Solved

Server 2003 DC - Recursive Query fails in DNS

Posted on 2011-09-19
6
341 Views
Last Modified: 2012-05-12
Have two servers (server1 and server 2) which are both DCs.
For some reason they are not replicating.  Believe the issue is with DNS on server1.
This was first noticed when server1 could not access the internet.  Can ping internal names and IP addresses.  But cannot ping outside names (e.g. www.google.com) - will not resolve.
Am not onsite but able to remote to server2.  Cannot RDP to server1.  All network shares cannot be seen on server1.  From DNS Manager on server2 cannot open DNS settings for server1.
Had an onsite user check and appears DNS is setup correctly on server1.  On server1 can open DNS Manager and can see the settings for server1.  It fails the recursive query test.
Tried to force AD replication but encountered DNS errors.
Am reviewing the even viewer for errors.
Have rebooted server1.  
Any ideas?  Anyone have a troubleshooting doc?
Thanks
0
Comment
Question by:abpExpert
  • 4
6 Comments
 
LVL 13

Expert Comment

by:Govvy
Comment Utility
What are your forwarders set to on the DNS server which can't communicate externally? Good troubleshooting guides listed here: http://social.technet.microsoft.com/wiki/contents/articles/2285.aspx
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility
> For some reason they are not replicating

AD isn't? Or DNS isn't?

If it's AD, or the DNS zone you're having trouble with is AD Integrated, DCDiag, "repadmin /showreps" and the Directory Service event logs are a good steps.
> But cannot ping outside names (e.g. www.google.com) - will not resolve.

This is a different problem. Perhaps we should look at how your Forwarders are set (if any are set at all)? And we must consider Firewalls and other devices that may block DNS traffic (mostly UDP/53).

> From DNS Manager on server2 cannot open DNS settings for server1.

Error message? Could be related to replication, so back to AD.

> It fails the recursive query test.

Repeat of above really, it's the same problem you saw when you couldn't get www.google.com.

In summary:

If it's AD having trouble: DCDiag, RepAdmin, Directory Service event logs.
If it's just DNS having trouble: Start with checking the things you've set as Forwarders.

And, of course, post any findings and we can all help you work through it.

Chris
0
 

Author Comment

by:abpExpert
Comment Utility
Got more/verified info from someone onsite.

SERVER1
can ping by name and IP on the LAN
ping resolves name but no reply when trying to ping the WAN
DNS setting (i.e. forwarders seem correct)
file shares are not accessible
RDP is not working
Cannot modify Group Policies through the snap in
DCDIAG fails the FRSEVENT test
Still reviewing the event viewer
Ran MalwareBytes and removed three trojans

SERVER2
DCDIAG fails all tests related to accessing SERVER1

Both servers are Domain Controllers and SERVER1 holds the FSMO roles

Came across KB 839499 article and looking into that.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:abpExpert
Comment Utility
One other note.

SERVER1 had an ISP DNS server listed in the NIC DNS properties setting.  According to the person onsite it had always been there.

My experience is you never do that.  Removed it and rebooted the server and the issue remained.

Also, both servers are set up to use themselves as primary DNS and the other server as a secondary.  Thought the setup was to use only itself as the DNS server on the NIC.  Have seen both used but believe that is not recommended.

Bottom line the RPC service is started but not working.  Any ideas?  Thanks in advance.
0
 

Accepted Solution

by:
abpExpert earned 0 total points
Comment Utility
Here was the fix:

The IPSec service had been enabled through the services
So we stopped the service
We had to go into the MMC
Add the snap in
IP Security Monitor and
IP Security Policy Management unassigned the Policy in the MMC
Then restart the IPSec Service.

Once we stopped the IPSec Service the computer came alive.
0
 

Author Closing Comment

by:abpExpert
Comment Utility
found solution
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Resolve DNS query failed errors for Exchange
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now