Zach Mitchell asked:

DNS Issues after adding UPN Suffix/Removing

Issue popped up while leveraging the Microsoft Fastrax team to migrate from GSuite to o365.

Our ADDNS was set up as site.contoso.com so that it wouldn't parallel our FQDN of contoso.com.

Website and Email domain is: contoso.com  
Internal ADDNS is: site.contoso.com

Fasttrax engineer had me install Azure Active Directory Sync and add a UPN suffix of contoso.com to our ADDNS.

Afterwards we could no longer connect to contoso.com internally.

After testing the sync and realizing that we could not use aliases in o365 mailboxes without an on-prem Exchange server, we uninstalled Azure Active Directory Sync and removed the UPN suffix of contoso.com in hopes that it would fix navigating to our website internally.

We still cannot access our website internally. The website is hosted outside of our network.

We cannot get Outlook to connect to o365 internally, but it does externally.

Creating a new zone of contoso.com in our DNS with records for www and the parent pointing to the external IP of our website did not fix this issue. I'm currently trying to get autodiscover to work via DNS and group policy for Outlook to connect from our network to o365.

Any suggestions/help would be much appreciated; I've put two 14-hour days in with no movement whatsoever.
J0rtIT:

Well, it would have been easier to add a new internal UPN (contoso.local) and then manage everything from there, since creating the same domain as a DNS zone... Well, what's done is done. In your case, I'd try nslookup and search for the www in the local server. What you need to do is make sure that your DNS is using contoso.com to reach the web instead of site.contoso.com.
Did you check if there is any entry for contoso.com in conditional forwarding? Also, check the Forwarders and Root Hints tabs in the DNS properties.

Are you able to resolve any other internet names from your internal network?
Zach Mitchell (asker):

The internal ADDNS was set up as site.contoso.com and does not exist on the web.

Our externally hosted website is contoso.com and our email addresses leverage that domain: john@contoso.com

They had me add the internal UPN suffix of contoso.com so that the emails would maintain the domain of contoso.com when leveraging our AD as the auth server instead of the domain it was set up as, "site.contoso.com". However, we needed to have alias capabilities, which is why none of this was necessary; backing these changes out did not fix our issue with not being able to access our website.

When I was first setting up our ADDNS a couple of years ago I was going off of the latest Microsoft docs on best practices, where it said to never use .local and that you should use something that didn't match your FQDN; hence site.contoso.com was born.
No, using .local or .anything is always optional, but if you're migrating or doing hybrid stuff with Exchange you could just use the root domain "contoso.com"; that would have saved you a lot of headaches right now, Zach. Well, if everything is already on "site.contoso.com", just try to resolve the www internally, using nslookup and selecting your DNS server (domain controller, not a router).
Thank you for the response, Manoj Vishwakarma. Here is what I found.

Expert Comment by: Manoj Vishwakarma
"Did you check if there is any entry for contoso.com in conditional forwarding? Also, check the Forwarders and Root Hints tabs in the DNS properties.

Are you able to resolve any other internet names from your internal network?"

We are able to resolve external addresses, just not websites related to our domain. *.contoso.com or contoso.com will not resolve even with new zones created pointing to those services.

Conditional forwarding is blank, there are none in our environment currently.

The Forwarders tab only has our ISP's DNS servers. Root Hints has the defaults of a.root-servers.net etc., nothing that I recognize (appears to be the defaults in screenshots in help docs).
How many DNS servers do you have? Have you checked on all DNS servers that contoso.com is not hiding anywhere?
J0rt3g4,
The o365 account is set up with our root domain of "contoso.com". This is GoDaddy-managed DNS and the website is a hosted solution. Our internal Active Directory operates as site.contoso.com. When we thought we could auth off of our AD we needed to add a UPN suffix of contoso.com to retain our normal email domain.

I'm fairly new to DNS in general and I may be misunderstanding.

Thank you for the responses!
Currently we only have one ADDNS, so I only have one server to troubleshoot currently.

I'm working to get this one squared away before we bring up another DNS for load balancing. (Next year's budget will give me the hardware to do so.)
A couple of steps:

Can you right-click on the DNS server and click on "Update Server Data Files"?

Do you have any entry for contoso.com here: HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\DNS Server\Zones

And
HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Search List
I right-clicked the DNS server and did "Update Server Data Files".

"Do you have any entry for contoso.com here: HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\DNS Server\Zones"

I only see:
site.contoso.com
_msdcs.site.contoso.com
16.16.172.in-addr.arpa
TrustAnchors
And one I created recently to try to get Outlook working: autodiscover.contoso.com

"HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Search List"

There isn't a "Search List" after Parameters.
I just noticed this error in the DNS Logs:  "The DNS server has detected that it is no longer the Key Master for zone site.contoso.com. The Key Master role has been seized or transferred to HOSTNAME.site.contoso.com"
An nslookup internally of "contoso.com" reports back our websites external IP address.
From PowerShell:

Reset-DnsServerZoneKeyMasterRole -ZoneName site.contoso.com -KeyMasterServer dcname.contoso.com -Force
SOLUTION by MVISH (hidden; only available to Experts Exchange members)
I haven't run "Reset-DnsServerZoneKeyMasterRole -ZoneName site.contoso.com -KeyMasterServer dcname.contoso.com -Force" yet.

This is the output:

Get-DnsServerDnsSecZoneSetting -ZoneName site.contoso.com


ZoneName                      : site.contoso.com
IsKeyMasterServer             : False
KeyMasterServer               : HOSTNAME.site.contoso.com
KeyMasterStatus               : Online
DenialOfExistence             : NSec3
NSec3HashAlgorithm            : RsaSha1
NSec3Iterations               : 50
NSec3OptOut                   : False
IsNSec3SaltConfigured         : True
NSec3RandomSaltLength         : 8
NSec3UserSalt                 : -
DnsKeyRecordSetTTL            : 00:00:00
DSRecordSetTTL                : 00:00:00
DSRecordGenerationAlgorithm   : {Sha1, Sha256}
DistributeTrustAnchor         : {None}
EnableRfc5011KeyRollover      : True
ParentHasSecureDelegation     : False
SecureDelegationPollingPeriod : 12:00:00
PropagationTime               : 2.00:00:00
SignatureInceptionOffset      : 01:00:00
It is my understanding that the DC name is site.contoso.com, as we only have the one ADDNS all on one server currently. So that command would look like this?

Reset-DnsServerZoneKeyMasterRole -ZoneName site.contoso.com -KeyMasterServer site.contoso.com -Force
SOLUTION (hidden; only available to Experts Exchange members)
Attempt 1 Output:
PS C:\Users\Administrator> Reset-DnsServerZoneKeyMasterRole -ZoneName site.contos.com -KeyMasterServer HOSTNAME.site.contoso.com -Force
Reset-DnsServerZoneKeyMasterRole : The zone site.contoso.com was not found on server HOSTNAME.site.contoso.com.
At line:1 char:1
+ Reset-DnsServerZoneKeyMasterRole -ZoneName site.contoso.com -KeyMasterServer  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (site.contoso.com:root/Microsoft/...neKeyMasterRole) [Reset-DnsServer
   ZoneKeyMasterRole], CimException
    + FullyQualifiedErrorId : WIN32 9601,Reset-DnsServerZoneKeyMasterRole
      
Attempt 2 Output:
PS C:\Users\Administrator> Reset-DnsServerZoneKeyMasterRole -ZoneName site.contoso.com -KeyMasterServer HOSTNAME.contoso.com -Force
Reset-DnsServerZoneKeyMasterRole : There was an error in contacting the DNS server HOSTNAME.Contoso.com. Please
verify that HOSTNAME.contoso.com is a valid DNS server.
At line:1 char:1
+ Reset-DnsServerZoneKeyMasterRole -ZoneName site.contoso.com -KeyMasterServer  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (HOSTNAME.contoso.com:root/Microsoft/...neKeyMasterRole) [Reset-DnsServer
   ZoneKeyMasterRole], CimException
    + FullyQualifiedErrorId : WIN32 1722,Reset-DnsServerZoneKeyMasterRole
SOLUTION (hidden; only available to Experts Exchange members)
The GUI worked. Output:

PS C:\Users\Administrator> Get-DnsServerDnsSecZoneSetting -ZoneName site.contoso.com


ZoneName                      : site.contoso.com
IsKeyMasterServer             : True
KeyMasterServer               : HOSTNAME.site.contoso.com
KeyMasterStatus               : Online
DenialOfExistence             : NSec3
NSec3HashAlgorithm            : RsaSha1
NSec3Iterations               : 50
NSec3OptOut                   : False
IsNSec3SaltConfigured         : True
NSec3RandomSaltLength         : 8
NSec3UserSalt                 : -
DnsKeyRecordSetTTL            : 01:00:00
DSRecordSetTTL                : 01:00:00
DSRecordGenerationAlgorithm   : {Sha1, Sha256}
DistributeTrustAnchor         : {None}
EnableRfc5011KeyRollover      : True
ParentHasSecureDelegation     : False
SecureDelegationPollingPeriod : 12:00:00
PropagationTime               : 2.00:00:00
SignatureInceptionOffset      : 01:00:00
How about name resolution for contoso.com?
Still doesn't load the page. Flushed DNS and cleared the DNS cache. Didn't resolve.
Under the forward lookup zones folder "_msdcs.site.contoso.com" I noticed a CNAME record with what appears to be a random string of characters, like when you delete a user's account and their record reflects a random string on shares.
What happens if you type the following in a command prompt?

nslookup google.com

nslookup yourwebsite.com
That's fine. What records do you have inside site.contoso.com? Can you send a screenshot?
Server:  hostname.site.contos.com
Address:  172.16.16.#

Name:    google.com
Addresses:  2607:f8b0:400a:800::200e
        216.58.193.78

Server:  hostname.site.contos.com
Address:  172.16.16.#

Name:    contoso.com
Address:  ##.###.###.41     <----correct external ip for our website
SOLUTION (hidden; only available to Experts Exchange members)
After we signed the zone a ton of these showed up:
[screenshot]
The rest of the file shows our computer hostnames.

I'll send a real screenshot to your inbox.
No proxy in play. Our network switches are configured to leverage our DNS first, then the ISP DNS servers.
Quick Update:

By adding a new zone of autodiscover.contoso.com to our DNS server, Outlook clients are now working. (We had a certificate error until we did Manoj Vishwakarma's steps to sign the zones; thanks again Manoj.) I had done this step originally but added the wrong IPs for our area. If you do an nslookup for autodiscover.outlook.com you will find the correct IPs for your region to add to this zone. I added all of them listed as A records. This fixed our Outlook-would-not-connect issue.

Current Issue:
Manoj helped me identify that our DNS is routing properly, but there is an issue with navigating to our website via the web. An nslookup shows the correct IP for our external website, but it still will not connect via browsers. This is what I'm currently trying to troubleshoot.
@Zach - you may benefit from starting a whole new question on this.  However, going back to your original question I have some notes.
"Fasttrax engineer had me install Azure Active Directory Sync and add a UPN suffix of contoso.com to our ADDNS."
A UPN suffix is completely different from DNS (even though a UPN looks like an email address). Adding a UPN suffix should not involve creating anything in your DNS.  You can add an alternate UPN suffix by opening AD Domains and Trusts, right-click the root object and select Properties > you can add "contoso.com" here.

It's easiest if your users' UPN and email address are the same.  E.g. user John Doe with email jdoe@contoso.com would also have their UPN set to jdoe@contoso.com.

"After testing the sync and realizing that we could not use Alias's in o365 mailbox without an on prem exchange server"
What do you mean by this?

You said you deleted the UPN suffix, but did you actually delete the UPN suffix, or did you delete a zone in DNS?
I would say that you should not have any zone for contoso.com in your internal DNS, let that be handled by your public DNS servers.  This is also where you would have the autodiscover record as recommended by MS for O365.

Many websites use the domain name like "contoso.com" instead of "www.contoso.com" (a practice which I abhor).  A network capture done while trying to navigate to the website (first clear the DNS cache) would likely tell you if other records in the contoso.com domain are being queried.
I actually went to Domains and Trusts and removed the UPN suffix; yesterday I added it back when we realized autodiscover was pulling the wrong domain. All users have been set to the new UPN suffix in AD so that autodiscover pulls correctly. We are on the same page as far as the UPN suffix, and it is working as intended. No DNS records were created for contoso.com.

As for the alias thing, we had ADSYNC installed and the accounts that would sync over could not have an alias set. We were told by the Fastrax team that we would have to have an on-prem Exchange server to configure aliases on the accounts. So we had to use local accounts on the o365 portal to configure aliases. (We needed this feature as we standardized our naming convention and didn't want users to lose any mail sent to the non-standard naming convention that they used for 10+ years.)

I have been clearing the DNS cache on the server and flushing DNS on clients before every test. There is not currently a DNS record for contoso.com in our DNS. That being said, an nslookup shows the correct IP, but you still can't navigate to the site via the web. So confusing.

Thank you for your reply, footech. I am extremely happy/shocked with how fast this community has helped me :)
Regarding aliases, you mean so that user John Doe could have email addresses "jdoe@contoso.com", "johnd@contoso.com" and "john.doe@contoso.com"?
If so, you don't need on-prem Exchange for that.  You just need to add the additional smtp addresses in the user's proxyAddresses attribute.  The format is prefix with "SMTP:" for the primary address (what it will appear from), and "smtp:" for any additional addresses.

It is easier to manage with Exchange though.  You can get a license for this purpose free (don't worry about the mentions of Ex2007/2003).
https://support.microsoft.com/en-us/help/2939261/how-to-obtain-an-exchange-hybrid-edition-product-key-for-your-on-premi

Can you navigate to your site just by using the IP?
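The proxyAddresses approach footech describes, written out as an added PowerShell example that is not from the thread. It assumes the ActiveDirectory RSAT module, a hypothetical user jdoe, and enforces the format given above (one uppercase "SMTP:" primary, lowercase "smtp:" aliases) before writing anything.

```powershell
Import-Module ActiveDirectory

function Set-UserSmtpAliases {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $PrimaryAddress,   # written as "SMTP:" (uppercase = primary)
        [string[]] $Aliases = @()                          # written as "smtp:" (lowercase = secondary)
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses

    # Keep non-SMTP entries (x500:, SIP:, ...) as they are; rebuild only the SMTP ones.
    # -notmatch is case-insensitive, so this drops both "SMTP:" and "smtp:" entries.
    $nonSmtp = @($user.proxyAddresses | Where-Object { $_ -notmatch '^smtp:' })

    $smtp = @("SMTP:$PrimaryAddress")
    foreach ($alias in $Aliases) {
        # Skip the primary if it was passed again, and de-duplicate case-insensitively.
        if ($alias -ine $PrimaryAddress -and $smtp -inotcontains "smtp:$alias") {
            $smtp += "smtp:$alias"
        }
    }

    # Directory rule: exactly one uppercase "SMTP:" entry per object. Fail loudly if violated.
    $primaryCount = @($smtp | Where-Object { $_ -cmatch '^SMTP:' }).Count
    if ($primaryCount -ne 1) {
        throw "Expected exactly one primary SMTP: entry, found $primaryCount"
    }

    [string[]] $newValue = $nonSmtp + $smtp
    if ($PSCmdlet.ShouldProcess($SamAccountName, "Set proxyAddresses to: $($newValue -join '; ')")) {
        # -EmailAddress keeps the mail attribute in step with the primary address.
        Set-ADUser -Identity $SamAccountName -EmailAddress $PrimaryAddress `
            -Replace @{ proxyAddresses = $newValue }
    }
    return $newValue
}

# Hypothetical user and addresses; -WhatIf previews the write without touching AD.
Set-UserSmtpAliases -SamAccountName 'jdoe' -PrimaryAddress 'jdoe@contoso.com' `
    -Aliases 'johnd@contoso.com', 'john.doe@contoso.com' -WhatIf
```

Drop -WhatIf once the preview shows the expected list; after the next sync cycle the aliases appear on the cloud mailbox.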
"Regarding aliases": yes, that is exactly what we needed.

The host that houses our website also houses websites for our parent company, using virtual hosts to direct you to the different websites on the same IP. So trying the IP in the browser seems to go nowhere, but I feel that is a by-product of the virtual hosts our web host has in place.

At this point in time, moving over to the SSO we wanted from our AD will be too much of a headache for our users, but I'm saving that information for a later date to get on SSO. I'm surprised the Fastrax engineer didn't give us that information.
I think MS pretty much says that on-prem Exchange is needed to manage mail attributes, because most people wouldn't want to figure out which attributes to edit, and then edit them manually.  Scripting makes it much easier.

I think you've already answered this, but I'd like to confirm: do the following return the same IP?
nslookup contoso.com.
nslookup www.contoso.com.

If so, then I'd say the network capture is your next bet.
Also, try setting a workstation inside your network to use 8.8.8.8 for DNS and try to browse to the website.
I can't see any way that making changes to move to Office 365 as you've described would impact your ability to reach your website.
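The resolver comparison and 8.8.8.8 test suggested in this thread, combined into an added PowerShell example that is not from the thread. The names and resolver addresses are placeholders, and it assumes Resolve-DnsName and Test-NetConnection (Windows 8 / Server 2012 or later); querying the ISP forwarder directly is what separates an on-prem zone problem from an upstream one.

```powershell
# Constructed placeholders: replace with the real DC, the forwarder from the Forwarders tab, etc.
$Names     = @('contoso.com', 'www.contoso.com', 'autodiscover.contoso.com')
$Resolvers = @{
    'internal DC' = '172.16.16.1'   # placeholder: the site.contoso.com domain controller
    'ISP DNS'     = '203.0.113.53'  # placeholder: the forwarder the DC sends recursive queries to
    'Google'      = '8.8.8.8'
}

function Get-ResolutionReport {
    param([string[]] $Names, [hashtable] $Resolvers)
    foreach ($name in $Names) {
        foreach ($label in $Resolvers.Keys) {
            try {
                # -DnsOnly bypasses the local cache and hosts file, so every answer comes off the wire.
                $answers = Resolve-DnsName -Name $name -Type A -Server $Resolvers[$label] -DnsOnly -ErrorAction Stop |
                           Where-Object { $_.Type -eq 'A' }
                $ips = ($answers.IPAddress | Sort-Object) -join ','
            } catch {
                $ips = "ERROR: $($_.Exception.Message)"
            }
            [pscustomobject]@{ Name = $name; Resolver = $label; Answer = $ips }
        }
    }
}

$report = Get-ResolutionReport -Names $Names -Resolvers $Resolvers
$report | Format-Table -AutoSize

# Resolvers that disagree for the same name are the first thing to investigate.
$report | Group-Object Name |
    Where-Object { @($_.Group.Answer | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { Write-Warning "Resolvers disagree for $($_.Name)" }

# A correct A record that still fails in the browser points away from DNS: test the TCP handshake.
$ips = $report.Answer | Where-Object { $_ -match '^\d' } | ForEach-Object { $_ -split ',' } | Select-Object -Unique
foreach ($ip in $ips) {
    foreach ($port in 80, 443) {
        $ok = (Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1} TCP connect -> {2}' -f $ip, $port, $(if ($ok) { 'open' } else { 'blocked/timeout' })
    }
}
```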
I added 8.8.8.8 and 8.8.4.4 into the mix for testing prior to creating this thread; no luck there. Tried it as a manual setting on my PC's network adapter too.

I hadn't tried the nslookup on www until you said that, but they do show the same IP.

I think the o365 part is a coincidence.
What does it show when you try to go to the webpage?
Have you tried a tracert?

I've heard of the scenario where the web host was actually blocking the company's IP, or it wasn't allowed to access the site in the ACL; never encountered it personally though.

At this point it doesn't seem like the issue has anything to do with DNS.
ASKER CERTIFIED SOLUTION (hidden; only available to Experts Exchange members)
The issue with resolving our external address was ISP DNS server related, not an issue with our on-prem setup.