Windows 2003 DNS Server freezes

Discussion in 'DNS Server' started by Gustav Almstrom, Oct 17, 2004.

  1. Ok, can someone please help me with this, I have been battling with this
    problem for _months_ and can't seem to find any explanation for it...

    My setup is as follows:

    Cable connection to the internet with static IP address
    Router from the cable modem so I can share the connection to multiple
    computers
    Switch connected to the router
    Windows 2003 Server connected to the switch.
    DNS Server running on the server
    Various other computers also connected to the switch

    I have one local domain defined in the DNS server, almstrom.org, I have
    both forward and reverse stuff for all the computers on the network

    Now to my problem...
    At random intervals, the DNS server just stops responding. I have the
    server set as primary dns on my other machines, and when I do "nslookup" on
    them all I get is the following:

    DNS request timed out.
    timeout was 2 seconds.
    *** Can't find server name for address 192.168.0.20: Timed out
    *** Default servers are not available
    Default Server: UnKnown
    Address: 192.168.0.20

    And it won't resolve any addresses. If I restart the dns server, everything
    works just fine for anywhere between 5 minutes and 5 hours, then it stops
    responding again. In the event viewer there is _nothing_ that indicates a
    problem with the DNS server.

    So please help me before I throw this crap out and replace it with bind or
    something....
     
    Gustav Almstrom, Oct 17, 2004
    #1
  2. Hi Gustav,

    Is the DNS server service running when the server stops responding to
    clients? I assume so since if the service were to stop you would see
    something in the event logs.

    Just to check, you're running the server with the static IP 192.168.0.20,
    right? How about a ping to that IP?

    What about when the DNS server 'freezes' if you do an NSLookup on that
    machine itself? Can it perform a recursive query?

    Instead of restarting the server itself, how about cycling (disable then
    enable) the NIC? Does that help? If so, maybe faulty hardware or driver.
    How about cycling the DNS Server service?

    HTH,
    =d=
     
    Dana Brash, Oct 17, 2004
    #2
  3. It is running.
    It pings fine, I can connect with Remote Desktop to it without any problems.
    You mean if I run nslookup on the win2003 server? Same thing, since the
    server is using the "broken" dns server as its dns, it won't resolve
    anything.
    Sorry, my bad, I meant restarting the DNS Server, as in restarting the
    service.
     
    Gustav Almstrom, Oct 17, 2004
    #3
  4. I've fixed similar problems on my system by replacing a sporadically bad
    NIC. Did you try cycling the NIC?

    thanks,
    =d=
     
    Dana Brash, Oct 17, 2004
    #4
  6. The nslookup message (not really an error) is just telling you the PTR
    entry for the DNS server's IP is missing. Create a PTR for it, and that will
    go away.

    You stated:
    Does that mean you are using your ISP's DNS address as well? If you are
    using it, that can cause the whole problem.

    Keep in mind, all machines in an AD infrastructure must ONLY use your
    internal DNS, no others. Configure a forwarder to your ISP's DNS for
    efficient Internet resolution. This way all machines will ask your DNS, and
    if it doesn't have the answer, it will ask the ISP and provide the answer to
    the internal machines.

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Security Is Like An Onion, It Has Layers
    HAM AND EGGS: A day's work for a chicken;
    A lifetime commitment for a pig.
     
    Ace Fekay [MVP], Oct 18, 2004
    #6
  7. Well, the dns-server doesn't resolve anything, not the zones I have on it,
    nor any external addresses, so something is really wrong...

    Right. I am only using the Windows 2003 dns server as dns server for my
    clients, I have my isps servers as forward-servers. The problem is, when
    the Win2003 dns server dies, all my clients are effectively cut off from
    the internet :(
     
    Gustav Almstrom, Oct 18, 2004
    #7
  8. Do you have a firewall? A PIX? It may be an EDNS0 issue as well.

    828731 - An External DNS Query May Cause an Error Message in Windows Server
    2003:
    http://support.microsoft.com/?id=828731

    Ace
     
    Ace Fekay [MVP], Oct 18, 2004
    #8
  9. Also, forgot to ask, are there any other services, apps or anything else on
    it?

    Do the ISP DNS servers you are using support recursion (allowed to forward
    to)? If you can post their IPs, we can test them for you.

    Ace
     
    Ace Fekay [MVP], Oct 18, 2004
    #9
  10. Okay, this is a follow-up to this problem... Had some other hardware problems
    here, completely unrelated, but I haven't really been able to write
    anything up until now.

    Anyways.. My system has been running along nicely now for about a week.
    The solution was to create two dns-servers. The first one handles _only_
    the almstrom.org domain internally. It doesn't do any kind of resolving for
    other addresses. The other DNS-server does Internet lookups. My clients
    have been configured to query them both, first the one with only the
    almstrom.org domain, then the other.

    What kinda bothers me is that you can only run one (Microsoft) DNS-server
    on a server. Instead of adding another machine I thought it would be easier
    to just add another IP to the server and create a DNS server that listened
    on only that IP. That wasn't possible using Microsoft's DNS; I am currently
    testing a few third-party dns-servers that have this capability.
     
    Gustav Almstrom, Oct 29, 2004
    #10
  11. Just ensure that the 3rd-party version supports AD's requirements.

    Keep in mind, if you are using this DNS server (MS DNS or Bind - which
    supports 'views', or any other 3rd party DNS), to host a public zone, it's
    not wise to expose the AD's DNS server to the Internet.

    Ace
     
    Ace Fekay [MVP], Oct 30, 2004
    #11
  12. Actually, the way I have it set up now, the 3rd-party server doesn't have
    to understand Active Directory at all.
    My local domain is almstrom.org, the Microsoft DNS is configured with all
    the addresses I need for my AD, all in the 192.168.0.x series, and that's
    _all_ it resolves, nothing else. When clients query it for external stuff
    they get an error. The second, 3rd-party server resolves nothing but
    external stuff. I have the "internal" server as primary and the "external"
    as secondary, so all *.almstrom.org traffic is resolved by the internal
    server, and everything else is taken care of by the 3rd-party server.
    Also, neither of these servers is public, so there shouldn't be any
    security issues.
     
    Gustav Almstrom, Oct 31, 2004
    #12
  13. You should not do it this way; you have to remember that if one of your DNS
    servers answers back "not found", the query stops and the other DNS will not
    be queried.
    It would be OK for all the internal clients to point to only the internal
    DNS, then set the external DNS as its forwarder. If the external DNS does
    not have a zone for the AD domain, it should not be used for internal
    clients, period.

    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Oct 31, 2004
    #13
  14. As Kevin said, this is not the way to do it. You pretty much *MUST* only use
    the MS DNS (or whatever DNS server you have that hosts the AD zone) ONLY.
    Otherwise, other issues can arise from this. You can peruse this newsgroup
    regarding this fact; it's been posted multiple times by various people, along
    with the errors that result from incorrectly configuring a system.

    If you have multiple DNS addresses in your IP properties, keep in mind, the
    client resolver service works by checking the first entry; if it results in
    a time out on the response, then it goes to the second one, but not back to
    the first one, unless you restart the machine, or restart the DNS client
    side service. If the first one responds, even if it's an NXDOMAIN response
    (negative response), it looks at that as the answer, and won't ask again.
    From what you are saying, your MS DNS has recursion disabled? My feeling, if
    you haven't been getting any errors in the Event viewer regarding Netlogon,
    NTFRS, and other AD errors, is that the MS DNS is using the Root hints.

    All machines, (DCs, member servers and clients), must only use the DNS that
    holds the AD zone. Configure a forwarder (to your other DNS), to efficiently
    resolve other names.

    Ace
     
    Ace Fekay [MVP], Nov 2, 2004
    #14
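    The resolver behaviour Ace describes above, as an added illustration that is not part of the thread: a small Python model of a client with two DNS entries, built on constructed zone data (only 192.168.0.20 comes from the thread; that the internal-only server answers NXDOMAIN for outside names is an assumption following post #16). It contrasts the split layout from post #12 with the forwarder layout Ace and Kevin recommend.

```python
from dataclasses import dataclass
from typing import Optional

NXDOMAIN, TIMEOUT = "NXDOMAIN", "TIMEOUT"

@dataclass
class DnsServer:
    zones: dict                              # zone name -> {fqdn: ip}, authoritative data
    forwarder: Optional["DnsServer"] = None  # where non-authoritative queries are sent
    alive: bool = True                       # False models the "frozen" server in the thread

    def query(self, fqdn):
        if not self.alive:
            return TIMEOUT
        for zone, records in self.zones.items():
            if fqdn == zone or fqdn.endswith("." + zone):
                return records.get(fqdn, NXDOMAIN)   # authoritative: never forwards
        if self.forwarder is not None:
            return self.forwarder.query(fqdn)
        return NXDOMAIN   # assumption: no zone and no forwarder gives a negative answer

@dataclass
class Client:
    servers: list      # the DNS entries in the IP properties, in order
    current: int = 0   # the resolver keeps using this index until it is restarted

    def resolve(self, fqdn):
        while self.current < len(self.servers):
            answer = self.servers[self.current].query(fqdn)
            if answer != TIMEOUT:
                return answer      # NXDOMAIN is an answer: the next server is not asked
            self.current += 1      # time-out: fail over to the next entry and stay there
        return TIMEOUT

# Constructed sample zone data (not the thread's real records)
INTERNAL_ZONE = {"almstrom.org": {"server.almstrom.org": "192.168.0.20"}}
EXTERNAL_ZONE = {"example.com": {"www.example.com": "203.0.113.10"}}

def split_setup(internal_alive=True):
    """Post #12: internal-only server listed first, Internet-only server second."""
    internal = DnsServer(INTERNAL_ZONE, alive=internal_alive)
    external = DnsServer(EXTERNAL_ZONE)
    client = Client([internal, external])
    return client.resolve("server.almstrom.org"), client.resolve("www.example.com")

def forwarder_setup():
    """Posts #6, #13, #14: clients use only the AD DNS, which forwards the rest."""
    external = DnsServer(EXTERNAL_ZONE)
    internal = DnsServer(INTERNAL_ZONE, forwarder=external)
    client = Client([internal])
    return client.resolve("server.almstrom.org"), client.resolve("www.example.com")
```

With the split layout an external name gets NXDOMAIN from the first server and stops there, and once the internal server times out the client sticks to the external server and can no longer resolve the AD zone; with the forwarder layout both names resolve from the single entry.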
  15. Um, well, this is how I have it set up now, and it's working :)
    This was how I had it set up earlier, but Microsoft's DNS-server got borked
    for some reason, probably because my domain (almstrom.org) points to
    192.168.0.20 internally, and externally it points to 83.249.192.208.

    If you read back you can see that if I have it set up like you suggest, the
    MS DNS server just stops responding after a while, no error messages or
    anything.
     
    Gustav Almstrom, Nov 2, 2004
    #15
  16. My guess at this juncture is that this may be the point at which it received
    an NXDOMAIN response, meaning that it got an answer, but the answer is null;
    nonetheless it is an answer, therefore it will not look onward.

    Ace
     
    Ace Fekay [MVP], Nov 3, 2004
    #16