Server 2012 DNS Issue (HELP!)

    Question

  • Hi:

    We have two DCs for each domain (corp.company.com & company.local). We have most users and their computers in one and all servers in the other. We upgraded the DCs from 2008R2 to 2012 and elevated our Forest & Domain Functional levels to 2012.

    When on a server in one domain, we aren't able to reach out to something in the other domain without the FQDN and vice versa. This used to work just fine and now stopped. What do we need to do to make it function so that we don't have to put in the FQDNs?

    Thank you,
    Stangride


    • Edited by stangride Tuesday, July 09, 2013 8:02 PM
    Tuesday, July 09, 2013 7:45 PM

All replies

  • The main way I know of that you'd normally achieve that would be via the DNS Search Suffixes, so I wonder if something about the upgrade process has caused those to be removed.

    There's a great blog post here http://msmvps.com/blogs/acefekay/archive/2011/02/12/configuring-dns-search-suffixes.aspx that goes into detail about how they work, and here http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx which goes into more detail about the options for how to set them up.

    They could previously have been configured via GPO, or configured in the individual NIC, but in either case the upshot is that within the DNS settings of the NIC properties you specify the DNS suffixes that you want the machine to know about. So when on company.local if you ping mymachine and it can't resolve it the machine will automatically try pinging mymachine.company.local. By adding corp.company.com to your DNS search suffix list the machine will now also try pinging mymachine.corp.company.com if the first one (assuming they're configured in this order) fails to resolve.

    Tuesday, July 09, 2013 9:45 PM
  • Hi,

    A DC can receive changes and replicate those changes to the other DC in the domain. Since you have two domains and updated the DCs, maybe something in the upgrade process caused this issue.

    Just as Keith said, you can achieve it via configuring the DNS Search Suffixes. By adding the suffixes to the DNS suffix search list, you can search for short, unqualified computer names in the DNS domains instead of the Fully Qualified Domain Names.

    More information:

    What's New in DNS Server in Windows Server 2012

    http://technet.microsoft.com/en-us/library/dn305897.aspx

    I hope this helps!

    Thursday, July 11, 2013 7:14 AM
  • Did you setup DNS forwarding to the other domain? This will remove the need for DNS search suffixes and it will be maintained on the DNS servers only which would be replicated.
    Thursday, July 11, 2013 1:31 PM
  • Hello stangride,

    I agree with the Search Suffixes suggestions. Keith posted my blog on how that works, as well as DNS design options.

    My question is, how is your current DNS resolving infrastructure designed? If you can post specifics on how you have it designed between the two domains in the forest, we can provide specifics to get things back on track for you. Review my DNS design options, and then post back with how you have it designed.

    Thank you.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, July 12, 2013 3:36 PM
    One more option for single name resolution, especially for apps and services that require NetBIOS name resolution, such as Network Neighborhood, Backup Exec, McAfee ePO, Symantec EP, etc.: you may need to configure WINS. Here's more info on that:

    WINS - What Is It, How To Install It, WINS Replication Partner Design Guidelines, How to Configure DHCP Scopes For WINS Client Distribution, and more:
    Published by acefekay on Oct 27, 2010 at 6:18 PM
    http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx


    Ace Fekay

    Friday, July 12, 2013 3:38 PM
  • Ace:

    This is how we have it configured right now:

    DC1 (192.168.1.84) for corp.company.com:

    - NIC - is pointing its primary DNS to DC2 (192.168.1.83) & secondary to itself

    - DNS - Forwarders are pointing to our ISP's public DNS 4.2.2.2 & 4.2.2.1

    DC2 (192.168.1.83) for corp.company.com:

    - NIC - is pointing its primary DNS to DC1 (192.168.1.84) & secondary to itself

    - DNS - Forwarders are pointing to our ISP's public DNS 4.2.2.2 & 4.2.2.1

    DC1 (192.168.1.86) for company.local:

    - NIC - is pointing its primary DNS to DC2 (192.168.1.88) & secondary to itself

    - DNS - Forwarders are pointing to DC1 & DC2 of corp.company.com (192.168.1.83 & 192.168.1.84)

    DC2 (192.168.1.88) for company.local:

    - NIC - is pointing its primary DNS to DC2 (192.168.1.86) & secondary to itself

    - DNS - Forwarders are pointing to DC1 & DC2 of corp.company.com (192.168.1.83 & 192.168.1.84)

    Let me know if you need any other information to help me with my design and obtain the best results for our company.

    Thank you,
    Stangride

    Friday, July 12, 2013 6:15 PM
  • corp.company.com:

    DC1 (192.168.1.84) for corp.company.com:
    DNS: 192.168.1.83, 192.168.1.84
    Forwarders are pointing to our ISP's public DNS 4.2.2.2 & 4.2.2.1

    -

    DC2 (192.168.1.83) for corp.company.com:
    DNS: 192.168.1.84, 192.168.1.83
    Forwarders: 4.2.2.2 & 4.2.2.1

    -

    company.local:

    DC1 (192.168.1.86) for company.local:
    DNS: 192.168.1.88, 192.168.1.86
    Forwarders are pointing to DC1 & DC2 of corp.company.com (192.168.1.83 & 192.168.1.84)

    -

    DC2 (192.168.1.88) for company.local:
    DNS: 192.168.1.86, 192.168.1.88
    Forwarders are pointing to DC1 & DC2 of corp.company.com (192.168.1.83 & 192.168.1.84)

    -

    I thought I had posted a lengthy reply to this? I don't know what happened to it.

    Let's take it with baby steps to eliminate me posting suggestions based on assumptions.

    Are company.com and corp.company.local two Tree domains in the same forest? If so, which one is the Forest Root domain?


    Ace Fekay

    Monday, July 15, 2013 4:06 AM
  • Yes, both company.local and corp.company.com are two trees in the same forest, with corp.company.com being the forest root domain... it existed first!

    Thank you,

    Stangride

    Wednesday, July 17, 2013 9:23 PM
  • Yes, both company.local and corp.company.com are two trees in the same forest, with corp.company.com being the forest root domain... it existed first!

    Thank you,

    Stangride

    Thank you for establishing that. The forwarders seem correct so far, based on what you said; however, you may not have read my DNS design blog yet to understand what I am trying to get at, therefore the next set of questions will help me totally understand your design. Read my blog to better understand why I'm asking. :-)

    • What replication scope is corp.company.com zone?
    • What replication scope is company.local zone?
    • What replication scope is the _msdcs.corp.company.com zone?

    -

    So I guess you haven't yet set up Search Suffixes in each domain? For example, I would create a GPO in each domain, and then link it at the domain level of their respective domain (DO NOT TOUCH THE DEFAULT DOMAIN POLICY in either domain - it should not have anything else in it other than password policies, if that - create your own Search Suffix GPO in each domain) so they have these two settings for search suffixes in this order:

    • corp.company.com
    • company.local

    -

    The reason corp.company.com is first is because it's the forest root domain. That is important in the forest.

    Keith previously posted my blog on how to do that. I've already done this for a large customer with the same exact design you have.

    -

    Are you using WINS? Do your users use Network Neighborhood, or do you use Exchange 2003, or do you use Symantec Backup Exec, ePO, McAfee, some sort of ERP that requires NetBIOS resolution, or anything else that requires the ability to browse the network? If so, then you need it.

    The reason I am asking is because you didn't post a real ipconfig /all, therefore it leaves much for assumptions. If you had, it would have eliminated additional questions. Thanks for understanding. :-)

    WINS - What Is It, How To Install It, WINS Replication Partner Design Guidelines, How to Configure DHCP Scopes For WINS Client Distribution, and more:
    Published by acefekay on Oct 27, 2010 at 6:18 PM
    http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx


    Ace Fekay


    Wednesday, July 17, 2013 10:32 PM
    • What replication scope is corp.company.com zone? All DNS Servers in the forest
    • What replication scope is company.local zone? All DNS Servers in the forest
    • What replication scope is the _msdcs.corp.company.com zone? _msdcs resides under corp.company.com's Forward lookup zone and therefore inherits its replication scope.

    I did setup a GPO named "DNS Suffix Policy" and added the two domains in this order, this was pushed out to all computer obj's in AD:

    1) corp.company.com

    2) company.local

    So, now client machines that are in corp.company.com can reach resources in the company.local domain with its short name or "NETBIOS" name. We don't have a need to go in the opposite direction, which is why I haven't created a GPO in the domain company.local.

    Now that folks have pulled this GPO, we have noticed that when connecting to our clients' VPNs, we now have to type in the FQDN and didn't have to before to RDP, etc. to their resources.

    We used to have WINS up and operational, but when we upgraded our DCs from 2008R2 to 2012, we didn't turn it back on.

    Thank you,

    Stangride

    Friday, July 19, 2013 1:47 AM
  • I would highly suggest to create the search suffix in the forest root domain, too. After all, domain resources in the forest root (corp.company.com) MUST be able to resolve the other tree, company.local.

    I'm a little confused about the client VPN and RDP. What client VPN are you referring to? Clients as in workstations, or separate entity?

    You may need to have WINS back in place, especially if you are in a multi-subnetted environment. Are you sure that any of your services you are running do not require NetBIOS? Have you inventoried all apps? For example, SEP, McAfee ePO, Symantec Backup Exec, and numerous others, need it.

    The way resolution works is rather simple. If you ping a single name, or an app tries to connect to a resource by a single name, then the client side resolver service (each machine has one, including DCs, member servers, workstations, Linux, Unix, BeOS, etc. - it's based on the RFCs) attempts to suffix the search suffix to the name to form a complete FQDN and then queries for it. If it fails to resolve, then it moves on to the next suffix. It tries each suffix, one at a time, in the order you've created them, until it gets a hit. Does the ipconfig /all of each and every machine (including DCs, member servers and workstations) all show the search suffix from the GPO? I assume you've created it at the domain level and pushed it out to EVERYTHING. If not, that is important, and may have a factor in resolution.

    But if the app is looking for a NetBIOS name resolution, the above will fail if you have NetBIOS disabled or the resource is on another subnet. In RDP, if you see the single name show up in all UPPERCASE, then that means it's looking for a NetBIOS name, not a single name resolvable by suffix.


    Ace Fekay

    Friday, July 19, 2013 2:52 AM
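Added example, not code from the thread or from any of its posters: a PowerShell check for the two points Ace makes above, that every machine's ipconfig /all should show the GPO suffix list in forest-root-first order, and that the resolver appends each suffix in turn until it gets a hit (names with no hit on any suffix are the ones left to NetBIOS/WINS). The expected suffix order is taken from this thread's domains; the short host names are hypothetical.

```powershell
# Added example (not from the thread): audit the DNS suffix search list a
# domain member actually received and walk it the way the client resolver
# does. Assumes the thread's two-tree forest, corp.company.com (forest root)
# first and company.local second; host names below are hypothetical.
# Needs Windows 8 / Server 2012 or later for the DnsClient cmdlets.

$ExpectedSuffixes = @('corp.company.com', 'company.local')

# 1. The list the DNS Client service really uses (what "ipconfig /all" prints
#    as "DNS Suffix Search List").
$effective = @((Get-DnsClientGlobalSetting).SuffixSearchList)
Write-Host "Effective suffix search list: $($effective -join ', ')"

# 2. Whether it came from the "DNS Suffix Search List" GPO setting. The policy
#    writes a comma-separated SearchList value under this key; nothing here
#    means the GPO did not apply to this machine (check gpresult /r and scope).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$policy = (Get-ItemProperty -Path $policyKey -Name SearchList -ErrorAction SilentlyContinue).SearchList
if ($policy) { Write-Host "GPO-delivered list: $policy" } else { Write-Warning "No GPO suffix list under $policyKey (list may be per-NIC only)" }

# 3. Order matters: suffixes are tried top to bottom, so compare as a sequence,
#    not as a set.
if (($effective -join ',') -eq ($ExpectedSuffixes -join ',')) {
    Write-Host 'Suffix order matches (forest root first).'
} else {
    Write-Warning "Expected order: $($ExpectedSuffixes -join ', ')"
}

# 4. Walk the suffixes for a short name exactly as the resolver does: append
#    each suffix in turn and stop at the first DNS answer. A name with no hit
#    on any suffix can only be found via NetBIOS (WINS or broadcast), which is
#    the case where WINS is needed.
function Resolve-ShortName {
    param([string]$Name, [string[]]$Suffixes)
    foreach ($s in $Suffixes) {
        $fqdn = "$Name.$s"
        $rec = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
        $a = $rec | Where-Object { $_.IPAddress } | Select-Object -First 1
        if ($a) {
            return [pscustomobject]@{ Name = $Name; ResolvedAs = $fqdn; Address = $a.IPAddress; NeedsNetBIOS = $false }
        }
    }
    [pscustomobject]@{ Name = $Name; ResolvedAs = $null; Address = $null; NeedsNetBIOS = $true }
}

# Hypothetical short names: one expected in each tree, one that exists in no DNS zone.
'fileserver01', 'app-srv02', 'legacy-nb' |
    ForEach-Object { Resolve-ShortName -Name $_ -Suffixes $effective } |
    Format-Table -AutoSize
```

Run it on a machine in each tree; a name that only resolves with company.local on a corp.company.com member proves the second suffix is doing the work, and a NeedsNetBIOS result on a name RDP used to find by short name points at the WINS gap described in the thread.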