Troubleshoot Windows DNS Problems

DNS is one of the most critical services running on your network. Here's what to do when DNS isn't working on your Windows systems.

 By Jabez Gan
Page 1 of 2
Print Article

In any enterprise, DNS services are a crucial backbone for network connectivity. DNS is used for name resolution, allowing one client to locate another client. If DNS fails, it will disrupt connectivity to the Internet. In this article, we'll consider some common issues caused by misconfiguration of DNS.

Incorrect Configuration of Primary/Secondary Zones

Creating a new zone, whether primary or secondary, is just a matter of few clicks. However there are other settings that you might want to check to ensure that DNS is working properly.

Zones are not replicating

You have created a new zone, but for some reason it is not replicating with the primary zone. There might be many reasons for this, but here are some possibilities:

  • Zone Transfers are enabled and the secondary DNS server IP is not specified. As a best practice, it is always recommended to specify the IP addresses of the servers that will need to download the zone data from the primary zone. See Figure 1.
  • Secure Dynamic Updates are enabled, and the secondary zone does not have Active Directory DNS Integrated Zones configured. Secure Dynamic Updates only works if both DNS servers are running in Active Directory Integrated DNS Zones. If either the DNS server is not on Active Directory Integrated DNS Zones, or running on BIND (Linux), then Dynamic Updates need to be set to Non-Secure. See Figure 2.
Zone Transfer.png
Figure 1: Zone Transfers is enabled and only replicating to a specific server.
Dynamic Updates - secure.png
Figure 2: Dynamic Updates is set to Secure by default for Windows Server DNS.

Users are not able to do DNS queries from your DNS Server

You have done the basic troubleshooting, and users were able to ping to the DNS server with response. However when they tried to query specific DNS zones which is hosted on your DNS server, it fails. In this case, you might want to check:

  • The "Everyone" group does not have read permission for the zone. Due to misconfiguration, the "Everyone" group might not have the necessary permission entries for the DNS zone. See Figure 3.
Figure 3: Everyone group has permission to read and list the content of the Zone
This article was originally published on May 20, 2011
Get the Latest Scoop with Networking Update Newsletter