RE: DNS Lookup Failing for One Address

2012-08-14 Thread Jimmy Tran
Clear the DNS cache on that particular server?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Tuesday, August 14, 2012 10:42 AM
To: NT System Admin Issues
Subject: DNS Lookup Failing for One Address

Okay, DNS wizards... I need some input.

One of my DNS servers (Server 2008) is failing to resolve
www.studyisland.com like so:

C:\>nslookup
Default Server:  aoc-pet300.taylor.k12.fl.us
Address:  10.11.7.13

> www.studyisland.com.
Server:  aoc-pet300.taylor.k12.fl.us
Address:  10.11.7.13

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to aoc-pet300.taylor.k12.fl.us timed-out

But I can point nslookup at one of my other servers (also Server 2008),
and it resolves fine. Which kind of sounds like a server problem--but
this server has resolved every other name I've thrown at it, though.
Only this one is failing.

I can point nslookup at the Norton DNS server that my failing server
uses as a forwarding server (198.153.192.1), and it resolves fine. All
of my other servers use that same forwarding address, too.

I'm kind of going crazy here... My users desperately need to get to this
site. I can't figure out what's wrong, but that's no surprise because
I'm not an expert when it comes to DNS.

Can anyone offer any troubleshooting pointers?

John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



RE: DNS Lookup Failing for One Address

2012-08-14 Thread Ziots, Edward
Non-authoritative answer:
Name:    vip1.studyisland.com
Address:  72.249.13.58
Aliases:  www.studyisland.com

So looks like possible DNS cache corruption on your DNS server.

(What I see from my end) (this could be due to access list on what
traffic it's accepting)

> server 198.153.192.1
Default Server:  [198.153.192.1]
Address:  198.153.192.1

> www.studyisland.com.
Server:  [198.153.192.1]
Address:  198.153.192.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to [198.153.192.1] timed-out

Have you turned on the debug log for DNS and looked into that one?

Have you tried to do that DNS lookup from the DNS server itself to the
upstream DNS forwarder, and see if it resolves and then take a look at
it from the DNS cache? (You will probably need Wireshark on the
workstation and server in question to see what is going on with the
packets.) I will be happy to look at any pcap files you would want to
send over on the situation.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

 


Re: DNS Lookup Failing for One Address

2012-08-14 Thread Ben Scott
On Tue, Aug 14, 2012 at 1:42 PM, John Hornbuckle
 wrote:
> One of my DNS servers (Server 2008) is failing to resolve
> www.studyisland.com like so:

  There is some bug in MS-DNS in Windows 2008 R2 that causes it to
randomly get a brain crap on individual domains.  I don't know the
details, but it's bit a few people on this list.  Symptoms seem to
match yours.  Try the command

dnscmd /clearcache

on the server.  If that clears the trouble, you need the hotfix.  I
*think* this is it:

http://support.microsoft.com/kb/2508835

but I might have it confused with some other bug in MS-DNS.

> C:\>nslookup

  NSLOOKUP is brain damaged.  (The biggest problem is that it can give
ambiguous error messages.)  Get DIG from the ISC BIND suite and get in
the habit of using it for DNS diagnostics.

-- Ben



Re: DNS Lookup Failing for One Address

2012-08-14 Thread Kurt Buff
On Tue, Aug 14, 2012 at 10:42 AM, John Hornbuckle
 wrote:
> Okay, DNS wizards… I need some input.
>
>
>
> One of my DNS servers (Server 2008) is failing to resolve
> www.studyisland.com like so:
>
>
>
> C:\>nslookup
>
> Default Server:  aoc-pet300.taylor.k12.fl.us
>
> Address:  10.11.7.13
>
>
>
>> www.studyisland.com.
>
> Server:  aoc-pet300.taylor.k12.fl.us
>
> Address:  10.11.7.13
>
>
>
> DNS request timed out.
>
> timeout was 2 seconds.
>
> DNS request timed out.
>
> timeout was 2 seconds.
>
> *** Request to aoc-pet300.taylor.k12.fl.us timed-out
>
>
>
> But I can point nslookup at one of my other servers (also Server 2008), and
> it resolves fine. Which kind of sounds like a server problem--but this
> server has resolved every other name I’ve thrown at it, though. Only this
> one is failing.
>
>
>
> I can point nslookup at the Norton DNS server that my failing server uses as
> a forwarding server (198.153.192.1), and it resolves fine. All of my other
> servers use that same forwarding address, too.
>
>
>
> I’m kind of going crazy here… My users desperately need to get to this site.
> I can’t figure out what’s wrong, but that’s no surprise because I’m not an
> expert when it comes to DNS.
>
>
>
> Can anyone offer any troubleshooting pointers?

Yes - if recycling the DNS Server service fixes the problem, there are
some known issues with DNS on 2003, 2008 and 2008 R2. One is EDNS -
see this link:
http://support.microsoft.com/kb/832223

and/or this link:
http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx

Also, it's possible, but unlikely, that your firewall is filtering
these extended DNS records - especially if your firewall doesn't
understand/like TCP returns on queries. These links have some info on
that:
http://www.cisco.com/web/about/security/intelligence/dnssec.html

http://www.icann.org/en/groups/ssac/documents/sac-016-en.htm

Kurt




RE: DNS Lookup Failing for One Address

2012-08-14 Thread John Hornbuckle
Clearing the cache didn't help. I'll grab DIG now...






Re: DNS Lookup Failing for One Address

2012-08-14 Thread Kurt Buff
Here's some more specific advice regarding EDNS:
http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx

Kurt



Re: DNS Lookup Failing for One Address

2012-08-14 Thread Ben Scott
On Tue, Aug 14, 2012 at 4:51 PM, Maglinger, Paul  wrote:
> Somebody put something in the hosts file?

  Wouldn't affect data returned by DIG.  Shouldn't affect data
returned by NSLOOKUP, either, but as mentioned, I don't trust that
program.

-- Ben



Re: DNS Lookup Failing for One Address

2012-08-14 Thread Ben Scott
On Tue, Aug 14, 2012 at 3:26 PM, John Hornbuckle
 wrote:
> Yeah, I tried that. Cleared the cache, restarted the DNS server service,
> even rebooted the whole machine.

  Hmmm, that's interesting.  A reboot *should* clear most possible
causes discussed so far, at least briefly.

  My next guess would be a firewall interacting badly with EDNS or
something like that, but you say another DNS server you run doesn't
have this trouble.  Are they both on the same IP subnet?  Same
broadcast domain?  Same switch?  Behind the same firewall?

  Compare versions/sizes of DNS.EXE on the working server and the
non-working server.  Maybe an update failed or something like that.

  Using DIG, running on the problem server, run a delegation trace for
the problem domain.  For example:

dig +trace www.studyisland.com.

This will cause DIG to perform an iterative query internally.  That
is, DIG will query the root servers directly, and then chase the
referrals in the replies until it gets an answer.  In other words, DIG
will do what your DNS server should be doing.  If DIG fails, you can
see where and why.  If it succeeds, you know it's possible to do a
good lookup from the problem server.

  Maybe do the same thing on the working server.  See if they follow
different paths.

-- Ben



RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.                    172800  IN  NS  g.gtld-servers.net.
com.                    172800  IN  NS  m.gtld-servers.net.
com.                    172800  IN  NS  e.gtld-servers.net.
com.                    172800  IN  NS  j.gtld-servers.net.
com.                    172800  IN  NS  k.gtld-servers.net.
com.                    172800  IN  NS  d.gtld-servers.net.
com.                    172800  IN  NS  a.gtld-servers.net.
com.                    172800  IN  NS  c.gtld-servers.net.
com.                    172800  IN  NS  f.gtld-servers.net.
com.                    172800  IN  NS  h.gtld-servers.net.
com.                    172800  IN  NS  b.gtld-servers.net.
com.                    172800  IN  NS  l.gtld-servers.net.
com.                    172800  IN  NS  i.gtld-servers.net.
;; Received 509 bytes from 192.33.4.12#53(c.root-servers.net) in 46 ms

studyisland.com.        172800  IN  NS  aldfwprdinf001.archipelagolearning.com.
studyisland.com.        172800  IN  NS  aldfwcrpinf001.archipelagolearning.com.
;; Received 147 bytes from 192.42.93.30#53(g.gtld-servers.net) in 93 ms

www.studyisland.com.    0       IN  CNAME   vip1.studyisland.com.
vip1.studyisland.com.   28800   IN  A       72.249.13.58
;; Received 72 bytes from 207.210.237.70#53(aldfwprdinf001.archipelagolearning.com) in 46 ms
===

Now, I'm not a DNS expert. But to me, this looks right because I know that 
www.studyisland.com = vip1.studyisland.com = 
72.249.13.58.

But when I use nslookup against that same DNS server, my queries still fail. I 
enabled debugging in nslookup and got this:

===
> set db2
> www.studyisland.com.
Server:  aoc-pet300.taylor.k12.fl.us
Addresses:  10.11.7.19
  10.11.7.13


Got answer:
HEADER:
opcode = QUERY, id = 8, rcode = SERVFAIL
header flags:  response, want recursion, recursion avail.
questions = 1,  answers = 0,  authority records = 0,  additional = 1

QUESTIONS:
www.studyisland.com, type = A, class = IN
ADDITIONAL RECORDS:
->  (root)
??? unknown type 41 ???
ttl = 0 (0 secs)


DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
*** aoc-pet300.taylor.k12.fl.us can't find www.studyisland.com.: Server failed
===

Found someone reporting a similar issue (but no real solution) here:

http://forums.msexchange.org/m_1800553796/printable.htm

Also, when I run nslookup I *can* resolve studyisland.com--just not
www.studyisland.com.

Still researching...
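
Added example (not part of the original thread and not any poster's code): record type 41 in the nslookup debug output above is the EDNS0 OPT pseudo-record (RFC 6891), which that nslookup build does not decode. The Python below parses a DNS message and decodes the OPT fields; the sample response is constructed to match the header shown above (id 8, SERVFAIL, one question, one additional record), and its UDP payload size of 4000 is an assumed value that the thread does not give.

```python
import struct

TYPE_A, TYPE_OPT = 1, 41
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 16: "BADVERS"}


def encode_name(name):
    """Encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a name, following compression pointers; return (name, next offset)."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if resume is None:
                resume = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", (off if resume is None else resume)


def build_message(ident, flags, qname, edns_payload=None):
    """Build a message with one A question and, optionally, an empty OPT record."""
    arcount = 0 if edns_payload is None else 1
    msg = struct.pack("!6H", ident, flags, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!2H", TYPE_A, 1)
    if edns_payload is not None:
        # OPT RR: owner = root, TYPE = 41, CLASS = UDP payload size, TTL = 0, RDLEN = 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, 0, 0)
    return msg


def parse_message(msg):
    """Return header fields, questions and any EDNS0 data found in a DNS message."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!2H", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    info = {"id": ident, "response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": an, "additional": ar, "edns": None}
    for _ in range(an + ns + ar):
        _owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            # OPT reuses the fixed RR fields: CLASS carries the sender's UDP
            # payload size; TTL packs extended RCODE (8 bits), version (8 bits),
            # the DO flag (1 bit) and 15 reserved bits.
            info["edns"] = {"udp_payload": rclass, "version": (ttl >> 16) & 0xFF,
                            "do": bool(ttl & 0x8000)}
            info["rcode"] |= (ttl >> 24) << 4     # upper 8 bits of the 12-bit RCODE
    info["rcode_name"] = RCODES.get(info["rcode"], "RCODE%d" % info["rcode"])
    return info


# Constructed sample: id 8, flags = response + RD + RA + rcode 2, one question,
# one additional OPT record. The payload size 4000 is assumed, not from the thread.
SAMPLE_RESPONSE = build_message(8, 0x8182, "www.studyisland.com.", edns_payload=4000)


def describe(msg):
    """One-line summary comparable to the nslookup debug block."""
    m = parse_message(msg)
    edns = m["edns"]
    tail = "no EDNS" if edns is None else (
        "EDNS v%d, udp payload %d, DO=%d" % (edns["version"], edns["udp_payload"], edns["do"]))
    return "id=%d rcode=%s answers=%d additional=%d; %s" % (
        m["id"], m["rcode_name"], m["answers"], m["additional"], tail)


if __name__ == "__main__":
    print(describe(SAMPLE_RESPONSE))
```

The `ttl = 0` that nslookup prints under the unknown record is this packed field: extended RCODE 0, EDNS version 0 and the DO flag clear.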



RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.



RE: DNS Lookup Failing for One Address

2012-08-15 Thread Michael B. Smith
Your DC has multiple IP addresses?


RE: DNS Lookup Failing for One Address

2012-08-15 Thread Ziots, Edward
Are the root hints on that DNS correct, as compared to the other DNS
servers? Can you resolve the DNS roots?  Because it's trying to go to
.com on root first and then to studyisland but it's not even getting to
.com DNS root, in your db2 switch debug.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

 


RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us]<mailto:[mailto:john.hornbuc...@taylor.k12.fl.us]>
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.   172800  IN  NS  g.gtld-servers.net.
com.   172800  IN  NS  m.gtld-servers.net.
com.   172800  IN  NS  e.gtld-servers.net.
com.   172800  IN  NS  j.gtld-servers.net.
com.   172800  IN  NS  k.gtld-servers.net.
com.   172800  IN  NS  d.gtld-servers.net.
com.   172800  IN  NS  a.gtld-servers.net.
com.   172800  IN  NS  c.gtld-servers.net.
com.   172800  IN  NS  f.gtld-servers.net.
com.   172800  IN  NS  h.gtld-servers.net.
com.   172800  IN  NS  b.gtld-servers.net.
com.   172800  IN  NS  l.gtld-servers.net.
com.   172800  IN  NS  i.gtld-servers.net.
;; Received 509 bytes from 192.33.4.12#53(c.root-servers.net) in 46 ms

studyisland.com.   172800  IN  NS  aldfwprdinf001.archipelagolearning.com.
studyisland.com.   172800  IN  NS  aldfwcrpinf001.archipelagolearning.com.
;; Received 147 bytes from 192.42.93.30#53(g.gtld-servers.net) in 93 ms

www.studyisland.com.   0   IN  CNAME   vip1.studyisland.com.
vip1.studyisland.com.   28800   IN  A   72.249.13.58
;; Received 72 bytes from 207.210.237.70#53(aldfwprdinf001.archipelagolearning.com) in 46 ms
===

Now, I'm not a DNS expert. But to me, this looks right because I know that 
www.studyisland.com = vip1.studyisland.com = 
72.249.13.58.

But when I use nslookup against that same DNS server, my queries still fail. I 
enabled debugging in nslookup and got this:

===
> set db2
> www.studyisland.com.
Server:  aoc-pet300.taylor.k12.fl.us
Addresses:  10.11.7.19
  10.11.7.13


Got answer:
HEADER:
opcode = QUERY, id = 8, rcode = SERVFAIL
header flags:  response, want recursion, recursion avail.
questions = 1,  answers = 0,  authority records = 0,  additional = 1

QUESTIONS:
www.studyisland.com, type = A, class = IN
ADDITIONAL RECORDS:
->  (root)
??? unknown type 41 ???
ttl = 0 (0 secs)


DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
*** aoc-pet300.taylor.k12.fl.us can't find www.studyisland.com.: Server failed
===

Found someone reporting a similar issue (but no real solution) here:

http://forum

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Kennedy, Jim
I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John


RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly - I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.


RE: DNS Lookup Failing for One Address

2012-08-15 Thread Free, Bob
AKA fishing lesson :)

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 7:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.


RE: DNS Lookup Failing for One Address

2012-08-15 Thread Kennedy, Jim
Yep, and I prefer it that way.

From: Free, Bob [mailto:r...@pge.com]
Sent: Wednesday, August 15, 2012 10:49 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

AKA fishing lesson :)


RE: DNS Lookup Failing for One Address

2012-08-15 Thread Kennedy, Jim
Well, since you are desperate. :)  Remove one of the addresses, bounce the DC 
and retest.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:44 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly - I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John



RE: DNS Lookup Failing for One Address

2012-08-15 Thread Michael B. Smith
While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly - I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


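What the network trace suggested above would be checked for, as an added example that is not part of the original thread: pair each DNS query with its reply and flag replies that come back from a different address than the one queried, plus queries that never get a usable reply. The client address 10.11.7.50, the ports, timestamps and row layout are constructed; the two server addresses and the 2-second timeout are the ones in the nslookup output earlier in the thread.

```python
from collections import namedtuple

# One row per UDP/53 packet, as exported from a capture (layout is an assumption).
Pkt = namedtuple("Pkt", "ts src sport dst dport txid is_response")


def audit_dns_flows(packets, timeout=2.0):
    """Return (kind, txid, detail) findings for a list of Pkt rows.

    A strict client only accepts a reply whose source address and port equal
    the destination of its query and whose transaction id matches.
    """
    pending = {}    # (client ip, client port, txid) -> outstanding query
    findings = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if not p.is_response:
            pending[(p.src, p.sport, p.txid)] = p
            continue
        key = (p.dst, p.dport, p.txid)
        q = pending.get(key)
        if q is None:
            findings.append(("unsolicited-reply", p.txid, f"{p.src} -> {p.dst}"))
        elif (p.src, p.sport) != (q.dst, q.dport):
            # Reply left from another address of a multi-homed server (or took
            # another path); the query stays pending because it is ignored.
            findings.append(("source-mismatch", p.txid,
                             f"asked {q.dst}, answered by {p.src}"))
        elif p.ts - q.ts > timeout:
            findings.append(("late-reply", p.txid, f"{p.ts - q.ts:.1f}s"))
            del pending[key]
        else:
            del pending[key]
    for q in pending.values():
        findings.append(("no-valid-reply", q.txid, f"{q.src} -> {q.dst}"))
    return findings


# Constructed trace summary: txid 7 is a clean exchange, txid 8 is answered
# from the server's other address, txid 9 is answered after the timeout.
SAMPLE_TRACE = [
    Pkt(0.000, "10.11.7.50", 50001, "10.11.7.13", 53, 7, False),
    Pkt(0.015, "10.11.7.13", 53, "10.11.7.50", 50001, 7, True),
    Pkt(1.000, "10.11.7.50", 50002, "10.11.7.19", 53, 8, False),
    Pkt(1.020, "10.11.7.13", 53, "10.11.7.50", 50002, 8, True),
    Pkt(3.000, "10.11.7.50", 50003, "10.11.7.13", 53, 9, False),
    Pkt(5.500, "10.11.7.13", 53, "10.11.7.50", 50003, 9, True),
]

if __name__ == "__main__":
    for kind, txid, detail in audit_dns_flows(SAMPLE_TRACE):
        print(f"{kind:16} id={txid}  {detail}")
```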

RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
I did disable DNS on one of the two addresses and restarted the service. No 
difference.

I haven't tried removing the whole address from the TCP/IP settings.



From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:55 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Well, since you are desperate. :)  Remove one of the addresses, bounce the DC 
and retest.

From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us]<mailto:[mailto:john.hornbuc...@taylor.k12.fl.us]>
Sent: Wednesday, August 15, 2012 10:44 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly-I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim 
[mailto:kennedy...@elyriaschools.org]<mailto:[mailto:kennedy...@elyriaschools.org]>
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us]<mailto:[mailto:john.hornbuc...@taylor.k12.fl.us]>
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith 
[mailto:mich...@smithcons.com]<mailto:[mailto:mich...@smithcons.com]>
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us]<mailto:[mailto:john.hornbuc...@taylor.k12.fl.us]>
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us]<mailto:[mailto:john.hornbuc...@taylor.k12.fl.us]>
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com<http://www.studyisland.com>. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com<http://www.studyisland.com>
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.   172800  IN  NS  g.gtld-servers.net.
com.   172800  IN  NS  m.gtld-servers.net.
com.   172800  IN  NS  e.gtld-servers.net.
com.   172800  IN  NS  j.gtld-servers.net.
com.   172800  IN  NS  k.gtld-servers.net.
com.   172800  IN  NS  d.gtld-servers.net.
com.   172800  IN  NS  a.gtld-servers.net.
com.   172800  IN  NS  c.gtld-servers.net.
com.   172800  IN  NS  f.gtld-servers.net.
com.   172800  IN  NS  h.gtld-servers.net.
com.   172800  IN  NS  b.gtld-servers.net.
com.17280

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Kennedy, Jim
Another option is to set up conditional forwarding on the 'bad' dns server to 
one of your 'good' dns servers for just studyisland.com

That way you will be out of the business of manually working on that zone as 
studyisland moves or changes things.


From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 11:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly - I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net

RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
Alas, network traces are outside of my skillset. I may have to bring in outside 
help for that. I'm a technology generalist - lots of breadth, less depth.

If I wanted to host the domain locally... I would just go to Forward Lookup 
Zones, right-click, select "New Zone", and go from there? With us being 
AD-integrated, this won't screw anything up?

I'll read the link you sent, too. Thanks for that.



From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 11:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly - I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   1

RE: DNS Lookup Failing for One Address

2012-08-15 Thread David Lum
Wow, it would never, ever occur to me to give a DC multiple IP addresses. 
Multiple NICs, yes, but teamed. Amazing that it's supported, but that just 
may be my ignorance due to my SMB-scale focus.

I need to work with Ken and experience big environments!

Dave

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 8:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly - I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN 

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Ziots, Edward
I can look at a network trace for you, if you want to send it over, I
have done it for others on the list to help them out with problems, and
it's good practice.

 

Z

 

Edward E. Ziots, CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 11:12 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Alas, network traces are outside of my skillset. I may have to bring in
outside help for that. I'm a technology generalist - lots of breadth, less
depth.

 

If I wanted to host the domain locally... I would just go to Forward
Lookup Zones, right-click, select "New Zone", and go from there? With us
being AD-integrated, this won't screw anything up?

 

I'll read the link you sent, too. Thanks for that.

 

 

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, August 15, 2012 11:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

While officially supported, having multiple IP addresses on a single DC
is not recommended and has caused problems all the way back to NT 3.5.

 

If you just want to make this work - host the domain locally. Create it
in your DNS servers. Probably the quickest way to fix the problem.

 

Meinolf Weber wrote a very lengthy response to someone's question, a few
years ago, about what can go wrong on a DC with multiple IP addresses.
Took me a few minutes to find it, link below. Much of it doesn't apply
in your case, of course, but still a worthwhile read.

 

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

 

I can surmise that what is happening here is that you are having to talk
to a server that doesn't like asynchronous routing of DNS replies and
requests. That's becoming more and more common as DNS spoofing becomes
more and more common. Couldn't verify that without a network trace
(wireshark / netmon). I probably would've done that by now and if you
really want to track the issue down, that's the next best step IMO.

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

And I did consider that.

 

:)

 

However, (A.) this server's configuration hasn't changed in the years
since it was deployed, (B.) we've done the same thing at our other sites
that aren't having problems, and (C.) DNS is working 100% correctly at
the site in question except for the failure of lookups against this one
single domain name.

 

So while I'm open to all possibilities (honestly - I'm getting desperate),
my gut instinct is that this isn't the cause of the problem.

 

 

John

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

I have a theory. Often when Mr. Smith asks a question he isn't looking
for an answer to that question, he is pointing you towards the answer
for your problem.

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Yup. When we decommissioned the old server this server replaced, some
devices were still looking for it for DNS (they had static settings). So
we assigned the old server's address to the new one as a second address.

 

 

John

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Your DC has multiple IP addresses?

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Oh, and to add... Each of my sites has its own DNS server. All other DNS
servers are resolving this address fine. All servers are behind the same
firewall.

 

Curiouser and curiouser.

 

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Per the suggestions from the list, I put dig on my squirrely DNS server
and ran dig +trace www.studyisland.com. Results are:

 

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.

. 
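
The checks a network trace would be read against, as an added example that is not part of any list member's message: a resolver hardened against spoofing accepts a UDP reply only if it comes back on the same address and port pair the query used, with the same transaction ID and question. The packets are constructed; 10.11.7.13 and 198.153.192.1 come from the thread, while the second local address 10.11.7.99, the ports and the 192.0.2.x addresses are assumptions.

```python
"""Reply-acceptance checks of a spoofing-hardened DNS client (added example)."""
import struct

QTYPE_A, QCLASS_IN = 1, 1

SERVER = ("198.153.192.1", 53)        # forwarder named in the thread
LOCAL = ("10.11.7.13", 50000)         # server address from the thread; port constructed
SECOND_LOCAL = ("10.11.7.99", 50000)  # constructed stand-in for a second address
OTHER_SOURCE = ("192.0.2.53", 53)     # constructed unrelated sender


def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name):
    """Standard recursive A query: RD flag set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_reply(query, txid=None):
    """Constructed reply: echoes the question and adds one A record."""
    qid = struct.unpack("!H", query[:2])[0] if txid is None else txid
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    return header + query[12:] + answer + bytes([192, 0, 2, 10])


def parse_question(msg):
    """Return (txid, flags, qname, qtype, qclass) for the single question."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of packet")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(msg):
            raise ValueError("bad label in question")
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("question type/class missing")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, qclass


def check_reply(sent, reply):
    """Return the reasons to drop a reply; an empty list means accept it."""
    reasons = []
    if reply["src"][0] != sent["server"][0]:
        reasons.append("src-addr")      # not the server that was queried
    if reply["src"][1] != sent["server"][1]:
        reasons.append("src-port")
    if reply["dst"] != sent["local"]:
        reasons.append("dst")           # arrived on another local address/port
    try:
        query = parse_question(sent["payload"])
        answer = parse_question(reply["payload"])
    except ValueError:
        return reasons + ["malformed"]
    if answer[0] != query[0]:
        reasons.append("txid")
    if not answer[1] & 0x8000:
        reasons.append("not-response")  # QR bit clear
    if answer[2:] != query[2:]:
        reasons.append("question")      # question section not echoed
    return reasons


QUERY = build_query(0x1A2B, "www.studyisland.com")
SENT = {"payload": QUERY, "local": LOCAL, "server": SERVER}


def run_scenarios():
    """Run the constructed replies through check_reply."""
    good = build_reply(QUERY)
    cases = {
        "matching reply": {"payload": good, "src": SERVER, "dst": LOCAL},
        "reply from another source": {"payload": good, "src": OTHER_SOURCE, "dst": LOCAL},
        "reply to second local address": {"payload": good, "src": SERVER, "dst": SECOND_LOCAL},
        "wrong transaction id": {"payload": build_reply(QUERY, txid=0x9999), "src": SERVER, "dst": LOCAL},
        "truncated packet": {"payload": good[:20], "src": SERVER, "dst": LOCAL},
    }
    return {name: check_reply(SENT, reply) for name, reply in cases.items()}


if __name__ == "__main__":
    for name, reasons in run_scenarios().items():
        print(f"{name:32} {'accept' if not reasons else 'drop: ' + ', '.join(reasons)}")
```

In a capture, the same comparison is made by eye: pair each outgoing query with the reply carrying its transaction ID and compare the two address and port pairs.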

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Michael B. Smith
To David's point - except when used in bonding (for failover) - most big 
environments would avoid this with a 10-foot pole. The behavior can seem quite 
non-deterministic and can be difficult to debug.

From: Webster [mailto:webs...@carlwebster.com]
Sent: Wednesday, August 15, 2012 11:34 AM
To: NT System Admin Issues
Subject: Re: DNS Lookup Failing for One Address

Your commute to work with Ken would be brutal!



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: David Lum <david@nwea.org>
Subject: RE: DNS Lookup Failing for One Address

Wow, it would never, ever occur to me to give a DC multiple IP addresses. 
Multiple NICs, yes, but teamed. Amazing that it's supported, but that just 
may be my ignorance due to my SMB-scale focus.

I need to work with Ken and experience big environments!



RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
And we have a winner!!!

So, I was totally unfamiliar with conditional forwarding. I just tried what you 
suggested, and voila - it works.

I realize this is a workaround, and I still want to tackle the root of the 
problem. But this at least buys me some time.



From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 11:09 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Another option is to set up conditional forwarding on the 'bad' dns server to 
one of your 'good' dns servers for just studyisland.com

That way you will be out of the business of manually working on that zone as 
studyisland moves or changes things.


From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 11:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly - I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-

Re: DNS Lookup Failing for One Address

2012-08-15 Thread Kurt Buff
If you don't have any old equipment with static listings of the older
IP address of the DC, remove the older IP address.

If you do have older equipment with static listings, but don't have
any newer equipment with static listings, and want to preserve the old
address, then during off-hours remove the newer address and reboot.

If you have different sets of equipment that points to both addresses,
you'll need to fix one or the other set of equipment.

Kurt

On Wed, Aug 15, 2012 at 9:14 AM, John Hornbuckle
 wrote:
> And we have a winner!!!
>
>
>
> So, I was totally unfamiliar with conditional forwarding. I just tried what
> you suggested, and voila—it works.
>
>
>
> I realize this is a workaround, and I still want to tackle the root of the
> problem. But this at least buys me some time.
>
>
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 15, 2012 11:09 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Another option is to set up conditional forwarding on the ‘bad’ dns server
> to one of your ‘good’ dns servers for just studyisland.com
>
>
>
> That way you will be out of the business of manually working on that zone as
> studyisland moves or changes things.
>
>
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, August 15, 2012 11:06 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> While officially supported, having multiple IP addresses on a single DC is
> not recommended and has caused problems all the way back to NT 3.5.
>
>
>
> If you just want to make this work – host the domain locally. Create it in
> your DNS servers. Probably the quickest way to fix the problem.
>
>
>
> Meinolf Weber wrote a very lengthy response to someone’s question, a few
> years ago, about what can go wrong on a DC with multiple IP addresses. Took
> me a few minutes to find it, link below. Much of it doesn’t apply in your
> case, of course, but still a worthwhile read.
>
>
>
> http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html
>
>
>
> I can surmise that what is happening here is that you are having to talk to
> a server that doesn’t like asynchronous routing of DNS replies and requests.
> That’s becoming more and more common as DNS spoofing becomes more and more
> common. Couldn’t verify that without a network trace (wireshark / netmon). I
> probably would’ve done that by now and if you really want to track the issue
> down, that’s the next best step IMO.
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 10:43 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> And I did consider that.
>
>
>
> :)
>
>
>
> However, (A.) this server’s configuration hasn’t changed in the years since
> it was deployed, (B.) we’ve done the same thing at our other sites that
> aren’t having problems, and (C.) DNS is working 100% correctly at the site
> in question except for the failure of lookups against this one single domain
> name.
>
>
>
> So while I’m open to all possibilities (honestly—I’m getting desperate), my
> gut instinct is that this isn’t the cause of the problem.
>
>
>
>
>
> John
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 15, 2012 10:36 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> I have a theory. Often when Mr. Smith asks a question he isn’t looking for
> an answer to that question, he is pointing you towards the answer for your
> problem.
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 10:33 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Yup. When we decommissioned the old server this server replaced, some
> devices were still looking for it for DNS (they had static settings). So we
> assigned the old server’s address to the new one as a second address.
>
>
>
>
>
> John
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, August 15, 2012 10:05 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Your DC has multiple IP addresses?
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 9:08 AM
>
>
> To: NT Syst

RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
I'm going to remove the older address after hours--maybe this weekend--and see 
what happens.


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, August 15, 2012 1:10 PM
To: NT System Admin Issues
Subject: Re: DNS Lookup Failing for One Address

If you don't have any old equipment with static listings of the older IP 
address of the DC, remove the older IP address.

If you do have older equipment with static listings, but don't have any newer 
equipment with static listings, and want to preserve the old address, then 
during off-hours remove the newer address and reboot.

If you have different sets of equipment that points to both addresses, you'll 
need to fix one or the other set of equipment.

Kurt

On Wed, Aug 15, 2012 at 9:14 AM, John Hornbuckle 
 wrote:
> And we have a winner!!!
>
>
>
> So, I was totally unfamiliar with conditional forwarding. I just tried
> what you suggested, and voila—it works.
>
>
>
> I realize this is a workaround, and I still want to tackle the root of
> the problem. But this at least buys me some time.
>
>
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 15, 2012 11:09 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Another option is to set up conditional forwarding on the ‘bad’ dns
> server to one of your ‘good’ dns servers for just studyisland.com
>
>
>
> That way you will be out of the business of manually working on that
> zone as studyisland moves or changes things.
>
>
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, August 15, 2012 11:06 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> While officially supported, having multiple IP addresses on a single
> DC is not recommended and has caused problems all the way back to NT 3.5.
>
>
>
> If you just want to make this work – host the domain locally. Create
> it in your DNS servers. Probably the quickest way to fix the problem.
>
>
>
> Meinolf Weber wrote a very lengthy response to someone’s question, a
> few years ago, about what can go wrong on a DC with multiple IP
> addresses. Took me a few minutes to find it, link below. Much of it
> doesn’t apply in your case, of course, but still a worthwhile read.
>
>
>
> http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html
>
>
>
> I can surmise that what is happening here is that you are having to
> talk to a server that doesn’t like asynchronous routing of DNS replies
> and requests.
> That’s becoming more and more common as DNS spoofing becomes more and
> more common. Couldn’t verify that without a network trace (wireshark /
> netmon). I probably would’ve done that by now and if you really want
> to track the issue down, that’s the next best step IMO.
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 10:43 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> And I did consider that.
>
>
>
> :)
>
>
>
> However, (A.) this server’s configuration hasn’t changed in the years
> since it was deployed, (B.) we’ve done the same thing at our other
> sites that aren’t having problems, and (C.) DNS is working 100%
> correctly at the site in question except for the failure of lookups
> against this one single domain name.
>
>
>
> So while I’m open to all possibilities (honestly—I’m getting
> desperate), my gut instinct is that this isn’t the cause of the problem.
>
>
>
>
>
> John
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 15, 2012 10:36 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> I have a theory. Often when Mr. Smith asks a question he isn’t looking
> for an answer to that question, he is pointing you towards the answer
> for your problem.
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 10:33 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Yup. When we decommissioned the old server this server replaced, some
> devices were still looking for it for DNS (they had static settings).
> So we assigned the old server’s address to the new one as a second address.
>
>
>
>
>
> John
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, August 15, 2012