Meinolf Weber [MVP-DS]
Guest
Posts: n/a
|
Hello Kip,

Remove the public DNS server, 71.243.0.12, from the NIC and configure it as FORWARDER on the DNS server properties in the DNS management console.

Then run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon service or reboot. See also the event 5781 and the description how to solve it.

Make sure the DC is listed correctly in the forward/reverse lookup zone with its A and Nameserver record.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> On May 16, 2:41 pm, Meinolf Weber [MVP-DS] <meiweb@(nospam)gmx.de> wrote:
>
>> Hello Kip,
>>
>> Do you use SP2 and the latest patches on the DC/DNS server? Please
>> post an unedited ipconfig /all from the DC/DNS server.
>>
>> To understand you correctly, you have uninstalled the DNS server role
>> from the DC and then reinstalled it?
>>
>> Do you have errors in the event viewer, if yes please post the
>> complete one.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> Hello, and thank you for responding so quickly!
>
>> Do you use SP2 and the latest patches on the DC/DNS server?
>>
> The DNS server host is Windows Server 2003 with SP2 applied. I try to
> be diligent in making sure all the latest patches are installed by
> running Windows Update regularly.
>
>> Please post an unedited ipconfig /all from the DC/DNS server.
>>
> Here is the captured output of ipconfig /all:
>
> C:\>ipconfig /all
>
> Windows IP Configuration
>
>    Host Name . . . . . . . . . . . . : rachel
>    Primary Dns Suffix  . . . . . . . : 8Heidi.net
>    Node Type . . . . . . . . . . . . : Unknown
>    IP Routing Enabled. . . . . . . . : No
>    WINS Proxy Enabled. . . . . . . . : Yes
>    DNS Suffix Search List. . . . . . : 8Heidi.net
>
> Ethernet adapter Local Area Connection 2:
>
>    Connection-specific DNS Suffix  . : 8Heidi.net
>    Description . . . . . . . . . . . : SiS 900 PCI Fast Ethernet Adapter
>    Physical Address. . . . . . . . . : 00-14-85-6E-16-38
>    DHCP Enabled. . . . . . . . . . . : No
>    IP Address. . . . . . . . . . . . : 192.168.2.10
>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>    Default Gateway . . . . . . . . . : 192.168.2.1
>    DNS Servers . . . . . . . . . . . : 192.168.2.10
>                                        71.243.0.12
> C:\>
>
> The 71.243.0.12 is a public DNS server.
>
>> To understand you correctly, you have uninstalled the DNS server role
>> from the DC and then reinstalled it?
>>
> I went into Add/Remove Programs from Control Panel, selected Add/Remove
> Windows Components, selected Network Services from the list,
> de-selected DNS Service from the list, clicked OK all the way out. I
> then confirmed that there was no longer a DNS Server service listed in
> the Services MMC. I also checked to see that the DNS registry
> settings were gone...they were. I then went through the same steps,
> this time selecting DNS Server, and reinstalled from the CD.
> Unfortunately this did not change anything in terms of the problem.
>
>> Do you have errors in the event viewer, if yes please post the
>> complete one.
>>
> There are 2 application errors currently in my Application event log.
> Each of these seems to correspond to an instance of the DNS Server
> service crashing. Their contents are:
>
> Event Type: Error
> Event Source: Application Error
> Event Category: (100)
> Event ID: 1000
> Date: 5/16/2010
> Time: 2:26:17
> User: N/A
> Computer: RACHEL
> Description:
> Faulting application dns.exe, version 5.2.3790.4460, faulting module
> msvcrt.dll, version 7.0.3790.3959, fault address 0x00038e21.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Event Type: Error
> Event Source: Application Error
> Event Category: (100)
> Event ID: 1000
> Date: 5/15/2010
> Time: 11:08:23
> User: N/A
> Computer: RACHEL
> Description:
> Faulting application dns.exe, version 5.2.3790.4460, faulting module
> dns.exe, version 5.2.3790.4460, fault address 0x00018932.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> There also is one event in the System event log:
>
> Event Type: Warning
> Event Source: NETLOGON
> Event Category: None
> Event ID: 5781
> Date: 5/16/2010
> Time: 1:26:38
> User: N/A
> Computer: RACHEL
> Description:
> Dynamic registration or deletion of one or more DNS records associated
> with DNS domain '8Heidi.net.' failed. These records are used by other
> computers to locate this server as a domain controller (if the
> specified domain is an Active Directory domain) or as an LDAP server
> (if the specified domain is an application partition).
>
> Possible causes of failure include:
> - TCP/IP properties of the network connections of this computer
>   contain wrong IP address(es) of the preferred and alternate DNS
>   servers
> - Specified preferred and alternate DNS servers are not running
> - DNS server(s) primary for the records to be registered is not
>   running
> - Preferred or alternate DNS servers are configured with wrong root
>   hints
> - Parent DNS zone contains incorrect delegation to the child zone
>   authoritative for the DNS records that failed registration
>
> USER ACTION
> Fix possible misconfiguration(s) specified above and initiate
> registration or deletion of the DNS records by running
> 'nltest.exe /dsregdns' from the command prompt or by restarting Net
> Logon service. Nltest.exe is available in the Microsoft Windows Server
> Resource Kit CD.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 2a 23 00 00 *#..
>
> I don't know if this would make any difference but I should mention
> that the DC is connected to the rest of the domain through a second
> wireless router configured as a wireless bridge, i.e. the "main"
> wireless router is configured as usual, the second router is bridged
> to the first.
>
> With all of the RecvFrom() and UDP failures that pour into the log, I
> can't help but suspect I have misconfigured the networking somewhere,
> but I have no idea where to start looking.
>
> Thanks again!
Ace Fekay [MVP - Directory Services, MCT]
Guest
Posts: n/a
|
On Sun, 16 May 2010 19:24:31 -0700 (PDT), Kip wrote:

>On May 16, 3:58 pm, Meinolf Weber [MVP-DS] <meiweb@(nospam)gmx.de>
>wrote:
>> Hello Kip,
>>
>> Remove the public DNS server, 71.243.0.12, from the NIC and configure it
>> as FORWARDER on the DNS server properties in the DNS management console.
>
>I restarted the DNS Server service and performed the steps above.
>
>>
>> Then run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon
>> service or reboot.
>
>I issued the above commands, then stopped, started the Net Logon
>service.
>
>> See also the event 5781 and the description how to solve
>> it
>
>I reread this event and the following seem to be the solution(s):
>
>> - TCP/IP properties of the network connections of this computer
>> contain wrong IP address(es) of the preferred and alternate DNS
>> servers
>
>Check the IP properties and they seem to be correct.
>
>> - Specified preferred and alternate DNS servers are not running
>
>I assume the "preferred" server is my own...it is indeed running.
>The other machines in the domain can resolve names, but they
>can't reach my DNS server, so the alternate DNS must be OK
>too.
>
>> - DNS server(s) primary for the records to be registered is not
>> running
>
>Here's where I start to get lost. I have no idea what this phrase
>means.
>
>> - Preferred or alternate DNS servers are configured with wrong root
>> hints
>
>I have no clue what a "root hint" is nor how to check it.
>
>> - Parent DNS zone contains incorrect delegation to the child zone
>> authoritative for the DNS records that failed registration
>
>I definitely do not understand this statement.
>
>> > Fix possible misconfiguration(s) specified above and initiate
>> > registration or deletion of the DNS records by running
>> > 'nltest.exe /dsregdns' from the command prompt or by restarting
>> > Net Logon service.
>> > Nltest.exe is available in the Microsoft Windows Server Resource Kit
>> > CD.
>
>I restarted the Net Logon service as the above paragraph suggests.
>
>>
>> Make sure the DC is listed correctly in the forward/reverse lookup zone with
>> its A and Nameserver record.
>>
>
>Please bear with me here...I know very little about DNS...in the DNS
>mmc, under the name of my DC, I see "Forward Lookup Zones" and under
>that "8Heidi.net" (the domain is 8Heidi). If I select "8Heidi.net" I
>see a list of records in the right hand pane. There seems to be a
>Host (A) record for each machine in the domain, including the DC, and
>all of their addresses seem correct. I see only one "Name Server
>(NS)" record...its Data column shows "rachel.8heidi.net" and its Name
>column reads "(same as parent folder)". Is all that correct?
>
>Under "Reverse Lookup Zones" there is "192.168.2.x Subnet" and inside
>that node I see Pointer (PTR) records for all the machines, again the
>DC is included. There is also a single NS record here - it has
>exactly the same form as the one in the forward zone section.
>
>
>After making the above changes I retested...unfortunately nothing has
>changed (DNS still gobbling CPU, no machines can talk to it using
>nslookup).
>
>Thank you for your continued help...

Kip,

How many DCs do you have? If you only have one DC, then just leave 192.168.2.10 as the only DNS entry on the NIC properties.

If only one DC, there should only be one 'same as parent' record and only pointing to 192.168.2.10.

Check your workstations. If they have problems resolving the DC's name, then it's telling me that they may have 71.243.0.12 set as a DNS address in their IP properties. If they are getting their configuration from DHCP, and they do have 71.243.0.12 or something else other than 192.168.2.10, then it's telling me DHCP is not configured properly.

Is your DC the DHCP server, or is it your router?

Please provide an ipconfig /all from one of those machines you are having trouble with.

As for refreshing Root Hints, you can go into DNS properties (right-click DNS, choose Properties), Root Hints tab, click on Copy from server, type in 4.2.2.2, and hit OK.

Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Ace Fekay [MVP - Directory Services, MCT]
Guest
Posts: n/a
|
On Mon, 17 May 2010 21:15:07 -0700 (PDT), Kip wrote:

>> Kip,
>>
>> How many DCs do you have? If you only have one DC, then just leave
>> 192.168.2.10 as the only DNS entry on the NIC properties.
>>
>
>I only have one DC, it's the one running at IP 132.168.2.10 hostname
>"rachel".
>
>> If only one DC, there should only be one 'same as parent' record and
>> only pointing to 192.168.2.10.
>
>Here's what I see under "Forward Lookup Zones"->"8Heidi.net" :
>
>(same as parent folder)  Start of Authority (SOA)  [951], rachel.8heidi.net., hostmaster.
>(same as parent folder)  Name Server (NS)          rachel.8heidi.net.
>(same as parent folder)  Host (A)                  192.168.2.10
>
>The first two are also present under "Reverse Lookup Zones"->"192.168.2.x Subnet", and
>are identical, except the [951] is [97] instead.
>
>>
>> Check your workstations. If they have problems resolving the DC's
>> name, then it's telling me that they may have 71.243.0.12 set as a DNS
>> address in their IP properties. If they are getting their configuration
>> from DHCP, and they do have 71.243.0.12 or something else other than
>> 192.168.2.10, then it's telling me DHCP is not configured properly.
>>
>
>All of the workstations exhibit the same problem: none of them seem able
>to "talk to" the DC's DNS service. Yes, they all have the '71 IP configured
>as a secondary DNS server (with rachel as the primary). With the '71
>configured as secondary, none of them get names resolved.
>
>> Is your DC the DHCP server, or is it your router?
>
>It is my router, but I run all the workstations with fixed addresses.
>
>> Please provide an ipconfig /all from one of those machines you are
>> having trouble with.
>
>I will grab one and post it here asap.
>
>> As for refreshing Root Hints, you can go into DNS properties,
>> (right-click DNS, choose properties), Root Hints tab, click on Copy
>> from server, and type in 4.2.2.2, and hit OK.
>
>I tried this. Didn't have much effect, DNS server still using far too
>much CPU and no other domain members can use it.
>
>THANK YOU !!!
>
>> Ace

The first thing I would do in your workstations, is remove the 71.x.x.x IP immediately. All members of an AD infrastructure MUST only use the internal DNS. There are no exceptions. Otherwise, it will be asking the 71.x.x.x, "what's the IP address of my domain controller?" It does not have that answer.

Read the following for a greater understanding of AD's DNS requirements, please.

Active Directory and Its Reliance on DNS, and using an ISP's DNS address
http://msmvps.com/blogs/acefekay/arc...ce-on-dns.aspx

Have you configured a Forwarder to 4.2.2.2? If not, please do so and report back on internet resolution, please.

As for too much CPU usage, it sounds like something else is going on. The DNS cache poisoning update from July, 2008 actually makes DNS use a strict set of service UDP ports. If any application is installed that may be conflicting with these ports, it may cause this problem. Read more on what that update did, its purpose and other info in my blog, to understand it a bit more.

The DNS Cache Poisoning Vulnerability, Microsoft KB953230 Patch, and Ports Reservation Explained
http://msmvps.com/blogs/acefekay/arc...explained.aspx

Ace
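The check described in the post above (no domain member should list anything but the internal DNS server) can be automated against saved `ipconfig /all` output. This is an added example, not part of the original thread; the function names, the `INTERNAL_DNS` set and the sample text are assumptions built from the addresses posted in the thread.

```python
import re

# Assumption for this example: the thread's single DC is the only internal DNS server.
INTERNAL_DNS = {"192.168.2.10"}

# Constructed sample modelled on the ipconfig /all output posted in the thread;
# the second adapter is invented to show a clean configuration.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : rachel
   Primary Dns Suffix  . . . . . . . : 8Heidi.net

Ethernet adapter Local Area Connection 2:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.10
   Default Gateway . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 192.168.2.10
                                       71.243.0.12

Ethernet adapter Example Clean Adapter:

   IP Address. . . . . . . . . . . . : 192.168.2.11
   DNS Servers . . . . . . . . . . . : 192.168.2.10
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")          # unindented section header
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")           # "Name . . . : value"
IPV4_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # bare continuation line


def dns_servers_by_adapter(text):
    """Return {adapter name: [DNS server, ...]} from ipconfig /all output."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            result[adapter] = []
            continue
        m = FIELD_RE.match(line)
        if m:
            # Only the "DNS Servers" field of an adapter section is of interest.
            in_dns = adapter is not None and m.group(1) == "DNS Servers"
            if in_dns and m.group(2):
                result[adapter].append(m.group(2).strip())
            continue
        m = IPV4_RE.match(line)
        if m and in_dns:
            # Second and later servers appear alone on their own indented line.
            result[adapter].append(m.group(1))
        else:
            in_dns = False
    return result


def external_dns(text, internal=INTERNAL_DNS):
    """Return [(adapter, server)] for every DNS server not in `internal`."""
    return [(name, server)
            for name, servers in dns_servers_by_adapter(text).items()
            for server in servers if server not in internal]


if __name__ == "__main__":
    for name, server in external_dns(SAMPLE):
        print(f"{name}: remove {server} from the NIC and use it only as a forwarder")
```
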
Ace Fekay [MVP - Directory Services, MCT]
Guest
Posts: n/a
|
You do have quite a bit running on this machine. The normal ports that DNS use are the UDP ports as mentioned in my blog, however I am seeing many other ports in the list that I do not recognize. What is installed on the machine? List them out, please.

I see there are entries for lserver.exe. That is the terminal server license service. Is this server running Terminal Services in Application mode?

Any new event log errors since you've removed the ISP's DNS addresses?

Ace

On Wed, 19 May 2010 20:15:00 -0700 (PDT), Kip wrote:

>Hello again,
>
>OK, I've read the suggested articles and I think I understand, at
>least at a basic level, why the external DNS server shouldn't be
>configured anywhere except as a DNS forwarder, and the basics of the
>cache poisoning patch.
>
>As a test, I removed the external DNS server from the network
>properties on the DC. I then made sure that it was set as a forwarder
>in DNS settings, along with 4.2.2.2.
>
>With this setup, the DNS service continues to gobble CPU and no names
>get resolved on the DC (I've stopped testing the clients at this point,
>figuring that a good first step would be to get DNS working on the DC
>only.)
>
>I noticed during the suggested reading that two test commands were
>suggested: netstat -ab and netstat -ano.
>
>Here are the results, I hope someone can help interpret them!
>
>netstat -ab with DNS server NOT RUNNING:
>================================
>
>Active Connections
>
>  Proto  Local Address          Foreign Address                   State        PID
>  TCP    rachel:kerberos        rachel.8Heidi.net:0               LISTENING    464
>  [lsass.exe]
>  TCP    rachel:epmap           rachel.8Heidi.net:0               LISTENING    828
>  RpcSs
>  [svchost.exe]
>  TCP    rachel:ldap            rachel.8Heidi.net:0               LISTENING    464
>  [lsass.exe]
>  TCP    rachel:microsoft-ds    rachel.8Heidi.net:0               LISTENING    4
>  [System]
>  TCP    rachel:kpasswd         rachel.8Heidi.net:0               LISTENING    464
>  [lsass.exe]
>  TCP    rachel:554             rachel.8Heidi.net:0               LISTENING    3288
>  [WMServer.exe]
>  TCP    rachel:593             rachel.8Heidi.net:0               LISTENING    828
>  RpcSs
>  [svchost.exe]
>  TCP    rachel:ldaps           rachel.8Heidi.net:0               LISTENING    464
>  [lsass.exe]
>  TCP    rachel:1026            rachel.8Heidi.net:0               LISTENING    464
>  [lsass.exe]
>  TCP    rachel:1027            rachel.8Heidi.net:0               LISTENING    464
>  [lsass.exe]
>  TCP    rachel:1028            rachel.8Heidi.net:0               LISTENING    464
>  [lsass.exe]
>  TCP    rachel:1042            rachel.8Heidi.net:0               LISTENING    2432
>  [ntfrs.exe]
>  TCP    rachel:1050            rachel.8Heidi.net:0               LISTENING    3048
>  [tssdis.exe]
>  TCP    rachel:1051            rachel.8Heidi.net:0               LISTENING    3004
>  [lserver.exe]
>  TCP    rachel:3268            rachel.8Heidi.net:0               LISTENING    464
>  [lsass.exe]
>  TCP    rachel:3269            rachel.8Heidi.net:0               LISTENING    464
>  [lsass.exe]
>  TCP    rachel:3389            rachel.8Heidi.net:0               LISTENING    3988
>  TermService
>  [svchost.exe]
>  TCP    rachel:1062            rachel.8Heidi.net:0               LISTENING    1912
>  [alg.exe]
>  TCP    rachel:netbios-ssn     rachel.8Heidi.net:0               LISTENING    4
>  [System]
>  TCP    rachel:ldap            rachel.8Heidi.net:1037            ESTABLISHED  464
>  [lsass.exe]
>  TCP    rachel:ldap            rachel.8Heidi.net:1041            ESTABLISHED  464
>  [lsass.exe]
>  TCP    rachel:ldap            rachel.8Heidi.net:1038            ESTABLISHED  464
>  [lsass.exe]
>  TCP    rachel:1037            rachel.8Heidi.net:ldap            ESTABLISHED  2252
>  [ismserv.exe]
>  TCP    rachel:1038            rachel.8Heidi.net:ldap            ESTABLISHED  2252
>  [ismserv.exe]
>  TCP    rachel:1041            rachel.8Heidi.net:ldap            ESTABLISHED  2252
>  [ismserv.exe]
>  TCP    rachel:ldap            rachel:2206                       ESTABLISHED  464
>  [lsass.exe]
>  TCP    rachel:1027            rachel:1046                       ESTABLISHED  464
>  [lsass.exe]
>  TCP    rachel:1027            rachel:4826                       ESTABLISHED  464
>  [lsass.exe]
>  TCP    rachel:1027            rachel:1088                       ESTABLISHED  464
>  [lsass.exe]
>  TCP    rachel:1046            rachel:1027                       ESTABLISHED  2432
>  [ntfrs.exe]
>  TCP    rachel:1088            rachel:1027                       ESTABLISHED  464
>  [lsass.exe]
>  TCP    rachel:2206            rachel:ldap                       ESTABLISHED  2432
>  [ntfrs.exe]
>  TCP    rachel:4826            rachel:1027                       ESTABLISHED  464
>  [lsass.exe]
>  TCP    rachel:19704           vw-in-f100.1e100.net:http         CLOSE_WAIT   3148
>  [iexplore.exe]
>  TCP    rachel:19705           yo-in-f113.1e100.net:http         CLOSE_WAIT   3148
>  [iexplore.exe]
>  TCP    rachel:19706           lga15s03-in-f154.1e100.net:http   CLOSE_WAIT   3148
>  [iexplore.exe]
>  TCP    rachel:4825            rachel:epmap                      TIME_WAIT    0
>  UDP    rachel:microsoft-ds    *:*                                            4
>  [System]
>  UDP    rachel:isakmp          *:*                                            464
>  [lsass.exe]
>  UDP    rachel:4500            *:*                                            464
>  [lsass.exe]
>  UDP    rachel:15134           *:*                                            3560
>  [iexplore.exe]
>  UDP    rachel:53260           *:*                                            4692
>  [iexplore.exe]
>  UDP    rachel:15800           *:*                                            5336
>  [iexplore.exe]
>  UDP    rachel:1076            *:*                                            1900
>  [Dfssvc.exe]
>  UDP    rachel:18798           *:*                                            464
>  [lsass.exe]
>  UDP    rachel:13914           *:*                                            3148
>  [iexplore.exe]
>  UDP    rachel:1318            *:*                                            1552
>  [spoolsv.exe]
>  UDP    rachel:1060            *:*                                            3988
>  TermService
>  [svchost.exe]
>  UDP    rachel:1056            *:*                                            404
>  [winlogon.exe]
>  UDP    rachel:1052            *:*                                            3004
>  [lserver.exe]
>  UDP    rachel:36260           *:*                                            616
>  [iexplore.exe]
>  UDP    rachel:1043            *:*                                            2432
>  [ntfrs.exe]
>  UDP    rachel:13375           *:*                                            232
>  [Explorer.EXE]
>  UDP    rachel:1036            *:*                                            2252
>  [ismserv.exe]
>  UDP    rachel:1031            *:*                                            892
>  [Smc.exe]
>  UDP    rachel:ntp             *:*                                            952
>  W32Time
>  [svchost.exe]
>  UDP    rachel:15143           *:*                                            2148
>  [iexplore.exe]
>  UDP    rachel:389             *:*                                            464
>  [lsass.exe]
>  UDP    rachel:netbios-dgm     *:*                                            4
>  [System]
>  UDP    rachel:ntp             *:*                                            952
>  W32Time
>  [svchost.exe]
>  UDP    rachel:kpasswd         *:*                                            464
>  [lsass.exe]
>  UDP    rachel:kerberos        *:*                                            464
>  [lsass.exe]
>  UDP    rachel:netbios-ns      *:*                                            4
>  [System]
>
>netstat -ab with DNS server RUNNING:
>================================
>...I wanted to paste that output here, but it is so large that
>it's crippling the browser.
>
>The output is as above but with 7511 more lines of the
>following form:
>
>  UDP    rachel:7780            *:*                                            3576
>  [dns.exe]
>
>Each line is the same except for the number after the colon...I used
>an editor to extract some of these.
>
>The output of the -ano form of the command gives very similar
>results...many, many more entries with DNS running.
>
>Are these port numbers? Does this give any clue as to what is broken?
>
>
>Thanks for your continued help
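The question in the post above (which process owns the flood of UDP endpoints, and over what port range) can be answered by grouping `netstat -ab` output by owning process instead of reading it line by line. This is an added example, not part of the original thread; the function names and the threshold are assumptions, and the sample is constructed: only PID 3576, port 7780 and the process names come from the post, the remaining dns.exe ports are generated.

```python
import re
from collections import defaultdict

# One endpoint row of `netstat -ab`; UDP rows have no State column.
ENDPOINT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# The owning executable follows its row in square brackets.
PROCESS_RE = re.compile(r"^\s*\[(.+)\]\s*$")

# Constructed sample in the layout of the listing quoted in the post.
STATIC = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    rachel:ldap            rachel.8Heidi.net:0    LISTENING       464
  [lsass.exe]

  TCP    rachel:4825            rachel:epmap           TIME_WAIT       0
  UDP    rachel:ntp             *:*                                    952
  W32Time
  [svchost.exe]

  UDP    rachel:kerberos        *:*                                    464
  [lsass.exe]

"""
# 7780 is the port in the quoted dns.exe line; "radacct" is a constructed
# case of netstat printing a service name instead of a number (no -n flag).
DNS_PORTS = ["7780", "radacct"] + [str(p) for p in range(20000, 20048)]
SAMPLE = STATIC + "".join(
    f"  UDP    rachel:{p}    *:*    3576\n  [dns.exe]\n\n" for p in DNS_PORTS)


def endpoints_by_process(text, proto="UDP"):
    """Return {(process, pid): [local port token, ...]} for one protocol."""
    owners = defaultdict(list)
    pending = None  # (proto, port, pid) of the row still waiting for its owner line

    def flush(name):
        nonlocal pending
        if pending and pending[0] == proto:
            owners[(name, pending[2])].append(pending[1])
        pending = None

    for line in text.splitlines():
        m = ENDPOINT_RE.match(line)
        if m:
            flush("unknown")  # previous row had no [process] line (e.g. TIME_WAIT, PID 0)
            pending = (m.group(1), m.group(3), int(m.group(6)))
            continue
        m = PROCESS_RE.match(line)
        if m:
            flush(m.group(1))
        # Component lines such as "W32Time" or "RpcSs" are ignored.
    flush("unknown")
    return dict(owners)


def heavy_udp_owners(text, threshold):
    """List processes holding at least `threshold` UDP endpoints, busiest first."""
    rows = []
    for (name, pid), ports in endpoints_by_process(text).items():
        if len(ports) < threshold:
            continue
        numeric = sorted(int(p) for p in ports if p.isdigit())
        rows.append({
            "process": name, "pid": pid, "count": len(ports),
            "low": numeric[0] if numeric else None,
            "high": numeric[-1] if numeric else None,
            "named_ports": sorted(p for p in ports if not p.isdigit()),
        })
    return sorted(rows, key=lambda r: -r["count"])


if __name__ == "__main__":
    for row in heavy_udp_owners(SAMPLE, threshold=10):
        print(row)
```
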
Ace Fekay [MVP - Directory Services, MCT]
Guest
Posts: n/a
|
On Mon, 24 May 2010 20:11:01 -0700 (PDT), Kip wrote:

>On May 22, 1:00 am, "Ace Fekay [MVP - Directory Services, MCT]"
><ace...@mvps.RemoveThisPart.org> wrote:
>> You do have quite a bit running on this machine. The normal ports that
>> DNS use are the UDP ports as mentioned in my blog, however I am seeing
>> many other ports in the list that I do not recognize. What is
>> installed on the machine? List them out, please.
>>
>
>I'm guessing that you mean a listing from something like Control
>Panel's "Add/Remove Programs" list, rather than the list above? If
>so, do you want to see everything? Including items like Adobe Reader,
>Microsoft Office, .NET Framework, etc. etc.? Just wanted to make sure
>I understand what you're requesting before I post it.
>
>
>> I see there are entries for lserver.exe. That is the terminal server
>> license service. Is this server running Terminal Services in
>> Application mode?
>
>Someone else set this up for me. I can give you definitive answer if
>you tell me where to check.
>
>> Any new event log errors since you've removed the ISP's DNS addresses?
>
>Oh, yes, very many, the majority of them are 4000's, with 1 4001 and 2
>4007's
>
>Thanks for your continuing help/suggestions.

You are welcome, so far.

You don't have to list the programs and services. It just appears there is quite a bit on here. Not that it's a bad thing. It's just an observation.

If you ask me, from the info you've provided, it seems normal for the number of services and apps running.

Can you provide an updated ipconfig /all, please?

Thank you

Ace
Ace Fekay [MVP - Directory Services, MCT]
Guest
Posts: n/a
|
On Tue, 25 May 2010 19:52:14 -0700 (PDT), Kip wrote:

>On May 25, 11:04 am, "Ace Fekay [MVP - Directory Services, MCT]"
><ace...@mvps.RemoveThisPart.org> wrote:
>> On Mon, 24 May 2010 20:11:01 -0700 (PDT), Kip
>> <guy.landing...@verizon.net> wrote:
>> >On May 22, 1:00 am, "Ace Fekay [MVP - Directory Services, MCT]"
>> ><ace...@mvps.RemoveThisPart.org> wrote:
>> >> You do have quite a bit running on this machine. The normal ports that
>> >> DNS use are the UDP ports as mentioned in my blog, however I am seeing
>> >> many other ports in the list that I do not recognize. What is
>> >> installed on the machine? List them out, please.
>>
>> >I'm guessing that you mean a listing from something like Control
>> >Panel's "Add/Remove Programs" list, rather than the list above? If
>> >so, do you want to see everything? Including items like Adobe Reader,
>> >Microsoft Office, .NET Framework, etc. etc.? Just wanted to make sure
>> >I understand what you're requesting before I post it.
>>
>> >> I see there are entries for lserver.exe. That is the terminal server
>> >> license service. Is this server running Terminal Services in
>> >> Application mode?
>>
>> >Someone else set this up for me. I can give you definitive answer if
>> >you tell me where to check.
>>
>> >> Any new event log errors since you've removed the ISP's DNS addresses?
>>
>> >Oh, yes, very many, the majority of them are 4000's, with 1 4001 and 2
>> >4007's
>>
>> >Thanks for your continuing help/suggestions.
>>
>> You are welcome, so far.
>>
>> You don't have to list the programs and services. It just appears
>> there is quite a bit on here. Not that it's a bad thing. It's just an
>> observation.
>>
>> If you ask me, from the info you've provided, it seems normal for the
>> number of services and apps running.
>>
>> Can you provide an updated ipconfig /all, please?
>>
>> Thank you
>>
>> Ace
>
>Definitely I can provide an ipconfig /all:
>
>
>C:\Program Files\Support Tools>ipconfig /all
>
>Windows IP Configuration
>
>   Host Name . . . . . . . . . . . . : rachel
>   Primary Dns Suffix  . . . . . . . : 8Heidi.net
>   Node Type . . . . . . . . . . . . : Unknown
>   IP Routing Enabled. . . . . . . . : Yes
>   WINS Proxy Enabled. . . . . . . . : Yes
>   DNS Suffix Search List. . . . . . : 8Heidi.net
>
>Ethernet adapter Local Area Connection 2:
>
>   Connection-specific DNS Suffix  . : 8Heidi.net
>   Description . . . . . . . . . . . : SiS 900 PCI Fast Ethernet Adapter
>   Physical Address. . . . . . . . . : 00-14-85-6E-16-38
>   DHCP Enabled. . . . . . . . . . . : No
>   IP Address. . . . . . . . . . . . : 192.168.2.10
>   Subnet Mask . . . . . . . . . . . : 255.255.255.0
>   Default Gateway . . . . . . . . . : 192.168.2.1
>   DNS Servers . . . . . . . . . . . : 192.168.2.10
>
>C:\Program Files\Support Tools>

Thanks, Kip, for providing the updated ipconfig /all.

I see that Routing and WINS Proxy are both enabled. Any reason why? This can be a cause of issues with a domain controller.

Since it is a single homed machine, and assuming RRAS is not installed on it for VPN purposes, I suggest to disable the two.

Make sure RRAS is disabled in the RRAS console, and stopped and disabled in Services (Routing and Remote Access service).

Also, go into the registry and disable WINS Proxy. Here's how:

========
NOTE: The EnableProxy value resides in the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\EnableProxy

To disable Netbios Proxy on the RAS or VPN server, follow these steps.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Start Registry Editor (Regedit.exe).
Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remoteaccess\Parameters\Ip\EnableNebtBcastFwd
Change the value of the EnableNebtBcastFwd to 0.
Quit Registry Editor.
Restart the computer.
========

More info on disabling WINS Proxy can be found in the following link:

How to Disable NetBT Proxy on Incoming Connections:
http://support.microsoft.com/kb/319848

Ace
Ace Fekay [MVP - Directory Services, MCT]
Guest
Posts: n/a
|
On Wed, 26 May 2010 19:48:06 -0700 (PDT), Kip wrote:

>
>> Thanks, Kip, for providing the updated ipconfig /all.
>
>No, thank YOU for trying to help me.
>
>>
>> I see that Routing and WINS Proxy are both enabled. Any reason why?
>
>Probably because I know just enough to be dangerous %^(.
>
>> This can be a cause of issues with a domain controller.
>>
>> Since it is a single homed machine, and assuming RRAS is not installed
>> on it for VPN purposes, I suggest to disable the two.
>>
>> Make sure RRAS is disabled in the RRAS console, and stopped and
>> disabled in Services (Routing and Remote Access service).
>>
>
>Right. So the RRAS console shows server name RACHEL and State =
>Stopped (unconfigured)
>In the Services console the "Routing and Remote Access" service was
>not running and set to "Manual". I changed this to "Disabled."
>
>> Also, go into the registry and disable WINS Proxy. Here's how:
>>
>> ========
>> NOTE: The EnableProxy value resides in the following registry
>> location:
>> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\EnableProxy
>
>This currently has a registry value of 2. Do I touch this?
>
>> To disable Netbios Proxy on the RAS or VPN server, follow these steps.
>>
>> WARNING: If you use Registry Editor incorrectly, you may cause serious
>> problems that may require you to reinstall your operating system.
>> Microsoft cannot guarantee that you can solve problems that result
>> from using Registry Editor incorrectly. Use Registry Editor at your
>> own risk.
>>
>> Start Registry Editor (Regedit.exe).
>> Locate and then click the following registry key:
>> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remoteaccess\Parameters\Ip\EnableNebtBcastFwd
>> Change the value of the EnableNebtBcastFwd to 0.
>
>Done.
>
>> Quit Registry Editor.
>
>Done.
>
>> Restart the computer.
>
>Will do soon.
>
>> ========
>>
>> More info on disabling WINS Proxy can be found in the following link:
>>
>> How to Disable NetBT Proxy on Incoming Connections: http://support.microsoft.com/kb/319848
>>
>> Ace
>
>Can I add one more piece of information? It may not be relevant, but
>I've learned not to leave information out when troubleshooting.
>
>The network topology we have is as follows: There is one main wireless
>router that is hardwired to the ISP's modem. Several domain members
>access the network via wireless connections to that router (along with
>a couple of wireless printers.) Another wireless connection exists to a
>second wireless router, configured as a wireless bridge. Hardwired to
>that bridge is one more domain member and the DC/DNS server itself
>("hardwired" meaning thin wire Ethernet).
>
>One of the symptoms I've been experiencing with the failing DNS is
>that once the service is started, its CPU utilization will surge to
>about 25%, then drop to zero, then surge again. The frequency of this
>is about 4-5 seconds, and it's very easy to see it in perfmon... a
>sequence of nicely rounded "CPU hills" if you will.
>
>Now, I don't know what prompted me to try this, but here's what I did:
>I first stopped the DNS service. Then I went to the other machine
>connected to the bridge and disabled its network connection. Returning
>to the DC, I started DNS and for the first time in quite a while now, I
>watched it start up and NOT gobble CPU. I went back to client machine
>and re-enabled its network adapter. The DNS process on the DC
>immediately started its CPU util. cycling. I then disabled the client
>network again, but the CPU utilization cycling remained. I shut down
>DNS and restarted it and it was quiescent again.
>
>So it seems that as long as I don't enable the network on the other
>box that's connected to the bridge, DNS doesn't eat CPU.
>
>I'm not sure what this means, or again if it's even relevant.
> >Thank you so much for your time. You are welcome. We are getting closer to straightening this out. For RRAS, make sure it's also disabled in the registry: ===== HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters Value Name: IPEnableRouter Value type: REG_DWORD Value Data: 0 Refresh the Registry, then reboot the machine. That should take care of it. ===== As for the other question regarding the access point, and if I understand you correctly, it is an access point, or is it a true router/wireless router? Reason I ask, if it is a wireless router that you're using it for the sole purpose of a router, such as a Linksys, I set them up by plugging a LAN port (not the WAN port) into the main switch. This way, an IP address is provided by the DHCP server on the company network. Essentially, this is 'bridged' to the main network. Some refer to it as 'corporate mode.' Otherwise, it will be behind its own NAT giving it's own IP address from it's own pool behind in its NAT network, which in that case, will cause AD communication problems, but I don't think that's the case here. Just a guess... Does that router have the DNS server in qusetion, as it's DNS address? Does that client machine have the wireless set as its DNS address? It may be trying to "proxy" requests to it. If so, set the client address to the DNS server itself, and remove the address from the wireless router, and see what happens. Ace |
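The two settings this reply asks to verify can be read without changing anything. The following is an added example, not part of the original post; the function names are hypothetical, `$ExpectedDns` holds a constructed placeholder address, and it assumes Windows PowerShell with `Get-WmiObject` available.

```powershell
# Added example: read-only audit of the settings discussed in the reply above.
# $ExpectedDns is a placeholder; replace it with the DC/DNS server's own IP address.
$ExpectedDns = @('192.0.2.10')   # constructed sample address (documentation range)

function Get-IpRouterState {
    # Reads the IPEnableRouter value named in the post.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $prop = Get-ItemProperty -Path $key -Name IPEnableRouter -ErrorAction SilentlyContinue
    if ($null -eq $prop)            { return 'NotSet' }    # value absent from the key
    if ($prop.IPEnableRouter -eq 0) { return 'Disabled' }  # the state the post asks for
    return 'Enabled'
}

function Get-UnexpectedDnsServer {
    # Lists every DNS server configured on an IP-enabled adapter
    # that is not in the allowed list (for example a router or ISP address).
    param([string[]]$Allowed)
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $nic = $_
            foreach ($dns in @($nic.DNSServerSearchOrder)) {
                # $dns is $null when the adapter has no DNS servers configured
                if ($dns -and ($Allowed -notcontains $dns)) {
                    New-Object PSObject -Property @{
                        Adapter   = $nic.Description
                        DnsServer = $dns
                    }
                }
            }
        }
}

"IPEnableRouter: $(Get-IpRouterState)"
$unexpected = @(Get-UnexpectedDnsServer -Allowed $ExpectedDns)
if ($unexpected.Count -eq 0) {
    'All adapters use only the expected DNS server(s).'
} else {
    $unexpected | Format-Table Adapter, DnsServer -AutoSize
}
```

Run it on the DC and on the client behind the bridge; any adapter row it prints is a DNS entry pointing somewhere other than the internal DNS server.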
Ace Fekay [MVP - Directory Services, MCT]
On Fri, 28 May 2010 11:39:38 -0700 (PDT), Kip wrote:

>> You are welcome. We are getting closer to straightening this out.
>>
>> For RRAS, make sure it's also disabled in the registry:
>>
>> =====
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
>>
>> Value Name: IPEnableRouter
>> Value type: REG_DWORD
>> Value Data: 0
>>
>> Refresh the Registry, then reboot the machine. That should take care of it.
>> =====
>
> I will do this next, thanks.
>
>> As for the other question regarding the access point, and if I understand you correctly, it is an access point, or is it a true router/wireless router?
>
> It was originally a wireless router but I have replaced the factory-supplied firmware with an Open Source alternative, DD-WRT (http://www.dd-wrt.com/wiki/index.php/What_is_DD-WRT) The reason I did that was because the original firmware did not provide a wireless bridge mode, while DD-WRT does. As far as it being an access point, I've found differing opinions about the definitions of these terms. There seems to be agreement that "wireless bridge" is equivalent to "access point in client-mode", if that helps.
>
>> Reason I ask, if it is a wireless router that you're using it for the sole purpose of a router, such as a Linksys, I set them up by plugging a LAN port (not the WAN port) into the main switch. This way, an IP address is provided by the DHCP server on the company network. Essentially, this is 'bridged' to the main network. Some refer to it as 'corporate mode.' Otherwise, it will be behind its own NAT giving its own IP address from its own pool behind in its NAT network, which in that case, will cause AD communication problems, but I don't think that's the case here.
>
> My (coarse) understanding of how the wireless bridge works is that it functions basically as a switch, except that it "knows" when packets need to cross the bridge and when they don't. I'm afraid I'm not clear on how what you've said above maps to that.
>
>> Just a guess...
>> Does that router have the DNS server in question, as its DNS address?
>
> That I do not know, but will of course check.
>
>> Does that client machine have the wireless set as its DNS address? It may be trying to "proxy" requests to it. If so, set the client address to the DNS server itself, and remove the address from the wireless router, and see what happens.
>
> I will check all this out as you've suggested.
>
>> Ace
>
> I'll suppress the urge to keep thanking you, but will say: Have a wonderful Memorial Day weekend...

Hi Kip,

We had a nice Memorial Day Weekend, including a couple nights of food and drink among friends and family. I hope you had a nice one, too.

I think we are both on the same wavelength regarding the wireless definitions. What I did plugging a wireless router into the LAN ports does the same thing. It acts as a wireless bridge. Now if you installed the DD-WRT software to do the same thing, that is plugging in the WAN port into the office network switch (and not what I did by plugging a LAN port into the office network switch), and setting up the DD-WRT software to "bridge," it's really doing the same exact thing. Think about it... :-)

Now maybe, and JUST maybe, the DD-WRT bridging feature *may* be (and I stress *may*) blocking something. Just a thought. Unbridge it and plug it in as I described, and see if it works.

And yes, please do set the internal DNS addresses in DD-WRT.

Ace