
Troubleshooting DNS configuration issues on domain controllers by using the DNS test in the Windows Server 2003 SP1-based version of the DCDIAG tool
David Rheaume
Rapid response engineer
Premier Field Engineering
Microsoft Corporation
David Rheaume

David Rheaume is a rapid response engineer in the Microsoft Premier Field Engineering group. David joined Microsoft in March 2000 and has supported Active Directory® during all of his time with the company. During this time, he has provided front-line and escalation support in Product Support Services (PSS), beta support for customers deploying pre-release software in the enterprise, and most recently, on-site support for Microsoft enterprise customers.
Agenda
Overview of Active Directory® name resolution
DCDIAG installation and system requirements
DCDIAG /TEST:DNS drill down
DCDIAG /TEST:DNS usage scenarios and syntax
DCDIAG /TEST:DNS known issues
Active Directory name resolution
Before Active Directory, Microsoft® Windows® domains required a relatively simple set of NetBIOS records (1B, 1C) resolved by Windows Internet Name Service (WINS).
Active Directory changed the requirements to a detailed set of site-specific, domain-specific, and forest-wide service location and replication records resolved by DNS.
Detailed knowledge of Domain Name System (DNS) operation and troubleshooting was not common among Windows domain administrators.
DNS monitoring solutions were not typically deployed in the enterprise.
DNS configuration issues in Active Directory deployments
Many or all domain controllers in an organization may have DNS installed and can accept updates to the zones.
Replication of DNS records is subject to typical replication latency.
Automatic DNS setup in Microsoft Windows 2000 did not use optimized defaults.
DNS servers that host common Active Directory-integrated zones still require per-server configuration.
Key failures that are caused by DNS misconfiguration
Active Directory replication
User authentication
Domain controller promotion and demotion (DCPROMO)
Domain joining
Internet access
DCDIAG /TEST:DNS
New test option in the Microsoft Windows Server™ 2003 Service Pack 1 (SP1) version of DCDIAG
One tool for validation of forest-wide DNS configuration
Installation sources
Windows Server 2003 SP1 Support Tools
http://support.microsoft.com/kb/892777
System requirements
Supported installation platforms
Windows Server 2003 member servers and domain controllers
Microsoft Windows XP Professional member computers
System requirements (2)
Supported test targets
Windows 2000 with Service Pack 3 (SP3)
Windows Server 2003
Windows Server 2003 SP1
Credential requirements
Enterprise administrators
DCDIAG /TEST:DNS
When to use DCDIAG /TEST:DNS
Any time that you suspect DNS is broken
Any time that you want to validate DNS health
Best practices recommend that you validate the DNS infrastructure at least weekly by using DCDIAG /TEST:DNS
A more frequent interval, such as daily, provides better monitoring of the DNS infrastructure
DCDIAG /TEST:DNS operations
Validates seven elements of DNS health
Connectivity (performed by default, as part of the tests carried over from previous versions)
Basic DNS
Forwarders
Delegation
Dynamic update
Record registration
External name resolution (by default, this test is not run)
DCDIAG /TEST:DNS operations (2)
By default, all tests other than external name resolution are run
Any test can be run individually
Test DNS health for a single domain controller or for all domain controllers in a forest or naming context
Pass, Warn, or Fail status for each test in the summary table
DCDIAG /TEST:DNS syntax
Sub tests can be run individually by using switches
/DnsBasic – Performs basic tests; cannot be skipped
/DnsForwarders – Forwarders and root hints tests
/DnsDelegation – Delegation tests
/DnsDynamicUpdate – Dynamic update tests
DCDIAG /TEST:DNS syntax (2)
Additional sub tests
/DnsRecordRegistration – Record registration tests
/DnsResolveExtName – External name resolution test
/DnsInternetName:InternetName – Specifies the Internet name queried by the /DnsResolveExtName test
If an Internet name is not specified, the default is www.microsoft.com
/DnsAll – Runs all tests
DCDIAG /TEST:DNS optional parameters
The verbose switch is required to gather most of the interesting information other than the summary table
/s:DCName – Targets a single domain controller
/f:Logfile – Writes output to a log file
/ferr:Logerr – Writes errors to a separate log file
/v – Displays verbose output
/e – Runs all specified tests against all domain controllers whose NTDS Settings objects are listed on the targeted domain controller
Syntax examples for common test scenarios
DCDIAG /TEST:DNS /v /f:filename /s:DCName
Test DNS on a single server and log verbose output to a file
DCDIAG /TEST:DNS /v /f:filename /e
Test DNS on all domain controllers in the forest and log verbose output to a file
Connectivity test
Cannot be skipped
No separate syntax for the connectivity test because it always runs
Tests performed
Are domain controllers registered in DNS?
Can they be pinged?
Do they have Lightweight Directory Access Protocol/remote procedure call (LDAP/RPC) connectivity?
No other tests run against a domain controller if this test fails
Basic DNS test
Syntax: /DnsBasic
Tests performed
Are the expected services running?
DNS Client service
DNS Server service
Netlogon service
Key Distribution Center (KDC) service
Are DNS servers available over the network adapters?
Basic DNS test (2)
Additional tests performed
If DNS is installed, does the domain controller’s Active Directory namespace zone exist?
If DNS is installed, does a valid Start of Authority (SOA) record exist for the domain controller?
Is the host record (also called the A record or glue record) registered on at least one DNS server?
Does the root (.) zone exist?
/DnsBasic warning conditions

Warn
Warning: Adapter
has dynamic IP ad
a misconfiguration
Warning: adapter
has invalid DNS s
address
/DnsBasic errors
Error: Authentication failed with specified credentials
   Enterprise Admin credentials are required.
Error: No LDAP connectivity
   Network access over TCP port 389 is required.
Error: No DS RPC connectivity
   Network access over Windows server message block (SMB) ports is required.
Error: No WMI connectivity
   The DNS test requires WMI connectivity to the remote machine.
Error: Cannot read operating system version through WMI
   WMI connectivity and permissions are required.
Error: Operating system name not supported
   Valid targets include Windows 2000 SP3, Windows Server 2003, and Windows Server 2003 SP1.
Error: Open Service Control Manager failed
   The service is not running or is not installed, or the account used to run the test does not have permission to read the service.
/DnsBasic errors (2)
Error: KDC/Netlogon/DNS/DNScache is not running
   The specified services are not running.
Error: Cannot read network adapter information through WMI
   WMI connectivity and permissions are required.
Error: all DNS servers are invalid
   The DNS servers configured in the resolver settings cannot be pinged or are not valid DNS servers.
Error: The A record for this domain controller was not found
   Missing host record. Check that the DHCP Client service is running on the specified machine.
Error: Enumeration of zones failed to find out whether there is a root and Active Directory zone
Error: Could not query DNS zones on this domain controller
   Unable to query Active Directory name records for the specified DC.
Forwarders test
Syntax: /DnsForwarders
Tests performed
Is recursion enabled?
Verifies the forwarders and root hints configuration if these items are present.
Can the _ldap._tcp.dc._msdcs.<forest root domain> domain controller locator record be resolved by domain controllers in a non-root domain?
Notes:
This test is run only if the targeted domain controller is running the Microsoft DNS Server service.
Forwarders and root hints are not used to resolve _ldap._tcp.dc._msdcs.<forest root domain> locator records on forest root domain controllers.
/DnsForwarders errors
Error: Forwarders list has invalid forwarder: <IP address of the forwarder>
   The specified IP address is unreachable or is not answering DNS queries.
Error: Both root hints and forwarders are not configured. Please configure either forwarders or root hints
   The tested DNS server is not a root server, but it is not configured to perform any external name resolution.
Error: Root hints list has invalid root hint server: <IP address of root hint server>
   The configured root hints servers are not reachable or are not answering DNS queries.
Error: Enumeration of root hint servers failed on DNS server <server name>
   The test could not list the root servers on the target DNS server.
Delegation test
Syntax: /DnsDelegation
Tests performed
Is the delegated name server a functioning DNS server?
Are there broken delegations?
Verifies that the host record can be resolved for each listed name server (NS) record
Notes
This test is run only if the targeted domain controller is running the Microsoft DNS Server service.
/DnsDelegation warnings
Warning: DNS server: <DNS server name> IP: <IP address> Failure: Missing glue (A) record
   Cannot resolve the host record for the specified delegated name server.
/DnsDelegation errors
DNS server: <server name> IP: <IP address> Error: Broken delegation
   The name server specified by the delegation cannot resolve zone records or is not responding to DNS queries.
DNS server: <server name> IP: <IP address> Error: Broken delegated domain <delegated domain name>
Error: Failed to enumerate the records at the zone root on the server
Dynamic update test
Syntax: /DnsDynamicUpdate
Tests performed
Is the domain controller’s DNS zone configured to accept secure dynamic updates?
Can _dcdiag_test_record be registered on the current DNS server?
Deletes the test registration record.
/DnsDynamicUpdate warnings
Warning: Dynamic update is enabled on the zone <zone name> but not secure
   Non-secure dynamic update acceptance is a critical security risk.
Warning: Failed to add test record _dcdiag_test_record with error <error code> in zone <zone name>
   Permission to add the test record was denied.
Warning: Failed to delete test record _dcdiag_test_record with error <error code> in zone <zone name>
   Permission to delete the test record was denied.
/DnsDynamicUpdate errors
Error: Dynamic update is not enabled on the zone <zone name>
   Dynamic update is not enabled on the Active Directory zone. Therefore, the client cannot register its records.
Record registration test
Syntax: /DnsRecordRegistration
Tests performed
Are service locator (SRV) resource records for each network service registered on all configured DNS servers?
DSA GUID CNAME
_ldap
_gc
_pdc
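The record registration test checks each configured DNS server for the locator records Netlogon registers on behalf of a domain controller. The following added example (not code from the WebCast or from DCDIAG) builds the expected set of records for one DC from its domain, forest, site, DSA GUID, and GC/PDC roles, then compares that set against what each DNS server answered. The DC names, site name, DSA GUID, and per-server answers are constructed sample data; a real check would query each DNS server in the resolver list. Only the record families the slide lists (DSA GUID CNAME, _ldap, _gc, _pdc) plus the host (A) record are modelled; the full Netlogon.dns set also includes _kerberos and _kpasswd records.

```python
"""Compare the locator records a domain controller should have registered against
what each configured DNS server actually returns. Added example; the DNS answers
below are constructed, not captured from a real server."""

DC1 = "dc1.contoso.com"
# Constructed DSA GUID (the objectGUID of the DC's NTDS Settings object); not a real value.
DSA_GUID = "8c4f2d8a-0000-4000-8000-000000000001"

# Constructed answers: DNS server IP -> {rrtype -> {name -> data}}.
# SRV data is the list of target hosts, CNAME data is the canonical name, A data is the address.
CONSTRUCTED_ANSWERS = {
    "10.0.0.1": {  # the DC's own DNS server: every record Netlogon registered is present
        "A": {DC1: "10.0.0.1"},
        "CNAME": {f"{DSA_GUID}._msdcs.contoso.com": DC1},
        "SRV": {name: [DC1] for name in (
            "_ldap._tcp.contoso.com",
            "_ldap._tcp.HQ._sites.contoso.com",
            "_ldap._tcp.dc._msdcs.contoso.com",
            "_ldap._tcp.HQ._sites.dc._msdcs.contoso.com",
            "_ldap._tcp.pdc._msdcs.contoso.com",
            "_gc._tcp.contoso.com",
            "_gc._tcp.HQ._sites.contoso.com",
            "_ldap._tcp.gc._msdcs.contoso.com",
            "_ldap._tcp.HQ._sites.gc._msdcs.contoso.com",
        )},
    },
    "10.0.0.2": {  # a second DNS server that has not yet received dc1's registrations
        "A": {DC1: "10.0.0.1"},
        "CNAME": {},
        "SRV": {"_ldap._tcp.contoso.com": ["dc2.contoso.com"]},
    },
}


def expected_records(dc_fqdn, domain, forest, site, dsa_guid, is_gc, is_pdc):
    """Return the set of (rrtype, name) pairs Netlogon registers for this DC.

    Domain-wide and site-specific _ldap records live under the domain; the
    DSA GUID CNAME and the _gc records live under the forest root's _msdcs zone."""
    recs = {("A", dc_fqdn), ("CNAME", f"{dsa_guid}._msdcs.{forest}")}
    recs |= {
        ("SRV", f"_ldap._tcp.{domain}"),
        ("SRV", f"_ldap._tcp.{site}._sites.{domain}"),
        ("SRV", f"_ldap._tcp.dc._msdcs.{domain}"),
        ("SRV", f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"),
    }
    if is_pdc:  # only the PDC emulator registers the _pdc record
        recs.add(("SRV", f"_ldap._tcp.pdc._msdcs.{domain}"))
    if is_gc:  # global catalog records are forest-wide
        recs |= {
            ("SRV", f"_gc._tcp.{forest}"),
            ("SRV", f"_gc._tcp.{site}._sites.{forest}"),
            ("SRV", f"_ldap._tcp.gc._msdcs.{forest}"),
            ("SRV", f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}"),
        }
    return recs


def missing_records(dc_fqdn, expected, answers):
    """Per DNS server, list the expected records that are absent or do not point at the DC."""
    result = {}
    for server, tables in answers.items():
        missing = []
        for rrtype, name in sorted(expected):
            table = tables.get(rrtype, {})
            if rrtype == "SRV":
                present = dc_fqdn in table.get(name, [])
            elif rrtype == "CNAME":
                present = table.get(name) == dc_fqdn
            else:  # A record: the host name itself must resolve
                present = name in table
            if not present:
                missing.append((rrtype, name))
        result[server] = missing
    return result


if __name__ == "__main__":
    expected = expected_records(DC1, "contoso.com", "contoso.com", "HQ", DSA_GUID,
                                is_gc=True, is_pdc=True)
    for server, missing in missing_records(DC1, expected, CONSTRUCTED_ANSWERS).items():
        print(f"DNS server {server}: {len(missing)} missing record(s)")
        for rrtype, name in missing:
            print(f"   Missing {rrtype} record {name}")
```

A server that returns the _ldap SRV record but with only another DC as its target is reported as missing for this DC, which is the same condition the test flags when replication of the Netlogon registrations has not reached that server yet.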
/DnsRecordRegistration warnings

War
Warning: Missing D
DNS server record n

/DnsRecordRegistration errors
Err
Error: Missing A recor
<DNS Server IP addre
name>
Error: Missing CNAME
server <DNS Server IP
Note: To reregister SRV records, restart the Netlogon service or run NETDIAG /fix. To correct stale records, rename Netlogon.dns and Netlogon.dnb in %SystemRoot%\System32\Config.
Correcting /DnsRecordRegistration errors
The Dynamic Host Configuration Protocol (DHCP) Client service is required to dynamically register host (A) records.
The DHCP Client service is still required on statically addressed computers.
IPCONFIG /registerdns will reregister A records on demand.
Correcting /DnsRecordRegistration errors (2)
The Netlogon service registers all service locator (SRV) resource records.
To correct stale records, rename Netlogon.dns and Netlogon.dnb in %SystemRoot%\System32\Config.
To reregister SRV records, restart the Netlogon service or run NETDIAG /fix.
External name resolution test
Syntax: /DnsResolveExtName
Tests performed
Tests name resolution outside the Active Directory forest.
The default query is for www.microsoft.com.
An alternative target can be specified by using /DnsInternetName.
Notes
The external name test is not run unless the test is specified.
External name resolution fails if Internet proxies are present.
/DnsResolveExtName errors

Erro
Error: Internet nam
cannot be resolve

Performance factors for DCDIAG /TEST:DNS
DCDIAG /TEST:DNS performance issues
Offline domain controllers
Offline DNS servers
Clients that point to an invalid DNS server
DNS servers that have invalid forwarders and delegations
Effect
DCDIAG waits the RPC time-out number of seconds for a response to each test
Exponential delays in DCDIAG runtime
Performance factors for DCDIAG /TEST:DNS (2)
Real-world performance
About 4.1 to 4.5 domain controllers per minute over “fast” wide area network (WAN) links.
DCDIAG /e may not be appropriate in forests that contain 1000 domain controllers.
DCDIAG /TEST:DNS has been run in forests that contain 200 to 400 domain controllers.
/Enterprise DNS infrastructure errors
Error: Delegation is not configured on the parent domain
   Delegation should be configured from the parent to the subordinate domain.
Error: Delegation is present but the glue record is missing
   Delegation is configured, but the host record cannot be resolved for one or more NS records.
Error: Forwarders are misconfigured from parent domain to subordinate domain
   Forwarders should point “up” the namespace rather than “down”.
Error: Root hints are misconfigured from parent domain to subordinate domain
   Root hints should point “up” the namespace rather than “down”.
Error: Forwarders are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details)
   The configured forwarders are unavailable, cannot resolve the requested records, or are not responding to DNS queries.
Error: Root hints are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details)
   The configured root hints are unavailable, cannot resolve the requested records, or are not responding to DNS queries.
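The table above states the direction rule for forwarders and root hints: from a subordinate domain they should point “up” toward the forest root, never “down” toward a child. The following added example (not code from the WebCast or from DCDIAG) encodes that rule as a check you can run against an inventory of your own DNS servers. The map from server IP to the domain each server is authoritative for is constructed sample data; in practice it would come from your DNS server inventory, and the forwarder and root hint lists would come from each server's configuration.

```python
"""Classify the forwarders or root hints configured on a domain's DNS servers as
pointing up the namespace (toward the forest root), down (toward a child domain),
sideways (to a sibling domain), or to an external server, and emit the messages
the /Enterprise table describes for the "down" and "nothing configured" cases.
Added example; the server-to-domain map is constructed."""

# Constructed map: DNS server IP -> domain whose zones that server is authoritative for.
# None marks a server outside the forest (for example an ISP resolver or an Internet root server).
CONSTRUCTED_SERVER_DOMAIN = {
    "10.0.0.1": "contoso.com",             # forest root domain
    "10.1.0.1": "emea.contoso.com",        # child domain
    "10.1.1.1": "sales.emea.contoso.com",  # grandchild domain
    "10.2.0.1": "apac.contoso.com",        # sibling child domain
    "192.0.2.53": None,                    # external server (documentation address)
}


def is_parent_of(candidate, domain):
    """True when candidate is a strict ancestor of domain in the DNS tree."""
    c, d = candidate.lower().rstrip("."), domain.lower().rstrip(".")
    return d != c and d.endswith("." + c)


def classify_targets(local_domain, target_ips, server_domain):
    """Sort forwarder or root hint targets into up / down / sideways / external buckets."""
    buckets = {"up": [], "down": [], "sideways": [], "external": []}
    for ip in target_ips:
        target = server_domain.get(ip)
        if target is None:
            buckets["external"].append(ip)
        elif is_parent_of(target, local_domain):
            buckets["up"].append(ip)
        elif is_parent_of(local_domain, target):
            buckets["down"].append(ip)
        else:
            buckets["sideways"].append(ip)
    return buckets


def infrastructure_findings(local_domain, forwarders, root_hints, server_domain):
    """Return the error messages this configuration deserves, worded like the slide's table."""
    findings = []
    for kind, ips in (("Forwarders", forwarders), ("Root hints", root_hints)):
        down = classify_targets(local_domain, ips, server_domain)["down"]
        if down:
            findings.append(f"Error: {kind} are misconfigured from parent domain "
                            f"to subordinate domain ({', '.join(down)})")
    if not forwarders and not root_hints:
        findings.append("Error: Both root hints and forwarders are not configured. "
                        "Please configure either forwarders or root hints")
    return findings


if __name__ == "__main__":
    # A root domain DNS server forwarding to a child domain's server: points "down".
    for msg in infrastructure_findings("contoso.com", ["10.1.0.1"], [], CONSTRUCTED_SERVER_DOMAIN):
        print(msg)
    # A child domain DNS server forwarding to the forest root: points "up", no findings.
    print(infrastructure_findings("emea.contoso.com", ["10.0.0.1"], [], CONSTRUCTED_SERVER_DOMAIN))
```

Root hints get the same classification as forwarders because the table applies the same direction rule to both; a child domain whose only external path is a server that fails the /DnsForwarders tests is covered by the two “failed DNS server tests” rows, which this check does not model.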
Strategies to help interpret /TEST:DNS output
Run DCDIAG /TEST:DNS /v /f:filename /e
Load the report in Notepad or your preferred text editor
A multiple monitor system (Multimon) or split screen provides the optimal viewing environment.
The primary monitor or pane focuses on the summary table.
The secondary monitor or pane focuses on the breakout section of each failing domain controller.
Strategies to help interpret /TEST:DNS output (2)
Review the summary table near the bottom of the DCDIAG log file.
Locate domain controllers that reported failure or warning status in the summary table.
Find the breakout section for a problem domain controller by searching for “DC: DCName”.
Make the required configuration changes on DNS clients and DNS servers.
Run DCDIAG /TEST:DNS again with the /e or /s switch to validate DNS health.
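The two slides above describe a manual triage loop: read the summary table, find the domain controllers with FAIL or WARN, and jump to each one's “DC: DCName” breakout section. The following added example (not code from the WebCast or from DCDIAG) automates that loop over a verbose log file. The embedded log is constructed and only approximates the layout of real DCDIAG /TEST:DNS /v output; the summary column order (Auth, Basc, Forw, Del, Dyn, RReg, Ext) is assumed, so adjust the COLUMNS list if your version of the tool prints a different header.

```python
"""Triage a DCDIAG /TEST:DNS /v log: parse the summary table, pick out the domain
controllers with FAIL or WARN, and pull the Error/Warning lines from each one's
"DC: <name>" breakout section. Added example; the log below is constructed."""

# Assumed column order of the DCDIAG DNS summary table.
COLUMNS = ["Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext"]
STATUSES = {"PASS", "FAIL", "WARN", "n/a"}

# Constructed log that approximates DCDIAG /TEST:DNS /v /e output; message texts
# are taken from the error and warning tables in this WebCast.
CONSTRUCTED_LOG = """\
Testing server: HQ\\DC1
   Starting test: DNS
      DNS Tests are running and not hung. Please wait a few minutes...
   DC: dc1.contoso.com
   Domain: contoso.com

      TEST: Basic (Basc)
         Error: The A record for this domain controller was not found
      TEST: Dynamic update (Dyn)
         Warning: Dynamic update is enabled on the zone but not secure contoso.com
   DC: dc2.contoso.com
   Domain: contoso.com

      TEST: Basic (Basc)
         The OS is supported.
   DC: dc3.emea.contoso.com
   Domain: emea.contoso.com

      TEST: Forwarders/Root hints (Forw)
         Error: Forwarders list has invalid forwarder: 192.0.2.53
      TEST: Delegations (Del)
         Error: Broken delegation
   Summary of DNS test results:

                                    Auth Basc Forw Del  Dyn  RReg Ext
      _________________________________________________________________
      Domain: contoso.com
         dc1                         PASS FAIL PASS PASS WARN PASS n/a
         dc2                         PASS PASS PASS PASS PASS PASS n/a
      Domain: emea.contoso.com
         dc3                         PASS PASS FAIL FAIL PASS PASS n/a
   ......................... contoso.com failed test DNS
"""


def parse_summary(log_text):
    """Return {dc_name: {column: status}} from the summary table at the end of the log."""
    lines = log_text.splitlines()
    start = next((i for i, l in enumerate(lines) if "Summary of DNS test results" in l), None)
    if start is None:
        return {}
    rows = {}
    for line in lines[start + 1:]:
        tokens = line.split()
        # A result row is the DC name followed by exactly one status per column.
        if len(tokens) == len(COLUMNS) + 1 and all(t in STATUSES for t in tokens[1:]):
            rows[tokens[0]] = dict(zip(COLUMNS, tokens[1:]))
    return rows


def problem_dcs(summary):
    """Keep only DCs with at least one FAIL or WARN, with just the offending columns."""
    return {dc: {c: s for c, s in cols.items() if s in ("FAIL", "WARN")}
            for dc, cols in summary.items()
            if any(s in ("FAIL", "WARN") for s in cols.values())}


def _name_matches(full, short):
    """The summary uses the short host name; the breakout header uses the FQDN."""
    f, s = full.lower(), short.lower()
    return f == s or f.startswith(s + ".")


def breakout_section(log_text, dc_name):
    """Lines from 'DC: <name>' up to the next DC's header or the summary table."""
    section, collecting = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("DC: "):
            if collecting:
                break  # reached the next domain controller's section
            collecting = _name_matches(line[4:], dc_name)
        elif line.startswith("Summary of DNS test results"):
            break  # breakout sections end where the summary begins
        if collecting:
            section.append(line)
    return section


def messages(section):
    """Only the Error: and Warning: lines, which carry the actionable detail."""
    return [l for l in section if l.startswith(("Error:", "Warning:"))]


def report(log_text):
    """{dc: (offending columns, error/warning lines)} for every problem DC in the log."""
    return {dc: (bad, messages(breakout_section(log_text, dc)))
            for dc, bad in problem_dcs(parse_summary(log_text)).items()}


if __name__ == "__main__":
    for dc, (bad, msgs) in report(CONSTRUCTED_LOG).items():
        print(f"{dc}: {bad}")
        for m in msgs:
            print(f"   {m}")
```

To use it on a real run, read the file written by /f:filename into a string and pass it to report(); after the configuration changes the slide calls for, rerun DCDIAG and diff the two reports to confirm the FAIL and WARN entries are gone.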
Known issues
DCDIAG /TEST:DNS does not perform comprehensive Best Practices checks. No warnings or errors will be logged for single point-of-failure configurations such as a single defined DNS resolver, forwarder, or delegation.
Servers that are targeted by the DCDIAG /TEST:DNS tool must be registered in WINS to be discovered by the tool.
Known issues (2)
In child domains, any configured root hints or forwarders will be tested for resolution of root domain records.
This test will occur even if a copy of the root zone, a stub zone, or a conditional forwarder is hosted locally.
DCDIAG /TEST:DNS will report an error when these external servers cannot resolve the forest root domain.
Known issues (3)
DCDIAG /TEST:DNS /DNSBASIC does a pointer (PTR) query for the loopback address of each listed forwarder or root hints server. BIND or other third-party DNS servers that do not configure the loopback zone will return “name does not exist.” DCDIAG /TEST:DNS interprets this response as INVALID, the query fails, and you receive the following message:
DNS server: 192.168.2.1 ()
6 test failures on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.2.1
[Error details: 9002 (Type: Win32 - Description: DNS server failure.)]
Known issues (4)
In environments that are configured by using the Branch Office Deployment Guide and that have the DNSAvoidRegisterRecord registry key set, each server that has the key set will generate WARN messages when the server is examined by the /DnsRecordRegistration test.
If the primary DNS resolver is set to 127.0.0.1 (loopback), DCDIAG /TEST:DNS will report errors for the /DnsRecordRegistration test.
127.0.0.1 is the default configuration when Windows Server 2003 DCPROMO configures DNS automatically.
To correct the reported error, change the DNS resolver from the loopback address to the actual IP address of the local computer.
Thank you for joining us for today’s event.
For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), visit the Support WebCast site at http://support.microsoft.com/WebCasts/.
We sincerely appreciate your feedback. Please submit any comments or suggestions about the Support WebCasts on the “Contact Us” page of the Support Web site at http://support.microsoft.com/servicedesks/webcasts/feedback.asp.
© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
