DNS resolution
Hi. I have a question about a simple DNS scenario. I have an Active Directory-integrated zone local.example.com with forwarding to a Linux DNS zone example.com, which does DNS resolution to the internet. The client computer (FQDN xp.local.example.com) is joined to the domain local.example.com and its DNS server is DNS.local.example.com. No DNS suffix list is specified on the workstation. The Windows server (server.example.com) is not joined to the Active Directory domain and its A record is located on the Linux DNS server, DNS.example.com. When I start nslookup (name server dns.local.example.com) on xp.local.example.com and query for the record server, I get a non-authoritative answer from DNS.example.com. That's OK, forwarding works. But why can't I ping the host record server from the xp workstation, when I can ping server.example.com?
May 21st, 2012 9:08am

From the XP machine, if you tried ping server, that would fail, because how do you expect the DNS server in your domain to resolve this query? It would be the same thing if you typed ping Google. Since your DNS server cannot find a record for "server", it cannot resolve the name to an IP. However, when you query server.example.com, your DNS server knows that the record should be located on the DNS server that hosts the example.com zone. Without fully qualifying the name, your DNS server doesn't know what to do with the record. You could configure your XP client to send two queries for records that you do not fully qualify: in the TCP/IP properties, DNS tab, you can add additional suffixes. If you add additional suffixes, your client will send requests to DNS for each domain. For example, in the case of ping server, if you specified both local.example.com and example.com, your XP client will send two queries. Alternatively, since these two domains are in a parent/child structure, you could also enable the option to search in the parent domain. Either will work, but it is always best to fully qualify your queries.
Guides and tutorials, visit ITGeared.com.
May 21st, 2012 10:48am

I agree. OK, so if I query server to DNS.local.example.com and no suffix list is specified, the default suffix is added (local.example.com) based on domain membership, right? So the query will look like I'm asking for server.local.example.com. This record is not located on my primary DNS server (dns.local.example.com), so the query is forwarded to the DNS.example.com Linux DNS server. If I'm right, what does the query look like? Server or server.example.com? Here is the A record located. So why does nslookup work but ping won't, when name resolution is working?
May 21st, 2012 2:46pm

"Ok, so if I query server to DNS.local.example.com and no suffix list is specified, the default suffix is added (local.example.com) based on domain membership, right?"

Correct.

"This record is not located on my primary DNS server (dns.local.example.com), so the query is forwarded to the DNS.example.com Linux DNS server."

Incorrect. If your workstation sends a query for server.local.example.com to your DNS server (dns.local.example.com), and that server stores the local.example.com zone, then if it doesn't find a record it will return NXDOMAIN, which means it could not resolve the name. Your DNS server will NOT forward any requests to another DNS server if it receives a request for a record in a zone that it is authoritative for. If it doesn't have the answer and it owns the zone, it is not going to forward it.

"Here is the A record located. So why does nslookup work but ping won't, when name resolution is working?"

Can you re-phrase that? In any case, keep in mind that when you open NSLOOKUP from a command prompt, you are talking directly to the DNS server. The response comes from the DNS server. If you use PING, your local computer is going to go through a complete name resolution process: checking its HOSTS file, DNS, broadcasts, LMHOSTS, WINS, etc.
Guides and tutorials, visit ITGeared.com.
May 21st, 2012 3:25pm

"This record is not located on my primary DNS server (dns.local.example.com), so the query is forwarded to the DNS.example.com Linux DNS server. Incorrect. If your workstation sends a query for server.local.example.com to your DNS server (dns.local.example.com), and that server stores the local.example.com zone, then if it doesn't find a record it will return NXDOMAIN, which means it could not resolve the name. Your DNS server will NOT forward any requests to another DNS server if it receives a request for a record in a zone that it is authoritative for. If it doesn't have the answer and it owns the zone, it is not going to forward it."

OK. So if I query a simple hostname (not FQDN) and no suffix list is specified on the workstation (the default domain suffix is added), the record will try to be resolved only on the primary DNS (dns.local.example.com) because there is just one zone specified, local.example.com, right? The answer is NXDOMAIN. The query is just forwarded if the DNS server has no zone for the specific record, right? So the only chance to resolve the server record is to add the suffix list example.com on the client workstation or to make a secondary zone example.com on the DNS server dns.local.example.com?

"Here is the A record located. So why does nslookup work but ping won't, when name resolution is working? Can you re-phrase that? In any case, keep in mind that when you open NSLOOKUP from a command prompt, you are talking directly to the DNS server. The response comes from the DNS server. If you use PING, your local computer is going to go through a complete name resolution process: checking its HOSTS file, DNS, broadcasts, LMHOSTS, WINS, etc."

The client workstation has only one DNS server specified: dns.local.example.com. If I run nslookup and ask directly the same name server (dns.local.example.com) as specified on the network adapter for the A record server, a non-authoritative answer from the Linux DNS dns.local.com is received with the IP address of the host server; the A record for hostname server is located on dns.example.com.
No record in the hosts file, DNS cache... So why can't I ping hostname server when nslookup will return the IP address for host record server?
May 22nd, 2012 3:50am

"OK. So if I query a simple hostname (not FQDN) and no suffix list is specified on the workstation (the default domain suffix is added), the record will try to be resolved only on the primary DNS (dns.local.example.com) because there is just one zone specified, local.example.com, right? The answer is NXDOMAIN. The query is just forwarded if the DNS server has no zone for the specific record, right?"

Correct.

"So the only chance to resolve the server record is to add the suffix list example.com on the client workstation"

Correct.

"or to make a secondary zone example.com on the DNS server dns.local.example.com?"

Incorrect. Having the secondary zone is not going to help if the client sends the query as server.local.example.com. The DNS server will NOT check in the example.com zone.

"So why can't I ping hostname server when nslookup will return the IP address for host record server?"

You should be able to; however, I would need to know your client's exact configuration and your DNS/NetBIOS configuration to give you an appropriate answer.
Guides and tutorials, visit ITGeared.com.
May 22nd, 2012 3:03pm

Problem solved. Firewall issue. Thanks for the help.
May 25th, 2012 1:31am

One more question, Jorge. You wrote: "For example, in the case of ping server, if you specified both local.example.com and example.com, your XP client will send two queries. Alternatively, since these two domains are in a parent/child structure, you could also enable the option to search in the parent domain. Either will work, but it is always best to fully qualify your queries." How (where) can I enable this feature?
May 25th, 2012 1:54am

And another one :) If your DNS server has more than one zone, you need to specify a suffix list on the client workstation. Otherwise the request wouldn't be resolved in other zones, except the one which is specific to your domain? In other words, without a suffix list, a DNS query can't be resolved by other zones on the DNS server?
May 25th, 2012 2:11am

And a third question :) I have debugged my DNS query. I asked for the record google.local.example.com from the client xp.local.example.com.
1. The answer came from the primary DNS (dns.local.example.com) as NXDOMAIN for the record google.local.example.com.local.example.com.
2. The query was forwarded to the Linux DNS dns.example.com with the answer NXDOMAIN for the record google.local.example.com.example.com. DNS forwarding is enabled on dns.local.example.com for "All other DNS domains" to dns.example.com.
Why was this query forwarded? You said that the query is only forwarded when the record was not found (NXDOMAIN) in the local zone. But the zone local.example.com is located on the DNS server dns.local.example.com. You wrote: "This record is not located on my primary DNS server (dns.local.example.com), so the query is forwarded to the DNS.example.com Linux DNS server. Incorrect. If your workstation sends a query for server.local.example.com to your DNS server (dns.local.example.com), and that server stores the local.example.com zone, then if it doesn't find a record it will return NXDOMAIN, which means it could not resolve the name. Your DNS server will NOT forward any requests to another DNS server if it receives a request for a record in a zone that it is authoritative for. If it doesn't have the answer and it owns the zone, it is not going to forward it."
May 25th, 2012 3:06am

Got the answer to my third question. The default behaviour of the DNS client is that a DNS suffix list is automatically added based on the parent domain. For example, if your primary domain is local.example.sk, the parent domain suffix example.sk is added. You can see this setting in the output of the ipconfig /all command, and you can turn off this behaviour on the network adapter.
May 25th, 2012 5:00am
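To make the two mechanisms argued over in this thread concrete, the client-side suffix appending and parent-suffix devolution (the suffix-list answer and the last post's ipconfig observation) and the server-side rule that an authoritative server answers NXDOMAIN rather than forwarding (the "Incorrect" reply), here is an added Python model. It is not code from this thread, from Microsoft or from any DNS implementation; the DnsServer class, the resolve() helper, the zone contents and the 192.0.2.x addresses are constructed for illustration and the client rules are a deliberate simplification of the Windows DNS client.

```python
"""Model of the name-resolution behaviour discussed in this thread: the
Windows DNS client's suffix appending / devolution and an authoritative
server's answer-or-forward decision.  Added example, not code from the
original thread; the zone contents and 192.0.2.x addresses are constructed."""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

NXDOMAIN = "NXDOMAIN"


def candidate_names(name: str, primary_suffix: str,
                    search_list: Optional[List[str]] = None,
                    devolution: bool = True) -> List[str]:
    """FQDNs the client tries, in order (simplified Windows client rules).

    - a trailing dot means fully qualified: tried as-is only;
    - a name containing a dot is tried as-is first, then with suffixes;
    - a configured suffix search list replaces the primary suffix and
      turns devolution off;
    - otherwise the primary suffix is used and, with devolution on, its
      parents down to a two-label suffix (local.example.com -> example.com).
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixes = list(search_list) if search_list else [primary_suffix]
    if not search_list and devolution:
        labels = primary_suffix.split(".")
        while len(labels) > 2:
            labels = labels[1:]
            suffixes.append(".".join(labels))
    tried = [name] if "." in name else []
    return tried + [f"{name}.{s}" for s in suffixes]


class DnsServer:
    """Authoritative for some zones; forwards everything else (if configured)."""

    def __init__(self, name: str, zones: Dict[str, Dict[str, str]],
                 forwarder: Optional[DnsServer] = None) -> None:
        self.name = name
        self.zones = {z.lower(): {n.lower(): ip for n, ip in recs.items()}
                      for z, recs in zones.items()}
        self.forwarder = forwarder

    def authoritative_zone(self, fqdn: str) -> Optional[str]:
        """Longest zone that equals fqdn or is a parent of it, else None."""
        matches = [z for z in self.zones
                   if fqdn == z or fqdn.endswith("." + z)]
        return max(matches, key=len) if matches else None

    def query(self, fqdn: str) -> Tuple[str, str]:
        """Return (IP or NXDOMAIN, name of the server that produced it)."""
        fqdn = fqdn.lower().rstrip(".")
        zone = self.authoritative_zone(fqdn)
        if zone is not None:
            # Owns the zone: answers from it and never forwards, even on a miss.
            return self.zones[zone].get(fqdn, NXDOMAIN), self.name
        if self.forwarder is not None:
            return self.forwarder.query(fqdn)
        return NXDOMAIN, self.name


def resolve(name: str, server: DnsServer, primary_suffix: str,
            search_list: Optional[List[str]] = None,
            devolution: bool = True) -> Optional[Tuple[str, str]]:
    """Walk the candidate list; return (fqdn, ip) of the first hit, else None."""
    for fqdn in candidate_names(name, primary_suffix, search_list, devolution):
        answer, _ = server.query(fqdn)
        if answer != NXDOMAIN:
            return fqdn, answer
    return None


# Constructed topology mirroring the thread: the Linux server owns
# example.com, the AD server owns local.example.com and forwards the rest.
LINUX_DNS = DnsServer("dns.example.com", {
    "example.com": {"dns.example.com": "192.0.2.1",
                    "server.example.com": "192.0.2.10"},
})
AD_DNS = DnsServer("dns.local.example.com", {
    "local.example.com": {"dns.local.example.com": "192.0.2.2",
                          "xp.local.example.com": "192.0.2.50"},
}, forwarder=LINUX_DNS)

if __name__ == "__main__":
    for dev in (False, True):
        print(f"devolution={dev}: ping server ->",
              resolve("server", AD_DNS, "local.example.com", devolution=dev))
    print("server.example.com ->", AD_DNS.query("server.example.com"))
    print("multi-label name tries:",
          candidate_names("google.local.example.com", "local.example.com"))
```

With devolution off, "server" becomes only server.local.example.com, the AD server owns that zone and returns NXDOMAIN without forwarding, so nothing resolves; with devolution on (or with example.com in the search list) the second candidate server.example.com falls outside the AD server's zones and is forwarded to the Linux server. On the XP client discussed here the devolution flag corresponds to the "Append parent suffixes of the primary DNS suffix" checkbox under Advanced TCP/IP Settings, DNS tab, and ipconfig /all shows the resulting DNS Suffix Search List. One caveat for anyone tuning this: every suffix you add (or let devolution add) is a domain in which unqualified names will be looked up, so keep the list to domains you control and prefer fully qualified names in anything security-relevant.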

Sounds like you got the information you were looking for.
Guides and tutorials, visit ITGeared.com.
May 25th, 2012 10:05am
