DNS Failover

We have been having an issue where our network begins running VERY slow whenever the primary DNS server fails (the secondary is still up) or the secondary fails (the primary is still up).  All my research thus far has told me to remove the failed DNS server from the machines.  This does work, but it is time consuming and really doesn't solve the problem.  Does anyone have any ideas other than removing the failed server?
Glen Krinsky, Systems Administrator, asked:
You can reduce the timeout value for the clients so they abandon their request to the failed server sooner: http://technet.microsoft.com/en-us/library/ff807396(v=WS.10).aspx
Glen Krinsky, Systems Administrator (author), commented:
I don't believe it is the timeout.  It's as if there is a sudden broadcast storm to try and find DNS.
Could you run the following commands as administrator on your DC and put the result here, please. Note: please alter your environmental data.

dcdiag /test:dns /v
dcdiag /test /v
Glen Krinsky, Systems Administrator (author), commented:
I will run them first thing in the morning.
Leon Fester, Senior Solutions Architect, commented:
There are no DNS failover capabilities.

Primary and Secondary DNS are separate entities where the secondary is only referenced when the primary server becomes unavailable.

I'd explain it all, but I'd just be repeating everything that is mentioned in the following posts:
Glen Krinsky, Systems Administrator (author), commented:
Ok.  I understand this, but, when we have just a single DNS entry on our systems, we have no problem.  If we add just a bogus IP address in for a secondary DNS, every system immediately starts to run EXTREMELY slow.
Just in case, I'd like to make sure of the following:
Your server has only 1 NIC connected
Your DC's IP configuration is correct (Primary DNS must be your DC's IP)
On your DNS Console - DNS Server (Right click) - Properties, you are not accepting DNS queries on any IP other than your DC's IP
There is nothing left over from any previous DC in the DNS server
Glen Krinsky, Systems Administrator (author), commented:
*Only 1 NIC connected
*DNS is set up correctly
*We are not accepting DNS queries
*No other installs present
Leon Fester, Senior Solutions Architect, commented:
"when we have just a single DNS entry on our systems, we have no problem"
I'm assuming at that time the DNS server is up and running, so you shouldn't be seeing any issues.

"If we add just a bogus IP address in for a secondary DNS, every system immediately starts to run EXTREMELY slow."

Why would you enter a bogus DNS server?
What scenario are you trying to test?

Are your clients Windows or *nix clients? I know I've seen issues on *nix clients when the DNS is not available... never ever got an answer from *nix support as to why. Just that DNS must be available.

I cannot say that I've personally seen Windows clients behave like this.

Finding a solution for your problem depends on the root cause of the server becoming unavailable. Can you elaborate on what causes the servers to go down?

I doubt that you'd get a "textbook" answer; knowledge usually only looks at what is supposed to work, if configured correctly and all services are available.

Your best bet to get an understanding of what is happening on the network would be to run a sniffer app, like Wireshark or Netmon from Microsoft. You'll then be able to see which servers are being queried, how long that server is pinged, and you'll know when the DNS queries are answered.
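As an added example (not from this thread), the following PowerShell script times one lookup against each DNS server configured on the Windows client, which shows the same thing a capture would: which entry every client stalls on before it falls back. The record name is an assumption; substitute one your own DC is authoritative for.

```powershell
# Added example, not part of the original thread.
# Times a single A-record lookup against every IPv4 DNS server configured on
# this client, so a dead or slow entry stands out without a packet capture.
$TestName = 'dc01.corp.example'   # assumed: a name your primary DNS server answers for

# Collect the unique server addresses across all interfaces.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique

foreach ($srv in $servers) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # -DnsOnly skips LLMNR/NetBIOS and -NoHostsFile skips the hosts file, so the
        # elapsed time is the round trip to this one server (including any timeout).
        $answer = Resolve-DnsName -Name $TestName -Server $srv -Type A `
                      -DnsOnly -NoHostsFile -ErrorAction Stop
        $ip     = $answer | Where-Object Type -eq 'A' |
                      Select-Object -First 1 -ExpandProperty IPAddress
        $status = "OK $ip"
    } catch {
        $status = "FAIL $($_.Exception.Message)"
    }
    $sw.Stop()

    [pscustomobject]@{
        Server       = $srv
        Milliseconds = $sw.ElapsedMilliseconds
        Result       = $status
    }
}
```

A server that reports FAIL after several seconds is the entry each client waits out on every query that reaches it; run the script on a workstation both with and without the suspect secondary configured to compare.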
Glen Krinsky, Systems Administrator (author), commented:
We have no idea why the server is going down.  It is not on our end.  The reason for entering the bogus DNS IP for a secondary is merely to "see what happens" in an attempt to duplicate the issue in our lab.  In the field, it is not our DNS (primary) that is going down, but the secondary.
Leon Fester, Senior Solutions Architect, commented:
OK, makes sense.
If you're not controlling the DNS servers then I'd recommend moving them off your workstations.

Any Windows Server can be a DNS server, the only limitation being AD-integrated DNS can only run on a domain controller. I would recommend that you consider putting in a second DNS server of your own.

Does the secondary DNS server hold any specific DNS zones that you want to query or why are you using it?

Maybe you can expand on the reasons for using the secondary from another site?

The issue with external DNS is that too many things can go wrong, e.g. server issue, DNS service, network, firewall, bandwidth and congestion, and then you end up with a situation like you're currently in.

N.B. I'm not rapping you over the knuckles, just trying to get an understanding of your environment. I've worked in enough places where solutions were built on the wrong requirements.
Glen Krinsky, Systems Administrator (author), commented:
Unfortunately we do not have the ability to install another DNS due to space and other restrictions.  We have to have the other DNS as it does hold specific queries that will not be allowed on other servers, if you know what I mean.
Leon Fester, Senior Solutions Architect, commented:
Exactly the reason I was expecting. In this case you should rather set up forwarders on your own DNS server so that your workstations only query your DNS server. The DNS server will then look at the request; if it matches a forwarding rule, then it will send that query to the remote DNS server and return the results to your DNS client on the workstation.


The other option is to set up a stub zone.

Deciding between conditional forwarders and stubs should be based on how you are connected to the remote site.

Conditional forwarders only require that your DNS server can connect to the remote DNS server.
Stub zones will require that your workstations/clients can also connect to the remote server, which may require additional firewall configuration.
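As an added example (not from this thread or from Microsoft), this PowerShell script shows the configuration the answer above describes on a Windows DNS server: a conditional forwarder for the zone the remote server holds, the stub-zone alternative, and the client side pointed at the local DC only. The zone name, the remote server address and the DC address are placeholders from the RFC 5737 documentation ranges.

```powershell
# Added example, not part of the original thread.
# Run on the domain controller / DNS server (DnsServer module, elevated prompt).
Import-Module DnsServer

$RemoteZone    = 'partner.example'   # assumed: zone that only the remote DNS server holds
$RemoteServers = @('192.0.2.53')     # assumed: remote DNS server address(es)
$LocalDnsIP    = '198.51.100.10'     # assumed: this DC's own address

# Option 1: conditional forwarder. Queries for $RemoteZone go to the remote server;
# everything else is answered locally or via the normal forwarders. The timeout keeps a
# dead remote server from stalling the local server for long.
if (-not (Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteZone `
        -MasterServers $RemoteServers -ReplicationScope 'Forest' -ForwarderTimeout 3
}

# Option 2 (alternative, not both): stub zone. The local server keeps only the
# remote zone's NS/SOA/glue records and follows them to the authoritative server.
# Remove-DnsServerZone -Name $RemoteZone -Force   # drop the forwarder first if switching
# Add-DnsServerStubZone -Name $RemoteZone -MasterServers $RemoteServers -ReplicationScope 'Forest'

# Verify from the server itself that a name in the remote zone resolves through it.
Resolve-DnsName -Name "host.$RemoteZone" -Server $LocalDnsIP -Type A -DnsOnly

# Client side (run on each workstation, or push via DHCP/GPO): list only your own
# DNS server so no client ever waits on the remote one directly.
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $LocalDnsIP
```

Once the forwarder is in place, the secondary entry can be dropped from the workstations, which removes the per-query wait on the failed server that the question describes.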
