Solved

Same ISP New IP addresses and DNS, now workstations have DNS issues.

Posted on 2011-03-22
391 Views
Last Modified: 2012-05-11
I recently added a block of IPs from the same ISP (Comcast). We had a single IP before through them; when we added, they gave me new DNS addresses, which I am using at another location without issue. The problem that I have is that within the network, users that are hardcoded (using the firewall, which works as a DNS proxy, and the server running DNS) cannot get to websites; they can ping IPs all day and can get to one or two sites. If I change them over to DHCP and let them auto-obtain, it works fine, and then I can hardcode right back to the original settings and they can get on fine after that. I've tried ipconfig /flushdns and repairing the connections with no luck. Any ideas?
Question by:aspenlife
17 Comments
 
LVL 37

Accepted Solution

by:
Neil Russell earned 250 total points
ID: 35192864
Workstations should ONLY have the SBS server as the DNS server and NOT the ISP
 

Author Comment

by:aspenlife
ID: 35192995
What about the firewall, which acts as a DNS proxy? I've tried every config on the hardcoded machines, and changing them to DHCP, letting them get their IP (ipconfig shows both the SBSvr and the firewall in DNS), then hardcoding back exactly as it was before doing anything makes them work. It's like something is being flushed by doing that which reboots, etc. don't do.
 
LVL 37

Expert Comment

by:Neil Russell
ID: 35193995
For your SBS to work correctly your SBS box should have DNS setup and running on it. It should forward to your ISP from DNS. The SBS box itself should have ONLY the SBS box itself set as its DNS servers in network config.
Your workstations should ONLY have the DNS of the SBS box set as a DNS server, no others.

Can you give a copy paste of the ipconfig /all output of a workstation that has the FIXED settings and then the same workstation when you config it for DHCP please?
 

Author Comment

by:aspenlife
ID: 35194280
If I get on a PC that isn't working and run ipconfig /all and write everything down, I then change from static to DHCP it connects and ipconfig /all is exactly the same except for the IP, then hardcode IP back to the original settings and it works. The only thing that has changed in the configuration is the DNS on the firewall going out. I don't think any of the other things come into play as they haven't changed at all. I did add the new DNS addresses to the SBSvr settings.
 

Author Comment

by:aspenlife
ID: 35194561
Sorry, not onsite to give you actual screenshots and have moved back to load balancing with a secondary connection. There are 50 users onsite and it's never a good time to break it in order to get it working properly.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35194620
With SBS 2003 if you make any WAN changes; router (even with the same options), ISP, DNS, etc. you must re-run the Connect to the Internet wizard. This will update many functions such as DNS, forwarders, DHCP scope options and more.
 

Author Comment

by:aspenlife
ID: 35194957
Thanks RobWill but when I run the wizard it says that my broadband connection should already be configured and ready to use. Do I need to kill the connection completely and start from scratch with the wizard? This sounds like a typical Microsoft deal!
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35195012
Are you actually getting that message? Seems unfamiliar to me.
Regardless, often there are no changes to make, but an oddity with SBS is you need to complete the wizard. Likely the only change you would be making is the ISP's DNS, which will be added as a forwarder.
 

Author Comment

by:aspenlife
ID: 35204206
Resetting each system that is affected. Nothing resolved the issue. Thanks for helping.
 
LVL 37

Expert Comment

by:Neil Russell
ID: 35209780
How are you resetting? What are you doing to the PC's?

You were asked for IPCONFIG details but said you couldn't supply them as you're off site. If you can't give us the info we ask for we can't be expected to help you fully. Now you're giving up on trying when you have the data available that I am asking for?

 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 250 total points
ID: 35209848
Yes ipconfig would be useful, from both a problematic PC and the server.

Just to confirm: can the server access web sites OK? And you say clients can ping an external site but not browse. That would be a DNS issue, but you say you are using the router for DNS as a proxy? Perhaps you could elaborate. In a Windows domain all servers and PCs must point ONLY to your internal DNS servers for DNS or you will have all sorts of issues. The server can use external DNS sources as forwarders, which are set up by the CEICW.
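The check Rob is asking for can be scripted once you have `ipconfig /all` output saved from a problem PC. The following is an added example, not code from the thread: it parses a constructed `ipconfig /all` dump (RFC 5737 addresses stand in for the ISP resolver, and 192.168.1.10 is assumed to be the SBS box) and flags every adapter whose DNS list contains anything other than the internal DNS server, or does not list it first.

```python
"""Audit a workstation's `ipconfig /all` output for DNS servers other than the domain's own.

Added example, not from the thread. Addresses are constructed: 192.168.1.10 is assumed
to be the SBS server, 192.168.1.1 the firewall/DNS proxy, 203.0.113.53 an ISP resolver.
"""
import re
from ipaddress import ip_address

# Constructed sample of `ipconfig /all` from a statically configured XP workstation.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS01
   Primary Dns Suffix  . . . . . . . : corp.example.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example.local
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.57
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       192.168.1.1
                                       203.0.113.53

Ethernet adapter Local Area Connection 2:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.58
   DNS Servers . . . . . . . . . . . : 192.168.1.10
"""

ADAPTER_RE = re.compile(r"^(?:\S.*? adapter )?(\S.*):\s*$")   # "Ethernet adapter X:"
KEY_RE = re.compile(r"^ {1,6}(\S.*?)[ .]* : ?(.*)$")          # "   Key . . . : value"
CONT_RE = re.compile(r"^ {8,}(\S+)\s*$")                       # deeply indented extra value


def parse_dns_servers(ipconfig_text):
    """Return {adapter name: [dns server, ...]} in the order Windows lists them."""
    servers = {}
    adapter, collecting = None, False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, collecting = m.group(1), False
            servers.setdefault(adapter, [])
            continue
        m = KEY_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            collecting = key.lower().startswith("dns servers")
            if collecting and adapter and value:
                servers[adapter].append(value)
            continue
        m = CONT_RE.match(line)          # second and later DNS servers sit on their own lines
        if m and collecting and adapter:
            servers[adapter].append(m.group(1))
    return servers


def _ip(text):
    # ipconfig appends "%scope" to link-local IPv6 servers; strip it before parsing.
    return ip_address(text.split("%", 1)[0])


def audit_dns_servers(ipconfig_text, internal_dns):
    """Flag adapters that list any server outside `internal_dns`, or that do not
    list the first internal server as their primary."""
    allowed = [_ip(a) for a in internal_dns]
    findings = {}
    for adapter, configured in parse_dns_servers(ipconfig_text).items():
        ips = [_ip(s) for s in configured]
        unexpected = [s for s, ip in zip(configured, ips) if ip not in allowed]
        primary_ok = bool(ips) and ips[0] == allowed[0]
        if unexpected or not primary_ok:
            findings[adapter] = {"configured": configured, "unexpected": unexpected,
                                 "primary_ok": primary_ok}
    return findings


if __name__ == "__main__":
    for adapter, f in audit_dns_servers(SAMPLE_IPCONFIG, ["192.168.1.10"]).items():
        print(f"{adapter}: configured={f['configured']} unexpected={f['unexpected']} "
              f"primary_ok={f['primary_ok']}")
```

Run it against `ipconfig /all > ws01.txt` captured from the static and the DHCP state of the same PC; any adapter reported with an `unexpected` entry is one the thread's advice says to fix, and `primary_ok` being false is the ordering case Rob describes next.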
 

Author Comment

by:aspenlife
ID: 35219268
Both of you guys got it. I was able to use the firewall before as a DNS along with the SBSvr IP but not any longer. For some reason it worked before but now I can only have the IP of the server internally. Works fine as long as that's the only IP. Thanks for all the help!
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35219363
Thanks aspenlife.
The issue is DNS doesn't work as you would expect. One would think with the server as the primary and your router as the alternate, if the server is offline it will default to the alternate. However, DNS makes requests from both and works with the first one to respond. As a result, if the SBS is not first, and it often isn't, the PC will attempt to resolve local names through the ISP, and of course cannot. Eventually it times out, and should then try the server, but may not.
 

Author Comment

by:aspenlife
ID: 35219808
Makes sense now! Thank you RobWill!
 
LVL 37

Expert Comment

by:Neil Russell
ID: 35221438
Sorry RobWill but you are VERY wrong on that! It is a common misunderstanding in how Windows and DNS works.

I'll quote you on Windows XP...

There's a good series of flowcharts on the low-level behaviour of the Windows XP DNS client here: http://technet.microsoft.com/en-us/library/bb457118.aspx
I'm not finding the same level of documentation for the Windows Vista and newer resolvers, though I'd expect that it's in the resource kit (since those get rev'd for each new release of Windows).

(I am simplifying this a little bit... you really should read the article if you want to know how it actually works because the logic is a bit complicated.)

The XP DNS client attempts each name resolution request through the primary DNS server specified on the primary network adapter first. If that times out (in one second) it attempts the same query on each adapter in the machine using the primary DNS server specified on each adapter, all at once, waiting 2 seconds for each response. If there's no response there then it sends out a request to all DNS servers specified on all adapters and waits 4 seconds. It does this again, waiting 8 seconds, and then returns timeout if it still hasn't received a response (and will continue to return timeout for the next 30 seconds w/o issuing any new queries).


So as you can see, DNS ONLY uses the PRIMARY DNS server IF that responds. The ONLY time that the secondary is used is if the primary DNS on ALL NICs in the machine fails to respond, i.e. times out.

Once a DNS response is gained from the primary DNS, regardless of what that response is, the secondary is NEVER queried.

(Extracts from http://serverfault.com/questions/52923/when-does-a-windows-client-stop-using-a-secondary-dns-server-and-revert-back-to-p)
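The staged behaviour quoted above (primary on the primary adapter for 1 s, then every adapter's primary for 2 s, then every server for 4 s and again for 8 s, first answer wins) is easy to model, and the model shows why both posters see what they see. The block below is an added example written for this page, not Microsoft's resolver and not code from the thread; it implements only the simplified stages as quoted (the 30-second negative cache is left out), and the server addresses, zone names and latencies are constructed. With a healthy SBS the ISP server is never asked; with an SBS that answers in 2.5 s or not at all, the ISP resolver wins stage three with NXDOMAIN for the internal name while public names still resolve, which is the "can ping IPs, can reach one or two sites" symptom.

```python
"""Model of the Windows XP DNS client's server-selection stages as described in the thread.

Added example, not from the thread or from Microsoft. Only the simplified stages quoted
above (1 s / 2 s / 4 s / 8 s) are modelled; addresses, names and latencies are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DnsServer:
    address: str
    latency: Optional[float]      # seconds to answer any query; None = never answers
    zones: Dict[str, str]         # names it can answer; everything else gets NXDOMAIN

    def answer(self, name: str) -> str:
        return self.zones.get(name, "NXDOMAIN")


@dataclass
class Adapter:
    name: str
    servers: List[DnsServer]      # configured order: primary first


@dataclass
class Resolution:
    name: str
    server: Optional[str]         # address that answered, None on timeout
    answer: str                   # "NXDOMAIN", "TIMEOUT" or the record data
    elapsed: float                # seconds until the client had a result
    stage: str                    # which stage of the algorithm produced it


def resolve(adapters: List[Adapter], name: str) -> Resolution:
    """Walk the quoted stages; at each stage the first server to answer wins,
    whatever it answers, and later stages never run."""
    everything = [s for a in adapters for s in a.servers]
    stages = [
        ("primary server on primary adapter", [adapters[0].servers[0]], 1.0),
        ("primary server on every adapter", [a.servers[0] for a in adapters], 2.0),
        ("every server on every adapter", everything, 4.0),
        ("every server on every adapter (retry)", everything, 8.0),
    ]
    elapsed = 0.0
    for stage, servers, timeout in stages:
        responders = [s for s in servers if s.latency is not None and s.latency <= timeout]
        if responders:
            winner = min(responders, key=lambda s: s.latency)
            return Resolution(name, winner.address, winner.answer(name),
                              elapsed + winner.latency, stage)
        elapsed += timeout        # nobody answered in time; fall through to the next stage
    return Resolution(name, None, "TIMEOUT", elapsed, "gave up")


# Constructed environment: an SBS server (assumed 192.168.1.10) that knows the internal
# zone and forwards the rest, and an ISP resolver (RFC 5737 address) that knows only
# public names. The public address 192.0.2.80 is likewise made up.
INTERNAL = "sbs.corp.example.local"
EXTERNAL = "www.example.com"


def workstation(sbs_latency: Optional[float]) -> List[Adapter]:
    sbs = DnsServer("192.168.1.10", sbs_latency,
                    {INTERNAL: "192.168.1.10", EXTERNAL: "192.0.2.80"})
    isp = DnsServer("203.0.113.53", 0.03, {EXTERNAL: "192.0.2.80"})
    return [Adapter("Local Area Connection", [sbs, isp])]   # SBS primary, ISP secondary


def demo() -> Dict[str, Resolution]:
    return {
        "healthy SBS, internal name": resolve(workstation(0.05), INTERNAL),
        "slow SBS (2.5 s), internal name": resolve(workstation(2.5), INTERNAL),
        "SBS down, internal name": resolve(workstation(None), INTERNAL),
        "SBS down, external name": resolve(workstation(None), EXTERNAL),
    }


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:33} -> {r.answer:13} from {r.server} after {r.elapsed:.2f}s ({r.stage})")
```

Note that in the "slow SBS" case the SBS would have answered correctly in stage three as well; it loses only because the ISP resolver is faster, and the client keeps the NXDOMAIN it got. Removing the ISP server from the workstation leaves the client waiting on the SBS instead, which is the configuration both experts recommend.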
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35222080
It would be very nice if it actually worked that way. I know that is the concept, but I am afraid in reality it doesn't. There are literally thousands of questions answered here outlining that an external secondary must be removed in a Windows domain because the response is frequently received from it first. If you search for "10 things that will break DNS in your network" it is the #1 item.
 
LVL 37

Expert Comment

by:Neil Russell
ID: 35222703
It does work that way! It breaks DNS because if the response is not received from the primary before the 1s timeout then the secondary is used. DNS can not reply for 101 reasons, not just because it is down. That is the cause of most DNS issues.