Wednesday, December 21, 2016

DNS - limited forwarding delegated subdomain (in AD integrated zone)

If you need to create subdomains off of an existing AD integrated zone that forward externally, you may run into the problem that not all AD DNS servers can reach the external servers. To limit which domain controllers do DNS forwarding, while still letting every DC know how to resolve the records, you can combine a delegated subdomain with (non-AD integrated) conditional forwarders.


-The organization has an AD integrated zone on all AD domain controllers.
-The organization is outsourcing DNS for a subdomain to external domain name servers.
-Only 2 out of 50 domain controllers can reach the external DNS servers for name resolution. All others do general forwarding to these 2 domain controllers.

1) If we create a delegation directly to the external DNS servers, recursion is not available and name resolution fails.
2) If we create an AD integrated conditional forwarder for the subdomain, it replicates to every DC, so all 50 servers try to forward to the external DNS servers; the 48 that cannot reach them fail their queries.

-Create a subdomain delegation using only the name servers of the 2 internal domain controllers that can forward DNS queries to the external servers. The delegation lives in the AD integrated parent zone, so every DC learns to refer queries for the subdomain to those 2 servers.
-Create non-AD integrated conditional forwarders on these same 2 servers, pointing at the DNS server IPs of the external provider. Because they are not AD integrated, the forwarders exist only on those 2 servers and never replicate to the other 48.
-On the external provider, set up a DNS zone for
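The three steps above, as an added PowerShell example using the Windows DnsServer module (this is not code from the original post). Every name and address in it is a placeholder: the parent zone `corp.example`, the subdomain label `ext`, the two forwarding DCs `dc01`/`dc02` with their IPs, a third DC `dc03` that has no external access, and the provider addresses `203.0.113.10/.11`. The external provider's own zone (the last step) is configured on their side and is not part of the script.

```powershell
# Added example (not from the original post). All names/addresses are placeholders.
$ParentZone    = 'corp.example'                  # existing AD-integrated zone
$ChildLabel    = 'ext'                           # delegated subdomain -> ext.corp.example
$ChildZone     = "$ChildLabel.$ParentZone"
$ForwardingDCs = [ordered]@{                     # the ONLY 2 DCs with outbound DNS access
    'dc01.corp.example' = '10.0.0.11'
    'dc02.corp.example' = '10.0.0.12'
}
$ExternalNS    = @('203.0.113.10', '203.0.113.11')   # outsourced provider's name servers
$AdminDc       = 'dc01.corp.example'             # any DC hosting the parent zone is fine

# Step 1: delegate the subdomain inside the AD-integrated parent zone, listing only the
# two forwarding DCs as name servers. The NS records replicate with the parent zone, so
# every DC refers queries for ext.corp.example to dc01/dc02 and never to the provider.
$first = $ForwardingDCs.GetEnumerator() | Select-Object -First 1
Add-DnsServerZoneDelegation -ComputerName $AdminDc -Name $ParentZone `
    -ChildZoneName $ChildLabel -NameServer $first.Key -IPAddress $first.Value

# Additional name servers are added as NS records on the delegation point. The DCs'
# A records already exist in the parent zone, so no separate glue record is needed here.
foreach ($ns in ($ForwardingDCs.Keys | Select-Object -Skip 1)) {
    Add-DnsServerResourceRecord -ComputerName $AdminDc -ZoneName $ParentZone `
        -Name $ChildLabel -NS -NameServer $ns
}

# Step 2: on each of the two forwarding DCs, create a conditional forwarder for the
# subdomain. Omitting -ReplicationScope keeps it non-AD-integrated: it is stored locally
# on that server only, so the other 48 DCs never receive it or try to use it.
foreach ($dc in $ForwardingDCs.Keys) {
    Add-DnsServerConditionalForwarderZone -ComputerName $dc -Name $ChildZone `
        -MasterServers $ExternalNS
}

# Step 3 (provider side, not scripted here): the external provider hosts the
# authoritative zone for ext.corp.example on 203.0.113.10/.11.

# Verification: the delegation should list exactly the two DCs ...
$delegatedNs = Get-DnsServerResourceRecord -ComputerName $AdminDc -ZoneName $ParentZone `
    -Name $ChildLabel -RRType NS | ForEach-Object { $_.RecordData.NameServer }
"Delegation NS records: $($delegatedNs -join ', ')"

# ... the forwarder on each of the two DCs should be ZoneType=Forwarder and IsDsIntegrated=False ...
foreach ($dc in $ForwardingDCs.Keys) {
    $z = Get-DnsServerZone -ComputerName $dc -Name $ChildZone
    '{0}: ZoneType={1} IsDsIntegrated={2}' -f $dc, $z.ZoneType, $z.IsDsIntegrated
}

# ... and a DC without external access must still resolve the subdomain via the referral.
Resolve-DnsName -Name "www.$ChildZone" -Type A -Server 'dc03.corp.example'
```

If the `Get-DnsServerZone` line on either forwarding DC reports `IsDsIntegrated=True`, the forwarder was created with a replication scope and will propagate to every DC, which recreates the failure described in point 2 above; remove it and recreate it without `-ReplicationScope`. The final `Resolve-DnsName` against a non-forwarding DC is the end-to-end check: it should succeed even though that DC itself has no route to the provider.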
