I’ve personally seen quite a few times where editing an existing local conditional forwarder and ticking the AD-integrated checkbox causes the forwarder to no longer respond to requests on only the DC where the change was made. Nslookup shows queries that should follow the forwarder fail with “non-existent domain” or nxdomain. Restarting the DNS Server service usually fixes it. I’ve been burned by it enough over the years it’s just ingrained to restart the service any time I make changes to a conditional forwarder. Seen it on every OS 2008 R2 through 2016 spanning multiple organizations. There’s a bug in there somewhere.
DNS Conditional Forwarder stops working as soon as it's Domain Replicated
I have a very strange situation in which when I create a Conditional Forwarder on a DC, it works great, but only if it's a standalone forwarder on that 1 DC.
If I then domain-replicate it, it no longer works, EVEN on that original DC.
I have PTR records created for the forwarder NS and that name shows correctly in the forwarder IP settings.
Again, it works with no issue, as long as it's not replicated.
Has anyone seen this before?
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.
To know the issue more clearly, please confirm the following information:
What did you configure the DNS Conditional Forwarder to do? For a trust creation or other purpose?
What's the error message when the Conditional Forwarder stops working?
How many DCs do you have, and does the replication work well?
Dcdiag /v >c:\dcdiag1.log
Repadmin /showrepl >C:\repl.txt
Repadmin /showrepl *
I set up the forwarder the same as I have at any other company.
Right-click "Conditional Forwarder" --> give it the FQDN (DOMAIN.INT), and I add the NS records authoritative for DOMAIN.INT into the forwarder settings.
I created the PTR records for them so they show correctly in FQDN format; all checks are GREEN in the GUI.
It works great as long as I don't replicate it.
As soon as I replicate it, the forwarder no longer works.
I confirmed that as soon as I domain-replicated it, all of my 8 DCs picked up the change, so I don't think it's a replication issue.
I have never seen anything like this. It's almost as if there is a setting preventing conditional forwarders from working.
The catch-all forwarders work just fine (External DNS), and we are NOT blocking recursion or anything.
@MIkeFi Did you end up finding a solution to this? Facing the exact same issue. :(
- Check if DNSSEC is ON or OFF.
- If it is ON, go here
Key Name: EnableDnsSec
- Change the key to 0.
- May have to reboot.
- Run: resolve-dnsname catalog.s.download.windowsupdate.com -server 127.0.0.1
- If you can now resolve and your forwarders are working, then you've verified it is 1 of many moving pieces.
- Now put everything back the way you found it.
- My environment is in AZURE, with 2 DNS Servers, and NO Active Directory integration.
- We ended up removing the trust anchors for now.
Get-DnsServerTrustAnchor -Name . | Remove-DnsServerTrustAnchor -Force
(Before you do the above, ask Microsoft's whthefuge)
- If it is off, then it is something else.
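To narrow down which DC the forwarder is actually failing on (the first comment notes it is usually only the DC where the change was made) and to capture the DNSSEC state the answer above asks about in the same pass, here is an added diagnostic script. It is not from this thread; it assumes the RSAT DNS and ActiveDirectory modules on the admin workstation, and `DOMAIN.INT` / `host.DOMAIN.INT` are placeholders for the forwarded zone and a name that should resolve through it.

```powershell
# Added example, not code from the thread. Queries every DC for the conditional
# forwarder's storage mode, then sends a test query to that DC and records the result.
param(
    [string]$ForwardedZone = 'DOMAIN.INT',        # placeholder: the conditional forwarder zone
    [string]$TestName      = 'host.DOMAIN.INT',   # placeholder: a name that must resolve via it
    [switch]$RestartDnsOnFailure                  # apply the service-restart workaround from the comment
)

$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    # 1. How is the forwarder zone stored on this DC: local file or AD-integrated?
    $fwd = Get-DnsServerZone -ComputerName $dc -ErrorAction SilentlyContinue |
           Where-Object { $_.ZoneType -eq 'Forwarder' -and $_.ZoneName -eq $ForwardedZone }
    $scope = if (-not $fwd) { 'MISSING' }
             elseif ($fwd.IsDsIntegrated) { "AD ($($fwd.ReplicationScope))" }
             else { 'local' }
    $masters = ($fwd.MasterServers | ForEach-Object { $_.IPAddressToString }) -join ','

    # 2. Does a query for the forwarded zone succeed when sent directly to this DC?
    #    -DnsOnly skips the local hosts file and cache so the DC really answers.
    try {
        $null   = Resolve-DnsName -Name $TestName -Server $dc -DnsOnly -ErrorAction Stop
        $result = 'OK'
    } catch {
        $result = "FAIL: $($_.Exception.Message)"   # an NXDOMAIN answer lands here
    }

    # 3. DNSSEC state on this DC (EnableDnsSec property name is assumed; null = not reported).
    $dnssec  = (Get-DnsServerSetting -ComputerName $dc -All -ErrorAction SilentlyContinue).EnableDnsSec
    $anchors = @(Get-DnsServerTrustAnchor -Name . -ComputerName $dc -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        DC = $dc; Forwarder = $scope; Masters = $masters
        Query = $result; EnableDnsSec = $dnssec; RootTrustAnchors = $anchors
    }

    # Optional workaround: restart the DNS Server service only on DCs whose query failed,
    # then re-test so the output shows whether the restart cleared it.
    if ($result -ne 'OK' -and $RestartDnsOnFailure) {
        Invoke-Command -ComputerName $dc -ScriptBlock { Restart-Service -Name DNS }
        $retry = Resolve-DnsName -Name $TestName -Server $dc -DnsOnly -ErrorAction SilentlyContinue
        Write-Host ("{0}: after restart -> {1}" -f $dc, $(if ($retry) { 'OK' } else { 'still failing' }))
    }
}
```

Run it once before and once after ticking the AD-integrated box; a DC that shows `Forwarder = AD (...)` with `Query = FAIL` while the others show `OK` matches the behaviour described in this thread, and the trust-anchor count tells you whether the DNSSEC angle applies before you touch anything.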