Albert Widjaja asked:

DNS Forwarding and Delegation Test failed on newly configured 2012 R2 domain controllers?

Hi All,

I've just promoted 2x new Win2012 R2 AD DCs with integrated DNS server to replace the existing physical Server 2008 R2 domain controller.

However, when I run dcdiag /test:DNS on both of my new 2012 R2 domain controllers, it returns failed:

Auth Basc Forw Del  Dyn  RReg Ext
_________________________________
PASS PASS FAIL FAIL PASS PASS n/a


The errors are in Delegation and Forwarding.

On the existing old servers, all tests PASSED; I can also ping one of my forwarders, 8.8.8.8.
The new servers cannot even ping 8.8.8.8.

Any help would be greatly appreciated.

Thanks,
Tags: DNS, Active Directory, Windows Networking, Microsoft Server OS, Windows Server 2012

Last comment: Albert Widjaja, 8/22/2022 (Mon)
SOLUTION
Mahesh

Albert Widjaja

ASKER
What does DNS delegation mean?

---------------------------
DNS Options
---------------------------
A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "MyDomain.com.au". Otherwise, no action is required.
---------------------------
OK  
---------------------------

That was the error when I set up the server as a DNS server this morning.
Albert Widjaja

ASKER
Mahesh,

Yes, I have listed and entered 8.8.8.8 as one of the forwarders. It works on the old server, while on the new servers it doesn't work.

From the new server, when I telnet to 8.8.8.8 port 53 (in PuTTY, I selected Telnet and then port 53):
---------------------------
PuTTY Fatal Error
---------------------------
Network error: Connection refused
---------------------------
OK   
---------------------------


On the old server, the PuTTY window stays open when I telnet to 8.8.8.8 on port 53.
SOLUTION
Mahesh

Albert Widjaja

ASKER
Mahesh,

I'm just adding 2x new DCs in the same AD site (single AD domain).

The static IP address (DNS) settings on the new servers that don't work:
PRODDC11-VM
DNS1: 10.0.0.11 (itself)
DNS2: 10.0.0.12 (another new DC on the same AD subnet)

PRODDC12-VM
DNS1: 10.0.0.12 (itself)
DNS2: 10.0.0.11 (another new DC on the same AD subnet)

The static IP address (DNS) settings on the old servers that work:
PRODDC01-VM
DNS1: 10.1.1.26 (another DNS server in the different AD site/Data Center)
DNS2: 127.0.0.1 (local loopback)

PRODDC02-VM
DNS1: 10.1.1.26 (another DNS server in the different AD site/Data Center)
DNS2: 10.1.1.25 (another DNS server in the different AD site/Data Center)

No, I cannot connect using PuTTY from the new server to 8.8.8.8 port 53. But from the old server it is possible using PuTTY. Does this mean DNS TCP/53 is blocked by the hardware firewall?
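The PuTTY check above only covers TCP/53 to one forwarder by hand. The following PowerShell, added here as an example and not part of the thread or of anyone's answer, runs the same check from the DC itself against every forwarder that the DNS server actually has configured, and adds a UDP/53 query so a "TCP blocked but UDP fine" situation (the pattern a stateful firewall ACL typically produces) is visible at a glance. It assumes the DnsServer module from the Windows Server 2012 R2 DNS role and Test-NetConnection (Windows 8.1 / 2012 R2 or later); the probe name is a constructed placeholder that any public A record can replace.

```powershell
# Added example, not from the thread: check each configured forwarder for
# TCP/53 reachability and for an actual DNS answer over UDP/53, from this DC.
# Assumes: DnsServer module (2012 R2 DNS role), Test-NetConnection (2012 R2+).
$ProbeName = 'www.example.com'   # assumption: any public A record the forwarder should answer

function Test-DnsForwarder {
    param([Parameter(Mandatory)][string]$Forwarder)

    # TCP/53 is what dcdiag's Forwarders test exercises; "Connection refused"
    # or a timeout here matches the PuTTY symptom described in the thread.
    $tcp = Test-NetConnection -ComputerName $Forwarder -Port 53 -WarningAction SilentlyContinue

    # UDP/53 query sent straight to the forwarder, bypassing the local cache.
    $udpOk = $false
    try {
        $answer = Resolve-DnsName -Name $ProbeName -Server $Forwarder -Type A -DnsOnly -ErrorAction Stop
        $udpOk  = [bool]($answer | Where-Object { $_.Type -eq 'A' })
    } catch {
        $udpOk = $false
    }

    [pscustomobject]@{
        Forwarder = $Forwarder
        TcpPort53 = $tcp.TcpTestSucceeded
        UdpQuery  = $udpOk
        Verdict   = if ($tcp.TcpTestSucceeded -and $udpOk) { 'OK' }
                    elseif ($udpOk) { 'UDP only: TCP/53 blocked (firewall/ACL from this subnet?)' }
                    else { 'Unreachable: check routing/ACL from this subnet' }
    }
}

# Forwarders currently configured on this DNS server (8.8.8.8 in the thread).
$forwarders = (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
$forwarders | ForEach-Object { Test-DnsForwarder -Forwarder $_ } | Format-Table -AutoSize
```

Run it on a new DC and on one of the old DCs and compare the two tables: if the old subnet shows OK and the new subnet shows "UDP only" or "Unreachable" for the same forwarder, the difference is in the network path (firewall rule or routing for the new VLAN), not in the DNS server configuration.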
SOLUTION
Albert Widjaja

ASKER
Mahesh,

So in this case, I will ask the network team to open TCP/53 for these new Domain Controller servers.
SOLUTION
Albert Widjaja

ASKER
Also what about _msdcs delegated folder under domain.com zone on new DCs?

Mahesh, I can see the new servers already have their own NS records in there.

Yes, there are some missing or decommissioned servers with their NS records still there.
ASKER CERTIFIED SOLUTION
Albert Widjaja

ASKER
Mahesh,

I've created another thread here: https://www.experts-exchange.com/questions/29012705/DNS-server-TEST-Delegations-Del-FAILED-IP-Unavailable-Missing-glue-A-record.html

I can see there is a PRODDC26-VM.MyDomain.com (NS) record entry under the MyDomain.com (greyed out) folder. Not sure what this is for, but the server PRODDC26-VM.MyDomain.com still exists and is running as a Domain Controller in the other AD site.

Shall I delete it?
Mahesh

For new DCs, just point the NS record in the _msdcs folder to the PDC master of your domain.

I have explained in detail what else can be done in the other thread you posted.
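Before deleting or repointing NS records by hand, it helps to see exactly which name servers the _msdcs delegation currently names and whether each one is still a live DC with a glue A record. The script below is an added example, not code from the thread or from Mahesh's answer; it covers both places the thread refers to (the delegation NS records under the `_msdcs` folder of the parent zone, and the apex NS records of the separate `_msdcs.<domain>` zone) and compares them with the domain controllers AD itself knows about. It assumes the DnsServer and ActiveDirectory PowerShell modules are installed on the DC it runs on, and it uses MyDomain.com.au from the thread as a placeholder domain name.

```powershell
# Added example, not from the thread: audit NS records for _msdcs against the
# live DC list and report stale entries and missing glue A records (read-only).
# Assumes: DnsServer + ActiveDirectory modules; $Domain is a placeholder.
$Domain = 'MyDomain.com.au'

function Get-MsdcsNsAudit {
    param([string]$DomainName = $Domain)

    # Authoritative DC list from AD, normalised to lowercase FQDNs without trailing dot.
    $liveDCs = (Get-ADDomainController -Filter *).HostName |
        ForEach-Object { $_.ToLower().TrimEnd('.') }

    # Two record sets name the _msdcs servers: the delegation in the parent zone
    # and the apex NS records of the _msdcs zone itself. Both should list live DCs.
    $sources = @(
        @{ Zone = $DomainName;          Name = '_msdcs' },   # delegation NS in parent zone
        @{ Zone = "_msdcs.$DomainName"; Name = '@'      }    # apex NS in the _msdcs zone
    )

    foreach ($src in $sources) {
        Get-DnsServerResourceRecord -ZoneName $src.Zone -Name $src.Name -RRType NS -ErrorAction SilentlyContinue |
            ForEach-Object {
                $ns = $_.RecordData.NameServer.ToLower().TrimEnd('.')
                [pscustomobject]@{
                    Zone       = $src.Zone
                    Record     = $src.Name
                    NameServer = $ns
                    IsLiveDC   = $liveDCs -contains $ns
                    # No A record for the NS host is the "IP Unavailable / missing glue"
                    # condition dcdiag's Del test complains about.
                    HasGlueA   = [bool](Resolve-DnsName -Name $ns -Type A -DnsOnly -ErrorAction SilentlyContinue)
                }
            }
    }
}

Get-MsdcsNsAudit | Sort-Object Zone, NameServer | Format-Table -AutoSize
```

Rows with IsLiveDC = False are the decommissioned servers whose NS records were left behind; rows with IsLiveDC = True but HasGlueA = False are live DCs whose host (A) record is missing from the zone. The script changes nothing; once the list is confirmed, the stale entries can be removed in the DNS console or with Remove-DnsServerResourceRecord, and only after that is it worth re-running dcdiag /test:DNS on the new DCs.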
Albert Widjaja

ASKER
Thank you, man!