yessirnosir asked:
How to Force DNS update on W2K Server?

I'm over my head with a DNS issue with W2K.  I'm helping a small business change their third party e-mail provider; I made the changes to MX records and CNAME records on Saturday night using the public website hosting company's DNS configuration tool.  Within a few hours everything was working just fine from my office:  nslookup and ping tests all pointed to the new e-mail servers, and I successfully configured MS Outlook to send/receive some test messages.  But this morning the client arrived at his office, and he couldn't access the new mail servers from there.  Ping tests from his office showed that his DNS was still mapping mail.theirdomain.com to the old mail server, now 36 hours after the zone records had been updated.    I'm thinking that the problem is something about his local W2K network DNS not receiving or not accepting the DNS updates that should have propagated everywhere by now.  I don't have any experience with troubleshooting server DNS settings, I am thinking I need to find a way to force his local DNS to refresh itself, but would appreciate it if someone could give me a few pointers to make sure I'm headed in the right direction.
SysExpert replied:

Did you point his DNS forwarders to the new DNS email provider?

Did you try dnsstuff.com and do a DNS report?

Did you run any local DNS checks on AD?

Here is a list of good tools, including a DNS checker.

Many of the following tools were included in previous Windows Resource Kits, but are now part of the Windows 2000 Support Tools, located on the Windows 2000 operating system CD-ROM in the \support directory. The Support Tools must be installed separately from the Windows 2000 operating system.

Each Support Tool is listed below by its filename and, where it has one, its friendly name, to facilitate finding the tool.

Acldiag.exe (ACL Diagnostics): Outputs information on security attributes on Active Directory objects.
ADSI Edit: Microsoft Management Console snap-in that acts as a low-level editor for Active Directory.
Apmstat.exe (Advanced Power Management Status): Determines a computer's ability to exploit power management features in Windows 2000.
Browstat.exe (Browser Status): General purpose network-browser diagnostic tool.
Clonepr.dll (ClonePrincipal): Creates clones of Windows NT 4.0 users and groups and migrates them to Windows 2000.
Depends.exe (Dependency Walker): Displays a hierarchical diagram of the dependent modules of an executable or DLL.
Dfsutil.exe (Distributed File System Utility): Helps administrators diagnose the Distributed File System from the command prompt.
Dnscmd.exe (DNS Server Troubleshooting Tool): Enables the user to administer and obtain statistics from local and remote DNS servers.
Dommig.doc (Planning Migration from Microsoft Windows NT to Microsoft Windows 2000): Guides administrators through the planning process for migrating Windows NT domains to Windows 2000.
Dsacls.exe: Facilitates management of access-control lists for directory services.
Dsastat.exe (Active Directory Diagnostic Tool): Compares and detects differences between naming contexts on domain controllers.
Dskprobe.exe (DiskProbe): Allows users with Administrator privileges to directly edit, save and copy data on the physical hard drive that is not accessible in any other way.
Dumpchk.exe: Verifies that a memory dump file has been created correctly.
Filever.exe: Displays version information on executable files.
Gflags.exe (Global Flags Editor): Allows the user to edit NtGlobalFlag settings for the Windows 2000 operating system.
Kill.exe (Task Killing Utility): Allows the user to terminate selected tasks or processes.
Ksetup.exe (Kerberos Setup): Configures a computer for using a non-Windows-based Kerberos realm.
Ktpass.exe (Kerberos Keytab Setup): Configures an account for a non-Windows-based Kerberos service and generates a keytab.
Ldp.exe (Active Directory Administration Tool): Allows users to perform LDAP operations against any LDAP-compatible directory such as Active Directory.
Memsnap.exe (Memory Profiling Tool): Takes a snapshot of memory resources consumed by running processes.
Movetree.exe (Active Directory Object Manager): Moves an Organizational Unit from one domain tree to another.
Msicuu.exe (Windows Installer Cleanup Utility): Removes registry settings for applications installed with Windows Installer.
Msizap.exe (Windows Installer Zapper): Removes registry settings for applications installed with Windows Installer.
Netdiag.exe (Network Connectivity Tester): Tests the state and functionality of a network client.
Netdom.exe (Windows 2000 Domain Manager): Enables administrators to manage domains.
Nltest.exe: Administers and tests domains and user accounts.
Pmon.exe (Process Resource Monitor): Shows per-process usage of CPU and memory.
Poolmon.exe: Monitors memory tags, including total paged and non-paged pool bytes.
PPTP Ping (Point-to-Point Tunneling Protocol Ping Utilities): Verifies that the required protocol and port for Point-to-Point Tunneling Protocol are being routed from a PPTP client to a PPTP server.
Pviewer.exe (Process Viewer): Displays information about a running process and allows you to stop it.
Reg.exe (Registry Management Utility): Manipulates registry entries on local or remote computers from the command prompt.
Remote.exe (Remote Command Line): Runs command-line programs on remote computers.
Repadmin.exe (Replication Diagnostics Tool): Assists administrators in diagnosing replication problems between Windows 2000 domain controllers.
Replmon.exe (Active Directory Replication Monitor): Displays replication topology, status and performance of Active Directory domain controllers.
Rsdiag.exe (Remote Storage Diagnostic Utility): Examines Remote Storage (HSM) databases and displays diagnostic information.
Rsdir.exe (Remote Storage File Information Utility): Examines Remote Storage reparse points and displays Remote Storage information for files.
Sdcheck.exe (Security Descriptor Check Utility): Displays the security descriptor for an object, including any inherited ACLs, as well as the security descriptor metadata.
Search.vbs: Performs a search against an LDAP (Lightweight Directory Access Protocol) server.
SIDWalker (Security Administration Tools): Manages access-control policies.
Snmputilg.exe (SNMP Troubleshooting Tool): Queries a Simple Network Management Protocol host or community for Management Information Base values from a graphical user interface.
Tlist.exe (Task List Viewer): Displays a list of IDs, names, and windows of processes running on the local computer.
W2000msgs.chm (Windows 2000 Error and Event Messages Help): Provides explanations of Windows 2000 error messages.
Windiff.exe (File and Directory Comparison): Compares two text files or folders and displays differences.
Wsremote.exe (Winsock Remote Console): Starts a console application on the server and connects to it from the client using sockets or named pipes.
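The "local DNS check" SysExpert asks about comes down to one question: does the office DNS server answer the same way the domain's public name servers do, and how long will it keep whatever it has cached? The following is an added example, not part of SysExpert's post and not one of the Support Tools: a stdlib-only Python client that sends the same query to two servers and shows the answers with their TTLs side by side. The two server addresses in the main block are placeholders (assumed), the reply in constructed_reply() is hand-built test data rather than captured traffic, and the host names it contains (pop.mailhost.example) are made up for the example. The client checks the reply's transaction ID so a stray or spoofed datagram is not taken as the answer; it does not retry over TCP if a reply is truncated.

```python
"""Ask the office DNS server and a public name server the same question and
show the answers side by side, with TTLs. Added example (stdlib only), not
code from the thread; server addresses in main are placeholders (assumed)."""
import random
import socket
import struct

QTYPES = {"A": 1, "CNAME": 5, "MX": 15}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name):
    """Encode 'mail.theirdomain.com' as length-prefixed DNS labels."""
    out = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txid):
    """One question, recursion desired (flags 0x0100), IN class."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPES[qtype], 1)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data):
    """Return (rcode, [(name, type, ttl, rdata), ...]) from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1:
            rdata = socket.inet_ntoa(data[offset:offset + 4])
        elif rtype == 5:
            rdata, _ = read_name(data, offset)
        elif rtype == 15:
            pref = struct.unpack(">H", data[offset:offset + 2])[0]
            rdata = f"{pref} {read_name(data, offset + 2)[0]}"
        else:
            rdata = data[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, rdata))
    return flags & 0x000F, answers


def query(server, name, qtype, timeout=3.0):
    """Send one UDP query to `server` (needs the network) and parse the reply."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != txid:  # reject stray or spoofed replies
        raise ValueError("reply transaction id does not match our query")
    return parse_response(data)


def diff_answers(lan, public):
    """(type, rdata) pairs that only one side returned."""
    lan_set = {(t, r) for _, t, _, r in lan}
    pub_set = {(t, r) for _, t, _, r in public}
    return {"lan_only": lan_set - pub_set, "public_only": pub_set - lan_set}


def constructed_reply():
    """Hand-built reply (constructed test data, not captured traffic):
    mail.theirdomain.com CNAME pop.mailhost.example (TTL 86400), then
    pop.mailhost.example A 203.0.113.25 (TTL 300)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = encode_name("mail.theirdomain.com") + struct.pack(">HH", 1, 1)
    target = encode_name("pop.mailhost.example")
    rr1 = b"\xC0\x0C" + struct.pack(">HHIH", 5, 1, 86400, len(target)) + target
    target_off = len(header) + len(question) + 2 + 10  # where `target` sits
    rr2 = (struct.pack(">H", 0xC000 | target_off)
           + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("203.0.113.25"))
    return header + question + rr1 + rr2


if __name__ == "__main__":
    lan_dns, public_ns = "192.168.1.1", "198.51.100.53"  # placeholders (assumed)
    for qtype in ("A", "CNAME", "MX"):
        try:
            _, lan = query(lan_dns, "mail.theirdomain.com", qtype)
            _, pub = query(public_ns, "mail.theirdomain.com", qtype)
        except (OSError, ValueError) as exc:
            print(qtype, "query failed:", exc)
            continue
        print(qtype, "LAN:", lan, "public:", pub, diff_answers(lan, pub))
```

Run it from a workstation on the office LAN with the real server addresses filled in. If the LAN side returns an A record with a long TTL where the public side returns a CNAME to the provider, the office server is answering from its own zone data rather than caching the public answer, which is the case this thread ends up in; if it returns the public answer with a TTL counting down, it is simply caching and the entry will expire on its own.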

yessirnosir (asker) replied:
>Did you point his DNS forwarders to the new DNS email provider?
>Did you try dnsstuff.com and do a DNS report?
>Did you run any local DNS checks on AD?

I'm not sure what you mean by "point his DNS forwarders to the new DNS email provider".  What I did exactly was enter two new MX records for primary and secondary e-mail servers, and then two new CNAME records that map mail.theirdomain.com to the new pop server and email.theirdomain.com to the new webmail server.   The client was actually able to use his e-mail today from his laptop while connected to a network outside of his office, but not when his laptop is connected to his own LAN.

I just ran the dnsstuff.com test (both the overall test and the e-mail test) and everything looks good to me.  Mostly "pass" and a few warnings that don't look like a problem.      

No I didn't run any local DNS checks on AD because 1) I don't know what the heck I'm doing! and 2) I haven't even gone into their office yet...  I just  didn't anticipate that the changes I made would fail to propagate into his internal network automatically.  

The client did reboot his DSL modem, network switch, and server, hoping that might solve the problem, but no luck.    

One thing I wondered about is that the MX records have an 86400s time setting attached to them, which I take it means that they will only update once every 24 hours, so is it possible that I should just be patient and wait until tomorrow before concluding this hasn't worked?  We are still not at the 48 hour mark from when I made the changes.

If it isn't working tomorrow morning, I'm planning to make a house call at his office, so am hoping with all of your help to have a game plan of specific steps I need to do on his server to diagnose and fix the problem.
SOLUTION (SysExpert): available to members only; text not shown on this page.

yessirnosir (asker) replied:
Does the fact that the new DNS records have not yet propagated into his LAN suggest that his current server DNS settings are somehow incorrect?  Or is this normal behavior that an experienced server admin would have expected when changing external e-mail providers?  
One thing that bugged me the first time I saw the client's network setup (which was a turnkey installation about 5 years ago by a professional networking company) is that the internal network domain name is exactly the same as the public website address, i.e. "theirdomain.com".  I couldn't see any reason why the LAN in the office needed to have that domain name, because the web server and e-mail server are hosted by third parties anyway, and the only thing the LAN server in the office really does is file serving, backup, print serving, user administration, and network routing.  Now that there seems to be a DNS problem, I wonder if it has something to do with that double-usage of the domain name to refer to both the local and public faces of this company.  Is that an issue I should be concerned with?  
ASKER CERTIFIED SOLUTION: available to members only; text not shown on this page.
The same DNS for internal and external could lead to a problem as that is not the recommended config, unless you use local.domainname.com or similar.

You will need to take a look at the config, DHCP and all the DNS stuff.

Thanks FS... I think you must be right about static DNS entries; that would explain all the symptoms.    What I can't figure out is why static entries would have been set up in the first place, because if I understand some of the documentation SysExpert referenced (Like KB300202 How to Configure DNS for Internet Access in Windows 2000), I should be able to configure forwarders to external nameservers, rather than to the actual IP addresses of my mail and web hosts.  Then future changes to web or email hosts could be made without manually updating the server DNS setup.  It seems too easy; am I missing some key information that would make static DNS entries necessary?
SOLUTION: available to members only; text not shown on this page.
Chris has done a good job of explaining this. Let us know if you need additional info.
FS-

Hi guys... thanks for all your help .  I especially enjoyed reading about "Split Brain DNS", which accurately describes how my brain was feeling!

I went in this morning and thanks to your advice was able to get things working in just a few minutes, although I have a few follow-up questions if you don't mind:

1.  The existing configuration used "A" records in the DNS forward lookup zones to forward mail, www, and smtp to static external IP addresses.  I  read one tutorial (www.tek-tips.com/faqs.cfm?fid=3017) that said to use alias/CNAME entries to resolve the external website.  I wasn't clear about whether there were any advantages to using "A" or "CNAME", so I deleted the A records for mail and smtp and replaced them with CNAMEs mapped to the server names for the pop and smtp servers.   The www I left as is with an A record because the web host provides a static IP, but no corresponding FQDN as far as I know, plus I didn't need to change webhost, so that entry was working properly.  Any thoughts about whether using A's or CNAME's is the preferred approach, and why?  (eg. is one more reliable?)

2.  After making the changes, I flushed the DNS on the server and workstations, and immediately everything worked fine; was able to send and receive multiple test e-mails from both Outlook and webmail interfaces.  Life was good, the sun was shining, music filled the air --- then bam! just as I was packing up to leave, two of the workstations suddenly had an Outlook error -- couldn't find the incoming mail server.  Agh!  So I played with it for a couple of minutes, but didn't find anything wrong.  nslookup queries from the workstations seemed to point to the correct mail server.  I couldn't ping the mail server because the Cisco firewall apparently blocks outbound pings (why?), and I didn't have the time to figure out how to change that.  Then I logged into another workstation, and e-mail worked perfectly there.  So I went back to the original workstations, and they worked again too.  Spooky.   I suppose it is possible that the actual mail server was briefly unavailable, but that seems like a stretch because the mail provider is a major outfit with racks of servers handling this stuff.  Is there some reason why changed DNS settings might work for a few minutes, then not work, then work again???

3.  I didn't add any MX entries in the local DNS.  Am I right that there is no purpose for those on the local network, given that there are public MX records for mail servers to find?

4.  I noticed WINS in the list of running tasks on the server, and wondered if it was necessary.   At least one of the zillion webpages I looked at last night said something about conflicts between DNS and WINS, but presumably since this network has been running with almost no IT support for >5 years, DNS and WINS must be working side by side OK.  Should I have any concerns about it?

5.  The forward lookup zones include A records with static IP addresses for every workstation on the LAN, including a handful of entries for machines that don't even exist anymore.  (LAN is running static IPs, no DHCP).  It was really tempting to start nuking the obsolete entries, but I decided to stick to the "if it ain't broke, don't fix it" approach and left them alone.  Next time I'm there, can I just delete those entries with impunity?

Thanks.
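The reply above about running the same domain name inside and outside, and the asker's follow-up questions 1, 3 and 5, all come back to one fact about a "split-brain" zone: the office server is authoritative for theirdomain.com, so every public host name (www, mail, smtp, email) has to be kept in step by hand, and a fixed A record is exactly the kind of entry that goes stale when a provider changes. Two rules from the DNS standards also apply: a CNAME must be the only record at its name (RFC 1034), and an MX target must be a host name with an address record, never a CNAME (RFC 2181 section 10.3). The following is an added example, not part of any answer in the thread: a small auditor that reads a zone in the simple "name type data" form, compares it with what the public name servers say, and lists the entries a visit to the server should deal with. The zone text, the public answers, the LAN prefix and the host inventory are constructed sample data (the provider names newmail.example and the addresses are invented); the real inputs would be the server's forward lookup zone, nslookup answers from the domain's public name servers, and the office machine list. The stale-host check exists because on a static-IP LAN with no DHCP the zone is the only name registry there is, so an A record should be checked against an inventory rather than deleted on sight.

```python
"""Audit an internal copy of a public zone ("split-brain" DNS) for the problems
discussed in this thread. Added example, not code from the thread; the zone
text, public answers, LAN prefix and host list below are constructed samples."""
import ipaddress
from collections import defaultdict

ZONE = "theirdomain.com"
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")  # assumed office prefix

# Constructed sample of the office forward lookup zone for theirdomain.com.
INTERNAL_ZONE_TEXT = """
@       MX    10 smtp                 ; not needed here, and smtp is a CNAME
www     A     198.51.100.10
mail    A     203.0.113.5             ; old mail provider's address, left behind
smtp    CNAME smtp.newmail.example.
email   CNAME webmail.newmail.example.
email   A     203.0.113.9             ; a CNAME may not share its name with other data
pc01    A     192.168.1.21
pc02    A     192.168.1.22
oldpc   A     192.168.1.40            ; machine retired years ago
"""

# Constructed: what the public name servers answer after the provider change.
PUBLIC_ANSWERS = {
    "www.theirdomain.com": ("A", "198.51.100.10"),
    "mail.theirdomain.com": ("CNAME", "pop.newmail.example"),
    "smtp.theirdomain.com": ("CNAME", "smtp.newmail.example"),
    "email.theirdomain.com": ("CNAME", "webmail.newmail.example"),
}

# Constructed: machines that really exist on the LAN (static IPs, no DHCP).
LIVE_HOSTS = {"pc01": "192.168.1.21", "pc02": "192.168.1.22"}


def qualify(name, zone=ZONE):
    """Zone-file name ('@', relative, or absolute with trailing dot) to an FQDN."""
    name = name.lower()
    if name == "@":
        return zone
    return name[:-1] if name.endswith(".") else f"{name}.{zone}"


def parse_zone(text, zone=ZONE):
    """Parse 'name type data' lines into {fqdn: [(type, data), ...]}."""
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, rtype, data = line.split(None, 2)
        rtype = rtype.upper()
        if rtype == "CNAME":
            data = qualify(data, zone)
        elif rtype == "MX":
            pref, target = data.split()
            data = f"{pref} {qualify(target, zone)}"
        records[qualify(name, zone)].append((rtype, data))
    return dict(records)


def audit(records, public, live_hosts, zone=ZONE, lan=LAN_NETWORK):
    """Return sorted (kind, fqdn, detail) findings."""
    findings = []
    for name, rrs in records.items():
        types = {t for t, _ in rrs}
        host = name[:-len(zone) - 1] if name.endswith("." + zone) else name
        # RFC 1034: a CNAME must be the only record at its name.
        if "CNAME" in types and len(rrs) > 1:
            findings.append(("cname-conflict", name, "CNAME shares its name with other records"))
        for rtype, data in rrs:
            if rtype == "MX":
                # RFC 2181 s10.3: an MX target is a host with an address record, never a CNAME.
                target = data.split()[1]
                target_types = {t for t, _ in records.get(target, [])}
                if "CNAME" in target_types:
                    findings.append(("mx-target-cname", name, f"MX target {target} is a CNAME"))
                elif target in records and "A" not in target_types:
                    findings.append(("mx-target-no-a", name, f"MX target {target} has no A record"))
            elif rtype == "A" and ipaddress.ip_address(data) in lan:
                # LAN hosts: the zone is the only name registry, so check the inventory.
                if live_hosts.get(host) != data:
                    findings.append(("stale-host", name, f"{data} is not in the live host list"))
        # Names that also exist publicly are shadowed by the internal zone and
        # must be kept in step by hand; a fixed A record is what goes stale.
        if name in public:
            pub = public[name]
            internal = [(t, d) for t, d in rrs if t in ("A", "CNAME")]
            if pub not in internal:
                hint = ""
                if pub[0] == "CNAME" and "A" in types:
                    hint = "; use a CNAME to the provider's host name, not a fixed IP"
                findings.append(("shadow-mismatch", name, f"internal {internal} vs public {pub}{hint}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, fqdn, detail in audit(parse_zone(INTERNAL_ZONE_TEXT), PUBLIC_ANSWERS, LIVE_HOSTS):
        print(f"{kind:16} {fqdn:24} {detail}")
```

On the sample it reports the stale A record for mail (with the CNAME hint), the MX whose target is a CNAME, the email name carrying both a CNAME and an A, and the oldpc entry missing from the inventory; the www record matches the public answer and is left alone. A CNAME in the internal zone pointing at the provider's host name follows the provider's own address changes, which is why it needs less upkeep than an A record holding a fixed IP; the trade-off is one extra lookup, and it only works when the provider publishes a host name to point at.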
SOLUTION: available to members only; text not shown on this page.
Wow, thanks Chris for taking the time to provide all that extra detail.  Very helpful.

I have split the points between all three of you; with your help I actually looked like I had half a clue today.

 
Wow indeed. Chris rocks!

Glad you found it helpful :)

Chris