Solved

DNS resolution across domains

Posted on 2010-08-23
Last Modified: 2012-08-14
My setup:  2 Active Directory domains running in the same building.  Both are fully trusted by each other.  Each AD domain has one DC, running AD-integrated DNS for its domain.  For *some* of the devices in one domain (not all), they can be pinged from a PC in the other domain without the domain suffix, while others cannot.  I can't figure out what the difference is.

E.g. on PC pc1.domain.local, I can ping pc11.domain2.local just by typing 'ping pc11' but if I try 'ping pc12' I get no response.  I do get a successful ping by using 'ping pc12.domain2.local'.  (Pinging the FQDN of any device always works.)

I have conditional forwarders set up on both DNS servers to point to the other.  All desktop PCs have both DNS servers set in their IPv4 settings. All device names/IPs are unique across both domains.  One server is Server 2003 x32 Std SP2.  The other is Server 2008 R2 Std.  Any help here is appreciated.
Question by:cgtyoder
31 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33503549
When you try pinging PC12 you said you get no response? That implies it was resolved correctly, yes?
OR do you mean that it could not resolve the name PC12?
What happens if you use NSLOOKUP.EXE and type PC12?
 
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33503577
Do you have domain2 listed in the DNS suffix search list?
Thanks
Mike
0
 
LVL 7

Expert Comment

by:briandunkle
ID: 33503588
Check the entries for domain.local to see if an entry for pc11 snuck in there (pointing to pc11.domain2.local) but not pc12...a non-suffix lookup should NOT be able to travel through a trust like that - "pc11" should ONLY refer to pc11.domain.local if the asking machine is on domain.local - otherwise you get problems if you have two machines named pc25.domain.local and pc25.domain2.local. Who should answer "pc25"?

I could see pc11 getting registered dynamically in domain.local if someone sat down on it and logged into that domain...POSSIBLY even if it used resources from the other domain...I don't think it should do that, but it wouldn't amaze me.

Definitely would make sense if it were a machine that switched domains...
0

Author Comment

by:cgtyoder
ID: 33503675
Neilsr:
Sorry for being imprecise - I meant the name does not resolve.  nslookup output follows here:

C:\>nslookup
Default Server:  server1.domain1.local
Address:  192.168.0.20

> pc12
Server:  server1.domain1.local
Address:  192.168.0.20

*** server1.domain1.local can't find pc12: Non-existent domain
>
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33503676
When you ping PC11, does it show the resolved name as
PC11.DOMAIN2.LOCAL ?
0
 
LVL 7

Expert Comment

by:briandunkle
ID: 33503678
suffix search list is a good idea, but wouldn't explain why the specific workstation he was on could see one machine in the other domain but not the other. :/
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33503680
And if you nslookup PC11 ?
0
 

Author Comment

by:cgtyoder
ID: 33503689
mkline71:
Where is the "DNS suffix search list"?
0
 
LVL 7

Expert Comment

by:briandunkle
ID: 33503698
yes, that's the question, whether it's pulling a record from the other domain or actually has one locally.
0
 

Author Comment

by:cgtyoder
ID: 33503709
Neilsr:
If I ping pc11, it does not show the FQDN.  
nslookup on pc11 fails.
0
 
LVL 7

Expert Comment

by:briandunkle
ID: 33503715
DNS suffix search list is on the workstation itself, telling it what domains to append if you put in an unqualified name like "pc12". Doesn't apply here, though, because it would append it to both pc11 and pc12.
0
 

Author Comment

by:cgtyoder
ID: 33503739
> Check the entries for domain.local to see if an entry for pc11
> snuck in there (pointing to pc11.domain2.local) but not pc12

There are no such entries.  And the pingable machine did not switch domains.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33503753
IF an nslookup for PC11 fails then it can't be pinging PC11.domain2.local.
Have you checked the local host file to see if anyone has added host - IP mappings locally on the PC?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33503763
c:\windows\system32\drivers\etc\hosts on windows XP
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33503794
"Neilsr:
If I ping pc11, it does not show the FQDN.  
nslookup on pc11 fails."
In that case it is NOT DNS resolution that is giving you the IP address.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33503803
If you want to test DNS suffix search order for one box
Go to the TCP/IP properties >> Advanced >> DNS >> Append these DNS suffixes
You can also configure it via group policy
 
Thanks
Mike
0
 
LVL 7

Expert Comment

by:briandunkle
ID: 33503807
that does sound more like a local hosts setting - if it can't nslookup the box, it's not getting the listing from DNS for the ping, either.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33503809
One other thought, are BOTH domains on completely different subnets? Mixed on one subnet? Mixed on two subnets?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33503846
IF PC1 & PC11 are on the same subnet then Windows will resolve the address PC11 via a broadcast. IF PC12 is on another subnet then broadcasts won't traverse the router so it won't resolve. That's another possibility IF you're on multiple subnets.
0
 
LVL 7

Expert Comment

by:briandunkle
ID: 33503954
Ah, good one. Would also work if they're on the same subnet but pc12 is on another switch that might not let broadcast traffic through. Good point, definitely.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33503992
VLANS?
0
 
LVL 2

Expert Comment

by:sameeragayan
ID: 33504001
First try to PING PC12 using its IP address. If you can ping it using IP address then it is a DNS issue. Otherwise it could be a network connection issue or PC12 is not in same subnet as PC11.

If it is a DNS issue, first check that there is a host record for your PC12 in the DNS forward lookup zone. If there is no record, create one manually under the correct domain name and try to ping using PC12.

Is PC12 getting IP address from DHCP?

0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33504128
@sameeragayan
We have already proven that it is NOT a DNS resolution issue from servers, read above. NSLOOKUP fails for both, Ping does not show FQDN.....
0
 

Author Comment

by:cgtyoder
ID: 33504140
Neilsr:
No added entries in .../etc/hosts file.

mkline71:
There are no added domains in the DNS suffix search list.
All devices are in 192.168.0.x.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33504221
OK, IF ALL devices are in 192.168.0.x then you SHOULD be able to ping every device. Are you sure you don't have Windows Firewall enabled on SOME and not on others?
0
 
LVL 7

Expert Comment

by:briandunkle
ID: 33504251
Doing it via broadcast, then... if they're not on different switches, you might compare the Windows Firewall settings of the two (pc11 and pc12).
I'm curious now what would happen if you put up a machine with the same name that was in the same domain, e.g. have one called pc12 in each. Which one would answer? :)
0
 

Author Comment

by:cgtyoder
ID: 33504327
They are on different switches - and some devices are W2K PCs, printers, DNS aliases - these are the items I cannot ping, which makes sense given the above comments.  (I have all semi-managed switches, with 1 dumb switch - would that cause broadcast traffic to be not relayed?)
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33504468
Group policies......
Computer
Administrative Templates
Network/DNS
DNS Suffix Search Order
Add Domain1.local,domain2.local on domain 1
and
add Domain2.local,domain1.local on domain 2
 
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 500 total points
ID: 33504494
Your issue is not that DNS is being resolved cross domain for SOME names. It is NOT being resolved for ANY names. Windows is doing some local resolution where it can.
So in answer to your question.....
There is no difference. There is no DNS problem affecting SOME machines.
Use the Group Policy I posted above to force ALL computers to look up names in both xxxx.domain1.local and then xxxx.domain2.local formats.
0
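To make the accepted answer concrete, here is an added example (not code from the thread or from Windows) that models the resolution order the replies work out: hosts file, then DNS with the suffix search list applied to unqualified names, then a NetBIOS broadcast that only reaches hosts in the same broadcast domain. The zone data, addresses and the set of hosts a broadcast reaches are all constructed; the two suffix lists correspond to the default (own suffix only) and the Group Policy search order posted above.

```python
# Added example, not code from the thread: a small model of the Windows
# name-resolution order the answers establish above. All zone contents,
# addresses and the "reachable by broadcast" set are constructed here.

DNS_ZONES = {  # either DC answers for both zones via conditional forwarders
    "domain1.local": {"pc1": "192.168.0.101", "server1": "192.168.0.20"},
    "domain2.local": {"pc11": "192.168.0.111", "pc12": "192.168.0.112"},
}

# Hosts whose NetBIOS name a broadcast from pc1 would reach: pc11 shares
# pc1's switch; pc12 sits behind a switch that does not relay the broadcast.
BROADCAST_REACHABLE = {"pc11": "192.168.0.111"}


def dns_lookup(name, suffix_list):
    """Answer a DNS query; an unqualified name is tried with each suffix."""
    if "." in name:
        candidates = [name]
    else:
        candidates = ["%s.%s" % (name, suffix) for suffix in suffix_list]
    for fqdn in candidates:
        host, _, zone = fqdn.partition(".")
        addr = DNS_ZONES.get(zone, {}).get(host)
        if addr:
            return addr
    return None


def resolve(name, suffix_list, hosts_file=None):
    """Return (address, method) in the order Windows tries them."""
    hosts_file = hosts_file or {}
    if name in hosts_file:
        return hosts_file[name], "hosts"
    addr = dns_lookup(name, suffix_list)
    if addr:
        return addr, "dns"
    # NetBIOS fallback applies to short names only and never crosses a
    # boundary that drops broadcasts, which is why pc12 "disappears".
    if "." not in name and name in BROADCAST_REACHABLE:
        return BROADCAST_REACHABLE[name], "netbios-broadcast"
    return None, "unresolved"


if __name__ == "__main__":
    before = ["domain1.local"]                   # default: own suffix only
    after = ["domain1.local", "domain2.local"]   # the GPO search order above
    for name in ("pc11", "pc12", "pc12.domain2.local"):
        print(name, resolve(name, before), resolve(name, after))
```

With the default suffix list pc11 is found only by broadcast and pc12 not at all; with both suffixes in the search order every name resolves through DNS and the broadcast path is never needed.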
 

Author Closing Comment

by:cgtyoder
ID: 33504869
Bingo!  Thanks for the resolution.
0
 
LVL 7

Expert Comment

by:briandunkle
ID: 33505004
yep, good answer(s) neilsr
0
