Solved

Server 2003 DC - Recursive Query fails in DNS

Posted on 2011-09-19
6
345 Views
Last Modified: 2012-05-12
Have two servers (server1 and server 2) which are both DCs.
For some reason they are not replicating.  Believe the issue is with DNS on server1.
This was first noticed when server1 could not access the internet.  Can ping internal names and IP addresses.  But cannot ping outside names (e.g. www.google.com) - will not resolve.
Am not onsite but able to remote to server2.  Cannot RDP to server1.  All network shares cannot be seen on server1.  From DNS Manager on server2 cannot open DNS settings for server1.
Had an onsite user check and appears DNS is setup correctly on server1.  On server1 can open DNS Manager and can see the settings for server1.  It fails the recursive query test.
Tried to force AD replication but encountered DNS errors.
Am reviewing the even viewer for errors.
Have rebooted server1.  
Any ideas?  Anyone have a troubleshooting doc?
Thanks
0
Comment
Question by:abpExpert
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
6 Comments
 
LVL 13

Expert Comment

by:Govvy
ID: 36561960
What are your forwarders set to on the DNS server which can't communicate externally? Good troubleshooting guides listed here: http://social.technet.microsoft.com/wiki/contents/articles/2285.aspx
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 36561981
> For some reason they are not replicating

AD isn't? Or DNS isn't?

If it's AD, or the DNS zone you're having trouble with is AD Integrated, DCDiag, "repadmin /showreps" and the Directory Service event logs are a good steps.
> But cannot ping outside names (e.g. www.google.com) - will not resolve.

This is a different problem. Perhaps we should look at how your Forwarders are set (if any are set at all)? And we must consider Firewalls and other devices that may block DNS traffic (mostly UDP/53).

> From DNS Manager on server2 cannot open DNS settings for server1.

Error message? Could be related to replication, so back to AD.

> It fails the recursive query test.

Repeat of above really, it's the same problem you saw when you couldn't get www.google.com.

In summary:

If it's AD having trouble: DCDiag, RepAdmin, Directory Service event logs.
If it's just DNS having trouble: Start with checking the things you've set as Forwarders.

And, of course, post any findings and we can all help you work through it.

Chris
0
 

Author Comment

by:abpExpert
ID: 36566904
Got more/verified info from someone onsite.

SERVER1
can ping by name and IP on the LAN
ping resolves name but no reply when trying to ping the WAN
DNS setting (i.e. forwarders seem correct)
file shares are not accessible
RDP is not working
Cannot modify Group Policies through the snap in
DCDIAG fails the FRSEVENT test
Still reviewing the event viewer
Ran MalwareBytes and removed three trojans

SERVER2
DCDIAG fails all tests related to accessing SERVER1

Both servers are Domain Controllers and SERVER1 holds the FSMO roles

Came across KB 839499 article and looking into that.
0
Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

 

Author Comment

by:abpExpert
ID: 36567379
One other note.

SERVER1 had an ISP DNS server listed in the NIC DNS properties setting.  According to the person onsite it had always been there.

My experience is you never do that.  Removed it and rebooted the server and the issue remained.

Also, both servers are set up to use themselves as primary DNS and the other server as a secondary.  Thought the setup was to use only itself as the DNS server on the NIC.  Have seen both used but believe that is not recommended.

Bottom line the RPC service is started but not working.  Any ideas?  Thanks in advance.
0
 

Accepted Solution

by:
abpExpert earned 0 total points
ID: 36569942
Here was the fix:

The IPSec service had been enabled through the services
So we stopped the service
We had to go into the MMC
Add the snap in
IP Security Monitor and
IP Security Policy Management unassigned the Policy in the MMC
Then restart the IPSec Service.

Once we stopped the IPSec Service the computer came alive.
0
 

Author Closing Comment

by:abpExpert
ID: 36708116
found solution
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question