- Introduction
- Introduction to DNS
- Planning a DNS Namespace Design
- Planning DNS Zone Requirements
- Planning DNS Forwarding Requirements
- Configuring DNS Security
- Integrating with Third-Party DNS Solutions
- Introduction to WINS
- Implementing WINS Replication
- Implementing NetBIOS Name Resolution
- Troubleshooting Name Resolution Problems
- Chapter Summary
- Apply Your Knowledge
This chapter is from the book
This chapter is from the book
This chapter is from the book
Troubleshooting Name Resolution Problems
Troubleshoot host name resolution.
- Diagnose and resolve issues related to DNS services.
- Diagnose and resolve issues related to client computer configuration.
Troubleshooting name resolution is a sometimes tricky art that you may well need to master. Fortunately, Windows Server 2003 provides a wealth of tools that you can use to quickly determine and correct the cause of the problems at hand. You have five basic tools at your disposal when it comes to troubleshooting name resolution issues:
ipconfig
ping
nbtstat
tracert
pathping
nslookup
We will briefly examine the use of each of these tools in the following sections.
ipconfig
The first, and easiest, step in troubleshooting any TCP/IP–related network problem is to gather information about the computer on which the problem is occurring or has been reported. The ipconfig command makes this process easy. To get a complete report of the computer's IP configuration properties, enter the ipconfig/all command at the command line. A typical output might look something like that shown here:
c:\>ipconfig/all
Windows IP Configuration
Host Name . . . . . . . . . . . . : a51svr3142
Primary Dns Suffix . . . . . . . : lab1.area51partners.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : lab1.area51partners.com
area51partners.com
Ethernet adapter Cluster:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Linksys LNE100TX
Physical Address. . . . . . . . . : 02-BF-0A-00-00-01
Ethernet adapter Administration:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139
Physical Address. . . . . . . . . : 00-E0-7D-C1-3E-70
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.123
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.240
192.168.0.100
Primary WINS Server . . . . . . . : 192.168.0.240
Secondary WINS Server . . . . . . : 192.168.0.241
You can learn several key pieces of information about your computer's network connections just from examining the output of the ipconfig/all command. First, the top of the output tells you the hostname and domain that the computer belongs to as well as the DNS suffixes that have been configured for the computer. Note that additional connection-specific DNS suffixes are listed later in the detail. Moving down to the first network connection, Cluster, notice that its status is shown as Media disconnected, which means that either the network cable is disconnected at one or both ends or that the device the cable is attached to (a switch or hub) is not powered on. This might be your first sign of a problem.
The second network connection, Administration, shows the full gamut of information that can be gleaned from the ipconfig/all command, including whether DHCP is enabled for the adapter, the IP address assigned, the default gateway (always a prime concern when problems arise with computers on different subnets), and other critical information including the IP addresses for the DNS servers in use by the network connection. All this information can be used to identify where the problem lies by determining simply "what doesn't look right." Usually, the problem jumps right out at you after you start to look around for it.
You also can use the ipconfig command to display and purge the contents of the local DNS resolver cache, as shown in the following output:
c:\>ipconfig/displaydns Windows IP Configuration 1.0.0.127.in-addr.arpa ---------------------------------------- Record Name . . . . . : 1.0.0.127.in-addr.arpa. Record Type . . . . . : 12 Time To Live . . . . : 276808 Data Length . . . . . : 4 Section . . . . . . . : Answer PTR Record . . . . . : localhost a51svr3042.lab1.area51partners.com ---------------------------------------- Record Name . . . . . : A51SVR3042.lab1.area51partners.com Record Type . . . . . : 1 Time To Live . . . . : 2721 Data Length . . . . . : 4 Section . . . . . . . : Answer A (Host) Record . . . : 192.168.0.240 Record Name . . . . . : A51SVR3042.lab1.area51partners.com Record Type . . . . . : 1 Time To Live . . . . : 2721 Data Length . . . . . : 4 Section . . . . . . . : Answer A (Host) Record . . . : 10.0.0.10 Record Name . . . . . : A51SVR3042.lab1.area51partners.com Record Type . . . . . : 1 Time To Live . . . . : 2721 Data Length . . . . . : 4 Section . . . . . . . : Answer A (Host) Record . . . : 10.0.0.1 c:\>ipconfig/flushdns Windows IP Configuration Successfully flushed the DNS Resolver Cache. c:\>ipconfig/displaydns Windows IP Configuration 1.0.0.127.in-addr.arpa ---------------------------------------- Record Name . . . . . : 1.0.0.127.in-addr.arpa. Record Type . . . . . : 12 Time To Live . . . . : 276751 Data Length . . . . . : 4 Section . . . . . . . : Answer PTR Record . . . . . : localhost localhost ---------------------------------------- Record Name . . . . . : localhost Record Type . . . . . : 1 Time To Live . . . . : 276751 Data Length . . . . . : 4 Section . . . . . . . : Answer A (Host) Record . . . : 127.0.0.1
This command can be helpful in situations in which the local DNS cache is corrupt or contains invalid information. This cache will rebuild itself over time as the computer queries DNS servers.
ping
The ping command is practically as old as TCP/IP networking itself. You can use the ping command to test basic network connectivity between two computers, over local and remote networks. The basic syntax of the ping command looks something like ping computerIP or ping HostName. This command causes Windows to send four special Internet Control Message Protocol (ICMP) packets to the remote computer that are then returned to the local computer. You can instruct Windows to send a continuous stream of ping packets by using the ping -t command. Using the ping -a command specifies that name resolution is to be performed during the ping process.
NOTE
The story of ping If you want to see the history of the ping command and learn some other interesting ping-related trivia, be sure to visit the page of the late Mike Muuss, creator of the ping application. You can find it located at http://ftp.arl.mil/~mike/ping.html.
You can see the standard output of the ping command here without the use of any modifying switches:
C:\>ping mcseworld.com Pinging mcseworld.com [207.44.182.13] with 32 bytes of data: Reply from 207.44.182.13: bytes=32 time=57ms TTL=46 Reply from 207.44.182.13: bytes=32 time=53ms TTL=46 Reply from 207.44.182.13: bytes=32 time=52ms TTL=46 Reply from 207.44.182.13: bytes=32 time=51ms TTL=46 Ping statistics for 207.44.182.13: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 51ms, Maximum = 57ms, Average = 53ms
Note, however, that some remote firewalls and routers have been configured to block ICMP packets (once commonly used to stage Denial of Service attacks), and you might see output like this:
C:\>ping microsoft.com Pinging microsoft.com [207.46.245.222] with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 207.46.245.222: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
You can also test the TCP/IP stack on the local network adapter by using the ping loopback or ping 127.0.0.1 command, as shown here:
C:\>ping loopback Pinging a51svr3142.lab1.area51partners.com [127.0.0.1] with 32bytes of data: Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 Ping statistics for 127.0.0.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms
If pinging the loopback address works, but you cannot successfully ping an outside address, you might try pinging the default gateway for the specific computer. How do you know what the default gateway is? Look back at the output of the ipconfig/all command to gather this information. Pinging the default gateway's IP address lets you know if any problems you are having are being caused by the default gateway itself. Of course, the ipconfig/all command shows only the private IP address of the default gateway; you also need to know and ping the public IP address of publicly addressable gateways, such as border routers and firewalls.
nbtstat
If your problem seems to be WINS and NetBT specific, you might consider using the nbtstat command to gather information and troubleshoot the problem at hand. nbtstat can be used to display the local NetBIOS table on the computer, display the content of the local NetBIOS cache on the computer, or even purge the local NetBIOS cache.
You can use several different switches with nbtstat to determine how it returns information to you. Using the nbtstat -n command returns the local NetBIOS name table, as shown here:
C:\>nbtstat -n
Cluster:
Node IpAddress: [0.0.0.0] Scope Id: []
No names in cache
Administration:
Node IpAddress: [192.168.0.123] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
A51SVR3142 <00> UNIQUE Registered
LAB1 <00> GROUP Registered
A51SVR3142 <20> UNIQUE Registered
LAB1 <1E> GROUP Registered
If you need to list the contents of the NetBIOS name cache, use the nbtstat -c command to produce the following output:
C:\>nbtstat -c
Cluster:
Node IpAddress: [0.0.0.0] Scope Id: []
No names in cache
Administration:
Node IpAddress: [192.168.0.123] Scope Id: []
NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
------------------------------------------------------------
A51SVR3042.LAB1<2E> UNIQUE 192.168.0.240 525
A51SVR3042 <20> UNIQUE 192.168.0.240 97
W2KSVR001 <00> UNIQUE 192.168.0.101 537
To examine the NetBIOS name table of a remote computer, use the nbtstat -a RemoteComputerName command to produce the following output:
C:\>nbtstat -a a51svr3042
Cluster:
Node IpAddress: [0.0.0.0] Scope Id: []
Host not found.
Administration:
Node IpAddress: [192.168.0.123] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
A51SVR3042 <00> UNIQUE Registered
LAB1 <00> GROUP Registered
LAB1 <1C> GROUP Registered
A51SVR3042 <20> UNIQUE Registered
LAB1 <1B> UNIQUE Registered
LAB1 <1E> GROUP Registered
LAB1 <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MAC Address = 00-E0-7D-C1-3E-0E
To display a listing of client and server connections, use the nbtstat -s command to produce the following output:
C:\>nbtstat -s
Cluster:
Node IpAddress: [0.0.0.0] Scope Id: []
No Connections
Administration:
Node IpAddress: [192.168.0.123] Scope Id: []
NetBIOS Connection Table
Local Name State In/Out Remote Host Input Output
--------------------------------------------------------------------
A51SVR3142 <00> Connected Out W2KSVR001 <20> 97MB 92MB
You can also clear the contents of the cache and reload it from the LMHOSTS file by using the nbtstat -R command. You must use an uppercase R in this command. To release and subsequently refresh name records on a WINS server, issue the nbtstat -RR command.
tracert
tracert is another of the old standby tools that network administrations have grown to love over time. tracert routes tracing from the source to the destination, showing all intermediate hops (routers) that are used to forward and deliver the packets to their destination. As well, tracert calculates how long each hop takes. The basic use of tracert yields output like the following:
C:\>tracert mcseworld.com Tracing route to mcseworld.com [207.44.182.13] over a maximum of 30 hops: 1 16 ms 13 ms 22 ms ip68-0-16-1.hr.hr.cox.net [68.0.16.1] 2 74 ms 47 ms 19 ms 68.10.8.41 3 19 ms 14 ms 16 ms nrfksysr02-atm151103.hr.hr.cox.net
pathping
The pathping command is a new tool first introduced in Windows 2000 that combines the capabilities of ping and tracert into one tool. pathping is used to gather information about network latency and network loss at the intermediate hops between the source and destination. It accomplishes this by sending multiple ICMP messages to each router between the source and destination over a period of time and then computing results based on the packets returned from each router. pathping can thus be used to quickly determine the operational status of each router or subnet the packets must cross. A pathping output is presented here:
C:\>pathping mcseworld.com
Tracing route to mcseworld.com [207.44.182.13]
over a maximum of 30 hops:
0 a51svr3142.lab1.area51partners.com [192.168.0.123]
1 ip68-0-16-1.hr.hr.cox.net [68.0.16.1]
2 ip68-0-16-1.hr.hr.cox.net [68.0.16.1]
3 nrfksysr02-atm151103.hr.hr.cox.net [68.10.8.53]
4 nrfkdsrc02-gew0304.rd.hr.cox.net [68.10.14.17]
5 nrfkbbrc02-pos0101.rd.hr.cox.net [68.1.0.26]
6 nrfkdsrc02-gew03010999.rd.hr.cox.net [68.1.0.31]
7 ashbbbpc01pos0100.r2.as.cox.net [68.1.1.19]
8 68.105.30.70
9 hrndva1wcx2-pos0-0.wcg.net [64.200.89.1]
10 drvlga1wcx2-pos4-0.wcg.net [64.200.232.125]
11 drvlga1wcx1-oc48.wcg.net [64.200.127.49]
12 dllstx1wcx3-oc48.wcg.net [64.200.240.21]
13 dllstx1wcx2-pos10-0.wcg.net [64.200.110.133]
14 hstntx1wce2-pos4-0.wcg.net [64.200.240.74]
15 hstntx1wce2-everyonesinternet-gige.wcg.net [65.77.93.54]
16 39.ev1.net [207.218.245.39]
17 host6.wfdns.com [207.44.182.13]
Computing statistics for 425 seconds...
Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 a51svr3142.lab1.
area51partners.com [192.168.0.123]
0/ 100 = 0% |
1 22ms 0/ 100 = 0% 0/ 100 = 0% ip68-0-16-1.hr.hr.
cox.net [68.0.16.1]
0/ 100 = 0% |
2 22ms 0/ 100 = 0% 0/ 100 = 0% ip68-0-16-1.hr.hr.
cox.net [68.0.16.1]
0/ 100 = 0% |
3 17ms 18/ 100 = 18% 18/ 100 = 18% nrfksysr02-
atm151103.hr.hr.cox.net [68.10.8.53]
0/ 100 = 0% |
4 20ms 0/ 100 = 0% 0/ 100 = 0% nrfkdsrc02-
gew0304.rd.hr.cox.net [68.10.14.17]
0/ 100 = 0% |
5 17ms 1/ 100 = 1% 1/ 100 = 1% nrfkbbrc02-
pos0101.rd.hr.cox.net [68.1.0.26]
0/ 100 = 0% |
6 23ms 2/ 100 = 2% 2/ 100 = 2% nrfkdsrc02-
gew03010999.rd.hr.cox.net [68.1.0.31]
0/ 100 = 0% |
7 26ms 1/ 100 = 1% 1/ 100 = 1%
ashbbbpc01pos0100.r2.as.cox.net [68.1.1.19]
0/ 100 = 0% |
8 24ms 0/ 100 = 0% 0/ 100 = 0% 68.105.30.70
0/ 100 = 0% |
9 23ms 0/ 100 = 0% 0/ 100 = 0% hrndva1wcx2-pos0-0.wcg.net
[64.200.89.1]
0/ 100 = 0% |
10 35ms 0/ 100 = 0% 0/ 100 = 0% drvlga1wcx2-pos4-0.wcg.net
[64.200.232.125]
0/ 100 = 0% |
11 35ms 1/ 100 = 1% 1/ 100 = 1% drvlga1wcx1-oc48.wcg.net
[64.200.127.49]
0/ 100 = 0% |
12 53ms 1/ 100 = 1% 1/ 100 = 1% dllstx1wcx3-oc48.wcg.net
[64.200.240.21]
0/ 100 = 0% |
13 52ms 2/ 100 = 2% 2/ 100 = 2% dllstx1wcx2-pos10-0.wcg.net
[64.200.110.133]
0/ 100 = 0% |
14 58ms 0/ 100 = 0% 0/ 100 = 0% hstntx1wce2-pos4-0.wcg.net
[64.200.240.74]
0/ 100 = 0% |
15 59ms 0/ 100 = 0% 0/ 100 = 0% hstntx1wce2-
everyonesinternet-gige.wcg.net [65.77.93.54]
0/ 100 = 0% |
16 58ms 1/ 100 = 1% 1/ 100 = 1% 39.ev1.net [207.218.245.39]
0/ 100 = 0% |
17 59ms 0/ 100 = 0% 0/ 100 = 0% mcseworld.com
[207.44.182.13]
Trace complete.
As you can see from this pathping output, the network connectivity between source and destination is overall very good. The only (small) problem appears to be that the router located at 68.10.8.53 is dropping about 18% of the packets sent to it; this, however, does not appear to be adversely affecting the transmission as a whole.
nslookup
The nslookup command can be used to look up and display information for troubleshooting DNS issues. nslookup, however, is not a simple tool that you can jump right into with a fair amount of DNS knowledge. Unlike other troubleshooting tools, nslookup has an interactive and noninteractive usage mode—much the same as the netsh command.
When looking up a single item, you would be best off using the noninteractive mode by issuing a command similar to the following:
nslookup mcseworld.com 192.168.0.100
In this example, the first parameter specifies the DNS name or IP address of the computer you want to look up, and the second parameter specifies the DNS name or IP address of the DNS server you want to use. If you do not specify a DNS server, the default DNS server for the requesting computer will be used. This sample nslookup query might return a result such as this:
U:\>nslookup mcseworld.com 192.168.0.100 Server: w2ksvr001.dontpanic.local Address: 192.168.0.100 Non-authoritative answer: Name: mcseworld.com Address: 207.44.182.13
If you need to look up multiple pieces of information or more complex information, such as information about specific resource records contained in a zone, you need to use nslookup in interactive mode. You can see how interactive mode can be used to gain more advanced information, such as the list of all name servers (NS resource record) and mail exchangers (MX resource record) for the microsoft.com zone.
U:\>nslookup Default Server: w2ksvr001.dontpanic.local Address: 192.168.0.100 > server ns2.hr.cox.net Default Server: ns2.hr.cox.net Address: 68.10.16.25 > set type=ns > microsoft.com Server: ns2.hr.cox.net Address: 68.10.16.25 Non-authoritative answer: microsoft.com nameserver = dns1.tk.msft.net microsoft.com nameserver = dns3.uk.msft.net microsoft.com nameserver = dns1.cp.msft.net microsoft.com nameserver = dns1.sj.msft.net dns1.cp.msft.net internet address = 207.46.138.20 dns1.sj.msft.net internet address = 65.54.248.222 dns1.tk.msft.net internet address = 207.46.245.230 dns3.uk.msft.net internet address = 213.199.144.151 > set type=mx > microsoft.com Server: ns2.hr.cox.net Address: 68.10.16.25 : microsoft.com MX preference = 10, mail exchanger = mailb.microsoft.com microsoft.com MX preference = 10, mail exchanger = mailc.microsoft.com microsoft.com MX preference = 10, mail exchanger = maila.microsoft.com microsoft.com nameserver = dns1.cp.msft.net microsoft.com nameserver = dns1.sj.msft.net microsoft.com nameserver = dns1.tk.msft.net microsoft.com nameserver = dns3.uk.msft.net maila.microsoft.com internet address = 131.107.3.124 maila.microsoft.com internet address = 131.107.3.125 mailb.microsoft.com internet address = 131.107.3.123 mailb.microsoft.com internet address = 131.107.3.122 mailc.microsoft.com internet address = 131.107.3.121 mailc.microsoft.com internet address = 131.107.3.126 dns1.cp.msft.net internet address = 207.46.138.20 dns1.sj.msft.net internet address = 65.54.248.222 dns1.tk.msft.net internet address = 207.46.245.230 dns3.uk.msft.net internet address = 213.199.144.151 >
The Non-authoritative answer label indicates that this information was retrieved from the selected DNS server's local cache and was not directly queried as a result of the nslookup query.
You can exit interactive mode at any time by typing exit.
The nslookup command has an extremely large feature set, too large to do justice to it here in this space. You can get more information on the full use and functionality of nslookup at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/nslookup.asp.
Case Study
Essence of the Case
Following are the essential elements in this case:
You will need to plan a new DNS namespace that meets the requirements outlined by the CEO and CIO.
You will need to use a delegated namespace to provide the required results.
Secure dynamic updates in an Active Directory–integrated zone will be required to provide the DNS data protection required while still allowing clients to update their IP address information in DNS.
Conditional forwarding will be configured to forward all name resolution requests for the ricksrockets.com domain to the external DNS servers provided by the ISP.
Scenario
Rick's Rockets is a leading manufacturer of toy rocket kits. Rick's currently owns the ricksrockets.com domain name and uses its ISP to host its Web, FTP, and email services through that domain name. Rick's current internal network is extremely decentralized and disorganized and is actually still functioning as a Windows 2000 workgroup. All workstations are Windows 2000 Professional, and all servers are Windows 2000 Advanced Server.
You have been hired by Rick, the CEO of Rick's Rockets, to plan and implement a completely new network infrastructure to include an internal DNS namespace to support the rollout of Windows Server 2003 and Active Directory. Rick's Rockets will not be purchasing any additional publicly accessible domain names. Rick's will be upgrading its Windows 2000 Advanced Server licenses to Windows Server 2003 Enterprise Edition licenses to support the new network plan.
Roger, the CIO of Rick's Rockets, has informed you that he wants the new internal DNS namespace to be easy for users to remember but to provide complete isolation from the external DNS namespace. Internal clients should be allowed to resolve IP addresses for external resources, but external clients should not be able to resolve IP addresses for internal resources. All clients should automatically update their IP addresses in DNS, and DNS should accept updates only from authorized clients to increase security of the internal DNS servers. The internal DNS servers should not be able to resolve external IP addresses directly but should provide forwarding to the external DNS servers maintained by Rick's ISP.
Analysis
You propose to create a delegated namespace, such as corp.ricksrockets.com for the internal network. It will provide an easy-to-remember namespace for users while still isolating the internal network from the external network.
If you create Active Directory–integrated zones using secure dynamic updates, all Windows 2000 workstation clients will be able to automatically update their DNS information after receiving a DHCP lease. Secure dynamic updates also prevent unauthorized clients from polluting the DNS data with bad information.
By configuring conditional forwarding for the ricksrockets.com zone, you can ensure that all name resolution requests are performed as quickly as possible for your clients without having to host the zone on your internal DNS servers.