Solved

DNS settings on an offline network

Posted on 2008-10-05
Last Modified: 2010-04-07
Hi there,
I administer a large offline network, which consists of several DCs that also function as DNS servers.
We noticed the problem sometime after we upgraded the network to a 2003-native domain: long delays, 20 seconds or more, in many applications on the network.

After some research, we assumed that the applications are 'trying' to revoke their certificate, which makes them turn to addresses like crl.microsoft.com.
After some sniffing, it turns out that some addresses don't get a response from the DNS server at all.

To make a long story short: are there any known configuration changes I can make to the DNS server or local machines to prevent these delays?

Thanks in advance
Comment
Question by:sheshtus
12 Comments
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22647916
Do the preferred DNS servers match your internal DNS servers?
 

Author Comment

by:sheshtus
ID: 22648392
Indeed
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22648601
Well, a lot of things can cause the problems you are seeing. I think we need a little more diagnostics to help you fine tune out the problem.

Does DCdiag, Netdiag, or event logs cough up some information for us to go by?
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22648662
~~Example of some issues that can cause the slowness:
If applications, like Word documents, right clicking, or Adobe Acrobat are slow, you might be experiencing a problem with context menu handlers or a program running from a remote computer (like WinZip). I have just the article you can look at for this:
(((Similar symptoms for both issues but one is context menu handlers and the other is a program running from a remote location: So far, the list of programs that I have seen cause this are Visio, Acrobat, and Winzip. )))
http://www.experts-exchange.com/Hardware/Desktops/PCs/Q_23099683.html

~~Of course DNS can be a factor. Usually DNS errors are easily seen in event logs or DCdiag reports. At least all the DNS problems I have seen are.

~~Another problem is with the service pack you are on. SP1 has a problem where it can flood a NIC. The interesting thing is it usually shuts down the service that floods the NIC. Often this is a service that is network intensive, like SQL server. Sometimes it will shut down DHCP. The end result will appear like intermittent communications. The fix was to install a hotfix, but an alternative (recommended) fix is to install SP2. Most of the time there are no errors in event logs and/or DCdiag reports. Details are on this link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;898060

~~Multihomed domain controllers can also certainly cause this problem. Multihomed is simply defined as a DC that has two or more IPs. This could mean two IPs on the same NIC or two + NICs. Most domains don't really need two NICs and on a domain controller it is highly recommended you disable the second NIC. TOO MANY errors come from multihomed domain controllers.

~~We also somewhat covered the Preferred DNS servers list on all your PCs of the LAN. So, I am going to conclude that isn't the issue.

There are more issues, but the above are most common:

 

Author Comment

by:sheshtus
ID: 22648986
I see.
Well, netdiag is something I somehow forgot, but it all passed. I fear that it's not a problem in the DNS itself.
For example, if I turn to mydomain.dom, I'll get a reply saying it doesn't exist.
But if I turn to mydomain.com, I don't get a reply at all (the application times out, but the server won't reply even if I let it a whole hour).

I assumed it's a known issue because applications do need access to the internet (like in the certificate usage), and that there is a workaround I can apply.
If it helps, users in my organization add an entry in the Hosts file on their local computer, and by that bypass the problem.
Besides that, there aren't any DNS problems inside the organization.
 
LVL 16

Expert Comment

by:robrandon
ID: 22649388
If your workstations are looking to resolve certificates by going to a public server, and that absolutely isn't necessary and never will be, you can go to Control Panel - Internet Options - Content - Certificates - Trusted Root Certification Authorities, and remove the public ones.  You can leave your internal ones.
 

Author Comment

by:sheshtus
ID: 22651306
Actually, I was kinda hoping for a more extensive solution, so I could deal with non-existing addresses from the server side rather than specifically removing several addresses, even though it is the best solution possible right now..
 
LVL 38

Accepted Solution

by:
ChiefIT earned 250 total points
ID: 22657827
First off, let's talk about the problems with configuring a HOST file. A Host file is used when a DNS server doesn't exist on the network. It is a list of basically HOST A records. So, by configuring that, your clients will think they can provide their own DNS resolution and skip your server. In doing so, these clients miss out on the SRV records of the server. Those records point the direction of the AD servers for logon. If you are able to logon, then you are getting DNS resolution to your clients from your server.

I am going to explain the chronology of a DNS query to help you troubleshoot this issue:
_______________________________________________________________________________
The client sends out a DNS query:
The client has a couple records that it will try to resolve the query by itself:
1) The first place a client looks for is a cached entry. (Since it is taking a long time to propagate a DNS reply, your client may be looking at the old server records in its own DNS cache. To determine if this is the case, go to the command prompt of the client and type IPconfig /flushdns.)
2) Then if your client doesn't have the cached entry, it will look at the client's C:\Windows\system32\drivers\etc\Host file for resolution. (As you know, you can look at and edit the host file with WordPad. Check and see that there are no entries, except 1.0.0.127 local host file in that file. Manually configured host files can mess up DNS resolution.)

After the client can't determine its own DNS query it will look at the preferred DNS server: (To determine the preferred DNS server, it will be the first one on the list in an IPconfig /all of the client).
1) The first place the server looks for DNS records is its own DNS cache. (You can flush the cache by again going to the command prompt and typing ipconfig /flushdns)
2) Then, the server will look at its own C:\Windows\system32\drivers\etc\Host file.
3) Then, the DNS server will have a list of Host A records and SRV records. (For internal queries, it looks and sounds like you have a list of Host A records).
4) If the DNS server can't find the Host A, it will make an attempt to contact an outside server. There are two types of contacts. One is a recursive and the other is an iteration query. There are also two types of lists to contact the outside server. One is called a forwarder and the other is called roothints.
***brief explanation of each:
---Recursive lookup: A recursive lookup is handled by the server. It will go out to a distant server and try to resolve DNS queries that it can't do for the client. In other words, if the DNS server can't find an internal address, it will go out to other servers and ask them to look for it. If a resolution is provided, the resolution will be passed down to the client from the server. It is recommended to turn off recursive lookups for security reasons and performance reasons.
---Iteration: Iteration is done when the server can't resolve the query and tells the client, "I can't do it, ask another DNS server." The resolution comes from the remote server, not the local server. So, this is basically passing the buck.
---Forwarders: forwarders are manually configured DNS servers that your server will forward queries to if your server can't make the resolution. (most folks configure the ISP's DNS server as the forwarders)
---Root Hints: Root Hints are a list of public DNS servers that your server forwards DNS queries to if your server can't resolve the DNS query
____________________________________________________________________________________
With that said, I think you have a number of DNS problems and possibly a couple firewall problems:

1) You configured the C:\Windows\system32\drivers\etc\Host files on workstations and maybe the server. In doing so, the domain will think it can resolve the query without going through DNS records.
2) You are not getting a reply from the server. It is my belief you have a software firewall that is blocking ICMP from replying. This can be Windows firewall, (by default), or ISA firewall (by default). Things like Ping and netstat, and I think NSlookup will be blocked from replying.
So, what software & hardware firewalls are we looking at?
3) The long delay is the result of confusion in DNS. The DNS server is the only place that holds the SRV records. These records point to the domain AD server. Even though the AD server may be the same server as your DNS server, it still needs the SRV pointers to authenticate. The confusion as to where your AD server is for authentication is causing your delays, I believe.

NOW, For the fixes:
~~Firewall: If you have ISA, google search "ISA rules for DNS" and "ISA rules for ICMP" and "ISA rules for DHCP"
**If using Windows firewall, please follow the next two links:
http://support.microsoft.com/kb/555381
http://msdn.microsoft.com/en-us/library/ms912869.aspx

~~Make sure you go to your DHCP snap-in and expand that until you see a folder called scope options. Under scope options, make sure the DNS server is ONLY your internal Microsoft DNS servers. This is the DNS server passed down to the clients for its preferred DNS servers. On fixed IPs, make sure your Preferred Primary and Alternate DNS servers are your internal Microsoft DNS servers. NOT your gateway or any other DNS servers.
~~Flush your DNS resolver cache on client and server and rid yourself of the manually configured C:\Windows\system32\drivers\etc\Host records. This rids you of these records and forces the clients and servers to use your DNS server.
~~Another problem is with the service pack you are on. SP1 has a problem where it can flood a NIC. The interesting thing is it usually shuts down the service that floods the NIC. Often this is a service that is network intensive, like SQL server. Sometimes it will shut down DHCP. The end result will appear like intermittent communications. (((The fix was to install a hotfix, but an alternative (recommended) fix is to install SP2))). Most of the time there are no errors in event logs and/or DCdiag reports. Details are on this link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;898060
NOTE: This error will not necessarily show up in event logs or DCdiag reports, but can flood a single NIC and cause major havoc on your server.
~~Multihomed domain controllers can also certainly cause this problem. Multihomed is simply defined as a DC that has two or more IPs. This could mean two IPs on the same NIC or two + NICs. Most domains don't really need two NICs and on a domain controller it is highly recommended you disable the second NIC. TOO MANY errors come from multihomed domain controllers. If you cannot disable the second NIC, then, we have to fix this as well. By a quirk in Microsoft, the SRV records of both NICs will be registered in DNS. Therefore, it will confuse DNS resolution to the AD server.

LOL: How's that for an "extensive" solution?
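A simulation of that lookup order, added here as an illustration and not code from the thread: it walks a client's cache, hosts file and preferred DNS server, and models the three outcomes the thread reports, a fast "doesn't exist" for a name in the DC's own zone, a long upstream wait for an outside name when recursion is on, and an immediate "server failure" when recursion is off. It also flags manual hosts-file entries, which answer before the DNS server is ever asked. The zone data, the hosts-file text, the forwarder address and the timing constants are assumptions chosen to reproduce those symptoms; nothing here touches a real network.

```python
"""Model of the DNS lookup order described in the accepted solution.

Added illustration, not code from the thread. The zone data, hosts-file text,
forwarder address and timing constants are constructed assumptions.
"""
from dataclasses import dataclass, field

# Assumed timing model: each unanswered upstream attempt costs a full timeout.
UPSTREAM_TIMEOUT = 5.0   # seconds waited per attempt (assumption)
UPSTREAM_ATTEMPTS = 4    # attempts per upstream before giving up (assumption)
LAN_ROUND_TRIP = 0.05    # client <-> internal DNS server (assumption)

# Constructed hosts-file text in the Windows format (comments start with '#').
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.25       crl.microsoft.com    # manual workaround entry
10.0.0.25       www.google.com
"""


def parse_hosts(text):
    """Return {name: ip} from hosts-file text, ignoring comments and blank lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries[name.lower().rstrip(".")] = ip
    return entries


def manual_hosts_entries(entries):
    """Hosts entries other than the loopback localhost line.

    Each such name is answered locally before the DNS server is asked, which
    is why the accepted solution recommends removing them.
    """
    return {n: ip for n, ip in entries.items()
            if not (n == "localhost" and ip.startswith("127."))}


@dataclass
class DnsServer:
    zones: dict        # {zone: {fqdn: ip}} data the server is authoritative for
    recursion: bool    # the setting the asker toggled
    upstreams: list    # forwarders or root hints; never answer when offline
    offline: bool = True

    def query(self, name, clock):
        """Answer `name`; `clock` is a one-element list of simulated seconds."""
        for zone, records in self.zones.items():
            if name == zone or name.endswith("." + zone):
                if name in records:
                    return "NOERROR", records[name]
                # Our own zone but no such record: a fast negative answer.
                return "NXDOMAIN", None
        if not self.recursion:
            # Not our zone and we will not ask anyone else: immediate failure.
            return "SERVFAIL", None
        for _upstream in self.upstreams:
            for _attempt in range(UPSTREAM_ATTEMPTS):
                clock[0] += UPSTREAM_TIMEOUT
                if not self.offline:
                    return "NOERROR", "203.0.113.10"  # placeholder upstream answer
        return "SERVFAIL", None


@dataclass
class Client:
    server: DnsServer
    hosts: dict
    cache: dict = field(default_factory=dict)

    def resolve(self, name):
        """Walk cache -> hosts file -> preferred DNS server; return (status, ip, seconds)."""
        name = name.lower().rstrip(".")
        clock = [0.0]
        if name in self.cache:
            return "CACHE", self.cache[name], clock[0]
        if name in self.hosts:
            return "HOSTS", self.hosts[name], clock[0]
        clock[0] += LAN_ROUND_TRIP
        rcode, ip = self.server.query(name, clock)
        if rcode == "NOERROR":
            self.cache[name] = ip  # only positive answers are cached in this model
        return rcode, ip, clock[0]


def run_scenario(recursion, hosts_text=""):
    """Resolve the thread's example names against an offline DC with the given recursion setting."""
    server = DnsServer(zones={"mydomain.dom": {"dc1.mydomain.dom": "10.0.0.1"}},
                       recursion=recursion, upstreams=["192.0.2.53"])
    client = Client(server=server, hosts=parse_hosts(hosts_text))
    return {n: client.resolve(n) for n in
            ("dc1.mydomain.dom", "nonexist.mydomain.dom", "crl.microsoft.com")}


if __name__ == "__main__":
    for recursion in (True, False):
        print(f"recursion={'on' if recursion else 'off'}")
        for name, (status, ip, secs) in run_scenario(recursion).items():
            print(f"  {name:<24} {status:<9} {ip or '-':<12} {secs:6.2f}s")
    print("manual hosts entries:", manual_hosts_entries(parse_hosts(SAMPLE_HOSTS)))
```

With the assumed timings, the outside name costs one LAN round trip plus four five-second upstream timeouts when recursion is on, and only the round trip when it is off; the in-zone names are answered in one round trip either way, because the DC is authoritative and never needs to go upstream for them. Passing `SAMPLE_HOSTS` to `run_scenario` shows the hosts-file workaround from the thread short-circuiting the lookup entirely.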
 

Author Comment

by:sheshtus
ID: 22658356
lol - I believe you redefined 'extensive' right there.
I'll detail the steps I did - thanks a lot

The SP1, Windows firewall, HOST file, DHCP and multihomed solutions are irrelevant, due to the network configuration (the DCs are multihomed, but the NIC is disabled).
However, when I disabled recursion on the DNS server, the replies shortened from 15-20 seconds to 0.44 >)
I still want to check it around before I'll try it on the actual network, but it seems promising.
So again, thank you.

BUT, I think I'm rude enough to ask another question :P
With replies from nonexis.domain.dom (correct suffix) answered in 0.25 seconds, and replies from nonexist.domain.com now shortened to less than a second (instead of 20), responses from www.google.com, for instance, still take 6 seconds..
Although now 6 seconds seems laughable, I still have no clue as to why it can happen..

 
LVL 38

Expert Comment

by:ChiefIT
ID: 22658637
Disabling recursion will default you to ROOT HINTS. Root hints servers are public servers and usually work very well.

(You're not rude), I am game to help out in any way I can. So, ask away.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22658994
Type, at the command prompt, (NSlookup google.com) and produce the results for me, will you?
 

Author Comment

by:sheshtus
ID: 22659178
Well, with recursion disabled I get "server failure" after 0.6 seconds.
From stations that work against a recursive DNS server, I get a 2 second timeout.