Internal DNS delegate to external host
Posted on 2013-06-13
We have been facing an issue with internal DNS delegation.
Here is a description of our architecture and the issue:
DHCPDNS1 and DHCPDNS2 (Windows Server 2012)
extDNS1 and extDNS2 (Windows Server 2003) - external DNS
intDNS1 and intDNS2 (Windows Server 2003) - internal DNS for Domain2 servers
srv1 and srv2 (Windows Server 2003) - Web servers
Here is a description of our architecture:
We have two Active Directory domains (forests) in our environment. The first is "Domain1" (which we use for general purpose servers and users/client machines) and the second is "Domain2" (which we use for web development servers).
Domain2 also includes our external DNSes "extDNS1" and "extDNS2". We have quite a few websites that are hosted externally (outside both "Domain1" and "Domain2") but need to be referenced internally on our webservers ("srv1" and "srv2") in "Domain2" for integration with other websites and portals. These websites use "extDNS1" and "extDNS2" as their DNS. In order that "srv1" and "srv2" are able to reference these external servers, we have set up delegates for these domains in the internal DNS in Domain2 on servers "intDNS1" and "intDNS2". These delegates point to our servers "DHCPDNS1" and "DHCPDNS2" in "Domain1" in order to get the external DNS address. "DHCPDNS1" and "DHCPDNS2" are our DHCP servers.
This setup worked perfectly till we had "DHCPDNS1" and "DHCPDNS2" on Windows Server 2008. We recently migrated these two servers to Windows Server 2012, with the same DHCP and DNS settings they had earlier. After migration, on "srv1" or "srv2", we are not able to resolve the IP addresses of our domains whose delegates point to "DHCPDNS1" and "DHCPDNS2", on ping.
Here are some observations and some things we tried:
1. If we ping these subdomains on any client machine or server in Domain1 or on DHCPDNS1 or DHCPDNS2, it is able to retrieve the external IP address, and then stores this in its DNS resolver cache. As long as these records exist in DHCPDNS1's or DHCPDNS2's resolver cache, srv1 and srv2 (and all servers in Domain2) are able to ping those subdomains. When the resolver cache records on DHCPDNS1 and DHCPDNS2 expire, ping from the Domain2 servers fails to work. Remember, this is only for those domains that have a delegate pointing to DHCPDNS1 and DHCPDNS2. Again, our aim is that the servers in Domain2 are able to retrieve the external IP address, which is not possible as the external DNS is in the same domain.
2. When we changed the Dynamic Updates from "None" to "Nonsecure and secure" on DHCPDNS1, the Domain2 servers were immediately able to route their ping requests through DHCPDNS1 and DHCPDNS2 successfully. This worked for 7 days, and ping requests fail to resolve on all Domain2 servers now. I'm not sure if it has anything to do with Aging on DHCPDNS1, which is set to 7 days by default.
Hoping that someone can help throw some light here.
Once again, our aim is that all servers in Domain2 (which includes the external DNSes) must be able to ping the external addresses (which use extDNS1 and extDNS2 as their DNS). Thus, the internal DNS in domain Domain2 must point to the external IP address.
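A way to narrow down where a delegation chain like the one described above breaks, as an added example that is not part of the original post: the script below queries each hop (the Domain2 internal server, the delegation target, and the authoritative external server) directly, once with recursion requested and once without. A server that follows a delegation sends iterative (non-recursive) queries to the delegation target, so a target that only answers while the record is still in its cache will show up as "answers with recursion, fails without". The host and zone names (`intDNS1`, `DHCPDNS1`, `extDNS1`, `example.com`) are placeholders standing in for the poster's servers, and the `Test-Resolution` function is this example's own, not a built-in cmdlet.

```powershell
# Added diagnostic example (not from the original post). Replace the placeholder
# names below with the real servers and one of the zones whose delegate points
# at DHCPDNS1/DHCPDNS2. Requires the DnsClient module (Windows 8 / Server 2012+).
$Zone     = 'example.com'      # placeholder: a delegated zone that stops resolving
$TestName = "www.$Zone"        # placeholder: a record inside that zone
$Hops = [ordered]@{
    'intDNS1  (Domain2 internal)'   = 'intDNS1'    # placeholder host name
    'DHCPDNS1 (delegation target)'  = 'DHCPDNS1'   # placeholder host name
    'extDNS1  (authoritative)'      = 'extDNS1'    # placeholder host name
}

# Step 1: confirm what the Domain2 internal DNS hands out as the delegation.
# The NS answer should name the delegation targets (DHCPDNS1/DHCPDNS2).
Write-Host "Delegation for $Zone as seen from intDNS1:"
Resolve-DnsName -Name $Zone -Type NS -Server $Hops['intDNS1  (Domain2 internal)'] -DnsOnly |
    Where-Object { $_.Type -eq 'NS' } |
    Format-Table Name, Type, NameHost -AutoSize

# Step 2: query each hop with and without recursion and tabulate the answers.
function Test-Resolution {
    param(
        [string]$Label,
        [string]$Server,
        [string]$Name,
        [switch]$NoRecursion
    )
    $params = @{ Name = $Name; Server = $Server; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($NoRecursion) { $params['NoRecursion'] = $true }
    try {
        $records = Resolve-DnsName @params | Where-Object { $_.Type -eq 'A' }
        $answer  = if ($records) { $records.IPAddress -join ', ' } else { '(no A record in answer)' }
    } catch {
        $answer = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Hop       = $Label
        Recursion = -not $NoRecursion
        Answer    = $answer
    }
}

$results = foreach ($hop in $Hops.GetEnumerator()) {
    Test-Resolution -Label $hop.Key -Server $hop.Value -Name $TestName
    Test-Resolution -Label $hop.Key -Server $hop.Value -Name $TestName -NoRecursion
}
$results | Format-Table -AutoSize
```

Run it twice: once right after a successful ping from a Domain1 machine (the record is then in the DHCPDNS cache) and again after clearing the server cache on the delegation target with `Clear-DnsServerCache -ComputerName DHCPDNS1 -Force` (DnsServer module, Windows Server 2012) to reproduce the "expired cache" state the post describes. If the delegation target row answers only in the `Recursion = True` line after the cache is cleared, the break is at that hop rather than in the delegation records on intDNS1, which is the distinction worth establishing before touching dynamic update or aging settings.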