Primary DNS resolution slow if PDC role DC is down

Hello,
In my environment I'm running purely Windows Server 2012 in a two-site environment. I run a single domain infrastructure with my main site that has 2 domain controllers (one has all FSMO roles), and a second site which has a single domain controller. I've been looking all over the forums for a related topic, but haven't read anything that fits my scenario. Basically what happens is, if the DC that has FSMO roles (specifically PDC) goes offline, or if I were to turn the DNS service off, all devices would take forever for DNS resolution. Another scenario (which is essentially the same) is if the VPN tunnel between the two sites goes down, all clients at site 2 would take a while for DNS resolution. If those clients launch their browser, any website they go to takes 5-10 seconds to load. They could reboot their PC, and do ipconfig /flushdns, and even though those clients' DNS settings point to the DC at site 2 as primary DNS, it takes a while. As soon as the PDC server is restored everything is back to normal. Quite frequently the VPN tunnel will go down, leaving very slow responses at site 2. Oddly enough, if the tunnel were to go down, and I logged into the DC at site 2, if I were to ping various domains the response would take 5 or so seconds. Is this normal to occur? If not, how could I possibly remedy this? My assumption is that, if the primary DNS were to go down, or in this case the PDC server goes down, one of the secondary servers would kick in. I appreciate any light you can shed on this issue.
Ken

I agree with Meinolf. It's not always the fault of the DNS or PDC or whatever DC is in question. A lot of it is due to the client side resolver algorithm. Here are more specifics on how the whole process works - and note that this applies to all operating systems, Windows, Linux, Unix, BEOS..... because they all follow the RFCs defining how client side resolvers work.
This blog discusses:
• WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB). Troubleshooting the browser service.
• Client side resolution process chart.
• The DNS Client Side Resolver algorithm.
• If one DC or DNS goes down, does a client logon to another DC or use the other DNS server in the NIC?
• DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarder or more than one IP in the NIC's DNS list)
Published by Ace Fekay, MCT, MVP DS on Nov 29, 2009 at 10:28 PM
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
DNS Clients and Timeouts (Part 1 & Part 2), karammasri [MSFT] Dec 2011 6:18 AM
http://blogs.technet.com/b/stdqry/archive/2011/12/02/dns-clients-and-timeouts-part-1.aspx
http://blogs.technet.com/b/stdqry/archive/2011/12/15/dns-clients-and-timeouts-part-2.aspx
DOMAIN NAMES - CONCEPTS AND FACILITIES - Discusses local resolvers.
http://tools.ietf.org/html/rfc882
=============
To add on how the client resolver picks a nameserver, below is a link to a discussion that points out the following - and please note, the operative point in the first bullet point indicates "equivalent," meaning that all DNS servers you enter into a NIC must all reference the same exact data, so you can't mix nameservers with different data and expect the client to try all of them.
• by RFC, all nameservers in a zone's delegation are equivalent
• they are indistinguishable to the client
• clients are allowed to choose the NS to query with whichever policy they wish
• if any picked server fails to respond (e.g. "ns3"), then the next server is picked among the remaining set (e.g. ns1 and ns2) according to the policy
• often clients use sophisticated policies that "score" servers and pick more often the ones that replied faster
• as a by-product, in practice this policy makes caches favor "nearest" servers
That was quoted from:
When is a secondary nameserver hit?
http://serverfault.com/questions/130608/when-is-a-secondary-nameserver-hit
===============
So you have to check when the first DNS goes down, not all directory enabled apps can handle it. opened.
Another issue is that the client has bound to the logon server during the DC Locator process. That's difficult to mess with other than restarting the machine...
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
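
To see which entry in a client's DNS server list is the one that stalls, each server can be queried directly and timed. The script below is an added example, not part of the original thread: it uses only the Python standard library, assumes IPv4 servers, and its `sequential_wait` is a simplified model of "try the next server when the picked one fails to respond" (the real Windows retry schedule is described in the linked "DNS Clients and Timeouts" posts). The server addresses and the queried name are placeholders.

```python
import secrets
import socket
import struct
import time


def build_query(name, txid=0x1234, qtype=1):
    """Encode a recursive DNS query (RFC 1035) for `name`; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def probe(server, name, timeout=2.0, port=53):
    """Query one server directly over UDP.

    Returns (latency_seconds, rcode), or (None, None) when no valid
    response arrives within `timeout`.
    """
    query = build_query(name, txid=secrets.randbelow(65536))
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        start = time.monotonic()
        try:
            # connect() makes the socket accept datagrams from this peer only.
            sock.connect((server, port))
            sock.send(query)
            while True:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    return None, None
                sock.settimeout(remaining)
                data = sock.recv(4096)
                # Accept only a response (QR bit set) with our transaction ID.
                if len(data) >= 12 and data[:2] == query[:2] and data[2] & 0x80:
                    return time.monotonic() - start, data[3] & 0x0F
        except OSError:  # timeout, unreachable network, refused port
            return None, None


def probe_all(servers, name, timeout=2.0):
    """Probe every configured server, keeping the order of the NIC's list."""
    results = []
    for server in servers:
        latency, rcode = probe(server, name, timeout)
        results.append({"server": server, "latency": latency, "rcode": rcode})
    return results


def sequential_wait(results, timeout=2.0):
    """Seconds a resolver that walks the list in order, waiting `timeout`
    on each silent server, spends before its first answer.
    Returns None when no server answered at all."""
    waited = 0.0
    for r in results:
        if r["latency"] is not None:
            return waited + r["latency"]
        waited += timeout
    return None


if __name__ == "__main__":
    # Placeholder addresses: replace with the DNS servers configured on the
    # NIC, in the same order, and with a name the servers should resolve.
    servers = ["192.0.2.10", "192.0.2.11"]
    results = probe_all(servers, "example.com", timeout=2.0)
    for r in results:
        state = "no reply" if r["latency"] is None else f"{r['latency'] * 1000:.0f} ms"
        print(f"{r['server']:<15} {state}  rcode={r['rcode']}")
    print("wait before first answer:", sequential_wait(results, timeout=2.0))
```

Run it on a site 2 client while the tunnel is down: a server that shows "no reply" ahead of the first responsive one is the source of the wait.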

Similar Messages

  • SBS 2011 DNS Resolution Slow

    I have a customer running SBS2011 Standard. We've had problems with slow DNS resolution for a very long time. When users on their workstations go to a web site in IE, it usually takes a couple of seconds to load the site. The best example of the problem is on Yahoo!. When users click a link there, IE will spin for a while and then time out. If they click on the link again, it usually loads the second time.
    We recently switched internet providers and I was hoping that might resolve the issue, but it has not. The server is up-to-date as of a month or so ago and I've run BPA and the only issue there is with WSUS Group Policy objects, which I don't care about. I wouldn't think this would be related to that. There are no errors in the DNS logs. This server was originally a clean install of a new domain, not a migration.
    I have Forwarders configured and have tried using the DNS servers of the old ISP, the new ISP and OpenDNS. No improvement with any of those changes. On the Monitoring tab of the DNS server properties, "A simple query against this DNS server" and "A recursive query to other DNS server" both fail every time. If I get rid of the Forwarders, those queries still fail and DNS resolution at the clients is still slow.
    I know there was a DNS issue that was reported by the BPA a while ago and I fixed that. I think it was a registry setting that needed to be adjusted, but I can't recall the details right now.
    I ran DCDIAG last night and was receiving messages about running Chkdsk to fix errors. I was hopeful that that would fix something, but I'm no longer getting that message. Now, the only errors in DCDIAG are SystemLog errors about not being able to contact a machine that has been off the network for a while.
    Restarting the server or just the DNS server has never helped.
    My server has a PTR record in the reverse lookup zone and a static A record in the Forward Lookup Zone.
    When I run NSLookup, it only responds with
    Default Server:  UnKnown
    Address:  fe80::9fcf:d19d:a86e:46cd
    On another SBS server that I have, it has all of this information:
    x.x.2.0.3.x.8.6.x.x.x.2.0.d.f.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.x.x.ip6.arpa
            primary name server = localhost
            responsible mail addr = nobody.invalid
            serial  = 1
            refresh = 600 (10 mins)
            retry   = 1200 (20 mins)
            expire  = 604800 (7 days)
            default TTL = 10800 (3 hours)
    Default Server:  UnKnown
    Address:  fe80::dfd0:2dca:68f3:2cf
    Is that a helpful clue?  Where do I start with troubleshooting and/or checking settings?
    Any help would be appreciated.
    Thanks,
    Mike

    I would certainly change the router, just to rule it out.
    Have you run the SBS BPA and fixed any issues it highlights?
    If pointing a client directly to an external DNS improves, but does not fully resolve, I would be inclined to say the Server is 'ok' and that it may be the router at fault.
    It has been too long since I looked at a ProSafe router, but there may well be some firewall settings you can tweak.
    Robert Pearman SBS MVP
    itauthority.co.uk

  • Slow DNS resolution

    Folks;
    *I have Mac OS X Leopard 10.5.6, up to date, and for the past few days DNS resolution has been very slow, about 5 seconds to resolve names.*
    *For example :*
    # ping test.com
    *(wait 5 seconds)*
    PING test.com (205.178.152.103): 56 data bytes
    *Of course it also happens in Firefox and in all other internet applications. Each time I load a web page, I have to wait 5 seconds...*
    *If I try a few seconds later, it answers immediately, but a few minutes later, it again takes 5 seconds to resolve the name.*
    *I'm not sure, and maybe it's just a coincidence, but it came just after the installation of Adobe Photoshop 4.*
    *I'm thinking of a virus or some mysterious Mac OS parameters ...*
    *I tried* dscacheutil -flushcache *with no effect.*
    *My /etc/hosts is :*
    nameserver 212.27.40.240
    *I only have 1 DNS server, and when I try :*
    nslookup test.com 212.27.40.240
    *It answers immediately :*
    Server: 212.27.40.240
    Address: 212.27.40.240#53
    Non-authoritative answer:
    Name: test.com
    Address: 205.178.152.103
    *I tried with many other DNS servers and also with a local DNS server (bind) with the same result.*
    *The output of :*
    # dscacheutil -statistics
    Overall Statistics:
    Average Call Time - 1.298089
    Cache Hits - 1813
    Cache Misses - 1888
    Total External Calls - 2662
    Statistics by procedure:
    Procedure Cache Hits Cache Misses External Calls
    getpwnam 151 15 166
    getpwuid 842 34 876
    getpwent 0 0 2
    getgrnam 38 18 56
    getgrgid 15 16 31
    getgrent 0 0 2
    getservbyname 7 5 7
    getservent 0 0 6
    getprotobyname 0 2 2
    getfsent 0 0 14
    getaddrinfo 0 0 1117
    getnameinfo 53 189 242
    gethostbyname 537 591 42
    gethostbyaddr 16 71 87
    gethostbymac 5 4 9
    _flushcache 0 0 3
    *As you can see, "Average Call Time" is very high, it should be 0.0xxxxx*
    *ifconfig output :*
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
    stf0: flags=0 mtu 1280
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:1b:63:96:ab:e1
    media: autoselect status: inactive
    supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP <full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> none
    fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
    lladdr 00:1c:b3:ff:fe:86:88:46
    media: autoselect <full-duplex> status: inactive
    supported media: autoselect <full-duplex>
    en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
    ether 00:1b:63:ca:a9:93
    media: autoselect status: active
    supported media: autoselect
    *dtruss output :*
    *tcpdump output (with # ping ita.fr) :*
    # tcpdump -i en1
    00:26:06.469246 IP 192.168.0.10.49985 > 192.168.2.1.domain: 64308+ A? ita.fr. (24)
    00:26:06.486473 IP 43.242.3.202.dial.dyn.mana.pf.22369 > 192.168.0.10.42567: UDP, length 85
    00:26:06.487552 IP 192.168.0.10.42567 > 43.242.3.202.dial.dyn.mana.pf.22369: UDP, length 35
    00:26:07.277453 IP 192.168.0.10.49938 > 192.168.2.1.domain: 44176+ PTR? 43.242.3.202.in-addr.arpa. (43)
    00:26:09.346380 IP 192.168.0.10.ntp > time4.euro.apple.com.ntp: NTPv4, Client, length 48
    00:26:09.541593 IP time4.euro.apple.com.ntp > 192.168.0.10.ntp: NTPv4, Server, length 48
    00:26:11.467716 IP 192.168.0.10.61034 > dns1.proxad.net.domain: 64308+ A? ita.fr. (24)
    00:26:11.469940 arp who-has 192.168.0.10 tell 192.168.0.254
    00:26:11.469996 arp reply 192.168.0.10 is-at 00:1b:63:ca:a9:93 (oui Unknown)
    ^C
    *ps aux output :*
    *Many thanks for your help.*

    fanzila wrote:
    Thanks for your help nerowolfe.
    If I ping or put in browser any IP, it answer immediately. It's just the resolution.
    Then the problem lies with your DNS, perhaps your ISP DNS are simply slow.
    I use OpenDNS servers in my router and computer and have very little latency.
    Here is their webpage
    http://www.opendns.com/solutions/homenetwork/
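
The tcpdump capture in the question already shows where the 5 seconds go: query 64308 for ita.fr is sent to 192.168.2.1 and then sent again, with the same ID, to dns1.proxad.net about five seconds later. The parser below is an added example, not part of the original posts: it pairs such repeated queries in tcpdump text output and reports the delay and which server was tried first. The regular expressions cover the default tcpdump DNS line layout seen in that capture; the function names are this example's own.

```python
import re
from collections import defaultdict

# tcpdump lines copied from the capture in the question above (ping ita.fr).
CAPTURE = [
    "00:26:06.469246 IP 192.168.0.10.49985 > 192.168.2.1.domain: 64308+ A? ita.fr. (24)",
    "00:26:06.486473 IP 43.242.3.202.dial.dyn.mana.pf.22369 > 192.168.0.10.42567: UDP, length 85",
    "00:26:06.487552 IP 192.168.0.10.42567 > 43.242.3.202.dial.dyn.mana.pf.22369: UDP, length 35",
    "00:26:07.277453 IP 192.168.0.10.49938 > 192.168.2.1.domain: 44176+ PTR? 43.242.3.202.in-addr.arpa. (43)",
    "00:26:09.346380 IP 192.168.0.10.ntp > time4.euro.apple.com.ntp: NTPv4, Client, length 48",
    "00:26:09.541593 IP time4.euro.apple.com.ntp > 192.168.0.10.ntp: NTPv4, Server, length 48",
    "00:26:11.467716 IP 192.168.0.10.61034 > dns1.proxad.net.domain: 64308+ A? ita.fr. (24)",
    "00:26:11.469940 arp who-has 192.168.0.10 tell 192.168.0.254",
    "00:26:11.469996 arp reply 192.168.0.10 is-at 00:1b:63:ca:a9:93 (oui Unknown)",
]

_TS = r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP6? "
# Query:    client.port > server.domain: <id>[flags] [opts] <type>? <name> (len)
QUERY_RE = re.compile(
    _TS + r"(?P<client>\S+)\.\w+ > (?P<server>\S+)\.(?:domain|53): "
    r"(?P<txid>\d+)[+%]* (?:\[[^\]]*\] )?(?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+) "
)
# Response: server.domain > client.port: <id>[flags] ...
RESPONSE_RE = re.compile(
    _TS + r"(?P<server>\S+)\.(?:domain|53) > (?P<client>\S+)\.\w+: (?P<txid>\d+)[*|$-]* "
)


def _seconds(m):
    return int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])


def parse(lines):
    """Return (queries, answered): query dicts in capture order, and the set
    of (client, server, txid) triples for which a response was captured."""
    queries, answered = [], set()
    for line in lines:
        line = line.strip()
        q = QUERY_RE.match(line)
        if q:
            queries.append({"t": _seconds(q), "client": q["client"],
                            "server": q["server"], "txid": int(q["txid"]),
                            "qtype": q["qtype"], "qname": q["qname"]})
            continue
        r = RESPONSE_RE.match(line)
        if r:
            answered.add((r["client"], r["server"], int(r["txid"])))
    return queries, answered


def find_failovers(lines, min_delay=1.0):
    """Report queries repeated to a different server after >= min_delay s."""
    queries, answered = parse(lines)
    attempts = defaultdict(list)
    for q in queries:
        # The source port changes between attempts, so it is not in the key.
        attempts[(q["client"], q["txid"], q["qtype"], q["qname"])].append(q)
    findings = []
    for tries in attempts.values():
        for prev, cur in zip(tries, tries[1:]):
            delay = (cur["t"] - prev["t"]) % 86400  # capture may cross midnight
            if cur["server"] != prev["server"] and delay >= min_delay:
                findings.append({
                    "qname": cur["qname"], "qtype": cur["qtype"],
                    "txid": cur["txid"], "first_server": prev["server"],
                    "next_server": cur["server"], "delay": round(delay, 6),
                    "first_answered":
                        (prev["client"], prev["server"], prev["txid"]) in answered,
                })
    return findings


def unanswered(lines):
    """Queries for which the capture holds no response from the queried server."""
    queries, answered = parse(lines)
    return [q for q in queries
            if (q["client"], q["server"], q["txid"]) not in answered]


if __name__ == "__main__":
    for f in find_failovers(CAPTURE):
        print(f"{f['qtype']} {f['qname']} id={f['txid']}: {f['first_server']} "
              f"gave no usable answer, retried at {f['next_server']} "
              f"after {f['delay']:.3f}s")
    for q in unanswered(CAPTURE):
        print(f"unanswered: {q['qtype']} {q['qname']} -> {q['server']}")
```

Capturing with `tcpdump -n` keeps server addresses numeric, so a server is not listed once by name and once by IP.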

  • Slow DNS Resolution using Time Capsule

    Hello,
    I'm using a time capsule as my main internet router and wireless access point, and I've noticed a significant delay before web pages begin to download.  In trying to troubleshoot this, I came across a very helpful utility called the Netalyzr from Berkeley.  Using this tool, I'm able to see that there is a significant delay in name lookups using the time capsule DNS proxy capability.  There's not a lot of documentation on this, but it appears that instead of handing clients the designated DNS servers configured in DHCP, it hands out its own address to the clients as the DNS server and makes the DNS request to the configured servers.  I've included the verbiage from the Netalyzr tool below.
    Your ISP's DNS resolver requires 2200 msec to conduct an external lookup. It takes 81 msec for your ISP's DNS resolver to lookup a name on our server.
    This is particularly slow, and you may see significant performance degradation as a result. 
    As you can see, this causes almost a 2.5 second "pause" before the lookup is even returned.  However, if I hard code the designated DNS servers into this client (Macbook air running Lion), I get the following result.
    Your ISP's DNS resolver requires 110 msec to conduct an external lookup. It takes 81 msec for your ISP's DNS resolver to lookup a name on our server. 
    This is a significant improvement over the lookup using the proxy capabilities of the Time Capsule.  This leads me to believe that the DNS "proxying" that the time capsule is doing is really slow.
    I'm using opendns as my provider in both scenarios.
    Is this a known issue, and if so, is there an existing fix or a planned fix for this?
    Best,
    Eric

    Frankly I just don't believe those analysers.. not until I can prove it myself.
    Do a very simple test..
    Open terminal  and ping a website you have never opened before.
    You should do this from a PC or Mac on the network using ethernet. Just to keep crummy wireless responses out of it. And do it without internet activity going on.
    Do it a second time, and it should be instantaneous now having the address resolved and held in the cache.
    If you get a significant lag before the address is resolved to actual IP, there may be something wrong. And the first test then would be to change the DNS server to your local ISP not opendns.. because the routing to opendns might also be an issue.
    You can also test by removing the TC from the network..plug a computer directly to the modem and just browse.. compare that to speed with the TC. I know it isn't exactly scientific but a 2.5sec delay in dns resolution you will notice it. It is important to connect to stuff that is outside your normal pattern. Otherwise it should just be in the cache.
    Otherwise it is unlikely to really exist.

  • Problem: Slow Intranet Sites/Internal DNS Resolution for only AD Users

    Hello,
    We are experiencing a very odd problem.
    Any and All Active Directory users are experiencing very slow intranet sites.
    We are a school corporation, so this is affecting our Student Information System, as it is entirely web-based and locally hosted.
    All of our Domain Controllers are Windows Server 2012 R2, with all the latest critical updates.
    All client workstations are Windows 8.1 Professional.
    The problem occurs with ALL web browsers (IE, Chrome, FF, etc)
    All DNS queries respond in <1 ms (no matter whether we are logged in as AD User or local computer user).
    If we login as local computer user, we have blazing fast intranet sites/DNS resolution.
    If we login as AD user, everything crawls again... every click on the intranet site spins and says loading for up to 15 seconds.
    If we add the intranet site to the local computer HOST file, it is blazing fast, just as if we logged on as local computer user.
    If we take it back out of the HOST file, it drags again.
    I am totally stumped!
    Any help is appreciated.
    Thanks!

    Hi,
    How are DNS settings configured?
    If there are any public DNS IP addresses in Preferred or Alternate field, please remove them, then input these DNS entries in the Advanced section. We should only configure Domain Controllers’ IP addresses on Preferred and Alternate DNS server section for domain-joined machines.
    More information for you:
    Active Directory’s Reliance on DNS, and using an ISP’s DNS address
    http://blogs.msmvps.com/acefekay/2009/08/17/ad-and-its-reliance-on-dns/
    Best Regards,
    Amy

  • RV082 - Slow DNS Resolution

    Greetings Gang,
    Have an RV082 v1.1 FW 1.3.98-tm that has been rock solid for a couple of years and is now, suddenly, experiencing dead crawl DNS resolution.
    No changes in configuration prior to the behavior starting. Tried rebooting the unit, no change in behavior.
    There's an internal DNS server that resolves internal resources, but everything else gets pushed to the RV082.
    I've tried Comcast, Verizon and Google DNS servers at the router level, and the results are the same -- so that rules out the DNS servers themselves.
    Change the DNS servers at the NIC level on a workstation, and resolution occurs quickly and reliably.
    I'm looking to reset to Factory Default and reload the configuration and likely upgrade to FW 2.0.0.19-tm or 2.0.2.01-tm but I do see similar issues reported with those firmwares, and moreover, in a mixed Mac/PC environment.
    Was wondering if anyone else has experienced these issues, could identify a root cause and resolution.
    Thanks,
    Jorge

    Probably just corruption, which can happen every so often.  A couple of years in service rock-solid is really great.
    I experienced similar problems with my rv016s when my ISP changed their backend carrier equipment.  I was never able to fix the issue, so I had to reboot them every 8hrs.
    I wouldn't upgrade unless you HAVE to.  You'll more than likely run into other bugs that break your current configuration, even if it's just a site-to-site VPN (I've been there, done that).
    Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

  • Changes in DNS resolution in Mac OS X Snow Leopard

    Disclaimer: Apple does not necessarily endorse any suggestions, solutions, or third-party software products that may be mentioned in the topic below. Apple encourages you to first seek a solution at Apple Support. The following links are provided as is, with no guarantee of the effectiveness or reliability of the information. Apple does not guarantee that these links will be maintained or functional at any given time. Use the information below at your own discretion.
    There have been two major changes in DNS resolution in Mac OS X Snow Leopard as compared to Mac OS X Leopard and previous releases, and this tip is intended to explain them.
    1) User-specified DNS servers, if any, are now used to the exclusion of all others
    DNS server addresses may be manually-specified by users via the Networking preference pane by selecting the active interface (e.g. AirPort, Ethernet, etc.), then clicking the "Advanced…" button in the lower right hand corner of the window, and selecting the "DNS" tab.
    DNS server addresses may also be provided by a DHCP server.
    In Mac OS X Snow Leopard, if any DNS servers are manually specified, they will be the only DNS servers consulted; any DNS servers specified via DHCP will be ignored.
    This differs from Mac OS X Leopard and previous releases of Mac OS X, as in those releases, if DNS servers were specified manually as well as provided via DHCP, the manually-specified server(s) would be queried first, and if those requests failed, requests would then be sent to any DNS server(s) specified via DHCP.
    This means that in Mac OS X Snow Leopard, if queries to manually-specified DNS servers fail, the request will be considered to have failed and no DHCP-specified DNS server will ever be queried.
    Users may encounter this because at some point a DNS server (which is no longer functioning or reachable) was manually set in a work or other environment and they had forgotten about it since the previous behavior was for failed requests to "fall through" to DHCP-specified servers.
    Because of the change in behavior, those same systems will fail to resolve any DNS requests in Mac OS X Snow Leopard.
    2) mDNSResponder does not honor DNS server ordering
    While not explicitly documented, in Mac OS X versions earlier than Snow Leopard, DNS servers, whether specified manually or via DHCP, were queried in the order they were provided. For manual specification, this means in the order shown in the appropriate Network preferences pane tab, and for DHCP users in the order specified by the DHCP server.
    This is no longer true in Mac OS X Snow Leopard; instead mDNSResponder now seems to occasionally change the order in which it queries DNS servers from that in which they were specified.
    This has caused some users issues when DNS servers are specified in a specific sequence.
    For example, say your network has two DNS servers, a main server at address 192.168.100.1, and a secondary server at 192.168.100.2, which is normally only to be used if the primary DNS server fails as it is slower and/or has a slower link to the Internet.
    If they were specified in that order, past versions of Mac OS X would query them in that order, and unless a failure occurred contacting the primary server, the second server specified would never be contacted.
    In Mac OS X Snow Leopard, under various conditions mDNSResponder will instead decide to route all DNS queries to the second DNS server specified, perhaps as a method of routing DNS queries in a round-robin fashion.
    Nevertheless, this behavior is unexpected to most users, and may cause issues if the previous behavior was expected.
    The only workaround is to realize that Mac OS X Snow Leopard treats all specified DNS servers as being equally capable and to specify DNS servers, either manually or via DHCP, accordingly.
    This is the 1st version of this tip. It was submitted on November 15, 2009 by William Kucharski.

  • Intermittent DNS resolution, timeserver, group policy updates errors in client logs in Win 2012 R2 single server environment

    We recently switched hardware and server software Win SBS 2008 to 2012R2 for a small network roughly 40 clients (Win7 Pro / Win 8.1 Pro) about 16 running concurrently at a given time and one network printer with the printer queue residing on the DC as well.
    I read that a single server environment might not be ideal in particular no fail-over but that is an accepted risk in this particular network here.
    Errors:
    Error 1043: Timeout during name resolution request
    Error 1129: Group policy updates could not be processed due to DC not available
    Error 5719: Could not establish secure connection to DC, DC not available
    Occasionally but disappears after a while
    Error 134: As a result of a DNS resolution timeout could not reach time server
    Symptoms
    On Win 7 Clients
    Network shares added through Group Policy will not show sometimes
    Network shares disconnect (red X) and when accessed return access authorization error after one or two clicks on the share finally grant access again
    When the issue with accessing network shares occurs, it usually also affects Internet access meaning a 'server not responding' error appears in the browser windows when trying to open just any web page
    nslookup during the incident returns cannot resolve error
    ipconfig on client shows correct default router (VDSL Router) and DHCP / DNS Domain Controller
    Also, the Win system log shows the above errors during these incidents, however, the number of incidents vary from 20-30
    On Win 8.1 Clients
    Same as above with the slight variation for network shares apparently due to Server 2012 and Win 8.1 clients managing drive shares differently. However, network share refresh does not work with these clients. In most cases only a gpupdate /force returns drive shares but usually only for the active session. After logoff / logon the shares are gone again.
    The issue does appear to be load related since it occurs even if there are only one or two workstations active.
    Server Configuration
    Dell R320 PowerEdge 16GB / 4TB 7200RPM RAID10 / GBitEthernet
    Zyxel 1910-48 Port Switch
    VDSL 50Mbps Down / 20Mbps Up
    Since the DC is the only local DNS and there are no plans to add another one or move DNS to another server, the DNS server is configured with its own address as preferred DNS with three DNS forwarders 1) VDSL Router 2) ISP DNS1 3) ISP DNS2
    Currently only one Network card is active for problem determination reasons.
    There appears to be no consensus concerning IPV6 enabled or disabled, I tried both with no apparent effect
    I have set all network cards server and client to Full Duplex and the same speed, also disabled Offload functions within the adapter settings. Some but no consistent improvements.
    Best Practice Analyzer Results
    DNS server scavenging not enabled
    Root hint server XYZ must respond to NS queries for the root zone
    More than one forwarding server should be configured (although 3 are configured)
    NIC1 should be configured to use both a preferred and alternate DNS (there is only one DNS in this network)
    I have found some instructions to apply changes to the clients through a host file but I would rather like to understand whether this DNS response time issue can be resolved on the server for example timing setting perhaps. Currently the DNS forwarders are set to 3 seconds.
    Since a few people have reported issues with DNS but most are working with multi DNS, DC environment I could not really apply any suggestions made there. Perhaps there is anyone like me who is running a single server who has overcome or experienced the same issues. Any help would be appreciated

    Hello Milos thx for your reply.. my comments below
    1. What does it "switched"? You may mean migration or new installation. We do not know...
    >> Switched is probably the incorrect term, replaced would be the appropriate wording. Before, there was a HP Proliant Server with SBS 2008 with distinct domain and now there is a Dell Server with MS 2012 R2 with a distinct domain. Clients were removed from one (SBS) domain and added to the new Server 2012 domain. Other components did not change for example same Network Switch or VDSL Router, Workstations and Printer
    2. Two DCs are better alternative. Or backup very frequently. There are two groups of administrators. Those who have lost DC and those who will experience this disaster in near future.
    >> Correct, and I am aware of that
    3. NIC settings in W 7 and W 8.1, namely DNS points to DC (...and NOTHING else. No public IP or that of router DNS.))
    >> Correct, this is how it's currently implemented. Clients point to DC for DHCP and DNS and Default Router, no public IP or DNS. The only references to ISP DNS exist on the VDSL Router itself as provided through ISP when establishing VDSL Link and the list of Forwarders in the DNS Server configuration. However, I have just recently added the ISP's DNS as forwarders for test purposes and will probably learn tomorrow morning whether this had any effect for better or worse.
    4. Do nslookup to RR on clients. RR branch is saying client basic info on LDAP parameters of AD.
    >> Will post as soon as available
    5. I do not use forwarders and the system works
    >> Ok, does this mean it works for you in a similar or the same infrastructure setup or are you saying it is not required at all and I can remove any forwarder in a scenario like mine? If not required can you explain a bit more why it is not required apart from that it does work for you that way?
    6. DHCP should sit on DC (DHCP on router is disabled)
    >> Correct, no other device is configured to provide DHCP service other than DC and DHCP is currently running on DC
    7. NIC settings in DC points to itself (loopback address 127.0.0.1)
    >> Are you sure this is still correct and does apply to Server 2012? I am reading articles stating that it should be the server's own IP but local loop or should this be added as alternate DNS in addition to the server's own IP?
    8. Use IPCONFIG /FLUSHDNS whenever you change DNS settings.
    >> OK, that was not done every time I changed some settings but I can do that next week. Reboot alone would not suffice, correct?
    9. Test your system with dcdiag.
    >> See result below
    10. Share your findings.
    Regards
    Milos
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
      Home Server = GSERVER2
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
    Testing server: Default-First-Site-Name\GSERVER2
          Starting test: Connectivity
             ......................... GSERVER2 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\GSERVER2
          Starting test: Advertising
             ......................... GSERVER2 passed test Advertising
          Starting test: FrsEvent
             ......................... GSERVER2 passed test FrsEvent
          Starting test: DFSREvent
             ......................... GSERVER2 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... GSERVER2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... GSERVER2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... GSERVER2 passed test
             KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... GSERVER2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... GSERVER2 passed test NCSecDesc
          Starting test: NetLogons
             ......................... GSERVER2 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... GSERVER2 passed test
             ObjectsReplicated
          Starting test: Replications
             ......................... GSERVER2 passed test Replications
          Starting test: RidManager
             ......................... GSERVER2 passed test RidManager
          Starting test: Services
             ......................... GSERVER2 passed test Services
          Starting test: SystemLog
             ......................... GSERVER2 passed test SystemLog
          Starting test: VerifyReferences
             ......................... GSERVER2 passed test VerifyReferences  
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : GS2
          Starting test: CheckSDRefDom
             ......................... GS2 passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... GS2 passed test CrossRefValidation  
       Running enterprise tests on : GS2.intra
          Starting test: LocatorCheck
             ......................... GS2.intra passed test LocatorCheck
          Starting test: Intersite
             ......................... GS2.intra passed test Intersite
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    *** gserver2.g2.intra can't find g2: Non-existent domain
    > gserver2
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    g2.intra
            primary name server = gserver2.g2.intra
            responsible mail addr = hostmaster.g2.intra
            serial  = 443
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    > wikipedia.org
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    Non-authoritative answer:
    wikipedia.org   MX preference = 10, mail exchanger = polonium.wikimedia.org
    wikipedia.org   MX preference = 50, mail exchanger = lead.wikimedia.org
    polonium.wikimedia.org  internet address = 208.80.154.90
    polonium.wikimedia.org  AAAA IPv6 address = 2620:0:861:3:208:80:154:90
    lead.wikimedia.org      internet address = 208.80.154.89
    lead.wikimedia.org      AAAA IPv6 address = 2620:0:861:3:208:80:154:89
    Final benchmark results, sorted by nameserver performance:
     (average cached name retrieval speed, fastest to slowest)
      192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      + Cached Name   | 0,001 | 0,002 | 0,003 | 0,001 | 100,0 |
      + Uncached Name | 0,027 | 0,076 | 0,298 | 0,069 | 100,0 |
      + DotCom Lookup | 0,041 | 0,048 | 0,079 | 0,009 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 gserver2.g2.intra
                    Local Network Nameserver
      195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,023 | 0,025 | 0,000 | 100,0 |
      - Uncached Name | 0,025 | 0,071 | 0,274 | 0,065 | 100,0 |
      - DotCom Lookup | 0,039 | 0,040 | 0,043 | 0,001 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns8.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
      195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,023 | 0,026 | 0,001 | 100,0 |
      - Uncached Name | 0,025 | 0,072 | 0,299 | 0,066 | 100,0 |
      - DotCom Lookup | 0,039 | 0,042 | 0,049 | 0,003 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns7.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
        8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,033 | 0,040 | 0,079 | 0,011 | 100,0 |
      - Uncached Name | 0,042 | 0,113 | 0,482 | 0,097 | 100,0 |
      - DotCom Lookup | 0,049 | 0,079 | 0,192 | 0,039 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 google-public-dns-a.google.com
                     GOOGLE - Google Inc.,US
      UTC: 2014-11-03, from 14:33:12 to 14:33:29, for 00:17,648
    15: 40
    192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      + Cached Name   | 0,001 | 0,002 | 0,004 | 0,000 | 100,0 |
      + Uncached Name | 0,025 | 0,074 | 0,266 | 0,063 | 100,0 |
      + DotCom Lookup | 0,042 | 0,048 | 0,075 | 0,007 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 gserver2.g2.intra
                    Local Network Nameserver
      195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
      - Uncached Name | 0,024 | 0,073 | 0,289 | 0,067 | 100,0 |
      - DotCom Lookup | 0,039 | 0,041 | 0,043 | 0,001 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns7.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
      195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
      - Uncached Name | 0,025 | 0,073 | 0,286 | 0,065 | 100,0 |
      - DotCom Lookup | 0,041 | 0,066 | 0,180 | 0,037 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns8.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
        8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,033 | 0,038 | 0,077 | 0,009 | 100,0 |
      - Uncached Name | 0,042 | 0,105 | 0,398 | 0,091 | 100,0 |
      - DotCom Lookup | 0,049 | 0,066 | 0,141 | 0,025 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 google-public-dns-a.google.com
                     GOOGLE - Google Inc.,US
      UTC: 2014-11-03, from 14:39:59 to 14:40:12, for 00:13,363

  • Secondary DNS failing to redirect clients when Primary DNS goes down

    I have a single domain with two Windows 2008 servers, DC1 (physical) and DC2 (virtual).  Both servers run DNS and are GC servers, and the entire domain is on the same subnet (192.168.0.x). 
    All clients on the network are configured to use DC1 as primary DNS, DC2 as secondary DNS. 
    DHCP is enabled only on DC1.  (This might be part of the issue, not sure).
    The problem is that when DC1 goes down for a reboot or repair, we lose access to the internet from our clients.  Trying to pull up any website results in a "Page cannot be displayed" error.  DC2 is available during this time and can be pinged from any client but does not resolve DNS requests, even if I specify it as the primary DNS server on one of my workstations.  However I can log on to DC2 locally and browse the web. 
    Here are the results of a DCdiag /dnsall from DC2 (I bolded areas of concern):
    Directory Server Diagnosis
    Performing initial setup:
       * Connecting to directory service on server DC2.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=mydomain,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=mydomain,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 2 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\DC2
          Starting test: Connectivity
    * Active Directory LDAP Services Check
    Determining IP4 connectivity
    Determining IP6 connectivity
    * Active Directory RPC Services Check
    ......................... DC2 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\DC2
          Test omitted by user request: Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Test omitted by user request: FrsEvent
          Test omitted by user request: DFSREvent
          Test omitted by user request: SysVolCheck
          Test omitted by user request: KccEvent
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: MachineAccount
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: Replications
          Test omitted by user request: RidManager
          Test omitted by user request: Services
          Test omitted by user request: SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyReplicas
          Starting test: DNS
    DNS Tests are running and not hung. Please wait a few minutes...
    See DNS test in enterprise tests section for results
    ......................... DC2 passed test DNS
       Running partition tests on : ForestDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : DomainDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Schema
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Configuration
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : mydomain
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running enterprise tests on : mydomain.com
          Starting test: DNS
    Test results for domain controllers:
     DC: DC2.mydomain.com
    Domain: mydomain.com
    TEST: Authentication (Auth)
    Authentication test: Successfully completed
    TEST: Basic (Basc)
    Microsoft® Windows Server® 2008 Standard (Service Pack level: 2.0) is supported
    NETLOGON service is running
    kdc service is running
    DNSCACHE service is running
                      DNS service is running
    DC is a DNS server
    Network adapters information:
    Adapter [00000006] Intel(R) PRO/1000 MT Network Connection:
    MAC address is 00:0C:29:91:59:68
    IP Address is static
    IP address: 192.168.0.249
    DNS servers:
    192.168.0.105 (DC1.mydomain.com.) [Valid]
    127.0.0.1 (DC2) [Valid]
    The A host record(s) for this DC was found
    Warning: The AAAA record for this DC was not found
    [Error details: 9501 (Type: Win32 - Description: No records found for given DNS query.) - mydomain.com]
                      The SOA record for the Active Directory zone was found
    The Active Directory zone on this DC/DNS server was found primary
    Root zone on this DC/DNS server was not found
    TEST: Forwarders/Root hints (Forw)
    Recursion is enabled
    Forwarders Information:
    192.168.0.105 (DC1.mydomain.com.) [Valid]
    192.168.0.7 (<name unavailable>) [Invalid (unreachable)]
     Error: Forwarders list has invalid forwarder: 192.168.0.7 (<name unavailable>)
    TEST: Delegations (Del)
    Delegation information for the zone: mydomain.com.
    Delegated domain name: _msdcs.mydomain.com.
    DNS server: DC1.mydomain.com. IP:192.168.0.105 [Valid]
    TEST: Dynamic update (Dyn)
    Test record _dcdiag_test_record added successfully in zone mydomain.com
    Test record _dcdiag_test_record deleted successfully in zone mydomain.com
    TEST: Records registration (RReg)
    Network Adapter
    [00000006] Intel(R) PRO/1000 MT Network Connection:
    Matching CNAME record found at DNS server 192.168.0.105:
    a32fcfbd-16bb-4697-a23d-20fc3b8c274c._msdcs.mydomain.com
    Matching A record found at DNS server 192.168.0.105:
    DC2.mydomain.com
    Warning:
    Missing AAAA record at DNS server 192.168.0.105:
    DC2.mydomain.com
    [Error details: 9501 (Type: Win32 - Description: No records found for given DNS query.)]
    Matching  SRV record found at DNS server 192.168.0.105:
    _ldap._tcp.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.105:
    _ldap._tcp.ac09921d-4553-475e-b25c-059742ac0552.domains._msdcs.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.105:
    _kerberos._tcp.dc._msdcs.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.105:
    _ldap._tcp.dc._msdcs.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.105:
    _kerberos._tcp.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.105:
    _kerberos._udp.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.105:
    _kpasswd._tcp.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.105:
    _ldap._tcp.Default-First-Site-Name._sites.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.105:
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.105:
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.105:
    _kerberos._tcp.Default-First-Site-Name._sites.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.105:
    _ldap._tcp.gc._msdcs.mydomain.com
    Matching A record found at DNS server 192.168.0.105:
    gc._msdcs.mydomain.com
    Warning:
    Missing AAAA record at DNS server 192.168.0.105:
    gc._msdcs.mydomain.com
    [Error details: 9501 (Type: Win32 - Description: No records found for given DNS query.)]
    Matching  SRV record found at DNS server 192.168.0.105:
    _gc._tcp.Default-First-Site-Name._sites.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.105:
    _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.mydomain.com
    Matching CNAME record found at DNS server 192.168.0.249:
            a32fcfbd-16bb-4697-a23d-20fc3b8c274c._msdcs.mydomain.com
    Matching A record found at DNS server 192.168.0.249:
    DC2.mydomain.com
    Warning:
    Missing AAAA record at DNS server 192.168.0.249:
    DC2.mydomain.com
    [Error details: 9501 (Type: Win32 - Description: No records found for given DNS query.)]
    Matching  SRV record found at DNS server 192.168.0.249:
    _ldap._tcp.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.249:
    _ldap._tcp.ac09921d-4553-475e-b25c-059742ac0552.domains._msdcs.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.249:
    _kerberos._tcp.dc._msdcs.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.249:
    _ldap._tcp.dc._msdcs.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.249:
    _kerberos._tcp.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.249:
    _kerberos._udp.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.249:
    _kpasswd._tcp.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.249:
    _ldap._tcp.Default-First-Site-Name._sites.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.249:
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.249:
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.249:
    _kerberos._tcp.Default-First-Site-Name._sites.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.249:
    _ldap._tcp.gc._msdcs.mydomain.com
    Matching A record found at DNS server 192.168.0.249:
    gc._msdcs.mydomain.com
    Warning:
    Missing AAAA record at DNS server 192.168.0.249:
    gc._msdcs.mydomain.com
    [Error details: 9501 (Type: Win32 - Description: No records found for given DNS query.)]
    Matching  SRV record found at DNS server 192.168.0.249:
    _gc._tcp.Default-First-Site-Name._sites.mydomain.com
    Matching  SRV record found at DNS server 192.168.0.249:
    _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.mydomain.com
    Warning: Record Registrations not found in some network adapters
    TEST: External name resolution (Ext)
    Internet name www.microsoft.com was resolved successfully
    Summary of test results for DNS servers used by the above domain
    controllers:
    DNS server: 192.168.0.7 (<name unavailable>)
    1 test failure on this DNS server
    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.0.7              
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
    DNS server: 192.168.0.105 (DC1.mydomain.com.)
    All tests passed on this DNS server
    Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
    DNS delegation for the domain  _msdcs.mydomain.com. is operational on IP 192.168.0.105
    DNS server: 192.168.0.249 (DC2)
    All tests passed on this DNS server
    Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
    Summary of DNS test results:
    Auth Basc Forw Del  Dyn  RReg Ext
    Domain: mydomain.com
    DC2                      
    PASS WARN FAIL PASS PASS WARN PASS
    ......................... mydomain.com failed test DNS
          Test omitted by user request: LocatorCheck
          Test omitted by user request: Intersite

    Looks like it may be trying to forward to a machine that's down (DC1 and another 192.168.0.7) and root hints aren't available.
    Check out this article:
    http://technet.microsoft.com/en-us/library/ff807391(v=ws.10).aspx
    See if you can enable DNS access through the firewall to the Internet if it's not already available.  Try to match whatever forwarder settings are on DC1, or remove them entirely and let the server resolve DNS from Internet root servers.  Alternatively, you could change your forwarder to a public DNS server you have access to, your ISP should supply this or you could test with something common like 4.2.2.2.
    SWC Unified Communications

  • Error NtpClient was unable to set a manual peer. DNS resolution error When using IP address.

    Hya,
    We have been migrating to some new DCs. One of the new DCs now has all the master roles; call it DC01.
    When I try to sync/set up NTP on this server as the authoritative NTP in the domain I get:
    NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on '”10.*.*.*,0x1”'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
    I am using the following commands to set NTP up on the server.
    >net stop w32time
    >w32tm /config /syncfromflags:manual /manualpeerlist:"10.*.*.*,0x1"
    >w32tm /config /reliable:yes
    >net start w32time
    Is anyone aware of what the issue could be?
    PS: one of the old DCs can still sync to this site manually if tried.
    cheers Mike

    Hi,
    First make sure your DNS is working properly, then please try this article below:
    Event ID 134 — Manual Time Source Acquisition
    http://technet.microsoft.com/en-us/library/cc756393(v=ws.10).aspx
    Hope this helps.

  • Primary DNS server

    Hello,
    I am trying to set up a local primary DNS server that will resolve local server names but at the same time forward requests that it doesn't have.
    For example, I would like it to resolve our internal web address and still pull up google.com. I put in about ten records and all of those work, but when I try anything else it doesn't work. Can someone help?
    Thanks,
    Jay

    What's different about 10.4.9 in this case?
    10.4.9 update "Addresses slow performance of non-cached DNS queries and provides an update to BIND version 9.3.2."
    You may still prefer to add forwarders but, taking the above at face value, this is no longer necessary for those who do not want to manually edit files.
    Mind you, I have not actually tested the default DNS in 10.4.9, so I cannot confirm that the previous problems do not still occur (but just to a lesser extent).
    -david

  • DNS Resolution in Cisco ASA 5525

    Hey all,
    I will begin by telling you what my end goal is: I am trying to block specific websites on our Cisco ASA 5525 using FQDN. I know that this functionality for DNS resolution was not implemented until a specific version.
    Current Version: Cisco ASA 5525
    ASA Version: 8.6(1)
    I can ping external addresses from the ASA; however, I cannot ping hostnames, e.g. "ping google.ca" does not work.
    What I've done:
    dns domain-lookup inside
    dns domain-lookup outside
    name-server x.x.x.x (Primary internal dns server)
    name-server x.x.x.x (Secondary internal dns server)
    name-server 8.8.8.8 (Google external dns server)
    name-server 8.8.4.4 (Google external dns server)
    domain-name example.com
    With this config I can, however, ping hostnames of internal servers.
    This is an example of me pinging an external hostname.
    ciscoasa# ping google.ca
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:803::101f, timeout is 2 seconds:
    No route to host 2607:f8b0:4009:803::101f
    Success rate is 0 percent (0/1)
    Any ideas?
    Thanks!

    officeasa# ping www.google.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:802::1012, timeout is 2 seconds:
    No route to host 2607:f8b0:4009:802::1012
    Success rate is 0 percent (0/1)
    John, due to the sensitive nature of what is displayed within the show route output, is there any other information I can give you? What exactly did you need to see from this information?
    (I know without certain information you cannot help but I need to ensure security on my end)
    Thanks for understanding.

  • How do I find my Primary DNS with a wireless router?

    My PS3 keeps asking me for my primary DNS, but I can't find it.

    It is optional, but as Duane has suggested you can substitute the OpenDNS DNS server IPs for both the primary & secondary DNS servers. So, for example, you can enter: 208.67.222.222 for the primary and 208.67.220.220 for the secondary instead of x.x.x.1 that you are using now.

  • Domain name/"primary DNS" name/mail host name/mail server name/mx name

    Hi,
    I have registered my domain name (N.com) with an external DNS server and created an MX record (mail.N.com) for it as well. My server sits behind a router and internet traffic is port(80)-forwarded to my server's fixed internal IP address (I can access my webpages from the internet just fine). When I initially set up the server I was asked to give it a "primary DNS name." I naturally assumed that N.com was supposed to be entered here, but that just caused all kinds of problems (though I still do not understand why). So I reinstalled and currently have server.N.com as the primary DNS name of the server (although it shows up in Server Admin and Workgroup Manager as server.local--why is that?).
    I have had no luck getting any email from the internet with the default settings in mail services (domain name of N.com and host name of server.N.com). Having no luck with the defaults, I assumed that maybe I needed to change the host name to "mail.N.com" so that it matched the MX record. I also changed the user preferences in Workgroup Manager to receive mail from mail.N.com--but still no luck. Could someone tell me what I am doing wrong and how come none of the Mail Service literature mentions anything about what a mail "host name" is supposed to be? Is it supposed to be the same as the "Mail Server" name that Workgroup Manager asks each user for? and is it the same as the MX record name?
    I am just needing some help to connect all these variously named, but undefined, dots.
    Also, how come I can access webmail from the internet using www.N.com/webmail but can't do it from any computers within my physical network (I have to use IPaddress/webmail or server.local/webmail)?
    Also, should my user email addresses be [email protected] or [email protected] (which is the current default)?
    Thanks in advance and good luck!
    John

    I had been told by a friend that ... regular email coming in from the internet would go through port 80
    Unfortunately you were misinformed.
    My MX record needs the extra subname (such as "mail") in front of the domain name, right?
    Not at all. An MX record for 'N.com' is entirely valid (expected, in fact).
    An MX record tells remote mail servers where to send mail for any domain/subdomain. If you think about it, let's say you worked for Apple and you wanted people to be able to send email to [email protected], well then you need an MX record for 'apple.com'.
    You can see if you dig MX apple.com that they actually have 9 MX records, but the point still stands.
    Now, you might also have MX records for subdomains so that you can have [email protected], [email protected], [email protected], etc. Each of these subdomains would need a separate MX record.
    So, in general, for any set of email addresses @[anything.]domain.com you have an MX record telling remote mail servers where to send that mail.
    Of course the MX record name is mail.N.com, but I think you are implying that in the Mail settings of Server Admin where it asks for domain name all I need to put there is the N.com, right?
    What I mean is that you need to set the domain name to whatever domain name you expect to receive mail at.
    If you want users to have email addresses in the form of [email protected], then you enter 'N.com'.
    If you want users to have email addresses in the form of [email protected] then you enter 'mail.N.com'.
    If you want both forms, enter one in the main domain and add the other(s) in the Advanced -> Hosting -> Local Host Aliases section.
    Is there anything in the Mail settings that needs to have the full MX record name (mail.N.com)?
    Yes. Either the 'domain name' or the 'Local Host Aliases' needs to contain the same thing as your MX record. That's because the MX record tells remote servers to send mail to this machine, but the machine won't accept the mail unless it is configured to do so.
    What is the "host name" supposed to be?
    This should be the name that remote servers see when this machine tries to send outgoing mail.
    Ideally this should match the reverse DNS of your IP address; that way, when it connects to a remote server it says "Hi, I'm $hostname" and the remote server can look up the machine's IP address and see the same result. This will reduce the problem of remote servers thinking you're sending them spam.
    If you only have a single IP address then this probably needs to be something like 'N.com'. If you don't have control over your reverse DNS then you're going to run into a problem.
    Also in the user accounts (in Workgroup Manager) what should the "mail server name" be? Is it the host name or the domain name?
    Off hand, I don't know.
    Also, why are all the default user email addresses [email protected] (the name I gave the server at setup)? Why don't the user accounts create [email protected] as the default address?
    Presumably because the mail server says it is 'server.N.com' and therefore any accounts on that machine would be [email protected]. Changing the domain name (as above) should fix that.

  • 10.6.4 Server on Mini Server - DNS Problems - Slow, EDNS log messages

    Like a few other people here, I'm having a hard time getting DNS to work smoothly on my new Mac Mini Server, now running Snow Leopard Server 10.6.4. I'd been running Leopard Server on a previous machine with much smoother DNS (though the Server Admin config didn't work, that's another story).
    Resolution takes a very, very long time and eventually I'll get messages in the log saying 'success resolving 'xxxxxx' after reducing the advertised EDNS UDP packet size to 512 octets'.
    I've searched everywhere and there seem to be two reasons why this is happening:
    1. The DNS server is stopping responding on TCP, and is only responding on UDP;
    2. Some other portion of my network (maybe the router) doesn't like UDP packets bigger than 512 octets.
    For the first - is there any way I can fix this within OS X Server? There is no problem in the network since the router itself (running Linux) can resolve via TCP (using the forwarder addresses that are set up in my OS X Server config) instantly, and any clients that I switch from using the internal OS X Server (for DNS resolution) to use an external resolver work immediately too. I'm not sure why the daemon on OS X Server stops listening on TCP port 53 and only accepts UDP - and then only forwards on queries via EDNS via UDP - which is where I seem to have a problem.
    Secondly - can I disable EDNS somehow and just do plain old DNS?
    Some of the threads point to routers that don't like UDP packets over 512 octets, some point to firewalls and adaptive code that closes off ports when an app tries too many times, etc. I've opened ALL firewalls - turned off the OS X Server firewall, turned off the SPI firewall in the router (it's a Netgear DG834 with the DGTeam custom firmware), and I'm as far as I can go without buying a new router.
    If the only answer is 'OS X Server needs a better router' then I'd appreciate what router I should buy - this situation is becoming untenable since the DNS resolution performance of my entire network is unpredictable, and I don't want to have to reboot the Server on a regular basis when there are loads of clients and their home directories sitting on it, since OS X Client gets twitchy when your home folder vanishes off the network…
    I'm happy hacking config files - but can't seem to see anything in the DNS config that would allow me to either turn off EDNS or restrict the packet size to 512 octets (there's a comment in the config file that the directive is ignored for this one, fat lot of help that is). As to why the server itself stops listening to TCP port 53…. I have no idea and I can't find a solution with a search.
    So in the absence of solutions - can anyone help me with a workaround? The only 'answered' question in this domain was 'answered' with the OP finding a workaround in their router firmware that changed the DNS cache packet size. I can't find anything like this in my router config, so I can't use this workaround. Are there any workarounds I can apply to my OS X Server, that don't rely on my router?
    Yes, I know the router isn't that special, but it's a small business network. Advice on an upgrade would be welcome but doesn't solve the problem for me now. I'm based in the UK; if anyone also in the UK can recommend a suitable small-business NAT router I can use then I'd find that helpful, but I don't want to be told to purchase an enterprise-class router, turn off NAT and be recommended a store in the USA, as it won't be that helpful.
    Ideally there'd be a way to tweak the DNS server on OS X to not bother with EDNS, or to stick to 512 octet sized packets (can I do this globally for all UDP from my server?), or to keep working on TCP…
    Anyone know? The machine hosts client homes internally and serves mail, web and DNS externally. It's not a high-traffic system and it sits at the end of a business-grade ADSL line. I'm not being DoS'd - this behaviour seems random as to when it strikes. I try to restart the named daemon on the server when it strikes, but I need to be on the network to make that happen….
    Solutions appear to be out, but I'd really appreciate a workaround. Many thanks in advance!

    Hi Rob,
    Not much of a Mac person myself; however, this support matrix might help:
    http://www.adobe.com/products/coldfusion/coldfusion7/pdfs/cfmx7_systemsupportmatrix.pdf
    Seeing you're getting a few Java errors, perhaps the JVM in CF7 1.4.2_09 is too early for Mac OS 10.6.4?
    HTH, Carl.
