DNS split - the right way?

Posted on 2014-04-14
Medium Priority
Last Modified: 2014-04-14
Hi guys,

I have what I believe to be a dilemma regarding a new DNS environment I need to build.

Currently we have a Forest Root domain 'domain.com' with AD integrated DNS.
It is on VLAN1.
The only computers that are members of this domain are 2x Domain Controllers.
It does have a few A records for services using the domain.com dns zone.

We also have child.domain.com on VLAN2.
It has AD integrated DNS.
It is the domain that most computers are members of and they use the domain controllers in this domain as their DNS servers.

Both VLAN1 and VLAN2 have full bi-directional communication with each other.
The DCs in the parent domain.com have a delegation of child.domain.com displayed in their DNS server zone.

This is all working fine, however I need to add a workgroup server using the same top-level domain without causing conflict.

VLAN3 will be created.
It will not have any outgoing communication with either VLAN1/2
VLAN1/2 can communicate to VLAN3 using NAT
The DNS zone 'domain.com' and several subdomains 'subdomain1.domain.com', 'subdomain2.domain.com', etc need to be hosted on this newly built workgroup DNS server in VLAN3.

My original thinking was that I would just convert domain.com to a Primary DNS server on VLAN1 and then create the Secondary DNS servers on VLAN3, but then I was informed that it couldn't communicate to the Primary.

I then thought maybe I could create the new Primary in VLAN3 and then convert VLAN1 to a secondary, but then I couldn't create a delegation on VLAN3 for child.domain.com.

If I create a new DNS Primary zone 'domain.com' on VLAN3, can I create a forwarder on the child.domain.com to point to the new Primary domain for all domain.com resolution? Would that impact domain services at all since it is a child of the forest root?

The thing is, all other services across every VLAN in the LAN/WAN will be using the new DNS server(s) in VLAN3, so VLAN1 dns isn't necessary so much. But it still needs to be there for itself right?

I guess another option is to have VLAN3 the Primary of domain.com and create all of the subdomains on there including child.domain.com and make all DNS servers on VLAN1/2 secondary servers rather than AD integrated. Is DNS ok using NAT for this purpose?

One catch is that all DNS servers must be on Windows 2012.

Anyway, your feedback would be greatly appreciated.
Question by: lltc78
LVL 38

Expert Comment

ID: 39998473
Do you want a 3rd domain, or what?

Also, why do you require NAT to communicate with the 3rd domain?

Does it need to be accessed through the internet?

Sorry, but the question is not clear to me.

Your comment:
VLAN3 will be created.
It will not have any outgoing communication with either VLAN1/2
VLAN1/2 can communicate to VLAN3 using NAT
The DNS zone 'domain.com' and several subdomains 'subdomain1.domain.com', 'subdomain2.domain.com', etc need to be hosted on this newly built workgroup DNS server in VLAN3.

Are domain.com and subdomain1.domain.com referring to VLAN1 and VLAN2?

If a dedicated Active Directory is not required in the VLAN3 location, then you can simply have a workgroup server in the VLAN3 location and create standard primary zones for domain.com \ subdomain1.domain.com and so on.
If your communication between VLAN1\2 and VLAN3 is over NAT, then you need to put the NATted IPs of the VLAN1 and VLAN2 domain controllers in the DNS zones of the VLAN3 server.


Author Comment

ID: 39998567
No, no other AD domains wanted. Just DNS subdomains.

It's not the internet but for CGN to be shared between other networks.

No, domain.com and subdomain1.domain.com are needed on VLAN3, but hosts on this network are not able to make a connection to hosts in VLAN1/2.
LVL 38

Expert Comment

ID: 39998593
CGN refers to common group network, I hope.

So you mean:

You want DNS zones in VLAN3 with the same names and resources as VLAN1 and VLAN2, and at the same time users cannot access VLAN1 and 2 hosts from there.

So, what records will be contained in the VLAN3 domain.com and subdomains?
Do you want to put up DNS entries on workstations and servers in VLAN1 and 2 pointing to VLAN3 DNS servers, and should they get resolved to VLAN1 and 2 as appropriate?
You can play with DNS like you want...

Sorry, but I am still unable to understand the exact requirement here. If you could please tell us what exactly you are looking for, I can help.


Author Comment

ID: 39998635
That's pretty much what I want.
So basically VLAN1 (domain.com) and VLAN2 (child.domain.com) are more for internal use, and trusted. VLAN3 is shared for all other private networks to use as their DNS server, but it needs to host domain.com for them, and subdomain.domain.com.

The child.domain.com computers need to resolve hostnames from both domain.com/child.domain.com which is hosted in VLAN3.

I assume the domain members/computers in child.domain.com will use their Domain Controllers as their DNS server. But can those DC's forward to VLAN3 DNS servers which hosts domain.com without affecting the Domain Forest? Does the child domain need communication to the forest root domain in any way, and does it need dns for this?
LVL 38

Expert Comment

ID: 39998747
See, in VLAN1 and 2 DNS name resolution will work as below:

The child domain will have conditional forwarding set in DNS on the child domain DCs for resolving queries in the parent domain.
The parent domain has a DNS delegation towards the child domain to resolve DNS queries for the child domain in the parent domain.

Now, when you have DNS installed in VLAN1 and 2, why would you require DNS in VLAN3?
It's always best practice to use native DNS servers........

Your comment:
The child.domain.com computers need to resolve hostnames from both domain.com/child.domain.com which is hosted in VLAN3.

It looks like the child.domain.com computers remain in VLAN2, correct?
In that case, why would they look for VLAN3 DNS servers... when their DNS server exists in the same VLAN (VLAN2)?

Just a quick question:
Why do you want to put VLAN3 and DNS servers in that VLAN when your native VLANs are there with native DNS servers?
Do you have any client computers belonging to the parent domain (VLAN1) and child domain (VLAN2) placed in VLAN3 that need to get authenticated through the appropriate domain controllers?... I mean, is this your exact requirement?

Sorry, I am still unable to understand what your goal is and what you are trying to achieve.


Author Comment

ID: 39998774
I have tried explaining it the best I can.

VLAN3 is needed to host the DNS servers that contain domain.com/subdomain1.domain.com/subdomain2.domain.com for all other networks. These networks are separated for different clients to use. The client networks need a dns server to resolve to. The ONLY dns server they will be able to access is on VLAN3.

This DNS server will have all of these other subdomains in it. These subdomains will not be on any other dns server. ONLY in VLAN3. This is not part of an AD domain. It just needs to provide name resolution for the domain.com zone and subdomains that the clients need access to.

Can I remove that conditional forwarding from the child domain so that it does not resolve to the parent domain?

The only authentication required is from computers in VLAN1/2 to their respective domain controller. No domain members will be in VLAN3. It's not a domain, it's just a network that will host workgroup servers, and host DNS (non-AD integrated).

VLAN1/2 already exists. Both VLANs were built using the domain.com name and child.
They are both AD domains. These are the ONLY AD domains. They are to be used internally only. No client needs access to them, nor will they get it.

Since subdomain1.domain.com and subdomain2.domain.com will ONLY be on the workgroup dns server (VLAN3), the child.domain.com computers need to resolve those hostnames, just the same as every other client.
LVL 38

Expert Comment

ID: 39998892

You don't have to remove the conditional forwarder in the child domain; that will bring down name resolution between the child domain and parent domain in VLAN1 and 2.
It is also required for problem-free login between the parent and child domain.

Now, to do what you are trying to do, just have one or two workgroup servers in VLAN3 and install the DNS role on those servers.

From your VLAN1 and 2 DNS servers (DCs), enable TCP 53 bi-directionally towards the VLAN3 workgroup DNS servers (the two above).

Now enable zone transfer on the parent zone and all required child zones in both the parent and child domain in VLAN1 and 2, and allow zone transfer to the workgroup DNS servers in VLAN3.

Now create secondary zones on both workgroup DNS servers for every primary zone where you have enabled zone transfer in VLAN1 and 2.

Now the workgroup member servers in VLAN3 should point to these two workgroup DNS servers for name resolution.

Note that you must enable the DNS suffix search list on all workgroup servers' network card properties (advanced DNS configuration setting) and specify all domain names there so that the servers can get name resolution for the respective domain resources.

Also, you have to open the appropriate application ports from VLAN3 servers to VLAN1 and 2
for resource access.
For example, if the resources are web servers, you must open ports 80 and 443 from VLAN3 to the VLAN1 and 2 segment web servers.


Author Comment

ID: 39998915
That is one of the methods I wanted to do, but I have since been informed that I can't have bidirectional between 1/2 and 3. There is no traffic allowed to originate from VLAN3 towards 1/2. That's the problem I have.

I need a solution that doesn't involve VLAN3 sending anything outgoing to VLAN1/2.
LVL 38

Accepted Solution

Mahesh earned 2000 total points
ID: 39999428
See, in reality you require traffic to flow from VLAN1 and 2 to VLAN3.

Your traffic will never flow from VLAN3 to VLAN1 and 2.

Because those zones are read-only zones (Secondary), it will never flow from VLAN3 to VLAN1 and 2.

However, you do require a bi-directional port opened between both DNS servers, as the VLAN3 servers should be able to poll the VLAN1 and 2 DNS servers for fetching DNS zones.
Likewise, VLAN1 and 2 should be able to notify zone updates to the VLAN3 DNS servers.

If bi-directional port opening is a problem, then you need to export the zones from the VLAN1 and 2 servers and import \ create standard primary zones, the same as in VLAN1 and 2, on the VLAN3 DNS servers.

It will still achieve what you are looking for.

In that case, the only thing you need to do is manually update the VLAN3 DNS zones in case any records get changed in VLAN1 and 2.
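The two variants from the accepted answer, written out as Windows Server 2012 DnsServer/DnsClient cmdlets. This is an added example, not code from the thread; the addresses (10.0.1.10 for the VLAN1 DC, 10.0.2.10 for the VLAN2 DC, 10.0.3.10/.11 for the VLAN3 workgroup DNS servers) and the interface name "Ethernet" are placeholders.

```powershell
$vlan3Dns = '10.0.3.10', '10.0.3.11'   # assumed VLAN3 workgroup DNS servers

# ---- Variant A: secondary zones (only if TCP 53 is open in BOTH directions) ----
# On the VLAN1 DC (authoritative for domain.com). Repeat on a VLAN2 DC for child.domain.com.
# Restrict AXFR/IXFR to the two VLAN3 servers and push NOTIFY to them only.
Set-DnsServerPrimaryZone -Name 'domain.com' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $vlan3Dns `
    -Notify NotifyServers -NotifyServers $vlan3Dns

# On each VLAN3 workgroup DNS server: read-only copies pulled from the DCs.
Add-DnsServerSecondaryZone -Name 'domain.com'       -ZoneFile 'domain.com.dns'       -MasterServers '10.0.1.10'
Add-DnsServerSecondaryZone -Name 'child.domain.com' -ZoneFile 'child.domain.com.dns' -MasterServers '10.0.2.10'

# ---- Variant B: one-way only (VLAN3 may never initiate towards VLAN1/2) ----
# On the VLAN1 DC: dump the AD-integrated zone to %SystemRoot%\System32\dns\domain.com.dns.
Export-DnsServerZone -Name 'domain.com' -FileName 'domain.com.dns'
# Copy that file into the same folder on each VLAN3 server, pushed from VLAN1
# (the allowed direction). If VLAN1/2 hosts are reached through NAT, rewrite the
# A records in the file to the NATted addresses before loading it (see the earlier comment).

# On each VLAN3 workgroup DNS server: standard primary zone loaded from the copied file.
# Dynamic updates are disabled: the copy is maintained by hand after every change on the DCs.
Add-DnsServerPrimaryZone -Name 'domain.com' -ZoneFile 'domain.com.dns' -LoadExisting -DynamicUpdate None

# Subdomains that exist ONLY in VLAN3 are ordinary primary zones there (both variants).
foreach ($zone in 'subdomain1.domain.com', 'subdomain2.domain.com') {
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None
}

# ---- Workgroup member servers in VLAN3 (client side) ----
# Point resolution at the VLAN3 DNS servers and set the suffix search list the answer mentions,
# so that short names resolve across every hosted zone.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $vlan3Dns
Set-DnsClientGlobalSetting -SuffixSearchList 'domain.com', 'child.domain.com',
    'subdomain1.domain.com', 'subdomain2.domain.com'

# Check: confirm a VLAN3 server answers authoritatively for a record in the copied zone.
Resolve-DnsName -Name 'somehost.domain.com' -Type A -Server '10.0.3.10'
```

With Variant B, re-run Export-DnsServerZone and reload the zone on VLAN3 whenever a record changes on the DCs; nothing keeps the copies in sync automatically.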


Author Comment

ID: 40000241
I had the same thoughts, and discussion with the network/security teams ended with me losing. I just cannot get bi-directional ports opened.

I came to the same conclusion overnight and figured manual zone exports would be needed. I was hoping for another way, but I guess I'm restricted.

Thanks for your help

Author Closing Comment

ID: 40000246
Very active with the responses, and detailed in answers.
