Solved

Windows 2003 DNS question

Posted on 2014-04-14
496 Views
Last Modified: 2014-04-25
We are running Windows 2003 server in a single domain config, 2 DCs both running DNS. 9 subnets. Lately, just lately, people are occasionally unable to access resources on a file server in xxx.xxx.xxx.1 by name, but they can do so by IP address. Mapping a drive to \\xxx.xxx.xxx.x\share works where using the name of the server does not. Further, occasionally a person will lose connectivity to the Exchange 2003 server (same subnet as the file server). Pinging the Exchange server by name from that client returns the outside address of the Exchange server instead of the inside address. A /flushdns on the client fixes the problem right away. None of the clients are in the same subnet as the server. All of the servers are in the same subnet, but only 2 of the servers seem to have problems. People are able to log on and get to the internet with no problems. This happens in several subnets. DCDIAG and NETDIAG tests both pass, except for the root hint errors which can safely be ignored (???? - really?). Should any external name servers (ISP) be included in the list of the reverse lookup zones? How exactly should the subnetted zones be configured? Any thoughts on where to look to find the cause of this would be appreciated.
0
Comment
Question by:quaybj
14 Comments
 
LVL 1

Expert Comment

by:A-p-u
ID: 40000482
If you are going to run a split DNS configuration (different answered returned internally and externally), you should configure your clients to use servers that all return the same answers.

See http://blogs.technet.com/b/networking/archive/2009/06/26/dns-client-resolver-behavior.aspx for more info on how Windows would handle these queries.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 40000675
If /flushDNS fixes the problem, that implies the following to me:
Your workstations' primary and secondary DNS servers are not providing the same results for this name. So,
If you are using your two internal DNS servers for this, I would start by comparing that name entry on both servers.
If you are using an external DNS server as your secondary, this is probably why it's getting the wrong address.
Also consider: both situations would imply your primary DNS server is not always responding fast enough.
0
 

Author Comment

by:quaybj
ID: 40002223
Thanks Korbus,

I am using 2 internal DNS servers, both are DCs, both using the same name servers. I compared each setting on the servers; they are identical.

I am not using external DNS server as a secondary.

Speed may be an issue; the primary server (also the primary DC) is colocated out of state, the secondary is in one of the subnets physically close to the other subnets. But this issue is new, the colocation is not.

Might it matter that the colocated server is using itself as the primary DNS and the 'local' older, slower server is also using itself as the primary? So those entries on the TCP/IP properties tab are reversed, and have been for years.

I am considering running DNS on another faster server in a location with a bigger circuit. Thoughts on that?

Still need to know: should any external name servers (ISP) be included in the reverse lookup zones?
0
 

Author Comment

by:quaybj
ID: 40002238
A-P-U
thanks for your response, but this is not a split brain issue.
Q
0
 
LVL 10

Accepted Solution

by:Korbus (earned 1500 total points)
ID: 40002281
No, I don't think you need ISP name servers in the reverse lookup zone. But, though I can't imagine why you might want it, I'm really not sure.

The server's primary and secondary DNS servers in the TCP/IP settings should not affect how the DNS server works: it has its own database and forwarder IP addresses. (It only affects where standard TCP/IP domain name resolution requests go, from the OS and other software.)

Regarding adding a DNS server: while this may help reduce occurrences, a slow primary DNS should NOT be messing you up like this.  

I think we first need to figure out how the workstations are ever resolving the external IP address for names that are defined internally on your DNS.  

This external IP address is obviously coming from external/internet DNS servers (please confirm this IP exists nowhere in your internal DNS); but it sounds like the only thing that is referencing external DNS is your internal DNS servers' forwarding (as it should be; please confirm).
So if all requests are going through your internal DNS, why is it using the forwarder results, rather than internal results?

I'm a bit stumped on how to test this, though.  I'll post back when I have an idea.
0
 

Author Comment

by:quaybj
ID: 40002383
I am not using forwarders. I was, for years, but about 2 months ago I started seeing weird access and resolution problems, tested and found the forwarders I was using were not valid DNS servers, found this article http://support.microsoft.com/kb/291382 that said forwarders were not really necessary and that root hints were better, did some more tests, found I had incorrectly resolving root hints, fixed that (or so I thought!) and all was good up until about 10 days ago. Since I am getting root hint errors from dcdiag, maybe I should put the forwarders back? And what is the real story on this error, which people say to safely ignore? Seems wrong to me.

     TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
                  Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (199.7.91.13)
                  Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
                  Error: Root hints list has invalid root hint server: k.root-servers.net. (193.0.14.129)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (199.7.83.42)
                  Error: Root hints list has invalid root hint server: m.root-servers.net. (202.12.27.33)
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
               
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
               
            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
               
            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
               
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
               
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
               
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
               
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
               
            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
               
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
               
            DNS server: 199.7.83.42 (l.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.83.42
               
            DNS server: 199.7.91.13 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.91.13
               
            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
               
         ......................... domain.org passed test DNS

The issues I am seeing are internal, not external, except for the email server issue, which happens every once in a while.

My ISP says that the routing to external world is being done on their side.  

I checked the DNS and verified that that external address is not in the list.  The only external address is an A record for our public web server.
0
 
LVL 1

Expert Comment

by:A-p-u
ID: 40002416
I would suggest an ipconfig /all on the client and see what DNS servers are listed. Then do an nslookup against each of those DNS servers querying for your Exchange server.

If you have a client getting the external IP address of your Exchange server, we have to figure out where it is getting that from.
0
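The check A-p-u proposes (list the client's DNS servers, then query each of them for the Exchange name) and Korbus's earlier point that the two configured servers may disagree can be scripted as one comparison. This is an added example, not code from the thread; it assumes a client with PowerShell 3 or later and the DnsClient module (Resolve-DnsName, Get-DnsClientServerAddress), and the host name and internal address prefix are placeholders for your own values.

```powershell
# Added example (not from the thread): ask every DNS server this client is
# configured with for one internal name, show each server's answer, and flag
# any server that returns an address outside the internal range.
# Assumptions: PowerShell 3+ with the DnsClient module; $Name and
# $InternalPrefix below are placeholders, not values from the thread.
$Name           = 'exchange.domain.local'   # placeholder: your Exchange host name
$InternalPrefix = '10.'                     # placeholder: start of your internal range

# Same information as "ipconfig /all": IPv4 DNS servers of every adapter.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique

$results = foreach ($srv in $servers) {
    try {
        # -DnsOnly bypasses the local cache, hosts file, LLMNR and NetBIOS,
        # so each server is asked directly, like "nslookup name server".
        $answers = Resolve-DnsName -Name $Name -Type A -Server $srv -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress
        if ($answers | Where-Object { $_ -notlike "$InternalPrefix*" }) {
            $status = 'EXTERNAL-ANSWER'    # this server hands out the outside address
        } else {
            $status = 'ok'
        }
    } catch {
        $answers = @()
        $status  = "query failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Server = $srv; Answers = ($answers -join ','); Status = $status }
}

$results | Format-Table -AutoSize

# Two servers disagreeing is exactly the condition Korbus describes: whichever
# server the client happened to ask populated its cache, which is why
# "ipconfig /flushdns" appears to fix the problem until the next lookup.
$distinct = @($results | Where-Object { $_.Answers } |
    Select-Object -ExpandProperty Answers -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Configured DNS servers return different answers for $Name"
}
```

Run it on a client while the symptom is present; a server marked EXTERNAL-ANSWER is the one to inspect, and an answer that differs between the two internal DCs points at a zone or cache difference rather than at client-side caching.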
 

Author Comment

by:quaybj
ID: 40002613
OK, but I am out of the office; will try the nslookups on a machine that has had the email resolving issue tomorrow.

Thanks..
0
 
LVL 10

Expert Comment

by:Korbus
ID: 40002818
It might NOT be safe to ignore those errors, since you are not using forwarders in your DNS server config. Most people DO use forwarders, which may be why they said this error can be ignored (just guessing though).

Without forwarders, I would think root hint problems would be a major issue for resolving external domain names (of course, this is NOT your problem: incorrect resolution of INTERNAL names is).

Please take these comments with a grain of salt, I'm no expert on root hints.
0
 

Author Comment

by:quaybj
ID: 40010773
Thanks Korbus
I am out of the office over Easter, but will pick this up when I get back. I also am wary of ignoring the root hint errors.
Q
0
 

Author Comment

by:quaybj
ID: 40020665
Korbus, the problem has gone away as mysteriously as it came. I am closing this ticket and awarding you the points because you made useful suggestions. If I find anything about root hints that I think is useful, I will post it.

Thanks.

Q
0
 
LVL 10

Expert Comment

by:Korbus
ID: 40020746
Hi Quaybj,

Thanks for following up.  Gosh those mysteriously disappearing issues are SO frustrating!  Will it come back? When? Who knows, arrrgghh.

Oh, you mentioned you were giving me some points, but it looks like you gave them all to APU.  Don't worry about it this time, but just want to make sure you were aware for future posts.

K
0
 

Author Closing Comment

by:quaybj
ID: 40022412
I am awarding points to Korbus because of the reasoned, logical answer.
0