snowmizer

asked on

DNS Forwarder in Mixed 2003/2008 Domain

We currently have 2 Win 2003 DCs and have added 2 Win 2008 DCs to the domain. We would like to decommission the 2003 DCs and move to a native 2008 domain. However, yesterday we noticed errors in our DNS Server log that had an id of 5504 (The DNS server encountered an invalid domain name in the packet from <external IP>. The packet will be rejected). We also noticed that general web browsing was really slow.

After some debugging we traced the problem to the DNS forwarders on our 2008 DCs. Apparently when we promoted the 2008 DCs the IP addresses for the 2003 DCs got added as forwarders (they were the only IPs in the forwarder lists on the two 2008 DCs). Looking at the 2003 DCs there were no IP addresses in the forwarders list. We removed these IPs from the 2008 forwarder list... this is when we started getting hammered with the 5504 error. When we put these IP addresses back in the forwarders list on the 2008 DCs the errors stopped and the web browsing speeds went back to a more normal level.

Question 1)
What is the tie between the forwarders on the 2003 DCs and the 2008 DCs? Both of the 2008 DCs have the "use root hints" check box checked.

Question 2)
While we were debugging we tried turning off the Windows Firewall on the 2008 DCs. As soon as we did that we started experiencing issues with our Exchange server and couldn't ping or RDP to servers. As soon as we started the Windows Firewall service everything went back to normal. Why would stopping the firewall (by stopping the service) cause these issues?

Thanks.
arnold

Dealing with question one only.
The forwarders are used to reduce the load on the DNS server. Try adding forwarders that reference your ISP's DNS server. The delay may deal with the Windows 2008 DNS service having to collect the data.
Double check that the root servers tab on the DNS server is populated.
Is the win2k8 DNS service configured to also cache data in addition to presenting the authoritative AD domain?

snowmizer

ASKER

My initial thought was that the forwarders should be ISP DNS servers so I tried that and it didn't make a difference. The root servers tab is populated with the same list that's on the 2003 DCs. I don't believe the 2008 DCs have caching enabled. Can you tell me where I might find that? I'm not the person who actually built the server so I'm a real newbie to 2008 and where stuff is at. How can I tell if the 2008 DCs are presenting the authoritative AD domain?

Thanks.
The error might be that it is seeing an invalid response.
I am also not too familiar with Server 2008, but it should be one of the options within the properties of the DNS service dealing with scavenging.
Check the forward zones.
I think one of the options is to display the caching zone, which is often hidden.
Run nslookup localsystem.localdomain and see if it responds with an answer or with a response saying non-authoritative (cached response from a prior similar query).
Question 1)
What is the tie between the forwarders on the 2003 DCs and the 2008 DCs? Both of the 2008 DCs have the "use root hints" check box checked.

When a DNS server resolves an address, it only starts with the Root DNS servers. For instance, if you look up someserver.somedomain.com, DNS goes to the "com" roots and asks where the DNS servers for somedomain.com are. DNS is given this answer, and then sends a query to the registered DNS servers for somedomain.com, asking for the IP address of someserver. Here is where your invalid response comes into play: the DNS server which is replying to this query is not a root server, nor should it be considered a "safe" server.

If your Exchange system, or Antispam software, is set to do ANY kind of reverse DNS lookups, then every e-mail you receive from an overseas IP kicks off a query to an overseas DNS server.  You can look up the <External IP> from your errors if you really want to know where the server is.

When you set the forwarders, the 2008 servers don't do any of this. The 2003 servers do (unless they also have forwarders), so these errors would show up there.


Question 2)
While we were debugging we tried turning off the Windows Firewall on the 2008 DCs. As soon as we did that we started experiencing issues with our Exchange server and couldn't ping or RDP to servers. As soon as we started the Windows Firewall service everything went back to normal. Why would stopping the firewall (by stopping the service) cause these issues?

Did you try disabling the service and rebooting the server to allow the network to remove the dependencies on the firewall?  
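A read-only audit script, added here as an example and not code from any poster in this thread, that pulls the settings the answers above discuss from each 2008 DC (forwarders, forward-only flag, EDNS probe switch, root hints) and tallies event 5504 by the sending IP. It assumes the DNS WMI provider (root\MicrosoftDNS, with the root hints stored under the container name "..RootHints") and remote event log access are reachable with the caller's credentials; the server names are placeholders.

```powershell
# Added example for this thread (not code from any poster). Read-only audit of
# the settings discussed above on each 2008 DC: forwarders, the IsSlave flag
# (forward-only vs. fall back to root hints), the EDNS probe switch, the root
# hints NS list, and a count of event 5504 per source IP in the DNS Server log.
# Assumptions: the DNS WMI provider (root\MicrosoftDNS) and remote event log
# access work with the caller's credentials; server names are placeholders.
$servers = @('DC2008-A', 'DC2008-B')

foreach ($srv in $servers) {
    Write-Host "=== $srv ==="
    $dns = Get-WmiObject -ComputerName $srv -Namespace 'root\MicrosoftDNS' `
                         -Class MicrosoftDNS_Server
    Write-Host ('Forwarders      : ' + ($dns.Forwarders -join ', '))
    # $true = forward-only, never recurse to root hints when forwarders fail
    Write-Host ('IsSlave         : ' + $dns.IsSlave)
    # $true = EDNS probing enabled (the default); relevant to the EDNS question
    Write-Host ('EnableEDnsProbes: ' + $dns.EnableEDnsProbes)

    # Root hints live in the pseudo-zone "..RootHints" (assumed container name);
    # list its NS records so an empty Root Hints tab is visible from a script.
    $hints = Get-WmiObject -ComputerName $srv -Namespace 'root\MicrosoftDNS' `
                           -Class MicrosoftDNS_NSType `
                           -Filter "ContainerName='..RootHints'"
    Write-Host ('Root hints      : ' + @($hints).Count + ' NS records')

    # Event 5504 ("invalid domain name in the packet from <IP>"), grouped by
    # the sending IP so one chatty peer stands out from a general problem.
    $events = Get-WinEvent -ComputerName $srv `
                -FilterHashtable @{ LogName = 'DNS Server'; Id = 5504 } `
                -ErrorAction SilentlyContinue
    $bySource = @{}
    foreach ($e in $events) {
        if ($e.Message -match 'from (\d{1,3}(?:\.\d{1,3}){3})') {
            $bySource[$matches[1]] = 1 + [int]$bySource[$matches[1]]
        }
    }
    $bySource.GetEnumerator() | Sort-Object Value -Descending |
        ForEach-Object { Write-Host ('  5504 x{0,5} from {1}' -f $_.Value, $_.Key) }
}
```

Run it before and after changing the forwarder list so the 5504 counts per source IP can be compared rather than judged from browsing speed.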
ASKER CERTIFIED SOLUTION
MSFT_NET_SEE

Any repercussions with disabling EDNS?