I have a single DC running in Hyper-V.  This was migrated from an old Essentials (SBS).  I think that may be part of the issue here.

Host Server is just a workgroup server/stand alone.  The Hyper-V is a 2019 Standard.  It's all pretty vanilla, just running AD, File/Print, and one or two small apps for a very small domain.

Server IP is 10.1.10.7 / Subnet is set to 255.255.255.0 / DNS is 127.0.0.1

DNS Logs are throwing:

Event ID 407 - DNS Server could not bind a User Datagram Protocol (UDP) socket to 10.1.10.7.

Event ID 408 - The DNS Server could not open socket for address 10.1.10.7.  Verify that this is a valid IP address for the server computer.  If it is NOT valid use the interfaces dialog under server properties in the DNS Manager to remove it from the list of IP interfaces.  Then stop and restart the DNS server...

Event ID 404 - The DNS Server could not bind a Transmission Control Protocol (TCP) socket to address 10.1.10.7.  The event data is the error code.  An IP address of 0.0.0.0 can indicate a valid "any address" configuration in which all configured IP addresses on the computer are available for use.

I've gone through DNS and made sure the old SBS/Essentials server was removed.  I've compared my DNS entries there to a working/good server.

In the Properties of the DNS Server | Forwarder Tab - I've got the ISP DNS listed and Google - but it cannot resolve their names.  On the Monitoring tab, simple query and recursive query both fail.

DCDiag/Test:DNS returns these errors:

the host 7608a78c-b34a-96e2-177161aeb529._msdcs.mydomain.local could not be resolved to an IP address.  Check the DNS server, DHCP, Server name, etc.  Got error while checking LDAP and RPC connectivity.  Please check your firewall settings. (note: single DC, Windows firewall is off)

TEST: Basic - Error: No LDAP connectivity.  Warning adapter [00000001] Microsoft Hyper-V Network Adapter has invalid DNS server: 10.1.10.7 (server_name.Domain.local)   Error: all DNS servers are invalid.  No host records (A or AAAA) were found for this DC

TEST: Delegations (Del) Error: DNS server:  server_name.Domain.local. IP: 10.1.10.7 [Broken delegated domain _msdcs.DOMAIN.LOCAL.]

TEST: Records registration (rreg)  Error: Record registrations cannot be found for all the network adapters.

DNS Server: 10.1.10.7 ( server_name.Domain.local)  2 test failures on this DNS server.  PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.1.10.7.  Name resolution is not functional.  _ldap._tcp.DOMAIN.LOCAL. failed on the DNS server 10.1.10.7

I've checked the specific DNS records mentioned and made sure they compared correctly to a working server's entries.  This server can ping 8.8.8.8 but cannot resolve outside DNS names; pinging www.yahoo.com for instance fails.

The virtual switch is set up as an External Network switch and set to a dedicated NIC.  The host server has its own NIC for connectivity.  I do not have the "Allow management operating system to share this network adapter" checked.



23 Replies

· · ·
m@ttshaw
Habanero
OP
m@ttshaw

Can you ping the server by its IP 10.1.10.7 from outside the Hyper-V host? This will prove that the NIC is set up correctly. Does it work if you restart the DNS service?
The most common explanation from MS is that system resources are low - check sufficient memory is free. But really I suspect there is a networking error - try resetting the NIC and IPv4 etc.

0
· · ·
tfl
Mace
OP
tfl

Sounds like that DC has another service bound to the DNS address? 

And " .mydomain.local" raises a concern - .Local is not supported on the internet (so passing a query to google will result in an error). 

0
· · ·
spicehead-c1msv
Pimiento
OP
spicehead-c1msv

Thanks for the reply

You can ping it by name or IP from another PC on the network. DNS service restart has no impact on the problem. System resources are not low, it has more than enough CPU/Memory/HDD.


0
· · ·
spicehead-c1msv
Pimiento
OP
spicehead-c1msv

How would I tell if there is another service bound to the DNS address?

0
· · ·
greggmh123
Datil
OP
greggmh123

spicehead-c1msv wrote:

How would I tell if there is another service bound to the DNS address?

You can run 

netstat -ano -p udp

to see if anything else has taken UDP port 53. Or just run 

netstat -ano

to see if it is taking TCP and/or UDP.

You may want to dump the output to a file.

netstat -ano -p udp > c:\temp\netstatresult.txt

Gregg

0
· · ·
spicehead-c1msv
Pimiento
OP
spicehead-c1msv

running "netstat -ano -p udp" gave me 2 entries for port 53:

UDP 10.1.10.7:53    *:*    3932
UDP 127.0.0.1:53   *:*   3932

10.1.10.7 is the server's assigned address and of course 127.0.0.1 is the loopback. Is this the expected output?

Running the "netstat -ano" gave me these entries for port 53:

TCP 10.1.10.7:53    0.0.0.0:0   LISTENING   3932
TCP 127.0.0.1:53   0.0.0.0:0  LISTENING  3932
TCP [::1]:53     [::]:0     LISTENING  3932
TCP [fe80:5911:3fa0:8957:649c%9]:53    [::]:0   LISTENING  3932
UDP 10.1.10.7:53   *:*   3932
UDP 127.0.0.1:53   *:*   3932
UDP [fe80:5911:3fa0:8957:649c%9]:53    [::]:0   LISTENING  3932

Thank you again!

0
· · ·
m@ttshaw
Habanero
OP
m@ttshaw

In the output it is showing that a process with ID "3932" is listening on port 53.
To find out what the process is - use Task Manager, show processes from all users and look for that PID to find out what the process is.

I suspect it will end up being the dns service which doesn't really get you anywhere, but maybe it is a different service that needs stopping.

1
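Not from the thread: an added Python example that automates what greggmh123 and m@ttshaw describe, parsing saved `netstat -ano` and `tasklist /fo csv` output to report which image owns every port-53 socket and to flag any owner that is not dns.exe (the situation events 404/407/408 point at). The sample outputs below are constructed, modelled on the lines posted above; the PIDs and images are assumptions.

```python
import csv
import io

# Constructed sample modelled on the netstat -ano rows posted in this thread:
# a healthy DC, every port-53 socket owned by PID 3932 (dns.exe).
NETSTAT_HEALTHY = """\
  TCP    10.1.10.7:53     0.0.0.0:0    LISTENING   3932
  TCP    127.0.0.1:53     0.0.0.0:0    LISTENING   3932
  TCP    [::1]:53         [::]:0       LISTENING   3932
  UDP    10.1.10.7:53     *:*                      3932
  UDP    127.0.0.1:53     *:*                      3932
"""
# Constructed sample of the failure mode behind events 404/407/408:
# another process (PID 1234) already holds UDP 53 on the server's address.
NETSTAT_CONFLICT = """\
  TCP    10.1.10.7:53     0.0.0.0:0    LISTENING   3932
  UDP    10.1.10.7:53     *:*                      1234
  UDP    127.0.0.1:53     *:*                      3932
"""
# Constructed `tasklist /fo csv` output (PID -> image name); real PIDs differ.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"lsass.exe","640","Services","0","40,000 K"
"dns.exe","3932","Services","0","120,000 K"
"svchost.exe","1234","Services","0","10,000 K"
"""

def parse_netstat(text):
    """Return (proto, local_ip, port, pid) for each socket row of `netstat -ano`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                                 # headers, blank lines
        ip, _, port = parts[1].rpartition(":")      # keeps IPv6 literals whole
        rows.append((parts[0], ip.strip("[]"), int(port), int(parts[-1])))
    return rows

def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def port_owners(netstat_text, tasklist_text, port=53, expected="dns.exe"):
    """Return (bindings, conflicts): every socket bound to `port` as
    (proto, ip, pid, image), and the subset not owned by the expected DNS process."""
    image = parse_tasklist_csv(tasklist_text)
    bindings = [(proto, ip, pid, image.get(pid, "<unknown>"))
                for proto, ip, p, pid in parse_netstat(netstat_text) if p == port]
    return bindings, [b for b in bindings if b[3].lower() != expected]
```

On a real server, feed it the contents of c:\temp\netstatresult.txt (from the `netstat -ano` redirect above) and the output of `tasklist /fo csv`; an empty conflicts list means port 53 is held only by dns.exe and the bind errors must come from elsewhere.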
· · ·
spicehead-c1msv
Pimiento
OP
spicehead-c1msv

Confirmed, the only thing running on 3932 is dns.exe - so at least we can rule that out.

Thank you for the response

0
· · ·
nhnm
Tabasco
OP
nhnm

Can you run an nslookup from the DC and manually tell it to use the Google DNS (or other ISP or public DNS server) to see if that is successful?

Like this:

nslookup www.google.com 8.8.8.8

0
· · ·
spicehead-c1msv
Pimiento
OP
spicehead-c1msv

The result of the nslookup command was:

Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
DNS request times out timeout was 2 seconds
Name: forcesafesearch.google.com
Address: 216.239.38.120
Aliases: www.google.com

0
· · ·
nhnm
Tabasco
OP
nhnm

Do you have NAT or DNS Proxy installed on the DC?

Do you have a firewall / UTM with a DNS Proxy running?

Just to verify, the DC only has one virtual NIC and one IP address right?

0
· · ·
nhnm
Tabasco
OP
nhnm

Also, the VM DC is the only DC right?

If so, can you run this and make sure all of the FSMO roles are held by the VM DC?

netdom query fsmo

0
· · ·
spicehead-c1msv
Pimiento
OP
spicehead-c1msv

We are behind a SonicWall but we aren't running any sort of DNS Proxy.
The Hyper-V DC has one virtual NIC and only one IP address
All FSMO Roles are held by the Hyper-V DC - the Host machine is not domain joined - the DC is the only server and domain controller on the network.

Thanks for all your ideas!

0
· · ·
nhnm
Tabasco
OP
nhnm

In the DNS Manager MMC on the Hyper-V DC can you go to DNS >> <server> >> Forward Lookup Zones >> right click _msdcs.mydomain.local >> properties >> Name Servers tab and make sure there is an IP address listed there for the Hyper-V DC (the actual IP and not 127.0.0.1)

- If you add the IP, try to restart DNS and see if your problem persists.

Also, in the _msdcs.rileyind.local forward lookup zone, do the SOA, NS, and CNAME records all look accurate to you?  Maybe you can post a screen shot of that zone and obfuscate any private data?

0
· · ·
spicehead-c1msv
Pimiento
OP
spicehead-c1msv

Did as you said with the RC on _msdcs.mydomain.local - it has the 10.1.10.7 listed.  I did look around in those tabs and everything there seems to be ok.

Below/attached is a screen snip of DNS


0
· · ·
nhnm
Tabasco
OP
nhnm

If you right click the server >> properties >> Interfaces tab

Does it say to listen on All IP addresses or a particular one?

It might be worth a shot to have it only listen on 10.1.10.7 - and then configure the NIC / TCP/IP settings to only use 10.1.10.7 for DNS.

0
· · ·
spicehead-c1msv
Pimiento
OP
spicehead-c1msv

Did as you suggested with the Interfaces tab, and changed NIC DNS from 127.0.0.1 to 10.1.10.7.  Restarted NetLogon and DNS Server services following that.

Results seem to be the same, can ping to internet by IP but not by name.

Thank you

0
· · ·
nhnm
Tabasco
OP
nhnm

On your DNS forwarders tab, you mentioned that you have your ISP DNS and Google listed.
Can you run an nslookup for each one listed there manually specifying the server each time?  Are the lookups successful?
like this:
nslookup www.google.com <ISP DNS IP 1>
nslookup www.google.com <ISP DNS IP 2>
nslookup www.google.com <Google DNS IP 1>
nslookup www.google.com <Google DNS IP 2>
If any of those fail, you could remove them from your forwarders list at least for a test.
Also on the forwarders tab, do you have use root hints enabled?  I would recommend disabling that.
Could you post the results of ipconfig /all (with any private addresses or info obfuscated)?
0
· · ·
spicehead-c1msv
Pimiento
OP
spicehead-c1msv

I've deselected the root hints.  Attaching the screenshots, I don't really think there is anything that private about this information.

Google NSLookup

ISP DNS Lookup of Google

IPCONFIG /ALL

Restarted DNS Server Service and NetLogon - same results so far

1
· · ·
nhnm
Tabasco
OP
nhnm

In the NIC settings:
Do you have client for microsoft networks enabled?
Can you go to the TCP/IPv6 properties and add this as the preferred DNS server:
::1
Also for your TCP/IPv4 settings
- add 127.0.0.1 as the secondary DNS server.
- Advanced >> DNS >> Is "Register this connection's addresses in DNS" checked?
......................
Also, can you have a look at these?
0
· · ·
spicehead-c1msv
Pimiento
OP
spicehead-c1msv

Sorry for delayed reply - it's been a rough couple of days.

Client for MS Networks is enabled.

Added ::1 for IPv6 DNS and Added 127.0.0.1 to IPv4 secondary DNS -- the check mark was already in "Register this connection's address in DNS"

I'll look into the hyperlinks and reply as soon as possible.

1
· · ·
spicehead-c1msv
Pimiento
OP
spicehead-c1msv

Ok, quick update, after following your steps I can now ping www.yahoo.com, www.google.com, and other domains by name, so an improvement for sure!

I checked the second  https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/verify-srv-dns-records-have-....out and everything they say to check is setup correctly and checks out.  I'll dig into the first article in a moment.

1
· · ·
spicehead-c1msv
Pimiento
OP
spicehead-c1msv

Followed first link and renamed my netlogon.dnb and netlogon.dns files to .old, restarted and then did a comparison, it DID make some small changes.  DNS is still failing the simple query and recursive query in the Properties of the DNS Server (Monitoring tab) but now I can ping to outside domains by name and actually browse the web.  So something is still not right but it's less broken.  So an improvement!  Maybe we can just live with it as it is and when we are ready to change out the DC we just rebuild the domain from scratch - painful but I can't seem to find where DNS is broken on this 1 DC domain.  Thanks for all your help... if you have any additional ideas I'll keep trying them.

1