Reverse lookup zones

We have a trusted domain that was set up prior to me arriving here, and there seem to be some DNS issues across domains.  On one domain there is a reverse lookup zone (for that domain only), but domain2 has no reverse lookup at all.  The questions I have are...

Will adding the reverse lookup to the second domain (domain2) cause me any issues when I add it?

On domain1 do I need to add an entry for domain2's DC?

Any help is appreciated.  

Thanks
swilliamson-mwns Asked:
Hypercat (Deb) Commented:
Reverse lookup zone - adding reverse lookup capabilities to an existing domain will not cause any issues. Reverse lookup records will be created automatically along with other dynamic DNS updates.

A DNS entry on domain1 for domain2's DC - this might or might not be needed depending upon the way the communication between the two domains is accomplished.  If you do decide to add it, then you'd do it by adding a conditional forwarder in the DNS zone on domain1. To do this, right-click on the Conditional Forwarders object in the DNS server object tree and click "New Conditional Forwarder."
Daniel McAllister, President, IT4SOHO, LLC Commented:
Short answer:

Adding PTR records to a new in-addr.arpa domain on your domain's DNS server should not affect any of the other current functions on either domain. It may or may not help any issues you're having, but quite honestly, it isn't likely to help. (The number of applications and/or services that use PTR records is relatively small -- though not insignificant.)

Also, to resolve DomainB hosts from a DomainA system, you will need some kind of magic -- most likely a "conditional forwarder" (see here).

However, to provide more than a generic answer, I would need more info.
 - Are Domains A&B co-located (same physical LAN)? Routed (disparate LANs)?
 - I hear you that they're trusted, but do they share resources?
 - Are hosts & users on one domain supposed to have specific access to the other's resources? Like what, for example?

In addition, it would help to know just what kinds of issues you're having.

Of course, if the general answers provide you enough of a jumping off point...

I hope this helps

Dan
IT4SOHO

swilliamson-mwns (Author) Commented:
Dan,

Thanks for the reply!  To answer your questions here are the answers.

 - Are Domains A&B co-located (same physical LAN)? Routed (disparate LANs)?  Yes, they are on the same LAN.  Same bldg, separate part.

 - I hear you that they're trusted, but do they share resources?  They don't share any resources but there are a few sites that they share and that is partially the reason for the post.

 - Are hosts & users on one domain supposed to have specific access to the other's resources? Like what, for example?  NO.

In addition, it would help to know just what kinds of issues you're having.  The big issue is that we have a couple of servers that have external access and internal access.  When inside the BLDG and Domain1 tries to access a webpage (pacs.xxxx.com), Domain1 can get there but domain2 cannot.  There is a DNS entry on Domain1 that points to the internal IP address, but Domain2 doesn't see that.  When we are on Domain2 and do an NSLOOKUP for that site, it returns the external IP address and name.  This happens for multiple sites internally.

Hope that is explained correctly.  Thanks again for the reply!!

Perry
Hypercat (Deb) Commented:
Additional questions - what is the routing situation between the two domains and out to the Internet?  I assume there must be an internal router between the two networks, correct?  From there, how does each network get out to the Internet - does each have a separate Internet router? Or does each internal network go out through one Internet router?

Where are the websites hosted that Domain2 cannot browse? Are these websites on servers on Domain2 or Domain1 or completely external?
DLeaver Commented:
Basically Domain B does not resolve names in Domain A.  

Reverse lookup isn't going to help you with that, but it is good practice to have it configured.  It basically provides you with the ability to look up names against IP addresses - which is very useful, and some applications require it.

In your case Domain A can resolve the site internally as it uses the record it has registered in DNS.  Domain B cannot resolve it as it has no record for it, so it goes through the DNS name resolution process which sends it externally eventually.  The answer is therefore to use a conditional forwarder as outlined above.  I considered stub zones for a moment but these are really for parent child relationships if I recall correctly....
swilliamson-mwns (Author) Commented:
Hypercat and DLeaver

There are just switches with VLANs set up on the network.  Everyone uses the same core router to hit the internet.  Those sites are internal servers on Domain1.

DNS on both domains has an A record that points to the internal address; however, when Domain2 tries to connect they get timeouts.  If we try to ping or do an NSLOOKUP on any internal computer in either domain, it gets resolved.
DLeaver Commented:
On domain B does it load the site using an IP address?
swilliamson-mwns (Author) Commented:
Yes it does but the issue with that is that these sites have certificates assigned to them.
Hypercat (Deb) Commented:
I would think that putting a conditional forwarder on the Domain2 DC that points to the Domain1 DC would resolve your issue.
swilliamson-mwns (Author) Commented:
OK.  I will give that a shot!  I will report back.  Thanks
DLeaver Commented:
I wasn't suggesting that as a permanent fix, just wanted to confirm.

The issue you may be having is that the A record you have in place isn't sufficient, you may have other records such as CNAMEs that are related to the actual URL people use to connect.

Remove the A record and try the conditional forwarding
swilliamson-mwns (Author) Commented:
Well, it won't let me create it because that zone already exists.  That domain (neuro) is already in the forward lookup zone.  However, there is nothing in the reverse lookup zone for domain1. What gives?
Daniel McAllister, President, IT4SOHO, LLC Commented:
OK lots and lots of banter here... so let me explain why the conditional forwarding is HIGHLY PREFERABLE.

So, in a "normal" environment (only one local domain), one of your Windows AD servers is the DNS server (maybe several are), and it/they resolve names that end in the local domain name(s) with an authoritative reply (e.g.: server.domaina.local resolves to 192.168.0.1, and reversed). For those requests that are NOT in the local domain(s), they either forward the request to another resolver, or do the resolution themselves (if recursion is enabled).  

The sequence is simple:
 - If the request is in one of my local domain(s) (like DOMAINA.LOCAL or 0.168.192.in-addr.arpa), then reply authoritatively
 - If the request is not local, either resolve the address yourself recursively (using the Internet -- starting with a root, then a TLD DNS service), or forward the request to a recursing (resolving) DNS service (maybe your ISP's, or one of many public DNS services).

In the "old days", you would make the DNS server for each domain ALSO act as a "slave" DNS server for the other domain. That way, they would be authoritative for BOTH domains, but that also meant the overhead of copying zones around, sending and receiving notifies, etc.

The preferable way now though is to setup (in each domain's DNS servers) a conditional forward that modifies the decision tree slightly:
 - If the request is in one of my local domain(s) (like DOMAINA.LOCAL or 0.168.192.in-addr.arpa), then reply authoritatively
 - <inserted here> If the request is in one of my conditional domains (like DOMAINB.LOCAL or 1.168.192.in-addr.arpa), forward the request to the appropriate DNS server for that domain (there can be many conditional forwarders, each with their own DNS services)
 - If the request is not local (and not in the conditional list), either resolve the address yourself recursively (using the Internet -- starting with a root, then a TLD DNS service), or forward the request to a recursing (resolving) DNS service (maybe your ISP's, or one of many public DNS services).

The issue here is that you have to locally handle any local (non-internet) domains... and that means either becoming a slave server for all of the local domains, or using conditional forwarding to allow DNS services for each domain to handle their own requests.

The way you DO NOT want to do it is to create new "special" A records (or CNAMEs) for specific items in the other domain. You need to have the contents of your DNS updated as automatically as possible.

On a final note: DNS doesn't affect routing (at least not directly). If you can PING from 192.168.0.1 to 192.168.1.1, then your routing is working. But if you can't ping from server.domaina.local (192.168.0.1) to the name server.domainb.local (192.168.1.1), then you have a DNS issue that conditional forwarding (of both the forward and reverse zones) should resolve ... permanently, and with little overhead.

I hope this helps

Dan
IT4SOHO
Hypercat (Deb) Commented:
Reverse lookup and conditional forwarding are two completely separate things.  One doesn't affect the other at all. It may take a while to populate a rDNS zone because it's not used that frequently and will only update when the DNS registration is renewed.

It's not clear to me exactly what you're seeing or what's happening when you try to add a conditional forwarder to Domain2.  Could you take a screen shot of the DNS zone on Domain2 and post it (you can obscure the domain names to protect confidentiality, but please make sure we can identify which is Domain1 and which is Domain2 if they show up on the same DNS server).
Daniel McAllister, President, IT4SOHO, LLC Commented:
Reverse lookup is nothing more than a different zone. I have said nothing to the contrary.

= Having reverse lookups is optimal for your domains... ALL of them.

= Using conditional forwarding for multiple INTERNAL domains is also optimal.
= HOWEVER, using conditional forwarding for BOTH zones (forward and reverse) is also optimal -- assuming the "remote" domain has a zone for it.

The original question concerned BOTH topics, so I answered both.

NOTE TO swilliamson-mwns:

The error message is there because you probably have a locally defined zone for the other domain. (Probably as a result of you or a predecessor attempting to resolve the issue by duplicating zone entries locally.) You can't be authoritative and forward the domain lookups at the same time.  

Remove the second zone in your DNS service and then adding the conditional forwarder should work.

Dan
IT4SOHO
swilliamson-mwns (Author) Commented:
Here is the error I get when I try to add a conditional forwarder:
[Attachment: DNS-Srror.JPG]
Hypercat (Deb) Commented:
So, what is in the "neuro.com" zone? Did you create this zone yourself? If this is a series of manual DNS entries that you've created in an effort to fix your browsing issues, then you can just delete it and set up the forwarders instead.
DrDave242, Senior Support Engineer Commented:
If you're trying to add a conditional forwarder for the neuro.com domain, that error is expected, since (as the screenshot shows) there's already a forward lookup zone by that name on the server. You can have one or the other, but not both. Since it appears that the conditional forwarder is preferred in this case, you should remove the neuro.com forward lookup zone from this server before creating it.
Hypercat (Deb) Commented:
@dan - I think you're confusing my comments as answers to your comments.  I did not intend to make any comments on your post, I was addressing swilliamson's questions and comments directly.
swilliamson-mwns (Author) Commented:
neuro.com is DomainA; MSH.com is DomainB.

We have an A record pointing to an internal server (pacs.neuro.com, IP 10.0.X.X).  On the neuro side, if we try to access it via browser everything works great.  Cert is added and looks good.  However, in MSH if we try to go to pacs.neuro.com we get a timeout, "can't be found" message.  If we use the internal IP address it comes up, but then the users have to bypass the error message due to the cert not matching.   When we ping or do an NSLOOKUP it comes back with the public IP address.  This happens to a few servers we have that are accessed from inside and outside.

Hope this helps explain better.
swilliamson-mwns (Author) Commented:
Obviously I'm not a DNS wizard, but why on MSH is there no reverse lookup zone??  The neuro domain has one for itself.
DrDave242, Senior Support Engineer Commented:
neuro.com is DomainA; MSH.com is DomainB.
In that case, my recommendation (and that of several others) stands: remove the neuro.com forward lookup zone from the MSH.com DNS servers and use a conditional forwarder instead. This will allow MSH.com clients to resolve names in the neuro.com domain in the same manner (and using the same servers) as those in the neuro.com domain.

Obviously I'm not a DNS wizard, but why on MSH is there no reverse lookup zone??  The neuro domain has one for itself.
The reverse lookup zone simply hasn't been created on the MSH.com DNS server(s). Sorry if that sounds tautological, but I don't believe reverse zones are created by default in Windows DNS. You may create one, and it will begin to be populated. Its absence really isn't affecting anything, though.
Daniel McAllister, President, IT4SOHO, LLC Commented:
I would only add that:
 1) the conditional forwarders may need to exist on EACH DNS server: MSH.com conditionally forwarding for neuro.com; and neuro.com conditionally forwarding for MSH.com.
 2) If you have reverse zones (now or in the future), you should set up the conditional forwarding for those "domains" too.

Dan
IT4SOHO
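The fix agreed on in this thread (remove the stale local copy of the other domain's zone, then add conditional forwarders for both the forward and the reverse zone) can be scripted on the MSH.com DNS server with the DnsServer module. This is an added example, not code from any poster; the neuro.com DNS server addresses and the reverse zone name are placeholders that must be replaced with the real values (the thread only says pacs.neuro.com lives in 10.0.X.X).

```powershell
# Run on an MSH.com DNS server as an administrator. The mirror-image configuration
# (forwarders for MSH.com zones) has to be applied on the neuro.com DNS servers as well.
$RemoteDomain  = "neuro.com"
$RemoteReverse = "0.10.in-addr.arpa"           # ASSUMPTION: reverse zone for 10.0.0.0/16
$RemoteDns     = @("10.0.0.10", "10.0.0.11")    # PLACEHOLDER: neuro.com DC/DNS addresses

foreach ($zone in @($RemoteDomain, $RemoteReverse)) {
    $existing = Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue

    if ($existing -and $existing.ZoneType -ne "Forwarder") {
        # A locally hosted Primary/Secondary/Stub zone with this name makes the server answer
        # authoritatively, which is exactly why "New Conditional Forwarder" fails with
        # "zone already exists". It is also the hand-maintained copy that keeps returning the
        # public IP, so it goes. Remove-DnsServerZone prompts before deleting unless -Force is given.
        Write-Warning "Local $($existing.ZoneType) zone '$zone' shadows the remote domain; removing it."
        Remove-DnsServerZone -Name $zone
        $existing = $null
    }

    if (-not $existing) {
        # Store the forwarder in AD so every DNS server in the MSH.com forest gets it,
        # rather than configuring each server by hand.
        Add-DnsServerConditionalForwarderZone -Name $zone `
            -MasterServers $RemoteDns -ReplicationScope "Forest"
    }
}

# Verify against this server's own DNS service: pacs.neuro.com should now return the
# internal 10.0.x.x address from the neuro.com servers instead of the public one.
Resolve-DnsName -Name "pacs.$RemoteDomain" -Type A -Server 127.0.0.1 |
    Select-Object Name, IPAddress

# Reverse check through the second forwarder (replace with the real internal address).
Resolve-DnsName -Name "10.0.0.50" -Type PTR -Server 127.0.0.1 |
    Select-Object Name, NameHost
```

Get-DnsServerZone reports conditional forwarders with ZoneType "Forwarder", so rerunning the script is safe once the forwarders exist.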