RHNOC

asked on

DNS issues

In our current network we have 2 DCs, both with the DNS service running.  I can manually assign my PC an IP and one of the DNS servers' addresses and resolve any computer's IP.  The problem I am having is when I restart DC#1, all DNS goes down.  I can't figure out why this is.

Frank
Cyclops3590

you say, "and one of the DNS servers"
why are you using both since you have two.

also, dns failures can get cached for a little while.  did you try off-the-wall ones that you normally don't visit like www.whitehouse.gov or www.nasa.gov to ensure the entry was not from cache?

if adding the second dns or flushing your dns to ensure failures aren't cached doesn't work, then we'll need to look at the traffic a little.  get wireshark installed on your client. then we'll sniff the dns traffic to make sure that the client is actually sending the request and see if the server is responding or not.  if not, then we may need to load wireshark on it so that we know it's actually receiving the request.
RHNOC

ASKER

Thanks for your response.  I am sure my question was confusing as my knowledge on this subject is not great.  

As for your first question, I am not sure what you're asking/saying.  Is it incorrect to have both DNS servers listed?  Any machine that receives DHCP information gets both DNS servers' information.  I was stating that I have manually assigned a workstation an IP and one of the DNS addresses to test that it's working.  Then I enter the other DNS server's address and test again.

The reason I think something is wrong was because I had to restart a DC today.  While it was restarting, I noticed I couldn't connect to any of the servers via RDC without using the IP.  Also a few users complained that they had application issues.  Applications were locking up or erroring out.  Once the DC that I had restarted came back up, everything worked fine again.  I was just under the impression that if one DNS server were offline/failed, the other would perform the duty.

I apologize for my lack of knowledge on this subject.  I appreciate all the help. Thanks,

Frank

in the tcp/ip configuration on the 2nd server, do its DNS settings point to itself or the other server?
Also, is the 2nd server configured to use forwarders to the 1st server or do lookups on its own?
Each DNS server must be configured as if the other one is not there. Meaning each server must be able to forward requests to the internet and each must have its AD zones created.

NOW as to AD zones: one server must be a Primary and the second a Secondary. This is done for replication of the internal network. Once you have created your internal zone you need to create a secondary zone on the second server so that in the event that the first goes down you have a copy on the other. Also if you make any changes on the Primary it will be replicated to the Secondary.

Now Workstations Configuration
Each workstation must be configured with the IP addresses of both DNS servers as the Primary and Secondary servers. You can use DHCP to do this or manually assign it.

Eg.
DNS Server 1 ----> IP 192.168.0.2
  Subnet Mask       255.255.255.0
  Gateway           192.168.0.1
  Primary DNS       192.168.0.2   P.S. you must set up forwarding to your ISP in DNS Configuration
  Secondary DNS     192.168.0.3

DNS Server 2 ----> IP 192.168.0.3
  Subnet Mask       255.255.255.0
  Gateway           192.168.0.1
  Primary DNS       192.168.0.2
  Secondary DNS     192.168.0.3   P.S. you must set up forwarding to your ISP in DNS Configuration

Workstation 1 ----> IP 192.168.0.10
  Subnet Mask       255.255.255.0
  Gateway           192.168.0.1
  Primary DNS       192.168.0.2
  Secondary DNS     192.168.0.3

With this configuration you can turn off one Server and your workstations can access the network and the internet.

ASKER

Ok, as far as the IP settings you listed, mine match that design.  How do I know which DNS server is primary, though?  Let's say I have DNS server A and DNS server B:

DNS Server A ----> IP 192.168.0.2
  Subnet Mask       255.255.255.0
  Gateway           192.168.0.1
  Primary DNS       192.168.0.2
  Secondary DNS     192.168.0.3

DNS Server B ----> IP 192.168.0.3
  Subnet Mask       255.255.255.0
  Gateway           192.168.0.1
  Primary DNS       192.168.0.2
  Secondary DNS     192.168.0.3

This is how mine is set up.  But how do I know DNS server A is primary?  If I open DNS and connect to both servers, I can see Forward and Reverse zones for both servers.  They are identical.  There must be something I am missing though.  TY to all of you who have provided some assistance on this.

Frank
The tcp/ip dns settings on the DNS servers have nothing to do with them "serving" the DNS requests.  Those are the client settings for those servers.  Your dhcp server should be issuing out both IPs of the dns servers to the clients for their tcp/ip settings, though.

How are your DNS servers configured in the DNS console?  Do they have forwarders set up or do they use the root hints?  They should use the root hints.
personally, I would set server B to point to itself as primary DNS. Microsoft recommends configuring the TCP/IP properties of DNS servers to point to themselves.

In active directory, there is not really any primary/secondary setups....each domain controller is "primary" so to speak.

ASKER

The DHCP server is issuing out both IPs for DNS.  The DNS servers have forwards but also have all the root hints.  The forwarders are our ISP's DNS servers.  Is that not a good way to have that configured?
DNS Server A: when you create it you will tell it to use a primary AD-integrated zone, Mydomain.com or mydomain.local.

On DNS Server B you create a secondary zone, where it will ask you to input the IP address of the primary server so that it can copy the zone. You enter 192.168.0.2 and it will copy the information for that zone from server A.

ASKER

I thought setting DNS servers to use themselves as the primary DNS was the correct way.  Either way though, this is not what is causing the issue, right?
You should assign static IPs to both servers.

ASKER

ALL of my servers are static.  I was referring to clients that are using DHCP.  I was stating that the clients are getting DHCP'd with the info for both DNS servers, so it's not an issue of the clients or DHCP.

ASKER

In response to this comment, when I look at server A and server B the information is identical.  Wouldn't that mean it was replicating from server A?  Also, if I expand each server, it shows Forward and Reverse zones.  If I expand those, under Forward it has the domain name.  If I right-click that and go to Properties, Server A and B are configured as Active Directory-Integrated.  Under Reverse it shows my subnet and when I right-click I see the same, Active Directory-Integrated.  So where would one be configured for Primary/Secondary?  Also on the SOA tab, Server A lists itself as the Primary Server; on Server B it also lists itself.  Should server B list server A on the SOA tab for primary server?  These are just random thoughts so I apologize if I am making no sense.  Thanks again guys...

Frank

"ABLComputers: DNS Server A: when you create it you will tell it to use a primary AD-integrated zone, Mydomain.com or mydomain.local.

On DNS Server B you create a secondary zone, where it will ask you to input the IP address of the primary server so that it can copy the zone. You enter 192.168.0.2 and it will copy the information for that zone from server A."
WHAT OS are you running?
brwwiggins,  dns server tcp/ip settings have 0 to do with clients resolving addresses; it's the dns daemon on the dns server.

jiveass1960,  if you configure forwarders, they are used instead of the root hints.  since you are forwarding to your ISP dns servers, that is fine.

ablcomputers, why would you do a secondary zone on server B and AD-integrated on server A when both are DC's, they will both be AD-integrated

jiveass1960, now my question is why are you statically assigning an IP to your computer when you have dhcp working?  testing, I presume.  personally I'd leave it at dhcp as that is how the rest of your clients are configured.  As a test, here is what I recommend.  install wireshark, set it to capture all dns queries on the client.  do some nslookups.  now restart server A.  from what you describe, this should break dns resolution.  do some more nslookups with the same FQDNs you did before the server restart, now do some that you didn't do.  what does the wireshark capture say?  You should see it trying the server for the new ones.  The first ones you try should be cached.  we are trying to verify that the client is trying a server and that server is receiving the request.  basically get a lead as to where the communication breakdown is happening for dns queries.

ASKER

ABL Computers   -   I am running Windows 2000 Server.

Cyclops3590   -   Servers are statically assigned.  Workstations are DHCP.  I wrote that I statically assigned my PC an IP and DNS server for testing.  I set an IP and set my DNS to server B only.  I was able to work just fine.  Just as I am when my DNS is set to server B. Unfortunately, restarting server A is not an easy task.  So testing using your method is going to be difficult to pull off.  We are an organization that is open 24/7.  Another DNS outage would result in application lockups/crashes across 120+ workstations and 20+ servers.  Although I agree and understand your method of troubleshooting, at this time I probably can utilize it.  Is there a way I could test using wireshark without downing Server A?
ASKER CERTIFIED SOLUTION
ABLComputers

understood, 24/7 environments are a PITA in that way.
The only other thing I can think of is to get a firewall on your client that will block outgoing traffic to server A.  This would simulate a server A crash as well.  ZoneAlarm I believe has a free version you could use to try this out.  The problem is restarting a server versus blocking access to it isn't an apples-to-apples comparison, but it should give us some information as to what the client is trying to do when server A goes down.

By doing this, your client should still try to contact server A each time, but only give a small latency in resolution.  I believe my experience has been no more than 3 seconds.  It could be higher than that, but that's what I would expect for each query (until it's cached, of course).

the main purpose of this test is to see what the client is trying to do.  as I stated before, the dns client will generally cache failures as well.  So if the client gives a failure and no packets were sent, then we need to clear the local cache just to make sure we're good there.  Also, just for giggles, you can view the cache as well to see what is currently there and see how querying those will react.
ipconfig /displaydns
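The two checks the thread keeps circling back to, asking each server directly so the client's cache cannot mask a dead server (the "is server B really answering?" question above), and watching the primary-then-secondary failover order that Cyclops3590 describes, can be run from any client without restarting a DC. The script below is an added example; it is not code from the thread or from any poster. It is a stub resolver written on raw UDP so it needs no third-party library. The addresses 192.168.0.2 and 192.168.0.3 and the zone name mydomain.local are taken from the examples earlier in the thread; the 2-second per-server timeout is an assumption, and the rule that a reply is only trusted when its transaction ID matches the query is standard resolver behaviour, not something the thread discusses.

```python
"""Added example (not from the thread): a minimal stub resolver that queries
DNS servers in order and falls back to the next one only when a server fails
to answer, the behaviour the thread attributes to the Windows client."""
import random
import socket
import struct

DNS_PORT = 53
QTYPE_A = 1
QTYPE_SOA = 6
TIMEOUT_SECONDS = 2.0  # assumption: per-server wait before moving to the next server


def build_query(name, qtype=QTYPE_A, txid=None):
    """Build one RFC 1035 query packet: header, QNAME, QTYPE, QCLASS=IN."""
    if txid is None:
        txid = random.getrandbits(16)          # unpredictable ID; a reply must echo it
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(packet, offset):
    """Decode a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:              # two-byte compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(packet):
    """Return (txid, rcode, answers); each answer is a (name, rtype, rdata) tuple."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):                        # skip the echoed question section
        _, offset = _read_name(packet, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A:
            rdata = ".".join(str(b) for b in rdata)   # dotted quad for A records
        answers.append((name, rtype, rdata))
    return txid, flags & 0x000F, answers


def udp_exchange(server, query, timeout=TIMEOUT_SECONDS):
    """Send one query to one server over UDP; raises socket.timeout on no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, DNS_PORT))
        data, _ = sock.recvfrom(4096)
    return data


def resolve_with_failover(name, servers, qtype=QTYPE_A, exchange=udp_exchange):
    """Try servers in order; return (server_used, rcode, answers).
    `exchange` is injectable so the failover path can be exercised offline."""
    query = build_query(name, qtype)
    for server in servers:
        try:
            reply = exchange(server, query)
        except OSError:                        # timeout or unreachable: next server
            continue
        txid, rcode, answers = parse_response(reply)
        if txid != struct.unpack("!H", query[:2])[0]:
            continue                           # not a reply to our query; do not trust it
        return server, rcode, answers
    raise RuntimeError("no DNS server in %r answered for %s" % (servers, name))


if __name__ == "__main__":
    # Addresses and zone name follow the thread's example; adjust for your network.
    servers = ["192.168.0.2", "192.168.0.3"]
    for srv in servers:                        # each server alone: does it serve the SOA?
        try:
            print(srv, resolve_with_failover("mydomain.local", [srv], QTYPE_SOA))
        except RuntimeError as err:
            print(srv, "FAILED:", err)
    print("failover order:", resolve_with_failover("mydomain.local", servers))
```

Run it with the client pointed at nothing in particular; it bypasses the Windows resolver cache entirely, so a failure here is a server-side failure, not a cached one. Querying the SOA record on each server separately shows whether each DC is actually serving the zone on its own, which is the question behind "how do I know which one is primary"; the final call shows which server the failover order lands on, and the delay you see when the first server is blocked is the per-server timeout the thread describes.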

ASKER

I am headed out for the weekend, so I will try this next week.  Thanks again everyone and have a great weekend.

Frank