DNS problem at remote sites
I have a client with 10 remote sites reporting random problems with their Windows 7 laptops resolving internal DNS names. All the remote sites connect to the main site (where all four of their servers are located) via hardware IPSEC tunnels. Each remote site has DHCP provided by the router that lists the following for client DNS:
1. 10.0.1.4 (IP of the domain controller / DNS server) Internal
2. 4.2.2.2 (Layer 3 DNS) External
This was set up so that remote sites would still have internet access should the main site go down. All the remote clients use a program hosted on one of two terminal servers. We are using round robin DNS to balance the load on the servers, so it is essential that we continue to use a DNS name for connection.
We have attempted to troubleshoot by using NSlookup. When the problem occurs the client can only ping the domain controller and external addresses by name. Using NSlookup however shows that 10.0.1.4 is my DNS server and all the Internal DNS names resolve. The only way to correct the problem every time has been to restart the client's DNS client service. Restarting the laptop, disabling/enabling the adapter, releasing and renewing the IP address, or flushing DNS cache only solve the problem sporadically. One client reported restarting the laptop six times before it reconnected to the terminal server.
Any ideas or possible avenues to resolve the root problem would be greatly appreciated.
Thank You.
February 3rd, 2011 5:22pm
Do you use the fqdn or the short system name to connect to the terminal servers?
What exactly did you test with NSLOOKUP?
Ray - Author of Windows 7 for XP Professionals
February 3rd, 2011 5:32pm
We are using the short system name. However, when the problem occurs we have tried the fqdn with the same results.
Using NSLOOKUP, which connects with our local DNS server (10.0.1.4), we tested each short and fqdn server name successfully. It also properly resolved both of our terminal servers when testing our round robin name. When you exit NSLOOKUP the client still cannot ping any internal server other than the DNS server.
February 3rd, 2011 5:50pm
Your problem is with the DNS configuration of your Windows 7 clients. The DNS client in Windows 7 expects that all DNS servers in the configuration are capable of resolving the AD systems. This is not the case for your fallback or second DNS server.
This article describes the behavior of the DNS Client for Windows Vista and later:
http://technet.microsoft.com/en-us/library/dd197552(WS.10).aspx
In fact it describes the following behavior:
The DNS Client service queries the DNS servers in the following order:
The DNS Client service sends the name query to the first DNS server on the preferred adapter’s list of DNS servers and waits one second for a response.
If the DNS Client service does not receive a response from the first DNS server within one second, it sends the name query to the first DNS servers on all adapters that are still under consideration and waits two seconds for a response.
If the DNS Client service does not receive a response from any DNS server within two seconds, the DNS Client service sends the query to all DNS servers on all adapters that are still under consideration and waits another two seconds for a response.
If the DNS Client service still does not receive a response from any DNS server, it sends the name query to all DNS servers on all adapters that are still under consideration and waits four seconds for a response.
If the DNS Client service does not receive a response from any DNS server, the DNS client sends the query to all DNS servers on all adapters that are still under consideration and waits eight seconds for a response.
So if your preferred DNS server doesn't respond within a second, the second DNS server is considered a valid alternative.
I think your only option is to place DNS servers at the remote locations that can connect to the AD DNS zone and can resolve names on the Internet.
Ray - Author of Windows 7 for XP Professionals
February 3rd, 2011 6:08pm
I had a feeling that may be the only way to go, but I appreciate your response. I guess the only inexpensive alternative would be to remove the external DNS server altogether.
Thanks again,
Jason
February 3rd, 2011 6:13pm
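The following is an added illustration of the five query rounds Ray quotes from the TechNet article, and of the effect of Jason's proposed alternative of dropping the external server; it is not code from the thread, from Microsoft, or from any project. It simulates the documented fallback schedule for a single-adapter client with the two servers from the original DHCP configuration (10.0.1.4 and 4.2.2.2). The server latencies are constructed values, and the model assumes the query is re-sent in each round and that a server answers a fixed time after each send; the real client's handling of late answers and of the server that eventually responds is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DnsServer:
    """One configured DNS server as the client sees it (constructed values)."""
    address: str
    latency: Optional[float]   # seconds until it answers a query; None = never answers
    serves_internal: bool      # True if it hosts or forwards the AD zone


def fallback_rounds(adapters: List[List[DnsServer]]):
    """Yield (servers queried, seconds waited) per round, in the order the
    quoted TechNet article gives. adapters[0] is the preferred adapter."""
    first_on_preferred = adapters[0][:1]
    first_on_each = [a[0] for a in adapters if a]
    every_server = [s for a in adapters for s in a]
    yield first_on_preferred, 1.0   # round 1: first server on preferred adapter
    yield first_on_each, 2.0        # round 2: first server on every adapter
    yield every_server, 2.0         # round 3: all servers on all adapters
    yield every_server, 4.0         # round 4: all servers, longer wait
    yield every_server, 8.0         # round 5: all servers, longest wait


def resolve(name: str, is_internal: bool, adapters: List[List[DnsServer]]):
    """Simulate one lookup of `name`.
    Returns (answering server address or None, elapsed seconds, resolved?).
    Model assumption: the query is re-sent every round and a server counts as
    answering in a round only if its latency fits inside that round's wait."""
    elapsed = 0.0
    for servers, wait in fallback_rounds(adapters):
        answered = [s for s in servers if s.latency is not None and s.latency <= wait]
        if answered:
            first = min(answered, key=lambda s: s.latency)
            # An external-only server "answers" an internal name, but cannot resolve it.
            resolved = first.serves_internal or not is_internal
            return first.address, elapsed + first.latency, resolved
        elapsed += wait
    return None, elapsed, False


# Constructed scenario matching the thread: the DC at 10.0.1.4 reached across an
# IPSEC tunnel, 4.2.2.2 as the external fallback, a single network adapter.
DC = "10.0.1.4"
EXTERNAL = "4.2.2.2"


def scenario(dc_latency: float, with_external: bool = True) -> List[List[DnsServer]]:
    """Build the client's DNS server list for one adapter."""
    servers = [DnsServer(DC, dc_latency, True)]
    if with_external:
        servers.append(DnsServer(EXTERNAL, 0.03, False))   # external answers fast
    return [servers]


if __name__ == "__main__":
    cases = [("healthy tunnel", 0.05, True),
             ("slow tunnel, external fallback present", 2.5, True),
             ("slow tunnel, external server removed", 2.5, False)]
    for label, lat, ext in cases:
        srv, t, ok = resolve("ts1", True, scenario(lat, ext))
        print(f"{label:40s} -> answered by {srv} after {t:.2f}s, internal name resolved: {ok}")
```

With the external server configured, a DC that takes longer than about three seconds to answer across the tunnel never gets a chance: round 3 is the first one that includes 4.2.2.2, and it answers first, so an internal name comes back unresolved. Removing the external server makes the same lookup succeed, but only in round 4 after several seconds of waiting, which is the trade-off behind Ray's suggestion of a local DNS server that can serve both the AD zone and Internet names.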