DNS-architecture - what would you recommend?


  • Hi there,

    I am currently thinking about the following scenario, DNS-servers in

    Forest Root (

    -- Domain Tree B (

    -- Domain Tree C (

    Every DNS server is a DC, btw.; all DCs are linked via high-speed networks (no site links / WANs).

    So I have three different DNS forward lookup zones, with one or two DNS servers handling them, which I could design as follows:

    Solution 1:

    All forward lookup zones are replicated throughout the forest. Every DNS server has the zones via the ForestDnsZones partition. I like this one, because the replication of DNS is entirely handled by Active Directory. Also - every DNS server can fail, and I will still retain all the data. Dynamic registration may occur on every DNS server, as every zone is writable.


    + Replication via AD

    + Very resilient

    - DNS-zones are writable from every DNS-server and for all the domain admins.

    Solution 2:

    Each DNS server has its own zone, and two secondary zones containing the zones of the other forward lookup zones. Secondary zones are just used for load balancing DNS and are not writable.

    + DNS notify (only updating the zones via push if necessary)

    + Read-only zones on the other DNS servers

    - No AD replication

    Solution 3 - stub zones:

    Every domain gets stub zones referring to the other SOAs. As I understood it - every request is then handled by the responsible DNS server. The list will always contain only authoritative DNS servers.

    + Error resilient (failing DNS is automatically removed)

    + Replication via AD

    + Read protected

    + Small

    - Lots of requests to other DNS-servers

    Solution 4 - conditional forwarders:

    DNS is forwarded to the specific DNS servers based on their lookup zone. Similar to the stub zone, only worse, as a failing DNS server has to be manually removed from the configuration.

    -/+ Nothing I could think about :)

    Maybe someone wants to share his / her ideas :) (or correct me if I misunderstood anything)


    Kind regards,


    • Edited by secMMF Tuesday, February 19, 2013 6:14 PM
    Tuesday, February 19, 2013 6:12 PM
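One way to check these designs against real servers, as an added example that is not from the thread or from Microsoft: a PowerShell audit that pulls each forward zone's replication scope, dynamic-update mode and read-only flag from a list of DCs (the writability concern of Solution 1), followed by the cmdlets that create the forest-replicated stub zone of Solution 3 and the conditional forwarder of Solution 4. It assumes the DnsServer module (Windows Server 2012 or RSAT); server names, zone names and IP addresses are constructed placeholders.

```powershell
# Added example (not from the thread). Requires the DnsServer module (Windows Server 2012+ / RSAT).
# Server and zone names below are constructed placeholders, not the poster's real names.
$DnsServers = @('dc-root01.root.example', 'dc-b01.treeb.example', 'dc-c01.treec.example')

function Get-ZoneReplicationReport {
    param([string[]] $ComputerName)
    foreach ($server in $ComputerName) {
        # Skip the auto-created zones (., 0.in-addr.arpa, ...) and reverse zones; forward zones only
        Get-DnsServerZone -ComputerName $server |
            Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
            ForEach-Object {
                $findings = @()
                # Solution 1 caveat: an AD-integrated primary is writable on every DC hosting it,
                # so it should at least refuse unauthenticated dynamic updates.
                if ($_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -eq 'NonsecureAndSecure') {
                    $findings += 'NonsecureDynamicUpdate'
                }
                # A file-backed primary (Solution 2) is not AD-replicated and has no AD ACL on its records
                if ($_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated) {
                    $findings += 'NotDsIntegrated'
                }
                [pscustomobject]@{
                    Server           = $server
                    Zone             = $_.ZoneName
                    ZoneType         = $_.ZoneType        # Primary / Secondary / Stub / Forwarder
                    DsIntegrated     = $_.IsDsIntegrated
                    ReplicationScope = $_.ReplicationScope # Forest / Domain / Legacy / Custom
                    DynamicUpdate    = $_.DynamicUpdate    # None / NonsecureAndSecure / Secure
                    ReadOnly         = $_.IsReadOnly
                    Findings         = ($findings -join ',')
                }
            }
    }
}

Get-ZoneReplicationReport -ComputerName $DnsServers | Format-Table -AutoSize

# Solution 3 in cmdlet form: a stub zone stored in the ForestDnsZones partition, so every DC in the
# forest receives it by AD replication and the stub refreshes its NS/SOA records from the master itself.
Add-DnsServerStubZone -ComputerName 'dc-root01.root.example' -Name 'treeb.example' `
    -MasterServers 10.0.1.10 -ReplicationScope Forest

# Solution 4 equivalent: the forwarder's server list is static, which is the manual-maintenance
# drawback the poster notes; only the list itself is replicated, not the target zone's NS records.
Add-DnsServerConditionalForwarderZone -ComputerName 'dc-root01.root.example' -Name 'treec.example' `
    -MasterServers 10.0.2.10 -ReplicationScope Forest
```

Run the audit as a user with read access to the DNS servers; the two Add-* calls need DNS admin rights on the target DC and are shown for the design comparison, not as a setup sequence.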

All replies

  • Hi,

    Thank you for the post.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.


    Nick Gu - MSFT

    Thursday, February 21, 2013 1:46 AM