Solved

Unable to resolve target system name

Posted on 2006-06-23
14
18,508 Views
Last Modified: 2013-01-10
Hi, got a curious DNS (I assume) problem which started a few days ago...

I have a network which has 4 DNS Servers, 2 at Head Office and 1 each at 2 remote sites.
They are active directory integrated zones and appear to be replicating correctly.

My laptop is pointed at the DNS servers at Head Office and I was unable access www.microsoft.com and also seemed to be getting a higher than normal number of pages which will not display until the refresh button is pressed, if I pointed my laptop at the DNS forwarder address listed in my DNS, at an external DNS address (e.g.: my ISP) OR to one of my INTERNAL DNS servers at one of the REMOTE sites I had no problems.

It only seemed to be the site mentioned (i.e.: I could get to www.support.micorsoft.com for example)

When I ping/tracert www.microsoft.com I get 'unable to resolve name' (while MS seems to disable ping response I should at lest get the first few hops of the tracert cmd)

My Head Office DNS servers don't seem to be doing the recursive query for this site correctly but why oh why only this site, surely even if all else fails the root hints should do the job?

The following day, came in the morning and could get the microsoft site, also got tracert responses through lb1.www.ms.akadns.net [207.46.19.60] until MS kills the ping.

Today I can get www.microsoft.com but not www.symantec.com with a tracert response of 'Unable to resolve target system name', however when set my secondary DNS to be one of my remote sites (remember, Integrated AD DNS) it all works fine, get a ping response and can tracert...

Can someone point me in the right direction for more investigation...?
0
Comment
Question by:SNRequip
  • 6
  • 2
  • 2
  • +3
14 Comments
 
LVL 43

Expert Comment

by:Steve Knight
Comment Utility
Weird.  Is there any issue with firewall rules allowing that server out to the internet -- maybe rules only allow that server to one of it's forwarders but the other servers are allowed out to any?  Unlikely I know...
0
 
LVL 30

Expert Comment

by:ded9
Comment Utility
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
What do you have listed as forwarders in each of your 4 DNS servers?
What do you have listed as the primary dns server in the individual TCP/IP settings on each DNS server?
This FAQ might help:
http://support.microsoft.com/kb/291382

More links that might help:

How to troubleshoot DNS name resolution on the Internet in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;816567

Windows 2000 DNS - Diagnosing Name Resolution Problems
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_zvri.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;316341

Windows 2000 DNS - Solving other common DNS problems
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_ibxf.asp
0
 

Author Comment

by:SNRequip
Comment Utility
Hi Lrmoore,

Only one of my DNS servers had a forwarder, the rest relied on Root Hits file, I changed the forwarder on the on that had it to my ISP's DNS but no joy.

I am running AD integrated DNS so the DNS Servers are located on Domain Controllers, so they are pointing at themselves (either 127.0.0.1 or their own IP Address)

If it is a cache corruption then it has to have occurred on both Head Office Servers as neither will resolve the names.

My ISP which also looks after the configuration on our Firewalls & Routers swear blind that everything is ok, they have done some work on the their core network however our remote sites also run through that location to reach the Internet...

For the hell of it I may reload the cache files as suggessted in one of the articles...

0
 
LVL 30

Expert Comment

by:ded9
Comment Utility
did you check my links
0
 

Author Comment

by:SNRequip
Comment Utility
Yeap,

Link 1) as mentioned in my first post tried tracert/ping which seems to point to a DNS issue
Link 2) we have internet access but with a higher than normal number of refresh and some fairly random unable to access errors, also re-reading my post I should have been more specific, this doesn't just affect my PC, all PCs pointing to these servers have the problem, no one is complaining because so far they seem to be sites that the average using doesn't require (i.e. www.micorsoft.com or www.symantec.com) or they are passing it of as odd behviour but not bothering to report it.
Link 3) unfortunately not a lot of use, I have already added the destination to the hosts file and it found the site but this doesn't help me to correct the problem with my DNS Servers

I will change my DHCP Servers to give a 'good' internal DNS as the secondary which should stop peoples stress levels rising to high (except for those on static IP addresses) while I try to figure out what is going wrong...
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 13

Expert Comment

by:prashsax
Comment Utility
Few things while setting DNS servers.

You said you have 4 DNS servers.

2 in one location and 1 each at other 2 remote sites.

Now each 3 locations will have their individual internet connections with different ISP(Or can be same ISP).

Now, why don't you put forwarders on atleast one DNS server at head office and on both remote site DNS servers.

These forwarders will be DNS server provided by ISP at each location.

Also, make sure, In Network Settings, each server should point itself as primary DNS server and any of the other internal DNS server as secondary.

With these settings, you must ensure that local firewall at each site should allow UDP/53 to forwarded DNS server IP addresses.
0
 

Author Comment

by:SNRequip
Comment Utility
Physically our sites are linked individually to the Internet by the same ISP, logically they are part of a VPN that accesses the Internet via a core location (which is hosted by our ISP and physically seperate from all our sites).

Tried putting our ISP DNS Server as a forwarder on the DNS Server at Head Office, no change in results, the two remote sites are quite happily resolving queries correctly and efficiently without forwarders.

The DNS Servers at Head Office where pointing at themselves as the primary and the other as the secondary, I have to admit I had not tried pointing them at one of our DNS servers at a remote location, did this and the DNS server can resolve some of the problem URLs e.g. www.symantec.com and gets a tracert response in 7 hops however my laptop which points at the Head Office DNS still cannot resolve the name and gets through 14 hops and then starts getting a timed out message, which is well outside my netwrk...!

After the initial hops which are my internal network both traces diverge through different paths...

I did flush the dns cache on both the DNS Server and my local PC.

I would assume that as our site has been opperating for several years ok that UDP/53 is configured correctly however will double check with our ISP.

Also, I thought that the secondary DNS was only used if the primary was unavailable, the primary is available, just giving some weird results so why does it make a difference when I make the secondary DNS the one at my remote site...

Curiouser & curiouser...

Anyway, beers are on the balcony so I will be leaving this for the day...
0
 

Author Comment

by:SNRequip
Comment Utility
Hi All,

It looks like I have resolved the problem (touch wood), having checked the DNS logs I found I was getting an occassional [8281   DR SERVFAIL] entry, it appears that DNS 2003 by default advertises that it can recieve MTU's greater than 512kb which causes some PIX firewalls to choke, I used dnscmd /Config /EnableEDnsProbes 0 to turn off this feature and can access www.symantec.com now...

Thanks for your assistance, hope this info is of use.

Rgds,
SNRequip
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
There is another solution for the PIX to allow greater than 512k with the fixup
  fixup protocol dns maximum-length 768  (512 is default)
0
 

Author Comment

by:SNRequip
Comment Utility
Did consider that, it would seem that it is only Head Office that has the problem, waiting for my ISP (who manage our PIX) whether there is a different setting for our Head Office, however it seems from reading that some had tried configuring their PIX but still had flakey (even if less so than before) results.
0
 

Author Comment

by:SNRequip
Comment Utility
The solution is as stated in my post on 07/11, I have set our DNS Servers to not advertise that they can accept an MTU of greater than 512kb.
0
 
LVL 5

Accepted Solution

by:
Netminder earned 0 total points
Comment Utility
Closed, 500 points refunded.
Netminder
Site Admin
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now