Thursday, November 3, 2011

Troubleshooting tips for DNS

Time to Live, Aging, and Scavenging
Time to Live (TTL) – How long a DNS record will be valid
Aging – When records inserted into the DNS server reach expiration and are removed
Scavenging – Remove old DNS records

Time to Live – The TTL depends on the type of DNS record. MX records typically have a longer TTL than a host (A) record, for example. The TTL can be modified.
Aging – Removing expired DNS records keeps DNS accurate and uses less disk space.
Scavenging – If DNS records have not been aged out, we can force a database cleanup by removing stale records. This is done by scavenging DNS records. Stale resource records can slow down DNS lookups and cause errors.

Steps to modify Aging and Scavenging and TTL

Server name is svr-1 in this example. The domain in this example is
1. Start | Administrative Tools | DNS
2. Right click svr-1
3. Click Set Aging/Scavenging for All Zones...
4. In the Server Aging/Scavenging Properties dialog box, check the Scavenge stale resource records box. You can modify the No-refresh interval and Refresh interval, if desired.
5. Expand svr-1. Expand Forward Lookup Zones. Expand
6. Right click and click Properties.
7. Look at the Start of Authority (SOA) tab. At the bottom of the tab is the TTL for this record: 0:1:0:0 (DDDDD:HH.MM.SS) indicates a TTL of one hour. This means that if a record from this zone is in the resolver cache on a machine, it stays in that cache for one hour. This setting applies to the whole zone; a TTL set on an individual record overrides the zone TTL.
8. Click OK.
9. Let us look at an individual record. Open the View menu in DNS Manager and click Advanced. Notice that Cached Lookups has appeared in the bottom left of DNS Manager. In the details pane, choose another A record for the zone. In this example, we will choose Client-A. Right click it and select Properties. You can now modify the TTL of individual records.
10. Go back to the View menu and switch off Advanced features.
11. Close the DNS Manager console.
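The same settings can be audited from PowerShell. The script below is an added example, not part of the original post: it reads the server-wide scavenging settings, the zone's aging settings and the per-record TTLs, and lists dynamic records that are already old enough to be scavenged. It assumes the DnsServer module (Windows Server 2012 or later, so not the 2008 console the post describes) and uses a placeholder zone name, since the post's zone name is not given.

```powershell
# Added example (not from the original post): audit scavenging/aging settings and find records
# that are stale enough to be scavenged. Assumes the DnsServer module (Windows Server 2012+).
param(
    [string]$Server = 'svr-1',            # DNS server name used in the post
    [string]$Zone   = 'example.internal'  # placeholder; the post's zone name is not on the page
)
Import-Module DnsServer

# Server-wide settings behind "Set Aging/Scavenging for All Zones...".
Get-DnsServerScavenging -ComputerName $Server |
    Format-List ScavengingState, NoRefreshInterval, RefreshInterval, ScavengingInterval, LastScavengeTime

# Per-zone aging: records are only scavenged from zones that have aging enabled.
$aging = Get-DnsServerZoneAging -Name $Zone -ComputerName $Server
$aging | Format-List AgingEnabled, NoRefreshInterval, RefreshInterval

# A dynamic record becomes eligible for scavenging once its timestamp is older than
# NoRefreshInterval + RefreshInterval. Static records carry no timestamp and are never scavenged.
$cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)

Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $Server -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, TimeToLive, Timestamp,
                  @{ Name = 'Address'; Expression = { $_.RecordData.IPv4Address } } |
    Sort-Object Timestamp |
    Format-Table -AutoSize
```

Set-DnsServerScavenging and Set-DnsServerZoneAging apply the same changes the dialog boxes in steps 3 to 6 make; review the listed records first, because anything that must survive scavenging (a host that rarely re-registers) should be made a static record before scavenging is switched on.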

Test the DNS Server Configuration

Test the DNS server by:

1. A simple query ensures the DNS service is answering.
2. A recursive query ensures the DNS server can communicate with the upstream DNS service.
On the DNS server's Monitoring tab, you can run both a simple and a recursive query.

Advanced Tools to Identify Problems with DNS

Nslookup – Troubleshoot DNS problems (interactive and non-interactive mode)
Dnscmd – Edit DNS configuration
Dnslint – Diagnose common DNS issues. Can perform Whois queries against INTERNIC

Steps for Troubleshooting DNS

Launch nslookup from the DNS console

1. Start | Administrative Tools | DNS
2. Right click on the DNS server.
3. Click Launch nslookup

Launch Nslookup from the command prompt

1. Start | Run | cmd
2. Type: nslookup
3. This starts interactive mode, which means you can run more than one query against the DNS server in a single nslookup session.
4. Look at the MX records for a domain. Type: set query=mx and press Enter. Type the domain name. You will see the mail records for the domain.
5. Look up the A (host) records in the domain. Type: set query=a and press Enter. Type the machine name. You will see the fully qualified name and IP address associated with that machine.
6. Exit nslookup. Type: exit.
7. Quit the command prompt. Type: exit again.


Dnslint utility (not included with Windows Server 2008)

DNSlint can be downloaded from Microsoft.
Troubleshooting DNS Servers

You can configure a DNS client with Windows Server 2008 R2 or Windows 7 to locate the nearest domain controller instead of searching randomly. Configure the Try Next Closest Site Group Policy setting. This is useful for improving network performance for networks with multiple domain controllers and branch offices.
Download dnslint, open the command prompt and change to the drive and folder where the utility is located. Below is an example of how to run dnslint:
1. Start | Run | cmd
2. Type: cd <folder> to change to the drive and folder where the dnslint utility is stored
3. Type: dnslint
4. The available switches are listed.
5. Type: dnslint /ad /s localhost /v (tests Active Directory records, keeps the query from going to the internet and gives you verbose output in an HTML file). Use the /ad option to request Active Directory tests. Use the /ad switch with the /s option, where /s specifies the IP address of a DNS server that is authoritative for the _msdcs zone in the AD forest root. Use /ad with /s localhost to determine whether the local system can resolve the records found in the AD tests. Use /v to request verbose output.
6. Close the command prompt

Dnscmd utility

  • Start | Run | cmd
  • Type: dnscmd /zoneinfo <zone name>
  • Press Enter

Stop DNS

  • Start | Run
  • Type: sc stop dns
  • Press Enter

Start DNS

  • Start | Run
  • Type: sc start dns
  • Press Enter

Verify SOA records by using Nslookup

  • Start | Run
  • Type: Nslookup.exe
  • Press Enter
  • Type: set querytype=SOA
  • Press Enter
  • Type: domain name

Use DNSLint to verify name server records

  • Access the D drive (where DNSLint is stored in this example):
  • Start | Run | cmd
  • Press Enter
  • Type: cd <folder> (change to the directory and folder where you downloaded DNSLint from Microsoft, earlier)
  • Press Enter
  • Type: dnslint
  • Press Enter
  • You will see the command-line help for dnslint.
  • Type: dnslint /s <ip address> /d <domain name>
      • The /s option specifies the IP address of a DNS server
      • The /d option specifies the domain name to test. Useful to troubleshoot lame delegation issues
      • Insert the IP address and domain name being tested
  • Press Enter

Select Manage computer

  • Start | right-click Computer | Manage
  • The above will take you to Server Manager
  • Expand Diagnostics
  • Expand Reliability and Performance
  • Expand Monitoring Tools
  • Click Performance Monitor
  • In the center pane, click the "+" icon (this is the icon to Add Counters)
  • In the Available counters list, double-click DNS
  • Select Total Query Received and click Add
  • Select Total Query Received/sec and click Add
  • Click OK.
  • Open DNS by going to Start | Administrative Tools | DNS
  • In the left pane, right-click the DNS server, and click Properties
  • On the Monitoring tab, check A simple query against this DNS server
  • Check A recursive query to other DNS servers
  • Click Test Now several times
  • Close DNS Manager
  • In the Server Manager console, the graph shows the queries on the server. Press Ctrl+G, and then Ctrl+G again, in Server Manager to switch to a report view of the total number of queries the server has received.
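The Monitoring tab tests and the two counters above can be driven from PowerShell as well. This is an added example, not code from the original post: it approximates the "simple" test with a non-recursive query for a name in one of the server's own zones, runs the "recursive" test against an external name, and reads Total Query Received and Total Query Received/sec before and after. It assumes Resolve-DnsName and Get-Counter (Windows 8 / Server 2012 or later), rights to read performance counters on the DNS server, and placeholder host names.

```powershell
# Added example (not from the original post): run the "simple" and "recursive" checks and
# read the DNS query counters around them. Assumes Resolve-DnsName and Get-Counter.
param(
    [string]$Server     = 'svr-1',                     # DNS server name used in the post
    [string]$LocalName  = 'client-a.example.internal', # placeholder: a host in one of the server's own zones
    [string]$RemoteName = 'www.microsoft.com'          # a name the server can only answer by recursing
)

function Test-DnsQuery {
    param([string]$Name, [string]$Server, [switch]$Recursive)
    $kind = if ($Recursive) { 'Recursive' } else { 'Simple' }
    try {
        # Simple: -NoRecursion makes the server answer only from its own zones or cache.
        # Recursive: -DnsOnly keeps the client from falling back to LLMNR/NetBIOS if DNS fails,
        # so a FAIL really means the server could not recurse.
        $answer = if ($Recursive) {
            Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        } else {
            Resolve-DnsName -Name $Name -Type A -Server $Server -NoRecursion -ErrorAction Stop
        }
        $ip = ($answer | Where-Object Type -eq 'A' | Select-Object -First 1).IP4Address
        [pscustomobject]@{ Test = $kind; Name = $Name; Result = 'PASS'; Detail = $ip }
    } catch {
        [pscustomobject]@{ Test = $kind; Name = $Name; Result = 'FAIL'; Detail = $_.Exception.Message }
    }
}

function Get-DnsQueryCounters {
    param([string]$Server)
    # The same two counters added in Performance Monitor above.
    $paths = '\DNS\Total Query Received', '\DNS\Total Query Received/sec'
    (Get-Counter -ComputerName $Server -Counter $paths).CounterSamples |
        Select-Object @{ Name = 'Counter'; Expression = { ($_.Path -split '\\')[-1] } }, CookedValue
}

$before  = Get-DnsQueryCounters -Server $Server
$results = @(
    Test-DnsQuery -Name $LocalName  -Server $Server
    Test-DnsQuery -Name $RemoteName -Server $Server -Recursive
)
$after   = Get-DnsQueryCounters -Server $Server

$results | Format-Table -AutoSize
'Total Query Received before: {0}  after: {1}' -f $before[0].CookedValue, $after[0].CookedValue
```

A PASS on the simple test with a FAIL on the recursive test points at forwarders, root hints or outbound connectivity rather than at the DNS service itself, which is the same distinction the Monitoring tab makes.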

Verify DNS replication

  • Start | Administrative Tools | DNS
  • In the left pane, expand the server.
  • Expand Forward Lookup Zones.
  • Right-click the domain
  • Click New host (A or AAAA)
  • Type: test in the Name text box in the New Host dialog box
  • Type: the IP address, and click Add Host
  • Accept Message by clicking OK
  • In the New Host box, click Done
  • Switch to the secondary DNS server to verify replication.
  • Start | Administrative Tools | DNS
  • In the left pane, expand the server.
  • Expand Forward Lookup Zones.
  • Click the secondary zone for the domain.
  • Verify that the new test record has been replicated.
  • If the record does not appear, right-click the domain and click Refresh.
  • If the record still does not appear, right-click the domain, click Transfer from Master, and then click Refresh again.
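The same check can be scripted by comparing the zone's SOA serial on the primary and the secondary, which is the data "set querytype=SOA" shows in nslookup (see Verify SOA records above). The script below is an added example, not part of the original post: if the secondary's serial is behind, it requests a zone transfer with dnscmd /ZoneRefresh, the command-line equivalent of Transfer from Master, and then looks for the "test" host on the secondary. It assumes Resolve-DnsName (Windows 8 / Server 2012 or later) and that dnscmd is on the path; the zone name and the secondary server name are placeholders.

```powershell
# Added example (not from the original post): compare SOA serials on primary and secondary,
# force a transfer if the secondary is behind, then confirm the "test" record arrived.
param(
    [string]$Zone      = 'example.internal',  # placeholder zone name
    [string]$Primary   = 'svr-1',             # DNS server name used in the post
    [string]$Secondary = 'svr-2'              # placeholder secondary server name
)

function Get-ZoneSerial {
    param([string]$Zone, [string]$Server)
    # -NoRecursion: the server must answer from its own copy of the zone, not from cache or a forwarder.
    $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Server -NoRecursion -ErrorAction Stop |
        Where-Object Type -eq 'SOA' | Select-Object -First 1
    [pscustomobject]@{
        Server        = $Server
        Serial        = [uint32]$soa.SerialNumber
        PrimaryServer = $soa.PrimaryServer
        Refresh       = $soa.TimeToZoneRefresh
    }
}

$p = Get-ZoneSerial -Zone $Zone -Server $Primary
$s = Get-ZoneSerial -Zone $Zone -Server $Secondary
$p, $s | Format-Table -AutoSize

if ($s.Serial -lt $p.Serial) {
    Write-Warning ('Secondary serial {0} is behind primary serial {1}; requesting a zone transfer.' -f $s.Serial, $p.Serial)
    # Same action as right-click zone > Transfer from Master in DNS Manager.
    & dnscmd $Secondary /ZoneRefresh $Zone
} elseif ($s.Serial -gt $p.Serial) {
    Write-Warning 'Secondary serial is ahead of the primary; check which server the secondary uses as its master.'
} else {
    'Serials match: the secondary holds the current copy of the zone.'
}

# Confirm the "test" host added in the steps above is visible on the secondary.
Resolve-DnsName -Name "test.$Zone" -Type A -Server $Secondary -NoRecursion -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'A' | Select-Object Name, IP4Address, TTL
```

If the serials match but the record is still missing on the secondary, the primary has not incremented its serial for the new record, so the secondary has no reason to transfer; check the record on the primary first.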
