DNS Stops working

cswarr

I have two DNS servers, which are root domain
controllers. They are Win2k, SP4, with most of the latest
service packs. This past weekend, one of these servers
stopped responding to client requests. I didn't see any
signs of problems on the server - no bad event log
messages. After some investigation, we ended up rebooting
the machine and DNS started working again. This happened
on Sunday, then again yesterday morning and yesterday
afternoon. When DNS stopped working in the afternoon, I
didn't have to reboot the server and it started working
again after about 10 or 15 minutes. Any idea? Thanks.
 
Ace Fekay [MVP]

cswarr said:
I have two DNS servers, which are root domain
controllers. They are Win2k, SP4, with most of the latest
service packs. This past weekend, one of these servers
stopped responding to client requests. I didn't see any
signs of problems on the server - no bad event log
messages. After some investigation, we ended up rebooting
the machine and DNS started working again. This happened
on Sunday, then again yesterday morning and yesterday
afternoon. When DNS stopped working in the afternoon, I
didn't have to reboot the server and it started working
again after about 10 or 15 minutes. Any idea? Thanks.

Can we see an unedited ipconfig /all of the server and one of your clients?
My initial thought is that you may have a single label name. Also, the
ipconfig results will show what DNS servers the clients and the DNS server
(if a DC too) are using.

Thanks


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
cswarr

-----Original Message-----
Can we see an unedited ipconfig /all of the server and one of your clients?
My initial thought is that you may have a single label name. Also, the
ipconfig results will show what DNS servers the clients and the DNS server
(if a DC too) are using.

Thanks
Regards,
Ace

here you go...

DNS SERVER
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : dnsdc02
Primary DNS Suffix . . . . . . . : afsvision.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : afsvision.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Compaq NC3163 Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-02-A5-BD-59-A6
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.0.11
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.1.0.1
DNS Servers . . . . . . . . . . . : 10.1.0.10
                                    10.1.0.11
Primary WINS Server . . . . . . . : 10.1.0.11
Secondary WINS Server . . . . . . : 10.1.0.10

DNS SERVER
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : dnsrdc01
Primary DNS Suffix . . . . . . . : afsvision.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : afsvision.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Compaq NC3163 Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-02-B5-AD-57-A6
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.0.10
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.1.0.1
DNS Servers . . . . . . . . . . . : 10.1.0.11
                                    10.1.0.10
Primary WINS Server . . . . . . . : 10.1.0.10
Secondary WINS Server . . . . . . : 10.1.0.10

CLIENT
Windows IP Configuration

Host Name . . . . . . . . . . . . : client1
Primary Dns Suffix . . . . . . . : ad.afsvision.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ad.afsvision.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : afsvision.com
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-0A-C4-40-DC-AB
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.151.235
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.1.0.1
DHCP Server . . . . . . . . . . . : 10.1.20.44
DNS Servers . . . . . . . . . . . : 10.1.0.10
                                    10.1.0.11
Primary WINS Server . . . . . . . : 10.1.0.10
Secondary WINS Server . . . . . . : 10.1.0.11
Lease Obtained. . . . . . . . . . : Thursday, October 30, 2003 8:30:04 AM
Lease Expires . . . . . . . . . . : Thursday, November 06, 2003 8:30:04 AM
 
Kevin D. Goodknecht

cswarr said:
here you go...

At first glance the ipconfig appears OK; taking a closer look, I notice the
primary DNS suffix is not the same between the DC/DNS servers and the client
you posted. This can cause a real problem when these machines try to
register their addresses.

What is the actual domain name in ADU&C?
The Primary DNS suffix must match the DNS name of the AD domain. If it does
not, it has been known to cause DNS to fail.

Also, do these two DNS servers have forwarders defined? If so, they are not
forwarding to each other, are they? This will set up a DNS loop which will
also cause DNS to fail.
 
Ace Fekay [MVP]

Kevin D. Goodknecht said:

At first glance the ipconfig appears OK; taking a closer look, I notice the
primary DNS suffix is not the same between the DC/DNS servers and the client
you posted. This can cause a real problem when these machines try to
register their addresses.

What is the actual domain name in ADU&C?
The Primary DNS suffix must match the DNS name of the AD domain. If it does
not, it has been known to cause DNS to fail.

Also, do these two DNS servers have forwarders defined? If so, they are not
forwarding to each other, are they? This will set up a DNS loop which will
also cause DNS to fail.


Hi Chris and Kevin,

In addition, on the first 10.1.0.11 server, I see you have different WINS
servers. Not an issue with DNS, but since it's a WINS server, it should
point to itself twice. On 10.1.0.10, it's fine pointing to itself twice for
WINS. Otherwise, it can cause a problem with replication partners on who
owns the record, since a WINS server needs to own its own record.

Kevin asked about the forwarders. What forwarders are you using? And yes,
forwarding to itself will cause a forwarding loop. Kind of a (Star Trek)
Causality Loop. :)

Do they stop responding to Internet requests and directory services requests
or just the Internet?


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
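
The two ipconfig observations made in the replies above (Kevin's primary DNS suffix comparison and Ace's note that a WINS server should list only itself), as an added Python example that is not part of any poster's message. The names `parse_hosts` and `review` are hypothetical, and the sample is constructed from a trimmed copy of the thread's output; the suffix check only reports a difference for review, it does not decide whether the difference is a fault.

```python
import re

# Constructed sample, trimmed from the thread's ipconfig /all text, with one
# value wrapped onto the next line as pasted output often is.
SAMPLE = """\
Host Name . . . . . . . . . . . . : dnsdc02
Primary DNS Suffix . . . . . . . : afsvision.net
IP Address. . . . . . . . . . . . : 10.1.0.11
Primary WINS Server . . . . . . . : 10.1.0.11
Secondary WINS Server . . . . . . : 10.1.0.10

Host Name . . . . . . . . . . . . : client1
Primary Dns Suffix . . . . . . . :
ad.afsvision.net
IP Address. . . . . . . . . . . . : 10.1.151.235
Primary WINS Server . . . . . . . : 10.1.0.10
Secondary WINS Server . . . . . . : 10.1.0.11
"""

# A field line is "<label><dot leader>: <value>"; other text continues the last field.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-()]*?)\s*(?:\. ?)+:\s*(.*?)\s*$")

def parse_hosts(text):
    """Return one {label: [values]} dict per 'Host Name' block."""
    hosts, key = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key = m.group(1).lower()
            if key == "host name":
                hosts.append({})
            if hosts:
                hosts[-1][key] = [m.group(2)] if m.group(2) else []
        elif not line.strip():
            key = None                       # a blank line ends any wrapped value
        elif hosts and key:
            hosts[-1][key].append(line.strip())
    return hosts

def review(hosts):
    """Report a primary-suffix difference and WINS servers not pointing only to themselves."""
    notes = []
    suffixes = {h["host name"][0]: "".join(h.get("primary dns suffix", [])) for h in hosts}
    if len(set(suffixes.values())) > 1:
        notes.append(f"primary DNS suffix differs: {sorted(suffixes.items())}")
    wins_of = lambda h: h.get("primary wins server", []) + h.get("secondary wins server", [])
    wins_servers = {ip for h in hosts for ip in wins_of(h)}
    for h in hosts:
        if h["ip address"][0] in wins_servers and set(wins_of(h)) != set(h["ip address"]):
            notes.append(f"{h['host name'][0]} is a WINS server but lists another WINS server")
    return notes
```

Calling `review(parse_hosts(SAMPLE))` returns one note for the suffix difference and one for dnsdc02.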
 
cswarr

Hey guys,

Our win2k DNS servers forward to two BIND servers. The
problem we have is that our win2k boxes stop forwarding
internet requests to the BIND servers; internal DNS
resolution works. They may start back up by themselves,
but sometimes they don't and we have to restart DNS.
Thanks for the WINS tip, I took care of that.
 
Ace Fekay [MVP]

cswarr said:
Hey guys,

Our win2k DNS servers forward to two BIND servers. The
problem we have is that our win2k boxes stop forwarding
internet requests to the BIND servers; internal DNS
resolution works. They may start back up by themselves,
but sometimes they don't and we have to restart DNS.
Thanks for the WINS tip, I took care of that.

Try forwarding to this guy and see if that changes anything:
4.2.2.2

Also, any errors in the Event logs?


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
cswarr

That's the frustrating thing - there is nothing on the
servers that indicates a problem. There is nothing in
event viewer and I turned on DNS logging (everything), but
that really hasn't helped with this problem, either. The
server seems to be functioning fine.

Do you want me to forward our Win2k DNS to the address
below? If so, I'll try it, but I think the requests still
stop at the Win2k servers and don't get sent out.
 
Ace Fekay [MVP]

cswarr said:
That's the frustrating thing - there is nothing on the
servers that indicates a problem. There is nothing in
event viewer and I turned on DNS logging (everything), but
that really hasn't helped with this problem, either. The
server seems to be functioning fine.

Do you want me to forward our Win2k DNS to the address
below? If so, I'll try it, but I think the requests still
stop at the Win2k servers and don't get sent out.

If recursion is turned off, that will stop it too. Try that for a forwarder
and see if it helps.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Kevin D. Goodknecht [MVP]

cswarr said:
That's the frustrating thing - there is nothing on the
servers that indicates a problem. There is nothing in
event viewer and I turned on DNS logging (everything), but
that really hasn't helped with this problem, either. The
server seems to be functioning fine.

Do you want me to forward our Win2k DNS to the address
below? If so, I'll try it, but I think the requests still
stop at the Win2k servers and don't get sent out.

You have still not verified the AD domain name, is it afsvision.net or
ad.afsvision.net?
Having an incorrect Primary DNS suffix will overload DNS with registration
requests. Especially if your machine is trying to register in a zone that
does not exist.
 
Guest

The DNS servers are in the root domain, afsvision.net.
The clients are in the child domain ad.afsvision.net.

I guess one thing I'm not clear on is how the clients (and
servers for that matter) use the primary DNS suffix as
opposed to the connection specific dns entry.
 
Kevin D. Goodknecht [MVP]

In (e-mail address removed) <[email protected]>
posted a question
Then Kevin replied below:
The DNS servers are in the root domain, afsvision.net.
The clients are in the child domain ad.afsvision.net.

I guess one thing I'm not clear on is how the clients (and
servers for that matter) use the primary DNS suffix as
opposed to the connection specific dns entry.

Your machines will attempt to register their addresses in the zone name
listed for both the primary and connection DNS suffix in the DNS server
listed on the NIC.

Is DNS running on the Child DC?
Does the parent DC hold both of these zones?
It is possible to point the child clients only to the parent DNS but the
parent DNS must have a child zone configured to allow the child machines to
register in them or a delegation to the DNS server that has the child zone.
I am suspecting a DNS loop but I need verification of how your DNS servers
are setup as to their forwarders and zone locations and delegations.
 
Jonathan de Boyne Pollard

c> I turned on DNS logging (everything), but that
c> really hasn't helped with this problem, either.

It most certainly should. When the symptoms occur, use a DNS diagnosis tool
(such as "dig" or "dnsquery") to perform a query (with an otherwise quiescent
system) against an "external" domain name, and report both that and the
relevant extract of the debug log.
 
Michael Johnston [MSFT]

When the problem occurs, can you run NSLOOKUP and make queries against the server for records that it owns? Make sure
you query by FQDN and use a trailing "." on the end of the query. This will prevent a DNS suffix problem. Next, try clearing the
cache on the DNS server. To do this, open the DNS manager on that box. Right-click on the server name in the left pane tree
and choose Clear Cache.

Thank you,
Mike Johnston
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the
terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from
which they originated.
 
cswarr

The DNS servers are in the root domain and the clients are
in the child domain. The Win2k DNS servers in the Root
forward requests to BIND servers in our DMZ. There are
zones for afsvision.net (root) and ad.afsvision.net
(child) in our Win2k DNS. We are also using AD Integrated
zones.

 
Kevin D. Goodknecht [MVP]

cswarr said:
The DNS servers are in the root domain and the clients are
in the child domain. The Win2k DNS servers in the Root
forward requests to BIND servers in our DMZ. There are
zones for afsvision.net (root) and ad.afsvision.net
(child) in our Win2k DNS. We are also using AD Integrated
zones.

So you are saying that all machines are pointing to the two parent DCs only
for DNS including the Child Domain Controllers?
This is OK but the child domain zones should be a sub domain in the parent
zone instead of a separate zone on the parent DNS. Forwarding should only be
to the BIND servers in the DMZ or to your ISP. There should be no machines
using the BIND DNS at all in their NIC properties.

Depending on how many clients there are in total in each domain I would run
DNS on the child DCs with the Child DNS zone on them, then delegate the
child name in the parent zone on the parent DNS back to the Child DNS, even
if all machines are still using only the parent DNS in their NIC properties,
this would split the load among four servers instead of two.
 
