Solved

Windows 2003 DNS question

Posted on 2014-04-14
Last Modified: 2014-04-25
We are running Windows 2003 server in a single domain config, 2 DCs both running DNS, 9 subnets. Lately, just lately, people are occasionally unable to access resources on a file server in xxx.xxx.xxx.1 by name, but they can do so by IP address. Mapping a drive to \\xxx.xxx.xxx.x\share works where using the name of the server does not. Further, occasionally a person will lose connectivity to the Exchange 2003 server (same subnet as the file server). Pinging the Exchange server by name from that client returns the outside address of the Exchange server instead of the inside address. A \flushdns on the client fixes the problem right away. None of the clients are in the same subnet as the server. All of the servers are in the same subnet, but only 2 of the servers seem to have problems. People are able to log on and get to the internet with no problems. This happens in several subnets. DCDIAG and NETDIAG tests both pass, except for the root hint errors which can safely be ignored (???? - really?). Should any external name servers (ISP) be included in the list of the reverse lookup zones? How exactly should the subnetted zones be configured? Any thoughts on where to look to find the cause of this would be appreciated.
Question by:quaybj
14 Comments
 
LVL 1

Expert Comment

by:A-p-u
ID: 40000482
If you are going to run a split DNS configuration (different answers returned internally and externally), you should configure your clients to use servers that all return the same answers.

See http://blogs.technet.com/b/networking/archive/2009/06/26/dns-client-resolver-behavior.aspx for more info on how Windows would handle these queries.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 40000675
If /flushDNS fixes the problem that implies the following to me:
Your workstation's primary and secondary DNS servers are not providing the same results for this name.  So,
If you are using your two internal DNS servers for this, I would start by comparing that name entry on both servers.
If you are using an external DNS server as your secondary, this is probably why it's getting the wrong address.
Also consider: Both situations would imply your primary DNS server is not always responding fast enough.
0
 

Author Comment

by:quaybj
ID: 40002223
Thanks Korbus,

I am using 2 internal DNS servers, both are DCs, both using the same name servers. I compared each setting on the servers, they are identical.

I am not using external DNS server as a secondary.

Speed may be an issue, the primary server (also the primary DC) is colocated out of state, secondary is in one of the subnets physically close to the other subnets.  But this issue is new, the colocation is not.

Might it matter that the colocated server is using itself as the primary DNS and the 'local' older, slower server is also using itself as the primary? So those entries on the TCP/IP properties tab are reversed, and have been for years.

I am considering running DNS on another faster server in a location with a bigger circuit. Thoughts on that?

Still need to know: should any external name servers (ISP) be included in the reverse lookup zones?
0
 

Author Comment

by:quaybj
ID: 40002238
A-P-U
thanks for your response, but this is not a split brain issue.
Q
0
 
LVL 10

Accepted Solution

by:
Korbus earned 500 total points
ID: 40002281
No, I don't think you need ISP name servers in the reverse lookup zone.  But, though I can't imagine why you might want it, I'm really not sure.

The server's primary and secondary DNS servers in the TCP/IP settings should not affect how DNS server works: it has its own database, and forwarder IP addresses.  (It only affects where standard TCP/IP domain name resolution requests go, from the OS and other software.)

Regarding adding a DNS server: while this may help reduce occurrences, a slow primary DNS should NOT be messing you up like this.  

I think we first need to figure out how the workstations are ever resolving the external IP address for names that are defined internally on your DNS.  

This external IP address is obviously coming from external/internet DNS servers (please confirm this IP exists nowhere in your internal DNS); but it sounds like, the only thing that is referencing external DNS, is your internal DNS servers' forwarding (as it should be- pls confirm).  
So if all requests are going through your internal DNS, why is it using the forwarder results, rather than internal results?

I'm a bit stumped on how to test this, though.  I'll post back when I have an idea.
0
 

Author Comment

by:quaybj
ID: 40002383
I am not using forwarders.  I was, for years, but about 2 months ago I started seeing weird access and resolution problems, tested and found the forwarders I was using were not valid DNS servers, found this article http://support.microsoft.com/kb/291382 that said forwarders were not really necessary and that root hints were better, did some more tests, found I had incorrectly resolving root hints, fixed that (or so I thought!) and all was good up until about 10 days ago.  Since I am getting root hint errors from dcdiag, maybe I should put the forwarders back?  And what is the real story on this error, which people say to safely ignore?  Seems wrong to me.

     TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
                  Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (199.7.91.13)
                  Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
                  Error: Root hints list has invalid root hint server: k.root-servers.net. (193.0.14.129)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (199.7.83.42)
                  Error: Root hints list has invalid root hint server: m.root-servers.net. (202.12.27.33)
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
               
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
               
            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
               
            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
               
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
               
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
               
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
               
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
               
            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
               
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
               
            DNS server: 199.7.83.42 (l.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.83.42
               
            DNS server: 199.7.91.13 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.91.13
               
            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
               
         ......................... domain.org passed test DNS

The issues I am seeing are internal, not external, except for the email server issue, which happens every once in a while.

My ISP says that the routing to external world is being done on their side.  

I checked the DNS and verified that that external address is not in the list.  The only external address is an A record for our public web server.
0
 
LVL 1

Expert Comment

by:A-p-u
ID: 40002416
I would suggest an ipconfig /all on the client and see what DNS servers are listed. Then do an nslookup against each of those DNS servers querying for your Exchange server.

If you have a client getting the external IP address of your Exchange server, we have to figure out where it is getting that from.
0
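The per-server comparison suggested in the comment above, as an added example that is not part of the original thread: it parses the text of `nslookup <name> <server-ip>` captured once per DNS server listed in `ipconfig /all`, then reports servers that returned no answer, returned a non-internal address, or disagree with each other. The host names, addresses and sample output are constructed, and treating RFC 1918 space as "internal" is an assumption, since the thread masks its real addresses.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: the internal network uses RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    return any(addr in net for net in RFC1918)


def parse_answers(nslookup_output):
    """Return the set of IPv4 answers from one nslookup run (empty on failure)."""
    # The leading Server:/Address: block names the server that was queried;
    # the answers only start at the "Name:" line.
    _, found, tail = nslookup_output.partition("Name:")
    if not found:
        return set()
    return {ipaddress.ip_address(a) for a in IPV4.findall(tail)}


def compare_servers(outputs):
    """outputs maps DNS server IP -> nslookup text; returns a list of findings."""
    answers = {srv: parse_answers(text) for srv, text in outputs.items()}
    findings = []
    for srv in sorted(answers):
        if not answers[srv]:
            findings.append((srv, "no-answer", []))
        external = sorted(str(a) for a in answers[srv] if not is_internal(a))
        if external:
            findings.append((srv, "external-address", external))
    if len({frozenset(a) for a in answers.values()}) > 1:
        findings.append(("*", "servers-disagree", sorted(answers)))
    return findings


# Constructed sample: two DNS servers answering for the same mail host.
SAMPLE = {
    "10.0.1.10": "Server:  dc1.example.org\nAddress:  10.0.1.10\n\n"
                 "Name:    mail.example.org\nAddress:  10.0.1.25\n",
    "10.0.9.10": "Server:  dc2.example.org\nAddress:  10.0.9.10\n\n"
                 "Non-authoritative answer:\n"
                 "Name:    mail.example.org\nAddress:  203.0.113.25\n",
}

if __name__ == "__main__":
    for finding in compare_servers(SAMPLE):
        print(finding)
```

A "Non-authoritative answer" carrying an external address for an internally hosted name shows the server did not answer from its own zone, which is the case the thread is trying to locate.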
 

Author Comment

by:quaybj
ID: 40002613
OK, but I am out of the office, will try the nslookups on a machine that has had the email resolving issue tomorrow.

Thanks..
0
 
LVL 10

Expert Comment

by:Korbus
ID: 40002818
It might NOT be safe to ignore those errors, since you are not using forwarders in your DNS server config.  Most people DO use forwarders, which may be why they said this error can be ignored (just guessing tho).

Without forwarders, I would think root hint problems would be a major issue for resolving external domain names (of course, this is NOT your problem: incorrect resolution of INTERNAL names is).

Please take these comments with a grain of salt, I'm no expert on root hints.
0
 

Author Comment

by:quaybj
ID: 40010773
Thanks Korbus
I am out of the office over Easter, but will pick this up when I get back.  I also am wary of ignoring the root hint errors.
Q
0
 

Author Comment

by:quaybj
ID: 40020665
Korbus, the problem has gone away as mysteriously as it came.  I am closing this ticket and awarding you the points because you made useful suggestions.  If I find anything about root hints that I think is useful, I will post it.

Thanks.

Q
0
 
LVL 10

Expert Comment

by:Korbus
ID: 40020746
Hi Quaybj,

Thanks for following up.  Gosh those mysteriously disappearing issues are SO frustrating!  Will it come back? When? Who knows, arrrgghh.

Oh, you mentioned you were giving me some points, but it looks like you gave them all to APU.  Don't worry about it this time, but just want to make sure you were aware for future posts.

K
0
 

Author Closing Comment

by:quaybj
ID: 40022412
I am awarding points to Korbus because of the reasoned, logical answer.
0
