
slow internal DNS / user security resolution

Posted on 2006-11-21
Last Modified: 2010-04-18
We are experiencing two issues which I think are related.  First, when I open the properties of DNS, a folder, etc., and look at the security tab, the system is extremely slow to resolve account names from the SIDs.  It eventually does resolve all of the usernames, but it takes up to a minute or two.

Second, logged on to the DC/DNS server, I open a command prompt and "ping <internal name>".  There is a pause of 5 seconds or so, then the name is resolved and the ping is successful.  If I ping an IP address of an internal machine, the response is instant.  If I use NSLOOKUP to resolve an internal machine name, it is instantaneous.

We are running Active Directory with two Win2k3 SP1 servers that are DCs and DNS.  Both DNS servers list 127.0.0.1 in TCP/IP settings, and the primary DNS forwards to an Internet DNS server.  The secondary does not forward.

The testing I have been doing is from the DC/DNS servers.  So, name resolution is slow while logged on directly to the DNS server.

Any ideas?
Question by:blotto99
Expert Comment

by:TheCleaner
ID: 17989102
1.  You are having problems pinging externally and not internally, correct?
2.  You are testing this on both DNS servers?  What do you mean by primary and secondary?  I'm assuming they are AD integrated zones and you are referring to the DNS server order, right?  In that case I'm not sure which is the "secondary"...as both servers would need to be able to forward out to the internet if you have both servers listed as primaries at some point...which it seems you do since you are listing them as 127.0.0.1.  So if one of them isn't set to forward out and you are on that server, then it's not going to be able to do nslookups or ping name resolution unless the name is already in its cache.
3.  On the DNS zones, you just have a single forward zone for the internal domain, right?  You aren't setting them as root DNS servers, correct?
4.  Have you run dcdiag, dnsdiag, netdiag on them?

Expert Comment

by:SamuraiCrow
ID: 17989487
I'm assuming that the 127.0.0.1 means the DNS servers are pointing to themselves first for resolution.  One server is forwarding requests to the internet and the other one has no forwarders configured.  Generally you want one server doing lookups on the internet and the other servers have their forwarders pointing to the 'primary' server (the one that can get to the internet).  If you are seeing slowdowns it could be because the first DNS server that gets queried fails on the lookup and it moves to the second dns server.  Once you configure the forwarder properly it should resolve this issue.  This slowdown can also be caused by general network latency issues as well as server latency issues but the forwarder is what I would check first.
Author Comment

by:blotto99
ID: 17989611
1.  The slowness is pinging internally and externally.

2.  I'm probably just using incorrect terminology.  The "primary" dns is set to forward to Internet the "secondary" is not.  As far as I've read, with Windows 2003, you should always have a DNS server point to itself in tcp/ip settings.

3.  There are actually several forward zones, but the one I'm concerned with is the main internal domain.  How can I check that they are not set as root DNS servers?

4. dcdiag was fine.  netdiag produced the following errors:

[warning] Cannot find a primary authoritative DNS server for the name 'server1.ourdomain.local' [WSAEADDRNOTAVAIL]
The name 'server1.ourdomain.local' may not be registered in DNS server '0.0.0.0'.  Please wait for 30 minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.

This DC is a DNS server.
Expert Comment

by:TheCleaner
ID: 17989733
1.  The slowness is pinging internally and externally.

             Well you said, "If I ping an IP address of an internal machine, the response is instant.  If I use NSLOOKUP to resolve an internal machine name, it is instantaneous."  originally...hence my question.

2.  I'm probably just using incorrect terminology.  The "primary" dns is set to forward to Internet the "secondary" is not.  As far as I've read, with Windows 2003, you should always have a DNS server point to itself in tcp/ip settings.

            Is the "secondary" DNS server, let's call it DC2, pointing to itself for name resolution?  Are any clients pointing to it as their "primary"?  If so, in either case, they shouldn't be able to resolve internet names UNLESS either your DC2's DNS has forwarders set OR it is using the built-in root name servers list.

3.  There are actually several forward zones, but the one I'm concerned with is the main internal domain.  How can I check that they are not set as root DNS servers?

            If there is no forward lookup zone for * then it's not a root server.

4. dcdiag was fine.  netdiag produced the following errors:

[warning] Cannot find a primary authoritative DNS server for the name 'server1.ourdomain.local' [WSAEADDRNOTAVAIL]
The name 'server1.ourdomain.local' may not be registered in DNS server '0.0.0.0'.  Please wait for 30 minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.

                 Is "ourdomain.local" your internal domain?  Are you running DNS as AD-integrated or as Primary/Secondary zones?  Sounds like DNS is configured incorrectly at this point.  Are there SRV records in the forward lookup zone for ourdomain.local?
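The configuration points TheCleaner asks about in the two comments above (does each DC point to itself, does each DNS server have forwarders or fall back to root hints, is there a stray root zone, are the DC's SRV records actually registered) can be checked in one pass. The script below is an added example and not from the original thread; it assumes a modern Windows Server with the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later; dcdiag and netdiag were the tools of the 2003 era), WinRM access to the DCs, and uses the placeholder DC names and the domain name ourdomain.local from the thread.

```powershell
# Added example: audit the DNS configuration points raised in the thread.
# Requires the DnsServer and DnsClient modules (Windows Server 2012+) and
# PowerShell remoting; run as a domain admin.
param(
    [string[]]$DomainControllers = @('server1', 'server2'),   # assumed names
    [string]$Domain = 'ourdomain.local'                       # from the thread
)

foreach ($dc in $DomainControllers) {
    Write-Host "=== $dc ==="

    # 1. Which resolvers does the DC's own TCP/IP stack use? 127.0.0.1 as the
    #    only entry is what the poster has; listing the partner DC first and
    #    itself second is the usual recommendation.
    $servers = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object ServerAddresses).ServerAddresses
    }
    Write-Host "Client DNS servers : $($servers -join ', ')"

    # 2. Forwarders. A DNS server with neither forwarders nor root hints cannot
    #    resolve Internet names, so anything using it as first server stalls.
    $fwd = Get-DnsServerForwarder -ComputerName $dc
    if ($fwd.IPAddress) {
        Write-Host "Forwarders         : $($fwd.IPAddress.IPAddressToString -join ', ') (timeout $($fwd.Timeout)s)"
    } else {
        Write-Host "Forwarders         : none - uses root hints: $($fwd.UseRootHint)"
    }

    # 3. A forward lookup zone named '.' makes the server a root server and
    #    silently disables forwarding and root hints.
    $root = Get-DnsServerZone -ComputerName $dc -ErrorAction SilentlyContinue |
        Where-Object ZoneName -eq '.'
    Write-Host ("Root zone '.'      : " + $(if ($root) { 'PRESENT (remove it)' } else { 'absent' }))

    # 4. The LDAP and Kerberos SRV records for the DCs must exist under
    #    _msdcs.<domain>, or netdiag reports "No DNS servers have the DNS
    #    records for this DC registered". Query the server directly (-DnsOnly).
    foreach ($rr in @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")) {
        $ans = Resolve-DnsName -Name $rr -Type SRV -Server $dc -DnsOnly -ErrorAction SilentlyContinue
        $targets = ($ans | Where-Object QueryType -eq 'SRV').NameTarget -join ', '
        Write-Host ("SRV {0,-45}: {1}" -f $rr, $(if ($targets) { $targets } else { 'MISSING' }))
    }
}
```

Run it from a management host that can reach both DCs; a DC that shows no forwarders, UseRootHint false, or MISSING SRV records is the one to fix before looking at resolver-side causes.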
Author Comment

by:blotto99
ID: 17989804
1. Mistype on my part...the '5 second pause' is with internal and external machines.

3. No, there is no lookup zone for *.

4. Yes, "ourdomain.local" is the internal domain.

In DNS, I have entries for:

_msdcs.ourdomain.local
ourdomain.local

If I check the properties of "ourdomain.local", the type is Active Directory-Integrated.

No, there are no SRV records.  There are SOA, NS, MX and a bunch of A records.
Author Comment

by:blotto99
ID: 17989938
Under _msdcs.ourdomain.local there are SRV records under dc, domains, gc and pdc.
Expert Comment

by:TheCleaner
ID: 17990387
Are either of your DC's multihomed or running RRAS?

Can you do this:

1.  Restart the netlogon service on the DC you are on
2.  run netdiag /fix
3.  run netdiag /test:dns /v

and post the results of the verbose test, so I can see what's happening.
Expert Comment

by:kshays
ID: 17992248
Along with the others here I would set the IP of the DNS server to the actual IP and not 127.0.0.1.  What it seems like is it's trying to use an external IP from your ISP's DNS or whatever you have listed as a forwarder there.

Was this an issue since you brought up your AD and DNS services or has it just happened?

I would check your forward and reverse lookup zones anyway (though I doubt that is the problem).
Author Comment

by:blotto99
ID: 18013650
I found that IPv6 was installed on both DC's.  I uninstalled it and the issue went away.
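The symptom pattern in the thread (nslookup instant, ping stalls about 5 seconds on every name, then succeeds) is what a resolver looks like when its first attempt times out before a fallback succeeds: nslookup sends its query straight to the DNS server, while ping goes through the Windows resolver, which consults the hosts file and cache, then issues A and, once IPv6 is installed, AAAA queries to the configured servers, and only then falls back to NetBIOS. The script below is an added example, not from the original thread, and assumes Windows 8 / Server 2012 or later for Resolve-DnsName; the test names and server addresses are placeholders. It times each (server, record type) pair separately, so a stall can be pinned to a record type or to a server before anything is uninstalled.

```powershell
# Added example: locate a resolver stall by timing each (server, record type)
# pair separately. Assumes Windows 8 / Server 2012 or later (Resolve-DnsName).
param(
    [string[]]$Names   = @('server2.ourdomain.local', 'www.example.com'),  # assumed test names
    [string[]]$Servers = @('127.0.0.1', '192.0.2.10'),                      # assumed: self and partner DC
    [int]$SlowMs = 1000
)

function Measure-Lookup {
    param([string]$Name, [string]$Server, [string]$Type)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # -DnsOnly / -NoHostsFile: bypass cache, hosts file and NetBIOS so the
        # number measured is the DNS round trip to this one server.
        $r = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop
        $answer = ($r | Where-Object QueryType -eq $Type | ForEach-Object {
            if ($Type -eq 'AAAA') { $_.IP6Address } else { $_.IP4Address } }) -join ','
        $status = if ($answer) { 'OK' } else { 'NOANSWER' }
    } catch {
        $answer = ''
        $status = $_.Exception.GetType().Name   # e.g. Win32Exception on timeout or NXDOMAIN
    }
    $sw.Stop()
    [pscustomobject]@{
        Name = $Name; Server = $Server; Type = $Type
        Ms = [int]$sw.ElapsedMilliseconds; Status = $status; Answer = $answer
    }
}

$results = foreach ($n in $Names) {
    foreach ($s in $Servers) {
        foreach ($t in 'A', 'AAAA') { Measure-Lookup -Name $n -Server $s -Type $t }
    }
}

$results | Format-Table -AutoSize

# A row near 5000 ms is a timed-out attempt the resolver had to wait out before
# falling back. Only AAAA rows slow: the stall is IPv6-related (the poster's
# case). Every row for one server slow: that server or its forwarder path is
# the problem, regardless of record type.
$slow = $results | Where-Object Ms -ge $SlowMs
if ($slow) { Write-Warning 'Slow lookups:'; $slow | Format-Table -AutoSize }
```

Uninstalling IPv6, as the poster did, removes the AAAA queries rather than fixing why they stalled; running this against each DC before and after a change shows which record type or server actually accounted for the delay.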
Accepted Solution

by: Computer101
ID: 18414290
PAQed with points refunded (500)

Computer101
EE Admin