
Module 6: Optimizing and Troubleshooting DNS

Contents

Overview 1
Lesson: Optimizing DNS Servers 2
Lesson: Troubleshooting Host Name Resolution 16
Demonstration: Examining Resource Records Using Nslookup 17
Demonstration: DNS Troubleshooting Tools 18
Lab A: Troubleshooting DNS 28

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2003 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, Active Directory, MSDN, PowerPoint, SharePoint, Visual Basic, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Instructor Notes
Presentation: 90 minutes
Lab: 30 minutes

This module provides students with guidelines and strategies for optimizing a Domain Name System (DNS) server. In addition, the module provides steps for troubleshooting a DNS server. After completing this module, students will be able to:

Optimize a DNS server.
Optimize DNS server-to-server communications.
Optimize DNS client support traffic.
Troubleshoot host name resolution.

Required materials

To teach this module, you need the following materials:


Microsoft PowerPoint file 2278B_06.ppt
Demonstration file: Examining Resource Records Using Nslookup

Important: It is recommended that you use PowerPoint 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides may not be displayed correctly.

Preparation tasks

To prepare for this module:

Read all of the materials for this module.
Complete the practices and lab, and read the lab answer key.
Observe the multimedia demonstration.
Practice the instructor-led demonstration.
Review the prerequisite courses and modules.


How to Teach This Module


This section contains information that will help you to teach this module.

How To Pages, Guidelines and Practices, and Labs


Explain to the students how the How To pages, practices, and labs are designed for this course. A module includes two or more lessons. Most lessons include How To pages and a practice. After completing all of the lessons for a module, the module concludes with a lab.

How To pages

The How To pages are designed for the instructor to demonstrate how to perform a task. The students do not perform the tasks on the How To page with the instructor. They will use these steps to perform the practice at the end of each lesson.

Guidelines pages

The guidelines pages provide you with the key decision points for the topic of the lesson. You will use these guidelines as a reinforcement of the lesson content and objectives.

Practices

After you have covered the contents of the topic and demonstrated the How To procedures for the lesson, explain that a practice gives the students a chance for hands-on learning of all the tasks discussed in the lesson.

Labs

At the end of each module, the lab enables the students to practice the tasks that are discussed and applied in the entire module. Using scenarios that are relevant to the job role, the lab gives the students a set of instructions in a two-column format. The left column provides the task, for example: Create a group. The right column provides specific instructions that the students need to perform the task, for example: From Active Directory Users and Computers, double-click the domain node. An answer key for each lab exercise is located on the Student Materials compact disc in case the students need step-by-step instructions to complete the lab. They can also refer to the practices and How To pages in the module.

Lesson: Optimizing DNS Servers


This section describes the instructional methods for teaching this lesson.

Overview

When you introduce this lesson, emphasize that optimizing steps vary depending on different DNS servers. The important thing is to look at the role each DNS server performs in an environment and configure the server accordingly. This will improve the performance and security of the computing environment. To illustrate the concept of adapting the DNS server's configuration to the role that it plays in its environment, you may need to use the white board to draw an environment that includes, for example, caching-only servers, servers with recursion disabled, servers with root hints removed, and so on.

Disabling Recursion on a DNS Server

When you discuss this topic, emphasize that disabling recursion at the server level also disables forwarding, so you would only do this on certain servers in an environment.


Optimizing DNS Server Response

Point out that round-robin rotation may not be required if Network Load Balancing is used. However, round-robin rotation can be used in addition to Network Load Balancing. Discussing this helps prepare the students for the example used in the practice.

Optimizing DNS Server Functionality

When presenting this topic, clarify that caching-only servers are not only used in situations with slow wide area network (WAN) links. If time allows, demonstrate to the students other situations where a caching-only server may be useful, for example, in a screened subnet.

Optimizing Server Functionality Using EDNS0

Emphasize that using Extension Mechanisms for DNS (EDNS0) is a way of reducing the number of Transmission Control Protocol (TCP) sessions that are required for DNS name resolution. It is only an issue if your DNS messages are likely to be over 512 bytes, which can happen in an Active Directory directory service environment. Point out that intermediate devices must support User Datagram Protocol (UDP) packets larger than 512 bytes for this to be useful.

Lesson: Troubleshooting Host Name Resolution


This section describes the instructional methods for teaching this lesson.

Overview

When you introduce this lesson, emphasize that in an Active Directory environment, problems with DNS often appear to be problems with Active Directory.

Demonstration: DNS Troubleshooting Tools

Students may have many questions about DNSLint, so make sure that you are fully familiar with the tool before doing the demo. To prepare, read the DNSLint documentation located on the Student Materials compact disc to familiarize yourself with its uses and capabilities. Perform this demonstration on the London computer.

How to Troubleshoot Host Name Resolution

When discussing this topic, emphasize that these problems may occur at a lower level than is immediately suggested. For example, host name resolution may fail because the wrong DNS server is specified due to an incorrectly configured Dynamic Host Configuration Protocol (DHCP) server.

Restoring Server Default Preferences

Remind the students that the default settings are not appropriate on all servers. When the students have configured each server to work correctly, they should document the settings on each server so that they can return to those settings quickly if the settings are altered.

Lab A: Troubleshooting DNS


Before beginning the lab, the students should have completed all of the practices. Remind the students that they can return to guidelines and content pages in the module for assistance. The answer key for each lab is provided on the Student Materials compact disc.


Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2278, Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Lab Setup
There are no lab setup requirements that affect replication or customization.

Lab Results
There are no configuration changes on student computers that affect replication or customization.


Overview

Introduction

This module provides guidelines and strategies for optimizing a Domain Name System (DNS) server. In addition, the module details steps for troubleshooting a DNS server.

Objectives

After completing this module, you will be able to:

Optimize a DNS server.
Optimize DNS server-to-server communications.
Optimize DNS client support traffic.
Troubleshoot host name resolution.


Lesson: Optimizing DNS Servers

Introduction

After you have your DNS servers operating, you may find the need to optimize their performance, which can be done in several ways. This lesson discusses the most common ways to optimize DNS servers.

Lesson objectives

After completing this lesson, you will be able to:

Disable recursion on a DNS server.
Delete and modify root hints on a DNS server.
Optimize DNS server response.
Optimize DNS server functionality.
Optimize server functionality using EDNS0.
Optimize the DNS server.


Disabling Recursion on a DNS Server

Introduction

In the process of recursion, a DNS server queries or contacts other DNS servers on behalf of a requesting client to fully resolve a name, and then it sends an answer back to the client. You should disable recursion on any servers that do not require this functionality.

Why disable recursion?

You should disable recursion on Internet-facing DNS servers that are authoritative for one or more zones. This will allow the DNS server to respond to queries from other DNS servers for your zone information, but it will prevent Internet clients from using your DNS server to resolve other domain names on the Internet. You can also disable recursion if you want to restrict your clients to resolving names that are internal to your organization.

Benefits and consequences of disabling recursion

The primary benefit of disabling recursion is that it reduces the load on a DNS server because the DNS server does not attempt to resolve names outside of its own zone. This has the added benefit of reducing the likelihood that the DNS server will be misused or attacked. Recursion can be used by attackers to deny the DNS Server service. However, if you disable recursion, you will not be able to resolve names outside of your own zone by using either recursion or forwarding.

Best practice

As a best practice, you should disable recursion on all DNS servers in your network that are not intended to receive recursive queries.

How to disable recursion

You can disable recursion either by configuring the DNS server object in the DNS Microsoft Management Console (MMC) snap-in, or by using the command-line tool dnscmd. To perform this task, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Administrators group might be able to perform this procedure.

Tip: To view the complete syntax for dnscmd, at a command prompt, type dnscmd /Config /help


Deleting and Modifying Root Hints on a DNS Server

Introduction

Depending on the role a particular DNS server plays in your organization, you may need to delete or modify information contained in root hints on the DNS server.

Definition

Root hints is a list of preliminary resource records that the DNS service can use to locate other DNS servers that are authoritative for the root of the DNS domain namespace tree. By default, Microsoft Windows DNS servers use a root hints file, Cache.dns, that is stored in the systemroot\System32\Dns folder on the server computer (where systemroot is the folder that contains the Windows 2000 system files). The contents of this file are preloaded into server memory when the service is started and contain pointer information to root servers on the Internet. This allows each DNS server to resolve queries for Internet resources on behalf of Internet clients.

Deleting the root hints file

If you delete the root hints file from a DNS server, you remove the ability of that server to directly contact a server that is authoritative for the root of the DNS infrastructure. If you delete the root hints file, you should configure servers to forward requests to another server that has a root hints file. This is a good practice in many organizations because it allows you to define a specific path to the Internet and to use a firewall to block the internal DNS servers from communicating directly with the Internet.


Modifying the root hints file

If the DNS server is configured to contact the DNS servers on the Internet directly, you can either edit or update the local root hints information when the Internet root hints file or the Named.root file is updated and released by the owners of the Internet root zone.

Note: For a current copy of the root hints file, you can use anonymous File Transfer Protocol (FTP) to ftp://ftp.internic.net/domain/named.root.

If you are not connected to the Internet, you may need to create a root domain to use internally for name resolution. On servers that are authoritative for the root domain, you can safely remove the root hints information entirely because these servers do not use the root hints file. On the other servers in your organization, you should remove the default resource records and replace them with resource records of types A (host) and name server (NS) for the DNS authoritative servers at the root domain of your organization.

Updating the root hints file

You should update the root hints file after installation to reflect the way DNS is being used on the network: either as an internal DNS namespace only or as a way to resolve names both internally and externally on the Internet.

Note: In a Windows Server 2003 environment, when you use the DNS Server Wizard to create a new DNS server, you automatically update the root hints. You may need to modify the root hints later if new servers that are authoritative for the root zone are added.

Tip: If, on startup, the zone data is loaded from a file, edit the cache.dns file directly.


Optimizing DNS Server Response

Introduction

You can optimize server response by disabling either local subnet prioritization or round-robin rotation. You use local subnet prioritization to force the client application to connect to the host by using its closest available IP address for connection. You use round-robin rotation to distribute the network load. Disabling either of these features reduces the client's response time.

Prioritizing local subnets

By default, the DNS service uses local subnet prioritizing as the method for giving preference to IP addresses on the same network when a client query resolves to a host name that is mapped to more than one IP address. The DNS service uses local subnet priority as follows:

1. The DNS service determines if local subnet prioritization is needed to order the query response. If more than one resource record of type A matches the queried host name, the DNS service can reorder the records by their subnet locations. If the queried host name only matches a single type A resource record, or if the IP network address of the client does not match an IP network address for any of the mapped addresses in an answer list of multiple resource records, no prioritizing is necessary.

2. For each resource record in the matched answer list, the DNS service determines which records, if any, match the subnet location of the requesting client.


3. The DNS service reorders the answer list so that type A resource records that match the local subnet of the requesting client are placed first in the answer list.

4. The answer list, which is prioritized by subnet order, is returned to the requesting client.

Note: You impose IP subnetting by using a custom or non-default subnet mask value with all of the IP addresses on your network.

You can disable local subnet prioritization by configuring the server object in the DNS MMC snap-in or by using the dnscmd command-line tool.

Round-robin rotation

Round-robin rotation is a load balancing mechanism used by DNS servers to share and distribute network resource loads. You can use it to rotate all resource record types that are contained in a query answer if multiple resource records are found. By default, DNS uses the round-robin method to rotate the order of resource record data returned in query answers where multiple resource records of the same type exist for a queried DNS domain name. This feature provides a simple method for load balancing client use of Web servers and other frequently queried multiple-homed computers. If round-robin rotation is disabled for a DNS server, the order of the response for queries is based on a static ordering of resource records in the answer list as they are stored in the zone (either the DNS server's zone file or in the Active Directory directory service).

Note: Local subnet priority supersedes the use of round-robin rotation for multiple-homed names. However, when round robin is enabled, resource records continue to be rotated by using round-robin rotation as the secondary method of sorting the response list.

Restricting round-robin rotation for selected resource record types

By default, DNS performs round-robin rotation for all resource record types. You can specify that certain resource record types not be round-robin rotated in the registry. The registry entry DoNotRoundRobinTypes (REG_SZ) has a string value containing a list of resource record types. You can modify this entry to turn off round-robin rotation for specific resource record types. For example, to prevent round-robin rotation for A, pointer (PTR), service (SRV), and NS record types, you would enter a ptr srv ns as the value for the registry entry.


Restricting round-robin rotation for all resource record types

You can disable round-robin rotation by configuring the server object in the DNS MMC snap-in or by using the dnscmd command-line tool. The default setting for round-robin rotation is contained in the registry entry RoundRobin (REG_DWORD). By default, this entry's value is 1, which rotates all the resource record types except those listed in the DoNotRoundRobinTypes registry entry. If the value of RoundRobin is set to 0, no resource record types are round-robin rotated.

Caution: Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after applying manual changes.
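The ordering rules above (steps 1 to 4 of local subnet prioritization as the primary sort, round-robin rotation as the secondary sort, and the effect of the RoundRobin and DoNotRoundRobinTypes entries) modelled in Python as an added example; this is not code from the course, and the AnswerOrderer class, the zone data, the subnet mask and the client addresses are constructed for illustration.

```python
"""Added model of how a DNS server orders a multi-record answer.

Steps 1-4 of local subnet prioritization from the lesson, with round-robin
rotation as the secondary sort. Zone data and client addresses are constructed
sample values, not part of the course materials.
"""
import ipaddress
from typing import Dict, Iterable, List, Sequence, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, RDATA)


def parse_do_not_round_robin(value: str) -> frozenset:
    """Parse the DoNotRoundRobinTypes REG_SZ value, e.g. "a ptr srv ns"."""
    return frozenset(t.upper() for t in value.split())


class AnswerOrderer:
    """Models the RoundRobin / DoNotRoundRobinTypes / local subnet settings."""

    def __init__(self, round_robin: bool = True, local_net_priority: bool = True,
                 do_not_round_robin: Iterable[str] = ()) -> None:
        self.round_robin = round_robin            # RoundRobin = 1 (default) or 0
        self.local_net_priority = local_net_priority
        self.do_not_round_robin = frozenset(t.upper() for t in do_not_round_robin)
        self._rotation: Dict[Tuple[str, str], int] = {}  # per name/type counter

    def order(self, records: Sequence[Record], client_ip: str, netmask: str) -> List[str]:
        """Return the RDATA of `records` in the order the server would answer."""
        if not records:
            return []
        name, rtype = records[0][0].lower(), records[0][1].upper()
        rdata = [r[2] for r in records]           # static order as stored in the zone

        # Round-robin: rotate the static order by a per-name counter unless the
        # RoundRobin entry is 0 or this type is listed in DoNotRoundRobinTypes.
        if self.round_robin and rtype not in self.do_not_round_robin and len(rdata) > 1:
            key = (name, rtype)
            shift = self._rotation.get(key, 0)
            self._rotation[key] = (shift + 1) % len(rdata)
            rdata = rdata[shift:] + rdata[:shift]

        # Local subnet priority applies only to multiple A records (step 1). The
        # subnet mask is passed in explicitly; the lesson's "non-default subnet
        # mask" is what decides which addresses count as local.
        if self.local_net_priority and rtype == "A" and len(rdata) > 1:
            client_net = ipaddress.ip_network(f"{client_ip}/{netmask}", strict=False)
            local = [a for a in rdata if ipaddress.ip_address(a) in client_net]  # step 2
            if local:  # step 3: local records first; round-robin order kept inside each group
                rdata = local + [a for a in rdata if a not in local]
        return rdata                              # step 4: ordered answer list


# Constructed sample zone: one multi-homed host and two mail exchangers.
WWW = [("www.contoso.com", "A", "10.1.1.10"),
       ("www.contoso.com", "A", "10.2.2.10"),
       ("www.contoso.com", "A", "10.3.3.10")]
MX = [("contoso.com", "MX", "10 mail1.contoso.com"),
      ("contoso.com", "MX", "10 mail2.contoso.com")]
MASK = "255.255.255.0"


def demo() -> Dict[str, List[List[str]]]:
    """Answer the same query repeatedly under several settings; returns the orders seen."""
    out: Dict[str, List[List[str]]] = {}
    default = AnswerOrderer()
    out["local client"] = [default.order(WWW, "10.2.2.55", MASK) for _ in range(2)]
    remote = AnswerOrderer()
    out["remote client"] = [remote.order(WWW, "192.168.5.5", MASK) for _ in range(2)]
    static = AnswerOrderer(round_robin=False)
    out["RoundRobin=0"] = [static.order(WWW, "192.168.5.5", MASK) for _ in range(2)]
    partial = AnswerOrderer(do_not_round_robin=parse_do_not_round_robin("a ptr srv ns"))
    out["A not rotated, MX still rotated"] = [partial.order(WWW, "192.168.5.5", MASK),
                                               partial.order(MX, "192.168.5.5", MASK),
                                               partial.order(MX, "192.168.5.5", MASK)]
    return out


if __name__ == "__main__":
    for setting, answers in demo().items():
        print(setting)
        for answer in answers:
            print("   ", answer)
```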


Optimizing DNS Server Functionality

Introduction

You can optimize your DNS server functionality by either adjusting the start of authority (SOA) records or by using caching-only servers.

Zone transfer

Generally, you do not need to adjust the SOA record settings. However, depending on how often your DNS data changes and how frequently updates are required, you might need to lengthen or shorten the SOA Time to Live (TTL) intervals. The following table defines the available zone transfer intervals.

Interval   Description
Refresh    The time that a secondary DNS server waits before querying its source for the zone to attempt renewal of the zone. When the refresh interval expires, the secondary DNS server requests a copy of the current SOA record for the zone from its source, which answers this request. The secondary DNS server then compares the serial number of the source server's current SOA record (as indicated in the response) with the serial number in its own local SOA record. If they are different, the secondary DNS server requests a zone transfer from the primary DNS server. The default for this field is 15 minutes (900 seconds).
Retry      The time that a secondary server waits before retrying a failed zone transfer. Generally, this time is less than the refresh interval. The default value is 10 minutes (600 seconds).
Expire     The time before a secondary server stops responding to queries after a lapsed refresh interval where the zone was not refreshed or updated. Expiration occurs because, at this point in time, the secondary server must consider its local data unreliable. The default value is 24 hours (86,400 seconds).


Why use zone replication and zone transfers?

Because zones play such an important role in DNS, they are intended to be available from more than one DNS server on the network to provide availability and fault tolerance when resolving name queries. Otherwise, if you use a single server and it does not respond, queries for names in the zone can fail. For additional servers to host a zone, zone transfers are required to replicate and synchronize all copies of the zone used at each server configured to host the zone. When you add a new DNS server to your network and configure it as a new secondary server for an existing zone, it performs a full initial transfer of the zone to obtain and replicate a complete copy of resource records for the zone. For most earlier DNS server implementations, you use the same method of full zone transfer when the zone requires updating after changes are made to it. For DNS servers running Windows Server 2003, the DNS service supports incremental zone transfer, a revised DNS zone transfer process for intermediate changes.
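As an added example (not code from the course), the refresh, retry and expire intervals from the table above driven through a modelled secondary server: the SecondaryZone class, the event timeline and the serial numbers are constructed, and the serial comparison follows the table's rule that any difference from the source's serial triggers a transfer.

```python
"""Added model of a secondary DNS server driven by the SOA refresh, retry and
expire intervals. Class names, timeline and serial numbers are constructed for
illustration; they are not part of the course materials."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple


@dataclass
class SoaTimers:
    """Intervals in seconds; the defaults are the ones the lesson table lists."""
    refresh: int = 900     # 15 minutes
    retry: int = 600       # 10 minutes
    expire: int = 86400    # 24 hours


@dataclass
class SecondaryZone:
    timers: SoaTimers
    serial: int            # serial of the copy held locally
    last_refreshed: int    # time (seconds) of the last successful SOA check
    next_check: int = field(init=False)
    transfers: int = 0     # zone transfers requested so far

    def __post_init__(self) -> None:
        self.next_check = self.last_refreshed + self.timers.refresh

    def due(self, now: int) -> bool:
        """True once the refresh (or, after a failure, the retry) interval has lapsed."""
        return now >= self.next_check

    def poll(self, now: int, source_serial: Optional[int]) -> str:
        """Ask the source for its SOA. source_serial None models an unreachable primary."""
        if source_serial is None:
            self.next_check = now + self.timers.retry     # retry sooner than refresh
            return "retry"
        self.last_refreshed = now
        self.next_check = now + self.timers.refresh
        if source_serial != self.serial:                  # table: "if they are different"
            self.serial = source_serial
            self.transfers += 1
            return "transfer"
        return "current"

    def is_authoritative(self, now: int) -> bool:
        """A secondary stops answering once the expire interval passes without a refresh."""
        return now - self.last_refreshed < self.timers.expire


def run_timeline(zone: SecondaryZone,
                 events: Iterable[Tuple[int, Optional[int]]]) -> List[Tuple[int, str, bool]]:
    """events: (time, source serial or None) pairs; returns (time, action, still serving)."""
    log: List[Tuple[int, str, bool]] = []
    for now, source_serial in events:
        if zone.due(now):
            log.append((now, zone.poll(now, source_serial), zone.is_authoritative(now)))
    return log


if __name__ == "__main__":
    # Constructed timeline: one change on the primary, then the primary goes silent.
    z = SecondaryZone(SoaTimers(), serial=2003030101, last_refreshed=0)
    for row in run_timeline(z, [(500, 2003030101), (900, 2003030101), (1800, 2003030102),
                                (2700, None), (3300, None), (3300 + 86400, None)]):
        print(row)
```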

Caching-only servers

Caching-only servers perform name resolution on behalf of clients, and then they cache, or store, the results. This type of server is not configured to be authoritative for a zone and, therefore, does not store standard primary or standard secondary zones. The cache is populated with the most frequently requested names. These names and their associated IP addresses are available from the cache for answering subsequent client queries.

When to use caching-only servers

When determining whether to use a caching-only server, you should be aware that a caching-only server has no cached information when it is initially started. The server obtains information over time as it services client requests. However, if you are dealing with a slow-speed wide area network (WAN) link between sites, using a caching-only server might be the ideal option because the traffic decreases after the cache is built. In addition, caching-only servers do not perform zone transfers, which can also be network-intensive in WAN environments.

Configuring a caching-only server

To configure a caching-only server, install the DNS Server service on a computer running Windows 2000 Server and do not configure any forward or reverse lookup zones. You should configure a caching-only server to perform recursive rather than iterative queries by configuring it to use forwarders. A forwarder is a DNS server that other DNS servers designate to forward queries for resolving external domain names. Using forwarders reduces the amount of traffic across the WAN for performing name resolution.


Optimizing Server Functionality Using EDNS0

Introduction

You might encounter situations in which you would like to adjust the User Datagram Protocol (UDP) packet size to decrease the network load and speed up the name-resolution process. If you determine that adjusting the UDP packet size would benefit your enterprise, you will need to modify the Extension Mechanisms for DNS (EDNS0).

EDNS0

The DNS protocol (as defined in RFC 1035) specifies a maximum allowable size for a DNS message sent over UDP at 512 bytes. When a DNS server responds to a client request, it only sends those records that fit within a 512 byte packet and then sets the truncation bit to indicate that the response is incomplete. To receive a complete response, the client repeats the previous query but sends it using Transmission Control Protocol (TCP) instead of UDP, causing the DNS server to respond using TCP. This increases the network load and slows the name resolution process. To alleviate this problem, EDNS0 (as defined in RFC 2671) provides a standard for defining a larger UDP packet size. EDNS0 allows DNS requestors to advertise the size of their UDP packets and, therefore, allow the transfer of packets larger than 512 bytes.

How EDNS0 works

Before a DNS server assumes that the requestor supports EDNS0, the DNS server must receive a query containing an OPT resource record. An OPT record contains no actual DNS data, and its contents relate to only the UDP transport layer message. The OPT record stores the sender's UDP payload size in its CLASS field and lists the number of octets in the largest UDP payload that the requestor can deliver in the requestor's network. When the DNS server receives a query containing an OPT record advertising the maximum UDP packet size, it truncates any UDP response that is larger than the limit specified in the OPT record.


By default, the DNS server includes the OPT resource records indicating its UDP maximum in responses to queries containing the OPT resource records. If the DNS server receives a query that does not contain an OPT resource record, it assumes that the requestor's server does not support EDNS0 and responds to the requestor assuming that the sender does not accept UDP packets larger than 512 bytes.

EDNS0 cache

With Windows Server 2003, when the DNS server receives a request or response from a host containing an OPT record, it caches the EDNS version supported by the host (such as EDNS0). If there is no OPT record in a request or response from a host, the DNS server's cache indicates that the host does not support EDNS0. If the cache already indicates that the host supports EDNS0, the cache does not change. The default value for how long the EDNS0 support information is cached is one week (25,200 seconds). You can modify this value in the EDNSCacheTimeout registry entry in the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dns\Parameters

The values allowed range from 1 hour (3,600 seconds) to 182 days (15,724,800 seconds).

Caution: When considering packet sizes, you should take into account the network transmission path's discovered Maximum Transmission Unit (MTU), if this information is available. When configuring the UDP packet size to be larger than 512 bytes, remember that the UDP packets must travel through devices other than UDP hosts and that these devices, such as routers, might not support UDP packets that are larger than 512 bytes. The maximum UDP packet size should always be compared with the MTU, which in some cases might be smaller. It is recommended that you establish the maximum UDP packet length support for all devices and configure your UDP hosts for this maximum.
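The OPT exchange described above, as an added example rather than code from the course: it builds a query that carries the advertised UDP payload size in the OPT record's CLASS field, reads that size back the way a server would, falls back to the RFC 1035 limit when no OPT record is present, and applies the MTU comparison from the caution. The function names, the constructed _ldap._tcp.contoso.com query, and the 28-byte IPv4-plus-UDP header overhead used in the MTU check are assumptions of this example.

```python
"""Added EDNS0 example: the OPT pseudo-record carries the requestor's UDP
payload size in its CLASS field. Message layout follows RFC 1035 / RFC 2671;
the query name and sizes below are constructed sample values."""
import struct
from typing import Dict, Optional, Tuple

DNS_UDP_MAX = 512     # RFC 1035 limit assumed when the query carries no OPT record
TYPE_OPT = 41         # EDNS0 pseudo-record type (RFC 2671)
FLAG_TC = 0x0200      # truncation bit in the header flags word
IP_UDP_OVERHEAD = 28  # assumed: 20-byte IPv4 header (no options) + 8-byte UDP header


def encode_name(name: str) -> bytes:
    """Wire-format owner name: length-prefixed labels, terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, udp_payload: Optional[int] = None,
                txid: int = 0x1234) -> bytes:
    """Standard query with RD set; if udp_payload is given, append an OPT record."""
    arcount = 1 if udp_payload is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    msg = header + question
    if udp_payload is not None:
        # OPT: root owner name (single zero byte), TYPE 41, CLASS = UDP payload
        # size, TTL = extended RCODE/version/flags (all zero here), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return msg


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at `off` (compression pointers allowed); return (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if jumped else off


def advertised_udp_size(msg: bytes) -> Optional[int]:
    """UDP payload size from the query's OPT record, or None when there is no OPT."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass                          # CLASS field = payload size
    return None


def response_limit(query: bytes, path_mtu: Optional[int] = None) -> int:
    """Largest UDP response the server should send for this query."""
    size = advertised_udp_size(query)
    if size is None:                               # no OPT: assume a 512-byte requestor
        limit = DNS_UDP_MAX
    else:                                          # RFC 2671: values below 512 count as 512
        limit = max(size, DNS_UDP_MAX)
    if path_mtu is not None:                       # the caution: compare with the path MTU
        limit = min(limit, path_mtu - IP_UDP_OVERHEAD)
    return limit


def set_tc(response: bytes) -> bytes:
    """Set the TC bit so the client repeats the query over TCP."""
    flags = struct.unpack("!H", response[2:4])[0] | FLAG_TC
    return response[:2] + struct.pack("!H", flags) + response[4:]


def plan_response(query: bytes, response_len: int,
                  path_mtu: Optional[int] = None) -> Dict[str, object]:
    """Decide whether a response of `response_len` bytes fits or must be truncated."""
    limit = response_limit(query, path_mtu)
    return {"limit": limit, "truncate": response_len > limit}


if __name__ == "__main__":
    # Constructed example: an SRV lookup of the kind a domain-joined client issues,
    # once with a 4096-byte EDNS0 advertisement and once without.
    for q in (build_query("_ldap._tcp.contoso.com", qtype=33, udp_payload=4096),
              build_query("_ldap._tcp.contoso.com", qtype=33)):
        print(advertised_udp_size(q), plan_response(q, 900), plan_response(q, 900, path_mtu=1500))
```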


Optimizing the DNS Server

Introduction

This topic presents several procedures that you can perform to optimize the performance of your DNS server.

Disable recursion on the DNS server

Disabling recursion prevents the DNS server from communicating with other DNS servers to resolve queries outside your zone. Reasons for disabling recursion include:

To limit the scope of name resolution on a server.
To limit the DNS clients to resolving names to a specific server.
Because the DNS server is incapable of resolving external DNS names.

Configure a forward-only server

You can configure a DNS server to not perform recursion after forwarders fail. If a forward-only server does not receive a successful query response from any of the servers that are configured as forwarders, the forward-only server fails the query. This has the benefit of transferring the load of recursion onto another server in your organization or to DNS servers at your Internet service provider (ISP).

Update root hints on the DNS server

Root hints is the list of preliminary resources that the DNS service can use to locate other DNS servers that are authoritative for the root of the DNS domain namespace. You update the root hints after you have determined how the DNS server is being used on your network.

Disable local subnet prioritization for multihomed computers

Disabling the local subnet prioritization eliminates preferential treatment of IP addresses on the same network.

Disable round-robin rotation for multiple-homed names

You use round-robin rotation as a load balancing technique that rotates all the resource record types contained in a query answer. You can disable the rotation for specific resource record types or for all resource record types. If round-robin rotation is disabled, the order of the response for these queries is based on a static ordering of resource records in the answer list as they are stored in the zone (either its zone file or Active Directory).


Modify zone transfer settings

Depending on how often your DNS data changes, you might need to adjust the SOA record settings in situations in which you want to either lengthen or shorten these intervals.

Use a caching-only server

Caching-only servers perform name resolution on behalf of clients and then store the results. You might need to use a caching-only server if you are dealing with a slow WAN link between sites.

Use EDNS0

EDNS0 allows you to change the maximum allowable size for a DNS message sent over UDP, which facilitates transfer of packets larger than 512 bytes.


Practice: Optimizing DNS Performance

Introduction

In this practice, you will discuss strategies for optimizing DNS performance and the challenges that these strategies present.

Objective

The objective of this practice is to optimize DNS performance.

Instructions

1. Read the scenario.
2. Prepare to discuss the challenges of this task in a post-practice discussion.

Scenario

You are a systems engineer for Contoso, Ltd, a rapidly growing custom automobile parts distributor and manufacturer. The company plans to build a new facility a short distance from its present headquarters. Because employees at the new facility will be working on confidential government contracts, the site cannot be connected to any outside network. The DNS design for this facility calls for an internal-only namespace with domain names that cannot be registered on the Internet. No Internet name resolution will be possible.

Practice

How will you plan to optimize your DNS servers to operate in this environment?

Plan to create your own root servers. You should remove the root hints file on the root servers because root servers do not use root hints files. On the other DNS servers (or forwarders, depending on the final plan), you should modify the root hints file with the NS and A records of the internal root servers.

16

Module 6: Optimizing and Troubleshooting DNS

Lesson: Troubleshooting Host Name Resolution

Introduction
This lesson introduces the Microsoft Solutions Framework (MSF) troubleshooting procedure for host name resolution. The lesson discusses the various troubleshooting tools that are used to identify, isolate, and resolve host name resolution problems.

Lesson objectives
After completing this lesson, you will be able to:
- Explain how to examine resource records using Nslookup.
- Identify DNS troubleshooting tools.
- Troubleshoot host name resolution.
- Restore server default preferences.
- Troubleshoot host records registration.
- Troubleshoot dynamic updates.
- Troubleshoot common DNS issues.

Demonstration: Examining Resource Records Using Nslookup

Introduction
The objective of this demonstration is to explain how you can use the Nslookup command-line tool to examine resource records.

Learning objectives
You will learn how to:
- Run Nslookup at a command prompt.
- Set a default DNS server.
- List all of the A (host) records for a domain.
- List only the NS records.
- List only the SOA resource records.
- Change the output serial values.
- Validate a zone transfer.

Key questions
When viewing this demonstration, you should consider the following questions:
- What DNS feature must be turned on to permit Nslookup to access the records?
- How can Nslookup be configured to return only the required records for multiple queries?
- How would you verify that a zone transfer has taken place between two DNS servers using Nslookup?
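Validating a zone transfer comes down to comparing the SOA serial that the primary and the secondary report for the zone. The following is an added example, not part of the course: it parses the SOA answer in the form Nslookup prints it (the two outputs below are constructed for the classroom zone nwtraders.msft, and the server name london-dc-01 is hypothetical) and compares the serials with RFC 1982 serial number arithmetic, which handles the 32-bit wrap.

```python
"""Validate a zone transfer by comparing the SOA serial on the primary and on
the secondary.

Added example (not part of the course): parses the SOA answer as Nslookup
prints it (samples are constructed) and compares the serials with RFC 1982
serial number arithmetic, which wraps at 2**32.
"""
import re
from dataclasses import dataclass

# Constructed: `set type=SOA` followed by `nwtraders.msft` on the primary.
PRIMARY_OUTPUT = """\
nwtraders.msft
        primary name server = london-dc-01.nwtraders.msft
        responsible mail addr = hostmaster.nwtraders.msft
        serial  = 2003061204
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
"""
# Constructed: the same query against a secondary that has not transferred yet.
SECONDARY_OUTPUT = PRIMARY_OUTPUT.replace("2003061204", "2003061201")

SERIAL_SPACE = 2 ** 32
HALF_SPACE = 2 ** 31


@dataclass
class Soa:
    mname: str
    serial: int
    refresh: int
    retry: int
    expire: int


def parse_soa(text: str) -> Soa:
    """Pull the SOA fields out of Nslookup's formatted answer."""
    def field(label: str, pattern: str = r"(\d+)") -> str:
        match = re.search(rf"{label}\s*=\s*{pattern}", text)
        if not match:
            raise ValueError(f"SOA answer is missing '{label}'")
        return match.group(1)

    return Soa(mname=field("primary name server", r"(\S+)"),
               serial=int(field("serial")), refresh=int(field("refresh")),
               retry=int(field("retry")), expire=int(field("expire")))


def serial_compare(a: int, b: int) -> int:
    """RFC 1982 comparison of two 32-bit serials: -1 (a < b), 0, or 1 (a > b).
    Because serials wrap, 4294967295 is less than 0; two values exactly
    2**31 apart have no defined order, so that case raises."""
    a, b = a % SERIAL_SPACE, b % SERIAL_SPACE
    if a == b:
        return 0
    distance = (b - a) % SERIAL_SPACE
    if distance == HALF_SPACE:
        raise ValueError("serials are 2**31 apart; order is undefined")
    return -1 if distance < HALF_SPACE else 1


def check_transfer(primary_text: str, secondary_text: str) -> str:
    """Describe the secondary's state relative to the primary."""
    primary, secondary = parse_soa(primary_text), parse_soa(secondary_text)
    order = serial_compare(secondary.serial, primary.serial)
    if order == 0:
        return f"in sync (serial {primary.serial})"
    if order < 0:
        return (f"secondary behind: {secondary.serial} < {primary.serial}; "
                f"next attempt within {primary.refresh}s (refresh) or "
                f"{primary.retry}s (retry); the zone expires after "
                f"{primary.expire}s without a successful transfer")
    return (f"secondary ahead: {secondary.serial} > {primary.serial}; "
            f"check which master it loads the zone from")
```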


Demonstration: DNS Troubleshooting Tools

Introduction
You will often need to determine delegation issues manually by using the Nslookup command-line tool, which can be a time-consuming and laborious task. You can automate this task by using DNSLint, a Windows utility that helps to diagnose common name-resolution issues. This demonstration shows you how DNSLint works and what types of information you can gather by using it.

Demonstration
1. Open a command prompt.
2. From the DNSLint directory, run DNSLint with no parameters to show the different command-line options.
3. Discuss the required parameters (/d, /ql, and /ad) and their uses.
4. Discuss some of the more important optional parameters, such as /s and /c.
5. Run DNSLint to test the nwtraders.msft Active Directory domain in the classroom by typing the following command at a command prompt:
   dnslint /ad /s localhost /v /no_open
6. Scroll back to the top and step through the output, pointing out what DNSLint is doing at each step.
7. Open the DNSLint.htm file in the DNSLint directory and show the report that was created in addition to the screen output.
8. Step through the information in the file.
9. Run DNSLint again, using the following parameters:
   dnslint /d nwtraders.msft /s 10.0.0.2 /v /no_open
10. Type y to overwrite the output file.
11. Go through the screen and file output again.

How to Troubleshoot Host Name Resolution

Introduction
When troubleshooting host name resolution issues, you can focus on several specific areas. Adopting a generic troubleshooting process will help you to scope any host name resolution issue. The following is a step-by-step procedure for troubleshooting host name resolution.

Determine the scope of the problem
Determine whether only one host cannot resolve names, or multiple hosts; if multiple hosts cannot resolve names, the problem is probably with the server and not with the client(s). In addition, determine whether only one name cannot be resolved or several names.

Identify if it is a client or server problem
The scope will help you to identify whether it is a client or server problem. If your scope determination indicates that the problem might be with the client, you should check to make sure that the client configuration settings are correct. If your scope determination indicates that the problem might be with the server or the network infrastructure, you need to investigate the server settings and the infrastructure for possible failure.

Verify that client settings are correct
If you have determined that the problem is with the client(s), you need to verify that the client settings are correct, including the IP addresses of the DNS servers, the client domain name, the connection suffix, the suffix names to append to queries, and so on. If the client settings are incorrect, you have discovered the source of the problem.

Verify that network traffic can reach the server
If you have ruled out a client problem, you need to make sure that network traffic can reach the server. You can use ping, pathping, and similar tools to perform this check. You also need to make sure that DNS traffic is not being filtered by any intermediate devices.

Verify that server records are correct

To ensure that the server records are correct, you should:
- Verify that the server is running and the DNS service is operational.
- Make sure that the server is listening on the proper interface.
- Check the zone for proper records.
- Check logs and events.
- Check any filters.

Capture packets to determine the problem
After you have performed the preceding steps and verified that all server records are accurate, you need to capture the DNS traffic between the server and the client(s) to determine the problem further.


Restoring Server Default Preferences

Introduction
You might encounter situations in which DNS preferences have been changed and adversely affect DNS server performance. If this is the case, you might need to restore the default server settings before troubleshooting further.

Restoring default server preferences
To restore default server preferences:
1. Open DNS.
2. In the console tree, right-click the applicable DNS server, and then click Properties.
3. Click the Advanced tab.
4. Click Reset to Default, and then click OK.

Default property settings
Clicking Reset to Default configures the DNS server with its initial configuration settings. The following table details these settings.

Property                                        Setting
----------------------------------------------  -----------------------------------
Disable recursion                               Off
BIND secondaries                                On
Fail on load if bad zone data                   Off
Enable round robin                              On
Enable netmask ordering                         On
Secure cache against pollution                  On
Name checking                                   Multibyte (UTF8)
Load zone data on startup                       From Active Directory and registry
Enable automatic scavenging of stale records    Off

How to Troubleshoot Host Records Registration

Introduction
The primary reason why host records registration fails is that the primary DNS suffix does not match the zone name. For example, if the Active Directory domain and corresponding DNS domain are nwtraders.com and the computer's primary DNS suffix is something different, such as sales.nwtraders, the computer would try to register at sales.nwtraders, which probably does not exist. You generally set this primary DNS suffix when the computer joins the Active Directory domain, but it can be changed by the user.

Examining the primary DNS suffix
To examine the primary DNS suffix:
1. In Control Panel, double-click System to open the System Properties dialog box.
2. In the System Properties dialog box, click the Computer Name tab.
3. Click Change. If the computer is a domain controller, a dialog box appears stating that domain controllers cannot be moved from one domain to another. Click OK.
4. In the Computer Name Changes dialog box, click More.
5. Examine the DNS primary suffix.

How to Troubleshoot Dynamic Updates

Introduction
Dynamic updates might not occur for the following reasons:
- The zone has not been configured to receive dynamic updates.
- The client is using a DNS product from a third party that does not support dynamic updates.
- Dynamic updates have been disabled on the client's side.

If dynamic updates are not occurring and you know that the zone is configured to receive dynamic updates, you need to check the settings on the client's side.

Checking client-side settings
To check dynamic update settings on the client's side:
1. In Control Panel, double-click Network Connections to open the Network Connections dialog box.
2. Open the Properties page of the network interface.
3. Open the Properties page for Internet Protocol (TCP/IP).
4. Click Advanced.
5. Click the DNS tab.
6. To dynamically register the interface IP address, the Register this connection's address in DNS check box should be selected.

Troubleshooting Common DNS Issues

Introduction
The three most common DNS problems are:
- Inability to resolve some names in the namespace.
- Inability to resolve names outside the DNS zone.
- Incorrect configuration of DNS client primary and secondary DNS servers.

Inability to resolve some names in the namespace

The inability of a DNS server to resolve some names in the namespace is often due to an incorrect or missing delegation. You must have a valid NS record and a valid A (host) record for each server that is authoritative for the delegated zone. You can use the New Delegation Wizard to make delegation easier. You can also use DNSLint or Nslookup to help diagnose bad delegations.
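One way to check the NS-plus-A requirement just described, as an added example that is neither course material nor DNSLint: it runs over a constructed parent zone in which one delegated server lacks its host record and another child zone has no delegation at all. Every name in the zone data is hypothetical.

```python
"""Check a delegation for the two things the text requires: the parent zone
must hold an NS record for each server authoritative for the delegated zone,
and each of those servers must have an A (host) record.

Added example, not part of the course and not DNSLint; the parent zone data
below is constructed and every host name in it is hypothetical."""
from collections import defaultdict

# Constructed parent zone nwtraders.msft as (owner, type, rdata) tuples, the
# information `ls -d nwtraders.msft` in Nslookup or the zone file would give.
PARENT_ZONE = [
    ("nwtraders.msft.", "NS", "london-dc-01.nwtraders.msft."),
    ("london-dc-01.nwtraders.msft.", "A", "10.0.0.2"),
    # sales.nwtraders.msft is delegated to two servers inside the child zone
    ("sales.nwtraders.msft.", "NS", "sales-dns-01.sales.nwtraders.msft."),
    ("sales.nwtraders.msft.", "NS", "sales-dns-02.sales.nwtraders.msft."),
    ("sales-dns-01.sales.nwtraders.msft.", "A", "10.0.5.10"),   # glue present
    # sales-dns-02 has no glue A record, so half of the delegation is broken
    # corp.nwtraders.msft has no NS records here at all: delegation missing
]


def fqdn(name: str) -> str:
    """Normalize a name for comparison: lower case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def index_zone(records):
    """Map owner -> type -> set of rdata, with names normalized."""
    index = defaultdict(lambda: defaultdict(set))
    for owner, rtype, rdata in records:
        rtype = rtype.upper()
        index[fqdn(owner)][rtype].add(fqdn(rdata) if rtype == "NS" else rdata)
    return index


def check_delegation(records, parent_zone: str, child_zone: str) -> list:
    """Return findings for the delegation of child_zone; an empty list means
    NS records are present and every NS target has an A record."""
    parent, child = fqdn(parent_zone), fqdn(child_zone)
    index = index_zone(records)
    ns_targets = index[child]["NS"]
    if not ns_targets:
        return [f"{child}: no NS records in {parent}, the delegation is missing"]
    findings = []
    for ns in sorted(ns_targets):
        if index[ns]["A"]:
            continue                      # NS record and host record both present
        if in_zone(ns, child):
            findings.append(f"{ns}: named in the delegation but has no glue "
                            f"A record in {parent}")
        elif in_zone(ns, parent):
            findings.append(f"{ns}: no A record in {parent}")
        else:
            findings.append(f"{ns}: lies outside {parent}; confirm its A record "
                            f"with Nslookup against that zone's servers")
    return findings
```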

Inability to resolve names outside the DNS zone

The primary reason why servers are unable to resolve names outside the DNS zone is that forwarders are missing. This may be due to a lack of understanding of what forwarders are and how to use them. If you are in an Active Directory environment, you need to ensure network functionality outside of the Active Directory domain (such as browser requests for Internet addresses) and configure the DNS server to forward DNS requests to the appropriate ISP or corporate DNS servers.


Troubleshooting forwarders on the DNS server

To troubleshoot forwarders on the DNS server:
1. Start the DNS Management console.
2. Right-click the name of the server, and then click Properties.
3. Click the Forwarders tab.
4. Select the Enable Forwarders check box.
   Note: If the Enable Forwarders check box is unavailable, the DNS server is attempting to host a root zone (usually identified by a zone named only with a period, or dot (".")). You must delete this zone to enable the DNS server to forward DNS requests. In a configuration in which the DNS server does not rely on an ISP DNS server or a corporate DNS server, you can use a root zone entry.
5. Ensure that the appropriate IP addresses are present for the DNS servers that will accept forwarded requests from this DNS server. The list is read in order from the top down; if there is a preferred DNS server, place it at the top of the list.
6. Click OK to accept the changes.

Incorrect configuration of DNS client primary and secondary DNS servers

Incorrect configuration can occur on both domain controllers and workstations, which are often configured for their ISP's DNS server rather than for their own DNS server that hosts their Active Directory domain registrations. You need to check the DNS server configuration on the computer in question.


Practice: Troubleshooting Host Name Resolution

Introduction
In this practice, you will troubleshoot DNS and discuss the troubleshooting strategies that you employed.

Objective
The objective of this practice is to troubleshoot DNS.

Instructions
1. Read the scenario.
2. Prepare to discuss the challenges of this task in a post-practice discussion.

Scenario
You are a systems engineer for Contoso, Ltd and have received an e-mail message from a help desk technician. It appears that a recently installed domain controller on the network is not registering in DNS. The help desk technician tried pinging the IP address of the DNS server, and that was successful.

Practice
What other strategies would you recommend that the help desk technician try to troubleshoot this problem further?

Have the help desk technician run ipconfig /all to see if the IP configuration on the domain controller is as expected and that valid DNS servers are listed. Also have the help desk technician run ipconfig /registerdns to try to recreate the records on the DNS server. Check to make sure that the primary domain suffix on the domain controller matches the DNS domain where the Active Directory data is registered. This is automatically configured by the Active Directory Installation Wizard (DCPromo.exe), but it can be changed. Check the TCP/IP Properties page on the domain controller to make sure that the computer is configured for the proper DNS server. Check to make sure that the zone on the DNS server is configured for dynamic updates, and that the domain controller's TCP/IP properties are correctly configured to dynamically register its IP addresses.


Lab A: Troubleshooting DNS

Objectives
After completing this lab, you will be able to troubleshoot a DNS server configuration supporting an internal and external namespace.

Scenario
You are a systems engineer for Northwind Traders and have been asked to troubleshoot the DNS configuration in the main corporate office in London. Users are reporting that they cannot connect to some server resources on remote internal sites. Northwind Traders maintains eight separate public Web servers that are used for Internet-based access by customers. The Web servers are configured as follows:
- Two Network Load Balancing clusters of three servers each supporting http://www.nwtraders.com by using round-robin DNS records
- A single Network Load Balancing cluster of two servers supporting b2b.nwtraders.com

The internal namespace is corp.nwtraders.com and uses Active Directory-integrated zones configured on the domain controllers. All resource servers within the corporate environment use DNS names and are not configured with NetBIOS names. The external public namespaces are hosted on geographically dispersed DNS servers provided by an ISP for improved reliability. These servers are Berkeley Internet Name Domain (BIND)-based DNS servers.


Diagrams


Estimated time to complete this lab: 30 minutes


Exercise 1: Troubleshooting DNS Name Resolution for the Internal Namespace


Introduction
In this exercise, you will correct the configuration of DNS to resolve issues that clients are having in connecting to the resource servers. The provided design document shows the placement and configuration of DNS servers in the internal network. Describe the changes you would implement to the DNS configuration settings for either the server or client to correct the problems that are occurring.

Scenario
The following problem report is escalated to you on Tuesday by the help desk personnel and documents the problems experienced by a user in the London office:

The user is a copyeditor who needs to collect the files for editing from the document server located in the Coventry office. The user has been unable to connect to DocServ1 since yesterday. The user first reported the problem to the help desk on Sunday when it was determined that DocServ1 was indeed down. The help desk personnel reported to the user that the server was being upgraded to a new computer and was offline for three hours. The help desk personnel suggested that the user contact the IT specialist in the Coventry office to ask when the server would be back online. The user closed the help desk call on Sunday and reported that the IT specialist in Coventry restored his access to the server. The user reopened the help desk problem report on Monday when he was again unable to access the server. He reported that the server was obviously up because another user near him could access it. The help desk technician asked the user to open a command prompt and ping the remote server, and the user reported that the server timed out.


Practice
In analyzing the problem, you complete the following tasks:

You ping the server in Coventry from your desk and get the following data:

Pinging docserv1.corp.nwtraders.com [192.168.4.23] with 32 bytes of data
Reply from 192.168.4.23: bytes=32 time<3ms TTL=128
Reply from 192.168.4.23: bytes=32 time<3ms TTL=128
Reply from 192.168.4.23: bytes=32 time<2ms TTL=128
Reply from 192.168.4.23: bytes=32 time<2ms TTL=128

Ping statistics for 192.168.4.23:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round-trip times in milliseconds
    Minimum = 2ms, Maximum = 3ms, Average = 2.4ms

You telephone the user and discuss the problem with him. He tells you that the IT specialist in Coventry fixed the problem on Sunday in just a minute or two and he's getting really annoyed at how long this is taking to resolve. You have the user start a remote assistance connection so that you can analyze his computer. You use remote assistance to ping the server in Coventry and get the following data:

Pinging docserv1.corp.nwtraders.com [192.168.6.175] with 32 bytes of data
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.6.175:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


You execute the IPConfig utility and display the client-side DNS cache:

Windows IP Configuration

    lon-off-dist.corp.nwtraders.com
    ----------------------------------------
    Record Name . . . . . : lon-off-dist.corp.nwtraders.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 2164
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.168.11.21

    lon-dc-03.corp.nwtraders.com
    ----------------------------------------
    Record Name . . . . . : lon-dc-03.corp.nwtraders.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3301
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.168.11.14

    1.0.0.127.in-addr.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.127.in-addr.arpa.
    Record Type . . . . . : 12
    Time To Live  . . . . : 0
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    PTR Record  . . . . . : localhost

    Docserv1.corp.nwtraders.com
    ----------------------------------------
    Record Name . . . . . : Docserv1.corp.nwtraders.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 0
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.168.4.175

    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 1
    Time To Live  . . . . : 0
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1

You execute the IPConfig utility and flush the client-side DNS cache, but the problem remains the same.
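A small parser for the displaydns listing, as an added tooling example that is not part of the lab: it reads the cache output (the sample inside is constructed to mirror the capture above) and flags any name whose cached address differs from what the London lookup returned for it, taking the reference address from the first line of the London ping output.

```python
"""Parse `ipconfig /displaydns` output and compare the client's cached A
records with what a working resolver returned for the same name.

Added tooling example, not part of the lab: the displaydns sample below is
constructed in the lab's format, the reference address comes from the London
ping line, and the comparison logic is the added part."""
import re
from collections import defaultdict

DISPLAYDNS = """\
Windows IP Configuration

    lon-dc-03.corp.nwtraders.com
    ----------------------------------------
    Record Name . . . . . : lon-dc-03.corp.nwtraders.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3301
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.168.11.14

    Docserv1.corp.nwtraders.com
    ----------------------------------------
    Record Name . . . . . : Docserv1.corp.nwtraders.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 0
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.168.4.175
"""
# First line of the London engineer's ping of the same server.
LONDON_PING = "Pinging docserv1.corp.nwtraders.com [192.168.4.23] with 32 bytes of data"


def parse_displaydns(text: str) -> list:
    """Turn displaydns output into dicts with name, type (numeric), ttl, data."""
    records, current = [], None
    for line in text.splitlines():
        label, colon, value = line.partition(":")
        if not colon:
            continue                          # banner, owner-name line, separator
        label, value = label.replace(".", "").strip(), value.strip()
        if label == "Record Name":
            current = {"name": value.rstrip(".").lower()}
            records.append(current)
        elif current is None:
            continue
        elif label == "Record Type":
            current["type"] = int(value)
        elif label == "Time To Live":
            current["ttl"] = int(value)
        elif label.endswith("Record"):        # "A (Host) Record", "PTR Record"
            current["data"] = value
    return records


def reference_from_ping(ping_text: str) -> dict:
    """name -> {address} from the 'Pinging name [addr]' line of ping output."""
    match = re.search(r"Pinging (\S+) \[([\d.]+)\]", ping_text)
    return {match.group(1).lower(): {match.group(2)}} if match else {}


def find_mismatches(records: list, reference: dict) -> list:
    """Cached A records whose data disagrees with the reference resolver.
    An entry that still disagrees after ipconfig /flushdns was not learned
    from a DNS server reply, so look at what else feeds the resolver cache."""
    cached, ttls = defaultdict(set), {}
    for rec in records:
        if rec.get("type") == 1:              # type 1 is an A (host) record
            cached[rec["name"]].add(rec["data"])
            ttls[rec["name"]] = rec["ttl"]
    findings = []
    for name, expected in reference.items():
        key = name.lower()
        got = cached.get(key)
        if got is not None and got != expected:
            findings.append({"name": key, "cached": sorted(got),
                             "reference": sorted(expected), "ttl": ttls[key]})
    return findings
```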

Practice

Tasks
1. Describe the changes you would implement to the DNS configuration settings for either the server or client to correct the problems that are occurring.
   Special instructions: Use the scenario and the provided information.
2. Answer the following questions:
   - Why can't the user connect to the docserv1 server in Coventry?
   - How would you rectify the problem?


Exercise 2: Troubleshooting DNS Name Resolution for the External Namespace


Introduction
In this exercise, you will correct the configuration of DNS to resolve problems experienced by clients in a new office when connecting to the Northwind Traders Internet site. The provided design document shows the placement and configuration of DNS servers in both the internal and external networks.

Scenario
The following problem report is escalated to you by the help desk personnel and documents the problems experienced by users in the new Glasgow branch office:

Users in the new Glasgow office are able to connect to all of the internal resources they need, but they are unable to connect to the nwtraders public Web or FTP site. The users have reported that they also cannot resolve other Internet-based sites without problems. The configuration of the new office is specified in the design document as follows:
- The Glasgow office will be configured as part of the main corporate office (nwtraders) domain.
- The Glasgow office is connected to the main office by a 128-Kbps ISDN link configured as a permanent circuit.
- The Glasgow office will have its own domain controller and will be configured as an Active Directory site so that Active Directory replication can be scheduled to occur outside of normal business hours.
- The domain controller will host Active Directory-integrated DNS, DHCP, and print services for the office.

The help desk personnel provide the following additional information:
- All user computers in the Glasgow office are configured as DHCP clients, and the local DNS server on the domain controller is correctly specified for them.
- Users can resolve all internal resource servers within nwtraders.msft.
- Users cannot resolve http://www.nwtraders.com or ftp.nwtraders.com.
- One of the Microsoft Certified Systems Engineers (MCSEs) at the help desk was responsible for building the new domain controller (Glasgow), and he:
  - Installed the operating system.
  - Installed and configured DNS and configured the zone transfers.
  - Deleted the cache.dns file.
  - Configured the DNS server address in the TCP/IP properties to point to a London Active Directory-integrated DNS server.
  - Ran the Active Directory Installation Wizard (DCPromo.exe) to install Active Directory.


The domain controller was transported to the Glasgow office and connected to the network. Tests indicated that it was working as expected, and users were able to log on to the domain and connect to all internal and external resources. The last actions taken were to create a site for the Glasgow office, move the domain controller into that site, and change the DNS address to point to the local DNS server. Help desk tests indicate that Active Directory replication and DNS zone transfers are occurring as expected.

You are in the London office and can connect to the Glasgow office domain controller over the network. You perform a series of investigative tests and collect the following information:
- NSLookup output file: C:\MOC\2278\Labfiles\nslookup_lsd_glasgow_text_start.txt
- DNSCmd output file: C:\MOC\2278\Labfiles\dnscmd_text_start.txt
- DNS.log output file: C:\MOC\2278\Labfiles\dns_log_events_start.txt

Based on your analysis of the collected information:

Tasks
1. Describe the changes you would make to the DNS configuration settings for either the server or client to correct the problems that are occurring.
   Special instructions: Use the scenario and the information provided.
2. Answer the following questions:
   - Why can't the public nwtraders Web and FTP server names be resolved?
   - What configuration changes would you make to the domain controller or clients?
