nslookup problems

Hello experts,

I am having problems with setting up domain trusts and I need some help troubleshooting nslookup issues. Note that I am an entry level user with AD and DNS.

I have two independent domains. Following up on some Google research, I built secondary forward zones on both domains for the other domain.

However, when I use the command line to run the nslookup command, I get DNS timeouts:
   [On Domain 1 AD/DNS server] nslookup <name of AD/DNS Server of Domain 2>
         Server:      FQDN of Domain 1 Server
         Address:   IP address of Domain 1 server

         DNS Request timed out

When I look at the secondary forward zone I created for Domain 2 on Domain 1, I see that the server names and IP addresses are visible and populated for the other domain. But when I look at the properties of that forward lookup zone, I see a statement that says "zone never loaded" (not sure if this is a relevant message).

I read some blogs that merely suggest 'Reverse lookup zones' should also be created on both domains for the other (target) domain but I am not sure.

Please advise me on how to troubleshoot and solve this issue.

By the way, I am also not confident about antivirus or server management software on the servers. I read some findings that they may be blocking the DNS requests. How can I check if this is the case? Note that there is no firewall in between servers.

Thank you in advance
bozer Asked:
 
arnold Commented:
Conditional forwarders will only deal with computer/web site resource access.
When a user enters username@domain1 on a domain2 system, the authentication request from this system is sent to a DC of domain2.

The credentials submitted by the user then need to be sent on to a domain1 DC.
The below link covers the trust that needs to exist to achieve this functionality.
http://msdn.microsoft.com/en-us/library/cc237016.aspx
0
 
DrDave242 Commented:
You may find it easier to use conditional forwarders rather than secondary zones. With conditional forwarders, queries coming from domain 1 for machines in domain 2 will be forwarded to domain 2's DNS servers, and vice versa. The DNS servers won't maintain any records for the other domain, so no zone transfers are required.
0
 
footech Commented:
It's likely that the DNS servers in domain2 haven't been configured to allow zone transfers to domain1, or else a firewall is blocking the traffic.  Like DrDave242, I would recommend using conditional forwarders rather than setting up secondary zones on domain1 - or even better, I would set up stub zones, as those can update their name servers automatically.

On domain1 you should run
nslookup server.domain2.com x.x.x.x
where x.x.x.x is the IP of a DNS server on domain2.  This is to verify that DNS queries are allowed from domain1 to domain2.

Then, for either the conditional forwarder, or stub zone, all you need to specify is the IP(s) of DNS servers in domain2.
0
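The direct-query check footech describes, extended into a pre-flight test before creating a conditional forwarder. This is an added example, not code posted by anyone in the thread. It assumes it is run on the domain 1 DNS server with the DnsServer module installed; `domain2.com` and `192.0.2.10` are placeholders, and `Test-RemoteDns` is a hypothetical helper name.

```powershell
# Added example. Placeholders (assumptions, not values from the thread): replace both.
$RemoteZone = 'domain2.com'      # DNS name of the other domain
$RemoteDns  = '192.0.2.10'       # IP of a DNS server in that domain

function Test-RemoteDns {
    param([string]$Zone, [string]$Server)

    $result = [ordered]@{ DirectQuery = $false; Tcp53 = $false; DcSrvRecords = @() }

    # 1. Same check as "nslookup server.domain2.com x.x.x.x": ask the remote
    #    server directly, bypassing local zones and forwarders.
    try {
        Resolve-DnsName -Name $Zone -Type SOA -Server $Server -DnsOnly -ErrorAction Stop | Out-Null
        $result.DirectQuery = $true
    } catch { Write-Warning "Direct query to $Server failed: $($_.Exception.Message)" }

    # 2. Zone transfers and large responses use TCP 53; host firewall or
    #    security software may pass UDP and still drop TCP.
    $result.Tcp53 = (Test-NetConnection -ComputerName $Server -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded

    # 3. A trust needs the other domain's DC locator (SRV) records to resolve.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -Server $Server -DnsOnly -ErrorAction Stop
        $result.DcSrvRecords = @($srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget)
    } catch { Write-Warning "SRV lookup failed: $($_.Exception.Message)" }

    [pscustomobject]$result
}

$check = Test-RemoteDns -Zone $RemoteZone -Server $RemoteDns
$check | Format-List

if ($check.DirectQuery -and $check.DcSrvRecords.Count -gt 0) {
    # Create the forwarder only when no zone of that name exists locally.
    if (-not (Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $RemoteZone -MasterServers $RemoteDns -ReplicationScope Forest
    } else {
        Write-Warning "A zone named $RemoteZone already exists (for example the failed secondary zone); remove it first."
    }
    # Re-test through the local server, which should now forward the query.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteZone" -Type SRV -DnsOnly
}
```

If the direct query fails while both servers are on the same network with no firewall between them, the host firewall or security software on either server is the next thing to check. Run the same test from the domain 2 server against domain 1.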
 
bozer Author Commented:
Thank you for the replies. I'll try conditional forwarders today and see if that works. This may solve nslookup issues.

To take it up to another step, will this help for user authentication? My DNS Servers are co-located with their respective AD. Will the below scenario work?

   User 1 [a member of AD 1/Domain 1] -> Authenticated on server that belongs to AD 2/ Domain 2

This is why I wanted to have the trust in the first place; otherwise the static 'host' file would help for name resolutions.
0
 
arnold Commented:
The users must use their complete login username: username@domain.
Your domain trust setup would need to include the credential test.
Each domain's GPO settings may need to account for that.
When authenticating user@domain1 while using a domain2 system, the query will be sent to a local domain2 DC, which will then forward it to a domain1 DC.

The trust setup will dictate the limitations.
0
 
bozer Author Commented:
Hi Arnold,

Would Conditional forwarders be sufficient for this or do I need to work on secondary zones instead?

Thanks
0
 
footech Commented:
The trust depends on the DNS setup, but whether you use conditional forwarders, a stub zone, or a secondary zone is irrelevant (to the trust) as long as each is configured correctly.  In certain scenarios one might be a better choice than the others, but as long as whichever you chose is working correctly, the trust functionality is not impacted by the choice.
0
 
bozer Author Commented:
Thanks
0
Question has a verified solution.
