miswhoi

Windows Server 2008 + DNS Issue

I have a test 2008 box set up running Active Directory and DNS.  When I run a query against DNS from my workstation (not part of the 2008 domain) the request times out.

I've done my best to research the issue and I found that it might be related to IPv6, so I unchecked IPv6 on the server adapters and also made the registry entry to disable IPv6.  Furthermore I've gone into DNS and deleted out any IPv6 references...still when I query DNS I get a timeout.

When I query DNS from the server itself, it responds appropriately.  It seems like the query from my machine isn't authorized but the same thing happened when I joined a laptop to the domain to test.

Any insight is appreciated.
Chris Dent

Windows Firewall? You'll need some holes for DNS if there aren't already.

There's no filtering within (MS) DNS itself based on the client.

Chris
miswhoi

ASKER

Chris-Dent,

Thank you for the idea but unfortunately "Your computer is not protected: turn on Windows Firewall"
Windows Firewall is off.  Windows Firewall is not using the recommended settings to protect your computer.

No love.

That's on the server? Can't remember if it warns you about it being off there, never turned it off :)

You should find that TCP Port 53 is listening as well, which means you should be able to do "telnet <server> 53" from the client and get a blank screen as a response (rather than a time-out message).

Chris
miswhoi

ASKER

Chris,

When I telnet <server> 53 I DO get a black screen without a logon prompt.  The firewall IS disabled on the server but it does not respond to queries via nslookup.  A little frustrating.

Okay, cool, the blank screen at least indicates that you can talk to the server. Not the right protocol, but I'd be surprised to find blocks on UDP if TCP is allowed.

What query are you throwing at it? Just a random web site name? e.g. nslookup www.google.com.

Are you able to query it from a system that is a member of the domain? Or is it not that far on yet?

It'd be worth running:

netstat -anb | FindStr :53

Just to make sure it's got a UDP port bound to the interface you're talking to.

Chris
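
Added example, not part of the original thread: the telnet test above only exercises TCP 53, while nslookup sends its queries over UDP 53 by default, so this Python sketch sends the same DNS query over both transports and reports which one gets a reply. The query ID, function names and default timeout are choices made for this illustration.

```python
import socket
import struct

QID = 0x1234  # arbitrary query ID, used to match the reply to our query

def build_query(name):
    # Header: ID, flags (RD set), 1 question; then QNAME, QTYPE=A, QCLASS=IN
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack(">HHHHHH", QID, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def is_reply(data):
    # A reply echoes our ID and has the QR (response) bit set
    return len(data) >= 12 and struct.unpack(">H", data[:2])[0] == QID and bool(data[2] & 0x80)

def probe_udp(server, name, port=53, timeout=2.0):
    # False on timeout or ICMP port-unreachable (both surface as OSError)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, port))
            return is_reply(s.recvfrom(4096)[0])
        except OSError:
            return False

def probe_tcp(server, name, port=53, timeout=2.0):
    # DNS over TCP prefixes each message with a 2-byte length
    query = build_query(name)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(query)) + query)
            reader = s.makefile("rb")
            (length,) = struct.unpack(">H", reader.read(2))
            return is_reply(reader.read(length))
    except (OSError, struct.error):
        return False

def diagnose(server, name, port=53, timeout=2.0):
    udp, tcp = probe_udp(server, name, port, timeout), probe_tcp(server, name, port, timeout)
    if tcp and not udp:
        return "TCP answers, UDP does not: UDP/53 is unbound on the server or dropped in the path"
    if udp and tcp:
        return "both transports answer"
    return "UDP only" if udp else "no reply on either transport"
```

Run from the client as `diagnose("<server>", "www.google.com")`; a "TCP answers, UDP does not" result narrows the search to the server's UDP binding or a device between client and server.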

Sorry missed this bit

> but the same thing happened when I joined a laptop to the domain to test.

So ignore the question about a member of the domain.

Chris
miswhoi

ASKER

name of the system is cahu07-00.  If I type:
c:\>nslookup
Default server: myprimary_server
address: xxx.xxx.xxx.xxx

>Server cahu07-00
Default Server: cahu07-00
address: <correct address>

>cahu07-00 (itself)

DNS request timed out.
Timeout was 2 seconds.

>www.google.com
DNS request timed out.
Timeout was 2 seconds

>Another server on "test" domain
same response.

I'm perplexed on this.

Turn on debug to see what it's asking the server.

nslookup
server cahu07-00
set debug
cahu07-00

I guess the client is configured with a DNS suffix for the AD domain since you managed to connect to the server by name alone?

nslookup for www.google.com works from the server itself?

Chris

I have to pop out, I'll be back in a few hours if you're still having problems (not ignoring you :)).

Chris

One last comment ;)

It's always fun to blame AV software for any odd behaviour. If you have any on the server I recommend ripping it off while this is being tested.

Chris
miswhoi

ASKER

from server itself:
C:\Users\administrator.TESTADMIN>nslookup
Default Server:  cahu07-00.testadmin.mydomain.biz
Address:  xxx.xxx.xxx.xxx

www.google.com
Server:  cahu07-00.testadmin.mydomain.biz
Address:  xxx.xxx.xxx.xxx

Non-authoritative answer: (expected as I have conditional forwarders).
Name:    www.l.google.com
Addresses:  209.85.133.147
          209.85.133.99
          209.85.133.104
Aliases:  www.google.com
(note: server can resolve itself and other test machines on said test domain)

FROM MY PC
> set debug
> cahu07-00
Server:  cahu07-00
Address:  xxx.xxx.xxx.xxx

DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
*** Request to cahu07-00  timed-out

and just for the record, there aren't any problems with my workstation so far as I can tell because queries to my primary and other DNS servers work fine.  This cahu07-00 is actually on the same network as I am on so latency shouldn't be any kind of issue whatsoever.  Pings to Cahu07-00 respond with time <1ms consistently.

Take your time Chris.  Any ideas are appreciated.  I didn't want to make my original post too long but initially I set up a Windows 2008 core box and this was occurring with the core machine, so I promoted another machine and demoted the core box so I had a GUI to troubleshoot with.  Whatever the issue is it has continued on to another machine.  I've actually wiped out everything in group policy on the box to ensure it wasn't something stupid that MS added that is causing this...still not sure what the problem is.


miswhoi

ASKER

Unless I did something wrong with the debug command all it seemed to do was spit out one extra line:
*** Request to cahu07-00 timed out.

Also, no AV running on server in question.  


How about on the client?

Otherwise I suspect it'll be time to crack out the packet sniffers to see what's happening to the requests / responses.

For example, it's entirely possible the server is receiving the request, but the client isn't getting the reply back even if the server is sending it out.

Chris
miswhoi

ASKER

Chris,
The client is running Windows XP, it does have AV installed but does NOT have any problems querying other DNS servers.  It may be worthwhile to note that I stood up DNS on the test domain on a Windows 2003 machine and can query that without problems, for some reason the 2008 boxes running DNS do not want to play ball...it really makes very little sense to me.

The humorous thing is, the test environment is primarily intended to test out the functionality of Exchange 2007 and I figured I'd stand up Server 2008 at the same time just to bang on it a little...and then this happens.  I'm almost at the point where I'm going to scrap everything and rebuild on 2003 to avoid this crap...because whatever the problem is, it exists on 2 different 2008 machines in pretty much default configurations.

It's quite odd, I've never had that particular problem with DNS on 2008. Different hardware for the two 2008 servers?

I would definitely be popping out WireShark to have a look at what the client and server are talking about :)

Chris
miswhoi

ASKER

Chris,
I ran wireshark on both the client and the server.  I'm able to ping the server and see the requests on both sides, however name queries don't appear to hit the server at all...no record of them reaching cahu07-00...which is odd because I'm RDP'd into the machine, ping works...really strange to say the least.


Yeah, it is. No Firewalls / Routers between client and server?

You see the request leaving the client I guess?

Chris
miswhoi

ASKER

Chris,

I just ran another test and while this still doesn't make total sense to me, I'm leaning toward it being a network infrastructure issue.  

WAN----->building switch----->test environment switch---->many servers

Being that I see the queries leaving the client but not arriving at the server, despite pings and RDP connections being successful, I decided to take a laptop down to the test environment and patch directly into the switch.  queries work flawlessly.

The oddball thing about this is I could have sworn that when I first encountered this problem I stood up DNS on a 2003 server and queries worked fine, it was the 2008 boxes that have refused to play in this configuration.

I'm not sure if I should close this ticket out or continue to report back my findings.
miswhoi

ASKER

I lied.  If I had 2003 running DNS I don't now and if it was ever working, it's not now from outside the switch.  Switch configuration issue for sure...but what exactly?  who knows.

Any monitoring or logging available on it?

Does the server have more than one NIC?

Chris
ASKER CERTIFIED SOLUTION
miswhoi