Question
Monday, November 18, 2019 1:52 PM
Good day
A DNS query for a BPA issue on my dashboard.
I cannot resolve this matter as it is being pulled up for two separate forwarding addresses on my machine.
I've been able to ping both addresses, but I am not permitted to delete them due to operational requirements.
Is there any way to resolve them at all to clear the dashboard?
Kindest regards
Darren
All replies (19)
Wednesday, November 20, 2019 8:12 AM ✅Answered
Hi ,
>>Is there any way to force a resolution or a workaround?
Internal sites are meant to be resolved internally and external sites are meant to use the forwarders to get their queries.
The BPA results and Dcdiag results just tell us there is an unresponsive forwarder.
When multiple DNS forwarders are configured, a query would only be sent to the first IP address in the list of forwarders; if that server doesn't respond within the configured timeout period (3s) it would query the second IP address in the list of forwarders.
Since the other DNS forwarders work fine, and if you indeed do not want to remove it, you could just ignore the message.
Best Regards,
Candy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
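The forwarder order and timeout behaviour described in this answer can be checked per forwarder from the DNS server itself. The script below is an added example, not part of the original thread; `$ProbeName` and `$BackupFile` are assumed values, and a forwarder that only serves private zones should be probed with a name it is expected to resolve.

```powershell
# Added example: run in an elevated session on the DNS server (DnsServer module).
# $ProbeName is an assumed test name; pick one each forwarder is expected to resolve.
$ProbeName  = 'www.microsoft.com'
$BackupFile = "$env:TEMP\dns-forwarders-backup.txt"   # hypothetical path

$config = Get-DnsServerForwarder
"Forwarding timeout: {0}s; fall back to root hints: {1}" -f $config.Timeout, $config.UseRootHint

# Keep a copy of the current list before changing anything.
$config.IPAddress | ForEach-Object { $_.ToString() } | Set-Content -Path $BackupFile

$position = 0
$results = foreach ($ip in $config.IPAddress) {
    $position++
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Query the forwarder directly; -DnsOnly disables LLMNR/NetBIOS fallback.
        $answer = Resolve-DnsName -Name $ProbeName -Type A -Server $ip.ToString() `
                      -DnsOnly -ErrorAction Stop
        $status = 'OK'
        $detail = '{0} record(s) returned' -f @($answer).Count
    } catch {
        # Covers timeouts as well as error responses such as SERVFAIL or REFUSED.
        $status = 'FAILED'
        $detail = $_.Exception.Message
    }
    $timer.Stop()
    [pscustomobject]@{
        Position  = $position
        Forwarder = $ip.ToString()
        Status    = $status
        Millisec  = [int]$timer.ElapsedMilliseconds
        Detail    = $detail
    }
}
$results | Format-Table -AutoSize

# Forwarders are tried in list order, so a failure near the top of the list
# costs a timeout on forwarded queries; one near the bottom is rarely reached.
$failed = $results | Where-Object Status -eq 'FAILED'
foreach ($entry in $failed) {
    # -WhatIf only previews the change; drop it to actually remove the forwarder.
    Remove-DnsServerForwarder -IPAddress $entry.Forwarder -WhatIf
}
```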
Wednesday, November 20, 2019 8:48 AM ✅Answered
Hi Darren,
>>Would there be any issues in removing the unresponsive forwarders from the list? If it is unresponsive, does that mean it is not doing anything at all and is functionally useless?
There is no impact on removing the unresponsive forwarders. As you said, unresponsive forwarders are functionally useless. Don't worry about it.
Best Regards,
Candy
Monday, November 25, 2019 6:58 AM ✅Answered
Hi ,
Please remove those 4 forwarders and it will not affect your environment.
Note: since this is a public forum, everyone could view your information, please remove private information that might leak your privacy.
Best Regards,
Candy
Tuesday, November 19, 2019 3:03 AM
Hi ,
>>I cannot resolve this matter as it is being pulled up for two separate forwarding addresses on my machine.
What did you mean by two separate forwarding addresses on your machine?
Unresponsive forwarders can cause delays and failures in DNS resolution.
Did you have any issues when you resolve DNS internally or externally?
If everything works fine and you do not want to delete the forwarder IP address in the Edit Forwarders dialog box, I would suggest you ignore the BPA output but focus on users' lookup problems.
Best Regards,
Candy
Tuesday, November 19, 2019 6:05 AM
Hi there Candy
Thanks for the reply.
On my server dashboard, I get 2x DNS BPA warnings, for a separate IP address each for the title error.
I can't determine from my side and access as to any delays or failures in DNS resolution etc. Network monitoring etc. is handled separately - is there anything I can look for from within server?
Kindest regards
Darren
Tuesday, November 19, 2019 6:32 AM
Hi Darren,
>>is there anything I can look for from within server?
Please use nslookup command to check domain resolution.
For more details about Nslookup, you could refer to the following link:
If this DNS server is also a DC, you could also run dcdiag /test:dns to check DNS health.
For your reference:
Dcdiag for DNS: Test details explained
If everything works fine, you could just ignore the BPA errors.
Best Regards,
Candy
Tuesday, November 19, 2019 8:40 AM
Hi there Candy
I got this when running NSLOOKUP versus www.google.com. I ran it off my DC2 (which is in a load balance with DC1).
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>nslookup www.google.com
Server: **DC1 FQDN**
Address: **DC 1 IP address**
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name: www.google.com
Address: 216.239.38.120
C:\Windows\system32>
I'm not sure why it pulled up DC1's IP and FQDN when running it, especially since I ran it from DC2, which is also a DNS server.
For DCDIAG /TEST:DNS I got the following (also running on DC2):
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = **DC2**
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: **SITE**\**DC2**
      Starting test: Connectivity
         ......................... **DC2** passed test Connectivity
Doing primary tests
   Testing server: **SITE**\**DC2**
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... **DC2**2 passed test DNS
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : **DOMAIN**
   Running enterprise tests on : **DOMAIN**
      Starting test: DNS
         Summary of test results for DNS servers used by the above domain controllers:
            DNS server: **IP ADDRESS OF ONE OF THE FAILED FORWARDERS** (<name unavailable>)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server **IP ADDRESS OF ONE OF THE FAILED FORWARDERS**
         ......................... **DOMAIN** passed test DNS
C:\Windows\system32>
So I see that one of the two IP addresses given is listed in dcdiag, but not the other.
Am I missing something?
Kindest regards
Darren
Tuesday, November 19, 2019 9:54 AM
Hi ,
>>IP ADDRESS OF ONE OF THE FAILED FORWARDERS
According to the message, there is something wrong with your forwarder address.
Please delete the unresponsive forwarder and add a validated IP address.
The forwarders tab in DNS Manager is the place where you would type in the DNS server addresses provided to you by your ISP so that you would have a reference point to resolve Internet Domain Names.
Like: 8.8.8.8 (Google Public DNS IP address)
Best Regards,
Candy
Wednesday, November 20, 2019 7:20 AM
Good morning Candy
Thank you very much for the feedback.
I have gone to forwarders on the DC (DC2 in this particular instance), and there are 16 forwarders listed (a mix between our environment, public, and governmental ones specified). Out of them all, 4 do not resolve (which are the governmental ones).
I do not know where the IPs connect to, function or location of machines in question, but apparently they must stay.
The IP address that failed in the test is one of the four listed. I do not know why the others that cannot resolve do not show in tests.
Is there any way to force a resolution or a workaround?
Kindest regards
Darren
Wednesday, November 20, 2019 8:37 AM
Good morning Candy
Thank you very much for your help, it has been really appreciated.
In the forwarders list, the unresponsive one is 13 out of 16 in order, the other three unresolved ones underneath it. The first forwarder is the address of the other on-prem DC.
Would there be any issues in removing the unresponsive forwarders from the list? If it is unresponsive, does that mean it is not doing anything at all and is functionally useless? Or is it serving a purpose still? I am just worried about doing that due to not having an idea on where they fit into the architecture so far. I'm worried about removing those unresponsive ones (they are all governmental ones) and then there is no resolution or connectivity/networking issues crop up. What are the ramifications of removing them?
Again, thank you for your help.
Kindest regards
Darren
Wednesday, November 20, 2019 8:55 AM
Thank you very much Candy, much appreciated!
I was worried about removing the forwarders in a live environment and things going horribly wrong!
Kindest regards
Darren
Wednesday, November 20, 2019 9:02 AM
Hi ,
You are welcome!
Removing the unresponsive forwarder has no effect on your environment.
Have a nice day!
Best Regards,
Candy
Wednesday, November 20, 2019 9:23 AM
Thanks Candy
Sorry, quick question *sigh*
I just went to remove the unresolved forwarders, where I see that the server FQDN are unable to resolve for those 4, but 2 of the 4 validate. The other two have a continuous time out even at max timeout value permissible, and an unknown error.
The test failure from dcdiag is the one that shows for the timeout.
Must I delete all that are unable to resolve the server FQDN, or just those that do not validate (and don't get that lovely green tick)?
Kindest regards
Darren
(PS sorry for the question after the fact)
Wednesday, November 20, 2019 9:39 AM
Hi ,
>> where I see that the server FQDN are unable to resolve for those 4, but 2 of the 4 validate. The other two have a continuous time out even at max timeout value permissible, and an unknown error.
If possible, could you please upload the image directly? What did you mean that the server FQDN are unable to resolve for those 4? Did you mean that query it directly using nslookup and the result is time out?
If you cannot upload the image, your account just needs to be verified. You can expedite verification by replying to this thread with your request:
>>Must I delete all that are unable to resolve the server FQDN, or just those that do not validate (and don't get that lovely green tick)?
First remove those that do not validate (don't get that lovely green tick).
>>The test failure from dcdiag is the one that shows for the timeout.
>>but 2 of the 4 validate
Did you mean that dcdiag failed result points to this validated forwarder? If yes, please remove it.
Best Regards,
Candy
Wednesday, November 20, 2019 12:46 PM
Hi there Candy
I have requested verification, but nothing since I've requested, so am waiting so I can post image.
Will advise soonest.
Kindest regards
Darren
Thursday, November 21, 2019 1:43 AM
Hi Darren,
I will wait for your updates.
In addition, I want to clarify more details.
A DNS forwarder is a DNS server that is used to forward DNS queries for external DNS names to DNS servers outside that network.
We always recommend having at least 2 working DNS servers acting as forwarders because if one fails you will still have name resolution.
If you have enough forwarders that can resolve external resources, you could just remove those useless forwarders.
Best Regards,
Candy
Monday, November 25, 2019 6:44 AM
Hi there Candy
Please find the image of the forwarders on my DC2. The first address (x.x.x.x) is for our DC1, which is on-prem with DC2 and they look at each other as first DNS entries, then secondary loopback specified. DC1 has the same forwarders list.
We also have multiple DC's across sites that also are DNS servers.
Out of the last 4 that cannot resolve, when I run nslookup for x.x.x.x and x.x.x.x they return as non existent domains, querying against the first forwarder x.x.x.x (the other DC this looks to - DC1), and x.x.x.x keeps on timing out.
The dcdiag test failure address is the x.x.x.x address.
Is there anything I must do here?
Kindest regards
Darren
Monday, November 25, 2019 10:47 AM
Hi there Candy
I have removed those 4 forwarders (I've kept the addresses in a text document just in case!) and the DNS errors have been resolved.
Thank you very much!
Kindest regards
Darren
Tuesday, November 26, 2019 1:24 AM
Hi ,
I am pleased to know that the information is helpful to you. If there is anything else we can do for you, please feel free to post in the forum.
Have a nice day!
Best Regards,
Candy