
Using DNSLint

jacob


    1. Using DNSLint


    3. Using DNSLint (2): Presentation Content
       - Help diagnose “lame delegation”
         - “Lame delegation” explained
         - How to diagnose “lame delegation”
         - Using DNSLint to diagnose “lame delegation”
       - Help troubleshoot Microsoft Active Directory replication issues
         - How Active Directory replication relies on DNS
         - Using DNSLint to troubleshoot replication issues
       - Verify important DNS records
         - How to use DNSLint to verify important DNS records

    4. Lame Delegation: Explained
       - DNS administrators use “delegations” to assign authority for DNS subdomains to DNS servers
       - This technique provides flexibility and scalability

    5. Lame Delegation (2): Explained (diagram only)

    6. Lame Delegation (3): Explained (diagram only)

    7. Lame Delegation (4): Explained
       - Lame delegation occurs when:
         - Authority for a DNS subdomain is delegated to a DNS server, AND
         - That DNS server either does not exist or does not act authoritatively for the subdomain

    8. Lame Delegation (5): Explained (diagram only)

    9. Lame Delegation (6): Explained (diagram only)

    10. Lame Delegation (7): Explained
        - Lame delegation problems are compounded when other DNS issues are present
          - For example, if DNS domain information is not the same on all authoritative DNS servers for a domain
          - Can lead to intermittent name resolution difficulties

    11. Lame Delegation (8): Explained
        - Mail Exchange (MX) records are configured, but glue records are missing
          - Can result in inconsistent e-mail delivery

    12. Lame Delegation: Troubleshooting
        To diagnose lame delegation on an Internet domain name, follow these steps:
        1. Contact InterNIC or another Internet registry service
           - Has the domain name been registered?
           - What are the names of the DNS servers that are registered as authoritative for the domain?
        2. Determine the IP addresses of the authoritative DNS servers identified in step 1

    13. Lame Delegation (2): Troubleshooting
        3. Use Nslookup.exe to query each DNS server for each record type (NS, MX, A) separately
           - You may discover other authoritative DNS servers for the domain
           - These "additional" DNS servers must also be queried
           - Repeat this step until all DNS records on all DNS servers have been documented

    14. After collecting all DNS data:
        4. Compare records from each authoritative DNS server to all other authoritative DNS servers
           - Verify that all record data is correct, valid, and the same on each server
        5. Fix identified problems
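The four data-gathering steps above, as an added example that is not part of the presentation and is not DNSLint's code: a Python script that follows the same procedure against a constructed in-memory snapshot of four name servers (the addresses, zone data and planted faults are all assumptions), so that it runs offline. One server answers without authority, one never answers, one holds different A data and one advertises an MX host that it cannot resolve; the findings it returns are the ones slides 10, 11 and 19 describe.

```python
"""Simulated walk through steps 1-4 of the lame delegation procedure (added
example, not part of the presentation and not DNSLint's code). query() answers
from an in-memory snapshot instead of sending DNS packets; all addresses, zone
data and the planted misconfigurations are constructed for illustration."""

# What each server would answer. None = never responds ("does not exist");
# aa False = answers but is not authoritative for the zone.
SNAPSHOT = {
    "169.254.10.22": {"aa": True, "records": {
        ("reskit.com", "NS"): ["ns1.reskit.com", "ns2.reskit.com",
                               "ns3.reskit.com", "ns4.reskit.com"],
        ("reskit.com", "MX"): ["mail.reskit.com"],   # MX without glue (slide 11)
        ("reskit.com", "A"): ["169.254.10.5"],
        ("ns1.reskit.com", "A"): ["169.254.10.22"],
        ("ns2.reskit.com", "A"): ["169.254.10.23"],
        ("ns3.reskit.com", "A"): ["169.254.10.24"],
        ("ns4.reskit.com", "A"): ["169.254.10.25"],
    }},
    "169.254.10.23": {"aa": False, "records": {}},   # lame: not authoritative
    "169.254.10.24": None,                            # lame: never responds
    "169.254.10.25": {"aa": True, "records": {
        ("reskit.com", "NS"): ["ns1.reskit.com", "ns2.reskit.com",
                               "ns3.reskit.com", "ns4.reskit.com"],
        ("reskit.com", "MX"): ["mail.reskit.com"],
        ("reskit.com", "A"): ["169.254.10.6"],        # stale: differs from ns1 (slide 10)
        ("mail.reskit.com", "A"): ["169.254.10.30"],
    }},
}

# Step 1 output: servers the registry lists as authoritative (constructed).
# ns4 is not registered; it is only discovered from ns1's NS answer.
REGISTRY_NS = {"ns1.reskit.com": "169.254.10.22", "ns2.reskit.com": "169.254.10.23"}
LAME_REASON = {"noresponse": "does not respond", "nonauth": "not authoritative"}


def query(server_ip, name, rtype):
    """Simulated DNS query: returns (status, answers)."""
    server = SNAPSHOT.get(server_ip)
    if server is None:
        return "noresponse", []
    if not server["aa"]:
        return "nonauth", []
    return "ok", server["records"].get((name.lower(), rtype), [])


def resolve_ns_ip(ns_name, known_ips, responders):
    """Step 2: registry data first, then glue (A) from servers that answered."""
    if ns_name in known_ips:
        return known_ips[ns_name]
    for ip in responders:
        status, addrs = query(ip, ns_name, "A")
        if status == "ok" and addrs:
            return addrs[0]
    return None


def audit(domain, registry_ns):
    """Step 3: query every server for NS, MX and A, add servers they name, repeat
    until nothing new appears. Step 4: compare answers and check MX glue."""
    known_ips, pending, seen = dict(registry_ns), list(registry_ns), set()
    documented, lame, responders = {}, {}, []
    while pending:
        ns_name = pending.pop(0)
        if ns_name in seen:
            continue
        seen.add(ns_name)
        ip = resolve_ns_ip(ns_name, known_ips, responders)
        if ip is None:
            lame[ns_name] = "no address found"
            continue
        known_ips[ns_name] = ip
        answers = {}
        for rtype in ("NS", "MX", "A"):
            status, values = query(ip, domain, rtype)
            if status != "ok":
                lame[ns_name] = LAME_REASON[status]
                break
            answers[rtype] = sorted(values)
        if ns_name in lame:
            continue
        documented[ns_name] = answers
        responders.append(ip)
        new = [n for n in answers["NS"] if n not in seen and n not in pending]
        pending.extend(new)

    inconsistent = {}   # record types whose data differs between servers
    for rtype in ("NS", "MX", "A"):
        if len({tuple(a[rtype]) for a in documented.values()}) > 1:
            inconsistent[rtype] = {ns: a[rtype] for ns, a in documented.items()}

    missing_glue = []   # (server, MX host) where the host has no A record
    for ns_name, answers in documented.items():
        for host in answers["MX"]:
            if not query(known_ips[ns_name], host, "A")[1]:
                missing_glue.append((ns_name, host))
    return {"documented": documented, "lame": lame,
            "inconsistent": inconsistent, "missing_glue": missing_glue}


if __name__ == "__main__":
    report = audit("reskit.com", REGISTRY_NS)
    for ns, reason in report["lame"].items():
        print(f"lame delegation: {ns} {reason}")
    print("inconsistent:", report["inconsistent"])
    print("missing glue:", report["missing_glue"])
```

Step 5 (fixing) is left to the administrator, as it is in DNSLint. The loop stops only when every server named in any NS answer has been queried, which is what makes the "repeat this step" instruction on slide 13 terminate in practice.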

    15. Lame Delegation: Using DNSLint
        - DNSLint is designed to be an "expert system"
        - It reduces the effort needed to troubleshoot DNS issues
        - Performs all of the aforementioned steps (except step 5)

    16. Lame Delegation (2): Using DNSLint
        - Two ways to check a domain name:
        - Check a name in one of these domains on the Internet: .com, .net, and .org
          - Run: dnslint /d domain_name
          - Example: dnslint /d reskit.com

    17. Lame Delegation (3): Using DNSLint
        - Check a name registered in a domain other than .com, .net, or .org on the Internet, OR check a name in a private namespace
          - Run: dnslint /d domain_name /s <DNS_IP>
          - Where <DNS_IP> is the IP address of the DNS server authoritative for the domain
          - Example: dnslint /d na.reskit.local /s 169.254.10.22

    18. Lame Delegation (4): Using DNSLint
        - Creates a report in HTML format
        - Lists useful information:
          - Server responding
          - SOA data for zone
          - Additional authoritative DNS servers
          - Host (A) records for name
          - Mail Exchange (MX) and glue records for name
          - Summary of errors and warnings

    19. Lame Delegation (5): Using DNSLint
        - Summary of errors and warnings:
          - Nonresponsive DNS servers
          - Nonauthoritative DNS servers
          - Missing glue records
        - Helps determine what must be fixed

    20. Lame Delegation (6): Using DNSLint
        - Other useful options:
          - /c runs e-mail server connectivity tests
            - Tries to connect to servers identified in MX/glue records
            - By default, connects to TCP ports 25, 110, 143
            - Can specify which ports to verify by using a comma-separated list: /c smtp,pop,imap

    21. Lame Delegation (7): Using DNSLint
        - Other useful options:
          - /v verbose output to screen
          - /t creates an additional report in text format
          - /y overwrites old reports without prompting
          - /test_tcp tests whether the DNS server responds on TCP port 53
          - /no_open prevents the report from automatically opening

    22. Active Directory Replication: Replication and DNS
        - Active Directory replication relies on DNS to resolve names to IP addresses as required
        - DCs typically register a variety of DNS records when their Netlogon service starts
        - List of these records: Q178169, “DNS Records Registered by Windows 2000 Domain Controllers”

    23. Active Directory Replication (2): Replication and DNS
        - When a domain controller (DC) wants to replicate with another domain controller, it uses DNS to find the other domain controller
        - DC1 queries Active Directory looking for configured replication partners
          - Replication partners are typically defined by the Knowledge Consistency Checker (KCC)
          - Can also be defined manually
        - DC1 only knows the name of the domain controller to replicate with (DC2)

    24. Active Directory Replication (3): Replication and DNS
        - DC1 finds the Globally Unique Identifier (GUID) in Active Directory matching the name of DC2
          - Each domain controller in the forest should have its own unique GUID
        - DC1 sends a recursive DNS query to the locally configured DNS server for the CNAME record

    25. Active Directory Replication (4): Replication and DNS
        - Record format: guid._msdcs.<root of Active Directory forest>
          - Where guid is the GUID DC1 found in Active Directory
          - Where <root of Active Directory forest> is the DNS name of the forest root domain
        - Example: 91f9b084-4876-4b59-be17-59e74c340221._msdcs.reskit.com

    26. Active Directory Replication (5): Replication and DNS
        - DC1’s locally configured DNS server should respond to the query for the CNAME with an alias
          - The alias is another name for the GUID
        - Example: dc-02.na.reskit.com

    27. Active Directory Replication (6): Replication and DNS
        - DC1 must resolve the alias to an IP address
        - DC1 sends a recursive DNS query to the locally configured DNS server for the Host (A) record that matches the name of the alias
        - The DNS server should respond with the IP address that has been mapped to the alias
          - Example: 169.254.66.7
        - DC1 can now connect to DC2 and replicate Active Directory data

    28. Active Directory Replication: Troubleshooting Replication with DNSLint
        - DNSLint can help determine whether the DNS records used for Active Directory forest replication can be resolved
        - Example: dnslint /ad 169.254.32.1 /s 169.254.10.22
          - /ad specifies a DC used to find the GUIDs of the DCs in the forest
          - /s specifies the IP address of a DNS server that is authoritative for the _msdcs.<forest root> zone

    29. Active Directory Replication (2): Troubleshooting Replication with DNSLint
        - DNSLint first contacts the Active Directory DC specified after the /ad switch using LDAP
          - It queries this DC for all GUIDs in the Active Directory forest
        - DNSLint then sends a DNS query to the DNS server specified using /s
          - This DNS server must be authoritative for _msdcs.<root of Active Directory forest>
          - DNSLint checks for zone delegation

    30. Active Directory Replication (3): Troubleshooting Replication with DNSLint
        - DNSLint tries to discover other DNS servers that are authoritative for the root of the Active Directory forest
        - It queries the DNS servers for the CNAME records for the GUIDs found in Active Directory
        - It also tries to resolve the glue (A) records for each alias

    31. Active Directory Replication (4): Troubleshooting Replication with DNSLint
        - DNSLint can also help determine whether the DNS records used for replication can be resolved by a particular domain controller
        - Example: dnslint /ad /s localhost
          - When run on a DC, it verifies whether that DC can resolve the DNS records used in replication
          - Useful when troubleshooting replication problems on a particular domain controller

    32. Active Directory Replication (5): Troubleshooting Replication with DNSLint
        - It creates a report in HTML format
        - Report includes:
          - All GUIDs found in Active Directory
          - DNS servers found to be authoritative for the root of the Active Directory forest
          - Results of all CNAME and glue (A) record queries to those DNS servers
          - Which CNAME and glue (A) records were missing on each DNS server
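The resolution chain in slides 23 to 27 and the per-server check in slides 28 to 32, as one added Python example (not part of the presentation and not DNSLint's code). The GUID list stands in for what /ad would read over LDAP, and the two servers' zone data are constructed; the first GUID, alias and address are the presentation's own example values, the second GUID is made up. The SOA lookup used to flag a server that is not authoritative for _msdcs.<forest root> is this example's own approximation of the delegation check the slides mention, not a description of how DNSLint does it.

```python
"""GUID -> CNAME -> A chain a DC follows to find a replication partner, plus
the per-server missing-record list DNSLint's /ad mode reports. Added example,
not part of the presentation and not DNSLint's code; answers come from a
constructed in-memory copy of two DNS servers instead of real queries."""

FOREST_ROOT = "reskit.com"

# GUIDs as /ad would read them from the DC (constructed list). The first GUID,
# its alias and its address are the presentation's examples; the second is made up.
GUIDS = [
    "91f9b084-4876-4b59-be17-59e74c340221",
    "7d3f0a10-1234-4c56-9abc-0123456789ab",
]

# Constructed zone data on two servers that should both be authoritative for
# _msdcs.reskit.com. The second server has not received all updates.
ZONES = {
    "169.254.10.22": {
        ("_msdcs.reskit.com", "SOA"): ["ns1.reskit.com"],
        ("91f9b084-4876-4b59-be17-59e74c340221._msdcs.reskit.com", "CNAME"): ["dc-02.na.reskit.com"],
        ("7d3f0a10-1234-4c56-9abc-0123456789ab._msdcs.reskit.com", "CNAME"): ["dc-01.reskit.com"],
        ("dc-02.na.reskit.com", "A"): ["169.254.66.7"],
        ("dc-01.reskit.com", "A"): ["169.254.32.1"],
    },
    "169.254.10.30": {
        ("_msdcs.reskit.com", "SOA"): ["ns1.reskit.com"],
        ("91f9b084-4876-4b59-be17-59e74c340221._msdcs.reskit.com", "CNAME"): ["dc-02.na.reskit.com"],
        # CNAME for the second GUID never arrived here
        # A record for dc-02.na.reskit.com is missing here
        ("dc-01.reskit.com", "A"): ["169.254.32.1"],
    },
}


def query(server, name, rtype):
    """Simulated query against one server's zone data (empty list = no answer)."""
    return ZONES.get(server, {}).get((name.lower(), rtype), [])


def resolve_partner(server, guid, forest_root):
    """Slides 24-27: CNAME for guid._msdcs.<root>, then A for the alias.
    'error' names the first record that could not be obtained."""
    result = {"guid": guid, "alias": None, "ip": None, "error": None}
    cname_owner = f"{guid}._msdcs.{forest_root}"
    aliases = query(server, cname_owner, "CNAME")
    if not aliases:
        result["error"] = f"CNAME {cname_owner}"
        return result
    result["alias"] = aliases[0]
    addrs = query(server, aliases[0], "A")
    if not addrs:
        result["error"] = f"A {aliases[0]}"
        return result
    result["ip"] = addrs[0]
    return result


def check_replication_records(guids, servers, forest_root):
    """Slide 32: which CNAME and glue (A) records are missing on each server.
    A server with no SOA for _msdcs.<root> is flagged as not authoritative
    (this example's approximation of the delegation check on slide 29)."""
    report = {}
    for server in servers:
        missing = []
        if not query(server, f"_msdcs.{forest_root}", "SOA"):
            missing.append(f"SOA _msdcs.{forest_root} (server not authoritative)")
        for guid in guids:
            r = resolve_partner(server, guid, forest_root)
            if r["error"]:
                missing.append(r["error"])
        report[server] = missing
    return report


if __name__ == "__main__":
    for server, missing in check_replication_records(GUIDS, list(ZONES), FOREST_ROOT).items():
        print(server, "OK" if not missing else "missing: " + "; ".join(missing))
```

A DC whose locally configured resolver points at the second server would find DC2's GUID but never its address, which is the intermittent, partner-specific failure that `dnslint /ad /s localhost` on that DC is meant to surface.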

    33. Verifying Important DNS Records
        - Verifying a set of DNS records on multiple DNS servers helps diagnose problems caused by missing or incorrect DNS records
        - Example: verifying that all of a domain controller’s SRV records are registered on all appropriate DNS servers
          - May help avoid/diagnose domain logon issues

    34. Verifying Important DNS Records (2)
        - More examples:
          - Verifying DNS records for all servers in a Web farm
            - May help avoid/troubleshoot client connectivity issues
          - Verifying MX and A records for corporate e-mail
            - May help avoid/troubleshoot e-mail delivery problems

    35. Verifying Important DNS Records: Using DNSLint
        - The /ql (query list) option provides this functionality
        - With /ql, DNSLint reads instructions from the specified text file
        - It sends the queries specified in the file and reports the results in an HTML report

    36. Verifying Important DNS Records (2): Using DNSLint
        - The input file permits administrators to customize:
          - Which DNS servers to query
          - Which DNS records to query on each server

    37. Verifying Important DNS Records (3): Using DNSLint
        The format of the input file is as follows:

            DNSLint
            [dns~server] 169.254.46.138
            www.reskit.com,a,r
            169.254.197.1,ptr,r
            [dns~server] 169.254.46.200
            reskit.com,cname,r
            reskit.com,mx,r
            _kerberos._tcp.dc._msdcs.reskit.com,srv,r

    38. Verifying Important DNS Records (4): Using DNSLint
        - The file must start with the word “dnslint”
        - [dns~server] 169.254.46.138
          - This line specifies the IP address of the DNS server to send queries to
          - The lines following it indicate the queries to send to the specified DNS server
        - Each query line is a comma-separated list
          - The first field in the line is the name to query; example: www.reskit.com

    39. Verifying Important DNS Records (5): Using DNSLint
        - The second field is the type of record to query for:
          - a = Host
          - ptr = Pointer
          - cname = Alias
          - mx = Mail Exchange
          - srv = Service Location
        - The third field is the type of query:
          - r = recursive
          - i = iterative
        - Optional fourth field:
          - Adding “,tcp” makes DNSLint send the query using TCP
          - The default is the UDP protocol
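A parser for the /ql input file format described in slides 37 to 39, as an added Python example (not part of the presentation and not DNSLint's code). It validates the header, the [dns~server] lines and each query line, and reports the offending line number on error; it does not send any queries. Building the in-addr.arpa name for ptr queries is an assumption of this example, since the slides only say the first field holds the name to query. The sample file is the one from slide 37 with a constructed ",tcp" suffix added to its last line.

```python
"""Parser for DNSLint's /ql query-list file format (added example, not the
presentation's or DNSLint's code). Parses and validates only; no queries
are sent. The sample file is slide 37's, plus a constructed ",tcp" on the
last line to exercise the optional fourth field."""
import ipaddress
from dataclasses import dataclass, field

RECORD_TYPES = {"a": "Host", "ptr": "Pointer", "cname": "Alias",
                "mx": "Mail Exchange", "srv": "Service Location"}
QUERY_TYPES = {"r": "recursive", "i": "iterative"}


@dataclass
class Query:
    name: str        # first field, exactly as written in the file
    rtype: str       # a, ptr, cname, mx or srv
    recursive: bool  # r = recursive, i = iterative
    tcp: bool        # optional fourth field ",tcp"; UDP otherwise

    @property
    def qname(self):
        """Owner name actually queried. For ptr the file holds an IP address;
        deriving the in-addr.arpa name here is this example's assumption."""
        if self.rtype == "ptr":
            return ipaddress.ip_address(self.name).reverse_pointer
        return self.name


@dataclass
class ServerBlock:
    server: str                               # IP address after [dns~server]
    queries: list = field(default_factory=list)


def parse_ql(text):
    """Return a list of ServerBlock; raise ValueError naming the bad line."""
    lines = text.splitlines()
    if not lines or lines[0].strip().lower() != "dnslint":
        raise ValueError("line 1: file must start with the word 'dnslint'")
    blocks = []
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("[dns~server]"):
            server = line[len("[dns~server]"):].strip()
            try:
                ipaddress.ip_address(server)
            except ValueError:
                raise ValueError(f"line {lineno}: bad server address {server!r}") from None
            blocks.append(ServerBlock(server))
            continue
        if not blocks:
            raise ValueError(f"line {lineno}: query before any [dns~server] line")
        fields = [f.strip() for f in line.split(",")]
        if len(fields) not in (3, 4):
            raise ValueError(f"line {lineno}: expected name,type,r|i[,tcp]")
        name, rtype, qtype = fields[0], fields[1].lower(), fields[2].lower()
        if rtype not in RECORD_TYPES:
            raise ValueError(f"line {lineno}: unknown record type {rtype!r}")
        if qtype not in QUERY_TYPES:
            raise ValueError(f"line {lineno}: query type must be r or i")
        tcp = len(fields) == 4
        if tcp and fields[3].lower() != "tcp":
            raise ValueError(f"line {lineno}: fourth field may only be 'tcp'")
        if rtype == "ptr":
            try:
                ipaddress.ip_address(name)
            except ValueError:
                raise ValueError(f"line {lineno}: ptr query needs an IP address") from None
        blocks[-1].queries.append(Query(name, rtype, qtype == "r", tcp))
    return blocks


# Slide 37's sample file; the ",tcp" on the last line is a constructed addition.
QL_SAMPLE = """DNSLint
[dns~server] 169.254.46.138
www.reskit.com,a,r
169.254.197.1,ptr,r
[dns~server] 169.254.46.200
reskit.com,cname,r
reskit.com,mx,r
_kerberos._tcp.dc._msdcs.reskit.com,srv,r,tcp
"""

if __name__ == "__main__":
    for block in parse_ql(QL_SAMPLE):
        print(f"[dns~server] {block.server}")
        for q in block.queries:
            mode = QUERY_TYPES["r" if q.recursive else "i"]
            print(f"  {q.qname} {RECORD_TYPES[q.rtype]} {mode} over {'TCP' if q.tcp else 'UDP'}")
```

Validating the file before a run matters because a typo in a record type silently turns a "verify all SRV records" job into a report that checks nothing; failing on the exact line is cheaper than reading a clean-looking HTML report that covered the wrong queries.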

    40. Verifying Important DNS Records (6): Using DNSLint
        - Creates a report in HTML format
        - Reports:
          - Results of each query
          - Nonresponsive DNS servers
        - Helps determine what must be fixed

    41. Where Can You Get DNSLint?
        Microsoft Knowledge Base articles:
        - Q321045, “Description of the DNSLint Utility”
          http://support.microsoft.com/support/misc/kblookup.asp?id=Q321045
        - Q321046, “HOW TO: Use DNSLint to Troubleshoot Active Directory Replication Issues”
          http://support.microsoft.com/support/misc/kblookup.asp?id=Q321046

