Windows Server 2008 - Nslookup - Request Time out

    Question

  • Hello Team,

    We have newly installed a Windows Server 2008 R2 SP1 domain controller with an integrated DNS server. After installing dcpromo, restarted the server and typed nslookup.

    1. Received 127.0.0.1 as output. Hence went to TCP/IP, removed the 127.0.0.1 address from the DNS server and created a reverse lookup zone with a pointer record.

    Now typed nslookup... now it is getting resolved, but at the end getting "DNS error timeout was 2 second"

    Thought to disable IPv6, but MS says it's not recommended. Let me know how to get rid of this.


    Exchange Queries



    Sunday, July 01, 2012 12:58 PM

Answers

  • Hello Ace,

    Finally, after breaking my head for a long time, I found that my domain name test.co.in should be added in the DNS suffix name of the TCP/IP properties. This has resulted in fixing the issue, without any "request time out" issue.

    Investigated much deeper and found that it was due to the DNS devolution concept which was launched in 2008 server. Tried it out in a test lab with a different name in the same domain name format x.y.z and found adding the DNS suffix is the only solution to get rid of it.

    Every time MS launches a new concept and I missed getting the update on that :P (Next is Win 2012 :(...

    Thought to share in the forum since it will help someone with the same.


    Exchange Queries

    Tuesday, July 10, 2012 12:55 AM

All replies

  • Hello,

    Please make sure to use the fixed IP address on the DC/DNS server as preferred DNS and another domain DNS server as secondary, and configure the loopback IP address as the 3rd, as recommended by the DNS BPA.

    There is no reason to disable IPv6 on Windows server 2008 or higher.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, July 01, 2012 1:15 PM
  • I have used a fixed IP address. No DHCP server; this is a newly implemented environment.

    Still I get the same error.


    Exchange Queries

    Sunday, July 01, 2012 4:57 PM
  • To better assist you, please provide the following:

    • An unedited ipconfig /all
    • An example nslookup with the results
    • Does a reverse zone exist, and if so, does a PTR exist for the server's IP?

    .

    Thank you.


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, July 02, 2012 1:09 AM
  • We have a PTR in the reverse zone; please find the output:


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : server
       Primary Dns Suffix  . . . . . . . : test.co.in
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : test.co.in

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-2E-BE-00
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::a0b0:b3a:555f:21d0%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 20.20.48.39(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.224
       Default Gateway . . . . . . . . . : 20.20.48.33
       DHCPv6 IAID . . . . . . . . . . . : 234886493
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-6D-C6-60-00-15-5D-2E-BE-00
       DNS Servers . . . . . . . . . . . : 20.20.48.68
                                           20.20.48.69
                                           20.20.48.70
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{C8B14346-F1D0-4B89-BC10-B75209ADBD14}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    C:\nslookup type=any

    Server:  server.test.co.in
    Address:  20.20.48.68

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.


    Exchange Queries


    Wednesday, July 04, 2012 10:23 AM
  • Are the IP addresses accessible by ping?

    Do the host records for these DNS servers exist in the zone?

    Are the DNS servers' IP addresses added to the Name Servers tab of each DNS server?

    Make sure you used dnscmd /clearcache and ipconfig /flushdns to make sure you don't have negative name resolution.

    Also, if you have these name servers configured in the forwarders tab, make sure that they are resolvable and check the number of seconds before a query times out. The default I think is 3 seconds.

    Hope it helps.


    MCTS - Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. http://mariusene.wordpress.com/

    Wednesday, July 04, 2012 1:48 PM
  • A few of them are not accessible by the PING command. The firewall is ON. If I switch off the PING I will get a reply. But as per MS best practice I have turned it ON, which leads to Request time out...

    The rest of the things we have done already...


    Exchange Queries

    Thursday, July 05, 2012 2:28 AM
  • Best practice is to keep the firewall enabled, but you must exclude necessary traffic internally, otherwise the firewall will block necessary traffic and functionality.

    How is the firewall configured? Since this is a domain controller, it should have automatically been set to "Domain."

    And if the only thing you're concerned with is pings replying, then you must exclude/allow ICMP Echo.

    .

    Also, are you saying too, that nslookup is not able to resolve names from your own DNS server? If so, and you disable the firewall and resolution works, then the logical conclusion indicates the firewall on the client and/or server is misconfigured.

    .


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, July 05, 2012 4:11 AM
  • Hello Ace,

    I am able to resolve DNS with the firewall ON. I said that only the ICMP packet is blocked in the firewall, which I believe is the default behaviour when you install any new Win2k8 server.

    The issue now is I am getting DNS resolved to the server, but after that it shows this

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.


    Exchange Queries


    Thursday, July 05, 2012 10:40 AM
  • If you disable the Windows firewall and any AV that has a network protection feature (that acts like a firewall), does it work?

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, July 05, 2012 4:29 PM
  • No antivirus; it was a fresh computer, so antivirus is not installed. I did a test lab also, and there I also receive the same error message when I type nslookup server.test.com in the command prompt. We get a response like

    c:\>nslookup server.test.com

    server.test.com

    10.0.0.1

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.

    c:\>


    Exchange Queries

    Saturday, July 07, 2012 1:42 AM
  • Does this happen with just when you invoke nslookup, or when you run a query? Try the following:

    c:\>nslookup
    > www.microsoft.com
    Post the results, please.

    Then while still in nslookup, run:
    > server.test.co.in

    Then run:
    > 10.0.0.1

    Also, check the nameservers tab in DNS, in the reverse zone's properties.

    .

    In your ipconfig, you posted a 20.x.x.x IP. In your recent post, you've posted a 10.0.0.1 IP. Was that a typo?

    Also, you posted the following for DNS addresses:

      IPv4 Address. . . . . . . . . . . : 20.20.48.39(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.224
       Default Gateway . . . . . . . . . : 20.20.48.33
       DHCPv6 IAID . . . . . . . . . . . : 234886493
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-6D-C6-60-00-15-5D-2E-BE-00
       DNS Servers . . . . . . . . . . . : 20.20.48.68
                                           20.20.48.69
                                           20.20.48.70

    Are they all domain controllers?

    Also, that .224 mask is a /27 subnet, which means that there are only 30 usable IPs in the subnet. The default gateway appears to be correct for a .39 IP address, however, the three DNS servers listed appear to be on different subnets. The IP range for this server's IP address would be:

    20.20.48.32 - 20.20.48.63

    The next IP subnet range for a /27 would be:
    20.20.48.64 - 20.20.48.95

    Does the router (gateway 20.20.48.33) have a route to the 20.20.48.64/27 subnet? Or is that a typo?


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Saturday, July 07, 2012 2:49 AM
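
The /27 arithmetic in the reply above, as an added example that is not part of the original thread: it parses the adapter section of the posted `ipconfig /all` output and reports which configured DNS servers fall outside the adapter's own subnet. The function names and the embedded sample text are assumptions of this example, and it handles IPv4 only.

```python
import ipaddress
import re

# Constructed sample: adapter section of the ipconfig /all output posted in the thread.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 20.20.48.39(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . : 20.20.48.33
   DNS Servers . . . . . . . . . . . : 20.20.48.68
                                       20.20.48.69
                                       20.20.48.70
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# "   Label . . . : value" -- label, dot/space filler, colon, optional value.
FIELD = re.compile(r"^\s+(?P<key>[A-Za-z][^:]*?)[ .]+:\s*(?P<val>.*)$")


def parse_adapter(text):
    """Return {label: [values]}; indented lines without a label are
    continuation values of the preceding label (e.g. extra DNS servers)."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group("key")
            val = m.group("val").strip()
            fields[last] = [val] if val else []
        elif last and line.strip() and line[0].isspace():
            fields[last].append(line.strip())  # continuation line
    return fields


def check(text):
    """Derive the adapter's subnet and flag gateway/DNS entries outside it."""
    f = parse_adapter(text)
    addr = f["IPv4 Address"][0].split("(")[0]  # drop "(Preferred)"
    net = ipaddress.ip_network(f"{addr}/{f['Subnet Mask'][0]}", strict=False)
    gw = f.get("Default Gateway", [])
    dns = [s for s in f.get("DNS Servers", []) if ":" not in s]  # IPv4 only
    return {
        "subnet": str(net),
        "range": f"{net.network_address} - {net.broadcast_address}",
        "gateway_on_link": bool(gw) and ipaddress.ip_address(gw[0]) in net,
        "dns_off_link": [s for s in dns if ipaddress.ip_address(s) not in net],
    }


if __name__ == "__main__":
    for k, v in check(SAMPLE).items():
        print(f"{k}: {v}")
```

Off-link DNS servers are reachable only through the default gateway, so a route to their subnet and firewall rules permitting DNS (UDP/TCP 53) along that path are prerequisites for resolution.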
  • Hello Ace,

    I just modified the IP address so as not to expose it to the public. I am sure there is no issue on the subnet or network part.

    We have 1 root and 2 additional domain controllers... hence I have provided 3 DNS IP addresses as the alternate DNS.

    Just a guess: do we need to do something on the root hints tab of the DNS server, or do we need to add the DNS suffix name in the TCP/IP properties? We have a single domain and single forest structure.


    Exchange Queries

    Sunday, July 08, 2012 2:16 AM
  • So there are no subnets or subnet mask inconsistencies? Instead of a 255.255.255.0 mask, you posted a 255.255.255.224 subnet mask, which only has a 30 IP address range, which makes it really confusing based on what you're saying. So you are NOT using this mask? Honestly if you posted the private IPs, we can't trace them, because they don't exist in the public IP space and would have avoided the confusion.

    The machine you are running this test on can ping the DNS server?

    Or are all three domain controllers on the same subnet and can ping each other?

    If you chose one of the other DC/DNS servers as the first entry in DNS, does it show the same problem?

    .

    "We have 1 root and 2 additional domain controllers..."

    And I'm not sure what you mean by "root." Can you elaborate on what you mean by "root," please?

    .

    Nothing really needs to be done in the Root hints tab. They are the 13 DNS Root servers on the internet. Are any of them missing? If so, you can choose the "copy from" button and choose a reliable DNS server on the internet such as 4.2.2.2 to copy a current set of Root servers to your DNS server.

    .


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Sunday, July 08, 2012 2:26 AM
  • By root I mean the Root Domain Controller, the first domain controller hosted in the network. As I said earlier, I am not able to use the PING command since the firewall is on, but I can access nslookup to get it resolved.

    Hope by default the OS firewall will block the ICMP packet.


    Exchange Queries

    Sunday, July 08, 2012 9:30 AM
  • That's correct. The default Windows Firewall setting blocks ICMP Echo, which is what ping needs.

    And thank you for clearing that up. Just an FYI, we don't refer to any of the DCs in such a scenario as a "root" domain controller. It's just another DC, because they are all "replica" DCs, and are all "writeable," meaning you can make changes on any of them, unlike NT4 DCs. Each DC can hold one of the five FSMO roles (flexible storage master operations), which can be moved to another DC. They can also be Global Catalog servers, which is a service, not a role. So in your case, you simply have three DCs in one domain in one forest. I would also suggest making all three GCs.

    And if you can now use nslookup, that's good! So that concern is resolved?

    .

    Here's more on the Windows firewall:

    Nobody Can Ping My Computer
    Updated: February 18, 2010
    Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
    "Enabling incoming ICMP Echo messages will allow others to ping your computer. However, it also leaves your computer vulnerable to the types of attacks that use ICMP Echo messages. Therefore, ..."
    http://technet.microsoft.com/en-us/library/cc749323(v=ws.10).aspx

    Manually Configuring Windows Firewall in Windows XP Service Pack 2
    The Cable Guy - February 2004
    "The settings for ICF in Windows XP with SP1 and Windows XP with no service packs installed consist of a single checkbox (the Protect my computer and network by limiting or preventing access to this computer from the Internet check box on the Advanced tab of the properties of a connection) and a Settings button from which you can configure excepted traffic, logging settings, and allowed ICMP traffic ...."
    http://technet.microsoft.com/en-us/library/bb877979.aspx


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Sunday, July 08, 2012 5:00 PM
  • Hello Ace,

    Finally, after breaking my head for a long time, I found that my domain name test.co.in should be added in the DNS suffix name of the TCP/IP properties. This has resulted in fixing the issue, without any "request time out" issue.

    Investigated much deeper and found that it was due to the DNS devolution concept which was launched in 2008 server. Tried it out in a test lab with a different name in the same domain name format x.y.z and found adding the DNS suffix is the only solution to get rid of it.

    Every time MS launches a new concept and I missed getting the update on that :P (Next is Win 2012 :(...

    Thought to share in the forum since it will help someone with the same.


    Exchange Queries

    Tuesday, July 10, 2012 12:55 AM
  • Interesting, but confusing, because that is one of the first things I looked at in the ipconfig /all, because it already shows test.co.in as a Search Suffix, unless you were running the nslookup and other tests from a different machine?

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.



    Tuesday, July 10, 2012 2:29 AM
  • I know this discussion is old, but I found it on Google and there is a simple solution for that. (I still wonder how people can make things much more complicated than they are..) The reason for the timeout is just the fact that recursion needs time and by default, it's been set to 3 seconds. It is best practice to increase recursion time to 8 seconds - and your timeout issue is gone.

    At an elevated command prompt, run:

    dnscmd [<ServerName>] /config /recursiontimeout

    that will set the timeout to 8 seconds.
    Or add any number after /recursiontimeout for custom timeout length

    Michael

    Sunday, April 06, 2014 8:54 PM
  • Hi Ace Fekay,

    Thanks for the solution, I configured a reverse lookup zone and that worked fine for me..!!!!!!!!!!

    Monday, January 05, 2015 4:47 PM
  • Hi Ace Fekay,

    Thanks for the solution, I configured a reverse lookup zone and that worked fine for me..!!!!!!!!!!

    I'm happy to hear that! 

    Cheers!


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, January 05, 2015 10:52 PM
  • Perfect. It's working now. Thank you.
    Monday, January 18, 2016 5:52 AM