Solved

Windows 2008 Forwarders unable to resolve ISP IP address

Posted on 2010-11-20
3,319 Views
Last Modified: 2012-05-10
Hi, I have Windows 2008 DCs. We have recently decommissioned an old Windows 2003 DC that had forwarders pointing to our ISP DNS servers to resolve Internet IP addresses. I'm trying to add forwarders to my 2008 DC but it's only giving me an "Edit" option, and then it tries to resolve my ISP DNS record and fails. I'm unable to ping any public URL like www.google.com. I was under the impression that root hints should be able to resolve public URLs for me, but that doesn't seem true.

Any ideas?
Question by:MANGO247
31 Comments
 
LVL 7

Expert Comment

by:tstritof
ID: 34180461
Hi,

please run the following commands in elevated command prompt on your 2008 DC and check the output files for problems (files should be placed in c:\windows\temp).

ipconfig /all > c:\windows\temp\001-problem-ipconfig.txt
nslookup www.google.com > c:\windows\temp\001-problem-nslookup.txt
dcdiag /c /v /e > c:\windows\temp\001-problem-dcdiag_cve.txt

If it's OK with you post the output files here.

Regards,
Tomislav
0
 
LVL 13

Expert Comment

by:markusdamenous
ID: 34180465
If you have forwarder addresses, then root hints will not be used.  Either remove the forwarders, or add/change the existing forwarders to be correct for your ISP.
0
 
LVL 7

Accepted Solution

by:
tstritof earned 375 total points
ID: 34180488
Hi,

root hints should be used if the "Use root hints if no forwarders are available" flag is set. However, there may be a problem with this setting depending on your W2K8 build/SP (link here).

If you are connected to the internet through the same link and to the same ISP as you were with W2K3 server then this shouldn't be the issue. I believe you may be having some sort of connectivity issues (IP configuration/routers/firewalls).

Let me know about the errors you receive in diagnostics.

Regards,
Tomislav
0
 

Author Comment

by:MANGO247
ID: 34180955
markusdamenous:

I'm trying to configure my forwarders to point to my ISP but it's not letting me do it. It gives me an option to edit (even when there is no forwarder IP address in the list), and when I enter my ISP nameserver it tries to validate it and then fails. It was pretty straightforward in 2003 but I can't work out how we should do it in 2008.
0
 

Author Comment

by:MANGO247
ID: 34180965
tstritof:
I will try the above and get back to you - many thanks.
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34180972
Mango, what do you mean when you say that adding the forwarder fails?

Regards,
Tomislav
0
 

Author Comment

by:MANGO247
ID: 34181029
On my W2K8 DC I'm right-clicking and taking Properties, and then in Forwarders I'm trying to add the IP address of my ISP name server. It then attempts to validate and fails. I'm unable to resolve any external websites like www.google.com etc.

I had added forwarders in my 2003DC and all external websites were resolving without any problems.
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34181059
OK, that is what I thought. The point here is that your DNS server can't perform a reverse lookup on the IP address of your ISP's DNS server. However, this doesn't stop you from adding the forwarder to your DNS although DNS will probably fail to use it.

Your problem is probably related to network connectivity issues. You may have IP configuration problems, firewall problems or any other network issue. For example, the NIC settings on your W2K8 server might still have the DNS pointing to your decommissioned server, with the result that your server (although running the DNS service) fails to resolve anything.

Please run the tests - at least ipconfig /all and nslookup www.google.com on your server - post them here and we'll have better insight into what is causing (or not causing) your problem.

Regards,
Tomislav
0
 

Author Comment

by:MANGO247
ID: 34181079
I will send you results tomorrow. But I can confirm that my primary and secondary DNS are pointing to the new 2008 DC and it's resolving internal names without any problems. I can't however resolve Internet site names.

I'm finding it strange that in 2K8 when you add the IP address of your ISP nameserver it tries to validate and then fails. That made me wonder if it was in any way different in 2K8.

Are you suggesting that even though it fails to validate it should still work, and provided I don't have any other issues like firewall etc. I should be able to resolve external site names?
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34181123
Well, the fact that your DNS server can't perform a reverse lookup for the ISP DNS server is usually bad news, but isn't always a "showstopper". However, your DNS should function even without a forwarder (using root hints). So try removing the forwarder altogether and see how DNS resolution behaves in that setup.

The fact that the internal name resolution works is not much of an indicator. The thing is that if your network clients point to the new 2K8 server for DNS resolution and the server is authoritative for the DNS zone, everything works fine even with misconfigured NICs on the server itself.

But since you have the DC up and running I would agree that the problem is probably limited to external name resolution (this may be because of a misconfigured gateway address or because the gateway is blocking the traffic from your server).

Anyway, both you and us here will know more after you run the tests.

Regards,
Tomislav
0
 
LVL 7

Assisted Solution

by:Mohamed Khairy
Mohamed Khairy earned 125 total points
ID: 34181555
Hi Mango,

Firstly let me explain that if you are going to use a forwarder, you must make sure that the forwarder is always available, no matter which Internet connection you use, because some ISPs block access to their DNS servers unless you are connecting from one of their IP addresses.

Also, you must be sure that they don't plan on changing their DNS infrastructure by decommissioning old name servers, deploying new ones, or changing the IP addresses of existing ones, because if they do change their infrastructure and don't inform you of this, then your name server may suddenly find itself forwarding queries to non-existent name servers, resulting in failed name queries and frustrated users flooding the help desk with calls.

In this case I think that it's much better not to use forwarders at all and let your DNS server use the default root hints.

http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

Now, after you decide whether you will go with root hints or forwarders, test the NIC configuration as tstritof said in his previous comment and make sure that you have the correct IP, subnet mask and gateway; the DNS should be 127.0.0.1 if the primary DNS is on this server, or the DC IP (both are the same). Also try to ping the gateway to make sure that you are going through it without any problems.

Hope this helps.
0
 

Author Comment

by:MANGO247
ID: 34182147
I will do the tests and let everyone know.

Just so you know, I can ping public IP addresses without any problem, so traffic is passing through, but I'm unable to resolve names of external sites. The other thing is that I still have one 2K3 DC on my DR site and I have set forwarders successfully on that 2K3 DC server. In fact if I use that 2K3 DC as secondary DNS server I can resolve names of external sites.

Will send you results in a couple of hours' time. FYI we are using the content filtering service from MessageLabs and Internet is working fine. My only problem is that my Exchange server is unable to resolve the MessageLabs cluster IP address as its MX record so emails are all queuing up. I can do some workarounds but I need a stable permanent solution for this.
0
 

Author Comment

by:MANGO247
ID: 34182153
I have 2 authoritative servers for my DNS in my forest. Is there any command to get a list of them? I can see only one authoritative server from the normal DNS console. Also could someone advise if it's normal that I'm only getting an "Edit" option when I try to add forwarders? Shouldn't it be "Add" instead? (i.e. when we right-click on the server name in the DNS console, take Properties and change to the "Forwarders" tab)
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34182671
Hi,

I have a few questions/comments:

1) When you say that you get DNS resolution when you set up the secondary DNS - where do you set it? On your network clients or your W2K8 server? What address is W2K8 server using as primary DNS?

2) Did you successfully ping public IP addresses only from your network clients or from the W2K8 DNS too?

3) Your servers are authoritative for your internal DNS zones. Are you using AD integrated zones or primary/secondary DNS scenario? I don't think it matters much here because it's the names your servers aren't authoritative for (external names) that your 2K8 can't resolve?

4) The /e option in dcdiag tests all DCs in your enterprise. The "dcdiag /c /v /e" I suggested above performs comprehensive tests with verbose output for all DCs in your enterprise. If you'd like to manage all your DNS servers from a single DNS console you can right click the DNS node in your DNS manager and choose the "Connect to DNS Server...". However I'm not sure of the interoperability between W2K8 MMC console and W2K3 DNS service but I think you should be OK there.

4) "Edit" is standard option on Forwarders tab. When you click on the button you'll have the option to type as many forwarder IP addresses as you like.

5) I haven't used MessageLabs myself but I believe that its role is with e-mail and web traffic (http, https) and not DNS - however if tests don't return anything and if there's no other router/firewall between your server and the internet (but I doubt this), we'll look into it.

6) Eagerly expecting results of your testing :).

Regards,
Tomislav
0
 

Author Comment

by:MANGO247
ID: 34182818
Please find attached info as advised  001-problem-nslookup.txt
0
 

Author Comment

by:MANGO247
ID: 34182821
Please find attached info as advised   001-problem-ipconfig.txt
0
 

Author Comment

by:MANGO247
ID: 34182825
Please find attached info as advised   001-problem-dcdiag-cve.txt
0
 

Author Comment

by:MANGO247
ID: 34182847
1) When you say that you get DNS resolution when you set up the secondary DNS - where do you set it? On your network clients or your W2K8 server? What address is W2K8 server using as primary DNS?
Ans: I configured forwarders on one of my 2003 DCs in the DR site (DR-DC1) and I could ping www.google.com. I then made DR-DC1 the secondary DNS on one of my 2K8 servers (not a DC) and a workstation (XP) and I could ping www.google.com.

2) Did you successfully ping public IP addresses only from your network clients or from the W2K8 DNS too?
Ans: As mentioned above. If I set up forwarders on my 2K3 DC (DR-DC1) and then change the secondary DNS to point to DR-DC1 on a server or PC, I can ping www.google.com.

3) Your servers are authoritative for your internal DNS zones. Are you using AD integrated zones or primary/secondary DNS scenario? I don't think it matters much here because it's the names your servers aren't authoritative for (external names) that your 2K8 can't resolve?
Ans: I'm using AD integrated zones. Actually I transferred my DNS zone from the old 2003 DC and then changed the SOA to point to my new 2008 DC. I then decommissioned my 2003 server.


4) The /e option in dcdiag tests all DCs in your enterprise. The "dcdiag /c /v /e" I suggested above performs comprehensive tests with verbose output for all DCs in your enterprise. If you'd like to manage all your DNS servers from a single DNS console you can right click the DNS node in your DNS manager and choose the "Connect to DNS Server...". However I'm not sure of the interoperability between W2K8 MMC console and W2K3 DNS service but I think you should be OK there.
Ans: I can't access the Win 2008 DNS server from my XP but that's probably MMC.


4) "Edit" is standard option on Forwarders tab. When you click on the button you'll have the option to type as many forwarder IP addresses as you like.
Ans: OK

5) I haven't used MessageLabs myself but I believe that it's role is with e-mail and web traffic (http, https) and not DNS - however if tests don't return anything and if there's no other router/firewall between your server and the internet (but I doubt this), we'll look into it.
Ans: Yes, MessageLabs is doing web and email filtering and I can access public Internet sites, but can't resolve DNS for them.


0
 
LVL 7

Assisted Solution

by:tstritof
tstritof earned 375 total points
ID: 34183010
I've looked into the logs posted. Here's what I can tell from the logs:
1) Your AD reports 3 DCs: DR-DC1, EBDMC01 and EBFIL01.
2) All servers report LDAP connectivity test failure with error "Message 0x621 not found.". From your ipconfig output I see you are using the network team on your NIC on your W2K8 server. Follow the instructions here to fix the issue.
3) Due to the failure in LDAP connectivity many other tests are skipped.
4) DNS tests from EBDMC01 basically fail for all 3 DNS servers (both forwarders and root hints).

After you fix the teaming issue on your W2K8 NIC, try configuring EBDMC01 to point only to itself for DNS resolution (without secondary DNS) and check the Interfaces tab in DNS management on that server to verify that it actually listens on the IP address configured for your NIC team.

Manually log ALL actions you take on EBDMC01. The starting point index in your diag filenames was 001. For every subsequent test you run make an entry in your log after which step you reran the tests and make sure you change the index in test output file name to keep the history of your tests intact.

If you fail to fix the issue with the NIC team active, try disbanding the team, disabling one NIC, and configuring a single NIC with proper IP configuration. If that succeeds then you can attribute the problem to NIC team and proceed from there.

Regards,
Tomislav
0
 

Author Comment

by:MANGO247
ID: 34187068
Tomislav, I have un-teamed my NIC on the 2K8 DC "ebdmc01". Decided not to go for the hotfix. My other 2K8 DC ebfil01 and the 2003 DC in the DR site, namely dr-dc1, are still teamed.

Many thanks for your kind interest. 001-problem-dcdiag-cve.txt 001-problem-ipconfig.txt 001-problem-nslookup.txt
0
 

Author Comment

by:MANGO247
ID: 34187086
My apologies, I re-sent you older versions of the results. Please ignore those and find ver2 of all commands now: 002-problem-dcdiag-cve.txt 002-problem-ipconfig.txt


002-problem-nslookup.txt
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34187651
Hi,

if you intend to use NIC teaming on your W2K8 servers you will need to apply the fix sooner or later.

The first thing I noticed is that your current ipconfig shows no default gateway. This would effectively disable access to IP addresses that can't be found on your local network. Please fix that or you won't be able to access any external IP addresses (forwarders or root hint servers) nor your dr-dc1 which is placed in a different subnet.

There are replication and other authentication issues reported in dcdiag. The dr-dc1 remains inaccessible (this is consistent with missing gateway on your NIC) but it seems that replication fails with the other W2K8 server too. This can be caused by:
- network issues (one of them is the nic teaming on W2K8, other may be malfunctioning switches, firewalls or invalid IP configurations)
- errors during demotion of old DC or promotion of new DCs (try rechecking your steps with recommended migration procedures on TechNet)

Right now, please set up your nic with default gateway, set up a forwarder in DNS to point to your ISP DNS server address and rerun the tests. You'll probably need to restart your server after changing the gateway.

I suspect that connectivity and replication issues between EBDMC01 and DR-DC01 and external name resolution will be resolved by that (since you disbanded the NIC team on EBDMC01, and if your gateway can route traffic between 10.237.1.0/24 and 10.238.1.0/24), and that the replication issues with EBFIL01 could be resolved by applying the fix for NIC teaming (or by disbanding the team on that server too).

Regards,
Tomislav
0
 

Author Comment

by:MANGO247
ID: 34187808
Tomislav, I have now added the default gateway. Please find attached dcdiag cve-3.

I have added 208.67.222.222 as a forwarder and it's "Attempting to resolve".

I have not rebooted ebdmc01 (2008 DC) yet. 003-problem-dcdiag-cve.txt

I will look into the re-teaming issues once I have resolved the DNS issues. I still can't ping any external sites, not even from ebdmc01.
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34187983
OK,

things definitely look better now, dr-dc1 is reachable (although some AD errors still persist). However, DNS still fails. But the fact that DNS is working on DR-DC1 (according to your post - however not visible in posted logs since they were run only on EBDMC01) and also the fact that DR-DC1 is on different subnet leads me to believe that there is a routing issue between your 10.237.1.0/24 subnet and the internet.

So please try running the following commands in a command prompt on your servers:
tracert 208.67.222.222 (on EBDMC01)
tracert 208.67.222.222 (on DR-DC01)
ipconfig /all (on DR-DC01)

My guess is that the result will be that tracert on EBDMC01 fails on some address on your LAN (likely the gateway you configured) and that tracert on DR-DC01 will happily bounce to the ISP's DNS server through your actual internet gateway.

And if it is the same gateway - you may have routing or firewall setup that prevents normal LAN-internet routing for 10.237.1.0/24 subnet.

Regards,
Tomislav
0
 

Author Comment

by:MANGO247
ID: 34188521
On my DR-DC1 (2003 DC), which has no forwarder set up (currently), goes out to the Internet through a different ISP/connection and has a different public IP:

tracert 208.67.222.222

Tracing route to resolver1.opendns.com [208.67.222.222]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5  ^C
0
 

Author Comment

by:MANGO247
ID: 34188542
On ebdmc01 (2008 DC on the main site), which has 208.67.222.222 as forwarder (although unresolved), I get the following:

tracert 208.67.222.222

Tracing route to 208.67.222.222 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  217.x.x.x (My public IP)
  2     4 ms     4 ms     4 ms  86.54.65.205
  3     3 ms     3 ms     3 ms  86.54.135.16
  4     9 ms     3 ms     3 ms  195.50.122.125
  5    36 ms    82 ms    13 ms  195.50.122.86
  6    20 ms    20 ms    20 ms  208.67.222.222

Trace complete.
0
 

Author Comment

by:MANGO247
ID: 34188561
ipconfig /all on DR-DC1

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dr-dc1
   Primary Dns Suffix  . . . . . . . : mydomain.co.uk
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mydomain.co.uk
                                       co.uk

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP Network Team #1
   Physical Address. . . . . . . . . : 00-14-38-C5-42-59
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.238.1.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.238.1.1
   DNS Servers . . . . . . . . . . . : 10.238.1.6
                                       10.237.1.48
   Primary WINS Server . . . . . . . : 10.238.1.6
   Secondary WINS Server . . . . . . : 10.237.1.48
0
 

Author Comment

by:MANGO247
ID: 34188602
Please note, I have different ISP connections at the main and DR sites.

I'm using the web content filtering service from MessageLabs only at the main site. My DR site has a connection supplied by building management.

My DR-DC1 has NIC teaming working.

I really find it strange the way the 2008 DC wants us to add forwarders. Don't know why it keeps resolving them and then fails. It was pretty straightforward in 2003.
0
 
LVL 7

Assisted Solution

by:tstritof
tstritof earned 375 total points
ID: 34188956
Well, I missed the fact that DR-DC1 connects to a different ISP altogether.

Just to summarize the facts regarding network traffic:
1) The DNS traffic normally flows between your two sites.
2) The DNS traffic normally flows between DR site and the internet.
3) The DNS traffic doesn't flow between new W2K8 servers on EB site and the internet.
4) The DNS traffic flowed normally between old W2K3 server on EB site and the internet.
5) Public IP addresses of ISP DNS server and other public IP addresses CAN be pinged and traced from EB site.

If the above is correct I'm suspecting firewall configuration problems and the following firewall setup:
1) Firewall allows all traffic between DR and EB sites.
2) Firewall allows standard TCP traffic from EB site to internet (http, https, icmp...)
3) Firewall is configured ONLY to allow DNS traffic (UDP and TCP port 53 I believe) between the internet and the IP address of your old decommissioned W2K3 server.

Setups like this can be easily deployed with ISA server as your firewall. Could you please confirm the firewall settings on your EB internet router to confirm this is not the issue?

One way to test this would be to try the following:
1) Set some client on your network to the fixed IP of the decommissioned server (I suppose the server is offline).
2) Set the primary DNS on that client to point to 208.67.222.222 and no secondary DNS.
3) Set the gateway to the IP address of your gateway.
4) Run nslookup www.google.com in command prompt on the client.

If your old server is not offline, just set the DNS to 208.67.222.222 instead of 10.237.1.48 on that old server and do nslookup for www.google.com.

I don't suggest messing with the IP addresses on your DCs because that could lead to AD DNS updates and other problems.

If testing nslookup succeeds from a computer that uses the IP address of your old W2K3 DC, that means it's probably a firewall issue. I don't know how the setup with MessageLabs works so I can't speculate whether the problem is related to the service. If it is, then maybe the IP tweak won't help, because it is possible that some sort of custom firewall or service client had been installed on your old W2K3 DC that is missing or somehow misconfigured on your new DCs.

This would explain why your new DCs reach the IP address of your ISP DNS server but can't resolve the name and also why no DNS traffic is allowed between your new server and the external address space.

Regards,
Tomislav
0
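The hypothesis above (ping and tracert reach the forwarder, but DNS traffic on port 53 from the new server's address is blocked) can be checked directly from the server rather than inferred from the forwarder validation or from nslookup. The script below is an added example, not code from this thread or from Microsoft: it hand-builds an RFC 1035 query, sends it to a forwarder over UDP/53 and then TCP/53, and decodes the reply. A firewall that drops port 53 shows up as a timeout on both transports, an ISP resolver that rejects clients outside its own address range answers with RCODE 5 (REFUSED, the case Mohamed Khairy described), and an open path returns answer records. The reply bytes embedded near the end are constructed test data using the documentation address 192.0.2.1, not captured traffic; the default target 208.67.222.222 is the forwarder the poster configured. Run it as: python dns_probe.py 208.67.222.222 (the script name is the example's own).

```python
"""Probe a DNS forwarder by sending a real query over UDP/53 and TCP/53 and
decoding the reply, so that "ICMP works but port 53 is blocked" (the outcome
in this thread) shows up as a timeout, while an ISP resolver that rejects
outside clients shows up as RCODE 5 (REFUSED)."""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id so a reply can be matched to our query


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (RFC 1035 section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=TXID):
    """Standard query, RD=1, one question; qtype 1 = A, 12 = PTR (reverse lookup)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):  # bound pointer chasing so a looping pointer cannot hang us
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            return ".".join(labels), end if jumped else offset + 1
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    raise ValueError("compression pointer loop")


def parse_response(msg, expected_id=TXID):
    """Return (rcode, [(name, type, data), ...]) for the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch (not a reply to our query)")
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(rdata)))
        elif rtype == 12:
            answers.append((name, "PTR", decode_name(msg, offset)[0]))
        else:
            answers.append((name, str(rtype), rdata.hex()))
        offset += rdlen
    return flags & 0x000F, answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query(server, name, proto="udp", qtype=1, timeout=3.0):
    """Send one query to server:53 over udp or tcp and return parse_response()."""
    q = build_query(name, qtype)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            data, _ = s.recvfrom(4096)
    else:  # TCP/53 frames each message with a 2-byte length prefix
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    return parse_response(data)


# Constructed reply bytes (not captured traffic): a NOERROR answer that uses a
# compression pointer (0xC00C) back to the question name, and a REFUSED reply.
SAMPLE_OK = (struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
             + encode_name("www.google.com") + struct.pack("!HH", 1, 1)
             + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
SAMPLE_REFUSED = (struct.pack("!HHHHHH", TXID, 0x8185, 1, 0, 0, 0)
                  + encode_name("www.google.com") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "208.67.222.222"
    for proto in ("udp", "tcp"):
        try:
            rcode, answers = query(server, "www.google.com", proto)
            print(proto, RCODES.get(rcode, rcode), answers)
        except OSError as e:  # socket.timeout is an OSError: port 53 dropped/filtered
            print(proto, "no reply:", e)
```

Reading the three outcomes: a timeout on UDP and a connection failure on TCP, while ping succeeds, is the signature of the firewall rule suspected above (ICMP permitted, port 53 not); REFUSED with no answers means the packets got through but the resolver will not recurse for this source address; NOERROR with an A record means the forwarder is usable from this host and the problem is elsewhere (the server's own NIC or DNS settings).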
 

Author Comment

by:MANGO247
ID: 34189479
Tomislav, you were right. It was a firewall issue. My forwarders are working. Should I worry about the dcdiag errors and warnings or leave them? Many thanks.
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34190068
Great, I'm glad you solved it.

Regarding the remaining errors, I myself would attempt to get the setup fully operative with NIC teaming in place (it does provide a more failure-proof environment) and eliminate the more serious errors in diagnostics.

I don't think this should be a major problem in your case since I believe that 99% of the errors regarding AD come from your NIC-teamed W2K8 servers and possibly firewall issues (you might want to review the rest of your firewall settings too).

In the first step you can leave your EBDMC01 machine without teaming for now and try applying the teaming patch on EBFIL01. After you test and prove such a config is stable you can rebuild the team on your EBDMC01 machine.

In whichever scenario you choose, the important thing is that your AD and DNS data does get properly replicated across your DCs, because any other situation sooner or later leads to serious headaches (unfortunately there are no great tools available from Microsoft for cleaning up an AD mess once it happens).

Regards and good luck,
Tomislav

0
