
So, I have two AWS-based environments that are largely separated, but are connected via an intermediary VPC that hosts a VPN server, and has routing into each of the individual environments. Let's call these "A", "B" and "Management" VPCs.

"A" and "B" each have an Active Directory (a Microsoft Directory in AWS Directory Services), and the VPN is configured to use "A" to resolve DNS. Now, I want to bring "B" into DNS scope, so connecting users don't need to use IP addresses to connect to "B"'s servers.

To that end I set up the routes in my VPCs to allow the DCs to talk to each other, and confirmed at a network level that everything is open. Then, I set up a conditional forwarder in "A" to forward requests to "B" for its suffix.

(Note: I have, obviously, redacted all the actual names, not for privacy but to avoid confusion, since they are very similar.)

[Screenshot: conditional forwarder setup]

However, when I try to query a "B" server from an "A" server, it doesn't work. If I manually specify "B"'s DNS, however, it does work. Am I missing something important here?

[Screenshot: nslookup commands that aren't working right]

Mike Caron
  • This is where redaction gets even more confusing for us - is what you have typed under "DNS Domain" letter for letter identical to what's after PDBS01? Your "B" is in different places, which makes me wonder – Dan Jan 29 '18 at 16:52
  • Ok, that is an error. B is the exact same in all places, except for the very first ".com" - that's part of the original B text. – Mike Caron Jan 29 '18 at 17:01
  • I have fixed the screenshot, which should address your concern. "B" now represents the same domain in all places. – Mike Caron Jan 29 '18 at 17:04

1 Answer


I managed to get this to work, though it was a real trial.

First and foremost, it's important to remember that AWS Directory Services controllers are in a separate security group that, by default, restricts all outbound access except to other domain controllers. In order for my situation to work, I needed to explicitly add outbound access to the other domain controllers.

However, even when I did that, it still wasn't working. I had to delete the forwarder and re-create it after fixing the security group in order for it to work.

Mike Caron
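The security-group gap the answer describes can be checked before touching the forwarder. The following is an added example, not code from the post or from AWS: it takes egress rules in the shape of `aws ec2 describe-security-groups` output and reports which DNS paths to the peer domain controllers are still blocked. All IDs, CIDRs and controller IPs are constructed for illustration.

```python
"""Added example (not from the original post): check whether an AWS Directory
Service security group's egress rules allow DNS to the peer domain's DCs.
All IPs and CIDRs below are constructed for illustration."""
import ipaddress

# Constructed egress rules: the default Directory Service group only allows
# traffic to its own controllers (here 10.1.0.0/24); nothing reaches VPC "B".
SG_A_EGRESS = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.1.0.0/24"}]},
]
# The same group after adding DNS egress to "B"'s domain controllers.
SG_A_EGRESS_FIXED = SG_A_EGRESS + [
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "10.2.0.10/32"}, {"CidrIp": "10.2.0.11/32"}]},
    {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "10.2.0.10/32"}, {"CidrIp": "10.2.0.11/32"}]},
]
PEER_DCS = ["10.2.0.10", "10.2.0.11"]  # constructed IPs of "B"'s controllers


def rule_allows(rule, proto, port, ip):
    """True if one IpPermission entry covers proto/port to ip."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1":  # "-1" means all protocols and ports
        if not rule["FromPort"] <= port <= rule["ToPort"]:
            return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in rule.get("IpRanges", []))


def missing_dns_egress(egress, peer_dcs):
    """Return (protocol, dc_ip) pairs the forwarder needs but the group blocks.
    Forwarded queries use UDP 53 and fall back to TCP 53 for truncated replies,
    so both protocols must be open to every peer controller."""
    gaps = []
    for ip in peer_dcs:
        for proto in ("udp", "tcp"):
            if not any(rule_allows(r, proto, 53, ip) for r in egress):
                gaps.append((proto, ip))
    return gaps


if __name__ == "__main__":
    print("before fix:", missing_dns_egress(SG_A_EGRESS, PEER_DCS))
    print("after fix: ", missing_dns_egress(SG_A_EGRESS_FIXED, PEER_DCS))
```

Feed it the real `IpPermissionsEgress` list of the directory's security group and the IPs AWS reports for the other directory's controllers; an empty result means the remaining step is the forwarder itself.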