Solved

IP change in Domain Controller of a Trusted Forest

Posted on 2010-11-16
Last Modified: 2012-05-10
Hi. A client of our company has a Trust between two forests. The trust was ok and the two domains were working without any problem.

Then the DC of one of the trusted domains had a NIC problem and the IT administrator of our Client decided to enable the other NIC in the server and also changed the IP.

We did fix all DNS problems that arose after that IP change in the DC, but there's a situation that we couldn't fix.

nslookup to that DC only works when we use its FQDN or its new IP; access to shared folders on that DC using \\ also only works with the FQDN or the new IP, and the same goes for mapping. Ping works fine.

We did clear the DNS cache, flushed, reloaded, restarted, but nothing worked. There are no more references to the old IP of that server in the DNS or anywhere else.

We want to be able to do nslookup, \\ and mapping using the name of the server, not only the FQDN or IP.

I hope I was clear. Thanks.
Question by:kitsao
25 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34143168
Did you check WINS?
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 34143170
You need to create a Stub Zone and SRV Records of the other Forest.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34143205
> The nslookup to that DC only works when we use the FQDN or the new IP of it, the access to shared folders in that DC using \\ also
> only works with the FQDN or new IP, mapping also. Ping works fine.

Either:

1. Your DNS Suffix Search List does not contain their domain name (without that you will not get the IP back using host name only for the remote domain).

Or:

2. You use WINS (as erniebeek suggests) and you need to fix that.

Chris
0
 

Author Comment

by:kitsao
ID: 34143238
erniebeek, WINS is not being used.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34143258
Just thinking out loud here.

Normally the network connection auto-appends the primary and connection-specific DNS suffixes to unqualified names (and also the parent suffixes of the primary). Might have a look in that direction.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34143600

Agreed. You might run:

ipconfig /all

Check if that includes the DNS suffix for the server name you expect to resolve.

Chris
0
 

Author Comment

by:kitsao
ID: 34143653
Jbond2010, there's already a secondary forward zone configured for the other Forest.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34143695

If that didn't exist you wouldn't be able to resolve the FQDN either. It's very unlikely to be a problem with the DNS server.

Chris
0
 

Author Comment

by:kitsao
ID: 34143723
Chris-Dent, the DNS suffixes are included in the list. As I said, every configuration in DNS is ok: the IPs, the suffixes, the zones. But somehow nslookup, \\ and mapping still fail. It looks like these three tasks are looking for the old IP to run.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34143736
One other thing I did not read: did you check the hosts file (windows\system32\drivers\etc\hosts)?
0
 

Author Comment

by:kitsao
ID: 34143765
erniebeek, we did change the hosts file; it had the old IP and we changed it to the new one. In fact I thought that would be the solution to the problem, but it didn't solve it either.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34143767

None of them will work if the suffix is not appending.

Can you run:

nslookup -d servername

It will show you a lot, but most importantly it will show you the process of appending each of the suffixes you have configured on the system and the response it gets to the associated query. In the output from this you're interested in a number of fields:

rcode
Questions
Answers

If you cannot find a question that includes the FQDN of the server in that output you need to check the suffixes again. If you can find the right question, but the RCode says NXDOMAIN (doesn't exist), then you need to check the DNS servers your system is using.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34143788

\\ and mapping will use Hosts, nslookup will not. I advise you avoid using Hosts entirely unless you're really stuck because it only makes maintenance of this harder.

Chris
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34143804
As long as we're brainstorming: Do you happen to have policies in effect pushing DNS settings?
0
 

Author Comment

by:kitsao
ID: 34143881
Chris Dent, this is what I get when I run nslookup -d against the DC in the other forest (the one whose IP was changed):

C:\Windows\system32>nslookup -d changedIPserver
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        112.91.168.192.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  112.91.168.192.in-addr.arpa
        name = myserver.mydomain.co.ao
        ttl = 1200 (20 mins)

------------
Server:  myserver.mydomain.co.ao
Address:  192.168.xx.xxx

DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        changedIPserver.mydomain.co.ao, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  mydomain.co.ao
        ttl = 3600 (1 hour)
        primary name server = myserver.mydomain.co.ao
        responsible mail addr = hostmaster.mydomain.co.ao
        serial  = 9406
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 900 (15 mins)

------------
*** Request to myserver.mydomain.co.ao timed-out

0
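The debug output above can be checked mechanically against the three fields Chris listed (rcode, Questions, Answers). This is an added example, not code from the thread; the sample is a constructed, condensed copy of the quoted output, and the result labels are my own.

```python
import re

# Constructed sample, condensed from the nslookup -d output quoted in this thread (poster's placeholders).
SAMPLE_OUTPUT = """------------
Got answer:
        opcode = QUERY, id = 1, rcode = NOERROR
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    QUESTIONS:
        112.91.168.192.in-addr.arpa, type = PTR, class = IN
------------
DNS request timed out.
------------
Got answer:
        opcode = QUERY, id = 3, rcode = NOERROR
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
    QUESTIONS:
        changedIPserver.mydomain.co.ao, type = AAAA, class = IN
------------
"""

QUESTION_RE = re.compile(r"^\s+(\S+), type = (\w+), class = IN", re.M)


def parse_answers(text):
    """One dict per 'Got answer' block: rcode, answer count and [(qname, qtype), ...]."""
    blocks = []
    for chunk in text.split("Got answer:")[1:]:
        body = chunk.split("------------")[0]          # stop at the block delimiter
        rcode = re.search(r"rcode = (\w+)", body).group(1)
        answers = int(re.search(r"answers = (\d+)", body).group(1))
        blocks.append({"rcode": rcode, "answers": answers,
                       "questions": QUESTION_RE.findall(body)})
    return blocks


def triage(text, expected_fqdn, qtype="A"):
    """Chris's checks: was the suffix appended to form expected_fqdn, and what came back?"""
    want = expected_fqdn.lower().rstrip(".")
    blocks = parse_answers(text)
    hits = [b for b in blocks
            if any(q.lower().rstrip(".") == want and t == qtype for q, t in b["questions"])]
    if not hits:
        if any(t == qtype for b in blocks for _, t in b["questions"]):
            return "suffix-not-appended"        # asked for this type, but never with this FQDN
        return "timed-out" if "DNS request timed out." in text else "no-query-seen"
    if any(b["rcode"] == "NXDOMAIN" for b in hits):
        return "nxdomain-check-dns-servers"     # right name asked, server says it doesn't exist
    if any(b["answers"] > 0 for b in hits):
        return "resolved"
    return "no-record-of-type"                  # NOERROR but empty answer (e.g. no AAAA record)
```

On the quoted output, the AAAA question did carry the right FQDN (so the suffix search list is fine) while the A query never got an answer at all, which points at the server not the suffix.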
 

Author Comment

by:kitsao
ID: 34143889
erniebeek, no DNS policies at all.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34143899

We want it to get as far as this don't we?

changeIPserver.remotedomain.com

If so, you need to head to the DNS server and check the status of that Secondary zone. Refresh it, you might find it has expired. If the IP of the master has changed and the configuration of the secondary is not updated it will eventually end up in that state.

Chris
0
 

Author Comment

by:kitsao
ID: 34152900
Chris, couldn't the issue be related to something in the trust? Maybe the change of IP caused something there and now nslookup, \\ and mapping are being affected.

After the IP change I did validate the Trust successfully but maybe something is wrong. Could it be?
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 34153031
Have you tried running Dcdiag and Netdiag?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34153167

> couldn't the issue be related to something in the trust?

Not really, no. Name resolution operates on a different layer. You might bump into problems actually getting to \\server, but it'd come up as an authentication failure rather than a name resolution failure.

Chris
0
 

Author Comment

by:kitsao
ID: 34153428
JBond, I did run DCdiag and dcdiag fix on all DCs; no problems found.
0
 

Author Comment

by:kitsao
ID: 34153440
Chris, I don't think it is an authentication problem because \\ works fine if I use the IP of the server or its FQDN.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34153524
That tells us the trust is fine.

That the FQDN works does suggest that name resolution works.

What else do you have in your suffix search list? I'm curious why we're getting a timeout when using nslookup.

Chris
0
 

Accepted Solution

by:kitsao (earned 0 total points)
ID: 34162410
Hi guys. I've found out that the DC of the trusted forest that had the IP changed was listed in the Servers (not DCs) OU in the AD of the other forest. I deleted it from that OU and the \\ using the server name and the mapping issues are solved.

But the nslookup problem is still there. I'll just have to deal with that another time because now I have more important stuff to take care of. And as nslookup is working with the FQDN from one forest to the other, I'm not so worried about it now.

Thanks for everything Chris and JBond.
0
 

Author Closing Comment

by:kitsao
ID: 34194877
Because only half of the problem was solved.
0
