Solved

Need advice when switching from Windows DNS to Linux DNS

Posted on 2007-10-16
Medium Priority
358 Views
Last Modified: 2010-04-07
I am switching from a Windows DNS server over to a Linux one and want to make sure I understand stuff before I do the cut over.

On my Windows domain I can ping DOMAIN.COM and it responds with my domain controller's IP address. When I switched over to Linux on a test workstation and ping DOMAIN.COM, I get no response. I am wondering if this will be an issue. Any other things I should be thinking of on this switchover?

0
Question by:WTarlton
22 Comments
 
LVL 12

Expert Comment

by:Heem14
ID: 20089464
If you have Active Directory you need a Windows DNS server internally. Use Linux externally or for non-domain things, but you need a Windows DNS server for AD.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20089482
Any reason for this? Windows DNS integrates better with Active Directory and provides secure updates, very efficient replication via AD replication, and integration with DHCP.

If you must move to another DNS then make sure that the DNS supports SRV records and dynamic updates; this is a requirement for a Windows domain. You will need to set up the DNS zone on the Linux box and make sure that all of your clients and servers are reconfigured to use the new DNS server as the preferred DNS server. This may involve manually changing TCP/IP settings and/or DHCP options.
0
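As an added example (not configuration from the thread), here is what the zone KCTS describes looks like in BIND 9: a named.conf fragment with the ISP's resolvers as forwarders and the AD zone accepting dynamic updates, followed by a zone file seeded with the apex A record and the main SRV records a domain controller registers. The domain name, addresses (203.0.113.x and 192.168.0.x) and file paths are placeholders.

```text
// /etc/named.conf fragment (placeholder addresses)
options {
    directory "/var/named";
    recursion yes;
    allow-query     { 192.168.0.0/24; 127.0.0.1; };   // only the LAN may use this resolver
    allow-recursion { 192.168.0.0/24; 127.0.0.1; };
    // The ISP resolvers, the BIND equivalent of the forwarders list KCTS describes.
    // "forward first" falls back to the root hints if the forwarders stop answering.
    forwarders { 203.0.113.53; 203.0.113.54; };
    forward first;
};

// The Active Directory zone: SRV records plus dynamic update is what the DCs expect
zone "domain.com" IN {
    type master;
    file "domain.com.zone";
    // Address-based update ACL: unauthenticated, any LAN host may rewrite any record.
    // This is the gap between BIND's plain dynamic update and Windows' secure update.
    allow-update { 192.168.0.0/24; };
};

; /var/named/domain.com.zone
$TTL 3600
$ORIGIN domain.com.
@       IN SOA  ns1.domain.com. hostmaster.domain.com. (
                2007101601 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
        IN NS   ns1.domain.com.
        IN A    192.168.0.10    ; apex A record: what "ping domain.com" answers with
ns1     IN A    192.168.0.20    ; the Linux BIND server
dc1     IN A    192.168.0.10    ; the domain controller
; Core records a DC registers for itself (site-specific and GUID records omitted)
_ldap._tcp              IN SRV 0 100 389  dc1.domain.com.
_kerberos._tcp          IN SRV 0 100 88   dc1.domain.com.
_kerberos._udp          IN SRV 0 100 88   dc1.domain.com.
_kpasswd._tcp           IN SRV 0 100 464  dc1.domain.com.
_ldap._tcp.dc._msdcs    IN SRV 0 100 389  dc1.domain.com.
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389  dc1.domain.com.
gc._msdcs               IN A   192.168.0.10
_ldap._tcp.gc._msdcs    IN SRV 0 100 3268 dc1.domain.com.
```

The blank-owner A record at the zone apex is what makes ping DOMAIN.COM answer with the DC on the Windows side; a DC registers it itself, along with the SRV records, once it is pointed at a server whose zone accepts updates from it (the complete list a DC registers is written to %SystemRoot%\System32\config\netlogon.dns on the DC, and can be pasted into the zone file by hand if updates are not allowed). That is why the test workstation saw no answer: the BIND zone simply had no apex record yet. The allow-update line is the security trade-off to weigh: an address-based ACL lets any host on the LAN overwrite any record, whereas BIND can restrict updates with TSIG keys or an update-policy, which this example does not show.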
 

Author Comment

by:WTarlton
ID: 20089821
Well, for some reason lately my DNS server stops forwarding to my external Internet provider's DNS. So basically my whole company's Internet dies because it cannot resolve any names. I can still resolve anything internally and I can go to google.com by the IP but not by name. Sometimes it comes back by itself after 5 minutes and other times I have to completely reboot the DNS server for it to come back. I have checked event logs and find no reason for such behavior. I figured I would just throw in 2 dual Linux DNS servers to solve the problem, but it's sounding like that may not be such a good idea.

Any ideas?
0

 
LVL 48

Expert Comment

by:Tintin
ID: 20089887
It very much depends on your internal network and your LAN as to whether you really need a Windows DNS server.

Do you use AD?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20089914
You really need to sort this out rather than move to a Linux DNS just for this reason; there is no guarantee that a Linux-based DNS will not do the same, and it has the potential to introduce a lot more problems.

First thing to check is that ALL clients and servers, including the Windows server running DNS, point to the Windows DNS server as their preferred DNS server. If you have multiple Domain Controllers with DNS installed then clients can be configured with the address of another internal DNS server as the alternate DNS server. DNS servers themselves, however, should not have an alternate DNS specified, and on no account should any external DNS servers be set as preferred or alternate DNS servers anywhere.

Your ISP's DNS servers should appear in DNS as (unconditional) forwarders - on the properties tab of the DNS server in the DNS console. You can also provide other public DNS servers in case of issues with your ISP's DNS servers (4.2.2.1 and 4.2.2.2 are used quite commonly as backups to ISP DNS servers).
0
 
LVL 40

Expert Comment

by:omarfarid
ID: 20089939
Hi,

From the initial problem description, it looks like you have a network issue, since pinging from the windows dns server works, while it does not work from the linux workstation.

Why do you need to forward your dns queries to your isp dns servers? If you have a full fledged dns server, then it should work independent of your isp dns servers.

It is always a good idea to have more than one DNS server in your network, and I do not see any problem in getting a Linux-based DNS server to work.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20089962
omarfarid:

This could be a network or configuration issue.

Forwarders are required to resolve external names efficiently (much more efficient than root hints).

Yes, multiple servers are better (but let's get the one running first).

Yes, you could use a Linux-based DNS - providing it meets the requirements - but if it's a network or configuration problem it's not going to solve the issue and could result in more problems.
0
 
LVL 40

Expert Comment

by:omarfarid
ID: 20090612
Hi,

KCTS:

Thank you for your comments, and I would like to assure you that my aim is to help resolve the problem, not complicate it.

If you read my comments carefully, you will find that I was commenting on not being able to ping from the other node.

Also, WTarlton showed interest in adding more dns servers to the network. You yourself agreed that it is a better idea.

In my opinion the problem is in communicating to the external network, and in relying on the ISP dns servers which could have their own problems as well.

A DNS server will always meet the requirements of a DNS server, but it could be other MS stuff that may not work with the Linux DNS server.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20090691
I am sure you are trying to assist, but I was trying to simplify the situation in order to determine the root cause of the problem, and putting in additional DNS servers while we are still trying to determine this is not going to help much - in the longer term, yes, additional DNS servers (and DCs) are always a good idea, but I'm not convinced that a Linux-based DNS is the answer.

I'm not suggesting you cannot use a Linux-based DNS, but as all the machines are Windows (apart from the experimental Linux machine), there seems little merit in this approach and it seems to me it only serves to complicate the issue. On that point, any old DNS server will not do: DNS must support SRV and dynamic update, and while MOST do, SOME do not.

Once it is confirmed that the DNS configuration is correct, then we can begin to narrow down the problem if it still exists. The basic DNS recursive query test and NSLOOKUP tests being the next stage I would think.
0
 
LVL 40

Expert Comment

by:omarfarid
ID: 20090788
Hi,

Thank you KCTS :)

The current situation is that  the main dns server (the windows server) has a problem of not being able to resolve external sites and hence users are not able to browse the Internet.

Also, a new dns server (the linux one) was introduced to the network and it has a problem as well.

Now, we have a situation of users not being able to access the Internet; otherwise everything else seems OK.

I think priority is to make users have the ability to browse the Internet.

This could be by solving current dns server problem (which might take time before fixing it).

Or, by adding another DNS server (regardless of whether Windows or Linux based) that can resolve external sites.

Once this problem is resolved, adding additional DNS servers can be studied.

Now, to see if there is a network problem or not, I recommend the following:

From any node:

- run nslookup to resolve from other dns servers (e.g. ns1.cisco.com)
nslookup
> server 128.107.241.185
www.yahoo.com

If the above works, then I would say that there is no network issue related to routing or UDP (DNS) traffic.

If it did not work, then there could be an issue that requires investigation with the network administrator or the ISP.


Thanks
0
 
LVL 9

Accepted Solution

by:
MSE-dwells earned 2000 total points
ID: 20092364
Heem14: You really don't need Windows DNS for Active Directory, although it is advisable, but purely for the purpose of secure dynamic update.  We do need at least BIND 4.9.6 (that's off the top of my head, but it's around that ballpark) for SRV record support, though BIND 8.1.2 was recommended (again, going from memory here).

WTarlton:  There is a known issue with Windows 2003 DNS implementations that causes intermittent name resolution failures.  EDNS0 is a mechanism allowing DNS requestors to advertise the size of their UDP packets (based on their MTU) to facilitate the transfer of DNS messages containing more possible responses.  When a DNS server receives a request over UDP (which is the default for resolution attempts), it determines the requestor's UDP packet size and attempts to scale its response such that it contains as many records as permitted by that packet size ... something that any number of routers between the two endpoints may dislike and subsequently drop.  You can disable EDNS0 support using the registry (restart the DNS server once implemented) -

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

Value [REG_DWORD]: EnableEDNSProbes = 0x0

... to disable EDNS0
0
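Two pieces of this thread can be made concrete with a little code: omarfarid's nslookup test (send a query straight to a server of your choosing, bypassing the local DNS) and MSE-dwells' description of EDNS0. The Python below is an added example, not code from the thread. It builds a DNS query with and without the EDNS0 OPT record so you can see exactly what the "advertised UDP packet size" is on the wire, parses a reply to pull out that size and the TC (truncated) flag, and can send the query to a chosen server. The reply it parses is constructed inline; the only address it mentions is the server from omarfarid's post, in a commented-out call.

```python
"""Build and parse DNS-over-UDP messages to see what EDNS0 changes on the wire."""
import socket
import struct

DNS_PORT = 53
TYPE_A, TYPE_OPT = 1, 41
CLASSIC_UDP_LIMIT = 512   # the payload a server must assume when no OPT record is present


def _encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label, terminated by 0)."""
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    return b"".join(struct.pack("B", len(l)) + l for l in labels) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n


def build_query(name, qtype=TYPE_A, txid=0x1234, edns_payload=None):
    """Build a query. With edns_payload set, append the EDNS0 OPT pseudo-record
    (RFC 2671) whose CLASS field advertises the UDP payload size we can accept;
    without it the server must keep its answer within 512 bytes or set TC."""
    has_opt = edns_payload is not None
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if has_opt else 0)  # RD set
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if has_opt:
        # OPT RR: root owner name, TYPE 41, CLASS = payload size, TTL = ext-rcode/version/flags, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, 0, 0)
    return header + question + opt


def parse_response(msg):
    """Extract the fields that matter for this failure mode: TC flag, RCODE,
    answer count and the UDP payload size the responder advertised (None if no OPT)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    info = {"id": txid, "truncated": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "answers": an, "edns_payload": None}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["edns_payload"] = rclass        # OPT re-uses CLASS for the payload size
    return info


def query_server(server, name, edns_payload=None, timeout=3.0):
    """Send one query straight to a chosen server over UDP, bypassing the local
    resolver, and return the parsed reply (needs network; not exercised by the tests)."""
    q = build_query(name, edns_payload=edns_payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(q, (server, DNS_PORT))
        data, _ = sock.recvfrom(65535)
    return parse_response(data)


def build_sample_response(txid=0x1234, edns_payload=4096, truncated=False):
    """Constructed reply (not captured traffic): one A record for www.example.com,
    optionally carrying the responder's own OPT record and/or the TC bit."""
    flags = 0x8180 | (0x0200 if truncated else 0)   # QR, RD, RA (+TC)
    has_opt = edns_payload is not None
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1 if has_opt else 0)
    question = _encode_name("www.example.com") + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, 0, 0) if has_opt else b""
    return header + question + answer + opt


if __name__ == "__main__":
    for size in (None, 4096):
        q = build_query("www.example.com", edns_payload=size)
        print(f"EDNS0 payload {size}: query is {len(q)} bytes, ARCOUNT={q[11]}")
    print(parse_response(build_sample_response(edns_payload=4096)))
    print(parse_response(build_sample_response(edns_payload=None, truncated=True)))
    # Same idea as the nslookup test above, but against a server you choose (needs network):
    # print(query_server("128.107.241.185", "www.yahoo.com", edns_payload=4096))
```

The OPT record sits in the additional section and carries the payload size in its CLASS field; when it is absent the responder has to stay under 512 bytes or set TC and let the client retry over TCP. Setting EnableEDNSProbes to 0 stops the Windows server from including that record in its own queries to the forwarders, so they never try to send it oversized UDP replies that a router or firewall in the path may drop. When diagnosing, run query_server against the ISP's forwarder once with edns_payload=None and once with 4096 for a name that returns a large answer: if only the former gets a reply, something in the path is dropping large UDP datagrams.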
 
LVL 70

Expert Comment

by:KCTS
ID: 20092502
True, you don't NEED Windows DNS, but if you are going to use an alternative it must be BIND 8.2.2 or later, since it MUST support both SRV records and dynamic updates.

My personal opinion is still that it is folly to seek to replace Windows DNS with BIND unless there is some compelling reason for doing so, and I don't think that is the case here.
0
 
LVL 40

Expert Comment

by:omarfarid
ID: 20092573
Hi,

Whether to replace Windows DNS server with some other DNS server or not is not the current problem.

This can be considered later if better options are required.

WTarlton:

Any progress / update on the issue?
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20092656
Sorry, but I'm afraid I still don't agree with your first point -- you also do not _need_ dynamic update (secure or otherwise), though as I said, it is indeed advisable for sanity's and (in the case of secure dynamic update) security's sake.  In addition, my BIND reference was accurate -- per http://support.microsoft.com/kb/237675, BIND 8.1.2 is the stated supportable minimum though by no means the recommendation.

Regarding your last comment, with that I agree entirely.  While there are absolutely compelling reasons to use BIND DNS, I haven't identified any within this thread.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20092778
I think we'll call that a draw - OK, it is 8.1.2 not 8.2.2, but dynamic update IS required (see http://technet2.microsoft.com/windowsserver/en/library/73c0ae36-8058-43d1-8809-046eb03b73fb1033.mspx?mfr=true)

Anyway, I think we are drifting off the point here and should draw this to a close. We should be concentrating on WTarlton's problem.

Any update ?
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20092908
I wasn't trying to win in the first place, I tried only to state a technical fact as I see it.  To my mind, this conversation is entirely relevant to the OP's question and, as such, I'm comfortable proceeding.  That said -- seriously ... dynamic update is NOT required, I have implemented many an AD in this manner ... not by design but by requirement.  The Internet is rife with information to that effect; to quote the article you directed me toward (verbatim I might add) -

"Support for dynamic updates is recommended but not essential"

Please understand that (most of) my responses aren't meant to be argumentative (but we're all human), they just represent a difference of opinion which I'm comfortable volunteering :0)
0
 

Author Comment

by:WTarlton
ID: 20094711
Sorry all, I just got into work. I find MSE-dwells' comment might be right on with the symptoms I'm seeing:

WTarlton:  There is a known issue with Windows 2003 DNS implementations that causes intermittent name resolution failures.  EDNS0 is a mechanism allowing DNS requestors to advertise the size of their UDP packets (based on their MTU) to facilitate the transfer of DNS messages containing more possible responses.  When a DNS server receives a request over UDP (which is the default for resolution attempts), it determines the requestor's UDP packet size and attempts to scale its response such that it contains as many records as permitted by that packet size ... something that any number of routers between the two endpoints may dislike and subsequently drop.  You can disable EDNS0 support using the registry (restart the DNS server once implemented) -

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

Value [REG_DWORD]: EnableEDNSProbes = 0x0

... to disable EDNS0



I do not think this is any kind of network problem, just DNS. Like I said, when the DNS bombs out I just can't resolve names, but I can still get to the Internet via IP addresses and all internal DNS names still function (they may be cached; if it happens again I will flushdns just to verify). I have made the registry change and will see if the symptoms continue. Do you know if I need to reboot the server or restart the DNS service for this change to take place?

0
 

Author Comment

by:WTarlton
ID: 20094734
And just to be clear, I would rather stay with my Windows DNS, but I don't have the luxury to really fix that server because it is the only DC we have and it's running all the home shares and some critical databases. I would like to split that stuff up onto multiple servers, but we are a small company and the boss doesn't want to spend the $$$ :)
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20095078
A restart is required for the change to take effect ... bouncing the entire box will achieve that obviously but is a tad extreme :0)
0
 

Author Comment

by:WTarlton
ID: 20097730
So far so good. If the DNS stays up without crashing for 1 more day I will award points to you MSE-dwells :)
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20098112
... holding my breath ;0)
0
 

Author Comment

by:WTarlton
ID: 20104334
Hasn't crashed yet!!! Thanks
0
