
Troubleshooting DNS configuration issues on domain controllers by using the DNS test in the Windows Server 2003 SP1-based version of the DCDIAG tool

David Rheaume
Rapid response engineer
Premier Field Engineering
Microsoft Corporation
David Rheaume
David Rheaume is a rapid response engineer in the
Microsoft Premier Field Engineering group. David
joined Microsoft in March 2000 and has supported
Active Directory during all of his time with the
company. During this time, he has provided front-line
and escalation support in Product Support Services
(PSS), beta support for customers deploying pre-
release software in the enterprise, and most recently,
on-site support for Microsoft enterprise customers.
Agenda
Overview of Active Directory name
resolution
DCDIAG installation and system
requirements
DCDIAG /TEST:DNS drill down
DCDIAG /TEST:DNS usage scenarios and
syntax
DCDIAG /TEST:DNS known issues
Active Directory name resolution
Before Active Directory, Microsoft Windows domains
required a relatively simple set of NetBIOS records (1B,
1C) resolved by Windows Internet Name Service (WINS).
Active Directory changed requirements to a detailed set of
site-specific, domain-specific, and forest-wide service
location and replication records resolved by DNS.
Detailed knowledge of Domain Name System (DNS)
operation and troubleshooting was not common among
Windows domain administrators.
DNS monitoring solutions were not typically deployed in
the enterprise.

DNS configuration issues in Active Directory deployments
Many or all domain controllers in an organization
may have DNS installed and can accept updates
to the zones.
Replication of DNS records is subject to typical
replication latency.
Automatic DNS setup in Microsoft Windows 2000
did not use optimized defaults.
DNS servers that host common Active Directory-
integrated zones still require per-server
configuration.

Key failures that are caused by DNS misconfiguration
Active Directory replication
User authentication
Domain controller promotion and demotion
(DCPROMO)
Domain joining
Internet access

DCDIAG /TEST:DNS
New test option in the Microsoft Windows Server 2003 Service Pack 1 (SP1) version of DCDIAG
One tool for validation of forest-wide DNS configuration
Installation sources
Windows Server 2003 SP1 Support Tools
http://support.microsoft.com/kb/892777

System requirements
Supported installation platforms
Windows Server 2003 member servers and domain controllers
Microsoft Windows XP Professional member computers

System requirements (2)
Supported test targets
Windows 2000 with Service Pack 3 (SP3)
Windows Server 2003
Windows Server 2003 SP1

Credential requirements
Enterprise Admins membership
DCDIAG /TEST:DNS
When to use DCDIAG /TEST:DNS
Any time that you suspect DNS is broken
Any time that you want to validate DNS health
Best practices recommend that you
validate the DNS infrastructure at least
weekly by using DCDIAG /TEST:DNS
A more frequent interval, such as daily,
provides better monitoring of the DNS
infrastructure

DCDIAG /TEST:DNS operations
Validates seven elements of DNS health:
Connectivity (always performed, as in previous versions of DCDIAG; cannot be skipped)
Basic DNS
Forwarders
Delegation
Dynamic update
Record registration
External name resolution (not run by default)

DCDIAG /TEST:DNS operations (2)
By default, all tests other than external name resolution are run.
Any test can be run individually.
Test DNS health for a single domain controller, or for all domain controllers in a forest or naming context.
The summary table reports a Pass, Warn, or Fail status for each test.

DCDIAG /TEST:DNS syntax
Sub tests can be run individually by using these switches:
/DnsBasic               Basic tests; cannot be skipped
/DnsForwarders          Forwarders and root hints tests
/DnsDelegation          Delegation tests
/DnsDynamicUpdate       Dynamic update tests

DCDIAG /TEST:DNS syntax (2)
Additional sub tests:
/DnsRecordRegistration  Record registration tests
/DnsResolveExtName      External name resolution test
/DnsInternetName:<name> Internet name to query in the /DnsResolveExtName test; if it is not specified, the default is www.microsoft.com
/DnsAll                 Runs all tests

DCDIAG /TEST:DNS optional parameters
The verbose switch (/v) is required to gather most of the interesting information other than the summary table.
/s:DCName     Runs the tests against the named domain controller
/f:Logfile    Writes the output to the named log file
/ferr:Logerr  Writes errors to a separate log file
/v            Displays verbose output
/e            Runs all specified tests against every domain controller whose NTDS Settings object is listed in the directory of the targeted domain controller (that is, enterprise-wide)

Syntax examples for common test scenarios
DCDIAG /TEST:DNS /v /f:filename /s:DCName
Test DNS on a single domain controller and log verbose output to a file.

DCDIAG /TEST:DNS /v /f:filename /e
Test DNS on all domain controllers in the forest and log verbose output to a file.

Connectivity test
Cannot be skipped: there is no separate switch for the connectivity test because it always runs.
Tests performed
Are the domain controllers registered in DNS?
Can they be pinged?
Do they have Lightweight Directory Access Protocol (LDAP) and remote procedure call (RPC) connectivity?
No other tests are run against a domain controller if this test fails.

Basic DNS test
Syntax: /DnsBasic
Tests performed
Are the expected services running?
DNS Client service
DNS Server service
Netlogon service
Key Distribution Center (KDC) service
Are DNS servers reachable over the network adapters?

Basic DNS test (2)
Additional tests performed
If DNS is installed, does the zone for the domain controller's Active Directory namespace exist?
If DNS is installed, does a valid Start of Authority (SOA) record exist for the domain controller's zone?
Is the host record (also called the A record or glue record) registered on at least one DNS server?
Does a root (.) zone exist?

/DnsBasic warning conditions

Warning: Adapter <adapter name> has dynamic IP address (can be a misconfiguration)
    Static IP addresses are recommended for all DNS servers.
Warning: Adapter <adapter name> has invalid DNS server: <name> <IP address>
    The server that is configured as the DNS resolver for the adapter may not be reachable.
Warning: No DNS RPC connectivity (error or non-Microsoft DNS server is running)
    Disregard this warning if the DNS server is BIND or another non-Microsoft DNS server.
Warning: The Active Directory zone on this DC/DNS server was not found (probably a misconfiguration)
    Disregard if the forest root namespace is a three-segment name without a corresponding two-segment namespace, for example, a forest root of example.domain.com where no zone domain.com exists.
Warning: Root zone on this DC/DNS server was found (could be a misconfiguration)
    A root (.) zone makes the server authoritative for the whole namespace, so it never uses forwarders or root hints to resolve names outside its own zones. Delete the root zone unless the server is intended to be a root server.

/DnsBasic errors

Error: Authentication failed with specified credentials
    Enterprise Admin credentials are required.
Error: No LDAP connectivity
    Network access over TCP port 389 is required.
Error: No DS RPC connectivity
    Network access over the Windows Server Message Block (SMB) ports is required.
Error: No WMI connectivity
    The DNS test requires WMI connectivity to run against the remote machine.
Error: Cannot read operating system version through WMI
    WMI connectivity and permissions are required.
Error: Operating system name not supported
    Valid targets are Windows 2000 SP3, Windows Server 2003, and Windows Server 2003 SP1.
Error: Open Service Control Manager failed
    The service is not running or is not installed, or the account used to run the test does not have permission to read the service.

/DnsBasic errors (2)

Error: KDC/Netlogon/DNS/DNScache is not running
    The specified service is not running.
Error: Cannot read network adapter information through WMI
    WMI connectivity and permissions are required.
Error: All DNS servers are invalid
    The DNS servers configured in the resolver settings cannot be pinged or are not valid DNS servers.
Error: The A record for this domain controller was not found
    The host record is missing. Check that the DHCP Client service is running on the specified machine.
Error: Enumeration of zones failed to find out whether there is a root and Active Directory zone
    The zones on the server could not be enumerated, so the test cannot tell whether a root zone or the Active Directory zone exists.
Error: Could not query DNS zones on this domain controller
    Unable to query the Active Directory name records for the specified domain controller.

Forwarders test
Syntax: /DnsForwarders
Tests performed
Is recursion enabled?
Verifies the forwarders and root hints configuration if these items are present.
Can the _ldap._tcp.dc._msdcs.<forest root domain> domain controller locator record be resolved by domain controllers in a non-root domain?
Notes:
This test is run only if the targeted domain controller is running the Microsoft DNS Server service.
Forwarders and root hints are not used to resolve the _ldap._tcp.dc._msdcs.<forest root domain> locator record on forest root domain controllers (they host the zone that contains it).

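The forwarder and recursion checks described above, reproduced as an added PowerShell example; this is not code from the webcast or from DCDIAG. It reads the server settings through the same WMI DNS provider that DCDIAG uses (root\MicrosoftDNS) and then asks each forwarder and each root hint server for the forest root DC locator record that a child-domain domain controller must be able to resolve. Assumptions: the MicrosoftDNS_Server.Forwarders and NoRecursion properties, root hint glue stored as MicrosoftDNS_AType records in the "..RootHints" container, nslookup.exe on the PATH, WMI access to the target, and the forest root name taken from the .NET Forest class when it is not supplied; the server and domain names are placeholders.

```powershell
# Added example: replicate the /DnsForwarders checks against one DNS server.
# Requires PowerShell 2.0 (a separate download on Windows Server 2003), WMI access
# to root\MicrosoftDNS on the target, and nslookup.exe on the PATH.
param(
    [string]$DnsServer  = $env:COMPUTERNAME,
    [string]$ForestRoot = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.Name
)

# Server-wide settings: Forwarders (string[]) and NoRecursion (bool) on MicrosoftDNS_Server.
$srv = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Server -ComputerName $DnsServer
$forwarders = @($srv.Forwarders | Where-Object { $_ })

# Root hints: the A (glue) records stored in the ..RootHints container (assumed container name).
$rootHintIps = @(Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_AType `
        -ComputerName $DnsServer -Filter "ContainerName='..RootHints'" | ForEach-Object { $_.IPAddress })

function Test-LocatorViaServer {
    param([string]$Server, [string]$Name)
    # nslookup prints "svr hostname = <dc fqdn>" for each SRV answer; anything else is a miss.
    $out = & nslookup.exe -type=SRV $Name $Server 2>&1 | Out-String
    if ($out -match 'svr hostname\s*=\s*(\S+)') { return $matches[1] }
    return $null
}

$locator = "_ldap._tcp.dc._msdcs.$ForestRoot"
"DNS server    : $DnsServer"
"Recursion     : $(if ($srv.NoRecursion) { 'disabled' } else { 'enabled' })"
"Forwarders    : $(if ($forwarders) { $forwarders -join ', ' } else { '(none)' })"
"Root hint IPs : $(if ($rootHintIps) { $rootHintIps -join ', ' } else { '(none)' })"

if ($srv.NoRecursion) {
    Write-Warning 'Recursion is disabled; forwarders and root hints will not be used for names outside local zones.'
}
if (-not $forwarders -and -not $rootHintIps) {
    Write-Warning 'Neither forwarders nor root hints are configured; this server cannot resolve external names.'
}

# Every forwarder and root hint server should hand back the forest root locator record.
$results = @()
foreach ($candidate in ($forwarders + $rootHintIps)) {
    $role   = if ($forwarders -contains $candidate) { 'forwarder' } else { 'root hint' }
    $target = Test-LocatorViaServer -Server $candidate -Name $locator
    $results += New-Object PSObject -Property @{
        Role = $role; Server = $candidate
        Status = $(if ($target) { 'PASS' } else { 'FAIL' }); Target = $target
    }
}
if ($results) { $results | Format-Table Role, Server, Status, Target -AutoSize }
else { 'Nothing to test: no forwarders or root hint servers were found.' }
```

Run it on a domain controller in a child domain, where the locator lookup has to leave the local zones. On a forest root domain controller whose forwarders are an ISP's servers, a FAIL row for the locator is the same condition the "Known issues" section describes and is expected.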
/DnsForwarders errors

Error: Forwarders list has invalid forwarder: <IP address of the forwarder>
    The specified IP address is unreachable or is not answering DNS queries.
Error: Both root hints and forwarders are not configured. Please configure either forwarders or root hints
    The tested DNS server is not a root server, but it is not configured to perform any external name resolution.
Error: Root hints list has invalid root hint server: <IP address of root hint server>
    The configured root hint server is not reachable or is not answering DNS queries.
Error: Enumeration of root hint servers failed on DNS server <name>
    The test could not list the root servers on the target DNS server.

Delegation test
Syntax: /DnsDelegation
Tests performed
Is each delegated name server a functioning DNS server?
Are there broken delegations?
Verifies that the host record can be resolved for each listed name server (NS) record.
Notes
This test is run only if the targeted domain controller is running the Microsoft DNS Server service.

/DnsDelegation warnings

Warning: DNS server: <DNS server name> IP: <IP address> Failure: Missing glue (A) record
    The host record for the specified delegated name server cannot be resolved.

/DnsDelegation errors

DNS server: <server name> IP: <IP address> Error: Broken delegation
    The name server specified by the delegation cannot resolve zone records or is not responding to DNS queries.
DNS server: <server name> IP: <IP address> Error: Broken delegated domain <delegated domain name>
Error: Failed to enumerate the records at the zone root on the server

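The three delegation checks above (NS records present on the parent, glue resolvable, delegated server answering for the zone), as an added PowerShell example that is not code from the webcast or from DCDIAG. It drives nslookup.exe against the parent server and then against each delegated name server, and prints messages in the same shape as the warning and error tables. Assumptions: nslookup.exe on the PATH, PowerShell 2.0, and the wording of Windows nslookup output ("nameserver =", "Address:", "primary name server"); the server and zone names are placeholders supplied by the caller.

```powershell
# Added example: check a parent-to-child delegation the way /DnsDelegation does.
param(
    [Parameter(Mandatory=$true)][string]$ParentServer,   # DNS server authoritative for the parent zone
    [Parameter(Mandatory=$true)][string]$ChildZone       # delegated zone, e.g. child.corp.contoso.com
)

function Invoke-Nslookup {
    param([string]$Type, [string]$Name, [string]$Server)
    # Return only the answer part of nslookup output: everything after the
    # "Server:/Address:" header block, so the queried server's own address is never
    # mistaken for an answer.
    $lines = @(& nslookup.exe "-type=$Type" $Name $Server 2>&1 | ForEach-Object { "$_" })
    $blank = -1
    for ($i = 0; $i -lt $lines.Count; $i++) { if ($lines[$i].Trim() -eq '') { $blank = $i; break } }
    if ($blank -ge 0 -and $blank -lt $lines.Count - 1) { return ($lines[($blank + 1)..($lines.Count - 1)] -join "`n") }
    return ($lines -join "`n")
}

# 1. Ask the parent for the delegation: the NS records of the child zone.
$nsAnswer    = Invoke-Nslookup -Type NS -Name $ChildZone -Server $ParentServer
$nameServers = @([regex]::Matches($nsAnswer, 'nameserver\s*=\s*(\S+)') |
                 ForEach-Object { $_.Groups[1].Value.TrimEnd('.') })
if (-not $nameServers) {
    Write-Warning "Error: Delegation is not configured on the parent: $ParentServer returns no NS records for $ChildZone"
    exit 1
}

foreach ($ns in $nameServers) {
    # 2. Glue: the parent must be able to hand back an address for the delegated name server.
    $aAnswer = Invoke-Nslookup -Type A -Name $ns -Server $ParentServer
    $glue = [regex]::Match($aAnswer, '(?m)^Address(?:es)?:\s*(\d{1,3}(?:\.\d{1,3}){3})')
    if (-not $glue.Success) {
        Write-Warning "DNS server: $ns  Failure: Missing glue (A) record ($ParentServer cannot resolve it)"
        continue
    }
    $nsIp = $glue.Groups[1].Value

    # 3. Is the delegated server really serving the zone? It must answer an SOA query for it.
    $soaAnswer = Invoke-Nslookup -Type SOA -Name $ChildZone -Server $nsIp
    if ($soaAnswer -match 'primary name server') {
        "PASS  $ns ($nsIp) answers for $ChildZone"
    } else {
        Write-Warning "DNS server: $ns IP: $nsIp  Error: Broken delegation (no SOA answer for $ChildZone)"
    }
}
```

A delegation that passes here but still fails in DCDIAG usually means the parent's NS list is stale: compare the names it returned with the NS records the child zone itself holds.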
Dynamic update test
Syntax: /DnsDynamicUpdate
Tests performed
Is the domain controller's DNS zone configured to accept secure dynamic updates?
Can the test record _dcdiag_test_record be registered on the current DNS server?
The test record is deleted afterwards.

/DnsDynamicUpdate warnings

Warning: Dynamic update is enabled on the zone but not secure <zone name>
    Accepting nonsecure dynamic updates is a critical security risk: any host that can reach the DNS server can add or overwrite records in the zone, including the domain controller locator records, without authenticating.
Warning: Failed to add test record _dcdiag_test_record with error <error code> in zone <zone name>
    Permission to add the test record was denied.
Warning: Failed to delete test record _dcdiag_test_record with error <error code> in zone <zone name>
    Permission to delete the test record was denied.

/DnsDynamicUpdate errors

Error: Dynamic update is not enabled on the zone <zone name>
    Dynamic update is not enabled on the Active Directory zone, so the client cannot register its records.

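A PowerShell audit of the zone setting behind the warning and error above, added here and not taken from the webcast or from DCDIAG. It reads MicrosoftDNS_Zone.AllowUpdate through the WMI DNS provider (0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only), flags every zone that accepts nonsecure updates, and prints (or with -Fix runs) the dnscmd.exe command that switches an Active Directory-integrated zone to secure only. Assumptions: WMI access to root\MicrosoftDNS on the target, dnscmd.exe from the Support Tools on the PATH, PowerShell 2.0, and that secure-only updates are available only for AD-integrated zones, so file-backed primary zones are reported separately.

```powershell
# Added example: find zones that accept nonsecure dynamic updates and show the fix.
param([string]$DnsServer = $env:COMPUTERNAME, [switch]$Fix)

function Get-DynamicUpdateRisk {
    param([string]$Server)
    Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Zone -ComputerName $Server |
        ForEach-Object {
            $zone = $_
            $mode = switch ($zone.AllowUpdate) {
                0       { 'None' }
                1       { 'NonsecureAndSecure' }
                2       { 'SecureOnly' }
                default { "Unknown($_)" }
            }
            New-Object PSObject -Property @{
                Zone         = $zone.Name
                DsIntegrated = [bool]$zone.DsIntegrated
                AllowUpdate  = $mode
                # Nonsecure updates let any host that reaches UDP/TCP 53 rewrite records unauthenticated.
                Risk         = ($zone.AllowUpdate -eq 1)
            }
        }
}

$report = @(Get-DynamicUpdateRisk -Server $DnsServer)
$report | Sort-Object Zone | Format-Table Zone, DsIntegrated, AllowUpdate, Risk -AutoSize

foreach ($z in ($report | Where-Object { $_.Risk })) {
    if ($z.DsIntegrated) {
        # dnscmd <server> /Config <zone> /AllowUpdate 2  = secure only
        if ($Fix) {
            & dnscmd.exe $DnsServer /Config $z.Zone /AllowUpdate 2
        } else {
            "Remediation: dnscmd $DnsServer /Config $($z.Zone) /AllowUpdate 2"
        }
    } else {
        "Zone $($z.Zone) is a standard (file-backed) zone; secure-only updates need an AD-integrated zone."
        "  Convert first: dnscmd $DnsServer /ZoneResetType $($z.Zone) /DsPrimary, then /AllowUpdate 2,"
        "  or disable dynamic updates: dnscmd $DnsServer /Config $($z.Zone) /AllowUpdate 0"
    }
}
```

Run it without -Fix first and review the list: a reverse lookup zone deliberately left open for non-domain devices shows up here as well, and the decision for such a zone is an explicit one, not a default.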
Record registration test
Syntax: /DnsRecordRegistration
Tests performed
Are the host, alias, and service locator (SRV) resource records for each network service registered on all configured DNS servers? The records checked are:
The DSA GUID CNAME record (<DSA GUID>._msdcs.<forest root domain>)
_ldap SRV records (LDAP and domain controller locator)
_gc SRV records (global catalog)
_pdc SRV record (PDC emulator)

/DnsRecordRegistration warnings

Warning: Missing DC SRV record at DNS server <record name>
Warning: Missing GC SRV record at DNS server <record name>
Warning: Missing PDC SRV record at DNS server <record name>
    For all three: ignore the warning if the DnsAvoidRegisterRecords registry value or its Group Policy setting has been configured to prevent registration of that record.
Warning: Record registrations not found in some network adapters

/DnsRecordRegistration errors

Error: Missing A record at DNS server <DNS server IP address> : <A record name>
    The domain controller has not registered its A record on the specified DNS server.
Error: Missing CNAME record at DNS server <DNS server IP address> : <CNAME record name>
    The domain controller has not registered its CNAME record on the specified DNS server.
Error: Missing DC SRV record at DNS server <DNS server IP address> : <SRV record name>
    The domain controller has not registered its DC SRV record on the specified DNS server.
Error: Missing GC SRV record at DNS server <DNS server IP address> : <SRV record name>
    The domain controller has not registered its GC SRV record on the specified DNS server.
Error: Missing PDC SRV record at DNS server <DNS server IP address> : <SRV record name>
    The domain controller has not registered the specified PDC SRV record on the specified DNS server. All of these SRV records can be registered by stopping and starting the Netlogon service.

Note: To reregister SRV records, restart the Netlogon service or run NETDIAG /fix. To correct stale records, rename Netlogon.dns and Netlogon.dnb in %SystemRoot%\System32\Config.

Correcting /DnsRecordRegistration errors
The Dynamic Host Configuration Protocol (DHCP) Client service is required to dynamically register host (A) records.
The DHCP Client service is still required on statically addressed computers.
IPCONFIG /registerdns reregisters the A records on demand.

Correcting /DnsRecordRegistration errors (2)
The Netlogon service registers all service locator (SRV) resource records.
To correct stale records, rename Netlogon.dns and Netlogon.dnb in %SystemRoot%\System32\Config.
To reregister SRV records, restart the Netlogon service or run NETDIAG /fix.

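The record registration test and the two "Correcting" slides above, as an added PowerShell example that is not code from the webcast or from DCDIAG. It reads the domain controller's own Netlogon.dns (the file Netlogon writes, one zone-file style record per line) to learn exactly which A, CNAME, and SRV records this server is supposed to register, queries every configured DNS server for each of them with nslookup.exe, and prints the re-registration commands for whatever is missing. Assumptions: the Netlogon.dns path from the slide, PowerShell 2.0, nslookup.exe on the PATH, and a heuristic match on the expected target in nslookup's answer section; the sample record lines in the comments are constructed.

```powershell
# Added example: verify the records in Netlogon.dns against every configured DNS server.
param(
    [string]$NetlogonDns = "$env:SystemRoot\System32\Config\Netlogon.dns",
    [string[]]$DnsServers
)

if (-not $DnsServers) {
    # Like the record registration test, use the DNS servers of every IP-enabled adapter.
    $DnsServers = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Select-Object -Unique)
}

# Netlogon.dns lines look like this (constructed examples):
#   _ldap._tcp.dc._msdcs.corp.contoso.com. 600 IN SRV 0 100 389 dc1.corp.contoso.com.
#   5f4a2e1c-0000-0000-0000-000000000000._msdcs.corp.contoso.com. 600 IN CNAME dc1.corp.contoso.com.
#   corp.contoso.com. 600 IN A 10.0.0.1
$recordPattern = '^(?<name>\S+)\s+\d+\s+IN\s+(?<type>A|CNAME|SRV)\s+(?<rdata>.+)$'

function Get-NetlogonRecords {
    param([string]$Path)
    foreach ($line in Get-Content $Path) {
        if ($line -match $recordPattern) {
            # For SRV the last rdata field is the target host; for A and CNAME the rdata is the target.
            $target = ($matches['rdata'].Trim() -split '\s+')[-1]
            New-Object PSObject -Property @{ Name = $matches['name']; Type = $matches['type']; Target = $target }
        }
    }
}

function Test-RecordOnServer {
    param($Record, [string]$Server)
    $lines = @(& nslookup.exe "-type=$($Record.Type)" $Record.Name $Server 2>&1 | ForEach-Object { "$_" })
    # Skip nslookup's own "Server:/Address:" header (up to the first blank line) so the queried
    # server's address is never mistaken for an answer, then look for the expected target.
    $answer = @(); $seenBlank = $false
    foreach ($l in $lines) {
        if ($seenBlank) { $answer += $l }
        elseif ($l.Trim() -eq '') { $seenBlank = $true }
    }
    if (-not $seenBlank) { $answer = $lines }
    $expected = [regex]::Escape($Record.Target.TrimEnd('.'))
    return (($answer -join "`n") -match $expected)
}

$records = @(Get-NetlogonRecords -Path $NetlogonDns)
"Checking $($records.Count) records from $NetlogonDns against: $($DnsServers -join ', ')"

$missing = @()
foreach ($server in $DnsServers) {
    foreach ($r in $records) {
        if (-not (Test-RecordOnServer -Record $r -Server $server)) {
            $missing += New-Object PSObject -Property @{ Server = $server; Type = $r.Type; Name = $r.Name; Target = $r.Target }
        }
    }
}

if ($missing) {
    $missing | Format-Table Server, Type, Name, Target -AutoSize
    'To re-register: ipconfig /registerdns (A records); net stop netlogon and net start netlogon, or netdiag /fix (CNAME and SRV records).'
} else {
    'All Netlogon.dns records are present on every configured DNS server.'
}
```

If DnsAvoidRegisterRecords is configured on the server, drop the affected record types from the list before reporting, which is the same "ignore" case the warnings table describes; and because replication latency applies to AD-integrated zones, a record missing only on a remote DNS server right after a Netlogon restart may simply not have replicated yet.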
External name resolution test
Syntax: /DnsResolveExtName
Tests performed
Tests name resolution outside the Active Directory forest.
The default query is for www.microsoft.com.
An alternative target can be specified by using /DnsInternetName.
Notes
The external name test is not run unless it is explicitly specified.
External name resolution fails where Internet access is available only through a proxy, because the DNS servers themselves cannot resolve external names.

/DnsResolveExtName errors

Error: Internet name <name> cannot be resolved
    The specified Internet name cannot be resolved. Make sure that the proxy client, DNS servers, root hints, and forwarders are configured properly.

Performance factors for DCDIAG /TEST:DNS
DCDIAG /TEST:DNS performance issues
Offline domain controllers
Offline DNS servers
Clients that point to an invalid DNS server
DNS servers that have invalid forwarders and delegations
Effect
DCDIAG waits the full RPC time-out for each response, so every unreachable target adds the time-out to the run.
The delays accumulate, and the runtime grows quickly with the number of unreachable targets.

Performance factors for DCDIAG /TEST:DNS (2)
Real-world performance
About 4.1 to 4.5 domain controllers per minute over fast wide area network (WAN) links.
DCDIAG /e may not be appropriate in forests that contain about 1000 domain controllers.
DCDIAG /TEST:DNS has been run in forests that contain 200 to 400 domain controllers.

Enterprise DNS infrastructure errors

Error: Delegation is not configured on the parent domain
    A delegation should be configured from the parent domain to the subordinate domain.
Error: Delegation is present but the glue record is missing
    The delegation is configured, but the host record cannot be resolved for one or more NS records.
Error: Forwarders are misconfigured from parent domain to subordinate domain
    Forwarders should point up the namespace (from subordinate to parent), not down.
Error: Root hints are misconfigured from parent domain to subordinate domain
    Root hints should point up the namespace, not down.
Error: Forwarders are configured from subordinate to parent domain but some of them failed DNS server tests (see the DNS servers section for error details)
    The configured forwarders are unavailable, cannot resolve the requested records, or are not responding to DNS queries.
Error: Root hints are configured from subordinate to parent domain but some of them failed DNS server tests (see the DNS servers section for error details)
    The configured root hint servers are unavailable, cannot resolve the requested records, or are not responding to DNS queries.

Strategies to help interpret /TEST:DNS output
Run DCDIAG /TEST:DNS /v /f:filename /e.
Load the report in Notepad or your preferred text editor.
A multiple monitor system (Multimon) or a split screen provides the best viewing environment: keep the summary table on the primary monitor or pane, and the breakout section of each failing domain controller on the secondary monitor or pane.

Strategies to help interpret /TEST:DNS output (2)
Review the summary table near the bottom of the DCDIAG log file.
Locate the domain controllers that reported a failure or warning status in the summary table.
Find the breakout section for a problem domain controller by searching for "DC: DCName".
Make the required configuration changes on the DNS clients and DNS servers.
Run DCDIAG /TEST:DNS again with the /e or /s switch to validate DNS health.

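The syntax examples and the interpretation procedure above (run with /e and /v into a log file, read the summary table, then jump to the breakout section of each domain controller that shows WARN or FAIL), as an added PowerShell script that is not part of the webcast or of DCDIAG. Assumptions: dcdiag.exe from the Windows Server 2003 SP1 Support Tools on the PATH, Enterprise Admin credentials, PowerShell 2.0, and the layout of the verbose log's "Summary of DNS test results" table (a "Domain:" line followed by one row per domain controller with seven PASS/WARN/FAIL/n/a columns headed Auth Basc Forw Del Dyn RReg Ext); the log path is a placeholder, and the patterns need adjusting if your build prints the table differently.

```powershell
# Added example: run DCDIAG /TEST:DNS, then pull WARN/FAIL rows and their breakout lines out of the log.
param(
    [string]$LogFile = "C:\Logs\dcdiag-dns-$(Get-Date -Format yyyyMMdd-HHmm).log",
    [string]$Server,   # name a DC to test one server (/s:) instead of the whole forest (/e)
    [switch]$Run       # run dcdiag now; otherwise only parse an existing log
)

if ($Run) {
    $null = New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force
    $scope = if ($Server) { "/s:$Server" } else { '/e' }
    # /v is required for the per-DC breakout sections; /f writes the log this script parses.
    & dcdiag.exe /test:dns /v $scope "/f:$LogFile"
}

$columns    = 'Auth', 'Basc', 'Forw', 'Del', 'Dyn', 'RReg', 'Ext'
$status     = '(?:PASS|WARN|FAIL|n/a)'
$rowPattern = '^\s*(?<dc>\S+)\s+(?<cells>' + $status + '(?:\s+' + $status + '){6})\s*$'

function Get-DnsTestSummary {
    param([string]$Path)
    $inSummary = $false; $domain = ''
    foreach ($line in Get-Content $Path) {
        if ($line -match 'Summary of DNS test results') { $inSummary = $true; continue }
        if (-not $inSummary) { continue }
        if ($line -match '^\s*Domain:\s*(\S+)') { $domain = $matches[1]; continue }
        if ($line -match $rowPattern) {
            $cells = $matches['cells'] -split '\s+'
            $row = New-Object PSObject
            $row | Add-Member NoteProperty Domain $domain
            $row | Add-Member NoteProperty DC $matches['dc']
            for ($i = 0; $i -lt $columns.Count; $i++) { $row | Add-Member NoteProperty $columns[$i] $cells[$i] }
            $row
        }
    }
}

function Get-DcBreakout {
    param([string]$Path, [string]$DcName)
    # The verbose log has one "DC: <name>" section per domain controller; return that section's lines.
    $lines = @(Get-Content $Path)
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($start -lt 0) {
            if ($lines[$i] -match ('^\s*DC:\s*' + [regex]::Escape($DcName) + '\b')) { $start = $i }
        } elseif ($lines[$i] -match '^\s*DC:\s') {
            return $lines[$start..($i - 1)]
        }
    }
    if ($start -ge 0) { return $lines[$start..($lines.Count - 1)] }
}

$summary  = @(Get-DnsTestSummary -Path $LogFile)
$problems = @($summary | Where-Object {
    $row = $_
    @($columns | Where-Object { $row.$_ -match '^(FAIL|WARN)$' }).Count -gt 0
})

$summary | Format-Table Domain, DC, Auth, Basc, Forw, Del, Dyn, RReg, Ext -AutoSize
foreach ($p in $problems) {
    "==== $($p.DC) ($($p.Domain)) ===="
    # Only the Warning:/Error: lines of the breakout; the sub test tables explain each message.
    Get-DcBreakout -Path $LogFile -DcName $p.DC | Select-String 'Warning:|Error:' |
        ForEach-Object { '  ' + $_.Line.Trim() }
}
if (-not $problems) { 'No WARN or FAIL status in the summary table.' }
```

To get the weekly (or daily) validation the earlier slide recommends, schedule `powershell.exe -File <script> -Run` as a task under an Enterprise Admin account and keep the dated logs; diffing two summaries shows which domain controllers changed state between runs.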
Known issues
DCDIAG /TEST:DNS does not perform comprehensive best practices checks. No warnings or errors are logged for single point-of-failure configurations such as a single defined DNS resolver, forwarder, or delegation.
Servers that are targeted by the DCDIAG /TEST:DNS tool must be registered in WINS to be discovered by the tool.

Known issues (2)
In child domains, any configured root hints or forwarders are tested for resolution of forest root domain records.
This test occurs even if a copy of the forest root zone, a stub zone, or a conditional forwarder for it is hosted locally.
DCDIAG /TEST:DNS reports an error when these external servers cannot resolve the forest root domain.

Known issues (3)
DCDIAG /TEST:DNS /DnsBasic does a pointer (PTR) query for the loopback address of each listed forwarder or root hint server. BIND or other third-party DNS servers that do not configure the loopback zone return "name does not exist". DCDIAG /TEST:DNS interprets this response as INVALID, the query fails, and you receive the following message:
    DNS server: 192.168.2.1 ()
    6 test failures on this DNS server
    This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.2.1
    [Error details: 9002 (Type: Win32 - Description: DNS server failure.)]

Known issues (4)
In environments that are configured by using the Branch Office Deployment Guide and that have the DnsAvoidRegisterRecords registry value set, each server that has the value set generates WARN messages when it is examined by the /DnsRecordRegistration test.
If the primary DNS resolver is set to 127.0.0.1 (loopback), DCDIAG /TEST:DNS reports errors for the /DnsRecordRegistration test.
127.0.0.1 is the default configuration when Windows Server 2003 DCPROMO configures DNS automatically.
To correct the reported error, change the DNS resolver from the loopback address to the actual IP address of the local computer.
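The adapter checks behind the /DnsBasic warnings ("has dynamic IP address", "has invalid DNS server", "all DNS servers are invalid") and the loopback resolver issue just described, as an added PowerShell example that is not code from the webcast or from DCDIAG. It reads each IP-enabled adapter of a domain controller through WMI (Win32_NetworkAdapterConfiguration), tests every configured resolver with an SOA query for the target's own domain, and with -Fix replaces a 127.0.0.1 entry with the adapter's own address, as the slide recommends. Assumptions: WMI access to the target, nslookup.exe on the PATH, PowerShell 2.0, and that Windows nslookup prints "primary name server" only for a successful SOA answer.

```powershell
# Added example: audit (and optionally fix) the resolver configuration of a DC's adapters.
param([string]$ComputerName = $env:COMPUTERNAME, [switch]$Fix)

function Test-DnsServerAnswers {
    param([string]$Server, [string]$Domain)
    # A working DNS server answers an SOA query for the DC's domain; nslookup prints the
    # "primary name server = ..." line only when it received an answer.
    $out = & nslookup.exe -type=SOA $Domain $Server 2>&1 | Out-String
    return ($out -match 'primary name server')
}

$domain   = (Get-WmiObject Win32_ComputerSystem -ComputerName $ComputerName).Domain
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $ComputerName -Filter 'IPEnabled=TRUE')

foreach ($nic in $adapters) {
    $ip = @($nic.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })[0]
    "Adapter: $($nic.Description)   IP: $ip   DHCP enabled: $($nic.DHCPEnabled)"

    if ($nic.DHCPEnabled) {
        Write-Warning 'Adapter has a dynamic IP address (can be a misconfiguration); DNS servers should use static addresses.'
    }

    $resolvers = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    if (-not $resolvers) { Write-Warning 'No DNS servers are configured on this adapter.'; continue }

    $valid = 0
    $fixedList = @()
    foreach ($r in $resolvers) {
        if ($r -eq '127.0.0.1') {
            Write-Warning "Resolver is the loopback address; /DnsRecordRegistration reports errors for it. Use $ip instead."
            $fixedList += $ip
        } else {
            $fixedList += $r
        }
        # Probe the DC's real address rather than our own loopback when the script runs remotely.
        $probe = if ($r -eq '127.0.0.1') { $ip } else { $r }
        if (Test-DnsServerAnswers -Server $probe -Domain $domain) {
            $valid++
            "  DNS server $r ($probe) answers an SOA query for $domain"
        } else {
            Write-Warning "Adapter has invalid DNS server: $r (no answer to an SOA query for $domain)"
        }
    }
    if ($valid -eq 0) { Write-Warning 'All DNS servers on this adapter are invalid.' }

    if ($Fix -and ($resolvers -contains '127.0.0.1')) {
        # Win32_NetworkAdapterConfiguration.SetDNSServerSearchOrder returns 0 on success.
        $result = $nic.SetDNSServerSearchOrder([string[]]$fixedList)
        "  SetDNSServerSearchOrder -> return code $($result.ReturnValue)"
    }
}
```

After a -Fix run, `ipconfig /registerdns` on the domain controller re-registers its A records with the corrected resolver; a second pass of DCDIAG /TEST:DNS /s:<DC> /v confirms that the /DnsRecordRegistration errors are gone.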
2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Thank you for joining us for today's event.

For information about all upcoming Support WebCasts, and access
to the archived content (streaming media files, PowerPoint slides,
and transcripts), visit the Support WebCast site at
http://support.microsoft.com/WebCasts/.

We sincerely appreciate your feedback. Please submit any comments
or suggestions about the Support WebCasts on the Contact Us
page of the Support Web site at
http://support.microsoft.com/servicedesks/webcasts/feedback.asp.
