Strange DNS issues !!!

Hi!,

Have been facing a strange situation. Let me attempt to explain the
scenario:

We are a small group managing few servers (around 20 mix of windows and
linux) in virtual environment, our desktops login to our corporate Domain
controller and use the corporate DNS server.

We have been using XXX network for a while now, and our main office wanted
us to release that network and they have provided us a different YYY
network.
We also have ZZZ network for each server for servers to communicate
internally and we have our own DC and DNS for internal name resolution. The
internal DC and DNS do not communicate
to our corporate network.

So as of now our server have 3 networks:

1) xxx.xxx.xxx.x - network to release back to corporate
2) yyy.yyy.yyy.y - new network assigned
3) zzz.zzz.zzz.z - internal network


The Primary and Secondary DNS server is the same for both XXX and YYY
network. The gateway assigned for our servers is the gateway of the xxx
network,

Our laptops are connected with a AAA network with AAA gateway to the
corporate DC but the DNS server is the same as the XXX and YYY network.

We added the yyy network recently. When we ping from our laptop we noticed
that we dont get a ping reply from yyy network.

We first have to ping the xxx network - and once we receive the reply - the
ping to yyy is successful.

Now, to further investigate - I created a new VM and first added the YYY
network IP and assigned the YYY gateway. Later I added the XXX networ IPk,
and tried the ping which was unsuccessful.
I first had to ping the YYY network and then the XXX ping was successful. I
even tried to assign Gateway for both XXX and YY network - still did not
help.
We will remove the xxx network from our server but some server do need them
as they are production.


Can anyone explain why this is happening and how to resolve this.


Thank you
Hugo

"Hugo" <> wrote in message
news:%...
> Hi!,
>
> Have been facing a strange situation. Let me attempt to explain the
> scenario:
>
> We are a small group managing few servers (around 20 mix of windows and
> linux) in virtual environment, our desktops login to our corporate Domain
> controller and use the corporate DNS server.
>
> We have been using XXX network for a while now, and our main office wanted
> us to release that network and they have provided us a different YYY
> network.
> We also have ZZZ network for each server for servers to communicate
> internally and we have our own DC and DNS for internal name resolution.
> The internal DC and DNS do not communicate
> to our corporate network.
>
> So as of now our server have 3 networks:
>
> 1) xxx.xxx.xxx.x - network to release back to corporate
> 2) yyy.yyy.yyy.y - new network assigned
> 3) zzz.zzz.zzz.z - internal network
>
>
> The Primary and Secondary DNS server is the same for both XXX and YYY
> network. The gateway assigned for our servers is the gateway of the xxx
> network,
>
> Our laptops are connected with a AAA network with AAA gateway to the
> corporate DC but the DNS server is the same as the XXX and YYY network.
>
> We added the yyy network recently. When we ping from our laptop we noticed
> that we dont get a ping reply from yyy network.
>
> We first have to ping the xxx network - and once we receive the reply -
> the ping to yyy is successful.
>
> Now, to further investigate - I created a new VM and first added the YYY
> network IP and assigned the YYY gateway. Later I added the XXX networ IPk,
> and tried the ping which was unsuccessful.
> I first had to ping the YYY network and then the XXX ping was successful.
> I even tried to assign Gateway for both XXX and YY network - still did not
> help.
> We will remove the xxx network from our server but some server do need
> them as they are production.
>
>
> Can anyone explain why this is happening and how to resolve this.
>
>
> Thank you
> Hugo


Sorry, but I'm getting a little dizzy trying to follow the letters.

I assume you mean by the term 'released' you mean to change your IP scheme
from X to Y. But what does it mean released to corporate? Does that mean
they will take that subnet?

Another thing that doesn't make sense is
" The internal DC and DNS do not communicate to our corporate network."

If not, how do the DCs replicate? Are they not in the same forest? Is there
more than one forest?

Tell you what, do you have a straight forward Visio of the current network,
and one of the future network? Use IP addresses instead of alphabetic
characters, including IP addresses of connecting routers, etc. It will make
it A LOT easier for us to look at this.

Here are some simple network Visio examples. Try to use them as a a template
of your subnets and how they're interconnected, routers IPs, show us where
your DCs are, which ones have DNS on them, etc.
http://www.fekay.com/supportblogs/St...ingExample.jpg
www.fekay.com/supportblogs/BasicNetwork.jpg
www.fekay.com/supportblogs/BasicDMZNetwork.jpg

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer


For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay

Hi!
Sorry for the confusion. This just shows the complexity of the situation Iam
in, or atlease I think Iam.
I will get the visio ready in the meantime - Let me replace the A,X,Y.Z
with IP addresses and try to explain.


A - 10.237.129.0 - Our laptops use IP's from this subnet - provided
by corporate DNS server. We login to our Corporate Domain
X - 10.237.114.0 - This subnet will be removed from most servers
Y - 10.237.119.0 - New subnet assigned to our group
Z - 192.168.115.0 - Internal subnet provided by our Internal DNS

I dont have any access to the corporate DC or DNS - if we want any alias for
existing IP or new .114 / .119 IP's - then we have to put a request to our
Corporate I.T and it takes a very long time for it to get processed. There
are many other factors which made us decide on setting up our own internal
DC and DNS.

Now since our Internal DC/DNS are not authorised - they cannot have the .114
or .119 IP - hence they have the 192.168.115.0 network. And all our internal
servers have the 192.168.115.x IP's too.
The internal server are a part of our Internal Domain.

I hope things are much clear to you now.

Server 1 has the following IP configuration
NIC1 - 10.237.114.10
Subnet - 255.255.255.0
Gateway - 10.237.114.1

NIC2 - 10.237.119.10
Subnet - 255.255.255.9

NIC3 - 192.168.115.10
Subnet - 255.255.255.0

When I ping Server 1 (ping 10.237.119.10.) from my laptop which has IP
(10.237.129.20) - I get "Request Time Out"

And when I ping Server 1 (ping 10.237.114.10) I get reply from server.

Now if I ping back the 10.237.119.10 - I get the reply from the server

Questions:
1) I want to know why this is happening?
2) Is the issue with my Internal server configuration or my Corporate Domain
/DNS?
3) If the issue is with my corporate Domain/DNS - then how should I proceed
to resolv this issue?

Hope the above info helps to get a understanding of my scenario. Appreciate
you time and effort in helping me out. Lot of thanks to you wonderful
Trainers and MCP's

Thank you

Hugo







"Ace Fekay [Microsoft Certified Trainer]" <>
wrote in message news:...
> "Hugo" <> wrote in message
> news:%...
>> Hi!,
>>
>> Have been facing a strange situation. Let me attempt to explain the
>> scenario:
>>
>> We are a small group managing few servers (around 20 mix of windows and
>> linux) in virtual environment, our desktops login to our corporate Domain
>> controller and use the corporate DNS server.
>>
>> We have been using XXX network for a while now, and our main office
>> wanted us to release that network and they have provided us a different
>> YYY network.
>> We also have ZZZ network for each server for servers to communicate
>> internally and we have our own DC and DNS for internal name resolution.
>> The internal DC and DNS do not communicate
>> to our corporate network.
>>
>> So as of now our server have 3 networks:
>>
>> 1) xxx.xxx.xxx.x - network to release back to corporate
>> 2) yyy.yyy.yyy.y - new network assigned
>> 3) zzz.zzz.zzz.z - internal network
>>
>>
>> The Primary and Secondary DNS server is the same for both XXX and YYY
>> network. The gateway assigned for our servers is the gateway of the xxx
>> network,
>>
>> Our laptops are connected with a AAA network with AAA gateway to the
>> corporate DC but the DNS server is the same as the XXX and YYY network.
>>
>> We added the yyy network recently. When we ping from our laptop we
>> noticed that we dont get a ping reply from yyy network.
>>
>> We first have to ping the xxx network - and once we receive the reply -
>> the ping to yyy is successful.
>>
>> Now, to further investigate - I created a new VM and first added the YYY
>> network IP and assigned the YYY gateway. Later I added the XXX networ
>> IPk, and tried the ping which was unsuccessful.
>> I first had to ping the YYY network and then the XXX ping was successful.
>> I even tried to assign Gateway for both XXX and YY network - still did
>> not help.
>> We will remove the xxx network from our server but some server do need
>> them as they are production.
>>
>>
>> Can anyone explain why this is happening and how to resolve this.
>>
>>
>> Thank you
>> Hugo
>
>
> Sorry, but I'm getting a little dizzy trying to follow the letters.
>
> I assume you mean by the term 'released' you mean to change your IP scheme
> from X to Y. But what does it mean released to corporate? Does that mean
> they will take that subnet?
>
> Another thing that doesn't make sense is
> " The internal DC and DNS do not communicate to our corporate network."
>
> If not, how do the DCs replicate? Are they not in the same forest? Is
> there more than one forest?
>
> Tell you what, do you have a straight forward Visio of the current
> network, and one of the future network? Use IP addresses instead of
> alphabetic characters, including IP addresses of connecting routers, etc.
> It will make it A LOT easier for us to look at this.
>
> Here are some simple network Visio examples. Try to use them as a a
> template of your subnets and how they're interconnected, routers IPs, show
> us where your DCs are, which ones have DNS on them, etc.
> http://www.fekay.com/supportblogs/St...ingExample.jpg
> www.fekay.com/supportblogs/BasicNetwork.jpg
> www.fekay.com/supportblogs/BasicDMZNetwork.jpg
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
>
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> "Efficiency is doing things right; effectiveness is doing the right
> things." - Peter F. Drucker
> http://twitter.com/acefekay
>
>

Responses inline below...


"Hugo" <> wrote in message
news:%...
> Hi!
> Sorry for the confusion. This just shows the complexity of the situation
> Iam in, or atlease I think Iam.
> I will get the visio ready in the meantime - Let me replace the A,X,Y.Z
> with IP addresses and try to explain.
>
>
> A - 10.237.129.0 - Our laptops use IP's from this subnet - provided
> by corporate DNS server. We login to our Corporate Domain
> X - 10.237.114.0 - This subnet will be removed from most servers
> Y - 10.237.119.0 - New subnet assigned to our group
> Z - 192.168.115.0 - Internal subnet provided by our Internal DNS
>
> I dont have any access to the corporate DC or DNS - if we want any alias
> for existing IP or new .114 / .119 IP's - then we have to put a request to
> our Corporate I.T and it takes a very long time for it to get processed.
> There are many other factors which made us decide on setting up our own
> internal DC and DNS.
>
> Now since our Internal DC/DNS are not authorised - they cannot have the
> .114 or .119 IP - hence they have the 192.168.115.0 network. And all our
> internal servers have the 192.168.115.x IP's too.
> The internal server are a part of our Internal Domain.
>
> I hope things are much clear to you now.




Not really. The terminology is a bit skewed, e.g., not standard network
terminology. But from what I am seeing, it doesn't make sense that the corp
subnet is not accessible from your subnet. if that is the case, and I assume
this is an AD network, and all DCs are in one forest, then how does
replication work?

Also, are you an AD administrator, or a network admin without AD
permissions?



>
> Server 1 has the following IP configuration
> NIC1 - 10.237.114.10
> Subnet - 255.255.255.0
> Gateway - 10.237.114.1
>
> NIC2 - 10.237.119.10
> Subnet - 255.255.255.9
>
> NIC3 - 192.168.115.10
> Subnet - 255.255.255.0
>
> When I ping Server 1 (ping 10.237.119.10.) from my laptop which has IP
> (10.237.129.20) - I get "Request Time Out"


This can be due to either:
1. No route to host
2. Firewall (either your machine or the network) blocking ICMP ECHO.


>
> And when I ping Server 1 (ping 10.237.114.10) I get reply from server.
>
> Now if I ping back the 10.237.119.10 - I get the reply from the server


Then my #1 response above applies. No route to host.



>
> Questions:
> 1) I want to know why this is happening?
> 2) Is the issue with my Internal server configuration or my Corporate
> Domain /DNS?

It's not with DNS. You are just pinging by IP. If you pinged by name or FQDN
name, then because the server has multiple IPs, you never know which one it
will resolve to. This is due to Round Robin feature with DNS. It will rotate
the response.


> 3) If the issue is with my corporate Domain/DNS - then how should I
> proceed to resolve this issue?


DNS has not been determined to be the problem, but you're ping results lead
me to believe it is a routing issue.



>
> Hope the above info helps to get a understanding of my scenario.
> Appreciate you time and effort in helping me out. Lot of thanks to you
> wonderful Trainers and MCP's
>
> Thank you
>
> Hugo


I hope that helps.

"Hugo" <> wrote in message
news:%...
> Hi!
>
> Server 1 has the following IP configuration
> NIC1 - 10.237.114.10
> Subnet - 255.255.255.0
> Gateway - 10.237.114.1
>
> NIC2 - 10.237.119.10
> Subnet - 255.255.255.9
>
> NIC3 - 192.168.115.10
> Subnet - 255.255.255.0
>

Also, is this server a domain controller? If it is, this is one of the big
no-no's with DCs. Never multihome a DC unless ever possible issue that can
result of such a config is resolved, such as DNS registration control, Sites
configure properly, etc.

Ace

Hi!
Thanks for the reply. The "Server 1" Iam talking about is not my internal
Domain controller. It is just one of my Virtual Server.

Iam AD/vmware admin, and I manage only our internal servers. I dont have
any access to the Corporate IT. The network for our dept is configured long
time ago. To make matters worst - I dont have any documentation to review. I
see a lot of DC's to login from my laptop but I login to only 1 - cant
really tell which forest they belong and how replication works.

I want to get some info of whats happening prior to reporting this issue to
my corporate IT. Sorry about my network terminology, will improve

Can you explain me a little bit more on:
1) No route to host - and how to resolv this?
2) Why the first time I ping .119.10 the route is not established and when I
try back after pinging .114.10, the route is established? Is it because of
the default gateway not assigned for .119 subnet?

Appreciate your help.

Hugo





"Ace Fekay [Microsoft Certified Trainer]" <>
wrote in message news:...
> "Hugo" <> wrote in message
> news:%...
>> Hi!
>>
>> Server 1 has the following IP configuration
>> NIC1 - 10.237.114.10
>> Subnet - 255.255.255.0
>> Gateway - 10.237.114.1
>>
>> NIC2 - 10.237.119.10
>> Subnet - 255.255.255.9
>>
>> NIC3 - 192.168.115.10
>> Subnet - 255.255.255.0
>>
>
> Also, is this server a domain controller? If it is, this is one of the big
> no-no's with DCs. Never multihome a DC unless ever possible issue that can
> result of such a config is resolved, such as DNS registration control,
> Sites configure properly, etc.
>
> Ace
>
>
>
>
>

"Hugo" <> wrote in message
news:...
> Hi!
> Thanks for the reply. The "Server 1" Iam talking about is not my internal
> Domain controller. It is just one of my Virtual Server.
>
> Iam AD/vmware admin, and I manage only our internal servers. I dont have
> any access to the Corporate IT. The network for our dept is configured
> long time ago. To make matters worst - I dont have any documentation to
> review. I see a lot of DC's to login from my laptop but I login to only
> 1 - cant really tell which forest they belong and how replication works.
>
> I want to get some info of whats happening prior to reporting this issue
> to my corporate IT. Sorry about my network terminology, will improve
>
> Can you explain me a little bit more on:
> 1) No route to host - and how to resolv this?
> 2) Why the first time I ping .119.10 the route is not established and when
> I try back after pinging .114.10, the route is established? Is it because
> of the default gateway not assigned for .119 subnet?
>
> Appreciate your help.
>
> Hugo
>

Hi Hugo,

It seems your network is a bit complicated as well as not enough info on how
it is setup, to give you specifics.

But as for your questions, based on what you know so far:

1. This is the ping returning what your router is telling your machine. It
doesn't know how to get to that subnet.
2. When you ping multiple times, or actually wait until the local cache is
cleared, or clear it manually (ipconfig /flushdns), and since there are
multiple records, DNS is performing a Round Robin meaning it is rotating
through the multiple IPs for that one host name. It is establishing the ping
to 114.10.x.x because it knows how to get there. The router has a static
route to it, whereas it deos not for the 119.x.x.x subnet, even though they
aer the same machine. This is something you can't do and must be done by the
infrastructure folks, if they 1. deem that it is necessary, and 2. if they
feel like it!

It sounds to me that it should be necessary, especially if they feel that
multihoming the server is necessary, they should at least make provisions so
either they establish static routes for all routers to get to it, or at
least disable DNS registration on the IP they don't want anyone to get to or
not necessary to get to because that subnet is may probably be a SAN or some
private subnet for backup purposes or something else.

Ace