Many are the times we’ve run into DNS configuration problems with Microsoft AD. After being asked for advice a few more times than normal this year, I’ve pulled together several emails for this list of “Troubleshooting Microsoft AD-integrated DNS” highlights below. We’ll first cover the generic topics of checking the configuration of your server configuration, then the configuration of the zones themselves. For each topic, we’ll do a checklist followed by an explanation.
- Is the server (Windows 2003 or higher) pointing to itself for primary DNS in the network configuration?
- If a standalone DC: Does the server have *no* secondary DNS in the network configuration?
- If there are multiple DCs: Does the server list only other DCs in the secondary DNS server list in the advanced network configuration?
- Does the server have proper forwarders in the DNS server configuration (to the parent domain or to the ISP, but not both)?
- In a command prompt, run the following:
net stop netlogon
net start netlogon
- Read DNS and System logs to make sure there are no issues being reported.
- wait 20 minutes
One of the major problems we run into is that customers will put the ISP DNS servers in the network configuration on the DC, not in the DNS Forwarders list in the DNS Server configuration. The DC *is* a DNS server. It needs to talk to itself, so that it can register crucial DNS settings in its own database. If its own database can’t find the information requested (such as www.google.com), then the DNS Server service is responsible for looking that data up, and then caching it so that it’s readily available for other clients, too. This misconfiguration also has the problem of generating DDNS update requests back to the ISP DNS servers, which are ignored at best, and a security leak at worst (like for military/government installations).
I like to tell my Unix customers “the first rule of administering Active Directory is to go get another cup of coffee.” This forces them to take their hands off the keyboard and wait for cross-site replication (hopefully) before making another change. It’s a good reminder for the seasoned Windows admins, as well.
Reverse Lookup Zones
We’ll cover reverse lookup zones before forward lookup zones, for two reasons: 1) customers screw up reverse lookup configuration much more often than forward lookup configuration ; 2) no SRV records in Reverse zones (normally).
If you have non-Microsoft DNS servers or multiple AD domains in your environment
- Does the server have reverse DNS zones defined?
- Does any *other* server (in the DNS Forwarders configuration list) have the same reverse DNS zone defined?
- Do the defined reverse zones allow “unsecured dynamic updates”?
- Are all IP subnets in your network defined as reverse DNS zones on the primary DNS servers (the last forwarders in the network before the ISP)?
- Do you have aging and scavenging turned on in the server settings? If so (you should), do you have all clients automatically renewing their records (Windows clients will by default)?
If you only have a single AD domain, or no non-Microsoft DNS servers
- Does the server have reverse DNS zones defined for all IP subnets (including IPv6) in your network?
- Do those reverse DNS zones allow dynamic updates?
- Is aging of old records enabled with sane no-refresh and refresh values in the reverse zones?
Each DNS Zone is a database. There can only be one authoritative owner of the database, defined by the SOA record on the Zone. Any other DNS servers get their information from this SOA, either by normal queries, or by zone transfer (AD replication does a kind of zone transfer). If two servers are set up with the same zone (create 0.168.192.in-addr.arpa reverse DNS zone in dns1.contoso.com and ns1.worldwidetoys.com, for example), then there is no mechanism to transfer the information between those two servers.
For example: any individual client will only talk to the DNS server it’s configured to talk to (client1.contoso.com gets its DNS info from dns1.contoso.com and winxp1.worldwidetoys.com gets its information from ns1.worldwidetoys.com). Each client will also send updates only to its own DNS server. This means that client1.contoso.com will register its IP 192.168.0.10 with dns1.contoso.com, and winxp1.worldwidetoys.com will register its IP 192.168.0.20 with ns1.worldwidetoys.com. These two records will never be synched between dns1.contoso.com and ns1.worldwidetoys.com. Therefore, when winxp1.worldwidetoys.com asks ns1.worldwidetoys.com “who has 192.168.0.10?”, ns1.worldwidetoys.com will answer “nobody!”.
The DNS admin must fix this problem by manually registering all of the records from ns1.worldwidetoys.com in the zone stored in dns1.contoso.com, deleting the 0.168.192.in-addr.arpa zone from ns1.worldwidetoys.com, and then setting up a forwarder or conditional forwarder to dns1.contoso.com. Now, that same query results in ns1.worldwidetoys.com looking in its own database, finding no answer, and reaching out to its forwarders to ask, “who has 192.168.0.10?”. Similarly, when winxp1.worldwidetoys.com goes to register 192.168.0.20, it is directed, via the SOA record, to send that registration to dns1.contoso.com. This is why reverse zones often need to allow unsecured dynamic updates.
Forward Lookup Zones
I have a customer who needs this much data now – I’ll follow up with the Forward Lookup zones in a separate post later this week.