kitsao asked on

IP change in Domain Controller of a Trusted Forest

Hi. A client of our company has a Trust between two forests. The trust was ok and the two domains were working without any problem.

Then the DC of one of the trusted domains had a NIC problem and the IT administrator of our Client decided to enable the other NIC in the server and also changed the IP.

We did fix all DNS problems that arose after that IP change in the DC but there's a situation that we couldn't fix.

The nslookup to that DC only works when we use the FQDN or the new IP of it, the access to shared folders in that DC using \\ also only works with the FQDN or new IP, mapping also. Ping works fine.

We cleared the DNS cache, flushed, reloaded, restarted, but nothing worked. There are no more references to the old IP of that server in the DNS or anywhere else.

We want to be able to make nslookup, \\ and mapping using the name of the server not only the FQDN or IP.

I hope I was clear. Thanks.
DNS, Windows Server 2008

Last Comment: kitsao, 8/22/2022 - Mon
Ernie Beek

Did you check WINS?
James

You need to create a Stub Zone and SRV Records of the other Forest.
Chris Dent

> The nslookup to that DC only works when we use the FQDN or the new IP of it, the access to shared folders in that DC using \\ also
> only works with the FQDN or new IP, mapping also. Ping works fine.

Either:

1. Your DNS Suffix Search List does not contain their domain name (without that you will not get the IP back using host name only for the remote domain).

Or:

2. You use WINS (as erniebeek suggests) and you need to fix that.

Chris
ASKER
kitsao

erniebeek, WINS is not being used.
Ernie Beek

Just thinking out loud here.

Normally the network connection auto-appends the primary and connection-specific DNS suffixes for unqualified names (and also parent suffixes of the primary). Might have a look in that direction.
Chris Dent


Agreed. You might run:

ipconfig /all

Check if that includes the DNS suffix for the server name you expect to resolve.

Chris
ASKER
kitsao

Jbond2010, there's already a secondary forward zone configured for the other Forest.
Chris Dent


If that didn't exist you wouldn't be able to resolve the FQDN either. It's very unlikely to be a problem with the DNS server.

Chris
ASKER
kitsao

Chris-Dent, the DNS suffixes are included in the list. As I said, every configuration in DNS is OK: the IPs, the suffixes, the zones. But somehow the nslookup, \\ and mapping still fail. It looks like these three tasks are looking for the old IP to run.
Ernie Beek

One other thing I did not read: did you check the hosts file (windows\system32\drivers\etc\hosts)?
ASKER
kitsao

erniebeek, we did change the hosts file; it had the old IP and we changed it to the new one. In fact I thought that would be the solution to the problem, but that didn't solve it either.
Chris Dent


None of them will work if the suffix is not appending.

Can you run:

nslookup -d servername

It will show you a lot, but most importantly it will show you the process of appending each of the suffixes you have configured on the system and the response it gets to the associated query. In the output from this you're interested in a number of fields:

rcode
Questions
Answers

If you cannot find a question that includes the FQDN of the server in that output you need to check the suffixes again. If you can find the right question, but the RCode says NXDOMAIN (doesn't exist), then you need to check the DNS servers your system is using.

Chris
Chris Dent


\\ and mapping will use Hosts, nslookup will not. I advise you avoid using Hosts entirely unless you're really stuck because it only makes maintenance of this harder.

Chris
Ernie Beek

As long as we're brainstorming: Do you happen to have policies in effect pushing DNS settings?
ASKER
kitsao

Chris Dent, when I run nslookup -d against the DC in the other forest (the one whose IP was changed):

C:\Windows\system32>nslookup -d changedIPserver
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        112.91.168.192.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  112.91.168.192.in-addr.arpa
        name = myserver.mydomain.co.ao
        ttl = 1200 (20 mins)

------------
Server:  myserver.mydomain.co.ao
Address:  192.168.xx.xxx

DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        changedIPserver.mydomain.co.ao, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  mydomain.co.ao
        ttl = 3600 (1 hour)
        primary name server = myserver.mydomain.co.ao
        responsible mail addr = hostmaster.mydomain.co.ao
        serial  = 9406
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 900 (15 mins)

------------
*** Request to myserver.mydomain.co.ao timed-out
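Chris Dent's triage rule above (find the question that carries the expected FQDN, then read its rcode) can be applied mechanically to output like the one kitsao posted. The following is an added example written for this thread, not code posted by any participant: it parses `nslookup -d` debug output into per-response records (id, rcode, questions, answers, timeouts) and returns one of the verdicts the rule implies. The sample is abridged from the output above, with the same anonymised names; `changedIPserver.remotedomain.com` is Chris's placeholder for the remote forest's FQDN, assumed here as the name that ought to have been asked for.

```python
"""Parse `nslookup -d` output and apply the thread's triage rule:
no question for the FQDN -> suffix search list problem;
question present but NXDOMAIN -> DNS server / zone problem.
Added example for this thread, not code posted by any participant."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

HEADER_RE = re.compile(r"opcode = (\w+), id = (\d+), rcode = (\w+)")
QUESTION_RE = re.compile(r"^(\S+), type = (\w+), class = (\w+)$")
SECTIONS = ("QUESTIONS", "ANSWERS", "AUTHORITY RECORDS", "ADDITIONAL RECORDS")


@dataclass
class Response:
    qid: int
    rcode: str
    questions: List[Tuple[str, str]] = field(default_factory=list)  # (name, type)
    answers: List[str] = field(default_factory=list)                 # "->" names in ANSWERS


@dataclass
class Trace:
    responses: List[Response] = field(default_factory=list)
    timeouts: int = 0  # "DNS request timed out." lines: queries that got no reply at all


def parse_nslookup_debug(text: str) -> Trace:
    trace, current, section = Trace(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Got answer") or line.startswith("----"):
            current, section = None, None          # block boundary
            continue
        if line.startswith("DNS request timed out"):
            trace.timeouts += 1
            continue
        m = HEADER_RE.search(line)
        if m:                                       # "opcode = QUERY, id = N, rcode = X"
            current = Response(qid=int(m.group(2)), rcode=m.group(3))
            trace.responses.append(current)
            continue
        if current is None:
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            continue
        if section == "QUESTIONS":
            q = QUESTION_RE.match(line)
            if q:
                current.questions.append((q.group(1).rstrip(".").lower(), q.group(2).upper()))
        elif section == "ANSWERS" and line.startswith("->"):
            current.answers.append(line[2:].strip())
    return trace


def diagnose(trace: Trace, expected_fqdn: str) -> Tuple[str, List[str]]:
    """Verdict plus supporting detail for the A/AAAA questions in the trace."""
    fqdn = expected_fqdn.rstrip(".").lower()
    hits = [r for r in trace.responses
            if any(n == fqdn and t in ("A", "AAAA") for n, t in r.questions)]
    if not hits:   # the resolver never appended the right suffix: check the search list
        tried = sorted({n for r in trace.responses for n, t in r.questions if t in ("A", "AAAA")})
        return "NO_QUESTION_FOR_FQDN", tried
    if any(r.rcode == "NXDOMAIN" for r in hits):   # right name asked, server says it does not exist
        return "NXDOMAIN", sorted({r.rcode for r in hits})
    if any(r.rcode == "NOERROR" and r.answers for r in hits):
        return "RESOLVED", [a for r in hits for a in r.answers]
    if all(r.rcode == "NOERROR" for r in hits):    # name exists, but no record of the asked type
        return "NODATA", sorted({t for r in hits for n, t in r.questions if n == fqdn})
    return "OTHER_RCODE", sorted({r.rcode for r in hits})


# Abridged from the debug output posted in this thread (anonymised as in the post).
SAMPLE = """\
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    QUESTIONS:
        112.91.168.192.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  112.91.168.192.in-addr.arpa
        name = myserver.mydomain.co.ao
------------
Server:  myserver.mydomain.co.ao
Address:  192.168.xx.xxx

DNS request timed out.
    timeout was 2 seconds.
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
    QUESTIONS:
        changedIPserver.mydomain.co.ao, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  mydomain.co.ao
        primary name server = myserver.mydomain.co.ao
------------
*** Request to myserver.mydomain.co.ao timed-out
"""

if __name__ == "__main__":
    t = parse_nslookup_debug(SAMPLE)
    print("timeouts:", t.timeouts)
    print(diagnose(t, "changedIPserver.remotedomain.com"))  # assumed remote FQDN
```

On the posted output the only A/AAAA question carries the local suffix (`mydomain.co.ao`), so against the remote FQDN the verdict is `NO_QUESTION_FOR_FQDN`: the resolver never tried the remote domain's suffix, which is the search-list problem rather than a zone problem. The one timeout is the query whose reply never arrived (id 2 is missing from the trace), which is worth chasing separately.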

ASKER
kitsao

erniebeek no DNS Policies at all.
Chris Dent


We want it to get as far as this don't we?

changeIPserver.remotedomain.com

If so, you need to head to the DNS server and check the status of that Secondary zone. Refresh it, you might find it has expired. If the IP of the master has changed and the configuration of the secondary is not updated it will eventually end up in that state.

Chris
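The "it will eventually end up in that state" above follows from the SOA timers: a secondary keeps serving its copy while it retries the master, and discards it once `expire` seconds have passed since the last successful transfer. The following model is an added example for this thread, not code from any participant. It uses the SOA values visible in the posted debug output (refresh 900, retry 600, expire 86400); the last-transfer time is constructed, and the timer semantics are those of RFC 1035 section 3.3.13.

```python
"""Model a secondary zone whose master became unreachable (e.g. the master DC's
IP changed and the secondary still points at the old address).
Added example for this thread, not code posted by any participant."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Soa:
    refresh: int  # seconds between checks while the master is reachable
    retry: int    # seconds between attempts after a failed check
    expire: int   # seconds after the last success before the copy is discarded


def attempt_schedule(soa: Soa) -> List[int]:
    """Offsets (seconds after the last good transfer) at which the secondary
    contacts an unreachable master: first at refresh, then every retry, until expire."""
    offsets, t = [], soa.refresh
    while t < soa.expire:
        offsets.append(t)
        t += soa.retry
    return offsets


def state_at(soa: Soa, last_ok: datetime, now: datetime) -> str:
    """FRESH: inside the refresh window. STALE: old data still served while the
    master is retried. EXPIRED: copy dropped; queries for the zone fail (SERVFAIL),
    so even the FQDN stops resolving until the master address is fixed."""
    age = (now - last_ok).total_seconds()
    if age < soa.refresh:
        return "FRESH"
    if age < soa.expire:
        return "STALE"
    return "EXPIRED"


def expiry_time(soa: Soa, last_ok: datetime) -> datetime:
    return last_ok + timedelta(seconds=soa.expire)


# SOA values taken from the debug output posted in this thread.
POSTED_SOA = Soa(refresh=900, retry=600, expire=86400)
# Constructed: the last zone transfer that succeeded before the master's IP changed.
LAST_OK = datetime(2020, 1, 1, 9, 0)

if __name__ == "__main__":
    sched = attempt_schedule(POSTED_SOA)
    print(f"{len(sched)} failed attempts before expiry, last at +{sched[-1]}s")
    print("expires at", expiry_time(POSTED_SOA, LAST_OK))
    for hours in (0.1, 1, 23, 24):
        print(hours, "h:", state_at(POSTED_SOA, LAST_OK, LAST_OK + timedelta(hours=hours)))
```

With the posted values the secondary answers normally for a full day after losing the master, then flips to expired; that delayed failure is why a stale master address is easy to miss right after an IP change, and why refreshing the zone and checking its master list is the right first step when the FQDN also stops resolving.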
ASKER
kitsao

Chris, couldn't the issue be related to something in the trust? Maybe the change of IP caused something there and now nslookup, \\ and mapping are being affected.

After the IP change I did validate the Trust successfully but maybe something is wrong. Could it be?
James

Have you tried running Dcdiag and Netdiag?
Chris Dent


> couldn't the issue be related to something in the trust?

Not really, no. Name resolution operates on a different layer. You might bump into problems actually getting to \\server, but it'd come up as an authentication failure rather than a name resolution failure.

Chris
ASKER
kitsao

JBond, I did run DCdiag and dcdiag fix on all DCs; no problems found.
ASKER
kitsao

Chris, I don't think it is an authentication problem because \\ works fine if I use the IP of the server or its FQDN.
Chris Dent

That tells us the trust is fine.

That the FQDN works does suggest that name resolution works.

What else do you have in your suffix search list? I'm curious why we're getting a timeout when using nslookup.

Chris
ASKER CERTIFIED SOLUTION
kitsao

ASKER
kitsao

Because only half of the problem was solved.