AD DNS stopping problem

Archived from groups: microsoft.public.win2000.dns (More info?)

Hello
I have a question to ask, if someone can help. Here is the situation: we
have a domain with 2 DCs running Windows 2000 Advanced Server with SP4 for the
internal network. There is a DMZ (demilitarized zone) for the external
(Internet-available) servers – web, mail, DNS, proxy, firewall etc. In
the DMZ the DNS is a Linux machine running BIND – it handles the records for
the web sites that we are hosting. For faster access to the web sites from
the internal network, the DNS service on each DC has a record for the address
of the servers in the DMZ with their IP addresses for the local network (not
the Internet ones). Until 2 weeks ago everything was fine, but one day the two
DC-based DNS servers started to act strange – both claim that one is sending the
other packets with an invalid domain name – to be exact, error 5504: "The DNS
server encountered an invalid domain name in a packet from X.X.X.X. The
packet was rejected." When that happens one of them starts to build up memory
and the used memory jumps by 1.5GB, the CPU utilization levels at 100% for
all processors and after something like 10 minutes the DNS service stops. If
I stop the DNS service manually on one of the DCs there is no problem, but if
both are running, after 10 minutes both start to log errors and after a few
hours one of them stops. If anyone can help I will be very happy, because we
have no idea what might have happened to start causing the problem.

Stoil Pankov
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

How do you have forwarding configured on the DNS servers, and what DNS server(s)
do you have listed in the TCP/IP properties of those DCs?

For what you're doing, the two DCs shouldn't be trying to send each other any DNS queries
at all - corrupt or otherwise. At least not if things are configured properly. So my
hunch is that somebody here is forwarding or looping through or to somebody else
that they shouldn't be.

Since you have manually entered 'shadow' records for the DMZ hosts in your Win2K DNSen,
the BIND server shouldn't enter into this at all as regards the Windows DCs. So that IP
should appear nowhere in the DNS configuration on the Windows side.

So unless there is more to your network than described here: in your Windows DNS
you can disable forwarding altogether (using root hints only for public name resolution), and
just list each DC's own respective IP as its DNS server in TCP/IP properties. This is the simplest
configuration and should do the job you've described without problems. After you configure this, run
a netdiag on each DC to verify that it is working to resolve AD properly.

You also might want to check out this hotfix: http://support.microsoft.com/?id=838969 to see
if it applies.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.

"Stoil Pankov" <Stoil Pankov@discussions.microsoft.com> wrote in message news:906D95AC-217C-4580-B62B-500B98ED7513@microsoft.com...
> Hello
> I have a question to ask, if someone can help. Here is the situation: we
> have a domain with 2 DCs running Windows 2000 Advanced Server with SP4 for the
> internal network. There is a DMZ (demilitarized zone) for the external
> (Internet-available) servers - web, mail, DNS, proxy, firewall etc. In
> the DMZ the DNS is a Linux machine running BIND - it handles the records for
> the web sites that we are hosting. For faster access to the web sites from
> the internal network, the DNS service on each DC has a record for the address
> of the servers in the DMZ with their IP addresses for the local network (not
> the Internet ones). Until 2 weeks ago everything was fine, but one day the two
> DC-based DNS servers started to act strange - both claim that one is sending the
> other packets with an invalid domain name - to be exact, error 5504: "The DNS
> server encountered an invalid domain name in a packet from X.X.X.X. The
> packet was rejected." When that happens one of them starts to build up memory
> and the used memory jumps by 1.5GB, the CPU utilization levels at 100% for
> all processors and after something like 10 minutes the DNS service stops. If
> I stop the DNS service manually on one of the DCs there is no problem, but if
> both are running, after 10 minutes both start to log errors and after a few
> hours one of them stops. If anyone can help I will be very happy, because we
> have no idea what might have happened to start causing the problem.
>
> Stoil Pankov
>
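The misconfiguration the reply is pointing at (each DC forwarding to the other, and each DC's TCP/IP DNS list naming the other DC as well as itself) is a loop in the server-to-forwarder graph. The following is an added example, not code from the thread or from either poster: it models that topology, reports any forwarder cycle and any DC whose resolver list points anywhere but itself, and runs the check against a "before" configuration matching the thread and an "after" configuration matching the reply's recommendation. The host names DC1, DC2 and BIND are constructed stand-ins, and the cycle detection is generic, so it works for any number of servers, not just two.

```python
"""Forwarder-loop check for a small DNS topology (added example, not from the thread).

Models servers as nodes and "forwards to" as directed edges, then reports cycles.
Host names below are constructed stand-ins for the two Win2K DCs and the DMZ BIND box.
"""
from typing import Dict, List, Tuple

Graph = Dict[str, List[str]]

# Constructed sample: the configuration the poster found (both DCs forward to each
# other and to BIND; each DC's TCP/IP settings list both DCs as DNS servers).
BROKEN_FORWARDERS: Graph = {
    "DC1": ["DC2", "BIND"],
    "DC2": ["DC1", "BIND"],
    "BIND": [],  # BIND resolves via root hints, no forwarder
}
BROKEN_RESOLVERS: Graph = {
    "DC1": ["DC1", "DC2"],
    "DC2": ["DC1", "DC2"],
}

# Constructed sample: the fix the reply recommends (no forwarding, root hints only;
# each DC lists only its own address as its DNS server).
FIXED_FORWARDERS: Graph = {"DC1": [], "DC2": [], "BIND": []}
FIXED_RESOLVERS: Graph = {"DC1": ["DC1"], "DC2": ["DC2"]}


def forwarder_loops(forwarders: Graph) -> List[Tuple[str, ...]]:
    """Return every cycle in the server -> forwarder graph.

    Iterative-colouring DFS: a grey node reached again on the current path is a
    back edge, and the path from that node to the top of the stack is the cycle.
    Each cycle is rotated so its smallest name comes first, so one loop reached
    from different entry points is reported once.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour: Dict[str, int] = {}
    stack: List[str] = []
    found = set()

    def visit(node: str) -> None:
        colour[node] = GREY
        stack.append(node)
        for nxt in forwarders.get(node, []):
            state = colour.get(nxt, WHITE)
            if state == GREY:
                cycle = stack[stack.index(nxt):]
                k = cycle.index(min(cycle))
                found.add(tuple(cycle[k:] + cycle[:k]))
            elif state == WHITE:
                visit(nxt)
        stack.pop()
        colour[node] = BLACK

    for server in forwarders:
        if colour.get(server, WHITE) == WHITE:
            visit(server)
    return sorted(found)


def resolver_findings(resolvers: Graph) -> List[str]:
    """Flag DCs whose TCP/IP DNS list names anything other than the DC itself."""
    findings = []
    for dc, servers in resolvers.items():
        for s in servers:
            if s != dc:
                findings.append(f"{dc}: TCP/IP DNS list points at {s}")
    return findings


def check_topology(forwarders: Graph, resolvers: Graph) -> List[str]:
    """Combine both checks into one list of human-readable findings (empty = clean)."""
    findings = [
        " -> ".join(cycle + (cycle[0],)) + " forms a forwarder loop"
        for cycle in forwarder_loops(forwarders)
    ]
    findings += resolver_findings(resolvers)
    return findings


if __name__ == "__main__":
    for label, fw, rs in (
        ("broken", BROKEN_FORWARDERS, BROKEN_RESOLVERS),
        ("fixed", FIXED_FORWARDERS, FIXED_RESOLVERS),
    ):
        print(label + ":")
        for line in check_topology(fw, rs) or ["no findings"]:
            print("  " + line)
```

Against the broken sample this reports the DC1 -> DC2 -> DC1 loop plus one resolver finding per DC; the fixed sample produces no findings. The script only checks the forwarding and resolver graph; it does not model the event 5504 rejections or the memory growth the poster saw, which the thread leaves unexplained beyond the loop itself.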
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

Thanks for the reply.

I checked the DNS server configuration and both were configured to forward
to each other and to the BIND, and the LAN cards' TCP/IP settings for both
DCs were configured to use both DNS servers. After reconfiguring the DCs
now everything is working perfectly.

Many, many thanks for the help!!!!

Stoil Pankov


"Steve Duff [MVP]" wrote:

> How do you have forwarding configured on the DNS servers, and what DNS server(s)
> do you have listed in the TCP/IP properties of those DCs?
>
> For what you're doing, the two DCs shouldn't be trying to send each other any DNS queries
> at all - corrupt or otherwise. At least not if things are configured properly. So my
> hunch is that somebody here is forwarding or looping through or to somebody else
> that they shouldn't be.
>
> Since you have manually entered 'shadow' records for the DMZ hosts in your Win2K DNSen,
> the BIND server shouldn't enter into this at all as regards the Windows DCs. So that IP
> should appear nowhere in the DNS configuration on the Windows side.
>
> So unless there is more to your network than described here: in your Windows DNS
> you can disable forwarding altogether (using root hints only for public name resolution), and
> just list each DC's own respective IP as its DNS server in TCP/IP properties. This is the simplest
> configuration and should do the job you've described without problems. After you configure this, run
> a netdiag on each DC to verify that it is working to resolve AD properly.
>
> You also might want to check out this hotfix: http://support.microsoft.com/?id=838969 to see
> if it applies.
>
> Steve Duff, MCSE, MVP
> Ergodic Systems, Inc.
>
> "Stoil Pankov" <Stoil Pankov@discussions.microsoft.com> wrote in message news:906D95AC-217C-4580-B62B-500B98ED7513@microsoft.com...
> > Hello
> > I have a question to ask, if someone can help. Here is the situation: we
> > have a domain with 2 DCs running Windows 2000 Advanced Server with SP4 for the
> > internal network. There is a DMZ (demilitarized zone) for the external
> > (Internet-available) servers - web, mail, DNS, proxy, firewall etc. In
> > the DMZ the DNS is a Linux machine running BIND - it handles the records for
> > the web sites that we are hosting. For faster access to the web sites from
> > the internal network, the DNS service on each DC has a record for the address
> > of the servers in the DMZ with their IP addresses for the local network (not
> > the Internet ones). Until 2 weeks ago everything was fine, but one day the two
> > DC-based DNS servers started to act strange - both claim that one is sending the
> > other packets with an invalid domain name - to be exact, error 5504: "The DNS
> > server encountered an invalid domain name in a packet from X.X.X.X. The
> > packet was rejected." When that happens one of them starts to build up memory
> > and the used memory jumps by 1.5GB, the CPU utilization levels at 100% for
> > all processors and after something like 10 minutes the DNS service stops. If
> > I stop the DNS service manually on one of the DCs there is no problem, but if
> > both are running, after 10 minutes both start to log errors and after a few
> > hours one of them stops. If anyone can help I will be very happy, because we
> > have no idea what might have happened to start causing the problem.
> >
> > Stoil Pankov
> >
>