DNS issue and how to

Here is my problem; I will try to make it as clear as possible:

I have 2 sites linked by an MPLS VPN connection. I will call the main site "SITE A" and the secondary site "SITE B".

Site A has a dedicated link to the Internet and a dedicated link to the VPN.
Site B has a dedicated link to the VPN, and on that link there is a gateway to the Internet.

Site A has the main servers, Site B has only one file server used also for DNS and DHCP.

How do I configure the DNS server on Site B with the following requirements:

- Site A and Site B are on different subnets (Site A is 172.16.1.x and Site B is 192.168.200.x)
- Site A must be able to see Site B and vice versa.
- Site B must not access the Internet through Site A and must not use Site A's firewall rules.

What is the best config? Populate Site A's DNS server to Site B? If yes, and in any case, can you give me a good "how to" in order to configure everything properly?

Hope that was clear enough to understand :-)
Chris Dent (PowerShell Developer) commented:

Let's call these DNS servers DNS A and DNS B for simplicity :)

> So I leave forwarders as they are at the moment on site B and on the DHCP (site B),
> DNS is the server on site B, right?

That's right, yes. There's no need to change those.

> on site B if I go to google, it goes through dns on site B but if I look for a site A server,
> it will go through dns on site A

Correct about requests for things like Google. But not quite for things about Site A.

DNS B will have a replica of all the information DNS A has.

DNS B will talk to DNS A about updates to the domain occasionally, but a user on Site B asking about Site A will get an answer from DNS B directly. DNS A need not know, and does not even need to be online for that to work.

Back to the Start of Authority (SOA) tab again, how often DNS B looks for an update to the domain is dictated by the Refresh Interval. If it finds it needs an update it will ask DNS A for that. Otherwise it'll leave DNS A alone.

I hope that all makes sense!

Chris Dent (PowerShell Developer) commented:

I guess they're not part of the same domain / forest (assuming AD is even involved)?

A number of options present themselves:

1. Use Conditional Forwarders to send requests from Site B to the DNS for Site A (and vice-versa)
2. Use a Stub Zone
3. Use a Secondary Zone

1 and 2 are about equivalent. 3 is more fault tolerant, but has a bit more configuration. I'd be quite inclined to go for 1 as it's the easiest. If you wish to try...

1. Open the DNS Console for Site B
2. Right click on the server and select Forwarders
3. Enter the domain name for Site A
4. Enter the IP address for the DNS server in Site A
5. Repeat on Site A for Site B
6. Test that you can resolve host names in the remote sites

None of the options above will cause other names to be resolved by the remote DNS server, nor will it impact how each site routes out to the Internet.
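Option 1 above, as an added example (editor's code, not from the thread), assuming the two sites are separate DNS domains as this comment supposes: sitea.example.local served by DNS A at 172.16.1.10 and siteb.example.local served by DNS B at 192.168.200.10 (all names and addresses are assumptions). It uses the DnsServer PowerShell module that ships with the DNS Server role / RSAT on Windows Server 2012 and later; the GUI steps in the comment do the same thing.

```powershell
# Added example, not from the original thread. Assumed names/addresses:
#   Site A domain sitea.example.local, DNS A = 172.16.1.10
#   Site B domain siteb.example.local, DNS B = 192.168.200.10
# Run with an account that administers both DNS servers; -ComputerName uses WinRM.

# On DNS B: only queries for sitea.example.local are sent across the VPN to DNS A.
Add-DnsServerConditionalForwarderZone -ComputerName 192.168.200.10 `
    -Name 'sitea.example.local' -MasterServers 172.16.1.10

# On DNS A: the mirror image for Site B's domain.
Add-DnsServerConditionalForwarderZone -ComputerName 172.16.1.10 `
    -Name 'siteb.example.local' -MasterServers 192.168.200.10

# The server-level forwarders, used for everything else (Internet names), are untouched,
# so Site B still resolves public names through its own gateway, not through Site A.
Get-DnsServerForwarder -ComputerName 192.168.200.10 | Select-Object -ExpandProperty IPAddress

# Confirm the two kinds of query take different paths: ask DNS B directly, bypass caches.
Resolve-DnsName -Name 'fileserver.sitea.example.local' -Server 192.168.200.10 -Type A -DnsOnly
Resolve-DnsName -Name 'www.google.com' -Server 192.168.200.10 -Type A -DnsOnly
```

A conditional forwarder sends every uncached query for the named domain over the WAN (UDP/TCP 53 from DNS B to DNS A), so the firewall between the sites must allow that, and Site A names stop resolving from Site B if the VPN is down; that is the fault-tolerance difference the comment mentions in favour of a secondary zone.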

dlan75 (Author) commented:
Forgot that!
Well, they are part of the same domain in the same forest!
What should I do?

dlan75 (Author) commented:
If I configure forwarders on site B to go to site A, then everything will go through site A (I mean the Internet), won't it?
Chris Dent (PowerShell Developer) commented:

The server in Site B is just a stand-alone server rather than a Domain Controller?

If that's correct, I'd go with a Secondary zone on Site B. That would first mean enabling Zone Transfers on the server for Site A.

dlan75 (Author) commented:
No, the server on site B is just a member of the domain but not a DC. OK, can you guide me through that option?
Chris Dent (PowerShell Developer) commented:


First bit is done on the server in Site A:

1. Open the DNS Console
2. Expand Forward Lookup Zones
3. Select your domain name
4. Right click on the zone and select Properties
5. Select the Zone Transfers tab
6. Tick "Allow Zone Transfers"
7. Select Only to servers listed on the Name Servers tab
8. Apply any change there then select the Name Servers tab
9. Click Add and enter the Name of the server in Site B (you may need to enter the IP address as well)
10. Apply that change
11. One final optional change for Site A
  a. Select the Start of Authority Tab
  b. Under Expiry increase the value to 1209600, that is two weeks. This is how long the Secondary server will keep its copy of the zone without being able to talk to the Primary. Long intervals are good for fault tolerance.
  c. Apply that change as well

Now head to the DNS server in Site B (you can do this from the same DNS console, separate instructions to make it clear where we're making the change).

1. Open the DNS Console
2. Select Forward Lookup Zones
3. Right click and select New Zone
4. Select Secondary Zone
5. Enter the name of the domain as you have it on the server for Site A
6. Enter the name or IP address of the server in Site A as the Master Server
7. Finish off the wizard

Everything is configured now. Hopefully the zone will transfer immediately, and hopefully you will see a copy of everything you have on Site A in the new Secondary Zone.

Do note that performing a Zone Transfer requires access to TCP Port 53 back in Site A. If you have Firewalls between sites you may need to poke some holes.

And that's all... if a client on Site B needs to update DNS the request will head off over the WAN to Site A. Otherwise it will look up names using the server on Site B.
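The whole procedure above (the Site A part, the optional SOA change, and the Site B part), as an added example in PowerShell rather than the DNS console; this is editor's code, not from the thread. It uses the DnsServer module (DNS Server role / RSAT, Windows Server 2012 and later). Assumed values: the AD domain's forward lookup zone is corp.example.local, DNS A is the domain controller at 172.16.1.10, and DNS B is the member file server fs01 at 192.168.200.10; `-ComputerName` needs WinRM access to each server, and `-Name '.'` on the NS record denotes the zone apex.

```powershell
# Added example, not from the original thread. Assumed names/addresses:
#   $Zone  = the AD domain's forward lookup zone
#   DNS A  = 172.16.1.10   (domain controller / DNS in Site A, holds the primary)
#   DNS B  = fs01, 192.168.200.10 (domain member file server in Site B)
$Zone     = 'corp.example.local'
$DnsA     = '172.16.1.10'
$DnsB     = 'fs01'
$DnsBIp   = '192.168.200.10'
$DnsBFqdn = "$DnsB.$Zone"

# ---- Site A: steps 1-10 of the console procedure ----
# "Allow Zone Transfers" + "Only to servers listed on the Name Servers tab".
# Notify lets DNS A tell DNS B about changes instead of waiting for the refresh interval.
Set-DnsServerPrimaryZone -ComputerName $DnsA -Name $Zone `
    -SecureSecondaries TransferToZoneNameServer `
    -Notify NotifyServers -NotifyServers $DnsBIp

# The Name Servers tab is the set of NS records at the zone apex, each needing a glue A record.
# A domain member normally registers its own A record dynamically, so add it only if missing.
$glue = Get-DnsServerResourceRecord -ComputerName $DnsA -ZoneName $Zone `
            -Name $DnsB -RRType A -ErrorAction SilentlyContinue
if (-not $glue) {
    Add-DnsServerResourceRecordA -ComputerName $DnsA -ZoneName $Zone -Name $DnsB -IPv4Address $DnsBIp
}
Add-DnsServerResourceRecord -ComputerName $DnsA -ZoneName $Zone -NS -Name '.' -NameServer $DnsBFqdn

# ---- Site A, step 11 (optional): SOA Expiry = 1209600 s (two weeks) ----
# This is how long DNS B keeps serving its copy if it cannot reach DNS A at all.
$oldSoa = Get-DnsServerResourceRecord -ComputerName $DnsA -ZoneName $Zone -RRType Soa
$newSoa = $oldSoa.Clone()
$newSoa.RecordData.ExpireLimit = [TimeSpan]::FromSeconds(1209600)
Set-DnsServerResourceRecord -ComputerName $DnsA -ZoneName $Zone `
    -OldInputObject $oldSoa -NewInputObject $newSoa

# ---- Site B: the secondary zone (steps 1-7 of the second procedure) ----
Add-DnsServerSecondaryZone -ComputerName $DnsB -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $DnsA
# Pull the full zone now rather than waiting for the first refresh.
Start-DnsServerZoneTransfer -ComputerName $DnsB -Name $Zone -FullTransfer

# Quick check: zone type and the number of records that arrived.
Get-DnsServerZone -ComputerName $DnsB -Name $Zone | Select-Object ZoneName, ZoneType, MasterServers
(Get-DnsServerResourceRecord -ComputerName $DnsB -ZoneName $Zone | Measure-Object).Count
```

Two practical notes. First, the firewall between the sites needs TCP 53 from 192.168.200.10 to 172.16.1.10 for the transfer itself, and UDP 53 in both directions for the SOA refresh query from DNS B and the NOTIFY from DNS A; nothing else needs to cross the WAN for name resolution once the copy exists. Second, restricting transfers to the listed name servers (rather than "to any server") matters: an unrestricted zone transfer hands a complete inventory of the domain's hosts to anyone who can reach port 53 on DNS A. If Site B also needs to resolve Site A addresses back to names, the same two steps apply to the reverse lookup zone for 172.16.1.x.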

dlan75 (Author) commented:
Thanks for that.
So I leave forwarders as they are at the moment on site B and on the DHCP (site B), DNS is the server on site B, right?
So if I understand, on site A nothing changes; on site B if I go to Google, it goes through DNS on site B, but if I look for a site A server, it will go through DNS on site A.
Am I right? (Sorry, I am really new to distant-site DNS config.)
dlan75 (Author) commented:
Seems to be working, but how can I be sure that if I look for a specific IP address on Site B it doesn't go to Site A?
dlan75 (Author) commented:
OK, what I wanted to do isn't working, but your solution works fine.
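One way to answer that question with evidence rather than assumption, as an added example (editor's code, not from the thread). It shows that DNS B holds the zone locally as a Secondary, that a query sent straight to DNS B is answered from that copy and agrees with DNS A, and that Internet names still leave through DNS B's own forwarders. Assumed values: zone corp.example.local, DNS A at 172.16.1.10, DNS B at 192.168.200.10, and a Site A host named dc01.

```powershell
# Added example, not from the original thread. Assumed names/addresses:
#   zone corp.example.local, DNS A 172.16.1.10, DNS B 192.168.200.10, Site A host dc01
$Zone   = 'corp.example.local'
$DnsA   = '172.16.1.10'
$DnsB   = '192.168.200.10'
$Target = "dc01.$Zone"

# 1. DNS B holds the zone as a Secondary. Queries inside a secondary zone are answered
#    from the local copy; only the periodic SOA refresh and transfers go to DNS A.
Get-DnsServerZone -ComputerName $DnsB -Name $Zone |
    Select-Object ZoneName, ZoneType, MasterServers

# 2. The record really is present in DNS B's copy.
Get-DnsServerResourceRecord -ComputerName $DnsB -ZoneName $Zone -Name 'dc01' -RRType A

# 3. Ask each server directly, bypassing the client cache and hosts file, and compare.
$fromB = (Resolve-DnsName -Name $Target -Server $DnsB -Type A -DnsOnly -NoHostsFile).IPAddress
$fromA = (Resolve-DnsName -Name $Target -Server $DnsA -Type A -DnsOnly -NoHostsFile).IPAddress
"DNS B answers $fromB, DNS A answers $fromA, identical: $($fromB -eq $fromA)"

# 4. Both copies carry the same SOA serial, i.e. DNS B is up to date with DNS A.
(Get-DnsServerResourceRecord -ComputerName $DnsB -ZoneName $Zone -RRType Soa).RecordData.SerialNumber
(Get-DnsServerResourceRecord -ComputerName $DnsA -ZoneName $Zone -RRType Soa).RecordData.SerialNumber

# 5. Internet names: DNS B's own forwarders (Site B gateway/ISP), which do not include DNS A.
Get-DnsServerForwarder -ComputerName $DnsB | Select-Object -ExpandProperty IPAddress
Resolve-DnsName -Name 'www.google.com' -Server $DnsB -Type A -DnsOnly
```

If "look for a specific IP address" means a reverse (PTR) lookup of a 172.16.1.x address, note that only the forward zone was copied: a PTR query for that range goes to whatever DNS B's forwarders are unless a secondary of the 172.16.1.x reverse lookup zone is created on DNS B in the same way.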
Thank you for the help!