I manage hundreds of servers for many customers. Most are in the SMB segment, with 1 to 3 servers per customer at most. In the past few weeks I have been getting more and more frequent DNS errors on random domain controllers, from 2008 R2 to 2016. Simply put, the DC does not resolve DNS anymore. This has happened on a dozen or so servers lately, and I haven't figured out the cause yet.
What is weird is that, for example, on the same premises there are 2 VMs, 2 domain controllers for 2 different companies, each with 15 users. Same ISP, same router, same switch. DC 1 works OK, no problems, while DC 2 cannot resolve DNS anymore:
On server 1 the problem is with the local DNS... but nslookup against 8.8.8.8 works!?:
C:\Users\Administrator>nslookup
Default Server: UnKnown
Address: ::1
> www.google.com
Server: UnKnown
Address: ::1
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
> server 8.8.8.8
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8
> www.google.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: www.google.com
Addresses: 2a00:1450:4001:81c::2004
172.217.16.68
>
On server 2 no problems:
C:\Users\Administrator>nslookup www.google.com
Server: localhost
Address: ::1
Non-authoritative answer:
Name: www.google.com
Addresses: 2a00:1450:4006:802::2004
216.58.206.132
Both are AD DCs in a single-domain setup, DNS configured with public forwarders, and each DC's DNS client points to itself only. IPv4 and IPv6 are enabled on the servers, but IPv6 is disabled on the router. I did not touch any of those servers for the past few months.
Did MS change anything? I do not remember DNS ever switching to IPv6 before... why did it switch now? And why does it work on one server and not on the other, even though they are both the same (actually, the same deployment, just configured for 2 different domains)?
There are two possible reasons for a timeout.
Use
ipconfig /all
to list the DNS servers. If they are different, correct them. If they are the same, use a packet sniffer on the server and on the router to find out what packets are sent. You should definitely NOT use a public DNS server. It can't possibly know about your Domain Controllers and which is the right server to ask anything about your domain.
It appears as though the local DNS server isn't listening on IPv6. Right-click on the server in the list on the left in the DNS Server console, select Properties, and on the Interfaces tab ensure that the server's local IPv6 address is checked or that the All IP Addresses radio button is selected.
If the IPv6 address or All IP Addresses is already selected, I'd check outbound filtering to make sure that the network's firewall isn't restricting outbound IPv6 traffic. On the network I manage, we block all DNS traffic in or out of our firewall, with the exception of our AD servers (who operate as the internal resolvers and need to connect to Quad9 DNS and can only access 9.9.9.9 and 149.112.112.112).
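The checks from both answers (which resolvers the DC uses, which addresses the DNS Server service listens on, whether ::1 behaves differently from 127.0.0.1, and whether the forwarders are reachable past the firewall) can be run in one go. This is an added diagnostic script, not code from the question or answers; it assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 R2 and later) and uses www.google.com only because the question's nslookup sessions did.

```powershell
# Added diagnostic script (not from the original thread). Run in an elevated PowerShell
# on the affected DC. Assumes the DnsServer/DnsClient modules; on 2008 R2 fall back to
# "ipconfig /all" and "dnscmd /info" for the same information.
$probeName = 'www.google.com'   # assumption: any public name the forwarders can resolve

# 1. Which resolvers the DC's own client uses (same data as ipconfig /all).
Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses | Format-Table -AutoSize

# 2. Which addresses the DNS Server service listens on (the Interfaces tab) and its forwarders.
$settings = Get-DnsServerSetting -All
"Listening on: $($settings.ListeningIPAddress -join ', ')"
$fwd = Get-DnsServerForwarder
"Forwarders  : $($fwd.IPAddress -join ', ')  (root hints fallback: $($fwd.UseRootHint))"

# 3. Exercise the same paths the nslookup sessions in the question did.
function Test-Resolver {
    param([string]$Server, [string]$Name)
    try {
        $r = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop
        [pscustomobject]@{ Server = $Server; Result = 'OK'
                           Answer = (($r | Where-Object Type -eq 'A').IPAddress -join ',') }
    } catch {
        [pscustomobject]@{ Server = $Server; Result = 'FAIL'; Answer = $_.Exception.Message }
    }
}
$results = @(
    Test-Resolver -Server '::1'       -Name $probeName   # IPv6 loopback: what nslookup picked by default
    Test-Resolver -Server '127.0.0.1' -Name $probeName   # IPv4 loopback: same DNS service, other family
)
# Ask each forwarder directly: tells a listening problem apart from outbound port-53 filtering.
foreach ($f in $fwd.IPAddress) { $results += Test-Resolver -Server $f -Name $probeName }
$results | Format-Table -AutoSize

# 4. Interpretation hints matching the two answers above.
if ($results[0].Result -eq 'FAIL' -and $results[1].Result -eq 'OK') {
    'DNS service answers on 127.0.0.1 but not ::1: check the Interfaces tab / ListeningIPAddress for the IPv6 address.'
}
if ($results | Select-Object -Skip 2 | Where-Object Result -eq 'FAIL') {
    'A forwarder is unreachable from this host: check outbound UDP/TCP 53 filtering on the firewall.'
}
```

If ::1 fails while 127.0.0.1 succeeds and every forwarder answers directly, the DNS service itself is the issue (the listening-interface case); if the forwarders also fail, the problem is on the path out, not on the DC.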