Why doesn’t the conditional forwarder work

aws-directory-servicedomain-name-systemwindows-server-2016

So, I have two AWS-based environments that are largely separated, but are connected via an intermediary VPC that hosts a VPN server, and has routing into each of the individual environments. Let's call these "A", "B" and "Management" VPCs.

"A" and "B" each have an Active Directory (a Microsoft Directory in AWS Directory Services), and the VPN is configured to use "A" to resolve DNS. Now, I want to bring "B" into DNS scope, so connecting users don't need to use IP addresses to connect to "B"'s servers.

To that end I set up the routes in my VPCs to allow the DCs to talk to each other, and confirmed at a network level that everything is open. Then, I set up a conditional forwarder in "A" to forward requests to "B" for its suffix.

(Note: I have, obviously, redacted all the actual names. Not for privacy, but to avoid confusion, since they are very similar)

However, when I try and query a "B" from an "A" server, it doesn't work. If I manually specify "B"'s DNS, however, it does work. Am I missing something important here?

Best Answer

I managed to get this to work, though it was a real trial.

First and foremost, it's important to remember that AWS Directory Services controllers are in a separate security group that, by default, restricts all outbound access except to other domain controllers. In order for my situation to work, I needed to explicitly add outbound access to the other domain controllers.

However, even when I did that, it still wasn't working. I had to delete the forwarder and re-create it after fixing the security group in order for it to work.

Related Solutions

SCOM 2012 DNS Forwarder Availability Monitor

Answer found, and it's a bit unpleasant (at least if you were expecting the people creating management packs to actually know what they are doing).

Extracted from the monitor's description:

This monitor verifies forwarder availability by performing an NSLOOKUP on the targeted forwarder.

The script executes nslookup -timeout=<value> -querytype=<type> <name> <server>

<type> is A, NS, SOA.

<name> is target DNS name to resolve. If unconditional forwarder, the override value is used else the forwarder domain name is used.

<server> is the name of the server where the NSLOOKUP query occurs.
The value is $Target/Property[Type="DNS!Microsoft.Windows.DNSServer.Library.Server"]/ListeningIP$ which provides a listing of all IP addresses that the current DNS server is listening on.

<value> is timeout seconds/3 because timeout seconds is used to set the maximum time the script can run.

Unconditional Forwarder Example: NSLOOKUP -timeout=30 -querytype=a www.microsoft.com 10.0.0.5 would query server 10.0.0.5 for the DNS name for www.microsoft.com. In this case, you would set the actual timeout seconds to 90 monitor override.

Conditional Forwarder Example: NSLOOKUP -timeout=30 -querytype=a www.msn.com 10.0.0.5 would query server 10.0.0.5 for the actual name of the conditional forwarder targeted by this monitor.

What this means is that the SCOM agent will try to perform queries like these ones:

nslookup -timeout=30 -querytype=a domainB.dom <server>
nslookup -timeout=30 -querytype=a someotherzone.local <server>
nslookup -timeout=30 -querytype=a 0.0.10.in-addr.arpa <server>

This would work for the main AD domain's DNS zone (because DCs automatically register themselves as empty A records for that zone), but would fail for "someotherzone.local", which didn't have any empty A record (I can confirm that, after manually creating one, the alert disappeared and the monitor returned to green).

The third query, of course, would always fail, because it just doesn't make any sense at all to look for an A record in a reverse lookup zone.

Resolution: override the DNS Forwarder Availability Monitor to perform a NS or SOA query for the forwarded zone instead of an A query.
Which is what it should have been doing from the very beginning.

Domain Controller DNS Best Practice/Practical Considerations for Domain Controllers in Child Domains

I'd rather go with a single domain using your two servers for redundancy than to use two separate domains on single (point of failure) servers. What is driving your choice to go with a parent/child domain forest? You could just use the DNS space for the child domain since you said it's contiguous without requiring an AD domain unless you have security boundary concerns.

Against my better judgement, I'll answer the question assuming you have two servers for each domain (four total) -- just subtract two of the servers for your case.

Option 1.

With your desire to keep DNS local to the domain, the parent DCs point to one another and the child DCs point to one another as well. The easier configuration would be to use a scope that replicates the DNS zone forest-wide.

You have parent.local (or whatever) as your top-level and child.parent.local as the subdomain.

AD will replicate both domains throughout the forest making DNS resolution simple. You'll see overlap on a given DNS server with the zones, but Windows deals with that.

Option 2.

Another option is to not do forest-wide replication in which case I would simply configure a forwarder on the child DCs to send everything up to the parent DCs DNS, but on the parent you'll need to create a delegation for the child subdomain back down.