
DNS : Troubleshooting - Part 1

SUNDAY, OCTOBER 17, 2010


1. TCP/IP Configuration Points to Public DNS Servers
A correct TCP/IP configuration is the foundation of reliable communication on a network. Check the TCP/IP configuration twice or thrice to make sure everything is configured properly. Try pinging the other servers on the network by name (not by IP address). Try NSLOOKUP and check whether name resolution is working correctly. If NSLOOKUP gives any errors, check the A records and PTR records for that server. Make sure the DNS server is working correctly and that the correct DNS server is configured on the server you are working on.
2. Improper DNS Suffix Handling
If your computer is multi-homed (connected to multiple networks), make sure the DNS suffix is configured correctly on the correct interface. That is, on each computer only one interface is configured with the suffix, because each network has only one DNS server and that interface is the one that communicates with it. So make sure the interface that communicates with the DNS server is configured with the correct suffixes, in the correct order. These suffixes are used when you access a server on the network by its NetBIOS name rather than by its entire domain name. Because of this configuration you can reach the server by its NetBIOS name alone; there is no need to give the entire DNS name, e.g. server1.subdomain.domain.com. But simply you can access the
3. Improperly Configured Forwarding
Forwarder configuration is a must for each and every DNS server, because forwarders handle all the requests that the DNS server cannot answer itself. Requests that do not relate to the internal network are also handled only by forwarders. So make sure the correct forwarder is configured on the DNS server in your environment. Basically these are provided by your Internet service provider.
4. Improper DNS Configuration
In Windows 2000/2003/2008 the DNS configuration is handled automatically by DCPROMO itself. When you install AD on a standalone server, the DNS server application is installed and configured automatically as part of the process. Sometimes we may need to configure the DNS server manually. In that case we may forget to create some service locator (SRV) records or other records that are required for DNS to work properly. We can fix these types of problems with the "netdiag /fix" command.
5. Failure to Verify Dynamic Update of Resource Records
The SOA record is very important in multi-DNS-server environments. The primary DNS server sends DNS updates automatically to the secondary DNS server depending on the serial number in the SOA record. Whenever any update happens on the DNS server, the SOA serial number is incremented. This number should be the same on both DNS servers; that is how we confirm that both servers are in sync. Sometimes, due to communication problems between primary and secondary, these updates do not sync. Make sure both servers can ping each other.

Understanding DNS : Part - II


THURSDAY, OCTOBER 7, 2010
Hi Guys,
In my previous discussion about Understanding DNS, you learned most of the basic things related to DNS. In this post I want to elaborate more about DNS. Let's start...
DNS Records
There are many records associated with a DNS server, and the name resolution process does not work properly without them. As you know, the main purpose of a DNS server is to resolve host names to IPs and vice versa.

• A Record : Contains an IP address. It is used to resolve a host name to an IP address.
• PTR Record : Pointer record, contains a host name. It is used to resolve an IP address to a host name.
• CNAME Record : Alias of an A record. It is used to give multiple names to a single host, which means the same host is able to provide multiple services. In that case, to separate the services and address each one, we give a different name to each service. Even though these services are hosted on a single server, we can send our request to the target service by name; the CNAME record is what identifies that service on that server.
• MX Record : Identifies the mail server in a DNS domain (for that organization).
• NS Record : Identifies the DNS server in a DNS domain (for that organization).
• SRV Record : This record is created when we install a service which is DNS dependent. It is generated automatically and is associated with a specific IP address. It is called a Service record.
• SOA Record : Start of Authority record. This record is not associated with any IP address; it is associated with a number, the serial number, which identifies the update. Whatever the update and whenever it is done, this number is incremented.
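As an added example (not code from the original post), the following Python script decodes DNS answers in wire format for the record types listed above and uses the SOA serial to perform the check from point 5 of the troubleshooting post above: the serial must match on the primary and the secondary. The responses it parses are constructed inline rather than captured from a real server; corp.example., server1, mail, ns1 and hostmaster are made-up names, and the serials are constructed values.

```python
import struct

# Record type codes from RFC 1035 (SRV is RFC 2782).
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 33: "SRV"}

def encode_name(name):
    """Encode 'corp.example.' as length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # pointer to a name earlier in the message
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)

def build_response(qname, qtype, answers, txn_id=0x1234):
    """Constructed reply: one question plus answers given as (owner, type, rdata)."""
    header = struct.pack("!HHHHHH", txn_id, 0x8400, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answers:
        owner_bytes = b"\xC0\x0C" if owner == qname else encode_name(owner)  # compress
        body += owner_bytes + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return header + body

def soa_rdata(mname, rname, serial, refresh=3600, retry=600, expire=86400, minimum=300):
    return encode_name(mname) + encode_name(rname) + struct.pack(
        "!IIIII", serial, refresh, retry, expire, minimum)

def parse_rdata(msg, rtype, offset, length):
    """Decode RDATA for the record types the post lists."""
    if rtype == 1:                                   # A: four raw octets
        return ".".join(str(b) for b in msg[offset:offset + 4])
    if rtype in (2, 5, 12):                          # NS, CNAME, PTR: a domain name
        return read_name(msg, offset)[0]
    if rtype == 15:                                  # MX: preference + exchange name
        return struct.unpack("!H", msg[offset:offset + 2])[0], read_name(msg, offset + 2)[0]
    if rtype == 6:                                   # SOA: two names + five counters
        mname, pos = read_name(msg, offset)
        rname, pos = read_name(msg, pos)
        serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[pos:pos + 20])
        return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
                "retry": retry, "expire": expire, "minimum": minimum}
    return msg[offset:offset + length].hex()         # anything else: raw hex

def parse_response(msg):
    """Return [(owner, type name, decoded rdata), ...] from the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, records = 12, []
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4                                  # skip QTYPE and QCLASS
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append((owner, TYPES.get(rtype, rtype), parse_rdata(msg, rtype, offset, rdlength)))
        offset += rdlength
    return records

def soa_serial(msg):
    for _, rtype, rdata in parse_response(msg):
        if rtype == "SOA":
            return rdata["serial"]
    raise ValueError("no SOA record in the answer section")

def zone_in_sync(primary_msg, secondary_msg):
    """Point 5 of the troubleshooting post: the serial must match on both servers."""
    return soa_serial(primary_msg) == soa_serial(secondary_msg)

# Constructed samples: the primary answers with A, CNAME, MX and SOA records,
# while the secondary still carries the previous SOA serial.
ZONE = "corp.example."
PRIMARY = build_response(ZONE, 255, [
    ("server1." + ZONE, 1, bytes([10, 0, 0, 5])),
    ("mail." + ZONE, 5, encode_name("server1." + ZONE)),
    (ZONE, 15, struct.pack("!H", 10) + encode_name("mail." + ZONE)),
    (ZONE, 6, soa_rdata("ns1." + ZONE, "hostmaster." + ZONE, 2010101701)),
])
SECONDARY = build_response(ZONE, 6, [(ZONE, 6, soa_rdata("ns1." + ZONE, "hostmaster." + ZONE, 2010101700))])

if __name__ == "__main__":
    for record in parse_response(PRIMARY):
        print(record)
    print("zone in sync:", zone_in_sync(PRIMARY, SECONDARY))
```

Against a live server you would feed `soa_serial` the raw bytes of an SOA query answer from each server (for example captured with a UDP socket or a packet capture); the parser only needs the question and answer sections, so a response with additional authority or additional records still decodes as long as the SOA sits in the answer section.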

These are the records associated with each and every server in the world. A fact is that "DNS is the biggest database in the world and the only one that gets updated every second". This database is not located in a single place; it is spread across the world in different places such as different companies, different ISPs, different homes, etc. The name resolution process is explained in my previous post, Understanding DNS. That is the reason why a DNS request goes to different locations to get the correct answer.
In my next article related to DNS, I will discuss HOW TO TROUBLESHOOT DNS PROBLEMS. KEEP VISITING OR SUBSCRIBE NOW TO GET THE LATEST POST UPDATES.
Active Directory : Schema
WEDNESDAY, SEPTEMBER 22, 2010

Hi Guys,
It's been a very long time since my last Windows related post. Today I want to present something about the AD Schema, a very important concept behind Active Directory. Without the schema there is no Active Directory.
What is Schema?
The schema is a collection of objects, object classes and their attributes. In the image above, Administrator is a user object in Active Directory, and the properties of that user object are called attributes. Here Remote Control is an attribute and COM+ is an attribute. Further, every attribute again has more attributes; for example, the Dial-in attribute has Allow Access, Deny Access and so on.... This is simply what we call the Schema.
This is good enough about the schema, and this schema is embedded in Active Directory. Whenever an object is created in Active Directory, all its attribute information is stored in AD itself. Now the question is...
Where is this information stored?
It is stored only in the DIT (Data Information Tree) file, which is internally subdivided into partitions, and the Schema Partition is one of them. The Active Directory database contains 3 partitions, as follows..
Schema partition - Defines the rules for object creation and modification for all objects in the forest. Replicated to all domain controllers in the forest, it is known as an enterprise partition.
Configuration partition - Defines information about the forest directory structure, including trees, domains, domain trust relationships, and sites (TCP/IP subnet groups). Replicated to all domain controllers in the forest, it is known as an enterprise partition.
Domain partition - Has complete information about all domain objects (objects that are part of the domain, including OUs, groups, users and others). Replicated only to domain controllers in the same domain.
Partial domain directory partition - Has a list of all objects in the directory with a partial list of attributes for each object.
Well, very nice. Another question is.....
What happens to the schema whenever I install a new application like Exchange or SQL into my Active Directory?
If you read the documentation for the respective application, it will describe extending the schema before installing that application. That means the objects and their attributes related to that specific application are added to the Schema Partition of the DIT file before the application itself is installed, which reduces the chance of functional errors in that application. This is done simply using switches such as "Setup.exe /ADprep", "Setup.exe /Forestprep" etc.
Super, fantastic... one last question is.....
How is this Schema replicated?
As mentioned above, it is replicated to all DCs in the forest. We can replicate only the Schema Partition using the replmon tool, so that we can confirm that each and every object and its attributes are replicated to all the DCs. If we get any errors in the replication, then we look into them to troubleshoot.
In the image beside, notice there is a partition named CN=Schema,CN=Configuration. It is the Schema Partition, and the others are the Domain, Configuration and DNS partitions. You can replicate them individually if you want by right clicking on each partition to the London and New York Sites.
How to Manage Schema?
By default there is no management console added to the Administrative Tools. If you want to have a look at the schema, you first need to register a DLL using "regsvr32 schmmgmt.dll", and then open a blank Microsoft Management Console from the Run prompt using the "mmc" command. In the MMC, click on the File menu and select Add/Remove Snap-in. There you will find the Schema Management option; select it and click on Add. Save the console as Schema Management to your Administrative Tools folder or Desktop. That is your AD schema.

DHCP : Dynamic Host Configuration Protocol


MONDAY, JULY 26, 2010
Hi Friends,
Let's support our organizations with a simple way of IP management. DHCP stands for Dynamic Host Configuration Protocol.
Dynamic = Automatic
Host Configuration = Basic Network Configuration
Protocol = Rules which need to be followed to make this happen.

DHCP is an application which is installed either on a Windows Server operating system or on a UNIX OS to serve an enterprise in the aspect of IP configuration and management. Its main goal is to provide and configure the client computers with a specific IP configuration to enable identification and communication on the network. Prior to DHCP another protocol was used, called BOOTP. BOOTP (Boot Protocol) has only one feature, which is reservation. So administrators who worked with BOOTP needed to collect all the MAC addresses and write them down in a notepad to enable the use of BOOTP. After writing down all the MAC addresses, the same had to be added to the BOOTP table with the corresponding IP addresses. That makes a lot of work for administrators: even though it is an automated process, admins needed to work a lot to get the MAC addresses of all the machines on the network. Later it gained a lot of improvements to serve the network and became DHCP.

How to Install and Configure DHCP?


It is a very simple and straightforward process. First you need to install the application from Add/Remove Windows Components. After installing, you will have a console in the Administrative Tools. Instead of giving a lot of steps, I will post a simple 7-minute video; just watch it for a better understanding of this concept.
Video Link
Now you are ready with your DHCP server installed and configured, so let's talk about why and how it is used. As I said previously, it is used for automatic assignment of IP addresses to client computers which are on the same network as the DHCP server. This is the way it is used. Whenever a computer is powered on, it checks its own network configuration; if it is configured with a manual IP address, the machine broadcasts a message that it was powered on. If it is configured to get the IP automatically, then the machine broadcasts a message in search of a DHCP server. Then the process starts. It is simply called the "DORA" process.
D = Discovery – The client machine sends a request to discover a DHCP server.
O = Offer – The respective DHCP server offers the IP configuration.
R = Received – The client receives the IP configuration.
A = Acknowledgement - The client acknowledges that it has received the IP configuration.
Once the client gets the IP configuration, it broadcasts another message to all other clients on the network with its identity.
Interview Questions related to DHCP
1. Explain the DORA process
2. What is an exclusion range and reservation?
An exclusion range is a range of IP addresses which needs to be excluded from the DHCP scope, so that these IPs are never assigned automatically. A reservation is an IP address that is reserved for a server every time it boots up, and it is done using the MAC address of that server. Before configuring reservations, we need to exclude those addresses from the DHCP scope.
3. How do you configure the AD Server, DNS Server, IIS Server and FTP Server using the DHCP server?
Using reservations only, so that every time the same address is assigned to the server. If you take a DNS server, it should have the same IP all the time, because it is responsible for name resolution on that network. If the IP address changes every time, it is very difficult for the clients that request name resolution. That is the reason it should have the same IP all the time, and we can do that automatically using reservations.
4. What is a DHCP relay agent?
A DHCP relay agent is an option configured on the DHCP server which enables client machine requests to go through the routers. That means, if the DHCP server is in one network and the client is in another network, these networks are connected by routers. By default the routers will never allow the DHCP packets through them; by configuring this option, these requests will pass between the two networks.
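The following Python simulation is an added example, not code from the post. It builds and parses DHCP messages in the RFC 2131 wire format and runs the DORA exchange against a toy scope that honours exclusion ranges and MAC-based reservations, which is what interview questions 2 and 3 above describe. In RFC 2131 terms the four messages are DHCPDISCOVER, DHCPOFFER, DHCPREQUEST and DHCPACK (option 53 values 1, 2, 3 and 5), and a server that will not grant the requested address answers DHCPNAK (6). The exchange happens in-process rather than over UDP ports 67/68; the scope range, exclusion range, MAC addresses, server identifier and lease time are all constructed values.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"                  # RFC 2131 marker before the options
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 message types
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"                 # 236-byte fixed part of the message

def packed(ip):
    return ipaddress.IPv4Address(ip).packed

def build_packet(op, xid, mac, yiaddr, options):
    """Assemble a DHCP message; options maps option code -> raw value bytes."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack(FIXED, op, 1, 6, 0, xid, 0, 0x8000, b"\x00" * 4, packed(yiaddr),
                        b"\x00" * 4, b"\x00" * 4, chaddr, b"\x00" * 64, b"\x00" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return fixed + MAGIC_COOKIE + opts + b"\xff"   # 0xff = end option

def parse_packet(data):
    """Decode the fields the toy server and client need, plus all TLV options."""
    f = struct.unpack(FIXED, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                             # pad option, no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "mac": f[11][:6].hex(":"), "options": options}

class Scope:
    """A DHCP scope with exclusion ranges and MAC-based reservations."""

    def __init__(self, start, end, exclusions=(), reservations=None, server_id="10.0.0.1"):
        def span(lo, hi):
            return [str(ipaddress.IPv4Address(a)) for a in
                    range(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)) + 1)]
        self.pool = span(start, end)
        self.excluded = {ip for lo, hi in exclusions for ip in span(lo, hi)}
        self.reservations = dict(reservations or {})   # mac -> reserved ip
        self.leases = {}                                 # mac -> leased ip
        self.server_id = server_id

    def choose(self, mac):
        """Reservation first, then the existing lease, then the first free address."""
        if mac in self.reservations:
            return self.reservations[mac]
        if mac in self.leases:
            return self.leases[mac]
        taken = self.excluded | set(self.reservations.values()) | set(self.leases.values())
        for ip in self.pool:
            if ip not in taken:
                return ip
        raise RuntimeError("scope exhausted")

    def handle(self, data):
        """Server side of DORA: DISCOVER -> OFFER, REQUEST -> ACK or NAK."""
        req = parse_packet(data)
        mtype = req["options"][53][0]
        common = {54: packed(self.server_id), 51: struct.pack("!I", 8 * 3600)}  # server id, lease
        if mtype == DISCOVER:
            return build_packet(2, req["xid"], req["mac"], self.choose(req["mac"]),
                                {53: bytes([OFFER]), **common})
        if mtype == REQUEST:
            wanted = str(ipaddress.IPv4Address(req["options"][50]))
            if wanted != self.choose(req["mac"]):     # excluded, reserved for someone else, or leased
                return build_packet(2, req["xid"], req["mac"], "0.0.0.0", {53: bytes([NAK])})
            self.leases[req["mac"]] = wanted
            return build_packet(2, req["xid"], req["mac"], wanted, {53: bytes([ACK]), **common})
        raise ValueError("unsupported message type %d" % mtype)

def dora(scope, mac, xid=0x3903F326):
    """Client side of DORA; returns the acknowledged address, or None on NAK."""
    offer = parse_packet(scope.handle(build_packet(1, xid, mac, "0.0.0.0", {53: bytes([DISCOVER])})))
    request = build_packet(1, xid, mac, "0.0.0.0",
                           {53: bytes([REQUEST]), 50: packed(offer["yiaddr"]), 54: offer["options"][54]})
    ack = parse_packet(scope.handle(request))
    return ack["yiaddr"] if ack["options"][53][0] == ACK else None

if __name__ == "__main__":
    demo = Scope("10.0.0.10", "10.0.0.20", exclusions=[("10.0.0.10", "10.0.0.12")],
                 reservations={"00:11:22:33:44:55": "10.0.0.15"})
    print("workstation:", dora(demo, "aa:bb:cc:dd:ee:01"))
    print("reserved server:", dora(demo, "00:11:22:33:44:55"))
```

The allocator never hands a reserved address to another client, which is the effect the post asks you to achieve by excluding reserved addresses from the scope; the NAK branch is what a client sees when it asks for an address the server will not grant.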

Windows 2008 Server Roles : Different Faces


TUESDAY, AUGUST 17, 2010
Active Directory Certificate Services (AD CS) : AD CS role services install on a number of operating systems, including Windows Server 2008, Windows Server 2003, and Windows 2000 Server. Naturally, the fullest implementation of AD CS is only possible on Windows Server 2008. You can deploy AD CS as a single standalone certification authority (CA), or you can deploy multiple servers and configure them as root, policy, and certificate issuing authorities. You also have a variety of Online Responder configuration possibilities.
Active Directory Domain Services (AD DS) : This is the role in the Windows Server 2008 operating system that stores information about users, computers, and other resources on a network. AD DS is also used by directory-enabled applications such as Microsoft Exchange Server. AD also stores all the information required for Group Policy.
Active Directory Federation Services (AD FS) : AD FS employs technology that allows users, over the life of a single online session, to securely share digital identity and entitlement rights, or "claims," across security and enterprise boundaries. This role, introduced and supported on all operating systems since Microsoft Windows Server 2003 R2, provides Web Single Sign-On (SSO) services that allow a user to access multiple related Web applications.

Active Directory Lightweight Directory Services (AD LDS) : This service is ideal if you are required to support directory-enabled applications. AD LDS is a Lightweight Directory Access Protocol (LDAP) compliant directory service.
Active Directory Rights Management Services (AD RMS) : This service augments an organization's security strategy by protecting information through persistent usage policies. The key to the service is that the rights management policies are bound to the information no matter where it resides or where it is moved. AD RMS is used to lock down documents, spreadsheets, e-mail, and so on, so that they cannot be infiltrated or end up in the wrong hands. AD RMS, for example, prevents e-mails from being accidentally forwarded to the wrong people.
The Application Server role : This role supports the deployment and operation of custom business applications that are built with the Microsoft .NET Framework. The Application Server role lets you choose services for applications that require COM+, Message Queuing, Web services, and Distributed Coordinated Transactions.
DHCP and DNS : These two roles install the two critical network services required for every network. They support Active Directory integration and IPv6.
Fax Server role : The fax server lets you set up a service to send and receive faxes over your network. The role creates a fax server and installs the Fax Service Manager and the Fax service on the server.
File Server role : This role lets you set up all the bits, bells, and whistles that come with a Windows file server. It also lets you install Share and Storage Management, the Distributed File System (DFS), the File Server Resource Manager application for managing file servers, Services for Network File System (NFS), and Windows File Services, which include the File Replication Service (FRS), and so on.
Network Policy and Access Services : This provides the following network connectivity solutions: Network Access Protection (NAP), the client health policy creation, enforcement, and remediation technology; secure wireless and wired access (802.1X), wireless access points, remote access solutions, virtual private network (VPN) services, RADIUS, and more.
Print Management role : The print services provide a single interface that you use to manage multiple printers and print servers on your network.
Terminal Services role : This service provides technologies that enable users to access Windows-based programs that are installed on a terminal server. Users can execute applications remotely (they still run on the remote server) or they can access the full Windows desktop on the target server.
Universal Description, Discovery, and Integration (UDDI) : UDDI Services provide capabilities for sharing information about Web services. UDDI is used on the intranet, between entities participating in an extranet, or on the Internet.
Web Server role : This role provides IIS 7.0, the Web server, ASP.NET, and the Windows Communication Foundation (WCF).
Windows Deployment Services : These services are used for the deployment of new computers in medium to large organizations.
Hyper-V Role : A hypervisor platform to host and manage virtual machines in an efficient way. Introduced in Windows 2008.

Note : Windows 2008 is available only in 64-bit for production environments. For demo purposes you can download the 32-bit version.
How to monitor replication between sites?
TUESDAY, AUGUST 3, 2010
Hi Friends,
In the previous posts I discussed Active Directory replication. In this post I want to talk about monitoring the replication traffic between AD sites.
The Active Directory database is made up of 3 naming contexts or partitions.
1. Schema Partition :
The schema container defines the objects (such as users) and attributes (such as telephone numbers) that can be created in Active Directory, and the rules for creating and manipulating them. Schema information (which attributes are mandatory for object creation, what additional attributes can be set, and what attribute data types are used) is replicated to all domain controllers to ensure that objects are created and manipulated in accordance with the rules.
2. Configuration Partition :
The configuration container includes information about the Active Directory as a whole: what domains exist, what sites are available, what domain controllers are running in the particular sites and domains, and what additional services are offered. All enterprise domain controllers need this information to make operational decisions (such as choosing replication partners), so it is replicated to all of them.
3. Domain Partition :
A domain naming context holds objects such as users, groups, computers, and organizational units. A full domain naming context replica contains a read-write replica of all information in the domain: all objects and attributes. A domain controller holds a full replica of its domain naming context. A partial domain naming context replica contains a read-only subset of the information in the domain: all objects, but only selected attributes. A domain controller that is a global catalog (GC) server contains a partial replica of every other domain in the forest (and a full replica of its own domain).
There are some specific tools developed by Microsoft to initiate, monitor and troubleshoot the replication traffic.
• replmon - a GUI tool used to monitor replication at the partition level; you can run it from the Windows Resource Kit Tools / Windows Support Tools.
• repadmin - a command line utility to initiate replication, find replicas, create site links etc.; you can run it from the Windows Resource Kit Tools / Windows Support Tools.
• dcdiag - a command line utility to diagnose communication problems between DCs (sites).
• netdiag - a command line utility to diagnose network problems in a domain environment.

Active Directory : Replication

MONDAY, AUGUST 2, 2010
Hi Friends,
Welcome Back !!!! :)
In the previous post I discussed something about Active Directory and the files associated with it. In this post I want to tell you about the magic behind Active Directory replication.
What is meant by Replication?
Replication is the process of making a replica (a copy) of something; a replica is a copy. Using the replication process we can copy the Active Directory database from one site to another site. This process is initiated when we create an additional domain controller for the existing domain. That means we are creating a backup/secondary copy of the original domain controller to make sure it is available in the case of failures.
How does the Replication happen in Windows Server?
After the replica of Active Directory is implemented, from then on every change that is made to the primary copy is replicated to the secondary. When you implement a replica for the first time, all the objects from the Primary Domain Controller are copied over to the Secondary Domain Controller as part of the process. At this point both DCs are in a synchronized state. When a new object is created in or deleted from the Primary DC, the same is copied to the Secondary DC immediately. Remember, in Windows 2003/2008 the Secondary DCs are always read-only copies. In the situation of a failure of the Primary DC, we can change the Secondary DC into a read/write copy. When the Secondary DC is acting as a read-only copy, it does not allow us to create or delete objects. It only updates its information from the Primary DC. This was implemented in this way to avoid conflicts in the objects. Every object has a property called USN (Update Sequence Number); depending on this attribute the Secondary DC identifies whether updates are available or not. For example, if for a user object the USN is 124 on the Primary DC and 123 on the Secondary DC, then the Secondary DC requests the Primary DC to send the updated information. In this way both DCs are in sync all the time. If one of the DCs goes down, we still have the updated information in the other.
If you are creating the replica in the same location as the Primary, there is no issue at all in the replication process, but if you are creating the replica in a branch office location there might be some problems associated with the design. You can manage inter-site (between sites) or intra-site (same site) replication using AD Sites and Services. A site is a collection of computers which work together in the same IP subnet. Replication is controlled by the Site Link objects created between the sites. We can schedule the replication process and the replication interval using the Site Link properties. The Site Links are "automatically generated" by the ISTG (Intra Site Topology Generator). KCC (Knowledge Consistency Checker) is the part of ISTG which generates Site Link objects for inter-site replication. If for any reason the automatically generated site links are not working, we can create them manually using the repadmin /kcc command.
If you have multiple domain controllers (multiple copies) in each site, the replication process consumes a high amount of bandwidth. To avoid this, every site must have only one domain controller acting as the replication partner. It is called the Bridgehead server. This bridgehead server then sends the updates to the other DCs located in its site. In the image, the server in Russia is acting as Bridgehead for the server in Germany (think of it as Russia's second server).

By right clicking on a site link and selecting "replicate now" you can initiate replication between the domain controllers in the same site or in different sites.
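To make the USN comparison above concrete, here is an added Python model (not the post's own material, and far simpler than real Active Directory replication) of two domain controllers where the secondary pulls only the changes whose USN on the primary is above the high-watermark it remembers for that partner. That is why a repeated pull transfers nothing and why a single attribute change costs one object, not a full copy. Object names and attribute values are constructed.

```python
class DomainController:
    """Toy replica: objects stamped with a local USN plus a per-partner watermark."""

    def __init__(self, name):
        self.name = name
        self.highest_usn = 0      # DC-wide Update Sequence Number counter
        self.objects = {}         # dn -> {"attrs": {...}, "usn": int}
        self.watermark = {}       # partner name -> highest partner USN already applied

    def write(self, dn, **attrs):
        """Local create or modify: every write bumps the USN and stamps the object."""
        self.highest_usn += 1
        obj = self.objects.setdefault(dn, {"attrs": {}, "usn": 0})
        obj["attrs"].update(attrs)
        obj["usn"] = self.highest_usn
        return self.highest_usn

    def changes_since(self, usn):
        """Objects changed after the given USN, oldest first (what a partner asks for)."""
        return sorted((o["usn"], dn, dict(o["attrs"]))
                      for dn, o in self.objects.items() if o["usn"] > usn)

    def pull_from(self, partner):
        """Replicate: fetch only what is newer than our watermark for that partner."""
        last = self.watermark.get(partner.name, 0)
        applied = 0
        for usn, dn, attrs in partner.changes_since(last):
            self.highest_usn += 1                 # applying a change is a local write too
            self.objects[dn] = {"attrs": attrs, "usn": self.highest_usn}
            last = usn
            applied += 1
        self.watermark[partner.name] = last
        return applied


def in_sync(a, b):
    """True when both replicas hold the same objects with the same attribute values."""
    return ({dn: o["attrs"] for dn, o in a.objects.items()}
            == {dn: o["attrs"] for dn, o in b.objects.items()})


if __name__ == "__main__":
    primary, secondary = DomainController("PRIMARY"), DomainController("SECONDARY")
    primary.write("CN=Alice,OU=Users", sAMAccountName="alice", telephoneNumber="100")
    primary.write("CN=Bob,OU=Users", sAMAccountName="bob")
    print("initial pull applied", secondary.pull_from(primary), "objects")
    print("second pull applied", secondary.pull_from(primary), "objects")
    primary.write("CN=Alice,OU=Users", telephoneNumber="101")
    print("after one change applied", secondary.pull_from(primary), "object; in sync:",
          in_sync(primary, secondary))
```

Note that each DC keeps its own USN sequence, so the object's USN on the secondary is not the same number as on the primary; what the secondary remembers is the partner's USN it last applied, which matches the 124-versus-123 comparison the post describes.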

How to join a computer to the domain which is in a different network (VLAN)?

MONDAY, AUGUST 2, 2010


This is a real-time environment requirement. Let's see how we can achieve this.

• Make sure both VLANs are communicating.
• Disable the Windows firewall on the AD machine and add exceptions for the following ports.
• Open the required ports for DNS, NetBIOS, RPC, LDAP and ICMP in both directions, from source to destination.
• Set the AD gateway as the default gateway for the client machine.

Ensure that all the required firewall ports are open to enable communication between the domain controller and the client, which are in different networks.
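An added Python helper (not part of the post) that checks from the client's VLAN whether the TCP ports of the services listed above answer on the domain controller, so a blocked port shows up before the join attempt fails. The port numbers are the standard IANA assignments and are an addition: the post names the services but not the ports. ICMP needs a raw socket and is not covered. The two local listener helpers exist only so the check can be exercised offline against 127.0.0.1; the hostname in the usage line is constructed.

```python
import socket

# Standard TCP ports for the services the post says must be reachable between
# the client's VLAN and the domain controller (IANA assignments, not from the post).
DOMAIN_JOIN_TCP_PORTS = {"DNS": 53, "RPC endpoint mapper": 135,
                         "NetBIOS session": 139, "LDAP": 389}


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port is accepted within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                    # refused, timed out, unreachable, unresolvable
        return False


def check_ports(host, ports=DOMAIN_JOIN_TCP_PORTS, timeout=2.0):
    """Map each service name to whether its port answered."""
    return {name: tcp_port_open(host, port, timeout) for name, port in ports.items()}


def blocked_services(host, ports=DOMAIN_JOIN_TCP_PORTS, timeout=2.0):
    """Names of the services whose port did not answer; an empty list means all open."""
    return sorted(name for name, ok in check_ports(host, ports, timeout).items() if not ok)


def start_local_listener():
    """Offline helper: listen on an ephemeral 127.0.0.1 port; returns (port, close)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv.getsockname()[1], srv.close


def unused_local_port():
    """Offline helper: a 127.0.0.1 port that currently has no listener."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.corp.example"   # constructed hostname
    print("blocked from here:", blocked_services(dc) or "none")
```

Run it on the client with the domain controller's name or address as the argument; anything listed as blocked is a firewall rule or routing problem to fix on the path between the two VLANs before retrying the join.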

How to reset TCP/IP in Windows or How to delete TCP/IP entries from Registry ?
FRIDAY, JULY 9, 2010
Resetting TCP/IP solves many problems. So how do we reset it?
Actually all the TCP/IP parameters for every interface are stored in the Windows Registry database. They are not stored in a single location but in many locations, so finding all the values and deleting them manually is not at all practical, and editing the registry by hand may disturb the system configuration. My sincere request is to back up your system registry before you modify anything; otherwise you will get a lot of issues. :)

So to simplify this situation, we have a command in Windows which takes care of everything involved in resetting TCP/IP. The beautiful command is "netsh". It really helps us in many situations, and for older machines it is available as a download from microsoft.com.

How to work with it ?

1. Run the netsh command at the command prompt.
2. Type the interface command at the netsh> prompt.
3. Type the ip command at the netsh interface> prompt.
4. Type the reset reset.txt command to reset TCP/IP.
But what is reset.txt here? We are just sending the output details to that file; if anything goes wrong you can get back to your previous config from this file.

5. Go and look at your TCP/IP properties tab: it will be set to "Obtain Automatically" mode. Surprised!!!
6. This command is used in situations like the following....
sometimes DNS server information does not get erased from the registry
sometimes virtual IP settings are also not erased from the registry
sometimes configuration changes don't take effect