Dcdiag DNS test fails, but DNS seems to be working properly

Tags: active-directory, domain-name-system, windows-dns, windows-server-2008-r2

Active Directory setup:

Single forest, 3 domains, with 1 domain controller each. All running server 2008 R2, with the same domain/forest functional level.

DNS clients are configured as follows:

DC1 -> DC2 (prim), DC1 (sec)

DC2 -> DC1 (prim), DC2 (sec)

DC3 -> DC1 (prim), DC3 (sec)

All zones are replicated throughout the entire forest, and each DNS server is set-up with 8.8.8.8/8.8.4.4 as forwarders.

Problem:

Everything appears to be working as should. AD is replicating properly, DNS is responsive and not causing any issues, BUT when I run dcdiag /test:dns, the enterprise DNS test fails on DC2 and DC3 with the following error:

TEST: Forwarders/Root hints (Forw)
   Error: All forwarders in the forwarder list are invalid.
   Error: Both root hints and forwarders are not configured or broken. Please make sure at least one of them works.

Symptoms:

Event viewer is constantly showing these 2 event IDs for DNS client:

ID 1017 – The DNS server's response to a query for name INTERNAL RECORD indicates that no records of the type queried are available, but could indicate that other records for the same name are present.

ID 1019 – There are currently no IPv6 DNS servers configured for any interface on this host. Please configure DNS server settings, or renew your dynamic IP settings. (strange, as IPv6 is disabled on the network card)

nslookup is working as expected, and finding any and all records appearing in ID 1017, no matter which DNS server I select to use.

While running dcdiag, the following events appear:

Event ID 10009: DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols.

DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols.

Event ID 1014: Name resolution for the name 1.0.0.127.in-addr.arpa timed out after none of the configured DNS servers responded.

I've run wireshark while dcdiag is running its test, and the internal DNS servers do resolve anything thrown at them, but then the server continues querying Google DNS and root hints.

What the hell is going on? What am I missing here?

Edit: The actual enterprise DNS test error messages are:

   Summary of test results for DNS servers used by the above domain controllers:

      DNS server: 128.63.2.53 (h.root-servers.net.)
         1 test failure on this DNS server
         Name resolution is not functional. _ldap._tcp.domain1.local. failed on the DNS server 128.63.2.53

      DNS server: 128.8.10.90 (d.root-servers.net.)
         1 test failure on this DNS server
         PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
         Name resolution is not functional. _ldap._tcp.domain1.local. failed on the DNS server 128.8.10.90

      DNS server: 192.112.36.4 (g.root-servers.net.)
         1 test failure on this DNS server
         Name resolution is not functional. _ldap._tcp.domain1.local. failed on the DNS server 192.112.36.4

etc., etc.

Best Answer

Enable IPv6 on Windows DCs. Just do it. You can modify the DNS server properties to only listen on the IPv4 interface.

Ensure port 53 is open to the Google DNS servers via UDP and TCP (it's better to use whatever DNS service is upstream to you rather than Google, by the way). You can use PortQry to check it.

On the Forwarders tab, untick the box Use root hints if no forwarders are available.

Remember that the dcdiag /test:dns includes a lot of sub-tests. Mine always shows delegation errors, even though the delegations are fine.

Try /DNSBasic, /DNSForwarders and /DnsResolveExtName tests separately.

(And you're overdue for getting off Server 2008 R2. It's completely at end-of-life next Jan, which means no security updates.)
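A scripted version of the "port 53 over UDP and TCP" check from the answer above, added here as an example and not part of the original answer or of PortQry: it sends a recursive A query to each forwarder over both transports and reports the RCODE and answer count, which is what the dcdiag forwarder sub-test needs to see before it calls a forwarder valid. Assumptions: Python 3 on a host that should be able to reach the forwarders; the query name www.example.com, the transaction id and the SAMPLE_REPLY bytes (192.0.2.1 is a documentation address) are constructed test values.

```python
import socket
import struct
TXID = 0x1234  # constructed transaction id, also used by the sample reply below
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1):
    # Standard recursive query (RD=1) for `name`, QCLASS IN, QTYPE A by default.
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_response(data):
    # Return (rcode_name, answer_count); raise if this is not a reply to our query.
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != TXID or not flags & 0x8000:  # id must match and the QR bit must be set
        raise ValueError("not a response to our query")
    return RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}"), an

def query_udp(server, name, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_response(s.recv(4096))

def query_tcp(server, name, timeout=3.0):
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP is length-prefixed
        (length,) = struct.unpack("!H", s.recv(2))
        buf = b""
        while len(buf) < length:  # reply may arrive in several segments
            chunk = s.recv(length - len(buf))
            if not chunk:
                raise ValueError("connection closed mid-reply")
            buf += chunk
        return parse_response(buf)

def check_forwarders(servers, name="www.example.com"):
    results = {}
    for server in servers:
        for proto, fn in (("udp", query_udp), ("tcp", query_tcp)):
            try:
                results[(server, proto)] = fn(server, name)
            except (OSError, ValueError, struct.error) as exc:
                results[(server, proto)] = ("UNREACHABLE", str(exc))
    return results

SAMPLE_REPLY = (  # constructed NOERROR reply: one A record, www.example.com -> 192.0.2.1
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
```

Run `check_forwarders(["8.8.8.8", "8.8.4.4"])` from a DC; an "UNREACHABLE" entry for one transport only usually points at a firewall rule, which matches the forwarder error dcdiag reports.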