Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: DNS query to NS-record fails if one of the DNS is down

DNS query to NS-record fails if one of the DNS is down
bisi <bisibis[ at ]pt.lu> 12/4/2008 7:48:21 PM
Hello,
we have 3 Domain Controllers in Windows 2008 which are also DNS
servers.

If I do a nslookup to "domain.com", the addresses of the 3 DNS servers are
returned, which is logical. The problem is now that, if one of the DNS
servers or even two DNS servers fail, the nslookup to "domain.com"
still returns the 3 references to the DNS servers (even the ones that
are not there), since the NS records still exist for all DNS servers,
independently of whether they are up or not.

If I do a ping "domain.com" (when one or two DNS are down), sometimes
this works and sometimes I get a request timed out since the DNS
points me to one of the DNS that is not alive anymore. We have the
same problem with LDAP which is sometimes working, sometimes not
working depending on which _ldap record is returned (since they also
persist, even if one of the DCs is down).

Is there any possibility to purge the NS, _LDAP records if the
referencing DC is down and to reactivate them if the DC is alive again,
or any other mechanism that can resolve this problem?

Many thanks in advance

CB
Re: DNS query to NS-record fails if one of the DNS is down
"Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname[ at ]hotmail.com> 12/5/2008 4:49:30 AM
In news:c1db3e1b-98f2-44a1-8a3d-a8110a898d24[ at ]d14g2000yqb.googlegroups.com,
bisi <bisibis[ at ]pt.lu> requesting assistance, typed the following:
[Quoted Text]
> Hello,
> we have 3 Domain Controllers in Windows 2008 which are also DNS
> servers.
>
> If I do a nslookup to "domain.com", the addresses of the 3 DNS servers are
> returned, which is logical. The problem is now that, if one of the DNS
> servers or even two DNS servers fail, the nslookup to "domain.com"
> still returns the 3 references to the DNS servers (even the ones that
> are not there), since the NS records still exist for all DNS servers,
> independently of whether they are up or not.
>
> If I do a ping "domain.com" (when one or two DNS are down), sometimes
> this works and sometimes I get a request timed out since the DNS
> points me to one of the DNS that is not alive anymore. We have the
> same problem with LDAP which is sometimes working, sometimes not
> working depending on which _ldap record is returned (since they also
> persist, even if one of the DCs is down).
>
> Is there any possibility to purge the NS, _LDAP records if the
> referencing DC is down and to reactivate them if the DC is alive again,
> or any other mechanism that can resolve this problem?
>
> Many thanks in advance
>
> CB

That record is called the LdapIpAddress. Each domain controller's netlogon
service registers its LdapIpAddress record. If the DC is down for any
length of time, it will not refresh the record. But then that leads me to
question, why would a DC be down that long? I would assume you have a DR in
place to mitigate if this were to occur. Keep in mind that simply an
LdapIpAddress resolution will become the least of your concerns because
each DC has different FSMO roles and services (such as GC, ISTG,
bridgehead, etc.) that it provides to a domain. The LdapIpAddress is used by other
functions such as GPOs, DFS, and others. So I would really concentrate on
getting that machine back up and running. If you can't, such as if the drive
dies and you do not have a good backup, then my suggestion is to perform a
Metadata cleanup of that DC, replace the drive, reinstall the OS, and
promote it as a new DC back into the domain to get things rolling again.

So it's a matter of perspective of what the DC is doing, rather than
concentrating if DNS is down on one of them.

I hope that makes sense.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.
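
The reply above explains that each DC's Netlogon service registers its own records and that a DC which is down simply stops refreshing them, so the zone keeps handing out NS and _ldap._tcp entries for a server nobody can reach. The following PowerShell check is an added example (not code from the thread or from Microsoft) that lists those records from a healthy DNS server and probes each target on its service port, so an administrator can see which entries are stale before deciding on recovery or metadata cleanup. It assumes a Windows Server 2012 or later management host with the DnsServer RSAT module; `$ZoneName` and `$DnsServer` are placeholders.

```powershell
# Added example, not code from the thread. Assumes a Windows Server 2012 or later
# management host with the DnsServer RSAT module and an account that can read the zone.
# $ZoneName and $DnsServer are placeholders: use your own AD zone and a DNS server
# that is still up (never the failed DC itself).
param(
    [string]$ZoneName  = "domain.com",       # placeholder zone name taken from the thread
    [string]$DnsServer = "dc1.domain.com",   # placeholder: a healthy DNS server/DC
    [int]$DnsPort      = 53                  # NS targets are probed on the DNS port
)

Import-Module DnsServer

# NS records at the zone apex (HostName '@'): one per DC that is also a DNS server.
$ns = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType NS |
      Where-Object { $_.HostName -eq '@' } |
      ForEach-Object {
          [pscustomobject]@{ Kind = 'NS'; Target = $_.RecordData.NameServer.TrimEnd('.'); Port = $DnsPort }
      }

# _ldap._tcp SRV records: one per DC, registered and refreshed by that DC's Netlogon service.
# The SRV data carries the LDAP port, so the probe uses whatever the record says.
$srv = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType Srv -Name "_ldap._tcp" |
       ForEach-Object {
           [pscustomobject]@{ Kind = 'SRV'; Target = $_.RecordData.DomainName.TrimEnd('.'); Port = $_.RecordData.Port }
       }

$report = foreach ($rec in @($ns) + @($srv)) {
    # Resolve the target host from the healthy server, then probe its service port.
    $addr = Resolve-DnsName -Name $rec.Target -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | Select-Object -First 1 -ExpandProperty IPAddress
    $alive    = $false
    $addrText = '(no A record)'
    if ($addr) {
        $addrText = $addr
        $alive    = Test-NetConnection -ComputerName $addr -Port $rec.Port -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]@{
        Record  = $rec.Kind
        Target  = $rec.Target
        Address = $addrText
        Port    = $rec.Port
        Alive   = $alive
    }
}

$report | Sort-Object Alive, Record | Format-Table -AutoSize

# Records whose target does not answer are exactly the ones clients keep being handed.
$stale = @($report | Where-Object { -not $_.Alive })
if ($stale.Count -gt 0) {
    $names = ($stale.Target | Select-Object -Unique) -join ', '
    Write-Warning ("{0} NS/SRV record(s) point at DCs that do not answer: {1}" -f $stale.Count, $names)
}
```

Run it against a server that is still answering; a target reported as not alive on port 389 is a DC whose SRV record will keep steering a share of LDAP clients to a dead host until the DC is recovered or its metadata is cleaned up.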

Re: DNS query to NS-record fails if one of the DNS is down
bisi <bisibis[ at ]pt.lu> 12/5/2008 7:09:45 AM
On 5 Dec, 05:49, "Ace Fekay [Microsoft Certified Trainer]"
<firstnamelastn...[ at ]hotmail.com> wrote:
[Quoted Text]
> In news:c1db3e1b-98f2-44a1-8a3d-a8110a898d24[ at ]d14g2000yqb.googlegroups.com,
> bisi <bisi...[ at ]pt.lu> requesting assistance, typed the following:
>
> > Hello,
> > we have 3 Domain Controllers in Windows 2008 which are also DNS
> > servers.
>
> > If I do a nslookup to "domain.com", the addresses of the 3 DNS servers are
> > returned, which is logical. The problem is now that, if one of the DNS
> > servers or even two DNS servers fail, the nslookup to "domain.com"
> > still returns the 3 references to the DNS servers (even the ones that
> > are not there), since the NS records still exist for all DNS servers,
> > independently of whether they are up or not.
>
> > If I do a ping "domain.com" (when one or two DNS are down), sometimes
> > this works and sometimes I get a request timed out since the DNS
> > points me to one of the DNS that is not alive anymore. We have the
> > same problem with LDAP which is sometimes working, sometimes not
> > working depending on which _ldap record is returned (since they also
> > persist, even if one of the DCs is down).
>
> > Is there any possibility to purge the NS, _LDAP records if the
> > referencing DC is down and to reactivate them if the DC is alive again,
> > or any other mechanism that can resolve this problem?
>
> > Many thanks in advance
>
> > CB
>
> That record is called the LdapIpAddress. Each domain controller's netlogon
> service registers its LdapIpAddress record. If the DC is down for any
> length of time, it will not refresh the record. But then that leads me to
> question, why would a DC be down that long? I would assume you have a DR in
> place to mitigate if this were to occur. Keep in mind that simply an
> LdapIpAddress resolution will become the least of your concerns because
> each DC has different FSMO roles and services (such as GC, ISTG,
> bridgehead, etc.) that it provides to a domain. The LdapIpAddress is used by other
> functions such as GPOs, DFS, and others. So I would really concentrate on
> getting that machine back up and running. If you can't, such as if the drive
> dies and you do not have a good backup, then my suggestion is to perform a
> Metadata cleanup of that DC, replace the drive, reinstall the OS, and
> promote it as a new DC back into the domain to get things rolling again.
>
> So it's a matter of perspective of what the DC is doing, rather than
> concentrating if DNS is down on one of them.
>
> I hope that makes sense.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
> Microsoft Certified Trainer
>
> For urgent issues, you may want to contact Microsoft PSS directly.
> Please check http://support.microsoft.com for regional support phone
> numbers.

Hello,
first of all, thank you very much for your answer.
As you suggest, the most important is to get the DC up and running
again, sure. We had problems with one DC and I finally did the metadata
cleanup since I was not able to run dcpromo on the DC. Doing this
operation (diagnostics, metadata cleanup...) led, however, to a
timeout of over an hour, and all the applications that were doing LDAP
requests sometimes worked, sometimes failed (in fact they had a chance
of 66% to work depending on the DC they were contacting). We have some
business-critical applications, such as a financial application, where
we cannot tolerate such a timeout.

We were lucky that the DC in question had no FSMO roles, so our "only"
problems were the LdapIpAddress and NS records (sure, if the PDC
emulator fails, things are bad). Are there possibilities to bring
at least these records (NS records, LdapIpAddress...) into a consistent
state if one of the DCs fails, so that we can ensure that at least the
LDAP applications work if a non-FSMO DC fails?

best regards
CB
Re: DNS query to NS-record fails if one of the DNS is down
"Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname[ at ]hotmail.com> 12/7/2008 4:36:39 AM
In news:d0222abd-01ea-4804-a4fe-8c3abf0c1ac9[ at ]f20g2000yqg.googlegroups.com,
bisi <bisibis[ at ]pt.lu> requesting assistance, typed the following:
[Quoted Text]
>
> Hello,
> first of all, thank you very much for your answer.
> As you suggest, the most important is to get the DC up and running
> again, sure. We had problems with one DC and I finally did the metadata
> cleanup since I was not able to run dcpromo on the DC. Doing this
> operation (diagnostics, metadata cleanup...) led, however, to a
> timeout of over an hour, and all the applications that were doing LDAP
> requests sometimes worked, sometimes failed (in fact they had a chance
> of 66% to work depending on the DC they were contacting). We have some
> business-critical applications, such as a financial application, where
> we cannot tolerate such a timeout.
>
> We were lucky that the DC in question had no FSMO roles, so our "only"
> problems were the LdapIpAddress and NS records (sure, if the PDC
> emulator fails, things are bad). Are there possibilities to bring
> at least these records (NS records, LdapIpAddress...) into a consistent
> state if one of the DCs fails, so that we can ensure that at least the
> LDAP applications work if a non-FSMO DC fails?
>
> best regards
> CB

Hello CB,

Unfortunately, in such a scenario as you described, and based on the way the
Client Side DNS resolver algorithm queries the nameservers in its list,
no, unfortunately there is not. Keep in mind, all workstations, member
servers and DCs run the Client Side DNS Resolver service. If a DC failed in
such a scenario where it is unrecoverable, and it was the first DNS IP address
in the IP config of a machine, then I can understand the 66% issue. This is
because the 33% may possibly already have queried the first entry when
it was working and had the nameserver info cached for the TTL prior to it
expiring when the DC went down. The other 66% either have restarted their
machines, or the TTL expired, or the nameserver query list was reset based
on the resolver default timeout.

If you suspect the DC will take time to recover, one of the ways, which I
know you may not want to hear, is to remove the DNS address from the
DHCP scope. If anyone calls up complaining, ask them to restart if they do
not know how or do not have the permissions to manually renew an IP. For fixed
servers, you would have to manually change the IPs in their IP properties,
and flush the local cache.

But the idea, as stated, is to get the server back up in a hurry to avoid
all of this and production downtime. Do you have a DR plan in place to
mitigate such an occurrence?

Ace
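
The workaround in the reply above has two halves: take the failed DC's address out of the DNS server list handed out by DHCP, and on fixed-address servers edit the NIC's DNS list and flush the resolver cache. The PowerShell below is an added example (not code from the thread or from Microsoft) implementing both as functions; the first runs on or against the DHCP server with the DhcpServer module, the second on each fixed-address server with the DnsClient cmdlets, both from Windows Server 2012 or later. `$ScopeId`, `$DeadDns`, `$DhcpServer` and `$InterfaceAlias` are placeholders. Each function refuses to leave an empty server list, and the address has to be put back by hand once the DC is recovered.

```powershell
# Added example, not code from the thread. Assumes the DhcpServer module (run on or
# against the DHCP server) and the DnsClient cmdlets of Windows Server 2012 or later.
# $ScopeId, $DeadDns, $DhcpServer and $InterfaceAlias are placeholders for your environment.

Import-Module DhcpServer

function Remove-DeadDnsFromScope {
    # Drops one DNS server address from DHCP option 006 of a scope, so clients stop
    # receiving the failed DC at their next renew or restart. Refuses to empty the list.
    param(
        [Parameter(Mandatory)] [string]$ScopeId,
        [Parameter(Mandatory)] [string]$DeadDns,
        [string]$DhcpServer = $env:COMPUTERNAME   # placeholder: the DHCP server to manage
    )
    $current = @((Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 6).Value)
    $wanted  = @($current | Where-Object { $_ -ne $DeadDns })

    if ($wanted.Count -eq 0) {
        throw "Refusing to leave scope $ScopeId with no DNS servers."
    }
    if ($wanted.Count -eq $current.Count) {
        Write-Host "Scope ${ScopeId}: $DeadDns not present in option 006; nothing changed."
        return $current
    }
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -DnsServer $wanted
    Write-Host "Scope ${ScopeId}: DNS servers now $($wanted -join ', '). Re-add $DeadDns once the DC is back."
    return $wanted
}

function Remove-DeadDnsFromInterface {
    # Fixed-address servers get no lease update: edit the NIC's DNS list directly and
    # flush the resolver cache, which is the manual step the reply describes.
    param(
        [Parameter(Mandatory)] [string]$InterfaceAlias,
        [Parameter(Mandatory)] [string]$DeadDns
    )
    $local = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses)
    $keep  = @($local | Where-Object { $_ -ne $DeadDns })

    if ($keep.Count -eq 0) {
        throw "Refusing to leave $InterfaceAlias with no DNS servers."
    }
    if ($keep.Count -lt $local.Count) {
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $keep
        Clear-DnsClientCache
        Write-Host "${InterfaceAlias}: DNS servers now $($keep -join ', '); cache flushed."
    }
    return $keep
}

# Example use with placeholder values (run each on the host where it applies):
Remove-DeadDnsFromScope     -ScopeId "10.0.0.0" -DeadDns "10.0.0.3"
Remove-DeadDnsFromInterface -InterfaceAlias "Ethernet" -DeadDns "10.0.0.3"
```

DHCP clients only see the change when their lease is renewed or the machine restarts, which is why the reply suggests asking callers to reboot; the server-side edit alone does not touch what a running client already cached.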
