Windows 2003 DNS question

We are running Windows 2003 server in a single domain config, 2 DCs both running DNS. 9 subnets. Lately, just lately, people are occasionally unable to access resources to a file server in xxx.xxx.xxx.1 by name, but they can do so by IP address. Mapping a drive to \\xxx.xxx.xxx.x\share works where using the name of the server does not. Further, occasionally a person will lose connectivity to the Exchange 2003 server (same subnet as the file server). Pinging the Exchange server by name from that client returns the outside address of the Exchange server instead of the inside address. A \flushdns on the client fixes the problem right away. None of the clients are in the same subnet as the server. All of the servers are in the same subnet, but only 2 of the servers seem to have problems. People are able to log on and get to the internet with no problems. This happens in several subnets. DCDIAG and NETDIAG tests both pass, except for the root hint errors which can safely be ignored (???? - really?). Should any external name servers (ISP) be included in the list of the reverse lookup zones? How exactly should the subnetted zones be configured? Any thoughts on where to look to find the cause of this would be appreciated.
Asked by: quaybj

A-p-u Commented:
If you are going to run a split DNS configuration (different answers returned internally and externally), you should configure your clients to use servers that all return the same answers.

See http://blogs.technet.com/b/networking/archive/2009/06/26/dns-client-resolver-behavior.aspx for more info on how Windows would handle these queries.
0
 
Korbus Commented:
If /flushDNS fixes the problem that implies the following to me:
Your workstations' primary and secondary DNS servers are not providing the same results for this name.  So,
If you are using your two internal DNS servers for this, I would start by comparing that name entry on both servers.
If you are using an external DNS server as your secondary, this is probably why it's getting the wrong address.
Also consider: Both situations would imply your primary DNS server is not always responding fast enough.
0
 
quaybj (Author) Commented:
Thanks Korbus,

I am using 2 internal DNS servers, both are DCs, both using the same name servers. I compared each setting on the servers, they are identical.

I am not using an external DNS server as a secondary.

Speed may be an issue, the primary server (also the primary DC) is colocated out of state, secondary is in one of the subnets physically close to the other subnets.  But this issue is new, the colocation is not.

Might it matter that the colocated server is using itself as the primary DNS and the 'local' older, slower server is also using itself as the primary? So those entries on the TCP/IP properties tab are reversed, and have been for years.

I am considering running DNS on another faster server in a location with a bigger circuit. Thoughts on that?

Still need to know: should any external name servers (ISP) be included in the reverse lookup zones?
0
 
quaybj (Author) Commented:
A-P-U
Thanks for your response, but this is not a split brain issue.
Q
0
 
Korbus Commented:
No, I don't think you need ISP name servers in the reverse lookup zone.  But, though I can't imagine why you might want it, I'm really not sure.

The server's primary and secondary DNS servers in the TCP/IP settings should not affect how the DNS server works: it has its own database, and forwarder IP addresses.  (It only affects where standard TCP/IP domain name resolution requests go, from the OS and other software.)

Regarding adding a DNS server: while this may help reduce occurrences, a slow primary DNS should NOT be messing you up like this.  

I think we first need to figure out how the workstations are ever resolving the external IP address for names that are defined internally on your DNS.  

This external IP address is obviously coming from external/internet DNS servers (please confirm this IP exists nowhere in your internal DNS); but it sounds like, the only thing that is referencing external DNS, is your internal DNS servers' forwarding (as it should be- pls confirm).  
So if all requests are going through your internal DNS, why is it using the forwarder results, rather than internal results?

I'm a bit stumped on how to test this, though.  I'll post back when I have an idea.
0
 
quaybj (Author) Commented:
I am not using forwarders.  I was, for years, but about 2 months ago I started seeing weird access and resolution problems, tested and found the forwarders I was using were not valid DNS servers, found this article http://support.microsoft.com/kb/291382 that said forwarders were not really necessary and that root hints were better, did some more tests, found I had incorrectly resolving root hints, fixed that (or so I thought!) and all was good up until about 10 days ago.  Since I am getting root hint errors from dcdiag, maybe I should put the forwarders back?  And what is the real story on this error, which people say to safely ignore?  Seems wrong to me.

     TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
                  Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (199.7.91.13)
                  Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
                  Error: Root hints list has invalid root hint server: k.root-servers.net. (193.0.14.129)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (199.7.83.42)
                  Error: Root hints list has invalid root hint server: m.root-servers.net. (202.12.27.33)
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
               
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
               
            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
               
            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
               
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
               
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
               
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
               
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
               
            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
               
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
               
            DNS server: 199.7.83.42 (l.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.83.42
               
            DNS server: 199.7.91.13 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.91.13
               
            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
               
         ......................... domain.org passed test DNS

The issues I am seeing are internal, not external, except for the email server issue, which happens every once in a while.

My ISP says that the routing to external world is being done on their side.  

I checked the DNS and verified that that external address is not in the list.  The only external address is an A record for our public web server.
0
 
A-p-u Commented:
I would suggest an ipconfig /all on the client and see what DNS servers are listed. Then do an nslookup against each of those DNS servers querying for your Exchange server.

If you have a client getting the external IP address of your Exchange server, we have to figure out where it is getting that from.
0
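
The check that Korbus and A-p-u describe above (ask each DNS server the client lists for the same name and see whether the answers match) can be done over saved nslookup output. This is an added example, not part of the original thread; the host names, addresses and the 10.0.0.0/8 internal range are constructed placeholders.

```python
import ipaddress

# Assumption: the site's internal address space. Replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: nslookup output saved per DNS server that
# `ipconfig /all` listed on the client. All names/addresses are placeholders.
CAPTURES = {
    "10.0.1.10": ("Server:  dc1.example.local\nAddress:  10.0.1.10\n\n"
                  "Name:    exch01.example.local\nAddress:  10.0.1.25\n"),
    "10.0.9.10": ("Server:  dc2.example.local\nAddress:  10.0.9.10\n\n"
                  "Non-authoritative answer:\n"
                  "Name:    exch01.example.local\nAddress:  203.0.113.25\n"),
}

def parse_answers(output):
    """Return the set of IP addresses in the answer part of one nslookup run."""
    # Text before the first "Name:" describes the server queried, not the answer.
    _, found_name, answer = output.partition("Name:")
    ips = set()
    if found_name:  # absent on timeouts and "Non-existent domain" replies
        for token in answer.split():
            try:
                ips.add(ipaddress.ip_address(token))
            except ValueError:
                pass  # host names and labels such as "Address:"
    return ips

def compare(captures):
    """Parse every capture and list disagreements and non-internal answers."""
    answers = {srv: parse_answers(out) for srv, out in captures.items()}
    findings = []
    if len({frozenset(ips) for ips in answers.values()}) > 1:
        findings.append("servers disagree")
    for srv in sorted(answers):
        if not answers[srv]:
            findings.append(f"{srv}: no answer")
        for ip in sorted(answers[srv], key=str):
            if not any(ip in net for net in INTERNAL_NETS):
                findings.append(f"{srv}: non-internal address {ip}")
    return answers, findings

if __name__ == "__main__":
    for line in compare(CAPTURES)[1]:
        print(line)
```

A server that hands out a non-internal address for an internal name, or that disagrees with its peer, is the one whose zone data, cache and upstream resolution path should be examined first.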
 
quaybj (Author) Commented:
OK, but I am out of the office, will try the nslookups on a machine that has had the email resolving issue tomorrow.

Thanks..
0
 
Korbus Commented:
It might NOT be safe to ignore those errors, since you are not using forwarders in your DNS server config.  Most people DO use forwarders, which may be why they said this error can be ignored (just guessing tho).

Without forwarders, I would think root hint problems would be a major issue for resolving external domain names (of course, this is NOT your problem: incorrect resolution of INTERNAL names is).

Please take these comments with a grain of salt, I'm no expert on root hints.
0
 
quaybj (Author) Commented:
Thanks Korbus
I am out of the office over Easter, but will pick this up when I get back.  I also am wary of ignoring the root hint errors.
Q
0
 
quaybj (Author) Commented:
Korbus, the problem has gone away as mysteriously as it came.  I am closing this ticket and awarding you the points because you made useful suggestions.  If I find anything about root hints that I think is useful, I will post it.

Thanks.

Q
0
 
Korbus Commented:
Hi Quaybj,

Thanks for following up.  Gosh those mysteriously disappearing issues are SO frustrating!  Will it come back? When? Who knows, arrrgghh.

Oh, you mentioned you were giving me some points, but it looks like you gave them all to APU.  Don't worry about it this time, but just want to make sure you were aware for future posts.

K
0
 
quaybj (Author) Commented:
I am awarding points to Korbus because of the reasoned, logical answer.
0
