You know how DNS is supposed to work: You type in on your workstation’s browser, your DNS server resolves the name into an IP address, and then your workstation’s browser connects to the page at that address and displays the page. So, after you go to the trouble of setting up Windows 2000, Active Directory, and Windows 2000’s DNS server, why would you be unable to resolve any addresses for resources outside of your local network?

This problem occurs because Windows 2000 can sometimes configure its DNS server to act as a root server. As a root server, the DNS server will only resolve addresses that it contains. In this Daily Feature, I’ll show you why this happens and how to fix it.

Author’s note

In this article, I am only going to focus on making your Windows 2000 DNS server forward requests for addresses that it can’t resolve itself. I’m not going to go into deep detail about what DNS does in general or how to set up a Windows 2000 DNS server. For more information about DNS and Windows 2000, see the Daily Drill Down “Using the Windows 2000 DNS service.”

What’s the problem?
In a Windows 2000 environment, DNS fills two roles. First, Windows 2000’s DNS can provide traditional name resolution for clients on your network that need to access Internet resources. Secondly, Windows 2000’s DNS can provide access to Active Directory and network resources.

When you first install DNS and Active Directory on your network, Windows 2000’s Setup program can cause these two roles to come into conflict with each other. Setup can accidentally configure DNS to resolve Active Directory resources but not allow clients to access Internet-based DNS servers.

When Setup runs, it checks your network for other DNS servers. If it doesn’t find any, Setup assumes that it’s the only DNS server on the planet and sets itself up as a root server. By definition, root servers are authoritative. Basically, they are DNS know-it-alls that don’t require help from other DNS servers.

In a network that’s not connected to the Internet, having your main DNS server configured as a root server isn’t a problem. Because there aren’t any external addresses to worry about, the root server indeed knows all there is to know about addresses on your network. However, things become complicated when you finally connect your network to the Internet. At that point, your internal DNS server can’t know the address for every Internet resource, so it requires help from external DNS servers.

If Setup has configured your DNS server as a root server, the DNS server won’t look for help from external DNS servers. As a matter of fact, if you try to configure forwarders or root hints on a Windows 2000 DNS root server, it will outright refuse to accept the information.

Tearing it out by the root
So what do you do to allow your internal Windows 2000 DNS server to forward queries for addresses it doesn’t contain to other DNS servers? Fortunately, you can manually administer an attitude adjustment to your DNS server to make it realize that there are other DNS servers it should refer to, essentially removing the DNS server’s root server configuration.

To do so, click Start | Programs | Administrative Tools | DNS. This will start the DNS Management Console. Expand DNS Server object in the left pane. Expand the Forward Lookup Zones folder. Select the zone folder that is marked with a period (.), right click it, and select Delete.

If you’re using Active Directory Integrated Zones, the DNS MMC will display a dialog box informing you that when you delete the zone, the MMC will also delete the zone from Active Directory and any DNS server that references Active Directory. Click Yes to remove the zone from both Active Directory and the DNS server.

Setting up forwarders
After you restart your Windows server, you can then configure DNS to forward to other DNS servers. To do so, start the DNS MMC, right-click your DNS server, and select Properties. When the Properties window for the server appears, click the Forwarders tab. Select the Enable Forwarders check box.

If this check box is grayed out, then your DNS server is still configured as a root server. Recheck to make sure you’ve selected the proper DNS server and that you properly removed the root zone folder as mentioned above.

After you select the Enable Forwarders check box, enter the DNS servers you want to forward to in the IP address field. You’ll need to enter the IP address of each server one at a time, clicking Add after each one. When you have finished, click OK.

Going forward
Once you remove the DNS server’s root capability and configure forwarders on your DNS server, your workstations will be able to access both internal and external network resources. You can also save yourself the headache of entering multiple DNS addresses on client workstations. Just direct client requests to your Windows 2000 DNS server, and it will handle the requests as it sees fit.