Albert Widjaja
asked on
DNS Forwarding and Delegation Test failed on newly configured 2012 R2 domain controllers ?
Hi All,
I've just promoted 2x new Win2012 R2 AD DCs with integrated DNS server to replace the existing physical Server 2008 R2 domain controller.
However, when I issue the test dcdiag /test:DNS on both of my new 2012 R2 domain controllers, it returns failed:
Auth Basc Forw Del Dyn RReg Ext
_________________________________
PASS PASS FAIL FAIL PASS PASS n/a
The errors are in Delegation and Forwarding.
The existing old servers all successfully PASSED, and from them I can also ping one of my forwarders, 8.8.8.8.
The new servers cannot even ping 8.8.8.8.
Any help would be greatly appreciated.
Thanks,
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Mahesh,
Yes, I have listed and entered 8.8.8.8 as one of the forwarders. It works on the old server, while on the new servers it doesn't work.
From the new server, when I telnet to 8.8.8.8 53 (in PuTTY, I selected Telnet and then port 53) I get:
---------------------------
PuTTY Fatal Error
---------------------------
Network error: Connection refused
---------------------------
OK
---------------------------
While on the old server, I can keep the PuTTY window open when telnetting to 8.8.8.8 on port 53 using PuTTY.
SOLUTION
ASKER
Mahesh,
I'm just adding 2x new DCs in the same AD site (single AD domain).
The static IP addresses on the new servers that don't work:
PRODDC11-VM
DNS1: 10.0.0.11 (itself)
DNS2: 10.0.0.12 (another new DC on the same AD subnet)
PRODDC12-VM
DNS1: 10.0.0.12 (itself)
DNS2: 10.0.0.11 (another new DC on the same AD subnet)
The static IP addresses on the old servers that work:
PRODDC01-VM
DNS1: 10.1.1.26 (another DNS server in the different AD site/Data Center)
DNS2: 127.0.0.1 (local loopback)
PRODDC02-VM
DNS1: 10.1.1.26 (another DNS server in the different AD site/Data Center)
DNS2: 10.1.1.25 (another DNS server in the different AD site/Data Center)
No, I cannot make a connection using PuTTY from the new server to 8.8.8.8 port 53. But from the old server it is possible using PuTTY. Does this mean DNS TCP/53 is blocked by the hardware firewall?
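The PuTTY test above only exercises the TCP handshake to port 53, and ping only exercises ICMP, so neither shows on its own whether the forwarder answers DNS queries over UDP, over TCP, or both. The following script is an added example (not code from the thread or from Experts Exchange) that checks each forwarder configured on the local DNS server over UDP/53 and TCP/53 separately and also runs the DNS Server role's own forwarder test. It assumes the DnsServer and DnsClient PowerShell modules present on a Windows Server 2012 R2 DC with the DNS role, and the probe name www.microsoft.com is an arbitrary public name chosen for the example.

```powershell
# Added example (not from the thread): per-forwarder UDP/53 and TCP/53 checks
# run from a DC that holds the DNS Server role. Run in an elevated session.
Import-Module DnsServer
Import-Module DnsClient

# Any public name resolvable by the forwarder will do (assumption for the example).
$ProbeName = 'www.microsoft.com'

foreach ($fwd in (Get-DnsServerForwarder).IPAddress) {
    $ip = $fwd.IPAddressToString

    # UDP/53: an ordinary A query sent straight to the forwarder.
    $udpOk = $false
    try {
        $r = Resolve-DnsName -Name $ProbeName -Type A -Server $ip -DnsOnly -ErrorAction Stop
        $udpOk = @($r | Where-Object { $_.Type -eq 'A' }).Count -gt 0
    } catch { }

    # TCP/53: the same query forced over TCP. Needed for truncated (large)
    # responses; this is the path the telnet/PuTTY test approximates.
    $tcpOk = $false
    try {
        $r = Resolve-DnsName -Name $ProbeName -Type A -Server $ip -TcpOnly -ErrorAction Stop
        $tcpOk = @($r | Where-Object { $_.Type -eq 'A' }).Count -gt 0
    } catch { }

    # Bare TCP handshake to port 53, independent of any DNS payload, so a
    # firewall refusal/reset shows up even if the query failed for another reason.
    $tcpConnect = (Test-NetConnection -ComputerName $ip -Port 53 `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # The DNS Server role's built-in forwarder test for this address.
    $roleResult = (Test-DnsServer -IPAddress $fwd -Context Forwarder).Result

    [pscustomobject]@{
        Forwarder    = $ip
        Udp53Query   = $udpOk
        Tcp53Query   = $tcpOk
        Tcp53Connect = $tcpConnect
        RoleTest     = $roleResult
    }
}
```

Read the columns together: Udp53Query true with Tcp53Query and Tcp53Connect false is the pattern of a firewall that permits UDP/53 but drops or refuses TCP/53 towards the forwarder, which is the rule change the asker goes on to request; all four false on the new DCs but true on the old ones points at a source-address based rule rather than a problem with the forwarder itself. A failed ping proves nothing about DNS, since ICMP is commonly filtered independently of port 53.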
SOLUTION
ASKER
Mahesh,
So in this case, I will ask the network team to open TCP/53 for these new Domain Controller servers.
SOLUTION
ASKER
Also what about the _msdcs delegated folder under the domain.com zone on the new DCs?
Mahesh, I can see the new servers already have their own NS records in there.
Yes, there are some missing or decommissioned servers whose NS records are still there.
ASKER CERTIFIED SOLUTION
ASKER
Mahesh,
I've created another thread here: https://www.experts-exchange.com/questions/29012705/DNS-server-TEST-Delegations-Del-FAILED-IP-Unavailable-Missing-glue-A-record.html
I can see there is a PRODDC26-VM.MyDomain.com (NS) record entry under the MyDomain.com (greyed-out folder). Not sure what this is for, but the server PRODDC26-VM.MyDomain.com still exists and is running as a Domain Controller in the other AD site.
Shall I delete it?
For new DCs, just point the NS record in the _msdcs folder to the PDC master of your domain.
I have explained in detail what else can be done in the other thread you posted.
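The asker's two observations (decommissioned servers still listed as NS in the _msdcs delegation, and an NS entry for a DC in another site that they are unsure about) and Mahesh's advice to point the delegation at the PDC master can all be checked from one place. The script below is an added example, not code from the thread or from Experts Exchange: it reads the NS records that make up the _msdcs delegation inside the domain zone (the greyed-out _msdcs folder in the DNS console), checks each listed name server against the current list of domain controllers, checks that it has a glue A record in the parent zone, and flags whether the PDC emulator is among them. It assumes a single AD domain with the DnsServer and ActiveDirectory modules available on the DC, and that each delegated name server is a host in that same zone (the case in this thread). Nothing is deleted: the removal of stale entries is shown with -WhatIf so it only reports.

```powershell
# Added example (not from the thread): audit the NS records of the _msdcs
# delegation in the parent domain zone on a DC. Run as a Domain Admin on a DC.
Import-Module DnsServer
Import-Module ActiveDirectory

$adDomain = Get-ADDomain
$zone     = $adDomain.DNSRoot                               # e.g. MyDomain.com
$pdc      = $adDomain.PDCEmulator                           # FQDN of the PDC emulator
$dcs      = (Get-ADDomainController -Filter *).HostName     # FQDNs of all current DCs

# The delegation is stored as NS records at the name "_msdcs" in the parent zone.
$nsRecords = Get-DnsServerResourceRecord -ZoneName $zone -Name '_msdcs' -RRType NS

$report = foreach ($rec in $nsRecords) {
    $ns    = $rec.RecordData.NameServer.TrimEnd('.')
    $label = $ns.Split('.')[0]   # assumption: NS host lives in this zone

    # Glue: the delegated name server needs an A record in the parent zone;
    # without it dcdiag reports the delegation with a missing glue A record.
    $glue = Get-DnsServerResourceRecord -ZoneName $zone -Name $label -RRType A `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        NameServer  = $ns
        IsCurrentDC = ($dcs -contains $ns)      # false = stale/decommissioned
        HasGlueA    = [bool]$glue
        GlueIP      = (@($glue.RecordData.IPv4Address) -join ',')
        IsPDC       = ($ns -ieq $pdc)
    }
}
$report | Format-Table -AutoSize

if (-not ($report | Where-Object IsPDC)) {
    Write-Warning "PDC emulator $pdc is not an NS of the _msdcs delegation."
}

# Stale entries: NS names that no longer match an existing DC. -WhatIf only
# reports the removal; take it off after reviewing the list above.
foreach ($stale in ($report | Where-Object { -not $_.IsCurrentDC })) {
    Remove-DnsServerResourceRecord -ZoneName $zone -Name '_msdcs' -RRType NS `
        -RecordData ($stale.NameServer + '.') -Force -WhatIf
}
```

An NS entry whose IsCurrentDC is true (such as the PRODDC26-VM record the asker found) is a live DC in another site and is not an error by itself; the entries to remove are those where IsCurrentDC is false, and any entry with HasGlueA false needs its A record restored or the NS removed, since a delegation pointing at a name with no address is what the Del column in dcdiag fails on.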
ASKER
Thank you man !
ASKER
That was the error when I set up the server as a DNS server this morning.