Windows 2k8 R2 DNS server - DNS request timed out

Hello everyone!

I have a problem with a freshly installed AD/DNS server.

I have one domain controller that works as it should, without any issues.

Tried to install a second DC at the second office. I've installed the Active Directory role, executed dcpromo - everything went smoothly. But the DNS server on that new server doesn't work. When I try to execute the nslookup command, it says "DNS request timed out. timed out was 2 seconds."
And I don't have any idea why.
I've checked:
- DNS server service is running;
- it received info about zones from AD;
- DNS server is listening on all ip addresses (netstat confirms it);
- DNS has a reverse lookup zone with the ptr record for the new server;
- I don't see any DNS-related errors in the Event Viewer;
- firewall is completely off for the tests.

ipconfig from the server. 192.168.250.125 - LAN address, 10.0.9.103 - VPN tunnel, 192.168.0.11 - main DC:
C:\Users\myuser>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : EX-DC2
   Primary Dns Suffix  . . . . . . . : MyDomain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : MyDomain.com

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : mydomain.com
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-29-C6-AF-56
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.250.125(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.250.1
   DNS Servers . . . . . . . . . . . : 192.168.250.125
                                       192.168.0.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter OpenVPN:

   Connection-specific DNS Suffix  . : mydomain.com
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-8A-C9-A1-FE
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.9.103(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, January 24, 2018 3:17:18 AM
   Lease Expires . . . . . . . . . . : Thursday, January 24, 2019 3:17:17 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.0.9.254
   DNS Servers . . . . . . . . . . . : 192.168.250.125
                                       192.168.0.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.mydomain.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : mydomain.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\myuser>


nslookup:
C:\Users\myuser>nslookup ex-dc
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.250.125

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\Users\myuser>


Andriy Mudrenko (System Engineer) asked.

65td (Retired) commented:
Ensure the new server is listed on the original DNS server.

Could try:
Open a cmd prompt, enter ipconfig, set d2, then the IP of the new DNS server, then the host name.
set d2 will give a detailed listing of the DNS query.

Also, is NetBIOS required on your network?
0
65td (Retired) commented:
I made a typo: instead of ipconfig, enter nslookup!
0
Andriy Mudrenko (System Engineer, Author) commented:
Seems like everything is OK on the original DNS:

C:\Users\myuser>nslookup
Default Server:  localhost
Address:  127.0.0.1

> set d2
> 192.168.250.125
Server:  localhost
Address:  127.0.0.1

------------
SendRequest(), len 46
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        125.250.168.192.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (88 bytes):
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        125.250.168.192.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  125.250.168.192.in-addr.arpa
        type = PTR, class = IN, dlen = 30
        name = ex-dc2.mydomain.com
        ttl = 1200 (20 mins)

------------
Name:    ex-dc2.mydomain.com
Address:  192.168.250.125

>
>
> ex-dc2.mydomain.com
Server:  localhost
Address:  127.0.0.1

------------
SendRequest(), len 68
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com.mydomain.com, type = A, class = IN


------------
------------
Got answer (136 bytes):
    HEADER:
        opcode = QUERY, id = 4, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com.mydomain.com, type = A, class = IN

    AUTHORITY RECORDS:
    ->  mydomain.com
        type = SOA, class = IN, dlen = 35
        ttl = 3600 (1 hour)
        primary name server = ex-dc.mydomain.com
        responsible mail addr = admin
        serial  = 34990
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
SendRequest(), len 68
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com.mydomain.com, type = AAAA, class = IN

------------
------------
Got answer (136 bytes):
    HEADER:
        opcode = QUERY, id = 5, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com.mydomain.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  mydomain.com
        type = SOA, class = IN, dlen = 35
        ttl = 3600 (1 hour)
        primary name server = ex-dc.mydomain.com
        responsible mail addr = admin
        serial  = 34990
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
SendRequest(), len 46
    HEADER:
        opcode = QUERY, id = 6, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com, type = A, class = IN

------------
------------
Got answer (78 bytes):
    HEADER:
        opcode = QUERY, id = 6, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 2,  authority records = 0,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com, type = A, class = IN
    ANSWERS:
    ->  ex-dc2.mydomain.com
        type = A, class = IN, dlen = 4
        internet address = 10.0.9.103
        ttl = 3600 (1 hour)
    ->  ex-dc2.mydomain.com
        type = A, class = IN, dlen = 4
        internet address = 192.168.250.125
        ttl = 3600 (1 hour)

------------
------------
SendRequest(), len 46
    HEADER:
        opcode = QUERY, id = 7, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com, type = AAAA, class = IN

------------
------------
Got answer (93 bytes):
    HEADER:
        opcode = QUERY, id = 7, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        ex-dc2.mydomain.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  mydomain.com
        type = SOA, class = IN, dlen = 35
        ttl = 3600 (1 hour)
        primary name server = ex-dc.mydomain.com
        responsible mail addr = admin
        serial  = 34990
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
Name:    ex-dc2.mydomain.com
Addresses:  10.0.9.103
          192.168.250.125

>

0
Freddy Medina Majetić (IT System Administrator) commented:
Hi,

Try to configure 192.168.0.11 (assuming its hostname is EX-DC) as the DNS server for EX-DC2 (192.168.250.125), and 192.168.250.125 as the DNS server for EX-DC.

This can help you identify whether EX-DC2 has something wrong.
0
Andriy Mudrenko (System Engineer, Author) commented:
Additional info. For some reason the DNS server accepts requests only on the 10.0.9.103 interface (OpenVPN):

C:\Users\myuser> telnet 127.0.0.1 53
Connecting To 127.0.0.1...Could not open connection to the host, on port 53: Connect failed
C:\Users\myuser> telnet 192.168.250.125 53
Connecting To 192.168.250.125...Could not open connection to the host, on port 53: Connect failed
C:\Users\myuser>
C:\Users\myuser>
C:\Users\myuser> nslookup ex-dc 127.0.0.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  127.0.0.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
C:\Users\myuser>
C:\Users\myuser>
C:\Users\myuser> nslookup ex-dc 192.168.250.125
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.250.125

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
C:\Users\myuser>
C:\Users\myuser>
C:\Users\myuser> nslookup ex-dc 10.0.9.103
Server:  ex-dc2.mydomain.com
Address:  10.0.9.103

Name:    ex-dc.mydomain.com
Address:  192.168.0.11

PS C:\Users\myuser>


The "Listen on ALL IP addresses" radio button is enabled.
0
65td (Retired) commented:
Can the two servers ping each other via IP and host name?
0
Life1430 commented:
Go to the DNS server properties and, under the tab shown below, please select the internal IP address.

New-Bitmap-Image.bmp
0
Andriy Mudrenko (System Engineer, Author) commented:
Sarang Tinguria, all IPs are selected.
netstat shows that port 53 TCP and port 53 UDP are open for all IPs. But in fact, DNS responds only on one IP address. It seems like a firewall is blocking the other connections. But Windows Firewall is off, and there are no other firewalls installed.

dns.png
0
Andriy Mudrenko (System Engineer, Author) commented:
65td, after I configured 10.0.9.103 (the OpenVPN address) as the DNS server on the new DC, I can use nslookup on it and can ping the main DC by hostname and by IP. And I can ping the new DC from the main DC by hostname and by IP.
So DNS is working as it should.
The only problem is that it accepts connections only on one IP address...
0
Life1430 commented:
Hey Andriy,

Please select the specific internal IP which you want DNS to work on, as in my screenshot above, and see if it works as expected.
0
Andriy Mudrenko (System Engineer, Author) commented:
Hello everyone!
The problem is solved. In my case OpenVPN was the cause. The "block-outside-dns" option was pushed by the OpenVPN server to ex-dc2. So as soon as the tunnel was up and running, OpenVPN began to block DNS requests on all other interfaces.
0
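The check the asker did by hand above (telnet and nslookup against each local address, after netstat had already shown a listener on all of them) is worth scripting, because "listening" and "reachable" are different properties: a host-level packet filter such as the WFP rules that OpenVPN's block-outside-dns installs drops DNS on the non-tunnel interfaces without the service, netstat, the Windows Firewall profile state or the DNS event log showing anything. The script below is an added example for this thread, not the asker's or OpenVPN's code; it sends one UDP DNS query to each address and classifies the result the way nslookup's output does. The addresses and the query name are taken from the thread and are assumptions about the reader's environment.

```python
"""Probe which local addresses actually answer DNS queries on UDP/53.

Added example (not code from the thread or from OpenVPN). A DNS server
bound to 0.0.0.0:53 can still time out on some addresses when a packet
filter drops the traffic before it reaches the socket; this script makes
that visible per address instead of relying on netstat alone.
"""
import random
import socket
import struct

DNS_PORT = 53
QTYPE_A = 1
QCLASS_IN = 1


def build_query(qname: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """Build a minimal recursion-desired DNS query for qname."""
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response(data: bytes, expected_txid: int):
    """Return (rcode, answer_count); raise ValueError for a non-matching reply."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("packet is a query, not a response")
    return flags & 0x000F, an


def probe_dns(server_ip: str, qname: str, timeout: float = 2.0) -> str:
    """Send one query to server_ip and describe the outcome like nslookup."""
    txid = random.randrange(0, 0x10000)  # random id so stray packets are ignored
    query = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server_ip, DNS_PORT))
            data, _peer = sock.recvfrom(512)
        except socket.timeout:
            return "timed out"  # the "DNS request timed out" case from the thread
        except OSError as exc:
            return f"error: {exc}"  # e.g. ICMP port unreachable
    try:
        rcode, answers = parse_response(data, txid)
    except ValueError as exc:
        return f"bad reply: {exc}"
    return f"answered (rcode={rcode}, answers={answers})"


def probe_listeners(addresses, qname: str, timeout: float = 2.0) -> dict:
    """Map each address to its probe result so the asymmetry stands out."""
    return {ip: probe_dns(ip, qname, timeout) for ip in addresses}


if __name__ == "__main__":
    # Assumed values from the thread: loopback, LAN address, VPN tunnel address.
    targets = ["127.0.0.1", "192.168.250.125", "10.0.9.103"]
    for ip, result in probe_listeners(targets, "ex-dc.mydomain.com").items():
        print(f"{ip:<16} {result}")
```

On the server from the thread this would report "timed out" for 127.0.0.1 and 192.168.250.125 but an answer from 10.0.9.103, which points at a filter between the wire and the socket rather than at the DNS service. Since such filters live in the Windows Filtering Platform rather than in the Windows Firewall rule set, `netsh wfp show filters` (which writes the active filter list to an XML file) is the place to confirm what is dropping the traffic once the probe has narrowed it down this far.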

Seth Simmons (Sr. Systems Administrator) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Andriy Mudrenko (https:#a42448719)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0