  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 726
  • Last Modified:

IP change in Domain Controller of a Trusted Forest

Hi. A client of our company has a Trust between two forests. The trust was ok and the two domains were working without any problem.

Then the DC of one of the trusted domains had a NIC problem and the IT administrator of our Client decided to enable the other NIC in the server and also changed the IP.

We did fix all DNS problems that arose after that IP change in the DC but there's a situation that we couldn't fix.

The nslookup to that DC only works when we use the FQDN or the new IP of it, the access to shared folders in that DC using \\ also only works with the FQDN or new IP, mapping also. Ping works fine.

We cleared the DNS cache, flushed, reloaded and restarted, but nothing worked. There are no more references to the old IP of that server in the DNS or anywhere else.

We want to be able to make nslookup, \\ and mapping work using the name of the server, not only the FQDN or IP.

I hope I was clear. Thanks.
0
Asked by: kitsao
1 Solution
 
Ernie Beek commented:
Did you check WINS?
0
 
JBond2010 commented:
You need to create a Stub Zone and SRV Records of the other Forest.
0
 
Chris Dent (PowerShell Developer) commented:
> The nslookup to that DC only works when we use the FQDN or the new IP of it, the access to shared folders in that DC using \\ also
> only works with the FQDN or new IP, mapping also. Ping works fine.

Either:

1. Your DNS Suffix Search List does not contain their domain name (without that you will not get the IP back using host name only for the remote domain).

Or:

2. You use WINS (as erniebeek suggests) and you need to fix that.

Chris
0
 
kitsao (Author) commented:
erniebeek, WINS is not being used.
0
 
Ernie Beek commented:
Just thinking out loud here.

Normally the network connection auto-appends the primary and connection-specific DNS suffixes for unqualified names (and also parent suffixes of the primary). Might have a look in that direction.
0
 
Chris Dent (PowerShell Developer) commented:

Agreed. You might run:

ipconfig /all

Check if that includes the DNS suffix for the server name you expect to resolve.

Chris
0
 
kitsao (Author) commented:
Jbond2010, there's already a secondary forward zone configured for the other Forest.
0
 
Chris Dent (PowerShell Developer) commented:

If that didn't exist you wouldn't be able to resolve the FQDN either. It's very unlikely to be a problem with the DNS server.

Chris
0
 
kitsao (Author) commented:
Chris-Dent, the DNS suffixes are included in the list. As I said, every configuration in DNS is ok: the IPs, the suffixes, the zones. But somehow nslookup, \\ and mapping still fail. It looks like these three tasks are looking for the old IP to run.
0
 
Ernie Beek commented:
One other thing I did not read: did you check the hosts file (windows\system32\drivers\etc\hosts)?
0
 
kitsao (Author) commented:
erniebeek, we did change the hosts file; it had the old IP and we changed it to the new one. In fact I thought that would be the solution to the problem, but it didn't solve it either.
0
 
Chris Dent (PowerShell Developer) commented:

None of them will work if the suffix is not appending.

Can you run:

nslookup -d servername

It will show you a lot, but most importantly it will show you the process of appending each of the suffixes you have configured on the system and the response it gets to the associated query. In the output from this you're interested in a number of fields:

rcode
Questions
Answers

If you cannot find a question that includes the FQDN of the server in that output you need to check the suffixes again. If you can find the right question, but the RCode says NXDOMAIN (doesn't exist), then you need to check the DNS servers your system is using.

Chris
0
 
Chris Dent (PowerShell Developer) commented:

\\ and mapping will use Hosts, nslookup will not. I advise you avoid using Hosts entirely unless you're really stuck because it only makes maintenance of this harder.

Chris
0
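The two posts above describe the suffix-appending process that nslookup -d exposes and the fact that \\server and drive mappings read the hosts file while nslookup does not. The following script is an added example, not code from the thread or from any of its participants: it reproduces that process on a Windows client with the built-in DnsClient cmdlets, querying every candidate FQDN against every configured DNS server and classifying each reply, then lists any hosts-file entries for the same name. The name 'servername' and the function names are placeholders chosen here.

```powershell
# Added example (not code from this thread): trace how Windows resolves an unqualified name.
# It builds the candidate FQDNs from the primary DNS suffix, the global suffix search list and
# each interface's connection-specific suffix, sends each candidate to every configured DNS
# server with cache, hosts file, LLMNR and NetBIOS bypassed, and reports the outcome per query,
# which is the rcode / Questions / Answers view that nslookup -d prints. It then lists hosts-file
# entries for the name, because \\server and drive mappings consult the hosts file and nslookup
# does not. Requires the built-in DnsClient module (Windows 8 / Server 2012 or later).
param(
    [string]$ShortName = 'servername'   # placeholder: the short name that fails to resolve
)

# Candidate FQDNs in the order the suffixes are collected here (the resolver's own order also
# depends on the devolution setting shown by Get-DnsClientGlobalSetting).
function Get-CandidateFqdn {
    param([string]$Name)
    $suffixes = @()
    # Primary DNS suffix of the computer (ipconfig /all: "Primary Dns Suffix")
    $suffixes += [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
    # Global suffix search list (ipconfig /all: "DNS Suffix Search List")
    $suffixes += (Get-DnsClientGlobalSetting).SuffixSearchList
    # Connection-specific suffixes of every interface
    foreach ($nic in Get-DnsClient) {
        $suffixes += $nic.ConnectionSpecificSuffix
        $suffixes += $nic.ConnectionSpecificSuffixSearchList
    }
    $suffixes | Where-Object { $_ } | ForEach-Object { $_.ToLower() } | Select-Object -Unique |
        ForEach-Object { "$Name.$_" }
}

# One row per (candidate FQDN, DNS server): Result is NOERROR with the answer, or the Win32
# error name from the failure, e.g. DNS_ERROR_RCODE_NAME_ERROR (NXDOMAIN: wrong suffix or
# missing record) or ERROR_TIMEOUT (no reply, the state seen in the nslookup -d output above).
function Test-NameResolution {
    param([string]$Name)
    $servers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
    foreach ($fqdn in Get-CandidateFqdn -Name $Name) {
        foreach ($srv in $servers) {
            try {
                $rr = Resolve-DnsName -Name $fqdn -Type A -Server $srv -DnsOnly -ErrorAction Stop
                $addr = ($rr | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ','
                [pscustomobject]@{ Question = $fqdn; Server = $srv; Result = 'NOERROR'; Answer = $addr }
            } catch {
                $code = ($_.FullyQualifiedErrorId -split ',')[0]
                [pscustomobject]@{ Question = $fqdn; Server = $srv; Result = $code; Answer = '' }
            }
        }
    }
}

# Hosts-file lines whose names match the short name or any FQDN built from it. A stale address
# here silently overrides DNS for \\server and drive mappings, which is why the thread advises
# against relying on the hosts file at all.
function Get-HostsEntry {
    param([string]$Name)
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content $path) {
        $text = ($line -split '#')[0].Trim()       # drop comments and blank lines
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        $names = @($fields | Select-Object -Skip 1)
        if ($names | Where-Object { $_ -ieq $Name -or $_ -ilike "$Name.*" }) {
            [pscustomobject]@{ Address = $fields[0]; Names = ($names -join ' ') }
        }
    }
}

"DNS queries for '$ShortName':"
Test-NameResolution -Name $ShortName | Format-Table -AutoSize
"Hosts-file entries matching '$ShortName':"
Get-HostsEntry -Name $ShortName | Format-Table -AutoSize
```

Run it as `.\Trace-ShortName.ps1 -ShortName changedIPserver` (script file name is a placeholder). A row whose Question carries the expected FQDN but reports DNS_ERROR_RCODE_NAME_ERROR points at the DNS server or zone; no row with that FQDN at all points at the suffix list; ERROR_TIMEOUT on one server and NOERROR on another points at the server list on the client. A hosts-file row with an address that no longer matches DNS explains a \\server failure that nslookup cannot show.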
 
Ernie Beek commented:
As long as we're brainstorming: Do you happen to have policies in effect pushing DNS settings?
0
 
kitsao (Author) commented:
Chris Dent, when I make the nslookup -d to the DC in the other forest (the one whose IP was changed):

C:\Windows\system32>nslookup -d changedIPserver
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        112.91.168.192.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  112.91.168.192.in-addr.arpa
        name = myserver.mydomain.co.ao
        ttl = 1200 (20 mins)

------------
Server:  myserver.mydomain.co.ao
Address:  192.168.xx.xxx

DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        changedIPserver.mydomain.co.ao, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  mydomain.co.ao
        ttl = 3600 (1 hour)
        primary name server = myserver.mydomain.co.ao
        responsible mail addr = hostmaster.mydomain.co.ao
        serial  = 9406
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 900 (15 mins)

------------
*** Request to myserver.mydomain.co.ao timed-out

0
 
kitsao (Author) commented:
erniebeek, no DNS policies at all.
0
 
Chris Dent (PowerShell Developer) commented:

We want it to get as far as this, don't we?

changeIPserver.remotedomain.com

If so, you need to head to the DNS server and check the status of that Secondary zone. Refresh it, you might find it has expired. If the IP of the master has changed and the configuration of the secondary is not updated it will eventually end up in that state.

Chris
0
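The check Chris describes, reading the state of the secondary zone on the DNS server and repointing it when the master's address has changed, as an added example that is not code from the thread or its participants. It uses the DnsServer cmdlets that ship with the DNS Server role or RSAT; the zone name, the two addresses and the function names are placeholders assumed here.

```powershell
# Added example (not code from this thread): on the DNS server that holds the secondary copy of
# the remote forest's zone, report whether the copy has expired and whether its master list still
# names the old address of the remote DC; with -Repair, repoint the master and force a full
# transfer. Requires the DnsServer module (DNS Server role or RSAT). All values are placeholders.
param(
    [string]$ZoneName    = 'remotedomain.com',   # placeholder: the remote forest's zone
    [string]$OldMasterIp = '192.0.2.10',         # placeholder: remote DC address before the NIC change
    [string]$NewMasterIp = '192.0.2.20',         # placeholder: remote DC address after the NIC change
    [switch]$Repair
)

# Snapshot of the secondary zone: IsShutdown becomes $true once the SOA expire interval has
# passed without a successful transfer, at which point the server stops answering for the zone.
function Get-SecondaryZoneState {
    param([string]$Name)
    $zone = Get-DnsServerZone -Name $Name -ErrorAction Stop
    if ($zone.ZoneType -ne 'Secondary') {
        throw "Zone $Name is of type $($zone.ZoneType), not Secondary"
    }
    # The SOA is unreadable once the zone has shut down, hence SilentlyContinue
    $soa = Get-DnsServerResourceRecord -ZoneName $Name -RRType Soa -ErrorAction SilentlyContinue
    $serial = $null
    $expire = $null
    if ($soa) {
        $serial = $soa.RecordData.SerialNumber
        $expire = $soa.RecordData.ExpireLimit
    }
    [pscustomobject]@{
        ZoneName      = $zone.ZoneName
        IsShutdown    = $zone.IsShutdown
        MasterServers = @($zone.MasterServers | ForEach-Object { $_.IPAddressToString })
        Serial        = $serial
        ExpireLimit   = $expire
    }
}

# Replace the stale master address and pull the zone again; the returned state shows whether
# IsShutdown cleared and the serial advanced.
function Repair-SecondaryZoneMaster {
    param([string]$Name, [string]$Old, [string]$New)
    $state = Get-SecondaryZoneState -Name $Name
    if ($state.MasterServers -contains $Old) {
        $masters = @($state.MasterServers | ForEach-Object { if ($_ -eq $Old) { $New } else { $_ } })
        Set-DnsServerSecondaryZone -Name $Name -MasterServers $masters
    }
    Start-DnsServerZoneTransfer -Name $Name -FullTransfer
    Get-SecondaryZoneState -Name $Name
}

$before = Get-SecondaryZoneState -Name $ZoneName
$before | Format-List
if ($before.IsShutdown) {
    Write-Warning "Secondary zone $ZoneName has expired; FQDNs in it will not resolve from this server"
}
if ($before.MasterServers -contains $OldMasterIp) {
    Write-Warning "Master list still points at the old DC address $OldMasterIp"
}
if ($Repair) {
    Repair-SecondaryZoneMaster -Name $ZoneName -Old $OldMasterIp -New $NewMasterIp | Format-List
}
```

Without -Repair the script only reads; run it that way first on each DNS server that hosts the secondary zone, and compare the Serial it reports with the serial in the SOA the master returns (9406 in the nslookup -d output above), since a secondary that cannot reach its master keeps serving a stale serial until the expire interval passes and IsShutdown flips.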
 
kitsao (Author) commented:
Chris, couldn't the issue be related to something in the trust? Maybe the change of IP caused something there and now nslookup, \\ and mapping are being affected.

After the IP change I did validate the Trust successfully but maybe something is wrong. Could it be?
0
 
JBond2010 commented:
Have you tried running Dcdiag and Netdiag?
0
 
Chris Dent (PowerShell Developer) commented:

> couldn't the issue be related to something in the trust?

Not really, no. Name resolution operates on a different layer. You might bump into problems actually getting to \\server, but it'd come up as an authentication failure rather than a name resolution failure.

Chris
0
 
kitsao (Author) commented:
JBond, I did run DCdiag and dcdiag fix on all DCs; no problems found.
0
 
kitsao (Author) commented:
Chris, I don't think it's an authentication problem because \\ works fine if I use the IP of the server or its FQDN.
0
 
Chris Dent (PowerShell Developer) commented:
That tells us the trust is fine.

That the FQDN works does suggest that name resolution works.

What else do you have in your suffix search list? I'm curious why we're getting a timeout when using nslookup.

Chris
0
 
kitsao (Author) commented:
Hi guys. I've found out that the DC of the trusted forest that had the IP changed was listed in the Servers (not DCs) OU in the AD of the other forest. I deleted it from that OU and the \\ using the server name and the mapping issues are solved.

But the nslookup problem is still there. I'll just have to deal with that at another time because now I have more important stuff to take care of. And as nslookup is working with the FQDN from one forest to the other, I'm not so worried about it now.

Thanks for Everything Chris and JBond.
0
 
kitsao (Author) commented:
Because only half of the problem was solved.
0
