Question
Wednesday, October 19, 2011 3:34 PM
Hi, I am trying to join a Web Server from a subnet to a domain controller in another subnet, but I keep getting an error stating that the domain controller cannot be found. I can ping the domain controller from the Web Server, but using nslookup in the command prompt, it cannot resolve the domain controller.
Back at the domain controller, I am able to resolve the web server name and its IP address using nslookup.
I have also opened up the ports in the Firewall as listed in: http://support.microsoft.com/kb/179442 but still cannot get it to work.
Any advice?
Thanks in advance.
All replies (11)
Thursday, October 20, 2011 10:47 AM ✅Answered
Hi,
Thanks for posting here.
This result is expected because we have not set a DNS or host suffix for this Web server yet, either manually or through DHCP.
We may try to query the FQDN instead of the host name by running “nslookup DCandDNSServer.somedomain.com” if we want to check whether DNS name resolution is working properly. If the system returns the proper IP address (192.168.2.10) for that record, this indicates that name resolution is working fine and we may start joining it into the domain. Please also input the FQDN as the domain name when joining it.
http://technet.microsoft.com/en-us/library/cc959611.aspx
Thanks.
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Thursday, October 20, 2011 1:50 PM ✅Answered
I would like to add, once you join the machine, the Primary DNS Suffix takes on the AD domain name, which is also applied as the Search Suffix. Anytime we test with nslookup, we must take into account the machine's suffix because nslookup will use it when you use a single-name query. If it's missing, there is no suffix to append to a single-name query.
As for TCP 42 not listening, that is the WINS server port. If not using WINS, don't worry. However, with multiple subnets, it's suggested to use it if you are running apps that still rely on NetBIOS name resolution, or you feel you want to use single-name resolution all the time (as you've demonstrated with your nslookup attempts). NetBIOS resolution also provides the ability for Network Neighborhood browsing across subnets.
Also, I would like to address the DC's configuration. It has multiple interfaces - the main interface, and two iSCSI interfaces. I realize that you are probably using multiple iSCSI storage drives, but this configuration turns the DC into a "multihomed DC," which is not a recommended configuration. Here's a link on what this means:
Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters -
A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly. http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
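Both answers above come down to two checks a practitioner can script rather than eyeball in nslookup: what suffix (if any) the client will append to a single-label name, and which addresses the DC has registered in DNS for the records a domain join actually follows (the _ldap._tcp.dc._msdcs SRV record, then the A records of each DC it names). The PowerShell below is an added example, not code from the thread or from either answer; it assumes the DC name and PROD address posted in the thread (DCandDNSServer.somedomain.com, 192.168.2.10) and that Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) is available on the machine it runs on.

```powershell
# Added example (not from the thread or the answers above). Assumptions: DC FQDN and
# PROD address as posted; Resolve-DnsName available (Windows 8 / Server 2012 or later).
param(
    [string]$DcFqdn      = 'DCandDNSServer.somedomain.com',  # from the thread
    [string]$DnsServer   = '192.168.2.10',                   # DC's PROD address, from the thread
    [string[]]$ExpectedA = @('192.168.2.10')                 # the only address a client should learn
)

# --- 1. Suffix state of this client -----------------------------------------
# nslookup qualifies a single-label name with the primary DNS suffix and the search
# list. On an unjoined host both are usually empty, so "nslookup DCandDNSServer" is
# sent to the server as a bare label and cannot match DCandDNSServer.somedomain.com.
$tcpip         = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$primarySuffix = $tcpip.'NV Domain'
$searchList    = $tcpip.SearchList
"Primary DNS suffix : '$primarySuffix'"
"DNS search list    : '$searchList'"
if (-not $primarySuffix -and -not $searchList) {
    'No suffix to append: single-label queries fail until the host is joined. Query the FQDN instead.'
}

# --- 2. What a domain join will learn from the DC's own DNS server ----------
$domain  = ($DcFqdn -split '\.', 2)[1]
$srvName = "_ldap._tcp.dc._msdcs.$domain"
$srv = Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No SRV records for $srvName on $DnsServer; the DC has not registered itself." }

$unexpected = @()
foreach ($rec in $srv) {
    "SRV  $srvName -> $($rec.NameTarget):$($rec.Port)"
    $a = Resolve-DnsName -Name $rec.NameTarget -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) { "  A    (no A record for $($rec.NameTarget))"; continue }
    foreach ($rr in @($a)) {
        $addr = $rr.IPAddress
        if ($ExpectedA -contains $addr) {
            "  A    $addr  ok"
        } else {
            "  A    $addr  UNEXPECTED: a non-production interface is registered in DNS"
            $unexpected += $addr
        }
    }
}

# The DC returns every registered address and rotates their order (round robin), so a
# client may try an iSCSI address first and time out even though DNS "worked".
if ($unexpected) {
    "Multihomed DC: $($unexpected.Count) address(es) outside $($ExpectedA -join ', ') are registered."
} else {
    'DNS returns only the production address; look at firewall/port filtering next.'
}
```

Run it on the web server. An empty primary suffix and search list explains the failed short-name nslookup in the question; an A record outside 192.168.2.10 means a non-production interface (here the iSCSI adapters) is registering in DNS, and a client that picks that address first times out exactly as the "no domain controllers could be contacted" join error later in this thread describes. The usual way to contain that on a multihomed DC is to clear "Register this connection's addresses in DNS" on the non-production adapters (Set-DnsClient -RegisterThisConnectionsAddress $false on Server 2012 and later), delete the stray A records from the zone, and re-register with ipconfig /registerdns.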
Wednesday, October 19, 2011 4:42 PM
Make sure you also open:
- TCP & UDP 1024 - 5000
- TCP & UDP 49152 - 65535
Also, make absolutely sure that the only DNS address on the web server is the DC's DNS server IP address. If there are any other addresses, it won't be able to "find" the domain, the DCs, or anything else with AD. This also applies to all your AD machines and DCs. They should only point to the AD's DNS server(s), which I assume is your DC.
Ping is not a good tool to use. Nslookup not resolving indicates either port blocks or, more than likely, not using the DC as its only DNS address.
You can use PortQRY to determine if any AD ports are blocked. If you get a "FILTERED" or "NOT LISTENING" in the results, well, that simply says the port is blocked. Download it and run it from each DC to other DCs in question, or from the bridgeheads in each site to the other bridgehead in the other site.
PortQryUI - User Interface for the PortQry Command Line Port Scanner (GUI version)
http://www.microsoft.com/download/en/details.aspx?id=24009
Also, to better help with your config, if you can post an ipconfig /all from the DC, a sample internal client, and from the web server, we can point out any config issues for you.
Also, if there are any event log errors on the DC, post them too, please.
Ace Fekay
Thursday, October 20, 2011 9:05 AM
Hi,
The DNS address on the Web Server is the DC's DNS server IP address. I have actually been able to join other servers in the same subnet as the DC and it works out fine.
The PortQRY tool indicates that TCP Port 42 is Not Listening even though I have opened up this port in the Firewall. I don't know what is wrong... Is this required?
Here's the config for the DC/DNS:
C:\Users\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DCandDNSServer
Primary Dns Suffix . . . . . . . : somedomain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : somedomain.com
Ethernet adapter Team - PROD:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP Network Team #1 (PROD)
Physical Address. . . . . . . . . : 98-4B-E1-63-EE-24
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.2.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.10
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter iSCSI-2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #4
Physical Address. . . . . . . . . : 98-4B-E1-63-EE-26
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::fc9c:3e35:a256:6a0f%14(Preferred)
IPv4 Address. . . . . . . . . . . : 10.158.2.102(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 419436452
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-EE-E1-30-00-17-A4-77-00-92
DNS Servers . . . . . . . . . . . : ::1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter iSCSI-1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #3
Physical Address. . . . . . . . . : 98-4B-E1-63-EE-22
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7d2d:37e2:5122:1f05%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.158.2.101(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 352327588
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-EE-E1-30-00-17-A4-77-00-92
DNS Servers . . . . . . . . . . . : ::1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{B1E819B1-33BB-4EDE-A8C9-FEE729256E0D}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{9757FCFC-79FF-40B8-A976-63F2B6E23A40}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{637EA953-F136-4227-9651-1C92CF845CE5}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
And here's the config for the Web Server:
C:\Users\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WEBSERVER1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection 4:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #4
Physical Address. . . . . . . . . : 18-A9-05-4D-A6-0E
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5c0f:1db0:d0d0:4463%17(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.4.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : 192.168.4.1
DHCPv6 IAID . . . . . . . . . . . : 437823749
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-29-44-B8-18-A9-05-4D-A6-10
DNS Servers . . . . . . . . . . . : 192.168.2.10
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #3
Physical Address. . . . . . . . . : 18-A9-05-4D-A6-14
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #2
Physical Address. . . . . . . . . : 18-A9-05-4D-A6-12
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 18-A9-05-4D-A6-10
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{F8A4D70D-8C1B-47F4-BF6F-F74C2B24B200}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{C4914394-268E-4F2A-B614-F4283694C1B0}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{216A6FAF-83AE-4528-A698-8C283A7DF622}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{E2BEABFE-09DE-4BE3-97E8-DD89A18E8808}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:c2e:c6e:3f57:fbfc(Preferred)
Link-local IPv6 Address . . . . . : fe80::c2e:c6e:3f57:fbfc%18(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
C:\Users\Administrator>
Thursday, October 20, 2011 9:28 AM
Now I'm able to do nslookup, but this is what I have encountered from the Web Server:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>nslookup
Default Server: DCandDNSServer.somedomain.com
Address: 192.168.2.10
> DCandDNSServer
Server: DCandDNSServer.somedomain.com
Address: 192.168.2.10
*** DCandDNSServer.somedomain.com can't find DCandDNSServer: Server failed
>
Monday, October 24, 2011 2:37 AM
Hi, now I am able to resolve my DCandDNS Server from nslookup, but I'm still unable to join the Web Server to the domain. Here's the error when I tried joining the domain:
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "somedomain.com":
The query was for the SRV record for _ldap._tcp.dc._msdcs.somedomain.com
The following domain controllers were identified by the query: DCandDNSServer.somedomain.com
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
Funny, as I thought the DC and the DNS servers were running?
Monday, October 24, 2011 3:33 AM
Hi, now I am able to resolve my DCandDNS Server from nslookup, but I'm still unable to join the Web Server to the domain. Here's the error when I tried joining the domain:
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "somedomain.com":
The query was for the SRV record for _ldap._tcp.dc._msdcs.somedomain.com
The following domain controllers were identified by the query: DCandDNSServer.somedomain.com
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
Funny, as I thought the DC and the DNS servers were running?
This goes back to firewall blocks or the necessary ports have not been allowed. Can you list out the ports you have allowed for all TCP and UDP ports, please?
Ace Fekay
Monday, October 24, 2011 6:20 AM
I have opened these ports based on this website http://support.microsoft.com/kb/179442:
TCP / UDP: 53
TCP: 389
TCP: 636
TCP: 3268, 3269
TCP / UDP: 88
TCP: 135
UDP: 123
TCP/ UDP: 464
TCP: 9389
UDP: 137
TCP: 139
TCP: 1024-5000
TCP: 49152-65535
TCP: 445
TCP:5722
TCP: 138
TCP: 42
Not sure if I have missed out anything else...
Thanks in advance.
Monday, October 24, 2011 7:13 AM
Looks like we'll also need:
- UDP 1024-5000
- UDP 49152-65535
Ace Fekay
Monday, October 24, 2011 8:45 AM
I have opened these ports in the firewall but still can't join the domain. One thing I did notice is that when I try to ping the DC/DNS server using the command prompt on the Web Server, this is what I get:
>ping DCandDNSServer
>Pinging DCandDNSServer.somedomain.com [10.158.2.102] with 32 bytes of data:
>Request timed out.
But when I do nslookup
>nslookup DCandDNSServer
>Name: DCandDNSServer.somedomain.com
>Addresses: 10.158.2.101
10.158.2.102
192.168.2.10
Are the above results expected and related to the multihomed DC you are referring to? Sorry if I sound confusing.
Monday, October 24, 2011 1:34 PM
The previous list you posted didn't show these two UDP ranges listed, only the TCP ranges. Please review the following to make sure all ports have been added:
Protocol Port
TCP 25
TCP 42
TCP 135
TCP 137
TCP 139
TCP and UDP 389
TCP 636
TCP 3268
TCP 3269
TCP and UDP 88
TCP and UDP 53
TCP and UDP 445
TCP 9389
TCP 5722
TCP and UDP 464
UDP 123
UDP 137
UDP 138
UDP 67
UDP 2535
TCP & UDP 1025-5000
TCP & UDP 49152-65535
If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:
TCP & UDP 1024-65535
========================
Multiple IPs are one of the criteria that define a multihomed DC, and they are problematic for a DC. Please review my blog posted above in this thread for more specifics.
Pings require "ICMP Echo Response" to be opened. The ping timeouts are expected behavior if:
- ICMP is being blocked either on the firewall, on the DC, and/or on the web server.
- A third-party antivirus program will block it, too. If there is an antivirus program, it's suggested to uninstall it until the problem is resolved.
- Multihoming, where the incorrect default gateway or interface on the DC is responding due to an incorrect default route or interface binding order.
Nslookup will resolve all IPs a host has, up to the EDNS0 byte limit. If you press the up arrow and hit Enter again, you will see the result order rotate. Even though it is resolving, it is only part of the troubleshooting steps.
In summary, something is obviously affecting AD communications. It's either a multihoming, firewall block, or antivirus software blocking it on the web server and/or DC.
Ace Fekay
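The PortQry advice in Ace Fekay's first reply and the full port table in his last one can be checked from the web server with nothing but .NET sockets, which matters here because the hosts in the thread run Windows 6.1 (Server 2008 R2 / Windows 7), where Test-NetConnection does not exist. The PowerShell below is an added example, not code from the thread or from PortQry; it assumes the DC's PROD address from the thread (192.168.2.10), a 2-second timeout, and a firewall that silently drops blocked packets (a drop shows as FILTERED, a TCP reset as NOT LISTENING, matching PortQry's vocabulary). For UDP a plain connect proves nothing, so the script sends a real DNS query for the _ldap._tcp.dc._msdcs SRV record to UDP 53 and checks for a matching reply; the other UDP ports in the table (88, 123, 137, 138, 389, 464) would each need their own protocol-specific probe, which is what PortQry does for the services it knows.

```powershell
# Added example (not from the thread or PortQry). Assumptions: DC PROD address as
# posted; blocked traffic is dropped, not rejected; 2-second timeout per port.
param(
    [string]$Dc        = '192.168.2.10',                          # from the thread
    [string]$SrvRecord = '_ldap._tcp.dc._msdcs.somedomain.com',   # from the thread
    [int]$TimeoutMs    = 2000
)

# Single TCP ports from the table posted above. The dynamic RPC ranges are deliberately
# left out: nothing listens on a given port there until TCP 135 hands it out.
$tcpPorts = 25, 42, 53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 9389

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        # No SYN/ACK and no RST within the timeout: a firewall is dropping the packets.
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout)) { return 'FILTERED (timeout)' }
        $client.EndConnect($async)        # throws on RST (connection refused)
        return 'LISTENING'
    } catch {
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        return "NOT LISTENING ($($ex.Message))"
    } finally {
        $client.Close()
    }
}

function Test-Dns53Udp {
    param([string]$Target, [string]$Name, [int]$Timeout)
    # Minimal DNS query: ID 0x1234, flags RD=1, QDCOUNT=1, then QNAME / QTYPE=SRV(33) / QCLASS=IN(1).
    $hdr   = 0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    $qname = foreach ($label in $Name.TrimEnd('.') -split '\.') {
        [byte]$label.Length
        [System.Text.Encoding]::ASCII.GetBytes($label)
    }
    $query = [byte[]]($hdr + $qname + @(0x00, 0x00, 0x21, 0x00, 0x01))

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $Timeout
    try {
        [void]$udp.Send($query, $query.Length, $Target, 53)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $resp   = $udp.Receive([ref]$remote)
        # Same transaction ID back with the QR bit set means a DNS server answered on UDP 53.
        if ($resp.Length -ge 12 -and $resp[0] -eq 0x12 -and $resp[1] -eq 0x34 -and ($resp[2] -band 0x80)) {
            $ancount = ($resp[6] -shl 8) -bor $resp[7]
            return "LISTENING ($ancount answer record(s) for $Name)"
        }
        return 'unexpected reply (not a DNS response to our query)'
    } catch {
        return 'FILTERED (no reply within timeout)'
    } finally {
        $udp.Close()
    }
}

"Probing $Dc from $env:COMPUTERNAME (timeout $TimeoutMs ms)"
foreach ($p in $tcpPorts) {
    '{0,-10} {1}' -f "TCP $p", (Test-TcpPort -Target $Dc -Port $p -Timeout $TimeoutMs)
}
'{0,-10} {1}' -f 'UDP 53', (Test-Dns53Udp -Target $Dc -Name $SrvRecord -Timeout $TimeoutMs)
```

Read the output the way Ace reads PortQry: FILTERED on TCP 135, 389, 445 or 88 is the firewall and explains "no domain controllers could be contacted" even when DNS resolves; NOT LISTENING means the packet reached the DC but no service is bound there (TCP 42 with no WINS installed is the harmless case from this thread). The dynamic RPC ranges (1024-5000 on older Windows, 49152-65535 from Vista/2008 on) cannot be usefully probed port by port, so either allow the whole range the DC uses or pin AD's RPC endpoint to a fixed port in the registry before locking the firewall down.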