bguilliams100

Two domains, same subnet. How to make DNS forward to the other domain.

Our firm is starting a small subsidiary company that must remain separate from our current company for compliance reasons.  There will only be 5 users in this new company.  They will be employees of our Firm (We will call this domain A and company A) and also employees of this separate entity (domain B and company B) and will split their time between the two.  

My thought process was to create a new domain for company B and also create virtual workstations for each of the 5 employees.  These virtual workstations will be in Domain B.  Staff will RDP into these virtual workstations from their machines in domain A to do work for company B.  For the most part they will be using e-mail, Internet and creating office documents on the company B virtual machines.  They will keep these RDP sessions minimized while working on Company A items and then switch to the RDP session for the company B virtual machine when they need to perform work for company B.

I built a new Windows 2012 server for company B and created a new domain, domain B.  This DC for company B is on the same subnet as the servers for company A.  We will not be using DHCP for any of the Company B machines, servers or workstations.  We will keep all of this static.

My question is how to configure DNS on domain A to allow name resolution to domain B?  Can I create a new zone on the domain A DNS server for Domain B and add static entries for each of the virtual machines in domain B?  This is really only needed to allow friendly names for the RDP sessions.  Should this be completed with forwarders on the domain A DNS server and if so how is this configured?  I only want requests on domain A for domain B to be forwarded to the Domain B DNS server.  I obviously don't want all DNS requests from domain A forwarded to domain B.

Thanks for your advice.
Andy M

I wouldn't have the two domains on the same subnet, especially if they have their own DCs - this could lead to all sorts of issues.

Have them on separate subnets and set up a trust between the two domains.

https://technet.microsoft.com/en-us/library/cc740018%28WS.10%29.aspx - creating trusts between 2 domains.
All you need to do for this configuration for DNS is add Domain A DNS server in the Zone Transfers Tab on the DNS server in domain B. Once you have done that, open DNS on Domain A and then create the new secondary Zone for Domain B. This will populate all of the A records from domain B.

You could also do forwarding as well rather than creating a secondary zone. But you still need to make sure that you have the DNS server from domain A listed in the Zone transfers tab on Domain B DNS zone.

See screenshot below.

Will.
"I wouldn't have the two domains on the same subnet, especially if they have their own DCs"

As long as the user is using static addresses in domain B (because he is only using 6 IPs: DC + 5 workstations) this should not be an issue. All you need to do is make sure that you have excluded these IPs from your DHCP server in domain A.

Will.
bguilliams100

ASKER

Thank you Will.  This is exactly what I want to accomplish but when I follow the steps outlined above I receive an error that states

"The DNS server encountered a problem while attempting to load the zone.  The transfer of Zone data from the master server failed."  

Also, when I created the secondary forward lookup zone on the Domain A DNS server, it displays the message "The server with this IP address (referring to IP of the DC for Domain B) is not authoritative for the required zone."  I also receive this same message on the Domain B DNS server after adding the Domain A DNS server to the allow zone transfers list.  I assume I need to make the DNS server for Domain A authoritative over the DNS zone for Domain B?  If this is correct how do you do this?
Try following the link below for more detailed steps on setting this up. Zone transfers are pretty straightforward.
https://technet.microsoft.com/en-us/library/cc816885%28v=ws.10%29.aspx

"The DNS server encountered a problem while attempting to load the zone.  The transfer of Zone data from the master server failed."

Also related to the issue above check out the technet below for more info
https://technet.microsoft.com/en-us/library/cc776973%28v=ws.10%29.aspx

Will.
Why not use AD-integrated zones and conditional forwarders? Let's say domain A is 'comp1.local' and domain B is 'comp2.local'. Each domain has one or more domain controllers and they are authoritative for their DNS zone. Now set up either a conditional forwarder or a stub zone and whenever a client in comp1.local asks for a name in comp2.local the request is forwarded to the DC in that domain. That way you don't have to configure any zone transfers etc. Seems like the simplest and most straight-forward setup to me.
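The two approaches discussed in this thread (Will's zone transfer plus secondary zone, and albatros99's conditional forwarder), written out as DnsServer-module commands. This is an added example, not code from any poster; the zone names comp1.local/comp2.local follow the post above, and the addresses 10.0.0.10 (domain A DNS) and 10.0.0.20 (domain B DC/DNS) are constructed placeholders.

```powershell
# Added example (not from the thread). Requires the DnsServer module
# (Windows Server 2012+ DNS role or RSAT DNS tools) and admin rights on both servers.
Import-Module DnsServer

$domainB = 'comp2.local'   # domain B's AD DNS zone (placeholder name)
$dnsA    = '10.0.0.10'     # domain A DNS server (constructed address)
$dnsB    = '10.0.0.20'     # domain B DC / DNS server (constructed address)

# --- Check first: the "not authoritative" error in this thread means $dnsB does
# not actually host the zone, so confirm that before configuring anything else.
Get-DnsServerZone -Name $domainB -ComputerName $dnsB |
    Select-Object ZoneName, ZoneType, IsDsIntegrated

# --- Option 1 (conditional forwarder on domain A) -----------------------------
# Only queries for comp2.local are sent to domain B's DC; all other queries keep
# using domain A's normal forwarders. Storing it in AD replicates it to every
# DC in the forest, so each domain A DNS server behaves the same way.
Add-DnsServerConditionalForwarderZone -Name $domainB -MasterServers $dnsB `
    -ReplicationScope 'Forest' -ComputerName $dnsA

# --- Option 2 (zone transfer + secondary zone) --------------------------------
# On domain B's DNS server: allow transfers ONLY to domain A's DNS server.
# 'TransferToSecureServers' with an explicit list is the least-privilege setting;
# 'TransferAnyServer' would let any host on the shared subnet pull the whole zone.
Set-DnsServerPrimaryZone -Name $domainB -ComputerName $dnsB `
    -SecureSecondaries 'TransferToSecureServers' -SecondaryServers $dnsA `
    -Notify 'NotifyServers' -NotifyServers $dnsA

# On domain A's DNS server: create the secondary zone that pulls from domain B.
Add-DnsServerSecondaryZone -Name $domainB -ZoneFile "$domainB.dns" `
    -MasterServers $dnsB -ComputerName $dnsA

# --- Verify from domain A's point of view ------------------------------------
# A domain B host must now resolve to its internal address through $dnsA, not to
# the public IP of the registered domain (the symptom described later in the thread).
Resolve-DnsName -Name "serverb.$domainB" -Server $dnsA -Type A
```

Use one option or the other, not both; a conditional forwarder and a secondary zone with the same name cannot coexist on the same DNS server.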
Will,
I read through both of these articles and tried to apply the settings they outline but I'm still stuck.  On the DC for domain A, when I try to ping the domain controller in domain B, I am receiving a response from an external IP address.  I think this IP address may be what is listed as authoritative for the domain name.  I registered the domain name for domain B with Network Solutions as domainname.com and my internal Windows domain name for domain B is corp.domainname.com.  When I try to ping serverB.corp.domainname.com from the domain A domain controller I receive a response from the external address.  I think this is my issue with the zone transfers. I know this kind of changes the scope of the initial question but do you have any suggestions or input on this scenario?  Should I change my internal domain name to something other than a subdomain of my external domain name?  That is Microsoft's best practice though.

Thanks.
You need to be able to have complete routing in place for this to work. If you cannot ping the DC/DNS server then this is why it is not working. Is there a route in place for you to ping the domain controller directly? If not, you need to create one. This is usually done via VPN or doing a NAT translation on your firewall to your DNS server on port 53.

Will.
Domain B server must be able to access the internet.
Its domain name must NOT exist on the internet and it must not be known as a domain that is accessible to Domain A nodes but that is NOT Domain B per se. In the past, I used to have issues when my AD domain name was "mycompany.com" and when I also had a "mycompany.com" domain name known from my ISP's DNS (and other DNS on the Internet).

Make sure that routing is OK on Domain B (it must be able to ping 8.8.8.8 and Domain A's nodes, by IP addresses) and use DNS forwarders in Domain B's DC for the DNS configuration (forward to Domain A's DNS) so that it can resolve names (and thus be able to ping google-public-dns-a.google.com and Domain A's nodes, by name).
I am able to access the Internet on Domain B server.  It is on the same subnet as Domain A server and I can ping between the two by name without issue.  No routes needed.  I simply need machines in domain A to be able to resolve names in domain B.  Albatros99, I will try the conditional forwarders.  I will have to read up about stub zones.
ASKER CERTIFIED SOLUTION
albatros99