DNS split - the right way?

Hey guys,

I have what I believe to be a dilemma regarding a new DNS environment I need to build.

Currently we have a Forest Root domain 'domain.com' with AD integrated DNS.
It is on VLAN1.
The only computers that are members of this domain are 2x Domain Controllers.
It does have a few A records for services using the domain.com dns zone.

We also have child.domain.com on VLAN2.
It has AD integrated DNS.
It is the domain that most computers are members of and they use the domain controllers in this domain as their DNS servers.

Both VLAN1 and VLAN2 have full bi-directional communication with each other.
The DCs in the parent domain.com have a delegation for child.domain.com displayed in their DNS server zone.

This is all working fine, however I need to add a workgroup server using the same top-level domain without causing conflict.

VLAN3 will be created.
It will not have any outgoing communication with either VLAN1/2.
VLAN1/2 can communicate to VLAN3 using NAT.
The DNS zone 'domain.com' and several subdomains 'subdomain1.domain.com', 'subdomain2.domain.com', etc need to be hosted on this newly built workgroup DNS server in VLAN3.

My original thinking was that I would just convert domain.com to a Primary DNS server on VLAN1 and then create the Secondary DNS servers on VLAN3, but then I was informed that it couldn't communicate to the Primary.

I then thought maybe I could create the new Primary in VLAN3 and then convert VLAN1 to a secondary, but then I couldn't create a delegation on VLAN3 for child.domain.com.

If I create a new DNS Primary zone 'domain.com' on VLAN3, can I create a forwarder on the child.domain.com to point to the new Primary domain for all domain.com resolution? Would that impact domain services at all since it is a child of the forest root?

The thing is, all other services across every VLAN in the LAN/WAN will be using the new DNS server(s) in VLAN3, so VLAN1 dns isn't necessary so much. But it still needs to be there for itself right?

I guess another option is to have VLAN3 the Primary of domain.com and create all of the subdomains on there including child.domain.com and make all DNS servers on VLAN1/2 secondary servers rather than AD integrated. Is DNS ok using NAT for this purpose?

One catch is that all DNS servers must be on Windows 2012.

Anyway, your feedback would be greatly appreciated.
Mahesh (Architect) Commented:
See, in reality you require traffic to flow from VLAN 1 and 2 to VLAN 3.

Your traffic will never flow from VLAN 3 to VLAN 1 and 2.

Because those zones are read-only zones (secondary), traffic will never flow from VLAN 3 to VLAN 1 and 2.

However, you do require bi-directional ports opened between both DNS servers, as the VLAN3 servers should be able to poll the VLAN 1 and 2 DNS servers to fetch the DNS zones.
Likewise, VLAN 1 and 2 should be able to notify the VLAN3 DNS servers of zone updates.

If bi-directional port opening is a problem, then you need to export the zones from the VLAN 1 and 2 servers and import \ create standard primary zones on the VLAN 3 DNS servers, the same as on VLAN 1 and 2.

Still, it will achieve what you are looking for.

In that case the only thing you need to do is manually update the VLAN3 DNS zones in case any records change in VLAN 1 and 2.

Do you want a 3rd domain, or what?

Also, why do you require NAT to communicate with the 3rd domain?

Does it need to be accessed through the internet?

Sorry, but the question is not clear to me.

Your comment:
VLAN3 will be created.
It will not have any outgoing communication with either VLAN1/2
VLAN1/2 can communicate to VLAN3 using NAT
The DNS zone 'domain.com' and several subdomains 'subdomain1.domain.com', 'subdomain2.domain.com', etc need to be hosted on this newly built workgroup DNS server in VLAN3.

Are domain.com and subdomain1.domain.com referring to VLAN 1 and VLAN 2?

If a dedicated Active Directory is not required in the VLAN3 location, then you can simply have a workgroup server in the VLAN3 location and create standard primary zones for domain.com \ subdomain1.domain.com and so on.
If your communication between VLAN1\2 and VLAN3 is over NAT, then you need to put the NATted IPs of the VLAN1 and VLAN2 domain controllers in the DNS zones of the VLAN3 server.

lltc78 (Author) Commented:
No, no other AD domains wanted. Just DNS subdomains.

It's not the internet but for CGN to be shared between other networks.

No, domain.com and subdomain1.domain.com are needed on VLAN3, but hosts on this network are not able to make a connection to hosts in VLAN1/2

CGN refers to common group network, I hope.

So you mean:

You want DNS zones in VLAN3 with the same names and resources as VLAN1 and VLAN2, and at the same time users cannot access VLAN1 and 2 hosts from there.

So, what records will be contained in the VLAN3 domain.com and subdomains?
Do you want to put DNS entries on workstations and servers in VLAN1 and 2 pointing to the VLAN3 DNS servers, and should they get resolved to VLAN1 and 2 as appropriate?
You can play with DNS like you want...

Sorry, but I am still unable to understand the exact requirement here; if you could please tell us what exactly you are looking for, I can help.

lltc78 (Author) Commented:
That's pretty much what I want.
So basically VLAN1 (domain.com) and VLAN2 (child.domain.com) are more for internal use, and trusted. VLAN3 is shared for all other private networks to use as their DNS server, but it needs to host domain.com for them, and subdomain.domain.com.

The child.domain.com computers need to resolve hostnames from both domain.com/child.domain.com which is hosted in VLAN3.

I assume the domain members/computers in child.domain.com will use their Domain Controllers as their DNS server. But can those DC's forward to VLAN3 DNS servers which hosts domain.com without affecting the Domain Forest? Does the child domain need communication to the forest root domain in any way, and does it need dns for this?

See, in VLAN1 and 2 DNS name resolution will work as below:

The child domain will have conditional forwarding set in DNS on the child domain DCs for resolving queries in the parent domain.
The parent domain has a DNS delegation towards the child domain to resolve DNS queries for the child domain in the parent domain.

Now, when you have DNS installed in VLAN1 and 2, why would you require DNS in VLAN3?
It's always best practice to use native DNS servers.

Your comment:
The child.domain.com computers need to resolve hostnames from both domain.com/child.domain.com which is hosted in VLAN3.

It looks like the child.domain.com computers remain in VLAN2, correct?
In that case, why will they look for VLAN3 DNS servers when their DNS server exists in the same VLAN (VLAN2)?

Just a quick question:
Why do you want to put VLAN3 and DNS servers in that VLAN when your native VLANs are there with native DNS servers?
Do you have any client computers belonging to the parent domain (VLAN1) and child domain (VLAN2) placed in VLAN3 that need to get authenticated through the appropriate domain controllers? ...I mean, is this your exact requirement?

Sorry, I am still unable to understand what your goal is and what you are trying to achieve.

lltc78 (Author) Commented:
I have tried explaining it the best I can.

VLAN3 is needed to host the DNS servers that contain domain.com/subdomain1.domain.com/subdomain2.domain.com for all other networks. These networks are separated for different clients to use. The client networks need a dns server to resolve to. The ONLY dns server they will be able to access is on VLAN3.

This DNS server will have all of these other subdomains in it. These subdomains will not be on any other dns server. ONLY in VLAN3. This is not part of an AD domain. It just needs to provide name resolution for the domain.com zone and subdomains that the clients need access to.

Can I remove that conditional forwarding from the child domain so that it does not resolve to the parent domain?

The only authentication required is from computers in VLAN1/2 to their respective domain controller. No domain members will be in VLAN3. It's not a domain, it's just a network that will host workgroup servers, and host DNS (non-AD integrated)

VLAN1/2 already exists. Both VLANs were built using the domain.com name and child.
They are both AD domains. These are the ONLY AD domains. They are to be used internally only. No client needs access to them, nor will they get it.

Since subdomain1.domain.com and subdomain2.domain.com will ONLY be on the workgroup dns server (VLAN3), the child.domain.com computers need to resolve those hostnames, just the same as every other client.

You don't have to remove the conditional forwarder in the child domain; doing so would bring down name resolution between the child domain and the parent domain in VLAN 1 and 2.
It is also required for problem-free logon between the parent and child domain.

Now, to do what you are trying to do, just have one \ two workgroup servers in VLAN3 and install the DNS role on those servers.

From your VLAN 1 and 2 DNS servers (DCs), enable TCP 53 bi-directionally towards the VLAN3 workgroup DNS servers (the two above).

Now enable zone transfer on the parent zone and all required child zones in both the parent and child domain in VLAN1 and 2, and allow zone transfer to the workgroup DNS servers in VLAN3.

Now create secondary zones on both workgroup DNS servers for every primary zone where you have enabled zone transfer in VLAN1 and 2.

Now the workgroup member servers in VLAN3 should point to these two workgroup DNS servers for name resolution.

Note that you must enable the DNS suffix search list on all workgroup servers' network card properties (advanced DNS configuration setting) and specify all domain names there, so that the servers can get name resolution for the respective domain resources.

Also, you have to open the appropriate application ports from the VLAN3 servers to VLAN1 and 2 for resource access.
For example, if the resources are web servers, you must open ports 80 and 443 from the VLAN3 segment to the VLAN1 and 2 web servers.

lltc78 (Author) Commented:
That is one of the methods I wanted to do, but I have since been informed that I can't have bidirectional between 1/2 and 3. There is no traffic allowed to originate from VLAN3 towards 1/2. That's the problem I have.

I need a solution that doesn't involve VLAN3 sending any outgoing traffic to VLAN1/2.

lltc78 (Author) Commented:
I had the same thoughts, and discussion with network/security teams ended with me losing. I just cannot get bi-directional ports opened.

I came to the same conclusion overnight and figured manual zone exports would be needed. I was hoping for another way, but I guess I'm restricted.

Thanks for your help
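As an added example (not code from the thread or from either participant), here is the manual export-and-load refresh Mahesh describes for the case where nothing may originate in VLAN3, driven entirely from the VLAN1 side and including the NATted-address rewrite he mentions. Assumptions: the DC name DC01, the NAT address 192.0.2.53 and the NAT map are placeholders; both Windows 2012 servers have the DnsServer PowerShell module; WinRM from VLAN1 to the VLAN3 server's NAT address is allowed, with that address in TrustedHosts and a local admin credential on the workgroup server.

```powershell
# Added example, not from the thread. Refresh domain.com on the VLAN3 workgroup DNS
# server from the VLAN1 DC. Every connection is opened from the VLAN1 side (WinRM to
# the VLAN3 server's NAT address), so no traffic originates in VLAN3.
$SourceDns = 'DC01'         # assumed: VLAN1 DC holding the AD-integrated zone
$TargetDns = '192.0.2.53'   # assumed: NAT address of the VLAN3 workgroup DNS server
$Cred      = Get-Credential "$TargetDns\Administrator"   # workgroup local admin
$Zones     = @('domain.com')                             # add other exported zones here
# Real address -> address reachable from VLAN3 through NAT (assumed values).
$NatMap    = @{ '10.1.0.10' = '192.0.2.10' }

foreach ($zone in $Zones) {
    $file = "$zone.dns"

    # 1. Write the AD-integrated zone to a standard zone file in %SystemRoot%\System32\dns
    #    on the DC, then read it back over the DC's admin$ share (domain credentials, VLAN1 only).
    Export-DnsServerZone -Name $zone -FileName $file -ComputerName $SourceDns
    $text = Get-Content "\\$SourceDns\admin$\System32\dns\$file" -Raw

    # 2. On the VLAN3 server: drop any previous copy of the zone, write the new file,
    #    load it as a standard primary zone, then rewrite A records to their NAT addresses.
    Invoke-Command -ComputerName $TargetDns -Credential $Cred -ArgumentList $zone,$file,$text,$NatMap -ScriptBlock {
        param($zone, $file, $text, $NatMap)
        if (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue) {
            Remove-DnsServerZone -Name $zone -Force
        }
        Set-Content -Path "$env:SystemRoot\System32\dns\$file" -Value $text
        Add-DnsServerPrimaryZone -Name $zone -ZoneFile $file -LoadExisting

        foreach ($old in Get-DnsServerResourceRecord -ZoneName $zone -RRType A) {
            $ip = $old.RecordData.IPv4Address.IPAddressToString
            if ($NatMap.ContainsKey($ip)) {
                $new = $old.Clone()
                $new.RecordData.IPv4Address = [System.Net.IPAddress]$NatMap[$ip]
                Set-DnsServerResourceRecord -ZoneName $zone -OldInputObject $old -NewInputObject $new
            }
        }
    }

    # 3. Check: the record count on both sides should match; a mismatch means the export
    #    or the load was incomplete and the VLAN3 copy should not be relied on yet.
    $src = @(Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $SourceDns).Count
    $dst = Invoke-Command -ComputerName $TargetDns -Credential $Cred -ArgumentList $zone -ScriptBlock {
        param($zone) @(Get-DnsServerResourceRecord -ZoneName $zone).Count
    }
    "{0}: {1} records on {2}, {3} on {4}" -f $zone, $src, $SourceDns, $dst, $TargetDns
}
```

Run it again whenever records change in VLAN1/2; because the VLAN3 zone is a standard primary rebuilt from the file, there is no transfer or notify traffic in either direction.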
lltc78 (Author) Commented:
Very active with the responses, and detailed in answers.