• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 472

DNS issues with new DC

Hey all, we have a 2003 server (server1) which used to serve as our main DC, DNS, and DHCP and also held all our FSMO roles.

We recently set up two 2008 boxes (server2 and server3) and promoted both to be DCs and moved all FSMO roles from server1 to server2.

We also set up DHCP on the new server and made it authoritative and set up the DNS scopes to be server1 and server2, so when we do an ipconfig /all on any client machine it correctly points to server1 as its DHCP provider and server2/3 for its DNS.

So in an attempt to remove server1 from our environment and make sure everything is running properly from server2/3 I turned off server1 and within a day started noticing some odd issues on our network....slow file server access, internet latency/slow websites, etc.

nslookup for a client PC does point to server1; when I do a 'set' to see which logon server it is using some PCs do point to server1 and others point to server2, but a reboot of those PCs makes it point to server2 or 3...but still doesn't fix the above issues..

Not sure whether it is a DNS/DC/DHCP issue or what at this point...any ideas?
0
Asked by: dealstrike
3 Solutions
 
Krzysztof Pytko (Active Directory Engineer) commented:
Have you set up forwarders on your new 2008 DNS server to be able to access the Internet?
Are all of your 2008 DCs set up as Global Catalogs?
And finally, did you shut down the 2003 server or decommission it?

One more thing: when you transfer the PDC Emulator role, you need to advertise a new time server in your forest.
[...]- after transfer of the PDCEmulator role, configure the NEW PDCEmulator to an external timesource and reconfigure the old PDCEmulator to use the domain hierarchy now. Therefore run on the NEW "w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update" where PEERS will be filled with the ip address or server (time.windows.com) and on the OLD one run "w32tm /config /syncfromflags:domhier /reliable:no /update" and stop/start the time service on the old one. All commands run in an elevated command prompt without the quotes. [...]

It's an extract from an MVP blog at
http://msmvps.com/blogs/mweber/archive/2010/02/10/upgrading-an-active-directory-domain-from-windows-server-2003-to-windows-server-2008-or-windows-server-2008-r2.aspx

Regards,
Krzysztof
0
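A way to check the time-hierarchy point raised above, as an added example that is not part of the original thread: it reads the domain's current PDC Emulator, compares it with the local w32tm configuration, and prints the w32tm command quoted from the MVP text when the two disagree. It assumes the ActiveDirectory RSAT module, an elevated prompt on a DC, and the peer name time.windows.com from the quoted text.

```powershell
# Added example (not from the thread): verify that Windows Time is configured to match
# the PDC Emulator role placement after the FSMO transfer.
# Assumes: ActiveDirectory module (RSAT), run elevated on a domain controller.

$pdc    = (Get-ADDomain).PDCEmulator                                   # e.g. server2.<domain>
$thisDc = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # local FQDN
$isPdc  = $pdc -ieq $thisDc

# 'w32tm /query /configuration' prints "Type: NTP (Local)" for a manual peer list
# and "Type: NT5DS (Local)" for domain-hierarchy sync; pick out that one line.
$type = $null
foreach ($line in (w32tm /query /configuration)) {
    if ($line -match '^\s*Type:\s*(\S+)') { $type = $Matches[1]; break }
}
$source = (w32tm /query /source | Out-String).Trim()

"PDC Emulator : $pdc"
"This host    : $thisDc (is PDC: $isPdc)"
"Sync type    : $type"
"Time source  : $source"

if ($isPdc -and $type -ne 'NTP') {
    Write-Warning 'New PDC Emulator still syncs from the domain hierarchy; with the old PDC gone it has no upstream.'
    Write-Host    'Fix (quoted MVP text, peer assumed): w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update'
}
elseif (-not $isPdc -and $type -ne 'NT5DS') {
    Write-Warning 'This DC is not the PDC Emulator but uses a manual peer list instead of the domain hierarchy.'
    Write-Host    'Fix (quoted MVP text): w32tm /config /syncfromflags:domhier /reliable:no /update ; Restart-Service w32time'
}
else {
    'Time configuration is consistent with the PDC Emulator placement.'
}
```

Run it once on the new PDC Emulator and once on the old one; each run only reports on the host it is executed on.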
 
dealstrike (Author) commented:
Hello

I just shut down server1 (2003 DC) to see what kind of effect it would have on our environment; when all is well I will properly decom it

I believe they are all GCs yes, I did a dsquery server -isgc and it is showing all 3 servers in the list

Not sure what you mean by forwarders...
0
 
Will Szymkowski (Senior Solution Architect) commented:
"I turned off server1 and within a day started noticing some odd issues on our network...."

If this statement is true and you did not decommission the server properly then you are going to still have entries in DNS, Active Directory etc. If this server has not been decommissioned you will need to do so properly.

Your slow lookups etc. will be caused by Server1 still being associated as a Name Server in DNS. We had also run into this issue when using LDAP for applications; it was taking 2-3 minutes before the application would authenticate. This was caused by having a bogus entry in the Name Servers tab in DNS. If you look at _msdcs you will probably see SRV records also that point to Server1.

Even after you successfully demote Server1 you will also need to ensure that DNS is cleaned up accordingly as well. Remove/Delete any records associated with Server1 (after successful demotion).
0
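To see what the comment above is describing before touching anything, here is an added example (not from the thread or from any contributor) that lists the NS, SRV, CNAME and A records in the domain zone and the _msdcs zone that still reference a DC that was switched off. It assumes the DnsServer PowerShell module (RSAT for Windows Server 2012 or later, pointed at the 2008 server), that _msdcs is its own zone as in domains created on 2003 or later, and uses a placeholder domain name.

```powershell
# Added example (not from the thread): report DNS records that still advertise a DC
# that was shut down without demotion. Nothing is deleted; the output is a cleanup list.
# Assumes the DnsServer module. Zone name is a placeholder; host names are from the thread.

$DnsServer = 'server2'          # DNS server to query
$OldDc     = 'server1'          # the DC that was switched off
$Domain    = 'corp.example'     # placeholder for the AD domain name

$zones = @($Domain, "_msdcs.$Domain")
$stale = foreach ($zone in $zones) {
    $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction SilentlyContinue
    foreach ($r in $records) {
        # Each record type keeps its target under a different RecordData property.
        $target = switch ($r.RecordType) {
            'NS'    { $r.RecordData.NameServer }      # zone-root name server list
            'SRV'   { $r.RecordData.DomainName }      # _ldap/_kerberos/_gc locator records
            'CNAME' { $r.RecordData.HostNameAlias }   # DSA-GUID alias under _msdcs
            default { $null }
        }
        # Match either the target host name or the record name itself (A/glue record).
        if (($target -and $target -like "$OldDc.*") -or $r.HostName -ieq $OldDc) {
            [pscustomobject]@{ Zone = $zone; Name = $r.HostName; Type = $r.RecordType; Target = $target }
        }
    }
}

if ($stale) {
    $stale | Format-Table -AutoSize
    Write-Host "The records above still point at $OldDc. Remove them only after the DC is demoted"
    Write-Host 'or metadata cleanup is complete, e.g. Remove-DnsServerResourceRecord -ZoneName <zone> -RRType <type> -Name <name>.'
} else {
    "No NS/SRV/CNAME/A records referencing $OldDc in $($zones -join ', ')."
}
```

With AD-integrated zones the DCs re-register their own SRV records, so only entries for the dead server should appear in this list; anything else showing up is a hint that a live DC has a registration problem.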
 
dealstrike (Author) commented:
Thanks, but like I said I did NOT decom server1...I just turned it off to see what kind of effect it would have on our network, and it did not have a good effect
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
Forwarders are used to allow clients to access Internet resources, as the DNS server list should be set up with internal DNS servers only to avoid communication issues.
Please check more about forwarders at
http://technet.microsoft.com/en-us/library/cc754941.aspx

Krzysztof
0
 
Will Szymkowski (Senior Solution Architect) commented:
When you have a bad entry in the Name Servers tab and that entry is at the top of the list, then when you do an nslookup it will attempt to contact that first name server (which has a timeout period), then it will go to the next server if the first one cannot be contacted.

Example
10.10.0.1 <-- Turned off or doesn't exist
10.10.0.2
10.10.0.3

It will query the first name server then work its way down the list.

Also, for any of the servers that you currently have with static addresses, do they have Server1 as their primary DNS? It will also have the same effect if this is true. There will be a timeout period before it goes to the secondary DNS IP.
0
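The timeout behaviour described above is easy to measure. The following is an added example (not from the thread) that times an A-record lookup against every resolver each adapter on the machine is configured with and flags the ones that fail or only answer after a long delay. It assumes Windows 8 / Server 2012 or later for Get-DnsClientServerAddress and Resolve-DnsName; the test name and the 1000 ms threshold are placeholders.

```powershell
# Added example (not from the thread): per-resolver latency check for the DNS servers a
# Windows machine is configured with. A dead server near the top of the list shows up here
# as a FAILED entry that still took the full timeout.
# Assumes Win8/2012+ DnsClient cmdlets. $TestName and $TimeoutMs are placeholders.

$TestName  = 'server2.corp.example'   # placeholder: an internal name every DC must resolve
$TimeoutMs = 1000                     # anything slower than this is suspect on a LAN

# One row per (adapter, server) so the configured order is preserved per adapter.
$servers = foreach ($cfg in (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses })) {
    foreach ($addr in $cfg.ServerAddresses) {
        [pscustomobject]@{ Adapter = $cfg.InterfaceAlias; Server = $addr }
    }
}

$report = foreach ($s in $servers) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $null = Resolve-DnsName -Name $TestName -Server $s.Server -Type A -DnsOnly -ErrorAction Stop
        $status = 'answered'
    } catch {
        $status = 'FAILED'
    }
    $sw.Stop()
    [pscustomobject]@{
        Adapter  = $s.Adapter
        Server   = $s.Server
        Status   = $status
        Millisec = $sw.ElapsedMilliseconds
        Suspect  = ($status -ne 'answered' -or $sw.ElapsedMilliseconds -gt $TimeoutMs)
    }
}
$report | Format-Table -AutoSize

# The resolver walks the list in order, so a dead first entry costs its timeout before
# the next server is even tried; report the first suspect per adapter.
$report | Where-Object { $_.Suspect } | Group-Object Adapter | ForEach-Object {
    $first = $_.Group | Select-Object -First 1
    Write-Warning "Resolver $($first.Server) on '$($first.Adapter)' is slow or dead ($($first.Status), $($first.Millisec) ms); remove it or move a healthy server above it."
}
```

Run it on a client that is "slow" and on a server with static DNS settings; the Adapter column shows which interface still lists the old DC.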
 
dealstrike (Author) commented:
Spec01...when you say name servers tab I am assuming you mean in the DHCP scope? server1 isn't even in the list, only server2 and 3 are

All servers that had static entries have been changed to server2 and 3 as their DNS servers.....except for server1 which still points to itself as its primary DNS and server2 as its secondary DNS
0
 
dealstrike (Author) commented:
Also, I did try doing an ipconfig /release, ipconfig /renew, ipconfig /flushdns, and ipconfig /registerdns on client PCs and it did not solve the issue...

One thing I just noticed is that server2 still had server1 as its primary DNS...so when I shut down server1 maybe that caused the issue since server2 itself could not contact server1 since it was its primary DNS?
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
Nope, as local DNS records are also available on server2.
However, you can remove server1's IP from its NIC's properties and set it up there as:

Primary: IP address of server3
Alternate: IP address of server2
3rd: Loopback IP address (127.0.0.1)

and ensure that you have configured forwarders to allow clients to access the Internet

Krzysztof
0
 
dealstrike (Author) commented:
Why wouldn't I set up server2 as the main DNS for server 2?
0
 
dealstrike (Author) commented:
And regarding forwarders...I checked the DNS server on server 2 and the only server I see in the list is server1, but it only uses it if it cannot resolve via server2 (itself) correct? or do I need to specify server 2 here?
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
Because when you reboot it and AD services come up faster than DNS, then you would experience slow logon issues or might not be able to log on at all. This is to prevent a DNS island. Please check the MS explanation about DNS islands
http://support.microsoft.com/kb/275278

Krzysztof
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
So, remove server 1 and point to your ISP DNS servers or publicly available like Google (8.8.4.4 or/and 8.8.8.8)

You are experiencing slow access because when DNS record cannot be resolved, your server2 redirects it to server1 which is down

Krzysztof
0
 
dealstrike (Author) commented:
iSiek...can you expand further on why this is needed and what is the point of this?
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
Your DC was restarted. AD services start faster than DNS and NETLOGON fails. You are unable to log on to that DC. You're stuck.

If it points to another DNS server, you can be sure that DNS is available and AD would start

Krzysztof
0
 
dealstrike (Author) commented:
I basically just removed server1 and left the list empty since it looks at itself first...is this ok?
0
 
dealstrike (Author) commented:
I also removed server1 and a few other older DNS servers from the 'nameservers' list...sorry about the confusion before, earlier I meant in the DHCP DNS scope options
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
Nope, because now you may experience issues with Internet access (slow or no access).
Forwarders should have ISP DNS or publicly available DNS servers, or you have to have proper root hints defined

If no forwarders or root hints are defined, no access to the Internet would be possible

Krzysztof
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
Do not worry about Name Servers as long as you are using AD-integrated DNS zones

Krzysztof
0
 
dealstrike (Author) commented:
How do I verify that I am using AD-integrated DNS in 2008?
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
Open the DNS Management console, select the zone and click the right mouse button. You will see the General tab and there will be information about the DNS zone type

Krzysztof
0
 
dealstrike (Author) commented:
Regarding forwarders...are you sure I need something in here? Earlier it just had server1 in the list...how was server1 working as a forwarder?

If you are sure then should I just add the google nameservers you said earlier? or our public IP?
0
 
dealstrike (Author) commented:
also..the 'use root hints if no forwarders are available' box is checked and greyed out...can you expand on this further
0
 
dealstrike (Author) commented:
It won't let me add server2 as a forwarder, only server1 or 3...(I am trying to do this from server 2)
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
Yes, probably your 2003 DNS used forwarders and your 2008 used 2003 in a chain :)
If you have DNS IP addresses from your ISP then you may use them; otherwise use Google (they work fine)

When your forwarders are empty then root hints are used by default and you cannot uncheck them. But you need to be sure that those servers are up to date, because otherwise you would have no access to the Internet or very slow access.

When you define forwarders, you can basically uncheck root hints as they are not required in this case

Root hint servers are the Top Level Domain (TLD) servers, which know the IP addresses of each DNS server for a TLD
http://en.wikipedia.org/wiki/Top-level_domain

Krzysztof
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
You cannot use a server as a forwarder for itself. You need to point it to another DNS server.
So make your server2 use forwarders like Google, and your server3 may then use server2 as a forwarder

Krzysztof
0
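The last few comments cover three settings on the 2008 DNS server: whether its forwarders actually answer (and are not the server itself), whether root hints are the fallback when the forwarder list is empty, and whether the zones are AD-integrated (the earlier zone-type question). The following added example, not from the thread or from any contributor, reviews all three from one place. It assumes the DnsServer PowerShell module (RSAT for Server 2012 or later, run against the 2008 server) and uses a placeholder public name for the forwarder test.

```powershell
# Added example (not from the thread): review forwarders, root hints and zone storage
# on a DNS server. Assumes the DnsServer module; $DnsServer is from the thread,
# $ExternalName is a placeholder for a public name that must resolve via forwarders or root hints.

$DnsServer    = 'server2'
$ExternalName = 'www.example.com'

$selfIps = @((Resolve-DnsName -Name $DnsServer -Type A -ErrorAction SilentlyContinue).IPAddress)
$fwd     = Get-DnsServerForwarder -ComputerName $DnsServer
$fwdList = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })

"Forwarders      : $(if ($fwdList) { $fwdList -join ', ' } else { '<none>' })"
"Use root hints  : $($fwd.UseRootHint)"
"Root hint count : $(@(Get-DnsServerRootHint -ComputerName $DnsServer).Count)"

# 1. Forwarders: reject self-references, then test each one against a public name.
foreach ($ip in $fwdList) {
    if ($selfIps -contains $ip) {
        Write-Warning "$ip is this server's own address; a server cannot forward to itself."
        continue
    }
    try {
        $null = Resolve-DnsName -Name $ExternalName -Server $ip -DnsOnly -ErrorAction Stop
        "Forwarder $ip answers for $ExternalName."
    } catch {
        Write-Warning "Forwarder $ip did not answer for $ExternalName; every cache miss waits for its timeout first."
    }
}

# 2. Root hints: with no forwarders they are the only path to the Internet.
if (-not $fwdList -and -not $fwd.UseRootHint) {
    Write-Warning 'No forwarders and root hints disabled: external names cannot be resolved at all.'
} elseif (-not $fwdList) {
    'No forwarders configured; resolution of external names relies on the root hints being current.'
}

# 3. Zone storage: AD-integrated zones replicate through AD and the DCs maintain the NS list.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope |
    Format-Table -AutoSize
```

A zone with IsDsIntegrated set to False is a file-backed primary; for those the Name Servers tab still has to be cleaned by hand, which is the case the "do not worry about Name Servers" remark above excludes.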
 
dealstrike (Author) commented:
For DNS forwarders in server1...it says "all other DNS domains"...so I guess I still don't understand what purpose server1 serves as a forwarder
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
In 2003 the forwarders configuration looked a little bit different. Conditional forwarding and forwarders were managed in the same place. But forwarders were set up under "all other DNS domains"

Now these functions are split, and forwarders and conditional forwarding are in different places.

On your 2003 server under "all other DNS domains" there should be some IP address or addresses set up

You may simply reuse them on the 2008 DNS server (server 2 for example)

Krzysztof
0
 
dealstrike (Author) commented:
Oh ok, I see...I don't see anything on server1 but I am going to be brave and leave dns forwarders blank in server2 for now and see how it goes
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
OK, let me know after all :)

Krzysztof
0
 
dealstrike (Author) commented:
Will do, I am still confused about forwarders though, server1 only had itself as a forwarder and I don't see any place else that it could be set...so I am still unsure why leaving it blank on the new server where it points to itself won't work...
0
 
ChiefIT commented:
Go into the DHCP scope options and remove Server1 as an available DNS server. Then, go to each client and perform an:

IPconfig /release
IPconfig /flushdns
IPconfig /renew

By putting Server1 as a valid DNS in DHCP scope options, you are telling the clients this server still exists and is available for use.

STEP 2:
Then perform a DNS, FRS, and AD metadata cleanup if Server1 was never demoted from the domain properly.

HOW TO: (Follow these steps real closely!)
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
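Step 1 above is a check worth scripting, because option 6 (DNS Servers) can be set at server level as well as per scope and the asker reports only looking at one place. The following added example, not from the thread or from any contributor, walks both levels on the DHCP server and prints the scopes that still hand out the old DC's address. It assumes the DhcpServer PowerShell module (RSAT for Server 2012 or later, run against the 2003 DHCP server named in the thread) and a placeholder IP for the old DC.

```powershell
# Added example (not from the thread): find DHCP option 6 (DNS Servers) values, server-wide
# and per scope, that still list a decommissioned DC. Assumes the DhcpServer module.
# $DhcpServer is from the thread; $OldDcIp is a placeholder.

$DhcpServer = 'server1'          # DHCP still runs on the 2003 box per the thread
$OldDcIp    = '10.10.0.1'        # placeholder: IP of the DC that was shut down

$findings = @()

# Server-level option applies to every scope that does not override it.
$srvOpt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 -ErrorAction SilentlyContinue
if ($srvOpt -and $srvOpt.Value -contains $OldDcIp) {
    $findings += [pscustomobject]@{ Scope = '<server-level>'; DnsServers = ($srvOpt.Value -join ', ') }
}

# Scope-level overrides.
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    if ($opt -and $opt.Value -contains $OldDcIp) {
        $findings += [pscustomobject]@{ Scope = $scope.ScopeId; DnsServers = ($opt.Value -join ', ') }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Host "Replace $OldDcIp in the entries above with the live DNS servers, e.g.:"
    Write-Host "  Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId <scope> -DnsServer <server2 IP>,<server3 IP>"
    Write-Host 'Then on each client: ipconfig /release ; ipconfig /flushdns ; ipconfig /renew'
} else {
    "$OldDcIp is not offered as a DNS server by $DhcpServer at server or scope level."
}
```

The release/flushdns/renew sequence at the end is the same one the comment lists; it is what makes clients pick up the corrected option, since a lease renewal alone does not clear a cached negative answer.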
 
dealstrike (Author) commented:
Didn't select my own answer, not sure why it's saying I did
0
