cgtyoder

asked on

DNS resolution across domains

My setup:  2 Active Directory domains running in the same building.  Both fully trust each other.  Each AD domain has one DC, running AD-integrated DNS for its domain.  Some of the devices in one domain (not all) can be pinged from a PC in the other domain without the domain suffix, while others cannot.  I can't figure out what the difference is.

E.g. on PC pc1.domain.local, I can ping pc11.domain2.local just by typing 'ping pc11' but if I try 'ping pc12' I get no response.  I do get a successful ping by using 'ping pc12.domain2.local'.  (Pinging the FQDN of any device always works.)

I have conditional forwarders set up on both DNS servers to point to the other.  All desktop PCs have both DNS servers set in their IPv4 settings. All device names/IPs are unique across both domains.  One server is Server 2003 x32 Std SP2.  The other is Server 2008 R2 Std.  Any help here is appreciated.
Neil Russell

When you try pinging PC12 you said you get no response? That implies it was resolved correctly yes?
OR do you mean that it could not resolve the name PC12.
What happens if you use NSLOOKUP.EXE and type PC12?
 
Mike Kline
Do you have domain2 listed in the DNS suffix search list?
Thanks
Mike
briandunkle

Check the entries for domain.local to see if an entry for pc11 snuck in there (pointing to pc11.domain2.local) but not pc12...a non-suffix lookup should NOT be able to travel through a trust like that - "pc11" should ONLY refer to pc11.domain.local if the asking machine is on domain.local - otherwise you get problems if you have two machines named pc25.domain.local and pc25.domain2.local. Who should answer "pc25"?

I could see pc11 getting registered dynamically in domain.local if someone sat down on it and logged into that domain...POSSIBLY even if it used resources from the other domain...I don't think it should do that, but it wouldn't amaze me.

Definitely would make sense if it were a machine that switched domains...
cgtyoder (ASKER)
Neilsr:
Sorry for being imprecise - I meant the name does not resolve.  nslookup output follows here:

C:\>nslookup
Default Server:  server1.domain1.local
Address:  192.168.0.20

> pc12
Server:  server1.domain1.local
Address:  192.168.0.20

*** server1.domain1.local can't find pc12: Non-existent domain
>
When you ping PC11, does it show the resolved name as
PC11.DOMAIN2.LOCAL ?
suffix search list is a good idea, but wouldn't explain why the specific workstation he was on could see one machine in the other domain but not the other. :/
And if you nslookup PC11 ?
mkline71:
Where is the "DNS suffix search list"?
yes, that's the question, whether it's pulling a record from the other domain or actually has one locally.
Neilsr:
If I ping pc11, it does not show the FQDN.  
nslookup on pc11 fails.
DNS suffix search list is on the workstation itself, telling it what domains to append if you put in an unqualified name like "pc12". Doesn't apply here, though, because it would append it to both pc11 and pc12.
> Check the entries for domain.local to see if an entry for pc11
> snuck in there (pointing to pc11.domain2.local) but not pc12

There are no such entries.  And the pingable machine did not switch domains.
IF an nslookup for PC11 fails then it can't be pinging PC11.domain2.local
Have you checked the local host file to see if anyone has added host - IP mappings locally on the PC?
c:\windows\system32\drivers\etc\hosts on windows XP
"Neilsr:
If I ping pc11, it does not show the FQDN.  
nslookup on pc11 fails."
In that case it is NOT DNS resolution that is giving you the IP address.
If you want to test DNS Suffix search order for one box
Go to the TCP/iP properties >> Advanced >> DNS  >> Append these DNS suffixes
You can also configure it via group policy
 
Thanks
Mike
that does sound more like a local hosts setting - if it can't nslookup the box, it's not getting the listing from DNS for the ping, either.
One other thought, are BOTH domains on completely different subnets? Mixed on one subnet? Mixed on two subnets?
IF PC1 & PC11 are on the same subnet then Windows will resolve the address PC11 via a broadcast. IF PC12 is on another subnet then broadcasts won't traverse the router so it won't resolve. That's another possibility IF you're on multiple subnets
Ah, good one. Would also work if they're on the same subnet but pc12 is on another switch that might not let broadcast traffic through. Good point, definitely.
VLANS?
First try to PING PC12 using its IP address. If you can ping it using IP address then it is a DNS issue. Otherwise it could be a network connection issue or PC12 is not in same subnet as PC11.

If it is a DNS issue, first check that there is  a host record for your PC12 in DNS forward lookup zone. if there is no record,  create one manually under correct domain name and try to ping using PC12.

Is PC12 getting IP address from DHCP?

@sameeragayan
We have already proven that it is NOT a DNS resolution issue from servers, read above. NSLOOKUP fails for both, Ping does not show FQDN.....
Neilsr:
No added entries in .../etc/hosts file.

mkline71:
There are no added domains in the DNS suffix search list.
All devices are in 192.168.0.x.
OK, IF ALL devices are in 192.168.0.x then you SHOULD be able to ping every device. Are you sure you don't have Windows Firewall enabled on SOME and not on others?
doing it via broadcast, then...if they're not on different switches, you might compare the windows firewall settings of the two (pc11 and pc12).
I'm curious now what would happen if you put up a machine with the same name that was in the name domain, e.g. have one called pc12 in each. Which one would answer? :)
They are on different switches - and some devices are W2K PCs, printers, DNS aliases - these are the items I cannot ping, which makes sense given the above comments.  (I have all semi-managed switches, with 1 dumb switch - would that cause broadcast traffic to be not relayed?)
Group policies......
Computer
Administrative Templates
Network/DNS
DNS Suffix Search Order
Add Domain1.local,domain2.local on domain 1
and
add Domain2.local,domain1.local on domain 2
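An added PowerShell check (not from the thread or from Experts Exchange) that automates the reasoning in the replies above: for one short name it separates hosts-file, DNS-with-suffix and NetBIOS-broadcast answers, so a "ping works but nslookup fails" host shows up as NetBIOS-only, and the suffix search list fix can be confirmed by passing the other domain as a suffix. It assumes a Windows 8 / Server 2012 or newer client with the DnsClient module; $ShortName and $Suffixes are the script's own parameters.

```powershell
# Added diagnostic, not from the thread. Reports which resolution path answers
# a short name: hosts file, DNS (under which suffix), or NetBIOS broadcast.
# Assumes Windows 8 / Server 2012+ (Resolve-DnsName, Get-DnsClientGlobalSetting);
# the XP/2003-era machines in the thread would need nslookup/nbtstat instead.
param(
    [Parameter(Mandatory = $true)][string]$ShortName,
    [string[]]$Suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
)

$result = [ordered]@{ Name = $ShortName; Hosts = $null; Dns = @(); NetBios = $null }

# 1. Static mapping: an uncommented hosts line naming the host bypasses DNS entirely.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLine = Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and
                   $_ -match "^\s*\S+\s+.*\b$([regex]::Escape($ShortName))\b" }
if ($hostsLine) { $result.Hosts = ($hostsLine -join '; ') }

# 2. DNS only, one query per suffix. This is what the suffix search list does for
#    an unqualified name; a miss for every suffix is the thread's
#    "nslookup pc12 -> Non-existent domain".
foreach ($suffix in $Suffixes) {
    $fqdn = "$ShortName.$suffix"
    $a = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue
    if ($a) {
        $ips = ($a | Where-Object Type -eq 'A').IPAddress -join ','
        $result.Dns += "$fqdn -> $ips"
    }
}

# 3. LLMNR/NetBIOS only. A hit here with no DNS hit is the thread's case: ping
#    works on the same broadcast segment, nslookup fails, other switches/VLANs fail.
$nb = Resolve-DnsName -Name $ShortName -LlmnrNetbiosOnly -ErrorAction SilentlyContinue
if ($nb) { $result.NetBios = ($nb.IPAddress -join ',') }

$result.Verdict = if ($result.Hosts) { 'hosts file' }
    elseif ($result.Dns.Count) { 'DNS via suffix search list' }
    elseif ($result.NetBios) { 'NetBIOS/LLMNR broadcast only: add the other domain to the suffix list or register the host in that zone' }
    else { 'unresolved by any path' }
[pscustomobject]$result
```

Run it once per problem host, e.g. with `-ShortName pc12 -Suffixes domain1.local,domain2.local`, to see whether the missing piece is the suffix list or a missing host record in the other zone.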
 
ASKER CERTIFIED SOLUTION
Neil Russell
Bingo!  Thanks for the resolution.
yep, good answer(s) neilsr