Solved

Internal DNS delegate to external host

Posted on 2013-06-13
6
642 Views
Last Modified: 2013-06-30
We have been facing an issue with internal DNS delegation.

Here is a description of our architecture and the issue:

Architecture
--------------
   
Domain1
      DHCPDNS1 and DHCPDNS2   (Windows Server 2012)


Domain2
      extDNS1 and extDNS2   (Windows Server 2003) - external DNS
      intDNS1  and intDNS2   (Windows Server 2003) - internal DNS for Domain2 servers
      srv1 and srv2   (Windows Server 2003) - Web servers


Here is a description of our architecture:
We have two Active Directory domains (forests) in our environment. The first is "Domain1" (which we use for general purpose servers and users/client machines) and the second is "Domain2" (which we use for web development servers).
Domain2 also includes our external DNSes "extDNS1" and "extDNS2".  We have quite a few websites that are hosted externally (outside both "Domain1" and "Domain2") but need to be referenced internally on our webservers ("srv1" and "srv2") in "Domain2" for integration with other websites and portals. These websites use "extDNS1" and "extDNS2" as their DNS. In order that "srv1" and "srv2" are able to reference these external servers, we have set up delegates for these domains in the internal DNS in Domain2 on servers "intDNS1" and "intDNS2". These delegates point to our servers "DHCPDNS1" and "DHCPDNS2" in "Domain1" in order to get the external DNS address. "DHCPDNS1" and "DHCPDNS2" are our DHCP servers.

This setup worked perfectly till we had "DHCPDNS1" and "DHCPDNS2" on Windows Server 2008. We recently migrated these two servers to Windows Server 2012, with the same DHCP and DNS settings they had earlier. After migration, on "srv1" or "srv2", we are not able to resolve the IP addresses of our domains whose delegates point to "DHCPDNS1" and "DHCPDNS2", on ping.

Here are some observations and some things we tried:
1. If we ping these subdomains on any client machine or server in Domain1 or on DHCPDNS1 or DHCPDNS2, it is able to retrieve the external IP address, and then stores this in its DNS resolver cache. As long as these records exist in DHCPDNS1's or DHCPDNS2's resolver cache, srv1 and srv2 (and all servers in Domain2) are able to ping those subdomains. When the resolver cache records on DHCPDNS1 and DHCPDNS2 expire, ping from the Domain2 servers fails to work. Remember, this is only for those domains that have a delegate pointing to DHCPDNS1 and DHCPDNS2. Again, our aim is that the servers in Domain2 are able to retrieve the external IP address, which is not possible as the external DNS is in the same domain.

2. When we changed the Dynamic Updates from "None" to "Nonsecure and secure" on DHCPDNS1, the Domain2 servers were immediately able to route their ping requests through DHCPDNS1 and DHCPDNS2 successfully. This worked for 7 days and ping requests fail to resolve on all Domain2 servers now. I'm not sure if it has anything to do with Aging on DHCPDNS1 which is set to 7 days, by default.

Hoping that someone can help throw some light here.
Once again, our aim is that all servers in Domain2 (which includes the external DNSes) must be able to ping the external addresses (which use extDNS1 and extDNS2 as their DNS). Thus, the internal DNS in domain Domain2 must point to the external IP address.
Question by:Tomasz Czyz

6 Comments
LVL 39

Expert Comment

by:footech
ID: 39268607
Sorry, but you lost me with your description.  Can you give some examples (screenshots would be even better)?  How many domains are we dealing with here, just the two, or are there more with the external websites?
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 39268877
1. If we ping these subdomains on any client machine or server in Domain1 or on DHCPDNS1 or DHCPDNS2, it is able to retrieve the external IP address, and then stores this in its DNS resolver cache.

If this is desirable and expected, what happens to the cache after the current entry has expired? I assume you're using "ipconfig /displaydns" to show that?

If you find it's unable to resolve the address, test each server in the resolver list using:

nslookup -d -q=a <address> extDNS1
nslookup -d -q=a <address> extDNS2

To simplify the result, add a period after the name you're looking up. i.e. "www.domain.com." instead of "www.domain.com". This will prevent nslookup from using any configured suffix search list. For example, that would make the command:

nslookup -d -q=a www.domain.com. extDNS1

Once you've executed that the most interesting field is the RCODE in the "Got Answer" section.


2. When changed the Dynamic Updates from "None" to "Nonsecure and secure" on DHCPDNS1 and the Domain2 servers were immediately able to route their ping requests through DHCPDNS1 and DHCPDNS2 successfully.

This suggests that a record is being flushed by scavenging. If you find, while testing above, that the RCODE reports NXDOMAIN (does not exist) you need to establish how those addresses end up on the server in the first place.

That is, the problem of the record being removed from one or more DNS servers can be addressed by allowing the server in question to update again.

Please let us know how you get on.

Cheers,

Chris
0
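The per-server check Chris describes, as an added PowerShell example that is not part of the thread: it runs nslookup -d -q=a with a trailing-dot name against each hop in the resolution chain and extracts the rcode and answer count from the last "Got answer" block of the debug output. The values in $names and $servers are placeholders built from the hostnames in the question.

```powershell
# Added example (not from the thread). Runs the same nslookup check Chris
# suggests against each server and reports the RCODE of the final answer.
# $names and $servers are placeholders; substitute your own.
$names   = @('www.domain.com.')                 # trailing dot: skip the suffix search list
$servers = @('intDNS1', 'DHCPDNS1', 'extDNS1')  # hostnames assumed from the question

function Get-NslookupRcode {
    param([string]$Name, [string]$Server)

    # -d prints the wire-level exchange; -q=a asks for A records only.
    # stderr is merged so "DNS request timed out" lines are captured too.
    $out = & nslookup -d "-q=a" $Name $Server 2>&1 | Out-String

    # nslookup first looks up the server's own name/address, so several
    # "Got answer:" blocks may appear; the last one answers our query.
    $blocks = $out -split 'Got answer:'
    $answer = $blocks[-1]

    # Header line looks like: "opcode = QUERY, id = 2, rcode = NXDOMAIN"
    $rcode   = if ($answer -match 'rcode\s*=\s*(\w+)')   { $Matches[1] } else { 'NO RESPONSE' }
    $answers = if ($answer -match 'answers\s*=\s*(\d+)') { [int]$Matches[1] } else { 0 }

    [pscustomobject]@{
        Name    = $Name
        Server  = $Server
        RCode   = $rcode      # NOERROR, NXDOMAIN, SERVFAIL, or NO RESPONSE (timeout)
        Answers = $answers    # 0 answers with NOERROR means the name exists but has no A record
    }
}

foreach ($name in $names) {
    foreach ($server in $servers) {
        Get-NslookupRcode -Name $name -Server $server
    }
}
```

Reading the table hop by hop shows where the chain breaks: a hop that returns NXDOMAIN while the hop behind it returns NOERROR with answers is the one that lost the record, which is the case Chris says points back to how the record got onto that server.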
 
LVL 2

Accepted Solution

by:Tomasz Czyz
Tomasz Czyz earned 0 total points
ID: 39277285
Thanks, Chris for your detailed reply, and all those helpful points.

We set up forwarding from the DHCPDNS1 and DHCPDNS2 servers to 8.8.8.8, and now all the servers in Domain2 are able to resolve those records.
0
 
LVL 2

Author Closing Comment

by:Tomasz Czyz
ID: 39287944
The other solutions provided were not the exact solution.
0
