
Directory Services

Troubleshooting Advanced DNS Problems


This session reviews the basic concepts related to DNS. In addition, it explains how to delegate DNS to child domains and how to create secondary zones and grant permissions on parent DNS. Finally, this session focuses on how to troubleshoot the advanced problems with DNS.

Session Length: 4 hours
Demonstrations: None
Lab Exercises: 1

Author:

Binu Kumar

See Resources for course documents and references

MICROSOFT CONFIDENTIAL - For Internal Use Only

Before You Begin


Before starting this session, you should understand:
- The basics of DNS.
- How to install and configure DNS using the MMC.
- How Active Directory is dependent upon DNS.


What You Will Learn


After completing this session you will be able to:
- Review the basic concepts related to DNS.
- Delegate DNS to child domains.
- Create secondary zones and grant permissions on parent DNS.
- Understand how to troubleshoot advanced problems with DNS.


Reviewing Basic DNS Concepts

This section reviews basic concepts related to DNS, such as:
- SRV Records
- Zone Types
  - Primary versus Secondary
  - AD Integrated versus Standard storage
- GUID Records
- Disjoint Namespace
  - What is it?
  - How to fix it?

See Workbook for full-size view


Review of SRV Records

DCs dynamically register SRV records with DNS. The Net Logon service registers records under:
- _udp.<DNSDomainName>
- _tcp.<DNSDomainName>
- _sites.<DNSDomainName>
- _msdcs.<DNSDomainName>

Well-known server-type pseudonyms used as prefixes for the _msdcs subdomain:
- "dc" (Domain Controller)
- "gc" (Global Catalog)
- "pdc" (Primary Domain Controller)
- "domains" (Globally unique identifier, or GUID)
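The check a troubleshooter wants at this point is whether the records Netlogon should have registered for each pseudonym actually resolve. The script below is an added example, not part of the course material; it assumes a domain-joined host with Resolve-DnsName available (DnsClient module, Windows 8 / Server 2012 and later). On Windows 2000/2003 the same queries can be issued with nslookup -type=SRV. The gc and domains records are looked up under the forest root, because global catalogs and domain GUIDs are forest-wide objects.

```powershell
# Added example (not from the course material). Assumes Resolve-DnsName and a
# domain-joined host. Equivalent manual check on Windows 2000/2003:
#   nslookup -type=SRV _ldap._tcp.dc._msdcs.<DNSDomainName>
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domainGuid = $domain.GetDirectoryEntry().Guid   # objectGUID of the domain naming context

# Names Netlogon registers under _msdcs for each server-type pseudonym.
# dc and pdc live under the domain; gc and domains live under the forest root.
$expected = [ordered]@{
    'dc (any DC, LDAP)'         = "_ldap._tcp.dc._msdcs.$($domain.Name)"
    'dc (any DC, Kerberos KDC)' = "_kerberos._tcp.dc._msdcs.$($domain.Name)"
    'pdc (PDC emulator)'        = "_ldap._tcp.pdc._msdcs.$($domain.Name)"
    'gc (global catalog)'       = "_ldap._tcp.gc._msdcs.$($forest.Name)"
    'domains (domain GUID)'     = "_ldap._tcp.$domainGuid.domains._msdcs.$($forest.Name)"
}

foreach ($entry in $expected.GetEnumerator()) {
    try {
        # Resolve-DnsName also returns the A records for the targets; keep only SRV.
        $srv = Resolve-DnsName -Name $entry.Value -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        $srv = $null   # NXDOMAIN or server failure
    }
    if (-not $srv) {
        Write-Warning "MISSING  $($entry.Key): $($entry.Value)"
        continue
    }
    foreach ($r in $srv) {
        '{0,-28} {1} -> {2}:{3} (priority {4}, weight {5})' -f `
            $entry.Key, $entry.Value, $r.NameTarget, $r.Port, $r.Priority, $r.Weight
    }
}
```

Add -Server <dc-address> to Resolve-DnsName to query one DNS server directly instead of the client's configured server list and cache. A missing set after a DC promotion usually means Netlogon registration failed; nltest /dsregdns (support tools) asks Netlogon to re-register, after which the script should report every name.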


Review of Zone Types

There are two main zone types:
- Primary zones
  - Standard zone storage, using a text-based file
  - Directory-integrated zone storage, using the Active Directory database
- Secondary zones


Review of GUID Record

To facilitate locating Windows domain controllers, Netlogon registers SRV records that identify the server-type pseudonyms as prefixes in the _msdcs subdomain:
- dc (domain controller)
- gc (Global Catalog)
- pdc (primary domain controller)
- domains (globally unique identifier, or GUID)

[Figure panels: Windows Server 2000 Behavior; Windows Server 2003 Behavior]


Review of Disjoint Namespace


After you install a DC, the DNS suffix of your computer name may not match the domain name that the DC belongs to. A disjoint namespace can occur when the "Change primary DNS suffix when domain membership changes" check box is not selected before the installation. You can diagnose a disjoint namespace by comparing the properties in the dialog box shown on the slide with the Primary DNS Suffix that appears when you run ipconfig /all.
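The comparison the slide describes can be scripted so it is not missed on a DC that has already been promoted. The script below is an added example, not part of the course material; it reads the registry value behind the Primary DNS Suffix that ipconfig /all displays and the domain membership reported by WMI, and flags the two disjoint conditions (mismatch, or empty suffix). The registry value names are the documented Windows values; the output layout is this example's own.

```powershell
# Added example (not from the course material). Run on the DC being checked.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$primarySuffix = $params.Domain                    # "Primary Dns Suffix" in ipconfig /all
$syncSuffix    = $params.SyncDomainWithMembership  # 1 = "Change primary DNS suffix when
                                                   #      domain membership changes" is checked
$cs       = Get-WmiObject -Class Win32_ComputerSystem
$adDomain = $cs.Domain                             # DNS name of the AD domain (workgroup name if not joined)

"Computer name         : $($cs.Name)"
"Primary DNS suffix    : $primarySuffix"
"AD domain             : $adDomain"
"Suffix follows domain : $syncSuffix"

if (-not $cs.PartOfDomain) {
    Write-Warning 'Not domain-joined; the disjoint namespace check does not apply.'
} elseif ([string]::IsNullOrEmpty($primarySuffix)) {
    Write-Warning 'DISJOINT: primary DNS suffix is empty; the host FQDN is not inside the domain zone.'
} elseif ($primarySuffix -ne $adDomain) {          # -ne is case-insensitive in PowerShell
    Write-Warning "DISJOINT: primary DNS suffix '$primarySuffix' does not match AD domain '$adDomain'."
} else {
    'OK: primary DNS suffix matches the AD domain.'
}

if ($syncSuffix -ne 1) {
    Write-Warning 'SyncDomainWithMembership is not 1: the suffix will not follow future domain changes.'
}
```

A DISJOINT result means the computer's full name (host name plus suffix) lies outside the zone for its own domain, which is exactly the condition the slide tells you to look for by comparing the dialog box with ipconfig /all.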


Delegating DNS to Child Domains

Two options to consider when implementing Name Resolution in child domains:
- Using Parent Domain DNS servers: this keeps DNS administration to a minimum number of servers.
- Using Child Domain DNS servers: names within a zone can also be delegated to other zone(s).


Deciding to Use Parent Domain DNS Servers or Child Domain DNS Servers

When deciding whether to divide your DNS namespace to make additional zones, you should consider the following:
- Need to delegate zone management
- Need to divide a large zone into smaller zones
- Need to extend the namespace


Using Child Domain DNS Servers (Slide 1 of 3)

A customer who is running Windows Server 2000 (that has both a parent and child domain) will typically create a delegation record in the parent zone for the child domain. As new DNS servers are added to the child domain, the delegation record must be updated manually on the parent DNS server to reflect those new DNS servers.

See Workbook for full-size view


Using Child Domain DNS Servers (Slide 2 of 3)

Configuring Child Domain DNS Servers and Their Clients

1. Manually create a Delegation for the Child Domain on the Parent (Root) DNS Server.
2. Install DNS on the Child Domain Server.
3. Create a Child Zone on the Child Domain Server and have the clients in the Child domain point to it.

Optional Configuration Considerations
- Change the TCP/IP address of the DNS server to point to its own TCP/IP address.
- Integrate DNS with the Active Directory on the child DNS server.
- Add the parent (root) DNS server as a forwarder on the child DNS server.


See Workbook for full-size view


Using Child Domain DNS Servers (Slide 3 of 3)

Using Forwarders

If a DNS server does not have the data to resolve a query in its cache or in its zone data, it forwards the query to another DNS server, known as a forwarder. Forwarders are ordinary DNS servers and require no special configuration.

Windows Server 2003 Conditional Forwarding
- Windows 2000: forwards all unresolved queries to the forwarder.
- Windows Server 2003: can specify which forwarder to use based on namespace.

Forwarder Configuration Tips
- Keep forwarder configuration uncomplicated.
- Avoid chaining your forwarders.
- Do not create inefficient resolution using forwarders.
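The three configuration steps, the optional items and the forwarder setup from the slides above, written out as a command sequence rather than MMC clicks. This is an added example, not the course's own procedure: it uses dnscmd (Windows Server support tools) and netsh, and every zone name, host name and address in it is a placeholder to be replaced. The Windows Server 2003 conditional forwarder is shown commented out as the alternative to a catch-all forwarder.

```powershell
# Added example (not from the course material). Placeholder names/addresses.
$parentZone   = 'corp.example'
$childZone    = "child.$parentZone"
$parentServer = "dns1.$parentZone";   $parentIp = '10.0.0.5'
$childServer  = "dns1.$childZone";    $childIp  = '10.1.0.5'

# Step 1. Delegation on the parent (root) DNS server: an NS record for the
#   child subdomain plus a glue A record so resolvers can reach the child
#   server. Repeat both lines for every DNS server added to the child domain;
#   Windows 2000/2003 do not update the delegation for you.
dnscmd $parentServer /RecordAdd $parentZone child NS "$childServer."
dnscmd $parentServer /RecordAdd $parentZone dns1.child A $childIp

# Step 2 is installing the DNS server role on the child domain server.
# Step 3. Create the child zone on the child domain server. /DsPrimary stores
#   it in Active Directory (optional item 2; the child server must be a DC);
#   use "/Primary /file child.corp.example.dns" for a standard file-backed zone.
dnscmd $childServer /ZoneAdd $childZone /DsPrimary

# Optional item 1 (run on the child server itself): point its own TCP/IP DNS
#   setting at itself. Child clients get the same address through DHCP or
#   their TCP/IP properties.
netsh interface ip set dns "Local Area Connection" static $childIp

# Optional item 3: forward whatever the child cannot answer to the parent.
#   /Slave stops the child from falling back to root hints when the
#   forwarder does not answer, which keeps resolution predictable.
dnscmd $childServer /ResetForwarders $parentIp /Slave

# Windows Server 2003 alternative: conditional forwarder for the parent
#   namespace only, leaving other names to the normal forwarders/root hints.
# dnscmd $childServer /ZoneAdd $parentZone /Forwarder $parentIp

# Verify before pointing any client at the child: the parent must hand out
#   the delegation and the child must answer authoritatively for its zone.
nslookup -type=NS  $childZone $parentServer
nslookup -type=SOA $childZone $childServer
```

The two nslookup queries are the quickest way to tell a delegation problem (parent has no NS/glue for the child) from a child-server problem (child zone missing or not loaded), which is the distinction you need before touching forwarders.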



Creating Secondary Zones in DNS

Recommended practice calls for at least two DNS servers in each zone.

For standard primary zones, a secondary server is required for the zone to be added and configured so that it appears on other DNS servers in the network. For directory-integrated primary zones, secondary servers are supported but not required for this purpose. Secondary zones are also used for cross-forest trusts and for separate trees in the same forest.


Secondary Zones for Name Resolution

Secondary servers:
- Can provide a means to offload DNS query traffic.
- Can provide some name resolution in the zone if the primary server is unavailable.


Transferring Information

A secondary server relies on DNS zone transfer mechanisms to obtain its information and keep it current. When a new DNS server is configured as a secondary server for an existing zone, it performs a full transfer of the zone.

For earlier DNS server implementations, full zone transfers were always used for updating zone information. For Windows 2000 Server and above, the DNS service supports incremental zone transfers.


Creating Secondary Zones

To create secondary zones:

1. Open DNS.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click New Zone.
4. Follow the instructions in the New Zone Wizard.
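The same result from the command line, together with the part the wizard does not do for you: granting the secondary permission to pull the zone from the primary (the "permissions on parent DNS" in this session's title) while refusing transfers to anyone else. This is an added example, not the course's own procedure; it uses dnscmd and nslookup, and the zone name, host names and addresses are placeholders.

```powershell
# Added example (not from the course material). Placeholder names/addresses.
$zone      = 'corp.example'
$primary   = 'dns1.corp.example';   $primaryIp   = '10.0.0.5'
$secondary = 'dns2.corp.example';   $secondaryIp = '10.0.0.6'

# On the primary: allow zone transfers only to the listed secondary and
#   notify it of changes. Allowing transfer "to any server" hands the whole
#   zone (every host name and address) to whoever asks, so keep the list
#   explicit. The same setting applies when the secondary belongs to another
#   forest or tree that you trust.
dnscmd $primary /ZoneResetSecondaries $zone /SecureList $secondaryIp /NotifyList $secondaryIp

# On the secondary: create the zone as a secondary with the primary as its
#   master, then pull the initial full transfer now instead of waiting for
#   the SOA refresh interval.
dnscmd $secondary /ZoneAdd $zone /Secondary $primaryIp
dnscmd $secondary /ZoneRefresh $zone

# Verify by comparing SOA serial numbers on both servers; they must match
#   once the transfer completes. Incremental transfers (Windows 2000 and
#   later) still advance this serial on every change, so the comparison
#   works for both full and incremental transfers.
nslookup -type=SOA $zone $primary
nslookup -type=SOA $zone $secondary
```

If the serials differ after /ZoneRefresh, check the DNS event log on the secondary first: a transfer refused by the primary (secondary not in the allowed list) and a primary that is unreachable produce different errors, and that tells you which server to fix.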


Troubleshooting Advanced Problems with DNS

The common advanced problems with DNS are as follows:
- Disjointed Namespace Problem
- Root Zone Problem
- Island Server Problem


LAB 1: Troubleshooting Advanced DNS Problems


During this lab session, you will:
- Run MPSReports to troubleshoot DNS configuration issues.
- Review advanced DNS problems.
- Reconfigure DNS using Forwarders and Delegations.
- Reconfigure DNS to use Active Directory Integrated with stub zones.

See Lab Manual


Resources
For additional information, see:
- http://support.microsoft.com/default.aspx?scid=KB;EN-US;257623
- http://support.microsoft.com/default.aspx?scid=KB;EN-US;262376
- http://support.microsoft.com/default.aspx?scid=KB;EN-US;291382
- http://support.microsoft.com/default.aspx?scid=KB;EN-US;837513
- http://support.microsoft.com/default.aspx?scid=KB;EN-US;247811
- http://support.microsoft.com/default.aspx?scid=KB;EN-US;267855
- http://support.microsoft.com/default.aspx?scid=KB;EN-US;824449
- http://support.microsoft.com/default.aspx?scid=KB;EN-US;255248
- http://support.microsoft.com/default.aspx?scid=KB;EN-US;304491
- http://support.microsoft.com/default.aspx?scid=KB;EN-US;275278
- http://support.microsoft.com/default.aspx?scid=KB;EN-US;300684
- http://support.microsoft.com/default.aspx?scid=KB;EN-US;826743


Summary
Topics discussed in this session include:
- Basic concepts related to DNS
- Delegating DNS to child domains
- Creating secondary zones and granting permissions on parent DNS
- Troubleshooting advanced problems with DNS


Presenter

Binu Kumar, MCSE (NT4, 2000, 2003), ADSE, MCA
Technical Lead - Microsoft Small Business Server
v-2bikum@mssupport.microsoft.com
Phone: 425-635-3106 * 66113
Hours: Mon - Fri 4am - 1pm PST

