One of my clients has 3 Active Directory forests each with multiple domains. Stub zones are in place for the forest root domain in each forest which are stored in each DomainDNSZone for each forest. When a DNS client wants to resolve a hostname for a host in a child domain in a different Active Directory forest it is using recursion referencing the root DNS server (from the Stub Zone) and obtaining the NS RR's for the child domain.
Delegation records and Conditional Forwarders need to be updated manually when DNS servers are added and removed from the environment. Currently the companies delegation records are not align with the DNS servers in each of the child domains for each Active Directory forest. The company wants to implement a solution which is automated so they will never have to worry about updating Delegates or Forwarders. Stub Zones meet the requirement.
The company is currently looking at removing all delegation between parent and child domains in each forest and use Stub Zones instead. They also want wish to use Stub Zones cross forest. To avoid having to create a Stub Zone in each domain they wish to store the Stub Zone for every domain in the ForestDNSZone partition in each forest. This means all domains in each forest will be able to utilize the Stub Zone.
I have the following questions:
In an Active Directory Forest we want to store each domain’s DNS zone in the DomainDNSZone partition within Active Directory. We want to configure a Stub Zone for every domain within a DNS forest and store these Stub Zones in the ForestDNSZones partition within Active Directory so they replicate to all AD Domains on the given forest. Question: All domain controllers will have their domain DNS zone under the DomainDNSZones partition in Active Directory. However they will also receive the stub zone for the ForestDNSZones partition as they are a member of the same forest. What happens here with the stub zone located in ForestDNSZones?
You can only configure forwarders or stub zones on any given DNS server. What happens if you create a forwarder on one DNS server then on another DNS server in a different AD site you create a stub zone that is AD Integrated. When it goes to replicate, it will replicate the stub zone to the DNS server which in this case both a stub zone and a forwarder exists. How does windows DNS deal with this?
In the relationship between child and parent domains, if an organisation chooses to use stub zones instead of delegation, if they do not remove the delegation records which precedence the Stub RR's or the Delegate RR's?
To answer these questions I raised I ended up having to create a lab environment and perform testing. Below are my answers:
Question 1 Answer
If a "Stub Zone" exists in the forest DNS partition but a DNS server in the same forest has a the "Primary Zone" file stored locally or in another location within DNS, the DNS server will ignore the "Stub Zone" in the forest DNS partition. To find this out I created a lab environment with two domains within a single forest:
Contoso.com DNS server:
Properties for the branch.contoso.com stub zone on the contoso.com DNS server:
Branch.contoso.com DNS server:
Properties for the contoso.com stub zone on the branch.contoso.com DNS server:
Question 2 Answer
If a stub zone exists on a DNS server windows will not let you create a conditional DNS forwarder matching the same name as the stub zone. If a conditional DNS forwarder exists windows will not let you create a DNS stub zone matching the same name as the conditional forwarder. If you create an AD integrated stub zone on another DNS server in a different active directory site it will replicate through standard AD replication. When it replicates to the server containing the conditional forwarder, the stub zone will take precedence over the conditional forwarder. Stub Zones always have precedence over conditional forwarders.
Question 3 Answer
Stub Zones always have precedence over delegation.