I can look at a network trace for you, if you want to send it over. I
have done it for others on the list to help them out with problems, and
it's good practice.

 

Z

 

Edward E. Ziots, CISSP, Security +, Network +

Security Engineer

Lifespan Organization

[email protected]

 

From: John Hornbuckle [mailto:[email protected]] 
Sent: Wednesday, August 15, 2012 11:12 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Alas, network traces are outside of my skillset. I may have to bring in
outside help for that. I'm a technology generalist: lots of breadth, less
depth.

 

If I wanted to host the domain locally... I would just go to Forward
Lookup Zones, right-click, select "New Zone", and go from there? With us
being AD-integrated, this won't screw anything up?

 

I'll read the link you sent, too. Thanks for that.

 

 

 

From: Michael B. Smith [mailto:[email protected]] 
Sent: Wednesday, August 15, 2012 11:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

While officially supported, having multiple IP addresses on a single DC
is not recommended and has caused problems all the way back to NT 3.5.

 

If you just want to make this work - host the domain locally. Create it
in your DNS servers. Probably the quickest way to fix the problem.

 

Meinolf Weber wrote a very lengthy response to someone's question, a few
years ago, about what can go wrong on a DC with multiple IP addresses.
Took me a few minutes to find it, link below. Much of it doesn't apply
in your case, of course, but still a worthwhile read.

 

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

 

I can surmise that what is happening here is that you are having to talk
to a server that doesn't like asynchronous routing of DNS replies and
requests. That's becoming more and more common as DNS spoofing becomes
more and more common. Couldn't verify that without a network trace
(wireshark / netmon). I probably would've done that by now and if you
really want to track the issue down, that's the next best step IMO.

 

From: John Hornbuckle [mailto:[email protected]] 
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

And I did consider that.

 

:)

 

However, (A.) this server's configuration hasn't changed in the years
since it was deployed, (B.) we've done the same thing at our other sites
that aren't having problems, and (C.) DNS is working 100% correctly at
the site in question except for the failure of lookups against this one
single domain name.

 

So while I'm open to all possibilities (honestly, I'm getting desperate),
my gut instinct is that this isn't the cause of the problem.

 

 

John

 

 

From: Kennedy, Jim [mailto:[email protected]] 
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

I have a theory. Often when Mr. Smith asks a question he isn't looking
for an answer to that question, he is pointing you towards the answer
for your problem.

 

From: John Hornbuckle [mailto:[email protected]] 
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Yup. When we decommissioned the old server this server replaced, some
devices were still looking for it for DNS (they had static settings). So
we assigned the old server's address to the new one as a second address.

 

 

John

 

From: Michael B. Smith [mailto:[email protected]] 
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Your DC has multiple IP addresses?

 

From: John Hornbuckle [mailto:[email protected]] 
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Oh, and to add... Each of my sites has its own DNS server. All other DNS
servers are resolving this address fine. All servers are behind the same
firewall.

 

Curiouser and curiouser.

 

 

From: John Hornbuckle [mailto:[email protected]] 
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Per the suggestions from the list, I put dig on my squirrely DNS server
and ran dig +trace www.studyisland.com. Results are:

 

===

; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com

;; global options:  printcmd

.                       19740   IN      NS      b.root-servers.net.

.                       19740   IN      NS      c.root-servers.net.

.                       19740   IN      NS      d.root-servers.net.

.                       19740   IN      NS      e.root-servers.net.

.                       19740   IN      NS      f.root-servers.net.

.                       19740   IN      NS      g.root-servers.net.

.                       19740   IN      NS      h.root-servers.net.

.                       19740   IN      NS      i.root-servers.net.

.                       19740   IN      NS      j.root-servers.net.

.                       19740   IN      NS      k.root-servers.net.

.                       19740   IN      NS      l.root-servers.net.

.                       19740   IN      NS      m.root-servers.net.

.                       19740   IN      NS      a.root-servers.net.

;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

 

com.                    172800  IN      NS      g.gtld-servers.net.

com.                    172800  IN      NS      m.gtld-servers.net.

com.                    172800  IN      NS      e.gtld-servers.net.

com.                    172800  IN      NS      j.gtld-servers.net.

com.                    172800  IN      NS      k.gtld-servers.net.

com.                    172800  IN      NS      d.gtld-servers.net.

com.                    172800  IN      NS      a.gtld-servers.net.

com.                    172800  IN      NS      c.gtld-servers.net.

com.                    172800  IN      NS      f.gtld-servers.net.

com.                    172800  IN      NS      h.gtld-servers.net.

com.                    172800  IN      NS      b.gtld-servers.net.

com.                    172800  IN      NS      l.gtld-servers.net.

com.                    172800  IN      NS      i.gtld-servers.net.

;; Received 509 bytes from 192.33.4.12#53(c.root-servers.net) in 46 ms

 

studyisland.com.        172800  IN      NS      aldfwprdinf001.archipelagolearning.com.

studyisland.com.        172800  IN      NS      aldfwcrpinf001.archipelagolearning.com.

;; Received 147 bytes from 192.42.93.30#53(g.gtld-servers.net) in 93 ms

 

www.studyisland.com.    0       IN      CNAME   vip1.studyisland.com.

vip1.studyisland.com.   28800   IN      A       72.249.13.58

;; Received 72 bytes from 207.210.237.70#53(aldfwprdinf001.archipelagolearning.com) in 46 ms

===

 

Now, I'm not a DNS expert. But to me, this looks right because I know
that www.studyisland.com = vip1.studyisland.com = 72.249.13.58.

 

But when I use nslookup against that same DNS server, my queries still
fail. I enabled debugging in nslookup and got this:

 

===

> set db2

> www.studyisland.com.

Server:  aoc-pet300.taylor.k12.fl.us

Addresses:  10.11.7.19

          10.11.7.13

 

------------

Got answer:

    HEADER:

        opcode = QUERY, id = 8, rcode = SERVFAIL

        header flags:  response, want recursion, recursion avail.

        questions = 1,  answers = 0,  authority records = 0,  additional = 1

 

    QUESTIONS:

        www.studyisland.com, type = A, class = IN

    ADDITIONAL RECORDS:

    ->  (root)

        ??? unknown type 41 ???

        ttl = 0 (0 secs)

 

------------

DNS request timed out.

    timeout was 2 seconds.

timeout (2 secs)

*** aoc-pet300.taylor.k12.fl.us can't find www.studyisland.com.: Server failed

===

 

Found someone reporting a similar issue (but no real solution) here:

 

http://forums.msexchange.org/m_1800553796/printable.htm

 

Also, when I run nslookup I *can* resolve studyisland.com, just not
www.studyisland.com.

 

Still researching...
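Reading the nslookup debug output above: an added Python example, not from the thread, that builds a constructed reply in the shape nslookup printed (SERVFAIL, no answers, one additional record of type 41) and parses it. Type 41 is the EDNS0 OPT pseudo-record (RFC 6891), which this nslookup could only print as "unknown type"; the packet bytes and the function names here are constructed for the example.

```python
import struct

def build_servfail_with_opt(qname, txid=8, udp_payload=4096):
    # Constructed sample, not a capture: flags 0x8182 = response, RD, RA, RCODE 2 (SERVFAIL)
    header = struct.pack("!HHHHHH", txid, 0x8182, 1, 0, 0, 1)    # 1 question, 1 additional RR
    labels = [l for l in qname.strip(".").split(".") if l]        # RFC 1035 wire-format name
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)                          # QTYPE A, QCLASS IN
    return header + question + b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)  # + OPT RR

def read_name(msg, off):
    # Decode a name at `off`, following compression pointers; returns (name, next_off)
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return (".".join(labels) or "(root)"), off + 1
        if n & 0xC0 == 0xC0:                                      # pointer to an earlier name
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n

def parse_response(msg):
    # Header, questions and all RRs; TYPE 41 is labelled OPT (EDNS0, RFC 6891)
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name, struct.unpack_from("!H", msg, off)[0]))
        off += 4
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 41:  # OPT: CLASS carries the UDP payload size, TTL the extended RCODE
            records.append({"type": "OPT", "udp_payload": rclass, "ext_rcode": ttl >> 24})
        else:
            records.append({"type": rtype, "name": name, "ttl": ttl, "rdata": rdata})
    rcode = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}.get(flags & 0xF, flags & 0xF)
    return {"id": txid, "rcode": rcode, "recursion_available": bool(flags & 0x80),
            "questions": questions, "records": records}

def diagnose(parsed):
    # RCODE 2 with no answers: the answering server could not complete the lookup itself
    answers = [r for r in parsed["records"] if r["type"] != "OPT"]
    edns = "; type 41 is EDNS0 OPT, not an error" if len(answers) < len(parsed["records"]) else ""
    if parsed["rcode"] == "SERVFAIL" and not answers:
        return "resolver SERVFAIL: its own recursion or forwarding failed" + edns
    return f"{parsed['rcode']}: {len(answers)} record(s)" + edns
```

The OPT record is housekeeping the client itself asked for, so the thing to chase is why the local server's recursion or forwarding fails for this one name, not the "unknown type".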

 

 

From: John Hornbuckle 
Sent: Tuesday, August 14, 2012 1:42 PM
To: NT System Admin Issues ([email protected])
Subject: DNS Lookup Failing for One Address

 

Okay, DNS wizards... I need some input.

 

One of my DNS servers (Server 2008) is failing to resolve
www.studyisland.com like so:

 

C:\>nslookup

Default Server:  aoc-pet300.taylor.k12.fl.us

Address:  10.11.7.13

 

> www.studyisland.com.

Server:  aoc-pet300.taylor.k12.fl.us

Address:  10.11.7.13

 

DNS request timed out.

    timeout was 2 seconds.

DNS request timed out.

    timeout was 2 seconds.

*** Request to aoc-pet300.taylor.k12.fl.us timed-out

 

But I can point nslookup at one of my other servers (also Server 2008),
and it resolves fine. Which kind of sounds like a server problem--but
this server has resolved every other name I've thrown at it, though.
Only this one is failing.

 

I can point nslookup at the Norton DNS server that my failing server
uses as a forwarding server (198.153.192.1), and it resolves fine. All
of my other servers use that same forwarding address, too.

 

I'm kind of going crazy here... My users desperately need to get to this
site. I can't figure out what's wrong, but that's no surprise because
I'm not an expert when it comes to DNS.

 

Can anyone offer any troubleshooting pointers?

 

 

 

John Hornbuckle, MSMIS, PMP

MIS Department

Taylor County School District

www.taylor.k12.fl.us

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
