
I have a small, Simple Active Directory domain set up in AWS using their Directory Service. It's been running fine for a year now. However, this morning, certain DNS queries that run through the domain fail mysteriously.

C:\>nslookup merrimack.com
Server:  AWS-68AE5FCF56.xxx.yyy.com
Address:  10.50.11.113

DNS request timed out.
    timeout was 2 seconds.
*** Request to AWS-68AE5FCF56.xxx.yyy.com timed-out

However, if I ask Google, it gives me the right answer immediately:

C:\>nslookup merrimack.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    merrimack.com
Address:  166.78.30.154

This worked fine yesterday, and as I alluded, for a year prior. All servers joined to this AD domain have the same results, and other queries than to this one domain name seem fine.

C:\>nslookup pfizer.com
Server:  AWS-68AE5FCF56.xxx.yyy.com
Address:  10.50.11.113

Non-authoritative answer:
Name:    pfizer.com
Address:  184.73.156.141

I am not a very experienced domain operator. How might I diagnose or resolve this error?

Minor edit: the AWS console doesn't show anything wrong with the domain, and all other services (authentication, etc.) seem to be working fine.

Mike Caron
  • What external forwarder is your DNS set to query for unknown records? As I guess it's not Google 8.8.8.8, since it's not working – yagmoth555 Nov 14 '16 at 15:23
  • Um, I have no idea how to check. I assume it would be a reasonable default. But I don't know. – Mike Caron Nov 14 '16 at 15:44
  • If you have a server login, right-click your DNS console and check the redirector; it should be named. – yagmoth555 Nov 14 '16 at 15:58
  • I assume you're speaking in terms of a normal DC. An AWS Simple Directory is, I believe, based on smbd, and I don't have a login. Can I check this remotely using the AD tools somehow? – Mike Caron Nov 14 '16 at 16:20
  • Oh ok, I don't have experience in AWS, but I assumed it was like in Azure. – yagmoth555 Nov 14 '16 at 16:22
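Added here as an example, not code from the question, the answer or AWS: since a Simple AD gives you no console login to inspect the forwarder, the check can be done from any joined host by sending the same A query to the directory's DNS server and to a public resolver and flagging timeouts or differing answers, which is the diagnosis the nslookup runs above perform by hand. It uses only the standard library (UDP port 53, IPv4 A records, no EDNS or TCP fallback); the addresses in the usage note are the ones from the question, and the function names are my own.

```python
import socket, struct

def build_query(name, txid=0x1234):
    """Recursive A/IN query: RD flag set, one question, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):  # advance past a name, which may end in a compression pointer
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(msg):
    """IPv4 addresses in the answer section; [] when RCODE is non-zero (SERVFAIL, NXDOMAIN)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve(server, name, timeout=2.0):
    """Query one server over UDP/53; None on timeout, the symptom in the question."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_a_records(data)

def compare(ad_server, public_server, names):
    """'timeout' when the AD resolver does not answer, 'mismatch' when it differs from public, else 'ok'."""
    results = {n: (resolve(ad_server, n), resolve(public_server, n)) for n in names}
    return {n: "timeout" if ad is None else "ok" if set(ad) == set(pub or []) else "mismatch" for n, (ad, pub) in results.items()}
```

Run as `compare("10.50.11.113", "8.8.8.8", ["merrimack.com", "pfizer.com"])` from a joined host; a result of `timeout` for one name while others return `ok` points at the forwarding path for that name rather than at the directory as a whole.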

1 Answer

Delete the directory and start again.

I had a similar problem to you. I had created a new record in Route53, which could be picked up by querying Google's DNS servers, but my Amazon servers couldn't resolve it. I created a new directory service to see if it would work with it, and it did.

Robin Salih