DNS, Conditional Forwarders, 2 way trust - cannot find objects from other domain

  • Question

  • I have server1 in domain1 that cannot enumerate objects from domain2, but the domain controllers in domain1 can.

    On server1, nslookup of "domain2" pulls a list of DCs from domain2.  Good

    On server1, nslookup of "domain2_DC1.domain2" resolves with a non-authoritative answer.  Good

    On server1, going to Users and Groups, Administrators, change location to domain2, it changes fine.  Good

    Then I try to add a user or group from domain2, Check Names, it churns and finally says it cannot find the object.  Bad

    Domain2 has many 2 way trusts with other domains, and is able to enumerate the same AD groups/users as I am trying in Domain1.

    Server1 has its primary DNS set to domain1_DC1 (which is one of the DCs with the firewall ports open for AD), and domain1_DC1 can add AD groups from domain2.  Domain1_DC1 has a Conditional Forwarder configured for Domain2 and its DCs.  The only thing I can think of is that server1 is not using its primary DNS server, instead choosing a different DNS server.  Which I still think would be OK, because the Conditional Forwarder is stored in AD for all DNS servers in the domain.  Now, not all DCs/DNS servers have their IPs open to domain2, but I would think they should forward to the DCs that do.

    There is a lot of info and this is hard to explain so hopefully I can get some dialogue going with a Windows DNS expert here.  Thanks!

    Thursday, April 20, 2017 6:50 PM

All replies

  • Hi J.J.P,

    >> There is a lot of info and this is hard to explain so hopefully I can get some dialogue going with a Windows DNS expert here.

    We have tested the same situation as yours. Based on my experience, we recommend configuring the conditional forwarder for the domain.

    There is no relevant information explaining this behavior in Microsoft's official documents.

    You could also view the DNS resolution process with Network Monitor when you add the users from the domain.

    Best Regards

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 21, 2017 8:19 AM
  • Hi J.J.P ,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards

    Candy



    Tuesday, April 25, 2017 5:16 AM
  • Right now I set a server to have one DNS server, which is one of the servers that has its FW ports open to the other domain.

    It still cannot enumerate objects from Domain2 even though NSLOOKUP pulls a list of DCs from Domain2.

    Firewall team says some LDAP queries are going to a DC in Domain2 that is not open in the firewall.  I do not understand why that DC is trying to answer.

    How can I get just the 2 DCs from Domain2 to answer all DNS/LDAP queries instead of a random DC from Domain2?

    Wednesday, April 26, 2017 5:10 PM
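    The symptom in the two posts above (nslookup lists every domain2 DC, yet LDAP goes to one that the firewall blocks) can be reproduced from server1 with the following PowerShell. This is an added diagnostic, not code from the thread or from Microsoft; `domain2`, the port list and the interface name are placeholders taken from the post. It shows which domain2 DCs the DC Locator SRV records advertise (DC Locator picks from these, not from the conditional forwarder's master-server list), which DC `nltest` actually selects, and which advertised DCs are unreachable on the AD ports.

```powershell
# Added diagnostic (not from the thread). Run on server1 in domain1.
# Placeholders: $TrustedDomain, $AdPorts - adjust to your environment.
param(
    [string]$TrustedDomain = 'domain2',
    # Ports a member server needs to reach on a DC of a trusted domain
    [int[]]$AdPorts = @(53, 88, 135, 389, 445, 636, 3268)
)

# 1. Which resolvers is server1 really using? (OP suspected it was not using its primary)
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. DC Locator candidates for the trusted domain. These are the SRV records the
#    domain2 DCs register themselves; the conditional forwarder only decides which
#    remote DNS servers answer this query, not which DC gets the LDAP traffic.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }

Write-Host "SRV records returned for $TrustedDomain (any of these may be chosen):"
$srv | Sort-Object Priority, Weight | Format-Table NameTarget, Priority, Weight, Port -AutoSize

# 3. Which DC did DC Locator choose this time? (/force bypasses the cached DC)
nltest /dsgetdc:$TrustedDomain /force

# 4. Reachability of every advertised DC on every AD port. A DC that appears in the
#    SRV answer but is blocked on the firewall is the "random DC" the firewall team sees.
$report = foreach ($rec in $srv) {
    foreach ($port in $AdPorts) {
        $ok = Test-NetConnection -ComputerName $rec.NameTarget -Port $port `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $rec.NameTarget; Port = $port; Reachable = $ok }
    }
}

Write-Host "Advertised DCs that server1 cannot reach:"
$report | Where-Object { -not $_.Reachable } | Format-Table -AutoSize
```

Run it elevated so `nltest` can query the locator; if the "cannot reach" table lists DCs that the firewall team has not opened, that, rather than the conditional forwarder, is what makes Check Names fail.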
  • Hi J.J.P,

    Did you want to reply to this thread?

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/d6170f98-5e65-48a0-8042-3840250b0296/dns-conditional-forwarders-2-way-trust-cannot-find-objects-from-other-domain?forum=winserveripamdhcpdns

    I guess you might have mixed up two threads.

    If the information provided was helpful in this thread, please "mark it as answer" to help other community members find the helpful reply quickly.

    For another thread:

    >>It still cannot enumerate objects from Domain2 even though NSLOOKUP pulls a list of DC's from Domain2

    How many DCs are configured in the list of conditional forwarder?

    Based on your situation, it is recommended that you configure only the DCs with the firewall opened in the conditional forwarder's list.

    Best Regards

    Candy



    Friday, April 28, 2017 5:28 AM
  • Hi Candy,

    There are 2 DCs configured in the Conditional Forwarder.  But an NSLOOKUP is pulling a list of many more DCs (nameservers) from that domain.  I think the client then tries to use any one of those DCs from the list, and because firewall ports are not open for all DCs it fails.

    Basically we are trying to control the trust, DNS, etc. by making it flow between 2 specific DC's.  But something is bringing in more DC's to play and causing failures.

    What I *think* is that because the conditional forwarder is stored in AD, all the DCs in the domain are aware of the conditional forwarder and they try to interact with the DCs in that conditional forwarder but are not allowed to.

    I also think the reverse lookup zone in the remote domain is filled with a list of DCs (nameservers), and that list is being given to the client in the requesting domain, and that client is trying to use that list to get name resolution but cannot due to the firewall.

    But I am not sure if my theories are correct.  And even if they are, what is the best practice to fix them?  I was considering removing the Conditional Forwarder from AD and manually configuring it on the 2 DCs.  I was also considering, on the remote domain, removing all nameservers from the reverse lookup zone (but this doesn't seem like a good idea by instinct).

    Friday, April 28, 2017 3:43 PM
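    Both Candy's recommendation (put only the firewall-opened domain2 DCs in the conditional forwarder) and the poster's idea of taking the forwarder out of AD and configuring it by hand on the two domain1 DCs can be done with the DnsServer module. The script below is an added example, not code from the thread or from Microsoft; the IP addresses and the names `domain1_DC1`, `domain1_DC2` and `domain2` are placeholders. Note what this does and does not control: a conditional forwarder decides which remote DNS servers answer domain1's queries for `domain2`, but the domain2 DC that receives LDAP traffic is chosen by DC Locator from the SRV records those DCs register, so the forwarder alone does not pin LDAP to two DCs.

```powershell
# Added example (not from the thread). Run with DNS admin rights in domain1.
# Placeholders: adjust the addresses and server names to your environment.
$TrustedDomain  = 'domain2'
$OpenRemoteDcs  = @('192.0.2.10', '192.0.2.11')     # domain2 DCs the firewall allows (placeholders)
$LocalResolvers = @('domain1_DC1', 'domain1_DC2')   # domain1 DNS servers with ports open to domain2

foreach ($dns in $LocalResolvers) {
    # Remove any existing forwarder zone for the domain on this server first.
    # Caution: if the existing zone is AD-integrated, Remove-DnsServerZone deletes it
    # from the directory, i.e. from every DNS server that replicates it.
    $existing = Get-DnsServerZone -ComputerName $dns -Name $TrustedDomain -ErrorAction SilentlyContinue
    if ($existing -and $existing.ZoneType -eq 'Forwarder') {
        Remove-DnsServerZone -ComputerName $dns -Name $TrustedDomain -Force
    }

    # Omitting -ReplicationScope creates a file-backed forwarder held only on $dns,
    # so DNS servers without firewall access never learn about it.
    Add-DnsServerConditionalForwarderZone -ComputerName $dns -Name $TrustedDomain `
        -MasterServers $OpenRemoteDcs -ForwarderTimeout 5 -PassThru
}

# Verify: each resolver holds a non-AD-integrated forwarder that points only at the allowed DCs.
foreach ($dns in $LocalResolvers) {
    Get-DnsServerZone -ComputerName $dns -Name $TrustedDomain |
        Select-Object @{ n = 'Server'; e = { $dns } }, ZoneName, ZoneType, IsDsIntegrated, MasterServers
}

# Confirm from a resolver that a domain2 SRV query now goes out through the forwarder.
Resolve-DnsName -Server $LocalResolvers[0] -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } | Format-Table NameTarget, Priority, Weight -AutoSize
```

After this, point server1's NIC only at the resolvers in `$LocalResolvers` (for example `Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses @('10.0.0.1','10.0.0.2')`, addresses being placeholders) so that it cannot fall back to a DNS server without a path to domain2.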
  • Hi J.J.P,

    >> What I *think* is that because the conditional forwarder is stored in AD, all the DCs in the domain are aware of the conditional forwarder and they try to interact with the DCs in that conditional forwarder but are not allowed to.

    This behavior is most likely an underlying mechanism which we can't control with the built-in GUI. There is another workaround: you could try to perform a port mapping on the firewall, mapping the non-opened domain controller's port 53 to the opened domain controller's.

    Appreciate your patience.

    Best Regards

    Candy



    Tuesday, May 2, 2017 5:59 AM
  • Hi J.J.P

    Was your issue resolved?

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards

    Candy



    Monday, May 8, 2017 9:03 AM