Solved

DNS Issues on new Domain created in Forest

Posted on 2011-10-08
Last Modified: 2012-06-22
I've recently configured a new domain in a forest and am having issues with the DNS setup. I cannot ping one forest from the other. If I ping domain1.net from domain2.net it does not work. If I try to ping a server in the original domain I cannot by using just the name. I have to say server.domain.net to get a reply. I'm also getting this message when I run the BPA on the new domain controller.

Restore the Active Directory integrated DNS zone _msdcs.domain.net.

Please let me know what other information you need and I'll be glad to get it for you. Thanks
Question by: hh_techservices

9 Comments
LVL 8

Expert Comment

by:Sushant Gulati
ID: 36937030
If we ping with the IP, then what happens?

~SG~
LVL 1

Author Comment

by:hh_techservices
ID: 36937249
SG,

Sorry for the delay and thanks for the quick response. I did a restart of the server and it seems to be working better. The server was up before I had a new VPN connection for a couple of hours so I think it just got lost in translation. I tried to do one thing and it mentioned errors that were fixed during a restart.

I'm giving it a thorough look and will let you know if I see anything else.

Thanks again!
LVL 8

Expert Comment

by:Sushant Gulati
ID: 36937267
Sure thing, and thanks for responding back. And also, what is the one thing that you tried? And great finding, by the way, which seemingly showed up in the results.

Good Luck..!!
~SG~
LVL 1

Author Comment

by:hh_techservices
ID: 36937324
SG,

When I was in the event viewer I ran the BPA, which brought up new things. I then looked more deeply into the event logs and saw an information notice that told me about the KCC being fixed.

I am seeing one weird thing still and I'm racking my head right now to figure out what it could be. In AD Sites & Services this new domain only has one VPN connection back to HQ, but under Sites & Services it keeps getting "automatically connected" to another location of mine. I don't want it to, because it doesn't have a VPN connection to that location, which means it can't see that server. Can you limit what sites you try to replicate to?

This new domain in the forest is in one location so I just want it to replicate to the forest in HQ. That is why I don't need it to go to other domains.

Thanks

LVL 24

Accepted Solution

by: Sandeshdubey (earned 1500 total points)
ID: 36938252
It seems that you have not configured the site link in Active Directory Sites and Services correctly.
You need to create sites and subnets, associate each subnet with the appropriate site, move the server to the required site and then create a site link for the sites to replicate.

Once done, delete the unwanted connection. Run repadmin /kcc and repadmin /replsum /AdeP on all DCs for the new connection to be established, and wait for some time for replication to take place.

Reference articles:
http://technet.microsoft.com/en-us/library/cc758663(WS.10).aspx
http://www.activewin.com/win2000/step_by_step/active_directory/adsites.shtml
http://technet.microsoft.com/en-us/library/cc754697.aspx

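The procedure in the accepted answer (create sites and subnets, associate subnets, move the DC, create a site link, delete the unwanted connection, run the KCC and check replication), written out as a PowerShell script. This is an added example, not commands from the thread or from the expert: the site names, subnets, DC name and addresses are invented placeholders, and the ActiveDirectory replication cmdlets it uses need Windows Server 2012 or a later RSAT (the 2011-era thread would have done the same in the Sites and Services console). The site link is the part that answers the poster's question, since the KCC only builds inter-site connections along site links.

```powershell
# Added example, not from the original thread. Site names, subnets, DC and
# link names are hypothetical placeholders. Needs the ActiveDirectory module
# (Windows Server 2012+ or RSAT) and Enterprise Admin rights.
Import-Module ActiveDirectory

$hqSite  = 'HQ'                       # site holding the forest root DCs
$newSite = 'Branch-Domain2'           # site of the new domain's only DC
$newDc   = 'DC01'                     # the new domain's DC (hypothetical)
$subnets = @{
    '10.10.0.0/16' = $hqSite          # hypothetical HQ address space
    '10.20.0.0/24' = $newSite         # hypothetical branch address space
}

# 1. Create the sites if they are missing.
foreach ($site in @($hqSite, $newSite)) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# 2. Create the subnets and associate each with its site; without this the
#    DC locator and the KCC cannot tell which site a server belongs to.
foreach ($cidr in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $subnets[$cidr]
    }
}

# 3. Move the new DC into its site.
Move-ADDirectoryServer -Identity $newDc -Site $newSite

# 4. A site link that contains only the two sites joined by the VPN, and
#    removal of the branch site from DEFAULTIPSITELINK. The KCC routes
#    inter-site replication along site links, so this is what stops it
#    from connecting the branch to a third site it cannot reach.
$linkName = "$hqSite-$newSite"
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded $hqSite, $newSite `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}
$default = Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Properties SitesIncluded
if ($default.SitesIncluded -match "^CN=$newSite,") {
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = $newSite }
}

# 5. Delete auto-generated connection objects on the new DC whose source is
#    in any site other than HQ, then let the KCC rebuild the topology.
function Get-SiteFromNtdsDn([string]$Dn) {
    # DN form: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    if ($Dn -match 'CN=Servers,CN=([^,]+),CN=Sites') { $Matches[1] } else { $null }
}
Get-ADReplicationConnection -Filter * |
    Where-Object {
        (Get-SiteFromNtdsDn $_.ReplicateToDirectoryServer) -eq $newSite -and
        (Get-SiteFromNtdsDn $_.ReplicateFromDirectoryServer) -ne $hqSite
    } |
    ForEach-Object {
        Write-Host "Removing connection $($_.Name) sourced from $($_.ReplicateFromDirectoryServer)"
        Remove-ADObject -Identity $_.DistinguishedName -Confirm:$false
    }

# 6. Re-run the KCC on the new DC and confirm its only partner is at HQ.
repadmin /kcc $newDc
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target $newDc |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```

Step 5 deletes connections rather than only disabling the KCC, so if the KCC later recreates a connection to the third site, that is a sign the site link or subnet association is still wrong, not something to suppress.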
LVL 1

Author Comment

by:hh_techservices
ID: 36938776
Sandeshdubey,

Thanks for the information. I did the site link yesterday but it still hasn't done anything. After researching today I believe it has to do with my DNS zones, because HQ is missing the new domain's zone. Now my question is what is the best way to get the zone on HQ. Can I just click "New Zone" and type the new domain's name, or is there something else that we have to do? I can ping HQ from the new domain by name, but I can't ping the new domain from HQ by name, only by IP, so I know it's DNS.

Do I need to use a Conditional Forwarder at HQ to point to the new domain's DC for it to work, or just add the zone? Any help you can offer is greatly appreciated. I've never had to do two domains in a forest in all my years.

Thanks

LVL 24

Expert Comment

by:Sandeshdubey
ID: 36946745
It seems you have two forests and not a parent-child architecture; correct me if I am wrong.
If you have two forests then you need to create the forward lookup zone and make the zone AD integrated. Once the DNS zone is configured, you can create the forest trust.

Before you can create a trust between forests, you must do a little bit of prep work to prepare the forests that will be involved in the trusts.

1. The first thing that you must do is to raise the forest functional level of the two forests to Windows Server 2003. To do so, select the Active Directory Domains and Trusts command from the server's Administrative Tools menu. When the console opens, right click on the Active Directory Domains and Trusts container and select the Raise Forest Functional Level command from the resulting shortcut menu. When the Raise Forest Functional Level dialog box appears, select the Windows Server 2003 option and click the Raise button.

2. Set up conditional forwarder DNS zones in each network. You won't accomplish much if each network can't properly resolve resources in the other. Adding forwarder zones to your DNS setup in each network allows them to forward DNS requests to the other network's DNS servers for resources in that network.

3. Create a forest-to-forest trust relationship. Open the Active Directory Domains and Trusts console (domain.msc) in one of the domains. Go to the properties of the domain and, under the Trusts tab, click New Trust and enter the required details.

Note: Make sure you are not blocking any traffic between the domain controllers in each forest.

Reference KB articles:
http://technet.microsoft.com/en-us/library/cc778851(WS.10).aspx
http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login
LVL 1

Author Comment

by:hh_techservices
ID: 36962802
Sorry for the delay. Most of my issues were due to my stupidity and how the original top domain was set up (it is just one forest with two domains). It was set up to push its DNS to all domains in the forest, which wasn't allowing me to do Conditional Forwarding instead for that domain. Once we removed that, so both of the domains only publish DNS to their respective domain, and set up the Conditional Forwarders, we were good to go. Of course, the thing I kept forgetting to do was the ipconfig /flushdns. It's a valuable lesson that I learned: always make sure the DNS is flushed when making the changes and expecting quick results.

Thanks for your help.
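The DNS side of the thread, covering both the expert's step 2 (conditional forwarders in each direction) and the poster's own resolution (zone replication scope, conditional forwarders, flushing the resolver cache), as an added PowerShell example that is not the poster's or the expert's commands. Domain names, server addresses and the DC host name are invented placeholders; the DnsServer and DnsClient cmdlets need Windows Server 2012 or later, newer than the 2011 thread, where the same steps were done in the DNS console and with ipconfig /flushdns. The point it adds is the check in step 3: a DNS server refuses a conditional forwarder for a name it already hosts as a zone, which is why a forest-wide replicated zone and a conditional forwarder for the same domain cannot coexist on one server.

```powershell
# Added example, not from the original thread. Domain names, addresses and
# the DC name are hypothetical placeholders. Needs the DnsServer and
# DnsClient modules (Windows Server 2012+ or RSAT).
Import-Module DnsServer

$hqDomain  = 'domain1.net'    # forest root domain at HQ
$newDomain = 'domain2.net'    # new domain in the same forest
$hqDns     = '10.10.0.10'     # a DC/DNS server at HQ
$newDns    = '10.20.0.10'     # the new domain's DC/DNS server

function Show-ZoneScope([string]$Server, [string]$Zone) {
    # For AD-integrated zones ReplicationScope is Domain, Forest, Legacy or Custom.
    Get-DnsServerZone -ComputerName $Server -Name $Zone -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Server'; e = { $Server } }, ZoneName, ZoneType,
                      IsDsIntegrated, ReplicationScope
}

# 1. Inventory: which zones each side hosts and how they replicate. The
#    _msdcs zone is the one the BPA warned about in the question.
Show-ZoneScope $hqDns  $hqDomain
Show-ZoneScope $hqDns  "_msdcs.$hqDomain"
Show-ZoneScope $hqDns  $newDomain
Show-ZoneScope $newDns $newDomain
Show-ZoneScope $newDns $hqDomain

# 2. Optional: scope a domain's zone to that domain's DNS servers instead of
#    the whole forest. This is the change the poster describes; it is what
#    frees the other domain's servers to use a conditional forwarder instead.
# Set-DnsServerPrimaryZone -ComputerName $hqDns -Name $hqDomain -ReplicationScope Domain

# 3. Conditional forwarders in both directions. A forwarder cannot be created
#    for a name the server already hosts as a zone, so check before adding.
function Add-ForwarderIfAbsent([string]$Server, [string]$Zone, [string[]]$Masters) {
    $existing = Get-DnsServerZone -ComputerName $Server -Name $Zone -ErrorAction SilentlyContinue
    if ($existing) {
        if ($existing.ZoneType -eq 'Forwarder') {
            Write-Host "$Server already forwards $Zone to $($existing.MasterServers -join ', ')"
        } else {
            Write-Warning ("$Server hosts $Zone as a $($existing.ZoneType) zone " +
                           "(scope: $($existing.ReplicationScope)); no forwarder added.")
        }
        return
    }
    # Store the forwarder in AD, replicated only to this domain's DNS servers.
    Add-DnsServerConditionalForwarderZone -ComputerName $Server -Name $Zone `
        -MasterServers $Masters -ReplicationScope Domain
    Write-Host "$Server now forwards $Zone to $($Masters -join ', ')"
}
Add-ForwarderIfAbsent -Server $hqDns  -Zone $newDomain -Masters $newDns
Add-ForwarderIfAbsent -Server $newDns -Zone $hqDomain  -Masters $hqDns

# 4. Flush the local resolver cache (same effect as ipconfig /flushdns) so a
#    cached negative answer does not mask the change, then resolve the other
#    domain's DC locator SRV record and a host through each side's server.
Clear-DnsClientCache
foreach ($pair in @(@($hqDns, $newDomain), @($newDns, $hqDomain))) {
    $server, $zone = $pair
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV -Server $server
    Resolve-DnsName -Name "dc01.$zone" -Type A -Server $server -ErrorAction Continue
}

# 5. Single-label names ("ping server") only resolve when the other domain's
#    suffix is in the search list; the FQDN works regardless, which matches
#    the symptom in the question.
Get-DnsClientGlobalSetting | Select-Object -ExpandProperty SuffixSearchList
# Set-DnsClientGlobalSetting -SuffixSearchList @($newDomain, $hqDomain)
```

The SRV lookup in step 4 is the more useful test: pinging a host by FQDN only proves the A record path, while the _ldap._tcp.dc._msdcs record is what clients and DCs of the other domain actually need to locate a domain controller.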
LVL 1

Author Closing Comment

by:hh_techservices
ID: 36962809
The Site Link was something I was missing.