Solved

Server 2003 DC - Recursive Query fails in DNS

Posted on 2011-09-19
6
344 Views
Last Modified: 2012-05-12
Have two servers (server1 and server 2) which are both DCs.
For some reason they are not replicating.  Believe the issue is with DNS on server1.
This was first noticed when server1 could not access the internet.  Can ping internal names and IP addresses.  But cannot ping outside names (e.g. www.google.com) - will not resolve.
Am not onsite but able to remote to server2.  Cannot RDP to server1.  All network shares cannot be seen on server1.  From DNS Manager on server2 cannot open DNS settings for server1.
Had an onsite user check and appears DNS is setup correctly on server1.  On server1 can open DNS Manager and can see the settings for server1.  It fails the recursive query test.
Tried to force AD replication but encountered DNS errors.
Am reviewing the even viewer for errors.
Have rebooted server1.  
Any ideas?  Anyone have a troubleshooting doc?
Thanks
0
Comment
Question by:abpExpert
  • 4
6 Comments
 
LVL 13

Expert Comment

by:Govvy
ID: 36561960
What are your forwarders set to on the DNS server which can't communicate externally? Good troubleshooting guides listed here: http://social.technet.microsoft.com/wiki/contents/articles/2285.aspx
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 36561981
> For some reason they are not replicating

AD isn't? Or DNS isn't?

If it's AD, or the DNS zone you're having trouble with is AD Integrated, DCDiag, "repadmin /showreps" and the Directory Service event logs are a good steps.
> But cannot ping outside names (e.g. www.google.com) - will not resolve.

This is a different problem. Perhaps we should look at how your Forwarders are set (if any are set at all)? And we must consider Firewalls and other devices that may block DNS traffic (mostly UDP/53).

> From DNS Manager on server2 cannot open DNS settings for server1.

Error message? Could be related to replication, so back to AD.

> It fails the recursive query test.

Repeat of above really, it's the same problem you saw when you couldn't get www.google.com.

In summary:

If it's AD having trouble: DCDiag, RepAdmin, Directory Service event logs.
If it's just DNS having trouble: Start with checking the things you've set as Forwarders.

And, of course, post any findings and we can all help you work through it.

Chris
0
 

Author Comment

by:abpExpert
ID: 36566904
Got more/verified info from someone onsite.

SERVER1
can ping by name and IP on the LAN
ping resolves name but no reply when trying to ping the WAN
DNS setting (i.e. forwarders seem correct)
file shares are not accessible
RDP is not working
Cannot modify Group Policies through the snap in
DCDIAG fails the FRSEVENT test
Still reviewing the event viewer
Ran MalwareBytes and removed three trojans

SERVER2
DCDIAG fails all tests related to accessing SERVER1

Both servers are Domain Controllers and SERVER1 holds the FSMO roles

Came across KB 839499 article and looking into that.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:abpExpert
ID: 36567379
One other note.

SERVER1 had an ISP DNS server listed in the NIC DNS properties setting.  According to the person onsite it had always been there.

My experience is you never do that.  Removed it and rebooted the server and the issue remained.

Also, both servers are set up to use themselves as primary DNS and the other server as a secondary.  Thought the setup was to use only itself as the DNS server on the NIC.  Have seen both used but believe that is not recommended.

Bottom line the RPC service is started but not working.  Any ideas?  Thanks in advance.
0
 

Accepted Solution

by:
abpExpert earned 0 total points
ID: 36569942
Here was the fix:

The IPSec service had been enabled through the services
So we stopped the service
We had to go into the MMC
Add the snap in
IP Security Monitor and
IP Security Policy Management unassigned the Policy in the MMC
Then restart the IPSec Service.

Once we stopped the IPSec Service the computer came alive.
0
 

Author Closing Comment

by:abpExpert
ID: 36708116
found solution
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Active Directory not migrating to 2012 DC correctly 35 83
Windows DNS Server Caching 3 42
Windows 2012 DNS island on Domain Contoller 2 31
DNS zone 3 29
Learn about cloud computing and its benefits for small business owners.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question