Windows 2003 DNS: Recursive query fails when looking its own domai

Hi,

I recently setup a Windows 2003 server for a client. I use internet FQDN for
the AD domain.

When I tested the DNS service using NSlookup, I got a timeout issue in
forward lookup on the DC itself.

The server name is: dcserver1
The FQDN server name is: dcserver1.domain.com.au
I can get reply when I nslookup: dcserver1
I also got the reverse lookup working for dcserver1
But when I type: dcserver1.domain.com.au, it gives me timeout and then gives
the correct result.

The DC is not connected to the internet. When I add the "." zone, it doesn't
create the issue anymore.

The problem is: why the nslookup still wants to go out to another DNS server
to look for name resolution for the DC? I can't understand why it's
happening. I'm abit worried if there's an underlying problem as I need to
register several servers to the AD.

Any one could help me?
Thank you.

 

In

Is the zone configured properly in DNS? Is the SOA (this DNS server)
correctly configured in the nameservers tab under the zone properties?

Can you give us an example using:
nslookup -d2 dcserver1.domain.com.au
and
nslookup -d2 dcserver1

Please don't edit the results to hide or obsfucate the domain name or it
will make it difficult to diagnose.

Thanks

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If you are having difficulty in reading or finding responses to your post,
instead of the website you are using, if I may suggest to use OEx (Outlook
Express or any other newsreader of your choosing), and configure a newsgroup
account, pointing to news.microsoft.com. This is a direct link into the
Microsoft Public Newsgroups, and it is FREE and DOES NOT require a Usenet
account with your ISP. With OEx, you can easily find your post, track
threads, cross-post, and sort by date, poster's name, watched threads or
subject.

Not sure how? It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile.
Infinite Diversities in Infinite Combinations.
=================================

 

One thing to be aware of is the lookups for an internal system versus an
external system. If you just do an nslookup servername does it resolve?
Then when you do an nslookup servername.domain.com.au it states the timeout
and then resolve? This is generally a normal thing depending on different
DNS setups. Essentially if all is working this one I would not get to
worried about.

 

OK, there isn't a simple answer but here we go.

I'm sure it has something to do with the DNS suffix search list and the way
nslookup and the DNS client service appends the Primary DNS suffix.
When you do nslookup on just the server name the first query that goes to
DNS is dcserver1.domain.com.au, so it resolves locally right away.

However, when you do nslookup dcserver1.domain.com.au it does several
queries before it resolves.
1st query is:
"dcserver1.domain.com.au.domain.com.au"
Your local server replies with the SOA record from domain.com.au but
nslookup doesn't stop until it appends all DNS suffixes or resolves.

2nd query is:
"dcserver1.domain.com.au.com.au"
This query is the stopper because "domain.com.au.com.au." is so your DNS
forwards this query because "com.au.com.au." is an unknown domain and it has
to wait until the "com.au." parent server returns its SOA record, nslookup
doesn't stop because it is still using an appended suffix so it goes on
again this time by sending the name without an appended suffix, (both
nslookup and the DNS client only append down to the last two levels before
the root, (the root is the ".") in the search list, which is com.au.

3rd query is:
dcserver1.domain.com.au. which resolves.

so if you look at only what it appends it looks like this:
domain.com.au.
com.au.

Which when added to the domain name , it searches these domains:
domain.com.au.domain.com.au.
domain.com.au.com.au
domain.com.au
Notice that neither nslookup nor the DNS client will append the TLD "au" it
stops appending at "com.au"
Its the domain.com.au.com.au that times out.

Do this, in TCP/IP properties, select the DNS tab, then clear the check box
for "append parent suffixes of the primary DNS suffix".
Doing this stops nslookup and the DNS client from appending "com.au" (the
parent suffix), so that only "domain.com.au" is appended, which your DNS
server can handle without forwarding.

If you will add a trailing "." to your query, neither nslookup nor the DNS
client service will append DNS suffixes and will send only names before the
"." to DNS.
Example:
"dcserver1.domain.com.au."

The reason why this doesn't happen with the root zone is because since it
has the root zone, DNS "assumes" that is knows every TLD name below the root
and does not have to forward to find that domain.com.au.com.au. doesn't
exist.

This is further complicated if you also have a Connection specific DNS
suffix (the one labeled "DNS suffix for this connection") because it is
added the DNS suffix search list, too. Although, it does not append parent
suffixes of the connection suffix.

As you see, it is not a simple answer, it is just the way nslookup (and the
DNS client service) appends suffixes from TCP/IP properties. And this does
not include nslookup's "stupid" behavior of doing a reverse lookup on the IP
of every DNS server it queries.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

 

Thank you for everyone's reply. It has been mind-nourishing.

It is true that the "dcserver1.domain.com.au.com.au" is the reason of the
time out. If I do nslookup dcserver1.domain.com.au. (with the dot after the
"au"), it gives me the answer without forwarding the query.
Thank you for the nslookup -d2 clue. It's very helpful.
As mentioned, in the DNS tab, I tried to uncheck the appending parent DNS
suffix, but still, it does not want to stop appending the .com.au bit.

I'm thinking:
Does the query: dcserver1.domain.com.au.com.au require to receive an answer
from an authoritative DNS server? No matter if it's a positive answer (i.e.
"yes, the domain exists") or a negative answer (i.e. "no, the domain not
exist").

I believe this is what I don't have at the moment. The DNS for the AD is
totally separated and isolated from the Internet. It does not do forward to
the ISP DNS for any unresolved query.

Adding the "." zone would make the DNS authoritative, which I believe stops
the forwarding. Is this statement correct?

Thank you.

Result of nslookup -d2:

Got answer (121 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
dcserver1.domain.com.au.domain.com.au, type = A, class = IN
AUTHORITY RECORDS:
-> domain.com.au
type = SOA, class = IN, dlen = 44
ttl = 3600 (1 hour)
primary name server = dcserver1.domain.com.au
responsible mail addr = hostmaster
serial = 25
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
------------
SendRequest(), len 47
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
dcserver1.domain.com.au.com.au, type = A, class = IN

------------
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)

--
Lito Kusnadi
Technical Consultant
React Solutions AU

 

In

A reply can be negative or positive, either way, it's a reply. But unlike
the local machine's resolver service, which will stop looking if a negative
response is returned, nslookup will continue to devolve each suffix. As
Kevin said, go ahead and uncheck "append parent suffixes of the primary DNS
suffix" to stop it from appending com.au.

Ace

 

Yes, it does stop the forwarding, but it also stops DNS from being able to
resolve internet names, unless the root zone is delegated with all TLDs. You
can install a delegated root zone, but I think this puts you right back in
the same position. Your DNS server will still have to contact the com.au
servers to verify that domain.com.au.com.au does not exist.

Clearing the check box noted does stop the DNS client from appending parent
suffixes, nslookup being its own animal, appears ignore this setting, or at
least it does on my system.
However, If you assign a custom DNS suffix, nslookup will use it instead.
Use "Append these suffixes (in order)" then enter "domain.com.au" (without
the quotes) only.
You can assign either of these in a GPO to XP and 2k3 machines here:
Computer Configuration
-Administrative templates
-Network
-DNS client

Keep in mind, in an Active Directory environment, internet resolution is not
necessary, internal resolution is REQUIRED. No member of an AD domain should
ever have a DNS server in its list of DNS servers, in any position, on any
interface, that cannot resolve the AD domain. This means that if you need
internet resolution, you must get that resolution from a DNS server that
resolves the AD domain. So you cannot use your ISP's DNS especially, if the
internal DNS has the un-delegated root zone. If the internal DNS has an
un-delegated root zone, it cannot resolve internet names and will timeout,
this will move the ISP's DNS to the preferred DNS server and will leave it
there until TCP/IP is reset.





--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================