How to test DNS Forwarders without disconnecting the Primary DNS Server

domain-controller, domain-name-system, forwarding

I have two domain controllers in my domain in remote offices (Europe and China) and two domain controllers in the US, 4 in total. We had a network outage in our US office a few weeks back and during this time, the office in Europe and China experienced issues with DNS not working. I believe part of the issue is that the China server had no forwarder IP addresses set up and the Europe Server did, but it was for our local US ISP.

I want to play around with making some changes to the IP addresses of the DNS Forwarders on these servers, but I'm unsure how to test if my changes fix the issue. I would like to avoid disconnecting these remote DCs from our primary DNS servers here in the US. Since everything is up and running well now, if I do nslookup to a website or visit a website in a browser, it will just use our primary DNS servers – how can I specifically test if the DNS forwarder IP addresses are working?

Thanks in advance, let me know if I can give more info or clarify anything

Best Answer

Without repeating the incident you can't troubleshoot it - there is no way to know what went screwy with your DNS traffic unless you make it happen again.

Given your problem description, my money is on "Wrong or missing forwarders" like you guessed.


If, as you describe, your European servers are pointing at the US server as a forwarder, there are a few sub-optimal results:

  1. Any time you ask for a zone the European server doesn't know about it asks America.
  2. America doesn't know, so it asks its forwarder (and so on until we get to the root).
  3. America gets the answer, and sends it back to Europe.

That's at least two trips across the ocean -- not great. And if the American name server goes away Europe has nobody to ask.

For best results, each regional nameserver should have all your internal zones, and be configured with a nearby forwarder if it needs to ask someone else for the record.
This lets you benefit from the caches at your upstream provider, and if your domain gets fractured you can still resolve external DNS names.


How can you test this? On Unix we would use the dig tool (`dig +trace`).
This is not included with Windows as far as I know, but there are implementations of it available (search for "dig for Windows" for more options).

The +trace option shows you which servers were queried in the process of getting you an answer.


Special Note

There are some circumstances where I suggest using an alternate forwarder (or the root servers directly) -- If you have an ISP that hijacks DNS requests and does not properly return NXDOMAIN for non-existent domain names you should not use their DNS servers.

If you have such an ISP configure an alternative forwarder (like Google Public DNS) instead, or use root hints and ensure that you keep your hints data current.
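The same checks the answer describes (ask each configured forwarder directly rather than letting the DC pick, and verify the forwarder is not an NXDOMAIN-hijacking resolver) can be scripted on the Windows DCs themselves. The script below is an added example and is not part of the original answer; it assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later, or RSAT), and the DC names and the public test name are placeholders to replace with your own.

```powershell
# Added example, not from the original answer: audit and exercise the DNS
# forwarders configured on each remote DC without touching client resolution.
# Assumes the DnsServer (Get-DnsServerForwarder) and DnsClient (Resolve-DnsName)
# modules; $DomainControllers and $ExternalName are placeholders.

$DomainControllers = @('dc-europe', 'dc-china')   # placeholder DC names
$ExternalName      = 'www.example.com'             # any real public name outside your zones
$BogusName         = "nx-$(Get-Random).invalid"    # .invalid is reserved (RFC 2606) and never resolves

foreach ($dc in $DomainControllers) {
    # Forwarder list exactly as the DNS server role on that DC has it configured
    $fwd = Get-DnsServerForwarder -ComputerName $dc
    Write-Host "`n== $dc : forwarders = $($fwd.IPAddress -join ', ') ; UseRootHint = $($fwd.UseRootHint)"

    if (-not $fwd.IPAddress) {
        Write-Warning "$dc has no forwarders; it relies on root hints (or on nothing) when the US link is down"
        continue
    }

    foreach ($ip in $fwd.IPAddress) {
        # 1. Is the forwarder reachable on 53/tcp from this host at all?
        #    (DNS normally uses UDP; a TCP failure is a strong hint, not proof.)
        $reach = Test-NetConnection -ComputerName $ip -Port 53 -WarningAction SilentlyContinue
        if (-not $reach.TcpTestSucceeded) {
            Write-Warning "  $ip : port 53 unreachable"
            continue
        }

        # 2. Ask the forwarder itself, not the DC, for a public name.
        #    -DnsOnly skips the local cache and hosts file, so the answer really came from $ip.
        try {
            $answer = Resolve-DnsName -Name $ExternalName -Type A -Server $ip -DnsOnly -ErrorAction Stop
            $addrs  = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
            Write-Host "  $ip : $ExternalName -> $addrs"
        } catch {
            Write-Warning "  $ip : could not resolve $ExternalName : $($_.Exception.Message)"
            continue
        }

        # 3. Hijack check from the Special Note: a resolver that 'answers' a name
        #    under .invalid is rewriting NXDOMAIN and should not be used as a forwarder.
        try {
            $bogus = Resolve-DnsName -Name $BogusName -Type A -Server $ip -DnsOnly -ErrorAction Stop
            Write-Warning "  $ip : returned $($bogus.IPAddress -join ', ') for $BogusName - NXDOMAIN hijacking, choose another forwarder"
        } catch {
            Write-Host "  $ip : $BogusName correctly got no answer ($($_.Exception.Message))"
        }
    }
}
```

Run it from any domain-joined admin workstation that can reach the DCs; `Get-DnsServerForwarder -ComputerName` reads the configuration remotely, while the `Resolve-DnsName -Server` queries go from your workstation to the forwarder, so to test the forwarder's reachability from the remote office itself run the script on that DC (or over PowerShell remoting to it). To simulate the outage without unplugging anything, compare the results against a candidate nearby forwarder by adding its address to the loop; once a candidate passes all three checks, `Set-DnsServerForwarder -ComputerName <dc> -IPAddress <address>` applies it. On a Unix host the equivalent of step 2 is `dig @<forwarder> www.example.com`, and `dig +trace` shows the full delegation path as the answer describes.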