Data Flow – Windows AD DNS with Conditional Forwarders

Here’s a simplified breakdown of the data flow that occurs when a client computer in an Active Directory (AD) environment tries to resolve a DNS query for a domain like “cordero.me”, which is configured as a conditional forwarder on the Windows AD DNS server:

1. The client computer (let’s call it laptop.domain.local) wants to access a resource in the “cordero.me” domain (for instance, www.cordero.me). It first checks its local DNS cache to see if it already has a recent record for this domain. If not, it proceeds to the next step.

2. The client computer then sends a DNS query to its configured DNS server, which in an AD environment would be the AD DNS server.

3. The AD DNS server receives the DNS query. It also checks its own cache to see if it already has the answer. If not, it checks its zones to see if it is authoritative for the “cordero.me” domain. In this case, it’s not.

4. However, the AD DNS server has a conditional forwarder set up for “cordero.me”. This means that instead of using its standard DNS forwarding or recursive lookup processes to resolve the query, it forwards the query directly to the DNS server(s) specified in the conditional forwarder.

5. The conditional forwarder’s DNS server receives the query. This server should be authoritative for the “cordero.me” domain, so it looks up the record in its own zones and replies with the IP address associated with www.cordero.me.

6. The AD DNS server receives this response and forwards it back to the client computer. It also caches the record so that if it receives another request for the same domain, it can answer without having to go through the entire process again.

7. Finally, the client computer receives the response and can now connect to the resource at www.cordero.me. It also caches the record for a set period of time (according to the TTL or “time to live” value of the record) so that it can quickly resolve the same domain if needed in the near future.

It’s important to remember that actual DNS processes can be more complex due to factors such as DNS server configuration, the use of secondary DNS servers, and so on. This scenario is a simplified representation of what happens in a typical setup with a conditional forwarder.
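The seven steps above can be traced from the client side with the DnsClient cmdlets. This is an added example, not code from the original post; it assumes the AD DNS server is named dc01.domain.local and that 1.1.1.1 is the address named in the conditional forwarder.

```powershell
# Added example (not from the original post). Assumed names: dc01.domain.local is the
# AD DNS server that laptop.domain.local points to; 1.1.1.1 is the forwarder for cordero.me.
$Name        = 'www.cordero.me'
$AdDnsServer = 'dc01.domain.local'   # assumption: the client's configured DNS server
$Forwarder   = '1.1.1.1'             # assumption: DNS server named in the conditional forwarder

# Step 1: the client consults its own cache first. Clear it so the next query really
# leaves the machine, then confirm there is no cached answer for this name.
Clear-DnsClientCache
$cached = Resolve-DnsName -Name $Name -CacheOnly -ErrorAction SilentlyContinue
'Cache before query: {0}' -f $(if ($cached) { 'hit' } else { 'miss' })

# Steps 2-6: the query goes to the AD DNS server, which is not authoritative for
# cordero.me, forwards to the conditional forwarder, caches the reply and returns it.
$viaAd = Resolve-DnsName -Name $Name -Type A -Server $AdDnsServer -DnsOnly
$viaAd | Select-Object Name, IPAddress, TTL

# Step 7: the client now holds the record for its TTL.
Get-DnsClientCache -Entry $Name | Select-Object Entry, Data, TimeToLive

# Check: ask the forwarder directly and compare. A mismatch means the AD DNS server
# answered from stale cache or is forwarding somewhere other than the intended server.
$direct = Resolve-DnsName -Name $Name -Type A -Server $Forwarder -DnsOnly -ErrorAction SilentlyContinue
if ($viaAd.IPAddress -and $direct.IPAddress) {
    $match = -not (Compare-Object $viaAd.IPAddress $direct.IPAddress)
    "Answers from $AdDnsServer and $Forwarder agree: $match"
} else {
    "No A record from one of the servers; check the forwarder path on $AdDnsServer"
}

# On the AD DNS server itself (DnsServer module), the forwarded answer should now be
# visible in the server cache (step 6):
#   Show-DnsServerCache -ComputerName $AdDnsServer | Where-Object HostName -like '*cordero.me*'
```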

MULTIPLE IPS LISTED FOR CONDITIONAL FORWARDERS

If there are multiple IP addresses specified for a conditional forwarder, the DNS server will attempt to use them in the order they are listed. However, the behavior depends on the configuration of the DNS server and the response from the forwarder’s DNS servers.

Here’s a simplified breakdown:

IP Order for Conditional Forwarder:
1.1.1.1
2.2.2.2
3.3.3.4
4.4.4.4

1. The client computer sends a DNS query to the AD DNS server, just like in the previous scenario.

2. The AD DNS server receives the query, checks its cache and local zones, and determines that it needs to use the conditional forwarder for “cordero.me”.

3. The AD DNS server sends the query to the first IP address in the list, which is 1.1.1.1 in this case.

4. If the DNS server at 1.1.1.1 responds with the answer, the AD DNS server forwards that response back to the client, and the process is complete.

5. However, if the DNS server at 1.1.1.1 does not respond (for instance, if it’s down or unreachable), the AD DNS server will try the next IP address in the list, which is 2.2.2.2. This process continues until it gets a response, or until it has tried all of the IP addresses in the list.

6. If none of the listed DNS servers respond, the query will fail, and the client will not be able to resolve the domain.

This process provides a level of redundancy and fault tolerance. If one of the DNS servers specified in the conditional forwarder is down or otherwise unable to respond, the AD DNS server can still resolve queries by contacting one of the other servers in the list.

CONDITIONAL FORWARDER INTEGRATION

When you’re configuring a conditional forwarder in DNS, you have an option that says “Store this conditional forwarder in Active Directory, and replicate as follows”.

This option means that the configuration of the conditional forwarder will be stored in Active Directory, rather than just on the local DNS server. This allows the conditional forwarder configuration to be replicated to other DNS servers in your Active Directory environment.

As for the “and replicate as follows” part, it refers to the scope of the replication. You can choose between the following options:

1. To all DNS servers running on domain controllers in this domain: This option replicates the conditional forwarder to all DNS servers running on domain controllers within the same domain.

2. To all DNS servers running on domain controllers in this forest: This option replicates the conditional forwarder to all DNS servers running on domain controllers in the entire forest.

By storing the conditional forwarder in Active Directory and setting the correct replication scope, you can ensure that all of your DNS servers have the correct conditional forwarder configuration and that any changes you make to that configuration will be propagated automatically to all servers.
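Both the ordered forwarder list from the previous section and the AD-integrated replication scope described here can be set with the DnsServer module. This is an added example, not code from the original post; it assumes two domain controllers running DNS, dc01 and dc02, and uses the forwarder IPs listed on this page.

```powershell
# Added example (not from the original post). Assumed names: dc01 and dc02 are domain
# controllers running DNS. Run from an elevated session with the DnsServer module loaded.
$Zone    = 'cordero.me'
$Masters = '1.1.1.1', '2.2.2.2', '3.3.3.4', '4.4.4.4'   # tried in this order (failover)

# Create the conditional forwarder, store it in AD and replicate it to all DNS servers
# on domain controllers in the forest. ForwarderTimeout is the number of seconds the
# server waits on one address before moving to the next one in the list.
Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $Masters `
    -ForwarderTimeout 3 -ReplicationScope 'Forest' -ComputerName 'dc01' -PassThru

# Confirm the stored order; the first address is the one queried first.
(Get-DnsServerZone -Name $Zone -ComputerName 'dc01').MasterServers

# With Forest scope the zone should appear on every DNS server on a DC in the forest
# once AD replication completes; verify on a second DC rather than trusting dc01 alone.
Get-DnsServerZone -Name $Zone -ComputerName 'dc02' |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, MasterServers, ForwarderTimeout

# Reordering or replacing the forwarder list later is done in place and, because the
# zone is AD-integrated, the change replicates to the other DCs automatically.
Set-DnsServerConditionalForwarderZone -Name $Zone -ComputerName 'dc01' `
    -MasterServers '2.2.2.2', '1.1.1.1', '3.3.3.4', '4.4.4.4'

# Check each listed master directly: the AD DNS server caches whatever the first
# responding master returns, so every address in the list must be a server you trust.
foreach ($ip in $Masters) {
    $r = Resolve-DnsName -Name "www.$Zone" -Type A -Server $ip -DnsOnly -ErrorAction SilentlyContinue
    '{0,-10} {1}' -f $ip, $(if ($r.IPAddress) { $r.IPAddress -join ',' } else { 'no answer' })
}
```

A master that shows "no answer" here is the case in step 5 of the previous section: the AD DNS server will skip it after ForwarderTimeout and try the next address.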