-2

The situation is as follows: Currently three DNS servers are separated from each other, these are to be merged into one. The goal is to have only one DNS server that handles all requests of the three domains. The problem is that we can not access from one domain to the other two. We have to keep all three Domains. It is an exercise for us trainees :)

We are working with Windows Server 2008R2

user3161212
  • 1
  • 1
  • If you can't access from one domain to another, it's impossible. You must have some network connection between them or at least the ability to create one. – EliadTech Jun 27 '14 at 10:01
  • Those are AUTH servers? Would it not make more sense to keep all three servers and have each of them handle all three zones? – Felix Frank Jun 27 '14 at 10:07

1 Answers1

1

You haven't described the parameters of the exercise enough to make answering in a way that's acceptable to your instructor apparent. I'll take a stab for fun ('cuz, ya' know, I like answering questions for fun), though.

Presumably, since you mentioned "domains", you have three DNS servers hosting Active Directory-integrated DNS zones. These three DNS servers must be members of domains hosted in separate AD forests, since there are implicit trust relationships between domains in the same forest. To achieve the "we can not access from one domain to the other two" criteria we'll assume three separate forests with one domain in each.

I'd add a fourth machine, not domain-joined, running the DNS Server service. I'd configure that machine with standard secondary DNS zones for each of the three DNS zones hosted by the three domain-joined DNS servers. In each of the domain-joined DNS servers I'd add the IP address of this fourth machine as a secondary DNS server and make sure that the zone transfer permission was such that it could zone transfer (which I'd probably test with nslookup on the fourth machine, just to be sure it worked).

This fourth machine would be an authoritative DNS server for the DNS zones hosted by the three domain-joined DNS servers but would not require any communication between the three domain-joined DNS servers and no trust relationships between the domains (since you're doing all of this over the DNS protocol).

In the "we can not access from one domain to the other two" vein, you could even get all crazy with the firewall rules, if you wanted to, since all the communication between the servers, in this scenario, would be TCP/UDP port 53 traffic.

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
  • I'm having a hard time understanding how to set this up with AD integrated zones in order to replicate the zones to the non-domain joined secondary. There are only 3 options for replicating AD integrated zones and none of those options would seem to allow for replicating to a non-domain joined secondary. – joeqwerty Jun 27 '14 at 14:49
  • @joeqwerty - What? Just add the standard secondary DNS server on the "Name Servers" tab, then on the "Zone Transfers" tab check to "Allow Zone Transfers" and move the radio button to "Only the servers listed on the Name Servers tab". You can definitely zone transfer to standard secondary DNS servers from AD-integrated zones. I'm doing this in production in at least 2 Customer sites to allow for cross-forest name resolution from an in-forest DNS server. – Evan Anderson Jun 27 '14 at 14:55
  • Got it now. It's always the little things that I miss. Thanks. – joeqwerty Jun 27 '14 at 14:58