AD DNS stopping problem

Hello
I have a question to ask, if someone can help. Here is the situation: we
have a Domain with 2 DC running Windows 2000 Advanced Server with SP4 for the
internal network, there is a DMZ (demilitarized zone) for the external
(internet available servers – WEB, Mail, DNS, Proxy, Firewall etc.), then in
the DMZ the DNS is a Linux machine running BIND – it handles the records for
the web sites that we are hosting. For faster access to the web sites from
the internal network the DNS service on each DC has a record for the address
of the servers in the DMZ with their IP addresses for the local network (not
the Internet ones). Until 2 weeks ago everything was fine, but one day the two DC
based DNS servers started to act strange – both claim that one is sending the
other packets with an invalid domain name – to be exact error 5504 “The DNS
server encountered an invalid domain name in a packet from X.X.X.X. The
packet was rejected”. When that happens one of them starts to build up memory
and the used memory jumps by 1.5GB, the CPU utilization levels at 100% for
all processors and after something like 10 minutes the DNS service stops. If
I stop the DNS service manually on one of the DCs there is no problem, but if
both are running, after 10 minutes both start to log errors and after a few
hours one of them stops. If anyone can help I will be very happy, because we
have no idea what might have happened to start causing the problem.

Stoil Pankov
 
How do you have forwarding configured on the DNS servers, and what DNS server(s)
do you have listed in the TCP/IP properties of those DCs?

For what you're doing, the two DCs shouldn't be trying to send each other any DNS queries
at all - corrupt or otherwise. At least not if things are configured properly. So my
hunch is that somebody here is forwarding or looping through or to somebody else
that they shouldn't be.

Since you have manually entered 'shadow' records for the DMZ hosts in your Win2K DNSen,
the BIND server shouldn't enter into this at all as regards the Windows DCs. So that IP
should appear nowhere in the DNS configuration on the Windows side.

So unless there is more to your network than described here: in your Windows DNS
you can disable forwarding altogether (using root hints only for public name resolution), and
just list each DC's own respective IP as its DNS server in TCP/IP properties. This is the simplest
configuration and should do the job you've described without problems. After you configure this, run
a netdiag on each DC to verify that it is working to resolve AD properly.

You also might want to check out this hotfix: http://support.microsoft.com/?id=838969 to see
if it applies.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
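The two misconfigurations this reply points at (servers forwarding to each other, and DCs listing each other as resolvers) are easy to check mechanically once the settings are exported. The script below is an added example, not code from the thread: it walks a constructed forwarder map for cycles and flags any DC whose TCP/IP DNS list is not just its own address. All server IPs are made up.

```python
"""Check DNS forwarder and resolver settings for the loop described in the
thread: two DCs forwarding to each other (plus a DMZ BIND host) and listing
each other as resolvers. Every IP below is a constructed sample value."""
from typing import Dict, List, Tuple

# Constructed sample: server IP -> the forwarders it is configured with.
# This mirrors the broken setup reported in the thread.
BROKEN_FORWARDERS: Dict[str, List[str]] = {
    "10.0.0.1": ["10.0.0.2", "10.0.1.5"],  # DC1 -> DC2 and DMZ BIND
    "10.0.0.2": ["10.0.0.1", "10.0.1.5"],  # DC2 -> DC1 and DMZ BIND
    "10.0.1.5": [],                         # BIND: root hints only
}
# Constructed sample: DC IP -> DNS servers listed in its TCP/IP properties.
BROKEN_RESOLVERS: Dict[str, List[str]] = {
    "10.0.0.1": ["10.0.0.1", "10.0.0.2"],
    "10.0.0.2": ["10.0.0.1", "10.0.0.2"],
}


def find_forwarding_loops(forwarders: Dict[str, List[str]]) -> List[Tuple[str, ...]]:
    """Return each distinct cycle in the forwarder graph as a sorted tuple.

    Depth-first walk from every server; reaching a forwarder already on the
    current path closes a loop. Cycles are keyed by membership so that
    A->B->A and B->A->B are reported once."""
    loops: List[Tuple[str, ...]] = []

    def walk(node: str, path: List[str]) -> None:
        for nxt in forwarders.get(node, []):
            if nxt in path:
                members = tuple(sorted(path[path.index(nxt):]))
                if members not in loops:
                    loops.append(members)
            else:
                walk(nxt, path + [nxt])

    for start in forwarders:
        walk(start, [start])
    return sorted(loops)


def check_dc_resolvers(resolvers: Dict[str, List[str]]) -> List[str]:
    """Flag every DC whose TCP/IP DNS list is anything other than its own
    address, the simple layout recommended in the reply above."""
    return [f"{dc}: resolver list {dns} should be [{dc!r}]"
            for dc, dns in resolvers.items() if dns != [dc]]


if __name__ == "__main__":
    print("forwarding loops:", find_forwarding_loops(BROKEN_FORWARDERS))
    print("resolver issues:", check_dc_resolvers(BROKEN_RESOLVERS))
```

Running it on the broken sample reports one loop between the two DCs and two resolver issues; after the fix in the thread (no forwarders, each DC pointing at itself) both checks return empty.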
 
Thanks for the reply

I checked the DNS Server configuration and both were configured to forward
to each other and to the BIND, and the LAN cards' TCP/IP settings for both
DCs were configured to use both DNS servers. After reconfiguring the DCs
now everything is working perfectly.

Many, many thanks for the help!!!!

Stoil Pankov
