Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

NSLOOKUP does not return an response for a reverse zone request from a child domain

Posted on 2008-10-06
9
Medium Priority
?
613 Views
Last Modified: 2012-05-05
My environment has a parent domain (alpha.com) and a child domain (euorpe.alpha.com).  When I attempt an NSLOOKUP for a reverse zone while on a machine in the alpha.com domain, and the reverse lookup request is for a machine on the euorpe.alpha.com domain, I recieve an error: "dc01.alpha.com can't find 10.15.x.x: Non-existent domain".  It appears I cannot do a reverse lookup via nslookup for machines in child domains.  If I goto the europe.alpha.com domain, I can perform this reverse lookup with no problem.

What could cause this inability to query a pointer record in a child domains dns structure.
0
Comment
Question by:dgeile
  • 4
  • 3
  • 2
9 Comments
 
LVL 18

Expert Comment

by:Americom
ID: 22652887
make sure the DNS server of aplpha.com consiste the reverse zone of theeurope.alpha.com. If not, you may want to replicate(transfer) it there. There is a few options you can do this depending on how your DNS infrastructure is setup. One common one is secondary zone of europe.alpha.com in alpha.com.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22652928

For the Reverse Lookup Zone... it will only show you answers from that zone in one of two circumstances:

1. The server you ask is authoritative
2. A delegation, forwarder or other resolution path exists

The second simply means that you won't be able to resolve PTR records unless you can find the zone hosting the record from the server you ask. Remember that Reverse Lookup zones are not delegated simply because the Forward is.

Chris
0
 

Author Comment

by:dgeile
ID: 22652946
It does work if I transfer the reverse zone to alpha.com, but was not aware that that was a requirement.  I assumed since forward zones of child domains were not in the parent zone, the reverse zone could also remain separate.  Should I make all reverse zones available on all domains in the forest?  Is there another option?
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 
LVL 18

Accepted Solution

by:
Americom earned 375 total points
ID: 22652979
Yes, if you want to be able to do reverse lookup from alpha.com.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22652991

> I assumed since forward zones of child domains were not in the parent zone, the reverse zone could
> also remain separate.

No, but the child is likely to be delegated for the Forward Lookup. Do you see a greyed out folder for the child domain in the parent?

Delegations on reverse lookup zones aren't automatically added, unlike delegations for the Foward which should have been added when the child domain was created.

For the Reverse you either need to create a delegation for the sub-domain or create a Secondary copy, or increase the scope so the reverse lookup zone replicates to the parent domain as well.

If you want to look more into the delegation please let me know the Reverse Lookup Zone name in the parent as well. The delegation will only work if you host the parent. e.g. 10.x.x.x or 10.in-addr.arpa.

Conditional Forwarders would work as well, except you cannot maintain those through the GUI unless you upgrade to Server 2008 (due to bad design in 2003), limits us a bit.

Chris
0
 
LVL 18

Expert Comment

by:Americom
ID: 22652998
Samething if you have multiple forest, and want to be ablet o do nslookup both forward and reverse, sure, you need to duplicate them.
0
 
LVL 18

Expert Comment

by:Americom
ID: 22653011
BTW, are you using ADIZ?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22653013

You don't necessarily need to duplicate them at all. It depends on the environment and configuration. Reverse Lookup Zones can be forwarded or delegated in the same way as Forward Lookup Zones.

Chris
0
 

Author Closing Comment

by:dgeile
ID: 31503536
I will replicate the reverse zones to the other child domians to allow nslookups on reverse zones throughout the enterprise.  It is the simplest solution with little overhead.
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question