Solved

IP change in Domain Controller of a Trusted Forest

Posted on 2010-11-16
Last Modified: 2012-05-10
Hi. A client of our company has a Trust between two forests. The trust was ok and the two domains were working without any problem.

Then the DC of one of the trusted domains had a NIC problem and the IT administrator of our Client decided to enable the other NIC in the server and also changed the IP.

We did fix all DNS problems that arose after that IP change in the DC but there's a situation that we couldn't fix.

nslookup to that DC only works when we use its FQDN or new IP; access to shared folders on that DC using \\ also only works with the FQDN or new IP, and so does mapping. Ping works fine.

We cleared the DNS cache, flushed, reloaded and restarted, but nothing worked. There are no more references to the old IP of that server in the DNS or anywhere else.

We want to be able to use nslookup, \\ and mapping with the name of the server, not only the FQDN or IP.

I hope I was clear. Thanks.
Question by:kitsao
25 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34143168
Did you check WINS?
 
LVL 15

Expert Comment

by:JBond2010
ID: 34143170
You need to create a Stub Zone and SRV Records of the other Forest.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34143205
> The nslookup to that DC only works when we use the FQDN or the new IP of it, the access to shared folders in that DC using \\ also
> only works with the FQDN or new IP, mapping also. Ping works fine.

Either:

1. Your DNS Suffix Search List does not contain their domain name (without that you will not get the IP back using host name only for the remote domain).

Or:

2. You use WINS (as erniebeek suggests) and you need to fix that.

Chris
 

Author Comment

by:kitsao
ID: 34143238
erniebeek, WINS is not being used.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34143258
Just thinking out loud here.

Normally the network connection auto-appends the primary and connection-specific DNS suffixes for unqualified names (and also parent suffixes of the primary). Might have a look in that direction.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34143600

Agreed. You might run:

ipconfig /all

Check if that includes the DNS suffix for the server name you expect to resolve.

Chris
 

Author Comment

by:kitsao
ID: 34143653
Jbond2010, there's already a secondary forward zone configured for the other Forest.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34143695

If that didn't exist you wouldn't be able to resolve the FQDN either. It's very unlikely to be a problem with the DNS server.

Chris
 

Author Comment

by:kitsao
ID: 34143723
Chris-Dent, the DNS suffixes are included in the list. As I said, every configuration in DNS is ok: the IPs, the suffixes, the zones, but somehow nslookup, \\ and mapping still fail. It looks like these three tasks are looking for the old IP to run.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34143736
One other thing I did not read: did you check the hosts file (windows\system32\drivers\etc\hosts)?
 

Author Comment

by:kitsao
ID: 34143765
erniebeek, we did change the hosts file; it had the old IP and we changed it to the new one. In fact I thought that would be the solution to the problem, but it didn't solve it either.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34143767

None of them will work if the suffix is not being appended.

Can you run:

nslookup -d servername

It will show you a lot, but most importantly it will show you the process of appending each of the suffixes you have configured on the system and the response it gets to the associated query. In the output from this you're interested in a number of fields:

rcode
Questions
Answers

If you cannot find a question that includes the FQDN of the server in that output you need to check the suffixes again. If you can find the right question, but the RCode says NXDOMAIN (doesn't exist), then you need to check the DNS servers your system is using.

Chris
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34143788

\\ and mapping will use Hosts, nslookup will not. I advise you avoid using Hosts entirely unless you're really stuck because it only makes maintenance of this harder.

Chris
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34143804
As long as we're brainstorming: Do you happen to have policies in effect pushing DNS settings?
 

Author Comment

by:kitsao
ID: 34143881
Chris Dent, when I run nslookup -d against the DC in the other forest (the one whose IP was changed):

C:\Windows\system32>nslookup -d changedIPserver
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        112.91.168.192.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  112.91.168.192.in-addr.arpa
        name = myserver.mydomain.co.ao
        ttl = 1200 (20 mins)

------------
Server:  myserver.mydomain.co.ao
Address:  192.168.xx.xxx

DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        changedIPserver.mydomain.co.ao, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  mydomain.co.ao
        ttl = 3600 (1 hour)
        primary name server = myserver.mydomain.co.ao
        responsible mail addr = hostmaster.mydomain.co.ao
        serial  = 9406
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 900 (15 mins)

------------
*** Request to myserver.mydomain.co.ao timed-out

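The triage Chris Dent describes above (find the question carrying the expected FQDN, then read its rcode and answer count) applied to output shaped like the nslookup -d trace in this post, as an added Python example that is not part of the thread. The sample trace is a constructed abbreviation of the output above, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the nslookup -d output quoted in this thread:
# a PTR lookup for the resolver, then an AAAA query for the suffix-appended
# name that comes back NOERROR with zero answers, then a timeout.
SAMPLE = """\
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    QUESTIONS:
        112.91.168.192.in-addr.arpa, type = PTR, class = IN
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
    QUESTIONS:
        changedIPserver.mydomain.co.ao, type = AAAA, class = IN
------------
*** Request to myserver.mydomain.co.ao timed-out
"""

def parse_nslookup_debug(text):
    """One dict per 'Got answer:' block with rcode, answer count and question."""
    records = []
    for block in text.split("Got answer:")[1:]:
        rcode = re.search(r"rcode = (\w+)", block)
        answers = re.search(r"answers = (\d+)", block)
        question = re.search(r"QUESTIONS:\s+([^\s,]+), type = (\w+)", block)
        records.append({
            "rcode": rcode.group(1) if rcode else None,
            "answers": int(answers.group(1)) if answers else 0,
            "qname": question.group(1) if question else None,
            "qtype": question.group(2) if question else None,
        })
    return records

def triage(records, short_name, suffixes):
    """Apply the checklist from the thread to a short name and the suffix search list."""
    expected = {f"{short_name}.{s}".lower().strip(".") for s in suffixes}
    asked = [r for r in records if r["qname"] and r["qname"].lower() in expected]
    if not asked:
        return "no question for expected FQDN: check the DNS suffix search list"
    if any(r["rcode"] == "NXDOMAIN" for r in asked):
        return "NXDOMAIN for expected FQDN: check the DNS servers and zone data"
    if all(r["answers"] == 0 for r in asked):
        types = ",".join(sorted(r["qtype"] for r in asked))
        return f"FQDN queried ({types}) but no answers: check for an A record and a stale secondary zone"
    return "resolution succeeded"
```

Run with the remote forest's suffix and it reports that no question for that FQDN was ever sent (the suffix-search-list case); run with the local suffix and it reports the AAAA query that came back with no answers.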
 

Author Comment

by:kitsao
ID: 34143889
erniebeek no DNS Policies at all.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34143899

We want it to get as far as this, don't we?

changeIPserver.remotedomain.com

If so, you need to head to the DNS server and check the status of that Secondary zone. Refresh it, you might find it has expired. If the IP of the master has changed and the configuration of the secondary is not updated it will eventually end up in that state.

Chris
 

Author Comment

by:kitsao
ID: 34152900
Chris, couldn't the issue be related to something in the trust? Maybe the change of IP caused something there and now nslookup, \\ and mapping are being affected.

After the IP change I did validate the Trust successfully but maybe something is wrong. Could it be?
 
LVL 15

Expert Comment

by:JBond2010
ID: 34153031
Have you tried running Dcdiag and Netdiag?
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34153167

> couldn't the issue be related to something in the trust?

Not really, no. Name resolution operates on a different layer. You might bump into problems actually getting to \\server, but it'd come up as an authentication failure rather than a name resolution failure.

Chris
 

Author Comment

by:kitsao
ID: 34153428
JBond, I did run DCdiag and dcdiag fix on all DCs; no problems found.
 

Author Comment

by:kitsao
ID: 34153440
Chris, I don't think it is an authentication problem because \\ works fine if I use the IP of the server or its FQDN.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34153524
That tells us the trust is fine.

That the FQDN works does suggest that name resolution works.

What else do you have in your suffix search list? I'm curious why we're getting a timeout when using nslookup.

Chris
 

Accepted Solution

by:kitsao (earned 0 total points)
ID: 34162410
Hi guys. I've found out that the DC of the trusted forest that had the IP changed was listed in the Servers (not DCs) OU in the AD of the other forest. I deleted it from that OU, and the \\ using the server name and the mapping issues are solved.

But the nslookup problem is still there. I'll just have to deal with that another time because now I have more important stuff to take care of. And as nslookup is working with the FQDN from one forest to the other, I'm not so worried about it now.

Thanks for Everything Chris and JBond.
 

Author Closing Comment

by:kitsao
ID: 34194877
Because only half of the problem was solved.
