DNS split - the right way?

Posted on 2014-04-14
Last Modified: 2014-04-14
Hey guys,

I have what I believe to be a dilemma regarding a new DNS environment I need to build.

Currently we have a Forest Root domain '' with AD integrated DNS.
It is on VLAN1.
The only computers that are members of this domain are 2x Domain Controllers.
It does have a few A records for services using the dns zone.

We also have on VLAN2.
It has AD integrated DNS.
It is the domain that most computers are members of and they use the domain controllers in this domain as their DNS servers.

Both VLAN1 and VLAN2 have full bi-directional communication with each other.
The DC's in the parent have a delegation of displayed in their DNS server zone.

This is all working fine, however I need to add a workgroup server using the same top-level domain without causing conflict.

VLAN3 will be created.
It will not have any outgoing communication with either VLAN1/2
VLAN1/2 can communicate to VLAN3 using NAT
The DNS zone '' and several subdomains '', '', etc need to be hosted on this newly built workgroup DNS server in VLAN3.

My original thinking was that I would just convert to a Primary DNS server on VLAN1 and then create the Secondary DNS servers on VLAN3, but then I was informed that it couldn't communicate to the Primary.

I then thought maybe I could create the new Primary in VLAN3 and then convert VLAN1 to a secondary, but then I couldn't create a delegate on VLAN3 of

If I create a new DNS Primary zone '' on VLAN3, can I create a forwarder on the to point to the new Primary domain for all resolution? Would that impact domain services at all since it is a child of the forest root?

The thing is, all other services across every VLAN in the LAN/WAN will be using the new DNS server(s) in VLAN3, so VLAN1 dns isn't necessary so much. But it still needs to be there for itself right?

I guess another option is to have VLAN3 be the Primary of and create all of the subdomains on there including and make all DNS servers on VLAN1/2 secondary servers rather than AD integrated. Is DNS ok using NAT for this purpose?

One catch is that all DNS servers must be on Windows 2012.

Anyway, your feedback would be greatly appreciated.
Question by:lltc78
LVL 37

Expert Comment

ID: 39998473
Do you want a 3rd domain, or what?

Also, why do you require NAT to communicate with the 3rd domain?

Does it need to be accessed through the internet?

Sorry, but the question is not clear to me.

Your comment:
VLAN3 will be created.
It will not have any outgoing communication with either VLAN1/2
VLAN1/2 can communicate to VLAN3 using NAT
The DNS zone '' and several subdomains '', '', etc need to be hosted on this newly built workgroup DNS server in VLAN3. And referring to VLAN 1 and VLAN2?

If a dedicated Active Directory is not required in the VLAN3 location, then you can simply have a workgroup server in VLAN3 and create standard primary zones pointing to \ and so on.
If your communication between VLAN1\2 and VLAN3 is over NAT, then you need to put the NATted IPs of the VLAN1 and VLAN2 domain controllers in the DNS zones of the VLAN3 server.


Author Comment

ID: 39998567
No, no other AD domains wanted. Just DNS subdomains.

It's not the internet, but for CGN to be shared between other networks.

No, and are needed on VLAN3, but hosts on this network are not able to make a connection to hosts in VLAN1/2.
LVL 37

Expert Comment

ID: 39998593
CGN refers to common group network, I hope.

So you mean:

You want DNS zones in VLAN3 with the same names and resources as VLAN1 and VLAN2, and at the same time users cannot access VLAN1 and 2 hosts from there.

So, what records will be contained in VLAN3 and its subdomains?
Do you want to put DNS entries on workstations and servers in VLAN1 and 2 pointing to the VLAN3 DNS servers, and have them resolved to VLAN1 and 2 as appropriate?
You can play with DNS like you want...

Sorry, but I am still unable to understand the exact requirement here. If you could please tell us what exactly you are looking for, I can help.


Author Comment

ID: 39998635
That's pretty much what I want.
So basically VLAN1 ( and VLAN2 ( are more for internal use, and trusted. VLAN3 is shared for all other private networks to use as their DNS server, but it needs to host for them, and

The computers need to resolve hostnames from both which is hosted in VLAN3.

I assume the domain members/computers in will use their Domain Controllers as their DNS server. But can those DC's forward to VLAN3 DNS servers which hosts without affecting the Domain Forest? Does the child domain need communication to the forest root domain in any way, and does it need dns for this?
LVL 37

Expert Comment

ID: 39998747
See, in VLAN1 and 2, DNS name resolution will work as below:

The child domain will have conditional forwarding set in DNS on the child domain DCs for resolving queries in the parent domain.
The parent domain has a DNS delegation towards the child domain to resolve DNS queries for the child domain in the parent domain.

Now, when you have DNS installed in VLAN1 and 2, why would you require DNS in VLAN3?
It's always best practice to use native DNS servers.

Your Comment:
The computers need to resolve hostnames from both which is hosted in VLAN3.

It looks like the computers remain in VLAN2, correct?
In that case, why would they look for VLAN3 DNS servers when their DNS server exists in the same VLAN (VLAN2)?

Just a quick question:
Why do you want to put VLAN3 and DNS servers in that VLAN when your native VLANs are there with native DNS servers?
Do you have any client computers belonging to the parent domain (VLAN1) and child domain (VLAN2) placed in VLAN3 that need to get authenticated through the appropriate domain controllers? I mean, is this your exact requirement?

Sorry, I am still unable to understand what your goal is and what you are trying to achieve.


Author Comment

ID: 39998774
I have tried explaining it the best I can.

VLAN3 is needed to host the DNS servers that contain for all other networks. These networks are separated for different clients to use. The client networks need a dns server to resolve to. The ONLY dns server they will be able to access is on VLAN3.

This DNS server will have all of these other subdomains in it. These subdomains will not be on any other dns server. ONLY in VLAN3. This is not part of an AD domain. It just needs to provide name resolution for the zone and subdomains that the clients need access to.

Can I remove that conditional forwarding from the child domain so that it does not resolve to the parent domain?

The only authentication required is from computers in VLAN1/2 to their respective domain controller. No domain members will be in VLAN3. It's not a domain, it's just a network that will host workgroup servers, and host DNS (non-AD integrated)

VLAN1/2 already exists. Both VLANs were built using the name and child.
They are both AD domains. These are the ONLY AD domains. They are to be used internally only. No client needs access to them, nor will they get it.

Since and will ONLY be on the workgroup dns server (VLAN3), the computers need to resolve those hostnames, just the same as every other client.
LVL 37

Expert Comment

ID: 39998892

You don't have to remove the conditional forwarder in the child domain; that would bring down name resolution between the child domain and parent domain in VLAN 1 and 2.
It is also required for problem-free login between the parent and child domain.

Now, to do what you are trying to do, just have one \ two workgroup servers in VLAN3 and install the DNS role on those servers.

From your VLAN 1 and 2 DNS servers (DCs), enable TCP 53 bi-directionally towards the VLAN3 workgroup DNS servers (the above two).

Now enable zone transfer on the parent zone and all required child zones in both the parent and child domain in VLAN1 and 2, and allow zone transfer to the workgroup DNS servers in VLAN3.

Now create secondary zones on both workgroup DNS servers for every primary zone where you have enabled zone transfer in VLAN1 and 2.

Now the workgroup member servers in VLAN3 should point to these two workgroup DNS servers for name resolution.

Note that you must enable the DNS suffix search list on all workgroup servers' network card properties (advanced DNS configuration setting) and specify all domain names there so that the servers can get name resolution for the respective domain resources.

Also, you have to open the appropriate application ports from VLAN3 servers to VLAN1 and 2
for resource access.
For example, if the resources are web servers, you must open ports 80 and 443 from the VLAN3 segment to the VLAN1 and 2 segment web servers.


Author Comment

ID: 39998915
That is one of the methods I wanted to do, but I have since been informed that I can't have bidirectional between 1/2 and 3. There is no traffic allowed to originate from VLAN3 towards 1/2. That's the problem I have.

I need a solution that doesn't involve VLAN3 sending any outgoing traffic to VLAN1/2.
LVL 37

Accepted Solution

Mahesh earned 500 total points
ID: 39999428
See, in reality you require traffic to flow from VLAN 1 and 2 to VLAN 3.

Your traffic will never flow from VLAN 3 to VLAN 1 and 2.

Because those zones are read-only zones (Secondary), it will never flow from VLAN 3 to VLAN 1 and 2.

However, you do require a bi-directional port opened between both DNS servers, as the VLAN3 servers should be able to poll the VLAN 1 and 2 DNS servers for fetching DNS zones.
Likewise, VLAN 1 and 2 should be able to notify zone updates to the VLAN3 DNS servers.

If bi-directional port opening is a problem, then you need to export the zones from the VLAN 1 and 2 servers and import \ create standard primary zones, the same as in VLAN1 and 2, on the VLAN 3 DNS servers.

It will still achieve what you are looking for.

In that case, the only thing you need to do is manually update the VLAN3 DNS zones in case any records change in VLAN 1 and 2.
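The two options in this answer (secondary zones fed by zone transfer, or a one-way export/import into standard primary zones), as added example commands that are not part of the original thread. Zone names and IP addresses are placeholders, and the DnsServer and DnsClient PowerShell modules shipped with Windows Server 2012 are assumed.

```powershell
# Added example (not from the thread). Placeholders: replace zone names and IPs.
$ParentZone = 'parent.example'            # placeholder for the forest root zone
$ChildZone  = "child.$ParentZone"         # placeholder for the child domain zone
$Vlan3Dns   = '10.3.0.10', '10.3.0.11'    # placeholder: the two VLAN3 workgroup DNS servers
$Vlan1DcNat = '192.0.2.10'                # placeholder: NATted address of a VLAN1 DC as seen from VLAN3

# --- Option A: secondary zones (needs TCP 53 from VLAN3 to VLAN1/2 for AXFR/IXFR) ---
# On the VLAN1 DC: allow transfers only to the VLAN3 servers and notify them of changes.
Set-DnsServerPrimaryZone -Name $ParentZone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $Vlan3Dns `
    -Notify NotifyServers -NotifyServers $Vlan3Dns

# On each VLAN3 workgroup server: pull the zone from the DC's NATted address.
# A secondary zone is read-only, so nothing in VLAN3 can modify the AD-integrated data.
Add-DnsServerSecondaryZone -Name $ParentZone -ZoneFile "$ParentZone.dns" `
    -MasterServers $Vlan1DcNat

# --- Option B: one-way export/import (no traffic originating in VLAN3) ---
# On the VLAN1 DC: dump the AD-integrated zone to %SystemRoot%\System32\dns\<file>.
Export-DnsServerZone -Name $ParentZone -FileName "$ParentZone.dns"

# Copy the file to the VLAN3 server; the copy is initiated from VLAN1, so the
# VLAN1 -> VLAN3 NAT path is enough (admin$ share assumed reachable).
Copy-Item "$env:SystemRoot\System32\dns\$ParentZone.dns" `
    -Destination "\\$($Vlan3Dns[0])\admin`$\System32\dns\"

# On the VLAN3 server: create a standard primary zone from the copied file.
# Repeat the export/copy whenever records change in VLAN1/2 (manual refresh).
Add-DnsServerPrimaryZone -Name $ParentZone -ZoneFile "$ParentZone.dns" -LoadExisting

# Workgroup servers in VLAN3: point at the VLAN3 DNS servers and set the suffix
# search list so short names in both zones resolve. 'Ethernet' is a placeholder alias.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $Vlan3Dns
Set-DnsClientGlobalSetting -SuffixSearchList @($ParentZone, $ChildZone)
```

Repeat the Set-DnsServerPrimaryZone / Export-DnsServerZone step on the VLAN2 DC for $ChildZone; the child zone lives there, not on the forest root DCs.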


Author Comment

ID: 40000241
I had the same thoughts, and the discussion with the network/security teams ended with me losing. I just cannot get bi-directional ports opened.

I came to the same conclusion overnight and figured manual zone exports would be needed. I was hoping for another way, but I guess I'm restricted.

Thanks for your help

Author Closing Comment

ID: 40000246
Very active with the responses, and detailed in answers.
