
I am learning AD DS currently.

The scenario in my company looks like the following.

WorkingPC.Asia.Corp.domain.com 172.10.212.62

FileServerA.Asia.Corp.domain.com 172.11.13.21

Asia-DNS-01.Asia.Corp.domain.com 172.20.10.45

FileServerB.Eur.Corp.domain.com 10.21.11.213

If I use nslookup on WorkingPC, which is joined to the Asia domain:

> FileServerA
 Server:  Asia-DNS-01.Asia.corp.domain.com
 Address:  172.20.10.45

 Name:    FileServerA.Asia.corp.domain.com
 Address:  172.11.13.21

> FileServerB
 Server:  Asia-DNS-01.Asia.corp.domain.com
 Address:  172.20.10.45

 Non-authoritative answer:
 Name:    FileServerB.Eur.corp.domain.com
 Address:  10.21.11.213
 Aliases:  FileServerB.corp.domain.com

Problem is:

In my test environment, I can't resolve host in another domain by using a single host name.

> FileServerA
 Server:  Asia-DNS-01.Asia.corp.domain.com
 Address:  172.20.10.45

 Name:    FileServerA.Asia.corp.domain.com
 Address:  172.11.13.21

> FileServerB
 Server:  Asia-DNS-01.Asia.corp.domain.com
 Address:  172.20.10.45

 *** Asia-DNS-01.Asia.corp.domain.com can't find FileServerB: Non-existent domain

Assuming I deployed several sites by using AD DS.

There are domains:

Eur.Corp.Domain.com 

UK.Eur.Corp.Domain.com

UK is a child domain of Eur.

Updating Question for unclear description.

There are two resource servers in two domains.

FileServer1 in root domain, so the FQDN of the server is FileServer1.Eur.Corp.Domain.com.

FileServer2 in the child domain, so the FQDN of the server is FileServer2.UK.Eur.Corp.Domain.com.

When I try to nslookup both servers in the child by using a single name like FileServer1 & FileServer2, both servers can be resolved.

When I try to nslookup both servers in the parent by using a single name, FileServer1 can be resolved, but FileServer2 is shown as non-existent. And then if I use FileServer2.UK, it works.

Is this normal?


A server in Eur is named LAB.UK.Eur.Corp.Domain.com.

When I use NSLOOKUP to resolve 'LAB' in site UK.EUR, it can return the correct IP address. But if I try to NSLOOKUP in the EUR site, it fails.

My company creates a CNAME for every resource in the child domain. For example, there will be a CNAME LAB.Eur.Corp.Domain.com. But how to do this?

Is there any solution for this problem?

Ray

2 Answers


I'm going to make several points here. Some are related to your specific question and some are general information about AD DNS.

  1. The default behavior for DNS in an AD domain is for the _msdcs zone to be set to AD-integrated and replicated to all DNS servers in the Forest. This means that all DNS servers in the Forest will hold a copy of this zone.

  2. The default behavior for DNS in an AD domain is for the domain FQDN zone to be set to AD-integrated and replicated to all DNS servers in the domain. This means that all DNS servers in each domain will hold a copy of their FQDN zone.

  3. During the DCPROMO process for the child domain, a delegation for the child domain to the child DNS server will be created in the parent zone at the parent DNS server. Fully qualified DNS queries for the child domain from the parent domain will be "referred" to the child DNS server.

  4. During the DCPROMO process for the child domain, a forwarder will be created in the child DNS server to the parent DNS server. This is not a conditional forwarder (and doesn't need to be). You should see this on the Forwarders tab in the child DNS server properties. The child DNS server will forward queries for DNS zones it is not authoritative for to the parent server. This ties into my next point.

  5. DNS devolution accomplishes name resolution of single-label queries of parent zone records from the child domain. For example, if you run nslookup from the child domain for FileServer1, the first query is actually FileServer1.UK.Eur.Corp.Domain.com (because the child domain primary DNS suffix is appended to the query). When that fails (NXDOMAIN is returned), DNS devolution sends a query for FileServer1.Eur.Corp.Domain.com, which is forwarded to the parent DNS server (because the child DNS server is authoritative only for the UK.Eur.Corp.Domain.com zone; queries for all other domain names are forwarded to the parent server). The parent server is authoritative for the Eur.Corp.Domain.com zone and therefore resolves the query. If the query had been for www.google.com then the child DNS server would again forward the query to the parent DNS server and the parent DNS server would use its configured forwarders or root hints to resolve the query.

  6. For hosts in the parent domain to resolve single-label names in the child domain they'll need to be configured with a DNS suffix search list that includes the child domain's DNS suffix. You can configure this for all of the parent domain members by using Group Policy. Note that this GPO setting overrides the primary DNS suffix and connection-specific DNS suffix, so you'll need to add both the parent and the child DNS suffixes to this Group Policy setting (Eur.Corp.Domain.com and UK.Eur.Corp.Domain.com). Also note that you need to configure this ONLY in the parent domain.

joeqwerty
  • Thanks. I have provided more information in my question. Except for the GPO to add the primary DNS suffix, are there any other ways? – Ray May 10 '15 at 08:12
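As an added example (not code from joeqwerty's answer), the following PowerShell reproduces the name expansion described in points 5 and 6 and then applies the suffix search list on one client for testing. Host and domain names are the ones from the question; the assumption that devolution stops at a three-label forest root (Corp.Domain.com), the `Get-CandidateFqdn` helper, and the DnsClient module (Windows 8 / Server 2012 or later) are mine, not the page's.

```powershell
# Added example, not from the original answer. Shows which FQDNs a Windows
# client tries for a single-label name, with and without a suffix search
# list, and applies the list locally so the result can be checked.
# Assumption: the forest root is Corp.Domain.com (3 labels), so devolution
# stops there; adjust -StopAtLabels for a different forest.

# Candidate FQDNs the resolver tries for a single-label name, in order.
function Get-CandidateFqdn {
    param(
        [Parameter(Mandatory)][string]$Label,          # e.g. FileServer2
        [Parameter(Mandatory)][string]$PrimarySuffix,  # e.g. Eur.Corp.Domain.com
        [string[]]$SearchList = @(),                   # suffix search list, if configured
        [int]$StopAtLabels = 3                         # devolution floor (assumed forest root)
    )
    if ($SearchList.Count -gt 0) {
        # A search list REPLACES the primary suffix and devolution, which is
        # why point 6 says to put the parent suffix in the GPO as well.
        return $SearchList | ForEach-Object { "$Label.$_" }
    }
    # No search list: primary suffix first, then devolve one label at a time.
    $labels = $PrimarySuffix.Split('.')
    $candidates = @()
    for ($n = $labels.Count; $n -ge $StopAtLabels; $n--) {
        $suffix = $labels[($labels.Count - $n)..($labels.Count - 1)] -join '.'
        $candidates += "$Label.$suffix"
    }
    return $candidates
}

# From a member of the parent (Eur) with no search list: the child suffix is
# never tried, so FileServer2 ends in NXDOMAIN exactly as the question shows.
Get-CandidateFqdn -Label 'FileServer2' -PrimarySuffix 'Eur.Corp.Domain.com'

# From a member of the child (UK): devolution reaches the parent zone, so a
# single-label query for FileServer1 succeeds (point 5).
Get-CandidateFqdn -Label 'FileServer1' -PrimarySuffix 'UK.Eur.Corp.Domain.com'

# The list point 6 says to deploy by GPO in the parent domain: both suffixes.
$searchList = 'Eur.Corp.Domain.com', 'UK.Eur.Corp.Domain.com'
Get-CandidateFqdn -Label 'FileServer2' -PrimarySuffix 'Eur.Corp.Domain.com' -SearchList $searchList

# Apply it on a single Eur member for testing. A domain GPO carrying the same
# setting overrides this value on the next policy refresh.
Set-DnsClientGlobalSetting -SuffixSearchList $searchList
(Get-DnsClientGlobalSetting).SuffixSearchList

# Check with explicit queries, which is what nslookup does under the hood.
foreach ($fqdn in (Get-CandidateFqdn -Label 'FileServer2' -PrimarySuffix 'Eur.Corp.Domain.com' -SearchList $searchList)) {
    $answer = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
    if ($answer) { "$fqdn -> $($answer.IPAddress -join ', ')"; break }
    "$fqdn -> not found"
}
```

The order of the list matters: the first suffix that produces an answer wins, so putting the parent suffix first keeps resolution of the local domain's own hosts at one query.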

There are about 3 ways you can do this without the CNAME horror you've described.

All of these are configured via the DNS management console or via PowerShell (module needs to be downloaded pre-Server 2012). Obviously DNS connectivity is required between DCs.

EDIT: All of this presumes that all three domains are not fully visible from the www.

Global Forwarders

DNS resolution tends to follow a "downward" path via delegation. Your setup already has this working (ie LAB.UK.Eur.Corp.Domain.com resolves from its parent domain) which should be due to NS records pointing to the DCs of LAB (or conditional forwarding - see below). You could set a "Global Forwarder" which will send all requests for records not hosted locally to, say, the DCs of the parent domain.

This setup could interfere with internet connectivity, as queries for "www.google.com" (and everything else) will go via your global forwarder.

Conditional Forwarding

Similar to global forwarding, you specify exactly where queries should go for a specific domain. So you could have queries for UK go directly to the UK DCs, and queries for EURO go straight to the EURO DCs.

Internal Root Hints

I don't recommend this one, and there's too much involved in this setup for me to go into (I've done it once and badly) but the concept is here for completeness.

Andy
  • Thanks. But my question is unclear. I update the description. Could you give some suggestion? – Ray May 09 '15 at 08:40
  • Oh, that's much easier. Yes, it is normal. The host only has a *DNS Search Suffix* of the local domain. See http://blogs.msmvps.com/acefekay/2011/02/12/configuring-dns-search-suffixes/ – Andy May 09 '15 at 08:55
  • Thanks a lot. I have read this article. Two servers: **fileUK.uk.corp** and **fileIE.ie.corp**. So they are in different domains. Using only the server name can't nslookup the server in another domain. In my company, **fileUk.uk.corp** has an alias **fileUk.corp** and **fileIE.ie.corp** has the same, so a host in UK can use the single name **'fileIE'** to find fileIE.ie.corp. – Ray May 10 '15 at 03:19
  • I provide more information for this question. Could you help? – Ray May 10 '15 at 08:19
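As an added example (not Andy's code), the PowerShell below configures the two forwarding options from his answer with the DnsServer module on Windows Server 2012 or later, run on a DNS server (DC) of the child domain UK.Eur. Domain names come from the question; the DC addresses in `$eurDcs` are placeholders I made up.

```powershell
# Added example, not from the original answer. Run on a DNS server of
# UK.Eur.Corp.Domain.com. The Eur DC addresses below are placeholders.

$eurDcs = '192.0.2.20', '192.0.2.21'   # placeholder: DNS servers of Eur.Corp.Domain.com
$parentZone = 'Eur.Corp.Domain.com'

# Option 1 - global forwarder. Everything this server is not authoritative
# for goes to Eur, www.google.com included, so internet resolution from UK
# now depends on the Eur DCs being reachable (the caveat in the answer).
Set-DnsServerForwarder -IPAddress $eurDcs -UseRootHint $false
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint

# Option 2 - conditional forwarder. Only queries under Eur.Corp.Domain.com go
# to the Eur DCs; the server keeps its existing forwarders or root hints for
# everything else. Forest replication puts the same rule on every DNS server
# in the forest, so each DC answers consistently without per-server setup.
if (-not (Get-DnsServerZone -Name $parentZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $parentZone `
        -MasterServers $eurDcs -ReplicationScope 'Forest'
}
Get-DnsServerZone -Name $parentZone | Select-Object ZoneName, ZoneType, MasterServers

# Verify: a fully qualified parent-zone name now resolves through this server.
Resolve-DnsName -Name "FileServer1.$parentZone" -Server $env:COMPUTERNAME -Type A -DnsOnly
```

Either option only decides which server answers a query that is already fully qualified; it does not change which suffixes a client appends to a single label, so the parent-side problem in the question (FileServer2 from Eur) still needs the DNS suffix search list from the other answer.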