Tuesday, April 30, 2019

domain name system - dcdiag DNS test fails, but DNS seems to be working properly

Active Directory setup:

Single forest, 3 domains, with 1 domain controller each. All running Server 2008 R2, with the same domain/forest functional level.

DNS clients are configured as follows:

DC1 -> DC2 (prim), DC1 (sec)
DC2 -> DC1 (prim), DC2 (sec)
DC3 -> DC1 (prim), DC3 (sec)

All zones are replicated throughout the entire forest, and each DNS server is set up with 8.8.8.8/8.8.4.4 as forwarders.

Problem:

Everything appears to be working as it should. AD is replicating properly, DNS is responsive and not causing any issues, BUT when I run dcdiag /test:dns, the enterprise DNS test fails on DC2 and DC3 with the following error:

TEST: Forwarders/Root hints (Forw)
Error: All forwarders in the forwarder list are invalid.
Error: Both root hints and forwarders are not configured or broken. Please make sure at least one of them works.

Symptoms:

Event viewer is constantly showing these 2 event IDs for DNS client:

ID 1017 - The DNS server's response to a query for name INTERNAL RECORD indicates that no records of the type queried are available, but could indicate that other records for the same name are present.
ID 1019 - There are currently no IPv6 DNS servers configured for any interface on this host. Please configure DNS server settings, or renew your dynamic IP settings. (strange, as IPv6 is disabled on the network card)

nslookup is working as expected, and finding any and all records appearing in ID 1017, no matter which DNS server I select to use.

While running dcdiag, the following events appear:

Event ID 10009: DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols.
DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols.
Event ID 1014: Name resolution for the name 1.0.0.127.in-addr.arpa timed out after none of the configured DNS servers responded.

I've run Wireshark while dcdiag is running its test, and the internal DNS servers do resolve anything thrown at them, but then the server continues querying Google DNS and root hints.

What the hell is going on? What am I missing here?

Edit: The actual enterprise DNS test error messages are:

Summary of test results for DNS servers used by the above domain controllers:

DNS server: 128.63.2.53 (h.root-servers.net.)
1 test failure on this DNS server
Name resolution is not functional. _ldap._tcp.domain1.local. failed on the DNS server 128.63.2.53

DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
Name resolution is not functional. _ldap._tcp.domain1.local. failed on the DNS server 128.8.10.90

DNS server: 192.112.36.4 (g.root-servers.net.)
1 test failure on this DNS server
Name resolution is not functional. _ldap._tcp.domain1.local. failed on the DNS server 192.112.36.4

etc., etc.
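One way to reproduce the forwarder/root-hint leg of dcdiag's Forw test by hand, as an added example that is neither from the question nor from dcdiag itself: a stand-alone Python script that sends one UDP query to each forwarder and root-hint address named in the post and classifies the reply (answer, referral, NXDOMAIN, or nothing back at all, the last being what a blocked UDP/53 path looks like). The five server addresses come from the post; the query name, the fixed transaction id and the 3-second timeout are constructed assumptions, and it has to run from the DC (or a host on the same network path) for the verdicts to mean anything.

```python
import socket
import struct

# Addresses from the question: the two forwarders and three of the root hints dcdiag listed.
FORWARDERS = ["8.8.8.8", "8.8.4.4"]
ROOT_HINTS = ["128.63.2.53", "128.8.10.90", "192.112.36.4"]
TXID = 0x1234  # fixed transaction id so a reply can be matched to our query (constructed value)

def build_query(name, qtype=1):
    """Minimal DNS query: one question, recursion desired; qtype 1 = A, class 1 = IN."""
    header = struct.pack(">HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def parse_response(data):
    """Return (rcode, answer_count, authority_count), or None if this is not a reply to our query."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != TXID or not flags & 0x8000:  # QR bit must be set on a response
        return None
    return flags & 0x000F, an, ns

def classify(parsed):
    """Turn a parsed reply into the verdict an admin comparing against dcdiag output wants."""
    if parsed is None:
        return "malformed or mismatched reply"
    rcode, an, ns = parsed
    if rcode == 0 and an > 0:
        return "OK: answered"
    if rcode == 0 and ns > 0:
        return "referral only: server is not recursive (expected from a root hint)"
    if rcode == 3:
        return "NXDOMAIN: name does not exist at this server"
    return f"rcode {rcode}"

def probe(server, name="www.google.com", timeout=3.0):
    """Send one UDP query to port 53 and say whether anything usable came back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    except OSError:  # timeout, "network unreachable", ICMP port unreachable, etc.
        return "no reply: UDP/53 to this server is blocked, unreachable or down"
    finally:
        sock.close()
    return classify(parse_response(data))

def probe_all(name="www.google.com"):
    """Probe every forwarder and root hint; returns {address: verdict} for printing or logging."""
    return {server: probe(server, name) for server in FORWARDERS + ROOT_HINTS}
```

Run `probe_all()` on DC2 or DC3: a forwarder that shows "no reply" while the internal servers answer fine is the same condition dcdiag reports as "All forwarders in the forwarder list are invalid".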
