Solved

DNS server updates and removes 2nd Host record of itself (it's Hamachi, software VPN, IP address)

Posted on 2008-06-23
Last Modified: 2008-07-04
I have a domain that has an SBS 2003 server as the PDC, we'll call this server "Server A" at "Site A". DNS server is running on Server A, as well as DHCP. Server A is also the Exchange server for the domain. The local area connection on Server A has a static IP and the only DNS server for the connection is itself. Everything DNS related for the workstations at Site A is working fine.

There is a 2003 Standard server, "Server B" on the domain at another location "Site B" hundreds of miles away from Site A. I was able to use Hamachi (software VPN connection) to connect the two sites. After many many hours of struggling, I was able to run dcpromo on Server B with it at Site B in order to make it an additional domain controller on the domain. In order to do so I had to manually create and populate the _msdcs.domain.local forward lookup zone in the DNS server on Server B. Before doing so the dcpromo wizard would fail because it could not find the Domain controller.

So I got that fixed up and got Server B promoted to domain controller. Active Directory and DNS both replicated to Server B successfully. I was then able to join the 2 workstations at Site B to the domain. Both of those workstations are also running Hamachi and are joined to the same Hamachi network as the domain controllers. One of the workstation's Outlook client keeps losing its connection to the Exchange server (Server A at Site A). When it does, I check the DNS server (on either server) and the Hamachi IP address of Server A (the Exchange server) is missing from the Forward Lookup Zone. I can manually add the Host Record of the Hamachi IP address of Server A and then the workstation is once again able to connect to the Exchange server.

Everything would be fine if the DNS server would quit removing the Host Record for Server A containing the Hamachi IP address. It seems that it is now removing that record every 15 minutes or so. This is causing a lot of email downtime and a lot of frustration (for the user and myself).

Additional info... When running properly, the DNS server should have 2 Host Records for Server A: its local IP and its Hamachi IP. Server B has two Host Records, its local IP and its Hamachi IP, and neither record has ever disappeared. All necessary Reverse Lookup Zones are created and PTRs are created. I've opened the LDAP port in the firewall at Site A. DNS event viewer shows the following 2 events just before the Host Record goes missing:

Event ID 4521

The DNS server encountered error 32 attempting to load zone 255.162.5.in-addr.arpa from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.

Event ID 6702

DNS server has updated its own host (A) records.  In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update.  An error was encountered during this update, the record data is the error code.
 
If this DNS server does not have any DS-integrated peers, then this error
should be ignored.
 
If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.
 
To ensure proper replication:
1) Find this server's Active Directory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact.  (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
6) Note, that is not necessary to update EVERY replication partner.  It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.
Question by:rnapro
14 Comments
 

Author Comment

by:rnapro
ID: 21849899
Any takers?
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21852261
Afraid it is not a solution but just an opinion; as wonderful a product as Hamachi is, I do not feel it is an enterprise solution. Have you considered site to site hardware VPN devices? A pair of Linksys RV042's work extremely well for $200 each, but you can get Linksys BEFV41's, or Netgear FVS318's for under $150 each.
Among other issues, Hamachi uses dynamic addressing which can play havoc with DNS and unless you have a paid version it does not run as a service.

I apologize up front, I appreciate this is not the information you are looking for.
 

Author Comment

by:rnapro
ID: 21854172
Thank you for the comment. We are using the paid version on both sides. We went with the software solution instead of hardware since we have had good experience with Hamachi. We will have to keep the hardware you suggested in mind if no one is able to solve this issue.
 

Author Comment

by:rnapro
ID: 21854933
As he said, we are using the paid service. I've never seen a Hamachi address change when running on the same user profile. I appreciate your suggestion. My thought, though, is that it is not a complication of using Hamachi. With the problem being that DNS removes the Hamachi IP address, I'm not sure that if I wasn't using Hamachi, there would be a different result. And for whatever reason the Hamachi address of Server B never gets removed.

Is anyone aware of a way to make a Host record never get deleted? It seems like such a small issue causing such a big problem. When the Host Record is there, everything works like a charm.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21860926
>>"Is anyone aware of a way to make a Host record never get deleted?"
You could resort to using the Hosts file (for DNS names) or the LMHosts file (for NetBIOS names).
http://msmvps.com/blogs/robwill/archive/2008/05/10/lmhosts-and-hosts-files.aspx

Author Comment

by:rnapro
ID: 21861010
Already tried that and it didn't help.
 

Author Comment

by:rnapro
ID: 21861026
When the Hamachi address is missing from DNS, regardless of whether I use the lmhosts file or not... the computer resolves Server A to its local IP address (local to Site A), which of course doesn't get it anywhere.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21867587
Does your version of Hamachi create a virtual adapter in network connections? If so the only other thought I would have is to verify that "register this connection's address in DNS" is checked under the advanced DNS tab of the virtual adapter.

The interesting part is if you had a site to site VPN connection there is no DNS entry relating to the VPN, just the remote site's LAN IP and routing knows the path to get there. I assume the remote site and subnet are set up in AD sites and services?
 

Author Comment

by:rnapro
ID: 21880975
I tried checking "register this connection's address in DNS". It did not register. I did a command prompt ipconfig /registerdns, it did not register. I am not familiar with using AD sites and services to achieve what I need. Could you elaborate?
 

Accepted Solution

by:
rnapro earned 0 total points
ID: 21881031
I finally figured out how to get the Host Record to stay. Instead of just creating a new Host Record in the forward lookup zone... I went to the properties of the forward lookup zone, then to the Name Servers tab, selected Server A, clicked edit and added the Hamachi address. It automatically creates the Host Record and it appears to stay indefinitely.
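Because the record in the question kept vanishing roughly every 15 minutes, the check a defender wants after applying the fix above is a monitor that asks the DNS server directly (bypassing the client's resolver cache and Hosts file) whether the host's A records still include both addresses. The following is an added example, not code from this thread: a minimal stdlib-only DNS A-record client in Python. The hostname `servera.domain.local`, the DNS server address and the two addresses `192.0.2.10` (LAN) and `198.51.100.20` (VPN adapter) are constructed placeholders, as is the sample response packet used for offline parsing.

```python
from __future__ import annotations
import secrets
import socket
import struct

# Constructed placeholders (not from the thread): the server's two expected addresses.
EXPECTED_ADDRESSES = ["192.0.2.10", "198.51.100.20"]  # LAN address, VPN adapter address
HOSTNAME = "servera.domain.local"                     # constructed hostname


def build_a_query(name: str, txid: int) -> bytes:
    """Build a recursion-desired DNS query for the A records of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) owner name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # RFC 1035 compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels).lower(), end


def parse_a_records(msg: bytes, expected_txid: int | None = None) -> dict[str, list[str]]:
    """Return {owner_name: [ipv4, ...]} for A records in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"DNS RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4                   # QTYPE + QCLASS
    records: dict[str, list[str]] = {}
    for _ in range(ancount):
        owner, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, class IN
            records.setdefault(owner, []).append(socket.inet_ntoa(rdata))
    return records


def missing_addresses(observed: list[str], expected: list[str]) -> list[str]:
    """Addresses that should be registered for the host but are absent from DNS."""
    return sorted(set(expected) - set(observed))


def check_host_records(name: str, expected: list[str], server: str, timeout: float = 3.0) -> list[str]:
    """Query `server` over UDP/53 for `name` and return the expected addresses it lacks."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (server, 53))
        response, _ = sock.recvfrom(4096)
    observed = parse_a_records(response, txid).get(name.rstrip(".").lower(), [])
    return missing_addresses(observed, expected)


# Constructed sample response (txid 0x1234, two A records, compression pointers to the question name).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x07servera\x06domain\x05local\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("192.0.2.10")
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("198.51.100.20")
)

if __name__ == "__main__":
    # Offline demonstration against the constructed packet; replace with
    # check_host_records(HOSTNAME, EXPECTED_ADDRESSES, "<dns server ip>") on a live server.
    observed = parse_a_records(SAMPLE_RESPONSE, 0x1234)[HOSTNAME]
    print("observed:", observed, "missing:", missing_addresses(observed, EXPECTED_ADDRESSES))
```

Run it on a schedule against each DC's DNS service; a non-empty result for the VPN address is exactly the condition that preceded the Outlook disconnects in the question, and catching it before users do is far cheaper than rediscovering it from the mailbox.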
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21881040
Sounds good.

As for sites and services it is important to set up the different sites, subnets, and link to be used so that replication between the DCs works properly. Jay_Jay70 has written an excellent "down to earth" article about the basic functionality of AD sites & services, which may be of help:
http://www.block.net.au/help/AD-Sites/