Windows Server 2022 — DNS Server Returns SERVFAIL for Internal Zones — Fix & Prevention

📖 ~1 min read

Table of contents

1. Symptom & Impact
2. Quick Checks
3. Deep Diagnosis
4. Primary Fix
5. Verification
6. Prevention & Hardening

Symptom & Impact

Clients receive SERVFAIL responses when resolving records in internal AD-integrated zones. Critical apps fail to discover domain services and name-based connections become intermittent. Authentication delays and login issues can cascade across site locations.

Quick Checks

Inspect DNS service health, zone loading status, and forwarder configuration for corruption or timeout behavior.

Get-Service DNS
Resolve-DnsName dc1.contoso.local -Server 127.0.0.1
Get-DnsServerZone
Get-DnsServerForwarder

Deep Diagnosis

Check event logs for zone transfer, signing, or database errors and verify AD replication for DNS application partitions.

Get-WinEvent -LogName 'DNS Server' -MaxEvents 100 | Select TimeCreated,Id,Message
dnscmd /enumzones
repadmin /showrepl * /errorsonly
Get-ADObject -SearchBase 'DC=DomainDnsZones,DC=contoso,DC=local' -LDAPFilter '(objectClass=dnsZone)'

Primary Fix

Restart DNS, clear stale cache entries, and re-register SRV/A records from affected domain controllers and servers.

Restart-Service DNS
Clear-DnsServerCache -Force
ipconfig /flushdns
ipconfig /registerdns
Restart-Service Netlogon

Verification

Internal queries should return NOERROR and expected records from each DNS server in the rotation list.

Resolve-DnsName _ldap._tcp.dc._msdcs.contoso.local -Type SRV -Server dc1
Resolve-DnsName app01.contoso.local -Server dc2
nslookup app01.contoso.local dc1

Prevention & Hardening

Standardize forwarders, monitor DNS event IDs, and periodically validate partition replication and record aging/scavenging.

Set-DnsServerScavenging -ScavengingState $true -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00
Get-DnsServerDiagnostics
Get-ADReplicationFailure -Target * -Scope Forest