So here's what I think is happening, still awaiting confirmation from the other site admin. Everything you asked below is exactly how I'm set up. What I discovered is they have a dozen or so DNS servers at their main and other remote sites which are all connected via their MPLS links. I'm connecting in via a VPN tunnel. Pretty sure my VPN tunnel only has access to the core subnet where their main DNS is, which I'm already successfully exchanging zone information with. When their zone populates with their SRV records it loads all their DCs for all their sites, and they are all weighted equally. Therefore when I try to ping their "domain.local" I get random responses from the various DCs they have, most of which I can't connect to because I'm guessing the VPN tunnel isn't allowing traffic to any subnet other than the core. I've asked their admin to weight their SRV record for the core DCs higher than all the others and see if this fixes the problem.
________________________________
From: Ken Schaefer
Sent: Tuesday, March 05, 2013 5:06 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

Hi,

Can you please 100% confirm your DNS setup. The servers in question (b) and (d) are different, so when you say "answered above", I begin to worry that we're overlooking something.

- Are you saying that the DC in DomainA hosts a secondary copy of the DomainB zone?
- And that the DC in DomainB hosts a secondary copy of the DomainA zone?
- And that the DC in DomainA looks at itself for name resolution?
- And that the DC in DomainB also looks at itself for name resolution?

The above 4 are all separate, independent configuration options, and given that this should work, but isn't, we'd need to work through each item until we get to the point where we identify what the culprit is.

Cheers
Ken

From: N Parr
Sent: Wednesday, 6 March 2013 8:29 AM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

________________________________
From: Ken Schaefer
Sent: Tuesday, March 05, 2013 2:42 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

a) DomainA and DomainB are in separate Forests?
   - Yes

b) Where does the PDCe in DomainA look first for name resolution (itself? Another DNS server?)
   Itself (Secondary Forward Lookup Zones created on both sides)

c) The DNS server in (b) - how does it know where to send requests for DomainB? Does it host a secondary copy? You have configured forwarders? You have glue records?
   Hosts secondary Copy. Tried Forwarders but from what I'm reading you use either a zone or a forwarder, not both. I tried a forwarder anyway and it didn't make a difference. Glue Records? I don't think these come into play internally.

d) For the DC in DomainB where you are attempting to create the trust: where does it look for name resolution (itself? Another DNS server?)
   Can't get to the point of making a trust yet because domainB can't ping domainA.local

e) The DNS server in (d) - how does it know where to send requests for DomainA? Does it host a secondary copy? You have configured forwarders? You have glue records?
   Answered in C)

Cheers
Ken

From: N Parr
Sent: Wednesday, 6 March 2013 6:46 AM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

Domain B can't resolve Domain A. Can't ping domain.local or any host. And if we can't ping domain.local then we can't begin to create the trust. No errors in the event log.

________________________________
From: Andrew S. Baker
Sent: Tuesday, March 05, 2013 12:20 PM
To: NT System Admin Issues
Subject: Re: DNS settings for Trusts

Can you describe the type of lookup failures you are receiving?

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Tue, Mar 5, 2013 at 12:43 PM, N Parr wrote:

I'm having some issues getting DNS to resolve properly on a trust we are trying to set up and it doesn't make much sense why I'm having problems. Domain A can resolve everything on Domain B just fine but Domain B can't resolve Domain A. Both are 08 Domains. The zones are fully populated and there are no issues replicating records. All the ports are open across the VPN, I can telnet back and forth, I can ping any IP. According to this article I need to make sure my SRV and Host A records are properly created. But we didn't have to do this on Domain A to get it to work. Either way, where am I supposed to create these records? Under my primary Zone? It doesn't give any detail and my Google is failing me.

http://technet.microsoft.com/en-us/library/ee307976%28v=ws.10%29.aspx

Thanks
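The situation described in the most recent message at the top of the thread, as a simplified model added here (not part of the thread): under RFC 2782 a client tries the SRV targets with the lowest priority value first and picks among equal-priority targets in proportion to their weight. The record names, addresses and the 10.0.0.0/24 core subnet are constructed assumptions, and real DC location involves more than this one selection step.

```python
import ipaddress
from fractions import Fraction

# Constructed sample: SRV answers for _ldap._tcp.dc._msdcs.domain.local, each
# joined with its target's A record: (priority, weight, target, address).
SRV = [
    (0, 100, "core-dc1.domain.local", "10.0.0.10"),
    (0, 100, "core-dc2.domain.local", "10.0.0.11"),
    (0, 100, "site1-dc1.domain.local", "10.1.0.10"),
    (0, 100, "site2-dc1.domain.local", "10.2.0.10"),
    (0, 100, "site3-dc1.domain.local", "10.3.0.10"),
    (0, 100, "site4-dc1.domain.local", "10.4.0.10"),
]
# Assumption: the VPN tunnel only permits traffic to the core subnet.
VPN_ALLOWED = [ipaddress.ip_network("10.0.0.0/24")]


def reachable(address, allowed=VPN_ALLOWED):
    """True if the address falls inside a subnet the tunnel permits."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in allowed)


def first_pick_odds(records):
    """Chance that the first target chosen under RFC 2782 is reachable."""
    best = min(r[0] for r in records)          # lowest priority value wins
    group = [r for r in records if r[0] == best]
    total = sum(r[1] for r in group)
    if total == 0:                             # all-zero weights: equal chance
        return Fraction(sum(reachable(r[3]) for r in group), len(group))
    return Fraction(sum(r[1] for r in group if reachable(r[3])), total)


def adjust(records, core_weight=None, remote_priority=None):
    """Copy the records, changing core weights and/or non-core priorities."""
    out = []
    for prio, weight, target, address in records:
        if reachable(address) and core_weight is not None:
            weight = core_weight
        elif not reachable(address) and remote_priority is not None:
            prio = remote_priority
        out.append((prio, weight, target, address))
    return out


if __name__ == "__main__":
    print("as published:      ", first_pick_odds(SRV))
    print("core weight 200:   ", first_pick_odds(adjust(SRV, core_weight=200)))
    print("remote priority 10:", first_pick_odds(adjust(SRV, remote_priority=10)))
```

In this sample, doubling the core weights only moves the first-pick odds from 1/3 to 1/2, while giving the non-core records a higher priority value makes a core DC the first choice every time.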
