Solved

slow internal DNS / user security resolution

Posted on 2006-11-21
11
489 Views
Last Modified: 2010-04-18
We are experiencing two issues which I think are related.  First, when I open properties of DNS, a folder, etc and look at the security tab, the system is extremely slow to resolve account names from the SIDs.  It eventually does resolve all of the usernames, but it takes up to a minute or two.

Second, logged on to the DC/DNS server, I open a command prompt and "ping <internal name>".  There is a pause of 5 seconds or so, then the name is resolved and the ping is successful.  If I ping an IP address of an internal machine, the response is instant.  If I use NSLOOKUP to resolve an internal machine name, it is instantaneous.

We are running Active Directory with two Win2k3SP1 servers that are DC's and DNS.  Both DNS servers list 127.0.0.1 in tcp/ip settings, and the primary DNS forwards to an Internet DNS server.  The secondary does not forward.

The testing I have been doing is from the DC/DNS servers.  So, name resolution is slow while logged on directly to the DNS server.

Any ideas?
0
Comment
Question by:blotto99
11 Comments
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17989102
1.  You are having problems pinging externally and not internally, correct?
2.  You are testing this on both DNS servers?  What do you mean by primary and secondary?  I'm assuming they are AD integrated zones and you are referring to the DNS server order, right?  In that case I'm not sure which is the "secondary"...as both servers would need to be able to forward out to the internet if you have both servers listed as primaries at some point...which it seems you do since you are listing them as 127.0.0.1.  So if one of them isn't set to forward out and you are on that server, then it's not going to be able to do nslookups or ping name resolution unless the name is already in its cache.
3.  On the DNS zones, you just have a single forward zone for the internal domain, right?  You aren't setting them as root DNS servers, correct?
4.  Have you run dcdiag, dnsdiag, netdiag on them?
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17989487
I'm assuming that the 127.0.0.1 means the DNS servers are pointing to themselves first for resolution.  One server is forwarding requests to the internet and the other one has no forwarders configured.  Generally you want one server doing lookups on the internet and the other servers have their forwarders pointing to the 'primary' server (the one that can get to the internet).  If you are seeing slowdowns it could be because the first DNS server that gets queried fails on the lookup and it moves to the second dns server.  Once you configure the forwarder properly it should resolve this issue.  This slowdown can also be caused by general network latency issues as well as server latency issues but the forwarder is what I would check first.
0
 

Author Comment

by:blotto99
ID: 17989611
1.  The slowness is pinging internally and externally.

2.  I'm probably just using incorrect terminology.  The "primary" DNS is set to forward to the Internet; the "secondary" is not.  As far as I've read, with Windows 2003, you should always have a DNS server point to itself in tcp/ip settings.

3.  There are actually several forward zones, but the one I'm concerned with is the main internal domain.  How can I check that they are not set as root DNS servers?

4. dcdiag was fine.  netdiag produced the following errors:

[warning] Cannot find a primary authoritative DNS server for the name 'server1.ourdomain.local' [WSAEADDRNOTAVAIL             ]
The name 'server1.ourdomain.local' may not be registered in DNS server '0.0.0.0'.  Please wait for 30 minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.

This DC is a DNS server.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17989733
1.  The slowness is pinging internally and externally.

             Well you said, "If I ping an IP address of an internal machine, the response is instant.  If I use NSLOOKUP to resolve an internal machine name, it is instantaneous."  originally...hence my question.

2.  I'm probably just using incorrect terminology.  The "primary" DNS is set to forward to the Internet; the "secondary" is not.  As far as I've read, with Windows 2003, you should always have a DNS server point to itself in tcp/ip settings.

            Is the "secondary" DNS server, let's call it DC2, pointing to itself for name resolution?  Are any clients pointing to it as their "primary"?  If so, in either case, they shouldn't be able to resolve internet names UNLESS either your DC2's DNS has forwarders set OR it is using the built-in root name servers list.

3.  There are actually several forward zones, but the one I'm concerned with is the main internal domain.  How can I check that they are not set as root DNS servers?

            If there is no forward lookup zone for * then it's not a root server.

4. dcdiag was fine.  netdiag produced the following errors:

[warning] Cannot find a primary authoritative DNS server for the name 'server1.ourdomain.local' [WSAEADDRNOTAVAIL             ]
The name 'server1.ourdomain.local' may not be registered in DNS server '0.0.0.0'.  Please wait for 30 minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.

                 Is "ourdomain.local" your internal domain?  Are you running DNS as AD-integrated or as Primary/Secondary zones?  Sounds like DNS is configured incorrectly at this point.  Are there SRV records in the forward lookup zone for ourdomain.local?
0
 

Author Comment

by:blotto99
ID: 17989804
1. Mistype on my part...the '5 second pause' is with internal and external machines.

3. No, there is no lookup zone for *.

4. Yes, "ourdomain.local" is the internal domain.

In DNS, I have entries for:

_msdcs.ourdomain.local
ourdomain.local

If I check the properties of "ourdomain.local", the type is Active Directory-Integrated.

No, there are no SRV records.  There are SOA, NS, MX and a bunch of A records.
0
 

Author Comment

by:blotto99
ID: 17989938
Under _msdcs.ourdomain.local there are SRV records under dc, domains, gc and pdc.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17990387
Are either of your DC's multihomed or running RRAS?

Can you do this:

1.  Restart the netlogon service on the DC you are on
2.  run netdiag /fix
3.  run netdiag /test:dns /v

and post the results of the verbose test, so I can see what's happening.
0
 
LVL 16

Expert Comment

by:kshays
ID: 17992248
Along with the others here I would set the IP of the DNS server to the actual IP and not 127.0.0.1.  What it seems like is it's trying to use an external IP from your ISP's DNS or whatever you have listed as a forwarder there.

Was this an issue since you brought up your AD and DNS services or has it just happened?

I would check your forward and reverse lookup zones anyway (though I doubt that is the problem).
0
 

Author Comment

by:blotto99
ID: 18013650
I found that IPv6 was installed on both DC's.  I uninstalled it and the issue went away.
0
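The symptom in this thread (ping pauses for several seconds before the name resolves, nslookup answers instantly) is the kind of gap a dual-stack resolver path can produce. The script below is an added diagnostic example, not code from the thread or from any participant: it times the same hostname through getaddrinfo with all address families (as ping-style callers do) and again restricted to IPv4, and flags the host when the dual-stack lookup is slower by more than a threshold. The threshold default of 2 seconds and the "suspect_dual_stack_path" label are assumptions chosen for this example.

```python
import socket
import sys
import time


def timed_resolve(host, family=socket.AF_UNSPEC):
    """Resolve host via the OS resolver; return (elapsed_seconds, sorted addresses or None)."""
    start = time.perf_counter()
    try:
        infos = socket.getaddrinfo(host, None, family, socket.SOCK_STREAM)
        addrs = sorted({info[4][0] for info in infos})
    except socket.gaierror:
        addrs = None  # NXDOMAIN, timeout or no record for that family
    return time.perf_counter() - start, addrs


def compare(host, threshold=2.0):
    """Time a dual-stack lookup against an IPv4-only lookup of the same name.

    threshold (seconds, an assumed default for this example) is the extra delay on the
    dual-stack path above which the host is flagged for further investigation.
    """
    dual_t, dual_addrs = timed_resolve(host, socket.AF_UNSPEC)
    v4_t, v4_addrs = timed_resolve(host, socket.AF_INET)
    return {
        "host": host,
        "dual_stack_seconds": round(dual_t, 3),
        "ipv4_only_seconds": round(v4_t, 3),
        "dual_stack_addrs": dual_addrs,
        "ipv4_addrs": v4_addrs,
        # True when resolving both families costs noticeably more than IPv4 alone
        "suspect_dual_stack_path": (dual_t - v4_t) > threshold,
    }


def main(argv):
    # Hostnames come from the command line; "localhost" is a safe offline default.
    hosts = argv[1:] or ["localhost"]
    for host in hosts:
        result = compare(host)
        flag = "CHECK" if result["suspect_dual_stack_path"] else "ok"
        print("{:<40} dual={:.3f}s v4={:.3f}s {}".format(
            host, result["dual_stack_seconds"], result["ipv4_only_seconds"], flag))


if __name__ == "__main__":
    main(sys.argv)
```

Run it on the DNS server itself, as the original poster did, with a few internal and external names; a consistently large dual-stack delay with a fast IPv4-only lookup points at the resolver path rather than at the zone data or forwarders.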
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18414290
PAQed with points refunded (500)

Computer101
EE Admin
0
