
DNS problems when shutting down old DC/DNS server temporarily.

Zee asked:
Environment:

2008 FFL/DFL - 3 DCs

- HOMEDC01 - 2008 SP2 - DNS, GC
- HOMEPDC - 2008 R2 SP1 - FSMO, DHCP, DNS, WINS, GC
- HOMESDC (VM) - 2016 - DNS, GC

IPV6 enabled on all per articles found online.

DC01 has been on the network for years and did everything before.  Then I brought up PDC a few years ago and transferred over all roles from DC01.  2 weeks ago I brought up SDC and set it up with DNS.  Everything looks to be in order and the plan was to demote DC01 and retire it.  I shut down DC01 for a few days and all of a sudden we started experiencing extremely slow loading times for any webpages.  I brought it back up and everything went back to normal.

I made the necessary adjustments in DHCP to only provide PDC and SDC to clients for DNS.

I ran dcdiag /test:DNS /DNSALL /e /v to see what's going on and the only thing I can see is that root hints only seem to be showing up on DC01 in the output.  I checked DNS on PDC and SDC and they both have them, so not sure why they show up for only one server in the output.  Is that my problem?  What am I missing? (see attached output run from SDC, I also ran it on the other 2)

When I had DC01 off, before turning it back on, I ran nslookup and got major delays/time-outs the first time around but then would get a response eventually.  Tried clearing cache on both PDC and SDC and re-registering both.  No change.

Any direction or insight would be greatly appreciated.  TIA
Attachment: DCDIAG-DNSV.txt

Darrell (Enterprise Business Process Architect) commented:
How is DNS configured?  Forwarders?  Root hints?

Refer to this IANA link for the up-to-date root hint file.

Refer to this IANA page to view the hint root list in human readable format.

IF using NSLOOKUP.EXE to troubleshoot DNS, do the following:

At NSLOOKUP's > prompt, type set debug then type set debug2 then perform your lookups to determine where the failures or performance impact is occurring in the chain of lookups.

Additionally, since your ISP/Internet infrastructure is obviously not supporting IPv6, you may want to remove the IPv6 root hint servers listed.
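As an added example (not posted by anyone in the thread), a PowerShell script that does the root-hint comparison Darrell points at: it parses a local copy of IANA's named.root and reports, per root server, which glue addresses on a Windows DNS server are stale or missing. It assumes the DnsServer RSAT module is installed and that named.root (published at https://www.internic.net/domain/named.root) has already been downloaded next to the script.

```powershell
# Added example, not part of the thread: diff a Windows DNS server's root hints
# against IANA's named.root. Assumes the DnsServer RSAT module and a local copy of
# named.root (published at https://www.internic.net/domain/named.root).
$NamedRootPath = '.\named.root'
$ComputerName  = $env:COMPUTERNAME

# named.root data lines look like "A.ROOT-SERVERS.NET.  3600000  A  198.41.0.4";
# comment lines start with ';'. Returns @{ 'a.root-servers.net' = @('198.41.0.4', ...) }.
function Get-IanaRootAddresses {
    param([string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*;' -or $line -notmatch '\S') { continue }
        $fields = @($line -split '\s+' | Where-Object { $_ })  # name, ttl, type, data
        if ($fields.Count -lt 4 -or $fields[2] -notin @('A', 'AAAA')) { continue }
        $name = $fields[0].ToLower().TrimEnd('.')
        if (-not $map.ContainsKey($name)) { $map[$name] = @() }
        $map[$name] += $fields[3].ToLower()
    }
    return $map
}

# Hints the server holds: each entry is one NS record plus its A/AAAA glue records.
function Get-ServerRootAddresses {
    param([string]$Server)
    $map = @{}
    foreach ($hint in Get-DnsServerRootHint -ComputerName $Server) {
        $name  = $hint.NameServer.RecordData.NameServer.ToLower().TrimEnd('.')
        $addrs = foreach ($rr in $hint.IPAddress) {
            if ($rr.RecordType -eq 'A') { $rr.RecordData.IPv4Address.IPAddressToString }
            else                        { $rr.RecordData.IPv6Address.IPAddressToString }
        }
        $map[$name] = @($addrs | ForEach-Object { $_.ToLower() })
    }
    return $map
}

$iana   = Get-IanaRootAddresses -Lines (Get-Content -Path $NamedRootPath)
$server = Get-ServerRootAddresses -Server $ComputerName

# One row per root server whose glue differs. StaleOnServer: still on the server but no
# longer published by IANA. MissingOnServer: published by IANA but absent from the server.
foreach ($name in (@($iana.Keys) + @($server.Keys) | Sort-Object -Unique)) {
    $stale   = @($server[$name] | Where-Object { $_ -and $_ -notin $iana[$name] })
    $missing = @($iana[$name]   | Where-Object { $_ -and $_ -notin $server[$name] })
    if ($stale.Count -or $missing.Count) {
        [pscustomobject]@{ RootServer = $name; StaleOnServer = ($stale -join ', '); MissingOnServer = ($missing -join ', ') }
    }
}
```

An empty result means the server's hints match the current IANA list; run it against each DC in turn (or pass a different $ComputerName) to confirm all three agree.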
Zee (Author) commented:
Thanks for the quick response, Darrell.

I'll try the nslookup with the debug set a little later this evening so I don't mess with my users.  Aren't the answers to your questions in the output I attached?  I don't know too much about DNS except what it's meant to do, how to install it, run through the wizard, and make record changes.  I'm going to have to say my DNS is set up pretty "default" or basic.  Didn't make any special adjustments during the configuration.  I see use root hints checked if no forwarders are available and forwarding (to PDC and DC01) set up on SDC.  I've compared all the records on all 3 servers and to me they look the same.
Scott commented:
If you shut down one DC/DNS server and things get wonky, I would expect that something is set to use that DNS server and is now failing. If your DNS zones have replicated correctly then each domain controller can be set to use itself as the primary DNS server in the IPv4 property sheet.

scott
Zee (Author) commented:
Each server is setup to use another first and itself second as I've found in several articles.
Scott commented:
Change that so each of them points to themselves. How to set DNS in an AD is a little controversial. You can always set these back.

scott
Zee (Author) commented:
I looked over the server properties again, on each, and found 1 difference in the Forwarders tab.  See the attached pics.  Could that be my problem?
Attachment: ForwardersSetup2.png
footech commented:
It appears HOMEPDC is set to use the other DCs as forwarders, as is HOMESDC.  This is a bad configuration (shouldn't affect any resolution for internal zones, but will slow down internet resolution).  Forwarders are used (in general for basic setups) for resolving records from the internet.  If you're going to use forwarders, enter in the IPs of some public resolvers (like Google's) or your ISP's.  Test these before you decide which you are going to use to see which will give you good performance (use a DNS benchmark tool like the one found here - https://www.grc.com/dns/benchmark.htm ).

Side note - I favor keeping each DNS pointing to something other than itself as the preferred DNS in the NIC configuration.
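As an added example (not footech's code), a PowerShell audit that makes the misconfiguration above visible across every DC at once: it lists each DC's forwarders and flags any forwarder address that belongs to another domain controller in the same domain. It assumes the ActiveDirectory and DnsServer RSAT modules and rights to query each DC's DNS service remotely.

```powershell
# Added example, not footech's code: list each DC's forwarders and flag any that are
# themselves domain controllers in this domain (DCs forwarding to each other). Assumes the
# ActiveDirectory and DnsServer RSAT modules and rights to query every DC remotely.
Import-Module ActiveDirectory, DnsServer

$dcs = Get-ADDomainController -Filter *
# Every address a DC answers on; a forwarder pointing here just loops back into the domain.
$dcAddresses = @($dcs.IPv4Address) + @($dcs.IPv6Address) | Where-Object { $_ }

$report = foreach ($dc in $dcs) {
    $fwd = Get-DnsServerForwarder -ComputerName $dc.HostName
    if (-not $fwd.IPAddress) {
        # No forwarders at all: internet resolution relies on root hints alone.
        [pscustomobject]@{ DnsServer = $dc.HostName; Forwarder = '(none, root hints only)'; PointsAtDc = $false; UseRootHint = $fwd.UseRootHint }
        continue
    }
    foreach ($ip in $fwd.IPAddress) {
        [pscustomobject]@{
            DnsServer   = $dc.HostName
            Forwarder   = $ip.IPAddressToString
            PointsAtDc  = ($ip.IPAddressToString -in $dcAddresses)
            UseRootHint = $fwd.UseRootHint   # fall back to root hints if all forwarders fail
        }
    }
}

$report | Format-Table -AutoSize
# Any row with PointsAtDc = True is the loop described above: internal zones still resolve,
# but internet lookups wait on a DC that knows no more about the internet than the asker.
```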
Zee (Author) commented:
Thanks footech! I'll keep that in mind and look into making that adjustment.  Or should I just not use forwarders?  How would I do that?  Just remove them from the list on that tab?
Zee (Author) commented:
Footech, that tool is pretty awesome.  What's interesting is it doesn't pick up my oldest DNS server DC01.  Shows both PDC and SDC, though.
Zee (Author) commented:
I went ahead and tried Darrell's recommendation with debug on for nslookup.  Can one of you DNS gurus look over my results and let me know if anything stands out?  I looked over the data and it times out, with DC01's DNS off, close to the end.  Not sure if this even shows me what I need or which switches I should be trying to get what I need.
Attachments: nslookupDC01on.txt, nslookupDC01off.txt
footech commented:
You don't have to use forwarders.  Sometimes using them will result in faster resolution than using root hints, but that's not a given or the difference isn't always noticeable.  If you don't want to use forwarders you can remove them and make sure your root hints list is populated (you can reference the link Darrell provided to see if your list is up-to-date).

The tool includes the IPs you have configured for DNS in your NIC settings, so it will vary according to the configuration of the machine where you run it.  I generally make a custom list of DNS resolvers to test.
Zee (Author) commented:
Got it, thanks footech.  I'll confirm my root hints on each server match and are current and try removing the Forwarders because the original (old) DC01 server doesn't have any listed.  Just want to see if that will let me get rid of the old DC so I can continue with the rest of my plans.  Just out of curiosity, did either of the text files above show you anything that stands out as to what my problem could be?
footech commented:
All the nslookup results show is that there was a timeout when performing a lookup; it doesn't tell you what caused it.
Zee (Author) commented:
From the looks of things it may have been Darrell's info that pointed me to the eventual solution.  Not sure how the points work, but I do hope that each of you got something that I marked as helpful because it was.

To fix the problem, I compared root hints on all three servers and they were identical.  I then went out to the IANA site and compared them to what I had and found B and H had new IPs.  I updated those and removed the other servers from the forwarding tab.

I have DNS disabled on DC01 and all is working properly after 24 hours.  Before, when I would disable DNS on DC01, I would immediately have trouble resolving internet addresses.  This time around everything worked.  Thanks Darrell, and everyone else for your input.
footech commented:
It appears that you have marked some comments as helpful, which is good.  Now that your issue appears to be solved you should select one or more posts as the solution (or partial solution).
This is just my opinion, but it appears that you had two issues so I would select Darrell's and my initial post.  However, it's completely up to you.
Scott commented:
Verified root hints are important. Forwarders are controversial, and for years I didn't use forwarders unless in special cases. Today I subscribe all of my clients to Cisco OpenDNS and I use forwarders that point to their DNS servers for protection, primarily from crypto. I have seen LOTS of problems and long delays trying to access sites on the internet when you have a bad forwarder address. A bad forwarder address means you have instructed your server to attempt to get information from an IP address that doesn't work.  Glad you got it working. Scott