
Thread: Forwarders cannot be validated and recursive query fails

  1. #1
    Bennett Guest

    Forwarders cannot be validated and recursive query fails

    I'm migrating one of my clients from Windows Server 2003 to 2008. However,
    DNS recursive query and nslookup are failing on the new 2008 DC. Yes,
    recursion is enabled (or rather not disabled on Advanced tab). I have the
    same forwarders and root hints as my working 2003 DC and I can telnet to the
    forwarders' port 53 from the 2008 DC. Event logs show no errors.

    Odd thing is, when adding the forwarders, their FQDN resolved, but the
    Validated column said "An unknown error occurred while validating the
    server." Can't find anything about this message online and can't find any
    event, log entry, or other explanation of what this error is. Guess that's
    why it says "unknown error". ;)

    Seems obvious problem is recursion/forwarding, but I can't figure out how to
    diagnose the problem since recursion is already enabled. Help!

  2. #2
    Ace Fekay [Microsoft Certified Trainer] Guest

    Re: Forwarders cannot be validated and recursive query fails

    In news:FE3163AC-5F17-4ABB-847E-3FE86C5F1F3E@microsoft.com,
    Bennett <Bennett@discussions.microsoft.com>, posted the following:
    > I'm migrating one of my clients from Windows Server 2003 to 2008.
    > However, DNS recursive query and nslookup are failing on the new 2008
    > DC. Yes, recursion is enabled (or rather not disabled on Advanced
    > tab). I have the same forwarders and root hints as my working 2003
    > DC and I can telnet to the forwarders' port 53 from the 2008 DC.
    > Event logs show no errors.
    >
    > Odd thing is, when adding the forwarders, their FQDN resolved, but the
    > Validated column said "An unknown error occurred while validating the
    > server." Can't find anything about this message online and can't
    > find any event, log entry, or other explanation of what this error
    > is. Guess that's why it says "unknown error". ;)
    >
    > Seems obvious problem is recursion/forwarding, but I can't figure out
    > how to diagnose the problem since recursion is already enabled. Help!


    I see you tested with telnet, but that only indicates if TCP is responding.
    Telnet is TCP based, not UDP. Keep in mind, by default, DNS on Windows 2003
    and newer, uses EDNS0, which uses UDP to query (if the response packet is
    under 1280 bytes, not like the old 500 bytes using non-EDNS0). It will
    switch to TCP if the response packet is greater than 1280 bytes.

    Use nslookup to test it. If it doesn't work with a simple nslookup test,
    use the 'set vc' option in nslookup to force TCP and see if it works. If it
    does, it says UDP is blocked.

    Example:

    nslookup
    testmachine.yourdomain.com
    www.OnSomeOtherOutsideDomain.com
    www.yahoo.com

    if it doesn't work, try:

    nslookup
    set vc
    (and retry the queries)

    Also try nslookup diagnostic mode:
    nslookup
    set d2

    and post your results, please



    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
    Microsoft Certified Trainer
    aceman@mvps.RemoveThisPart.org

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.



  3. #3
    Bennett Guest

    Re: Forwarders cannot be validated and recursive query fails



    "Ace Fekay [Microsoft Certified Trainer]" wrote:

    > In news:FE3163AC-5F17-4ABB-847E-3FE86C5F1F3E@microsoft.com,
    > Bennett <Bennett@discussions.microsoft.com>, posted the following:
    > > I'm migrating one of my clients from Windows Server 2003 to 2008.
    > > However, DNS recursive query and nslookup are failing on the new 2008
    > > DC. Yes, recursion is enabled (or rather not disabled on Advanced
    > > tab). I have the same forwarders and root hints as my working 2003
    > > DC and I can telnet to the forwarders' port 53 from the 2008 DC.
    > > Event logs show no errors.
    > >
    > > Odd thing is, when adding the forwarders, their FQDN resolved, but the
    > > Validated column said "An unknown error occurred while validating the
    > > server." Can't find anything about this message online and can't
    > > find any event, log entry, or other explanation of what this error
    > > is. Guess that's why it says "unknown error". ;)
    > >
    > > Seems obvious problem is recursion/forwarding, but I can't figure out
    > > how to diagnose the problem since recursion is already enabled. Help!

    >
    > I see you tested with telnet, but that only indicates if TCP is responding.
    > Telnet is TCP based, not UDP. Keep in mind, by default, DNS on Windows 2003
    > and newer, uses EDNS0, which uses UDP to query (if the response packet is
    > under 1280 bytes, not like the old 500 bytes using non-EDNS0). It will
    > switch to TCP if the response packet is greater than 1280 bytes.
    >
    > Use nslookup to test it. If it doesn't work with a simple nslookup test,
    > use the 'set vc' option in nslookup to force TCP and see if it works. If it
    > does, it says UDP is blocked.
    >
    > Example:
    >
    > nslookup
    > testmachine.yourdomain.com
    > www.OnSomeOtherOutsideDomain.com
    > www.yahoo.com
    >
    > if it doesn't work, try:
    >
    > nslookup
    > set vc
    > (and retry the queries)
    >
    > Also try nslookup diagnostic mode:
    > nslookup
    > set d2
    >
    > and post your results, please
    >
    >
    >
    > --
    > Ace
    >
    > This posting is provided "AS-IS" with no warranties or guarantees and
    > confers no rights.
    >
    > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
    > Microsoft Certified Trainer
    > aceman@mvps.RemoveThisPart.org
    >
    > For urgent issues, you may want to contact Microsoft PSS directly. Please
    > check http://support.microsoft.com for regional support phone numbers.
    >


    Never considered the TCP/UDP aspect of telnet. Have to remember that. :)

    Already used nslookup d2 to test & failed (hadn't tried set vc, but that
    failed, too). I had even compared d2 output to my 2003 server and didn't see
    anything significant. Only real difference was a nondescript "rcode =
    SERVFAIL" instead of NOERROR. Pretty worthless, but maybe you can glean
    something from the results that I missed:

    ==================================================
    > microsoft.com

    Server: xxx.xxxxxx.com
    Address: xxx.xxx.xxx.xxx

    ------------
    Got answer:
    HEADER:
    opcode = QUERY, id = 78, rcode = NXDOMAIN
    header flags: response, auth. answer, want recursion, recursion
    avail.
    questions = 1, answers = 0, authority records = 1, additional = 0

    QUESTIONS:
    microsoft.com.xxxxxx.com, type = A, class = IN
    AUTHORITY RECORDS:
    -> xxxxxx.com
    ttl = 3600 (1 hour)
    primary name server = xxx.xxxxxx.com
    responsible mail addr = hostmaster
    serial = 10377
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)

    ------------
    ------------
    Got answer:
    HEADER:
    opcode = QUERY, id = 79, rcode = NXDOMAIN
    header flags: response, auth. answer, want recursion, recursion
    avail.
    questions = 1, answers = 0, authority records = 1, additional = 0

    QUESTIONS:
    microsoft.com.xxxxxx.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    -> xxxxxx.com
    ttl = 3600 (1 hour)
    primary name server = xxx.xxxxxx.com
    responsible mail addr = hostmaster
    serial = 10377
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)

    ------------
    ------------
    Got answer:
    HEADER:
    opcode = QUERY, id = 80, rcode = SERVFAIL
    header flags: response, want recursion, recursion avail.
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    microsoft.com, type = A, class = IN

    ------------
    ------------
    Got answer:
    HEADER:
    opcode = QUERY, id = 81, rcode = SERVFAIL
    header flags: response, want recursion, recursion avail.
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    microsoft.com, type = AAAA, class = IN

    ------------
    *** xxx.xxxxxx.com can't find microsoft.com: Server failed
    ==================================================

  4. #4
    Ace Fekay [Microsoft Certified Trainer] Guest

    Re: Forwarders cannot be validated and recursive query fails

    In news:4BDEE339-ED75-4D9E-B08B-78A444CD8474@microsoft.com,
    Bennett <Bennett@discussions.microsoft.com>, posted the following:

    >
    > Never considered the TCP/UDP aspect of telnet. Have to remember that.
    > :)
    >
    > Already used nslookup d2 to test & failed (hadn't tried set vc, but
    > that failed, too). I had even compared d2 output to my 2003 server
    > and didn't see anything significant. Only real difference was a
    > nondescript "rcode = SERVFAIL" instead of NOERROR. Pretty worthless,
    > but maybe you can glean something from the results that I missed:
    >
    > ==================================================
    >> microsoft.com

    > Server: xxx.xxxxxx.com
    > Address: xxx.xxx.xxx.xxx
    >
    > ------------
    > Got answer:
    > HEADER:
    > opcode = QUERY, id = 78, rcode = NXDOMAIN
    > header flags: response, auth. answer, want recursion,
    > recursion avail.
    > questions = 1, answers = 0, authority records = 1,
    > additional = 0



    The Servfail is saying that it could not get the response from the server it
    was using, and NXDOMAIN is saying the domain doesn't exist. It sounds like
    the query is not passing through or returning through a firewall. What type
    of firewall are you using? Is UDP53 permitted through it? But you said set
    vc did not work either? Can you describe your setup a little, please?

    Ace


  5. #5
    Bennett Guest

    Re: Forwarders cannot be validated and recursive query fails



    "Ace Fekay [Microsoft Certified Trainer]" wrote:

    > The Servfail is saying that it could not get the response from the server it
    > was using, and NXDOMAIN is saying the domain doesn't exist. It sounds like
    > the query is not passing through or returning through a firewall. What type
    > of firewall are you using? Is UDP53 permitted through it? But you said set
    > vc did not work either? Can you describe your setup a little, please?
    >
    > Ace


    My suspicions were port 53 blocked, too, because if I add the old 2003
    server to the 2008's forwarders, it works. However, I can't find where (or
    even if) it's blocked. Firewall is pfSense (FreeBSD-based packet filter).
    All outbound LAN traffic is allowed except port 25 from non-mail servers.
    Even so, I added a rule to explicitly allow TCP/UDP port 53 from this server.
    I disabled Windows Server 2008 firewall to eliminate it from the picture,
    even though it has multiple built-in rules on all profiles to explicitly
    allow port 53 and even allow all traffic from DNS Service.

    However, as I said before I added firewall rules and disabled firewalls, I
    can telnet port 53 from this server to the external DNS but nslookup with set
    vc still fails. So the port works, but DNS service doesn't.

    Something interesting I didn't notice earlier. When I first open nslookup,
    it doesn't find this DNS server it's running on and I have manually set the
    server. The startup looks like this:

    C:\>nslookup
    Default Server: UnKnown
    Address: ::1

    Colons made me suspicious of IP6, so I disabled it, and now nslookup finds
    server localhost 127.0.0.1, but still no worky. Still same nondescript
    SERVFAIL error, but nothing else. Aaaarrrggghh!

  6. #6
    Ace Fekay [Microsoft Certified Trainer] Guest

    Re: Forwarders cannot be validated and recursive query fails

    In news:DB2EF9E8-3028-437B-BA22-DDF84E4032ED@microsoft.com,
    Bennett <Bennett@discussions.microsoft.com>, posted the following:
    >
    > My suspicions were port 53 blocked, too, because if I add the old 2003
    > server to the 2008's forwarders, it works. However, I can't find
    > where (or even if) it's blocked. Firewall is pfSense (FreeBSD-based
    > packet filter). All outbound LAN traffic is allowed except port 25
    > from non-mail servers. Even so, I added a rule to explicitly allow
    > TCP/UDP port 53 from this server. I disabled Windows Server 2008
    > firewall to eliminate it from the picture, even though it has
    > multiple built-in rules on all profiles to explicitly allow port 53
    > and even allow all traffic from DNS Service.
    >
    > However, as I said before I added firewall rules and disabled
    > firewalls, I can telnet port 53 from this server to the external DNS
    > but nslookup with set vc still fails. So the port works, but DNS
    > service doesn't.
    >
    > Something interesting I didn't notice earlier. When I first open
    > nslookup, it doesn't find this DNS server it's running on and I have
    > manually set the server. The startup looks like this:
    >
    > C:\>nslookup
    > Default Server: UnKnown
    > Address: ::1
    >
    > Colons made me suspicious of IP6, so I disabled it, and now nslookup
    > finds server localhost 127.0.0.1, but still no worky. Still same
    > nondescript SERVFAIL error, but nothing else. Aaaarrrggghh!


    Is there an 'established' rule to allow any outbound requests (other than
    http and https) to the 2008 server? Can you mimic the 2003 server's rules in
    the firewall for the 2008 server's IP?

    As a test, unplug the 2003 server, then change the 2008 server's IP to the
    one the 2003 server is using, then test it. Does it work? (of course do this
    after hours, especially if the 2003 server is a prod server).

    Remove the loopback and change the DNS address to the actual server's IP.

    Ace





  7. #7
    Bennett Guest

    Re: Forwarders cannot be validated and recursive query fails

    "Ace Fekay [Microsoft Certified Trainer]" wrote:

    > Is there an 'established' rule to allow any outbound requests (other than
    > http and https) to the 2008 server? Can you mimic the 2003 server's rules in
    > the firewall for the 2008 server's IP?
    >
    > As a test, unplug the 2003 server, then change the 2008 server's IP to the
    > one the 2003 server is using, then test it. Does it work? (of course do this
    > after hours, especially if the 2003 server is a prod server).
    >
    > Remove the loopback and change the DNS address to the actual server's IP.
    >
    > Ace


    Found problem/solution! Just for giggles, I tried OpenDNS and voila,
    they're validated and everything works! If I set nslookup server to Time
    Warner DNS servers on both 2003/2008 boxes, I get "rcode = REFUSED" on
    lookups. Frankly, now I'm not sure how 2003 server was working at all since
    these are the only external DNS listed anywhere in it. I'll try to figure
    that out after the 2008 switch is complete but before I decommission the 2003
    box. In the meantime, I'm using OpenDNS & some Time Warner DNS snagged from
    another local Time Warner client because all the other DNS servers I could
    find on the worthless Time Warner business-class "support" website fail, too.
    :P

    Thanks for assistance, Ace. Problem was all Time Warner's DNS servers.

  8. #8
    Ace Fekay [Microsoft Certified Trainer] Guest

    Re: Forwarders cannot be validated and recursive query fails

    In news:EA1DDA4B-407E-40AE-9E3A-2D36489001DB@microsoft.com,
    Bennett <Bennett@discussions.microsoft.com>, posted the following:
    >
    > Found problem/solution! Just for giggles, I tried OpenDNS and voila,
    > they're validated and everything works! If I set nslookup server to
    > Time Warner DNS servers on both 2003/2008 boxes, I get "rcode =
    > REFUSED" on lookups. Frankly, now I'm not sure how 2003 server was
    > working at all since these are the only external DNS listed anywhere
    > in it. I'll try to figure that out after the 2008 switch is complete
    > but before I decommission the 2003 box. In the meantime, I'm using
    > OpenDNS & some Time Warner DNS snagged from another local Time Warner
    > client because all the other DNS servers I could find on the
    > worthless Time Warner business-class "support" website fail, too.
    > :P

    >
    > Thanks for assistance, Ace. Problem was all Time Warner's DNS
    > servers.


    Ahh, interesting. I bet if you ran nslookup with the d2 switch (set d2),
    that you will find at the recursion request portion, it would say recursion
    is not available. Apparently they have it turned off for customers outside
    of their network, or turned off period. I would have suggested to try
    4.2.2.2, but it didn't occur to me it would be an external DNS issue.

    Good to see you have it working. Good luck. Post back if you have any other
    questions.

    Ace
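
The diagnostic sequence Ace lays out across posts #2, #4 and #8 (query over UDP, retry over TCP as `set vc` does, then read the rcode and the recursion-available flag as `set d2` shows them) can be scripted so the same test is repeatable from any host. The following is an added example written for this thread, not code from the thread or from Microsoft; it uses only the Python standard library, builds and parses raw DNS messages itself, and the function names, the verdict strings and the `dnsprobe.py` script name are my own. Point it at the forwarder's IP rather than at the local server to test the forwarder directly.

```python
"""Probe a DNS server over UDP and TCP and interpret the result the way the
thread does: UDP fails but TCP works -> UDP/53 filtered; REFUSED or RA bit
clear -> the server will not recurse for this client; SERVFAIL -> the server
accepted the query but failed upstream. Added example, not part of the thread."""
import random
import socket
import struct
import sys

# RFC 1035 response codes, spelled as nslookup prints them in 'set d2' output
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "AAAA": 28}


def build_query(name, qtype="A", txid=None):
    """Wire-format query for <name> with only the RD (recursion desired) bit set."""
    txid = random.randrange(0, 65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # qdcount=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # class IN


def parse_response(data):
    """Decode the 12-byte header: the flags nslookup shows under HEADER:."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "authoritative": bool(flags & 0x0400),
        "truncated": bool(flags & 0x0200),
        "recursion_desired": bool(flags & 0x0100),
        "recursion_available": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
        "authority": ns,
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the reply was complete")
        buf += chunk
    return buf


def query_udp(server, name, qtype="A", timeout=3.0):
    """Plain UDP/53 query, the path nslookup uses by default."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def query_tcp(server, name, qtype="A", timeout=3.0):
    """Same query over TCP/53 with the two-byte length prefix (what 'set vc' forces)."""
    q = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return parse_response(_recv_exact(s, length))


def diagnose(udp, tcp):
    """Map a (UDP result, TCP result) pair to a verdict; None means no reply came back."""
    if udp is None and tcp is None:
        return "no reply over UDP or TCP: server unreachable or port 53 filtered"
    if udp is None:
        return "TCP works but UDP does not: UDP/53 is blocked somewhere on the path"
    if tcp is None and udp["truncated"]:
        return "UDP reply truncated and TCP fails: large answers cannot fall back to TCP/53"
    if udp["rcode"] == "REFUSED" or (udp["recursion_desired"] and not udp["recursion_available"]):
        return "server refuses recursion for this client (REFUSED / RA clear): use another forwarder"
    if udp["rcode"] == "SERVFAIL":
        return "SERVFAIL: server accepted the query but could not complete recursion upstream"
    if udp["rcode"] == "NXDOMAIN":
        return "NXDOMAIN: name does not exist (if a search suffix was appended, query the FQDN with a trailing dot)"
    return "NOERROR: recursion works"


def probe(server, name, qtype="A"):
    """Run both transports, tolerating timeouts, and attach a verdict."""
    results = {}
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[label] = fn(server, name, qtype)
        except OSError:  # socket.timeout and ConnectionError are OSError subclasses
            results[label] = None
    results["verdict"] = diagnose(results["udp"], results["tcp"])
    return results


if __name__ == "__main__":
    # usage: python dnsprobe.py <forwarder-ip> <fqdn>   (hypothetical script name)
    for key, value in probe(sys.argv[1], sys.argv[2]).items():
        print(f"{key}: {value}")
```

Querying the name with a trailing dot avoids the suffix-appended `microsoft.com.xxxxxx.com` NXDOMAIN answers seen in post #3, so the SERVFAIL or REFUSED from the real query is the first thing you see. The REFUSED verdict is exactly what post #7 reports from the ISP's resolvers, and the RA-bit check is the "recursion is not available" reading Ace suggests in post #8.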


