Primary DNS Incorrect - No attempt for secondary?

  • Primary DNS Incorrect - No attempt for secondary?

    hey,

    Yesterday I updated the dns entries for a subnet in DHCP.

    Problem is, I put in the wrong IP for the primary DNS server. The secondary IP was fine and is a functioning DC.

    This morning when clients attempted to log on, they couldn't! (Well, the ones with cached accounts could, but in effect clients couldn't log on.)

    OK, I shouldn't have entered the wrong IP for their primary DNS, but wouldn't they automatically try the secondary?

    The wrong IP I entered was an existing box which was up, so when the client looks for a DC does it just do a ping? If the ping responds, does it assume that the DC/DNS server is up/available and never try the secondary?

    Any other reasons you can think of why a client wouldn't try its secondary DNS server if the primary was incorrect?

  • #2
    Re: Primary DNS Incorrect - No attempt for secondary?

    The DNS resolver should go through the list of DNS servers it is configured for in order to obtain a host name that the resolver is looking for. In your case I think it should have tried the secondary DNS server. Unfortunately things do not always work in the real world as they are taught in the book or classroom.

    What would have been interesting is to be able to take one of those problem workstations, log on with a local account, and try some name lookups to see what happens. Even more interesting would be to run a protocol analyzer on the machine to see if it was querying the secondary DNS server, or to see if it was getting some kind of response from the incorrectly configured primary.

    Jas
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
    boche.net - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.

    • #3
      Re: Primary DNS Incorrect - No attempt for secondary?

      There is a delay for the fail-over. What happens if you try to log on, get the error, then try again 15-30 seconds later?

      You can also test it with nslookup on one of your machines that used cached creds. EDIT - or as my wise friend pointed out, use a local account. And the sniffer is a good idea too.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com

      • #4
        Re: Primary DNS Incorrect - No attempt for secondary?

        I updated the DHCP scope with the correct IP so I can't go back and test at this stage. I can simulate a test a bit later, but I just wanted to find out what 'should' be happening!

        From: http://technet2.microsoft.com/Window....mspx?mfr=true
        -----------
        The DNS Client service queries the DNS servers in the following order:
        1. The DNS Client service sends the name query to the first DNS server on the preferred adapter's list of DNS servers and waits one second for a response.

        2. If the DNS Client service does not receive a response from the first DNS server within one second, it sends the name query to the first DNS servers on all adapters that are still under consideration and waits two seconds for a response.

        3. If the DNS Client service does not receive a response from any DNS server within two seconds, the DNS Client service sends the query to all DNS servers on all adapters that are still under consideration and waits another two seconds for a response.

        4. If the DNS Client service still does not receive a response from any DNS server, it sends the name query to all DNS servers on all adapters that are still under consideration and waits four seconds for a response.

        5. If the DNS Client service does not receive a response from any DNS server, the DNS client sends the query to all DNS servers on all adapters that are still under consideration and waits eight seconds for a response.
        ---------

        So when it tries to contact its preferred DNS server, it is making a name query. I thought it might just do a ping, and because my incorrect IP would respond it would think that it had contacted a DNS server and would therefore not try the alternate DNS, which would explain what happened.

        But if it is making a name query, my incorrect IP would not have returned a positive response, so it should have moved onto the alternate DNS entry and tried again.

        Hmm, I'll keep reading! Thanks for your responses.
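
The TechNet steps quoted in the post above are easier to reason about when replayed as a small model. The following Python is an added illustration for this thread, not code from the poster or from Microsoft: it walks the five documented rounds with their 1/2/2/4/8 second waits and reports when the alternate server is first asked and how long a full time-out takes. Server behaviour is reduced to "answers" or "silent" (the quoted steps only describe the no-reply case), every server is assumed to stay "under consideration" throughout, and the addresses are constructed from the RFC 5737 documentation range.

```python
"""Model of the Windows DNS Client query order quoted from TechNet above.

Added, illustrative model (not code from the thread or from Microsoft): it
replays the five documented rounds and their timeouts to show when the
alternate server is first queried and how long a full time-out takes.
Server behaviour is reduced to "answers" or "silent"; the quoted steps do not
say what happens on an unusable reply, so that case is not modelled.
"""

# Per-round wait in seconds, exactly as listed in the quoted steps 1..5.
ROUND_TIMEOUTS = (1, 2, 2, 4, 8)


def targets_for_round(round_no, adapters):
    """Which servers the client sends to in a given round.

    adapters: list of per-adapter server lists, preferred adapter first.
    Assumption: every server stays "under consideration" throughout, since the
    quoted text does not define when one is dropped.
    """
    if round_no == 1:                      # step 1: first server, preferred adapter
        return [adapters[0][0]]
    if round_no == 2:                      # step 2: first server on every adapter
        return [servers[0] for servers in adapters if servers]
    return [s for servers in adapters for s in servers]  # steps 3-5: all servers


def resolve(adapters, answering):
    """Simulate one name query.

    answering: set of server addresses that reply to a DNS query at all.
    Returns (server_that_answered or None, seconds_elapsed, trace) where trace
    lists (round, servers_queried) so the fail-over path can be inspected.
    Replies are assumed to arrive instantly, so elapsed time is just the sum
    of the timeouts of the rounds that produced no reply.
    """
    elapsed = 0
    trace = []
    for round_no, timeout in enumerate(ROUND_TIMEOUTS, start=1):
        targets = targets_for_round(round_no, adapters)
        trace.append((round_no, targets))
        for server in targets:
            if server in answering:
                return server, elapsed, trace
        elapsed += timeout
    return None, elapsed, trace            # no reply in any round: client reports a time-out


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation range), not the poster's.
    wrong_primary, good_secondary = "192.0.2.99", "192.0.2.10"

    # A primary that never replies on UDP/53 and a working secondary.
    server, secs, trace = resolve([[wrong_primary, good_secondary]], {good_secondary})
    first_round = next(r for r, t in trace if good_secondary in t)
    print(f"answered by {server} after {secs}s; secondary first asked in round {first_round}")

    # Both servers silent: the documented rounds add up before the client gives up.
    print("time-out after", resolve([[wrong_primary, good_secondary]], set())[1], "s")
```

With a single adapter the secondary is not queried at all until round 3, about three seconds in, and a client with two silent servers waits the full 17 seconds before reporting a time-out; that is the "delay for the fail-over" mentioned in #3.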

        • #5
          Re: Primary DNS Incorrect - No attempt for secondary?

          When you do an ipconfig /all on the clients are the right DNS servers in the list?

          I recently updated my DNS server list on the DHCP server but in order for the clients to have the updated list, I had to release all the clients and then renew them again so that their DHCP information is updated.

          • #6
            Re: Primary DNS Incorrect - No attempt for secondary?

            I built a test workstation this morning and modified DNS to simulate the wrong IP I originally had in the DHCP scope as the primary, and the secondary was a functioning DNS/DC.

            The wrong IP for the primary DNS was a pingable address (a router).

            When I tried to log on from the workstation it said the domain was unavailable (i.e. it wasn't switching over to the secondary DNS).

            I then changed the primary DNS to 1.2.3.4, which wasn't pingable, and I could log on fine, i.e. it did switch over to the secondary.

            So it seems that it uses ping, not name resolution, to verify if the primary DNS server is available!

            Or possibly not ping, but something other than name resolution to verify if the primary DNS server is available.

            I made sure cached logons weren't an issue by using different accounts, and I was rebooting the workstation in between changing DNS settings.

            If anyone wants to check this, get a test machine and change its primary DNS server to a member server which isn't a DNS/DC box but which is turned on and pingable. It won't attempt to use the secondary DNS and you won't be able to log onto the domain.

            I did an RSoP to check if there was any GPO that could be affecting this and I couldn't see anything, but having someone else in a different environment check this would be handy.

            • #7
              Re: Primary DNS Incorrect - No attempt for secondary?

              Ah hah! I'm pretty sure I know what's going on.

              I bet your router performs DNS proxy. So when it tries to find a DC, the router forwards the request to whatever DNS server is configured on the router. It obviously won't find it and then gives the error message.
              Regards,
              Jeremy


              • #8
                Re: Primary DNS Incorrect - No attempt for secondary?

                Or it could be that.

                I'll confirm on my test box by putting in a primary DNS server that is pingable but isn't a router (which could have a DNS proxy!).

                cheers!

                • #9
                  Re: Primary DNS Incorrect - No attempt for secondary?

                  Or you could just run nslookup from any computer and test to see if your router is a DNS proxy.

                  Something like (interactive nslookup; point it at the router, then ask for a name):
                  Code:
                  nslookup
                  > server <ip address of router>
                  > google.com
                  Let me know what you find.
                  Regards,
                  Jeremy


                  • #10
                    Re: Primary DNS Incorrect - No attempt for secondary?

                    I've had problems with DNS not failing over when the node type isn't set to hybrid.

                    Just my two cents

                    Dean

                    • #11
                      Re: Primary DNS Incorrect - No attempt for secondary?

                      Originally posted by JeremyW:
                      Or you could just run nslookup from any computer and test to see if your router is a DNS proxy.
                      OK, nslookup timed out, so that's not it.

                      Can it simply be that it uses ICMP to verify if the server is up? If ping responds, it never fails over to the secondary (even if subsequent name resolution fails)?

                      • #12
                        Re: Primary DNS Incorrect - No attempt for secondary?

                        Nuts. I was so sure.

                        I'm pretty sure it uses DNS queries to check. i.e. it sends its queries to the primary and if it gets no response, moves on to the secondary. I could be wrong though.

                        Just for kicks, could you test it the way you suggested by setting up the test computer and use a pingable IP address that's not your router?

                        BTW - what model router are you using?
                        Regards,
                        Jeremy


                        • #13
                          Re: Primary DNS Incorrect - No attempt for secondary?

                          Originally posted by hammo:
                          OK, nslookup timed out, so that's not it.

                          Can it simply be that it uses ICMP to verify if the server is up? If ping responds, it never fails over to the secondary (even if subsequent name resolution fails)?
                          nslookup does not fail over to secondary DNS server. It will also not focus on the DNS server if it does not have a PTR record, when you run it without parameters.

                          DNS server availability is not tested using ICMP - you can have DNS server blocking ICMP and the client will still be able to use it.
                          Guy Teverovsky
                          "Smith & Wesson - the original point and click interface"
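
Posts #2 and #3 suggest testing name lookups from an affected machine, and #13 notes that nslookup does not fail over and that availability is not an ICMP matter. The Python below is an added example for this thread (not the poster's code, not Microsoft's, and not a tool the thread used): it sends a real A query over UDP/53 to each configured server in list order and classifies the outcome as a DNS reply, no response, or ICMP port unreachable, the last being exactly the "up and pingable but no DNS service" case from #6. The server addresses, the query name and the helper names are assumptions for illustration; substitute the primary and secondary from `ipconfig /all` on the affected client.

```python
"""Query each configured DNS server with a real DNS packet, in list order.

Added example for this thread (not the poster's code, not Microsoft's). nslookup
sticks to one server and ping only proves the host is up, so this probe sends an
actual A query over UDP/53 to every server and reports, per server, whether it
replied, stayed silent, or rejected the packet with ICMP port unreachable.
Addresses, query name and helper names are assumptions for illustration.
"""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, txid, qtype=1):
    """Minimal DNS query: header (RD set, one question) + QNAME + QTYPE/QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def classify_reply(data, txid):
    """Turn a raw reply into a short verdict; anything that is not a matching
    DNS response counts as 'malformed' rather than as a usable answer."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:      # wrong ID, or QR bit not set
        return "malformed"
    rcode = RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F))
    return f"reply:{rcode}:{ancount}-answers"


def probe_server(server, name, timeout=2.0):
    """Send one query to server:53 and classify the outcome without using ICMP echo."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # A connected UDP socket makes an ICMP port-unreachable show up as an
        # exception on recv (ECONNREFUSED on Linux, WSAECONNRESET on Windows).
        sock.connect((server, 53))
        try:
            sock.send(build_query(name, txid))
            data = sock.recv(512)
        except socket.timeout:
            return "no-response"            # silent host or firewall: the resolver would fail over
        except (ConnectionRefusedError, ConnectionResetError):
            return "port-unreachable"       # host is up (pingable) but nothing listens on 53
    return classify_reply(data, txid)


def probe_in_order(servers, name):
    """Probe the servers in the order the client has them; returns [(server, verdict)]."""
    return [(server, probe_server(server, name)) for server in servers]


if __name__ == "__main__":
    # Constructed addresses in the RFC 5737 documentation range; substitute the
    # primary/secondary from `ipconfig /all` on the affected client.
    for server, verdict in probe_in_order(["192.0.2.99", "192.0.2.10"], "google.com"):
        print(f"{server:15} {verdict}")
```

Run it from the workstation while a packet capture is open, as #2 suggested, and the per-server verdicts line up with what the resolver actually saw: a "port-unreachable" primary is a host that answers ping but not DNS, which is the scenario the test in #6 reproduced.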

                          • #14
                            Re: Primary DNS Incorrect - No attempt for secondary?

                            Originally posted by guyt:
                            nslookup does not fail over to secondary DNS server. It will also not focus on the DNS server if it does not have a PTR record, when you run it without parameters.

                            DNS server availability is not tested using ICMP - you can have DNS server blocking ICMP and the client will still be able to use it.
                            I did an nslookup, server <the router's IP>, then tried to resolve, without success.

                            Of the documentation I've read, nothing explicitly says how a client determines if the primary or secondary is available. I would assume it would be via a name query (it *must* be), but then clients would have (should have?) failed over to their secondary DNS, which was a functioning DNS server. That's why I started to question how a client determines if its primary DNS server is available.

                            I have never blocked ICMP on my DNS servers as they're all domain controllers. But I'm keen to test! Perhaps it doesn't use ICMP or name queries?

                            First off, though, I'll build another test box and try a pingable address (which isn't a DNS server) as its primary and see if it can perform name resolution (or log onto the domain), to see if it's that device in particular causing me headaches.

                            JeremyW - I'm not sure what kind of router it is. I sent an email to our network guys asking if it could have some sort of DNS proxy and they assured me it didn't (but my nslookup shows that it can't be, yeah?).

                            Thanks for the input fellas...
                            Last edited by hammo; 26th April 2007, 08:24.
