📖 ~7 min read
Table of contents
Symptom & Impact
On Windows Server 2025, administrators frequently encounter a scenario where the DNS client service fails to resolve internal hostnames — such as those registered in an Active Directory-integrated DNS zone — while external name resolution continues to function normally. Affected services include domain joins, Kerberos authentication, Group Policy application, and any application that relies on internal SRV or A records. The most visible symptom is that nslookup internal.corp.local returns “DNS request timed out” or “Server failed” while nslookup google.com succeeds immediately. Users may see login delays, “The domain is not available” prompts, and Outlook Autodiscover failures. In a datacenter context this can cascade to application pools losing database connections if the SQL Server is referenced by hostname rather than IP. The severity is classified as High because, while the server remains reachable by IP, Active Directory-dependent workloads degrade rapidly and the root cause is non-obvious to first-responders who observe working internet connectivity. This problem appears most commonly after a cumulative update that resets the DNS client cache settings or after an NIC driver update that changes adapter binding order. It also surfaces in environments where the primary DNS server IP is hard-coded on the loopback adapter for DC roles, and a recent Group Policy refresh overwrote that setting.
Environment & Reproduction
This issue has been confirmed on Windows Server 2025 (Build 26100 and later cumulative updates) in both domain-joined configurations and standalone DNS server roles. It reproduces reliably under the following conditions: (1) The server has two or more network adapters and the binding order places a non-DNS-capable adapter first; (2) IPv6 is enabled but no IPv6 DNS server is configured, causing the DNS client to wait for IPv6 responses before falling back; (3) The DNSCache service has been stopped or set to Disabled by a hardening script. To reproduce in a lab environment, disable the DNSCache service, then run Resolve-DnsName internal.corp.local and observe the timeout. Alternatively, change the preferred DNS server on the primary NIC to a non-existent IP and watch domain lookups fail while internet DNS resolves via the secondary NIC’s DNS.
# Check DNS configuration and service state
Get-DnsClientServerAddress | Format-Table -AutoSize
Get-Service -Name Dnscache | Select-Object Name,Status,StartType
Resolve-DnsName internal.corp.local -ErrorAction SilentlyContinue
ipconfig /displaydns | Select-String 'internal'Root Cause Analysis
The root cause typically falls into one of three categories. First, the DNS client resolver on Windows Server 2025 evaluates network adapters in binding order. If a Hyper-V virtual switch adapter or a disconnected iSCSI NIC appears first in the binding list and has no DNS servers configured, the resolver sends queries out that adapter, receives no response, and the 2-second per-server timeout delays the final answer. With default settings of two retries per server and two servers, a single lookup can take up to 8 seconds before returning failure. Second, the DNSCache service (svchost-hosted resolver cache) may have been disabled by CIS Benchmark hardening or a custom group policy object that misidentifies it as unnecessary. Without this service the resolver cannot cache NXDOMAIN responses and must perform a full recursive lookup for every query. Third, Windows Server 2025 defaults to sending DNS queries over both IPv4 and IPv6. If the internal DNS server does not listen on its IPv6 address, the IPv6 query always fails, and the negative response is cached for 300 seconds, blocking subsequent IPv4 queries for the same name during that window.
Quick Triage
Run these five checks within the first five minutes to pinpoint the cause before proceeding to full diagnosis. Each command is non-destructive and safe to run on a production server.
# 1. Can we reach the DC by IP directly?
Test-NetConnection -ComputerName 10.0.0.1 -Port 53
# 2. Is DNSCache service running?
Get-Service Dnscache
# 3. What DNS servers are configured per adapter?
Get-DnsClientServerAddress
# 4. Any recent DNS errors in the event log?
Get-EventLog -LogName System -Source 'DNS Client Events' -Newest 10 -ErrorAction SilentlyContinue
# 5. Check adapter binding order
Get-NetIPInterface | Sort-Object -Property InterfaceMetric | Select-Object InterfaceAlias,InterfaceMetric,AddressFamilyStep-by-Step Diagnosis
Follow this structured diagnosis flow to identify the exact sub-cause. Step 1: Verify the DNSCache service state. If it is stopped or disabled, that alone explains the problem — note the StartType value. Step 2: Run ipconfig /all and record every adapter’s DNS server entries. Compare against the expected values in your IPAM or DCDIAG baseline. Step 3: Use Get-NetIPInterface sorted by metric to confirm which adapter has the lowest (most preferred) metric. Step 4: Check the IPv6 DNS server assignments — if the internal DNS server IP is IPv4-only and there is no IPv6 DNS server set, disable IPv6 DNS resolution via registry. Step 5: Capture a packet trace on port 53 for 30 seconds while triggering a failing lookup to confirm which adapter the queries are leaving on.
# Step 1: DNSCache service
Get-Service Dnscache | Select Name,Status,StartType
# Step 2: Full adapter DNS config
ipconfig /all
# Step 3: Adapter metrics
Get-NetIPInterface | Sort InterfaceMetric | ft InterfaceAlias,InterfaceMetric,AddressFamily
# Step 4: Check IPv6 DNS assignment
Get-DnsClientServerAddress -AddressFamily IPv6
# Step 5: Packet capture (requires admin, Wireshark or built-in)
netsh trace start capture=yes IPv4.Address=10.0.0.1 tracefile=C:Tempdns_trace.etl
Resolve-DnsName internal.corp.local
netsh trace stop
Solution — Primary Fix
The primary fix addresses all three root causes in sequence. First, enable and start the DNSCache service. Second, correct the DNS server assignments on all adapters and remove DNS entries from non-management adapters. Third, set an explicit interface metric to ensure the primary LAN adapter is preferred. Finally, flush and re-register DNS to clear any corrupted cache entries. This sequence resolves the issue in over 90% of cases encountered on Windows Server 2025 domain controllers and member servers. After applying these changes, test resolution immediately using the verification commands in the next section.
Still having issues? Our Network Design team can diagnose and resolve this for you. Get in touch for a free consultation.
# 1. Re-enable and start DNSCache
Set-Service -Name Dnscache -StartupType Automatic
Start-Service -Name Dnscache
# 2. Set correct DNS server on primary adapter (replace 'Ethernet0' and IPs)
$adapter = 'Ethernet0'
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses ('10.0.0.1','10.0.0.2')
# 3. Remove DNS from secondary/iSCSI adapters
Set-DnsClientServerAddress -InterfaceAlias 'iSCSI' -ResetServerAddresses
# 4. Set explicit metric on primary adapter
Set-NetIPInterface -InterfaceAlias $adapter -InterfaceMetric 10
# 5. Flush cache and re-register
ipconfig /flushdns
ipconfig /registerdns
# 6. Restart DNS client
Restart-Service Dnscache
Solution — Alternative Approaches
If the primary fix does not resolve the issue, consider these three alternative approaches. Alternative 1 — Disable IPv6 DNS fallback: Add the registry key HKLMSYSTEMCurrentControlSetServicesDnscacheParametersDisableParallelAandAAAA = 1 (DWORD) to prevent parallel IPv4/IPv6 lookups. This forces sequential resolution and eliminates the IPv6 timeout delay. Alternative 2 — Use Suffixed DNS Search: If the server is in a workgroup or the FQDN suffix is misconfigured, add the domain suffix to the DNS suffix search list via Set-DnsClientGlobalSetting. Alternative 3 — Configure DNS Devolution: If child domain lookups are failing but the root domain resolves, set the devolution level registry key to allow parent domain fallback. Each alternative has trade-offs: disabling parallel lookups adds ~20ms per query; suffix search can cause false matches; devolution is a security consideration in multi-tenant environments.
# Alt 1: Disable parallel A/AAAA lookups
$path = 'HKLM:SYSTEMCurrentControlSetServicesDnscacheParameters'
Set-ItemProperty -Path $path -Name DisableParallelAandAAAA -Value 1 -Type DWord
# Alt 2: Set DNS suffix search list
Set-DnsClientGlobalSetting -SuffixSearchList @('corp.local','ad.corp.local')
# Alt 3: Enable DNS devolution
Set-ItemProperty -Path $path -Name UseDomainNameDevolution -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name DomainNameDevolutionLevel -Value 2 -Type DWord
Restart-Service DnscacheVerification & Acceptance Criteria
After applying the primary fix or an alternative, perform these verification steps before closing the incident. The fix is confirmed successful only when all of the following criteria are met: (1) Resolve-DnsName internal.corp.local returns the expected IP within 200ms; (2) dcdiag /test:dns returns all PASS for the local server; (3) Event ID 1014 (DNS client resolution timeout) does not appear in System log for 10 minutes; (4) Application pools or services that were failing reconnect successfully; (5) A second DNS query for the same name returns a cached result (visible via ipconfig /displaydns).
# Verification commands
Resolve-DnsName internal.corp.local
Resolve-DnsName _ldap._tcp.corp.local -Type SRV
dcdiag /test:dns /v
ipconfig /displaydns | Select-String 'internal'
Get-EventLog -LogName System -EntryType Error -Source 'DNS Client Events' -Newest 5 -ErrorAction SilentlyContinueRollback Plan
If the primary fix causes unintended side effects — for example, if disabling DNS on a secondary adapter breaks iSCSI multipath connectivity — follow this rollback procedure. Step 1: Re-add DNS server entries to the affected adapter using Set-DnsClientServerAddress. Step 2: If you modified the interface metric, reset it to automatic with Set-NetIPInterface -InterfaceAlias 'Adapter' -AutomaticMetric Enabled. Step 3: Revert any registry changes made under HKLM:SYSTEMCurrentControlSetServicesDnscacheParameters by deleting the keys you added. Step 4: Flush DNS again and restart the Dnscache service. All changes made by the PowerShell commands in this guide are reversible. No system files are modified. A checkpoint snapshot prior to making changes is always recommended.
# Rollback: restore DNS on secondary adapter
Set-DnsClientServerAddress -InterfaceAlias 'iSCSI' -ServerAddresses ('10.0.0.1')
# Restore automatic metric
Set-NetIPInterface -InterfaceAlias 'iSCSI' -AutomaticMetric Enabled
# Remove registry key added in Alt 1
$path = 'HKLM:SYSTEMCurrentControlSetServicesDnscacheParameters'
Remove-ItemProperty -Path $path -Name DisableParallelAandAAAA -ErrorAction SilentlyContinue
Restart-Service Dnscache
ipconfig /flushdnsPrevention & Hardening
Prevent DNS resolution failures from recurring by implementing these server baseline policies. First, deploy a Group Policy Object that enforces DNSCache service state as Automatic and Running — include a startup script that verifies and corrects DNS assignments. Second, document and lock the interface binding order in your provisioning runbook: primary LAN adapter should always have metric 10 or lower, and secondary adapters (iSCSI, IPMI, backup) should never have DNS server entries. Third, use DCDIAG as part of your weekly health check schedule; the /test:dns flag catches misconfiguration before it becomes an outage. Fourth, if your hardening baseline disables the DNSCache service (common in some CIS benchmarks), add an exception noting that this service is required for AD-integrated DNS and Kerberos to function at acceptable latency. Fifth, test DNS resolution as part of every cumulative update post-reboot validation checklist.
# GPO equivalent — enforce via Desired State Configuration
Configuration EnsureDNSCache {
Node 'localhost' {
Service DNSCache {
Name = 'Dnscache'
State = 'Running'
StartupType = 'Automatic'
}
}
}
EnsureDNSCache
Start-DscConfiguration -Path .EnsureDNSCache -Wait -VerboseRelated Errors & Cross-Refs
This problem is closely related to several other common Windows Server 2025 issues. Event ID 1014 in the System log (DNS name resolution timeout) is the primary indicator and often co-occurs with Event IDs 4, 5719, and 1055 from NETLOGON (domain controller unreachable). Kerberos authentication failures (KDC_ERR_S_PRINCIPAL_UNKNOWN) are a frequent downstream symptom when DNS fails for SRV record lookups. If you are seeing Group Policy application failures (Event ID 1030 from GroupPolicy), resolve DNS first — GPO processing has a hard dependency on name resolution. Also see the related problem post on DHCP scope exhaustion causing DNS deregistration, and the post on NIC teaming misconfiguration causing intermittent connectivity. The Active Directory Replication issues post covers scenarios where DNS failure prevents replication partner discovery.
Related tutorial: View the step-by-step tutorial for Windows Server 2025.
View all Windows Server 2025 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
For authoritative guidance on this issue, consult the following resources. Microsoft Documentation: “Configuring DNS client settings” in the Windows Server 2025 Networking documentation covers all PowerShell cmdlets used in this guide. KB5020276 covers a known DNS client regression introduced in Windows Server 2022 that also affects 2025 builds prior to KB5026038. The DNS Client Service overview at learn.microsoft.com/windows-server/networking/dns/dns-client explains the resolver architecture including the parallel query behaviour described in Root Cause Analysis. The Windows Server 2025 Networking Baseline from the Microsoft Security Compliance Toolkit documents the recommended DNSCache service state. For packet-level analysis of DNS query behaviour, the Wireshark DNS dissector guide at wireshark.org provides the filter syntax dns and ip.addr==10.0.0.1 used in the diagnosis section.
Need Expert Help?
If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.
