Troubleshooting DNS problems in Windows Server 2003

DNS is a vital service in a Windows Server 2003 environment. If DNS isn't working properly, chances are, neither is your network. Here are some things you can do to troubleshoot DNS.

Windows Server 2003’s DNS service is integral to the proper functioning of Active Directory and the proper functioning of the network. Even though it’s a well known and well understood service, Windows Server 2003’s DNS implementation can still create headaches for the administrator that needs to maintain it. Here are some problems that you might encounter with the Windows 2003 DNS service and the steps that you need to take to correct them.

Firewalls and EDNS
New in Windows Server 2003 is support for Extension Mechanisms for DNS (EDNS) as defined in RFC 2671. These extensions allow for the transfer of DNS packets in excess of 512 bytes, which was the restriction imposed by RFC 1035. When Windows Server 2003 contacts a remote DNS server, this capability is negotiated and enabled if both ends support it, resulting in DNS record sets of a size greater than 512 bytes.

Unfortunately, some firewalls have trouble with this enhancement as they are configured to drop DNS packets in excess of 512 bytes. As you can imagine, this will result in significant problems with DNS servers on opposite sides of the firewall!

EDNS can be turned off in Windows Server 2003. Disabling EDNS results in your server never advertising that it has the capability to handle DNS packets in excess of 512 bytes. It will drop back to using the RFC 1035 defined limits.

To disable this capability, type dnscmd /Config /EnableEDnsProbes 0 at the command prompt. Dnscmd.exe is a part of the Windows Server 2003 Support Tools. These tools are located in the Support Tools folder on the Windows Server 2003 CD and can be installed by running the suptools.msi installation program located there. You should restart the DNS service after you make this change.

Hosting internal sites
A common problem faced by many organizations is the need to host sites behind the firewall or in the DMZ that are also behind NAT IP addresses. Web interfaces to e-mail servers are an instance of this need. As an example, consider an Outlook Web Access front end sitting behind a company’s firewall. Assume that the Web Access server is assigned as an IP address, which is NAT-resolved to a “real” IP address so that it’s accessible from the outside of the network. The local machines need to address the machine using the private IP address while external clients need to use the real IP address.

Windows 2003 can be used to service the needs of the local clients and can be configured to forward external requests to your ISP’s DNS servers. In this example, your internal clients will resolve internal addresses using the local DNS servers. In turn, this server will use your ISP’s DNS servers for requests that it can’t handle. External clients will use your ISP’s DNS servers to get the real IP address of the Web server.

To configure forwarding on your Windows Server 2003 DNS server, start the DNS manager at Start | Administrative Tools | DNS. Right-click the name of your DNS server and select Properties from the shortcut menu. On the Forwarders tab, add the IP addresses for your ISP’s DNS servers or the addresses to which this DNS server should resolve requests. Figure A below shows a sample of this window.

Figure A
DNS forwarders are configured to handle requests that this server can’t.

The case of the missing SRV records
If you implement DNS on a Windows 2003 system and the server is using DHCP to get its address, DNS is configured without dynamic updates being enabled, and your DNS zone name is different than your Active Directory domain name, you may run into a problem. When you run the DNS manager again, you'll notice that the service resource records (SRV records) for the domain are missing. These records are critical to the proper functioning of Active Directory as a pointer to the location of directory services.

To correct the problem, make sure that the zone name has the same name as the Active Directory domain and that it is configured to allow dynamic updates. Also make sure that the server has a static IP address. To make sure that the domain allows dynamic updates, start the DNS manager and right-click the zone name you want to verify. From the shortcut menu, select Properties. On the General tab’s Dynamic Updates selection, make sure that either Nonsecure And Secure or Secure Only is selected, as shown in Figure B.

Figure B
Select Nonsecure And Secure or Secure Only to allow dynamic updates.

Restart DNS services to make the changes take effect. If this doesn’t work, stop and restart the netlogon service to force the records to be reregistered.

Incorrect name resolution is taking place
Incorrect name resolution can wreck your whole day as it can be a bear to track down. When it happens, you can’t get to where you need to go, services break, and your users are generally not pleased.

With Windows Server 2003’s DNS service, there are some common causes of this problem. The first thing to check is that a mistake wasn’t made in a manual entry for a DNS record. It’s easy to transpose the numbers in an IP address! This information can be verified by performing an nslookup on the name in question and verifying the address, or by checking it using the DNS manager.

Second, there could be a stale entry in the DNS server cache that is causing your problem. The DNS server cache can be cleared in a couple of ways: (1) using the DNS console or (2) using the command line. To clear the DNS server cache using the DNS server console, open up the DNS manager and right-click the DNS server. From the shortcut menu, select Clear Cache, as shown in Figure C.

Figure C
Clearing the DNS server cache from the GUI

Alternatively, you can use the command line to perform the same action. To do this, type dnscmd ServerName /clearcache at the command line replacing ‘ServerName’ with the name of the server whose DNS cache you need to clear.

Is the problem limited to resources outside your network?
If you’re having problems resolving resources outside your network, make sure that the DNS forwarders on the local DNS server are properly configured, as discussed earlier in this article.

DNS server is not responding
Probably the easiest type of problem to diagnose is a situation in which the DNS server isn’t responding to clients at all. A consistent problem is always easier to solve than an intermittent problem or a problem where the cause is difficult to determine.

The most obvious potential problem lies with the DNS server service itself. Make sure it’s running! If it’s not running, it’s going to have a really hard time serving clients!

Second, make sure that the DNS server service is bound to an IP address on which the client’s request can be answered. If you’ve configured your DNS server to only listen on an interface that is different from the interface that your clients use, they will be unable to use the service.

This parameter is configured by right-clicking the name of your server in the DNS manager and selecting the Properties option. On the Interfaces tab, you can either select All IP Addresses or specify exactly which addresses the server should listen on as shown in Figure D. Verify that the server is listening on the right address.

Figure D
The DNS server listening interface configuration

That's it!
Windows Server 2003’s DNS service is robust and easy to administer but there may come a day when you’ll run into a problem with it. These few tips will get you started on your troubleshooting endeavor and will hopefully cut down the time it takes to resolve a problem!

Editor's Picks

Free Newsletters, In your Inbox