
On May 17 I received a report of a down server. I went to check it out and was unable to power it on. We've had service on that machine several times at this point and are quite frustrated with it, so I recommended getting something new with a valid warranty. We did, and I set it up as a new DC-3.

For the last week or two, we've been experiencing slowness in DNS resolution time. Users will go to Google something and that might work well, but then they might get NXDOMAIN in Google Chrome when trying to click a result. Then the page might load, but as a "web 1.0" version with no images or formatting, and will properly load upon refresh.

When DC-1 died, I:

  • seized FSMO roles on DC-2
  • updated DNS servers in DHCP
  • removed all records (I could find) of the old server in DNS
  • updated forwarders on each DNS server
  • performed metadata cleanup with ntdsutil
  • scoured through ADUC and AD Sites and Services for any references to DC-1
  • updated secondary DNS on DC-2 to point to DC-3 for each network adapter (primary DNS is loopback address)

If I run nslookup, it will show the correct specified DNS server, but will also say "DNS request timed out. timeout was 2 seconds." I believe I had it set to 3 seconds in the forwarder section.

Replication is working fine between servers. (per repadmin /syncall /adep)

Any information would be appreciated. Thanks in advance.

  • This probably won't resolve the issue, but as an aside, the loopback should never be used as primary DNS. DC2 should use DC3 for primary, itself for secondary, and 127.0.0.1 for tertiary. DC3 should use DC2 as primary, itself as secondary, and 127.0.0.1 as tertiary. Also, what forwarders are you using? – joeqwerty Jun 08 '21 at 01:16
  • Run the best practices analyzer for DNS on each DNS server and fix any problems. If you still have issues, please give us an update. – user5870571 Jun 08 '21 at 01:51
  • @joeqwerty I have heard from others that a DC should always use its own address for primary and another DC as secondary (if available). BPA has reinforced your point, so I have made those changes. For forwarders I just have DC-2 pointing at DC-3 and DC-3 pointing at DC-2, but each only on a single address; I will add their secondary NICs. – JohnMAL Jun 08 '21 at 02:20
  • Don't use the domain controllers as *forwarders* for each other, but recursive DNS servers outside your network, e.g. from your ISP. You need to be able to resolve names from the Internet, and your own domain controllers won't magically know everything. – Esa Jokinen Jun 08 '21 at 04:01
  • I'm not sure what kind of wacky results you'd get using each DC as the other's forwarder, but I'd be shocked and surprised if you'd be able to resolve any external DNS names at all. How would they resolve external DNS queries using each other as forwarders? Set external forwarders, or omit using forwarders altogether and use the root hint servers. – joeqwerty Jun 08 '21 at 04:10
  • Well, I guess that makes a lot of sense. When I checked the forwarders originally on DC-2, it had DC-1 as its only forwarder. I bet DC-1 had no forwarder and was only using root hints. I removed all forwarders from DC-2 and DC-3, and they will both simply use root hints. I am thinking that's what the issue is, but I will test it out for a couple of hours and reply if the problem is definitely solved. Thank you @EsaJokinen and joeqwerty – JohnMAL Jun 08 '21 at 17:37
  • Fixing forwarder settings as suggested here seems to have fixed the problem. Thanks to everyone that contributed. – JohnMAL Jun 09 '21 at 02:56
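The comment thread above settles on three checks: no DC should list another DC of the same forest as a forwarder (neither can answer for Internet names, so every external lookup stalls until the forwarder timeout and then falls back, which matches the intermittent NXDOMAIN and half-loaded pages in the question), the DNS client order on each DC should put a partner DC first and 127.0.0.1 last, and resolution time should be measured per server rather than inferred from nslookup's "DNS request timed out". The script below is an added example written for this page, not code posted by anyone in the thread. It assumes it is run on one of the DCs with the DnsServer and DnsClient PowerShell modules present (RSAT/DNS role); the names DC-2 and DC-3 come from the question, and www.example.com is a placeholder for any external name.

```powershell
# Added example: audit the DNS settings discussed in this thread on a domain controller.
# Assumptions: runs on a DC with the DnsServer and DnsClient modules; DC-2/DC-3 are the
# names from the question; the external test name is a placeholder.
$DomainControllers = @('DC-2', 'DC-3')
$TestName          = 'www.example.com'   # placeholder external name

# 1. Forwarders: flag any forwarder that is actually one of our own DCs.
$fwd = Get-DnsServerForwarder
$dcAddresses = foreach ($dc in $DomainControllers) {
    (Resolve-DnsName -Name $dc -Type A -DnsOnly -ErrorAction SilentlyContinue).IPAddress
}
foreach ($ip in $fwd.IPAddress) {
    if ($dcAddresses -contains $ip.IPAddressToString) {
        Write-Warning "Forwarder $ip is one of our own domain controllers; use external recursive servers or root hints instead."
    }
}
if (-not $fwd.IPAddress -and -not $fwd.UseRootHint) {
    Write-Warning 'No forwarders configured and root hints disabled: external names cannot be resolved.'
}
"Forwarder timeout: $($fwd.Timeout) s; root hints in use: $($fwd.UseRootHint)"

# 2. DNS client order on this DC: a partner DC first, self second, loopback last.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        if ($_.ServerAddresses[0] -eq '127.0.0.1') {
            Write-Warning "$($_.InterfaceAlias): loopback is the primary DNS server"
        }
        '{0}: {1}' -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ')
    }

# 3. Time an external lookup against each DC directly; a slow or failing server
#    shows up here even when a later retry succeeds from the client's point of view.
foreach ($dc in $DomainControllers) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $null   = Resolve-DnsName -Name $TestName -Server $dc -DnsOnly -ErrorAction Stop
        $status = 'OK'
    } catch {
        $status = "FAILED: $($_.Exception.Message)"
    }
    $sw.Stop()
    '{0}: {1} in {2} ms' -f $dc, $status, $sw.ElapsedMilliseconds
}
```

The script only reports; the remediation the thread arrived at is `Remove-DnsServerForwarder -IPAddress <DC address> -Force` followed by `Set-DnsServerForwarder -UseRootHint $true` (or `-IPAddress` with the ISP's recursive resolvers), and `Set-DnsClientServerAddress -InterfaceIndex <n> -ServerAddresses <partner DC>, <own address>, 127.0.0.1` for the client order. Re-running step 3 after the change gives a before/after timing rather than waiting "a couple of hours" for user complaints to stop.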

0 Answers