DNS is not doing recursive queries

Discussion in 'Server Migration' started by Rob Boylan, Aug 13, 2005.

  1. Rob Boylan

    Rob Boylan Guest

    I had a Windows NT PDC that was serving as the primary DNS server for the top
    level country code domain FM. I upgraded this server to be a Windows 2003 DC
    with the AD domain "fm". All forward and reverse zones seemed to migrate
    sucessfully. I manually added the entries for AD from the NetLogon.dns file.

    The problem: the server will not resolve any domains outside the FM
    hierarchy. (ie. Running a simple query test from the Monitoring tab will
    Pass, but the recursive query test will Fail).

    The root hints are present and no forwarders are defined. No private root
    (.) zone is defined. The Cached Lookups has only the following hierachy:
    ..(root) - net - root-servers. But there are no records at any level. Zone
    transfers to all secondary DNS servers are sucessful.

    The only odd thing I can see is the informational message displayed when I
    click on the sever object in the DNS management console. It says, "This DNS
    server has not been configured. Configuration includes creating forward and
    reverse lookup zones and specifying root hints and forwards."

    What can I do to resolve the problem?
     
    Rob Boylan, Aug 13, 2005
    #1
    1. Advertisements

  2. Rob Boylan

    Herb Martin Guest

    file.

    Not likely your reported problem but you really need a "two label"
    DNS AD domain name; i.e., domain.com or fm.org, and not just
    "domain" or "fm".

    If you have a single lable name then Google:

    [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
    Can you perform a DIRECTED DNS lookup from the command line of
    the DNS Server?

    nslookup www.google.com SOME_SPECIFIC_DNS_SERVER_IP

    e.g., nslookup www.google.com 4.2.2.1

    If not, you likely have a problem at with firewall filters.
    Root hints are good. Forwarders don't actually require that
    recursion be disabled and so are largely irrelevant to the
    actual failure of recursion.
    Ignore cached lookups. If you do the recursion they will populate,
    and vice versa.

    No forward or reverse zones are actually required for recursion
    (a caching only server is perfectly fine FOR THAT purpose.)

    Not having Forward (and perhaps reverse) zones is BAD however
    for your AD if this DNS server is supposed to hold the corresponding
    DNS zone for AD.
    Start with isolating it -- use the NSLookup command and check your
    firewalls (on this machine OR at the routers.)

    Check that your "Root Hints" are up to date. Try updating root hints
    from that 4.2.2.1 external DNS server.
     
    Herb Martin, Aug 13, 2005
    #2
    1. Advertisements

  3. Rob Boylan

    Rob Boylan Guest

    Thanks for the reply

    Why do I need a "two label" name? If I understand the <a
    href="http://support.microsoft.com/?kbid=300684">knowledge base article</a>
    correctly, there are two things that do not work automatically in a single
    label domain: 1) dynamic updates do not work and 2) member computers cannot
    use DNS to locate DCs in a single-label domain that is in another forest. I'm
    not planning on allowing dynamic updates in this domain and I'm not dealing
    with multiple forests. So is there another gotcha that I'm overlooking?

    Windows Firewall is turned off.
    Outgoing, the router is permitting all traffic from this server.
    Incoming for this server, the router is permitting FTP on TCP, WWW on TCP,
    DNS on UDP and TCP, and ECHO on ICMP. All other traffic is denied.

    The above nslookup test fails when I try it from the Windows 2003 DNS
    server. My internal secondary DNS server also has similar access lists on the
    router. The nslookup fails on it as well. If I try the nslookup from a
    machine not protected by an incoming access list, the test succeeds.

    The secondary DNS server is still a Windows NT box, and it is resovling
    recursively. The server in question was also able to recurse normally when
    it was an NT machine. So, I guess the question becomes, what other ports do I
    need to enable for a Windows 2003 box to do recursive lookups?
     
    Rob Boylan, Aug 15, 2005
    #3
  4. Hi Rob,

    I appreciate that you giving me such a detailed description about your
    issue. But I think it is totally an DNS issue though it happens after
    migration.So I recommend you post it at:microsoft.public.windows.server.dns.

    Before you open a new post at dns group, please refer to following link to
    check your DNS upgrade steps:
    <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serv
    erHelp/6b03afbc-3d4f-4e3a-bda0-8fc408770837.mspx>

    Also, please refer to following link to varify if you configured your DNS
    server correctly.

    <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Oper
    ations/dac536f2-958d-4a19-96f3-68b40f76d764.mspx>
    <http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRout
    ing/dd4b999f-b63e-43b9-ad39-697ef4869c25.mspx>

    Thank you for understanding and hope it helps.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security


    --------------------
     
    Vincent Xu [MSFT], Aug 15, 2005
    #4
  5. Rob Boylan

    devisbal Guest

    I'm having the same problem, and wonders how did you resolve it?
    I know that if I restart the DNS Server, it will start working OK, but
    having to restart it is not a solution.

    Davis Bal
    ===
     
    devisbal, Jun 15, 2006
    #5
  6. Hi Davis,

    I would like to confirm that if you performed the DNS recursive query test
    on the Monitoring tab of the DNS server properties.

    I am not sure if the DNS server is pointing to itself as the primary DNS
    server. If not, please check and modify it. Then check to see if you
    configure the ISP DNS server as a forwarder for the external resolution: in
    DNS mmc, right click the DNS server, click Properties, click the FOrwarders
    tab, and add the ISP DNS server. After that, test the recursive query again
    to check it.

    In addition, for recursion to work successfully, all DNS servers used in
    the path of a recursive query must be able to respond to and forward
    correct data. If not, a recursive query can fail for any of the following
    reasons:
    The recursive query times out before it can be completed.
    A remote DNS server fails to respond.
    A remote DNS server provides incorrect data.

    Additional Readings:
    =================
    Test a recursive query on the DNS server
    <http://www.microsoft.com/windows2000/en/server/help/sag_DNS_pro_RecursiveQu
    eryTest.htm>

    300202 HOW TO: Configure DNS for Internet Access in Windows 2000
    http://support.microsoft.com/?id=300202

    Hope this helps.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    ======================================================
    Get Secure! - www.microsoft.com/security
    ======================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others
    may learn and benefit from this issue.
    ======================================================
    This posting is provided "AS IS" with no warranties,and confers no rights.
    ======================================================



    --------------------
     
    Vincent Xu [MSFT], Jun 16, 2006
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.