Question : Why allow zone xfer when every DNS is purely ADI zones, and why point SOA to localhost IP on every DC?

Greetings friends! :-)

Ok, I've got a very small single (root) domain forest with 3 DCs (2003), and all FSMOs on one of those DCs. All 3 DCs are also GC servers and ADI DNS servers (no WINS) with only one fwd lookup zone, and 3 reverse. On all 3 DCs, the 3 reverse zones and the 1 fwd looup zone are config'd such that the SOA for the zone in question is the IP of the localhost (all other zones/domains will fwd to some other DNS servers not owned by us).

QUESTION 1: We are wondering if there might be a benefit to setting the SOA to be the DC which has all the FSMO roles, as we consider it our most stable and powerful server?

QUESTION 2: Whoever set this up before me, also set the big strong poppa bear server (the DC with all the FSMOs) to allow zone transfers to the other two smaller DCs. My question is WHY? Since they are ADI I see no benefit to that.

Thanks again,
~ks

Answer : Why allow zone xfer when every DNS is purely ADI zones, and why point SOA to localhost IP on every DC?

Hey,

> QUESTION 1: We are wondering if there might be a benefit to setting the SOA to
> be the DC which has all the FSMO roles, as we consider it our most stable and
> powerful server?

Unless you go and disable Dynamic Updates you don't get control of that record. Each and every server is a Primary (Master), so each has SOA set to itself.

Clients won't care at all what your SOA is set to, if you were to have Secondaries they would and only need a valid SOA from a valid Primary (any of the servers can act as that).

The load created by DNS is tiny, extremely unlikely to be significant in a domain that only needs 3 DCs :)

> QUESTION 2: Whoever set this up before me, also set the big strong poppa bear
> server (the DC with all the FSMOs) to allow zone transfers to the other two smaller
> DCs. My question is WHY? Since they are ADI I see no benefit to that.

Completely unnecessary, it won't mind at all if you disable that setting :)

Chris

Random Solutions

Recommendation needed - access point with time-based ip restriction

Illegal redirection for VoIP traffic on Checkpoint NG firewall

Linksys Router setup with a different gateway

Windows Server 2003 Active Directory DCPromo ends with NtFrs Event ID 13565 Error

DHCP Not Working on new Windows 2008 Server

Call Manager Express: Add Second number on my CIPC

wireless problem

HELP! Can't access webpage from behind router. Need help with cisco ios (maybe).

DNS Search Suffix duplicated