Windows 2000 server DNS and client network slowdown issues

I recently took over an IT position for a small company. The server crashed within the first week (the previous IT person was not doing any server upkeep). I don't have any of the configurations, and it took about a week of hardcore digging to find out how the system is kind of set up.
This is how the system is basically set up:

Windows 2000 server set up as an Active Directory Domain Controller as well as the File Server.  DNS is being controlled by the ISP and DHCP is being controlled by the router.
I have set up forwarding for DNS.  Here are my issues:

The network slows down on client PCs (running XP Pro SP2) after being logged in for about 30-40 minutes. This has only been happening since the server was rebuilt.

Several event errors:
Description: Registration of the DNS record '_kpasswd._tcp.domain.com. 600 IN SRV 0 100 464 zeus.domain.com.' failed with the following error: DNS operation refused.
Description: Registration of the DNS record '_kerberos._udp.domain.com. 600 IN SRV 0 100 88 zeus.domain.com.' failed with the following error: DNS operation refused.  
Description: Registration of the DNS record '_gc._tcp.Default-First-Site-Name._sites.domain.com. 600 IN SRV 0 100 3268 zeus.domain.com.' failed with the following error: DNS operation refused.
Description: Registration of the DNS record '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.com. 600 IN SRV 0 100 389 zeus.domain.com.' failed with the following error: DNS operation refused.
Description: Registration of the DNS record '_ldap._tcp.dc._msdcs.domain.com. 600 IN SRV 0 100 389 zeus.domain.com.' failed with the following error: DNS operation refused.
Description: Registration of the DNS record '87130357-7a3b-4736-ab03-ec707019edd3._msdcs.domain.com. 600 IN CNAME zeus.domain.com.' failed with the following error: DNS operation refused.

I ran netdiag and got the following errors (everything else passed):

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.DOMAIN.COM. re-registeration on DNS server 'xxx.xxx.xxx.xxx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.ab7418d7-c2ef-4713-b268-790a353d723c.domains._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry gc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry 667e6ece-2a60-4328-b3f2-02892a2550ed._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _gc._tcp.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _gc._tcp.Default-First-Site-Name._sites.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kerberos._udp.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kpasswd._udp.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for this DC on DNS server 'xx.xx.xx.xx' .
[FATAL] No DNS servers have the DNS records for this DC registered.

Trust relationship test. . . . . . : Skipped
WAN configuration test . . . . . . : Skipped
No active remote access connections.

I'm also getting the SID trust relationship errors, but from what I've read, I need to remove the client PC from the domain and then add it back, which I will be trying here momentarily.

Basically, I need to figure out why the network slows down and then how to correct the above errors.

If you need more error logs or test results, I have them available.
Any help would be extremely appreciated.
cmr
nmcmrAsked:
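The two logs above are the same story told twice: NETLOGON (EventID 0x168E, decimal 5774) could not register the DC's locator records, and netdiag's "Failed to fix" pass got DNS_ERROR_RCODE_REFUSED from the server it tried. The following PowerShell is an added example, not part of the original post: it turns both forms into objects so the missing records and the refusing server can be listed rather than read line by line. `$sample` is constructed from records quoted in the question, and `203.0.113.53` stands in for the redacted DNS server address; `ConvertFrom-DnsRegistrationLog` is a name chosen here, not a built-in cmdlet.

```powershell
# Added example (not from the thread): parse NETLOGON 5774 and netdiag
# registration failures into objects. $sample is constructed from the question;
# 203.0.113.53 is a placeholder for the redacted server address.

$sample = @'
Registration of the DNS record '_kpasswd._tcp.domain.com. 600 IN SRV 0 100 464 zeus.domain.com.' failed with the following error: DNS operation refused.
Registration of the DNS record '_ldap._tcp.dc._msdcs.domain.com. 600 IN SRV 0 100 389 zeus.domain.com.' failed with the following error: DNS operation refused.
Registration of the DNS record '87130357-7a3b-4736-ab03-ec707019edd3._msdcs.domain.com. 600 IN CNAME zeus.domain.com.' failed with the following error: DNS operation refused.
Registration of the DNS record 'domain.com. 600 IN A 10.0.0.2' failed with the following error: DNS operation refused.
[FATAL] Failed to fix: DC DNS entry _gc._tcp.domain.com. re-registeration on DNS server '203.0.113.53' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kerberos._udp.domain.com. re-registeration on DNS server '203.0.113.53' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
'@

function ConvertFrom-DnsRegistrationLog {
    param([Parameter(Mandatory)][string]$Text)

    # Event-log form: name, TTL, class, type and RDATA inside single quotes, then the error text.
    $eventPattern   = "Registration of the DNS record '(?<name>\S+) (?<ttl>\d+) IN (?<type>[A-Z]+) (?<rdata>[^']+)' failed with the following error: (?<error>[^.]+)"
    # netdiag form: record name and the server that answered; the RCODE follows on the next line.
    $netdiagPattern = "DC DNS entry (?<name>\S+) re-registeration on DNS server '(?<server>[^']+)' failed"
    $codePattern    = '^DNS Error code: (?<code>\S+)'

    $records = New-Object System.Collections.Generic.List[object]
    $pending = $null

    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $eventPattern) {
            $rec = [pscustomobject]@{
                Source = 'eventlog'; Name = $Matches.name.TrimEnd('.').ToLower()
                Type   = $Matches.type; Port = $null; Target = $null
                Server = $null;        Error = $Matches.error.Trim()
            }
            if ($rec.Type -eq 'SRV') {
                # SRV RDATA is "priority weight port target"
                $prio, $weight, $port, $target = $Matches.rdata.Trim() -split '\s+'
                $rec.Port   = [int]$port
                $rec.Target = $target.TrimEnd('.')
            } else {
                $rec.Target = $Matches.rdata.Trim().TrimEnd('.')
            }
            $records.Add($rec)
        }
        elseif ($line -match $netdiagPattern) {
            $pending = [pscustomobject]@{
                Source = 'netdiag'; Name = $Matches.name.TrimEnd('.').ToLower()
                Type   = $null; Port = $null; Target = $null
                Server = $Matches.server; Error = $null
            }
            $records.Add($pending)
        }
        elseif ($pending -and $line -match $codePattern) {
            $pending.Error = $Matches.code
            $pending = $null
        }
    }
    return $records
}

$records = ConvertFrom-DnsRegistrationLog -Text $sample
$records | Format-Table Source, Name, Type, Port, Target, Server, Error -AutoSize

# The address every refusal came from is the one to compare with the DC's own IP.
# A server that is not authoritative for the zone (an ISP resolver) answers dynamic
# updates with REFUSED or NOTAUTH, so nothing the DC sends there will ever register.
$records | Where-Object Server | Group-Object Server |
    Select-Object @{n = 'RefusingServer'; e = { $_.Name }}, Count
```

The check this buys you is simple: if the refusing server in the last table is not the DC itself, the DC's NIC is handing its registrations to a server that cannot accept them, which is exactly the situation the replies below describe.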

Debsyl99Commented:
Hi
Eek, nasty log. Basically your server should be pointing to itself as preferred DNS server in TCP/IP properties on its NIC. DNS should be Active Directory integrated and set to enable dynamic updates. Clients should also point to the server as preferred DNS server, and the "." root zone in DNS on the server can be deleted, which would allow forwarders to be set that point to your ISP's nameservers. DHCP really should be run off the server too, and disabled on the router, to enable updating of the clients' IP addresses.
http:Q_20620074.html

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/?kbid=237675
Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382


Deb :))
0

Chris DentPowerShell DeveloperCommented:

How do you have your DNS set? When you say the ISP controls DNS, are internal clients and servers using the internal DNS, with forwarders on that DNS to the ISP's for unresolved queries?

Anyway, a few things to check:

1. In DNS Manager, check a Forward Lookup Zone exists for your Domain.
 - Check there are _msdcs service records registered in there, those will look like folders and should include LDAP, Kerberos etc.

2. Check the FSMO Roles are all happily sitting on the right servers
 - Try this tool:
    http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpfsmos-o.asp
    And make sure each is running on a valid server.

3. Inside DNS Manager, right click on the Zone, select properties, and check Dynamic Updates is set to "Secure Updates Only".

4. If none of the above work, try deleting the zone (your domain name) from DNS Manager, then re-adding it as Primary Active Directory Integrated.

5. Check that a Reverse Lookup Zone is present for your network (will be based around your IP Range).

See how far that gets...
0
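The five checks above are the ones worth scripting, because a DC that fails them quietly degrades the whole domain (Kerberos and LDAP lookups time out before falling back to NetBIOS, which is one plausible explanation for the slow clients). The following PowerShell is an added example and not code from the thread. It assumes a current Windows DNS/AD deployment with the DnsServer, DnsClient, NetTCPIP and ActiveDirectory modules (Windows Server 2012 or later, or RSAT); none of these cmdlets exist on Windows 2000, where the DNS MMC snap-in, dnscmd from the Support Tools, nslookup and netdiag/dcdiag cover the same ground. `Test-DcDnsHealth` is a name chosen here, and the domain, DC and site names are placeholders taken from the log.

```powershell
# Added example (not from the thread): run on the DC; returns one line per finding.
# Assumes DnsServer/DnsClient/NetTCPIP/ActiveDirectory modules (Server 2012+ / RSAT).
function Test-DcDnsHealth {
    param(
        [string]$Domain = 'domain.com',               # placeholder
        [string]$Dc     = 'zeus.domain.com',          # placeholder
        [string]$Site   = 'Default-First-Site-Name'
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. A forward lookup zone for the domain must exist on the DC, and
    # 3. it should be AD-integrated and accept *secure* dynamic updates only.
    #    'NonsecureAndSecure' ("Yes" in the Windows 2000 UI) lets any host on the
    #    LAN overwrite the DC's own A/SRV records with an unauthenticated update.
    $zone = Get-DnsServerZone -ComputerName $Dc -Name $Domain -ErrorAction SilentlyContinue
    if (-not $zone) {
        $findings.Add("zone $Domain is missing on $Dc")
    } else {
        if (-not $zone.IsDsIntegrated) { $findings.Add("zone $Domain is not AD-integrated") }
        if ($zone.DynamicUpdate -ne 'Secure') {
            $findings.Add("zone $Domain allows '$($zone.DynamicUpdate)' updates; expected 'Secure'")
        }
    }

    # 1b. Locator records a DC registers (a subset of %SystemRoot%\System32\config\netlogon.dns).
    $locators = @(
        "_ldap._tcp.$Domain"
        "_ldap._tcp.dc._msdcs.$Domain"
        "_ldap._tcp.pdc._msdcs.$Domain"
        "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
        "_kerberos._tcp.dc._msdcs.$Domain"
        "_kerberos._tcp.$Domain"
        "_kerberos._udp.$Domain"
        "_kpasswd._tcp.$Domain"
        "_gc._tcp.$Domain"
    )
    foreach ($name in $locators) {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $Dc -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            $findings.Add("SRV $name is not registered on $Dc")
        } elseif (@($srv.NameTarget) -notcontains $Dc) {
            $findings.Add("SRV $name exists but none of its targets is $Dc")
        }
    }

    # 2. Every FSMO role holder must be a DC that actually resolves on this server.
    $domainInfo  = Get-ADDomain -Identity $Domain
    $forestInfo  = Get-ADForest -Identity $domainInfo.Forest
    $roleHolders = @{
        PDCEmulator          = $domainInfo.PDCEmulator
        RIDMaster            = $domainInfo.RIDMaster
        InfrastructureMaster = $domainInfo.InfrastructureMaster
        SchemaMaster         = $forestInfo.SchemaMaster
        DomainNamingMaster   = $forestInfo.DomainNamingMaster
    }
    foreach ($role in $roleHolders.Keys) {
        $holder = $roleHolders[$role]
        if (-not $holder) { $findings.Add("$role has no owner recorded"); continue }
        if (-not (Resolve-DnsName -Name $holder -Type A -Server $Dc -DnsOnly -ErrorAction SilentlyContinue)) {
            $findings.Add("$role owner $holder does not resolve on $Dc")
        }
    }

    # 5. A reverse lookup zone for the LAN should exist.
    if (-not (Get-DnsServerZone -ComputerName $Dc | Where-Object IsReverseLookupZone)) {
        $findings.Add("no reverse lookup zone on $Dc")
    }

    # In a single-DC domain the DC's own resolver must point at itself; if it
    # points at the ISP, every dynamic registration is answered with REFUSED.
    $localIps   = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    $dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                   Where-Object { $_.ServerAddresses }).ServerAddresses
    foreach ($ip in $dnsServers) {
        if ($ip -notin $localIps -and $ip -ne '127.0.0.1') {
            $findings.Add("DC resolver entry $ip is not a local address")
        }
    }

    $findings
}

# An empty result means every item on the list passed.
Test-DcDnsHealth -Domain 'domain.com' -Dc 'zeus.domain.com' -Site 'Default-First-Site-Name' |
    ForEach-Object { Write-Warning $_ }
```

Step 4 (deleting and re-creating the zone) is deliberately not automated: do it by hand only after the checks above show the zone itself is the problem, since the DC re-registers its records on the next NETLOGON restart or `ipconfig /registerdns`.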
Chris DentPowerShell DeveloperCommented:

Deb beat me ;)
0

nmcmrAuthor Commented:
Thanks to both of you~
I will try all of this when I get back to work in a few hours.  
DNS is configured to point to the ISP DNS addresses first for resolution. I don't have the server IP configured in, since my ISP couldn't answer any of my configuration questions (you've got to love Qwest's spirit of service).
I will change the DNS settings to point to the server first, then forward to the ISP for any unresolved issues.
I only have two of the client PCs pointing to dynamic update for DNS; the rest are pointing to the ISP DNS server IPs.
Dynamic Updates is set to "Yes".
_msdcs service record is not registered in DNS the forward lookup zone, only the local domain record is present.
The reverse lookup zone has several IP ranges, (this is what I remember, since I'm not sitting at the server right now)
a zone for localhost 0.0.127 arpa range
one for 0.0.10 arpa range
and two others that I don't recall... so yes, there is a reverse lookup zone present for the network (0.0.10)

As far as DHCP, I do have it running on the server, but it is also running on the router- I will disable it on the router at first chance.  It had been running like this for a few years from what I understand.
I did happen to try removing a client PC from the domain and then moving it back, it seems to work and be much quicker on the network, but it creates a new user account and so I have to go back and move everything over from the old user folder to the new one...

thanks,
cmr
0
nmcmrAuthor Commented:
so this is what I ended up doing...
Since it appeared that my DNS was so messed up, I uninstalled it, made the changes per the instructions from http://support.microsoft.com/?kbid=237675, and set up both forward and reverse zones pointing directly to the local DNS server.
Once that was complete, I ran dcdiag and netdiag and didn't get any errors (yeah!). I checked the DNS manager and found the necessary folders under the forward lookup zone (_msdcs, _sites, _tcp, _udp).
The network appears to be working fine (for the most part) on the machines that I removed from the domain and then added back, though those machines seem to take an extra long time to "load user settings" or to "establish network connections".
I have not made the changes to DHCP yet, and I'm still trying to figure out why I need to re-create the client account on the PC once I re-establish the connection with the domain for that PC. ???
But all in all, everything seems to be moving along much better than before!

I had been working on this for about two weeks while dealing with other issues that the last IT person neglected.
Thanks much for the assistance from both of you!
Let me know if you have any other bit of information before I close this topic out...
thanks again,
cmr
0
Debsyl99Commented:
Hi

The chances are the client PCs just need to register their IP address in DNS. So long as they are now pointing at the now-functioning server as preferred DNS server, you should be able to run the following command on them from a command prompt:
ipconfig /registerdns

The only way you may run into trouble is if the PCs are picking up different addresses from the router in DHCP. DHCP servers aren't usually bright enough to know which PC has which address, so it's always better to just use one DHCP unless scopes are configured to provide redundancy. DHCP on the server can update the clients' IPs in DNS, so running it from the server is always the best option.
Glad things are looking better,
Deb :))
0
nmcmrAuthor Commented:
thanks a bunch I'll try those changes and let you know if I have any other issues....

cmr
0
nmcmrAuthor Commented:
I removed the DHCP from the server, but before that I started having issues with a couple of users who weren't able to access the website that has the same domain name.
It appears as though they can connect now after running the below commands again, but I'm wondering what if it happens again? Any suggestions?
I greatly appreciate your continued assistance on this.
cmr

----------------------------------
A side note: I made some other configuration changes to the server and rebooted, and I got these errors in the event log.

Description: Registration of the DNS record 'DOMAIN.COM. 600 IN A 10.0.0.2' failed with the following error: DNS operation refused.  
---------------------------------------
Description: Registration of the DNS record '_ldap._tcp.DOMAIN.COM. 600 IN SRV 0 100 389 zeus.DOMAIN.COM.' failed with the following error: DNS operation refused.
------------------------------------
Description: Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.
---------------------------------------
then I ran "dcdiag /fix" again- here are the results

 Starting test: systemlog
    An Error Event occured.  EventID: 0x0000168E
       Time Generated: 11/10/2004   03:31:38
       Event String: Registration of the DNS record
    An Error Event occured.  EventID: 0x0000168E
       Time Generated: 11/10/2004   03:31:38
       Event String: Registration of the DNS record
    ......................... ZEUS failed test systemlog

----------------------------------------
and then ran "netdiag /fix" again.

    Computer Name: ZEUS
    DNS Host Name: zeus.DOMAIN.COM
Netcard queries test . . . . . . . : Passed
Per interface results:
    Adapter : Local Area Connection
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : zeus.DOMAIN.COM
        IP Address . . . . . . . . : 10.XX.XX.XX
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 10.XX.XX.XX
        Dns Servers. . . . . . . . : 10.XX.XX.XX
                                     205.XX.XX.XX
                                     205.XX.XX.XX
        AutoConfiguration results. . . . . . : Passed
        Default gateway test . . . : Passed
        NetBT name test. . . . . . : Passed
        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interfac
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{B962D596-0D22-4F22-B477-44F475CA85FD}
    1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
   PASS - All the DNS entries for DC are registered on DNS server
Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{B962D596-0D22-4F22-B477-44F475CA85FD}
    The redir is bound to 1 NetBt transport.
    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{B962D596-0D22-4F22-B477-44F475CA85FD}
    The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
    No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
    Directory IPSec Policy Active: 'Client (Respond Only)'
0
Chris DentPowerShell DeveloperCommented:

These DNS servers aren't really necessary in your settings:

205.XX.XX.XX
205.XX.XX.XX

If you need to resolve external queries your Internal DNS can either use Root Hints or the above addresses as forwarders inside the DNS configuration.

By default Root Hints is setup, so you shouldn't really need to make any changes there if you don't want to.

You may need to add an entry to your internal DNS for www.domain.com and point it to the public IP address if internal users are having problems finding it.
0
Debsyl99Commented:

Agree with the unnecessary dns entries as Chris has said. You can run into trouble with root hints though if you use a firewall as you'll need to ensure you permit dns on tcp/udp 53 fully out of your network. If you configure forwarders then the only place your isp's name servers should appear is listed under the forwarders (you need to delete the root "." in 2000 server dns to configure forwarders). You can then permit tcp/udp 53 to your isp's nameservers through the firewall.

If your clients are pointing to your internal dns server as preferred dns server only (and really they should be) then they won't be able to resolve the external domain name if it's the same as your internal domain name. All you need to do though is to add the www entry in your forward lookup zone on the server as Chris described.
0
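Taken together, the replies converge on one configuration: the DC resolves through itself, the ISP servers appear only as forwarders (which on Windows 2000 requires removing the root "." zone first), the zone accepts secure updates only, and the public web host gets an explicit record in the internal zone because the internal and external names are the same. The following PowerShell is an added example, not the thread's own commands, and applies that configuration on a current Windows DNS server (DnsServer and DnsClient modules, Server 2012 or later; on Windows 2000 the same settings are made in the DNS MMC snap-in or with dnscmd). The addresses, interface alias and public web IP are placeholders; 198.51.100.x stands in for the redacted 205.x ISP resolvers.

```powershell
# Added example (not from the thread): apply the configuration the replies
# describe. Run on the DC. All addresses and the interface alias are placeholders.
$Domain        = 'domain.com'
$DcIp          = '10.0.0.2'                       # the DC's own address
$IspForwarders = '198.51.100.1', '198.51.100.2'   # stand-ins for the ISP resolvers
$PublicWebIp   = '203.0.113.10'                   # public address of www.domain.com
$Nic           = 'Ethernet'

# 1. The DC resolves through itself only; the ISP servers come off the NIC entirely.
#    With them listed second, a slow or failed answer from the DC lets registrations
#    and lookups fall through to a server that will REFUSE them.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DcIp

# 2. A server that hosts the "." zone believes it is the root and never forwards,
#    so remove it, then forward external queries to the ISP only. With forwarders
#    (rather than root hints) the perimeter firewall can be restricted to TCP/UDP 53
#    from the DC to those two addresses instead of to the whole Internet.
if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
    Remove-DnsServerZone -Name '.' -Force
}
Set-DnsServerForwarder -IPAddress $IspForwarders -UseRootHint $false

# 3. The domain zone: AD-integrated, secure dynamic updates only. 'NonsecureAndSecure'
#    ("Yes" in the Windows 2000 UI) lets any LAN host rewrite the DC's SRV and A
#    records; 'Secure' requires the updater to authenticate with Kerberos (GSS-TSIG).
$zone = Get-DnsServerZone -Name $Domain
if (-not $zone.IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $Domain -ReplicationScope Domain -Force
}
Set-DnsServerPrimaryZone -Name $Domain -DynamicUpdate Secure

# 4. Split-brain name: internal clients ask the DC for www.domain.com, and the DC is
#    authoritative for domain.com, so without this record they get NXDOMAIN rather
#    than a forwarded answer.
if (-not (Get-DnsServerResourceRecord -ZoneName $Domain -Name 'www' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Domain -Name 'www' -IPv4Address $PublicWebIp
}

# 5. Re-register this host's own records (the PowerShell form of ipconfig /registerdns).
Register-DnsClient

# Verify: a locator SRV record and the www record must now come back from the DC itself.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcIp -DnsOnly
Resolve-DnsName -Name "www.$Domain" -Type A -Server $DcIp -DnsOnly
```

Any other public host under the same name (mail, ftp, the bare domain if it serves a web page) needs the same treatment as www, since the internal zone answers for every name beneath domain.com.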
nmcmrAuthor Commented:
That all appears to have resolved my issues- much thanks!
0
Debsyl99Commented:
Great :))
0