Troubleshooting DNS Troubleshooting DNS configuration issues on configuration issues on domain controllers by using domain controllers by using the DNS test in the Windows the DNS test in the Windows Server 2003 SP1-based Server 2003 SP1-based version of the DCDIAG tool version of the DCDIAG tool David Rheaume David Rheaume Rapid response engineer Rapid response engineer Premier Field Engineering Premier Field Engineering Microsoft Corporation Microsoft Corporation
Transcript
Troubleshooting DNS Troubleshooting DNS configuration issues on domain configuration issues on domain controllers by using the DNS test controllers by using the DNS test in the Windows Server 2003 SP1-in the Windows Server 2003 SP1-based version of the DCDIAG toolbased version of the DCDIAG tool
David RheaumeDavid RheaumeRapid response engineerRapid response engineerPremier Field EngineeringPremier Field EngineeringMicrosoft CorporationMicrosoft Corporation
Troubleshooting DNS Troubleshooting DNS configuration issues on domain configuration issues on domain controllers by using the DNS test controllers by using the DNS test in the Windows Server 2003 SP1-in the Windows Server 2003 SP1-based version of the DCDIAG toolbased version of the DCDIAG tool
David RheaumeDavid RheaumeRapid response engineerRapid response engineerPremier Field EngineeringPremier Field EngineeringMicrosoft CorporationMicrosoft Corporation
2
David RheaumeDavid RheaumeDavid RheaumeDavid Rheaume
David Rheaume is a rapid response engineer in the Microsoft Premier Field Engineering group. David joined Microsoft in March 2000 and has supported Active Directory® during all of his time with the company. During this time, he has provided front-line and escalation support in Product Support Services (PSS), beta support for customers deploying pre-release software in the enterprise, and most recently, on-site support for Microsoft enterprise customers.
3
AgendaAgenda
Overview of Active Directory® name Overview of Active Directory® name resolution resolution
DCDIAG installation and system DCDIAG installation and system requirementsrequirements
DCDIAG /TEST:DNS drill downDCDIAG /TEST:DNS drill down
DCDIAG /TEST:DNS usage scenarios and DCDIAG /TEST:DNS usage scenarios and syntaxsyntax
DCDIAG /TEST:DNS known issuesDCDIAG /TEST:DNS known issues
4
Active Directory name resolutionActive Directory name resolution
Before Active Directory, Microsoft® Windows® domains required a relatively simple set of NetBIOS records (1B, 1C) resolved by Windows Internet Name Service (WINS).
Active Directory changed requirements to a detailed set of site-specific, domain-specific, and forest-wide service location and replication records resolved by DNS.
Detailed knowledge of Domain Name System (DNS) operation and troubleshooting was not common among Windows domain administrators.
DNS monitoring solutions were not typically deployed in the enterprise.
5
DNS configuration issues in Active Directory deployments
Many or all domain controllers in an organization may have DNS installed and can accept updates to the zones.
Replication of DNS records is subject to typical replication latency.
Automatic DNS setup in Microsoft Windows 2000 did not use optimized defaults.
DNS servers that host common Active Directory-integrated zones still require per-server configuration.
6
Key failures that are caused by DNS Key failures that are caused by DNS misconfigurationmisconfiguration
Active Directory replication
User authentication
Domain controller promotion and demotion (DCPROMO)
Domain joining
Internet access
7
DCDIAG /TEST:DNSDCDIAG /TEST:DNS
New test option in Microsoft Windows Server™ 2003 Service Pack 1 (SP1) DCDIAG
One tool for validation of forest-wide DNS configuration
8
Installation sourcesInstallation sources
Windows Server 2003 SP1 Support Tools Windows Server 2003 SP1 Support Tools http://support.microsoft.com/kb/892777http://support.microsoft.com/kb/892777
Supported installation platforms Supported installation platforms Windows Server 2003 members plus domain Windows Server 2003 members plus domain controllerscontrollersMicrosoft Windows XP Professional member Microsoft Windows XP Professional member computerscomputers
10
System requirements System requirements (2)(2)
Supported test targets Supported test targets Windows 2000 with Service Pack 2 (SP3) Windows 2000 with Service Pack 2 (SP3) Windows Server 2003Windows Server 2003Windows Server 2003 SP1Windows Server 2003 SP1
When to use DCDIAG /TEST:DNSWhen to use DCDIAG /TEST:DNSAny time that you suspect DNS is brokenAny time that you suspect DNS is broken
Any time that you want to validate DNS healthAny time that you want to validate DNS health
Best practices recommend that you Best practices recommend that you validate the DNS infrastructure at least validate the DNS infrastructure at least weekly by using DCDIAG /TEST:DNSweekly by using DCDIAG /TEST:DNS
A more frequent interval, such as daily, A more frequent interval, such as daily, provides better monitoring of the DNS provides better monitoring of the DNS infrastructureinfrastructure
Validates seven elements of DNS health Connectivity
Performed by default as part of test from previous versions
Basic DNSForwarderDelegationDynamic updateRecord registrationExternal name resolution
By default, this test is not run
13
By default, all tests other than external name By default, all tests other than external name resolution are runresolution are runAny test can be run individuallyAny test can be run individuallyTest DNS health for a single domain controller or Test DNS health for a single domain controller or for all domain controllers in a forest or naming for all domain controllers in a forest or naming contextcontextPass, Warn, or Fail status for each test in the Pass, Warn, or Fail status for each test in the summary tablesummary table
The verbose switch is required to gather The verbose switch is required to gather most of the interesting information other most of the interesting information other than summary tablethan summary table
/e/e – All specified tests are run against all – All specified tests are run against all domain controllers so that NTDS Settings domain controllers so that NTDS Settings objects are listed on the targeted domain objects are listed on the targeted domain controllercontroller
17
Syntax examples for common test Syntax examples for common test scenariosscenarios
DCDIAG /TEST:DNS /v /f:DCDIAG /TEST:DNS /v /f:filenamefilename /s /sTest DNS on a single server and log verbose Test DNS on a single server and log verbose output to a fileoutput to a file
DCDIAG /TEST:DNS /v /f:DCDIAG /TEST:DNS /v /f:filenamefilename /e /eTest DNS on all domain controllers in the Test DNS on all domain controllers in the forest and log verbose output to a fileforest and log verbose output to a file
18
Connectivity testConnectivity test
Cannot be skippedCannot be skipped
No separate syntax for connectivity test No separate syntax for connectivity test because it abecause it always runslways runs
Tests performedTests performedAre domain controllers registered in DNS?Are domain controllers registered in DNS?
Can they be pinged?Can they be pinged?
Do they have Lightweight Directory Access Do they have Lightweight Directory Access Protocol/remote procedure call (LDAP/RPC) Protocol/remote procedure call (LDAP/RPC) connectivity?connectivity?
No other tests run against a domain No other tests run against a domain controller if this test failscontroller if this test fails
19
Basic DNS testBasic DNS test
Syntax: Syntax: /DnsBasic/DnsBasic
Tests performedTests performedAre the expected services running? Are the expected services running?
DNS client serviceDNS client serviceDNS Server serviceDNS Server serviceNetlogon serviceNetlogon serviceKey Distribution Center (KDC) serviceKey Distribution Center (KDC) service
Are DNS servers available over network Are DNS servers available over network adaptors?adaptors?
20
Basic DNS test Basic DNS test (2)(2)
Additional tests performedAdditional tests performedIf DNS is installed, does the domain controller’s If DNS is installed, does the domain controller’s Active Directory namespace zone exist?Active Directory namespace zone exist?If DNS is installed, does a valid Start of Authority If DNS is installed, does a valid Start of Authority (SOA) record exist for the domain controller?(SOA) record exist for the domain controller?Is the host record (also called the A record or glue Is the host record (also called the A record or glue record) registered on at least one DNS server?record) registered on at least one DNS server?Does the root (.) zone exist?Does the root (.) zone exist?
21
Warning Additional information
Warning: Adapter adapter name has dynamic IP address (can be a misconfiguration)
Static IP addresses are recommended for all DNS servers.
Warning: adapter adapter name has invalid DNS server: name IP address
Server that is configured as DNS resolver for the adapter may not be reachable.
Warning: no DNS RPC connectivity (error or non-Microsoft DNS server is running)
Disregard this warning if the DNS server is a BIND or other non-Microsoft DNS server.
Warning: The Active Directory zone on this DC/DNS server was not found (probably a misconfiguration)
Disregard if the forest root namespace is a three-segment name without a corresponding two-segment namespace, for example, the forest root “example.domain.com” where no zone “domain.com” exists.
Warning: Root zone on this DC/DNS server was found (could be a misconfiguration)
Error: Authentication failed with specified credentials
Enterprise Admin credentials are required
Error: No LDAP connectivity Network access over TCP port 389 is required
Error: No DS RPC connectivity Network access over Windows server message block (SMB) ports is required
Error: No WMI connectivity DNS test requires WMI connectivity to run on the remote machine.
Error: Cannot read operating system version through WMI
WMI connectivity and permissions are required
Error: Operating system name not supported Valid targets include Windows 2000 SP3, Windows Server 2003, and Windows Server 2003 SP1
Error: Open Service Control Manager failed Service is not running or is not installed, or account used to run the test does not have permissions to read the service
23
/DnsBasic errors /DnsBasic errors (2)(2)
Error Additional information
Error: KDC/Netlogon/DNS/DNScache is not running
Specified services are not running.
Error: Cannot read network adapter information through WMI
WMI connectivity and permissions are required.
Error: all DNS servers are invalid DNS servers configured in resolver settings cannot be pinged or are not valid DNS servers.
Error: The A record for this domain controller was not found
Missing Host record. Check that DHCP client service is running on specified machine.
Error: Enumeration of zones failed to find out whether there is a root and Active Directory zone
Error: Could not query DNS zones on this domain controller
Unable to query Active Directory name records for the DC specified.
24
Forwarders testForwarders test
Syntax: Syntax: /DnsForwarders/DnsForwarders Tests performedTests performed
Is recursion enabled?Is recursion enabled?Verifies forwarders and root hints configuration if Verifies forwarders and root hints configuration if these items are present. these items are present. Can Can _ldap_tcp.dc._msdcs._ldap_tcp.dc._msdcs.Forest root domainForest root domain domain controller locator record be resolved by domain controller locator record be resolved by domain controllers in a non-root domain?domain controllers in a non-root domain?
Notes: Notes: This test is run only if the targeted domain controller This test is run only if the targeted domain controller is running the Microsoft DNS Server service.is running the Microsoft DNS Server service.Forwarders and root hints are not used to resolve Forwarders and root hints are not used to resolve _ldap_tcp.dc._msdcs._ldap_tcp.dc._msdcs.Forest root domainForest root domain locator locator records on forest root domain controllers.records on forest root domain controllers.
25
/DnsForwarders errors/DnsForwarders errors
Error Additional information
Error: Forwarders list has invalid forwarder: IP address of the forwarder
The specified IP address is unreachable or is not answering DNS queries.
Error: Both root hints and forwarders are not configured. Please configure either forwarders or root hints
The tested DNS server is not a root server, but it is not configured to perform any external name resolution
Error: Root hints list has invalid root hint server: IP address of Root hint server
The configured root hints servers not reachable or not answering DNS queries
Error: Enumeration of root hint servers failed on DNS server name
The test could not list the root servers on the target DNS server.
26
Delegation testDelegation test
Syntax: Syntax: /DnsDelegation/DnsDelegation
Tests performedTests performedIs the delegated name server a functioning Is the delegated name server a functioning DNS server?DNS server?
Are there broken delegations?Are there broken delegations?Verifies that the host record can be resolved for Verifies that the host record can be resolved for each listed name server (NS) recordeach listed name server (NS) record
NotesNotes
This test is run only if the targeted domain This test is run only if the targeted domain controller is running the Microsoft DNS controller is running the Microsoft DNS Server service.Server service.
27
/DnsDelegation warnings/DnsDelegation warnings
Warning Additional information
Warning: DNS server: DnsServer name IP: Ipaddress Failure: Missing glue (A) record
Cannot resolve the host record for the specified delegated name server
28
/DnsDelegation errors/DnsDelegation errors
Error Additional information
DNS server: Server name IP: IP address Error: Broken delegation
The name server specified by delegation cannot resolve zone records or is not responding to DNS queries.
DNS server: Server name IP: IP address Error: Broken delegated domain delegated domain name
Error: Failed to enumerate the records at the zone root on the server
Tests performedTests performedIs the domain controller’s DNS zone configured to Is the domain controller’s DNS zone configured to accept secureaccept secure dynamic updates?dynamic updates?
Can Can _dcdiag_test_record_dcdiag_test_record be registered on the be registered on the current DNS server?current DNS server?
Deletes test registration record.Deletes test registration record.
Tests performedTests performedAre service locator (SRV) resource records for Are service locator (SRV) resource records for each network service registered on all each network service registered on all configured DNS servers?configured DNS servers?
Warning: Missing DC SRV record at DNS server record name
Ignore the error if the DNSAvoidRegisterRecord registry key or its Group Policy has been configured to prevent registration of this record.
Warning: Missing GC SRV record at DNS server record name
Ignore the error if the DNSAvoidRegisterRecord registry key or its Group Policy has been configured to prevent registration of this record.
Warning: Missing PDC SRV record at DNS server record name
Ignore the error if the DNSAvoidRegisterRecord registry key or its Group Policy has been configured to prevent registration of this record.
Warning: Record Registrations not found in some network adapters
34
/DnsRecordRegistration errors/DnsRecordRegistration errorsError Additional information
Error: Missing A record at DNS server <DNS Server IP address> : <A record name>
Domain controller has not registered its A record on the specified DNS server
Error: Missing CNAME record at DNS server <DNS Server IP address> : <CNAME record name>
Domain controller has not registered its CNAME record on the specified DNS server
Error: Missing DC SRV record at DNS server <DNS Server IP address> : <SRV record name>
Domain controller has not registered its DC SRV record on the specified DNS server
Error: Missing GC SRV record at DNS server <DNS Server IP address> : <SRV record name>
Domain controller has not registered its GC SRV record on the specified DNS server
Error: Missing PDC SRV record at DNS server <DNS Server IP address> : <SRV record name>
Domain controller has not registered specified PDC SRV record on the specified DNS server. All these records can be registered by stopping and starting Netlogon service.
Note To reregister SRV records, restart the Netlogon service or run NETDIAG /fix. To correct stale records, rename Netlogon.dns and Netlogon.dnb in %SystemRoot%\System32\Config.
The Dynamic Host Control Protocol The Dynamic Host Control Protocol (DHCP) client service is required to (DHCP) client service is required to dynamically register host (A) records.dynamically register host (A) records.
DHCP service is still required on statically DHCP service is still required on statically addressed computers.addressed computers.
IPCONFIG /registerdnsIPCONFIG /registerdns will reregister A will reregister A records on demand.records on demand.
The Netlogon service registers all service The Netlogon service registers all service locator (SRV) resource locator records.locator (SRV) resource locator records.
To correct stale records, rename To correct stale records, rename Netlogon.dns and Netlogon.dnb in Netlogon.dns and Netlogon.dnb in %SystemRoot%\System32\Config.%SystemRoot%\System32\Config.
To reregister SRV records, restart the To reregister SRV records, restart the Netlogon service or run Netlogon service or run NETDIAG /fixNETDIAG /fix..
37
External name resolution testExternal name resolution test
Clients that point to invalid DNS server Clients that point to invalid DNS server
DNS servers that have invalid forwarders and DNS servers that have invalid forwarders and delegationsdelegations
EffectEffect
DCDIAG waits the RPC time-out number of seconds DCDIAG waits the RPC time-out number of seconds for response to testsfor response to tests
Exponential delays in DCDIAG runtimeExponential delays in DCDIAG runtime
40
Performance factors for DCDIAG Performance factors for DCDIAG /TEST:DNS /TEST:DNS (2)(2)
Real-world performanceReal-world performance
About 4.1 to 4.5 domain controllers per minute over About 4.1 to 4.5 domain controllers per minute over “fast” wide area network (WAN) links.“fast” wide area network (WAN) links.
DCDIAGDCDIAG /e /e may not be appropriate in forests that may not be appropriate in forests that contain 1000 domain controllers.contain 1000 domain controllers.
DCDIAG /TEST:DNS has been run in forests that DCDIAG /TEST:DNS has been run in forests that contain 200 to 400 domain controllers.contain 200 to 400 domain controllers.
41
/Enterprise DNS infrastructure errors/Enterprise DNS infrastructure errors
Error Additional information
Error: Delegation is not configured on the parent domain
Delegation should be configured from parent to subordinate domain
Error: Delegation is present but the glue record is missing
Delegation is configured; Host record cannot be resolved for one or more NS records
Error: Forwarders are misconfigured from parent domain to subordinate domain
Forwarders should point “up” the namespace rather than “down”
Error: Root hints are misconfigured from parent domain to subordinate domain
Root hints should point “up” the namespace rather than “down”
Error: Forwarders are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details)
Configured forwarders are unavailable, cannot resolve the requested records, or are not responding to DNS queries
Error: Root hints are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details)
Configured root hints are unavailable, cannot resolve the requested records, or are not responding to DNS queries
42
Strategies to help interpret Strategies to help interpret /TEST:DNS output/TEST:DNS output
Load the report in Notepad or your preferred text Load the report in Notepad or your preferred text editoreditor
Multiple monitor system (Multimon) or split Multiple monitor system (Multimon) or split screen provide optimal viewing environment. screen provide optimal viewing environment.
Primary monitor or pane focuses on summary table.Primary monitor or pane focuses on summary table.
Secondary monitor or pane focuses on breakout Secondary monitor or pane focuses on breakout section of each failing domain controller. section of each failing domain controller.
43
Strategies to help interpret Strategies to help interpret /TEST:DNS output /TEST:DNS output (2)(2)
Review the summary table near the bottom of the Review the summary table near the bottom of the DCDIAG log file. DCDIAG log file.
Locate domain controllers that reported Locate domain controllers that reported failuresfailures or or warningwarning status in the summary table. status in the summary table.
Find a breakout section for a problem domain Find a breakout section for a problem domain controller by searching for “DC: controller by searching for “DC: DCNameDCName”.”.
Make required configuration changes on DNS Make required configuration changes on DNS clients and DNS servers. clients and DNS servers.
Run DCDIAG /TEST:DNS again with the Run DCDIAG /TEST:DNS again with the /e/e or or /s/s switch to validate DNS health.switch to validate DNS health.
44
Known issuesKnown issues
DCDIAG /TEST:DNS does not perform DCDIAG /TEST:DNS does not perform comprehensive Best Practices checks. No comprehensive Best Practices checks. No warnings or errors will be logged for single warnings or errors will be logged for single point-of-failure configurations such as single point-of-failure configurations such as single defined DNS resolver, forwarder, or defined DNS resolver, forwarder, or delegation.delegation.
Servers that are targeted by the DCDIAG Servers that are targeted by the DCDIAG /TEST:DNS tool must be registered in WINS /TEST:DNS tool must be registered in WINS to be discovered by the tool.to be discovered by the tool.
45
Known issues Known issues (2)(2)
In child domains, any configured root hint or In child domains, any configured root hint or forwarders will be tested for resolution of root forwarders will be tested for resolution of root domain records. domain records.
This test will occur even if a copy of the root zone, This test will occur even if a copy of the root zone, a stub zone, or a conditional forwarder is hosted a stub zone, or a conditional forwarder is hosted locally. locally.
DCDIAG /TEST:DNS will report an error when DCDIAG /TEST:DNS will report an error when these external servers cannot resolve the forest these external servers cannot resolve the forest root domain.root domain.
46
Known issues Known issues (3)(3)
DCDIAG /TEST:DNS /DNSBASIC does a pointer DCDIAG /TEST:DNS /DNSBASIC does a pointer (PTR) query for the loopback address of listed (PTR) query for the loopback address of listed forwarder or root hints server. BIND or other third-forwarder or root hints server. BIND or other third-party DNS servers that do not configure the loopback party DNS servers that do not configure the loopback zone will return “name does not exist.” DCDIAG zone will return “name does not exist.” DCDIAG /TEST:DNS interprets this response as INVALID, the /TEST:DNS interprets this response as INVALID, the query fails, and you receive the following message. query fails, and you receive the following message.
DNS server: 192.168.2.1 ()DNS server: 192.168.2.1 ()
6 test failures on this DNS server6 test failures on this DNS server
This is not a valid DNS server. PTR record query for the This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.2.11.0.0.127.in-addr.arpa. failed on the DNS server 192.168.2.1
[Error details: 9002 (Type: Win32 - Description: DNS server failure.)][Error details: 9002 (Type: Win32 - Description: DNS server failure.)]
47
Known issues Known issues (4)(4)
In environments that are configured by using the Branch In environments that are configured by using the Branch Office Deployment Guide and that have the Office Deployment Guide and that have the DNSAvoidRegisterRecord registry key set, each server DNSAvoidRegisterRecord registry key set, each server that has the key set will generate WARN messages when that has the key set will generate WARN messages when the server is examined by the /DnsRecordRegistration the server is examined by the /DnsRecordRegistration test. test.
If the primary DNS resolver is set to 127.0.0.1 (loopback), If the primary DNS resolver is set to 127.0.0.1 (loopback), DCDIAG /TEST:DNS will report errors for the DCDIAG /TEST:DNS will report errors for the /DnsRecordRegistration/DnsRecordRegistration test. test.
127.0.0.1 is the default configuration when Windows Server 2003 127.0.0.1 is the default configuration when Windows Server 2003 DCPROMO configures DNS automatically,DCPROMO configures DNS automatically,
To correct the reported error, change the DNS resolver from the To correct the reported error, change the DNS resolver from the loopback address to the actual IP of the local computer.loopback address to the actual IP of the local computer.
Thank you for joining us for today’s event.Thank you for joining us for today’s event.
For information about all upcoming Support WebCasts, and access For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint® slides, to the archived content (streaming media files, PowerPoint® slides, and transcripts), visit the Support WebCast site at and transcripts), visit the Support WebCast site at http://support.microsoft.com/WebCasts/.
We sincerely appreciate your feedback. Please submit any comments We sincerely appreciate your feedback. Please submit any comments or suggestions about the Support WebCasts on the “Contact Us” or suggestions about the Support WebCasts on the “Contact Us” page of the Support Web site at page of the Support Web site at http://support.microsoft.com/servicedesks/webcasts/feedback.asp.
