Slow Resolution


Tom White

I'm quite new to DNS stuff so sorry if this is obvious.

I have a DC with a DNS server installed and I'm using ICS
to share an ADSL connection on another machine. There is 1
forward zone in the DNS which was set up by default and is
my domain. All the clients get DNS and gateway info from
the DHCP server, also installed on the DC.

The clients seem to be taking a very long time (15 secs
sometimes) to resolve website addresses to IP's. I tried
stopping the DNS server and this speeds up the whole
process as the clients just look to the gateway machine
for DNS, but if I do this I get problems with the object
picker and other stuff.

It's all working fine eventually it just takes ages... any
easy way I can speed it all up? Thanks!
 
The clients seem to be taking a very long time (15 secs
sometimes) to resolve website addresses to IP's. I tried
stopping the DNS server and this speeds up the whole
process as the clients just look to the gateway machine
for DNS, but if I do this I get problems with the object
picker and other stuff.

What happens if you run NSLookup against those names?

Does it seem to timeout and require "-time=10" added to
work?

If so, then the problem is likely "in DNS" -- if not, then
the problem is likely with the Web site/Client themselves.

When you have a complex problem "divide and conquer";
simplify, simplify, simplify.

Are the clients configured with MORE THAN ONE DNS
server? If so, read my other posts in the last 30 minutes here.

Point all clients, including internal servers/DC/DNS itself, at
the internal DNS ONLY.

Have the internal DNS forward to a NAT/ISP DNS server,
or recurse the Internet directly itself but don't point the clients
"out there."
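
Added example, not part of any post in this thread: one way to check the "internal DNS ONLY" advice above is to parse a client's `ipconfig /all` output and list any DNS server that is not the internal one. The sample output is constructed; 192.168.0.10 as the DC/DNS address and the adapter names are assumptions, and English-language `ipconfig` output is assumed.

```python
import re

# "   Label . . . . : value" lines; DNS continuation lines carry no label or colon
FIELD = re.compile(r"^\s+(.+?)[ .]+:\s*(.*)$")

def dns_servers_by_adapter(ipconfig_text):
    """Parse `ipconfig /all` text into {adapter heading: [DNS server, ...]}."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line: only adapter headings end with ':'
            text = line.strip()
            current = text.rstrip(":") if text.endswith(":") else None
            in_dns = False
            if current:
                adapters[current] = []
            continue
        m = FIELD.match(line)
        if m:
            in_dns = m.group(1) == "DNS Servers"
            if in_dns and current and m.group(2):
                adapters[current].append(m.group(2).strip())
        elif in_dns and current:
            # Indented, unlabeled line right after "DNS Servers": another server
            adapters[current].append(line.strip())
    return adapters

def stray_dns(ipconfig_text, internal_dns):
    """Return {adapter: [configured DNS servers that are not internal]}."""
    report = {}
    for name, servers in dns_servers_by_adapter(ipconfig_text).items():
        stray = [s for s in servers if s not in internal_dns]
        if stray:
            report[name] = stray
    return report

# Constructed sample: first adapter also lists the ICS box (192.168.0.1) as DNS
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Office LAN:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.0.57
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       192.168.0.10

Ethernet adapter Lab LAN:

   DNS Servers . . . . . . . . . . . : 192.168.0.10
"""
```

Calling `stray_dns(SAMPLE, {"192.168.0.10"})` reports only the adapter that still lists the ICS address; an empty result means the client resolves through the internal DNS alone.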
 
One HUGE suggestion and recommendation, is to never use ICS with an AD
infrastructure, since it interferes with DNS (it has its own mini "proxy
DNS" service), and it won't allow you to customize DHCP since it has its own
"mini" DHCP server. ICS will automatically set the internal NIC to
192.168.0.1 and creates a DHCP scope with random IPs between 192.168.0.2 to
192.168.0.254 and sets the DNS server as the 192.168.0.1 server and no other
DHCP options can be configured.

Never is a strong word but the warning is usually well
heeded.

If you must use "ICS" then ALSO set the network clients
EXPLICITLY to use the "internal DNS" AFTER you make
them "automatically obtain an IP address".

When you select that, the settings in other boxes will be cleared
but after that, you can fill in anything (except IP and subnet mask)
and it will override settings from the DHCP server (including ICS.)

General rule supports ACE however: ICS is not suitable for when
you have your own DNS or DHCP (especially DHCP).
 
In
Herb Martin said:
Never is a strong word but the warning is usually well
heeded.

True, but was trying to emphasize the point.
If you must use "ICS" then ALSO set the network clients
EXPLICITLY to use the "internal DNS" AFTER you make
them "automatically obtain an IP address".

Too much added configuration and overhead dealing with ICS. Especially since
you can't statically set any machine other than the 192.168.0.1 ICS box
itself because of the random and not sequential nature of ICS' mini DHCP
service.
When you select that, the settings in other boxes will be cleared
but after that, you can fill in anything (except IP and subnet mask)
and it will override settings from the DHCP server (including ICS.)

General rule supports ACE however: ICS is not suitable for when
you have your own DNS or DHCP (especially DHCP).

Nope!
:-)


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
If you must use "ICS" then ALSO set the network clients
Too much added configuration and overhead dealing with ICS. Especially since
you can't statically set any machine other than the 192.168.0.1 ICS box
itself because of the random and not sequential nature of ICS' mini DHCP
service.

Too much overhead perhaps, but you certainly can set all other
settings in IP statically. If you are using ICS, presumably you
have only a few machines also.

Manual settings at a machine (DHCP client) override settings from
the DHCP server.

Along about NT 3.51 or NT 4.0 Microsoft started "clearing the
other settings" when you change the client to use DHCP -- but you
can still type them in AFTER you switch the client.

Re: Never
(Almost) NEVER....
 
In
Herb Martin said:
Too much overhead perhaps, but you certainly can set all other
settings in IP statically. If you are using ICS, presumably you
have only a few machines also.

Manual settings at a machine (DHCP client) override settings from
the DHCP server.

Along about NT 3.51 or NT 4.0 Microsoft started "clearing the
other settings" when you change the client to use DHCP -- but you
can still type them in AFTER you switch the client.
Good point.

Another thing to add, if the ICS machine is the DNS server, then errors will
occur due to that. Detrimental to AD. I can't think of the Event ID number,
but it's a NAT error message and the result is a major problem. Here's more
info on that:

250603 - ICS May Not Function Properly with DNS or DHCP Server Services on
the Same Computer:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q250603

Hence, why I strongly suggest to *never* use ICS with AD.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
"Ace Fekay [MVP]"
Good point.

Usually it's a troubleshooting point (some user does it and forgets about
the override) but I actually use it on my DHCP client NAT/ISA machines
to make sure they don't set their OWN DNS Server setting to the one
provided by the ISP.

(Actually I first let it set once, write down the entries, then override
them; if I ever experience trouble with those ISP DNS Server, I repeat the
process to see if their DHCP is giving new entries.)
Another thing to add, if the ICS machine is the DNS server, then errors will
occur due to that. Detrimental to AD. I can't think of the Event ID number,
but it's a NAT error message and the result is a major problem. Here's more
info on that:

Actually you can beat this one too (I believe) -- let the ICS be the DNS,
but make IT A CLIENT of the internal DNS and then have this DNS actually do
the recursion or forward to the ISP.

That's a lot of indirection however and the average new admin wouldn't
understand it when it breaks.
250603 - ICS May Not Function Properly with DNS or DHCP Server Services on
the Same Computer:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q250603

Well, I don't think it will (much) at all, but if you have DNS or DHCP
then you MUST in fact have a Server in that position and so can always
switch to NAT.

The only good reason for using ICS is if you just "don't have" a "Server"
and cannot budget one.

Microsoft probably did this to "sell more server" but I bet they actually
net fewer Windows sales because people run Linux or some appliance
instead of a Windows machine with an expensive server licence just to
get NAT.
 
Actually it causes a "proxy DNS service" where ICS will forward the request
to the ISP for the client without even looking at itself for DNS, that is if
DNS is installed on the ICS machine.

I think you missed the point here - due to assuming the USUAL case
was the way it works: ICS doesn't 'forward to the ISP' but rather it
'forwards to ITS OWN DNS server' (which is commonly the ISP.)

Just point the ICS machine somewhere else and that is what it used.
I don't think it will work based on the above. I can dig up the info on it,
but it won't work. That's why the nathlp message comes up.

I would probably have to see it fail or hear a really good reason why
my statement above is either not true or evidence there is a bug.
 
In
Herb Martin said:
I think you missed the point here - due to assuming the USUAL case
was the way it works: ICS doesn't 'forward to the ISP' but rather it
'forwards to ITS OWN DNS server' (which is commonly the ISP.)

Just point the ICS machine somewhere else and that is what it used.


I would probably have to see it fail or hear a really good reason why
my statement above is either not true or evidence there is a bug.

Gotchya. I haven't tried it nor ever installed ICS in an AD environment to
answer that. But since you put it that way, I guess it will work, as long as
the ICS is not the DNS server. But if the ICS is the DNS server, the NATHLP
error will popup.

But it still leads me to say about the randomness of DHCP addressing with
ICS. It will interfere with the ability to statically assign internal
machines, such as printers, etc, with the possibility of dupe IPs. I've seen
that happen in a test environment and didn't realize what was going on until
I saw the randomness of the IPs. One machine I set to .200. Wouldn't you
know it, the machine right next to it was .189 and there were only 4
machines on the network. Hmm....



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 