How to configure an Active Directory Integrated Conditional DNS Forwarder

Issue:

By default the DNS MMC for Windows 2003 Server only allows for local DNS forwarders to be configured on each DNS server.  This makes distributing DNS forwarding to multiple DNS servers administratively difficult in large environments.

 

Cause:

By design, the DNS MMC for Windows 2003 Server does not allow DNS conditional forwarders to be integrated into Active Directory.

 

Solution:

Use the dnscmd.exe command line utility available in the Windows 2003 support tools.

 

Below is the command syntax for adding an AD integrated conditional forwarder.

 

dnscmd dnsserver /zoneadd domain.com /DsForwarder ipaddress [ipaddress]  /DP FQDN

 

dnsserver is the DNS server ipaddress to configure

domain.com is the DNS Zone to configure as a conditional forwarder

ipaddress is the primary DNS server to forward requests to

[ipaddess] is an optional secondary DNS server to forward requests to

FQDN can be any of the following.

• /forest - will replicate to all DNS servers that are also Domain Controllers
• /domain - will replicate to all DNS server that are also Domain Controllers
• /legacy - will replicate to all Domain Controllers in the domain the DNS server is a member of.  This is the Windows 2000 equivalent.
• FQDN (partition.domain.com) of a custom application partition.  This must already be created using the NTDSutil’s Partition Management option.

 

You can verify that the AD integrated condition forwarder has been configured using the DNS MMC and looking on the Forwarders tab.  When select a conditional forwarder that is AD integrated the DNS will display the following message in the properties window.

 

“Forwarder is integrated to Active Directory” 

 

See the example screen shot below for more information.

 

You can also delete an AD integrated conditional forwarder using the following command.

dnscmd dnsserver /zonedelete domain.com /DsDel /f