Solved

Windows 2003 DNS question

Posted on 2014-04-14
475 Views
Last Modified: 2014-04-25
We are running Windows 2003 server in a single domain config, 2 DC's both running DNS, 9 subnets. Lately, just lately, people are occasionally unable to access resources on a file server in xxx.xxx.xxx.1 by name, but they can do so by IP address. Mapping a drive to \\xxx.xxx.xxx.x\share works where using the name of the server does not. Further, occasionally a person will lose connectivity to the Exchange 2003 server (same subnet as the file server). Pinging the Exchange server by name from that client returns the outside address of the Exchange server instead of the inside address. A /flushdns on the client fixes the problem right away.

None of the clients are in the same subnet as the server. All of the servers are in the same subnet, but only 2 of the servers seem to have problems. People are able to log on and get to the internet with no problems. This happens in several subnets. DCDIAG and NETDIAG tests both pass, except for the root hint errors which can safely be ignored (???? - really?).

Should any external name servers (ISP) be included in the list of the reverse lookup zones? How exactly should the subnetted zones be configured? Any thoughts on where to look to find the cause of this would be appreciated.
Question by: quaybj

14 Comments
 
LVL 1

Expert Comment

by:A-p-u
If you are going to run a split DNS configuration (different answers returned internally and externally), you should configure your clients to use servers that all return the same answers.

See http://blogs.technet.com/b/networking/archive/2009/06/26/dns-client-resolver-behavior.aspx for more info on how Windows would handle these queries.
0
 
LVL 10

Expert Comment

by:Korbus
If /flushDNS fixes the problem, that implies the following to me:
Your workstations' primary and secondary DNS servers are not providing the same results for this name. So,
If you are using your two internal DNS servers for this, I would start by comparing that name entry on both servers.
If you are using an external DNS server as your secondary, this is probably why it's getting the wrong address.
Also consider: both situations would imply your primary DNS server is not always responding fast enough.
0
 

Author Comment

by:quaybj
Thanks Korbus,

I am using 2 internal DNS servers, both are DC's, both using the same name servers. I compared each setting on the servers; they are identical.

I am not using external DNS server as a secondary.

Speed may be an issue: the primary server (also the primary DC) is colocated out of state, the secondary is in one of the subnets physically close to the other subnets. But this issue is new, the colocation is not.

Might it matter that the colocated server is using itself as the primary DNS and the 'local' older, slower server is also using itself as the primary? So those entries on the TCP/IP properties tab are reversed, and have been for years.

I am considering running DNS on another faster server in a location with a bigger circuit. Thoughts on that?

Still need to know: should any external name servers (ISP) be included in the reverse lookup zones?
0
 

Author Comment

by:quaybj
A-P-U,
Thanks for your response, but this is not a split-brain issue.
Q
0
 
LVL 10

Accepted Solution

by: Korbus (earned 500 total points)
No, I don't think you need ISP name servers in the reverse lookup zone. But, though I can't imagine why you might want it, I'm really not sure.

The server's primary and secondary DNS servers in the TCP/IP settings should not affect how the DNS server works: it has its own database and forwarder IP addresses. (It only affects where standard TCP/IP domain name resolution requests go, from the OS and other software.)

Regarding adding a DNS server: while this may help reduce occurrences, a slow primary DNS should NOT be messing you up like this.  

I think we first need to figure out how the workstations are ever resolving the external IP address for names that are defined internally on your DNS.  

This external IP address is obviously coming from external/internet DNS servers (please confirm this IP exists nowhere in your internal DNS); but it sounds like the only thing that is referencing external DNS is your internal DNS servers' forwarding (as it should be; please confirm).
So if all requests are going through your internal DNS, why is it using the forwarder results rather than internal results?

I'm a bit stumped on how to test this, though.  I'll post back when I have an idea.
0
 

Author Comment

by:quaybj
I am not using forwarders. I was, for years, but about 2 months ago I started seeing weird access and resolution problems, tested and found the forwarders I was using were not valid DNS servers, found this article http://support.microsoft.com/kb/291382 that said forwarders were not really necessary and that root hints were better, did some more tests, found I had incorrectly resolving root hints, fixed that (or so I thought!) and all was good up until about 10 days ago. Since I am getting root hint errors from dcdiag, maybe I should put the forwarders back? And what is the real story on this error, which people say to safely ignore? Seems wrong to me.

     TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
                  Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (199.7.91.13)
                  Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
                  Error: Root hints list has invalid root hint server: k.root-servers.net. (193.0.14.129)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (199.7.83.42)
                  Error: Root hints list has invalid root hint server: m.root-servers.net. (202.12.27.33)
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
               
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
               
            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
               
            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
               
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
               
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
               
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
               
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
               
            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
               
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
               
            DNS server: 199.7.83.42 (l.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.83.42
               
            DNS server: 199.7.91.13 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.91.13
               
            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
               
         ......................... domain.org passed test DNS

The issues I am seeing are internal, not external, except for the email server issue, which happens every once in a while.

My ISP says that the routing to the external world is being done on their side.

I checked the DNS and verified that the external address is not in the list. The only external address is an A record for our public web server.
0
 
LVL 1

Expert Comment

by:A-p-u
I would suggest an ipconfig /all on the client and see what DNS servers are listed. Then do an nslookup against each of those DNS servers querying for your Exchange server.

If you have a client getting the external IP address of your Exchange server, we have to figure out where it is getting that from.
0
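A way to carry out the check A-p-u describes above (and the comparison Korbus's first comment turns on: do the resolvers agree?). This is an added example, not code from the thread: it parses the saved output of `nslookup <name> <server>` run against each resolver that `ipconfig /all` lists, reports resolvers whose answers differ, and flags any answer outside the site's internal ranges, which are assumed here to be the RFC 1918 blocks. Server names and addresses are constructed placeholders.

```python
import ipaddress
import re

# Assumption: "internal" means the RFC 1918 blocks; adjust to the site's ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample output of `nslookup exchange.domain.org <server>` run
# against each resolver listed by `ipconfig /all` (placeholder names/addresses;
# the second resolver hands back a public address for the internal host).
SAMPLE_OUTPUTS = {
    "10.0.1.10": ("Server:  dc1.domain.org\nAddress:  10.0.1.10\n\n"
                  "Name:    exchange.domain.org\nAddress:  10.0.1.25\n"),
    "10.0.9.10": ("Server:  dc2.domain.org\nAddress:  10.0.9.10\n\n"
                  "Non-authoritative answer:\n"
                  "Name:    exchange.domain.org\nAddress:  203.0.113.25\n"),
}

# Match only the answer section: the "Server:/Address:" header that names
# the resolver itself has no "Name:" line, so it is skipped.
ANSWER_RE = re.compile(
    r"^Name:\s+(\S+)\s*\n(?:Aliases:.*\n)*Address(?:es)?:\s+(\S+)", re.M)

def parse_nslookup(text):
    """Return (name, first answer address) from nslookup output, or None."""
    m = ANSWER_RE.search(text)
    return (m.group(1), m.group(2)) if m else None

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def compare_answers(outputs):
    """Map each resolver to its answer; flag disagreement and external answers."""
    answers = {}
    for server, text in outputs.items():
        parsed = parse_nslookup(text)
        answers[server] = parsed[1] if parsed else None
    distinct = {a for a in answers.values() if a}
    external = sorted(s for s, a in answers.items() if a and not is_internal(a))
    # consistent: every resolver that answered gave the same address
    return {"answers": answers, "consistent": len(distinct) <= 1,
            "external_from": external}

if __name__ == "__main__":
    report = compare_answers(SAMPLE_OUTPUTS)
    for server, addr in report["answers"].items():
        print(server, "->", addr or "no answer")
    print("consistent:", report["consistent"], "external from:", report["external_from"])
```

On a real client, replace SAMPLE_OUTPUTS with the captured output of one nslookup per configured resolver; a resolver listed under external_from is the one to look at first.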
 

Author Comment

by:quaybj
OK, but I am out of the office; will try the nslookups on a machine that has had the email resolving issue tomorrow.

Thanks..
0
 
LVL 10

Expert Comment

by:Korbus
It might NOT be safe to ignore those errors, since you are not using forwarders in your DNS server config.  Most people DO use forwarders, which may be why they said this error can be ignored (just guessing tho).

Without forwarders, I would think root hint problems would be a major issue for resolving external domain names (of course, this is NOT your problem: incorrect resolution of INTERNAL names is).

Please take these comments with a grain of salt, I'm no expert on root hints.
0
 

Author Comment

by:quaybj
Thanks Korbus,
I am out of the office over Easter, but will pick this up when I get back. I also am wary of ignoring the root hint errors.
Q
0
 

Author Comment

by:quaybj
Korbus, the problem has gone away as mysteriously as it came. I am closing this ticket and awarding you the points because you made useful suggestions. If I find anything about root hints that I think is useful, I will post it.

Thanks.

Q
0
 
LVL 10

Expert Comment

by:Korbus
Hi Quaybj,

Thanks for following up.  Gosh those mysteriously disappearing issues are SO frustrating!  Will it come back? When? Who knows, arrrgghh.

Oh, you mentioned you were giving me some points, but it looks like you gave them all to APU.  Don't worry about it this time, but just want to make sure you were aware for future posts.

K
0
 

Author Closing Comment

by:quaybj
I am awarding points to Korbus because of the reasoned, logical answer.
0