
DNS misunderstanding problem

Discussion in 'Active Directory Exams' started by lifeisshortmove, Jun 27, 2011.

  1. lifeisshortmove

    lifeisshortmove Bit Poster

    The situation is as follows: I am trying to add a new tree domain to an existing forest, so I am using dcpromo to create the tree root domain. The name of the forest root domain is testlab.com.

    IP configuration for the forest root domain DC1
    IP: 192.168.1.2
    Subnet Mask: 255.255.255.0
    Default Gateway: -
    Preferred DNS: 192.168.1.2
    Secondary DNS: -

    IP configuration for the new tree root domain DC2
    IP: 192.168.1.3
    Subnet Mask: 255.255.255.0
    Default Gateway: -
    Preferred DNS: 192.168.1.3
    Secondary DNS: 192.168.1.2

    Now in the image below (trying to create the new tree):

    http://imageshack.us...837/picewp.jpg/

    According to my understanding of DNS, the computer won't go to the secondary DNS server unless it cannot contact the preferred DNS server. So in this case it can contact 192.168.1.3 (itself), which does not have any zones configured. It should show an error message and not try to contact the secondary DNS server. But that does not happen. Can you explain it to me?

    According to my understanding of DNS, I must create a secondary DNS zone on DC2 in order to add a new tree to the forest or change its preferred DNS server to be DC1 not itself.
     
  2. dales

    dales Gigabyte Poster

    AFAIK (just getting to this bit of my 640 book), when you create trees in forests they are trusted by others in the forest but not set up for trusted actions. So it may be a permissions issue: something in one domain is not allowed to query the DNS of another!?!?! What do the DNS event logs of each DC and the client say?

    I did have a much longer post all set, but I pressed "Reply to Thread" again by accident. BTW I cannot see your linked image, so sorry if that discounts my wild theory straight away.
     
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
  3. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    lifeisshortmove, you have posted various threads over the last week or so but never responded to anyone who has replied to your questions/problems.

    Some of your questions look like homework; we can't do your homework for you.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  4. lifeisshortmove

    lifeisshortmove Bit Poster

    greenbrucelee, this is not homework at all. Those are not exam or lab questions. The questions here are either problems I have faced while using VMs or things I could not find an explanation for and want somebody to help me with.

    Considering this problem again, my understanding of DNS is that a DNS client connects to the secondary DNS IP address (in its IP configuration) ONLY if it cannot contact the first DNS IP address (i.e. the preferred DNS). So in this case it's configured to point to itself, which does not have any DNS zones, and it went to the secondary DNS server IP to resolve it. How come?

    About replying, sometimes, I get an answer for a different question. For example, I am talking about a DNS problem but "dales" is talking about trusts and permissions. What should I say?
     
  5. sheepluv

    sheepluv Byte Poster

    Because it cannot resolve the address, it tries the next server. Maybe the client would give up if it had the same zone/domain but not the actual record (?), but as it is it will definitely go to the next DNS server when empty. I suggest doing some research when confused -

    Configuring Multiple IP Addresses and Gateways

    You can specify up to three servers to use for DNS resolution. These servers are used in priority order. If the first server can't resolve a particular host name, DNS attempts to use the next server on the list. If this server fails to resolve the name, the next server is used, and so on. To change the position of a server in the list box, click on it and then use the Up or Down button.

    DNS has permissions (when AD integrated); he was being helpful and giving you a possible cause of the problem. If one domain does not trust another / does not have permission, then DNS won't resolve.
     
    Last edited: Jun 27, 2011
    Certifications: CCNA | HND | 70-646
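The fallback described in this answer is client-side behaviour: a stub resolver walks its configured server list in order and moves on whenever a server cannot help, not only when it is unreachable. The following script is an added example written for this thread, not code from any poster or from Microsoft. It builds a raw A query, reads the RCODE of the reply, and applies a common stub-resolver rule (timeout, malformed reply, SERVFAIL or REFUSED mean "try the next server"; NOERROR or NXDOMAIN are final answers). The exact Windows DNS Client rules are more involved than this, so treat the rule as an assumption. The `lab_send` transport is a constructed stand-in for the two DCs in the original post (DC2 at 192.168.1.3 with no zones, DC1 at 192.168.1.2 authoritative for testlab.com), so the script runs offline; `udp_send` is the real transport if you want to point it at a lab server.

```python
import random
import socket
import struct

# DNS RCODE values (RFC 1035, section 4.1.1)
NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}

def build_query(name, txid, qtype=1):
    """Build a minimal recursion-desired query (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_response(data, txid):
    """Return (rcode, answer_count) from a response header; reject junk."""
    if len(data) < 12:
        raise ValueError("truncated header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("not a response")
    return flags & 0x000F, ancount

def udp_send(server, packet, timeout=2.0):
    """Real transport: one UDP datagram to port 53, None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, 53))
            return sock.recv(512)
        except socket.timeout:
            return None

def resolve_with_fallback(name, servers, send=udp_send):
    """Walk the configured server list in order, the way a stub resolver does.

    Assumed rule: a timeout, a malformed reply, SERVFAIL or REFUSED all mean
    "this server could not help", so the next server is tried. NOERROR and
    NXDOMAIN are real answers (positive or negative) and end the search.
    Returns (answering_server_or_None, rcode_or_None, answer_count, trace).
    """
    trace = []
    for server in servers:
        txid = random.randrange(0, 0x10000)
        reply = send(server, build_query(name, txid))
        if reply is None:
            trace.append((server, "timeout"))
            continue
        try:
            rcode, ancount = parse_response(reply, txid)
        except ValueError as exc:
            trace.append((server, f"bad reply: {exc}"))
            continue
        trace.append((server, RCODE_NAMES.get(rcode, str(rcode))))
        if rcode in (SERVFAIL, REFUSED):
            continue
        return server, rcode, ancount, trace
    return None, None, 0, trace

# --- Constructed lab stand-in for the two DCs in the thread (no network) ---
def lab_send(server, packet):
    """Fake transport: DC2 (no zones) answers SERVFAIL, DC1 answers the A record."""
    txid = struct.unpack("!H", packet[:2])[0]
    question = packet[12:]  # echo the question section back
    if server == "192.168.1.3":  # DC2: DNS running, but no zones and no forwarders
        return struct.pack("!HHHHHH", txid, 0x8180 | SERVFAIL, 1, 0, 0, 0) + question
    if server == "192.168.1.2":  # DC1: authoritative for testlab.com
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
                  + bytes([192, 168, 1, 2]))  # name ptr, A, IN, TTL, rdlen, rdata
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer
    return None  # any other address stays silent, i.e. a timeout

def demo():
    """DC2's own server list from the thread: itself first, DC1 second."""
    return resolve_with_fallback("testlab.com", ["192.168.1.3", "192.168.1.2"],
                                 send=lab_send)

if __name__ == "__main__":
    server, rcode, count, trace = demo()
    for step in trace:
        print("%-12s %s" % step)
    print("answered by", server, RCODE_NAMES[rcode], "answers:", count)
```

The trace makes the point of the thread visible: DC2 is reachable and answers, but its answer is SERVFAIL, so the client goes on to DC1 and gets the record. From the client's point of view a zoneless DNS server and a dead one look alike, which is why the secondary entry "worked" even though the preferred server was up.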
  6. dales

    dales Gigabyte Poster

    Thanks for that, it was just a wild guess but a sensible one to my little brain. I still cannot see the imageshack link. It would be worth trying to resolve from a client in one tree to the problem DNS server in the other and checking what the DNS event logs say. Also nslookup will provide quite a lot of handy information in this query, I'm sure.
     
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
  7. lifeisshortmove

    lifeisshortmove Bit Poster

    Thanks a lot, sheepluv for your reply. That was my question.

    Sorry, Dale, I'm still a newbie and I did not get your idea :).

    Last thing: why, while troubleshooting, do we go directly to nslookup and not the ping command to test whether DNS is working or not? According to the name resolution process mentioned in the MOC, it's as follows:

    1) Client Resolver Cache (that involves the hosts file)
    2) DNS server
    3) NetBIOS Name Cache
    4) WINS
    5) Broadcast
    6) LMHOSTS file
     
    Last edited: Jun 27, 2011
  8. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    Because it's more detailed than ping. Most of the time you would use dig these days instead of nslookup.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  9. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    Not in Windows you wouldn't. DIG is not included in Windows, so most people (including me) would still use nslookup locally unless I really need some of the capabilities in DIG for a local DNS check,
    although for remote connectivity tests I tend to SSH into a Linux or Mac and can use DIG to my heart's content; that's not really what most people have the luxury of doing.
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  10. zebulebu

    zebulebu Terabyte Poster

    I use this when I can't be arsed to fire up a Linux box and want to get more detailed info than nslookup gives me.
     
    Certifications: A few
    WIP: None - f*** 'em
  11. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    Me too Zeb :)
    Can't use that on most of my clients' systems though ;)
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  12. lifeisshortmove

    lifeisshortmove Bit Poster

    Ok, to be CLEAR: if I ping a client by name and it works, does that mean that DNS name resolution works correctly? Some say yes and others say NO, because DNS may have a problem and it resolves the name using NetBIOS. Thus they don't use the ping command to troubleshoot DNS problems. What do you think?
     
  13. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    DNS could be cached, or the name could be in the hosts file.
    nslookup lets you check against your local DNS server (or a remote one if you want) for the resolution.
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
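The reason a successful ping says little about the DNS server is that the first step of the order quoted from the MOC above is satisfied locally. As an added example for this thread (not code from any poster), the script below parses a hosts file the way the resolver reads it (first match wins, comments and aliases handled, names compared case-insensitively) and reports which local step would answer a name before any DNS server is asked. Only the hosts-file and resolver-cache steps are modelled; the NetBIOS, WINS, broadcast and LMHOSTS steps from the list are not. The `SAMPLE_HOSTS` text and the `resolver_cache` dictionary are constructed stand-ins, and the function names are my own.

```python
import ipaddress
import re

def parse_hosts(text):
    """Parse hosts-file text into an ordered list of (ip, [names]) entries.

    Handles '#' comments, blank lines, several aliases per line, and both
    IPv4 and IPv6 addresses; malformed lines are skipped, as the OS does.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])  # rejects junk first fields
        except ValueError:
            continue
        names = [n.lower().rstrip(".") for n in fields[1:]]
        if names:
            entries.append((str(ip), names))
    return entries

def hosts_lookup(entries, name):
    """First matching entry wins, which is how the resolver reads the file."""
    wanted = name.lower().rstrip(".")
    for ip, names in entries:
        if wanted in names:
            return ip
    return None

def where_is_it_answered(name, hosts_text, resolver_cache):
    """Report which step of the client-side order would satisfy a ping.

    resolver_cache is a dict of name -> ip standing in for the DNS client
    cache (constructed for this example). Anything not found locally goes
    to the DNS server, and only that step says anything about the server.
    """
    ip = hosts_lookup(parse_hosts(hosts_text), name)
    if ip is not None:
        return ("hosts file", ip)
    ip = resolver_cache.get(name.lower().rstrip("."))
    if ip is not None:
        return ("resolver cache", ip)
    return ("DNS server query", None)

# Constructed sample hosts file for the lab in the thread (not a real file)
SAMPLE_HOSTS = """\
# sample entries, constructed for this example
127.0.0.1       localhost
::1             localhost
192.168.1.2     dc1.testlab.com   dc1    # added by hand during the lab
not-an-ip       broken.example           # malformed line, ignored
"""

if __name__ == "__main__":
    cache = {"dc2.testlab.com": "192.168.1.3"}  # constructed cache contents
    for host in ("dc1", "dc2.testlab.com", "dc3.testlab.com"):
        step, ip = where_is_it_answered(host, SAMPLE_HOSTS, cache)
        print(f"{host:18} -> {step}" + (f" ({ip})" if ip else ""))
```

In this constructed lab, pinging `dc1` succeeds without the DNS server ever being consulted, and `dc2.testlab.com` is served from the cache; only `dc3.testlab.com` would actually exercise the server. That is the gap nslookup closes, since it sends the query straight to the server you name and ignores the hosts file and the local cache.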
  14. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    Yup, nslookup is fine for some quick DNS troubleshooting.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
