DNS Forwarders Setup

I'm just reviewing DNS as it was configured by someone else. We have 4 DCs, all with AD-integrated DNS. One of the DCs is configured with forwarders to our external ISP's two DNS servers, and a rule is also in place in our firewall to allow all DCs
out to the internet everywhere via port 53 for DNS (not happy with this rule; want to lock it down more). The other 3 DCs are configured with 1 forwarder pointing to the first DC, which points to the external DNS servers. I can see that this is a
single point of failure, since just one DC is getting external DNS: if that DC goes down, external DNS won't work. Also, I'm not that happy about DCs connecting directly to the internet. Can someone tell me whether this is a poor setup and what
they would do differently?
Thanks

I would indeed consider having at least 2 DNS servers that forward to the outside DNS server(s).
All other DNS servers should contain these 2 servers to forward to.
Opening up port 53 to everywhere might make sense if the DNS server has to do a recursive lookup (i.e. if no forwarder is available). It seems the current design was to have that as a fallback on all DCs. It is not needed if you have reliable forwarders (i.e.
not from one ISP).
There is not much security impact from opening port 53 from your server towards the internet. The reverse route should be closed (unless you want to host a public zone, but in that case you will have to do more than this for a design ;) )
MCP/MCSA/MCTS/MCITP
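As an added example (not part of the thread), this PowerShell audit shows the layout the question describes: which DCs forward to another DC, which forward externally, whether each external forwarder actually answers, and whether root-hint fallback is on (the setting that needs the "every DC to anywhere on port 53" firewall rule). It assumes the ActiveDirectory and DnsServer RSAT modules, admin rights on the DCs, and that www.microsoft.com is a reachable probe name.

```powershell
# Added example, not from the thread: audit forwarder layout across all DCs.
# Assumes the ActiveDirectory and DnsServer RSAT modules and admin rights on the DCs.
Import-Module ActiveDirectory
Import-Module DnsServer

$probeName = 'www.microsoft.com'   # assumed public name used to test each forwarder

$dcs   = Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address
$dcIPs = @($dcs | ForEach-Object { $_.IPv4Address })

$report = foreach ($dc in $dcs) {
    $fwd = Get-DnsServerForwarder -ComputerName $dc.HostName
    $rec = Get-DnsServerRecursion -ComputerName $dc.HostName

    $targets = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
    # Targets that are themselves DCs: this DC depends on another DC for Internet names.
    $toDCs = @($targets | Where-Object { $dcIPs -contains $_ })
    $toExt = @($targets | Where-Object { $dcIPs -notcontains $_ })

    # Ask each external forwarder directly instead of trusting the configured list.
    $dead = @()
    foreach ($t in $toExt) {
        try {
            $null = Resolve-DnsName -Name $probeName -Type A -Server $t -DnsOnly -ErrorAction Stop
        } catch {
            $dead += $t
        }
    }

    [pscustomobject]@{
        DC                 = $dc.HostName
        ForwardsToOtherDCs = ($toDCs -join ', ')
        ExternalForwarders = ($toExt -join ', ')
        DeadForwarders     = ($dead -join ', ')
        # Root-hint fallback is what turns a DC into a direct Internet resolver,
        # i.e. what the "every DC to anywhere on 53" firewall rule exists for.
        RootHintFallback   = $fwd.UseRootHint
        RecursionEnabled   = $rec.Enable
    }
}

$report | Format-Table -AutoSize

# Design checks from the thread: more than one path out, and no silent root-hint fallback.
$exitDCs = @($report | Where-Object { $_.ExternalForwarders -ne '' })
if ($exitDCs.Count -lt 2) {
    Write-Warning "Only $($exitDCs.Count) DC(s) forward externally: a single point of failure."
}
foreach ($r in $report) {
    if ($r.RootHintFallback) {
        Write-Warning "$($r.DC) falls back to root hints, so it still needs outbound 53 to the Internet."
    }
    if ($r.DeadForwarders -ne '') {
        Write-Warning "$($r.DC): forwarder(s) not answering: $($r.DeadForwarders)"
    }
}
```

Once every DC forwards only to known resolvers and root-hint fallback is off, the firewall rule can be narrowed to those resolver addresses instead of "anywhere".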

Similar Messages

  • DNS Forwarders say unable to resolve. Root Hints timeout during validation.

    I have a Windows Server 2012 Essentials server that has been up and running for a year. The Server is the domain controller with the DNS server role installed. There is only one NIC card used on the network. Today, DNS stopped working. The server and the
    clients can access internet websites if IP addresses are used; otherwise, accessing websites fails. Looking at the DNS properties page on the Forwarders tab, I see that each DNS server listed (which are the DNS servers given to me by my ISP
    provider) says <Unable to resolve>. When I saw that those addresses were not resolving, I added Open DNS IP addresses and I added google's DNS addresses in the DNS forwarders list but they too said <Unable to resolve>.
    I can ping the Open DNS IP addresses, the google DNS IP addresses and the ISP provider's DNS IP addresses. NOTES: 1) I tried unchecking IPv6 on the DNS' server's Ethernet adapter properties; 2) I have done a flushdns; 3) I have verified that
    my DNS services are running; 4) the first DNS on my server's Ethernet adapter properties is the IP address of the DNS server (which is 10.0.0.51) and the second is the loopback (127.0.0.1); 5) the power management on the NIC adapter is disabled; 6) nslookup
    works for 8.8.8.8 but not for www.google.com.
    I removed the Forwarders and tried to use just Root Hints. That didn't make any difference. I went back into DNS Manager->[DNS server name]->right-click properties->select Root Hints tab. I clicked on a.root-servers.net to edit. Under the Validated
    column it says "a timeout occurred during validation". I clicked cancel to back out of everything I was doing.
    As I mentioned, this was all working fine until this morning. Can someone tell me why the Forwarders are unable to resolve? And why do the Root Hints time out during validation?

    Hi,
    It could be a firewall issue. Try to use a public DNS server to resolve names:
    nslookup
    server <IP address of the public DNS server>
    www.microsoft.com
    If a timeout occurs, it means that a firewall or some other similar device blocks the DNS traffic. Please disable the firewall and try again.
    If issue persists, please try to restart the DNS service.
    If it still doesn’t work after restarting the DNS services, please check if there is any warning or error in the event viewer of DNS servers.
    Best regards.
    Steven Lee
    TechNet Community Support

  • DNS proximity setup on the CSS 11152

    I have 2 CSS 11152 and I would like to set them up to load balance between each other (not the box-to-box redundancy failover). Would the DNS proximity setup be possible in a single location? If not, how can I achieve this?
    Thanks in advance,
    Leonel

    Often times complex configuration and troubleshooting issues are best addressed in an interactive support session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.
    To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen
    If anyone else in the forum has some advice, please reply to this thread.
    Thank you for posting.

  • DNS Forwarders with no recursion

    As I understand it, Windows DNS has a problem with its recursion (being attacked recently). But if you turn it off, and turn off internet access (forwarders), is there a way to turn off recursion and still allow the DNS server to use the root hint servers?
    Other DNS servers?
    If, as I suspect, the answer is no, is there a way to disable recursion but still allow certain domains (say domains that I control) to resolve? As an example:
    DomainA.edu is prod
    DomainB.edu is test
    I don't really care if DomainB can see google, but I do want DomainB to be able to resolve DomainA. There is no Active Directory or other connection between the domains.
    Can I do an import of DomainA or something to that effect (a manual zone transfer, say)?

    Do you have a link that you can share with more information on that attack issue you are referring to? - Thanks.
    Or perhaps you are talking about DNS Cache Poisoning?
    There are two separate Recursion settings - one under the Advanced tab, and one under Forwarders.
    Advanced tab: If you disable the one under Advanced, then your DNS server effectively becomes a Root server and won't recurse at all, meaning it will not use root hints (because it thinks it's one of them), and won't Forward (since that's
    a recursion request). This effectively also makes it a content-only server where whatever zones it hosts is all it will resolve for requests.
    Forwarders tab: If you disable it under Forwarders, it won't look further if the forwarder(s) fail(s).
    You could theoretically set a conditional forwarder to a specific DNS, such as 2.2.2.2 for example, for DomainA.edu, and set the checkbox for no Recursion just for that domain, so it will only send the request to 2.2.2.2, then on 2.2.2.2 is set
    to not allow recursion under the Advanced tab.
    You could also set up one or two separate DNS servers in your DMZ that are not part of your domain and that have the MaxCacheTTL set to 0 so they won't cache, and have them just use the Roots and host no zones. Then internally, you can forward to
    them, and they in turn will resolve external data. This is a secure setup that meets PCI DSS requirements (Payment Card Industry Data Security Standards). I myself work at a university hospital with 27k mailboxes. Without getting into specifics, this is part
    of our setup, which meets HIPAA requirements.
    Here's a secure setup (not necessarily what we have in our establishment):
    Here's a detailed discussion about Forwarders, recursion, etc:
    TechNet thread: "DNS Recursion:"
    https://social.technet.microsoft.com/Forums/en-US/24ea1094-0ae4-47b5-9b74-2f77884cce15/dns-recursion
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Can't get DNS forwarders to work

    Overview: NAT environment. Need DNS to resolve local hosts to LAN addresses and forward all other requests to OpenDNS servers.
    I've searched the forum high and low but can't get my new 10.5 server to resolve external hosts. I used to do this manually in the past by adding the forwarders directive in the named.conf file and never once had a problem. I used the GUI on this new 10.5 box, and when that didn't work I attempted to add it directly to the conf file as well, which didn't work either.
    Forward and reverse lookups are working fine, but here's what I get when I attempt to resolve a public host:
    nslookup www.apple.com 10.0.0.2
    Server: 10.0.0.2
    Address: 10.0.0.2#53
    ** server can't find www.apple.com: NXDOMAIN
    I did find a post which mentioned that it could possibly be a firewall issue. I've since turned off the firewall on the server, added a mapping for port 53 and even added the server to the DMZ. Nothing seems to work here. Help!

    OK ... I feel stupid.
    I added 10.0.0.0 to the list of networks to accept recursive queries from. When I changed it to 10.0.0.2/24 everything worked as intended. Doh!

  • DNS Forwarders

    Hi I have a question from my boss that I would like a better answer for than what I told him. We have 4 DNS servers across our main Datacenter and one Disaster recovery site. We have forwarders configured on each server for several DNS servers on the Internet.
    The question was asked if there was a reason we do it that way instead of having all DNS requests forwarded to one DNS server and then have only that one configured with forwarders for outside the network. I told him it was mainly for redundancy and if everything
    was going to one server and that one goes down so would the Internet. 
    Are there other reasons this should not be done or maybe I am all wrong and the one server is the correct way to go. Any help is appreciated.
    Thanks,

    I prefer to use the root servers instead of forwarding.  Forwarding just adds another hop when it isn't needed.  Plus, there are privacy concerns when forwarding all internet DNS requests to a third-party DNS server.
    In high security environments, it isn't uncommon to deploy some caching only DNS servers in the perimeter network. Those servers are the only servers allowed to query external DNS servers (such as the root servers).  Then, internal DNS servers forward
    to your caching only servers.
    Brian
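The layered design described in Ace Fekay's reply (DMZ caching-only resolvers with MaxCacheTTL 0, internal servers forwarding to them, a conditional forwarder with recursion off for DomainA.edu) and in Brian's reply (perimeter caching-only servers as the only hosts allowed to query the Internet), written out as an added PowerShell example that is not from either poster. The server names dmz-dns1/dmz-dns2, the 10.0.5.x addresses and dc1-dc4 are assumptions; 2.2.2.2 and DomainA.edu are the placeholder values from the thread.

```powershell
# Added example, not from the thread. Assumes the DnsServer RSAT module and admin
# rights on every server named below. Names/addresses are assumptions.
Import-Module DnsServer

$dmzResolvers = @{ 'dmz-dns1' = '10.0.5.10'; 'dmz-dns2' = '10.0.5.11' }   # assumed
$internalDCs  = 'dc1', 'dc2', 'dc3', 'dc4'                                 # assumed

# 1) Perimeter caching-only resolvers: host no zones, resolve from the roots, cache nothing.
foreach ($srv in $dmzResolvers.Keys) {
    # Remove any forwarders so the box walks the root hints itself.
    $existing = (Get-DnsServerForwarder -ComputerName $srv).IPAddress
    if ($existing) {
        Remove-DnsServerForwarder -ComputerName $srv -IPAddress $existing -Force
    }
    # MaxCacheTTL 0 (the setting named in the reply) so nothing lingers in cache;
    # pollution protection drops out-of-bailiwick records, the usual cache-poisoning defence.
    Set-DnsServerCache -ComputerName $srv -MaxTtl ([TimeSpan]::Zero) `
        -MaxNegativeTtl ([TimeSpan]::Zero) -EnablePollutionProtection $true
    # Recursion must stay on here; restrict who may ask at the firewall (only the DCs).
    Set-DnsServerRecursion -ComputerName $srv -Enable $true
}

# 2) Internal DCs: forward only to the two perimeter resolvers and never fall back to
#    root hints, so no DC needs an "anywhere on port 53" rule.
foreach ($dc in $internalDCs) {
    Set-DnsServerForwarder -ComputerName $dc -IPAddress @($dmzResolvers.Values) `
        -UseRootHint $false -Timeout 3
}

# 3) The partner domain from the question: DomainA.edu goes only to its own server
#    (2.2.2.2 as in the reply); with recursion off for this zone it goes nowhere else.
#    AD-integrated with forest scope, so it is created once and replicates to all DCs.
Add-DnsServerConditionalForwarderZone -ComputerName $internalDCs[0] -Name 'DomainA.edu' `
    -MasterServers '2.2.2.2' -UseRecursion $false -ForwarderTimeout 5 -ReplicationScope 'Forest'

# 4) Verify what was applied rather than assuming it.
foreach ($dc in $internalDCs) {
    Get-DnsServerForwarder -ComputerName $dc |
        Select-Object @{ n = 'DC'; e = { $dc } }, IPAddress, UseRootHint, Timeout
}
Get-DnsServerZone -ComputerName $internalDCs[0] -Name 'DomainA.edu' |
    Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name 'www.DomainA.edu' -Server $internalDCs[0] -DnsOnly
```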

  • DNS Forwarders and last MacOS X Built

    Hello,
    I'm using the "forwarders" option in my named.conf file to speed up my own DNS server. But with the last MacOS X updates (10.4.5 & 10.4.6) this option is not working. My DNS is slow to resolve...
    Does anyone have the same issue?
    Florent

  • Error in dns client setup

    Hi everyone,
    after setting the /etc/resolv.conf file, I tried the nslookup command
    and the following error came:
    can'f find server name for address 203.88.240.88 (this address is given by isp): no response from server
    OK, what should I do next?
    Cheers!

    Please post the details of the application release, database version and OS.
    Please see these docs.
    R12.1: Loading Payables Option Extract into Target Fails with the Following Exception: java.lang.NullPointerException [ID 1323037.1]
    AZR12LOADER Failed with An exception occurred in API 'Chart Of Accounts API' [ID 832383.1]
    iSsetup Migrations Error Fails For Valuesets Using HR_LOOKUPS For Lookup Using Tags [ID 782030.1]
    How To Import Foundation Data into target instance from souce instanceusing iSetup [ID 790001.1]
    Thanks,
    Hussein

  • DNS, Certificates, and Active Directory - School Setup Issues

    Our school has been piloting a small iPad deployment. I have been struggling with getting Profile Manager to work correctly since August of last year. Here's the setup:
    1. Active Directory DNS/DHCP server (set as "school.local"--yes, I know .local is bad form, but it was set before I got here). I have changed the "Digest" to "Basic" setting
    2. Mac Mini server that has its own external IP and hostname ("mac.school.org") and is also bound to the AD server for user authentication for services (Profile Manager, WebDAV, wiki, etc.). I have a self-signed SSL certificate installed under the name "mac.school.org"
    3. About 90 iPads, and a handful of Mac desktops
    In a perfect world, users would be able to login (with their AD credentials) to the Profile Manager self-service portal using the external hostname of the mac server ("mac.school.org/mydevices"), install the Trust Profile, and enroll the device (iPad, Mac, etc).
    However, this is not the case.  The setup seems to work for awhile; quite perfectly in fact. But then for reasons unknown to me, everything just "breaks" and Profile Manager ceases to work like it should. Here are some of issues I am seeing:
    a.) DNS service on the Mac server turns itself ON randomly. DNS should NOT be running on this server, correct? All DNS lookups internally are done by the AD server. I've used changeip and everything matches (both say "mac.school.org")
    b.) Whenever we use VPN, and at other seemingly random times, the server's hostname changes from "mac.school.org" to "mac.school.local" I would make the server external only, but it needs to have an internal IP to talk to the AD server.
    c.) AD binding breaks randomly and I have to rebind the server to AD
    d.) When enrolling devices, Profile Manager starts rejecting certificates (not a trusted source, etc.) and I have to destroy OD and PM and start all over again.
    I know this is a lot and I'm not necessarily expecting anyone to answer all of these questions. I guess I'm wondering if anyone could point me in the right direction? I've looked for help with these issues all over the place, but none of the environments I read about are quite like the one I'm in.

    Yes, I am not giving the real domain name here.
    No prob, just checking; sometimes people have weird domain names, and you never know if they are real, or whether they expect them to be real, or whether they put domain names owned by someone else on their internal network, eek.
    Not really needed to use mac.school.org internally, that is in local LAN. The thing to understand about DNS is the scope for which a DNS zone is relevant WRT a client machine — inside LAN or on Internet, and which DNS server is authoritative for a domain. Authoritative in the sense of 'the final word'.
    Go to Network Utility on your Mac, type in your real domain name (whatever you are changing to school.org to hide it) and see what comes back. On my server I see the below (I have replaced my real, Internet-legal domain with 'example.com').
    In my setup I have, on the LAN, setup the Mac server to be authoritative for domain 'example.com'. On the Internet however it is another external DNS server.
    So you have set DNS forwarders on the Mac machine?
    I really don't believe that the machine's hostname is changing, it is statically configured. What I believe is happening is that DNS name resolution is telling you different things at different times because you are using different DNS servers.
    On the Mac machine's terminal type $ less /etc/resolv.conf and copy-paste what it says. In Server app, Services | DNS, on the right side, does it say you have forwarders?
    Still it is not good to have two DNS domains in your internal LAN, there is no need to have school.org on the mac DNS unless it is going to be fully setup to be authoritative in the internal LAN for the domain school.org. You can have school.org on the Internet (Internet scope of users point 1) and school.local on internal machine (LAN scope of users).
    Lookup has started…
    Trying "example.com"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53292
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
    ;; QUESTION SECTION:
    ;example.com.                   IN        ANY
    ;; ANSWER SECTION:
    example.com.     10800          IN        SOA          example.com. admin.example.com. 2013010907 3600 900 1209600 86400
    example.com.     10800          IN         NS          server.example.com.
    example.com.     10800          IN         MX          10 server.example.com.
    ;; ADDITIONAL SECTION:
    server.example.com. 10800       IN          A          192.168.1.20
    Received 145 bytes from 127.0.0.1#53 in 2 ms

  • Server Setup Help - DNS

    Hi,
    Hopefully someone can shine a light on this for me. I am sure I have confused myself more by doing all this research.
    I am attempting to setup OS X Server (Leopard Server 10.5.4) on my server and am getting a little confused at the primary DNS Name setup screen.
    I have a domain, let's call it macserver.com. It currently does not have any hosting. I plan on hosting it on my own server. I also created an A record (remote.macserver.com) and pointed it to the static IP address that my ISP gave me, for remote desktop purposes, and eventually I will point all MX records to it as well.
    I can ping the A record address (remote.macserver.com) from any other network just fine so I know that is working.
    My question is what do I put into the Primary DNS Name section during the setup? Would that be my domain name (macserver.com) or the remote.macserver.com? Should my server name be remote? Or could it be anything I want?
    I currently don't have any dns servers. The AEBS is doing DHCP and handling the DNS as well. From my understanding I can setup the server to handle the DNS, and then just put in the DNS information (ip address) for my server in the AEBS setup screen and all should be good.
    Thanks for the help!!
    I am not an expert at DNS so any help would be appreciated

    My question is what do I put into the Primary DNS Name section during the setup? Would that be my domain name (macserver.com) or the remote.macserver.com? Should my server name be remote? Or could it be anything I want?
    From your description, your 'domain name' is 'macserver.com'.
    Your server name is 'remote', and your fully-qualified domain name is 'remote.macserver.com'.
    Note that you don't have to call your machine 'remote'. You can have multiple DNS records pointing to the same machine, so your machine could be called 'fred', but have DNS CNAME's that point 'remote.macserver.com', 'jack.macserver.com', and 'www.macserver.com' to the same machine. Other users use one (or any) of the names to get to the machine.

  • AD Integrated DNS Setup

    Hi All,
    I have 6 sites; SiteA (Prod) and SiteB (DR) connect to the Internet. All other sites connect to the Internet via SiteA.
    How do I configure DNS forwarders?
    SiteA: Internet Provider 1 / Internet Provider 2
    SiteB: Internet Provider 1 / Internet Provider 2
    SiteC: SiteA & SiteB DC
    SiteD: SiteA & SiteB DC
    Is this correct?
    Uncheck the box for "Use root hints if no forwarders are available".
    As

    Hi,
    How is it going? If you need further help regarding the question, please don't hesitate to let us know.
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Best regards,
    Frank Shen

  • Website DNS Setup

    Hi all,
    I am looking for advice on how to make https://learningportal.companyname.com resolve to an internal IP address. Current Setup:
    Server 2003 AD - company.parentcompany.local
    internal portal server = server003.company.parentcompany.local (192.168.1.2)
    We have no DNS zones setup for companyname.com on our internal DNS.
    How would i best go about setting traffic for "https://learningportal.companyname.com" to be directed to 192.168.1.2 without affecting internal traffic going to www.companyname.com or similar?
    Would I be right that I would need to create a new zone for learningportal.companyname.com and give it an A record for 192.168.1.2, with no zone created  for companyname.com meaning that traffic for www.companyname.com would be routed outbound to our
    webhosts and external DNS?
    Sorry if this question makes little sense - I'm no DNS guru by any means

    Hi,
    you are right that you can create a zone for learningportal.companyname.com and give it an A record pointing to an internal IP address without affecting other names in the companyname.com zone.
    See the following thread on the exact same topic about more detailed steps:
    http://social.technet.microsoft.com/Forums/en-US/a3874285-6e4a-49f1-942b-0b0d19787ea2/redirect-dns-lookup-with-an-exception
    //Johan
    Microsoft Certified Trainer
    MCSE: Desktop, Server, Private Cloud, Messaging
    Blog: http://365lab.net
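The single-name zone Johan confirms, as an added PowerShell example (not from the thread): a zone whose name is the full host name, with the A record at its apex, so only learningportal.companyname.com is answered locally while www.companyname.com still leaves via the forwarders. It assumes an AD-integrated Windows DNS server with the DnsServer module, run on one DC, with domain-wide replication.

```powershell
# Added example, not from the thread. Run on one AD-integrated DNS server with the
# DnsServer RSAT module; the zone replicates to the other DCs in the domain.
Import-Module DnsServer

$zone = 'learningportal.companyname.com'   # name and address from the question
$ip   = '192.168.1.2'

# A zone named after the host itself: the server becomes authoritative for this one
# name only. companyname.com stays unhosted, so every other name under it is still
# forwarded out to the external DNS as before.
Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Domain' -DynamicUpdate 'None'

# The A record sits at the zone apex ('@'), i.e. learningportal.companyname.com itself.
Add-DnsServerResourceRecordA -ZoneName $zone -Name '@' -IPv4Address $ip `
    -TimeToLive (New-TimeSpan -Hours 1)

# Check both outcomes: the portal name answers with the internal address,
# and the parent domain's other names still resolve externally.
Resolve-DnsName -Name $zone -Type A -Server 'localhost' -DnsOnly |
    Select-Object Name, IPAddress
Resolve-DnsName -Name 'www.companyname.com' -Type A -Server 'localhost' -DnsOnly |
    Select-Object Name, IPAddress
```

Because the question is about an https:// URL, the internal server at 192.168.1.2 must also present a certificate valid for learningportal.companyname.com, or browsers will warn even though the name now resolves internally.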

  • Snow Leopard Server DNS setup

    Where is there a step by step setup for making my Snow Leopard Server with DNS? Essentially, I am looking to setup a mail server but seem to be missing what information I need to gather from the folks that host my domain and how to point traffic to my network.

    When I started setting up my first Mac OS X Servers a few years ago I had to completely retrain my brain because the MacOS does not follow the traditional nomenclature of Windows Active Directory and DNS setup. That being said, like AD for Windows, MacOS relies very, very heavily on a healthy and properly running DNS system, both internally and externally. So one great resource I found was about 10+ hours of training on Leopard Server over at Lynda.com. I think you can sign up for a month-long membership, but it's well worth the investment if you're looking for some basic through advanced setup of Leopard Server. Now SLS is much, much easier at the setup and deployment stage and some of the fundamentals of the setup interface have changed greatly (as an improvement) but the videos are still very applicable.
    Basically it comes down to the following steps in order to get your website/e-mail/wiki services working.
    1. Purchase your .whatever with a registrar: GoDaddy, Doster, Network Solutions, etc.
    2. Make sure you have a fully routable PUBLIC IP address from your ISP that you can assign to the WAN (internet side of your router)
    3. Contact your ISP and ask them to create an rDNS entry for your .something to the IP address they assigned you. Usually this will look like xxx.xxx.xxx ---> mail.mydomain.com when you test later on.
    4. Modify the DNS records with your registrar to point the MX & A record to your new IP. You will log in create an A record for mail.mydomain.com ---> xxx.xxx.xxx (your public IP on router) and then you will create an MX record for e-mail which will simply be mail.mydomain.com with a value of 10 (there is usually a screen for this).
    5. Once all the DNS is set up and working properly (it can take several days for these changes to take effect and be visible by your ISP) then you can begin the configuration of your router. You will need to determine what IP internally you want your Mac to be. Usually 10.0.0.1 or 192.168.1.1 or other, and document that. Program your router to port forward ports 25, 110, 80, 143 to the IP that you decided your Mac will be at so those services will be publicly available for you to use. Otherwise nobody will ever be able to send you e-mail or visit your site.
    6. This is a good time to check your work and settings by visiting www.mxtoolbox.com and you verify your rDNS (setup by ISP) and your DNS (Setup by you) before beginning your setup of OS X SLS. If everything checks out then start the install if not STOP HERE and fix it because it will haunt you in the long run.
    7. Start the install of SLS and at some point the system will get you to the screens at which you input your domain information. If all was set up properly up to now, SLS will auto-populate the domain and local hostname of your Mac Server. You can change the local hostname if you wish, but the domain name information should reflect your rDNS and A record information of mail.mydomain.com, and you can hit next and proceed with the rest of the install.
    8. Once up and running you will need to make a small adjustment to the alias of your e-mail. For some reason the engineers at Apple left a flaw in (my opinion) that is as such. Whenever you send e-mail it will go as [email protected] instead of what you really want which is [email protected]. So follow this post below and you will be all fixed up in a jiffy.
    http://discussions.apple.com/message.jspa?messageID=10110723#10110723
    Hope this helps.

  • Multiple Forest DNS queries, and DFS

    Setup:
    2 physical servers hosting several virtual machines with 3 forests (domains) and 3 subnets.  The physical server has 4 NICs, each forest/subnets has its own dedicated NIC via virtual switch (so 1 NIC is empty).  Each NIC connects to a switch to
    allow workstations and other devices to connect to their proper forest/subnet directly.  These switches then connect to the sonicwall (firewall/router) in an individual port.  Each port has proper subnet defined in it.
    The 3 forests are c.com, l.lan, and w.web named.  c.com and l.lan use a 10.x.x.x/255.255.0.0 subnet.  w.web uses 192.168.x.x/255.255.0.0 subnet.  There are no trusts setup.
    I can ping from one forest/subnet to the other using IP address without issue so the IP routes are fine.  I can ping via FQDN without issue if I setup a forwarder, conditional forwarder, or stub zone.  Sometimes using just the forwarder, FQDN does
    NOT resolve.  Conditional and Stub seems to resolve always. 
    I can get c.com and w.web to resolve single-name (host name) addresses, but at the moment (transitioning) they are on the same subnet.  From some research, I can use single-name resolution if I setup a GlobalNameZone as well, which I might need to do.
    So my question is which is best practice and most reliable way to setup these different forests and subnets to perform DNS resolution?  I tried forwarders, but it wasn't always reliable.  I suspected caching as an issue, but after a flush, a FQDN
    would sometimes resolve and sometimes not.  Conditional and Stub seem to work okay, but I'm not sure about what's best.
    I've spent most of the day researching this, and nothing was ever really definitive and sometimes even contradictory. Previously the DNS Forwarders worked fine for us, but that was on the same subnet. Differing subnets seem to break the internal-to-internal
    forwarding.
    Additionally the w.web domain has a domain level DFS.  Neither of the other forests can access it via the
    \\w.web\data address.  Though they can access it if I point them directly to the server hosting the DFS namespace.

    Windows Server doesn't work well with DNS Search Suffixes defined in DHCP scopes from what I read.
    http://technet.microsoft.com/en-us/library/dd572752(v=office.13).aspx
    Details how to set it up on Windows Server DHCP
    http://social.technet.microsoft.com/Forums/en-US/2eed4d4f-8d1b-4989-ac49-d95e08b7d54a/dhcp-dns-suffix-search-list-supported?forum=winserverNIS
    Details how Windows Server does not support it though.
    http://technet.microsoft.com/en-us/library/bb847901(v=exchg.150).aspx
    Details how to use Group Policy to deploy it.
    How I fixed this:
    1) Open Group Policy for the domain.
    2) Edit the "Default Domain Policy" to include DNS Suffix search for current domain and all other domains.
    3) Set normal forwarders on domain's DNS servers.
    4) Repeat on all domains.
    This partially fixed my problem.  Things were resolving more reliably, but there would be a failure once in a while as well.  I corrected this by adding a conditional forwarder along with the normal forwarder.
    Now I get full resolution of all items.  Additionally, I do not have to use the FQDN for my machines.  Just hostname resolves just fine.  HOWEVER I would suggest to anyone setting up machines to use FQDN where possible, don't be lazy. 
    This means I will not have to setup a GlobalName zone either.  Though I may do it for the experience.
    Another problem though is this only works on Windows machines.  Mobile phones (such as Android and iPhone) and other such devices will not know about the DNS Suffix search.  Fortunately most of those devices required the internet FQDN for services
    to work anyway, and when behind the firewall via WiFi or like, they'll be able to still resolve the internet FQDN of devices since we're using a split-brain DNS for that domain.

  • Intermittent DNS resolution, timeserver, group policy update errors in client logs in Win 2012 R2 single server environment

    We recently switched hardware and server software Win SBS 2008 to 2012R2 for a small network roughly 40 clients (Win7 Pro / Win 8.1 Pro) about 16 running concurrently at a given time and one network printer with the printer queue residing on the DC as well.
    I read that a single server environment might not be ideal in particular no fail-over but that is an accepted risk in this particular network here.
    Errors:
    Error 1043: Timeout during name resolution request
    Error 1129: Group policy updates could not be processed due to DC not available
    Error 5719: Could not establish secure connection to DC, DC not available
    Occasionally but disappears after a while
    Error 134: As a result of a DNS resolution timeout could not reach time server
    Symptoms
    On Win 7 Clients
    Network shares added through Group Policy will not show sometimes
    Network shares disconnect (red X) and when accessed return access authorization error after one or two clicks on the share finally grant access again
    When the issue with accessing network shares occurs, it usually also affects Internet access meaning a 'server not responding' error appears in the browser windows when trying to open just any web page
    nslookup during the incident returns cannot resolve error
    ipconfig on client shows correct default router (VDSL Router) and DHCP / DNS Domain Controller
    Also, the Win system log shows the above errors during these incidents; however, the number of incidents varies from 20-30
    On Win 8.1 Clients
    Same as above with the slight variation for network shares, apparently due to Server 2012 and Win 8.1 clients managing drive shares differently. However, network share refresh does not work with these clients. In most cases only a gpupdate /force returns
    drive shares but usually only for the active session. After logoff / logon the shares are gone again.
    The issue does appear to be load related since it occurs even if there are only one or two workstations active.
    Server Configuration
    Dell R320 PowerEdge 16GB / 4TB 7200RPM RAID10 / GBitEthernet
    Zyxel 1910-48 Port Switch
    VDSL 50Mbps Down / 20Mbps Up
    Since the DC is the only local DNS and there are no plans to add another one or move DNS to another server, the DNS server is configured with this own address as preferred DNS with three DNS forwarders 1) VDSL Router 2) ISP DNS1 3) ISP DNS2
    Currently only one Network card is active for problem determination reasons.
    There appears to be no consensus concerning IPV6 enabled or disabled, I tried both with no apparent effect
    I have set all network cards server and client to Full Duplex and the same speed, also disabled Offload functions within the adapter settings. Some but no consistent improvements.
    Best Practice Analyzer Results
    DNS server scavenging not enabled
    Root hint server XYZ must respond to NS queries for the root zone
    More than one forwarding server should be configured (although 3 are configured)
    NIC1 should be configured to use both a preferred and alternate DNS (there is only one DNS in this network)
    I have found some instructions to apply changes to the clients through a hosts file, but I would rather like to understand whether this DNS response time issue can be resolved on the server, for example through a timing setting perhaps. Currently the DNS forwarders are
    set to 3 seconds.
    Since a few people have reported issues with DNS, but most are working in multi-DNS, multi-DC environments, I could not really apply any suggestions made there. Perhaps there is someone like me who is running a single server and has overcome or experienced the same
    issues. Any help would be appreciated.

    Hello Milos thx for your reply.. my comments below
    1. What does "switched" mean? You may mean migration or new installation. We do not know...
    >> Switched is probably the incorrect term; replaced would be the appropriate wording. Before, there was an HP ProLiant server with SBS 2008 with a distinct domain, and now there is a Dell server with MS 2012 R2 with a distinct domain. Clients were
    removed from one (SBS) domain and added to the new Server 2012 domain. Other components did not change, for example the same network switch, VDSL Router, workstations and printer.
    2. Two DCs are better alternative. Or backup very frequently. There are two groups of administrators. Those who have lost DC and those who will experience this disaster in near future.
    >> Correct, and I am aware of that
    3. NIC settings in W 7 and W 8.1, namely DNS points to DC (...and NOTHING else. No public IP or that of router DNS.)
    >> Correct, this is how it's currently implemented. Clients point to DC for DHCP and DNS and Default Router, no public IP or DNS. The only references to ISP DNS exist on the VDSL Router itself as provided through ISP when establishing VDSL
    Link and the list of Forwarders in the DNS Server configuration. However, I have just recently added the ISPs DNS as forwarders for test purposes and will probably learn tomorrow morning whether this had any effect for better or worse.
    4. Do nslookup to RR on clients. RR branch is saying client basic info on LDAP parameters of AD.
    >> Will post as soon as available
    5. I do not use forwarders and the system works
    >> Ok, does this mean it works for you in a similar or the same infrastructure setup or are you saying it is not required at all and I can remove any forwarder in a scenario like mine? If not required can you explain a bit more why it is not
    required apart from that it does work for you that way?
    6. DHCP should sit on DC (DHCP on router is disabled)
    >> Correct, no other device is configured to provide DHCP service other than DC and DHCP is currently running on DC
    7. NIC settings in DC points to itself (loopback address 127.0.0.1)
    >> Are you sure this is still correct and does apply to Server 2012? I am reading articles stating that it should be the server's own IP rather than the loopback, or should this be added as alternate DNS in addition to the server's own IP?
    8. Use IPCONFIG /FLUSHDNS whenever you change DNS settings.
    >> OK, that was not done every time I changed some settings but I can do that next week. Reboot alone would not suffice, correct?
    9. Test your system with dcdiag.
    >> See result below
    10. Share your findings.
    Regards
    Milos
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
      Home Server = GSERVER2
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
    Testing server: Default-First-Site-Name\GSERVER2
          Starting test: Connectivity
             ......................... GSERVER2 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\GSERVER2
          Starting test: Advertising
             ......................... GSERVER2 passed test Advertising
          Starting test: FrsEvent
             ......................... GSERVER2 passed test FrsEvent
          Starting test: DFSREvent
             ......................... GSERVER2 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... GSERVER2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... GSERVER2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... GSERVER2 passed test
             KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... GSERVER2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... GSERVER2 passed test NCSecDesc
          Starting test: NetLogons
             ......................... GSERVER2 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... GSERVER2 passed test
             ObjectsReplicated
          Starting test: Replications
             ......................... GSERVER2 passed test Replications
          Starting test: RidManager
             ......................... GSERVER2 passed test RidManager
          Starting test: Services
             ......................... GSERVER2 passed test Services
          Starting test: SystemLog
             ......................... GSERVER2 passed test SystemLog
          Starting test: VerifyReferences
             ......................... GSERVER2 passed test VerifyReferences  
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : GS2
          Starting test: CheckSDRefDom
             ......................... GS2 passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... GS2 passed test CrossRefValidation  
       Running enterprise tests on : GS2.intra
          Starting test: LocatorCheck
             ......................... GS2.intra passed test LocatorCheck
          Starting test: Intersite
             ......................... GS2.intra passed test Intersite
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    *** gserver2.g2.intra can't find g2: Non-existent domain
    > gserver2
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    g2.intra
            primary name server = gserver2.g2.intra
            responsible mail addr = hostmaster.g2.intra
            serial  = 443
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    > wikipedia.org
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    Non-authoritative answer:
    wikipedia.org   MX preference = 10, mail exchanger = polonium.wikimedia.org
    wikipedia.org   MX preference = 50, mail exchanger = lead.wikimedia.org
    polonium.wikimedia.org  internet address = 208.80.154.90
    polonium.wikimedia.org  AAAA IPv6 address = 2620:0:861:3:208:80:154:90
    lead.wikimedia.org      internet address = 208.80.154.89
    lead.wikimedia.org      AAAA IPv6 address = 2620:0:861:3:208:80:154:89
    Final benchmark results, sorted by nameserver performance:
     (average cached name retrieval speed, fastest to slowest)
      192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      + Cached Name   | 0,001 | 0,002 | 0,003 | 0,001 | 100,0 |
      + Uncached Name | 0,027 | 0,076 | 0,298 | 0,069 | 100,0 |
      + DotCom Lookup | 0,041 | 0,048 | 0,079 | 0,009 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 gserver2.g2.intra
                    Local Network Nameserver
      195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,023 | 0,025 | 0,000 | 100,0 |
      - Uncached Name | 0,025 | 0,071 | 0,274 | 0,065 | 100,0 |
      - DotCom Lookup | 0,039 | 0,040 | 0,043 | 0,001 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns8.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
      195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,023 | 0,026 | 0,001 | 100,0 |
      - Uncached Name | 0,025 | 0,072 | 0,299 | 0,066 | 100,0 |
      - DotCom Lookup | 0,039 | 0,042 | 0,049 | 0,003 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns7.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
        8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,033 | 0,040 | 0,079 | 0,011 | 100,0 |
      - Uncached Name | 0,042 | 0,113 | 0,482 | 0,097 | 100,0 |
      - DotCom Lookup | 0,049 | 0,079 | 0,192 | 0,039 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 google-public-dns-a.google.com
                     GOOGLE - Google Inc.,US
      UTC: 2014-11-03, from 14:33:12 to 14:33:29, for 00:17,648
    15:40
      192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      + Cached Name   | 0,001 | 0,002 | 0,004 | 0,000 | 100,0 |
      + Uncached Name | 0,025 | 0,074 | 0,266 | 0,063 | 100,0 |
      + DotCom Lookup | 0,042 | 0,048 | 0,075 | 0,007 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 gserver2.g2.intra
                    Local Network Nameserver
      195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
      - Uncached Name | 0,024 | 0,073 | 0,289 | 0,067 | 100,0 |
      - DotCom Lookup | 0,039 | 0,041 | 0,043 | 0,001 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns7.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
      195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
      - Uncached Name | 0,025 | 0,073 | 0,286 | 0,065 | 100,0 |
      - DotCom Lookup | 0,041 | 0,066 | 0,180 | 0,037 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns8.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
        8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,033 | 0,038 | 0,077 | 0,009 | 100,0 |
      - Uncached Name | 0,042 | 0,105 | 0,398 | 0,091 | 100,0 |
      - DotCom Lookup | 0,049 | 0,066 | 0,141 | 0,025 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 google-public-dns-a.google.com
                     GOOGLE - Google Inc.,US
      UTC: 2014-11-03, from 14:39:59 to 14:40:12, for 00:13,363
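    The three points the post keeps coming back to (the forwarder list and its 3 second timeout, how fast each forwarder actually answers, and whether the DC's own NIC points only at itself) can be checked in one pass from the DC. The script below is an added example, not from the thread or from Microsoft; it assumes Server 2012 R2 with the DnsServer module and uses wikipedia.org (already looked up in the post) purely as a test name.

    ```powershell
    # Added diagnostic example (not part of the original thread). Run in an elevated
    # PowerShell on the DC. It prints the forwarder configuration, probes each
    # forwarder, times a real lookup through each one against the configured timeout,
    # and flags any DNS client entry on the DC's NICs that is not the DC itself.
    $testName = 'wikipedia.org'   # test name only; any external name will do

    # 1. Forwarder configuration: addresses, per-forwarder timeout, root-hint fallback
    $fwd = Get-DnsServerForwarder
    "Forwarders  : {0}" -f ($fwd.IPAddress -join ', ')
    "Timeout     : {0} s" -f $fwd.Timeout
    "UseRootHint : {0}" -f $fwd.UseRootHint

    # 2. Probe each forwarder and time a recursive lookup sent directly to it.
    #    A lookup slower than the timeout is exactly what makes clients see
    #    'cannot resolve' while the server itself looks healthy.
    foreach ($ip in $fwd.IPAddress) {
        $probe = Test-DnsServer -IPAddress $ip -Context Forwarder
        $ms = (Measure-Command {
            $null = Resolve-DnsName -Name $testName -Server $ip -DnsOnly -ErrorAction SilentlyContinue
        }).TotalMilliseconds
        $flag = if ($ms -gt ($fwd.Timeout * 1000)) { 'SLOWER THAN TIMEOUT' } else { 'ok' }
        "{0,-16} probe={1,-10} lookup={2,6:N0} ms  {3}" -f $ip, $probe.Result, $ms, $flag
    }

    # 3. DNS client settings on the DC's NICs. Every entry should be this DC
    #    (its own IPv4 address or 127.0.0.1); anything else, such as the router
    #    or an ISP resolver, sends AD-integrated lookups to a server that cannot
    #    answer them.
    $localIPs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            $foreign = $_.ServerAddresses | Where-Object { ($_ -notin $localIPs) -and ($_ -ne '127.0.0.1') }
            $note = if ($foreign) { '  <-- not this DC: ' + ($foreign -join ',') } else { '' }
            "{0,-25} DNS={1}{2}" -f $_.InterfaceAlias, ($_.ServerAddresses -join ','), $note
        }
    ```

    Run it a few times during a quiet period and again while the share/browser symptoms occur; a forwarder whose lookup time jumps past the timeout in the second run is the one to drop or reorder.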
