Split Brain Conditional Forwarder?

  • Question

  • We have a DNS zone that we currently have a conditional forward configured to point to 3 external DNS servers at site A.  The conditional forward is stored in AD and replicated to all other DNS servers.  At another location, Site B, I have another Domain Controller\DNS server that can only reach those 3 external DNS servers by a different single IP address.  So with the conditional forwarder being replicated to Site B the queries cannot be resolved as the 3 external IP addresses are not reachable.  I was trying to find an appropriate solution to this problem. We are AD 2016 and have DNS policies available but that doesn't seem to cover conditional forwarders.  Could stop replication of the conditional forwarder and configure every dns server manually but I wanted to explore any other options or ideas that I might be overlooking.  Thanks.  
    Tuesday, September 10, 2019 5:33 PM

All replies

  • Hi,

    Thanks for your question.

    Could stop replication of the conditional forwarder>>>

    Yes, we can disable storing this conditional forwarder in Active Directory and replicating it, as below; please refer to the picture below.

    May I confirm your current situation: the clients in site B query the DNS name, but it can't be resolved, is that right?

    Would you mind please posting a screenshot for "NSlookup -d2 <dns name>"  to show the detailed information of this name request, so that we can find more clue about this issue?

    Highly appreciate your effort and time. If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, September 11, 2019 10:08 AM
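The approach discussed above (stop storing the conditional forwarder in Active Directory and give each DNS server its own master list) can be scripted with the DnsServer PowerShell module. The following is an added example written for this thread, not code posted by either participant; the zone name `r53.contoso.com`, the server names and the IP addresses are constructed placeholders and must be replaced with real values.

```powershell
# Added example: replace an AD-replicated conditional forwarder with a
# per-server, file-backed one so each site points at resolver addresses
# it can actually reach. All names and addresses below are placeholders.
Import-Module DnsServer

$zone = 'r53.contoso.com'   # assumed name of the conditionally forwarded zone

# Master (forwarder) addresses per DNS server; constructed sample values.
$forwarders = @{
    'DC1.sub.contoso.com' = @('198.51.100.11', '198.51.100.12', '198.51.100.13') # site A: three resolvers reachable
    'DC2.sub.contoso.com' = @('203.0.113.5')                                     # site B: only one address reachable
}

# 1. Remove the AD-integrated forwarder once. The deletion replicates through
#    AD to the other DCs, so this is done on a single server only.
$primaryDc = 'DC1.sub.contoso.com'
$existing = Get-DnsServerZone -Name $zone -ComputerName $primaryDc -ErrorAction SilentlyContinue
if ($existing -and $existing.IsDsIntegrated) {
    Remove-DnsServerZone -Name $zone -ComputerName $primaryDc -Force
}

foreach ($server in $forwarders.Keys) {
    # 2. Wait (up to ~5 minutes) until the deletion has replicated to this server;
    #    creating the local forwarder while the AD copy still exists would fail.
    $deadline = (Get-Date).AddMinutes(5)
    while ((Get-DnsServerZone -Name $zone -ComputerName $server -ErrorAction SilentlyContinue) -and
           ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds 15
    }
    if (Get-DnsServerZone -Name $zone -ComputerName $server -ErrorAction SilentlyContinue) {
        throw "Zone $zone still present on $server; replication of the deletion has not completed."
    }

    # 3. Recreate the forwarder WITHOUT -ReplicationScope. Omitting that parameter
    #    creates a local (file-backed) conditional forwarder that is not stored in
    #    AD, so every server keeps its own master list.
    Add-DnsServerConditionalForwarderZone -Name $zone -ComputerName $server `
        -MasterServers $forwarders[$server] -ForwarderTimeout 5 -UseRecursion $false
}

# 4. Verify: each server should report IsDsIntegrated = False and its own masters,
#    and a test name under the zone should now resolve through that server.
foreach ($server in $forwarders.Keys) {
    Get-DnsServerZone -Name $zone -ComputerName $server |
        Select-Object @{ n = 'Server'; e = { $server } }, ZoneName, IsDsIntegrated, MasterServers
    Resolve-DnsName -Name "AppName.$zone" -Server $server -Type A -ErrorAction Continue
}
```

The script must be run with rights to administer DNS on each listed server. Because the forwarder is no longer AD-stored, any later change to the upstream addresses has to be applied per server (for example with `Set-DnsServerConditionalForwarderZone -Name $zone -ComputerName <server> -MasterServers <addresses>`), which is the maintenance trade-off the original question points out.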
  • Yes clients at site B cannot resolve as needed because the conditional forwarder needs to point to a different address.  I do think that stopping the replication of the conditional forwarder and not saving them in AD would work but wanted to explore any other options that I may be missing.

    Output from the nslookup request is pasted below.

    C:\Windows\system32>nslookup -d2 AppName.r53.contoso.com
    ------------
    SendRequest(), len 90
        HEADER:
            opcode = QUERY, id = 1, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa, type = PTR, class = IN

    ------------
    DNS request timed out.
        timeout was 2 seconds.
    timeout (2 secs)
    SendRequest failed
    Server:  UnKnown
    Address:  ::1

    ------------
    SendRequest(), len 64
        HEADER:
            opcode = QUERY, id = 2, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            AppName.r53.contoso.com.sub.contoso.com, type = A, class = IN

    ------------
    ------------
    Got answer (128 bytes):
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            AppName.r53.contoso.com.sub.contoso.com, type = A, class = IN
        AUTHORITY RECORDS:
        ->  sub.contoso.com
            type = SOA, class = IN, dlen = 33
            ttl = 3600 (1 hour)
            primary name server = DC.sub.contoso.com
            responsible mail addr = (root)
            serial  = 12696602
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)

    ------------
    ------------
    SendRequest(), len 64
        HEADER:
            opcode = QUERY, id = 3, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            AppName.r53.contoso.com.sub.contoso.com, type = AAAA, class = IN

    ------------
    ------------
    Got answer (128 bytes):
        HEADER:
            opcode = QUERY, id = 3, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            AppName.r53.contoso.com.sub.contoso.com, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  sub.contoso.com
            type = SOA, class = IN, dlen = 33
            ttl = 3600 (1 hour)
            primary name server = DC.sub.contoso.com
            responsible mail addr = (root)
            serial  = 12696602
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)

    ------------
    ------------
    SendRequest(), len 82
        HEADER:
            opcode = QUERY, id = 4, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            AppName.r53.contoso.com.us-west-2.ec2-utilities.amazonaws.com, type = A, class = IN

    ------------
    DNS request timed out.
        timeout was 2 seconds.
    timeout (2 secs)
    SendRequest failed
    ------------
    SendRequest(), len 82
        HEADER:
            opcode = QUERY, id = 5, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            AppName.r53.contoso.com.us-west-2.ec2-utilities.amazonaws.com, type = AAAA, class = IN

    ------------
    DNS request timed out.
        timeout was 2 seconds.
    timeout (2 secs)
    SendRequest failed
    ------------
    SendRequest(), len 44
        HEADER:
            opcode = QUERY, id = 6, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            AppName.r53.contoso.com, type = A, class = IN

    ------------
    DNS request timed out.
        timeout was 2 seconds.
    timeout (2 secs)
    SendRequest failed
    ------------
    SendRequest(), len 44
        HEADER:
            opcode = QUERY, id = 7, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            AppName.r53.contoso.com, type = AAAA, class = IN

    ------------
    DNS request timed out.
        timeout was 2 seconds.
    timeout (2 secs)
    SendRequest failed
    *** Request to UnKnown timed-out

    Wednesday, September 11, 2019 8:34 PM