Intermittent nslookup failures on some DCs
I've got four DCs acting as DNS servers and Internet access works fine. Our Windows DNS servers are only authoritative for internal DNS and I've got two authoritative UNIX DNS servers set up as forwarders. The servers are:

dc01
  10.1.1.2 (IP)
  255.255.248.0 (Subnet)
  10.1.1.3 (Preferred DNS server)
  192.168.10.1 (Alternate DNS. This is one of the UNIX DNS servers mentioned above)

dc02
  10.1.1.3 (IP)
  255.255.248.0 (Subnet)
  10.1.1.2 (Preferred DNS server)
  127.0.0.1 (Alternate DNS)

dc03
  10.1.1.4 (IP)
  255.255.248.0 (Subnet)
  10.1.1.3 (Preferred DNS server)
  127.0.0.1 (Alternate DNS)

dc04 (this is at a different site)
  10.10.1.2 (IP)
  255.255.252.0 (Subnet)
  10.1.1.3 (Preferred DNS server)
  10.10.1.2 (Alternate DNS)

I'm getting intermittent nslookup failures on dc03 and dc04. When I do, it looks like this:

    C:\Users\mhashemi>nslookup
    Default Server:  UnKnown
    Address:  ::1

    > cnn.com
    Server:  UnKnown
    Address:  ::1

    DNS request timed out.
        timeout was 2 seconds.
    *** Request to UnKnown timed-out

I don't see any DNS errors in the event logs and ran dcdiag on dc03. Each test passed except for the following:

    Starting test: NCSecDesc
       * Security Permissions check for all NC's on DC dc03.
       The forest is not ready for RODC. Will skip checking ERODC ACEs.
       * Security Permissions Check for
         DC=DomainDnsZones,DC=domainName,DC=com
         (NDNC,Version 3)
       Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
          Replicating Directory Changes In Filtered Set
       access rights for the naming context:
       DC=DomainDnsZones,DC=domainName,DC=com
       * Security Permissions Check for
         DC=ForestDnsZones,DC=domainName,DC=com
         (NDNC,Version 3)
       Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
          Replicating Directory Changes In Filtered Set
       access rights for the naming context:
       DC=ForestDnsZones,DC=domainName,DC=com
       * Security Permissions Check for
         CN=Schema,CN=Configuration,DC=domainName,DC=com
         (Schema,Version 3)
       * Security Permissions Check for
         CN=Configuration,DC=domainName,DC=com
         (Configuration,Version 3)
       * Security Permissions Check for
         DC=domainName,DC=com
         (Domain,Version 3)
       ......................... dc03 failed test NCSecDesc

    TEST: Forwarders/Root hints (Forw)
       Recursion is enabled
       Forwarders Information:
          10.1.1.196 () [Invalid (unreachable)]
          192.168.10.2 () [Valid]

    DNS server: 10.1.0.4 (dc03.domainName.com.)
       1 test failure on this DNS server
       Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
       DNS delegation for the domain domainName.com.domainName.com. is broken on IP 10.1.0.4
       [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

    DNS server: 10.1.0.2 (dc01.domainName.com.)
       1 test failure on this DNS server
       DNS delegation for the domain domainName.com.domainName.com. is broken on IP 10.1.0.2
       [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

    DNS server: 10.1.1.196 ()
       1 test failure on this DNS server
       PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.1.1.196
       [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]

    DNS server: 10.1.0.3 (dc02.domainName.com.)
       1 test failure on this DNS server
       Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
       DNS delegation for the domain domainName.com.domainName.com. is broken on IP 10.1.0.3
       [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

    DNS server: 10.1.1.2 (dc04.domainName.com.)
       1 test failure on this DNS server
       DNS delegation for the domain domainName.com.domainName.com. is broken on IP 10.1.1.2
       [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

    DNS server: 192.168.10.2 ()
       All tests passed on this DNS server

Where am I misconfigured? Thanks.
January 25th, 2011 12:36pm

Oh yeah, I verified that each server is listed in the appropriate reverse lookup zone.
January 25th, 2011 12:42pm

Hi, you have for sure problems with the reverse lookup zone, as you can find out from the nslookup:

    C:\Users\mhashemi>nslookup
    Default Server:  UnKnown
    Address:  ::1

Default server: unknown. So check the reverse configuration. Also, do you use root hints or forwarders for Internet resolving?
January 25th, 2011 12:58pm

Hello,

---------------------------------------
Starting test: NCSecDesc
   * Security Permissions check for all NC's on DC dc03.
   The forest is not ready for RODC. Will skip checking ERODC ACEs.
   * Security Permissions Check for
     DC=DomainDnsZones,DC=domainName,DC=com
     (NDNC,Version 3)
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
---------------------------------------

The above part of your thread belongs to adprep /rodcprep NOT having been run, so I suggest running it; this doesn't create any overhead in the domain and removes the errors.

If you use forwarders in the domain, then configure them also as FORWARDERS in the DNS server properties in the DNS management console and NOT on the NIC of a DC. Talk about 192.168.10.1 and the other UNIX DNS.

Which machine is 10.1.1.196, configured as forwarder also? If it doesn't exist or isn't accessible, remove it.

If you use firewalls in between the DCs and the UNIX DNS, make sure to open ports according to: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
January 25th, 2011 12:58pm

@icecore: I don't know what else to do to ensure the reverse lookup is good. I opened the DNS MMC -> expanded Reverse Lookup Zones -> expanded the subnet and see each computer name listed.

@Meinolf Weber: To configure forwarders, I right-clicked on the server name in the DNS MMC and used the Forwarders tab. I believe 10.1.1.196 was the IP of a UNIX DNS server that is now defunct, but I don't know where it is set. It is not listed on the Forwarders tab and I don't see it anywhere in the NIC properties of any of the DCs. There are no firewalls between our DCs.
January 25th, 2011 2:55pm

It seems that you've put incorrect information into your DNS database. Correct it. You've used non-fully-qualified domain names, which are being converted to domain names by such a qualification process. Look at this line:

    DNS delegation for the domain domainName.com.domainName.com

Also change the primary DNS server to the IP address of the primary network connection.
January 25th, 2011 3:47pm

You can also try in nslookup:

    > set q=ptr
    > ipaddress of server

and see if it's resolving to the correct name.
January 25th, 2011 3:55pm

Hello,

please use the support tools and provide the following output files, including an unedited ipconfig /all from the DCs:

    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt
    ["dc*" is a place holder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)

As the output will become large, DON'T post them into the thread; please use Windows Sky Drive (with open access!) and add the link from it here. Also, the /e in dcdiag scans the complete forest, so better run it on COB.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
January 25th, 2011 4:06pm

I'm not completely comfortable posting details of our infrastructure on the Internet. I have run the commands you requested, but modified the output. All the IPs and names I changed are valid in our network. The zip file can be found here.
January 25th, 2011 5:32pm

Hello,

the output is ok that way; keep in mind that the private IP range you use is not accessible from the public.

See the article from Paul Bergson about "the account MHASHEMI755W7$@companyDNSName.COM did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.": http://blogs.dirteam.com/blogs/paulbergson/archive/2010/09/28/windows-7-2008-kerberos-default-encryption-and-windows-2003-2000.aspx

Please check about 1IIKZC1$ as mentioned in the dcdiag output: if a member machine, rejoin; if a DC, demote or clean up the AD database if it no longer exists; or remove the trust.

On DC1 10.1.1.196 is listed as forwarder, so please check this again. Also, DC1 is not able to connect correctly to the other DCs, see the RPC errors in the DNS test part of the dcdiag output. I assume this belongs to the UNIX DNS on the NIC, please remove it, meaning 192.168.0.1, and run ipconfig /flushdns, ipconfig /registerdns and restart the netlogon service or reboot it.

I am missing the repadmin output from DC1.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
January 25th, 2011 6:07pm

Hi,

Thanks for posting here. In addition to that, please also empty the primary DNS server entry in the IPv6 protocol properties on DC03 and DC04; I think this may be the cause of the nslookup result.

Thanks.
Tiger Li

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
January 25th, 2011 11:41pm

@Meinolf Weber: I understood that in our environment, event 27 is really just informational, but thanks for the link. I've implemented the solution so we'll have fewer errors in the event log. Due to some software in the environment, clients occasionally drop off the domain. I'm not worried about it. Finally, I found where 10.1.1.196 was listed and removed it. I'll try random nslookups from the various DCs over the next few days to see if the intermittent problem is resolved but I'm optimistic. @Tiger Li: That's also useful info, thanks.
January 26th, 2011 5:12pm
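The three checks the replies above ask for (the NIC DNS client entries, including the IPv6 one behind nslookup's "Address: ::1"; whether each configured forwarder actually answers, as the defunct 10.1.1.196 did not; and the "set q=ptr" reverse lookup for each DC) can be run as one script. This is an added PowerShell example, not code from the thread; it assumes the DnsClient and DnsServer modules of Windows Server 2012 or later, is run elevated on the DC itself, and uses the DC addresses quoted in the question as illustrative values.

```powershell
# Added example (not from the thread). Assumes DnsClient/DnsServer modules
# (Windows Server 2012+) and an elevated session on the DC being checked.
# DC addresses are the ones quoted in the question; substitute your own.
$DcAddresses = @('10.1.1.2', '10.1.1.3', '10.1.1.4', '10.10.1.2')
$Loopback    = @('127.0.0.1', '::1')
$ProbeName   = 'cnn.com'   # the name that timed out in the question

Write-Host '== DNS client entries per NIC (first entry is what nslookup uses) =='
foreach ($family in 'IPv4', 'IPv6') {
    $entries = Get-DnsClientServerAddress -AddressFamily $family |
               Where-Object { $_.ServerAddresses.Count -gt 0 }
    foreach ($e in $entries) {
        $first = $e.ServerAddresses[0]
        $flag  = ''
        if ($Loopback -contains $first) {
            # This is the "Default Server: UnKnown / Address: ::1" case.
            $flag = '<- loopback listed first; point at another DC'
        } elseif ($family -eq 'IPv4' -and $DcAddresses -notcontains $first) {
            $flag = '<- not a DC; move third-party DNS to the server Forwarders tab'
        }
        '{0,-28} {1,-4} {2,-38} {3}' -f $e.InterfaceAlias, $family,
            ($e.ServerAddresses -join ','), $flag
    }
}

Write-Host '== Forwarders (each must answer a recursive query on its own) =='
foreach ($fwd in (Get-DnsServerForwarder).IPAddress) {
    try {
        $null = Resolve-DnsName -Name $ProbeName -Type A -Server "$fwd" `
                    -DnsOnly -ErrorAction Stop
        "$fwd  OK"
    } catch {
        # A stale entry like 10.1.1.196 shows up here; remove it if defunct.
        "$fwd  FAILED: $($_.Exception.Message)"
    }
}

Write-Host '== PTR records for each DC (the "set q=ptr" check) =='
foreach ($ip in $DcAddresses) {
    try {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -DnsOnly -ErrorAction Stop
        "$ip  -> $($ptr.NameHost)"
    } catch {
        "$ip  -> no PTR record; add it to the reverse lookup zone"
    }
}
```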

Hi,

If there is any update on this issue, please feel free to let us know. We are looking forward to your reply.

Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
January 28th, 2011 3:57am
