Solved

Windows2000 server DNS and client network slowdown issues

Posted on 2004-11-08
Last Modified: 2012-05-05
I recently took over an IT position for a small company- the server crashed within the first week (the previous IT person was not doing any server upkeep), I don't have any of the configurations and took about a week of hardcore digging to find out how the system is kind of set up-
this is how the system is basically set up~

Windows 2000 server set up as an Active Directory Domain Controller as well as the File Server.  DNS is being controlled by the ISP and DHCP is being controlled by the router.
I have set up forwarding for DNS.  Here are my issues:

network slows down on client PC's (running XP Pro sp2) after being logged in for about 30-40 minutes this has only been happening since the server was rebuilt.

several event errors:
Description: Registration of the DNS record '_kpasswd._tcp.domain.com. 600 IN SRV 0 100 464 zeus.domain.com.' failed with the following error: DNS operation refused.
Description: Registration of the DNS record '_kerberos._udp.domain.com. 600 IN SRV 0 100 88 zeus.domain.com.' failed with the following error: DNS operation refused.  
Description: Registration of the DNS record '_gc._tcp.Default-First-Site-Name._sites.domain.com. 600 IN SRV 0 100 3268 zeus.domain.com.' failed with the following error: DNS operation refused.
Description: Registration of the DNS record '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.com. 600 IN SRV 0 100 389 zeus.domain.com.' failed with the following error: DNS operation refused.
Description: Registration of the DNS record '_ldap._tcp.dc._msdcs.domain.com. 600 IN SRV 0 100 389 zeus.domain.com.' failed with the following error: DNS operation refused.
Description:Registration of the DNS record '87130357-7a3b-4736-ab03-ec707019edd3._msdcs.domain.com. 600 IN CNAME zeus.domain.com.' failed with the following error: DNS operation refused.

I ran netdiag and got the following errors- (everything else passed)

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.DOMAIN.COM. re-registeration on DNS server 'xxx.xxx.xxx.xxx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.ab7418d7-c2ef-4713-b268-790a353d723c.domains._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry gc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry 667e6ece-2a60-4328-b3f2-02892a2550ed._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _gc._tcp.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _gc._tcp.Default-First-Site-Name._sites.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kerberos._udp.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kpasswd._udp.DOMAIN.COM. re-registeration on DNS server 'xx.xx.xx.xx' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for this DC on DNS server 'xx.xx.xx.xx' .
[FATAL] No DNS servers have the DNS records for this DC registered.

Trust relationship test. . . . . . : Skipped
WAN configuration test . . . . . . : Skipped
No active remote access connections.

I'm also getting the SID trust relationship errors, but from what I've read, I need to remove the client PC from the domain and then add it back. Which I will be trying here momentarily.

Basically, I need to figure out why the network slows down and then how to correct the above errors?

If you need more error logs or test results, I have them available.
any help would be extremely appreciated.
cmr
0
Comment
Question by:nmcmr
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 1200 total points
ID: 12526169
Hi
Eek - nasty log. Basically your server should be pointing to itself as preferred dns server in tcp/ip properties on its nic. DNS should be active directory integrated, and set to enable dynamic updates. Clients should also point to the server as preferred dns server and the "." root zone in dns on the server can be deleted which would allow forwarders to be set that point to your isp's nameservers. DHCP really should be run off the server too, and disabled on the router to enable updating of the client's ip addresses.
http:Q_20620074.html

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/?kbid=237675
Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382


Deb :))
0
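The netdiag output quoted in the question can be triaged mechanically to show which DNS server the DC is sending its registrations to and which locator services are affected. This is an added example, not part of the original thread; the sample lines are constructed in the format of that output, `192.0.2.53` is a placeholder for the ISP's DNS server, and `dc_addresses` is an assumed operator-supplied list of the DC's own IPs.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the netdiag output quoted in the question.
# 192.0.2.53 is a placeholder address standing in for the ISP's DNS server.
SAMPLE = """\
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry DOMAIN.COM. re-registeration on DNS server '192.0.2.53' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.DOMAIN.COM. re-registeration on DNS server '192.0.2.53' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.DOMAIN.COM. re-registeration on DNS server '192.0.2.53' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
[FATAL] No DNS servers have the DNS records for this DC registered.
"""

FAIL_RE = re.compile(r"Failed to fix: DC DNS entry (\S+) "
                     r"re-registeration on DNS server '([^']+)' failed")
CODE_RE = re.compile(r"DNS Error code:\s*(\S+)")
SERVICE_RE = re.compile(r"_(ldap|kerberos|gc|kpasswd)\._(?:tcp|udp)\.", re.I)


def parse_netdiag(text):
    """Return (record, server, error_code) for every failed re-registration."""
    failures = []
    for line in text.splitlines():
        if m := FAIL_RE.search(line):
            failures.append([m.group(1), m.group(2), None])
        elif (c := CODE_RE.search(line)) and failures and failures[-1][2] is None:
            failures[-1][2] = c.group(1)  # error code follows its [FATAL] line
    return [tuple(f) for f in failures]


def summarise(failures, dc_addresses=()):
    """Group failures by target server; flag servers that refuse every update."""
    by_server = defaultdict(list)
    for record, server, code in failures:
        by_server[server].append((record, code))
    report = {}
    for server, items in by_server.items():
        refused = sum(code == "DNS_ERROR_RCODE_REFUSED" for _, code in items)
        report[server] = {
            "failed": len(items),
            "refused": refused,
            "services": sorted({m.group(1).lower() for rec, _ in items
                                if (m := SERVICE_RE.match(rec))}),
            # Every update refused by a server that is not the DC itself: the DC
            # is registering against a DNS server that rejects dynamic updates.
            "external_refuses_all": refused == len(items)
                                    and server not in dc_addresses,
        }
    return report


if __name__ == "__main__":
    # dc_addresses is an assumption: the DC's own IP(s), supplied by the operator.
    for server, info in summarise(parse_netdiag(SAMPLE), {"10.0.0.2"}).items():
        print(server, info)
```

A server flagged `external_refuses_all` matches the situation in this thread, where the DC's preferred DNS server was the ISP's rather than the DC itself.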
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12526254

How do you have your DNS set? When you say the ISP controls DNS; Internal Clients and Servers using the Internal DNS? Then Forwarders on that DNS to the ISPs for unresolved queries?

Anyway, a few things to check:

1. In DNS Manager, check a Forward Lookup Zone exists for your Domain.
 - Check there are _msdcs service records registered in there, those will look like folders and should include LDAP, Kerberos etc.

2. Check the FSMO Roles are all happily sitting on the right servers
 - Try this tool:
    http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpfsmos-o.asp
    And make sure each is running on a valid server.

3. Inside DNS Manager, right click on the Zone, select properties, and check Dynamic Updates is set to "Secure Updates Only".

4. If none of the above work, try deleting the zone (your domain name) from DNS Manager, then re-adding it as Primary Active Directory Integrated.

5. Check that a Reverse Lookup Zone is present for your network (will be based around your IP Range).

See how far that gets...
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12526259

Deb beat me ;)
0

 

Author Comment

by:nmcmr
ID: 12529531
Thanks to both of you~
I will try all of this when I get back to work in a few hours.  
DNS is configured to point to the ISP DNS addresses first for resolution. I don't have the server IP configured in since my ISP couldn't answer any of my configuration questions. (you've got to love Qwest spirit of service)
I will change the DNS settings to point to the server first, then forward to the ISP for any unresolved issues.
I only have two of the client PC's pointing to dynamic update for DNS, the rest are pointing to the ISP DNS server IP's.
Dynamic Updates is set to "Yes".
_msdcs service record is not registered in the DNS forward lookup zone, only the local domain record is present.
The reverse lookup zone has several IP ranges, (this is what I remember, since I'm not sitting at the server right now)
a zone for localhost 0.0.127 arpa range
one for 0.0.10 arpa range
and two others that I don't recall... so yes, there is a reverse lookup zone present for the network (0.0.10)

As far as DHCP, I do have it running on the server, but it is also running on the router- I will disable it on the router at first chance.  It had been running like this for a few years from what I understand.
I did happen to try removing a client PC from the domain and then moving it back, it seems to work and be much quicker on the network, but it creates a new user account and so I have to go back and move everything over from the old user folder to the new one...

thanks,
cmr
0
 

Author Comment

by:nmcmr
ID: 12533257
so this is what I ended up doing...
since it appeared that my DNS was so messed up I uninstalled it. made the changes as per the instructions from http://support.microsoft.com/?kbid=237675, and set up both forwarding and reverse zones pointing directly to the local DNS server-
Once that was complete, I ran dcdiags and netdiags and didn't get any errors (yeah!), I checked the DNS manager and found the necessary folders under the forward lookup zone (_msdcs, _sites, _tcp, _udp).
The network appears to be working fine (for the most part) on the machines that I removed from the domain and then added back. Though those machines seem to take an extra long time to "load user settings" or to "establish network connections".
I have not made the changes to DHCP yet, and I'm still trying to figure out why I need to re-create the client account on the PC once I re-establish the connection with the domain for that PC. ???
But all in all, everything seems to be moving along much better than before!

I had been working on this for about two weeks while dealing with other issues that the last IT person neglected.
Thanks much for the assistance from both of you!
Let me know if you have any other bit of information before I close this topic out...
thanks again,
cmr
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12533876
Hi

The chances are the client pc's just need to register their ip address in dns. So long as they are now pointing at the now functioning server as preferred dns server then you should be able to run the following command on them from a command prompt
ipconfig /registerdns

The only way you may run into trouble is if the pc's are picking up different addresses from the router in dhcp. DHCP servers aren't usually bright enough to know which pc has which address, so it's always better to just use one dhcp unless scopes are configured to provide redundancy. DHCP on the server can update the clients ip in dns, so running it from the server is always the best option.
Glad things are looking better,
Deb :))
0
 

Author Comment

by:nmcmr
ID: 12538392
thanks a bunch I'll try those changes and let you know if I have any other issues....

cmr
0
 

Author Comment

by:nmcmr
ID: 12542860
I removed the DHCP from the server, but before that I started having issues with a couple of users who weren't able to access the website that has the same domain name.
It appears as though they can connect now after running the below commands again- but I'm wondering what if it happens again...? any suggestions?
I greatly appreciate your continued assistance on this.
cmr

----------------------------------
a Side note: I made some other configuration changes to the server and rebooted, I got these errors  in the event log.

Description: Registration of the DNS record 'DOMAIN.COM. 600 IN A 10.0.0.2' failed with the following error: DNS operation refused.  
---------------------------------------
Description:Registration of the DNS record '_ldap._tcp.DOMAIN.COM. 600 IN SRV 0 100 389 zeus.DOMAIN.COM.' failed with the following error: DNS operation refused.  
------------------------------------
Description:Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.
---------------------------------------
then I ran "dcdiag /fix" again- here are the results

 Starting test: systemlog
    An Error Event occured.  EventID: 0x0000168E
       Time Generated: 11/10/2004   03:31:38
       Event String: Registration of the DNS record
    An Error Event occured.  EventID: 0x0000168E
       Time Generated: 11/10/2004   03:31:38
       Event String: Registration of the DNS record
    ......................... ZEUS failed test systemlog

----------------------------------------
and then ran "netdiag /fix" again.

    Computer Name: ZEUS
    DNS Host Name: zeus.DOMAIN.COM
Netcard queries test . . . . . . . : Passed
Per interface results:
    Adapter : Local Area Connection
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : zeus.DOMAIN.COM
        IP Address . . . . . . . . : 10.XX.XX.XX
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 10.XX.XX.XX
        Dns Servers. . . . . . . . : 10.XX.XX.XX
                                     205.XX.XX.XX
                                     205.XX.XX.XX
        AutoConfiguration results. . . . . . : Passed
        Default gateway test . . . : Passed
        NetBT name test. . . . . . : Passed
        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interfac
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{B962D596-0D22-4F22-B477-44F475CA85FD}
    1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
   PASS - All the DNS entries for DC are registered on DNS server
Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{B962D596-0D22-4F22-B477-44F475CA85FD}
    The redir is bound to 1 NetBt transport.
    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{B962D596-0D22-4F22-B477-44F475CA85FD}
    The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
    No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
    Directory IPSec Policy Active: 'Client (Respond Only)'
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 800 total points
ID: 12544469

These DNS Servers aren't really necessary in your settings:

205.XX.XX.XX
205.XX.XX.XX

If you need to resolve external queries your Internal DNS can either use Root Hints or the above addresses as forwarders inside the DNS configuration.

By default Root Hints is setup, so you shouldn't really need to make any changes there if you don't want to.

You may need to add an entry to your internal DNS for www.domain.com and point it to the public IP Address if Internal users are having problems finding it.
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12544885

Agree with the unnecessary dns entries as Chris has said. You can run into trouble with root hints though if you use a firewall as you'll need to ensure you permit dns on tcp/udp 53 fully out of your network. If you configure forwarders then the only place your isp's name servers should appear is listed under the forwarders (you need to delete the root "." in 2000 server dns to configure forwarders). You can then permit tcp/udp 53 to your isp's nameservers through the firewall.

If your clients are pointing to your internal dns server as preferred dns server only (and really they should be) then they won't be able to resolve the external domain name if it's the same as your internal domain name. All you need to do though is to add the www entry in your forward lookup zone on the server as Chris described.
0
 

Author Comment

by:nmcmr
ID: 12548749
That all appears to have resolved my issues- much thanks!
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12548811
Great :))
0
