nslookup is failing from AD integrated DNS domain

Posted on 2013-10-23
Last Modified: 2013-11-11
Hi all. I have 8 DCs across 2 sites all configured as DNS servers in an Integrated Domain. We use a conditional forwarder to an external IP address to domain name resolution.

I have a task to change the conditional forwarders IP address. When I run nslookup NewIpAddress from 1 sever i get a positive result detailing the domain name. On all other 7 servers i get a error saying dns request timed out. So, i am being told to go ahead and make the change regardless because the DNS chap is saying that hosts can still be resolved via clients even when nslookup fails.  This doesn't sound right to me, can anyone verify please?
Question by:Jason Thomas
  • 3
  • 3

Author Comment

by:Jason Thomas
ID: 39593711
Hi, I have also set the nslookup retry to 5 and the timeout to 20 seconds but still get DNS timeout error. Any DNS experts about?
LVL 24

Expert Comment

ID: 39594800
First ensure correct dns setting on DC and client as this.Also check the host file of DC for any invalid entry.

Best practices for DNS client settings on DC and domain members.

If issue with NSLOOKUP only then it seems that your firewall does not support EDNS0 traffic, please try to disable this feature.To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0
EDNS0 (Extension mechanisms for DNS)
DNS Forwarders Problems in Windows 2008 R2 DNS Services

Author Comment

by:Jason Thomas
ID: 39598730
Hello and thanks for responding.
Yep, DNS setup is good.

I know it isn't firewall related as 1 of 8 of the DNS servers go through the same firewall and if one works...

There was no connectivity issues at all, what we found out this problem happens because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2008 R2 DNS and is enabled by default.
To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0

Question. What exactly is it i would be disabling? And as we have 2003 R2 does this apply to me?

Many thanks.
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

LVL 24

Expert Comment

ID: 39598770

Author Comment

by:Jason Thomas
ID: 39598799
Ok thanks but what is it i am actually doing by running the EDNSProbe 0 command please?
LVL 24

Accepted Solution

Sandeshdubey earned 500 total points
ID: 39598847
Server 2003's DNS server has a new capability, it can handle UDP packets greater than 512 bytes. Unfortunately some firewalls cannot pass these packets so it is desirable to have the DNS server fall back to TCP in this case as it used to do in previous versions of NT DNS.

To turn off the EDNS-0 feature run this from a command prompt:
dnscmd /Config /EnableEDnsProbes 0

You can also configure the same by registry:

Ace has good writeup on this:EDNS0 (Extension mechanisms for DNS)

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now