nslookup is failing from AD integrated DNS domain

Posted on 2013-10-23
Last Modified: 2013-11-11
Hi all. I have 8 DCs across 2 sites all configured as DNS servers in an Integrated Domain. We use a conditional forwarder to an external IP address to domain name resolution.

I have a task to change the conditional forwarders IP address. When I run nslookup NewIpAddress from 1 sever i get a positive result detailing the domain name. On all other 7 servers i get a error saying dns request timed out. So, i am being told to go ahead and make the change regardless because the DNS chap is saying that hosts can still be resolved via clients even when nslookup fails.  This doesn't sound right to me, can anyone verify please?
Question by:Jason Thomas
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3

Author Comment

by:Jason Thomas
ID: 39593711
Hi, I have also set the nslookup retry to 5 and the timeout to 20 seconds but still get DNS timeout error. Any DNS experts about?
LVL 24

Expert Comment

ID: 39594800
First ensure correct dns setting on DC and client as this.Also check the host file of DC for any invalid entry.

Best practices for DNS client settings on DC and domain members.

If issue with NSLOOKUP only then it seems that your firewall does not support EDNS0 traffic, please try to disable this feature.To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0
EDNS0 (Extension mechanisms for DNS)
DNS Forwarders Problems in Windows 2008 R2 DNS Services

Author Comment

by:Jason Thomas
ID: 39598730
Hello and thanks for responding.
Yep, DNS setup is good.

I know it isn't firewall related as 1 of 8 of the DNS servers go through the same firewall and if one works...

There was no connectivity issues at all, what we found out this problem happens because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2008 R2 DNS and is enabled by default.
To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0

Question. What exactly is it i would be disabling? And as we have 2003 R2 does this apply to me?

Many thanks.
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

LVL 24

Expert Comment

ID: 39598770

Author Comment

by:Jason Thomas
ID: 39598799
Ok thanks but what is it i am actually doing by running the EDNSProbe 0 command please?
LVL 24

Accepted Solution

Sandeshdubey earned 500 total points
ID: 39598847
Server 2003's DNS server has a new capability, it can handle UDP packets greater than 512 bytes. Unfortunately some firewalls cannot pass these packets so it is desirable to have the DNS server fall back to TCP in this case as it used to do in previous versions of NT DNS.

To turn off the EDNS-0 feature run this from a command prompt:
dnscmd /Config /EnableEDnsProbes 0

You can also configure the same by registry:

Ace has good writeup on this:EDNS0 (Extension mechanisms for DNS)

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question