trust help.

ed
06-24-2010
Hi all,

We are going to create a two-way forest with CompanyB. The companyB has
same internal and external public naming b.com. I just create the
conditional forwarder for b.com to use their internal DNS server IPs. Now,
when I ping b.com, it still routes to the external IP. Is this supposed to
be? If I do nslookup b.com and it returns all their internal DNS IPs. Can I
build a two-way forest trust or any additional steps I need to configure?

Thank you.

Joe Dunn
06-25-2010

If you are getting a different address when pinging and using NSLOOKUP on
the same computer it is probably just the local DNS cache. It probably still
contains the old record. Ping will use the cache, NSLOOKUP will not. You
can clear it manually using ipconfig /flushdns but by the time you had posted
this message it was probably clear anyway.

If you are still getting problems post back.

Best regards
Joe Dunn
MBCS, MCITP:EA, MCSE, CCNA

ed
06-25-2010
Hi Joe,

Thanks for your help.

I did flushdns and try it again. When I ping b.com, it still shows the
external IP. But, when I do nslookup b.com, it returns all internal IPs and
external too. Even in the root domain controller, it returns the external IP
when I ping. Is this supposed to be? I can not ping servername.b.com either?
Do you see any problem if we need to establish a forest trust?

Thank you.

Joe Dunn
06-25-2010

It sounds like the internal DNS zone of b.com has both internal and external
records. This could be normal if you were to have DCs with external IP
addresses but this isn't recommended in a single domain. Or someone could
have just added manual A records for the parent. You should be able to ping
all the servers in b.com though. If you can't you need to check they have A
records in the zone.

Pinging is not always a good mechanism of testing where AD is concerned
however. Pinging uses A records whereas AD will use SRV records to find DCs
(plus some pinging as well to test network connectivity). Nslookup also
looks for A records by default. Try using Nslookup with these commands to
get a list of DCs.

nslookup
set type=srv
_ldap._tcp.dc._msdcs.b.com

Best regards
Joe Dunn
MBCS, MCITP:EA, MCSE, CCNA

ed
06-25-2010
Joe,

thanks for your help.
If I do nslookup
set type=srv
_ldap._tcp.dc._msdcs.b.com

all their internal IPs returned.

Just wonder if I do nslookup qtype=A servername.b.com
It returns "Non-existent domain"

Is it supposed to be? Should we have any problem for establishing a trust?

Thank you.

Joe Dunn
06-25-2010

You need to check there is an A record for servername.b.com in the DNS zone.
You should be able to resolve all the server names.

It's hard for me to say if you will have any problems with the information
here. You should just try to create one. Just a further note. You need to
ensure resolution works in the other direction as well. i.e. from the other
domain to b.com.

Best regards
Joe Dunn
MBCS, MCITP:EA, MCSE, CCNA
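
The checks described in this thread (the SRV lookup for DCs, then an A record for every server name), as an added PowerShell example that is not part of the original posts: it queries _ldap._tcp.dc._msdcs.<domain>, resolves each DC name it finds, and marks addresses outside the RFC 1918 ranges as external. Test-TrustDns, Test-PrivateIPv4, the DC names and the IP addresses are constructed for illustration; Resolve-DnsName requires Windows 8 / Server 2012 or later.

```powershell
# Added example: names, IPs and the lookup table below are constructed.
function Test-PrivateIPv4 {
    param([string]$Address)
    $b = ([ipaddress]$Address).GetAddressBytes()
    if ($b.Length -ne 4) { return $false }   # only IPv4 is classified here
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-TrustDns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        # Resolver takes (name, type) and returns record objects. The default
        # queries live DNS; pass the constructed table below to run offline.
        [scriptblock]$Resolver = { param($n, $t)
            Resolve-DnsName -Name $n -Type $t -DnsOnly -ErrorAction Stop }
    )
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    try   { $srv = @(& $Resolver $srvName 'SRV' | Where-Object { $_.Type -eq 'SRV' }) }
    catch { $srv = @() }
    if ($srv.Count -eq 0) {
        return [pscustomobject]@{ Name = $srvName; Address = $null; Status = 'NoDCsFound' }
    }
    foreach ($target in ($srv.NameTarget | Sort-Object -Unique)) {
        # AD locates DCs through SRV, but each SRV target still needs an A record.
        try   { $a = @(& $Resolver $target 'A' | Where-Object { $_.Type -eq 'A' }) }
        catch { $a = @() }
        if ($a.Count -eq 0) {
            [pscustomobject]@{ Name = $target; Address = $null; Status = 'NoARecord' }
            continue
        }
        foreach ($rec in $a) {
            $status = if (Test-PrivateIPv4 $rec.IPAddress) { 'Internal' } else { 'External' }
            [pscustomobject]@{ Name = $target; Address = $rec.IPAddress; Status = $status }
        }
    }
}

# Constructed records: one healthy DC, one DC with an external address in the
# internal zone, and one DC that is registered in SRV but has no A record.
$sample = @{
    '_ldap._tcp.dc._msdcs.b.com|SRV' = @(
        [pscustomobject]@{ Type = 'SRV'; NameTarget = 'dc1.b.com' },
        [pscustomobject]@{ Type = 'SRV'; NameTarget = 'dc2.b.com' },
        [pscustomobject]@{ Type = 'SRV'; NameTarget = 'dc3.b.com' })
    'dc1.b.com|A' = @([pscustomobject]@{ Type = 'A'; IPAddress = '10.20.0.11' })
    'dc2.b.com|A' = @([pscustomobject]@{ Type = 'A'; IPAddress = '203.0.113.10' })
}
$offline = { param($n, $t)
    $hit = $sample["$n|$t"]
    if (-not $hit) { throw "Non-existent domain: $n" }
    $hit
}

Test-TrustDns -Domain 'b.com' -Resolver $offline | Format-Table -AutoSize
```

Without -Resolver the function queries the DNS server the machine is configured to use; run it from a DC in each forest against the other forest's domain name, since resolution has to work in both directions.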

ed
06-25-2010
Great help.

For a two-way forest trust, should we configure it at one forest or have to
configure it at both forests?

Joe Dunn
06-26-2010

It needs to be configured in both forests. But if you have accounts which
are members of the Enterprise Admins group of each forest you can create them
in both forests in one go. If not, someone with these rights will have to
create it in the other forest separately. To do this you will need to share
the password you set when creating the trust.

Best regards
Joe Dunn
MBCS, MCITP:EA, MCSE, CCNA