DNS issues/external lookups with new Windows 2008 R2 dc's


  • DNS issues/external lookups with new Windows 2008 R2 dc's

    Hello everyone,
    I'm new to the forums but not necessarily new to the site; I've been "lurking" about this great site for probably more than a year already, and it's been a great resource for the work that I perform on a daily basis.

    In a nutshell, I'm in the middle of an Active Directory upgrade,
    upgrading all of our Windows 2003 domain controllers to Windows 2008 R2.
    The upgrade process has been fairly straightforward and successful; any issues that have come up I've been able to take care of, but I'm stumped on a specific issue and hoping to get some assistance with this.

    In one particular office location where I'm currently upgrading the DCs,
    I have 3 DCs: 2 Windows 2008 R2 DCs and 1 Windows 2003 DC.
    The plan is to demote the remaining 2003 DC at this location when the work is complete, but I can't until I get this DNS issue resolved (pardon the pun). The new DCs resolve local DNS records without any issues.

    My problem is with external lookups. It appears that I can resolve 99% of the external websites that our users go to, but some sites pose a difficulty for our new Windows 2008 R2 DCs. Here's the kicker: the Windows 2003 DC that I have yet to demote and decommission correctly handles the external DNS queries that the newer Windows 2008 R2 DCs cannot, which frustrates me to no end, as I haven't been able to determine the specific problem causing this issue.

    The only difference between these three DCs is the OS itself:
    Windows 2008 R2 vs. Windows 2003.
    DNS server properties are virtually identical across the DCs in question: forward lookup zones, reverse lookup zones, internal queries are successful, domain logins, internal web apps, AD authentication, everything works fine, and AD is in good shape.

    Aside from the OS difference with these DCs, Windows 2003 isn't built with IPv6 in mind, and I believe this is the difference that's causing my problem; more research into this led me to reading this on one website:

    "If the DNS server does not support IPv6, the name query fails. The querying node then sends a request to resolve the name to a set of IPv4 addresses (a request for A records). The misconfigured DNS server drops the subsequent DNS query for IPv4 addresses and the entire name resolution attempt fails, resulting in impaired network connectivity for the requesting node."

    An example of a successful nslookup query for an external domain name (an external website that some of our users make use of) on our Windows 2003 DC:

    > external domain name (I had to change this as posting an URL wasn't allowed)
    Server: win2k3dc.domain.com
    Address: x.x.x.x

    Non-authoritative answer:
    Name: external domain name
    Address: 12.153.224.22


    An example of the same nslookup query from our Windows 2008 R2 DCs:

    > external domain name
    Server: win2k8r2dc.domain.com
    Address: x.x.x.x

    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    *** Request to win2k8r2dc.domain.com timed-out

    I've restarted DNS services multiple times, cleared the DNS caches, and rebooted the servers, to no avail. I've also made sure that IPv6 isn't selected in the NIC properties on these servers. The problem isn't with my ISP either, since my Windows 2003 DC can perform these external DNS lookups successfully.

    To get around this issue on my newly created Windows 2008 R2 DCs, I've created specific conditional forwarders for the DNS domains that give us grief and pointed the forwarders to 8.8.8.8 (which isn't great; I don't want to have to use Google's public DNS servers for a request that my DC should be able to handle using the root hint servers).

    I have even deleted the root hint servers on our Windows 2008 R2 DCs and recreated/copied them from the Windows 2003 DC that resolves all DNS queries successfully.

    I'm at a loss as to how to resolve this issue.

    If this is an issue of IPv6 causing problems for some DNS queries, how do I correct this on my Windows 2008 R2 DCs? I don't want to have to continue using these custom conditional forwarders that I've created, as I'm sure my existing list of conditional forwarders will just continue to grow and grow; these are more like temporary patches until I get the problem solved. Another workaround that was successful was to add our Windows 2003 DC as a forwarder on these Windows 2008 DCs: any DNS queries that these new DCs couldn't handle would be forwarded to the Windows 2003 DC, and they would be resolved successfully. Again, that is a solution I can't use, because my plan is to demote and decommission the Windows 2003 DC; I only want 2 DCs at each site that I'm upgrading, and I don't want to have to maintain a 3rd DC.

    Anyone else experience this type of problem?
    I can't be the only one experiencing this (as per the quote highlighted above, apparently I'm not). I'm surprised more people haven't seen this type of issue and more attention hasn't been brought to this at Microsoft's end; it seems like a pretty big problem to me.

    I apologize in advance for the long post, I'm verbose to a fault.

  • #2
    Re: DNS issues/external lookups with new Windows 2008 R2 dc's

    The following technet article might be your problem

    http://support.microsoft.com/kb/832223

    This issue occurs because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2003 DNS. (Also 2008 R2.)

    EDNS0 permits the use of larger User Datagram Protocol (UDP) packet sizes. However, some firewall programs may not permit UDP packets that are larger than 512 bytes. As a result, these DNS packets may be blocked by the firewall.

    You can try the following command to disable the above:

    dnscmd /config /enableednsprobes 0
    gerth

    MCITP sa, ea & va, [email protected]
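The script below is an added example, not code from this thread or from Microsoft, that shows what the EDNS0 probe in KB 832223 looks like on the wire: a resolver that supports EDNS0 appends an OPT pseudo-record to each query advertising a UDP payload size larger than the classic 512-byte limit, and a firewall that still enforces that limit drops the larger replies. The packet builder and parser run offline on constructed data; the `probe()` function at the end needs network access and is meant to be run from the affected DC against an authoritative name server of the zone that fails (the name `example.com`, the transaction ID 0x1234 and the address in the constructed sample reply are assumptions for illustration). If the plain query is answered but the EDNS0 query times out, a middlebox between the DC and that server is dropping EDNS0 traffic.

```python
"""Build and parse DNS queries with and without an EDNS0 OPT record (RFC 6891).

Added example for the EDNS0 discussion above; not code from the thread.
All names, IDs and addresses below are constructed for illustration.
"""
import socket
import struct

CLASSIC_UDP_LIMIT = 512          # RFC 1035 maximum UDP DNS message size
TYPE_A, TYPE_OPT = 1, 41


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length-prefixed labels, 0 terminator."""
    out = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, edns: bool = True,
                udp_payload: int = 4096) -> bytes:
    """Return a wire-format A query. With edns=True an OPT RR is appended in
    the additional section advertising udp_payload bytes (the EDNS0 probe)."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)     # IN A
    msg = header + question
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL field = extended RCODE/version/flags (all zero), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return msg


def skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:     # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Parse the header, skip the question, walk every RR and report the
    RCODE, TC bit, answer count and the OPT record's UDP size (if present)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # QTYPE + QCLASS
    info = {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "answers": an, "opt_udp_size": None, "size": len(data)}
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["opt_udp_size"] = rclass       # CLASS carries the size
    return info


def build_sample_response(query: bytes, ip: str, edns: bool) -> bytes:
    """Constructed reply for offline testing: echo the question, set QR/RD/RA,
    add one A record (owner name compressed to offset 12) and, if edns, an
    OPT RR mirroring what an EDNS0-capable server sends back."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1 if edns else 0)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
              + socket.inet_aton(ip))
    msg = header + query[12:qend] + answer
    if edns:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return msg


def probe(server: str, name: str, timeout: float = 2.0) -> dict:
    """Send the same question with and without EDNS0 (network required).
    A result of None means the query timed out, as nslookup reported above."""
    results = {}
    for mode, q in (("edns0", build_query(name, edns=True)),
                    ("plain", build_query(name, edns=False))):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            try:
                results[mode] = parse_response(s.recv(4096))
            except socket.timeout:
                results[mode] = None
    return results


if __name__ == "__main__":
    import sys
    # usage: python edns_probe.py <authoritative NS of failing zone> <name>
    for mode, r in probe(sys.argv[1], sys.argv[2]).items():
        print(mode, "timed out" if r is None else r)
```

Note that `dnscmd /config /enableednsprobes 0` only stops the Windows DNS server from advertising EDNS0; it is a workaround rather than a fix, and EDNS0 is a prerequisite for DNSSEC validation. The root cause is the firewall's 512-byte DNS limit (on a Cisco ASA, the DNS inspection policy's `message-length maximum`, which defaults to 512 bytes); raising that limit lets the 2008 R2 DCs keep EDNS0 enabled.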



    • #3
      Re: DNS issues/external lookups with new Windows 2008 R2 dc's

      Originally posted by gerth
      The following technet article might be your problem

      http://support.microsoft.com/kb/832223

      This issue occurs because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2003 DNS. (Also 2008 R2.)

      EDNS0 permits the use of larger User Datagram Protocol (UDP) packet sizes. However, some firewall programs may not permit UDP packets that are larger than 512 bytes. As a result, these DNS packets may be blocked by the firewall.

      You can try the following command to disable the above

      dnscmd /config /enableednsprobes 0
      But this doesn't explain why the W2K3 DNS server is able to resolve the query.



      • #4
        Re: DNS issues/external lookups with new Windows 2008 R2 dc's

        My suggestion would be to run a packet capture program on the W2K8 DNS server (Microsoft Network Monitor is a good one) and run the same test. Then filter the capture results to show only DNS packets and see what's going on. This should give you some valuable insight in to where things are breaking down.



        • #5
          Re: DNS issues/external lookups with new Windows 2008 R2 dc's

          Originally posted by joeqwerty
          But this doesn't explain why the W2K3 DNS server is able to resolve the query.
          Well, not exactly, but I have seen it happen before: behind Cisco ASA firewalls, W2K3 gave no problems without extra settings, while W2K8R2 needed extra settings to function properly.
          gerth

          MCITP sa, ea & va, [email protected]



          • #6
            Re: DNS issues/external lookups with new Windows 2008 R2 dc's

            Originally posted by gerth
            Well, not exactly, but I have seen it happen before: behind Cisco ASA firewalls, W2K3 gave no problems without extra settings, while W2K8R2 needed extra settings to function properly.
            Gotcha. Thanks for the clarification.



            • #7
              Re: DNS issues/external lookups with new Windows 2008 R2 dc's

              Yup, it doesn't explain why the W2K3 DC would be able to perform the same DNS query without any issues, because I know we haven't implemented that change on that DC.

              But... I'm definitely going to try it out!

              Thanks for the suggestion.
              I will implement this change on one of the DCs this morning, attempt some nslookup tests, and reply back with my results ASAP.



              • #8
                Re: DNS issues/external lookups with new Windows 2008 R2 dc's

                Originally posted by gerth
                The following technet article might be your problem


                kb 832223

                This issue occurs because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2003 DNS. (Also 2008 R2.)

                EDNS0 permits the use of larger User Datagram Protocol (UDP) packet sizes. However, some firewall programs may not permit UDP packets that are larger than 512 bytes. As a result, these DNS packets may be blocked by the firewall.

                You can try the following command to disable the above

                dnscmd /config /enableednsprobes 0
                This worked!!!!

                dnscmd /config /enableednsprobes 0

                As per the KB article:
                After you run this command, DNS no longer advertises its EDNS0 capabilities. As a result, the DNS server will not be sent UDP packets that are larger than 512 bytes.

                As a test, I turned it back on again by running

                dnscmd /config /enableednsprobes 1

                and then ran the same nslookup queries, and they failed, so this is the issue.

                dnscmd /config /enableednsprobes 0

                needs to be run on my Windows 2008 DCs
                to keep the UDP packets under 512 bytes in size;
                then they won't be blocked at the firewall, and my queries will now be successful.

                Guys, thanks a lot for your help!!!!
