Failing on Conditional Forwarders

  • Last Post 23 March 2017
Mano posted this 21 March 2017

Hi Experts,
I would like to have your expertise on one of the configurations in Conditional Forwarders.
There is a Conditional Forwarder created as xyz.com (another forest) in the abc.com forest DC.
There are a few more entries: NA.xyz.com, EU.xyz.com and AU.xyz.com. All the conditional forwarders have the same 5 IPs, which are in the 10.x.x.x or 172.x.x.x series.
Is this setup correct?
I am thinking that no request will go to xx.xyz.com if I ping or tracert, because xyz.com already exists.
Please correct me if I am wrong.
Thank you, Sam

johnglenn posted this 22 March 2017

A conditional forwarder will forward queries for the specified domain and all subdomains.  So, the conditional forwarder for xyz.com will also cause queries for na.xyz.com to be forwarded automatically, as well - there is no need to create the lower-level conditional forwarders.
I don't understand your last question regarding tracert.
John Glenn



Mano posted this 22 March 2017


Hi John,
You are right! I am getting no result / error when I nslookup na.xyz.com and so on, even though we have IPs configured. Moreover, xyz.com has about 5 IPs configured as the forwarder in the 10.x.x.x series, but ping, nslookup and tracert are pointing to a public IP, which is 80.x.x.x. Is this a routing issue at the network layer level? Because it is forcefully routing to the public IP.
By the way, those 5 IPs in the 10.x.x.x series are the other forest's DC/DNS server IPs. We have created a cross-forest trust as well.
I will enable d2 in nslookup to see who is providing the result on the other side.
Lastly, I am able to ping those 5 IPs without resolving the NetBIOS name. I do not think that this is what is expected, so please correct me if I am wrong.
Thank you, Sam



ken posted this 22 March 2017

Firstly, check what DNS servers your client is using.

Then, on those DNS servers, check where they are sending the name resolution requests to.

The fact that tracert etc. are going to a public IP shows that name resolution is resolving na.xyz.com -> public IP address, not to the 10.x.x.x address. That might be because of the DNS server you are using (or because it's contacting the wrong authoritative DNS server). It's very unlikely to be a network routing issue; name resolution would need to occur before any routing decision can be made.


Mano posted this 23 March 2017

Hi Ken,
I always try from the DC/DNS server at the root and child domain because these zones are replicated forest-wide. Also na.xyz.com and la.xyz.com are not resolving. I think DNS is pointing to the xyz.com zone even though I have separate zones for na..., la..., and xyz.com is resolving to a public IP, so it fails at the end.
Is there any option for me to trace this traffic without packet capturing?
I think the nslookup d2 says it is from the Internet.
- Sampath



ken posted this 23 March 2017

"I always try from dc/dns server at root and child domain because this zones are replicated forest wide"

That still doesn't answer the first point: what DNS servers is the client using? In this case, the client is your server. Just because the server is running DNS doesn't mean that the server is configured to use itself as a DNS server... right?

Maybe it's something you don't think is worth mentioning. However, it's obvious that something isn't working correctly, so you need to trace through each step of the process, end-to-end, until you find the spot where it's broken/mis-configured.
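The step-by-step trace Ken describes, written up as an added example (not code from any poster): it runs on the DC/DNS server itself, lists the DNS servers the client side is actually using, finds the conditional forwarder zone that covers the name (the xyz.com forwarder also covers na.xyz.com), then queries each forwarder master directly and compares the answer with what the configured server returns. It assumes the Windows DnsClient and DnsServer PowerShell modules; the host name is a constructed placeholder.

```powershell
# Added example: trace the resolution path of a name the way the thread suggests.
# Assumes a Windows DNS server with the DnsClient and DnsServer modules loaded.
# 'host.na.xyz.com' is a constructed name standing in for the thread's domains.
param([string]$Name = 'host.na.xyz.com')

# Step 1: which DNS servers is this client (the DC itself) actually configured to use?
$clientServers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique)
"Client DNS servers: $($clientServers -join ', ')"

# Step 2: find the conditional forwarder zone that covers the name.
# A forwarder for xyz.com also covers na.xyz.com, so take the longest matching suffix.
$fwdZones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' }
$match = $fwdZones |
    Where-Object { $Name -eq $_.ZoneName -or $Name.EndsWith('.' + $_.ZoneName) } |
    Sort-Object { $_.ZoneName.Length } -Descending |
    Select-Object -First 1
if (-not $match) {
    "No conditional forwarder covers $Name; it will follow the server's general forwarders or root hints."
    return
}
$masters = @($match.MasterServers | ForEach-Object { "$_" })
"Forwarder zone '$($match.ZoneName)' masters: $($masters -join ', ')"

# Step 3: ask each master directly (bypassing the local server, its cache and the hosts
# file) and compare with the answer the configured DNS server hands out.
function Get-ARecords([string]$Server) {
    try {
        (Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }).IPAddress
    } catch { "ERROR: $($_.Exception.Message)" }
}
foreach ($m in $masters) { "  master $m -> $((Get-ARecords $m) -join ', ')" }
$local = @(Get-ARecords $clientServers[0])
"Via configured server $($clientServers[0]) -> $($local -join ', ')"

# Private-range answers (RFC 1918) point into the partner forest; a public answer
# means the query never reached the forwarder masters and should be chased on that server.
$privatePattern = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)'
if ($local -and -not ($local | Where-Object { $_ -match $privatePattern })) {
    "Mismatch: configured server returns public addresses; check forwarding and cache on $($clientServers[0])."
}
```

Run it once per DNS server the client uses; a master that answers with 10.x.x.x while the configured server answers with a public address localises the problem to that server's forwarding or cache rather than to routing.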

Mano posted this 23 March 2017

Hi Ken,
Sorry, I missed it.
All the DNS servers are pointing to themselves as primary DNS. I performed it from different DNS servers in a few domains, as it's our multi-domain forest.
Sure, I will try to dig further and thank you very much!
- Sam

