Ace Fekay again!!!!
Compiled 8/13/2018
I know everyone always has trouble with this topic, as in why doesn’t DNS failover on the client, especially that I set four or five DNS addresses on it??? Why!!!
Because it doesn’t work that way! And NO, it’s not a “Microsoft” client thing or server thing, it’s based on the client side resolver service defined as an industry standard that all manufacturer’s (Microsoft, Apple, Unix flavors, Android, etc) operating systems follow, including your phone.
Topics Covered
- DNS & WINS Resolution Process
- Browser service without WINS across subnets
- Do I need WINS?
- Disabling the Browser service, NetBIOS
- DNS Client side Resolver service Query Process
- DNS Forwarder Resolution and Time Out Process
- If one DC or DNS is down, why can’t I logon to the other DC or not use the second DNS address to find another DC?
- What happens with Exchange and Outlook when when DNS goes down?
- Client side DNS Devolution on Windows 7 and Windows 2008 R2 has Changed
- How does resolution work in a multi-domain forest (with child domains)?
- Troubleshooting the Browser Service
- Related Links
========================================
1. DNS & WINS Resolution Process
Keep in mind, Win2000 and newer machines uses the DNS (hostname) process FIRST before the NetBIOS resolution process. If it does not get resolved using the DNS process, then it uses the NetBIOS process. Legacy pre-Windows 2000 clients, such as Windows NT, Windows 98, Windows 95, Windows 3.1, DOS, etc, use the NetBIOS process FIRST if the queried name is less than 15 characters, and if not, it uses hostname (DNS) resolution. If is is shorter than 15, then it will use NetBIOS, but if it doesn’t get resolved using NetBIOS, only then will it use the DNS hostname resolution process.
If you are using an NBNS (NetBIOS Nameserver, such as WINS), that changes it a bit, and it also depends on what Node it’s in. H-Node is default, but the order can be changed with a registry change. There are four NetBIOS Nodes:
B-Node – Broadcast ONLY
P-Node – NBNS (Netbios Nameserver) or WINS ONLY
M-Node- Mixed NBNS and Broadcast, but uses Broadcast FIRST.
H-Node – Mixed NBNS and Broadcast, but uses WINS FIRST.
Windows 2000 and newer, hostname (DNS or hosts file) resolution is used first before NetBIOS (WINS enabled)
- Checks it’s own name.
- Local hostname (DNS client side resolver) cache
- HOSTS file
- DNS (this is where the search suffix comes in play if a single name query)
- NetBIOS name cache
- WINS
- Broadcast
- LMHOSTS
Windows 2000 and newer – If not using WINS:
- Checks it’s own name.
- Local hostname (DNS client side resolver) cache
- HOSTS file
- DNS (this is where the search suffix comes in play if a single name query)
- NetBIOS name cache
- Broadcast
- LMHOSTS
Prior to Windows 2000 (ME, 95, DOS, 3.1, etc), NetBIOS was tried first, essentially if using WINS:
- Is name longer than 15 characters? If so, perform Hostname (DNS) resolution process. If not, continue…
- Checks it’s own name.
- NetBIOS name cache
- WINS
- Broadcast
- LMHOSTS files
- Local hostname (DNS client side resolver) cache
- HOSTS file
- DNS (this is where the search suffix comes in play if a single name query)
If NetBIOS is disabled, which only disabled the NBT transport and interface, TCP will still use DirectSMB (also called Direct Hosted SMB) in Windows 2000 or newer. If both the direct hosted and NBT interfaces are enabled, both methods are tried at the same time and the first to respond is used. This allows Windows to function properly with operating systems that do not support direct hosting of SMB traffic.
Regarding DirectSMB,
Quoted from Aiden Cao, MIcrosoft, 2/6/2012 in thread:
TechNet Thread question: “Netbios Session Service and SMB” 2/5/2012
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e03e2d52-0761-451a-91e8-40955172f460/
“Previous to Windows2000, Microsoft OS could only use SMB over a NetBIOS session. This means that all SMB traffic will start after NetBIOS session is established. It’s relies on TCP port 139. If we disabled the NetBIOS over TCP/IP, the SMB connectivity was interrupted.
At Windows 2000 and higher version, the OS support both NetBIOS sessions and Direct Hosting. And Direct Hosting of SMB over TCP uses TCP port 445. Since Direct Hosting is not reliant on NetBIOS, NetBIOS over TCP/IP can be disabled and connectivity to resources via SMB is still possible to other machines, with the only caveat with legacy apps that rely on NetBIOS.”
Direct hosting of SMB over TCP/IPRemoving WINS and NetBIOS broadcast as a means of name resolution. DirectSMB uses TCP 445… Direct-hosted SMB’s cannot be disabled in Windows without disabling additional features…
http://support.microsoft.com/kb/204279
More on the client side resolver:
How DNS works, March 28, 2003
Client side process order, etc.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc772774(WS.10).aspx#w2k3tr_dns_how_gaxc
How NetBIOS name resolution really works, By Robert L. Bogue, March 11, 2003
http://www.techrepublic.com/article/how-netbios-name-resolution-really-works/5034239
DNS Hostname Resolution Flowchart:
The following information was quoted from:
Chapter 7: Host Name Resolution
http://technet.microsoft.com/en-us/library/bb727005.aspx
(Image 1): http://technet.microsoft.com/en-us/library/Bb727005.chp7hn01_big(en-us,TechNet.10).gif
Second two images from this link:
Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx
(Image 2): http://i.technet.microsoft.com/Cc940063.CNBC05(en-us,TechNet.10).gif
(Image 3) http://i.technet.microsoft.com/Cc940063.CNBC05B(en-us,TechNet.10).gif
Image1:
.gif)
Image 2 & Image 3:
.gif)
.gif)
NetBIOS Name Resolution Process:
The following two images are quoted from:
Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx
.jpg)
.jpg)
Resolution Process Related Links:
Hostname Resolution – Describes DNS domain name resolution
http://technet.microsoft.com/en-us/library/cc958812.aspx
NetBIOS and Hostname resolution for Microsoft Client and LAN Manager 2.2c Client:
http://support.microsoft.com/kb/169141/EN-US/
Name Resolution Process in detail:
http://www.comptechdoc.org/os/windows/wintcp/wtcpname.html
(This was Updated 1/2012 to reflect Windows 7 & Windows 2008 R2 changes)
========================================
2. Browser service without WINS across subnets
It appears to say that if all machines are Windows 2000 and newer, (nothing older), AD provides NetBIOS resolution for all clients. But it doesn’t say how it goes about doing that. It goes on saying that the backup browsers and master browsers for each segment over a WAN communicate to the PDC, which is the browse master for a domain, over UDP 138, means that AD has a role in this, but is not specific. What appears to be happening is an AD client uses DirectSMB over 445, but I’m not sure. I cannot find anything on the mechanism. I’m one to want to know and learn of the background functions of anything. This is not necessarily so with non-AD clients.
Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001
Common causes and solutions of browser Event ID 8021 and Event ID 8032 on domain master browsers
http://support.microsoft.com/kb/135404
Troubleshooting the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188305
New Networking Features in Windows Server 2008 and Windows Vista (Scroll down and read the “Computer Browse Service” section and its mention that the Computer Browser needs to be running on the PDC Emulator of a domain)::
http://technet.microsoft.com/en-us/library/bb726965.aspx
Windows 2008 – Appendix C – Computer Browser Service
http://technet.microsoft.com/en-us/library/bb726989.aspx
========================================
3. Do I need WINS?
That’s an extremely good question. The answer is it depends. It depends on what apps and services currently running that require NetBIOS name resolution support.
For example, unless it’s been recently changed, Symantec Backup Exec needs it to ‘browse’ for the agent in the network browse list. Therefore, Backup Exec currently uses NetBIOS to assemble a list of all machines on a network to allow you to backup up remote computers whether the agent is installed or not, and giving you the option to install the backup agent.
So it depends on what YOU have running.
For example, Some AV solutions, such as McAfee Enterprise, Symantec, and CA uses NetBIOS to “find” all machines on the network to allow you to rollout installations and administer.
Therefore, you must inventory your infrastructure for applications and sevices that use NetBIOS. If I may suggest, make sure there are no applications running that rely on NetBIOS, such as SQL, Exchange, Netgwork Neighborhood browsing, printer browsing, etc, before pulling WINS out.
And yes, keep in mind Exchange 2000/2003 and Outlook communications require WINS for certain functions, such as Calendaring. This was removed from Exchange 2007 and 2010, and uses a different mechanism.
Here are some relevant links:
Exchange Server 2003 and Exchange 2000 Server require NetBIOS name resolution for full functionality
http://support.microsoft.com/kb/837391
Eileen Brown’s WebLog: Exchange 2003 and WINS
http://blogs.technet.com/eileen_brown/archive/2006/01/26/exchange-wins.aspx
WINS dependencies in Exchange 2003 Server
Summary of Microsoft’s implimentation of WINS Windows Internet Name Service. How even Exchange 2003 makes NetBIOS calls. Implications for a routed network.
http://www.computerperformance.co.uk/w2k3/services/WINS_exchange.htm
If you need WINS and want to learn how to install and configure it, please see the following:
WINS – What Is It, How To Install It, and how to Configure DHCP Scopes For WINS Client DHCP Distribution
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx
How To Install a WINS server:
http://technet2.microsoft.com/windowsserver/en/library/e4d3c3d8-a846-49b9-aac6-e04f2907aac51033.mspx
WINS Best Practices (Use ONLY itself in ip properties):
http://technet2.microsoft.com/windowsserver/en/library/ed9beba0-f998-47d2-8137-a2fc52886ed71033.mspx
========================================
4. Disabling the Browser service, NetBIOS
Just be careful on what you disable. The effects of disabling certain services depend on the operating system version and its role. Disabling a necessary service may disable certain necessary functions on a machine. See section 3 above regarding apps that may be using or need NetBIOS support.
1. You can disable this service on a machine in a domain environment. It dictates whether it participates with becoming an eligible master browser on a subnet. To understand what that means, requires some reading.
Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001
What’s the Microsoft Computer Browser Service?
Disable NetBIOS in W2K/XP/2003 · Hide a Server from the Microsoft Computer Browser … Malicious User Can Shut Down Computer Browser Service:
www.petri.co.il/whats_the_microsoft_computer_browser_service.htm
Computer Browser Service
http://www.theeldergeek.com/computer_browser.htm
2. Leave that running. You need it. It works for all versions of NTLM.
NTLM Security Support Provider.
NTLM SSP is based on Microsoft Windows NT® LAN Manager challenge/response and NTLM version 2 authentication …
http://msdn.microsoft.com/en-us/library/ms925943.aspx
3. If you disable the TCP NetBIOS Helper, you will not be able to map any drives or printers using NetBIOS names or FQDN.
“Network Location Cannot be Reached” Error Message When You Try to … To resolve this issue, start the TCP/IP NetBIOS Helper Service, and then join the domain.
To start the NetBIOS Helper Service, follow these steps:
http://support.microsoft.com/kb/329866
4. One big advise – do not disable the DHCP Client service on any server, whether the machine is a DHCP client or statically configured. Somewhat of a misnomer, this service performs Dynamic DNS registration and is tied in with the client resolver service. If disabled on a DC, you’ll get a slew of errors, and no DNS queries will get resolved.
No DNS Name Resolution If DHCP Client Service Is Not Running. When you try to resolve a host name using Domain Name Service (DNS), the attempt is unsuccessful. Communication by Internet Protocol (IP) address (even to …
http://support.microsoft.com/kb/268674
Windows Vista/2008 and newer, the DNS Client service is now responsible for Dynamic Updates
This has changed in WIndows Vista, Windows 2008, Windows 7 and Windows 2008 R2 – It no longer uses the DHCP Client Services. It now uses the DNS Client Service.
For Windows 2000/2003/XP, the DHCP Client Service is what performs the Dynamic DNS Update process. For Windows 2008/Vista/2008 R2/Windows 7 and all newer operating systems, it is now the DNS Client Service.
Specific details can be found in the following link:
Understanding Dynamic Update, Applies To: Windows Server 2008, Windows Server 2008 R2 (and changes to the DNS Update process from previous operating systems)
http://technet.microsoft.com/en-us/library/cc771255.aspx
Quoted from above article:
“The DNS Client service and the DNS Server service support the use of dynamic updates, as described in Request for Comments (RFC) 2136, “Dynamic Updates in the Domain Name System.”
The documentation after that indicates the DHCP CLient service, but please ignore that. There are a few of us in touch with the dev group about the documentation, and it wil be cleared up.
The point is the DHCP CLient service is no longer responsible for updates.
DHCP (Dynamic Host Configuration Protocol) Basics
http://support.microsoft.com/kb/169289
========================================
5. DNS Client side Resolver service Query Process
The Client Side Resolver Service algorithm on all Windows 2000 and newer machines:
To summarize:
If the first entry responds but doesn’t have an answer, which is what we call an NXDOMAIN response (when the DNS server doesn’t have an answer but it responded), it won’t go to the second entry, because it got an answer, even though it is not the answer we wanted.
If the DNS server does not respond, which we call a NULL response (when the DNS is down and doesn’t respond), it will go to subsequent entries in the order entered after a time out period, or TTL, which can last 15 seconds or more as it keeps trying the first one, at which then it REMOVES the first entry from the “eligible resolvers” list, until the list is reset after 15 minutes, and either restart the DHCP Client Service (on 2000/2003/XP), (ipconfig /flushdns), restart the DNS Client Service (on 2008/Vista and all newer), or restart the machine.
.
For specifics, the Microsoft DNS Whitepapers is a good start. Here’s more:
DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx
The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760
Technet Thread: “problem with secondary dns”
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/8fc4597c-d64e-4a87-9cfe-5fe159df5735/
.
Other references:
How to Disable Client-Side DNS Caching in Windows XP and Windows …Oct 12, 2007 …
To disable the DNS cache permanently in Windows, use the Service Controller tool or the Services tool to set the DNS Client service startup …
http://support.microsoft.com/kb/318803
How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc
Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003 (Read the part about the client side resolver algorithm and the client side resolver service timeout when querying multiple DNS entries)
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036
W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp
How DNS query works Domain Name System(DNS):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/0bcd97e6-b75d-48ce-83ca-bf470573ebdc.mspx
DNS Resolver Cache Service [incvluding NetFailureCacheTime and NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp
286834 – DNS Client Service Doesn’t Revert to Using First Server in List [explained in the DNS white papers] reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834
261968 – Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968
SP4 Changes DNS Name Resolution – Actual Query Timeout settings the resolver uses – (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550
Linux and Unix client resolver works pretty much the same:
That is correct, this behavior ALSO applies to Non-Microsoft operating system client side resolver, such as the Linux/Unix Client Side Resolver
Thread: Re: Complex DNS Resolver Question – DNS
http://fixunix.com/dns/220126-re-complex-dns-resolver-question.html
Quoted from the above link:
If the hostname is not found, then you want to query
a local nameserver to locate the information. That is not how DNS
operates. If a queried nameserver is unaccessible, then DNS will query
another nameserver, providing that there is a second nameserver
configured. But if the first nameserver returns NXDOMAIN (the record
you requested is not in DNS), then the result returned to the client is
NXDOMAIN. The DNS protocol is not set up to look elsewhere for the
record, especially if the first nameserver returns NXDOMAIN
authoritatively.
Client Side Options If a DC goes down:
Run the following command line to fix this problem on your Active Directory clients by emptying the DC Locator cache (Replace “DomainName” with the Fully Qualified Domain Name (FQDN) of your Active Directory domain:
nltest /dsgetdc:DomainName /force
Domain Controller Stickiness Prevention
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/06/24/domain-controller-stickiness-prevention.aspx
AD Clients Not Authenticating to its Local Site
http://blogs.dirteam.com/blogs/paulbergson/archive/2010/04/19/ad-clients-not-authenticating-to-its-local-site.aspx
========================================
6. DNS Forwarder Resolution and the Time Out Process
Information on how a DNS Forwarder time-out works with using multiple Forwarder:
Keep in mind, if you have too many forwarders listed, and only one is recommended (I believe 6 is the most it will use), the client side resolver may time out waiting for the 4th forwarder to get queried and will go to the next DNS server listed in the client’s IP properties.
Configure a DNS server to use forwarders (you can change the time-out period)
http://technet.microsoft.com/en-us/library/cc773370.aspx
Good post by Kevin Goodnecht explaining the forwarders time out and scenarios with too many Forwarders listed.
http://help.lockergnome.com/windows2/Strange-forwarding-issues-ftopict482618.html
Quoted from above link:
“Actually, the DNS service will stick to the Forwarder that provides an answer, no matter where it is in the list, if one forwarder times out (no answer) it will move to the next forwarder in the list, if the next forwarder provides an answer it uses it until it times out. The problem for you is, that it may not get back around to the first forwarder, before the Forwarding timeout expires, and it starts using recursion itself and goes to the root hints.
Now, if you check the box “Do not use recursion” the DNS server will use only its forwarders, and will not use root hints. But this cannot guarantee that one of the other servers being used as a forwarder answer the query.
I recommend that if there is a domain that cannot be reached through the internet root, that you add a secondary zone for that domain on the Win2k DNS server.”
Comment on Forwarders:
DNS acts as a resolving client when it uses a Forwarder because as the explanation indicated, it is sending the request elsewhere, essentially offloading the request so it doesn’t have to hit the Roots to devolve the query. If there are multiple Forwarders, DNS will hit each Forwarder. If it runs out of Forwarders, only then will it use the Roots, unless the checkbox to disable recursion is set under the Forwarders tab (not the Advanced tab). But then that all takes time. Keep in mind there is a time out that a client will wait, so if the original client request that sent it to your DNS server is waiting beyond the time out period, and the DNS server is waiting on it’s resolution request from a Forwarder, and the time out period is reached and no response is received, the client will assume that the DNS address that it used is no good and will remove it from the ‘eligible resolvers list’ and then query the second one.
If a DNS server that is set as a Forwarder is no longer functioning, or if whomever owns the server decides to disable Recursion, which will make it not respond to queries to zones it does not host (effectively making it a content only server), or is controlling it by “views” ( a BIND feature to control what subnets it responds to for queries), then the DNS service will follow a time-out (TTL or Time to Live) algorithm when it sends the query to the first Forwarder in the list. If there is no response (NULL response) after the TTL, then it eliminate that Forwarder for this query only, and it will then send the query to the next Forwarder in the list. If none of the Forwarders respond, the DNS service will then send the query to the Root Hints to devolve the query.
Now – and this is an important “now,” if there are many DNS servers listed in the Forwarders list, such as 3 or 4, the time out value for the number of Forwarders listed may exceed the timeout (TTL) the client side resolver service is set to by default (on the client machine making the request), therefore receiving that familiar ‘HTTP 404 not found’ in the browser.
For practical purposes understanding the TTLs, I would suggest to never set more than two Forwarders.
To find out if a DNS server will respond to queries and be eligible to use as a Forwarder, you can test it by using the nslookup utility (use set -d2 option and look for ‘recursion available’ or ‘recursion not available’
So for all practical purposes, I never set more than two Forwarders, otherwise what’s the use? If the first two can’t resolve it, it probably is not resolvable anyway.
========================================
7. If one DC or DNS server goes down, why can’t I logon to the other DC or not use the second DNS address to find another DC?
Which begs the eternal philosophical question:
If a Domain goes down in a forest, and there’s nobody there, did it crash?
—
Keep in mind that if any of the DCs are multihomed (more than one NIC and/or
IP), you are using your ISP’s DNS, or the domain is a single label name
(‘domain’ versus the recommended minimum of ‘domain.com,’ domain.local,’ etc),
other problems will occur, and you will get unexpected and undesireable
results whether there is one DC down or not.
As for the second DC responding, this all depends on the DNS settings on the
client side, as well as if the previous logon server and record was cached.
It will use the second address, but only after a timeout period the client is waiting for a response from the server. You need to understand how the client side resolver works. As stated above in section #5:
- If the first entry responds but doesn’t have an answer, which is what we call an NXDOMAIN response (when the DNS server doesn’t have an answer but it STILL responded), it won’t go to the second entry, because it got an answer, even though it is not the answer we wanted.
- If the DNS server does not respond, which we call a NULL response (when the DNS is down and doesn’t respond), it will go to subsequent entries in the order entered after a time out period, or TTL, which can last 15 seconds or more as it keeps trying the first one, at which then it REMOVES the first entry from the “eligible resolvers” list, until the list is reset after 15 minutes, or after you clear the client side cache (ipconfig /flushdns), or restart the DHCP Client Service (on 2000/2003/XP), restart the DNS Client Service (on 2008/Vista and all newer), or restart the machine.
.
To put it another way:
If the query sent to the first entry in the DNS list responds with an NXDOMAIN response, meaning it is an actual response, but there is no record from the server it asked, then it will look no further because it is a response. however if it receives a NULL response, meaning the DNS server is down and there is no response, it will remove the first entry from the ‘eligible resolvers list’ for a certain amount of time (depending on the OS version and SP level), then send the query to the second one. However, if the record is already cached, it won’ even ask the first entry. Hence why the possibility that the client machine is asking a DC that is down.
Summary:
As I mentioned, this is ALL based on the client side resolver, not the DNS server. This time out period can be perceived as by someone sitting there waiting as ‘it’s not working’ because it appears to be taking so long. Also,
if it is already cached locally by the client side service, it will not ask and will send the connection request to the cached record, which if it is the server that is down, then it can’t connect anyway, and no response, but you may be sitting there expecting it to go to the other DC that is up. The way to reset the list is to restart the DHCP Client service (not the DHCP server) on the workstation, and the way to delete the cache on the client is to run ipconfig /flushdns, or simply restart the machine.
Or simply disable the DNS Client Side caching mechanism. It’s not suggested to do this due to performance and especially if you have many machines in the infrastructure. However for testing, you can give it a shot:
How to Disable Client-Side DNS Caching in Windows XP and Windows …Oct 12, 2007 …
To disable the DNS cache permanently in Windows, use the Service Controller tool or the Services tool to set the DNS Client service startup …
http://support.microsoft.com/kb/318803
========================================
8. What happens with Exchange and Outlook when when DNS goes down?
Exchange uses its Own fault tolerent serivice DSaccess that is responsible for providing directory information to exchagne servers. DsAccess fires every 15 minutes will change the server it relies on on its own DC DSAccess location process. For more info on its process, see:
Directory service server detection and DSAccess usage
http://support.microsoft.com/kb/250570
But in addition, this goes back to the depending on on the client side resolver as well, which I covered above under the, “If one DC is down, why does it not logon to the other DC? Or If first DNS
is down, will it use the second DNS to find another DC to logon?”
Also with Exchange involved, it becomes a little trickier. Keep in mind, when Outlook 2002 and newer first connects, it is provided a DsProxy value for the GC that Exchange is using. Outlook will now cache it. If the GC goes down, even if there are other GCs up, Outlook will not ‘look’ for another GC. You have to literally restart Outlook. As for Exchange, Exchange will lock onto that GC as well, and if it goes down, it will indicate so in the event logs with numerous DSAccess errors until the GC is back up. The only way to circumvent that is to go into Exchange and manually change the DC/GCs
it was discovered with the automatic discovery process and changing it to manual and remove the downed GC. But the Outlook clients will still need to be restarted. However if you have multiple Exchange servers, it needs to be done on each one. If you have ISA, it needs to be restarted. Otherwise, it’s best to get the GC back up, and Exchange errors will disappear, however Outlook will still have a problem.
I’ve seen this while working in a 5000 user system with 20 Exchange servers. It was due to the AD group running Windows updates on the DCs. We talked them into doing it after hours. It was a pain. If you have BES servers, they need to be restarted after the GC is back up, too.
Keep in mind as well, that other Exchange related applications that rely on MAPI just as Outlook, such as BES servers (Blackberry Enterprise Server), need to be restarted for them to reinitialize.
Keep in mind too, that in a single domain scenario, all DCs should be Global Catalogs. If there are more than one domain in the forest (child domains), then the IM role cannot be on a GC. If Exchange is involved, access to Exchange may be affected by the GCs and DCs it’s been configured to use, and whether they are down or not. This would not be a DNS function, rather it is the DSAccess and DSProxy function on Exchange.
I hope that makes sense.
Also I am providing some links on it, however, sorry about all the links, however they will give you a better understanding of it and how it applies. They all give little but in some cases not the whole picture. The DNS Whitepaper is pretty good to start with.
========================================
9. Client side DNS Devolution on Windows 7 and Windows 2008 R2
Devolution is when the parent suffix is derived when there are child suffixes. For example, if in a machine is joined to a child domain “sales.test.com,” then “test.com” is devolved from “sales.test.com.”
Therefore, if “fileserver1” is not resolved in “sales.test.com” the client side resolver service on a client (keep in mind, DCs are DNS clients, too), will attempt to resend the query with the parent suffix.
It is best to design your forest infrastructure with unique hostnames so if “fileserver1” doesn’t exist in a child, it doesn’t exist anywhere else. Having a computername called “fileserver1” in a child domain and another domain, is not a good practice, nor is it a best practice. Uniqueness is the key across a forest.
DNS Devolution
Published: October 21, 2009, Updated: July 7, 2010, Applies To: Windows 7, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ee683928(WS.10).aspx
Quoted:
Devolution is not enabled in Active Directory domains when the following conditions are true:
1. A global suffix search list is configured using Group Policy.
2.The Append parent suffixes of the primary DNS suffix check box is not selected on the DNS tab in the Advanced TCP/IP Settings for IPv4 or IPv6 Internet Protocol (TCP/IP) Properties of a client computer’s network connection. Parent suffixes are obtained by devolution.
========================================
10. How does resolution work in a multi-domain forest (with child domains)?
If you have a hostname record, for example, called “Computer,” in both the parent domain and child domains, nslookup will resolve the IP address of hostname.domain.local without query or using the child domain suffix. This is part of the devolution process that starts with the higher level domain and works down.
Further, if you have a hostname record, for example, called “Computer,” in both the parent domain and child domains, nslookup will resolve the IP address of hostname.domain.local without query or using the child domain suffix. This is part of the devolution process that starts with the higher level domain and works down. The devolution to the upper hierarchal levels is limited to the forest root domain level in the forest.
For example, if you have a forest root of ad.domain.local, and you have a child domain called child.ad.domain.local, the client side resolver will limit devolution of it’s joined domain and to the forest root domain, and will not go any higher, and will not devolve or populate domain.local as a Search Suffix, since that domain name does not exist in the forest.
Therefore, if you have a DNS suffix search list, the resolver adds those DNS suffixes in order and does not try any other domain names. In this case, if you submit the unqualified name ‘Computer,’ the resolver queries in order for the following FQDNs:
- hostname.domain.local
- hostname.child.domain.local
Based on the example, below shows that such a client in this scenario will only devolve the following two, and not “domain.local,” as was previous to Vist/2008.
- child.ad.domain.local
- ad.domain.local
More info on this behavior:
Host Name Resolution Order
http://support.microsoft.com/kb/172218/en-us
Configuring Query Settings:
http://technet.microsoft.com/en-us/library/cc959339.aspx
DNS client name resolution behavior in windows vista VS Windows XP
http://blogs.technet.com/b/networking/archive/2009/04/16/dns-client-name-resolution-behavior-in-windows-vista-vs-windows-xp.aspx
If you have a hostname record, for example, called “Computer,” in both the parent domain and child domains, nslookup will resolve the IP address of hostname.domain.local without query or using the child domain suffix. This is part of the devolution process that starts with the higher level domain and works down.
========================================
11. Troubleshooting the Browser Service
Keep in mind, each subnet has it’s own master browser, and they work together with the WINS service using WINS, to enumerate an infrastructure wide browse list. If not using WINS, it uses broadcasts, but if you are in a multi-subnetted environment, and you want full browsing capabilities, it’s suggested to use WINS.
We have to keep in mind with troubleshooting the browser service, there is a time period you have to wait for the list to fully enumerate and become available on the master.
Good example is when a server is shut off on a segment, and the workstations kick in, or the server is rebooted, wins the election, and begins a new cycle to enumerate the browse list from WINS and/or broadcasts. This can take a minimal of 12 minutes, upwards to the 48-minute full propogation cycle in a multiple-segment domain environment.
And the default settings out-of-the-box, works fine, otherwise you’ll find yourself trying to change reg entries on multiple servers.
If you find workstations are becoming masters, are there any server operating systems on their subnets? If not, then a workstation will win as a master. If there is a server OS, and it’s not multihomed, especially if a DC on the subnet and it’s not multihomed (multihoming a DC is a really bad idea), then it should win, unless there’s a problem with the machine itself, such as some sort of security setting in your antivirus blocking traffic, or firewall blocking traffic on it.
Some basic things to look for and use:
- Make sure the Computer Browser service is Started.
- Make sure NetBIOS is enabled on everything.
-
On Windows 2003 and 2000, install the Support Tools (from the Windows CDROM) in order to have the “browstat” utility available. In Windows 2008 and newer, the utility is already installed as part of the operating system files.
Multihomed DC?
Note: A multihomed DC is a major cause of browser problems. Multhoming DCs is not recommended for multiple reasons, including a “Multihomed Browser” scenario. More info regarding multihoming and why not to do it:
Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters – A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly.
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx
Browser Troubleshooting Steps
If there are any antivirus software, it could block browser traffic. This of course is all assuming that the Computer browser service is running.
Run a browstat status to see who the browse master is for the segment. If it’s not the PDC Emulator, and some other device won the election, that can cause a problem.
To check current status of the browse service on the domain, run:
browstat status
You should get a response similar to:
Browsing is active on domain.
Master browser name is: <serverName>
Note, the machine that is the current master browser will either be, depending if the machine type exists on the segment: the PDC Emulator, a replica DC on the segment, a member server, joined workstation, or workgroup member, Unix or Linux with SAMBA, etc. If you find a device is winning the election, then we need to disable that ability in the device. If there are no features for that, contact their support department, or put the device behind it’s own subnet or VLAN to prevent it from winning the election on the production network.
To find the current browse master on a segment, you’ll have to find the TransportID:
First run:
browstat getmaster \device\netbt_el59x1 <domainname>
It will error out because the “netbt_el59x1” probably doesn’t exist, and will respond with the transports currently bound to the browser. Copy and paste the transport that does show up into your next command:
browstat getmaster \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>
Force an election by running:
browstat elect \device\netbt_ieepro1 <domainname>
Then check the event logs to see which machine won the election. If it’s a device, such as I’ve found that Linux/Unix with SAMBA, or devices such as a Seagate NAS, may win the election and cause browsing havoc within an environment and get that familiar, but unwanting “Access Denied” when trying to browse.
Troubleshooting the Microsoft Browser Services:
http://support.microsoft.com/kb/188305
========================================
Related Links
DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx
The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760
ForwardingTimeout (registry settings)
http://technet.microsoft.com/en-us/library/cc940784.aspx
Appendix C: Windows Sockets and DNS Registry Parameters
For Resolver time out, see DNSQueryTimeouts
http://technet.microsoft.com/en-us/library/cc781532(WS.10).aspx
Change description of following to show its for NT4
SP4 Changes DNS Name Resolution – Actual Query Timeout settings the resolver uses – (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550
How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc
DNSQueryTimeouts – How to control the client side resolver time out value in the registry)
http://technet.microsoft.com/en-gb/library/cc977482.aspx
W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp
DNS Resolver Cache Service [incvluding NetFailureCacheTime and NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp
DNS Client Service Doesn’t Revert to Using First Server in List [explained in the DNS white papers] reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834
261968 – Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968
SP4 Changes DNS Name Resolution – Actual Query Timeout settings the resolver uses – (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550
Summary
I hope this helps! If you have any questions, and I’m sure you do, please feel free to reach out to me.
Major revision – Published 3/20/2018
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Mobility
As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.
I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.
I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.
Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
![clip_image0023[2]](https://blogs.msmvps.com/acefekay/files/2016/10/clip_image00232-1.jpg "clip_image0023[2]"){kind=small}
![clip_image0043[2]](https://blogs.msmvps.com/acefekay/files/2016/10/clip_image00432-1.jpg "clip_image0043[2]"){kind=small}
![clip_image0063[2]](https://blogs.msmvps.com/acefekay/files/2016/10/clip_image00632-1.jpg "clip_image0063[2]"){kind=small}
![clip_image0083[2]](https://blogs.msmvps.com/acefekay/files/2016/10/clip_image00832-1.png "clip_image0083[2]"){kind=small}
![clip_image0103[2]](https://blogs.msmvps.com/acefekay/files/2016/10/clip_image01032-1.jpg "clip_image0103[2]"){kind=small}
![clip_image0123[2]](https://blogs.msmvps.com/acefekay/files/2016/10/clip_image01232-1.png "clip_image0123[2]"){kind=small}
![clip_image0143[2]](https://blogs.msmvps.com/acefekay/files/2016/10/clip_image01432-1.jpg "clip_image0143[2]"){kind=small}
![clip_image0163[2]](https://blogs.msmvps.com/acefekay/files/2016/10/clip_image01632-1.png "clip_image0163[2]"){kind=small}
it’s configured. 
