DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Do I Need WINS? Direct Hosted SMB (DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm



Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer


Compiled 7/22/08, Published 11/29/09
Recompiled 1/31/09 & 11/3/2010
Updated to reflect changes in Windows 7 & 2008 R2 devolution changes. 1/15/2012
Fixed “Back to Top” link so it works 1/15/2012
Added “Troubleshooting the Browser Service” 2/7/2012
Algorithm corrected to reflect 2008/Vista and newer operating systems 7/31/2012


Note: I may be updating this as time goes by, due to the amount of info in this blog and possibly missing something, as well as possibly updating retired Microsoft links, and adding newer links and changes to the operating system.


 


 Topics Covered:


  1. DNS & WINS Resolution Process
  2. Browser service without WINS across subnets
  3. Do I need WINS?
  4. Disabling the Browser service, NetBIOS
  5. DNS Client side Resolver service Query Process
  6. DNS Forwarder Resolution and Time Out Process
  7. If one DC or DNS is down, why can’t I logon to the other DC or not use the second DNS address to find another DC?
  8. What happens with Exchange and Outlook when DNS goes down?
  9. Client side DNS Devolution on Windows 7 and Windows 2008 R2 has Changed
  10. How does resolution work in a multi-domain forest (with child domains)?
  11. Troubleshooting the Browser Service
  12. Related Links





==================================================================
1. DNS & WINS Resolution Process


Keep in mind that Windows 2000 and newer machines use the DNS (hostname) resolution process FIRST, and fall back to the NetBIOS resolution process only if DNS does not resolve the name. Legacy pre-Windows 2000 clients (Windows NT, Windows 98, Windows 95, Windows 3.1, DOS, etc.) do it the other way around: if the queried name is 15 characters or shorter (the NetBIOS name limit), they try the NetBIOS process FIRST and use hostname (DNS) resolution only if NetBIOS fails; if the name is longer than 15 characters, they go straight to hostname (DNS) resolution.
 
If you are using an NBNS (NetBIOS Name Server, such as WINS), that changes the NetBIOS part of the order a bit, and it also depends on which node type the client is using. H-node is the default once a WINS address is configured (without one the client is a B-node), and the node type can be changed in the registry or handed out by DHCP (option 46). There are four NetBIOS node types:


B-node – Broadcast ONLY
P-node – NBNS (NetBIOS Name Server, e.g. WINS) ONLY
M-node – Mixed NBNS and broadcast, but uses broadcast FIRST
H-node – Mixed NBNS and broadcast, but uses WINS FIRST


Windows 2000 and newer, with WINS configured: hostname (DNS or HOSTS file) resolution is used first, NetBIOS second:


  1. Checks its own name (is the queried name the local computer?).
  2. Local hostname (DNS client side resolver) cache
  3. HOSTS file
  4. DNS (this is where the search suffix comes in play if a single name query)
  5. NetBIOS name cache
  6. WINS
  7. Broadcast
  8. LMHOSTS

Windows 2000 and newer, without WINS:


  1. Checks its own name (is the queried name the local computer?).
  2. Local hostname (DNS client side resolver) cache
  3. HOSTS file
  4. DNS (this is where the search suffix comes in play if a single name query)
  5. NetBIOS name cache
  6. Broadcast
  7. LMHOSTS

Prior to Windows 2000 (NT, 98, ME, 95, DOS, 3.1, etc.), NetBIOS was tried first, as follows (if using WINS):


  1. Is the name longer than 15 characters? If so, perform the hostname (DNS) resolution process. If not, continue…
  2. Checks its own name.
  3. NetBIOS name cache
  4. WINS
  5. Broadcast
  6. LMHOSTS files
  7. Local hostname (DNS client side resolver) cache
  8. HOSTS file
  9. DNS (this is where the search suffix comes in play if a single name query)

 


If NetBIOS over TCP/IP (NBT) is disabled, which only disables the NBT transport and interface (UDP 137/138 and TCP 139), Windows 2000 and newer will still use SMB directly over TCP 445 (DirectSMB, also called Direct Hosted SMB). If both the direct-hosted and NBT interfaces are enabled, both are tried at the same time and the first to respond is used, which allows Windows to work with operating systems that do not support direct hosting of SMB traffic. Disabling NBT also removes the broadcast step from the resolution order above; while NBT is enabled, any host on the local subnet can answer a broadcast query for a name that DNS and WINS could not resolve, so the broadcast step is the one to keep an eye on.


Regarding DirectSMB,


Quoted from Aiden Cao, Microsoft, 2/6/2012 in thread:
TechNet Thread question: “Netbios Session Service and SMB” 2/5/2012
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e03e2d52-0761-451a-91e8-40955172f460/


“Previous to Windows 2000, Microsoft OS could only use SMB over a NetBIOS session. This means that all SMB traffic will start after NetBIOS session is established. It relies on TCP port 139. If we disabled the NetBIOS over TCP/IP, the SMB connectivity was interrupted.


At Windows 2000 and higher version, the OS support both NetBIOS sessions and Direct Hosting. And Direct Hosting of SMB over TCP uses TCP port 445. Since Direct Hosting is not reliant on NetBIOS, NetBIOS over TCP/IP can be disabled and connectivity to resources via SMB is still possible to other machines, with the only caveat with legacy apps that rely on NetBIOS.”


Direct hosting of SMB over TCP/IP
Removing WINS and NetBIOS broadcast as a means of name resolution. DirectSMB uses TCP 445. Direct-hosted SMB cannot be disabled in Windows without disabling additional features.
http://support.microsoft.com/kb/204279


 


More on the client side resolver:


How DNS works, March 28, 2003
Client side process order, etc.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc772774(WS.10).aspx#w2k3tr_dns_how_gaxc


How NetBIOS name resolution really works, By Robert L. Bogue, March 11, 2003
http://www.techrepublic.com/article/how-netbios-name-resolution-really-works/5034239


 


 


DNS Hostname Resolution Flowchart:


The following information was quoted from:
Chapter 7: Host Name Resolution
http://technet.microsoft.com/en-us/library/bb727005.aspx
(Image 1): http://technet.microsoft.com/en-us/library/Bb727005.chp7hn01_big(en-us,TechNet.10).gif


Second two images from this link:
Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx
(Image 2): http://i.technet.microsoft.com/Cc940063.CNBC05(en-us,TechNet.10).gif
(Image 3) http://i.technet.microsoft.com/Cc940063.CNBC05B(en-us,TechNet.10).gif


Image 1: DNS hostname resolution flowchart (not reproduced here; see the Chapter 7 link above).

Images 2 & 3: name resolution flowcharts (not reproduced here; see the Configuring IP Addressing and Name Resolution link above).

NetBIOS Name Resolution Process:


The following two images (NetBIOS name resolution flowcharts, not reproduced here) are quoted from:

Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx


Resolution Process Related Links:


Hostname Resolution – Describes DNS domain name resolution
http://technet.microsoft.com/en-us/library/cc958812.aspx


NetBIOS and Hostname resolution for Microsoft Client and LAN Manager 2.2c Client:
http://support.microsoft.com/kb/169141/EN-US/


Name Resolution Process in detail:
http://www.comptechdoc.org/os/windows/wintcp/wtcpname.html


 


 


(Updated 1/2012 to reflect Windows 7 & Windows 2008 R2 changes)




==================================================================
2. Browser service without WINS across subnets

It appears to say that if all machines are Windows 2000 and newer (nothing older), AD provides NetBIOS resolution for all clients, but it doesn’t say how it goes about doing that. It goes on to say that the backup browsers and master browsers for each segment over a WAN communicate with the PDC, which is the domain master browser, over UDP 138, which means that AD has a role in this, but it is not specific. What appears to be happening is that an AD client uses DirectSMB over 445, but I’m not sure. I cannot find anything on the mechanism. I’m one to want to know and learn the background functions of anything. This is not necessarily so with non-AD clients.



Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001



Common causes and solutions of browser Event ID 8021 and Event ID 8032 on domain master browsers
http://support.microsoft.com/kb/135404


Troubleshooting the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188305


New Networking Features in Windows Server 2008 and Windows Vista (scroll down and read the “Computer Browser Service” section and its mention that the Computer Browser service needs to be running on the PDC Emulator of a domain):
http://technet.microsoft.com/en-us/library/bb726965.aspx


Windows 2008 – Appendix C – Computer Browser Service
http://technet.microsoft.com/en-us/library/bb726989.aspx


 






==================================================================
3. Do I need WINS?


That’s an extremely good question. The answer is: it depends on what applications and services you currently run that require NetBIOS name resolution.


For example, unless it has been changed recently, Symantec Backup Exec needs it to ‘browse’ for agents in the network browse list: Backup Exec uses NetBIOS to assemble a list of all machines on the network so that you can back up remote computers whether or not the agent is installed, and offers to install the backup agent.


So it depends on what YOU have running.


For example, some AV solutions, such as McAfee Enterprise, Symantec, and CA, use NetBIOS to “find” all machines on the network for rollout and administration.


Therefore, you must inventory your infrastructure for applications and services that use NetBIOS. If I may suggest, make sure there are no applications running that rely on NetBIOS, such as SQL, Exchange, Network Neighborhood browsing, printer browsing, etc., before pulling WINS out.


And yes, keep in mind that Exchange 2000/2003 and Outlook communications require WINS for certain functions, such as calendaring. This dependency was removed from Exchange 2007 and 2010, which use a different mechanism.


 


Here are some relevant links:


Exchange Server 2003 and Exchange 2000 Server require NetBIOS name resolution for full functionality
http://support.microsoft.com/kb/837391


Eileen Brown’s WebLog: Exchange 2003 and WINS
http://blogs.technet.com/eileen_brown/archive/2006/01/26/exchange-wins.aspx


WINS dependencies in Exchange 2003 Server
Summary of Microsoft’s implementation of WINS (Windows Internet Name Service), how even Exchange 2003 makes NetBIOS calls, and the implications for a routed network.
http://www.computerperformance.co.uk/w2k3/services/WINS_exchange.htm


 


If you need WINS and want to learn how to install and configure it, please see the following:


WINS – What Is It, How To Install It, and how to Configure DHCP Scopes For WINS Client DHCP Distribution
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx


How To Install a WINS server:
http://technet2.microsoft.com/windowsserver/en/library/e4d3c3d8-a846-49b9-aac6-e04f2907aac51033.mspx


WINS Best Practices (a WINS server should point ONLY to itself as its WINS server in its IP properties):
http://technet2.microsoft.com/windowsserver/en/library/ed9beba0-f998-47d2-8137-a2fc52886ed71033.mspx


 







==================================================================
4. Disabling the Browser service, NetBIOS

Just be careful on what you disable. The effects of disabling certain services depend on the operating system version and its role. Disabling a necessary service may disable certain necessary functions on a machine. See section 3 above regarding apps that may be using or need NetBIOS support.


1. Computer Browser service. You can disable this service on a machine in a domain environment. It dictates whether the machine participates in browser elections, that is, whether it is eligible to become the master browser on its subnet. Understanding what that means requires some reading:


Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001


What’s the Microsoft Computer Browser Service? (covers disabling NetBIOS in W2K/XP/2003, hiding a server from the Computer Browser, and how a malicious user can shut down the Computer Browser service)
www.petri.co.il/whats_the_microsoft_computer_browser_service.htm


Computer Browser Service
http://www.theeldergeek.com/computer_browser.htm


2. NTLM Security Support Provider service. Leave that running; you need it. It handles NTLM challenge/response authentication for all versions of NTLM (NTLM and NTLMv2).


NTLM Security Support Provider
NTLM SSP is based on Microsoft Windows NT® LAN Manager challenge/response and NTLM version 2 authentication.
http://msdn.microsoft.com/en-us/library/ms925943.aspx


3. TCP/IP NetBIOS Helper service. If you disable it, you will not be able to map drives or printers by NetBIOS name or FQDN, and joining a domain fails with the error below.


“Network Location Cannot be Reached” Error Message When You Try to … To resolve this issue, start the TCP/IP NetBIOS Helper service, and then join the domain.
http://support.microsoft.com/kb/329866


4. One big piece of advice: do not disable the DHCP Client service on any Windows 2000/XP/2003 server, whether the machine is a DHCP client or statically configured. The name is somewhat of a misnomer: on those versions this service performs the dynamic DNS registration and is tied in with the client-side resolver. If it is disabled on a DC, you will get a slew of errors, and no DNS queries will be resolved.


No DNS Name Resolution If DHCP Client Service Is Not Running. When you try to resolve a host name using Domain Name Service (DNS), the attempt is unsuccessful. Communication by Internet Protocol (IP) address (even to …
http://support.microsoft.com/kb/268674


 


Windows Vista/2008 and newer: the DNS Client service is now responsible for dynamic updates


This changed in Windows Vista, Windows 2008, Windows 7 and Windows 2008 R2: they no longer use the DHCP Client service for dynamic DNS updates, they use the DNS Client service.


For Windows 2000/2003/XP, the DHCP Client service performs the dynamic DNS update process. For Windows 2008/Vista/2008 R2/Windows 7 and all newer operating systems, it is the DNS Client service, so the advice above applies to the DNS Client service on those versions.


Specific details can be found in the following link:


Understanding Dynamic Update, Applies To: Windows Server 2008, Windows Server 2008 R2 (and changes to the DNS Update process from previous operating systems)
http://technet.microsoft.com/en-us/library/cc771255.aspx


Quoted from above article:


“The DNS Client service and the DNS Server service support the use of dynamic updates, as described in Request for Comments (RFC) 2136, “Dynamic Updates in the Domain Name System.”  
The documentation after that refers to the DHCP Client service, but please ignore that. There are a few of us in touch with the dev group about the documentation, and it will be cleared up.
The point is that the DHCP Client service is no longer responsible for updates.


DHCP (Dynamic Host Configuration Protocol) Basics
http://support.microsoft.com/kb/169289


 







==================================================================
5. DNS Client side Resolver service Query Process

The Client Side Resolver Service algorithm on all Windows 2000 and newer machines:


To summarize:


If the first entry responds but doesn’t have an answer, which is what we call an NXDOMAIN response (the DNS server has no record for the name, but it responded), the resolver won’t go to the second entry, because it got an answer, even though it is not the answer we wanted.



If the DNS server does not respond at all, which we call a NULL response (the DNS server is down or unreachable), the resolver moves on to the subsequent entries in the order entered, but only after a time-out period (a resolver timer, not a record TTL) which can last 15 seconds or more while it keeps retrying the first one. At that point it REMOVES the first entry from the “eligible resolvers” list, where it stays until the list is reset: after 15 minutes, or when you restart the DHCP Client service (on 2000/2003/XP) or the DNS Client service (on 2008/Vista and all newer), or restart the machine. Note that ipconfig /flushdns clears the cached records but does not by itself reset the server list.


For specifics, the Microsoft DNS whitepapers are a good start. Here’s more:


DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx


The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760


Technet Thread: “problem with secondary dns”
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/8fc4597c-d64e-4a87-9cfe-5fe159df5735/




Other references:


How to Disable Client-Side DNS Caching in Windows XP and Windows … (to disable the DNS cache permanently, use the Service Controller tool or the Services tool to set the DNS Client service startup type to Disabled)
http://support.microsoft.com/kb/318803


How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc


Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003 (Read the part about the client side resolver algorithm and the client side resolver service timeout when querying multiple DNS entries)
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036


W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp


How DNS query works Domain Name System(DNS):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/0bcd97e6-b75d-48ce-83ca-bf470573ebdc.mspx


DNS Resolver Cache Service (including the NetFailureCacheTime and NegativeCacheTime registry entries):
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp


286834 – DNS Client Service Doesn’t Revert to Using First Server in List [explained in the DNS white papers] reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834


261968 – Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968


SP4 Changes DNS Name Resolution – Actual Query Timeout settings the resolver uses – (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550


 


Linux and Unix client resolvers work pretty much the same way:



This behaviour ALSO applies to non-Microsoft client-side resolvers, such as the Linux/Unix stub resolver: the nameserver entries in resolv.conf are tried in order, the next one is used only when the current one times out, and an NXDOMAIN from whichever server answers is final.


Thread: Re: Complex DNS Resolver Question – DNS
http://fixunix.com/dns/220126-re-complex-dns-resolver-question.html


Quoted from the above link:
“If the hostname is not found, then you want to query a local nameserver to locate the information. That is not how DNS operates. If a queried nameserver is inaccessible, then DNS will query another nameserver, providing that there is a second nameserver configured. But if the first nameserver returns NXDOMAIN (the record you requested is not in DNS), then the result returned to the client is NXDOMAIN. The DNS protocol is not set up to look elsewhere for the record, especially if the first nameserver returns NXDOMAIN authoritatively.”


 


Client-side options if a DC goes down:


Run the following command on your Active Directory clients to force a fresh DC lookup that bypasses the DC Locator cache (replace “DomainName” with the fully qualified domain name of your Active Directory domain):
nltest /dsgetdc:DomainName /force


More on this:


Domain Controller Stickiness Prevention
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/06/24/domain-controller-stickiness-prevention.aspx


AD Clients Not Authenticating to its Local Site
http://blogs.dirteam.com/blogs/paulbergson/archive/2010/04/19/ad-clients-not-authenticating-to-its-local-site.aspx


 







==================================================================
6. DNS Forwarder Resolution and the Time Out Process


Information on how the DNS forwarder time-out works when multiple forwarders are used:


Keep in mind, if you have too many forwarders listed (only one is recommended, and I believe 6 is the most it will use), the client-side resolver may time out while your DNS server is still waiting on the 4th forwarder, and the client will then move on to the next DNS server listed in its IP properties.


Configure a DNS server to use forwarders (you can change the time-out period)
http://technet.microsoft.com/en-us/library/cc773370.aspx


Good post by Kevin Goodknecht explaining the forwarder time-out and scenarios with too many forwarders listed.
http://help.lockergnome.com/windows2/Strange-forwarding-issues-ftopict482618.html


Quoted from above link:


“Actually, the DNS service will stick to the Forwarder that provides an answer, no matter where it is in the list, if one forwarder times out (no answer) it will move to the next forwarder in the list, if the next forwarder provides an answer it uses it until it times out. The problem for you is, that it may not get back around to the first forwarder, before the Forwarding timeout expires, and it starts using recursion itself and goes to the root hints.


Now, if you check the box “Do not use recursion” the DNS server will use only its forwarders, and will not use root hints. But this cannot guarantee that one of the other servers being used as a forwarder answer the query.


I recommend that if there is a domain that cannot be reached through the internet root, that you add a secondary zone for that domain on the Win2k DNS server.”


 


Comment on forwarders:


When a DNS server uses a forwarder it acts as a resolving client itself: as the explanation above indicates, it sends the request elsewhere, offloading the recursion so it doesn’t have to walk down from the root servers to resolve the query. If there are multiple forwarders, the server tries each forwarder in turn; only if it runs out of forwarders will it use the root hints, unless the checkbox to not use recursion is set on the Forwarders tab (not the Advanced tab). All of that takes time. The client has its own time-out, so if the original client request is still waiting when that time-out is reached, because your DNS server is itself still waiting on a forwarder, the client will assume that the DNS address it used is no good, remove it from the ‘eligible resolvers list’ and query the second one.


If a DNS server that is set as a forwarder is no longer functioning, or whoever owns it has disabled recursion (so it no longer answers queries for zones it does not host, effectively making it a content-only server), or restricts which subnets it answers with “views” (a BIND feature), then the DNS service applies its forwarding time-out to the query it sent to the first forwarder in the list. Note that this time-out is not a TTL: a record’s Time to Live only governs how long an answer is cached. If there is no response (a NULL response) within the time-out, the server skips that forwarder for this query only and sends the query to the next forwarder in the list. If none of the forwarders respond, the DNS service sends the query to the root hints and resolves it by recursion itself.


Now, and this is an important “now,” if there are many DNS servers listed in the Forwarders list, such as 3 or 4, the combined time-out for the number of forwarders listed may exceed the default time-out of the client-side resolver on the machine making the request, so the user sees a name resolution (“server not found”) error in the browser rather than a page, even though your DNS server may eventually obtain an answer. (A DNS failure never produces an HTTP 404; a 404 means the name resolved and a web server answered.)


For practical purposes, given these time-outs, I would suggest never setting more than two forwarders.


To find out whether a DNS server will answer recursive queries and is therefore eligible to use as a forwarder, test it with nslookup: point nslookup at that server (nslookup - server.address, or server server.address at the prompt), enter set d2, query a name the server is not authoritative for, and look in the response header flags for “recursion avail.” If that flag is absent, or the rcode is REFUSED, the server will not recurse for you; if nslookup gets no reply at all, that is the NULL-response case described above.


So for all practical purposes, I never set more than two forwarders; otherwise what’s the use? If the first two can’t resolve it, it probably is not resolvable anyway.
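The forwarder check described above, done with the standard library instead of nslookup, as an added example that is not part of the original post: build_query() builds the same recursive query (RD set) a resolver sends, and parse_header()/classify() read the RA bit and rcode from the reply, which is what nslookup’s set d2 output shows as “recursion avail.” The three sample replies at the bottom are constructed by hand so the classification can be run offline; probe() is the only function that touches the network and needs a reachable server on UDP 53. The hostname www.example.com is just a placeholder query name.

```python
"""Probe a candidate forwarder for recursion support, the check the text
performs with nslookup's 'set d2' output.  Added example, not from the
original post; uses only the standard library.  Wire format per RFC 1035."""
import os
import socket
import struct

FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid, qtype=1):
    """One-question query (type A by default) with RD set, as a resolver sends it."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    """Header fields a forwarder check cares about; raises on a truncated packet."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes; got %d" % len(packet))
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "recursion_desired": bool(flags & FLAG_RD),
        "recursion_available": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "answer_count": an,
    }


def classify(packet, expected_id):
    """Decide whether the server that sent this reply is usable as a forwarder."""
    h = parse_header(packet)
    if not h["is_response"] or h["id"] != expected_id:
        return "ignored: not a response to our query"
    rcode = RCODES.get(h["rcode"], str(h["rcode"]))
    if h["recursion_available"] and rcode in ("NOERROR", "NXDOMAIN"):
        return "eligible forwarder"          # it recursed for us; NXDOMAIN is still a real answer
    return "not eligible: RA=%s rcode=%s" % (h["recursion_available"], rcode)


def probe(server, name="www.example.com", timeout=3.0):
    """Send the query over UDP/53 (needs network access).  A time-out is the
    NULL response the text describes: such a forwarder would simply be skipped."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no response"
    return classify(reply, txid)


# Constructed sample replies (header only, which is all classify() reads).
SAMPLE_RECURSIVE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 3, 1, 0, 1, 0)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | 5, 1, 0, 0, 0)

if __name__ == "__main__":
    for label, pkt in (("recursive", SAMPLE_RECURSIVE), ("nxdomain", SAMPLE_NXDOMAIN),
                       ("content-only", SAMPLE_REFUSED)):
        print(label, "->", classify(pkt, 0x1234))
```

A content-only server that has recursion disabled typically answers REFUSED without RA, which classify() reports as not eligible; an NXDOMAIN with RA set is still a server that recursed for you, so it counts as eligible, exactly as the client-side resolver treats NXDOMAIN as a real answer.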







==================================================================
7. If one DC or DNS server goes down, why can’t I logon to the other DC or not use the second DNS address to find another DC?


Which begs the eternal philosophical question:
If a Domain goes down in a forest, and there’s nobody there, did it crash?


Keep in mind that if any of the DCs are multihomed (more than one NIC and/or IP), you are using your ISP’s DNS on the clients or DCs, or the domain is a single-label name (“domain” versus the recommended minimum of “domain.com,” “domain.local,” etc.), other problems will occur, and you will get unexpected and undesirable results whether a DC is down or not.


As for the second DC responding, this all depends on the DNS settings on the client side, as well as whether the previous logon server and its record are cached.


It will use the second address, but only after the time-out period during which the client is waiting for a response from the first server. You need to understand how the client-side resolver works. As stated above in section 5:



  • If the first entry responds but doesn’t have an answer, which is what we call an NXDOMAIN response (the DNS server has no record for the name, but it STILL responded), it won’t go to the second entry, because it got an answer, even though it is not the answer we wanted.
  • If the DNS server does not respond, which we call a NULL response (the DNS server is down and doesn’t respond), it will go to subsequent entries in the order entered, but only after a time-out period which can last 15 seconds or more while it keeps trying the first one. It then REMOVES the first entry from the “eligible resolvers” list until the list is reset: after 15 minutes, or when you restart the DHCP Client service (on 2000/2003/XP) or the DNS Client service (on 2008/Vista and all newer), or restart the machine. Clearing the client-side cache (ipconfig /flushdns) removes cached records, including a cached record for a downed DC, but does not reset the list.



To put it another way:

If the query sent to the first entry in the DNS list gets an NXDOMAIN response, meaning it is an actual response but the server it asked has no such record, the resolver looks no further, because it is a response. However, if it receives a NULL response, meaning the DNS server is down and there is no response, it removes the first entry from the ‘eligible resolvers list’ for a certain amount of time (depending on the OS version and service pack level), then sends the query to the second one. And if the record is already cached, it won’t even ask the first entry. Hence the possibility that the client machine keeps going to a DC that is down.


Summary:


As I mentioned, this is ALL based on the client-side resolver, not the DNS server. The time-out period can be perceived by someone sitting there waiting as ‘it’s not working,’ because it appears to take so long. Also, if the record is already cached locally by the client-side service, the client will not ask any DNS server and will send the connection request to the cached address; if that is the server that is down, it can’t connect anyway and gets no response, while you sit there expecting it to go to the other DC that is up. The way to reset the server list is to restart the DHCP Client service (on 2000/2003/XP) or the DNS Client service (on Vista/2008 and newer) on the workstation (not the DHCP server); the way to delete the cache on the client is to run ipconfig /flushdns; or simply restart the machine, which does both.


Or simply disable the DNS Client Side caching mechanism. It’s not suggested to do this due to performance and especially if you have many machines in the infrastructure. However for testing, you can give it a shot:


How to Disable Client-Side DNS Caching in Windows XP and Windows … (to disable the DNS cache permanently, use the Service Controller tool or the Services tool to set the DNS Client service startup type to Disabled)
http://support.microsoft.com/kb/318803
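The client-side resolver behaviour described in section 5 and again in this section, as an added simulation that is not code from the original post: a pair of fake DNS servers and a resolver that applies the rules above (an NXDOMAIN is a final answer, a silent server is skipped after a time-out and stays off the eligible list for 15 minutes, a cached answer is returned without asking anyone, and flushing the cache does not reset the server list). The server names, records and the corp.example domain are made up for the example; the 15-second and 15-minute figures are the ones the text gives.

```python
"""Simulation of the Windows client-side resolver's server-list behaviour
described in sections 5 and 7.  Added example, not code from the original
post; the DNS servers and records are constructed here and nothing is sent
on the wire.  The 15-second wait per silent server and the 15-minute
eligible-list reset are the figures the text gives; real timers vary by
OS version and service pack (see the KBs linked in section 5)."""
import time

QUERY_TIMEOUT = 15.0            # seconds the resolver spends on a silent server (from the text)
NET_FAILURE_CACHE_TIME = 900.0  # seconds a silent server stays off the eligible list (from the text)


class FakeDnsServer:
    """Answers from its own records, returns 'NXDOMAIN' for any other name,
    or returns None (no response at all) while marked down."""

    def __init__(self, name, records=None, down=False):
        self.name = name
        self.records = dict(records or {})
        self.down = down

    def query(self, fqdn):
        if self.down:
            return None                        # NULL response: the client hears nothing
        return self.records.get(fqdn, "NXDOMAIN")


class ClientResolver:
    def __init__(self, servers, clock=time.monotonic):
        self.servers = list(servers)           # order as entered in the NIC's IP properties
        self.clock = clock                     # injectable so the 15-minute reset can be simulated
        self.cache = {}                        # fqdn -> answer (positive and negative)
        self.dropped = {}                      # server name -> time it stopped responding
        self.waited = 0.0                      # simulated seconds the user sat waiting

    def flushdns(self):
        """ipconfig /flushdns: clears cached records, leaves the server list alone."""
        self.cache.clear()

    def restart_dns_client(self):
        """Restarting the DNS Client service (DHCP Client on XP/2003) resets both."""
        self.cache.clear()
        self.dropped.clear()

    def eligible_servers(self):
        now = self.clock()
        for server in self.servers:
            dropped_at = self.dropped.get(server.name)
            if dropped_at is not None and now - dropped_at < NET_FAILURE_CACHE_TIME:
                continue                       # still off the eligible list
            self.dropped.pop(server.name, None)  # reset period elapsed: eligible again
            yield server

    def resolve(self, fqdn):
        """Return (answer, source); source is 'cache', a server name, or None."""
        if fqdn in self.cache:
            return self.cache[fqdn], "cache"   # nobody is asked, even if the cached host is down
        for server in self.eligible_servers():
            answer = server.query(fqdn)
            if answer is None:
                self.waited += QUERY_TIMEOUT   # wait it out, drop the server, move down the list
                self.dropped[server.name] = self.clock()
                continue
            self.cache[fqdn] = answer          # NXDOMAIN is an answer: no further servers are tried
            return answer, server.name
        return None, None                      # every eligible server was silent


if __name__ == "__main__":
    now = [0.0]                                # fake clock, advanced by hand
    dc1 = FakeDnsServer("dc1", {"fs1.corp.example": "10.0.0.21"}, down=True)
    dc2 = FakeDnsServer("dc2", {"fs1.corp.example": "10.0.0.21",
                                "app.corp.example": "10.0.0.30"})
    client = ClientResolver([dc1, dc2], clock=lambda: now[0])
    print(client.resolve("fs1.corp.example"), "after", client.waited, "s")  # dc2 answers after the wait on dc1
    print(client.resolve("app.corp.example"), "after", client.waited, "s")  # dc1 is skipped, no extra wait
    dc1.down = False                           # dc1 is back, but it has no record for app
    now[0] = 1000.0                            # more than 15 minutes later: dc1 is eligible again
    client.flushdns()
    print(client.resolve("app.corp.example"))  # ('NXDOMAIN', 'dc1'): dc2 is never consulted
```

The last step is the one that surprises people: once dc1 is eligible again and answers NXDOMAIN, dc2 is never asked even though it holds the record, which is why two DNS servers with different zone contents are not a form of redundancy.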


 







==================================================================
8. What happens with Exchange and Outlook when when DNS goes down?

Exchange uses its own fault-tolerant service, DSAccess, which is responsible for providing directory information to Exchange servers. DSAccess re-evaluates every 15 minutes and will change the DC it relies on as part of its own DC/GC discovery process. For more on that process, see:


Directory service server detection and DSAccess usage
http://support.microsoft.com/kb/250570


But in addition, this goes back to the dependence on the client-side resolver as well, which I covered above under “If one DC or DNS server goes down, why can’t I logon to the other DC or not use the second DNS address to find another DC?”


Also, with Exchange involved, it becomes a little trickier. Keep in mind that when Outlook 2002 and newer first connects, it is handed (via the DSProxy referral) the GC that Exchange is using, and Outlook caches it. If that GC goes down, even if there are other GCs up, Outlook will not ‘look’ for another GC; you literally have to restart Outlook. Exchange locks onto that GC as well, and if it goes down the event logs fill with DSAccess errors until the GC is back up. The only way to circumvent that is to go into Exchange, switch the DC/GC list from automatic discovery to manual, and remove the downed GC; the Outlook clients will still need to be restarted, and if you have multiple Exchange servers it needs to be done on each one. If you have ISA, it needs to be restarted too. Otherwise, it’s best to get the GC back up; the Exchange errors will then disappear, but Outlook will still have a problem until it is restarted.


I’ve seen this while working on a 5000-user system with 20 Exchange servers. It was due to the AD group running Windows updates on the DCs. We talked them into doing it after hours. It was a pain. If you have BES servers, they need to be restarted after the GC is back up, too.


Keep in mind as well that other Exchange-related applications that rely on MAPI just as Outlook does, such as BES (BlackBerry Enterprise Server), need to be restarted for them to reinitialize.


Keep in mind too that in a single-domain forest, all DCs should be Global Catalogs. If there is more than one domain in the forest (child domains), then the Infrastructure Master (IM) role should not be on a GC unless every DC in that domain is also a GC. If Exchange is involved, access to Exchange may be affected by which GCs and DCs it has been configured to use and whether they are down or not. This is not a DNS function; it is the DSAccess and DSProxy function on Exchange.


I hope that makes sense.


I am also providing some links on it. Sorry about all the links, but they will give you a better understanding of this and how it applies. Each gives a little, but in some cases not the whole picture. The DNS whitepaper is pretty good to start with.







==================================================================
9. Client side DNS Devolution on Windows 7 and Windows 2008 R2


Devolution is the process by which the resolver derives parent suffixes from the primary DNS suffix. For example, if a machine is joined to the child domain “sales.test.com,” then “test.com” is devolved from “sales.test.com.”
 
Therefore, if “fileserver1” is not resolved in “sales.test.com,” the client-side resolver (keep in mind, DCs are DNS clients too) will resend the query with the parent suffix, as “fileserver1.test.com.”
 
It is best to design your forest with unique hostnames, so that if “fileserver1” doesn’t exist in a child domain it doesn’t exist anywhere else. Having a computer called “fileserver1” in a child domain and another in a different domain is not good practice: which machine you reach then depends on which suffix the resolver happens to try first. Uniqueness across the forest is the key.


DNS Devolution
Published: October 21, 2009, Updated: July 7, 2010, Applies To: Windows 7, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ee683928(WS.10).aspx


Quoted:
Devolution is not enabled in Active Directory domains when the following conditions are true:
 1. A global suffix search list is configured using Group Policy.
 2. The Append parent suffixes of the primary DNS suffix check box is not selected on the DNS tab in the Advanced TCP/IP Settings for IPv4 or IPv6 Internet Protocol (TCP/IP) Properties of a client computer’s network connection. Parent suffixes are obtained by devolution.




 



==================================================================
10. How does resolution work in a multi-domain forest (with child domains)?


If you have a host record called "Computer" in both the parent domain and a child domain, an unqualified nslookup or ping for "Computer" resolves whichever FQDN the resolver builds first. The resolver starts with the machine's primary DNS suffix (the domain it is joined to) and devolves upward, stripping one label at a time, so a client in the child domain tries Computer.child.domain.local before Computer.domain.local. Devolution toward the upper hierarchical levels is limited to the forest root domain; it does not climb any higher.


For example, if your forest root is ad.domain.local and you have a child domain called child.ad.domain.local, the client-side resolver devolves from its joined domain only as far as the forest root and will not go any higher: it will not devolve to, or populate, domain.local as a search suffix, since that name is not a domain in the forest.


If instead a DNS suffix search list is configured (locally or through Group Policy), the resolver appends those suffixes in the configured order and does not devolve at all. With a search list of domain.local followed by child.domain.local, submitting the unqualified name "Computer" makes the resolver query, in order, for the following FQDNs:


  • Computer.domain.local
  • Computer.child.domain.local


Based on the forest example above, with no search list configured, a client in child.ad.domain.local devolves through only the following two suffixes, and not "domain.local", as it would have prior to Vista/2008:


  • child.ad.domain.local
  • ad.domain.local
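The two rules just described (a configured search list replaces devolution; otherwise strip one label at a time from the primary suffix and stop at the forest root on Vista/2008 and later, or at two labels on older resolvers) are small enough to model. The following PowerShell is an added example and not code from the original post: Get-ResolverCandidates computes the FQDNs the resolver would try for an unqualified name under those rules, and Get-LocalDevolutionSettings reads the knobs that decide which rule applies on the local machine. The registry value names are the documented Dnscache and Tcpip parameters; the function names and the -Legacy switch are this example's own.

```powershell
# Added example: models the Windows DNS client resolver's suffix handling as
# described in the text above. Not code from the original post.

function Get-ResolverCandidates {
    param(
        [Parameter(Mandatory)] [string]   $Name,          # unqualified, e.g. Computer
        [Parameter(Mandatory)] [string]   $PrimarySuffix, # e.g. child.ad.domain.local
        [string]   $ForestRoot,                           # e.g. ad.domain.local
        [string[]] $SearchList,                           # configured suffix search list, if any
        [switch]   $Legacy                                # pre-Vista rule: stop at two labels
    )
    if ($Name.Contains('.')) {
        throw "'$Name' is not single-label; this helper models the unqualified-name case only."
    }

    # Rule 1: a suffix search list (local or Group Policy) is used verbatim, in
    # order, and switches devolution off entirely.
    if ($SearchList) {
        return [string[]]($SearchList | ForEach-Object { "$Name.$_" })
    }

    # Rule 2: devolution. Strip one label per step, starting at the primary
    # suffix. Vista/2008 and later stop at the forest root (the "devolution
    # level" is the forest root's label count); older resolvers stopped when
    # two labels remained.
    $labels = $PrimarySuffix.Trim('.').Split('.')
    $stopAt = 2
    if (-not $Legacy -and $ForestRoot) {
        if (-not ".$($PrimarySuffix.Trim('.')).".EndsWith(".$($ForestRoot.Trim('.')).", 'OrdinalIgnoreCase')) {
            throw "$PrimarySuffix is not under forest root $ForestRoot (disjoint namespace not modelled here)"
        }
        $stopAt = $ForestRoot.Trim('.').Split('.').Count
    }

    $out = for ($i = 0; ($labels.Count - $i) -ge $stopAt; $i++) {
        "$Name." + ($labels[$i..($labels.Count - 1)] -join '.')
    }
    # A single-label primary suffix has nothing to strip: only one candidate,
    # and one the resolver will treat as a TLD.
    if (-not $out) { $out = "$Name.$PrimarySuffix" }
    return [string[]]$out
}

function Get-LocalDevolutionSettings {
    # Registry locations: Dnscache\Parameters for the devolution switches,
    # Tcpip\Parameters for the primary suffix and local search list, and the
    # DNSClient policy key for a GPO-pushed search list.
    $dnscache = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' -ErrorAction SilentlyContinue
    $tcpip    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'    -ErrorAction SilentlyContinue
    $policy   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'       -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PrimaryDnsSuffix          = $tcpip.'NV Domain'
        UseDomainNameDevolution   = $dnscache.UseDomainNameDevolution     # $null or 1 = on, 0 = off
        DomainNameDevolutionLevel = $dnscache.DomainNameDevolutionLevel   # $null = forest-root level (Win7/2008 R2 default)
        PolicySearchList          = $policy.SearchList                    # any value here disables devolution
        LocalSearchList           = $tcpip.SearchList                     # same effect, set locally
    }
}

# The page's forest: devolution stops at the forest root.
Get-ResolverCandidates -Name Computer -PrimarySuffix child.ad.domain.local -ForestRoot ad.domain.local
# The pre-Vista rule keeps stripping down to two labels, which is why domain.local used to be queried.
Get-ResolverCandidates -Name Computer -PrimarySuffix child.ad.domain.local -Legacy
# A configured search list is used as-is, in order, instead of devolution.
Get-ResolverCandidates -Name Computer -PrimarySuffix child.domain.local -SearchList domain.local, child.domain.local
Get-LocalDevolutionSettings
```

For the page's example the first call yields exactly the two names listed above, the -Legacy call adds Computer.domain.local, and the search-list call returns the two entries in the configured order. On Windows 8 / Server 2012 and later, Get-DnsClientGlobalSetting (DnsClient module) exposes the same information as its UseDevolution, DevolutionLevel and SuffixSearchList properties without reading the registry.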


More info on this behavior:


 Host Name Resolution Order
 http://support.microsoft.com/kb/172218/en-us  
 
 Configuring Query Settings:
 http://technet.microsoft.com/en-us/library/cc959339.aspx  


 DNS client name resolution behavior in windows vista VS Windows XP
 http://blogs.technet.com/b/networking/archive/2009/04/16/dns-client-name-resolution-behavior-in-windows-vista-vs-windows-xp.aspx 
 
 


 




==================================================================
11. Troubleshooting the Browser Service


 


Keep in mind, each subnet has its own master browser. The per-subnet master browsers exchange their lists with the domain master browser (the PDC emulator) to build an infrastructure-wide browse list, and across subnets they find each other through WINS. Without WINS the browser service relies on broadcasts, which do not cross routers, so in a multi-subnet environment where you want full browsing capabilities it is suggested to use WINS.


When troubleshooting the browser service, keep in mind that there is a waiting period before the list is fully enumerated and available on the master browser.


A good example is when a server on a segment is shut off and the workstations kick in, or the server is rebooted, wins the election, and begins a new cycle of enumerating the browse list from WINS and/or broadcasts. This can take a minimum of 12 minutes, and up to the 48-minute full propagation cycle in a multi-segment domain environment.


The default out-of-the-box settings work fine; otherwise you will find yourself changing registry entries on multiple servers.


If you find workstations are becoming master browsers, are there any server operating systems on their subnets? If not, a workstation will win. If there is a server OS on the subnet that is not multihomed, especially a DC that is not multihomed (multihoming a DC is a really bad idea), it should win the election, unless there is a problem with that machine itself, such as an antivirus setting or a host firewall blocking the browser traffic.


Some basic things to look for and use:


  1. Make sure the Computer Browser service is Started.
  2. Make sure NetBIOS is enabled on everything.
  3. On Windows 2003 and 2000, install the Support Tools (from the Windows CDROM) in order to have the “browstat” utility available. In Windows 2008 and newer, the utility is already installed as part of the operating system files.


Multihomed DC?


Note: A multihomed DC is a major cause of browser problems. Multihoming DCs is not recommended for multiple reasons, including the "multihomed browser" scenario. More info regarding multihoming and why not to do it:


Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters – A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly.
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx


 


Browser Troubleshooting Steps


Antivirus or host firewall software can block browser traffic. This of course assumes that the Computer Browser service is running.
 
Run browstat status to see who the master browser is for the segment. On the segment that contains the PDC emulator it should be the PDC emulator (which is also the domain master browser); if some other device won the election there, that can cause a problem.


To check current status of the browse service on the domain, run:


 browstat status


You should get a response similar to:


 Browsing is active on domain.
 Master browser name is: <serverName>


Note: the machine that is the current master browser will be, depending on which machine types exist on the segment: the PDC emulator, a replica DC on the segment, a member server, a joined workstation, a workgroup member, a Unix or Linux box running Samba, etc. If you find a device is winning the election, disable that ability in the device. If it has no such feature, contact the vendor's support department, or put the device on its own subnet or VLAN to prevent it from winning the election on the production network.


To find the current master browser on a segment, you first need the NetBT transport ID:


First run:


 browstat getmaster \device\netbt_el59x1 <domainname>


It will error out because the transport "netbt_el59x1" probably doesn't exist, and in doing so it lists the transports currently bound to the browser. Copy and paste the transport that does show up into your next command:


browstat getmaster \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>


Force an election by running browstat elect with the same transport:


 browstat elect \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>


Then check the System event log (source BROWSER) to see which machine won the election. I have found that Linux/Unix with Samba, or devices such as a Seagate NAS, may win the election and cause browsing havoc within an environment, producing that familiar but unwanted "Access Denied" when trying to browse.


Troubleshooting the Microsoft Browser Services:
http://support.microsoft.com/kb/188305
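The checks above (service running, NetBIOS enabled, multihoming, browstat per transport, election events) can be collected in one pass. The following PowerShell is an added example, not code from the original post or from Microsoft: it assumes browstat.exe is on the PATH, that each adapter's NetBT transport is named \Device\NetBT_Tcpip_{adapter GUID} as in the example above, and PowerShell 3 or later. The function names and the event-ID selection are this example's own; the event IDs are the BROWSER source's election and backup-list events.

```powershell
# Added example: one-pass browser-service health check. Not from the original post.

function Test-BrowserHealth {
    param([Parameter(Mandatory)] [string] $Domain)   # NetBIOS domain name, e.g. CONTOSO

    $r = [ordered]@{}

    # 1. Computer Browser service (service name is "Browser").
    $svc = Get-Service -Name Browser -ErrorAction SilentlyContinue
    $r.BrowserService = if ($svc) { $svc.Status.ToString() } else { 'not present' }

    # 2. NetBIOS over TCP/IP per adapter, and multihoming.
    #    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    $r.IPEnabledAdapters = $nics.Count
    $r.Multihomed        = $nics.Count -gt 1      # on a DC this alone can explain odd elections
    $r.NetBiosDisabledOn = @($nics | Where-Object { $_.TcpipNetbiosOptions -eq 2 } |
                             ForEach-Object { $_.Description })

    # 3. Ask browstat for the master on each NetBT transport. The transport name is
    #    built from the adapter GUID (SettingID), matching \Device\NetBT_Tcpip_{GUID}.
    $r.Masters = foreach ($n in $nics) {
        $transport = "\Device\NetBT_Tcpip_$($n.SettingID)"
        try   { $text = (& browstat.exe getmaster $transport $Domain 2>&1) -join ' ' }
        catch { $text = "browstat not available: $($_.Exception.Message)" }
        [pscustomobject]@{ Adapter = $n.Description; Transport = $transport; Result = $text.Trim() }
    }

    # 4. Election noise in the System log, source BROWSER. 8003 = another machine
    #    announced itself as master; 8033 = an election was forced; 8021/8032 = a
    #    backup browser could not get the list from the master.
    $r.RecentBrowserEvents = @(Get-EventLog -LogName System -Source BROWSER -Newest 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -in 8003, 8021, 8032, 8033 } |
        Select-Object TimeGenerated, EventID, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } })

    [pscustomobject]$r
}

function Invoke-BrowserElection {
    # Forces an election on one transport (browstat elect). Expect the browse
    # list to take 12 minutes or more to rebuild afterwards, as described above.
    param([Parameter(Mandatory)] [string] $Domain, [Parameter(Mandatory)] [string] $Transport)
    & browstat.exe elect $Transport $Domain 2>&1
}

# Test-BrowserHealth -Domain CONTOSO | Format-List
# Invoke-BrowserElection -Domain CONTOSO -Transport '\Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB}'
```

Run it on the machine you expect to be master (the PDC emulator on its own segment, a DC or server elsewhere). A Multihomed value of True on a DC, or an entry in NetBiosDisabledOn, is usually the whole story; otherwise the Masters output tells you who won and the event list tells you who keeps contesting it.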





==================================================================
Related Links

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx 


The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760


ForwardingTimeout (registry settings)
http://technet.microsoft.com/en-us/library/cc940784.aspx


Appendix C: Windows Sockets and DNS Registry Parameters
For Resolver time out, see DNSQueryTimeouts
http://technet.microsoft.com/en-us/library/cc781532(WS.10).aspx


SP4 Changes DNS Name Resolution – Actual Query Timeout settings the resolver uses – (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550


How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc


DNSQueryTimeouts  – How to control the client side resolver time out value in the registry)
http://technet.microsoft.com/en-gb/library/cc977482.aspx


W2k DNS White Paper (search through it for Fully-Qualified Query and Disabling the Caching Resolver):
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp


DNS Resolver Cache Service (including the NetFailureCacheTime and NegativeCacheTime registry entries):
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp


DNS Client Service Doesn’t Revert to Using First Server in List (explained in the DNS white papers; includes the registry entry to alter it):
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834


261968 – Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968













Suggestions, Comments and Corrections are welcomed


Ace Fekay


 


 



How To Delete Undeletable Files and Folders





A little background on undeletable files and folders


I have seen these in the past on "pubbed" FTP servers: software, game and movie traders find open FTP servers and upload their illegal software to them, naming the files and the folders they create with names that the FTP server accepts (it passes the name straight to the file system) but that the Win32 tools do not: reserved device names (COM1, LPT1, AUX, CON, NUL), names ending in a dot or a space, control and extended characters, and very deep trees whose full path exceeds the Win32 MAX_PATH limit of 260 characters. NTFS itself stores all of these; it is the Win32 path normalization applied by Windows Explorer and the normal command line that refuses them, which prevents admins from getting to them or deleting them. In the older NT4 days you could install the POSIX subsystem tools (which use the native NT file naming rules rather than the Win32 ones) to read and remove them. That no longer applies with Windows 2000 and newer, but the same bypass is still available through the \\?\ and \\.\ path prefixes, which hand the path to the NT object namespace without Win32 normalization. They can be deleted with specific commands; you just have to know the commands!


Also, if the folder and files were created through FTP and the size shows zero bytes, yet you know it is much larger, the data is likely stored in an alternate data stream, which Explorer does not count; that explains why the file size appears as zero bytes (dir /r, on Vista and newer, lists the streams).


 


Is the drive NTFS?



The other factor, as mentioned, is a file name, folder name or full path (including every nested folder) longer than the Win32 MAX_PATH limit of 260 characters. Many programs, and the older command-line tools, are written against that limit and cannot open such paths, even though NTFS itself allows paths up to roughly 32,767 characters when they are passed with the \\?\ prefix.


Therefore, not being able to delete them is caused by the factors above: special or extended characters, trailing spaces, trailing dots (periods), reserved names such as COM1, LPT1, AUX and so on in folder or file names, and over-long paths, such as when a machine gets "pubbed" into an FTP site and the "pubsters" create these deep paths using reserved names to prevent the admin from deleting them. If someone accidentally created such files or subfolders, they will give you the same headaches to remove. With an FTP client it is easy to read and remove them, because the FTP service passes the names to the file system without the Win32 checks, while Explorer and the normal command line cannot translate them. In that case you can set up a local FTP service, connect to your own machine with an FTP client, and then read and delete the files and folders. That is only one option, and one many administrators are reluctant to use.


 


Removing folder examples:


Assuming the first folder is the numeral "1" on drive D (use the quotes if you have problems, and watch the required periods where a command uses them):


rm -r "//D/1"
(from a POSIX shell, such as the old POSIX subsystem or Interix/SFU, where //D/1 is that shell's spelling of D:\1)


RD \\.\D:\1


RmDir \\.\D:\1 /s /q
(the \\.\ device prefix bypasses the Win32 name checks; add /s /q to remove a whole tree without prompting)


RmDir \\.\C:\YourFTP_ROOT's_PATH\COM1 /s /q
(a folder with a reserved device name)


C:\>cd \inetpub
C:\Inetpub>rd /s /q \\?\c:\inetpub\ftproot
NOTE: the syntax is literal; do not substitute or remove the question mark (?), change only the path. Run it from outside the folder you are removing (rd cannot remove the current directory), and note that this particular line removes the entire FTP root, so point it at the offending subfolder if the rest should stay.



Removing files examples


Note: In the following examples, if the filename contains symbolic, extended or other characters, enter what you can and wildcard the rest, use tab completion, or use a full wildcard. The same \\.\ (or \\?\) prefix is what lets DEL reach names the normal parser rejects.


DEL \\.\c:\somedir\filename.
(a name ending in a period; the trailing dot is part of the name and must be typed)


DEL \\.\c:\somedir\lpt


DEL \\.\c:\somedir\aux


DEL \\.\c:\somedir\com
(reserved device names; the same form works for com1, lpt1, con, nul, prn and so on)


etc
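To tie the removal commands above to the reasons they are needed, the following PowerShell is an added example, not code from the original post: Get-StuckPathReason reports which Win32 naming trap a path falls into (reserved device name, trailing dot or space, control or illegal character, over-long path), and Remove-StuckPath performs the deletion through cmd.exe with the \\?\ prefix, exactly as the rd /s /q \\?\ line above does, then verifies with the same prefix. The function names, the -Directory/-DryRun switches and the use of cmd's "if exist" for the after-check are this example's own; it assumes cmd.exe accepts the \\?\ prefix in "if exist" as it does in rd and del.

```powershell
# Added example: diagnose and remove paths the Win32 layer refuses to touch.
# Not code from the original post.

$script:ReservedNames = @('CON', 'PRN', 'AUX', 'NUL') + @(1..9 | ForEach-Object { "COM$_"; "LPT$_" })

function Get-StuckPathReason {
    param([Parameter(Mandatory)] [string] $Path)
    $reasons = @()
    $clean = $Path -replace '^\\\\[?.]\\', ''           # ignore a \\?\ or \\.\ prefix when inspecting
    if ($clean.Length -ge 260) { $reasons += "full path is $($clean.Length) chars, over MAX_PATH (260)" }
    foreach ($part in $clean.TrimEnd('\').Split('\')) {
        if (-not $part) { continue }
        $base = ($part -split '\.', 2)[0].ToUpperInvariant()   # COM1.txt is just as reserved as COM1
        if ($script:ReservedNames -contains $base) { $reasons += "reserved device name in '$part'" }
        if ($part -match '[. ]$')                  { $reasons += "trailing dot or space in '$part'" }
        if ($part -match '[\x00-\x1F]')            { $reasons += "control character in '$part'" }
        if ($part -match '[<>:"/|?*]' -and $part -notmatch '^[A-Za-z]:$') {
            $reasons += "character illegal for Win32 in '$part'"
        }
    }
    if (-not $reasons) { $reasons += 'no naming trap found; check permissions, open handles and alternate data streams' }
    return $reasons
}

function Remove-StuckPath {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Directory,   # use rd /s /q instead of del
        [switch] $DryRun       # show the command, do not run it
    )
    if ($Path -notmatch '^([A-Za-z]:\\|\\\\)') { throw "use a full path such as D:\1" }
    # \\?\ hands the name to the NT namespace without Win32 normalization; keep
    # an existing \\?\ or \\.\ prefix if the caller already supplied one.
    $nt  = if ($Path -match '^\\\\[?.]\\') { $Path } else { "\\?\$Path" }
    $cmd = if ($Directory) { "rd /s /q `"$nt`"" } else { "del /f /q `"$nt`"" }
    if ($DryRun) { return "would run: cmd /c $cmd" }

    $output = & cmd.exe /c $cmd 2>&1
    # cmd's del does not reliably set ERRORLEVEL, so verify with the same prefix
    # (assumption: "if exist" honours \\?\ the way rd and del do).
    $stillThere = (& cmd.exe /c "if exist `"$nt`" echo 1") -eq '1'
    if ($stillThere) { throw "still present after '$cmd': $($output -join ' ')" }
    return $true
}

# Get-StuckPathReason 'C:\inetpub\ftproot\COM1\aux'
# Get-StuckPathReason 'C:\somedir\filename.'
# Remove-StuckPath 'C:\inetpub\ftproot\COM1' -Directory -DryRun
# Remove-StuckPath 'C:\somedir\filename.'
```

Run Get-StuckPathReason first: if it reports nothing, the \\?\ trick will not help and the cause is an ACL, an open handle or a locked alternate data stream (cmd /c dir /r "\\?\path" lists the streams). Remove-StuckPath deliberately requires -Directory for folders so that a typo cannot turn an intended single-file del into a tree removal.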



Read the following references for more information and instructions.


How to Remove Files with Reserved Names in Windows:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q120716


You cannot delete a file or a folder on an NTFS file system volume:
http://support.microsoft.com/kb/320081


Cannot Delete Files or Folders with Extended Characters:
http://support.microsoft.com/kb/131702


Here’s how to create a locked folder with FTP:
http://www.madchat.org/coding/w32nt.rev/dirnt.htm
 
Here’s how to delete them:
How to Remove Files with Reserved Names in Windows
http://support.microsoft.com/kb/120716



Ace Fekay

DNS Recursive Queries vs Iterative Queries




Published Nov 12, 2009 at 6:55 PM EST
Edits:
10/6/2010 12:31 AM EST – Added section “Non Sequitur: Windows Cache Poisoning Settings and Recursion Settings.” This was in response to a discussion associating recursion and cache poisoning that I wanted to clear up.


 


The Definition Between Recursive and Iterative Queries Actually Depends on Context, Such as Which Machine is Asking the Query.


The reason I mention this is that, basically, a recursive query means a machine (a client, or even a DC) sends the query to a DNS server and expects that server to fully resolve it, either from a zone configured locally (in its Forward Lookup Zones or Reverse Lookup Zones), or via a stub zone, root hints, a general forwarder or a conditional forwarder.


In summary, recursive name queries are generally made by a DNS client to a DNS server, or by a DNS server that is configured to pass queries for zones it does not host to another DNS server, whether through a stub zone, a conditional forwarder or a general forwarder.


An iterative query is a request from a client that tells the DNS server the client expects the best answer the server can provide immediately, without contacting other DNS servers, whether it hosts the zone or not. The process then relies on the client to continue, typically by following a referral: the server supplies the NS (and glue A) records of servers closer to the queried namespace that may be able to answer. We don't see that in the normal sense of the word "query" we are familiar with, where a client sends a request to a DNS server. For the most part, the DNS Client (resolver) service on Windows is a stub resolver that relies on a recursion-enabled DNS server to resolve the names it is not aware of. You can, of course, write a resolver script that performs the iterative queries itself.


However, with a recursive request from a client to a DNS server, which, as I mentioned above, is what we normally mean by "query", the DNS server does its best to resolve it, either by using stub zones, conditional or general forwarders, or root hints. Using root hints means the server itself issues iterative queries, starting at the root servers and following the referrals down the hierarchy (from "com" to the second-level name, and so on). Sending the query to a forwarder, if one is configured, is a recursive request from the server to the forwarder, not an iterative one, even though the server repeats (iterates, or re-iterates) the request when trying to find the answer.


You can make nslookup send an iterative query by using the norecurse option (set norecurse). The DNS server then gives its best response from its cache or the zones it is authoritative for, without looking elsewhere; for a name it does not know, that response is a referral rather than an answer.
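What "set norecurse" does by hand, one hop at a time, can be scripted to show the referral chain explicitly. The following PowerShell is an added example, not code from the original post: Resolve-Iteratively sends each query with recursion disabled (Resolve-DnsName -NoRecursion clears the RD bit, the same thing nslookup's norecurse does), reads the referral out of the Authority and Additional sections the cmdlet exposes through its Section property, and follows it itself until a server answers. It needs the DnsClient module (Windows 8 / Server 2012 and later) and Internet access; the starting address is a.root-servers.net's published IPv4 address and is assumed reachable, and the function name is this example's own.

```powershell
# Added example: an iterative (non-recursive) resolution walk from the root.
# Not code from the original post.

function Resolve-Iteratively {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $StartServer = '198.41.0.4',   # a.root-servers.net (assumed reachable)
        [int]    $MaxHops     = 12
    )
    $server = $StartServer
    for ($hop = 1; $hop -le $MaxHops; $hop++) {
        try {
            # RD bit clear: the server answers from its own zones or cache only.
            $rr = Resolve-DnsName -Name $Name -Type A -Server $server -NoRecursion -DnsOnly -ErrorAction Stop
        } catch {
            throw "hop ${hop}: query to $server failed: $($_.Exception.Message)"
        }

        $answer = @($rr | Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'A' })
        if ($answer.Count) {
            Write-Verbose "hop ${hop}: $server answered for $Name"
            return [string[]]($answer | ForEach-Object { $_.IPAddress })
        }
        $cname = $rr | Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'CNAME' } | Select-Object -First 1
        if ($cname) {
            Write-Verbose "hop ${hop}: $Name is an alias for $($cname.NameHost); walking that name from the root"
            $Name = $cname.NameHost; $server = $StartServer; continue
        }

        # No answer, so this should be a referral: NS records in the Authority
        # section and, when the name servers are in-bailiwick, glue A records in Additional.
        $ns = @($rr | Where-Object { $_.Section -eq 'Authority' -and $_.Type -eq 'NS' })
        if (-not $ns.Count) { throw "hop ${hop}: $server gave neither an answer nor a referral for $Name" }
        $glue = $rr | Where-Object { $_.Section -eq 'Additional' -and $_.Type -eq 'A' -and ($ns.NameHost -contains $_.Name) } |
                Select-Object -First 1
        if ($glue) {
            $next = $glue.IPAddress
        } else {
            # Out-of-bailiwick NS with no glue (example.com is served from iana-servers.net):
            # the NS name itself must be resolved. That is done here through the normal
            # stub resolver to keep the walk short; it is the only non-iterative step.
            $nsName = $ns[0].NameHost
            Write-Verbose "hop ${hop}: no glue for $nsName; resolving it through the configured DNS server"
            $next = (Resolve-DnsName -Name $nsName -Type A -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
        }
        Write-Verbose ("hop {0}: {1} referred {2} to [{3}] -> next {4}" -f $hop, $server, $Name,
                       (($ns.NameHost | Select-Object -First 3) -join ', '), $next)
        $server = $next
    }
    throw "no answer for $Name after $MaxHops hops"
}

# Resolve-Iteratively -Name www.example.com -Verbose
```

With -Verbose the output shows the three referrals a recursive server normally hides: the root refers to the com servers, com refers to the example.com servers (without glue, which is why the fallback step exists), and those servers answer. A server with recursion disabled, as discussed later on this page, behaves toward every client exactly as each server in this walk does toward the script.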


 


To go further…


The following quote is a non-Microsoft definition, but it still applies, no matter what DNS server service is used. The quote was taken from:
http://www.linuxjournal.com/article/4198


“Since the DNS server called ns.someisp.com isn’t authoritative for a zone called wiremonkeys.org and hasn’t recently communicated for any host that is authoritative for it, it begins a query of its own on the user’s behalf. The process of asking one or more queries in order to answer (resolve) other queries is called recursion.”


Does that make sense so far? 


So to further take it another step or to look at it in a different light…


Keep in mind, recursion is not necessarily resolution. The reason is that the process of following a chain of delegations from one set of content DNS servers to another, starting at the root servers, is termed "resolution", as exemplified in section 6.3 of RFC 1034. It is not termed "recursion". "Recursion" is something else: the official definition is the act of a server sending back-end queries (of whatever sort) to another server. Both query resolution, where back-end queries are sent to content DNS servers, and forwarding, where back-end queries are sent to proxy DNS servers, are forms of recursion.


Therefore…


  • Resolution can be provided, many times, from the server's own authoritative zones, with no recursion involved.
  • A query can be answered from the server's cache, with no recursion involved (directly, because it is in its cache).
  • By forwarding, with the forwardee doing the resolution; recursion is involved.
  • When the server forwards a query out, it is itself acting as a recursive client: it proxies the request elsewhere on behalf of the original client by sending its own recursive query to the forwarder.
  • Or the DNS server can perform the resolution itself, where recursion is involved. An example is when forwarding is not enabled and the server uses its root hints, issuing iterative queries to the roots and then down the DNS hierarchy from the TLD.
  • And more…

 Got it?


I hope that was easy. Next week we’ll discuss helion particles (a-particle of the helium-3 nucleus) and their mass.


 


Non Sequitur:  Windows Cache Poisoning Settings and Recursion Settings


Added 10/6/2010 – This stemmed from a discussion in the Microsoft forums, where a poster was concerned about the cache poisoning settings and recursion after being told that the recursion settings were causing a false positive.


If you ever had an external security threat analysis performed and the results indicated that your DNS servers were open to DNS cache pollution (poisoning) and the recommended fix was to disable recursion, that may not be necessary, and it may not be an option in many scenarios. Simply make sure the "Secure cache against pollution" setting is enabled in DNS. Keep in mind, and to veer off topic for the moment, that with Windows 2003 and newer "Secure cache against pollution" is enabled by default; in Windows 2000 it needs to be set. I think that setting should suffice for internal needs and prevent cache pollution for the most part, without affecting DNS performance, and keeps the server secure based on current vulnerabilities. The one case where disabling recursion is the right answer is a server reachable from the Internet that is not your internal resolver: an open recursive resolver can be abused by anyone, so it should answer only for the zones it hosts.
 
If "Do not use recursion for this domain" is enabled on the Forwarders tab (on 2008 and newer the equivalent is clearing "Use root hints if no forwarders are available"), the DNS server passes the query to its forwarders but will not recursively query any other DNS servers (external servers or the root hints) if the forwarders cannot resolve it. This effectively disables root hints and makes the server rely entirely on its forwarders.
 
If "Disable recursion (also disables forwarders)" under the Advanced tab is checked, the server answers only from its own zones and cache. It will not query any other servers, and any configured forwarders are ignored. This is normally set on content-only (authoritative-only) name servers, such as at web hosting companies that host many domain names for their customers but do not want anyone else using the server to resolve outside names.
 
If this is an internal DNS server not exposed to the Internet, "Secure cache against pollution" is set, and it is not offering public name server services for any public records, I think you will be fine leaving the default settings alone.
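The three settings discussed here map onto two cmdlets of the DnsServer module (Server 2012 and later), which makes the posture easy to audit across servers. The following PowerShell is an added example, not code from the original post or from Microsoft: Get-DnsServerRecursion exposes the Advanced-tab "Disable recursion" box as Enable and "Secure cache against pollution" as SecureResponse, and Get-DnsServerForwarder exposes the root-hints fallback as UseRootHint. The function names, the -InternetFacing switch and the wording of the findings are this example's own; Test-OpenResolver assumes it is run from a host outside the server's normal client base.

```powershell
# Added example: audit the recursion / cache-pollution posture of a Windows DNS
# server and confirm the open-resolver question from the outside. Not from the
# original post.

function Get-DnsRecursionPosture {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [switch] $InternetFacing     # set when the server is reachable from the Internet
    )
    $rec = Get-DnsServerRecursion -ComputerName $ComputerName
    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    $findings = @()

    if (-not $rec.SecureResponse) {
        $findings += 'Secure cache against pollution is OFF (default since 2003 is ON): turn it on'
    }
    if ($rec.Enable -and $InternetFacing) {
        $findings += 'recursion enabled on an Internet-reachable server: open resolver; disable recursion and serve only hosted zones'
    }
    if (-not $rec.Enable -and $fwd.IPAddress) {
        $findings += 'recursion disabled but forwarders configured: "Disable recursion" also disables forwarders, so they are dead config'
    }
    if ($rec.Enable -and $fwd.IPAddress -and -not $fwd.UseRootHint) {
        $findings += 'forwarders only, no root-hints fallback: outside resolution depends entirely on the forwarders being up'
    }

    [pscustomobject]@{
        Server              = $ComputerName
        RecursionEnabled    = $rec.Enable
        SecureCache         = $rec.SecureResponse
        Forwarders          = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
        FallbackToRootHints = $fwd.UseRootHint
        Findings            = $findings
    }
}

# Does the server resolve a name it is not authoritative for when asked from here?
# With recursion off it should fail (Refused/ServerFailure) or return a referral
# with no Answer-section records, so this returns $false.
function Test-OpenResolver {
    param([Parameter(Mandatory)] [string] $Server, [string] $Name = 'www.example.com')
    try {
        $r = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        return [bool]@($r | Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'A' }).Count
    } catch {
        return $false
    }
}

# Get-DnsRecursionPosture -ComputerName dc1 | Format-List
# Get-DnsRecursionPosture -ComputerName ns1 -InternetFacing | Format-List
# Test-OpenResolver -Server ns1.publicdomain.example
```

The two checks complement each other: Get-DnsRecursionPosture reads what the server is configured to do, and Test-OpenResolver, run from outside, shows what it actually does for a stranger. An internal DC/DNS server with RecursionEnabled True, SecureCache True and an empty Findings list is the default, and correct, state the text above describes.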


 


Related Links on Recursive and Iterative Queries


Recursive and Iterative Queries – With a recursive name query, the DNS client requires that the DNS server respond to the client […]:
http://technet.microsoft.com/en-us/library/cc961401.aspx


How DNS query works (as DNS servers process client queries using recursion or iteration, they discover and acquire a significant store of information about the namespace):
http://technet.microsoft.com/en-us/library/cc775637(WS.10).aspx


Cool site with a scripted demo showing how it works and the differences between a recursive and interative query:
Recursive/Iterative Queries in DNS (Chapter 2)
http://media.pearsoncmg.com/aw/aw_kurose_network_2/applets/dns/dns.html


 



Ace Fekay

Active Directory DNS Domain Name Single Label Names




Originally Compiled 3/2005


Active Directory DNS Domain Name Single Label Name scenarios are slowly disappearing the more IT admins understand what they are. However, there are installations that are still plagued by this condition, whatever the original cause was, whether lack of research, planning or simply understanding AD’s DNS requirements. This article introduces what a single label name domain name is, and what can be done about it.


FQDN


First, let’s discuss the FQDN. What is an FQDN?


It stands for “Fully Qualified Domain Name.” It is multi-level, or hierarchal, such as:


domain.com
domain.net
domain.local
childdomainname.domain.local
etc


What is a Single Label DNS Domain name?
The name is reminiscent of the legacy-style NT4 NetBIOS domain names, such as:


DOMAIN
CORP
COMPANYNAME
etc


Here is the reason this does not work with DNS, which Active Directory relies on.


DNS


DNS is a hierarchical database. Some call it a "tree": the root (the unnamed "." at the top), then the top level domain such as com or net, then the trunk (the "domain" portion of the name), and the branches (such as www, servername, etc.). The names directly under the root, such as com, edu and net, are known as TLDs (Top Level Domains).


Basically you can look at a DNS domain name as having multiple levels separated by periods. The minimum requirement for an FQDN domain name, such as microsoft.com, is two levels. Then of course come your resource names, such as www or servername, or even child domain names under it.


Notice that with a single label name there is only one name for the domain, or one level? Don't confuse this with the NetBIOS domain name we were familiar with in the NT4 days. AD supports a NetBIOS domain name as well, but only as the NetBIOS name. It is one of the two names chosen when a machine is promoted into a domain controller for a brand new domain in a brand new forest. NT4 neither relied on nor used DNS for its domains. AD, however, does rely on DNS, so its domain name must follow DNS naming rules.


Unfortunately the old NT4-style names are not hierarchical, because there is only one level.
 
Since AD requires and relies on DNS, and DNS is a hierarchical database, a single-label name does not follow any sort of hierarchy, and DNS-based resolution fails with it. Windows 2008, Windows 2003, XP and Vista have problems resolving single-label names because they do not follow the proper format for a DNS domain name, such as domain.com.


Also, Windows 2000 SP4 and all newer machines have problems querying single-label names, as explained below by Alan Wood of Microsoft. Because clients query DNS for AD resources (domain controller locations and other services), they may have difficulty finding them.


How did it happen? Most cases it’s due to lack of research on AD’s DNS requirements, or how it works, or it could have been a simple typo, yet costly typo, when originally upgrading from NT4 or promoting your new AD domain.


Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (or any AD upgrade or installation):
http://support.microsoft.com/default.aspx?scid=kb;en-us;555040


 


Single Label Name Explanation



Another variation of the Single Label Name explanation that I had provided in a response to a post in the DNS and/or AD newsgroups at one time:


The issue is the single-label name. Locally at HQ, the machine joins using NetBIOS; remotely it relies on DNS, and DNS queries do not work properly with single-label names on Windows 2000 SP4 and all newer machines.
Period. Why? Good question. It is based on the fact that DNS is hierarchical, meaning a name must have multiple levels, a minimum of two.


The TLD (top level domain) is the name directly under the root, such as com, net, etc. The client-side resolver algorithm relies on that name as the basis for finding the second-level name (the "domain" in domain.com). Note that the DHCP Client service, which performs dynamic DNS registration even on statically addressed machines, must also be running on every machine.
If the name is a single label, the resolver thinks THAT name is the TLD.


Therefore it goes to the Internet root servers to find who owns and is authoritative for that TLD, just as when looking up microsoft.com: it queries for the COM portion, the roots return the name servers responsible for COM, then it queries those for the servers responsible for microsoft.


If the name is a single label, the query ends there and goes no further. What is funny (sic) is that even though the single-label name is hosted locally in DNS, the resolver will NOT query locally first, because it believes the name is a TLD, so it goes through the normal recursion process, which causes excessive query traffic to the Internet root servers.


How to fix it? Good question. Glad you’ve asked.



1.  The preferred “fix” (in a one line summary), is to install a fresh new domain properly named and use ADMT to migrate user, group and computer accounts into the new domain from the current domain.


2. An alternative is to perform a domain rename, (difficulty depends on the operating system and which version of Exchange is installed).


3. As a temporary resort, you can use the patch/band-aid registry entry that forces resolution and registration, described in the following link. Unfortunately it must be applied to every machine in the domain, including the DCs, member servers, workstations and laptops.


Information About Configuring Windows 2000 for Domains with Single-Label DNS Names:
http://support.microsoft.com/?id=300684


 


Microsoft’s Stance on Single Label Name AD DNS domain names.


The following is Microsoft’s stance on Single Label Names, by Microsoft engineer Alan Wood.


Single label names, from Alan Woods, [MSFT], posted:


—– Original Message —–
From: “Alan Wood” [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS


Hi Roger,


We really would prefer to use FQDN over Single labeled. There are
a lot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.


Example: Single Labeled domain .domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA


If a client in the domain Child2 wants to resolve a name in domainA
Example. Host.DomainA and uses the following to connect to a share
\\host then it is not going to resolve. WHY, because the resolver is
first going to query for Host.Child2.child1.domainA, then it will
next try HOST.Child1.domainA and at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.


Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that.   NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON’T DO IT.  It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.


Microsoft is seriously asking you to NOT do this.  We will support you, but
the end results could be limiting depending on the
services you are using.


Thank you,


Alan Wood[MSFT]


 


Related Articles



Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain
http://support.microsoft.com/kb/555040


Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003:
http://support.microsoft.com/kb/825036


DNS and AD (Windows 2000 & 2003) FAQ:
http://support.microsoft.com/kb/291382


Naming conventions in Active Directory for computers, domains, sites, and OUs (Good article on DNS and other names)
http://support.microsoft.com/kb/909264



Ace Fekay