DNS Issue - Client on Network can't resolve website names...

We have a Windows network with two DCs: the primary DC is Windows Server 2012 R2 Standard and the secondary is Windows Server 2008 R2 Enterprise. Both are DNS servers; they point to each other first, then to themselves as the secondary, and the loopback address is added as the third DNS address.

Our firewall has a public DNS server (Google Public DNS) as the primary, the local DNS server as the secondary, and the ISP's DNS server as the third DNS option.

Our problem is that our clients cannot get to a website that is a forwarding address until I access that web page from one of the DNS servers on our network. Then it resolves the domain address right away, and it keeps resolving the address for about an hour or so, after which I have to repeat the process to get the site to come up again.

Can someone please help or point me in the right direction?

I have tried numerous configurations and the problem has been going on for about a month or so now.


Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
Do you have forwarders configured on your DNS servers?

Also, you should really have your DNS servers pointing to themselves for lookups.
Muhammad Burhan (Manager I.T.) commented:
Have you tried adding Google DNS in the Forwarders tab of the primary DC's DNS?

Your PDC's DNS is the DNS server for your clients, and when clients ask the PDC for URLs, your PDC doesn't know the answer because it has no DNS server for resolving external queries.

After adding a forwarder, the PDC will communicate with external DNS servers and resolve external queries for clients.
clcurri (Author) commented:
Thank you for the responses.

I do have forwarders configured on both DCs; I have our ISP's DNS servers listed first, then Google's Public DNS servers after that.

I originally had both DNS servers pointing only to themselves in the interface IPv4 settings, but I changed them because the BPA analyzer on both DNS servers listed this as an error in my configuration. So I changed that until there were no more errors. Also, the problem still happens with either configuration.

Kamal Khaleefa (Information Security Specialist) commented:
Is the address the client is trying to access internal or external?
clcurri (Author) commented:
The addresses are external forwarding addresses.
Muhammad Burhan (Manager I.T.) commented:
Test your DNS separately by removing all other DNS IPs from the PDC's DNS fields except the PDC's own IP, and then check the responses to the queries.
Also select the proper IP for listening for DNS queries in the DNS properties.
Kamal Khaleefa (Information Security Specialist) commented:
Try running the following command and post the result:
tracert "external address"
clcurri (Author) commented:
OK, I removed all the other DNS server IP addresses and pointed the primary DNS to itself. Also, in the DNS properties I changed the interface to only listen for DNS queries on the DNS server's own address, and I removed what looks like the IPv6 address that was checked, and I still have the same problem.

Here is my tracert:

C:\Program Files (x86)\PowerCmd>tracert www.cubpowercalculator.org

Tracing route to cubpowercalculator.org []
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  ip-66-80-30-121.static.megapath.net []
  2     4 ms     3 ms     4 ms  h-207-168-16-209.no.clli.megapath.net []
  3    50 ms     3 ms     3 ms  ae11-0.chcgilgb-mxc1.bb.megapath.net []
  4     3 ms     3 ms     3 ms  ae25-167.chi11.ip4.gtt.net []
  5     *        3 ms     3 ms  as3356.chi11.ip4.gtt.net []
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8    51 ms    52 ms    52 ms
  9     *        *        *     Request timed out.
 10    54 ms    54 ms    78 ms  ip-184-168-0-86.ip.secureserver.net []
 11    97 ms    66 ms    86 ms  te0-0-0-7.trmc0215-01.ars.mgmt.phx3.gdg []
 12    53 ms    53 ms    53 ms  ip-184-168-0-94.ip.secureserver.net []
 13    53 ms    53 ms    52 ms  ip-184-168-221-6.ip.secureserver.net []

Trace complete.
Muhammad Burhan (Manager I.T.) commented:
Clear the cache of your DNS server and clear it at the client side too.
Run ipconfig /flushdns at the server and client side.
In cmd, type nslookup wikipedia.org and check the results.
Try other domains in nslookup.
Try accessing URLs at the client side and verify that the DNS server responds correctly.
clcurri (Author) commented:
OK, I flushed the DNS, cleared the cache, updated the server data files, scavenged stale resource records and restarted the DNS Server service on the DNS servers, and flushed the DNS on the client side. I also did nslookups for the wikipedia.org website and for cubpowercalculator.org and .com, and they responded correctly.

The client then seemed to be able to pull up the websites at first, but after 15 minutes or so the same problem returned, with the client not being able to resolve web addresses unless I pull up the website on the DNS server first.

Is there anything else I can try? Or in this case is it best to rebuild the dns zones?
On your DNS server, have you checked the event logs for errors?

Have you run dcdiag /v /e > c:\dcdiag.txt to check the health of AD and DNS?
Muhammad Burhan (Manager I.T.) commented:
Try nslookup at the client side when they are not getting results and check what nslookup returns.

Is there any firewall?
Muhammad Burhan (Manager I.T.) commented:
Install on the DNS server and monitor live DNS traffic/queries from clients for troubleshooting.
clcurri (Author) commented:
We do have a hardware firewall, and the Windows software firewall is configured on the clients.

I'll try each of these suggestions then report the results.
clcurri (Author) commented:
OK, I ran dcdiag and came across a bunch of errors. I attached the txt file.
clcurri (Author) commented:
I also ran the DNS monitoring tool, and when I did an nslookup the DNS monitor displayed www.cubpowercalculator.org.mydomain.local a couple of times with a red light; then the next couple displayed the actual www.cubpowercalculator.org, without my domain at the end, with a green light.
clcurri (Author) commented:
Here is the DNS query txt file.
It looks like your server named dns2 is having problems. I would recommend moving all roles off dns2, then demoting it, then promoting it again.
Muhammad Burhan (Manager I.T.) commented:
The default behavior of nslookup is to append domain suffixes to your query. It will do that until it gets an answer to some question.

It appears that you probably had a temporary network disconnection. The host then tried to resolve a name, and since it could not resolve www.yahoo.com it started adding known domain suffixes to it. You should see www.yahoo.com.SUBDOMAIN.MYDOMAIN.COM, www.yahoo.com.MYDOMAIN.COM and www.yahoo.com.COM.

When all works correctly (network and DNS server) this should not be a problem.

Maybe recreating the zone will solve the issue.
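An added PowerShell check (not from the thread) that reproduces the nslookup test above from a client: for each DNS server the client is configured with, it queries the bare external name and the suffix-appended variants the resolver tries first, so the red suffixed lookups the DNS monitor showed can be separated from the answer for the real name. It assumes the DnsClient module (Windows 8 / Server 2012 and later) and uses the thread's example hostname as the default.

```powershell
# Added example (not from the thread): compare how each configured DNS server
# answers the bare external name and the suffix-appended variants that the
# Windows resolver / nslookup tries first. Run on an affected client.
param(
    [string]$Name = 'www.cubpowercalculator.org'   # external name from the thread
)

# DNS servers the client actually uses (IPv4 only, adapters with no servers skipped)
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique

# Suffixes the resolver appends: the global search list plus per-adapter suffixes
$suffixes = @(Get-DnsClientGlobalSetting).SuffixSearchList +
            (Get-DnsClient | Where-Object ConnectionSpecificSuffix |
             Select-Object -ExpandProperty ConnectionSpecificSuffix) |
            Where-Object { $_ } | Select-Object -Unique

# Candidate names in the order the resolver tries them: suffixed first, then bare
$candidates = @($suffixes | ForEach-Object { "$Name.$_" }) + $Name

foreach ($server in $servers) {
    foreach ($candidate in $candidates) {
        try {
            # -DnsOnly skips the local cache, hosts file, LLMNR and NetBIOS
            $answer = Resolve-DnsName -Name $candidate -Server $server -Type A `
                        -DnsOnly -NoHostsFile -ErrorAction Stop
            $ips = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress -join ','
            $state = if ($ips) { "ANSWER $ips" } else { 'NO A RECORD (CNAME only?)' }
        } catch {
            # NXDOMAIN / SERVFAIL / timeout. A suffixed name failing is expected;
            # the bare name failing on the DC but not on a public resolver is the bug.
            $state = "FAIL: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Server = $server; Query = $candidate; Result = $state }
    }
}
```

Run the same script again with the bare name against a public resolver (for example `Resolve-DnsName $Name -Server 8.8.8.8 -DnsOnly`): a failure only on the DC points at its forwarding or cache, while a failure on both points at the authoritative side, which matches the third-party provider finding later in the thread.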

clcurri (Author) commented:
OK, I have some new information. It seems as though our third-party domain provider is partly responsible for the problem, but they still haven't nailed down where exactly the problem is. It still doesn't explain how we are able to get to the site from our DNS servers without issue, while our clients can't get to the forwarded sites without first navigating to the sites from one of the DNS servers.

So I would still like to solve whatever the problem is on our end, but it doesn't look like I will be able to, so I am just going to rebuild our primary DNS zone like some of you suggested. Is there a best-practice article on how to rebuild our one and only DNS zone to prevent any network disruption?
If you only have one DNS server, there is no way of avoiding an outage.
Muhammad Burhan (Manager I.T.) commented:
If this is your DC's DNS, you will definitely face that bothersome situation.
But everything will be fine after recreating the zones.
Select a primary zone when creating the zone; see the attached image.
clcurri (Author) commented:
The only way the problem was resolved was by rebuilding the DNS zones; disabling the DC firewalls helped, and the DNS query tool also helped. I also kept getting connection timeout errors even after rebuilding the DNS zones (mydomain and _msdcs). The following command resolved the connection timeouts in all my browsers: netsh winsock reset catalog

Thank you everyone for all the feedback and support. Webpages seem to be resolving so much faster as a result too!
