DNS issue between two .local domains

Mushkins

Golden Member
Feb 11, 2013
My ultimate goal is to set up domain trusts between my companies' two forests/domains, which are in two separate physical locations. Both companies have their own independent .local domain set up, and we want to access resources on each network seamlessly from the other (printers, network shares, remote desktop, etc.).

Each location has a Sonicwall security appliance running, and there is a permanent active VPN tunnel between them. I can ping internal IPs until I'm blue in the face from either location, it's only when I went to set up DNS that things got hairy.

ABC.local
DC= SERVERA.ABC.local
10.2.12.3/24
Server 2008 R2

XYZ.local
DC= SERVERX.XYZ.local
192.168.1.5/24
Server 2012 Standard

First attempt: I set up each DC with secondary forward and reverse zones for the other domain in DNS. Designated both servers as authoritative name servers on both sides, allowed zone transfers to/from both sides with notifications enabled. They're replicating from the masters OK; you can see the DNS records in DNS Manager from either server. I can ping workstations on XYZ.local using their FQDN successfully from ServerA; I CANNOT ping workstations on ABC.local using their FQDN from ServerX.

Restarted ServerX and FQDN-based pings magically started working from both sides, but the Trust Wizard cannot find the other domain from either side.

Second attempt: Added Root Hints and Forwarders to both sides as well just to be safe, the little Add New... wizards for both had no issues resolving the opposite server via FQDN.

I can now ping "XYZ.local" from ServerA and it resolves ServerX's IP (192.168.1.5). I CANNOT ping ABC.local from ServerX; it throws the standard "name cannot be resolved" DNS error. Maybe a restart would fix this, but these are both production servers. The Trust Wizard still throws the "Other domain cannot be found" error.

Is there something I'm missing here? If the names are resolving, shouldn't the trust wizard pick up on the other domain? I've tried the FQDN of the server, the ABC.local domain, just "ABC", the server NetBIOS name, from both sides of it, and nada.

And before anyone suggests "Just make it all one domain and keep both DCs for redundancy!", I'd jump on that in a heartbeat if I had the time and money to properly break down and rebuild both networks from scratch and do it right :) There are business reasons why I can't make that happen right now, so trusts and aggravating DNS problems it is.
 

theevilsharpie

Platinum Member
Nov 2, 2009
It sounds like ServerX may not view its secondary forward zone for ABC.local as authoritative, or the zone transfer process may not be transferring all of the records.

For simplicity's sake, if all you're doing is establishing trusts, you may want to eliminate the secondary zones entirely, and just set up conditional forwarders on each DC for the appropriate domains.
 

drebo

Diamond Member
Feb 24, 2006
Use nslookup to verify that your DNS is properly replicated and that lookups are working properly.

If your domain controllers are 2008 or higher, I'd recommend conditional forwarders instead of secondary zones.

Also, both servers should not be authoritative for each zone. The servers should be authoritative only for their own zones.
 

AFurryReptile

Golden Member
Nov 5, 2006
I have a very similar setup; almost identical, actually. Here's what I've done.

1) VPN between two Sonicwalls. If properly set up, you should be able to ping both the firewalls and the servers on the opposite side from each side.
2) For each domain, add a forward lookup zone for the opposite domain. It should be secondary. Make sure you add the IP address of the opposite domain's DNS server under both "Master Servers" and "Name Servers". I would force a new replication on each domain, to make sure it's working properly.
3) Rebuild the trust. Sounds like you need it two-way.

Possible troubleshooting steps:

- Make sure there's no weird hosts entries or legacy DNS records. Clear the cache both locally and on the DNS server if you have to.
- Make sure the VPN has access to the opposite network's subnet.
- Is the domain functional level different between DNS servers? That can cause problems.
- Disable Windows firewall, and antivirus, see if that helps.
- Don't be afraid to get Sonicwall involved. They've been rather helpful when I've contacted them (even if they're hard to understand)

Advice:

- Take the opportunity to get off the 192.168.1.xxx subnet while you haven't yet integrated with it. It'll save you a lot of headache in the future when people want to connect to a VPN from home!
- If you want to eventually merge domains, look into the DFS service. It's been immensely helpful in my domain migration (I'm cutting over my last domain controller this weekend!)
 

Mushkins

Golden Member
Feb 11, 2013
Thanks for the tips.

I wiped out all the secondary forward/reverse lookup zones and replaced them with conditional forwarders as suggested.

The "new conditional forwarder" box throws an error saying the opposite server is not authoritative, but ignoring it will still let me create them.

Same issue: I can ping things on XYZ.local from ABC.local using their FQDN; pinging things on ABC.local from XYZ.local cannot resolve. nslookup indicates it's pushing it to the ISP's DNS server like any other internet DNS query instead of using the conditional forwarder.

The forests *do* have different functional levels. ABC.local is at Server 2008 R2 while XYZ.local is still set to Server 2003 due to an older document management server running legacy software still sitting on the domain that I can't get rid of for a few more months, and I'm not sure if raising the functional level of the forest is going to mess with it.
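An added example, not posted by anyone in this thread, covering the conditional-forwarder setup that theevilsharpie and drebo recommend and the "query goes to the ISP" symptom in the last post. It uses the server names and addresses given in the thread; the assumption is that SERVERX (Server 2012) has the DnsServer PowerShell module and SERVERA (2008 R2) does not, so the older dnscmd syntax is used there. The key check is to query each DC directly by IP so the answer proves whether that server's own forwarder is being consulted, and to look up the _msdcs SRV records the trust wizard depends on rather than only the domain's A record.

```powershell
# Added example (not from any poster in this thread). Names and addresses are
# the thread's; the module availability per OS version is an assumption.

# --- On SERVERX (Server 2012, DnsServer module) -----------------------------
# Replace the deleted secondary zone with a conditional forwarder for ABC.local
# that sends every query under that name space to SERVERA only.
Add-DnsServerConditionalForwarderZone -Name 'ABC.local' `
    -MasterServers 10.2.12.3 -ReplicationScope 'Forest'

# Confirm the zone exists as a Forwarder, not a leftover Secondary zone.
Get-DnsServerZone -Name 'ABC.local' |
    Select-Object ZoneName, ZoneType, IsAutoCreated

# Ask SERVERX itself (-Server), bypassing hosts file and cache (-DnsOnly), so
# the result shows whether this server's forwarder is used. If the answer is
# still the ISP's NXDOMAIN, the client's resolver is not pointed at this DC or
# the forwarder was created on a different DNS server.
Resolve-DnsName -Name 'ABC.local' -Server 192.168.1.5 -DnsOnly -Type A

# The trust wizard locates the remote forest through these SRV records; a
# resolvable A record for the bare domain name is not sufficient on its own.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.ABC.local' `
    -Server 192.168.1.5 -DnsOnly -Type SRV

# Same locator check through the AD client, which is what the wizard uses.
nltest /dsgetdc:ABC.local /force

# --- On SERVERA (Server 2008 R2, use dnscmd) ---------------------------------
# Conditional forwarder for XYZ.local pointing at SERVERX, then the mirror
# checks against SERVERA's own address.
dnscmd SERVERA /ZoneAdd XYZ.local /Forwarder 192.168.1.5
dnscmd SERVERA /ZoneInfo XYZ.local
nslookup -type=SRV _ldap._tcp.dc._msdcs.XYZ.local 10.2.12.3
nltest /dsgetdc:XYZ.local /force
```

If the forwarder wizard's "not authoritative" warning appears, the target DC did not answer authoritatively for that zone name; verify with the SRV lookup above before accepting the forwarder, since a forwarder pointing at a server that cannot answer for the zone yields exactly the fallback-to-ISP behaviour described.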