by Marcin Policht
With the advent of Active Directory, the role of DNS in a Windows environment has changed drastically. DNS is no longer a manually configured database providing an optional (alongside WINS) name resolution method for various types of TCP/IP hosts. Instead, it has become the primary source of dynamically updated information required for many domain-based activities. For example, the presence of DNS is absolutely necessary for the installation of Windows 2000 domain controllers. Similarly, the logon process uses records registered in DNS to locate the closest domain controller, the PDC emulator, and a global catalog. The majority of problems with Active Directory replication can be tracked down to a misconfigured or failing DNS infrastructure.
Since having a well-functioning DNS is so important, you should be familiar with a set of tools that can help you manage DNS more efficiently. The purpose of this article is to describe some of these tools and the features available with them. Since the most commonly used tool, the DNS Management Console (part of Windows 2000 Administrative Tools), is fairly intuitive and well documented, I won’t cover it here, but rather concentrate on other options.
First, I will describe the features of NSLOOKUP (a tool very familiar to anyone dealing with name resolution in non-WINS environments) that are applicable to troubleshooting Windows 2000 domain problems. Next, I will cover solutions specific to Windows 2000 DNS: DNSCMD.EXE and the WMI DNS Provider (currently still in beta). Before we start, however, let’s take a look at the most essential features of DNS in a Windows 2000 domain.
Even though it is possible to use non-Microsoft DNS implementations for Active Directory environments, these implementations have to support SRV resource records. In addition, it is beneficial (although not required) if they support dynamic updates. A DNS server whose records are to be dynamically updated needs to be either the primary server for the zone containing the domain, or (in the case of Windows 2000 DNS) the zone needs to be Active Directory integrated. Active Directory integration eliminates the need for a single primary server and allows for multimaster updates and replication. If dynamic updates are not allowed or the DNS server is set up as a secondary, records need to be created manually on the primary server.
The SRV record type, introduced in Windows 2000, represents various domain resources. Records of this type occupy four nodes residing under the domain node in the DNS namespace: _msdcs, _sites, _tcp, and _udp. These nodes are created and populated by the Windows 2000 Netlogon service (if you notice that they do not exist, stopping and starting the Netlogon service is a good first troubleshooting step).
The SRV records follow the naming convention _service._protocol.DNSDomainName, where DNSDomainName designates the Windows 2000 domain for which the DNS server is authoritative. Since Active Directory servers are accessed using the LDAP service over TCP, most entries start with the prefix _ldap._tcp.
For example, let’s consider a fictitious domain test.swynk.com, with two Windows 2000 sites called EastCoast and WestCoast. In a properly working environment, the DNS server would contain:
– an SRV record for each domain controller in the domain, in the form:
_ldap._tcp.test.swynk.com
– an SRV record for each domain controller in each site (this allows clients to locate domain controllers local to the site in which they reside), in the form:
_ldap._tcp.EastCoast._sites.test.swynk.com and
_ldap._tcp.WestCoast._sites.test.swynk.com
– an SRV record for the PDC emulator operations master for the domain, in the form:
_ldap._tcp.pdc._msdcs.test.swynk.com
– an SRV record for each global catalog server in the domain, in the form:
_ldap._tcp.gc._msdcs.test.swynk.com
– an SRV record for each global catalog server in each site (this allows clients to locate global catalog servers local to the site in which they reside), in the form:
_ldap._tcp.EastCoast._sites.gc._msdcs.test.swynk.com and
_ldap._tcp.WestCoast._sites.gc._msdcs.test.swynk.com
There would also be CNAME records referencing the GUID (Globally Unique Identifier) of each domain controller in the test.swynk.com domain, in the form:
_ldap._tcp.DCGUID.domains._msdcs.test.swynk.com
where DCGUID is the GUID of the Active Directory object representing that domain controller.
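As an added example (not code from the article), the following Python function turns the naming conventions listed above into the set of locator names a healthy zone for a given domain and site list should contain, and reports which ones are absent from a zone listing. The domain, site names and the GUID are constructed for the demonstration.

```python
# Added example: derive the expected domain-controller locator names from the
# article's naming conventions and check a zone listing against them.

def expected_locator_names(domain, sites, dc_guids):
    """Owner names Netlogon should have registered for `domain` (per the article)."""
    names = {
        f"_ldap._tcp.{domain}",                 # every DC in the domain
        f"_ldap._tcp.pdc._msdcs.{domain}",      # PDC emulator
        f"_ldap._tcp.gc._msdcs.{domain}",       # every global catalog server
    }
    for site in sites:
        names.add(f"_ldap._tcp.{site}._sites.{domain}")            # DCs in the site
        names.add(f"_ldap._tcp.{site}._sites.gc._msdcs.{domain}")  # GCs in the site
    for guid in dc_guids:
        names.add(f"_ldap._tcp.{guid}.domains._msdcs.{domain}")   # per-DC GUID entry
    return names

def missing_locator_names(domain, sites, dc_guids, registered):
    """Expected names that are absent from `registered`.
    DNS names are case-insensitive and a trailing dot is not significant,
    so both are normalised before comparing."""
    present = {n.lower().rstrip(".") for n in registered}
    return sorted(n for n in expected_locator_names(domain, sites, dc_guids)
                  if n.lower() not in present)

# Constructed zone listing (not real data): the site-specific global catalog
# record for the WestCoast site has not been registered.
SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"   # placeholder GUID
SAMPLE_REGISTERED = [
    "_ldap._tcp.test.swynk.com.",
    "_ldap._tcp.EastCoast._sites.test.swynk.com.",
    "_ldap._tcp.WestCoast._sites.test.swynk.com.",
    "_ldap._tcp.pdc._msdcs.test.swynk.com.",
    "_ldap._tcp.gc._msdcs.test.swynk.com.",
    "_ldap._tcp.EastCoast._sites.gc._msdcs.test.swynk.com.",
    f"_ldap._tcp.{SAMPLE_GUID}.domains._msdcs.test.swynk.com.",
]

if __name__ == "__main__":
    gaps = missing_locator_names("test.swynk.com", ["EastCoast", "WestCoast"],
                                 [SAMPLE_GUID], SAMPLE_REGISTERED)
    for name in gaps:
        print("missing:", name)
```

Feeding the function the owner names returned by the NSLOOKUP or DNSCMD queries shown later in the article gives a quick check of whether Netlogon has registered everything the logon process relies on.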
NSLOOKUP.EXE
NSLOOKUP allows you to run quick queries for records existing on a particular DNS server.
This can be done in one of two modes:
– interactive mode – for a single query. For example, to find the A record for win2kserver01.test.swynk.com on the DNS server 172.16.0.1, you would run:
nslookup win2kserver01.test.swynk.com 172.16.0.1
which would return:
Server: win2kdns.test.swynk.com
Address: 172.16.0.1
Name: win2kserver01.test.swynk.com
Address: 10.0.0.102
– non-interactive mode – for querying multiple records, with a number of enhancements (for example, a debugging feature). The non-interactive mode is started by typing at the command prompt:
nslookup - DNS_IP_Address
where DNS_IP_Address is the IP address of the DNS server you want to query. This will display the > prompt, from which you can run nslookup-specific commands. The examples below show how to get the listing of records described in the previous section:
SRV records for domain controllers in the test.swynk.com domain:
> set type=SRV
> _ldap._tcp.test.swynk.com
SRV records for domain controllers within the EastCoast site of the test.swynk.com domain:
> set type=SRV
> _ldap._tcp.EastCoast._sites.test.swynk.com
PDC emulator operations master for the test.swynk.com domain:
> set type=SRV
> _ldap._tcp.pdc._msdcs.test.swynk.com
global catalog servers in the test.swynk.com domain:
> set type=SRV
> _ldap._tcp.gc._msdcs.test.swynk.com
global catalog servers in the EastCoast site of the test.swynk.com domain:
> set type=SRV
> _ldap._tcp.EastCoast._sites.gc._msdcs.test.swynk.com
DNSCMD.EXE
DNSCMD.EXE is located in the SUPPORT\TOOLS folder on the Windows 2000 installation CD. It is a command line utility which offers a wide range of DNS management functions. For example, you can use it to list DNS settings, such as whether the server is using the fast zone transfer method (a feature referred to as BINDSecondaries):
dnscmd.exe 172.16.0.1 /info BindSecondaries
Query result: Dword: 1 (00000001)
Command completed successfully.
This setting can be changed using the following command:
dnscmd.exe 172.16.0.1 /config /BindSecondaries 0
Registry property BindSecondaries successfully reset.
Command completed successfully.
To illustrate some of the potential of DNSCMD.EXE, I’ll cover its ability to manage the aging of DNS records. Aging allows automated scavenging of stale records that haven’t been refreshed within a configurable time interval. Aging can be set on a per-server, per-zone, and per-record basis. The following examples modify the configuration of the aging process on the DNS server 172.16.0.1:
– setting default refresh interval for the server 172.16.0.1 to 168 hours (7 days)
dnscmd.exe 172.16.0.1 /config /DefaultRefreshInterval 168
Registry property DefaultRefreshInterval successfully reset.
Command completed successfully.
– setting default norefresh interval for the server 172.16.0.1 to 168 hours (7 days)
dnscmd.exe 172.16.0.1 /config /DefaultNoRefreshInterval 168
Registry property DefaultNoRefreshInterval successfully reset.
Command completed successfully.
– setting scavenging period for the server 172.16.0.1 to 168 hours (7 days)
dnscmd.exe 172.16.0.1 /config /ScavengingInterval 168
Registry property ScavengingInterval successfully reset.
Command completed successfully
– setting No Refresh interval for test.swynk.com zone
dnscmd.exe 172.16.0.1 /config test.swynk.com /NoRefreshInterval 168
Registry property RefreshInterval successfully reset.
Command completed successfully.
– setting refresh interval for test.swynk.com zone
dnscmd.exe 172.16.0.1 /config test.swynk.com /RefreshInterval 168
Registry property RefreshInterval successfully reset.
Command completed successfully.
– setting scavenging servers (the servers allowed to scavenge the zone test.swynk.com) – an option available only through DNSCMD.EXE
dnscmd 172.16.0.1 /ZoneResetScavengeServers test.swynk.com 172.16.0.1
New scavenge servers:server Count = 1
server[0] => 172.16.0.1
Reset scavenging servers on zone test.swynk.com successfully.
Command completed successfully.
You can also list records within a specific zone, similar to what was done previously with the NSLOOKUP.EXE command. For example, here are the ways to list:
– all the domain controllers in the EastCoast site of the test.swynk.com domain:
dnscmd.exe 172.16.0.1 /EnumRecords test.swynk.com _tcp.EastCoast._sites.test.swynk.com. /Continue
Returned Records:
_gc [Aging:3509520] 600 SRV 0 100 3268 win2kserver01.test.swynk.com.
_kerberos [Aging:3509520] 600 SRV 0 100 88 win2kserver01.test.swynk.com.
_ldap [Aging:3509521] 600 SRV 0 100 389 win2kserver01.test.swynk.com.
Command completed successfully.
where the numbers appearing to the left of the server name designate the port numbers used by the respective protocols:
– 389: standard LDAP queries
– 3268: LDAP queries against a global catalog server
– 88: Kerberos authentication over TCP
– all domain controllers in the test.swynk.com zone:
dnscmd 172.16.0.1 /EnumRecords test.swynk.com _tcp.pdc._msdcs.test.swynk.com. /Continue
Returned records:
_ldap [Aging:3509521] 600 SRV 0 100 389 win2kserver01.test.swynk.com.
Command completed successfully.
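The following Python is an added example, not code from the article: it parses SRV lines in the format that dnscmd /EnumRecords prints above, decodes the [Aging:N] stamp (dnscmd expresses it as hours since 1601-01-01 00:00 UTC), maps the port to the service listed above, and applies the NoRefresh and Refresh intervals configured in the aging section (168 hours each) to report which records the server would scavenge. The host names and aging values in the sample listing are constructed; the second server is a made-up decommissioned domain controller.

```python
import re
from datetime import datetime, timedelta

# Added example: parse "dnscmd /EnumRecords" SRV output and evaluate aging.
AGING_EPOCH = datetime(1601, 1, 1)   # [Aging:N] counts hours from this instant (UTC)
PORT_SERVICE = {389: "LDAP", 3268: "LDAP (global catalog)", 88: "Kerberos"}

# "_ldap [Aging:3509521] 600 SRV 0 100 389 win2kserver01.test.swynk.com."
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\[Aging:(?P<aging>\d+)\]\s+)?(?P<ttl>\d+)\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")

def parse_srv_line(line):
    """Return one SRV record as a dict, or None for lines that are not records.
    A line without [Aging:N] is a static record, which is never scavenged."""
    m = SRV_LINE.match(line.strip())
    if not m:
        return None
    aging, port = (int(m["aging"]) if m["aging"] else 0), int(m["port"])
    return {"name": m["name"], "aging": aging, "ttl": int(m["ttl"]),
            "priority": int(m["prio"]), "weight": int(m["weight"]), "port": port,
            "service": PORT_SERVICE.get(port, "unknown"), "target": m["target"],
            "timestamp": AGING_EPOCH + timedelta(hours=aging) if aging else None}

def scavenge_eligible(rec, now_hours, no_refresh_h=168, refresh_h=168):
    """True once NoRefresh + Refresh hours have elapsed since the record's stamp.
    now_hours is the current time in the same hours-since-1601 unit."""
    if rec["aging"] == 0:
        return False
    return now_hours >= rec["aging"] + no_refresh_h + refresh_h

def stale_targets(output, now_hours, **intervals):
    """Targets of SRV records in a dnscmd listing that are due for scavenging."""
    recs = [r for r in map(parse_srv_line, output.splitlines()) if r]
    return sorted({r["target"] for r in recs
                   if scavenge_eligible(r, now_hours, **intervals)})

# Constructed listing in dnscmd's format: win2kserver01 refreshed recently,
# win2kserver02 last refreshed 3000 hours (125 days) earlier.
SAMPLE_OUTPUT = """Returned Records:
_gc [Aging:3509520] 600 SRV 0 100 3268 win2kserver01.test.swynk.com.
_kerberos [Aging:3509520] 600 SRV 0 100 88 win2kserver01.test.swynk.com.
_ldap [Aging:3509521] 600 SRV 0 100 389 win2kserver01.test.swynk.com.
_ldap [Aging:3506521] 600 SRV 0 100 389 win2kserver02.test.swynk.com.
Command completed successfully.
"""
```

Calling stale_targets(SAMPLE_OUTPUT, 3509544) (that is, at 2001-05-15 00:00) names only win2kserver02, whose records have sat unrefreshed for longer than the 336-hour NoRefresh plus Refresh window.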
Windows 2000 WMI DNS Provider
DNS WMI Provider creates and populates WMI classes, which reference information contained in DNS zones and their resource records. The provider can be used to manipulate DNS servers, zones, and individual records. All necessary files are downloadable from the Microsoft FTP Site at ftp://ftp.microsoft.com/reskit/win2000/dnsprov.zip.
To install the provider, after extracting the contents of the zip file, copy dnsschema.mof to the %systemroot%\system32\wbem\mof folder. The file should be compiled automatically and moved to the Good subfolder. Then copy dnsprov.dll to the %systemroot%\system32\wbem folder and register it with the operating system by running: regsvr32 dnsprov.dll. You should get a confirmation of successful registration.
You can review the classes created by the MOF file compilation either by checking the documentation provided with the source files or by running any of the utilities included with the WMI SDK (such as CIM WMI Studio) or WbemTest.exe, available on any computer with WMI installed (any Windows 2000 computer). The DNS Provider populates a separate namespace in the WMI hierarchy, root\MicrosoftDNS. The namespace contains about 30 DNS-related classes.
Along with the provider DLL and MOF file, the downloaded zip file contains several VBScript examples, which allow you to accomplish most DNS-related management tasks. For example, dnsserver.vbs can be used to:
– stop the DNS server
cscript //nologo dnsserver.vbs stop
– start the DNS server
cscript //nologo dnsserver.vbs start
– restart the DNS server
cscript //nologo dnsserver.vbs restart
– list the DNS server configuration
cscript //nologo dnsserver.vbs LIST
– list the zones on the DNS server
cscript //nologo dnsserver.vbs zone
– modify the configuration of the DNS server
cscript //nologo dnsserver.vbs modify
With dnszones.vbs, you can create, modify, add, delete, pause, update, resume, reload, and refresh DNS zones.
dnsrecord.vbs allows you to add, delete, modify, and list resource records.