How can I permanently remove default root hints from a Server 2008 DNS server?

My network exists in private address space and I am unable to perform DNS lookups against DNS servers on the internet directly (blocked by firewall). There are other networks that exist in the same private address space as my network. I need to be able to perform DNS lookups for devices in these networks as well.

There are 2 main internal DNS servers in this private address space, but not on my network. I can perform DNS lookups against both of these servers for devices internal to our address space and names on the internet. I would like to permanently remove the root hints from our Server 2008 R2 DNS server and replace them with these 2 internal DNS servers. I have removed them from the dnsmgmt console, the C:\Windows\System32\DNS\cache.dns file, and from the RootDNSServers folder under the System folder in ADUC. Even so, they continue to repopulate into the root hints tab in the server properties for DNS after roughly an hour. Does anyone know how to permanently remove these entries?


Solution 1:

Permanently deleting root hints from a Microsoft DNS server is not supported, however, if you want to remove them, you can. Before you continue down this path, please have a full backup of your servers and be prepared for unintentional outages.

The root hints must be removed from 3 different places, the Root Hints tab in the server properties, the cache.dns file in C:\Windows\System32\dns, and the System Folder in ADUC. Remove them in the following order.

To remove them from the cache.dns folder, edit the file C:\Windows\System32\dns\cache.dns and either comment out, or delete everything in the file. I highly recommend backing up this file before you start.

To remove the objects from AD, open ADUC and click on View>Advanced Features. Under the root of your domain, expand System>MicrosoftDNS>RootDNSServers, delete all of the dnsNode objects.

To remove the objects from the DNS server properties, launch DNS Manager, right click on the server and select properties. Click on the root hints tab, and remove the servers.

A much better way to forgo the use of root hints is to just uncheck the "Use root hints if no forwarders are available" check box on the Forwarders tab and use forwarders instead.
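The forwarder approach Solution 1 recommends, scripted as an added example (this is not part of the original answer). It uses dnscmd, which ships with Server 2008 R2; the two forwarder addresses, the backup path and the test names are assumptions, so substitute your own. `/Slave` is the dnscmd equivalent of clearing the "Use root hints if no forwarders are available" check box.

```powershell
# Added example, not from the original answer: send all recursive lookups on a
# Windows Server 2008 R2 DNS server to two internal resolvers and stop the
# fallback to root hints. Assumed addresses; replace with your own.
$Forwarders = @('10.1.0.10', '10.1.0.11')
$Server     = $env:COMPUTERNAME          # run this on the DNS server itself

# Back up the current state first (the answer above warns about outages).
$backupDir = Join-Path $env:SystemRoot "System32\dns\backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Copy-Item (Join-Path $env:SystemRoot 'System32\dns\cache.dns') $backupDir
& dnscmd $Server /Info | Out-File (Join-Path $backupDir 'dnscmd-info-before.txt')

# /ResetForwarders replaces the whole forwarder list; /Slave makes the server
# forward-only, so it never falls back to the root hints (IsSlave = 1).
& dnscmd $Server /ResetForwarders $Forwarders /Slave
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ResetForwarders failed (exit code $LASTEXITCODE)" }

# Verify the server-level settings took effect.
& dnscmd $Server /Info | Select-String -Pattern 'IsSlave|Forwarders|ForwardTimeout'

# Functional check against the local server: one internal name, one public name.
# Both must now resolve through the forwarders; a timeout means the forwarders
# are unreachable, because there is no root-hint fallback any more.
foreach ($name in @('intranet.corp.example', 'www.microsoft.com')) {   # assumed names
    nslookup -type=A $name 127.0.0.1 2>&1 |
        Select-String -Pattern 'Address|timed out|Non-existent'
}
```

On Server 2012 and later the same two settings are available through the DnsServer module: `Set-DnsServerForwarder -IPAddress 10.1.0.10,10.1.0.11 -UseRootHint $false`. Note that this is different from disabling recursion outright: a Windows DNS server with recursion disabled does not use forwarders either and will only answer for zones it hosts, so forward-only (IsSlave) is the setting that matches the question.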

Solution 2:

Microsoft does not support the removal of the root hints and the Microsoft DNS server requires at least one root hint to be listed. You can change the root hints and those changes should be permanent.

In your case, you have two main options:

1) Set the disable recursion and setup the forwarders to prevent the servers listed in the root hints from being used.
2) Update/modify/add new root hints to the internal servers and delete the remaining root hint servers.

Of the two, I would choose option 1 as it preserves the root hints in case your infrastructure does change.
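Option 2 from Solution 2 (swap the root hints for the internal servers rather than delete them all), as an added example that is not part of the original answer. The server names, addresses and the use of the `..RootHints` pseudo-zone name that dnscmd exposes are assumptions to check in your environment; the script adds the internal entries before removing anything, so the server is never left with an empty list, which the answer says it requires.

```powershell
# Added example, not from the original answer: replace the public root hints on
# a Windows DNS server with two internal servers. Assumed names/addresses.
$Server    = $env:COMPUTERNAME
$RootHints = @{
    'dns1.corp.example.' = '10.1.0.10'
    'dns2.corp.example.' = '10.1.0.11'
}
$Zone = '..RootHints'    # assumed: dnscmd's name for the root hints pseudo-zone

# 1. Add the internal servers first (NS record at the apex plus a glue A record),
#    so the list is never empty while the public entries are being removed.
foreach ($entry in $RootHints.GetEnumerator()) {
    & dnscmd $Server /RecordAdd $Zone '@' NS $entry.Key
    & dnscmd $Server /RecordAdd $Zone $entry.Key A $entry.Value
}

# 2. Enumerate the NS records and keep only the ones we did not just add.
$nsLines = & dnscmd $Server /EnumRecords $Zone '@' /Type NS
$public  = $nsLines |
    Select-String -Pattern 'NS\s+(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Where-Object { $RootHints.Keys -notcontains $_ }

# 3. Delete each public root server (NS plus its IPv4/IPv6 glue); /f skips the prompt.
foreach ($hostName in $public) {
    & dnscmd $Server /RecordDelete $Zone '@' NS $hostName /f
    & dnscmd $Server /RecordDelete $Zone $hostName A    /f
    & dnscmd $Server /RecordDelete $Zone $hostName AAAA /f
}

# 4. Show the result and flush it to cache.dns so a service restart keeps it.
& dnscmd $Server /EnumRecords $Zone '@' /Type NS
& dnscmd $Server /WriteBackFiles
```

If the server is a domain controller with Active Directory-integrated DNS, the root hints are stored in the RootDNSServers container and replicate between DNS servers, so run the script on each DNS server (or wait for replication to settle) rather than editing one and expecting the others to follow; otherwise a peer still holding the public list can write it back, which is consistent with the hourly repopulation the question describes.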