Link to home
Start Free TrialLog in
jackbenson asked:
DNS Server Errors - Zone TrustAnchors secondary, Name Servers, Forwarders

Hi,

I am getting a lot of errors/warnings in the Server 2012 Best Practice Tool for my DNS server.

I have 2 sites:

Local Network: 192.168.16.0
-- DC/DNS Server1 (Win 2012): 192.168.16.11 / fc00:1234:5678:9abc::11
-- DC/DNS Server2 (Win 2012): 192.168.16.21 / fc00:1234:5678:9abc::21
Azure: 10.4.2.0
-- DC/DNS Server3 (Win 2012): 10.4.2.5

The errors/warnings I am getting (and there are a lot):

Errors:
(1) Zone TrustAnchors secondary servers must respond to queries for the zone
(2) At least one name server in the list of root hints must respond to queries for the root zone.
(3) At least one DNS server on the list of forwarders must respond to DNS queries

Warnings:
Zone TrustAnchors secondary server 192.168.16.21 should respond to queries for the zone
Zone TrustAnchors secondary server 10.4.2.5 should respond to queries for the zone
(plus I have this for the following IP addresses: fc00:1234:5678:9abc:a42d:8f0:d407:c572, fc00:1234:5678:9abc:3827:74d2:8c82:c2ca, fc00:1234:5678:9abc:a157:ec04:1a5f:8b90, fc00:1234:5678:9abc::6, fc00:1234:5678:9abc:3b32:c635:33e3:52f2, fc00:1234:5678:9abc::11, fc00:1234:5678:9abc::17, fc00:1234:5678:9abc::21, fc00:1234:5678:9abc:d0d0:39d9:1db2:51b5)

Root hint server 192.33.4.12 must respond to NS queries for the root zone
(I have this for every root hint)

Forwarding server 8.8.4.4 should respond to DNS queries.
(Also the same for 8.8.4.4)

All my computers on my network are confirmed to use 192.168.16.11/192.168.16.21/fc00:1234:5678:9abc::11/fc00:1234:5678:9abc::21 as their DNS servers - and every computer can access the internet properly.

When I go into DNS Manager - into Root Hints, press Edit - it fails to validate the root hint.

What am I doing wrong? The error message I get is: A timeout occurred during validation.

I believe I only have a primary DNS zone that is replicated to my 3 DNS servers.

Forward Lookup Zones
_msdcs.DomainName.Local
DomainName.Local

Reverse Lookup Zones:
0.0.0.1.8.7.6.54.3.2.1.0.0.c.f.ip6.arpa (IPv6 local network range)
16.168.192.in-addr.arpa (IPv4 local network range)
2.4.10.in-addr.arpa (Azure network range)
c.b.a.9.8.7.6.5.4.3.2.1.0.0.c.f.ip6.arpa (DirectAccess clients)

Can anyone help me out?

Many thanks

jack
Cliff Galiher:

First guess is you have routing issues. It is also possible that you have some firewall issues, but routing seems more likely given the extent of the errors you are posting. If your routes are screwed up between your on-site network and your Azure virtual network, that will cause all manner of issues.
ASKER CERTIFIED SOLUTION by David Johnson, CD
jackbenson (asker):

cgaliher,

Thanks for your reply.

I have created a virtual network on Azure and have established a VPN connection between my ADSL router (192.168.16.1) and the Azure Virtual Network.

The connection is working - and it handles the routing from my 192.168.16.0 local network to the Azure network 10.4.2.0.

Is there something else I should have done to ensure that routing is working properly?

Some background on my network.

IPv4 - the default gateway is 192.168.16.1, which is my DrayTek ADSL router.

IPv6 - I have a Windows Server 2012 VM that runs DirectAccess Server and RRAS (DirAccServer1 192.168.16.19/fc00:1234:5678:9abc::16). This broadcasts itself as the IPv6 gateway using the IP address fe80::2833:3db9:c825:7dfe.

I do not know if it is related - but DC1 is my DHCP server. It gives out IPv4 addresses without a problem - but it does not give out IPv6 addresses.

ve3ofa,

Yes - that is where I have set the forwarders as 8.8.8.8 and 8.8.4.4

jack

jackbenson (asker):

When I run:

nslookup -type=ns 199.7.83.42

The result is:

Server:  DC2.DomainName.local
Address:  fc00:1234:5678:9abc::21

DNS request timed out.
    timeout was 2 seconds.
*** Request to DC2.DomainName.local timed-out


BUT when I run:

nslookup 199.7.83.42

I get the following result:

Server:  DC2.DomainName.local
Address:  fc00:1234:5678:9abc::21

Name:    l.root-servers.net
Address:  199.7.83.42

Any idea why the switch -type=ns leads to a failure?

Thanks

jack
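The root-hint validation and the `nslookup -type=ns` query above both come down to an NS query that the server must answer before a timeout. As an added example (not code from this thread), this Python 3 script builds that query for the root zone, parses the reply including compressed names, and returns None on timeout, which is the condition the Best Practice checks report as "must respond"; the sample reply is constructed, and `check_server` is a hypothetical helper for trying the same query against your own DNS server.

```python
import socket
import struct

def build_ns_query(name=".", txn_id=0x1234):
    """Query for NS records (QTYPE 2, class IN) of `name`; "." is the root zone."""
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.strip(".").split(".") if lab) + b"\x00"
    return struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x02\x00\x01"

def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:                       # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1 if end is None else end

def parse_ns_answer(msg):
    """Return (rcode, [NS target names]) from a response to an NS query."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, names = 12, []
    for _ in range(qd):                                   # skip the question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 2:
            names.append(_read_name(msg, off + 10)[0])
        off += 10 + rdlen
    return flags & 0x0F, names

def check_server(server, name=".", timeout=2.0):
    """UDP/53 query to `server`; None on timeout (the BPA 'must respond' failure)."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ns_query(name), (server, 53))
        try:
            return parse_ns_answer(s.recvfrom(4096)[0])
        except socket.timeout:
            return None
# Constructed reply to an NS query for ".": two NS records; names use pointers.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0002 0000 0000  00 0002 0001"        # header (rcode 0); question "." NS IN
    "c00c 0002 0001 00000e10 0014 0161 0c 726f6f742d73657276657273 03 6e6574 00"  # a.root-servers.net.
    "c00c 0002 0001 00000e10 0004 0162 c01f")            # "b" + pointer to root-servers.net.
```

`check_server("192.168.16.21")` sends the same root NS query the DNS Manager validation does to one of the servers listed above; a None result is the timeout the Best Practice tool is complaining about.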
With type=ns you are querying only the NS (name server) records, of which l.root-servers.net has a misconfiguration, i.e. no NS records.

I don't know if this is a stupid question - where should I put the NS records?

Turned out to be a problem with my DrayTek router - when I applied new firmware the problem was solved.