
From a CentOS 6.9 box, it's not possible to resolve two Windows Domain Controllers at a time, but only the first one, even though both Domain Controllers' IPs are reachable from the CentOS node:

ping 192.168.59.132                            # Works
ping 192.168.59.156                            # Works

The Windows setup is as below.

There are a number of Windows hosts configured using Active Directory in a Domain Controller node.

Once the entry of this Domain Controller is in the /etc/resolv.conf of the CentOS host, it's possible to communicate with all the nodes under it.

options timeout:1 attempts:1
nameserver 192.168.59.156      # its hostname is IDMTMG1.IDMT.iSyntax.net


ping IDMTMG1.IDMT.iSyntax.net # Works without any issue, and so do all the nodes under it

But when it comes to more than one setup, say there are two Domain Controllers configured and there are nodes under each of them, then the communication happens only for the first one and the nodes under it.

That is,

The /etc/resolv.conf entry looks as below:

options timeout:1 attempts:1
nameserver 192.168.59.156 # hostname IDMTMG1.IDMT.iSyntax.net
nameserver 192.168.59.132 # hostname ISTMG1.IST.iSyntax.net

Now ping works only for the first one:

ping IDMTMG1.IDMT.iSyntax.net  # Works, also for all the nodes under it.
ping ISTMG1.IST.iSyntax.net    # Fails

If the order is changed in the /etc/resolv.conf file,

options timeout:1 attempts:1
nameserver 192.168.59.132 # hostname  ISTMG1.IST.iSyntax.net
nameserver 192.168.59.156 # hostname  IDMTMG1.IDMT.iSyntax.net

the behaviour is the same: it works for the first one, not for the second one.

ping ISTMG1.IST.iSyntax.net      # Works, also for all the nodes under it.
ping IDMTMG1.IDMT.iSyntax.net    # Fails

See the nslookup command output.

nslookup -type=any IDM04MG1.IDM04.iyntax.net

  Server:         192.168.59.132
  Address:        192.168.59.132#53

  Name:   IDM04MG1.IDM04.iyntax.net
  Address: 192.168.59.132
  IDM04MG1.IDM04.iSyntax.net      has AAAA address fd00:59::250:56ff:febc:75ee

##################################
nslookup -type=any SHDMG1.SHD.iyntax.net
  ;; Got recursion not available from 192.168.59.132, trying next server
  Server:         192.168.59.156
  Address:        192.168.59.156#53

  Name:   SHDMG1.SHD.iyntax.net
  Address: 192.168.59.156

How could I establish a connection to both these Domain Controllers simultaneously? If it's possible to ping using the hostname of the DC, communication to all the nodes under it works.

user2264738

1 Answer


This is expected behaviour. You specify multiple name servers for redundancy purposes, not to have different servers answering for different domains. Only the first one listed will ever be asked if it answers.

You need to either have one of the working name servers forwarding requests for the other NS (or all of them, to keep having the redundancy) or have an intermediary NS that forwards the requests to the appropriate domains (non-recursive resolution would work as well, of course).

Some hints (note: I am not an AD user, so this is vague):

  • First, it sounds like your different domain controllers are part of the same AD forest. In that case, they should already enable cross-domain name resolution (at least to my understanding). Ask your Windows admins why this isn't working.
  • If they are not part of the same forest, the Windows admins need to set up records in the DNS part of AD that either points your client to another DNS server (so, example1.com would answer "to ask about example2.com hosts, ask this name server instead") or just ask the other server and send you the answer back (this is called recursive and usually only a good idea in a private network).
  • If all this is not possible for whatever reason, you need a third name server that does this job for you (so it either recursively resolves addresses in all AD domains for you or points you to the right NS server to ask). In a minimal solution, this could be done only on your CentOS machine with a small DNS server like dnsmasq or unbound.

As an example: if you use dnsmasq locally for this purpose, you would add configuration statements like the following to the dnsmasq config:

 server=/IDMT.iSyntax.net/192.168.59.156
 server=/IST.iSyntax.net/192.168.59.132

and then point your resolv.conf to 127.0.0.1 (for more information, google the countless tutorials about dnsmasq and read the docs).

Sven
  • I badly need it to work. Could you provide some more clarity on the solution approach? Or is it impossible to communicate with two Domain Controllers in parallel? – user2264738 Sep 10 '18 at 10:53
  • But here, IDMT.iSyntax.net and IST.iSyntax.net are the hostnames. Basically I want to communicate: ping IDMT.iSyntax.net, ping IDMTDB.iSyntax.net, ping IDMTCR.iSyntax.net. Similarly ping IST.iSyntax.net, ping ISTDB.iSyntax.net, ping ISTCR.iSyntax.net. After configuring dnsmasq, I'm not able to achieve this. – user2264738 Sep 11 '18 at 06:14
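The two resolution paths this thread contrasts, modelled in a small Python script. This is an added example, not code from the question or the answer, and not dnsmasq's or glibc's own code: it parses the resolv.conf from the question and the `server=/domain/ip` lines from the answer, then shows why the stub resolver never reaches the second DC (the nameserver list is a failover list, consulted further only when a server does not answer at all) and why the conditional forwarder picks the right DC per domain. The IPs and hostnames are the ones from the thread; the zone contents (`IDMTDB`, `ISTDB` and their addresses) and the rule that each DC answers only for its own domain and otherwise replies negatively are constructed assumptions for illustration. It also shows the point behind the last comment: a name like `IDMTDB.iSyntax.net` is not under `IDMT.iSyntax.net`, so no `server=` rule matches it.

```python
"""Added example: stub resolver failover vs. dnsmasq-style conditional forwarding."""
import re

# Constructed assumption: each DC serves its own zone only and offers no
# recursion for other names (the "recursion not available" in the nslookup output).
DC_ZONES = {
    "192.168.59.156": ("idmt.isyntax.net", {"idmtmg1": "192.168.59.156",
                                             "idmtdb": "192.168.59.201"}),  # constructed host
    "192.168.59.132": ("ist.isyntax.net", {"istmg1": "192.168.59.132",
                                            "istdb": "192.168.59.202"}),    # constructed host
}

RESOLV_CONF = """\
options timeout:1 attempts:1
nameserver 192.168.59.156 # hostname IDMTMG1.IDMT.iSyntax.net
nameserver 192.168.59.132 # hostname ISTMG1.IST.iSyntax.net
"""

DNSMASQ_CONF = """\
server=/IDMT.iSyntax.net/192.168.59.156
server=/IST.iSyntax.net/192.168.59.132
"""


def ask_dc(server_ip, name, down=frozenset()):
    """Simulate one query to a DC: ("timeout", None) if unreachable,
    ("answer", ip) for a name in its own zone, ("negative", None) otherwise."""
    if server_ip in down:
        return ("timeout", None)
    zone, hosts = DC_ZONES[server_ip]
    name = name.lower().rstrip(".")
    if name.endswith("." + zone):
        ip = hosts.get(name[: -len(zone) - 1])
        return ("answer", ip) if ip else ("negative", None)
    return ("negative", None)  # not our zone and no recursion offered


def parse_resolv_conf(text):
    """Return (options, nameservers); '#' comments are ignored as in the real file."""
    options = {"timeout": 5, "attempts": 2}  # glibc defaults when unset
    nameservers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = line.split()
        if key == "nameserver" and rest:
            nameservers.append(rest[0])
        elif key == "options":
            for opt in rest:
                k, _, v = opt.partition(":")
                if k in options and v.isdigit():
                    options[k] = int(v)
    return options, nameservers


def stub_resolve(resolv_text, name, down=frozenset()):
    """Stub-resolver model: each attempt walks the servers in order and moves to
    the next server only on timeout; any real reply (positive or negative) ends
    the lookup. Returns (ip_or_None, list_of_servers_queried)."""
    options, servers = parse_resolv_conf(resolv_text)
    queried = []
    for _ in range(options["attempts"]):
        for server in servers:
            queried.append(server)
            status, ip = ask_dc(server, name, down)
            if status == "timeout":
                continue
            return ip, queried
    return None, queried


def parse_dnsmasq_servers(text):
    """Parse `server=/domain/ip` lines; longest domain first so the most specific wins."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*server=/([^/]+)/(\S+)", line)
        if m:
            rules.append((m.group(1).lower().strip("."), m.group(2)))
    return sorted(rules, key=lambda r: len(r[0]), reverse=True)


def pick_upstream(rules, name):
    """Upstream a `server=/domain/ip` rule set forwards `name` to, or None if none matches."""
    n = name.lower().rstrip(".")
    for domain, ip in rules:
        if n == domain or n.endswith("." + domain):
            return ip
    return None


def forward_resolve(dnsmasq_text, name):
    """Conditional forwarder model: choose the upstream by domain, then ask it."""
    upstream = pick_upstream(parse_dnsmasq_servers(dnsmasq_text), name)
    if upstream is None:
        return None  # real dnsmasq would use its default upstreams here; none configured
    return ask_dc(upstream, name)[1]


if __name__ == "__main__":
    for n in ("IDMTMG1.IDMT.iSyntax.net", "ISTMG1.IST.iSyntax.net"):
        print("resolv.conf:", n, "->", stub_resolve(RESOLV_CONF, n))
        print("dnsmasq:    ", n, "->", forward_resolve(DNSMASQ_CONF, n))
    print("dnsmasq:     IDMTDB.iSyntax.net ->", forward_resolve(DNSMASQ_CONF, "IDMTDB.iSyntax.net"))
```

Running it shows the second DC's hostname failing through resolv.conf but resolving through the forwarder, and that the first DC is skipped only when it is marked unreachable (`down={"192.168.59.156"}`). The suffix check in `pick_upstream` is what makes `IDMTDB.IDMT.iSyntax.net` match the `IDMT.iSyntax.net` rule while `IDMTDB.iSyntax.net` matches nothing.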