DIFFICULT Forest Trust w/ DMZ issue -- Same namespaces in DNS

Posted on 2007-10-15
Medium Priority
Last Modified: 2008-05-31
I'm trying to create a one-way forest trust between my dmz and lan domains.  The DMZ has a 2003 active directory domain of dmz.local.  The internal lan has a 2003 active directory domain of company.com.  The problem I am having in creating the trust is that our dmz dns server contains a zone called company.com.  This is used as our public DNS record for this namespace.

The problem...our internal domain has the same namespace as a dns zone that is on our external dmz.  Therefore, I am unable to setup conditional forwarding on our external DC to point to our internal domain.  

I've tried using local host entries as well as local lmhosts entries to no avail.  I continue to get the error message saying there are currently no logon servers available.  

Is it possible to create the trust without using DNS forwarding in the dmz dns???  Is this possible by using the /etc/hosts or /etc/lmhosts???

Question by:netsec545
LVL 22

Expert Comment

ID: 20083710
Can you export the external company.com zone to a DNS server that will manage only that zone? Usually in the DMZ all servers are standalone servers, at most member servers. A trust relationship between your DMZ domain and internal domain will affect your security. So think again before implementing this trust.

LVL 30

Accepted Solution

LauraEHunterMVP earned 1000 total points
ID: 20084192
[1]  The scenario you are describing is called "split-brain DNS", and is non-trivial to set up and maintain.  See the following for a fuller description of the issue and what is involved in managing a split-brain DNS: http://www.minasi.com/sample-newsletter.htm

[2]  Of greater concern is this: why are you creating a trust relationship between your internal AD and your DMZ AD?  The # of firewall ports that you will need to open on your perimeter firewall (or the site-to-site VPN that would be required) to allow this will render your DMZ all but useless.

Assisted Solution

MSE-dwells earned 1000 total points
ID: 20085127
Since you've already been beaten to death ;0) on the politics of such a move, let's cover just the technical pieces.

A forest trust imposes the same DNS dependencies as Active Directory itself.  The trusting domain needs to be able to resolve the trusted domain ~fully -- the only exception worth noting is the CNAMEs used by the DRA (directory replication agent); you'll see them as GUIDs under the _msdcs subdomain ... these are unnecessary since domains sharing a trust relationship don't replicate anything.

Your only option is, as Laura says, to implement a split-brain DNS.  You cannot use /etc/hosts or lmhosts since a dependency exists on DNS SRV records that cannot be spoofed using either of these two files (which merely pre-populate a local cache).

Do the DCs in the DMZ really need to resolve the public 'company.com' namespace?
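The SRV dependency described in the comment above can be checked directly. The following is an added example (editor's code, not from anyone in this thread): run on a DMZ DC, it resolves the Locator SRV records for a hypothetical trusted forest root `company.com` through DNS only, skipping the hosts file so a hosts/lmhosts "fix" cannot mask the result, then asks the Locator itself. It assumes the DnsClient module (Windows Server 2012 / Windows 8 and later); on Windows Server 2003 the equivalent is `nslookup -type=SRV` per name followed by `nltest /dsgetdc:company.com`.

```powershell
# Added example (editor's, not from the thread): verify from a DMZ DC that the
# DNS records a forest trust depends on are resolvable for the internal forest.
# Hypothetical trusted forest root: company.com. Queries go to this host's
# configured resolver, DNS only, with the hosts file deliberately ignored.
param(
    [string]$TrustedForest = 'company.com'
)

# SRV records the DC Locator (DsGetDcName) queries when it looks for a DC in
# the trusted forest. The GUID CNAMEs under _msdcs are intentionally absent:
# they serve replication, which a trust never performs.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$TrustedForest",      # any DC in the forest root
    "_kerberos._tcp.dc._msdcs.$TrustedForest",  # any KDC
    "_ldap._tcp.pdc._msdcs.$TrustedForest",     # PDC emulator (trust creation)
    "_ldap._tcp.gc._msdcs.$TrustedForest",      # global catalog
    "_kerberos._tcp.$TrustedForest",
    "_ldap._tcp.$TrustedForest"
)

$results = foreach ($name in $srvNames) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -DnsOnly -NoHostsFile -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        foreach ($rec in $srv) {
            # Each SRV target must itself resolve to an address; a dangling
            # target still ends in "no logon servers available".
            $addr = Resolve-DnsName -Name $rec.NameTarget -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' } |
                    Select-Object -ExpandProperty IPAddress
            [pscustomobject]@{
                Record  = $name
                Target  = $rec.NameTarget
                Port    = $rec.Port
                Address = ($addr -join ',')
                Status  = if ($addr) { 'OK' } else { 'TARGET UNRESOLVED' }
            }
        }
    } catch {
        [pscustomobject]@{ Record = $name; Target = ''; Port = ''; Address = ''; Status = 'SRV MISSING' }
    }
}
$results | Format-Table -AutoSize

# The trust wizard relies on the Locator, so finish with the Locator's own verdict.
nltest /dsgetdc:$TrustedForest /force
```

Any row marked `SRV MISSING` while the same query succeeds against an internal DC confirms the split-brain problem: the DMZ resolver is answering for `company.com` from the public zone, which has no `_msdcs` tree, and no hosts-file entry can supply SRV records.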

Author Comment

ID: 20085347
I understand there are risks involved in establishing a trust between the 2 domains.  But the reasons for doing so are quite simple.  Allow internal developers, programmers, and administrators to access these DMZ machines by using their internal user id's.  Eliminate the sharing of a single administrator or web account used in the DMZ by many users and many departments.  

The design, while yes risky, does have some inherent advantages.  If we use IPSec filtering and encryption between all DMZ machines and internal machines, only allow the specific ports necessary for the trust, which is only a handful, and create only a one-way trust in which the inside AD does not trust the outside AD, then to me this option is worth investigating.  

I will look into the split-brain approach, but this does not seem to answer my trust issues.  From MSE-dwells response, it looks like DNS entries will be necessary for this to work.  


Expert Comment

ID: 20085386
Right ... I'm trying to gain a better understanding of what the 'machines' are in the DMZ that the devs. are accessing?  Do any or some *need* to resolve the public company.com or is it merely a zone held on a name server that sits in the DMZ facing the Net?

Author Comment

ID: 20086206
We have roughly 40 - 50 servers in the DMZ ranging from web, ftp, application, and ISA servers.

Hmmm...I'd have to think about how the DMZ servers interact with each other.  I doubt they need to know the public IP addresses, only their internal IP addresses.  So I could take the DNS servers out of the AD environment and split them into a segmented workgroup.  This would remove the need to have the company.com zone in the DMZ AD DNS.

Expert Comment

ID: 20086431
Assuming you have at least a couple of DCs in the DMZ, I was thinking you'd configure all devices in the DMZ to resolve against at least 2 of the DMZ's DCs (i.e. - preferred and alternate).  These DCs would obviously have the DNS service installed and would be configured to maintain an AD-integrated stub zone representing the internal 'company.com' AD-zone.  They would then be configured to forward to the other name servers within the DMZ.  This would permit the devices in the DMZ to resolve against the internal 'company.com' zone when chasing references to the trusted domain.

Obviously, this assumes the DCs don't already require the public 'company.com' zone ... hopefully it's food for thought.
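The stub-zone-plus-forwarder layout described in the comment above, as an added example (editor's code, not from anyone in this thread). It configures one DMZ DC's DNS service with an AD-integrated stub zone for the internal `company.com` and forwards everything else to a standalone DMZ name server. Addresses are hypothetical: internal DCs 10.10.0.11 and 10.10.0.12, standalone public DNS 192.0.2.53. It assumes the DnsServer PowerShell module (Windows Server 2012 and later); the Windows Server 2003 equivalents are given as `dnscmd` comments.

```powershell
# Added example (editor's, not from the thread): give the DMZ DCs a stub zone
# for the internal AD namespace and forward all other queries to the DMZ's
# standalone public name server. Only the DMZ DCs learn internal addresses.
# Hypothetical addresses; adjust to the real environment.
$internalZone = 'company.com'
$internalDcs  = '10.10.0.11', '10.10.0.12'   # masters the stub zone pulls SOA/NS/glue from
$publicDmzDns = '192.0.2.53'                 # standalone server hosting the public company.com

Import-Module DnsServer

# A stub zone cannot coexist with an authoritative copy of the same name on
# this server, so refuse to continue until the public zone has been moved off.
$existing = Get-DnsServerZone -Name $internalZone -ErrorAction SilentlyContinue
if ($existing -and $existing.ZoneType -ne 'Stub') {
    throw "$internalZone is hosted here as a $($existing.ZoneType) zone; move the public zone off the DMZ DCs first."
}

if (-not $existing) {
    # ReplicationScope Domain stores the stub zone in the domain partition,
    # so every DMZ DC running DNS receives it automatically.
    # 2003 equivalent: dnscmd /ZoneAdd company.com /DsStub 10.10.0.11 10.10.0.12
    Add-DnsServerStubZone -Name $internalZone -MasterServers $internalDcs -ReplicationScope Domain
}

# Everything that is not dmz.local or the stub zone goes to the DMZ's public
# name server, never to the internal network.
# 2003 equivalent: dnscmd /ResetForwarders 192.0.2.53
Set-DnsServerForwarder -IPAddress $publicDmzDns -UseRootHint $false

# Sanity check: the stub zone is only useful once it has pulled the internal NS set.
Get-DnsServerResourceRecord -ZoneName $internalZone -RRType NS | Format-Table -AutoSize
```

Two points on the design: the stub zone holds only SOA, NS and glue records for the internal DCs and chases everything else to them, so the DMZ DCs must be allowed to reach the internal DCs on DNS (and on the trust ports) through the firewall; and any non-DC host in the DMZ that uses these DCs as its resolver will also get internal answers, so servers that must not see the internal namespace should point at the standalone public DNS instead.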

Author Comment

ID: 20094655
OK, so what I think I want to do, at least today, is move the public DNS records off the DMZ domain and make them standalone servers.  This will remove the conflict of the two domains that I have now.  

With that being the case, I know I can set up the trust by adding forwarders to the DMZ AD DNS server.  The problem with this is that I do not want any of the servers in the DMZ to be able to resolve the IP addresses of the internal AD.  

With a forwarder, I would forward all company.com to the inside.  Therefore all the DMZ servers would be able to resolve internal addresses.  As well, I want the DMZ servers to point to the new public DNS standalone servers for company.com.

How do I do this, and have the trust work?
