How to correctly enable DNS forwarding on secondary DC at secondary location

I utilize an IPSec tunnel to connect up to another business location. I have my main DC (Windows Server 2008 R2 ESXi vm) at my home location and a full secondary (read/write) DC at the secondary location. On the secondary, as on the first, I have enabled DHCP and DNS. I am using OpenDNS as my forwarders at both locations. DHCP is working fine at the secondary location, but DNS is not. I first noticed this when I could see that web searches were not properly hitting the OpenDNS content filter where applicable. When looking at the secondary DC's DNS Manager, I am seeing everything I see on the primary. However, I do not see cached lookups nor any reverse lookup zones (save for the zone my primary DC is in, which I imagine is just copied over). Also, when running nslookup on each DC it is obvious something is off on the secondary. Here is the output of nslookup 8.8.8.8 on the primary DC:

Server:  <<redacted>>
Address:  192.168.1.102

Name:    google-public-dns-a.google.com
Address:  8.8.8.8


This is obviously functioning correctly. Here, by contrast, is the output of nslookup 8.8.8.8 on the secondary DC:

230.100.120.10.in-addr.arpa
        primary name server = localhost
        responsible mail addr = nobody.invalid
        serial  = 1
        refresh = 600 (10 mins)
        retry   = 1200 (20 mins)
        expire  = 604800 (7 days)
        default TTL = 10800 (3 hours)
Server:  UnKnown
Address:  10.120.100.230

Name:    google-public-dns-a.google.com
Address:  8.8.8.8


I have configured everything on the secondary DC that I know to.  I have compared settings on the primary and made sure to perform similar settings on the secondary.  I don't know what I could be missing.  The only thing I could see as being a potential cause is the fact that before this DC was put in place about a week and a half ago, the router was performing DHCP and DNS operations.  I do not control this router (it is controlled by an outside entity as per the decision on the location), but I requested that the controlling entity disable DHCP and DNS.  This was done and I can see dynamic devices are picking up the correct settings (ipconfig /all):

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : <<redacted>>
   Description . . . . . . . . . . . : Intel(R) 82566DM Gigabit Network Connection
   Physical Address. . . . . . . . . : <<redacted>>
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.120.100.112(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, October 13, 2015 3:33:23 PM
   Lease Expires . . . . . . . . . . : Wednesday, October 14, 2015 7:33:27 AM
   Default Gateway . . . . . . . . . : 10.120.100.1
   DHCP Server . . . . . . . . . . . : 10.120.100.230
   DNS Servers . . . . . . . . . . . : 10.120.100.230
   NetBIOS over Tcpip. . . . . . . . : Enabled


10.120.100.230 is the secondary DC.  Can anyone think of what could be wrong here?
Dustin23 (IT Director) asked:

Dan McFadden (Systems Engineer) commented:
Can you post an ipconfig /all from the second DC?

Dan
Dustin23 (IT Director, author) commented:
Sure, here it is:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : MDC1
   Primary Dns Suffix  . . . . . . . : <<redacted>>
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : <<redacted>>

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-B2-17-B1
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.120.100.230(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.120.100.1
   DNS Servers . . . . . . . . . . . : 10.120.100.230
   NetBIOS over Tcpip. . . . . . . . : Enabled
Dan McFadden (Systems Engineer) commented:
Can you show the configuration of the DNS service?  What IP is it bound to, what is the forwarder config?

Dan

Dustin23 (IT Director, author) commented:
Not really sure what all screens you would like to see here... DNS is bound to 10.120.100.230 (the domain controller at the secondary location). I have attached screenshots of the interfaces and forwarders tabs of the DC properties.
Attachments: MDC1_interfaces.png, MDC1_forwarders.png
Dan McFadden (Systems Engineer) commented:
I would verify the PTR record in DNS for this DC.

What is the command output when you do an NSLOOKUP on the server's name and the server IP?

Dan
Dustin23 (IT Director, author) commented:
Ok Dan, I do not see a PTR record for this DC, but that must be because I do not see a reverse lookup zone for this subnet (10.120.100.0).  Am I supposed to create one?  Here is the output of nslookup mdc1:

Server:  dc1.<<redacted>>
Address:  192.168.1.102

Name:    mdc1.<<redacted>>
Address:  10.120.100.230


And the output of nslookup 10.120.100.230:

Server:  dc1.<<redacted>>
Address:  192.168.1.102

230.100.120.10.in-addr.arpa
        primary name server = localhost
        responsible mail addr = nobody.invalid
        serial  = 1
        refresh = 600 (10 mins)
        retry   = 1200 (20 mins)
        expire  = 604800 (7 days)
        default TTL = 10800 (3 hours)
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for 10.120.100.230
Dan McFadden (Systems Engineer) commented:
You need a reverse zone for every subnet on your network.  As with most things in DNS, you have to manually create the zones.

I would verify that all your subnets have a reverse zone in your DNS service and when you manually create new DNS A records, make sure you check off the box that creates the PTR record.

Dan
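As an added example (not from the thread or from Dan), here is Dan's advice scripted with dnscmd, which ships with Windows Server 2008 R2 (the DnsServer PowerShell module only arrived with Server 2012). The subnet and the DC name/address come from the thread; the domain name corp.example.com and the parameter names are placeholders.

```powershell
# Added example: create the missing AD-integrated reverse lookup zone for the
# secondary site's subnet and the DC's PTR record with dnscmd. Run on a DC in
# an elevated PowerShell session as a Domain Admin.
# Assumed values: subnet 10.120.100.0/24 and DC mdc1 at 10.120.100.230 are
# from the thread; corp.example.com is a placeholder for the AD domain.
param(
    [string]$Subnet   = '10.120.100',        # first three octets of the /24
    [string]$HostName = 'mdc1',
    [string]$HostIp   = '10.120.100.230',
    [string]$Domain   = 'corp.example.com'   # placeholder, use your AD domain
)

# Reverse zone name: octets reversed, so 10.120.100 -> 100.120.10.in-addr.arpa
$octets  = $Subnet.Split('.')
[array]::Reverse($octets)
$zone    = ($octets -join '.') + '.in-addr.arpa'
$lastOct = $HostIp.Split('.')[-1]          # the node name inside the zone
$fqdn    = "$HostName.$Domain."            # trailing dot: fully qualified

# 1. Create the zone AD-integrated and replicated to every DNS server in the
#    forest, so the secondary DC receives it through AD replication instead of
#    needing a separately maintained copy.
& dnscmd /ZoneAdd $zone /DsPrimary /DP /forest
if ($LASTEXITCODE -ne 0) { throw "ZoneAdd failed for $zone" }

# 2. Secure dynamic updates only (2 = secure). With nonsecure updates (1), any
#    host on the LAN could register or overwrite PTR records in the zone.
& dnscmd /Config $zone /AllowUpdate 2

# 3. Add the DC's own PTR by hand; for A records created later, tick
#    'Create associated pointer (PTR) record' as Dan advised.
& dnscmd /RecordAdd $zone $lastOct PTR $fqdn

# 4. Verify against the secondary DC itself. A correct answer returns the DC's
#    name; the 'localhost' / 'nobody.invalid' SOA seen in the thread is a
#    negative answer that came back because no local reverse zone matched.
& nslookup $HostIp $HostIp
```

Since the zone is forest-replicated, the same step applies to every other subnet on the network that still lacks a reverse zone.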

Dustin23 (IT Director, author) commented:
So after I posted the latest reply, I went and did exactly that.  I created the reverse zone on the primary DC at the main office.  After a reboot of the secondary DC, the addition propagated and everything started working fine.  First time creating a secondary DC, you live and learn...thanks for all the help Dan.