Why is Active Directory being such a son of a....
July 27, 2006 8:41 AM

Help me keep my Windows server from DoS'ing my nameserver!

I'm the unix admin in charge of a nameserver running Slackware and BIND. The problem is that one of the recently set up Windows Domain Controllers keeps trying to update DNS records every 4-5 seconds, which seems to be causing a decent slowdown on the server.

I'm not a Windows guy, but the other Windows admins seem to not know how to stop this, so I am forced to deal with it.

If it matters, the DNS server is also our primary KDC, and all the Windows servers also authenticate off of it.
posted by Loto to Computers & Internet (6 answers total)
Is the primary DNS entry on the Windows box itself? It sounds like the primary might be the Slackware box and that is what is causing the problem. All DCs should have the primary DNS entry pointing to themselves. A lot of the functionality of Active Directory is based on DNS so it may erroneously be using the Slackware box as a replication point (which would explain the 4-5 seconds).

Is this seriously affecting the performance on the nameserver? I can't see how this would cause that level of traffic.
posted by purephase at 9:33 AM on July 27, 2006

I'm not that knowledgeable about DNS and AD, but I'd try to use a packet sniffer such as Ethereal to find out what kind of updates the Windows box sends to the DNS. Or does the DNS itself keep logs on this kind of activity? This might be helpful in narrowing down the problem. But you've probably already thought of this yourself ;-)
posted by Herr Fahrstuhl at 10:00 AM on July 27, 2006


DNS servers usually read much more than they write. So the read paths are optimized while the write paths involve a full reparse of the config file. If AD is writing every couple of seconds, it's forcing a full reparse every couple of seconds, thus spawning load.

There's probably a reg key to deal with this behavior. I'd ask for packet traces, but you're probably not able to send 'em :) Can you provide any other details, like precisely what names are being updated?
posted by effugas at 10:01 AM on July 27, 2006
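Both Herr Fahrstuhl's suggestion to look at what the DNS server itself logs and effugas's request for details about the updates can be answered from BIND's own log without a packet capture. The following is an added example, not code from the thread or from anyone posting in it: it parses BIND 9 file-channel log lines for dynamic-update messages and reports clients whose updates arrive at a short median interval, which is the pattern the poster describes. The log lines are constructed for the example; the client addresses, zone name and thresholds are assumptions.

```python
"""Find clients hammering BIND with dynamic updates (added example, not from the thread).

Parses BIND 9 file-channel log lines for the two messages that matter:
  update-security: info: client 192.0.2.10#1030: update 'example.com/IN' denied
  update: info: client 192.0.2.55#3055: updating zone 'example.com/IN': adding an RR at ...
and reports, per client address, how many updates it sent, the median gap between
them and how many were refused.  SAMPLE_LOG below is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s+"  # "print-time yes" stamp
    r"(?:[\w-]+: \w+: )?"                                     # optional "category: severity: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"   # newer BIND prefixes "@0x..."
    r"(?: \([^)]*\))?: "                                      # optional "(name)" after the port
    r"(?P<verb>update|updating zone) '(?P<zone>[^']+)'(?P<rest>.*)$"
)

# Constructed sample: a DC at 192.0.2.10 retrying a refused update every 5 s,
# one workstation update that was applied, and one query line to be ignored.
SAMPLE_LOG = """\
27-Jul-2006 10:01:00.117 update-security: info: client 192.0.2.10#1030: update 'example.com/IN' denied
27-Jul-2006 10:01:05.120 update-security: info: client 192.0.2.10#1031: update 'example.com/IN' denied
27-Jul-2006 10:01:10.118 update-security: info: client 192.0.2.10#1032: update 'example.com/IN' denied
27-Jul-2006 10:01:12.004 update: info: client 192.0.2.55#3055: updating zone 'example.com/IN': adding an RR at 'ws55.example.com' A 192.0.2.55
27-Jul-2006 10:01:13.001 queries: info: client 192.0.2.55#3056: query: www.example.com IN A +
27-Jul-2006 10:01:15.121 update-security: info: client 192.0.2.10#1033: update 'example.com/IN' denied
27-Jul-2006 10:01:20.119 update-security: info: client 192.0.2.10#1034: update 'example.com/IN' denied
27-Jul-2006 10:01:25.122 update-security: info: client 192.0.2.10#1035: update 'example.com/IN' denied
27-Jul-2006 10:01:30.116 update-security: info: client @0x8f2a40 192.0.2.10#1036: update 'example.com/IN' denied
27-Jul-2006 10:01:35.120 update-security: info: client @0x8f2a40 192.0.2.10#1037: update 'example.com/IN' denied
""".splitlines()


def parse_update_log(lines):
    """Return [(timestamp, client_ip, zone, outcome)] for the dynamic-update lines only."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # queries, transfers, etc.
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        outcome = "denied" if "denied" in m["rest"] else "applied"
        events.append((ts, m["ip"], m["zone"], outcome))
    return events


def find_chatty_clients(events, max_interval_s=10.0, min_events=5):
    """Clients with >= min_events updates whose median gap is <= max_interval_s seconds."""
    min_events = max(min_events, 2)                   # need at least one gap to take a median
    by_ip = defaultdict(list)
    for ts, ip, _zone, outcome in events:
        by_ip[ip].append((ts, outcome))
    report = {}
    for ip, evs in by_ip.items():
        if len(evs) < min_events:
            continue
        evs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        med = median(gaps)
        if med <= max_interval_s:
            report[ip] = {
                "count": len(evs),
                "median_interval": med,
                "denied": sum(1 for _, o in evs if o == "denied"),
            }
    return report


if __name__ == "__main__":
    for ip, info in find_chatty_clients(parse_update_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['count']} updates, median gap {info['median_interval']:.1f}s, "
              f"{info['denied']} refused")
```

To get these lines out of named, route the `update` and `update-security` categories to a file channel with `print-time yes` (`print-category` and `print-severity` are optional; the pattern accepts either form). A refused update logs only the zone and the client, not the names being registered, so to see those you either allow the update from that client long enough to log an "updating zone" line or take the packet capture effugas asked for.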

Response by poster: No specific name, just a lot of computers in our windows domain. Primary DNS is Unix side, since Unix runs our backbone. I refuse to let the AD machines run DNS.

I have found the problem, I think. Some of the domains needed for AD to function properly have not been registered manually. I'm going to double check this and then I'll report back.
posted by Loto at 11:52 AM on July 27, 2006
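The names Loto is referring to are the SRV (and a few A) records that a domain controller's Netlogon service tries to register by dynamic update; clients locate LDAP, Kerberos and the global catalog through them. As an added example, not code from the thread, the Python below writes those records in zone-file syntax so they can be added to a BIND zone by hand, and compares an existing zone dump against them to list the owner names still missing. The domain, host, site and address are constructed placeholders; the record list is the common subset of what a DC writes to %SystemRoot%\System32\config\netlogon.dns, and that file on the DC stays the authoritative list (it also holds GUID-based CNAME and SRV entries not reproduced here).

```python
"""Generate the AD locator records a DC would otherwise register dynamically.

Added example, not from the thread.  Record names follow what a Windows DC writes
to %SystemRoot%\\System32\\config\\netlogon.dns; that file is the authoritative
list for a given DC.  Domain, host, site and address below are constructed.
"""

DEFAULT_TTL = 600          # Netlogon's default TTL for these records
PRIORITY, WEIGHT = 0, 100  # Netlogon's default SRV priority and weight


def ad_dc_records(domain, dc_host, ip, site="Default-First-Site-Name",
                  forest=None, is_gc=True, is_pdc=False, ttl=DEFAULT_TTL):
    """Return zone-file lines (one record each) for one domain controller.

    domain  - the AD DNS domain, e.g. "corp.example.com"
    dc_host - the DC's FQDN, e.g. "dc1.corp.example.com"
    forest  - forest root domain; defaults to `domain` for a single-domain forest
    """
    forest = forest or domain
    d = domain.rstrip(".")
    f = forest.rstrip(".")
    h = dc_host.rstrip(".") + "."

    def srv(name, port):
        return f"{name}. {ttl} IN SRV {PRIORITY} {WEIGHT} {port} {h}"

    recs = [
        f"{h} {ttl} IN A {ip}",
        f"{d}. {ttl} IN A {ip}",      # the domain name itself resolves to every DC
        srv(f"_ldap._tcp.{d}", 389),
        srv(f"_ldap._tcp.dc._msdcs.{d}", 389),
        srv(f"_ldap._tcp.{site}._sites.{d}", 389),
        srv(f"_ldap._tcp.{site}._sites.dc._msdcs.{d}", 389),
        srv(f"_kerberos._tcp.{d}", 88),
        srv(f"_kerberos._udp.{d}", 88),
        srv(f"_kerberos._tcp.dc._msdcs.{d}", 88),
        srv(f"_kerberos._tcp.{site}._sites.{d}", 88),
        srv(f"_kerberos._tcp.{site}._sites.dc._msdcs.{d}", 88),
        srv(f"_kpasswd._tcp.{d}", 464),
        srv(f"_kpasswd._udp.{d}", 464),
    ]
    if is_gc:                          # global catalog records live under the forest root
        recs += [
            srv(f"_gc._tcp.{f}", 3268),
            srv(f"_gc._tcp.{site}._sites.{f}", 3268),
            srv(f"_ldap._tcp.gc._msdcs.{f}", 3268),
            srv(f"_ldap._tcp.{site}._sites.gc._msdcs.{f}", 3268),
            f"gc._msdcs.{f}. {ttl} IN A {ip}",
        ]
    if is_pdc:                         # only the PDC emulator registers this one
        recs.append(srv(f"_ldap._tcp.pdc._msdcs.{d}", 389))
    return recs


def missing_owners(zone_text, wanted_records):
    """Owner names from wanted_records that have no record at all in zone_text.

    Assumes one record per line with an absolute owner name in the first column
    (the form `dig AXFR` prints); comments, $-directives and continuation lines
    that start with whitespace are skipped.
    """
    present = set()
    for ln in zone_text.splitlines():
        if not ln.strip() or ln[0].isspace() or ln.startswith((";", "$")):
            continue
        present.add(ln.split()[0].rstrip(".").lower())
    missing = []
    for rec in wanted_records:
        owner = rec.split()[0].rstrip(".").lower()
        if owner not in present and owner not in missing:
            missing.append(owner)
    return missing


# Constructed zone dump: the SOA plus one Kerberos record that was already added by hand.
SAMPLE_ZONE = """\
corp.example.com. 600 IN SOA ns1.corp.example.com. hostmaster.corp.example.com. 1 3600 900 604800 600
corp.example.com. 600 IN NS ns1.corp.example.com.
_kerberos._tcp.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
"""

if __name__ == "__main__":
    wanted = ad_dc_records("corp.example.com", "dc1.corp.example.com", "192.0.2.10", site="HQ")
    print("\n".join(wanted))
    print("\nstill missing from the zone:")
    print("\n".join(missing_owners(SAMPLE_ZONE, wanted)))
```

If the DC should stop attempting registration altogether once the records are in place, the documented Windows-side switch is the `UseDynamicDns` REG_DWORD under `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters` set to 0, which is the registry key effugas guessed at. Turning registration off does not create any records, so the static entries are still needed for clients to find the DC.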

Is this related to the devices trying to register their DNS with the server?

Network Properties - {primary NIC} Properties - Internet Protocol (TCP/IP) properties - Advanced - DNS - Register this connection's addresses in DNS
posted by quiet at 4:29 PM on July 27, 2006

quiet: he said that it's a server that's hitting the BIND box. Your instructions (while valid) are more for clients.

The client boxes oughta hit the Active Directory box once they log into the domain.

We have a similar setup, and having the AD boxes look to themselves for DNS helped a lot.
posted by drstein at 7:03 PM on July 27, 2006
