none
DNS Replication to allow Trust Relationship

    Question

  • Greetings all - wonder if anyone can give me some ideas on this one.

    First domain - 1 x exchange and 2 x AD servers - all server 2008R2, patched up to date.

    This runs a hosted Exchange environment

    Second domain 1 x AD server 2008R2, patched up to date.

    I want to have it so that domain two can trust domain one - so that we can use a single set of logins, whilst adding computers to domain two (this keeps domain one free of lots of junk - whilst allowing us to have one set of logins). The end point will be ultimately domains three, four, five  all with one way trust to domain one and so on.

    Domain one - default gateway = pfsense with route to domain two via ASA5550, subnet 192.168.1.0/24 - DGW 192.168.1.1 - route added to firewall 10.10.10.1/24 via 192.168.1.250 (note these are not the actual subnets)

    Domain two - subnet = 10.10.10.0 /24 default gateway = ASA5550 10.10.10.1 - ASA5550 has ACLs allowing all IP between 192.168.1.0 and 10.10.10.0

    Firstly I tested connectivity - I can ping between the DCs and I can also run nslookup, switch to the "opposing" server and get a response.

    Went to domain one and added a secondary zone for domain two - and it replicates immediately.

    Then comes the problem - go to domain two and add a secondary zone for domain one - and it refuses to replicate.

    Checked that the domain one DNS servers trust the domain two DNS servers and visa versa (currently allowing replicate to any server, on both sides). Logs show the standard 5623 error on domain two and don't show anything on domain one.

    Windows firewall is OFF on all servers

    Checked ASA that the problem doesn't relate to UDP max packet size (set it to client auto).

    Going to go low level on the 1st server - wireshark and see if I can see the actual request - however not sure how, if I have both ICMP and nslookup working - that DNS replication doesn't work. There is of course the curse of IPV6 - I've disabled it on domain two's AD server, but its still enabled on domain one. So where services bind to and how connections are made, may somewhat relate to the problem.

    Any thoughts - particularly to the actual mechanics of DNS replication, very much appreciated

    Thursday, April 12, 2012 12:35 PM

All replies