
DNS zones on separate subnets under same AD Domain Name.

acrodriguez asked
Last Modified: 2011-08-18
I have two nets: 192.168.1.x and 192.168.2.x. My 192.168.1.x net hosts my DC with the primary DNS zone (domain.org) and AD. I have the nets connected by VPN. What zone file should I use for my 192.168.2.x net? The DC on 192.168.2.x I installed as an additional domain controller within the same domain.org AD domain. It replicates fine with the DC on 192.168.1.x. What zone type should I use and what zone name can I use? I have not had time to finish my MCSE yet, so I'm designing and learning as I go along. The DNS is my last piece of the puzzle. I have DHCP on the 192.168.2.x DC, and the DNS is set up for the 192.168.2.x, then 192.168.1.x and then the DNS of the ISPs.

Top Expert 2005

Make the Primary site DNS Zones Active Directory Integrated.

Make sure the remote DC is pointing to the main site's DNS server only.
Simply install DNS on the other DC and wait.
All zones should replicate to the remote server from the parent.

Once complete, point the remote server to itself for DNS and all the clients on this subnet should point to it also.

Configure Forwarder to the ISP on both networks - do not Forward from the remote site to the parent site (there's no point since all records on both servers should be the same).


Netman66, thank you. So, make the remote site have its own primary zone with Active Directory Integrated. Correct? I also added reverse address lookups for security. Your opinion please?
Top Expert 2005

If the Main site has Zones that are AD Integrated, then you only have to install DNS on the server - you do not need to create ANY zones.  Replication will create them for you.  In fact, if you do create them you will cause them to be out of sync.

I suppose the Reverse Zone can be created since it differs from the main site.


My apologies for my ignorance here. In reading about Active Directory Integrated DNS, when using different sites with different subnets, it was best to use a DC with DNS on all subnets, all under the same domain name, each as a Global Catalog server, especially when using VPNs. You're saying I don't have to add a primary zone to the DNS server at the remote site because it will cause sync problems between the DNS systems. The replication will handle everything. I'm using a cost of 50 on the DEFAULTIPSITELINK because the VPN connections are T-1s.
So what about redundancy if I lose the DC at the main site? How will the remote site handle the issue if the primary zone is not present?
Top Expert 2005
No problem - if we don't ask, we don't learn!

OK... let's start from the top.

Your Primary site has a working DNS.
You make each zone AD Integrated.
On the Remote DC, point it only to the main site's DNS.
Install DNS on the Remote DC.
Once it's installed, it registers itself with DNS on the main site as a Service (DNS).
Since the Zones on the main site are AD Integrated, they will replicate to the new DNS server - there is no need to create zones, they will replicate (by default) like so:

_msdcs.forestrootdomain.com   <<= replication scope is All DNS servers in the Forest.
forestrootdomain.com               <<= replication scope is All DNS servers in the Domain.

Reverse Zones are the same.

Since the remote site is on a different subnet, you need to set up a reverse zone there.  It will replicate anyway.

The key to all this is to use DHCP to set up the scope options and give out IPs.  Scope option 003 is the router's IP; 005 and 006 are your DNS servers (for the remote site, place the remote DC as Primary and the Main site as Secondary).  The reverse will be true at the Main site.

Once the zones are AD Integrated and there is more than one DNS server, pointing the DNS servers to themselves is okay since replication will bring all servers in sync.  Make sure there are NO ISP DNS entries anywhere inside your LAN on either site - this means no ISP DNS address on any NIC (including and especially the server).  The only place to add the ISP info is the Forwarder tab on your own DNS server.  Each site should Forward to its respective ISP.

You should also not change any sitelink costs unless you know exactly what you are doing.  Since you only have one link, this setting is best left alone.

If you lose the main site DNS server, then all clients should have the opposite site's DNS server as the Secondary.  As mentioned above, this is easily done on the Scope Option for the Scope in each site.  Be careful not to set Server Options unless they are the same on both sites.  Normally, you only deal with Scope Options.

I hope that helps somewhat.
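The steps laid out above, written as an added PowerShell example that is not part of this thread. It assumes Windows Server 2012 or later with the DnsServer, DhcpServer and DnsClient modules; the IP addresses, the 'Ethernet' interface alias and the ISP resolver are constructed placeholders.

```powershell
# Added example, not from the thread. Constructed addresses:
# 192.168.1.10 = main-site DC/DNS, 192.168.2.10 = remote DC,
# 192.168.2.1 = remote router, 203.0.113.53 = remote site's ISP resolver (placeholder).
$MainDns   = '192.168.1.10'
$RemoteDns = '192.168.2.10'
$RemoteGw  = '192.168.2.1'
$IspDns    = '203.0.113.53'

# 1. On the main-site DC: convert the existing file-backed zones to AD-integrated so
#    they replicate through AD rather than by zone transfer.
ConvertTo-DnsServerPrimaryZone -ComputerName $MainDns -Name 'domain.org' -ReplicationScope Domain -Force
ConvertTo-DnsServerPrimaryZone -ComputerName $MainDns -Name '1.168.192.in-addr.arpa' -ReplicationScope Domain -Force

# 2. On the remote DC: point its NIC only at the main-site DNS, then install the DNS role.
#    Create no zones here; AD replication delivers them.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $MainDns
Install-WindowsFeature -Name DNS -IncludeManagementTools

# 3. Wait until the replicated, AD-integrated forward zone shows up locally.
do {
    Start-Sleep -Seconds 30
    $zones = Get-DnsServerZone | Where-Object { $_.IsDsIntegrated }
} until ($zones.ZoneName -contains 'domain.org')

# 4. Add the reverse zone for the remote subnet; AD-integrated, so it replicates back too.
Add-DnsServerPrimaryZone -NetworkId '192.168.2.0/24' -ReplicationScope Domain

# 5. Forward only to the ISP (never remote -> main), then point the DC at itself first
#    and the main site second.
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $RemoteDns, $MainDns

# 6. DHCP *scope* options for the remote subnet: 003 router, 006 DNS servers
#    (remote DC first, main site second so clients survive loss of either site).
Set-DhcpServerv4OptionValue -ScopeId '192.168.2.0' -Router $RemoteGw -DnsServer $RemoteDns, $MainDns -DnsDomain 'domain.org' -Force

# 7. Audit: no NIC on this server may still list the ISP resolver.
$leaks = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -contains $IspDns }
if ($leaks) { Write-Warning "ISP DNS still set on: $($leaks.InterfaceAlias -join ', ')" }
```

Run steps 2 to 7 on the remote DC; step 1 can be run from there as well, since the cmdlet targets the main-site server by name.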

