Solved

Local DNS not refreshing after reboot

Posted on 2010-09-02
1,002 Views
Last Modified: 2012-05-10
Good day experts,

I have a large problem with the local DNS cache on about 1500 computers.

To get more specific:

The network was converted from Novell Netware 6 to Windows Server 2008 Enterprise Education edition (ADDS, DNS).

Novell Client for Windows and all other TCP/IP add ons for Novell were removed

Each computer is statically set with IP, Subnet, Gateway, Primary DNS (DNS Server =  2008) and ISP DNS

Each NIC is set to register with DNS


Problem:

When the computers are rebooted, they lose the ability to resolve by DNS hostname. The computers will ping the server by IP. Thus, each computer has to have the connection repaired and an ipconfig /flushdns -> ipconfig /registerdns done every single time.

This causes the mapped home folders (set in the profile tab or through a logon script) to not map. All logon scripts set through GPO are not hitting either.

Doing an ipconfig /displaydns before the flush/register shows that the hostname pinged, site and logon directories cannot be resolved.

I have used nslookup to try and troubleshoot. When I enter the hostname of the file server or DNS server, it returns the proper IP. I can also see the name servers.

I am at a loss and need to find an answer.  Any help will be GREATLY appreciated.
Question by:smtsol
24 Comments
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
ID: 33591787
When this happens, can the affected systems ping an outside host by name, like ping www.google.com ?  In other words is it only internal DNS that's failing but external DNS lookups work?
LVL 13

Expert Comment

by:Greg Hejl
ID: 33591828
http://support.microsoft.com/kb/299357/en-us

Reset the Windows TCP/IP stack to defaults.

Guessing removal of Novell probably corrupted settings.

LVL 2

Expert Comment

by:pmanno
ID: 33591836
First off, I would suggest you remove the ISP DNS entry as the secondary DNS server.  You don't want your client computers querying the ISP's DNS for your local DC, which it will never find.  So, in your situation, you have only one DNS server and it is your DC.

Also, I assume your client computers are joined to the domain, and you are logging in to the computers with domain credentials, not local credentials.  Are those assumptions correct?
LVL 11

Expert Comment

by:Ben Personick
ID: 33593046

Sounds like both the previous posts get part of this right.

First, as a band-aid, add these lines at the beginning of your logon batch script:

ipconfig /flushdns
ipconfig /registerdns

At least that will solve the immediate problem for most users.

Next, because it's quickest, set the DHCP server setting your DNS settings on the clients to serve the IP addresses of your primary and secondary domain controllers.

Also, set the DNS forwarding for each DC's DNS server to be the ISP's DNS server.

Client requests sent to the ISP to register their NICs will be rejected, and may cause you issues with DNS.

Finally, whenever you uninstall software which integrates with or extends TCP/IP on any machine, you should reinstall the TCP/IP stack on that machine as best practice, because there is a huge potential for problems with a machine both immediately and later on if you do not.

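The client-side advice in the replies above (domain DNS servers only, no ISP resolver on the NIC, register the connection, then flush and re-register) can be turned into a repeatable audit. The following PowerShell script is an added example, not code from the thread or from any poster. It assumes the DnsClient cmdlets shipped with Windows 8 / Server 2012 and later (Get-DnsClientServerAddress, Set-DnsClientServerAddress, Resolve-DnsName, Register-DnsClient); the DC addresses and the domain name are placeholders. Without -Repair it only reports; with -Repair it rewrites the server list on adapters that still carry a non-domain resolver and then does the equivalent of ipconfig /flushdns and ipconfig /registerdns.

```powershell
# Added example, not code from the thread. Audits a workstation's DNS client
# configuration: every active interface should list only the domain DNS
# servers (no ISP resolver), each of those servers must answer the domain's
# DC locator SRV record, and after any change the cache is flushed and the
# host record re-registered. Requires Windows 8 / Server 2012+ cmdlets.
# Addresses and domain name below are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$DomainDnsServers = @('10.0.0.10', '10.0.0.11'),  # placeholder: your DCs
    [string]$DomainName        = 'corp.example',                # placeholder: your AD DNS name
    [switch]$Repair                                             # rewrite server list and re-register
)

function Test-DomainDnsServer {
    # A domain DNS server can answer the DC locator record for the domain; an
    # ISP resolver never can, which is why a client that tries it finds no
    # logon server and gets no mapped drives or GPO.
    param([string]$Server, [string]$Domain)
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                               -Server $Server -DnsOnly -ErrorAction Stop
        return [bool]($srv | Where-Object Type -eq 'SRV')
    } catch {
        return $false
    }
}

$report = foreach ($adapter in (Get-NetAdapter -Physical | Where-Object Status -eq 'Up')) {
    $cfg      = Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4
    $current  = @($cfg.ServerAddresses)
    # Anything not in the domain list is treated as an outside resolver.
    $external = @($current | Where-Object { $DomainDnsServers -notcontains $_ })
    # Domain servers that do not answer the locator query are flagged too.
    $bad      = @($DomainDnsServers | Where-Object {
                    -not (Test-DomainDnsServer -Server $_ -Domain $DomainName) })

    if ($Repair -and ($external.Count -gt 0 -or $current.Count -eq 0)) {
        if ($PSCmdlet.ShouldProcess($adapter.Name, "Set DNS servers to $($DomainDnsServers -join ', ')")) {
            Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DomainDnsServers
        }
    }

    [pscustomobject]@{
        Adapter          = $adapter.Name
        ConfiguredDns    = $current  -join ', '
        NonDomainDns     = $external -join ', '
        UnreachableDcDns = $bad      -join ', '
        # "Register this connection's addresses in DNS" on the adapter.
        RegisterWithDns  = (Get-DnsClient -InterfaceIndex $adapter.ifIndex).RegisterThisConnectionsAddress
    }
}

if ($Repair) {
    # Same effect as ipconfig /flushdns followed by ipconfig /registerdns.
    Clear-DnsClientCache
    Register-DnsClient
}

$report | Format-Table -AutoSize
```

Run it once per machine as-is to see which adapters still carry the ISP resolver, then with -Repair (and -WhatIf first, since the script supports ShouldProcess) to apply the fix; the UnreachableDcDns column separates a client-side misconfiguration from a DC whose DNS is not answering at all.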
 

Author Comment

by:smtsol
ID: 33612163
Hey experts.  Sorry for the delay in response.  Been trying to use your suggestions in the way given as well as finding different combinations and solutions, plus do the rest of the job.

IT-Monkey-Dave:
Yes they can all ping an outside IP.

Greg_Hejl:
I have tried repairing the TCP/IP Stack.  This worked on one computer.  As I continued to use this method the other computers that I touched were hit and miss on fixing the problem.

pmanno:
removing the DNS also seemed to increase the chances that someone would get their map drive and logon script, but it was still not consistent.  Yes they are all part of an ADDS domain and logging on with domain credentials.

QCubed:
As per the others, I tried repairing the TCP/IP stack, removing the DNS of the ISP, and also took a fresh install of a PC and put it on the network. There is still the problem with consistency of logging into the domain and getting the mapped network drive through the profile and getting the logon script.

There is also a new symptom. Whenever someone with a GPO logs in, there is about a 35% chance that the policy will apply, whether it be a computer configuration or a user configuration. This is still a mystery.

LVL 11

Expert Comment

by:Ben Personick
ID: 33612424
If even a fresh install gives you issues, the problem is on your servers or network infrastructure.

If you statically assign your DNS servers on the newly installed machine, does that resolve the DNS issue?

How are your networks configured?

(I know you said the client IPs are static, but I assume that you left DNS non-static. If so, how are you assigning the DNS servers network-wise, that is to say: are you using DHCP forwarding, or are you putting a DHCP server on each segment, or are you putting the DHCP server in the router for each segment?)

LVL 13

Expert Comment

by:Greg Hejl
ID: 33614765
Time to break out Wireshark and check comms on the wire. Start with your AD servers and work around to the computers that are having issues.

Look at DNS and AD traffic, also DHCP services.

It's easy to pick out the packets that are failing.

Run dcdiag /fix on your AD servers. gpupdate /force will refresh GPO - shark this.

If you upload the pcaps, we'll need a network diagram, with switch ports pls.

Also check event logs for failures relating to DNS, group policy, and DHCP.

LVL 2

Expert Comment

by:pmanno
ID: 33614822
Is there a firewall between the workstations and the server?

Author Comment

by:smtsol
ID: 33620177
QCubed:
I have the DNS statically set on some computers that I am having issues with.  This will map their home folder set in the ADDS profile, but will not run the GPO.  We do not have any DHCP servers (Server 2008 or router) that are in play.  
We have:
4 locations
1 Server 2008 with ADDS and DNS installed at 3 locations
      - Sites and Services is configured under AD
      - Each location has its own DNS
1 Server 2008 with File and Application Services installed at same locations
Each site has multiple VLANS through a SGE2000 (configured L3)
The SGE2000 feeds to SRW2048's and some other legacy switches throughout the site
Each site has a RVS4000 router between the SGE2000 and the ISP

Author Comment

by:smtsol
ID: 33620181
pmanno:
The firewalls are all disabled

Author Comment

by:smtsol
ID: 33620191
Greg_Hejl:
Ran the DCDIAG /FIX and found some issues that were resolved.

Haven't got Wireshark installed on anything yet.

Will work on it.


Author Comment

by:smtsol
ID: 33620202
QCubed:
The mapping of the profile home drive is after removing the ISP DNS entries on the computer.  That is now consistent.  Just working on the GPO problem.
LVL 2

Expert Comment

by:pmanno
ID: 33621039
smtsol: when you say that the firewalls are all disabled, are you talking about a software firewall or a hardware firewall?

Author Comment

by:smtsol
ID: 33621086
Greg_Hejl:
Installed Wireshark on the DC. Ran a capture with the filter set to DNS. I am getting clean (as in Wireshark not marking them as bad) packets from my DC to the ISP DNS. There are also clean packets that come with the label of LLMNR to computers that are on the network.

All other DNS packets are coming back as bad with the error of what is in the attached doc.
Doc1.doc


Author Comment

by:smtsol
ID: 33621094
pmanno:
Windows firewall on the computer....sorry for not clarifying.
LVL 2

Expert Comment

by:pmanno
ID: 33621127
Have you checked your NIC drivers in the server?  Are they up to date?  Do you have another network card in the server that you could try to use instead?

Author Comment

by:smtsol
ID: 33621163
All of the servers are brand new and up to date. Have done a clean install with the drivers from the manufacturer. I have tried using the other NICs as the DNS, but the same response.

LVL 2

Expert Comment

by:pmanno
ID: 33621192
smtsol: Sorry, I should have asked this question instead, are the workstations and the DC on the same subnet or is there a router/bridge between them?

Author Comment

by:smtsol
ID: 33621314
The workstations are all on VLANs. Each is segmented into different subnets. The DNS and file server are all on the management VLAN.

LVL 11

Expert Comment

by:Ben Personick
ID: 33621377
Okay, so DNS is resolved and drive mapping is resolved, so your issues are only applying the GPO now, is that correct?

LVL 2

Assisted Solution

by:pmanno
pmanno earned 150 total points
ID: 33621398
What are you using to route traffic between the VLANs?  Have you tried dumping a workstation on the same subnet as the server to see if the problem persists?  I noticed in your Wireshark dump that the destination device was a Cisco device which got me thinking about it.  Perhaps that box is on the fritz or a port is going bad on it?  A checksum error usually indicates hardware failure.
LVL 11

Assisted Solution

by:Ben Personick
Ben Personick earned 150 total points
ID: 33621459
I just took a look at the screenshot you gave us, and that error appears to be indicating that something is stripping off the header content from the DNS packets being received by the server.

That could be an improperly configured router or Layer 3 switch most likely, or possibly bad hardware, or finally you may have some sort of over-zealous or misconfigured intrusion detection/prevention device/system on the network doing this.

Whatever the case, the header in question is being stripped by your networking equipment somewhere. Time to open a smart-net ticket! ^^ (Unless your IDS/IPS is software based, in which case start there by disabling it.)

LVL 13

Accepted Solution

by:Greg Hejl
Greg Hejl earned 200 total points
ID: 33623122
Run gpupdate /force on the workstation that has issues. Review event logs for gpupdate events.

You can also shark this - here's a link to ports required by AD: http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

GP is port 445 if I remember.

Also review w32tm logs; gpupdate won't work if time is not synced: http://technet.microsoft.com/en-us/library/cc758905%28WS.10%29.aspx

If you are able to resolve DNS on the internet through your domain controller you're probably OK - UDP is best effort - but since this is captured off your DC in response to a DNS request, you may have an issue with your TCP/IP stack. Did you reset the TCP/IP stack on the DC? I would boot to safe mode to reset the stack; the DC might not like it with services running.

This may be why your workstations were trying DNS for your IP - I'm guessing you had ISP DNS as the secondary entry? Since all your workstations are now just pointed to domain DNS, you're probably seeing lots of UDP traffic, as workstations will hammer until they get a response.
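The accepted answer lists the things Group Policy processing depends on: a DC the client can locate through DNS, the AD ports (445 among them) reachable from the workstation's VLAN, a clock that is in sync with the DC, and a clean Group Policy event log. The script below is an added example, not code from the thread or from any poster, that checks each of those from the affected workstation in one pass. It assumes Windows 8 / Server 2012+ cmdlets (Resolve-DnsName, Test-NetConnection, Get-WinEvent) plus the built-in w32tm tool; the domain name is a placeholder, and the port list (Kerberos 88, RPC 135, LDAP 389, SMB 445) is the subset of the AD port list most relevant to GPO download.

```powershell
# Added example, not code from the thread. Checks the prerequisites the
# accepted answer names for Group Policy on a workstation: the DC locator SRV
# record, reachability of the AD ports from this subnet, the SYSVOL share,
# clock offset to each DC (Kerberos rejects skew over 5 minutes by default),
# and recent Group Policy errors. Domain name is a placeholder.
param(
    [string]$DomainName = 'corp.example'   # placeholder: your AD DNS name
)

# 1. DC discovery the way the client does it: _ldap._tcp.dc._msdcs.<domain> SRV.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV'
if (-not $srv) {
    Write-Warning "No DC locator SRV record for $DomainName; the client cannot find a DC at all."
    return
}
$dcs = $srv.NameTarget | Sort-Object -Unique

# 2. AD ports a workstation on another VLAN must reach: Kerberos 88, RPC 135,
#    LDAP 389, SMB 445 (SYSVOL, where the policy files live).
$ports = 88, 135, 389, 445
$portResults = foreach ($dc in $dcs) {
    foreach ($p in $ports) {
        [pscustomobject]@{
            DC   = $dc
            Port = $p
            Open = Test-NetConnection -ComputerName $dc -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

# 3. SYSVOL must be readable; if only some GPTs are reachable, only some policy applies.
$sysvolOk = Test-Path "\\$DomainName\SYSVOL\$DomainName\Policies"

# 4. Clock offset to each DC via w32tm. With /dataonly the last line looks like
#    "12:00:01, +00.0123456s"; anything beyond +/-300 s breaks Kerberos.
function Get-ClockOffsetSeconds {
    param([string]$Computer)
    $line = w32tm /stripchart /computer:$Computer /samples:1 /dataonly 2>$null | Select-Object -Last 1
    if ($line -match '([+-]\d+\.\d+)s') { return [double]$matches[1] }
    return $null
}
$skew = foreach ($dc in $dcs) {
    [pscustomobject]@{ DC = $dc; OffsetSeconds = Get-ClockOffsetSeconds -Computer $dc }
}

# 5. Group Policy errors (Level 2) in the last 24 hours from the operational log.
$gpErrors = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 2
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue)

"Domain controllers found via DNS: $($dcs -join ', ')"
"Closed AD ports (empty is good):"
$portResults | Where-Object { -not $_.Open } | Format-Table -AutoSize
"SYSVOL policies share reachable: $sysvolOk"
"Clock offset per DC:"
$skew | Format-Table -AutoSize
"Group Policy errors in last 24h: $($gpErrors.Count)"
$gpErrors | Select-Object -First 5 TimeCreated, Id, Message | Format-List
```

Run it from a workstation on one of the affected VLANs rather than from the DC: a port that is open from the management VLAN but closed from a user VLAN points at the Layer 3 switch or router configuration, which is where the thread ended up looking, while a large clock offset or a string of Group Policy errors narrows the problem to the client itself.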
 

Author Closing Comment

by:smtsol
ID: 33663824
Thanks all.  These steps did not solve the initial problem, but have pointed me into the right direction to solve it.  I am drilling down into my network and checking all the configurations of the switches to see where I am dropping packets.  Weird, though, the computers seem to be holding group policy unless a totally new user logs in.  Then, it applies some group policy, but not all.  Will have to figure out.  Thanks again.