Do not use recursion for this domain

Whilst checking that the Domain Controllers in my environment were configured according to my design I discovered one servers DNS config was incorrect. I use a simple spreadsheet to document the settings I expect to be deployed on a domain controller which includes things like the IP addresses, the DNS forwarders, DNS scavenging settings etc then I use a script to compare the actual settings to the spreadsheet.

Initially I just used a CSV file but then I developed some functions , which I converted to a module, so that I could use a Excel workbook. Why – well for starters I can use multiple tabs in the same workbook, rather than multiple CSV files and the real killer feature I can use conditional formatting to highlight configuration errors.

I’ll post my scripts if anyone would be interested but the topic today – is how Microsoft keep changing setting names to confuse us and worse in this example if you use a Win 7 or Windows server 2008 MMC then you check the box and in early mmc versions you uncheck the box. No wonder someone got it wrong when configuring it!

The setting in question is “Do not use recursion for this” domain which is set on the DNS forwarders tab. Often you won’t want internal servers to try and go direct to the internet. When all else fails unless you untick this box the DNS server will go out to the root hint servers to resolve the names. In some situations this can actually cause you service interruption especially if you have a split brain DNS.

On a windows server 2008 DC the MMC will show this exact same setting but it’s called “use root hint servers if no forwarders are available”. You can see why Microsoft renamed the setting as this one actually makes it clear what you are doing. In this case though you want to uncheck the box.

To be 100% fair who is managing 2003 DCs or are using XP clients so this post is probably a little late for most people. Actually what really matters is which MMC you are using not the DC OS being used. View the setting using 2003 or XP you will see the right hand screen, use 2008, win7 or greater and you will see the left. Confusing or what?



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.