One-way connectivity and disabled DNS on DC

  • Question

  • Hi there, I have a Windows Server 2012 R2 server as a domain controller and DNS server for the AD-integrated domain.  
    Using the server's IP, the server can be pinged, the default IIS website can be accessed, VPN/RAS can be dialed, and so can services like proxy servers, etc.  
    However, no service or application can establish any kind of outbound connectivity, external FQDNs are not resolved, and additionally, the DNS server is not responding to clients. When I query the domain name for resolution on my home PC, I get timeout messages with no other error.  
    I've already:

     - Checked the Firewall, all outbound connections are allowed.
     - Checked the DNS log, no warning or error has occurred.
     - Done dcdiag and ipconfig check and found no error.
     - Done some nslookup and ping checks, the results of which are:

            > nslookup
            DNS request timed out.
                timeout was 2 seconds.
            Default Server: UnKnown
            Address:  ::1

            > nslookup microsoft.com
            DNS request timed out.
                timeout was 2 seconds.
            Default Server: UnKnown
            Address:  ::1

            Name: microsoft.com.mydomain.co.uk
            Address: My IP

            > ping 66.220.158.68 // Facebook
            ...
            Ping statistics for 66.220.158.68:
            Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
            Approximate round trip times in milli-seconds:
            Minimum = 92ms, Maximum = 93ms, Average = 92ms

    Btw, it's curious how the ping service can access the remote server.
    Can anyone help me troubleshoot the problem?

    I of course use 127.0.0.1 as the primary DNS server, and after the problem happened I added OpenDNS as the alternative DNS server; however, no change. I rebooted the server two times but it's just the same. However, I suspect that the server has full connectivity in the first few minutes after start-up. The DNS server/client services are running as well, and the DNS management console is completely accessible.  

    The server is controlling and hosting a domain name which is integrated with Active Directory; let's call it mydomain.co.uk. When I try nslookup mydomain.co.uk on my home PC, which is not connected to the VPN nor in the same network as the server, it times out. The primary and alternative DNS servers I mentioned above are set inside the IPv4 settings of the main network adapter.

    Windows IP Configuration

           Host Name . . . . . . . . . . . . : CFS
           Primary Dns Suffix  . . . . . . . : mydomain.co.uk
           Node Type . . . . . . . . . . . . : Hybrid
           IP Routing Enabled. . . . . . . . : Yes
           WINS Proxy Enabled. . . . . . . . : No
           DNS Suffix Search List. . . . . . : mydomain.co.uk

        Ethernet adapter Local Area Connection:

           Media State . . . . . . . . . . . : Media disconnected
           Connection-specific DNS Suffix  . :
           Description . . . . . . . . . . . : TAP-Windows Adapter V9 #2
           Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
           DHCP Enabled. . . . . . . . . . . : Yes
           Autoconfiguration Enabled . . . . : Yes

        Ethernet adapter Ethernet 2:
        
           Media State . . . . . . . . . . . : Media disconnected
           Connection-specific DNS Suffix  . :
           Description . . . . . . . . . . . : TAP-Windows Adapter V9
           Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
           DHCP Enabled. . . . . . . . . . . : Yes
           Autoconfiguration Enabled . . . . : Yes
        
        Ethernet adapter Ethernet:
        
           Connection-specific DNS Suffix  . :
           Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
           Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
           DHCP Enabled. . . . . . . . . . . : No
           Autoconfiguration Enabled . . . . : Yes
           Link-local IPv6 Address . . . . . : fe80::65fa:4976:4508:552d%12(Preferred)
           IPv4 Address. . . . . . . . . . . : MyIP(Preferred)
           Subnet Mask . . . . . . . . . . . : 255.255.255.0
           Default Gateway . . . . . . . . . : MyI.254
           DHCPv6 IAID . . . . . . . . . . . : 302010454
           DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-C8-30-F4-00-50-56-88-B4-CB
        
           DNS Servers . . . . . . . . . . . : ::1
                                               127.0.0.1
           NetBIOS over Tcpip. . . . . . . . : Disabled
        
        PPP adapter RAS (Dial In) Interface:
        
           Connection-specific DNS Suffix  . :
           Description . . . . . . . . . . . : RAS (Dial In) Interface
           Physical Address. . . . . . . . . :
           DHCP Enabled. . . . . . . . . . . : No
           Autoconfiguration Enabled . . . . : Yes
           IPv4 Address. . . . . . . . . . . : 192.168.7.5(Preferred)
           Subnet Mask . . . . . . . . . . . : 255.255.255.255
           Default Gateway . . . . . . . . . :
           NetBIOS over Tcpip. . . . . . . . : Enabled
    Wednesday, April 6, 2016 8:56 PM

All replies

  • Please remove ::1 from being your DNS server for IPv6. Just make sure that it is set for automatic configuration. You can refer to what I published here for the IP settings of your DC: http://www.ahmedmalek.com/web/fr/articles.asp?artid=23
    Do not forget to make sure that you are pointing to your ISP DNS servers as forwarders and that port 53 to the internet is not blocked or filtered.

    Please also note that installing RRAS on a DC is not recommended.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK


    Thursday, April 7, 2016 12:13 AM
  • Hi Darkness,

    Agree with MR X.

    Here is the link for your reference:

    How to disable IPv6 or its components in Windows

    https://support.microsoft.com/en-us/kb/929852

    Active Directory communication fails on multihomed domain controllers

    https://support.microsoft.com/en-us/kb/272294

    Symptoms of multihomed browsers

    https://support.microsoft.com/en-us/kb/191611

    Best Regards,

    Cartman

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, April 7, 2016 1:34 AM
  • Thanks for your answer. I removed ::1 from the IPv6 DNS configuration and set it to auto; no change. I'm using the ISP DNS servers as forwarders, as I had been before the problem occurred. Port 53 is open outbound and inbound.

    P.S. It's our only server; we have to run everything we need on it.

    And... is it natural that nslookup is resolving FQDNs as a subdomain of mydomain.co.uk?
    Thursday, April 7, 2016 1:31 PM
  • Hi Darkness,

    Please try to disable IPv6 and test again. By the way, do you have a reverse zone?

    Best Regards,

    Cartman


    Friday, April 8, 2016 1:15 AM
  • I tried the autofix you mentioned, and I also disabled the IPv6 protocol from the service list in the external adapter. However, that gave no change, neither for the DNS problem nor for opening up the outbound connectivity. And no, we don't have any reverse zones defined; is one needed?

    P.S. The DNS server cannot resolve the pre-defined IP addresses used as forwarders. They've been working from the moment we started using this server.
    Friday, April 8, 2016 8:46 AM
  • Hi Darkness,

    >>And no, we don't have any reverse zones defined, is one needed?

    Please create a reverse zone for the scope, and run 'ipconfig /registerdns' on the DNS server, then test 'nslookup'.

    Best Regards,

    Cartman


    Friday, April 8, 2016 8:53 AM
  • Tried it, no change. nslookup works normally when resolving localhost, but it still resolves microsoft.com as 'microsoft.com.mydomain.co.uk' with the server's IP.
    From this, I guessed that if I browsed to 'account', which is a controlled subdomain hosted by IIS, it would load that website, since the 'mydomain.co.uk' suffix is always appended, but it loads the default website instead.
    Friday, April 8, 2016 9:23 AM
  • Hi Darkness,

    Follow this thread for auto add domain suffix:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/8f29df1a-46dc-4b3b-946c-528b10f7223e/weird-nslookup-results?forum=winserverNIS

    Best Regards,

    Cartman


    Friday, April 8, 2016 9:43 AM
  • I don't understand it. I followed the instructions to disable suffix appending, and I also manually added a reverse zone, which enabled inbound DNS, but it could only resolve mydomain.co.uk and no subdomain! Now, after a couple of minutes, the DNS seems to be broken again. Reason? I don't know! However, outbound DNS resolutions still time out, even reverse resolutions, which means I still cannot resolve the forwarders I need.
    Friday, April 8, 2016 2:35 PM
  • Hi Darkness,

    1. Please run 'dcdiag' on the DNS server.

    2. Please try to run the DNS Best Practices Analyzer:

    https://technet.microsoft.com/en-us/library/dd391963(v=ws.10).aspx

    Best Regards,

    Cartman


    Monday, April 11, 2016 4:30 AM
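The nslookup output in the question and the checks suggested in the replies (loopback listeners, forwarders on port 53, suffix appending) can be separated into three distinct tests. The script below is an added example, not code from the thread; it assumes the zone name 'mydomain.co.uk' from the question and uses 'microsoft.com' as a name the local zone does not own, and it runs in an elevated PowerShell on the DC.

```powershell
# Added example (not from the thread): separates the three failure modes
# seen above on a 2012 R2 DC that is its own DNS server. Run elevated on
# the DC. $ZoneName and $ExternalName are assumed values; adjust as needed.
$ZoneName       = 'mydomain.co.uk'   # the AD-integrated zone from the thread
$ExternalName   = 'microsoft.com'    # a name the local zone does not own
$LocalListeners = @('127.0.0.1', '::1')
function Test-LocalResolver {
    # 1. Does the DNS Server service answer on each loopback address, and
    #    does the answer carry the primary suffix (microsoft.com.mydomain.co.uk)?
    foreach ($ip in $LocalListeners) {
        try {
            $r = Resolve-DnsName -Name $ExternalName -Server $ip -Type A -DnsOnly -ErrorAction Stop
            if ($r.Name -like "*.$ZoneName") {
                "[WARN] $ip answered $($r.Name) -> $($r.IPAddress -join ', ') (suffix appended, local record used)"
            } else {
                "[OK]   $ip answered $($r.Name) -> $($r.IPAddress -join ', ')"
            }
        } catch {
            "[FAIL] $ip gave no answer for $ExternalName : $($_.Exception.Message)"
        }
    }
}
function Test-ForwarderPath {
    # 2. Can the DC reach each configured forwarder on TCP 53, and does the
    #    forwarder answer a direct query?  Separates 'forwarder unreachable'
    #    (port 53 filtered, as the replies suggest) from 'local server broken'.
    foreach ($fwd in (Get-DnsServerForwarder).IPAddress) {
        $tcp = Test-NetConnection -ComputerName "$fwd" -Port 53 -WarningAction SilentlyContinue
        try {
            $r = Resolve-DnsName -Name $ExternalName -Server "$fwd" -Type A -DnsOnly -ErrorAction Stop
            "[OK]   forwarder $fwd tcp53=$($tcp.TcpTestSucceeded) -> $($r.IPAddress -join ', ')"
        } catch {
            "[FAIL] forwarder $fwd tcp53=$($tcp.TcpTestSucceeded) no answer: $($_.Exception.Message)"
        }
    }
}
function Test-ZoneWildcard {
    # 3. If a random label under the zone also resolves to the server's IP, a
    #    wildcard (*) A record is answering for every suffixed name and will
    #    mask a real outbound-resolution failure behind a local answer.
    $probe = "probe-$(Get-Random).$ZoneName"
    try {
        $r = Resolve-DnsName -Name $probe -Server '127.0.0.1' -Type A -DnsOnly -ErrorAction Stop
        "[WARN] $probe resolved to $($r.IPAddress -join ', '): wildcard record likely in $ZoneName"
    } catch {
        "[OK]   $probe did not resolve; no wildcard in $ZoneName"
    }
}
Test-LocalResolver; Test-ForwarderPath; Test-ZoneWildcard
```

A [FAIL] on every local listener with [OK] on the forwarders points at the local DNS Server service or its listening addresses; [OK] locally with [FAIL] on the forwarders points at the outbound path on port 53.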