ARP DNS Problems?

Thread starter: riki-oh69


I have 3 regular network users who lose internet/network connections
daily. The problem seemed to develop back when a DNS server that was a
Windows 2000 Domain controller was lost forever. The DNS server was
replaced with a new Domain Controller on a new machine with Windows
2003 installed. At first it was with a laptop user who takes the laptop
home with him every night. Now it has spread to two other users. As a test,
one user was switched to a new network cable that goes to a main switch
on the network directly after the firewall. Connection is still lost
for that user.

The following are the steps I take to fix network access for the 3,
which has to be done multiple times a day.

1st. On a machine that has problems connecting, I logged in as the
administrator and attempted to access the internet and got no
2nd. I changed the name of the workstation from test to test1 to see
if that made a difference with the internal DNS. I rebooted the
workstation and attempted to access the internet and I got no
connection with the test machine.
3rd. I changed the workstation name back to test and rebooted the
workstation. I deleted the DNS cache on Server66 (new machine with Win
2003) to see if this made a difference; I got no connection with test
4th. I cleared the DNS cache on Server22 to see if this made a
difference; I got no connection with the test machine.
5th. I cleared the ARP cache from the firewall and was finally able to
get the internet working on the test computer.
Hello (e-mail address removed),

Please give some more info about the DNS setup: how many DNS servers, and
is DNS running as Active Directory integrated zones? Also post an unedited
ipconfig /all from the problem machine and the DNS server.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!

Good point, Meinolf.

In addition (e-mail address removed), what type of firewall is in place? Is it
a proxy? Does it support EDNS0?

Also, about the lost DC, exactly how did you 'replace' it? Was a Metadata
Cleanup ever performed? Did you seize the roles?


This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer
Please give some more info about the DNS setup, how many DNS servers
* 2 DNS Servers
* Active Directory Integrated
* ipconfig /all from the machine with problem (Windows XP)
Windows IP Configuration
Host Name . . . . . . . . . . . . : test
Primary Dns Suffix . . . . . . . : <Insert domain name>.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : <Insert domain name>.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom 440x 10/100
Integrated Controller
Physical Address. . . . . . . . . : 00-1A-A0-3B-94-9F
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :

* ipconfig /all from DNS machine Server22 (Windows 2000 Server)

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : Server22
Primary DNS Suffix . . . . . . . : <Insert domain name>.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : <Insert domain name>.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Belkin Gigabit Desktop Card
Physical Address. . . . . . . . . : 00-30-BD-BB-74-F1
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :

* ipconfig /all from DNS machine Server66 (Windows 2003)

Windows IP Configuration

Host Name . . . . . . . . . . . . : server66
Primary Dns Suffix . . . . . . . : <Insert domain name>.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : <Insert domain name>.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II
GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 00-1C-23-C6-B1-63
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :
In addition (e-mail address removed), what type of firewall is in place? Is it
a proxy? Does it support EDNS0?

* Watchguard Firewall is in place
* It is not a proxy
* It does not support EDNS0

Also, about the lost DC, exactly how did you 'replace' it? Was a Metadata
Cleanup ever performed? Did you seize the roles?

* The replacement domain controller is Server66. Server66 was promoted
to DC and had DNS installed/configured.
* Metadata Cleanup was not performed.
* Roles were not seized.
Hello (e-mail address removed),

Please check that all 5 FSMO roles are present and that you have at least
one Global catalog server:

Metadata cleanup:

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!

* Watchguard Firewall is in place
* It is not a proxy
* It does not support EDNS0

* The replacement domain controller is Server66. Server66 was promoted
to DC and had DNS installed/configured.
* Metadata Cleanup was not performed.
* Roles were not seized.

Thank you for posting that information. It actually looks fine and the issue
is elsewhere. I would *highly* recommend immediately following Meinolf's
suggestions. They are extremely important. I may also suggest upgrading the
Watchguard's firmware to the latest in order to support EDNS0, or Windows
2003 may not resolve certain domains with large data.

Hello Ace Fekay [MVP],

No problem with that. :-)

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!

Ok, this is what I have done. The instructions for the one link for
"How to view and transfer FSMO roles in Windows Server 2003" did not
do much good because Server66 (uses Win 2003 and replaced Server11
that died) was already pointing to Server22 (uses Win 2000). I followed
the instructions for the "How to remove data in Active Directory after
an unsuccessful domain controller demotion". With those instructions I
was able to use adsiedit.msc to remove the Server11 references from
Server22, and there were no references to Server11 on Server66.

The problem has not gone away.

We have found doing an ipconfig /flushdns and ipconfig /registerdns
seems to work well to allow the workstations to connect past the
network gateway to the internet.
When you attempted to seize the roles, were you on the 2003 server? You want
to be on the server that you want the role to go to. I

A Metadata Cleanup is performed using ntdsutil, not ADSI Edit. ADSI Edit is
limited in this area. So it sounds like the Metadata Cleanup procedure was
not performed properly. Please follow this link again. Also, when you do the
procedure, copy and paste the data from the CMD prompt to Notepad and post
it so we can see what was actually performed and what you are actually
seeing. You may have to change the CMD prompt properties to allow you to view
more than the default 300 lines, just in case. I usually change my CMD
properties to view 3000 lines as well as check the QuickEdit checkbox to
allow me to drag-select everything in the CMD prompt.

Metadata cleanup:

Also, post any Event log errors please on any of the DCs. Post the EventID#
and the Source name.

Hi Guys,

I'm a newbie, so you'll have to forgive me if I'm way off the mark here,
but here goes nothing ..
Riki ... I'd suggest a few steps to troubleshoot this. My "gut" feel is
that, while cleaning up old metadata in AD is important, I'm not sure how
it can impact DNS resolution of external namespaces directly. My thoughts
would be to test the network side of things first, as follows (please forgive
me if you've already tried these steps. I didn't see anything in the
previous postings suggesting you'd done this).

1. You say three PCs can't browse the internet. How many CAN browse?
2. Of the PCs that DO work, are they DHCP enabled? I notice the busted PC is
NOT DHCP enabled.
3. I also notice that Server22 has its Primary DNS set to Server66 and vice
versa. I seem to recall a KB Article saying something about DNS servers
defaulting to use themselves first irrespective of the IP Config.
4. How have you configured the DNS Servers to forward queries? They should
be configured to either Forward queries to the firewall, Do recursive
queries themselves or use perhaps your ISP's DNS server. They should NOT be
configured as Root DNS servers. If one of them is, this may be your problem.

5. From a busted PC try the following both when Internet is working and
again when not working:
a. Open CMD Prompt. (Note down which server it connected to Server22 or 66)
6. If they return good data, try pasting the IP Address of Hotmail into your
web browser to see if it works.
7. If they can't resolve the names, do the same NSLOOKUP tests again, but
this time change the NSLOOKUP prompt to use the alternate internal DNS.
a. To do this, type NSLOOKUP at a CMD Prompt, then type "server x.x.x.x",
then type in names to be resolved.
8. If that doesn't return anything, try your ISP's DNS server.

9. If nothing works at all, check that you can Telnet to port 53 on
Server22, 66, the Firewall and your ISP's DNS box (or even one of the Root
DNS Servers).
10. It might also be worth testing the telnet angle from one of the busted PCs
while the Internet is working OK, to compare results.
11. If the Telnets don't work, try pinging Server22, 66 and the Firewall.

Finally, I'm assuming you have a DNS problem because that was the path that
was suggested in your original posting. However, are you sure it isn't some
kind of Proxy server problem or perhaps an authentication issue with your
Proxy, or some kind of networking problems?

Hope this helps,
Let me know how your tests go???
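The NSLOOKUP comparison suggested in steps 5 to 8 above, and Ace's earlier point that a firewall without EDNS0 support can stop Windows 2003 resolving domains that return large responses, can both be checked with one small probe. The script below is an added example written for this thread; it is not code from any poster or from Microsoft, and it uses only the Python standard library. It builds a raw DNS query, sends it to each server in a list, and reports the answers, the response code and the truncation (TC) bit, once without an EDNS0 OPT record and once with it. The server names and the 192.0.2.x addresses are constructed placeholders standing in for Server22, Server66 and the ISP resolver, since the real addresses were blanked out of the ipconfig output.

```python
"""Minimal DNS probe: query several resolvers with and without EDNS0 and compare.

Added example for this thread (not code from the thread's posters).
Server addresses below are constructed placeholders in the 192.0.2.0/24
documentation range; replace them with the real internal and ISP resolvers.
"""
import random
import socket
import struct

# Constructed placeholders: internal DCs first, then the ISP resolver.
SERVERS = {"Server22": "192.0.2.22", "Server66": "192.0.2.66", "ISP": "192.0.2.1"}
TEST_NAME = "www.hotmail.com"   # the name the poster suggested testing


def build_query(name, qtype=1, edns0=False, txid=None):
    """Return a wire-format DNS query (A record by default, recursion desired)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    arcount = 1 if edns0 else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    packet = header + qname + struct.pack("!HH", qtype, 1)
    if edns0:
        # OPT pseudo-RR: root name, type 41, CLASS = UDP payload size 4096,
        # TTL = ext-rcode/version/flags all zero, empty RDATA.
        packet += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return packet


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(data):
    """Extract rcode, TC bit and A/CNAME answers from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                                # skip question section
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        elif rtype == 5:                               # CNAME
            answers.append(_read_name(data, off)[0])
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x000F,
            "truncated": bool(flags & 0x0200), "answers": answers}


def probe(server, name, edns0=False, timeout=2.0):
    """Send one query over UDP/53; return parsed response or None on timeout."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, edns0=edns0, txid=txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()
    resp = parse_response(data)
    return resp if resp["txid"] == txid else None     # ignore stray replies


if __name__ == "__main__":
    # A server that answers without EDNS0 but times out with it suggests the
    # firewall is dropping EDNS0 queries; TC set means the 512-byte UDP answer
    # was cut short and the client must retry over TCP.
    for label, addr in SERVERS.items():
        for edns0 in (False, True):
            r = probe(addr, TEST_NAME, edns0=edns0)
            state = "timeout" if r is None else f"rcode={r['rcode']} TC={r['truncated']} {r['answers']}"
            print(f"{label:9s} edns0={edns0!s:5s} {state}")
```

Run it from one of the affected workstations both while browsing works and while it is broken, as step 10 above suggests for telnet; differing answers between Server22 and Server66 point at the internal servers, while a timeout only in the EDNS0 column points at the firewall.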

(e-mail address removed) <> typed:

When you attempted to seize the roles, were you on the 2003 server? You want
to be on the server that you want the role to go to. I

A Metadata Cleanup is performed using ntdsutil, not ADSI Edit. ADSI Edit is
limited in this area. So it sounds like the Metadata Cleanup procedure was
not performed properly. Please follow this link again. Also, when you do the
procedure, copy and paste the data from the CMD prompt to Notepad and post
it so we can see what was actually performed and what you are actually
seeing. You may have to change the CMD prompt properties to allow you to view
more than the default 300 lines, just in case. I usually change my CMD
properties to view 3000 lines as well as check the QuickEdit checkbox to
allow me to drag-select everything in the CMD prompt.

Metadata cleanup:

Also, post any Event log errors please on any of the DCs. Post the EventID#
and the Source name.


Ok, this was done on Server22 to eliminate Server11 (which was
ultimately lost).

C:\Documents and Settings\Administrator.DS>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server server22
Binding to server22 ...
Connected to server22 using credentials of locally logged on user
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=<insert domain name>,DC=com
select operation target: select domain 0
No current site
Domain - DC=<insert domain name>,DC=com
No current server
No current Naming Context
select operation target: list sites
Found 1 site(s)
0 - CN=DS,CN=Sites,CN=Configuration,DC=<insert domain name>,DC=com
select operation target: select site 0
Site - CN=DS,CN=Sites,CN=Configuration,DC=<insert domain name>,DC=com
Domain - DC=<insert domain name>,DC=com
No current server
No current Naming Context
select operation target: list servers in site
Found 5 server(s)
0 - CN=server22,CN=Servers,CN=DS,CN=Sites,CN=Configuration,DC=<insert
domain name>,DC=com
1 -
2 -
domain name>,DC=com
3 - CN=TEST0,CN=Servers,CN=DS,CN=Sites,CN=Configuration,DC=<insert
domain name>
4 - CN=SERVER66,CN=Servers,CN=DS,CN=Sites,CN=Configuration,DC=<insert
domain name>,DC=com
select operation target:

Server11 is not among the listed servers. I don't know where to go.
Ok, thanks for posting that. From the previous post, it didn't appear that
you ran it.

If not in ntdsutil, and not found in ADSI Edit, have you looked in any of
the OUs or the Sites & Services snap-in? How about in WINS?
