Solved

DNS "Secondary DNS server" just fails to kick in....

Posted on 2015-01-05 | Last Modified: 2015-01-22 | 31 comments | 278 views

Our users suddenly were not able to see network drives through mapping, which caused a whole network downtime because the Primary DNS server was down. But we do have a Secondary DNS server in place in each client -- as listed by ipconfig. How come the Secondary DNS server didn't kick in to do its job of resolving names while the Primary DNS server was down?
Did I miss anything? What should I set up to prevent this issue?
Question by: Castlewood

31 Comments

Expert Comment by: Don S. (LVL 18)
Drive mapping names are not handled by DNS.  They are handled by NetBIOS broadcasts or by a WINS server.
Expert Comment by: Joeteck (LVL 4)
The local hosts file works well too, just in case the DNS server goes down..

When you setup the second DNS, did you add it as a second to the zone?

Check this out here.. You may need to change the "Zone Transfer settings"

http://technet.microsoft.com/en-us/library/cc816885%28v=ws.10%29.aspx
Author Comment by: Castlewood
Okay, drive mapping is just one of the problems. While the Primary DNS server was down, we were NOT able to ping a host name. Hope you got my point -- since obviously the Secondary DNS just fails to kick in to help resolve host names. What did I miss?
Expert Comment by: Neil Russell (LVL 37)
Technically right and wrong.

If you do not want to install a WINS server but have a DNS server you can select Enable DNS for Windows Resolution in the WINS properties sheet. This will cause the NetBios name resolution requests to be directed to the DNS server.

Possibly the primary DNS server was not down rather it was just responding with not found.  Secondary is only ever used when NO CONNECTION can be made to the primary.
Author Comment by: Castlewood
I am pretty sure the Primary DNS server box was down at the time of issue.
Expert Comment by: Neil Russell (LVL 37)
If the box was OFF and the clients had not talked to it at all then the secondary should have been used.  HOWEVER if the primary went down after a client had already connected to it once and had not timed out the connection (bit more to it than that) then the client will keep trying to talk to the dead primary. A reboot or network stack restart on a client would have resolved.

DNS resolution in Windows is still a flaky thing. Google it, lots of questions and answers but very few "Solutions".
Expert Comment by: mikebernhardt (LVL 28)
There are a couple of things that could have happened. One is with the client and the other with the server.

The clients don't know that the primary is down, so they will always try the first one in the list first. This would certainly slow things down.

If the secondary is a slave and getting its info from the primary, part of the zone includes how long to cache information. After that time, it will respond with "I don't know." If that time is set pretty short, then this will happen sooner (on the other hand if it's too long then updated information will take a long time to be propagated).
Expert Comment by: Don S. (LVL 18)
Do you know your secondary DNS actually works?  You can test this by using NSlookup from any client computer.  Set the name server to use as the address of your secondary DNS and test some internal names.  If it responds, then it should be good and the problem is elsewhere.  Either the DNS entries on the clients aren't right, or the primary wasn't really down, just not responding correctly, or the secondary DNS isn't really a secondary server for the Zone.
Expert Comment by: Joeteck (LVL 4)
Try this once you've got your primary back up..


To modify zone transfer settings using the Windows interface

    Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

    Right-click a DNS zone, and then click Properties.

    On the Zone Transfers tab, do one of the following:
        To disable zone transfers, clear the Allow zone transfers check box.

        To allow zone transfers, select the Allow zone transfers check box.

    If you allowed zone transfers, do one of the following:
        To allow zone transfers to any server, click To any server.

        To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.

        To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.
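The same zone-transfer setting, done from PowerShell rather than the DNS Manager GUI, as an added example that is not part of the original thread or of Microsoft's documentation. It uses the DnsServer module that ships with RSAT; the zone name corp.example, the host DC1 and the secondary address 192.0.2.20 are placeholders. The security point that the GUI steps above leave implicit: "To any server" lets anyone who can reach port 53 pull the whole zone, which hands an attacker a complete host inventory, so restrict transfers to the named secondaries (or disable them if there are none).

```powershell
# Added example (not from the original thread): restrict zone transfers on a
# Windows DNS primary zone to a named list of secondaries, then read it back.
# Assumptions: the DnsServer module (RSAT) is installed, the zone is called
# corp.example, the primary is on DC1 and the secondary is 192.0.2.20 --
# all three are placeholders.
$zoneName  = 'corp.example'
$dnsServer = 'DC1'
$secondary = '192.0.2.20'

# Allow AXFR/IXFR only to the listed secondaries and notify them of changes.
# 'TransferAnyServer' is the GUI's "To any server"; 'NoTransfer' is the right
# choice when the zone has no secondaries at all.
Set-DnsServerPrimaryZone -ComputerName $dnsServer -Name $zoneName `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $secondary `
    -Notify NotifyServers -NotifyServers $secondary

# Read the effective setting back for the change record.
Get-DnsServerZone -ComputerName $dnsServer -Name $zoneName |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, SecureSecondaries, SecondaryServers

# Verification from a host that is NOT in the list: a transfer attempt
# (nslookup's "ls -d corp.example" against $dnsServer) should now be refused,
# while the listed secondary still receives the zone.
```

The setting applies to AD-integrated primary zones as well; AD replication between DCs is unaffected by it, it only governs classic zone transfers to non-AD secondaries.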
Expert Comment by: Tony Pitt (LVL 4)
Several things to check:

1) Are the clients configured for both DNS servers?  That's a client setting, not a DNS server setting ...

2) Can the clients ping the secondary DNS server?  If not, then it's an IP problem, not a DNS problem.

3) Use NsLookup specifying the secondary server - type "nslookup - xx.yy.zz.aa" at a Windows command prompt, where xx.yy.zz.aa is the IP address of the secondary server.  Once in NsLookup, type a hostname and see what comes back.  NsLookup is capable of giving some error messages, whereas things like drive mapping simply fail.

Assuming none of the above gave/showed up an error, then it might just be down to the issue of the clients not knowing that they should switch to the secondary, though I thought that usually occurred pretty seamlessly ...  What OSes are we talking for both the DNS servers and the clients?  That might make a difference.

/T
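The three checks above, run from a Windows client in one go, as an added example that is not part of the original thread. It reads the DNS servers the client is actually configured with, pings each one, and then queries each one directly, so a failure can be attributed to a specific server. It assumes Windows 8 / Server 2012 or later (the DnsClient module) and a name that exists in the zone; dc1.corp.example is a placeholder.

```powershell
# Added example (not from the original thread): Tony Pitt's checks 1-3 as a
# function. Assumes the DnsClient module (Windows 8 / Server 2012 and later);
# the default test name dc1.corp.example is a placeholder.
function Test-DnsServerList {
    param(
        [string]$TestName = 'dc1.corp.example'   # placeholder FQDN in your zone
    )

    # 1) Which DNS servers is this client really configured with? This is the
    #    client-side setting (static or from DHCP), not anything on the server.
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object -ExpandProperty ServerAddresses -Unique

    if (-not $servers) {
        Write-Warning 'No IPv4 DNS servers configured on any adapter'
        return
    }

    foreach ($ip in $servers) {
        $result = [ordered]@{ Server = $ip; Reachable = $false; Answer = $null; Error = $null }

        # 2) Can we reach the server at all? If not, it is an IP problem.
        $result.Reachable = Test-Connection -ComputerName $ip -Count 1 -Quiet

        # 3) Ask this server directly. -Server bypasses the resolver's own
        #    server list; -DnsOnly/-NoHostsFile bypass cache, NetBIOS and the
        #    hosts file, so any error belongs to this server alone.
        try {
            $rr = Resolve-DnsName -Name $TestName -Server $ip -Type A `
                      -DnsOnly -NoHostsFile -ErrorAction Stop
            $result.Answer = ($rr | Where-Object Type -eq 'A' |
                              Select-Object -ExpandProperty IPAddress) -join ','
        } catch {
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

Test-DnsServerList | Format-Table -AutoSize
```

A server that answers correctly here but was apparently never used during the outage points at the client-side failover behaviour discussed in this thread rather than at the server, because a direct query with -Server never exercises the resolver's switch to the alternate server.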
Expert Comment by: Jan Springer (LVL 28)
My experience with Microsoft DNS clients is that the first entry will get used and, upon no answer, will not attempt to query the second or third listed server.

And, a better tool to test DNS than nslookup is 'dig'.
Expert Comment by: Tony Pitt (LVL 4)
Oh, one more thing: to check whether the secondary actually contains data for the zone (domain), point NsLookup at the secondary server, preferably from a command prompt on that server itself, and type "LS -d <domain>" where "<domain>" is your domain name.  If you get data about the machines in the domain, then the server contains the required data; if not, then the zone transfer isn't working.

/T
Expert Comment by: Neil Russell (LVL 37)
On NO ANSWER then the secondary will respond. The problem is how you define no answer.  As we have stated above, its not just a case of "are you there? No? Well i'll go somewhere else."  Windows DNS is a lot more complex than that and all sorts of issues can result in a broken DNS even when you have DNS servers online and running.
Expert Comment by: Jan Springer (LVL 28)
Install dig.

Then, from command line:

/path/to/dig www.microsoft.com @IP_OF_PRIMARY

/path/to/dig www.microsoft.com @IP_OF_SECONDARY

Post the results and I'll explain the output.  DNS can be difficult but it's really not that complex.
Author Comment by: Castlewood
Thanks, all you guys.
But I think I may have confused some of you guys by using "Secondary DNS server". Actually in my Windows I don't have anything called "Secondary DNS server". Instead, I have two AD-integrated DNS servers, which are used as Preferred DNS server and Alternate DNS server.
So let me re-phrase my question here:
Why didn't the "Alternate DNS server" kick in to help resolve names during the outage of the Preferred DNS server??

I guess my question is boiling down to.. how to have fault tolerance on DNS?

According to the link provided above by joeteck:
http://technet.microsoft.com/en-us/library/cc816885%28v=ws.10%29.aspx
In order to have fault tolerance, should I set up another DNS server as the "Secondary DNS server" besides my currently two AD-integrated DNS servers, which are used as "Preferred DNS" and "Alternate DNS"??
Expert Comment by: Jan Springer (LVL 28)
Unless MS is not following RFC, that's not how DNS works.

You have to first determine that both servers answer queries for authoritative domains and then that both servers answer queries for non-authoritative domains (also known as recursion).
Expert Comment by: DrDave242 (LVL 25)
In order to have fault tolerance, should I set up another DNS server as the "Secondary DNS server" besides my currently two AD-integrated DNS servers, which are used as "Preferred DNS" and "Alternate DNS"??
No, that shouldn't be necessary. Your two DCs/DNS servers will provide fault tolerance if everything is correctly configured and functional. It may be difficult or even impossible to determine what caused the issue in the past, since (I assume) both DCs are up and running normally at the moment. However, if you've got a little time after-hours, you can perform a simple test to make sure both DCs are resolving names as they should, which should prevent this from happening again. (If there really is a problem, users may run into trouble if you perform this test during the day.)

Before testing anything, verify that your domain-joined machines are in fact configured to use both DCs for DNS and nothing else. Which DC is configured as the preferred server and which is the alternate isn't really that important, but the machines in your domain should not be using 8.8.8.8, 4.2.2.2, or any other DNS server that exists outside your domain.

You should also check DNS on both DCs to make sure the correct records are actually there. You don't need to check every single record at this point; just make a quick check of both servers in the DNS console, and if the zones/records appear to match, they're probably good. If one DC is missing a bunch of records or even an entire zone, that's a problem. If the zone in question is AD-integrated, you're likely looking at an AD replication issue. The potential causes of that are legion, so we'll skip it for now.

Assuming everything above checks out, pick a workstation to use for testing. Run ipconfig /all at a command prompt and note which server is used as its preferred DNS server. On that server, stop the DNS Server service. As far as DNS is concerned, this has the same effect as shutting the server down, but without all the waiting. Back on the client, restart the DNS Client service. This clears the client's resolver cache and resets its DNS server priority list, which ensures that the next query it sends will go to its preferred DNS server. Now ping the FQDN of a machine in your domain (e.g., ping client1.mydomain.local). Don't use nslookup or dig here - they function differently.

If the output of the ping command shows the machine's IP address, DNS is working as it should. (We don't care whether the machine actually responds to the ping.) If the output says Ping request could not find host, then there's a problem, and further troubleshooting is needed. Feel free to post your results here.

In either case, don't forget to go back to your DC and start its DNS Server service when you're done testing.
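DrDave242's failover test as a script, added here as an example that is not part of the original thread. It stops the DNS Server service on the client's preferred DC, resets the client resolver, resolves an FQDN through the operating-system resolver (the same path ping and drive mapping use, which is the path that is supposed to fail over to the alternate server), and always restarts the service in a finally block so the DC is not left without DNS. It assumes admin rights on the DC, WinRM reachable on it, and the DnsClient/NetTCPIP modules of Windows 8 / Server 2012 or later; client1.corp.example is a placeholder.

```powershell
# Added example (not from the original thread): DrDave242's preferred-server
# outage test as a function. Assumes admin rights on the DC, WinRM enabled
# there, Windows 8 / Server 2012 or later on the client. The default FQDN
# client1.corp.example is a placeholder.
function Test-DnsFailover {
    param(
        [string]$TestFqdn = 'client1.corp.example'   # placeholder FQDN in your zone
    )

    # Preferred server = first DNS entry on the adapter holding the default route
    # (what "ipconfig /all" shows as the first DNS server for that adapter).
    $route = Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
             Sort-Object RouteMetric | Select-Object -First 1
    $preferred = (Get-DnsClientServerAddress -InterfaceIndex $route.InterfaceIndex `
                     -AddressFamily IPv4).ServerAddresses[0]

    # Resolve the DC's name while DNS still works; WinRM wants a hostname
    # (Kerberos) rather than a bare IP address.
    $dcHost = ([System.Net.Dns]::GetHostEntry($preferred)).HostName
    "Preferred DNS server: $preferred ($dcHost)"

    try {
        # Same effect as the DC being off, as far as DNS clients are concerned.
        Invoke-Command -ComputerName $dcHost -ScriptBlock { Stop-Service -Name DNS -Force }

        # Drop the resolver cache and its per-server priority state so the next
        # query really starts at the (now dead) preferred server.
        Restart-Service -Name Dnscache -Force

        # Go through the OS resolver, NOT Resolve-DnsName -Server or nslookup:
        # those pick a server themselves and never exercise the failover.
        $addresses = [System.Net.Dns]::GetHostAddresses($TestFqdn) |
                     ForEach-Object IPAddressToString
        "Resolved $TestFqdn with the preferred server down: $($addresses -join ', ')"
    } catch {
        # Equivalent of ping's "could not find host": failover did not happen.
        Write-Warning "Resolution failed with preferred server down: $($_.Exception.Message)"
    } finally {
        # Never leave the DC without its DNS Server service.
        Invoke-Command -ComputerName $dcHost -ScriptBlock { Start-Service -Name DNS }
        Restart-Service -Name Dnscache -Force
    }
}

Test-DnsFailover
```

Run it after hours, as the comment above says: while the DNS Server service is stopped, every client that still has that DC first in its list is exposed to exactly the failure being tested. Recent Windows 10 builds refuse to stop the Dnscache service even for an administrator; there, ipconfig /flushdns (Clear-DnsClientCache) followed by a reboot of the test client is the fallback for the reset step.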
Expert Comment by: Jan Springer (LVL 28)
Sure you can try a FQDN ping but the result won't tell you where the problem might lie like dig does.
Expert Comment by: DrDave242 (LVL 25)
The reason I said to use ping is that this will use the OS's resolver, which will query the alternate DNS server if the preferred server doesn't respond, and that's the specific thing I wanted to test. I know nslookup won't do that because it has its own resolver. I honestly have very little experience with dig - I've only ever used it when nslookup has been inadequate, like when dealing with DNSSEC - so I don't know how it behaves.
Expert Comment by: Jan Springer (LVL 28)
With dig, you can specify the server to direct your query (@IP_ADDRESS_OF_SERVER).
Expert Comment by: Neil Russell (LVL 37)
Active Directory–integrated zones do not ordinarily employ secondary DNS servers. Active Directory–integrated zones use Active Directory replication instead of zone transfer to synchronize zone data among DNS servers.

You do not need to configure SECONDARY DNS SERVERS
Expert Comment by: Neil Russell (LVL 37)
You can specify the server to use with nslookup too!
Expert Comment by: Jan Springer (LVL 28)
In DNS, there is no such thing as "primary" and "secondary".  You list servers in the order that you want them to be queried.

From the back end, there is "master" and "slave" and those denote whether the machine has the configuration data or the configuration data is transferred from a master.

With 'dig', the amount of information returned, it helps to troubleshoot DNS issues.

If this is truly a DNS server, then dig should be your tool of choice.
Expert Comment by: Neil Russell (LVL 37)
"In DNS, there is no such thing as "primary" and "secondary".  "

Sorry you are wrong again.  Active directory integrated DNS utilizes AD Replication, like I stated above and all DNS servers are synced in this way HOWEVER you CAN create a SECONDARY DNS server that is NOT AD Integrated that acts as a backup to your AD DNS Servers. This is well documented by Microsoft where they explicitly state that that is how you would configure a SECONDARY DNS server for AD using Zone transfers and not replication.

See Technet
Author Comment by: Castlewood
Neilsr,
When you said " You do not need to configure SECONDARY DNS SERVERS" did you mean in my current Windows network I don't need to set up a Secondary DNS server for the fault tolerance purpose??

I am eager to know how to have DNS fault tolerance in my Windows network since, as mentioned above, I found the "Alternate DNS server" didn't kick in to provide fault tolerance when the "Preferred DNS server" was down. Please help.
Expert Comment by: DrDave242 (LVL 25)
Did you perform the test I suggested?
Accepted Solution by: Neil Russell (LVL 37, earned 250 total points)
I mean that windows AD servers are all DNS servers. They are NOT primary and secondary but are all equal.  They are used in the order you list them in the NIC's network config, either manually or via DHCP options.

what you do not need is a SECONDARY DNS Server in the classic sense of the word as explained above.


Just to clarify, as nobody has asked...

When the DNS server listed first in your list failed, how long was it offline for and have you checked that ALL DNS records are being replicated between all of your AD servers?

It could of course be that you have a different issue altogether, like replication.

Can you describe HOW you came to the conclusion that the secondary DNS server was NOT responding at all?

Also the point that DrDave242 made...

Are the ONLY DNS servers that are listed on your client PC's, the two AD Integrated DNS servers?  NO others, no routers, no ISP, no 8.8.8.8  etc?
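One way to answer the replication question above (are ALL records present on every AD DNS server?) without clicking through the DNS console on each DC, added here as an example that is not part of the original thread. It pulls the records of the zone from two DCs, normalises each to a name/type/data string and diffs the two sets; anything present on one DC only is a replication problem, which is a different fault from the resolver failover the rest of the thread discusses. It assumes the DnsServer RSAT module and read access to both servers; DC1, DC2 and corp.example are placeholders.

```powershell
# Added example (not from the original thread): diff an AD-integrated zone as
# seen on two DCs. Assumes the DnsServer RSAT module and read access to both
# servers; DC1, DC2 and corp.example are placeholders.
function Compare-DnsZoneOnServers {
    param(
        [string]$ZoneName = 'corp.example',
        [string[]]$Servers = @('DC1', 'DC2')
    )

    $snapshots = @{}
    foreach ($s in $Servers) {
        $zone = Get-DnsServerZone -ComputerName $s -Name $ZoneName -ErrorAction Stop
        if (-not $zone.IsDsIntegrated) {
            Write-Warning "$ZoneName on $s is not AD-integrated (ZoneType=$($zone.ZoneType))"
        }

        # Normalise every record to "name type data" so the two sets can be diffed.
        $snapshots[$s] = Get-DnsServerResourceRecord -ComputerName $s -ZoneName $ZoneName |
            ForEach-Object {
                $rec = $_   # keep a reference: inside 'switch', $_ is the switched value
                $data = switch ($rec.RecordType) {
                    'A'     { $rec.RecordData.IPv4Address.IPAddressToString }
                    'AAAA'  { $rec.RecordData.IPv6Address.IPAddressToString }
                    'CNAME' { $rec.RecordData.HostNameAlias }
                    'NS'    { $rec.RecordData.NameServer }
                    'SRV'   { "$($rec.RecordData.DomainName):$($rec.RecordData.Port)" }
                    default { ($rec.RecordData | Out-String).Trim() }
                }
                "$($rec.HostName) $($rec.RecordType) $data"
            } | Sort-Object -Unique

        "{0}: {1} distinct records in {2}" -f $s, $snapshots[$s].Count, $ZoneName
    }

    # Records on one DC but not the other mean AD replication (or a stale
    # DNS Server cache of the directory partition), not resolver failover.
    Compare-Object -ReferenceObject $snapshots[$Servers[0]] `
                   -DifferenceObject $snapshots[$Servers[1]] |
        ForEach-Object {
            $where = if ($_.SideIndicator -eq '<=') { "only on $($Servers[0])" }
                     else                           { "only on $($Servers[1])" }
            "$($_.InputObject)  [$where]"
        }
}

Compare-DnsZoneOnServers
```

An empty diff with matching counts means both DCs hold the same zone data and the outage must be explained on the client side; a non-empty diff is the cue to look at AD replication (repadmin /showrepl) before touching anything DNS-specific.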
Author Comment by: Castlewood
DrDave242,
I did. I stopped both Preferred and Alternate DNS servers and restarted my computer's DNS Client service, and then the ping was still able to resolve my servers' names without a problem. That means there are some other resolvers than the two DNS servers. Could it be WINS?
Expert Comment by: DrDave242 (LVL 25)
Do you have a WINS server, and are the clients configured to use it? If not, it's definitely not WINS. Did you ping just the names or the fully qualified domain names? If you're pinging just the names, those can be resolved in other ways (WINS or NetBIOS broadcasts, for example), so the client may not have even tried to query a DNS server.
Expert Comment by: Don S. (LVL 18)
Please use nslookup (or DIG if you are on a Linux box or have Bind dns installed) to test your DNS server responses.  Ping will resolve via DNS, NetBIOS, WINS or Host table (whatever works) and as such makes troubleshooting DNS issues difficult.  nslookup only uses the DNS server you specify for resolution.
Assisted Solution by: DrDave242 (LVL 25, earned 250 total points)
There is a reason, explained above, why I recommended using ping, but yes, nslookup will allow you to test each server one at a time to ensure they're both responding correctly to queries. So will dig, if you feel like downloading the BIND package and rummaging around a bit.

Ping will resolve via DNS, NetBIOS, WINS or Host table (whatever works) and as such makes troubleshooting DNS issues difficult.
If you ping a fully qualified domain name, ping won't attempt to resolve it using WINS or a NetBIOS broadcast; it will use only DNS, which includes both hosts files and queries to DNS servers.

Speaking of hosts files, I'm baffled by how often they come up in DNS discussions here. It's not 1989 anymore, folks; OSes recognize more than 640KB of memory, file names can be longer than 8.3, and unless you've got a very unusual environment, you shouldn't even consider hosts files as a viable means of performing name resolution. If you're troubleshooting something, yes, you should be aware of them, but if you're performing any kind of deployment and are seriously considering creating a text file on every single machine in the network and then modifying that file - again, on every single machine - every time something changes, you should probably lie down for a while, then get a second opinion before proceeding.