Solved

DNS for 2003/2008 trust

Posted on 2013-06-06
5
387 Views
Last Modified: 2013-06-09
I am creating a trust between two domains over a VPN. The ports seem to be OK, but I am unable to look up the remote domain. The forwarders are in place. When I do an nslookup on one domain and set the server as the other domain, it gives me the below and then fails to return details for a machine that I know exists on the remote network.

> server 192.168.0.1
192.168.0.1in-addr.arpa
        primary name server = localhost
        responsible mail addr = nobody.invalid
        serial  = 1
        refresh = 600 (10 mins)
        retry   = 1200 (20 mins)
        expire  = 604800 (7 days)
        default TTL = 10800 (3 hours)
Default Server:  [192.168.0.1]
Address:  192.168.0.1
Question by:Sid_F
5 Comments
 
LVL 18

Accepted Solution

by: Andrej Pirman, earned 500 total points
ID: 39224915
First, open ports.
Inbound ports TCP 53 (for zone transfer) and UDP 53 (for DNS query) should be opened on the server firewall.

Then use nslookup, for example:
192.168.0.1 / server1 = you
192.168.0.2 / server2 = the other server

nslookup
lserver 192.168.0.2
server2
# should return answer
xy machine name
# should return IP of that machine; if not, then XY machine might not have an entry in server2 DNS zone


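As an added example (not code from the thread or from either poster), a small standard-library Python client that checks the two ports named in the accepted answer: it sends the same A query to the remote DNS server once over UDP 53 and once over TCP 53 and parses the reply. The server address 192.168.0.2 (server2 above) and the queried name dc1.remote.example are assumed placeholders.

```python
# Added example (not from the thread): a minimal DNS client to check that the remote
# DNS server answers over both UDP 53 and TCP 53, the two ports the accepted answer
# says must be open. Only the standard library is used; the server address and the
# name queried below are constructed placeholders.
import random
import socket
import struct

REMOTE_DNS = "192.168.0.2"            # server2 in the accepted answer (assumption)
TEST_NAME = "dc1.remote.example"      # a host that should exist in the remote zone (placeholder)
QTYPE_A, QCLASS_IN = 1, 1


def build_query(name, qtype=QTYPE_A, txid=None):
    """Encode one recursive query in RFC 1035 wire format; returns (txid, bytes)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _read_name(data, offset):
    """Decode a (possibly compressed) name; returns (name, offset after the name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data, expected_txid=None):
    """Return {'rcode': int, 'answers': [(name, ip), ...]} for the A records in the reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    offset = 12
    for _ in range(qd):                                # skip the echoed question
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, socket.inet_ntoa(data[offset:offset + 4])))
        offset += rdlen
    return {"rcode": flags & 0x000F, "answers": answers}


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP reply truncated")
        buf += chunk
    return buf


def probe(server, name, use_tcp=False, timeout=3.0):
    """Send one A query to `server` on port 53 over UDP or TCP and parse the reply."""
    txid, query = build_query(name)
    if use_tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS is length-prefixed
            data = _recv_exact(s, struct.unpack("!H", _recv_exact(s, 2))[0])
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
    return parse_response(data, txid)


if __name__ == "__main__":
    # Both transports must succeed before the trust will resolve the remote domain.
    for label, tcp in (("UDP 53", False), ("TCP 53", True)):
        try:
            print(label, probe(REMOTE_DNS, TEST_NAME, use_tcp=tcp))
        except OSError as exc:
            print(label, "failed:", exc)
```

Running it from each side of the VPN shows whether a query is dropped on one transport only, which a firewall rule that opens UDP 53 but not TCP 53 (or the reverse) would produce. TCP 53 is not only for zone transfers: any reply too large for UDP comes back truncated and the client retries over TCP, so a rule that blocks it can break lookups that return large record sets while small ones still work.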
 
LVL 6

Author Comment

by:Sid_F
ID: 39225004
OK, I have those ports open. Any idea why I get the output from my original post? Normally when I use the command

nslookup
server 192.168.0.1

it will return the server name or else fail, but I'm not sure why that output shows.
 
LVL 40

Expert Comment

by:footech
ID: 39228465
That's weird. It appears the output includes an SOA record when you change which name server you're using. I haven't been able to duplicate what you're seeing, and I've never heard of that happening before.
Do you get the same output if you change to some other DNS server (for example 8.8.8.8), or is it only when you change to the remote DNS over the VPN?
It shouldn't make any difference to this issue (that I can think of), but you might want to set up stub zones for the other domain instead of conditional forwarders, since they update their name server info automatically.
 
LVL 6

Author Comment

by:Sid_F
ID: 39229141
Doh, ports were not opened correctly on both sides! Working now, thanks.
 
LVL 18

Expert Comment

by:Andrej Pirman
ID: 39233485
Great to hear you solved the problem!

BTW... regarding nslookup, there is a difference between the commands "server" and "lserver".
lserver switches to the new DNS server, but tries to resolve the given name of the new server using the INITIAL DNS server, which was used when you ran nslookup.
The server command does the same, except that it resolves the given new DNS server using the LAST DNS server you were using.

So, let's say you have:
first.dns.com
bad.dns.com (does not work)
third.dns.com (should resolve to 1.2.3.4)

And you do this in a row:
nslookup (starting, will use "first.dns.com")
set type=a
third.dns.com


you get the correct answer:
Server:  first.dns.com
Address:  1.1.1.1

Non-authoritative answer:
Name:    third.dns.com
Address:  1.2.3.4


Then you switch to bad.dns.com:
server bad.dns.com

and query for third.dns.com again:
third.dns.com

You get a timeout!

This is where the difference between "lserver" and "server" comes in.
If you continue with:
server first.dns.com

it will fail, because the LAST DNS does not answer - it is bad!

But if you continue with:
lserver first.dns.com

it will be OK, because nslookup will not use the LAST, but rather the INITIAL DNS to resolve "first.dns.com", and this one is working.
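To make the server/lserver distinction concrete, here is an added Python model that replays the sequence in the comment above; it is not code from the thread and not nslookup itself. first.dns.com, bad.dns.com and third.dns.com with the addresses given in the comment are the constructed data. The model resolves a new server's hostname through the last server for `server` and through the initial server for `lserver`, stays on the old server when that resolution fails, and accepts an IP literal without any lookup; those are modelling choices, not claims about nslookup internals.

```python
# Added example: a toy model of nslookup's "server" vs "lserver" commands.
# Server names and addresses are the constructed values from the comment above.
import ipaddress


class NslookupError(Exception):
    """Models nslookup's '*** Request timed out' / 'Can't find address for server'."""


# What each DNS server answers for an A query (constructed data).
# None for a server means it is reachable by name but never replies.
ZONES = {
    "first.dns.com": {"first.dns.com": "1.1.1.1", "bad.dns.com": "2.2.2.2", "third.dns.com": "1.2.3.4"},
    "third.dns.com": {"first.dns.com": "1.1.1.1", "bad.dns.com": "2.2.2.2", "third.dns.com": "1.2.3.4"},
    "bad.dns.com": None,
}


def query(server, qname):
    """Ask `server` for the A record of `qname`; raises when the server never answers."""
    zone = ZONES.get(server)
    if zone is None:
        raise NslookupError(f"no response from {server}")
    return zone.get(qname)          # None models NXDOMAIN


class NslookupSession:
    def __init__(self, initial_server):
        self.initial = initial_server   # the server nslookup started with
        self.current = initial_server   # the server ordinary queries go to

    def lookup(self, name):
        return query(self.current, name)

    def _switch(self, new_server, resolver):
        """Switch to `new_server`, resolving its name through `resolver` if it is not an IP."""
        try:
            ipaddress.ip_address(new_server)            # an IP literal needs no lookup
        except ValueError:
            if query(resolver, new_server) is None:     # raises if the resolver is silent
                raise NslookupError(f"can't find address for server {new_server}")
        self.current = new_server                       # only reached on success
        return self.current

    def server(self, new_server):
        """'server': resolve the new server's name via the LAST server in use."""
        return self._switch(new_server, self.current)

    def lserver(self, new_server):
        """'lserver': resolve the new server's name via the INITIAL server."""
        return self._switch(new_server, self.initial)


def raises(fn):
    """True if calling fn() fails the way nslookup would (timeout / unresolvable server)."""
    try:
        fn()
    except NslookupError:
        return True
    return False


def walkthrough():
    """Replay the comment's sequence; returns (command, outcome) pairs."""
    s = NslookupSession("first.dns.com")
    steps = [
        ("third.dns.com", lambda: s.lookup("third.dns.com")),
        ("server bad.dns.com", lambda: s.server("bad.dns.com")),
        ("third.dns.com", lambda: s.lookup("third.dns.com")),
        ("server first.dns.com", lambda: s.server("first.dns.com")),
        ("lserver first.dns.com", lambda: s.lserver("first.dns.com")),
        ("third.dns.com", lambda: s.lookup("third.dns.com")),
    ]
    log = []
    for command, fn in steps:
        try:
            log.append((command, fn()))
        except NslookupError as exc:
            log.append((command, f"failed: {exc}"))
    return log


if __name__ == "__main__":
    for command, outcome in walkthrough():
        print(f"> {command:24} {outcome}")
```

The fourth step fails and the fifth succeeds for exactly the reason the comment gives: both try to leave bad.dns.com, but `server` asks bad.dns.com for first.dns.com's address while `lserver` asks the server the session started with. The same logic explains the accepted answer's use of `lserver 192.168.0.2` followed by a plain `server2`: once you are on the remote server, further lookups go to it.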
