

AD DNS Problem with 2 Domains

Posted on 2007-10-10
Medium Priority
Last Modified: 2013-12-05
I have 2 Windows 2000 AD DOMAINS, domain1.com and domain2.com, running on the same IP subnet. The domains are set up with a functioning trust.

Both domains use AD integrated DNS that's hosted on AD servers in the domain1.com domain.

Zone transfers are enabled for servers listed on the name servers tab. Secure updates are enabled. All DNS records function and replicate to DNS servers in domain1.com (this includes all records for the domain2.com zone.)

I'm now setting up a new subnet that will extend the domain2.com domain to a new site.
IP routing is functioning between the sites, and there are no FW policies in place that block traffic between the subnets. I've also set up a new site & subnet in AD Sites & Svcs.

Only domain2.com will be set up at the new site, so I've set up an additional DC for domain2.com on the remote subnet, listing the domain1.com IP address as the primary DNS server before running DCPromo. DNS server was installed on the new DC but not configured before running DCPromo.

After running DCPromo and rebooting, all seems well (including AD replication) with the exception of DNS.

When I open the DNS snap-in I see the zones for domain1.com and domain2.com, but none of the records have replicated from the domain1.com DNS servers. Only the name server and host records for the domain2.com domain controllers are listed.

Dcdiag gives me no errors. There are no errors in the event log.
Repadmin /showreps shows successful attempts for inbound domain2.com neighbors, and displays nothing under outbound neighbors.

Could this be some kind of permission problem between the DNS servers on domain1.com and the domain/DNS servers in domain2.com?

To test, I tried setting up AD integrated DNS on one of the other domain2.com servers on the existing subnet, and I get the *same* result.

When I set up an additional domain1.com DC with DNS on the new subnet, DNS works perfectly. All records are displayed and replicated. This eliminates IP routing/firewall problems.

This definitely has something to do with the fact that the primary AD DNS for domain2.com is hosted on the domain1.com DCs.

Are there permissions that I can set on the domain1.com DC to make this work or is this setup just wrong?

Should I set up a standard secondary DNS in the new subnet instead of AD integrated?

Domain2.com was originally set up to use domain1.com's DNS server because all machines are on the same subnet and share DHCP configuration.
Is there a way to migrate domain2.com's DNS to a domain2.com AD server while still sharing the same subnet/DHCP configuration?

Thanks for any help!
Question by:tdelia

Expert Comment

by:Chris Dent
ID: 20051269

Your new DC on Domain2.com will only replicate AD Data from other DCs within Domain2.com.

Do the servers for Domain2.com have the full set of records on the primary network?

If so, how? Zone Transfers?


Author Comment

ID: 20051424
Thanks so much for responding.

I think this is the crux of the problem, but don't know how to work my way around or out of it:
"Your new DC on Domain2.com will only replicate AD Data from other DCs within Domain2.com."

The domain2.com servers still point to the domain1.com DNS server. I did this because DHCP on this network directs clients in both domains to the same primary/secondary DNS servers.

None of the domain2.com DCs are running DNS servers -- I believe that's why I'm not seeing the full set of records when I start a DNS server on the domain2.com servers. I only see the domain1.com and domain2.com zones and server records.

Everything has worked well up to this point... I assumed that because the original AD setup of domain2.com allowed me to use "AD integrated" on the domain1.com server that I was OK.

So how do I work my way around/out of this given that all machines on this subnet use the same DNS settings? Can I transfer the domain2.com zone to DNS servers on the domain2.com domain, and still have all clients point to the domain1.com DNS server?

Thanks again!

Accepted Solution

Chris Dent earned 2000 total points
ID: 20051566

That makes sense.

AD Integrated is just a storage and replication mechanism for DNS. It means the zone data is stored in the directory. You can see that under AD Users and Computers if you turn on Advanced Features and look under System then MicrosoftDNS.

You should, hopefully, see that the DNS Data held in domain2.com is fairly limited as it only exists in the AD Domain domain1.com.

So you have a few choices:

1. Have all Servers and Clients in the remote site use the Main Site's DNS Servers for name resolution.

This is perhaps the easiest solution, but gives no independence to the remote site. If that's a requirement we should move on.

2. This option is more complex: we have to go back to a more traditional approach to the DNS configuration. This has its own pitfalls which we can cover in a moment, the main one being that Secondary zones are Read Only.

Main Site:

 - Install the DNS Service onto Domain2.com's DCs
 - Add a Primary AD Integrated Zone for Domain2.com to Domain2.com's DCs
 - Change Domain2.com's DCs to refer to themselves for DNS Resolution
 - Add a Secondary Zone to each of Domain2.com's DCs for Domain1.com
 - Remove Domain2.com from the DCs for Domain1.com
 - Add a Secondary Zone to each of Domain1.com's DCs for Domain2.com

Remote Site:

 - AD Replication will take care of the addition of the zone for Domain2.com
 - Add a Secondary Zone to each of the Domain2.com DCs for Domain1.com
 - Change Domain2.com's DCs to refer to themselves for DNS Resolution

While this configuration is technically correct it does leave client updates a little dead. As clients in the main site will still be referring to the DCs for Domain1.com, they won't be able to add records for themselves into domain2.com.

Probably best if I pass this back to you so you can read through and see what you think at this stage.
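The main-site steps of option 2, written out as an added example that is not part of the thread. It uses the DnsServer PowerShell module cmdlets that exist on Windows Server 2012 and later; the original environment is Windows 2000, where the same steps are done in the DNS snap-in or with dnscmd. Step 0 is the check Chris describes (where the zone is actually stored) done from the command line instead of AD Users and Computers. Every host name, IP address and interface alias below is a constructed placeholder.

```powershell
# Added example, not from the thread. Run on the main-site Domain2.com DC.
# Assumes the DnsServer and DnsClient modules (Windows Server 2012+).
$Domain2Zone  = 'domain2.com'
$Domain1Zone  = 'domain1.com'
$Domain1DnsIp = '192.0.2.10'                        # assumed: an existing Domain1.com DC/DNS server
$Domain2DcIps = @('192.0.2.20', '198.51.100.20')    # assumed: Domain2.com DCs, main and remote site
$Nic          = 'Ethernet'                          # assumed: interface alias on this DC

# 0. Where does the zone live today? Seen from the Domain1.com DNS server,
#    domain2.com is a DS-integrated zone in domain1.com's directory partition,
#    so no Domain2.com DC ever receives it through AD replication.
Get-DnsServerZone -ComputerName $Domain1DnsIp |
    Where-Object { $_.ZoneName -in @($Domain2Zone, $Domain1Zone) } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DirectoryPartitionName

# Keep a file copy of the current domain2.com data before anything is removed.
Export-DnsServerZone -ComputerName $Domain1DnsIp -Name $Domain2Zone -FileName "$Domain2Zone.before-move.bak"

# 1. Install the DNS service on the Domain2.com DC (no-op if already present).
Install-WindowsFeature -Name DNS -IncludeManagementTools

# 2. Create domain2.com as an AD-integrated primary replicated to every DC in
#    Domain2.com; the remote-site DC then receives it by AD replication.
Add-DnsServerPrimaryZone -Name $Domain2Zone -ReplicationScope Domain -DynamicUpdate Secure

# 3. Point this DC at itself for name resolution.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses '127.0.0.1'

# 4. Hold a read-only secondary copy of domain1.com, transferred from Domain1.com's DNS.
Add-DnsServerSecondaryZone -Name $Domain1Zone -ZoneFile "$Domain1Zone.dns" -MasterServers $Domain1DnsIp

# 5. Allow Domain1.com's DNS server to pull domain2.com, remove the old copy
#    from Domain1.com's directory, and replace it there with a secondary zone.
Set-DnsServerPrimaryZone -Name $Domain2Zone -SecureSecondaries TransferToSecureServers -SecondaryServers $Domain1DnsIp
Remove-DnsServerZone -ComputerName $Domain1DnsIp -Name $Domain2Zone -Force
Add-DnsServerSecondaryZone -ComputerName $Domain1DnsIp -Name $Domain2Zone -ZoneFile "$Domain2Zone.dns" -MasterServers $Domain2DcIps

# 6. Re-register this DC's own A/SRV records into the zone it now owns.
Register-DnsClient
Restart-Service Netlogon

# Verify: the zone is now DS-integrated in Domain2.com and holds more than the NS/host records.
Get-DnsServerZone -Name $Domain2Zone | Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope
(Get-DnsServerResourceRecord -ZoneName $Domain2Zone).Count
```

Step 5 is the destructive one: the export in step 0 is the rollback path, and the order (create the new primary, allow transfers, then remove the old copy) matters because Domain1.com's new secondary can only be populated from a zone that already exists. The remote-site DC needs only steps 3 and 4, as the accepted answer says.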



Author Comment

ID: 20051816
I definitely need to make sure that the remote site can function if there's a connectivity problem. That's kind of where this all began.

Client updates might also be a problem.

Would it be possible to set up a domain2.com DC/DNS server at the remote site, but with a secondary zone to domain1.com and domain2.com from the domain1.com server? Not sure if this is possible because of a conflict with the domain2.com namespace...

If the DNS server would allow it, I could also set up a secondary zone for domain2.com (from the remote site) on the domain1.com server. All users at the primary site could still point to and make client updates to the domain1.com DNS server. Users at the second site would point to the site 2 domain2.com server and update it. Each site could read the other site's records. In that scenario, would DNS check the secondary zone if it didn't find a record in the primary AD integrated zone with the same name?


Expert Comment

by:Chris Dent
ID: 20051943

>Would it be possible to setup a domain2.com DC/DNS server at
> the remote site, but with a secondary zone to domain1.com
> and domain2.com from the domain1.com server?

Yes. But you would have to delete the domain2.com zone from that server (and out of domain2.com's AD entirely).

Remember that using Secondary zones means they would be Read Only. Clients and Servers on that site would be unable to perform updates against the Read Only zones.

Updates are never referred, so anything on the remote site would simply fail to update DNS. That includes the Domain Controller itself which gets in the way if you use Aging / Scavenging in DNS at all.

If using Secondary Zones in that fashion you should ensure that the Expire interval in the SOA (Start of Authority) Record for the zone is sufficiently high that the Secondary zone won't disappear should the connection drop.
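An added example, not part of Chris's answer, of the two checks he raises for a secondary zone at the remote site: that the zone is in fact read-only (so updates from that site will fail rather than be forwarded), and that the SOA Expire interval is long enough to survive a WAN outage. The Expire value belongs to the primary's SOA record and is only copied by the secondary, so the change is made on the master. Names, addresses and the 14-day floor are constructed assumptions; the cmdlets are from the DnsServer module (Windows Server 2012+), not the Windows 2000 tools used in the thread.

```powershell
# Added example, not from the thread. Assumes the DnsServer module.
$Zone      = 'domain1.com'           # assumed: zone the remote DC holds as a secondary
$MasterDns = '192.0.2.10'            # assumed: primary for that zone at the main site
$MinExpire = New-TimeSpan -Days 14   # assumed floor for how long an outage may be ridden out

# 1. Confirm what the remote DC actually holds: a Secondary zone cannot accept
#    dynamic updates, so anything on this site that tries to register will fail.
Get-DnsServerZone -Name $Zone |
    Select-Object ZoneName, ZoneType, IsReadOnly, DynamicUpdate, MasterServers

# 2. Read the SOA from the master and compare its Expire to the floor.
$soa = Get-DnsServerResourceRecord -ComputerName $MasterDns -ZoneName $Zone -RRType Soa
"Current Expire for $Zone on $MasterDns : $($soa.RecordData.ExpireLimit)"

if ($soa.RecordData.ExpireLimit -lt $MinExpire) {
    # Set-DnsServerResourceRecord needs the old and the edited copy of the record.
    $new = $soa.Clone()
    $new.RecordData.ExpireLimit = $MinExpire
    Set-DnsServerResourceRecord -ComputerName $MasterDns -ZoneName $Zone `
        -OldInputObject $soa -NewInputObject $new
    "Raised Expire to $MinExpire; secondaries copy the new SOA on their next transfer."
}

# 3. Pull a full transfer now so the remote copy carries the new SOA immediately,
#    then confirm the serial numbers match on both sides.
Start-DnsServerZoneTransfer -Name $Zone -FullTransfer
$remoteSoa = Get-DnsServerResourceRecord -ZoneName $Zone -RRType Soa
"Master serial: $($soa.RecordData.SerialNumber)  Remote serial: $($remoteSoa.RecordData.SerialNumber)"
```

Step 1 is also the quickest way to see the scavenging problem Chris mentions: a DC whose own zone is read-only from its point of view never refreshes its records, so with aging enabled those records age out on the primary.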


Author Comment

ID: 20052110
Thanks, Chris. You've been incredibly helpful.

Now that I know the domain2.com setup was functioning as it should, I think I may just expand upon what's already in place.

It will cost me a machine, but if I set up a domain1.com DC/DNS server at the remote site, I can point the domain2.com DNS clients (and AD servers) to them (as we do at the primary site.)
This would provide AD replication, client updates, and fault tolerance should I lose the connection between sites.


Expert Comment

by:Chris Dent
ID: 20052124

That would work very well indeed :)

