Re: DNS resolving issue with new child domain

From: Dana Brash (dbrash_at_NOSPAM.gmail.com)
Date: 11/17/04


Date: Wed, 17 Nov 2004 21:02:38 +0800

Hi Brian,

You really need to review and understand this article:

255248 HOW TO: Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;255248

Please see my in-line comments in CAPS...

-- 
HTH,
=d=
Dana Brash
MCSE, MCDBA, MCSA
dbrash@NOSPAM.gmail.com
"ITOpMan" <ITOpMan@discussions.microsoft.com> wrote in message
news:7858998F-1F66-4B82-99F4-C0F9B7453B71@microsoft.com...
> Hi..Dana, Thanks for the response. I will try and answer all your
> questions.
>
> What can you tell us about your DNS setup?
>
> Where are the servers? All child domains are inside the ISA firewall,
> 10.0.0.0 for main domain and 10.0.1.0 and 10.0.2.0 for child domains (new
> child domain being 10.0.2.0). There is a router at 10.0.0.8 for 10.0.1.0 child
> domain (Pix router route for new child domain added as this is our default
> gateway for 10.0.0.0 domain).
>
>
SO THE PIX ROUTER NEEDS TO HAVE PORT 53 OPEN.
> Which zones are on which servers?  There are 3 DNS servers on the main domain
> and these have forward and reverse lookup zones; as far as I'm aware no
> delegation.
REVIEW THE FIRST LINK I SENT YOU, AND PARTICULARLY PAY ATTENTION TO CREATING
THE DELEGATION.  THIS IS THE ROOT OF YOUR ISSUE.
WHERE ARE THE DNS SERVERS FOR THE CHILD DOMAINS?  OR, WHY ARE THE DNS
SERVERS FOR THE CHILD DOMAINS ON THE MAIN DOMAIN?
ALSO CHECK THE REVERSE LOOKUP ZONES.  YOU NEED TO HAVE ACCESS TO THE REVERSE
LOOKUP ZONE THAT MANAGES THE 10.0.1.0 AND 10.0.2.0 SUBNETS ON THE DNS
SERVERS IN THE MAIN DOMAIN.  THIS WILL ALLOW YOU TO USE NSLOOKUP TO RESOLVE
BY IP ADDRESS.
ACTUALLY THOUGH, IF YOU'RE NOT EXPERIENCING ANY OTHER ISSUES USING YOUR
NETWORK, IT'S SIMPLY NOT WORTH BOTHERING TO CHASE THE REVERSE LOOKUP ZONE
ISSUE.  YOU CAN PROBABLY IGNORE IT FOR NOW.  IT'S NOT WORTH FIXING JUST FOR
NSLOOKUP....
>
> What type of zones are they? All DNS servers including child domains are AD
> integrated.
>
> Are the servers properly configured to use themselves ONLY for DNS?  Good
> question, not sure! All worked fine before the new child domain was added so I
> would have thought this is yes.
>
> What forwarders do you have configured? I did add forwarders on the child
> domain for the main domain but DNS error 7063 was reported so I removed them.
>
> What client are you testing from? I am testing from my desktop using
> nslookup; I do the tests from all DNS servers, so I am testing each DNS server
> with the same tests.
>
>
> Which DNS server is the client using? My PC is on the main domain and is
> using 2 DNS servers, primary 10.0.0.6 and 10.0.0.2 (fixed IP with DNS and
> gateway added)
>
> Perhaps I should remove the DNS server on the child domain and recreate it
> following your instructions? I did try this once but as soon as I added it
> again it picked up the old zone settings even when I deleted the folder
> c:\windows\system32\DNS.
>
> What is the correct way to remove a DNS server completely?
>
YOUR ZONES ARE AD INTEGRATED, SO WHEN YOU RE-INSTALL DNS, IT WILL PROPAGATE
THE ZONES TO THE 'NEW' SERVER AGAIN.  THIS IS CORRECT BEHAVIOR.
> Hope this is enough info and I have answered all the questions, but if you
> have any more please ask.
>
> NB: initially the main domain did not resolve anything in the new child
> domain but since I added the secondary zone of the child domain into the main
> DNS server 10.0.0.6 it does resolve, although I cannot resolve IP addresses
> as stated.
>
> Brian
>
> "Dana Brash" wrote:
>
> > Hi Brian,
> >
> > nslookup's ability to resolve a hostname is not related to WINS.
> > nslookup's ability to resolve IP => Domain Name is related to Reverse Lookup
> > Zones being properly configured in DNS.
> > If nslookup can resolve a hostname, then DNS is working.  If you really want
> > to test it, turn WINS off, you probably don't need it anyway.
> > You can also try pinging back and forth using FQDN.
> >
> > Let's back up for a minute though.....  What exactly are you actually trying
> > to do when you receive an error?  My understanding from your original post
> > was that you can not resolve NSLookup queries from the parent to the child
> > domain, but that nslookup queries from the child domain resolve parent
> > domain hosts.
> >
> > You also mentioned that you had a router routing between the domains:
> >
> > > > > DC which is also acting as a router (additional NIC added) between the
> > > > > domains
> >
> > and so I assumed that the parent was on one side and child domain was on the
> > other side.  I would also assume that the parent and child domains would be
> > on separate subnets, which would make some logical sense as well (hence the
> > need for routing).  It is this router between the two subnets that needs to
> > be able to pass port 53 for DNS lookup.  Both subnets should be behind a
> > firewall, and incoming port 53 requests should be blocked at the firewall.
> > However, IF both parent and child domains are on the same subnet, then they
> > both want to be using the same reverse lookup zone.  You can host a
> > secondary lookup zone in the child domain.
> >
> > What can you tell us about your DNS setup?
> > Where are the servers?
> > Which zones are on which servers?  Forward Lookup? Reverse Lookup?
> > Delegation?
> > What type of zones are they? AD integrated? Primary? Secondary?
> > Are the servers properly configured to use themselves ONLY for DNS?  What
> > forwarders do you have configured?
> > What client are you testing from?  Which DNS server is the client using?
> >
> > -- 
> > HTH,
> > =d=
> >
> >
> > Dana Brash
> > MCSE, MCDBA, MCSA
> >
> > dbrash@NOSPAM.gmail.com
> >
> > "ITOpMan" <ITOpMan@discussions.microsoft.com> wrote in message
> > news:EF634D4A-781F-448B-8023-F461FE94AEBB@microsoft.com...
> > > Hi...The child domain is inside the firewall so there are no issues with
> > > firewall but worth asking.  I have just tested nslookup from the main domain
> > > server and this works fine now with the secondary zone; it resolves NetBIOS
> > > and IP addresses for the child domain, but the server in the child domain
> > > resolves NetBIOS names to IP (which I think is using WINS) but cannot resolve
> > > IP addresses.
> > >
> > > All DNS servers have reverse lookup zones.
> > >
> > > How can I test if DNS is working? nslookup as I said works on NetBIOS names
> > > but cannot resolve IP addresses so I believe it's WINS that's resolving the
> > > NetBIOS names.
> > >
> > > Any help would be gratefully received.
> > >
> > > Brian
> > >
> > > "Dana Brash" wrote:
> > >
> > > > Hi,
> > > >
> > > > If the parent zone and child zone are on either side of a router, you'll
> > > > need to route port 53 for DNS resolution between DNS servers.
> > > >
> > > > If it's not simply a routing problem, this should get you on the right
> > > > track...
> > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;255248
> > > >
> > > > Can the child domain perform successful DNS lookups for itself?  If so,
> > > > where is the child zone hosted?
> > > >
> > > >
> > > > -- 
> > > > HTH,
> > > > =d=
> > > >
> > > >
> > > > Dana Brash
> > > > MCSE, MCDBA, MCSA
> > > >
> > > > dbrash@NOSPAM.gmail.com
> > > >
> > > > "ITOpMan" <ITOpMan@discussions.microsoft.com> wrote in message
> > > > news:53F2B58E-93C4-4A10-AE4B-28442EDA1EC4@microsoft.com...
> > > > > We have just added a new child domain to our network and installed a
> > > > > win2000 DC which is also acting as a router (additional NIC added) between
> > > > > the domains. We are running DNS with AD and we can resolve nslookup
> > > > > queries from this child domain for the main domain but cannot resolve
> > > > > anything from the main domain for the child domains:
> > > > >  'none-existing domain'
> > > > >
> > > > > Has anyone any idea why this is happening and how we can resolve it.
> > > > >
> > > > > Cheers
> > > > >
> > > > > I have now moved the routing to a new machine as I read somewhere that
> > > > > you should not put routing on a DC!  Anyway, same problem with DNS.
> > > > >
> > > > >
> > > >
> > > >
> > > >
> >
> >
> >
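As an added illustration that is not part of the thread, the Python model below walks through the two things Dana's replies turn on: whether the parent zone carries a delegation (an NS record plus its glue A record) for the child, and whether the PIX passes UDP and TCP 53 from the parent subnet to the child DNS server. The zone names, the /24 masks and the firewall rules are constructed; the subnets and the 10.0.0.6 resolver are the ones given in the thread.

```python
from ipaddress import ip_address, ip_network
# Constructed zone names; subnets and DNS addresses come from the thread (/24 assumed).
PARENT_ZONE = "corp.example"
# Parent DNS server (10.0.0.6) zone with NO delegation: the state Brian describes.
PARENT_NO_DELEGATION = {("corp.example", "NS"): ["dc1.corp.example."],
                        ("dc1.corp.example", "A"): ["10.0.0.6"]}
# Same zone after adding the child NS record and its glue A record (KB 255248 step).
PARENT_DELEGATED = {**PARENT_NO_DELEGATION,
                    ("child.corp.example", "NS"): ["dc1.child.corp.example."],
                    ("dc1.child.corp.example", "A"): ["10.0.2.1"]}
# Constructed PIX-style rules: (src_net, dst_net, proto, dst_port).
PIX_NO_DNS = [("10.0.0.0/24", "10.0.2.0/24", "icmp", None)]
PIX_WITH_DNS = PIX_NO_DNS + [("10.0.0.0/24", "10.0.2.0/24", p, 53)
                             for p in ("udp", "tcp")]

def parent_answer(records, qname):
    """Authoritative reply of the parent for a name under PARENT_ZONE:
    ('referral', glue_ips), ('answer', ips) or ('NXDOMAIN', [])."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    for i in range(len(labels)):            # walk up looking for a delegation cut
        cut = ".".join(labels[i:])
        if cut == PARENT_ZONE:
            break                           # reached the apex: nothing delegated
        if (cut, "NS") in records:
            glue = [ip for ns in records[(cut, "NS")]
                    for ip in records.get((ns.rstrip("."), "A"), [])]
            return "referral", glue
    if (name, "A") in records:
        return "answer", records[(name, "A")]
    return "NXDOMAIN", []                   # nslookup prints "Non-existent domain"

def port53_open(rules, src_ip, dst_ip):
    """True only if both UDP and TCP 53 are permitted from src to dst."""
    needed = {"udp", "tcp"}
    for src_net, dst_net, proto, port in rules:
        if (port == 53 and ip_address(src_ip) in ip_network(src_net)
                and ip_address(dst_ip) in ip_network(dst_net)):
            needed.discard(proto)
    return not needed

def diagnose(records, rules, qname, resolver_ip="10.0.0.6"):
    """The two checks the thread turns on, in order: delegation, then port 53."""
    kind, ips = parent_answer(records, qname)
    if kind != "referral":
        return kind                         # 'answer' or 'NXDOMAIN' ends here
    if not ips:
        return "referral without glue"      # child NS has no A record in parent
    blocked = [ip for ip in ips if not port53_open(rules, resolver_ip, ip)]
    return "port 53 blocked to " + ",".join(blocked) if blocked else "ok via " + ",".join(ips)
```

Without the delegation the parent answers NXDOMAIN for anything under the child zone, which is the "non-existent domain" Brian saw from the main domain; with it, the query becomes a referral that still fails unless the PIX passes port 53.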

