
Lookups from non-domain controllers are fine. But on the domain controller the nslookup times out twice and then resolves the address. This DC is a fresh install and I'm unable to find the cause of the issue. There is no firewall, btw.

If I add a dot (.) to the end of the query, it resolves instantly on the domain controller.

In the network adapter properties, I have appended these suffixes (domain.com, ca.domain.com, ny.domain.com).

Any suggestions on how to debug it?

Domain controller and DNS server: 10.10.10.10

Client machine: 20.20.20.20

From Client machine - query is domain.com:

nslookup domain.com 10.10.10.10
Server: dc01.domain.com
Address: 10.10.10.0

Name: domain.com
Addresses: 10.10.10.10
      10.10.10.20

From domain controller - query is domain.com:

nslookup domain.com. 10.10.10.10 (or nslookup domain.com)
Server: dc01.domain.com
Address: 10.10.10.0

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Name: domain.com
Addresses: 10.10.10.10
      10.10.10.20

From domain controller - query is now domain.com. (with a trailing dot):

nslookup domain.com 10.10.10.10 (or nslookup domain.com)
Server: dc01.domain.com
Address: 10.10.10.0

Name: domain.com
Addresses: 10.10.10.10
      10.10.10.20
  • There is a sign of a wrong DNS resolver configuration or firewall. First, why do you need those suffixes? – Nikita Kipriyanov Oct 23 '19 at 11:03
  • domain.com is the parent dc and it has some important records. ca.domain.com is the child dc and it has all the servers name records. There is no firewall in between this. I'm querying from the domain controller itself. What kind of wrong DNS resolver configuration are you referring to? Can you explain a bit so I can check on my end? – user630702 Oct 23 '19 at 11:07
  • The suffixes shouldn't be causing the problem, because I tested it by removing the DNS suffix and it still shows the same problem. – user630702 Oct 23 '19 at 11:09
  • A DNS resolver configuration is DNS servers, and, you know, the "domain name suffix" also. I am unsure it is safe to set it up this way on the domain controller. The fact it works with the dot at the end suggests suffixes do affect resolution (because the dot is the thing that disables them for a particular query). At least, try to put its own domain name first. Also, do other domains have proper glue records? Does your domain's DNS server have the ability to correctly find the parent domain's DC? – Nikita Kipriyanov Oct 23 '19 at 11:10
  • `domain.com` suffix is the main one (own domain name, I mean dc01.domain.com is the FQDN). I have another DC (an old one which has no link to this) and I compared settings and they all look similar. Mainly, the suffix is in the old one too and it works fine. – user630702 Oct 23 '19 at 11:12
  • Which DNS server addresses are configured? Have you tried to run nslookup in interactive mode (without parameters) and set the server to query and verify they all answer and the answers are exactly same for same queries? – Nikita Kipriyanov Oct 23 '19 at 11:13
  • dc01.domain.com is pointing to its internal DNS and then the second one is google DNS. – user630702 Oct 23 '19 at 11:14
  • I suggest to set up DCs so that they have themselves (127.0.0.1) on the first line and some other domain's DNS server at the second. Upstreams are configured in the DNS server upstream settings, not in the system DNS resolver settings. – Nikita Kipriyanov Oct 23 '19 at 11:15
  • Already tried 127.0.0.1 and secondary to the other DC's child DNS. If I point the DNS to the old DNS servers it resolves instantly. But I want to retire the old DNS and in order to do that this one has to resolve correctly. Some of the clients are pointed to this new DNS and the clients have no issues. But within the server it has some kind of issue. – user630702 Oct 23 '19 at 11:18
  • Then this is the culprit. Google doesn't seem to know how to resolve names in your domain. Only your DCs do know. A resolver might have been configured to do round-robin (ask the other server on every other query), instead of always asking the first and only asking the second if the first doesn't answer. Because of this, it failed to resolve every other query. So, never specify a DNS that isn't able to resolve local domain names in the DNS resolver settings on any domain-enabled system. Want to live with only a single DC and single DNS? Good luck. Tried to leave the other line empty? – Nikita Kipriyanov Oct 23 '19 at 11:26
  • Google DNS is used only for external domain names on the primary network interface (internal DNS IP as primary and secondary is Google DNS). For internal records, we use the parent domain (usually 127.0.0.1 and the other DC IP) using a secondary network interface. – user630702 Oct 23 '19 at 11:36
  • Again, it seems Google DNS is actually used for local names too. It should be set up in your DNS server upstream settings, and never in your DNS resolver settings. This way it will be used only for external domain names. And, for the other domain and their DNS, do these servers have proper glue records pointing to your new DNS server? Are they able to resolve your local domain names? Check that, as I suggested before. Never specify servers which aren't able. – Nikita Kipriyanov Oct 23 '19 at 11:45

1 Answer


Figured out the issue. In the list of suffixes (domain.com, ca.domain.com, ny.domain.com), ny.domain.com wasn't resolving. After looking into it further, there was a static route missing for the ny.domain.com network address. Adding that resolved the issue.

During nslookup it needed all suffixes to be reachable. When I removed the ny.domain.com suffix from the network adapter, nslookup did not fail. But after adding the static route and adding ny.domain.com back to the list of suffixes, it worked fine.

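A constructed Python model (added here; not code from the question, the answer, or Windows) of the behaviour the answer describes: a suffix whose zone cannot be reached produces timeouts before the bare name is answered, a trailing dot bypasses the suffix list entirely, and querying each suffix's zone apex is the quick check that would have flagged ny.domain.com. The fake server, the retry count and the suffix-first ordering are assumptions of the model, not Windows resolver or nslookup specifics.

```python
# Constructed model of search-list expansion; not the Windows resolver itself.
TIMEOUT, NXDOMAIN, OK = "timeout", "nxdomain", "ok"

class FakeDnsServer:
    """Stand-in for dc01's DNS service (hypothetical). Names under a zone in
    unreachable_zones time out, modelling a delegation to servers that cannot
    be reached (the missing static route in the answer)."""
    def __init__(self, records, unreachable_zones):
        self.records = records
        self.unreachable_zones = unreachable_zones

    def query(self, name):
        fqdn = name.rstrip(".")
        if any(fqdn == z or fqdn.endswith("." + z) for z in self.unreachable_zones):
            return TIMEOUT, []
        if fqdn in self.records:
            return OK, list(self.records[fqdn])
        return NXDOMAIN, []

def candidate_names(query, search_list):
    """A trailing dot makes the name absolute: no suffixes are tried. Otherwise
    each suffix is appended first and the bare name tried last (an assumed
    ordering chosen to reproduce the timeouts-then-answer in the question)."""
    if query.endswith("."):
        return [query.rstrip(".")]
    return [f"{query}.{suffix}" for suffix in search_list] + [query]

def resolve(query, search_list, server, retries=2):
    """Try candidates in order; a timeout is retried `retries` times before
    moving on. Returns (addresses, log of (candidate, status))."""
    log = []
    for cand in candidate_names(query, search_list):
        status, addrs = NXDOMAIN, []
        for _ in range(retries):
            status, addrs = server.query(cand)
            log.append((cand, status))
            if status != TIMEOUT:
                break
        if status == OK:
            return addrs, log
    return [], log

def timeouts(log):
    return sum(1 for _, status in log if status == TIMEOUT)

def unreachable_suffixes(search_list, server):
    """The check to run first: query each suffix's zone apex and report the
    ones that time out, which is how ny.domain.com would have been spotted."""
    return [s for s in search_list if server.query(s)[0] == TIMEOUT]
```

Running `resolve("domain.com", ...)` against a server with ny.domain.com unreachable logs two timeouts before the answer, `resolve("domain.com.", ...)` logs none, and `unreachable_suffixes` returns just ny.domain.com.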