Solved

DNS Resolution NOT working through VPN

Posted on 2016-09-13
Last Modified: 2017-04-10
I am trying to set up an internal DNS resolution. Here is the situation.
Company A acquired company B.
Both companies have their own internal Windows AD/DNS servers.
I set up a VPN between A and B.

I can ping company B PC's by IP's from company A
I can ping company A PC's by IP's from company B


The issue is:
I cannot ping company B PC's by host name from company A
I cannot ping company A PC's by host name from company B

Where should this be configured?
1-From windows DNS servers from both A and B?
2-From both firewalls used to setup the VPN between company A and B?

Thanks in advance....
Question by:VMCity
16 Comments
 
LVL 41

Expert Comment

by:footech
ID: 41796627
When you say host name, do you mean only the host name, or the FQDN (host name plus domain).
If only the host name, you should test with the FQDN, and the better tool to test name resolution is nslookup.
If you try something like the following from a machine in companyA (notice the trailing dot), do you get a correct result?
nslookup host.companyB.com.

0
 
LVL 17

Assisted Solution

by:Ivan
Ivan earned 500 total points (awarded by participants)
ID: 41796639
Hi,
You can configure on dns servers, in both companies, a stub zone or conditional forwarder. That should allow both companies to resolve dns requests.

Regards,
Ivan.
0
 
LVL 27

Accepted Solution

by:
DrDave242 earned 1000 total points (awarded by participants)
ID: 41796646
There are a number of ways to make this work, but two of the simplest are conditional forwarders and stub zones. From an end user's perspective, they'll work the same: the DNS client will query a local DNS server for a record in the other domain, and it'll get a response. Under the hood, they work differently, though.

A conditional forwarder tells a DNS server to forward queries for records in a particular domain to a list of DNS servers - typically the authoritative DNS servers for that domain. For example, if you create a conditional forwarder for the contoso.com domain on your DNS server, it'll forward any queries for names in that domain to the servers that you specify. As long as it gets a response, it'll send that response to the client.

A stub zone, on the other hand, contains a list of the authoritative name servers for a domain, as well as glue records for those name servers. When a client queries the DNS server for a name in that domain, the DNS server uses those name servers to get a response, either by querying the servers itself or by sending a referral to the client.

One advantage of stub zones is that they are periodically updated from a list of master servers (supplied during the creation of the zone), so that if the list of name servers for the domain in question changes, the stub zone will be automatically updated to reflect that change. Conditional forwarders simply forward queries to a static list of servers; if the list of name servers for the target domain changes, the forwarder has to be updated manually.
1
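The two options DrDave242 describes, as an added PowerShell example that is not code from the thread or from any of its participants. It assumes the domain names companyA.com and companyB.com, company A's DNS server 192.168.5.10 (the address in VMCity's nslookup output) and a placeholder 192.168.6.10 for company B's authoritative DNS server; the host name host.companyB.com is also assumed. It is run on a DNS server in company A with the DnsServer module installed, and the mirror image is applied on company B's side.

```powershell
# Added example (not from the thread): configure company A's Windows DNS server so
# that names in companyB.com resolve across the VPN, then verify the result.
# Assumed values: zone companyB.com, A's DNS server 192.168.5.10 (from the thread),
# B's DNS server 192.168.6.10 (placeholder). Mirror this on company B's server.
#Requires -Modules DnsServer

$remoteZone = 'companyB.com'
$remoteDns  = @('192.168.6.10')   # placeholder: company B's authoritative DNS server(s)
$localDns   = '192.168.5.10'

# Option 1: conditional forwarder. Queries for *.companyB.com are sent to $remoteDns;
# the list is static and must be edited by hand if B's name servers change.
# ReplicationScope Forest stores it in AD so every DNS server in A's forest gets it.
# Only list B's authoritative servers here: answers for this zone are trusted as-is.
if (-not (Get-DnsServerZone -Name $remoteZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $remoteZone `
        -MasterServers $remoteDns -ReplicationScope 'Forest' -PassThru
}

# Option 2 (instead of option 1, not in addition to it): stub zone. The server
# loads B's NS and glue records from the master servers and refreshes them itself.
# Add-DnsServerStubZone -Name $remoteZone -MasterServers $remoteDns `
#     -ReplicationScope 'Forest' -PassThru

# The forwarder only works if the VPN/firewall passes DNS (UDP and TCP 53) between
# the two DNS servers. Test-NetConnection checks the TCP side from this server.
foreach ($server in $remoteDns) {
    Test-NetConnection -ComputerName $server -Port 53 |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# Verification: ask A's own DNS server for an FQDN in B. The trailing dot, as
# footech suggested, stops the client from appending its own suffix. -DnsOnly
# bypasses the hosts file and the local cache.
$probe = Resolve-DnsName -Name 'host.companyB.com.' -Type A -Server $localDns `
             -DnsOnly -ErrorAction SilentlyContinue
if ($probe) {
    $addresses = $probe | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
    "Resolved host.companyB.com via ${localDns}: $($addresses -join ', ')"
} else {
    "Lookup failed via ${localDns}: check the forwarder/stub zone on this server and that " +
    "port 53 (UDP and TCP) is allowed across the VPN to $($remoteDns -join ', ')"
}
```

If the lookup still fails after the forwarder is in place, the usual causes are the firewall rules on the VPN (the answer to VMCity's second question: both the DNS servers and the firewalls are involved, the DNS servers for the configuration and the firewalls for passing port 53) and the remote server refusing queries from the other company's address range.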
 

Author Comment

by:VMCity
ID: 41796728
Footech, here is the result of the nslookup test you requested:

 
C:\Users\Administrator>nslookup host.companyB.com.
Server:  UnKnown
Address:  192.168.5.10   ------>  local DNS server of companyA from where the nslookup is being run

*** UnKnown can't find nslookup host.companyB.com: Non-existent domain

 Thanks,
0
 
LVL 17

Expert Comment

by:Ivan
ID: 41796772
Hi,

your dns server does not know of domain dns, and that is why it is failing. You need to use stub or conditional forwarder, that will tell dns server from companyA where dns for company is located, and vice versa.

Regards,
Ivan.
1
 

Author Comment

by:VMCity
ID: 41796850
Ivan thanks for your reply..

Assuming I go with a stub zone, it is correct that, one stub zone will have to be created on each company's DNS server?

Thanks,
0
 
LVL 17

Assisted Solution

by:Ivan
Ivan earned 500 total points (awarded by participants)
ID: 41796863
Hi,

yes, that is correct. The same would happen with a conditional forwarder.

Regards,
Ivan.
0
 
LVL 41

Assisted Solution

by:footech
footech earned 500 total points (awarded by participants)
ID: 41797105
OK, assuming you used an actual FQDN that exists for the nslookup command, that confirms that you don't have a stub zone, forwarder, or delegation in place.  I just wanted to make sure before asking you to put one in place.  The others have already pointed out what is needed.

One thing to keep in mind, is that clients will need to use the FQDN to reach a machine in the other domain unless you also configure DNS suffixes to be appended (i.e. companyA would need companyB's DNS suffix in addition to their own, and vice versa).  If you want people to be able to reach resources in the other domain while just specifying the host name, Group Policy would be the best tool to configure this.
0
 

Author Comment

by:VMCity
ID: 41798116
Thanks DrDave242 for your detailed answer and the links....

Is a stub zone or conditional forwarders a requirement in order to have userA from companyA authenticate with companyB Active Directory server as if userA was created in companyB hence be able to use companyB resources?
0
 

Author Comment

by:VMCity
ID: 41798122
Footech , can you please point me to an online ref for an example of such a GP configuration?
0
 
LVL 27

Assisted Solution

by:DrDave242
DrDave242 earned 1000 total points (awarded by participants)
ID: 41798133
Is a stub zone or conditional forwarders a requirement in order to have userA from companyA authenticate with companyB Active Directory server as if userA was created in companyB hence be able to use companyB resources?
Yes. In order for users in one domain to authenticate with the other domain, you'll need to set up a trust between the two (most likely a forest trust, as I'm assuming the two companies have separate AD forests). One of the prerequisites of this trust is name resolution between the two sides, and that's where stub zones and conditional forwarders come in. In addition to providing simple name-to-address resolution, they also allow resolution of domain controller SRV records, which is essential for authentication to take place.
0
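A check for the prerequisite DrDave242 describes, as an added PowerShell example that is not code from the thread. It assumes the remote domain companyB.com and company A's DNS server 192.168.5.10 (from the thread's nslookup output), and is run on a domain-joined machine in company A after the stub zone or conditional forwarder is in place. It only reads DNS; it changes nothing and does not create the trust.

```powershell
# Added example (not from the thread): confirm that the domain-controller locator
# SRV records of the other domain resolve through the local DNS server, which is
# the name-resolution prerequisite for a forest trust. Assumed names: companyB.com
# and A's DNS server 192.168.5.10 (from the thread).
param(
    [string]$RemoteDomain = 'companyB.com',
    [string]$LocalDns     = '192.168.5.10'
)

# Records the DC locator asks for; all live under the _msdcs subdomain, so a
# plain host lookup succeeding does not prove these resolve.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$RemoteDomain",      # LDAP on any DC
    "_kerberos._tcp.dc._msdcs.$RemoteDomain",  # Kerberos KDC on any DC
    "_ldap._tcp.pdc._msdcs.$RemoteDomain"      # PDC emulator, contacted when the trust is created
)

$results = foreach ($name in $srvNames) {
    $srv = Resolve-DnsName -Name $name -Type SRV -Server $LocalDns -DnsOnly `
               -ErrorAction SilentlyContinue | Where-Object Type -eq 'SRV'
    [pscustomobject]@{
        Record  = $name
        Found   = [bool]$srv
        Targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
    }
}
$results | Format-Table -AutoSize

if ($results.Found -contains $false) {
    "Missing SRV records: the stub zone or conditional forwarder for $RemoteDomain " +
    "is not in place (or has not replicated) on $LocalDns, so a trust cannot be set up yet."
} else {
    # nltest ships with Windows; /dsgetdc exercises the real DC locator path, so a
    # successful result here means the trust wizard will be able to find B's DCs.
    nltest /dsgetdc:$RemoteDomain
}
```

Run the same script from company B against companyA.com, since the trust needs resolution in both directions.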
 
LVL 41

Assisted Solution

by:footech
footech earned 500 total points (awarded by participants)
ID: 41798304
No, but the setting is under
Computer Configuration/Policies/Administrative Templates/Network/DNS Client/DNS Suffix Search List
0
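A way to verify on a client that the suffix list footech describes has taken effect, as an added PowerShell example that is not code from the thread. It assumes the suffixes companyA.com and companyB.com and a host named host in company B. The policy setting at the path footech gives writes the value SearchList under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient; the script reads that value, reads the list the resolver actually uses, and shows the non-policy equivalent for a machine the GPO does not cover.

```powershell
# Added example (not from the thread): check that a company A client will append
# company B's suffix when a user types a bare host name. Assumed suffixes
# companyA.com and companyB.com; assumed remote host name "host".
$wanted = @('companyA.com', 'companyB.com')

# 1. Value written by the GPO "DNS Suffix Search List" (comma-separated string).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$policy = (Get-ItemProperty -Path $policyKey -Name SearchList -ErrorAction SilentlyContinue).SearchList
"Policy SearchList : $(if ($policy) { $policy } else { '<not set by GPO>' })"

# 2. List the resolver is really using (policy wins over the local setting).
$effective = (Get-DnsClientGlobalSetting).SuffixSearchList
"Effective list    : $($effective -join ', ')"

# A configured search list replaces the primary suffix, so the local suffix must
# be in the list too, not only the other company's.
$missing = $wanted | Where-Object { $_ -notin $effective }
if ($missing) {
    "Missing suffixes: $($missing -join ', ')"
    # Local equivalent for a machine outside the GPO's scope (the GPO overrides this):
    # Set-DnsClientGlobalSetting -SuffixSearchList $wanted
} else {
    # Short-name probe: the resolver tries host.companyA.com, then host.companyB.com.
    Resolve-DnsName -Name 'host' -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Select-Object Name, IPAddress
}
```

The order of the list matters: a name that exists in both domains resolves to whichever suffix is listed first, which is worth keeping in mind when the two merged companies have hosts with the same short name.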
 
LVL 27

Expert Comment

by:DrDave242
ID: 41827708
Lot of helpful answers here. I feel a little dirty giving myself more points, so please object if you'd rather see them allocated differently.
0
 

Author Comment

by:VMCity
ID: 42078222
Hi DrDave242,

I do not remember distributing points. From your last message I believe someone else did. Can you explain how this works?
I didn't do it because I was still waiting till after implementation (maybe there is a time limit I am not aware of). I did it a couple of days ago and it worked. Thank you to all of you.
It is only after implementation that I understood what "footech" was really talking about (I was more focused on just getting it to work than the convenience part of just being able to use the host name without the DNS suffix between).

If you do not mind I would add 40 points to "footech".

All of you have been great.

Thank you
0
 
LVL 41

Expert Comment

by:footech
ID: 42078655
@VMCity - When a question is abandoned, experts who have participated in the thread can give recommendations on how the question should be closed.  If no recommendations are received, then a cleanup volunteer will take action as they see appropriate.  A question is considered abandoned if there hasn't been any comment in 14 days (I think I'm remembering the number of days correctly).  I'm fine with the points distribution - no need to reopen the question again to redistribute.  Thanks.
0
 

Author Comment

by:VMCity
ID: 42087272
Thanks for the clarification. I was not aware of these details.
0
