Solved

Non existent domain when doing an nslookup to second domain

Posted on 2010-08-19
Last Modified: 2012-05-10
I have recently built a new Windows Forest/Domain with a single domain controller, which is Windows Server 2003 SP2. I ran dcpromo to install AD on the box and allowed the wizard to create the DNS automatically.
When I look in the DNS console, under Forward Lookup Zones - domain name, the _msdcs folder is greyed out; not sure why. I suppose this is the first issue.
Everything else in DNS looks correct: dynamic updates are set to 'nonsecure and secure' and the name server is the name of my domain controller. The NS record for the domain controller is also present.
When I do an nslookup for the domain name, server or IP of the domain controller, again it looks fine.

I have a second Windows Forest/Domain which has been established for a few years now; again, all DCs in this domain are Windows Server 2003. The purpose of building the new domain above is to establish a two-way, fully transitive forest trust between the two domains. Both forests exist on the same VLAN, so there are no firewall rules in play here.
When I do an nslookup from the new domain to the old domain, it all looks fine. It displays the IPs for all the DCs in the old domain and the fully qualified name of the old domain, so again all looks good.
When I attempt an nslookup from the old domain to the new domain, I get the error message 'cannot find the new domain: Non-existent domain'. This is preventing me from establishing the trust.

Apologies if the above description is a little messy and all over the place. I don't know what else to try on this and would greatly appreciate any help.
Question by:NoelMCM

Expert Comment by: Darius Ghassem
So, your msdcs folder is grayed out? Do you have an msdcs.domain.com zone? If not, you need to delete the domain.com zone and then recreate the zone.


Expert Comment by: Darius Ghassem
Make sure there is a reverse lookup zone as well.

Author Comment by: NoelMCM
Yes, I do have the msdcs.domain.com zone, but I didn't have the reverse lookup zone configured. I have configured that now and restarted the Net Logon service, but it doesn't seem to have made a difference. I have attached a screenshot of the DNS console.
dns.bmp

Accepted Solution by: Darius Ghassem (earned 500 total points)
Make sure you are DNS forwarding to the other domain, or create a secondary zone for each domain on the other DNS server.

Author Comment by: NoelMCM
Apologies, I should have mentioned that before. I have DNS forwarding configured in both domains.

Expert Comment by: Darius Ghassem
Can you ping the domain name?

Author Comment by: NoelMCM
Just to help stop any confusion:
The old domain is called allianz.ie
The new domain is called allianzire.ie

When I ping allianzire.ie from a DC in the allianz.ie domain, I get an error saying 'Ping could not find host allianzire.ie. Please check the name and try again'.

When I ping allianz.ie from the DC in the allianzire.ie domain, I get a reply from one of the DCs in the allianz.ie domain, which is what I would expect.

Expert Comment by: cnemcse1
Create the secondary zone for allianzire.ie on SERVER004HO, and a secondary zone for allianz.ie on the other DNS server; implement zone replication on each of the servers and wait until the zones get fully replicated. Check with nslookup and then attempt to create the trusts. Make sure that your domains are at 2003 functional level and the forests are also at 2003 functional level. When creating the trust, log on as a user that is a member of the Enterprise Admins group in both forests (check the root domain).

Expert Comment by: Darius Ghassem
One, your DNS forwarders are not set up properly, or you can set up secondary zones like I said here: http:#a33479051

Author Comment by: NoelMCM
Firstly thank you both for your comments.

In the allianz.ie domain, under the zone _msdcs.allianz.ie, I have added the IP address of the DC in the allianzire.ie domain as a zone transfer server.

Likewise, in the allianzire.ie domain, under the zone _msdcs.allianzire.ie, I have added the IP addresses of the DCs in the allianz.ie domain as zone transfer servers.

The result is that I can now do an nslookup from both domains and I get the expected response, which is great. Is this normal practice, or have I done this wrong?

When I go to establish the trust from the PDC server in allianz.ie to allianzire.ie, I get an 'RPC server cannot be contacted' error in the allianzire.ie domain. But I have been able to get around this by creating both sides of the trust from the allianzire.ie PDC server, so the trust has been established, but I fear there is still an underlying issue behind this RPC error.

I will be adding an additional DC to the allianzire.ie domain at some stage today, so hopefully the RPC error won't appear when I attempt to add the new DC to the existing domain, but I suspect it will.

I will award points for your help later today.
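The two configurations the answers describe (the accepted answer's forwarding, or the secondary zones cnemcse1 and Darius suggest and the asker ended up using) and the DNS records a forest trust actually needs, as an added PowerShell example that is not part of the thread and not code posted by any participant. It assumes dnscmd.exe is available on the DNS server (Windows Server 2003 Support Tools; built in from Windows Server 2008), that it runs on a DNS server in one forest under a DNS/Domain admin account, and that the 192.0.2.x addresses are placeholders for the other forest's DNS servers. The domain names are the ones from the thread; the function names are this example's own.

```powershell
# Added example (not from the thread). Run on a DNS server in the allianz.ie forest;
# set $RemoteForest to 'allianz.ie' and run it again on the allianzire.ie side.
$RemoteForest = 'allianzire.ie'
$RemoteDns    = @('192.0.2.10', '192.0.2.11')   # PLACEHOLDER: DNS servers of the other forest

# Option A - conditional forwarder zone (the accepted answer's "DNS forwarding", per zone).
# Queries for allianzire.ie and everything beneath it, including _msdcs.allianzire.ie,
# are sent to the other forest's DNS servers. No zone data is copied, so no zone-transfer
# permission is needed on the other side and nothing can drift out of sync.
function Add-ForestForwarder {
    param([string]$Zone, [string[]]$Masters)
    & dnscmd . /ZoneAdd $Zone /Forwarder $Masters
}

# Option B - secondary zones (cnemcse1's answer). The master must list this server under
# "Zone Transfers" on each zone, or the transfer is refused. _msdcs.<forest> is a separate
# zone on Windows Server 2003 (the greyed-out _msdcs folder under the domain zone is only a
# delegation to it), so it must be pulled as well: the trust wizard looks up SRV records such
# as _ldap._tcp.dc._msdcs.<forest>, not just the domain's A records.
function Add-ForestSecondaryZones {
    param([string]$Zone, [string[]]$Masters)
    & dnscmd . /ZoneAdd $Zone /Secondary $Masters
    & dnscmd . /ZoneAdd "_msdcs.$Zone" /Secondary $Masters
}

# Verification - the records a forest trust needs from the other forest, checked with the
# same nslookup the thread uses. "Non-existent domain" is the failure the question reports.
function Test-ForestDnsResolution {
    param([string]$Forest)
    $records = @(
        @{ Type = 'A';   Name = $Forest },                            # what "ping allianzire.ie" resolves
        @{ Type = 'SRV'; Name = "_ldap._tcp.dc._msdcs.$Forest" },     # DC locator
        @{ Type = 'SRV'; Name = "_kerberos._tcp.dc._msdcs.$Forest" }, # Kerberos KDC
        @{ Type = 'SRV'; Name = "_ldap._tcp.gc._msdcs.$Forest" }      # global catalog
    )
    foreach ($r in $records) {
        $out = (& nslookup "-type=$($r.Type)" $r.Name 2>&1) | Out-String
        New-Object PSObject -Property @{
            Name     = $r.Name
            Type     = $r.Type
            Resolved = ($out -notmatch 'Non-existent domain') -and ($out -notmatch "can't find")
        }
    }
}

# Pick one of the two options, then verify from this side before running the trust wizard.
Add-ForestForwarder -Zone $RemoteForest -Masters $RemoteDns
# Add-ForestSecondaryZones -Zone $RemoteForest -Masters $RemoteDns
Test-ForestDnsResolution -Forest $RemoteForest | Format-Table Name, Type, Resolved -AutoSize
```

Option A is the usual choice between two forests that remain separately administered: a forwarder hands the other forest nothing, whereas a secondary zone gives the receiving server a full copy of every DC and service record in the zone, which is why zone transfers should be limited to the specific servers listed on the Zone Transfers tab, as the asker did, rather than "to any server". The SRV checks matter for the RPC error in the thread as well: the trust wizard and dcpromo first locate a DC through those _msdcs records, and `nltest /dsgetdc:allianzire.ie` run from the allianz.ie side exercises that same DC locator path and reports which DC (if any) it found.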