  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2372

DNS Issue with External Domain

I'm working on setting up a Trust with a child company we just acquired. I'm not new to Trusts. It's typically a few-minute process. Step 1) Set up DNS Conditional Forwarder, Step 2) establish Trust. Well, I can't get the Conditional Forwarders to work here!

1. We're connecting through a VPN tunnel.
2. In the Conditional Forwarder I get: Validated: OK, but I get FQDN: Unable to resolve.
3. My side: Server 2008 R2, 2003 Functional Level
4. Their side: Server 2003, 2000 Native Functional Level

Until I can get the FQDN to resolve, I'm dead in the water.  I've had two of my co-workers look at this with me.  None of us can see where this problem is.

Anybody have any ideas?


Thanks!
Asked by: GumbiDammit

1 Solution

Mahesh (Architect) commented:
First of all, from the DCs on either side, telnet to the other side's DC IP on TCP port 53 and check whether it is open.

If not, please open it in both directions and then set up the conditional forwarder.

If required, set up a hosts entry on both sides pointing to each other's domains.

Mahesh

GumbiDammit (Author) commented:
Mahesh, thanks.
I'd already tried that and it's open on both sides.

Mahesh (Architect) commented:
Have you tried the secondary zone option for the domain.com zone, and vice versa?

Also enable zone transfer on the _msdcs.domain.com zone and create a secondary zone, and vice versa.

Once you have done the above, try the query below from each domain's domain controller:

Go to CMD
Type nslookup
Hit enter
Type set type=all
Type _ldap._tcp.dc._msdcs.Active_Directory_domain_name, replacing Active_Directory_domain_name with your own domain and the opposite domain, one by one.
This should resolve properly; if you get an error here, it is likely you have some problems with Active Directory, and then your name resolution cannot work.
http://technet.microsoft.com/en-us/library/cc738991(v=ws.10).aspx
Let me know the results, please.

Mahesh
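The same SRV check can be scripted, which is handy when you want to ask the other side's DC directly and compare with what the conditional forwarder returns. The following is an added example (not from this thread) that builds the _ldap._tcp.dc._msdcs.<domain> query, parses the reply including name-compression pointers, and refuses mismatched transaction ids and non-zero RCODEs (RCODE 3, NXDOMAIN, is the "Unable to resolve" case). It uses only the Python standard library; their_dc1/their_dc2.their_domain.com, the 192.0.2.x addresses and the 0x1234 id in the constructed sample reply are placeholders.

```python
"""Added example (not from the thread): query and parse the
_ldap._tcp.dc._msdcs.<domain> SRV record with only the Python standard
library. Domain names, 192.0.2.x addresses and the 0x1234 id are placeholders."""
import random
import socket
import struct

QTYPE_A, QTYPE_SRV, QCLASS_IN = 1, 33, 1

def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"

def build_srv_query(name, txid):
    """Standard query, RD=1, one question for <name> IN SRV."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)

def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2               # caller resumes right after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                      # refuse pointer loops in hostile data
                raise ValueError("compression loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_srv_response(msg, txid=None):
    """Return {'srv': [records], 'a': {host: ip}}; raise on bad id or RCODE != 0."""
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if txid is not None and rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    rcode = flags & 0x000F
    if rcode != 0:                             # 3 = NXDOMAIN: the 'Unable to resolve' case
        raise ValueError("DNS error, RCODE=%d" % rcode)
    offset = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    srv, addrs = [], {}
    for _ in range(an + ns + ar):              # answer, authority and additional RRs
        owner, offset = read_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = read_name(msg, offset + 6)
            srv.append({"owner": owner, "priority": prio, "weight": weight,
                        "port": port, "target": target})
        elif rtype == QTYPE_A and rdlen == 4:
            addrs[owner] = socket.inet_ntoa(msg[offset:offset + 4])
        offset += rdlen
    return {"srv": srv, "a": addrs}

def query_srv(name, server, timeout=3.0):
    """Send the SRV query over UDP/53 to <server> and parse the reply (needs network)."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_srv_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_srv_response(data, txid)

def build_sample_response():
    """Constructed reply shaped like the nslookup output in the thread: two SRV
    answers on port 389 plus two A glue records, owner names via a compression pointer."""
    qname = "_ldap._tcp.dc._msdcs.their_domain.com"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 2)   # QR=1 RD=1 RA=1, RCODE 0
    msg += encode_name(qname) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    dcs = (("their_dc2.their_domain.com", "192.0.2.2"), ("their_dc1.their_domain.com", "192.0.2.1"))
    for host, _ in dcs:
        rdata = struct.pack("!HHH", 0, 100, 389) + encode_name(host)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 600, len(rdata)) + rdata
    for host, ip in dcs:
        msg += encode_name(host) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4) + socket.inet_aton(ip)
    return msg

if __name__ == "__main__":
    for rec in parse_srv_response(build_sample_response(), 0x1234)["srv"]:
        print(rec)
```

Running `query_srv("_ldap._tcp.dc._msdcs.their_domain.com", "<other side's DC IP>")` from your DC asks the remote DC directly, which is exactly what the conditional forwarder does on your behalf; running the same call against your own DC's address shows what the forwarder is actually returning. If the direct query answers and the forwarded one does not, the problem is the forwarder configuration or the path to it, not the other side's zone.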

GumbiDammit (Author) commented:
Looks good to me...  But by all means, please confirm...  (Obviously I've obfuscated.)

Server:  my_dc.com
Address:  ###.###.###.###

my_domain.com
        primary name server = my_dc.my_domain.com
        responsible mail addr = admin.my_domain.com
        serial  = 1989635
        refresh = 3600 (1 hour)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 900 (15 mins)
> _ldap._tcp.dc._msdcs.their_domain.com
Server:  my_dc.my_domain.com
Address:  ###.###.###.###

Non-authoritative answer:
_ldap._tcp.dc._msdcs.their_domain.com       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = their_dc2.their_domain.com
_ldap._tcp.dc._msdcs.their_domain.com       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = their_dc1.their_domain.com

their_dc2.their_domain.com       internet address = ###.###.###.###
their_dc1.their_domain.com      internet address = ###.###.###.###

GumbiDammit (Author) commented:
I've been trying to find a definitive answer.  Could their 2000 Native Functional Level be causing the issue?

Mahesh (Architect) commented:
The DNS issue is not related to AD functional levels.

If you ping domain.com from either side, does it resolve, or does it give an error from both sides?

On the domain controllers on both sides, please open Advanced TCP/IP Settings and check the DNS tab.
In the DNS tab, check the settings below.
Ensure that the "Append primary and connection specific DNS suffixes" radio button is selected.
Ensure that the "Append parent suffixes of the primary DNS suffix" checkbox is selected.
Ensure that the "Register this connection's addresses in DNS" checkbox is selected.
If there is any deviation in the above settings, you will probably face name resolution issues.

Also create a reverse lookup entry for both domains' domain controllers, and vice versa.

Also check the NS records on both DCs to confirm they are accurate and there is no stale entry on either side in DNS or AD Sites and Services.

Mahesh

GumbiDammit (Author) commented:
Mahesh, thanks for the reply.

Pinging works fine from either side.  Oddly enough, by IP or name.
DNS settings are fine on both sides regarding Advanced...

I think you're on the right track with rDNS.  But I can't figure out what the problem might be.  I was already thinking along those lines and I was thinking to create PTR Records on both sides in the corresponding Reverse Lookup Zones.  In other words, on my side I'd create a PTR for their DC within the Reverse Lookup Zone for their range.  And vice versa.
Can you confirm that that's what you're suggesting as well? (I'm not completely sure if PTR would be the correct record.  But it makes sense to me.)

Thanks!

Mahesh (Architect) commented:
Yes, you are right.
If the DC subnet is not present in a reverse lookup zone, you need to create the reverse lookup zone first and then create the reverse lookup entry (PTR) pointing to the DC, and vice versa.

For example: domainA.com and domainB.com are the two domains.
Now server1.domainA.com is the 1st DC and server2.domainB.com is the 2nd DC.
On domainA.com, if you have created a reverse lookup zone for the subnet of domainB.com, then the reverse PTR entry would be x.x.x.x - server2.domainB.com
where x.x.x.x is the actual IP of server2.domainB.com.

But before doing that, I strongly suggest you check the NS records on the DCs on both sides to confirm they are accurate and that there is no stale entry on either side in DNS, AD Sites and Services, and the domain.com\System\File Replication\Domain System Volume container.

Mahesh

GumbiDammit (Author) commented:
Thanks.  I'd checked NS and found no issue.  But I'll check again with a closer look.

It'll be a couple of hours.  I'm EST, they're PST.


Thanks!

GumbiDammit (Author) commented:
Okay...  So...  Went over NS and all looks good.
I added PTRs on each side.  And DNS shows the FQDN now.  BUT!  That's cheating.  It's not actually resolving.  As a result, the Trust still cannot function.  When I try to create the Trust, it still states "The name you specified is not a valid Windows domain name.  Is the specified name a Kerberos V5 realm?"  So I think Windows must actually resolve the FQDN in order to create the Trust.

Mahesh (Architect) commented:
Please download the PortQryUI tool from MS and run the preconfigured tests with that tool to check whether all AD authentication ports are open between both domains.

The tool will check all required AD ports and report if any port is blocked.

Also create a hosts file entry for domain.com on both domain controllers.

Mahesh

GumbiDammit (Author) commented:
This result kind of confirms what I'm seeing, but it's not leading me to an answer.


=============================================

 Starting portqry.exe -n ###.###.###.### -e 135 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 135 (epmap service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 135 -p TCP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 389 -p BOTH ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 389 (ldap service): NOT LISTENING

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389...

LDAP query to port 389 failed
Server did not respond to LDAP query

portqry.exe -n ###.###.###.### -e 389 -p BOTH exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 636 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 636 (ldaps service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 636 -p TCP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 3268 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 3268 (msft-gc service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 3268 -p TCP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 3269 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 3269 (msft-gc-ssl service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 3269 -p TCP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 53 -p BOTH ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 53 (domain service): LISTENING

UDP port 53 (domain service): LISTENING or FILTERED

Sending DNS query to UDP port 53...

UDP port 53 is LISTENING
portqry.exe -n ###.###.###.### -e 53 -p BOTH exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 88 -p BOTH ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 88 (kerberos service): NOT LISTENING

UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n ###.###.###.### -e 88 -p BOTH exits with return code 0x00000002.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 445 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 445 (microsoft-ds service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 445 -p TCP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 137 -p UDP ...

portqry.exe -n ###.###.###.### -e 137 -p UDP exits with return code 0x80000003.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 138 -p UDP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n ###.###.###.### -e 138 -p UDP exits with return code 0x00000002.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 139 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 139 (netbios-ssn service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 139 -p TCP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 42 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 42 (nameserver service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 42 -p TCP exits with return code 0x00000001.
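Reading a long PortQry run by eye is error-prone, and "LISTENING or FILTERED" on a UDP port is not a pass. The following is an added example (not from this thread and not part of PortQry) that parses PortQry's text output and buckets the ports the preconfigured test probed above into open, blocked and unknown, only counting a definite verdict. SAMPLE is a constructed excerpt in the same format with 192.0.2.10 as a placeholder address; TRUST_PORTS is the list of ports that run probed, with the KB 179442 article Mahesh links later in the thread as the reference.

```python
"""Added example (not from the thread or from PortQry): parse PortQry output
like the run above and bucket the probed AD trust ports. SAMPLE is a
constructed excerpt in PortQry's format; 192.0.2.10 is a placeholder."""
import re

# (protocol, port) pairs the preconfigured "Domains and Trusts" run above
# probed; Microsoft KB 179442 (linked in the thread) is the reference list.
TRUST_PORTS = [
    ("TCP", 135), ("TCP", 389), ("UDP", 389), ("TCP", 636), ("TCP", 3268),
    ("TCP", 3269), ("TCP", 53), ("UDP", 53), ("TCP", 88), ("UDP", 88),
    ("TCP", 445), ("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 42),
]

RUN_RE = re.compile(r"^Starting portqry\.exe .* -e (\d+) -p (TCP|UDP|BOTH)")
VERDICT_RE = re.compile(r"^(TCP|UDP) port (\d+) \([^)]*\): (.+?)$")
FOLLOWUP_RE = re.compile(r"^(TCP|UDP) port (\d+) is (LISTENING|NOT LISTENING)$")

def parse_portqry_output(text):
    """Map (proto, port) -> verdict. Later lines refine earlier ones: a
    confirmed 'UDP port 53 is LISTENING' upgrades 'LISTENING or FILTERED',
    an unanswered LDAP probe downgrades UDP/389, and a run that prints no
    verdict at all (e.g. exit code 0x80000003) is recorded as NO RESULT."""
    results, last = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            port, proto = int(m.group(1)), m.group(2)
            for p in (("TCP", "UDP") if proto == "BOTH" else (proto,)):
                results.setdefault((p, port), "NO RESULT")
            continue
        m = VERDICT_RE.match(line) or FOLLOWUP_RE.match(line)
        if m:
            last = (m.group(1), int(m.group(2)))
            results[last] = m.group(3)
        elif line == "Server did not respond to LDAP query" and last == ("UDP", 389):
            results[last] = "FILTERED (no LDAP reply)"
    return results

def classify(results, required=TRUST_PORTS):
    """Bucket the required ports: only a definite verdict counts as open or
    blocked; 'LISTENING or FILTERED' on UDP is inconclusive and stays unknown."""
    buckets = {"open": [], "blocked": [], "unknown": []}
    for proto, port in required:
        verdict = results.get((proto, port), "NOT PROBED")
        key = "%s/%d" % (proto, port)
        if verdict == "LISTENING":
            buckets["open"].append(key)
        elif verdict == "NOT LISTENING":
            buckets["blocked"].append(key)
        else:
            buckets["unknown"].append(key)
    return buckets

# Constructed excerpt in PortQry's output format (placeholder address).
SAMPLE = """\
=============================================
 Starting portqry.exe -n 192.0.2.10 -e 135 -p TCP ...
Querying target system called:
 192.0.2.10
Attempting to resolve IP address to a name...
Failed to resolve IP address to name
querying...
TCP port 135 (epmap service): NOT LISTENING
portqry.exe -n 192.0.2.10 -e 135 -p TCP exits with return code 0x00000001.
=============================================
 Starting portqry.exe -n 192.0.2.10 -e 389 -p BOTH ...
querying...
TCP port 389 (ldap service): NOT LISTENING
UDP port 389 (unknown service): LISTENING or FILTERED
Using ephemeral source port
Sending LDAP query to UDP port 389...
LDAP query to port 389 failed
Server did not respond to LDAP query
portqry.exe -n 192.0.2.10 -e 389 -p BOTH exits with return code 0x00000001.
=============================================
 Starting portqry.exe -n 192.0.2.10 -e 53 -p BOTH ...
querying...
TCP port 53 (domain service): LISTENING
UDP port 53 (domain service): LISTENING or FILTERED
Sending DNS query to UDP port 53...
UDP port 53 is LISTENING
portqry.exe -n 192.0.2.10 -e 53 -p BOTH exits with return code 0x00000000.
=============================================
 Starting portqry.exe -n 192.0.2.10 -e 137 -p UDP ...
portqry.exe -n 192.0.2.10 -e 137 -p UDP exits with return code 0x80000003.
=============================================
"""

if __name__ == "__main__":
    for bucket, ports in classify(parse_portqry_output(SAMPLE)).items():
        print("%-8s %s" % (bucket + ":", ", ".join(ports) or "-"))
```

Paste a full run (or pipe the saved output file in) in place of SAMPLE. A "NOT LISTENING" verdict only says no service answered at that address; a host-based firewall or endpoint protection product on the DC produces the same result as a network ACL, so the next step is checking on the target host itself rather than only the VPN rules. Run it from both sides, since the trust needs the ports open in both directions.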

Mahesh (Architect) commented:
It seems that the AD ports are not open, except DNS; the DNS query is unable to connect your DC to the destination domain due to the lack of RPC, LDAP and GC ports.

Please refer to the article below for the ports required to build a domain trust:
http://support.microsoft.com/kb/179442

Once you set up / open the ports as appropriate, you should be able to set up the trust.

Mahesh

GumbiDammit (Author) commented:
Interesting result...  It turns out they were running Symantec Endpoint Protection on that Server and it was holding up the works!  It has been removed.

Here's where I am now...  I was able to create the Trust on this side.  But the other side still states "The name you specified is not a valid Windows domain name..."

Any thoughts?

Thanks!

Mahesh (Architect) commented:
Do the same port query from the other end as well.

Ports need to be enabled bidirectionally.

GumbiDammit (Author) commented:
Sorry. Forgot to mention that I did. Everything is coming back Listening, with the exception of UDP only for 389, 88, and 138, which respond Listening or Filtered.

Mahesh (Architect) commented:
The above ports are not a problem.
What error do you get on the other side's trust?

Check on the other side in ADUC for a computer object having the same NetBIOS name as your domain, if one exists. You need to delete that.
Also go to adsiedit.msc, connect to the domain directory partition in the other domain, and check under the Users container whether an object like yourdomainnetbiosname$ exists.
If you find one, delete it and then try creating the trust from that side.

Mahesh