
In a few words, the problem is that a few domain names are not resolved by workstations in our network, while resolving them from a Remote Desktop session on the server succeeds.

Now the details.

We have a Windows domain network behind a router. Internal addresses are from the 192.168.1.x range. There is a tunnel built to a customer site, where addresses are from the 10.x.x.x range. This has worked properly for a long time.
There are some domain names defined by the customer, pointing to servers in their internal network. They are not publicly visible, so to access them I added conditional forwarders on our domain controller (192.168.1.1, Windows Server 2008 R2), but some of them, sometimes, are resolved by public name servers. I'm not aware of the configuration, but the client's network admin claims we should query their name servers directly, thus the conditional forwarders. This worked without issues for a long time.

I needed to upgrade the domain controller to Windows Server 2016. To do this, I added a secondary domain (192.168.1.7, Windows Server 2012 R2). The AD, including the conditional forwarders, was replicated to this new server. At this point we had no issues. There were workstations with primary DNS set to the primary DC (192.168.1.1) and others where primary DNS was set to the secondary DC (192.168.1.7). The client's domains were resolved successfully on all workstations.

Then I installed Windows Server 2016 on the main server (192.168.1.1) and promoted it as a primary DC. AD is replicated and the conditional forwarders are in place. However, when a workstation tries to resolve a client's domain, it succeeds if its DNS is the secondary DC (192.168.1.7), but fails if it is the primary DC (192.168.1.1). Interestingly enough, the DNS query is resolved on the server itself (in a Remote Desktop session to it). Otherwise DNS looks to work properly, because there are no issues with other domain names (internet access has been working properly for a couple of weeks). Network configuration of the clients is as follows:

  • IP address: 192.168.1.x
  • Mask: 255.255.255.0
  • GW: 192.168.1.10 (router's IP)
  • Primary DNS: 192.168.1.1 or 192.168.1.7 (primary and secondary DC)
  • Secondary DNS: empty

DNS on both domain controllers is configured the same way (at least I couldn't find any significant differences):

  • Listen on all IP addresses
  • Forwarders are the same, in the same order, as follows: Google public DNS (8.8.8.8), primary router IP (192.168.1.10), backup line router (192.168.1.11)
  • Same root hints on both servers (the default)
  • Same default options in DNS properties dialog (recursion is not disabled)
  • Same security options in DNS properties dialog
  • Same list of conditional forwarders on both domain controllers (they are replicated automatically, I didn't re-enter them on each server separately)

At this point I'm able to resolve the customer's domain on both servers. If I try to ping this domain on a workstation, it succeeds if its primary DNS is 192.168.1.7, but fails if it is 192.168.1.1.

I'm able to ping internet domains on a workstation, regardless of its primary DNS (both 192.168.1.1 and 192.168.1.7 work properly).

When using nslookup with a server, it fails with "DNS request timed out" when the server is 192.168.1.1, but succeeds if it is 192.168.1.7 or the client's name server (10.x.x.x), regardless of the DNS set (192.168.1.1 or 192.168.1.7). I used Nir Sofer's DNSQuerySniffer on the workstation when pinging the client's domain. When its DNS is 192.168.1.1, I see 5 requests: 4 with no response, and the 5th returns "Server Failure", all from the workstation's IP and with 192.168.1.1 as the destination address. When the workstation's DNS is set to 192.168.1.7, I see only one request, which succeeds. When I run it on the servers, however, on 192.168.1.1 I see a DNS request to my router, while it should be to the client's name server, i.e. the conditional forwarders do not work and this domain was resolved by a public DNS (which may or may not resolve it, but to follow the client's instructions, I have to query their name server directly). On 192.168.1.7 I see one request to their name server's IP (10.x.x.x), i.e. conditional forwarding works.

I feel extremely stupid! Obviously I'm missing something. What do you think I should check? What could be the reason for conditional forwarding not to work on this DC? I will be very grateful for any help!

Thank you in advance!

Andrey Nikolov
  • I forgot to mention that both servers' primary DNS is set to 127.0.0.1 and there are no other DNS servers set in their network configuration. – Andrey Nikolov Jan 05 '17 at 09:42

1 Answer

It turns out that one Hyper-V Virtual Network Adapter was left with DHCP on and it got a default gateway that is our backup internet provider. It has no tunnel established to the customer's site, thus you can't reach their name servers using this internet connection, thus queries fall back to the public name servers, which sometimes resolve the queries and sometimes not (this is the customer's problem, however). I configured this network adapter properly with a static IP address and removed the backup gateway. Now all DNS queries are routed through the main internet connection, which has a tunnel to the client's site (and name servers), and all domain names are resolved successfully.

Andrey Nikolov
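The checks that would have surfaced the cause described in the answer (a conditional forwarder whose master server sits behind a tunnel, and a stray adapter with a DHCP-assigned second default gateway) can be scripted on each DC. This is an added PowerShell diagnostic, not code from the original question or answer; the zone name `customer.example` and the name server `10.0.0.53` are placeholders for the real conditional-forwarder zone and its master server.

```powershell
# Added diagnostic, not part of the original post. Run in an elevated
# PowerShell on each domain controller (DnsServer and NetTCPIP modules).
# Placeholders (assumptions): replace with the real forwarder zone and
# the customer's name server IP from the Conditional Forwarders node.
$CustomerZone = 'customer.example'   # placeholder: conditional forwarder zone
$CustomerNs   = '10.0.0.53'          # placeholder: customer's name server IP

"=== $env:COMPUTERNAME ==="

# 1. Is the conditional forwarder zone present here, and where does it point?
$zone = Get-DnsServerZone -Name $CustomerZone -ErrorAction SilentlyContinue
if (-not $zone -or $zone.ZoneType -ne 'Forwarder') {
    Write-Warning "No conditional forwarder zone for $CustomerZone on this DC"
} else {
    "Conditional forwarder $CustomerZone -> $($zone.MasterServers -join ', ')"
}
"General forwarders: $((Get-DnsServerForwarder).IPAddress -join ', ')"

# 2. More than one 0.0.0.0/0 route means the host may send the forwarded
#    query out of an interface that has no tunnel to the customer site.
"Default routes:"
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Select-Object InterfaceAlias, NextHop, RouteMetric | Format-Table -AutoSize

# 3. Which interface and next hop are actually chosen for the customer NS?
"Route selected toward ${CustomerNs}:"
Find-NetRoute -RemoteIPAddress $CustomerNs |
    Format-List InterfaceAlias, IPAddress, DestinationPrefix, NextHop

# 4. Adapters still configured by DHCP (e.g. a forgotten Hyper-V vNIC)
#    are the usual source of an unexpected extra default gateway.
"IPv4 interfaces with DHCP enabled:"
Get-NetIPInterface -AddressFamily IPv4 -Dhcp Enabled |
    Select-Object InterfaceAlias, ifIndex, ConnectionState | Format-Table -AutoSize

# 5. Does the forwarder answer directly, and does this DC resolve through it?
#    A direct success with a local failure points at the path, not the zone.
$name = "host.$CustomerZone"         # placeholder record in the customer zone
"Direct query to ${CustomerNs}:"
Resolve-DnsName -Name $name -Server $CustomerNs -DnsOnly -ErrorAction Continue
"Query via this DC (127.0.0.1):"
Resolve-DnsName -Name $name -Server 127.0.0.1 -DnsOnly -ErrorAction Continue
```

Run it on both DCs and compare: the server whose selected route (step 3) or DHCP interface list (step 4) differs is the one sending forwarded queries down a path without the tunnel.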