DNS issues on 2003 network
-
@BRRABill said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
Weird. And what about
nslookup www.cnn.com 8.8.8.8from your print- or fileserver?
Should look like this:
nslookup www.cnn.com 8.8.8.8 Server: google-public-dns-a.google.com Address: 8.8.8.8 Nicht autorisierende Antwort: Name: prod.turner.map.fastlylb.net Address: 151.101.36.73 Aliases: www.cnn.com turner.map.fastly.netReceived the same error.
Any firewall in between? Some local AV with firewall included?
We use Symantec endpoint protection, but can It really be that? Based on yesterday I can't think of anything that would cause any of those settings to change
Many times I have uninstalled AV from Symantec (or McAfee) that suddenly fixed all Internet issues.
Symantec isn't on any of the servers but the DC though. If that were the issue wouldn't everything be triggered?
-
@wirestyle22 said in DNS issues on 2003 network:
@BRRABill said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
Weird. And what about
nslookup www.cnn.com 8.8.8.8from your print- or fileserver?
Should look like this:
nslookup www.cnn.com 8.8.8.8 Server: google-public-dns-a.google.com Address: 8.8.8.8 Nicht autorisierende Antwort: Name: prod.turner.map.fastlylb.net Address: 151.101.36.73 Aliases: www.cnn.com turner.map.fastly.netReceived the same error.
Any firewall in between? Some local AV with firewall included?
We use Symantec endpoint protection, but can It really be that? Based on yesterday I can't think of anything that would cause any of those settings to change
Many times I have uninstalled AV from Symantec (or McAfee) that suddenly fixed all Internet issues.
Symantec isn't on any of the servers but the DC though. If that were the issue wouldn't everything be triggered?
Not nessecarily
Just imagine a "ban" added to the filter set because the fileserver asked the DNS too many times. For example because the fileserver queries the DNS about a client, which may happen very often within a small time window on a fileserver, usually early in the morning.
-
@wirestyle22 said in DNS issues on 2003 network:
@BRRABill said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
Weird. And what about
nslookup www.cnn.com 8.8.8.8from your print- or fileserver?
Should look like this:
nslookup www.cnn.com 8.8.8.8 Server: google-public-dns-a.google.com Address: 8.8.8.8 Nicht autorisierende Antwort: Name: prod.turner.map.fastlylb.net Address: 151.101.36.73 Aliases: www.cnn.com turner.map.fastly.netReceived the same error.
Any firewall in between? Some local AV with firewall included?
We use Symantec endpoint protection, but can It really be that? Based on yesterday I can't think of anything that would cause any of those settings to change
Many times I have uninstalled AV from Symantec (or McAfee) that suddenly fixed all Internet issues.
Symantec isn't on any of the servers but the DC though. If that were the issue wouldn't everything be triggered?
It gets complex. It could do any number of things depending on what factor was causing this to happen.
-
@wirestyle22 said in DNS issues on 2003 network:
@BRRABill said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
Weird. And what about
nslookup www.cnn.com 8.8.8.8from your print- or fileserver?
Should look like this:
nslookup www.cnn.com 8.8.8.8 Server: google-public-dns-a.google.com Address: 8.8.8.8 Nicht autorisierende Antwort: Name: prod.turner.map.fastlylb.net Address: 151.101.36.73 Aliases: www.cnn.com turner.map.fastly.netReceived the same error.
Any firewall in between? Some local AV with firewall included?
We use Symantec endpoint protection, but can It really be that? Based on yesterday I can't think of anything that would cause any of those settings to change
Many times I have uninstalled AV from Symantec (or McAfee) that suddenly fixed all Internet issues.
Symantec isn't on any of the servers but the DC though. If that were the issue wouldn't everything be triggered?
BUT please think twice before you are going to uninstall SEP
Have seen weird things after an uninstall of Symantec products. -
@scottalanmiller said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@BRRABill said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
Weird. And what about
nslookup www.cnn.com 8.8.8.8from your print- or fileserver?
Should look like this:
nslookup www.cnn.com 8.8.8.8 Server: google-public-dns-a.google.com Address: 8.8.8.8 Nicht autorisierende Antwort: Name: prod.turner.map.fastlylb.net Address: 151.101.36.73 Aliases: www.cnn.com turner.map.fastly.netReceived the same error.
Any firewall in between? Some local AV with firewall included?
We use Symantec endpoint protection, but can It really be that? Based on yesterday I can't think of anything that would cause any of those settings to change
Many times I have uninstalled AV from Symantec (or McAfee) that suddenly fixed all Internet issues.
Symantec isn't on any of the servers but the DC though. If that were the issue wouldn't everything be triggered?
It gets complex. It could do any number of things depending on what factor was causing this to happen.
Yup. Like disaster-bingo.
-
So what are my options here? Are there any other tests I can run?
-
Yep... Symantec will do this even if it isn't broken it just decides that all the things are wrong. This is bottom of the barrel along with Norton and McAfee.
-
@thwr said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@BRRABill said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
Weird. And what about
nslookup www.cnn.com 8.8.8.8from your print- or fileserver?
Should look like this:
nslookup www.cnn.com 8.8.8.8 Server: google-public-dns-a.google.com Address: 8.8.8.8 Nicht autorisierende Antwort: Name: prod.turner.map.fastlylb.net Address: 151.101.36.73 Aliases: www.cnn.com turner.map.fastly.netReceived the same error.
Any firewall in between? Some local AV with firewall included?
We use Symantec endpoint protection, but can It really be that? Based on yesterday I can't think of anything that would cause any of those settings to change
Many times I have uninstalled AV from Symantec (or McAfee) that suddenly fixed all Internet issues.
Symantec isn't on any of the servers but the DC though. If that were the issue wouldn't everything be triggered?
BUT please think twice before you are going to uninstall SEP
Have seen weird things after an uninstall of Symantec products.Yes, you need to uninstall, but you can't do it casually. SEP is "designed" to destroy systems as it is removed. It's how they get people to keep it around. It's why it is on our blacklist, our people can't recommend or install it. We consider it malware. It might be that they are just idiots and don't care that they do damage, it might be intentional, we have no idea. But the result is the same, SEP is a danger to install and should never happen. And you want to remove it, but it's dangerous even after removed. We always do clear rebuild if we find a machine with SEP on it. Have to be sure.
Thank goodness for virtualization. You can snapshot before attempting anything so you can just roll back.
-
@wirestyle22 said in DNS issues on 2003 network:
So what are my options here? Are there any other tests I can run?
You could add another DC and DNS to your domain, 2003 is out of support anyway
-
@coliver said in DNS issues on 2003 network:
Yep... Symantec will do this even if it isn't broken it just decides that all the things are wrong. This is bottom of the barrel along with Norton and McAfee.
Well, SEP is Norton. Two names, same product (SEP has more "features" that break your environment.) McAfee is bad, but far better than either of those. All three are worse than "just using nothing" though.
-
@thwr said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
So what are my options here? Are there any other tests I can run?
You could add another DC and DNS to your domain, 2003 is out of support anyway
Probably the way to go. This system is suspect. You need clean builds and new systems. Why fix what is broken when you could actually fix the problems?
-
@thwr said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
So what are my options here? Are there any other tests I can run?
You could add another DC and DNS to your domain, 2003 is out of support anyway
Yep, this would probably be your best bet.
-
@scottalanmiller said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
So what are my options here? Are there any other tests I can run?
You could add another DC and DNS to your domain, 2003 is out of support anyway
Probably the way to go. This system is suspect. You need clean builds and new systems. Why fix what is broken when you could actually fix the problems?
I would be going from 2003 - 2012 R2. I wanted to do it on my test environment before I did it in a live environment
-
@wirestyle22 said in DNS issues on 2003 network:
I would be going from 2003 - 2012 R2. I wanted to do it on my test environment before I did it in a live environment
There's not much to be afraid of. Add two new DC's, transfer FSMO etc, remove old DC's after a couple of days, upgrade forest level if required, done.
-
@wirestyle22 said in DNS issues on 2003 network:
@scottalanmiller said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
So what are my options here? Are there any other tests I can run?
You could add another DC and DNS to your domain, 2003 is out of support anyway
Probably the way to go. This system is suspect. You need clean builds and new systems. Why fix what is broken when you could actually fix the problems?
I would be going from 2003 - 2012 R2. I wanted to do it on my test environment before I did it in a live environment
Why? It's just a domain migration. I'm not knocking testing, but given the situation and the near pointlessness of testing something so generic and standard, I would not let a lack of testing stop you from fixing the problems.
-
@wirestyle22 said in DNS issues on 2003 network:
@scottalanmiller said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
So what are my options here? Are there any other tests I can run?
You could add another DC and DNS to your domain, 2003 is out of support anyway
Probably the way to go. This system is suspect. You need clean builds and new systems. Why fix what is broken when you could actually fix the problems?
I would be going from 2003 - 2012 R2. I wanted to do it on my test environment before I did it in a live environment
You can do that but DNS, DHCP, and AD are so trivial that you most likely won't have an issue.
-
You can check the Event Viewer on your server with nslookup errors and also on the DC, should be easy to see what the problem is.
If you do an ipconfig /flushdns on your client pc, can you ping the file server afterwards? But yes you should definitely make another dc ratehr than 2003.
-
@coliver said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
@scottalanmiller said in DNS issues on 2003 network:
@thwr said in DNS issues on 2003 network:
@wirestyle22 said in DNS issues on 2003 network:
So what are my options here? Are there any other tests I can run?
You could add another DC and DNS to your domain, 2003 is out of support anyway
Probably the way to go. This system is suspect. You need clean builds and new systems. Why fix what is broken when you could actually fix the problems?
I would be going from 2003 - 2012 R2. I wanted to do it on my test environment before I did it in a live environment
You can do that but DNS, DHCP, and AD are so trivial that you most likely won't have an issue.
Trivial, non-destructive and standard.
-
@momurda said in DNS issues on 2003 network:
You can check the Event Viewer on your server with nslookup errors and also on the DC, should be easy to see what the problem is.
If you do an ipconfig /flushdns on your client pc, can you ping the file server afterwards? But yes you should definitely make another dc ratehr than 2003.
No I can't ping it
-
@momurda said in DNS issues on 2003 network:
You can check the Event Viewer on your server nslookup errors and also on the DC, should be easy to see what the problem is.
If you do an ipconfig /flushdns on your client pc, can you ping the file server afterwards? But yes you should definitely make another dc ratehr than 2003.
5(?) people looked into this and we had to guess a lot because the symptoms didn't make much sense. Event log on the server maybe, but who knows. Getting rid of SEP prior of anything else is his best bet IMHO.
