• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 357
  • Last Modified:

Server 2003 DC - Recursive Query fails in DNS

Have two servers (server1 and server 2) which are both DCs.
For some reason they are not replicating.  Believe the issue is with DNS on server1.
This was first noticed when server1 could not access the internet.  Can ping internal names and IP addresses.  But cannot ping outside names (e.g. www.google.com) - will not resolve.
Am not onsite but able to remote to server2.  Cannot RDP to server1.  All network shares cannot be seen on server1.  From DNS Manager on server2 cannot open DNS settings for server1.
Had an onsite user check and appears DNS is setup correctly on server1.  On server1 can open DNS Manager and can see the settings for server1.  It fails the recursive query test.
Tried to force AD replication but encountered DNS errors.
Am reviewing the even viewer for errors.
Have rebooted server1.  
Any ideas?  Anyone have a troubleshooting doc?
Thanks
0
abpExpert
Asked:
abpExpert
  • 4
1 Solution
 
GovvyCommented:
What are your forwarders set to on the DNS server which can't communicate externally? Good troubleshooting guides listed here: http://social.technet.microsoft.com/wiki/contents/articles/2285.aspx
0
 
Chris DentPowerShell DeveloperCommented:
> For some reason they are not replicating

AD isn't? Or DNS isn't?

If it's AD, or the DNS zone you're having trouble with is AD Integrated, DCDiag, "repadmin /showreps" and the Directory Service event logs are a good steps.
> But cannot ping outside names (e.g. www.google.com) - will not resolve.

This is a different problem. Perhaps we should look at how your Forwarders are set (if any are set at all)? And we must consider Firewalls and other devices that may block DNS traffic (mostly UDP/53).

> From DNS Manager on server2 cannot open DNS settings for server1.

Error message? Could be related to replication, so back to AD.

> It fails the recursive query test.

Repeat of above really, it's the same problem you saw when you couldn't get www.google.com.

In summary:

If it's AD having trouble: DCDiag, RepAdmin, Directory Service event logs.
If it's just DNS having trouble: Start with checking the things you've set as Forwarders.

And, of course, post any findings and we can all help you work through it.

Chris
0
 
abpExpertAuthor Commented:
Got more/verified info from someone onsite.

SERVER1
can ping by name and IP on the LAN
ping resolves name but no reply when trying to ping the WAN
DNS setting (i.e. forwarders seem correct)
file shares are not accessible
RDP is not working
Cannot modify Group Policies through the snap in
DCDIAG fails the FRSEVENT test
Still reviewing the event viewer
Ran MalwareBytes and removed three trojans

SERVER2
DCDIAG fails all tests related to accessing SERVER1

Both servers are Domain Controllers and SERVER1 holds the FSMO roles

Came across KB 839499 article and looking into that.
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
abpExpertAuthor Commented:
One other note.

SERVER1 had an ISP DNS server listed in the NIC DNS properties setting.  According to the person onsite it had always been there.

My experience is you never do that.  Removed it and rebooted the server and the issue remained.

Also, both servers are set up to use themselves as primary DNS and the other server as a secondary.  Thought the setup was to use only itself as the DNS server on the NIC.  Have seen both used but believe that is not recommended.

Bottom line the RPC service is started but not working.  Any ideas?  Thanks in advance.
0
 
abpExpertAuthor Commented:
Here was the fix:

The IPSec service had been enabled through the services
So we stopped the service
We had to go into the MMC
Add the snap in
IP Security Monitor and
IP Security Policy Management unassigned the Policy in the MMC
Then restart the IPSec Service.

Once we stopped the IPSec Service the computer came alive.
0
 
abpExpertAuthor Commented:
found solution
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now