Missing NS record

  • Missing NS record

    I need to set a trust between two domains, one set on a 2000 server and the other on a 2003 server.
    Trying to do so, I get the 'domain x cannot be contacted' message.
    I have checked the DNS forward lookup zones on both domains.
    In the one on the 2000 server an NS record in the _msdcs folder for the local domain is missing and I suspect that it has to do with the problem.
    When running nslookup local domain on the DNS server it comes up with 'DNSserver can't find domain: Non-existent domain'
    Is there a way to create such a record? The option to create an NS record does not appear when right-clicking the folder and selecting the 'Other new records...' option.

    Cheers,

  • #2
    Re: Missing NS record

    > When running nslookup local domain on the DNS server it comes up with 'DNSserver can't find domain: Non-existent domain'

    A well-known bug in nslookup; this message is bogus. It just means that you have no reverse zone.

    How did you realize DNS connectivity between the domains? Forwarders, Secondaries, something else?



    • #3
      Re: Missing NS record

      Thanks for your reply wkasdo,
      I will check reverse zone.
      The whole problem started when I removed and reinstalled the terminal server (Jetro) service on one of the servers; prior to that all worked fine.
      Maybe it is just a coincidence....



      • #4
        Re: Missing NS record

        I have checked connectivity to child domains on both sides of the trust using nslookup and no problem there.
        There is a reverse lookup zone, but still no joy....
        When trying to create a new trust it comes up with "The Local Security Authority is unable to obtain an RPC connection to the domain controller..."



        • #5
          Re: Missing NS record

          Right. If DNS is OK (would still like to know how you did it!) now it is time to look elsewhere. For instance, are there any IP ports blocked between the two domains?

          This type of RPC error is almost always caused by bad DNS or network trouble.



          • #6
            Re: Missing NS record

            Since child domains on both sides see each other, does that not indicate that there is DNS connectivity or it is just me being daft here???
            I have checked the WatchGuard and could not find blocked ports.
            Comparing the DNS forward lookup zone for the domain in question to one that does have a successful trust, it seems that an NS record is missing. Does that have any implication?



            • #7
              Re: Missing NS record

              > Since child domains on both sides see each other, does that not indicate that there is DNS connectivity or it is just me being daft here???

              I don't have enough information to judge if your DNS setup is right or wrong. That is why I asked, I just wanted to make sure. If you are sure that it's fine, I'll take your word for it.

              > trust it seems as a NS record is missing.

              Should not be critical, although there is no good reason why it should be missing.

              If you are up for it, make a network trace of the failing trust process. Then, compare it to an example of setting up a working trust. If all else fails, this is the way to go.



              • #8
                Re: Missing NS record

                Fry - this is probably much too late to help you. Since this page is easily googled, I'll still reply with my findings so that others who find themselves in the same situation might be assisted.

                I recently configured a virtual environment in order to test some cross-forest applications for a client who is in the midst of a complex domain restructure. I built a Windows 2003 virtual machine, applied service pack 1, configured vmtools and then cloned the machine.

                I had until today assumed that a Win2k3 machine will receive a new SID during the DCPROMO operation. Not so. Since I had intended to use both these machines as DCs, I didn't sidwalk them. So they had identical SIDs. After promoting both machines to separate forests, I attempted to create a trust between them, but received the same error you reported from the domains and trusts MMC:

                "The Local Security Authority is unable to obtain an RPC connection to the domain controller..."

                I tested with RPCPing, and the relevant RPC ports appeared to be functional and unblocked.

                I considered the possibility that the error was caused by the SID unlikely, but after an hour of troubleshooting I had eliminated all other possibilities. I demoted one of the DCs, ran a sysprep, and repromoted it. The next time I attempted the trust creation, it worked.

                So... without having time to test further, it would appear that DCs exchange SID information during a trust setup (seems logical), and are unprepared for the existence of duplicate SIDs, resulting in the RPC connection failure.

                I hope this info helps someone out there - I sure could have used it.

                Ceejay
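
A check for the condition post #8 describes, added here as an example and not code from any poster in the thread: it decodes the binary `objectSid` value read from each domain's root object and reports domains that share one domain SID. It assumes the usual Windows behaviour that a new domain takes its SID from the machine SID of the first DC promoted into it; the domain names, SID values and function names are constructed for illustration.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (the layout of the AD objectSid attribute)."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def domain_sid(sid: str) -> str:
    """Return the S-1-5-21-x-y-z part of a domain SID or an account SID."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) not in (7, 8):
        raise ValueError("not a domain-relative SID: " + sid)
    return "-".join(parts[:7])

def find_duplicates(domains: dict) -> list:
    """Group domain names by domain SID and return the groups that collide."""
    by_sid = {}
    for name, raw in domains.items():
        by_sid.setdefault(domain_sid(sid_to_string(raw)), []).append(name)
    return [(sid, sorted(names)) for sid, names in by_sid.items() if len(names) > 1]

def make_sid(*subs: int) -> bytes:
    """Build a constructed binary SID under authority 5 (NT Authority)."""
    header = bytes([1, len(subs)]) + (5).to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)

# Constructed sample values, not taken from the thread.
SAMPLE = {
    "forest-a.example": make_sid(21, 1004336348, 1177238915, 682003330),
    "forest-b.example": make_sid(21, 1004336348, 1177238915, 682003330),  # clone
    "forest-c.example": make_sid(21, 3623811015, 3361044348, 30300820),
}

if __name__ == "__main__":
    for sid, names in find_duplicates(SAMPLE):
        print("duplicate domain SID", sid, "->", ", ".join(names))
```
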
