Will Windows Server 2012 support a nested conditional forwarder

domain-name-systemwindows-dnswindows-server-2012

I work for a company with a split DNS configuration on the AD domain. I know that this is less than ideal, but I'm not in a position to drive change in this area. I own authoritative DNS (internal and external) where Active Directory is not involved, and another team owns the domain controllers.

Background:

We have a split domain called example.com which lives on all the domain controllers.
The DCs are configured to use forwarders for all domains that they are not authoritative for.
There is a subdomain of that (sub.example.com) that is delegated to public IP addresses in a DMZ using NS records. I have a need to eliminate these IP addresses use internal IP addresses that are outside the DMZ.
The new IP addresses are reachable from the forwarders, but not the domain controllers.

To represent this visually:

    example.com. (DCs are authoritative)
sub.example.com. (subdomain not managed by the DCs)

I would like to have the sub.example.com. NS records converted to a conditional forwarder that sends traffic along to the standard forwarders, but I am being told by our domain admins that Windows DNS will not allow a forwarder within a forward lookup zone.

Is it true that this is an unsupported configuration? Other DNS products have no problem with a forwarder that is beneath an authoritative zone, so I want to make sure I'm working with the correct information before I move on to a different strategy, such as firewall holes for every DC that bypass the forwarders. (argh)

I've already reviewed Forward requests for subdomain to another DNS server in Windows 2k3 and the accepted answer that recommends a NS delegation, which doesn't answer this question.

Best Answer

I'll preface this with the disclaimer that I'm not very familiar with the MSDNS specifics.

First of all, I can confirm that if you try to just add such a forwarding zone (eg a sub.example.com forwarding zone when example.com exists as a regular zone) you are met with this error dialog:

---------------------------
DNS
---------------------------
A problem occurred while trying to add the conditional forwarder.
A zone configuration problem occurred.
---------------------------
OK   
---------------------------

(Glorious ASCII representation auto-generated by Windows.)

However, as is noted in the Using Forwarders documentation (emphasis added):

A DNS server cannot forward queries for the domain names in the zones it hosts. For example, the authoritative DNS server for the zone microsoft.com cannot forward queries according to the domain name microsoft.com. The DNS server authoritative for microsoft.com can forward queries for DNS names that end with example.microsoft.com, if example.microsoft.com is delegated to another DNS server.

Ie, if you delegate sub.example.com elsewhere first (limiting the scope of your example.com zone) it then does allow you to add a forwarding zone for sub.example.com.

Whether going down this path actually works out for you will probably depend on the nitty gritty details of your scenario.

For what it's worth, I did notice is that it appears that MSDNS for some reason ignores the RD (recursion desired) bit for forwarding zones (ie, it forwards even when RD is not set), so it appears the above mentioned delegation is not actually visible in this setup.

Related Solutions

SCOM 2012 DNS Forwarder Availability Monitor

Answer found, and it's a bit unpleasant (at least if you were expecting the people creating management packs to actually know what they are doing).

Extracted from the monitor's description:

This monitor verifies forwarder availability by performing an NSLOOKUP on the targeted forwarder.

The script executes nslookup -timeout=<value> -querytype=<type> <name> <server>

<type> is A, NS, SOA.

<name> is target DNS name to resolve. If unconditional forwarder, the override value is used else the forwarder domain name is used.

<server> is the name of the server where the NSLOOKUP query occurs.
The value is $Target/Property[Type="DNS!Microsoft.Windows.DNSServer.Library.Server"]/ListeningIP$ which provides a listing of all IP addresses that the current DNS server is listening on.

<value> is timeout seconds/3 because timeout seconds is used to set the maximum time the script can run.

Unconditional Forwarder Example: NSLOOKUP -timeout=30 -querytype=a www.microsoft.com 10.0.0.5 would query server 10.0.0.5 for the DNS name for www.microsoft.com. In this case, you would set the actual timeout seconds to 90 monitor override.

Conditional Forwarder Example: NSLOOKUP -timeout=30 -querytype=a www.msn.com 10.0.0.5 would query server 10.0.0.5 for the actual name of the conditional forwarder targeted by this monitor.

What this means is that the SCOM agent will try to perform queries like these ones:

nslookup -timeout=30 -querytype=a domainB.dom <server>
nslookup -timeout=30 -querytype=a someotherzone.local <server>
nslookup -timeout=30 -querytype=a 0.0.10.in-addr.arpa <server>

This would work for the main AD domain's DNS zone (because DCs automatically register themselves as empty A records for that zone), but would fail for "someotherzone.local", which didn't have any empty A record (I can confirm that, after manually creating one, the alert disappeared and the monitor returned to green).

The third query, of course, would always fail, because it just doesn't make any sense at all to look for an A record in a reverse lookup zone.

Resolution: override the DNS Forwarder Availability Monitor to perform a NS or SOA query for the forwarded zone instead of an A query.
Which is what it should have been doing from the very beginning.

Cannot add Conditional Forwarder in Active Directory

Since the two domains, even though they are in unrelated AD forests, are part of the same DNS namespace, you must use DNS delegation.

Best Answer

Related Solutions

SCOM 2012 DNS Forwarder Availability Monitor

Cannot add Conditional Forwarder in Active Directory

Related Topic