Agenda
Overview of Active Directory® name resolution
DCDIAG installation and system requirements
DCDIAG /TEST:DNS drill down
DCDIAG /TEST:DNS usage scenarios and syntax
DCDIAG /TEST:DNS known issues
Active Directory name resolution
Before Active Directory, Microsoft® Windows® domains required a relatively simple set of NetBIOS records (1B, 1C) resolved by Windows Internet Name Service (WINS).
Active Directory changed the requirements to a detailed set of site-specific, domain-specific, and forest-wide service location and replication records resolved by DNS.
Detailed knowledge of Domain Name System (DNS) operation and troubleshooting was not common among Windows domain administrators.
DNS monitoring solutions were not typically deployed in the enterprise.
DNS configuration issues in Active Directory deployments
Many or all domain controllers in an organization may have DNS installed and can accept updates to the zones.
Replication of DNS records is subject to typical replication latency.
Automatic DNS setup in Microsoft Windows 2000 did not use optimized defaults.
DNS servers that host common Active Directory-integrated zones still require per-server configuration.
Key failures that are caused by DNS misconfiguration
DCDIAG /TEST:DNS
New test option in Microsoft Windows Server™ 2003 Service Pack 1 (SP1) DCDIAG
One tool for validation of forest-wide DNS configuration
Installation sources
System requirements
System requirements (2)
Credential requirements
  Enterprise administrators
DCDIAG /TEST:DNS
DCDIAG /TEST:DNS operations
Validates seven elements of DNS health
  Connectivity (performed by default as part of the test in previous versions)
  Basic DNS
  Forwarder
  Delegation
  Dynamic update
  Record registration
  External name resolution (by default, this test is not run)
DCDIAG /TEST:DNS operations (2)
DCDIAG /TEST:DNS syntax
DCDIAG /TEST:DNS syntax (2)
Additional sub tests
  /DnsRecordRegistration – Record registration tests
  /DnsResolveExtName – External name resolution test
  /DnsInternetName:<Internet name> – For test /DnsResolveExtName. If an Internet name is not specified, the default is www.microsoft.com
  /DnsAll – Runs all tests
DCDIAG /TEST:DNS optional parameters
The verbose switch is required to gather most of the interesting information other than the summary table.
  /s:DCName
  /f:Logfile
  /ferr:Logerr
  /v – Displays verbose output
  /e – All specified tests are run against all domain controllers whose NTDS Settings objects are listed on the targeted domain controller
Syntax examples for common test scenarios
Connectivity test
Cannot be skipped
  No separate syntax for the connectivity test because it always runs
Tests performed
  Are domain controllers registered in DNS?
  Can they be pinged?
  Do they have Lightweight Directory Access Protocol/remote procedure call (LDAP/RPC) connectivity?
No other tests run against a domain controller if this test fails
Basic DNS test
Syntax: /DnsBasic
Tests performed
  Are the expected services running?
    DNS Client service
    DNS Server service
    Netlogon service
    Key Distribution Center (KDC) service
  Are DNS servers available over network adapters?
Basic DNS test (2)
Additional tests performed
  If DNS is installed, does the domain controller’s Active Directory namespace zone exist?
  If DNS is installed, does a valid Start of Authority (SOA) record exist for the domain controller?
  Is the host record (also called the A record or glue record) registered on at least one DNS server?
  Does the root (.) zone exist?
/DnsBasic warning conditions
Warning
Warning: Adapter has dynamic IP ad
a misconfiguration
Warning: adapter has invalid DNS s
address
/DnsBasic errors
Error: Authentication failed with specified credentials
  Additional information: Enterprise Admin credentials are required.
Error: No LDAP connectivity
  Additional information: Network access over TCP port 389 is required.
Error: No DS RPC connectivity
  Additional information: Network access over Windows Server Message Block (SMB) ports is required.
/DnsBasic errors (2)
Error: KDC/Netlogon/DNS/DNScache is not running
  Additional information: The specified services are not running.
Error: Cannot read network adapter information through WMI
  Additional information: WMI connectivity and permissions are required.
Error: All DNS servers are invalid
  Additional information: The DNS servers configured in the resolver settings cannot be pinged or are not valid DNS servers.
Error: The A record for this domain controller was not found
  Additional information: Missing host record. Check that the DHCP Client service is running on the specified machine.
Error: Enumeration of zones failed to find out whether there is a root and Active Directory zone
Error: Could not query DNS zones on this domain controller
  Additional information: Unable to query Active Directory name records for the specified DC.
Forwarders test
Syntax: /DnsForwarders
Tests performed
  Is recursion enabled?
  Verifies the forwarders and root hints configuration if these items are present.
  Can the _ldap._tcp.dc._msdcs.<Forest root domain> domain controller locator record be resolved by domain controllers in a non-root domain?
Notes:
  This test is run only if the targeted domain controller is running the Microsoft DNS Server service.
  Forwarders and root hints are not used to resolve _ldap._tcp.dc._msdcs.<Forest root domain> locator records on forest root domain controllers.
/DnsForwarders errors
Error: Forwarders list has invalid forwarder: <IP address of the forwarder>
  Additional information: The specified IP address is unreachable or is not answering DNS queries.
Error: Both root hints and forwarders are not configured. Please configure either forwarders or root hints
  Additional information: The tested DNS server is not a root server, but it is not configured to perform any external name resolution.
Error: Root hints list has invalid root hint server: <IP address of root hint server>
  Additional information: The configured root hint servers are not reachable or are not answering DNS queries.
Error: Enumeration of root hint servers failed on <DNS server name>
  Additional information: The test could not list the root servers on the target DNS server.
Delegation test
Syntax: /DnsDelegation
Tests performed
  Is the delegated name server a functioning DNS server?
  Are there broken delegations?
  Verifies that the host record can be resolved for each listed name server (NS) record
Notes
  This test is run only if the targeted domain controller is running the Microsoft DNS Server service.
/DnsDelegation warnings
Warning: DNS server: <DnsServer name> IP: <IP address> Failure: Missing glue (A) record
  Additional information: Cannot resolve the host record for the specified delegated name server.
/DnsDelegation errors
DNS server: <Server name> IP: <IP address> Error: Broken delegation
  Additional information: The name server specified by the delegation cannot resolve zone records or is not responding to DNS queries.
Dynamic update test
Syntax: /DnsDynamicUpdate
Tests performed
  Is the domain controller’s DNS zone configured to accept secure dynamic updates?
  Can _dcdiag_test_record be registered on the current DNS server?
  Deletes the test registration record.
/DnsDynamicUpdate warnings
Warning: Dynamic update is enabled on the zone but not secure <zone name>
  Additional information: Non-secure dynamic update acceptance is a critical security risk.
Warning: Failed to add test record _dcdiag_test_record with error <error code> in zone <zone name>
  Additional information: Permission to add the test record was denied.
Warning: Failed to delete test record _dcdiag_test_record with error <error code> in zone <zone name>
  Additional information: Permission to delete the test record was denied.
/DnsDynamicUpdate errors
Error: Dynamic update is not enabled on the zone <zone name>
  Additional information: Dynamic update is not enabled on the Active Directory zone. Therefore, the client cannot register its records.
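The non-secure dynamic update warning above is the one condition in this test with a direct security consequence, so it is worth checking proactively rather than only when DCDIAG runs. The following PowerShell script is an added example, not part of this deck or of DCDIAG: it audits the DynamicUpdate setting of every Active Directory-integrated primary zone on the listed DNS servers and, with -Remediate, switches NonsecureAndSecure zones to Secure. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, so not the Windows Server 2003 tooling the deck covers) and uses the placeholder server names dc1.corp.example and dc2.corp.example.

```powershell
param(
    # DNS servers to audit: constructed placeholder names, replace with your own DCs
    [string[]] $DnsServers = @('dc1.corp.example', 'dc2.corp.example'),
    # Switch NonsecureAndSecure zones to Secure instead of only reporting them
    [switch] $Remediate
)

$findings = foreach ($server in $DnsServers) {
    try {
        # Only forward-lookup, AD-integrated primary zones; the DC's own zone is among these
        $zones = Get-DnsServerZone -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.IsDsIntegrated -and -not $_.IsReverseLookupZone -and $_.ZoneType -eq 'Primary' }
    } catch {
        Write-Warning "Could not enumerate zones on ${server}: $($_.Exception.Message)"
        continue
    }
    foreach ($zone in $zones) {
        # Same three outcomes as the /DnsDynamicUpdate test: Secure passes, NonsecureAndSecure
        # warns (unauthenticated clients can overwrite records), None is an error
        $status = switch ([string] $zone.DynamicUpdate) {
            'Secure'             { 'PASS' }
            'NonsecureAndSecure' { 'WARN: non-secure dynamic update accepted' }
            'None'               { 'ERROR: dynamic update is not enabled' }
            default              { "UNKNOWN: $($zone.DynamicUpdate)" }
        }
        if ($Remediate -and $zone.DynamicUpdate -eq 'NonsecureAndSecure') {
            # Only authenticated (secure) updates are accepted after this change
            Set-DnsServerPrimaryZone -ComputerName $server -Name $zone.ZoneName -DynamicUpdate Secure
            $status += ' (changed to Secure)'
        }
        [pscustomobject]@{
            Server        = $server
            Zone          = $zone.ZoneName
            DynamicUpdate = $zone.DynamicUpdate
            Status        = $status
        }
    }
}

$findings | Sort-Object Zone, Server | Format-Table -AutoSize
```

Because the DynamicUpdate setting of an AD-integrated zone is stored in the directory, a change made through one DC replicates to the others; the per-server rows simply show whether every DNS server already sees the same value.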
Record registration test
Syntax: /DnsRecordRegistration
Tests performed
  Are service locator (SRV) resource records for each network service registered on all configured DNS servers?
    DSA GUID CNAME
    _ldap
    _gc
    _pdc
/DnsRecordRegistration warnings
Warning
Warning: Missing D
DNS server record n
/DnsRecordRegistration errors
Error
Error: Missing A recor
<DNS Server IP addre
name>
Error: Missing CNAME
server <DNS Server IP
Note: To reregister SRV records, restart the Netlogon service or run NETDIAG /fix. To correct stale records, rename Netlogon.dns and Netlogon.dnb in %SystemRoot%\System32\Config.
Correcting /DnsRecordRegistration errors
Correcting /DnsRecordRegistration errors (2)
The Netlogon service registers all service locator (SRV) resource records.
To correct stale records, rename Netlogon.dns and Netlogon.dnb in %SystemRoot%\System32\Config.
To reregister SRV records, restart the Netlogon service or run NETDIAG /fix.
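The records the /DnsRecordRegistration test looks for can also be verified directly against each configured DNS server, which helps confirm that a Netlogon restart actually propagated the registrations. The following PowerShell script is an added example, not part of this deck or of DCDIAG: it queries the _ldap, _gc and _pdc SRV records and each DC's DSA GUID CNAME on every DNS server the local resolver uses and reports the per-server result. It assumes the ActiveDirectory and DnsClient modules (Windows Server 2012 / Windows 8 or later) on a domain-joined machine.

```powershell
param(
    [string] $DomainName = (Get-ADDomain).DNSRoot,   # domain whose DCs are checked
    [string] $ForestName = (Get-ADDomain).Forest     # forest root, owner of _gc and _msdcs
)

# The locator records /DnsRecordRegistration checks: _ldap, _gc, _pdc and one DSA GUID CNAME per DC
$checks = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$DomainName";  Type = 'SRV' }
    @{ Name = "_gc._tcp.$ForestName";              Type = 'SRV' }
    @{ Name = "_ldap._tcp.pdc._msdcs.$DomainName"; Type = 'SRV' }
)
foreach ($dc in Get-ADDomainController -Filter * -Server $DomainName) {
    # The objectGUID of the NTDS Settings object is the DSA GUID; <guid>._msdcs.<forest> must be a CNAME to the DC
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    $checks += ,@{ Name = "$dsaGuid._msdcs.$ForestName"; Type = 'CNAME' }
}

# Every DNS server the local resolver is configured to use (IPv4), de-duplicated
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique

$report = foreach ($server in $dnsServers) {
    foreach ($check in $checks) {
        try {
            # -DnsOnly bypasses the local cache and LLMNR/NetBIOS so the answer really comes from $server
            $answer = Resolve-DnsName -Name $check.Name -Type $check.Type -Server $server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq $check.Type }
            # SRV answers carry NameTarget, CNAME answers carry NameHost
            $target = ($answer | ForEach-Object { if ($_.NameTarget) { $_.NameTarget } else { $_.NameHost } }) -join ', '
            $result = if ($answer) { 'PASS' } else { 'FAIL (no matching record in answer)' }
        } catch {
            $result = 'FAIL'; $target = $_.Exception.Message
        }
        [pscustomobject]@{ DnsServer = $server; Record = $check.Name; Type = $check.Type; Result = $result; Target = $target }
    }
}
$report | Format-Table -AutoSize -Wrap
```

A FAIL on one DNS server but PASS on another points at replication latency or a stale zone copy on that server, while a FAIL everywhere means the record was never registered and the Netlogon restart above is the fix.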
External name resolution test
Syntax: /DnsResolveExtName
Tests performed
  Tests name resolution outside the Active Directory forest.
  Default query is for www.microsoft.com.
  An alternative target can be specified by using /DnsInternetName.
Notes
  The external name test is not run unless the test is specified.
  External name resolution fails if Internet proxies are present.
/DnsResolveExtName errors
Error
Error: Internet nam
cannot be resolve
Performance factors for DCDIAG /TEST:DNS
DCDIAG /TEST:DNS performance issues
  Offline domain controllers
  Offline DNS servers
  Clients that point to an invalid DNS server
  DNS servers that have invalid forwarders and delegations
Effect
  DCDIAG waits the RPC time-out number of seconds for a response to each test
  Exponential delays in DCDIAG runtime
Performance factors for DCDIAG /TEST:DNS (2)
Real-world performance
  About 4.1 to 4.5 domain controllers per minute over “fast” wide area network (WAN) links.
  DCDIAG /e may not be appropriate in forests that contain 1000 domain controllers.
  DCDIAG /TEST:DNS has been run in forests that contain 200 to 400 domain controllers.
/Enterprise DNS infrastructure errors
Error: Delegation is not configured on the parent domain
  Additional information: Delegation should be configured from the parent to the subordinate domain.
Error: Delegation is present but the glue record is missing
  Additional information: Delegation is configured; the host record cannot be resolved for one or more NS records.
Error: Forwarders are misconfigured from parent domain to subordinate domain
  Additional information: Forwarders should point “up” the namespace rather than “down”.
Error: Root hints are misconfigured from parent domain to subordinate domain
  Additional information: Root hints should point “up” the namespace rather than “down”.
Error: Forwarders are configured from subordinate to parent domain but some of them failed DNS server tests (see the DNS servers section for error details)
  Additional information: Configured forwarders are unavailable, cannot resolve the requested records, or are not responding to DNS queries.
Error: Root hints are configured from subordinate to parent domain but some of them failed DNS server tests (see the DNS servers section for error details)
  Additional information: Configured root hints are unavailable, cannot resolve the requested records, or are not responding to DNS queries.
Strategies to help interpret /TEST:DNS output
Run DCDIAG /TEST:DNS /v /f:filename /e
Load the report in Notepad or your preferred text editor
A multiple monitor system (Multimon) or split screen provides the optimal viewing environment.
  Primary monitor or pane focuses on the summary table.
  Secondary monitor or pane focuses on the breakout section of each failing domain controller.
Strategies to help interpret /TEST:DNS output (2)
Review the summary table near the bottom of the DCDIAG log file.
Locate domain controllers that reported failure or warning status in the summary table.
Find the breakout section for a problem domain controller by searching for “DC: DCName”.
Make the required configuration changes on DNS clients and DNS servers.
Run DCDIAG /TEST:DNS again with the /e or /s switch to validate DNS health.
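The summary-table-then-breakout workflow above is mechanical enough to script, which matters in the 200 to 400 DC forests the deck mentions. The following PowerShell script is an added example, not part of this deck or of DCDIAG: it finds every DC with WARN or FAIL in the summary table of a DCDIAG /TEST:DNS /v /e log and prints that DC's breakout section. The summary column order (Auth Basc Forw Del Dyn RReg Ext, one column per test in the deck's list) and the constructed sample log embedded in the script are assumptions about the log layout; compare them with your own output before relying on the parser.

```powershell
param([string] $LogPath)                      # path to a DCDIAG /TEST:DNS /v /e log (from /f:filename)

# Constructed sample log (assumed layout) used when -LogPath is omitted, so the script runs offline
$sampleLog = @'
            DC: DC01.corp.example
               Warning: Adapter 00000001 has invalid DNS server: 192.0.2.53
            DC: DC02.corp.example
               Error: Broken delegation for child.corp.example

   Summary of DNS test results:

                                    Auth Basc Forw Del  Dyn  RReg Ext
      _________________________________________________________________
      Domain: corp.example
         DC01                         PASS WARN PASS PASS PASS PASS n/a
         DC02                         PASS PASS PASS FAIL PASS PASS n/a
'@
$lines   = @(if ($LogPath) { Get-Content -Path $LogPath } else { $sampleLog -split "`r?`n" })
$columns = 'Auth', 'Basc', 'Forw', 'Del', 'Dyn', 'RReg', 'Ext'   # assumed summary-table column order

# Step 1: a summary row is a DC name followed by seven PASS/WARN/FAIL/n/a cells
$problems = foreach ($line in $lines) {
    if ($line -match '^\s+(\S+)\s+((?:(?:PASS|WARN|FAIL|n/a)\s*){7})$') {
        $dc    = $Matches[1]
        $cells = $Matches[2] -split '\s+' | Where-Object { $_ }
        $bad   = for ($i = 0; $i -lt $columns.Count; $i++) {
            if ($cells[$i] -in 'WARN', 'FAIL') { "$($columns[$i])=$($cells[$i])" }
        }
        if ($bad) { [pscustomobject]@{ DC = $dc; Failing = $bad -join ' ' } }
    }
}

# Step 2: for each problem DC, print its breakout section ("DC: <name>" up to the next "DC:" line)
foreach ($p in $problems) {
    Write-Output "==== $($p.DC): $($p.Failing) ===="
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -match ('^DC:\s+' + [regex]::Escape($p.DC) + '(\.|$)')) { $start = $i; break }
    }
    if ($start -lt 0) { Write-Output '   (no breakout section found; rerun DCDIAG with /v)'; continue }
    $i = $start + 1
    while ($i -lt $lines.Count -and $lines[$i].Trim() -notmatch '^(DC:|Summary of DNS test results)') {
        Write-Output $lines[$i]; $i++
    }
}
```

Run it with -LogPath pointing at the file written by /f:filename; without -LogPath it processes the embedded sample and reports DC01 (Basc=WARN) and DC02 (Del=FAIL) with their breakout lines.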
Known issues
DCDIAG /TEST:DNS does not perform comprehensive Best Practices checks. No warnings or errors will be logged for single point-of-failure configurations such as a single defined DNS resolver, forwarder, or delegation.
Servers that are targeted by the DCDIAG /TEST:DNS tool must be registered in WINS to be discovered by the tool.
Known issues (2)
Known issues (3)
Known issues (4)
Thank you for joining us for today’s event.