Windows 2k8 R2 DNS server - DNS request timed out

Hello everyone!

I have a problem with fresh installed AD/DNS server.

I have one domain controller that works as it should, without any issues.

I tried to install a second DC at the second office. I've installed the Active Directory role and executed dcpromo - everything went smoothly. But the DNS server on that new server doesn't work. When I try to execute the nslookup command, it says "DNS request timed out. timeout was 2 seconds."
And I don't have any idea why.
I've checked:
- DNS server service is running;
- it received info about zones from AD;
- DNS server is listening on all IP addresses (netstat confirms it);
- DNS has a reverse lookup zone with the PTR record for the new server;
- I don't see any DNS-related errors in the Event Viewer;
- firewall is completely off for tests.

ipconfig output from the server. 192.168.250.125 - LAN address, 10.0.9.103 - VPN tunnel, 192.168.0.11 - main DC
C:\Users\myuser>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : EX-DC2
   Primary Dns Suffix  . . . . . . . : MyDomain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : MyDomain.com

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : mydomain.com
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-29-C6-AF-56
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.250.125(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.250.1
   DNS Servers . . . . . . . . . . . : 192.168.250.125
                                       192.168.0.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter OpenVPN:

   Connection-specific DNS Suffix  . : mydomain.com
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-8A-C9-A1-FE
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.9.103(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, January 24, 2018 3:17:18 AM
   Lease Expires . . . . . . . . . . : Thursday, January 24, 2019 3:17:17 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.0.9.254
   DNS Servers . . . . . . . . . . . : 192.168.250.125
                                       192.168.0.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.mydomain.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : mydomain.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\myuser>



nslookup
C:\Users\myuser>nslookup ex-dc
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.250.125

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\Users\myuser>


Andriy Mudrenko asked:
 
Andriy Mudrenko (Author) commented (accepted solution):
Hello everyone!
The problem is solved. In my case the OpenVPN was the cause. The "block-outside-dns" option was pushed by the OpenVPN server to ex-dc2. So as soon as a tunnel became up and running, OpenVPN began to block DNS requests on all other interfaces.
0
 
65td commented:
Ensure the new server is listed on the original DNS server.

Could try:
Open a cmd prompt, enter ipconfig, set d2, then the IP of the new DNS server, then the host name.
set d2 will give a detailed listing of the DNS query.

Also, is NetBIOS required on your network?
0
 
65td commented:
I made a typo: instead of ipconfig, enter nslookup!
0
 
Andriy Mudrenko (Author) commented:
Seems like everything is OK on the original DNS:

C:\Users\myuser>nslookup
Default Server:  localhost
Address:  127.0.0.1

> set d2
> 192.168.250.125
Server:  localhost
Address:  127.0.0.1

------------
SendRequest(), len 46
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        125.250.168.192.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (88 bytes):
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        125.250.168.192.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  125.250.168.192.in-addr.arpa
        type = PTR, class = IN, dlen = 30
        name = ex-dc2.mydomain.com
        ttl = 1200 (20 mins)

------------
Name:    ex-dc2.mydomain.com
Address:  192.168.250.125

>
>
> ex-dc2.mydomain.com
Server:  localhost
Address:  127.0.0.1

------------
SendRequest(), len 68
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com.mydomain.com, type = A, class = IN


------------
------------
Got answer (136 bytes):
    HEADER:
        opcode = QUERY, id = 4, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com.mydomain.com, type = A, class = IN

    AUTHORITY RECORDS:
    ->  mydomain.com
        type = SOA, class = IN, dlen = 35
        ttl = 3600 (1 hour)
        primary name server = ex-dc.mydomain.com
        responsible mail addr = admin
        serial  = 34990
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
SendRequest(), len 68
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com.mydomain.com, type = AAAA, class = IN

------------
------------
Got answer (136 bytes):
    HEADER:
        opcode = QUERY, id = 5, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com.mydomain.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  mydomain.com
        type = SOA, class = IN, dlen = 35
        ttl = 3600 (1 hour)
        primary name server = ex-dc.mydomain.com
        responsible mail addr = admin
        serial  = 34990
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
SendRequest(), len 46
    HEADER:
        opcode = QUERY, id = 6, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com, type = A, class = IN

------------
------------
Got answer (78 bytes):
    HEADER:
        opcode = QUERY, id = 6, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 2,  authority records = 0,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com, type = A, class = IN
    ANSWERS:
    ->  ex-dc2.mydomain.com
        type = A, class = IN, dlen = 4
        internet address = 10.0.9.103
        ttl = 3600 (1 hour)
    ->  ex-dc2.mydomain.com
        type = A, class = IN, dlen = 4
        internet address = 192.168.250.125
        ttl = 3600 (1 hour)

------------
------------
SendRequest(), len 46
    HEADER:
        opcode = QUERY, id = 7, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com, type = AAAA, class = IN

------------
------------
Got answer (93 bytes):
    HEADER:
        opcode = QUERY, id = 7, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  mydomain.com
        type = SOA, class = IN, dlen = 35
        ttl = 3600 (1 hour)
        primary name server = ex-dc.mydomain.com
        responsible mail addr = admin
        serial  = 34990
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
Name:    ex-dc2.mydomain.com
Addresses:  10.0.9.103
          192.168.250.125

>


0
 
Freddy Medina Majetić (IT System Administrator) commented:
Hi,

Try to configure 192.168.0.11 (assuming its hostname is EX-DC) as the DNS server for EX-DC2 (192.168.250.125), and 192.168.250.125 as the DNS server for EX-DC.

This can help you identify whether EX-DC2 has something wrong.
0
 
Andriy Mudrenko (Author) commented:
Additional info. For some reason the DNS server accepts requests only on the 10.0.9.103 interface (OpenVPN):

C:\Users\myuser> telnet 127.0.0.1 53
Connecting To 127.0.0.1...Could not open connection to the host, on port 53: Connect failed
C:\Users\myuser> telnet 192.168.250.125 53
Connecting To 192.168.250.125...Could not open connection to the host, on port 53: Connect failed
C:\Users\myuser>
C:\Users\myuser>
C:\Users\myuser> nslookup ex-dc 127.0.0.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  127.0.0.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
C:\Users\myuser>
C:\Users\myuser>
C:\Users\myuser> nslookup ex-dc 192.168.250.125
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.250.125

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
C:\Users\myuser>
C:\Users\myuser>
C:\Users\myuser> nslookup ex-dc 10.0.9.103
Server:  ex-dc2.mydomain.com
Address:  10.0.9.103

Name:    ex-dc.mydomain.com
Address:  192.168.0.11

PS C:\Users\myuser>



The radio button "Listen on ALL IP addresses" is enabled.
0
 
65td commented:
Can the two servers ping each other via IP and host name?
0
 
Sarang Tinguria (Sr Engineer) commented:
Go to DNS Server properties and, under the tab shown below, please select the internal IP address.

New-Bitmap-Image.bmp
0
 
Andriy Mudrenko (Author) commented:
Sarang Tinguria, all IPs are selected.
netstat shows that port 53 TCP and port 53 UDP are open on all IPs. But in fact, DNS responds only on one IP address. It seems like a firewall is blocking the other connections. But the Windows firewall is off, and there are no other firewalls installed.

dns.png
0
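As an added diagnostic example (not code from the question or from any of the answers): this PowerShell script probes every local IPv4 address on UDP/53 with a minimal hand-built DNS A query and decodes the reply header, which is what the nslookup and telnet runs above did by hand. A server bound on all addresses (netstat, "Listen on ALL IP addresses") that still times out on the LAN and loopback addresses while answering on the tunnel address is exactly the picture the accepted answer explains: OpenVPN's pushed "block-outside-dns" option installs Windows Filtering Platform filters that drop port-53 traffic on every interface except the TAP adapter, and those filters are not Windows Firewall rules, so turning the firewall off does not remove them. The script targets PowerShell 2.0 / .NET 3.5 as shipped with Windows Server 2008 R2; the $Name default (ex-dc.mydomain.com, the name from the question), the 2000 ms timeout (mirroring nslookup) and the function names are the example's own choices.

```powershell
# Added example (not from the question or the answers): probe each local IPv4
# address on UDP/53 with a raw DNS A query and classify the result.
# Assumptions: run on the DNS server itself; $Name is a record the server
# hosts; PowerShell 2.0 / .NET 3.5 (no Get-NetIPAddress, no Resolve-DnsName).
param(
    [string]$Name      = 'ex-dc.mydomain.com',   # name from the question
    [int]   $TimeoutMs = 2000                    # nslookup's default 2 s
)

$RCodeNames = @{ 0 = 'NOERROR'; 1 = 'FORMERR'; 2 = 'SERVFAIL'; 3 = 'NXDOMAIN'; 5 = 'REFUSED' }

function New-DnsQuery {
    # Wire-format query: 12-byte header, length-prefixed QNAME labels, QTYPE=A, QCLASS=IN
    param([string]$QName, [int]$Id)
    $q = @()
    $q += ($Id -shr 8), ($Id -band 0xFF)                    # transaction ID
    $q += 0x01, 0x00                                        # flags: standard query, RD=1
    $q += 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00    # QDCOUNT=1, AN/NS/AR=0
    foreach ($label in $QName.TrimEnd('.').Split('.')) {
        $q += $label.Length
        $q += [System.Text.Encoding]::ASCII.GetBytes($label)
    }
    $q += 0                                                 # root label ends QNAME
    $q += 0x00, 0x01, 0x00, 0x01                            # QTYPE=A, QCLASS=IN
    return [byte[]]$q
}

function Test-DnsOnAddress {
    # One query to $Server:53. A connected UDP socket reports ICMP port-unreachable
    # as ConnectionReset, so "nothing listening" is distinguishable from packets
    # being silently dropped by a filter (TimedOut).
    param([string]$Server, [string]$QName, [int]$Timeout)
    $r = New-Object PSObject -Property @{ Address = $Server; Status = ''; RCode = ''; Answers = 0 }
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $Timeout
    try {
        $udp.Connect($Server, 53)
        $id    = Get-Random -Minimum 1 -Maximum 65535
        $query = [byte[]](New-DnsQuery -QName $QName -Id $id)
        [void]$udp.Send($query, $query.Length)
        $from  = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
        $rid   = ($reply[0] -shl 8) -bor $reply[1]
        if ($rid -ne $id) { $r.Status = 'BAD-ID'; return $r }   # reply for a different query
        $rcode = $reply[3] -band 0x0F                             # low 4 bits of flags
        $r.Status = 'ANSWERED'
        if ($RCodeNames.ContainsKey($rcode)) { $r.RCode = $RCodeNames[$rcode] } else { $r.RCode = "RCODE$rcode" }
        $r.Answers = ($reply[6] -shl 8) -bor $reply[7]            # ANCOUNT
    } catch [System.Net.Sockets.SocketException] {
        $r.Status = [string]$_.Exception.SocketErrorCode          # TimedOut or ConnectionReset
    } finally {
        $udp.Close()
    }
    return $r
}

function Get-LocalIPv4Address {
    # Enumerate addresses of interfaces that are Up via .NET; loopback is added
    # explicitly because nslookup against 127.0.0.1 is the usual first test.
    $seen = @{ '127.0.0.1' = $true }
    $list = @(New-Object PSObject -Property @{ Interface = 'loopback'; Address = '127.0.0.1' })
    foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        if ($nic.OperationalStatus -ne 'Up') { continue }
        foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
            $ip = $ua.Address.ToString()
            if ($ua.Address.AddressFamily -ne 'InterNetwork' -or $seen.ContainsKey($ip)) { continue }
            $seen[$ip] = $true
            $list += New-Object PSObject -Property @{ Interface = $nic.Name; Address = $ip }
        }
    }
    return $list
}

$results = @()
foreach ($a in Get-LocalIPv4Address) {
    $r = Test-DnsOnAddress -Server $a.Address -QName $Name -Timeout $TimeoutMs
    $r | Add-Member -MemberType NoteProperty -Name Interface -Value $a.Interface
    $results += $r
}
$results | Format-Table Interface, Address, Status, RCode, Answers -AutoSize
```

Run it on the new DC while the tunnel is up and again with OpenVPN stopped: TimedOut on loopback and the LAN address but ANSWERED on the TAP address while the tunnel is up, and ANSWERED everywhere once it is down, confirms a per-interface filter rather than a DNS Server configuration problem; ConnectionReset instead would mean nothing is bound on that address. The filters "block-outside-dns" installs can be listed with "netsh wfp show filters", which writes them to filters.xml. The correction belongs in the OpenVPN configuration, not in the DNS server: drop push "block-outside-dns" from the server profile for this client, or, with OpenVPN 2.4 or later on the client, add pull-filter ignore "block-outside-dns" to the client profile so the pushed option is discarded.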
 
Andriy Mudrenko (Author) commented:
65td, after I configured 10.0.9.103 (the OpenVPN address) as the DNS server on the new DC, I can use nslookup on it and can ping the main DC by hostname and by IP. And I can ping the new DC from the main DC by hostname and by IP.
So DNS is working as it should.
The only problem is that it accepts connections only on one IP address...
0
 
Sarang Tinguria (Sr Engineer) commented:
Hey Andriy,

Please select the specific internal IP which you want DNS to work on, as in my screenshot above, and see if it works as expected.
0
 
Seth Simmons (Sr. Systems Administrator) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Andriy Mudrenko (https:#a42448719)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0