Unable to resolve target system name

Hi, got a curious DNS (I assume) problem which started a few days ago...

I have a network which has 4 DNS Servers, 2 at Head Office and 1 each at 2 remote sites.
They are active directory integrated zones and appear to be replicating correctly.

My laptop is pointed at the DNS servers at Head Office and I was unable to access www.microsoft.com, and also seemed to be getting a higher than normal number of pages which will not display until the refresh button is pressed. If I pointed my laptop at the DNS forwarder address listed in my DNS, at an external DNS address (e.g.: my ISP) OR at one of my INTERNAL DNS servers at one of the REMOTE sites, I had no problems.

It only seemed to be the site mentioned (i.e.: I could get to www.support.microsoft.com for example).

When I ping/tracert www.microsoft.com I get 'unable to resolve name' (while MS seems to disable ping response I should at least get the first few hops of the tracert cmd).

My Head Office DNS servers don't seem to be doing the recursive query for this site correctly but why oh why only this site, surely even if all else fails the root hints should do the job?

The following day, came in the morning and could get the microsoft site, also got tracert responses through lb1.www.ms.akadns.net [] until MS kills the ping.

Today I can get www.microsoft.com but not www.symantec.com, with a tracert response of 'Unable to resolve target system name', however when I set my secondary DNS to be one of my remote sites (remember, Integrated AD DNS) it all works fine, I get a ping response and can tracert...

Can someone point me in the right direction for more investigation...?
Netminder (Site Admin) Commented:
Closed, 500 points refunded.
Steve Knight (IT Consultancy) Commented:
Weird.  Is there any issue with firewall rules allowing that server out to the internet -- maybe rules only allow that server to one of its forwarders but the other servers are allowed out to any?  Unlikely I know...
What do you have listed as forwarders in each of your 4 DNS servers?
What do you have listed as the primary dns server in the individual TCP/IP settings on each DNS server?
This FAQ might help:

More links that might help:

How to troubleshoot DNS name resolution on the Internet in Windows Server 2003

Windows 2000 DNS - Diagnosing Name Resolution Problems

Windows 2000 DNS - Solving other common DNS problems
SNRequip (Author) Commented:
Hi Lrmoore,

Only one of my DNS servers had a forwarder, the rest relied on the Root Hints file. I changed the forwarder on the one that had it to my ISP's DNS but no joy.

I am running AD integrated DNS so the DNS Servers are located on Domain Controllers, so they are pointing at themselves (either or their own IP Address)

If it is a cache corruption then it has to have occurred on both Head Office Servers as neither will resolve the names.

My ISP, which also looks after the configuration on our Firewalls & Routers, swear blind that everything is ok. They have done some work on their core network, however our remote sites also run through that location to reach the Internet...

For the hell of it I may reload the cache files as suggested in one of the articles...

Did you check my links?
SNRequip (Author) Commented:

Link 1) As mentioned in my first post, I tried tracert/ping, which seems to point to a DNS issue.
Link 2) We have internet access but with a higher than normal number of refreshes and some fairly random unable-to-access errors. Also, re-reading my post, I should have been more specific: this doesn't just affect my PC, all PCs pointing to these servers have the problem. No one is complaining because so far they seem to be sites that the average user doesn't require (i.e. www.microsoft.com or www.symantec.com), or they are passing it off as odd behaviour but not bothering to report it.
Link 3) Unfortunately not a lot of use. I have already added the destination to the hosts file and it found the site, but this doesn't help me to correct the problem with my DNS Servers.

I will change my DHCP Servers to give a 'good' internal DNS as the secondary, which should stop people's stress levels rising too high (except for those on static IP addresses) while I try to figure out what is going wrong...
A few things to check when setting up DNS servers.

You said you have 4 DNS servers.

2 in one location and 1 each at other 2 remote sites.

Now each of the 3 locations will have its own internet connection with a different ISP (or it can be the same ISP).

Now, why don't you put forwarders on at least one DNS server at head office and on both remote site DNS servers.

These forwarders will be the DNS servers provided by the ISP at each location.

Also, make sure that in Network Settings each server points to itself as primary DNS server and to any of the other internal DNS servers as secondary.

With these settings, you must ensure that the local firewall at each site allows UDP/53 to the forwarded DNS server IP addresses.
SNRequip (Author) Commented:
Physically our sites are linked individually to the Internet by the same ISP; logically they are part of a VPN that accesses the Internet via a core location (which is hosted by our ISP and physically separate from all our sites).

Tried putting our ISP DNS Server as a forwarder on the DNS Server at Head Office, no change in results. The two remote sites are quite happily resolving queries correctly and efficiently without forwarders.

The DNS Servers at Head Office were pointing at themselves as the primary and the other as the secondary. I have to admit I had not tried pointing them at one of our DNS servers at a remote location. Did this and the DNS server can resolve some of the problem URLs, e.g. www.symantec.com, and gets a tracert response in 7 hops, however my laptop which points at the Head Office DNS still cannot resolve the name and gets through 14 hops and then starts getting a timed out message, which is well outside my network...!

After the initial hops which are my internal network both traces diverge through different paths...

I did flush the dns cache on both the DNS Server and my local PC.

I would assume that as our site has been operating for several years ok that UDP/53 is configured correctly, however I will double check with our ISP.

Also, I thought that the secondary DNS was only used if the primary was unavailable, the primary is available, just giving some weird results so why does it make a difference when I make the secondary DNS the one at my remote site...

Curiouser & curiouser...

Anyway, beers are on the balcony so I will be leaving this for the day...
SNRequip (Author) Commented:
Hi All,

It looks like I have resolved the problem (touch wood). Having checked the DNS logs I found I was getting an occasional [8281   DR SERVFAIL] entry. It appears that DNS 2003 by default advertises that it can receive MTUs greater than 512kb, which causes some PIX firewalls to choke. I used dnscmd /Config /EnableEDnsProbes 0 to turn off this feature and can access www.symantec.com now...

Thanks for your assistance, hope this info is of use.

There is another solution for the PIX to allow greater than 512k with the fixup
  fixup protocol dns maximum-length 768  (512 is default)
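The two fixes above come at the same symptom from opposite sides: the Windows DNS server advertising, through an EDNS0 OPT record, that it can accept UDP replies larger than the classic 512-byte limit, and the PIX "fixup protocol dns maximum-length" value deciding how large a DNS reply the firewall will pass. The following is an added diagnostic example, not code from the thread or from any of its participants: it parses a raw DNS message, reports the UDP payload size advertised in the OPT record (if any), the RCODE (so a SERVFAIL is visible), and whether the message would exceed a given firewall maximum length. The sample query and replies it builds are constructed inline; the 4096-byte advertised size and the TXT padding are assumptions used only to make the size check meaningful, not values taken from the thread.

```python
"""Inspect a raw DNS message for EDNS0 advertised UDP size and firewall-length problems.

Added example (not from the original thread). Message layout follows RFC 1035;
the OPT pseudo-record follows RFC 6891, which stores the requester's UDP payload
size in the CLASS field of a TYPE=41 record in the additional section.
"""
from __future__ import annotations

import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
OPT_TYPE = 41          # EDNS0 OPT pseudo-record
TXT_TYPE = 16
CLASSIC_UDP_MAX = 512  # pre-EDNS UDP reply limit; the PIX fixup default quoted in the thread


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.strip(".").split("."))
    return out + b"\x00"


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset just past it."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels) or ".", end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def _opt_record(udp_size: int) -> bytes:
    # Owner name ".", TYPE=41, CLASS=advertised UDP payload size, TTL=extended flags (0), RDLEN=0
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)


def build_query(qname: str, edns_udp_size: int | None = None) -> bytes:
    """Constructed sample: an A query, optionally carrying an EDNS0 OPT record."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    msg += _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return msg + (_opt_record(edns_udp_size) if edns_udp_size else b"")


def build_response(qname: str, txt_payloads: list[bytes], rcode: int = 0,
                   edns_udp_size: int | None = 4096) -> bytes:
    """Constructed sample: a reply padded with TXT records (each payload < 256 bytes)."""
    flags = 0x8180 | (rcode & 0xF)                     # QR, RD, RA set; RCODE in low nibble
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(txt_payloads), 0, 1 if edns_udp_size else 0)
    msg += _encode_name(qname) + struct.pack("!HH", 1, 1)
    for payload in txt_payloads:
        rdata = bytes([len(payload)]) + payload       # one TXT character-string
        # Owner name is a pointer (0xC00C) back to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TXT_TYPE, 1, 300, len(rdata)) + rdata
    return msg + (_opt_record(edns_udp_size) if edns_udp_size else b"")


def inspect_dns_message(msg: bytes, firewall_max: int = CLASSIC_UDP_MAX) -> dict:
    """Walk header, questions and all resource records; pull out the fields a DNS
    troubleshooter cares about when a firewall may be dropping large replies."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = _read_name(msg, offset)
        qtype, _qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append((name, qtype))
    edns_udp_size = None
    for _ in range(an + ns + ar):
        _name, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        if rtype == OPT_TYPE:
            edns_udp_size = rclass                     # CLASS field doubles as UDP payload size
        offset += rdlen
    rcode = flags & 0xF
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
        "questions": questions,
        "edns_udp_size": edns_udp_size,
        "length": len(msg),
        "exceeds_firewall_max": len(msg) > firewall_max,
    }


if __name__ == "__main__":
    print(inspect_dns_message(build_query("www.symantec.com", 4096)))
    big = build_response("www.symantec.com", [b"x" * 200] * 3)
    print(inspect_dns_message(big))                    # over 512 bytes: dropped by default fixup
    print(inspect_dns_message(big, firewall_max=768))  # passes once maximum-length is raised
```

Fed a packet capture taken on the DNS server's interface, the same parser shows both halves of the problem described in this thread: outgoing queries whose OPT record advertises a size above 512 (what turning off EDNS probes removes) and incoming replies whose length exceeds the firewall's DNS maximum-length setting (what raising the fixup value allows through). A reply that never arrives will of course not be in the capture; the SERVFAIL the server logs is then the only visible trace.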
SNRequip (Author) Commented:
Did consider that. It would seem that it is only Head Office that has the problem; waiting to hear from my ISP (who manage our PIX) whether there is a different setting for our Head Office. However it seems from reading that some had tried configuring their PIX but still had flakey (even if less so than before) results.
SNRequip (Author) Commented:
The solution is as stated in my post on 07/11, I have set our DNS Servers to not advertise that they can accept an MTU of greater than 512kb.