Cannot resolve UNC name of child domain controller from win2k servers

Interesting. nbtstat -rr run on the Citrix server reports 439 names resolved by name server, 114 registered, and none by broadcast. The DC of the child domain reports 199 resolved by broadcast, with one registered. 86 resolved by name server, 11 registered. WINS is set to the DC of the parent domain, I did change it from the Default NetBIOS setting to "Enable NetBIOS over TCP/IP". I wonder if that will make a difference, running nbtstat -R and -RR didn't seem to make a difference.... The name still won't resolve.

The citrix server, and a few other servers that are having trouble resolving the child domain DC, seem to all have externally facing DNS and IP addresses as well as their internal addresses. This is how they've previously been configured, and all was working fine until a few weeks ago. I can't really figure out what broke it either, as it worked fine after the domain upgrade. Maybe running forestprep for our exchange 2k3 upgrade messed things up?

Suffice to say, I don't think its a firewall issue given that it worked fine with this same configuration previously, but maybe I'm missing something else?

I have some other ideas if you haven't resolved this.

Email me and let me know.

bob.hunt@adelphia.net

Its not just the citrix servers that aren't getting through. I've got about 5 Win2k servers that have dual IP addresses, one internal and one external, and none of these servers are able to resolve the Netbios name of the child domain controller. They can access it fine if the \\ipaddress is entered. They can access all member servers of the child domain, just not the DC itself. Both child and parent are Win2k3 servers, both are PDC Emulators as we are still in the midst of the upgrade away from NT. The WINS has the child DC name mapped correctly... testing trusts works fine. Not sure why a stub zone would help, not even sure what that would do. Not quite sure how the master browser works.

Thanks!

-Reg

1. Are each of the DC's in each domain DNS with both Active Directory Integrated Forward and Reverse lookup zones?

2. Assuming each DC has DNS, it has a primary zone for it's domain. Does it contain a secondary zone for the other domain?

3. If you have s secondary zone for each domain, what happens when you change the primary DNS server in the IP properties of the citrix server to the DNS on the DC of the child domain?

4. Each of the DC's with DNS needs both A and NS records for the DNS on the DC in the other domain?

5. Here's a link for Master Browser issues

http://support.microsoft.com/kb/188305

6. Grasping at straws here, there may be an issue with some of the service accounts on the new domain controllers. Did you run the Domain Prep programs before upgrading to 2003 domain? There are some service accounts that get added. You can reset the passwords on these if they are creating problems. Be careful with this.

but again is there a zone in DNS that encompasses the child domain which points to the DC of the child domain? note DNS zones can encompass contigious namespaces e.g. support.microsoft.com where support is the child domain of the parent microsoft.com

but if you have non contigious domain namespaces, you need seperate DNS Zones.

in any event you need a zone in DNS which is authoritative for the the namespace be it the . .com or .com & .com

At issue is logon servers can't be found. So that tells me that a client sends a query to DNS Hey! need a logon server for childdomain.parentdomain.com [or the non contigious namespace] and DNS comes back and says "Sorry don't know of any" .

WINS isn't just a big ole host file either. you can enter names resolving to addresses in WINS but in an Active Directory environment if those names and addresses aren't in DNS, then they aren't worth anything. AD requires DNS to function properly. DNS breaks AD breaks.

One thing I just tried doing was create a secondary zone on parent.dom called child.parent.dom, resolved from the childDC. That didn't seem to help, maybe I could make it a primary zone instead and nix the DNS server on the child domain entirely? This is confusing!

Thanks for your help!

Answers to your questions:

1) Both DC DNS servers are AD integrated with all zones

2)On the parent DC, under the parent.dom zone there is a "folder" called "child", which contains the child DNS info. The host records there contain the server name for the child domain, along with its IP address. The parent has three forward zones, the _msdcs.parent.dom, parent.dom, and parent.org (which I guess serves our DNS for web hosting purposes)

On the child DC, there is only one zone, child.parent.dom . Should the child.parent.dom zone appear on the main DC as well?

3) I tried changing the DNS to the child domain, that didn't make a difference

4) I've had the childdc.child.parent.dom server as both A and NS records in both domains and this hasn't made a difference

5) I've viewed the master browser pages, I can't seem to see how it applies actually...

6) We did do domain prep (and forest prep as well for the Exchange 2k3 install) ..service accounts seem OK, it wouldn't make sense that this would cause a problem on some servers and not others....

Thanks for your help!

the DNS zone for the parent domain can include the child domain provided the child domain is a contingious namespace with the parent domain. There must be DNS records in the DNS zone which resolves to child domain servers when a query is made.

this is about the best article I could find on Technet that explains DNS zones, namespaces, and delegations of primary and secondary zones. click on the How DNS Works link.

http://technet2.microsoft.com/windowsserver/en/library/6e45e81e-fb44-4a20-a752-ebe740e2acc61033.mspx?mfr=true

it's possible that DNS query information isn't being sent to clients requesting a name resolution. Note: DNS uses UDP and the Windows Firewall will block DNS traffic unless an exception is made [if the child domain servers traffic must come in from outside [different subnet]. but you can ping so mayben that's not the problems. DCs aren't necessarily DNS servers. The first server created for the domain typically must be a DNS server as AD won't function without a DNS server. You can have DNS running on a DC but you don't have to have DNS on a DC. So the domain controller for the child domain doesn't necessarily have to have DNS running on it, only that a DNS server on the network can resolve queries.

If memory holds right Citrix uses TCP port 1494 for ICA clients but other than that, not a Citrix person.

just throwing out ideas as it appears that DNS queries for the child domain are not being resolved by DNS.

That article is very good for helping me understand how DNS works, though this issue seems pretty complicated.

Windows Firewall isn't enabled. The problem is not just with Citrix servers, but all servers which have both outward facing and inward facing IP addresses. I tried Ethereal to see if that could help me get more of an idea but I'm not really that familiar on its usage so I wasn't able to get very far. It did seem that upon making the request some packets went out on the 64.xxx.xxx.xxx (external) ip scheme, as opposed to our internal 10.x.x.x scheme, so my thought is that maybe something is configured on the Child DC itself that is denying access to these requests thinking they are coming from the outside? It just doesn't make sense that other members of the child domain resolve without issue.

if queries are being sent out the wrong interface therefore not getting to a DNS server...

and yes it doesn't make sense that clients or servers can resolve while others can not.

the only other idea I came think of is that the servers and clients that can resolve are getting the right information on the right DNS server to query where as those that can't aren't being directed to the correct DNS server.

If you have a router in there somewhere or a DHCP server with the DNS option enabled, that has different scopes, it might be that the DNS option on a scope is incorrect.

So when things like this get really nuts, sometimes it requires looking at things from the bottom up. I have something simple you might try.

1) Am I right in assuming that the servers with two interfaces are members of the parent domain?

2) If so, I'd take a laptop (I know it probably has only one interface) that is a member of the parent domain and connect it to the same switch as the servers giving it a static IP on the same subnet as the servers and configure all other settings the same as the private interface on one of the member servers.

3) login with the same domain account you are using when you tried to connect with the servers and see if you have the same issue.

4) One thing to consider is are your member servers in an OU and your client computers in another? I'm just doing some research on GPOs right now so I'm light in this area and I don't know if different OUs would give different results. You might need to move the laptop into the same OU as the member servers.

5) I remember when we upgraded our domain to 2003 and put in 2003 servers, out of the box, those things are somewhat tight sercurity wise. I wonder if some security setting on the child domain DC is causing the issue.

6) Oh, another grasped straw, what happens if you login to a server with a user account in the child domain and try connecting?

Have fun

Interesting, Bob, I tried logging on as the Administrator account for the child domain to one of the problematic servers, and I cannot browse to any server within the domain whatsoever! This user account allows me access to everything else when logged into it from the child DC. Not sure what that is all about, but its certainly odd.

Thanks for your help!

I may be wrong, but if you logged in a member server in the parent domain with an account from the child domain and the child domain only has 1 DC, then I would assume that if there is nothing in the hosts file of the server indicating #DOM for the child domain, DNS was able to resolve the request and find the DC in the child domain.

Lack of browsing still leads me to believe that there may be some sort of WINS issue.

Do you have WINS servers running on both 2003 DCs in both domains? From my limited experience, I have found that in having DCs with both DNS and WINS works best. Cuts down on network traffic by having them on same server. May increase traffic to that server but overall things generally work well.

Oh and if at all possible, remove all other WINS servers from member servers. I would start there and see what happens.