Solved

DNS Issue with External Domain

Posted on 2014-02-07
Last Modified: 2014-02-27
I'm working on setting up a Trust with a child company we just acquired.  I'm not new to Trusts.  It's typically a few-minute process: Step 1) set up a DNS Conditional Forwarder, Step 2) establish the Trust.  Well, I can't get the Conditional Forwarders to work here!

1. We're connecting through a VPN tunnel.
2. In the Conditional Forwarder I get:  Validated: OK but I get FQDN: Unable to resolve.
3. My side:  Server 2008 R2,  2003 Functional Level
4. Their side:  Server 2003, 2000 Native Functional Level

Until I can get the FQDN to resolve, I'm dead in the water.  I've had two of my co-workers look at this with me.  None of us can see where this problem is.

Anybody have any ideas?


Thanks!
Question by:GumbiDammit

Expert Comment

by:Mahesh
First of all, from the DCs on either side, telnet to the other side's DC IP on TCP port 53 and check whether it is open.

If not, please open it in both directions and then set up the conditional forwarder.

If required, set up host entries on both sides pointing to each other's domains.

Mahesh

Author Comment

by:GumbiDammit
Mahesh, thanks.
I'd already tried that and it's open on both sides.

Expert Comment

by:Mahesh
Have you tried the secondary zone option for the domain.com zone, and vice versa?

Also enable zone transfer on the _msdcs.domain.com zone and create a secondary zone, vice versa.

Once you have done the above, try the query below from each domain's domain controller:

Go to CMD
Type nslookup
Hit enter
type set type=all
type _ldap._tcp.dc._msdcs.Active_Directory_domain_name   where you replace Active_Directory_domain_name with your own domain and the opposite domain, one by one.
This should get resolved properly; if you get an error here, it is likely that you have some problems with Active Directory, and then your name resolution cannot work.
http://technet.microsoft.com/en-us/library/cc738991(v=ws.10).aspx
Let me know the results please.

Mahesh

Author Comment

by:GumbiDammit
Looks good to me...  But by all means, please confirm...  (Obviously I've obfuscated.)

Server:  my_dc.com
Address:  ###.###.###.###

my_domain.com
        primary name server = my_dc.my_domain.com
        responsible mail addr = admin.my_domain.com
        serial  = 1989635
        refresh = 3600 (1 hour)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 900 (15 mins)
> _ldap._tcp.dc._msdcs.their_domain.com
Server:  my_dc.my_domain.com
Address:  ###.###.###.###

Non-authoritative answer:
_ldap._tcp.dc._msdcs.their_domain.com       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = their_dc2.their_domain.com
_ldap._tcp.dc._msdcs.their_domain.com       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = their_dc1.their_domain.com

their_dc2.their_domain.com       internet address = ###.###.###.###
their_dc1.their_domain.com      internet address = ###.###.###.###

Author Comment

by:GumbiDammit
I've been trying to find a definitive answer.  Could their 2000 Native Functional Level be causing the issue?

Expert Comment

by:Mahesh
DNS issues are not related to AD functional levels.

If you ping domain.com from either side, does it resolve, or does it give an error from both sides?

On the domain controllers on both sides, please open Advanced TCP/IP settings and check the DNS tab.
In the DNS tab, check the settings below.
Ensure that the "Append primary and connection specific DNS suffixes" radio button is selected
Ensure that the "Append parent suffixes of the primary DNS suffix" checkbox is selected
Ensure that the "Register this connection's addresses in DNS" checkbox is selected
If there is any deviation in the above settings, you will probably face name resolution issues.

Also create reverse lookup entries for both domains' domain controllers, vice versa.

Also check the NS records on both DCs to confirm they are accurate and there is no stale entry on either side in DNS or AD Sites and Services.

Mahesh

Author Comment

by:GumbiDammit
Mahesh, thanks for the reply.

Pinging works fine from either side.  Oddly enough, by IP or name.
DNS settings are fine on both sides regarding Advanced...

I think you're on the right track with rDNS.  But I can't figure out what the problem might be.  I was already thinking along those lines and I was thinking to create PTR Records on both sides in the corresponding Reverse Lookup Zones.  In other words, on my side I'd create a PTR for their DC within the Reverse Lookup Zone for their range.  And vice versa.
Can you confirm that that's what you're suggesting as well? (I'm not completely sure if PTR would be the correct record.  But it makes sense to me.)

Thanks!

Expert Comment

by:Mahesh
Yes, you are right.
If the DC subnet is not present in a reverse lookup zone, you need to create the reverse lookup zone first and then create the reverse lookup entry (PTR) pointing to the DC, vice versa.

For example: domainA.com and domainB.com are the two domains.
Now server1.domainA.com is the 1st DC and server2.domainB.com is the 2nd DC.
On domainA.com, if you have created a reverse lookup zone for the subnet of domainB.com, then the reverse PTR entry would be x.x.x.x - server2.domainB.com,
where x.x.x.x is the actual IP of server2.domainB.com.

But before doing that, I strongly suggest that you check the NS records on the DCs on both sides to confirm they are accurate and there is no stale entry on either side in DNS, AD Sites and Services, and the domain.com\system\file replication\domain system volume container.

Mahesh

Author Comment

by:GumbiDammit
Thanks.  I'd checked NS and found no issue.  But I'll check again with a closer look.

It'll be a couple of hours.  I'm EST, they're PST.


Thanks!

Author Comment

by:GumbiDammit
Okay...  So...  Went over NS and all looks good.
I added PTRs on each side.  And DNS shows the FQDN now.  BUT!  That's cheating.  It's not actually resolving.  As a result, the Trust still cannot function.  When I try to create the Trust, it still states "The name you specified is not a valid Windows domain name.  Is the specified name a Kerberos V5 realm?"  So I think Windows must actually resolve the FQDN in order to create the Trust.

Accepted Solution

by:
Mahesh earned 500 total points
Please download the PortQryUI tool from MS and run the preconfigured tests with that tool to check whether all AD authentication ports are open between both domains.

The tool will check all required AD ports and report if any port is blocked.

Also create a hosts file entry for domain.com on both domain controllers.

Mahesh

Author Comment

by:GumbiDammit
This result kind of confirms what I'm seeing, but it's not leading me to an answer.


=============================================

 Starting portqry.exe -n ###.###.###.### -e 135 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 135 (epmap service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 135 -p TCP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 389 -p BOTH ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 389 (ldap service): NOT LISTENING

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389...

LDAP query to port 389 failed
Server did not respond to LDAP query

portqry.exe -n ###.###.###.### -e 389 -p BOTH exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 636 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 636 (ldaps service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 636 -p TCP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 3268 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 3268 (msft-gc service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 3268 -p TCP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 3269 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 3269 (msft-gc-ssl service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 3269 -p TCP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 53 -p BOTH ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 53 (domain service): LISTENING

UDP port 53 (domain service): LISTENING or FILTERED

Sending DNS query to UDP port 53...

UDP port 53 is LISTENING
portqry.exe -n ###.###.###.### -e 53 -p BOTH exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 88 -p BOTH ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 88 (kerberos service): NOT LISTENING

UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n ###.###.###.### -e 88 -p BOTH exits with return code 0x00000002.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 445 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 445 (microsoft-ds service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 445 -p TCP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 137 -p UDP ...

portqry.exe -n ###.###.###.### -e 137 -p UDP exits with return code 0x80000003.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 138 -p UDP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n ###.###.###.### -e 138 -p UDP exits with return code 0x00000002.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 139 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 139 (netbios-ssn service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 139 -p TCP exits with return code 0x00000001.
=============================================

 Starting portqry.exe -n ###.###.###.### -e 42 -p TCP ...


Querying target system called:

 ###.###.###.###

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 42 (nameserver service): NOT LISTENING
portqry.exe -n ###.###.###.### -e 42 -p TCP exits with return code 0x00000001.

Expert Comment

by:Mahesh
It seems that the AD ports are not open except DNS; the DNS query is unable to connect your DC to the destination domain due to the lack of RPC, LDAP and GC ports.

Please refer to the article below for the ports required to build a domain trust:
http://support.microsoft.com/kb/179442

Once you set up / open the ports as appropriate, you should be able to set up the trust.

Mahesh
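As an added example (not from the thread, and not part of PortQry itself), the Python below parses a constructed PortQryUI "Domains and Trusts" log in the same format as the dump above, groups each probed port by outcome, and flags the "Failed to resolve IP address to name" line that indicates the missing reverse (PTR) lookup; the port-to-role labels are my own annotation of the ports that preset probed.

```python
import re

# Constructed excerpt in PortQryUI "Domains and Trusts" format (not the thread's real dump).
SAMPLE_LOG = """\
 Starting portqry.exe -n 192.0.2.10 -e 135 -p TCP ...
Attempting to resolve IP address to a name...
Failed to resolve IP address to name
TCP port 135 (epmap service): NOT LISTENING
 Starting portqry.exe -n 192.0.2.10 -e 53 -p BOTH ...
TCP port 53 (domain service): LISTENING
UDP port 53 (domain service): LISTENING or FILTERED
UDP port 53 is LISTENING
 Starting portqry.exe -n 192.0.2.10 -e 88 -p BOTH ...
TCP port 88 (kerberos service): NOT LISTENING
UDP port 88 (kerberos service): LISTENING or FILTERED
 Starting portqry.exe -n 192.0.2.10 -e 137 -p UDP ...
portqry.exe -n 192.0.2.10 -e 137 -p UDP exits with return code 0x80000003.
"""

# Ports the preset probes (the ones visible in the thread's dump) and the AD role each carries.
AD_TRUST_PORTS = {
    (135, "TCP"): "RPC endpoint mapper", (389, "TCP"): "LDAP", (389, "UDP"): "LDAP ping",
    (636, "TCP"): "LDAPS", (3268, "TCP"): "Global Catalog", (3269, "TCP"): "GC over SSL",
    (53, "TCP"): "DNS", (53, "UDP"): "DNS", (88, "TCP"): "Kerberos", (88, "UDP"): "Kerberos",
    (445, "TCP"): "SMB", (137, "UDP"): "NetBIOS name", (138, "UDP"): "NetBIOS datagram",
    (139, "TCP"): "NetBIOS session", (42, "TCP"): "WINS replication",
}
STATUS_RE = re.compile(r"^(TCP|UDP) port (\d+) \([^)]*\): (LISTENING or FILTERED|NOT LISTENING|LISTENING)\s*$", re.M)
UDP_CONFIRM_RE = re.compile(r"^UDP port (\d+) is LISTENING\s*$", re.M)

def parse_portqry(text):
    """Map (port, proto) -> status; a UDP probe that actually answered upgrades 'LISTENING or FILTERED'."""
    status = {(int(p), proto): s for proto, p, s in STATUS_RE.findall(text)}
    for p in UDP_CONFIRM_RE.findall(text):
        status[(int(p), "UDP")] = "LISTENING"
    return status

def triage(text):
    """Group the preset's ports by outcome and flag a failed reverse (PTR) lookup of the target."""
    seen = parse_portqry(text)
    by = lambda want: sorted(k for k, v in seen.items() if v == want)
    return {
        "blocked": [(p, pr, AD_TRUST_PORTS.get((p, pr), "?")) for p, pr in by("NOT LISTENING")],
        "unverified_udp": by("LISTENING or FILTERED"),   # UDP cannot distinguish filtered from open
        "open": by("LISTENING"),
        "not_tested": sorted(k for k in AD_TRUST_PORTS if k not in seen),  # e.g. a probe that errored out
        "ptr_missing": "Failed to resolve IP address to name" in text,
    }

if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

Anything in "blocked" is a firewall or host-protection rule to fix before the trust wizard can talk to the remote DC; "ptr_missing" is the reverse-zone gap discussed earlier in the thread.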

Author Comment

by:GumbiDammit
Interesting result...  It turns out they were running Symantec Endpoint Protection on that Server and it was holding up the works!  It has been removed.

Here's where I am now...  I was able to create the Trust on this side.  But the other side still states "The name you specified is not a valid Windows domain name..."

Any thoughts?

Thanks!

Expert Comment

by:Mahesh
Do the same port query from the other end as well.

Ports need to be enabled bidirectionally.

Author Comment

by:GumbiDammit
Sorry.  Forgot to mention that I did.  Everything is coming back Listening, with the exception of UDP only for 389, 88, and 138, which respond Listening or Filtered.

Expert Comment

by:Mahesh
The above ports are not a problem.
What error do you get on the other side of the trust?

Check on the other side in ADUC for a computer object having the same NetBIOS name as your domain; if one exists, you need to delete it.
Also go to adsiedit.msc, connect to the domain directory partition in the other domain, and check under the Users container whether something like a yourdomainnetbiosname$ object exists.
If you find one, delete it and then try creating the trust from that side.

Mahesh