Multiple Forest DNS queries, and DFS

Setup:
2 physical servers hosting several virtual machines with 3 forests (domains) and 3 subnets.  The physical server has 4 NICs; each forest/subnet has its own dedicated NIC via a virtual switch (so 1 NIC is unused).  Each NIC connects to a switch to allow workstations and other devices to connect to their proper forest/subnet directly.  These switches then connect to the SonicWall (firewall/router), each on an individual port.  Each port has the proper subnet defined on it.
The 3 forests are named c.com, l.lan, and w.web.  c.com and l.lan use a 10.x.x.x/255.255.0.0 subnet.  w.web uses a 192.168.x.x/255.255.0.0 subnet.  There are no trusts set up.
I can ping from one forest/subnet to the other using IP addresses without issue, so the IP routes are fine.  I can ping via FQDN without issue if I set up a forwarder, conditional forwarder, or stub zone.  Sometimes, using just the forwarder, the FQDN does NOT resolve.  Conditional and stub seem to resolve always.
I can get c.com and w.web to resolve single-name (host name) addresses, but at the moment (transitioning) they are on the same subnet.  From some research, I can use single-name resolution if I set up a GlobalNames zone as well, which I might need to do.
So my question is: which is the best-practice and most reliable way to set up these different forests and subnets to perform DNS resolution?  I tried forwarders, but they weren't always reliable.  I suspected caching as an issue, but after a flush, a FQDN would sometimes resolve and sometimes not.  Conditional and stub seem to work okay, but I'm not sure what's best.
I've spent most of the day researching this, and nothing was ever really definitive, and sometimes even contradictory.  Previously the DNS forwarders worked fine for us, but that was on the same subnet.  Differing subnets seem to break the internal-to-internal forwarding.
Additionally, the w.web domain has a domain-level DFS.  Neither of the other forests can access it via the \\w.web\data address, though they can access it if I point them directly to the server hosting the DFS namespace.

Windows Server doesn't work well with DNS Search Suffixes defined in DHCP scopes from what I read.
http://technet.microsoft.com/en-us/library/dd572752(v=office.13).aspx
Details how to set it up on Windows Server DHCP
http://social.technet.microsoft.com/Forums/en-US/2eed4d4f-8d1b-4989-ac49-d95e08b7d54a/dhcp-dns-suffix-search-list-supported?forum=winserverNIS
Details how Windows Server does not support it though.
http://technet.microsoft.com/en-us/library/bb847901(v=exchg.150).aspx
Details how to use Group Policy to deploy it.
How I fixed this:
1) Open Group Policy for the domain.
2) Edit the "Default Domain Policy" to include DNS Suffix search for current domain and all other domains.
3) Set normal forwarders on domain's DNS servers.
4) Repeat on all domains.
This partially fixed my problem.  Things were resolving more reliably, but there would be a failure once in a while as well.  I corrected this by adding a conditional forwarder along with the normal forwarder.
Now I get full resolution of all items.  Additionally, I do not have to use the FQDN for my machines.  Just hostname resolves just fine.  HOWEVER I would suggest to anyone setting up machines to use FQDN where possible, don't be lazy. 
This means I will not have to setup a GlobalName zone either.  Though I may do it for the experience.
Another problem though is this only works on Windows machines.  Mobile phones (such as Android and iPhone) and other such devices will not know about the DNS suffix search.  Fortunately most of those devices required the internet FQDN for services to work anyway, and when behind the firewall via WiFi or the like, they'll still be able to resolve the internet FQDN of devices since we're using a split-brain DNS for that domain.
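The following is an added example, not part of the original post, that scripts the fix described above on Windows Server DNS and adds the check a practitioner would want. The forest names c.com, l.lan and w.web come from the post; the DNS server addresses, the upstream forwarder 203.0.113.53 and the GPO name are assumptions. Two points it encodes: a plain forwarder hands every query the server is not authoritative for to the upstream resolver, which knows nothing about the private zones, so internal names only resolve while a cached answer is still present (the intermittent behaviour seen with forwarders alone); a conditional forwarder sends the private zone to that forest's own authoritative servers instead. The search list is written to a dedicated GPO rather than the Default Domain Policy.

```powershell
#Requires -Modules DnsServer, GroupPolicy
# Added example (not the original poster's code). Run on a DNS server / DC in
# each forest. Forest names are from the post; DNS server addresses, the
# upstream forwarder and the GPO name are assumptions for illustration.

$Forests = @{
    'c.com' = @('10.1.0.10', '10.1.0.11')   # assumed DNS servers for c.com
    'l.lan' = @('10.2.0.10')                # assumed DNS server for l.lan
    'w.web' = @('192.168.0.10')             # assumed DNS server for w.web
}
$Upstream    = '203.0.113.53'               # assumed internet resolver
$GpoName     = 'DNS Suffix Search List'     # assumed GPO name
$LocalForest = $env:USERDNSDOMAIN.ToLower() # domain this server belongs to

# 1. Conditional forwarders for every *other* forest, stored in AD so all DNS
#    servers in this forest get them. A plain forwarder sends queries for
#    unknown zones to $Upstream, which cannot answer for private zones; the
#    occasional success comes from cached answers, hence the flakiness.
foreach ($zone in ($Forests.Keys | Where-Object { $_ -ne $LocalForest })) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $zone `
            -MasterServers $Forests[$zone] -ReplicationScope 'Forest'
    }
}

# 2. Everything else (internet names) still goes to the general forwarder.
Set-DnsServerForwarder -IPAddress $Upstream -UseRootHint $false

# 3. DNS suffix search list in its own GPO (leave the Default Domain Policy
#    alone). Own forest first so unqualified names prefer local hosts. This is
#    the "DNS Suffix Search List" policy under Computer Configuration >
#    Administrative Templates > Network > DNS Client.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    New-GPO -Name $GpoName | New-GPLink -Target $domainDn | Out-Null
}
$searchList = @($LocalForest) + @($Forests.Keys | Where-Object { $_ -ne $LocalForest } | Sort-Object)
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
    -ValueName 'SearchList' -Type String -Value ($searchList -join ',') | Out-Null

# 4. Verify against the DNS server itself, bypassing the client cache and the
#    LLMNR/NetBIOS fallbacks so a stale cache entry cannot hide a broken path.
#    The zone apex A record is what a DFS client needs to find a DC for a
#    domain-based namespace such as \\w.web\data; the _msdcs SRV record proves
#    the sub-zone is reachable too.
Clear-DnsClientCache
$checks = foreach ($zone in $Forests.Keys) {
    foreach ($q in @(@{ Name = $zone; Type = 'A' },
                     @{ Name = "_ldap._tcp.dc._msdcs.$zone"; Type = 'SRV' })) {
        try {
            $ans = Resolve-DnsName -Name $q.Name -Type $q.Type -DnsOnly -ErrorAction Stop |
                   Where-Object Type -eq $q.Type | Select-Object -First 1
            $value = if ($q.Type -eq 'A') { $ans.IPAddress } else { $ans.NameTarget }
            [pscustomobject]@{ Forest = $zone; Query = $q.Name; Ok = $true;  Answer = $value }
        } catch {
            [pscustomobject]@{ Forest = $zone; Query = $q.Name; Ok = $false; Answer = $_.Exception.Message }
        }
    }
}
$checks | Format-Table -AutoSize
```

The conditional forwarders only work if UDP and TCP 53 are open on the SonicWall between the DNS servers of each forest pair; restrict those rules to the server addresses rather than the whole subnets, since the answers are accepted without any authentication and every host in the forest trusts them.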

Similar Messages

  • Home Hub 3 Firmware update stops DNS queries and m...

    I am getting very poor service after 5 phones about my incident 1403**-******.  The staff cannot understand my problem even though I have explained in clear technical detail.  Basically a firmware update has caused my BT Home Hub 3 to have very slow management web interface and fails to handle DNS queries.  It connects to the Internet Fine.
    The Home Hub has been rebooted and reset many times and no improvement.
    Help BT.

    I have been having DNS problems with two Chromebooks accessing the internet ever since the latest firmware upgrade to my HH3 on 15 March - calls to BT went over their heads, they just blamed it on the Chromebook as no other devices were having problems, despite the fact that I made it clear that the problem only started after the latest upgrade - the muppet dealing with the problem even went as far as to say that BT does not support more than 6 devices connected to the hub at any one time.
    I found that the DNS problem does not affect you if you switch from the HH to BT FON even when you are on your own network.
    I finally got round the problem on the Chromebooks by going into the settings page on the Chromebook, opening the HH3 settings and selecting the option to use 'Google name servers' from the 'Network' tab.
    It has long been an issue for me that the HH3 does not allow me to set my own choice of DNS unless I subscribe to a Dynamic DNS provider from their list - I prefer to use Open DNS to control my network as it allows me to filter out content across the whole network but to do this I would need to replace the HH and that would mean I would lose the Vision service

  • ADFS single sign-on with office 365 and multiple forests

    I have 2 forests with one of them (Forest A) only running Exchange / Office 365 in hybrid mode. The other forest (Forest B) has my AD accounts for everyday user login and work. Is there a way to set up ADFS between these 2 forests in order for Forest B to achieve single sign-on to Office 365? Today users have to log in with separate Office 365 accounts in order to access email and SharePoint. Short of migrating Forest A into Forest B and getting down to one forest / domain, is there anything else we can do to achieve single sign-on?

    Hi,
    Based on my research, we can have one ADFS farm servicing multiple forests, here are some related articles below for your references:
    Multi-forest and Multi-tenant scenarios with Office 365
    http://blogs.technet.com/b/educloud/archive/2013/08/02/multi-forest-and-multi-tenant-scenarios-with-office-365.aspx
    Hybrid Deployment Prerequisites
    http://technet.microsoft.com/en-us/library/hh534377(v=exchg.150).aspx
    SupportMultipleDomain switch, when managing SSO to Office 365
    http://blogs.technet.com/b/abizerh/archive/2013/02/06/supportmultipledomain-switch-when-managing-sso-to-office-365.aspx
    For more information about Office 365, I suggest you refer to Office 365 community below:
    http://community.office365.com/en-us/f/default.aspx
    Best Regards,
    Amy

  • Deleting and or moving multiple adhoc/SAP queries in one go.

    Hi,
    I am wondering whether anyone knows of a method to deleting multiple SAP queries in a single go.  I would also like to be able to bulk move queries from one user group to another.  We are having a wholesale clear-up of queries and the thought of having to do each one individually is scary!
    Many thanks in advance

    To delete queries belonging to a user group, you can use SQ02 - GoTo - Query Directory, then key in the desired user group and execute. From the output list, you can select all queries and click on 'Delete Select Queries'.

  • Multiple Forests SSO with BO Edge 3.1

    I have to setup and configure SSO on a 3.1 Edge with multiple forests. The setup looks like this right now.
    BO Servers (call it BOXIServer) are in one forest (call it BODomain.top.local)
    AD users and groups on another forest (call it UsersDomain.bottom.local)
    My plan is to create 2 service accounts. One service account to integrate the AD and start up SIA (Call it ADServiceSSO) and the Second service account to implement the Vintela (call it VintelaServiceSSO) as I used to do it on the single domain setup.
    The questions are:
    1.     Is it possible to get SSO to work with this type of configuration (I think I read somewhere that "When operating with multiple forests, the users must be created on the domain in which the BOE server resides", which is not what I have here!)?
    2.     Should I create the 2 service accounts on the forest where the BO server is (BODomain.top.local), or where the users and groups are (UsersDomain.bottom.local)?
    3.     How would I formulate the setspn and ktpass commands on this type of configuration?
    Would it be true that I can create the 2 service accounts on the BO server's forest (BODomain.top.local) and the commands would look like this:
    setspn.exe -A BOBJCentralMS/BOXIServer.BODomain.top.local ADServiceSSO
    Ktpass.exe -princ HTTP/[email protected] -mapuser [email protected]
    Or I can create the 2 service accounts on the users and groups forest (UsersDomain.bottom.local) and the commands would look like this:
    setspn.exe -A BOBJCentralMS/BOXIServer.BODomain.top.local [email protected]
    Ktpass.exe -princ HTTP/[email protected] -mapuser [email protected]
    Thank for your help
    Aws

    MF requires a 2-way transitive trust, so with this enabled there is no need to span forests with service accounts. 1 account in the same forest as the BO server is fine and straightforward to configure, although you are free to add more as you like.
    Everything else is dependent on the 2-way trust, as DNS will have certain records for each other forest that will allow the CMS to query remote forest users and MF users to access the CMS resources. Which is what we want.
    The rule on groups is to put MF users in groups from their own forest and then map into BO; adding all users from multiple forests into a single forest group may not work properly in our internal tests.
    The last piece seems to be a Microsoft limitation, but when accessing an SSO URL from a remote forest the FQDN must be used for SPN recognition. When the host name or IP is used, the request for the SPN is sent to the wrong forest and SSO fails.
    Regards,
    Tim

  • Two similar queries and different result.

    Hi! I have a problem. With
        with
        sc as (select * from nc_objects where object_type_id = 9122942307013185081 and project_id = 9062345122013900768),
        cid as (select sccid.value as CIRCUIT_ID, sc.description as DESCRIPTION
                from sc, nc_params sccid
                where sccid.object_id = sc.object_id and sccid.attr_id = 9122948792013185590),
        caloc as (select
                    (select value from nc_params sccid where sccid.object_id = sc.object_id and sccid.attr_id = 9122948792013185590) as CIRCUIT_ID,
                    (select sl.name from nc_objects sl join nc_references scr on sl.object_id = scr.reference
                     where scr.attr_id = 3090562190013347600 and scr.object_id = sc.object_id) as ALOCATION
                  from sc),
        cbloc as (select
                    (select value from nc_params sccid where sccid.object_id = sc.object_id and sccid.attr_id = 9122948792013185590) as CIRCUIT_ID,
                    (select sl.name from nc_objects sl join nc_references scr on sl.object_id = scr.reference
                     where scr.attr_id = 3090562190013347601 and scr.object_id = sc.object_id) as BLOCATION
                  from sc)
        select cid.CIRCUIT_ID, cid.DESCRIPTION, ALOCATION, BLOCATION
        from cid
        join caloc on cid.CIRCUIT_ID = caloc.CIRCUIT_ID and ALOCATION is not null
        join cbloc on cid.CIRCUIT_ID = cbloc.CIRCUIT_ID and BLOCATION is not null
    it returns and all's ok!
        ID    DESC    ALOC   BLOC
        101   TEST1   AHAS   AGUS
        102   TEST2   AKRE   AMJY
        103   TEST3   AMJS   ASSE
        109   TEST9   BAIA   AKIB
        5     (null)  WELA   AGUS
    We have "sc as (select * from nc_objects where object_type_id = 9122942307013185081 and project_id=9062345122013900768)"
    and identical subquery on caloc and cbloc
    "select value from nc_params sccid where sccid.object_id = sc.object_id and sccid.attr_id = 9122948792013185590"
    If I change the query to
        with
        sc as (select * from nc_objects where object_type_id = 9122942307013185081 and project_id = 9062345122013900768),
        cid as (select sccid.value as CIRCUIT_ID, sc.description as DESCRIPTION
                from sc, nc_params sccid
                where sccid.object_id = sc.object_id and sccid.attr_id = 9122948792013185590),
        caloc as (select
                    (select CIRCUIT_ID from cid) as CIRCUIT_ID,
                    (select sl.name from nc_objects sl join nc_references scr on sl.object_id = scr.reference
                     where scr.attr_id = 3090562190013347600 and scr.object_id = sc.object_id) as ALOCATION
                  from sc),
        cbloc as (select
                    (select value from nc_params sccid where sccid.object_id = sc.object_id and sccid.attr_id = 9122948792013185590) as CIRCUIT_ID,
                    (select sl.name from nc_objects sl join nc_references scr on sl.object_id = scr.reference
                     where scr.attr_id = 3090562190013347601 and scr.object_id = sc.object_id) as BLOCATION
                  from sc)
        select cid.CIRCUIT_ID, cid.DESCRIPTION, ALOCATION, BLOCATION
        from cid
        join caloc on cid.CIRCUIT_ID = caloc.CIRCUIT_ID and ALOCATION is not null
        join cbloc on cid.CIRCUIT_ID = cbloc.CIRCUIT_ID and BLOCATION is not null
    the query result will be:
        ORA-01427: single-row subquery returns more than one row
        01427. 00000 - "single-row subquery returns more than one row"
        Cause:
        Action:
    Can you explain why so ?

    Hi,
    Welcome to the forum!
    Whenever you post code, format it to show the extent of sub-queries, and the clauses in each one.
    Type these 6 characters: {code} (all small letters, inside curly brackets) before and after each section of formatted text; if you don't, this site will compress the spaces.
    It also helps if you reduce your query as much as possible.  For example, I think you're only asking about the sub-query called caloc, so just post caloc as if that were the entire query:
        select  ( select CIRCUIT_ID
                  from cid
                )                as CIRCUIT_ID,
                ( select sl.name
                  from nc_objects    sl
                  join nc_references scr on sl.object_id = scr.reference
                  where scr.attr_id  = 3090562190013347600
                  and scr.object_id  = sc.object_id
                )                as ALOCATION
        from sc
    This makes it much clearer that the query will produce 2 columns, called circuit_id and alocation.
    Compare the query above with the query below:
        SELECT  object_id,
                'Okay'
        FROM    sc
    The basic structure is the same: both queries produce two columns, and both queries produce one row of output for every row that is in the sc table.
    The only difference is the two items in the SELECT clause.
    The second query has a column from the table as its first column, and a literal for its second column; those are just two of the kinds of things you can have in a SELECT clause.  Another thing you can have there is a Scalar Sub-Query, a complete query enclosed in parentheses that produces exactly one column and at most one row.   If a scalar sub-query produces more than one row, then you get the run-time error: "ORA-01427: single-row subquery returns more than one row", as you did.
    A scalar sub-query always takes the place of a single value: "scalar" means "having only one value".  In the first example above, the main query is supposed to produce one row of output for every row in sc.  How can it do that if some of the columns themselves contain multiple rows?
    I don't know what your tables are like, or what output you want to get from those tables.
    If you'd like help getting certain results from your tables, then post CREATE TABLE and INSERT statements for a little sample data, and the results you want to get from that sample data.  A scalar sub-query may help getting those results, or it may not.

  • DNS disaster and how can stop it for future

    Hi
    Last week, I found lots of static records were deleted automatically from the DNS server console, which caused lots of P1s in my environment.
    I found some of the below events before the time when the issue occurred.
    I want to know why DNS host records were randomly deleted automatically. I even opened a case with MS but could not get anything from MS about why this happened.
    Finally we restored the DNS zones from the backup tool and after restoring everything was working fine.
    please see some below events:
    =================
    Log Name:      Directory Service
    Source:        NTDS ISAM
    Date:          12/29/2013 12:01:00 AM
    Event ID:      2001
    Task Category: (16)
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      DC101.prise.med.org
    Description:
    NTDS (528) NTDSA: Shadow copy instance 31 freeze started.
    =
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          12/29/2013 12:05:22 AM
    Event ID:      2094
    Task Category: Replication
    Level:         Warning
    Keywords:      Classic
    User:          ANONYMOUS LOGON
    Computer:      DC101.prise.med.org
    Description:
    Performance warning: replication was delayed while applying changes to the following object. If this message occurs frequently, it indicates that the replication is occurring slowly and that the server may have difficulty keeping up with changes.
    Object DN: CN=1 All Workstations_resultset_0_0\0ADEL:b6a014b6-ef00-459b-ae1e-f948bb38af2f,CN=Deleted Objects,DC=prise,DC=med,DC=org
    Object GUID: b6a014b6-ef00-459b-ae1e-f948bb38af2f
    Partition DN: DC=prise,DC=med,DC=org
    Server: 1cdbccca-a84c-4095-ba55-1504137ef9c5._msdcs.med.org
    Elapsed Time (secs): 17
    User Action
    A common reason for seeing this delay is that this object is especially large, either in the size of its values, or in the number of values. You should first consider whether the application can be changed to reduce the amount of data stored on the object,
    or the number of values.  If this is a large group or distribution list, you might consider raising the forest functional level to Windows Server 2003 or greater, since this will enable replication to work more efficiently. You should evaluate whether
    the server platform provides sufficient performance in terms of memory and processing power. Finally, you may want to consider tuning the Active Directory Domain Services database by moving the database and logs to separate disk partitions.
    If you wish to change the warning limit, the registry key is included below. A value of zero will disable the check.
    Additional Data
    Warning Limit (secs): 10
    Limit Registry Key: System\CurrentControlSet\Services\NTDS\Parameters\Replicator maximum wait for update object (secs)
    =======
    Log Name:      Directory Service
    Source:        NTDS ISAM
    Date:          12/29/2013 12:36:03 AM
    Event ID:      510
    Task Category: Performance
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      DC101.prise.med.org
    Description:
    NTDS (528) NTDSA: A request to write to the file "D:\Windows\NTDS\ntds.dit" at offset 1731624960 (0x0000000067368000) for 8192 (0x00002000) bytes succeeded, but took an abnormally long time (62 seconds) to be serviced by the OS. In addition, 6 other
    I/O requests to this file have also taken an abnormally long time to be serviced since the last message regarding this problem was posted 160409 seconds ago. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance
    diagnosing the problem.
    ====
    Log Name:      Directory Service
    Source:        NTDS ISAM
    Date:          12/31/2013 12:57:49 AM
    Event ID:      509
    Task Category: Performance
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      DC101.prise.med.org
    Description:
    NTDS (528) NTDSA: A request to read from the file "D:\Windows\NTDS\ntds.dit" at offset 967688192 (0x0000000039adc000) for 16384 (0x00004000) bytes succeeded, but took an abnormally long time (107 seconds) to be serviced by the OS. In addition, 7 other
    I/O requests to this file have also taken an abnormally long time to be serviced since the last message regarding this problem was posted 1328 seconds ago. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance
    diagnosing the problem.
    =
    Log Name:      Directory Service
    Source:        NTDS ISAM
    Date:          12/31/2013 12:59:14 AM
    Event ID:      510
    Task Category: Performance
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      DC101.prise.med.org
    Description:
    NTDS (528) NTDSA: A request to write to the file "D:\Windows\NTDS\ntds.dit" at offset 978018304 (0x000000003a4b6000) for 8192 (0x00002000) bytes succeeded, but took an abnormally long time (84 seconds) to be serviced by the OS. In addition, 148 other
    I/O requests to this file have also taken an abnormally long time to be serviced since the last message regarding this problem was posted 84 seconds ago. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance
    diagnosing the problem.
    ==
    Log Name:      File Replication Service
    Source:        NtFrs
    Date:          12/30/2013 7:08:20 AM
    Event ID:      13508
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      DC101.prise.med.org
    Description:
    The File Replication Service is having trouble enabling replication from  DC110 to DC101 for d:\windows\sysvol\domain using the DNS name DC110.prise.med.org. FRS will keep retrying.
     Following are some of the reasons you would see this warning.
     [1] FRS can not correctly resolve the DNS name SHINFRPEMDC110.prise.med.org from this computer.
     [2] FRS is not running on  MDC110.prise.med.org.
     [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
     This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

    Did you ever run dnscmd /ageallrecords, if yes, it will enable aging & scavenging on the static records too by setting the timestamps value on it. I would also suggest to review the below two article.
    http://blogs.technet.com/b/askpfeplat/archive/2013/10/12/who-moved-the-dns-cheese-auditing-for-ad-integrated-dns-zone-and-record-deletions.aspx
    http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx
    Awinish Vishwakarma - MVP
    My Blog: awinish.wordpress.com
    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.
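An added example, not part of the thread above, that does the two things the answer points at before touching scavenging: it shows which records are actually exposed (static records carry no timestamp and are never scavenged until something like dnscmd /ageallrecords stamps them, after which they are treated like dynamic ones), takes a plain-text backup of each zone, and turns on the audit subcategory that record deletions in AD-integrated zones are logged under. The output path is an assumption; zones and records are read from the server. Setting the SACL on the zone's MicrosoftDNS container, which the first linked article covers, is still needed for the deletion events to appear.

```powershell
#Requires -Modules DnsServer
# Added example (not from the original thread). Run on a Windows DNS server
# before enabling or changing scavenging. The report path is an assumption;
# zones and records are read from the server.

$Report = 'C:\Temp\dns-scavenging-audit.csv'   # assumed output path
New-Item -ItemType Directory -Path (Split-Path $Report) -Force | Out-Null

# Server-level switch: nothing is ever deleted unless this is enabled on at
# least one server AND the zone itself has aging enabled.
$srv = Get-DnsServerScavenging
"Server scavenging: State={0} Interval={1} LastRun={2}" -f $srv.ScavengingState, $srv.ScavengingInterval, $srv.LastScavengeTime

$zones = Get-DnsServerZone | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone
}

$rows = foreach ($zone in $zones) {
    $aging   = Get-DnsServerZoneAging -Name $zone.ZoneName
    $records = Get-DnsServerResourceRecord -ZoneName $zone.ZoneName |
               Where-Object { $_.RecordType -in 'A', 'AAAA', 'CNAME', 'SRV' }

    # Static records have no timestamp and are skipped by scavenging. Running
    # "dnscmd /ageallrecords" stamps every record, turning static entries into
    # scavengeable ones; the counts below show how much of the zone that would expose.
    $static  = @($records | Where-Object { -not $_.Timestamp })
    $dynamic = @($records | Where-Object { $_.Timestamp })

    # A dynamic record is deleted on the next scavenging run once
    # Timestamp + NoRefreshInterval + RefreshInterval is in the past.
    $cutoff  = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
    $due     = @($dynamic | Where-Object { $_.Timestamp -lt $cutoff })

    # Plain-text backup (written to %SystemRoot%\System32\dns on the server),
    # so a bad run can be undone without a full AD restore.
    Export-DnsServerZone -Name $zone.ZoneName -FileName "$($zone.ZoneName).pre-scavenge.dns"

    [pscustomobject]@{
        Zone           = $zone.ZoneName
        AgingEnabled   = $aging.AgingEnabled
        NoRefresh      = $aging.NoRefreshInterval
        Refresh        = $aging.RefreshInterval
        Static         = $static.Count
        Dynamic        = $dynamic.Count
        DueForDeletion = $due.Count
        DueSample      = ($due | Select-Object -First 5 -ExpandProperty HostName) -join ','
    }
}

$rows | Format-Table -AutoSize
$rows | Export-Csv -Path $Report -NoTypeInformation

# Deletions of AD-integrated records show up as event 5141 in the Security
# log only when Directory Service Changes auditing is on and the zone's
# MicrosoftDNS container carries a SACL for Delete; this enables the first part.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
```

Run it again after scavenging has been on for one full NoRefresh + Refresh cycle: a DueForDeletion count that keeps growing for a zone means clients are not refreshing their registrations (typically a DHCP or dynamic-update permission problem), and that zone will lose records on the next pass.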

  • How can I disable DNS queries in Firefox (when using a proxy) ?

    I am behind a "Chinese wall" and use an HTTP proxy to tunnel and encrypt my data traffic.
    Unfortunately, Firefox still sends DNS queries for the websites, that I visit and reveals more information than I want.
    Is there a way to disable DNS, when I use an HTTP/S proxy ?
    My current workaround is to set a firewall rule for outbound DNS traffic of Firefox. But not all users are able to configure their firewall.

    That is done via an onbeforeunload or onunload event that displays a JavaScript alert.
    *https://developer.mozilla.org/en/DOM/window.onbeforeunload
    *https://developer.mozilla.org/en/DOM/window.onunload
    You can try to search for a Greasemonkey script to reset and block such events.
    *http://www.greasespot.net/ - Greasemonkey
    *http://wiki.greasespot.net/Main_Page - GreaseSpot

  • Applications sending ipv6 dns queries, but ipv6 is disabled

    Hi,
    I had some problems with dns lookups a long time ago and so I followed every hint I could find here in the forums and the wiki, like disabling ipv6, installing dnsmasq, and so on. Firefox and other typical internet applications worked like a charm after that.
    Pacman instead took a long time to lookup the ip for the chosen mirror url, but I didn't bother to look deeper into this issue, until now.
    Wireshark revealed that the dns query that is sent by pacman (and some other console applications like w3m, wget, but not lynx ...) is an AAAA query for an ipv6 address. In spite of ipv6 being disabled.
    Additionally my router (which is added in /etc/resolv.conf) ignores the query, it times out, and after 5 seconds, the AAAA query is sent again.
    This happens 4 times and then a query for the A record is sent which is answered promptly.
    (A simple "w3m google.com" takes up to 1min 20sec with all the lookups following the 301 and 302 answers...)
    Well, a workaround for this is obvious. I could use a nameserver that answers the AAAA query, which I already tried with the opendns server.
    But the question that I have is: Why are some applications sending dns queries for ipv6 addresses although ipv6 is disabled?
    Regards,
    Marc


  • LDAP Synchronisation with CUCM with multiple forest

    Hello,
    We have CUCM 10.5.
    We want to add in CUCM multiple forest (we have multiple company with different domain name) using LDAP authentification so all the user/password sync with CUCM.
    We have as distinguished name CN=xxxx,CN=Users,DC=xxx,DC=local and for search base CN=xxxx,CN=Users,DC=xxx,DC=local.
    Can we add in the distinguished name and search base the information for multiple forest using the same username/password?
    If it not possible is there an easy way to achieve that?
Any help would be appreciated.
    Thank you

    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/directry.html#pgfId-1133454

  • People Picker search order with multiple forest domains

I have a customer with a multiple-forest domain environment. The problem is that all users from one domain are synced to the resource domain (Domain A) where SharePoint is installed.
The People Picker now finds the user first in Domain A, where SharePoint is installed. My solution is to specify the search order in People Picker so that all users in Domain B are returned first, and Domain A is returned only if nothing is found there.
All SharePoint servers have network access to the other domains, and a two-way trust is configured.
    Any Solution for that?
    Thanks for your feedback!
    P.

    Regardless of search order, you would get both results returned. Have you tried using the UserAccountDirectoryPath property on the Site Collection to specify DC=domainB,DC=com?
    Trevor Seward
Nice to know that I can set it up per site collection. But it does not work in my case: it indeed returned users from Domain B, but Domain A, C, D and F (examples) are excluded from People Picker.

  • Some CNAME DNS queries fail after latest 10.6.5 update

Right after rebooting from the latest Mac OS X update I noticed some DNS queries are failing. These happen to be DNS queries for CNAME records. Other computers in the same network are not affected by this problem, including Macs to which the update was not yet installed.
    Here are the simple diagnostic steps:
    snowboard:~ pmsjt$ nslookup imap.texair.net.
    Server: 192.168.0.14
    Address: 192.168.0.14#53
    imap.texair.net canonical name = taz.warner.local.
    Name: taz.warner.local
    Address: 192.168.0.12
    snowboard:~ pmsjt$ ping imap.texair.net
    ping: cannot resolve imap.texair.net: Unknown host
    snowboard:~ pmsjt$
    snowboard:~ pmsjt$ ping taz.warner.local
    PING taz.warner.local (192.168.0.12): 56 data bytes
    64 bytes from 192.168.0.12: icmp_seq=0 ttl=64 time=2.818 ms
    64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=2.211 ms
    64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=1.425 ms
    64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=2.242 ms
    64 bytes from 192.168.0.12: icmp_seq=4 ttl=64 time=4.882 ms
    64 bytes from 192.168.0.12: icmp_seq=5 ttl=64 time=3.190 ms
    ^C
    --- taz.warner.local ping statistics ---
    6 packets transmitted, 6 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 1.425/2.795/4.882/1.083 ms
    snowboard:~ pmsjt$

    Just as a sanity check, the second portion of the clause from the KB article doesn't apply in your situation, does it?
    Additionally, Mac OS X v10.6 automatically detects when the local network operator has set up a name server that will answer name requests for a domain ending in ".local". It does this by checking to see if there is a Start Of Authority (SOA) record for the top level domain "local", which is how a DNS server indicates that it claims to have authority over a part of the DNS namespace. As long as the DNS server is properly configured with the required SOA record, Mac OS X v10.6 will detect this SOA record and automatically use this server to look up all host names in the domain.
    Also, if you have time, you might want to check what mDNSResponder is actually doing by enabling logging; the man page describes the process in more detail:
    LOGGING
    There are several methods with which to examine mDNSResponder's internal state for debugging and
    diagnostic purposes. The syslog(1) logging levels map as follows:
    Error - Error messages
    Warning - Client-initiated operations
    Notice - Sleep proxy operations
    Info - Informational messages
    By default, only log level Error is logged.
    A SIGUSR1 signal toggles additional logging, with Warning and Notice enabled by default:
    % sudo killall -USR1 mDNSResponder
    Once this logging is enabled, users can additionally use syslog(1) to change the log filter for the
    process. For example, to enable log levels Emergency - Debug:
    % sudo syslog -c mDNSResponder -d
    A SIGUSR2 signal toggles packet logging:
    % sudo killall -USR2 mDNSResponder
    A SIGINFO signal will dump a snapshot summary of the internal state to /var/log/system.log:
    % sudo killall -INFO mDNSResponder
http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/mDNSResponder.8.html
    I suspect in this case packet logging might be most informative.
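Both of the DNS threads above come down to what is actually on the wire: Marc's capture showed the stub resolver asking for AAAA before A, and the Mac thread shows a CNAME whose target is under "local", the domain the KB text quoted above says 10.6 hands to mDNSResponder unless the unicast server publishes an SOA for "local". The following is an added example, not code from either post or from Apple: a small RFC 1035 wire-format encoder/decoder that reports the record type a query asks for and follows a CNAME chain in a response, flagging any name under "local". All packets are constructed by hand from the names and addresses in the nslookup output; nothing is captured from a network, and the transaction ID, TTL and flag values are arbitrary.

```python
"""Decode DNS wire-format messages offline, as Wireshark would show them.

Added example; not from the posts above. Packets are constructed here from
the names in the thread (google.com, imap.texair.net -> taz.warner.local),
with arbitrary IDs, TTLs and flags.
"""
import struct

TYPE_NAMES = {1: "A", 5: "CNAME", 6: "SOA", 28: "AAAA"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg, offset):
    """Decode a name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appears in place)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:                              # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def build_query(name, qtype, txid=0x1234):
    """Standard recursive query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, records):
    """Answer a query with (owner, rtype, value) records. An owner equal to the
    question name is written as a pointer to offset 12, as real servers do."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, _ = read_name(query, 12)
    body = query[12:]
    for owner, rtype, value in records:
        body += b"\xC0\x0C" if owner == qname else encode_name(owner)
        if rtype == 1:
            rdata = bytes(int(x) for x in value.split("."))
        elif rtype == 5:
            rdata = encode_name(value)
        else:
            raise ValueError("only A and CNAME records are built here")
        body += struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0) + body


def parse_message(msg):
    """Return the question and answer sections as plain Python values."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, TYPE_NAMES.get(qtype, str(qtype))))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:
            value, _ = read_name(msg, off)                # may be compressed
        elif rtype == 1:
            value = ".".join(str(b) for b in msg[off:off + rdlen])
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), value))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def cname_chain(parsed):
    """Follow CNAMEs from the question name; also return the names under
    'local', which the 10.6 resolver may send to multicast DNS instead."""
    cnames = {o: v for o, t, v in parsed["answers"] if t == "CNAME"}
    name, chain = parsed["questions"][0][0], []
    while name not in chain:                              # stop on loops
        chain.append(name)
        if name not in cnames:
            break
        name = cnames[name]
    return chain, [n for n in chain if n.lower().endswith(".local.")]


# Constructed packets mirroring the two threads above.
QUERY_AAAA = build_query("google.com", 28)
QUERY_A = build_query("imap.texair.net", 1)
RESPONSE = build_response(QUERY_A, [("imap.texair.net.", 5, "taz.warner.local."),
                                    ("taz.warner.local.", 1, "192.168.0.12")])

if __name__ == "__main__":
    print(parse_message(QUERY_AAAA)["questions"])
    chain, dotlocal = cname_chain(parse_message(RESPONSE))
    print("chain:", " -> ".join(chain), "| names under local:", dotlocal)
```

Run it on bytes pulled out of a capture (Wireshark's "Export Packet Bytes" on the DNS payload) instead of the constructed packets to see the same two facts without a GUI. Note that the decoder only tells you what the server answered; whether the Mac then resolves the CNAME target itself depends on the SOA check the KB describes, which is a separate unicast query for "local".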

  • [SCOM Forest] -- Certificate -- [Gateway Servers Forest] -- Trust Relationship -- [Multiple Forests]

    Hello, and sorry for this strange title, i couldn't find a simple way to write my question.
    - I want to use agent monitoring from my SCOM 2012 SP1 management servers
    to servers in multiple forests.
    - I don't want to set two-way trust between my scom forest and the monitored forests.
    - I would prefer not to install 2 gateway servers in each forest.
So would it be possible to create an intermediate forest for my gateway servers, use certificate authentication between management and gateway servers, and use a two-way trust between this intermediate forest and the forests to monitor?
    [SCOM Forest]<-- Certificate --> [Gateway Servers Forest] <-- Trust Relationship --> [Multiple Forests]
    Do you think this would work ?

Hello,
did your approach work? I'm in a similar situation; can you share the results?

• Can't do traceroute or DNS queries within a non-global zone.

    I'll start by outlining my servers and their roles
    they are all on the same network, behind the same gateway, plugged into the same switch.
    secure1 = a freebsd server running bind. It's a recursive DNS server. works perfectly.
    secure2 = a solaris 10 server.
    zone1 = a zone that was setup before i inherited this env.
    zone2 = a zone i tried to create, and it mostly worked.
    The problem:
    From zone2 I cannot do DNS queries. And traceroutes past the gateway don't work. At first I suspected the firewall, but everything that doesn't work on zone2, works fine on zone 1.
    What does work on zone2
    I can ssh into it
    I can ssh out of it
    I can ping it
    I can ping from it
I can traceroute from it to secure1
    I can ssh to other hosts out on the internet.
    What doesn't work
    I can't do any DNS queries, whether the DNS server is inside of my network or outside of it.
I can't traceroute past my gateway, though I can from zone1.
    Finally here's what happens when I do a dns query
    zone2# /usr/sbin/host google.com 66.48.78.91
    ;; connection timed out; no servers could be reached
    Oh, I diffed the zone1.xml and zone2.xml files in /etc/zones and except for things like ip addresses they are the same.
Any suggestions would be much appreciated. Thanks folks.

    ifconfig -a and netstat -rn from the zone that isn't working properly would help.
    Off the top of my head, my guess is that your default route isn't valid for zone 2.

  • Logging DNS queries

    Is there a way to log all DNS queries going to a Novell DNS server?
    The reason I ask is we're about to transition our DNS & DHCP services off of Novell and over to an appliance-based solution from Infoblox.
    There are five main steps to our transition:
    Transfer DNS zone data to Infoblox grid
    Reconfigure Novell DNS servers to be Cache-Only servers (have them forward all queries to Infoblox)
    Reconfigure DHCP options to use Infoblox DNS servers
    Reconfigure devices with static IPs to use Infoblox DNS servers
    Decommission Novell DNS servers
    The tricky part is #4: our environment has numerous sites and thousands of devices, and I feel that telling my network techs to check everything isn't practical or reasonable.
    If there's a way to log the DNS activity going to the old servers it'll give my techs something definitive to work with.
    Any suggestions?

    Most of them are NetWare 6.5 SP8, a few are OES 2 Linux.
    >>> Simon Flood<[email protected]> 2/19/2013 12:26 PM >>>
    On 19/02/2013 13:21, Wallace Marks wrote:
    > Is there a way to log all DNS queries going to a Novell DNS server?
    > The reason I ask is we're about to transition our DNS & DHCP services
    > off of Novell and over to an appliance-based solution from Infoblox.
    > There are five main steps to our transition:
    >
    > 1. Transfer DNS zone data to Infoblox grid
    > 2. Reconfigure Novell DNS servers to be Cache-Only servers (have them
    > forward all queries to Infoblox)
    > 3. Reconfigure DHCP options to use Infoblox DNS servers
    > 4. Reconfigure devices with static IPs to use Infoblox DNS servers
    > 5. Decommission Novell DNS servers
    >
    > The tricky part is #4: our environment has numerous sites and thousands
    > of devices, and I feel that telling my network techs to check everything
    > isn't practical or reasonable.
    > If there's a way to log the DNS activity going to the old servers it'll
    > give my techs something definitive to work with.
    > Any suggestions?
    Are your Novell DNS servers running NetWare or OES (Linux)?
    HTH.
    Simon
    Novell/SUSE/NetIQ Knowledge Partner
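Once query logging is on, the useful output for step 4 is not the raw log but a per-site list of client addresses that are still asking the old servers. The following is an added example, not from the thread or from Novell: a script that parses a BIND-style query log (one "client IP#port: query: name class type" entry per lookup, as BIND's `rndc querylog` produces; the exact line format Novell's named writes on NetWare or OES is not stated in the thread, so `LOG_RE` is an assumption to adjust), drops the addresses you expect to keep querying (the old servers themselves, which forward to each other and to the new grid), and groups what is left by /24 so each site's techs get their own list. The log lines are constructed for the example.

```python
"""List devices still sending queries to the old DNS servers.

Added example, not from the thread. Assumes a BIND-style query log; the
sample lines below are constructed, not captured from a real server.
"""
import ipaddress
import re
import sys
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:queries: info: )?client (?:@0x[0-9a-f]+ )?"  # newer BIND adds @0x.. and (qname)
    r"(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")

SAMPLE_LOG = """\
19-Feb-2013 13:21:05.101 client 10.20.30.40#54321: query: www.example.com IN A +
19-Feb-2013 13:21:06.220 client 10.20.30.40#54322: query: mail.example.com IN MX +
19-Feb-2013 13:22:15.007 client 10.20.31.7#1025: query: fileserver.example.com IN A +
19-Feb-2013 13:25:40.900 client 10.20.30.40#54330: query: www.example.com IN AAAA +
19-Feb-2013 13:30:01.500 client 10.20.30.2#53: query: ldap.example.com IN SRV +
19-Feb-2013 13:31:12.300 queries: info: client @0x7f3c 10.50.1.9#49152 (printer.example.com): query: printer.example.com IN A + (10.20.30.2)
19-Feb-2013 13:31:13.000 zone example.com/IN: sending notifies (serial 2013021901)
"""


def parse_query_log(text):
    """Return (timestamp, client ip, qname, qtype) for each query entry."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                     # not a query entry (notifies, xfers, ...)
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        records.append((ts, str(ipaddress.ip_address(m["ip"])), m["qname"], m["qtype"]))
    return records


def summarize_clients(records, exclude=()):
    """Per client: query count, first/last seen and record types queried.
    'exclude' lists addresses expected to keep querying (the old servers)."""
    excluded = {str(ipaddress.ip_address(a)) for a in exclude}
    clients = {}
    for ts, ip, _qname, qtype in records:
        if ip in excluded:
            continue
        c = clients.setdefault(ip, {"count": 0, "first": ts, "last": ts, "qtypes": set()})
        c["count"] += 1
        c["first"], c["last"] = min(c["first"], ts), max(c["last"], ts)
        c["qtypes"].add(qtype)
    return clients


def by_subnet(clients, prefix=24):
    """Group client addresses by subnet so each site gets its own list."""
    nets = defaultdict(list)
    for ip in clients:
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))].append(ip)
    return {net: sorted(ips, key=ipaddress.ip_address) for net, ips in nets.items()}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    clients = summarize_clients(parse_query_log(text), exclude=["10.20.30.2"])
    for net, ips in sorted(by_subnet(clients).items()):
        print(net)
        for ip in ips:
            c = clients[ip]
            print(f"  {ip:<16} {c['count']:>5} queries  last seen {c['last']:%Y-%m-%d %H:%M}")
```

Run it as `python3 old_dns_clients.py /var/log/named-query.log` (path is whatever your query log is). Leave logging on for at least one full business cycle before trusting the list: a device with a static address that only resolves a name once a month will not show up in a day's log, and a client that appears only with AAAA or PTR queries is still a client that needs its resolver changed.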
