asked on DNS problems when shutting down old DC/DNS server temporarily.
Environment:
2008 FFL/DFL - 3 DCs
-HOMEDC01 - 2008 SP2 - DNS, GC
-HOMEPDC - 2008 R2 SP1 - FSMO, DHCP, DNS, WINS, GC
-HOMESDC (VM) - 2016 - DNS, GC
IPV6 enabled on all per articles found online.
DC01 has been on the network for years and did everything before. Then I brought up PDC a few years ago and transferred over all roles from DC01. 2 weeks ago I brought up SDC and set it up with DNS. Everything looks to be in order and the plan was to demote DC01 and retire it. I shut down DC01 for a few days and all of a sudden we started experiencing extremely slow loading times for any webpages. I brought it back up and everything went back to normal.
I made the necessary adjustments in DHCP to only provide PDC and SDC to clients for DNS.
I ran dcdiag /test:DNS /DNSALL /e /v to see whats going on and the only thing I can see is that root hints only seem to be showing up on DC01 in the output. I check DNS on PDC and SDC and they both have them, so not sure why they show up for only one server in the output. Is that my problem? What am I missing? (see attached output run from SDC, I also ran it on the other 2)
When I had DC01 off, before turning it back on, I ran nslookup and got major delays/time-outs the first time around but then would get a response eventually. Tried clearing cache on both PDC and SDC and re-registering both. No change.
Any direction or insight would be greatly appreciated. TIA
DCDIAG-DNSV.txt
2008 FFL/DFL - 3 DCs
-HOMEDC01 - 2008 SP2 - DNS, GC
-HOMEPDC - 2008 R2 SP1 - FSMO, DHCP, DNS, WINS, GC
-HOMESDC (VM) - 2016 - DNS, GC
IPV6 enabled on all per articles found online.
DC01 has been on the network for years and did everything before. Then I brought up PDC a few years ago and transferred over all roles from DC01. 2 weeks ago I brought up SDC and set it up with DNS. Everything looks to be in order and the plan was to demote DC01 and retire it. I shut down DC01 for a few days and all of a sudden we started experiencing extremely slow loading times for any webpages. I brought it back up and everything went back to normal.
I made the necessary adjustments in DHCP to only provide PDC and SDC to clients for DNS.
I ran dcdiag /test:DNS /DNSALL /e /v to see whats going on and the only thing I can see is that root hints only seem to be showing up on DC01 in the output. I check DNS on PDC and SDC and they both have them, so not sure why they show up for only one server in the output. Is that my problem? What am I missing? (see attached output run from SDC, I also ran it on the other 2)
When I had DC01 off, before turning it back on, I ran nslookup and got major delays/time-outs the first time around but then would get a response eventually. Tried clearing cache on both PDC and SDC and re-registering both. No change.
Any direction or insight would be greatly appreciated. TIA
DCDIAG-DNSV.txt
DHCPDNSNetworkingDomain Controller
Last Comment
Scott Gorcester
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
if you shutdown one dc/dns server and things get wonky i would expect that something is set to use that dns server and is now failing. if your dns zones have replicated correctly then each domain controller can be set to use itself as the primary dns server in the ipv4 property sheet.
scott
scott
ASKER
Each server is setup to use another first and itself second as I've found in several articles.
change that so each of them points to themselves. how to set dns in an ad is a little controversial. you can always set these back.
scott
scott
ASKER
I looked over the server properties again, on each, and found 1 difference in the Forwarders tab. See the attached pics. Could that be my problem?
ForwardersSetup2.png
ForwardersSetup2.png
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks footech! I'll keep that in mind and look into making that adjustment. Or should I just not use forwarders? How would I do that? Just remove them from the list on that tab?
ASKER
Footech, that tool is pretty awesome. What's interesting is it doesn't pick up my oldest DNS server DC01. Shows both PDC and SDC, though.
ASKER
I went ahead and tried Darrell's recommendation with debug on for nslookup. Can one of you DNS gurus look over my results and let me know if anything stands out? I looked over the data and it times out, with DC01's DNS off, close to the end. Not sure if this even shows me what I need or which switches I should be trying to get what I need.
nslookupDC01on.txt
nslookupDC01off.txt
nslookupDC01on.txt
nslookupDC01off.txt
You don't have to use forwarders. Sometimes using them will result in faster resolution than using root hints, but that's not a given or the difference isn't always noticeable. If you don't want to use forwarders you can remove them and make sure your root hints list is populated (you can reference the link Darrell provided to see if your list is up-to-date).
The tool includes the IPs you have configured for DNS in your NIC settings, will vary according to the configuration of the machine where you run it. I generally make a custom list of DNS resolvers to test.
The tool includes the IPs you have configured for DNS in your NIC settings, will vary according to the configuration of the machine where you run it. I generally make a custom list of DNS resolvers to test.
ASKER
Got it, thanks footech. I'll confirm my root hints on each server match and are current and try removing the Forwarders because the original (old) DC01 server doesn't have any listed. Just want to see if that will let me get rid of the old DC so I can continue with the rest of my plans. Just out of curiosity, did either of the text files above show you anything that stands out as to what my problem could be?
All the nslookup results show is that there was a timeout when performing a lookup, it doesn't tell you what caused it.
ASKER
From the looks of things it may have been Darrell's info that pointed me to the eventual solution. Not sure how the points work, but I do hope that each of you got something that I marked as helpful because it was.
To fix the problem, I compared root hints on all three servers and they were identical. I then went out to the IANA site and compared them to what I had and found B and H had new IPs. I updated those and removed the other servers from the forwarding tab.
I have DNS disabled on DC01 and all is working properly after 24 hours. Before, when I would disable DNS on DC01, I would immediately have trouble resolving internet addresses. This time around everything worked. Thanks Darrell, and everyone else for your input.
To fix the problem, I compared root hints on all three servers and they were identical. I then went out to the IANA site and compared them to what I had and found B and H had new IPs. I updated those and removed the other servers from the forwarding tab.
I have DNS disabled on DC01 and all is working properly after 24 hours. Before, when I would disable DNS on DC01, I would immediately have trouble resolving internet addresses. This time around everything worked. Thanks Darrell, and everyone else for your input.
It appears that you have marked some comments as helpful, which is good. Now that your issue appears to be solved you should select one or more posts as the solution (or partial solution).
This is just my opinion, but it appears that you had two issues so I would select Darrell's and my initial post. However, it's completely up to you.
This is just my opinion, but it appears that you had two issues so I would select Darrell's and my initial post. However, it's completely up to you.
verified root hints are important, forwarders are controversial and for years i didnt use forwarders unless in special cases. today i subscribe all of my clients to cisco opendns and i use forwarders that point to their dns servers for protection from primarily crypto. I have seen LOTS of problem and long delays trying to access sites on the internet, when you have bad forwarder address. a bad forward address means you have instructed your server to attempt to get information from a ip address that doesnt work. glad you got it working. Scott
I'll try the nslookup with the debug set a little later this evening so I don't mess with my users. Aren't the answers to your questions in the output I attached? I don't know too much about DNS expect what it's meant to do, how to install it, run through the wizard, and make record changes. I going to have to say my DNS is setup pretty "default" or basic. Didn't make any special adjustments during the configuration. I see use root hints checked if no forwarders are available and forwarding (to PDC and DC01) setup on SDC. I've compared all the records on all 3 servers and to me they look the same.