Padraig (Guest)
Posted: Tue Oct 18, 2005 12:50 pm
Subject: urgent-DNS forwarder problem
Hi,
I've recently inherited a child domain containing 4 DCs that is part of a
global forest containing approx 20 other child domains.
I am experiencing a very strange problem as follows:
My DNS is AD integrated.
3 of my 4 domain controllers are unable to resolve addresses outside of the
child domain for other child domains or for the forest root domain.
The forwarder config on all DNS servers is identical and contains two options:
1. All other DNS domains: goes to the ISP firewall
2. Root domain name: goes to the forest root DC.
All DCs can resolve external internet addresses perfectly.
Help please... I'm going nuts
Ace Fekay [MVP] (Guest)
Posted: Tue Oct 18, 2005 7:54 pm
Subject: Re: urgent-DNS forwarder problem
In news:C207CFF4-FC39-46A3-BE96-89BB9A1AB4BA@microsoft.com,
Padraig <Padraig@discussions.microsoft.com> made this post, which I then
commented about below:
> Hi,
> I've recently inherited a child domain containing 4 DCs that is part
> of a global forest containing approx 20 other child domains.
> I am experiencing a very strange problem as follows:
> My DNS is AD integrated.
> 3 of my 4 domain controllers are unable to resolve addresses outside
> of the child domain for other child domains or for the forest root
> domain.
> The forwarder config on all DNS servers is identical and contains two
> options:
> 1. All other DNS domains: goes to the ISP firewall
> 2. Root domain name: goes to the forest root DC.
> All DCs can resolve external internet addresses perfectly.
> Help please... I'm going nuts
Is the forest root DC/DNS operational or any errors on it? Any firewall in
place?
How are you trying to resolve the other domains, by FQDN or by NetBIOS name?
WINS in place?
For forwarding, we usually check off "Do not use recursion" under the
forwarding tab so it forces DNS not to use the root hints and only use the
forwarder to go to the parent DNS.
But if you are connecting by single name (NetBIOS), and the domain is in a
different physical subnet, then WINS is required and the forwarder will
fail. The reason is the local DNS resolver will devolve the name based on
the search suffix listed on a machine. In a child scenario, the search
suffix is the child.domain.com name, as well as the domain.com parent name;
that's it, unless you've populated that manually or by script on every
child domain's machine. If the search suffixes for the other domains are not
listed in the machine, then a single-name lookup won't work to another
child, but FQDN will, unless you have WINS.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
Kevin D. Goodknecht Sr. [MVP] (Guest)
Posted: Tue Oct 18, 2005 8:50 pm
Subject: Re: urgent-DNS forwarder problem
Padraig <Padraig@discussions.microsoft.com> wrote:
> Hi,
> I've recently inherited a child domain containing 4 DCs that is part
> of a global forest containing approx 20 other child domains.
> I am experiencing a very strange problem as follows:
> My DNS is AD integrated.
> 3 of my 4 domain controllers are unable to resolve addresses outside
> of the child domain for other child domains or for the forest root
> domain.
> The forwarder config on all DNS servers is identical and contains two
> options:
> 1. All other DNS domains: goes to the ISP firewall
> 2. Root domain name: goes to the forest root DC.
Select the root domain conditional forwarder and check the box "Do not use
recursion for this domain". This prevents DNS from trying to find the parent
DNS through root hints.
If all the child domains are delegated in the parent zone this will give you
resolution to all child domains.
--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
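The configuration Ace and Kevin describe above (the default forwarder pointed at the ISP with root hints disabled, a conditional forwarder for the forest root with "Do not use recursion for this domain" set, and a check that the parent zone really delegates this child), as an added PowerShell example that is not part of the thread. Zone names and addresses are assumptions; the DnsServer module cmdlets stand in for the 2005-era GUI and `dnscmd /ZoneAdd <zone> /Forwarder <ip> /Slave`, where `/Slave` is the same no-recursion flag.

```powershell
# Added example, not from the thread. Assumed names and addresses:
#   forest root zone : corp.example      (root DC/DNS at 10.0.0.10)
#   this child zone  : emea.corp.example (where this script runs)
#   ISP/firewall DNS : 203.0.113.53
# Needs the DnsServer module (Windows Server 2012+ / RSAT); run on the child DC.
$RootZone  = 'corp.example'
$RootDns   = '10.0.0.10'
$ChildZone = 'emea.corp.example'
$IspDns    = '203.0.113.53'

# Default forwarder = "All other DNS domains -> ISP firewall".
# -UseRootHint $false is the GUI's "Do not use recursion" for this list.
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false

# Conditional forwarder for the forest root. ReplicationScope 'Forest' stores
# it in the forest-wide application partition, so all four child DCs carry an
# identical entry. -UseRecursion $false is "Do not use recursion for this
# domain": if 10.0.0.10 does not answer, the query fails instead of falling
# back to root hints, which can never resolve a private AD namespace.
if (-not (Get-DnsServerZone -Name $RootZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RootZone -MasterServers $RootDns -ReplicationScope 'Forest'
}
Set-DnsServerConditionalForwarderZone -Name $RootZone -MasterServers $RootDns -UseRecursion $false

# Check 1: the parent zone must delegate this child. Ask the root DC directly
# with recursion off so the reply reflects only what corp.example itself holds
# (the NS records of the delegation, returned in the Authority section).
$delegation = Resolve-DnsName -Name $ChildZone -Type NS -Server $RootDns -DnsOnly -NoRecursion -ErrorAction Stop |
    Where-Object Type -eq 'NS'
if (-not $delegation) { throw "No NS delegation for $ChildZone in $RootZone on $RootDns" }
$delegation | Format-Table Name, Section, NameHost -AutoSize

# Check 2: resolution through the new conditional forwarder, end to end.
# Every AD domain publishes this SRV record, so it is a safe probe name.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RootZone" -Type SRV -Server 127.0.0.1 -DnsOnly -ErrorAction Stop |
    Where-Object Type -eq 'SRV' | Format-Table Name, NameTarget, Port -AutoSize
```

If check 1 throws, the problem is in the parent zone (Kevin's point: the child must be delegated there) and no forwarder setting on the child will fix it. If check 1 passes but check 2 fails, the forwarder itself is not reaching 10.0.0.10, which is where the firewall discussion later in the thread comes in.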
Padraig (Guest)
Posted: Wed Oct 19, 2005 12:50 pm
Subject: Re: urgent-DNS forwarder problem
Hey Guys.
Thanks for the help so far.
There is a firewall between my DCs and the root domain which I'm a little
suspicious of; unfortunately I don't have access.
Using nslookup I've tried connecting to DNS servers in domains on the other
side of this firewall and also to the root domain DC. Each time I get a DNS
request timed out.
When I try to resolve servers in the other domains, I get
"Domain non-existent" from nslookup.
"Ace Fekay [MVP]" wrote:
> In news:C207CFF4-FC39-46A3-BE96-89BB9A1AB4BA@microsoft.com,
> Padraig <Padraig@discussions.microsoft.com> made this post, which I then
> commented about below:
> > Hi,
> > I've recently inherited a child domain containing 4 DCs that is part
> > of a global forest containing approx 20 other child domains.
> > I am experiencing a very strange problem as follows:
> > My DNS is AD integrated.
> > 3 of my 4 domain controllers are unable to resolve addresses outside
> > of the child domain for other child domains or for the forest root
> > domain.
> > The forwarder config on all DNS servers is identical and contains two
> > options:
> > 1. All other DNS domains: goes to the ISP firewall
> > 2. Root domain name: goes to the forest root DC.
> > All DCs can resolve external internet addresses perfectly.
> > Help please... I'm going nuts
> Is the forest root DC/DNS operational or any errors on it? Any firewall in
> place?
> How are you trying to resolve the other domains, by FQDN or by NetBIOS name?
> WINS in place?
> For forwarding, we usually check off "Do not use recursion" under the
> forwarding tab so it forces DNS not to use the root hints and only use the
> forwarder to go to the parent DNS.
> But if you are connecting by single name (NetBIOS), and the domain is in a
> different physical subnet, then WINS is required and the forwarder will
> fail. The reason is the local DNS resolver will devolve the name based on
> the search suffix listed on a machine. In a child scenario, the search
> suffix is the child.domain.com name, as well as the domain.com parent name;
> that's it, unless you've populated that manually or by script on every
> child domain's machine. If the search suffixes for the other domains are not
> listed in the machine, then a single-name lookup won't work to another
> child, but FQDN will, unless you have WINS.
Ace Fekay [MVP] (Guest)
Posted: Wed Oct 19, 2005 4:51 pm
Subject: Re: urgent-DNS forwarder problem
In news:7FA71F77-3474-43C0-9646-5C022C12B86E@microsoft.com,
Padraig <Padraig@discussions.microsoft.com> made this post, which I then
commented about below:
> Hey Guys.
> Thanks for the help so far.
> There is a firewall between my DCs and the root domain which I'm a
> little suspicious of; unfortunately I don't have access.
> Using nslookup I've tried connecting to DNS servers in domains on the
> other side of this firewall and also to the root domain DC. Each time
> I get a DNS request timed out.
> When I try to resolve servers in the other domains, I get
> "Domain non-existent" from nslookup.
"Domain non-existent" from nslookup is a message saying it can't find your
DNS server's IP address in your reverse zone. Don't have a reverse zone?
Create one and a PTR for the server and the message will disappear.
For resolution, DNS uses TCP 53 and UDP 53. Are they allowed through the
firewall?
More importantly, there are 29 ports that need to be opened in a firewall to
allow AD replication. You will need to find out from the firewall admins how
it's set up.
But this could be a forwarding configuration issue, and nothing more,
provided full access is allowed through the wall.
Ace
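Ace's two points above, that nslookup's "Non-existent domain" comes from a failed reverse lookup of the server you pointed it at, while a dropped UDP or TCP 53 shows up as a timeout, as an added PowerShell probe that is not part of the thread. The server addresses and zone names are assumptions, and the Win32 error-code map is an assumption about what Resolve-DnsName surfaces in NativeErrorCode; the script separates the harmless missing PTR from a blocked transport and tests UDP 53 and TCP 53 independently, which nslookup alone does not do.

```powershell
# Added example, not from the thread. Assumed: the forest-root DNS at
# 10.0.0.10 and a sibling child's DNS at 10.0.1.10 sit behind the firewall.
# Run on an affected child DC. Each row answers three questions nslookup
# blurs together: is the missing answer just the server's own PTR, is the
# query timing out over UDP, and does the same query succeed over TCP?
$Targets = @(
    @{ Server = '10.0.0.10'; Zone = 'corp.example' },
    @{ Server = '10.0.1.10'; Zone = 'apac.corp.example' }
)

# Win32 error codes Resolve-DnsName raises as Win32Exception.NativeErrorCode
# (assumed map; anything else is reported by code and message text).
$ErrorNames = @{ 1460 = 'TIMEOUT'; 9002 = 'SERVFAIL'; 9003 = 'NXDOMAIN'; 9005 = 'REFUSED' }

function Invoke-DnsProbe {
    # One query against one server; UDP by default, TCP 53 with -Tcp.
    # -DnsOnly keeps LLMNR/NetBIOS and the hosts file out of the result.
    param([string]$Name, [string]$Type, [string]$Server, [switch]$Tcp)
    $opts = @{ Name = $Name; Type = $Type; Server = $Server; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Tcp) { $opts.TcpOnly = $true }
    try {
        $records = Resolve-DnsName @opts | Where-Object Type -eq $Type
        if ($records) { return 'OK' } else { return 'NOERROR (no data)' }
    } catch {
        $code = [int]$_.Exception.NativeErrorCode
        if ($ErrorNames.ContainsKey($code)) { return $ErrorNames[$code] }
        return "ERROR $code : $($_.Exception.Message)"
    }
}

foreach ($t in $Targets) {
    $srv    = $t.Server
    $ptr    = ($srv.Split('.')[3..0] -join '.') + '.in-addr.arpa'   # IPv4 only
    $srvRec = "_ldap._tcp.dc._msdcs.$($t.Zone)"                     # exists in every AD domain
    [pscustomobject]@{
        Server      = $srv
        # nslookup's start-up check: the PTR for the server's own address, asked of that server
        ReverseSelf = Invoke-DnsProbe -Name $ptr -Type PTR -Server $srv
        # the real question over UDP 53 (Resolve-DnsName's default transport)
        UdpQuery    = Invoke-DnsProbe -Name $srvRec -Type SRV -Server $srv
        # the same question forced over TCP 53
        TcpQuery    = Invoke-DnsProbe -Name $srvRec -Type SRV -Server $srv -Tcp
        # raw reachability of TCP 53, independent of any DNS answer
        Tcp53Open   = (Test-NetConnection -ComputerName $srv -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}
```

Read each row across: ReverseSelf NXDOMAIN with UdpQuery OK is only the missing PTR Ace mentions and is harmless; UdpQuery TIMEOUT with TcpQuery OK and Tcp53Open True is the signature of a firewall dropping UDP 53, which is what Padraig eventually found; all three failing with Tcp53Open False means nothing reaches the server at all. The Windows resolver only retries over TCP when a UDP reply arrives truncated, never when UDP simply times out, so a UDP-only block looks like a dead server to nslookup.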
Padraig (Guest)
Posted: Thu Oct 20, 2005 8:50 am
Subject: Re: urgent-DNS forwarder problem
Hi Ace,
Thanks, I isolated the problem down to the firewall rules for UDP traffic.
Everything is running sweet again.
Do you have a link for the 29 AD ports? It would be really useful.
"Ace Fekay [MVP]" wrote:
> In news:7FA71F77-3474-43C0-9646-5C022C12B86E@microsoft.com,
> Padraig <Padraig@discussions.microsoft.com> made this post, which I then
> commented about below:
> > Hey Guys.
> > Thanks for the help so far.
> > There is a firewall between my DCs and the root domain which I'm a
> > little suspicious of; unfortunately I don't have access.
> > Using nslookup I've tried connecting to DNS servers in domains on the
> > other side of this firewall and also to the root domain DC. Each time
> > I get a DNS request timed out.
> > When I try to resolve servers in the other domains, I get
> > "Domain non-existent" from nslookup.
> "Domain non-existent" from nslookup is a message saying it can't find your
> DNS server's IP address in your reverse zone. Don't have a reverse zone?
> Create one and a PTR for the server and the message will disappear.
> For resolution, DNS uses TCP 53 and UDP 53. Are they allowed through the
> firewall?
> More importantly, there are 29 ports that need to be opened in a firewall to
> allow AD replication. You will need to find out from the firewall admins how
> it's set up.
> But this could be a forwarding configuration issue, and nothing more,
> provided full access is allowed through the wall.
> Ace
Ace Fekay [MVP] (Guest)
Posted: Thu Oct 20, 2005 4:50 pm
Subject: Re: urgent-DNS forwarder problem
In news:F74FD7D5-0D57-4219-A567-EBDAF770D88E@microsoft.com,
Padraig <Padraig@discussions.microsoft.com> made this post, which I then
commented about below:
> Hi Ace,
> Thanks, I isolated the problem down to the firewall rules for UDP
> traffic. Everything is running sweet again.
> Do you have a link for the 29 AD ports? It would be really useful.
179442 - How to Configure a Firewall for Domains and Trusts:
http://support.microsoft.com/?id=179442
Padraig (Guest)
Posted: Thu Oct 20, 2005 4:50 pm
Subject: RE: Oops, hit send too soon. Read these firewall related art
Thanks Ace... that's perfect
Ace Fekay [MVP] (Guest)
Posted: Thu Oct 20, 2005 4:50 pm
Subject: Re: Oops, hit send too soon. Read these firewall related art
In news:B991CCC6-C40B-4AF5-8028-662A55233852@microsoft.com,
Padraig <Padraig@discussions.microsoft.com> made this post, which I then
commented about below:
> Thanks Ace... that's perfect
You're welcome!
Ace