
    DNS Update Issue

    IT Discussion
    Tags: windows server 2012 r2, dns, active directory
    267 Posts 12 Posters 51.9k Views
    • scottalanmillerS
      scottalanmiller @Dashrender
      last edited by

      @Dashrender said in DNS Update Issue:

      @scottalanmiller said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      @scottalanmiller said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      Does anyone know what event causes this in Windows?

      Cause what, the NIC to flip? I've heard Windows people say that it's just a bug and it does it randomly. I know that it could happen from a DNS server being unavailable for a split second, just long enough to fail a lookup.

      That was my initial thought. So what--Linux OSes are checking periodically to see if they are using the first entry and Windows doesn't care until there's a hiccup?

      Linux checks every time, I believe. That's the expected behaviour. It always uses its list top to bottom, it doesn't "change" primary just because it wants to.

      See this just seems odd to me - why add in that delay every time.

      You said that it seemed odd to you, "why add in that delay every time."

      It shouldn't be odd, it should be super obvious as by far the best way. And that "delay every time" is an imperceptible delay .001% of the time. It only seems like "Every time" if you assume random DNS choices like people keep saying that Windows makes (I'm not convinced of this). Since Linux DNS is deterministic, it only adds that minuscule delay under failure conditions which in this day and age are super, duper rare (unless, apparently, you have Windows then the desktop seems to inject a server-like failure condition on its own.)

      You make it sound like this is a foolish approach, but it fixes the problems everyone is reporting with essentially no downsides.

      DashrenderD 1 Reply Last reply Reply Quote 0
      • DashrenderD
        Dashrender @scottalanmiller
        last edited by

        @scottalanmiller said in DNS Update Issue:

        @Dashrender said in DNS Update Issue:

        @scottalanmiller said in DNS Update Issue:

        @Dashrender said in DNS Update Issue:

        @scottalanmiller said in DNS Update Issue:

        It's most useful only under a very specific set of circumstances where you are going with AD and LAN-based, and you have redundancy locally, not redundancy over a WAN link like many SMBs do.

        Or the opposite - home users who generally only have public DNS servers, or travelers who also only generally have public DNS servers.

        In fact, this is only an issue for those who do have internal DNS servers with internal only records.

        It's only a benefit there. For people using public, you want the Linux way. Really for everyone you want the Linux way except a very niche group of people in medium or larger businesses that somehow have non-stop DNS problems.

        The thing is that when the Linux way fails, it fails "soft" and no one notices because the negatives are SO minor. But when the Windows way fails, it fails "hard" and causes things to not work potentially.

        You're making that claim - why? because you believe that using a public DNS should be totally acceptable for client machines as a secondary DNS?

        Of course it SHOULD be acceptable. How the hell is it okay for Windows to be so broken that reasonable failovers, whether secondary or tertiary or whatever, have to be avoided because the platform is flaky and doesn't behave predictably or usefully?

        I disagree, because assuming you have an additional working internal DNS server you should always fail to that to make sure you continue to have access to internal records.

        And it doesn't matter that public is in use here. This applies equally to other internal servers, too. What if you failed to a slow DNS over a throttled WAN link and now are stuck with it because Windows never goes back to local primary?

        OK - you do have a point here. Though trying each and every time does seem like overkill and lag inducing. I could see checking once a min or something.

        scottalanmillerS 2 Replies Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller
          last edited by

          With the Linux way, I get the best DNS performance 99.99% of the time. And I get far broader failover options. I can, at the client level, fail between several internal DNS servers AND if those all fail, I can fail to public DNS, too. It gives me "more protection", not less. Which is really nice if I have to have DNS set statically and have machines that might move off of the network.

          1 Reply Last reply Reply Quote 1
          • scottalanmillerS
            scottalanmiller @Dashrender
            last edited by

            @Dashrender said in DNS Update Issue:

            @scottalanmiller said in DNS Update Issue:

            @Dashrender said in DNS Update Issue:

            @scottalanmiller said in DNS Update Issue:

            @Dashrender said in DNS Update Issue:

            @scottalanmiller said in DNS Update Issue:

            It's most useful only under a very specific set of circumstances where you are going with AD and LAN-based, and you have redundancy locally, not redundancy over a WAN link like many SMBs do.

            Or the opposite - home users who generally only have public DNS servers, or travelers who also only generally have public DNS servers.

            In fact, this is only an issue for those who do have internal DNS servers with internal only records.

            It's only a benefit there. For people using public, you want the Linux way. Really for everyone you want the Linux way except a very niche group of people in medium or larger businesses that somehow have non-stop DNS problems.

            The thing is that when the Linux way fails, it fails "soft" and no one notices because the negatives are SO minor. But when the Windows way fails, it fails "hard" and causes things to not work potentially.

            You're making that claim - why? because you believe that using a public DNS should be totally acceptable for client machines as a secondary DNS?

            Of course it SHOULD be acceptable. How the hell is it okay for Windows to be so broken that reasonable failovers, whether secondary or tertiary or whatever, have to be avoided because the platform is flaky and doesn't behave predictably or usefully?

            I disagree, because assuming you have an additional working internal DNS server you should always fail to that to make sure you continue to have access to internal records.

            And HOW is that disagreeing? You didn't state anything that is disagreeing at all.

            1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @Dashrender
              last edited by

              @Dashrender said in DNS Update Issue:

              And it doesn't matter that public is in use here. This applies equally to other internal servers, too. What if you failed to a slow DNS over a throttled WAN link and now are stuck with it because Windows never goes back to local primary?

              OK - you do have a point here. Though trying each and every time does seem like overkill and lag inducing. I could see checking once a min or something.

              It might seem like overkill, but it's not. It's the simplest, fastest solution. I think the crux here is that you perceive that delay as being far more dramatic and important than it is. And I suspect that you believe DNS failures are more common and long term than they typically are.

              The impact of that "trying every time" is undetectable to normal users, remember their local systems cache so it's super trivial to have it do this in the real world. And normal failures for DNS are insanely short lived, like seconds or a minute as a server reboots, typically.

              In the real world, doing secondary lookups for a full minute when the server is already back is the actual overkill, on average.

              DashrenderD 1 Reply Last reply Reply Quote 0
              • DashrenderD
                Dashrender @scottalanmiller
                last edited by

                @scottalanmiller said in DNS Update Issue:

                @Dashrender said in DNS Update Issue:

                @scottalanmiller said in DNS Update Issue:

                @wirestyle22 said in DNS Update Issue:

                @scottalanmiller said in DNS Update Issue:

                @wirestyle22 said in DNS Update Issue:

                Does anyone know what event causes this in Windows?

                Cause what, the NIC to flip? I've heard Windows people say that it's just a bug and it does it randomly. I know that it could happen from a DNS server being unavailable for a split second, just long enough to fail a lookup.

                That was my initial thought. So what--Linux OSes are checking periodically to see if they are using the first entry and Windows doesn't care until there's a hiccup?

                Linux checks every time, I believe. That's the expected behaviour. It always uses its list top to bottom, it doesn't "change" primary just because it wants to.

                See this just seems odd to me - why add in that delay every time.

                You said that it seemed odd to you, "why add in that delay every time."

                It shouldn't be odd, it should be super obvious as by far the best way. And that "delay every time" is an imperceptible delay .001% of the time. It only seems like "Every time" if you assume random DNS choices like people keep saying that Windows makes (I'm not convinced of this). Since Linux DNS is deterministic, it only adds that minuscule delay under failure conditions which in this day and age are super, duper rare (unless, apparently, you have Windows then the desktop seems to inject a server-like failure condition on its own.)

                You make it sound like this is a foolish approach, but it fixes the problems everyone is reporting with essentially no downsides.

                Well, I've missed the recent posts where people had sorta messed up DNS configs (Wirestyle's were completely hosed, not just public as a secondary issue), so I'm not sure where the recent issue is coming from - I just must have missed them.

                The Linux way is also assuming that the failure most likely was simply intermittent and that the primary will be back online nearly instantly, and frankly, using public DNS that totally makes sense. But we could hope that wouldn't be the case on a local network - and again, I'm not sure it still is a real issue.

                Does the Linux way make things more transparent to the user? Sure does. And the cost, as you said, is pretty damned low... So fine - I'll give you all that, and if Windows changed to that method I definitely wouldn't complain.

                scottalanmillerS 1 Reply Last reply Reply Quote 0
                • DashrenderD
                  Dashrender @scottalanmiller
                  last edited by Dashrender

                  @scottalanmiller said in DNS Update Issue:

                  @Dashrender said in DNS Update Issue:

                  And it doesn't matter that public is in use here. This applies equally to other internal servers, too. What if you failed to a slow DNS over a throttled WAN link and now are stuck with it because Windows never goes back to local primary?

                  OK - you do have a point here. Though trying each and every time does seem like overkill and lag inducing. I could see checking once a min or something.

                  It might seem like overkill, but it's not. It's the simplest, fastest solution. I think the crux here is that you perceive that delay as being far more dramatic and important than it is. And I suspect that you believe DNS failures are more common and long term than they typically are.

                  The impact of that "trying every time" is undetectable to normal users, remember their local systems cache so it's super trivial to have it do this in the real world. And normal failures for DNS are insanely short lived, like seconds or a minute as a server reboots, typically.

                  In the real world, doing secondary lookups for a full minute when the server is already back is the actual overkill, on average.

                  You undoubtedly have data that shows DNS outages are that short lived, I assume.

                  I know I know - you'll ask me for data that shows that DNS outages are longer.. tit for tat.

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @Dashrender
                    last edited by

                    @Dashrender said in DNS Update Issue:

                    @scottalanmiller said in DNS Update Issue:

                    @Dashrender said in DNS Update Issue:

                    And it doesn't matter that public is in use here. This applies equally to other internal servers, too. What if you failed to a slow DNS over a throttled WAN link and now are stuck with it because Windows never goes back to local primary?

                    OK - you do have a point here. Though trying each and every time does seem like overkill and lag inducing. I could see checking once a min or something.

                    It might seem like overkill, but it's not. It's the simplest, fastest solution. I think the crux here is that you perceive that delay as being far more dramatic and important than it is. And I suspect that you believe DNS failures are more common and long term than they typically are.

                    The impact of that "trying every time" is undetectable to normal users, remember their local systems cache so it's super trivial to have it do this in the real world. And normal failures for DNS are insanely short lived, like seconds or a minute as a server reboots, typically.

                    In the real world, doing secondary lookups for a full minute when the server is already back is the actual overkill, on average.

                    You undoubtedly have data that shows DNS outages are that short lived, I assume.

                    I know I know - you'll ask me for data that shows that DNS outages are longer.. tit for tat.

                    The average DNS outage is a server reboot. Think about an AD environment with two AD servers. You do updates and reboot all of the time, that's an outage to the clients looking at that specific server. In the Linux case, it would only use the backup entry for the moments while the service is restarting. In Windows, apparently, it simply abandons that server until it has no choice but to return.

                    ObsolesceO 1 Reply Last reply Reply Quote 1
                    • scottalanmillerS
                      scottalanmiller @Dashrender
                      last edited by

                      @Dashrender said in DNS Update Issue:

                      The Linux way is also assuming that the failure most likely was simply intermittent and that the primary will be back online nearly instantly, and frankly, using public DNS that totally makes sense. But we could hope that wouldn't be the case on a local network - and again, I'm not sure it still is a real issue.

                      Even private DNS, what kind of failure do you have where you assume that the outage will be a long time, but not so long that DHCP updates are in order? That's a pretty rare, small window of failures. DNS restarts (outages) are common. Total failures are once every 5-10 years if we are talking enterprise AD DNS setups. Typically it would be totally dead hardware - but only in a case where a backup and restore aren't an option.

                      DNS is something that restarts very quickly, and can be restored very quickly. And can normally be adjusted almost instantly via DHCP or state management, however you manage DNS in your environment.

                      So even in pretty extreme failures, a DNS failure is usually intermittent, even in a purely internal DNS situation.

                      DashrenderD 1 Reply Last reply Reply Quote 0
                      • DashrenderD
                        Dashrender @scottalanmiller
                        last edited by

                        @scottalanmiller said in DNS Update Issue:

                        @Dashrender said in DNS Update Issue:

                        The Linux way is also assuming that the failure most likely was simply intermittent and that the primary will be back online nearly instantly, and frankly, using public DNS that totally makes sense. But we could hope that wouldn't be the case on a local network - and again, I'm not sure it still is a real issue.

                        Even private DNS, what kind of failure do you have where you assume that the outage will be a long time, but not so long that DHCP updates are in order? That's a pretty rare, small window of failures. DNS restarts (outages) are common. Total failures are once every 5-10 years if we are talking enterprise AD DNS setups. Typically it would be totally dead hardware - but only in a case where a backup and restore aren't an option.

                        DNS is something that restarts very quickly, and can be restored very quickly. And can normally be adjusted almost instantly via DHCP or state management, however you manage DNS in your environment.

                        So even in pretty extreme failures, a DNS failure is usually intermittent, even in a purely internal DNS situation.

                        We both agree that Windows NEVER switching back is bad. Let's move past that. Now the question is - is it worth it to test on every single DNS query?
                        From a coding POV, it's probably much simpler to test every time than setting a time variable and waiting for that to expire before trying the primary again - so fine.. you win. 🙂

                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @Dashrender
                          last edited by

                          @Dashrender said in DNS Update Issue:

                          @scottalanmiller said in DNS Update Issue:

                          @Dashrender said in DNS Update Issue:

                          The Linux way is also assuming that the failure most likely was simply intermittent and that the primary will be back online nearly instantly, and frankly, using public DNS that totally makes sense. But we could hope that wouldn't be the case on a local network - and again, I'm not sure it still is a real issue.

                          Even private DNS, what kind of failure do you have where you assume that the outage will be a long time, but not so long that DHCP updates are in order? That's a pretty rare, small window of failures. DNS restarts (outages) are common. Total failures are once every 5-10 years if we are talking enterprise AD DNS setups. Typically it would be totally dead hardware - but only in a case where a backup and restore aren't an option.

                          DNS is something that restarts very quickly, and can be restored very quickly. And can normally be adjusted almost instantly via DHCP or state management, however you manage DNS in your environment.

                          So even in pretty extreme failures, a DNS failure is usually intermittent, even in a purely internal DNS situation.

                          We both agree that Windows NEVER switching back is bad. Let's move past that. Now the question is - is it worth it to test on every single DNS query?
                          From a coding POV, it's probably much simpler to test every time than setting a time variable and waiting for that to expire before trying the primary again - so fine.. you win. 🙂

                          A wait (called a "stand off period") would be easy, not AS easy, but trivially easy. But I think in the real world, it's not as ideal. With how DNS works today (not in the 1990s) I think it is what you would want. Having any stand off period would introduce more overhead (on average) than it would resolve. Because normal outages are so tiny, and so much DNS is cached.

                          1 Reply Last reply Reply Quote 0
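The three behaviours argued over in the posts above (walk the list top to bottom on every query, stick to whichever server answered last, or hold a stand-off period before retrying the primary) can be compared directly. The simulation below is an added example written for this page, not code from any poster or from Windows or glibc; the "sticky" model is the Windows behaviour as the thread describes it, not a confirmed account of the Windows resolver, and the server names, the `corp.example` internal-only zone, the tick-based clock and the two-tick "reboot" outage are all constructed. The measurement that matters for the internal-records problem is how many queries for an internal name go unanswered while the client is parked on a public resolver.

```python
"""Compare nameserver-selection strategies under a short primary outage (constructed scenario)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERNAL_ZONE = ".corp.example"  # constructed: names under here exist only on the internal DNS


@dataclass
class Server:
    name: str
    serves_internal: bool            # True for the internal DC, False for a public resolver
    outages: List[Tuple[int, int]]   # half-open [start, end) tick ranges when the server is down

    def is_up(self, t: int) -> bool:
        return not any(start <= t < end for start, end in self.outages)

    def can_answer(self, name: str) -> bool:
        # A public resolver answers public names but knows nothing about the internal zone.
        return self.serves_internal or not name.endswith(INTERNAL_ZONE)


class OrderedResolver:
    """'Linux way': every query starts at the top of the configured list."""
    def __init__(self, servers: List[Server]) -> None:
        self.servers = servers

    def query(self, t: int, name: str) -> Tuple[Optional[str], bool]:
        for s in self.servers:
            if s.is_up(t):
                return s.name, s.can_answer(name)
        return None, False


class StickyResolver:
    """'Windows way' as described in the thread: keep using the last server that answered,
    move on only when it fails, and never voluntarily return to the primary."""
    def __init__(self, servers: List[Server]) -> None:
        self.servers = servers
        self.current = 0

    def query(self, t: int, name: str) -> Tuple[Optional[str], bool]:
        n = len(self.servers)
        for step in range(n):
            idx = (self.current + step) % n
            s = self.servers[idx]
            if s.is_up(t):
                self.current = idx       # this server becomes the new favourite
                return s.name, s.can_answer(name)
        return None, False


class StandoffResolver:
    """The 'check once a minute' idea: after the primary fails, skip it for `cooldown`
    ticks, then go back to trying it first."""
    def __init__(self, servers: List[Server], cooldown: int) -> None:
        self.servers = servers
        self.cooldown = cooldown
        self.retry_primary_at = 0

    def query(self, t: int, name: str) -> Tuple[Optional[str], bool]:
        order = list(range(len(self.servers)))
        if t < self.retry_primary_at:    # primary is inside its stand-off period
            order = order[1:]
        for idx in order:
            s = self.servers[idx]
            if s.is_up(t):
                return s.name, s.can_answer(name)
            if idx == 0:
                self.retry_primary_at = t + self.cooldown
        return None, False


def run(resolver, servers: List[Server], ticks: int, name: str) -> Tuple[Dict[str, int], int]:
    """Return (queries served per server, queries for `name` that got no usable answer)."""
    served = {s.name: 0 for s in servers}
    unresolved = 0
    for t in range(ticks):
        who, ok = resolver.query(t, name)
        if who is not None:
            served[who] += 1
        if not ok:
            unresolved += 1
    return served, unresolved


def scenario(cooldown: int = 4) -> Dict[str, Tuple[Dict[str, int], int]]:
    """Constructed: internal DC reboots (down for ticks 3 and 4); public resolver is always up."""
    servers = [
        Server("dc1.corp.example", serves_internal=True, outages=[(3, 5)]),
        Server("public-resolver", serves_internal=False, outages=[]),
    ]
    name = "fileserver.corp.example"   # an internal-only record
    return {
        "ordered": run(OrderedResolver(servers), servers, 10, name),
        "sticky": run(StickyResolver(servers), servers, 10, name),
        "standoff": run(StandoffResolver(servers, cooldown), servers, 10, name),
    }


if __name__ == "__main__":
    for strategy, (served, unresolved) in scenario().items():
        print(f"{strategy:9s} served={served} unresolved_internal_lookups={unresolved}")
```

With a two-tick reboot of the internal DC, the ordered resolver loses internal resolution for exactly the two ticks the DC is down, the stand-off resolver loses it for the whole cooldown even after the DC is back, and the sticky resolver loses it for the rest of the run because it never returns to the primary on its own. Lengthen the outage or the run and the gap between the strategies only widens; that is the "fails soft" versus "fails hard" distinction from the posts above expressed as counts.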
                          • ObsolesceO
                            Obsolesce @scottalanmiller
                            last edited by

                            @scottalanmiller said in DNS Update Issue:

                            In Windows, apparently, it simply abandons that server until it has no choice but to return.

                            I don't see any issue there. You're getting DNS either way, what's it matter what it's from if they are the same? If clients are getting DNS from the failover DNS server and you don't want it to, turn off the DNS service on that server then, and clients will fail back... if you even care.

                            DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
                            • DashrenderD
                              Dashrender @Obsolesce
                              last edited by

                              @Obsolesce said in DNS Update Issue:

                              @scottalanmiller said in DNS Update Issue:

                              In Windows, apparently, it simply abandons that server until it has no choice but to return.

                              I don't see any issue there. You're getting DNS either way, what's it matter what it's from if they are the same? If clients are getting DNS from the failover DNS server and you don't want it to, turn off the DNS service on that server then, and clients will fail back... if you even care.

                              The problem happens when your secondary server isn't part of your internal network (assuming your primary is part of your internal network). When using the secondary you won't get resolution for internal network resources.

                              scottalanmillerS 1 Reply Last reply Reply Quote 2
                              • DonahueD
                                Donahue
                                last edited by

                                giphy.gif

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @Obsolesce
                                  last edited by

                                  @Obsolesce said in DNS Update Issue:

                                  @scottalanmiller said in DNS Update Issue:

                                  In Windows, apparently, it simply abandons that server until it has no choice but to return.

                                  I don't see any issue there. You're getting DNS either way, what's it matter what it's from if they are the same? If clients are getting DNS from the failover DNS server and you don't want it to, turn off the DNS service on that server then, and clients will fail back... if you even care.

                                  That's a pretty awful process. I mean... horrendous. Kill a server just to get clients back to where you want them to be?

                                  And since it is random, that doesn't even work.

                                  1 Reply Last reply Reply Quote 1
                                  • scottalanmillerS
                                    scottalanmiller @Dashrender
                                    last edited by

                                    @Dashrender said in DNS Update Issue:

                                    @Obsolesce said in DNS Update Issue:

                                    @scottalanmiller said in DNS Update Issue:

                                    In Windows, apparently, it simply abandons that server until it has no choice but to return.

                                    I don't see any issue there. You're getting DNS either way, what's it matter what it's from if they are the same? If clients are getting DNS from the failover DNS server and you don't want it to, turn off the DNS service on that server then, and clients will fail back... if you even care.

                                    The problem happens when your secondary server isn't part of your internal network (assuming your primary is part of your internal network). When using the secondary you won't get resolution for internal network resources.

                                    That's the BIG problem. But not the only one. Take a common manufacturing plant with one AD at one site, and the other one at a different site. If you can't choose primary or secondary, then failover means slow DNS over a WAN link - potentially for weeks or months at a time. Sometimes for no reason at all, or something as simple as having rebooted the local one.

                                    It's not just wanting to use a public source, that clouds the issue. Lots of people don't want to use public ever, so ignore that. It's bad behaviour regardless.

                                    DonahueD ObsolesceO 2 Replies Last reply Reply Quote 0
                                    • DonahueD
                                      Donahue @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in DNS Update Issue:

                                      @Dashrender said in DNS Update Issue:

                                      @Obsolesce said in DNS Update Issue:

                                      @scottalanmiller said in DNS Update Issue:

                                      In Windows, apparently, it simply abandons that server until it has no choice but to return.

                                      I don't see any issue there. You're getting DNS either way, what's it matter what it's from if they are the same? If clients are getting DNS from the failover DNS server and you don't want it to, turn off the DNS service on that server then, and clients will fail back... if you even care.

                                      The problem happens when your secondary server isn't part of your internal network (assuming your primary is part of your internal network). When using the secondary you won't get resolution for internal network resources.

                                      That's the BIG problem. But not the only one. Take a common manufacturing plant with one AD at one site, and the other one at a different site. If you can't choose primary or secondary, then failover means slow DNS over a WAN link - potentially for weeks or months at a time. Sometimes for no reason at all, or something as simple as having rebooted the local one.

                                      It's not just wanting to use a public source, that clouds the issue. Lots of people don't want to use public ever, so ignore that. It's bad behaviour regardless.

                                      @scottalanmiller is describing my setup because he has seen it.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 1
                                      • scottalanmillerS
                                        scottalanmiller @Donahue
                                        last edited by

                                        @Donahue said in DNS Update Issue:

                                        @scottalanmiller said in DNS Update Issue:

                                        @Dashrender said in DNS Update Issue:

                                        @Obsolesce said in DNS Update Issue:

                                        @scottalanmiller said in DNS Update Issue:

                                        In Windows, apparently, it simply abandons that server until it has no choice but to return.

                                        I don't see any issue there. You're getting DNS either way, what's it matter what it's from if they are the same? If clients are getting DNS from the failover DNS server and you don't want it to, turn off the DNS service on that server then, and clients will fail back... if you even care.

                                        The problem happens when your secondary server isn't part of your internal network (assuming your primary is part of your internal network). When using the secondary you won't get resolution for internal network resources.

                                        That's the BIG problem. But not the only one. Take a common manufacturing plant with one AD at one site, and the other one at a different site. If you can't choose primary or secondary, then failover means slow DNS over a WAN link - potentially for weeks or months at a time. Sometimes for no reason at all, or something as simple as having rebooted the local one.

                                        It's not just wanting to use a public source, that clouds the issue. Lots of people don't want to use public ever, so ignore that. It's bad behaviour regardless.

                                        @scottalanmiller is describing my setup because he has seen it.

                                        It's a common, real world setup that makes sense. But non-deterministic DNS behaviour from Windows would be less than ideal for use in that environment. Not a show stopper, especially with a Gig link between sites, but a silly problem to have that doesn't need to exist.

                                        1 Reply Last reply Reply Quote 1
                                        • dbeatoD
                                          dbeato
                                          last edited by

                                          @scottalanmiller the only problem with Microsoft Windows DNS clients when used for authentication is that it is so random in choosing which DC to log in to, which makes it so unpredictable. But I know that it is out of the main scope of this discussion, but wanted to clarify that.

                                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                                          • ObsolesceO
                                            Obsolesce @scottalanmiller
                                            last edited by Obsolesce

                                            @scottalanmiller said in DNS Update Issue:

                                            @Dashrender said in DNS Update Issue:

                                            @Obsolesce said in DNS Update Issue:

                                            @scottalanmiller said in DNS Update Issue:

                                            In Windows, apparently, it simply abandons that server until it has no choice but to return.

                                            I don't see any issue there. You're getting DNS either way, what's it matter what it's from if they are the same? If clients are getting DNS from the failover DNS server and you don't want it to, turn off the DNS service on that server then, and clients will fail back... if you even care.

                                            The problem happens when your secondary server isn't part of your internal network (assuming your primary is part of your internal network). When using the secondary you won't get resolution for internal network resources.

                                            That's the BIG problem. But not the only one. Take a common manufacturing plant with one AD at one site, and the other one at a different site. If you can't choose primary or secondary, then failover means slow DNS over a WAN link - potentially for weeks or months at a time. Sometimes for no reason at all, or something as simple as having rebooted the local one.

                                            It's not just wanting to use a public source, that clouds the issue. Lots of people don't want to use public ever, so ignore that. It's bad behaviour regardless.

                                            I've never seen this. We have a DC at one site and a DC at another site. DNS at the computer's primary site is always preferred.

                                            Perhaps the whole issue is because AD sites aren't set up properly.

                                            I'll test this now in a properly set up AD environment.

                                            scottalanmillerS 1 Reply Last reply Reply Quote 0