Solved

DNS malfunction on WinSrv08

Posted on 2011-02-22
14
1,007 Views
Last Modified: 2012-05-11
Boy, oh, boy. I've done *something* and now DNS is not working. I'm convinced that the recent FTP7.5 patch had something to do with it, but I'm not equipped to find out how right (or not) I am.

First, the environment. We have a single-server domain running Windows Server 2008 (NOT R2). It is all things to the network - DC, DNS, and IIS server, and it does file and print sharing. All IP addressing is static (192.168.x.y), so we aren't using DHCP. The ISP, Qwest, gave us an M1000 modem and we are not using its built-in firewall, but we are using NAT and some of its port forwarding features. The Windows firewall is up and running on the server. Both have allowed traffic on 135 for DNS purposes.

The problems... Port 135 was opened because two of the original problems were that the root hints all showed "not available" for IP addresses and that one of the DNS tools reported that COM+ wasn't able to communicate with my ISP's DNS servers using any available protocol. Research on that problem indicated that traffic needs to pass on port 135 for DNS. The server's IP stack locally was configured to point to itself for DNS, and the DNS service was pointing to the ISP's DNS servers using forwarders. I tried turning Root Hints on AND off, but the IP addresses remained blank.

I've followed many of the suggestions here at EE to no avail. While clients on the network were able to resolve new addresses just fine, the DC itself could not resolve addresses that weren't in the local cache. From the server, I could ping any name successfully, but when it came to actually going to that site in a browser, it would just sit at "attempting to connect" unless the site was in the local cache. After trying a bunch of things, I came to the point that I felt removing and reinstalling DNS should resolve my problems. My first remove-and-reinstall didn't resolve anything, so after more tinkering, I removed again. This time, upon reinstallation, I now see that the DNS server has the red-circle-white-X over it. The new error is, "Active Directory Domain Services was unable to establish a connection with the global catalog." In Server Manager, DNS is stuck in a situation where I have the message, "This DNS server has not been configured. [...] To configure the DNS server, on the Action menu, click Configure a DNS server." The problem is...that option is greyed out, even after two reboots. So, I fear that DNS is broken and tomorrow, it will be much worse (requiring me to reconfigure each person's DNS settings so they can get to the 'net...NOT the way to make a good impression on a client!)

Now, dcdiag /fix and dcdiag /test:dns both tell me that "There are no more endpoints available from the endpoint mapper....SERVER (my DC name) failed test Connectivity." The /test option also says that there is no RPC connectivity, but RPC is running... I've stopped and restarted netlogon. I've rebooted again. I still get errors with AD and DNS, both referring back to RPC not working.

I really don't want to have to rip out AD and rebuild the domain, and at this point, I don't know if that will even help. (WHY couldn't this have happened on a Friday???)

Does anyone have ideas for me? Feel free to ask me for additional information and I'll post as much as I can. I TRULY appreciate all assistance anyone can provide.
Question by: Mark Racicot

14 Comments
 
LVL 11

Expert Comment

by:Pieter Jordaan
ID: 34958901
Hi

Port 53 should be open for DNS.
It should only be for the UDP protocol, but TCP 53 is used for zone transfers, so open that too.

Author Comment

by:Mark Racicot
ID: 34961504
I'll do that. Any thoughts on the larger problem of the service not working generally? After I posted, I did another remove and reinstall, but it is just as broken... In order, I first get error 4013:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

...then a few seconds later, I get Event 140:
The DNS server could not initialize the remote procedure call (RPC) service. If it is not running, start the RPC service or reboot the computer. The event data is the error code.

...and at the same time-stamp as 140, I also get Event 2 ("The DNS server has started") then Event 4 (the one about being finished loading zones, DNS is available for updates and zone transfers as allowed by their individual zone configuration).

Other thoughts?

Screenshot of Server Manager showing the defunct DNS service.
LVL 11

Accepted Solution

by: Pieter Jordaan (earned 500 total points)
ID: 34964312
Add your primary zone, and give it some time to automatically create the AD stuff.
It will eventually show you the sub folders in the zone needed for Active Directory.

Also add a forwarding DNS server to resolve all non-local domain names using an external DNS server.

If you don't have one, use the Google DNS server 8.8.8.8

Then see if you can resolve "www.google.com" using your DNS server.

The following command in command prompt should resolve the name without using your server:
nslookup www.google.com 8.8.8.8

Then see if your server forwards correctly:

nslookup www.google.com your.DNS.server.here

You should get:
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.l.google.com
Address:  196.23.168.147
Aliases:  www.google.com

Good luck.


Author Comment

by:Mark Racicot
ID: 34964582
OK...but when I go to add the zone, here's what I see...a grayed-out menu.
SERVER.bmp

Author Comment

by:Mark Racicot
ID: 34989795
OK, experts... having no solid answers to the above question, I've rebuilt my server. Windows 2008 Standard (NOT R2) reinstalled on a Dell T310. Of the two NICs, one is connected to my Cisco switch which is up-linked to my DSL modem and the other is disabled.

I installed and configured the following ROLES: AD DS, DNS, File Services, Print Services, Web Server (IIS), Windows Deployment Services, Windows Server Update Services.

I installed the following FEATURES: .NET Framework 3.0, Grp Pol Mgmt, Rem Assist., Remote Server Admin Tools, Windows Internal Database, Windows PowerShell, and Windows Process Activation.

I've configured my domain. Prior to installing DNS, IPv4 was set to my ISP's DNS servers and I was able to get to the Internet and browse normally. After installing DNS, I verified that the DNS configuration wizard automatically re-pointed IPv4 to 192.168.0.11 (my server's static IP address) and...nothing...no websites resolve. None. This is a basic install - the only thing I did was to add two forwarders to point my DNS to my ISP to resolve unknown names. I expected that once I set the forwarders, I should be able to resolve by forwarders, since nothing is cached locally yet. I also followed the tests above (nslookup) and they all work as described. The browser resolves the name - I can see it in the status bar at the bottom - but the page just doesn't load.

I'm frustrated, and my client is looking to me to get this working. I am really stressing now... It MUST be something small and probably painfully obvious to any good IT guy (which until now I thought I was).  Anyone?

Author Comment

by:Mark Racicot
ID: 35024455
New information... A look at the network traffic via NETMON showed odd behavior between my server and the web servers we tried to reach. With no other solutions readily available and a server in a less-than-usable state, I got Dell to send me a new motherboard. We theorized that it might be significant that the onboard NICs showed a 100Mbps link while the switch showed a 1Gbps link. The new part got installed and didn't change the lights at all...but, after reinstallation of the OS, it seemed to be working. That was last night. Today, my customer made only one change that I can see, and that was the installation of Quickbooks 2008. When I remoted in to do some FTP site configuration, I tried going out to the Internet as a check to see if it was still working. It wasn't. I turned off all firewalls and still nothing. NSLOOKUP still works.

So, I managed to get FTP working and I sent myself NETMON, installed it, and captured the attached 1MB file. From the browser point of view, both IE8 and Firefox, the initial request is resolved and an http connection is made, but once the browser "sees" the site, it simply doesn't get any more data...it sits and churns until I quit the connection attempt. (I let it go 15 minutes with nothing to show for it.)

I'm not that good at reading them, so I'm hoping someone out there can look at it and translate for me. What is happening? trap1.zip
LVL 11

Expert Comment

by:Pieter Jordaan
ID: 35024570
Hi

Are you sure that the M1000 modem is functioning correctly?
Perhaps a broken NAT rule, or routing issue?

Please post the output of:
tracert www.google.com

from you server and a working workstation.

Let see if the packets find their way.

Author Comment

by:Mark Racicot
ID: 35028534
BitFreeze-

At this point, I am ruling nothing out. :) Due to my work schedule today, I won't be able to get the info you requested until this evening. Is there anything else you think you might need? Let me know.
LVL 11

Expert Comment

by:Pieter Jordaan
ID: 35030624

I think we should eliminate Windows for now and focus on the network.

Do an nslookup from a working workstation to compare the results.
Let's see if the problem is network related or OS specific.

Author Comment

by:Mark Racicot
ID: 35033739
BitFreeze-

I was unable to get to the server this evening. I'll get something posted here tomorrow night. Sorry about the delay and thanks for your help and patience. :)

Author Comment

by:Mark Racicot
ID: 35180596
The problem has been discovered to be likely within the router's ARP tables. All NSLOOKUP queries continue to process correctly, but communication with websites fails. Changing the server's IP address from its static IP to a different static IP or to a DHCP-issued address resolves the problem, and returning the server to its original static IP address returns web browsing to its dysfunctional state.

Thank you to all who responded!
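The accepted answer's two nslookup checks (ask 8.8.8.8 directly, then ask your own server) and the final finding above (names resolve, but connections to the resolved web servers hang) both come down to testing the two layers separately. The following Python 3 script is an added example, not code from the thread or from Microsoft: it sends a raw DNS A query (RFC 1035 wire format) straight to a chosen server, which is what `nslookup name server` does, and then attempts a TCP connection to port 80 on the returned address, so the symptom the thread ended on shows up as "resolved OK, TCP connect failed" rather than as a vague browser timeout. The host name www.google.com, the public resolver 8.8.8.8 and the server address 192.168.0.11 are taken from the thread; the embedded sample response is constructed for offline testing and is not captured traffic.

```python
"""Separate DNS resolution from TCP reachability (added example, not from the thread)."""
import random
import socket
import struct


def build_query(name, txid=None):
    """Build a standard recursive A query for `name` (RFC 1035 section 4.1)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # flags 0x0100: QR=0 (query), OPCODE=0, RD=1 (recursion desired); 1 question
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return txid, header + question


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return offset + 2
        offset += 1 + length


def parse_a_records(txid, data):
    """Return (rcode, [IPv4 strings]) from a response to the query with id `txid`."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        offset = _skip_name(data, offset) + 4
    addrs = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record; CNAMEs are skipped
            addrs.append(socket.inet_ntoa(rdata))
    return rcode, addrs


def build_sample_response(txid=0x1234):
    """Constructed reply for offline testing (not captured traffic):
    www.google.com CNAME www.l.google.com, then A 192.0.2.1 (TEST-NET-1)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)  # QR=1, RD=1, RA=1, rcode 0
    question = b"\x03www\x06google\x03com\x00" + struct.pack("!HH", 1, 1)
    # 0xc00c points at the question name; 0xc010 at "google.com" inside it
    cname = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 8) + b"\x03www\x01l\xc0\x10"
    # 0xc02c points at the CNAME rdata, i.e. www.l.google.com
    a_rec = b"\xc0\x2c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return hdr + question + cname + a_rec


def resolve_via(server, name, timeout=3.0):
    """Ask `server` (an IP string) directly over UDP/53, like `nslookup name server`."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(txid, data)


def tcp_reachable(ip, port=80, timeout=5.0):
    """True if a TCP handshake to ip:port completes; False on refusal, timeout or no route."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(name, servers):
    """Resolve `name` through each server, then TCP-connect to the first answer."""
    report = {}
    for server in servers:
        try:
            rcode, addrs = resolve_via(server, name)
        except (OSError, ValueError) as exc:
            report[server] = {"resolved": False, "error": str(exc)}
            continue
        entry = {"resolved": rcode == 0 and bool(addrs), "rcode": rcode, "addrs": addrs}
        if entry["resolved"]:
            entry["tcp80"] = tcp_reachable(addrs[0])  # the step nslookup never exercises
        report[server] = entry
    return report


if __name__ == "__main__":
    # 8.8.8.8 and 192.168.0.11 are the resolver and server address from the thread.
    for server, result in diagnose("www.google.com", ["8.8.8.8", "192.168.0.11"]).items():
        print(server, result)
```

Run it on the server and on a working workstation and compare: if both report `resolved: True` but only the server reports `tcp80: False`, name resolution is not the fault and the next place to look is the path from that host's IP address outward (the router's NAT and ARP state, as the thread concluded), not the DNS role. Note that the script asks a server directly on UDP 53, so it also proves the point made in the first reply: the port DNS actually needs open is 53.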
LVL 11

Expert Comment

by:Pieter Jordaan
ID: 35182198

No points?

ID:35024570?

Author Comment

by:Mark Racicot
ID: 35182300
Since I was closing the question myself, I did not originally assign points. BitFreeze deserves the points originally offered because the information he gave was correct and easy to follow...even if the root problem was not what I thought it was. Please award the points to BitFreeze with my thanks!

Author Closing Comment

by:Mark Racicot
ID: 35182314
Thank you for the timely and thorough answers. Your help is greatly appreciated, and no slight intended with the previous 'closure'.