DNS Servers not working correctly when set as secondary DNS server

  • Hello everyone!

    I've a problem with 2 W2K8R2 servers running both as Domain Controller + DNS Server (FLZ only). They're both replicating well with each other.

    In my network, servers/clients have static IP addresses. I'm not using DHCP!

    So my clients have 2 DNS servers configured in their IPv4 configuration (primary and secondary).

    Now my problem:

    If I shut down the primary DNS server, no client is able to run an nslookup request like nslookup testserver1.test.local . They get a timeout answer.

    Now, if I set the secondary DNS server as the primary DNS server, the clients are able to run the same request successfully.

    The conclusion: DNS requests are only successful if the working DNS server is set as the primary DNS server.

    Is there a solution on how it is possible to let the clients know to ask the secondary DNS server when the first one is down?

    Best regards

    Christian

    Tuesday, January 10, 2012 11:27 AM

All replies

  • To avoid the issue, the best practice is to have an Active Directory integrated DNS zone, which will give you redundancy and makes it easy to take the DNS backup using the system state backup.

    more on 

    http://technet.microsoft.com/en-us/library/cc978010.aspx

    http://support.microsoft.com/kb/198437


    http://www.virmansec.com/blogs/skhairuddin
    Tuesday, January 10, 2012 11:36 AM
  • Hi Syed,

    thanks for your reply.

    I forgot to mention that I'm using an AD integrated DNS zone. Both servers are replicating their DBs perfectly.

    Best regards

    Christian

    Tuesday, January 10, 2012 12:29 PM
  • Hi Christian

    The secondary DNS is only used when the client determines that the primary is not reachable. In your case, could you shut down the primary DNS first and then either reboot the client PCs and test if they can't reach the secondary, or

    open a command prompt and run

    ipconfig /flushdns

    then perform DNS queries and see if this does not work.

     

    Also check this documentation http://technet.microsoft.com/en-us/library/dd197495(WS.10).aspx


    Regards Herbert Zimbizi
    • Marked as answer by Boo_MonstersInc Monday, January 16, 2012 8:57 AM
    • Unmarked as answer by Christian Zink Monday, January 16, 2012 9:47 AM
    • Proposed as answer by Meinolf Weber Thursday, August 15, 2013 9:49 AM
    Tuesday, January 10, 2012 1:51 PM
  • nslookup works only with the primary DNS server. Just try to ping the server name and check whether it's working.
    Darshana Jayathilake
    Tuesday, January 10, 2012 3:20 PM
  • Hi Darshana,

    OK pinging the server name works with the prim. DNS server not working.

    Does it mean that just nslookup isn't working but every other DNS request?

    Best regards

    Christian

    Tuesday, January 10, 2012 4:04 PM
  • When you unplug the primary server, can users still log in to the domain using the secondary DNS server address?


    Darshana Jayathilake
    Tuesday, January 10, 2012 4:21 PM
  • I've a problem with 2 W2K8R2 servers running both as Domain Controller + DNS Server (FLZ only). They're both replicating well with each other.

    In my network, servers/clients have static IP addresses. I'm not using DHCP!

    So my clients have 2 DNS servers configured in their IPv4 configuration (primary and secondary).

    Now my problem:

    If I shut down the primary DNS server, no client is able to run an nslookup request like nslookup testserver1.test.local . They get a timeout answer.

    Now, if I set the secondary DNS server as the primary DNS server, the clients are able to run the same request successfully.

     

    Please, run the following test:

    * make a note of the two DNS servers IP addresses, let's say (for example) that they're 192.168.1.1 and 192.168.1.2

    * go to a workstation (not one of the servers), log onto it and start a command prompt (cmd.exe)

    * at the command prompt enter the following

    nslookup testserver1.test.local. 192.168.1.1

    nslookup testserver1.test.local. 192.168.1.2

    and report here the output of the two commands; basically, what you'll be doing will be querying both the DNS servers asking them to return the IP address of "testserver1.test.local" (assuming such a host exists; if not, please, use an existing and valid hostname); what I'm trying to check is if BOTH DNS servers are correctly answering queries; if this isn't the case then you'll probably need to revise your setup and ensure that both DNS servers are correctly working and can receive queries from clients (and send back replies)

     


    • Edited by ObiWan Tuesday, January 10, 2012 5:50 PM
    Tuesday, January 10, 2012 5:49 PM
  • I've a problem with 2 W2K8R2 servers running both as Domain Controller + DNS Server (FLZ only). They're both replicating well with each other.

    In my network, servers/clients have static IP addresses. I'm not using DHCP!

    So my clients have 2 DNS servers configured in their IPv4 configuration (primary and secondary).

    Now my problem:

    If I shut down the primary DNS server, no client is able to run an nslookup request like nslookup testserver1.test.local . They get a timeout answer.

    Now, if I set the secondary DNS server as the primary DNS server, the clients are able to run the same request successfully.

     

    Please, run the following test:

    * make a note of the two DNS servers IP addresses, let's say (for example) that they're 192.168.1.1 and 192.168.1.2

    * go to a workstation (not one of the servers), log onto it and start a command prompt (cmd.exe)

    * at the command prompt enter the following

    nslookup testserver1.test.local. 192.168.1.1

    nslookup testserver1.test.local. 192.168.1.2

    and report here the output of the two commands; basically, what you'll be doing will be querying both the DNS servers asking them to return the IP address of "testserver1.test.local" (assuming such a host exists; if not, please, use an existing and valid hostname); what I'm trying to check is if BOTH DNS servers are correctly answering queries; if this isn't the case then you'll probably need to revise your setup and ensure that both DNS servers are correctly working and can receive queries from clients (and send back replies)

     


     

    Hi ObiWan,

    here are my results. Both DNS servers are working properly I think:

     

    When you unplug the primary server, can users still log in to the domain using the secondary DNS server address?

    Darshana Jayathilake

    Hi Darshana,

    yes I'm able to login to domain when prim. DNS server is off.

    Wednesday, January 11, 2012 8:33 AM
  • Hmm... judging from what I see in your pic, it sounds like you may have some DNS config issues; first of all, it sounds like there's no reverse zone for your subnet (192.168.1.x) and/or that the reverse zone doesn't contain the entries related to your two DNS servers, so, start by ensuring that such a zone exists (and that it's AD integrated); next, check the IP settings (ipconfig /all) on the test client and on both DNS servers; they should be something like this

    * client: 192.168.1.1, 192.168.1.2

    * DNS1: 192.168.1.1, 192.168.1.2

    * DNS2: 192.168.1.2, 192.167.1.1

    that is, the client should point to both DNS servers, the DNS should point to themselves as the FIRST DNS and to the other DNS as the second (refer to the above example) - notice that neither the client nor the servers should, in any case, point to other DNS IPs (e.g. external DNS servers) since this will cause problems; also, and since we're at it, fire up the DNS management console on both servers and check if there are any forwarders, in particular if the servers are forwarding queries "each other" (e.g. DNS2 forwarding to DNS1) and, if this is the case, remove such forwarding

    Also, it puzzles me the fact that, in the pic you posted there's no domain name; you issued a query for "zs2" (that is a non FQDN entry) and the DNS servers apparently answered with a NON FQDN name ! This is strange and may indicate some config issues... all in all, given you're running an AD you should have a domain and that should be used to complete the host name returned by queries (e.g. zs2.domain.local); I think it may be interesting to see the output of the "ipconfig /all" command from a client, DNS1 and DNS2

    What else, notice that to post the commands output you may just redirect it to a file and then use the "insert code block" button to add the file contents to messages; for example, willing to post the output of the "nslookup ..." command you may just run "nslookup ... >>somefile.txt 2>>&1" and then opening "somefile.txt" retrieve the full text output and post it here

     


    • Edited by ObiWan Wednesday, January 11, 2012 9:01 AM
    Wednesday, January 11, 2012 9:01 AM
  • Hi

    so far most of what has been said adds up, but I decided to simulate what you described and my observation is that, using nslookup, tests failed when the primary DNS is off.

    Unless you type

    nslookup

    server <your secondary ip>

    <pcname>

    nslookup will perform all tests using the primary only.

     

    However, DNS requests from all other applications succeed, meaning the clients should still function correctly, that is to say the secondary is used when the primary is not reachable


    Regards Herbert Zimbizi
    Wednesday, January 11, 2012 9:33 AM
  •  * client: 192.168.1.1, 192.168.1.2

    * DNS1: 192.168.1.1, 192.168.1.2

    * DNS2: 192.168.1.2, 192.167.1.1

    First, thanks for your support!

    It's true, that I'm not using Reverse Lookup Zones. There is no need for the customer, there's just one Forward Lookup Zone (AD integrated).

    When I posted the picture, I took out the domain. You are right when you say that I'm not requesting with a FQDN but in result a FQDN came as answer. You can see on some lines that there is a hint at the domain name (like zs2.) or you can see the huge space between zs2 and [192.168....

    I've used a domain like xxx.local .

    The ipconfigs are exact as you posted above. Every DNS server is its own prim. DNS server.

    Yes, I'm forwarding DNS request each other, but I don't know why :D So I'll delete the forwardings on both servers.

    I'm not using root hints.

    Update: I deleted the forwardings but still experiencing the same problem.

    Could it really be a nslookup "bug"?

    Wednesday, January 11, 2012 9:49 AM
  • In addition to what I have already said (nslookup resolves using the listed primary DNS only), the DNS priority list is reset every 15 minutes, meaning that you probably need to test after 15 minutes: http://support.microsoft.com/kb/320760/en-us?p=1
    Regards Herbert Zimbizi
    Wednesday, January 11, 2012 10:04 AM
  • Unless you type

    nslookup

    server <your secondary ip>

    <pcname>

    nslookup will perform all tests using the primary only.

    first of all, to test a specific server, you'll need to add it to the nslookup cmd line, that is

    nslookup your.query.xyz the.dns.server.it

    so, for example

    nslookup foobar.example.com 192.168.1.2

    that way nslookup will send the query to the specified DNS instead than sending it to the preferred DNS server; then, as for the tests, nslookup should (and usually will) switch to the secondary server in case the first one fails and this doesn't seem to happen in your case... hmm, could you please check if the "DNS client" service is running on the workstation and, if not, set it up to autostart, reboot the workstation and repeat the tests ?

     

    Wednesday, January 11, 2012 10:18 AM
  • In addition to what I have already said (nslookup resolves using the listed primary DNS only), the DNS priority list is reset every 15 minutes, meaning that you probably need to test after 15 minutes: http://support.microsoft.com/kb/320760/en-us?p=1

    That's a different kind of thing; whenever the primary DNS fails, windows will (in your case it doesn't and we'll need to find out why) switch to the alternate one and keep using it until the primary won't get back online (answering); such a check (to switch back) is performed at 15 minutes intervals, but this isn't your case, in your case is the switch to the secondary server which doesn't seem to be working !

    Also, and since we're at it, have a look at this (old) document and, in particular, scroll down to the "DNS Queries" section (figures 6.4, 6.5, 6.6 and 6.7) those show how the resolver carries on queries and which timeouts are used for each attempt

    Notice that the DNS "switchover" is dealt with in a different way if the DNS client is running or if it isn't running; in the first case, the DNS switchover will be dealt with by the DNS client and will be "global" to the whole system, so all apps will then start querying the current DNS (be it the primary or the secondary); in the second case (DNS client stopped) the switchover will be handled by the resolver library and will ONLY affect the given application so, in such a second case, you may have a given process using the secondary server (due to switchover) and another process still trying to use the first one... by the way this isn't a desired behaviour, so, it would be a better idea ensuring that the DNS client is started and working

     

     

    • Edited by ObiWan Wednesday, January 11, 2012 10:36 AM
    Wednesday, January 11, 2012 10:20 AM
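    As an added example (not code from this thread, from Microsoft or from any poster), here is a minimal stub resolver in Python that makes the two behaviours discussed above concrete: querying one named server directly, which is what ObiWan's "nslookup name server" test does, and the preferred-to-alternate switchover that the DNS Client service performs for the whole system once the preferred server times out. The server addresses, the hostname and the reply bytes are constructed placeholders; `query_server`, `resolve_with_failover` and `fake_reply` are this example's own names, not Windows APIs. Run it as a script for an offline simulation in which the preferred server never answers; on a real network, `query_server(HOSTNAME, server)` asks one server over UDP port 53.

```python
import socket
import struct

# Constructed placeholders (the thread uses 192.168.1.1/.2 as examples as well).
PREFERRED = "192.168.1.1"
ALTERNATE = "192.168.1.2"
HOSTNAME = "testserver1.test.local"


def build_query(name, txid=0x1234):
    """Build a recursive A query in RFC 1035 wire format (header + question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(reply, txid=0x1234):
    """Return the IPv4 addresses found in the answer section of a DNS reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", reply, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:                   # RCODE != 0, e.g. NXDOMAIN or SERVFAIL
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    offset = 12
    for _ in range(qd):                  # skip the echoed question(s)
        offset = _skip_name(reply, offset) + 4
    addresses = []
    for _ in range(an):
        offset = _skip_name(reply, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", reply, offset)
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(reply[offset:offset + 4]))
        offset += rdlen
    return addresses


def query_server(name, server, timeout=1.0, txid=0x1234):
    """Send one UDP query to one server, the way 'nslookup name server' does.
    Returns the raw reply, or None if that server did not answer in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        try:
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return reply


def resolve_with_failover(name, servers, timeout=1.0, txid=0x1234, send=query_server):
    """Try the servers in order and stop at the first one that answers: the
    preferred-to-alternate switchover the DNS Client performs. Returns
    (answering_server, addresses), or (None, []) if every server timed out."""
    for server in servers:
        reply = send(name, server, timeout, txid)
        if reply is not None:
            return server, parse_a_records(reply, txid)
    return None, []


def fake_reply(name, ip, txid=0x1234):
    """Constructed reply for offline runs: flags 0x8180 (QR, RD, RA), one A record
    whose owner name is a compression pointer back to the question (offset 12)."""
    question = build_query(name, txid)[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    # Offline demo: the preferred server is "down" (never answers), the alternate answers.
    def simulated_send(name, server, timeout, txid):
        return None if server == PREFERRED else fake_reply(name, "192.168.1.10", txid)

    print(resolve_with_failover(HOSTNAME, [PREFERRED, ALTERNATE], send=simulated_send))
```

    The difference the thread keeps circling back to is visible in the two entry points: `query_server` talks to exactly one server and reports a timeout as a failure, which is what a bare nslookup against an unreachable preferred server shows, while `resolve_with_failover` is the system-wide behaviour that login and ping rely on. The `send` parameter exists only so the switchover can be exercised without a network.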
  • You're right ObiWan, that's exactly my problem :)

    I've checked the client and the DNS client service is autostarting and was started in the tests.

    For me it is OK to tell my customer that this is a nslookup bug but everything else, what has to do with name resolution, works fine (like Domain login).

    It's still curious why the Windows 7 client isn't switching automatically to the secondary DNS server but works fine when starting an nslookup request asking the secondary DNS server directly...

    Wednesday, January 11, 2012 10:34 AM
  • It's true, that I'm not using Reverse Lookup Zones. There is no need for the customer, there's just one Forward Lookup Zone (AD integrated).

    The reverse zone IS still needed, even if you aren't using DHCP, the dynamic clients registration uses it and, in any case, the PTR records (reverse zone) will help speeding things up, so, please, create such a zone (AD integrated) and ensure that it will contain at least the PTR records for your DNS servers and for the DCs

    Yes, I'm forwarding DNS request each other, but I don't know why :D So I'll delete the forwardings on both servers.

    Forwarding DNS requests each other ? That's totally crazy, mind me !

    I'm not using root hints.


    Why ? If you need the DNS servers to resolve external hosts, you'll either need to use root hints and recursion (recommended) or to configure your DNS servers to forward queries to external DNS resolvers (e.g. your ISP ones)

    Sorry to say this, but the more I read this discussion, the more I suspect that the DNS setup is somewhat screwed and should be revised

     

    Wednesday, January 11, 2012 10:41 AM
  • It's still curious why the Windows 7 client isn't switching automatically to the secondary DNS server but works fine when starting an nslookup request asking the secondary DNS server directly...

    Yes, I'm curious to understand why YOUR windows clients aren't switching over the preferred DNS (as a note and just to stay on the safe side, I tested the same here and the switchover works just fine, so it sounds like it's an issue on your setup, not a "general bug")

     

    Wednesday, January 11, 2012 10:44 AM
  • It's true, that I'm not using Reverse Lookup Zones. There is no need for the customer, there's just one Forward Lookup Zone (AD integrated).

    The reverse zone IS still needed, even if you aren't using DHCP, the dynamic clients registration uses it and, in any case, the PTR records (reverse zone) will help speeding things up, so, please, create such a zone (AD integrated) and ensure that it will contain at least the PTR records for your DNS servers and for the DCs

    Yes, I'm forwarding DNS request each other, but I don't know why :D So I'll delete the forwardings on both servers.

    Forwarding DNS requests each other ? That's totally crazy, mind me !

    I'm not using root hints.


    Why ? If you need the DNS servers to resolve external hosts, you'll either need to use root hints and recursion (recommended) or to configure your DNS servers to forward queries to external DNS resolvers (e.g. your ISP ones)

    Sorry to say this, but the more I read this discussion, the more I suspect that the DNS setup is somewhat screwed and should be revised

     


    OK, I'll need to give more information.

    - The network we are using is completely autarkic, so no connection to any other systems (ISP) outside our LAN. That's why I don't use root hints.

    - I don't think we need a RLZ because new clients are self-registering their names in DNS. This works pretty fine.

    - I took out the forwarders but it doesn't solve the problem

    As I said, pinging without FQDN and prim. DNS server works fine. It resolves the FQDN and IP.

    Wednesday, January 11, 2012 10:53 AM
  • I believe everything is working fine for you, therefore there is no need to concern yourself with reverse zones and forwarders.

    Unless I missed the point, you want to know why nslookup is not querying the second DNS server when the first DNS is off or unreachable.

    Assuming that is correct

    nslookup the.server.xyz

    this would query for ip address for server the.server.xyz using the first dns server or primary dns server.

    nslookup foobar.example.com 192.168.1.2

    this would query the ip address for foobar.example.com using dns server 192.168.1.2

     

     


    Regards Herbert Zimbizi
    Wednesday, January 11, 2012 11:27 AM
  • Yep, that's right.

    With nslookup server.domain.name it just asks the prim. DNS server. If it is not reachable I get a DNS timeout message. The client isn't switching to the secondary DNS server.

    With nslookup server.domain.name 192.168.1.2 the name resolution works fine because with this command the secondary DNS server is asked.

    Wednesday, January 11, 2012 11:32 AM
  • - The network we are using is completely autarkic, so no connection to any other systems (ISP) outside our LAN. That's why I don't use root hints.

    I suspected it :) - as for the isolated LAN, I think you may also want to disable recursion in your DNS servers so that they'll be authoritative only (that is, they'll only answer to queries related to their domains)

    - I don't think we need a RLZ because new clients are self-registering their names in DNS. This works pretty fine.

    Make me a favour, given that creating an AD integrated reverse zone won't break your network (nor collapse the universe, for that :D), could you please try creating it (if I'm right, in your case it should be "1.168.192.in-addr.arpa."), ensuring it contains the DC/DNS PTR records at least and then retrying the nslookups ? If the behavior is the one I'm expecting, at least you shouldn't see those "request timeout" messages anymore (not to say that it should start populating with client entries in a while)

    - I took out the forwarders but it doesn't solve the problem

    As I said, pinging without FQDN and prim. DNS server works fine. It resolves the FQDN and IP.

    Pinging an IP or a hostname ? Also, ping uses the resolver library and the latter may use "netbios" (if enabled) while nslookup will only deal with DNS resolution; as for the latter, could you please try running the "dcdiag" tool to check everything's ok and, in particular to run the DNS tests (/DnsAll - see the above URL for details) ?

    Also, and since you're at it, you may try repeating the dcdiag test after "disconnecting" the primary DNS; the test will for sure give you some errors related to the "missing DC" but may also allow to find out some other infos which, in turn, may be useful to diagnose the issue



    • Edited by ObiWan Wednesday, January 11, 2012 11:51 AM
    Wednesday, January 11, 2012 11:47 AM
  • Assuming that is correct

    nslookup the.server.xyz

    this would query for ip address for server the.server.xyz using the first dns server or primary dns server.

    nslookup foobar.example.com 192.168.1.2

    this would query the ip address for foobar.example.com using dns server 192.168.1.2


    I beg your pardon, would you please explain to me where's the difference between the above and the "nslookup" tests I already suggested to run and/or what does the above add to what already discussed ?

    Thanks

     

    Wednesday, January 11, 2012 11:49 AM
  • Here are the dcdiag /dnsall results for prim. DNS server:


    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = SERVER11
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests
      
       Testing server: Site\SERVER1
          Starting test: Connectivity
             ......................... SERVER1 passed test Connectivity

    Doing primary tests
      
       Testing server: Site\SERVER1
          Starting test: Advertising
             ......................... SERVER1 passed test Advertising
          Starting test: FrsEvent
             ......................... SERVER1 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... SERVER1 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... SERVER1 passed test SysVolCheck
          Starting test: KccEvent
             A warning event occurred.  EventID: 0x80000B46
                Time Generated: 01/11/2012   13:39:38
                Event String:
                The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
             ......................... SERVER1 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... SERVER1 passed test
             KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... SERVER1 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... SERVER1 passed test NCSecDesc
          Starting test: NetLogons
             ......................... SERVER1 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... SERVER1 passed test
             ObjectsReplicated
          Starting test: Replications
             REPLICATION LATENCY WARNING
             ERROR: Expected notification link is missing.
             Source ZS2
             Replication of new changes along this path will be delayed.
             This problem should self-correct on the next periodic sync.
             ......................... SERVER1 passed test Replications
          Starting test: RidManager
             ......................... SERVER1 passed test RidManager
          Starting test: Services
             ......................... SERVER1 passed test Services
          Starting test: SystemLog
             An error event occurred.  EventID: 0xC0000424
                Time Generated: 01/11/2012   13:38:25
                Event String:
                \??\C:\Windows\system32\Drivers\vmdebug.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
             A warning event occurred.  EventID: 0x8000001D
                Time Generated: 01/11/2012   13:39:33
                Event String:
                The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 01/11/2012   13:39:42
                Event String:
                Name resolution for the name _ldap._tcp.dc._msdcs.Domain.Name timed out after none of the configured DNS servers responded.
             A warning event occurred.  EventID: 0x000727AA
                Time Generated: 01/11/2012   13:43:10
                Event String:
                The WinRM service failed to create the following SPNs: WSMAN/SERVER11.Domain.Name; WSMAN/SERVER1.
             ......................... SERVER1 failed test SystemLog
          Starting test: VerifyReferences
             ......................... SERVER1 passed test VerifyReferences
      
      
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
      
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
      
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
      
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
      
       Running partition tests on : Domain
          Starting test: CheckSDRefDom
             ......................... Domain passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Domain passed test CrossRefValidation
      
       Running enterprise tests on : Domain.Name
          Starting test: LocatorCheck
             ......................... Domain.Name passed test LocatorCheck
          Starting test: Intersite
             ......................... Domain.Name passed test Intersite

    Here are the results for second. DNS server:


    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = ZS2
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests
      
       Testing server: Site\ZS2
          Starting test: Connectivity
             ......................... ZS2 passed test Connectivity

    Doing primary tests
      
       Testing server: Site\ZS2
          Starting test: Advertising
             ......................... ZS2 passed test Advertising
          Starting test: FrsEvent
             ......................... ZS2 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... ZS2 failed test DFSREvent
          Starting test: SysVolCheck
             ......................... ZS2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... ZS2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... ZS2 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... ZS2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... ZS2 passed test NCSecDesc
          Starting test: NetLogons
             ......................... ZS2 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... ZS2 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,ZS2] A recent replication attempt failed:
                From SERVER1 to ZS2
                Naming Context: DC=ForestDnsZones,DC=Domain,DC=Name
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
               
                The failure occurred at 2012-01-11 12:54:34.
                The last success occurred at 2012-01-11 09:10:26.
                4 failures have occurred since the last success.
             [Replications Check,ZS2] A recent replication attempt failed:
                From SERVER1 to ZS2
                Naming Context: CN=Schema,CN=Configuration,DC=Domain,DC=Name
                The replication generated an error (1722):
                The RPC server is unavailable.
                The failure occurred at 2012-01-11 12:55:16.
                The last success occurred at 2012-01-10 16:46:01.
                5 failures have occurred since the last success.
                The source SERVER1 is responding now.
             ......................... ZS2 failed test Replications
          Starting test: RidManager
             ......................... ZS2 passed test RidManager
          Starting test: Services
             ......................... ZS2 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x00000081
                Time Generated: 01/11/2012   13:10:14
                Event String:
                NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3145779 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
             ......................... ZS2 passed test SystemLog
          Starting test: VerifyReferences
             ......................... ZS2 passed test VerifyReferences
      
      
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
      
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
      
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
      
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
      
       Running partition tests on : Domain
          Starting test: CheckSDRefDom
             ......................... Domain passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Domain passed test CrossRefValidation
      
       Running enterprise tests on : Domain.Name
          Starting test: LocatorCheck
             ......................... Domain.Name passed test LocatorCheck
          Starting test: Intersite
             ......................... Domain.Name passed test Intersite

    And here are the results for second. DNS server while prim. DNS server is off:


    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = ZS2
       * Identified AD Forest.
       Ldap search capabality attribute search failed on server SERVER1,
       return value = 81
       Got error while checking if the DC is using FRS or DFSR. Error:
       Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
       because of this error.
       Done gathering initial info.

    Doing initial required tests
      
       Testing server: Site\ZS2
          Starting test: Connectivity
             ......................... ZS2 passed test Connectivity

    Doing primary tests
      
       Testing server: Site\ZS2
          Starting test: Advertising
             Warning: ZS2 is not advertising as a time server.
             ......................... ZS2 failed test Advertising
          Starting test: FrsEvent
             ......................... ZS2 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... ZS2 failed test DFSREvent
          Starting test: SysVolCheck
             ......................... ZS2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... ZS2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             [SERVER1] DsBindWithSpnEx() failed with error 1722,
             The RPC server is unavailable..
             Warning: SERVER1 is the Schema Owner, but is not responding to
             DS RPC Bind.
             Warning: SERVER1 is the Schema Owner, but is not responding to
             LDAP Bind.
             Warning: SERVER1 is the Domain Owner, but is not responding to
             DS RPC Bind.
             Warning: SERVER1 is the Domain Owner, but is not responding to
             LDAP Bind.
             Warning: SERVER1 is the PDC Owner, but is not responding to DS
             RPC Bind.
             Warning: SERVER1 is the PDC Owner, but is not responding to
             LDAP Bind.
             Warning: SERVER1 is the Rid Owner, but is not responding to DS
             RPC Bind.
             Warning: SERVER1 is the Rid Owner, but is not responding to
             LDAP Bind.
             Warning: SERVER1 is the Infrastructure Update Owner, but is
             not responding to DS RPC Bind.
             Warning: SERVER1 is the Infrastructure Update Owner, but is
             not responding to LDAP Bind.
             ......................... ZS2 failed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... ZS2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... ZS2 passed test NCSecDesc
          Starting test: NetLogons
             ......................... ZS2 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... ZS2 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,ZS2] A recent replication attempt failed:
                From SERVER1 to ZS2
                Naming Context: DC=ForestDnsZones,DC=Domain,DC=Name
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
               
                The failure occurred at 2012-01-11 13:54:53.
                The last success occurred at 2012-01-11 09:10:26.
                5 failures have occurred since the last success.
             [Replications Check,ZS2] A recent replication attempt failed:
                From SERVER1 to ZS2
                Naming Context: DC=DomainDnsZones,DC=Domain,DC=Name
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
               
                The failure occurred at 2012-01-11 13:54:53.
                The last success occurred at 2012-01-11 13:39:39.
                1 failures have occurred since the last success.
             [Replications Check,ZS2] A recent replication attempt failed:
                From SERVER1 to ZS2
                Naming Context: CN=Schema,CN=Configuration,DC=Domain,DC=Name
                The replication generated an error (1722):
                The RPC server is unavailable.
                The failure occurred at 2012-01-11 13:55:35.
                The last success occurred at 2012-01-10 16:46:01.
                6 failures have occurred since the last success.
                The source remains down. Please check the machine.
             [Replications Check,ZS2] A recent replication attempt failed:
                From SERVER1 to ZS2
                Naming Context: CN=Configuration,DC=Domain,DC=Name
                The replication generated an error (1722):
                The RPC server is unavailable.
                The failure occurred at 2012-01-11 13:55:14.
                The last success occurred at 2012-01-11 13:38:50.
                1 failures have occurred since the last success.
                The source remains down. Please check the machine.
             [Replications Check,ZS2] A recent replication attempt failed:
                From SERVER1 to ZS2
                Naming Context: DC=Domain,DC=Name
                The replication generated an error (1722):
                The RPC server is unavailable.
                The failure occurred at 2012-01-11 13:54:53.
                The last success occurred at 2012-01-11 13:52:14.
                1 failures have occurred since the last success.
                The source remains down. Please check the machine.
             ......................... ZS2 failed test Replications
          Starting test: RidManager
             ......................... ZS2 failed test RidManager
          Starting test: Services
             ......................... ZS2 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x00000081
                Time Generated: 01/11/2012   13:10:14
                Event String:
                NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3145779 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
             A warning event occurred.  EventID: 0x0000008E
                Time Generated: 01/11/2012   13:55:43
                Event String:
                The time service has stopped advertising as a time source because the Name clock is not synchronized.
             A warning event occurred.  EventID: 0x00000018
                Time Generated: 01/11/2012   13:56:47
                Event String:
                Time Provider NtpClient: No valid response has been received from domain controller SERVER11.Domain.Name after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize. The error was: The peer is unreachable.
             ......................... ZS2 passed test SystemLog
          Starting test: VerifyReferences
             ......................... ZS2 passed test VerifyReferences
      
      
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
      
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
      
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
      
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
      
       Running partition tests on : Domain
          Starting test: CheckSDRefDom
             ......................... Domain passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Domain passed test CrossRefValidation
      
       Running enterprise tests on : Domain.Name
          Starting test: LocatorCheck
             Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
             A Primary Domain Controller could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
             1355
             A Good Time Server could not be located.
             ......................... Domain.Name failed test LocatorCheck
          Starting test: Intersite
             ......................... Domain.Name passed test Intersite

    To the RLZ: these zones are not part of the contract between my company and the customer. I've recreated the two DNS servers in my VMware VMs, but I would like to keep the RLZ out.

    Regarding the pinging: I ran ping zs2 and got the answer zs2.domain.name [192.168.1.2]

    I've disabled recursion on both servers, but still no success.

    Wednesday, January 11, 2012 1:27 PM
  • OK, although I won't use an RLZ in the customer's environment, I installed it on my VMs.

    I still have no success with nslookup requests while the prim. DNS server is off.

    I created an AD-integrated RLZ. There are two PTR records for my DNS servers.

    When I run nslookup while the prim. DNS server is on, I get the reverse translation. If I turn it off, nslookup still doesn't switch to the second. DNS server...


    Update: Zone is replicating well.
    Wednesday, January 11, 2012 2:00 PM
  • After some days, my problem is still unanswered. Does someone else have an idea about my problem? Any official Microsoft employees?

    Best regards

    Christian

    Monday, January 16, 2012 9:52 AM
  • Christian, have you received any feedback on this issue?

    Николай

    Friday, October 5, 2012 2:04 PM
  • I had the same problem. I solved this by uninstalling the second DC's DNS server first, then rebooting the server. Set the network adapter's DNS settings to only the first DC's DNS IP (no loopback address). Install DNS on the 2nd DC. After the installation, replicate the first DC to the second DC, then change the primary DNS address to the loopback address and the secondary to the first DC's IP address. On the first DC, put the 2nd DC's IP as the secondary DNS address. It should resolve the issue. If you have Exchange installed, you need to point Exchange to the second DC as well. If you need help please let me know; I rarely check my live email but I'll get back to you eventually.

    maker


    Thursday, August 15, 2013 3:13 AM
  • The solution above costs time and does not help. You can simulate this scenario _very_ easily:

    - Go to your local PC, read out the DNS settings

    - Go to Network settings, set the primary DNS to 1.2.3.4, set the secondary DNS to your "right" DNS server

    - ipconfig /flushdns

    - nslookup www.google.com -> Fail!

    - do the same under Linux: works correctly!

    Can't eat as much as I want to spill!


    • Edited by rienesl1 Thursday, September 17, 2015 8:18 AM
    Thursday, September 17, 2015 8:17 AM
  • I was facing the same issue - ipconfig /flushdns worked! almost forgot about it :)
    Wednesday, October 9, 2019 10:50 AM
  • use nslookup "hostname" "ip of secondary dns"
    Wednesday, October 9, 2019 10:51 AM
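The two tips above (simulate the failure with an unreachable primary, and query the secondary directly with nslookup hostname ip-of-secondary) can be combined into one check. The script below is an added example, not code from the thread; it assumes the DnsClient module (Windows 8 / Server 2012 and later) and uses the name from the original question as a placeholder.

```powershell
# Added example: ask every configured IPv4 DNS server for the same name,
# one server at a time, so you can see whether the secondary really answers
# instead of relying on the client's failover order.
param(
    [string]$Name = 'testserver1.test.local'   # placeholder name from the question
)

# Gather the IPv4 DNS servers of every adapter that has any configured.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique

if (-not $servers) {
    Write-Warning 'No IPv4 DNS servers are configured on any adapter.'
    return
}

# Empty the local resolver cache first (the ipconfig /flushdns step above),
# so each answer comes from a server and not from the cache.
Clear-DnsClientCache

foreach ($server in $servers) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # -Server forces the query to this one address; -DnsOnly skips
        # LLMNR/NetBIOS so only that server can produce the answer.
        $answer = Resolve-DnsName -Name $Name -Type A -Server $server -DnsOnly -ErrorAction Stop
        $sw.Stop()
        $addresses = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
        [pscustomobject]@{
            DnsServer = $server
            Result    = 'OK'
            Detail    = $addresses
            Millis    = $sw.ElapsedMilliseconds
        }
    } catch {
        # A timeout or SERVFAIL from this server lands here; the loop
        # continues so the remaining servers are still tested.
        $sw.Stop()
        [pscustomobject]@{
            DnsServer = $server
            Result    = 'FAIL'
            Detail    = $_.Exception.Message
            Millis    = $sw.ElapsedMilliseconds
        }
    }
}
```

A row showing OK for the secondary while the primary is off confirms the server side is fine and the remaining problem is the client's failover behaviour, which is what the thread is about.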
  • Hello everyone!

    I've a problem with 2 W2K8R2 servers running both as Domain Controller + DNS Server (FLZ only). They're both replicating well with each other.

    In my network, servers/clients have static IP addresses. I'm not using DHCP!

    So my clients have 2 DNS servers configured in their IPv4 configuration (primary and secondary).

    Now my problem:

    If I shut down the primary DNS server, every client won't be able to run an nslookup request like nslookup testserver1.test.local . They get a timeout answer.

    Now, if I set the secondary DNS server as the primary DNS server, the clients will be able to run the same request successfully.

    The conclusion: DNS requests are only successful if the working DNS server is set as the primary DNS server.

    Is there a solution on how it is possible to let the clients know to ask the secondary DNS server when the first one is down?

    Best regards

    Christian

    OK, quite belated, but I think it may be of help to others; there are a couple of important points to watch when setting up a multiple DNS server config (two in this case): both servers should be configured the same way AND (if possible) NOT use forwarders; plus, you may eventually need to use GPOs to change the timeout values used when querying DNS; also notice that you should ensure ALL your LAN devices are properly configured (including proxy servers and so on).

    As a side note, my currently preferred config is to set up one (or more) Unbound resolvers https://www.nlnetlabs.nl/projects/unbound/about/ inside a DMZ/screened or in any case isolated network and then configure the Windows DNS servers to use the Unbound(s) as their forwarders, so that the internal (LAN, Windows) DNS will deal with local resolution and all the AD stuff, while whatever "external" query will be carried out by the Unbound resolver(s); in my experience such a setup has proven to be rock solid and fast, and I think it may be worth a try (also since the Unbound resolver(s) may just be installed into one or two VM(s)).

    Wednesday, October 9, 2019 12:36 PM
  • The solution above costs time and does not help. You can simulate this scenario _very_ easily:

    - Go to your local PC, read out the DNS settings

    - Go to Network settings, set the primary DNS to 1.2.3.4, set the secondary DNS to your "right" DNS server

    - ipconfig /flushdns

    - nslookup www.google.com -> Fail!

    - do the same under Linux: works correctly!

    Can't eat as much as I want to spill!


    Check this

    https://docs.microsoft.com/en-us/previous-versions//cc977482(v=technet.10)?redirectedfrom=MSDN

    Notice that those settings may be pushed to machines using a GPO.

    Wednesday, October 9, 2019 12:38 PM