• Status: Solved

Internal DNS Issue

My org (before I got here) created an AD infrastructure whose internal name is the same as its external one (mycompany.com). I have 2 internal DNS servers (DNS1, DNS2) and they are AD-Integrated.

Recently, our marketing dept created a new website. Occasionally, for some reason, internally we get directed to our old website. Externally, it works fine. I will say that most times it does work. But, a few times a week it doesn't. What am I missing here that I need to add to my internal DNS, if anything?

Thanks.
~coolsport00

Jan Vojtech Vanicek (IT Specialist) commented:
Try to run nslookup www.yourdomain.com
It must point to the server where your presentation is located... so you must edit the CNAME or A record named WWW in the internal DNS to the proper location.

Jan Vojtech Vanicek (IT Specialist) commented:
For an external nslookup you can use this: http://network-tools.com/nslook/
The result should be the same if the presentation is running externally, outside of your company.

coolsport00 (Author) commented:
I think it's a NAME SERVER issue. Running NSLOOKUP shows 1 of the NS's having the old IP for the site. We removed it, flushed DNS, and it's working...but we are still 'testing' that it is indeed this.

Thanks.

Chris Dent (PowerShell Developer) commented:

Worth checking both internal and external. In both cases nslookup will do.

To test internally:

nslookup www.mycompany.com

If it comes up with one entry make sure it's correct. If it comes up with more than one make sure all are valid. If one or more is not you need to clean that up on your internal DNS server.

Do you use "http://mycompany.com" from your internal network? If you do, is that being forwarded from your DCs? Otherwise AD holds onto that name and you'll get odd behaviour if you try and add an A record for it.

Pretty much the same thing for external:

nslookup www.mycompany.com 4.2.2.4

Using 4.2.2.4 (a public DNS server run by Verizon) will give you a view of the answer the public sees. Perhaps check this one too:

nslookup mycompany.com 4.2.2.4

If those all look good, and you still get occasional mis-direction externally run this series of commands:

nslookup -q=ns mycompany.com 4.2.2.4

Then for each of the name servers it lists there run:

nslookup www.mycompany.com IPOrNameOfServer

It's rare, but occasionally you end up with different replies from each name server. That will cause intermittent site failure.

HTH

Chris

Chris Dent (PowerShell Developer) commented:

heh sorry, I'm too slow :)

Chris

Jan Vojtech Vanicek (IT Specialist) commented:
Can you explain your scenario? Where is your web server located: is it in your network, on your server, or is it hosted somewhere?

coolsport00 (Author) commented:
To clarify my earlier post - we have 3 NS's and 1 of them, for whatever reason, showed the OLD IP associated with mycompany.com. As mentioned, we removed it and, at the moment, it's working. "Vanikcz", the server hosting our site is external.

Thanks all for the posts. I am gonna keep this open a few days and continue monitoring. If all is well, at week's end I will close this and assign pts.

Thanks guys.
~coolsport00

Jan Vojtech Vanicek (IT Specialist) commented:
Are all 3 servers from MS and associated with the domain? Is the 3rd server, the one that has the wrong zone data, correctly joined to the domain? What does the event log say? Are there any errors?

coolsport00 (Author) commented:
No... I'm thinking you're not understanding what I meant. I have 3 NAME SERVERS associated with my root record internally. The 3 NS's are external DNS servers that we, internally, are directed to for external URL lookups. Make sense? :)

Chris Dent (PowerShell Developer) commented:

If they're not authoritative for the external zone it'll be a cache issue. But it sounds like they are from your description. Don't they use Zone Transfers to maintain the same zone across all servers?

Chris

coolsport00 (Author) commented:
They are, I believe, authoritative. In my www record properties, I explicitly added our ISP DNS records. Doesn't that make them authoritative? Not sure if I understand what you're asking exactly, Chris. I have 2 internal DNS servers and they are AD-integrated, so whatever is config'd on one DNS server will get replicated to my secondary DNS server.

~c

Chris Dent (PowerShell Developer) commented:

Do you mean it's a Delegation (greyed out folder in MS DNS)? Is that where the 3 servers mentioned above appear?

It's not much of a problem either way if you've fixed it :)

Chris

coolsport00 (Author) commented:
No...under fwd lookup -> mycompany.com there is a www 'folder'. I can right-click it and go into the properties and add external name servers (fwd lookup servers I imagine is what they are).

Ha...yeah...I guess as long as this fixed it (I'm assuming...or maybe it just started working again on its own), then it's no biggie. :)

~C

Chris Dent (PowerShell Developer) commented:

> fwd lookup servers I imagine is what they are

That's a delegation, but the description works just as well :)

Anyway, that's all fine. If you wanted to check the answer from each of those servers it'd be that nslookup command above for each name server / IP, e.g. "nslookup www.mycompany.com IP". All of them should be providing the same answer.

Chris

coolsport00 (Author) commented:
Ah...I see; yeah...one of them wasn't, so there (I think) lies my problem.

Thanks Chris!
~C

Chris Dent (PowerShell Developer) commented:

Sounds like it. I guess you could simply bump it off the list, might be worth looking at this:

nslookup -q=ns mycompany.com 4.2.2.4

Are the servers returned by that the same as the ones you're using? If not, I recommend updating your delegation so they are.

If one of the servers listed there is the one returning a bad answer it needs raising with your DNS host. Unless that's also you? :)

Chris

coolsport00 (Author) commented:
We did bump it off the list, which (again, seemingly) resolved this. But...I'm still in a 'wait and see' mode. I don't trust technology....it's too quirky...umm...like women. Ha :)

Interesting in doing that query, it lists a NS not on our list, but the IP for our site it lists is correct. So, I won't worry about.

Thanks Chris!
~coolsport00

coolsport00 (Author) commented:
Sorry to neglect this; it seems this issue still happens, but not daily....more like 1/wk or 1/every 2wks. I'm at my wit's end. Not sure what to look at next.

~coolsport00

Chris Dent (PowerShell Developer) commented:

Hey,

Does it still list an unknown server when you looked at the NS list?

Chris

coolsport00 (Author) commented:
OK Chris....I went back up to your 1st post and retried some lookups (not sure if I did that initially...it's been a while) :P

Anyway...when I do nslookup mycompany.com, it replies with all my DCs as well as an external IP. When I do nslookup www.mycompany.com, it replies with both my DNS server (which is also my FSMO DC), and the correct external IP. I did the nslookup with the 2 switches (-q, ns=) and got 3 name servers, all of which are not the ones on my "www" record. When I do the nslookup with each of those (only a hostname is given, not an IP), 2 of the 3 return the error: " Can't find server name for address IPaddress: No information"; the 3rd NS returns correct resolution. Now, the 2 NSs we have configured with our "www" record I tried to do nslookup with ("nslookup www.mycompany.com nameserver" as well as "nslookup www.mycompany.com IPofNameServer") and they work as well.

The last time we couldn't connect to our external website (remember, our website - www.mycompany.com - is the same name as our internal domain name; again, this was done way before I got here unfortunately), I wasn't here to do the nslookup tests to see if something 'hiccuped'. My Ntwk Engineer flushed the DNS cache and things started working again, so I'm not sure what exactly is going on.

~coolsport00

Chris Dent (PowerShell Developer) commented:

> when I do nslookup mycompany.com, it replies with all my DCs as well as an external IP.

If mycompany.com is the AD domain name the public IP should be removed from the set. It'll mess up group policy processing and DFS otherwise.

That does mean you won't be able to access http://mycompany.com unless you forward the web request to http://www.mycompany.com on every DC.

> all of which are not the ones on my "www" record.

That was "nslookup -q=ns mycompany.com 4.2.2.4"?

Chris

coolsport00 (Author) commented:
? How do I forward the request on every DC?

Yes...the "nslookup -q=ns mycompany.com 4.2.2.4" I ran gave NSs not configured/associated with the www record.

Thanks.

Chris Dent (PowerShell Developer) commented:

> ? How do I forward the request on every DC?

You'd have to install IIS, then configure a site with a redirection to a URL, and send the request to www.mycompany.com.

> Yes...the "nslookup -q=ns mycompany.com 4.2.2.4" I ran gave NSs not configured/associated with the www record.

For each of those, do they respond when you run:

nslookup -q=a www.mycompany.com WhateverServerIP

Chris

coolsport00 (Author) commented:
Hmm...I know my director won't let that happen (install IIS on my DCs).

Yes...the 2 that seemingly fail, do respond, but with the following output:

(root)  nameserver = M.ROOT-SERVERS.NET
(root)  nameserver = H.ROOT-SERVERS.NET
(root)  nameserver = G.ROOT-SERVERS.NET
(root)  nameserver = D.ROOT-SERVERS.NET
(root)  nameserver = K.ROOT-SERVERS.NET
(root)  nameserver = J.ROOT-SERVERS.NET
(root)  nameserver = C.ROOT-SERVERS.NET
(root)  nameserver = B.ROOT-SERVERS.NET
(root)  nameserver = A.ROOT-SERVERS.NET
(root)  nameserver = F.ROOT-SERVERS.NET
(root)  nameserver = E.ROOT-SERVERS.NET
(root)  nameserver = L.ROOT-SERVERS.NET
(root)  nameserver = I.ROOT-SERVERS.NET
M.ROOT-SERVERS.NET      internet address = 202.12.27.33
M.ROOT-SERVERS.NET      AAAA IPv6 address = 2001:dc3::35
H.ROOT-SERVERS.NET      internet address = 128.63.2.53
H.ROOT-SERVERS.NET      AAAA IPv6 address = 2001:500:1::803f:235
G.ROOT-SERVERS.NET      internet address = 192.112.36.4
D.ROOT-SERVERS.NET      internet address = 128.8.10.90
K.ROOT-SERVERS.NET      AAAA IPv6 address = 2001:7fd::1
K.ROOT-SERVERS.NET      internet address = 193.0.14.129
J.ROOT-SERVERS.NET      AAAA IPv6 address = 2001:503:c27::2:30
J.ROOT-SERVERS.NET      internet address = 192.58.128.30
C.ROOT-SERVERS.NET      internet address = 192.33.4.12
B.ROOT-SERVERS.NET      internet address = 192.228.79.201
E.ROOT-SERVERS.NET      internet address = 192.203.230.10
*** Can't find server name for address nameServerIP: No information
Server:  UnKnown
Address:  nameServerIP

Name:    www.mycompany.com
Address:  CorrectExternalCompanyIP

~coolsport00

Chris Dent (PowerShell Developer) commented:

"http://mycompany.com" will never work then, hopefully no one minds :)

Anyway, that's not too bad, it's giving the right answer. You can ignore the root hints it gives you before that. It's nslookup checking things before doing as it's told. It was always an annoying thing for a debugging tool (nslookup) to do, it really muddies the results.

Is maintaining the delegation higher maintenance than occasionally changing www as a Host (A) record yet? ;) There are always alternative approaches that could be used if it still changes too much for comfort.

Chris

coolsport00 (Author) commented:
Well...sorry to leave this hangin...had to scoot yesterday (was quite a weird day!).

OK...so I'm a bit confused about this whole forwarding thing. I'm most certainly not a neophyte, obviously, but I can't figure out why each DC needs IIS/some fwd'ing rule set up. The reason I'm confused is because all my computers (Servers and workstations alike), have all their IP addressing setup to look to my main DNS server (we'll call it DNS1) for host/IP resolution, as well as an alternate server config'd (we'll call this DNS2). It just so happens that both of those DNS servers are also DCs as well. So, if all my computers are pointing to DNS1 for DNS, shouldn't DNS1 use its config'd name servers (NSs) to 'see' www.mycompany.com? What am I missing here?

Thanks Chris.

Chris Dent (PowerShell Developer) commented:

If www.mycompany.com is a delegation inside mycompany.com your DNS servers will try and resolve that name using the delegate (provided it does not have a cached response).

At least that's what is meant to happen.

You would need to ensure that all of the servers listed in the delegation are able to answer the question you're putting to them. But you've done that now?

Chris

coolsport00 (Author) commented:
I'm sorry Chris...I don't understand what you mean by delegation.

Chris Dent (PowerShell Developer) commented:

The www thing you have, it's a delegation isn't it? If you click on it and open up the properties you get a name server list?

Chris

coolsport00 (Author) commented:
Ohhhh...yes :) There are only 2 servers listed..external DNS servers from our ISP.

Chris Dent (PowerShell Developer) commented:

Right, so for your server to get an accurate answer about www both of those two servers will have to be able to respond with the correct answer.

That's why I was wanting nslookup running against each of them, because if one says it's x, and the other says y you'll get some really erratic behaviour when you try to use it.

Chris

coolsport00 (Author) commented:
Ok...no...both display the correct external IP of our external website. I think I mentioned that above? Of course, this question is going on forever so it's easy to forget/get confused. Obviously you've seen that from me :P

coolsport00 (Author) commented:
BTW...thank u for your diligence in working to find a potential solution :)

Chris Dent (PowerShell Developer) commented:

lol I think you might be right, I'm sure we've gone right around twice :)

If you're still getting odd values for www.mycompany.com sometimes your only remaining recourse is to enable Debug Logging to try and capture where it might be coming from.

Chris

coolsport00 (Author) commented:
Is that a registry setting? You know something else...I never did look at the DNS Evt logs either. I'll  have to pay attention to that the next time this occurs. (it's been almost a week now again since it happened)

Chris Dent (PowerShell Developer) commented:

> Is that a registry setting?

Nope, it's in the properties for the Server in the DNS Console.

It might be a bit tricky if it doesn't happen very often though, difficult to filter the logs when you don't know the IP of the system buggering it up.

Chris

coolsport00 (Author) commented:
Hmm...true, but when it is happening, I can set the logging then to see if anything comes up. It usually goes on for several minutes before resolving (either by something we do [flush cache] or something else unknown causes it to resolve).

OK...I saw that there is a tab for debug logging. It's so hard to keep my brain wrapped around all the intricacies of things. My org is small (like 250 employees) so our IT shop is small and I do EVERYTHING - SAN, AD, DNS, GP, Web Filtering, Virtualization, A/V, Patch Mgmt, Exchg...need I go on??? :)  It's good cuz I do about everything and get to 'touch' a lot of different technologies, but goodness, my brain can only handle so much info at a time!

Well...is there any other suggestions to look at? If not, I'll go ahead and close this.

Thanks!
~coolsport00

Chris Dent (PowerShell Developer) commented:

Perhaps there is a little more.

Take a look at the cached record for www.mycompany.com, and anything else cached under the same name. To see the cache you'll have to turn on View / Advanced, after that, drill down through the folders until you get to it.

Can you let me know what's listed?

Chris

coolsport00 (Author) commented:
There is mycompany record and it shows the www 'A' record with the correct external IP. There is another record that's weird (instead of 'mycompany', the record shows 'mycomp' [not the full word]) and it shows 4 NSs.

Chris Dent (PowerShell Developer) commented:

I wonder if there's an alias in there.

Can you try this one?

nslookup -q=any www.mycompany.com 4.2.2.4

Via the public servers again, just to see if we can get anything more revealing.

It'll be something simple you know...

Chris

coolsport00 (Author) commented:
I tried "nslookup -q=any www.mycompany.com 4.2.2.4" and it returned my external IP:

Server:  SomeServer.net
Address:  4.2.2.4

Non-authoritative answer:
www.mycompany.com internet address = CorrectExternalIP

Chris Dent (PowerShell Developer) commented:

That's a shame, I was hoping it'd be more complicated than that ;)

Well that doesn't get us much further. I wondered if it was caching new name servers from those who claim (public) authority, then somehow getting a bad answer from one of those.

If all else fails you could always add www as a static Host record, then have a little script keep an eye on it for changes.

Chris

coolsport00 (Author) commented:
I don't think it would let me add a 2nd www host record, would it? Although the current www record isn't a specific record "type". I think it's put in there by default, isn't it? What script could I run against the A record?

Chris Dent (PowerShell Developer) commented:

Not if you have a delegation there at the moment, you're handing off responsibility for it.

DNS Records can be modified using WMI, or deleted and recreated using dnscmd, either would work to deal with record changes. It just depends which kind of approach you prefer ;)

Chris

coolsport00 (Author) commented:
Umm..I prefer the DNS GUI :P

Chris Dent (PowerShell Developer) commented:

lol that makes it a bit more tricky :)

Chris

coolsport00 (Author) commented:
So, what should we try. The www record I have has 2 delegations associated with it. You want me to create a www A record?

Chris Dent (PowerShell Developer) commented:

Well, if delegations aren't working well I'd go with a script to modify an A record. It means deleting the delegation though.

It's not hard, just frustrating when I consider my current little project, writing admin / debugging tools for MS DNS ;)

Anyway, VBScript is possibly the easiest in the meantime, even if it took me this long to remember how to write it.

Chris
Option Explicit

Const SERVER_NAME = "YourDNSServer"
Const ZONE_NAME = "mycompany.com"
Const RECORD_NAME = "www.mycompany.com"

Function NsLookup(strHostName)
  ' Return Type: Array
  '
  ' Returns an Array containing each IP Address for a given Node Name from a
  ' DNS Query against the public server 4.2.2.4

  Dim arrIPAddresses() : Dim i : i = 0

  Dim objShell : Set objShell = CreateObject("WScript.Shell")
  Dim arrResponse : arrResponse = Split(objShell.Exec( _
    "nslookup " & strHostName & " 4.2.2.4").StdOut.ReadAll, vbCrLf)

  ' Only lines after "Name:" belong to the answer. The "Address:" line that
  ' comes before it (under "Server:") is the resolver's own IP and is skipped.
  Dim blnInAnswer : blnInAnswer = False
  Dim strLine, strIPAddress
  For Each strLine in arrResponse
    If Left(strLine, 5) = "Name:" Then
      blnInAnswer = True
    ElseIf blnInAnswer And InStr(strLine, "Address") > 0 Then
      ' nslookup prints "Addresses:" when more than one IP is returned
      strIPAddress = Trim(Replace(strLine, "Addresses:", ""))
      strIPAddress = Trim(Replace(strIPAddress, "Address:", ""))
      ReDim Preserve arrIPAddresses(i)
      arrIPAddresses(i) = strIPAddress
      i = i + 1
    End If
  Next
  NsLookup = arrIPAddresses
End Function

'
' Main code
'

' Current public answer for the record; stop if the lookup returned nothing
' rather than writing an empty value into the zone
Dim arrPublicIPs : arrPublicIPs = NsLookup(RECORD_NAME)
If UBound(arrPublicIPs) < 0 Then
  WScript.Echo "No answer for " & RECORD_NAME & ", leaving the record alone"
  WScript.Quit 1
End If
Dim strPublicIP : strPublicIP = arrPublicIPs(0)

Dim objWMI : Set objWMI = GetObject("winmgmts:\\" & SERVER_NAME & "\root\MicrosoftDNS")

' The existing static Host (A) record on the internal DNS server
Dim colItems : Set colItems = objWMI.ExecQuery("SELECT * FROM MicrosoftDNS_AType" & _
  " WHERE ContainerName='" & ZONE_NAME & "' AND OwnerName='" & RECORD_NAME & "'")

Dim objItem
For Each objItem in colItems
  If strPublicIP <> objItem.IPAddress Then
    ' Modify the record in place, keeping its TTL
    objItem.Modify objItem.TTL, strPublicIP
  End If
Next


coolsport00 (Author) commented:
OK...at the moment, all seems fine. But, if it reoccurs, then what? I create a www A record?...and then place this script where?

Thanks!

Chris Dent (PowerShell Developer) commented:

It won't reoccur.

Your current issue can only happen because of the delegation (at least that is the case if I properly understand the problem).

The script above will maintain an existing static www record for you as follows:

1. Runs "nslookup www.mycompany.com 4.2.2.4" and holds onto the IP addresses returned
2. Uses WMI to take a look at the current IP for the record (on your internal DNS system)
3. Modifies the existing record if the two IP addresses are different

The script would need to run somewhere that has access to the DNS server, or on the server itself. Then as a Scheduled Task every day / half day perhaps.

Of course... I would test it first. It's not that I don't trust my code, but it's always good to be safe :)

Do you have ftp.mycompany.com? If you do... create a Host (A) record for that on your internal DNS system with an invalid IP. Set the script up with ftp.mycompany.com as the record name, then run the script and make sure it changes the IP to the correct value. Or do the same for any other public record your users won't notice you playing with :)

Chris

coolsport00 (Author) commented:
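The check Chris describes earlier in the thread (run nslookup for www against each delegated name server and make sure they all agree) and the answer parsing the script above relies on, written up as an added Python example that is not code from the thread. The name server names, IPs and nslookup outputs below are constructed placeholders mimicking the Windows nslookup format quoted above, including the root-hint chatter and the resolver's own "Address:" banner that a naive "Address" match would pick up.

```python
"""Compare the answer for one name across several name servers.
Added example, not code from the thread; SAMPLE_OUTPUTS is constructed to
mimic the Windows nslookup output quoted above, with placeholder names/IPs."""
import re
from collections import defaultdict

# Constructed: two delegated name servers agree, the third still serves
# the old address (the situation the thread is chasing).
SAMPLE_OUTPUTS = {
    "ns1.example-isp.net": """Server:  ns1.example-isp.net
Address:  192.0.2.53

Non-authoritative answer:
Name:    www.mycompany.com
Address:  203.0.113.10
""",
    "ns2.example-isp.net": """(root)  nameserver = A.ROOT-SERVERS.NET
A.ROOT-SERVERS.NET      internet address = 198.41.0.4
*** Can't find server name for address 192.0.2.54: No information
Server:  UnKnown
Address:  192.0.2.54

Name:    www.mycompany.com
Address:  203.0.113.10
""",
    "ns3.example-isp.net": """Server:  ns3.example-isp.net
Address:  192.0.2.55

Name:    www.mycompany.com
Addresses:  198.51.100.7
          203.0.113.10
""",
}

# "Address:", "Addresses:" or an indented continuation line holding one IP
ANSWER_LINE = re.compile(r"^(?:Address(?:es)?:)?\s*([0-9A-Fa-f.:]+)$")


def parse_nslookup(output):
    """Sorted answer addresses from one nslookup run. Everything before
    the 'Name:' line (root hints, reverse-lookup error, the resolver's own
    'Address:' banner) is ignored; a blank line ends the answer section."""
    addrs, in_answer = [], False
    for line in output.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        match = ANSWER_LINE.match(line)
        if match:
            addrs.append(match.group(1))
        elif not line.strip():
            break
    return sorted(addrs)


def compare_answers(outputs):
    """Group servers by the answer set they gave; True when all agree."""
    by_answer = defaultdict(list)
    for server, output in outputs.items():
        by_answer[tuple(parse_nslookup(output))].append(server)
    return len(by_answer) == 1, dict(by_answer)


def divergent_servers(outputs):
    """Servers whose answer differs from the most common one."""
    _, by_answer = compare_answers(outputs)
    majority = max(by_answer, key=lambda k: len(by_answer[k]))
    return sorted(s for k, v in by_answer.items() if k != majority for s in v)
```

To use it against real servers, feed `compare_answers` a dict mapping each name server from "nslookup -q=ns mycompany.com 4.2.2.4" to the captured output of "nslookup www.mycompany.com <that server>"; any server listed by `divergent_servers` is the one to raise with the DNS host or drop from the delegation.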
Oh...I meant currently. Currently, without adding your script, everything is fine. I don't wanna mess with it at the moment while it's working. My delegated NSs associated with the www record show the correct IP via nslookup. My confusion is why/how this changes, if it does. It's hard to know at the moment without the issue occurring and testing nslookup against those delegated NSs, but my assumption is they're fine even then. I would agree with you that the problem must (or at least 'should') occur via those NSs somehow though.

Is your code backwards?...meaning, I see the bottom code & it looks like it should run before the top part, but I may have the wrong line of thinking as what you're doing in your script?

We don't have an ftp site.

Chris Dent (PowerShell Developer) commented:

It's cool, you don't have to change anything at all, it's there as an option if the current issue just won't go away.

The problem you have is (obviously) difficult to nail down. It would be nice to catch it in the act. And even then it's not likely to be entirely clear.

It's not backwards :) The function at the top is called on the first line of the main code to get the current public IP address of www. Functions don't have to appear in order or inline.

ftp was just an example really (because it's a common one), any Host (A) record can be used. Personally I created a test.com zone, and added a www record to that, then updated using the public version (which isn't anything at all to do with me).

Chris

coolsport00 (Author) commented:
Ahh..I see; thanks for everything.

~coolsport00