DNS Mess

Discussion in 'Networks' started by Stoney, Feb 15, 2007.

  1. Stoney

    Stoney Megabyte Poster

    Afternoon!

    I've just been doing some tests on our network and I found that when I ping our mail server it resolves the IP address for the RAS interface that is running on the mail server (also deals with our VPN connections among other things).

    I also noticed on another PC that Outlook wouldn't open because it couldn't contact the Exchange server, and when I pinged the mail server it resolved the IP for the backup network interface on the mail server (different subnet)!

    There is clearly something not right and I think it's to do with the DNS setup. Is it possible to configure the DNS to resolve just the one IP for mailserver.domain.local instead of taking a random pick from whatever's available?

    This is on a Windows 2003 server environment btw.

    Cheers :biggrin
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  2. Stoney

    Stoney Megabyte Poster

    Another point. The mail server is also the primary DNS server and domain controller.

    I have noticed in the DNS management console that there are 3 entries for the mail server in:

    DNS\Servername\Forward Lookup Zones\local\domainname and

    DNS\Servername\Forward Lookup Zones\domainname.local

    The 3 entries relate to the IPs of the RAS server, the LAN connection and the backup LAN connection.

    Is this correct for a DNS server, or any server, to have 3 different entries in the lookup zones?

    I'm thinking probably not but I'm not that great with DNS.

    Cheers
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  3. Sparky

    Sparky Zettabyte Poster Moderator

    What happens when you ping the servers by IP address? Also try a tracert to the servers.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  4. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    Are you running Windows SBS Server? If not, then your answer may lie in the fact that M$ do not recommend having your DC and your Exchange server on the same box.

    LINK

    However you may have resolved this.
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  5. Vendetta

    Vendetta Nibble Poster

    Try running nslookup to test that DNS is working as it should be. And I agree with the above post; an Exchange server should not really be running on a DC.
     
  6. Sparky

    Sparky Zettabyte Poster Moderator

    In a perfect world the DC and Exchange server should be on different boxes but saving £$£$ and putting them on the same box is always tempting.

    Going back to the problem, are the client PCs pointing at the DNS server for DNS or are they pointing somewhere else? Using real-world DNS IPs (for example) will cause you problems. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  7. Stoney

    Stoney Megabyte Poster

    If I ping the actual IP of the mailserver then it responds fine.
    If I ping the backup network adapter on the mailserver it doesn't respond.
    If I ping the IP that is associated with the RAS on the mailserver then it does not respond.
    This is why Outlook is not connecting, because the DNS is telling it that the IP for the mailserver is one of these 3 IPs and only one of them is correct.
    However, if I dial our VPN connection into the RAS then all 3 IPs associated with the mail server respond.

    Nope, no SBS. All W2K3 standard and W2K server.
    Unfortunately we are limited on server space so everything has been bundled onto one server, not ideal but it's just what we've got!

    From my PC the DNS server is resolved ok. I ran DCDIAG /testDNS on the DC and the DNS service failed with Forward lookup zones. Everything else ok.

    I found that by entering the correct mailserver IP and FQDN into the hosts file, Outlook connects almost instantaneously. Using ipconfig /displaydns shows the correct IP in the cache. Without the hosts file entry the cache shows 3 IPs for the mailserver.

    Shall I just delete the 2 incorrect entries from the DNS management? Would this have an effect on the RAS? I'm thinking not, because that IP is not used to dial in but a domain name is, e.g. vpn.companyName.com.
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  8. supag33k

    supag33k Kilobyte Poster

    Is the ip address for the Exchange server also the MX record for the domain?

    ...but then this would be correct, otherwise you get no email!

    A series of tracerts and nslookups on the three IP addresses would be illuminating.

    Also, are all the IP addresses - including the one on the second adaptor - fixed IP addresses?

    Note that "register this connection's address in DNS" under TCP/IP properties, advanced, DNS... should be enabled.

    Then do a "route print" to see if any static routes are defined... based on what you said about your VPN working... you may have a crook static route.

    Plus check the AD replication with replmon, as you could have issues there in addition to DNS issues if you have a few DCs....

    Finally Exchange on a DC, even if not best practice, is still common - especially if you have multiple sites and the existing nominated DC/GC is little better than a workgroup server. :rolleyes: :blink
     
    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff
  9. Stoney

    Stoney Megabyte Poster

    Not quite! The IP for the MX record is the public IP. The IP that is showing up in DNS is the private IP for the mailserver.

    Our DNS server only manages our internal DNS because it is in a remote server farm managed by other peeps. We use their DNS to resolve our public IP addresses.

    Yes, both network adapters are fixed and so is the RAS interface.

    I shall have a look into the other stuff.
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  10. Bluerinse

    Bluerinse Exabyte Poster

    Good point!
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  11. Stoney

    Stoney Megabyte Poster

    Well, I think that the DNS issue has gone. I told DNS to listen on just the one IP and I also unchecked the box for "register this connection's address in DNS" on the backup network, and now the extra DNS entries have gone.

    When I ping the mail server the correct private IP is returned. All seems ok. Thanks for the help guys :cheers

    Regarding Exchange and DC, how messy an operation would it be to demote the DC on the mailserver and then remove AD? We have a secondary DC that doesn't do much so maybe I could promote it and then install AD on another server we have locally.

    Does the DC have to have DNS running on the same server or can the DNS service be elsewhere?
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
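Stoney's diagnosis (several A records for one host, only one of which answers) and the fix he arrived at (stop the spare adapter registering, restrict the DNS listen address, remove the stale records) can be scripted. The following is an added example for this thread, not something posted in it; the zone name, host name, LAN address and adapter alias are assumed placeholders, and it uses the DnsServer/DnsClient cmdlets of Windows Server 2012 or later plus the older dnscmd tool.

```powershell
# Added example (not from the thread). Assumptions: zone 'domain.local', host
# 'mailserver', LAN address 192.0.2.10 is the one clients should receive, and
# the backup adapter's interface alias is 'Backup LAN'. Run elevated on the
# DNS server / DC (DnsServer + DnsClient modules; dnscmd also exists on W2K3).
$Zone      = 'domain.local'
$HostName  = 'mailserver'
$GoodIP    = '192.0.2.10'
$BackupNic = 'Backup LAN'
$Fqdn      = "$HostName.$Zone"

# --- 1. Audit: how many A records does the host have, and do they answer? ---
# A multi-homed DC that registers every adapter ends up with one A record per
# interface, and round-robin hands clients whichever address comes up next.
$records = Get-DnsServerResourceRecord -ZoneName $Zone -Name $HostName -RRType A
$ips = @($records | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
Write-Host "A records for ${Fqdn}: $($ips -join ', ')"
if ($ips.Count -gt 1) {
    Write-Warning "$Fqdn has $($ips.Count) A records; clients may be handed an unreachable one."
}
foreach ($ip in $ips) {
    $reachable = Test-Connection -ComputerName $ip -Count 1 -Quiet
    Write-Host ("  {0,-15} reachable from here: {1}" -f $ip, $reachable)
}

# --- 2. Fix, in the order the thread arrived at ---
# Stop the backup adapter registering itself (the 'Register this connection's
# addresses in DNS' checkbox on the adapter's advanced DNS tab).
Set-DnsClient -InterfaceAlias $BackupNic -RegisterThisConnectionsAddress $false

# Make the DNS service listen only on the LAN address instead of all interfaces.
dnscmd.exe /ResetListenAddresses $GoodIP

# Delete the A records that point at the other interfaces; keep the LAN one.
$records |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $GoodIP } |
    Remove-DnsServerResourceRecord -ZoneName $Zone -Force

# Re-register the remaining adapter, flush the local resolver cache and
# re-check: the answer should now be exactly one address, namely $GoodIP.
Register-DnsClient
Clear-DnsClientCache
$after = @(Resolve-DnsName -Name $Fqdn -Type A -Server $GoodIP |
           Where-Object { $_.Type -eq 'A' } |
           ForEach-Object { $_.IPAddress })
if ($after.Count -eq 1 -and $after[0] -eq $GoodIP) {
    Write-Host "OK: $Fqdn now resolves only to $GoodIP"
} else {
    Write-Warning "Still resolving to: $($after -join ', ') - check which DNS servers DHCP hands out"
}
```

Order matters: if registration on the extra adapter is still enabled when its record is deleted, the next ipconfig /registerdns or the client's periodic refresh simply recreates it.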
  12. Sparky

    Sparky Zettabyte Poster Moderator

    What is your domain\DC setup? Do you have a DNS zone for the whole network?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  13. Bluerinse

    Bluerinse Exabyte Poster

    That could get messy if you're not sure what you are doing. The DCs in an Active Directory environment are multi-master, meaning there are no BDCs like with NT. You would need an understanding of the FSMO roles to determine exactly how things are set up at present. Also, when you demote a DC to a member server, you can leave metadata behind in AD; in other words AD still has references to the DC and might try to replicate to it etc. You can clean out the metadata but again, you really need to understand what you are doing or things could easily go pear-shaped.

    The DNS server does not need to be on a DC unless you want to use AD integrated DNS.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  14. Sparky

    Sparky Zettabyte Poster Moderator

    Why not promote the other DNS server and then reconfigure the DHCP for the clients to point at the new DC for DNS?

    When I hear the word ‘demote’ I always have nightmares! You have to plan if you want to demote your original DC or first Exchange server in your domain\organisation. Actually you have to plan for any major network config change! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  15. supag33k

    supag33k Kilobyte Poster

    NP!

    btw - how many mailboxes on the Exchange server?

    For Exchange and DC on the same server there are some choices to make, and as others here so rightfully point out you have to be real careful....

    1. If your FSMO roles are on the Email/DC server you need to move them out to another server first.... i.e. promote that additional DC, check its DNS [esp. name server], check replication etc. Then move the FSMO roles off the DC and let the new config run for a few days.

    Then you can demote that main server... but note that Exchange 2000 or 2003 may need a couple of reboots first.

    Also ensure that at least one of the remaining servers is a GC.

    OR.

    2. Add an additional Exchange server on that spare server but keep it as a member server.

    Note that if you do this the new Exchange server has to be at exactly the same Exchange patch level [i.e. the latest] as the existing Exchange server, otherwise the Information Store service on the new Exchange server may stop working a few hours after you move the mailboxes across.

    You can test this easily enough by installing Exchange and moving some mailboxes across, like your own mailbox, so you can test it out first. This is a good method if you have to upgrade an older Exchange server that is still working but has a hardware set you are not happy with or that is beyond its maintenance life.

    With the Exchange move you have to check that mail delivery is okay... and this could take a while; also check DNS and the external MX record etc etc.

    Usually the recommendation would be to demote after the third DC is established. For instance, you would have to do this anyway if you were running Exchange 2003 Server on Windows 2000 that was a DC, and you wanted to upgrade to Windows 2003 but the server hardware was older and not considered fully compatible. In this case you would demote the DC, then upgrade the OS to 2003 and finally re-promote it to a DC.

    HTH

    supag33k
     
    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff
