DNS Recursive Query Failure

Greg

I have (1) Win2k domain with (8) Domain Controllers across
(7) subnets all of which have DNS installed (Active
Directory Integrated). Recently (1) of the DNS servers
started exhibiting problems. It happens to be the first
DNS server that was installed prior to our migration from
WINNT4 (2 years ago). The symptom is that clients assigned
to that specific DNS server via their DHCP scope are
unable to attach to the internet, they can browse the LAN
however (we are also running WINS for some legacy stuff).
If I change the DNS assignment to another DC everything
works fine. There do not appear to be any errors inside
of the event log. The only thing I can find is that the
DNS server in question will fail its recursive query test
(run from within the dns msc).
What would cause this failure?
Since this was the first DNS server installed can it be
removed directly or do I have to perform some type of
demotion / promotion?

Greg
 
Greg posted a question
Then Kevin replied below:
: I have (1) Win2k domain with (8) Domain Controllers across
: (7) subnets all of which have DNS installed (Active
: Directory Integrated). Recently (1) of the DNS servers
: started exhibiting problems. It happens to be the first
: DNS server that was installed prior to our migration from
: WINNT4 (2 years ago). The symptom is that clients assigned
: to that specific DNS server via their DHCP scope are
: unable to attach to the internet, they can browse the LAN
: however (we are also running WINS for some legacy stuff).
: If I change the DNS assignment to another DC everything
: works fine. There do not appear to be any errors inside
: of the event log. The only thing I can find is that the
: DNS server in question will fail its recursive query test
: (run from within the dns msc).
: What would cause this failure?
: Since this was the first DNS server installed can it be
: removed directly or do I have to perform some type of
: demotion / promotion?
:
: Greg

Look in the DNS server's forward lookup zone to see if it has a "." (dot)
zone, if it does delete it.
If the "." zone is not there are the root hint servers resolved on the root
hints tab?
Can it ping its Gateway?
Does it have a forwarder? (on the Forwarder tab)
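
The checks in the reply above separate a few distinct failure modes, and the header of the server's reply to an external-name query usually shows which one applies. The following is an added example, not part of any poster's message: the function names, the sample headers and the cause attached to each flag pattern are assumptions for illustration, and the sample replies are constructed rather than captured.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """A-record query with RD (recursion desired) set, as a client resolver sends."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response):
    """Map the header of a reply to an external-name query onto a likely cause."""
    if len(response) < 12:
        return "malformed reply"
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    aa, ra, rcode = bool(flags & 0x0400), bool(flags & 0x0080), flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "recursion works"
    if rcode == 3 and aa:
        # The server believes it is authoritative for a parent of the name.
        return "authoritative NXDOMAIN: server may host a '.' (root) zone"
    if not ra:
        return "recursion not offered (RA=0): recursion disabled on server"
    if rcode == 2:
        return "SERVFAIL: forwarders/root hints unreachable or not answering"
    return "unexpected: rcode=" + RCODES.get(rcode, str(rcode))

def query_server(server_ip, name, timeout=3.0):
    """Send the query over UDP/53 to one server and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server_ip, 53))
            return classify(s.recv(512))
        except socket.timeout:
            return "no reply: check route to server and UDP/53 filtering"

def sample_header(flags, ancount=0):
    """Constructed 12-byte reply header (no real capture) for offline checks."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    for flags, an in [(0x8180, 1), (0x8583, 0), (0x8105, 0), (0x8182, 0)]:
        print(hex(flags), "->", classify(sample_header(flags, an)))
```

Running `query_server` against each DC in turn with the same external name shows whether the failing server differs from the working ones in the flags it returns, not just in whether clients can browse.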
 
Kevin,

There was no "." in the forward lookup zone
The root hint servers appear to be resolved - all have ip
addresses
Yes, I can ping my gateway
Yes, there are (2) ip addresses listed in the forwarder
area.

Since this was the first DNS server installed can I remove
it directly, or would I need to transfer its status to
another DNS server? All DNS servers in the domain are
active directory integrated, which if I understand
correctly means there are no primary or secondary zone
assignments. Is this a correct assumption?

Greg
 
In
Greg said:
Kevin,

There was no "." in the forward lookup zone
The root hint servers appear to be resolved - all have ip
addresses
Yes, I can ping my gateway
Yes, there are (2) ip addresses listed in the forwarder
area.

Since this was the first DNS server installed can I remove
it directly, or would I need to transfer its status to
another DNS server? All DNS servers in the domain are
active directory integrated, which if I understand
correctly means there are no primary or secondary zone
assignments. Is this a correct assumption?

Greg


Try adding a reverse zone for your subnet and try the test again.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
In
Greg said:
Kevin,

There was no "." in the forward lookup zone
The root hint servers appear to be resolved - all have ip
addresses
Yes, I can ping my gateway
Yes, there are (2) ip addresses listed in the forwarder
area.

Since this was the first DNS server installed can I remove
it directly, or would I need to transfer its status to
another DNS server? All DNS servers in the domain are
active directory integrated, which if I understand
correctly means there are no primary or secondary zone
assignments. Is this a correct assumption?

Greg

Also configure a forwarder and try the test again.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hi Jonathan,

Can you go to that DNS server and get access to the internet? What do you have in option 006 of the DHCP scope? Can
you ping the DNS server from the Client and get the FQDN back? Can you do an nslookup from your client? What is his
default server? If we are allowing zone transfer to all, can we do nslookup from the Client and then do ls -d
yourdomainname.com and get all the records? What type of client do we have? Can I get an IPconfig /all from the client
and from the DNS server?

Thanks,
Tim Roberts [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
 
G> The symptom is that clients assigned to that specific
G> DNS server via their DHCP scope are unable to attach
G> to the internet, [...]

JdeBP> Make sure that you have performed all of the necessary steps
JdeBP> for having that DNS server provide proxy DNS service.
JdeBP>
JdeBP> <URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-monolithic-server-as-proxy.html>

TERM> Hi Jonathan,
TERM>
TERM> Can you go to that DNS server and get access to the internet? [...]

Please *read* the messages that you reply to.
 
Hi Jonathan,

I understand that the symptom is "clients assigned to that specific DNS server via their DHCP scope are unable to
attach to the internet". Can that DNS resolve external names? What happens when you do an NSLookup on that specific
server? What happens when you do an nslookup on the client?

Thanks,
Tim Roberts [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

 
G> The symptom is that clients assigned to that specific
G> DNS server via their DHCP scope are unable to attach
G> to the internet, [...]

JdeBP> Make sure that you have performed all of the necessary steps
JdeBP> for having that DNS server provide proxy DNS service.
JdeBP>
JdeBP> <URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-monolithic-server-as-proxy.html>

TERM> Hi Jonathan,
TERM>
TERM> Can you go to that DNS server and get access to the internet? [...]

JdeBP> Please *read* the messages that you reply to.

TERM> I understand that the symptom is " clients assigned to that specific
TERM> DNS server via their DHCP scope are unable to attach to the
TERM> internet". [...]

Are you a brick wall or something? Please *read* the messages that you
reply to.

TERM> This posting is provided "AS IS" with no warranties, and confers
TERM> no rights.

And is utterly worthless because Tim Roberts doesn't seem to grasp the
difference between people who are *asking* questions and people who are
*answering* them.

You're doing this in several threads, Tim, and you're confusing the heck out
of people like Deji, who haven't yet realised, as I have, that you simply
*are* *not* *reading* the posts that you reply to. Get yourself a decent
threaded NUA, and *read* the messages that you reply to.
 