
Exchange 2000 Server: Troubleshooting DNS

ALAN MALMBERG
Support Engineer, Exchange Connectors - Texas, Microsoft Corporation, May 12, 2004

Background Information

Name Resolution
Applications that need to communicate with other networked computers require a communication mechanism
- A network operating system is used to facilitate network communication requests
- Applications send their requests to the operating system, which handles the request
- The Windows OS provides a number of API sets to handle such requests, i.e. NetBIOS, Windows Sockets

Name Resolution
Applications written using Windows Sockets can use the GetHostByName API, which triggers name resolution request(s)
- The OS tries to resolve the name that the application passed to it into an IP address
- A Windows OS uses two primary methods for name resolution:
  - NetBIOS name resolution
  - Host name resolution

Windows NT 4.0

NT 4.0 Name Resolution


Generally tries NetBIOS name resolution first, then host name resolution
NetBIOS name resolution order:
1) NetBIOS name cache
2) WINS
3) B-cast (broadcast)
4) LMHOSTS
5) HOSTS
6) DNS

NT 4.0 Name Resolution


Host name resolution order:
1) Local host name
2) HOSTS
3) DNS
4) NetBIOS name cache
5) WINS
6) B-cast (broadcast)
7) LMHOSTS

Windows 2000

Simple Query for FQDN

How does www.microsoft.com become 207.46.230.218?

1) Client sends a recursive query to the DNS server
2) Local DNS server checks its forward zone and cache and returns the answer, or, if nothing is found:
3) Local DNS server sends an iterative query to the root servers
4) Root servers help us find the SOA and NS for the domain
5) Local DNS server sends an iterative query to the remote NS
6) Local DNS server gets the answer from the remote NS and sends the response to the client

Win 2000 Name Resolution


Generally tries host name resolution first, then NetBIOS
- The Caching Resolver Service is used to reduce network traffic
- The service can be viewed, stopped and started like other services:
  - To view the cache: ipconfig /displaydns
  - To clear the cache: ipconfig /flushdns
  - To stop: net stop "DNS Client"
  - To start: net start "DNS Client"

Caching Resolver Service


Performs these tasks:
- Name resolution
- General caching of queries
- Negative caching
- Tracks transient network adapters (PnP)
- Tracks connection-specific domain names
- DNS server list management
- Prioritizes records by IP address when multiple A records are returned from a DNS server

Caching Resolver Service


When the GetHostByName API is used:
1) Resolver submits a query to DNS
2) If DNS resolution fails, the resolver checks the length of the name: is it > 15 bytes?
3) If the name is > 15 bytes, resolution fails
4) If the name is < 15 bytes: is NetBIOS up?
5) If NetBIOS is running it is used for name resolution; if not, resolution fails

Getting Resolution

DNS Name Types


Resolver checks what kind of name is being queried:
- Null, e.g. ping localhost
- Fully qualified domain name (FQDN), e.g. host.reskit.com.
- Single-label, unqualified names (contain no periods), e.g. host
- Multiple-label, unqualified names (not terminated with a period), e.g. host.reskit

DNS Name Resolution


When given a FQDN:
- Resolver queries DNS with that name

When given a multiple-label, unqualified name:
- Resolver adds a period to the name and queries DNS with the period-terminated name
- If the DNS server returns a "Name does not exist" response to this query, the resolver treats the name just like a single-label, unqualified name

DNS Name Resolution


When given a single-label, unqualified name:
- Resolver systematically appends different DNS suffixes to the name, adding periods to create a FQDN
- Resolver submits each name, in turn, to the DNS server and waits for a response
- Resolver stops querying when the name is resolved, or when all DNS suffixes have been tried
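The three cases above (FQDN, multiple-label unqualified, single-label unqualified) can be modelled as a small program. The following is an added example, not code from the deck or from Microsoft: the zone contents and the suffix search list are constructed for illustration, and a dictionary stands in for the DNS server so the name-type logic can be run offline.

```python
# Added example: a model of how the Windows 2000 resolver classifies a queried
# name and which DNS queries it issues as a result. Zone data and suffix list
# are constructed for illustration; a dict stands in for the DNS server.

# Constructed stand-in for a DNS server: absence of a key means "Name does not exist".
ZONE = {
    "host.reskit.com.": "10.0.0.5",
    "mail.corp.reskit.com.": "10.0.1.25",
}

# Constructed suffix search list, in the order the resolver would try them.
SUFFIXES = ["corp.reskit.com", "reskit.com"]


def classify(name):
    """Return the name type the resolver distinguishes."""
    if not name:
        return "null"
    if name.endswith("."):
        return "fqdn"
    if "." in name:
        return "multi-label"   # unqualified, not period-terminated
    return "single-label"      # unqualified, no periods


def resolve(name, suffixes=SUFFIXES, zone=ZONE):
    """Return (answer_or_None, list of query names sent), following the deck's rules."""
    sent = []

    def ask(qname):
        sent.append(qname)
        return zone.get(qname)

    kind = classify(name)
    if kind == "null":
        return None, sent
    if kind == "fqdn":
        # FQDN: queried exactly as given, no suffixes appended.
        return ask(name), sent
    if kind == "multi-label":
        # Multi-label: append a period and query the period-terminated name first.
        answer = ask(name + ".")
        if answer is not None:
            return answer, sent
        # "Name does not exist": fall through and treat it like a single-label name.
    # Single-label (or demoted multi-label): append each suffix in turn, stop on first answer
    # or when every suffix has been tried.
    for suffix in suffixes:
        answer = ask(f"{name}.{suffix}.")
        if answer is not None:
            return answer, sent
    return None, sent
```

Running resolve("host.reskit") shows the extra round trips a multi-label unqualified name costs: one query for "host.reskit." and then one per suffix, all answered negatively, which is exactly the traffic a correct suffix search order avoids.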

Caching

Resolver Cache
The cache is always checked before queries are sent to a DNS server
- Positive and negative responses can be cached
- Decreases network traffic
- Positive entries are cached for a max period = TTL returned with the record from DNS
- Negative entries are cached for a max period = minimum TTL in the SOA record
  - Cannot be less than one minute
  - Cannot be greater than 15 minutes

Resolver Cache
Caching behavior is configurable
- Entries are cached for the number of seconds specified by the TTL, but never for longer than the values specified in the registry

Q245437 How to Disable Client-Side DNS Caching in Windows 2000
HKLM\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters
- Set MaxCacheEntryTtlLimit = 1 (Default = 86400)
- Set NegativeCacheTime = 0 (Default = 300)
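To make the two Resolver Cache slides concrete, here is an added example (not code from the deck or from Microsoft) that computes how long a positive or negative answer stays cached under the TTL rules above and the two Q245437 registry values. The precise way the registry limit combines with the one-minute / fifteen-minute clamp on negative entries is an assumption made for this illustration; the defaults are the ones the deck lists.

```python
# Added example: effective cache lifetime of resolver entries, combining the
# "Resolver Cache" TTL rules with the DNSCache registry values from Q245437.
# How the registry limit and the negative-cache clamp combine is an assumption.

MAX_CACHE_ENTRY_TTL_LIMIT_DEFAULT = 86400   # seconds, registry MaxCacheEntryTtlLimit
NEGATIVE_CACHE_TIME_DEFAULT = 300           # seconds, registry NegativeCacheTime
NEGATIVE_FLOOR = 60      # "cannot be less than one minute"
NEGATIVE_CEILING = 900   # "cannot be greater than 15 minutes"


def positive_cache_seconds(record_ttl, max_cache_entry_ttl_limit=MAX_CACHE_ENTRY_TTL_LIMIT_DEFAULT):
    """A positive answer lives for its record TTL, but never longer than the registry limit.
    Q245437 sets the limit to 1 to effectively disable positive caching."""
    return min(record_ttl, max_cache_entry_ttl_limit)


def negative_cache_seconds(soa_minimum_ttl, negative_cache_time=NEGATIVE_CACHE_TIME_DEFAULT):
    """A "Name does not exist" answer lives for the SOA minimum TTL clamped to [1 min, 15 min],
    and (assumption) never longer than NegativeCacheTime; 0 disables negative caching."""
    if negative_cache_time <= 0:
        return 0
    clamped = max(NEGATIVE_FLOOR, min(soa_minimum_ttl, NEGATIVE_CEILING))
    return min(clamped, negative_cache_time)


class ResolverCache:
    """Minimal name -> answer cache that honours the lifetimes above.
    'now' is a simulated clock in seconds so expiry can be exercised offline."""

    def __init__(self, now=0, **limits):
        self.now = now
        self.limits = limits
        self.entries = {}   # name -> (answer or None for negative, expires_at)

    def store(self, name, answer, record_ttl=None, soa_minimum_ttl=None):
        if answer is None:
            ttl = negative_cache_seconds(
                soa_minimum_ttl, self.limits.get("negative_cache_time", NEGATIVE_CACHE_TIME_DEFAULT))
        else:
            ttl = positive_cache_seconds(
                record_ttl, self.limits.get("max_cache_entry_ttl_limit", MAX_CACHE_ENTRY_TTL_LIMIT_DEFAULT))
        if ttl > 0:
            self.entries[name] = (answer, self.now + ttl)

    def lookup(self, name):
        """Return ("hit", answer), ("negative", None) or ("miss", None)."""
        entry = self.entries.get(name)
        if entry is None or entry[1] <= self.now:
            self.entries.pop(name, None)
            return "miss", None
        answer, _ = entry
        return ("hit", answer) if answer is not None else ("negative", None)
```

The negative-cache numbers are the ones that bite during troubleshooting: a failed lookup against a zone with a short SOA minimum TTL is still remembered for a full minute, so a DNS fix made seconds ago can look like it did nothing until ipconfig /flushdns is run.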

Resolver Cache
View TTLs in cache:
ipconfig /displaydns

Name Server Lists

DNS Queries
If the name is not in the cache, the resolver queries the DNS servers configured on each adapter

DNS Queries
Each adapter can be configured with multiple DNS servers (list servers)
1) Resolver sends the query to the first DNS server on the preferred adapter's list
   - Waits one second for a response
2) If no response, resolver sends the query to the first DNS server listed on all adapters' lists
   - Waits two seconds for a response
3) If no response from any server, resolver sends the query to all DNS servers on all adapters
   - Waits two seconds for a response

DNS Queries
At the 5 second point, if a response is not received from any DNS server:
4) Resolver sends the query to all DNS servers on all adapters and waits four seconds for a response
5) If a response is still not received from any DNS server, resolver sends the query to all DNS servers on all adapters and waits 8 seconds for a response
6) If no DNS servers respond, resolver responds with a Timeout message

Total time could be 17 seconds
If the resolver does not receive a response from any server on a given adapter, it stops querying that adapter's DNS servers for 30 seconds and returns a time-out

Resolver List Management


If the resolver receives a negative response at any point in the process:
- It removes every server on that adapter from consideration during that particular search

If the resolver receives a positive response at any point in the process:
- Resolver stops querying DNS servers
- Adds the response to the cache
- Returns the response to the client
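The DNS Queries and Resolver List Management slides above describe a fixed schedule of retries plus per-search pruning of adapters. The following is an added simulation of that behaviour, not code from the deck or from Microsoft: adapters, server addresses and replies are constructed, a callback stands in for the network, and elapsed time is modelled as "the stage's full timeout passes only when nobody answers", which is an assumption made for illustration. It also models the "move the next server to the top of the list" rule from the slide that follows.

```python
# Added example: simulation of the Windows 2000 resolver's query schedule
# (1s / 2s / 2s / 4s / 8s, 17 seconds total) and its per-search list management.
# Adapters, servers and replies are constructed; timing rules are an assumption.

# Each stage: (which servers are queried, seconds to wait for a reply).
SCHEDULE = [
    ("first-on-preferred", 1),
    ("first-on-all", 2),
    ("all", 2),
    ("all", 4),
    ("all", 8),
]


def stage_targets(stage, adapters):
    """Servers queried in a stage; adapters[0] is the preferred adapter."""
    if stage == "first-on-preferred":
        return list(adapters[0][:1]) if adapters else []
    if stage == "first-on-all":
        return [servers[0] for servers in adapters if servers]
    return [server for servers in adapters for server in servers]


def table_responder(replies):
    """Build a responder from a constructed table: server -> ("positive", ip),
    ("negative", None) or None for a server that never answers."""
    return lambda server, name: replies.get(server)


def resolve(name, adapters, responder):
    """Run one search. adapters: list of server lists, preferred adapter first.
    Returns result ("positive" | "negative" | "timeout"), answer, elapsed seconds
    and the (server, stage) queries issued, in order."""
    live = [list(servers) for servers in adapters]   # pruned during this search only
    elapsed, queries = 0, []
    for stage, timeout in SCHEDULE:
        silent, replied = set(), False
        for server in stage_targets(stage, live):
            if not any(server in servers for servers in live):
                continue   # its adapter was dropped earlier in this stage
            queries.append((server, stage))
            reply = responder(server, name)
            if reply is None:
                silent.add(server)
                continue
            replied = True
            kind, answer = reply
            if kind == "positive":
                # Positive answer: stop querying, cache it, return to the caller.
                return {"result": "positive", "answer": answer, "elapsed": elapsed, "queries": queries}
            # Negative answer: every server on that adapter leaves this search.
            live = [servers for servers in live if server not in servers]
            if not any(live):
                return {"result": "negative", "answer": None, "elapsed": elapsed, "queries": queries}
        if not replied:
            elapsed += timeout   # nobody answered: the whole stage timeout passed
        # List management: a silent first server is displaced by the next one on its adapter.
        for servers in live:
            if len(servers) > 1 and servers[0] in silent:
                servers.insert(0, servers.pop(1))
    return {"result": "timeout", "answer": None, "elapsed": elapsed, "queries": queries}
```

The silent-server case is the one that produces the 17 second stalls users report; the negative-response case shows why one misconfigured internal DNS server that answers "Name does not exist" takes its whole adapter out of the search, so a second server on the same adapter never gets asked.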

Resolver List Management


When the resolver does not receive a response from a particular DNS server:
- Resolver moves the next DNS server in the list to the top of the list
- Resolver may move servers up or down the list based on how quickly they respond
- Keep the infrastructure as simple as possible
- Resolver list management behavior is not configurable
- Refer to Q135919 DNS Server Search Order Functionality in Windows NT

CONFIGURATION
Exchange 2000 & DNS

Exchange and DNS


Can't install Exchange 2000:
- Use DCDiag and NetDiag to review the health of AD
- Usually a DNS problem; make sure DNS is configured properly based on the scenario (is Exchange being installed on a 2nd DC or in a child domain? Is DNS configured properly for that computer?)

Exchange and DNS


Can't send mail:
- Can you telnet to an SMTP server on the internet?
- Can we ping by IP?
- Can we get past a firewall or proxy server?
- Can you resolve the MX for the domain on the internet using nslookup?

Can't receive mail:
- Can you telnet to the SMTP server from the internet?
- Does the MX for the domain point to the Exchange server?

Exchange and DNS



- The MX record tells us who the mail server is
- Use internic.org to find the NS with the SOA
- Use nslookup against the SOA to find the correct MX
- Exchange bypasses the Proxy client
  - Install DNS on the proxy and set the internal W2K DNS to forward to the proxy for external name resolution
- Some mail servers attempt a reverse lookup to prevent spam
  - Customer may have an SOA for the domain, but not for the reverse zone

Problems with reverse lookups

Symptoms
Establish that the problem is in DNS. Common things to look for:
- There is a remote queue for the domain which is in retry
- The queue diagnostic indicates DNS, or at the very least, it doesn't indicate something else
- You are getting an NDR with the DNS error code (5.4.0 on E2K SP1, or 5.0.0 prior to that)
- Event 4000 in the Application log (could be an SMTP error)

DNS: NDR Error Codes


5.0.0
- The generic error code for all unknown errors. Post E2K SP1 there shouldn't be many of these.

5.4.0 (E2k SP1)
- Authoritative DNS failure on target domain

5.5.0 (E2k SP1)
- SMTP outbound protocol error
- Generic SMTP protocol error
- DNS reverse lookup failure

5.4.0 NDR Auth host not found



- Auth host not found
- DNS suffix search order incorrect
- Smarthost entry is incorrect
- FQDN name in HOSTS (fixed in W2K SP3) - X5: 186120
- SMTP VS does not have a valid FQDN
- Lookup of your SMTP VS FQDN failed
- Contact's domain does not resolve to any SMTP address spaces

Verification / Relief
Verifying DNS problems
- Bypass the DNS server: Q285863 XCON: How to Bypass DNS Name Resolution to Test SMTP Mail Flow
- Point the server to a known good DNS server with forwarder:
  - dialcache021.ns.uu.net (198.6.100.218)
  - dns1.microsoft.com (131.107.1.7)
  - ISP's DNS server
- Adding an FQDN entry in the Hosts file (if using the Core SMTP DNS resolver)
  - Beware of X5: 186120

Configuration
Configuration Issues
- Full computer name (FQDN)
- DNS suffix name
- Virtual server's FQDN
- Forwarding to invalid external DNS servers
- Forwarding to root hint servers (timeouts)
- Incorrect entries in the hosts file
- Incorrect records in DNS
- Missing records in DNS

Simple rules for DNS


1) The primary DNS server of a domain should always point to itself as the preferred DNS server; no secondary is needed
2) Additional DNS servers of a domain should point to the primary first, and to themselves as secondary
3) Always delete the "." zone in DNS
4) Use root hints for external name resolution
5) Use forwarders to help queries when needed
6) Clients should only point internally to local DNS

Suggested DNS configurations


- Single NIC machines
- Multihomed machines

Single NIC Machines
- Primary and secondary both point to AD DNS servers
- DNS server set up as forwarder to ISP

Multihomed Machines
- Primary and/or secondary on both NICs point to the AD DNS server
- DNS server set up as forwarder
- Do not register the connection in DNS on the external interface

Multiple AD DNS Servers

AD Integrated or Primary/Secondary?
- For dynamic updates, point the primary DNS setting on the NIC to the primary DNS for the zone
- For AD Integrated, point them to any AD DNS server

External DNS Servers


- Do NOT point the Exchange server to an external DNS server (always point internally for DNS first)
- Use forwarders for external name resolution

Setting up Forwarders
Right-click the DNS server, Properties, Forwarders tab
- If "Enable Forwarders" is grayed out, delete the "." zone
- Must highlight and refresh DANDC

Setting up Forwarders
- Now "Enable Forwarders" is not grayed out

Forward Lookup Zones

In most DNS lookups, clients typically perform a forward lookup, which is a search based on the DNS name of another computer as stored in an address (A) resource record. This type of query expects an IP address as the resource data for the answered response.

Reverse Lookup Zones

DNS also provides a reverse lookup process, enabling clients to use a known IP address during a name query and look up a computer name based on its address.
Q242906 - "DNS Request Timed Out" Error Message When Starting Nslookup

_TCP Folder and _ldap

Q178169 - DNS Records Registered by Windows 2000 Domain Controllers

A client looking for a domain controller in the fbody domain would query _ldap._tcp.fbody.com

_TCP Folder and _gc

All GCs are listed in the root _tcp folder. GC-specific records:

Type         DNS Record
------------------------------------------------------
Gc           SRV  _ldap._tcp.gc._msdcs.<DnsForestName>
GcIpAddress  A    _gc._msdcs.<DnsForestName>
GenericGc    SRV  _gc._tcp.<DnsForestName>
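The _ldap, _gc, _kerberos and _kpasswd records on these slides are what netdiag /fix checks against Netlogon.dns. As an added example (not code from the deck, from Microsoft or from netdiag), the block below parses SRV records written in the zone-file syntax Netlogon.dns uses, orders the targets the way a client would try them, and reports which expected records a domain is missing. The record lines for the fbody.com domain are constructed here; the expected-name set is the one the deck's slides list.

```python
# Added example: parse DC/GC SRV records (zone-file syntax as in Netlogon.dns),
# order targets by priority and weight, and detect missing registrations.
# The record lines below are constructed for the deck's fbody.com example.

CONSTRUCTED_NETLOGON_DNS = """\
_ldap._tcp.fbody.com. 600 IN SRV 0 100 389 dc1.fbody.com.
_ldap._tcp.fbody.com. 600 IN SRV 0 100 389 dc2.fbody.com.
_ldap._tcp.fbody.com. 600 IN SRV 10 100 389 dc3.fbody.com.
_ldap._tcp.gc._msdcs.fbody.com. 600 IN SRV 0 100 3268 dc1.fbody.com.
_gc._tcp.fbody.com. 600 IN SRV 0 100 3268 dc1.fbody.com.
_kerberos._tcp.fbody.com. 600 IN SRV 0 100 88 dc1.fbody.com.
"""


def parse_srv_records(text):
    """Return one dict per 'name ttl IN SRV priority weight port target' line."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split(";")[0].strip()   # ';' starts a comment in zone-file syntax
        if not line:
            continue
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            raise ValueError(f"line {lineno}: not an SRV record: {line!r}")
        name, ttl, _, _, prio, weight, port, target = fields
        records.append({"name": name.lower(), "ttl": int(ttl), "priority": int(prio),
                        "weight": int(weight), "port": int(port), "target": target.lower()})
    return records


def expected_srv_names(domain, forest):
    """SRV names the deck says a DC/GC registers: _ldap, _kerberos, _kpasswd for the
    domain, plus the GC records under the forest name."""
    domain, forest = domain.rstrip(".") + ".", forest.rstrip(".") + "."
    return {
        f"_ldap._tcp.{domain}", f"_kerberos._tcp.{domain}", f"_kpasswd._tcp.{domain}",
        f"_ldap._tcp.gc._msdcs.{forest}", f"_gc._tcp.{forest}",
    }


def missing_srv_names(records, domain, forest):
    """Expected names with no record present, the condition Q256289 describes for Kerberos."""
    present = {r["name"] for r in records}
    return sorted(expected_srv_names(domain, forest) - present)


def ordered_targets(records, qname):
    """(target, port) pairs for qname in the order a client should try them: lowest
    priority first, higher weight first within a priority. Deterministic here; a real
    client picks among equal-priority targets randomly in proportion to weight."""
    wanted = qname.lower().rstrip(".") + "."
    matches = [r for r in records if r["name"] == wanted]
    matches.sort(key=lambda r: (r["priority"], -r["weight"], r["target"]))
    return [(r["target"], r["port"]) for r in matches]
```

With the constructed data the _kpasswd record is absent, which is the kind of gap that shows up as Kerberos password-change failures long after LDAP lookups appear healthy; the priority-10 dc3 entry illustrates a DC that only gets used once every priority-0 DC is unreachable.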

_kerberos and _kpasswd

Q256289 - Kerberos SRV Records Not Registered in Windows 2000 DNS

This server (Domain Controller) is a Kerberos Key Distribution Center

Dynamic Updates

Without this you must enter all addresses manually.
Not having this turned on is bad!
Upgrade any BIND DNS servers to version 8.1.2 or later of the BIND software to meet the DNS requirements for Active Directory support.

TROUBLESHOOTING Tools & Demos

DNS Troubleshooting Utilities



- NetDiag
- DCDiag
- NSLookup
- DSADiag
- IPConfig
- NLTest
- Netmon Capture
- Regtrace

Netdiag
Tests many things including DNS and DC lists. NetDiag is a Resource Kit command line utility.
From a command prompt, type the commands below in the directory where NetDiag lives:
- netdiag /test:DNS
- Using the "netdiag /fix" (without the quotation marks) command on the domain controller will verify that all SRV records that are in the Netlogon.dns file are registered on the primary DNS server. Q219289
- Running netdiag with no switches runs all available tests
- Running netdiag /fix will attempt to resolve problems it encounters

DCDiag
- dcdiag with no switches will test many things, including connectivity, machine accounts, replication, and FSMO
- dcdiag /s:servername will test specific servers
- dcdiag /v for verbose output

NSLookup
Used to determine basic DNS connectivity and name resolution
- Extremely powerful tool and probably the best for troubleshooting DNS problems
- Comes with the OS by default
- Internet gateways for NSLookup: http://www.codeflux.com/tools/
- Q200525 Using NSlookup.exe
- Q203204 XFOR: How to Obtain MX Records with the Nslookup.exe Utility
- Can limit the query type, example: set q=mx
- Runs against your default DNS server unless specified otherwise
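What nslookup does for "set q=mx" is send a DNS query packet and decode the MX answers, including the name-compression pointers in the reply. The following is an added example (not code from the deck or from nslookup) that builds such a query and parses a reply, so the wire format on the "Exchange and DNS" and NSLookup slides can be inspected offline; the reply bytes are constructed here to contain two MX records for example.com.

```python
# Added example: build a DNS MX query and parse the answer section of a reply,
# including compressed names. The reply below is constructed, not captured.
import struct

QTYPE_A, QTYPE_MX = 1, 15


def encode_name(name):
    """Encode 'mail.example.com' as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_MX, txid=0x1234):
    """Header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(data, offset, depth=0):
    """Decode a possibly compressed name; return (name, offset after it).
    Pointers must point backwards, and chains are bounded, so a hostile
    reply cannot loop the parser."""
    if depth > 16:
        raise ValueError("compression chain too long")
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward compression pointer")
            tail, _ = read_name(data, pointer, depth + 1)
            return (".".join(labels + [tail]) if labels else tail), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data):
    """Return id, rcode and a list of answer records with decoded MX / A rdata."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata_end = offset + rdlen
        if rtype == QTYPE_MX:
            pref = struct.unpack("!H", data[offset:offset + 2])[0]
            exchange, _ = read_name(data, offset + 2)
            rdata = (pref, exchange)
        elif rtype == QTYPE_A:
            rdata = ".".join(str(b) for b in data[offset:offset + 4])
        else:
            rdata = data[offset:rdata_end]
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
        offset = rdata_end
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def mx_hosts(response):
    """Exchanges in delivery order: lowest preference value is tried first."""
    mx = [a["rdata"] for a in response["answers"] if a["type"] == QTYPE_MX]
    return [host for _, host in sorted(mx)]


# Constructed reply to "example.com MX": two MX records, names compressed to offset 12.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_MX, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_MX, 1, 3600, 10)
    + struct.pack("!H", 10) + b"\x05mail1\xc0\x0c"
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_MX, 1, 3600, 10)
    + struct.pack("!H", 20) + b"\x05mail2\xc0\x0c"
)
```

To use it against a live server, send build_query("example.com") over UDP port 53 and pass the datagram to parse_response; mx_hosts then gives the order in which an SMTP sender should attempt delivery, which is what the "Does the MX for the domain point to the Exchange server?" check is really asking.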

DSADiag
Dsadiag includes 2 switches, 1 and 2
- Run dsadiag 1 to get a list of available DCs and GCs, and their status (Up, Down, Fast, and In Sync)
- Run dsadiag 2 to force a rediscovery of the topology

IPConfig
IPConfig /all
- Shows configuration info for all adapters
- Useful in determining problems with DNS suffixes and IP addresses

IPConfig (continued)
- ipconfig /flushdns clears the local DNS resolver cache
- ipconfig /registerdns forces re-registration of all DNS records (Note: restarting Netlogon does this as well)
  - On domain controllers, stop Netlogon and remove Netlogon.dns and Netlogon.dnb from C:\WINNT\system32\config
- ipconfig /displaydns shows the local DNS resolver cache

NLTest
Capable of many things including secure channel resets and Site/DC/GC queries
- Run nltest /dsgetsite if Ex2K setup fails with "Could not determine Site Name"
- Run nltest /dsgetdc:domain.com to get DC statistics
- Run nltest /dsgetdc:domain.com /gc to get GC statistics (same as above, except it shows the DC only if it has the GC flag)
  - Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST

Netmon Capture
A NetMon trace can also be very useful to see what is being queried for and what fails.

Regtrace
Modules = SMTP
If you have isolated that DNS is causing the issue, the source files for DNS are:
- adns.cpp, smtpdns.cpp, remoteq.cxx

Regtrace
DNS - The quickest way to figure out what is wrong in DNS is often to use dnsquery, dnsq.exe or nslookup.exe to troubleshoot. If this is not possible, trace files may be used.
Functions that trace errors:
- CAsyncDns::DnsParseMessage in adns.cpp
  - Traces the hostname that was attempted to be resolved and the Win32 error code from DNS
- REMOTE_QUEUE::BeginInitializeAsyncDnsQuery in remoteq.cxx
  - Traces any errors in issuing the DNS query

Event Viewer: DNS log


All DNS events will be logged in the Event Viewer under its own folder, DNS Server

Reverse DNS lookup failures
- SMTP Protocol Log
- clntSMTP (MSONLY)
- Q265139 XCON: How to Enable Exchange 2000 SMTP Protocol Logging
  - For more details check \\exutils\exes\ClntSMTP\ClntSMTP.htm
- Telnet

E2K Reverse lookup Implementation
- Q289521 XIMS: VRFY Command Does Not Work in Exchange 2000
- Q153119 XFOR: Telnet to Port 25 of IMC to Test IMC Communication

Slow DNS
Slowness of the DMZ DNS server can result in mail accumulating in the queues if the domains to which mail is going are external domains being resolved by the DNS Sink DMZ resolver.
- dnsq.exe can be used to figure out how slow a DNS server is
- Workaround: have more threads doing DNS resolution. The following metabase key controls this:
  /SmtpSvc/1/MaxRemQThreads (default is 1)

DNS: Queue Diagnostics

"The remote server did not respond to a connection attempt."

This error message can also indicate that the DMZ resolver failed to resolve the target domain (if the VSI is configured as a DMZ) in installations prior to E2K SP1 + W2K SP2.

Additional Notes
- Ping by name does NOT tell us that DNS is fully functional (doesn't test the LDAP lookup to DC/GC)
- If the customer has a DNS issue (that you can't resolve within a few minutes after this triage), get them to Win2K Networking to resolve this case.
- If the customer still has an Exchange 2K issue, they need a new ticket.

Geek Slide
Zone files are stored in this folder: C:\WINNT\system32\dns (this is if you use Standard Primary)
If you use Active Directory Integrated DNS, it is stored in AD at this location: CN=MicrosoftDNS,CN=System,DC=domain,DC=com

Questions?

RESOURCES

Known DNS issues


- Q287667 XFOR: Mail Sits in the Exchange 2000 Outbound Queue
- Q277694 DNS behind Proxy cannot resolve Internet names
- Q305394 XFOR: Outbound SMTP Mail Stopped With Exchange Behind ISA Server
- Q303889 MX Record Failover Does Not Occur When 4xx Error Occurs
- Q296215 XFOR: Mail May Not Flow from One Exchange 2000 Server to Another
- Q288718 XIMS: Message Cannot Be Sent to Domains with MX Record Pointing
- Q251951 XADM: Exchange System Manager Doesn't Verify Smart Host DNS Name
- Q287423 XADM: NDR "Unable to forward the message because no directory se
- Q287086 XCON: Exchange 2000 will not deliver mail to domains whose MX rec
- Q280794 XIMS: Message cannot be sent to domains with MX record pointing
- Q277693 DNS Setting on Exchange 2000 Bridgehead Server for Internet Mail
- Q264111 XCON: Internet Mail Service Requires Domain Name System Name
- Q285863 XCON: How to Bypass DNS Name Resolution to Test SMTP Mail Flow
- Q289045 XFOR: "Host Unknown" Message When Sending Outbound Internet Mail

Tools
All DNS troubleshooting tools are at:
- \\Exutils\Exes
- \\Quadra\Tools

Internet Gateways
- http://www.codeflux.com/Tools
- http://www.dnsreport.com
- http://www.dnsstuff.com
- http://www.network-tools.com/
- http://www.wazoo.com/inetutil.html
- http://samspade.org/t/

Verifying Domain Names


Whois
- http://www.internic.com/whois.html
- http://www.codeflux.com/tools/
- http://www.networksolutions.com/cgibin/whois/whois/
The NSI Registrar database contains ONLY non-military and non-US Government domains and contacts.

DNS Server Help File


- Installation / Deployment
- Configuration & Optimization
- How-tos
- Concepts
- Maintenance
- Troubleshooting
- Best practices

DNS: Recommended Reading


White Papers
- Windows 2000 Namespace Design
- Active Directory Technical Summary
- Windows 2000 DNS
- Windows 2000 WINS Overview
- http://www.microsoft.com/windows/server/technical/default.asp

DNS and BIND (Cricket Liu), published by O'Reilly and Associates

Related RFCs: 1034, 1035, 1995, 1996, 2052, 1123, 2136, 2181, 2308

RFCs related to Win2K DNS


- 1034 Domain Names - Concepts and Facilities
- 1035 Domain Names - Implementation and Specification
- 1123 Requirements for Internet Hosts - Application and Support
- 1886 DNS Extensions to Support IP Version 6
- 1995 Incremental Zone Transfer in DNS
- 1996 A Mechanism for Prompt DNS Notification of Zone Changes
- 2136 Dynamic Updates in the Domain Name System (DNS UPDATE)
- 2181 Clarifications to the DNS Specification
- 2308 Negative Caching of DNS Queries (DNS NCACHE)

Internet drafts related to Win2K DNS


- draft-ietf-dnsind-rfc2052bis-02.txt (A DNS RR for Specifying the Location of Services (DNS SRV))
- draft-skwan-utf8-dns-02.txt (Using the UTF-8 Character Set in the Domain Name System)
- draft-ietf-dhc-dhcp-dns-08.txt (Interaction between DHCP and DNS)
- draft-ietf-dnsind-tsig-11.txt (Secret Key Transaction Signatures for DNS (TSIG))
- draft-ietf-dnsind-tkey-00.txt (Secret Key Establishment for DNS (TKEY RR))
For additional info please go to: http://www.ietf.org/

Exchange 2000 Server: Troubleshooting DNS (end)


