DNS Forwarding and Delegation Test failed on newly configured 2012 R2 domain controllers ?

Hi All,

I've just promoted 2x new Win2012 R2 AD DC with integrated DNS server to replace the existing Physical server 2008 R2 domain controller.

However, when I issue the test dcdiag/test:DNS in both of my new 2012 R2 domain controller, it returns failed:

Auth Basc Forw Del  Dyn  RReg Ext
_________________________________

PASS PASS FAIL FAIL PASS PASS n/a

Open in new window


The error is in Delegation and the Forwarding.

While the existing old server all successfully PASSED, I can also ping to one of my forwarders that is 8.8.8.8.
The new servers cannot even ping 8.8.8.8

Any help would be greatly appreciated.

Thanks,
LVL 12
Senior IT System EngineerSenior Systems EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MaheshArchitectCommented:
have you setup 8.8.8.8 as forwarder on new server? if not please add on both servers
Ensure that you can telnet 8.8.8.8 server on TCP 53 from new servers
also check domain.com zone, expand it and under _msdcs delegation folder check its pointing to which server, if that server is stale \ unknown, your delegation test will fail. Replace stale entry with PDC server FQDN

Then try again test
Senior IT System EngineerSenior Systems EngineerAuthor Commented:
What does DNS delegation means ?

---------------------------
DNS Options
---------------------------
A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "MyDomain.com.au". Otherwise, no action is required.
---------------------------
OK  
---------------------------

That was the error when I setup the server as DNS server this morning.
Senior IT System EngineerSenior Systems EngineerAuthor Commented:
Mahesh,

Yes, I have listed and entered 8.8.8.8 as one of the forwarders. It works on the old server, while on the new servers it doesn't work.

From the new server when Telnet to 8.8.8.8 53 - in Putty, I selected Telnet and then Port# 53:
---------------------------
PuTTY Fatal Error
---------------------------
Network error: Connection refused
---------------------------
OK   
---------------------------

Open in new window


While on the old server, I can keep the Putty window open when Telnet to 8.8.8.8 on Port 53 using Putty.
Ensure Business Longevity with As-A-Service

Using the as-a-service approach for your business model allows you to grow your revenue stream with new practice areas, without forcing you to part ways with existing clients just because they don’t fit the mold of your new service offerings.

Download eBook
MaheshArchitectCommented:
Since you are creating DC in parent domain, the dns zone is itself authoritative for Ad domain it hosts
When you promote DC and add dns role on same server, server install DNS role and start configuring AD
So in that case server don't have copy of dns zone received because its not replicated yet and server is trying to lookup at its own as being DNS server, since zone copy is not available, you are getting warning message.
server then lookup for another DC which you set as primary DNS and get connected to AD and start replicating
Once replication is done and zone is populated, the error is no more.
This is default behavior and hence ignore the error

are you able to telnet 8.8.8.8 from new servers on TCP 53, until that works, your forwarder test won't pass
Senior IT System EngineerSenior Systems EngineerAuthor Commented:
Mahesh,

I'm just adding 2x new DC in the same AD site (single AD domain).

The static IP address on the new server that doesn't work:
PRODDC11-VM
DNS1: 10.0.0.11 (itself)
DNS2: 10.0.0.12 (another new DC on the same AD subnet)

PRODDC12-VM
DNS1: 10.0.0.12 (itself)
DNS2: 10.0.0.11 (another new DC on the same AD subnet)

The static IP address on the old server that works:
PRODDC01-VM
DNS1: 10.1.1.26 (another DNS server in the different AD site/Data Center)
DNS2: 127.0.0.1 (local loopback)

PRODDC02-VM
DNS1: 10.1.1.26 (another DNS server in the different AD site/Data Center)
DNS2: 10.1.1.25 (another DNS server in the different AD site/Data Center)

No I cannot perform connection using Putty from the new server to 8.8.8.8 port 53. But from the old server it is possible using Putty. Does this means the DNS TCP/53 is blocked by the hardware firewall ?
MaheshArchitectCommented:
yes, that's right

some where connection is getting blocked

Also what about _msdcs delegated folder under domain.com zone on new DCs?

The NS record in that folder pointing to which server? most probably its configured to look some old non -existent server

U should point it to itself or PDC server, then delegation test will also pass
Senior IT System EngineerSenior Systems EngineerAuthor Commented:
Mahesh,

So in this case, i will ask the network team to open the TCP/53 for this new DomainController servers.
MaheshArchitectCommented:
just add few more DNS servers when you open ports from google dns while opening ports for redundancy
Senior IT System EngineerSenior Systems EngineerAuthor Commented:
Also what about _msdcs delegated folder under domain.com zone on new DCs?

Mahesh, I can see the new servers is already have it's own NS record in there.

yes, there are some missing or decommissioned server with the NS records still there.
MaheshArchitectCommented:
OK
If there are any more delegations exists in zone like _msdcs and if it pointing to stale servers, still your delegation test fails

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Senior IT System EngineerSenior Systems EngineerAuthor Commented:
Mahesh,

I've created another thread here: https://www.experts-exchange.com/questions/29012705/DNS-server-TEST-Delegations-Del-FAILED-IP-Unavailable-Missing-glue-A-record.html

I can see there is PRODDC26-VM.MyDomain.com (NS) record entry under the MyDomain.com (greyed out folder). Not sure what this is for, but the server PRODDC26-VM.MyDomain.com still exist and running as Domain Controller in the other AD site.

Shall I delete it ?
MaheshArchitectCommented:
for new DCs, Just point NS record in _msdcs folder to PDC master of your domain

I have explained in detailed what else can be done in another thread you posted
Senior IT System EngineerSenior Systems EngineerAuthor Commented:
Thank you man !
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
DNS

From novice to tech pro — start learning today.