
DNS Issue on DC2003

  • 10-01-2011 3:22pm
    #1
    Registered Users Posts: 94 ✭✭


    Hi all,

    I'm running two servers, both 2003 R2 one is a

    (A) File and Print server 192.168.1.100
    (B) AD, DNS, DHCP 192.168.1.2

    Gateway is 192.168.1.1

    Server A is also a backup DNS server.


    We had a power cut over xmas and I have been having issues with DNS ever since.

    Server A is fine. It's pointing to itself for DNS, and I can ping loopback, gateway, external.

    Server B is the problem. This is the primary DNS server on our network, and is having connectivity issues. Cannot ping the gateway, or anything external, but can ping internal machines. Recursive queries are failing in tests, and nslookup is saying "Can't find server name for address 192.168.1.2".


    I have tried opendns to get out, but no luck. Can anyone suggest some troubleshooting steps to get this sorted?


Comments

  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    Basics.

    On both servers do "Ipconfig /all" and post back here.

    On Server B. Check what the DNS Forwarders are

    Are you sure the DNS Service is switched on?


  • Registered Users Posts: 94 ✭✭joe2687


    Server A:
    Windows IP Configuration
    Host Name . . . . . . . . . . . . : moatebs1
    Primary Dns Suffix . . . . . . . : MBC.IT
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : MBC.IT
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
    Physical Address. . . . . . . . . : 00-0D-60-16-C1-39
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.100
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.2


    Server B:
    Windows IP Configuration
    Host Name . . . . . . . . . . . . : moatebs2
    Primary Dns Suffix . . . . . . . : MBC.IT
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : MBC.IT
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . : mbc.it
    Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
    Physical Address. . . . . . . . . : 00-30-48-B8-34-B9
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.2
    192.168.1.1


    Forwarders are set to: All other DNS zones. DNS service is running.

    I believe I may have found the root of this issue. I suspect that another machine or an external laptop has the same static IP as the server. When I logged on this morning, I got an IP address conflict message at logon screen. As I have 200 nodes and about 30 external laptops I fear it's going to be a long day...


  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    Yeah that could be it all right..

    You could always try and do a "ping -a x.x.x.x" and see if you get lucky.
    Failing that check your switches for the 192.168.1.1 IP which should help to narrow it down to at least the right switch. If you find two ports with the same IP, kick one off. Sooner or later someone will ring the helpdesk to ask why?
    Also, because this is a new problem, just look for the last people to enter the building site; they most likely are the culprit.

    I noticed as well that your second DNS server is the same as your gateway..192.168.1.1. Is your gateway also giving out DNS settings?

    While you are at it. Add the Eircom/BT/Smart/OpenDNS (Choose your ISP) into your forwarders list and check simple \ recursive queries against it.


  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    Just thinking.
    You could probably go on to your gateway and get the MAC address of whatever laptop is using the server IP. Then you should be able to narrow down your search.

    You could also clear the table of that address, get your own server to sync to it so the laptop would have the problem and not your server..


  • Registered Users Posts: 94 ✭✭joe2687


    Just thinking.
    You could probably go on to your gateway and get the MAC address of whatever laptop is using the server IP. Then you should be able to narrow down your search.

    You could also clear the table of that address, get your own server to sync to it so the laptop would have the problem and not your server..


    How would I go about that exactly? I took server B off the network and tried to ping 192.168.1.2 from Server A, if another machine was static with that IP should it not have replied? Also, server B reboot took about 45 mins, stuck on 'preparing network connections'..


  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    Also, server B reboot took about 45 mins, stuck on 'preparing network connections'..

    Yeah, that's not good. Sounds like DNS trying to connect to your gateway.

    Remove the Gateway address from your DNS address and add some forwarders as above. Only have the .2 address and/or 127.0.0.1


  • Registered Users Posts: 94 ✭✭joe2687


    Remove the Gateway address from your DNS address and add some forwarders as above. Only have the .2 address and/or 127.0.0.1

    OK, I have that done.. You said about going to my gateway to find the MAC of someone using the .2 address.. How would I go about this?


  • Registered Users Posts: 1,158 ✭✭✭Enigma IE


    I would suggest checking the arp tables on your switches, check the relevant Help or Admin guide for your particular switch for how to do it.

    Look for the duplicate IP address, if you find it, disable the switch port that the rogue server/laptop is connected to.


  • Registered Users Posts: 94 ✭✭joe2687


    How do you check arp tables for a specific switch? I have run it from the server, that's it... If I could find the MAC address of the machine that's causing the trouble, I could filter it that way.


  • Registered Users Posts: 1,158 ✭✭✭Enigma IE


    joe2687 wrote: »
    How do you check arp tables for a specific switch? I have run it from the server, that's it... If I could find the MAC address of the machine that's causing the trouble, I could filter it that way.

    You need access to your switch, preferably via command line or web interface (browser).

    Then to check the arp table, you need to check 'how' via the Help or Admin guide. On Cisco switches, it's simply:

    sh arp (from the command line)

    Gives you something like this. If you see duplicates, using the mac address, you should be able to track down exactly what switch port the rogue machine / mac-address is connected to.

    Protocol  Address     Age (min)  Hardware Addr   Type  Interface
    Internet  10.20.2.29  5          0011.0ac1.a1b2  ARPA  Vlan1
    Internet  10.20.2.29  9          000e.7fe3.b2a1  ARPA  Vlan1

    Identify your switch type, gain access to it, or someone who has access to it. Identify your duplicate IP addresses, mac-addresses. Disable the switch port that the rogue machine is connected to.
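
The check Enigma IE describes (one IP address showing up against two MAC addresses) can be automated. This is an added example, not part of any post in the thread: it goes a little further than the Cisco case and also reads Windows `arp -a` captures, so dumps taken from several PCs or at different times can be compared where the switches are unmanaged. The function names, the Windows captures and the second MAC for 192.168.1.2 are constructed for illustration; Server B's MAC is the one from its ipconfig output.

```python
import re
from collections import defaultdict

# Cisco "show arp" row:  Internet  10.20.2.29  5  0011.0ac1.a1b2  ARPA  Vlan1
CISCO = re.compile(r"^\s*Internet\s+(\d+(?:\.\d+){3})\s+\S+\s+"
                   r"([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})(?:\s|$)")
# Windows "arp -a" row:  192.168.1.2   00-30-48-b8-34-b9   dynamic
WINDOWS = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+"
                     r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})(?:\s|$)")

def normalise_mac(mac):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff whatever the input style."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """Yield (ip, mac) pairs from Cisco 'show arp' or Windows 'arp -a' output."""
    for line in text.splitlines():
        m = CISCO.match(line) or WINDOWS.match(line)
        if m:
            yield m.group(1), normalise_mac(m.group(2))

def find_conflicts(snapshots, known=None):
    """Map each IP seen with more than one MAC to its unexpected MACs.

    snapshots: ARP table dumps (strings) from any hosts or points in time.
    known: optional {ip: mac} of legitimate owners; the owner's MAC is
           dropped from the result so only the rogue MAC(s) remain.
    """
    known = {ip: normalise_mac(mac) for ip, mac in (known or {}).items()}
    seen = defaultdict(set)
    for dump in snapshots:
        for ip, mac in parse_arp(dump):
            seen[ip].add(mac)
    return {ip: sorted(macs - {known.get(ip)})
            for ip, macs in seen.items() if len(macs) > 1}

# Constructed sample data. The Cisco rows are the ones quoted in the thread;
# both "arp -a" captures and the second MAC for 192.168.1.2 are made up.
SWITCH = """\
Protocol  Address     Age (min)  Hardware Addr   Type  Interface
Internet  10.20.2.29  5          0011.0ac1.a1b2  ARPA  Vlan1
Internet  10.20.2.29  9          000e.7fe3.b2a1  ARPA  Vlan1
"""
PC_MONDAY = ("  192.168.1.1   00-11-22-33-44-55   dynamic\n"
             "  192.168.1.2   00-30-48-b8-34-b9   dynamic\n")
PC_TUESDAY = "  192.168.1.2   02-00-00-aa-bb-cc   dynamic\n"
SERVERS = {"192.168.1.2": "00-30-48-B8-34-B9"}  # Server B, from ipconfig /all

def demo():
    return find_conflicts([SWITCH, PC_MONDAY, PC_TUESDAY], known=SERVERS)
```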


  • Registered Users Posts: 94 ✭✭joe2687


    Enigma IE wrote: »
    You need access to your switch, preferably via command line or web interface (browser).

    OK that makes sense, when you say access to the switch do you mean plug directly into a certain switch? We run 3com baseline 2024 switches in here so I will check the specific command for them.


    Sorry if these seem like silly questions, I just don't have that much experience investigating these type of network problems.


  • Registered Users Posts: 1,158 ✭✭✭Enigma IE


    joe2687 wrote: »
    OK that makes sense, when you say access to the switch do you mean plug directly into a certain switch? We run 3com baseline 2024 switches in here so I will check the specific command for them.


    Sorry if these seem like silly questions, I just don't have that much experience investigating these type of network problems.

    They're not silly questions if you don't know the answer. You don't need to physically plug into it, you just need to be able to remote control the switch. Managed switches typically have IP addresses assigned to them. You can therefore connect to the switch using either the CLI (command line interface) or web browser e.g. http://switchIPaddress.

    Good luck.


  • Registered Users Posts: 94 ✭✭joe2687


    They are unmanaged switches, which means they can't be logged onto to view network statistics etc.

    I have gone around 200 machines, and all laptops, and none have a static IP. This is bugging me indeed.


  • Registered Users Posts: 94 ✭✭joe2687


    Server B is up and functioning. Ripped down the DNS and re-installed. For sh*ts and giggles, I enabled the 2nd onboard network card and switched to that one, everything working fine... Still have an IP address conflict, but would a conflict between 2 client machines show up at login on the server??


  • Registered Users Posts: 1,158 ✭✭✭Enigma IE


    joe2687 wrote: »
    Server B is up and functioning. Ripped down the DNS and re-installed. For sh*ts and giggles, I enabled the 2nd onboard network card and switched to that one, everything working fine... Still have an IP address conflict, but would a conflict between 2 client machines show up at login on the server??

    If two clients have duplicate IPs, it may show up in the EventViewer in the domain controller, not at the server console. If you're getting a conflict message at the server console, this tells me another device has same IP address as your server, in that case, you will still need to track down the rogue machine somehow.


  • Registered Users Posts: 94 ✭✭joe2687


    Enigma IE wrote: »
    If you're getting a conflict message at the server console, this tells me another device has same IP address as your server, in that case, you will still need to track down the rogue machine somehow.

    That's what I was thinking... It's just finding it now!! Lots of people come here with laptops (I work in a college) so I'm thinking maybe somebody got a laptop for xmas, and had it set up in their home with a static IP and it's the same as our server...

    Might be a plan to move the IP range onto something a little more exclusive, like 192.168.155.x, less chance of complications like this. I was very surprised the server came back up to be honest when I switched the network card, I thought if a network card was bust then it wouldn't allow any ping/comms through it.. One to remember!


  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    You could always change the IP address of the server to a high number like x.245 the chances of someone having that number would be a lot slimmer than x.1 or .2 etc

    Doesn't solve the problem but it might be a workaround


  • Registered Users Posts: 376 ✭✭IrishB.ie


    joe2687 wrote: »
    I have gone around 200 machines, and all laptops, and none have a static IP. This is bugging me indeed.

    Check the address pool on the DHCP server. Also whatever IP you use on your servers, make sure they are excluded from the DHCP scope.


  • Registered Users Posts: 94 ✭✭joe2687


    I went through the address pool on the DHCP server before I went around the machines, eliminated a few by that, unfortunately there was no proper naming convention for PCs before I came here, so a lot of them are defaults (ADMIN-PC) etc..


    IrishB.ie wrote: »
    Also whatever IP you use on your servers, make sure they are excluded from the DHCP scope.

    Scope is from .25 - .254, excluding .100 for server A, I suppose changing the IP address to something high and adding an exclusion in the scope would eliminate the duplicate IP problem, would be less work than changing the whole range, but things are kind of messy here to be honest, maybe I should look at this as an opportunity to wipe the slate and do it my way..

    Thanks for the input today everyone, much appreciated.


  • Registered Users Posts: 7,606 ✭✭✭Jumpy


    192.168 is not good to use in an office environment.

    You are always recommended to use a range in 172.16.0.0/12 or 10.0.0.0/8 (if you are that large)

    The first will give you over 1 million addresses. It will also not conflict with anyone plugging a default POS home router into your network.

    Most standard home routers will give out 192.168 addresses.


  • Registered Users Posts: 94 ✭✭joe2687


    Yeah I generally use the 10. range.. I've inherited this network, and the setup is a little outdated. I plan to upgrade to 2008 once I get everything working OK. I hear it's a bumpy ride though...


  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    I never really upgrade servers, just move the services to new machines. I find it helps to keep things under control because you know exactly how you built the new machines and what you had to do to get that service running. We also run new servers in parallel with the old ones to make sure we don't lose anything.

    On the ip range, I would agree use this time to change the DHCP range to 172.16.0.0/12 or 10.0.0.0/8.

    If you send out an email today for everyone to switch off their PC at the weekend, then you can make the changes Friday evening\Saturday and once staff reboot on Monday they will pick up the new range without any fuss.

    If you only have two servers I would do it in a heartbeat. You should also give yourself more IPs to play with. Set your range 10.0.1.20 to 10.0.1.240. I like to have a couple of statics for Printers, Servers, testing etc.


  • Registered Users Posts: 94 ✭✭joe2687


    I never really upgrade servers, just move the services to new machines. I find it helps to keep things under control because you know exactly how you built the new machines and what you had to do to get that service running. We also run new servers in parallel with the old ones to make sure we don't lose anything.

    That's a very good point, I have a spare blade server here, I might load 2008 on that and transfer some of the roles gradually, starting with DHCP. Seems like a bit of a waste running 2008 on a non Hyper-V server, but it would do for a start. I also have ABTutor console running on the server, so I can do a shutdown across the board to eliminate any issues with running machines getting a new IP.

    I currently have the scope going from .25 - .254, with all printers, WAPS, etc coming in under the scope.


  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    Give yourself some space at the end of the scope too, you never know when you will need extra IPs...

    For instance we recently changed Internet provider so we had to have the two connections running at once. We used .254 as the new gateway for testing, .250 for the old gateway and the router in between was .252...

    Having our default gateway at .250 works very well for us. Don't forget that once you get the scope up and running you can't edit the scope to make a change, you have to build it again from scratch, which is a pain in the ass if you have a lot of reservations or VoIP phones.

