Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
DNS Forwarding and Delegation Test failed on newly configured 2012 R2 domain controllers ?
Hi All,
I've just promoted 2x new Win2012 R2 AD DC with integrated DNS server to replace the existing Physical server 2008 R2 domain controller.
However, when I issue the test dcdiag/test:DNS in both of my new 2012 R2 domain controller, it returns failed:
The error is in Delegation and the Forwarding.
While the existing old server all successfully PASSED, I can also ping to one of my forwarders that is 8.8.8.8.
The new servers cannot even ping 8.8.8.8
Any help would be greatly appreciated.
Thanks,
I've just promoted 2x new Win2012 R2 AD DC with integrated DNS server to replace the existing Physical server 2008 R2 domain controller.
However, when I issue the test dcdiag/test:DNS in both of my new 2012 R2 domain controller, it returns failed:
Auth Basc Forw Del Dyn RReg Ext
_________________________________
PASS PASS FAIL FAIL PASS PASS n/a
The error is in Delegation and the Forwarding.
While the existing old server all successfully PASSED, I can also ping to one of my forwarders that is 8.8.8.8.
The new servers cannot even ping 8.8.8.8
Any help would be greatly appreciated.
Thanks,
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
have you setup 8.8.8.8 as forwarder on new server? if not please add on both servers
Ensure that you can telnet 8.8.8.8 server on TCP 53 from new servers
also check domain.com zone, expand it and under _msdcs delegation folder check its pointing to which server, if that server is stale \ unknown, your delegation test will fail. Replace stale entry with PDC server FQDN
Then try again test
Ensure that you can telnet 8.8.8.8 server on TCP 53 from new servers
also check domain.com zone, expand it and under _msdcs delegation folder check its pointing to which server, if that server is stale \ unknown, your delegation test will fail. Replace stale entry with PDC server FQDN
Then try again test
What does DNS delegation means ?
That was the error when I setup the server as DNS server this morning.
---------------------------
DNS Options
---------------------------
A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "MyDomain.com.au". Otherwise, no action is required.
---------------------------
OK
---------------------------
That was the error when I setup the server as DNS server this morning.
Mahesh,
Yes, I have listed and entered 8.8.8.8 as one of the forwarders. It works on the old server, while on the new servers it doesn't work.
From the new server when Telnet to 8.8.8.8 53 - in Putty, I selected Telnet and then Port# 53:
While on the old server, I can keep the Putty window open when Telnet to 8.8.8.8 on Port 53 using Putty.
Yes, I have listed and entered 8.8.8.8 as one of the forwarders. It works on the old server, while on the new servers it doesn't work.
From the new server when Telnet to 8.8.8.8 53 - in Putty, I selected Telnet and then Port# 53:
---------------------------
PuTTY Fatal Error
---------------------------
Network error: Connection refused
---------------------------
OK
---------------------------
While on the old server, I can keep the Putty window open when Telnet to 8.8.8.8 on Port 53 using Putty.
Since you are creating DC in parent domain, the dns zone is itself authoritative for Ad domain it hosts
When you promote DC and add dns role on same server, server install DNS role and start configuring AD
So in that case server don't have copy of dns zone received because its not replicated yet and server is trying to lookup at its own as being DNS server, since zone copy is not available, you are getting warning message.
server then lookup for another DC which you set as primary DNS and get connected to AD and start replicating
Once replication is done and zone is populated, the error is no more.
This is default behavior and hence ignore the error
are you able to telnet 8.8.8.8 from new servers on TCP 53, until that works, your forwarder test won't pass
When you promote DC and add dns role on same server, server install DNS role and start configuring AD
So in that case server don't have copy of dns zone received because its not replicated yet and server is trying to lookup at its own as being DNS server, since zone copy is not available, you are getting warning message.
server then lookup for another DC which you set as primary DNS and get connected to AD and start replicating
Once replication is done and zone is populated, the error is no more.
This is default behavior and hence ignore the error
are you able to telnet 8.8.8.8 from new servers on TCP 53, until that works, your forwarder test won't pass
Mahesh,
I'm just adding 2x new DC in the same AD site (single AD domain).
The static IP address on the new server that doesn't work:
PRODDC11-VM
DNS1: 10.0.0.11 (itself)
DNS2: 10.0.0.12 (another new DC on the same AD subnet)
PRODDC12-VM
DNS1: 10.0.0.12 (itself)
DNS2: 10.0.0.11 (another new DC on the same AD subnet)
The static IP address on the old server that works:
PRODDC01-VM
DNS1: 10.1.1.26 (another DNS server in the different AD site/Data Center)
DNS2: 127.0.0.1 (local loopback)
PRODDC02-VM
DNS1: 10.1.1.26 (another DNS server in the different AD site/Data Center)
DNS2: 10.1.1.25 (another DNS server in the different AD site/Data Center)
No I cannot perform connection using Putty from the new server to 8.8.8.8 port 53. But from the old server it is possible using Putty. Does this means the DNS TCP/53 is blocked by the hardware firewall ?
I'm just adding 2x new DC in the same AD site (single AD domain).
The static IP address on the new server that doesn't work:
PRODDC11-VM
DNS1: 10.0.0.11 (itself)
DNS2: 10.0.0.12 (another new DC on the same AD subnet)
PRODDC12-VM
DNS1: 10.0.0.12 (itself)
DNS2: 10.0.0.11 (another new DC on the same AD subnet)
The static IP address on the old server that works:
PRODDC01-VM
DNS1: 10.1.1.26 (another DNS server in the different AD site/Data Center)
DNS2: 127.0.0.1 (local loopback)
PRODDC02-VM
DNS1: 10.1.1.26 (another DNS server in the different AD site/Data Center)
DNS2: 10.1.1.25 (another DNS server in the different AD site/Data Center)
No I cannot perform connection using Putty from the new server to 8.8.8.8 port 53. But from the old server it is possible using Putty. Does this means the DNS TCP/53 is blocked by the hardware firewall ?
yes, that's right
some where connection is getting blocked
Also what about _msdcs delegated folder under domain.com zone on new DCs?
The NS record in that folder pointing to which server? most probably its configured to look some old non -existent server
U should point it to itself or PDC server, then delegation test will also pass
some where connection is getting blocked
Also what about _msdcs delegated folder under domain.com zone on new DCs?
The NS record in that folder pointing to which server? most probably its configured to look some old non -existent server
U should point it to itself or PDC server, then delegation test will also pass
Mahesh,
So in this case, i will ask the network team to open the TCP/53 for this new DomainController servers.
So in this case, i will ask the network team to open the TCP/53 for this new DomainController servers.
just add few more DNS servers when you open ports from google dns while opening ports for redundancy
Also what about _msdcs delegated folder under domain.com zone on new DCs?
Mahesh, I can see the new servers is already have it's own NS record in there.
yes, there are some missing or decommissioned server with the NS records still there.
OK
If there are any more delegations exists in zone like _msdcs and if it pointing to stale servers, still your delegation test fails
If there are any more delegations exists in zone like _msdcs and if it pointing to stale servers, still your delegation test fails
Mahesh,
I've created another thread here: https://www.experts-exchange.com/questions/29012705/DNS-server-TEST-Delegations-Del-FAILED-IP-Unavailable-Missing-glue-A-record.html
I can see there is PRODDC26-VM.MyDomain.com (NS) record entry under the MyDomain.com (greyed out folder). Not sure what this is for, but the server PRODDC26-VM.MyDomain.com still exist and running as Domain Controller in the other AD site.
Shall I delete it ?
I've created another thread here: https://www.experts-exchange.com/questions/29012705/DNS-server-TEST-Delegations-Del-FAILED-IP-Unavailable-Missing-glue-A-record.html
I can see there is PRODDC26-VM.MyDomain.com (NS) record entry under the MyDomain.com (greyed out folder). Not sure what this is for, but the server PRODDC26-VM.MyDomain.com still exist and running as Domain Controller in the other AD site.
Shall I delete it ?
Premium Content
You need an Expert Office subscription to comment.Start Free Trial