Solved

Unable to resolve target system name

Posted on 2006-06-23
14
19,112 Views
Last Modified: 2013-01-10
Hi, got a curious DNS (I assume) problem which started a few days ago...

I have a network which has 4 DNS Servers, 2 at Head Office and 1 each at 2 remote sites.
They are active directory integrated zones and appear to be replicating correctly.

My laptop is pointed at the DNS servers at Head Office and I was unable access www.microsoft.com and also seemed to be getting a higher than normal number of pages which will not display until the refresh button is pressed, if I pointed my laptop at the DNS forwarder address listed in my DNS, at an external DNS address (e.g.: my ISP) OR to one of my INTERNAL DNS servers at one of the REMOTE sites I had no problems.

It only seemed to be the site mentioned (i.e.: I could get to www.support.microsoft.com for example)

When I ping/tracert www.microsoft.com I get 'unable to resolve name' (while MS seems to disable ping response I should at least get the first few hops of the tracert cmd)

My Head Office DNS servers don't seem to be doing the recursive query for this site correctly but why oh why only this site, surely even if all else fails the root hints should do the job?

The following day, came in the morning and could get the microsoft site, also got tracert responses through lb1.www.ms.akadns.net [207.46.19.60] until MS kills the ping.

Today I can get www.microsoft.com but not www.symantec.com with a tracert response of 'Unable to resolve target system name', however when I set my secondary DNS to be one of my remote sites (remember, Integrated AD DNS) it all works fine, I get a ping response and can tracert...

Can someone point me in the right direction for more investigation...?
0
Question by:SNRequip
14 Comments
 
LVL 43

Expert Comment

by:Steve Knight
ID: 16967403
Weird.  Is there any issue with firewall rules allowing that server out to the internet -- maybe rules only allow that server to one of its forwarders but the other servers are allowed out to any?  Unlikely I know...
0
 
LVL 30

Expert Comment

by:ded9
ID: 16967481
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16968166
What do you have listed as forwarders in each of your 4 DNS servers?
What do you have listed as the primary dns server in the individual TCP/IP settings on each DNS server?
This FAQ might help:
http://support.microsoft.com/kb/291382

More links that might help:

How to troubleshoot DNS name resolution on the Internet in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;816567

Windows 2000 DNS - Diagnosing Name Resolution Problems
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_zvri.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;316341

Windows 2000 DNS - Solving other common DNS problems
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_ibxf.asp
0

 

Author Comment

by:SNRequip
ID: 16968651
Hi Lrmoore,

Only one of my DNS servers had a forwarder, the rest relied on the Root Hints file, I changed the forwarder on the one that had it to my ISP's DNS but no joy.

I am running AD integrated DNS so the DNS Servers are located on Domain Controllers, so they are pointing at themselves (either 127.0.0.1 or their own IP Address)

If it is a cache corruption then it has to have occurred on both Head Office Servers as neither will resolve the names.

My ISP which also looks after the configuration on our Firewalls & Routers swear blind that everything is ok, they have done some work on their core network however our remote sites also run through that location to reach the Internet...

For the hell of it I may reload the cache files as suggested in one of the articles...

0
 
LVL 30

Expert Comment

by:ded9
ID: 16968694
did you check my links
0
 

Author Comment

by:SNRequip
ID: 16969259
Yeap,

Link 1) as mentioned in my first post tried tracert/ping which seems to point to a DNS issue
Link 2) we have internet access but with a higher than normal number of refreshes and some fairly random unable to access errors, also re-reading my post I should have been more specific, this doesn't just affect my PC, all PCs pointing to these servers have the problem, no one is complaining because so far they seem to be sites that the average user doesn't require (i.e. www.microsoft.com or www.symantec.com) or they are passing it off as odd behaviour but not bothering to report it.
Link 3) unfortunately not a lot of use, I have already added the destination to the hosts file and it found the site but this doesn't help me to correct the problem with my DNS Servers

I will change my DHCP Servers to give a 'good' internal DNS as the secondary which should stop people's stress levels rising too high (except for those on static IP addresses) while I try to figure out what is going wrong...
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16969345
Few things while setting DNS servers.

You said you have 4 DNS servers.

2 in one location and 1 each at other 2 remote sites.

Now each of the 3 locations will have their individual internet connections with different ISPs (or can be the same ISP).

Now, why don't you put forwarders on at least one DNS server at head office and on both remote site DNS servers.

These forwarders will be DNS server provided by ISP at each location.

Also, make sure that in Network Settings each server points to itself as the primary DNS server and to any of the other internal DNS servers as secondary.

With these settings, you must ensure that the local firewall at each site allows UDP/53 to the forwarded DNS server IP addresses.
0
 

Author Comment

by:SNRequip
ID: 16969849
Physically our sites are linked individually to the Internet by the same ISP, logically they are part of a VPN that accesses the Internet via a core location (which is hosted by our ISP and physically separate from all our sites).

Tried putting our ISP DNS Server as a forwarder on the DNS Server at Head Office, no change in results, the two remote sites are quite happily resolving queries correctly and efficiently without forwarders.

The DNS Servers at Head Office were pointing at themselves as the primary and the other as the secondary, I have to admit I had not tried pointing them at one of our DNS servers at a remote location, did this and the DNS server can resolve some of the problem URLs e.g. www.symantec.com and gets a tracert response in 7 hops however my laptop which points at the Head Office DNS still cannot resolve the name and gets through 14 hops and then starts getting a timed out message, which is well outside my network...!

After the initial hops which are my internal network both traces diverge through different paths...

I did flush the dns cache on both the DNS Server and my local PC.

I would assume that as our site has been operating for several years ok that UDP/53 is configured correctly however will double check with our ISP.

Also, I thought that the secondary DNS was only used if the primary was unavailable, the primary is available, just giving some weird results so why does it make a difference when I make the secondary DNS the one at my remote site...

Curiouser & curiouser...

Anyway, beers are on the balcony so I will be leaving this for the day...
0
 

Author Comment

by:SNRequip
ID: 17080050
Hi All,

It looks like I have resolved the problem (touch wood), having checked the DNS logs I found I was getting an occasional [8281   DR SERVFAIL] entry, it appears that DNS 2003 by default advertises that it can receive MTUs greater than 512kb which causes some PIX firewalls to choke, I used dnscmd /Config /EnableEDnsProbes 0 to turn off this feature and can access www.symantec.com now...

Thanks for your assistance, hope this info is of use.

Rgds,
SNRequip
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17080649
There is another solution for the PIX to allow greater than 512k with the fixup
  fixup protocol dns maximum-length 768  (512 is default)
0
 

Author Comment

by:SNRequip
ID: 17080677
Did consider that, it would seem that it is only Head Office that has the problem, waiting for my ISP (who manage our PIX) to say whether there is a different setting for our Head Office, however it seems from reading that some had tried configuring their PIX but still had flaky (even if less so than before) results.
0
 

Author Comment

by:SNRequip
ID: 17088398
The solution is as stated in my post on 07/11, I have set our DNS Servers to not advertise that they can accept an MTU of greater than 512kb.
0
 
LVL 5

Accepted Solution

by:
Netminder earned 0 total points
ID: 17118354
Closed, 500 points refunded.
Netminder
Site Admin
0
