DNS Conditional Forwarder stops working as soon as it's Domain Replicated

MIkeFi 6 Reputation points

Hi All,

I have a very strange situation in which when I create a Conditional Forwarder on a DC, it works great, but only if it's a standalone forwarder on that 1 DC.

If I then domain replicate it, it no longer works, EVEN on that original DC...

I have PTR records created for the forwarder NS and that name shows correctly in the forwarder IP settings...

Again, it works with no issue, as long as it's not replicated...

Has anyone seen this before?


5 answers

  1. ceestep 26 Reputation points

    I've personally seen quite a few times where editing an existing local conditional forwarder and ticking the AD-integrated checkbox causes the forwarder to no longer respond to requests on only the DC where the change was made. Nslookup shows queries that should follow the forwarder fail with "non-existent domain" or NXDOMAIN. Restarting the DNS Server service usually fixes it. I've been burned by it enough over the years that it's just ingrained to restart the service any time I make changes to a conditional forwarder. Seen it on every OS from 2008 R2 through 2016, spanning multiple organizations. There's a bug in there somewhere.

    5 people found this answer helpful.
    0 comments No comments

  2. Fan Fan 15,306 Reputation points Microsoft Vendor

    To understand the issue more clearly, please confirm the following information:
    What did you configure the DNS Conditional Forwarder for? For a trust creation or another purpose?
    What's the error message when the Conditional Forwarder stops working?
    How many DCs do you have, and does replication work well?

    Dcdiag /v >c:\dcdiag1.log
    Repadmin /showrepl >C:\repl.txt
    Repadmin /showrepl *

    Best Regards,

    0 comments No comments

  3. MIkeFi 6 Reputation points

    I set up the forwarder the same as I have at any other company.

    Right click "Conditional Forwarder" --> give it the FQDN (DOMAIN.INT), and I add the NS records authoritative for DOMAIN.INT into the forwarder settings.

    I created the PTR records for them so they show correctly in FQDN format; all checks are GREEN in the GUI.

    It works great as long as I don't replicate it.

    As soon as I replicate it, the forwarder no longer works.

    I confirmed that as soon as I domain replicated it, all of my 8 DCs picked up the change... so I don't think it's a replication issue.

    I have never seen anything like this. It's almost as if there is a setting preventing conditional forwarders from working.

    The catch-all forwarders work just fine (External DNS), and we are NOT blocking recursion or anything...

  4. Aiden Frearson 1 Reputation point

    @MIkeFi Did you end up finding a solution to this? Facing the exact same issue. :(

    0 comments No comments

  5. Rodrigo Melendez 0 Reputation points
    1. Check if DNSSEC is ON or OFF.
    • If it is ON, go here:

    Location: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"

    Key Name: EnableDnsSec

    • Change the key to 0.
    • You may have to reboot.
    • Run: resolve-dnsname catalog.s.download.windowsupdate.com -server
    • If you can now resolve and your forwarders are working, then you have verified one of many moving pieces.
    • Now put everything back the way you found it.
    • My environment is in AZURE, with 2 DNS Servers, and NO Active Directory integration.
    • We ended up removing the trust anchors for now.

    Get-DnsServerTrustAnchor -Name . | Remove-DnsServerTrustAnchor -Force

    (Before you do the above, ask Microsoft's whthefuge)

    2. If it is off, then it is something else.
    0 comments No comments
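The two checks the thread converges on (answer 1: the forwarder answers NXDOMAIN on one DC after being made AD-integrated, fixed by restarting the DNS Server service; answer 5: DNSSEC validation and stale trust anchors) can be run against every DC at once. The script below is an added example, not code from any poster; it assumes the RSAT DnsServer module, and the DC names, zone name and test hostname are placeholders to replace.

```powershell
# Added diagnostic example (not from the thread). Requires the DnsServer RSAT module
# and DNS/WinRM admin rights on each server. All names below are placeholders.
function Test-ConditionalForwarder {
    param(
        [string[]]$DnsServers      = @('dc1.corp.example', 'dc2.corp.example'),  # placeholder DCs
        [string]  $ForwardedDomain = 'DOMAIN.INT',                                # forwarder zone from the question
        [string]  $TestName        = 'host.DOMAIN.INT',                           # placeholder name inside that zone
        [switch]  $RestartOnFailure                                               # apply the answer-1 workaround
    )
    Import-Module DnsServer

    foreach ($server in $DnsServers) {
        # How this DC stores the forwarder: ReplicationScope None = local, Domain/Forest = AD-integrated
        $zone = Get-DnsServerZone -ComputerName $server -Name $ForwardedDomain -ErrorAction SilentlyContinue
        if (-not $zone) { Write-Warning "$server has no conditional forwarder for $ForwardedDomain"; continue }
        $masters = ($zone.MasterServers | ForEach-Object { $_.IPAddressToString }) -join ','

        # Query this DC directly for a name in the forwarded zone; NXDOMAIN here is the reported symptom
        try {
            $answer = Resolve-DnsName -Name $TestName -Server $server -Type A -DnsOnly -ErrorAction Stop
            $status = 'OK: ' + ((($answer | Where-Object Type -eq 'A').IPAddress) -join ',')
        } catch {
            $status = 'FAIL: ' + $_.Exception.Message
            if ($RestartOnFailure) {
                # Workaround reported in answer 1: restart the DNS Server service on the failing DC only
                Invoke-Command -ComputerName $server -ScriptBlock { Restart-Service -Name DNS }
            }
        }

        # DNSSEC state from answer 5: validation flag plus any trust anchors still installed
        $dnssec  = (Get-DnsServerSetting -ComputerName $server -All).EnableDnsSec
        $anchors = @(Get-DnsServerTrustAnchor -ComputerName $server -ErrorAction SilentlyContinue).Count

        [pscustomobject]@{
            Server           = $server
            ReplicationScope = $zone.ReplicationScope
            MasterServers    = $masters
            EnableDnsSec     = $dnssec
            TrustAnchors     = $anchors
            Lookup           = $status
        }
    }
}

# Example run; pipe to Format-Table to compare the DCs side by side
Test-ConditionalForwarder | Format-Table -AutoSize
```

A DC whose row shows an AD-integrated ReplicationScope with the same MasterServers as the others but a FAIL lookup matches the behaviour described in answer 1; rerun with -RestartOnFailure to confirm the service restart clears it on that DC.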