10-22-2015 12:52 PM
We inherited a configuration set up by an admin just before he left our organization and we are unable to figure out at least one important piece of it....
We have two DNS views:
- Internal, which is working fine and which the vast majority of clients use on our network.
- PCI, which a small number of desktops and servers use from within isolated subnets. This is the one which is affected by the problem.
Both views are hosted by the same 3 name servers.
In the PCI (problem) view, I see that all of the needed A records for the parent zone are available on all 3 name servers. However, delegated subzones were created for AD in the PCI view, yet they are only available (resolvable) using one of the three name servers. In other words, if I use DNS1 it can resolve my AD request by recursing to the AD name servers listed in the delegation, but if DNS2 or DNS3 is used, the request fails. Again, I can resolve all hosts in the parent zone on both DNS2 and DNS3 in the PCI view.
The delegated zones are fine in the Internal view. (All 3 name servers can answer queries for them.)
I think my question is simple: How do we get all 3 name servers to be "aware" of the delegated AD zones? I am an AD admin and not from the group that handles Infoblox DNS, so my knowledge is limited as well as my access, but none of us have been able to figure this out so far. We may be missing something straightforward for all I know.
10-22-2015 10:26 PM
Your best route may be to have Infoblox Support review the configuration but here are a couple of items to check:
1. Check the Views configuration on each member/appliance (Data Management -> DNS -> Members/Servers) and check the Views configuration under each member to ensure it matches the working member.
2. Verify there are no connectivity issues that would block the DNS address resolution from the members to the AD servers.
When you add a delegation, the effect should be that an NS record is created for the delegation in the parent zone. This record will be automatically replicated to any of the Infoblox members that are associated with the parent zone.
You should also be able to drill down into the specific zone data on each server to validate that the NS record is present.
Hope that helps you down the path to resolving this!
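As an added example of the check suggested in items 1 and 2 and the NS-record point above (this is my own script, not Infoblox code and not anything posted in this thread): query each member directly for the child zone's NS records, with recursion disabled so a member that merely recurses to the AD servers cannot mask a missing delegation, and report any member whose referral lacks records that another member returns. The zone name ad.pci.example.com, the member names dns1 to dns3 and the NS targets dc1/dc2 are made-up placeholders, and the wire messages used by the offline demo are constructed, not captured. Because a DNS view is matched on the querying client's address, run it against the real members from a host inside the PCI subnet, or it will exercise the Internal view instead.

```python
"""Added example (not Infoblox code): compare a child zone's NS delegation across members."""
import random
import socket
import struct
import sys

TYPE_NS, CLASS_IN = 2, 1


def encode_name(name):
    """Wire-format a dotted name, uncompressed."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qid=None):
    """NS query with RD=0: the member must answer from its own zone data (a referral)."""
    qid = random.randint(0, 0xFFFF) if qid is None else qid
    return struct.pack(">HHHHHH", qid, 0x0000, 1, 0, 0, 0) + encode_name(name) \
        + struct.pack(">HH", TYPE_NS, CLASS_IN)


def parse_name(msg, off, _hops=0):
    """Decode a possibly compressed name; return (lowercase name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if _hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr, _hops + 1)
            labels.append(tail) if tail else None
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length


def parse_response(msg):
    """Return (qid, rcode, {owner: set(NS targets)}) from the answer and authority sections."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4                                        # skip qtype + qclass
    delegations = {}
    for count, keep in ((an, True), (ns, True), (ar, False)):
        for _ in range(count):
            owner, off = parse_name(msg, off)
            rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            if keep and rtype == TYPE_NS:
                target, _ = parse_name(msg, off)
                delegations.setdefault(owner, set()).add(target)
            off += rdlen
    return qid, flags & 0x000F, delegations


def ns_from_response(msg, zone):
    """(rcode, NS set for zone) from one raw response."""
    _, rcode, delegations = parse_response(msg)
    return rcode, delegations.get(zone.rstrip(".").lower(), set())


def query_member(server, zone, timeout=3.0):
    """Ask one member over UDP/53; reject a reply whose transaction id does not match."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone, qid), (server, 53))
        msg, _ = s.recvfrom(4096)
    if struct.unpack(">H", msg[:2])[0] != qid:
        raise ValueError("mismatched transaction id from %s" % server)
    return ns_from_response(msg, zone)


def compare_members(results):
    """{member: NS set} -> {member: NS names it lacks vs. the union}; empty means consistent."""
    union = set().union(*results.values()) if results else set()
    return {m: union - seen for m, seen in results.items() if union - seen}


def build_referral(qid, zone, hosts, rcode=0):
    """Constructed sample reply (not a capture): NS referral in the authority section,
    with owner and target names compressed back to the question at offset 12."""
    body = encode_name(zone) + struct.pack(">HH", TYPE_NS, CLASS_IN)
    for host in hosts:
        rdata = encode_name(host)[:-1] + b"\xc0\x0c"    # "<host>" + pointer to zone
        body += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_NS, CLASS_IN, 3600, len(rdata)) + rdata
    return struct.pack(">HHHHHH", qid, 0x8000 | rcode, 1, 0, len(hosts), 0) + body


def demo():
    """Offline walk-through of the symptom: dns1 hands out the delegation,
    dns2 and dns3 answer NXDOMAIN (rcode 3) for the child zone."""
    zone = "ad.pci.example.com"
    wire = {"dns1": build_referral(1, zone, ["dc1", "dc2"]),
            "dns2": build_referral(2, zone, [], rcode=3),
            "dns3": build_referral(3, zone, [], rcode=3)}
    return compare_members({m: ns_from_response(msg, zone)[1] for m, msg in wire.items()})


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("usage: check_delegation.py <child-zone> <member-ip> [<member-ip> ...]")
        print("offline demo:", demo())
        sys.exit(0)
    zone, seen = sys.argv[1], {}
    for member in sys.argv[2:]:
        rcode, ns = query_member(member, zone)
        seen[member] = ns
        print("%s rcode=%d NS=%s" % (member, rcode, sorted(ns) or "-"))
    gaps = compare_members(seen)
    for member, missing in gaps.items():
        print("%s lacks delegation for: %s" % (member, ", ".join(sorted(missing))))
    sys.exit(1 if gaps else 0)
```

Run it with the child zone and all three member addresses; a non-zero exit means at least one member is not serving the NS records the others serve, which is the condition the thread describes. A member answering rcode 3 (NXDOMAIN) for the child zone is authoritative for the parent but has no delegation for that name in the view it selected for your client.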
10-23-2015 07:16 AM
Thanks for the reply. One of the DNS admins does have a support ticket open and hopefully she will speak with someone today. In any case, I want to pass along my experience:
1. I had already checked the working member. In fact I checked both views and this is what I get, which I don't understand: I go to Members > DNS1 (the one that "works" in both views), View (either one) > Parent zone > Subzones and I see nothing. However, if I go to the Zones tab > View (either one) > Parent zone > Subzones I *do* see the delegated zones there. I hadn't before looked for the NS records as you suggest, so that's helpful. For that I do see inconsistencies across views. Internal: I see the NS records for the subzones (and parent zone). PCI: I see no NS records for *anything*. Even if I go to the working member, I see no NS records in the PCI view.
2. All three members are okay in one of the views for the AD subzones, so I don't think it can be a connectivity issue. (Unless somehow a different route is used depending on the view.)
I feel pretty confident that this will be resolved with the support call.
10-23-2015 09:21 AM
Thank you for the additional details!
It is odd that you do not find the NS records in the parent zone in your PCI view, but I am confident that Support will be able to assist to resolve.
Please share the resolution when found - thanks!