Adding a new DNS zone on a new DNS server

  • Question

  • Dear Server Expert,

    Currently our company is using Windows Server 2008 R2 for our AD, and this server is hosting the DNS and DHCP roles. Our company is using the domain called "company.com". Below is our AD and DNS infra:

    HQ:

    1 primary AD that hosts a DNS server, called "HQAD_Server". Joined to the "Company.com" domain. (Subnet 192.168.10.x)

    All our client computers are joined to the same domain called "company.com".

    Remote Entity office:

    1 AD server that also hosts a DNS server, called "REMAD_Server". Joined to the "Company.com" domain. (Subnet 192.168.20.x)

    These AD and DNS servers are mainly used for the Exchange servers, as we have a DAG and an IPsec tunnel that were built for email communication.

    Both 192.168.10.x and 192.168.20.x are able to communicate with each other due to the use of IPSec Tunnel.

    However, the remote entity office also has their own AD and DNS server, joined to their own domain called "entity.com"; the server is named "Entity_AD_Server". All of their client computers are joined to the "entity.com" domain, and it is on a different network subnet, 192.168.18.x. However, 192.168.20.x and 192.168.18.x are able to communicate with each other.

    They have sent a request to add another DNS zone to their DNS server that is joined to the "entity.com" domain, so that they will have the DNS records from the "REMAD_Server" as well.

    May I know what is the best way and the steps to accomplish this? Is this risky to do?

    Thanks

    Regards,

    H

    Saturday, August 19, 2017 10:09 AM

All replies

  • http://www.pearsonitcertification.com/articles/article.aspx?p=102617&seqNum=6
    Saturday, August 19, 2017 10:29 AM
  • What is the purpose of adding another zone? If it is just for name resolution, it is very simple to create a new zone and add DNS entries for the name resolution.

    Saturday, August 19, 2017 10:58 AM
  • > What is the purpose of adding another zone? If it is just for name resolution, it is very simple to create a new zone and add DNS entries for the name resolution.

    Hi Manoj,

    Yes, of course the purpose is name-to-IP-address resolution.

    1 x "REMAD_Server" -> Joined to the company.com domain. It is an AD and also a DNS server that connects to the HQ AD and DNS server. (Subnet 192.168.20.x)

    1 x "ENTITY_AD_Server" -> Joined to the entity.com domain. It is an AD and also a DNS server used by local entity clients. (Subnet 192.168.18.x)

    Subnets 192.168.20.x and 192.168.18.x are both able to communicate with each other.

    Thus, in order for the 192.168.18.x clients to be able to resolve the servers' hostnames to IP addresses located in subnet 182.168.20.x, we have to add a secondary DNS zone to the "ENTITY_AD_Server" DNS, right?

    Thanks

    Regards,

    H

    Saturday, August 19, 2017 3:17 PM
  • Hello Henry2050,

    The best design depends on how things work: as your networks are able to communicate with each other, just ensure that the DNS servers can talk to each other on port 53. Once that is done, add a new conditional forwarder for the target zone and enter the IP address of the DNS server hosting it.

    I should alert you, however: you will allow (or be allowed) to target a DNS server that hosts an Active Directory zone. If your companies trust each other (in the Active Directory sense of "trust"), then you don't have to worry about it.

    • Proposed as answer by Loïc Veirman Monday, August 21, 2017 6:42 AM
    Saturday, August 19, 2017 3:51 PM
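    The procedure in the reply above (check port 53, then add a conditional forwarder for company.com pointing at REMAD_Server), written out as an added PowerShell example that is not from this thread. It assumes the DnsServer module (Windows Server 2012 or later) on ENTITY_AD_Server; the address 192.168.20.10 is a constructed placeholder for REMAD_Server, and host01.company.com is a constructed test name.

```powershell
# Added example, not from this thread. Run on ENTITY_AD_Server.
# Assumes the DnsServer module (Windows Server 2012 or later); on 2008 R2
# the equivalent command is: dnscmd /ZoneAdd company.com /Forwarder <ip>
$RemadDns   = '192.168.20.10'   # constructed placeholder for REMAD_Server
$TargetZone = 'company.com'

# 1. Confirm the tunnel/firewall passes port 53 before changing anything.
#    Test-NetConnection checks TCP only; the direct SOA query below uses UDP.
$tcp = Test-NetConnection -ComputerName $RemadDns -Port 53
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 53 to $RemadDns is blocked; fix the tunnel or firewall first."
}
Resolve-DnsName -Name $TargetZone -Type SOA -Server $RemadDns -DnsOnly

# 2. Add the conditional forwarder. Only queries for company.com are sent to
#    REMAD_Server; no zone data is transferred into entity.com, which is why
#    this is less exposing than a secondary zone. ReplicationScope 'Forest'
#    stores it in AD so every entity.com DNS server picks it up; use
#    -ReplicationScope 'Legacy' for a copy on this server only.
Add-DnsServerConditionalForwarderZone -Name $TargetZone `
    -MasterServers $RemadDns -ReplicationScope 'Forest' -PassThru

# 3. Verify from the entity.com side: the zone type should show 'Forwarder'
#    and a constructed host name in company.com should now resolve locally.
Get-DnsServerZone -Name $TargetZone |
    Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name "host01.$TargetZone" -Server '127.0.0.1'
```

    A conditional forwarder needs no AD trust between entity.com and company.com; the reply's trust remark is about who is being allowed to query the DC-hosted zone, not about a prerequisite for the forwarder itself.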
  • Please go through the link below; it explains secondary zones, stub zones and conditional forwarding, their advantages, and the risks associated with each.

    A secondary zone may not be the best option, as you will be exposing all your DNS records to someone else's network.

    https://blogs.msmvps.com/acefekay/2012/09/18/what-should-i-use-a-stub-conditional-forwader-forwarder-or-secondary-zone/

    Saturday, August 19, 2017 5:01 PM
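    To make the exposure difference concrete, here is an added PowerShell example (not from this thread or the linked article) showing a stub zone beside a full secondary zone on ENTITY_AD_Server, and how the owner of company.com on REMAD_Server can restrict zone transfers to that one server if a secondary is chosen anyway. It assumes the DnsServer module (Windows Server 2012 or later); 192.168.20.10 and 192.168.18.10 are constructed placeholders for REMAD_Server and ENTITY_AD_Server, and host01.company.com is a constructed test name.

```powershell
# Added example, not from this thread. Placeholders are constructed:
#   REMAD_Server      -> 192.168.20.10 (owns the company.com zone)
#   ENTITY_AD_Server  -> 192.168.18.10 (wants to resolve company.com)
$Zone      = 'company.com'
$RemadDns  = '192.168.20.10'
$EntityDns = '192.168.18.10'

# --- On REMAD_Server (the side that owns company.com) ------------------
# Check the current transfer policy instead of assuming it. With
# 'TransferAnyServer' any host that can reach port 53 could pull the whole
# zone with one AXFR request, which is the exposure the reply warns about.
Get-DnsServerZone -Name $Zone |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, SecureSecondaries, SecondaryServers

# If a secondary zone is the chosen design, pin transfers and change
# notifications to ENTITY_AD_Server only.
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries 'TransferToSecureServers' -SecondaryServers $EntityDns `
    -Notify 'NotifyServers' -NotifyServers $EntityDns

# --- On ENTITY_AD_Server ------------------------------------------------
# Option A: stub zone. It copies only the SOA, NS and glue records for
# company.com and forwards everything else to the masters, so far less
# data leaves REMAD_Server than with a full secondary.
Add-DnsServerStubZone -Name $Zone -MasterServers $RemadDns -ReplicationScope 'Forest'

# Option B: full secondary. It pulls the entire zone by AXFR/IXFR, i.e. every
# record in company.com is stored on the entity.com server. Only one zone
# can exist per name, so this line is commented out while Option A is in use.
# Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $RemadDns

# Either way, confirm the zone loaded and that a name resolves locally.
Get-DnsServerZone -Name $Zone | Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name "host01.$Zone" -Server '127.0.0.1'
```

    The Set-DnsServerPrimaryZone step belongs to whoever administers company.com, since the zone owner, not the requesting side, decides which servers may transfer it.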
  • How is it going? Do not forget to mark as Answer if you found the above info helpful.
    Tuesday, August 29, 2017 1:29 PM
  • Hi Henry2050,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Candy


    Tuesday, September 12, 2017 7:32 AM