Solved

nslookup problems

Posted on 2014-08-26
Last Modified: 2014-08-27
Hello experts,

I am having problems with setting up domain trusts and I need some help troubleshooting nslookup issues. Note that I am an entry level user with AD and DNS.

I have two independent domains. Following up on some Google research, I built secondary forward zones on both domains for the other domain.

However, when I use the command line to run the command nslookup, I get DNS timeouts:
   [On Domain 1 AD/DNS server] nslookup <name of AD/DNS Server of Domain 2>
         Server:      FQDN of Domain 1 Server
         Address:   IP address of Domain 1 server

         DNS Request timed out

When I look at the secondary forward zone I created for Domain 2 on Domain 1, I see that the server names and IP addresses are visible and populated for the other domain. But when I look at the properties of that forward lookup zone, I see a statement that says "zone never loaded" (not sure if this is a relevant message).

I read some blogs that merely suggest 'Reverse lookup zones' should also be created on both domains for the other (target) domain but I am not sure.

Please advise me how to troubleshoot and solve this issue.

By the way, I am also not confident about antivirus or server management software on the servers. I read some findings that they may be blocking the DNS requests. How can I check if this is the case? Note that there is no firewall in between servers.

Thank you in advance
0
Question by:bozer
8 Comments
 
LVL 27

Expert Comment

by:DrDave242
ID: 40286762
You may find it easier to use conditional forwarders rather than secondary zones. With conditional forwarders, queries coming from domain 1 for machines in domain 2 will be forwarded to domain 2's DNS servers, and vice versa. The DNS servers won't maintain any records for the other domain, so no zone transfers are required.
0
 
LVL 41

Expert Comment

by:footech
ID: 40286793
It's likely that the DNS servers in domain2 haven't been configured to allow zone transfers to domain1, or else a firewall is blocking the traffic.  Like DrDave242, I would recommend using conditional forwarders rather than setting up secondary zones on domain1 - or even better, I would set up stub zones, as those can update their name servers automatically.

On domain1 you should run
nslookup server.domain2.com x.x.x.x
where x.x.x.x is the IP of a DNS server on domain2.  This is to verify that DNS queries are allowed from domain1 to domain2.

Then, for either the conditional forwarder, or stub zone, all you need to specify is the IP(s) of DNS servers in domain2.
0
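The direct-query check and the conditional forwarder recommended in the answer above, as an added PowerShell example that is not part of the original thread. It assumes an elevated prompt on domain1's DNS server running Windows Server 2012 R2 or later with the DnsServer module; `domain2.com`, `192.0.2.10` and the function name `Test-RemoteDns` are placeholders.

```powershell
# Added example: every name and address here is a placeholder, not a value from the thread.
$RemoteZone = 'domain2.com'          # DNS name of the other domain
$RemoteDns  = @('192.0.2.10')        # IP(s) of domain2's DNS server(s)
$RemoteHost = "server.$RemoteZone"   # a host in domain2, as in the nslookup line above

function Test-RemoteDns {
    param([string]$Server, [string]$Zone, [string]$HostName)

    # TCP/53 carries zone transfers and large answers. Ordinary queries use UDP/53,
    # which the Resolve-DnsName calls below exercise.
    $tcp = Test-NetConnection -ComputerName $Server -Port 53 -WarningAction SilentlyContinue

    # Same check as "nslookup server.domain2.com x.x.x.x": ask domain2's server directly.
    $a = Resolve-DnsName -Name $HostName -Type A -Server $Server -DnsOnly `
            -ErrorAction SilentlyContinue

    # DC locator SRV record that domain1 needs in order to find domain2's domain controllers.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -Server $Server `
            -DnsOnly -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server      = $Server
        Tcp53Open   = $tcp.TcpTestSucceeded
        HostAnswer  = @($a   | Where-Object Type -eq 'A').IPAddress -join ','
        DcSrvTarget = @($srv | Where-Object Type -eq 'SRV').NameTarget -join ','
    }
}

$results = $RemoteDns | ForEach-Object {
    Test-RemoteDns -Server $_ -Zone $RemoteZone -HostName $RemoteHost
}
$results | Format-Table -AutoSize | Out-Host

# Create the forwarder only if a domain2 server answered and no zone of that name exists.
# An existing zone (for example a secondary zone that never loaded) blocks creation and
# has to be removed by hand first; this script deliberately does not delete anything.
$reachable = @($results | Where-Object { $_.HostAnswer }).Server
$existing  = Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue
if ($existing) {
    Write-Warning "Zone $RemoteZone already exists as type $($existing.ZoneType)."
} elseif ($reachable) {
    # Without -ReplicationScope the forwarder is stored on this server only.
    Add-DnsServerConditionalForwarderZone -Name $RemoteZone -MasterServers $reachable -PassThru
}

# Re-test through the local DNS server, which should now follow the forwarder.
Resolve-DnsName -Name $RemoteHost -Type A -Server localhost -DnsOnly
```

An empty `HostAnswer` with `Tcp53Open` true points at the remote DNS service or UDP/53 filtering rather than basic reachability; run the same script on domain2 with the names reversed to cover the other direction.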
 

Author Comment

by:bozer
ID: 40287091
Thank you for the replies. I'll try conditional forwarders today and see if that works. This may solve nslookup issues.

To take it up to another step, will this help for user authentication? My DNS Servers are co-located with their respective AD. Will the below scenario work?

   User 1 [a member of AD 1/Domain 1] -> Authenticated on server that belongs to AD 2/ Domain 2

This is why I wanted to have the trust in the first place; otherwise the static 'host' file would help for name resolutions.
0
 
LVL 81

Expert Comment

by:arnold
ID: 40287138
The users must use their complete login username: username@domain.
Your domain trust setup would need to include the credential test.
Each domain's GPO settings may need to account for that.
When authenticating user@domain1 while using a domain2 system, the query will be sent to a local domain2 DC, that will then forward it to a domain1 DC.

The trust setup will dictate the limitations.
0
 

Author Comment

by:bozer
ID: 40287163
Hi Arnold,

Would Conditional forwarders be sufficient for this or do I need to work on secondary zones instead?

Thanks
0
 
LVL 81

Accepted Solution

by:
arnold earned 2000 total points
ID: 40287200
Conditional forwarders will only deal with computer/web site resource access.
When a user enters username@domain1 on a domain2 system, the authentication request from this system is sent to a DC of domain2.

The credentials submitted by the user then need to be sent on to a domain1 DC.
The link below covers the trust that needs to exist to achieve this functionality.
http://msdn.microsoft.com/en-us/library/cc237016.aspx
0
 
LVL 41

Expert Comment

by:footech
ID: 40288111
The trust depends on the DNS setup, but whether you use conditional forwarders, a stub zone, or a secondary zone is irrelevant (to the trust) as long as each is configured correctly.  In certain scenarios one might be a better choice than the others, but as long as whichever you chose is working correctly then the trust functionality is not impacted by the choice.
0
 

Author Closing Comment

by:bozer
ID: 40289658
Thanks
0


Question has a verified solution.
