printer madness with OS X clients in multi-OS environment



Hello all. I am having a very strange issue with printers and OS X client machines on our network. Any help would be greatly appreciated.

 

Description of environment:

At my org, our network infrastructure consists of a pfSense server serving as our routing software and first layer between the modem and the network. We have two Windows 2012 servers running as primary and secondary DHCP and DNS servers, and we have an OS X server for random needs and jobs.

 

Many machines are laptops, and obviously wireless. Most of the desktops are wired. We use two Apple Airports as our WiFi stations, acting in tandem under the same SSID.

 

Our org contains both Windows and OS X machines. All Windows machines are Windows 7. OS X machines are either 10.6 or 10.9 depending on hardware.

 

The problem:

There is a consistent issue with Mac computers in the office being unable to successfully add printers by FQDN. To make this even more frustrating, nearly all aspects of the issue seem completely random. On any given day, a given Mac seems to have issues connecting to at least one of our networked printers by FQDN, and will only work by IP or Bonjour. One of the other Macs will be able to connect just fine to those, but maybe have trouble with another printer, and only work with NETBIOS, but not FQDN. Two of our printers are exactly the same model, and there is no pattern to be seen in that. Some of our Macs are the same model, no pattern there either. There is no pattern by OS X version either.

 

Once a Mac successfully connects to a printer, all is good. You will be able to use that printer forever. But maybe one day you decide to disconnect the printer and reconnect for some reason, or the OS had to be reinstalled. You might find that the printer you connected to fine a day ago, now can no longer be connected to.

 

The only pattern I've seen is that IP address and Bonjour always work. Great, but not very user friendly.

 

Troubleshooting:

I have tried doing ping/nslookup/traceroute diagnostics on all the OS X machines. What I have noticed:

- Ping works as expected: FQDNs which are currently giving issues on the particular computer will not respond to pings. IP always works. Sometimes NETBIOS works but not FQDN, as I mentioned.

- nslookup always works, even for FQDNs which supposedly aren't working. It gets the gateway or DNS server (I forget which it's supposed to be) correctly, as well as the correct IP address for the given FQDN. No warnings or errors.

- traceroute is interesting. It does not seem to work internally at all. Running a trace to external sites hangs on the internal section for a bit, then skips ahead to the external hops as normal. Trying to trace an internal address causes it to "* * *" forever. I have tried doing tracert on Windows machines for comparison, and it works perfectly, internally and externally.

 

If anyone has any insight that helps me solve this, you would become my hero. Thanks in advance!

---

" FQDNs which are currently giving issues on the particular computer will not respond to pings."

FQDNs do not respond to anything - they would resolve, and then that IP would ping

So when you do say

ping printer.yourdomain.tld -- do you get back the IP address or does it say host not found or some other error?

Where do you point for DNS? The only DNS in how you described your network would be your 2012 boxes - that would be the ONLY dns server you should be handing out to any client be it wired or wireless. If you hand out others this could cause you grief, because most likely pfsense does not know about your printers, etc.

What are the settings you're getting for your OS X clients when wireless? What does ipconfig /all show for your Windows machines?

pfSense should be the gateway, your 2k12 boxes should be DNS.

What domain are you using for the FQDNs of your printers?

---

When I ping an FQDN it claims it could not resolve the host, despite nslookup working perfectly.

 

Our Windows 2012 servers are the only DNS servers in the system, and only one is primary, the other is secondary/backup. Nothing else besides our Windows server is handing out DNS.

 

"pfsense should be gateway, 2012 boxes dns"

Sorry, I was wrong about what I said. Our gateway is indeed what it should be, pfSense. DNS is 2012.


 

Here are the OS X settings, from a very new Macbook Air running 10.9:

Huairous-MacBook-Pro:Desktop admin$ sh networkinfo.sh
 
   Public IP: XX.XXX.XXX.250
   Hostname: XXXXXXX-MacBook-Pro.local
 
Wireless Ethernet (en0)
-----------------------
  IP Address: 10.10.10.97 (DHCP)
  Subnet Mask: 255.255.255.0
    Router: 10.10.10.1
  DNS Server: 10.10.10.6, 10.10.10.7, 8.8.8.8
Search Domains: xxxxxx.org
  MAC Address: XX:XX:XX:XX:ee:6a
     Speed: 	media:
 
Wired Ethernet (en1)
-----------------------
  IP Address: inactive
  MAC Address: XX:XX:XX:XX:52:50

Our main, EXTERNAL domain (the one you use to reach our public website) is xxxxxxx.org, while our internal network is local.xxxxxxxx.org. So to reach one of our printers, you should be able to use the address "printer.local.xxxxxxxx.org".

---

DNS Server: 10.10.10.6, 10.10.10.7, 8.8.8.8
 
There's your problem, you've got 8.8.8.8 configured as a DNS server in addition to your two internal ones. Remove that from the configuration, and your issues will likely go away.

---

^ YUP, exactly -- I thought you said your 2k12 were the only DNS.

 

"Our Windows 2012 servers are the only DNS servers in the system"

 

I can tell you for a fact that 8.8.8.8 has no clue about your printers' IPs ;)

 

You cannot list DNS servers that don't know your stuff without having grief. Your local DNS servers need to forward, or look up from the roots, what they are not authoritative for. That way when you look for a printer you always get an answer, and when you look for, say, www.neowin.net, your 10.10.10.6 box goes and asks 8.8.8.8: "hey, what's the IP for www.neowin.net? I don't know it."

 

Another thing I see as a possible issue is

 

hostname MacBook-Pro.local

Search Domains: xxxxxx.org

 

Why do you have your hosts in a .local domain, but have them search the xx.org domain? It's a single-label domain as well, from what it looks like, since their hostname is XXXXXXX-MacBook-Pro.local.

 

Why not put all your boxes in whatever domain you're using locally -- what domain are your printers in? And single-label is not really a good idea -- you should use, say, xxx-macbook-pro.yourdomain.local.

 

I also see a link-local IPv6 there - are you using IPv6? Are you registering AAAA in your DNS? If not, just completely disable it - there is no reason for IPv6 if you're not actually using it. If you want to use it, then set it up correctly, and your MacBooks should have it as well, etc.

---
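The two behaviours discussed above (ping fails while nslookup succeeds, and a client whose DNS list mixes the two internal Windows servers with 8.8.8.8) can be checked on the Mac itself. The script below is an added example, not code from the thread or from any of its posters: it reads the resolver list macOS actually uses from `scutil --dns`, resolves the printer name once through the system resolver (the path ping and the Add Printer dialog take, queried here via `dscacheutil`) and once directly against each listed server with `dig` (the path nslookup takes), and flags any server that has no answer for the internal name. The printer FQDN, the 10.10.10.x addresses and the sample `scutil` output are assumptions constructed to match the masked values in the thread; where `scutil` and `dig` are not installed it only runs the parsers on that sample.

```shell
#!/bin/bash
# Added example, not from the thread. Names and addresses are assumptions
# chosen to match the masked values posted above.
FQDN="${FQDN:-printer.local.xxxxxxxx.org}"   # assumed printer FQDN

# Nameserver IPs from `scutil --dns` output on stdin. This is the list the Mac
# really uses (it came from DHCP), so it is what ping and "Add Printer" consult.
parse_nameservers() {
    awk '/nameserver\[[0-9]+\] *:/ { print $NF }' | awk '!seen[$0]++'
}

# Search domains the resolver appends to single-label names such as "printer".
parse_search_domains() {
    awk '/search domain\[[0-9]+\] *:/ { print $NF }' | awk '!seen[$0]++'
}

# Domains macOS answers with multicast DNS instead of a nameserver; ".local"
# shows up here, which is why the Mac calls itself something.local.
parse_mdns_domains() {
    awk '/^ *domain *:/ { d = $NF } /options *: *mdns/ { print d }'
}

# Ask one server directly, bypassing the system resolver (what nslookup/dig do).
ask_server() {   # ask_server <server-ip> <name>
    dig +short +time=2 +tries=1 "@$1" "$2" A 2>/dev/null | head -n 1
}

# Resolve through the system resolver, the same path ping uses on macOS.
ask_system() {   # ask_system <name>
    dscacheutil -q host -a name "$1" | awk '/^ip_address:/ { print $2; exit }'
}

# Query every configured server for the internal name. A server that returns
# nothing must not be in the client list: the client may pick it, the name then
# "randomly" fails, and the internal hostname has been sent to a public resolver.
audit_servers() {   # audit_servers <name> <server-ip>...
    local name=$1 ns answer bad=0
    shift
    for ns in "$@"; do
        answer=$(ask_server "$ns" "$name")
        if [ -n "$answer" ]; then
            printf '%-15s knows %s -> %s\n' "$ns" "$name" "$answer"
        else
            printf '%-15s has NO answer for %s (remove it from the client DNS list)\n' "$ns" "$name"
            bad=$((bad + 1))
        fi
    done
    echo "$bad server(s) do not know $name"
}

# Constructed sample of `scutil --dns` output matching the settings in the thread.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : xxxxxx.org
  nameserver[0] : 10.10.10.6
  nameserver[1] : 10.10.10.7
  nameserver[2] : 8.8.8.8
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000
'

if command -v scutil >/dev/null 2>&1 && command -v dig >/dev/null 2>&1; then
    echo "system resolver says: ${FQDN} -> $(ask_system "$FQDN")"
    audit_servers "$FQDN" $(scutil --dns | parse_nameservers)
else
    echo "scutil/dig not found; running the parsers on the constructed sample:"
    echo "nameservers: $(printf '%s\n' "$SAMPLE_SCUTIL" | parse_nameservers | tr '\n' ' ')"
    echo "search:      $(printf '%s\n' "$SAMPLE_SCUTIL" | parse_search_domains | tr '\n' ' ')"
    echo "mdns:        $(printf '%s\n' "$SAMPLE_SCUTIL" | parse_mdns_domains | tr '\n' ' ')"
fi
```

Run it on one of the affected Macs with `FQDN=printer.local.yourdomain.org bash check-resolvers.sh`; a line reading `8.8.8.8 has NO answer` next to two internal servers that do answer is the mixed-list problem described in the reply above, and the `mdns: local` line shows where the `.local` suffix in the hostname comes from.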

The Airports are set to only be access points, right? Unless a setting was missed, the 8.8.8.8 DNS should not be there at all, but the pros already said that.

---

Hello, and thanks for the help everyone! I will need some clarification though... where exactly should we be putting the 8.8.8.8 entry? I should mention that the reason we use Google's DNS is because our own ISP's DNS servers (Time Warner Cable) have been iffy in the past and caused us issues with domain resolution. The 8.8.8.8 entry is NOT within the computer's settings itself, but within the router or server settings (I forget which off the top of my head right now).

 

Where should I be adding the 8.8.8.8 so that DNS requests are answered properly? How do I forward them as opposed to whatever I am doing now? Is this the proper tutorial here?

http://technet.microsoft.com/en-us/library/cc754941.aspx

 

As for the rest... I honestly have no clue why the Mac says ".local" as a TLD. We definitely have no such thing on our network (using custom TLDs is bad news). I assumed it was some sort of Mac quirk. And to answer your question, our internal domain is local.[xxxxxx].org.

 

I will talk to the senior tech about disabling IPv6, though I am curious as to what problems this could cause, and I am sure he would be too. Is it just a matter of best practice?

 

Can you clarify for me what you mean by "single label"?

 

And as for our airports, they are only access points.

 

Thanks for everyone's advice!

---

As to disabling IPv6 - I am sure there will be debate on whether it is best practice to disable it or not. Windows out of the box has 3 different methods of tunneling IPv6 out over IPv4: 6to4, Teredo and ISATAP. You would think they would have learned their lesson from back in the day when IIS was enabled out of the box.

Enabling protocols/services that are not used is security 101. Do you run IPX/SPX if you're not using that network protocol? So why should you be running IPv6 unless you're actively using it? I run IPv6 on a couple of boxes. On all my others it's disabled - because they have no use for it as of yet. If at such time there are actual services that are only available via IPv6 then I will enable it. As of yet this is not the case, and most likely will not be for years to come.

If you want your company to be in the front of the pack - great!! Get your network guys to correctly roll out IPv6. Leaving on what MS turned on out of the box is nothing but a sign that the network guys running this network have no clue what they are doing, in my personal opinion. Just being blunt about that - I would ask your network guys why it is enabled. You didn't show your full output - but I guess that 6to4, Teredo and ISATAP are all enabled, aren't they ;) Are you using all three of those methods of getting out to IPv6 addresses?

If you're not using it, it's going to cause nothing but noise on your network for no reason.

Yes, that article should work - 8.8.8.8 should be where your AD servers go to ask when a client asks "hey, where is www.neowin.net".

Single-label DNS is this:

hostname.tld

So mybox.local is a single-label domain name.

While there is support for it:

http://support.microsoft.com/kb/2269810

It's not really good practice, and yes, your .local is a Mac thing:

http://en.wikipedia.org/wiki/.local

I would do some research on Macs and .local with your AD setup - there is some info about it in that above link. You are also going to want to make sure that your AD box is authoritative for it if you're not going to remove it from your OS X stuff. Or you'll start sending queries to 8.8.8.8 for something.local.

So your OS X box asks for printername.local -- well, your AD doesn't know about that, so what will it do? It will ask 8.8.8.8 for it. Well, .local is not a valid public TLD, so it sure as hell is not going to know anything about it. So you're just wasting queries and sending out info about names on your network to the public net for no reason, etc.

Once you stop your clients from asking 8.8.8.8 for DNS, and make sure your printers are all listed in your AD DNS with their actual FQDN, all your name resolution problems will go away.

---

Thank you so much for all your guidance! I am going to be in the offices tomorrow, so I will be able to put all of this advice to use soon. I will be back to report on my progress for sure.

---

I read through the articles concerning mDNS and the .local TLD, but I am not entirely sure what I am supposed to do about it? I tried googling mDNS configuration, but got nothing of much use. Is mDNS just a fancy way of saying I should forward .local to local.[xxxxxxx].org?

 

Thanks for the help!

---

No, mDNS is multicast DNS, and its whole reason is to resolve stuff where there is not an actual nameserver.

So these Apple boxes you have - they are running in your Windows AD network? If so, then the .local is useless in a real network. Apple boxes will send out queries for this stuff, sure.

Unless you can set them up not to, which I would think you could -- they should be aware that they are in your .[xxxxxxx].org domain.

If you don't stop them from asking for stuff in .local, then you might want to have your local nameserver(s) be authoritative for .local so that it doesn't get forwarded on to the internet 8.8.8.8 DNS, is all.

---

3 weeks later...

Alright. Sorry about such slow responses. I've been questioning/clarifying the authority hierarchy here, and now that I've got some answers, I'm moving ahead.

 

I noticed our pfSense (routing box) had some explicit entries for Google DNS and our ISP's DNS. I cleared them out so we have no entries, since from what I understand, ONLY Windows 2012 should be dealing with DNS. This is correct, yes?

 

There is also this option, which is currently checked:

Allow DNS server list to be overridden by DHCP/PPP on WAN
If this option is set, pfSense will use DNS servers assigned by a DHCP/PPP server on WAN for its own purposes (including the DNS forwarder). However, they will not be assigned to DHCP and PPTP VPN clients. 

 

And this, which is NOT checked

Do not use the DNS Forwarder as a DNS server for the firewall
By default localhost (127.0.0.1) will be used as the first DNS server where the DNS forwarder is enabled, so system can use the DNS forwarder to perform lookups. Checking this box omits localhost from the list of DNS servers.

 

Is this the correct configuration?

 

Edit:

Also, when I look at the Network config settings on the macs, and check their DNS settings, I notice that their automatic config sets them up to check 10.10.10.6, 10.10.10.7, and 8.8.8.8. The first two are good, those are our Win2012 servers (.7 syncs DNS with .6) but why is 8.8.8.8 showing? I already cleared the explicit entries in pfsense. Where else might I look to see what is pushing this DNS address down to the client level?

---

All laptops are DHCP. Our printers, servers, and other network infrastructure are the only things which have static addresses, but everything else is dynamic.

 

Anyways, I went and looked through the Win2012 DHCP panel, and there it was! An entry for the DNS in "Scope Options". Thanks for the direction! I removed the entry for "8.8.8.8" and I will now get back to testing everything and seeing if this solved the issue.

---

Let us know how it works out. If you look at a DHCP client, and it says its DHCP server is x.x.x.x - then clearly it got it from the DHCP server ;)

Unless you go in and say: give me an IP, but I want to use these DNS servers.

If you ever want to know for sure what is being handed out by the DHCP server - just sniff the traffic. All the info is right there in the sniff, in easy-to-read clear text, in Wireshark, etc.

---
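The question a few posts up (where is 8.8.8.8 being pushed from?) and the "just sniff the traffic" answer above can be settled from the client side without a packet capture. The script below is an added example, not code from the thread or from any of its posters: on macOS `ipconfig getpacket en0` prints the DHCP lease the client accepted, including the `server_identifier` of the DHCP server that issued it and the `domain_name_server` list, and the script compares that list with the servers you expect. The expected 10.10.10.6/10.10.10.7 addresses, the interface name and the sample lease are assumptions constructed from the thread; off macOS it runs the parsers on the sample. If you do want the wire view, `sudo tcpdump -i en0 -vvv -n 'udp port 67 or udp port 68'` decodes the same options that Wireshark shows.

```shell
#!/bin/bash
# Added example, not from the thread. Addresses are assumptions matching the
# masked values posted above.
IFACE="${IFACE:-en0}"                                  # assumed Wi-Fi interface
EXPECTED_DNS="${EXPECTED_DNS:-10.10.10.6 10.10.10.7}"  # the two Windows 2012 servers

# IP of the DHCP server that issued the lease (`server_identifier (ip): x.x.x.x`).
dhcp_server_id() {
    awk '/^server_identifier/ { print $3; exit }'
}

# DNS servers handed out in the lease (`domain_name_server (ip_mult): {a, b, c}`),
# printed one per line in the order the client received them.
dhcp_dns_servers() {
    sed -n 's/^domain_name_server (ip_mult): {\(.*\)}.*/\1/p' | tr -d ',' | tr ' ' '\n' | sed '/^$/d'
}

# Every handed-out server that is not in the expected list, one per line.
unexpected_servers() {   # unexpected_servers "<expected ips>" "<handed-out ips>"
    local expected=$1 got=$2 ip e found
    for ip in $got; do
        found=0
        for e in $expected; do
            [ "$ip" = "$e" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$ip"
    done
    return 0
}

# Report on one lease (lease text on stdin).
report_lease() {
    local lease server dns extra
    lease=$(cat)
    server=$(printf '%s\n' "$lease" | dhcp_server_id)
    dns=$(printf '%s\n' "$lease" | dhcp_dns_servers | tr '\n' ' ')
    extra=$(unexpected_servers "$EXPECTED_DNS" "$dns")
    echo "lease issued by DHCP server $server"
    echo "DNS servers in lease: $dns"
    if [ -n "$extra" ]; then
        echo "NOT in the expected list: $(echo $extra)  <- fix the DNS option in that DHCP server's scope"
    else
        echo "DNS list matches the expected servers"
    fi
}

# Constructed sample of `ipconfig getpacket en0` output for the lease in the thread.
SAMPLE_LEASE='op = BOOTREPLY
htype = 1
flags = 0
hlen = 6
hops = 0
xid = 0x4a9f2c11
secs = 0
ciaddr = 0.0.0.0
yiaddr = 10.10.10.97
siaddr = 0.0.0.0
giaddr = 0.0.0.0
chaddr = 0:11:22:33:ee:6a
sname = 
file = 
options:
Options count is 7
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 10.10.10.6
lease_time (uint32): 0xa8c0
subnet_mask (ip): 255.255.255.0
router (ip_mult): {10.10.10.1}
domain_name_server (ip_mult): {10.10.10.6, 10.10.10.7, 8.8.8.8}
domain_name (string): local.xxxxxxxx.org
end (none): '

if [ "$(uname)" = "Darwin" ]; then
    ipconfig getpacket "$IFACE" | report_lease
else
    echo "not macOS; reporting on the constructed sample lease:"
    printf '%s\n' "$SAMPLE_LEASE" | report_lease
fi
```

The `server_identifier` line is the answer to "which box pushed this": whatever it names is the DHCP server whose scope options (option 006, DNS Servers, on Windows Server 2012) carry the extra entry, which is exactly where the poster found it in the next reply.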

Ok, so it seems we do have an issue cropping up now that this is configured properly. Unfortunately, before I came here, our company LAN was running on the same domain as our website, no subdomain or anything. This is still how it is. We are in a transitional phase where our server is authoritative for the subdomain I would like to eventually use, but it still technically runs the original one.

 

Before, when we were (erroneously) going straight to the Google DNS servers, we were able to connect to our external website from within the LAN without issue. However, now that we are only using the forwarder, that has quit working, and trying to reach our website returns a "webpage is not available" error. I figured that this was probably because of the domain clash, and when a client tried to access company.org, expecting the website, it would get stuck on our internal address and not return properly. I added a record for "www" to the DNS, and gave it our website's IP, but it still is not working. What else do I need to do, or what am I missing?

---

You will have to add www to the correct zone and point it to the correct IP. That is it.

 

I can remote in and help you out if you want. PM TeamViewer info. Won't take much more than a few minutes.

---

Like I said, I tried that, and it didn't seem to work. Additionally, I removed the www entry while playing around with the config, and now when I go back to re-add it, it says it can't because it already exists. I don't see it in the list though.... ugh

---

OK, we can do it the long way. I want you to look at the replication event logs and DNS event logs on your DC. Run an nslookup from your server to that host and the same on a client PC with the issue. Post results please.

Also ipconfig /all of the server and PC. You can mask the domain name if you choose, I don't need that info.

---

nslookup on both the server and client fail:

 

Server: Unknown

Address: 10.10.10.6, or ::1, for client/server respectively

 

*** UnKnown can't find www.xxxxxx.org: Server failed

 

I have the following issues in the event log, which are recent (only a few minutes old):

 

The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 158 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected. 


To resume replication of this folder, use the DFS Management snap-in to remove this server from the replication group, and then add it back to the group. This causes the server to perform an initial synchronization task, which replaces the stale data with fresh data from other members of the replication group. 


Additional Information: 
Error: 9061 (The replicated folder has been offline for too long.) 
Replicated Folder Name: SYSVOL Share 
Replicated Folder ID: 60F19ABA-F801-4D72-BE9F-A8EF2C17E02E 
Replication Group Name: Domain System Volume 
Replication Group ID: A8231976-E55B-42D6-9E11-4FFAA6385E57 

Also this Warning:

 
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. 


Operations which require contacting a FSMO operation master will fail until this condition is corrected. 


FSMO Role: DC=xxxxxx,DC=org 


User Action: 


1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476. 
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication. 
3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. 


The following operations may be impacted: 
Schema: You will no longer be able to modify the schema for this forest. 
Domain Naming: You will no longer be able to add or remove domains from this forest. 
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts. 
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups. 
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

So yeah, we clearly have some issues to sort out.

 

My main worry is that I added 8.8.8.8 back to our DNS list (even though this is technically incorrect) in an attempt to get the website working, and that did NOT fix it. At this point, my first priority is getting the website back up for the LAN before I leave for the day. This is a serious issue.

---

Alright, the website is finally working again, though it takes a few seconds to resolve and load up. Guess something just needed a chance to refresh. Back at square one now. Where do I go from here based on what I just posted?

 

Whether or not the website loads is unreliable. Sometimes it does, sometimes it doesn't. Sigh

 

Edit: I also restarted the server, and was then able to add the record for www. So I have that there. However, I STILL have an issue with clients being able to resolve the website. What gives?! The server is configured exactly as it was before I did all this, but it's not working like it did before.

---

I would really like to get in and straighten this out for you, but you left out some information that I requested.

 

Ipconfig /all from both clients and servers. You have pretty big synchronization issues, which is probably due to misconfigured IPs in the network properties. This is where I would start before even thinking about looking at any other causes of replication issues.

 

Here is an example ip setup

 

Server1:

ip address: 192.168.1.10

subnet: 255.255.255.0

gateway: 192.168.1.1

 

primary dns: 192.168.1.10

secondary dns: 192.168.1.11

 

Server2:

ip address: 192.168.1.11

subnet: 255.255.255.0

gateway: 192.168.1.1

 

primary dns: 192.168.1.11

secondary dns: 192.168.1.10

 

 

dhcp setup:

pool: 192.168.1.100-192.168.1.254

subnet: 255.255.255.0

router: 192.168.1.1

dns: 192.168.1.10 192.168.1.11

 

 

dns setup:

forward: mydomain.local

reverse: 1.168.192

Forwarders: 8.8.8.8 4.2.2.2 4.2.2.1 disable root lookups if forwarders fail

 

 

If I need www going to an outside address I would add an (A) record to the forward DNS zone for the IP. It isn't difficult, but it is often misconfigured, and being that you have had your domain misconfigured from day 1 I would bet that there are some things still wrong with the basic config.

 

Once you have posted your ipconfigs we can get into more meat if we need to. You clearly have replication issues which are causing a bunch of issues on your network. Let's try to get them fixed.

---
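The "Server failed" that nslookup printed a few posts up is a SERVFAIL response code, which is a different failure from a missing record (NXDOMAIN) and points at a different fix; the example setup above puts the www A record in the forward zone, and the quickest check that it took is to ask the internal server directly and read the header of its reply. The script below is an added example, not code from the thread or from any of its posters: it runs `dig` against the internal server for the website name, pulls the status, the `aa` (authoritative answer) flag and the answer count out of the reply header, and says what each combination means. The server address, the site name and the two constructed dig replies are assumptions; without `dig` it only exercises the parsers on those replies.

```shell
#!/bin/bash
# Added example, not from the thread. Server and name are assumptions.
DNS_SERVER="${DNS_SERVER:-10.10.10.6}"        # assumed: primary Windows 2012 DNS
SITE="${SITE:-www.xxxxxx.org}"                # assumed: the public website name

# Response code from a `dig +comments` reply (NOERROR, NXDOMAIN, SERVFAIL, ...).
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Header flags ("qr aa rd ra"); "aa" means the server is authoritative for the zone.
dig_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1
}

# Number of records in the ANSWER section.
dig_answer_count() {
    sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

has_flag() {   # has_flag <flag> "<flags>"
    local f
    for f in $2; do [ "$f" = "$1" ] && return 0; done
    return 1
}

# Turn status/flags/answer count into the thing to look at next.
diagnose() {   # diagnose <status> "<flags>" <answer-count>
    case "$1" in
        SERVFAIL)
            echo "SERVFAIL: the server took the query but could not answer it; check its forwarders/recursion and the DNS Server event log (this is what nslookup reports as 'Server failed')" ;;
        NXDOMAIN)
            if has_flag aa "$2"; then
                echo "NXDOMAIN, authoritative: this server hosts the zone but has no record for that name; add the A record to the forward zone"
            else
                echo "NXDOMAIN relayed from upstream: this server does not host the zone and the forwarder knows no such name"
            fi ;;
        NOERROR)
            if [ "${3:-0}" -gt 0 ]; then
                echo "NOERROR with $3 answer(s): the record resolves; compare the address with what the public DNS returns"
            else
                echo "NOERROR but no answer: the name exists with no A record (or a CNAME that did not resolve)"
            fi ;;
        *) echo "unexpected status '$1' (no reply header; server unreachable?)" ;;
    esac
}

# Diagnose one reply (dig +comments output on stdin).
diagnose_reply() {
    local reply
    reply=$(cat)
    diagnose "$(printf '%s\n' "$reply" | dig_status)" \
             "$(printf '%s\n' "$reply" | dig_flags)" \
             "$(printf '%s\n' "$reply" | dig_answer_count)"
}

# Constructed replies: the failure seen in the thread, and what a hosted zone
# with no www record looks like.
SAMPLE_SERVFAIL=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40213
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_NXDOMAIN=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7012
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

if command -v dig >/dev/null 2>&1; then
    dig +noall +comments +time=2 +tries=1 "@$DNS_SERVER" "$SITE" A | diagnose_reply
else
    printf '%s\n' "$SAMPLE_SERVFAIL" | diagnose_reply
    printf '%s\n' "$SAMPLE_NXDOMAIN" | diagnose_reply
fi
```

Run it from a client as `DNS_SERVER=10.10.10.6 SITE=www.yourdomain.org bash check-www.sh` and again with `DNS_SERVER=10.10.10.7`; a SERVFAIL from a server that is supposed to host the zone is the replication/forwarder problem the event log entries above describe, not a missing A record, which is why re-adding www on its own did not help.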

"My main worry is that I added 8.8.8.8 back to our DNS list"

 

Why in the world would you do that???

 

So you added www, did you do a query via nslookup or dig and actually verify it resolves correctly?

 

"nslookup on both the server and client fail:" -- Looks like you don't even have PTR records for your own network set up, if they come back Unknown? Or they are just not working at all and not serving up anything.

---

Yup I would agree! 

 

But this is not something new:

"This server has been disconnected from other partners for 158 days"

 

So it has been having issues for a long, long time!! I too would recommend someone just TV in and fix it. It has been, what, a month trying to get a simple DNS problem fixed that was identified to him in post 1 of the thread ;)

---
