Possible DNS related issue – Sporadic problem – Clients cannot access some internal resources

Active Directory
Microsoft Windows
This issue is driving me up the wall and Microsoft has yet to get back to me with anything. I'm running a basic network of 12 servers (all HP DL380's running Windows Server 2003 Enterprise) and 80 workstations (all HP d530's running Windows XP Pro SP2). Workstations are on a different segment than Servers. I'm running Active Directory and my domain controller runs this along with DHCP and DNS.

My problem is that sporadically, a client will (all of a sudden) not be able to access Exchange, or File Services, or the Intranet site. Sometimes all of these are unavailable, sometimes it's just one or two of these that are unavailable. When performing an NSLookup on the resource, it's found easily but still, the resource itself cannot be accessed. If I do an IPCONFIG /FLUSHDNS and then an IPCONFIG /REGISTERDNS a few times, all of a sudden, the problem is fixed and all is well for a while, sometimes the rest of the day.

I should also note that it's only internal resources that cannot be accessed. All external resources are fine, and never fail during this period. Also, it's not ALL clients that have problems. It's just a few out of the computers at any given time, and it's not consistently the same ones that are problematic. It rotates around randomly.

My DNS looks ok. Microsoft has checked it out and it seems there are no flaws or problems with it. I run a basic internal zone, forwarding out to my internet provider for non-internal queries. I have turned scavenging off (since the problem started) thinking it was to blame, but it's off and hasn't made a difference.

Any thoughts? I'm going nuts here and have run out of ideas.

Regards, Mark

Answer Wiki


Like most of us you have a ‘split-brain’ DNS. The client’s 1st DNS site is your main login server. The 2nd DNS site would be the ISP’s unit. Since the external resources are not a problem that is okay. Active Directory refers to several services, FSMO and GC being the most important. It is probably the second item GC (Global Catalog) which by default only exists on the same server as FSMO. Either a separate segment, or in my case a branch office, can result in a system that logs into the domain, but doesn’t have all the resources. Whereupon you flush DNS and Reload DNS and Log off and login again until it ‘works’.
Your segmentation of servers on one subnet and workstations on another severely aggravates the problem.
In my case I added GC to two other DC’s and it resolved the problem. That would be my 1st recommendation for you.
Good Luck.
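
A way to check the Global Catalog point made in the answer above, as an added example that is not part of the original thread: it parses Windows `nslookup -type=SRV` output for `_gc._tcp.<forest>` and `_ldap._tcp.dc._msdcs.<domain>` and lists the domain controllers that do not advertise a Global Catalog. The `corp.example` names, the address and both sample outputs are constructed for illustration.

```python
import re

# Constructed sample of `nslookup -type=SRV _gc._tcp.corp.example` output
GC_SRV_OUTPUT = """\
_gc._tcp.corp.example   SRV service location:
          priority       = 0
          weight         = 100
          port           = 3268
          svr hostname   = dc1.corp.example
dc1.corp.example        internet address = 10.0.1.10
"""

# Constructed sample of `nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example`
DC_SRV_OUTPUT = """\
_ldap._tcp.dc._msdcs.corp.example   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.corp.example
_ldap._tcp.dc._msdcs.corp.example   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2.corp.example
"""

def parse_srv(output):
    """Return {hostname: port} for every SRV record in nslookup output."""
    records, port = {}, None
    for line in output.splitlines():
        m = re.match(r"\s*(port|svr hostname)\s*=\s*(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "port":
            port = int(value)          # port line precedes the hostname line
        else:
            records[value.lower().rstrip(".")] = port
            port = None
    return records

def gc_coverage(dc_output, gc_output):
    """Compare the DC locator records with the Global Catalog locator records."""
    dcs, gcs = parse_srv(dc_output), parse_srv(gc_output)
    return {
        "global_catalogs": sorted(gcs),
        "dcs_without_gc": sorted(set(dcs) - set(gcs)),
        "single_gc": len(gcs) == 1,    # every GC lookup depends on one server
    }
```
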

Discuss This Question: 4  Replies

  • Petroleumman
    Hello, If Howard's suggestion fails to resolve your issue, something else to consider is your router. It is possible that there are old routes or outdated ARP entries retained in memory which may be confusing things. This scenario would also result in symptoms such as you're experiencing. Clear the ARP cache on the router and maybe even set some type of static route that your workstation traffic will use to access server resources. Another thought on the DNS side, try creating LMHOSTS entries on an affected workstation pointing to your servers. This will force your workstation to bypass DNS so to speak. If the problem goes away then there could still be an underlying issue with DNS. Good luck!
  • Astronomer
    Mark: We had some problems accessing Microsoft resources on a different subnet. It wasn't as intermittent as your symptoms but it boiled down to the workstations using browsing to reach the servers. When we re-enabled WINS in our environment the problems went away. Our DNS was working perfectly but that didn't help with some Microsoft services. I would really like to get rid of WINS but this fixed our problem so we continue with it. I recommend you try this. rt
  • Linger1974
    Hi all, Thanks so much for the replies. I can say we used all suggestions and have come quite far in troubleshooting the problem, but it's still with us. I'd like to investigate one possibility, in that right now, our internal zone is TORCVB.COM and it's the same as our public (internet) domain name. I'm thinking of moving our internal domain to CORP.TORCVB.COM but I am not strong enough with DNS to know what that involves. What will I have to do to the Active Directory to achieve this, and is it something that requires more than a few hours of downtime? Any and all replies much appreciated! Mark
  • 0ct0pus
    To set up a new child domain you have to point new PDC, use ADMT to move the user and computer accounts for internal users. Create the new domain in the current DNS, then inform all clients to log on to the new domain. Looking back at your original issue, the fact that you can nslookup fine when the problem occurred shows that it's not a name resolution issue. Perhaps authentication to those services, which is controlled by AD. Any errors in the event viewer of the AD or Exchange or IIS server might be helpful.