1. Using DNSLint
3. Using DNSLint (2): Presentation Content
Help diagnose “lame delegation”
“Lame delegation” explained
How to diagnose “lame delegation”
Using DNSLint to diagnose “lame delegation”
Help troubleshoot Microsoft Active Directory replication issues
How Active Directory replication relies on DNS
Using DNSLint to troubleshoot replication issues
Verify important DNS records
How to use DNSLint to verify important DNS records
4. Lame Delegation: Explained
DNS administrators use “delegations” to assign authority for DNS subdomains to other DNS servers (NS records in the parent zone name the servers that own the child zone)
This technique provides flexibility and scalability
5. Lame Delegation (2): Explained
6. Lame Delegation (3): Explained
7. Lame Delegation (4): Explained
Lame delegation occurs when:
Authority for a DNS subdomain is delegated to a DNS server
AND
That DNS server either does not exist (or does not respond) or does not answer authoritatively for the subdomain (it replies without the AA flag, or with REFUSED or SERVFAIL)
Security note: a delegation that points at a nameserver host name or address that nobody currently controls is a dangling delegation; whoever obtains that name or address can answer authoritatively for the subdomain, so a lame delegation should be corrected or removed, not merely tolerated
8. Lame Delegation (5): Explained
9. Lame Delegation (6): Explained
10. Lame Delegation (7): Explained
Lame delegation problems are compounded when other DNS issues are present
For example, if zone data is not the same on all authoritative DNS servers for a domain (a stale secondary, a failed zone transfer)
Can lead to intermittent name resolution failures, depending on which server a resolver happens to ask
11. Lame Delegation (8): Explained
Mail Exchange (MX) records are configured
But the Host (A) records for the MX targets (the records DNSLint calls “glue”) are missing
Can result in inconsistent e-mail delivery
12. Lame Delegation: Troubleshooting
To diagnose lame delegation on an Internet domain name, follow these steps:
Step 1: Contact InterNIC or another Internet registry service (a WHOIS lookup)
Has the domain name been registered?
What are the names of the DNS servers that are registered as authoritative for the domain?
Step 2: Determine the IP addresses of the authoritative DNS servers identified in step 1
13. Lame Delegation (2): Troubleshooting
Step 3: Use Nslookup.exe to query each DNS server directly for each record type (NS, MX, A) separately
Point nslookup at the server itself (server <IP>) and use set norecurse; an answer labelled “Non-authoritative answer” means that server is not authoritative for the zone
You may discover other authoritative DNS servers for the domain in the NS answers
These “additional” DNS servers must also be queried
Repeat this step until all DNS records on all DNS servers have been documented
14. After collecting all DNS data:
Step 4: Compare the records from each authoritative DNS server to those of all other authoritative DNS servers
Verify that all record data is correct, valid, and the same on each server
Step 5: Fix identified problems
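The comparison logic behind steps 3 and 4, written as an added example (it is not part of the deck and not DNSLint's own code). Instead of live nslookup output it takes constructed answers: what each server returned when queried directly, whether it responded, and whether the AA flag was set. The zone, server names and addresses are invented for the example; the findings it produces are the same classes DNSLint reports (nonresponsive server, nonauthoritative server, data that differs between servers, MX target without an A record).

```python
from dataclasses import dataclass, field


@dataclass
class Answer:
    """What one server said when queried directly for the zone (constructed input).

    responded=False models a timeout; authoritative=False models a reply
    without the AA flag (or REFUSED/SERVFAIL)."""
    server: str
    responded: bool = True
    authoritative: bool = True
    ns: frozenset = frozenset()            # NS names the server's copy of the zone lists
    mx: frozenset = frozenset()            # MX target host names
    a: dict = field(default_factory=dict)  # host name -> frozenset of IPs


def analyze_zone(zone, delegated_ns, answers):
    """Return (severity, message) findings for one zone.

    delegated_ns: NS names the registry / parent zone lists for the zone (step 1).
    answers: one Answer per server queried (step 3): every delegated server plus
    any extra server discovered in the zone's own NS records."""
    findings = []
    by_server = {ans.server: ans for ans in answers}

    # Lame delegation: a server named by the parent must answer, and answer with AA set.
    for ns in sorted(delegated_ns):
        ans = by_server.get(ns)
        if ans is None or not ans.responded:
            findings.append(("error", f"{ns}: delegated by parent but did not respond (lame delegation)"))
        elif not ans.authoritative:
            findings.append(("error", f"{ns}: delegated by parent but not authoritative for {zone} (lame delegation)"))

    good = [ans for ans in answers if ans.responded and ans.authoritative]

    # Parent and child NS sets should match; mismatches are where lame delegations hide.
    for ans in good:
        extra, missing = ans.ns - delegated_ns, delegated_ns - ans.ns
        if extra:
            findings.append(("warning", f"{ans.server}: zone NS set adds {sorted(extra)} not delegated by parent"))
        if missing:
            findings.append(("warning", f"{ans.server}: zone NS set lacks delegated {sorted(missing)}"))

    # Step 4: every authoritative server must hold the same NS, MX and A data.
    for rtype in ("ns", "mx", "a"):
        views = {ans.server: getattr(ans, rtype) for ans in good}
        distinct = {frozenset(v.items()) if isinstance(v, dict) else v for v in views.values()}
        if len(distinct) > 1:
            findings.append(("error", f"{rtype.upper()} data differs between authoritative servers: {views}"))

    # Missing "glue" in DNSLint's sense: an MX target with no A record on a server.
    for ans in good:
        for mxhost in sorted(ans.mx):
            if not ans.a.get(mxhost):
                findings.append(("warning", f"{ans.server}: MX target {mxhost} has no A record (missing glue)"))
    return findings


# Constructed sample: the registry delegates reskit.com to ns1 and ns2. ns2 has
# lost authority (stale secondary), and the zone's own NS set names a third
# server, ns3, that the parent never delegated and that lacks the MX host's A record.
SAMPLE_DELEGATION = frozenset({"ns1.reskit.com", "ns2.reskit.com"})
SAMPLE_ANSWERS = [
    Answer("ns1.reskit.com",
           ns=frozenset({"ns1.reskit.com", "ns2.reskit.com", "ns3.reskit.com"}),
           mx=frozenset({"mail.reskit.com"}),
           a={"mail.reskit.com": frozenset({"169.254.10.25"})}),
    Answer("ns2.reskit.com", authoritative=False),
    Answer("ns3.reskit.com",
           ns=frozenset({"ns1.reskit.com", "ns2.reskit.com", "ns3.reskit.com"}),
           mx=frozenset({"mail.reskit.com"}),
           a={}),
]


def run_sample():
    return analyze_zone("reskit.com", SAMPLE_DELEGATION, SAMPLE_ANSWERS)


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```

Feeding it real data means one Answer per server built from direct, non-recursive queries; the important part is that the AA flag, not the mere presence of an answer, decides whether a server counts as authoritative.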
15. Lame Delegation: Using DNSLint
DNSLint is designed to be an “expert system” for this procedure
It reduces the effort needed to troubleshoot DNS issues
Performs steps 1 through 4 automatically (everything except step 5, fixing the problems)
16. Lame Delegation (2): Using DNSLint
Two ways to check a domain name:
Check a name in one of these top-level domains on the Internet (DNSLint looks up the delegation itself):
.com, .net, and .org
Run:
dnslint /d domain_name
Example:
dnslint /d reskit.com
17. Lame Delegation (3): Using DNSLint
Check a name registered in a domain other than .com, .net, or .org on the Internet
OR
Check a name in a private namespace
Run:
dnslint /d domain_name /s <DNS_IP>
Where <DNS_IP> is the IP address of a DNS server authoritative for the domain (the registry lookup is skipped; DNSLint starts from that server and finds the other authoritative servers from its NS records)
Example:
dnslint /d na.reskit.local /s 169.254.10.22
18. Lame Delegation (4): Using DNSLint
Creates a report in HTML format
Lists useful information:
Server responding
SOA data for the zone
Additional authoritative DNS servers
Host (A) records for the name
Mail Exchange (MX) and glue records for the name
Summary of errors and warnings
19. Lame Delegation (5): Using DNSLint
Summary of errors and warnings:
Nonresponsive DNS servers
Nonauthoritative DNS servers
Missing glue records
Helps determine what must be fixed
20. Lame Delegation (6): Using DNSLint
Other useful options:
/c runs e-mail server connectivity tests
Tries to connect to the servers identified in the MX and glue records
By default, connects to TCP ports 25 (SMTP), 110 (POP3), and 143 (IMAP)
Can specify which ports to verify by using a comma-separated list:
/c smtp,pop,imap
21. Lame Delegation (7): Using DNSLint
Other useful options:
/v verbose output to screen
/t creates an additional report in text format
/y overwrites old reports without prompting
/test_tcp tests whether each DNS server also responds on TCP port 53 (needed for zone transfers and for answers too large for UDP)
/no_open prevents the report from automatically opening
22. Active Directory Replication: Replication and DNS
Active Directory replication relies on DNS to resolve names to IP addresses as required
DCs register a variety of DNS records (SRV, A, and CNAME) when their Netlogon service starts
List of these records:
Q178169, “DNS Records Registered by Windows 2000 Domain Controllers”
23. Active Directory Replication (2): Replication and DNS
When a domain controller (DC) wants to replicate with another domain controller, it uses DNS to find that domain controller
DC1 queries Active Directory for its configured replication partners
Replication partners are typically defined by the Knowledge Consistency Checker (KCC)
Can also be defined manually
DC1 knows only the name of the domain controller to replicate with (DC2)
24. Active Directory Replication (3): Replication and DNS
DC1 looks up the globally unique identifier (GUID) for DC2 in Active Directory (the objectGUID of DC2’s NTDS Settings object, also called the DSA GUID)
Each domain controller in the forest has its own unique GUID
DC1 sends a recursive DNS query to its locally configured DNS server for a CNAME record
25. Active Directory Replication (4): Replication and DNS
Record format:
guid._msdcs.<root of Active Directory forest>
Where guid is the GUID DC1 found in Active Directory
Where <root of Active Directory forest> is the DNS name of the forest root domain
Example:
91f9b084-4876-4b59-be17-59e74c340221._msdcs.reskit.com
26. Active Directory Replication (5): Replication and DNS
DC1’s locally configured DNS server should respond to the CNAME query with an alias
The alias is DC2’s fully qualified host name, which the CNAME maps to DC2’s GUID
Example:
dc-02.na.reskit.com
27. Active Directory Replication (6): Replication and DNS
DC1 must then resolve the alias to an IP address
DC1 sends a recursive DNS query to its locally configured DNS server for the Host (A) record
Record that matches the name of the alias
DNS server should respond with the IP address mapped to the alias
Example:
169.254.66.7
DC1 can now connect to DC2 and replicate Active Directory data
If either the CNAME or the A record is missing, DC1 cannot locate DC2 and replication with it fails even though DC2 is up
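The two-step lookup described on slides 24 through 27, as an added example that is not part of the deck and not how DC1 or DNSLint is implemented. It builds the GUID._msdcs name, walks CNAME then A over a constructed zone table instead of a live DNS server, and separates the two failure modes a practitioner has to tell apart: the GUID record is absent from _msdcs, or the alias exists but its host record does not. The forest name and DC2's GUID, alias and address are taken from the slides; DC3's GUID and alias are invented for the example.

```python
import uuid


def replication_cname(dsa_guid, forest_root):
    """Build the name DC1 queries: <DSA GUID>._msdcs.<forest root>.

    uuid.UUID normalises case and hyphenation so a GUID copied from a
    repadmin or LDAP dump matches the lowercase form DNS stores."""
    return f"{uuid.UUID(str(dsa_guid))}._msdcs.{forest_root.rstrip('.').lower()}"


def resolve_partner(dsa_guid, forest_root, zone):
    """Resolve a partner DC's address the way slides 24 to 27 describe.

    zone: constructed table mapping (owner name, rtype) -> rdata, standing in
    for the locally configured DNS server. Returns (ip, trace); raises
    LookupError naming the step that failed."""
    trace = []
    qname = replication_cname(dsa_guid, forest_root)
    alias = zone.get((qname, "CNAME"))
    trace.append(("CNAME", qname, alias))
    if alias is None:
        raise LookupError(f"no CNAME for {qname}: partner's GUID record is missing from the _msdcs zone")
    ip = zone.get((alias.lower(), "A"))
    trace.append(("A", alias, ip))
    if ip is None:
        raise LookupError(f"no A record for alias {alias}: CNAME is present but the host record is missing")
    return ip, trace


def check_all_partners(guids, forest_root, zone):
    """Per-GUID result, the shape of what DNSLint /ad reports: IP on success, FAIL text otherwise."""
    results = {}
    for g in guids:
        try:
            results[g] = resolve_partner(g, forest_root, zone)[0]
        except LookupError as e:
            results[g] = f"FAIL: {e}"
    return results


FOREST_ROOT = "reskit.com"
DC2_GUID = "91f9b084-4876-4b59-be17-59e74c340221"   # from the slides
DC3_GUID = "0d6f0f07-2a4b-4c84-9f4a-1bd3b9e1c9a5"   # constructed for this example

# Constructed zone data: DC2 is fully registered; DC3's CNAME exists but its
# A record never reached this server, so DC3 is unreachable by replication.
ZONE = {
    (f"{DC2_GUID}._msdcs.reskit.com", "CNAME"): "dc-02.na.reskit.com",
    ("dc-02.na.reskit.com", "A"): "169.254.66.7",
    (f"{DC3_GUID}._msdcs.reskit.com", "CNAME"): "dc-03.eu.reskit.com",
}


if __name__ == "__main__":
    for guid, outcome in check_all_partners([DC2_GUID, DC3_GUID], FOREST_ROOT, ZONE).items():
        print(f"{guid}: {outcome}")
```

The trace returned by resolve_partner records which query produced which answer, which is exactly what to compare against the DNSLint report when the two disagree about a particular server.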
28. Active Directory Replication: Troubleshooting Replication with DNSLint
DNSLint can help determine whether the DNS records used for Active Directory forest replication can be resolved
Example:
dnslint /ad 169.254.32.1 /s 169.254.10.22
/ad specifies a DC used to find the GUIDs of the DCs in the forest
/s specifies the IP address of a DNS server that is authoritative for the _msdcs.<forest root> zone
29. Active Directory Replication (2): Troubleshooting Replication with DNSLint
DNSLint first contacts the DC specified after the /ad switch using LDAP
It queries this DC for the GUIDs of all DCs in the Active Directory forest
DNSLint then sends a DNS query to the DNS server specified with /s
This DNS server must be authoritative for _msdcs.<root of Active Directory forest>
DNSLint checks for zone delegation
30. Active Directory Replication (3): Troubleshooting Replication with DNSLint
DNSLint tries to discover the other DNS servers that are authoritative for the root of the Active Directory forest
It queries those DNS servers for the CNAME records of the GUIDs found in Active Directory
It also tries to resolve the glue (A) record for each alias
31. Active Directory Replication (4): Troubleshooting Replication with DNSLint
Can also help determine whether the DNS records used for replication can be resolved by a particular domain controller
Example:
dnslint /ad /s localhost
When run on a DC (no IP address after /ad, so the local DC is used), it verifies whether that DC can resolve the DNS records used in replication through its own DNS server
Useful when troubleshooting replication problems on a particular domain controller
32. Active Directory Replication (5): Troubleshooting Replication with DNSLint
It creates a report in HTML format
Report includes:
All GUIDs found in Active Directory
DNS servers found to be authoritative for the root of the Active Directory forest
Results of all CNAME and glue (A) record queries to those DNS servers
Which CNAME and glue (A) records were missing on each DNS server
33. Verifying Important DNS Records
Verifying a set of DNS records on multiple DNS servers helps diagnose problems caused by missing or incorrect DNS records
Example:
Verifying that all of a domain controller’s SRV records are registered on all appropriate DNS servers
May help avoid or diagnose domain logon issues
34. Verifying Important DNS Records (2)
More examples:
Verifying DNS records for all servers in a Web farm
May help avoid or troubleshoot client connectivity issues
Verifying MX and A records for corporate e-mail
May help avoid or troubleshoot e-mail delivery problems
35. Verifying Important DNS Records: Using DNSLint
The /ql (query list) option provides this functionality
DNSLint reads its instructions from the text file specified after /ql
It sends the queries specified in the file and reports the results in an HTML report
36. Verifying Important DNS Records (2): Using DNSLint
The input file lets administrators customize:
Which DNS servers to query
Which DNS records to query on each server
37. Verifying Important DNS Records (3): Using DNSLint
The format of the input file is as follows:
DNSLint
[dns~server] 169.254.46.138
www.reskit.com,a,r
169.254.197.1,ptr,r
[dns~server] 169.254.46.200
reskit.com,cname,r
reskit.com,mx,r
_kerberos._tcp.dc._msdcs.reskit.com,srv,r
38. Verifying Important DNS Records (4): Using DNSLint
The file must start with the word “dnslint”
[dns~server] 169.254.46.138
This line specifies the IP address of the DNS server to send queries to
The lines following it specify the queries to send to that DNS server, up to the next [dns~server] line
Each query line is a comma-separated list
The first field is the name to query (for ptr queries, the IP address to reverse-resolve)
Example: www.reskit.com
39. Verifying Important DNS Records (5): Using DNSLint
The second field is the type of record to query for:
a = Host
ptr = Pointer
cname = Alias
mx = Mail Exchange
srv = Service Location
The third field is the type of query:
r = recursive
i = iterative (the server answers only from its own zones and cache, so an iterative query is the way to confirm that a record exists on that server rather than being fetched from elsewhere)
Optional fourth field:
Adding “,tcp” makes DNSLint send the query over TCP
The default is UDP
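A parser for the /ql input-file format described on slides 37 through 39, written as an added example (it is not part of the deck and not DNSLint's own parser). It enforces the rules the slides state: the leading "dnslint" line, a [dns~server] line before any query, three or four comma-separated fields, the five record types, r or i as the query mode, and "tcp" as the only fourth field. It also converts a ptr line's address into the in-addr.arpa owner name actually sent on the wire. The sample file is the one on slide 37 with ",tcp" appended to the SRV line to exercise the optional field; the behaviour on blank lines and mixed-case keywords is the example's own assumption.

```python
from dataclasses import dataclass
import ipaddress

RECORD_TYPES = {"a", "ptr", "cname", "mx", "srv"}
QUERY_MODES = {"r": "recursive", "i": "iterative"}


@dataclass(frozen=True)
class Query:
    server: str   # DNS server IP the query is sent to
    name: str     # first field as written (an IP address for ptr lines)
    rtype: str    # a, ptr, cname, mx or srv
    mode: str     # "recursive" or "iterative"
    tcp: bool     # True when the optional fourth field is "tcp"

    @property
    def qname(self):
        """Owner name actually queried: ptr lines carry an address, not a name."""
        if self.rtype == "ptr":
            return ipaddress.ip_address(self.name).reverse_pointer
        return self.name


def parse_query_list(text):
    """Parse /ql input text into Query objects; raise ValueError on any malformed line."""
    queries, server, seen_header = [], None, False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        ln = raw.strip()
        if not ln:
            continue  # assumption: blank lines are ignored
        if not seen_header:
            if ln.lower() != "dnslint":
                raise ValueError(f'line {lineno}: file must start with the word "dnslint"')
            seen_header = True
            continue
        if ln.lower().startswith("[dns~server]"):
            server = ln[len("[dns~server]"):].strip()
            try:
                ipaddress.ip_address(server)
            except ValueError:
                raise ValueError(f"line {lineno}: [dns~server] needs an IP address, got {server!r}") from None
            continue
        if server is None:
            raise ValueError(f"line {lineno}: query line before any [dns~server] line")
        fields = [f.strip() for f in ln.split(",")]
        if len(fields) not in (3, 4):
            raise ValueError(f"line {lineno}: expected name,type,mode[,tcp]")
        name, rtype, mode = fields[0], fields[1].lower(), fields[2].lower()
        if rtype not in RECORD_TYPES:
            raise ValueError(f"line {lineno}: unknown record type {rtype!r}")
        if mode not in QUERY_MODES:
            raise ValueError(f"line {lineno}: query mode must be r or i, got {mode!r}")
        tcp = len(fields) == 4
        if tcp and fields[3].lower() != "tcp":
            raise ValueError(f"line {lineno}: fourth field may only be 'tcp', got {fields[3]!r}")
        if rtype == "ptr":
            ipaddress.ip_address(name)  # a ptr line must carry an address
        queries.append(Query(server, name, rtype, QUERY_MODES[mode], tcp))
    if not seen_header:
        raise ValueError('file must start with the word "dnslint"')
    return queries


# Slide 37's file, with ",tcp" added to the SRV line to show the fourth field.
SAMPLE_QL = """\
DNSLint
[dns~server] 169.254.46.138
www.reskit.com,a,r
169.254.197.1,ptr,r
[dns~server] 169.254.46.200
reskit.com,cname,r
reskit.com,mx,r
_kerberos._tcp.dc._msdcs.reskit.com,srv,r,tcp
"""


if __name__ == "__main__":
    for q in parse_query_list(SAMPLE_QL):
        proto = "tcp" if q.tcp else "udp"
        print(f"{q.server}: {q.qname} {q.rtype.upper()} ({q.mode}, {proto})")
```

Validating the list this way before running dnslint /ql catches the typo that would otherwise surface only as a confusing line in the HTML report, and the iterative-mode check is the one to use when the question is whether a server holds the record itself.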
40. Verifying Important DNS Records (6): Using DNSLint
Creates a report in HTML format
Reports:
Results of each query
Nonresponsive DNS servers
Helps determine what must be fixed
41. Where Can You Get DNSLint?
Microsoft Knowledge Base articles:
Q321045, “Description of the DNSLint Utility” http://support.microsoft.com/support/misc/kblookup.asp?id=Q321045
Q321046, “HOW TO: Use DNSLint to Troubleshoot Active Directory Replication Issues” http://support.microsoft.com/support/misc/kblookup.asp?id=Q321046