Reverse DNS for two ADs in the same subnet

active-directory, reverse-dns

I currently have two separate AD forests that exist within the same subnet. The two forests have independent copies of the reverse lookup zone for that subnet.

Example:

Domain A DC1: 10.1.1.1/24

Domain A DC2: 10.1.1.2/24

Domain A AppServer1: 10.1.1.3/24

Domain B DC1: 10.1.1.11/24

Domain B DC2: 10.1.1.12/24

Domain B AppServer1: 10.1.1.13/24

What I'm after is a configuration that allows this reverse zone to be shared between them so that both sets of DNS servers can make updates to the zone.

This kind of thing is a little far from my everyday work, so a kick in the right direction is a welcome suggestion as well. Decoupling one AD into new segments is a possibility I'm open to, but I would like to avoid it if possible. If there is a DNS-related solution, I'd prefer that.

Best Answer

I don't think there's a way for two DNS servers in different forests to do multi-master two-way sync... but maybe there's another way:

This may reduce security, but what if you set up one forest as the primary rDNS zone and the other forest as the secondary rDNS zone? I don't think a secondary can be stored in AD, so you'd need to set up the secondary on each DNS server in the second forest.

Then configure both forests' rDNS zones to allow zone transfers and enable notify. Limit them to the DNS servers' IPs for security's sake.

The snag is what a client in the second forest will do. It updates DDNS in its forest, but I'm not sure whether the client or the DNS service is what updates the rDNS zone. And since I think the secondary zone for the rDNS is read-only, somehow a referral needs to be made to the primary rDNS in the first forest. If that actually happened, then I would imagine the first forest's rDNS would need to be changed from secure updates only to nonsecure and secure. Not as big a deal for rDNS zones, but still.

This is a rare scenario, but I'm curious myself whether it can be done. Let us know how it goes. I could be totally wrong in my thinking here.
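The primary/secondary arrangement the answer proposes, written out as an added PowerShell example (this is not code from the original question or answer). It assumes the addresses from the question, that Domain A's AD-integrated zone stays the primary, the cmdlets of the Windows DnsServer module, and the reverse zone name 1.1.10.in-addr.arpa for 10.1.1.0/24; the zone file name is a constructed placeholder.

```powershell
# Added example, not part of the original post.
# Assumptions: DnsServer module on each server, addresses from the question,
# Domain A holds the primary. Run the Domain A part once (the zone is
# AD-integrated, so DC1 and DC2 both get it); run the Domain B part on
# each of 10.1.1.11 and 10.1.1.12, since a secondary is file-backed per server.

$Zone       = '1.1.10.in-addr.arpa'       # reverse zone for 10.1.1.0/24
$DomainADns = '10.1.1.1', '10.1.1.2'      # primary holders (forest A)
$DomainBDns = '10.1.1.11', '10.1.1.12'    # secondary holders (forest B)

# ---- Domain A: primary zone --------------------------------------------
# Allow transfers only to the two forest-B DNS servers (an allow-list, as the
# answer suggests) and send NOTIFY to them so they refresh after a PTR changes.
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $DomainBDns `
    -Notify NotifyServers -NotifyServers $DomainBDns

# Forest-B machines are not principals in forest A, so their dynamic PTR
# updates can only succeed if the primary also accepts unsecured updates.
# This is the trade-off the answer describes; keep 'Secure' if forest-B hosts
# will not be registering PTRs in this zone.
Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate NonsecureAndSecure

# ---- Domain B: secondary zone on each DNS server -----------------------
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" `
        -MasterServers $DomainADns
}
Start-DnsServerZoneTransfer -Name $Zone -FullTransfer   # pull the first copy

# ---- Verification --------------------------------------------------------
# Each forest-B server should answer PTR queries for a forest-A host now,
# and for a forest-B host once that host has registered in the primary.
foreach ($srv in $DomainBDns) {
    Resolve-DnsName -Name '10.1.1.3'  -Type PTR -Server $srv   # forest-A host
    Resolve-DnsName -Name '10.1.1.13' -Type PTR -Server $srv   # forest-B host
}
# The SOA serial on a secondary should match the primary's; if it lags after
# a change, transfers or NOTIFY are being blocked somewhere.
Get-DnsServerResourceRecord -ZoneName $Zone -RRType Soa -ComputerName $DomainADns[0]
Get-DnsServerResourceRecord -ZoneName $Zone -RRType Soa -ComputerName $DomainBDns[0]
```

The transfer allow-list controls who may copy the zone, not who may change it: once the primary accepts nonsecure updates, any host on the segment can overwrite PTR records, which is the security cost the answer points at. Comparing the SOA serials from both sides after a test update is the quickest check that the secondaries are actually following the primary rather than serving a stale copy.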