Conditional DNS Forwarder, Domain Trusts, DMZ

We are in the beginnings of a company merger and have planned to start our Domain Trust. We have a point-to-point VPN tunnel between our ASAs over the Internet, no dedicated circuit yet. When we first set up this tunnel we pointed our Exchange servers at each other so that mail would flow "internally", so mail isn't my problem here. CompanyA has several web-based services that non-IT departments are accessing: SharePoint, Citrix, etc. When I put a conditional DNS forwarder in place, those web services that are hosted in the DMZ for CompanyA become inaccessible. This is because instead of the Citrix site resolving to its Internet address, it is resolving to the internal DMZ address, and that network is not accessible to me in CompanyB; with a forwarder in place I cannot put a separate DNS zone in CompanyB. My question is, how can I set up the forwarder so that we can continue the Domain Trust but at the same time have the external resources available to CompanyB?

Thank you.
Chris Dent (PowerShell Developer) commented:
Hmm yuck...

You'd have to override name resolution for those hosts. The trust needs you to resolve the entire remote domain, which rules out forwarding only certain requests.

To stop it forwarding certain hosts you'd have to create a zone for each of those hosts, e.g.

New Zone --> Name:
New A Record --> Blank name; server IP

Or conditionally forward each of those host names out to a public Internet DNS service in much the same way. Quite horrible however you look at it.
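The per-host override zones described above, as an added example that is not part of the thread. It assumes the DnsServer PowerShell module (Windows Server 2012 or later; on the thread's Server 2003 the equivalent is dnscmd /ZoneAdd and /RecordAdd), and all domain names and addresses are constructed placeholders.

```powershell
# Added example (not from the thread): host-override zones in front of a
# conditional forwarder on Windows DNS. Assumes the DnsServer module
# (Windows Server 2012+). Names and addresses below are constructed placeholders.
$remoteDomain    = 'companya.example'                 # CompanyA's AD domain (placeholder)
$remoteDns       = '10.10.0.10', '10.10.0.11'         # CompanyA DCs reachable over the VPN (placeholder)
$publicOverrides = @{
    'citrix.companya.example'     = '203.0.113.20'    # public IP of the Citrix site (placeholder)
    'sharepoint.companya.example' = '203.0.113.30'    # public IP of SharePoint (placeholder)
}

# 1. The conditional forwarder sends everything for the remote domain to its DCs;
#    the trust needs this so the DC locator (SRV) records under that domain resolve.
if (-not (Get-DnsServerZone -Name $remoteDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $remoteDomain -MasterServers $remoteDns
}

# 2. A primary zone named exactly as each host wins over the forwarder for that
#    name (and anything beneath it) because this server is now authoritative for
#    it. The blank-name ("@") A record is what the host name itself resolves to.
foreach ($name in $publicOverrides.Keys) {
    if (-not (Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $name -ReplicationScope 'Domain'
    }
    $existing = Get-DnsServerResourceRecord -ZoneName $name -Name '@' -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $name -Name '@' -IPv4Address $publicOverrides[$name]
    }
}

# 3. Verify. Flush server and client caches first (a stale cached answer can mask
#    the new record, the symptom seen later in the thread), then confirm each
#    override returns its public address.
Clear-DnsServerCache -Force
Clear-DnsClientCache
foreach ($name in $publicOverrides.Keys) {
    $answer = (Resolve-DnsName -Name $name -Type A -Server localhost -ErrorAction Stop).IPAddress
    if ($answer -ne $publicOverrides[$name]) {
        Write-Warning "$name resolved to $answer, expected $($publicOverrides[$name])"
    } else {
        Write-Output "$name -> $answer (override in effect)"
    }
}
```

Any other name under the remote domain still goes through the forwarder, so the trust keeps working; only the listed hosts are answered locally.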


cbitsupport (Author) commented:
Maybe I didn't set something up right but I tried this in test. These are my results.

I have a test.domain test domain, and I have a conditional forwarder to this domain. I added www.test.domain as a new DNS zone on my primary DNS. I added a blank A record with a random IP. When I do an NSLOOKUP from my PC I get www.test.domain to come back as a record, but not with an IP, and I can't ping it. When I ping I just get "host not found". I would think if this were working correctly I should be able to ping it and see it attempt to ping the fake IP address.
Chris Dent (PowerShell Developer) commented:
That it doesn't have an IP listed is a bit troubling. Can you try flushing the DNS Cache on the server? It could be that it has a conflicting record in cache.

cbitsupport (Author) commented:
I have flushed DNS on the servers and on the PCs, no change.
cbitsupport (Author) commented:
I tried this test again, but instead of my www.test.domain pointing to a random IP, I created a new one, rrr.test.domain, pointed it to a random Internet IP, and it worked. So I put my forwarder back in for the real domain for CompanyA and I put individual DNS zones in for the web resources that my users need. So far it is working perfectly. I am going to leave the case open for a day just in case I hit any snags between now and then. Thank you!!! This worked!! :)
Windows Server 2003