Tech Line

The Root of All Problems

Leaving the Windows 2000 default root zone in your DNS will stop Internet resolution in its tracks.

Chris: I have a development Windows 2000 domain, with DNS installed on the domain controller. The domain name is TOSESC.COM. I'm unable to access or resolve the Internet using this DNS. When I checked the root hints, it says that it is a ROOT DNS and you cannot add root hints.

What makes it a Root as opposed to non-Root? I tried reading/configuring it either as an integrated AD or primary, but both gave me errors that it cannot be resolved.
— Rene

Tech Help—Just An E-Mail Away

Got a Windows, Exchange or virtualization question, or need troubleshooting help? Or maybe you want a better explanation than the manuals provide? Describe your dilemma in an e-mail to the editors at; the best questions get answered in this column and earn the questioner a nifty baseball-style cap.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

Rene, I used to think that either money or greed was the root of all problems. Now I realize that it's DNS. I'll actually be attending a motivational seminar on Wednesday and will be listening to Rudolph Giuliani, Larry King, and Zig Ziglar. If any of these guys start talking about money or greed, I'll be sure to correct them with "No, it's actually DNS!"

DNS causes so many problems on a network that, when something breaks, this service is usually the culprit. Whenever I write a column about DNS, it is almost sure to generate at least 10 more DNS questions for my Inbox. Rene's root zone problem is a classic that often stumps administrators during their initial Windows 2000 DNS deployments.

When DNS is installed as part of the dcpromo process on a Windows 2000 server, two forward lookup zones are created: a root zone (.) and a zone for the newly created domain. The root (.) sits at the very top of the DNS hierarchy; directly below it are the top-level domains such as .com and .edu. The problem with hosting a root zone on a private DNS server is that it makes the server believe it is the root of the DNS hierarchy, and a root server believes it has the answer for every domain. So a DNS server hosting a root zone will respond to every query with either a result (an IP address) or an authoritative answer of "nonexistent domain." In other words, any domain name for which the server has no configured forward lookup zone must not exist; it will never forward the query or walk the hierarchy to find out.

If your DNS clients have a second DNS server IP address configured in their TCP/IP properties, they will never query that second server, because they always receive an authoritative answer from the first. When a client receives an authoritative "nonexistent domain" response from its primary DNS server, it does not try another server for the same record. As far as the client is concerned, it has learned without a doubt that the record does not exist.

So if you want to prevent a DNS server from forwarding requests or using root hints to perform iterative queries to root-level servers in order to resolve Internet domain names, then adding a root (.) forward lookup zone will do it. If a root zone exists on your DNS server and you want to allow iterative queries to root servers or forwarding, then just delete the root (.) forward lookup zone and you'll be all set.
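To make the failure mode concrete, here is a small Python model of the situation the column describes. It is an added illustration, not code from the column or from Windows DNS: it simulates a domain controller that hosts a root (.) zone beside its TOSESC.COM zone, a client with a primary and a secondary DNS server configured, and an "Internet" that the server would reach through root hints. The zone contents, the 192.0.2.x addresses and the `www.example.com` record are constructed sample data, and `delete_root_zone()` stands in for deleting the root (.) forward lookup zone in the DNS console.

```python
"""Why a private root (.) zone stops Internet name resolution (constructed model)."""

ANSWER = "ANSWER"          # a resolved address
NXDOMAIN = "NXDOMAIN"      # authoritative "nonexistent domain"
SERVFAIL = "SERVFAIL"      # could not resolve; not an authoritative answer

# Constructed stand-in for the Internet: what an iterative query that starts
# from the root hints would eventually return.
INTERNET = {"www.example.com.": "192.0.2.20"}


class DnsServer:
    """A DNS server hosting some zones, with optional root hints."""

    def __init__(self, zones, root_hints=True):
        # zones: {zone name with trailing dot: {owner name: address}}
        self.zones = dict(zones)
        self.root_hints = root_hints

    def _authoritative_zone(self, qname):
        """Longest zone this server is authoritative for that encloses qname."""
        best = None
        for zone in self.zones:
            if zone == "." or qname == zone or qname.endswith("." + zone):
                if best is None or len(zone) > len(best):
                    best = zone
        return best

    def query(self, qname):
        """Return (rcode, address, authoritative) for a single A query."""
        zone = self._authoritative_zone(qname)
        if zone is not None:
            records = self.zones[zone]
            if qname in records:
                return ANSWER, records[qname], True
            # We are authoritative for the enclosing zone and the name is not
            # in it. With a root (.) zone, *every* name is enclosed, so every
            # unknown name gets this authoritative negative answer.
            return NXDOMAIN, None, True
        # Not authoritative for anything enclosing qname: walk the hierarchy
        # from the root hints (modelled as a lookup in INTERNET).
        if self.root_hints and qname in INTERNET:
            return ANSWER, INTERNET[qname], False
        return SERVFAIL, None, False


class DnsClient:
    """A stub resolver with an ordered list of DNS servers."""

    def __init__(self, servers):
        self.servers = servers

    def resolve(self, qname):
        """Return (address or None, indexes of the servers actually asked)."""
        asked = []
        for index, server in enumerate(self.servers):
            asked.append(index)
            rcode, address, authoritative = server.query(qname)
            if rcode == ANSWER:
                return address, asked
            if rcode == NXDOMAIN and authoritative:
                # Authoritative negative answer: the record "does not exist",
                # so the secondary server is never consulted.
                return None, asked
            # SERVFAIL: this server could not help, try the next one.
        return None, asked


def build_domain_controller(with_root_zone):
    """The zones dcpromo leaves behind on a Windows 2000 DC (constructed data)."""
    zones = {"tosesc.com.": {"dc1.tosesc.com.": "192.0.2.10"}}
    if with_root_zone:
        zones["."] = {}  # the default root (.) forward lookup zone
    return DnsServer(zones)


def delete_root_zone(server):
    """Equivalent of deleting the root (.) forward lookup zone in the console."""
    server.zones.pop(".", None)


def run_scenario(with_root_zone):
    """Resolve an internal and an Internet name through primary + secondary."""
    primary = build_domain_controller(with_root_zone)
    secondary = DnsServer({}, root_hints=True)  # e.g. an ISP resolver
    client = DnsClient([primary, secondary])
    return {
        "internal": client.resolve("dc1.tosesc.com."),
        "internet": client.resolve("www.example.com."),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("root zone present:", flag, run_scenario(flag))
```

With the root zone present, the lookup of `www.example.com` gets an authoritative NXDOMAIN from the primary server and the secondary server is never asked, which is exactly why a second DNS entry in the client's TCP/IP properties does not help. Once the root zone is removed, the same server has no zone enclosing the name, so it falls back to its root hints (or a forwarder) and the query succeeds.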

The default behavior of creating a root zone when DNS is installed as part of the dcpromo process was changed in Windows Server 2003. With Windows 2003, no root zone is created as part of the DNS Server service installation during dcpromo, so this common problem is no longer seen by administrators setting up Windows 2003 domain controllers and DNS servers.

Whether you have a problem in life or on your network, don't look too far for the cause. It's probably DNS!

[Chris Wolf has just released Virtualization: From the Desktop to the Enterprise (Apress) and also welcomes your virtualization questions for this column. —Editors]

About the Author

Chris Wolf is a Microsoft MVP for Windows - Virtual Machine and is an MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress) and Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).
