Thank you for the opportunity to help you with your question!
This is a collection of real-world DNS best practices for mid- to large-size companies. Small companies that are growing should also follow these practices to save themselves growing pains in the future. The basic idea behind most of the practices provided is to limit server- and client-side DNS administration. As an added benefit, following these practices will reduce the amount of documentation required for your DNS environment by making DNS self-documenting. You may also notice that these practices build upon each other: doing one makes the next one possible, or easier to do.
Server Administration Best Practices Part I
These are the foundations and building blocks for all the DNS best practices.
1) Use Active Directory-integrated DNS zones.
   a. Why? Active Directory will automatically replicate DNS information to the other DNS servers that are installed on Active Directory domain controllers.
2) Configure all DNS servers to have either local copies of all DNS zones or appropriate forwarding to other DNS servers.
   a. Why? Making sure that all DNS zones are available from all DNS servers simplifies DNS administration and prevents DNS name resolution problems. As a company changes over time, what was once an isolated DNS zone can suddenly be used in many locations. Simply being proactive and configuring DNS appropriately will reduce your administration over time.
   b. Options for configuring all DNS servers to find all DNS zones, ordered from most to least preferred:
      i. Configure all DNS zones to replicate to all DNS servers in the Active Directory forest when possible.
         1. Why? Replicating DNS zones across domain boundaries lets all domains in the forest share DNS information more easily and ultimately makes DNS administration easier. Simply secure each DNS zone as needed if decentralized administration or security is a concern. Replicate to "all domains in the forest" even if you have only one domain; this will save you time should a second domain be added in the future.
      ii. Use Active Directory (AD) integrated DNS forwarders instead of normal standalone DNS forwarders when possible.
         1. dnscmd /ZoneAdd domain.com /DsForwarder 10.10.10.10 [/DP /forest]
         2. Why? Using AD-integrated forwarders replicates the forwarder information to all the DNS servers in the domain or, with /DP /forest, in the forest. This simplifies DNS administration. Replicating to the forest (/DP /forest) is preferred.
      iii. Use AD-integrated stub zones instead of standalone DNS domain forwards.
         1. Why? Stub zones can be replicated automatically to all DNS servers when AD-integrated zones are used, and they work similarly to DNS forwards. Using DNS stubs decreases administration as DNS servers are replaced over time. Standalone, server-based DNS domain forwards can require configuration of every DNS server, increasing DNS administration.
      iv. Configure zone transfers by using the Name Servers tab, and configure the Zone Transfers tab to transfer to, and notify, the name servers of changes. Do not configure zone transfers to IP addresses.
         1. Why? Using the Name Servers tab to configure zone transfers creates a better-documented DNS server. An Active Directory-integrated DNS server replicates the name server information to each DNS server, so as DNS servers are added or replaced this information is kept. Using only the Zone Transfers tab and transferring by IP address can result in lost information when a server is replaced.
      v. Create a DNS server hierarchy for DNS forwarders.
         1. How? Configure all the DNS servers to forward requests toward a centralized location if a query for a DNS zone is not found on the local DNS server. Each DNS server the query is forwarded to will have some additional zones that can be searched. If you drew a picture of this solution, the end result should be a diagram that looks like a tree showing the location of every DNS zone and how it would be resolved from every location.
         2. This is an older way of doing DNS forwarding that still works but is cumbersome to manage in large environments. Proper planning of every DNS zone is required. This is not a recommended way of doing DNS forwarding, but is provided as a historical option.
3) Integration with DNS servers at other companies.
   a. Many of the techniques above (DNS hierarchy excluded) lend themselves to sharing one or more DNS zones with other companies.
   b. Best practice suggestions: use AD-integrated DNS forwarders to resolve DNS zones across independent companies/forests, or replicate DNS zones onto all DNS servers if the companies are owned by the same parent company and are in the same forest.
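The practices above, as an added PowerShell example that is not part of the original answer: it first audits a server's zones for deviations from practices 1 and 2.b (AD integration, forest-wide replication, zone transfer settings), then applies the recommended configuration with the DnsServer module. It assumes the DnsServer module is available in an administrative session; the server name, zone names and IP addresses are constructed placeholders, and the secure-dynamic-update setting is an addition beyond what the answer itself states.

```powershell
# Added example (not from the original answer): audit a Windows DNS server against the
# practices above with the DnsServer PowerShell module, then apply the recommended settings.
# Assumes the DnsServer module and an admin session; server, zone names and IPs are placeholders.
Import-Module DnsServer
$Server = 'dc01.corp.example'   # placeholder: a DNS server that is also a domain controller

# Report zones that deviate from the practices: primary zones not AD-integrated or not
# replicated forest-wide, and zones whose transfer setting is "any server" or a hand-typed
# IP list instead of the servers on the Name Servers tab.
function Get-DnsPracticeFindings {
    param([string]$ComputerName)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { -not $_.IsAutoCreated } |
        ForEach-Object {
            $zone = $_
            $issues = @()
            if ($zone.ZoneType -eq 'Primary' -and -not $zone.IsDsIntegrated) {
                $issues += 'Not AD-integrated (practice 1)'
            }
            if ($zone.IsDsIntegrated -and $zone.ReplicationScope -ne 'Forest') {
                $issues += "Replication scope is $($zone.ReplicationScope), not Forest (2.b.i)"
            }
            if ($zone.ZoneType -eq 'Primary') {
                switch ($zone.SecureSecondaries) {
                    'TransferAnyServer'       { $issues += 'Transfers open to any server; zone data can be enumerated (2.b.iv)' }
                    'TransferToSecureServers' { $issues += 'Transfers restricted by IP list, not the Name Servers tab (2.b.iv)' }
                }
            }
            if ($issues) {
                [pscustomobject]@{ Zone = $zone.ZoneName; Type = $zone.ZoneType; Issues = ($issues -join '; ') }
            }
        }
}
Get-DnsPracticeFindings -ComputerName $Server | Format-Table -AutoSize

# Apply the recommended settings to constructed example zones.
# Practice 1 / 2.b.i: AD-integrated primary zone replicated forest-wide; secure dynamic
# updates only, so that only authenticated domain members can register records.
Add-DnsServerPrimaryZone -ComputerName $Server -Name 'corp.example' -ReplicationScope Forest -DynamicUpdate Secure
# Practice 2.b.iv: transfer only to, and notify, the servers in the zone's NS records.
Set-DnsServerPrimaryZone -ComputerName $Server -Name 'corp.example' -SecureSecondaries TransferToZoneNameServer -Notify Notify
# Practice 2.b.ii: AD-integrated conditional forwarder replicated forest-wide, the PowerShell
# equivalent of: dnscmd /ZoneAdd partner.example /DsForwarder 10.10.10.10 /DP /forest
Add-DnsServerConditionalForwarderZone -ComputerName $Server -Name 'partner.example' -MasterServers 10.10.10.10 -ReplicationScope Forest
# Practice 2.b.iii: AD-integrated stub zone, forest-wide, instead of a per-server domain forward.
Add-DnsServerStubZone -ComputerName $Server -Name 'branch.example' -MasterServers 10.10.20.10 -ReplicationScope Forest
```

Run the audit function alone first; the Add-/Set- commands change live server configuration and should be adapted to your zone names and forwarder targets.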
Please let me know if you need any clarification. I'm always happy to answer your questions.