nslookup is failing from AD integrated DNS domain
Hi all. I have 8 DCs across 2 sites all configured as DNS servers in an Integrated Domain. We use a conditional forwarder to an external IP address to domain name resolution.
I have a task to change the conditional forwarders IP address. When I run nslookup NewIpAddress from 1 sever i get a positive result detailing the domain name. On all other 7 servers i get a error saying dns request timed out. So, i am being told to go ahead and make the change regardless because the DNS chap is saying that hosts can still be resolved via clients even when nslookup fails. This doesn't sound right to me, can anyone verify please?
I have a task to change the conditional forwarders IP address. When I run nslookup NewIpAddress from 1 sever i get a positive result detailing the domain name. On all other 7 servers i get a error saying dns request timed out. So, i am being told to go ahead and make the change regardless because the DNS chap is saying that hosts can still be resolved via clients even when nslookup fails. This doesn't sound right to me, can anyone verify please?
First ensure correct dns setting on DC and client as this.Also check the host file of DC for any invalid entry.
Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
If issue with NSLOOKUP only then it seems that your firewall does not support EDNS0 traffic, please try to disable this feature.To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0
EDNS0 (Extension mechanisms for DNS)
http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx
DNS Forwarders Problems in Windows 2008 R2 DNS Services
http://blogs.technet.com/b/hishamb_msft/archive/2010/09/02/dns-forwarders-problems-in-windows-2008-r2-dns-services.aspx
Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
If issue with NSLOOKUP only then it seems that your firewall does not support EDNS0 traffic, please try to disable this feature.To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0
EDNS0 (Extension mechanisms for DNS)
http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx
DNS Forwarders Problems in Windows 2008 R2 DNS Services
http://blogs.technet.com/b/hishamb_msft/archive/2010/09/02/dns-forwarders-problems-in-windows-2008-r2-dns-services.aspx
ASKER
Hello and thanks for responding.
Yep, DNS setup is good.
I know it isn't firewall related as 1 of 8 of the DNS servers go through the same firewall and if one works...
Regarding:
There was no connectivity issues at all, what we found out this problem happens because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2008 R2 DNS and is enabled by default.
To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0
Question. What exactly is it i would be disabling? And as we have 2003 R2 does this apply to me?
Many thanks.
Yep, DNS setup is good.
I know it isn't firewall related as 1 of 8 of the DNS servers go through the same firewall and if one works...
Regarding:
There was no connectivity issues at all, what we found out this problem happens because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2008 R2 DNS and is enabled by default.
To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0
Question. What exactly is it i would be disabling? And as we have 2003 R2 does this apply to me?
Many thanks.
It is applicable to Windows 2003/R2 too see this:http://support.microsoft.com/?id=832223
http://support.microsoft.com/?id=828731 http://technet.microsoft.com/en-us/library/cc785769(WS.10).aspx
http://support.microsoft.com/?id=828731 http://technet.microsoft.com/en-us/library/cc785769(WS.10).aspx
ASKER
Ok thanks but what is it i am actually doing by running the EDNSProbe 0 command please?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER