controllers by using the DNS test in the Windows Server 2003 SP1-based version of the DCDIAG tool
David Rheaume
Rapid response engineer, Premier Field Engineering, Microsoft Corporation

2  David Rheaume
David Rheaume is a rapid response engineer in the Microsoft Premier Field Engineering group. David joined Microsoft in March 2000 and has supported Active Directory during all of his time with the company. During this time, he has provided front-line and escalation support in Product Support Services (PSS), beta support for customers deploying pre-release software in the enterprise, and most recently, on-site support for Microsoft enterprise customers.

3  Agenda
- Overview of Active Directory name resolution
- DCDIAG installation and system requirements
- DCDIAG /TEST:DNS drill down
- DCDIAG /TEST:DNS usage scenarios and syntax
- DCDIAG /TEST:DNS known issues

4  Active Directory name resolution
- Before Active Directory, Microsoft Windows domains required a relatively simple set of NetBIOS records (1B, 1C) resolved by Windows Internet Name Service (WINS).
- Active Directory changed the requirement to a detailed set of site-specific, domain-specific, and forest-wide service location and replication records resolved by DNS.
- Detailed knowledge of Domain Name System (DNS) operation and troubleshooting was not common among Windows domain administrators.
- DNS monitoring solutions were not typically deployed in the enterprise.

5  DNS configuration issues in Active Directory deployments
- Many or all domain controllers in an organization may have DNS installed and can accept updates to the zones.
- Replication of DNS records between those servers is subject to the usual Active Directory replication latency.
- Automatic DNS setup in Microsoft Windows 2000 did not use optimized defaults.
- DNS servers that host common Active Directory-integrated zones still require per-server configuration (resolver settings, forwarders, root hints).
6  Key failures that are caused by DNS misconfiguration
- Active Directory replication
- User authentication
- Domain controller promotion and demotion (DCPROMO)
- Domain joining
- Internet access

7  DCDIAG /TEST:DNS
- New test option in the Microsoft Windows Server 2003 Service Pack 1 (SP1) version of DCDIAG
- One tool for validation of forest-wide DNS configuration

8  Installation sources
- Windows Server 2003 SP1 Support Tools
- http://support.microsoft.com/kb/892777

9  System requirements
Supported installation platforms:
- Windows Server 2003 member servers and domain controllers
- Microsoft Windows XP Professional member computers

10  System requirements (2)
Supported test targets:
- Windows 2000 with Service Pack 3 (SP3)
- Windows Server 2003
- Windows Server 2003 SP1
Credential requirements:
- Enterprise Admins membership

11  DCDIAG /TEST:DNS: when to use it
- Any time that you suspect DNS is broken
- Any time that you want to validate DNS health
- Best practices recommend that you validate the DNS infrastructure at least weekly by using DCDIAG /TEST:DNS
- A more frequent interval, such as daily, provides better monitoring of the DNS infrastructure

12  DCDIAG /TEST:DNS operations
Validates seven elements of DNS health:
- Connectivity (run by default; carried over from previous versions of DCDIAG)
- Basic DNS
- Forwarders
- Delegation
- Dynamic update
- Record registration
- External name resolution (not run by default)

13  DCDIAG /TEST:DNS operations (2)
- By default, all tests other than external name resolution are run
- Any test can be run individually
- Tests DNS health for a single domain controller or for all domain controllers in a forest or naming context
- Pass, Warn, or Fail status is reported for each test in the summary table

14  DCDIAG /TEST:DNS syntax
Sub-tests can be run individually by using switches:
- /DnsBasic: basic tests; cannot be skipped
- /DnsForwarders: forwarders and root hints tests
- /DnsDelegation: delegation tests
- /DnsDynamicUpdate: dynamic update tests

15  DCDIAG /TEST:DNS syntax (2)
Additional sub-tests:
- /DnsRecordRegistration: record registration tests
- /DnsResolveExtName: external name resolution test
- /DnsInternetName:<Internet name>: target name for the /DnsResolveExtName test; if no Internet name is specified, the default is www.microsoft.com
- /DnsAll: runs all tests
16  DCDIAG /TEST:DNS optional parameters
The /v (verbose) switch is required to gather most of the interesting information beyond the summary table.
- /s:<DCName>: run the tests against the specified domain controller
- /f:<Logfile>: write the output to a log file
- /ferr:<Logerr>: write errors to a separate log file
- /v: display verbose output
- /e: run all specified tests against every domain controller that has an NTDS Settings object in the directory as seen from the targeted domain controller, that is, the whole forest

17  Syntax examples for common test scenarios
DCDIAG /TEST:DNS /v /f:<filename> /s:<DCName>
Test DNS on a single server and log verbose output to a file
DCDIAG /TEST:DNS /v /f:<filename> /e
Test DNS on all domain controllers in the forest and log verbose output to a file
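Slide 11 recommends validating DNS at least weekly, and the /f switch above writes each run to a log file. The following Python script is an added example, not part of the webcast or of the DCDIAG tool: it reads such a log, pulls every domain controller whose summary row shows WARN or FAIL, and returns that domain controller's verbose breakout section (the "DC: <name>" block that slide 43 tells you to search for). The embedded log is constructed; the column names (Auth, Basc, Forw, Del, Dyn, RReg, Ext) and the "DC: <name>" heading follow DCDIAG's layout, but the exact spacing of a real log may differ, which is why rows are matched on their status tokens rather than on column positions.

```python
"""Pull WARN/FAIL domain controllers out of a DCDIAG /TEST:DNS log.

Added example, not code from the webcast or from DCDIAG. SAMPLE_LOG is a
constructed approximation of what DCDIAG /TEST:DNS /v /f:<file> /e
writes: per-DC breakout sections first, then the summary table. Exact
whitespace in a real log is an assumption; parsing keys on the status
tokens and the "DC: <name>" headings rather than on column offsets.
"""
import re

TEST_COLUMNS = ("Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext")

SAMPLE_LOG = """\
   DC: dc1.contoso.com
      Domain: contoso.com

         TEST: Basic (Basc)
            Warning: Adapter 00000001 has dynamic IP address (can be a misconfiguration)
   DC: dc2.contoso.com
      Domain: contoso.com

         TEST: Forwarders/Root hints (Forw)
            Error: Forwarders list has invalid forwarder: 10.0.0.254
   DC: dc3.child.contoso.com
      Domain: child.contoso.com

         TEST: Records registration (RReg)
            Error: Missing A record at DNS server 10.0.0.1 : dc3.child.contoso.com

   Summary of DNS test results:

                                    Auth Basc Forw Del  Dyn  RReg Ext
         _________________________________________________________________
         Domain: contoso.com
            dc1                      PASS WARN PASS PASS PASS PASS n/a
            dc2                      PASS PASS FAIL PASS PASS PASS n/a
         Domain: child.contoso.com
            dc3                      PASS PASS PASS PASS PASS FAIL n/a
"""

# A summary row: a DC name followed by exactly seven status tokens.
_STATUS = r"(?:PASS|WARN|FAIL|n/a)"
ROW_RE = re.compile(rf"^\s*(\S+)\s+((?:{_STATUS}\s+){{6}}{_STATUS})\s*$")


def parse_summary(log: str) -> dict:
    """Return {dc_name: {"domain": ..., "Auth": "PASS", ..., "Ext": "n/a"}}."""
    results, domain, in_summary = {}, None, False
    for line in log.splitlines():
        if "Summary of DNS test results" in line:
            in_summary = True
            continue
        if not in_summary:
            continue
        stripped = line.strip()
        if stripped.startswith("Domain:"):
            domain = stripped.split(":", 1)[1].strip()
            continue
        m = ROW_RE.match(line)
        if m:
            statuses = m.group(2).split()
            results[m.group(1)] = {"domain": domain, **dict(zip(TEST_COLUMNS, statuses))}
    return results


def problem_dcs(results: dict) -> dict:
    """Return {dc_name: [(test, status), ...]} for every DC with a WARN or FAIL."""
    out = {}
    for dc, cols in results.items():
        bad = [(t, cols[t]) for t in TEST_COLUMNS if cols[t] in ("WARN", "FAIL")]
        if bad:
            out[dc] = bad
    return out


def breakout(log: str, dc_name: str) -> str:
    """Return the verbose section for one DC: from its "DC: <name>" heading up to
    the next DC heading or the summary table. Accepts a short name or an FQDN."""
    lines, start = log.splitlines(), None
    for i, line in enumerate(lines):
        s = line.strip()
        if start is None:
            if s.startswith("DC: "):
                label = s[4:].strip().lower()
                if label == dc_name.lower() or label.split(".")[0] == dc_name.lower():
                    start = i
        elif s.startswith("DC: ") or s.startswith("Summary of DNS test results"):
            return "\n".join(lines[start:i])
    return "\n".join(lines[start:]) if start is not None else ""


if __name__ == "__main__":
    res = parse_summary(SAMPLE_LOG)
    for dc, bad in problem_dcs(res).items():
        print(f"{dc} ({res[dc]['domain']}): " + ", ".join(f"{t}={s}" for t, s in bad))
        print(breakout(SAMPLE_LOG, dc))
```

Point parse_summary at the contents of a real log file written with /f; run on the weekly schedule that slide 11 suggests, a non-empty problem_dcs() result is the alert condition, and breakout() gives the operator the section to read first.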
18  Connectivity test
- Cannot be skipped
- No separate syntax for the connectivity test because it always runs
Tests performed:
- Are the domain controllers registered in DNS?
- Can they be pinged?
- Do they have Lightweight Directory Access Protocol/remote procedure call (LDAP/RPC) connectivity?
No other tests run against a domain controller if this test fails.

19  Basic DNS test
Syntax: /DnsBasic
Tests performed:
- Are the expected services running?
  - DNS Client service
  - DNS Server service
  - Netlogon service
  - Key Distribution Center (KDC) service
- Are DNS servers reachable over the configured network adapters?

20  Basic DNS test (2)
Additional tests performed:
- If DNS is installed, does the zone for the domain controller's Active Directory namespace exist?
- If DNS is installed, does a valid Start of Authority (SOA) record exist for that zone?
- Is the host record (also called the A record or glue record) registered on at least one DNS server?
- Does the root (.) zone exist?

21  /DnsBasic warning conditions
Warning: Adapter <adapter name> has dynamic IP address (can be a misconfiguration)
  Static IP addresses are recommended for all DNS servers.
Warning: adapter <adapter name> has invalid DNS server: <name> <IP address>
  The server that is configured as the DNS resolver for the adapter may not be reachable.
Warning: no DNS RPC connectivity (error or non-Microsoft DNS server is running)
  Disregard this warning if the DNS server is BIND or another non-Microsoft DNS server.
Warning: The Active Directory zone on this DC/DNS server was not found (probably a misconfiguration)
  Disregard if the forest root namespace is a three-segment name without a corresponding two-segment zone, for example, the forest root example.domain.com where no zone domain.com exists.
Warning: Root zone on this DC/DNS server was found (could be a misconfiguration)
  A locally hosted root (.) zone makes the server authoritative for the whole namespace, so it never consults forwarders or root hints and cannot resolve names outside the zones it hosts. Remove the root zone unless the server is deliberately isolated from the Internet.

22  /DnsBasic errors
Error: Authentication failed with specified credentials
  Enterprise Admins credentials are required.
Error: No LDAP connectivity
  Network access over TCP port 389 is required.
Error: No DS RPC connectivity
  Network access over Server Message Block (SMB) ports is required.
Error: No WMI connectivity
  The DNS test requires WMI connectivity to run on the remote computer.
Error: Cannot read operating system version through WMI
  WMI connectivity and permissions are required.
Error: Operating system name not supported
  Valid targets are Windows 2000 SP3, Windows Server 2003, and Windows Server 2003 SP1.
Error: Open Service Control Manager failed
  The service is not running or is not installed, or the account used to run the test does not have permission to read the service.

23  /DnsBasic errors (2)
Error: KDC/Netlogon/DNS/DNScache is not running
  The specified services are not running.
Error: Cannot read network adapter information through WMI
  WMI connectivity and permissions are required.
Error: all DNS servers are invalid
  The DNS servers configured in the resolver settings cannot be pinged or are not valid DNS servers.
Error: The A record for this domain controller was not found
  Missing host record. Check that the DHCP Client service is running on the specified computer.
Error: Enumeration of zones failed to find out whether there is a root and Active Directory zone
Error: Could not query DNS zones on this domain controller
  Unable to query the Active Directory name records for the specified domain controller.

24  Forwarders test
Syntax: /DnsForwarders
Tests performed:
- Is recursion enabled?
- Verifies the forwarders and root hints configuration if these items are present.
- Can the _ldap._tcp.dc._msdcs.<forest root domain> domain controller locator record be resolved by domain controllers in a non-root domain?
Notes:
- This test is run only if the targeted domain controller is running the Microsoft DNS Server service.
- Forwarders and root hints are not used to resolve _ldap._tcp.dc._msdcs.<forest root domain> locator records on forest root domain controllers, because the forest root DNS servers are authoritative for that namespace and answer locally.

25  /DnsForwarders errors
Error: Forwarders list has invalid forwarder: <IP address of the forwarder>
  The specified IP address is unreachable or is not answering DNS queries.
Error: Both root hints and forwarders are not configured. Please configure either forwarders or root hints
  The tested DNS server is not a root server, but it is not configured to perform any external name resolution.
Error: Root hints list has invalid root hint server: <IP address of root hint server>
  The configured root hints server is not reachable or is not answering DNS queries.
Error: Enumeration of root hint servers failed on DNS server <name>
  The test could not list the root servers on the target DNS server.

26  Delegation test
Syntax: /DnsDelegation
Tests performed:
- Is the delegated name server a functioning DNS server?
- Are there broken delegations?
- Verifies that the host record can be resolved for each listed name server (NS) record
Notes:
- This test is run only if the targeted domain controller is running the Microsoft DNS Server service.
27  /DnsDelegation warnings
Warning: DNS server: <DNS server name> IP: <IP address> Failure: Missing glue (A) record
  Cannot resolve the host record for the specified delegated name server.
28  /DnsDelegation errors
DNS server: <server name> IP: <IP address> Error: Broken delegation
  The name server specified by the delegation cannot resolve zone records or is not responding to DNS queries.
DNS server: <server name> IP: <IP address> Error: Broken delegated domain <delegated domain name>
Error: Failed to enumerate the records at the zone root on the server

29  Dynamic update test
Syntax: /DnsDynamicUpdate
Tests performed:
- Is the domain controller's DNS zone configured to accept secure dynamic updates?
- Can _dcdiag_test_record be registered on the current DNS server?
- The test registration record is deleted afterward.

30  /DnsDynamicUpdate warnings
Warning: Dynamic update is enabled on the zone but not secure <zone name>
  Non-secure dynamic update acceptance is a critical security risk: any host that can reach the DNS server can add or overwrite records in the zone without authenticating, including the A and SRV records that clients use to locate domain controllers. Configure the zone to accept secure dynamic updates only.
Warning: Failed to add test record _dcdiag_test_record with error <error code> in zone <zone name>
  Permission to add the test record was denied.
Warning: Failed to delete test record _dcdiag_test_record with error <error code> in zone <zone name>
  Permission to delete the test record was denied.

31  /DnsDynamicUpdate errors
Error: Dynamic update is not enabled on the zone <zone name>
  Dynamic update is not enabled on the Active Directory zone. Therefore, the client cannot register its records.

32  Record registration test
Syntax: /DnsRecordRegistration
Tests performed:
- Are the service locator (SRV) resource records for each network service registered on all configured DNS servers?
  - DSA GUID CNAME record
  - _ldap SRV records
  - _gc SRV records
  - _pdc SRV records

33  /DnsRecordRegistration warnings
Warning: Missing DC SRV record at DNS server <record name>
  Ignore the warning if the DnsAvoidRegisterRecords registry value (under the Netlogon Parameters key) or its Group Policy setting has been configured to prevent registration of this record.
Warning: Missing GC SRV record at DNS server <record name>
  Ignore the warning if the DnsAvoidRegisterRecords registry value or its Group Policy setting has been configured to prevent registration of this record.
Warning: Missing PDC SRV record at DNS server <record name>
  Ignore the warning if the DnsAvoidRegisterRecords registry value or its Group Policy setting has been configured to prevent registration of this record.
Warning: Record registrations not found on some network adapters
34  /DnsRecordRegistration errors
Error: Missing A record at DNS server <DNS server IP address> : <A record name>
  The domain controller has not registered its A record on the specified DNS server.
Error: Missing CNAME record at DNS server <DNS server IP address> : <CNAME record name>
  The domain controller has not registered its CNAME record on the specified DNS server.
Error: Missing DC SRV record at DNS server <DNS server IP address> : <SRV record name>
  The domain controller has not registered its DC SRV record on the specified DNS server.
Error: Missing GC SRV record at DNS server <DNS server IP address> : <SRV record name>
  The domain controller has not registered its GC SRV record on the specified DNS server.
Error: Missing PDC SRV record at DNS server <DNS server IP address> : <SRV record name>
  The domain controller has not registered the specified PDC SRV record on the specified DNS server.
All of these records can be registered by stopping and starting the Netlogon service.
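The following Python model is an added example, not code from the webcast or from DCDIAG. It builds the set of records that Netlogon and the DHCP Client service register for a domain controller (the record names follow the standard Netlogon.dns layout: the _ldap, _kerberos, _gc and _ldap._tcp.pdc SRV records, the DSA GUID CNAME under _msdcs, and the A records), compares that set with a constructed snapshot of what each configured DNS server holds, and reports the gaps in the style of the messages above. Records that the DnsAvoidRegisterRecords registry value told Netlogon not to register (mnemonics such as Ldap, Dc and Kdc) are reported as WARN, matching slide 33's advice to ignore those; every other gap is an ERROR. Which records DCDIAG itself groups under each category is not stated in the slides, so that grouping, the sample names, the GUID and the server snapshots are assumptions.

```python
"""Model of the DCDIAG /DnsRecordRegistration check.

Added example, not code from the webcast or from DCDIAG. Record names
follow the standard Netlogon.dns layout; the per-category grouping, the
sample domain controller, its GUID and the DNS server snapshots are
constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainController:
    fqdn: str          # dc1.contoso.com
    domain: str        # DNS name of the DC's domain
    forest: str        # DNS name of the forest root domain
    site: str          # Active Directory site name
    dsa_guid: str      # objectGUID of the NTDS Settings object
    is_gc: bool = False
    is_pdc: bool = False
    avoid: frozenset = frozenset()   # DnsAvoidRegisterRecords mnemonics


def expected_records(dc):
    """Return {mnemonic: (name, rtype, DCDIAG category)} for every record the DC should hold."""
    d, f, s = dc.domain, dc.forest, dc.site
    rec = {
        # Host (A) record: registered by the DHCP Client service, not Netlogon (slide 35).
        "HostA": (dc.fqdn, "A", "A"),
        # Netlogon records, keyed by their DnsAvoidRegisterRecords mnemonic.
        "LdapIpAddress": (d, "A", "A"),
        "DsaCname": (f"{dc.dsa_guid}._msdcs.{f}", "CNAME", "CNAME"),
        "Ldap": (f"_ldap._tcp.{d}", "SRV", "DC SRV"),
        "LdapAtSite": (f"_ldap._tcp.{s}._sites.{d}", "SRV", "DC SRV"),
        "Dc": (f"_ldap._tcp.dc._msdcs.{d}", "SRV", "DC SRV"),
        "DcAtSite": (f"_ldap._tcp.{s}._sites.dc._msdcs.{d}", "SRV", "DC SRV"),
        "Kdc": (f"_kerberos._tcp.dc._msdcs.{d}", "SRV", "DC SRV"),
        "KdcAtSite": (f"_kerberos._tcp.{s}._sites.dc._msdcs.{d}", "SRV", "DC SRV"),
    }
    if dc.is_gc:   # global catalog records live under the forest root name
        rec.update({
            "GcIpAddress": (f"gc._msdcs.{f}", "A", "GC SRV"),
            "Gc": (f"_ldap._tcp.gc._msdcs.{f}", "SRV", "GC SRV"),
            "GcAtSite": (f"_ldap._tcp.{s}._sites.gc._msdcs.{f}", "SRV", "GC SRV"),
            "GenericGc": (f"_gc._tcp.{f}", "SRV", "GC SRV"),
            "GenericGcAtSite": (f"_gc._tcp.{s}._sites.{f}", "SRV", "GC SRV"),
        })
    if dc.is_pdc:
        rec["Pdc"] = (f"_ldap._tcp.pdc._msdcs.{d}", "SRV", "PDC SRV")
    return rec


def check_registration(dc, servers):
    """servers: {server_ip: {(name, rtype), ...}}, a snapshot of each configured DNS server.
    Returns [(severity, message)] in DCDIAG's wording: a gap for a record the DC was told
    not to register (DnsAvoidRegisterRecords) is a WARN to ignore; any other gap is an ERROR."""
    findings = []
    for ip, held in servers.items():
        held_norm = {(n.lower().rstrip("."), t) for n, t in held}
        for mnemonic, (name, rtype, category) in expected_records(dc).items():
            if (name.lower(), rtype) in held_norm:
                continue
            msg = f"Missing {category} record at DNS server {ip} : {name}"
            if mnemonic in dc.avoid:
                findings.append(("WARN", msg + f" (registration suppressed by DnsAvoidRegisterRecords={mnemonic})"))
            else:
                findings.append(("ERROR", msg))
    return findings


def held_subset(dc, *mnemonics):
    """Build a server snapshot that holds only the named records of this DC."""
    return {(n, t) for m, (n, t, _) in expected_records(dc).items() if m in mnemonics}


# Constructed sample: a branch-office DC configured (as the Branch Office Deployment
# Guide does) not to register its generic, non-site-specific records.
BRANCH_DC = DomainController(
    fqdn="dc3.child.contoso.com", domain="child.contoso.com", forest="contoso.com",
    site="Branch01", dsa_guid="8d2f1c0a-5b7e-4e6d-9a3f-1c2d3e4f5a6b",
    avoid=frozenset({"Ldap", "Dc", "Kdc"}),
)

# 10.0.0.1 holds everything the DC actually registers; 10.0.0.2 has not yet received
# the DSA CNAME through replication (the latency slide 5 describes).
SAMPLE_SERVERS = {
    "10.0.0.1": held_subset(BRANCH_DC, "HostA", "LdapIpAddress", "DsaCname",
                            "LdapAtSite", "DcAtSite", "KdcAtSite"),
    "10.0.0.2": held_subset(BRANCH_DC, "HostA", "LdapIpAddress",
                            "LdapAtSite", "DcAtSite", "KdcAtSite"),
}

if __name__ == "__main__":
    for severity, message in check_registration(BRANCH_DC, SAMPLE_SERVERS):
        print(f"{severity}: {message}")
```

Feeding the model a real snapshot means dumping each configured DNS server's copy of the zone (for example with NSLOOKUP's ls command or the DNS console) into the (name, type) pairs; the output then tells you whether a gap is a registration failure to fix with a Netlogon restart or IPCONFIG /registerdns, or an intentional suppression to ignore.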
Note: To reregister SRV records, restart the Netlogon service or run NETDIAG /fix. To correct stale records, rename Netlogon.dns and Netlogon.dnb in %SystemRoot%\System32\Config, then restart the Netlogon service so that the files are rebuilt.

35  Correcting /DnsRecordRegistration errors
- The Dynamic Host Configuration Protocol (DHCP) Client service is required to dynamically register host (A) records.
- The DHCP Client service is still required on statically addressed computers.
- IPCONFIG /registerdns reregisters A records on demand.

36  Correcting /DnsRecordRegistration errors (2)
- The Netlogon service registers all service locator (SRV) resource records.
- To correct stale records, rename Netlogon.dns and Netlogon.dnb in %SystemRoot%\System32\Config.
- To reregister SRV records, restart the Netlogon service or run NETDIAG /fix.

37  External name resolution test
Syntax: /DnsResolveExtName
Tests performed:
- Tests name resolution outside the Active Directory forest.
- The default query is for www.microsoft.com.
- An alternative target can be specified by using /DnsInternetName.
Notes:
- The external name test is not run unless it is specified explicitly.
- External name resolution fails where Internet access goes through a proxy and the internal DNS servers do not resolve external names themselves.

38  /DnsResolveExtName errors
Error: Internet name <name> cannot be resolved
  The specified Internet name cannot be resolved. Make sure that the proxy client, DNS servers, root hints, and forwarders are configured properly.
39  Performance factors for DCDIAG /TEST:DNS
DCDIAG /TEST:DNS performance issues:
- Offline domain controllers
- Offline DNS servers
- Clients that point to an invalid DNS server
- DNS servers that have invalid forwarders and delegations
Effect:
- DCDIAG waits the RPC time-out period for a response to each test against an unreachable target
- The delays compound across targets and tests, so the DCDIAG run time grows rapidly

40  Performance factors for DCDIAG /TEST:DNS (2)
Real-world performance:
- About 4.1 to 4.5 domain controllers per minute over fast wide area network (WAN) links.
- DCDIAG /e may not be appropriate in forests that contain 1000 domain controllers (roughly four hours at that rate).
- DCDIAG /TEST:DNS has been run in forests that contain 200 to 400 domain controllers.

41  Enterprise DNS infrastructure errors
Error: Delegation is not configured on the parent domain
  Delegation should be configured from the parent to the subordinate domain.
Error: Delegation is present but the glue record is missing
  Delegation is configured, but the host record cannot be resolved for one or more NS records.
Error: Forwarders are misconfigured from parent domain to subordinate domain
  Forwarders should point up the namespace rather than down.
Error: Root hints are misconfigured from parent domain to subordinate domain
  Root hints should point up the namespace rather than down.
Error: Forwarders are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details)
  The configured forwarders are unavailable, cannot resolve the requested records, or are not responding to DNS queries.
Error: Root hints are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details)
  The configured root hints are unavailable, cannot resolve the requested records, or are not responding to DNS queries.

42  Strategies to help interpret /TEST:DNS output
- Run DCDIAG /TEST:DNS /v /f:<filename> /e
- Load the report in Notepad or your preferred text editor
- A multiple monitor system (Multimon) or split screen provides the optimal viewing environment: the primary monitor or pane focuses on the summary table, the secondary monitor or pane on the breakout section of each failing domain controller.

43  Strategies to help interpret /TEST:DNS output (2)
- Review the summary table near the bottom of the DCDIAG log file.
- Locate the domain controllers that reported a Fail or Warn status in the summary table.
- Find the breakout section for a problem domain controller by searching for DC: <DCName>.
- Make the required configuration changes on the DNS clients and DNS servers.
- Run DCDIAG /TEST:DNS again with the /e or /s switch to validate DNS health.

44  Known issues
- DCDIAG /TEST:DNS does not perform comprehensive best practices checks. No warnings or errors are logged for single point-of-failure configurations such as a single defined DNS resolver, forwarder, or delegation.
- Servers that are targeted by DCDIAG /TEST:DNS must be registered in WINS to be discovered by the tool.

45  Known issues (2)
- In child domains, any configured root hints or forwarders are tested for resolution of forest root domain records. This test occurs even if a copy of the root zone, a stub zone, or a conditional forwarder is hosted locally, and DCDIAG /TEST:DNS reports an error when those external servers cannot resolve the forest root domain.

46  Known issues (3)
- DCDIAG /TEST:DNS /DnsBasic sends a pointer (PTR) query for the loopback address to each listed forwarder or root hints server. BIND or other third-party DNS servers that do not configure the loopback zone return "name does not exist". DCDIAG /TEST:DNS interprets this response as INVALID, the query fails, and you receive the following message:

  DNS server: 192.168.2.1 ()
  6 test failures on this DNS server
  This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.2.1
  [Error details: 9002 (Type: Win32 - Description: DNS server failure.)]

47  Known issues (4)
- In environments that are configured by using the Branch Office Deployment Guide and that have the DnsAvoidRegisterRecords registry value set, each server that has the value set generates WARN messages when it is examined by the /DnsRecordRegistration test.
- If the primary DNS resolver is set to 127.0.0.1 (loopback), DCDIAG /TEST:DNS reports errors for the /DnsRecordRegistration test. 127.0.0.1 is the default configuration when Windows Server 2003 DCPROMO configures DNS automatically. To correct the reported error, change the DNS resolver from the loopback address to the actual IP address of the local computer.

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Thank you for joining us for today's event.
For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint slides, and transcripts), visit the Support WebCast site at http://support.microsoft.com/WebCasts/.
We sincerely appreciate your feedback. Please submit any comments or suggestions about the Support WebCasts on the Contact Us page of the Support Web site at http://support.microsoft.com/servicedesks/webcasts/feedback.asp.