IPv4 root hints being removed in the presence of an IPv6 enabled Domain Controller

Question

Hello,

Still trying to reproduce the conditions however it appears that our IPv4 root hints have been removed and in place have been only IPv6. We have 1 IPv6 enabled domain controller while the others only had link local, default IPv6 configuration.

Eventually, the IPv4 root hints are gone and we are left with only IPv6. Restarting the DNS service did not fix it and clicking resolve on the record did not bring them back. I had to manually re-enter or copy them from a server that only had the IPv4.

Why is this happening? I have heard there is a bug that was introduced in January 2018 with this issue that affects both server 2012/R2 and 2016 but I cannot find any official documentation from Microsoft on this behavior. Any info?

Answer 1

I have done more investigation and think i have got closer to the cause of this.

When i disable netmask ordering ALL my issues are instantly resolved, I can correctly populate the root hints using copy and specifying any DNS server say 8.8.8.8 or a.root-servers.net.

On a server with IPv6 disabled on the adapters it will load IPv4 root hints correctly (it was previously only loading IPv6 addresses)
On a server with IPv4 and 6 enabled it will load both IPv4 and IPv6 variants correctly (it was previously only loading IPv6 addresses)

This also fixed unresolvable address like www.bing.com that were not resolving when I had root hints disabled too.

This is not a root-hints bug - this is a bug in the netmask ordering logic IMHO.

tl;dr make sure the highlighted is disabled, hope this work for y'all too

Answer 2

I have this issue on all Windows Server 2016 and 2019 domain controllers.

Add a scheduled task with the PowerShell code below. When setting up the file to execute the call PowerShell as the program and -File [file path] for command args. Ensure you setup the script to run once the DNS has started, e.g. when the Event ID 2 has been written, meaning "DNS Started" (see image).

Ignore whatever it says as the root hints in the DNS server client UI Properties tab. That list won't reflect the values created by the script. As soon as the script runs the DNS will begin using the root hints.

For your script:

Get-DnsServerRootHint | Remove-DnsServerRootHint -Confirm: $false -Force

@(
    @{DomainName="a.root-servers.net"; Ipv4Address="198.41.0.4"; Ipv6Address="2001:503:ba3e::2:30";},
    @{DomainName="b.root-servers.net"; Ipv4Address="199.9.14.201"; Ipv6Address="2001:500:200::b";},
    @{DomainName="c.root-servers.net"; Ipv4Address="192.33.4.12"; Ipv6Address="2001:500:2::c";},
    @{DomainName="d.root-servers.net"; Ipv4Address="199.7.91.13"; Ipv6Address="2001:500:2d::d";},
    @{DomainName="e.root-servers.net"; Ipv4Address="192.203.230.10"; Ipv6Address="2001:500:a8::e";},
    @{DomainName="f.root-servers.net"; Ipv4Address="192.5.5.241"; Ipv6Address="2001:500:2f::f";},
    @{DomainName="g.root-servers.net"; Ipv4Address="192.112.36.4"; Ipv6Address="2001:500:12::d0d";},
    @{DomainName="h.root-servers.net"; Ipv4Address="198.97.190.53"; Ipv6Address="2001:500:1::53";},
    @{DomainName="i.root-servers.net"; Ipv4Address="192.36.148.17"; Ipv6Address="2001:7fe::53";},
    @{DomainName="j.root-servers.net"; Ipv4Address="192.58.128.30"; Ipv6Address="2001:503:c27::2:30";},
    @{DomainName="k.root-servers.net"; Ipv4Address="193.0.14.129"; Ipv6Address="2001:7fd::1";},
    @{DomainName="l.root-servers.net"; Ipv4Address="199.7.83.42"; Ipv6Address="2001:500:9f::42";},
    @{DomainName="m.root-servers.net"; Ipv4Address="202.12.27.33"; Ipv6Address="2001:dc3::35";}
) | 
ForEach-Object {
    Add-DnsServerRootHint -NameServer $_.DomainName -IPAddress $_.Ipv4Address;
    Add-DnsServerRootHint -NameServer $_.DomainName -IPAddress $_.Ipv6Address;
}

For your scheduled task:

F