Solved

DNS resolution across domains

Posted on 2015-02-04
4
158 Views
Last Modified: 2015-04-08
I have 2 domains. PRODUCTION.COM is one domain and TEST.COM is another domain. There is a one-way trust, allowing PRODUCTION.COM users to have access to TEST.COM. I have a particularly weird issue with DNS that I cannot explain. I have two DNS servers for each domain. The client machines on TEST.COM use the TEST.COM DNS servers for DNS resolution. On the TEST.COM DNS server, I have forward lookup zones for both TEST.COM and PRODUCTION.COM. Each DNS server in TEST.COM has forwarders configured to the PRODUCTION.COM DNS servers. The DHCP server is sending option 015 to each client machine with the value TEST.COM and nothing else. Users are reporting that at one point, users connected to client machines within TEST.COM could resolve short names for hosts in PRODUCTION.COM. An example of this may be SITE1, which would automatically resolve to SITE1.PRODUCTION.COM. From my knowledge of DNS, I cannot figure out how the user was able to resolve PRODUCTION.COM DNS names by short name without a FQDN. The user's NIC and DNS settings are all default; they are not statically mapping the DNS suffixes in their NIC configuration. Apparently this functionality just stopped working, but as far as I can tell the configuration does not support their claim that it used to resolve short DNS names. What could potentially be enabled to allow the user to resolve these names by short name? Obvious answers would be if option 015 was manipulated to push PRODUCTION.COM as the DNS suffix, the machine was joined to PRODUCTION.COM instead of TEST.COM, or their NIC settings had a manual mapping to PRODUCTION.COM.
Question by:jbla9028
4 Comments
 
LVL 39

Expert Comment

by:footech
ID: 40589546
Perhaps with NetBIOS broadcasts?  That would depend on your network topology though.

My question would be do you really want this to happen?  If someone wants to access a machine in another domain I say they should have to use the FQDN.

There could have been a CNAME entry in the TEST.COM zone that pointed to an entry in the PRODUCTION.COM zone.  You can configure multiple DNS suffixes to search with Group Policy.  You would not want to change DHCP Option 15.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 40590220
I agree that I do not want this. The test team is arguing that a change was recently made to prevent previous functionality. I am more curious as to what caused it to work in the first place. I thought it could be a NetBIOS broadcast. I have some more info that was perplexing. If I have a client machine that belongs to PRODUCTION.COM but is in a VLAN that uses DHCP and option 015 for TEST.COM is propagated, and the DNS servers are pointing to the DNS servers for TEST.COM, the client machine can actually resolve both PRODUCTION.COM and TEST.COM. I ran Wireshark and the trace shows the client machine actually sent a request for SITE1.PRODUCTION.COM, even though I asked to resolve just SITE1.
0
 
LVL 26

Accepted Solution

by:DrDave242
DrDave242 earned 250 total points
ID: 40591319
If that client is a member of the PRODUCTION.COM domain, it's normal for it to use that domain name as its primary DNS suffix, so it will be one of its search suffixes. If you run ipconfig /all on the client and look near the top of the output, what's listed in the DNS Suffix Search List?
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 40592468
Could it be LLMNR resolution (Local Link Multicast Name Resolution), which machines can use when a DNS server is not available or unable to resolve a name? Otherwise, do you have a WINS server around anywhere? The easiest thing to do would be to capture the DNS traffic and have a look in Wireshark at how the request is being answered.
0
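The checks the answers above ask for (primary DNS suffix and search list from DrDave242's answer, the Group Policy search list from footech's, and the LLMNR/NetBIOS fallbacks from Learnctx's) can be gathered in one pass on the client. The script below is an added example, not code from this thread; SITE1 is the hypothetical host name from the question, and the registry values under the DNSClient policy key are the ones the DNS client Group Policy settings write.

```powershell
# Added diagnostic (not from the thread): show where a short name such as SITE1
# gets its suffix from on a Windows client, and which non-DNS fallbacks could
# answer it instead. Run in an elevated PowerShell on the affected client
# (the DnsClient cmdlets need Windows 8 / Server 2012 or later).
param(
    [string]$ShortName = 'SITE1'   # hypothetical host from the question
)

# 1. Domain membership decides the primary DNS suffix, which is always searched.
$cs     = Get-CimInstance -ClassName Win32_ComputerSystem
$global = Get-DnsClientGlobalSetting
"Computer domain             : $($cs.Domain)"
"Suffix search list          : $($global.SuffixSearchList -join ', ')"
"Devolution enabled / level  : $($global.UseDevolution) / $($global.DevolutionLevel)"

# 2. Connection-specific suffix (this is where DHCP option 015 lands) and the
#    DNS servers each interface actually queries.
Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix, RegisterThisConnectionsAddress |
    Format-Table -AutoSize
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

# 3. Group Policy overrides: a GPO-managed search list replaces the defaults,
#    and EnableMulticast = 0 is the policy setting that turns LLMNR off.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (Test-Path $policyKey) {
    $p = Get-ItemProperty -Path $policyKey
    "GPO SearchList              : $($p.SearchList)"
    "GPO EnableMulticast (LLMNR) : $($p.EnableMulticast)"
} else {
    "No DNSClient policy key present (search list is not GPO-managed)"
}

# 4. NetBIOS over TCP/IP per adapter (0 = use DHCP setting, 1 = enabled, 2 = disabled).
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = true' |
    Select-Object Description, TcpipNetbiosOptions |
    Format-Table -AutoSize

# 5. Resolve the short name through DNS only (suffix search still applies, so the
#    returned Name shows which suffix was appended, matching what Wireshark shows),
#    then through LLMNR/NetBIOS only, and compare.
$dnsOnly  = Resolve-DnsName -Name $ShortName -Type A -DnsOnly -ErrorAction SilentlyContinue
$fallback = Resolve-DnsName -Name $ShortName -Type A -LlmnrNetbiosOnly -ErrorAction SilentlyContinue

if ($dnsOnly) {
    "DNS answered $ShortName as: $(($dnsOnly | Select-Object -First 1).Name)"
} else {
    "DNS did not resolve $ShortName with the current search list"
}
if ($fallback) {
    "LLMNR/NetBIOS answered $ShortName as: $(($fallback | Select-Object -First 1).Name) -> $(($fallback | Select-Object -First 1).IPAddress)"
    if (-not $dnsOnly) {
        "Short name is being satisfied only by a link-local fallback; confirm the answering host is the intended one."
    }
}
```

If step 5 shows a DNS answer whose Name ends in PRODUCTION.COM, the suffix came from the search list or primary suffix printed in steps 1 to 3, which is the explanation DrDave242's answer gives for a PRODUCTION.COM-joined client. If only the LLMNR/NetBIOS query answers, the earlier behaviour depended on a broadcast or multicast responder on the same segment rather than on DNS, which is worth treating as a finding in itself, since those fallbacks accept answers from any host on the link.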
