Child domain controller cannot contact parent

paulcc

Hi all,
AD 2003 forest. Three domains, we'll call them
parent.net,
parent_child.parent.net,
child.parent_child.parent.net

child.parent_child.parent.net is a domain that spans many sites (14).
I have added 7 domain controllers to this domain without issue. The
process has been to point the new DC to the forest root DNS server on
another subnet. Have had no problems until now.

I'm attempting to add another DC to the child domain, but when I run
dcpromo it fails because it cannot find the SRV record for
_ldap._tcp.dc._msdcs.parent.net. I have verified this record is present
in the DNS server.

When I run nslookup from the new DC it fails. I ran dcdiag
/test:dcpromo /childdomain /dnsdomain:child.parent_child.parent.net /v
this also failed saying it could not find the domain. I have verified
that DNS is running on the server, and I have verified that Operations
masters are available in each domain.

I'm at a loss as to why it would not work.
It seems to me that the DNS server is not responding to requests only
from this client. No idea why. Is there a way to force the top level
DNS server to accept queries from non-authenticated clients? The zone
in question is a primary AD integrated zone.

Any help is much appreciated! If there are questions that might help
you help me, ask and I will do my best to answer them.


Thanks!
Paul
 
Since nslookup cannot find the domain, it likely leaves one of two problems:
port 53 is blocked, or the client is not pointing to the right DNS server. You should
not have to authenticate for DNS to resolve names.
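As an added example (not from this thread), the following PowerShell check separates the two causes named in the reply when run on the prospective DC: it lists the DNS servers the client is actually configured with, probes each on port 53, and asks each for the DC-locator SRV record that dcpromo needs. It assumes a Windows 8 / Server 2012 or later host (Resolve-DnsName, Test-NetConnection and Get-DnsClientServerAddress are not on Windows 2003) and uses the thread's placeholder forest name.

```powershell
# Added example, not from the thread. Checks, from the prospective DC, whether the
# configured DNS servers are reachable on port 53 and can answer the DC-locator
# SRV query that dcpromo performs. Domain name is the thread's placeholder.
$ForestRoot = 'parent.net'
$Record     = "_ldap._tcp.dc._msdcs.$ForestRoot"

# DNS servers this client is really using (all IPv4 interfaces, de-duplicated).
$Servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique

if (-not $Servers) {
    Write-Warning 'No DNS servers configured on any interface: nothing can resolve the forest root.'
    return
}

foreach ($srv in $Servers) {
    Write-Host "== DNS server $srv"

    # 1) Is TCP 53 reachable? A failure here points at a firewall or routing
    #    problem between the subnets, not at the contents of the zone.
    $tcp = Test-NetConnection -ComputerName $srv -Port 53 -WarningAction SilentlyContinue
    Write-Host ("   TCP 53 reachable : {0}" -f $tcp.TcpTestSucceeded)

    # 2) Can this server answer the SRV query? Resolve-DnsName tries UDP first,
    #    so success here also rules out a UDP-only block that the TCP probe above
    #    cannot see. -DnsOnly skips the local cache and hosts file.
    try {
        $answers = Resolve-DnsName -Name $Record -Type SRV -Server $srv -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
        foreach ($a in $answers) {
            Write-Host ("   SRV -> {0}:{1} (priority {2}, weight {3})" -f $a.NameTarget, $a.Port, $a.Priority, $a.Weight)
        }
        if (-not $answers) { Write-Warning "   $srv answered but returned no SRV records for $Record" }
    } catch {
        # Port 53 reachable but no answer: the client points at a server that does not
        # host or forward for the _msdcs zone. Port 53 unreachable and no answer:
        # port 53 is blocked on the path, or the configured address is wrong.
        Write-Warning ("   Query for $Record failed: {0}" -f $_.Exception.Message)
    }
}
```

On a Windows 2003-era host the same two checks are nslookup -type=SRV against each configured server address, which answers the same question without the cmdlets above.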