Solved

DNS Issues

Posted on 2013-05-30
7
243 Views
Last Modified: 2013-06-14
Hi
I have a very strange DNS related issue.
I look after a company who is situated across 2 different sites with a separate subnet for each site.
There is a DNS server located in each site with 1 AD integrated zone, there is 1 domain.
Both servers are running server 2008 R2 64bit
The main problem is that workstations in each site cannot communicate with servers in the other site however they can still communicate with servers in the same site. The issue is intermittent
Servers in both sites can communicate with servers in the other site so there appears to be no issue at the server level.
I can ping all servers from workstations via IP address

when the problem occurs I cannot ping remote servers (from a workstation)and the response given is "ping response could not find host xxxxxx. Please check the name and try again"
However if I flush the DNS is works again for a period of time.
When its not working if I run the command ipconfig /flushdns to display the local DNS cache it displays all the servers in the remote site as negative DNS records eg

SERVERNAME
-------------------------------------------------
Name does not exist

As soon as I flush the DNS cache it works. But for some reason after a period of time the DNS records turn up as a negative DNS record.
If I run a nslookup it resolves all DNS names
If I turn off DNS client cache it works.
The workstations use DHCP
So this points to an issue on the workstation side, however it seems to affect all workstations at the same time which points back at the server
All workstations and servers have up to date AV software and I have run a scan and it picks up no issues.
I have run some debugging at the server DNS side and when the issue occurs it isn't logging anything that I can see.
I have checked firewall ports and DNS is open. I have also tried turning the firewall off completely.
The DNS replication is working fine.
I have set the TTL on DNS to 1 hour, I have enabled scavenging on DNS records to 1 day to see if this will help.
0
Comment
Question by:CodeBlueEngineers
  • 5
7 Comments
 

Author Comment

by:CodeBlueEngineers
Comment Utility
To add to that I have also reloaded the DNS for the zone and manually forced replication.
Also just a correction the command I run is ipconfig /displaydns to show the local DNS cache
0
 
LVL 12

Expert Comment

by:S00007359
Comment Utility
Can you enlighten on how the remote sites are connected?, does each site have adsl connection or dedicated wan/fibre, and how is the routing setup? sounds like an issue with DNS and TTL
0
 
LVL 9

Expert Comment

by:Zenvenky
Comment Utility
It looks like a DNS misconfiguration on DCs, check below link to correct it.

DNS Best Practices

Also make sure PDC is the authoritative Time Server for the domain.

http://support.microsoft.com/kb/816042
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:CodeBlueEngineers
Comment Utility
That's great thanks Zenvenky, I will run this past the customer and organise a suitable time to do this. Will keep you posted. Some good advice there
0
 

Author Comment

by:CodeBlueEngineers
Comment Utility
Hi experts
An update on the work carried out
I have configured the best practices as recommended, unfortunately the same issues still occur.
DISCLAIMER- The below setup was against our recommendation, and we do not support the network
However there are some configurations that they have which are definitely no recommended.
The servers in 1 site all have publicly listed IP addresses, these servers are also part of the AD domain.
The publicly facing DC is also being used as a DNS server and unfortunately they had received DOS attacks.
So to increase the security the local admin deleted all root hints and turned off all forwarders.
This is about the time that the issues first started occurring, I have asked to put this back to the way it was originally setup but they have refused due to the security concerns.
So if anyone can shed any light on this that would be great
0
 

Accepted Solution

by:
CodeBlueEngineers earned 0 total points
Comment Utility
Hi experts
we have found the issue and applied the fix.
Basically as the DNS forwarders and root hints were removed, all workstations had been set to use google as the 3rd DNS server.
When local DNS was flushed we could then ping local servers, but as soon as something external needed to be resolved it would default to the google DNS server and then stay on that server for everything else. As google cannot resolve internal servers it would then fail to work.
The fix for this is we have removed the google DNS from all computers and set an internal facing DNS as the primary and forwarding out to the internet from there. There is still a few other things we need to do to get them in a best practice state but this is what fixed this issue
0
 

Author Closing Comment

by:CodeBlueEngineers
Comment Utility
Issue solved internally
0

Featured Post

Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

Join & Write a Comment

Occasionally you run into the website or two that will not resolve properly using your own DNS servers.  Some people simply set up global forwarders for their DNS server.  I don’t recommend doing this because it can cause problems resolving addresse…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now