SBS 2008 DNS external name server

jleyse
We have a Small Business Server 2008 with DNS setup.  Our domain name uses .com instead of .local.  That's the way it was when I got here and I just migrated it from SBS 03 to SBS 08.  It has 2 forward lookup zones, our domain name and our domain name with the prefix of remote for exchange.  

Under our domain name zone there are two grey icons for the NS records, one for remote and one for www.  Remote points to our own server.  www pointed to our external name servers for web hosting.  We were using SiteServer for our web hosting, but I've moved our website to PowerDNN.  The new website was working for everyone except our internal network.  So I changed the www records from pointing to SiteServer's name servers to PowerDNN's name servers, but now we just get a 404 error when attempting to hit our website.  If I ping our web address internally, it points to our SBS server.  I've tried changing the NS records back to SiteServer and then it works again, but points to our old website.  Once I change it back to PowerDNN, it points us back to our SBS box.  

I've already been through several forums and checked the normal things like hosts files, and clearing both the client and server cache.  There is only one entry in the hosts file and it points to 127.0.0.1.  It just seems to not be able to see the PowerDNN name servers even though it validates the FQDN to the IP address and gives me the green check.
Jeffrey Kane - TechSoEasy
Principal Consultant
Most Valuable Expert 2016
Top Expert 2014

Commented:
"www pointed to our external name servers for web hosting"

You need to have the www record on your SBS's DNS configured to point to the actual external web server IP, not the name server.

You should not modify the NS records on the SBS.

This is because internally, your computers need to use the SBS's IP as their DNS authority.  Your hosted nameservers will not work from within your network due to the domain name being the same.

So, make sure on your SBS's DNS there is a www A record pointing to the hosted web server IP, and the only NS entry should be "same as parent folder" and pointing to your SBS's FQDN.
(In the properties of the forward lookup zone > Name Servers, you should only have a single entry for your SBS's FQDN and its IP address.)

Running the Fix My Network wizard should correct these.

Jeff
TechSoEasy
Neil Russell
Technical Development Lead

Commented:
It should point to your website, NOT to PowerDNN's name servers. It SHOULD point at your www.domain.com's IP address.

Author

Commented:
Thank you for your replies.  The only reason I tried to change it to the powerdnn name servers is because that was what was in there for the siteserver website.  The NS records for our domain name have always and still do point to our SBS server.  The www entry was a different type of record.  When I deleted it, I believe it said that it was a glue record.  When you right clicked on it the only options it gave me were to add a name server.  And now that I've deleted it, I'm not sure how to add it back in.  

I tried changing the www glue record to the IP address that is returned when I ping the website on an external machine, but it didn't work and then wouldn't let me remove that entry.  So I deleted the whole www glue record and added just an A record that points to the IP address that is returned when pinging our website from an outside network.  Didn't work.  Then I tried changing it to PowerDNN's name servers, didn't work either.  We are on a shared server at PowerDNN.  They told me that because of that, I can't just type the IP address into Internet Explorer and get our website.  I assume that's why I'm having problems now.  

So as of now, I've deleted the www glue record, added an A record with the pinged IP address, and cleared both the server and client cache again.  But now when I ping our website from our server, it returns the ip address for PowerDNN's name server and I can't find an entry for it anywhere in our DNS configuration.  Can I get into the settings from the ADSI console?

Principal Consultant
Most Valuable Expert 2016
Top Expert 2014
Commented:
So that I can be sure I am giving you proper information, I looked at your login IP address and was able to determine your domain (so you don't have to actually state it publicly).

It is true that you cannot just enter the www's IP address in a browser because it is shared hosting and you'll just get the Powerdnn Plesk default control panel page.

However, if you have the A record defined in your SBS's DNS which points www to the IP address of your webserver -- 70.34.32.162.  

Then, please be sure you run the Fix My Network Wizard just to make sure everything else is set properly.

By default, SBS 2008 doesn't use DNS forwarders, and instead uses root hints.

To be sure all caches are clear, make sure you empty the DNS cache from the mmc by right clicking on the SERVER name and selecting "Clear Cache".

Pinging www.your-domain.com from your server should return 70.34.32.162, and if you enter the www.your-domain.com in your browser it should go to the www site.  It will NOT go to the www site if you don't use www.

Jeff
TechSoEasy
Jeffrey Kane - TechSoEasy
Principal Consultant
Most Valuable Expert 2016
Top Expert 2014

Commented:
P. S.  Don't go anywhere near ADSI console for this.

Also, be sure there are no lingering NS records on your SBS that point to any external IP or domain.

Author

Commented:
Right now I have removed the www glue record and have only an A record for www that points to 70.34.32.162.  I have cleared the cache as you have said, by right clicking on the server name.  I have even cleared the client cache with ipconfig -flushdns.  But when I ping our website I get 208.88.72.61 for some reason, which is the address of nsa.powerdnn.com.

I have run the Fix My Network wizard and the only DNS relevant issues are that we are using a Forwarder, it's not listening to the primary network adapter, and there is one that just says a networking component is not configured properly.  I fixed the last 2, but am still getting the 208 IP.  

When I was messing with the www glue record, at one point I had it pointing to just powerdnn.com with 70.34.32.162 as the ip.  Then it wouldn't let me delete/change that entry for some reason, so I deleted the whole glue record.  I think it might be hung up now somewhere and am wondering if I should remove the whole zone and recreate it.

I will try to restart it first thing in the morning and see if anything changes.

Anything else I should try?  

Thanks for your help by the way.
Jeffrey Kane - TechSoEasy
Principal Consultant
Most Valuable Expert 2016
Top Expert 2014

Commented:
A glue record is created when there is an authoritative name server record as well.  So there very well may still be a lingering record or two.

Open up the _msdcs.domain.com zone and see if the external NS is listed.  If so, delete it.

Also, if there is a reverse DNS zone for anything other than your internal IP subnet, delete those as well.

Jeff
TechSoEasy
Jeffrey Kane - TechSoEasy
Principal Consultant
Most Valuable Expert 2016
Top Expert 2014

Commented:
One other thing... if you do an nslookup for www.your-domain.com does it show an authoritative name server?

Jeff
TechSoEasy

Author

Commented:
I didn't manage to get in early enough to reboot it this morning, but there were 3 other reverse DNS zones, but I was under the advanced view and it wouldn't let me delete them.  I switched to basic view and there is only one.  

We also don't have a _msdcs.domain.com zone.  The only _msdcs is a folder under the domain.com zone.  And it only has 2 records in its root folder.  A CNAME with our server's name and an A record with our firewall/router's IP.  

If I run nslookup www.domain.com, it says it can't find address for server www.domain.com: Non-existent domain.
WORKS2011
Managed IT Services, Cyber Security, Backup

Commented:
Run dcdiag /test:dns and post the results.

Author

Commented:
Directory Server Diagnosis

Performing initial setup:

   Trying to find home server...

   Home Server = Server

   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\Server

      Starting test: Connectivity

         ......................... Server passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\Server
   
      Starting test: DNS        

         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... Server passed test DNS
   
   Running partition tests on : ForestDnsZones
   
   Running partition tests on : DomainDnsZones
   
   Running partition tests on : Schema
   
   Running partition tests on : Configuration
   
   Running partition tests on : hrc-cpa
   
   Running enterprise tests on : hrc-cpa.com

      Starting test: DNS

         Test results for domain controllers:
           
            DC: Server.hrc-cpa.com

            Domain: hrc-cpa.com
                 
               TEST: Basic (Basc)
                  Warning: adapter

                  [00000007] Intel(R) PRO/1000 EB Network Connection with I/O Acceleration

                  has invalid DNS server: 10.0.0.7 (<name unavailable>)

                  Warning: The AAAA record for this DC was not found
                 
               TEST: Records registration (RReg)
                  Network Adapter

                  [00000007] Intel(R) PRO/1000 EB Network Connection with I/O Acceleration:
             
                     Warning:
                     Missing AAAA record at DNS server 10.0.0.3:
                     Server.hrc-cpa.com
                     
                     Warning:
                     Missing AAAA record at DNS server 10.0.0.3:
                     gc._msdcs.hrc-cpa.com
                     
                     Warning:
                     Missing CNAME record at DNS server 10.0.0.7:
                     89a5e58c-9f38-4e34-801d-6b5bfe8fb276._msdcs.hrc-cpa.com
                     
                     Warning:
                     Missing A record at DNS server 10.0.0.7:
                     Server.hrc-cpa.com
                     
                     Warning:
                     Missing AAAA record at DNS server 10.0.0.7:
                     Server.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _ldap._tcp.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _ldap._tcp.356257cf-ae82-4ca5-b98a-b8c6c9acb0bc.domains._msdcs.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _kerberos._tcp.dc._msdcs.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _ldap._tcp.dc._msdcs.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _kerberos._tcp.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _kerberos._udp.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _kpasswd._tcp.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _ldap._tcp.Default-First-Site-Name._sites.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _kerberos._tcp.Default-First-Site-Name._sites.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _ldap._tcp.gc._msdcs.hrc-cpa.com
                     
                     Warning:
                     Missing A record at DNS server 10.0.0.7:
                     gc._msdcs.hrc-cpa.com
                     
                     Warning:
                     Missing AAAA record at DNS server 10.0.0.7:
                     gc._msdcs.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _gc._tcp.Default-First-Site-Name._sites.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hrc-cpa.com
                     
                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _ldap._tcp.pdc._msdcs.hrc-cpa.com
                     
               Error: Record registrations cannot be found for all the network

               adapters
         
         Summary of test results for DNS servers used by the above domain

         controllers:        

            DNS server: 10.0.0.7 (<name unavailable>)

               1 test failure on this DNS server

               Name resolution is not functional. _ldap._tcp.hrc-cpa.com. failed on the DNS server 10.0.0.7
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: hrc-cpa.com

               Server                   PASS WARN PASS PASS PASS FAIL n/a  
         
         ......................... hrc-cpa.com failed test DNS


10.0.0.7 is our firewall.  I currently have it listed as an alternate DNS server on the NIC card.  Should I instead have our NIC card pointing to our ISP's forwarders or just leave that off and point only to our server's DNS?  That seems to be where the bulk of the errors are coming from.
WORKS2011
Managed IT Services, Cyber Security, Backup
Commented:
You should remove the 10.0.0.7 as an alternate on the NIC. Only have your server IP in DNS.
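
One way to read a dcdiag /test:dns report like the one posted above is to group its "Missing ... record" findings by DNS server, which makes the odd server out obvious. This is an added example, not code from the thread; the function names, the regular expression, the shortened sample, and the rule that a missing SRV or A record marks a server that does not hold the AD zone are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened excerpt in the shape of the dcdiag /test:dns
# output posted above (same servers and record names, fewer entries).
SAMPLE = """\
                     Warning:
                     Missing AAAA record at DNS server 10.0.0.3:
                     Server.hrc-cpa.com

                     Warning:
                     Missing A record at DNS server 10.0.0.7:
                     Server.hrc-cpa.com

                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _ldap._tcp.hrc-cpa.com

                     Error:
                     Missing SRV record at DNS server 10.0.0.7:
                     _kerberos._tcp.dc._msdcs.hrc-cpa.com
"""

# One finding spans three lines: severity, "Missing <type> ... <server>:", name.
ENTRY = re.compile(
    r"(Warning|Error):\s*\n\s*Missing (\S+) record at DNS server (\S+):\s*\n\s*(\S+)")

def missing_by_server(text):
    """Group 'Missing <type> record' findings by the DNS server that lacked them."""
    found = defaultdict(list)
    for severity, rtype, server, name in ENTRY.findall(text):
        found[server].append((severity, rtype, name))
    return dict(found)

def servers_without_ad_records(text):
    """Servers missing SRV or A records for the domain controller.

    Assumption of this example: a missing AAAA record alone only means IPv6 is
    not registered, while a missing SRV or A record means the server does not
    hold the AD zone and does not belong in the DC adapter's DNS server list.
    """
    return sorted(
        server for server, items in missing_by_server(text).items()
        if any(rtype in ("SRV", "A") for _, rtype, _ in items))

if __name__ == "__main__":
    for server, items in missing_by_server(SAMPLE).items():
        errors = sum(1 for sev, _, _ in items if sev == "Error")
        print(f"{server}: {len(items)} missing records, {errors} errors")
    print("Check adapter DNS list for:", servers_without_ad_records(SAMPLE))
```
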
WORKS2011
Managed IT Services, Cyber Security, Backup

Commented:
After you make the changes, run ipconfig /flushdns (server and workstations). It could take a little while, an hour or so, to clean up the DNS entries. As well, run ipconfig /registerdns on the workstation after flushing DNS if needed.

Author

Commented:
I've done that and now it's working on the clients.  The server itself still resolves www to the nsa.powerdnn.com, but the clients resolve to the correct address.  I'm wondering if a restart will clear up the server, but as long as it works for the clients, I'm happy.  

Thank you, thank you.
WORKS2011
Managed IT Services, Cyber Security, Backup

Commented:
DNS can take a while to resolve. I think you'll be fine moving forward; you can always restart DNS as well, and scavenge old records.
