Forest One-Way Trust and DNS Issues

  • Question

  • Hello,

    Let me give you guys a little background. I'm in the middle of creating environments for our developers and I've run into an issue (laziness if you ask me). We have created a separate forest with a one-way trust, and I've set up conditional forwarders in both domains, prod domain to dev domain and vice versa. The problem I'm facing is that our developers do not want to go in and change their code from the FQDN they are using in the prod domain to the dev domain. So I was trying to create forward lookup zones of the prod domain in the dev domain, but the zone host A records would point back to the dev servers, and then the trust breaks. Is there something I'm missing? I've tried creating host A records of the prod DCs, adding them as name servers to the forward lookup zone, creating service location records/Kerberos records and forwarders on the DNS servers. Or is there another approach to this? Please do not say hosts files..


    • Edited by MSHoyt Thursday, July 14, 2016 7:37 PM
    Thursday, July 14, 2016 7:34 PM

All replies

  • Hi,

    do I understand correctly: they wish to use host01.prod.com in the dev environment and have it point to host01.dev.com? And it is dev.com that is trusting prod.com? Host files, even if you asked not to.

    Maybe you can create a third DNS namespace ("current.com") and have it point to prod.com in prod and dev.com in dev. Then your developers can rewrite their code once and start using current.com in their apps.


    Evgenij Smirnov

    msg services ag, Berlin -> http://www.msg-services.de
    my personal blog (mostly German) -> http://it-pro-berlin.de
    Windows Server User Group, Berlin -> http://www.winsvr-berlin.de
    Mark Minasi Technical Forum, reloaded -> http://newforum.minasi.com

    In theory, there is no difference between theory and practice. In practice, there is.

    Thursday, July 14, 2016 9:17 PM

  • Yeah we have brought up the third namespace deal and they did not like the idea of re-writing code, but they are up for "going forward we will do this". So a forward lookup zone wouldn't work in this case?
    Thursday, July 14, 2016 9:28 PM
  • I am pretty sure you can get a Forward Lookup Zone to work somehow without breaking trust, but it's not going to be easy. If I were in this situation, I would be very reluctant to go down this route.

    You can try adding zones such as host01.prod.com to your dev DNS and setting an A record without hostname to the IP address of host01.dev.com. This should/might work without breaking stuff.


    Evgenij Smirnov


    Thursday, July 14, 2016 9:35 PM
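    Evgenij's narrow-zone suggestion above, plus the reason the full prod.com zone kept breaking the trust, as an added PowerShell example that is not part of the thread and not from either poster. The forest trust is only usable while the dev-side DCs can locate prod DCs through the SRV records under _msdcs.prod.com; a DNS server that is authoritative for prod.com answers those names itself (NXDOMAIN for anything not copied in) instead of passing them to the conditional forwarder, which is why recreating prod.com in dev DNS kept breaking it. A pinpoint zone named exactly host01.prod.com shadows only that one FQDN and leaves every other prod.com lookup on the forwarder path. The domain names, host01, the addresses 10.10.0.10/10.10.0.11 and 10.20.0.15, and the current.com third namespace from the first reply are assumed or constructed values; the script is meant to run on a dev.com DNS server with the DnsServer, DnsClient and ActiveDirectory modules available.

```powershell
# Added example (not from the thread). Assumed: prod.com / dev.com namespaces,
# host01, 10.20.0.15 (dev copy of host01), 10.10.0.10 and 10.10.0.11 (prod DNS).
# Run on a dev.com DNS server as a DNS administrator.
#Requires -Modules DnsServer, DnsClient, ActiveDirectory

$ProdDomain     = 'prod.com'
$ProdDnsServers = @('10.10.0.10', '10.10.0.11')   # constructed: prod DCs / DNS
$DevHost        = 'host01'
$DevHostIp      = '10.20.0.15'                     # constructed: dev replica of host01

# 1. Conditional forwarder for the whole prod namespace (what the OP already has).
#    The trust's DC-locator lookups (_msdcs.prod.com) travel this path, so the
#    dev server must NOT be authoritative for prod.com itself.
if (-not (Get-DnsServerZone -Name $ProdDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $ProdDomain `
        -MasterServers $ProdDnsServers -ReplicationScope 'Forest'
}

# 2. Pinpoint zone: authoritative only for host01.prod.com, nothing above or beside it.
#    An apex ("@") A record answers the exact FQDN the developers hard-coded.
$Pinpoint = "$DevHost.$ProdDomain"
if (-not (Get-DnsServerZone -Name $Pinpoint -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Pinpoint -ReplicationScope 'Forest' -DynamicUpdate 'None'
}
Add-DnsServerResourceRecordA -ZoneName $Pinpoint -Name '@' `
    -IPv4Address $DevHostIp -TimeToLive (New-TimeSpan -Minutes 5)

# 3. The check the OP was missing: the trust can only locate prod DCs if the dev
#    DNS server still returns the prod DC-locator SRV records (served by prod
#    through the forwarder, not by us) while the pinpoint name answers locally.
function Test-TrustDnsPath {
    param([string]$Forest = $ProdDomain, [string]$DnsServer = 'localhost')
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Forest",
        "_kerberos._tcp.dc._msdcs.$Forest"
    )
    $result = [ordered]@{}
    foreach ($name in $srvNames) {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue
        $result[$name] = [bool]($srv | Where-Object { $_.Type -eq 'SRV' })
    }
    $a = Resolve-DnsName -Name $Pinpoint -Type A -Server $DnsServer -ErrorAction SilentlyContinue
    $result[$Pinpoint] = (@($a | Where-Object { $_.Type -eq 'A' }).IPAddress -contains $DevHostIp)
    return $result
}

Test-TrustDnsPath | Format-Table -AutoSize

# 4. Confirm AD still lists the forest trust (direction and transitivity unchanged).
Get-ADTrust -Filter "Name -eq '$ProdDomain'" | Select-Object Name, Direction, ForestTransitive

# 5. The first reply's cleaner alternative: a third namespace that follows the
#    environment. On dev DNS current.com aliases dev hosts; on prod DNS the same
#    zone aliases prod hosts, so code is changed once and never again.
$Current = 'current.com'   # assumed third namespace
if (-not (Get-DnsServerZone -Name $Current -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Current -ReplicationScope 'Forest' -DynamicUpdate 'None'
}
Add-DnsServerResourceRecordCName -ZoneName $Current -Name $DevHost -HostNameAlias "$DevHost.dev.com"
```

    Test-TrustDnsPath is the check to run before and after any zone change: if either _msdcs SRV name comes back False from the dev DNS server, the trust will fail to find prod DCs no matter what the A records say. One caveat with the pinpoint approach: Kerberos builds the service principal from the name the client typed, so a client connecting to host01.prod.com asks for a ticket for a prod.com-style SPN that the dev server's account does not hold unless you register it; otherwise expect NTLM fallback or failures for Kerberos-only services, which is one more reason the third namespace in step 5 is the cleaner long-term answer.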

  • Are there any certain records I need for the trust to still be working? Getting them to resolve with the forward lookup zone is the easy part; it's keeping the forest trust still active that breaks.
    Friday, July 15, 2016 1:49 PM
  • Hi,

    Please check this similar thread for your reference:

    One-way Forest Trust and DNS namespace

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/c3060d11-3c9d-48d4-8362-6be001c9ae86/oneway-forest-trust-and-dns-namespace?forum=winserverDS

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
    Friday, July 22, 2016 2:58 AM