Microsoft – DNS – Corrective Measures ( MS Windows 2003 )

Background

I have had my share of issues with my Microsoft DNS servers lately.  I wish I could say punishment has meant learning, but no, I am more confused than I should be.

Notes

So let us keep notes on things I am changing and why…

Backup

It goes without saying: back up your files first.

DNS

  1. Backup your DNS configuration files — [program files]\windows\system32\dns

Disable Dynamic Updates

Unless your DNS zones are stored in Active Directory, I suggest you disable dynamic updates.  With dynamic updates enabled on a standard (non-AD-integrated) zone, the server accepts unauthenticated record registrations, so incorrect entries can be pushed into the zone from the Internet.  (AD-integrated zones can instead be set to secure updates only, /AllowUpdate 2, which accepts registrations only from authenticated domain members.)

Here is how to disable dynamic updates with dnscmd:

Code

set "serverName=LABDC"
set "ZoneName=labdomain.com"

@rem dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate {0|1|2}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 0

GUI (screenshot: DynamicUpdates)

Use NetDiag /Fix

The /fix switch in NetDiag corrects simple, temporary problems such as stale or missing DNS registrations, which is why dynamic updates have to be on while it runs.

Temporarily allow dynamic updates, invoke netdiag /fix, then disable dynamic updates again.

Here are the steps:

  1. Using DNSCMD, issue the configuration command to allow updates
  2. Issue netdiag
    • /fix — fix simple errors
    • /v — verbose or debug switch
    • /d — domain name
    • /test
      • DefGw — default gateway
      • Dclist — domain controller list
      • DNS — DNS registration
      • Kerberos
      • Ldap
      • NbtNm — NetBIOS over TCP/IP (NetBT) name test
  3. Using DNSCMD, disable updates again

set "serverName=ADServer"
set "ZoneName=labdomain.com"
set "namingContext=LABDOMAIN"

@rem dnscmd serverName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 1

@rem netdiag /fix
netdiag /fix /v /d:%namingContext% /test:DefGw /test:Dclist /test:DNS /test:DsGetDC /test:Kerberos /test:Ldap /test:NbtNm

@rem dnscmd serverName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 0

Use DCDiag /Fix

Temporarily allow dynamic updates, invoke dcdiag /fix, then disable dynamic updates again.


set "serverName=ADServer"
set "ZoneName=labdomain.com"
set "namingContext=LABDOMAIN"

@rem dnscmd serverName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 1

@rem invoke dcdiag /fix
dcdiag /fix /test:dns /s:%serverName% /n:%namingContext%

@rem dnscmd serverName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 0

Keep in mind

If you use an IP address instead of a host name for serverName, dcdiag cannot confirm the server's identity in the directory and fails to bind; the error it reports is shown below.

rem set "serverName=ADServer"
rem using IP Address
set "serverName=10.0.4.1"

set "ZoneName=labdomain.com"
set "namingContext=LABDOMAIN"

@rem dnscmd serverName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 1

dcdiag /fix /test:dns /s:%serverName% /n:%namingContext%

@rem dnscmd serverName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 0

Error Message

Performing initial setup:
*** Warning: could not confirm the identity of this server in
the directory versus the names returned by DNS servers.
If there are problems accessing this directory server then
you may need to check that this server is correctly registered
with DNS
[10.0.4.1] Directory Binding Error 87:
The parameter is incorrect.
This may limit some of the tests that can be performed.
Done gathering initial info.

Configure your DNS Servers to look locally

Each DNS server's preferred DNS server should be its own IP address or the loopback address.  Here is what ours look like (screenshot: DNSServerShouldHaveOwnIPAddressOrLoopbackAddress).

Register Forwarders

On the AD servers, configure forwarders to point to your ISP's DNS servers.

set "serverName=ns1"
@rem specific DNS Server IP Address for your ISP
@rem in our case Comcast
set "masterIPaddressISPDNS1=75.75.75.75"
set "masterIPaddressISPDNS2=75.75.76.76"

@rem dnscmd <ServerName> /ResetForwarders <MasterIPaddress ...>
dnscmd %serverName% /ResetForwarders %masterIPaddressISPDNS1% %masterIPaddressISPDNS2%

GUI (screenshot: Server-Forwarders)

Missing Forwarders

If you are missing the forwarder records, you will get errors when you run dcdiag /test:dns

Missing Root hints

Textual

TEST: Forwarders/Root hints (Forw)

Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)

Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)

Screen Image (screenshot: Server-Forwarders-Missing)

Missing Root hints ptr records

Textual

Summary of test results for DNS servers used by the above domain controllers:

 DNS server: 192.203.230.10 (e.root-servers.net.)
 1 test failure on this DNS server
 This is not a valid DNS server. PTR record query for the 1.0.0.17.in-addr.arpa. failed on the DNS server 192.203.230.10

Screen Image (screenshot: Server-Forwarders-Missing-Ptr)

Comment

So take the advice from ChicagoTech ("Fixed Root hints list has invalid root hint server error") and find your ISP's DNS server addresses (via Google or by contacting your ISP) to use as forwarders.
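As an added example (written for this page, not code from the original post), here is a small Python parser run over a constructed copy of the two dcdiag /test:dns message shapes quoted above; it turns the root-hint and PTR failures into structured findings and maps the in-addr.arpa name in the PTR line (1.0.0.17.in-addr.arpa.) back to the address that was being looked up (17.0.0.1).

```python
import re
from ipaddress import ip_address

# Constructed sample: the two dcdiag /test:dns message shapes quoted above.
SAMPLE_OUTPUT = """\
TEST: Forwarders/Root hints (Forw)
Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
Summary of test results for DNS servers used by the above domain controllers:
 DNS server: 192.203.230.10 (e.root-servers.net.)
 1 test failure on this DNS server
 This is not a valid DNS server. PTR record query for the 1.0.0.17.in-addr.arpa. failed on the DNS server 192.203.230.10
"""
ROOT_HINT_RE = re.compile(
    r"invalid root hint server:\s+(?P<name>\S+)\s+\((?P<ip>[\d.]+)\)")
PTR_FAIL_RE = re.compile(
    r"PTR record query for the (?P<rname>\S+?)\.? failed on the DNS server (?P<ip>[\d.]+)")

def reverse_name(ip):
    """Build the in-addr.arpa name a PTR lookup for an IPv4 address uses."""
    return ip_address(ip).reverse_pointer

def reverse_name_to_ip(rname):
    """Inverse of reverse_name: '1.0.0.17.in-addr.arpa.' -> '17.0.0.1'."""
    labels = rname.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError("not an IPv4 reverse name: %s" % rname)
    return ".".join(reversed(labels[:4]))

def parse_dcdiag_dns(text):
    """Turn dcdiag /test:dns error lines into structured findings."""
    findings = []
    for line in text.splitlines():
        m = ROOT_HINT_RE.search(line)
        if m:  # a root hint server dcdiag could not validate
            findings.append({"kind": "invalid_root_hint",
                             "server": m.group("name").rstrip("."),
                             "ip": m.group("ip")})
            continue
        m = PTR_FAIL_RE.search(line)
        if m:  # a PTR lookup the listed DNS server failed to answer
            findings.append({"kind": "ptr_failure",
                             "dns_server": m.group("ip"),
                             "queried_ip": reverse_name_to_ip(m.group("rname"))})
    return findings

def servers_to_review(findings):
    """Distinct server IPs that need attention, for the remediation list."""
    return sorted({f.get("ip") or f["dns_server"] for f in findings})
```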

Use 3rd Party DNS Validation Tools

3rd party validation tools help in so many ways:

  1. They usually run on Unix/BIND, so they give you an independent, third-party view of your zone
    • Quite a few servers out there run Unix/Linux, so you get an instant second opinion from a different implementation
    • They give you detailed checks and error messages that you can google

Here are some that I have used:

  1. Pingdom
    http://dnscheck.pingdom.com/
  2. ripe.net
    http://dnscheck.ripe.net/

Pingdom.com

Here are the results of running our LAB domain server against pingdom.com.

Page 1 (screenshot: dnscheck_01)

Page 2 (screenshot: dnscheck_02)

Tools

Microsoft Tools

  1. DCDiag
    https://technet.microsoft.com/en-us/library/Cc731968.aspx
  2. NetDiag
    https://technet.microsoft.com/en-us/library/Cc731434.aspx

Summary

As noted above, pingdom.com is reporting about a baker’s dozen worth of errors and warnings.

Most of them are due to the fact that we are using the same machine for Intranet and Internet traffic.

Bad practices really do come to light on the Net!

References

Microsoft – Tools

dnscmd

  1. Dnscmd Syntax
    https://technet.microsoft.com/en-us/library/cc756116(v=ws.10).aspx

Netdiag

  1. How to use the Network Diagnostics Tool (Netdiag.exe) in Windows 2000
    https://support.microsoft.com/en-us/kb/321708

dcdiag

  1. How to use the Network Diagnostics Tool (Netdiag.exe) in Windows 2000
    https://support.microsoft.com/en-us/kb/265706

Microsoft – DNS Server – Settings

Forwarders

  1. Configure forwarders for a DNS server
    https://technet.microsoft.com/en-us/library/cc755608(v=ws.10).aspx

mcpmag.com

  1. 10 DNS Errors That Will Kill Your Network
    https://mcpmag.com/articles/2004/05/01/10-dns-errors-that-will-kill-your-network.aspx

University of Oxford

  1. Configuring DNS to support Active Directory using a Private Internal Name
    https://help.it.ox.ac.uk/windows/active/dns/internaldomain/index

ServerLab

  1. Using Linux BIND DNS Servers for Active Directory Domains
    http://www.serverlab.ca/tutorials/linux/network-services/using-linux-bind-dns-servers-for-active-directory-domains/

Tver State University, Russia

  1. Managing the DNS Server Configuration
    http://edc.tversu.ru/elib/inf/0034/0596005628_dnswinsvr-chp-13-sect-3.html

Tech Republic

Conditional Forwarding

  1. Step-By-Step: Standard and conditional forwarding in Windows 2003 DNS
    http://www.techrepublic.com/article/step-by-step-standard-and-conditional-forwarding-in-windows-2003-dns/

WindowsNetworking.com

Conditional Forwarding

  1. Configuring Forwarders using DNSCMD
    http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/Network/ConfiguringForwardersusingDNSCMD.html
  2. DNS Conditional Forwarding in Windows Server 2003
    http://www.windowsnetworking.com/articles-tutorials/windows-2003/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

Domain Manager Cleanup

  1. How to remove orphaned Domain Controller’s DNS records?
    http://serverfault.com/questions/595419/how-to-remove-orphaned-domain-controllers-dns-records
  2. Clean Up Server Metadata
    https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
  3. Remove Active Directory Domain Controller Metadata
    https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3
