Author Topic: DC DNS Errors and blocks internet traffic (Read 24484 times)

Chrisxs5 · « **on:** June 22, 2009, 07:23:40 PM »

I seem to be getting errors 4005 and 4015 evry other day on my 2003 DC. When this happens all interent is blocked for domains on the controller. I know we still have internet for several reasons, our VOIP system is on a completely different server system but uses the same T1 as well as the router will ping outside websites.

Another weird thing about this is the network will allow some outgoing traffic. I have some scripts that run every 5 minutes to test that my offsite websites are up and running, I get the text message every time while trying to figure out what is up.

The internet is up and running right now but will go down if I cant figure out the cause.

(The DC is a spare Dell I had with a 1 gig proc and 256 memory, running Server 2003 and all updates are current)

Rob Pomeroy · « **Reply #1 on:** June 24, 2009, 06:49:04 AM »

Are you using ISA?

Are you using that server for DHCP/as a DNS server for other machines?

PLEASE treat that server to a memory upgrade!

jerryheavyarms · « **Reply #2 on:** June 24, 2009, 09:06:51 AM »

Also what do you get when you try to ping sites from the internet such as yahoo.com or google.com?

Chrisxs5 · « **Reply #3 on:** June 24, 2009, 11:57:46 AM »

Quote from: Rob Pomeroy on June 24, 2009, 06:49:04 AM

Are you using ISA?

Are you using that server for DHCP/as a DNS server for other machines?

PLEASE treat that server to a memory upgrade!

Were are not using ISA, I really wish we were. We have a Sonicwall that serves has the firewall. The DC does also serve as the DHCP and DNS server. It also seems that when the issue occurs, every time I make a chnage in the DNS, I will get the net for about 20 seconds.

I will go ahead and max the server out in memory, it will only go to 1g tho.

Chrisxs5 · « **Reply #4 on:** June 24, 2009, 11:58:43 AM »

Quote from: jerryheavyarms on June 24, 2009, 09:06:51 AM

Also what do you get when you try to ping sites from the internet such as yahoo.com or google.com?

I can not ping from a cmd prompt at will. I can ping from within our router/firewall (Sonicwall) just fine.

jerryheavyarms · « **Reply #5 on:** June 24, 2009, 12:28:41 PM »

Hmm..Have you tried to restart DNS/DHCP

Chrisxs5 · « **Reply #6 on:** June 24, 2009, 12:36:38 PM »

That seems to do no good either. Most of the computers are static IP's anyways, I have basically ruled out the DHCP. I think it is the darn DNS. When I restart it, I will get the internet for about the same 20 seconds.

The first time this happened I added a Host A record pointing to the router and that seem to fix. The second time I deleted the record, The 3rd time I quit screwing with that record.

jerryheavyarms · « **Reply #7 on:** June 24, 2009, 12:50:31 PM »

Can you visit the site using their IP address?

May we know how did you set up your servers? where did you point the server's DNS and alternate DNS server?

Chrisxs5 · « **Reply #8 on:** June 24, 2009, 12:58:07 PM »

No I can not visit the sites by IP address. I did try that.

The original design when I came on was all 2K servers including the 2 DC's. I built the 2003 DC and promoted it to master in all areas. I then (after giving it a week of replication) demoted all the other DC's since they were actual application and SQL servers. I have not yet created the alternate DC yet. And yes: I know better.

(You can interchange DC and DNS if you would like, it was all done the same way.)

Rob Pomeroy · « **Reply #9 on:** June 24, 2009, 02:14:52 PM »

By coincidence I think 20 seconds is the initial default timeout on most Windows clients' DNS queries. Will give this some more thought, but just wanted to toss that one in there for now.

Chrisxs5 · « **Reply #10 on:** June 25, 2009, 08:19:12 AM »

Quote from: Rob Pomeroy on June 24, 2009, 02:14:52 PM

By coincidence I think 20 seconds is the initial default timeout on most Windows clients' DNS queries. Will give this some more thought, but just wanted to toss that one in there for now.

I had a feeling it was something like that. I think tonight I will stop DNS and seewhat effect that has on the system as well as throwing those Host A records in back in.

Rob Pomeroy · « **Reply #11 on:** June 25, 2009, 11:28:15 AM »

I'd be interested in an answer to Jerry's question - the 2003 server - what DNS servers is it pointing at?

SonicWalls are a PITA by the way. You already know that.

If price is an issue, better get a Vyatta.

One last question: when the internet appears to be down, if you run "nslookup" from a client workstation, what happens?

Chrisxs5 · « **Reply #12 on:** June 25, 2009, 12:33:08 PM »

I might not be understanding the question, which happens alot with me. But here is answer just the same

The DC is also the DNS server (.10), all computers point here, including itself. The router serves as the firewall also(.1).

Rob Pomeroy · « **Reply #13 on:** June 26, 2009, 01:45:35 AM »

So let me just check I've got this right. Your domain controller has a single network card on your LAN (it is not operating as a router). Its DNS server points only at itself for all DNS queries. In that case, how can it resolve queries concerning external domains?

Chrisxs5 · « **Reply #14 on:** June 26, 2009, 07:50:17 AM »

Quote from: Rob Pomeroy on June 26, 2009, 01:45:35 AM

So let me just check I've got this right. Your domain controller has a single network card on your LAN (it is not operating as a router). Its DNS server points only at itself for all DNS queries. In that case, how can it resolve queries concerning external domains?

You do have it all right. THe DC doesnt need to resolve external DNS queries for itself only for the computers going through it. This is my the theory in my head $:-\$ , do I need to change some things?

Rob Pomeroy · « **Reply #15 on:** June 26, 2009, 12:21:11 PM »

Well I have one more assumption, which is this: your client computers are only getting the DC's IP address for DNS queries. So the DC is operating as a caching proxy. And when the DC gets requests for external sites, it doesn't know what to do with them. So: leave DHCP alone, but in the DNS settings for the DC, make the first entry the IP address of your router. That well the DC will authoritatively answer queries in relation to computers within AD and pass on everything else. Try it.

Chrisxs5 · « **Reply #16 on:** June 26, 2009, 12:33:12 PM »

OK so change the DNS setting on the DC from:

.10 (Itself)
.11 (Non-existing DC) LOL

To:

.1 (The router, to provide routing for external request)
.10 (To itself for DNS request as well)

Am I understanding correctly? Becuase it does sound the probable solution.

jerryheavyarms · « **Reply #17 on:** June 26, 2009, 12:35:18 PM »

And the alternative DNS server could be your Internet provider.

You could also use <a href="http://www.opendns.com/solutions/overview/>openDNS[/url]

Chrisxs5 · « **Reply #18 on:** June 26, 2009, 12:48:09 PM »

OK, so I have made plans to be here tomorrow night to implement these changes. Also I am now very intrigue by OpenDNS and will be looking into that closer.

I will update on my status either Monday or Tuesday.

Thanks

jerryheavyarms · « **Reply #19 on:** June 26, 2009, 12:51:55 PM »

Yes, please update us.

Good luck!

Rob Pomeroy · « **Reply #20 on:** June 26, 2009, 02:25:54 PM »

Good call Jerry. My preference would be (from the DC) to query the router rather than the ISP, for various reasons (local caching, lower maintenance) but the OpenDNS project is always worth a look.

And yes Chris, I would do the change you suggested. If you wish to implement OpenDNS, I would do it at the router, not at the DC. DNS is very noisy traffic with latency issues and it's best to keep as much of it local as possible.

jerryheavyarms · « **Reply #21 on:** June 26, 2009, 02:56:10 PM »

I think you're right Rob. Just as what Chris stated that he has only one network connection

Chrisxs5 · « **Reply #22 on:** June 30, 2009, 03:18:13 PM »

I set it to:
.10.1 (Router)
.10.10 (Self)

It appeared to be working this way and then about 15 minutes ago it happened again, the internet went completely down. So I set it to opbtain its own info and then reentered the IP info and that brought the internet back up.

Rob Pomeroy · « **Reply #23 on:** June 30, 2009, 05:48:38 PM »

Right, so you're now (potentially) entering the realms of flaky network cards or faulty software or something of that ilk. For further diagnoistics, when the internet appears to be down, from a client machine in a command prompt run the command "nslookup www.google.com". What happens? Repeat from the DC.

What network switch do you have between the DC and the other PCs/devices? What speeds/duplex are the cards running at?

Chrisxs5 · « **Reply #24 on:** July 01, 2009, 09:48:43 AM »

I will pull one next time the internet goes down as well.

Code: [Select]

C:\Documents and Settings\cwilcox>nslookup www.google.com
Server:  dc01.ptc.local
Address:  192.168.10.10

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  74.125.47.105, 74.125.47.103, 74.125.47.106, 74.125.47.104
          74.125.47.99, 74.125.47.147
Aliases:  www.google.com

As for the switches the DC connects to an AOpen 10/100 and I also have an Airlink 10/100/1000 on the system as well. Both 24 port.

jerryheavyarms · « **Reply #25 on:** July 01, 2009, 10:51:46 AM »

Have you tried setting your ISP's address to be an alternate DNS server?

Chrisxs5 · « **Reply #26 on:** July 01, 2009, 11:51:05 AM »

I have not tried that yet. I will try that this weekend or next time it goes down. I went out and got a network card and some memory for the DC, so I am going to try and get all that in this weekend.

Chrisxs5 · « **Reply #27 on:** July 03, 2009, 06:28:46 AM »

So it went back down again. I implemented my ISPs IP and that did nothing. I tried promoting another DC that I made a few days ago and it couldnt bring back the internet either. So this time I tried something a little out of the norm for me. I turned off all the lights and went home! Came back up this morning and the &*^% fixed itself. So I am going to get the memory and the network card installed this weekend and see if that helps. If you guys have anymore thoughts I am still listening and still very thankful for all. This stupid internet is driving me crazy.

Rob Pomeroy · « **Reply #28 on:** July 07, 2009, 06:59:02 AM »

Yeah, figures...

Just one thing - I think I got things in the wrong order before. The DC should query itself first for DNS, since it is authoritative for all local matters. Instead of:

Quote from: Chrisxs5 on June 30, 2009, 03:18:13 PM

I set it to:
.10.1 (Router)
.10.10 (Self)

The order should be:

DNS1: x.x.10.10
DNS2: x.x.10.1

Sorry for the confusion!

Chrisxs5 · « **Reply #29 on:** July 07, 2009, 07:09:15 AM »

OK, I will fix that immediately. It went down this morning again. I also have the memory and a new network card to throw on it. I alsow changed out the patch cable and moved it to my other switch.

Rob Pomeroy · « **Reply #30 on:** July 07, 2009, 12:53:08 PM »

Good luck!

Chrisxs5 · « **Reply #31 on:** July 07, 2009, 01:04:16 PM »

Quote from: Rob Pomeroy on July 07, 2009, 12:53:08 PM

Good luck!

LOL Thanks

Spoiler · « **Reply #32 on:** August 14, 2009, 08:33:53 AM »

You can read though this.....it will help you get the DNS server setup right.

http://support.microsoft.com/kb/300202

Computer Hope Forum

News:

Author Topic: DC DNS Errors and blocks internet traffic (Read 24484 times)

Chrisxs5

Rob Pomeroy

jerryheavyarms

Chrisxs5

Chrisxs5

jerryheavyarms

Chrisxs5

jerryheavyarms

Chrisxs5

Rob Pomeroy

Chrisxs5

Rob Pomeroy

Chrisxs5

Rob Pomeroy

Chrisxs5

Rob Pomeroy

Chrisxs5

jerryheavyarms

Chrisxs5

jerryheavyarms

Rob Pomeroy

jerryheavyarms

Chrisxs5

Rob Pomeroy

Chrisxs5

jerryheavyarms

Chrisxs5

Chrisxs5

Rob Pomeroy

Chrisxs5

Rob Pomeroy

Chrisxs5

Spoiler