nslookup problems

Posted on 2014-08-26
Last Modified: 2014-08-27
Hello experts,

I am having problems with setting up domain trusts and I need some help troubleshooting nslookup issues. Note that I am an entry level user with AD and DNS.

I have two independent domains. Following up on some Google research, I built secondary forward zones on both domains for the other domain.

However, when I use the command line to use the command nslookup, I get DNS timeouts:
   [On Domain 1 AD/DNS server] nslookup <name of AD/DNS Server of Domain 2>
         Server:      FQDN of Domain 1 Server
         Address:   IP address of Domain 1 server

         DNS Request timed out

When I look at the secondary forward zone I created for Domain 2 on Domain 1, I see that the server names and IP addresses are visible and populated for the other domain. But when I look at the properties of that forward lookup zone, I see a statement that says "zone never loaded" (not sure if this is a relevant message).

I read some blogs that merely suggest 'Reverse lookup zones' should also be created on both domains for the other (target) domain but I am not sure.

Please advise me how to troubleshoot and solve this issue?

By the way, I am also not confident about antivirus or server management software on the servers. I read some findings that they may be blocking the DNS requests. How can I check if this is the case? Note that there is no firewall in between servers.

Thank you in advance
Question by: bozer

    Expert Comment

    You may find it easier to use conditional forwarders rather than secondary zones. With conditional forwarders, queries coming from domain 1 for machines in domain 2 will be forwarded to domain 2's DNS servers, and vice versa. The DNS servers won't maintain any records for the other domain, so no zone transfers are required.

    Expert Comment

    It's likely that the DNS servers in domain2 haven't been configured to allow zone transfers to domain1, or else a firewall is blocking the traffic.  Like DrDave242, I would recommend using conditional forwarders rather than setting up secondary zones on domain1 - or even better, I would set up stub zones, as those can update their name servers automatically.

    On domain1 you should run
    nslookup x.x.x.x
    where x.x.x.x is the IP of a DNS server on domain2.  This is to verify that DNS queries are allowed from domain1 to domain2.

    Then, for either the conditional forwarder, or stub zone, all you need to specify is the IP(s) of DNS servers in domain2.
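
The check and setup described in the comment above, as an added PowerShell example that is not part of the original thread. It assumes Windows Server 2012 R2 or later with the DnsServer module, run elevated as a script on a domain1 DNS server; `domain2.example` and `192.0.2.10` are placeholders for the other domain's name and one of its DNS servers.

```powershell
# Added example: placeholder values, replace with your own.
$RemoteZone = 'domain2.example'   # DNS name of the other domain (placeholder)
$RemoteDns  = '192.0.2.10'        # IP of a DNS server in that domain (placeholder)
$ErrorActionPreference = 'Stop'   # halt the script at the first failed step

# 1. TCP/53 reachability. Test-NetConnection only tests TCP; zone transfers
#    for a secondary zone use TCP 53, so a failure here explains a zone
#    that never loads.
$tcp = Test-NetConnection -ComputerName $RemoteDns -Port 53 -WarningAction SilentlyContinue
"TCP/53 to ${RemoteDns}: $($tcp.TcpTestSucceeded)"

# 2. Query the remote DNS server directly (ordinary queries use UDP 53).
#    A timeout here means the query or its reply is dropped on the path
#    or on either host (host firewall, security software), not a zone problem.
Resolve-DnsName -Name $RemoteZone -Type SOA -Server $RemoteDns -DnsOnly |
    Format-Table Name, Type, PrimaryServer -AutoSize

# 3. Create the conditional forwarder unless a zone of that name already
#    exists. An existing secondary zone for $RemoteZone has to be deleted
#    first; this script does not delete anything.
$existing = Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue
if ($existing) {
    Write-Warning "Zone $RemoteZone already exists as type $($existing.ZoneType); not changed."
} else {
    Add-DnsServerConditionalForwarderZone -Name $RemoteZone -MasterServers $RemoteDns
}
# Stub-zone alternative to the forwarder (use one or the other):
# Add-DnsServerStubZone -Name $RemoteZone -MasterServers $RemoteDns -ZoneFile "$RemoteZone.dns"

# 4. Resolve through the local DNS server. The SRV record below is the one
#    the DC locator looks up to find domain controllers of the other
#    domain, so it is the lookup a trust depends on.
Clear-DnsServerCache -Force
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteZone" -Type SRV -Server 127.0.0.1 -DnsOnly |
    Format-Table Name, Type, NameTarget, Port -AutoSize
```

Run the same script on a domain2 DNS server with the values swapped, since name resolution has to work in both directions.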

    Author Comment

    Thank you for the replies. I'll try conditional forwarders today and see if that works. This may solve nslookup issues.

    To take it up to another step, will this help for user authentication? My DNS Servers are co-located with their respective AD. Will the below scenario work?

       User 1 [a member of AD 1/Domain 1] -> Authenticated on server that belongs to AD 2/ Domain 2

    This is why I wanted to have the trust in the first place; otherwise the static 'host' file would help for name resolutions.

    Expert Comment

    The users must use their complete login username: username@domain
    Your domain trust setup would need to include the credential test.
    Each domain's GPO settings may need to account for that.
    When authenticating user@domain1 while using a domain2 system, the query will be sent to a local domain2 DC, that will then forward it to a domain1 DC.

    The trust setup will dictate the limitations.

    Author Comment

    Hi Arnold,

    Would Conditional forwarders be sufficient for this or do I need to work on secondary zones instead?


    Accepted Solution

    Conditional forwarders will only deal with Computer/web site resource access.
    When a user enters on a domain2 system username@domain1, the authentication request from this system is sent to a DC of domain2.

    The credentials submitted by the user then need to be sent on to a domain1 DC.
    The below link covers the trust that needs to exist to achieve this functionality.

    Expert Comment

    The trust depends on the DNS setup, but whether you use conditional forwarders, a stub zone, or a secondary zone is irrelevant (to the trust) as long as each is configured correctly.  In certain scenarios one might be a better choice than the others, but as long as whichever you chose is working correctly then the trust functionality is not impacted by the choice.

    Author Closing Comment

