Microsoft Windows DNS Troubleshooter
Name resolution Failures
Internal domain lookup failures
It is important to understand the customer’s internal name resolution configuration. When troubleshooting a particular issue, you will need to know what servers are authoritative for the zone and how the client is configured to retrieve the record. In most cases, the client should only point to DNS servers that can resolve the internal domain name.
What to check for on client:
- Improper client configuration
  - Check local DNS settings under the TCP/IP settings of the NIC.
  - In most cases, the client should not be pointing to an ISP’s DNS server for either the Preferred or Alternate DNS server. This is due in part to the SLM (Server List Management) feature on the client resolver. For the behavior of Server List Management, see article 261968.
What to check for on DNS server:
- Configured DNS server not using Forwarders
- Improperly Configured Forwarders, see article 200525.
- Client pointing to a DNS server that has recursion disabled
- Improper zone delegation
- Failure to properly configure Internal Root Servers in AD domain, see article 249868.
Failure to resolve Internet names
Customer will need to provide information on their infrastructure, including the path used to resolve names on the Internet. The failure to resolve Internet names for a domain member client is most often a DNS server-side issue.
What to check for:
- Check for a Root zone on local DNS server.
  - Check for a “.” (root) zone under Forward Lookup Zones in DNS and, if one is present, delete it. See article 229840 for additional information. The presence of a root zone will prevent the server from performing any queries to the Internet.
- Improperly Configured Forwarder
- Failure of Forwarder
  - Server unable to resolve Internet names due to some failure.
  - Use NSLOOKUP against the server that queries are forwarded to for testing name resolution, see article 200525.
- Cache pollution
  - The DNS server will stop resolving properly for certain domains. When the DNS Server service is restarted, the problem is resolved for a period of time. This can be difficult to diagnose because the server will resolve some names properly and not others, either because the server is answering from cache or because only queries in part of the namespace are affected.
  - Set “Secure against cache pollution” under DNS Server Properties/Advanced/Server Options, see article 316786.
- Name resolution through a firewall, see article 260186.
  - HKLM\SYSTEM\CCS\Services\DNS\Parameters\SendPort
    Value type: REG_DWORD, Value in decimal: 53
Failure to resolve names using the host name
For a single-label unqualified host query, the client resolver will add suffixes to the unqualified name and send queries to its configured DNS server. Understand how the client will use these suffixes in order to properly resolve a name.
What to check for:
- Primary & connection-specific suffixes
  - Selecting “Append primary and connection specific DNS suffixes” and “Append parent suffixes of the primary DNS suffix” will suffice in some environments where there are multiple domains but a contiguous namespace.
- Client suffix search list
  - If “Append these DNS suffixes (in order):” is selected, ensure that all of the domains that the client may need to query are listed. A suffix search list is used in a somewhat complex environment where multiple suffixes may need to be used and there is not a contiguous namespace.
  - As an alternative, use WINS lookup records in the Forward Lookup Zone. See article 164176.
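As an added example (not code from the original troubleshooter), the following Python models how the Windows resolver qualifies a single-label name under the two suffix settings above, which shows why devolution covers a contiguous namespace but a sibling domain needs a search list. The class and function names, the sample domains, and the stop-at-two-labels devolution rule are assumptions for illustration.

```python
"""Model of how the Windows DNS client resolver qualifies a single-label
host name before sending it to the configured DNS server.
Added example, not code from the original troubleshooter; names and
sample domains are constructed."""

from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class SuffixConfig:
    # Primary DNS suffix of the computer (System Properties / Computer Name)
    primary_suffix: str = ""
    # Connection-specific DNS suffix of the adapter used for the query
    connection_suffix: str = ""
    # "Append parent suffixes of the primary DNS suffix" (devolution)
    devolve_primary: bool = True
    # "Append these DNS suffixes (in order):" - when non-empty this list
    # replaces the primary and connection-specific suffixes entirely
    search_list: List[str] = field(default_factory=list)


def parent_suffixes(suffix: str) -> List[str]:
    """Devolved parents of a suffix, stopping when two labels remain
    (the Windows 2000/XP behaviour), e.g.
    'sales.corp.example.com' -> ['corp.example.com', 'example.com']."""
    labels = suffix.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def candidate_names(host: str, cfg: SuffixConfig) -> List[str]:
    """FQDNs the resolver will try, in order, for a single-label `host`."""
    if host.endswith("."):
        return [host]                  # trailing dot: sent exactly as typed
    if "." in host:
        raise ValueError("only single-label unqualified names are modelled")

    suffixes: List[str] = []
    if cfg.search_list:
        # Explicit search list: used verbatim, nothing else is appended
        suffixes = [s.strip(".") for s in cfg.search_list]
    else:
        if cfg.primary_suffix:
            suffixes.append(cfg.primary_suffix.strip("."))
        if cfg.connection_suffix:
            suffixes.append(cfg.connection_suffix.strip("."))
        if cfg.primary_suffix and cfg.devolve_primary:
            suffixes.extend(parent_suffixes(cfg.primary_suffix))

    # Drop duplicates while keeping the first occurrence's position
    seen, ordered = set(), []
    for s in suffixes:
        if s and s not in seen:
            seen.add(s)
            ordered.append(s)
    return [f"{host}.{s}" for s in ordered] or [host]


def first_resolvable(host: str, cfg: SuffixConfig,
                     zone_names: Iterable[str]) -> str:
    """Return the first candidate present in `zone_names` (a constructed
    stand-in for the DNS server's data), or '' if the lookup would fail."""
    known = {n.rstrip(".").lower() for n in zone_names}
    for name in candidate_names(host, cfg):
        if name.rstrip(".").lower() in known:
            return name
    return ""


if __name__ == "__main__":
    # Two sibling domains under corp.example.com: devolution of the primary
    # suffix walks up to the parents, never sideways to the sibling.
    zone = ["fileserver.eng.corp.example.com"]
    devolving = SuffixConfig(primary_suffix="sales.corp.example.com")
    searching = SuffixConfig(primary_suffix="sales.corp.example.com",
                             search_list=["sales.corp.example.com",
                                          "eng.corp.example.com"])
    print(candidate_names("fileserver", devolving))
    print("devolution:", first_resolvable("fileserver", devolving, zone) or "FAIL")
    print("search list:", first_resolvable("fileserver", searching, zone) or "FAIL")
```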
Misc. Issues
- Round Robin does not work as expected
  - The use of an alias for round robin is not supported; use an A record instead. See article 168322.
  - Netmask Ordering (LocalNetPriority) is enabled by default on the Windows 2000 DNS server. The server orders the responses according to the IP address of the client that sent the query (even if round robin is enabled). It can be disabled through the Advanced tab in the DNS MMC, see article 177883.
  - PrioritizeRecordData is enabled by default on the client side. This feature causes the client to sort the answers it receives from best to worst based on the local routing table. To disable it, see article 196500.
- Wildcard record entry not resolving correctly
  - This will cause the wildcard address to never be returned to a client query.
  - Example of adding a host or A record:
    dnscmd <Server_IP> /recordadd zonename * A IPADDRESS
- DNS Server is using Root Hints when configured to use a Forwarder
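The round robin items above describe two re-orderings stacked on top of each other: server-side Netmask Ordering and client-side PrioritizeRecordData. The Python below is an added example (not code from the original troubleshooter) that models both so you can see why a client sharing a subnet with one target always gets that target first; the /24 ordering mask, the class and function names, and the addresses are assumptions.

```python
"""Model of the two answer re-orderings behind 'round robin does not work
as expected': server-side Netmask Ordering (LocalNetPriority) stacked on
round robin, and client-side PrioritizeRecordData. Added example, not
code from the original troubleshooter; the /24 ordering mask and all
addresses are constructed."""

import ipaddress
from typing import List


class RecordSetOrderer:
    """Orders the A records of one name the way the DNS server would
    before answering a query from a given client."""

    def __init__(self, addresses: List[str], round_robin: bool = True,
                 local_net_priority: bool = True, prefix_len: int = 24):
        self.addresses = list(addresses)
        self.round_robin = round_robin
        self.local_net_priority = local_net_priority
        self.prefix_len = prefix_len     # assumption: class-C style mask
        self._rotation = 0               # round robin state across queries

    def order_for(self, client_ip: str) -> List[str]:
        records = list(self.addresses)
        if self.round_robin:
            # Rotate the set by one position per query
            k = self._rotation % len(records)
            records = records[k:] + records[:k]
            self._rotation += 1
        if self.local_net_priority:
            # Netmask Ordering: records on the client's subnet move to the
            # front, keeping the rotated order inside each group. A client
            # sharing a subnet with one target therefore always gets it first.
            net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}",
                                       strict=False)
            local = [a for a in records if ipaddress.ip_address(a) in net]
            remote = [a for a in records if ipaddress.ip_address(a) not in net]
            records = local + remote
        return records


def client_prioritize(answers: List[str], local_ips: List[str],
                      prefix_len: int = 24) -> List[str]:
    """PrioritizeRecordData on the client: answers reachable on a directly
    connected subnet are preferred over the order the server returned."""
    nets = [ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            for ip in local_ips]

    def on_link(addr: str) -> bool:
        return any(ipaddress.ip_address(addr) in n for n in nets)

    # sorted() is stable, so the server's order survives within each group
    return sorted(answers, key=lambda a: 0 if on_link(a) else 1)


if __name__ == "__main__":
    targets = ["10.1.1.10", "10.1.2.10", "10.1.3.10"]
    server = RecordSetOrderer(targets)
    for _ in range(3):
        # A client on 10.1.2.0/24 sees 10.1.2.10 first every time
        print(server.order_for("10.1.2.55"))
    plain = RecordSetOrderer(targets, local_net_priority=False)
    for _ in range(3):
        print(plain.order_for("10.1.2.55"))   # pure rotation
    print(client_prioritize(["10.1.1.10", "10.1.3.10", "10.1.2.10"],
                            ["10.1.3.7"]))     # 10.1.3.10 moves to the front
```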
Related Knowledge Base Articles
291382 Frequently Asked Questions About Windows 2000 DNS and Windows Server
http://support.microsoft.com/?id=291382
300202 HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?id=300202
229840 DNS Server’s Root Hints and Forwarder Pages Are Unavailable
http://support.microsoft.com/?id=229840
177883 DNS Server Stops Using Round Robin for Host Name Resolution
http://support.microsoft.com/?id=177883
321045 Description of the DNSLint Utility
http://support.microsoft.com/?id=321045
260186 SendPort DNS Registry Key Does Not Work as Expected
http://support.microsoft.com/?id=260186
196500 New Registry Value to Disable DNR Local Network Priority Sorting
http://support.microsoft.com/?id=196500
325208 GUID Records Are Not Registered If MX Record with Wildcard Character Is
http://support.microsoft.com/?id=325208
261968 Explanation of the Server List Management Feature in the Domain Name
http://support.microsoft.com/?id=261968
249868 Replacing Root Hints with the Cache.dns File
http://support.microsoft.com/?id=249868
200525 Using NSlookup.exe
http://support.microsoft.com/?id=200525
168322 Creating a DNS Alias Record
http://support.microsoft.com/?id=168322
164176 Interoperability of WINS and Microsoft DNS
http://support.microsoft.com/?id=164176
Dynamic Updates failures
Dynamic updates can fail due to a number of issues including client configuration, zone configuration, failed name resolution for the domain, or security settings.
Client Configuration Problems (A and PTR records)
What to check for:
- Verify that the appropriate connection-specific DNS registrations are enabled on the client NIC in Advanced TCP/IP Properties.
  - Enable “Register this connection’s addresses in DNS”.
  - Enable “Use this connection’s DNS suffix in DNS registration”.
- Verify that the DHCP Client service is started.
- Verify that the Primary and/or Connection-specific DNS suffixes are correct for the domain in which the host should be registering.
- If the customer is using a single-label DNS domain name, see article 300684.
- Verify that dynamic updates aren’t disabled in the client’s registry for all adapters, see article 246804: under HKLM\System\CCS\Services\Tcpip\Parameters, DisableDynamicUpdate = 1 disables them.
- Verify that dynamic updates aren’t disabled in an AD policy (XP & Windows Server 2003). See article 294785 for the policy location.
- Check the DNS servers that the client is configured for.
  - The client should typically not be pointed to an ISP’s DNS server for the Preferred or Alternate DNS server unless the Windows 2000 domain SOA record can be resolved from the ISP’s DNS server.
  - Verify that the SOA record for the zone can be resolved by the host; try using nslookup with querytype=SOA. See article 200525.
  - If the previous check fails, the host must only be pointed to DNS servers that can consistently resolve the SOA record for the zone. Windows 2000 domain members should typically only be pointed to internal DNS servers for the domain.
Improper Zone Configuration
What to check for:
- Verify that dynamic updates are enabled on the zone.
- If the zone is configured for “Only secure updates”, test by setting the zone to “Yes” for non-secure updates. If this works, go to the Secure Dynamic Updates Failing section.
- Check that the proper delegation was made from the parent zone, if applicable.
- Verify that a record of the same name doesn’t already exist. The record may not be overwritten because of the DisableReplaceAddressesInConflicts registry setting on the client, see article 246804.
Netlogon records not registering
Failure to register Netlogon records can be accompanied by Event Log errors 5774, 5775, or 5781.
What to check for:
- After verifying the settings in the client & zone configuration sections, restart the Netlogon service.
- Delete the netlogon.dns & netlogon.dnb files on the DC and restart the Netlogon service. See article 259277.
- Verify that the domain controller is not configured with a disjointed namespace, see article 257623.
- Verify that Netlogon dynamic updates are not disabled in the registry:
  HKLM\System\CCS\Services\Netlogon\Parameters
  UseDynamicDNS = 0 (disabled)
- If SRV records are properly registering, and Netlogon A records are not, check the registry setting:
  HKLM\System\CCS\Services\Netlogon\Parameters
  RegisterDnsARecords = 0
- DC is not registering a GUID. Netlogon event 5774 for SRV record. Check for an MX wildcard entry, see article 325208.
Secure Dynamic Updates Failing
What to check for:
- Before troubleshooting a secure dynamic update problem, it is best to verify that the problem is with secure dynamic updates and not a general dynamic update issue. As a test, change “Allow dynamic updates” from “Only secure updates” to “Yes” (for testing only). If this test is not successful, proceed to the other sections of this troubleshooter or perform normal troubleshooting measures.
- Verify that the machine attempting the update is a domain member (it must be).
- Check the ACLs on the zone: Authenticated Users must be Allowed “Create all child objects”.
- Verify that the specific machine account isn’t denied access under the “Security” tab of the zone properties.
- Verify that the given record is not already registered in DNS with ACLs for another domain host.
- If ACLs have been modified on the zone, you can reset the zone security to the default using the following command (this is for a domain called example.com):
  Dsacls cn=MicrosoftDNS,cn=system,dc=example,dc=com /S /T
- The Microsoft & BIND methods of performing secure dynamic updates are incompatible. If the customer has a BIND server, then it must allow non-secure updates or delegate a zone to a Windows server that can require secure updates.
DHCP Server
What to check for:
- DHCP Server Fails to Register Records
  - Verify the DHCP server settings in the DNS tab of Server Properties, see article 228803.
  - Verify the scope-specific settings in the DNS tab of Scope Properties.
  - Verify that the DHCP server can resolve the SOA for the zone.
  - If clients are capable of dynamic updates and the DHCP server is performing all updates, then enable connection-specific DNS registration on the clients as well for option 81 to work properly. See article 314822.
- DHCP Server Fails to Remove Records
  - Under the DNS tab for the Server or Scope, “Discard forward (name-to-address) lookups when lease expires” must be selected. This setting is essential for the removal of both A and PTR records, see article 306780.
  - If the DHCP server has a large number of clients and receives numerous requests, try the following setting:
    HKLM\System\CCS\Services\DHCPServer\Parameters
    DatabaseCleanupInterval = 60 (decimal value)
    See solution object SOX020712700079.
Unable to Prevent a Specific NIC from registering records
What to check for:
- Verify that dynamic registration is disabled for the adapter in Advanced TCP/IP Properties.
- By default, the DNS service registers a host record for each IP address bound to any adapter. There are two options:
  - Configure DNS to not listen on the IP address of the NIC that should not be registered.
  - Configure the DNS service to only register host records on specific IP addresses, see article 246804:
    HKLM\System\CCS\Services\DNS\Parameters
    PublishAddresses
- The Netlogon service registers A records for all bound IP addresses, regardless of their dynamic DNS configuration at the adapter level. Disable all Netlogon A record registration by using the RegisterDnsARecords registry key, see article 246804. Note: if the server is a Global Catalog server, the GC A record will have to be manually added to the zone, see article 258213.
Related Knowledge Base Articles
246804 How to Enable/Disable Windows 2000 Dynamic DNS Registrations
http://support.microsoft.com/?id=246804
300684 Information About Configuring Windows 2000 for Domains with Single-Label
http://support.microsoft.com/?id=300684
310568 Domain Subfolders Missing from Forward Lookup Zone
http://support.microsoft.com/?id=310568
241515 How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/?id=241515
259277 Troubleshooting Netlogon Event 5774, 5775, and 5781
http://support.microsoft.com/?id=259277
257623 Domain Controllers’s Domain Name System Suffix Does Not Match Domain Name
http://support.microsoft.com/?id=257623
275554 The Host’s “A” Record Is Registered in DNS
http://support.microsoft.com/?id=275554
294785 New Group Policies for DNS in Windows Server 2003
http://support.microsoft.com/?id=294785
258213 Registration of gc._msdcs.<DnsForestName> Records in DNS Is Required
http://support.microsoft.com/?id=258213
325208 GUID Records Are Not Registered If MX Record with Wildcard
http://support.microsoft.com/?id=325208
306780 DHCP Does Not Delete DDNS PTR Record for Expired Leases
http://support.microsoft.com/?id=306780
314822 DHCP Dynamic DNS Registration for Windows 2000 Clients Does Not Work
http://support.microsoft.com/?id=314822
Active Directory Issues
DC Promotion/Demotion Fails
What to check for:
- If joining a DC to a domain, verify that the current domain controller(s) do not have a disjointed namespace, see article 257623.
- If promoting or demoting a server in an existing domain, verify that SRV records are properly registered in the forward lookup zone. As an initial check, verify that the following 4 folders exist directly beneath the root or child domain: _msdcs, _sites, _tcp, _udp
  - Some examples of records that should be registered in the DNS zone are:
    _ldap._tcp.dc._msdcs.<domain>
    _ldap._tcp.<site>._sites.dc._msdcs.<domain>
    _kerberos._tcp.<site>._sites.dc._msdcs.<domain>
- A server being promoted must be pointed to a DNS server that can resolve records for the local domain and forest root. For additional information, see the section on “Internal domain lookup failures”.
Logon Slow or Failed
What to check for:
- Usually associated with a failed logon 5719 Event Log error.
- Verify that the host is not pointing to an ISP’s DNS server for Preferred or Alternate.
- A host that is logging on must be pointed to a DNS server that can resolve records for the local domain and forest root. For additional information, see the section on “Internal domain lookup failures”.
- If the logon is in a child domain, ensure the child is properly delegated from the parent zone, if applicable.
Replication Issues
What to check for:
- Verify that DCs that are replication partners in the domain have their GUID registered in the forest root zone.
  - Example of a domain GUID record:
    name = e99e82d5-deed-11d2-b15c-00c04f5cb503._msdcs.domain.com
    type = cname
    data = server.domain.com
- Verify that both DCs involved in the replication can resolve the above records for each other.
- If there are replication problems in the forest root zone, verify that DCs are not pointing to themselves for DNS. As a rule, only one domain controller in the forest root domain should be pointed to itself for either the Preferred or Alternate DNS server in its TCP/IP properties, and all other DCs should be pointed to DNS servers other than themselves. See article 275278.
Failure to join domain because of DNS
What to check for:
- Verify that the following records for domain controllers exist in the DNS zone along with the corresponding A records, see articles 330095 & 266324.
  _ldap._tcp.dc._msdcs.<DnsDomainName>
  _ldap._tcp.<ClientSiteName>._sites.dc._msdcs.<DnsDomainName>
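The promotion, replication and domain-join sections above all come down to the same check: the DC locator SRV records, their A records, and the domain GUID CNAME must all be present. The Python below is an added example (not code from the original troubleshooter) that runs that check over a constructed in-memory copy of a zone; the zone contents, domain, site and the function names are assumptions, and the GUID is the one quoted in the replication example above.

```python
"""Check that the DNS zone contains the DC locator records a domain
join, promotion or replication partner needs, along with the glue they
depend on. Added example, not code from the original troubleshooter; the
zone contents, domain, site and function names are constructed."""

from typing import Dict, List, Tuple

# Owner name (lower-case, no trailing dot) -> list of (type, rdata).
# SRV rdata is the target host; CNAME rdata is the canonical name.
Zone = Dict[str, List[Tuple[str, str]]]

REQUIRED_FOLDERS = ("_msdcs", "_sites", "_tcp", "_udp")


def records(zone: Zone, name: str, rtype: str) -> List[str]:
    return [data for typ, data in zone.get(name.lower(), []) if typ == rtype]


def check_dc_records(zone: Zone, domain: str, site: str,
                     dc_fqdn: str, dc_guid: str) -> List[str]:
    """Return a list of problems; an empty list means every record the
    troubleshooter lists for this DC is present with its A record."""
    problems: List[str] = []
    domain, site, dc_fqdn = domain.lower(), site.lower(), dc_fqdn.lower()

    # 1. The four folders directly beneath the domain must hold something
    for folder in REQUIRED_FOLDERS:
        suffix = f".{folder}.{domain}"
        if not any(n.endswith(suffix) for n in zone):
            problems.append(f"no records under {folder}.{domain}")

    # 2. SRV records used by the DC locator (domain-wide and site-specific)
    srv_names = [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
    ]
    for name in srv_names:
        targets = [t.lower() for t in records(zone, name, "SRV")]
        if dc_fqdn not in targets:
            problems.append(f"{name} has no SRV record pointing at {dc_fqdn}")
        # Every SRV target needs a corresponding A record to be usable
        for target in targets:
            if not records(zone, target, "A"):
                problems.append(f"SRV target {target} has no A record")

    # 3. Replication partners locate each other by the domain GUID CNAME
    guid_name = f"{dc_guid.lower()}._msdcs.{domain}"
    cname = [c.lower() for c in records(zone, guid_name, "CNAME")]
    if cname != [dc_fqdn]:
        problems.append(f"{guid_name} CNAME missing or not {dc_fqdn}")

    return sorted(set(problems))


def sample_zone() -> Zone:
    """Constructed zone for domain.com with one DC in site Default-First-Site."""
    d = "domain.com"
    return {
        f"_ldap._tcp.dc._msdcs.{d}": [("SRV", f"dc1.{d}")],
        f"_ldap._tcp.default-first-site._sites.dc._msdcs.{d}": [("SRV", f"dc1.{d}")],
        f"_kerberos._tcp.default-first-site._sites.dc._msdcs.{d}": [("SRV", f"dc1.{d}")],
        f"_kerberos._tcp.{d}": [("SRV", f"dc1.{d}")],
        f"_ldap._tcp.default-first-site._sites.{d}": [("SRV", f"dc1.{d}")],
        f"_kerberos._udp.{d}": [("SRV", f"dc1.{d}")],
        f"e99e82d5-deed-11d2-b15c-00c04f5cb503._msdcs.{d}": [("CNAME", f"dc1.{d}")],
        f"dc1.{d}": [("A", "10.0.0.5")],
    }


if __name__ == "__main__":
    guid = "e99e82d5-deed-11d2-b15c-00c04f5cb503"
    zone = sample_zone()
    print(check_dc_records(zone, "domain.com", "Default-First-Site",
                           "dc1.domain.com", guid))       # []
    zone.pop("dc1.domain.com")        # simulate the missing glue A record
    print(check_dc_records(zone, "domain.com", "Default-First-Site",
                           "dc1.domain.com", guid))
```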
Related Knowledge Base Articles
247811 How Domain Controllers Are Located in Windows
http://support.microsoft.com/?id=247811
298143 How to Verify an Active Directory Installation
http://support.microsoft.com/?id=298143
232538 Unsuccessful Replication Without Partner Listed
http://support.microsoft.com/?id=232538
330095 Error Message “Access Denied” When You Join a Computer to a Domain
http://support.microsoft.com/?id=330095
266324 Windows 2000 Host Cannot Join the Domain
http://support.microsoft.com/?id=266324
257623 Domain Controller’s Domain Name System Suffix Does Not Match Domain
http://support.microsoft.com/?id=257623
321046 HOW TO: Use DNSLint to Troubleshoot Active Directory Replication Issues
http://support.microsoft.com/?id=321046
275278 DNS Server Becomes an Island When a Domain Controller Points to Itself
http://support.microsoft.com/?id=275278
Zone transfer Failures
What to check for:
- Zone security issue
  - Either select “To any server” or limit the DNS servers that can receive zone transfers.
- Master zone serial numbers out of sync in an Active Directory Integrated zone
  - Configure the secondary DNS server to only point to one AD Integrated master server.
  - Update needed, see article 331907.
- Transferring a zone to a BIND server
  - BIND 4.9.4 and earlier cannot accept multiple records in a DNS message during a zone transfer, and the Microsoft primary server must have “BIND Secondaries” set in the Advanced properties of the DNS server, see article 198409.
  - When allowing zone transfers to BIND DNS servers, it’s recommended to configure the zone “Name checking” for “Strict RFC”.
- Transferring a zone from a BIND server
  - Message size issue (16 KB limit on Windows 2000 DNS) with BIND 9.x (64 KB AXFR message limit), fixed in SP3, see article 297936.
  - See article 260021.
Related Knowledge Base Articles
331907 DNS Serial Number Is Incremented During Zone Transfer
http://support.microsoft.com/?id=331907
313563 HOW TO: Configure a Secondary Name Server in Windows 2000
http://support.microsoft.com/?id=313563
297936 DNS and BIND Zone Transfers May Not Work
http://support.microsoft.com/?id=297936
291016 A Description of the Zone Transfer Throttling Mechanism
http://support.microsoft.com/?id=291016
260021 Event ID 6524 with DNS Incremental Zone Transfer Problem
http://support.microsoft.com/?id=260021
DNS Administration Issues
Permissions issues
What to check for:
- To perform server administration, i.e. change server parameters, a user must have FULL CONTROL permissions on the MicrosoftDNS container in Active Directory.
- To perform zone administration, i.e. change zone parameters, a user must have FULL CONTROL permissions on the zone object within the MicrosoftDNS container in Active Directory.
  - Note: It is not possible to allow a user to make changes to a zone and yet keep them from possibly deleting the zone.
- To allow a user to read the server and/or zone parameters but not change them, they must have READ permissions on the MicrosoftDNS container and/or the zone object.
- If ACLs have been modified on the zone, you can reset the zone security to the default using the following command (this is for a domain called example.com):
  Dsacls cn=MicrosoftDNS,cn=system,dc=example,dc=com /S /T
DNS not Scavenging Stale Records
What to check for:
- Verify that DNS Scavenging is enabled in the server Advanced properties.
- Verify that the zone in question has scavenging enabled.
- Verify that the record(s) have a timestamp. In the DNS MMC, select View \ Advanced, then right-click the record and select Properties.
- The record time stamp must be older than the combination of the No-refresh + Refresh intervals to be subject to scavenging. Be aware that automatic scavenging of the zone will not occur until the DNS Server service has been running for a period of time equal to the Refresh interval set on the zone.
- To initiate a scavenge manually, in the DNS MMC, right-click on the DNS server and select “Scavenge stale resource records”.
- If a large number of records do not have a timestamp and need one set (to be subject to scavenging), the dnscmd utility can be used to accomplish this. CAUTION: using this utility to force the aging of all records in a zone will cause records for hosts that are not dynamically updated to eventually be scavenged from the zone.
  dnscmd <Server_IP> /ageallrecords <zone_name>
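As an added example (not code from the original troubleshooter), the Python below models the aging rules the checklist above relies on: which window a record's timestamp falls in, why a refresh inside the No-refresh interval leaves the stamp alone, why nothing is scavenged until the service has been up for one Refresh interval, and what /ageallrecords does to static records. The record set, dates and function names are constructed.

```python
"""Model of the DNS aging/scavenging rules: the No-refresh and Refresh
windows, the uptime condition for automatic scavenging, and what
/ageallrecords does to records without a timestamp. Added example, not
code from the original troubleshooter; records and dates are constructed."""

from datetime import datetime, timedelta
from typing import Dict, List, Optional

Record = Dict[str, Optional[datetime]]   # {"name": ..., "timestamp": ...}


def classify(timestamp: Optional[datetime], now: datetime,
             no_refresh: timedelta, refresh: timedelta) -> str:
    """State of one record under the zone's aging intervals."""
    if timestamp is None:
        return "static"            # no timestamp: never scavenged
    age = now - timestamp
    if age < no_refresh:
        return "no-refresh"        # a refresh update does not move the stamp
    if age < no_refresh + refresh:
        return "refresh"           # a dynamic update resets the timestamp
    return "scavengeable"          # older than No-refresh + Refresh


def dynamic_update(rec: Record, now: datetime,
                   no_refresh: timedelta, refresh: timedelta) -> Record:
    """Apply a refresh-only dynamic update from the host (same data)."""
    state = classify(rec["timestamp"], now, no_refresh, refresh)
    if state in ("refresh", "scavengeable"):
        return {**rec, "timestamp": now}
    return rec                     # static or inside no-refresh: unchanged


def age_all_records(records: List[Record], now: datetime) -> List[Record]:
    """dnscmd /ageallrecords: stamp every static record with `now`, which
    makes hosts that never dynamically update eligible for scavenging later."""
    return [{**r, "timestamp": now} if r["timestamp"] is None else r
            for r in records]


def automatic_scavenge(records: List[Record], now: datetime,
                       service_started: datetime, no_refresh: timedelta,
                       refresh: timedelta) -> List[str]:
    """Names the server would remove on its next automatic scavenging pass.
    Nothing is removed until the DNS Server service has been up for one
    Refresh interval, which is why a freshly restarted server appears idle."""
    if now - service_started < refresh:
        return []
    return [r["name"] for r in records
            if classify(r["timestamp"], now, no_refresh, refresh) == "scavengeable"]


if __name__ == "__main__":
    nr = rf = timedelta(days=7)                 # zone defaults of 7 + 7 days
    now = datetime(2003, 6, 15)
    zone = [
        {"name": "ws01.domain.com", "timestamp": now - timedelta(days=2)},
        {"name": "ws02.domain.com", "timestamp": now - timedelta(days=10)},
        {"name": "ws03.domain.com", "timestamp": now - timedelta(days=20)},
        {"name": "printer.domain.com", "timestamp": None},   # static entry
    ]
    for r in zone:
        print(r["name"], classify(r["timestamp"], now, nr, rf))
    print(automatic_scavenge(zone, now, now - timedelta(days=1), nr, rf))  # []
    print(automatic_scavenge(zone, now, now - timedelta(days=8), nr, rf))  # ws03
```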
Misc. Issues
- MMC not displaying filtered results (Update needed, see article 811136)
- 7062 Errors – These errors are almost always from a lame delegation. Another DNS server has delegated a zone to the DNS server logging these errors, however the server logging the errors does not have the given zone. See article 235689 for further troubleshooting.
Related Knowledge Base Articles
811136 Windows 2000 DNS MMC Does Not Filter Properly (Outsourcer Only)
324745 HOW TO: Install the Active Directory Administrative Tools to Windows XP
http://support.microsoft.com/?id=324745
296116 HOW TO: Configure the Windows 2000 Domain Name System to Age Records
http://support.microsoft.com/?id=296116
235689 How to Troubleshoot 7062 Errors Logged in DNS Event Log
http://support.microsoft.com/?id=235689
Common BIND Interoperability issues
- BIND 4.9.6 or later necessary to support SRV records.
- BIND 8.2.1 or later recommended to support dynamic updates.
- BIND 8.2 and later necessary for incremental zone transfer.
- BIND 4.9.4 and earlier cannot accept multiple records in a DNS message during a zone transfer, and the Microsoft primary server must have “BIND Secondaries” set in the Advanced properties of the DNS server. See article 198409.
- When allowing zone transfers to BIND DNS servers, it is recommended to not replicate the WINS or WINS-R lookup records. See article 164176.
- When allowing zone transfers to BIND DNS servers, it’s recommended to configure the zone “Name checking” for “Strict RFC”.
- Secure dynamic updates are not possible between BIND and Microsoft clients.
Related Knowledge Base Articles
198409 Microsoft DNS Server Registry Parameters, Part 2 of 3
http://support.microsoft.com/?id=198409
164176 Interoperability of WINS and Microsoft DNS
http://support.microsoft.com/?id=164176
241973 Master Zone May Not Work with BIND DNS for Windows 2000 Active Directory
http://support.microsoft.com/?id=241973
Troubleshooting Tools
Listed below are some of the most common tools available for troubleshooting DNS related issues.
DNS Logging
DNS logging can be used to troubleshoot many name resolution problems. It is configured in the DNS MMC in the Advanced server properties. In order for any logging to occur, one of the boxes from each of the following sections must be checked:
Query | Notify | Update
Questions | Answers
Send | Receive
UDP | TCP
For example, in order to log the responses that a DNS server receives for a query, it would be necessary to check at least the following boxes: Query, Answers, Receive, UDP.
NSLOOKUP
Nslookup is a primary tool to use in testing and verifying a DNS server’s response to queries. It can be used in interactive & non-interactive mode. Interactive mode is generally used when more than one query will be performed. Non-interactive mode is good to use when you want to pipe the query result to a text file, or simply to perform one query. See article 200525.
Example of using nslookup to query for an SOA record in interactive mode, press Enter after each command:
C:\>nslookup
server <ip address>    (use the IP address of the DNS server you wish to query)
set querytype=SOA
domain.com.
Using non-interactive mode to pipe the query result to a file:
nslookup -option <record> <DNS server> >dns.txt
Example of doing a query for www.microsoft.com:
C:\>nslookup -d2 www.microsoft.com 207.46.138.20 >DNS.txt
NOTE: The above will perform a query for the A record of www.microsoft.com against the server with the specified IP address, with d2 level logging. Debug or d2 logging is very helpful when you need detailed information about the DNS server’s response to a specified query.
DNSLINT
This utility can be used when it is necessary to query a set of records on multiple DNS servers, which would be more difficult to do with nslookup. See articles 330105 & 321045 for an explanation on how to use this utility.
NETDIAG
To use Netdiag on a client to perform diagnostic logging for DNS issues:
Netdiag /test:dns /debug
Using Netdiag to force DNS registration of records:
Netdiag /fix
Note: Be sure to use the latest version of this utility. Updates to the “Support Tools” are not contained in the Service Pack itself.
http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/supporttools.asp
DNSCMD
This utility can be used to perform most of the tasks that can be accomplished through the DNS MMC. You can create, delete, and view records etc. See article 286041 for additional details.
Debug Logging
In some cases it is necessary to perform some advanced troubleshooting measures to diagnose a problem. A checked build of dns.exe can be installed on a DNS server and the service can be configured to write the desired logging information to a file. Use the following article for specific information on how to get DNS to log to a file, and the type of debug information that can be logged. Article 142270 “Displaying Windows DNS Server Status and Debug Messages”.
Related Knowledge Base Articles
200525 Using NSlookup.exe
http://support.microsoft.com/?id=200525
286041 How to use Dnscmd.exe to Extract Information from Active Directory
http://support.microsoft.com/?id=286041
330105 How to Verify Large Numbers of DNS Records by Using DNSLint
http://support.microsoft.com/?id=330105
219289 Description of the Netdiag /fix Switch
http://support.microsoft.com/?id=219289
321045 Description of the DNSLint Utility
http://support.microsoft.com/?id=321045