
Interesting DNS issue

Discussion in 'Networking' started by ISBCS, Oct 20, 2005.

  1. ISBCS

    ISBCS Thread Starter

    Joined:
    Oct 20, 2005
    Messages:
    18
    Hi to all on the forum, this is my first post.

    I hope someone can help me with what I believe to be a DNS issue with a Windows 2k3 Small Business Server.

    The symptoms are that my clients (all Win XP SP2) are able to access some but not all websites. e.g. I can access google, yahoo, etc, practically any website except for:

    1. microsoft.com
    2. ebay.co.uk

    I am however able to access all of these sites directly from the server?

    The address of the DNS is set in the DHCP so the clients are getting the same DNS as the server, but even if I set the DNS addresses manually on the clients I get the same "Page cannot be displayed" error.

    I have an SDSL connection which is protected via a Cisco Pix firewall. There is only one network card in the server therefore I do not suspect a routing issue.

    Any help would be greatly appreciated.

    Many thanks

    Tom
     
  2. StumpedTechy

    StumpedTechy

    Joined:
    Jul 7, 2004
    Messages:
    7,235
    Are you running in a workgroup or a domain setting? If you do an NSLOOKUP from the server and then try to do an NSLOOKUP on the PCs is there any difference? Does your firewall have anything open for the server only but not the clients?
     
  3. ISBCS

    ISBCS Thread Starter

    Joined:
    Oct 20, 2005
    Messages:
    18
    Hi I'm running in a domain configuration. I can run NSLOOKUP tomorrow and feedback after with the results. I'm not aware of anything specifically configured on the firewall.

    Thanks

    Tom
     
  4. skinnywhiteboy

    skinnywhiteboy

    Joined:
    Jan 26, 2001
    Messages:
    2,070
    First Name:
    Bruce
    Can you run an ipconfig /all inside a command prompt both on the server and on a couple of the client machines and attach the screenshots to your next post??
     
  5. StumpedTechy

    StumpedTechy

    Joined:
    Jul 7, 2004
    Messages:
    7,235
    Usually with DNS on a domain you want something like this as the setup -

    You want a server to be set up with the DNS server. Clients' DNS pointed to that server's IP. That server's DNS pointed to itself or to loopback 127.0.0.1 (I usually do loopback because if you change the server IP it's one less setting to change). Then within the DNS configuration of the server portion (not the TCP/IP properties) you have the forwarders to your ISP's DNS (or other outside DNS servers).

    This will usually resolve a lot of the DNS resolution problems. Also don't forget you have to have both a forward lookup zone and a reverse lookup zone specified within the DNS of the server.

    Usually I'll look at the other settings within the DNS such as the infamous . folder (yes it is a period) and things like that. I use the ping command and use NSLOOKUP to ensure I am getting good name resolution. If you use any client and you ping another internal machine name (not IP) the reply should come back as client.domain (IP); if the reply comes back as client (IP) then you are not resolving the FQDN and something is up with your DNS.

    All of this helps to narrow down DNS issues.

    Another thing: DNS problems on the domain can lead to unusually long login times, inability to see some or all network resources, and many other nasty things.
     
  6. StumpedTechy

    StumpedTechy

    Joined:
    Jul 7, 2004
    Messages:
    7,235
    Also remember when dealing with DNS, sometimes after you make a change allow for a little time (except on the client side); sometimes things (like the reverse lookup zone stuff) can take a while to populate. I have had a new DNS server install take overnight to replicate. This isn't uncommon.
     
  7. ISBCS

    ISBCS Thread Starter

    Joined:
    Oct 20, 2005
    Messages:
    18
    Hi, sorry for the delay in replying. IPconfig details attached. Please note the server is only using a single NIC.

    Server IPconfig
    Windows IP Configuration

    Host Name . . . . . . . . . . . . : novamain
    Primary Dns Suffix . . . . . . . : internova.local
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : internova.local

    Ethernet adapter Server Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
    Physical Address. . . . . . . . . : 00-0C-F1-BE-30-FA
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.0.0.1
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 10.0.0.254
    DNS Servers . . . . . . . . . . . : 10.0.0.1
    195.40.0.250
    Primary WINS Server . . . . . . . : 10.0.0.1

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : CNet PRO200WL PCI Fast Ethernet Adapter
    Physical Address. . . . . . . . . : 00-80-AD-73-D8-AD
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Autoconfiguration IP Address. . . : 169.254.8.173
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . :

    Client IPconfig, again please note the VM configurations are not in use.
    Windows IP Configuration

    Host Name . . . . . . . . . . . . : ws06
    Primary Dns Suffix . . . . . . . : internova.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : internova.local
    internova.local

    Ethernet adapter VMware Network Adapter VMnet8:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
    Physical Address. . . . . . . . . : 00-50-56-C0-00-08
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.94.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    Ethernet adapter VMware Network Adapter VMnet1:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
    Physical Address. . . . . . . . . : 00-50-56-C0-00-01
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.220.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : internova.local
    Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
    Physical Address. . . . . . . . . : 00-11-11-27-36-34
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 10.0.0.36
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 10.0.0.254
    DHCP Server . . . . . . . . . . . : 10.0.0.1
    DNS Servers . . . . . . . . . . . : 10.0.0.1
    212.135.1.36
    195.40.1.36
    195.40.0.250
    Primary WINS Server . . . . . . . : 10.0.0.1
    Lease Obtained. . . . . . . . . . : 25 October 2005 11:55:15
    Lease Expires . . . . . . . . . . : 02 November 2005 11:55:15

    The DNS Servers are Easynet.

    Trying to access the Microsoft site from one of the other servers on the network has the same results as the clients. DNS on the other servers only has 10.0.0.1 as their primary DNS Server.

    Many thanks

    Tom
     
  8. StumpedTechy

    StumpedTechy

    Joined:
    Jul 7, 2004
    Messages:
    7,235
    First off (just so you don't break anything in the process, work on the server and get it up and running right) - go to Start/Programs/Administrative Tools/DNS. When that opens, find your DNS server, right click it and select Properties. In there look for Forwarders and put in the Easynet IPs 212.135.1.36, 195.40.1.36, 195.40.0.250; add each one in the lower section and then apply it. Also note if you have a secondary DNS server in the DNS list. Usually there is a backup DNS in case the primary fails, but not all the time.

    Next go into the reverse lookup zone and see if it has a subfolder of 10.0.0.X if it does not create a primary reverse lookup zone.

    Lastly go to the servers TCP/IP properties and remove the DNS entry for - 195.40.0.250

    Let this all propagate and sit 24 hours.

    Take 1 test pc off DHCP and hardcode all settings - like this

    IP Address. . . . . . . . . . . . : 10.0.0.X (where X is an unused octet)
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 10.0.0.254
    DNS Servers . . . . . . . . . . . : 10.0.0.1
    Primary WINS Server . . . . . . . : 10.0.0.1

    Check out web browsing and use NSLOOKUP on the client. Also check out web browsing and use NSLOOKUP from the server.

    Even if this does NOT resolve the web browsing it would also do the following -

    THEN I would take out ALL this - 212.135.1.36, 195.40.1.36, 195.40.0.250 - from your server which is supplying the DHCP. If you're truly running on a domain you should be resolving internal DNS to these machines, NOT having multiple external DNS in the mix. What happens is if your server is ever busy, instead of waiting for the server they will next resolve external DNS from the ISP and then your PC may not process all the AD information correctly. This can cause things like group policy failures, long log in times, and other things.

    Think of it this way - it's kind of like when you take a funnel and stick it in a bottle to fill up the bottle - the internet is the bottle. Your network PCs are on the large outside rim of a funnel. You want the server to be at the small spout side of the funnel and all PCs going through that server to resolve all DNS on the Internet side. The forwarders are on the server so the funnel knows the bottle is there. The liquid being poured in is the DNS requests from the large side (PCs) to the small spout (server) to the edge of the bottle (forwarders) to the bottle itself (internet).

    The nice thing about this setup is if the funnel is removed from the bottle (I.E. your network is removed from the internet) the DNS of AD still works 100% without problems.
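    The NSLOOKUP-on-server-versus-client check from posts 5 and 8 can be scripted so each hop in the funnel (the internal SBS DNS at 10.0.0.1, then each Easynet forwarder) is asked the same question and its answer compared. This is an added example, not code from the thread; it is a minimal UDP DNS client with no third-party modules, and the server addresses are the ones posted above.

```python
"""Ask the internal DNS server and each forwarder for the same A record,
so a hop that answers SERVFAIL, times out, or returns a truncated reply
stands out. Added example; server list is from the thread, constructed
packets in the test are not real traffic."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid=0x1234):
    """Plain recursion-desired A/IN query, no EDNS0 OPT record."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += ln + 1


def parse_response(pkt):
    """Return id, rcode name, TC flag and the A addresses in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4     # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "truncated": bool(flags & 0x0200), "answers": addrs}


def query_server(server, name, timeout=3.0):
    """One UDP query to one server; a timeout is reported, not raised."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"server": server, "rcode": "TIMEOUT", "truncated": False, "answers": []}
    return dict(parse_response(data), server=server)


if __name__ == "__main__":
    # Internal SBS DNS first, then the Easynet forwarders listed in the thread.
    for srv in ["10.0.0.1", "212.135.1.36", "195.40.1.36", "195.40.0.250"]:
        r = query_server(srv, "microsoft.com")
        print(srv, r["rcode"], "TC" if r["truncated"] else "", r["answers"])
```

Run it once on the server and once on a client: if 10.0.0.1 returns SERVFAIL or times out while the forwarders answer, the break is between the internal server and the ISP, as post 10 suspects.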
     
  9. ISBCS

    ISBCS Thread Starter

    Joined:
    Oct 20, 2005
    Messages:
    18
    Hi, many thanks for your help. I have progressed the first part of your suggestions. The forwarders have already got the DNS details applied. The reverse lookup has an entry for 10.0.x.x set as a primary zone. I have included a second primary zone of 10.0.0.x as suggested. Should the previous 10.0.x.x zone be removed?

    Removing the 195.40.0.250 from the server TCP/IP properties now prevents me from accessing Microsoft from the server as per the clients.

    More to follow when it has had time to propagate.

    Regards

    Tom
     
  10. StumpedTechy

    StumpedTechy

    Joined:
    Jul 7, 2004
    Messages:
    7,235
    Do you have other subnets? If so maybe it should stay but I usually make a primary for each subnet I am using so it would be like this

    Reverse lookup zone
    10.0.0.X
    10.0.1.X

    and so forth

    This right here tells me the BREAK in your DNS is definitely between your DNS server and your ISP - we have it narrowed down!

    Are you saying that these forwarders were in there even before I instructed to put them in I.E. have been there awhile?

    You didn't mention if there were more than one server (the 10.0.0.1) on the DNS server list. Maybe something is being routed to another DNS server in your network somewhere?
     
  11. ISBCS

    ISBCS Thread Starter

    Joined:
    Oct 20, 2005
    Messages:
    18
    Hi, no there is only 1 subnet on the network 10.0.0.x.

    Yes the DNS entries were already in the forwarders. I applied these a couple of weeks ago when I first started looking at the issue. I added the 195.40.0.250 address to this list last week when I realised the server was using a different DNS to the clients but this made no difference to the problem irrespective of the search order.

    There are an additional 2 win2k3 servers on the network but I am not aware of them being configured as DNS servers. Unfortunately I am out of the office today but can check tomorrow. From what I can remember each of these point back to 10.0.0.1 for their DNS.

    Why would the issue only appear on Microsoft and not any other site?

    Many thanks

    Tom
     
  12. StumpedTechy

    StumpedTechy

    Joined:
    Jul 7, 2004
    Messages:
    7,235
    DNS acts funny: once you have the DNS records, if DNS can't find it, it then forwards it on to a DNS server that may have the record that allows it to "resolve". Usually it's not the "big ones" that can't be resolved but the little no-name sites that have more problems.

    If all of the entries are in place we may have to admit that DNS may not be working properly on your internal server. I have had more than one time where I have had to rip out the DNS server service and do a complete reinstall.

    I don't want to give up on this yet so if you can gather the rest of the information I.E. if any other servers are in the DNS server list. This way we can determine if it may just be that one server has the right info and the other does not.

    Also I feel we have neglected the firewall itself... have you gone into the Cisco PIX and had a look at the logs... Are you utilizing some of the features like Filter URL? That would be another reason why some would be blocked and others would not.

    I am not thinking the firewall is the issue though because even the clients that CAN access the website are behind this firewall right?
     
  13. ISBCS

    ISBCS Thread Starter

    Joined:
    Oct 20, 2005
    Messages:
    18
    Hi All other servers on the network do not have a DNS service installed and are configured to the 10.0.0.1 address for their DNS.

    The Cisco Pix has a rule which allows only requests from the 10.0.0.1 address to access the Internet so configuring a client with a static IP and specific DNS will not pass through the firewall.

    Configuring a separate rule for a single client with a static IP & DNS allows access to the microsoft site.

    This would explain why the server (10.0.0.1) with a specific DNS address set in the TCP/IP properties can access Microsoft but not any of the clients.
    It points back to the internal DNS server not forwarding the unresolved queries to the external DNS servers.

    I have also noted that the Small Business Server server has not had SP1 applied which should be one of the first things to do before un-installing & re-installing the DNS service?

    Do you agree or does the above help with any other thoughts?

    Thanks again

    Tom
     
  14. StumpedTechy

    StumpedTechy

    Joined:
    Jul 7, 2004
    Messages:
    7,235
    These two above statements do not jive and really make me wonder if your DNS is just fubared; you say that removing the IP breaks the server's web browsing but you're still using 10.0.0.1 to do your DNS connection.

    What kind of DNS errors are you seeing in the DNS Event log (If any)?

    I would install the service, then the service pack... I just like to have the base services working correctly before I go applying service packs... I don't think from an operational standpoint it matters either way.
     
  15. ISBCS

    ISBCS Thread Starter

    Joined:
    Oct 20, 2005
    Messages:
    18
    Hi, yes taking the DNS server details out of the Server (10.0.0.1) TCP/IP properties prevents the server accessing the Microsoft site similar to the clients. This is despite it being the only server permitted to connect to the Internet via the firewall. Again I suspect the server is not forwarding on the request to the external DNS servers for this to be resolved.

    There are a couple of DNS errors in the log which have been recurring several times a day since I started looking at the problem. The following is a copy of the events in the order they have occurred. The first being the earliest:

    EventID 4015
    The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    EventID 4004
    The DNS server was unable to complete directory service enumeration of zone internova.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event ID 6702 (Multiple entries, perhaps 10 - 15 over this past month)
    DNS server has updated its own host (A) records. In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.

    If this DNS server does not have any DS-integrated peers, then this error
    should be ignored.

    If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.

    To ensure proper replication:
    1) Find this server's Active Directory replication partners that run the DNS server.
    2) Open DnsManager and connect in turn to each of the replication partners.
    3) On each server, check the host (A record) registration for THIS server.
    4) Delete any A records that do NOT correspond to IP addresses of this server.
    5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact. (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
    6) Note, that is not necessary to update EVERY replication partner. It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
     