Internal DNS delegate to external host

We have been facing an issue with internal DNS delegation.

Here is a description of our architecture and the issue:

Architecture
--------------
   
Domain1
      DHCPDNS1 and DHCPDNS2   (Windows Server 2012)


Domain2
      extDNS1 and extDNS2   (Windows Server 2003) - external DNS
      intDNS1  and intDNS2   (Windows Server 2003) - internal DNS for Domain2 servers
      srv1 and srv2   (Windows Server 2003) - Web servers


Here is a description of our architecture:
We have two Active Directory domains (forests) in our environment. The first is "Domain1" (which we use for general purpose servers and users/client machines) and the second is "Domain2" (which we use for web development servers).
Domain2 also includes our external DNSes "extDNS1" and "extDNS2". We have quite a few websites that are hosted externally (outside both "Domain1" and "Domain2") but need to be referenced internally on our webservers ("srv1" and "srv2") in "Domain2" for integration with other websites and portals. These websites use "extDNS1" and "extDNS2" as their DNS. In order that "srv1" and "srv2" are able to reference these external servers, we have set up delegates for these domains in the internal DNS in Domain2 on servers "intDNS1" and "intDNS2". These delegates point to our servers "DHCPDNS1" and "DHCPDNS2" in "Domain1" in order to get the external DNS address. "DHCPDNS1" and "DHCPDNS2" are our DHCP servers.

This setup worked perfectly until we had "DHCPDNS1" and "DHCPDNS2" on Windows Server 2008. We recently migrated these two servers to Windows Server 2012, with the same DHCP and DNS settings they had earlier. After migration, on "srv1" or "srv2", we are not able to resolve the IP addresses of our domains whose delegates point to "DHCPDNS1" and "DHCPDNS2", on ping.

Here are some observations and some things we tried:
1. If we ping these subdomains on any client machine or server in Domain1 or on DHCPDNS1 or DHCPDNS2, it is able to retrieve the external IP address, and then stores this in its DNS resolver cache. As long as these records exist in DHCPDNS1's or DHCPDNS2's resolver cache, srv1 and srv2 (and all servers in Domain2) are able to ping those subdomains. When the resolver cache records on DHCPDNS1 and DHCPDNS2 expire, pings from the Domain2 servers fail to work. Remember, this is only for those domains that have a delegate pointing to DHCPDNS1 and DHCPDNS2. Again, our aim is that the servers in Domain2 are able to retrieve the external IP address, which is not possible as the external DNS is in the same domain.

2. When we changed the Dynamic Updates from "None" to "Nonsecure and secure" on DHCPDNS1, the Domain2 servers were immediately able to route their ping requests through DHCPDNS1 and DHCPDNS2 successfully. This worked for 7 days, and now ping requests fail to resolve on all Domain2 servers. I'm not sure if it has anything to do with Aging on DHCPDNS1, which is set to 7 days by default.

Hoping that someone can help throw some light here.
Once again, our aim is that all servers in Domain2 (which includes the external DNSes) must be able to ping the external addresses (which use extDNS1 and extDNS2 as their DNS). Thus, the internal DNS in domain Domain2 must point to the external IP address.
Asked by Tomasz Czyz

2 Solutions

footech commented:
Sorry, but you lost me with your description.  Can you give some examples (screenshots would be even better)?  How many domains are we dealing with here, just the two, or are there more with the external websites?

Chris Dent (PowerShell Developer) commented:
1. If we ping these subdomains on any client machine or server in Domain1 or on DHCPDNS1 or DHCPDNS2, it is able to retrieve the external IP address, and then stores this in its DNS resolver cache.

If this is desirable and expected, what happens to the cache after the current entry has expired? I assume you're using "ipconfig /displaydns" to show that?

If you find it's unable to resolve the address, test each server in the resolver list using:

nslookup -d -q=a <address> extDNS1
nslookup -d -q=a <address> extDNS2

To simplify the result, add a period after the name you're looking up. i.e. "www.domain.com." instead of "www.domain.com". This will prevent nslookup from using any configured suffix search list. For example, that would make the command:

nslookup -d -q=a www.domain.com. extDNS1

Once you've executed that, the most interesting field is the RCODE in the "Got Answer" section.


2. When we changed the Dynamic Updates from "None" to "Nonsecure and secure" on DHCPDNS1, the Domain2 servers were immediately able to route their ping requests through DHCPDNS1 and DHCPDNS2 successfully.

This suggests that a record is being flushed by scavenging. If you find, while testing above, that the RCODE reports NXDOMAIN (does not exist) you need to establish how those addresses end up on the server in the first place.

That is, the problem of the record being removed from one or more DNS servers can be addressed by allowing the server in question to update again.

Please let us know how you get on.

Cheers,

Chris

Tomasz Czyz (System Administrator, Author) commented:
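An added example, not part of this thread, that does in code what the nslookup checks in the answer above do: it builds an A query for an absolute name (the trailing-dot point, so no suffix search list is appended), parses the reply header the way nslookup -d prints it under "Got answer", and reports the RCODE and any A records so NXDOMAIN can be told apart from a timeout or a SERVFAIL. The name www.domain.com, the address 203.0.113.10 and the two sample responses are constructed placeholders; query_server is the only part that touches the network.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_a_query(name, txid=0x1234):
    """RD-set A query for an absolute name: nothing like a suffix search list can be appended."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only, 1 question
    return header + qname + struct.pack(">HH", 1, 1)          # QTYPE=A, QCLASS=IN

def _skip_name(msg, pos):
    """Offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[pos]
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def parse_response(msg):
    """The fields nslookup -d prints under 'Got answer': RCODE, flags, counts, A records."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4            # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:             # A record: four-byte IPv4 address
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "answers": an, "authority": ns, "a_records": addrs}

def query_server(name, server, timeout=2.0):
    """Live check of one server over UDP/53: the equivalent of 'nslookup -d -q=a name. server'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)                     # a timeout here is "no response", not an RCODE
        s.sendto(build_a_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

# Constructed sample responses (not captured from the poster's servers): the question section is
# echoed back; flags 0x8183 = QR+RD+RA with RCODE 3 (NXDOMAIN), 0x8180 = same with NOERROR.
_QUESTION = build_a_query("www.domain.com.")[12:]
SAMPLE_NXDOMAIN = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION
SAMPLE_NOERROR = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                  + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10]))
```

Run query_server("www.domain.com.", "<intDNS1 address>") and the same against each delegated-to server; an NXDOMAIN from the delegation target with the record missing points at scavenging as the answer suggests, while a timeout or REFUSED points at the delegation or forwarding path instead.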
Thanks, Chris for your detailed reply, and all those helpful points.

We set up forwarding from the DHCPDNS1 and DHCPDNS2 servers to 8.8.8.8, and now all the servers in Domain2 are able to resolve those records.

Tomasz Czyz (System Administrator, Author) commented:
The other solutions provided were not the exact solution.