Interesting DNS issue

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

ISBCS

Thread Starter
Joined
Oct 20, 2005
Messages
18
Hi to all on the forum, this is my first post.

I hope someone can help me with what I believe to be a DNS issue with a Windows 2k3 Small Business Server.

The symptoms are that my clients (all Win XP SP2) are able to access some but not all websites, e.g. I can access Google, Yahoo, etc., practically any website except for:

1. microsoft.com
2. ebay.co.uk

I am, however, able to access all of these sites directly from the server.

The address of the DNS is set in the DHCP so the clients are getting the same DNS as the server, but even if I set the DNS addresses manually on the clients I get the same "Page cannot be displayed" error.

I have an SDSL connection which is protected via a Cisco Pix firewall. There is only one network card in the server therefore I do not suspect a routing issue.

Any help would be greatly appreciated.

Many thanks

Tom
 
Joined
Jul 7, 2004
Messages
7,235
Are you running in a workgroup or a domain setting? If you do an NSLOOKUP from the server and then try to do an NSLOOKUP on the PCs, is there any difference? Does your firewall have anything open for the server only but not the clients?
 

ISBCS

Thread Starter
Joined
Oct 20, 2005
Messages
18
Hi I'm running in a domain configuration. I can run NSLOOKUP tomorrow and feedback after with the results. I'm not aware of anything specifically configured on the firewall.

Thanks

Tom
 
Joined
Jan 26, 2001
Messages
2,070
Can you run an ipconfig /all inside a command prompt both on the server and on a couple of the client machines and attach the screenshots to your next post?
 
Joined
Jul 7, 2004
Messages
7,235
Usually with DNS on a domain you want something like this as the setup:

You want a server to be set up with the DNS server. Clients' DNS pointed to that server's IP. That server's DNS pointed to itself or to loopback 127.0.0.1 (I usually do loopback because if you change the server IP it's one less setting to change). Then within the DNS configuration of the server portion (not the TCP/IP properties) you have the forwarders to your ISP's DNS (or other outside DNS servers).

This will usually resolve a lot of the DNS resolution problems. Also, don't forget you have to have both a forward lookup zone and a reverse lookup zone specified within the DNS of the server.

Usually I'll look at the other settings within the DNS such as the infamous . folder (yes, it is a period) and things like that. I use the ping command and use NSLOOKUP to ensure I am getting good name resolution. If you use any client and you ping another internal machine name (not IP), the reply should come back as client.domain (IP); if the reply comes back as client (IP) then you are not resolving the FQDN and something is up with your DNS.

All of this helps to narrow down DNS issues.

Another thing: DNS problems on the domain can lead to unusually long login times, inability to see some or all network resources, and many other nasty things.
 
Joined
Jul 7, 2004
Messages
7,235
Also remember when dealing with DNS, sometimes after you make a change allow for a little time (except on the client side); sometimes things (like the reverse lookup zone stuff) can take a while to populate. I have had a new DNS server install take overnight to replicate. This isn't uncommon.
 

ISBCS

Thread Starter
Joined
Oct 20, 2005
Messages
18
Hi, sorry for the delay in replying. IPconfig details attached. Please note the server is only using a single NIC.

Server IPconfig
Windows IP Configuration

Host Name . . . . . . . . . . . . : novamain
Primary Dns Suffix . . . . . . . : internova.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : internova.local

Ethernet adapter Server Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-F1-BE-30-FA
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.0.0.254
DNS Servers . . . . . . . . . . . : 10.0.0.1
                                    195.40.0.250
Primary WINS Server . . . . . . . : 10.0.0.1

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : CNet PRO200WL PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-80-AD-73-D8-AD
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Autoconfiguration IP Address. . . : 169.254.8.173
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :

Client IPconfig; again, please note the VM configurations are not in use.
Windows IP Configuration

Host Name . . . . . . . . . . . . : ws06
Primary Dns Suffix . . . . . . . : internova.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : internova.local
                                    internova.local

Ethernet adapter VMware Network Adapter VMnet8:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
Physical Address. . . . . . . . . : 00-50-56-C0-00-08
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.94.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter VMware Network Adapter VMnet1:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
Physical Address. . . . . . . . . : 00-50-56-C0-00-01
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.220.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : internova.local
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-11-11-27-36-34
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.0.0.36
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.0.0.254
DHCP Server . . . . . . . . . . . : 10.0.0.1
DNS Servers . . . . . . . . . . . : 10.0.0.1
                                    212.135.1.36
                                    195.40.1.36
                                    195.40.0.250
Primary WINS Server . . . . . . . : 10.0.0.1
Lease Obtained. . . . . . . . . . : 25 October 2005 11:55:15
Lease Expires . . . . . . . . . . : 02 November 2005 11:55:15

The DNS Servers are Easynet.

Trying to access the Microsoft site from one of the other servers on the network has the same results as the clients. DNS on the other servers only has 10.0.0.1 as their primary DNS server.

Many thanks

Tom
 
Joined
Jul 7, 2004
Messages
7,235
First off (just so you don't break anything in the process, work on the server and get it up and running right): go to Start/Programs/Administrative Tools/DNS. When that opens, find your DNS server, right click it and select Properties. In there look for Forwarders, and in there put the Easynet IPs 212.135.1.36, 195.40.1.36, 195.40.0.250; add each one in the lower section and then apply it. Also note if you have a secondary DNS server in the DNS list. Usually there is a backup DNS in case the primary fails, but not all the time.

Next go into the reverse lookup zone and see if it has a subfolder of 10.0.0.X; if it does not, create a primary reverse lookup zone.

Lastly go to the server's TCP/IP properties and remove the DNS entry for 195.40.0.250.

Let this all propagate and sit 24 hours.

Take 1 test PC off DHCP and hardcode all settings, like this:

IP Address. . . . . . . . . . . . : 10.0.0.X (where X is an unused octet)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.0.0.254
DNS Servers . . . . . . . . . . . : 10.0.0.1
Primary WINS Server . . . . . . . : 10.0.0.1

Check out web browsing and use NSLOOKUP on the client. Also check out web browsing and use NSLOOKUP from the server.

Even if this does NOT resolve the web browsing it would also do the following -

THEN I would take out ALL of this - 212.135.1.36, 195.40.1.36, 195.40.0.250 - from your server which is supplying the DHCP. If you're truly running on a domain you should be resolving internal DNS to these machines, NOT having multiple external DNS in the mix. What happens is, if your server is ever busy, instead of waiting for the server, next they will resolve external DNS from the ISP and then your PC may not process all the AD information correctly. This can cause things like group policy failures, long login times, and other things.

Think of it this way - it's kind of like when you take a funnel and stick it in a bottle to fill up the bottle. The internet is the bottle. Your network PCs are on the large outside rim of a funnel. You want the server to be at the small spout side of the funnel and all PCs going through that server to resolve all DNS on the Internet side. The forwarders are on the server so the funnel knows the bottle is there. The liquid being poured in is the DNS requests from the large side (PCs) to the small spout (server) to the edge of the bottle (forwarders) to the bottle itself (internet).

The nice thing about this setup is if the funnel is removed from the bottle (i.e. your network is removed from the internet) the DNS of AD still works 100% without problems.
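As an added example (not from the thread or from any of its posters), a small Python script that parses `ipconfig /all` output like the one posted above, including the continuation lines on which the 2nd and later DNS servers are printed, and splits each adapter's DNS servers into internal and external ones, so clients that DHCP has handed ISP resolvers show up at a glance. The 10.0.0.0/16 internal range is an assumption taken from the posted subnet mask, and the sample text is a trimmed copy of the posted client output.

```python
import ipaddress
import re

# Constructed sample, trimmed from the client `ipconfig /all` posted in the thread
# (addresses as posted): an adapter with no DNS servers, and the LAN adapter.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter VMware Network Adapter VMnet8:

Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

Default Gateway . . . . . . . . . : 10.0.0.254
DNS Servers . . . . . . . . . . . : 10.0.0.1
212.135.1.36
195.40.1.36
195.40.0.250
Lease Obtained. . . . . . . . . . : 25 October 2005 11:55:15
"""
ADAPTER_RE = re.compile(r"^Ethernet adapter (.+):$")
FIELD_RE = re.compile(r"^([^:]*?)[ .]*: ?(.*)$")  # "Name . . . : value"

def _as_address(value):
    try:  # ipaddress object for value, or None if it is not an IP address
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; an address alone on a line continues the previous field."""
    adapters, current, last_field = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            last_field = None
        elif m := ADAPTER_RE.match(line):
            current = adapters.setdefault(m.group(1), {})
            last_field = None
        elif current is None:
            continue  # header lines above the first adapter are not needed
        elif last_field is not None and _as_address(line) is not None:
            current[last_field].append(line)  # continuation value (2nd+ DNS server)
        elif m := FIELD_RE.match(line):
            name, value = m.group(1).strip(), m.group(2).strip()
            current[name] = [value] if value else []
            last_field = name
    return adapters

def check_dns_servers(adapters, internal_nets=("10.0.0.0/16",)):
    """Split each adapter's DNS servers into (internal, external); on a domain the
    external ISP resolvers should not be handed to clients at all. Assumed range."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    report = {}
    for name, fields in adapters.items():
        servers = [s for s in fields.get("DNS Servers", []) if _as_address(s) is not None]
        if servers:
            internal = [s for s in servers if any(_as_address(s) in n for n in nets)]
            report[name] = (internal, [s for s in servers if s not in internal])
    return report
```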
 

ISBCS

Thread Starter
Joined
Oct 20, 2005
Messages
18
Hi, many thanks for your help. I have progressed the first part of your suggestions. The forwarders have already got the DNS details applied. The reverse lookup has an entry for 10.0.x.x set as a primary zone. I have included a second primary zone of 10.0.0.x as suggested. Should the previous 10.0.x.x zone be removed?

Removing the 195.40.0.250 from the server TCP/IP properties now prevents me from accessing Microsoft from the server as per the clients.

More to follow when it has had time to propagate.

Regards

Tom
 
Joined
Jul 7, 2004
Messages
7,235
Should the previous 10.0.x.x zone be removed?
Do you have other subnets? If so maybe it should stay, but I usually make a primary for each subnet I am using, so it would be like this:

Reverse lookup zone
10.0.0.X
10.0.1.X

and so forth

Removing the 195.40.0.250 from the server TCP/IP properties now prevents me from accessing Microsoft from the server as per the clients.
This right here tells me the BREAK in your DNS is definitely between your DNS server and your ISP - we have it narrowed down!

The forwarders have already got the DNS details applied.
Are you saying that these forwarders were in there even before I instructed you to put them in, i.e. have been there a while?

More to follow when it has had time to propagate.
You didn't mention if there were more than one server (the 10.0.0.1) on the DNS server list. Maybe something is being routed to another DNS server in your network somewhere?
 

ISBCS

Thread Starter
Joined
Oct 20, 2005
Messages
18
Hi, no there is only 1 subnet on the network 10.0.0.x.

Yes the DNS entries were already in the forwarders. I applied these a couple of weeks ago when I first started looking at the issue. I added the 195.40.0.250 address to this list last week when I realised the server was using a different DNS to the clients but this made no difference to the problem irrespective of the search order.

There are an additional 2 win2k3 servers on the network but I am not aware of them being configured as DNS servers. Unfortunately I am out of the office today but can check tomorrow. From what I can remember each of these point back to 10.0.0.1 for their DNS.

Why would the issue only appear on Microsoft and not any other site?

Many thanks

Tom
 
Joined
Jul 7, 2004
Messages
7,235
DNS acts funny. Once you have the DNS records, if DNS can't find it, it then forwards it on to a DNS server that may have the record that allows it to "resolve". Usually it's not the "big ones" that can't be resolved but the little no-name sites that have more problems.

If all of these entries are in place we may have to admit that DNS may not be working properly on your internal server. I have had more than 1 time I have had to rip out the DNS server service and do a complete reinstall.

I don't want to give up on this yet, so if you can, gather the rest of the information, i.e. whether any other servers are in the DNS server list. This way we can determine if it may just be that one server has the right info and the other does not.

Also I feel we have neglected the firewall itself... have you gone into the Cisco PIX and had a look at the logs? Are you utilizing some of the features like Filter URL? That would be another reason why some would be blocked and others would not.

I am not thinking the firewall is the issue though because even the clients that CAN access the website are behind this firewall right?
 

ISBCS

Thread Starter
Joined
Oct 20, 2005
Messages
18
Hi, all other servers on the network do not have a DNS service installed and are configured to the 10.0.0.1 address for their DNS.

The Cisco Pix has a rule which allows only requests from the 10.0.0.1 address to access the Internet so configuring a client with a static IP and specific DNS will not pass through the firewall.

Configuring a separate rule for a single client with a static IP & DNS allows access to the Microsoft site.

This would explain why the server (10.0.0.1) with a specific DNS address set in the TCP/IP properties can access Microsoft but not any of the clients.
It points back to the internal DNS server not forwarding the unresolved queries to the external DNS servers.

I have also noted that the Small Business Server server has not had SP1 applied which should be one of the first things to do before un-installing & re-installing the DNS service?

Do you agree or does the above help with any other thoughts?

Thanks again

Tom
 
Joined
Jul 7, 2004
Messages
7,235
Removing the 195.40.0.250 from the server TCP/IP properties now prevents me from accessing Microsoft from the server as per the clients.
The Cisco Pix has a rule which allows only requests from the 10.0.0.1 address to access the Internet so configuring a client with a static IP and specific DNS will not pass through the firewall.

Configuring a separate rule for a single client with a static IP & DNS allows access to the Microsoft site.
These two above statements do not jibe and really make me wonder if your DNS is just fubared; you say that removing the IP breaks the server's web browsing but you're still using 10.0.0.1 to do your DNS connection.

What kind of DNS errors are you seeing in the DNS Event log (If any)?

I have also noted that the Small Business Server server has not had SP1 applied which should be one of the first things to do before un-installing & re-installing the DNS service?
I would install the service, then the service pack... I just like to have the base services working correctly before I go applying service packs... I don't think from an operational standpoint it matters either way.
 

ISBCS

Thread Starter
Joined
Oct 20, 2005
Messages
18
Hi, yes taking the DNS server details out of the Server (10.0.0.1) TCP/IP properties prevents the server accessing the Microsoft site similar to the clients. This is despite it being the only server permitted to connect to the Internet via the firewall. Again I suspect the server is not forwarding on the request to the external DNS servers for this to be resolved.

There are a couple of DNS errors in the log which have been recurring several times a day since I started looking at the problem. The following is a copy of the events in the order they occurred, the first being the earliest:

EventID 4015
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

EventID 4004
The DNS server was unable to complete directory service enumeration of zone internova.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event ID 6702 (Multiple entries, perhaps 10 - 15 over this past month)
DNS server has updated its own host (A) records. In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.

If this DNS server does not have any DS-integrated peers, then this error should be ignored.

If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.

To ensure proper replication:
1) Find this server's Active Directory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact. (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
6) Note, that is not necessary to update EVERY replication partner. It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 