• Status: Solved

DNS resolution across domains

My setup:  2 Active Directory domains running in the same building.  Both are fully trusted by each other.  Each AD domain has one DC, running AD-integrated DNS for its domain.  For *some* of the devices in one domain (not all), they can be pinged from a PC in the other domain without the domain suffix, while others cannot.  I can't figure out what the difference is.

E.g. on PC pc1.domain.local, I can ping pc11.domain2.local just by typing 'ping pc11' but if I try 'ping pc12' I get no response.  I do get a successful ping by using 'ping pc12.domain2.local'.  (Pinging the FQDN of any device always works.)

I have conditional forwarders set up on both DNS servers to point to the other.  All desktop PCs have both DNS servers set in their IPv4 settings. All device names/IPs are unique across both domains.  One server is Server 2003 x32 Std SP2.  The other is Server 2008 R2 Std.  Any help here is appreciated.
Asked: cgtyoder
1 Solution
 
Neil Russell (Technical Development Lead) commented:
When you try pinging PC12 you said you get no response? That implies it was resolved correctly, yes?
OR do you mean that it could not resolve the name PC12?
What happens if you use NSLOOKUP.EXE and type PC12?
 
 
Mike Kline commented:
Do you have domain2 listed in the DNS suffix search list?
Thanks
Mike
 
briandunkle commented:
Check the entries for domain.local to see if an entry for pc11 snuck in there (pointing to pc11.domain2.local) but not pc12...a non-suffix lookup should NOT be able to travel through a trust like that - "pc11" should ONLY refer to pc11.domain.local if the asking machine is on domain.local - otherwise you get problems if you have two machines named pc25.domain.local and pc25.domain2.local. Who should answer "pc25"?

I could see pc11 getting registered dynamically in domain.local if someone sat down on it and logged into that domain...POSSIBLY even if it used resources from the other domain...I don't think it should do that, but it wouldn't amaze me.

Definitely would make sense if it were a machine that switched domains...
 
cgtyoder (Author) commented:
Neilsr:
Sorry for being imprecise - I meant the name does not resolve.  nslookup output follows here:

C:\>nslookup
Default Server:  server1.domain1.local
Address:  192.168.0.20

> pc12
Server:  server1.domain1.local
Address:  192.168.0.20

*** server1.domain1.local can't find pc12: Non-existent domain
>
 
Neil Russell (Technical Development Lead) commented:
When you ping PC11, does it show the resolved name as
PC11.DOMAIN2.LOCAL?
 
briandunkle commented:
Suffix search list is a good idea, but wouldn't explain why the specific workstation he was on could see one machine in the other domain but not the other. :/
 
Neil Russell (Technical Development Lead) commented:
And if you nslookup PC11 ?
 
cgtyoder (Author) commented:
mkline71:
Where is the "DNS suffix search list"?
 
briandunkle commented:
Yes, that's the question, whether it's pulling a record from the other domain or actually has one locally.
 
cgtyoder (Author) commented:
Neilsr:
If I ping pc11, it does not show the FQDN.  
nslookup on pc11 fails.
 
briandunkle commented:
DNS suffix search list is on the workstation itself, telling it what domains to append if you put in an unqualified name like "pc12". Doesn't apply here, though, because it would append it to both pc11 and pc12.
 
cgtyoder (Author) commented:
> Check the entries for domain.local to see if an entry for pc11
> snuck in there (pointing to pc11.domain2.local) but not pc12

There are no such entries.  And the pingable machine did not switch domains.
 
Neil Russell (Technical Development Lead) commented:
If an nslookup for PC11 fails, then it can't be pinging PC11.domain2.local.
Have you checked the local hosts file to see if anyone has added host - IP mappings locally on the PC?
 
Neil Russell (Technical Development Lead) commented:
C:\Windows\System32\drivers\etc\hosts on Windows XP
 
Neil Russell (Technical Development Lead) commented:
> Neilsr:
> If I ping pc11, it does not show the FQDN.
> nslookup on pc11 fails.

In that case it is NOT DNS resolution that is giving you the IP address.
 
Mike Kline commented:
If you want to test the DNS suffix search order for one box:
Go to the TCP/IP properties >> Advanced >> DNS >> Append these DNS suffixes
You can also configure it via group policy.

Thanks
Mike
 
briandunkle commented:
That does sound more like a local hosts setting - if it can't nslookup the box, it's not getting the listing from DNS for the ping, either.
 
Neil Russell (Technical Development Lead) commented:
One other thought, are BOTH domains on completely different subnets? Mixed on one subnet? Mixed on two subnets?
 
Neil Russell (Technical Development Lead) commented:
If PC1 & PC11 are on the same subnet then Windows will resolve the address PC11 via a broadcast. If PC12 is on another subnet then broadcasts won't traverse the router so it won't resolve. That's another possibility if you're on multiple subnets.
 
briandunkle commented:
Ah, good one. Would also work if they're on the same subnet but pc12 is on another switch that might not let broadcast traffic through. Good point, definitely.
 
Neil Russell (Technical Development Lead) commented:
VLANs?
 
sameeragayan commented:
First try to PING PC12 using its IP address. If you can ping it using the IP address then it is a DNS issue. Otherwise it could be a network connection issue or PC12 is not in the same subnet as PC11.

If it is a DNS issue, first check that there is a host record for your PC12 in the DNS forward lookup zone. If there is no record, create one manually under the correct domain name and try to ping using PC12.

Is PC12 getting IP address from DHCP?

 
Neil Russell (Technical Development Lead) commented:
@sameeragayan
We have already proven that it is NOT a DNS resolution issue from the servers, read above. NSLOOKUP fails for both, ping does not show the FQDN.
 
cgtyoder (Author) commented:
Neilsr:
No added entries in .../etc/hosts file.

mkline71:
There are no added domains in the DNS suffix search list.
All devices are in 192.168.0.x.
 
Neil Russell (Technical Development Lead) commented:
OK, if ALL devices are in 192.168.0.x then you SHOULD be able to ping every device. Are you sure you don't have Windows Firewall enabled on SOME and not on others?
 
briandunkle commented:
Doing it via broadcast, then...if they're not on different switches, you might compare the Windows Firewall settings of the two (pc11 and pc12).
I'm curious now what would happen if you put up a machine with the same name that was in the name domain, e.g. have one called pc12 in each. Which one would answer? :)
 
cgtyoder (Author) commented:
They are on different switches - and some devices are W2K PCs, printers, DNS aliases - these are the items I cannot ping, which makes sense given the above comments.  (I have all semi-managed switches, with 1 dumb switch - would that cause broadcast traffic to be not relayed?)
 
Neil Russell (Technical Development Lead) commented:
Group Policy:
Computer
Administrative Templates
Network/DNS
DNS Suffix Search Order
Add Domain1.local,domain2.local on domain 1
and
add Domain2.local,domain1.local on domain 2
 
Neil Russell (Technical Development Lead) commented:
Your issue is not that DNS is being resolved cross-domain for SOME names. It is NOT being resolved for ANY names. Windows is doing some local resolution where it can.
So in answer to your question.....
There is no difference. There is no DNS problem affecting SOME machines.
Use the Group Policy I posted above to force ALL computers to look up names in both xxxx.domain1.local and then xxxx.domain2.local formats.
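The checks the thread walked through by hand (hosts file, client suffix search list, DNS-only lookups per suffix, NetBIOS/LLMNR-only lookup) can be run in one pass from the affected PC. This is an added example, not code posted by anyone in the thread; it assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Get-DnsClientGlobalSetting, and uses the zone names domain1.local and domain2.local from the question.

```powershell
# Added example: show which resolution layer answers for a short name.
# Assumes Windows 8 / Server 2012+ (Resolve-DnsName, Get-DnsClientGlobalSetting);
# the suffixes default to the two AD zones named in the question.
param(
    [string]$ShortName = 'pc12',
    [string[]]$Suffixes = @('domain1.local', 'domain2.local')
)

# 1. Local hosts file: a static entry wins over DNS and NetBIOS.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern   = "^\s*[^#\s]\S*\s+.*\b$([regex]::Escape($ShortName))\b"
$hostsHits = @(Select-String -Path $hostsPath -Pattern $pattern -ErrorAction SilentlyContinue)
Write-Host ("hosts file entries for {0}: {1}" -f $ShortName, $hostsHits.Count)

# 2. What the client appends to an unqualified name (effective list, then the
#    value the "DNS Suffix Search Order" policy writes, if that policy is applied).
$searchList = (Get-DnsClientGlobalSetting).SuffixSearchList
if ($searchList) { $listText = $searchList -join ', ' } else { $listText = '(empty: primary suffix only)' }
Write-Host ("client suffix search list: {0}" -f $listText)
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                        -Name SearchList -ErrorAction SilentlyContinue
if ($pol) { Write-Host ("policy-set SearchList: {0}" -f $pol.SearchList) }
else      { Write-Host "policy-set SearchList: (not configured)" }

# 3. DNS only: one query per candidate FQDN, hosts file and NetBIOS/LLMNR excluded.
#    This is the path nslookup exercises, so it should agree with the thread's output.
foreach ($suffix in $Suffixes) {
    $fqdn = "$ShortName.$suffix"
    $a = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue
    if ($a) {
        $ips = ($a | Where-Object { $_.IPAddress }).IPAddress -join ', '
        Write-Host ("DNS           {0,-28} -> {1}" -f $fqdn, $ips)
    } else {
        Write-Host ("DNS           {0,-28} -> no A record" -f $fqdn)
    }
}

# 4. NetBIOS/LLMNR only: the broadcast path that answered for pc11 in the thread.
#    It reaches only hosts in the same broadcast domain, which is why a switch,
#    VLAN, or host firewall boundary makes some short names "stop resolving".
$nb = Resolve-DnsName -Name $ShortName -LlmnrNetbiosOnly -ErrorAction SilentlyContinue
if ($nb) {
    $ips = ($nb | Where-Object { $_.IPAddress }).IPAddress -join ', '
    Write-Host ("NetBIOS/LLMNR {0,-28} -> {1}" -f $ShortName, $ips)
} else {
    Write-Host ("NetBIOS/LLMNR {0,-28} -> no answer" -f $ShortName)
}
```

If step 3 answers for the second suffix while step 2 shows that suffix missing from the search list, the Group Policy above is the fix; if only step 4 answers, the name was never coming from DNS.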
 
cgtyoder (Author) commented:
Bingo!  Thanks for the resolution.
 
briandunkle commented:
Yep, good answer(s), neilsr.