afreemancube
Help with DNS server DCDIAG errors

All, I ran some tests on my DNS server and got some errors that I could use some help putting into English, or maybe a suggestion to help fix them.
I am going to attach the output. The IP addresses the report says it can't resolve are my ISP's DNS servers. Internet and everything is working,
except I keep getting some random delays on emails being sent. Multiple domains, and it doesn't happen all the time. Mostly when I have carbon copies running
is when I get most of the delays.
dcdiagtestio05032011.txt
James

Open the command prompt and type DCdiag /fix and press enter. Then run DCdiag again and examine the output and please post the result of both.


Regards,

JBond2010
ewkelly
And don't forget to "net stop netlogon" and "net start netlogon" to apply changes after DCDIAG /fix.
Are 216.136.95.2 and 64.132.94.250 your ISP DNS? Looks like you have configured them on the NIC on the DC.

You should never have public DNS on the NIC. Only internal (if that is the case).
You should NOT be using DNS forwarders. Configure your server as a root server. Delete the forwarders from the DNS server and make sure you have root hints (basically just make sure the root hints tab isn't blank).
afreemancube
Wow, great comments. Let me start up top.

1. I ran the dcdiag test, and passed all the tests. Then I restarted and ran the dcdiag again; looks like the same failures. Attaching the file that has both tests.

2. Yes, 216.136.95.2 and the other is my ISP's DNS. I do have them on my DNS server NIC, but as secondary DNS. I have the first DNS pointing to itself. Then I have a www record with 216.136.95.2 on it.

3. Burners, not sure about what you mean on the DNS forwarders.

Lastly, if I remove the ISP's IP addresses from the NICs, I guess that will resolve that error?
DNSfix-and-second-TEST.txt
Open DNS and right click on your server name and select Properties.

Go to the Root Hints tab and make sure it's not empty.
Go to the Forwarders tab and delete anything in there; it should be empty unless for very specific reasons which don't meet your situation.

Now edit your local interface NIC properties and change the DNS servers to 127.0.0.1 and leave the second field empty unless you have another INTERNAL DNS server.
All the workstations on your network should ONLY point to your main DNS server and any other INTERNAL servers you have.
From there your DNS server uses the ROOT HINTS to resolve the addresses.
LOL: This is an occasion where almost every expert on the thread is correct.

Please read this for DNS familiarity:
https://www.experts-exchange.com/Networking/Protocols/DNS/A_323-DNS-Troubleshooting-made-easy.html

You have multiple problems (all addressed by the experts above). So, let's consolidate the issues:
1) You have an outside server listed on the NIC as a preferred or alternate DNS server.
2) Your ISP may be rejecting DNS as a forwarding server, so you might change your DNS forwarders to 8.8.8.8 and 8.8.4.4 (Google).
3) You will probably want to go into DHCP scope options and make sure you don't have any outside DNS servers listed. DHCP will pass down preferred and alternate DNS servers to DHCP clients.
4) As stated above, NO OUTSIDE DNS servers should be listed on ANY NICs. They are found on your DNS forwarders. To get to the DNS Forwarders tab:
---1. Open the DNS snap-in.
---2. In the console tree, click the applicable Domain Name System (DNS) server (DNS/applicable DNS server).
---3. On the Action menu, click Properties.
---4. On the Forwarders tab, click Edit.

>>Please do not accredit me for this solution because I am only agreeing with the techs that gave you the answers.

AGAIN, all great comments. I will list the steps I took below...

1. Removed external DNS from the NIC of my DNS server.
2. I added external DNS (TWTELECOM) DNS and the 8.8.8.8 (Google?) to my forwarders in DNS Properties.
3. Verified that I had a bunch of IP addresses in root servers.
4. Verified that DHCP DNS is pointing to my internal DNS server only.
5. Ran DCDIAG /fix and it completed successfully!!
6. Ran DCDIAG /test:DNS and it completed SUCCESSFULLY!!!! I am attaching the text file of the report.

Can you review it and make sure it all looks good? Well done, all of you. Not sure how or who gets the points. I did all the steps, I believe.
DNSfix-and-third-TEST.txt
Looks great, thanks for getting back to us.
"2. I added external DNS (TWTELECOM) DNS and the 8.8.8.8 (Google?) to my forwarders in DNS Properties"

INCORRECT, you shouldn't have anything in your DNS forwarders. IT SHOULD BE EMPTY.

The server uses the root hints to do lookups.
Burners, it was able to pass the tests. Would having forwarders and root hints mess anything up? How does it work? If a request goes to the DNS server, does it look at the forwarder first or the root hint? Is there somewhere that I designate which to hit first? Also, there are a lot of root hints listed. Is there any particular one that I need or don't need? Also, what is the difference of having 127.0.0.1 as my primary DNS server rather than the IP address of the internal server? Is the 127.0.0.1 what points to the hints?
@ burner, this is incorrect, what you're saying. You have a choice of how you want DNS to handle external requests. You can use either Root Hints or Forwarding.
The preferred DNS is for the primary DNS Server on your LAN, so this would be the IP address of a Domain Controller that is performing DNS resolution requests. Alternate DNS Server is when you have a second Server also running the DNS Role and is there for Fault Tolerance and Redundancy. So, should the preferred DNS Server crash you have the Alternate DNS Server in place.

You should never use the Public DNS Server IP addresses of your ISP for internal DNS Resolution. Check the DHCP Scope Options and make sure to remove the ISP Public DNS Server IP address.

When you have this done, then open DNS Management Console and right click on server node name and select clear cache.

Then open the command prompt and type ipconfig /flushdns and press enter, then type ipconfig /registerdns. Verify if you are using Root Hints or Forwarders.

If you want you can use Forwarders to forward external name resolution requests to your ISP and this is where you would add the Public DNS IP Address of your ISP and then your ISP would be handling your external queries. Or you can use Root Hints.

I agree with JBond2010:
I'm just stating best practices. You should keep all of the Root Hints; using the Root Hints will speed up lookups because it's going right to the root hints vs. going to your ISP, then to their DNS servers, then to the Root Hints.

It's all about reducing hops.

Using 127.0.0.1 or the internal address in DNS makes no difference; 127.0.0.1 just means loopback address.
Understood. I'm all about best practice and you guys have been right so far.
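The consolidated checklist above (no outside DNS on the NIC, forwarders vs. root hints, DHCP scope option 006) and the question of which path the server tries first can both be checked from one script. The following PowerShell audit is an added example, not something posted in this thread and not Microsoft's own tooling; it assumes the DnsServer and DhcpServer modules that ship with Windows Server 2012 and later (the thread's 2008-era server would need the GUI steps instead), and the function name Test-InternalAddress is my own. On a Windows DNS server, configured forwarders are queried first; root hints are used only when no forwarder is configured or, if the "Use root hints if no forwarders are available" option (the UseRootHint property below) is on, when the forwarders do not answer.

```powershell
# Added example: audit a DC's DNS configuration against the thread's advice.
# Assumes the DnsServer and DhcpServer modules (Windows Server 2012+);
# run in an elevated PowerShell session on the domain controller.

# Treat RFC 1918 ranges and loopback as "internal"; anything else on a NIC
# is an outside DNS server. IPv6 addresses are not assessed by this check.
function Test-InternalAddress {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $true }
    $b = $ip.GetAddressBytes()
    return (
        ($b[0] -eq 127) -or
        ($b[0] -eq 10) -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168)
    )
}

$findings = @()

# 1) Preferred/alternate DNS on each NIC must be this server (127.0.0.1 or its
#    own address makes no difference) or another INTERNAL DNS server.
foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($srv in $iface.ServerAddresses) {
        if (-not (Test-InternalAddress $srv)) {
            $findings += "NIC '$($iface.InterfaceAlias)' lists outside DNS server $srv"
        }
    }
}

# 2) Forwarders: report what is set and whether root hints are the fallback.
#    Forwarders are always tried before root hints when present.
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress) {
    $list = ($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', '
    $findings += "Forwarders configured: $list (tried first; fall back to root hints = $($fwd.UseRootHint))"
} else {
    $findings += "No forwarders configured; external lookups go straight to the root hints"
}

# 3) Root hints must not be empty, or the server cannot resolve outside names
#    on its own.
$hints = @(Get-DnsServerRootHint)
if ($hints.Count -eq 0) {
    $findings += "ROOT HINTS TAB IS EMPTY - external resolution depends entirely on forwarders"
} else {
    $findings += "$($hints.Count) root hint servers present"
}

# 4) DHCP option 006 (DNS Servers), server-wide and per scope: clients should
#    receive only internal DNS servers.
if (Get-Command Get-DhcpServerv4OptionValue -ErrorAction SilentlyContinue) {
    $targets = @(@{ Label = 'DHCP server options'; Params = @{} })
    foreach ($scope in Get-DhcpServerv4Scope) {
        $targets += @{ Label = "DHCP scope $($scope.ScopeId)"; Params = @{ ScopeId = $scope.ScopeId } }
    }
    foreach ($t in $targets) {
        $p = $t.Params
        $opt = Get-DhcpServerv4OptionValue -OptionId 6 @p -ErrorAction SilentlyContinue
        if ($opt) {
            foreach ($srv in $opt.Value) {
                if (-not (Test-InternalAddress $srv)) {
                    $findings += "$($t.Label) hands out outside DNS server $srv"
                }
            }
        }
    }
}

$findings | ForEach-Object { Write-Output $_ }

# After correcting anything reported, confirm with the thread's own checks:
#   dcdiag /fix
#   dcdiag /test:dns
```

Each reported line maps to one item in the checklist, so the output can be read top to bottom and compared with the Root Hints and Forwarders tabs in the DNS console. Only IPv4 resolver addresses are examined, which matches the settings discussed in the thread.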

Thanks!!
Well done everyone and very quickly resolved.  I do appreciate the assistance.
@ afreemancube, you're welcome :)