ITPOL
asked on
DNS: Forwarding server 8.8.8.8 should respond to DNS queries
Hi,
I have two DCs running WS2008 R2 with integrated DNS. I have the Google DNS servers set up as forwards on the DNS servers.
I have other servers getting DNS from these DCs. On the servers, I can ping external addresses, and browse to web addresses without issue.
However, if I run the best practice analyser it gives the above issue. Also if I run the tests on the DNS monitoring tab, I get a fail for recursive query.
The best practice analyser also gives errors about root hint servers not responding to NS queries.
It seems as though DNS is working, but presumably something is not right?
thanks
Hi,
Not sure why you chose 8.8.8.8, but wouldn't it be better to use the DNS servers from your provider?
8.8.8.8 should be considered really more or less a kind of test DNS server.
ASKER
Also, DCDiag gives me this;
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = POLDC1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: BridgeHouse\POLDC1
Starting test: Connectivity
......................... POLDC1 passed test Connectivity
Doing primary tests
Testing server: BridgeHouse\POLDC1
Starting test: Advertising
......................... POLDC1 passed test Advertising
Starting test: FrsEvent
......................... POLDC1 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... POLDC1 failed test DFSREvent
Starting test: SysVolCheck
......................... POLDC1 passed test SysVolCheck
Starting test: KccEvent
......................... POLDC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... POLDC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... POLDC1 passed test MachineAccount
Starting test: NCSecDesc
......................... POLDC1 passed test NCSecDesc
Starting test: NetLogons
......................... POLDC1 passed test NetLogons
Starting test: ObjectsReplicated
......................... POLDC1 passed test ObjectsReplicated
Starting test: Replications
......................... POLDC1 passed test Replications
Starting test: RidManager
......................... POLDC1 passed test RidManager
Starting test: Services
......................... POLDC1 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x000003F6
Time Generated: 09/12/2013 12:26:05
Event String:
Name resolution for the name 10.20.168.192.in-addr.arpa timed out af
ter none of the configured DNS servers responded.
A warning event occurred. EventID: 0x00001695
Time Generated: 09/12/2013 12:32:55
Event String:
Dynamic registration or deletion of one or more DNS records associat
ed with DNS domain 'xxx.xxx.com.' failed. These records are use
d by other computers to locate this server as a domain controller (if the specif
ied domain is an Active Directory domain) or as an LDAP server (if the specified
domain is an application partition).
A warning event occurred. EventID: 0x00001695
Time Generated: 09/12/2013 12:32:56
Event String:
Dynamic registration or deletion of one or more DNS records associat
ed with DNS domain 'DomainDnsZones.xxx.xxx.com.' failed. These
records are used by other computers to locate this server as a domain controller
(if the specified domain is an Active Directory domain) or as an LDAP server (i
f the specified domain is an application partition).
A warning event occurred. EventID: 0x00001695
Time Generated: 09/12/2013 12:32:56
Event String:
Dynamic registration or deletion of one or more DNS records associat
ed with DNS domain 'ForestDnsZones.xxx.xxx.com.' failed. These
records are used by other computers to locate this server as a domain controller
(if the specified domain is an Active Directory domain) or as an LDAP server (i
f the specified domain is an application partition).
......................... POLDC1 passed test SystemLog
Starting test: VerifyReferences
......................... POLDC1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : internal
Starting test: CheckSDRefDom
......................... internal passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... internal passed test CrossRefValidation
Running enterprise tests on : xxx.xxx.com
Starting test: LocatorCheck
......................... xxx.xxx.com passed test
LocatorCheck
Starting test: Intersite
......................... xxx.xxx.com passed test
Intersite
C:\Users\Administrator>
ASKER
Hi,
Yeah, I actually put in the ISP's DNS servers too, but got the same error.
Could you show us the part of the (unedited) ipconfig /all output where the primary and secondary DNS servers are mentioned?
ASKER
From DC1;
C:\Users\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : POLDC1
Primary Dns Suffix . . . . . . . : xxx.xxx.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xxx.xxx.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC107i PCIe Gigabit Server Adapter
Physical Address. . . . . . . . . : D8-D3-85-D7-08-31
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e4b8:8389:a1c8:117b%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.20.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.1
DHCPv6 IAID . . . . . . . . . . . : 249090949
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-C0-0E-AC-D8-D3-85-D7-08-31
DNS Servers . . . . . . . . . . . : ::1
192.168.20.11
192.168.20.10
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{545D5C29-771E-4EFD-8AF6-6DA39A5BB385}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\Administrator>
Best practice does not give me any errors regarding the issue you are having.
There are some errors shown but I declare them as false negatives.
Could you show us the error or warning?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Hi Helge,
For me, being European, I have (for example) a small problem with NSA-sensitive related servers.
Should the USA be aware of all our DNS queries while located in Europe? (Yeah yeah, I know, we also use Google search engines.)
Near perfectly reliable doesn't count for me; DNS is important, so in case it is not 'perfectly reliable' where load balancers can die, who am I going to call for support?
Otherwise, I do support your input by saying if nslookup debug shows up clean there is probably nothing much to worry about, because the poster's shown info seems correct.
ASKER
Here's the NS Lookup output;
C:\Users\Administrator>nslookup -debug <random.public.fqdn>
The syntax of the command is incorrect.
C:\Users\Administrator>nslookup -debug twitter.com
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
Server: UnKnown
Address: ::1
------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
twitter.com.xxx.xxx.com, type = A, class = IN
AUTHORITY RECORDS:
-> xxx.xxx.com
ttl = 3600 (1 hour)
primary name server = poldc1.xxx.xxx.com
responsible mail addr = hostmaster.xxx.xxx.com
serial = 80
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
twitter.com.xxx.xxx.com, type = AAAA, class = IN
AUTHORITY RECORDS:
-> xxx.xxx.com
ttl = 3600 (1 hour)
primary name server = poldc1.xxx.xxx.com
responsible mail addr = hostmaster.xxx.xxx.com
serial = 80
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 4, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
twitter.com.xxx.com, type = A, class = IN
AUTHORITY RECORDS:
-> xxx.com
ttl = 900 (15 mins)
primary name server = ns67.1and1.co.uk
responsible mail addr = hostmaster.1and1.co.uk
serial = 2011092701
refresh = 28800 (8 hours)
retry = 7200 (2 hours)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 5, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
twitter.com.xxx.com, type = AAAA, class = IN
AUTHORITY RECORDS:
-> xxx.com
ttl = 900 (15 mins)
primary name server = ns67.1and1.co.uk
responsible mail addr = hostmaster.1and1.co.uk
serial = 2011092701
refresh = 28800 (8 hours)
retry = 7200 (2 hours)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 6, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 3, authority records = 0, additional = 0
QUESTIONS:
twitter.com, type = A, class = IN
ANSWERS:
-> twitter.com
internet address = 199.16.156.198
ttl = 2 (2 secs)
-> twitter.com
internet address = 199.16.156.230
ttl = 2 (2 secs)
-> twitter.com
internet address = 199.16.156.102
ttl = 2 (2 secs)
------------
Non-authoritative answer:
------------
Got answer:
HEADER:
opcode = QUERY, id = 7, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
twitter.com, type = AAAA, class = IN
AUTHORITY RECORDS:
-> twitter.com
ttl = 3 (3 secs)
primary name server = ns1.p26.dynect.net
responsible mail addr = zone-admin.dyndns.com
serial = 2007115729
refresh = 3600 (1 hour)
retry = 600 (10 mins)
expire = 604800 (7 days)
default TTL = 60 (1 min)
------------
Name: twitter.com
Addresses: 199.16.156.198
199.16.156.230
199.16.156.102
C:\Users\Administrator>
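Added example, not part of the original thread: a small Python parser for nslookup -debug output like the post above, which separates the DNS-suffix search attempts from the query for the name as typed and shows which answers came from the server's own zone and which were obtained by recursion. The sample text is abridged from the posted output (answers id 2, 4 and 6); the function names are illustrative.

```python
import re
# Abridged from the nslookup -debug output posted above (answers id 2, 4, 6).
SAMPLE = """\
Got answer:
    opcode = QUERY, id = 2, rcode = NXDOMAIN
    header flags:  response, auth. answer, want recursion, recursion avail.
    QUESTIONS:
        twitter.com.xxx.xxx.com, type = A, class = IN
Got answer:
    opcode = QUERY, id = 4, rcode = NXDOMAIN
    header flags:  response, want recursion, recursion avail.
    QUESTIONS:
        twitter.com.xxx.com, type = A, class = IN
Got answer:
    opcode = QUERY, id = 6, rcode = NOERROR
    header flags:  response, want recursion, recursion avail.
    QUESTIONS:
        twitter.com, type = A, class = IN
"""

def parse_debug(text, asked):
    """One dict per 'Got answer:' block; any qname other than `asked` is a suffix-search try."""
    rows = []
    for block in text.split("Got answer:")[1:]:
        head = re.search(r"id = (\d+), rcode = (\w+)", block)
        flags = re.search(r"header flags:\s*(.+)", block).group(1)
        qname = re.search(r"QUESTIONS:\s*(\S+), type =", block).group(1)
        rows.append({
            "id": int(head.group(1)), "rcode": head.group(2), "qname": qname,
            "ra": "recursion avail" in flags,
            # AA flag set => served from a zone this DNS server hosts;
            # otherwise obtained by recursion (forwarder/root hints, maybe cached).
            "source": "local zone" if "auth. answer" in flags else "upstream",
            "kind": "asked" if qname == asked else "suffix-search",
        })
    return rows

def recursion_works(rows):
    """True if the name as typed came back NOERROR, non-authoritative, RA set."""
    return any(r["kind"] == "asked" and r["rcode"] == "NOERROR" and r["ra"]
               and r["source"] == "upstream" for r in rows)

def sent_upstream(rows):
    """Suffix-search names that were resolved upstream, not from the local zone."""
    return [r["qname"] for r in rows
            if r["kind"] == "suffix-search" and r["source"] == "upstream"]

if __name__ == "__main__":
    for r in parse_debug(SAMPLE, "twitter.com"):
        print(r["id"], r["qname"], r["kind"], r["source"], r["rcode"])
```

On the posted output this lists twitter.com.xxx.com as resolved upstream: the suffix search produced a name under the parent domain that was answered by the public xxx.com name servers before the bare name was tried.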
ASKER
Will do, thanks for your help...
ASKER
Thanks again