Problem trusting another forest.

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Problem trusting another forest.

    I have two forests which I need to create a trust between, but I think I am having DNS issues as I cannot ping each forest from the other. The forests are "scl.signet.com.au" & "arrowcorp.arrowpharma.com".

    On the PDC for the SCL domain/forest, I setup forwarding by highlighting the servername and clicking on the properties item for the "Forwarders" item. On the Forwarders tab, in the DNS Domain box, I added "arrowcorp.arrowpharma.com" and put in the IP 192.168.101.150. I even tried to simply add the IP 192.168.101.150 to the "All other DNS domains" item but still nothing.

    On the PDC for the Arrow domain/forest, I setup forwarding by highlighting the servername and clicking on the properties item for the "Forwarders" item. On the Forwarders tab, in the DNS Domain box, I added "scl.signet.com.au" and put in the IP 10.3.0.50.

    I still cannot ping the other forest/domain names from the respectively opposite PDC. I can, though, ping the respectively opposite PDC via IP for both. So while in the SCL domain, I can ping 192.168.101.150 and while in the Arrow domain, I can ping 10.3.0.50.

    Both forests are at the Windows 2003 functional level.

    What else can I do to fix the DNS issue?
    -- JDMils, Regional Systems Engineer, DotNet programmer & Jack of all trades

  • #2
    Re: Problem trusting another forest.

    I don't know what's causing the problem but here are two ideas:

    1. Does the DNS service need to be stopped and restarted, or do you need to run ipconfig /flushdns on each DC?

    2. Install Microsoft Network Monitor 3 on each DC and start a capture filtering on DNS, then ping each FQDN from each DC and look at the capture. It should show you where the DNS queries are going and help you find the problem.

    • #3
      Re: Problem trusting another forest.

      Thanks JoeQ. Already tried restarting the DNS services but nothing yet. I've installed MS NM3 but am trying to figure out how to set up capture criteria which will:

      * Capture only traffic from 192.168.xxx.xxx
      * Capture only DNS to 10.3.0.50

      Any pointers?
      -- JDMils, Regional Systems Engineer, DotNet programmer & Jack of all trades

      • #4
        Re: Problem trusting another forest.

        Sorry, I read wrongly.

        What happens if you set up a secondary zone that pulls the information from the other site? Or even setting up a stub zone.

        What are the results of a ping -a on both sides?

        Have you set up a trust for these yet?
        Last edited by wullieb1; 18th March 2008, 07:27.

        • #5
          Re: Problem trusting another forest.

          Your filter would be (on the capture filter tab):

          DNS

          IPv4.Address == 192.168.0.100 AND IPv4.Address == 192.168.0.200

          Put your IP addresses in, don't forget to click the Apply button, then switch to the Display Filter tab and start the capture.

          But I would recommend not filtering on the ip addresses initially in case the DNS queries are going somewhere else. I would filter only on DNS to see what queries are being sent and where.
          Last edited by joeqwerty; 18th March 2008, 12:28.

          • #6
            Re: Problem trusting another forest.

            Originally posted by wullieb1:
            Sorry, I read wrongly.

            What happens if you set up a secondary zone that pulls the information from the other site? Or even setting up a stub zone.

            What are the results of a ping -a on both sides?

            Have you set up a trust for these yet?
            Neither ping -a nor a trust will work until I have DNS flowing between the sites/forests. This is my problem!
            -- JDMils, Regional Systems Engineer, DotNet programmer & Jack of all trades

            • #7
              Re: Problem trusting another forest.

              JoeQwerty,

              Not getting any DNS from the Arrow domain. I just don't know where to start looking to see where it stops. It's not like we have a TRACERT for DNS!

              Thanks.
              -- JDMils, Regional Systems Engineer, DotNet programmer & Jack of all trades

              • #8
                Re: Problem trusting another forest.

                So if you're running netmon on the Arrow DC, pinging the SCL domain and filtering your capture for only DNS, you don't see any DNS queries issued by the Arrow DC?

                • #9
                  Re: Problem trusting another forest.

                  As per your request, the results are attached. I've also attached the IP Config for the Arrow DC:
                  C:\>ipconfig /all

                  Windows IP Configuration

                  Host Name . . . . . . . . . . . . : ARRSVR20
                  Primary Dns Suffix . . . . . . . : arrowcorp.arrowpharma.com
                  Node Type . . . . . . . . . . . . : Unknown
                  IP Routing Enabled. . . . . . . . : Yes
                  WINS Proxy Enabled. . . . . . . . : Yes
                  DNS Suffix Search List. . . . . . : arrowcorp.arrowpharma.com
                  arrowpharma.com

                  Ethernet adapter Public:

                  Connection-specific DNS Suffix . :
                  Description . . . . . . . . . . . : VMware PCI Ethernet Adapter
                  Physical Address. . . . . . . . . : 00-0C-29-82-B8-1E
                  DHCP Enabled. . . . . . . . . . . : No
                  IP Address. . . . . . . . . . . . : 192.168.101.62
                  Subnet Mask . . . . . . . . . . . : 255.255.254.0
                  IP Address. . . . . . . . . . . . : 192.168.101.150
                  Subnet Mask . . . . . . . . . . . : 255.255.254.0
                  Default Gateway . . . . . . . . . : 192.168.101.254
                  DNS Servers . . . . . . . . . . . : 192.168.101.150
                  192.168.101.65
                  Primary WINS Server . . . . . . . : 192.168.101.151
                  Secondary WINS Server . . . . . . : 192.168.101.65

                  C:\>
                  Thanks!
                  -- JDMils, Regional Systems Engineer, DotNet programmer & Jack of all trades

                  • #10
                    Re: Problem trusting another forest.

                    Would it be possible for you to post the actual trace file so that I can open it in netmon and look at it?

                    • #11
                      Re: Problem trusting another forest.

                      Thanks JoeQwerty for your time here. I didn't keep the capture file so I redid the capture, but this time at the same time on both servers, which does show DNS traffic from either forest getting through! Now I just need to figure out why DNS lookups are not resolving on each end.

                      Details:
                      Our forest: SCL.signet.com.au
                      Our PDC: CLA-DC1 [DHCP, DNS]
                      Our DC's IP: 10.3.0.50

                      The other forest: arrowcorp.arrowpharma.com
                      The other PDC: ARRSVR20
                      The other DC's IP: 192.168.101.150
                      -- JDMils, Regional Systems Engineer, DotNet programmer & Jack of all trades
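The "TRACERT for DNS" asked for in #7, built from the names and addresses listed in this post; this is an added example, not something posted in the thread. It is a .cmd script run from a command prompt on CLA-DC1 that uses nslookup (present on Windows 2003) to test each hop of the resolution path on its own: the remote DNS server queried directly, the local server's conditional forwarder, the SRV records a forest trust needs, and the return path. The zone names and addresses come from the thread; ARRSVR20.arrowcorp.arrowpharma.com is assumed to be the remote DC's FQDN.

```batch
@echo off
rem Added example, not from the thread. Run on CLA-DC1; to run the same
rem checks from ARRSVR20 swap the LOCAL/REMOTE values and the zone names.
set LOCAL_DNS=10.3.0.50
set REMOTE_DNS=192.168.101.150
set LOCAL_ZONE=scl.signet.com.au
set REMOTE_ZONE=arrowcorp.arrowpharma.com
set REMOTE_DC=ARRSVR20.%REMOTE_ZONE%
rem nslookup first reverse-resolves the server address for display; a
rem "Can't find server name for address" line is that lookup, not the test.

echo === Hop 1: does the remote DNS server answer across the WAN at all?
rem Asks 192.168.101.150 directly for its own zone, bypassing every forwarder.
rem A timeout here means UDP/TCP 53 is not reaching the remote DNS service
rem (routing, filtering or the service itself), so no forwarder can work.
nslookup -type=SOA %REMOTE_ZONE% %REMOTE_DNS%

echo === Hop 2: does the local server forward the same question?
rem The same query sent to 10.3.0.50 should come back with the same SOA
rem (marked non-authoritative). If hop 1 works but this says "Non-existent
rem domain" or times out, the conditional forwarder on the local server is
rem wrong or is not being used.
nslookup -type=SOA %REMOTE_ZONE% %LOCAL_DNS%

echo === Hop 3: the records the trust wizard actually needs
rem The SRV record that locates a domain controller in the remote forest,
rem then the A record of the DC it points to.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%REMOTE_ZONE% %LOCAL_DNS%
nslookup -type=A %REMOTE_DC% %LOCAL_DNS%

echo === Hop 4: the return path, as the remote side sees us
rem Asks the remote server for our zone, which exercises its forwarder
rem back to 10.3.0.50. A failure here is on the other server, not ours.
nslookup -type=SOA %LOCAL_ZONE% %REMOTE_DNS%
```

The first hop that fails is where resolution stops, which is the information a packet capture filtered on DNS would otherwise have to be read to find.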

                      • #12
                        Re: Problem trusting another forest.

                        Well I started crafting a response after looking at both traces but there were too many things that didn't make sense. So here are a few questions:

                        Is each DNS server authoritative for both the parent and child domains?

                        Does each DNS server use itself for DNS?

                        Are you using forwarders (other than the conditional forwarders you set up for each respective domain)?

                        Are there other DNS servers? If so, do they point to themselves for DNS or to the other DNS server?

                        Do you have reverse lookup zones set up on each DNS server for their respective subnets?

                        Do the DNS servers accept dynamic updates from client machines?

                        Is there a firewall or ACL that blocks any DNS traffic from one forest (network) to or from the other?

                        • #13
                          Re: Problem trusting another forest.

                          Originally posted by joeqwerty:
                          Is each DNS server authoritative for both the parent and child domains?
                          Each of the forests has one domain each. Both servers are the authoritative DNS servers for the respective forest/domain.

                          Does each DNS server use itself for DNS?
                          Yes. The network settings for DNS are to itself first using its public IP (not localhost) then a secondary server.

                          Are you using forwarders (other than the conditional forwarders you set up for each respective domain)?
                          See thumbnails below....

                          Are there other DNS servers? If so, do they point to themselves for DNS or to the other DNS server?
                          On the SCL domain, there are numerous DNS servers in the remote sites that all point to themselves. In the local site (HO), there is a Unix DNS server 10.3.0.64 which is the proxy to the internet.

                          Do you have reverse lookup zones set up on each DNS server for their respective subnets?
                          Yes.

                          Do the DNS servers accept dynamic updates from client machines?
                          Dynamic Updates is set to "Secure Only".

                          Is there a firewall or ACL that blocks any DNS traffic from one forest (network) to or from the other?
                          NO. The sites are connected via a WAN with no restrictions.
                          Last edited by JDMils; 20th March 2008, 03:42.
                          -- JDMils, Regional Systems Engineer, DotNet programmer & Jack of all trades

                          • #14
                            Re: Problem trusting another forest.

                            Ok, now I understand some of the stuff I was seeing in your trace files. Would you be able to (as a test):

                            1. Set each DNS server to use itself using its internal address instead of its public address.

                            2. On the ARRSVR20 server remove the 10.3.0.50 forwarder entry (and optionally the 202 addresses which will force it to use the root hint servers for all other domains). Then add the 10.3.0.50 address only for the SCL.signet.com.au and signet.com.au domains.

                            3. On the CLA-DC1 server remove the 192.168.101.150 forwarder entry (and optionally the 10.3.0.64 address and force it to use the root hint servers for all other domains). Then add the 192.168.101.150 address only for the arrowcorp.arrowpharma.com and the arrowpharma.com domains.
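Steps 2 and 3 above written out as dnscmd commands, as an added example that is not part of the thread. dnscmd comes with the Windows Server 2003 Support Tools; in its terms a conditional forwarder (the "DNS domain" entries on the Forwarders tab) is a zone of type Forwarder, and the "All other DNS domains" list is the server-wide forwarder list set with /ResetForwarders. Step 1 is left out because which adapter address to use depends on the server's network configuration, and the ISP addresses are placeholders because the thread does not list them.

```batch
@echo off
rem Added example, not from the thread. The same script runs on both DCs and
rem picks its part from the computer name, so it cannot be run on the wrong one.
if /i "%COMPUTERNAME%"=="ARRSVR20" goto arrow
if /i "%COMPUTERNAME%"=="CLA-DC1" goto scl
echo %COMPUTERNAME% is not one of the two DCs, nothing changed.
goto :eof

:arrow
rem ---- ARRSVR20, arrowcorp.arrowpharma.com (192.168.101.150) ----
rem Step 2: forward only the SCL names to 10.3.0.50. If a zone of either
rem name already exists (a stub zone from an earlier attempt, say), remove it
rem first:   dnscmd /ZoneDelete scl.signet.com.au /f
dnscmd /ZoneAdd scl.signet.com.au /Forwarder 10.3.0.50
dnscmd /ZoneAdd signet.com.au /Forwarder 10.3.0.50
rem Take 10.3.0.50 out of the server-wide list. /ResetForwarders replaces the
rem whole list, so the ISP addresses (the "202" ones) must be repeated to keep
rem them; replace the two placeholders below with the real addresses first.
rem Giving no addresses at all clears the list and makes the server use root
rem hints, which needs outbound port 53 to the Internet.
set ISP_DNS=ISP_ADDR_1 ISP_ADDR_2
dnscmd /ResetForwarders %ISP_DNS%
goto verify

:scl
rem ---- CLA-DC1, scl.signet.com.au (10.3.0.50) ----
rem Step 3: forward only the Arrow names to 192.168.101.150; 10.3.0.64 (the
rem Unix proxy mentioned in #13) stays as the server-wide forwarder.
dnscmd /ZoneAdd arrowcorp.arrowpharma.com /Forwarder 192.168.101.150
dnscmd /ZoneAdd arrowpharma.com /Forwarder 192.168.101.150
dnscmd /ResetForwarders 10.3.0.64
goto verify

:verify
rem The other forest's names should now be listed as Forwarder zones and its
rem DC address should no longer appear in the server-wide forwarder list.
dnscmd /EnumZones
dnscmd /Info
```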

                            • #15
                              Re: Problem trusting another forest.

                              Question for you:

                              (and optionally the 202 addresses which will force it to use the root hint servers for all other domains)
                              I think these are the DNS addresses of the Arrow domain's ISP DNS servers. They have their own internet connection and I feel that removing the 202 addresses will hinder their ability to browse the net. Do you agree?

                              Then add the 10.3.0.50 address only for the SCL.signet.com.au and signet.com.au domains.
                              Sorry for my ignorance. I might have done this in the past but exactly what steps do I follow to do this?
                              -- JDMils, Regional Systems Engineer, DotNet programmer & Jack of all trades
