Troubleshooting DNS
We're running Sun Solaris 8 on our DNS servers with bind 9.1.5
We are experiencing intermittent DNS issues where our users are reporting intermittent problems with name resolution. They're telling me that in some cases the name lookups seem to stop responding.
I'm new to troubleshooting this type of problem. I too have noticed that there is a problem because I had to restart named on 2 of our 4 DNS servers just this morning.
Before I spend too much more time going through the logs, can anyone tell me which logs give me the information that can start me down a logical path of troubleshooting these issues? We've got logs in /var/log called biglog, dsmerror, and messages. Then there's logs in /var/log/named called named.crit, named.debug, named.info, and queries.
In addition to the logs, there's snoop port 53, which gives me info that doesn't seem to appear in any of the other logs.
The big question is where do I start down this path?
Thanks in advance, Penny
The purpose of setting up a VLAN is to group certain network devices and only allow these devices to communicate with each other. Only computers or devices which are members of that VLAN will be able to communicate successfully. Because the workstation is on a different VLAN from that of the DNS/DHCP or RRAS server, it is possible that this is the reason why they can't communicate. Maybe try adding that DNS/DHCP or RRAS server to the VLAN of the workstation as well and see if it will work.
Other than this, I suggest contacting Cisco Tech support to further look into your concern. I believe this unit belongs to the business series devices that Cisco is now supporting. Try to go to this link for the other business series devices and the site where you can get hold of Cisco for support:
http://www.cisco.com/web/products/linksys/index.html
Forum FAQ: How to troubleshoot DNS Event 5504 error
Symptom
A DNS server may frequently record the Event ID 5504 error in the event log:
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
User: N/A
Computer: Computer_name
Description: The DNS server encountered an invalid domain name in a packet from IP_Address .
The packet is rejected.
Cause
Event ID 5504 is logged when a DNS Server receives a packet containing an invalid domain name. There are many possible causes.
1. The DNS cache becomes corrupt with invalid domain names.
2. The DNS Server receives a spoofed response.
3. The DNS response contains domain names with characters other than 0-9, a-z, A-Z, . (Period), and - (Hyphen).
4. The DNS Server has been configured with invalid forwarders.
5. The network the DNS server resides on is busy or not working properly.
Resolution
The following are general troubleshooting steps for this issue:
1. Secure the DNS cache against pollution.
a) Open DNS Management snap-in and then open the Properties dialog for the DNS server.
b) Click the Advanced tab, check the Secure Cache against Pollution option, and then click OK.
c) After enabling this setting, right-click the applicable DNS server and select Clear Cache, then restart the DNS Server service.
2. Verify that the forwarder list on the DNS server is pointing to recursive DNS servers. To view the forwarders, please perform the following steps:
a) Open DNS Management snap-in and then open the Properties dialog for the DNS server.
b) Click the Forwarders tab to view the existing forwarders.
3. Some third party DNS servers may be using records of a type that aren’t supported by Windows DNS servers, such as the DNAME resource record.
920162 Event 5504 is logged when a Windows Server 2003-based DNS server receives a packet that contains a DNAME resource record
http://support.microsoft.com/default.aspx?scid=kb;EN-US;920162
4. Another example where DNS will produce the Event ID 5504 error is when Extended DNS (EDNS) packets are received but the server that is attempting to resolve the EDNS traffic doesn’t support EDNS or have it enabled. An easy workaround is to disable EDNS.
dnscmd /Config /EnableEDnsProbes 0
More Information
Troubleshooting DNS
http://technet2.microsoft.com/WindowsServer/en/library/de2aa69d-1155-4dc9-a651-e8362f6a81c81033.mspx?mfr=true
DNS Best Practices
http://technet2.microsoft.com/WindowsServer/en/library/59d7a747-48dc-42cc-8986-c73db47398a21033.mspx?mfr=true
Applies to
Windows Server® 2003 operating system
Windows Server® 2008 operating system
Windows Server® 2008 R2 operating system
I'm not sure whether this is the appropriate place to add this but - a (possible) cause that I have seen which is not mentioned above is a request for an AAAA record (IPv6 address) being responded to with an A record (IPv4 address).
DNS debug logging (Windows 2008 R2 SP1) captured requests to 192.225.156.200 and the corresponding responses. In each case the response was followed in the debug log by the event “The DNS server encountered an invalid domain name in a packet from 192.225.156.200. The packet will be rejected. The event data contains the DNS packet.”
The domain name in the response was the same as that in the query, and looks OK.
The logged query shows an AAAA record (IPv6 address) request and the logged response returned an A record (IPv4 address).
http://www.rfc-editor.org/rfc/rfc4074.txt “Common Misbehavior Against DNS Queries for IPv6 Addresses” says, under “Expected Behavior”:
Suppose that an authoritative server has an A RR but has no AAAA RR
for a host name. Then, the server should return a response to a
query for an AAAA RR of the name with the response code (RCODE) being
0 (indicating no error) and with an empty answer section (see
Sections 4.3.2 and 6.2.4 of [1]). Such a response indicates that
there is at least one RR of a different type than AAAA for the
queried name, and the stub resolver can then look for A RRs.
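As an added example, not code from either poster: a small Python parser that decodes a DNS response in wire format and applies two checks this thread discusses, the hostname character set the FAQ lists under cause 3 and the RFC 4074 expected behaviour for an AAAA query that comes back with an A record in the answer. The messages it checks are constructed inline by build_message(), so it runs offline.

```python
"""Parse a DNS response in wire format and apply two checks from this thread:
the hostname character set the FAQ lists (0-9, a-z, A-Z, '.', '-') and the
RFC 4074 rule that an AAAA query for a name that has only A records must get
RCODE 0 with an empty answer section, never an A record in the answer.
All messages here are constructed in build_message(); nothing is captured."""
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
HOSTNAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (labels, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # RFC 1035 4.1.4 pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                      # caller resumes here
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:                             # pointer loop guard
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("latin-1"))
        offset += length
    return labels, (end if jumped else offset)


def parse_response(msg):
    """Return rcode, question name/type and the RR types in the answer section."""
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    offset = 12
    labels, offset = read_name(msg, offset)
    qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    answer_types = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlength                       # skip fixed part + RDATA
        answer_types.append(rtype)
    return {"rcode": flags & 0x0F, "qname": ".".join(labels),
            "qtype": qtype, "answer_types": answer_types}


def invalid_labels(name):
    """Labels using characters outside the set the Event 5504 FAQ lists."""
    return [label for label in name.split(".") if not set(label) <= HOSTNAME_CHARS]


def check_response(msg):
    """Return findings for a response; an empty list means it passed both checks."""
    parsed = parse_response(msg)
    findings = []
    bad = invalid_labels(parsed["qname"])
    if bad:
        findings.append(f"invalid characters in labels {bad}")
    # RFC 4074: an A RR in the answer to an AAAA query is misbehaviour; the
    # expected response is RCODE 0 with an empty answer (or a CNAME chain).
    if parsed["qtype"] == QTYPE_AAAA and QTYPE_A in parsed["answer_types"]:
        findings.append("AAAA query answered with an A record (RFC 4074 violation)")
    return findings


def build_message(qname, qtype, rcode=0, answer_types=()):
    """Construct a minimal response for demonstration (not real traffic)."""
    def encode(name):
        return b"".join(bytes([len(l)]) + l.encode("latin-1")
                        for l in name.split(".")) + b"\x00"
    # flags 0x8180: QR=1, RD=1, RA=1; the low nibble carries the RCODE
    header = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answer_types), 0, 0)
    question = encode(qname) + struct.pack("!HH", qtype, 1)
    answers = b""
    for rtype in answer_types:
        rdata = bytes([10, 0, 0, 1]) if rtype == QTYPE_A else b"\x00" * 16
        # 0xC00C: compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + answers


if __name__ == "__main__":
    samples = {
        "AAAA answered with A": build_message("www.example.com", QTYPE_AAAA, answer_types=(QTYPE_A,)),
        "AAAA, empty answer": build_message("www.example.com", QTYPE_AAAA),
        "underscore in label": build_message("bad_host.example.com", QTYPE_A, answer_types=(QTYPE_A,)),
    }
    for title, msg in samples.items():
        print(title, "->", check_response(msg) or "ok")
```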
DNS cache "Name does not exist"
Hey Guys,
So we've been experiencing a really weird issue related to the DNS for past couple of months. Here are the details:
1) Our domain machines are Windows 7 Enterprise and their DNS points to Windows DNS Servers
2) For companyxyz.net internal sites, the Windows DNS resolves those from its
companyxyz.net zone.
3) For public *.companyxyz.com records, the Windows DNS has conditional forwarders to point these requests to our Linux BIND servers, and then the authoritative name servers respond to these queries accordingly.
4) Our internal employees use the public records such as testing.companyxyz.com
Problems:
1) Employees on the internal network would randomly experience page not found on their browsers while trying to hit
testing.companyxyz.com. When we try to ping this URL, ping would fail too. However, NSLOOKUP would work perfectly fine and return the correct results. ipconfig /flushdns fixes the issue right away
2) During the time when this problem is occurring, if I look into the local cache ( ipconfig /displaydns), I find an entry saying:
testing.companyxyz.com
Name does not exist.
ipconfig /flushdns obviously clears out this record along with the other local cached records and fixes the issue.
3) Pointing the local computers directly to the Linux BIND servers as DNS never creates this issue. It's only when they are pointing to the Windows DNS and going to this public record. The problem also seems to occur a lot more frequently if there is a considerably high number of hits to this URL.
Have you guys experienced this issue before? I am looking for a fix for this issue that doesn't require the end users to flush their DNS constantly. Also note this problem occurs sometimes once a day, or 2-3 times a week. It's very random.
Thanks.
Bilal
Hi,
It seems that the issue is related to your Windows 7 client. Consider whether there is a DNS attack or virus on this computer.
Please try to do the safety scan first.
Please monitor the DNS server performance referring to these articles:
Monitoring DNS server performance
http://technet.microsoft.com/en-us/library/cc778608(WS.10).aspx
Monitoring and Troubleshooting DNS
http://www.tech-faq.com/monitoring-and-troubleshooting-dns.html
For the next step, we need to capture the traffic by using Network Monitor when the issue happens while we continuously ping testing.companyxyz.com.
Microsoft Network Monitor 3.4
http://www.microsoft.com/en-us/download/details.aspx?id=4865
Let’s see whether the DNS request happened and whether the DNS request was handled.
You can post back the saved traffic log here for our further research.
Kate Li
TechNet Community Support
Cisco Pix 501 / DNS - DNS resolution stops working over time
Hello,
I currently have a Cisco Pix 501 with the configuration listed below. It connects to the public internet via a cable modem and acts as a DHCP server for the local LAN.
When it first turns on, all computers obtain the correct IP settings and can access the internet. Within 10-15 minutes, computers begin to lose access to the Internet. What’s strange is that each computer that lost Internet access can ping the remote address but cannot perform an nslookup (it shows as Server UnKnown).
The DNS server is 167.206.254.2 which is the external dns server provided by my ISP. I can ping this address but the local computer is unable to use it for domain to ip resolution.
The network used to have an existing Windows Small Business Server that was a DNS and WINS server. I ran dcpromo to remove the role of the server and uninstalled DNS via add/remove components.
Can someone please help me determine why the computers over time lose the ability to resolve domain names and therefore lose internet access? Can there be some bad DNS entries created? Is there anything I can run on the local computers to further troubleshoot DNS errors? Is it possible that the existing Windows SBS server is still running DNS and therefore causing conflicts in some way?
One thing to note is that when I reset the Pix 501, everything begins to work again but only for a short time until one by one each computer can no longer resolve domain names. Also, I noticed that once someone connects via VPN and disconnects, one of the local computers loses the ability to resolve DNS.
Cisco Pix Config
PIX# show config
: Saved
: Written by enable_15 at 08:55:56.390 UTC Fri Mar 15 2013
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password chiuzjKkSD33lwEw encrypted
passwd chiuzjKkSD33lwEw encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list VPNGROUP_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.128
access-list outside_cryptomap_dyn_30 permit ip any 192.168.3.0 255.255.255.128
access-list ping_acl permit icmp any any
pager lines 24
logging timestamp
logging monitor debugging
logging buffered debugging
logging history debugging
logging queue 0
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.3.2-192.168.3.100 mask 255.255.255.0
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm logging informational 512
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
access-group ping_acl in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ACS protocol tacacs+
aaa-server ACS max-failed-attempts 3
aaa-server ACS deadtime 10
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto dynamic-map VPNMAP 30 match address outside_cryptomap_dyn_30
crypto dynamic-map VPNMAP 30 set transform-set ESP-3DES-MD5
crypto map MYMAP 10 ipsec-isakmp dynamic VPNMAP
crypto map MYMAP client authentication LOCAL
crypto map MYMAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup VPNGRP idle-time 1800
vpngroup VPNGROUP address-pool VPN
vpngroup VPNGROUP dns-server 167.206.254.2
vpngroup VPNGROUP wins-server 192.168.2.50
vpngroup VPNGROUP default-domain advancedarthritiscarecenter.local
vpngroup VPNGROUP split-tunnel VPNGROUP_splitTunnelAcl
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd dns 167.206.254.2 167.206.254.2
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd enable inside
username admin password pO9NW1GJpm4IIIFK encrypted privilege 15
username andrew password A340D92MQ0zV0hGs encrypted privilege 15
terminal width 80
Cryptochecksum:aacfb7d8ae07a6075baf8656a724fbec
Wow... I didn't realize this was possible. I will certainly check the logs tomorrow via the existing thread but just to confirm, is this only true if DHCP is enabled on PIX?
In other words, I managed to work around this issue by applying static IPs to all computers and the internet works just fine.
Hi All,
We are in a process of migrating to a new ISP.
With the new ISP, we have no options but double NAT (one in Cisco router and one in Firewall).
In the test environment for the new ISP (double NAT), a desktop behind the firewall getting a dynamic IP address (which includes DNS server 192.168.0.3) took too long to resolve an external web site, but when I changed the DNS IP address to 8.8.8.8 it resolved quickly as normal.
In the current live production environment everything works as expected.
Any help/ idea would be appreciated.
Cheers
I would agree with Christopher.
You can also make sure that your DNS servers do not have public DNS IPs set in their IP settings. Instead, public DNS IPs should be set as forwarders. Also, make sure that you use your ISP DNS servers instead of other public DNS servers for external DNS resolution.
For troubleshooting DNS lookups, you can use NSlookup with debug mode for more details. I have started a Wiki about that here: http://social.technet.microsoft.com/wiki/contents/articles/29184.nslookup-for-beginners.aspx
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
Ok so I just purchased the E4200 and upgraded to .03 (newest firmware) and noticed every time the router reboots my computer (wired client) would say limited or no internet access for some time after the router has stopped blinking. When I try to open Chrome and go to google.com I get a DNS error. If I then try to go to another website like say bing.com it works and then google.com works. Mind this whole time Nslookup works and when I can't seem to access google.com from my wired connection my iPod can connect to it wirelessly. Normal or is everyone else experiencing that? I also suppose if I wait some time while it says limited or no connectivity it will work and switch to internet access.
DNS is one of the most essential services on any Windows network. Active Directory can’t function without DNS, and it is also used by any number of other network functions. So it’s critical to troubleshoot DNS problems as fast as possible. So you can try to reduce the LAN card speed. Here are the steps:
START--> right-click My Network Places and click Properties
right-click on the device and click properties
Click on the CONFIGURE button
Select the ADVANCED tab and the settings you can alter are listed on the left.
If the issue still persists, here is the link which may help you in resolving the concern: http://www.techrepublic.com/blog/10things/10-tips-for-troubleshooting-dns-problems/1964
Issue on Service Ports for outgoing connection
Hi,
My question is regarding my desktop Mac making an outgoing connection to an external IP address 184.84.124.244 using TCP protocol, destination port 443, but using 40 service ports between 49170 and 49217. This is an automatic outgoing connection by OS X 10.7.3 (I assumed, as I did not make that connection). Why did such a connection require 40 ports to be opened at the same time? Anyone have any idea what might have caused that? Thanks.
There could be lots of outgoing connections when you fire up Safari, as an example, because by default it has many favourites that are RSS feeds. You could have added some new ones yourself.
How do I find out if those connections stay up indefinitely?
By the way just curious, how did you look up the IP address as who they are?
If you are "Terminal aware" there are some commands that can help you in this direction
host
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, host prints a short summary of its command line arguments and options.
netstat
show network status
whois
The whois utility looks up records in the databases maintained by several Network Information Centers (NICs).
nslookup
query Internet name servers interactively
dig
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.
just to name a few.
netstat in particular lets you know which connections are going on between your computer and the rest of the world, and their relative status.
Windows server 2008 R2 stuck at applying computer settings
Hello all:
I have seen other posts with this same problem, but none of them apply to my situation.
I have a set of virtual servers, mounted over vSphere 5.5 running on XenApp, all basically with the same configuration, except for the hosted applications; however I only have problems with some of those servers.
I have tried:
placing the servers on an empty OU -- no change
removing the native VMware network driver and installing Intel drivers -- no change
creating the registry key HKLM\SYSTEM\CurrentControlSet\Services\HTTP\DependOnService (value CRYPTSVC) -- no change
running winsock on the affected servers -- worked... after a week the same situation is present.
I tried changing the DNS server order -- worked
I then tried to bring the DNS servers back to the established order, and the servers were able to boot properly.
At this point I'm out of ideas!
Sorry, I meant R2!
If I understand well, by tweaking the IP Settings DNS configuration, you were able to fix the problem.
I would recommend that you use the IP settings I recommended here: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
As for the member servers / computers, make sure that they point only to internal DNS servers for DNS resolution. To troubleshoot DNS resolution, you can use NSlookup with debug mode: http://social.technet.microsoft.com/wiki/contents/articles/29184.nslookup-for-beginners.aspx
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
Safari Stalls on SOME pages - loading ads?
I moved an Intel Mini from an Airport network to an ethernet connection on the same network. Safari now has issues loading SOME but not all web pages. One page with a problem is www.macrumors.com - the content on the page loads but Safari stalls, apparently trying to load all the ads.
The stall makes it impossible to use Safari, and needs to be "force quit".
Other ethernet-connected Macs have no issues.
I've done the usual troubleshooting; DNS, disabling DNS prefetching, etc. but nothing seems to resolve the issue.
I have tried all of these solutions and find that at times nothing resolves the problem with Safari stalling except for switching from wi-fi to another connection method. This is happening on different networks (routers) and is resolved if I disable wi-fi and connect via another means. My 6 year old OS-X on a 11 yr. MacBook Pro never has any issues and is ALWAYS 3 times faster than the new Safari runs on a much more powerful machine running on the same wi-fi network. Wish I could switch back to the older Safari.
Here is my story:
When Yosemite came out I installed it (and have applied all available patches) on my MacBook Pro, MacBook Air and 2 iPhones and now I'm having a problem with Safari stalling at the 25% load progress point in webpage download at a fairly high frequency. YOSEMITE REALLY ***** -- need to now figure out how to get MAVERICKS installed.
Meanwhile, I have another MacBook Pro - 11 yr. old with 6 yr. old Safari and it is rock solid reliable and on average it's 3 times faster in loading (when compared to YOSEMITE when it's working, that is). As a result, I had to download another browser and as you would expect, I am not having these problems with another browser.
Avoid YOSEMITE if you care an ounce about having a reliable Safari browser.
Thanks for wasting my time Apple -- now I've got hours and hours of trying to reload 4 devices with MAVERICKS.
I believe the issue has to do with using Safari via a Wi-Fi connection, as when I turn off Wi-Fi on the iPhones the problem seems to be resolved. Unfortunately it's not an easy option to disable Wi-Fi on the MacBook Pro/Air as it wouldn't be much fun to connect up with an ethernet cable. It's not the Wi-Fi connection itself as it happens on all routers in multiple locations and the 11 yr. old MB running 6 yr. old Safari doesn't have the same problem.
Portlet Preferences Gateway Issue
I have a custom portlet, I am setting 2 custom preferences:
PortletResponse.SetSettingValue(SettingType.Admin, "URL", TextBox1.Text);
PortletResponse.SetSettingValue(SettingType.Admin, "Count", TextBox2.Text);
These settings basically set the URL and Site Count for a List. I have built this using the Plumtree EDK and .NET. I have a remote server, i.e. not in the same domain as the corporate portal server. The preferences work great; the portlets render fine, everything is wonderful. When I place the code on our Production environment, the initial preference page loads with the gateway, but during postback where I am setting the preferences above, I get a Gateway exception error. When I look at the URL of the preferences I do indeed see a 'Local' non-gatewayed server in the URL. (When I use a server not on our domain the preferences are gatewayed.) Has anyone run into this before? I haven't seen it, bugging me!
Hi Terry,
I can ping the server with no problem when using the ip address, I can not do it using server name.
Generally, it seems to be a DNS issue. In the current situation, please run SBS BPA and check if it finds some related issues. Then, please use the Nslookup tool to troubleshoot DNS problems. Meanwhile, please run DCDIAG /TEST:DNS to validate DNS health. In addition, would you please let me know how you configured DNS?
How To Install and Configure DNS Server in Windows Server 2003
Please also open Event Viewer and check if you can find some events or errors. Those may help us to analyze further.
If anything I misunderstand or any update, please don’t hesitate to let me know.
Hope this helps.
Best regards,
Justin Gu
I am trying to set up Leopard Server in advanced mode on an Intel Mac Pro. I think I have the DNS set up right, and I have web service turned on. I already had a domain name purchased from godaddy.com that was linked to my website on MobileMe. Circumstances arose that now I need my own server and I can't for the life of me get the domain name I have from godaddy linked to my server. Anyone have any thoughts of something that I have set up wrong? I have provided more information below. I have tried for over two weeks now on my own, thinking I could get it to work, but now I'm asking for some help.
FYI: i'm working out of the Mac OS X Server Essentials Second Edition training book.
dns settings
xxx.xxx.x.xx reverse mapping
xxx.xxx.x.x2 reverse mapping
domain.com
www alias server1.domain.com
server1 machine xxx.xxx.x.xx
client1 machine xxx.xxx.x.x2
It is completely impossible for anyone to troubleshoot DNS issues without knowing the domain in question. There are just too many possibilities.
Please post the domain name, then you might get some results.
I have set up my Time Capsule so that a couple of friends with Macs have their own user accounts which they can access over the Internet using afp. No problem there, it works very well. However both of them also have read/write access to the main shared area (same name as the TC hard drive). I'd like them to only have read access to this but cannot work out a way of doing it which doesn't also only give them read access to their own share. Any clues?
Hi,
How is it going? Can you ping the domain names of both domain controllers from your client? I agree with Santhosh that something may go wrong with your DNS configuration. In order to better troubleshoot the issue, as also mentioned by Santhosh, you may provide us the ipconfig /all results from your troubled client and both DCs.
In addition, regarding troubleshooting DNS issues, the following article can be referred to for more information.
Troubleshooting DNS
http://technet.microsoft.com/en-us/library/cc753041.aspx
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen
[Forum FAQ] DNS Dynamic Update Troubleshooting Guide
As we all know, the DNS Client service and DNS Server service support dynamic updates. With dynamic updates, a DNS client computer is allowed to dynamically register and update its resource records based on its fully qualified domain name by default. However, in some scenarios, we may find that the DNS records are not updated.
To analyze this issue clearly, this kind of issue is divided into two parts in this article:
Non-AD integrated zone with DHCP and DNS unintegrated
AD-integrated zone with DHCP and DNS Integrated
Next, we begin to troubleshoot this issue from the above two classes separately.
Non-AD integrated zone with DHCP and DNS unintegrated
1. Check if Dynamic Updates is enabled or not
If you have encountered this kind of issue, first check whether dynamic updates are enabled on the DNS server. You can right-click the domain in the Forward Lookup Zones, then select Properties. In the dialog, click the General tab and choose Nonsecure and secure in the Dynamic updates box, then click OK. Please refer to Figure 1 and Figure 2.
Figure 1: Check DNS Server Settings-1
Figure 2: Check DNS Server Settings-2
2. Check DNS Suffix
Besides, since all computers register records based on their fully qualified domain name, and the fully qualified domain name is the primary DNS suffix of a computer appended to its computer name, we also need to check the DNS panel of the Advanced TCP/IP settings in TCP/IP properties.
As in Figure 3, if Register this connection's address in DNS is selected and Use this connection's DNS suffix in DNS registration is not selected, this default configuration causes the client to request that the client register the Host resource record and the server register the PTR resource record. In these scenarios, please make sure the primary DNS suffix portion of a computer's FQDN is the same as the name of the Active Directory domain to which the computer is joined.
Figure 3: Check DNS Client settings-1
You can run “ipconfig/all” at the command prompt to check the Primary DNS suffix. From Figure 4, we can see that the Primary DNS suffix is blank.
Figure 4: Check DNS Client settings-2
To set the Primary DNS suffix, you can follow the steps below (Figure 5):
Right-click My computer and then click Properties.
In the System Properties dialog, click the Computer Name tab and then click Change….
In the Computer Name Changes panel, click More…, then type the domain name into Primary DNS suffix of this computer and click OK.
Figure 5: Set the Primary DNS Suffix
After setting the primary DNS suffix, we can see that the Primary DNS suffix is demo.com in Figure 6.
Figure 6: Primary DNS Suffix-demo.com
If both Register this connection's address in DNS and Use this connection's DNS suffix in DNS registration are selected, you need to check the primary DNS suffix and the connection-specific DNS suffix at the same time and make sure that the connection-specific domain name of this connection is the DNS suffix for this connection appended to the computer name. In the picture above, we can see that the Primary DNS suffix and Connection-specific DNS suffix are the same.
AD-integrated zone with DHCP and DNS Integrated
In some cases, this issue may happen when the DNS zone is AD-integrated and the DHCP server is configured to register and update the A resource records and PTR records on behalf of the DHCP-enabled clients.
1. Check if secure dynamic updates is enabled or not
As everyone knows, DNS update security is available only for zones that are integrated into Active Directory Domain Services (we can see the difference between Figure 7 and Figure 2). Since secure dynamic updates can prevent unauthorized computers from overwriting existing names in DNS, we generally recommend using only secure dynamic updates for AD-integrated zones.
For an AD-integrated zone, we can first check whether secure dynamic updates are enabled on the DNS server. You can right-click the domain in the Forward Lookup Zones, then select Properties. In the dialog, click the General tab and choose Secure only in the Dynamic updates box, then click OK. Please refer to Figure 7.
Figure 7: Check DNS Server Settings-2
2. Check the DNS configuration and options settings on DHCP server
We need to make sure that the DHCP server is configured to register and to update client information with its configured DNS servers. You can check by right-clicking IPv4 under your domain and choosing DNS in IPv4 properties.
By default, Enable DNS dynamic updates according to the settings below and Dynamically update DNS A and PTR records only if requested by the DHCP clients are checked. You can also select Always dynamically update DNS A and PTR records so that the DHCP server always registers and updates client information with its configured DNS servers. (Figure 8)
Figure 8: DHCP Server Settings
In addition, you need to check that the configuration 006 DNS server option in DHCP option is correct.
You can check that by clicking
Server Options in DHCP console. If the setting is incorrect, you can right-click the option and then choose
Properties, then you can remove the wrong DNS server and add a correct one. (Figure 9)
Figure 9: Check DHCP Options
3. Check whether the DHCP server is a member of the DnsUpdateProxy security group
Furthermore, because the DHCP server becomes the owner of a name when it performs a secure dynamic update on that name, only that DHCP server can update the name afterwards. If that DHCP server fails, other DHCP servers, even when online, have no right to update the client's record because they are not the owner of the client name.
To solve this, add the DHCP server to the DnsUpdateProxy security group in AD. Follow the steps below: (Figure 10 and Figure 11)
Open ADUC and click Computers under your domain.
Right-click your DHCP server and select Add to a group.
Enter DnsUpdateProxy in the object name box and click OK.
Figure 10: Add DHCP Server to the DnsUpdateProxy security group – 1
Figure 11: Add DHCP Server to the DnsUpdateProxy security group – 2
After that, the DHCP server (in this demo, the DHCP server is W2K12R2) is a member of the DnsUpdateProxy group. (Figure 12)
Figure 12: DHCP server is a member of the DnsUpdateProxy group
4. Check the Credentials configuration for DNS update
Furthermore, if a domain controller is running on the same host as the DHCP server and secure dynamic DNS update has been configured, you need to configure Credentials for DNS update. Open the DHCP console tree, right-click IPv4 and then click Properties. In the IPv4 Properties dialog, click Advanced, click Credentials, type the credentials that the DHCP server supplies when registering names using DNS dynamic updates, and then click OK. (Figure 13)
Figure 13: Configure DNS dynamic update credentials
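The four checks above can also be made from PowerShell instead of the consoles. The following is an added example, not code from the Forum FAQ or from Microsoft; it assumes Windows Server 2012 R2 or later with the DnsServer, DhcpServer and ActiveDirectory modules installed, domain administrator rights, and placeholder values for the zone name, the DNS server name and the expected option 006 addresses (W2K12R2 is the DHCP host name the FAQ's demo uses).

```powershell
# Added example (not from the Forum FAQ): PowerShell versions of checks 1-4.
# Assumes Windows Server 2012 R2+ RSAT modules and domain admin rights.
Import-Module DnsServer, DhcpServer, ActiveDirectory

$ZoneName       = 'contoso.example'      # placeholder: the AD-integrated zone
$DnsServerName  = 'dc1.contoso.example'  # placeholder: a DC hosting the zone
$DhcpServerName = 'W2K12R2'              # the DHCP host named in the FAQ demo
$ExpectedDns    = @('10.0.0.10')         # placeholder: DNS servers clients should get

# 1. Secure dynamic updates: 'Secure' is only offered for AD-integrated zones.
$zone = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServerName
if (-not $zone.IsDsIntegrated) {
    Write-Warning "$ZoneName is not AD-integrated; secure updates are unavailable."
} elseif ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "$ZoneName allows '$($zone.DynamicUpdate)' updates; switching to Secure."
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure -ComputerName $DnsServerName
}

# 2. DHCP server DNS registration settings and the 006 DNS Servers option.
#    'OnClientRequest' is the default shown in Figure 8; 'Always' makes the DHCP
#    server register A and PTR records for every lease it hands out.
$dnsSetting = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServerName
if ($dnsSetting.DynamicUpdates -eq 'Never') {
    Write-Warning 'DHCP server does not register clients in DNS; enabling Always.'
    Set-DhcpServerv4DnsSetting -ComputerName $DhcpServerName -DynamicUpdates Always
}
$opt6 = Get-DhcpServerv4OptionValue -ComputerName $DhcpServerName -OptionId 6 -ErrorAction SilentlyContinue
if (-not $opt6 -or (Compare-Object $opt6.Value $ExpectedDns)) {
    Write-Warning "Server option 006 is missing or wrong: $($opt6.Value -join ', ')"
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServerName -DnsServer $ExpectedDns
}

# 3. DnsUpdateProxy membership, so another DHCP server can update records that
#    this one registered.  Compare SIDs as strings to avoid object-identity issues.
$dhcpComputer = Get-ADComputer -Identity $DhcpServerName
$memberSids   = (Get-ADGroupMember -Identity 'DnsUpdateProxy').SID.Value
if ($memberSids -notcontains $dhcpComputer.SID.Value) {
    Write-Warning "$DhcpServerName is not in DnsUpdateProxy; adding it."
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $dhcpComputer
}

# 4. Credentials for DNS update, required when DHCP runs on a domain controller
#    (Win32_ComputerSystem.DomainRole 4 or 5).  Use a dedicated domain user with
#    no other privileges; it becomes the owner of the records DHCP registers.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $DhcpServerName).DomainRole
$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServerName
if ($role -ge 4 -and [string]::IsNullOrEmpty($cred.UserName)) {
    Write-Warning 'DHCP runs on a DC but has no DNS update credential; configuring one.'
    Set-DhcpServerDnsCredential -ComputerName $DhcpServerName `
        -Credential (Get-Credential -Message 'Account the DHCP server uses for DNS updates')
}
```

Membership in DnsUpdateProxy on its own leaves the records a DHCP server registers without an owner-specific ACL, which is why the credential account from check 4 belongs alongside it: with a credential configured, that account (not the DHCP server's computer account) becomes the record owner, and every DHCP server configured with the same account can update the records.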
More information:
DHCP, Dynamic DNS Updates , Scavenging, static entries & timestamps, the DnsUpdateProxy Group, and DHCP Name Protection (Published by Ace Fekay, MVP)
http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx
Integrating DHCP with DNS
http://technet.microsoft.com/en-us/library/cc771732.aspx
Using DNS servers with DHCP
http://technet.microsoft.com/en-us/library/cc787034(v=ws.10).aspx
How to configure DNS dynamic updates
http://support.microsoft.com/kb/816592/en-us
Keyword: Dynamic Update, Troubleshooting
-
I have created one STATIC DNS Entry, for example "ROSE", and
1. Open the DNS snap-in.
2. Right-click the individual record (ROSE) and open the Properties dialog.
3. Uncheck the Delete this record when it becomes stale option and click OK.
For the moment the time stamp will show as BLANK.
Then I logged in to server "ROSE" and restarted the DHCP Client Service on the server or restarted the server; the time stamp is automatically set to the current date and the "DELETE THIS RECORD WHEN IT BECOMES STALE" check box is also selected automatically, and the record gets deleted after a week or so when scavenging runs.
Is there any way to avoid the static entries becoming dynamic automatically?
Domain Controller or DNS OS is Windows Server 2003 R2 Standard Edition SP2
Thanks & Regards
Dinesh Cholekkavil
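As an added example (not part of Dinesh's post or any reply to it), the following PowerShell lists the A records of a zone and shows which carry a timestamp (aging, and therefore eligible for scavenging) and which have none (static), alongside the zone's aging intervals. It assumes the DnsServer module, which exists on Windows Server 2012 and later RSAT (the Windows Server 2003 R2 hosts in the post would need dnscmd instead); $ZoneName and $DnsServerName are placeholders.

```powershell
# Added example (not from the thread): show static vs. aging records in a zone.
# Assumes the DnsServer module (Windows Server 2012+); names are placeholders.
Import-Module DnsServer

$ZoneName      = 'contoso.example'      # placeholder: the zone to inspect
$DnsServerName = 'dc1.contoso.example'  # placeholder: a DNS server hosting it

# Zone aging settings: a record with a timestamp is scavenged once it is older
# than NoRefreshInterval + RefreshInterval and nothing has refreshed it.
$aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServerName
'Aging enabled: {0}; no-refresh {1}; refresh {2}' -f `
    $aging.AgingEnabled, $aging.NoRefreshInterval, $aging.RefreshInterval

Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -ComputerName $DnsServerName |
    ForEach-Object {
        # No timestamp means the record is static and is never scavenged.  A
        # timestamp corresponds to the "Delete this record when it becomes
        # stale" box being checked in the DNS console.
        $kind = if ($_.Timestamp) { 'aging ' } else { 'static' }
        '{0} {1,-20} {2,-15} {3}' -f $kind, $_.HostName, $_.RecordData.IPv4Address, $_.Timestamp
    }
```

Running this before and after a client's DHCP Client service restarts makes the change the post describes visible: the host's record moves from the static list to the aging list as soon as a dynamic update writes a timestamp onto it.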
-
DNS request behind content switch: troubleshooting
Hi, sometimes we experience problems resolving a DNS name behind a content switch. The problem solves itself after 5 minutes or so. We see the DNS request on the DNS servers' subnet. It looks like there is a problem when the packet returns. I'm thinking of a NAT problem. How can I best troubleshoot this?
Can I e-mail you the config file? I will also e-mail a network capture in front of the CSS as soon as possible. Where can I e-mail it? For the moment DNS is working, so I will have to wait for a network capture until it fails again.
Kind regards,
Frederik De Muyter
[email protected]
-
I have to analyze a sniffer capture for a problem with DNS replies that are not working correctly.
Can somebody recommend a document that can help me interpret this trace?
best regards
Lorenzo
Hi Lorenzo
The RFC documents are the best references available about DNS and almost anything else related to the Internet.
RFC 1034 covers basic DNS concepts and the protocol's inner workings. It can be found here:
http://www.zytrax.com/books/dns/apd/rfc1034.txt
Sometimes the RFC documents are somewhat difficult to read, so I would suggest you first grab a copy of a TCP/IP book (Comer's Internetworking with TCP/IP, Stevens' TCP/IP Illustrated, etc.) and then return to the RFC documents if something is missing from the book.
http://www.amazon.com/exec/obidos/tg/detail/-/0130183806/qid=1127234181/sr=8-2/ref=pd_bbs_2/002-5754392-4094454?v=glance&s=books&n=507846
Regards.