Solved

DNS split - the right way?

Posted on 2014-04-14
694 Views
Last Modified: 2014-04-14
Hi guys,

I have what I believe to be a dilemma regarding a new DNS environment I need to build.

Currently we have a Forest Root domain 'domain.com' with AD integrated DNS.
It is on VLAN1.
The only computers that are members of this domain are 2x Domain Controllers.
It does have a few A records for services using the domain.com dns zone.

We also have child.domain.com on VLAN2.
It has AD integrated DNS.
It is the domain that most computers are members of and they use the domain controllers in this domain as their DNS servers.

Both VLAN1 and VLAN2 have full bi-directional communication with each other.
The DCs in the parent domain.com have a delegation of child.domain.com displayed in their DNS server zone.

This is all working fine, however I need to add a workgroup server using the same top-level domain without causing conflict.

VLAN3 will be created.
It will not have any outgoing communication with either VLAN1/2
VLAN1/2 can communicate to VLAN3 using NAT
The DNS zone 'domain.com' and several subdomains 'subdomain1.domain.com', 'subdomain2.domain.com', etc need to be hosted on this newly built workgroup DNS server in VLAN3.

My original thinking was that I would just convert domain.com to a Primary DNS server on VLAN1 and then create the Secondary DNS servers on VLAN3, but then I was informed that it couldn't communicate to the Primary.

I then thought maybe I could create the new Primary in VLAN3 and then convert VLAN1 to a secondary, but then I couldn't create a delegate on VLAN3 of child.domain.com

If I create a new DNS Primary zone 'domain.com' on VLAN3, can I create a forwarder on the child.domain.com to point to the new Primary domain for all domain.com resolution? Would that impact domain services at all since it is a child of the forest root?

The thing is, all other services across every VLAN in the LAN/WAN will be using the new DNS server(s) in VLAN3, so VLAN1 dns isn't necessary so much. But it still needs to be there for itself right?

I guess another option is to have VLAN3 the Primary of domain.com and create all of the subdomains on there including child.domain.com and make all DNS servers on VLAN1/2 secondary servers rather than AD integrated. Is DNS ok using NAT for this purpose?

One catch is that all DNS servers must be on Windows 2012.

Anyway, your feedback would be greatly appreciated.
Question by: lltc78

11 Comments
Expert Comment

by: Mahesh
Do you want a 3rd domain, or what?

Also, why do you require NAT to communicate with the 3rd domain?

Does it need to be accessed through the internet?

Sorry, but the question is not clear to me.

Your comment:
VLAN3 will be created.
It will not have any outgoing communication with either VLAN1/2
VLAN1/2 can communicate to VLAN3 using NAT
The DNS zone 'domain.com' and several subdomains 'subdomain1.domain.com', 'subdomain2.domain.com', etc need to be hosted on this newly built workgroup DNS server in VLAN3.


Are domain.com and subdomain1.domain.com referring to VLAN1 and VLAN2?

If a dedicated Active Directory is not required in the VLAN3 location, then you can simply have a workgroup server in VLAN3 and create standard primary zones for domain.com \ subdomain1.domain.com and so on.
If your communication between VLAN1\2 and VLAN3 is over NAT, then you need to put the NATted IPs of the VLAN1 and VLAN2 domain controllers in the DNS zones of the VLAN3 server.

Mahesh
Author Comment

by: lltc78
No, no other AD domains wanted. Just DNS subdomains.

It's not the internet but for CGN to be shared between other networks.

No, domain.com and subdomain1.domain.com are needed on VLAN3, but hosts on this network are not able to make a connection to hosts in VLAN1/2
Expert Comment

by: Mahesh
CGN refers to a common group network, I hope.

So you mean:

You want DNS zones in VLAN3 with the same names and resources as VLAN1 and VLAN2, and at the same time users cannot access VLAN1 and 2 hosts from there.

So, what records will the VLAN3 domain.com and subdomains contain?
Do you want to put DNS entries on workstations and servers in VLAN1 and 2 pointing to the VLAN3 DNS servers, and have them resolve to VLAN1 and 2 as appropriate?
You can play with DNS like you want...

Sorry, but I am still unable to understand the exact requirement here; if you could please tell us what exactly you are looking for, I can help.

Mahesh.
Author Comment

by: lltc78
That's pretty much what I want.
So basically VLAN1 (domain.com) and VLAN2 (child.domain.com) are more for internal use, and trusted. VLAN3 is shared for all other private networks to use as their DNS server, but it needs to host domain.com for them, and subdomain.domain.com.

The child.domain.com computers need to resolve hostnames from both domain.com/child.domain.com which is hosted in VLAN3.

I assume the domain members/computers in child.domain.com will use their Domain Controllers as their DNS server. But can those DC's forward to VLAN3 DNS servers which hosts domain.com without affecting the Domain Forest? Does the child domain need communication to the forest root domain in any way, and does it need dns for this?
Expert Comment

by: Mahesh
See, in VLAN1 and 2 DNS name resolution will work as below:

The child domain will have conditional forwarding set in DNS on the child domain DCs for resolving queries in the parent domain.
The parent domain has a DNS delegation towards the child domain to resolve DNS queries for the child domain in the parent domain.

Now, when you have DNS installed in VLAN1 and 2, why would you require DNS in VLAN3?
It's always best practice to use native DNS servers...

Your Comment:
The child.domain.com computers need to resolve hostnames from both domain.com/child.domain.com which is hosted in VLAN3.

It looks like the child.domain.com computers remain in VLAN2, correct?
In that case, why would they look for VLAN3 DNS servers... when their DNS server exists in the same VLAN (VLAN2)?

Just a few quick questions:
Why do you want to put VLAN3 and DNS servers in that VLAN when your native VLANs are there with native DNS servers?
Do you have any client computers belonging to the parent domain (VLAN1) and child domain (VLAN2) placed in VLAN3 that need to get authenticated through the appropriate domain controllers?... I mean, is this your exact requirement?

Sorry, I am still unable to understand what your goal is and what you are trying to achieve.

Mahesh.
Author Comment

by: lltc78
I have tried explaining it the best I can.

VLAN3 is needed to host the DNS servers that contain domain.com/subdomain1.domain.com/subdomain2.domain.com for all other networks. These networks are separated for different clients to use. The client networks need a dns server to resolve to. The ONLY dns server they will be able to access is on VLAN3.

This DNS server will have all of these other subdomains in it. These subdomains will not be on any other dns server. ONLY in VLAN3. This is not part of an AD domain. It just needs to provide name resolution for the domain.com zone and subdomains that the clients need access to.

Can I remove that conditional forwarding from the child domain so that it does not resolve to the parent domain?

The only authentication required is from computers in VLAN1/2 to their respective domain controller. No domain members will be in VLAN3. It's not a domain, it's just a network that will host workgroup servers, and host DNS (non-AD integrated)

VLAN1/2 already exists. Both VLANs were built using the domain.com name and child.
They are both AD domains. These are the ONLY AD domains. They are to be used internally only. No client needs access to them, nor will they get it.

Since subdomain1.domain.com and subdomain2.domain.com will ONLY be on the workgroup dns server (VLAN3), the child.domain.com computers need to resolve those hostnames, just the same as every other client.
Expert Comment

by: Mahesh
Ok

You don't have to remove the conditional forwarder in the child domain; removing it would bring down name resolution between the child domain and parent domain in VLAN1 and 2.
It is also required for problem-free login between the parent and child domain.

Now, to do what you are trying to do, just have one \ two workgroup servers in VLAN3 and install the DNS role on those servers.

From your VLAN1 and 2 DNS servers (DCs), enable TCP 53 bi-directionally towards the VLAN3 workgroup DNS servers (the two above).

Now enable zone transfer on the parent zone and all required child zones in both the parent and child domain in VLAN1 and 2, and allow zone transfer to the workgroup DNS servers in VLAN3.

Now create secondary zones on both workgroup DNS servers for every primary zone where you have enabled zone transfer in VLAN1 and 2.

Now the workgroup member servers in VLAN3 should point to these two workgroup DNS servers for name resolution.

Note that you must enable the DNS suffix search list on all workgroup servers' network card properties (advanced DNS configuration setting) and specify all domain names there so that the servers can get name resolution for the respective domain resources.

Also, you have to open the appropriate application ports from the VLAN3 servers to VLAN1 and 2 for resource access.
For example, if the resources are web servers, you must open ports 80 and 443 from the VLAN3 segment to the VLAN1 and 2 web servers.

Mahesh.
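The zone-transfer build-out Mahesh lays out above, written up as an added PowerShell example; it is not code from the original thread. It uses the DnsServer and DnsClient cmdlets that ship with Windows Server 2012. Every IP address, the interface alias and the two-server count are assumptions for illustration. Note that the pull in step 2 only works if the VLAN3 servers can open TCP 53 to the DCs, which is exactly the traffic the next reply says is not allowed.

```powershell
# Added example (not from the original thread). All addresses and names below are assumed.

# ---- Step 1: on a VLAN1 DC hosting domain.com (repeat on a VLAN2 DC for child.domain.com) ----
# Allow zone transfers only to the two VLAN3 workgroup DNS servers and NOTIFY them on change.
# VLAN1/2 reach VLAN3 through NAT, so these are the VLAN3 servers' addresses as seen from VLAN1/2.
$vlan3Dns = '192.0.2.53', '192.0.2.54'
Set-DnsServerPrimaryZone -Name 'domain.com' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $vlan3Dns `
    -Notify NotifyServers -NotifyServers $vlan3Dns

# ---- Step 2: on each VLAN3 workgroup DNS server ----
# Read-only secondary copies of both AD zones, pulled from the DCs (assumed addresses).
# This is the step that needs VLAN3 -> VLAN1/2 on TCP 53 (AXFR/IXFR are pulled by the secondary).
$parentDcs = '10.1.0.10', '10.1.0.11'   # assumed VLAN1 DCs as reachable from VLAN3
$childDcs  = '10.2.0.10', '10.2.0.11'   # assumed VLAN2 DCs as reachable from VLAN3
Add-DnsServerSecondaryZone -Name 'domain.com'       -ZoneFile 'domain.com.dns'       -MasterServers $parentDcs
Add-DnsServerSecondaryZone -Name 'child.domain.com' -ZoneFile 'child.domain.com.dns' -MasterServers $childDcs

# Kick off the first full transfer instead of waiting for the SOA refresh timer.
Start-DnsServerZoneTransfer -Name 'domain.com'       -FullTransfer
Start-DnsServerZoneTransfer -Name 'child.domain.com' -FullTransfer

# Check: both zones should be listed as Secondary and carry the master's SOA serial.
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Secondary' } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated
foreach ($zone in 'domain.com', 'child.domain.com') {
    $soa = (Get-DnsServerResourceRecord -ZoneName $zone -RRType Soa).RecordData
    "{0}: serial {1} from {2}" -f $zone, $soa.SerialNumber, $soa.PrimaryServer
}

# ---- Step 3: on each workgroup member server in VLAN3 ----
# Point the client at the VLAN3 DNS servers and set the suffix search list Mahesh mentions,
# so short names are tried against every zone hosted there (assumed interface alias and addresses).
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.3.0.53', '10.3.0.54'
Set-DnsClientGlobalSetting -SuffixSearchList 'domain.com', 'child.domain.com', 'subdomain1.domain.com', 'subdomain2.domain.com'
```

Restricting `-SecondaryServers` to the listed addresses matters here: a zone transfer is a full dump of the AD zone, including the `_msdcs`/SRV records, so it should never be left open to any host that can reach TCP 53 on a DC.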
Author Comment

by: lltc78
That is one of the methods I wanted to do, but I have since been informed that I can't have bidirectional between 1/2 and 3. There is no traffic allowed to originate from VLAN3 towards 1/2. That's the problem I have.

I need a solution that doesn't involve VLAN3 sending any outgoing traffic to VLAN1/2.
Accepted Solution

by: Mahesh (earned 500 total points)
See, in reality you require traffic to flow from VLAN1 and 2 to VLAN3.

Your traffic will never flow from VLAN3 to VLAN1 and 2,
because those zones are read-only (secondary) zones, and hence it will never flow from VLAN3 to VLAN1 and 2.

However, you do require bi-directional ports opened between both sets of DNS servers, as the VLAN3 servers should be able to poll the VLAN1 and 2 DNS servers for fetching the DNS zones.
Likewise, VLAN1 and 2 should be able to notify zone updates to the VLAN3 DNS servers.

If bi-directional port opening is a problem, then you need to export the zones from the VLAN1 and 2 servers and import \ create standard primary zones on the VLAN3 DNS servers, the same as in VLAN1 and 2.

Still, it will achieve what you are looking for.

In that case, the only thing is that you need to manually update the VLAN3 DNS zones in case any records get changed in VLAN1 and 2.

Mahesh.
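The export/import fallback from the accepted answer, as an added PowerShell example that is not part of the original thread. It uses the Windows Server 2012 DnsServer and DnsClient cmdlets. The NATted VLAN3 address, the VLAN3 server's own addresses, the `ns1` host names, the sample `app1` record and the UNC copy path are all assumptions; the thread only says VLAN1/2 may initiate to VLAN3 through NAT, which is the one direction this procedure needs. The delegation step at the end is likewise an assumption, added so that child.domain.com members, which resolve domain.com through their existing conditional forwarder to the VLAN1 DCs, can also resolve the subdomains that exist only in VLAN3.

```powershell
# Added example (not from the original thread). Names, paths and addresses are assumed.

# ---- On a VLAN1 DC: export domain.com (on a VLAN2 DC do the same for child.domain.com) ----
# Export-DnsServerZone writes a standard zone file under %SystemRoot%\System32\dns,
# which works for AD-integrated zones as well.
Export-DnsServerZone -Name 'domain.com' -FileName 'domain.com.dns'

# Push the file to the VLAN3 server. Only VLAN1/2 -> VLAN3 traffic is used; VLAN3 never
# connects back. admin$ maps to %SystemRoot% on the target (assumed NATted address).
Copy-Item "$env:SystemRoot\System32\dns\domain.com.dns" '\\192.0.2.53\admin$\System32\dns\'

# ---- On each VLAN3 workgroup DNS server ----
# Load the copied files as standard primary zones; -LoadExisting reads the file instead of
# creating an empty zone. No dynamic update: nothing in VLAN3 registers itself.
Add-DnsServerPrimaryZone -Name 'domain.com'       -ZoneFile 'domain.com.dns'       -LoadExisting -DynamicUpdate None
Add-DnsServerPrimaryZone -Name 'child.domain.com' -ZoneFile 'child.domain.com.dns' -LoadExisting -DynamicUpdate None

# The client-only subdomains exist nowhere else, so create them as fresh primary zones,
# each with an ns1 host (assumed) that the delegation below can point at.
foreach ($z in 'subdomain1.domain.com', 'subdomain2.domain.com') {
    Add-DnsServerPrimaryZone -Name $z -ZoneFile "$z.dns" -DynamicUpdate None
    Add-DnsServerResourceRecordA -ZoneName $z -Name 'ns1' -IPv4Address '10.3.0.53'
}
Add-DnsServerResourceRecordA -ZoneName 'subdomain1.domain.com' -Name 'app1' -IPv4Address '10.3.0.21'  # assumed host

# The exported copy still lists the VLAN1 DCs as apex NS records, which VLAN3 clients can never
# reach. Replace the NS set with this server (assumed name ns1.domain.com).
Add-DnsServerResourceRecordA -ZoneName 'domain.com' -Name 'ns1' -IPv4Address '10.3.0.53'
Add-DnsServerResourceRecord  -ZoneName 'domain.com' -Name '@' -NS -NameServer 'ns1.domain.com.'
Get-DnsServerResourceRecord -ZoneName 'domain.com' -Name '@' -RRType NS |
    Where-Object { $_.RecordData.NameServer -ne 'ns1.domain.com.' } |
    Remove-DnsServerResourceRecord -ZoneName 'domain.com' -Force

# ---- On a VLAN1 DC (assumption, not stated in the thread) ----
# Delegate the VLAN3-only subdomains so queries arriving via the child domain's conditional
# forwarder are referred to VLAN3; the glue address is the VLAN3 server as seen from VLAN1.
foreach ($sub in 'subdomain1', 'subdomain2') {
    Add-DnsServerZoneDelegation -Name 'domain.com' -ChildZoneName $sub `
        -NameServer "ns1.$sub.domain.com" -IPAddress '192.0.2.53'
}

# Check from a VLAN3 member (or any client allowed to reach VLAN3 DNS): the record must answer
# from the VLAN3 server itself, with no referral back to VLAN1/2.
Resolve-DnsName -Name 'app1.subdomain1.domain.com' -Type A -Server '10.3.0.53'
```

Because the zones are now independent primaries, every record change on the VLAN1/2 DCs has to be re-exported and re-copied by hand, as the answer says; a scheduled task running the export and copy from a DC keeps that in the allowed VLAN1/2 to VLAN3 direction.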
Author Comment

by: lltc78
I had the same thoughts, and discussion with network/security teams ended with me losing. I just cannot get bi-directional ports opened.

I came to the same conclusion overnight and figured manual zone exports would be needed. I was hoping for another way, but I guess I'm restricted.

Thanks for your help
Author Closing Comment

by: lltc78
Very active with the responses, and detailed in answers.