AD DNS Problem with 2 Domains

I have 2 Windows 2000 AD DOMAINS, domain1.com and domain2.com, running on the same IP subnet. The domains are set up with a functioning trust.

Both domains use AD integrated DNS that's hosted on AD servers in the domain1.com domain.

Zone transfers are enabled for servers listed on the name servers tab. Secure updates are enabled. All DNS records function and replicate to DNS servers in domain1.com (this includes all records for the domain2.com zone.)

I'm now setting up a new subnet that will extend the domain2.com domain to a new site.
IP routing is functioning between the sites, and there are no FW policies in place that block traffic between the subnets. I've also set up a new site & subnet in AD Sites & Svcs.

Only domain2.com will be set up at the new site, so I've set up an additional DC for domain2.com on the remote subnet, listing the domain1.com IP address as the primary DNS server before running DCPromo. DNS server was installed on the new DC but not configured before running DCPromo.

After running DCPromo and rebooting, all seems well (including AD replication) with the exception of DNS.

When I open the DNS snap-in I see the zones for domain1.com and domain2.com, but none of the records have replicated from the domain1.com DNS servers. Only the name server and host records for the domain2.com domain controllers are listed.

Dcdiag gives me no errors. There are no errors in the event log.
Repadmin /showreps shows successful attempts for inbound domain2.com neighbors, and displays nothing under outbound neighbors.

Could this be some kind of permission problem between the DNS servers on domain1.com and the domain/DNS servers in domain2.com?

To test, I tried setting up AD integrated DNS on one of the other domain2.com servers on the existing subnet, and I get the *same* result.

When I set up an additional domain1.com DC with DNS on the new subnet, DNS works perfectly. All records are displayed and replicated. This eliminates IP routing/firewall problems.

This definitely has something to do with the fact that the primary AD DNS for domain2.com is hosted on the domain1.com DCs.

Are there permissions that I can set on the domain1.com DC to make this work or is this setup just wrong?

Should I set up a standard secondary DNS in the new subnet instead of AD integrated?

Domain2.com was originally set up to use domain1.com's DNS server because all machines are on the same subnet and share DHCP configuration.
Is there a way to migrate domain2.com's DNS to a domain2.com AD server while still sharing the same subnet/DHCP configuration?

Thanks for any help!
Asked by tdelia

Chris Dent (PowerShell Developer) commented (accepted solution):

That makes sense.

AD Integrated is just a storage and replication mechanism for DNS. It means the zone data is stored in the directory. You can see that under AD Users and Computers if you turn on Advanced Features and look under System then MicrosoftDNS.

You should, hopefully, see that the DNS Data held in domain2.com is fairly limited as it only exists in the AD Domain domain1.com.

So you have a few choices:

1. Have all Servers and Clients in the remote site use the Main Site's DNS Servers for name resolution.

This is perhaps the easiest solution, but gives no independence to the remote site. If that's a requirement we should move on.

2. This option is more complex; we have to go back to a more traditional approach to the DNS configuration. This has its own pitfalls which we can cover in a moment, the main one being that Secondary zones are Read Only.

Main Site:

 - Install the DNS Service onto Domain2.com's DCs
 - Add a Primary AD Integrated Zone for Domain2.com to Domain2.com's DCs
 - Change Domain2.com's DCs to refer to themselves for DNS Resolution
 - Add a Secondary Zone to each of Domain2.com's DCs for Domain1.com
 - Remove Domain2.com from the DCs for Domain1.com
 - Add a Secondary Zone to each of Domain1.com's DCs for Domain2.com

Remote Site:

 - AD Replication will take care of the addition of the zone for Domain2.com
 - Add a Secondary Zone to each of the Domain2.com DCs for Domain1.com
 - Change Domain2.com's DCs to refer to themselves for DNS Resolution

While this configuration is technically correct it does leave client updates a little dead. As clients in the main site will still be referring to the DCs for Domain1.com, they won't be able to add records for themselves into domain2.com.

Probably best if I pass this back to you so you can read through and see what you think at this stage.

Chris
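The reconfiguration in option 2 above, as an added example that is not part of the thread or of Chris's own tooling. It assumes current Windows Server DCs with the ActiveDirectory and DnsServer PowerShell modules (Windows 2000, the platform in the question, has neither; dnscmd.exe from the Support Tools is the contemporary equivalent), and the host names and addresses are placeholders. It also carries the check from the top of the comment (where the dnsZone objects actually live) and adds a pre-move export of the zone that the comment does not mention.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
# Added example, not from the thread. Assumes current Windows Server DCs with the
# ActiveDirectory and DnsServer modules; names and addresses below are placeholders.
# Run from an admin host with rights in both domains (the trust is already in place).

$Domain1      = 'domain1.com'
$Domain2      = 'domain2.com'
$Domain1Dc    = 'dc1.domain1.com'                      # hosts both zones today (assumed name)
$Domain1DcIp  = '10.0.0.10'
$Domain2Dcs   = 'dc1.domain2.com', 'dc2.domain2.com'    # main site, remote site (assumed)
$Domain2DcIps = '10.0.0.20', '10.1.0.20'

# --- 0. Where is the zone data stored? (the ADUC > System > MicrosoftDNS check) ---
# With the Windows 2000 style ("Legacy") replication scope a zone is a dnsZone object under
# CN=MicrosoftDNS,CN=System of the DOMAIN partition that holds it, so a domain2.com zone
# created on domain1.com's DCs replicates only to DCs of domain1.com.
function Get-StoredDnsZone {
    param([string]$Domain)
    $dn = 'CN=MicrosoftDNS,CN=System,' + ((($Domain -split '\.') | ForEach-Object { "DC=$_" }) -join ',')
    Get-ADObject -Server $Domain -SearchBase $dn -SearchScope OneLevel -Filter 'objectClass -eq "dnsZone"' |
        Select-Object -ExpandProperty Name
}
"Zones stored in $Domain1 : " + ((Get-StoredDnsZone $Domain1) -join ', ')   # domain1.com, domain2.com
"Zones stored in $Domain2 : " + ((Get-StoredDnsZone $Domain2) -join ', ')   # nothing useful yet

# --- 1. Keep a copy of what domain1.com currently holds for domain2.com ---
# Export-DnsServerZone writes into %SystemRoot%\System32\dns on the target server.
Export-DnsServerZone -Name $Domain2 -FileName "$Domain2.before-move.txt" -ComputerName $Domain1Dc

# --- 2. Main and remote site: DNS on domain2.com's DCs, primary zone for domain2.com ---
foreach ($dc in $Domain2Dcs) {
    Install-WindowsFeature -Name DNS -IncludeManagementTools -ComputerName $dc | Out-Null
}
# Create the AD-integrated zone once; the other domain2.com DCs load it from the directory
# after replication ("AD Replication will take care of the addition of the zone").
Add-DnsServerPrimaryZone -Name $Domain2 -ReplicationScope Legacy -DynamicUpdate Secure `
    -ComputerName $Domain2Dcs[0]

foreach ($i in 0..($Domain2Dcs.Count - 1)) {
    $dc = $Domain2Dcs[$i]
    # Read-only copy of domain1.com, pulled by zone transfer from domain1's DC.
    Add-DnsServerSecondaryZone -Name $Domain1 -ZoneFile "$Domain1.dns" -MasterServers $Domain1DcIp `
        -ComputerName $dc
    # Each domain2.com DC resolves against itself first, then its sibling.
    $order = @($Domain2DcIps[$i]) + @($Domain2DcIps | Where-Object { $_ -ne $Domain2DcIps[$i] })
    Invoke-Command -ComputerName $dc -ScriptBlock {
        Get-NetAdapter -Physical | Set-DnsClientServerAddress -ServerAddresses $using:order
        ipconfig /registerdns | Out-Null      # host (A) record into the new zone
        nltest /dsregdns | Out-Null           # DC locator (SRV) records into the new zone
    }
    # Let domain1.com's DC pull domain2.com from here later (step 4).
    Set-DnsServerPrimaryZone -Name $Domain2 -SecureSecondaries TransferToSecureServers `
        -SecondaryServers $Domain1DcIp -ComputerName $dc
}
# Allow the transfer in the other direction (domain1.com -> domain2.com's DCs).
Set-DnsServerPrimaryZone -Name $Domain1 -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $Domain2DcIps -ComputerName $Domain1Dc

# --- 3. Do not touch domain1's copy until the new zone answers for the DC locator records ---
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain2" -Type SRV -Server $Domain2DcIps[0] -DnsOnly

# --- 4. domain1.com's DC: drop its copy of domain2.com, then hold it as a secondary ---
# Removing a DS-integrated zone deletes the dnsZone object from domain1's directory; a DNS
# server cannot hold two zones of the same name, so this must happen before the secondary.
Remove-DnsServerZone -Name $Domain2 -ComputerName $Domain1Dc -Force
Add-DnsServerSecondaryZone -Name $Domain2 -ZoneFile "$Domain2.dns" -MasterServers $Domain2DcIps `
    -ComputerName $Domain1Dc

# --- 5. Verify: every server has both zones, with the expected type on each side ---
foreach ($srv in @($Domain1Dc) + $Domain2Dcs) {
    Get-DnsServerZone -ComputerName $srv | Where-Object ZoneName -in $Domain1, $Domain2 |
        Select-Object @{n = 'Server'; e = { $srv }}, ZoneName, ZoneType, IsDsIntegrated
}

# Caveat from the comment: main-site clients still point at domain1's DC, whose copy of
# domain2.com is now read-only, so their dynamic updates for domain2.com fail there.
```

The export in step 1 is a safety net, not a migration path: the new domain2.com zone starts empty and is repopulated by the DCs' own registrations, so any static records that lived in domain1's copy have to be re-created by hand from that file.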
Chris Dent (PowerShell Developer) commented:

Your new DC on Domain2.com will only replicate AD Data from other DCs within Domain2.com.

Do the servers for Domain2.com have the full set of records on the primary network?

If so, how? Zone Transfers?

Chris
tdelia (Author) commented:
Thanks so much for responding.

I think this is the crux of the problem, but don't know how to work my way around or out of it:
"Your new DC on Domain2.com will only replicate AD Data from other DCs within Domain2.com."

The domain2.com servers still point to the domain1.com DNS server. I did this because DHCP on this network directs clients in both domains to the same primary/secondary DNS servers.

None of the domain2.com DCs are running DNS servers -- I believe that's why I'm not seeing the full set of records when I start a DNS server on the domain2.com servers. I only see the domain1.com and domain2.com zones and server records.

Everything has worked well up to this point... I assumed that because the original AD setup of domain2.com allowed me to use "AD integrated" on the domain1.com server that I was OK.

So how do I work my way around/out of this given that all machines on this subnet use the same DNS settings? Can I transfer the domain2.com zone to DNS servers on the domain2.com domain, and still have all clients point to the domain1.com DNS server?

Thanks again!
tdelia (Author) commented:
I definitely need to make sure that the remote site can function if there's a connectivity problem. That's kind of where this all began.

Client updates might also be a problem.

Would it be possible to set up a domain2.com DC/DNS server at the remote site, but with a secondary zone to domain1.com and domain2.com from the domain1.com server? Not sure if this is possible because of a conflict with the domain2.com namespace...

If the DNS server would allow it, I could also set up a secondary zone for domain2.com (from the remote site) on the domain1.com server. All users at the primary site could still point to and make client updates to the domain1.com DNS server. Users at the second site would point to the site 2 domain2.com server and update it. Each site could read the other site's records. In that scenario, would DNS check the secondary zone if it didn't find a record in the primary AD integrated zone with the same name?

Chris Dent (PowerShell Developer) commented:

>Would it be possible to setup a domain2.com DC/DNS server at
> the remote site, but with a secondary zone to domain1.com
> and domain2.com from the domain1.com server?

Yes. But you would have to delete the domain2.com zone from that server (and out of domain2.com's AD entirely).

Remember that using Secondary zones means they would be Read Only. Clients and Servers on that site would be unable to perform updates against the Read Only zones.

Updates are never referred, so anything on the remote site would simply fail to update DNS. That includes the Domain Controller itself which gets in the way if you use Aging / Scavenging in DNS at all.

If using Secondary Zones in that fashion you should ensure that the Expire interval in the SOA (Start of Authority) Record for the zone is sufficiently high that the Secondary zone won't disappear should the connection drop.

Chris
tdelia (Author) commented:
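An added example, not from the thread, for the two points above: that the remote copy is a read-only secondary which rejects writes, and that the SOA Expire interval on the primary is long enough to outlast a lost WAN link. It assumes a current Windows Server DNS host with the DnsServer module; the host names and the 14-day threshold are placeholders.

```powershell
#Requires -Modules DnsServer
# Added example, not from the thread. Assumes current Windows Server DNS hosts with the
# DnsServer module; names and the threshold are placeholders.
$Zone      = 'domain1.com'
$PrimaryDc = 'dc1.domain1.com'    # writable, AD-integrated copy (assumed name)
$RemoteDns = 'dc2.domain2.com'    # holds domain1.com as a secondary (assumed name)
$MinExpire = [TimeSpan]::FromDays(14)

# 1. What the remote server holds: ZoneType Secondary, not DS-integrated, with its master list.
Get-DnsServerZone -Name $Zone -ComputerName $RemoteDns |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers

# 2. A secondary is read-only: a write against it fails, which is the same fate a client's
#    dynamic update meets there (updates are answered by the server asked, never referred).
try {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'rw-probe' -IPv4Address '10.1.0.99' `
        -ComputerName $RemoteDns -ErrorAction Stop
    Write-Warning "write succeeded on $RemoteDns; this is not a secondary zone"
} catch {
    "expected: write to $Zone on $RemoteDns rejected ($($_.Exception.Message))"
}

# 3. The SOA as the secondary serves it. Expire is the clock that runs down while the master
#    is unreachable; at zero the secondary stops answering for the zone.
function Test-SoaExpire {
    param([string]$ZoneName, [string]$Server, [TimeSpan]$Minimum)
    $soa = Resolve-DnsName -Name $ZoneName -Type SOA -Server $Server -DnsOnly |
           Where-Object Type -eq 'SOA'
    $expire = [TimeSpan]::FromSeconds($soa.TimeToExpiration)
    [pscustomobject]@{
        Zone    = $ZoneName
        Server  = $Server
        Serial  = $soa.SerialNumber
        Refresh = [TimeSpan]::FromSeconds($soa.TimeToZoneRefresh)
        Retry   = [TimeSpan]::FromSeconds($soa.TimeToZoneFailureRetry)
        Expire  = $expire
        Ok      = $expire -ge $Minimum
    }
}
$check = Test-SoaExpire -ZoneName $Zone -Server $RemoteDns -Minimum $MinExpire
$check

# 4. Too short? Raise it on the writable copy; the server bumps the serial, and a forced
#    transfer brings the new SOA to the secondary without waiting for the refresh timer.
if (-not $check.Ok) {
    $old = Get-DnsServerResourceRecord -ZoneName $Zone -RRType Soa -ComputerName $PrimaryDc
    $new = $old.Clone()
    $new.RecordData.ExpireLimit = $MinExpire
    Set-DnsServerResourceRecord -ZoneName $Zone -OldInputObject $old -NewInputObject $new `
        -ComputerName $PrimaryDc
    Start-DnsServerZoneTransfer -Name $Zone -ComputerName $RemoteDns -FullTransfer
    Test-SoaExpire -ZoneName $Zone -Server $RemoteDns -Minimum $MinExpire
}

# 5. The scavenging interaction mentioned above: if aging is on for the zone, records that a
#    remote host can no longer refresh (because its updates hit a read-only copy) become
#    candidates for deletion after NoRefresh + Refresh.
Get-DnsServerZoneAging -Name $Zone -ComputerName $PrimaryDc |
    Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval
```

Expire is compared as seen from the secondary on purpose: the primary's SOA may already have been raised, but the remote copy only benefits once the change has transferred.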
Thanks, Chris. You've been incredibly helpful.

Now that I know the domain2.com setup was functioning as it should, I think I may just expand upon what's already in place.

It will cost me a machine, but if I set up a domain1.com DC/DNS server at the remote site, I can point the domain2.com DNS clients (and AD servers) to them (as we do at the primary site).
This would provide AD replication, client updates, and fault tolerance should I lose the connection between sites.

Chris Dent (PowerShell Developer) commented:

That would work very well indeed :)

Chris