Troubleshooting DNS Server Service

If you suspect the DNS problem is on the server itself, you can begin troubleshooting on the server. There are, of course, many troubleshooting techniques. This section covers the key ones you'll want to use.

Check the Server's TCP/IP Configuration

When you are troubleshooting DNS on a DNS server, start with the server's TCP/IP configuration. As discussed previously, display the TCP/IP configuration by typing netsh interface ip show config at the command prompt. After you verify or modify the TCP/IP configuration as necessary, you can continue to troubleshoot. Like DNS clients, DNS servers have a resolver cache. The cache on servers is for query responses to lookups the server has performed either on behalf of clients or for its own name resolution purposes.

Check the Server's Cache

If the problem with DNS is that you think the server has stale records, you can check the DNS Server cache (as opposed to DNS Client cache) by using the following command:

dnscmd ServerName /zoneprint .

where ServerName is the name or IP address of the DNS server and "." indicates that you want to examine the server cache. This cache list includes the root name servers being used by the server.

If necessary, you can force a server to clear out its cache. In the DNS console, right-click the server entry, and select Clear Cache. You can clear the cache at the command prompt by typing the following:

dnscmd ServerName /clearcache

where ServerName is the name or IP address of the DNS server whose cache you want to clear.

Check Replication to Other Name Servers

Active Directory replication of changes to DNS zones is automatic. By default, the DNS Server service polls Active Directory for changes to its directory-integrated zones every 180 seconds. This interval is called the directory service polling interval. For advanced configuration needs, you can set it using DNSCMD. Type dnscmd ServerName /config /dspollinginterval Interval, where ServerName is the name or IP address of the DNS server you want to configure and Interval is the polling interval in seconds.

If the problem has to do with failure to replicate changes to secondary servers, start by ensuring zone transfers are enabled (and, while you are there, that they are restricted to the intended secondaries rather than to any server) as discussed in the section entitled "Configuring Zone Transfers" earlier in this chapter. If zone transfers are properly configured, try updating the serial number on the zone records on the primary server. In the DNS console, right-click the server entry and select Update Server Data Files. This increments the serial number of each zone that has changed, and a higher serial number on the primary is what tells a secondary that a transfer is needed.

Examine the Configuration of the DNS Server

Frequently, DNS problems have to do with a DNS server's configuration. Rather than trying to navigate multiple tabs and dialog boxes to find the configuration details, you can use DNSCMD to help you out. You can view a DNS server's configuration by typing dnscmd ServerName /info at the command prompt, where ServerName is the name or IP address of the DNS server you want to check, such as Primary or 10.10.1.52. The output looks like this:

Query result:
Server info
        server name               = corpsvr02.cpandl.com
        version                   = 0ECE0205 (5.2 build 3790)
        DS container              = cn=MicrosoftDNS,cn=System,DC=cpandl,DC=com
        forest name               = cpandl.com
        domain name               = cpandl.com
        builtin domain partition  = DomainDnsZones.cpandl.com
        builtin forest partition  = ForestDnsZones.cpandl.com
        last scavenge cycle       = not since restart (0)
Configuration:
        dwLogLevel                = 00000000
        dwDebugLevel              = 00000000
        dwRpcProtocol             = FFFFFFFF
        dwNameCheckFlag           = 00000002
        cAddressAnswerLimit       = 0
        dwRecursionRetry          = 3
        dwRecursionTimeout        = 15
        dwDsPollingInterval       = 180
Configuration Flags:
        fBootMethod               = 3
        fAdminConfigured          = 1
        fAllowUpdate              = 1
        fDsAvailable              = 1
        fAutoReverseZones         = 1
        fAutoCacheUpdate          = 0
        fSlave                    = 0
        fNoRecursion              = 0
        fRoundRobin               = 1
        fStrictFileParsing        = 0
        fBindSecondaries          = 1
        fWriteAuthorityNs         = 0
        fLocalNetPriority         = 1
  Aging Configuration:
        ScavengingInterval        = 0
        DefaultAgingState         = 0
        DefaultRefreshInterval    = 168
        DefaultNoRefreshInterval  = 168
  ServerAddresses:
Addr Count = 1
        Addr[0] => 192.168.1.50
  ListenAddresses:
        NULL IP Array.
  Forwarders:
        NULL IP Array.
        forward timeout     = 5
        slave               = 0

Table 27-1 summarizes section by section the output from DNSCMD /Info. Using DNSCMD /Config, you can configure most of these options. The subcommand to use is indicated in parentheses in the first column, and examples of acceptable values are indicated in the final column. For example, if you wanted to set fBindSecondaries to use the fast, compressed transfer format (assuming all your secondaries are Windows 2000 or later DNS servers or BIND 4.9.4 or later), you would type dnscmd ServerName /config /bindsecondaries 0, where ServerName is the name or IP address of the DNS server you want to configure. This overrides the default, which gives up efficiency for compatibility with older secondaries.

Table 27-1. DNS Server Configuration Parameters

Section/Entry (Command)

Description

Example/Accepted Values

Server Info

Server name

The FQDN of the DNS server.

corpsvr02.cpandl.com

Version

The operating system version and build. Version 5.2 is Windows Server 2003.

0ECE0205 (5.2 build 3790)

DS container

The directory services container for a DNS server that uses Active Directory–integrated zones.

cn=MicrosoftDNS, cn=System, DC=cpandl,DC=com

Forest name

The name of the Active Directory forest in which the server is located.

cpandl.com

Domain name

The name of the Active Directory domain in which the server is located.

cpandl.com

Builtin domain partition

The default application partition for the domain (replicated to DNS servers in the domain).

DomainDnsZones.cpandl.com

Builtin forest partition

The default application partition for the forest (replicated to DNS servers in the forest).

ForestDnsZones.cpandl.com

Last scavenge cycle

The last time records were aged/scavenged.

not since restart (0)

Configuration

dwLogLevel (/loglevel)

Indicates whether debug logging is enabled. A value other than zeros means it is enabled.

0x0; default, no logging.

dwDebugLevel

The debug logging level, not used. dwLogLevel is used instead.

00000000

dwRpcProtocol (/rpcprotocol)

The protocols over which the DNS server accepts RPC management connections (from the DNS console and DNSCMD). The sample output shows FFFFFFFF, all protocols, which is the default.

0x0; disables remote procedure call (RPC) for DNS.

0x1; uses TCP/IP.

0x2; uses named pipes.

0x4; uses LPC.

0xFFFFFFFF; default, uses all protocols.

dwNameCheckFlag (/namecheckflag)

The name-checking flag. By default, DNS names can be in multibyte Unicode format as indicated by the example entry.

0; Strict RFC (ANSI).

1; Non RFC (ANSI).

2; Multibyte (UTF8).

3; All Names.

cAddressAnswerLimit (/addressanswerlimit)

The maximum number of address (A) records the server returns in response to a query.

0; default with no maximum.

[5–28]; sets a maximum.

dwRecursionRetry (/recursionretry)

The number of seconds the server waits before trying to contact a remote server again.

3

dwRecursionTimeout (/recursiontimeout)

The number of seconds the server waits before stopping contact attempts.

15

dwDsPollingInterval (/dspollinginterval)

How often in seconds Active Directory polls for changes in Active Directory–integrated zones.

180

Configuration Flags

fBootMethod (/bootmethod)

The source from which the server gets its configuration information.

1; loads from BIND file.

2; loads from Registry.

3; loads from Active Directory and the Registry.

fAdminConfigured

Indicates whether the settings are administrator-configured.

1; default for yes.

fAllowUpdate

Indicates whether dynamic updates are allowed.

1; default dynamic updates are allowed.

0; dynamic updates not allowed.

fDsAvailable

Indicates whether Active Directory directory services are available.

1; Active Directory is available.

0; Active Directory isn't available.

fAutoReverseZones (/disableautoreversezone)

Indicates whether automatic creation of the standard reverse lookup zones (0.in-addr.arpa, 127.in-addr.arpa, and 255.in-addr.arpa) is enabled. Note that the DNSCMD parameter is the inverse of the flag: /disableautoreversezone 1 sets fAutoReverseZones to 0.

1; default, enabled.

0; disabled.

fAutoCacheUpdate

Indicates whether the server automatically refreshes its root hints (cache file) from the root servers. This flag is not the cache pollution protection setting; that is controlled with /secureresponses, which the sample output doesn't list.

0; default, root hints are not refreshed automatically.

1; root hints are refreshed automatically.

Secure responses (/secureresponses)

Indicates how server caching works (the Secure Cache Against Pollution option in the DNS console).

0; saves all responses to name queries to cache.

1; default, saves only records in the same DNS subtree as the queried name to cache.

fSlave (/isslave)

Determines how the DNS server responds when forwarded queries receive no response.

0; default, recursion is enabled. If the forwarder does not respond, the server attempts to resolve the query itself using recursion.

1; recursion is disabled. If the forwarder does not respond, the server terminates the search and sends a failure message to the resolver.

fNoRecursion (/norecursion)

Indicates whether the server performs recursive name resolution.

0; default, DNS server performs if requested.

1; DNS server doesn't perform recursion.

fRoundRobin (/roundrobin)

Indicates whether server allows round robin load balancing when there are multiple A records for hosts.

1; default, automatically load balances using round robin for any hosts with multiple A records.

0; disables round robin.

fStrictFileParsing (/strictfileparsing)

Indicates server behavior when it encounters bad records.

0; default, continues to load, logs error.

1; stops loading DNS file and logs error.

fBindSecondaries (/bindsecondaries)

Indicates the zone transfer format for secondaries. By default, DNS server is configured for compatibility with other DNS server types.

1; default, for pre-BIND 4.9.4 compatibility.

0; enables compression and multiple transfers on Windows secondaries and others with BIND 4.9.4 or later.

fWriteAuthorityNs (/writeauthorityns)

Indicates whether the server writes NS records in the authority section of a response.

0; default, writes for referrals only.

1; writes for all successful authoritative responses.

fLocalNetPriority (/localnetpriority)

Determines the order in which host records are returned when there are multiple host records for the same name.

1; default, returns records whose addresses are on the same subnet as the requesting client first (netmask ordering).

0; returns records in the order in which they are stored in DNS.

Aging Configuration

ScavengingInterval (/scavenginginterval)

Indicates the number of hours between scavenging cycles.

0x0; scavenging is disabled.

DefaultAgingState (/defaultagingstate)

Indicates whether scavenging is enabled by default in new zones.

0; default, scavenging is disabled.

1; scavenging is enabled.

DefaultRefreshInterval (/defaultrefreshinterval)

Indicates the default refresh interval in hours for zones on which aging is enabled.

168 (7 days)

DefaultNoRefreshInterval (/defaultnorefreshinterval)

Indicates the default no-refresh interval in hours for zones on which aging is enabled.

168 (7 days)

ServerAddresses

Addr Count

The number of IP addresses configured on the server, followed by each address.

1

Addr[0] => 192.168.1.50

ListenAddresses

Addr Count

The number and value of the IP addresses on which the server listens for requests from clients. NULL IP Array means no specific addresses are designated, so the server listens on all of its addresses.

1

Addr[0] => 192.168.1.50

Forwarders

Addr Count

The number and value of IP addresses of servers configured as forwarders. NULL IP Array when there are no forwarders.

1

Addr[0] => 192.168.12.8

Forward timeout (/forwardingtimeout)

Timeout for queries to forwarders in seconds.

5

Slave

Mirrors fSlave: indicates whether the server falls back to recursion when its forwarders don't respond.

0; recursion is enabled

1; recursion is disabled
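To put Table 27-1 to work, here is an added example (not code from the book) that parses saved /info output and reports the settings a security reviewer questions first: open recursion, server-wide dynamic updates, cache pollution protection, scavenging, and the transfer format. It assumes output in the format shown above and, as an assumption not confirmed by the sample output (which doesn't list it), that a server reporting the cache pollution setting shows it as a flag named fSecureResponses.

```python
"""Audit security-relevant settings in `dnscmd ServerName /info` output.

Added example (not code from the book): parses the `name = value` lines
that DNSCMD prints and reports the settings a reviewer would question
first. Run it against saved output, e.g. dnscmd corpsvr02 /info > info.txt.
"""
import re
import sys
from typing import Dict, List

# Constructed sample: a trimmed copy of the /info output shown in this
# section, keeping only the lines the checks below look at.
SAMPLE_INFO = """\
Query result:
Server info
        server name               = corpsvr02.cpandl.com
        version                   = 0ECE0205 (5.2 build 3790)
        DS container              = cn=MicrosoftDNS,cn=System,DC=cpandl,DC=com
Configuration:
        dwRpcProtocol             = FFFFFFFF
        dwDsPollingInterval       = 180
Configuration Flags:
        fAllowUpdate              = 1
        fSlave                    = 0
        fNoRecursion              = 0
        fBindSecondaries          = 1
  Aging Configuration:
        ScavengingInterval        = 0
  Forwarders:
        NULL IP Array.
        forward timeout     = 5
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z][^=]*?)\s*=\s*(.*?)\s*$")
ADDR = re.compile(r"^\s*Addr\[\d+\]\s*=>\s*(\S+)")


def parse_info(text: str) -> Dict[str, str]:
    """Map every 'name = value' line to its value. The first '=' splits the
    pair, so 'DS container = cn=...,DC=...' keeps its whole value."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if "=>" in line:          # Addr[n] => ip lines belong to parse_addresses
            continue
        m = KEY_VALUE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def parse_addresses(text: str, section: str) -> List[str]:
    """Return the Addr[n] => ip entries listed under a section header
    such as 'Forwarders:' or 'ListenAddresses:'."""
    addrs: List[str] = []
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":"):          # any header starts a new section
            in_section = stripped == section
            continue
        if in_section:
            m = ADDR.match(line)
            if m:
                addrs.append(m.group(1))
    return addrs


def audit_info(text: str) -> List[str]:
    """Return one finding per setting worth a second look."""
    s = parse_info(text)
    forwarders = parse_addresses(text, "Forwarders:")
    findings: List[str] = []

    # Recursion is open unless /norecursion 1 is set, or forwarders are
    # configured together with /isslave 1 (forward-only).
    forward_only = bool(forwarders) and s.get("fSlave") == "1"
    if s.get("fNoRecursion") == "0" and not forward_only:
        findings.append(
            "recursion enabled: every client that can reach this server can use "
            "it as a resolver; use /norecursion 1 on authoritative-only servers")
    if s.get("fAllowUpdate") == "1":
        findings.append(
            "dynamic updates allowed at the server level: confirm each zone shows "
            "'Secure' rather than 'Update' in dnscmd /enumzones")
    # Assumption: a server that reports the cache pollution setting shows it
    # as fSecureResponses; the sample output in the book does not list it.
    if "fSecureResponses" not in s:
        findings.append(
            "cache pollution protection not reported: check "
            "dnscmd /config /secureresponses")
    if s.get("ScavengingInterval") == "0":
        findings.append("scavenging disabled: stale records are never removed")
    if s.get("fBindSecondaries") == "1":
        findings.append(
            "fBindSecondaries = 1: uncompressed zone transfers; set "
            "/bindsecondaries 0 if all secondaries are Windows or BIND 4.9.4+")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INFO
    for finding in audit_info(text):
        print("-", finding)
```

Save the output with dnscmd corpsvr02 /info > info.txt and pass the file name as the argument; with no argument the script audits the embedded sample, which produces five findings. The forward-only exception matters: a server with forwarders and /isslave 1 never recurses on its own, so flagging it for recursion would be noise.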

Another useful command for troubleshooting DNS Server is DNSCMD /Statistics. This command shows you the following information:

  • DNS server time statistics, including the server start time, seconds since start, and the date and time the statistics were last cleared

  • Details on queries and responses, including total queries received and total responses sent, broken down by transport: UDP queries and responses received and sent, and TCP queries and responses received and sent

  • Details on queries by record type, including the exact number of each type of record sent

  • Details on failures and where they occurred, including recursion failures, retry limits reached, and partial answers received

  • Details on dynamic updates: the total number of updates and the status of each update type, followed by breakdowns of the number and status of secure updates, the number of updates that were forwarded, and the types of records updated

  • Details on the memory used by DNS, including the total amount in use, standard allocations, and heap allocations

Tip

Save the stats to a file

Write the output of DNSCMD /STATISTICS to a file so that it doesn't scroll out of the command prompt's screen buffer. This also allows you to go through the stats at your leisure. Type dnscmd ServerName /statistics > FileName, where ServerName is the name or IP address of the DNS server and FileName is the name of the file to use, such as dnscmd corpsvr02 /statistics > dns-stats.txt.

Examine Zones and Zone Records

DNSCMD provides several useful commands for helping you pinpoint problems with records. To get started, list the available zones by typing dnscmd ServerName /enumzones, where ServerName is the name or IP address of the DNS server you want to check. The output shows a list of the zones that are configured as follows:

Enumerated zone list:

        Zone count = 4

Zone name                Type       Storage         Properties
.                        Cache      File
_msdcs.cpandl.com        Primary    AD-Forest       Secure
1.168.192.in-addr.arpa   Primary    AD-Legacy       Secure Rev
cpandl.com               Primary    AD-Domain       Secure Aging

The zone names you can work with are listed in the first column. The other values tell you the type of zone and the way it is configured as summarized in Table 27-2.

Table 27-2. Zone Entries and Their Meanings

Column/Entry

Description

Type

Cache

A cache zone (server cache).

Primary

A primary zone.

Secondary

A secondary zone.

Stub

A stub zone.

Storage

AD-Forest

Active Directory–integrated with forest-wide replication scope.

AD-Legacy

Active Directory–integrated with legacy replication scope to all domain controllers in the domain.

AD-Domain

Active Directory–integrated with domain-wide replication scope.

File

Indicates the zone data is stored in a file.

Properties

Secure

Zone allows secure dynamic updates only and is a forward lookup zone.

Secure Rev

Zone allows secure dynamic updates only and is a reverse lookup zone.

Secure Aging

Zone allows secure dynamic updates only and is configured for scavenging/aging.

Aging

Zone is configured for scavenging/aging but isn't configured for dynamic updates.

Update

Zone is a forward lookup zone configured to allow both secure and nonsecure dynamic updates.

Update Rev

Zone is a reverse lookup zone configured to allow both secure and nonsecure dynamic updates.

Down

Secondary or stub zone hasn't received a zone transfer since startup.
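As an added example (not the book's code), the following script parses /enumzones output and applies Table 27-2 mechanically: it flags zones whose Properties column shows Update (nonsecure dynamic updates, so any host on the network can add or overwrite records), Down (a secondary or stub that has never transferred), and dynamic-update zones without Aging (registered records that are never scavenged). The two extra zones in the sample, lab.cpandl.com and ny.cpandl.com, are constructed for the example and are not part of the listing above.

```python
"""Flag risky zones in `dnscmd ServerName /enumzones` output.

Added example (not code from the book): reads the zone table DNSCMD
prints and reports zones that accept nonsecure dynamic updates, zones
that register records dynamically without aging, and secondaries or
stubs that have never received a transfer.
"""
import sys
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the listing shown in this section plus two zones
# (lab.cpandl.com and ny.cpandl.com) added here to exercise the checks.
SAMPLE_ENUMZONES = """\
Enumerated zone list:

        Zone count = 6

Zone name                Type       Storage         Properties
.                        Cache      File
_msdcs.cpandl.com        Primary    AD-Forest       Secure
1.168.192.in-addr.arpa   Primary    AD-Legacy       Secure Rev
cpandl.com               Primary    AD-Domain       Secure Aging
lab.cpandl.com           Primary    File            Update
ny.cpandl.com            Secondary  File            Down
"""


@dataclass
class Zone:
    name: str
    type: str
    storage: str
    properties: List[str] = field(default_factory=list)


def parse_enumzones(text: str) -> List[Zone]:
    """Parse the whitespace-separated table that follows the 'Zone name' header."""
    zones: List[Zone] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Zone name"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        zones.append(Zone(parts[0], parts[1], parts[2], parts[3:]))
    return zones


def audit_zones(zones: List[Zone]) -> List[str]:
    """Apply the Table 27-2 property meanings and return one finding per problem."""
    findings: List[str] = []
    for z in zones:
        if z.type == "Cache":          # the "." cache zone has no properties to check
            continue
        props = set(z.properties)
        if "Update" in props:
            findings.append(
                f"{z.name}: nonsecure dynamic updates allowed; any host that can "
                "reach the server can add or overwrite records in this zone")
        if "Down" in props:
            findings.append(
                f"{z.name}: {z.type.lower()} zone has not received a zone transfer "
                "since startup; check zone transfer settings on the master")
        if ("Secure" in props or "Update" in props) and "Aging" not in props:
            findings.append(
                f"{z.name}: dynamic updates without aging; records registered by "
                "hosts that are gone are never scavenged")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENUMZONES
    for finding in audit_zones(parse_enumzones(text)):
        print("-", finding)
```

Run it against dnscmd corpsvr02 /enumzones > zones.txt, or with no argument to see the five findings the embedded sample produces. Note that the Update finding on a File-stored primary is expected: secure dynamic updates require Active Directory–integrated storage, so a file-backed zone can only allow nonsecure updates or none at all.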

After you examine the settings for zones on the server, you can print out the zone records of a suspect zone by typing dnscmd ServerName /zoneprint ZoneName at the command prompt, where ServerName is the name or IP address of the DNS server and ZoneName is the name of the zone as reported previously.

Consider the following example:

dnscmd corpsvr02 /zoneprint cpandl.com

Here, you want to examine the cpandl.com zone records on the CORPSVR02 server. The output from this command shows the records in this zone and their settings. Here is a partial listing:

;
;    Zone:      cpandl.com
;    Server:    corpsvr02.cpandl.com
;    Time:      Wed Mar 10 18:38:14 2004 UTC
;
@ [Aging:3534235] 600 A 192.168.1.50
        [Aging:3534235] 3600 NS corpsvr02.cpandl.com.
        3600 SOA corpsvr02.cpandl.com. hostmaster. 383 900 600 86400 3600
        3600 MX 10 exchange.cpandl.com.
_msdcs 3600 NS corpsvr01.cpandl.com.
_gc._tcp.Default-First-Site-Name._sites [Aging:35265] 600 SRV 0 100 3268 corpsvr02.cpandl.com.
_kerberos._tcp.Default-First-Site-Name._sites [Aging:35235] 600 SRV 0 100 88 corpsvr02.cpandl.com.
_ldap._tcp.Default-First-Site-Name._sites [Aging:35335] 600 SRV 0 100 389 corpsvr02.cpandl.com.
_gc._tcp [Aging:3534265] 600 SRV 0 100 3268 corpsvr02.cpandl.com.
_kerberos._tcp [Aging:3534235] 600 SRV 0 100 88 corpsvr02.cpandl.com.
_kpasswd._tcp [Aging:3534235] 600 SRV 0 100 464 corpsvr02.cpandl.com.
corpsvr02 [Aging:3534281] 3600 A 192.168.1.50
corpsvr17 3600 A 192.168.15.22
DomainDnsZones [Aging:3534265] 600 A 192.168.1.50
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones [Aging:35365] 600 SRV 0 100 389 corpsvr02.cpandl.com.
_ldap._tcp.DomainDnsZones [Aging:3534265] 600 SRV 0 100 389 corpsvr02.cpandl.com.
ForestDnsZones [Aging:3534265] 600 A 192.168.1.50
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones [Aging:35365] 600 SRV 0 100 389 corpsvr02.cpandl.com.
_ldap._tcp.ForestDnsZones [Aging:35365] 600 SRV 0 100 389 corpsvr02.cpandl.com.
ny 3600 NS ns1.ny.cpandl.com.
ns1.ny 3600 A 10.10.10.52
www 3600 CNAME corpsvr17.cpandl.com.

As you can see from the listing, DNSCMD /ZONEPRINT shows all the records, even the ones created by Active Directory. This is particularly useful because it means you don't have to try to navigate the many subfolders in which these SRV records are stored.
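Because /zoneprint shows every record, it is also the quickest input for a consistency check. The following added example (not the book's code) parses the listing format shown above, including the [Aging:n] tags and the indented continuation lines under the apex, and reports NS, MX, SRV and CNAME records whose in-zone target has no address record. The sample is a trimmed copy of the partial listing above, so exchange and corpsvr01 are reported as missing; in a complete zone those would be real findings, since a dangling target is at best a stale record and, when it points at a name someone else can register, the classic takeover setup. The zone name cpandl.com is taken from the listing header.

```python
"""Find dangling in-zone targets in `dnscmd ServerName /zoneprint` output.

Added example (not code from the book): parses the record listing that
DNSCMD prints, then checks that every NS, MX, SRV and CNAME target inside
the zone has an address (or CNAME) record of its own.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

ZONE = "cpandl.com"   # from the listing header; pass another zone name if needed

# Constructed sample: a trimmed version of the partial /zoneprint listing
# shown in this section, so exchange and corpsvr01 have no A record here.
SAMPLE_ZONEPRINT = """\
;
;    Zone:      cpandl.com
;    Server:    corpsvr02.cpandl.com
;
@ [Aging:3534235] 600 A 192.168.1.50
        [Aging:3534235] 3600 NS corpsvr02.cpandl.com.
        3600 SOA corpsvr02.cpandl.com. hostmaster. 383 900 600 86400 3600
        3600 MX 10 exchange.cpandl.com.
_msdcs 3600 NS corpsvr01.cpandl.com.
_kerberos._tcp [Aging:3534235] 600 SRV 0 100 88 corpsvr02.cpandl.com.
_ldap._tcp.DomainDnsZones [Aging:3534265] 600 SRV 0 100 389 corpsvr02.cpandl.com.
corpsvr02 [Aging:3534281] 3600 A 192.168.1.50
corpsvr17 3600 A 192.168.15.22
ny 3600 NS ns1.ny.cpandl.com.
ns1.ny 3600 A 10.10.10.52
www 3600 CNAME corpsvr17.cpandl.com.
"""

AGING = re.compile(r"^\[Aging:\d+\]$")
# Position of the target name within the rdata for each record type.
TARGET_FIELD = {"NS": 0, "CNAME": 0, "MX": 1, "SRV": 3}


@dataclass
class Record:
    owner: str        # relative owner name, '@' for the zone apex
    ttl: int
    rtype: str
    rdata: List[str]


def parse_zoneprint(text: str) -> List[Record]:
    """Lines that start with whitespace continue the previous owner;
    an optional [Aging:n] tag precedes the TTL."""
    records: List[Record] = []
    owner = ""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        tokens = line.split()
        if not line[0].isspace():
            owner = tokens.pop(0)
        if tokens and AGING.match(tokens[0]):
            tokens.pop(0)
        records.append(Record(owner, int(tokens[0]), tokens[1], tokens[2:]))
    return records


def to_relative(fqdn: str, zone: str = ZONE) -> Optional[str]:
    """'corpsvr02.cpandl.com.' -> 'corpsvr02'; None if outside the zone."""
    name = fqdn.rstrip(".").lower()
    if name == zone:
        return "@"
    if name.endswith("." + zone):
        return name[: -len(zone) - 1]
    return None


def dangling_targets(records: List[Record], zone: str = ZONE) -> List[str]:
    """Report in-zone NS/MX/SRV/CNAME targets with no A, AAAA or CNAME record."""
    named = {r.owner.lower() for r in records if r.rtype in ("A", "AAAA", "CNAME")}
    findings: List[str] = []
    for r in records:
        idx = TARGET_FIELD.get(r.rtype)
        if idx is None:
            continue
        target = r.rdata[idx]
        rel = to_relative(target, zone)
        if rel is None:      # out-of-zone target: resolve it separately
            continue
        if rel not in named:
            findings.append(
                f"{r.owner} {r.rtype} -> {target}: no address record for '{rel}' in {zone}")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONEPRINT
    for finding in dangling_targets(parse_zoneprint(text)):
        print("-", finding)
```

Feed it dnscmd corpsvr02 /zoneprint cpandl.com > zone.txt. Targets outside the zone (for example a CNAME to a hosting provider) are skipped here because the zone listing cannot say whether they resolve; those are exactly the ones worth querying separately with nslookup, since an external target that no longer resolves is the case an attacker can sometimes claim.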
