On the clients, under TCP/IP properties/Advanced/DNS, ensure that "Append primary and connection specific DNS suffixes" is selected and also that "Append parent suffixes of the primary DNS suffix" is checked.
Also, for the FQDN in System Properties, ensure that "change primary DNS suffix when domain membership changes" is checked.
Without repeating the incident you can't troubleshoot it - there is no way to know what went screwy with your DNS traffic unless you make it happen again.
Given your problem description, my money is on "Wrong or missing forwarders" like you guessed.
If, as you describe, your European servers are pointing at the US server as a forwarder there are a few sub-optimal results:
- Any time you ask for a zone the European server doesn't know about it asks America.
- America doesn't know, so it asks its forwarder (and so on until we get to the root).
- America gets the answer, and sends it back to Europe.
That's at least two trips across the ocean -- not great. And if the American name server goes away Europe has nobody to ask.
For best results, each regional nameserver should have all your internal zones, and be configured with a nearby forwarder if it needs to ask someone else for the record.
This lets you benefit from the caches at your upstream provider, and if your domain gets fractured you can still resolve external DNS names.
How can you test this? On Unix we would use the dig tool (dig +trace). This is not included with Windows as far as I know, but there are implementations of it available (Google "dig for windows" for more options). The +trace option shows you which servers were queried in the process of getting you an answer.
Special Note
There are some circumstances where I suggest using an alternate forwarder (or the root servers directly) -- If you have an ISP that hijacks DNS requests and does not properly return NXDOMAIN
for non-existent domain names you should not use their DNS servers.
If you have such an ISP configure an alternative forwarder (like Google Public DNS) instead, or use root hints and ensure that you keep your hints data current.
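One way to check a forwarder for the NXDOMAIN hijacking described above, as an added example that is not part of the original answer: query the resolver for a random label that cannot exist and confirm it answers with RCODE 3 instead of synthesizing records. It uses only the Python standard library; the resolver address, the base domain (`example.com` here as a placeholder) and the function names are assumptions.

```python
import os
import random
import socket
import struct

def build_query(qname, qtype=1, txid=None):
    """Build a minimal recursive (RD=1) DNS query for qname, type A by default."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 1 question, RD set
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1), txid  # class IN

def parse_rcode(resp, expected_txid):
    """Return (rcode, answer_count) from the response header; refuse a mismatched txid."""
    if len(resp) < 12:
        raise ValueError("response too short")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return flags & 0x000F, an

def classify(rcode, answer_count):
    """Classify the answer to a name that cannot exist."""
    if rcode == 3:                      # NXDOMAIN: resolver behaves correctly
        return "ok-nxdomain"
    if rcode == 0 and answer_count > 0:  # NOERROR with records for a bogus name
        return "hijacked"
    return "inconclusive"               # SERVFAIL, REFUSED, empty NOERROR, ...

def check_resolver(server, base_domain="example.com", timeout=3.0):
    """Send one query for a random, nonexistent label to `server` and classify its reply.

    base_domain is a placeholder; use a zone you own or one known to be NXDOMAIN-clean.
    """
    qname = f"{os.urandom(8).hex()}.{base_domain}"
    query, txid = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    return classify(*parse_rcode(resp, txid))

if __name__ == "__main__":
    import sys
    print(check_resolver(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it once against each forwarder candidate; a resolver that reports "hijacked" should not be used as a forwarder.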
Best Answer
When you cascade DNS recursing servers and introduce forwarders, that is the kind of problem you meet.
One of your DNS servers is not answering correctly. All but authoritative servers can have a cache.
Two possibilities:
dig command can help you know exactly which server is behaving incorrectly (but its output should be read carefully):
and so on.
The trick is: don't put forwarders in place: only recursive servers and authoritative ones. Keep It Simple Stupid.