Server loses connection with Domain - DNS issue

Question

Monday, December 19, 2011 10:04 PM

I have a Windows 2008 Application Server with SP2 which loses the ability to contact the Domain. If you start from a cold boot everything is fine for a while. GPOs are applied about every 90 minutes for a while and then after a few hours (or sometimes a day) GPOs stop applying and you can no longer logon because it can't locate a logon server.

The GPO error message indicated a possible DNS problem and further investigation did show there was a problem. When you use NSLookup and set debug on and look up the domain you get the following error messages

Truncated answer

Connect failed: Result too large

HostName.a.b.Contoso.com can't finding a.b.contoso.com: Unspecified error.

Basically the server cannot locate its Domain in DNS which explains why I am getting the GPO errors and can't logon but I can't figure out why this is occurring.

By playing with nslookup I was able to isolate the problem to retrieving the A record for certain domains. In Nslookup I did a set type=a then typed in a number of domains.

We have a number of domains and I was able to see the same error when I did a lookup on some (but not all) of the other domains. In all cases the domains that had problems had a large number of A records. Over 30 seemed to be a problem, but admittedly that isn't a scientific number. Retrieving A records from domains with a smaller number of records didn't cause any problems.

If I do a set type=txt in NSLookup and then type in the domain name of one of the domains that fails, for example a.b.contoso.com, it works just fine.

I have tried the lookups, directing NSLookup to different DNS servers and it did not make any difference. The problem seems to be in the Application server, not our DNS server.

Other servers are not exhibiting the same problems. Any ideas would be appreciated.  

Roger

All replies (21)

Wednesday, January 4, 2012 3:55 PM ✅ Answered

It seems that EDNS is blocked so while that could cause a problem, it doesn't make sense to us why it would only affect this one server. In any case, we decided to place a call to Microsoft Premier support and they came up empty also. After looking at some traces, they did not believe that it was an EDNS problem. Right now we and Microsoft Support believe this is some unexplained corruption and while we could continue to troubleshoot we think that would probably be a waste of resources. We decided to simply rebuild the server and we are no longer going to pursue a solution to the problem. If we see the problem after the server is rebuilt we will reinitiate this.

So for now, the issue can be closed. Thanks to everyone and especially Ace for their help and information. I learned a few things so this was interesting.

Roger



Tuesday, December 20, 2011 12:43 PM

Hi,

Basically this server is losing out connection to Logon server - means your DC. DC's are located using SRV records in DNS. So

1) can you check what is the primary and secondary DNS servers IP which is configured in this application server. Compare this config with other servers.

2) Are you able to reach them without any issues?

3) Is this server in a site which doesn't have a DC associated with that site?

 

Regards, Mohan R Sr. Administrator - Server Support


Tuesday, December 20, 2011 2:12 PM

Thanks for the reply. The DNS settings are correct on the server and no other servers are having problems.

You are correct in that it cannot find the SRV records but the issue here is why it can't find them. The NSLookup debug showed that it was because it could not even enumerate the A records. It was when I attempted to get the A records for the Domain name, that I got the error. All other records for the domain could be retrieved. For example, I could retrieve the TXT and AAAA record for the domain. So in answer to Question 2, I can reach the DC and the DNS server. In this case actually the DC and DNS server are the same and it is the one answering the Queries.

The site has its own DCs although again I am pretty sure this isn't a DC problem. As I mentioned, In NSLookup, I can select a DNS server in another site and issue the same lookup on the Domain A record and get the same error.

The error message implies that the Packet is too big which partially makes sense because of the number of A records retrieved. I even tried NsLookup forcing TCP instead of UDP and got the same result.

The strange part is that the server starts out working just fine after a reboot. There are many other servers in the same site and no others are having this problem. Also this only started happening recently and we are not aware of any changes (it's a big environment so unknown changes are a possibility but not likely).

Thanks.

Roger


Tuesday, December 20, 2011 2:25 PM

One other piece of information. The problem occurs when I do the same lookup on other domains which have a lot of A records from this server. This is the sequence in NSLookup

NSLookup

Set Debug
Set nosearch
set type=a

a.b.Contoso.com

c.d.Contoso.com

 

The first one is the domain that the server is in and it fails with the Truncated error. The second one is another domain. If the domain has a large number of A records it fails. If the other Domain has a few A records, it succeeds.

This further suggests that the problem isn't in the DC for this domain. The problem is in the server or possibly network to the server.

Roger


Tuesday, December 20, 2011 3:21 PM

Hi Roger,

Thanks for clarifying. I'm actually trying to figure out why this server is losing communications with DC's. Trying to get A records, I never tried this.

What I can figure out is, the server is unable to contact \domain\sysvol whenever this is happening, hence policies are not applying properly. I had a similar issue once, I was able to login fine but GPOs were not applied properly, after the reboot it was fine and never happened again.

So, if this is happening very frequently in your environment and you're not even able to logon then this is definitely because your DC is unavailable. In other words DNS is unavailable so that it can't locate the DC. In your case it's AD integrated DNS. When you cold boot, is it taking a long time saying "applying computer settings"? Then when you try to logon it is saying "NO Dc's available to process your logon requests"? It could be a network issue as well. For us, the main thing is, we should be authenticated properly to a DC first. Something is preventing us from communicating with a DC. It's time to figure out what it is. Is there any other server in the same subnet (next to its IP) that has any issues? This should help us to find out if there is a n/w issue.

 

Regards, Mohan R Sr. Administrator - Server Support


Tuesday, December 20, 2011 5:49 PM

Mohan,

I think you are looking too far into the process. The following article describes the Domain lookup process

http://support.microsoft.com/kb/247811

You will see early on in the process it says that it queries DNS to get the SRV records and the A records. Actually I think it queries for the A records first so that it knows which Servers are hosting Directory services. Then it finds the SRV records so it can go on with the Domain location process. If it can't find the A records, it can't go any further. This is the situation we are having. That's why I am pretty sure this isn't a DC problem. When the server asks "Who is hosting my Domain", DNS responds with a packet that is truncated which results in a failed request.

Again, it can find A records for some domains and it can finds other record types for the Domain in question. DNS is definitely available and the DNS server on the DC is answering queries. In fact it answers queries for every record other than the A record for the domain in question (and a few other domains with more than 30 A records).

No other servers are reporting problems and this is a large production Data Center.

Roger


Wednesday, December 21, 2011 2:35 PM

Hi Roger,

I should've put it a little more clearly. If you read my first line, you could see "trying to figure out why this server is losing communications with DC's". In all the places I meant to explain the same thing.

Can you check from n/w perspective if anything is blocking the communication between this server and DNS.

 

Regards, Mohan R Sr. Administrator - Server Support


Wednesday, December 21, 2011 3:53 PM

Sorry didn't understand your question.

The answer to your question is there is nothing obvious blocking communication between this server and DNS. This is proven by the NSLookup and in fact why I used NSLookup -- to prove connectivity to the DNS server. The NSLookup is able to talk to the server's primary DNS server and get answers. It can also talk to other DNS servers if you explicitly select them in NSLookup. This is true even if you use a DNS server in another site. In all cases the results are the same. If you request A records for a Domain which has a lot of A records it will get the Truncated/Error message regardless of which DNS server you select. Even when it gets the message, it shows that the DNS server answered so I am reasonably certain the network connectivity is present to the DNS server.

I looked a little more at the logs and found that the problem seems to occur about 12 hours after the server is rebooted. Sometimes a little less but generally in the 12 hour range. Up until that time everything is fine. Group Policies are being applied successfully about every 90 minutes for about 12 hours and then all of a sudden start failing due to the DNS problem. At that point you can no longer log on using Domain credentials and when you log on locally you see the NSLookup problems I described. A simple reboot clears the problem.

Roger


Wednesday, December 21, 2011 6:24 PM

I believe there is one of three possibilities that may be going on.

1. The machines are using a mixture of internal and external DNS addresses in their NIC properties. The term "external" refers to using the router as a DNS address, too. External in our case means a DNS server that does not host the internal AD zone name. This is problematic, if it is the case.

If you can post an ipconfig /all from the DC/DNS server and from the querying client machine, we can evaluate and make recommendations if we see anything amiss. Note - it's not just IP addresses and DNS addresses we're looking for.

2. One other possibility I believe is EDNS0 is limited between the client and DNS server. EDNS0 allows larger than UDP 512 bytes to return for a query. This is evident in zone data responses that have larger than 512 bytes in the answer. Many firewalls block it if not configured to allow it, or do not support it (as in some of the older firewalls with old firmware).

3. The third possibility is both the above.

 

Was EDNS0 ever disabled on the domain controllers or any machine?

To test if EDNS0 is a factor, you can run nslookup in TCP mode by switching it to TCP (it uses UDP by default) by typing in:

set vc

Then run the query. If it returns the result correctly without getting the 'truncated' error, then it means EDNS0 is blocked.

 

You can also test this with internet resolution by running the following to find out what the router/firewall supports:

Here's a quick command to test if there's an EDNS0 restriction in your firewall:
nslookup -type=TXT rs.dns-oarc.net

Look for the part in the response that says, " ...DNS reply size limit is at least xxxx." The xxxx is what it will support. If it's under 512, then it is blocking EDNS0 or the Forwarder you are using is blocking or not allowing/configured to use EDNS0.

One way to overcome firewall EDNS0 lack of support is to use a Forwarder, which will bypass the limitation.

 

More on EDNS0:

What is EDNS0? (Extension mechanisms for DNS)
http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx

 

Ace

 

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.
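
The 512-byte UDP limit and the truncation described in this reply can be reproduced offline at the wire-format level. The following is an added example, not part of the original thread: a simplified model of a DNS server answering an A query for a domain name over UDP, with and without an EDNS0 OPT record in the query. The function names, the constructed 10.0.0.x addresses and the 600-second TTL are assumptions.

```python
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
CLASSIC_UDP_LIMIT = 512   # RFC 1035 maximum when the query has no EDNS0 OPT record
OPT_LEN = 11              # root name (1) + type, class, TTL, RDLENGTH (10)


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, edns_payload=None, txid=0x1234):
    """Build an A query; edns_payload appends an OPT record advertising that size."""
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns_payload else 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns_payload:
        # OPT: root owner name, TYPE 41, CLASS carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, 0, 0)
    return msg


def question_end(msg):
    """Return the offset just past the single question (name, type, class)."""
    pos = 12
    while msg[pos] != 0:
        pos += msg[pos] + 1
    return pos + 1 + 4


def advertised_limit(query):
    """UDP size the client accepts: the OPT class field, or 512 without EDNS0."""
    opt = query[question_end(query):]
    if len(opt) < OPT_LEN:
        return CLASSIC_UDP_LIMIT
    rtype, size = struct.unpack("!HH", opt[1:5])
    return max(size, CLASSIC_UDP_LIMIT) if rtype == TYPE_OPT else CLASSIC_UDP_LIMIT


def build_udp_response(query, addresses):
    """Simplified server: add A records until the limit is hit, then set TC."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = question_end(query)
    question, opt = query[12:qend], query[qend:]   # OPT echoed back (simplification)
    limit = advertised_limit(query)
    flags, answers, count = FLAG_QR | FLAG_RD | FLAG_RA, b"", 0
    for addr in addresses:
        # Owner name is a 2-byte compression pointer to the question name (0xC00C),
        # so each A record costs 16 bytes on the wire.
        rr = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 600, 4) + bytes(addr)
        if 12 + len(question) + len(answers) + len(rr) + len(opt) > limit:
            flags |= FLAG_TC        # client is expected to retry over TCP
            break
        answers += rr
        count += 1
    header = struct.pack("!HHHHHH", txid, flags, 1, count, 0, 1 if opt else 0)
    return header + question + answers + opt


def parse_response(msg):
    """Read the header fields a troubleshooter cares about: TC bit and answer count."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return {"truncated": bool(flags & FLAG_TC), "answers": ancount, "size": len(msg)}


def lookup(name, record_count, edns_payload=None):
    """Query a name that has record_count constructed A records (max 254)."""
    addresses = [(10, 0, 0, i) for i in range(1, record_count + 1)]  # constructed data
    return parse_response(build_udp_response(build_query(name, edns_payload), addresses))


if __name__ == "__main__":
    for n, edns in [(29, None), (35, None), (35, 4096)]:
        print(n, "records, EDNS0 size", edns, "->", lookup("a.b.contoso.com", n, edns))
```

For a.b.contoso.com the header and question take 33 bytes and each A record 16, so 29 records fit in 512 bytes and the 30th sets the TC bit, which lines up with the "over 30" observation in the question. A real server may also add authority or additional records, so the threshold seen in practice can be lower.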


Wednesday, December 21, 2011 10:00 PM

Ace,

 

Thank you for the reply. This is starting to make sense. I ran your test for EDNS0 and found that it came back with "198.36.86.68 DNS reply size limit is at least 490" which seems to indicate that EDNS0 is disabled. In addition, I read your article and the part about the 512 bytes seems to be consistent with the behavior - i.e. I only get problems when it queries a domain with a large number of A records which translates into a large packet size.

In any case,  getting IP config on the server is difficult as I don't have rights to that server. On the client I put the IPConfig at

https://skydrive.live.com/redir.aspx?cid=331c55b8faed6361&resid=331C55B8FAED6361!152&parid=331C55B8FAED6361!129

Right now the client server was rebooted so it is working plus someone else is trying to do some restores so things might get even more messed up. In any case, I get the idea of EDNS0 and I do think that is at the root of the problem but I am still confused on some parts.

1) Why would it start out working and start failing?

2) I don't understand how a forwarder would help the problem. In this case, everything is local and is not going to the Internet. The machine is in the same Domain as the domain being queried. The DNS server  that is answering the query is A700931.a.b.Contoso.com and the Client is A-700S513.a.b.Contoso.com.

Thanks again for your help

Roger


Wednesday, December 21, 2011 10:12 PM

It may be failing due to the first of the three DNS servers may have EDNS0 enabled, but not any of the others.

Try the following to determine which. You'll want to change nslookup's server focus and see.

nslookup                              (this puts you into interactive mode)
set q=txt                             (this sets the query type to TXT records)
server 10.130.131.92           (this changes the server focus to use this server) 
rs.dns-oarc.net                     (you're querying this FQDN)

Then change to the next server:

server 10.130.131.77           (This changes the server focus to use 10.130.131.77)
rs.dns-oarc.net

Then change to the next one:

server 10.20.188.87             (This changes the server focus to use 10.20.188.87)
rs.dns-oarc.net

 

Review the results of each. If any of them is over 512, then you know that's the one that doesn't have EDNS0 disabled and can resolve large zone data.

If all of them fail, then it's probably a block on the external firewall, that is if they are not using Forwarders. If using Forwarders, then it could be one of the forwarders and not the actual servers you're querying above.

It's hard to tell without exactly knowing how they've designed and configured everything.

Report this to your IT department to let them know of your symptoms, and the possibility of EDNS0 being the culprit, and your results from these tests.

Some departments like to disable EDNS0. I believe it shouldn't be disabled, due to obvious reasons, and possibly for internal AD zone data lookup in a large infrastructure when there are multiple, large records. It could also be that it is enabled on the DNS servers, but it's either disabled or never been configured to allow this traffic type on the firewalls.

Like I said, it depends on how everything's configured.

Ace

 

 



Thursday, December 22, 2011 9:46 AM

Excellent Ace. Such an outstanding article which clearly explains about EDNS. :) We don't have the rating feature available for your blogs? Would love to give 5 stars :)

I have one more query here, here Roger is trying to load the zone data or query the A records of his domain and he is getting "truncated error" since his DNS configured only with 490 bytes, in other words EDNS0 is disabled.

The above is part of troubleshooting he is trying to do for this issue.

I look at it this way, please correct me if I'm wrong: after 90 minutes or so, say after some time, the server is losing connectivity with DNS/DC's and policies are not applying correctly. Once the server is rebooted it clears the DNS cache and tries to contact the DC via DNS again. This time it is successfully able to reach DNS/DC without any issues and it works normally again. I could not see the SkyDrive IP addresses but I think you saw them. For me, what is confusing is, are the primary and secondary DNS servers properly configured on this server? If it is losing connectivity intermittently, there could be an issue with the network?

 

 

Regards, Mohan R Sr. Administrator - Server Support


Thursday, December 22, 2011 4:59 PM

Hi Mohan,

Thank you for the wonderful feedback!

What may be occurring with truncation is due to EDNS0 not enabled, and possibly TCP is disabled, but that would be a first for me to hear that one, because if UDP doesn't work, it switches up to TCP.

Regarding doing a restart to fix it, after a restart is required, then what *may* be going on is one of two things. First, if any of the DNS addresses listed in the ipconfig do not have a reference for the zone (does not have a copy of the zone, no forwarder, general forwarder, stub, secondary, etc), of course assuming EDNS0 has not been disabled on the server with the dnscmd command. The reason I'm thinking this, is due to the way the client side resolver service algorithm works.

Basically, if there are multiple DNS entries on a machine (whether a DC, member server or client), it will ask the first nameserver entry first. If it doesn't have an answer, such as an NXDOMAIN response (when the DNS server doesn't have a response) or a NULL response (when the DNS is down and doesn't respond), it will go to subsequent entries in the order entered after a time out period, or TTL, which can last 15 seconds or more as it keeps trying the first one, at which then it REMOVES the first entry from the eligible resolvers list, until the list is reset after 15 minutes.

In summary, if EDNS0 is disabled, or the wrong DNS servers are being used, unexpected results will occur.

DNS Client side resolver service Algorithm
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx#section5  

 

One more thing, since nslookup only uses UDP by default, you can test if truncation occurs using TCP. You can switch nslookup to use TCP instead of UDP by specifying the command, set vc (set 'virtual circuit') when in interactive mode. This changes it to use TCP.

nslookup
set vc

Using WaukeshaGeek's previous nslookup post:

NSLookup
Set d2                 (which puts it into debug)
Set nosearch
set vc
set type=a
a.b.Contoso.com

c.d.Contoso.com

 

I hope that helps!

Ace

 



Friday, December 23, 2011 8:40 AM

Thanks Ace. It is clear. Let's wait for Roger to find out more what's happening over there.

Regards, Mohan R Sr. Administrator - Server Support


Saturday, December 24, 2011 11:40 PM

Thanks for all the feedback. We are shut down for a few days so it will be a while before I can process. Plus someone else messed with the server so I may not be able to any longer duplicate the problem. There are now new problems that need to be addressed. For now I just need to do more research along the EDNS0 lines.

Roger


Monday, December 26, 2011 7:41 PM

Happy Holidays, Roger!

Let us know after you return and get a chance to run the tests.

 

Ace Fekay


Wednesday, December 28, 2011 3:41 PM

OK, Had a chance to try the tests but I am not sure exactly what I am looking at. This is what I saw

C:\Users\Administrator>nslookup
Default Server:  a700m931.ag.eu.Contoso.com
Address:  10.130.131.92

> set q=txt
> server 10.130.131.92
Default Server:  a700m931.ag.eu.Contoso.com
Address:  10.130.131.92

> rs.dns-oarc.net
Server:  a700m931.ag.eu.Contoso.com
Address:  10.130.131.92

Non-authoritative answer:
rs.dns-oarc.net canonical name = rst.x476.rs.dns-oarc.net
rst.x476.rs.dns-oarc.net        canonical name = rst.x485.x476.rs.dns-oarc.net
rst.x485.x476.rs.dns-oarc.net   canonical name = rst.x490.x485.x476.rs.dns-oarc.net
rst.x490.x485.x476.rs.dns-oarc.net      text =

        "198.36.86.68 DNS reply size limit is at least 490"
rst.x490.x485.x476.rs.dns-oarc.net      text =

        "198.36.86.68 lacks EDNS, defaults to 512"
rst.x490.x485.x476.rs.dns-oarc.net      text =

        "Tested at 2011-12-28 15:13:20 UTC"
>

But I got it on all 3 DNS servers. If the 490 and 512 returned mean that EDNS0 is turned off on all of our servers then how does it ever work? Plus there are lots of other servers in this data center which are not having problems.

Next I tried running the same query but on my workstation which is in the US (the server in question is in a datacenter in Germany). My workstation uses a completely different set of DNS servers and is in a different Domain. The results from the query on rs.dns-oarc.net were similar in that they got the same limits of 490 and 512 but everything is working fine on my workstation. The query on my workstation looked as follows

> rs.dns-oarc.net
Server:  j0200s900.Contoso.com
Address:  10.10.43.53

Non-authoritative answer:
rs.dns-oarc.net canonical name = rst.x476.rs.dns-oarc.net
rst.x476.rs.dns-oarc.net        canonical name = rst.x485.x476.rs.dns-oarc.net
rst.x485.x476.rs.dns-oarc.net   canonical name = rst.x490.x485.x476.rs.dns-oarc.net
rst.x490.x485.x476.rs.dns-oarc.net      text =

        "192.132.24.81 DNS reply size limit is at least 490"
rst.x490.x485.x476.rs.dns-oarc.net      text =

        "192.132.24.81 lacks EDNS, defaults to 512"
rst.x490.x485.x476.rs.dns-oarc.net      text =

        "Tested at 2011-12-28 15:36:51 UTC"

Finally, I tried doing a set VC and got the following

set vc
rs.dns-oarc.net
server:  a700m931.ag.eu.jci.com
address:  10.130.131.92

** a700m931.ag.eu.Contoso.com can't find rs.dns-oarc.net: Unspecified error

I did the same thing on my workstation but got the same display as when I used UDP.

I am very confused and it is obvious that I don't understand enough about DNS.

Thanks.

Roger


Wednesday, December 28, 2011 3:57 PM

OK, Had a chance to try the tests but I am not sure exactly what I am looking at. This is what I saw

C:\Users\Administrator>nslookup
Default Server:  a700m931.ag.eu.Contoso.com
Address:  10.130.131.92

> set q=txt
> server 10.130.131.92
Default Server:  a700m931.ag.eu.Contoso.com
Address:  10.130.131.92

> rs.dns-oarc.net
Server:  a700m931.ag.eu.Contoso.com
Address:  10.130.131.92

Non-authoritative answer:
rs.dns-oarc.net canonical name = rst.x476.rs.dns-oarc.net
rst.x476.rs.dns-oarc.net        canonical name = rst.x485.x476.rs.dns-oarc.net
rst.x485.x476.rs.dns-oarc.net   canonical name = rst.x490.x485.x476.rs.dns-oarc.net
rst.x490.x485.x476.rs.dns-oarc.net      text =

        "198.36.86.68 DNS reply size limit is at least 490"
rst.x490.x485.x476.rs.dns-oarc.net      text =

        "198.36.86.68 lacks EDNS, defaults to 512"
rst.x490.x485.x476.rs.dns-oarc.net      text =

        "Tested at 2011-12-28 15:13:20 UTC"
>

But I got it on all 3 DNS servers. If the 490 and 512 returned mean that EDNS0 is turned off on all of our servers then how does it ever work? Plus there are lots of other servers in this data center which are not having problems.

Next I tried running the same query but on my workstation which is in the US (the server in question is in a datacenter in Germany). My workstation uses a completely different set of DNS servers and is in a different Domain. The results from the query on rs.dns-oarc.net were similar in that they got the same limits of 490 and 512 but everything is working fine on my workstation. The query on my workstation looked as follows

> rs.dns-oarc.net
Server:  j0200s900.Contoso.com
Address:  10.10.43.53

Non-authoritative answer:
rs.dns-oarc.net canonical name = rst.x476.rs.dns-oarc.net
rst.x476.rs.dns-oarc.net        canonical name = rst.x485.x476.rs.dns-oarc.net
rst.x485.x476.rs.dns-oarc.net   canonical name = rst.x490.x485.x476.rs.dns-oarc.net
rst.x490.x485.x476.rs.dns-oarc.net      text =

        "192.132.24.81 DNS reply size limit is at least 490"
rst.x490.x485.x476.rs.dns-oarc.net      text =

        "192.132.24.81 lacks EDNS, defaults to 512"
rst.x490.x485.x476.rs.dns-oarc.net      text =

        "Tested at 2011-12-28 15:36:51 UTC"

Finally, I tried doing a set VC and got the following

set vc
rs.dns-oarc.net
server:  a700m931.ag.eu.jci.com
address:  10.130.131.92

** a700m931.ag.eu.Contoso.com can't find rs.dns-oarc.net: Unspecified error

I did the same thing on my workstation but got the same display as when I used UDP.

I am very confused and it is obvious that I don't understand enough about DNS.

Thanks.

Roger

It looks like EDNS0 is being blocked. The results you got are under 512 (in bold in the quoted text above).

As far as the "Unspecified error" after setting it to TCP (using set vc), that means TCP 53 is blocked.

Who handles the firewalls? Have you spoken to them about this?

Ace

 



Thursday, December 29, 2011 7:31 PM

Thanks. I will try and track down the right group but it will take a while. Finding the right people here is not easy.

Even if it is blocked at the firewall, I don't quite understand why that is causing the problem. The request that is failing is a request to enumerate an internal domain and I am pretty sure that there is no firewall between the server issuing the request and the DNS server servicing the request.

I did a tracert from the Server to the DNS server which is servicing the requests and it shows only 2 hops and all are internal. The DNS servicing the requests has the zone for the Domain being queried (ie. the a.b.Contoso.com zone is on the DNS Server).

I checked to see what else was on the same subnet and in the same domain and found about 25 other servers, none of which are having problems.

Finally, this server was working for quite a while until early November when this problem started occurring (Yes I know that's a long time but it took quite a while before it filtered down to us). Of course something could have changed then but I have not been able to find it and even if it was a global change, why would it affect only this server?

So even though EDNS is blocked, why does this affect just this server?

Thanks again for all your help. It is interesting learning about EDNS

Roger


Wednesday, January 4, 2012 8:57 AM

Hi,
 
I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.
 
Regards,
Rick Tan
Forum Support


Wednesday, January 4, 2012 4:14 PM

Glad to have helped to understand the problem. Please do keep us updated whether you see the problem or not on the rebuilt server.

Ace

 
