Tech Line
The Root of All Problems
Leaving the Windows 2000 default root zone in your DNS will stop Internet resolution in its tracks.
Chris: I have a development Windows 2000 domain, with DNS
installed on the domain controller. The domain name is TOSESC.COM. I'm
unable to access or resolve the Internet using this DNS. When I checked
the root hints, it says that it is a ROOT DNS and you cannot add root
hints.
What makes it a Root as opposed to non-Root? I tried reading/configuring
it either as an integrated AD or primary, but both gave me errors that
it cannot be resolved.
— Rene
Tech Help—Just An E-Mail Away
Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors; the best questions get answered in this column and garner the questioner a nifty MCPmag.com baseball-style cap.
When you send your questions, please include your full first and last name, location, and certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)
Rene, I used to think that either money or greed was the
root of all problems. Now I realize that it's DNS. I'll actually be attending
a motivational seminar on Wednesday and will be listening to Rudolph Giuliani,
Larry King, and Zig Ziglar. If any of these guys start talking about money
or greed, I'll be sure to correct them with "No, it's actually DNS!"
DNS causes so many problems on a network that, when something breaks, this service
is usually the culprit. Whenever I write a column about DNS, it is almost
always sure to generate at least 10 DNS questions for my Inbox. Rene's
DNS root problem is a classic one that often stumps administrators
during their initial Windows 2000 DNS deployments.
When DNS is installed as part of the dcpromo process on a Windows 2000
server, two forward lookup zones are created: a root zone (.) and a zone
for the newly created domain. The very top of the DNS hierarchy is the
root (.); below the root are the top-level domains such as .com and .edu.
While this is all well and good, the problem with having a configured root
zone on a private DNS server is that it makes the server believe that it
is at the root of the DNS hierarchy. In being a root server, the DNS server
believes that it has all of the answers to all domains, which is also why
the server reports itself as a root DNS and will not let you add root hints:
a server that is the root has nothing above it to refer to. So as a root
server, a DNS server will respond to DNS queries with either a result of the
query (IP address) or with an authoritative answer of "nonexistent domain."
Basically, this means that any domain name for which the DNS server does not
have a configured forward lookup zone must not exist.
If your DNS clients have a second DNS server IP address configured in
their TCP/IP properties, they will never query the second DNS server because
they will always receive an authoritative answer from the first. If the
client receives an authoritative, nonexistent domain response from its
primary DNS server, it will not attempt to query another server for the
same record. As far as the client is concerned, it has learned that without
a doubt the record does not exist.
So if you want to prevent a DNS server from forwarding requests or using
root hints to perform iterative queries to root-level servers in order
to resolve Internet domain names, then adding a root (.) forward lookup
zone will do it. If a root zone exists on your DNS server and you want
to allow iterative queries to root servers or forwarding, then just delete
the root (.) forward lookup zone; the root hints become usable again and
you'll be all set.
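To make the symptom described above checkable from a client, here is an added Python example (not code from the column): it builds raw DNS queries with only the standard library, sends a SOA query for "." and an A query for an outside name to the server, and reports the root-zone condition when the server answers the root authoritatively and returns an authoritative "nonexistent domain" for the outside name. The server address and the use of example.com as the outside name are assumptions for illustration.

```python
import socket
import struct
import sys

# DNS header flag bits and codes (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000          # response
FLAG_AA = 0x0400          # authoritative answer
RCODE_NXDOMAIN = 3        # "nonexistent domain"
QTYPE_A, QTYPE_SOA = 1, 6

def encode_name(name):
    """Encode a dotted name as DNS labels; the root "." is a lone zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """One-question query with RD (recursion desired) set, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)

def parse_header(resp):
    """Return (txid, is_response, authoritative, rcode) from the 12-byte header."""
    txid, flags = struct.unpack(">HH", resp[:4])
    return txid, bool(flags & FLAG_QR), bool(flags & FLAG_AA), flags & 0x000F

def classify(resp_root_soa, resp_external_a):
    """A server carrying a '.' zone answers the root SOA authoritatively and
    gives an authoritative NXDOMAIN for any name it has no zone for, so the
    client never tries its second DNS server. Both conditions must hold."""
    _, _, root_aa, root_rcode = parse_header(resp_root_soa)
    _, _, ext_aa, ext_rcode = parse_header(resp_external_a)
    if root_aa and root_rcode == 0 and ext_aa and ext_rcode == RCODE_NXDOMAIN:
        return "private root zone present: delete the '.' forward lookup zone"
    return "no root zone detected"

def query(server, name, qtype, timeout=3.0):
    """Send one UDP query and return the raw response (network helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return s.recv(512)

if __name__ == "__main__":
    # Assumed server address; pass the DNS server's IP as the first argument.
    srv = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(classify(query(srv, ".", QTYPE_SOA), query(srv, "example.com", QTYPE_A)))
```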
The default behavior of creating a root zone when DNS is installed as
part of the dcpromo process was changed in Windows Server 2003. With Windows
2003, no root zone is created as part of the DNS Server service installation
during dcpromo, so this common problem is no longer seen by administrators
setting up Windows 2003 domain controllers and DNS servers.
Whether you have a problem in life or on your network, don't look too
far for the cause. It's probably DNS!
[Chris Wolf has just released Virtualization:
From the Desktop to the Enterprise (Apress) and also welcomes your
virtualization questions for this column. —Editors]