DNS Replication to allow Trust Relationship
Thursday, April 12, 2012 12:35 PM
Greetings all - wonder if anyone can give me some ideas on this one.
First domain - 1 x exchange and 2 x AD servers - all server 2008R2, patched up to date.
This runs a hosted Exchange environment
Second domain 1 x AD server 2008R2, patched up to date.
I want to have it so that domain two can trust domain one - so that we can use a single set of logins, whilst adding computers to domain two (this keeps domain one free of lots of junk - whilst allowing us to have one set of logins). The end point will be ultimately domains three, four, five all with one way trust to domain one and so on.
Domain one - default gateway = pfsense with route to domain two via ASA5550, subnet 192.168.1.0/24 - DGW 192.168.1.1 - route added to firewall 10.10.10.1/24 via 192.168.1.250 (note these are not the actual subnets)
Domain two - subnet = 10.10.10.0 /24 default gateway = ASA5550 10.10.10.1 - ASA5550 has ACLs allowing all IP between 192.168.1.0 and 10.10.10.0
Firstly I tested connectivity - I can ping between the DCs and I can also run nslookup, switch to the "opposing" server and get a response.
Went to domain one and added a secondary zone for domain two - and it replicates immediately.
Then comes the problem - go to domain two and add a secondary zone for domain one - and it refuses to replicate.
Checked that the domain one DNS servers trust the domain two DNS servers and vice versa (currently allowing replication to any server, on both sides). Logs show the standard 5623 error on domain two and don't show anything on domain one.
Windows firewall is OFF on all servers
Checked ASA that the problem doesn't relate to UDP max packet size (set it to client auto).
Going to go low level on the 1st server - Wireshark and see if I can see the actual request - however I'm not sure how, if I have both ICMP and nslookup working, DNS replication doesn't work. There is of course the curse of IPv6 - I've disabled it on domain two's AD server, but it's still enabled on domain one. So where services bind to and how connections are made may somewhat relate to the problem.
Any thoughts - particularly to the actual mechanics of DNS replication, very much appreciated
- Moved by Vincent Hu (Moderator) Thursday, April 12, 2012 2:29 PM (From: Server Core)
All Replies
Friday, April 13, 2012 8:58 AM (Moderator)
Monday, April 16, 2012 5:22 AM
Hello,
Have you also checked that TCP port 53 is allowed on your ASA for both incoming and outgoing traffic?
Best regards,
Steven Xiao
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Monday, April 16, 2012 5:42 AM
Hello,
See here about the required ports for AD: http://support.microsoft.com/kb/179442/
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
It is NOT recommended to disable IPv6 on the servers, not even by Microsoft: http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx and http://blogs.technet.com/b/netro/archive/2010/11/24/arguments-against-disabling-ipv6.aspx
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
- Edited by Meinolf Weber (MVP) Monday, April 16, 2012 5:45 AM
Monday, April 16, 2012 9:13 AM
Don't disable IPv6; leave it at the default, as many services in the newer OS (DirectAccess, Exchange 2010, etc.) utilize it. Windows 2008 R2/7 uses IPv6 and it should be configured to dynamic (Automatically).
Ensure the required firewall ports are open for domains and trusts:
How to configure a firewall for domains and trusts
http://support.microsoft.com/kb/179442
Active Directory Firewall Ports - http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Monday, April 16, 2012 11:17 AM (Moderator)
It is wise to download and run the free Microsoft PortQry tool to scan whether the necessary ports (for the ports, refer to Meinolf's link) are allowed through the firewall.
For DNS you require port 53, both TCP and UDP. What did you see when you ran the Wireshark tool: did you see the source and destination packet transmission information, and where exactly is the termination of the packets happening? Can you also post the exact error event ID along with the details?
There are no issues if proper permissions and connectivity are established. The other reason I can think of is high latency in the network.
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
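Steven Xiao's question about TCP 53 and Awinish's "port 53 both TCP and UDP" come down to the same check: a secondary zone pulls its copy from the primary with an AXFR/IXFR over TCP 53, so ping and a UDP nslookup succeeding says nothing about the transfer path. The script below is an added example for this thread, not code from any of the posters or from Microsoft. It builds an AXFR query by hand, sends it over TCP with the 2-byte length prefix that DNS-over-TCP requires, and classifies the outcome into "TCP 53 blocked" versus "primary refuses the transfer". The server address 192.168.1.10 and the zone name domain-one.local are hypothetical placeholders, and the two response messages at the bottom are constructed for offline illustration.

```python
"""Hand-rolled AXFR probe: does TCP 53 reach the primary, and does it permit
the transfer?  Added example for this thread, not code from the original posts.
Hypothetical placeholders: server 192.168.1.10, zone domain-one.local."""
import socket
import struct
import sys
from typing import Union

QTYPE_AXFR = 252   # full zone transfer; a secondary uses this (or IXFR) over TCP
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ended by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(zone: str, qtype: int, txid: int = 0x1234) -> bytes:
    """12-byte header (QDCOUNT=1, no flags set) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", qtype, QCLASS_IN)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Pull the fields a zone-transfer check cares about out of a response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid,
            "qr": bool(flags & 0x8000),      # response bit
            "aa": bool(flags & 0x0400),      # authoritative answer
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "ancount": an}


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full DNS message arrived")
        buf += chunk
    return buf


def axfr_over_tcp(server: str, zone: str, timeout: float = 5.0) -> dict:
    """Send one AXFR query over TCP 53 and parse the first response header."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(zone, QTYPE_AXFR)))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return parse_header(recv_exact(s, length))


def diagnose(outcome: Union[dict, OSError]) -> str:
    """Map the probe result onto the two failure modes discussed in the thread."""
    if isinstance(outcome, OSError):        # timeout, connection refused, reset
        return ("TCP 53 blocked or unreachable: working UDP lookups do not prove "
                "the transfer path; check the ASA ACLs for TCP 53")
    if outcome["rcode"] in ("REFUSED", "NOTAUTH"):
        return ("TCP 53 is open but the primary refuses the transfer: check the "
                "zone's Zone Transfers settings / allowed servers")
    if outcome["rcode"] == "NOERROR" and outcome["ancount"] > 0:
        return "AXFR permitted: the secondary should be able to pull this zone"
    return "unexpected response: rcode=%s ancount=%d" % (outcome["rcode"], outcome["ancount"])


# Constructed (not captured) responses to the query above, for offline illustration
QUESTION = encode_name("domain-one.local") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + QUESTION  # QR=1, RCODE=5
OK_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0) + QUESTION       # QR=1, AA=1, 3 RRs

if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10"    # hypothetical
    zone = sys.argv[2] if len(sys.argv) > 2 else "domain-one.local"  # hypothetical
    try:
        print(diagnose(axfr_over_tcp(server, zone)))
    except OSError as err:
        print(diagnose(err))
```

Run it from the domain two DC against domain one's DNS server (python axfr_probe.py 192.168.1.10 domain-one.local). A socket timeout with nslookup working is the firewall dropping TCP 53; an RCODE of REFUSED means the packets arrive but the primary's zone transfer ACL is not letting this server pull. Because the script only parses the first message of the transfer it does not need to handle the multi-message AXFR stream, which is enough to tell the two cases apart.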
Thursday, April 19, 2012 2:21 AM
Hello,
What's the current status of your DNS replication? Has any suggestion here made sense to you to help resolve the issue?
Best Regards,
Steven Xiao