Exchange 2000 Server: Troubleshooting DNS
ALAN MALMBERG, Support Engineer, Exchange Connectors - Texas, Microsoft Corporation
May 12, 2004

DESCRIPTION

Networking DNS Troubleshooting

TRANSCRIPT


  • Background Information

  • Name Resolution

    Applications that need to communicate with other networked computers require a communication mechanism

    A network operating system is used to facilitate network communication requests

    Applications send their requests to the operating system, which handles the request

    The Windows OS provides a number of API sets to handle such requests, e.g. NetBIOS and Windows Sockets

  • Name Resolution

    Applications written using Windows Sockets can use the GetHostByName API, which triggers name resolution request(s)

    The OS tries to resolve the name that the application passed to it into an IP address

    A Windows OS uses two primary methods for name resolution: NetBIOS name resolution and host name resolution

  • Windows NT 4.0

  • NT 4.0 Name Resolution

    Generally tries NetBIOS name resolution first, then host name resolution

    NetBIOS name resolution order: NetBIOS name cache, WINS, B-cast (broadcast), LMHOSTS, HOSTS, DNS

  • NT 4.0 Name Resolution

    Host name resolution order: local host name, HOSTS, DNS, NetBIOS name cache, WINS, B-cast (broadcast), LMHOSTS

  • Windows 2000

  • Simple Query for FQDN

    How does www.microsoft.com become 207.46.230.218?

    Client sends a recursive query to the DNS server

    Local DNS server checks its forward zone and cache and returns the answer, or, if nothing is found:

    Local DNS server sends an iterative query to the root servers

    Root servers help us find the SOA and NS for the domain

    Local DNS server sends an iterative query to the remote NS

    Local DNS server gets the answer from the remote NS and sends the response to the client

  • Win 2000 Name Resolution

    Generally tries host name resolution first, then NetBIOS

    Caching Resolver Service is used to reduce network traffic

    Service can be viewed, stopped and started like other services

    To view the cache: ipconfig /displaydns

    To clear the cache: ipconfig /flushdns

    To stop: net stop "dns client"

    To start: net start "dns client"

  • Caching Resolver Service

    Performs these tasks:

    Name resolution

    General caching of queries

    Negative caching

    Tracks transient network adapters (PnP)

    Tracks connection-specific domain names

    DNS server list management

    Prioritizes records by IP address when multiple A records are returned from a DNS server

  • Caching Resolver Service

    When the GetHostByName API is used:

    Resolver submits a query to DNS

    If DNS resolution fails, resolver checks the length of the name: is it >15 bytes?

    If the name is >15 bytes, resolution fails

    If the name is

  • Getting Resolution

  • DNS Name Types

    Resolver checks what kind of name is being queried:

    Null, e.g. ping localhost

    Fully qualified domain name (FQDN), e.g. host.reskit.com.

    Single-label, unqualified names (contain no periods), e.g. host

    Multiple-label, unqualified names (not terminated with a period), e.g. host.reskit

  • DNS Name Resolution

    When given a FQDN: resolver queries DNS with that name

    When given a multiple-label, unqualified name: resolver adds a period to the name and queries DNS with the period-terminated name

    If the DNS server returns a "Name does not exist" response to this query, resolver will treat the name just like a single-label, unqualified name

  • DNS Name Resolution

    When given a single-label, unqualified name:

    Resolver systematically appends different DNS suffixes to the name, adding periods to create a FQDN

    Resolver submits each name, in turn, to the DNS server and waits for a response

    Resolver stops querying when the name is resolved, or when all DNS suffixes have been tried
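
The name-type rules on the last three slides, as an added example (not part of the original deck): a small Python model of how the Windows 2000 resolver classifies a name and which period-terminated queries it submits. The suffix search list and the "DNS server" (a dictionary) are constructed sample data, which is my assumption so the example runs offline.

```python
# Added example, not from the original slides: a model of the Windows 2000
# resolver's name-type handling (null / FQDN / single-label / multiple-label).
# The suffix list and the dictionary standing in for the DNS server are my
# constructed sample data so that the example runs offline.

NULL, FQDN, SINGLE_LABEL, MULTI_LABEL = "null", "fqdn", "single-label", "multi-label"

# Constructed sample: a suffix search list and the records the DNS server holds.
SAMPLE_SUFFIXES = ["reskit.com", "corp.example.test"]
SAMPLE_ZONE = {
    "host.reskit.com.": "10.0.0.5",
    "www.corp.example.test.": "10.0.0.6",
}


def classify(name):
    """Null, FQDN (period-terminated), single-label unqualified (no periods)
    or multiple-label unqualified (has periods, not terminated with one)."""
    if name == "":
        return NULL
    if name.endswith("."):
        return FQDN
    if "." not in name:
        return SINGLE_LABEL
    return MULTI_LABEL


def candidate_queries(name, suffixes):
    """The period-terminated names the resolver submits, in order.
    A FQDN is queried as-is.  A single-label name gets each suffix appended.
    A multiple-label name is first tried with a period appended; if that is
    answered 'Name does not exist' it falls back to the single-label behaviour."""
    kind = classify(name)
    if kind == NULL:
        return []
    if kind == FQDN:
        return [name]
    suffixed = ["%s.%s." % (name, s.strip(".")) for s in suffixes]
    if kind == SINGLE_LABEL:
        return suffixed
    return [name + "."] + suffixed


def resolve(name, suffixes, zone):
    """Submit each candidate until one is found in zone (a dict standing in for
    the DNS server; a missing key is a 'Name does not exist' response).
    Returns (answered_name, ip, queries_sent); the first two are None on failure."""
    sent = []
    for query in candidate_queries(name, suffixes):
        sent.append(query)
        if query in zone:
            return query, zone[query], sent
    return None, None, sent


if __name__ == "__main__":
    for n in ["", "host.reskit.com.", "host", "host.reskit", "www", "www.corp"]:
        print("%-18s %-12s -> %s" % (repr(n), classify(n), resolve(n, SAMPLE_SUFFIXES, SAMPLE_ZONE)))
```

Running it shows the practical consequence of the rules: "www.corp" never resolves even though www.corp.example.test exists, because a whole suffix is appended to the whole name (www.corp.corp.example.test.), which is the kind of suffix search-order mistake the 5.4.0 slide later lists as a cause.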

  • Caching

  • Resolver Cache

    The cache is always checked before queries are sent to a DNS server

    Positive and negative responses can be cached; this decreases network traffic

    Positive entries are cached for a maximum period = the TTL returned with the record from DNS

    Negative entries are cached for a maximum period = the minimum TTL in the SOA record; cannot be less than one minute, cannot be greater than 15 minutes

  • Resolver Cache

    Caching behavior is configurable

    Entries are cached for the number of seconds specified by the TTL, but never for longer than the values specified in the registry

    Q245437 How to Disable Client-Side DNS Caching in Windows 2000

    HKLM\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters

    Set MaxCacheEntryTtlLimit = 1 (default = 86400)

    Set NegativeCacheTime = 0 (default = 300)

  • Resolver Cache

    View TTLs in the cache: ipconfig /displaydns
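
As an added example (not part of the original deck), here is a parser for the output of ipconfig /displaydns that lists what the caching resolver currently holds, separating negative ("Name does not exist") entries from positive records and their remaining TTLs. The output text is a constructed sample in the format of the Windows 2000 command, not a real capture; everything else is my own code.

```python
# Added example, not from the original slides: parse "ipconfig /displaydns"
# output so a troubleshooter can see which cached answers (positive or
# negative) a flush would discard.  SAMPLE_DISPLAYDNS is a constructed sample.
import re

SAMPLE_DISPLAYDNS = """\
Windows 2000 IP Configuration

         www.microsoft.com.
         ----------------------------------------
         Record Name . . . . . : www.microsoft.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 1800
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 207.46.230.218

         badhost.reskit.com.
         ----------------------------------------
         Name does not exist.

         localhost.
         ----------------------------------------
         Record Name . . . . . : localhost
         Record Type . . . . . : 1
         Time To Live  . . . . : 31534227
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 127.0.0.1
"""

# "Record Name . . . . . : value" -> ("Record Name", "value")
FIELD = re.compile(r"^(.*?)\s*(?:\. ?)+:\s*(.*)$")


def parse_displaydns(text):
    """Return a list of cache entries {"name", "negative", "records"}; records
    is a list of dicts keyed by the field names ipconfig prints."""
    lines = [l.rstrip() for l in text.splitlines()]
    entries = []
    i = 0
    while i < len(lines):
        name = lines[i].strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        # An entry starts with the cached name followed by a line of dashes.
        if not (name and nxt and set(nxt) == {"-"}):
            i += 1
            continue
        entry = {"name": name, "negative": False, "records": []}
        record = {}
        i += 2
        while i < len(lines) and lines[i].strip():
            body = lines[i].strip()
            if body == "Name does not exist.":
                entry["negative"] = True
            else:
                m = FIELD.match(body)
                if m:
                    key, value = m.group(1), m.group(2)
                    if key == "Record Name" and record:   # next RR under the same name
                        entry["records"].append(record)
                        record = {}
                    record[key] = value
            i += 1
        if record:
            entry["records"].append(record)
        entries.append(entry)
    return entries


def negative_entries(entries):
    """Names cached as 'does not exist'; a stale one is a classic reason to flush."""
    return [e["name"] for e in entries if e["negative"]]


def long_lived_entries(entries, min_ttl):
    """(name, ttl) for records whose remaining TTL is at least min_ttl seconds."""
    found = []
    for e in entries:
        for r in e["records"]:
            ttl = int(r.get("Time To Live", "0"))
            if ttl >= min_ttl:
                found.append((e["name"], ttl))
    return found


if __name__ == "__main__":
    cached = parse_displaydns(SAMPLE_DISPLAYDNS)
    print("negative:", negative_entries(cached))
    print("ttl >= 1 day:", long_lived_entries(cached, 86400))
```

Feed it the real command's output (ipconfig /displaydns > cache.txt) and the negative list is exactly the set of names that will keep failing until the NegativeCacheTime expires or the cache is flushed.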

  • Name Server Lists

  • DNS Queries

    If the name is not in the cache, the resolver queries the DNS servers configured on each adapter

  • DNS Queries

    Each adapter can be configured with multiple DNS servers (list servers)

    Resolver sends the query to the first DNS server on the preferred adapter's list and waits one second for a response

    If no response, resolver sends the query to the first DNS server listed on all adapters' lists and waits two seconds for a response

    If no response from any server, resolver sends the query to all DNS servers on all adapters and waits two seconds for a response

  • DNS Queries

    At the 5 second point, if a response is not received from any DNS server, resolver sends the query to all DNS servers on all adapters and waits four seconds for a response

    If a response is still not received from any DNS server, resolver sends the query to all DNS servers on all adapters and waits 8 seconds for a response

    If no DNS servers respond, resolver responds with a time-out message; total time could be 17 seconds

    If the resolver does not receive a response from any server on a given adapter, resolver stops querying that adapter's DNS servers and returns a time-out for 30 seconds

  • Resolver List Management

    If the resolver receives a negative response at any point in the process, it removes every server on that adapter from consideration during that particular search

    If the resolver receives a positive response at any point in the process, resolver stops querying DNS servers, adds the response to the cache and returns the response to the client

  • Resolver List Management

    When the resolver does not receive a response from a particular DNS server, resolver moves the next DNS server in the list to the top of the list

    Resolver may move servers up or down the list based on how quickly they respond

    Keep infrastructure as simple as possible

    Resolver list management behavior is not configurable

    Refer to Q135919 DNS Server Search Order Functionality in Windows NT
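
The server-selection and time-out schedule on the preceding DNS Queries and Resolver List Management slides, as an added example that is not part of the original deck: a Python simulation that replays the rounds (1, 2, 2, 4 and 8 seconds), drops an adapter after a negative answer and stops on a positive one. Server behaviour is supplied by the caller and answers are treated as instantaneous; both are my assumptions so it runs offline. The slides do not say what is reported when one adapter answered negatively and the others stayed silent; the model reports a negative result in that case.

```python
# Added example, not from the original slides: simulation of the Windows 2000
# resolver's query schedule.  Server behaviour ('positive', 'negative',
# 'silent') is a caller-supplied assumption; response time is ignored.

# (stage, seconds to wait) for each round; the waits add up to 17 seconds.
ROUNDS = [
    ("preferred-first", 1),   # first server on the preferred adapter's list
    ("all-first", 2),         # first server on every adapter's list
    ("all", 2),               # every server on every adapter
    ("all", 4),               # the 5-second point
    ("all", 8),               # last attempt before the time-out
]

# Constructed sample: adapters in preference order with their DNS server lists.
SAMPLE_ADAPTERS = [
    ("LAN", ["10.0.0.1", "10.0.0.2"]),
    ("DMZ", ["192.0.2.1"]),
]


def targets_for(stage, adapters, excluded):
    """(adapter, server) pairs queried in this round, skipping excluded adapters."""
    chosen = []
    for index, (adapter, servers) in enumerate(adapters):
        if adapter in excluded or not servers:
            continue
        if stage == "preferred-first":
            if index == 0:
                chosen.append((adapter, servers[0]))
        elif stage == "all-first":
            chosen.append((adapter, servers[0]))
        else:
            chosen.extend((adapter, s) for s in servers)
    return chosen


def simulate_lookup(adapters, behaviour):
    """behaviour maps server -> 'positive' | 'negative' | 'silent' (default silent).
    Returns (outcome, elapsed_seconds, queries); queries lists
    (send_time, adapter, server) and outcome is 'positive', 'negative' or 'timeout'."""
    excluded = set()      # adapters dropped for this search after a negative answer
    elapsed = 0
    queries = []
    got_negative = False
    for stage, wait in ROUNDS:
        for adapter, server in targets_for(stage, adapters, excluded):
            queries.append((elapsed, adapter, server))
            answer = behaviour.get(server, "silent")
            if answer == "positive":
                # stop querying, cache the answer, return it to the client
                return "positive", elapsed, queries
            if answer == "negative":
                got_negative = True
                excluded.add(adapter)
        if excluded and all(adapter in excluded for adapter, _ in adapters):
            return "negative", elapsed, queries
        elapsed += wait
    return ("negative" if got_negative else "timeout"), elapsed, queries


def total_timeout_seconds():
    """Worst case when no server ever answers."""
    return sum(wait for _, wait in ROUNDS)


if __name__ == "__main__":
    for label, behaviour in [("all silent", {}),
                             ("second LAN server only", {"10.0.0.2": "positive"}),
                             ("both adapters say NXDOMAIN", {"10.0.0.1": "negative", "192.0.2.1": "negative"})]:
        outcome, elapsed, queries = simulate_lookup(SAMPLE_ADAPTERS, behaviour)
        print("%-28s -> %-8s after %2ds, %d queries" % (label, outcome, elapsed, len(queries)))
```

The "second LAN server only" case is the one worth noticing: a working server that is merely second on the preferred adapter's list is not tried until the third round, three seconds in, which is why the slides recommend keeping the infrastructure simple and putting a known-good server first.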

  • CONFIGURATION: Exchange 2000 & DNS

  • Exchange and DNS

    Can't install Exchange 2000: use DCDiag and NetDiag to review the health of AD

    Usually a DNS problem; make sure DNS is configured properly based on the scenario (is Exchange being installed on a 2nd DC or in a child domain? Is DNS configured properly for that computer?)

  • Exchange and DNS

    Can't send mail:

    Can you telnet to an SMTP server on the internet? Can we ping by IP? Can we get past a firewall or proxy server?

    Can you resolve the MX for the domain on the internet using nslookup?

    Can't receive mail:

    Can you telnet to the SMTP server from the internet?

    Does the MX for the domain point to the Exchange server?

  • Exchange and DNS

    MX record tells us who the mail server is

    Use internic.org to find the NS with the SOA

    Use nslookup against the SOA to find the correct MX

    Exchange bypasses the Proxy client: install DNS on the proxy and set the internal W2K DNS to forward to the proxy for external name resolution

    Problems with reverse lookups: some mail servers attempt a reverse lookup to prevent spam; the customer may have an SOA for the domain, but not for the reverse zone

  • Symptoms

    Establish that the problem is in DNS. Common things to look for:

    There is a remote queue for the domain which is in retry

    The queue diagnostic indicates DNS, or at the very least, it doesn't indicate something else

    You are getting an NDR with the DNS error code (5.4.0 on E2K SP1, or 5.0.0 prior to that)

    Event 4000 in the Application log (could be an SMTP error)

  • DNS: NDR Error Codes

    5.0.0 - The generic error code for all unknown errors. Post E2K SP1 there shouldn't be many of these.

    5.4.0 (E2K SP1) - Authoritative DNS failure on target domain; SMTP outbound protocol error

    5.5.0 (E2K SP1) - Generic SMTP protocol error; DNS reverse lookup failure

  • 5.4.0 NDR: Auth host not found

    DNS suffix search order incorrect

    Smarthost entry is incorrect

    FQDN name in HOSTS (fixed in W2K SP3); X5: 186120 Fixed in W2K SP3

    SMTP VS does not have a valid FQDN

    Lookup of your SMTP VS FQDN failed

    Contact's domain does not resolve to any SMTP address spaces

  • Verification / Relief

    Verifying DNS problems:

    Bypass the DNS server: Q285863 XCON: How to Bypass DNS Name Resolution to Test SMTP Mail Flow

    Point the server to a known good DNS server with forwarder: dialcache021.ns.uu.net (198.6.100.218), dns1.microsoft.com (131.107.1.7), ISP's DNS server

    Adding an FQDN entry in the Hosts file (if using the Core SMTP DNS resolver); beware of X5: 186120

  • Configuration

    Configuration issues:

    Full computer name (FQDN)

    DNS suffix name

    Virtual server's FQDN

    Forwarding to invalid external DNS servers

    Forwarding to root hint servers (timeouts)

    Incorrect entries in the hosts file

    Incorrect records in DNS

    Missing records in DNS

  • Simple rules for DNS

    Primary DNS server of a domain should always point to itself as the preferred DNS server; no secondary is needed

    Additional DNS servers of a domain should point to the primary first, and to themselves as secondary

    Clients should only point internally to local DNS

    Always delete the "." zone in DNS

    Use root hints for external name resolution

    Use forwarders to help queries when needed

  • Suggested DNS configurations

    Single NIC machines

    Multihomed machines

  • Single NIC Machines

    Primary and Secondary both point to AD DNS Servers

    DNS Server set up as forwarder to ISP

  • Multihomed Machines

    Primary and/or Secondary on both NICs point to AD DNS Server

    DNS Server set up as forwarder

    Do not register connection in DNS on External Interface

  • Multiple AD DNS Servers

    AD Integrated or Primary/Secondary?

    For dynamic updates, point the primary DNS setting on the NIC to the primary DNS for the zone

    For AD Integrated, point them to any AD DNS server

  • External DNS Servers

    Do NOT point the Exchange Server to an external DNS server (Always point internally for DNS first)

    Use Forwarders for external name resolution

  • Setting up Forwarders

    Right-click the DNS server, Properties, Forwarders tab

    If Enabled Forwarders is grayed out, delete the . zone

    Must Highlight and Refresh DANDC

  • Setting up Forwarders

    Now Enable Forwarders is not grayed out

  • Forward Lookup Zones

    In most DNS lookups, clients typically perform a forward lookup, which is a search based on the DNS name of another computer as stored in an address (A) resource record. This type of query expects an IP address as the resource data for the answered response.

  • Reverse Lookup Zones

    DNS also provides a reverse lookup process, enabling clients to use a known IP address during a name query and look up a computer name based on its address.

    Q242906 - "DNS Request Timed Out" Error Message When Starting Nslookup

  • _TCP Folder and _ldap

    Q178169 - DNS Records Registered by Windows 2000 Domain Controllers

    A client looking for a domain controller in the fbody domain would query _ldap._tcp.fbody.com

  • _TCP Folder and _gc

    All GCs are listed in the root _tcp folder.

    GC-specific records:

    Type         Record  DNS name
    Gc           SRV     _ldap._tcp.gc._msdcs.
    GcIpAddress  A       _gc._msdcs.
    GenericGc    SRV     _gc._tcp.

  • _kerberos and _kpasswd

    Q256289 - Kerberos SRV Records Not Registered in Windows 2000 DNS

    This server (Domain Controller) is a Kerberos Key Distribution Center

  • Dynamic Updates

    Without this you must enter all addresses manually. Not having this turned on is bad!

    Upgrade any BIND DNS servers to version 8.1.2 or later of the BIND software to meet the DNS requirements for Active Directory support.

  • TROUBLESHOOTING: Tools & Demos

  • DNS Troubleshooting Utilities

    NetDiag, DCDiag, NSLookup, DSADiag, IPConfig, NLTest, Netmon capture, Regtrace

  • Netdiag

    Tests many things including DNS and DC lists

    NetDiag is a Resource Kit command line utility. From a command prompt, type the commands below in the directory where NetDiag lives.

    netdiag /test:DNS

    Using the "netdiag /fix" command (without the quotation marks) on the domain controller will verify that all SRV records that are in the Netlogon.dns file are registered on the primary DNS server. (Q219289)

    Running netdiag with no switches runs all available tests

    Running netdiag /fix will attempt to resolve problems it encounters
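
As an added example (not part of the original deck and not netdiag's own code), here is a Python check in the spirit of what the netdiag /fix slide describes: it compares the records a domain controller writes to Netlogon.dns with what the DNS server actually holds, and reports which locator roles from the _ldap, _gc, _kerberos and _kpasswd slides (Q178169, Q256289) have no record at all. The Netlogon.dns text and the zone snapshot are constructed samples; in practice the snapshot would come from nslookup or a zone transfer, which this offline example does not perform.

```python
# Added example, not from the original slides: compare Netlogon.dns against a
# snapshot of the zone and report unregistered records and missing locator
# roles.  SAMPLE_NETLOGON_DNS and SAMPLE_ZONE are constructed sample data.
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

SAMPLE_NETLOGON_DNS = """\
fbody.com. 600 IN A 10.0.0.1
_ldap._tcp.fbody.com. 600 IN SRV 0 100 389 dc1.fbody.com.
_ldap._tcp.gc._msdcs.fbody.com. 600 IN SRV 0 100 3268 dc1.fbody.com.
_gc._tcp.fbody.com. 600 IN SRV 0 100 3268 dc1.fbody.com.
_kerberos._tcp.fbody.com. 600 IN SRV 0 100 88 dc1.fbody.com.
_kpasswd._tcp.fbody.com. 600 IN SRV 0 100 464 dc1.fbody.com.
"""

# Constructed snapshot of what the DNS server holds: the Kerberos records
# never got registered, the symptom described in Q256289.
SAMPLE_ZONE = {
    ("fbody.com.", "A", "10.0.0.1"),
    ("_ldap._tcp.fbody.com.", "SRV", "0 100 389 dc1.fbody.com."),
    ("_ldap._tcp.gc._msdcs.fbody.com.", "SRV", "0 100 3268 dc1.fbody.com."),
    ("_gc._tcp.fbody.com.", "SRV", "0 100 3268 dc1.fbody.com."),
}


def parse_netlogon_dns(text):
    """One record per line: <owner> <ttl> IN <type> <rdata...>; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        records.append(Record(owner.lower(), int(ttl), rtype.upper(), " ".join(rdata)))
    return records


def missing_registrations(expected, zone):
    """Records from Netlogon.dns absent from the zone snapshot, i.e. what
    netdiag /fix would try to re-register."""
    present = {(n.lower(), t.upper(), d) for n, t, d in zone}
    return [r for r in expected if (r.name, r.rtype, r.rdata) not in present]


def missing_locator_roles(domain, forest, zone):
    """Roles a client cannot locate because the SRV name has no record at all."""
    present = {(n.lower(), t.upper()) for n, t, _ in zone}
    wanted = {
        "dc": ("_ldap._tcp.%s." % domain, "SRV"),
        "gc": ("_ldap._tcp.gc._msdcs.%s." % forest, "SRV"),
        "generic_gc": ("_gc._tcp.%s." % forest, "SRV"),
        "kdc": ("_kerberos._tcp.%s." % domain, "SRV"),
        "kpasswd": ("_kpasswd._tcp.%s." % domain, "SRV"),
    }
    return sorted(role for role, key in wanted.items() if key not in present)


if __name__ == "__main__":
    expected = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    for rec in missing_registrations(expected, SAMPLE_ZONE):
        print("not registered:", rec.name, rec.rtype, rec.rdata)
    print("roles without a record:", missing_locator_roles("fbody.com", "fbody.com", SAMPLE_ZONE))
```

Exchange setup depends on the gc and kdc roles being locatable (the NLTest slide's "Could not determine Site Name" and the DC/GC flags), so an empty result from missing_locator_roles is a cheaper first check than a full dcdiag run.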

  • DCDiag

    dcdiag with no switches will test many things, including connectivity, machine accounts, replication, and FSMO

    dcdiag /s:servername will test specific servers

    Dcdiag /v for verbose output

  • NSLookup

    Used to determine basic DNS connectivity and name resolution

    Extremely powerful tool, and probably the best to troubleshoot DNS problems; comes with the OS by default.

    Internet gateways for NSLookup

    Q200525 Using NSlookup.exe

    Q203204 XFOR: How to Obtain MX Records with the Nslookup.exe Utility

    Runs against your default DNS server unless specified otherwise

    Can limit the query, for example: set q=mx

    http://www.codeflux.com/tools/

  • DSADiag

    Dsadiag includes 2 switches, 1 and 2

    Run dsadiag 1 to get a list of available DCs and GCs, and their status (Up, Down, Fast, and In Sync)

    Run dsadiag 2 to force a rediscovery of the topology

  • IPConfig

    ipconfig /all

    Shows configuration info for all adapters

    Useful in determining problems with DNS suffixes and IP addresses

  • IPConfig (continued)

    ipconfig /flushdns clears the local DNS resolver cache

    ipconfig /registerdns forces re-registration of all DNS records (note: restarting Netlogon does this as well)

    On domain controllers, stop Netlogon and remove Netlogon.dns and Netlogon.dnb from C:\WINNT\system32\config

    ipconfig /displaydns shows the local DNS resolver cache

  • NLTest

    Capable of many things including secure channel resets and Site/DC/GC queries

    Run nltest /dsgetsite if Ex2K setup fails with "Could not determine Site Name"

    Run nltest /dsgetdc:domain.com to get DC statistics

    Run nltest /dsgetdc:domain.com /gc to get GC statistics; same as above except it shows the DC only if it has the GC flag

    Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST

  • Netmon Capture

    A NetMon trace can also be very useful to see what is being queried for and what fails.

  • Regtrace

    Modules = SMTP

    Files: if you have isolated that DNS is causing the issue, the source files for DNS are adns.cpp, smtpdns.cpp and remoteq.cxx

  • Regtrace

    DNS - The quickest way to figure out what is wrong in DNS is often to use dnsquery, dnsq.exe or nslookup.exe to troubleshoot. If this is not possible, trace files may be used.

    Functions that trace errors:

    CAsyncDns::DnsParseMessage in adns.cpp - traces the hostname that was attempted to be resolved and the Win32 error code from DNS.

    REMOTE_QUEUE::BeginInitializeAsyncDnsQuery in remoteq.cxx - traces any errors in issuing the DNS query.

  • Event Viewer: DNS log

    All DNS events will be logged in the Event Viewer under its own folder, DNS Server

  • Reverse DNS lookup failures

    SMTP Protocol Log: Q265139 XCON: How to Enable Exchange 2000 SMTP Protocol Logging

    clntSMTP (MSONLY): for more details check \\exutils\exes\ClntSMTP\ClntSMTP.htm

    Telnet: Q153119 XFOR: Telnet to Port 25 of IMC to Test IMC Communication

    E2K reverse lookup implementation: Q289521 XIMS: VRFY Command Does Not Work in Exchange 2000

  • Slow DNS

    Slowness of the DMZ DNS server can result in mail accumulating in the queues if the domains to which mail is going are external domains being resolved by the DNS Sink DMZ resolver.

    dnsq.exe can be used to figure out how slow a DNS server is.

    Workaround: have more threads doing DNS resolution. The following metabase key controls this: /SmtpSvc/1/MaxRemQThreads (default is 1)

  • DNS: Queue Diagnostics

    The remote server did not respond to a connection attempt. The error message can also indicate that the DMZ resolver failed to resolve the target domain (if the VSI is configured as a DMZ) in installations prior to E2K SP1 + W2K SP2.

  • Additional Notes

    Ping by name does NOT tell us that DNS is fully functional (doesn't test LDAP lookup to DC/GC)

    If the customer has a DNS issue (that you can't resolve within a few minutes after this triage), get them to Win2k Networking to resolve this case.

    If the customer still has an Exchange 2K issue, they need a new ticket.

  • Geek Slide

    Zone files are stored in this folder: C:\WINNT\system32\dns (this is if you use Standard Primary)

    If you use Active Directory Integrated DNS it is stored in AD at this location CN=MicrosoftDNS,CN=System,DC=domain,DC=com

  • Questions?

  • RESOURCES

  • Known DNS issues

    Q287667 XFOR: Mail Sits in the Exchange 2000 Outbound Queue

    Q277694 DNS behind Proxy cannot resolve Internet names

    Q305394 XFOR: Outbound SMTP Mail Stopped With Exchange Behind ISA Server

    Q303889 MX Record Failover Does Not Occur When 4xx Error Occurs

    Q296215 XFOR: Mail May Not Flow from One Exchange 2000 Server to Another

    Q288718 XIMS: Message Cannot Be Sent to Domains with MX Record Pointing

    Q251951 XADM: Exchange System Manager Doesn't Verify Smart Host DNS Name

    Q287423 XADM: NDR "Unable to forward the message because no directory se

    Q287086 XCON: Exchange 2000 will not deliver mail to domains whose MX rec

    Q280794 XIMS: Message cannot be sent to domains with MX record pointing

    Q277693 DNS Setting on Exchange 2000 Bridgehead Server for Internet Mail

    Q264111 XCON: Internet Mail Service Requires Domain Name System Name

    Q285863 XCON: How to Bypass DNS Name Resolution to Test SMTP Mail Flow

    Q289045 XFOR: "Host Unknown" Message When Sending Outbound Internet Mail

  • Tools

    All DNS troubleshooting tools are at: \\Exutils\Exes and \\Quadra\Tools

  • Internet Gateways

    http://www.codeflux.com/Tools

    http://www.dnsreport.com

    http://www.dnsstuff.com

    http://www.network-tools.com/

    http://www.wazoo.com/inetutil.html

    http://samspade.org/t/

  • Verifying Domain Names

    Whois:

    http://www.internic.com/whois.html

    http://www.codeflux.com/tools/

    http://www.networksolutions.com/cgi-bin/whois/whois/

    The NSI Registrar database contains ONLY non-military and non-US Government domains and contacts.

  • DNS Server Help File

    Installation / Deployment, Configuration & Optimization, How-tos, Concepts, Maintenance, Troubleshooting, Best practices

  • DNS: Recommended Reading

    White papers: Windows 2000 Namespace Design; Active Directory Technical Summary; Windows 2000 DNS; Windows 2000 WINS Overview

    http://www.microsoft.com/windows/server/technical/default.asp

    DNS and BIND (Cricket Liu), published by O'Reilly and Associates

    Related RFCs: 1034, 1035, 1995, 1996, 2052, 1123, 2136, 2181, 2308

  • RFCs related to Win2K DNS

    1034 Domain Names - Concepts and Facilities

    1035 Domain Names - Implementation and Specification

    1123 Requirements for Internet Hosts - Application and Support

    1886 DNS Extensions to Support IP Version 6

    1995 Incremental Zone Transfer in DNS

    1996 A Mechanism for Prompt DNS Notification of Zone Changes

    2136 Dynamic Updates in the Domain Name System (DNS UPDATE)

    2181 Clarifications to the DNS Specification

    2308 Negative Caching of DNS Queries (DNS NCACHE)

  • Internet drafts related to Win2K DNS

    draft-ietf-dnsind-rfc2052bis-02.txt (A DNS RR for Specifying the Location of Services (DNS SRV))

    draft-skwan-utf8-dns-02.txt (Using the UTF-8 Character Set in the Domain Name System)

    draft-ietf-dhc-dhcp-dns-08.txt (Interaction between DHCP and DNS)

    draft-ietf-dnsind-tsig-11.txt (Secret Key Transaction Signatures for DNS (TSIG))

    draft-ietf-dnsind-tkey-00.txt (Secret Key Establishment for DNS (TKEY RR))

    For additional info please go to: http://www.ietf.org/

  • (end)