Solved

DNS resolution across domains

Posted on 2015-02-04
Medium Priority
174 Views
Last Modified: 2015-04-08
I have 2 domains. PRODUCTION.COM is one domain and TEST.COM is another domain. There is a one-way trust, allowing PRODUCTION.COM users to have access to TEST.COM. I have a particularly weird issue with DNS that I cannot explain. I have two DNS servers for each domain. The client machines on TEST.COM use the TEST.COM DNS servers for DNS resolution. On the TEST.COM DNS server, I have forward lookup zones for both TEST.COM and PRODUCTION.COM. Each DNS server in TEST.COM has forwarders configured to the PRODUCTION.COM DNS servers. The DHCP server is sending option 015 to each client machine with the value TEST.COM and nothing else. Users are reporting that at one point, users connected to client machines within TEST.COM could resolve short names for hosts in PRODUCTION.COM. An example of this may be SITE1 would automatically resolve to SITE1.PRODUCTION.COM. From my knowledge of DNS, I cannot figure out how the user was able to resolve PRODUCTION.COM DNS names by short name without a FQDN. The user's NIC and DNS settings are all default; they are not statically mapping the DNS suffixes in their NIC configuration. Apparently this functionality just stopped working, but as far as I can tell the configuration does not support their claims that it used to resolve short-hand DNS names. What could potentially be enabled to allow the user to resolve these names via short hand? Obvious answers would be if option 15 was manipulated to push PRODUCTION.COM as the DNS suffix, the server was joined to PRODUCTION.COM instead of TEST.COM, or their NIC settings had a manual mapping to PRODUCTION.COM.
Question by:jbla9028
4 Comments
 
LVL 41

Expert Comment

by:footech
ID: 40589546
Perhaps with NetBIOS broadcasts?  That would depend on your network topology though.

My question would be do you really want this to happen?  If someone wants to access a machine in another domain I say they should have to use the FQDN.

There could have been a CNAME entry in the TEST.COM zone that pointed to an entry in the PRODUCTION.COM zone.  You can configure multiple DNS suffixes to search with Group Policy.  You would not want to change DHCP Option 15.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 40590220
I agree that I do not want this. The test team is arguing that a change was recently made to prevent previous functionality. I am more curious as to what caused it to work in the first place. I thought it could be a NetBIOS broadcast. I have some more info that was perplexing. If I have a client machine that belongs to PRODUCTION.COM but is in a VLAN that uses DHCP and option 015 for TEST.COM is propagated, and the DNS servers are pointing to the DNS servers for TEST.COM, the client machine can actually resolve both PRODUCTION.COM and TEST.COM. I ran Wireshark and the trace shows the client machine actually sent a request for SITE1.PRODUCTION.COM, even though I asked to resolve just SITE1.
0
 
LVL 27

Accepted Solution

by:DrDave242 (earned 1000 total points)
ID: 40591319
If that client is a member of the PRODUCTION.COM domain, it's normal for it to use that domain name as its primary DNS suffix, so it will be one of its search suffixes. If you run ipconfig /all on the client and look near the top of the output, what's listed in the DNS Suffix Search List?
0
 
LVL 18

Assisted Solution

by:Learnctx (earned 1000 total points)
ID: 40592468
Could it be LLMNR resolution (Local Link Multicast Name Resolution), which machines can use when a DNS server is not available or unable to resolve a name? Otherwise, do you have a WINS server around anywhere? The easiest thing to do would be to capture the DNS traffic and have a look in Wireshark at how the request is being answered.
0
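The two answers above point at the same diagnostic: work out which suffixes the Windows DNS client appends to a short name (primary DNS suffix from domain membership, devolution, connection-specific suffix from DHCP option 15, or a policy-set search list), test each candidate with DNS only, and then check whether LLMNR, NetBIOS or WINS could answer a short name that DNS does not. The script below is an added example written for this thread, not code posted by any participant. It assumes a Windows 8 / Server 2012 or later client with the DnsClient module, uses the constructed host name SITE1 from the question, and approximates devolution (parent suffixes down to DevolutionLevel labels, with 0 treated as the default of 2) rather than reproducing the resolver exactly.

```powershell
# Added diagnostic (not from the thread). Run in an elevated PowerShell on the
# client that shows the unexpected short-name behaviour.
param(
    [string]$ShortName = 'SITE1'   # constructed sample host name from the question
)

function Get-SuffixCandidates {
    $global  = Get-DnsClientGlobalSetting
    $primary = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain

    # A configured suffix search list (GPO or manual) replaces the primary and
    # connection-specific suffixes entirely.
    if ($global.UseSuffixSearchList -and $global.SuffixSearchList) {
        foreach ($s in $global.SuffixSearchList) {
            [pscustomobject]@{ Suffix = $s; Source = 'SuffixSearchList (policy/manual)' }
        }
        return
    }

    if ($primary) {
        # Domain membership: a PRODUCTION.COM member tries NAME.PRODUCTION.COM first.
        [pscustomobject]@{ Suffix = $primary; Source = 'Primary DNS suffix (domain membership)' }
        if ($global.UseDevolution) {
            # Approximation of devolution: walk up parent domains while at least
            # DevolutionLevel labels remain (0 = default, treated here as 2).
            $level  = if ($global.DevolutionLevel -gt 0) { $global.DevolutionLevel } else { 2 }
            $labels = $primary.Split('.')
            for ($i = 1; ($labels.Count - $i) -ge $level; $i++) {
                [pscustomobject]@{ Suffix = ($labels[$i..($labels.Count - 1)] -join '.'); Source = 'Devolution' }
            }
        }
    }
    # Connection-specific suffix is what DHCP option 15 sets per adapter.
    foreach ($nic in Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix }) {
        [pscustomobject]@{ Suffix = $nic.ConnectionSpecificSuffix
                           Source = "Connection-specific (DHCP option 15) on $($nic.InterfaceAlias)" }
    }
}

function Test-ShortNameResolution {
    param([string]$Name)
    foreach ($c in Get-SuffixCandidates) {
        $fqdn = "$Name.$($c.Suffix)"
        try {
            # -DnsOnly skips LLMNR/NetBIOS so only the DNS path is being tested.
            $r = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -NoHostsFile -ErrorAction Stop
            $addrs = ($r | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress) -join ','
            [pscustomobject]@{ Tried = $fqdn; Source = $c.Source; Result = $addrs }
        } catch {
            [pscustomobject]@{ Tried = $fqdn; Source = $c.Source; Result = 'no answer / NXDOMAIN' }
        }
    }
}

function Get-FallbackResolvers {
    # LLMNR is on unless the DNSClient policy EnableMulticast is set to 0.
    $llmnr = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                 -Name EnableMulticast -ErrorAction SilentlyContinue
    $llmnrState = if ($null -eq $llmnr) { 'Enabled (no policy set)' }
                  elseif ($llmnr.EnableMulticast -eq 0) { 'Disabled by policy' }
                  else { 'Enabled by policy' }

    # NetBIOS over TCP/IP state and configured WINS server per IP-enabled adapter.
    $netbios = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' | ForEach-Object {
        $state = switch ($_.TcpipNetbiosOptions) {
            0 { 'Default (DHCP-controlled)' } 1 { 'Enabled' } 2 { 'Disabled' }
        }
        "$($_.Description): NetBIOS over TCP/IP $state; WINS primary: $($_.WINSPrimaryServer)"
    }
    [pscustomobject]@{ LLMNR = $llmnrState; NetBIOS = $netbios }
}

Get-SuffixCandidates          | Format-Table Suffix, Source -AutoSize
Test-ShortNameResolution -Name $ShortName | Format-Table -AutoSize
Get-FallbackResolvers         | Format-List
```

Reading the output: if the Suffix list shows PRODUCTION.COM under "Primary DNS suffix", the behaviour the test team saw was domain membership, exactly as DrDave242 describes, and no DHCP or NIC change is involved. If every DNS candidate returns no answer but the short name still resolves in a normal lookup, LLMNR or NetBIOS is supplying it, which is what Learnctx's comment points at, and a Wireshark capture filtered on UDP 5355 (LLMNR) and UDP 137 (NetBIOS name service) will show the responder. From a hardening standpoint, the fallback section is also the place to confirm that LLMNR and NetBIOS name resolution are disabled where they are not needed.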
