Coming Soon: GET-IT: Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET Coming Soon: GET-IT: Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET

Inter-Forest Reverse Lookup

Home Forums Microsoft Networking and Management Services DNS Inter-Forest Reverse Lookup

Viewing 1 post (of 1 total)
  • Author
    Posts

  • Robert R.
    Participant
    Jun 08, 2011 at 4:43 pm #154987

    Environment:

    FOREST 01: x.tld : 172.18.50.0
    domain 01: x.tld : domain controllers = dc01.x.tld , dc02.x.tld
    domain 02: prod.x.tld : domain controllers = dcp01.x.tld , dcp02.x.tld
    domain 03: office.x.tld : domain controllers = dco01.x.tld , dco02.x.tld

    FOREST 02: dev.x.tld : 172.17.50.0
    domain 01: dev.x.tld : domain controllers = dc01.dev.x.tld , dc02.dev.x.tld

    A trust relationship exists between office.x.tld and dev.x.tld

    All domain controllers (Windows 2008 R2) are DNS servers.

    Within each forest, DNS zones are replicated to every domain controller.

    In the x.tld forest, conditional forwarders are configured for dev.x.tld

    In the dev.x.tld forest, conditional forwarders are configured for x.tld and prod.x.tld

    PROBLEM: From any server in dev.x.tld , reverse lookups for prod.x.tld are failing if the DNS server queried is in dev.x.tld

    [[email protected] ~]$ nslookup 172.18.50.159 dcp02.prod.x.tld
    Server: dcp02.prod.x.tld
    Address: 172.18.50.132#53

    159.50.18.172.in-addr.arpa name = soa.prod.x.tld. [works]

    [[email protected] ~]$ nslookup 172.18.50.159 dco01.office.x.tld
    Server: dco01.office.x.tld
    Address: 172.18.50.150#53

    159.50.18.172.in-addr.arpa name = soa.prod.x.tld. [works]

    [[email protected] ~]$ nslookup 172.18.50.159 dco02.office.x.tld
    Server: dco02.office.x.tld
    Address: 172.18.50.151#53

    159.50.18.172.in-addr.arpa name = soa.prod.x.tld. [works]

    Why o’ why does this one fail?

    [[email protected] ~]$ nslookup 172.18.50.159 dc01.dev.x.tld
    Server: dc01.dev.x.tld
    Address: 172.17.50.103#53

    ** server can’t find 159.50.18.172.in-addr.arpa.: NXDOMAIN [fails]

    Certainly has something to do with Reverse zone lookups/transfers, but I haven’t got the Window’s knowledge to fix it.

    I think the best way to resolve this would be to have the DNS zones replicated from x.tld to dev.x.tld.

    Can this be done across two different forests?

    When I look in the zone replication properties, the options are to replicate

    To all DNS servers running on domain controllers in this forest
    To all DNS servers running on domain controllers in this domain
    To all domain controllers in this domain (for Windows 2000 compatibility)

    I don’t see any option to replicate zone data across a forest.

  • Author
    Posts
Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.

Reach Out
Learn More
Sitemap

© 2021 BWW Media Group Privacy Policy

Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by:

 
Register Now!