I need a little help: my Windows 2003 Server DNS service has stopped
working. This is the sole DC on a domain of about 7 systems. The DNS
Server is running on IP 192.168.2.10
Symptoms:
1. When the DNS Server service starts, the host CPU begins cycling up
to about 25% utilization. This continues until the DNS server
eventually crashes.
2. Running nslookup on the DNS Server machine as follows: "nslookup
192.168.2.10 127.0.0.1" is successful. Running the same command on a
client machine results in "*** UnKnown can't find 192.168.2.10: No
response from server". From the same machine, a ping to 192.168.2.10
works.
3. If I enable DNS logging, I get a log file that grows in size at an
alarming rate. It is full of the same entries over and over. Here is
a small sample. One thing I noticed is that the port number reported
in the "Start UDP..." lines increases throughout the log file, as if
the server code can't communicate on UDP and keeps trying other port
numbers.
20100516 14:24:19 1544 ERROR: RecvFrom() failed causing listen shutdown! status=10055, socket=500, pcon=009562B0, state=3, IP=192.168.2.10
20100516 14:24:19 1544 ERROR: RecvFrom() failed causing listen shutdown! status=10055, socket=500, pcon=009562B0, state=3, IP=192.168.2.10
20100516 14:24:19 1544 Start UDP listen failed! status=0, socket=500, pcon=009562B0, state=3, IP=192.168.2.10
20100516 14:24:19 1544 ERROR: RecvFrom() failed causing listen shutdown! status=10055, socket=6520, pcon=0097EE90, state=3, IP=0.0.0.0
20100516 14:24:19 1544 ERROR: RecvFrom() failed causing listen shutdown! status=10055, socket=6520, pcon=0097EE90, state=3, IP=0.0.0.0
20100516 14:24:19 1544 Start UDP listen failed! status=0, socket=6520, pcon=0097EE90, state=3, IP=0.0.0.0
20100516 14:24:19 1544 ERROR: RecvFrom() failed causing listen shutdown! status=10055, socket=6532, pcon=0097EF80, state=3, IP=0.0.0.0
20100516 14:24:19 1544 ERROR: RecvFrom() failed causing listen shutdown! status=10055, socket=6532, pcon=0097EF80, state=3, IP=0.0.0.0
20100516 14:24:19 1544 Start UDP listen failed! status=0, socket=6532, pcon=0097EF80, state=3, IP=0.0.0.0
I have tried disabling Windows Firewall, thinking that it might be
blocking a port that the DNS Server wants to use, but that made no
difference. In desperation I also tried reinstalling the DNS Server
from the system (remove, then add the Windows Component). But the
problem reappeared immediately.
Appreciate any help/advice!!!
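As an added Python example (not from the original post or from any Microsoft tool), a small parser for dns.log entries of the shape quoted above: it groups the repeating failures by message and status, names the Winsock code carried in status=, and checks whether the socket= values in the "Start UDP listen failed" lines keep rising, the pattern the post points out. The sample lines are constructed in the same layout with invented socket numbers; the last line was added so the rising-socket check has something to fail on.

```python
import re
from collections import Counter

# Winsock error codes that can show up in the status= field; only 10055
# appears in the thread's excerpt, the others are listed for triage.
WINSOCK_NAMES = {
    10013: "WSAEACCES (permission denied)",
    10048: "WSAEADDRINUSE (address already in use)",
    10054: "WSAECONNRESET (connection reset by peer)",
    10055: "WSAENOBUFS (no buffer space available)",
}

# Constructed sample, one dns.log entry per line; socket numbers invented.
SAMPLE_LOG = """\
20100516 14:24:19 1544 ERROR: RecvFrom() failed causing listen shutdown! status=10055, socket=500, pcon=009562B0, state=3, IP=192.168.2.10
20100516 14:24:19 1544 ERROR: RecvFrom() failed causing listen shutdown! status=10055, socket=500, pcon=009562B0, state=3, IP=192.168.2.10
20100516 14:24:19 1544 Start UDP listen failed! status=0, socket=500, pcon=009562B0, state=3, IP=192.168.2.10
20100516 14:24:19 1544 ERROR: RecvFrom() failed causing listen shutdown! status=10055, socket=6520, pcon=0097EE90, state=3, IP=0.0.0.0
20100516 14:24:19 1544 Start UDP listen failed! status=0, socket=6520, pcon=0097EE90, state=3, IP=0.0.0.0
20100516 14:24:20 1544 ERROR: RecvFrom() failed causing listen shutdown! status=10055, socket=6532, pcon=0097EF80, state=3, IP=0.0.0.0
20100516 14:24:20 1544 Start UDP listen failed! status=0, socket=6532, pcon=0097EF80, state=3, IP=0.0.0.0
20100516 14:24:20 1544 Start UDP listen failed! status=0, socket=6512, pcon=0097EF80, state=3, IP=0.0.0.0
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d\d:\d\d:\d\d) (?P<tid>\d+) (?P<body>.+)$")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_dns_log(text):
    """Split each dns.log line into timestamp, thread, message and the
    key=value fields that follow the message text."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        is_error = body.startswith("ERROR: ")
        if is_error:
            body = body[len("ERROR: "):]
        first = KV_RE.search(body)          # message ends at first key=value
        message = body[:first.start()].strip() if first else body.strip()
        fields = dict(KV_RE.findall(body))
        records.append({
            "timestamp": m.group("date") + " " + m.group("time"),
            "thread": int(m.group("tid")),
            "error": is_error,
            "message": message,
            "status": int(fields.get("status", "0")),
            "socket": int(fields.get("socket", "0")),
            "ip": fields.get("IP"),
        })
    return records


def summarize(records):
    """Aggregate the repeating failures the way a first triage pass would."""
    by_message = Counter((r["message"], r["status"]) for r in records)
    listen_sockets = [r["socket"] for r in records
                      if r["message"].startswith("Start UDP listen failed")]
    # True when every listen failure reports a higher socket than the last
    rising = all(a < b for a, b in zip(listen_sockets, listen_sockets[1:]))
    statuses = {r["status"] for r in records if r["status"]}
    return {
        "by_message": by_message,
        "listen_failures": len(listen_sockets),
        "sockets_rising": rising,
        "distinct_sockets": len({r["socket"] for r in records}),
        "status_names": {s: WINSOCK_NAMES.get(s, "unknown") for s in statuses},
    }


if __name__ == "__main__":
    report = summarize(parse_dns_log(SAMPLE_LOG))
    for (msg, status), n in report["by_message"].most_common():
        print(f"{n:4d} x {msg} (status={status})")
    print("status codes:", report["status_names"])
    print("listen failures:", report["listen_failures"],
          "sockets rising:", report["sockets_rising"])
```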
Do you use SP2 and the latest patches on the DC/DNS server? Please post an
unedited ipconfig /all from the DC/DNS server.
To understand you correctly: you have uninstalled the DNS server role from
the DC and then reinstalled it?
Do you have errors in the event viewer? If yes, please post the complete one.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello, and thank you for responding so quickly!
> Do you use SP2 and the latest patches on the DC/DNS server?
The DNS server host is Windows Server 2003 with SP2 applied. I try to
be diligent in making sure all the latest patches are installed by
running Windows Update regularly.
> Please post an unedited ipconfig /all from the DC/DNS server.
Here is the captured output of ipconfig /all:
C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : rachel
Primary Dns Suffix . . . . . . . : 8Heidi.net
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : 8Heidi.net
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : 8Heidi.net
Description . . . . . . . . . . . : SiS 900 PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-14-85-6E-16-38
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.10
71.243.0.12
C:\>
The 71.243.0.12 is a public DNS server.
> To understand you correct, you have uninstalled the DNS server role from
> the DC and then reinstalled it?
I went into Add/Remove Programs from Control Panel, selected Add/Remove
Windows Components, selected Network Services from the list, deselected
DNS Service from the list, clicked OK all the way out. I then confirmed
that there was no longer a DNS Server service listed in the Services
MMC. I also checked to see that the DNS registry settings were
gone...they were. I then went through the same steps, this time
selecting DNS Server, and reinstalled from the CD.
Unfortunately this did not change anything in terms of the problem.
> Do you have errors in the event viewer? If yes, please post the complete one.
There are 2 application errors currently in my Application event log.
Each of these seems to correspond to an instance of the DNS Server
service crashing. Their contents are:
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 5/16/2010
Time: 2:26:17
User: N/A
Computer: RACHEL
Description:
Faulting application dns.exe, version 5.2.3790.4460, faulting module
msvcrt.dll, version 7.0.3790.3959, fault address 0x00038e21.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 5/15/2010
Time: 11:08:23
User: N/A
Computer: RACHEL
Description:
Faulting application dns.exe, version 5.2.3790.4460, faulting module
dns.exe, version 5.2.3790.4460, fault address 0x00018932.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
There also is one event in the System event log:
Event Type: Warning
Event Source: NETLOGON
Event Category: None
Event ID: 5781
Date: 5/16/2010
Time: 1:26:38
User: N/A
Computer: RACHEL
Description:
Dynamic registration or deletion of one or more DNS records associated
with DNS domain '8Heidi.net.' failed. These records are used by other
computers to locate this server as a domain controller (if the
specified domain is an Active Directory domain) or as an LDAP server
(if the specified domain is an application partition).
Possible causes of failure include:
- TCP/IP properties of the network connections of this computer
contain wrong IP address(es) of the preferred and alternate DNS
servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not
running
- Preferred or alternate DNS servers are configured with wrong root
hints
- Parent DNS zone contains incorrect delegation to the child zone
authoritative for the DNS records that failed registration
USER ACTION
Fix possible misconfiguration(s) specified above and initiate
registration or deletion of the DNS records by running
'nltest.exe /dsregdns' from the command prompt or by restarting
Net Logon service. Nltest.exe is available in the Microsoft Windows
Server Resource Kit CD.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00 *#..
I don't know if this would make any difference but I should mention
that the DC is connected to the rest of the domain through a second
wireless router configured as a wireless bridge, i.e. the "main"
wireless router is configured as usual, the second router is bridged
to the first.
With all of the RecvFrom() and UDP failures that pour into the log, I
can't help but suspect I have misconfigured the networking somewhere,
but I have no idea where to start looking.
Thanks again!
Remove the public DNS server, 71.243.0.12, from the NIC and configure it
as FORWARDER on the DNS server properties in the DNS management console.
Then run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon
service or reboot. See also the event 5781 and the description how to solve
it.
Make sure the DC is listed correctly in the forward/reverse lookup zone with
its A and Nameserver record.
I restarted the DNS Server service and performed the steps above.
>
> Then run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon
> service or reboot.
I issued the above commands, then stopped, started the Net Logon
service.
> See also the event 5781 and the description how to solve
> it
I reread this event and the following seem to be the solution(s):
> - TCP/IP properties of the network connections of this computer
> contain wrong IP address(es) of the preferred and alternate DNS
> servers
I checked the IP properties and they seem to be correct.
> - Specified preferred and alternate DNS servers are not running
I assume the "preferred" server is my own...it is indeed running.
The other machines in the domain can resolve names, but they
can't reach my DNS server, so the alternate DNS must be OK
too.
> - DNS server(s) primary for the records to be registered is not
> running
Here's where I start to get lost. I have no idea what this phrase
means.
> - Preferred or alternate DNS servers are configured with wrong root
> hints
I have no clue what a "root hint" is nor how to check it.
> - Parent DNS zone contains incorrect delegation to the child zone
> authoritative for the DNS records that failed registration
I definitely do not understand this statement.
> > Fix possible misconfiguration(s) specified above and initiate
> > registration or deletion of the DNS records by running 'nltest.exe /
> > dsregdns' from the command prompt or by restarting Net Logon service.
> > Nltest.exe is available in the Microsoft Windows Server Resource Kit
> > CD.
I restarted the Net Logon service as the above paragraph suggests.
>
> Make sure the DC is listed correctly in the forward/reverse lookup zone with
> its A and Nameserver record.
>
Please bear with me here...I know very little about DNS...in the DNS
mmc, under the name of my DC, I see "Forward Lookup Zones" and under
that "8Heidi.net" (the domain is 8Heidi). If I select "8Heidi.net" I
see a list of records in the right hand pane. There seems to be a
Host (A) record for each machine in the domain, including the DC, and
all of their addresses seem correct. I see only one "Name Server
(NS)" record...its Data column shows "rachel.8heidi.net" and its Name
column reads "(same as parent folder)". Is all that correct?
Under "Reverse Lookup Zones" there is "192.168.2.x Subnet" and inside
that node I see Pointer (PTR) records for all the machines, again the
DC is included. There is also a single NS record here - it has
exactly the same form as the one in the forward zone section.
After making the above changes I retested...unfortunately nothing has
changed (DNS still gobbling CPU, no machines can talk to it using
nslookup).
Thank you for your continued help...
Kip,
How many DCs do you have? If you only have one DC, then just leave
192.168.2.10 as the only DNS entry on the NIC properties.
If only one DC, there should only be one 'same as parent' record and
only pointing to 192.168.2.10.
Check your workstations. If they have problems resolving the DC's
name, then it's telling me that they may have 71.243.0.12 set as a DNS
address in their IP properties. If they are getting their configuration
from DHCP, and they do have 71.243.0.12 or something else other than
192.168.2.10, then it's telling me DHCP is not configured properly.
Is your DC the DHCP server, or is it your router?
Please provide an ipconfig /all from one of those machines you are
having trouble with.
As for refreshing Root Hints, you can go into DNS properties
(right-click DNS, choose properties), Root Hints tab, click on Copy
from server, type in 4.2.2.2, and hit OK.
Ace
This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
I only have one DC, it's the one running at IP 132.168.2.10 hostname
"rachel".
> If only one DC, there should only be one 'same as parent' record and
> only pointing to 192.168.2.10.
Here's what I see under "Forward Lookup Zones"->"8Heidi.net":
(same as parent folder)   Start of Authority (SOA)   [951], rachel.8heidi.net., hostmaster.
(same as parent folder)   Name Server (NS)           rachel.8heidi.net.
(same as parent folder)   Host (A)                   192.168.2.10
The first two are also present under "Reverse Lookup Zones"->"192.168.2.x Subnet",
and are identical, except the [951] is [97] instead.
>
> Check your workstations. If they have problems resolving the DC's
> name, then it's telling me that they may have 71.243.0.12 set as a DNS
> address in their IP properties. If they are getting their configuration
> from DHCP, and they do have 71.243.0.12 or something else other than
> 192.168.2.10, then it's telling me DHCP is not configured properly.
>
All of the workstations exhibit the same problem: none of them seem
able to "talk to" the DC's DNS service. Yes, they all have the '71 IP
configured as a secondary DNS server (with rachel as the primary). With
the '71 configured as secondary, none of them get names resolved.
> Is your Dc the DHCP server, or is it your router?
It is my router, but I run all the workstations with fixed addresses.
> Please provide an ipconfig /all from one of those machines you are
> having trouble with.
I will grab one and post it here asap.
> As for refreshing Root Hints, you can got into DNS properties,
> (right-click DNS, choose properties), Root Hints tab, click on Copy
> from server, and type in 4.2.2.2, and hit OK.
I tried this. Didn't have much effect, DNS server still using far too
much CPU and no other domain members can use it.
THANK YOU !!!
The first thing I would do in your workstations, is remove the
71.x.x.x IP immediately. All members of an AD infrastructure MUST only
use the internal DNS. There are no exceptions. Otherwise, it will be
asking the 71.x.x.x, "what's the IP address of my domain controller?"
It does not have that answer. Read the following for a greater
understanding of AD's DNS requirements, please.
Active Directory and Its Reliance on DNS, and using an ISP's DNS
address
http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx
Have you configured a Forwarder to 4.2.2.2? If not, please do so and
report back on internet resolution, please.
As for too much CPU usage, it sounds like something else is going on.
The DNS cache poisoning update from July, 2008 actually makes DNS use
a strict set of service UDP ports. If any application is installed
that may be conflicting with these ports, it may cause this problem.
Read more on what that update did, its purpose and other info in my
blog, to understand it a bit more.
The DNS Cache Poisoning Vulnerability, Microsoft KB953230 Patch, and
Ports Reservation Explained
http://msmvps.com/blogs/acefekay/archive/2009/09/03/the-dns-cache-poisoning-vulnerability-microsoft-kb953230-patch-and-ports-reservation-explained.aspx
Ace
Ace, as you suggest I will do some studying to try to get a better
understanding of what I'm dealing with.
Thank you (and Meinolf) very much for your generous help.
You are welcome. If you have any other questions, feel free to post
back.
Cheers!
Ace
OK, I've read the suggested articles and I think I understand, at
least at a basic level, why the external DNS server shouldn't be
configured anywhere except as a DNS forwarder, and the basics of the
cache poisoning patch.
As a test, I removed the external DNS server from the network
properties on the DC. I then made sure that it was set as a forwarder
in DNS settings, along with 4.2.2.2.
With this setup, the DNS service continues to gobble CPU and no names
get resolved on the DC (I've stopped testing the clients at this
point, figuring that a good first step would be to get DNS working on
the DC only.)
I noticed during the suggested reading that two test commands were
suggested:
netstat -ab and netstat -ano.
Here are the results, I hope someone can help interpret them!
netstat -ab with DNS server NOT RUNNING:
================================
Active Connections
Proto Local Address Foreign Address State PID
TCP rachel:kerberos rachel.8Heidi.net:0 LISTENING 464 [lsass.exe]
TCP rachel:epmap rachel.8Heidi.net:0 LISTENING 828 RpcSs [svchost.exe]
TCP rachel:ldap rachel.8Heidi.net:0 LISTENING 464 [lsass.exe]
TCP rachel:microsoft-ds rachel.8Heidi.net:0 LISTENING 4 [System]
TCP rachel:kpasswd rachel.8Heidi.net:0 LISTENING 464 [lsass.exe]
TCP rachel:554 rachel.8Heidi.net:0 LISTENING 3288 [WMServer.exe]
TCP rachel:593 rachel.8Heidi.net:0 LISTENING 828 RpcSs [svchost.exe]
TCP rachel:ldaps rachel.8Heidi.net:0 LISTENING 464 [lsass.exe]
TCP rachel:1026 rachel.8Heidi.net:0 LISTENING 464 [lsass.exe]
TCP rachel:1027 rachel.8Heidi.net:0 LISTENING 464 [lsass.exe]
TCP rachel:1028 rachel.8Heidi.net:0 LISTENING 464 [lsass.exe]
TCP rachel:1042 rachel.8Heidi.net:0 LISTENING 2432 [ntfrs.exe]
TCP rachel:1050 rachel.8Heidi.net:0 LISTENING 3048 [tssdis.exe]
TCP rachel:1051 rachel.8Heidi.net:0 LISTENING 3004 [lserver.exe]
TCP rachel:3268 rachel.8Heidi.net:0 LISTENING 464 [lsass.exe]
TCP rachel:3269 rachel.8Heidi.net:0 LISTENING 464 [lsass.exe]
TCP rachel:3389 rachel.8Heidi.net:0 LISTENING 3988 TermService [svchost.exe]
TCP rachel:1062 rachel.8Heidi.net:0 LISTENING 1912 [alg.exe]
TCP rachel:netbios-ssn rachel.8Heidi.net:0 LISTENING 4 [System]
TCP rachel:ldap rachel.8Heidi.net:1037 ESTABLISHED 464 [lsass.exe]
TCP rachel:ldap rachel.8Heidi.net:1041 ESTABLISHED 464 [lsass.exe]
TCP rachel:ldap rachel.8Heidi.net:1038 ESTABLISHED 464 [lsass.exe]
TCP rachel:1037 rachel.8Heidi.net:ldap ESTABLISHED 2252 [ismserv.exe]
TCP rachel:1038 rachel.8Heidi.net:ldap ESTABLISHED 2252 [ismserv.exe]
TCP rachel:1041 rachel.8Heidi.net:ldap ESTABLISHED 2252 [ismserv.exe]
TCP rachel:ldap rachel:2206 ESTABLISHED 464 [lsass.exe]
TCP rachel:1027 rachel:1046 ESTABLISHED 464 [lsass.exe]
TCP rachel:1027 rachel:4826 ESTABLISHED 464 [lsass.exe]
TCP rachel:1027 rachel:1088 ESTABLISHED 464 [lsass.exe]
TCP rachel:1046 rachel:1027 ESTABLISHED 2432 [ntfrs.exe]
TCP rachel:1088 rachel:1027 ESTABLISHED 464 [lsass.exe]
TCP rachel:2206 rachel:ldap ESTABLISHED 2432 [ntfrs.exe]
TCP rachel:4826 rachel:1027 ESTABLISHED 464 [lsass.exe]
TCP rachel:19704 vw-in-f100.1e100.net:http CLOSE_WAIT 3148 [iexplore.exe]
TCP rachel:19705 yo-in-f113.1e100.net:http CLOSE_WAIT 3148 [iexplore.exe]
TCP rachel:19706 lga15s03-in-f154.1e100.net:http CLOSE_WAIT 3148 [iexplore.exe]
TCP rachel:4825 rachel:epmap TIME_WAIT 0
UDP rachel:microsoft-ds *:* 4 [System]
UDP rachel:isakmp *:* 464 [lsass.exe]
UDP rachel:4500 *:* 464 [lsass.exe]
UDP rachel:15134 *:* 3560 [iexplore.exe]
UDP rachel:53260 *:* 4692 [iexplore.exe]
UDP rachel:15800 *:* 5336 [iexplore.exe]
UDP rachel:1076 *:* 1900 [Dfssvc.exe]
UDP rachel:18798 *:* 464 [lsass.exe]
UDP rachel:13914 *:* 3148 [iexplore.exe]
UDP rachel:1318 *:* 1552 [spoolsv.exe]
UDP rachel:1060 *:* 3988 TermService [svchost.exe]
UDP rachel:1056 *:* 404 [winlogon.exe]
UDP rachel:1052 *:* 3004 [lserver.exe]
UDP rachel:36260 *:* 616 [iexplore.exe]
UDP rachel:1043 *:* 2432 [ntfrs.exe]
UDP rachel:13375 *:* 232 [Explorer.EXE]
UDP rachel:1036 *:* 2252 [ismserv.exe]
UDP rachel:1031 *:* 892 [Smc.exe]
UDP rachel:ntp *:* 952 W32Time [svchost.exe]
UDP rachel:15143 *:* 2148 [iexplore.exe]
UDP rachel:389 *:* 464 [lsass.exe]
UDP rachel:netbios-dgm *:* 4 [System]
UDP rachel:ntp *:* 952 W32Time [svchost.exe]
UDP rachel:kpasswd *:* 464 [lsass.exe]
UDP rachel:kerberos *:* 464 [lsass.exe]
UDP rachel:netbios-ns *:* 4 [System]
netstat -ab with DNS server RUNNING:
================================
...I wanted to paste that output here, but it is so large that it's
crippling the browser.
The output is as above but with 7511 more lines of the following form:
UDP rachel:7780 *:* 3576 [dns.exe]
Each line is the same except for the number after the colon...I used
an editor to extract some of these:
The output of the -ano form of the command gives very similar
results...many, many more entries with DNS running.
Are these port numbers? Does this give any clue as to what is broken?
Thanks for your continued help
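One way to turn a netstat -ab listing like the one above into a per-process UDP socket count, as an added Python example (not from the thread or from any Microsoft tool): the parser re-joins the wrapped layout the newsgroup produced (endpoint line, then PID, optional service name, then [image]), and flag_socket_hogs reports any process holding at least a chosen number of UDP endpoints. The sample listing is constructed in that layout with made-up dns.exe entries; the threshold is a parameter you pick.

```python
import re
from collections import Counter

# Constructed sample in the wrapped "netstat -ab" layout seen in the thread:
# the endpoint line, then the PID on its own line (or "STATE PID" when the
# state wrapped), an optional service name line, then "[image.exe]".
SAMPLE = """\
Active Connections
Proto Local Address Foreign Address State
PID
TCP rachel:ldap rachel.8Heidi.net:0 LISTENING
464
[lsass.exe]
TCP rachel:3389 rachel.8Heidi.net:0 LISTENING
3988
TermService
[svchost.exe]
TCP rachel:1037 rachel.8Heidi.net:ldap
ESTABLISHED 2252
[ismserv.exe]
TCP rachel:4825 rachel:epmap TIME_WAIT
0
UDP rachel:ntp *:*
952
W32Time
[svchost.exe]
UDP rachel:7780 *:*
3576
[dns.exe]
UDP rachel:7781 *:*
3576
[dns.exe]
UDP rachel:7782 *:*
3576
[dns.exe]
UDP rachel:kerberos *:*
464
[lsass.exe]
"""

ENTRY_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?$")
STATE_PID_RE = re.compile(r"^([A-Z_]+)\s+(\d+)$")
PID_RE = re.compile(r"^\d+$")
IMAGE_RE = re.compile(r"^\[(.+)\]$")


def parse_netstat_ab(text):
    """Re-join the wrapped netstat -ab output into one dict per endpoint."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            if cur:
                entries.append(cur)
            proto, local, foreign, state = m.groups()
            cur = {"proto": proto, "local": local, "foreign": foreign,
                   "state": state or "", "pid": None, "service": None,
                   "image": None}
            continue
        if cur is None:
            continue                      # column headers before first entry
        m = STATE_PID_RE.match(line)
        if m and cur["pid"] is None:      # wrapped "ESTABLISHED 2252"
            cur["state"], cur["pid"] = m.group(1), int(m.group(2))
        elif PID_RE.match(line) and cur["pid"] is None:
            cur["pid"] = int(line)
        elif IMAGE_RE.match(line):
            cur["image"] = IMAGE_RE.match(line).group(1)
        else:
            cur["service"] = line         # e.g. TermService inside svchost.exe
    if cur:
        entries.append(cur)
    return entries


def udp_sockets_per_process(entries):
    """Count bound UDP endpoints per (pid, image)."""
    counts = Counter()
    for e in entries:
        if e["proto"] == "UDP":
            counts[(e["pid"], e["image"] or "?")] += 1
    return counts


def flag_socket_hogs(entries, threshold):
    """Return [(image, pid, count)] for processes at or above threshold,
    largest first; thousands of dns.exe entries is what the thread saw."""
    hogs = [(img, pid, n) for (pid, img), n in
            udp_sockets_per_process(entries).items() if n >= threshold]
    return sorted(hogs, key=lambda h: -h[2])


if __name__ == "__main__":
    ents = parse_netstat_ab(SAMPLE)
    print(f"{len(ents)} endpoints parsed")
    for img, pid, n in flag_socket_hogs(ents, threshold=3):
        print(f"{img} (pid {pid}) holds {n} UDP sockets")
```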
I see there are entries for lserver.exe. That is the terminal server
license service. Is this server running Terminal Services in
Application mode?
Any new event log errors since you've removed the ISP's DNS addresses?
Ace
I'm guessing that you mean a listing from something like Control
Panel's "Add/Remove Programs" list, rather than the list above? If
so, do you want to see everything? Including items like Adobe Reader,
Microsoft Office, .NET Framework, etc. etc.? Just wanted to make sure
I understand what you're requesting before I post it.
> I see there are entries for lserver.exe. That is the terminal server
> license service. Is this server running Terminal Services in
> Application mode?
Someone else set this up for me. I can give you a definitive answer if
you tell me where to check.
> Any new event log errors since you've removed the ISP's DNS addresses?
Oh, yes, very many, the majority of them are 4000's, with 1 4001 and 2
4007's
Thanks for your continuing help/suggestions.
You are welcome, so far.
You don't have to list the programs and services. It just appears
there is quite a bit on here. Not that it's a bad thing. It's just an
observation.
If you ask me, from the info you've provided, it seems normal for the
number of services and apps running.
Can you provide an updated ipconfig /all, please?
Thank you
Ace
Definitely I can provide an ipconfig /all:
C:\Program Files\Support Tools>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : rachel
Primary Dns Suffix . . . . . . . : 8Heidi.net
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : 8Heidi.net
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : 8Heidi.net
Description . . . . . . . . . . . : SiS 900 PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-14-85-6E-16-38
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.10
C:\Program Files\Support Tools>
Thanks, Kip, for providing the updated ipconfig /all.
I see that Routing and WINS Proxy are both enabled. Any reason why?
This can be a cause of issues with a domain controller.
Since it is a single-homed machine, and assuming RRAS is not installed
on it for VPN purposes, I suggest disabling the two.
Make sure RRAS is disabled in the RRAS console, and stopped and
disabled in Services (Routing and Remote Access service).
Also, go into the registry and disable WINS Proxy. Here's how:
========
NOTE: The EnableProxy value resides in the following registry
location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\EnableProxy
To disable Netbios Proxy on the RAS or VPN server, follow these steps.
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that you can solve problems that result
from using Registry Editor incorrectly. Use Registry Editor at your
own risk.
Start Registry Editor (Regedit.exe).
Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remoteaccess\Parameters\Ip\EnableNebtBcastFwd
Change the value of the EnableNebtBcastFwd to 0.
Quit Registry Editor.
Restart the computer.
========
More info on disabling WINS Proxy can be found in the following link:
How to Disable NetBT Proxy on Incoming Connections:
http://support.microsoft.com/kb/319848
Ace
No, thank YOU for trying to help me.
>
> I see that Routing and WINS Proxy are both enabled. Any reason why?
Probably because I know just enough to be dangerous %^(.
> This can be a cause of issues with a domain controller.
>
> Since it is a single homed machine, and assuming RRAS is not installed
> on it for VPN purposes, I suggest to disable the two.
>
> Make sure RRAS is disabled in the RRAS console, and stopped and
> disabled in Services (Routing and Remote Access service).
>
Right. So the RRAS console shows server name RACHEL and State =
Stopped (unconfigured)
In the Services console the "Routing and Remote Access" service was
not running and set to "Manual". I changed this to "Disabled."
> Also, go into the registry and disable WINS Proxy. Here's how:
>
> ========
> NOTE: The EnableProxy value resides in the following registry
> location:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\EnableProxy
This currently has a registry value of 2. Do I touch this?
> To disable Netbios Proxy on the RAS or VPN server, follow these steps.
>
> WARNING: If you use Registry Editor incorrectly, you may cause serious
> problems that may require you to reinstall your operating system.
> Microsoft cannot guarantee that you can solve problems that result
> from using Registry Editor incorrectly. Use Registry Editor at your
> own risk.
>
> Start Registry Editor (Regedit.exe).
> Locate and then click the following registry key:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remoteaccess\Parameters\Ip\EnableNebtBcastFwd
> Change the value of the EnableNebtBcastFwd to 0.
Done.
> Quit Registry Editor.
Done.
> Restart the computer.
Will do soon.
> ========
>
> More info on disabling WINS Proxy can be found in the following link:
>
> How to Disable NetBT Proxy on Incoming Connections: http://support.microsoft.com/kb/319848
>
> Ace
Can I add one more piece of information? It may not be relevant, but
I've learned not to leave information out when troubleshooting.
The network topology we have is as follows: There is one main wireless
router that is hardwired to the ISP's modem. Several domain members
access the network via wireless connections to that router (along with
a couple of wireless printers.) Another wireless connection exists to a
second wireless router, configured as a wireless bridge. Hardwired to
that bridge is one more domain member and the DC/DNS server itself
("hardwired" meaning thin wire Ethernet).
One of the symptoms I've been experiencing with the failing DNS is
that once the service is started, its CPU utilization will surge to
about 25%, then drop to zero, then surge again. The frequency of this
is about 4-5 seconds, and it's very easy to see it in perfmon... a
sequence of nicely rounded "CPU hills" if you will.
Now, I don't know what prompted me to try this, but here's what I did:
I first stopped the DNS service. Then I went to the other machine
connected to the bridge and disabled its network connection. Returning
to the DC, I started DNS and for the first time in quite a while now,
I watched it start up and NOT gobble CPU. I went back to the client
machine and re-enabled its network adapter. The DNS process on the DC
immediately started its CPU util. cycling. I then disabled the client
network again, but the CPU utilization cycling remained. I shut down
DNS and restarted it and it was quiescent again.
So it seems that as long as I don't enable the network on the other
box that's connected to the bridge, DNS doesn't eat CPU.
I'm not sure what this means, or again if it's even relevant.
Thank you so much for your time.
You are welcome. We are getting closer to straightening this out.
For RRAS, make sure it's also disabled in the registry:
=====
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 0
Refresh the Registry, then reboot the machine. That should take care
of it.
=====
As for the other question regarding the access point, and if I
understand you correctly, it is an access point, or is it a true
router/wireless router?
Reason I ask: if it is a wireless router that you're using for the
sole purpose of a router, such as a Linksys, I set them up by plugging
a LAN port (not the WAN port) into the main switch. This way, an IP
address is provided by the DHCP server on the company network.
Essentially, this is 'bridged' to the main network. Some refer to it
as 'corporate mode.' Otherwise, it will be behind its own NAT, giving
its own IP address from its own pool behind in its NAT network,
which in that case will cause AD communication problems, but I don't
think that's the case here.
Just a guess...
Does that router have the DNS server in question as its DNS address?
Does that client machine have the wireless set as its DNS address? It
may be trying to "proxy" requests to it. If so, set the client address
to the DNS server itself, and remove the address from the wireless
router, and see what happens.
Ace
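A read-only check for the three things Ace asks about (the IPEnableRouter value, the RRAS service, and which DNS server each adapter points at), as an added PowerShell example that is not part of the thread. It assumes the registry path and value name quoted above, the standard Windows service name RemoteAccess for Routing and Remote Access, and the DC address 192.168.2.10 from the original question; run it on the DC (and on a client, for step 3) before changing anything:

```powershell
# Added example, not from the thread. Read-only diagnostic for the items
# discussed above; the registry write at the end is commented out so the
# script can be run first without side effects.

$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'  # path quoted in the thread
$dnsServerIp = '192.168.2.10'   # the DC's address from the original question (assumption: unchanged)

# 1. Is IP forwarding (IPEnableRouter) still switched on?
$props = Get-ItemProperty -Path $tcpipParams
$ipEnableRouter = $props.IPEnableRouter
if ($null -eq $ipEnableRouter) {
    Write-Host "IPEnableRouter is not set (defaults to 0 / forwarding off)."
} elseif ($ipEnableRouter -ne 0) {
    Write-Host "IPEnableRouter = $ipEnableRouter : the DC is still acting as an IP router."
} else {
    Write-Host "IPEnableRouter = 0 : IP forwarding is off."
}

# 2. Is the Routing and Remote Access service stopped and disabled?
#    'RemoteAccess' is the standard service name for RRAS.
$rras = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteAccess'"
if ($rras) {
    Write-Host ("RRAS service: State={0} StartMode={1}" -f $rras.State, $rras.StartMode)
} else {
    Write-Host "RRAS service not found on this machine."
}

# 3. Which DNS servers does each IP-enabled adapter use? Per Ace's advice,
#    every adapter (on clients and the DC) should list the DC itself, not
#    the wireless router.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
    ForEach-Object {
        $servers = @($_.DNSServerSearchOrder)
        $verdict = if ($servers -contains $dnsServerIp) { 'points at DC' } else { 'NOT pointing at DC' }
        Write-Host ("{0}: DNS={1} -> {2}" -f $_.Description, ($servers -join ','), $verdict)
    }

# To apply the registry change Ace describes (then reboot), run explicitly:
# Set-ItemProperty -Path $tcpipParams -Name IPEnableRouter -Type DWord -Value 0
```

Step 3 is the one worth running on the client that triggers the CPU cycling: if its adapter lists the wireless router rather than 192.168.2.10, that matches the "proxying" scenario Ace describes.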
I will do this next, thanks.
>
> As for the other question regarding the access point, and if I
> understand you correctly, it is an access point, or is it a true
> router/wireless router?
>
It was originally a wireless router but I have replaced the factory-supplied firmware with an Open Source alternative, DD-WRT (http://www.dd-wrt.com/wiki/index.php/What_is_DD-WRT). The reason I did that was because the original firmware did not provide a wireless bridge mode, while DD-WRT does. As far as it being an access point, I've found differing opinions about the definitions of these terms. There seems to be agreement that "wireless bridge" is equivalent to "access point in client-mode", if that helps.
> Reason I ask, if it is a wireless router that you're using it for the
> sole purpose of a router, such as a Linksys, I set them up by plugging
> a LAN port (not the WAN port) into the main switch. This way, an IP
> address is provided by the DHCP server on the company network.
> Essentially, this is 'bridged' to the main network. Some refer to it
> as 'corporate mode.' Otherwise, it will be behind its own NAT giving
> it's own IP address from it's own pool behind in its NAT network,
> which in that case, will cause AD communication problems, but I don't
> think that's the case here.
>
My (coarse) understanding of how the wireless bridge works is that it
functions basically as a switch, except that it "knows" when packets
need to cross the bridge and when they don't. I'm afraid I'm not
clear on how what you've said above maps to that.
> Just a guess...
> Does that router have the DNS server in question as its DNS address?
That I do not know, but will of course check.
> Does that client machine have the wireless set as its DNS address? It
> may be trying to "proxy" requests to it. If so, set the client address
> to the DNS server itself, and remove the address from the wireless
> router, and see what happens.
>
I will check all this out as you've suggested.
> Ace
I'll suppress the urge to keep thanking you, but will say: Have a
wonderful Memorial Day weekend...
Hi Kip,
We had a nice Memorial Day Weekend, including a couple nights of food
and drink among friends and family. I hope you had a nice one, too.
I think we are both on the same wavelength regarding the wireless
definitions. What I did plugging a wireless router into the LAN ports
does the same thing. It acts as a wireless bridge. Now if you
installed the DD-WRT software to do the same thing, that is plugging
the WAN port into the office network switch (and not what I did by
plugging a LAN port into the office network switch), and setting up
the DD-WRT software to "bridge," it's really doing the same exact
thing. Think about it... :-)
Now maybe, and JUST maybe, the DD-WRT bridging feature *may* be (and I
stress *may*) blocking something. Just a thought. Unbridge it and plug
it in as I described, and see if it works.
And yes, please do set the internal DNS addresses in DD-WRT.
Ace
Ace,
Want to thank you again for your continued efforts to get me
straightened out.
Unfortunately this issue has to go on a back burner for a while; my "real" job is taking up all of my time at present.
When I can get back to this I'll post anything else I find.
Thanks again, Cheers!!!
More info:
I checked the secondary router. It did have a DNS server function in it which was enabled... I disabled that. I also checked to make sure its own DNS setting pointed to my DC... it does.
As far as "plugging in" the secondary router to the main switch... I may not be following you exactly, but the setup is that the main router is on a different floor of the building. My understanding is that the connection between the second router (the "bridge") and the main router is wireless.
So far I've had no luck from any of these changes... the DNS server continues to gobble CPU on the DC when I start it.
I was considering picking up a couple of inexpensive USB wireless adapters and trying them with the two bridged machines (the DC and one client), i.e. take the bridging router out of the equation completely.
I'll post results... thanks.
This DC is beginning to look like a lost cause. It blue-screened,
reporting a corrupt registry.
I ran a CHKDSK /R on the system drive. It found quite a few errors.
After that, Win 2003 seemed to start up fine, but now there is no
connectivity at all, to anywhere, despite the fact that the system
reports the NIC as up and running.
Worse, I tried a "ping 127.0.0.1" and got a very strange response:
"Pinging $y(1) with 32 bytes of data: ..."
There are ping responses but the string labeled with (1) is very
strange: the second character is actually a y with a bar over it, and
I also think there's a non-visible 0x07 (bell) character in there,
because the computer's speaker beeps every time this string is output
to the command window. Seems like the TCP/IP stack itself is now
corrupt.
I usually don't like to give up on problems like this, but I'm
reaching the point where I don't think it's worth further
investigation...I may just upgrade the DC to 2008.
Sorry to give up (before you did!) but I'm balancing wanting to know
exactly what's wrong with needing to have the DC running properly!
Best Regards.