How to Configure Two Isolated Active Directory Domains with Separate DNS on a Single Network


Running two completely isolated Active Directory domains on the same physical network presents unique technical challenges, particularly around DNS resolution. The primary issue stems from having:

  • Two independent domain controllers (DC1.domainA.local and DC2.domainB.local)
  • Single DHCP server providing IP configuration
  • No trust relationship between domains
  • Shared physical network infrastructure

The most critical component is implementing proper DNS forwarding between the domains. Here's how to configure conditional forwarding in PowerShell:

# On DomainA's DNS server
Add-DnsServerConditionalForwarderZone -Name "domainB.local" -MasterServers 192.168.1.2 -PassThru

# On DomainB's DNS server  
Add-DnsServerConditionalForwarderZone -Name "domainA.local" -MasterServers 192.168.1.1 -PassThru

For DHCP configuration, you'll want to specify both DNS servers in your scope options:

# Windows DHCP Server configuration
Set-DhcpServerv4OptionValue -DnsServer 192.168.1.1,192.168.1.2 -Router 192.168.1.254

For more advanced scenarios, consider these options:

DNS Forwarder Chain

# Configure general (catch-all) forwarders on both DNS servers for names outside
# either domain; the conditional forwarders above still take precedence for
# domainA.local and domainB.local
Set-DnsServerForwarder -IPAddress @("8.8.8.8","1.1.1.1") -PassThru

Split DNS with Views

If using BIND instead of Windows DNS:

// View serving domainA; define a mirror view for domainB (authoritative for
// domainB.local, forwarding domainA.local to 192.168.1.1)
view "domainA" {
    match-clients { 192.168.1.0/24; };
    zone "domainA.local" {
        type master;
        file "domainA.local.zone";
    };
    // Forward only domainB.local to domainB's DNS server
    zone "domainB.local" {
        type forward;
        forwarders { 192.168.1.2; };
    };
};

While keeping domains isolated, implement these security measures:

  • Disable LLMNR and NetBIOS across both domains
  • Configure firewall rules between domain controllers
  • Implement DNS Security Extensions (DNSSEC)
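The three hardening items above, applied and then audited from PowerShell. This is an added example, not code from the original article: the peer DC address (192.168.1.2 from the article's addressing) and the list of AD ports blocked from the peer are assumptions to adjust for your environment, and the firewall rules only cover the inter-DC path, not client traffic.

```powershell
#Requires -RunAsAdministrator
# Added example: harden one domain controller so name resolution and AD traffic
# cannot leak to the other (isolated) domain. Run on each DC, swapping $PeerDc.
param(
    [string]$PeerDc = '192.168.1.2'   # assumption: the other domain's DC
)

function Disable-Llmnr {
    # LLMNR is governed by the DNSClient policy key; EnableMulticast = 0 turns it off.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableMulticast' -Value 0 -Type DWord
}

function Disable-NetBiosOverTcp {
    # TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
}

function Set-PeerDcFirewallRule {
    param([string]$Peer)
    # The peer DC only needs DNS (for the conditional forwarder); Kerberos, RPC,
    # SMB, LDAP and GC ports from it are blocked. Block rules win over allow rules.
    $adTcpPorts = @(88, 135, 139, 389, 445, 464, 636, 3268, 3269)   # assumption
    $adUdpPorts = @(88, 137, 138, 389, 464)                         # assumption
    New-NetFirewallRule -DisplayName "Allow DNS/UDP from peer DC $Peer" -Direction Inbound `
        -RemoteAddress $Peer -Protocol UDP -LocalPort 53 -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName "Allow DNS/TCP from peer DC $Peer" -Direction Inbound `
        -RemoteAddress $Peer -Protocol TCP -LocalPort 53 -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName "Block AD TCP ports from peer DC $Peer" -Direction Inbound `
        -RemoteAddress $Peer -Protocol TCP -LocalPort $adTcpPorts -Action Block | Out-Null
    New-NetFirewallRule -DisplayName "Block AD UDP ports from peer DC $Peer" -Direction Inbound `
        -RemoteAddress $Peer -Protocol UDP -LocalPort $adUdpPorts -Action Block | Out-Null
}

function Test-DcHardening {
    # Audit the three settings and return one object suitable for a compliance check.
    param([string]$Peer)
    $llmnr = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
        -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $netbios = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object -ExpandProperty TcpipNetbiosOptions
    [pscustomobject]@{
        LlmnrDisabled   = ($llmnr -eq 0)
        NetBiosDisabled = (@($netbios | Where-Object { $_ -ne 2 }).Count -eq 0)
        PeerBlockRule   = [bool](Get-NetFirewallRule -DisplayName "Block AD TCP ports from peer DC $Peer" `
                                    -ErrorAction SilentlyContinue)
    }
}

Disable-Llmnr
Disable-NetBiosOverTcp
Set-PeerDcFirewallRule -Peer $PeerDc
Test-DcHardening -Peer $PeerDc | Format-List
```

For the DNSSEC item, Invoke-DnsServerZoneSign signs the local zone on each server; the peer server must then hold that zone's trust anchor (Add-DnsServerTrustAnchor) before it will validate answers it receives through the conditional forwarder, so sign both zones and exchange anchors, or validation will fail rather than silently pass.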

When DNS resolution fails between the domains, start with these checks:

# Test basic connectivity
Test-NetConnection -ComputerName DC2.domainB.local -Port 53

# Verify DNS records
Resolve-DnsName -Name DC1.domainA.local -Server 192.168.1.2

For packet-level inspection:

# Network trace for DNS queries
netsh trace start scenario=NetConnection capture=yes tracefile=C:\temp\dns_trace.etl
# [reproduce issue]
netsh trace stop

When running multiple AD domains on the same physical network, DNS becomes the critical integration point. Both domain controllers will attempt to register their SRV records in the same DNS namespace unless properly segmented.

The most practical approach is to configure conditional forwarding between the DNS servers. Here's how to implement it using PowerShell:

# On DomainA's DNS server (backticks continue the command onto the next line)
Add-DnsServerConditionalForwarderZone `
   -Name "domainb.local" `
   -MasterServers 192.168.1.2 `
   -ForwarderTimeout 3 `
   -ReplicationScope "Forest"

# On DomainB's DNS server
Add-DnsServerConditionalForwarderZone `
   -Name "domaina.local" `
   -MasterServers 192.168.1.1 `
   -ForwarderTimeout 3 `
   -ReplicationScope "Forest"

For single DHCP server environments, configure DNS server assignment like this:

# DHCP scope configuration example (scope-level options for 192.168.1.0)
Set-DhcpServerv4OptionValue `
   -ScopeId 192.168.1.0 `
   -DnsServer 192.168.1.1,192.168.1.2 `
   -Router 192.168.1.254

To prevent accidental trust establishment:

# On both domain controllers (substitute domainb.local for -Identity on DC2)
Set-ADDomainMode -Identity domaina.local -DomainMode Windows2016Domain
Set-ADForestMode -Identity domaina.local -ForestMode Windows2016Forest
# Disable automatic trust creation
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
   -Name "AvoidPdcOnWan" -Value 1

While VLANs aren't strictly necessary, consider these IP assignments:

Device   IP Address     Domain
DC1      192.168.1.1    domaina.local
DC2      192.168.1.2    domainb.local
DHCP     192.168.1.10   N/A

Use these diagnostic commands to verify proper DNS forwarding:

# Test forward lookup
Resolve-DnsName server1.domainb.local -Server dc1.domaina.local

# Test reverse lookup
Resolve-DnsName 192.168.1.2 -Server dc1.domaina.local

# Verify SRV records
nslookup -type=srv _ldap._tcp.domainb.local
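The individual lookups above, and the earlier troubleshooting checks, rolled into one script that audits both directions at once. This is an added example, not part of the original article: it verifies on each DNS server that the conditional forwarder for the other domain exists with the expected master, that the other domain's _ldap._tcp SRV record resolves through it, and that no SRV target for one domain points at a host in the other (the cross-registration the article warns about). The server names, zone names and addresses are the article's sample values and are assumptions for your environment.

```powershell
# Added example: audit conditional forwarding and SRV isolation for two
# isolated AD domains. Requires the DnsServer module (RSAT) on the machine
# running it and DNS admin rights on both servers.
$Pairs = @(
    @{ Server = 'dc1.domaina.local'; Local = 'domaina.local'; Remote = 'domainb.local'; RemoteDns = '192.168.1.2' },
    @{ Server = 'dc2.domainb.local'; Local = 'domainb.local'; Remote = 'domaina.local'; RemoteDns = '192.168.1.1' }
)   # assumption: the article's sample names and addresses

function Test-ConditionalForwarder {
    param([string]$Server, [string]$Zone, [string]$ExpectedMaster)
    # A conditional forwarder shows up in Get-DnsServerZone with ZoneType 'Forwarder'.
    $zone = Get-DnsServerZone -ComputerName $Server -Name $Zone -ErrorAction SilentlyContinue
    if (-not $zone) { return 'Missing' }
    if ($zone.ZoneType -ne 'Forwarder') { return "Wrong type: $($zone.ZoneType)" }
    $masters = @($zone.MasterServers | ForEach-Object { "$_" })
    if ($masters -notcontains $ExpectedMaster) { return "Wrong masters: $($masters -join ',')" }
    return 'OK'
}

function Get-LdapSrv {
    param([string]$Server, [string]$Domain)
    # _ldap._tcp.<domain> is the record a client uses to locate a DC for that domain.
    @(Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -Server $Server -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' })
}

function Test-CrossDomainSrv {
    param([string]$Server, [string]$Domain)
    # The remote domain's SRV record must resolve via this server's forwarder.
    $srv = Get-LdapSrv -Server $Server -Domain $Domain
    if ($srv.Count -eq 0) { return 'No SRV answer' }
    return 'OK: ' + (($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ')
}

function Test-SrvIsolation {
    param([string]$Server, [string]$Domain)
    # Every DC advertised for $Domain must live in $Domain; a target in the other
    # domain means a DC registered into the wrong namespace.
    $srv = Get-LdapSrv -Server $Server -Domain $Domain
    $foreign = @($srv | Where-Object { $_.NameTarget -notlike "*.$Domain" })
    if ($foreign.Count -gt 0) { return 'LEAK: ' + (($foreign | ForEach-Object { $_.NameTarget }) -join ', ') }
    return 'OK'
}

foreach ($p in $Pairs) {
    [pscustomobject]@{
        Server        = $p.Server
        Forwarder     = Test-ConditionalForwarder -Server $p.Server -Zone $p.Remote -ExpectedMaster $p.RemoteDns
        RemoteSrv     = Test-CrossDomainSrv -Server $p.Server -Domain $p.Remote
        LocalIsolated = Test-SrvIsolation -Server $p.Server -Domain $p.Local
    }
} | Format-Table -AutoSize
```

A "Missing" or "Wrong masters" result in the Forwarder column is the usual cause of the failures described under troubleshooting; a LEAK in LocalIsolated means a client of one domain can be handed a DC of the other, which is exactly the cross-registration the isolation is meant to prevent.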