Client DNS issue after Domain controller migration

Question

question

SabirShibley-3818 asked Dec 6, '20 SabirShibley-3818 commented Dec 7, '20

Client DNS issue after Domain controller migration

i had migrated from 2008 R2 Domain controller to 2016, all FSMO roles transferred to 2016 server. after migration existing clients machines not resolving new server DNS, it gives below error.

C:\Users\administrator.CLOUD>nslookup
DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: 192.168.201.11

new servers are able to resolve 2016 server DNS without any issue.

i did not demoted 2008 R2 domain due to DNS issue. i tried registering DNS manually but no luck

windows-active-directory windows-dhcp-dns windows-server-migration

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 1 · 2020-12-06T14:25:20.443Z

Thameur-BOURBITA answered Dec 6, '20

Hi,

it seems a network issue. check if the DNS network flow port 53 used by the client to send DNS request is opened between client and new DNS server. you can use this tools https://www.microsoft.com/en-us/download/details.aspx?id=24009
It can be also a DC problem because the DNS zone is active directory integrated so , it can be impacted if there is a replication issue.

Please don't forget to mark this reply as answer if it help you to fix your issue

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 2 · 2020-12-06T13:13:10.44Z

Thameur-BOURBITA answered Dec 6, '20

Hi,

Default Server: UnKnown this message means that there is no PTR entry (it's DNS entry to identify the server name by its IP addresse) for new DNS server. but the PTR dns entry is not required to let client send DNS requests to the server 192.168.201.11 .

check if the client is able to resolve FQDN of any machine to test if it get answer from DNS server 192.168.201:

nslookup domainName:

Please don't forget to mark this reply as answer if it help you to fix your issue

image.png (8.1 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 3 · 2020-12-06T13:23:22.36Z

DSPatrick answered Dec 6, '20

Please run;

Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt

then put unzipped text files up on OneDrive and share a link.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 4 · 2020-12-06T13:31:25.49Z

SabirShibley-3818 answered Dec 6, '20 SabirShibley-3818 edited Dec 6, '20

Hello Thmeur,
PRT record is fine

C:\Users\administrator.CLOUD>nslookup google.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.201.11

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

if i use my old domain IP it works fine, old domain 201.1 and new 201.11

C:\Users\administrator.CLOUD>nslookup
Default Server: dc.cloud.local
Address: 192.168.201.1

192.168.201.11

Server: dc.cloud.local
Address: 192.168.201.1

Name: ad2016.cloud.local
Address: 192.168.201.11

ptr.jpg (30.8 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 5 · 2020-12-06T14:00:34.29Z

Thameur-BOURBITA answered Dec 6, '20 SabirShibley-3818 commented Dec 6, '20

Hi,

The PTR you shared it in your last answer is for : 192.168.201.3

Create new PTR for 192.168.201.11.

Try to resolve a FQDN with local DNS suffix : nslookup dc.cloud.local to check if you get the same timeout

Please don't forget to mark this reply as answer if it help you to fix your issue

image.png (73.6 KiB)

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SabirShibley-3818 · Dec 06, 2020 at 02:14 PM

C:\Users\administrator.CLOUD>nslookup dc.cloud.local
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.201.11

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

0 ·

ptr-11.jpg (26.6 KiB)

Answer 6 · 2020-12-06T14:06:23.127Z

SabirShibley-3818 answered Dec 6, '20

@DSPatrick

https://buzinessware-my.sharepoint.com/:f:/p/sabir/EoqULhOs4RFDo1NcpVanuhwBo_bptjnjZ0WnmoeOuz-hFA?e=qVqUgb

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 7 · 2020-12-06T14:21:21.993Z

DSPatrick answered Dec 6, '20 DSPatrick edited Dec 6, '20

There is a time difference between the two domain controllers, this needs to be corrected. May need to look at the domain time service configuration. Looks like there are replication problems between the two. I'd check the event logs for more details of issues. Also check that problem clients are getting the ip address of new DC listed for DNS on connection properties.

--please don't forget to Accept as answer if the reply is helpful--

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 8 · 2020-12-07T03:35:52.71Z

GloriaGu-MSFT answered Dec 7, '20

@SabirShibley-3818 Hi,

Thank you for posting in Q&A!

Please try to point the DNS server list to each other, rather than point to itself first.

If multiple DCs are configured as DNS servers, they should be configured to use each other for resolution first and themselves second. If the DC point to itself as the primary DNS server, it might cause some unexpected AD replication issue.

For more details, please refer to:
https://www.dell.com/support/article/en-sg/sln155801/best-practices-for-dns-configuration-in-an-active-directory-domain?lang=en

Hope you have a nice day : )
Gloria
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
https://docs.microsoft.com/en-us/answers/articles/67444/email-notifications.html

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 9 · 2020-12-07T08:56:30.1Z

SabirShibley-3818 answered Dec 7, '20 SabirShibley-3818 commented Dec 7, '20

Dear All,

Issue fixed as our firewall is blocking port 53, Thanks @Thameur-BOURBITA @DSPatrick @GloriaGu-MSFT

· 2

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DSPatrick · Dec 07, 2020 at 02:35 PM

Glad to hear, you're welcome.

--please don't forget to Accept as answer if the reply is helpful--

0 ·

SabirShibley-3818 DSPatrick · Dec 07, 2020 at 02:45 PM

Accept as answer is not visible

0 ·

question