DNS Resoluition of Child Domain Workstation(s)

active-directorydomain-name-systemwindows-server-2012

I have three domain controllers:

DC-01 = CORP.LOCAL
DC-02 = A.CORP.LOCAL
DC-03 = B.CORP.LOCAL

All three have replication set to All DNS servers in the forest and I can see all three zones in each controller's DNS consoles.

I've added a workstation, PC-001, to A.CORP.LOCAL, but I can't ping it from CORP.LOCAL because it's not resolving the name. What am I missing? I thought now that all zones can see each other I can ping all machines from wherever by name? On that note, A and B can ping each other and CORP by name, but CORP can't ping either.

I can obviously cheat with CNAMEs in the CORP controller, but that's just silly to do for all the machines I'll be joining. I'd appreciate any pointers on how to get this to work.

For reference this is a Windows Server 2012 domain and forest running on Amazon EC2.

Best Answer

You need to add the necessary domain suffixes to the search list on all DNS clients (which is every machine; even DNS servers are also DNS clients.)

http://support.microsoft.com/kb/275553

Related Solutions

SCOM 2012 DNS Forwarder Availability Monitor

Answer found, and it's a bit unpleasant (at least if you were expecting the people creating management packs to actually know what they are doing).

Extracted from the monitor's description:

This monitor verifies forwarder availability by performing an NSLOOKUP on the targeted forwarder.

The script executes nslookup -timeout=<value> -querytype=<type> <name> <server>

<type> is A, NS, SOA.

<name> is target DNS name to resolve. If unconditional forwarder, the override value is used else the forwarder domain name is used.

<server> is the name of the server where the NSLOOKUP query occurs.
The value is $Target/Property[Type="DNS!Microsoft.Windows.DNSServer.Library.Server"]/ListeningIP$ which provides a listing of all IP addresses that the current DNS server is listening on.

<value> is timeout seconds/3 because timeout seconds is used to set the maximum time the script can run.

Unconditional Forwarder Example: NSLOOKUP -timeout=30 -querytype=a www.microsoft.com 10.0.0.5 would query server 10.0.0.5 for the DNS name for www.microsoft.com. In this case, you would set the actual timeout seconds to 90 monitor override.

Conditional Forwarder Example: NSLOOKUP -timeout=30 -querytype=a www.msn.com 10.0.0.5 would query server 10.0.0.5 for the actual name of the conditional forwarder targeted by this monitor.

What this means is that the SCOM agent will try to perform queries like these ones:

nslookup -timeout=30 -querytype=a domainB.dom <server>
nslookup -timeout=30 -querytype=a someotherzone.local <server>
nslookup -timeout=30 -querytype=a 0.0.10.in-addr.arpa <server>

This would work for the main AD domain's DNS zone (because DCs automatically register themselves as empty A records for that zone), but would fail for "someotherzone.local", which didn't have any empty A record (I can confirm that, after manually creating one, the alert disappeared and the monitor returned to green).

The third query, of course, would always fail, because it just doesn't make any sense at all to look for an A record in a reverse lookup zone.

Resolution: override the DNS Forwarder Availability Monitor to perform a NS or SOA query for the forwarded zone instead of an A query.
Which is what it should have been doing from the very beginning.

Domain Controller DNS Best Practice/Practical Considerations for Domain Controllers in Child Domains

I'd rather go with a single domain using your two servers for redundancy than to use two separate domains on single (point of failure) servers. What is driving your choice to go with a parent/child domain forest? You could just use the DNS space for the child domain since you said it's contiguous without requiring an AD domain unless you have security boundary concerns.

Against my better judgement, I'll answer the question assuming you have two servers for each domain (four total) -- just subtract two of the servers for your case.

Option 1.

With your desire to keep DNS local to the domain, the parent DCs point to one another and the child DCs point to one another as well. The easier configuration would be to use a scope that replicates the DNS zone forest-wide.

You have parent.local (or whatever) as your top-level and child.parent.local as the subdomain.

AD will replicate both domains throughout the forest making DNS resolution simple. You'll see overlap on a given DNS server with the zones, but Windows deals with that.

Option 2.

Another option is to not do forest-wide replication in which case I would simply configure a forwarder on the child DCs to send everything up to the parent DCs DNS, but on the parent you'll need to create a delegation for the child subdomain back down.