Solved

DNS Issues

Posted on 2013-05-30
7
255 Views
Last Modified: 2013-06-14
Hi
I have a very strange DNS related issue.
I look after a company who is situated across 2 different sites with a separate subnet for each site.
There is a DNS server located in each site with 1 AD integrated zone, there is 1 domain.
Both servers are running server 2008 R2 64bit
The main problem is that workstations in each site cannot communicate with servers in the other site however they can still communicate with servers in the same site. The issue is intermittent
Servers in both sites can communicate with servers in the other site so there appears to be no issue at the server level.
I can ping all servers from workstations via IP address

when the problem occurs I cannot ping remote servers (from a workstation)and the response given is "ping response could not find host xxxxxx. Please check the name and try again"
However if I flush the DNS is works again for a period of time.
When its not working if I run the command ipconfig /flushdns to display the local DNS cache it displays all the servers in the remote site as negative DNS records eg

SERVERNAME
-------------------------------------------------
Name does not exist

As soon as I flush the DNS cache it works. But for some reason after a period of time the DNS records turn up as a negative DNS record.
If I run a nslookup it resolves all DNS names
If I turn off DNS client cache it works.
The workstations use DHCP
So this points to an issue on the workstation side, however it seems to affect all workstations at the same time which points back at the server
All workstations and servers have up to date AV software and I have run a scan and it picks up no issues.
I have run some debugging at the server DNS side and when the issue occurs it isn't logging anything that I can see.
I have checked firewall ports and DNS is open. I have also tried turning the firewall off completely.
The DNS replication is working fine.
I have set the TTL on DNS to 1 hour, I have enabled scavenging on DNS records to 1 day to see if this will help.
0
Comment
Question by:CodeBlueEngineers
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
7 Comments
 

Author Comment

by:CodeBlueEngineers
ID: 39209843
To add to that I have also reloaded the DNS for the zone and manually forced replication.
Also just a correction the command I run is ipconfig /displaydns to show the local DNS cache
0
 
LVL 12

Expert Comment

by:S00007359
ID: 39209855
Can you enlighten on how the remote sites are connected?, does each site have adsl connection or dedicated wan/fibre, and how is the routing setup? sounds like an issue with DNS and TTL
0
 
LVL 9

Expert Comment

by:Zenvenky
ID: 39209957
It looks like a DNS misconfiguration on DCs, check below link to correct it.

DNS Best Practices

Also make sure PDC is the authoritative Time Server for the domain.

http://support.microsoft.com/kb/816042
0
MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

 

Author Comment

by:CodeBlueEngineers
ID: 39210115
That's great thanks Zenvenky, I will run this past the customer and organise a suitable time to do this. Will keep you posted. Some good advice there
0
 

Author Comment

by:CodeBlueEngineers
ID: 39220951
Hi experts
An update on the work carried out
I have configured the best practices as recommended, unfortunately the same issues still occur.
DISCLAIMER- The below setup was against our recommendation, and we do not support the network
However there are some configurations that they have which are definitely no recommended.
The servers in 1 site all have publicly listed IP addresses, these servers are also part of the AD domain.
The publicly facing DC is also being used as a DNS server and unfortunately they had received DOS attacks.
So to increase the security the local admin deleted all root hints and turned off all forwarders.
This is about the time that the issues first started occurring, I have asked to put this back to the way it was originally setup but they have refused due to the security concerns.
So if anyone can shed any light on this that would be great
0
 

Accepted Solution

by:
CodeBlueEngineers earned 0 total points
ID: 39233571
Hi experts
we have found the issue and applied the fix.
Basically as the DNS forwarders and root hints were removed, all workstations had been set to use google as the 3rd DNS server.
When local DNS was flushed we could then ping local servers, but as soon as something external needed to be resolved it would default to the google DNS server and then stay on that server for everything else. As google cannot resolve internal servers it would then fail to work.
The fix for this is we have removed the google DNS from all computers and set an internal facing DNS as the primary and forwarding out to the internet from there. There is still a few other things we need to do to get them in a best practice state but this is what fixed this issue
0
 

Author Closing Comment

by:CodeBlueEngineers
ID: 39247011
Issue solved internally
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question