DNS server failure
Internal DNS down — authentication fails, applications can't find services, mail flow breaks. AD-integrated DNS is especially critical because domain controllers are located through its SRV records.
Indicators
- Clients can't resolve internal names
- External resolution fails (forwarders not working)
- AD authentication failing because SRV records can't be located
- DNS service stopped on a DC
- DNS scavenging removed live records (rare but devastating)
Likely causes
- DNS service crashed / stopped
- Forwarder server unreachable
- Zone replication broken between DCs
- Aggressive scavenging removed records
- Conditional forwarder pointing at retired server
Diagnostic steps
- Test resolution from a client: nslookup of an internal A record explicitly against the DNS server
- Verify the DNS Server service is running on every DC; restart it if hung
- Test the forwarder: nslookup an external name directly against the forwarder (nslookup <external name> <forwarder>)
- Check zone replication: zones must be AD-integrated, replicating with the rest of the directory
- Audit conditional forwarders and forwarders for stale targets
- Validate scavenging settings — never aggressive in volatile environments
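As an added example (not part of the original runbook), the following PowerShell script runs the six checks above against every domain controller in the domain. The internal record name, the external test name and the 7-day scavenging floor are assumptions to replace with your own values.

```powershell
#Requires -Modules DnsServer, ActiveDirectory
# Added example, not part of the original runbook. Placeholders are assumptions:
# point $InternalRecord at a known-good A record in your own zone.
param(
    [string]$InternalRecord = 'fs01.corp.example',  # assumed internal A record
    [string]$ExternalName   = 'www.microsoft.com',  # any stable public name
    [int]$MinScavengeDays   = 7                     # assumed floor for NoRefresh+Refresh
)

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    "==== $dc ===="

    # Step 1: resolve a known internal record explicitly against this DC
    try   { $a = Resolve-DnsName -Name $InternalRecord -Server $dc -Type A -ErrorAction Stop
            "internal A  : OK ($($a.IPAddress -join ', '))" }
    catch { "internal A  : FAIL ($($_.Exception.Message))" }

    # Step 2: DNS Server service state (CIM works from Windows PowerShell and PowerShell 7)
    $svc = Get-CimInstance Win32_Service -Filter "Name='DNS'" -ComputerName $dc -ErrorAction SilentlyContinue
    "DNS service : " + $(if ($svc) { $svc.State } else { 'UNREACHABLE' })

    # Step 3: query each configured forwarder directly, bypassing the DC
    foreach ($fwd in (Get-DnsServerForwarder -ComputerName $dc).IPAddress) {
        $ok = [bool](Resolve-DnsName -Name $ExternalName -Server $fwd -ErrorAction SilentlyContinue)
        "forwarder   : $fwd -> " + $(if ($ok) { 'OK' } else { 'FAIL' })
    }

    # Step 4: file-backed primary zones do not replicate with the directory
    $zones = Get-DnsServerZone -ComputerName $dc
    $zones | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and -not $_.IsAutoCreated } |
        ForEach-Object { "zone        : $($_.ZoneName) is file-backed, not AD-integrated" }

    # Step 5: conditional forwarders whose master servers no longer answer on 53 (retired targets)
    foreach ($cf in ($zones | Where-Object ZoneType -eq 'Forwarder')) {
        foreach ($ms in $cf.MasterServers) {
            if (-not (Test-NetConnection -ComputerName $ms -Port 53 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
                "cond. fwd   : $($cf.ZoneName) -> $ms not answering on 53 (stale target?)"
            }
        }
    }

    # Step 6: scavenging enabled with a short window is the 'live records deleted' risk
    $sc = Get-DnsServerScavenging -ComputerName $dc
    $window = $sc.NoRefreshInterval + $sc.RefreshInterval
    if ($sc.ScavengingState -and $window.TotalDays -lt $MinScavengeDays) {
        "scavenging  : ON, NoRefresh+Refresh = $($window.TotalDays) days (below $MinScavengeDays-day floor)"
    } else { "scavenging  : " + $(if ($sc.ScavengingState) { "on, window $($window.TotalDays) days" } else { 'off' }) }
}
```

Run it from a management host with RSAT installed; any FAIL, UNREACHABLE or stale-target line maps directly to one of the likely causes listed earlier.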
Resolution path
- Restore DNS service on at least one DC
- Repair forwarders / conditional forwarders
- Re-create any missing critical records
- Verify resolution end-to-end before declaring resolved
Prevention
- Two DNS servers, both on every client (DHCP / GPO managed)
- Conservative scavenging (or off) for static-record environments
- Conditional forwarder cleanup as part of decommissioning checklist
- DNS health monitoring (resolve a known record every minute)
Tools
- DNS Manager
- nslookup, Resolve-DnsName
- PowerShell DnsServer module: Get-DnsServerForwarder, Get-DnsServerZone, Get-DnsServerScavenging
- Wireshark for resolution path tracing
References
- Microsoft Learn — DNS troubleshooting
- Microsoft Learn — DNS scavenging best practice