No internet connection and forward-Lookup-Zone in my AD DNS?
Solution 1
EUREKA !!!!
I found the error (of course it's me): for some reason, the default gateway on the server was set to its own address (192.168.0.2) while it should be 192.168.0.254!!!
I will also check all other settings, and make sure all works well. thanks for all your tips, and support.
I still have the problem with my netdiag /l but I will start a new Q for that.
Thanks again
Solution 2
You don't have to use forwarders. The Microsoft DNS server is capable of resolving via root hints "out of the box". Having said that, you can use forwarders, too.
You should only have an Active Directory DNS server specified as the DNS server for all domain members (including DCs, member servers, and client PCs). According to your ipconfig output above you've got the ISP DNS server specified in DHCP to be handed out to clients. That's not good. Clients should only be using the AD DNS server. Make sure that you don't have the ISP DNS server specified for any devices with static IP addresses (including all DCs and servers).
The netdiag output makes me think that you don't have the DC set to be its own DNS server (with no other DNS servers specified). I'd make sure you've got that set and do a net stop netlogon and net start netlogon, followed by an ipconfig /registerdns and, finally, re-run the netdiag and see how bad it looks.
Use nslookup and check queries for Internet names against your DC's DNS server (use the command server 192.168.0.2 in nslookup to be sure the queries are running against the DC's DNS server). If it won't resolve Internet names using nslookup, double-check your firewall (and sniff traffic there as necessary) to be sure that DNS queries from the DC are being allowed out onto the Internet and replies are coming back.
As an aside: YIKES! You've got a single-label DNS name (OptiTex). If this is a new domain and a new installation you'll do yourself a MAJOR favor to change this to a multi-label DNS name now. There are some good questions on Server Fault about AD domain naming, including:
- Windows Active Directory naming best practices?
- Choosing local versus public domain name for Active Directory
Single-label AD DNS domain names are bad news! Microsoft recommends against them because some applications don't support them and migration away can become impossible (meaning that you'll have to throw away the entire AD forest and start over).
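The checks and the netlogon / registerdns / nslookup sequence described in this answer, as an added PowerShell example that is not part of the original answer. It assumes the AD DNS server is 192.168.0.2 and the LAN router is 192.168.0.254 (the addresses given in this question); it reads the adapter settings through WMI so it runs on Server 2003 R2 with PowerShell installed as well as on newer versions, and the netdiag call needs the 2003 Support Tools (on 2008 and later use dcdiag /test:dns instead). Run it on the DC, and on any member with a static address, with administrative rights.

```powershell
# Added example (not from the original answer). Audits the DNS client and
# default-gateway settings of every IP-enabled adapter, then re-registers the
# DC's DNS records and tests resolution through the AD DNS server only.
# Assumed addresses, taken from the question: adjust for your network.
$AdDns   = '192.168.0.2'    # the AD-integrated DNS server (the DC itself here)
$Gateway = '192.168.0.254'  # the LAN router; Solution 1's root cause was a wrong value here

$nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
foreach ($nic in $nics) {
    Write-Host "== $($nic.Description)"
    $own = @($nic.IPAddress)
    $dns = @($nic.DNSServerSearchOrder)
    $gw  = @($nic.DefaultIPGateway)

    # 1. The DNS client must point only at AD DNS servers. An ISP resolver
    #    does not hold the domain's SRV/_msdcs records, which is exactly what
    #    the netdiag timeouts in the question show.
    if ($dns -notcontains $AdDns) {
        Write-Warning "AD DNS server $AdDns is not in the DNS server list"
    }
    $foreign = @($dns | Where-Object { $_ -ne $AdDns })
    if ($foreign.Count -gt 0) {
        Write-Warning "Non-AD DNS servers configured: $($foreign -join ', ')"
        # To fix, point this adapter at the AD DNS server only:
        # $null = $nic.SetDNSServerSearchOrder(@($AdDns))
    }

    # 2. The default gateway must be the router, never one of the host's own
    #    addresses (a self-gateway leaves the server unable to reach the Internet).
    foreach ($g in $gw) {
        if ($own -contains $g) {
            Write-Warning "Default gateway $g is this host's own address"
        } elseif ($g -ne $Gateway) {
            Write-Warning "Unexpected default gateway $g (expected $Gateway)"
        }
    }
}

# 3. The sequence from the answer: bounce Netlogon so the DC re-registers its
#    SRV records, re-register the A records, then re-run the DNS test.
Restart-Service -Name Netlogon          # same effect as net stop/net start netlogon
ipconfig /registerdns | Out-Null
netdiag /test:DNS /v                    # Server 2003 Support Tools; dcdiag /test:dns on 2008+

# 4. Resolve an Internet name through the DC's DNS server explicitly (the
#    second argument to nslookup plays the role of "server 192.168.0.2").
$out = nslookup www.microsoft.com $AdDns 2>&1
if ($out -match "timed-out|can't find|Server failed") {
    Write-Warning "DC's DNS server cannot resolve Internet names; check forwarders/root hints and outbound UDP/TCP 53 on the firewall"
} else {
    Write-Host "Internet resolution through $AdDns works"
}
```

The SetDNSServerSearchOrder call is left commented out so the script only reports; uncomment it once you have confirmed the adapter and address are the right ones, since pointing a DC at the wrong DNS server is the failure mode this thread is about.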
Solution 3
Your AD clients and servers, including all DCs, should have only AD DNS servers in their client DNS setup. The only question is whether the DNS server has forwarders or resolves via root hints on its own. My preference is to use forwarders to my ISP, OpenDNS or Google so that this work is offloaded to a well-run DNS.
Solution 4
Check that you have forwarders setup in your DNS server.
Open your DNS Management, right click on your Server and go to Properties. Go to the Forwarders Tab, make sure you have your DNS servers listed there.
Also look at this Microsoft KB to see if this fixes your issue with the dcdiag error
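The forwarder check from this answer, together with the "self-send" condition that DNS Event ID 7062 in the question warns about, as an added PowerShell example that is not part of the original answer. It reads the DNS server's settings through the MicrosoftDNS WMI provider (present with the DNS role on Server 2003 and later) and flags a forwarder that points back at the server's own address. The two public resolver addresses are placeholders for whatever your ISP gave you; the dnscmd line that changes the configuration is commented out.

```powershell
# Added example (not from the original answer). Inspects the DNS server's
# forwarder list and catches the self-forwarding misconfiguration behind
# Event ID 7062. Run on the DNS server itself with administrative rights.
$PublicResolvers = @('8.8.8.8', '8.8.4.4')   # assumed; substitute your ISP's resolvers

$dnsSrv = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
$ownIps = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
            ForEach-Object { $_.IPAddress })

$forwarders = @($dnsSrv.Forwarders)
Write-Host "Forwarders            : $($forwarders -join ', ')"
Write-Host "Fall back to root hints: $(-not $dnsSrv.IsSlave)"   # IsSlave = forwarders only

# A forwarder equal to one of this host's own addresses makes the server send
# recursive queries to itself; it discards them and logs Event 7062.
$self = @($forwarders | Where-Object { $ownIps -contains $_ })
if ($self.Count -gt 0) {
    Write-Warning "Forwarder(s) point back at this server: $($self -join ', ')"
}

if ($forwarders.Count -eq 0) {
    # Not an error: with no forwarders the Microsoft DNS server resolves
    # Internet names via root hints, which is the install default.
    Write-Host "No forwarders configured; Internet names are resolved via root hints"
}

# To (re)set the forwarder list, use dnscmd (ships with the DNS role on 2003).
# /NoSlave keeps root hints as a fallback when every forwarder is unreachable.
# & dnscmd /ResetForwarders $PublicResolvers /Timeout 5 /NoSlave

# Verify through this server only: the second argument pins nslookup to it.
nslookup www.microsoft.com 127.0.0.1
```

Event 7062 also lists secondary-zone master lists, notify lists, delegations and root hints as possible sources of a self-send; this script covers only the forwarder case, which is the one that matches the question's setup.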
Saariko, updated on September 18, 2022
Comments
-
Saariko almost 2 years
We have a 2K3 R2 AD server. It also serves as our DNS server.
When I look at the DNS entries I see the following:
Do I really need all these entries?
I currently have a problem that my AD can not access the internet. From SF-Q I can guess it has to do with my DNS entries, and I think that fixing that will solve my network access.
Running NetDiag /l shows me an error in the DNS entry as follows:
DNS test . . . . . . . . . . . . . : Failed
[WARNING] Cannot find a primary authoritative DNS server for the name 'OptiTexDC.optitex.'. [ERROR_TIMEOUT]
The name 'OptiTexDC.optitex.' may not be registered in DNS.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.0.2'. Please wait for 30 minutes for DNS server replication.
[WARNING] The DNS entries for this DC cannot be verified right now on DNS server 80.179.52.100, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC registered.
I want to point out that all of my users/computers etc. can access the internet.
I am not really sure what to do?!
<< edit >> DNS management forwarders are defined as my ISP provider gave me. This usually propagates to all users.
Should I add my DC (192.168.0.2) as one as well?
This is an ipconfig /all from a client. Both my ISP DNS are listed, as well as my Domain.
Adding some more information: Looking at the Server Event viewer, Under DNS, I see the following:
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 7062
Date: 8/10/2011
Time: 16:03:03
User: N/A
Computer: OPTITEXDC
Description: The DNS server encountered a packet addressed to itself on IP address 192.168.0.2. The packet is for the DNS name "localhost.OPTITEX.OPTITEX.". The packet will be discarded. This condition usually indicates a configuration error. Check the following areas for possible self-send configuration errors:
1) Forwarders list. (DNS servers should not forward to themselves).
2) Master lists of secondary zones.
3) Notify lists of primary zones.
4) Delegations of subzones. Must not contain NS record for this DNS server unless subzone is also on this server.
5) Root hints.
Example of self-delegation:
-> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com.
-> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com, (bar.example.microsoft.com NS dns1.example.microsoft.com)
-> BUT the bar.example.microsoft.com zone is NOT on this server.
Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result. If found, the subzone DNS server admin should remove the offending NS record. You can use the DNS server debug logging facility to track down the cause of this problem.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: 50 25 00 00 P%..
- I visited the link provided. Did not help me.
<< edit - Add Server connection settings >> I am also adding my server network settings. I don't think I can make these settings dynamically from DHCP as I am the DHCP. I do have set as DNS my own IP and one of my ISP's. Do I need to change?
Checklist: Both DNS Client and DNS Server are working on the server.
Thanks
-
Philip almost 13 years: I don't see a domain "OptiTexDC.optitex"; which is probably why netdiag can't find it... Sounds like something is screwed up; was there another domain in the past?
-
Saariko almost 13 years: No other domain in the past.
-
Saariko almost 13 years: What I did in the past is add the ISP DNS's. I had my own listed once as well.
-
joeqwerty almost 13 years: The OP could use the root hints rather than forwarders, which is the default setting for an install of the DNS service.
-
Saariko almost 13 years: I edited my Q with the DNS management data. The DNS there are what my ISP provided. Do I need to add my DC as well?
-
Nixphoe almost 13 years: @Saariko No, you're good.
-
Nixphoe almost 13 years: Is root hints vs forwarders more of a personal choice, or is there a best practice? This KB seems to indicate that it would be better to use forwarders (I'm assuming depending on how large your network is). technet.microsoft.com/en-us/library/cc782142(WS.10).aspx
-
Saariko almost 13 years: Thanks for a detailed answer. I will try to act step by step, and see what will solve my problem: 1. Can I delete both forward zones then? The optitex and _msdsc.optitex? Just like that?
-
Spence almost 13 years: @Saariko: You don't want to delete those zones! They're necessary for Active Directory to function properly.
-
Saariko almost 13 years: @evan_anderson As for my single-label domain - that's all I have. A local domain in my intranet, no forest, no delegates, no clones. I guess it's the simplest of all domains, so I never figured I needed the optitex.com name.
-
Spence almost 13 years: @Nixphoe: I suppose it's personal choice. I've had bad experiences with ISPs who can't keep basic services (like DNS) running so I prefer to root-resolve versus relying on the ISP. You could argue that forwarding to the ISP is friendlier because it allows their DNS caches to minimize traffic to other DNS servers (saving on bandwidth and DNS server resources), but I'd rather have reliable DNS than be a bit "friendly" with such small amounts of traffic.
-
Spence almost 13 years: @Saariko: If this domain isn't in production yet you really should change the name to be multi-label. This isn't my preference; it's a recommendation from Microsoft. (I don't know what you mean by "no forest, no delegates, no clones"; you have an AD forest if you have even a single domain. I don't know what a "delegate" or a "clone" is.) You also shouldn't use a valid Internet domain name for an AD domain name, either. You may find that the single-label name limits your abilities down the road. That would be my concern.
-
Nixphoe almost 13 years: @Evan: Thanks, great way of putting it. I've run into that same issue with ISP DNS servers; I usually just change over to 8.8.8.8 or 4.2.2.2. Root hints seem like a better solution to solve the problem, not the symptom.
-
Saariko almost 13 years: Evan - do you have time/do you mind going to a chat room on this?
-
Spence almost 13 years: @Saariko: I'm sorry, but I don't have time right now. I'm heading out the door in a couple of minutes. I'll probably be back on in 2 - 3 hours, assuming this issue I'm going to go look at is easily resolved.
-
Saariko almost 13 years: If I have forwarders set on my DC in DNS management, don't they get set to my clients? According to what you say, if on a client I write ipconfig /all, all I need to see in DNS is my DC IP?
-
Saariko almost 13 years: I have edited my Q with the settings of the network on my server. I have DNS settings there, but it's my own IP as well. So I am even more confused now. Do I need to remove these settings?
-
joeqwerty almost 13 years: @Saariko: The DNS clients (including the server) should only have your internal DNS server set as their DNS server, and that should be reflected when you run ipconfig /all. You should see only your internal DNS server listed. The DNS server's forwarders are for the DNS server component to use to forward requests to for DNS zones that it's not authoritative for. The forwarders do not need to be, and should not be, set as the DNS servers for any internal computer, including the DNS server itself. The DNS server component and the DNS client component on the server are independent components.
-
joeqwerty almost 13 years: The DNS client component on the server is a client to the DNS server component on the server, but they're 2 independent components. If that idea is confusing, then when you're configuring the DNS client component on the server just forget that it's also the DNS server and configure it as you would every other DNS client on your network... it should only point to your internal DNS server (which is itself) for DNS.
-
Saariko almost 13 years: @joeqwerty by forwarders I guess you mean the DNS IPs I got from my ISP?
-
joeqwerty almost 13 years: @Saariko: Yes, exactly.
-
Saariko almost 13 years: Thanks all for your tips. Problem solved as it was an error in the default gateway on the server - it was set to 192.168.0.2 instead of 192.168.0.254.