DC DNS Errors and blocks internet traffic

[Chrisxs5]

I seem to be getting errors 4005 and 4015 evry other day on my 2003 DC. When this happens all interent is blocked for domains on the controller. I know we still have internet for several reasons, our VOIP system is on a completely different server system but uses the same T1 as well as the router will ping outside websites.

Another weird thing about this is the network will allow some outgoing traffic. I have some scripts that run every 5 minutes to test that my offsite websites are up and running, I get the text message every time while trying to figure out what is up.

The internet is up and running right now but  will go down if I cant figure out the cause.

(The DC is a spare Dell I had with a 1 gig proc and 256 memory, running Server 2003 and all updates are current)

[Rob Pomeroy]

Are you using ISA?

Are you using that server for DHCP/as a DNS server for other machines?

PLEASE treat that server to a memory upgrade!

[jerryheavyarms]

Also what do you get when you try to ping sites from the internet such as yahoo.com or google.com?

[Chrisxs5]

Are you using ISA?

Are you using that server for DHCP/as a DNS server for other machines?

PLEASE treat that server to a memory upgrade!

Were are not using ISA, I really wish we were. We have a Sonicwall that serves has the firewall. The DC does also serve as the DHCP and DNS server. It also seems that when the issue occurs, every time I make a chnage in  the DNS, I will get the net for about 20 seconds.

I will go ahead and max the server out in memory, it will only go to 1g tho.

[Chrisxs5]

Also what do you get when you try to ping sites from the internet such as yahoo.com or google.com?

I can not ping from a cmd prompt at will. I can ping from within our router/firewall (Sonicwall) just fine.

[jerryheavyarms]

Hmm..Have you tried to restart DNS/DHCP

[Chrisxs5]

That seems to do no good either. Most of the computers are static IP's anyways, I have basically ruled out the DHCP. I think it is the darn DNS. When I restart it, I will get the internet for about the same 20 seconds.

The first time this happened I added a Host A record pointing to the router and that seem to fix. The second time I deleted the record, The 3rd time I quit screwing with that record.

[jerryheavyarms]

Can you visit the site using their IP address?

May we know how did you set up your servers? where did you point the server's DNS and alternate DNS server?

[Chrisxs5]

No I can not visit the sites by IP address. I did try that.

The original design when I came on was all 2K servers including the 2 DC's. I built the 2003 DC and promoted it to master in all areas. I then (after giving it a week of replication) demoted all the other DC's since they were actual application and SQL servers. I have not yet created the alternate DC yet. And yes: I know better. 

(You can interchange DC and DNS if you would like, it was all done the same way.)

[Rob Pomeroy]

By coincidence I think 20 seconds is the initial default timeout on most Windows clients' DNS queries.  Will give this some more thought, but just wanted to toss that one in there for now.

[Chrisxs5]

By coincidence I think 20 seconds is the initial default timeout on most Windows clients' DNS queries.  Will give this some more thought, but just wanted to toss that one in there for now.

I had a feeling it was something like that. I think tonight I will stop DNS and seewhat effect that has on the system as well as throwing those Host A records in back in.

[Rob Pomeroy]

I'd be interested in an answer to Jerry's question - the 2003 server - what DNS servers is it pointing at?

SonicWalls are a PITA by the way.  You already know that.    If price is an issue, better get a Vyatta.

One last question: when the internet appears to be down, if you run "nslookup" from a client workstation, what happens?

[Chrisxs5]

I might not be understanding the question, which happens alot with me. But here is answer just the same 

The DC is also the DNS server (.10), all computers point here, including itself. The router serves as the firewall also(.1).

[Rob Pomeroy]

So let me just check I've got this right.  Your domain controller has a single network card on your LAN (it is not operating as a router).  Its DNS server points only at itself for all DNS queries.  In that case, how can it resolve queries concerning external domains?

[Chrisxs5]

So let me just check I've got this right.  Your domain controller has a single network card on your LAN (it is not operating as a router).  Its DNS server points only at itself for all DNS queries.  In that case, how can it resolve queries concerning external domains?

You do have it all right. THe DC doesnt need to resolve external DNS queries for itself only for the computers going through it. This is my the theory in my head  , do I need to change some things?