Solved

How to Force DNS update on W2K Server?

Posted on 2006-11-06
16
12,821 Views
Last Modified: 2012-05-05
I'm over my head with a DNS issue with W2K.  I'm helping a small business change their third party e-mail provider; I made the changes to MX records and CNAME records on Saturday night using the public website hosting company's DNS configuration tool.  Within a few hours everything was working just fine from my office:  nslookup and ping tests all pointed to the new e-mail servers, and I successfully configured MS Outlook to send/receive some test messages.  But this morning the client arrived at his office, and he couldn't access the new mail servers from there.  Ping tests from his office showed that his DNS was still mapping mail.theirdomain.com to the old mail server, now 36 hours after the zone records had been updated.    I'm thinking that the problem is something about his local W2K network DNS not receiving or not accepting the DNS updates that should have propagated everywhere by now.  I don't have any experience with troubleshooting server DNS settings, I am thinking I need to find a way to force his local DNS to refresh itself, but would appreciate it if someone could give me a few pointers to make sure I'm headed in the right direction.
Question by:yessirnosir
16 Comments
 
LVL 63

Expert Comment

by:SysExpert
Did you point his DNS forwarders to the new DNS  email provider  ?

Did you try dnsstuff.com and do a DNS report?

Did you run any local DNS checks on AD ?

0
 
LVL 63

Expert Comment

by:SysExpert
here is a list of good tools including a DNS checker.

Many of the following tools were included in previous Windows Resource Kits, but are now part of the Windows 2000 Support Tools, located on the Windows 2000 operating system CD-ROM in the \support directory. The Support Tools must be installed separately from the Windows 2000 operating system.

Each Support Tool is listed below by both its filename and its friendly name, if it has one, to facilitate finding the tool.

Tool Description
Acldiag.exe: ACL Diagnostics  Outputs information on security attributes on Active Directory objects.
Active Directory Replication Monitor (Replmon.exe)  Displays replication topology, status and performance of Active Directory domain controllers.
Advanced Power Management Status (Apmstat.exe)  Determines a computer's ability to exploit power management features in Windows 2000.
ADSI Edit  Microsoft Management Console snap-in that acts as a low-level editor for Active Directory.
Apmstat.exe: Advanced Power Management Status  Determines a computer's ability to exploit power management features in Windows 2000.
Browstat.exe: Browser Status  General purpose network-browser diagnostic tool.
Clonepr.dll: ClonePrincipal  Creates clones of Windows NT 4.0 users and groups and migrates them to Windows 2000.
Depends.exe: Dependency Walker  Displays a hierarchical diagram of the dependent modules of an executable or DLL.
Dfsutil.exe: Distributed File System Utility Helps administrators diagnose the Distributed File System from the command prompt.
DiskProbe (Dskprobe.exe)  Allows users with Administrator privileges to directly edit, save and copy data on the physical hard drive that is not accessible in any other way.
Distributed File System Utility (Dfsutil.exe) Helps administrators diagnose the Distributed File System from the command prompt.
Dnscmd.exe: DNS Server Troubleshooting Tool  Enables user to administer and obtain statistics from local and remote DNS servers.
Dommig.doc: Planning Migration from Microsoft Windows NT to Microsoft Windows 2000  Guides administrators through the planning process for migrating Windows NT domains to Windows 2000.
Dsacls.exe  Facilitates management of access-control lists for directory services.
Dsastat.exe: Active Directory Diagnostic Tool  Compares and detects differences between naming contexts on domain controllers.
Dskprobe.exe: DiskProbe  Allows users with Administrator privileges to directly edit, save and copy data on the physical hard drive that is not accessible in any other way.
Dumpchk.exe  Verifies that a memory dump file has been created correctly.
File and Directory Comparison (Windiff.exe)  Compares two text files or folders and displays differences.  
Filever.exe  Displays version information on executable files.
Gflags.exe: Global Flags Editor  Allows user to edit NtGlobalFlag settings for the Windows 2000 operating system.
Kerberos Keytab Setup (Ktpass.exe)  Configures an account for a non-windows-based Kerberos service and generates a keytab.
Kerberos Setup (Ksetup.exe)  Configures a computer for using a non-windows-based Kerberos realm.
Kill.exe: Task Killing Utility  Allows user to terminate selected tasks or processes.
Ksetup.exe: Kerberos Setup  Configures a computer for using a non-windows-based Kerberos realm.
Ktpass.exe: Kerberos Keytab Setup  Configures an account for a non-windows-based Kerberos service and generates a keytab.
Ldp.exe: Active Directory Administration Tool  Allows users to perform LDAP operations against any LDAP compatible directory such as Active Directory.
Memsnap.exe: Memory Profiling Tool  Takes a snapshot of memory resources consumed by running processes.
Movetree.exe: Active Directory Object Manager  Moves an Organizational Unit from one domain tree to another.
Msicuu.exe: Windows Installer Cleanup Utility  Removes registry settings for applications installed with Windows Installer.
Msizap.exe: Windows Installer Zapper  Removes registry settings for applications installed with Windows Installer.
Netdiag.exe: Network Connectivity Tester  Tests the state and functionality of a network client.
Netdom.exe: Windows 2000 Domain Manager  Enables administrators to manage domains.
Network Connectivity Tester (Netdiag.exe)  Tests the state and functionality of a network client.
Nltest.exe  Administers and tests domains and user accounts.
Planning Migration from Microsoft Windows NT to Microsoft Windows 2000 (Dommig.doc)  Guides administrators through the planning process for migrating Windows NT domains to Windows 2000.
Pmon.exe: Process Resource Monitor  Shows per-process usage of CPU and memory.
Poolmon.exe  Monitors memory tags, including total paged and non-paged pool bytes.
PPTP Ping: Point-to-Point Tunneling Protocol Ping Utilities  Verifies that the required protocol and port for Point-to-Point Tunneling Protocol are being routed from a PPTP client to a PPTP server.
Process Resource Monitor (Pmon.exe)  Shows per-process usage of CPU and memory.
Pviewer.exe: Process Viewer  Displays information about a running process and allows you to stop it.
Reg.exe: Registry Management Utility  Manipulates registry entries on local or remote computers from the command prompt.
Remote.exe: Remote Command Line  Runs command-line programs on remote computers.
Repadmin.exe: Replication Diagnostics Tool  Assists administrators in diagnosing replication problems between Windows 2000 domain controllers.
Replmon.exe: Active Directory Replication Monitor  Displays replication topology, status and performance of Active Directory domain controllers.
Rsdiag.exe: Remote Storage Diagnostic Utility  Examines Remote Storage (HSM) databases and displays diagnostic information.
Rsdir.exe: Remote Storage File Information Utility  Examines Remote Storage reparse points and displays Remote Storage information for files.
Sdcheck.exe: Security Descriptor Check Utility  Displays the security descriptor for an object, including any inherited ACL's, as well as the security descriptor metadata.
Search.vbs  Performs a search against an LDAP (Lightweight Directory Access Protocol) server.
Security Administration Tools (SIDWalker)  Manages access-control policies.
Security Descriptor Check Utility (Sdcheck.exe)  Displays the security descriptor for an object, including any inherited ACL's, as well as the security descriptor metadata.
SIDWalker: Security Administration Tools  Manages access-control policies.
Snmputilg.exe: SNMP Troubleshooting Tool  Queries a Simple Network Management Protocol host or community for Management Information Base values from graphical user interface.
Task Killing Utility (Kill.exe)  Allows user to terminate selected tasks or processes.
Tlist.exe: Task List Viewer  Displays a list of IDs, names, and windows of processes running on the local computer.
W2000msgs.chm: Windows 2000 Error and Event Messages Help  Provides explanations of Windows 2000 error messages.
Windiff.exe: File and Directory Comparison  Compares two text files or folders and displays differences.
Windows 2000 Domain Manager (Netdom.exe)  Enables administrators to manage domains.
Windows 2000 Error and Event Messages Help (W2000msgs.chm)  Provides explanations of Windows 2000 error messages.
Windows Installer Cleanup Utility (Msicuu.exe)  Removes registry settings for applications installed with Windows Installer.
Windows Installer Zapper (Msizap.exe)  Removes registry settings for applications installed with Windows Installer.
Wsremote.exe: Winsock Remote Console  Starts a console application on the server and connects to it from the client using sockets or named pipes.

0
 
LVL 14

Author Comment

by:yessirnosir
>Did you point his DNS forwarders to the new DNS  email provider  ?
>Did you try dnsstuff.com ad do a DNS report ?
>Did you run any local DNS checks on AD ?

I'm not sure what you mean by "point his DNS forwarders to the new DNS email provider".  What I did exactly was enter two new MX records for primary and secondary e-mail servers, and then two new CNAME records that map mail.theirdomain.com to the new pop server and email.theirdomain.com to the new webmail server.   The client was actually able to use his e-mail today from his laptop while connected to a network outside of his office, but not when his laptop is connected to his own LAN.

I just ran the dnsstuff.com test (both the overall test and the e-mail test) and everything looks good to me.  Mostly "pass" and a few warnings that don't look like a problem.      

No I didn't run any local DNS checks on AD because 1) I don't know what the heck I'm doing! and 2) I haven't even gone into their office yet...  I just  didn't anticipate that the changes I made would fail to propagate into his internal network automatically.  

The client did reboot his DSL modem, network switch, and server, hoping that might solve the problem, but no luck.    

One thing I wondered about is that the MX records have an 86400s time setting attached to them, which I take it means that they will only update once every 24 hours, so is it possible that I should just be patient and wait until tomorrow to conclude this hasn't worked?   We are still not at the 48 hour mark from when I made the changes.

If it isn't working tomorrow morning, I'm planning to make a house call at his office, so am hoping with all of your help to have a game plan of specific steps I need to do on his server to diagnose and fix the problem.
0
 
LVL 63

Assisted Solution

by:SysExpert
SysExpert earned 125 total points
You may need to do some reading.

The short version for a start.

 - In DNS, add forwarders and enter your ISP's DNS server IPs.
 - In the TCP/IP properties of the NICs on the 2000 server, point the DNS option to your local DNS server IP. (Forwarders will take care of non-local queries.)

also

http://support.microsoft.com/search/default.aspx?query=change+DNS+new+ISP&x=0&y=0&catalog=LCID%3D1033&pd=&spid=1131&qryWt=&mode=r&cus=False

0
 
LVL 14

Author Comment

by:yessirnosir
Does the fact that the new DNS records have not yet propagated into his LAN suggest that his current server DNS settings are somehow incorrect?  Or is this normal behavior that an experienced server admin would have expected when changing external e-mail providers?  
0
 
LVL 14

Author Comment

by:yessirnosir
One thing that bugged me the first time I saw the client's network setup (which was a turnkey installation about 5 years ago by a professional networking company) is that the internal network domain name is exactly the same as the public website address, i.e. "theirdomain.com".  I couldn't see any reason why the LAN in the office needed to have that domain name, because the web server and e-mail server are hosted by third parties anyway, and the only thing the LAN server in the office really does is file serving, backup, print serving, user administration, and network routing.  Now that there seems to be a DNS problem, I wonder if it has something to do with that double-usage of the domain name to refer to both the local and public faces of this company.  Is that an issue I should be concerned with?  
0
 
LVL 9

Accepted Solution

by:FixingStuff
FixingStuff earned 125 total points
Sounds like a DNS server exists on the LAN with static entries to the old email provider/server.    Or, possibly the HOSTS files on local machines modified with the old email server. Also, make sure to "IPCONFIG /FLUSHDNS" on desktops.

There is a utility called DIG that will tell you where the LAN machines are getting their answers from. There a many free DIG utils available for Windows, or it is built into unix like OS.
FS-
0
 
LVL 63

Expert Comment

by:SysExpert
The same DNS name for internal and external could lead to a problem, as that is not the recommended config, unless you use local.domainname.com or similar.

You will need to take a look at the config, DHCP and all the DNS stuff.

0

 
LVL 14

Author Comment

by:yessirnosir
Thanks FS... I think you must be right about static DNS entries; that would explain all the symptoms.    What I can't figure out is why static entries would have been set up in the first place, because if I understand some of the documentation SysExpert referenced (Like KB300202 How to Configure DNS for Internet Access in Windows 2000), I should be able to configure forwarders to external nameservers, rather than to the actual IP addresses of my mail and web hosts.  Then future changes to web or email hosts could be made without manually updating the server DNS setup.  It seems too easy; am I missing some key information that would make static DNS entries necessary?
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 250 total points

Hi guys,

The key is a little bit you mentioned earlier:

> is that the internal network domain name is exactly the same as the public website address

DNS is essential to AD, so if the domain name is the same inside then the internal DNS Server is claiming Authority for the Public Domain Name. That means that any request about an address within that domain will go to the internal DNS and stop there.

> It seems too easy; am I missing some key information that would make static DNS entries necessary?

Requests for a domain the server is authoritative for will not be passed onto a Forwarder (or the Root Servers) if unresolved, after all the internal DNS Server has been told it knows everything about that particular domain.

This means that if you want to resolve www.internaldomain.com to a public IP then it must be statically added to both the Internal and Public DNS Servers separately (known as Split Brain DNS). As mentioned above the most likely cause is a statically configured MX Record (or rather a statically configured A Record for the Mail Server) on the internal DNS Server.

HTH,

Chris
0
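The behaviour Chris describes (an authoritative zone answers from its own data and never hands a miss to the forwarder) and the stale static answer FixingStuff suspected can be modelled in a few lines. This is an added Python example written for this page, not code from the thread or from the Windows 2000 DNS service: theirdomain.com is the thread's placeholder, pop.newprovider.example and every address are constructed (RFC 5737 documentation ranges), and the two zone snapshots are an assumed "before" and "after" of the house call.

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]  # (type, rdata): ("A", ip) or ("CNAME", target)

# Constructed public DNS data: what the hosting company's tool now publishes.
PUBLIC_DNS: Dict[str, Record] = {
    "mail.theirdomain.com.": ("CNAME", "pop.newprovider.example."),
    "pop.newprovider.example.": ("A", "203.0.113.10"),
    "www.theirdomain.com.": ("A", "198.51.100.5"),
}

# Constructed LAN zone as assumed on the house call: a static A record still
# pointing at the old mail server, hence the stale answer 36 hours later.
INTERNAL_ZONE_STALE: Dict[str, Record] = {
    "mail.theirdomain.com.": ("A", "192.0.2.25"),
    "www.theirdomain.com.": ("A", "198.51.100.5"),
}

# The same zone after the fix in the thread: the A record replaced by a CNAME
# to the provider's host, a name that lies outside the zone the server owns.
INTERNAL_ZONE_FIXED: Dict[str, Record] = {
    "mail.theirdomain.com.": ("CNAME", "pop.newprovider.example."),
    "www.theirdomain.com.": ("A", "198.51.100.5"),
}

OFFICE_ZONE = "theirdomain.com."


def in_zone(name: str, zone: str) -> bool:
    """True when `name` falls under `zone`; an empty zone owns nothing."""
    return bool(zone) and (name == zone or name.endswith("." + zone))


def resolve(name: str, zone: str, zone_data: Dict[str, Record],
            forwarder: Dict[str, Record], max_chain: int = 8
            ) -> Tuple[Optional[str], List[str]]:
    """Model of a DNS server authoritative for `zone` that forwards everything
    else. Returns (IPv4 or None, trace of where each step was answered)."""
    trace: List[str] = []
    for _ in range(max_chain):
        if in_zone(name, zone):
            # Authoritative: answer from local zone data and stop. A name that
            # is missing here is NXDOMAIN; it is never handed to the forwarder.
            rr, source = zone_data.get(name), "internal zone"
        else:
            rr, source = forwarder.get(name), "forwarder"
        if rr is None:
            trace.append(f"{name}: NXDOMAIN from {source}")
            return None, trace
        rtype, rdata = rr
        trace.append(f"{name}: {rtype} {rdata} from {source}")
        if rtype == "A":
            return rdata, trace
        name = rdata  # CNAME: chase the target, which may leave the zone
    trace.append("CNAME chain too long")
    return None, trace


def public_answer(name: str) -> Optional[str]:
    """What a resolver outside the office sees (no local authority at all)."""
    ip, _ = resolve(name, "", {}, PUBLIC_DNS)
    return ip


def split_brain_report(name: str, zone_data: Dict[str, Record]) -> Dict[str, object]:
    """Compare the LAN server's answer with the public one, the check the
    thread suggests doing with dig from inside and outside the office."""
    inside, trace = resolve(name, OFFICE_ZONE, zone_data, PUBLIC_DNS)
    outside = public_answer(name)
    return {"inside": inside, "outside": outside,
            "diverges": inside != outside, "trace": trace}


if __name__ == "__main__":
    for label, zone in (("stale", INTERNAL_ZONE_STALE), ("fixed", INTERNAL_ZONE_FIXED)):
        print(label, split_brain_report("mail.theirdomain.com.", zone))
    # A name in the zone but absent from it: NXDOMAIN, and no forwarder is asked.
    print(resolve("email.theirdomain.com.", OFFICE_ZONE, INTERNAL_ZONE_FIXED, PUBLIC_DNS))
```

The trace for the fixed zone shows the split: the CNAME is answered from the internal zone, the A record for pop.newprovider.example comes from the forwarder, so a later provider change only needs the public side updated. Running the report against both snapshots is the inside-versus-outside comparison; a divergent answer for a name under theirdomain.com points at a static record on the LAN server.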
 
LVL 9

Expert Comment

by:FixingStuff
Chris has done a good job of explaining this. Let us know if you need additional info.
FS-

0
 
LVL 14

Author Comment

by:yessirnosir
Hi guys... thanks for all your help .  I especially enjoyed reading about "Split Brain DNS", which accurately describes how my brain was feeling!

I went in this morning and thanks to your advice was able to get things working in just a few minutes, although I have a few follow-up questions if you don't mind:

1.  The existing configuration used "A" records in the DNS forward lookup zones to forward mail, www, and smtp to static external IP addresses.  I  read one tutorial (www.tek-tips.com/faqs.cfm?fid=3017) that said to use alias/CNAME entries to resolve the external website.  I wasn't clear about whether there were any advantages to using "A" or "CNAME", so I deleted the A records for mail and smtp and replaced them with CNAMEs mapped to the server names for the pop and smtp servers.   The www I left as is with an A record because the web host provides a static IP, but no corresponding FQDN as far as I know, plus I didn't need to change webhost, so that entry was working properly.  Any thoughts about whether using A's or CNAME's is the preferred approach, and why?  (eg. is one more reliable?)

2.  After making the changes, I flushed the DNS on the server and workstations, and immediately everything worked fine; was able to send and receive multiple test e-mails from both Outlook and webmail interfaces.  Life was good, the sun was shining, music filled the air --- then bam! just as I was packing up to leave, two of the workstations suddenly had an Outlook error -- couldn't find the incoming mail server.  Agh!  So I played with it for a couple of minutes, but didn't find anything wrong.  nslookup queries from the workstations seemed to point to the correct mail server.  I couldn't ping the mail server because the Cisco firewall apparently blocks outbound pings (why?), and I didn't have the time to figure out how to change that.  Then I logged into another workstation, and e-mail worked perfectly there.  So I went back to the original workstations, and they worked again too.  Spooky.   I suppose it is possible that the actual mail server was briefly unavailable, but that seems like a stretch because the mail provider is a major outfit with racks of servers handling this stuff.  Is there some reason why changed DNS settings might work for a few minutes, then not work, then work again???

3.  I didn't add any MX entries in the local DNS.  Am I right that there is no purpose for those on the local network, given that there are public MX records for mail servers to find?

4.  I noticed WINS in the list of running tasks on the server, and wondered if it was necessary.   At least one of the zillion webpages I looked at last night said something about conflicts between DNS and WINS, but presumably since this network has been running with almost no IT support for >5 years, DNS and WINS must be working side by side OK.  Should I have any concerns about it?

5.  The forward lookup zones include A records with static IP addresses for every workstation on the LAN, including a handful of entries for machines that don't even exist anymore.  (LAN is running static IPs, no DHCP).  It was really tempting to start nuking the obsolete entries, but I decided to stick to the "if it ain't broke, don't fix it" approach and left them alone.  Next time I'm there, can I just delete those entries with impunity?

Thanks.
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 250 total points

Hey again,

1. There are some rules about these in the public domain names. For example, MX Records should point to a Host (A) Record and not a CNAME or IP. But really that's about it.

In more general terms the use of CNAME records should be kept to a minimum, they are very useful but any ns lookup for a CNAME record will also have to lookup the associated A Record (the record the CNAME points at) which takes more time and increases the load on the Name Server. Whatever happens it all comes back to a Host record, without that the CNAME doesn't really mean anything.

2. ICMP... not sure about what you would need to configure on a Cisco Firewall to allow that through. Certainly a useful thing to be able to get to though.

If you need to do connection testing you can also use Telnet:

C:\> Telnet <MailServer> 25

Which should return with the banner of the outbound SMTP Server.

Do the workstations in question use more than one DNS Server in their configuration? If it's an AD Domain they should use the Internal DNS Server and nothing else.

3. Correct, there's no need unless you have other mail servers which need to be able to send mail to the local domain via DNS resolution.

4. Not really anything to worry about. It's common to still see WINS Servers around, the API they're there to help along (NetBIOS) is remarkably hard to get rid of and despite AD Domains being almost completely independent of it some functionality still uses it (File and Printer Sharing relies on NetBIOS unless you disable "NetBIOS Over TCP/IP" for absolutely everything you use).

5. Sure, you can remove anything you want from there. MS have included processes to do that for you though, all that needs to be done is to turn them on, onto Scavenging.

If you want to try that out then open up DNS Manager, right click on the domain name under Forward Lookup Zones and select Properties. Under there you should see an Aging button. Click that one and it shows you a new window with a tick box and two other values. Tick the box, then we have the No-Refresh and Refresh Intervals.

No-Refresh and Refresh Intervals are used by your DNS Server to help it determine when a Dynamically Added record is finished with. It needs both the time limits (in days) to expire before the automatic process will do away with it, and each of those periods runs one after the other. First the No-Refresh Interval, then the Refresh Interval. Ideally you want those two values, added together, to be somewhere close to your DHCP Lease Time (that tends to be neatest), so if the DHCP Lease Time on the internal network is 8 days then setting No-Refresh to 5 Days and Refresh to 3 Days would be pretty ideal.

Once you've done all that you need to tell one of the DNS Servers on your network (if you have more than one, you only need one to run this process) that it can help you clean up. Open the Properties page for the DNS Server itself. Under the Advanced Tab you should see a box to Enable Scavenging and another box that allows you to say how often that happens: 1 Day is normally good. Now, every day, your DNS Server will look through everything it has and remove any entry that's officially old.

It should be noted that Scavenging has no effect on Static Records (records added through DNS Manager).

You can configure the same for any Reverse Lookup Zones you have configured, or any other dynamically updated Forward Lookup Zones you have.

To dig a little deeper into those two periods (for the sake of completion - there's always more, so this remains simplified).

No-Refresh is the time period after a Record has been dynamically registered with a DNS Server where the server will ignore Refresh Requests. That is, where the computer says to the DNS Server "I'm still here". It does this to reduce the amount of unnecessary DNS Data to be replicated over the network in AD Integrated Zones when nothing has changed.

After the No-Refresh Period has expired the server will start listening again, as soon as the Client sends an "I'm still here" message it starts the count-down over again. If the machine doesn't say "I'm here" right away it has the rest of the Refresh Interval to do so. If it doesn't even after that then the record will be marked as Expired and the record eligible for Scavenging next time the process runs.

Hope that all makes sense.

Chris
0
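The Telnet step above can be scripted so that a firewall silently dropping the connection (as the Cisco box did for ping) produces a clear failure rather than a hung session. This is an added Python example, not code from the thread: read_smtp_banner does what `Telnet <MailServer> 25` does but with a timeout, and start_fake_smtp is a constructed stand-in listener on loopback so the check can be tried without a real mail server. The host name in the banner and the port chosen are made up here.

```python
import socket
import threading
from typing import Optional


def read_smtp_banner(host: str, port: int = 25, timeout: float = 5.0) -> Optional[str]:
    """Connect to host:port and return the server greeting (the "220 ..." line),
    or None if the connection is refused, dropped or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while not data.endswith(b"\r\n") and len(data) < 512:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
            s.sendall(b"QUIT\r\n")  # be polite to the real server
        return data.decode("ascii", "replace").strip() or None
    except OSError:  # covers refused, unreachable and socket.timeout
        return None


def banner_ok(banner: Optional[str]) -> bool:
    """RFC 5321: a healthy SMTP greeting starts with reply code 220."""
    return banner is not None and banner.startswith("220 ")


def start_fake_smtp(greeting: bytes = b"220 mail.example.test ESMTP ready\r\n") -> int:
    """Constructed stand-in for the provider's mail server: listens once on an
    ephemeral loopback port, sends `greeting`, waits for QUIT. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
            try:
                conn.recv(64)
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def unused_loopback_port() -> int:
    """A port nobody listens on, to show the failure path of the check."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = start_fake_smtp()
    print("stand-in server:", read_smtp_banner("127.0.0.1", port))
    print("closed port:", read_smtp_banner("127.0.0.1", unused_loopback_port(), timeout=1.0))
```

Run from a workstation that showed the intermittent Outlook error, a None result while nslookup still returns the right address separates "name resolved wrongly" from "TCP to port 25 blocked or server down", which is the distinction the thread was missing.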
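The two aging timers Chris walks through can be worked through in code. This is an added Python example, not code from the thread or from Microsoft: it models the No-Refresh and Refresh intervals with the 5-day and 3-day values from the post, a daily scavenging run, a static record (never aged), a live workstation that says "I'm still here" every day, and a scrapped workstation that never does. Record names and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class DnsRecord:
    name: str
    static: bool                          # added via DNS Manager: aging never applies
    timestamp: Optional[datetime] = None  # last accepted dynamic registration/refresh
    log: List[str] = field(default_factory=list)


@dataclass
class AgingPolicy:
    no_refresh: timedelta   # server ignores "I'm still here" during this window
    refresh: timedelta      # then the client has this long to refresh

    def refresh_request(self, rec: DnsRecord, now: datetime) -> bool:
        """A client's refresh: ignored inside No-Refresh, otherwise restarts the clock."""
        if rec.static:
            return False
        if now < rec.timestamp + self.no_refresh:
            rec.log.append(f"{now:%Y-%m-%d}: refresh ignored (No-Refresh window)")
            return False
        rec.timestamp = now
        rec.log.append(f"{now:%Y-%m-%d}: refresh accepted, timer restarted")
        return True

    def is_stale(self, rec: DnsRecord, now: datetime) -> bool:
        """Eligible once both periods, run one after the other, have elapsed."""
        if rec.static:
            return False
        return now >= rec.timestamp + self.no_refresh + self.refresh

    def scavenge(self, zone: List[DnsRecord], now: datetime) -> List[DnsRecord]:
        """One scavenging pass: remove and return the stale dynamic records."""
        stale = [r for r in zone if self.is_stale(r, now)]
        for r in stale:
            zone.remove(r)
        return stale


def simulate(days: int = 14) -> Dict[str, object]:
    """Two weeks of a constructed zone under the thread's 5 + 3 day policy."""
    policy = AgingPolicy(no_refresh=timedelta(days=5), refresh=timedelta(days=3))
    t0 = datetime(2006, 11, 1)  # both workstations registered at midnight
    zone = [
        DnsRecord("ws-live.theirdomain.com.", static=False, timestamp=t0),
        DnsRecord("ws-scrapped.theirdomain.com.", static=False, timestamp=t0),
        DnsRecord("mail.theirdomain.com.", static=True),
    ]
    live = zone[0]
    removed: Dict[str, str] = {}
    first_accepted: Optional[str] = None
    for day in range(1, days + 1):
        run_at = t0 + timedelta(days=day)          # daily scavenging run at midnight
        for r in policy.scavenge(zone, run_at):
            removed[r.name] = f"{run_at:%Y-%m-%d}"
        noon = run_at + timedelta(hours=12)         # live workstation refreshes at noon
        if live in zone and policy.refresh_request(live, noon) and first_accepted is None:
            first_accepted = f"{noon:%Y-%m-%d}"
    return {
        "removed": removed,
        "survivors": [r.name for r in zone],
        "first_accepted_refresh": first_accepted,
        "live_log": live.log,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The scrapped workstation's record is removed by the run on the eighth day after registration (five days of No-Refresh followed by three of Refresh); the live workstation's first four daily refreshes are ignored and the fifth restarts its timer, so it is never eligible; the static mail record is untouched by every pass, which is why the stale A record in this thread had to be removed by hand.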
 
LVL 14

Author Comment

by:yessirnosir
Wow, thanks Chris for taking the time to provide all that extra detail.  Very helpful.

I have split the points between all three of you; with your help I actually looked like I had half a clue today.

 
0
 
LVL 9

Expert Comment

by:FixingStuff
Wow indeed. Chris rocks!
0
 
LVL 70

Expert Comment

by:Chris Dent

Glad you found it helpful :)

Chris
0
