Nonapeptide · Member · May 09, 2009 at 4:47 pm · #141488
(The solution to this problem is in post #22 of this thread)
This is going to be a long post, mostly because I’ve tried everything I know how to before sending out a plea for help. :)
I have a fresh installation of Small Business Server 2008 Standard running on 8GB RAM and a 2.1 GHz 1352 AMD Opteron. It’s completely patched as of Friday the 8th of May 2009. None of my clients have yet been made domain members as I am in the process of the migration at the moment. I was hoping to get everyone looking at it for DHCP and DNS first. I don’t think that non-domain members would have a problem looking to the server for DHCP/DNS since many VPN clients will not be domain members but will still need to resolve internal names (like the local SharePoint site and file server).
Problem: Clients cannot reliably use the SBS server as a DNS server. My client PCs are running Vista Home Premium (I know, they can’t be joined to the domain… I’m working on upgrading them :) ), Vista Ultimate and XP Pro. Using the SBS server as a DHCP server, they receive a default gateway, default domain suffix and DNS server (the SBS server). Most of the time the SBS DNS server responds to client queries with “Standard query response, Server failure” either immediately without consulting the forwarders / root hints or after attempting to resolve them through forwarders and root hints. Typically if DNS results are returned to the clients it takes a very long time (by DNS standards – about 6 seconds or more). Sometimes, albeit rarely, web browsing and name resolution are lightning fast as I would expect, but that usually only lasts for one or two domains that I try to resolve. I’ve tried several different setups and options on the DNS server and seem to receive a confusing array of behavior. So far nothing has solved it. Here’s what I’ve done so far:
I first set up the DNS server portion of the SBS machine to use OpenDNS’s two forwarders and fall back on root hints if those forwarders failed. Very inconsistent results were experienced. I watched the process with Wireshark and sometimes the SBS machine would send requests to OpenDNS, sometimes it wouldn’t. Sometimes the SBS machine would receive a reply from OpenDNS and sometimes it wouldn’t. Sometimes when the SBS machine would receive a reply from OpenDNS it would pass the A record to the client and then the client would immediately make another request for an A record (making me suspect a client problem for a moment). Most often the server would simply reply with “Standard query response, server failure”.
I deleted the forwarders and moved to using root hints and watched the traffic with Wireshark. The SBS machine would query root hints servers and follow a trail of DNS servers recursively. However, it seemed that it took very long to recursively resolve queries, sometimes not receiving responses from the DNS servers at all and having to re-request A records from the DNS servers second after second. Most of the time it would eventually reply to the local client with “standard query reply, server failure”. Sometimes it wouldn’t even try to query root hints servers at all and just reply “standard query response, server failure”. At first I suspected latency on the ISP connection might be part of the problem but seemed to have ruled that out because if clients use any other DNS server, everything works swimmingly. The client PCs and the SBS machine are all on the same single subnet, VLAN and ISP link. I pathpinged various DNS servers that the SBS machine had problems with getting responses from but there wasn’t a terrible amount of latency (about 100ms).
I’ve currently changed the DHCP scope options to give everyone OpenDNS servers or sometimes our LinkSys gateway as a DNS server and everything works good as far as web browsing is concerned. Of course, I need to eventually be able to resolve internal DNS names. As soon as a client is pointed to the SBS server for DNS things go haywire. It’s so inconsistent that it’s driving me mad. Just a few minutes ago I set a client up with the SBS server as its DNS server and had the SBS server use OpenDNS forwarders and I couldn’t browse anywhere on the web. More “Server Failure” messages were seen in Wireshark on the SBS machine. I turned from that fiasco to something else (I think I perused the Petri forums for a minute or three on a machine that had different DNS settings) and then came back to the client. Suddenly I could browse! I hadn’t done anything and I was trying the same domains that I was trying previously. There is seemingly no rhyme or reason to it.
I’ve twiddled options on the SBS machine, disabling recursion, disabling securing against cache pollution (I read about that helping someone else’s somewhat similar problem with getting to co.uk domains), etc. etc. If I go into the “Monitoring” tab of the DNS server’s properties I can perform a simple query and recursive query test and both pass. I’ve checked event logs and absolutely no DNS errors are to be found. I’ve turned off the SBS machine’s Windows firewall. There is no other software firewall in place. The Kaspersky Enterprise Antivirus on the SBS machine is turned off and has never been turned on. The LinkSys RV082 firewall has no weird rules in it. In fact, only one non-default rule exists and that’s to allow external ICMP requests. No errors are being reported on the switch port that the server is plugged into. Perfmon on the server’s NIC is showing no errors of any sort so far. I turned on debug logging both with and without details on the DNS server. That’s basically just a packet capture like what I was doing with Wireshark so no new info was seen there.
This is behaving so buggy I’m tempted to do a reinstallation. I hate that kind of fix though… I’d rather find what the cause is in case it happens again. :| The only incident that I’ve had with this installation is that I accidentally installed the wrong version of Kaspersky Antivirus on this machine (it didn’t support Server 2008) and I uninstalled it a few days later. However, it was never turned on and never performed a scan.
Thank you for reading this far. Any advice would be appreciated. I’ll post some traffic samples next.