Child Domain DNS Woes

Guest

I recently took over a Windows 2000/2003 AD domain (native mode). There are
two domains, one parent and one child (domain.company.com and
child.domain.company.com). There was only one DNS server, running on Windows
2000 Server, located in the parent domain. The DNS server had two forward
lookup zones; one for domain.company.com and one for
child.domain.company.com. The former was AD integrated and the latter was
standard primary. The two domains are on different subnets, separated by a
router. There were all kinds of name lookup issues on the network, so I did
the following:

1. Created a new delegation on the parent DNS server for the child domain.
2. Installed DNS on one child DC and made it a primary.
3. Copied the .dns file from the old primary zone (for the child domain)
from the parent to the child DNS server.
4. Created secondary zone for the child domain on the parent DNS server and
vice versa.
5. Put a forwarder for the parent DNS server on the child DNS server.

Everything now seems to work well. I can see all domains and name
resolution works, for the most part. The one remaining issue is that I can
only ping devices on the child domain (from the parent domain) using the FQDN
not NetBIOS name.

I can ping devices (using NetBIOS name) from the child to the parent domain.
I suspect something is amiss with the delegation I created. If I understand
it correctly you use forwarders for child to parent and delegation from
parent to child.

What am I missing?

Thanks!
Herb Martin

Barkmull said:
> I recently took over a Windows 2000/2003 AD domain (native mode). There are
> two domains, one parent and one child (domain.company.com and
> child.domain.company.com). There was only one DNS server, running on Windows
> 2000 Server, located in the parent domain. The DNS server had two forward
> lookup zones; one for domain.company.com and one for
> child.domain.company.com.

Ok.

> The former was AD integrated and the latter was
> standard primary.

Pretty much (not quite) irrelevant for a single DNS
server.

> The two domains are on different subnets, separated by a
> router.

Irrelevant unless there is some filtering preventing
DNS or some other routing problem -- DNS is a
UDP/TCP protocol and is quite routable.

> There were all kinds of name lookup issues on the network, so I did
> the following:
>
> 1. Created a new delegation on the parent DNS server for the child
> domain.

That is not necessary if both zones run ONLY on the same
server. Did you delegate the other zone to itself (same DNS
server)?

> 2. Installed DNS on one child DC and made it a primary.

Now you need the delegation in the parent domain to every server
holding the child zone -- and probably the A record (in the parent
again) for each of those NS record server names.

> 3. Copied the .dns file from the old primary zone (for the child domain)
> from the parent to the child DNS server.

Why?

> 4. Created secondary zone for the child domain on the parent DNS server and
> vice versa.

Creating the secondary using the original Primary as master
would have covered the zone file (you didn't need to copy it,
and doing unnecessary stuff like that is a sign that you might
be finding ways to mess it up.)

> 5. Put a forwarder for the parent DNS server on the child DNS server.

Probably ok. Probably better just to make BOTH DNS
servers hold BOTH zones -- unless they are VERY large.

> Everything now seems to work well. I can see all domains and name
> resolution works, for the most part.
>
> The one remaining issue is that I can
> only ping devices on the child domain (from the parent domain) using the FQDN
> not NetBIOS name.

Of course. Go to the parent domain CLIENTS (which
usually includes SERVERS too) and set the NIC properties:
NIC->IP->Advanced->DNS tab

Add the child domain as an additional suffix.

> I can ping devices (using NetBIOS name) from the child to the parent
> domain.

Do you have a WINS server? If so, this is why it works.

Other choices are an LMHOSTS file, or allowing the broadcasts
through your router -- a WINS server is best in almost all cases.

> I suspect something is amiss with the delegation I created. If I understand
> it correctly you use forwarders for child to parent and delegation from
> parent to child.

Nope. It is because you are never sending the right name.

Allowing unqualified name lookups is a CLIENT only feature.

> What am I missing?

Client suffixes.
Kevin D. Goodknecht Sr. [MVP]

Barkmull said:
> Everything now seems to work well. I can see all domains
> and name resolution works, for the most part. The one
> remaining issue is that I can only ping devices on the
> child domain (from the parent domain) using the FQDN not
> NetBIOS name.

This has to do with the DNS suffix search list. If you run ipconfig /all you
will see the DNS suffix search list, which is your parent domain name. In
order to use host names for both domains you have to specify a DNS suffix
search list. To do that, in TCP/IP properties, on the DNS tab select "Append
these suffixes (in order)", then click Add and type in the parent DNS suffix;
click Add again and type in the child DNS suffix.
If you run ipconfig /all it will show both suffixes. You can put this in a
GPO; Win2k does not have this GPO, however, there is a workaround.
If you edit the GPO from an XP machine it will upgrade the GPO to an object
that includes this option. I'd do this from an XP SP2 client; IIRC SP2
includes more GPO options.
Upgrading Windows 2000 Group Policy for Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307900

Then you will have to install a hotfix on the Win2k DC to edit the GPO from
the Win2k DC.
http://www.microsoft.com/downloads/...46-3af7-4eaf-9ce6-e34ea2c74faf&displaylang=en

I don't think these objects will be applied to Win2k clients, but they will be
applied to XP and Win2k3 clients for sure.

> I can ping devices (using NetBIOS name) from the child to
> the parent domain. I suspect something is amiss with the
> delegation I created. If I understand it correctly you
> use forwarders for child to parent and delegation from
> parent to child.

The reason you can do this is that the primary DNS suffix on the child is
child.domain.company.com, and by default "Append parent suffixes of the
primary DNS suffix" is turned on; since domain.company.com is the parent
suffix of child.domain.company.com, it works.
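Both replies above come down to the same client-side rule: an unqualified name is never sent to DNS as typed, so what matters is which suffixes the client appends. The following is an added example (not code from the thread, from Microsoft, or from either poster) that models those Windows 2000/XP/2003 client rules in Python so the asymmetry can be seen directly: with the default "Append parent suffixes of the primary DNS suffix" (devolution) a child-domain host reaches domain.company.com, while a parent-domain host never tries child.domain.company.com until an explicit search list is configured. The domain names are the thread's; the host names hostA/hostB, their addresses, and the RECORDS table are constructed sample data standing in for what the two DNS servers would answer. It also assumes the documented behaviour that an explicit "Append these DNS suffixes (in order)" list replaces both the primary suffix and devolution, and that devolution stops at two labels (company.com is tried, .com is not).

```python
"""Constructed model of Windows DNS client name qualification.

Added example, not code from the thread or from Microsoft. It models the
client-side rules the replies rely on so you can see which FQDNs a host in
each domain actually sends to its DNS server when a user types `ping hostB`.

Rules modelled (Windows 2000/XP/2003 defaults, TCP/IP properties, DNS tab):
  * "Append primary and connection specific DNS suffixes" (default):
    query <name>.<primary suffix>; if "Append parent suffixes of the
    primary DNS suffix" (devolution) is on, also query each parent of the
    primary suffix, stopping at two labels (company.com, never .com).
  * "Append these DNS suffixes (in order)": ONLY the listed suffixes are
    tried, in order; the primary suffix and devolution are not used.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone data (assumption): what the two DNS servers would answer.
RECORDS: Dict[str, str] = {
    "hosta.domain.company.com": "10.1.0.10",        # parent-domain host
    "hostb.child.domain.company.com": "10.2.0.20",  # child-domain host
}


def candidate_fqdns(name: str, primary_suffix: str,
                    search_list: Optional[List[str]] = None,
                    devolution: bool = True) -> List[str]:
    """Return, in order, the FQDNs the client will query for `name`."""
    if "." in name:
        # Already qualified (the FQDN case that works in the thread): sent as-is.
        return [name.rstrip(".")]
    if search_list:
        # An explicit search list replaces both the primary suffix and devolution.
        return [f"{name}.{suffix}" for suffix in search_list]
    labels = primary_suffix.split(".")
    tried: List[str] = []
    while len(labels) >= 2:
        tried.append(f"{name}.{'.'.join(labels)}")
        if not devolution:
            break
        # Devolve one label: child.domain.company.com -> domain.company.com -> company.com
        labels = labels[1:]
    return tried


def resolve(name: str, primary_suffix: str,
            search_list: Optional[List[str]] = None,
            devolution: bool = True) -> Optional[Tuple[str, str]]:
    """First candidate present in RECORDS, returned as (fqdn, ip); None if no match."""
    for fqdn in candidate_fqdns(name, primary_suffix, search_list, devolution):
        ip = RECORDS.get(fqdn.lower())
        if ip is not None:
            return fqdn, ip
    return None


if __name__ == "__main__":
    parent, child = "domain.company.com", "child.domain.company.com"
    # The thread's symptom: a parent-domain client never asks for hostB's real name.
    print(candidate_fqdns("hostB", parent))   # ['hostB.domain.company.com', 'hostB.company.com']
    print(resolve("hostB", parent))           # None
    # Child -> parent works because devolution reaches domain.company.com.
    print(candidate_fqdns("hostA", child))
    print(resolve("hostA", child))            # ('hostA.domain.company.com', '10.1.0.10')
    # The fix from the replies: an explicit search list on parent-domain clients.
    print(resolve("hostB", parent, search_list=[parent, child]))
```

Run it as a script to see the three cases; the point to take away is that the parent-side failure is not a delegation problem at all, since no query for hostB.child.domain.company.com ever leaves the client until the search list names the child suffix.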