Solved

Internal DNS delegate to external host

Posted on 2013-06-13
652 Views
Last Modified: 2013-06-30
We have been facing an issue with internal DNS delegation.

Here is a description of our architecture and the issue:

Architecture
--------------
   
Domain1
      DHCPDNS1 and DHCPDNS2   (Windows Server 2012)


Domain2
      extDNS1 and extDNS2   (Windows Server 2003) - external DNS
      intDNS1  and intDNS2   (Windows Server 2003) - internal DNS for Domain2 servers
      srv1 and srv2   (Windows Server 2003) - Web servers


Here is a description of our architecture:
We have two Active Directory domains (forests) in our environment. The first is "Domain1" (which we use for general purpose servers and users/client machines) and the second is "Domain2" (which we use for web development servers).
Domain2 also includes our external DNSes "extDNS1" and "extDNS2".  We have quite a few websites that are hosted externally (outside both "Domain1" and "Domain2") but need to be referenced internally on our webservers ("srv1" and "srv2") in "Domain2" for integration with other websites and portals. These websites use "extDNS1" and "extDNS2" as their DNS. In order that "srv1" and "srv2" are able to reference these external servers, we have set up delegates for these domains in the internal DNS in Domain2 on servers "intDNS1" and "intDNS2". These delegates point to our servers "DHCPDNS1" and "DHCPDNS2" in "Domain1" in order to get the external DNS address. "DHCPDNS1" and "DHCPDNS2" are our DHCP servers.

This setup worked perfectly till we had "DHCPDNS1" and "DHCPDNS2" on Windows Server 2008. We recently migrated these two servers to Windows Server 2012, with the same DHCP and DNS settings they had earlier. After migration, on "srv1" or "srv2", we are not able to resolve the IP addresses of our domains whose delegates point to "DHCPDNS1" and "DHCPDNS2", on ping.  

Here are some observations and some things we tried:
1. If we ping these subdomains on any client machine or server in Domain1 or on DHCPDNS1 or DHCPDNS2, it is able to retrieve the external IP address, and then stores this in its DNS resolver cache. As long as these records exist in DHCPDNS1's or DHCPDNS2's resolver cache, srv1 and srv2 (and all servers in Domain2) are able to ping those subdomains. When the resolver cache records on DHCPDNS1 and DHCPDNS2 expire, ping from the Domain2 servers fails to work. Remember, this is only for those domains that have a delegate pointing to DHCPDNS1 and DHCPDNS2. Again, our aim is that the servers in Domain2 are able to retrieve the external IP address, which is not possible as the external DNS is in the same domain.

2. When we changed the Dynamic Updates from "None" to "Nonsecure and secure" on DHCPDNS1, the Domain2 servers were immediately able to route their ping requests through DHCPDNS1 and DHCPDNS2 successfully. This worked for 7 days, but ping requests now fail to resolve on all Domain2 servers. I'm not sure if it has anything to do with aging on DHCPDNS1, which is set to 7 days by default.

Hoping that someone can help throw some light here.
Once again, our aim is that all servers in Domain2 (which includes the external DNSes) must be able to ping the external addresses (which use extDNS1 and extDNS2 as their DNS). Thus, the internal DNS in Domain2 must point to the external IP address.
0
Question by:Tomasz Czyz
6 Comments
 
LVL 40

Expert Comment

by:footech
ID: 39268607
Sorry, but you lost me with your description.  Can you give some examples (screenshots would be even better)?  How many domains are we dealing with here, just the two, or are there more with the external websites?
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 39268877
1. If we ping these subdomains on any client machine or server in Domain1 or on DHCPDNS1 or DHCPDNS2, it is able to retrieve the external IP address, and then stores this in its DNS resolver cache.

If this is desirable and expected, what happens to the cache after the current entry has expired? I assume you're using "ipconfig /displaydns" to show that?

If you find it's unable to resolve the address, test each server in the resolver list using:

nslookup -d -q=a <address> extDNS1
nslookup -d -q=a <address> extDNS2

To simplify the result, add a period after the name you're looking up. i.e. "www.domain.com." instead of "www.domain.com". This will prevent nslookup from using any configured suffix search list. For example, that would make the command:

nslookup -d -q=a www.domain.com. extDNS1

Once you've executed that the most interesting field is the RCODE in the "Got Answer" section.


2. When we changed the Dynamic Updates from "None" to "Nonsecure and secure" on DHCPDNS1, the Domain2 servers were immediately able to route their ping requests through DHCPDNS1 and DHCPDNS2 successfully.

This suggests that a record is being flushed by scavenging. If you find, while testing above, that the RCODE reports NXDOMAIN (does not exist) you need to establish how those addresses end up on the server in the first place.

That is, the problem of the record being removed from one or more DNS servers can be addressed by allowing the server in question to update again.

Please let us know how you get on.

Cheers,

Chris
0
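As an added illustration of the check Chris describes above (this is not code from the thread or from any of its participants): a minimal Python query builder and reply decoder that asks one named server for an A record, honours the trailing dot so no suffix search list is applied, and reports the RCODE, so that NXDOMAIN from one server and NOERROR from another stands out. The server names and the sample NXDOMAIN reply are constructed for the example.

```python
import socket
import struct

# RCODE names from RFC 1035 section 4.1.1; NXDOMAIN is the one to watch for here.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id, adequate for a one-shot diagnostic

def build_a_query(name):
    """Recursion-desired A/IN query; the trailing dot is stripped and no suffix is ever appended."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data):
    """Pull out what 'nslookup -d' prints under 'Got answer': RCODE, AA flag, answer count."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != TXID or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    return {"rcode": RCODES.get(rcode, str(rcode)),
            "authoritative": bool(flags & 0x0400), "answers": ancount}

def interpret(result):
    """Map the reply onto the cases discussed in the thread."""
    if result["rcode"] == "NXDOMAIN":
        return "NXDOMAIN: no record on this server; find out how it is created there and whether scavenging removed it"
    if result["rcode"] == "NOERROR" and result["answers"] == 0:
        return "NOERROR, no answers: the name exists on this server but has no A record"
    if result["rcode"] == "NOERROR":
        return "resolved with %d answer(s)" % result["answers"]
    return "%s: the server itself failed; fix that server before looking at the delegation" % result["rcode"]

def query_server(name, server, timeout=3.0):
    """Ask one specific server over UDP/53, like 'nslookup -q=a www.domain.com. extDNS1'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)

# Constructed sample reply, not captured from any real server: flags 0x8183 set
# QR, RD, RA and RCODE 3 (NXDOMAIN); the question section is echoed back as usual.
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", TXID, 0x8183, 1, 0, 0, 0) + build_a_query("www.domain.com.")[12:]

if __name__ == "__main__":
    print(interpret(parse_response(SAMPLE_NXDOMAIN)))
```

Run `query_server("www.domain.com.", "<ip of extDNS1>")` and the same against extDNS2, intDNS1 and DHCPDNS1 in turn; a server that answers NXDOMAIN while its peer answers NOERROR is the one whose record has gone missing.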
 
LVL 2

Accepted Solution

by:Tomasz Czyz
Tomasz Czyz earned 0 total points
ID: 39277285
Thanks, Chris for your detailed reply, and all those helpful points.

We set up forwarding from the DHCPDNS1 and DHCPDNS2 servers to 8.8.8.8, and now all the servers in Domain2 are able to resolve those records.
0
 
LVL 2

Author Closing Comment

by:Tomasz Czyz
ID: 39287944
The other solutions provided were not the exact solution.
0
