sintursula
asked on
Dns or connectivity problems on startup 2008R2
I have 3 Server 2008R2 fully patched domain controllers on site. The problem is that when I reboot the PDC (DC1) it takes a very long time before it starts up again.
DC1 is the DC with the problem, DC2 is a secondary DC:
In the event log I see that this is because of DNS problems. I have the IP of DC1 as primary nameserver, the IP of another DC as secondary and the localhost address as third.
When the DC comes up (after a while) I can't ping the other DCs where the secondary nameservers are located (not on IP and not on their name), but I can ping client computers.
Only after 30 minutes or so, or if I manually restart the DNS service on DC1, does connectivity restore; then I can ping everything and all services that previously failed because of DNS problems come back online.
So of course DNS doesn't work, because it can't get connectivity to the other nameservers. The problem is that I have no clue why this is. And even weirder is why the connectivity (also on IP) returns when I restart the DNS service. (I would think that IP ping would work regardless of the DNS service.)
Dcdiag doesn't show any errors and I can't find anything that could be a cause in the event viewer.
Does anyone have an idea?
localhost should always be primary DNS on a DC.
ASKER
That's not really what Microsoft is recommending. 127.0.0.1 should not be set as the primary DNS when using multiple DCs. (Microsoft DNS recommendations)
At the moment I have, to be clear:
Primary DNS: IP of DC1
Secondary DNS: IP of DC2
Third: 127.0.0.1
That should be correct.
ASKER
http://technet.microsoft.com/en-us/library/dd378900%28WS.10%29.aspx
Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list.
Huh....well, as stated here:
http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest
If at all possible on a DC, client DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. (This is where the arguments usually start)
Looks like it's highly debated. 99.99999% of technicians will tell you to use the loopback. But according to this new article, it's best not to.
So, based on this new knowledge:
DC1
Primary DNS: DC2
Secondary DNS: 127.0.0.1
DC2
Primary DNS: DC1
Secondary DNS: 127.0.0.1
Is that how it's configured?
ASKER
That configuration is indeed also valid, I tried that one too before but it has the same problem.
The thing is that the 127.0.0.1 IP or the DC1 IP waits until DNS is started on the server. But DNS waits until AD is ready, so it should use the IP of DC2, but it doesn't.
And as I can see when I can finally logon to the server, the IP of DC2 is not pingable until the DNS of DC1 is ready or if I manually restart the DNS of DC1.
So there is no connectivity for some reason on startup to DC2, so the DNS server of DC2 also can't be used. The question and big mystery is why is there no connectivity and why is it resolved by manually restarting the DNS service on DC1.
When everything is working, after restarting DNS, are you able to do an nslookup on DC2 from DC1?
nslookup
>server DC2.domain.local
>www.google.com
>dc1.domain.local
>domain.local
Do any of those error out?
Are you able to telnet from DC1 to DC2 on port 53?
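An added example, not from this thread, that automates the checks above and the DNS-order question debated earlier: it lists each adapter's DNS server search order, tests TCP port 53 to every entry (the same thing the telnet test does), reports whether the first entry is this DC itself or 127.0.0.1, and resolves the peer DCs. It uses only WMI and .NET so it runs on Server 2008 R2's PowerShell 2.0 (Get-DnsClientServerAddress and Test-NetConnection do not exist there); $OtherDcs is a constructed placeholder list.

```powershell
# Added example (not from the thread). Run elevated on the DC being investigated.
$OtherDcs = @('DC2', 'DC3')   # constructed sample names; replace with your own DCs

function Test-Tcp53 {
    # Returns $true if a TCP connection to port 53 completes within the timeout.
    param([string]$Address, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, 53, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

$localIps = @()
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True"
foreach ($nic in $adapters) {
    $localIps += $nic.IPAddress
    # Drop a null entry so an adapter with no DNS servers yields an empty array.
    $order = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    Write-Host ("Adapter: {0}" -f $nic.Description)
    if ($order.Count -eq 0) { Write-Host "  no DNS servers configured"; continue }
    for ($i = 0; $i -lt $order.Count; $i++) {
        $srv = $order[$i]
        $reach = Test-Tcp53 $srv
        Write-Host ("  [{0}] {1}  TCP/53 reachable: {2}" -f $i, $srv, $reach)
    }
    # The ordering argued over in this thread: is the first entry the DC itself?
    if ($order[0] -eq '127.0.0.1' -or $localIps -contains $order[0]) {
        Write-Host "  NOTE: first DNS server is this DC itself (loopback or own IP)"
    } else {
        Write-Host "  NOTE: first DNS server is another host"
    }
}

# Name resolution of each peer DC, like the nslookup steps, via the .NET resolver.
foreach ($dc in $OtherDcs) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($dc) | ForEach-Object { $_.IPAddressToString }
        Write-Host ("{0} resolves to {1}" -f $dc, ($ips -join ', '))
    } catch {
        Write-Host ("{0} does NOT resolve: {1}" -f $dc, $_.Exception.Message)
    }
}
```

Running it once right after the reboot and again after restarting the DNS Server service shows which listed servers are reachable on TCP/53 in each state.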
ASKER
Yes, after restarting DNS, nslookup works just fine, also telnet is not a problem. (After dns restart)
After reboot, before restarting the DNS server service, do you have an IP Address? Wondering if it's DHCP related or a network card driver.
ASKER
I have an IP address, I can ping client PCs from the DC, just not other DCs.
I can RDP from a client to the DC, so that all works; it's just the connectivity to the other DCs that doesn't.
ASKER CERTIFIED SOLUTION
ASKER
Found it
DC1:
Primary DNS: 127.0.0.1
Secondary DNS: DC2
DC2:
Primary DNS: 127.0.0.1
Secondary DNS: DC1
If you reboot your computers and they don't look at themselves they won't be able to find the domain. Your issue is timing out because it's looking at a DC that isn't online for name resolution.