AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam


Configure DNS forwarding and conditional forwarding

Implement DNS Forwarders and Conditional Forwarders

DNS forwarders are used to send queries that your DNS server can’t resolve to another server, such as Azure DNS Private Resolver or an external DNS server. Conditional forwarders send queries for specific domains to designated DNS servers only, which helps keep traffic focused and efficient. Together, they improve name resolution in a hybrid on-premises and Azure setup by ensuring queries go to the correct resolver. This reduces unnecessary lookups and speeds up response times. Properly configured forwarders and conditional forwarders support seamless connectivity between your local network and Azure services.

To set up DNS forwarders, you first need to verify that your private DNS zone is linked to the virtual network in Azure. Next, choose between the Azure-provided DNS settings and custom DNS settings if you have special routing needs. In Windows Server DNS Manager or PowerShell, you can then add forwarders:

  • Verify private zone links in your Azure portal.
  • Use the default Azure DNS or point to custom DNS IPs.
  • Create forwarders with PowerShell commands such as Set-DnsServerForwarder.
  • Test initial resolution with nslookup.

This setup ensures that any query your server can’t resolve locally is forwarded to the right destination.

When you need to direct queries only for certain domains, you use conditional forwarders. In Windows Server DNS Manager, you add a new conditional forwarder by specifying the domain namespace and the IP addresses of the target DNS servers. You can also do this programmatically with PowerShell using the Add-DnsServerConditionalForwarderZone cmdlet and providing the domain and server IPs. By doing so, queries for those domains bypass normal resolution paths and go directly to the designated servers. This approach minimizes unnecessary traffic and keeps responses fast for critical domains.

After you configure forwarders and conditional forwarders, you must validate that everything works as expected. Use the Test-DnsServer cmdlet in PowerShell to check forwarding rules and confirm that they are active. Then run Resolve-DnsName to verify that specific hostnames resolve correctly through the forwarder or conditional forwarder. Finally, review your DNS event logs to spot any errors or failures in forwarding. These steps help you catch misconfigurations early and ensure reliable name resolution across your network.
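The setup and validation steps above, carried through as one added PowerShell example (not code from the original page). It assumes an elevated session on a Windows Server DNS server with the DnsServer module installed; the resolver address, partner domain and partner DNS IPs are constructed placeholders.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell
# session on the Windows Server DNS server. All addresses and names below are
# placeholders: substitute your Azure DNS Private Resolver inbound endpoint and
# the DNS servers authoritative for the partner domain.
$ResolverInbound = '10.10.0.4'                 # placeholder: Private Resolver inbound endpoint
$PartnerDomain   = 'corp.contoso.example'      # placeholder: domain for the conditional forwarder
$PartnerDns      = '10.20.0.10', '10.20.0.11'  # placeholder: servers authoritative for that domain

# 1. General forwarder: everything the server cannot resolve locally goes here.
Set-DnsServerForwarder -IPAddress $ResolverInbound -Timeout 5 -PassThru

# 2. Conditional forwarder: only queries under $PartnerDomain go to $PartnerDns.
#    -ReplicationScope Forest stores the zone in AD so every DNS-enabled DC gets it.
if (-not (Get-DnsServerZone -Name $PartnerDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $PartnerDomain `
        -MasterServers $PartnerDns -ReplicationScope Forest -ForwarderTimeout 5
}

# 3. Validate each target: does it answer as a forwarder, and is port 53 reachable?
foreach ($ip in @($ResolverInbound) + $PartnerDns) {
    $probe = Test-DnsServer -IPAddress $ip -Context Forwarder
    '{0,-15} forwarder check: {1}' -f $ip, $probe.Result
    # Test-NetConnection exercises TCP/53 only; UDP/53 must be open as well.
    $tcp = Test-NetConnection -ComputerName $ip -Port 53 -WarningAction SilentlyContinue
    '{0,-15} TCP/53 reachable: {1}' -f $ip, $tcp.TcpTestSucceeded
}

# 4. Resolve a name in the partner domain through the local server.
try {
    $answer = Resolve-DnsName -Name "app.$PartnerDomain" -Type A -Server 127.0.0.1 -ErrorAction Stop
    $answer | Select-Object Name, Type, IPAddress
} catch {
    Write-Warning "Resolution failed: $($_.Exception.Message)"
}

# 5. Review recent DNS Server errors and warnings (Level 1-3) for forwarding failures.
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Level = 1, 2, 3 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# 6. Final state: confirm only the intended forwarders are configured.
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress
```

Step 6 is worth repeating after any change: an unexpected address in the forwarder list means unresolved queries are leaving your network for a resolver you did not choose.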

Even with correct settings, issues can arise. Common troubleshooting steps include:

  • Checking that all required virtual networks are properly linked to the private zone.
  • Verifying network connectivity between your DNS server and the forwarder’s IP address.
  • Ensuring that firewall rules don’t block DNS traffic on port 53.
  • Confirming that conditional forwarder domain names and IPs match exactly.

By systematically checking these areas, you can resolve most forwarding failures.

Conclusion

In summary, DNS forwarders and conditional forwarders are essential for hybrid environments because they route unresolved or domain-specific queries to the right DNS servers. Setting up forwarders involves linking private zones, choosing DNS settings, and using PowerShell or DNS Manager to add forwarders. Conditional forwarders focus only on specified domains, reducing unnecessary traffic and speeding up lookups. Validation using Test-DnsServer, Resolve-DnsName, and DNS event logs ensures your configuration is correct. Finally, understanding common troubleshooting steps helps keep name resolution reliable across both on-premises and Azure networks.