  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1213

SBS2003 DNS Forwarding not working

I have a strange fault with a SBS2003 box at a customer's site. Internal DNS works fine, no issues there at all, but external name resolution fails if there are any forwarders added into the DNS server setup. It works using its root hints (which I've updated to the latest) but as soon as you add OpenDNS or the ISP's DNS servers as forwarders it starts to fail, although not 100% of the time. Really strange, looks to me like a DNS redirector at work, but virus scans in safe mode have found nothing.

Any Ideas?
Asked by: plug1

1 Solution
 
PapertripCommented:
Can you provide some nslookup outputs from when it fails and when it does not?
0
 
plug1Author Commented:
There's not much to show you, it either works or it fails. I'm going to do a Wireshark on it.
0
 
Michael OrtegaSales & Systems EngineerCommented:
Try google's name server - 8.8.8.8

Perhaps it's a problem with the ISP's or OpenDNS' name servers.

MO
0
 
ChiefITCommented:
Some of the root hints servers that were provided are no longer working. You might switch to google's DNS servers as a forwarder. These are known good servers. But, in order for forwarders to work, you have to enable recursive lookups...

8.8.8.8
8.8.4.4
0
 
plug1Author Commented:
Cheers, tried Google's name servers, same problem. It's not an external problem, it's something on this server as far as I can tell.
0
 
ChiefITCommented:
Please provide the output from: DCdiag /test:DNS
0
 
plug1Author Commented:


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\MAINSERVER
      Starting test: Connectivity
         ......................... MAINSERVER passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\MAINSERVER

DNS Tests are running and not hung. Please wait a few minutes...
   
   Running partition tests on : ForestDnsZones
   
   Running partition tests on : DomainDnsZones
   
   Running partition tests on : Schema
   
   Running partition tests on : Configuration
   
   Running partition tests on : culleymcalpine
   
   Running enterprise tests on : culleymcalpine.local
      Starting test: DNS
         Test results for domain controllers:
           
            DC: mainserver.culleymcalpine.local
            Domain: culleymcalpine.local

                 
               TEST: Forwarders/Root hints (Forw)
                  Error: Forwarders list has invalid forwarder: 208.67.220.220 (<name unavailable>)
                  Error: Forwarders list has invalid forwarder: 208.67.222.222 (<name unavailable>)
                  Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
                  Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server: g.root-servers.net. (192.112.36.4)
                  Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
                  Error: Root hints list has invalid root hint server: k.root-servers.net. (193.0.14.129)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (199.7.83.42)
                  Error: Root hints list has invalid root hint server: m.root-servers.net. (202.12.27.33)
                 
               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure culleymcalpine.local.
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
               
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
               
            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
               
            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
               
            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
               
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
               
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
               
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
               
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
               
            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
               
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
               
            DNS server: 199.7.83.42 (l.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.83.42
               
            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
               
            DNS server: 208.67.220.220 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 208.67.220.220
               
            DNS server: 208.67.222.222 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 208.67.222.222
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: culleymcalpine.local
               mainserver                   PASS PASS FAIL PASS WARN PASS n/a  
         
         ......................... culleymcalpine.local failed test DNS
0
 
Michael OrtegaSales & Systems EngineerCommented:
You change anything recently?

Can you try a  telnet test for your dc to google's nameserver on port 53?

Example: telnet 8.8.8.8 53

See if you can make the connection consistently.

MO
0
 
plug1Author Commented:
It's a new customer's server so I have no idea what's led up to this. I can telnet out on port 53 no problem, it just sits with a blinking cursor, if that sounds right.
0
 
Michael OrtegaSales & Systems EngineerCommented:
Yeap. So the gateway/firewall isn't blocking outbound DNS traffic. Now that I'm looking at the results of the DCDIAG it's obvious you have some DNS issues on that SBS itself. Try a DCDIAG with the fix switch. Also can you run a NETDIAG and post results?

MO
0
 
plug1Author Commented:



    Computer Name: MAINSERVER
    DNS Host Name: mainserver.culleymcalpine.local
    System info : Microsoft Windows Server 2003 (Build 3790)
    Processor : x86 Family 6 Model 30 Stepping 5, GenuineIntel
    List of installed hotfixes :
        KB911564
        KB911565
        KB917734_WMP9
        KB923561
        KB925398_WMP64
        KB925902
        KB927891
        KB929123
        KB930178
        KB931768
        KB931784
        KB931836
        KB932168
        KB933854
        KB935966
        KB936357
        KB938127
        KB938127-IE7
        KB938464-v2
        KB941569
        KB942830
        KB942831
        KB943055
        KB943460
        KB944338-v2
        KB944653
        KB945553
        KB946026
        KB950762
        KB950974
        KB951066
        KB951748
        KB952004
        KB952069
        KB952954
        KB954550-v5
        KB954600
        KB955069
        KB955839
        KB956572
        KB956802
        KB957097
        KB958644
        KB958687
        KB958690
        KB959426
        KB960225
        KB960803
        KB961063
        KB961373
        KB967715
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection 3

        Netcard queries test . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{7AADA4FF-C3A8-4EF2-884E-42738268C96C}
    1 NetBt transport currently configured.


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.0.2'.
       [WARNING] The DNS entries for this DC cannot be verified right now on DNS server 192.168.0.254, ERROR_TIMEOUT.


The command completed successfully
0
 
Michael OrtegaSales & Systems EngineerCommented:
Can you post an output for ipconfig /all on your DNS server? The primary DNS on your DNS server should be its private IP or 127.0.0.1.

MO
0
 
ChiefITCommented:
DNS fails because your ISP's DNS and the root hints are not seen as valid servers.

Again, as a test, put in 8.8.8.8, and 8.8.4.4 within forwarders and ENABLE recursive lookups.

Error: Forwarders list has invalid forwarder: 208.67.220.220 (<name unavailable>)
Error: Forwarders list has invalid forwarder: 208.67.222.222 (<name unavailable>)
Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
Error: Root hints list has invalid root hint server: g.root-servers.net. (192.112.36.4)
Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
Error: Root hints list has invalid root hint server: k.root-servers.net. (193.0.14.129)
Error: Root hints list has invalid root hint server: l.root-servers.net. (199.7.83.42)
Error: Root hints list has invalid root hint server: m.root-servers.net. (202.12.27.33)
0
 
plug1Author Commented:
ChiefIT, it does the exact same with 8.8.8.8 and 8.8.4.4. I know it's failing because it doesn't see these as valid, I just need to find out why. These servers are valid and I use them at all my sites, which is strange.
0
 
Michael OrtegaSales & Systems EngineerCommented:
Please post ipconfig /all from your server.

MO
0
 
Michael OrtegaSales & Systems EngineerCommented:
What device on your network is 192.168.0.254... or used to be that IP?

MO
0
 
plug1Author Commented:
192.168.0.254 is the default gateway, it's a router. I did wonder why it's mentioned in the DNS error.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : mainserver
   Primary Dns Suffix  . . . . . . . : culleymcalpine.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : culleymcalpine.local

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 78-2B-CB-06-83-47
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.254
   DNS Servers . . . . . . . . . . . : 192.168.0.2

0
 
Michael OrtegaSales & Systems EngineerCommented:
Interesting. I would've almost bet that the router's IP was listed as a DNS server, but it's obviously not. Not sure why the NETDIAG tried to run a DNS test against that IP. Check your DNS settings in the DNS MMC. What interfaces/IPs is your DC listening on? It should just be 192.168.0.2.

MO
0
 
Michael OrtegaSales & Systems EngineerCommented:
You can try and restore root hints to its original state:

1. If it is running, quit the DNS MMC snap-in. At a command prompt, type net stop dns, and then press ENTER.
2. After the DNS Server Service stops, type copy %systemroot%\system32\dns\samples\cache.dns %systemroot%\system32\dns, and then press ENTER. Note that if you are prompted to overwrite an existing file, type y, and then press ENTER.
3. Start the Active Directory Users and Computers MMC snap-in. Click Advanced Features on the View menu.
4. Expand the System folder, expand MicrosoftDNS, right-click RootDNSServers, and then click Delete.
5. Click Yes when you are prompted to delete this object, and then click Yes again when you are prompted to delete this object and the objects it contains.
6. Quit the Active Directory Users and Computers MMC snap-in.
7. At the command prompt, type net start dns, and then press ENTER. Exit the command prompt.
8. Start the DNS MMC snap-in, and then verify that the root servers appear on the Root Hints tab in the server properties.
9. Start the Active Directory Users and Computers MMC snap-in, and then verify that the RootDNSServers container has been recreated and contains the root servers that were listed in the DNS Manager. If multiple domain controllers exist that are running DNS, the new root hints are automatically replicated.

MO
0
 
plug1Author Commented:
I've already completely removed DNS, uninstalled it, re-installed it and reconfigured it. Still the same issue, probably should have mentioned that.
0
 
plug1Author Commented:
Sorry, it's also only listening on 192.168.0.2.
0
 
ChiefITCommented:
OK, let's try an NSlookup to a site you normally don't use, hence not cached on the server:

Try, on the server:
NSlookup www.metacrawler.com

Metacrawler is a search engine and should be a public IP of 67...

If this doesn't resolve and only resolves to your gateway/router it means your router is blocking DNS. I doubt an ISP would block DNS.
-------------------------------------------------------------------------
Another thing you can try is to reset DNS:

DCdiag /Fix:DNS
or is that a pipe:
DCdiag /fix|dns
0
 
ChiefITCommented:
Oh, yah:

Netdiag /fix
0
 
Rob WilliamsCommented:
Following up with ChiefIT's suggestion: "it means your router is blocking DNS". Might you have a router with a licensing limit and you have exceeded the limit? For example a Cisco router can be bought with 10 licenses. The 11th device that tries to access services on the Internet through the router will be blocked. The 'counter' can be reset with a reboot of the router.
0
 
Michael OrtegaSales & Systems EngineerCommented:
RobWill, that's a good one, but wouldn't the server be the one providing the resolution? I'm sure if the server can provide the resolution for one it should do it for all. Presumably it still has the same internet access license provided by the firewall/gateway. I could see where the domains are resolving fine, but the client can't get ping replies or simply access the site because the client itself doesn't have an available license.

I don't believe that the firewall or the ISP is blocking DNS traffic, because in an earlier post I suggested testing that with a simple telnet test. The result was a telnet to an external nameserver on port 53 was successful.

MO
0
 
ChiefITCommented:
DNS is performed by the server on behalf of the client only if recursive lookups are enabled (RECURSION). On an iterative query the server will tell the client to go seek a root hint server all by itself. This is why recursive lookups are necessary if you choose to use forwarders rather than root hints servers. Your root hints servers don't work because the list of root servers is out of date, as seen in the DCDiag /test:DNS....

Even so, if there are not enough licenses on the router to allow computers through the router, the DNS server might provide DNS resolution through a recursive lookup, BUT you still will not be able to communicate with the outside using the client. The server only provides an IP for DNS, then the client is expected to communicate after that even using tools like PING or trace route. So, if you have the default of 10 licenses on the router, then only 10 computers can communicate to the outside world. One appears to be the server?????

@ROB: Thanks for reminding me that some routers have limited licenses. I always seem to forget that when troubleshooting these types of things. I have seen a router licensing problem about five times. As soon as I saw it mentioned, I wanted to beat the head on the table a couple times.

0
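To turn the two points above into a repeatable check: the dcdiag output earlier in this thread probes each forwarder and root hint with a PTR query for 1.0.0.127.in-addr.arpa, and ChiefIT's point is that a forwarder is only useful if it will recurse for you. The script below is an added example, not code from this thread or from dcdiag; it uses only the Python standard library, and the "usable" criteria it applies (response matches our transaction id, RA flag set, rcode NOERROR or NXDOMAIN) are my own assumptions rather than dcdiag's exact logic.

```python
"""Probe candidate DNS forwarders with the same recursive PTR query dcdiag uses
(1.0.0.127.in-addr.arpa) and report whether each one answers as a recursive
resolver. Added example; standard library only."""
import socket
import struct

PTR_NAME = "1.0.0.127.in-addr.arpa"
QTYPE_PTR = 12
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels (length byte + label, then 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_query(txid: int, name: str = PTR_NAME) -> bytes:
    """Build a standard query with RD=1, i.e. we ask the forwarder to recurse."""
    flags = 0x0100  # QR=0, OPCODE=0 (QUERY), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at pos."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer is 2 bytes and ends the name
            return pos + 2
        pos += 1 + length


def classify_response(data: bytes, txid: int) -> dict:
    """Decode the reply header and decide whether this looks like a usable forwarder.

    Usable here means: it is a response (QR=1) to our query (id matches), it
    advertises recursion (RA=1), and the rcode is NOERROR or NXDOMAIN rather
    than SERVFAIL/REFUSED. A server that answers with RA=0 would behave like
    the 'invalid forwarder' entries in the dcdiag output.
    """
    if len(data) < 12:
        return {"usable": False, "reason": "truncated header"}
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return {"usable": False, "reason": "transaction id mismatch"}
    qr, ra, rcode = bool(flags & 0x8000), bool(flags & 0x0080), flags & 0x000F
    rcode_name = RCODE_NAMES.get(rcode, str(rcode))
    # Walk past the echoed question section, then count answer RRs actually present.
    pos = 12
    for _ in range(qd):
        pos = skip_name(data, pos) + 4  # + QTYPE + QCLASS
    answers = 0
    for _ in range(an):
        pos = skip_name(data, pos)
        if pos + 10 > len(data):
            break  # answer section cut short; count what we saw
        _type, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10 + rdlen
        answers += 1
    result = {"qr": qr, "ra": ra, "rcode": rcode_name, "answers": answers}
    if not qr:
        result.update(usable=False, reason="not a response")
    elif not ra:
        result.update(usable=False, reason="recursion not available (RA=0)")
    elif rcode not in (0, 3):
        result.update(usable=False, reason="rcode %s" % rcode_name)
    else:
        result.update(usable=True, reason="ok")
    return result


def probe_forwarder(server: str, timeout: float = 3.0, txid: int = 0x1234) -> dict:
    """Send the query to server:53 over UDP and classify the reply (needs network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_ptr_query(txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return {"usable": False, "reason": "timeout (UDP/53 filtered or server down)"}
    finally:
        sock.close()
    return classify_response(data, txid)


if __name__ == "__main__":
    import sys
    # Default targets are the two addresses suggested in this thread.
    for server in sys.argv[1:] or ["8.8.8.8", "8.8.4.4"]:
        print(server, probe_forwarder(server))
```

Run it from the server itself so the probe takes the same path as the DNS service's forwarding; a timeout on every target points at the gateway, while RA=0 or REFUSED points at the chosen forwarder.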
 
Michael OrtegaSales & Systems EngineerCommented:
ChiefIT???

So we know that Root Hints are screwy, but I thought we've made several attempts to use forwarders, hence recursion. The forwarders don't work either. My understanding is that the client doesn't even get resolution. Again, nothing to do with the firewall licensing unless the server itself is being blocked by the firewall/gateway because all licenses are in use by other hosts on the network. On yet another note, I believe a telnet test was performed from the client to an external address. This worked. Again, not a firewall/gateway licensing issue affecting the client system in question.

If you really think this is the issue plug1 can simply log into his firewall and check. I could be wrong, but I just don't think this is the problem. The evidence provided in tests above don't add up to a firewall licensing issue in my opinion.

MO
0
 
Michael OrtegaSales & Systems EngineerCommented:
Plug1, how about getting on the client system and manually assigning 8.8.8.8 as the primary DNS server? Test browsing and resolution to external hosts, e.g. yahoo.com, google.com, etc. This will take the server out of the picture completely just to determine if the problem is related to something on that client system or your firewall/gateway appliance.

MO
0
 
Michael OrtegaSales & Systems EngineerCommented:
--- recall last two messages ---

Can I do that?

My apologies guys. I was with the assumption that you were talking about the client not having an access license. Now I realize that you were most likely referring to the server itself.

I reviewed the original post and it was root hints that were working and forwarders that were not. I thought neither were working.

I lean towards the firewall licensing issue as well. If the server is without an access license the problem does make sense. As RobWill suggested and ChiefIT concurred, I would power cycle the firewall or log in and reset the license count manually.

Sorry about that.

MO
0
 
Rob WilliamsCommented:
@ mgortega
Yes the SBS provides DNS services, however in a power outage with 11 devices on the network (assuming 10 licenses) there is a 90% chance they will come back online in the following order, due to time required to boot: router, 10 other devices, server. If the server is last it loses Internet access, and can therefore not do DNS lookups, and all devices lose public DNS. As ChiefIT said it's not common but very frustrating when you realize that is what happened.

Maybe test if the router is blocking with
telnet 8.8.8.8 53
If you get a blank screen with a flashing cursor DNS is allowed to pass, if you get an error or it times out, DNS is blocked and likely has nothing to do with DNS configuration.
0
 
Michael OrtegaSales & Systems EngineerCommented:
RobWill, I follow you on that. Again, I was thinking in terms of the client itself not having an access license as opposed to the server. I think the scenario you provided above is possible, but just not very common for our networks. The server is typically on some kind of smart battery backup and usually is the first device to turn back on when power is restored. If any device gets an access license it's typically the server first, and then as users make their way into the office and fire up their machines, well, it's first come first served for them. Of course we make sure we have the appropriate licensing to avoid this.

Just for clarification you want the telnet test to be performed from the server, correct?

MO
0
 
plug1Author Commented:
Feel like I've been missing out on the party here!

To recap and clarify, the server does resolve DNS when using the root hints; it takes a while but generally works 90% of the time. When you add a forwarder it drops to about 10% of the time but again occasionally works. DNS isn't being blocked by the router or ISP and it's not a licensing issue as it's a DrayTek router. I've already tested the telnet to port 53 and it works fine. Any other ideas out there?
0
 
Michael OrtegaSales & Systems EngineerCommented:
Now that we've overcome the mystery of router/gateway access licenses can you manually assign a public DNS server to a client computer and provide some feedback on the resolution and browsing experience? You can try one of google's nameservers - 8.8.8.8.

MO
0
 
Michael OrtegaSales & Systems EngineerCommented:
If that client machine has resolution or browsing issues even with using manual external DNS can you try at least one of client machine?

MO
0
 
Rob WilliamsCommented:
@mgortega: Agreed, very uncommon but easy to test. Apparently based on last reports it is not an issue here.
Curious though as to how you control "The server...........is the first device to turn back on in the event of restored power failure." All PCs are on UPSs with delayed startups?
0
 
plug1Author Commented:
The clients all browse fine using public DNS servers, that's how I'm working around it for the time being. I need to resolve it so that I can install web proxy software.
0
 
Michael OrtegaSales & Systems EngineerCommented:
@RobWill, not sure if this is the best stage for continuing this conversation, but to satisfy your question, we do not use smart UPSs on the desktops. They are not a critical component of the network and so we don't invest in ensuring their "uptime". They do not auto-restart on restored power. The battery backups at the desktop level are there to deal with power fluctuations/anomalies in order to preserve the hardware. They provide some uptime in the event of a power failure so productivity can be saved. They also shut down the PCs gracefully. The server, for obvious reasons, is set up to start back up after power is restored. I hope that's an adequate explanation.

@plug1, as I suspected, and I'm sure you agree, the problem is when DNS is dependent on the server - either with iterative or recursive DNS queries. The focus, I believe, needs to be back on resolving those issues on the server.

Taking the client machine completely out of the equation, the server should be able to pass some basic simple and recursive query tests. If you go to the DNS MMC, on the Monitoring tab you'll find a couple of DNS tests you can run. Can you run both the simple and recursive tests to see if you get a "Pass" for both? Please report results.

MO
0
 
Michael OrtegaSales & Systems EngineerCommented:
Any DNS log errors to report?

MO
0
 
plug1Author Commented:
@mgortega - Both pass and no errors in the DNS log.

For the record, to me it sounds like malware of some sort, a DNS redirector type thing, but god knows how to find that.
0
 
Michael OrtegaSales & Systems EngineerCommented:
But it sounds like it's limited to your server. Check the usual suspects, e.g. hosts file, etc. I would also run an AV or malware removal tool scan. You can try Hitman Pro or Malwarebytes.

MO
0
 
plug1Author Commented:
Already checked the hosts file and ran 2 AV scans. I've kind of covered every base before I came on here, this is my last-chance saloon.
0
 
Michael OrtegaSales & Systems EngineerCommented:
Any significant packet loss or latency when pinging from the server to an external IP - 8.8.8.8?

MO
0
 
Michael OrtegaSales & Systems EngineerCommented:
You try something other than a traditional AV scan, e.g. Malwarebytes or Hitman Pro? Both can be run in normal startup mode. No need to run in safe mode unless they find something and can't fully remove it in normal mode.

MO
0
 
plug1Author Commented:
No packet loss at all. I've run Malwarebytes and McAfee, both come up blank.
0
 
ChiefITCommented:
The quickest way to rule out a DNS server is to take a client and manually configure the preferred and alternate DNS as 8.8.8.8 and 8.8.4.4. Then, see if you have DNS through the firewall/router from that client. You see, if the client doesn't have the web site cached it will seek an answer from the preferred server (in this case google's dns servers)...

If DNS is a problem on your SBS server, I do know of some issues that can knock down DNS from the server. One is using Service pack 1, where you can intermittently get DNS knocked down. But the DNS service will be not started when this happens. Sometimes in event logs you will see error 5719, (sometimes not).. Service pack 1 has a coding error in the MTU channel and causes intermittent communications. It can cause problems with DHCP as well.

So, let's get back to some basic troubleshooting. Bypass the server and use the client. Is the server acting a fool too? If the entire network seems to be intermittent, we should check switch to router protocols and connectivity. If the server is multihomed, this would also cause an issue. So many things can cause intermittent communications.
0
 
ChiefITCommented:
Warning: Don't forget to set DNS back to the server, or the client will suffer no domain features that rely upon DNS, including logging onto the domain..
0
 
plug1Author Commented:
ChiefIT, if you read back a bit you'll see I've already done all of this. All clients work fine using external DNS servers, all basic troubleshooting has been done. I'm interested in the SP1 issue you mention though.
0
 
Rob WilliamsCommented:
Just to go off on a different tangent, and grasp at straws. There were two SBS updates that cause DNS to be blocked in a few cases. What would happen is after a reboot other services that use random ports would occasionally grab required ports that they were not allowed to do so prior to the update. In a few cases this blocked DNS. According to the article (below) it could cause DNS to fail to start. In the two cases where I ran into this DNS was running but it could not resolve external queries. If you rebooted the server you had a reasonable chance of restoring order. The solution, as per the article, is to reserve specific ports in the registry. However I don't see this as being your problem as your DNS sometimes works. That would not be the case if this issue were at play, unless you did a reboot. Just a tid-bit of info to have in your back pocket.
http://blogs.technet.com/b/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx

0
 
Rob WilliamsCommented:
PS- It is not a case of an inability to resolve "some top level/specific domains" is it? There is a known issue, which to the best of my knowledge only applies to SBS 2008/2011, where DNS fails to resolve some domains, but most commonly the problem is with European domain suffixes, and I see you are on the "other side of the big pond" (Atlantic).
Again a long shot but trying to toss in some new ideas.
0
 
Michael OrtegaSales & Systems EngineerCommented:
plug1, have you tried to rerun the CEICW since this started?

MO
0
 
ChiefITCommented:
Here is an example of SP1 issues:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23306595.html

In this particular instance, it was dropping DHCP. BUT, I have seen it drop DNS periodically.
0
 
ChiefITCommented:
To resolve the SP1 issue, simply install SP2.
0
 
plug1Author Commented:
Had a long day today, so I'll read over and report back tomorrow.
0
 
plug1Author Commented:
Just to go off on a different tangent, and grasp at straws. There were two SBS updates that cause DNS to be blocked in a few cases. What would happen is after a reboot other services that use random ports would occasionally grab required ports that they were not allowed to do so prior to the update. In a few cases this blocked DNS. According to the article (below) it could cause DNS to fail to start. In the two cases where I ran into this DNS was running but it could not resolve external queries. If you rebooted the server you had a reasonable chance of restoring order. The solution, as per the article, is to reserve specific ports in the registry. However I don't see this as being your problem as your DNS sometimes works. That would not be the case if this issue were at play, unless you did a reboot. Just a tid-bit of info to have in your back pocket.
http://blogs.technet.com/b/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx

Cheers RobWill - Noted

PS- It is not a case of an inability to resolve "some top level/specific domains" is it? There is a known issue, which to the best of my knowledge only applies to SBS 2008/2011, where DNS fails to resolve some domains, but most commonly the problem is with European domain suffixes, and I see you are on the "other side of the big pond" (Atlantic).
Again a long shot but trying to toss in some new ideas.

@RobWill - No mate, it fails on virtually all domains as soon as a forwarder is added; without it it works 90% of the time.

plug1, have you tried to rerun the CEICW since this started?

@Mortega, yes I've run it a couple of times.

@ChiefIT - just double checked and I'm on SP2.

0
 
plug1Author Commented:
Having a think about this last night: there is a 2nd disabled network card in there, and I'm thinking there's some kind of binding problem on the main card. My plan was to change the current router onto a new subnet, enable the second card and configure the server to route out to the new gateway address, and have the 2nd card deal with all outgoing DNS requests. Do you think this would make any difference or do you think the problem will still exist?
0
 
Rob WilliamsCommented:
Check in the DNS management console to see that DNS is only bound to the one IP.
For the record if making changes to the LAN adapter make sure you use the wizards, not doing so has resulted in some SBS servers needing to be rebuilt/restored. The IP is tied to AD, DNS, Sharepoint, IIS, Exchange, and much more. [change server IP, and CEICW wizards]
0
 
plug1Author Commented:
Yeah, it's only bound on the one IP and I've used the wizards a couple of times, though I don't know what may have happened in the lead up to this.
0
 
Michael OrtegaSales & Systems EngineerCommented:
A long shot, but do you have the latest NIC drivers installed? I couldn't explain how that would impact DNS traffic alone, but the issue appears to be external DNS resolution from the Server only. Without forwarders in place can you resolve (90% of the time) from the Server using root hints? I don't know if it was ever clear whether or not root hints worked 90% of the time for the Server or if you were referring to the client machines.

MO
0
 
plug1Author Commented:
I was referring to the server (although the client machines are the same if using only the server for DNS).
0
 
plug1Author Commented:
I'll update the drivers just in case, it's always worth a shot.
0
 
ChiefITCommented:
A root hints query is an iterative query. This means the server will tell the client to find its own resolution upon giving the client a root hints server.

A forwarder is a recursive query. This means the server will perform an iterative query on behalf of the client.

Since a client works 90% of the time on its own, and not often when the server acts on behalf of the client, something is interfering with the server. This could be a second machine with the ip address of 192.168.0.2. With a client and server on the same IP, what computer does the client go to for DNS on behalf of the client?

If you have a router that is providing DHCP on that subnet. The first logical IP address will be the IP address for the entire scope AFTER the router. So, if the router is 192.168.0.1, then the logical IP lease will be 192.168.0.2, (THE SERVER'S IP). A rogue DHCP server can cause problems like this, especially if the rogue DHCP server gives clients the IP of the domain server. Now, that should also mess up a few domain services internally. Yet, another problem with a rogue DHCP server is by default, they often provide DNS.

To check for a rogue DHCP server, you can run DHCPloc.exe at the command prompt of the server and see what is OFFering ip addresses to clients REQuesting them.
0
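ChiefIT's distinction above (root hints = iterative, forwarder = recursive) is visible on the wire as the RD (recursion desired) and RA (recursion available) bits in the DNS header, which is what you would look at in the Wireshark capture plug1 mentioned. The following Python is an added example, not code from this thread or from any of the posters. It builds a minimal A query with RD set or clear and decodes the header of a reply so that a captured response can be classified as an answer, a referral (what a root server returns) or an error such as SERVFAIL from a forwarder. The sample replies are constructed byte strings, not captured traffic.

```python
import struct

# Added example (not from the thread): build DNS queries with/without the RD
# bit and decode reply headers, to tell a recursive (forwarder) exchange from
# an iterative (root hints) one when reading a capture.

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, recursion_desired: bool = True) -> bytes:
    """Return a single-question A/IN query. RD=1 is what a client sends to a
    forwarder; RD=0 is what a server sends when walking root hints itself."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into named fields."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "recursion_desired": bool(flags & 0x0100),
        "recursion_available": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "questions": qd,
        "answers": an,
        "authority": ns,
        "additional": ar,
    }


def classify(reply: bytes) -> str:
    """Summarise what kind of reply this is, from the header alone."""
    h = parse_header(reply)
    if not h["is_response"]:
        return "not a response"
    if h["rcode"] != "NOERROR":
        return f"failed: {h['rcode']}"
    if h["answers"] > 0:
        return "answered"
    if h["authority"] > 0:
        return "referral (iterative step, follow the NS records)"
    return "empty"


# Constructed sample reply headers (payload after the header is irrelevant here):
# a forwarder answering recursively (QR=1, RD=1, RA=1, one answer)
SAMPLE_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# a forwarder failing (QR=1, RD=1, RA=1, RCODE=2 SERVFAIL)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
# a root server referral (QR=1, RD=0, RA=0, no answers, 13 NS records)
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 13, 13)

if __name__ == "__main__":
    print(build_query("example.com").hex())
    for label, pkt in [("answer", SAMPLE_ANSWER), ("servfail", SAMPLE_SERVFAIL), ("referral", SAMPLE_REFERRAL)]:
        print(label, "->", classify(pkt), parse_header(pkt))
```

When reading a capture of the SBS box, a query leaving the server with RD=1 towards the configured forwarder and a reply with RA=1 but SERVFAIL (or no reply at all) points at the forwarder path; queries with RD=0 towards root/TLD servers that come back as referrals are the root-hints path working as intended.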
 
Michael OrtegaSales & Systems EngineerCommented:
@ChiefIT, wouldn't an easy way to determine if the client computer is seeing multiple devices with the same IP just be to run an "arp -a" on the client to show the arp cache? Anything presenting with two different physical addresses but the same IP would be a problem, especially if it's the server's IP.

I'm not sure where you're going with the DHCP thing. I'm leaning towards hardware/software issues specifically with the NIC on the server.

For example - if the client queries the server for DNS and gets a response to use root hints then the session with the server is brief and the client will do iterative queries and work on its own accord. Since the conversation with the server is brief, the problems at the network level on the server might be masked because the client is doing all the work, hence it works 90% of the time. I imagine the 10% failure is when the, even brief, conversation with the server is disrupted by a network issue.

With forwarders/recursive queries the server is doing all the work on behalf of the client. If there are network issues at the server then the problem would manifest much more obviously and consistently, hence forwarders fail consistently.

That's my interpretation and theory anyway.

MO
0
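MO's "arp -a" check above, written out as a script. This is an added example and not code from the thread or from any poster. Windows keeps a single physical address per IP in the ARP cache at any one moment, so a single listing will rarely show two MACs for the same IP; the script therefore parses several snapshots taken over time and reports any IP that was seen with more than one MAC, ignoring broadcast/multicast and static entries. The two snapshots embedded below are constructed sample output in Windows "arp -a" format, not from the poster's network; live_snapshot() is the hypothetical helper you would call on the client instead.

```python
import re
import subprocess
from collections import defaultdict

# Added example (not from the thread): detect an IP address that answers with
# more than one MAC across repeated "arp -a" listings, e.g. a second machine
# sitting on the SBS server's address.

# Matches the data rows of Windows "arp -a" output (hyphen-separated MACs).
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp(output: str):
    """Yield (ip, mac, type) for each cache row; header/interface lines are skipped."""
    for line in output.splitlines():
        m = ARP_LINE.match(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3).lower()


def find_ip_conflicts(snapshots, ignore_static: bool = True) -> dict:
    """Merge several arp listings and return {ip: [mac, ...]} for IPs seen
    with more than one physical address."""
    seen = defaultdict(set)
    for snap in snapshots:
        for ip, mac, kind in parse_arp(snap):
            if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
                continue  # broadcast / IPv4 multicast, never a real host
            if ignore_static and kind == "static":
                continue
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def server_ip_conflicted(snapshots, server_ip: str) -> bool:
    """True if the DNS server's own IP was seen behind more than one MAC."""
    return server_ip in find_ip_conflicts(snapshots)


def live_snapshot() -> str:
    """Hypothetical helper: capture the real cache on the client (not run in tests)."""
    return subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout


# Constructed sample listings; the second shows 192.168.0.2 (the server's IP in
# this thread) suddenly resolving to a different MAC.
SNAPSHOT_1 = """
Interface: 192.168.0.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-01     dynamic
  192.168.0.2           00-11-22-33-44-02     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
SNAPSHOT_2 = """
Interface: 192.168.0.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-01     dynamic
  192.168.0.2           aa-bb-cc-dd-ee-02     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    print(find_ip_conflicts([SNAPSHOT_1, SNAPSHOT_2]))
```

On the real client you would collect live_snapshot() a number of times, ideally around the moments when lookups fail, and feed the list to find_ip_conflicts(); a hit on the server's address backs ChiefIT's duplicate-IP idea, while an empty result shifts suspicion back to the NIC/driver theory.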
 
Michael OrtegaSales & Systems EngineerCommented:
My solution for testing the above:

1. Update NIC drivers/firmware (to test driver/firmware theory), and/or
2. Disable NIC in question and use a different NIC (to test hardware theory).

MO
0
 
plug1Author Commented:
ChiefIT, that's not what I said: the server works 90% of the time without a forwarder and about 10% of the time with one; the clients are the same if they are using the server. The clients work fine if they use external DNS.
0
 
ChiefITCommented:
Is the server multihomed?

Since an iterative query is a communication between the server and client, where the server says here is a root hint server, go get resolution on your own. Iterative queries are a one time communication between client and server. So being a multihomed computer may not affect a root hints configuration as much.

Since a recursive query involves the server performing an iterative query on behalf of the server, the NIC between server and client is in use. The server could try to go out the second NIC (multihomed) and maybe 10% of the time works.

As far as the DHCP thing:
I was thinking that the DHCP scope options may pass down to the clients an incorrect DNS server. Within DHCP scope options, you could pass down a DNS server that doesn't exist. The clients try to communicate with that DNS server for DNS resolution, no joy. Or your clients find the proper DNS server for resolution, joy. So, make sure within DHCP scope options you are not passing down a bogus DNS server.

It really sounds like the server is multihomed:
IPconfig /all
at the command prompt would tell you how many interfaces you have. This would include VPN connections as an interface that could interfere with DNS resolution.

0