Troubleshooting DNS configuration issues on domain controllers by using the DNS test in the Windows Server 2003 SP1-based version of the DCDIAG tool

David Rheaume, Rapid Response Engineer, Premier Field Engineering, Microsoft Corporation

David Rheaume is a rapid response engineer in the Microsoft Premier Field Engineering group. David joined Microsoft in March 2000 and has supported Active Directory® during all of his time with the company. During this time, he has provided front-line and escalation support in Product Support Services (PSS), beta support for customers deploying prerelease software in the enterprise, and most recently, on-site support for Microsoft enterprise customers.
Agenda
- Overview of Active Directory® name resolution
- DCDIAG installation and system requirements
- DCDIAG /TEST:DNS drill down
- DCDIAG /TEST:DNS usage scenarios and syntax
- DCDIAG /TEST:DNS known issues
Active Directory name resolution
- Before Active Directory, Microsoft® Windows® domains required a relatively simple set of NetBIOS records (1B, 1C) resolved by Windows Internet Name Service (WINS).
- Active Directory changed the requirements to a detailed set of site-specific, domain-specific, and forest-wide service location and replication records resolved by DNS.
- Detailed knowledge of Domain Name System (DNS) operation and troubleshooting was not common among Windows domain administrators.
- DNS monitoring solutions were not typically deployed in the enterprise.
DNS configuration issues in Active Directory deployments
- Many or all domain controllers in an organization may have DNS installed and can accept updates to the zones.
- Replication of DNS records is subject to typical replication latency.
- Automatic DNS setup in Microsoft Windows 2000 did not use optimized defaults.
- DNS servers that host common Active Directory-integrated zones still require per-server configuration.

Key failures that are caused by DNS misconfiguration
- Active Directory replication
- User authentication
- Domain controller promotion and demotion (DCPROMO)
- Domain joining
- Internet access
DCDIAG /TEST:DNS
- New test option in the Microsoft Windows Server™ 2003 Service Pack 1 (SP1) version of DCDIAG
- One tool for validation of forest-wide DNS configuration

Installation sources
- Windows Server 2003 SP1 Support Tools: http://support.microsoft.com/kb/892777
System requirements
Supported installation platforms
- Windows Server 2003 member servers and domain controllers
- Microsoft Windows XP Professional member computers
System requirements (2)
Supported test targets
- Windows 2000 with Service Pack 3 (SP3)
- Windows Server 2003
- Windows Server 2003 SP1
Credential requirements
- Enterprise administrators
DCDIAG /TEST:DNS
When to use DCDIAG /TEST:DNS
- Any time that you suspect DNS is broken
- Any time that you want to validate DNS health
- Best practices recommend that you validate the DNS infrastructure at least weekly by using DCDIAG /TEST:DNS
- A more frequent interval, such as daily, provides better monitoring of the DNS infrastructure
DCDIAG /TEST:DNS operations
Validates seven elements of DNS health:
- Connectivity (performed by default, as part of the test in previous versions of DCDIAG)
- Basic DNS
- Forwarders
- Delegation
- Dynamic update
- Record registration
- External name resolution (by default, this test is not run)

DCDIAG /TEST:DNS operations (2)
- By default, all tests other than external name resolution are run
- Any test can be run individually
- Test DNS health for a single domain controller or for all domain controllers in a forest or naming context
- Pass, Warn, or Fail status for each test in the summary table
DCDIAG /TEST:DNS syntax
Sub tests can be run individually by using switches:
- /DnsBasic – Performs basic tests; cannot be skipped
- /DnsForwarders – Forwarders and root hints tests
- /DnsDelegation – Delegation tests
- /DnsDynamicUpdate – Dynamic update tests

DCDIAG /TEST:DNS syntax (2)
Additional sub tests:
- /DnsRecordRegistration – Record registration tests
- /DnsResolveExtName – External name resolution test
- /DnsInternetName:<Internet name> – Name to resolve for the /DnsResolveExtName test; if no Internet name is specified, the default is www.microsoft.com
- /DnsAll – Runs all tests
DCDIAG /TEST:DNS optional parameters
The verbose switch is required to gather most of the interesting information other than the summary table.
- /s:DCName – Target a single domain controller
- /f:Logfile – Write output to a log file
- /ferr:Logerr – Write errors to a separate log file
- /v – Displays verbose output
- /e – All specified tests are run against all domain controllers whose NTDS Settings objects are listed on the targeted domain controller
Syntax examples for common test scenarios
- DCDIAG /TEST:DNS /v /f:filename /s:DCName – Test DNS on a single server and log verbose output to a file
- DCDIAG /TEST:DNS /v /f:filename /e – Test DNS on all domain controllers in the forest and log verbose output to a file
Connectivity test
- Cannot be skipped
- No separate syntax for the connectivity test because it always runs
Tests performed
- Are domain controllers registered in DNS?
- Can they be pinged?
- Do they have Lightweight Directory Access Protocol/remote procedure call (LDAP/RPC) connectivity?
No other tests run against a domain controller if this test fails.
Basic DNS test
Syntax: /DnsBasic
Tests performed
- Are the expected services running? DNS Client service, DNS Server service, Netlogon service, Key Distribution Center (KDC) service
- Are DNS servers available over network adapters?

Basic DNS test (2)
Additional tests performed
- If DNS is installed, does the domain controller’s Active Directory namespace zone exist?
- If DNS is installed, does a valid Start of Authority (SOA) record exist for the domain controller?
- Is the host record (also called the A record or glue record) registered on at least one DNS server?
- Does the root (.) zone exist?
/DnsBasic warning conditions
Warning: Adapter has dynamic IP address
  Additional information: a misconfiguration
Warning: Adapter has invalid DNS server address
/DnsBasic errors
Error: Authentication failed with specified credentials
  Additional information: Enterprise Admin credentials are required
Error: No LDAP connectivity
  Additional information: Network access over TCP port 389 is required
Error: No DS RPC connectivity
  Additional information: Network access over Windows server message block (SMB) ports is required
Error: No WMI connectivity
  Additional information: The DNS test requires WMI connectivity to run on the remote machine
Error: Cannot read operating system version through WMI
  Additional information: WMI connectivity and permissions are required
Error: Operating system name not supported
  Additional information: Valid targets include Windows 2000 SP3, Windows Server 2003, and Windows Server 2003 SP1
Error: Open Service Control Manager failed
  Additional information: The service is not running or is not installed, or the account used to run the test does not have permissions to read the service
/DnsBasic errors (2)
Error: KDC/Netlogon/DNS/DNScache is not running
  Additional information: The specified services are not running
Error: Cannot read network adapter information through WMI
  Additional information: WMI connectivity and permissions are required
Error: All DNS servers are invalid
  Additional information: DNS servers configured in the resolver settings cannot be pinged or are not valid DNS servers
Error: The A record for this domain controller was not found
  Additional information: Missing host record. Check that the DHCP Client service is running on the specified machine
Error: Enumeration of zones failed to find out whether there is a root and Active Directory zone
Error: Could not query DNS zones on this domain controller
  Additional information: Unable to query Active Directory name records for the specified DC
Forwarders test
Syntax: /DnsForwarders
Tests performed
- Is recursion enabled?
- Verifies the forwarders and root hints configuration if these items are present
- Can the _ldap._tcp.dc._msdcs.<forest root domain> domain controller locator record be resolved by domain controllers in a non-root domain?
Notes
- This test is run only if the targeted domain controller is running the Microsoft DNS Server service.
- Forwarders and root hints are not used to resolve _ldap._tcp.dc._msdcs.<forest root domain> locator records on forest root domain controllers.
/DnsForwarders errors
Error: Forwarders list has invalid forwarder: <IP address of the forwarder>
  Additional information: The specified IP address is unreachable or is not answering DNS queries
Error: Both root hints and forwarders are not configured. Please configure either forwarders or root hints
  Additional information: The tested DNS server is not a root server, but it is not configured to perform any external name resolution
Error: Root hints list has invalid root hint server: <IP address of root hint server>
  Additional information: The configured root hint servers are not reachable or are not answering DNS queries
Error: Enumeration of root hint servers failed on DNS server <server name>
  Additional information: The test could not list the root servers on the target DNS server
Delegation test
Syntax: /DnsDelegation
Tests performed
- Is the delegated name server a functioning DNS server?
- Are there broken delegations?
- Verifies that the host record can be resolved for each listed name server (NS) record
Notes
- This test is run only if the targeted domain controller is running the Microsoft DNS Server service.
/DnsDelegation warnings
Warning: DNS server: <DNS server name> IP: <IP address> Failure: Missing glue (A) record
  Additional information: Cannot resolve the host record for the specified delegated name server
/DnsDelegation errors
DNS server: <server name> IP: <IP address> Error: Broken delegation
  Additional information: The name server specified by the delegation cannot resolve zone records or is not responding to DNS queries
DNS server: <server name> IP: <IP address> Error: Broken delegated domain <delegated domain name>
Error: Failed to enumerate the records at the zone root on the server
Dynamic update test
Syntax: /DnsDynamicUpdate
Tests performed
- Is the domain controller’s DNS zone configured to accept secure dynamic updates?
- Can _dcdiag_test_record be registered on the current DNS server?
- Deletes the test registration record
/DnsDynamicUpdate warnings
Warning: Dynamic update is enabled on the zone <zone name> but not secure
  Additional information: Non-secure dynamic update acceptance is a critical security risk
Warning: Failed to add test record _dcdiag_test_record with error <error code> in zone <zone name>
  Additional information: Permission to add the test record was denied
Warning: Failed to delete test record _dcdiag_test_record with error <error code> in zone <zone name>
  Additional information: Permission to delete the test record was denied
/DnsDynamicUpdate errors
Error: Dynamic update is not enabled on the zone <zone name>
  Additional information: Dynamic update is not enabled on the Active Directory zone. Therefore, the client cannot register its records
Record registration test
Syntax: /DnsRecordRegistration
Tests performed
- Are service locator (SRV) resource records for each network service registered on all configured DNS servers?
  - DSA GUID CNAME
  - _ldap
  - _gc
  - _pdc
/DnsRecordRegistration warnings
Warning: Missing D DNS server record n
/DnsRecordRegistration errors
Error: Missing A record
Error: Missing CNAME server
Note: To reregister SRV records, restart the Netlogon service or run NETDIAG /fix. To correct stale records, rename Netlogon.dns and Netlogon.dnb in %SystemRoot%\System32\Config.
Correcting /DnsRecordRegistration errors
- The Dynamic Host Configuration Protocol (DHCP) Client service is required to dynamically register host (A) records.
- The DHCP Client service is still required on statically addressed computers.
- IPCONFIG /registerdns reregisters A records on demand.

Correcting /DnsRecordRegistration errors (2)
- The Netlogon service registers all service locator (SRV) resource records.
- To correct stale records, rename Netlogon.dns and Netlogon.dnb in %SystemRoot%\System32\Config.
- To reregister SRV records, restart the Netlogon service or run NETDIAG /fix.
External name resolution test
Syntax: /DnsResolveExtName
Tests performed
- Tests name resolution outside the Active Directory forest. The default query is for www.microsoft.com. An alternative target can be specified by using /DnsInternetName.
Notes
- The external name test is not run unless the test is specified.
- External name resolution fails if Internet proxies are present.

/DnsResolveExtName errors
Error: Internet name cannot be resolved
Performance factors for DCDIAG /TEST:DNS
DCDIAG /TEST:DNS performance issues
- Offline domain controllers
- Offline DNS servers
- Clients that point to invalid DNS servers
- DNS servers that have invalid forwarders and delegations
Effect
- DCDIAG waits the RPC time-out number of seconds for a response to each test
- Exponential delays in DCDIAG runtime

Performance factors for DCDIAG /TEST:DNS (2)
Real-world performance
- About 4.1 to 4.5 domain controllers per minute over “fast” wide area network (WAN) links.
- DCDIAG /e may not be appropriate in forests that contain 1000 domain controllers.
- DCDIAG /TEST:DNS has been run in forests that contain 200 to 400 domain controllers.
Enterprise DNS infrastructure errors
Error: Delegation is not configured on the parent domain
  Additional information: Delegation should be configured from the parent to the subordinate domain
Error: Delegation is present but the glue record is missing
  Additional information: Delegation is configured; the host record cannot be resolved for one or more NS records
Error: Forwarders are misconfigured from parent domain to subordinate domain
  Additional information: Forwarders should point “up” the namespace rather than “down”
Error: Root hints are misconfigured from parent domain to subordinate domain
  Additional information: Root hints should point “up” the namespace rather than “down”
Error: Forwarders are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details)
  Additional information: Configured forwarders are unavailable, cannot resolve the requested records, or are not responding to DNS queries
Error: Root hints are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details)
  Additional information: Configured root hints are unavailable, cannot resolve the requested records, or are not responding to DNS queries
Strategies to help interpret /TEST:DNS output
- Run DCDIAG /TEST:DNS /v /f:filename /e
- Load the report in Notepad or your preferred text editor
- A multiple-monitor system (Multimon) or a split screen provides the optimal viewing environment: the primary monitor or pane focuses on the summary table, and the secondary monitor or pane focuses on the breakout section of each failing domain controller

Strategies to help interpret /TEST:DNS output (2)
- Review the summary table near the bottom of the DCDIAG log file.
- Locate domain controllers that reported failure or warning status in the summary table.
- Find the breakout section for a problem domain controller by searching for “DC: DCName”.
- Make the required configuration changes on DNS clients and DNS servers.
- Run DCDIAG /TEST:DNS again with the /e or /s switch to validate DNS health.
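As an added example (not from the webcast or from the DCDIAG tool itself), a Python script that applies the strategy above to a DCDIAG /TEST:DNS /v /e log: it parses the summary table, lists the domain controllers with FAIL or WARN status, and extracts the “DC: DCName” breakout section for each. The embedded log text, the column order and the status strings are constructed approximations of the tool's output, not captured from it.

```python
import re

# Constructed sample of a DCDIAG /TEST:DNS /v /e log. The layout approximates the
# tool's breakout sections and summary table; it is not captured output.
SAMPLE_LOG = """\
   DC: dc1.contoso.com
      Domain: contoso.com
   DC: dc2.contoso.com
      Domain: contoso.com
      TEST: Basic (Basc)
         Error: all DNS servers are invalid
      TEST: Dynamic update (Dyn)
         Warning: Dynamic update is enabled on the zone contoso.com but not secure
   Summary of DNS test results:
                                 Auth Basc Forw Del  Dyn  RReg Ext
      Domain: contoso.com
         dc1                     PASS PASS PASS PASS PASS PASS n/a
         dc2                     PASS FAIL PASS PASS WARN PASS n/a
"""

# One column per sub test, in the order the summary table prints them (assumed).
COLUMNS = ["Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext"]
STATUSES = {"PASS", "WARN", "FAIL", "n/a"}


def parse_summary(log):
    """Return {dc_name: {column: status}} from the summary table near the end of the log."""
    results = {}
    lines = log.splitlines()
    start = next((i for i, l in enumerate(lines) if "Summary of DNS test results" in l), None)
    if start is None:
        return results  # no summary table: the run did not complete
    for line in lines[start + 1:]:
        parts = line.split()
        # A result row is a DC name followed by exactly one status per column.
        if len(parts) == len(COLUMNS) + 1 and all(p in STATUSES for p in parts[1:]):
            results[parts[0]] = dict(zip(COLUMNS, parts[1:]))
    return results


def problem_dcs(summary):
    """Map each DC that reported FAIL or WARN to the sub tests that did so."""
    bad = ("FAIL", "WARN")
    return {dc: [col for col, status in tests.items() if status in bad]
            for dc, tests in summary.items() if any(s in bad for s in tests.values())}


def breakout_section(log, dc_name):
    """Return the 'DC: <name>' breakout block for one DC (the block the slides say to search for)."""
    pattern = (r"^[ \t]*DC: " + re.escape(dc_name) + r"(?:\.\S*)?\n.*?"
               r"(?=^[ \t]*DC: |^[ \t]*Summary of DNS test results)")
    m = re.search(pattern, log, re.MULTILINE | re.DOTALL)
    return m.group(0).strip() if m else ""
```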
Known issues
- DCDIAG /TEST:DNS does not perform comprehensive best practices checks. No warnings or errors will be logged for single-point-of-failure configurations such as a single defined DNS resolver, forwarder, or delegation.
- Servers that are targeted by the DCDIAG /TEST:DNS tool must be registered in WINS to be discovered by the tool.

Known issues (2)
- In child domains, any configured root hint or forwarders will be tested for resolution of root domain records. This test will occur even if a copy of the root zone, a stub zone, or a conditional forwarder is hosted locally. DCDIAG /TEST:DNS will report an error when these external servers cannot resolve the forest root domain.

Known issues (3)
- DCDIAG /TEST:DNS /DnsBasic does a pointer (PTR) query for the loopback address against each listed forwarder or root hints server. BIND or other third-party DNS servers that do not configure the loopback zone will return “name does not exist.” DCDIAG /TEST:DNS interprets this response as INVALID, the query fails, and you receive the following message:

   DNS server: 192.168.2.1 ()
   6 test failures on this DNS server
   This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.2.1
   [Error details: 9002 (Type: Win32 - Description: DNS server failure.)]

Known issues (4)
- In environments that are configured by using the Branch Office Deployment Guide and that have the DNSAvoidRegisterRecord registry key set, each server that has the key set will generate WARN messages when the server is examined by the /DnsRecordRegistration test.
- If the primary DNS resolver is set to 127.0.0.1 (loopback), DCDIAG /TEST:DNS will report errors for the /DnsRecordRegistration test. 127.0.0.1 is the default configuration when Windows Server 2003 DCPROMO configures DNS automatically. To correct the reported error, change the DNS resolver from the loopback address to the actual IP address of the local computer.
Thank you for joining us for today’s event. For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), visit the Support WebCast site at http://support.microsoft.com/WebCasts/. We sincerely appreciate your feedback. Please submit any comments or suggestions about the Support WebCasts on the “Contact Us” page of the Support Web site at http://support.microsoft.com/servicedesks/webcasts/feedback.asp.
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.