DNS issues

In our current network we have two DCs, both with the DNS service running. I can manually assign my PC an IP and one of the DNS servers' addresses and resolve any computer's IP. The problem I am having is that when I restart DC#1, all DNS goes down. I can't figure out why this is.

Frank
Asked by RHNOC
Cyclops3590 commented:
You say "and one of the DNS servers". Why are you using both since you have two?

Also, DNS failures can get cached for a little while. Did you try off-the-wall ones that you normally don't visit, like www.whitehouse.gov or www.nasa.gov, to ensure the entry was not from cache?

If adding the second DNS or flushing your DNS to ensure failures aren't cached doesn't work, then we'll need to look at the traffic a little. Get Wireshark installed on your client. Then we'll sniff the DNS traffic to make sure that the client is actually sending the request and see whether the server is responding or not. If not, then we may need to load Wireshark on it so that we know it's actually receiving the request.
RHNOC (Author) commented:
Thanks for your response. I am sure my question was confusing as my knowledge on this subject is not great.

As for your first question, I am not sure what you're asking/saying. Is it incorrect to have both DNS servers listed? Any machine that receives DHCP information gets both DNS servers' information. I was stating that I have manually assigned a workstation an IP and one of the DNS addresses to test that it's working. Then I enter the other DNS server's address and test again.

The reason I think something is wrong was because I had to restart a DC today. While it was restarting, I noticed I couldn't connect to any of the servers via RDC without using the IP. Also a few users complained that they had application issues. Applications were locking up or erroring out. Once the DC that I had restarted came back up, everything worked fine again. I was just under the impression that if one DNS server were offline/failed, the other would perform the duty.

I apologize for my lack of knowledge on this subject. I appreciate all the help. Thanks,

Frank

brwwiggins commented:
In the TCP/IP configuration on the 2nd server, do its DNS settings point to itself or to the other server?
Also, is the 2nd server configured to use forwarders to the 1st server or to do lookups on its own?
ABLComputers commented:
Each DNS server must be configured as if the other one is not there. Meaning each server must be able to forward requests to the internet and each must have its AD zones created.

NOW as to AD zones: one server must be a Primary and the second a Secondary. This is done for replication of the internal network. Once you have created your internal zone you need to create a secondary zone on the second server so that in the event that the first goes down you have a copy on the other. Also if you make any changes on the Primary it will be replicated to the secondary.

Now workstation configuration
Each workstation must be configured with the IP addresses of both DNS servers as the Primary and Secondary servers. You can use DHCP to do this or manually assign it.

E.g.
DNS Server 1 ----> IP    192.168.0.2
Subnet Mask              255.255.255.0
Gateway                  192.168.0.1
Primary DNS              192.168.0.2   P.S. you must set up forwarding to your ISP in DNS Configuration
Secondary DNS            192.168.0.3

DNS Server 2 ----> IP    192.168.0.3
Subnet Mask              255.255.255.0
Gateway                  192.168.0.1
Primary DNS              192.168.0.2
Secondary DNS            192.168.0.3   P.S. you must set up forwarding to your ISP in DNS Configuration

Workstation 1 ----> IP   192.168.0.10
Subnet Mask              255.255.255.0
Gateway                  192.168.0.1
Primary DNS              192.168.0.2
Secondary DNS            192.168.0.3

With this configuration you can turn off one server and your workstations can access the network and the internet.
RHNOC (Author) commented:
Ok, as far as the IP settings you listed, mine match that design. How do I know which DNS server is primary though? Let's say I have DNS server A and DNS server B:

DNS Server A ----> IP    192.168.0.2
Subnet Mask              255.255.255.0
Gateway                  192.168.0.1
Primary DNS              192.168.0.2
Secondary DNS            192.168.0.3

DNS Server B ----> IP    192.168.0.3
Subnet Mask              255.255.255.0
Gateway                  192.168.0.1
Primary DNS              192.168.0.2
Secondary DNS            192.168.0.3

This is how mine is set up. But how do I know DNS server A is primary? If I open DNS and connect to both servers, I can see Forward and Reverse zones for both servers. They are identical. There must be something I am missing though. TY to all of you who have provided some assistance on this.

Frank
Cyclops3590 commented:
The TCP/IP DNS settings on the DNS servers have nothing to do with them "serving" the DNS requests. Those are the client settings for those servers. Your DHCP server should be issuing both IPs of the DNS servers to the clients for their TCP/IP settings, though.

How are your DNS servers configured in the DNS console? Do they have forwarders set up or do they use the root hints? They should use the root hints.
brwwiggins commented:
Personally, I would set server B to point to itself as primary DNS. Microsoft recommends configuring the TCP/IP properties of DNS servers to point to themselves.

In Active Directory, there is not really any primary/secondary setup... each domain controller is "primary", so to speak.
RHNOC (Author) commented:
The DHCP server is issuing both IPs for DNS. The DNS servers have forwarders but also have all the root hints. The forwarders are our ISP's DNS servers. Is that not a good way to have that configured?
ABLComputers commented:
DNS Server A: when you create it you will tell it to use a primary AD-integrated zone, mydomain.com or mydomain.local.

On DNS Server B you create a secondary zone, where it will ask you to input the IP address of the primary server so that it can copy the zone. You enter 192.168.0.2 and it will copy the information for that zone from server A.
RHNOC (Author) commented:
I thought setting DNS servers to use themselves as the primary DNS was the correct way. Either way though, this is not what is causing the issue, right?
ABLComputers commented:
You should assign static IPs to both servers.
RHNOC (Author) commented:
ALL of my servers are static. I was referring to clients that are using DHCP. I was stating that the clients are getting DHCP'd with the info for both DNS servers, so it's not an issue of the clients or DHCP.
RHNOC (Author) commented:
In response to this comment, when I look at server A and server B the information is identical. Wouldn't that mean it was replicating from server A? Also, if I expand each server, it shows Forward and Reverse zones. If I expand those, under Forward it has the domain name. If I right-click that and go to Properties, Server A and B are configured as Active Directory-Integrated. Under Reverse it shows my subnet and when I right-click I see the same, Active Directory-Integrated. So where would one be configured for Primary/Secondary? Also, on the SOA tab, Server A lists itself as the Primary Server; on Server B it also lists itself. Should server B list server A on the SOA tab for primary server? These are just random thoughts so I apologize if I am making no sense. Thanks again guys...

Frank

"ABLComputers: DNS Server A when you create it you will tell it to use a primary AD integrated Zone Mydomain.com or mydomain.local

On the DNS Server B you create a secondary zone where it will ask you to input the IP Address of the Primary Server so that it can copy the Zone. You enter 192.168.0.2 then it will copy the information for that zone from server A."
ABLComputers commented:
What OS are you running?
Cyclops3590 commented:
brwwiggins, DNS server TCP/IP settings have 0 to do with clients resolving addresses; it's the DNS daemon on the DNS server.

jiveass1960, if you configure forwarders, they are used instead of the root hints. Since you are forwarding to your ISP DNS servers that is fine.

ablcomputers, why would you do a secondary zone on server B and AD-integrated on server A when both are DCs? They will both be AD-integrated.

jiveass1960, now my question is why are you statically assigning an IP to your computer when you have DHCP working. Testing, I presume. Personally I'd leave it at DHCP as that is how the rest of your clients are configured. As a test, here is what I recommend. Install Wireshark, set it to capture all DNS queries on the client. Do some nslookups. Now restart server A. From what you describe, this should break DNS resolution. Do some more nslookups with the same FQDNs you did before the server restart, then do some that you didn't do. What does the Wireshark capture say? You should see it trying the server for the new ones. The first ones you try should be cached. We are trying to verify that the client is trying a server and that the server is receiving the request. Basically, get a lead as to where the communication breakdown is happening for DNS queries.
RHNOC (Author) commented:
ABL Computers - I am running Windows 2000 Server.

Cyclops3590 - Servers are statically assigned. Workstations are DHCP. I wrote that I statically assigned my PC an IP and DNS server for testing. I set an IP and set my DNS to server B only. I was able to work just fine. Just as I am when my DNS is set to server B. Unfortunately, restarting server A is not an easy task, so testing using your method is going to be difficult to pull off. We are an organization that is open 24/7. Another DNS outage would result in application lockups/crashes across 120+ workstations and 20+ servers. Although I agree with and understand your method of troubleshooting, at this time I probably can't utilize it. Is there a way I could test using Wireshark without downing Server A?
ABLComputers commented:
Using a workstation, configure it to use static IP and DNS info. For the DNS info use Server B. Once the system is up, type these commands in your command prompt:

ipconfig /flushdns    (hit Enter)

nslookup

> "type the name of one of your servers"    this should result in the IP address of that system

> www.google.com    see if it resolves.

Let me know your results.
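The per-server check ABLComputers describes with nslookup, and the client-versus-server breakdown Cyclops3590 wants to isolate with Wireshark, as an added example (not code from the thread or any of its posters): the Python script below sends a raw A query straight to one chosen server and reports, per server and per name, whether it answered, returned NXDOMAIN, or never replied. Because it talks to one server at a time with its own timeout, it bypasses the Windows client's cache and its silent failover to the second DNS entry, so server B can be checked on its own while server A stays up. The zone names and addresses (dc1.corp.example, 192.168.0.2/3) are constructed; the in-process responder and the never-answering socket stand in for a healthy DC and one that is mid-reboot, so the demo runs offline.

```python
"""Direct per-server DNS probe.  Added example, not code from the thread.
Each query goes straight to one server over UDP with its own timeout, so the
result reflects that server alone: no stub-resolver cache, no silent failover
to the second DNS entry.  Zone, addresses and the demo "servers" are constructed."""
import socket
import struct
import threading

ZONE = {"dc1.corp.example.": "192.168.0.2", "dc2.corp.example.": "192.168.0.3"}  # constructed
_KEEP = []  # keeps demo sockets open for the life of the process

def build_query(name, txid):
    """Minimal DNS query: header with RD set + QNAME + QTYPE A + QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_reply(msg, txid):
    """Classify a reply: ("ok", [ips]), ("nxdomain", []) or ("error", [])."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rid != txid or rcode not in (0, 3):
        return ("error", [])
    if rcode == 3:
        return ("nxdomain", [])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ("ok", ips)

def query_server(server, name, timeout=2.0):
    """One A query to one (host, port); ("timeout", []) if it never answers,
    which is exactly what a rebooting DC looks like to a client."""
    txid = 0x2A2A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), server)
        try:
            data, _ = s.recvfrom(512)
        except (socket.timeout, OSError):
            return ("timeout", [])
    return parse_a_reply(data, txid)

def probe_all(servers, names, timeout=2.0):
    """Every name against every server: shows which server fails for which
    names, instead of whatever the stub resolver's failover hid."""
    return {srv: {n: query_server(srv, n, timeout) for n in names} for srv in servers}

def _respond(sock):
    """Demo responder: answers A records from ZONE, NXDOMAIN for anything else."""
    while True:
        try:
            data, peer = sock.recvfrom(512)
        except OSError:
            return
        off, labels = 12, []
        while data[off] != 0:
            labels.append(data[off + 1:off + 1 + data[off]].decode())
            off += 1 + data[off]
        qname, question, txid = ".".join(labels) + ".", data[12:off + 5], data[:2]
        if qname in ZONE:
            rdata = bytes(int(x) for x in ZONE[qname].split("."))
            rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
            sock.sendto(txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + rr, peer)
        else:
            sock.sendto(txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + question, peer)

def start_demo_servers():
    """Return (healthy, silent) loopback addresses: healthy answers from ZONE;
    silent is bound but never reads, like a DC mid-reboot."""
    healthy = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    healthy.bind(("127.0.0.1", 0))
    threading.Thread(target=_respond, args=(healthy,), daemon=True).start()
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))
    _KEEP.extend([healthy, silent])
    return healthy.getsockname(), silent.getsockname()

if __name__ == "__main__":
    a, b = start_demo_servers()  # for real servers: [("192.168.0.2", 53), ("192.168.0.3", 53)]
    for srv, res in probe_all([a, b], ["dc1.corp.example", "nosuch.corp.example"], 0.5).items():
        for name, (status, ips) in res.items():
            print(f"{srv[0]}:{srv[1]}  {name:22s} {status:8s} {' '.join(ips)}")
```

Against the real network, run probe_all from a workstation with [("192.168.0.2", 53), ("192.168.0.3", 53)] and a mix of internal server names and Internet names. A "timeout" from B for a name that A answers points at B's service or the path to it; an "nxdomain" from B for an internal name points at B's zone data; and a clean "ok" from B for everything means the client side (cache, server order, failover timing) is where to put Wireshark next.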
Cyclops3590 commented:
Understood, 24/7 environments are a PITA in that way.
The only other thing I can think of is to get a firewall on your client that will block outgoing traffic to server A. This would simulate a server A crash as well. ZoneAlarm, I believe, has a free version you could use to try this out. The problem is restarting a server versus blocking access to it isn't an apples-to-apples comparison, but it should give us some information as to what the client is trying to do when server A goes down.

By doing this, your client should still try to contact server A each time, but only give a small latency in resolution. I believe my experiences have been no more than 3 seconds. It could be higher than that, but that's what I would expect for each query (until it's cached of course).

The main purpose of this test is to see what the client is trying to do. As I stated before, the DNS client will generally cache failures as well. So if the client gives a failure and no packets were sent, then we need to clear the local cache just to make sure we're good there. Also, just for giggles, you can view the cache as well to see what is currently there and see how querying those will react.
ipconfig /displaydns
RHNOC (Author) commented:
I am headed out for the weekend, so I will try this next week. Thanks again everyone and have a great weekend.

Frank
brwwiggins commented:
cyclops,

I was just offering some friendly advice. I didn't say it was the cure-all to the DNS problems, but since they mentioned it was an AD environment I thought I would throw the comment in there.

See the MS article for more if you want to: http://support.microsoft.com/kb/291382
Cyclops3590 commented:
Gotcha, yes I agree with you that DNS servers' TCP/IP settings for DNS should point to localhost first all the time, except in odd cases that require differently.

However, I wanted to ensure it was clear this change/check has nothing to do with the problem at hand, as those settings are the client settings for the server so it knows where to find the server running the DNS daemon.

BTW, this is what I found in a thread elsewhere on DNS timeout values; it could be of help.

Windows by default retries with the following pattern: 1, 2, 2, 4, 8... count it, that's 17 seconds. In other words, after the first query is sent, wait 1 second... if you don't get a response, send another query, and wait 2 seconds... another query, another 2 seconds... another query, then wait 4 seconds... send the 5th query, wait 8 seconds... if you don't get a response, call it quits on the primary DNS server. Run a packet sniffer and you'll see this to be true. If after 17 seconds the primary DNS server hasn't responded, then Windows switches over to the secondary server, and attempts another 5 queries. After a total of 34 seconds, DNS lookup fails.
from: http://drewthaler.blogspot.com/2005/09/changing-dns-query-timeout-in-windows.html
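The schedule quoted above, worked through as an added example (not code from the thread or its posters): the Python model below applies the quoted 1, 2, 2, 4, 8 second waits per server and moves to the next server only after all five attempts, so the 17 s and 34 s figures fall out, and it also shows what changes when the dead server is listed second or when several uncached lookups stack up. The schedule itself is taken from the quoted blog post and is an assumption to verify against a capture on your own clients, as the quote suggests; the 192.168.0.x addresses are the ones used earlier in this thread.

```python
"""Model of the Windows DNS client retry/failover schedule quoted above.
Added example, not code from the thread.  RETRY_WAITS is the quoted
1, 2, 2, 4, 8 second pattern (an assumption to confirm with a capture)."""

RETRY_WAITS = (1, 2, 2, 4, 8)  # seconds waited after each of the 5 attempts


def lookup_timeline(servers, alive):
    """Simulate one lookup that is not in the client cache.

    servers: DNS server addresses in the order the client tries them.
    alive:   set of servers that answer; a live server answers the first
             attempt immediately, a dead one never answers.
    Returns (status, seconds_blocked, events) where events lists
    (server, attempt_number, seconds_waited) for every query sent."""
    elapsed = 0
    events = []
    for srv in servers:
        for attempt, wait in enumerate(RETRY_WAITS, start=1):
            if srv in alive:
                events.append((srv, attempt, 0))
                return ("answered", elapsed, events)
            events.append((srv, attempt, wait))
            elapsed += wait
    return ("failed", elapsed, events)


def stall_seconds(servers, alive, uncached_lookups):
    """Seconds an application blocks while performing this many lookups that
    are not yet cached on the client; each one pays the full delay."""
    return uncached_lookups * lookup_timeline(servers, alive)[1]


if __name__ == "__main__":
    A, B = "192.168.0.2", "192.168.0.3"  # addresses used in the thread
    cases = (([A, B], {A, B}), ([A, B], {B}), ([B, A], {B}), ([A, B], set()))
    for order, live in cases:
        status, secs, _ = lookup_timeline(order, live)
        print(f"order={order} alive={sorted(live)}: {status} after {secs} s")
    print("5 uncached lookups, A down and listed first:",
          stall_seconds([A, B], {B}, 5), "s")
```

With A listed first and down, every lookup that is not already in the client cache blocks for the full 17 s before B is even asked, which is consistent with the RDC-by-name failures and application lockups Frank saw while DC#1 rebooted; the same lookup with B listed first returns at once. The numbers are what the quoted schedule predicts, so a capture showing a different pattern means the schedule, not the model, needs updating.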