Hey all,

 

A while back, I made a topic regarding some major networking issues my organization was having. I DID basically solve them, and everything works smoothly for the most part. Thanks to all who helped!

 

However, there is a small issue that I thought I had fixed, which seems to have come back to some extent.

 

Basically, our network exists on domain.org. We also have a publicly accessible website which is hosted offsite, outside of the network, at the address domain.org.

 

If you access the website from anywhere BUT the office, there is no problem. Everything loads fine. However, if you try to access domain.org (or www.domain.org, or http://www.domain.org) then it seems to take a really long time to resolve. The browser just sits there churning for a bit, and then finally, the website pulls up and loads normally. It should be noted that if you access it via IP address, it loads perfectly fine, even within the network.

 

Clearly, there is some sort of DNS/resolution issue going on, but I am stumped as to what the problem is. I already have an alias which points the parent directory (domain.org) to the proper IP address. I also have a www alias which points to the same IP address. From my understanding, that is all I should need to get things working properly, but that doesn't seem to be the case.

 

I did notice there is a secondary host record for domain.org which points to our local server's internal IP address. This record seems to be dynamically and automatically added - I didn't add it myself, and it has a timestamp, rather than the "static" tag that the record I added for our website has.

 

Perhaps there is an issue where the dynamic record gets checked first, and only reverts to the manual record after some sort of time-out? I'm not entirely sure. I'm afraid that if I remove the dynamic record which points to our internal server, that will break functionality for our internal system.

 

Any insight or recommendations would be greatly appreciated. Thanks in advance!

Sorry, I forgot to put details into the post, rather than just the (admittedly vague) tags. We are using Windows 2012 R2 to manage a variety of things, including DNS. And yes, it's a publicly resolvable domain, but as I said, the same exact domain is used for our internal network, thus, by default directs to 10.10.10.6, rather than the public IP address of our external website.

So computers are computername.domain.com and your website is say www.domain.com.

You should have an A Record pointing your external IP of the web-server to www.domain.com in your DNS records, and making sure you are not using http://domain.com to browse the site.

But you said http://www.domain.com and http://domain.com both take just as long?

Also maybe take a look at this - http://www.itgeared.com/articles/1005-active-directory-domain-name/

Yes, I do have an A record for www, as well as the parent directory, which points to the proper IP. Yet, even when using www.domain.org, it takes a long time. I forgot to mention that when you do type it in like that, it ends up being converted to domain.org anyways so I suspect that on the web host's end, they are directing all requests back to domain.org, making my A records useless. Does that make sense?

 

Anyways, as for the fact that our AD domain is domain.org, that is unfortunately something beyond me. The previous technician set it up that way, even though I myself would have set it up on local.domain.org for simplicity sake and saved us a lot of headaches. I did try migrating us to the local domain, but I had issues. Having said that, we had LOTS of issues when I tried that, many of which I fixed since. Perhaps a migration would work now.

 

I was hoping to have a quick fix for the website though, until I can manage to do that.

"the same exact domain is used for our internal network"

 

Not a good idea!!

 

So what is the real domain, it sure isn't domain.org -- I want to look at what it resolves to publicly and from where.  You do not host your own external DNS off your AD DNS servers, this 2012r2 box, do you?

 

Where do your clients point for DNS?  It should only be your AD DNS server..  Do a simple query for www.domain.org (using your real domain), does it resolve the internal IP address..  You're saying it resolves to local IP of 10.10.10.6 -- well then that should be pretty much instant..

 

From a client machine do nslookup and then set debug.

 

C:\>nslookup
Default Server:  pfSense.local.lan
Address:  192.168.9.253

> set debug
> www.domain.org
Server:  pfSense.local.lan
Address:  192.168.9.253

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.domain.org.local.lan, type = A, class = IN

------------
------------
Got answer:

 

And post that full output...  Notice how it looked for www.domain.org.local.lan first -- this is suffix search..  Wonder if that is causing you problems?  Please post the whole output.. you can replace whatever your real domain is with domain.org if you must..

 

Also are your browsers using a proxy?  Or do they directly access the internet?  A great test would be sniffing on a client and then going to your website www.domain.org, make sure you do an ipconfig /flushdns first so that we get to see the DNS queries in the sniff as well.

 

As to www.domain.org being converted back to domain.org -- so that is set up on your website, that is not a DNS related mechanism..  That is a mod rewrite doing that or other method once you hit your website..  We will see what happens with the nslookup debug.

 

While the nslookup debug is helpful - to be honest nslookup is a horrific tool for doing any real DNS troubleshooting.  I would really suggest you grab dig.. It's part of the BIND install, you can just install the tools for Windows so you can use dig https://www.isc.org/downloads/

I installed ISC BIND as you recommended, and ran nslookup on our domain as well as dig. I replaced our actual domain with "domain" and ***'d the first three octets of our website's IP address, but the results are otherwise unedited.

 

nslookup:

>"C:\Program Files\ISC BIND 9\bin\nslookup.exe" domain.org
Server:         10.10.10.6
Address:        10.10.10.6#53


Name:   domain.org
Address: 10.10.10.6
Name:   domain.org
Address: **.***.***.171


>"C:\Program Files\ISC BIND 9\bin\nslookup.exe" www.domain.org
Server:         10.10.10.6
Address:        10.10.10.6#53


Name:   www.domain.org
Address: **.***.***.171

dig:

>"C:\Program Files\ISC BIND 9\bin\dig.exe" domain.org


; <<>> DiG 9.10.2-P2 <<>> domain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32494
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;domain.org.                   IN      A


;; ANSWER SECTION:
domain.org.            600     IN      A       10.10.10.6
domain.org.            600     IN      A       **.***.***.171


;; Query time: 3 msec
;; SERVER: 10.10.10.6#53(10.10.10.6)
;; WHEN: Thu Jul 16 16:43:15 Eastern Daylight Time 2015
;; MSG SIZE  rcvd: 72


>"C:\Program Files\ISC BIND 9\bin\dig.exe" www.domain.org


; <<>> DiG 9.10.2-P2 <<>> www.domain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5993
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.domain.org.               IN      A


;; ANSWER SECTION:
www.domain.org.        3600    IN      A       **.***.***.171


;; Query time: 2 msec
;; SERVER: 10.10.10.6#53(10.10.10.6)
;; WHEN: Thu Jul 16 16:43:27 Eastern Daylight Time 2015
;; MSG SIZE  rcvd: 60

 

Thanks for any help!

As for your question about a proxy, we are definitely not. All our machines have a direct connection to the internet, and this problem occurs on personal machines as well (such as my laptop) which have no problem outside of the office.

;; ANSWER SECTION:
domain.org.            600     IN      A       10.10.10.6
domain.org.            600     IN      A       **.***.***.171

 

Why do you have 2 entries here.. You have one for the private side, the 10.x address, and then one for public -- that's going to be a problem!!

 

You didn't set debug, with dig you can do +trace

 

But I can tell you right now that is a problem, where you have 2 A records for your domain.org -- so one time you might get the 10 address, another time the public one, with a TTL of 10 minutes until they forget that and ask again, which again is then a 50/50 shot they get the one they want.  Is your website hosted on 10.10.10.6 ? ;)

 

Do you want your users to access domain.org or www.domain.org?  And I have to assume the site is hosted public, right?  So resolving it to the 10 address is going to be a problem.
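As an added illustration (not part of the original thread and not any poster's code), the check below parses dig answer lines and flags a name whose A records mix RFC 1918 and public addresses, which is the condition diagnosed in the post above. The sample input is constructed, and 203.0.113.171 is a documentation-range placeholder standing in for the masked public address.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges, checked explicitly (ipaddress.is_private also covers
# documentation ranges, which would misclassify the placeholder below).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample modelled on the dig output posted in the thread.
# 203.0.113.171 is a placeholder, not the poster's real address.
SAMPLE_DIG = """\
;; ANSWER SECTION:
domain.org.            600     IN      A       10.10.10.6
domain.org.            600     IN      A       203.0.113.171

;; ANSWER SECTION:
www.domain.org.        3600    IN      A       203.0.113.171
"""


def parse_a_records(dig_text):
    """Return {owner_name: [(ttl, IPv4Address), ...]} from dig output."""
    records = defaultdict(list)
    for line in dig_text.splitlines():
        fields = line.split()
        # Skip comments, blanks and anything that is not "name ttl IN A ip".
        if len(fields) != 5 or fields[0].startswith(";"):
            continue
        name, ttl, rr_class, rr_type, rdata = fields
        if rr_class.upper() != "IN" or rr_type.upper() != "A":
            continue
        try:
            rr = (int(ttl), ipaddress.IPv4Address(rdata))
        except ValueError:
            continue  # masked or malformed address/TTL: cannot be classified
        records[name.lower().rstrip(".")].append(rr)
    return dict(records)


def is_rfc1918(ip):
    """True if the address falls inside one of the RFC 1918 ranges."""
    return any(ip in net for net in RFC1918)


def find_mixed_answers(dig_text):
    """List names whose A record set mixes private and public addresses."""
    findings = []
    for name, rrs in sorted(parse_a_records(dig_text).items()):
        private = sorted(str(ip) for _, ip in rrs if is_rfc1918(ip))
        public = sorted(str(ip) for _, ip in rrs if not is_rfc1918(ip))
        if private and public:
            findings.append({"name": name, "private": private,
                             "public": public,
                             "max_ttl": max(ttl for ttl, _ in rrs)})
    return findings


if __name__ == "__main__":
    for f in find_mixed_answers(SAMPLE_DIG):
        print(f"{f['name']}: private {f['private']} and public {f['public']} "
              f"in one answer (cached up to {f['max_ttl']}s)")
```

Output pasted with masked octets (as in the thread) is skipped rather than guessed at, so run it against unredacted dig output from the internal resolver.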

  On 17/07/2015 at 12:22, Jared- said:

Split brain DNS ugh.

 

Use .local, .internal, .company, something other than your public dns name.  

You didn't read the in between posts, huh? Tsk tsk.

 

@BudMan: Whoops, sorry about forgetting the debug argument.

 

As for the double entry... the A entry for the website is static and was added by me. However, the 10.10.10.6 entry is dynamic, and seems to be automatically made by Windows. I was afraid that if I remove it, some sort of functionality might break? Of course, that could be a worthless worry, and everything will be just fine. I guess the other question would be, how do I prevent Windows 2012 from just automatically recreating the entry again, which seems to be something it does?

On that interface uncheck auto registration.

 


 

But that should not be registered since there is no host..

 

This is why you don't use the same ad domain as your public.

 

Your other option is to have the site use www.domain.com vs redirecting to domain.com.  Then you can remove your public entry for domain.com in your AD.

I've already requested that the site redirect to www, but at the time we had.... some issues in regards to the IT management  :hmmm: I'll leave it at that, but as it happens, we are switching hosts now, and the people who made my job harder are more or less out of the picture. I have made sure to specifically request our website redirect to www.

 

However, many people will simply type "huairou.org" into the browser regardless, so it would be nice to get this working in either case.

 

I am leaving the country this Sunday though for two and a half weeks, and am VERY reluctant to make any changes that could possibly break things until I get back. Is there any way this would cause something to break?

  • 5 weeks later...

Hey, sorry for the longer than expected wait! I just made those changes you recommended, and everything seems to be working perfectly now! I guess my next project is to try and migrate our domain over to the local FQDN...

Thanks for all the help!

 

This topic is now closed to further replies.