Odd NSLOOKUP results & configuring forwarders

Discussion in 'DNS Server' started by SnoBoy, Apr 9, 2009.

  1. SnoBoy

    SnoBoy Guest

    Scenario: Our AD DNS servers are authoritative for the domain associated
    with our AD only. There are DNS servers that the University provides that
    are authoritative for the tamu.edu domain.

    The main symptom: When we add a new host to the tamu.edu domain, our AD DNS
    servers do not resolve the IP address using NSLOOKUP for about a week after
    it is entered into the campus DNS servers. If we start NSLOOKUP and use the
    server command to switch to one of the campus DNS servers where the host is
    registered, it resolves fine. Heck, I can even set the server for NSLOOKUP
    to a local cable company's DNS server and it can resolve the domain name I
    am using for testing!

    Configurations I have tried: I have had a stub domain for the tamu.edu
    domain and I have tried it without the stub domain. I have tried the
    internal campus DNS servers set as Forwarders. I have configured Conditional
    Forwarders for the tamu.edu domain as well, with and without the Forwarders
    set in the Properties of each of the DNS servers. I tried no forwarders and
    no conditional forwarders, relying only on the root hints. I have tried
    flushing the local cache on the AD DNS server used for the NSLOOKUP. Nothing
    seems to allow me to use NSLOOKUP with our AD DNS servers and to be able to
    immediately resolve those tamu.edu addresses until they have been active in
    the campus DNS servers for about a week.

    What could be causing these odd results?
     
    SnoBoy, Apr 9, 2009
    #1

  2. Do they manually update them on a weekly basis? If the parent domain is part
    of the forest, and you have a delegated child domain, it should happen right
    away. Otherwise, it sounds like a manual schedule. Curious, do you have a
    search suffix configured on the machine that matches the tamu.edu domain?
    That may help depending on how you are running the nslookup query. If by
    single name, nslookup will use the machine's search suffix. Same with pings.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Apr 10, 2009
    #2

  3. SnoBoy

    SnoBoy Guest

    The DNS servers associated with tamu.edu are UNIX BIND boxes and are
    completely independent of my AD structure. All I want to do is find a way to
    configure my AD DNS servers so that if they can't answer a query for a domain
    they aren't authoritative on, that they use either the root hints or possibly
    a configured forwarder. This works for every domain except for the tamu.edu
    domain and it makes zero sense to me why it would be any different.
     
    SnoBoy, Apr 10, 2009
    #3
  4. Is the AD domain a sub domain name of tamu.edu?

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 10, 2009
    #4
  5. SnoBoy

    SnoBoy Guest

    Ours ends in tamus.edu, but the tamu.edu DNS servers do have our registered
    addresses in their databases. We only register the servers and a few
    workstations; most use DHCP for addressing.
     
    SnoBoy, Apr 11, 2009
    #5
  6. So your AD domain is something like 'child.tamu.edu,' and you host the
    namespace on your server. Stubs can be problematic with a parent namespace
    of a zone the machine hosts, such as in your case. A simple forwarder should
    do the trick to the DNS servers that host the parent namespace. For nslookup
    to resolve the parent namespace, the machine it is running on should have a
    devolution search suffix for the parent namespace. Notice I do not call it a
    zone, even though it is a zone, but because of the parent hierarchical name,
    they are still separate namespaces. This would be similar to a delegation,
    but it isn't in your case. Either way, a forwarder should be fine. Try a
    conditional forwarder for the parent namespace.

    Also, when testing with nslookup, try resolving the host in the parent
    namespace by putting a period at the end of the query:
    nslookup
    hostname.tamu.edu. (<- there's a period at the end)

    As well as change the server nslookup is using to the tamu.edu DNS servers.
    nslookup
    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 11, 2009
    #6
  7. SnoBoy

    SnoBoy Guest

    Results are as inconsistent as they have been. I set up conditional forwarders
    for the domain tamu.edu and *sometimes* when the first query that I use from
    a new CMD window is "nslookup host.tamu.edu." I get the IP address, most
    times not. Even when I flush the DNS cache, results are inconsistent. I have
    never been able to follow up with a "ping hostname.tamu.edu" and have it
    successful.

    Should the domain in the Conditional Forwarders be listed as "tamu.edu" or
    "tamu.edu."?

    As soon as I can get our networking folks to reset the DNS listings for DHCP
    users, I will remove the final Windows 2003-based DNS server (has no FSMO
    roles on it). The other 4 are all running on Windows 2008 servers. Could the
    transition from 2003 to 2008 be implicated in this issue?
     
    SnoBoy, Apr 14, 2009
    #7
  8. There seems to be something else going on that I am not seeing causing the
    inconsistencies.

    The conditional forwarding should just have tamu.edu (no period). Maybe I
    can suggest a regular forwarder instead for everything (not a conditional),
    to send it to the parent DNS server.

    And no, I can't see any issues being caused by the upgrade to 2008. This is
    a DNS infrastructure issue.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 14, 2009
    #8
  9. SnoBoy

    SnoBoy Guest

    That is how I had it originally when we discovered the problem of not
    referring to forwarders. I have tried every combination and permutation of
    configurations (see first post) without success. Between this and the myriad
    of Exchange 2007 problems, I guess I might as well have my credit card on
    file with Microsoft Support.

    Before Exchange 2007, I had called MS Support once. I have called 5 times in
    the last year after exhausting all of the on-line resources. Seems to me that
    product quality control has slipped a bunch.

    Raising white flag (again).
     
    SnoBoy, Apr 15, 2009
    #9
  10. I don't think it's product quality, just a matter of DNS design. As I said,
    I am not able to see the complete picture to give a qualified answer other
    than the obvious that sticks out. I've designed elaborate DNS infrastructure
    implementations that work well, but when there is another factor involved,
    such as in universities and large companies that have separate BIND servers
    with their own administrators separate of the AD infrastructure, it
    complicates it a bit and not all information is provided by the BIND folks,
    which makes it challenging.

    I hate to see you have to burn a support call for this, but if it will help
    you, I would not hesitate to make the call.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 15, 2009
    #10
  11. SnoBoy

    SnoBoy Guest

    I don't know if this is a clue or not, but one thing I noticed - the first
    time I open a command prompt in the morning and run nslookup with my "test
    case" host I get:

    Name: dns_server.tees.tamus.edu
    Address: IP of AD DNS server returning query
    Aliases: test_host.tamu.edu
    [note that it returns the IP address of the test host & the absence of
    non-authoritative in this response]
    Server: dns_server.tees.tamus.edu
    Address: IP of AD DNS server returning query

    Non-authoritative answer:
    Name: test_host.tamu.edu

    Note that the second time it says non-authoritative. This is repeated during
    that session each time I check; opening a new CMD prompt gets
    non-authoritative as well. There is some sort of time out going on here that
    makes the first one in the morning work as expected, but one is all you get,
    apparently.

    Additionally (and so far I can't confirm this on MS Technet), someone told
    me that the AD DNS servers client IP configuration for DNS servers should be
    done like this:

    1. Each domain controller’s client DNS settings should point to 127.0.0.1
    (localhost) as the primary DNS server.
    2. Each domain controller’s client DNS settings should point to the other
    domain controllers as secondary/tertiary DNS servers.

    Can you confirm that?
     
    SnoBoy, Apr 16, 2009
    #11
  12. No, REMOVE the loopback. That was put in place automatically during the
    dcpromo process. Only use the actual IP of the DC. During a promotion, add
    the other DNS as the first. After confirming that the DC is up and running,
    point to itself FIRST, then a partner replica DC as second.

    That may explain some of the nslookup issues.

    Once you've made the changes, do this in a CMD prompt:
    ipconfig /registerdns
    net stop netlogon
    net start netlogon

    Try your nslookups again and post the results and please do not hide the
    IPs, otherwise it makes me try to guess what is going on.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 16, 2009
    #12
  13. SnoBoy

    SnoBoy Guest

    I haven't had my configuration that way while testing. It was just something
    someone had told me that I couldn't substantiate.

    I won't be able to get the full reply until tomorrow morning, but here is
    what is happening from an nslookup:

    nslookup esl-hp-ups1.tamu.edu
    Server: dc-werc.tees.tamus.edu
    Address: 165.91.144.135

    Non-authoritative answer:
    Name: esl-hp-ups1.tamu.edu

     
    SnoBoy, Apr 16, 2009
    #13

  14. I can understand the non-authoritative answer. It appears the machine you are
    running the nslookup on obviously is using 165.91.144.135 as its DNS server.
    Is that the IP of the DC in your AD infrastructure that we've been
    discussing?

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 16, 2009
    #14
  15. SnoBoy

    SnoBoy Guest

    Yes, it is. Am I just misunderstanding this whole thing - if my AD DNS server
    can't answer a query for hostnames it is not responsible for, it is supposed
    to check with the forwarder, then return the reply from the forwarder, right?
    It doesn't make sense to me that it works just once when I log in in the
    morning, then it is stupid the rest of the day.
     
    SnoBoy, Apr 16, 2009
    #15
  16. Which as well doesn't make sense to me.

    If you used the server switch in nslookup to change the server nslookup is
    using from your server to the forwarder, do the results differ? Also when
    you get a result, hit the arrow up button (to repeat the command) and hit
    enter again. Do it a few times repeatedly and quickly. This will invoke
    Round Robin if there are multiple IPs for the same hostname. If the results
    change, meaning the IPs change or get reordered, then it tells me there are
    multiple records for the same hostname.

    nslookup
    server (theForwarder'sIP)
    query

    hit arrow up, repeat

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 16, 2009
    #16
  17. SnoBoy

    SnoBoy Guest

    When I switch the nslookup to the forwarder, it works correctly the first
    time and every time thereafter, no matter how fast I hit up arrow and enter.
    It works that way for each of the three forwarder addresses I am using.

    Example with the third forwarder:
    Server: dns-cache-3.net.tamu.edu
    Address: 128.194.254.3

    Name: esl-hp-ups.tees.tamus.edu
    Address: 165.91.211.228
    Aliases: esl-hp-ups1.tamu.edu
     
    SnoBoy, Apr 16, 2009
    #17

  18. What is esl-hp-ups1.tamu.edu? Is it your DC? Why is it coming up as an
    alias?
     
    Ace Fekay [Microsoft Certified Trainer], Apr 16, 2009
    #18
  19. SnoBoy

    SnoBoy Guest

    It isn't a DC - it is a UPS with an ethernet port. This was set up by an
    admin who first called this problem to my attention - the reason the
    esl-hp-ups1.tamu.edu shows as an alias is that it is apparently a CNAME
    registered on the BIND servers (forwarders). Other hosts with primaries of
    tees.tamus.edu domain with CNAMEs on the tamu.edu namespace do return correct
    information. For example, here is the NSLOOKUP result for a server that has
    been around a while:
    Name: collaborate.tees.tamus.edu <-- primary host name
    Address: 165.91.144.171
    Aliases: collaborate.tamu.edu <-- CNAME
     
    SnoBoy, Apr 16, 2009
    #19
  20. I see. I hate to say it so late in the game, and should have asked earlier
    if it is a CNAME, but for the most part, many engineers avoid using CNAMEs
    for a number of reasons, besides the confusion it can cause, also because of
    the sometimes undesired results that occur, especially when Windows is
    involved and domain communications because the CNAME does not match the
    NetBIOS name, which I know is not a factor in your case, but can cause
    issues with connectivity.

    If the BIND admin made it an A record, I bet the problem will disappear.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 16, 2009
    #20
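As an added example (not code from either poster), a small Python script that parses nslookup replies shaped like the ones quoted in posts #13 and #17, flags the empty non-authoritative answer from the DC, reports when the queried name came back as an alias whose canonical name sits in a zone the DC itself hosts (the CNAME pattern Ace suggests replacing with an A record), and runs Ace's repeat-the-query check from post #16 for round robin. The hosted-zone list is an input you supply; the sample outputs are constructed from the thread, not captured.

```python
import re

# Constructed nslookup outputs modelled on the replies quoted in the thread (not captured).
# The AD DC answers "Non-authoritative" with no address; the forwarder follows the CNAME
# to a canonical name inside the zone the DC hosts (tees.tamus.edu).
AD_DC_REPLY = """Server:  dc-werc.tees.tamus.edu
Address:  165.91.144.135

Non-authoritative answer:
Name:    esl-hp-ups1.tamu.edu
"""
FORWARDER_REPLY = """Server:  dns-cache-3.net.tamu.edu
Address:  128.194.254.3

Name:    esl-hp-ups.tees.tamus.edu
Address:  165.91.211.228
Aliases:  esl-hp-ups1.tamu.edu
"""

def parse_nslookup(text):
    """Return server, AA flag, canonical name, addresses and aliases from one nslookup reply."""
    head, _, body = text.partition("\n\n")      # blank line separates server block from answer
    m = re.search(r"^Server:\s*(\S+)", head, re.M)
    ans = {"server": m.group(1) if m else None,
           # nslookup prints this banner when the AA bit is not set on the reply
           "authoritative": not body.lstrip().startswith("Non-authoritative answer:"),
           "name": None, "addresses": [], "aliases": []}
    for key, val in re.findall(r"^(Name|Address|Aliases):\s*(.+)$", body, re.M):
        if key == "Name":
            ans["name"] = val.strip()
        elif key == "Address":
            ans["addresses"].append(val.strip())
        else:
            ans["aliases"].extend(v.strip() for v in val.split(","))
    return ans

def cname_into_hosted_zone(answer, query, hosted_zones):
    """If `query` came back as an alias of a name in a zone this DC hosts, return that zone."""
    if query in answer["aliases"] and answer["name"] and answer["name"] != query:
        for zone in hosted_zones:
            if answer["name"].endswith("." + zone):
                return zone
    return None

def round_robin_detected(replies):
    """Ace's repeat-the-query test: True if the address list changes between repeated replies."""
    seen = {tuple(parse_nslookup(r)["addresses"]) for r in replies}
    return len(seen) > 1

if __name__ == "__main__":
    fw = parse_nslookup(FORWARDER_REPLY)
    print("DC returned addresses:", parse_nslookup(AD_DC_REPLY)["addresses"])
    print("CNAME lands in hosted zone:", cname_into_hosted_zone(fw, "esl-hp-ups1.tamu.edu", ["tees.tamus.edu"]))
```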