0 Votes
RobertSanders-8082 asked, AlexBalcanquall-1081 answered

IPv4 root hints being removed in the presence of an IPv6 enabled Domain Controller

Hello,

Still trying to reproduce the conditions however it appears that our IPv4 root hints have been removed and in place have been only IPv6. We have 1 IPv6 enabled domain controller while the others only had link local, default IPv6 configuration.

Eventually, the IPv4 root hints are gone and we are left with only IPv6. Restarting the DNS service did not fix it and clicking resolve on the record did not bring them back. I had to manually re-enter or copy them from a server that only had the IPv4.

Why is this happening? I have heard there is a bug that was introduced in January 2018 with this issue that affects both server 2012/R2 and 2016 but I cannot find any official documentation from Microsoft on this behavior. Any info?

Tags: windows-server-2016, windows-server-2012, windows-dhcp-dns

Just want to confirm the current situation.

Please feel free to let us know if you need further assistance.

Just want to confirm the current situation.

Please Accept as answer if the reply is helpful.
0 Votes
DSPatrick answered, RobertSanders-8082 commented

I haven't heard of this happening before. Root hints will resolve internet queries in a top-level down fashion. As a work-around you could add ISP or your favorite public DNS as forwarders. This should be slightly faster than relying solely on root hints.


--please don't forget to Accept as answer if the reply is helpful--

0 Votes
DSPatrick answered

Well, in that case I'd suggest starting a case here with product support. Only Microsoft can fix known or confirmed bugs.
https://support.microsoft.com/hub/4343728/support-for-business

The other option for you is to report it here on UserVoice.
https://windowsserver.uservoice.com/forums/295047-general-feedback

The work-around I described should solve it in the interim.



--please don't forget to Accept as answer if the reply is helpful--

0 Votes
CandyLuo-MSFT answered

Hi,

Based on my research, it seems that this issue is that DNS submits 2 different LDAP modification requests, one for A records and one for AAAA records, one immediately after the other. Since both requests modify the same AD object (RootDNSServers), the last one wins (AAAA), and the A records are overwritten in the AD zone.

It is rare that IPv6 addresses need to be added to root hints. Root hint lookup should be sufficient with IPv4 addresses alone. If not absolutely required, do not add IPv6 addresses to root hints that already have valid IPv4 addresses.

As a workaround, you can copy them from a working DNS server.

If you have a working DNS server on your domain:

Go to the domain >> right-click Properties >> Root Hints >> Copy from Server, and select a server from your domain.

If you don't have a working DNS server on the domain:

Go to the domain >> right-click Properties >> Root Hints >> Copy from Server >> select ONE OF THE ROOT HINT SERVERS from the following list
(make sure the server is reachable via ping):

https://www.iana.org/domains/root/servers

Hope this can help you.

--Please Accept as answer if the reply is helpful--

Best Regards,

Candy


1 Vote
ErikCarlseen-9003 answered, ErikCarlseen-9003 published

Microsoft has made it quite clear that they could not care less about this problem, and have no intentions of fixing it. Having a server unilaterally alter critical configuration variables in a way that massively breaks functionality across the entire domain is apparently acceptable to them, which is a reason we are moving as many systems away from Microsoft as possible. That being said, some systems can't be moved and so here is a script to fix the problem. This is provided as-is, use-at-your-own-risk, may destroy your network and your life, etc. Hope it helps you out, because Microsoft sure won't.

    @ECHO OFF

    REM *********************************************
    REM This script checks to make sure that DNS Server Root Hints match the values in this script.
    REM It does not check to ensure that these values are up-to-date.
    REM Please periodically review the official Root Hint data at this URI and update this script as needed:
    REM    http://www.internic.net/domain/named.root
    REM *********************************************

    REM To-do:
    REM 1) Re-write in PowerShell
    REM 2) Update all DNS servers in Domain or Forest.

    CALL :CheckRootDNSARecord a 198.41.0.4
    CALL :CheckRootDNSARecord b 199.9.14.201
    CALL :CheckRootDNSARecord c 192.33.4.12
    CALL :CheckRootDNSARecord d 199.7.91.13
    CALL :CheckRootDNSARecord e 192.203.230.10
    CALL :CheckRootDNSARecord f 192.5.5.241
    CALL :CheckRootDNSARecord g 192.112.36.4
    CALL :CheckRootDNSARecord h 198.97.190.53
    CALL :CheckRootDNSARecord i 192.36.148.17
    CALL :CheckRootDNSARecord j 192.58.128.30
    CALL :CheckRootDNSARecord k 193.0.14.129
    CALL :CheckRootDNSARecord l 199.7.83.42
    CALL :CheckRootDNSARecord m 202.12.27.33

    GOTO :SCRIPT_END

    REM *********************************************

    REM %1 = root server letter, %2 = expected IPv4 address,
    REM %3 = FINAL when re-checking after a repair attempt (prevents an endless retry loop)
    :CheckRootDNSARecord
    %SYSTEMROOT%\System32\DNSCMD.EXE localhost /EnumRecords /RootHints %1.root-servers.net. /Type A | FIND "%2" >NUL
    IF NOT "%ERRORLEVEL%"=="0" GOTO :FixRootDNSARecord
    ECHO %1.root-servers.net root hint A record is present.
    EXIT /b

    :FixRootDNSARecord
    IF "%3"=="FINAL" GOTO :FixRootARecordFailed
    ECHO %1.root-servers.net root hint A record is MISSING. Attempting to repair.
    %SYSTEMROOT%\System32\DNSCMD.EXE localhost /RecordAdd /RootHints %1.root-servers.net. A %2 >NUL
    IF NOT "%ERRORLEVEL%"=="0" GOTO :FixRootARecordFailed
    CALL :CheckRootDNSARecord %1 %2 FINAL
    EXIT /b

    REM Reached when DNSCMD could not add the record, or the record is still missing after the repair.
    :FixRootARecordFailed
    ECHO %1.root-servers.net root hint A record could NOT be repaired. Review DNSCMD output manually.
    EXIT /b

    REM *********************************************

    :SCRIPT_END
    ECHO Complete.
2 Votes
RobL-7392 answered, AlexBalcanquall-1081 commented

To help others in the future, as I couldn't find a solution, but stumbled upon it in trying.

Copying from another DNS server did not permanently solve the problem. Every time the DNS service restarted, it would wipe the root hints out and rewrite them as IPv6 only. After a bunch of random testing, which I won't bore you with, I found the answer to be to delete them all. Save it, restart the service. Manually add a.root-servers.net. as 198.41.0.4. Then I could manually add and resolve b-k. I tested a bunch of service restarts and then a computer restart, and the root hints are still IPv4 only.

Hope this helps someone in their searches.


They should give you a medal, my friend! This was the only way to permanently fix the issue. Microsoft describes it vaguely in the purple section on this page:
https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/root-hints-reappear-after-removed

Quote:

Microsoft does not support the removal of all root hints from a Microsoft DNS server. A Microsoft DNS server must have at least one root hint. However, you can replace the existing root hints with new root hints. When you replace root hints, the change is permanent, and the old root hints do not reappear.


Thanks, I just had this start happening 8 days ago too. Not sure why; I have noted that I get weird responses using a DNS query tool when I try and query root names from a cellular network. Sometimes I get nothing returned, sometimes I get just the AAAA record returned, and sometimes the A and the AAAA record.

I could only add the IP of each root hint server (never the name). I have not managed to resolve b-k either, so I just add them as IPv4 addresses with no names.

I think something changed in how root hints work that exacerbated this issue....

Your post helped, thanks. Thought I was going insane and looked at so many other possible causes.

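A PowerShell version of the repair RobL describes above (delete every root hint, restart DNS, re-add a.root-servers.net as 198.41.0.4, then the rest as IPv4-only entries), added here as an example and not code from any post in this thread. It assumes the DnsServer module is installed, runs elevated on the DNS server itself, and uses the IPv4 list from ErikCarlseen's script; refresh that list from the IANA page before relying on it.

```powershell
#Requires -Modules DnsServer
#Requires -RunAsAdministrator
# Added example: check the server's root hints for the expected IPv4 glue and, if any is
# missing, rebuild them IPv4-only in the order RobL describes. Addresses below are the
# IANA root-server IPv4 set quoted in this thread; verify at
# https://www.iana.org/domains/root/servers before use.
$ExpectedRoots = @{
    'a.root-servers.net.' = '198.41.0.4';     'b.root-servers.net.' = '199.9.14.201'
    'c.root-servers.net.' = '192.33.4.12';    'd.root-servers.net.' = '199.7.91.13'
    'e.root-servers.net.' = '192.203.230.10'; 'f.root-servers.net.' = '192.5.5.241'
    'g.root-servers.net.' = '192.112.36.4';   'h.root-servers.net.' = '198.97.190.53'
    'i.root-servers.net.' = '192.36.148.17';  'j.root-servers.net.' = '192.58.128.30'
    'k.root-servers.net.' = '193.0.14.129';   'l.root-servers.net.' = '199.7.83.42'
    'm.root-servers.net.' = '202.12.27.33'
}

function Get-RootHintIPv4Map {
    # name -> IPv4 glue addresses currently stored as root hints (AAAA records ignored)
    $map = @{}
    foreach ($hint in Get-DnsServerRootHint) {
        $name = $hint.NameServer.RecordData.NameServer
        $map[$name] = @($hint.IPAddress |
            Where-Object { $_.RecordType -eq 'A' } |
            ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
    }
    return $map
}

function Test-RootHintsHealthy {
    # True only if every expected root server still has its expected IPv4 glue
    $current = Get-RootHintIPv4Map
    foreach ($name in $ExpectedRoots.Keys) {
        if (-not ($current[$name] -contains $ExpectedRoots[$name])) {
            Write-Warning "Missing IPv4 root hint: $name -> $($ExpectedRoots[$name])"
            return $false
        }
    }
    return $true
}

function Repair-RootHints {
    # RobL's sequence: remove every root hint, restart DNS, add a.root-servers.net first
    # (alphabetical order does that), then the rest as IPv4-only entries. The server briefly
    # has no root hints at all, which Microsoft does not support, so run it in a maintenance window.
    foreach ($hint in Get-DnsServerRootHint) {
        Remove-DnsServerRootHint -NameServer $hint.NameServer.RecordData.NameServer -Force
    }
    Restart-Service -Name DNS
    foreach ($name in ($ExpectedRoots.Keys | Sort-Object)) {
        Add-DnsServerRootHint -NameServer $name -IPAddress ([ipaddress]$ExpectedRoots[$name])
    }
}

if (Test-RootHintsHealthy) { 'Root hints already IPv4-complete; nothing to do.' }
else { Repair-RootHints; if (-not (Test-RootHintsHealthy)) { throw 'Root hints still incomplete after repair.' } }
```

Re-run the check after a DNS service restart and a reboot, as RobL did, to confirm the IPv4 entries are not rewritten as IPv6-only again.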
0 Votes
AlexBalcanquall-1081 answered

I have done more investigation and think I have got closer to the cause of this.

When I disable netmask ordering, ALL my issues are instantly resolved; I can correctly populate the root hints using Copy from Server and specifying any DNS server, say 8.8.8.8 or a.root-servers.net.

On a server with IPv6 disabled on the adapters, it will load IPv4 root hints correctly (it was previously only loading IPv6 addresses).
On a server with IPv4 and IPv6 enabled, it will load both IPv4 and IPv6 variants correctly (it was previously only loading IPv6 addresses).

This also fixed unresolvable addresses like www.bing.com that were not resolving when I had root hints disabled too.

This is not a root-hints bug; this is a bug in the netmask ordering logic IMHO.

tl;dr make sure the highlighted setting (netmask ordering) is disabled; hope this works for y'all too.
