Dual home DNS w/ AD doesn't work after several hours

Kevin D. Goodknecht Sr. [MVP]

Joe said:
The proxy is just for internet, email, FTP, etc.; no AV or DNS
within it.
Just a simple small utility/software.
I don't know if there is another purpose for that proxy;
as far as I know that's it.
Hopefully after these last changes I made the server will be
working OK.
Till now the DNS/ping by FQDN still fails after 6 hours or so
:(
I will let you know the result.
Please work, my 'baby'.......


Then, as far as I can tell, this proxy serves no real purpose; your router can
do this too, if they can use the router for the gateway. The proxy will
only serve as a point of failure.
I use a proxy, but my proxy is there for its anti-virus capabilities; it
scans email and websites for viruses and malicious code.
If all your clients can ping the router, I suggest you keep the proxy out of
the picture.
 
Ace Fekay [MVP]

Joe said:
Yes, there is a simple Netgear router connected to the DSL modem, and from this
router a connection to the dual-homed W2K SP3 server.
Thank you for the info and suggestion, Ace.

No problem. So you already have a router. May I ask why the W2k machine is
multihomed? Is it because you are running that Spoonproxy?

Ace
 
Joe

FYI:
In the zone file (craft.local), "Allow Dynamic Update" = Only secure updates.
Is this the cause? Should I choose No or another option?
 
Kevin D. Goodknecht Sr. [MVP]

Joe said:
FYI:
In the zone file (craft.local), "Allow Dynamic Update"
= Only secure updates.
Is this the cause? Should I choose No or another option?

Secure updates is fine so long as updates are getting done. You don't want to
choose No because your DC needs to register its records in the zone; setting
the zone to No will cause errors on the DC and on any other client that is
registering in DNS.
 
Joe

Oh, nightmare. I don't know what happened, but now from all clients
I cannot see the server, no network printer is available, and I cannot ping
the internet at all even though the server was rebooted.
But pinging the external NIC at 216.xxx.xxx.aaa is no problem, while pinging the
gateway/Netgear router or a public internet IP times out :((

Oh my God, I am in trouble now.... I don't know how to solve it; I tried
to change back to the original settings but it still doesn't work.
I tried enabling sharing for the internal NIC, and then the remote
connection cut off and I was not able to connect to that server (it uses a
static IP). So I couldn't try to solve it remotely, and this morning
(now, as I write, it is 3 am) at 8 am they are going to use
the program that runs on the server through the network (oops, it's
going to be a big mess if I can't solve it... their business depends on
this program that runs on the server.... I am a dead man).
I write this NOT to blame you guys; you have already been patient in guiding
me, thank you very much, but somehow I don't know why the system screwed
up. I just need to throw out my frustration somewhere......
I hope at least it runs like before, rebooting every 6 hours, rather than now when
nobody can use it....... Oh God please help me, I pray.

I tried to find the dual-homed/multihomed setup for TCP/IP but there is not much
and it is not helping me.

And the bad thing about this Google forum is that it takes 3-9 hours for a post
to become available.... so it is harder to interact asap.

If you have any suggestion, please let me know asap, thanks.

Regards,
Joe
 
Ace Fekay [MVP]

Joe said:
Oh, nightmare. I don't know what happened, but now from all clients
I cannot see the server, no network printer is available, and I cannot ping
the internet at all even though the server was rebooted.
But pinging the external NIC at 216.xxx.xxx.aaa is no problem, while pinging the
gateway/Netgear router or a public internet IP times out :((

Oh my God, I am in trouble now.... I don't know how to solve it; I tried
to change back to the original settings but it still doesn't work.
I tried enabling sharing for the internal NIC, and then the remote
connection cut off and I was not able to connect to that server (it uses a
static IP). So I couldn't try to solve it remotely, and this morning
(now, as I write, it is 3 am) at 8 am they are going to use
the program that runs on the server through the network (oops, it's
going to be a big mess if I can't solve it... their business depends on
this program that runs on the server.... I am a dead man).
I write this NOT to blame you guys; you have already been patient in guiding
me, thank you very much, but somehow I don't know why the system screwed
up. I just need to throw out my frustration somewhere......
I hope at least it runs like before, rebooting every 6 hours, rather than now when
nobody can use it....... Oh God please help me, I pray.

I tried to find the dual-homed/multihomed setup for TCP/IP but there is not much
and it is not helping me.

And the bad thing about this Google forum is that it takes 3-9 hours for a post
to become available.... so it is harder to interact asap.

If you have any suggestion, please let me know asap, thanks.

Regards,
Joe


Well, you shouldn't go through Google, for one. Use Outlook Express and set up a
newsgroup account; the server name is news.microsoft.com, and the group to
subscribe to is microsoft.public.win2000.dns. Just look for this post:

Newsgroups: microsoft.public.win2000.dns
Subject: Dual home DNS w/ AD doesn't work after several hours
Date: 26 Jul 2004 12:19:21 -0700
From: (e-mail address removed) (Joe)

Sorry to hear you are in this predicament. Not sure what happened; I thought
you had it all fixed.

Joe, maybe if your network were simplified, such as removing the Spoonproxy
(you're not using it anyway), removing the extra NIC, and just using the router
for Internet access instead of this dual-homed server, it may just work.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Joe

But thank God, this morning after the server reboot the users can
connect without problem as usual; I am just not sure about the DNS that stops
working after several hours, hopefully it's resolved.
Thanks very much to both of you.
 
Joe

Thank God, at least the users could use the centralized app today and
network printing without problem.
Just some computers cannot be connected to remotely from the server, although I
could ping them.
And the internet still doesn't work after several hours; also there are
several errors in the system log:
Source: userenv
eventid: 1000
the search for AD object fail with (87)

Windows cannot query for the list of GPO

Is this related because of DNS?

At least users can work, that's better... Phew.

I am so dumb... how come I use Google posting, when actually a long time ago
I used Outlook Express for newsgroups ;((
Otherwise it's going to be faster for communication.
Thanks Ace.


--
Regards,
Yohannes Tedjasukmana
MultiSoft Solutions Inc.

Tel:905-629-3640 Ext.122
Fax: 905-629-2910
(e-mail address removed)

 
Kevin D. Goodknecht Sr. [MVP]

Joe said:
Thank God, at least the users could use the centralized
app today and network printing without problem.
Just some computers cannot be connected to remotely from the
server, although I could ping them.
And the internet still doesn't work after several hours;
also there are several errors in the system log:
Source: userenv
eventid: 1000
the search for AD object fail with (87)

Windows cannot query for the list of GPO

Is this related because of DNS?

If you are getting userenv 1000 events, it is usually because it is looking
at the wrong interface for the SYSVOL share, possibly because the private IP
is not getting published for the domain name (steps 2 & 3 below), or the
private interface is not at the top of the binding order (step 4 below).

1. In the DNS management console, on the properties of the DNS server,
Interfaces tab, set DNS to only listen on the private IP you want in DNS for
the server.

2. Add this registry entry with regedt32 to stop the (same as parent folder)
records.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

LdapIpAddress

(If the DC is also a Global Catalog see note below)

3. Create a new host in DNS, leave the name field blank, give it the IP of
the internal interface. Win2k barks at you saying (same as parent folder) is
not a valid host name, click OK to create the record anyway.

4. Right click on Network places, choose properties, in the Advanced menu
select Advanced settings. Make sure the internal interface is at the top of
the connections pane and File sharing is enabled on the internal interface.


Note-

If the DC is also a Global Catalog use this registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

LdapIpAddress
GcIpAddress

And in addition to the (same as parent folder) record in the domain zone for
the domain name, expand _msdcs, open gc, create a new host with the name field
blank and give it the IP of the internal interface. This resolves as
gc._msdcs.forestroot.
 
Ace Fekay [MVP]

Joe said:
Thank God, at least the users could use the centralized app today and
network printing without problem.
Just some computers cannot be connected to remotely from the server, although
I could ping them.
And the internet still doesn't work after several hours; also there
are several errors in the system log:
Source: userenv
eventid: 1000
the search for AD object fail with (87)

Windows cannot query for the list of GPO

Is this related because of DNS?

At least users can work, that's better... Phew.

I am so dumb... how come I use Google posting, when actually a long
time ago I used Outlook Express for newsgroups ;((
Otherwise it's going to be faster for communication.
Thanks Ace.

You're welcome, Joe. OEx is easier than using any web interface to interact
with any newsgroup.

See what Kevin said about the reg entries.

Ace
 
Joe

Still the same problem exists: after several hours the ping using the FQDN
fails, even from the server itself to a public domain.

Before it happens there is always an event ID #5871, and also every time on
reboot.

I notice that after DNS fails, when I run netdiag /test:dns /v and compare WITH
after reboot (because after reboot the ping to the FQDN works OK), they are
different.

I list them below for comparison and analysis.

AFTER FAIL:

Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Adapter : WAN

Netcard queries test . . . : Passed

Adapter : IPX Internal Interface

Netcard queries test . . . : Passed

Adapter : IpxLoopbackAdapter

Netcard queries test . . . : Passed

Adapter : NDISWANIPX

Netcard queries test . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{8A7AEEE3-F3B6-48F1-93F5-6D39CAC7C19E}
1 NetBt transport currently configured.


DNS test . . . . . . . . . . . . . : Failed
[WARNING] Cannot find a primary authoritative DNS server for the
name
'ntserver1.craft.local.'. [ERROR_TIMEOUT]
The name 'ntserver1.craft.local.' may not be registered in DNS.
[WARNING] Cannot find a primary authoritative DNS server for the
name
'ntserver1.craft.local.'. [ERROR_TIMEOUT]
The name 'ntserver1.craft.local.' may not be registered in DNS.
[WARNING] The DNS entries for this DC cannot be verified right now on
DNS server 10.1.1.10, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC registered.

The command completed successfully



AFTER REBOOT:


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Adapter : WAN

Netcard queries test . . . : Passed

Adapter : IPX Internal Interface

Netcard queries test . . . : Passed

Adapter : IpxLoopbackAdapter

Netcard queries test . . . : Passed

Adapter : NDISWANIPX

Netcard queries test . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{8A7AEEE3-F3B6-48F1-93F5-6D39CAC7C19E}
1 NetBt transport currently configured.


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'10.1.1.10'.


The command completed successfully



I have followed all the instructions but somehow it still doesn't resolve the
problem, even though there is progress.
Hopefully there is another way to solve this weird thing.
 
Kevin D. Goodknecht Sr. [MVP]

Joe said:
Still the same problem exists: after several hours the
ping using the FQDN fails, even from the server itself to a
public domain.

Before it happens there is always an event ID #5871, and
also every time on reboot.

I notice that after DNS fails, when I run netdiag
/test:dns /v and compare WITH after reboot (because after
reboot the ping to the FQDN works OK), they are different.

This thread has gotten so long I don't remember if you said DNS was
configured with a forwarder and what the forwarder was.

It definitely looks like the DNS service is failing; when you look in the
Services console, does the service say it is stopped or running?
 
Joe

I know, it's pretty long.... but what can I do.

The internal NIC uses a forwarder to the ISP DNS (142.77.1.1 & .5).
When the ping to the FQDN failed, the DNS Server service was still running, and so
was Netlogon.
After I restarted the DNS Server service, event ID 6702 came up (still cannot
ping the FQDN), and afterward I restarted the Netlogon service and event ID
5781 came up (still cannot ping the FQDN).
Also from the log I see that after the time the ping to the FQDN failed (around 1:49
pm), around 2:25 pm quite many event ID 1000 (userenv) begin to show up.

I notice that after every server reboot there is a 5781 event ID but the
ping to the FQDN is still OK, but after exactly 6 hours 20 minutes, that's the 1st time
event ID 5781 shows up again in the event log, the ping to the FQDN fails, and afterward
there is a 5781 at exact 2-hour intervals.

What other thing could you suggest for resolving this weird problem??

If you need very detailed info about this server configuration, etc., I will
send it to you, but to an email address not published in this thread. If you
need it, please let me know your email address to send it to.
 
Kevin D. Goodknecht Sr. [MVP]

Joe said:
I know, it's pretty long.... but what can I do.

The internal NIC uses a forwarder to the ISP DNS (142.77.1.1 &
.5).

Internal NIC using a forwarder to the ISP?
All your NICs must be using the internal DNS, no exceptions, no ISP's DNS in
any position.

Joe said:
When the ping to the FQDN failed, the DNS Server
service was still running, and so was Netlogon.
After I restarted the DNS Server service, event ID 6702
came up (still cannot ping the FQDN), and afterward
I restarted the Netlogon service and event ID 5781 came up
(still cannot ping the FQDN).
Also from the log I see that after the time the ping to the FQDN
failed (around 1:49 pm), around 2:25 pm quite many
event ID 1000 (userenv) begin to show up.

I notice that after every server reboot there is a
5781 event ID but the ping to the FQDN is still OK, but after exactly 6
hours 20 minutes, that's the 1st time event ID 5781 shows
up again in the event log, the ping to the FQDN fails, and afterward
there is a 5781 at exact 2-hour intervals.

What other thing could you suggest for resolving this
weird problem??

This is getting to the point it might be easier and faster if I could remote
into this server. Follow the instructions in my signature line to email me;
you never want to post your email unmunged in a public forum.

Email me this:
1. Unedited ipconfig /all (text format)
2. Domain name from AD Users & Computers
3. Exported list of forward lookup zones in DNS
4. Exported list of records in your AD forward lookup zone


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your
issue. To respond directly to me remove the nospam. from my
email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
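A check for the rule Kevin states above (every NIC on the DC must point only at the internal DNS, never the ISP's), as an added example that is not code from the thread: it parses the text of `ipconfig /all`, the first item on Kevin's list, and reports every adapter that breaks the rule. The sample output is constructed to mirror the thread's setup (internal DNS 10.1.1.10, ISP resolvers 142.77.1.1 and .5); the 198.51.100.x WAN addresses are placeholders for the masked 216.xxx.xxx.aaa.

```python
"""Resolver audit for a multihomed DC (added example, not code from the thread).
Parses `ipconfig /all` text and flags any adapter whose DNS server list is not
the internal DC DNS only. Sample input is constructed; WAN IPs are placeholders."""
import re

INTERNAL_DNS = {"10.1.1.10"}  # the DC's own private-interface DNS address
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 10.1.1.10
        DNS Servers . . . . . . . . . . . : 10.1.1.10

Ethernet adapter WAN:
        IP Address. . . . . . . . . . . . : 198.51.100.10
        Default Gateway . . . . . . . . . : 198.51.100.9
        DNS Servers . . . . . . . . . . . : 142.77.1.1
                                            142.77.1.5
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")                   # "Ethernet adapter WAN:"
KEY_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?)\s*[. ]*:\s*(.*)$")    # "Key . . . : value"
CONT_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")            # extra DNS server line


def parse_ipconfig(text):
    """Return {adapter name: [DNS server IPs]} from ipconfig /all output."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        head, key, cont = ADAPTER_RE.match(line), KEY_RE.match(line), CONT_RE.match(line)
        if head:
            current, in_dns = head.group(1), False
            adapters[current] = []
        elif current and key:  # a new "Key : value" line ends any DNS Servers continuation
            in_dns = key.group(1).strip() == "DNS Servers"
            if in_dns and key.group(2).strip():
                adapters[current].append(key.group(2).strip())
        elif current and cont and in_dns:
            adapters[current].append(cont.group(1))
    return adapters


def audit(adapters, internal_dns=INTERNAL_DNS):
    """List (adapter, problem) for every NIC not using only the internal DNS."""
    findings = []
    for name, servers in adapters.items():
        foreign = [s for s in servers if s not in internal_dns]
        if not servers:
            findings.append((name, "no DNS server set; DC records cannot register"))
        elif foreign:
            findings.append((name, "points at external DNS " + ", ".join(foreign)))
    return findings
```

Run it against the real `ipconfig /all` output saved to a text file; any adapter listed in the findings is one to repoint at the internal DNS before retrying the registration steps.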
 