Re: Trust between child and domain broken
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Mon, 25 Jul 2005 12:44:09 -0500
> -->Does the root DNS delegate to the child or in some other
> way (secondary, stub, etc.) provide for finding the child DNS
> servers when contacting the parent?
> -->What about the child to the parent? Do the child DNS servers
> have a copy of the parent zone (secondary or stub) or conditionally
> forward to the parent?
>
> No, I didn't use forwarder and delegation, coz I think of using AD integrated
> for entire forest.
Ok, this CAN work but you must establish that the resolution from
child to parent DNS actually has a pathway and works.
The delegation cannot hurt even if the two zones are on the same
server (as long as it is set up correctly).
> -->Do you expect/allow the internal DNS servers to go out and visit
> the ENTIRE Internet to resolve external names or do you just disallow
> Internet access? (Forwarders are USUALLY better for security if nothing
> else.)
>
> No, internal DNS servers are not allowed to go out of the network.
Then presumably they forward (general forwarding) to some forwarder
to take care of Internet resolution.
> > 8.) Enable Global Catalog checkbox for child domain in Active Directory Sites
> > and Services in root DC.
> >This (every) is fine for small forests -- do not do this in most cases where
> >one or both domains are very large. (e.g., Large forest.)
>
> But, if I wanna use AD integrated for entire forest, isn't that I must make
> the DNS server global catalog?
DNS and GCs are largely unrelated. But you can easily make all DCs into
GCs and DNS servers.
> > 9.) Enable Active Directory Replication for entire forest for forward lookup
> > zone and reverse lookup zone for both root DC and child DC.
> >This is fine but has NO USEFUL effect if the "other" zone does not get
> >created (either automatically or manually) in the Parent and the Child DNS
> >servers.
>
> Don't really get you. Can you elaborate more on "if the "other" zone does
> not get created in the Parent and the Child DNS servers"? Does it mean that
Is the DNS server INSTALLED on every DC and is each DC showing a
copy of the zone in the DNS MMC?
Furthermore, is each zone POPULATED with the correct entries?
> we need to create the zones and create A record before we perform DCPROMO?
Generally you need to create it if it was not automatically created.
After replication, it is perfectly fine to create the AD Integrated zone
on every DC where it doesn't appear -- you do NOT want to create the
zone if AD replication has not occurred (back to DCDiag to check.)
> Should we create DNS zones before DCPROMO for parent and child DC or should
> we create the zone after DCPROMO?
Doesn't really matter as long as they get created correctly -- usually
after is EASIER.
Notice this: They CANNOT be "AD Integrated" BEFORE the DCPromo
so if you wish to use AD for DNS you must at least change the type after
the Promotion (and replication.)
> The ipconfig /all for parent DC is:
> Host Name: syhq1
> Primary DNS Suffix: shinyang.com.my
> Node Type: Hybrid
> IP Routing Enabled: No
> WINS Proxy Enabled: No
> DNS Suffix Search List: shinyang.com.my
> bld.shinyang.com.my
> DNS Servers: 172.16.0.1
This is NOT "Ipconfig /all" but some subset -- or worse you
just retyped part of it.
You really need to post the FULL IPconfig when troubleshooting;
and you need to cut and paste the TEXT (or redirect to a file) so
there are no typos or graphics involved.
> >AND MORE IMPORTANT it must not be used before you have AD and
> >forest replication since AD is always dependent on DNS, you must never
> >allow DNS to be made dependent on AD (AD Integration) UNTIL you have
> >AD replication working.
> >DCPromo on every DC is a good way to check for such problems.
>
> The problem is, I couldn't perform DCPROMO. It prompted DNS lookup error.
That makes sense as you likely have a partially replicated DNS OR you have
clients pointing to the wrong DNS server.
Remember, DNS Servers and DCs are DNS clients themselves.
Go back through my guidelines (below) for DNS.
> After I set the NIC of child DC to point to parent DC, it still prompted the
> same error. I tried to delete all zones in DNS and restarted and could
> perform DCPROMO. Will the OS be corrupted or can I proceed on to
> troubleshoot without having to reinstall W2003?
And you really don't want to post multiple messages to different newsgroups but
rather CROSSPOST a SINGLE message to multiple groups.
Guidelines to using DNS for AD:
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)
netdiag /fix
....or maybe:
dcdiag /fix
(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/
Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.
Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
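As an added example that is not part of Herb's post, the following script turns two of the guidelines above into mechanical checks: it parses a saved `ipconfig /all` capture and flags any DNS server on the NIC that is not one of the internal, dynamic AD DNS servers (guidelines #2 and #3), and it searches saved DCDiag output for FAIL, ERROR and WARN as the post suggests. The ipconfig and dcdiag text embedded in it is constructed to match the Windows 2003 layouts the thread shows; the host names, the 172.16.0.1 server and the 203.0.113.53 "outside" server are illustrative values, not taken from any real network.

```python
"""Added example (not from the post): mechanical checks for two of the
DNS-for-AD guidelines -- a DC's NIC must list ONLY internal, dynamic DNS
servers (#2/#3), and DCDiag output should be searched for FAIL/ERROR/WARN.
All sample text is constructed; names and addresses are illustrative."""
import re

# Constructed "ipconfig /all" excerpt in the Windows 2003 layout the post shows.
# 203.0.113.53 (a documentation address) stands in for a DNS server that is
# not one of the internal AD DNS servers, i.e. a guideline #2 violation.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : syhq1
   Primary Dns Suffix  . . . . . . . : shinyang.com.my
   DNS Suffix Search List. . . . . . : shinyang.com.my
                                       bld.shinyang.com.my

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 172.16.0.1
   DNS Servers . . . . . . . . . . . : 172.16.0.1
                                       203.0.113.53
"""

# Constructed "dcdiag" excerpt with one failed test and one warning.
SAMPLE_DCDIAG = """\
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing primary tests

   Testing server: Default-First-Site-Name\\SYHQ1
      Starting test: Replications
         [Replications Check,SYHQ1] A recent replication attempt failed:
            From BLDDC1 to SYHQ1
            The replication generated an error (1722):
            The RPC server is unavailable.
         ......................... SYHQ1 failed test Replications
      Starting test: Advertising
         Warning: SYHQ1 is not advertising as a time server.
         ......................... SYHQ1 passed test Advertising
"""

PROBLEM_MARKERS = ("FAIL", "ERROR", "WARN")   # the words the post says to search for


def parse_ipconfig(text):
    """Parse ipconfig /all text into {field: [values]}: a dot-padded label,
    a colon, the value; extra values continue on indented lines with no
    colon (IPv4-era layout only; repeated fields across adapters merge)."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():            # blank line ends a multi-line field
            current = None
        elif ":" in line:
            label, value = line.split(":", 1)
            current = re.sub(r"[\s.]+$", "", label).strip()
            values = fields.setdefault(current, [])
            if value.strip():
                values.append(value.strip())
        elif current is not None:       # continuation of the previous field
            fields[current].append(line.strip())
    return fields


def check_dns_clients(fields, internal_dns):
    """Guidelines #2/#3: every listed DNS server must be an internal AD DNS
    server. Returns problem strings; an empty list means the check passed."""
    servers = fields.get("DNS Servers", [])
    if not servers:
        return ["no DNS Servers entry found in ipconfig output"]
    return [f"DNS server {s} is not an internal AD DNS server"
            for s in servers if s not in internal_dns]


def scan_dcdiag(text):
    """Case-insensitive search of DCDiag output for FAIL/ERROR/WARN;
    returns (line_number, line) pairs so hits can be found in the saved file."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if any(m in line.upper() for m in PROBLEM_MARKERS)]


if __name__ == "__main__":
    # On a real DC: ipconfig /all > ipconfig.txt and dcdiag /v > dcdiag.txt,
    # then read those files in place of the constructed samples.
    for problem in check_dns_clients(parse_ipconfig(SAMPLE_IPCONFIG), {"172.16.0.1"}):
        print("NIC:", problem)
    for number, line in scan_dcdiag(SAMPLE_DCDIAG):
        print(f"dcdiag line {number}: {line}")
```

Run it against real captures by redirecting `ipconfig /all` and `dcdiag /v` to text files on each DC (the pasted-text approach the post asks for) and passing the set of your internal DNS server addresses; any line printed under NIC means a DC or client is not pointing solely at the internal dynamic DNS servers, which is exactly the condition that produces the DCPromo DNS lookup error discussed above.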