Windows 2003 A.D. integrated DNS - nslookup timeout errors

I'm in the process of configuring 2 new domain controllers running Windows 2003 to replace our existing DCs.  The DCs will run Active Directory, DNS, WINS and DHCP.  I configured DNS as Active Directory integrated.  Both 2003 servers are plugged into a switch.  When I connect a laptop to the switch and test DNS there is a delay.  I use nslookup on the laptop and set the type to any.  When I type in the domain name I get the error "DNS request timed out. time out was 2 seconds" then the information appears on the screen.  AD is replicating correctly and there are no errors in the event log.  I have no clue why there is a timeout error when using nslookup.  Forward and reverse entries are configured.  The DCs are not connected to the Internet.  I have to install the new DCs on Saturday and I'm worried that there is a DNS related problem that is going to affect the network.

I'm stumped.  Any idea why I'm getting time outs when the only devices connected to the switch are a laptop and two DC's?


DNS request timed out.
      time out was 2 seconds

Thanks for the assistance!

How long are you waiting after you plug in the laptop?  If you use higher-end switches, you may not have portfast enabled and spanning tree is enabled by default on VLAN one.  This means the port takes about 30-60 seconds (depending on what else is not enabled) before the port enters the Forwarding state.

Do you also point the laptop exclusively to your DNS servers?  Is the DNS suffix for this laptop the same suffix as the domain you are querying?

steno1122Author Commented:
Hi Netmann66, thanks for the reply.

I'm waiting a few minutes after I plug in the laptop.  The switch is a low end Dell model that we no longer use on our network.  

The laptop is getting the DNS server IP's via DHCP.  The suffix for the laptop is the same as the domain.

This is a guess but could the timeout be caused because the servers are not connected to the Internet?  When I use nslookup and type in our domain name, does the nslookup tool try to make queries outside of the domain?  I do have forwarders configured but they are not doing anything since the servers are not on our network yet.  Nslookup does work, it just gives me the timeout error before completing.  It obviously shouldn't do that and I have no clue why I'm getting the error.
Perhaps, if the query is something not in its own DNS.

It should not try to go outside the domain if the SOA is on your server for what you are querying.

It could also be a speed/duplex mismatch or the patch cable you are connecting with is less than 3 feet.


Hi Steno -

A few things to try, forgive me if you have already:

We want to confirm

Connectivity -

A few items to test:
Ping the ip of the server from the laptop to verify connectivity
 - if you can't ping, then let's look at each machine's ip configuration, the cabling, & the switch.
 - verify that all gateways, subnet masks, etc. are correct on the servers and the laptop
 - Even if you're not connected to the internet, make sure you have proper gateways set.
 - Even if you're not connected to the internet, you should be able to do a simple lookup

Services/Config -
Make sure the DNS service is running on the server(s)
Open the DNSMgmt mmc (Administrative Tools>DNS), verify the zone name and check that it is active.
Run nslookup from the server itself to test.

Naming -
What is your domain name?  Are you using the FQDN or the simple name?
Run ipconfig /all on the server, and make sure the domain name you're typing matches the Primary DNS suffix.

In nslookup try the following:
server X.X.X.X (where x.x.x.x is the ip of the dns server)
    -  this forces nslookup to use that server regardless of the default config.

enter just the netbios name of either server, and see if it resolves:
> JoBob
Server:  jobob.whateverdomain.local

Let me know what happens!

I think this might be the reverse lookup problem. Please create a reverse lookup zone on your dns server and make sure your dns server has created the PTR record. You may launch "ipconfig /registerdns" after creating the reverse lookup zone on the dns server.
When I was starting to use LDAP / starting to learn LDAP I found these tools great.

Both of these require Java - and both allow add/delete/modify:

LDAP Browser Editor

This one is just for Windows - really easy to use, I think the free version has limited functions. And there is a trial of the full release, I am not sure if they limit functions there.

All LDAPs have a schema (set of rules/requirements), object classes (defines different types of objects), and then different sets of attributes. Most object classes have sets of attributes that are required or optional.

If you have any problems creating users then make sure what ever tool you choose to create users is attempting to set the required attributes.

This is in the Windows 2003 section, Windows 2003 using Microsoft implementation of LDAP which is called by Microsoft "Active Directory". If this is for "Active Directory" then the best method is to use the Microsoft tools, "Active Directory Users and Computers Management Console". - See Windows 2003 Help.

Good Luck,
Sorry posted mine to the wrong spot. - Mark
As tatw stated, this is a reverse lookup zone problem:

"I think this might be the reverse lookup problem. Please create a reverse lookup zone on your dns server and make sure your dns server has created the PTR record."

You need a reverse lookup zone created for your subnet...

For example, if you are using a ( subnet, create a reverse lookup zone:

1) Open the DNS console
2) Right click REVERSE LOOKUP ZONE and choose new ZONE --> primary zone (in wizard)
3) network ID:  enter 10.1.2
4) a new zone called: will appear

now create a PTR record for your DNS servers:
5) In the zone, right click and choose New Pointer (PTR)
6) if your DC/DNS server's IP is 55 for example, type 55 for HOST IP Number.  and browse to the host name (usdcdns1, for example)

now go into NSLOOKUP... the time out should not appear.
steno1122Author Commented:
Thanks for all the replies!!

It seems everyone is thinking it's a reverse DNS problem.  The reverse zone was created along with the associated PTR records before I noticed the problem.  Just to be sure that the reverse zone wasn't the issue I deleted it and recreated the zone and PTR records.  I then typed ipconfig /registerdns on the servers.  I still have the problem!!

I ran the query tests from the DNS Management console.  (right clicked on a server, properties, monitoring).  Both DC's passed the test for "A simple query against this DNS server" but both servers failed the test for "A recursive query to another DNS server".  DNS is working between the servers.  When I deleted the reverse zone from one server it was automatically deleted on the other.  When I recreated the zone it was replicated to the other server automatically.

The ping -a command uses reverse name resolution, correct?  I can ping the servers by IP and by DNS names successfully.  When I type ping -a <IP> I get a reply but it doesn't include the server name.

When initially testing I was getting the timeouts while on a laptop.  I tested from the command prompt on both domain controllers and I still get time outs.  I have no idea what to try next.  I know there is a problem and I’m hesitant to deploy these servers until this issue is fixed.  I'm supposed to deploy the DC’s on Saturday.  Management where I work will be pretty upset if I miss the scheduled install date.

I really appreciate all the help.


A failed ping -a would certainly point to a Reverse Lookup problem, but you seem to have confirmed it is setup properly.

You are sure there is no ISP DNS addresses anywhere?

Can you try this:

set server=yournewserver

steno1122Author Commented:
I have tried the set server command in nslookup and had it use the domain controller.  I still get time outs.  I just ran nslookup -d2 which runs the application in debugging mode.  It doesn't state there is a problem when testing the reverse entries.  It does time out when testing "SendRequest(), len 56".  It doesn't get a reply or answer from this request.  I have no idea what that request is.  I can't find anything searching online describing this error.  Below is the nslookup -d2 from one of the DCs.  The domain name has been changed.


C:\>nslookup -d2
SendRequest(), len 42
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:, type = PTR, class = IN

Got answer (85 bytes):
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:, type = PTR, class = IN
        type = PTR, class = IN, dlen = 31
        name =
        ttl = 1200 (20 mins)


SendRequest(), len 61
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:, type = A, class = IN

Got answer (134 bytes):
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:, type = A, class = IN
        type = SOA, class = IN, dlen = 40
        ttl = 3600 (1 hour)
        primary name server =
        responsible mail addr =
        serial  = 173
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

SendRequest(), len 56
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:, type = A, class = IN

DNS request timed out.                              <===
    timeout was 2 seconds.
timeout (2 secs)
SendRequest failed                                    <===
SendRequest(), len 39
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:, type = A, class = IN

Got answer (71 bytes):
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 2,  authority records = 0,  additional = 0

    QUESTIONS:, type = A, class = IN
        type = A, class = IN, dlen = 4
        internet address =
        ttl = 600 (10 mins)
        type = A, class = IN, dlen = 4
        internet address =
        ttl = 600 (10 mins)
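
As an added example (mine, not part of the original thread), a small parser for `nslookup -d2` output of the shape posted above. It pairs each `SendRequest()` block with its `Got answer` block by DNS message id, so the query that never received a reply can be named instead of spotted by eye. The embedded sample is constructed: it keeps the four-query shape, rcodes and message lengths from the post, but the names and addresses (corp.example.com, 10.1.2.x) are placeholders standing in for the ones the poster removed, so everything the parser reports about the sample is an assumption, not the poster's data.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the trace in the post, trimmed to the lines the
# parser reads. Names/addresses are placeholders (assumption), not the poster's.
SAMPLE_D2 = """\
SendRequest(), len 42
        opcode = QUERY, id = 1, rcode = NOERROR
    QUESTIONS:
        55.2.1.10.in-addr.arpa, type = PTR, class = IN
Got answer (85 bytes):
        opcode = QUERY, id = 1, rcode = NOERROR
    QUESTIONS:
        55.2.1.10.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  55.2.1.10.in-addr.arpa
        name = dc1.corp.example.com
SendRequest(), len 61
        opcode = QUERY, id = 2, rcode = NOERROR
    QUESTIONS:
        corp.example.com.corp.example.com, type = A, class = IN
Got answer (134 bytes):
        opcode = QUERY, id = 2, rcode = NXDOMAIN
    QUESTIONS:
        corp.example.com.corp.example.com, type = A, class = IN
    AUTHORITY RECORDS:
    ->  corp.example.com
        primary name server = dc1.corp.example.com
SendRequest(), len 56
        opcode = QUERY, id = 3, rcode = NOERROR
    QUESTIONS:
        corp.example.com.example.com, type = A, class = IN
DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
SendRequest failed
SendRequest(), len 39
        opcode = QUERY, id = 4, rcode = NOERROR
    QUESTIONS:
        corp.example.com, type = A, class = IN
Got answer (71 bytes):
        opcode = QUERY, id = 4, rcode = NOERROR
    QUESTIONS:
        corp.example.com, type = A, class = IN
    ANSWERS:
    ->  corp.example.com
        internet address = 10.1.2.55
    ->  corp.example.com
        internet address = 10.1.2.56
"""

QUERY_RE = re.compile(r"^SendRequest\(\), len (\d+)")
ANSWER_RE = re.compile(r"^Got answer \((\d+) bytes\)")
HEADER_RE = re.compile(r"opcode = \w+, id = (\d+), rcode = (\w+)")
QUESTION_RE = re.compile(r"^\s*(\S+), type = (\w+), class = \w+\s*$")


@dataclass
class Query:
    qid: int
    wire_len: int          # the "len N" nslookup prints for the outgoing message
    name: str = ""
    qtype: str = ""
    rcode: str = ""        # filled from the matching "Got answer" header
    answered: bool = False


def parse_d2(text):
    """Pair every SendRequest() with its Got answer by DNS message id."""
    queries, pending, mode, wire_len = {}, None, None, 0
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            mode, pending, wire_len = "query", None, int(m.group(1))
            continue
        if ANSWER_RE.match(line):
            mode, pending = "answer", None
            continue
        m = HEADER_RE.search(line)
        if m:
            qid, rcode = int(m.group(1)), m.group(2)
            if mode == "query":
                pending = queries.setdefault(qid, Query(qid, wire_len))
            elif qid in queries:       # header of the reply to a query we saw
                queries[qid].answered = True
                queries[qid].rcode = rcode
            continue
        m = QUESTION_RE.match(line)
        if m and pending is not None and not pending.name:
            pending.name, pending.qtype = m.group(1), m.group(2)
    return list(queries.values())


def timed_out(text):
    """Queries with no reply: the ones nslookup reports as 'DNS request timed out'."""
    return [(q.name, q.qtype, q.wire_len) for q in parse_d2(text) if not q.answered]


def outcomes(text):
    """Query name -> rcode, or TIMEOUT when no answer block was seen."""
    return {q.name: (q.rcode or "TIMEOUT") for q in parse_d2(text)}


if __name__ == "__main__":
    for name, rc in outcomes(SAMPLE_D2).items():
        print(f"{rc:9} {name}")
    print("unanswered:", timed_out(SAMPLE_D2))
```

On a real capture (`nslookup -d2 > trace.txt`, then pass the file contents), the unanswered names are the ones to compare against the zones the server hosts: a timed-out name that does not fall under any hosted zone is being recursed to the forwarders rather than answered locally.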

Did you really put an Underscore in your domain name?
What OS is the laptop running?
steno1122Author Commented:
OK problem solved!! (I assume)

I got really frustrated so I got Bill Gates on the phone to help me with the problem.   OK, maybe not.

NJComputerNetworks - No, I don't have an underscore in our REAL domain name.  I changed the output of nslookup by removing our corporate domain name and added "domain_name" in its place before posting the info to this thread.  :-).

The problem was caused by the forwarders.  I had forwarding IP's in the DNS configuration but the servers don't have Internet access yet.  I didn't think adding the forwarders would cause a problem.  The servers obviously will have Internet access when they are deployed to our corporate network.  I added the IP's ahead of time.  Once I removed the forwarders the time outs went away.

Netman66 - You mentioned that queries should not go outside of the domain if the SOA is on the server I'm querying.  Apparently that isn't the case, unless something is still screwed up with DNS on the servers.  Nslookup was trying to query the forwarding IP’s and that’s what caused the timeouts.  

I hoping that the problem doesn't reappear once the servers have Internet connectivity and the forwarding IP's are added again.

So as a general rule, don't add forwarders until the server has Internet connectivity.

I will split the points since you all have been very helpful.

When querying DNS, if the domain name being queried is on the DNS server (because the SOA is there) then the query should stop there.  Since the Start of Authority for a zone is king, then either the client gets a good reply or a bad reply - but it should get a reply from the server since it is Authoritative for the domain you queried.

An example:

your AD domain is microsoft.local
you query for
if the Host exists, you get a reply
if the Host does not exist you get a reply stating no such host

if you query then you should experience what you did - a timeout.  Since your server is NOT the SOA for then it will forward the request.

I would be concerned if your internal AD namespace query is being forwarded when it shouldn't be.

steno1122Author Commented:
Netman66 - Do you have any idea why the query is being forwarded when it shouldn't be?

Removing the forwarders fixed the problem to an extent because DNS doesn't have any place outside of the domain to query.  I'm curious if domain querys from a client might use the forwarders once I add the IP's back and the servers have Internet connectivity.  Unfortunately I can't test this until I deploy the servers.

I guess this isn't completely fixed.  Any ideas?
one thing to check might be your local DNS Suffixes listed on each client.

Check you TCP/IP settings...

DNS Suffixes are automatically appended to your queries in DNS.  For example, if you have company.local listed as a DNS suffix, you will automatically append company.local to each query.

So, server1 query becomes ....  this makes it so you don't have to put the FQDN all the time.

If your DNS suffix is set to the wrong, for example, and you search for server1....  the DNS suffix of company.other gets appended.

So the search will be  Because your DNS is only authoritative for company.local, it will try to forward to the internet...

-just a thought.
Note: you can have multiple DNS Suffixes if you want multiple names appended:

For example:

if you have DNS suffixes listed:

Your clients would automatically append these names in order when doing searches:

server1 search....becomes
and if not found

Have you tested this with a machine that belongs to this new domain yet?  This could simply be a security issue where non-domain PCs can't query and must be forwarded - just a thought.

I think (given the state you're at) that you will be just fine deploying this on the weekend.  Any small issues can be taken care of then.

I had already mentioned the DNS suffix, but you can double-check it.

(sorry Netman66... I didn't notice that you had already mentioned this... fairly long post to read through)
To add to that -
If you can ping & nslookup from each of the servers themselves, then we're probably back to the laptop ip config (connectivity), DNS naming or forward-lookups.

To add to NJ's comment -
It is a common issue for internal domains w/a .com suffix to forward-lookup to the internet.  If we narrow down to that, there are some changes we can make.

Forgive me if you're already confident about these, but please triple-check your subnet masks and gateways

1st question:
Which server is the root server?
- On each server, open the DNS Management Console.
- Expand the DNS Server object for your server in the left pane of the console.
- Expand Forward Lookup Zones.
- look for a zone that is marked with a (.) period  

2nd -
DNS running on both servers?  
If we still think it's a DNS server issue, a good sledgehammer approach is to uninstall/reinstall DNS - (one server at a time)
this is a MS recommended procedure to eliminate any zone corruption.
Try eliminating the 2nd DNS server, confirm that the remaining one is the root.

steno1122Author Commented:
Thanks for the replies.

The laptop I have been testing with is joined to the domain.  The domain suffixes are correct on the laptop.

This doesn't seem to be a client related issue.  I get the time outs on the servers too.  When I type "nslookup" on the DC's I still get time out errors when the forwarder IP's are in place.

I just added the forwarders back and reloaded the forward and reverse zones.  The time outs still occur.  When I remove the forwarders the time outs go away.  Very strange.

Once again, I'm at a loss as to what is causing this.
Is your AD namespace registered publicly?

It shouldn't matter if this is all a closed system right now, but I'm at a loss also.

steno1122Author Commented:
Our domain name is registered publicly.  The AD namespace is

I've read that there shouldn't be a "." entry under the forward lookup for a zone.  There isn't one on either server.  There is a "Cached Lookups" zone with a .(root) entry below it.  I would assume that wouldn't cause a problem, correct?

The root hints entries have been removed since we will be using forwarder IP's.  Would removing the root hints cause any issues?
"." root should be gone from the forward lookup zone (Need this gone for forwarding to the internet to work)  You are good here...

"." root should be in cache...this is OK and normal

Is "" your internal and external DNS name?

or is  <-- internal

and  <-- external registered internet domain name?

- Just to be clear...or are these names both identical?
Well your domain is, but the root is - the parent suffix is appended also which may be why is going outside the network.

steno1122Author Commented:
Our registered domain name is "".  Our internal AD domain is "".  They are the same except our internal network has corp. in front of it.

Is there any way to prevent queries from going outside the network?  I assume the setup that we have is a very common one, that's why I can't figure out why it's not working.

I really appreciate the help you guys are giving me with this issue.

You can prevent this from going out to the internet by adding a forward lookup zone called

Once you do this, your internal DNS servers will not try to forward to the internet on either or

you will have to manually add any records (like for your external website) on your internal Windows DNS server in the zone

To clarify, I would ask you to create a new forward lookup zone on your internal Windows DNS server.  Call this zone

create A records for your external websites (if you don't do this, you will be able to get to any website on the internet except for ones named or
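
To make the reasoning in Netman66's SOA explanation, the DNS-suffix posts and the fix above concrete, here is an added example (mine, not code from anyone in the thread) that models the decision an authoritative Windows DNS server makes for each candidate name nslookup tries: answer from a zone it hosts, or recurse to the forwarders. It assumes a lab that stands in for the poster's: AD domain corp.example.com under the public example.com, DCs at 10.1.2.55 and 10.1.2.56, root hints removed and forwarders that are not reachable. All of those names and addresses are placeholders. The walk reproduces the three-query pattern in the -d2 trace (name plus primary suffix, name plus the devolved parent suffix, bare name; the 61/56/39-byte message lengths in the trace are consistent with that), and shows that hosting an internal example.com zone turns the forwarded query into an authoritative NXDOMAIN, which is why the timeout disappears. It also shows why nslookup's opening PTR lookup of the server would time out the same way if the reverse zone were missing.

```python
import ipaddress

# Constructed lab standing in for the poster's environment (assumption, not
# the poster's data): AD domain corp.example.com, public parent example.com.
DC_IPS = ["10.1.2.55", "10.1.2.56"]


def reverse_name(ip):
    """PTR owner name for an address: 10.1.2.55 -> 55.2.1.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone(network_id):
    """Zone the DNS console derives from a network ID: '10.1.2' -> '2.1.10.in-addr.arpa'."""
    return ".".join(reversed(network_id.split("."))) + ".in-addr.arpa"


def build_zones(with_parent_zone):
    """Zones hosted by the DCs; with_parent_zone adds the fix from the thread."""
    zones = {
        "corp.example.com": {
            "corp.example.com": [f"A {ip}" for ip in DC_IPS],   # the domain's own A records
            "dc1.corp.example.com": ["A 10.1.2.55"],
            "dc2.corp.example.com": ["A 10.1.2.56"],
        },
        reverse_zone("10.1.2"): {
            reverse_name("10.1.2.55"): ["PTR dc1.corp.example.com"],
            reverse_name("10.1.2.56"): ["PTR dc2.corp.example.com"],
        },
    }
    if with_parent_zone:
        # Internal copy of the public zone; external hosts must be added by hand.
        zones["example.com"] = {"www.example.com": ["A 203.0.113.10"]}
    return zones


def authoritative_zone(name, zones):
    """Longest hosted zone that is a suffix of the name (child zone wins over parent)."""
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def resolve(name, zones, forwarders_reachable):
    """Authoritative rcode if the server hosts the zone; otherwise the query leaves."""
    zone = authoritative_zone(name, zones)
    if zone is not None:
        return "NOERROR" if name in zones[zone] else "NXDOMAIN"
    # Not authoritative and no root hints: recursion goes to the forwarders only.
    return "FORWARDED" if forwarders_reachable else "TIMEOUT"


def candidates(name, primary_suffix):
    """Order seen in the trace: primary suffix, devolved parents down to two labels, bare name."""
    labels, out = primary_suffix.split("."), []
    while len(labels) >= 2:
        out.append(name + "." + ".".join(labels))
        labels = labels[1:]
    out.append(name)
    return out


def walk(name, primary_suffix, zones, forwarders_reachable):
    """Outcome per candidate, stopping at the first positive answer as nslookup does."""
    out = []
    for cand in candidates(name, primary_suffix):
        rc = resolve(cand, zones, forwarders_reachable)
        out.append((cand, rc))
        if rc == "NOERROR":
            break
    return out


if __name__ == "__main__":
    for parent in (False, True):
        zones = build_zones(parent)
        print("internal example.com zone present:", parent)
        for cand, rc in walk("corp.example.com", "corp.example.com", zones, False):
            print(f"  {rc:9} {cand}")
        ptr = reverse_name(DC_IPS[0])
        print(f"  {resolve(ptr, zones, False):9} {ptr}")
```

The longest-suffix match in `authoritative_zone` is also the answer to the later question about the `corp` folder that appears under the parent zone: names under corp.example.com are served from the corp.example.com zone because it is the more specific zone, so the copies registered into the parent are not consulted for them.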

You can do this, yes.  But unless the website can be accessed from an internal address then requests for an external address won't route back through the firewall from an internal source.  It would be considered spoofing and be blocked.

This assumes the site is hosted locally.

(yes...I was assuming an externally hosted website...good point though)
steno1122Author Commented:
I'm going to be tied up in meetings most of the afternoon but I'll try to set up the forward zone shortly.  I'll let you know if that solves the problem or not.

To complicate things even more...our site is not hosted locally.  The domain controllers will obviously be used for our corporate network.  Our production network is in a co-location data center where we rent a lot of rack space.  We initially hosted our web site but part of the service contract that we have with the co-location is free web hosting.  We moved our site to their server to free up our existing web server for other things.

Our domain is but to access the web site we actually have to use a public address that the co-location assigned to the site.

Netman66 - I see your point about the external address not routing back through the firewall.  Do you know if there is a work-around for this?
It sounds like your website is hosted externally... not locally.  So, you will simply have to create an A record for this web site (www = public IP address of website)
do this in the forward lookup zone..
Agreed on the zone and entries.  It's not going to complicate things much by having an externally hosted website - it's actually better in your case.

This is why MS recommends that you NOT use publicly registered names for AD.  In your case it's worse, since your ad domain is really looked at by DNS as a child domain of which is registered and publicly accessible.

You would have been better with domain.local for AD - no confusion with the real deal.

Hey guys,

  Lets take a look at the typical reverse DNS lookup path: DNS resolver => root servers => ARIN (North American IP registry) => Local ISP => corresponding DNS servers.

If you delete all the root servers, the DNS resolver will then use your IP forwarder setting for the reverse DNS lookup.
So you could add your own AD DNS servers as root servers. I think this could solve the problem. I also use this setting for AD empty root design.
Dear steno1122,

I looked in more detail at your debug output of nslookup. How come you have included? Where is it used?

I see two very funny entries in your d2 output

steno1122Author Commented:
The addition of another forward zone for worked!!!

There are now two forward zones ( and  I noticed that under the forward zone there is a folder called corp with A records for both domain controllers.  Will this cause a problem?  I want to make sure that all queries use the zone and not reference the corp folder under the zone.

tatw - Before I created a new forward zone I added both DC's as root servers.  The timeouts still occurred.  I had to create a new zone to eliminate the problem.  I removed the root.hints server info so the forwarder IP's would be utilized.

Is it possible to give out more than 500 points?  You guys were a HUGE help so I'd like to give out more points than just split up the 500 that I allocated for the question.
Glad that worked...  It took a bit to understand the exact nature of your problem; however, this is a somewhat typical issue people run into when using the public internet registered domain name as part of the local Windows 200x internal domain name.  
You will likely need to change this once it's connected to the internet, but try it this way first.

No, there is no way to give out more than 500 per question.  Do what you feel is right and we'll be okay with that.
