ccatarella

Windows not using Alternative DNS Servers

I'm having an issue with numerous clients ranging from Windows XP to Windows 7 wherein these clients never switch over to using their Alternative DNS servers configured either manually or DHCP when their Preferred DNS becomes unavailable.

This issue came to light during our recent testing of our Disaster Recovery site. Clients are configured with 2 DNS servers in our corporate office and 2 DNS Servers in our DR Site.

For example:

DNS Servers: 192.168.100.10 - Corp
             192.168.100.11 - Corp
             172.50.16.10   - DR
             172.50.16.11   - DR

All of our DNS servers are running Windows 2003 R2 SP2 x32 Domain Controllers with AD Integrated DNS. We have no issues using any of the servers individually, no errors with NS Lookup queries and no lingering Active Directory issues.

During our testing the 192.168.100.x network becomes unavailable leaving only the 172.50.16.x network. Clients can communicate to the DR servers just fine and are able to use DNS here just fine when configured with 172.50.16.10/11 as a primary.

Needless to say I'm baffled by the fact that the Windows DNS Client will simply not resolve DNS off of any of our alternate DNS servers. I have also tried with just 1x Corp DNS server and 1x DR DNS Server instead of 2 and 2.

As far as I understand it Windows Client DNS functions in the following manner:
Reference: http://technet.microsoft.com/en-us/library/cc772774%28WS.10%29.aspx#w2k3tr_dns_how_gaxc
  - For several seconds it tries to query the preferred DNS server over the preferred NIC
  - If that fails it tries the primary using all NICs
  - If that fails it tries all DNS servers over the preferred NIC
  - etc....
Once it receives a valid response (any DNS/53tcp comms) it will continue to use that DNS server until it reaches whatever fail back time is configured (15 minutes by default) at which point it will once again attempt to hit the preferred DNS server.


It does not seem that any client we have (Windows XP SP2/SP3, Windows 7, Windows 2003) on or off the domain will make use of the secondaries.

We have....
• Waited over 30 mins...
• Restarted the dnscache, dhcp client, netbt services
• Rebooted
• Run Repairs / release+renew on dhcp
• Repaired Winsock/TCPip
• Applied all Win updates

All without any success.

Searching the internet I've come up quite short on any KB articles or hotfixes for this issue. Has anyone seen this? Are you able to reproduce it? I'm even seeing it with a fresh load of XP SP3 with no patches.

In summation:

• Primary and Secondary DNS servers = completely offline
• 3rd and 4th DNS servers = ping-able, DNS comms verified
• Client = Windows XP
• DNS = Windows 2003 SP2 AD Integrated
• Client will not ever attempt to use 3rd or 4th DNS server. Simply times out continually.


Just to head off any quick replies please keep in mind this KB article is NOT what we are looking at:
The DNS Client Service does not revert to using the first server in the list in Windows XP
http://support.microsoft.com/kb/320760/en-us


Any help would be greatly appreciated!
Michael Pfister

Have you tried capturing a network trace? http://www.microsoft.com/downloads/en/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en

What happens if you query the DNS directly? Does it work? I.e.
nslookup name-to-resolve 172.50.16.10
When you list DNS servers on the individual machines, this will be overridden by a group policy setting that differs from what you've set on the individual machines.

Are you sure you don't have a group policy set somewhere that's only listing the 192.X.X.X entries?

See: http://technet.microsoft.com/en-us/library/dd197486%28WS.10%29.aspx

And check, in your Group Policy Settings, Computer Configuration/Administrative Templates/Network/DNS Client/DNS Servers

ccatarella

ASKER

To reply to the above comments.

a) mpfister | network connectivity to all DNS servers from all test clients has been verified 100%; there are no network connectivity issues, and DNS resolves if pointing to each one directly. The issue is that when we have, say, two configured on a client and we "unplug" the preferred DNS server from the network, the clients never look at any of the alternates even though they are live and usable. I've verified using nslookup / ping / dig etc.

b) akahan | we've used both domain and non-domain clients. My first thought in seeing this was that there was some strange group policy, but this is not the case. The DNS servers manually configured or leased via DHCP are the ones being used. We've verified this during our testing. Furthermore, the non-domain clients used for tests are fresh loads from an XP SP2 and XP SP3 CD --- not simply a disjoined machine and not using any of our images.

Thanks for your input all -- I'd be curious if any of you can reproduce this issue just for my own sanity.
Am I correct in assuming you have a single NIC with two IP addresses for both 192.168.100.0/24 and 172.50.16.0/24 network?
No that is not correct. This is a single NIC with a single IP on any of our client networks which are routable to both the Corp and DR server subnets.

Communication is not an issue and this problem in my mind is a Windows Client issue; more specifically a Windows DNS client issue. The only plausible fix I see would be a registry hack, hotfix or other patch.
I tried that, using XP SP3, a single NIC with a single IP (but DHCP), providing two invalid DNS servers (1.1.1.1 and 2.2.2.2), and a valid one as third, and that works. However, it is querying all 3 DNS servers in a row each time.
Not using DHCP is not changing anything. And if I don't use nslookup, but the DNS Cache service (e.g. with ping or anything else but nslookup), the DNS answer is immediate.
If the primary DNS server goes down, then the client should use the secondary; then if the primary goes up again, the client will continue to use the secondary until the secondary goes down. This is how the Windows DNS client works.

Hope this would help.
Hey All,

I might have figured out my issue.... and I think this is probably due to a lack of adequate caffeine on my part.

Our test lab area machines are all configured without default gateways. I was adding manual route table entries; one for DR and one for CORP.

The reason for this is that I could use our production DNS IPs and simply delete the route to simulate a loss of communication to any server without having the need to stop dns/unplug a production box. Keeping it simple with separate test servers would seem the better option but right now I'm stretched for physical and virtual resources in both locations and opted to use the route table instead.

OK that all said....
It seems as if the Windows DNS client will NOT attempt to query a DNS server which is not on the client's own subnet if the Windows DNS client does not see a default gateway. From my testing this seems to be regardless of whether or not a usable route exists.

So the mystery might be solved .... and while this still doesn't explain our issues during our DR test (which may end up being just routing issues) it does explain my results when troubleshooting/testing after the fact.

Thanks all for your effort thus far - I'll go ahead and close this out pending my verification of what I mentioned above.
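The server-selection behaviour ccatarella describes near the top of the thread (query the preferred server first, fall back to the remaining servers, then stick with whichever one answered until the failback timer expires) and the no-default-gateway observation in the post just above can be put together in a small simulation. This is an added example, not code from the thread, from Microsoft, or from any Windows component; the rule that off-subnet servers are skipped when no default gateway is configured is an assumption that simply encodes what ccatarella reported, not documented Windows behaviour. The client address and the reachable-server sets are constructed for the demo; the DNS server addresses are the ones given in the question.

```python
import ipaddress

# Default failback interval the question cites (15 minutes), in seconds.
FAILBACK_SECONDS = 15 * 60


class DnsClientSim:
    """Toy model of a stub resolver's server-list failover.

    Assumed behaviour (not a Windows implementation):
      * servers are tried in configured order, preferred first;
      * the first server that answers becomes the "current" server and is
        tried first on later queries until `failback` seconds have passed;
      * with no default gateway, only servers on the client's own subnet are
        ever queried (this encodes the observation in the thread).
    """

    def __init__(self, servers, client_ip, netmask, default_gateway=None,
                 failback=FAILBACK_SECONDS):
        self.servers = list(servers)
        self.client_net = ipaddress.ip_network(f"{client_ip}/{netmask}", strict=False)
        self.default_gateway = default_gateway
        self.failback = failback
        self.current = None        # server that answered most recently
        self.current_since = None  # timestamp of that answer

    def candidate_servers(self):
        """Servers the client is willing to query at all."""
        if self.default_gateway is not None:
            return list(self.servers)
        # Assumption from the thread: no gateway -> off-subnet servers are skipped.
        return [s for s in self.servers if ipaddress.ip_address(s) in self.client_net]

    def resolve(self, name, reachable, now):
        """Return (server_that_answered, servers_tried_in_order).

        `reachable` is the set of server IPs that would answer right now
        (stands in for real network state); `now` is a timestamp in seconds.
        """
        cands = self.candidate_servers()
        if not cands:
            return None, []
        order = cands
        if (self.current in cands and self.current_since is not None
                and now - self.current_since < self.failback):
            # Stick with the last responder; keep the rest in configured order.
            order = [self.current] + [s for s in cands if s != self.current]
        tried = []
        for server in order:
            tried.append(server)
            if server in reachable:
                if server != self.current:
                    self.current, self.current_since = server, now
                return server, tried
        return None, tried


if __name__ == "__main__":
    # Constructed scenario using the server list from the question.
    servers = ["192.168.100.10", "192.168.100.11", "172.50.16.10", "172.50.16.11"]
    dr_only = {"172.50.16.10", "172.50.16.11"}  # Corp site "unplugged"

    with_gw = DnsClientSim(servers, "10.1.1.50", "255.255.255.0", default_gateway="10.1.1.1")
    print("with gateway, corp down  :", with_gw.resolve("host.example", dr_only, now=0))
    print("sticky after 60s         :",
          with_gw.resolve("host.example", dr_only | {"192.168.100.10"}, now=60))
    print("failback after 1000s     :",
          with_gw.resolve("host.example", dr_only | {"192.168.100.10"}, now=1000))

    no_gw = DnsClientSim(servers, "10.1.1.50", "255.255.255.0")
    print("no gateway, candidates   :", no_gw.candidate_servers())
    print("no gateway, corp down    :", no_gw.resolve("host.example", dr_only, now=0))
```

The point of the last two lines is that the symptom in the question ("never attempts to use the 3rd or 4th server") falls out of the candidate list being empty, not out of the failover or failback logic, which is why extending the wait or restarting the DNS client service changed nothing. When testing DR failover with routes deleted or gateways removed, check what the client is willing to query before concluding the resolver is broken.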
Interesting theory - no default gateway, no (foreign) DNS server queried? Sounds Windows - ehm, strange. But there might be some truth behind.
ASKER CERTIFIED SOLUTION
ccatarella
Thanks for research and sharing. I have taken that into my KB. I agree that this cannot be an intended "feature".
Very useful, thank you.
Self-Answered question. The original problem I was describing was a direct result of my testing methods. It shed light on a possible bug with Windows Client DNS. At the end of the day since all our clients utilize default gateways DNS fail-over was actually working all along.