tag:blogger.com,1999:blog-8195960884587142892.post4789517200545872906..comments2022-03-29T16:20:42.294-04:00Comments on Jonathan E. Smith: DNS trouble with Server 2008 R2Jonathan Smithhttp://www.blogger.com/profile/01991321405489551817noreply@blogger.comBlogger23125tag:blogger.com,1999:blog-8195960884587142892.post-50972203753155751742013-03-31T11:44:29.172-04:002013-03-31T11:44:29.172-04:00You are most welcome. I always benefit when others...You are most welcome. I always benefit when others post these kinds of issues so I try to do the same when I stumble across them hoping it will save someone else time.Jonathan Smithhttps://www.blogger.com/profile/01991321405489551817noreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-52036232784913459832013-03-31T10:37:38.589-04:002013-03-31T10:37:38.589-04:00I was having the EXACT same issue..created a 2008R...I was having the EXACT same issue..created a 2008R2 from template, DCpromo went w/o incident. DNS BPA showed failures for all root servers, inside DNS was OK.<br />Demoted this server/deleted it. Recreated server the same way...same problem<br />After reading this article, I did a reload on the PIX 506E, FIXED IT!!!!<br /><br />THANK YOU!!!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-61969239714346049482012-03-05T16:37:31.909-05:002012-03-05T16:37:31.909-05:00I'm glad my post helped you out. You will hav...I'm glad my post helped you out. You will have to check wiht DrayTek regarding how it passes those packets but I don't think that DOS proection or UDF flood defense will have anything to do with it as the issue revolves around the router being able to handle those packets.Jonathan Smithhttps://www.blogger.com/profile/01991321405489551817noreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-71351718167618461742012-03-03T19:58:28.697-05:002012-03-03T19:58:28.697-05:00Hi,
I struggled with this problem after installing...Hi,<br />I struggled with this problem after installing win 2008 R2 SP1. Than I finally found your blog post here, and I suppose I've fixed my problem. You mentioned about large UDP packets. I have DrayTek Vigor 2920, and it has DOS protection and have an option about enabling "UDP flood defense". I disabled it and I didn't do deep testing but I don't have any timing outs right now.<br /><br />Regards, and thanks.Fatih Tolga Atahttp://www.diyezon.comnoreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-86599414027781084252011-11-22T14:55:02.576-05:002011-11-22T14:55:02.576-05:00We are using a SonicWall E5500 series in HA config...We are using a SonicWall E5500 series in HA configuration.Jonathan Smithhttps://www.blogger.com/profile/01991321405489551817noreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-65760551543237733322011-11-20T01:56:47.822-05:002011-11-20T01:56:47.822-05:00Hi Jonathan,
Im using neatgear FVX538 firewall.. ...Hi Jonathan,<br /> Im using neatgear FVX538 firewall.. Im having the exact same problem. What is the model of the firewall you are using..<br />ThanksAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-87277306381041133702011-02-08T15:19:26.979-05:002011-02-08T15:19:26.979-05:00Fortunately SonicWall was willing to work on the p...Fortunately SonicWall was willing to work on the problem and admit it was their fault. They proved it in their lab. This is where you find out the true nature of a hardware provider.Jonathan Smithhttps://www.blogger.com/profile/01991321405489551817noreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-38948552904610200942011-02-08T15:08:43.023-05:002011-02-08T15:08:43.023-05:00I have the exact same problem you mention, vmware ...I have the exact same problem you mention, vmware 2008 r2 DC. physical 2003 boxes are fine i have disabled EDNS but the problem still persists. Spoke to firewall engineer they claim the fortigate is not the problem. Ahhhhh where do i start?jimbobthhttp://twitter.comnoreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-56138375030981102632011-01-13T16:08:03.271-05:002011-01-13T16:08:03.271-05:00Hoooray! If it was UDP packets/large then that po...Hoooray! If it was UDP packets/large then that points back to eDNS/DNSSEC. Very glad you got it sorted out.<br /><br />I had that same problem if you recall with my Cisco ASA firewalls until I changed the global policies, etc.<br /><br />Good work dude. Good work.<br /><br />--DWDW Hunterhttp://www.darylhunter.menoreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-39293084879548990362011-01-13T15:58:49.706-05:002011-01-13T15:58:49.706-05:00Fixed! We finally got it fixed! Turns out it was...Fixed! We finally got it fixed! Turns out it was a SonicWall firmware issue but nothing we could detect. All of our tests said it was working and SonicWall admitted that we would see that because their firmware was dropping the return UDP packets that it deemed too large and then not logging that it was dropping said packet.<br /><br />SonicWall support helped get our firmware fixed and admitted the problem was on their end. We were running an out-of-band firmware release to solve problems with our SonicPoint N devices. This issue fortunately is limited to that release alone and since so few users are running that version we were the first to report the problem.<br /><br />5 days later an issue we could not detect or prove existed is finally resolved. Now to cleanup the mess we made along the way.Jonathan Smithhttps://www.blogger.com/profile/01991321405489551817noreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-23744782041427537382011-01-13T14:45:34.339-05:002011-01-13T14:45:34.339-05:00Looks like this is a firewall issue but not an obv...Looks like this is a firewall issue but not an obvious one. SonicWall has confirmed it is something on their end but they are not sure what. Could be firmware related but they want to confirm that in the lab before assuring me that a firmware update will solve the problem.<br /><br />Everyone agrees that there does not appear to be anything wrong with our current configuration which makes firmware the likely suspect but I'm glad they are confirming.Jonathan Smithhttps://www.blogger.com/profile/01991321405489551817noreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-73475406312062642492011-01-13T12:24:45.085-05:002011-01-13T12:24:45.085-05:00For those keeping track, we setup a physical 2008 ...For those keeping track, we setup a physical 2008 R2 server and it has the same problems. We are now going to test connecting it directly to the internet and bypassing everything except our upstream connection hardware to see if we can narrow things down further.Jonathan Smithhttps://www.blogger.com/profile/01991321405489551817noreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-55488588589791846542011-01-13T11:13:51.960-05:002011-01-13T11:13:51.960-05:00LOL - "the twitter me"
Ditto my friend....LOL - "the twitter me"<br /><br />Ditto my friend.DW Hunterhttp://www.darylhunter.menoreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-9007753658255426132011-01-13T10:05:40.239-05:002011-01-13T10:05:40.239-05:00Thanks for the help. I think we may have an issue...Thanks for the help. I think we may have an issue with our VMware setup. Either our template that we are deploying our VM's with is corrupt some how or there is an issue at the VM layer. To test this we are deploying a physical Server 2008 R2 box to see if it works there. If it does then we go back to the VMware layer or our deployment template. <br /><br />If it doesn't work on the physical box then it is a Microsoft issue and we may have to bring them in.<br /><br />I really appreicate your insight and do look foward to seeing you next month in Florida despite what the Twitter me says.Jonathan Smithhttps://www.blogger.com/profile/01991321405489551817noreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-54051818888814196772011-01-13T08:30:32.496-05:002011-01-13T08:30:32.496-05:00Sorry dude. Without looking at it, I'm not su...Sorry dude. Without looking at it, I'm not sure. I asked our engineers and 100% of them said "root hints and forwarders to fix" - but if you've verified you aren't using root hints, and setup forwarders, and restarted appropriate service, then I'm not sure right now.<br /><br />Bummer.DW Hunterhttp://www.darylhunter.menoreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-64574789841301144792011-01-13T00:46:59.139-05:002011-01-13T00:46:59.139-05:00No change. No errors in event viewer either.No change. No errors in event viewer either.Jonathan Smithhttps://www.blogger.com/profile/01991321405489551817noreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-48236443554681486872011-01-12T23:43:19.692-05:002011-01-12T23:43:19.692-05:00so - humor me
change the DNS settings on the NIC
...so - humor me<br /><br />change the DNS settings on the NIC<br /><br />primary 127.0.0.1<br />secondary IP.OF.ANOTHER.2008R2<br /><br />what does that do for you? any difference?<br /><br />and you don't see anything in eventvwr.msc / DNS Server?DW Hunterhttp://www.darylhunter.menoreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-39290674176100163002011-01-12T21:27:24.985-05:002011-01-12T21:27:24.985-05:00This is why I'm truly baffled.This is why I'm truly baffled.Jonathan Smithhttps://www.blogger.com/profile/01991321405489551817noreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-19738744349086435232011-01-12T21:26:53.629-05:002011-01-12T21:26:53.629-05:00The reverse PTR record is in place. Here is what ...The reverse PTR record is in place. Here is what I get when I do 10.0.0.5 in nslookup.<br /><br />> 10.0.0.5<br />Server: dc1.faith.lafayette<br />Address: 10.0.0.5<br /><br />Name: dc1.faith.lafayette<br />Address: 10.0.0.5<br /><br />Here is what I get when I do another server.<br /><br />> 10.0.0.7<br />Server: dc1.faith.lafayette<br />Address: 10.0.0.5<br /><br />Name: sql01_server.faith.lafayette<br />Address: 10.0.0.7<br /><br />I have confirmed I am not doing root hints and that the "." is not in DNS server. Unless I'm not looking in the right place but it seems pretty obvious.<br /><br />I have also confirmed that the SonicWall is passing the IP address of the new DNS server.Jonathan Smithhttps://www.blogger.com/profile/01991321405489551817noreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-91591573660772504112011-01-12T21:02:44.300-05:002011-01-12T21:02:44.300-05:00lastly, just on a hunch, are you doing any firewal...lastly, just on a hunch, are you doing any firewall ACL filtering on port 53? Is your firewall only expecting DNS resolution on your old/2003 DNS servers, and you forgot to open up/adjust the firewall for the new IP addresses of the 2008 R2 servers?DW Hunterhttp://www.darylhunter.menoreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-37461957136523286742011-01-12T21:01:18.856-05:002011-01-12T21:01:18.856-05:00And you have reverse PTR records in place?
nslook...And you have reverse PTR records in place?<br /><br />nslookup<br /><br />type in "10.0.0.5" and what do you get as a response?<br /><br />type in the IP of another server - do you get an error, or the FQDN as expected? <br /><br />it still seems to me that your 2008 R2 servers are doing "root hints" or you have the "." root zone in your DNS server.DW Hunterhttp://www.darylhunter.menoreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-91624579096135484552011-01-12T20:44:20.591-05:002011-01-12T20:44:20.591-05:00Under the NIC the only DNS server I have listed is...Under the NIC the only DNS server I have listed is the server itself.<br /><br />I don't get any failures when I start nslookup. I get the FQDN for the default server and the proper address.<br /><br />When I type in server I get the FQDN of the server, the address and then I get:<br />*** dc1.faith.lafayette can't find server: Non-existent domain<br /><br />The upstream DNS server is working as my 2003 DNS server is using it and it is working fine. <br /><br />Here is an NSLookup output:<br />> google.com<br />Server: dc1.faith.lafayett<br />Address: 10.0.0.5<br /><br />Non-authoritative answer:<br />DNS request timed out.<br /> timeout was 2 seconds.<br />Name: google.com<br />Addresses: 209.85.225.106<br /> 209.85.225.147<br /> 209.85.225.99<br /> 209.85.225.103<br /> 209.85.225.104<br /> 209.85.225.105<br /><br />or sometimes I just get<br /><br />> cnn.com<br />Server: dc1.faith.lafayette<br />Address: 10.0.0.5<br /><br />DNS request timed out.<br /> timeout was 2 seconds.<br />DNS request timed out.<br /> timeout was 2 seconds.<br />*** Request to dc1.faith.lafayette timed-out<br /><br />Hope this helps.Jonathan Smithhttps://www.blogger.com/profile/01991321405489551817noreply@blogger.comtag:blogger.com,1999:blog-8195960884587142892.post-79364281175232763342011-01-12T20:26:17.531-05:002011-01-12T20:26:17.531-05:00What are the DNS Server you've got listed unde...What are the DNS Server you've got listed under your NIC? First 127.0.0.1 and second an IP of another server? Vice versa?<br /><br />When you drop to command prompt... type in nslookup... do you get an immediate failure of any kind, or does everything appear normal?<br /><br />After you type in nslookup, and the applet launches, type in the word "server" (no quotes) and hit enter... what do you see returned?<br /><br />What it "smells like" is that your first DNS entry isn't working as expected - maybe service failure, maybe upstream DNS forwarder, maybe the presence of the "." root (which doesn't need to be there), or something else.<br /><br />Can you get us more details about your actual NIC/DNS Servers setup, and some of the output from NSLookup?DW Hunterhttp://www.darylhunter.menoreply@blogger.com