Solved

Tweaking DNS in a newly created trust.

Posted on 2013-05-20
330 Views
Last Modified: 2013-12-04
I have just set up a two way trust between a parent and child company.  This was the first time doing this.  I basically followed the following instructions in setting it up

http://www.misdivision.com/blog/how-to-create-a-trust-in-windows-server-2008-r2
http://www.misdivision.com/blog/step-by-step-how-to-create-a-stub-zone-in-windows-server-2008-r2

The trust installed just fine and the stub zone is working just fine.  I now want to set up DNS on each side so that I can add host records and what not without having to add a host file to each computer.  What is the best way to do this?  Do I just set up a new zone or do I need to entirely redo the way I set up DNS? If need be, I can provide a screenshot of how my DNS looks.  I do not mind experimenting, but I do not want to risk breaking something and taking both networks down. The functional level of both networks is server 2008/2008R2

Thanks in advance for your assistance.
0
Question by:dustaine
21 Comments
 
LVL 5

Expert Comment

by:Coffinated
Hi,

You should be able to set up DNS servers in each domain, and then set up a secondary DNS server in the other domain. Do not forget to add a "connection specific DNS suffix" (domain1.local, domain2.local and domain2.local, domain1.local) to each domain.

Setting up a primary DNS is straightforward; you can manually specify the DNS server to replicate.
0
 

Author Comment

by:dustaine
Coffinated,

To make sure I understand, I have two separate domains.  One is companyA.local and the other is CompanyB.local.  I initially set up a stub zone in DNS and then set up a trust between the two.  Each domain has its own AD and DNS servers.  I should now be able to go into each DNS server under Forward Lookup Zones and create a secondary zone for the opposite domain.  I would do this on each domain.  What do I do with the stub zone that is on each domain? Under Properties > General > Type/Change, can I not just change it to a secondary, or will that cause problems? Or do I need the secondary in place first and then remove the stub zone?

Thanks for your reply,
D
0
 
LVL 5

Accepted Solution

by: Coffinated earned 125 total points
Here's an even easier setup.

CompanyA:
- delete stub zone
- set up DNS forward to CompanyB (ip: B.B.B.B)

CompanyB:
- delete stub zone
- set up DNS forward to CompanyA (ip: A.A.A.A)

All queries will be forwarded to other DNS servers, or to the root hints.

http://technet.microsoft.com/en-us/library/cc757172.aspx
0
 

Author Comment

by:dustaine
I found these instructions.  
http://technet.microsoft.com/en-us/library/cc754941.aspx

In looking at the first section, it looks simple enough.  This will just use the host records on the other domain's DNS without having to create one on the other DNS server.

Doing it this way or adding a secondary zone, which will give me the greatest flexibility in functionality with the trust between the two domains?
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 125 total points
You can set up a conditional forwarder on each DNS server pointing to the remote DNS server.
http://technet.microsoft.com/en-us/library/ee307976(v=ws.10).aspx

Another option is to set up zone transfers between your two domains; the previous document also mentioned secondary zones with zone transfers.

Another useful link for understanding zone transfers.
http://technet.microsoft.com/en-us/library/cc782181(v=ws.10).aspx
0
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 250 total points
Personally I would prefer using conditional forwarders over zone transfers, unless speed of communication between the two networks is an issue.  There can be security concerns with zone transfers whereas with conditional forwarders the traffic is simply forwarded on to the authoritative DNS server for the specified domain. I've never used zone transfers, so I'm not an expert on that, but I would think that the only advantage would possibly be faster response times on name resolution, and also the ability to continue to resolve host names even if the other domain's DNS server was down. If both domains have redundancy already in DNS (i.e., more than one DNS server in the domain), then the redundancy factor probably wouldn't be an issue.
0
 

Author Comment

by:dustaine
I am concerned with zone transfers as well and want to limit the security risk without impacting function.  One side is ITAR compliant while the other is not, but the one side needs access to the ERP system housed on the other.  This is why the trust is there.  I initially set up a stub zone then the trust, but soon found out that I had to alter the host record of certain workstations to effectively communicate with servers on the other side.  Otherwise I would have to use the FQDN to do what I needed. I also realized I could not set up a host record like I have on each domain's domain server.  

So I am looking to implement something that will be secure, but will allow me to communicate efficiently like I do inside each domain.  I saw where I can go into DNS and supposedly I have the option to change from, say, a stub zone to a secondary... Has anyone tried that, or is it recommended to eliminate the stub first and then set up a secondary?  I realize if I do a conditional forwarder I will have to eliminate the stub zone first.  

Will I have the use of host records, or is that part of the forwarder arrangement?
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
When you use forwarders, there's no need to manage the host records anywhere except on the originating domain's DNS servers. What you would be setting up is conditional forwarder(s) for the foreign domain on each domain's DNS server(s). For example, if you have CompanyA.local with DNS1.CompanyA.local and DNS2.CompanyA.local, and CompanyB.local with DNS1.CompanyB.local and DNS2.CompanyB.local, you would set up conditional forwarders on each domain. CompanyA's conditional forwarders would be for the domain "CompanyB.local" and would consist of DNS1.CompanyB.local and DNS2.CompanyB.local; and vice versa for CompanyB.local. Then ALL queries for host names host.companyb.local would simply be referred directly to CompanyB's DNS server(s).

Does that answer your question?

This is without doubt the simplest way to accomplish what you've described, since there's no manual maintenance of host records at all, assuming that you use dynamic DNS updating on both of these domains, and you don't have to worry about potential replication or security issues between the two domains.
0
 

Author Comment

by:dustaine
Fantastic, I think that does answer my question.  Sorry to be a pain, but setting up a trust and everything in between is all new to me and I want to make sure I set things up properly... I have read many things and some have been great information but a little vague.  I just want to be sure of what to expect and ask a lot of questions before doing something... and perhaps something stupid.
0

Author Comment

by:dustaine
So my basic plan of attack is that I will get rid of the stub zones and then implement the forwarders as Coffinated described (posted 2013-05-20 at 14:41:45, ID: 39182342).

I will let this lie a couple days, implement it and then report back on what happens.  I appreciate it.
0
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 250 total points
Yes.  One caveat, though, which has nothing to do with DNS, would be routing or firewall(s) between the two domains.  I'm assuming that you have the routing issues in hand because you've already established a trust and allowed communications using your stub zone.  So, when you add the foreign DNS server(s) as forwarders, you want to use the IP addresses of those servers, not the FQDN. This is because the DNS servers in each domain would have no way to resolve the FQDNs of the DNS servers in the other domain, but presumably if the routing is working properly then they would be able to find those servers by IP address. Or, you could maintain your stub zone with just the IP addresses of the DNS servers in the other domain; I think that would work also.
0
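The procedure the thread settles on (drop the stub zone, add a conditional forwarder for the other domain using the remote DNS servers' IP addresses, store it in AD for the whole forest, and keep zone transfers on the local primary zone closed since forwarding does not need them) as an added PowerShell example. This is not code from the thread; it assumes the DnsServer module (Windows Server 2012 or later, or RSAT), and the domain names and 192.0.2.x addresses are placeholders. On the 2008 R2 servers discussed here the same steps are done with dnscmd or the DNS console.

```powershell
# Added example (not from the thread): replace a stub zone for the remote domain
# with an AD-integrated conditional forwarder, then verify. Assumes the DnsServer
# module; names and addresses below are placeholders.

$RemoteDomain = 'CompanyB.local'
$RemoteDnsIPs = @('192.0.2.10', '192.0.2.11')   # placeholder IPs of CompanyB's DNS servers
$LocalZone    = 'CompanyA.local'                 # this domain's AD-integrated primary zone

# 1. Remove the stub zone for the remote domain if one is present.
#    (A stub and a conditional forwarder cannot coexist for the same name.)
$existing = Get-DnsServerZone -Name $RemoteDomain -ErrorAction SilentlyContinue
if ($existing -and $existing.ZoneType -eq 'Stub') {
    Remove-DnsServerZone -Name $RemoteDomain -Force
}

# 2. Create the conditional forwarder by IP address (the local servers cannot
#    resolve the remote servers' FQDNs), stored in AD and replicated to all DNS
#    servers in the forest, matching the option chosen in the question.
Add-DnsServerConditionalForwarderZone -Name $RemoteDomain `
    -MasterServers $RemoteDnsIPs -ReplicationScope 'Forest'

# 3. Confirm an FQDN in the remote domain now resolves through the forwarder.
Resolve-DnsName -Name "fileserver.$RemoteDomain" -Type A -ErrorAction Continue

# 4. Defensive check: the forwarder design needs no zone transfers, so make sure
#    the local primary zone is not open to transfers from any host.
$zone = Get-DnsServerZone -Name $LocalZone
if ($zone.SecureSecondaries -eq 'TransferAnyServer') {
    Set-DnsServerPrimaryZone -Name $LocalZone -SecureSecondaries 'NoTransfer'
}
Get-DnsServerZone -Name $LocalZone |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, SecureSecondaries
```

Run it once on any DNS server in each forest; because the forwarder is stored in AD with a forest replication scope, the other DNS servers pick it up through AD replication rather than each needing the script. Step 4 only tightens a zone that was explicitly left wide open; a zone already set to transfer only to listed name servers is left as is.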
 

Author Comment

by:dustaine
I set up the conditional forwarders and eliminated the stub zones.  They set up just fine.  I can ping the FQDN of a server on company B from company A.  For example, fileserver.companyb.local.  However, I cannot ping fileserver.  I figured that if it could not resolve on company A DNS, the request would be forwarded to company B. The reason this is important is that company B will be using applications with servers on company A. The install/information paths do not use FQDNs and do not work properly on company B computers.  The way around this is by editing the host record on the local host. However, this is impractical as I do not want to push out a host record to every computer. For this reason I think I may need to set up a secondary zone so that I can add host records... Or did I misconfigure or miss something?
0
 
LVL 5

Expert Comment

by:Coffinated
Hi,

I was away for a few days. As far as the ping not coming back, it could be due to a firewall (if any); as usual, clear the local DNS cache on the server as well as on the workstations. After pinging, does it even return an IP address, or does it say it cannot be found? Check the ARP table for the IP address of the server you cannot ping.
0
 

Author Comment

by:dustaine
When I ping, say, sci-mi-fp, it comes back with "Ping request could not find the host.  Please check the name and try again." When I ping sci-mi-fp.sci.local, it pings properly. As far as the ARP table, on the workstation I am pinging from, I do not see the IP address. I have the Windows firewall turned off on the server and there is no firewall between the two domains, just 2 core switches with an Ethernet cable running between the two.
0
 

Author Comment

by:dustaine
When setting up the forwarder I also checked the box "Store this conditional forwarder in Active Directory, and replicate it as follows: All DNS servers in this forest." The IP addresses of the master servers resolve properly on each side.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
I think what you need to do is add the second domain to the DHCP scope options (option 119). This will add the second domain to the search list for your client workstations. If you're using Windows 2008 DHCP server(s), you may not see 119 on the options list, but you can add it to the list by right-clicking the IPv4 object in the DHCP console and running "Set Predefined Options."
0
 
LVL 25

Expert Comment

by:DrDave242
I don't think DHCP option 119 is supported by any current Windows clients.  I've found a few references to back that up (here, for example), and I'm unable to get it working in my test lab (2012 DHCP server, Windows 7 client).  I can add the option to the server with no trouble, but the list never shows up on the client.

You will likely need to use Group Policy to configure the DNS suffix search list.  This will only work on domain-joined machines, of course.
0
 

Author Comment

by:dustaine
I am in the process of changing the DNS suffixes.  This seems to be working out very well.  Right now I am manually changing it as a test. I had an interesting issue in that I set up a secondary DNS zone prior to figuring out the DNS suffix.  I encountered an interesting issue where at random times during the day it seems the two networks lose connection to the AD servers.  When on the company B network, trying to access an application hosted on the company A network, I would sometimes get a "no logon server available" message.  After a certain amount of time, the connection would restore and all would be fine.  Tonight I have switched back to conditional forwarders as I did not have any such issues... All I did on my test machines before figuring out the suffix was amend the host record and everything worked well.  I am going to watch things over the next few days and see how things work out.  But does anyone have any ideas as to what might cause the random disconnect?
0
 
LVL 5

Expert Comment

by:Coffinated
You can use GP to change DNS suffixes.

http://technet.microsoft.com/en-us/library/cc959267.aspx
0
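The last two expert comments point to Group Policy for the DNS suffix search list, which is what makes a short name like fileserver resolve across the trust once the forwarders are in place. The following added PowerShell check, not from the thread, is for a domain-joined client: it reads the effective search list, reads the list a GPO delivers (the "DNS Suffix Search List" policy writes a SearchList value under the DNSClient policy key shown, which is an assumption about where that policy lands), reports any expected suffix that is missing, and tries the short name against each candidate FQDN. It assumes Windows 8 / Server 2012 or later for Get-DnsClientGlobalSetting and Resolve-DnsName; the domain names and host name are placeholders.

```powershell
# Added example (not from the thread): audit a client's DNS suffix search list
# and show which form of a name actually resolves. Assumes the DnsClient module
# (Windows 8 / Server 2012+); names below are placeholders.

$ShortName = 'fileserver'
$Expected  = @('CompanyA.local', 'CompanyB.local')   # suffixes the trust needs

# Effective search list (primary suffix, connection-specific suffixes and any
# policy-supplied list, as merged by the resolver).
$current = @((Get-DnsClientGlobalSetting).SuffixSearchList)
"Effective suffix search list: $($current -join ', ')"

# Policy-delivered list, if a GPO has applied one (assumed registry location of
# the "DNS Suffix Search List" policy setting).
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$policyList = (Get-ItemProperty -Path $policyKey -Name SearchList -ErrorAction SilentlyContinue).SearchList
if ($policyList) { "GPO search list: $policyList" } else { "No GPO search list applied" }

# Flag suffixes the trust needs but the client will not try.
$missing = $Expected | Where-Object { $current -notcontains $_ }
if ($missing) { "Missing suffixes: $($missing -join ', ')" }

# Try the bare short name (which relies on the search list), then each
# fully qualified candidate, and report which ones resolve.
$candidates = @($ShortName) + ($Expected | ForEach-Object { "$ShortName.$_" })
foreach ($candidate in $candidates) {
    $r = Resolve-DnsName -Name $candidate -Type A -ErrorAction SilentlyContinue
    if ($r) {
        $ips = ($r | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
        "$candidate -> $ips"
    } else {
        "$candidate -> not resolved"
    }
}
```

If the FQDN resolves but the bare short name does not, the forwarders are fine and the client simply lacks the other domain's suffix in its search list, which is exactly the symptom reported earlier in the thread. Keep the search list short and ordered with the local domain first, since every suffix added is an extra query for each unqualified lookup that fails.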
