Announcement

Collapse
No announcement yet.

SBS 2008 DNS Server acts unreliable; Mostly "Standard query response, Server failure"

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • SBS 2008 DNS Server acts unreliable; Mostly "Standard query response, Server failure"

    (The solution to this problem is in post #22 of this thread)

    This is going to be a long post, mostly because I've tried everything I know how to before sending out a plea for help.

    I have a fresh installation of Small Business Server 2008 Standard running on 8GB RAM and a 2.1 GHz 1352 AMD Operton. It's completely patched as of Friday the 8th of May 2009. None of my clients have yet been made domain members as I am in the process of the migration at the moment. I was hoping to get everyone looking at it for DHCP and DNS first. I don't think that non-domain members would have a problem looking to the server for DHCP/DNS since many VPN clients will not be domain members but will still need to resolve internal names (like the local SharePoint site and file server).

    Problem: Clients cannot reliably use the SBS server as a DNS server. My client PCs are running Vista Home Premium (I know, they can't be joined to the domain… I'm working on upgrading them ), Vista Ultimate and XP Pro. Using the SBS server as a DHCP server, they receive a default gateway, default domain suffix and DNS server (the SBS server). Most of the time the SBS DNS server responds to client queries with " Standard query response, Server failure" either immediately without consulting the forwarders / root hints or after attempting to resolve them through forwarders and root hints . Typically if DNS results are returned to the clients it takes a very long time (by DNS standards – about 6 seconds or more). Sometimes, albeit rarely, web browsing and name resolution is lightning fast as I would expect, but that usually only lasts for one or two domains that I try to resolve. I've tried several different set ups and options on the DNS server and seem to receive a confusing array of behavior. So far nothing has solved it. Here's what I've done so far:

    I first set up the DNS server portion of the SBS machine to use OpenDNS's two forwarders and fall back on root hints if those forwarders failed. Very inconsistent results were experienced. I watched the process with Wireshark and sometime the SBS machine would send requests to OpenDNS, sometimes it wouldn't. Sometimes the SBS machine would receive a reply from OpenDNS and sometimes it wouldn't. Sometimes when the SBS machine would receive a reply from OpenDNS it would pass the A record to the client and then the client would immediately make another request for an A record (making me suspect a client problem for a moment). Most often the server would simply reply with "Standard query response, server failure".

    I deleted the forwarders and moved to using root hints and watched the traffic with Wireshark. The SBS machine would query root hints servers and follow a trail of DNS servers recursively. However, it seemed that it took very long to recursively resolve queries, sometimes not receiving responses from the DNS servers at all and having to re-request A records from the DNS servers second after second. Most of the time it would eventually reply to the local client with "standard query reply, server failure". Sometimes it wouldn't even try to query root hints servers at all and just reply "standard query response, server failure". At first I suspected latency on the ISP connection might be part of the problem but seemed to have ruled that out because if clients use any other DNS server, everything works swimmingly. The client PCs and the SBS machine are all on the same single subnet, VLAN and ISP link. I pathpinged various DNS servers that the SBS machine had problems with getting responses from but there wasn't a terrible amount of latency (about 100ms).

    I've currently changed the DHCP scope options to give everyone OpenDNS servers or sometimes our LinkSys gateway as a DNS server and everything works good as far as web browsing is concerned. Of course, I need to eventually be able to resolve internal DNS names. As soon as a client is pointed to the SBS server for DNS things go haywire. It's so inconsistent that it's driving me mad. Just a few minutes ago I set a client up with the SBS server as its DNS server and had the SBS server use OpenDNS forwarders and I couldn't browse anywhere on the web. More "Server Failure" messages were seen in Wireshark on the SBS machine. I turned from that fiasco to something else (I think I perused the Petri forums for a minute or three on a machine that had different DNS settings) and then came back to the client. Suddenly I could browse! I hadn't done anything and I was trying the same domains that I was trying previously. There is seemingly no rhyme or reasons to it.

    I've twiddled options on the SBS machine, disabling recursion, disabling securing against cache pollution (I read about that helping someone else's somewhat similar problem with getting to co.uk domains), etc. etc. If I go into the "Monitoring" tab of the DNS server's properties I can perform a simple query and recursive query test and both pass. I've checked event logs and absolutely no DNS errors are to be found. I've turned off the SBS machine's Windows firewall. There is no other software firewall in place. The Kaspersky Enterprise Antivirus on the SBS machine is turned off and has never been turned on. The LinkSys RV082 firewall has no weird rules in it. In fact, only one non-default rule exists and that's to allow external ICMP requests. No errors are being reported on the switch port that the server is plugged into. Perfmon on the server's NIC is showing no errors of any sort so far. I turned on debug logging both with and without details on the DNS server. That's basically just a packet capture like what I was doing with Wireshark so no new info was seen there.

    This is behaving so buggy I'm tempted to do a reinstallation. I hate that kind of fix though… I'd rather find what the cause is in case it happens again. The only incident that I've had with this installation is that I accidentally installed the wrong version of Kaspersky Antivirus on this machine (it didn't support Server 2008 ) and I uninstalled it a few days later. However, it was never turned on and never perform a scan.

    Thank you for reading this far. Any advice would be appreciated. I'll post some traffic samples next.
    Last edited by Nonapeptide; 3rd August 2009, 19:29.
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

  • #2
    Re: SBS 2008 DNS Server acts unreliable; Mostly "Standard query response, Server fail

    Throughout all of these samples, 192.168.168.6 is the SBS server and 192.168.168.95 is the test client.

    Here's traffic when the SBS/DNS server was set to use OpenDNS forwarders:
    Code:
    2259	209.824251	192.168.168.6	208.67.222.222	DNS	Standard query A www.chesscorner.com
    2260	209.826713	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    2262	213.824196	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    2263	213.825997	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    2264	213.826256	192.168.168.6	208.67.220.220	DNS	Standard query A www.chesscorner.com
    2265	214.825511	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    2266	215.825693	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    2267	217.824254	192.168.168.6	208.67.222.222	DNS	Standard query A www.chesscorner.com
    2268	217.826016	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    2269	221.824200	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    2270	221.826179	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    2271	221.826383	192.168.168.6	208.67.220.220	DNS	Standard query A www.chesscorner.com
    2276	225.824248	192.168.168.6	208.67.222.222	DNS	Standard query A www.chesscorner.com
    2277	225.827630	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    2278	226.827312	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    2279	227.827457	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    2280	229.824220	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    2281	229.824266	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    2282	229.824289	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    2283	229.824311	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    2284	229.826095	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    2285	229.826365	192.168.168.6	208.67.220.220	DNS	Standard query A www.chesscorner.com
    2286	230.825811	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    2287	231.826004	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    2288	233.824261	192.168.168.6	208.67.222.222	DNS	Standard query A www.chesscorner.com
    2289	233.826262	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    2292	237.824197	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    Now using root hints. Eventually, after forever and a day, resolved and loaded the web page.

    Code:
    938	633.627175	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    939	633.627477	192.168.168.6	192.42.93.30	DNS	Standard query A www.chesscorner.com
    941	634.627266	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    943	635.627393	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    944	636.995606	192.168.168.6	192.31.80.30	DNS	Standard query A www.chesscorner.com
    945	637.628858	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    948	640.995618	192.168.168.6	192.43.172.30	DNS	Standard query A www.chesscorner.com
    949	640.995665	192.168.168.6	192.33.14.30	DNS	Standard query A www.chesscorner.com
    950	641.628552	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    953	644.995614	192.168.168.6	192.26.92.30	DNS	Standard query A www.chesscorner.com
    954	644.995668	192.168.168.6	192.5.6.30	DNS	Standard query A www.chesscorner.com
    957	645.817483	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    958	645.823137	192.168.168.95	192.168.168.6	DNS	Standard query A s14.sitemeter.com
    959	646.817024	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    960	646.822997	192.168.168.95	192.168.168.6	DNS	Standard query A s14.sitemeter.com
    961	647.817281	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    962	647.823167	192.168.168.95	192.168.168.6	DNS	Standard query A s14.sitemeter.com
    965	648.995556	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    966	648.995598	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    967	648.995617	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    968	648.995638	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    969	648.995722	192.168.168.6	192.43.172.30	DNS	Standard query A s14.sitemeter.com
    970	648.997488	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    971	648.997756	192.168.168.6	192.26.92.30	DNS	Standard query A www.chesscorner.com
    973	649.823469	192.168.168.95	192.168.168.6	DNS	Standard query A s14.sitemeter.com
    974	649.998338	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    977	650.997932	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    979	652.995603	192.168.168.6	192.26.92.30	DNS	Standard query A s14.sitemeter.com
    980	652.995648	192.168.168.6	192.5.6.30	DNS	Standard query A s14.sitemeter.com
    981	652.995691	192.168.168.6	192.43.172.30	DNS	Standard query A www.chesscorner.com
    982	652.997887	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    984	653.824014	192.168.168.95	192.168.168.6	DNS	Standard query A s14.sitemeter.com
    986	656.995624	192.168.168.6	192.12.94.30	DNS	Standard query A s14.sitemeter.com
    987	656.995702	192.168.168.6	192.12.94.30	DNS	Standard query A www.chesscorner.com
    988	656.998503	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    993	660.995565	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    994	660.995652	192.168.168.6	192.52.178.30	DNS	Standard query A www.chesscorner.com
    995	660.995673	192.168.168.6	192.26.92.30	DNS	Standard query A www.chesscorner.com
    996	661.000098	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    999	662.000298	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    1002	663.000335	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    1005	664.995565	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    1006	664.995608	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    1007	664.995631	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    1008	664.995652	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    1009	664.997465	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    1010	664.997750	192.168.168.6	192.12.94.30	DNS	Standard query A www.chesscorner.com
    1019	665.997903	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    1023	666.998485	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    1026	668.995602	192.168.168.6	192.52.178.30	DNS	Standard query A www.chesscorner.com
    1027	668.998266	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    1045	672.995601	192.168.168.6	192.12.94.30	DNS	Standard query A www.chesscorner.com
    1046	672.999581	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    1080	676.995603	192.168.168.6	192.31.80.30	DNS	Standard query A www.chesscorner.com
    1081	676.995650	192.168.168.6	192.54.112.30	DNS	Standard query A www.chesscorner.com
    1082	677.001324	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    1088	679.499487	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    1089	679.500516	192.168.168.95	192.168.168.6	DNS	Standard query A www.chesscorner.com
    1098	680.995554	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    1099	680.995596	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    1100	680.995614	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    1101	680.995633	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

    Comment


    • #3
      Re: SBS 2008 DNS Server acts unreliable; Mostly "Standard query response, Server fail

      Two more samples. Both times the SBS server was set to use root hints. 192.168.168.6 is the SBS server and 192.168.168.95 is the test client.

      This happens frequently. I'll type a domain name into a browser, nothing will happen and then after a while Google will show up with search results as if I searched for the domain name rather than having typed it in directly. I think this is because the browser is set to search for things that you type in the URL bar and I assume that when no DNS info is returned it then goes to Google (the domain of which can somehow resolve) and gets search results:
      Code:
       4763	3272.658119	192.168.168.95	192.168.168.6	DNS	Standard query A www.yahoo.com
      4764	3272.658389	192.168.168.6	192.31.80.30	DNS	Standard query A www.yahoo.com
      4766	3273.657912	192.168.168.95	192.168.168.6	DNS	Standard query A www.yahoo.com
      4768	3274.658035	192.168.168.95	192.168.168.6	DNS	Standard query A www.yahoo.com
      4769	3274.995607	192.168.168.6	216.239.36.10	DNS	Standard query A clients1.google.com
      4770	3274.995655	192.168.168.6	216.239.38.10	DNS	Standard query A clients1.google.com
      4771	3275.087137	192.168.168.95	192.168.168.6	DNS	Standard query A clients1.google.com
      4772	3275.995625	192.168.168.6	192.41.162.30	DNS	Standard query A www.yahoo.com
      4773	3276.658291	192.168.168.95	192.168.168.6	DNS	Standard query A www.yahoo.com
      4775	3278.995573	192.168.168.6	216.239.34.10	DNS	Standard query A clients1.google.com
      4776	3278.995608	192.168.168.6	216.239.32.10	DNS	Standard query A clients1.google.com
      4778	3279.995615	192.168.168.6	192.55.83.30	DNS	Standard query A www.yahoo.com
      4779	3279.995664	192.168.168.6	192.48.79.30	DNS	Standard query A www.yahoo.com
      4782	3280.658914	192.168.168.95	192.168.168.6	DNS	Standard query A www.yahoo.com
      4785	3282.995553	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure
      4787	3283.995615	192.168.168.6	192.54.112.30	DNS	Standard query A www.yahoo.com
      4788	3283.995651	192.168.168.6	192.31.80.30	DNS	Standard query A www.yahoo.com
      (The PC now tried NetBIOS name resolution when it doesn't get a DNS name fast enough I guess)
      4790	3284.660022	192.168.168.95	192.168.168.255	NBNS	Name query NB WWW.YAHOO.COM<00>
      4792	3285.409659	192.168.168.95	192.168.168.255	NBNS	Name query NB WWW.YAHOO.COM<00>
      4793	3286.159812	192.168.168.95	192.168.168.255	NBNS	Name query NB WWW.YAHOO.COM<00>
      4796	3287.995573	192.168.168.6	192.168.168.95	DNS	Standard query response, Server failure

      Here's the SBS 2008 machine's debug logging output while trying to get to www.freeverse.com. The browser on the client hung endlessly at "Waiting for http://freeverse.com/".
      Code:
       5/9/2009 1:52:21 PM 02A4 PACKET  0000000003D374A0 UDP Rcv 192.168.168.95  e29c   Q [0001   D   NOERROR] A     (9)freeverse(3)com(0)
      5/9/2009 1:52:21 PM 02A4 PACKET  0000000002F08D60 UDP Snd 192.31.80.30    9afb   Q [0000       NOERROR] A     (9)freeverse(3)com(0)
      5/9/2009 1:52:21 PM 02A4 PACKET  0000000002BA0910 UDP Rcv 192.31.80.30    9afb R Q [0080       NOERROR] A     (9)freeverse(3)com(0)
      5/9/2009 1:52:21 PM 02A4 PACKET  0000000003BF0020 UDP Snd 192.31.80.30    0383   Q [0000       NOERROR] A     (4)ns01(4)bway(3)net(0)
      5/9/2009 1:52:22 PM 02A4 PACKET  0000000004366450 UDP Rcv 192.31.80.30    0383 R Q [0080       NOERROR] A     (4)ns01(4)bway(3)net(0)
      5/9/2009 1:52:22 PM 02A4 PACKET  0000000002F08D60 UDP Snd 216.220.96.18   e24a   Q [0000       NOERROR] A     (9)freeverse(3)com(0)
      5/9/2009 1:52:22 PM 02A4 PACKET  00000000029E7990 UDP Rcv 192.168.168.95  e29c   Q [0001   D   NOERROR] A     (9)freeverse(3)com(0)
      5/9/2009 1:52:22 PM 02A4 PACKET  000000000388CDA0 UDP Rcv 216.220.96.18   e24a R Q [8084 A  R  NOERROR] A     (9)freeverse(3)com(0)
      5/9/2009 1:52:22 PM 02A4 PACKET  0000000003D374A0 UDP Snd 192.168.168.95  e29c R Q [8081   DR  NOERROR] A     (9)freeverse(3)com(0)
      I'm a bit confused by the above. I'm not sure if it is a DNS error or not. Nonetheless, if the client is moved over to any other DNS server the problem stops.
      Wesley David
      LinkedIn | Careers 2.0
      -------------------------------
      Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
      Vendor Neutral Certifications: CWNA
      Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
      Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

      Comment


      • #4
        Re: SBS 2008 DNS Server acts unreliable; Mostly &quot;Standard query response, Server fail

        Hii

        Looking at the logs we do see clients sometimes going to forwarders and if they fail to get the result they automatically go to roothints which is by design..

        I have a few suggestions that may/may not work but sure enuf worth a try..

        If you are using a split DNS/Multilabel ,I wud suggest the steps below..

        By default in Windows Vista and Windows 2008 , when a machine attempts to resolve unqualified multi-label name, the DNS client will attempt to resolve the name as specified. The DNS suffix search order will NOT be used. It is disabled by default to performance concern .The registry key “AppendToMultiLabelName” = 1 can be added under
        HKLM\System\CurrentControlSet\Services\DNSCACHE\Pa rameters
        to change the default behavior.


        Other option worth a try wud be to

        Decrease the query timeout, or increase the Recursion Timeout.

        To decrease the query timeout, this is done on the "Forwarders" tab.

        To increase the RecursionTimeout use the following registry key....
        -> HKLM\SYSTEM\CurrentControlSet\Services\DNS\Paramet ers
        New DWORD "RecursionTimeout" value = XX number of seconds for recursion timeout.(decimal)


        Though I have still not seen DNS leak issues with 2k8 boxes which was predominant in 2k3...The fact that DNS is acting funny here it may be the case of DNS leak..



        Regards

        Fazal
        Fazal Zaidi
        MCITP-Windows 2008,Exchange 2010,MCTS-Exchange 2007,2010,Lync 2010,MCSE-2000,2003,MCSA-2003,2008,2012,MCP,MCSE -Messaging 2013,ITIL

        Comment


        • #5
          Re: SBS 2008 DNS Server acts unreliable; Mostly &quot;Standard query response, Server fail

          Have you tried running the SBS BPA to see if there are any issues?
          TIA

          Steven Teiger [SBS-MVP(2003-2009)]
          http://www.wintra.co.il/
          sigpic
          I’m honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

          We don’t stop playing because we grow old, we grow old because we stop playing.

          Comment


          • #6
            Re: SBS 2008 DNS Server acts unreliable; Mostly &quot;Standard query response, Server fail

            Oddly, today the DNS server seems to be working fine for the first time ever. It's using root hints. I haven't tried forwarders yet. I left it alone Sunday and Monday and I haven't touched it beyond what I mentioned in my first post. There are some other symptoms that I forgot to mention that are still a problem today though. Oddly neough, there are at least two sites that I can't get to from that office. Microsoft.com and MSNBC.com both hang endlessly in a browser with "Waiting for www.microsoft.com" no matter which DNS servers I use (The "waiting for..." message suggests that it's not a DNS issue in the first place of course). Unfortunately because of that I can't get the BPA downloaded on a machine in that office, unless I can find it somewhere else on a non Microsoft.com domain...

            Anyway, I'm so skittish about this installation that I might just blow it away and reinstall. I'd prefer to at least run the BPA first though.
            Wesley David
            LinkedIn | Careers 2.0
            -------------------------------
            Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
            Vendor Neutral Certifications: CWNA
            Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
            Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

            Comment


            • #7
              Re: SBS 2008 DNS Server acts unreliable; Mostly &quot;Standard query response, Server fail

              Update: I downloaded the SBS BPA on my laptop and transferred it over the VPN to the remote office. I just ran it on the SBS machine in question and received all green check marks, however upon viewing the "All Issues" tab I saw two entries:

              Code:
              Local activation permission to the IIS WAMREG Admin Service required:
              The Network Service is missing local activation permissions to the IIS WAMREG admin Service in accordance with the event ID 10016 in the system event log. For more information, see KB "Event ID error messages 10016 and 10017 are logged in the System log after you install Windows SharePoint Services 3.0" at http://go.microsoft.com/fwlink/?LinkId=128063.
              Code:
              Windows SBS 2008 is not activated
              I haven't activated it because I tend not to activate things until the latest possible moment to make absolutey sure that it works and I'm keeping the installation. I have about a month left.

              EDIT:
              Furthermote, on the "Tree Report" page I see some exclamation points that are interesting. When I see exclamation marks I think bad things, but in this instance it seems like it's purely informational:
              "This computer can successfully ping the IP address of the default gateway"
              "The number of network adapters that are installed is 1"
              "This server is running Windows Server 2008 with Service Pack 1"
              "The Windows SBS*2008 domain functional level is: Windows Server*2003 domain level."
              "The Windows SBS*2008 forest functional level is: Windows Server*2003 forest level."
              "The Windows SBS*2008 schema version is at: 44"
              "This server can successfully ping OMEGA." (DNS name for the SBS server)
              "The server OMEGA is running Exchange Server*2007 with Service Pack*1."
              "This server is running Windows SharePoint Services*3.0."
              "Windows SharePoint Services*3.0 is installed with Service Pack*1 or later."
              "The SHAREPOINT instance uses Microsoft SQL Server*2005 with Service Pack*2 or later."
              "The SHAREPOINT instance uses the 64-bit version of Windows Internal Database Edition."
              "Windows Server Update Services*3.0 is installed on this server."
              "Windows Server Update Services*3.0 includes Service Pack*1 or later."
              "The instance of Windows Server Update Services uses Microsoft SQL Server*2005 with Service Pack*2 or later."
              "The instance of Windows Server Update Services uses the 64-bit version of Windows Internal Database."
              "This server can ping the internal Web site."
              "The SBSMonitoring instance of SQL Server is using SQL Server*2005 with Service Pack*2."
              "The SBSMonitoring instance of SQL Server is using Microsoft SQL Server*2005 Express Edition."

              ...and others of seemingly less interest. I hope this is of some help.
              Last edited by Nonapeptide; 12th May 2009, 20:45.
              Wesley David
              LinkedIn | Careers 2.0
              -------------------------------
              Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
              Vendor Neutral Certifications: CWNA
              Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
              Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

              Comment


              • #8
                Re: SBS 2008 DNS Server acts unreliable; Mostly &quot;Standard query response, Server fail

                Originally posted by fazal View Post
                Looking at the logs we do see clients sometimes going to forwarders and if they fail to get the result they automatically go to roothints which is by design..
                In my experience, if I remember my traffic samples correctly, even though the option to fail over to root hints was selected the server never queried root hints servers when the forwarders didn't work out.

                Originally posted by fazal View Post
                If you are using a split DNS/Multilabel ,I wud suggest the steps below.
                I haven't set up a split DNS zone yet. The SBS server is set up to be authoritative for remote.businessdomain.com but not businessdomain.com. I will set it up at some point though. Since that's not what it's doing and I'm not trying to resolve unqualified multilable names is it safe for me to assume that I can ignore this fix?


                Originally posted by fazal View Post
                Decrease the query timeout, or increase the Recursion Timeout.
                I increased the query timeout when I had it use forwarders. That didn't help any. Using forwarders seems to be completely impossible for some reason. I do not get any DNS resolution now using OpenDNS or my ISP's DNS servers as forwarders.

                I increased the recursion timeout when I was using root hints. That might have helped some. I can't be sure if it was simple the power of suggestion or not. Either way, results are very marginal with resolution being slow and still it sometime completely fails. As soon as I use another DNS server, things are working good.


                Furthermore, at the suggestion of someone in a private message I ran dcdiag /c /v while using root hints and also while using forwarders. I've attached txt files of each of the results for anyone who is interested. The short story is that when using root hints I received some of the following errors:
                • Root zone on this DC/DNS server was not found
                • Several "Error: Root hints list has invalid root hint server:" errors
                • Warning: Missing AAAA record at DNS server 192.168.168.6: OMEGA.domain.local [Error details: 9501 (Type: Win32 - Description: No records found for given DNS query.)]
                • Warning: Missing AAAA record at DNS server 192.168.168.6: gc._msdcs.domain.local [Error details: 9501 (Type: Win32 - Description: No records found for given DNS query.)]
                • Warning: Record Registrations not found in some network adapters
                • And then in the "Summary of test results for DNS servers used by the above domain controllers:" section I see the specific errors for the individual root hints servers. They're all timeout errors.


                In the dcdiag test done with forwarders, I receive the same AAAA errors of course, but strangely no errors for the actual forwarders themselves. I say "strangely" because I cannot resolve names at all using forwarders (early in my test I think I was able to have extremely sporadic success).

                I'll look into the "Root hints list has invalid root hint server" error but if no other info pans out it's looking like I'll try a reinstallation here in the next day or two.
                Attached Files
                Wesley David
                LinkedIn | Careers 2.0
                -------------------------------
                Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                Vendor Neutral Certifications: CWNA
                Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
                Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

                Comment


                • #9
                  Re: SBS 2008 DNS Server acts unreliable; Mostly &quot;Standard query response, Server fail

                  Just for the heck of it can you disable IPv6 on all NIC's on the server?

                  Also to clarify: My understanding of the use of the root hints is that they will be used if the forwarders are not available (if configured to be used if the forwarders are not available). They will NOT be used if the forwarders are available but fail to resolve the query.

                  As far as the dcdiag output is concerned:

                  1. The root zone message can be ignored as there should not be a local root zone. If there is it should be deleted.

                  2. The missing AAAA record message can be ignored as this is an IPv6 record, unless you're using IPv6.

                  3. The message about the root hints list having invalid root hint servers needs to be fixed. If I'm not mistaken the dcdiag output should tell you which root hint servers are incorrect so that you know which ones to fix. There was a change a year or two ago (maybe longer) to one of the root hint servers. (I'm thinking it was the m root hint server but I could be wrong). At any rate you can verify them online at: http://www.internic.net/zones/named.root

                  Comment


                  • #10
                    Re: SBS 2008 DNS Server acts unreliable; Mostly &quot;Standard query response, Server fail

                    Hii

                    Thanks for the update

                    The error as per BPA seems to be related to WSS 3.0 and may be fixed by following the KB below..

                    http://support.microsoft.com/kb/927012

                    Looking at the DCDIAG it seems the server randomly goes unresponsive,We may apply hotfix below..

                    http://support.microsoft.com/default...b;EN-US;959816

                    We may also try re-installing the DNS Zones(My last thought bfore re-install)

                    The easiest way to do this is:
                    1. Make a backup
                    (in systemstate there is posibility to chose DNS, but its recomended to make the
                    whole system state backup)
                    2. Go on DNS ->
                    - DO not delete the parent active directory zonez!!! "_msdcs.intern.local" and
                    "intern.loca"

                    - Delete everything under the active directory zonez (the content of
                    "_msdcs.intern.local" and "intern.loca" should be deleted)
                    3. restart the DNS
                    4. Go over the zones, right click -> chose reload


                    Regards

                    Fazal
                    Fazal Zaidi
                    MCITP-Windows 2008,Exchange 2010,MCTS-Exchange 2007,2010,Lync 2010,MCSE-2000,2003,MCSA-2003,2008,2012,MCP,MCSE -Messaging 2013,ITIL

                    Comment


                    • #11
                      Re: SBS 2008 DNS Server acts unreliable; Mostly &quot;Standard query response, Server fail

                      Originally posted by joeqwerty View Post
                      Just for the heck of it can you disable IPv6 on all NIC's on the server?
                      I thought of that, but some articles on the 'net made that sound like a bona fide Bad Idea (Exhibit A, B and C).

                      Originally posted by joeqwerty View Post
                      As far as the dcdiag output is concerned: 1. The root zone message can be ignored as there should not be a local root zone. If there is it should be deleted.
                      Gotcha

                      Originally posted by joeqwerty View Post
                      2. The missing AAAA record message can be ignored as this is an IPv6 record, unless you're using IPv6.
                      Not using IPv6 at all. I figured that I could ignore this too.

                      Originally posted by joeqwerty View Post
                      3. The message about the root hints list having invalid root hint servers needs to be fixed. If I'm not mistaken the dcdiag output should tell you which root hint servers are incorrect so that you know which ones to fix. There was a change a year or two ago (maybe longer) to one of the root hint servers. (I'm thinking it was the m root hint server but I could be wrong). At any rate you can verify them online at: http://www.internic.net/zones/named.root
                      What bothers me about the DCDiag output is that it impugns quite a few different servers:
                      Code:
                       Root hint Information:
                                           Name: a.root-servers.net. IP: 198.41.0.4 [Valid]
                                           Name: a.root-servers.net. IP: 2001:503:ba3e::2:30 [Invalid
                      (unreachable)]
                                           Error: Root hints list has invalid root hint server:
                                           a.root-servers.net. (2001:503:ba3e::2:30)
                                           Name: b.root-servers.net. IP: 128.9.0.107 [Invalid (unreach
                      able)]
                                           Error: Root hints list has invalid root hint server:
                                           b.root-servers.net. (128.9.0.107)
                                           Name: b.root-servers.net. IP: 192.228.79.201 [Valid]
                                           Name: c.root-servers.net. IP: 192.33.4.12 [Valid]
                                           Name: d.root-servers.net. IP: 128.8.10.90 [Valid]
                                           Name: e.root-servers.net. IP: 192.203.230.10 [Invalid (unre
                      achable)]
                                           Error: Root hints list has invalid root hint server:
                                           e.root-servers.net. (192.203.230.10)
                                           Name: f.root-servers.net. IP: 192.5.5.241 [Valid]
                                           Name: f.root-servers.net. IP: 2001:500:2f::f [Invalid (unre
                      achable)]
                                           Error: Root hints list has invalid root hint server:
                                           f.root-servers.net. (2001:500:2f::f)
                                           Name: g.root-servers.net. IP: 192.112.36.4 [Valid]
                                           Name: h.root-servers.net. IP: 128.63.2.53 [Valid]
                                           Name: h.root-servers.net. IP: 2001:500:1::803f:235 [Invalid
                       (unreachable)]
                                           Error: Root hints list has invalid root hint server:
                                           h.root-servers.net. (2001:500:1::803f:235)
                                           Name: i.root-servers.net. IP: 192.36.148.17 [Valid]
                                           Name: j.root-servers.net. IP: 192.58.128.30 [Valid]
                                           Name: k.root-servers.net. IP: 193.0.14.129 [Valid]
                                           Name: l.root-servers.net. IP: 198.32.64.12 [Invalid (unreac
                      hable)]
                                           Error: Root hints list has invalid root hint server:
                                           l.root-servers.net. (198.32.64.12)
                                           Name: m.root-servers.net. IP: 202.12.27.33 [Valid]
                      Apparently no IPv6 DNS server addresses are being resolved. That's fine. However, three IPv4 DNS servers are erroring out. b.root-servers.net (128.9.0.107), e.root-servers.net (192.203.230.10) and l.root-servers.net (198.32.64.12). I checked root-servers.org and apparently the b.root-server is really 192.228.79.201 and l.root-server is really 202.12.27.33. However e.root-server is correct in my file and yet it still says [Invalid (unreachable)]. Why is this root hints file so old? B changed to 192.228.79.201 on January 29th 2004!! I updated the root hints file using this list. At first it didn't seem like it was working but I restarted the DNS service and suddenly resolution was working like a charm! I could browse to my heart's content. I then put in OpenDNS forwarders and it too worked amazingly! … well, for about 5 minutes. Then all resolution stopped. I went back to root hints and couldn't resolve there either. Queries leave the server but no responses come back to it or if they do come back it's after repeated queries to multiple servers with no response. Often the timeout limit on the client is reached before the server gets the response back. However, sporadically I will have moments of fast name resolution. No rhyme or reason, seemingly (I know there's a reason, but I just haven't figured it out yet).

                      Here's a new observation. Whenever I watched the traffic stream for DNS resolution queries from clients, I blindly assumed that the SBS server was querying the root hints servers. However, after getting acquainted with the IP addresses of the root hints servers I noticed that the DNS being queried did not look familiar. For instance, just a minute ago I had my test client try to resolve chessville.com and the SBS machine made 6 attempts at resolving the name by querying 6 different IP addresses for an A record. None of the IPs queried are listed in the root hints file.
                      • 192.35.51.30
                      • 192.41.162.30
                      • 192.55.83.30
                      • 192.35.51.30
                      • 192.26.92.30
                      • 192.5.6.30

                      They all seem to be owned by Verisign so I wonder if they're the backend DNS servers for A or J root server's IP address if the ones listed in the root hints file is just a virtual IP or something (J root server has 62 sites!!).

                      Originally posted by fazal View Post
                      The error as per BPA seems to be related to WSS 3.0 and may be fixed by following the KB below..

                      http://support.microsoft.com/kb/927012
                      I looked into the WSS errors a few weeks ago and according to my research the error was trivial and didn't need to be addressed unless you just wanted to get rid of the error messages in the event viewer. I haven't installed that patch yet.


                      Originally posted by fazal View Post
                      Looking at the DCDIAG it seems the server randomly goes unresponsive,We may apply hotfix below..

                      http://support.microsoft.com/default...b;EN-US;959816
                      In installed that hotfix and rebooted. No change in behavior. Nice tip though!


                      Originally posted by fazal View Post
                      We may also try re-installing the DNS Zones(My last thought bfore re-install) Delete everything under the active directory zonez (the content of "_msdcs.intern.local" and "intern.loca" should be deleted)
                      At first I took that to mean that was supposed to delete everything under those folders, subfolders included. I delete the subfolders but when they did not come back after reloading I decided that I had made a mistake. Fortunately I took a system state backup. I received a crash course in restoring a system state backup via wbadmin which ultimately was unsuccessful and discovered how much I dislike the backup utility in SBS 2008 (I biting my virtual tongue concerning Microsoft's marvelous new backup system). I'm moments away from performing a reinstallation. I'll let you know what happens.

                      I can't believe I've spent two whole weeks on this problem.
                      Wesley David
                      LinkedIn | Careers 2.0
                      -------------------------------
                      Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                      Vendor Neutral Certifications: CWNA
                      Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
                      Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

                      Comment


                      • #12
                        Re: SBS 2008 DNS Server acts unreliable; Mostly &quot;Standard query response, Server fail

                        I think you're right about the IPv6 root servers ip addresses. Those can be ignored in the diag output. The e root server being unreachable is strange but I wouldn't bet on that being your problem. As far as this is concerned:

                        Here's a new observation. Whenever I watched the traffic stream for DNS resolution queries from clients, I blindly assumed that the SBS server was querying the root hints servers. However, after getting acquainted with the IP addresses of the root hints servers I noticed that the DNS being queried did not look familiar. For instance, just a minute ago I had my test client try to resolve chessville.com and the SBS machine made 6 attempts at resolving the name by querying 6 different IP addresses for an A record. None of the IPs queried are listed in the root hints file.
                        • 192.35.51.30
                        • 192.41.162.30
                        • 192.55.83.30
                        • 192.35.51.30
                        • 192.26.92.30
                        • 192.5.6.30
                        That seems normal as those appear to be ip addresses of the gTLD name servers (.com, .net, .edu, etc.). The root hint servers only know what name servers are responsible for the gTLD's (and nothing below that such as Microsoft, Google, etc.) and will direct your query to those servers as the root hint servers will not perform recursion (imagine the load they'd be under if they did). So when you query for chessville.com the root hint servers will direct you to the NS for .com, which will then direct you to the NS for chessville.

                        Comment


                        • #13
                          Re: SBS 2008 DNS Server acts unreliable; Mostly &quot;Standard query response, Server fail

                          I reinstalled SBS 2008 and I began trying to browse from clients using the SBS machine for DNS fresh out of the box without doing anything to the server (not even Windows updates). I had exactly the same problems with resolution. I then installed winpcap on the SBS server and ran Wireshark portable to capture packets. I saw the same old hit and miss DNS resolution with "Standard Query Response, Server Failure".

                          I also saw a lot of "ICMP Destination unreachable (Port unreachable)" in Wireshark on the SBS machine with the source being the client and the destination being the server. So the client is telling the server that it can't be reached… ? (.106 is the client and .6 is the SBS machine)
                          Code:
                           3001	397.285209	192.168.168.106	192.168.168.6	ICMP	Destination unreachable (Port unreachable)
                          It should be noted that I saw these errors in the previous installation last week. I just couldn't fit them into this puzzle.

                          At the last minute I noticed the option in the DNS server's properties box on the "Interfaces" tab to turn on and off the service from listening on the TCP/IPv6 interface. By default the DNS service is set to listen on both the IPv4 and v6 addresses. I turned the option to listen and respond on the IPv6 interface off (note: I didn't turn off v6 on the interface. I just told the DNS service to not listen on the v6 interface). Interestingly, it seems that the problems cleared up! I then switched to OpenDNS forwarders and again, things seem to be 99% normal. I've been browsing the 'net now on several machines for several hours and have only had the tiniest of hiccups. Once when I went to www.Apple.com I waited for a little while and was sent over to Google's search results for the term www.apple.com . If you recall, that was a symptom of this strange DNS issue in the past. In my experience with troubleshooting this problem I haven't ever had this much time without major resolution issues. It's not uncommon for this problem to be so transient that sometimes, without having modified anything, DNS resolution will work fine but then suddenly stop. However, it is uncommon to go for this long without errors.

                          I'll go with this for a while and see how it goes. It will be interesting to see how clients work when people get back in the office and start browsing. I'm still worried since I do still seem to have resolution problems once in a great while. That could be due to our slightly laggy DSL connection that has at least 100ms latency.

                          Joe, it seems that your intuition about IPv6 having something to do with this issue was correct. I'd like to know, if the DNS service listening on the v6 interface is the problem, why it's causing problems and why the web doesn't have more people complaining about this problem. Maybe there's something unique on my network that is causing the interference.

                          More news as events warrant.
                          Wesley David
                          LinkedIn | Careers 2.0
                          -------------------------------
                          Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                          Vendor Neutral Certifications: CWNA
                          Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
                          Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

                          Comment


                          • #14
                            Re: SBS 2008 DNS Server acts unreliable; Mostly &quot;Standard query response, Server fail

                            In reference to an earlier observation, could someone with a Windows DNS server using root hints validate e.root-servers.net and report back with the results? I receive "A timeout occurred during validation" and I can't find anyone on the net having the same problem. I'm wondering if it's just me.
                            Wesley David
                            LinkedIn | Careers 2.0
                            -------------------------------
                            Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                            Vendor Neutral Certifications: CWNA
                            Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
                            Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

                            Comment


                            • #15
                              Re: SBS 2008 DNS Server acts unreliable; Mostly &quot;Standard query response, Server fail

                              Not sure how to validate but it resolves to 192.203.230.10 and is listed in my Root Hints. I used the resolve option there to check.

                              Comment

                              Working...
                              X