Urgent TCPIP knowledge required please

Posted on 2011-03-04
Last Modified: 2012-05-11
Sorry for the title of this topic but I'm under a lot of pressure to sort this quickly.

Could anyone explain how the DNS works in a small domain environment please? I have a situation where the presence of a Windows based DNS server is causing a slow ping to the internet. Even though a workstation might rely on the server for the DNS, removing the network connection from the server makes everything normal. I'm guessing the workstation doesn't require the server once it's resolved the IP address but I'm puzzled as to why the presence of the server makes things slow.

There is no apparent unusual network traffic which you might otherwise associate with these symptoms.

Is it feasible to suggest that a faulty DNS server service might cause this to happen?
Question by:edz_pgt
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +3
LVL 71

Expert Comment

by:Chris Dent
ID: 35034648
Good morning,

DNS requirements for an Active Directory domain are fairly simple:

1. All clients must be able to reliably resolve names for the AD domain name in DNS
2. The DNS server must support service records (MS DNS does)

The first is perhaps the most critical, and it means that you should not, under any circumstances, feed clients DNS servers that know nothing about your AD domain (for example, your ISPs DNS servers).

Your Internal DNS server will be able to resolve public names on its own by default (using Root Hints), although using Forwarders (typically to ISPs DNS servers) is a popular choice.

On to Ping. What do you mean by slow ping? Because DNS cannot directly impact Ping, although it can cause a delay before Ping really gets going if you ping a name rather than IP.


Expert Comment

ID: 35034757
what is the status of Antivirus on the DNS server ? updating to latest definition ?


Expert Comment

ID: 35034814
Also see

* Check the events for any hint
* Check your DNS forwarder for unwanted entries ..
* Observe the nslookup timing

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.


Expert Comment

ID: 35043567
Flush the DNS on the server
ipconfig /flushdns

It is probablt a fowarder.
Make sure that they are the same as your ISP.
Can also chuck in which is googles public dns

Author Comment

ID: 35043632
Many thanks for all of your replies.

It seems that the notification emails have gone astray so I was unaware of your comments until a couple of minutes ago. Hence my delayed reply - sorry guys.

It now seems that DNS may have been a red herring. After a lot of investigation I've managed to narrow this down a lot. I've found that stopping the SMTP service brings the ping results back to normal.

To answer a previous question, I had been pinging and getting replies at around 300ms - 600ms. Stop the SMTP service and these replies take around 50ms - 60ms.

So, my question I suppose is now related to email.

I've checked the queue, bad mail & pickup directories and they are empty. The UCEarchive folder has about 10 emails in it which appear quite normal.

Any ideas?


Author Comment

ID: 35043871
A bit more information:

1. Stopping the default SMTP in Exchange stops the ping problem.
2. Disabling all inbound NAT ports at the router has no effect.
3. Disabling outbound mail in Exchange has no effect.

So, it appears to be smtp related but I can't see anything to explain it in the Exchange queues.

Not sure if this is relevant, but there's a lot of port 445 netbios activity on the network. Never really looked into this before so I'm not sure what levels of 445 traffic to expect.
LVL 24

Accepted Solution

rfc1180 earned 500 total points
ID: 35044476
>Could anyone explain how the DNS works in a small domain environment please?

1. The client contacts AD DNs server (ADDNS01) with a recursive query for The server must now return
either the answer or an error message.

2. ADDNS01 checks its cache and zones for the answer, but does not find it, so it contacts a server authoritative
for the Internet (that is, a root server ) with an iterative query for

3. The DNS server at the root of the Internet does not know the answer, so it responds with a referral to a DNS server
authoritative for the .com domain.

600ms of RTT latency

4. ADDNS01 contacts a DNS server authoritative for the .com domain with an iterative query for

5. The DNS server authoritative for the .com domain does not know the exact answer, so it responds with a referral
to a server authoritative for the domain.

Additional 600ms of latency

6. ADDNS01 contacts the DNS server authoritative for the domain with an iterative query for

7. The DNS server authoritative for the domain does know the answer. It responds with the requested IP address.

Again, an additional 600ms of latency on the query time, with a total of 1.8 seconds for the entire query to complete from
a client prespective

8. ADDNS01 responds to the client query with the IP address for


Stopping SMTP does appear to be the culprit; however by disabling outbound email and the NAT policy indicates that possibly internal client are filling up the SMTP queue causing congestion on the Ethernet link. I find  it hard to believe that SMTP traffic internally could be causing congestion on your internal network. Do you have the capability to log into the Ethernet switch and check the statistics of the switchport that the Exchange server is connected to. You could also install wireshark
on the Exchange server to analyze the packets and parse through the data to give you a better understanding what is going on from a packet level.


Author Comment

ID: 35044638
Thanks Billy.

While testing this afternoon the traffic suddenly stopped of it's own accord. The only thing I noticed was that the apparently empty outbound smtp queues had vanished.

All is still quiet but I suspect the issue may return on Monday when the office staff are back at work.

Is there a simple guide to running wireshark? I've read a lot of people suggesting it's good but it seems really complicated at first glance.
LVL 24

Expert Comment

ID: 35044739
>Is there a simple guide to running wireshark? I've read a lot of people suggesting it's good but it seems really complicated at first glance.

There is a guide, but parsing through all the data will be a bit intimidating; If you are not very knowledge in TCP/IP, then your best bet is to run a packet capture and ask the Experts here at the exchange to assist.

LVL 77

Expert Comment

by:Rob Williams
ID: 35050432
You can filter traffic with Wireshark after you make the capture. Based on your comments I would filter out all but SMTP. I would also check to make sure your server is not exposed to being an open relay.
Or use the Microsoft on-line test tool:

Author Comment

ID: 35098039
Just for the record....

The problem was due to a 15MB email being continuously rejected by and being continuously resent.

The message wasn't visible in the queue until I blocked port 25 outbound on the router. Once I could see it, I could then delete and problem solved.

Thanks everyone.

Featured Post

Don't Miss ATEN at InfoComm 2017!

Visit booth #2167 to see the  new ATEN VM3200 32 x 32 Modular Matrix Switch. Other highlights include the VE8950 4K HDMI Over IP Extender, VS1912 12-Port DP Video Wall Media Player  and VK2100 ATEN Control System. Register now with Free Pass Code ATEN288!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
Configuring network clients can be a chore, especially if there are a large number of them or a lot of itinerant users.  DHCP dynamically manages this process, much to the relief of users and administrators alike!
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question