- Routers
- Networking
- VPN
- DHCP
- DNS
- domain controller
DNS problems when shutting down old DC/DNS server temporarily.
Environment:
2008 FFL/DFL - 3 DCs
-HOMEDC01 - 2008 SP2 - DNS, GC
-HOMEPDC - 2008 R2 SP1 - FSMO, DHCP, DNS, WINS, GC
-HOMESDC (VM) - 2016 - DNS, GC
IPV6 enabled on all per articles found online.
DC01 has been on the network for years and did everything before. Then I brought up PDC a few years ago and transferred over all roles from DC01. 2 weeks ago I brought up SDC and set it up with DNS. Everything looks to be in order and the plan was to demote DC01 and retire it. I shut down DC01 for a few days and all of a sudden we started experiencing extremely slow loading times for any webpages. I brought it back up and everything went back to normal.
I made the necessary adjustments in DHCP to only provide PDC and SDC to clients for DNS.
I ran dcdiag /test:DNS /DNSALL /e /v to see whats going on and the only thing I can see is that root hints only seem to be showing up on DC01 in the output. I check DNS on PDC and SDC and they both have them, so not sure why they show up for only one server in the output. Is that my problem? What am I missing? (see attached output run from SDC, I also ran it on the other 2)
When I had DC01 off, before turning it back on, I ran nslookup and got major delays/time-outs the first time around but then would get a response eventually. Tried clearing cache on both PDC and SDC and re-registering both. No change.
Any direction or insight would be greatly appreciated. TIA
DCDIAG-DNSV.txt
2008 FFL/DFL - 3 DCs
-HOMEDC01 - 2008 SP2 - DNS, GC
-HOMEPDC - 2008 R2 SP1 - FSMO, DHCP, DNS, WINS, GC
-HOMESDC (VM) - 2016 - DNS, GC
IPV6 enabled on all per articles found online.
DC01 has been on the network for years and did everything before. Then I brought up PDC a few years ago and transferred over all roles from DC01. 2 weeks ago I brought up SDC and set it up with DNS. Everything looks to be in order and the plan was to demote DC01 and retire it. I shut down DC01 for a few days and all of a sudden we started experiencing extremely slow loading times for any webpages. I brought it back up and everything went back to normal.
I made the necessary adjustments in DHCP to only provide PDC and SDC to clients for DNS.
I ran dcdiag /test:DNS /DNSALL /e /v to see whats going on and the only thing I can see is that root hints only seem to be showing up on DC01 in the output. I check DNS on PDC and SDC and they both have them, so not sure why they show up for only one server in the output. Is that my problem? What am I missing? (see attached output run from SDC, I also ran it on the other 2)
When I had DC01 off, before turning it back on, I ran nslookup and got major delays/time-outs the first time around but then would get a response eventually. Tried clearing cache on both PDC and SDC and re-registering both. No change.
Any direction or insight would be greatly appreciated. TIA
DCDIAG-DNSV.txt
How is DNS configured? Forwarders? Root hints?
Refer to this IANA link for the up-to-date root hint file.
Refer to this IANA page to view the hint root list in human readable format.
IF using NSLOOKUP.EXE to troubleshoot DNS, do the following:
At NSLOOKUP's > prompt, type set debug then type set debug2 then perform your lookups to determine where the failures or performance impact is occurring in the chain of lookups.
Additionally, since your ISP/Internet infrastructure is obviously not supporting IPv6 so you may want to remove the IPv6 hint root servers listed.
Refer to this IANA link for the up-to-date root hint file.
Refer to this IANA page to view the hint root list in human readable format.
IF using NSLOOKUP.EXE to troubleshoot DNS, do the following:
At NSLOOKUP's > prompt, type set debug then type set debug2 then perform your lookups to determine where the failures or performance impact is occurring in the chain of lookups.
Additionally, since your ISP/Internet infrastructure is obviously not supporting IPv6 so you may want to remove the IPv6 hint root servers listed.
Thanks for the quick response, Darrell.
I'll try the nslookup with the debug set a little later this evening so I don't mess with my users. Aren't the answers to your questions in the output I attached? I don't know too much about DNS expect what it's meant to do, how to install it, run through the wizard, and make record changes. I going to have to say my DNS is setup pretty "default" or basic. Didn't make any special adjustments during the configuration. I see use root hints checked if no forwarders are available and forwarding (to PDC and DC01) setup on SDC. I've compared all the records on all 3 servers and to me they look the same.
I'll try the nslookup with the debug set a little later this evening so I don't mess with my users. Aren't the answers to your questions in the output I attached? I don't know too much about DNS expect what it's meant to do, how to install it, run through the wizard, and make record changes. I going to have to say my DNS is setup pretty "default" or basic. Didn't make any special adjustments during the configuration. I see use root hints checked if no forwarders are available and forwarding (to PDC and DC01) setup on SDC. I've compared all the records on all 3 servers and to me they look the same.
if you shutdown one dc/dns server and things get wonky i would expect that something is set to use that dns server and is now failing. if your dns zones have replicated correctly then each domain controller can be set to use itself as the primary dns server in the ipv4 property sheet.
scott
scott
change that so each of them points to themselves. how to set dns in an ad is a little controversial. you can always set these back.
scott
scott
I looked over the server properties again, on each, and found 1 difference in the Forwarders tab. See the attached pics. Could that be my problem?
ForwardersSetup2.png
ForwardersSetup2.png
It appears HOMEPDC is set to use the other DCs as forwarders, as is HOMESDC. This is a bad configuration (shouldn't affect any resolution for internal zones, but will slow down internet resolution). Forwarders are used (in general for basic setups) for resolving records from the internet. If you're going to use forwarders, enter in the IPs of some public resolvers (like Google's) or your ISP's. Test these before you decide which you are going to use to see which will give you good performance (use a DNS benchmark tool like the one found here - https://www.grc.com/dns/benchmark.htm ).
Side note - I favor keeping each DNS pointing to something other than itself as the preferred DNS in the NIC configuration.
Side note - I favor keeping each DNS pointing to something other than itself as the preferred DNS in the NIC configuration.
Thanks footech! I'll keep that in mind and look into making that adjustment. Or should I just not use forwarders? How would I do that? Just remove them from the list on that tab?
Footech, that tool is pretty awesome. What's interesting is it doesn't pick up my oldest DNS server DC01. Shows both PDC and SDC, though.
I went ahead and tried Darrell's recommendation with debug on for nslookup. Can one of you DNS gurus look over my results and let me know if anything stands out? I looked over the data and it times out, with DC01's DNS off, close to the end. Not sure if this even shows me what I need or which switches I should be trying to get what I need.
nslookupDC01on.txt
nslookupDC01off.txt
nslookupDC01on.txt
nslookupDC01off.txt
You don't have to use forwarders. Sometimes using them will result in faster resolution than using root hints, but that's not a given or the difference isn't always noticeable. If you don't want to use forwarders you can remove them and make sure your root hints list is populated (you can reference the link Darrell provided to see if your list is up-to-date).
The tool includes the IPs you have configured for DNS in your NIC settings, will vary according to the configuration of the machine where you run it. I generally make a custom list of DNS resolvers to test.
The tool includes the IPs you have configured for DNS in your NIC settings, will vary according to the configuration of the machine where you run it. I generally make a custom list of DNS resolvers to test.
Got it, thanks footech. I'll confirm my root hints on each server match and are current and try removing the Forwarders because the original (old) DC01 server doesn't have any listed. Just want to see if that will let me get rid of the old DC so I can continue with the rest of my plans. Just out of curiosity, did either of the text files above show you anything that stands out as to what my problem could be?
All the nslookup results show is that there was a timeout when performing a lookup, it doesn't tell you what caused it.
From the looks of things it may have been Darrell's info that pointed me to the eventual solution. Not sure how the points work, but I do hope that each of you got something that I marked as helpful because it was.
To fix the problem, I compared root hints on all three servers and they were identical. I then went out to the IANA site and compared them to what I had and found B and H had new IPs. I updated those and removed the other servers from the forwarding tab.
I have DNS disabled on DC01 and all is working properly after 24 hours. Before, when I would disable DNS on DC01, I would immediately have trouble resolving internet addresses. This time around everything worked. Thanks Darrell, and everyone else for your input.
To fix the problem, I compared root hints on all three servers and they were identical. I then went out to the IANA site and compared them to what I had and found B and H had new IPs. I updated those and removed the other servers from the forwarding tab.
I have DNS disabled on DC01 and all is working properly after 24 hours. Before, when I would disable DNS on DC01, I would immediately have trouble resolving internet addresses. This time around everything worked. Thanks Darrell, and everyone else for your input.
It appears that you have marked some comments as helpful, which is good. Now that your issue appears to be solved you should select one or more posts as the solution (or partial solution).
This is just my opinion, but it appears that you had two issues so I would select Darrell's and my initial post. However, it's completely up to you.
This is just my opinion, but it appears that you had two issues so I would select Darrell's and my initial post. However, it's completely up to you.
verified root hints are important, forwarders are controversial and for years i didnt use forwarders unless in special cases. today i subscribe all of my clients to cisco opendns and i use forwarders that point to their dns servers for protection from primarily crypto. I have seen LOTS of problem and long delays trying to access sites on the internet, when you have bad forwarder address. a bad forward address means you have instructed your server to attempt to get information from a ip address that doesnt work. glad you got it working. Scott
Explore More ContentExplore courses, solutions, and other research materials related to this topic.
-
![]()
received a Solution
Sites switching domain name -
![]()
wrote an Article
![]()
Improve website response times easily with DNS Settings
-
![]()
created a Video
![]()
[Webinar] Learn How to Simplify Your Server Management
-
Explore Cloud Class® ![]()
70-647 - Windows Server Enterprise Administration
Premium Content
You need an Expert Office subscription to comment.Start Free Trial