We run a Windows network with a W2K Active Directory and DNS server.
There are approximately 30 workstations running W2K or XP (and one
with 98). There is a significant amount of database traffic, which
depends on name resolution.

Each workstation on the network loses its ability to communicate with
servers on a semi-regular basis (every hour or so). This causes extra
grief when batch jobs are interfered with.

The problem is remedied by flushing and restarting the ?DNS Client?
service on the workstation. Running a periodical scheduled task that
restarts the service eliminates most of the problem. However, the
problem sometimes surfaces anyway.

When the problem occurs, you still can contact servers (ping or open
full connection) by their IP.

How can we fix this problem?


Remedies already tried:

[on both server and workstation]
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters
registry subkey. Setting the value of NegativeCacheTime to 0 (the
default value is 300 seconds).

[on server]
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
Value Name: SecureResponses
Data Type: REG_DWORD
Value: 1 (To eliminate non-secure data)

[on workstation]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Value Name: DnsCacheTimeout
Data Type: REG_DWORD
Radix: Decimal
Value: 60 (time in seconds)

[on workstation]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
MaxCacheEntryTtlLimit
Value: 1

[on workstation]
Disabling the DNS client service altogether.
This works, but slows everything down significantly (too significantly).

---

Clarification of Question by theheretic-ga on 24 Aug 2004 00:16 PDT

We are running DHCP on the network, also from the same computer as the
DNS server. DHCP configured clients to use our own DNS server as
primary server, and our ISP's DNS server as backup server.

We removed reference to our ISP's DNS from the config from one
workstation. It seems to have worked so far. We are now evaluating
this change on the whole network. We are not aware of any reason why
it would make a difference... so we'll let you know how it goes!

We tried setting both cache times to 0, and it did not work. It is not
feasible to keep a host file synchronised on all computers on our
network. That sort of defeats the purpose of DHCP.

---

Clarification of Question by theheretic-ga on 02 Sep 2004 00:07 PDT

The problem has been solved! After removing the reference to the
secondary DNS server (our ISP's), everything is working well. The
reason this seems confusing is that I didn't think that the
workstations would even try to register to the secondary DNS at all,
because the primary Active Directory server is always working fine. Is
it possible that the workstations are trying to register to it
regularly because they can't connect properly to the primary one? Or
is it just that they check the secondary one intermittently, and when
they do, the DNS client service fails?

Anyway, thanks heaps crythias for your aid!

You don't want to disable DNS on workstations in your domain. You've
already figured out that they take FOR-EVER to start up if they
(especially xp/2k) can't find a DNS to log on.

I hate to ask an obvious question, but are you certain that the only
DNS IP on the workstations is the IP address of the server? (Manual or
DHCP?)

If you want to also access Internet, you merely add forwarding DNS to
your DNS server.

If perhaps WINS is somehow installed, you may wish to make sure that
it's off. Also, some feedback from Event Viewer from affected
workstations as well as the Application, System, and DNS logs from the
server at about the same time period would be helpful. Check out
www.eventid.net as well.

In the first fix you attempted (the NegativeCacheTime), did you try setting
NetFailureCacheTime and NegativeSOACacheTime to 0 as well?

Also, you could try putting the hostnames of thet dns servers into
your %windir%\System32\Drivers\Etc\HOSTS file, so that there is no
question of resolving the nameservers themselves.

Hope this helps, I am still looking into this.  I've had it happen
previously, but so far the only clear answer is a client reinstall,
and even then it reoccurs often.

-SilverShadow

Or the equivalent of a unix systems /etc/resolv.conf with a listing of
nameserver addresses. and I agree try modifying the timeout seconds.

Having your ISP's DNS in DHCP makes a difference because the
workstation can't register to a non-active directory DNS. They must
only register to any server that's running Active Directory DNS.

In the DNS server Management Console, right-click on DNS, properties,
and set forwarding servers to your ISP's DNS to handle non-active
directory issues (read: handle Internet Requests).

You'll see repeated attempts and failures on your workstations to
register to the DNS of the ISP's. This creates unwanted traffic and
instability ... basically what your original request indicated. You'll
see lots of benefits on this, including faster boot times for the
workstations.

If I wasn't clear in the last statement, I meant to say that those
workstations still having DNS point to ISP will see errors, while
those who have DNS only to the AD DNS server will see the benefits...

You might wish to cancel the question ...