Best Practice Ezine #42 DNS
Try this thinking exercise
I would like you to think of all the Windows Server 2003 services, for example WINS, Netlogon or Alerter. Which service would you say is the most important? Now ask yourself a second question: which service is the most complicated to configure? I predict that DNS would be high on your list for both importance and difficulty.
There is so much to know about DNS that I can only feature a few examples in a newsletter. What I want to do is give tips for people at three levels: expert, intermediate and beginner.
Expert level: DNS Debug Logging
Let us begin with my stock question: where do you get this Debug Logging tool? That is easy, Debug Logging is built in. Next question: where do I find it? Add or Remove Programs, Windows Components – no. DNS snap-in, right-click the server, Properties, Debug Logging tab – yes. (The server icon itself, not the Forward Lookup Zones folder.)
Our next decision is what DNS information to collect, in other words how to filter the packets. The answer depends on the situation. Is the problem a client query that is not being resolved, or two DNS servers that do not update one another's host records? To troubleshoot the client problem we collect packets showing DNS queries: tick Queries/Transfers under packet contents, and use the filter by IP address option to log only the client in question. With the server to server problem we filter for zone transfers instead: zone transfers run over TCP, so tick TCP under transport protocol, Queries/Transfers again, and filter on the partner server's IP address. Last question, do we want requests or responses? Guy says both, usually; the interesting line is often the response, but you need the request to see what was asked.
Once you have decided what to log, enter the log file path and name on the Debug Logging tab and click OK. While you run various DNS queries or transfers, the log collects the data. Then comes the task of interpreting what was collected. The key detective skill to develop is parsing the line, breaking the data down into recognisable patterns. To digress: have you ever been in a wood when a friend says "do you see such and such a fruit?", and once you have seen one you suddenly see loads? Examining debug logs is similar. Once you can pick out the fields, the remote IP address, the protocol and the direction of the packet, then the block in square brackets (transaction ID, flags and response code) and finally the name, a blur of letters and numbers turns into meaningful chunks of information.
With attention to detail you will soon get your eye in. In no time you will spot the keywords. [NotAuth] means the server is not authoritative for the zone being queried; the DNS packet is saying 'I hold no information for that domain'. [Refused], on the other hand, means 'I may know, but I am not telling you for policy reasons', the classic example being a zone transfer requested from a server that is not on the allowed list.
The most common error is [NXDomain], meaning the name does not exist in that domain. For example, attempting to contact nowhere.org produced this line with the NXDOMAIN error:
PACKET UDP Snd [8385 A DR NXDOMAIN] (7)nowhere(3)org(2)cp(3)com(0)
Read it field by field: a UDP packet the server sent (Snd); transaction ID 8385; flags A (authoritative answer), D (recursion desired) and R (recursion available); response code NXDOMAIN; and the name written as length-prefixed labels, (7)nowhere(3)org(2)cp(3)com(0), which decodes to nowhere.org.cp.com. Notice that the name actually asked for is not nowhere.org: the client's resolver appended its DNS suffix cp.com before querying, and the server, being authoritative for cp.com, answered authoritatively that no such host exists there.
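To show that field-by-field parsing as code, here is an added Python script. It is my own illustration, not something from the original ezine or from the Windows DNS tools. The log lines it chews on are constructed samples written in the style of the line above; real Windows Server 2003 debug logs carry extra fields (date, time, thread id, packet address, query type), so the parser keys only on PACKET, the protocol, the direction, an optional remote IP address, the [xid flags rcode] block and the length-prefixed name, and ignores whatever else is on the line. The IP addresses and zone names are made up for the example.

```python
"""Parse Windows DNS server debug-log packet lines and pick out failed responses."""
import re
from collections import Counter

# Constructed sample lines (not captured from a real server), in the style of
# the Windows Server 2003 DNS debug log. The third line is the one quoted in
# the article, which has no remote IP, so the parser must cope without one.
SAMPLE_LOG = """\
PACKET UDP Rcv 10.1.1.55 Q [0001 D NOERROR] A (3)www(7)yourdom(3)com(0)
PACKET UDP Snd 10.1.1.55 R [0001 A DR NOERROR] A (3)www(7)yourdom(3)com(0)
PACKET UDP Snd [8385 A DR NXDOMAIN] (7)nowhere(3)org(2)cp(3)com(0)
PACKET TCP Rcv 10.1.1.200 Q [0002 D NOERROR] AXFR (7)yourdom(3)com(0)
PACKET TCP Snd 10.1.1.200 R [0002 A D REFUSED] AXFR (7)yourdom(3)com(0)
PACKET UDP Snd 10.1.1.55 R [0003 D NOTAUTH] A (3)foo(7)example(3)net(0)
"""

LINE_RE = re.compile(
    r"PACKET\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)"
    r"(?:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"          # remote IP, when present
    r".*?\[(?P<xid>[0-9A-Fa-f]+)\s+(?P<flags>[A-Z ]*?)\s*(?P<rcode>[A-Z]+)\]"
    r".*?(?P<name>(?:\(\d+\)[^\s()]*)+)"                # (7)nowhere(3)org(0) ...
)

FLAG_MEANING = {
    "A": "authoritative answer",
    "T": "truncated",
    "D": "recursion desired",
    "R": "recursion available",
}

# Response codes glossed as the article explains them, plus two common extras.
RCODE_MEANING = {
    "NOERROR": "query answered",
    "NXDOMAIN": "name does not exist in this domain",
    "NOTAUTH": "server is not authoritative for the zone",
    "REFUSED": "server refused the request for policy reasons",
    "SERVFAIL": "server failed internally (check zone data and forwarders)",
    "FORMERR": "server could not interpret the query",
}


def decode_name(wire: str) -> str:
    """Turn '(7)nowhere(3)org(0)' into 'nowhere.org', checking each label length."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^\s()]*)", wire):
        length = int(length)
        if length == 0:                      # the root label ends the name
            break
        if len(label) != length:
            raise ValueError(f"label {label!r} does not match length {length} in {wire!r}")
        labels.append(label)
    return ".".join(labels)


def parse_line(line: str):
    """Return a dict for one PACKET line, or None for lines that are not packets."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "direction": m.group("dir"),
        "remote": m.group("ip") or "?",                    # trimmed lines have no IP
        "xid": m.group("xid"),
        "flags": list("".join(m.group("flags").split())),  # "A DR" -> ["A", "D", "R"]
        "rcode": m.group("rcode"),
        "name": decode_name(m.group("name")),
    }


def parse_log(text: str):
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def failures(records):
    """Responses this server sent with an error RCODE: (peer, name, rcode, gloss)."""
    return [
        (r["remote"], r["name"], r["rcode"], RCODE_MEANING.get(r["rcode"], "unknown rcode"))
        for r in records
        if r["direction"] == "Snd" and r["rcode"] != "NOERROR"
    ]


def rcode_counts(records):
    return Counter(r["rcode"] for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for remote, name, rcode, gloss in failures(recs):
        print(f"{remote:<12} {name:<24} {rcode:<9} {gloss}")
    print(dict(rcode_counts(recs)))
```

Run it against a real dns.log and the failures list gives you, per client, exactly the names that came back NXDOMAIN, REFUSED or NOTAUTH, which is usually the question you opened the log to answer; the suffix-appended name in the NXDOMAIN line is the sort of thing that jumps out once it is decoded.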
Last week I did not have time to write the ezine as I was on site. Instead, I had the pleasure of working alongside a top clustering consultant ($1000 a day man). Even though he was a genius, he used the help files. On reflection I wondered if it was the other way around: I thought he was a genius because he had mastered the art of when and how to use the help files. Could being a computer expert be that easy, just consult the built-in help?
Two final reminders.
1) Did you turn off DNS debug logging when you had finished? Logging every packet is very server intensive, and the log file grows until it hits the maximum size you set on the Debug Logging tab.
2) The Debug Logging tab with its packet filters, and DNSLint in the Support Tools, are new in Windows Server 2003 (DNSLint also runs on Windows 2000 as a separate download).
Intermediate level: DNSLint
The purpose of DNSLint is to test a domain's DNS records and present the results as a web page. In many ways DNSLint reminds me of nslookup, except that the DNSLint output is an HTML report rather than text in a DOS command window. Talking of nslookup, DNSLint gave only incomplete information on one of my tests; the reason turned out to be that no reverse lookup zone had been configured for the zone we were troubleshooting, so it could not resolve the name servers' addresses back to names.
The first question that I ask about any utility is where do you find it? In the case of DNSLint the answer is the Support Tools (support.cab in the \Support\Tools folder) on the Windows Server 2003 CD.
One useful feature of DNSLint is that it reports the port numbers it used, e.g. TCP 53, which is most helpful when troubleshooting firewall problems. As with many of Windows Server 2003's command line utilities there is a whole bank of switches. To get started try DNSLint /d yourdom.com. However, there is a trap with /d if you are NOT connected to the internet: on its own, /d asks the InterNIC whois servers which name servers hold the domain, so for an internal domain, or a disconnected network, you must add the /s switch with the IP address (not the name) of a DNS server to query.
Example: DNSLint /d yourdom.com /s 10.1.1.100
Another feature of DNSLint is that it displays MX records, which will assist in tracking down email delivery problems. For further email testing, for example checking that the mail servers named in those MX records answer on their SMTP or POP3 ports, add the /c switch.
Beginner level: basic troubleshooting
Now I am thinking of basic troubleshooting here. So if the problem is that clients cannot 'see' the server, check these settings, the first three on the client and the last two on the server:
a) Master IPCONFIG /all and also the /flushdns, /registerdns and /displaydns switches. /all shows which DNS servers and suffixes the client is really using, /displaydns shows the resolver cache, /flushdns clears a stale cached answer, and /registerdns re-registers the client's own host record.
b) Network card, TCP/IP properties: is the preferred DNS server the address you expect?
c) System icon, Computer Name tab: is the primary DNS suffix correct?
d) On the DNS server, open the DNS snap-in and check the Forward Lookup Zone records: is the host record there, and does it hold the right IP address?
e) Again on the server, in the DNS snap-in check the server icon properties, especially the Monitoring tab, where you can run a simple and a recursive test query.