Solved

nslookup is failing from AD integrated DNS domain

Posted on 2013-10-23
6
386 Views
Last Modified: 2013-11-11
Hi all. I have 8 DCs across 2 sites all configured as DNS servers in an Integrated Domain. We use a conditional forwarder to an external IP address to domain name resolution.

I have a task to change the conditional forwarders IP address. When I run nslookup NewIpAddress from 1 sever i get a positive result detailing the domain name. On all other 7 servers i get a error saying dns request timed out. So, i am being told to go ahead and make the change regardless because the DNS chap is saying that hosts can still be resolved via clients even when nslookup fails.  This doesn't sound right to me, can anyone verify please?
0
Comment
Question by:Jason Thomas
  • 3
  • 3
6 Comments
 
LVL 1

Author Comment

by:Jason Thomas
ID: 39593711
Hi, I have also set the nslookup retry to 5 and the timeout to 20 seconds but still get DNS timeout error. Any DNS experts about?
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39594800
First ensure correct dns setting on DC and client as this.Also check the host file of DC for any invalid entry.

Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

If issue with NSLOOKUP only then it seems that your firewall does not support EDNS0 traffic, please try to disable this feature.To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0
 
EDNS0 (Extension mechanisms for DNS)
http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx
 
DNS Forwarders Problems in Windows 2008 R2 DNS Services
http://blogs.technet.com/b/hishamb_msft/archive/2010/09/02/dns-forwarders-problems-in-windows-2008-r2-dns-services.aspx
0
 
LVL 1

Author Comment

by:Jason Thomas
ID: 39598730
Hello and thanks for responding.
Yep, DNS setup is good.

I know it isn't firewall related as 1 of 8 of the DNS servers go through the same firewall and if one works...

Regarding:
There was no connectivity issues at all, what we found out this problem happens because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2008 R2 DNS and is enabled by default.
To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0

Question. What exactly is it i would be disabling? And as we have 2003 R2 does this apply to me?

Many thanks.
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39598770
0
 
LVL 1

Author Comment

by:Jason Thomas
ID: 39598799
Ok thanks but what is it i am actually doing by running the EDNSProbe 0 command please?
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39598847
Server 2003's DNS server has a new capability, it can handle UDP packets greater than 512 bytes. Unfortunately some firewalls cannot pass these packets so it is desirable to have the DNS server fall back to TCP in this case as it used to do in previous versions of NT DNS.

To turn off the EDNS-0 feature run this from a command prompt:
dnscmd /Config /EnableEDnsProbes 0

You can also configure the same by registry:http://technet.microsoft.com/en-us/library/cc787130(v=ws.10).aspx

Ace has good writeup on this:EDNS0 (Extension mechanisms for DNS)
http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question