dustaine asked:
Tweaking DNS in a newly created trust.

I have just set up a two way trust between a parent and child company.  This was the first time doing this.  I basically followed the following instructions in setting it up

http://www.misdivision.com/blog/how-to-create-a-trust-in-windows-server-2008-r2
http://www.misdivision.com/blog/step-by-step-how-to-create-a-stub-zone-in-windows-server-2008-r2

The trust installed just fine and the stub zone is working just fine.  I now want to set up DNS on each side so that I can add host records and what not without having to add a host file to each computer.  What is the best way to do this?  Do I just set up a new zone or do I need to entirely redo the way I set up DNS? If need be, I can provide a screenshot of how my DNS looks.  I do not mind experimenting, but I do not want to risk breaking something and taking both networks down. The functional level of both networks is server 2008/2008R2

Thanks in advance for your assistance.
Coffinated:

Hi,

You should be able to set up DNS servers in each domain, and then set up a secondary DNS server in the other domain. Do not forget to add a "connection specific DNS suffix" (domain1.local, domain2.local and domain2.local, domain1.local) to each domain.

Setting up a primary DNS is straightforward; you can manually specify the DNS server to replicate.
dustaine (asker):
Coffinated,

To make sure I understand, I have two separate domains.  One is companyA.local and the other is CompanyB.local.  I initially set up a stub zone in DNS and then set up a trust between the two.  Each domain has its own AD and DNS servers.  I should now then be able to go in under each DNS Server under FWD lookup Zones and create a secondary zone for the opposite domain.  I would do this on each domain.  What do I do with the Stub Zone that is on each domain? Under properties General Type/Change, can I not just change it to a secondary, or will that cause problems? Or do I need the secondary in place first, then remove the stub zone?

Thanks for your reply,
D
ASKER CERTIFIED SOLUTION (Coffinated)
I found these instructions.  
http://technet.microsoft.com/en-us/library/cc754941.aspx

In looking at the first section, it looks simple enough.  This will just use the host records on the other domain's DNS without having to create one on the other DNS Server.

Doing it this way or adding a secondary zone, which will give me the greatest flexibility in functionality with the trust between the two domains?
SOLUTION (Leon Fester)
SOLUTION
I am concerned with zone transfers as well and want to limit the security risk without impacting function.  One side is ITAR compliant while the other is not, but the one side needs access to the ERP system housed on the other.  This is why the trust is there.  I initially set up a stub zone then the trust, but soon found out that I had to alter the host record of certain workstations to effectively communicate with servers on the other side.  Otherwise I would have to use the FQDN to do what I needed. I also realized I could not set up a host record like I have on each domain's domain server.

So I am looking to implement something that will be secure, but will allow me to communicate efficiently like I do inside each domain.  I saw where I can go into DNS and supposedly I have the option to change from, say, a stub zone to a secondary... Has anyone tried that, or is it recommended to eliminate the stub first, then set up a secondary?  I realize if I do a conditional forwarder I will have to eliminate the stub zone first.

Will I have the use of host records, or is that part of the forwarder arrangement?
When you use forwarders, there's no need to manage the host records anywhere except on the originating domain's DNS servers. What you would be setting up is conditional forwarder(s) for the foreign domain on each domain's DNS server(s). For example, if you have CompanyA.local with DNS1.CompanyA.local and DNS2.CompanyA.local, and CompanyB.local with DNS1.CompanyB.local and DNS2.CompanyB.local, you would set up conditional forwarders on each domain. CompanyA's conditional forwarders would be for the domain "CompanyB.local" and would consist of DNS1.CompanyB.local and DNS2.CompanyB.local; and vice versa for CompanyB.local. Then ALL queries for host names host.companyb.local would simply be referred directly to CompanyB's DNS server(s).

Does that answer your question?

This is without doubt the simplest way to accomplish what you've described, since there's no manual maintenance of host records at all, assuming that you use dynamic DNS updating on both of these domains, and you don't have to worry about potential replication or security issues between the two domains.
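The forwarder setup described in the reply above, written out as an added example (not code from anyone in this thread). It assumes the DNS servers run the DnsServer PowerShell module (Server 2012 or later; on 2008 R2 the same settings are made in the DNS console or with dnscmd /ZoneAdd CompanyB.local /Forwarder), and the CompanyB server addresses 10.0.2.10 and 10.0.2.11 are constructed placeholders. Run it on a CompanyA DNS server, then swap names and addresses to do the same on the CompanyB side.

```powershell
# Added example, not from the thread. Assumed: DnsServer module present,
# CompanyB's DNS servers at 10.0.2.10 / 10.0.2.11 (constructed addresses).

$foreignZone  = 'CompanyB.local'
$foreignDns   = @('10.0.2.10', '10.0.2.11')   # DNS1/DNS2.CompanyB.local (assumed)
$localDnsName = 'DNS1.CompanyA.local'         # server we are configuring (assumed)

# 1. A stub zone and a conditional forwarder for the same name cannot coexist,
#    so drop the stub zone first if it is still there.
$existing = Get-DnsServerZone -Name $foreignZone -ComputerName $localDnsName `
                -ErrorAction SilentlyContinue
if ($existing -and $existing.ZoneType -eq 'Stub') {
    Remove-DnsServerZone -Name $foreignZone -ComputerName $localDnsName -Force
}

# 2. Create the AD-integrated conditional forwarder, replicated forest-wide
#    (the console's "All DNS servers in this forest" option).
if (-not (Get-DnsServerZone -Name $foreignZone -ComputerName $localDnsName `
              -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $foreignZone `
        -MasterServers $foreignDns `
        -ReplicationScope 'Forest' `
        -ForwarderTimeout 5 `
        -ComputerName $localDnsName
}

# 3. Check the result: ZoneType should be "Forwarder" with both master servers.
Get-DnsServerZone -Name $foreignZone -ComputerName $localDnsName |
    Select-Object ZoneName, ZoneType, MasterServers, ReplicationScope

# 4. Resolution test. The FQDN resolves through the forwarder; the bare short
#    name does not, because nothing on the server side appends CompanyB.local.
Resolve-DnsName -Name "fileserver.$foreignZone" -Server $localDnsName -Type A
Resolve-DnsName -Name 'fileserver' -Server $localDnsName -Type A `
    -ErrorAction SilentlyContinue
```

A conditional forwarder only passes individual queries to the named servers; unlike a secondary zone it never requests a zone transfer, so nothing has to be opened on the remote zone's "Zone Transfers" tab and no copy of the other company's zone data is stored locally. If a secondary zone is used instead, restrict "Allow zone transfers" on the primary to the specific secondary servers rather than "any server".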
Fantastic, I think that does answer my question.  Sorry to be a pain, but setting up a trust and everything in between is all new to me and I want to make sure I set things up properly... I have read many things and some have been great information but a little vague.  I just want to be sure of what to expect and ask a lot of questions before doing something... and perhaps something stupid.
So my basic plan of attack is that I will get rid of the stub zones and then implement the forwarders as Coffinated described (posted 2013-05-20).

I will let this lie a couple days, implement it and then report back on what happens.  I appreciate it.
SOLUTION
I set up the conditional forwarders and eliminated the stub zones.  They set up just fine.  I can ping the fqdn of a server on company b from company a.  For example,  fileserver.companyb.local.  However, I cannot ping fileserver.  I figured that if it could not resolve on  company A DNS, the request would forward the request to company B. The reason this is important is that company B will be using applications with servers on company A. The install/information paths do not use FQDN and do not work properly on company B computers.  The way around this is via the editing of the host record on the local host. However, this is impractical as I do not want to push out a host record to every computer. For this reason I think I may need to set up a secondary zone so that I can add host records... Or did I misconfigure or miss something?
Hi,

I was away for a few days. As far as the ping not coming back, it could be due to a firewall (if any); as usual, clear the local DNS cache on the server as well as on the workstations. After pinging, does it even return an IP address, or does it say it cannot be found? Check the ARP table for the IP address of the server you cannot ping.
When I ping say, sci-mi-fp, it comes back with "Ping request could not find the host.  Please check the name and try again." When I ping sci-mi-fp.sci.local, it pings properly. As far as the arp table, on the workstation I am pinging from, I do not see the IP address. I have the windows firewall turned off on the server and there is no firewall between the two domains, just 2 core switches with an Ethernet cable running between the two.
When setting up the forwarder I also checked the box "store this conditional forwarder in AD, and replicate it as follows... All DNS servers in this forest". The IP addresses of the master servers resolve properly on each side.
I think what you need to do is add the second domain to the DHCP scope options (option 119). This will add the second domain to the search list for your client workstations. If you're using Windows 2008 DHCP server(s), you may not see 119 on the options list, but you can add it to the list by right-clicking the IPv4 object in the DHCP console and running "Set Predefined Options."
I don't think DHCP option 119 is supported by any current Windows clients.  I've found a few references to back that up (here, for example), and I'm unable to get it working in my test lab (2012 DHCP server, Windows 7 client).  I can add the option to the server with no trouble, but the list never shows up on the client.

You will likely need to use Group Policy to configure the DNS suffix search list.  This will only work on domain-joined machines, of course.
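The Group Policy approach from the reply above, as an added example that is not code from anyone in this thread. It assumes the GroupPolicy module (RSAT) is installed on the admin workstation, that the clients are domain-joined, and that the GPO name and the OU distinguished name below are placeholders. The registry value written is the one the "DNS Suffix Search List" Administrative Template sets.

```powershell
# Added example, not from the thread. Assumed: GroupPolicy module available,
# GPO name and target OU are placeholders to replace.

Import-Module GroupPolicy

$gpoName  = 'DNS Suffix Search List'                   # assumed GPO name
$targetOu = 'OU=Workstations,DC=companyb,DC=local'     # placeholder OU
# Order matters: the client's own domain first, then the trusted domain.
$suffixes = 'companyb.local,companya.local'

# 1. Create the GPO once and link it to the OU holding the workstations.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Appends the trusted domain to short-name lookups'
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 2. Same value as Computer Configuration > Policies > Administrative Templates >
#    Network > DNS Client > "DNS Suffix Search List".
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
    -ValueName 'SearchList' -Type String -Value $suffixes | Out-Null

# 3. Run on a client after "gpupdate /force": read the applied list and try
#    each suffix in order, which is what the resolver does for a short name.
function Test-ShortNameResolution {
    param([string]$ShortName)
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $list = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SearchList
    if (-not $list) { return 'Policy not applied: SearchList value is missing' }
    foreach ($suffix in ($list -split ',')) {
        $r = Resolve-DnsName -Name "$ShortName.$suffix" -Type A -ErrorAction SilentlyContinue
        if ($r) { return "$ShortName resolved as $($r[0].Name) -> $($r[0].IPAddress)" }
    }
    return "$ShortName did not resolve with search list '$list'"
}
Test-ShortNameResolution -ShortName 'fileserver'
```

For a quick single-machine test on Windows 8 / Server 2012 or later, Set-DnsClientGlobalSetting -SuffixSearchList sets the same list locally without Group Policy. Note that a policy-defined search list replaces the default primary-suffix devolution, which is why the client's own domain must appear first in the list.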
I am in the process of changing the DNS suffixes.  This seems to be working out very well.  Right now I am manually changing it as a test. I had an interesting issue in that I set up a secondary DNS zone prior to figuring out the DNS suffix.  I encountered an interesting issue where at random times during the day it seems the two networks lose connection to the AD servers.  When on the Company B network, trying to access an application hosted on the Company A network, I would sometimes get a "no logon server available" message.  After a certain amount of time, the connection would restore and all would be fine.  Tonight I have switched back to conditional forwarders, as I did not have any such issues... All I did on my test machines before figuring out the suffix was amend the host record, and everything worked well.  I am going to watch things over the next few days and see how things work out.  But does anyone have any ideas as to what might cause the random disconnect?