Tough DNS Problem


Christopher Beard

I'm having a really tough issue with DNS - I support 4
sites all of which use our DNS servers and at one of our
sites, clients can no longer resolve names through DNS.
This results in 10 minute login times for the users. All
was working well before yesterday, and nothing has
changed recently. The clients all have the correct DNS
server addresses in their TCP/IP settings. Using a port
scanner from one of the failing computers, I was able to
verify that port 53 is open on both DNS servers. I ran
the NETDIAG tests on the same computer and received no
errors (even DNS tests passed) however, it gave me the
following warning: "[WARNING] Cannot find a primary
authoritative DNS server for the
name 'kc0015.pharmco.com.'. [ERROR_TIMEOUT] The
name 'kc0015.pharmco.com.' may not be registered in DNS."
All other sites are resolving names properly to the same
DNS servers. Does anyone have any ideas?
 
how many dns servers?

primary / secondary ?

SOA record for kc0015.pharmco.com.


Rick
 
From that client, do an ipconfig /all. What dns servers are configured?
Do you have *only the ad dns servers in the list and not any ISP dns
servers?
 
Just the two internal DNS servers for Active Directory.
These DNS servers forward the requests of Internet
addresses.
 
We are using three DNS servers; the Primary and one
Secondary server are at the Cincinnati location and the
other Secondary is in California. All machines in the KC
location are using the two servers in the Cincinnati
office. There is a record for KC0015.pharmco.com in DNS
and has been replicated to both Secondary servers,
however, it isn't an SOA record. Any ideas?
Thanks,
Christopher
 
Use something like dig or netdig and do "netdig mydomain.com any". What do
you see?

--
William Stacey, MVP

 
Where do I find netdig? Can you email me at
(e-mail address removed)? Thanks for your help!
 
www.mvptools.com. You need the .net framework 1.1 installed to use. dig is
at www.isc.org. dig may be a little more complex as you need to install the
bind nt build just to get the dig.exe and its required dlls. You could also
extract them I think, but not sure and you need to know what dlls to grab -
I think about 3-4. If you have the framework on one client, pull down
netdig as just one exe (actually two as it has a console and gui version.)
Cheers!

--
William Stacey, MVP

 
Not agree here. dig/netdig provide more diag function and more output in a
better fashion for diag. Anyone doing dns a lot uses dig or the like.
nslookup has some oddities.
 
perhaps, but without getting in a net tools flame-war, in this instance,
I don't think dig is going to provide a clue that nslookup isn't to
solve this guy's troubles. nslookup is already available to him, he can
concentrate on the problem instead of surfing the net for utilities.

Rick
 
Could be possible disjointed namespace.
These things must match exactly:
1. Primary DNS suffix on the DC (in ipconfig /all)
2. DNS domain name of AD domain (in AD Users & Computers)
3. Forward lookup zone name for the AD domain (in internal DNS server Forward Lookup Zones)
 
true. I don't normally care what tools people use. However this is a big
one when it comes to dns diag. Most folks here that really know their stuff
use dig more and can spot errors a lot easier (at least I can.) The default
display of nslookup does not give you the tools. Then you need to remember
the switches to go deeper and that output is uggg.
But you're right, use the tools you got or feel good about. However, helpers
may ask for the dig output.
 
Rick Chisholm said:
perhaps, but without getting in a net tools flame-war, in this
instance, I don't think dig is going to provide a clue that nslookup
isn't to solve this guy's troubles. nslookup is already available to
him, he can concentrate on the problem instead of surfing the net for
utilities.

Rick


I actually like Netdig and find it's easier to use as well.



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
Since you stated that you are using your internal DNS only and configured a
forwarder, (which is good), are there any errors in the Event logs on the
DNS server? If you were to change the order of your DNS IPs on the client
(change it to one of your other DNS servers), can they then resolve? I'm
trying to determine if that specific DNS server is the problem or not.

If you have AD Integrated zones, let us know if you are getting any
replication errors in the Event logs.

Has anything changed recently, such as a router firmware upgrade, or
anything at all (as insignificant as it may seem to you) changed?

Does the name 'kc0015' exist under your pharmco.com zone?

Does the name 'kc0015.pharmco.com' exist under the nameserver tab?


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
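
The per-server check discussed in this thread (is one specific DNS server failing, and do the primary and the secondaries hold the same zone data), as an added PowerShell example that is not part of the original posts. The zone, host name and server addresses are placeholders, `Test-DnsServer` is a hypothetical helper name, and `Resolve-DnsName` requires Windows 8 / Server 2012 or later.

```powershell
# Added example. All values below are placeholders, not taken from the thread.
$Zone     = 'corp.example'                                # AD DNS zone
$HostFqdn = 'client01.corp.example'                       # client named in the NETDIAG warning
$Servers  = '192.0.2.10', '192.0.2.11', '198.51.100.10'   # primary and both secondaries

function Test-DnsServer {                                 # hypothetical helper name
    param([string]$Server, [string]$Zone, [string]$HostFqdn)
    $row = [ordered]@{ Server = $Server; Transport = $null; SoaPrimary = $null
                       Serial = $null; HostA = $null; Error = $null }
    # Query this server directly, UDP first and then TCP, so a timeout on only
    # one transport is visible (a TCP port scan says nothing about UDP/53).
    foreach ($tcp in $false, $true) {
        try {
            $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Server -DnsOnly `
                       -TcpOnly:$tcp -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
            $row.Transport  = if ($tcp) { 'TCP' } else { 'UDP' }
            $row.SoaPrimary = $soa.PrimaryServer
            $row.Serial     = $soa.SerialNumber
            $row.Error      = $null
            break
        } catch { $row.Error = $_.Exception.Message }
    }
    if ($row.Transport) {
        # The zone answered; now ask the same server for the client's own A record.
        try {
            $a = Resolve-DnsName -Name $HostFqdn -Type A -Server $Server -DnsOnly `
                     -TcpOnly:($row.Transport -eq 'TCP') -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' }
            $row.HostA = @($a.IPAddress) -join ','
        } catch { $row.HostA = "lookup failed: $($_.Exception.Message)" }
    }
    [pscustomobject]$row
}

$results = foreach ($s in $Servers) { Test-DnsServer -Server $s -Zone $Zone -HostFqdn $HostFqdn }
$results | Format-Table -AutoSize

# Differing SOA serials mean a secondary has not picked up the current zone.
$serials = @($results | Where-Object { $_.Serial } | ForEach-Object { $_.Serial } | Sort-Object -Unique)
if ($serials.Count -gt 1) { Write-Warning "SOA serials differ across servers: $($serials -join ', ')" }
```

Run it from a client at the failing site and again from a working site; a server that answers one and times out for the other points at the network path rather than the zone data.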
 