Forwarding Requests Other Than Local To Another Server

crossrider (Member, joined Jun 14, 2010, 5 messages)
Hi everybody,

I've recently set up Server 2008 R2 as the PDC of an AD. Everything went well so far, but there is one problem I could not solve yet: In the clients' network settings I've entered the IP of the local 2008 R2 server as preferred DNS server. In the alternative DNS server field I've entered the IP of router that connects to the internet.

What happens now is that whenever I try to connect to another client or even the server through its domain name, say "s2008.home.tld", the request apparently is handled by the router's DNS server (which forwards to the ISP's DNS server), which obviously returns an "unknown address - no website is configured to this address" answer (the local domain is identical to a toplevel domain I registered).

When I remove the alternative DNS entry from the clients, domain name resolution works fine inside the local network. However, I'm getting another problem: When I try to access external pages, such as youtube or whatever, the connection is extremely slow. In addition, some contents like videos or flash won't play at all. I've read, yet not quite understood, several articles saying that the local DNS server tries to resolve the external address in a complicated manner which subsequently leads to low speeds.

Now this is my question: How can I speed up the name resolution? Is there a setting/a rule for the server to immediately forward all requests that do not concern the local domain directly to the router's DNS server? I've read something about settings in the forward lookup zone but I'm not quite sure how it works.

Any suggestions are appreciated! Thank you
 
This Microsoft KB has some info about DNS in Win2008, including how to add forwarders.

If you don't have a forwarder specified, then your DNS will contact the root servers for name resolution. You should set your forwarder to your ISP's DNS server, though you can also set it to other public DNS servers if your ISP isn't reliable. It isn't usually helpful to help

The clients should only be using the secondary DNS server if the first server is unavailable, i.e. it fails to respond to a query. So you may be having some other problem with your DNS server. Using the nslookup command from the command line can help find problems. When you have problems, run it on both the DNS server and on the client workstation. You should get the same results on both. It will tell you what server you are using by default and whether you connected successfully to it. You can then do lookups from the command line. You can also change the DNS server you are checking against.
 
Hi Matt,

thank you very much for your answer.

As to the forwarder: Where do I set the forwarder? In the properties of the domain in the DNS snap-in? I just took a look and there is already an entry pointing towards the router/local gateway (the way I wanted it to be if the forwarder is set in the right place?)

I've checked the DNS event log of the server again, but it doesn't seem that any errors have occurred recently. There is just some information about invalid packets coming from somewhere on the web, but just once a day or so. The log is rather empty.

Anyway I think you could be right about me having some other issue with the name resolution. When I type nslookup on the command line, my own PC (one of the clients) returns:

nslookup
DNS request timed out.
timeout was 2 seconds.
Standardserver: UnKnown
Address: 192.168.1.11

The timeout is bad, but at least it returns the correct IP of the server (192.168.1.11)

Whereas when I execute nslookup on the server it returns:

nslookup
Standardserver: localhost
Address: 127.0.0.1

However, if I try to look up other devices in the LAN from my client PC it seems to work correctly. For example, if I execute nslookup typing "wlan" in order to resolve the name of the WLAN access point the command line returns

nslookup > wlan
Server: UnKnown
Address: 192.168.1.11

Name: wlan.domain.tld
Address: 192.168.1.5

Can you see where I can adjust my configuration or are the responses I am getting normal? As you said, I should be getting the same results on both client and server, which is not the case, however.
 
It's okay that the server is showing 127.0.0.1 local host. That's essentially the same as it showing its own 192.168. address. The clients should be reporting the FQDN of your dns server there, though it is not necessarily fatal to dns. The timeout and unknown server name may simply be because reverse ip lookup is failing. Do you have a reverse lookup zone in your DNS? Is your server's IP in that zone?
The timeout isn't pretty, but as long as it is resolving names to ip addresses, then it is probably working properly. Did you try to resolve some internet names from nslookup, like www.google.com, etc?

Also, on your forwarder, I would set it to the IP of your ISP's DNS servers. It'll work the way you have it, but it's just another layer of relaying that has to occur for each lookup.
 
Yeah I know that 127.0.0.1 is the address of localhost. Still I'm wondering why clients won't show me the FQDN even though they know its IP.

I don't have a reverse lookup zone in my DNS. I thought it wasn't necessary for a small network. Or is there any big advantage to setting up a reverse lookup zone, i.e. would it improve name resolution? As far as I can remember, the wizard didn't require a reverse lookup zone to be set up, so I just left it the way it was.

I just did some lookups of internet names. Both on the server and the client it gives me the following results:

nslookup > google.com
Server: localhost (+ "UnKnown" on the client)
Address: 127.0.0.1 (+ 192.168.1.11 on the client)

Non authorizing response (I've translated this from German but I guess you know how it reads in English):
Name: google.com
Addresses: 74.125.87.105
74.125.87.103
74.125.87.99

and so on...

While this seems to work, I've just discovered something very weird:

When I do lookups of local computers, say server1.domain.tld and client2.domain.tld, on both machines (server and client) the names are resolved without any problem.

However, when I try to ping the same machines, I get responses that are different from each other:

On the server, ping works correctly, so if I enter server2.domain.tld the name is resolved correctly and i get the responses from the IPs they've been assigned in the LAN

On the client, ping doesn't work correctly: When I request the same names as above, ping will answer with responses from the server where my domain is hosted. Apparently it resolves the names using another DNS server, since it responds with an external IP (81.28.232.71).

I really can't see why the client is doing this if everything else works fine. Do you have any further suggestions? It seems that the clients are not contacting the DNS server they are supposed to contact.

**Edit**: I've just discovered that the server has also started resolving the wrong names when doing pings inside the LAN. So it is probably not only a client problem. What is even more awkward is that sometimes it works, and sometimes it doesn't.
 
Yes, you don't have to have the reverse zone, but one minor side effect is that you won't get the fqdn on your clients with your nslookup requests. Not a big deal.

Just to be safe, try running DCDIAG from a command line on the server. There are a few basic DNS tests that it runs. Check that it passes them.

In your forward lookup zone, under your domain name, are all of your computers showing up there with their IP addresses? Is the Start of Authority record pointing to your server name? Same for the NS record in there?
 
Hi Matt,

thanks for the hint with dcdiag. Unfortunately, there is nothing that points to the behaviour I've been experiencing. The only error detected is this one: the server does not pass the test NCSecDesc. The error is: NT-Authority\Domain Controller of Organisation does not possess Replicating Directory Changes In Filtered Set access rights for the name context: DC=ForestDnsZones,DC=domain,DC=tld

However, it seems that this is connected to the Read Only Domain Controller Feature.

As to the forward lookup zone, I can confirm that all my computers are listed with their correct IP addresses. The server is listed twice, with one entry for each IP. I hope it is no problem to have both NICs connected to the LAN? I'm using the second NIC for the virtual machines that are running on Hyper-V. Also, the SOA and NS records are in there and pointing to the server.

Before I set up this Server 2008 R2, I had a Server 2003 running for about two years, which showed the same symptoms of sometimes resolving names correctly and sometimes not. Therefore the problem is not new, but it has started bothering me only recently when I began setting up several virtual machines.

Since the error occurs only sporadically I'm really wondering what causes it since the environment has been the same for several years now. Can you imagine anything else causing this error? It is so strange that name resolution won't even work reliably on the server itself (as I had reported earlier). Can there maybe be any superfluous entries that interfere with the DNS? I've seen a gray _msdcs folder in the forward lookup zone and was wondering what it was doing there.

**Edit**

I just saw that in the client's event log an event ID 1014 (DNS Client Events) appears every time I start the machine. It says: timeout resolving the name 168.192.in-addr.arpa, after none of the configured DNS servers has responded.

Again, this is translated from German, but I hope you understand the content.

Another idea has come to my mind: Couldn't I simply uninstall the DNS role from the server and reinstall it right afterwards? Maybe this would clean up any inconsistencies that cause the errors I'm having. Or is it impossible to uninstall DNS with AD already running?
 
If you installed DNS when you installed Active Directory, and you used the default options, then you now have an Active Directory Integrated DNS. Active Directory will not work without DNS and removing your only DNS server could severely damage your domain. Do not uninstall DNS.

The _msdcs folder is very important for your domain. When your clients start up they need to know what machine is the domain controller, where to get kerberos tickets and other domain-related information. They get it from the msdcs folder. So if your DNS is not always working, I wouldn't be surprised if you had slow logins and possible other issues.

Having two NICs on the same subnet can cause some problems. It would be worthwhile to temporarily disable the one you use for your VMs and see if your DNS performance changes.

The fact that you've had this problem for a while and with a previous server makes me think that there may be some other network or configuration problem.

Could you perhaps post an "ipconfig /all" from one of your clients?
 
Hi Matt,

sorry for the delay in answering your last post, but I was on a short trip this weekend and only came back this morning.

I already suspected that reinstalling DNS with AD already running was a bad idea, so I'm glad I didn't try.

The _msdcs folder I was talking about is kind of strange as I have two of them. One is situated directly under the forward lookup zone node, thus on the same level as the domain. Another one, however, with a grey icon instead of a yellow one, is located under the domain node and contains a Nameserver entry pointing to my server. I'll try and make it clear with a graph:

S2008
|- Forward Lookup Zones
   |- _msdcs.domain.tld
   |- domain.tld
      |- _msdcs (grey icon)

This is kind of weird, and I didn't notice the existence of a similar folder on my old Server 2003.

Surprisingly, I'm never experiencing slow logins or similar issues. Rather, logins work very fast and apart from not being able to access a computer through its domain name I have never had any other issues.

I will try and deactivate the second NIC in the next few days, but I suspect this won't change anything since I had these issues already before, when my old server only had one NIC.

Well, meanwhile I also got to the point that there could be some other network problem that I'm not aware of. I've posted a copy of the ipconfig command taken from the client I'm using, which is showing irregularities in name resolution just like the other clients.

I'm sorry I could only post it in German. If it's too difficult for you to decipher the meaning of the log then let me know and I will try and provide an English log from a VM I will set up for this purpose.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Users\admin>ipconfig /all

Windows-IP-Konfiguration

Hostname . . . . . . . . . . . . : Admin-PC
Primäres DNS-Suffix . . . . . . . : domain.tld
Knotentyp . . . . . . . . . . . . : Hybrid
IP-Routing aktiviert . . . . . . : Nein
WINS-Proxy aktiviert . . . . . . : Nein
DNS-Suffixsuchliste . . . . . . . : domain.tld

Ethernet-Adapter LAN-Verbindung:

Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physikalische Adresse . . . . . . : 00-1D-92-34-4F-3B
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Verbindungslokale IPv6-Adresse . : fe80::9ea:c2cf:b375:87aa%11(Bevorzugt)
IPv4-Adresse . . . . . . . . . . : 192.168.1.20(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 192.168.1.1
DHCPv6-IAID . . . . . . . . . . . : 234888594
DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-12-98-46-15-00-1D-92-34-4F-3

DNS-Server . . . . . . . . . . . : 192.168.1.11
192.168.1.1
Primärer WINS-Server. . . . . . . : 192.168.1.11
NetBIOS über TCP/IP . . . . . . . : Aktiviert

Tunneladapter LAN-Verbindung* 2:

Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja

Tunneladapter isatap.{100B2501-2378-47F5-AC80-05E1AC7346A8}:

Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter #2
Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Verbindungslokale IPv6-Adresse . : fe80::5efe:192.168.1.20%15(Bevorzugt)
Standardgateway . . . . . . . . . :
DNS-Server . . . . . . . . . . . : 192.168.1.11
192.168.1.1
NetBIOS über TCP/IP . . . . . . . : Deaktiviert

C:\Users\admin>
 
The two _msdcs folders are normal. No need to worry there. Your ipconfig looks okay, too. If you don't need to use the IPv6, I would consider disabling it. Sometimes that can cause network performance issues. Also, there is a possibility that your ISP has got something odd going on with their DNS servers. It would also be worth a try to set your forwarder to a public DNS server, like 4.2.2.1, to see if that affects your resolution speed for internet addresses. Normally, your ISP's servers should be faster since they are closer, but sometimes it's good to try a third party.

Once you get your internal DNS working well, I would remove the secondary DNS server from the workstation. In a domain, you usually don't want the clients using an external DNS unless it is more important to have internet access than to access domain resources.
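The checks discussed in this thread (query each configured DNS server separately for internal names, flag a client that lists a non-domain DNS server, and confirm the forwarder on the DNS server), written up as an added PowerShell diagnostic that is not from the thread. It assumes PowerShell 3.0+ with the DnsClient module (Windows 8 / Server 2012 or later, not the stock PowerShell 2.0 on a 2008 R2 box), that internal names live under domain.tld, and that the LAN is 192.168.1.0/24 as in the ipconfig output above; the hostnames are constructed.

```powershell
# Added diagnostic, not from the thread. Assumptions: DnsClient module available,
# internal zone domain.tld, LAN prefix 192.168.1. (taken from the ipconfig output above).
param(
    [string[]]$InternalNames = @('s2008.domain.tld', 'client2.domain.tld'),  # constructed
    [string]$LanPrefix = '192.168.1.'
)

# 1. Which DNS servers is this client actually configured to use (all IPv4 adapters)?
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses } | Select-Object -Unique

foreach ($srv in $servers) {
    # A domain member should only list DNS servers that host the AD zone.
    if ($srv -notlike "$LanPrefix*") {
        Write-Warning "DNS server $srv is outside the LAN; a domain client should not list it."
    }
    foreach ($name in $InternalNames) {
        # 2. Ask each configured server directly, bypassing the client cache and hosts file,
        #    so the answers can be compared server by server (the nslookup-on-both idea).
        try {
            $answers = Resolve-DnsName -Name $name -Type A -Server $srv -DnsOnly -NoHostsFile -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }
        } catch {
            Write-Warning ("{0}: no answer from {1} ({2})" -f $name, $srv, $_.Exception.Message)
            continue
        }
        foreach ($a in $answers) {
            if ($a.IPAddress -like "$LanPrefix*") {
                "{0,-28} via {1,-14} -> {2}  (internal, OK)" -f $name, $srv, $a.IPAddress
            } else {
                # The symptom from the thread: an internal hostname answered with a public
                # address, i.e. the query was served outside the AD zone (router/ISP resolver).
                Write-Warning ("{0} via {1} -> {2}: internal name resolved to a non-LAN address" -f $name, $srv, $a.IPAddress)
            }
        }
    }
}

# 3. When run on the DNS server itself (DnsServer module, Server 2012+): confirm forwarders
#    are set so non-local queries go to the chosen upstream instead of the root servers.
if (Get-Command Get-DnsServerForwarder -ErrorAction SilentlyContinue) {
    Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress |
        ForEach-Object { "Forwarder: $($_.IPAddressToString)" }
}
```

Run it on a client and on the DNS server and compare: a warning in step 2 for the router's address reproduces the behaviour described in the thread, and removing that secondary server from the client is the fix the last reply recommends.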
 