Secondary Zones between two separate forests?
liddane Member Posts: 30
Hi
I have set up two domains, domain1.local and domain2.local, in two separate forests. I would like to set up secondary zones for each server on the other server; is this possible?
The zones for each domain are Active Directory integrated.
So far I have...
Set up stub zones for each domain on the other domain, so that they know each other exist and can see each other.
Then I tried to convert these stub zones to secondary zones, but I cannot seem to transfer the zone. I made sure each server was set to transfer zones to the other. I then set up a cross-forest trust to see if this helped, and it still didn't.
Anyone know if this is actually possible to do? (I presume it is...)
Thanks in advance!
Comments
rjbarlow Member Posts: 411
Because they are two separate trees and the zones are AD integrated, I think you have to work with trusts in order to fuse the two trees. After that I think you would not have problems, because zones are automatically replicated on all DC/DNS servers in the forest.
liddane Member Posts: 30
Thanks very much for the reply,
So once the trust is set up, and replication is set to "All DNS servers in the forest", replication should put a copy of each zone on each domain controller?
Thanks!
dave0212 Member Posts: 287
You shouldn't need a trust, as a secondary zone is independent of AD.
I have this set up with no trust and it works with no issues. To set it up, ensure your zone transfers are allowed to the server you want to replicate to.
This week I have achieved unprecedented levels of unverifiable productivity
Working on
Learning Python and OSCP
Essendon Member Posts: 4,546
Hey there, Dave. I was watching the CBT Nuggets a while ago and somewhere near the end of the Nugget DNS -2, James said you don't need zone transfers to be configured, as DNS servers are designed to give up such information freely. Is that wrong?
dave0212 Member Posts: 287
MobilOne wrote:
Hey there, Dave. I was watching the CBT Nuggets a while ago and somewhere near the end of the Nugget DNS -2, James said you don't need zone transfers to be configured, as DNS servers are designed to give up such information freely. Is that wrong?
If you want to set up a secondary zone from a DNS server then you will need to enable zone transfers to allow this. If this wasn't enabled then you would be unable to pull the information. You can query information from the DNS server and get information that way, but if you want to set up a secondary zone and copy the entire zone then it needs to be enabled.
This week I have achieved unprecedented levels of unverifiable productivity
Working on
Learning Python and OSCP
Essendon Member Posts: 4,546
Whoops, sorry, my bad. He was referring to zone transfers to child domains. When you have a child domain, you don't need to configure zone transfers from the AD-integrated DNS server in, let's say, contoso.com to another AD-integrated DNS server in, say, melbourne.contoso.com. He very clearly demonstrated this. Thanks for clearing that up, dave.
dave0212 Member Posts: 287
I think he may have been referring to stub zones also, as they do not require zone transfers to be enabled due to the limited information you get with the transfer.
Glad to help
This week I have achieved unprecedented levels of unverifiable productivity
Working on
Learning Python and OSCP
dave0212 Member Posts: 287
liddane wrote:
Hi
I have set up two domains, domain1.local and domain2.local, in two separate forests. I would like to set up secondary zones for each server on the other server; is this possible?
The zones for each domain are Active Directory integrated.
So far I have...
Set up stub zones for each domain on the other domain, so that they know each other exist and can see each other.
Then I tried to convert these stub zones to secondary zones, but I cannot seem to transfer the zone. I made sure each server was set to transfer zones to the other. I then set up a cross-forest trust to see if this helped, and it still didn't.
Anyone know if this is actually possible to do? (I presume it is...)
Thanks in advance!
If you can get stub zones to work but not secondary, then it seems to point to a problem with the zone transfers config. Try allowing all for test purposes and see what that allows you to do.
This week I have achieved unprecedented levels of unverifiable productivity
Working on
Learning Python and OSCP
dynamik Banned Posts: 12,312
Mobil/Dave, I believe he was referring to stub zones. The information that was "given up freely" was simply the list of name servers for the domain, not all the records, which would be included in a zone transfer. Wasn't the example setting up a stub zone for yahoo.com?
royal Member Posts: 3,352
He was referring to stub zones. I remember that part very well in the videos. The reason why is that DNS servers allow the NS records to be given up freely. Just go to nslookup, set type=ns, and you'll get it back. The reason why is that any time you look for an A record, the whole process of recursion involves finding the NS records so the requesting DNS server can talk to the target DNS server, which can then respond with the IP address.
So in Windows 2000, any server can request a zone transfer. Obviously bad. In 2k3, they restricted this so that any server in the NS list can get a zone transfer. You can further restrict this to specified IPs only, which is more secure obviously but requires more administrative upkeep. So if you have a server that is not a specific name server (by default) for a given zone, and you want another server to become a secondary, you will have to allow zone transfers to occur to the requesting DNS server's IP address.
Now the requesting DNS server will be allowed to request a zone transfer. You can test this by going into nslookup and initiating the ls command, which does a zone ****.
You also don't need any type of AD trust to allow for any type of primary-to-secondary and stub zone transfers. For AD-integrated zone transfers, you'll of course need trusts, which are automatically taken care of since the only options are for DNS servers within the domain, all DCs within the domain, and all DCs within a forest. Since trusts are automatically created and every domain within a forest trusts each other through tree-to-tree transitive trusts and child-to-parent transitive trusts, this is all automatically taken care of for you.
“For success, attitude is equally as important as ability.” - Harry F. Banks
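The transfer-policy restriction royal describes and the stub-to-secondary setup dave0212 describes, as one added PowerShell example. This is not code from the thread; it assumes the DnsServer module (Windows Server 2012 or later, so it post-dates the 2000/2003 versions discussed above), the OP's zone name domain1.local, and two placeholder addresses I chose: 10.0.1.10 for the domain1.local DC/DNS that holds the AD-integrated primary, and 10.0.2.10 for the domain2.local DC/DNS that will hold the secondary copy. Mirror it with the names swapped for the other direction.

```powershell
# Added example, not from the thread. Assumes the DnsServer PowerShell module.
# Addresses are constructed placeholders:
#   10.0.1.10 = DC/DNS in domain1.local (holds the AD-integrated primary zone)
#   10.0.2.10 = DC/DNS in domain2.local (will hold the secondary copy)
$PrimaryDns   = '10.0.1.10'
$SecondaryDns = '10.0.2.10'
$Zone         = 'domain1.local'

# ---- Run on the domain1.local DNS server: who may pull a full copy of the zone ----
# Show the current transfer policy. SecureSecondaries is one of:
#   NoTransfer, TransferAnyServer, TransferToZoneNameServer, TransferToSecureServers
Get-DnsServerZone -Name $Zone |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, SecureSecondaries, SecondaryServers

# Weak setting (the "allow all for test purposes" step): any host that can reach
# TCP/53 on this server receives every record in the zone. Left commented out on purpose.
# Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferAnyServer

# Corrected setting: transfers only to the one server that should hold the secondary.
# NOTIFY is added so that server refreshes on change instead of waiting for the SOA refresh interval.
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryDns `
    -Notify NotifyServers -NotifyServers $SecondaryDns

# ---- Run on the domain2.local DNS server: turn the stub zone into a secondary ----
# The NS records are what the stub zone relies on; any resolver can read them, no
# transfer permission is needed, which is why the stub worked while the secondary did not.
Resolve-DnsName -Name $Zone -Type NS -Server $PrimaryDns

# Convert the existing stub zone in place. If no stub exists yet, use
# Add-DnsServerSecondaryZone with the same -Name / -ZoneFile / -MasterServers parameters.
ConvertTo-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $PrimaryDns -Force

# Request a full transfer (AXFR) and confirm the secondary is populated:
# ZoneType should read Secondary and the SOA serial should match the primary's.
Start-DnsServerZoneTransfer -Name $Zone -FullTransfer
Get-DnsServerZone -Name $Zone | Select-Object ZoneName, ZoneType, MasterServers
Get-DnsServerResourceRecord -ZoneName $Zone -RRType Soa
```

If the transfer still fails after this, check the primary's DNS Server event log for the refused-transfer event and confirm that the secondary's source address matches the one listed in SecondaryServers; a NAT or a second NIC on the secondary is the usual reason the IP-based restriction does not match.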