Inability to resolve names across domains

I posted a message on this issue a little over a week ago ("Name resolution
across domains"). I was not able to resolve it with the suggestion provided
(the Replication setting change would not stick). This is a more complete
description.

The two sites are in different states, connected via a IPSec VPN tunnel.

Installed Win 2K3 on the first server. Created a new forest and domain
(abc.fl.company.com). Also set up a DNS server as that was required to
create the forest and turn the machine into a domain controller. Added lots
of machines and accounts to the domain.

Install Win2k3 on the second server. Create a new parent domain
(def.nj.company.com) in an existing forest (abc.fl.company.com). Obviously
the new domain communicated with the existing domain over the VPN.

Now, from NJ I can ping any machine in FL by using a fully qualified name.
I can ping FLPC01 by pinging FLPC01.abc.fl.company.com. Of course, I can
ping by IP also.

The problem I'm having is that from FL I can only ping NJ by IP. So doing a
ping or nslookup on NJPC01.def.nj.company.com yields nothing. The name won'
t resolve. I'm guessing if that I would've created the forest on the NJ
server first, the problem would be reversed.

In checking the NJ DNS server, I see two forward lookup zone entries:
1. _msdcs.abc.fl.company.com (set to replicate to all DNS servers in Active
Directory forest abc.fl.company.com)
2. def.nj.company.com (set to replicate to all DOMAIN CONTROLLERS in Active
Directory domain def.nj.company.com).

In FL, the DNS server has two forward lookup zone entries also:
1. _msdcs.abc.fl.company.com (set to replicate to all DNS servers in Active
Directory forest abc.fl.company.com)
2. abc.fl.company.com (replicate to all DNS servers in Active Directory
domain abc.fl.company.com)

I believe the problem is in the replication setting for def.nj.company.com
(which is why it is absent in the FL DNS server). I've tried setting it to
all DNS servers in the forest, but every time I reboot the setting reverts
back.

Does anyone have any advice as to either how to get the Replication setting
to stick or another method to get these domains talking correctly?

Thanks
-joe

Instead of configuring each domain's DNS to forward to the other -- try
configured FL DNS as a secondary of NJ DNS, and visa-versa. This may serve
as a good workaround for you.

David Taylor

"Joe Ross" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I posted a message on this issue a little over a week ago ("Name
resolution
> across domains"). I was not able to resolve it with the suggestion
provided
> (the Replication setting change would not stick). This is a more complete
> description.
>
> The two sites are in different states, connected via a IPSec VPN tunnel.
>
> Installed Win 2K3 on the first server. Created a new forest and domain
> (abc.fl.company.com). Also set up a DNS server as that was required to
> create the forest and turn the machine into a domain controller. Added
lots
> of machines and accounts to the domain.
>
> Install Win2k3 on the second server. Create a new parent domain
> (def.nj.company.com) in an existing forest (abc.fl.company.com).
Obviously
> the new domain communicated with the existing domain over the VPN.
>
> Now, from NJ I can ping any machine in FL by using a fully qualified name.
> I can ping FLPC01 by pinging FLPC01.abc.fl.company.com. Of course, I can
> ping by IP also.
>
> The problem I'm having is that from FL I can only ping NJ by IP. So doing
a
> ping or nslookup on NJPC01.def.nj.company.com yields nothing. The name
won'
> t resolve. I'm guessing if that I would've created the forest on the NJ
> server first, the problem would be reversed.
>
> In checking the NJ DNS server, I see two forward lookup zone entries:
> 1. _msdcs.abc.fl.company.com (set to replicate to all DNS servers in
Active
> Directory forest abc.fl.company.com)
> 2. def.nj.company.com (set to replicate to all DOMAIN CONTROLLERS in
Active
> Directory domain def.nj.company.com).
>
> In FL, the DNS server has two forward lookup zone entries also:
> 1. _msdcs.abc.fl.company.com (set to replicate to all DNS servers in
Active
> Directory forest abc.fl.company.com)
> 2. abc.fl.company.com (replicate to all DNS servers in Active Directory
> domain abc.fl.company.com)
>
> I believe the problem is in the replication setting for def.nj.company.com
> (which is why it is absent in the FL DNS server). I've tried setting it
to
> all DNS servers in the forest, but every time I reboot the setting reverts
> back.
>
> Does anyone have any advice as to either how to get the Replication
setting
> to stick or another method to get these domains talking correctly?
>
> Thanks
> -joe
>
>

In FL DNS, add conditional forwarding for def.nj.company.com, forwading to
NJ DNS server.

Sharad

"Joe Ross" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I posted a message on this issue a little over a week ago ("Name
resolution
> across domains"). I was not able to resolve it with the suggestion
provided
> (the Replication setting change would not stick). This is a more complete
> description.
>
> The two sites are in different states, connected via a IPSec VPN tunnel.
>
> Installed Win 2K3 on the first server. Created a new forest and domain
> (abc.fl.company.com). Also set up a DNS server as that was required to
> create the forest and turn the machine into a domain controller. Added
lots
> of machines and accounts to the domain.
>
> Install Win2k3 on the second server. Create a new parent domain
> (def.nj.company.com) in an existing forest (abc.fl.company.com).
Obviously
> the new domain communicated with the existing domain over the VPN.
>
> Now, from NJ I can ping any machine in FL by using a fully qualified name.
> I can ping FLPC01 by pinging FLPC01.abc.fl.company.com. Of course, I can
> ping by IP also.
>
> The problem I'm having is that from FL I can only ping NJ by IP. So doing
a
> ping or nslookup on NJPC01.def.nj.company.com yields nothing. The name
won'
> t resolve. I'm guessing if that I would've created the forest on the NJ
> server first, the problem would be reversed.
>
> In checking the NJ DNS server, I see two forward lookup zone entries:
> 1. _msdcs.abc.fl.company.com (set to replicate to all DNS servers in
Active
> Directory forest abc.fl.company.com)
> 2. def.nj.company.com (set to replicate to all DOMAIN CONTROLLERS in
Active
> Directory domain def.nj.company.com).
>
> In FL, the DNS server has two forward lookup zone entries also:
> 1. _msdcs.abc.fl.company.com (set to replicate to all DNS servers in
Active
> Directory forest abc.fl.company.com)
> 2. abc.fl.company.com (replicate to all DNS servers in Active Directory
> domain abc.fl.company.com)
>
> I believe the problem is in the replication setting for def.nj.company.com
> (which is why it is absent in the FL DNS server). I've tried setting it
to
> all DNS servers in the forest, but every time I reboot the setting reverts
> back.
>
> Does anyone have any advice as to either how to get the Replication
setting
> to stick or another method to get these domains talking correctly?
>
> Thanks
> -joe
>
>

VPN links are very slow. Most likely your replication just isn't fully
completeing. Replication can create a fair amount of traffic and the VPN
link may not be able to stand up to it.

Maybe you might have been better with a Trust between two completely
separate Domains. You'd still have to cover DNS issues by possibly having
each DNS Server contain the other Domain's DNS as a "Forwarder" or something
like that, but it would not generate as much traffic over a slow link
because there would simply not be any replication going across it. Of
course your DNS NameSpace would not be "continuous" as it is now because
each Domain would have an independent namespace.

We have over 20 sites that span from Utah to Rhode Island (east-west) and
from Grand Rapids, MI to Puerto Rico (nort-south). It is all done by VPN
and works great. However each site's Domain is independent of all others and
each sites maintains it own unique DNS namespace.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Joe Ross" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I posted a message on this issue a little over a week ago ("Name
resolution
> across domains"). I was not able to resolve it with the suggestion
provided
> (the Replication setting change would not stick). This is a more complete
> description.
>
> The two sites are in different states, connected via a IPSec VPN tunnel.
>
> Installed Win 2K3 on the first server. Created a new forest and domain
> (abc.fl.company.com). Also set up a DNS server as that was required to
> create the forest and turn the machine into a domain controller. Added
lots
> of machines and accounts to the domain.
>
> Install Win2k3 on the second server. Create a new parent domain
> (def.nj.company.com) in an existing forest (abc.fl.company.com).
Obviously
> the new domain communicated with the existing domain over the VPN.
>
> Now, from NJ I can ping any machine in FL by using a fully qualified name.
> I can ping FLPC01 by pinging FLPC01.abc.fl.company.com. Of course, I can
> ping by IP also.
>
> The problem I'm having is that from FL I can only ping NJ by IP. So doing
a
> ping or nslookup on NJPC01.def.nj.company.com yields nothing. The name
won'
> t resolve. I'm guessing if that I would've created the forest on the NJ
> server first, the problem would be reversed.
>
> In checking the NJ DNS server, I see two forward lookup zone entries:
> 1. _msdcs.abc.fl.company.com (set to replicate to all DNS servers in
Active
> Directory forest abc.fl.company.com)
> 2. def.nj.company.com (set to replicate to all DOMAIN CONTROLLERS in
Active
> Directory domain def.nj.company.com).
>
> In FL, the DNS server has two forward lookup zone entries also:
> 1. _msdcs.abc.fl.company.com (set to replicate to all DNS servers in
Active
> Directory forest abc.fl.company.com)
> 2. abc.fl.company.com (replicate to all DNS servers in Active Directory
> domain abc.fl.company.com)
>
> I believe the problem is in the replication setting for def.nj.company.com
> (which is why it is absent in the FL DNS server). I've tried setting it
to
> all DNS servers in the forest, but every time I reboot the setting reverts
> back.
>
> Does anyone have any advice as to either how to get the Replication
setting
> to stick or another method to get these domains talking correctly?
>
> Thanks
> -joe
>
>

This did the trick!!! I had played with the conditional forwarding settings
earlier, but I did not completely understand them. Now they make more
sense.

Thanks for the suggestion Sharad!
-joe

"sharad" <(E-Mail Removed)> wrote in message
news:OE8u$(E-Mail Removed)...
> In FL DNS, add conditional forwarding for def.nj.company.com, forwading
to
> NJ DNS server.
>
> Sharad
>
> "Joe Ross" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > I posted a message on this issue a little over a week ago ("Name
> resolution
> > across domains"). I was not able to resolve it with the suggestion
> provided
> > (the Replication setting change would not stick). This is a more
complete
> > description.
> >
> > The two sites are in different states, connected via a IPSec VPN tunnel.
> >
> > Installed Win 2K3 on the first server. Created a new forest and domain
> > (abc.fl.company.com). Also set up a DNS server as that was required to
> > create the forest and turn the machine into a domain controller. Added
> lots
> > of machines and accounts to the domain.
> >
> > Install Win2k3 on the second server. Create a new parent domain
> > (def.nj.company.com) in an existing forest (abc.fl.company.com).
> Obviously
> > the new domain communicated with the existing domain over the VPN.
> >
> > Now, from NJ I can ping any machine in FL by using a fully qualified
name.
> > I can ping FLPC01 by pinging FLPC01.abc.fl.company.com. Of course, I
can
> > ping by IP also.
> >
> > The problem I'm having is that from FL I can only ping NJ by IP. So
doing
> a
> > ping or nslookup on NJPC01.def.nj.company.com yields nothing. The name
> won'
> > t resolve. I'm guessing if that I would've created the forest on the NJ
> > server first, the problem would be reversed.
> >
> > In checking the NJ DNS server, I see two forward lookup zone entries:
> > 1. _msdcs.abc.fl.company.com (set to replicate to all DNS servers in
> Active
> > Directory forest abc.fl.company.com)
> > 2. def.nj.company.com (set to replicate to all DOMAIN CONTROLLERS in
> Active
> > Directory domain def.nj.company.com).
> >
> > In FL, the DNS server has two forward lookup zone entries also:
> > 1. _msdcs.abc.fl.company.com (set to replicate to all DNS servers in
> Active
> > Directory forest abc.fl.company.com)
> > 2. abc.fl.company.com (replicate to all DNS servers in Active Directory
> > domain abc.fl.company.com)
> >
> > I believe the problem is in the replication setting for
def.nj.company.com
> > (which is why it is absent in the FL DNS server). I've tried setting it
> to
> > all DNS servers in the forest, but every time I reboot the setting
reverts
> > back.
> >
> > Does anyone have any advice as to either how to get the Replication
> setting
> > to stick or another method to get these domains talking correctly?
> >
> > Thanks
> > -joe
> >
> >
>
>

Well, it of course would work, but frankly I don't know if that's all you
need.

Depending upon the kind of trust between the two, you might consider David
Taylor's
suggestion as well, ...i.e. add secondary zone def.nj.company.com in
abc.fl.company.com
and vice versa (and allow zone transfer on each, to the other)

Sharad

"Joe Ross" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> This did the trick!!! I had played with the conditional forwarding
settings
> earlier, but I did not completely understand them. Now they make more
> sense.
>
> Thanks for the suggestion Sharad!
> -joe
>
> "sharad" <(E-Mail Removed)> wrote in message
> news:OE8u$(E-Mail Removed)...
> > In FL DNS, add conditional forwarding for def.nj.company.com, forwading
> to
> > NJ DNS server.
> >
> > Sharad
> >
> > "Joe Ross" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > > I posted a message on this issue a little over a week ago ("Name
> > resolution
> > > across domains"). I was not able to resolve it with the suggestion
> > provided
> > > (the Replication setting change would not stick). This is a more
> complete
> > > description.
> > >
> > > The two sites are in different states, connected via a IPSec VPN
tunnel.
> > >
> > > Installed Win 2K3 on the first server. Created a new forest and
domain
> > > (abc.fl.company.com). Also set up a DNS server as that was required
to
> > > create the forest and turn the machine into a domain controller.
Added
> > lots
> > > of machines and accounts to the domain.
> > >
> > > Install Win2k3 on the second server. Create a new parent domain
> > > (def.nj.company.com) in an existing forest (abc.fl.company.com).
> > Obviously
> > > the new domain communicated with the existing domain over the VPN.
> > >
> > > Now, from NJ I can ping any machine in FL by using a fully qualified
> name.
> > > I can ping FLPC01 by pinging FLPC01.abc.fl.company.com. Of course, I
> can
> > > ping by IP also.
> > >
> > > The problem I'm having is that from FL I can only ping NJ by IP. So
> doing
> > a
> > > ping or nslookup on NJPC01.def.nj.company.com yields nothing. The
name
> > won'
> > > t resolve. I'm guessing if that I would've created the forest on the
NJ
> > > server first, the problem would be reversed.
> > >
> > > In checking the NJ DNS server, I see two forward lookup zone entries:
> > > 1. _msdcs.abc.fl.company.com (set to replicate to all DNS servers in
> > Active
> > > Directory forest abc.fl.company.com)
> > > 2. def.nj.company.com (set to replicate to all DOMAIN CONTROLLERS in
> > Active
> > > Directory domain def.nj.company.com).
> > >
> > > In FL, the DNS server has two forward lookup zone entries also:
> > > 1. _msdcs.abc.fl.company.com (set to replicate to all DNS servers in
> > Active
> > > Directory forest abc.fl.company.com)
> > > 2. abc.fl.company.com (replicate to all DNS servers in Active
Directory
> > > domain abc.fl.company.com)
> > >
> > > I believe the problem is in the replication setting for
> def.nj.company.com
> > > (which is why it is absent in the FL DNS server). I've tried setting
it
> > to
> > > all DNS servers in the forest, but every time I reboot the setting
> reverts
> > > back.
> > >
> > > Does anyone have any advice as to either how to get the Replication
> > setting
> > > to stick or another method to get these domains talking correctly?
> > >
> > > Thanks
> > > -joe
> > >
> > >
> >
> >
>
>

In article <#(E-Mail Removed)>, sharadnaik@nospam-
vsnl.net says...
> Well, it of course would work, but frankly I don't know if that's all you
> need.
>
> Depending upon the kind of trust between the two, you might consider David
> Taylor's
> suggestion as well, ...i.e. add secondary zone def.nj.company.com in
> abc.fl.company.com
> and vice versa (and allow zone transfer on each, to the other)
>
Alternately, he can replicate the zones to all DNS servers in the
*forest*, which would eliminate the need for fowarders altogether.

Laura

> I believe the problem is in the replication setting for def.nj.company.com
> (which is why it is absent in the FL DNS server). I've tried setting it
to
> all DNS servers in the forest, but every time I reboot the setting reverts
> back.

What forest function level is set on NJ? If you have only Win 2003 DCs
and no any win 2000, try raising the FOREST function level to 'Windows
Server 2003'
See the link below:
http://support.microsoft.com/default...uct=winsvr2003

Sharad

"Laura A. Robinson [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed).. .
> In article <#(E-Mail Removed)>, sharadnaik@nospam-
> vsnl.net says...
> > Well, it of course would work, but frankly I don't know if that's all
you
> > need.
> >
> > Depending upon the kind of trust between the two, you might consider
David
> > Taylor's
> > suggestion as well, ...i.e. add secondary zone def.nj.company.com in
> > abc.fl.company.com
> > and vice versa (and allow zone transfer on each, to the other)
> >
> Alternately, he can replicate the zones to all DNS servers in the
> *forest*, which would eliminate the need for fowarders altogether.
>
> Laura

In article <(E-Mail Removed)>, sharadnaik@nospam-
vsnl.net says...
>
> > I believe the problem is in the replication setting for def.nj.company.com
> > (which is why it is absent in the FL DNS server). I've tried setting it
> to
> > all DNS servers in the forest, but every time I reboot the setting reverts
> > back.
>
> What forest function level is set on NJ? If you have only Win 2003 DCs
> and no any win 2000, try raising the FOREST function level to 'Windows
> Server 2003'
> See the link below:
> http://support.microsoft.com/default...uct=winsvr2003
>
This would have nothing to do with the issue at hand, actually.

Laura

It would also cause older Clients, if they exist, to no longer be able to
connect to the Domain. I left ours in 2000 mode even after all the 2000 DCs
were gone to cover the older clients.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Laura A. Robinson [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed).. .
> This would have nothing to do with the issue at hand, actually.
>
> Laura