Solved

nslookup is failing from AD integrated DNS domain

Posted on 2013-10-23
6
390 Views
Last Modified: 2013-11-11
Hi all. I have 8 DCs across 2 sites all configured as DNS servers in an Integrated Domain. We use a conditional forwarder to an external IP address to domain name resolution.

I have a task to change the conditional forwarders IP address. When I run nslookup NewIpAddress from 1 sever i get a positive result detailing the domain name. On all other 7 servers i get a error saying dns request timed out. So, i am being told to go ahead and make the change regardless because the DNS chap is saying that hosts can still be resolved via clients even when nslookup fails.  This doesn't sound right to me, can anyone verify please?
0
Comment
Question by:Jason Thomas
  • 3
  • 3
6 Comments
 
LVL 1

Author Comment

by:Jason Thomas
ID: 39593711
Hi, I have also set the nslookup retry to 5 and the timeout to 20 seconds but still get DNS timeout error. Any DNS experts about?
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39594800
First ensure correct dns setting on DC and client as this.Also check the host file of DC for any invalid entry.

Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

If issue with NSLOOKUP only then it seems that your firewall does not support EDNS0 traffic, please try to disable this feature.To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0
 
EDNS0 (Extension mechanisms for DNS)
http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx
 
DNS Forwarders Problems in Windows 2008 R2 DNS Services
http://blogs.technet.com/b/hishamb_msft/archive/2010/09/02/dns-forwarders-problems-in-windows-2008-r2-dns-services.aspx
0
 
LVL 1

Author Comment

by:Jason Thomas
ID: 39598730
Hello and thanks for responding.
Yep, DNS setup is good.

I know it isn't firewall related as 1 of 8 of the DNS servers go through the same firewall and if one works...

Regarding:
There was no connectivity issues at all, what we found out this problem happens because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2008 R2 DNS and is enabled by default.
To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0

Question. What exactly is it i would be disabling? And as we have 2003 R2 does this apply to me?

Many thanks.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39598770
0
 
LVL 1

Author Comment

by:Jason Thomas
ID: 39598799
Ok thanks but what is it i am actually doing by running the EDNSProbe 0 command please?
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39598847
Server 2003's DNS server has a new capability, it can handle UDP packets greater than 512 bytes. Unfortunately some firewalls cannot pass these packets so it is desirable to have the DNS server fall back to TCP in this case as it used to do in previous versions of NT DNS.

To turn off the EDNS-0 feature run this from a command prompt:
dnscmd /Config /EnableEDnsProbes 0

You can also configure the same by registry:http://technet.microsoft.com/en-us/library/cc787130(v=ws.10).aspx

Ace has good writeup on this:EDNS0 (Extension mechanisms for DNS)
http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question