Solved

Local DNS not refreshing after reboot

Posted on 2010-09-02
Last Modified: 2012-05-10
Good day experts,

I have a large problem with the local DNS cache on about 1500 computers.

To get more specific:

The network was converted from Novell Netware 6 to Window Server 2008 Enterprise Education edition (ADDS, DNS)

Novell Client for Windows and all other TCP/IP add ons for Novell were removed

Each computer is statically set with IP, Subnet, Gateway, Primary DNS (DNS Server =  2008) and ISP DNS

Each NIC is set to register with DNS


Problem:

When the computers are rebooted, they lose the ability to resolve by DNS hostname. The computers will ping the server by IP. Thus, each computer has to have the connection repaired, with an ipconfig /flushdns -> ipconfig /registerdns done every single time.

This causes the mapped home folders (set in the profile tab or through a logon script) to not map. All logon scripts set through GPO are not hitting either.

Doing an ipconfig /displaydns before the flush/register shows that the hostname pinged, site and logon directories cannot be resolved.

I have used nslookup to try and troubleshoot. When I enter the hostname of the file server or DNS server, it returns the proper IP. I can also see the NameServers.

I am at a loss and need to find an answer.  Any help will be GREATLY appreciated.
Question by: smtsol

24 Comments
 
Expert Comment by IT-Monkey-Dave (LVL 13)
When this happens, can the affected systems ping an outside host by name, like ping www.google.com? In other words, is it only internal DNS that's failing, while external DNS lookups work?

Expert Comment by Greg Hejl (LVL 13)
http://support.microsoft.com/kb/299357/en-us

Reset the Windows TCP/IP stack to defaults.

Guessing the removal of Novell probably corrupted the settings.

Expert Comment by pmanno (LVL 2)
First off, I would suggest you remove the ISP DNS entry as the secondary DNS server.  You don't want your client computers querying the ISP's DNS for your local DC, which it will never find.  So, in your situation, you have only one DNS server and it is your DC.

Also, I assume your client computers are joined to the domain, and you are logging in to the computers with domain credentials, not local credentials.  Are those assumptions correct?
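pmanno's point is the one the thread eventually lands on: a client whose resolver list mixes the domain controller with an ISP server will sometimes send lookups for the domain to a server that can never answer them. As an added example, not part of the thread and not code any participant posted, here is a PowerShell 2.0 / WMI script that audits the DNS server list on every IP-enabled adapter of the named computers and, with -Fix, replaces it with the domain DNS servers only. The addresses 10.0.0.10 and 10.0.0.11 are hypothetical placeholders for the domain DNS servers; substitute your own.

```powershell
# Added example (not from the thread): audit each IP-enabled adapter's DNS server list
# and, with -Fix, replace anything that is not a domain DNS server with the domain list.
# Uses WMI so it runs with PowerShell 2.0 against 2008-era clients.
# Assumption (hypothetical values): domain DNS servers are 10.0.0.10 and 10.0.0.11.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$DomainDns    = @('10.0.0.10', '10.0.0.11'),
    [switch]$Fix
)

foreach ($c in $ComputerName) {
    $nics = Get-WmiObject -ComputerName $c -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        # Drop a $null entry so an adapter with no servers reports NONE rather than one blank server.
        $servers = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        # Anything outside the domain list (ISP resolvers, leftover Novell-era servers) is "foreign".
        $foreign = @($servers | Where-Object { $DomainDns -notcontains $_ })

        if ($servers.Count -eq 0)     { $status = 'NONE' }
        elseif ($foreign.Count -gt 0) { $status = 'MIXED' }
        else                          { $status = 'OK' }

        '{0,-15} adapter {1,-3} {2,-6} dns={3}  foreign={4}' -f $c, $nic.Index, $status, ($servers -join ','), ($foreign -join ',')

        if ($Fix -and $status -ne 'OK') {
            # ReturnValue 0 = applied, 1 = applied but a reboot is required; anything else is a failure.
            $r = $nic.SetDNSServerSearchOrder($DomainDns)
            if ($r.ReturnValue -gt 1) {
                Write-Warning "$c adapter $($nic.Index): SetDNSServerSearchOrder returned $($r.ReturnValue)"
            }
            # Keep "Register this connection's addresses in DNS" enabled so the host record is refreshed.
            $null = $nic.SetDynamicDNSRegistration($true, $false)
        }
    }
}
```

Run it first without -Fix from an account that is an administrator on the targets (WMI over RPC must be reachable; the thread notes the Windows firewall is already off), review the MIXED and NONE lines, then rerun with -Fix, for example `.\Audit-ClientDns.ps1 -ComputerName (Get-Content clients.txt) -DomainDns 10.0.0.10,10.0.0.11 -Fix`. A wrong list in -DomainDns would break name resolution on every machine you touch, so check it against your DCs before the second run.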

Expert Comment by Ben Personick (LVL 11)

Sounds like both the previous posts get part of this right.

First, as a band-aid, add these lines at the beginning of your logon batch script:

ipconfig /flushdns
ipconfig /registerdns

At least that will solve the immediate problem for most users.

Next, because it's quickest, set the DHCP server that hands out DNS settings to the clients to serve the IP addresses of your primary and secondary domain controllers.

Also, set DNS forwarding on each DC's DNS server to point at the ISP's DNS server.

Client requests sent to the ISP to register their NICs will be rejected, and may cause you issues with DNS.

Finally, whenever you uninstall software which integrates with or extends TCP/IP on any machine, you should reinstall the TCP/IP stack on that machine as a best practice, because there is a huge potential for problems with the machine, both immediately and later on, if you do not.



Author Comment by smtsol
Hey experts.  Sorry for the delay in response.  Been trying to use your suggestions in the way given as well as finding different combinations and solutions, plus do the rest of the job.

IT-Monkey-Dave:
Yes they can all ping an outside IP.

Greg_Hejl:
I have tried repairing the TCP/IP Stack.  This worked on one computer.  As I continued to use this method the other computers that I touched were hit and miss on fixing the problem.

pmanno:
Removing the ISP DNS also seemed to increase the chances that someone would get their mapped drive and logon script, but it was still not consistent. Yes, they are all part of an ADDS domain and logging on with domain credentials.

QCubed:
As per the others, I tried repairing the TCP/IP stack, removing the DNS of the ISP, and also took a fresh install of a PC and put it on the network. There is still the problem with consistency of logging into the domain and getting the mapped network drive through the profile and getting the logon script.

There is also a new symptom. Whenever someone with a GPO logs in, there is about a 35% chance that the policy will apply, whether it be a computer configuration or a user configuration. This is still a mystery.

Expert Comment by Ben Personick (LVL 11)
If even a fresh install gives you the issue, the problem is on your servers or network infrastructure.

If you statically assign your DNS servers on the newly installed machine, does that resolve the DNS issue?

How are your networks configured?

(I know you said the client IPs are static, but I assume that you left DNS non-static. If so, how are you assigning the DNS servers network-wise; that is to say: are you using DHCP forwarding, are you putting a DHCP server on each segment, or are you putting the DHCP server in the router for each segment?)

Expert Comment by Greg Hejl (LVL 13)
Time to break out Wireshark and check comms on the wire. Start with your AD servers and work around to the computers that are having issues.

Look at DNS and AD traffic, also DHCP services.

It's easy to pick out the packets that are failing.

Run dcdiag /fix on your AD servers. gpupdate /force will refresh GPO; shark this.

If you upload the pcaps, we'll need a network diagram, with switch ports please.

Also check event logs for failures relating to DNS, group policy, and DHCP.

Expert Comment by pmanno (LVL 2)
Is there a firewall between the workstations and the server?

Author Comment by smtsol
QCubed:
I have the DNS statically set on some computers that I am having issues with.  This will map their home folder set in the ADDS profile, but will not run the GPO.  We do not have any DHCP servers (Server 2008 or router) that are in play.  
We have:
4 locations
1 Server 2008 with ADDS and DNS installed at 3 locations
      - Sites and Services is configured under AD
      - Each location has its own DNS
1 Server 2008 with File and Application Services installed at same locations
Each site has multiple VLANS through a SGE2000 (configured L3)
The SGE2000 feeds the SRW2048s and some other legacy switches throughout the site
Each site has a RVS4000 router between the SGE2000 and the ISP

Author Comment by smtsol
pmanno:
The firewalls are all disabled

Author Comment by smtsol
Greg_Hejl:
Ran dcdiag /fix. It found some issues that were resolved.

Haven't got wireshark installed on anything yet.

Will work on it.

Author Comment by smtsol
QCubed:
The mapping of the profile home drive is after removing the ISP DNS entries on the computer.  That is now consistent.  Just working on the GPO problem.

Expert Comment by pmanno (LVL 2)
smtsol: when you say that the firewalls are all disabled, are you talking about a software firewall or a hardware firewall?

Author Comment by smtsol
Greg_Hejl:
Installed Wireshark on the DC. Ran a capture with the filter set to DNS. I am getting clean (as in Wireshark not marking them as bad) packets from my DC to the ISP DNS. There are also clean packets that come with the label of LLMNR to computers that are on the network.

All other DNS packets are coming back as bad with the error shown in the attached doc.
Doc1.doc

Author Comment by smtsol
pmanno:
Windows firewall on the computer....sorry for not clarifying.

Expert Comment by pmanno (LVL 2)
Have you checked your NIC drivers in the server?  Are they up to date?  Do you have another network card in the server that you could try to use instead?

Author Comment by smtsol
All of the servers are brand new and up to date. Have done a clean install with the drivers from the manufacturer. I have tried using the other NICs for DNS, but got the same response.

Expert Comment by pmanno (LVL 2)
smtsol: Sorry, I should have asked this question instead, are the workstations and the DC on the same subnet or is there a router/bridge between them?

Author Comment by smtsol
The workstations are all on VLANS.  Each is segmented into different subnets.  The DNS and File server are all on the management VLAN

Expert Comment by Ben Personick (LVL 11)
okay, so DNS is resolved and drive mapping is resolved so your issues are only applying the GPO now, is that correct?

Assisted Solution by pmanno (LVL 2; pmanno earned 150 total points)
What are you using to route traffic between the VLANs?  Have you tried dumping a workstation on the same subnet as the server to see if the problem persists?  I noticed in your Wireshark dump that the destination device was a Cisco device which got me thinking about it.  Perhaps that box is on the fritz or a port is going bad on it?  A checksum error usually indicates hardware failure.

Assisted Solution by Ben Personick (LVL 11; Ben Personick earned 150 total points)
I just took a look at the screenshot you gave us, and that error appears to be indicating that something is stripping off the header content from the DNS packets being received by the server.

That could most likely be an improperly configured router or Layer 3 switch, or possibly bad hardware, or finally you may have some sort of over-zealous or misconfigured intrusion detection/prevention device/system on the network doing this.

Whatever the case, the header in question is being stripped by your networking equipment somewhere. Time to open a SmartNet ticket! ^^ (Unless your IDS/IPS is software based, in which case start there by disabling it.)

Accepted Solution by Greg Hejl (LVL 13; Greg Hejl earned 200 total points)
Run gpupdate /force on the workstation that has issues. Review the event logs for gpupdate events.

You can also shark this. Here's a link to the ports required by AD: http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

GP is port 445 if I remember.

Also review the w32tm logs; gpupdate won't work if time is not synced: http://technet.microsoft.com/en-us/library/cc758905%28WS.10%29.aspx

If you are able to resolve DNS on the internet through your domain controller you're probably OK (UDP is best effort), but since this is captured off your DC in response to a DNS request you may have an issue with your TCP/IP stack. Did you reset the TCP/IP stack on the DC? I would boot to safe mode to reset the stack; the DC might not like it with services running.

This may be why your workstations were trying DNS for your IP. I'm guessing you had the ISP DNS as the secondary entry? Since all your workstations are now pointed only at domain DNS, you're probably seeing lots of UDP traffic, as workstations will hammer until they get a response.
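As an added example, not Greg Hejl's and not code posted anywhere in the thread, the following PowerShell script runs the accepted solution's checklist from one affected workstation: DC discovery through the _ldap._tcp.dc._msdcs SRV record using the client's own resolver list, TCP reachability of LDAP (389) and SMB (445) on each DC found (two of the ports on the linked AD port list; SYSVOL, where the policy files live, is read over SMB), w32tm time-sync status, and Group Policy errors from the event log, before it runs gpupdate /force. It assumes a Vista/2008-era or newer client (w32tm /query and the GroupPolicy operational event channel) and takes the domain name from the logon session; corp.example in the comment is a placeholder.

```powershell
# Added example (not part of the thread): client-side checks for the accepted solution's list:
# DC locator SRV records, LDAP/SMB reachability to each DC, time sync, recent Group Policy
# errors, then gpupdate /force. Assumes Vista/2008 or later on the client.
param([string]$Domain = $env:USERDNSDOMAIN)   # e.g. -Domain corp.example (placeholder)

function Test-TcpPort($Target, [int]$Port, [int]$TimeoutMs = 2000) {
    # Plain TcpClient connect with a timeout; Test-NetConnection needs PowerShell 4.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. DC locator. Clients find a DC through this SRV record; a resolver list that mixes in
#    an ISP server fails this intermittently, which matches the symptoms in the question.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"
$dcs = @($srv | Select-String 'svr hostname\s*=\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -Unique)
if ($dcs.Count -eq 0) { Write-Warning "No DC SRV records for $Domain from this client's DNS servers" }
else { "DCs from SRV: $($dcs -join ', ')" }

# 2. LDAP (GPC in the directory) and SMB (GPT files in SYSVOL) to each DC.
foreach ($dc in $dcs) {
    foreach ($p in 389, 445) {
        $state = if (Test-TcpPort $dc $p) { 'open' } else { 'BLOCKED' }
        '{0,-30} tcp/{1,-4} {2}' -f $dc, $p, $state
    }
}

# 3. Kerberos tolerates roughly 5 minutes of clock skew; show the time source and offset.
w32tm /query /status | Select-String 'Source|Last Successful Sync|Phase Offset'

# 4. Group Policy errors (Level 2) from the last day, then force a refresh.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap -AutoSize
gpupdate /force
```

Run it in an elevated PowerShell session on a machine whose policy did not apply. An empty SRV result points back at the client's DNS server list; a BLOCKED on 445 toward a DC on the management VLAN points at the inter-VLAN routing that pmanno asked about; a large Phase Offset or no successful sync explains Kerberos and therefore Group Policy failures on its own.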

Author Closing Comment by smtsol
Thanks all. These steps did not solve the initial problem, but have pointed me in the right direction to solve it. I am drilling down into my network and checking all the configurations of the switches to see where I am dropping packets. Weird, though: the computers seem to be holding group policy unless a totally new user logs in. Then it applies some group policy, but not all. Will have to figure it out. Thanks again.