SBS 2003 DNS request times out


I'm managing a small enterprise network that has an SBS 2003 server.
There are multiple unsolved issues of which the DNS problem is the most impacting one.

Problem is that if the ISP's or gateway's IPs are not added on the workstations as secondary DNS server (and even on the server itself), Internet browsing is a nightmare (pages need to be refreshed 2/3 times to fully load, when they load ...). I know there should only be the SBS server as primary DNS server, but this is not sustainable.

There is only one SBS 2003 server acting as DC, DNS and Exchange server. Server is configured with its own IP address as DNS and nothing else (

Primary DNS server of the SBS server is itself
Forwarders are also configured.
On PCs, I needed to add the ISP's gateway IP address ( as second DNS entry to allow normal Internet browsing.
Behaviour is the same on the server itself: as soon as the ISP gateway's IP address is added as second DNS entry (which I didn't do), normal Internet browsing is possible, otherwise not !
Forward and reverse lookup zone are there
I have already rebuilt DNS but it didn't change anything
I don't find particular DNS error messages in the DNS log
What is interesting to know:

nslookup is NOT working fine with one primary DNS server only (timing out 3 times out of 4)
Once a day in average, I have error 2013 in the system log: "SMTP could not connect to any DNS server. Either none are configured, or all are down. "
I have no _msdc.domain.local forward lookup zone. Could this be the problem?


aoakeley Commented:
I have done a bit of research for you, and cannot come up with any (quantifiable) case where the DNS service has been faulty to the point that forwarders do not work.

- we have proved that DNS ports are open on the firewall through the use of NSLookup
- we have proved that the ISP DNS server you are using works through the use of NSLookup
- we have proved that recursion works through the use of Root Hints

My recommendation at this stage is to leave the forwarders out and use "Root Hints" only. Your server will perform just fine with this configuration. Set all workstations to point to the server only for DNS.

Please also run the SBS BPA and see if that comes up with any errors
Radhakrishnan R (Senior Technical Lead) Commented:
1) Check from DNS (forward) whether any A record is there for your server, also create a ptr record
2) If you are using DHCP - you can configure your ISP's DNS as secondary, so all the users will get the same IP and DNS from DHCP
Urbantrax (Author) Commented:
There is an A record for the server
DHCP is done by the ISP Gateway/Router device and DNS IPs are not pushed
Radhakrishnan R (Senior Technical Lead) Commented:
Then you have to add those IPs from DNS
How are you configuring your client IPs now - manually? If manually, ask your ISP to configure the router as DHCP.
What do you mean "not sustainable"

Forget about adding secondary DNS servers and telling your ISP to switch DHCP on the router. If you don't fix this DNS problem now it will cause bigger problems in the future. This is really bad practice.

You can reinstall DNS on SBS 2003, and this can be achieved by looking at the following link ;

Follow it through and let us know your results.

All clients need to look at the DC and the DC needs to look at itself with no secondary DNS records (this causes issues).

Rebuild DNS, set up forwarders to some good DNS servers out in the real world (any good ones you can find), and then set your client machines to only look at this one DC.

This is your solution, not playing about getting the second DNS record working.

Sorry to be blunt.
Urbantrax (Author) Commented:
I think that you misunderstood me:

Workstations are manually configured with the IP of the SBS server (DC/DNS) as primary DNS.
This is how it should be configured.

The ISP router IS the DHCP. It distributes IPs. The only thing is that I didn't configure it to push DNS information. This shouldn't change anything as the manually introduced primary DNS IPs would only be replaced by a DHCP-given IP address with the same value.
Agreed, so you have a problem with DNS on your server.  Your router shouldn't be issuing DHCP addresses, your server should.

standard small company single server configuration :

Router : static IP and NAT - one external IP and one internal IP (lets say - No DHCP functions
Server :
IP :
SN :

DHCP ON, serving clients with a suitable scope, a gateway of and a single DNS setting of

the router is only the gateway and deals with anything outside of the LAN

As this is SBS, try the Connect to the Internet Wizard, this rejigs some settings.

If you have set the above configuration and it is not working, then you have a problem.  90% of problems are DNS based, so look towards that first.

Urbantrax (Author) Commented:
DrayTek router is the DHCP server because it is able to issue addresses in the two VLANs we have (one for IP telephony and the other for Internet, mails, etc). The SBS DHCP cannot do this.

Tried already the wizard. Besides that it frequently fails in the firewall step, it didn't change anything.

Please note that this configuration used to work for years !
Cliff Galiher Commented:
In your initial post you mention "forwarders are already configured" ...can you be more explicit? What have you changed?
Let's completely ignore the Router, DHCP, and workstations for now. If we concentrate on only working on the server, and we fix that then we can build out from there to fix everything else:

> There is only one SBS 2003 server acting as DC, DNS and Exchange server. Server is configured with its own IP address as DNS and nothing else (
- this is good, and as it should be

> as soon as the ISP gateway's IP address is added as second DNS entry (which I didn't do), normal Internet browsing is possible, otherwise not
- this indicates that your DNS server is not forwarding DNS requests properly

> forwarders are already configured
Please confirm the only forward DNS server is the " ISP gateway's IP address" (screenshot would be nice)

> nslookup is NOT working
- what address are you trying to lookup?
 - if it is an external address then yes it may not be working if forwarder is not configured properly.
 - if you do "nslookup sbsservername" does that resolve OK?

I agree with Cliff - this looks like a DNS forwarder issue


Urbantrax (Author) Commented:
Hello aoakeley, Cliff. Yes, we should forget about the router, DHCP and workstations as these shouldn't be the cause of the problem. I also agree that the issue looks like a DNS forwarder issue.

Primary forwarder is the ISP's gateway IP address.
I have now added OpenDNS servers as second and third forwarder but it didn't change anything

nslookup on the SBS server works fine
only nslookups to the external world don't work

Here the screenshot:

Urbantrax (Author) Commented:
Second set of screenshots
Cliff Galiher Commented:
Based on the IP scheme, the first DNS server is actually the local subnet router (which I suppose could be the ISP's gateway, a significant security concern, but the topic for different conversation).
Try removing the and let the other forwarders get used directly. It is possible that the DNS server that the gateway employs is having issues. Not uncommon on low-end consumer devices.
Urbantrax (Author) Commented:
Tried already. Didn't change anything !
First nslookup screenshot is with the OpenDNS servers only and second nslookup screenshot is with the local subnet router (the ISP's gateway) added as primary forwarder.
You say:
>Primary forwarder is the ISP's gateway IP address

I take it what you meant to say is "Primary forwarder is the router"

I would take out all three DNS servers that you have there and put in the actual DNS Server being provided by the ISP. Give that a try and report back.

Urbantrax (Author) Commented:
Could it be linked to the network card ?
Urbantrax (Author) Commented:
aoakeley. tried already the ISP DNSes as well. It doesn't change anything.

Please note that, as I said in my problem description, when I add the ISP's DNS as secondary DNS on the workstations, Internet browsing is fine. This is the proof that the problem is on the SBS box and not with the ISP's DNSes
if you do
#> nslookup   - start nslookup

#> server x.x.x.x    - where x.x.x.x is either the ISP server or some other DNS server

#>    - lookup this address

Does this work? Sample image attached
with image
Urbantrax (Author) Commented:
Yes, it does work.

First try with OpenDNS's DNS
Second try with ISP's DNS

Sorry for the delay, went on a bucks day that took a while to come back from....

Sorry if you feel we have gone around in circles, but I need to be sure that the problem was isolated to the server DNS Service not using the forwarders properly

Please check the following:
Properties of dns server, advanced tab,
 - Disable Recursion = unticked

Try updating your root server list and using only the Root servers (take out all forwarders)
 - make sure you have an up-to-date list of root servers
    - delete servers that are in there, press "copy from server", enter ip, press OK

Check there is no "Root zone" (i.e. zone with only a . in the zone name) in forward lookup zones

Clear the Cached lookups (right click "clear cache") and check that it starts re-populating after successful lookups
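
The direct-query test with nslookup's `server` command and the "Disable Recursion" check discussed in this thread can be scripted. This is an added example, not part of the original thread: it sends raw DNS queries to a single server, tallies answers against timeouts, and reads the RA (recursion available) flag from the reply header. The function names and the two sample headers are assumptions constructed for illustration.

```python
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234, recurse=True):
    """Encode one A/IN question; the RD flag asks the server to recurse."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if recurse else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp):
    """Decode the 12-byte DNS header of a response."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid,
            "is_response": bool(flags & 0x8000),
            "recursion_available": bool(flags & 0x0080),  # RA is clear when recursion is disabled
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "answers": answers}

def probe(server, name, tries=4, timeout=2.0, port=53):
    """Query `server` directly `tries` times and tally the outcomes."""
    tally = {"answered": 0, "timeout": 0, "failed": 0, "recursion_available": None}
    for qid in range(1, tries + 1):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(build_query(name, qid), (server, port))
                hdr = parse_header(sock.recv(512))
            except socket.timeout:
                tally["timeout"] += 1
                continue
            except (OSError, ValueError):
                tally["failed"] += 1
                continue
        tally["recursion_available"] = hdr["recursion_available"]
        ok = hdr["id"] == qid and hdr["rcode"] == "NOERROR" and hdr["answers"] > 0
        tally["answered" if ok else "failed"] += 1
    return tally

# Constructed sample headers (not captured traffic): flags 0x8180 and 0x8102.
SAMPLE_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_SERVFAIL_NO_RA = struct.pack("!HHHHHH", 0x1234, 0x8102, 1, 0, 0, 0)

if __name__ == "__main__":
    # usage: python dnsprobe.py <server-ip> <name-to-resolve>
    print(probe(sys.argv[1], sys.argv[2]))
```

Running it once against the SBS server and once against each forwarder gives comparable timeout counts for the same name.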


Urbantrax (Author) Commented:
Hello aoakeley

No problem. I have been away myself for a couple of days.
Thanks for your help.

As you'll see, we (you) are close to the solution

Disable recursion was unticked
Forwarders deleted
Root hints updated (already tried before)
No "root zone" found

As soon as forwarders are added again, I get requests that time out (whatever the forwarders: ISP or OpenDNS)

The issue is thus clearly related to a problem with the forwarders that don't handle requests appropriately

It seems thus that these forwarders are not really needed because of the root hints.

Can we investigate further ?
So just to confirm I am interpreting your response correctly.. If you take all the forwarders out and use only root hints only then DNS works ok?
Urbantrax (Author) Commented: