-
Exchange 2000 Server: Troubleshooting DNS
Alan Malmberg, Support Engineer, Exchange Connectors - Texas, Microsoft Corporation
May 12, 2004
-
Background Information
-
Name Resolution
Applications that need to communicate with other networked computers require a communication mechanism.
A network operating system is used to facilitate network communication requests.
Applications send their requests to the operating system, which handles the request.
The Windows OS provides a number of API sets to handle such requests, e.g. NetBIOS and Windows Sockets.
-
Name Resolution
Applications written using Windows Sockets can call the gethostbyname() API, which triggers name resolution request(s).
The OS tries to resolve the name that the application passed to it into an IP address.
A Windows OS uses two primary methods for name resolution:
NetBIOS name resolution
Host name resolution
-
Windows NT 4.0
-
NT 4.0 Name Resolution
Generally tries NetBIOS name resolution first, then host name resolution.
NetBIOS name resolution order: NetBIOS name cache, WINS, broadcast, LMHOSTS, HOSTS, DNS
-
NT 4.0 Name Resolution
Host name resolution order: local host name, HOSTS, DNS, NetBIOS name cache, WINS, broadcast, LMHOSTS
-
Windows 2000
-
Simple Query for an FQDN
How does www.microsoft.com become 207.46.230.218?
The client sends a recursive query to its DNS server.
The local DNS server checks its forward zones and cache and returns the answer; if nothing is found:
The local DNS server sends an iterative query to the root servers.
The root servers refer it down the delegation chain to the authoritative name servers (NS) for the domain.
The local DNS server sends an iterative query to the remote NS.
The local DNS server gets the answer from the remote NS and sends the response to the client.
-
Win 2000 Name Resolution
Generally tries host name resolution first, then NetBIOS.
The DNS Client (caching resolver) service is used to reduce network traffic.
The service can be viewed, stopped and started like other services.
To view the cache: ipconfig /displaydns
To clear the cache: ipconfig /flushdns
To stop: net stop "DNS Client" (the service name is Dnscache; the display name needs quotes because it contains a space)
To start: net start "DNS Client"
-
Caching Resolver Service
Performs these tasks:
Name resolution
General caching of queries
Negative caching
Tracks transient network adapters (PnP)
Tracks connection-specific domain names
DNS server list management
Prioritizes records by IP address when multiple A records are returned from a DNS server
-
Caching Resolver Service
When the gethostbyname() API is used:
The resolver submits a query to DNS.
If DNS resolution fails, the resolver checks the length of the name: is it >15 bytes?
If the name is >15 bytes, resolution fails.
If the name is
-
Getting Resolution
-
DNS Name Types
The resolver checks what kind of name is being queried:
Null, e.g. ping localhost
Fully qualified domain name (FQDN), e.g. host.reskit.com.
Single-label, unqualified name (contains no periods), e.g. host
Multiple-label, unqualified name (not terminated with a period), e.g. host.reskit
-
DNS Name Resolution
When given an FQDN: the resolver queries DNS with that name.
When given a multiple-label, unqualified name: the resolver adds a period to the name and queries DNS with the period-terminated name.
If the DNS server returns a "Name does not exist" response to this query, the resolver treats the name just like a single-label, unqualified name.
-
DNS Name Resolution
When given a single-label, unqualified name:
The resolver systematically appends different DNS suffixes to the name, adding periods to create an FQDN.
The resolver submits each name, in turn, to the DNS server and waits for a response.
The resolver stops querying when the name is resolved, or when all DNS suffixes have been tried.
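The name-handling rules on the last three slides, written out as a small model so the order of queries can be checked. This is an added example, not code from the deck or from Microsoft; the "DNS server" is a constructed in-memory table in which a missing name stands for a "Name does not exist" answer, and the suffix list is whatever the caller passes in (the slides do not describe suffix devolution, so none is modelled).

```python
# Model of the Windows 2000 resolver name-handling rules described on the
# slides above.  Added example, not code from the deck or from Microsoft.
# The "DNS server" is a constructed in-memory table; a name that is not in
# the table stands for a "Name does not exist" (NXDOMAIN) answer.
from typing import Dict, List, Optional, Tuple


def classify(name: str) -> str:
    """Return the slide's four name types: null, fqdn, single, multi."""
    if name == "":
        return "null"
    if name.endswith("."):
        return "fqdn"
    if "." not in name:
        return "single"
    return "multi"


def candidates(name: str, suffixes: List[str]) -> List[str]:
    """Period-terminated names the resolver tries, in order.

    fqdn   -> the name itself, once
    multi  -> name + "." first; on NXDOMAIN fall through to the suffix search
    single -> name + "." + suffix for each configured suffix
    null   -> no DNS query at all (local host)
    """
    kind = classify(name)
    if kind == "null":
        return []
    if kind == "fqdn":
        return [name]
    tried: List[str] = [name + "."] if kind == "multi" else []
    tried.extend(f"{name}.{s.strip('.')}." for s in suffixes)
    return tried


def resolve(name: str, suffixes: List[str],
            table: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Walk the candidates until one resolves; return (ip or None, names tried)."""
    tried: List[str] = []
    for fqdn in candidates(name, suffixes):
        tried.append(fqdn)
        ip = table.get(fqdn.lower())
        if ip is not None:
            return ip, tried
    return None, tried


# Constructed zone data for the demo (not real hosts).
ZONE = {
    "host.reskit.com.": "10.0.0.5",
    "mail.corp.example.": "10.1.1.25",
}

if __name__ == "__main__":
    for n in ("host.reskit.com.", "host", "host.reskit", "mail"):
        print(n, "->", resolve(n, ["reskit.com", "corp.example"], ZONE))
```

Two things worth noticing when you run it: the two-label name host.reskit is never completed to host.reskit.com (it is tried as host.reskit. and then as host.reskit.reskit.com.), and every suffix in the list is sent to the DNS server in turn, which is why a wrong entry in the suffix search order shows up later in the deck as a cause of the 5.4.0 "Auth host not found" NDR.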
-
Caching
-
Resolver Cache
The cache is always checked before queries are sent to a DNS server.
Positive and negative responses can be cached, which decreases network traffic.
Positive entries are cached for a maximum period equal to the TTL returned with the record from DNS.
Negative entries are cached for a maximum period equal to the minimum TTL in the SOA record:
cannot be less than one minute
cannot be greater than 15 minutes
-
Resolver Cache
Caching behavior is configurable.
Entries are cached for the number of seconds specified by the TTL, but never for longer than the values specified in the registry.
Q245437 How to Disable Client-Side DNS Caching in Windows 2000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
Set MaxCacheEntryTtlLimit = 1 (default = 86400)
Set NegativeCacheTime = 0 (default = 300)
-
Resolver Cache
View TTLs in the cache: ipconfig /displaydns
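The TTL rules from the three Resolver Cache slides, combined into one model so the interaction between the record TTL, the SOA minimum, the one-minute / 15-minute bounds and the two registry caps can be checked. This is an added example, not code from the deck or from Microsoft; the registry value names and defaults are the ones the deck cites from Q245437, the clock is injected so the behaviour can be exercised offline, and the record data in the test is constructed.

```python
# Model of the Windows 2000 resolver cache TTL rules from the slides above.
# Added example, not the deck's or Microsoft's code.  The registry value
# names are the real Dnscache\Parameters values the deck cites (Q245437);
# the clock is injected so the behaviour can be checked offline.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class CacheParams:
    # Defaults as stated on the slide: MaxCacheEntryTtlLimit=86400, NegativeCacheTime=300.
    max_cache_entry_ttl_limit: int = 86400
    negative_cache_time: int = 300


def positive_lifetime(record_ttl: int, p: CacheParams) -> int:
    """Positive answers live for the record TTL, capped by MaxCacheEntryTtlLimit."""
    return min(record_ttl, p.max_cache_entry_ttl_limit)


def negative_lifetime(soa_minimum_ttl: int, p: CacheParams) -> int:
    """Negative answers live for the SOA minimum TTL clamped to [60, 900] s
    (the slide's one-minute / 15-minute bounds), then capped by
    NegativeCacheTime; 0 disables negative caching altogether."""
    base = max(60, min(soa_minimum_ttl, 900))
    return min(base, p.negative_cache_time)


@dataclass
class ResolverCache:
    params: CacheParams
    now: Callable[[], float]
    # name -> (ip, or None for a negative entry; absolute expiry time)
    entries: Dict[str, Tuple[Optional[str], float]] = field(default_factory=dict)

    def store_positive(self, name: str, ip: str, ttl: int) -> None:
        self.entries[name.lower()] = (ip, self.now() + positive_lifetime(ttl, self.params))

    def store_negative(self, name: str, soa_minimum_ttl: int) -> None:
        life = negative_lifetime(soa_minimum_ttl, self.params)
        if life > 0:
            self.entries[name.lower()] = (None, self.now() + life)

    def lookup(self, name: str) -> Tuple[bool, Optional[str]]:
        """(hit, ip). hit=True with ip=None is a cached negative answer."""
        key = name.lower()
        entry = self.entries.get(key)
        if entry is None or entry[1] <= self.now():
            self.entries.pop(key, None)   # expired entries are dropped on access
            return False, None
        return True, entry[0]

    def flush(self) -> None:
        """What ipconfig /flushdns does."""
        self.entries.clear()


if __name__ == "__main__":
    import time
    c = ResolverCache(CacheParams(), time.time)
    c.store_positive("www.microsoft.com.", "207.46.230.218", 3600)   # constructed record
    c.store_negative("nohost.reskit.com.", 3600)
    print(c.lookup("www.microsoft.com."), c.lookup("nohost.reskit.com."))
```

The negative-cache path is the one that bites during troubleshooting: after fixing a missing record, a client keeps getting "Name does not exist" for up to NegativeCacheTime seconds until the entry expires or ipconfig /flushdns is run, which is why the deck lists the flush command next to every cache slide.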
-
Name Server Lists
-
DNS Queries
If the name is not in the cache, the resolver queries the DNS servers configured on each adapter.
-
DNS Queries
Each adapter can be configured with multiple DNS servers (a server list).
The resolver sends the query to the first DNS server on the preferred adapter's list and waits one second for a response.
If there is no response, the resolver sends the query to the first DNS server listed on every adapter's list and waits two seconds for a response.
If there is no response from any server, the resolver sends the query to all DNS servers on all adapters and waits two seconds for a response.
-
DNS Queries
At the 5 second point, if a response has not been received from any DNS server:
The resolver sends the query to all DNS servers on all adapters and waits four seconds for a response.
If a response is still not received from any DNS server, the resolver sends the query to all DNS servers on all adapters and waits 8 seconds for a response.
If no DNS server responds, the resolver returns a time-out. The total time can be 17 seconds (1 + 2 + 2 + 4 + 8).
If the resolver does not receive a response from any server on a given adapter, it stops querying that adapter's DNS servers for 30 seconds and returns a time-out.
-
Resolver List Management
If the resolver receives a negative response at any point in the process, it removes every server on that adapter from consideration during that particular search.
If the resolver receives a positive response at any point in the process, the resolver stops querying DNS servers, adds the response to the cache and returns the response to the client.
-
Resolver List Management
When the resolver does not receive a response from a particular DNS server, it moves the next DNS server in the list to the top of the list.
The resolver may move servers up or down the list based on how quickly they respond.
Keep the infrastructure as simple as possible; resolver list management behavior is not configurable.
Refer to Q135919 DNS Server Search Order Functionality in Windows NT
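The query schedule and list-management rules from the DNS Queries and Resolver List Management slides, as a simulation that walks the five phases, accounts for the elapsed time, drops an adapter's servers on a negative answer and promotes the next server after a non-response. This is an added example, not code from the deck or from Microsoft. The servers are stubs driven by a callable the caller supplies, and one simplification is assumed and marked in the code: a reply is taken to arrive at the start of a phase, so elapsed time grows only in phases where nobody answers.

```python
# Simulation of the Windows 2000 resolver's server-list query schedule and
# list management from the slides above.  Added example, not the deck's or
# Microsoft's code.  Servers are stubs; a reply is assumed to arrive at the
# start of a phase, so elapsed time only grows when nobody answers.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Reply = Optional[Tuple[str, Optional[str]]]   # ("answer", ip) | ("nxdomain", None) | None


@dataclass
class Adapter:
    name: str
    servers: List[str]            # DNS server list for this adapter, in order


# (which servers to query, seconds to wait) exactly as listed on the slides
PHASES = [("first-preferred", 1), ("first-each", 2), ("all", 2), ("all", 4), ("all", 8)]
TOTAL_TIMEOUT = sum(w for _, w in PHASES)     # 17 s


@dataclass
class SearchResult:
    status: str                   # "answer", "nxdomain" or "timeout"
    ip: Optional[str]
    elapsed: int
    queried: List[str] = field(default_factory=list)


def run_search(name: str, adapters: List[Adapter],
               ask: Callable[[str, str], Reply]) -> SearchResult:
    # Servers still in play for this search, per adapter (a negative answer
    # removes every server on that adapter for the rest of the search).
    live = {a.name: list(a.servers) for a in adapters}
    elapsed, queried = 0, []
    for phase, wait in PHASES:
        targets = []
        for i, a in enumerate(adapters):
            srv = live[a.name]
            if not srv or (phase == "first-preferred" and i != 0):
                continue
            targets += [(a.name, s) for s in (srv if phase == "all" else srv[:1])]
        answered = False
        for ad, s in targets:
            queried.append(s)
            reply = ask(s, name)
            if reply is None:
                continue                      # no response: try the next target
            answered = True
            if reply[0] == "answer":
                return SearchResult("answer", reply[1], elapsed, queried)
            live[ad] = []                     # negative response from this adapter
        if not answered:
            elapsed += wait                   # nobody replied: the full wait elapses
        elif not any(live.values()):
            return SearchResult("nxdomain", None, elapsed, queried)
    return SearchResult("timeout", None, elapsed, queried)


def promote_next(adapter: Adapter, unresponsive: str) -> List[str]:
    """Slide rule: when a server does not respond, the next server in that
    adapter's list is moved to the top for subsequent searches."""
    if unresponsive in adapter.servers:
        i = adapter.servers.index(unresponsive)
        if i + 1 < len(adapter.servers):
            adapter.servers.insert(0, adapter.servers.pop(i + 1))
    return adapter.servers


if __name__ == "__main__":
    # Constructed topology: an internal NIC and a DMZ NIC (addresses are made up).
    nics = [Adapter("LAN", ["10.0.0.1", "10.0.0.2"]), Adapter("DMZ", ["192.168.1.1"])]
    print(run_search("host.reskit.com.", nics, lambda server, n: None))
```

The simulation makes the multihomed-server advice later in the deck concrete: as soon as the internal adapter's first server goes quiet (or answers negatively), the query is sent out of every other adapter, DMZ interface included, which is why each NIC on an Exchange server is supposed to point only at internal AD DNS servers.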
-
CONFIGURATION: Exchange 2000 & DNS
-
Exchange and DNS
Can't install Exchange 2000:
Use DCDiag and NetDiag to review the health of AD.
Usually a DNS problem; make sure DNS is configured properly for the scenario (is Exchange being installed on a 2nd DC or in a child domain? Is DNS configured properly for that computer?).
-
Exchange and DNS
Can't send mail:
Can you telnet to an SMTP server on the Internet?
Can you ping by IP?
Can you get past a firewall or proxy server?
Can you resolve the MX for the domain on the Internet using nslookup?
Can't receive mail:
Can you telnet to the SMTP server from the Internet?
Does the MX for the domain point to the Exchange server?
-
Exchange and DNS
The MX record tells us who the mail server is.
Use internic.org (whois) to find the NS / SOA for the domain, then use nslookup against that authoritative server to find the correct MX.
Exchange bypasses the Proxy client: install DNS on the proxy and set the internal W2K DNS to forward to the proxy for external name resolution.
Problems with reverse lookups: some mail servers attempt a reverse lookup to prevent spam, and the customer may have an SOA for the forward domain but not for the reverse zone.
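The outbound checks on the two slides above (find the MX set, try the exchangers in preference order, fail over on a temporary error, and know which reverse name the other side will look up) as one script. This is an added example, not code from the deck or from Exchange; the MX records and the delivery stub are constructed, example.com is a placeholder domain, and the 4xx failover rule is the behaviour Q303889 in the Resources section is about.

```python
# Orders a domain's MX records and walks them the way an SMTP sender should:
# lowest preference first, 4xx moves on to the next exchanger, 5xx stops.
# Added example, not the deck's or Exchange's code; MX data and the delivery
# stub are constructed.
import random
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class MX:
    preference: int
    exchange: str


def order_mx(records: List[MX], rng: random.Random) -> List[str]:
    """Sort by preference; equal preferences are shuffled so load spreads."""
    ordered: List[str] = []
    for pref in sorted({r.preference for r in records}):
        group = [r.exchange for r in records if r.preference == pref]
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def reverse_name(ip: str) -> str:
    """The in-addr.arpa name a receiving server looks up for the connecting address."""
    a, b, c, d = ip.split(".")
    return f"{d}.{c}.{b}.{a}.in-addr.arpa."


def deliver(hosts: List[str],
            attempt: Callable[[str], int]) -> Tuple[str, List[Tuple[str, int]]]:
    """attempt(host) returns the SMTP reply code for the connection/transaction.
    2xx: delivered.  4xx: transient, fail over to the next MX host.
    5xx: permanent, stop and generate an NDR.  No 2xx at all: leave in retry."""
    log: List[Tuple[str, int]] = []
    for host in hosts:
        code = attempt(host)
        log.append((host, code))
        if 200 <= code < 300:
            return "delivered", log
        if 500 <= code < 600:
            return "permanent-failure", log
    return "retry", log


if __name__ == "__main__":
    # Constructed MX set for a placeholder domain.
    records = [MX(20, "mx2.example.com."), MX(10, "mx1.example.com."),
               MX(10, "mx1b.example.com."), MX(30, "mx3.example.com.")]
    hosts = order_mx(records, random.Random())
    print(hosts)
    print(deliver(hosts, lambda h: 451 if h.startswith("mx1") else 250))
    print(reverse_name("207.46.230.218"))
```

To use it against live DNS, feed order_mx the output of nslookup with set q=mx, and check that reverse_name() of the Exchange server's public address actually has a PTR before the first remote server rejects you for it.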
-
Symptoms
Establish that the problem is in DNS. Common things to look for:
There is a remote queue for the domain which is in retry.
The queue diagnostic indicates DNS, or at the very least, it doesn't indicate something else.
You are getting an NDR with the DNS error code (5.4.0 on E2K SP1, or 5.0.0 prior to that).
Event 4000 in the Application log (could also be an SMTP error).
-
DNS: NDR Error Codes
5.0.0 - The generic error code for all unknown errors. Post E2K SP1 there shouldn't be many of these.
5.4.0 (E2K SP1) - Authoritative DNS failure on the target domain; SMTP outbound protocol error
5.5.0 (E2K SP1) - Generic SMTP protocol error; DNS reverse lookup failure
-
5.4.0 NDR: Auth host not found
DNS suffix search order incorrect
Smarthost entry is incorrect
FQDN name in the HOSTS file (X5: 186120, fixed in W2K SP3)
SMTP VS does not have a valid FQDN
Lookup of your SMTP VS FQDN failed
Contact's domain does not resolve to any SMTP address spaces
-
Verification / Relief
Verifying DNS problems: bypass the DNS server
Q285863 XCON: How to Bypass DNS Name Resolution to Test SMTP Mail Flow
Point the server to a known good DNS server with a forwarder: dialcache021.ns.uu.net (198.6.100.218), dns1.microsoft.com (131.107.1.7), or the ISP's DNS server
Adding an FQDN entry in the Hosts file (if using the core SMTP DNS resolver); beware of X5: 186120
-
Configuration
Configuration issues:
Full computer name (FQDN)
DNS suffix name
Virtual server's FQDN
Forwarding to invalid external DNS servers
Forwarding to root hint servers (timeouts)
Incorrect entries in the hosts file
Incorrect records in DNS
Missing records in DNS
-
Simple rules for DNS
The primary DNS server of a domain should always point to itself as the preferred DNS server; no alternate is needed.
Additional DNS servers of a domain should point to the primary first, and to themselves as alternate.
Clients should only point internally to local DNS.
Always delete the "." zone in DNS.
Use root hints for external name resolution.
Use forwarders to help queries when needed.
-
Suggested DNS configurations
Single NIC machines
Multihomed machines
-
Single NIC Machines
Primary and secondary both point to AD DNS servers.
The DNS server is set up with a forwarder to the ISP.
-
Multihomed Machines
Primary and/or secondary on both NICs point to AD DNS servers.
The DNS server is set up with a forwarder.
Do not register the connection in DNS on the external interface.
-
Multiple AD DNS Servers
AD-integrated or primary/secondary?
For dynamic updates to a standard zone, point the primary DNS setting on the NIC to the primary DNS server for the zone.
For AD-integrated zones, point them to any AD DNS server.
-
External DNS Servers
Do NOT point the Exchange server to an external DNS server (always point internally for DNS first).
Use forwarders for external name resolution.
-
Setting up Forwarders
Right-click the DNS server, Properties, Forwarders tab.
If "Enable forwarders" is grayed out, delete the "." zone.
Must highlight and refresh DANDC.
-
Setting up Forwarders
Now "Enable forwarders" is not grayed out.
-
Forward Lookup Zones
In most DNS lookups, clients typically perform a forward lookup, which is a search based on the DNS name of another computer as stored in an address (A) resource record. This type of query expects an IP address as the resource data for the answered response.
-
Reverse Lookup Zones
DNS also provides a reverse lookup process, enabling clients to use a known IP address during a name query and look up a computer name based on its address.
Q242906 - "DNS Request Timed Out" Error Message When Starting Nslookup (nslookup does a reverse lookup of the DNS server's own address at startup, so a missing PTR for the server shows up there first)
-
_TCP Folder and _ldap
Q178169 - DNS Records Registered by Windows 2000 Domain Controllers
A client looking for a domain controller in the fbody domain would query _ldap._tcp.fbody.com (and _ldap._tcp.dc._msdcs.fbody.com for domain controllers specifically).
-
_TCP Folder and _gc
All GCs are listed in the root _tcp folder.
GC-specific records (mnemonic, type, DNS record):
Gc          SRV  _ldap._tcp.gc._msdcs.<DnsForestName>
GcIpAddress A    _gc._msdcs.<DnsForestName>
GenericGc   SRV  _gc._tcp.<DnsForestName>
-
_kerberos and _kpasswd
Q256289 - Kerberos SRV Records Not Registered in Windows 2000 DNS
This server (the domain controller) is a Kerberos Key Distribution Center.
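The locator names from the _ldap, _gc and _kerberos slides, built for a domain and its forest root, with a check for which of them are missing from DNS and an RFC 2782 ordering of the SRV answer. This is an added example, not code from the deck, from netdiag or from Microsoft; fbody.com is the deck's own example domain, the "registered" set stands in for what netdiag /test:DNS would read back from the server, and the SRV answer in the test is constructed.

```python
# Builds the locator names that Q178169 says a Windows 2000 DC registers and
# selects an SRV target the RFC 2782 way.  Added example, not the deck's or
# Microsoft's code; the SRV answer and the "registered" set are constructed.
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def locator_names(domain: str, forest: str, site: Optional[str] = None) -> Dict[str, str]:
    """Names a client queries to find an LDAP server, a DC, a GC and the KDC.
    GC records hang off the forest root, DC and Kerberos records off the domain."""
    d, f = domain.rstrip("."), forest.rstrip(".")
    names = {
        "ldap":       f"_ldap._tcp.{d}",
        "dc":         f"_ldap._tcp.dc._msdcs.{d}",
        "pdc":        f"_ldap._tcp.pdc._msdcs.{d}",
        "gc":         f"_ldap._tcp.gc._msdcs.{f}",
        "gc_generic": f"_gc._tcp.{f}",
        "gc_a":       f"_gc._msdcs.{f}",          # A record, not SRV
        "kerberos":   f"_kerberos._tcp.{d}",
        "kpasswd":    f"_kpasswd._tcp.{d}",
    }
    if site:  # site-specific variants, which a site-aware client queries first
        names["dc_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{d}"
        names["gc_site"] = f"_ldap._tcp.{site}._sites.gc._msdcs.{f}"
        names["kerberos_site"] = f"_kerberos._tcp.{site}._sites.{d}"
    return names


def missing_records(expected: Dict[str, str], registered: Set[str]) -> List[str]:
    """Locator names absent from DNS (the situation Q256289 describes for Kerberos)."""
    have = {r.lower() for r in registered}
    return sorted(n for n in expected.values() if n.lower() not in have)


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def order_srv(records: List[SRV], rng: random.Random) -> List[SRV]:
    """RFC 2782 ordering: lowest priority first; within a priority, weighted
    random selection without replacement, weight-0 targets last."""
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio and r.weight > 0]
        zeros = [r for r in records if r.priority == prio and r.weight == 0]
        while pool:
            x = rng.randrange(sum(r.weight for r in pool))
            acc = 0
            for r in pool:
                acc += r.weight
                if x < acc:
                    ordered.append(r)
                    pool.remove(r)
                    break
        ordered.extend(zeros)
    return ordered


if __name__ == "__main__":
    names = locator_names("child.fbody.com", "fbody.com", site="Default-First-Site-Name")
    for k, v in names.items():
        print(f"{k:14} {v}")
    # Constructed SRV answer for the dc locator name.
    answer = [SRV(0, 100, 389, "dc1.fbody.com."), SRV(0, 0, 389, "dc0.fbody.com."),
              SRV(10, 100, 389, "dc2.fbody.com.")]
    print([r.target for r in order_srv(answer, random.Random())])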
-
Dynamic Updates
Without this you must enter all addresses manually. Not having this turned on is bad!
Upgrade any BIND DNS servers to version 8.1.2 or later of the BIND software to meet the DNS requirements for Active Directory support.
-
TROUBLESHOOTING: Tools & Demos
-
DNS Troubleshooting Utilities
NetDiag
DCDiag
NSLookup
DSADiag
IPConfig
NLTest
Netmon capture
Regtrace
-
Netdiag
Tests many things, including DNS and DC lists.
NetDiag is a Resource Kit command line utility. From a command prompt, type the commands below in the directory where NetDiag lives.
netdiag /test:DNS
Using the "netdiag /fix" command (without the quotation marks) on the domain controller will verify that all SRV records that are in the Netlogon.dns file are registered on the primary DNS server (Q219289).
Running netdiag with no switches runs all available tests.
Running netdiag /fix will attempt to resolve problems it encounters.
-
DCDiag
dcdiag with no switches will test many things, including connectivity, machine accounts, replication and FSMO roles.
dcdiag /s:servername will test a specific server.
dcdiag /v for verbose output.
-
NSLookup
Used to determine basic DNS connectivity and name resolution.
Extremely powerful tool and probably the best for troubleshooting DNS problems; comes with the OS by default.
Internet gateways for NSLookup: http://www.codeflux.com/tools/
Q200525 Using NSlookup.exe
Q203204 XFOR: How to Obtain MX Records with the Nslookup.exe Utility
Runs against your default DNS server unless specified otherwise.
Can limit the query type, for example: set q=mx
-
DSADiag
Dsadiag includes 2 switches, 1 and 2.
Run dsadiag 1 to get a list of available DCs and GCs, and their status (Up, Down, Fast, and In Sync).
Run dsadiag 2 to force a rediscovery of the topology.
-
IPConfig
ipconfig /all shows configuration info for all adapters.
Useful in determining problems with DNS suffixes and IP addresses.
-
IPConfig (continued)
ipconfig /flushdns clears the local DNS resolver cache.
ipconfig /registerdns forces re-registration of all DNS records (restarting Netlogon does this as well).
On domain controllers: stop Netlogon, remove Netlogon.dns and Netlogon.dnb from C:\WINNT\system32\config, and start Netlogon again.
ipconfig /displaydns shows the local DNS resolver cache.
-
NLTest
Capable of many things, including secure channel resets and site/DC/GC queries.
Run nltest /dsgetsite if Ex2K setup fails with "Could not determine Site Name".
Run nltest /dsgetdc:domain.com to get DC information.
Run nltest /dsgetdc:domain.com /gc to get GC information (same as above, except it returns a DC only if it has the GC flag).
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
-
Netmon Capture
A NetMon trace can also be very useful to see what is being queried for and what fails.
-
Regtrace
Modules = SMTP
Files: if you have isolated that DNS is causing the issue, the source files for DNS are adns.cpp, smtpdns.cpp and remoteq.cxx.
-
Regtrace
DNS - The quickest way to figure out what is wrong in DNS is often to use dnsquery, dnsq.exe or nslookup.exe to troubleshoot. If this is not possible, trace files may be used.
Functions that trace errors:
CAsyncDns::DnsParseMessage in adns.cpp traces the hostname that was attempted to be resolved and the Win32 error code from DNS.
REMOTE_QUEUE::BeginInitializeAsyncDnsQuery in remoteq.cxx traces any errors in issuing the DNS query.
-
Event Viewer: DNS log
All DNS events are logged in the Event Viewer under their own folder, DNS Server.
-
Reverse DNS lookup failures
SMTP Protocol Log: Q265139 XCON: How to Enable Exchange 2000 SMTP Protocol Logging
clntSMTP (MSONLY): for more details check \\exutils\exes\ClntSMTP\ClntSMTP.htm
Telnet: Q153119 XFOR: Telnet to Port 25 of IMC to Test IMC Communication
E2K reverse lookup implementation: Q289521 XIMS: VRFY Command Does Not Work in Exchange 2000
-
Slow DNS
Slowness of the DMZ DNS server can result in mail accumulating in the queues if the domains mail is going to are external domains being resolved by the DMZ resolver.
dnsq.exe can be used to figure out how slow a DNS server is.
Workaround: have more threads doing DNS resolution. The following metabase key controls this:
/SmtpSvc/1/MaxRemQThreads (default is 1)
-
DNS: Queue Diagnostics
"The remote server did not respond to a connection attempt."
This error message can also indicate that the DMZ resolver failed to resolve the target domain (if the VSI is configured as a DMZ) in installations prior to E2K SP1 + W2K SP2.
-
Additional Notes
Ping by name does NOT tell us that DNS is fully functional (it doesn't test the LDAP lookup to the DC/GC).
If the customer has a DNS issue that you can't resolve within a few minutes after this triage, get them to Win2K Networking to resolve the case.
If the customer still has an Exchange 2K issue, they need a new ticket.
-
Geek Slide
Zone files are stored in C:\WINNT\system32\dns if you use a standard primary zone.
If you use Active Directory-integrated DNS, the zone is stored in AD at CN=MicrosoftDNS,CN=System,DC=domain,DC=com
-
Questions?
-
RESOURCES
-
Known DNS issues
Q287667 XFOR: Mail Sits in the Exchange 2000 Outbound Queue
Q277694 DNS behind Proxy cannot resolve Internet names
Q305394 XFOR: Outbound SMTP Mail Stopped With Exchange Behind ISA Server
Q303889 MX Record Failover Does Not Occur When 4xx Error Occurs
Q296215 XFOR: Mail May Not Flow from One Exchange 2000 Server to Another
Q288718 XIMS: Message Cannot Be Sent to Domains with MX Record Pointing
Q251951 XADM: Exchange System Manager Doesn't Verify Smart Host DNS Name
Q287423 XADM: NDR "Unable to forward the message because no directory se
Q287086 XCON: Exchange 2000 will not deliver mail to domains whose MX rec
Q280794 XIMS: Message cannot be sent to domains with MX record pointing
Q277693 DNS Setting on Exchange 2000 Bridgehead Server for Internet Mail
Q264111 XCON: Internet Mail Service Requires Domain Name System Name
Q285863 XCON: How to Bypass DNS Name Resolution to Test SMTP Mail Flow
Q289045 XFOR: "Host Unknown" Message When Sending Outbound Internet Mail
-
Tools
All DNS troubleshooting tools are at:
\\Exutils\Exes
\\Quadra\Tools
-
Internet Gateways
http://www.codeflux.com/Tools
http://www.dnsreport.com
http://www.dnsstuff.com
http://www.network-tools.com/
http://www.wazoo.com/inetutil.html
http://samspade.org/t/
-
Verifying Domain Names
Whois:
http://www.internic.com/whois.html
http://www.codeflux.com/tools/
http://www.networksolutions.com/cgi-bin/whois/whois/
The NSI Registrar database contains ONLY non-military and non-US Government domains and contacts.
-
DNS Server Help File
Installation / Deployment
Configuration & Optimization
How-tos
Concepts
Maintenance
Troubleshooting
Best practices
-
DNS: Recommended Reading
White papers: Windows 2000 Namespace Design; Active Directory Technical Summary; Windows 2000 DNS; Windows 2000 WINS Overview
http://www.microsoft.com/windows/server/technical/default.asp
DNS and BIND (Paul Albitz and Cricket Liu), published by O'Reilly and Associates
Related RFCs: 1034, 1035, 1995, 1996, 2052, 1123, 2136, 2181, 2308
-
RFCs related to Win2K DNS
1034 Domain Names - Concepts and Facilities
1035 Domain Names - Implementation and Specification
1123 Requirements for Internet Hosts - Application and Support
1886 DNS Extensions to Support IP Version 6
1995 Incremental Zone Transfer in DNS
1996 A Mechanism for Prompt DNS Notification of Zone Changes
2136 Dynamic Updates in the Domain Name System (DNS UPDATE)
2181 Clarifications to the DNS Specification
2308 Negative Caching of DNS Queries (DNS NCACHE)
-
Internet drafts related to Win2K DNS
draft-ietf-dnsind-rfc2052bis-02.txt (A DNS RR for Specifying the Location of Services (DNS SRV))
draft-skwan-utf8-dns-02.txt (Using the UTF-8 Character Set in the Domain Name System)
draft-ietf-dhc-dhcp-dns-08.txt (Interaction between DHCP and DNS)
draft-ietf-dnsind-tsig-11.txt (Secret Key Transaction Signatures for DNS (TSIG))
draft-ietf-dnsind-tkey-00.txt (Secret Key Establishment for DNS (TKEY RR))
For additional info please go to: http://www.ietf.org/
-
Exchange 2000 Server: Troubleshooting DNS (end)