Cannot add Conditional Forwarder in Active Directory

active-directorydomain-name-system

Right now, I have three forests I'm trying to create trusts between.

Let's call them hopelessn00b.local, hopelessn00b.com and internal.hopelessn00b.com.

I got trusts configured between hopelessn00b.local and hopelessn00b.com, as well as between hopelessn00b.local and internal.hopelessn00b.com, but when I went to set up the trust between hopelessn00b.com and internal.hopelessn00b.com, it bombed out, because hopelessn00b.com cannot contact internal.hopelessn00b.com.

So, I checked DNS, and sure enough, there's no forwarders or stub zones or anything that might tell hopelessn00b.com how to get to internal.hopelessn00b.com. I checked my hopelessn00b.local forest, and it was using a conditional forwarder to reach both the other domains, so I tried to set up a conditional forwarder on hopelessn00b.com with the IPs of my internal.hopelessn00b.com domain controllers. That fails with a "zone configuration error," after telling me that my internal.hopelessn00b.com domain controllers are not authoritative for the internal.hopelessn00b.com domain (they are). I assume that's because internal.hopelessn00b.com is a DNS sub-domain of hopelessn00b.com, even though they're completely different and unrelated AD forests.

Functional levels involved are 2008 R2 and 2012, if it makes a difference (but I don't think it does), and I'd very much like to get these trusts set up so that I can migrate everything off these improperly named forests and then blow them away, so only internal.hopelessn00b.com will remain.

Accordingly, my questions are:

Is a conditional forwarder the thing I want here, or should I be using something else? (Stub zone, maybe?)
How do I force (or finesse) hopelessn00b.com into taking my word for it that the DCs for internal.hopelessn00b.com are actually authoritative for internal.hopelessn00b.com?

Best Answer

Since the two domains, even though they are in unrelated AD forests, are part of the same DNS namespace, you must use DNS delegation.

Related Solutions

SCOM 2012 DNS Forwarder Availability Monitor

Answer found, and it's a bit unpleasant (at least if you were expecting the people creating management packs to actually know what they are doing).

Extracted from the monitor's description:

This monitor verifies forwarder availability by performing an NSLOOKUP on the targeted forwarder.

The script executes nslookup -timeout=<value> -querytype=<type> <name> <server>

<type> is A, NS, SOA.

<name> is target DNS name to resolve. If unconditional forwarder, the override value is used else the forwarder domain name is used.

<server> is the name of the server where the NSLOOKUP query occurs.
The value is $Target/Property[Type="DNS!Microsoft.Windows.DNSServer.Library.Server"]/ListeningIP$ which provides a listing of all IP addresses that the current DNS server is listening on.

<value> is timeout seconds/3 because timeout seconds is used to set the maximum time the script can run.

Unconditional Forwarder Example: NSLOOKUP -timeout=30 -querytype=a www.microsoft.com 10.0.0.5 would query server 10.0.0.5 for the DNS name for www.microsoft.com. In this case, you would set the actual timeout seconds to 90 monitor override.

Conditional Forwarder Example: NSLOOKUP -timeout=30 -querytype=a www.msn.com 10.0.0.5 would query server 10.0.0.5 for the actual name of the conditional forwarder targeted by this monitor.

What this means is that the SCOM agent will try to perform queries like these ones:

nslookup -timeout=30 -querytype=a domainB.dom <server>
nslookup -timeout=30 -querytype=a someotherzone.local <server>
nslookup -timeout=30 -querytype=a 0.0.10.in-addr.arpa <server>

This would work for the main AD domain's DNS zone (because DCs automatically register themselves as empty A records for that zone), but would fail for "someotherzone.local", which didn't have any empty A record (I can confirm that, after manually creating one, the alert disappeared and the monitor returned to green).

The third query, of course, would always fail, because it just doesn't make any sense at all to look for an A record in a reverse lookup zone.

Resolution: override the DNS Forwarder Availability Monitor to perform a NS or SOA query for the forwarded zone instead of an A query.
Which is what it should have been doing from the very beginning.

Force a new conditional forwarder to propagate to other DNS servers in forest

As you know, AD Integrated zones are stored in AD and therefore are replicated along the same schedule. Inter-site replication occurs by default every three hours but can be configured to as little as 15 minutes (I can't think of a reason not to go down to 15 minutes, anyone?)

Although relatively miniscule, there is a second, shorter interval to be aware of. After the data has replicated to the DC, the DNS service must read this data from the local directory. How often this is done is based on the DsPollingInterval value, which defaults to three minutes.

So the latency is Inter-site replication interval + DsPollingInterval. In a default environment, the maximum latency is as long as 183 minutes.

References:

Absolute must-read on how AD replication works: http://technet.microsoft.com/en-us/library/cc755994%28WS.10%29.aspx
Great post describing DsPollingInterval: https://blogs.technet.com/b/askpfeplat/archive/2013/03/22/mailbag-how-often-does-the-dns-server-service-check-ad-for-new-or-modified-data.aspx?Redirected=true

Best Answer

Related Solutions

SCOM 2012 DNS Forwarder Availability Monitor

Force a new conditional forwarder to propagate to other DNS servers in forest

Related Topic