DNS Client side Resolver Service and DNS Forwarders Query Algorithm

As many of you who follow my blogs know, I originally blogged about the client side resolver a few years ago. That can be found here:

http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

I think that many readers may have missed this portion because of the size of the blog, since after all it’s buried in one of the sections. Therefore, I thought to just specifically blog about it and get right to the point.

Background:

An internal DNS infrastructure is usually designed to support internal host name resolution for internal hosts only. This is the goal whether it’s for an AD infrastructure or a non-AD infrastructure; otherwise, why bother with DNS internally?

This is of course, especially true with AD. AD uses DNS. DNS stores AD’s resource and service locations in the form of SRV records, hence how everything that is part of the domain will find resources in the domain.

If the ISP’s DNS is configured in any of the internal AD member machines’ IP properties (including all client machines and DCs), the machines will be asking the ISP’s DNS “Where is the domain controller for my domain?” whenever they need to perform a function, such as a logon request, DC to DC replication communications, querying and applying GPOs, and more. Unfortunately, the ISP’s DNS does not have that info and replies with an “I dunno” response, and things just fail.

Using an ISP’s DNS, or the router as a DNS address, is analogous to asking the first passerby on the street, “Hey, where’s that case of beer that was in my refrigerator last night?” He’ll either not have an answer, or he’ll tell you his friends took it, which is the wrong answer anyway.

The Client Side Resolver Service algorithm on all Windows 2000 and newer machines:

Mixing the internal DNS and an external DNS, such as the DC as the first DNS entry and the ISP’s DNS (or even your router’s IP address) as the second entry, will do the same thing. This is because of the way the client side resolver service works on all machines (DCs and clients). The following should help you better understand the client side resolver algorithm when attempting to resolve DNS names.

To summarize:

If a DNS query has already occurred and the client has already received a response, then the response is cached in the local resolver cache for the TTL of the DNS host record. You can run “ipconfig /displaydns” to show what’s in the cache and the remaining TTL of the host record. You can repeat the command to see the TTL count down to 0, at which point the record disappears from the cache.

If there was no prior query and it’s not cached or the TTL has expired, and if there are multiple DNS entries on a machine’s NIC (whether a DC, member server or client), it will ask the first entry first.

  • If it receives a response, even if the DNS server does not have the zone data (such as if you were to use your ISP’s DNS or your router as a DNS address and expect that to work with AD), then the response will be an NXDOMAIN or NACK. That still counts as a response, even though it was the wrong answer, and the resolver will not go to the next DNS entry in the NIC’s list.
  • If the first entry doesn’t respond at all, which is a NULL response (no response, such as if the DNS server is down), the resolver will go to the second entry after a time-out period, which can last 15 seconds or more as it keeps trying the first one. At that point it REMOVES the first entry from the eligible resolvers list and won’t go back to it for another 15 minutes (unless forced by restarting the DNS Client service). This can also happen when a DC/DNS is down, or taken offline purposely for some reason, such as performing DC maintenance during production hours; it may cause issues within AD when accessing a resource such as a printer or folder, getting GPOs to function, etc. You can also reset the eligible resolvers list by:
    • If using Windows 2008/Vista and newer, restarting the DNS Client service
    • If using Windows 2000, 2003 or XP, restarting the DHCP Client service
    • Configuring a registry entry to force the TTL to reset the list after each query
    • Running ipconfig /flushdns
    • Restarting the machine

If the ISP’s DNS is the first one in the list in the NIC’s properties, obviously it will be knocked out when a client is trying to log on.

This will be noticed as a significantly long logon time the client experiences before it goes to the second one, your internal DNS. So now the first one is knocked out for 15 minutes. Then say the client decides to go to an internet site. It will be querying the internal DNS at this point. As long as the internal DNS is configured with forwarders to an outside DNS, or uses its Root Hints, it will resolve it.

Specifics on the resolver process:

Understanding the DNS Client Service and how Name Resolution works
http://networkadminkb.com/KB/a118/understanding-dns-client-service-how-name-resolution-works.aspx

Don’t Use your ISP’s DNS or your Router as a DNS Address on any Machine

So why even bother with an ISP’s DNS in the client? This is another good reason to ONLY use the internal DNS server in the VPN’s DHCP service for VPN clients. Keep in mind, the client will probably be configured with an ISP’s DNS anyway while outside the network. Fine; otherwise it can’t find the VPN server on the internet anyway. But once the VPN authenticates and is connected, the VPN interface will be first in the binding order, and you WANT to have only the internal DNS servers in that interface.

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP (applies to Vista and newer, too)
http://support.microsoft.com/kb/320760

Therefore, the ISP’s DNS, some other external DNS server, or using the router as a DNS address, should not be used in any internal AD client or any other machine that is part of the AD infrastructure that must find a domain controller in order to function.
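To turn the resolver algorithm and the “don’t use your ISP’s DNS” rule above into a check, here is an added PowerShell audit script (not part of the original post). It lists each adapter’s DNS servers in order, sends each one the DC locator SRV query, and maps the reply onto the resolver behaviour just described. It assumes Windows 8 / Server 2012 or newer for Get-DnsClientServerAddress and Resolve-DnsName; $InternalDns, $AdDomain and the error-message match in Test-DcLocatorAnswer are assumptions you adjust.

```powershell
# Added audit script, not from the original post. Assumes Windows 8 / Server 2012 or newer
# (DnsClient module: Get-DnsClientServerAddress, Resolve-DnsName). $InternalDns and $AdDomain are
# placeholders you fill in; the 10.10.100.x addresses are taken from the post's GOOD example.
$InternalDns = @('10.10.100.20', '10.10.100.30')
$AdDomain    = 'contoso.com'
$DcLocator   = "_ldap._tcp.dc._msdcs.$AdDomain"   # the SRV record a domain member must resolve to find a DC

function Test-DcLocatorAnswer {
    # Classify one server's reply the way the client side resolver sees it
    param([string]$Server, [string]$Name)
    try {
        $null = Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop
        return 'ANSWER'
    } catch {
        # Assumption: Resolve-DnsName reports NXDOMAIN with "does not exist" in the error text;
        # anything else (no reply, server failure) is treated as no usable answer
        if ($_.Exception.Message -match 'does not exist') { return 'NXDOMAIN' }
        return 'NO-RESPONSE'
    }
}

$adapters = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }
foreach ($adapter in $adapters) {
    Write-Host "Adapter: $($adapter.InterfaceAlias)"
    $position = 0
    foreach ($server in $adapter.ServerAddresses) {
        $position++
        $result = Test-DcLocatorAnswer -Server $server -Name $DcLocator
        $verdict = switch ($result) {
            'ANSWER'      { 'OK: answers the DC locator query' }
            'NXDOMAIN'    { 'BAD: replied NXDOMAIN; the resolver accepts that answer and never tries the next server' }
            'NO-RESPONSE' { 'WARN: no reply; after the time-out the resolver drops this server for 15 minutes' }
        }
        if ($InternalDns -notcontains $server) {
            $verdict = "BAD: not an internal DNS server (ISP or router address). $verdict"
        }
        Write-Host ("  #{0} {1,-16} {2}" -f $position, $server, $verdict)
    }
    if ($position -gt 3) {
        Write-Host '  WARN: more than three DNS entries; the resolver time-out means later ones are rarely reached'
    }
}
```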

Ipconfig examples:

  • BAD EXAMPLE

In this BAD example, there is a mixture of internal and external DNS servers. On top of that, there are just way too many DNS servers; because of the client side resolver time-out, it will never get beyond the third one, if that.

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Computer1
   Primary Dns Suffix  . . . . . . . : contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : contoso.com
   Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6250 AGN
   Physical Address. . . . . . . . . : 64-80-98-11-5C-24
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::81ba:f421:cced:8826%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.100.58(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, March 24, 2014 10:07:18 AM
   Lease Expires . . . . . . . . . . : Saturday, April 05, 2014 10:45:58 PM
   Default Gateway . . . . . . . . . : 10.10.100.1
   DHCP Server . . . . . . . . . . . : 10.10.100.20
   DHCPv6 IAID . . . . . . . . . . . : 308576409
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-E1-F4-6D-04-11-22-67-01-15-21
   DNS Servers . . . . . . . . . . . : 10.10.100.20
                                       208.67.222.222
                                       208.248.240.23
                                       4.2.2.2
                                       4.3.4.4
                                       10.10.100.30
   NetBIOS over Tcpip. . . . . . . . : Enabled

  • GOOD EXAMPLE – You can see only the internal DNS servers are specified.

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Computer1
   Primary Dns Suffix  . . . . . . . : contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : contoso.com
   Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6250 AGN
   Physical Address. . . . . . . . . : 64-80-98-11-5C-24
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::81ba:f421:cced:8826%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.100.58(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, March 24, 2014 10:07:18 AM
   Lease Expires . . . . . . . . . . : Saturday, April 05, 2014 10:45:58 PM
   Default Gateway . . . . . . . . . : 10.10.100.1
   DHCP Server . . . . . . . . . . . : 10.10.100.20
   DHCPv6 IAID . . . . . . . . . . . : 308576409
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-E1-F4-6D-04-11-22-67-01-15-21
   DNS Servers . . . . . . . . . . . : 10.10.100.20
                                       10.10.100.30
   NetBIOS over Tcpip. . . . . . . . : Enabled

Configure a Forwarder Using your ISP’s DNS

That’s your best bet. It’s easy.

  • Open the DNS console
  • Right-click the DNS server name
  • Choose Properties
  • Click the Forwarders tab.
  • Enter the ISP’s DNS address in the Forwarders list.

Also keep in mind that if you have more than two or three Forwarders, the third one will probably never get checked because of the time-out of the client side resolver service *waiting* for a response to a query.

Router’s IP as a DNS Service

Don’t do it! Your router is NOT a DNS server. If you do, the router will proxy the query to its outside interface, which will more than likely be using the ISP’s DNS. So that won’t work. Remove it from every machine as a DNS address.

Summary

I hope that helps understand why not to use an ISP’s DNS in your internal network.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


DNS Dynamic Updates in a Workgroup

==================================================================
==================================================================
Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
   Microsoft Certified Trainer
   Microsoft MVP: Directory Services
   Active Directory, Exchange and Windows Infrastructure Engineer and Janitor

www.delcocomputerconsulting.com

Prelude

So the machines and devices you want to register into DNS are not in an Active Directory. Therefore, that means none of your Windows computers have been configured with a Primary DNS Suffix. When you join a computer to a domain, one of the many things that occur on the computer is that the Primary DNS Suffix is automatically configured, which matches the name of the AD DNS domain name, which should also be identical to the DNS zone name.

And further, as we already know, that’s what a computer needs to register into a zone with the same name. If you weren’t aware of this basic requirement, you can catch up on how Dynamic DNS registration works by reading my other blog:

AD & Dynamic DNS Updates Registration Rules of engagement
https://blogs.msmvps.com/acefekay/2012/11/19/ad-dynamic-dns-updates-registration-rules-of-engagement

Primary DNS Suffix

However, workgroup computers normally do not have a Primary DNS Suffix, unless you’ve already manually configured all of them. Neither do other devices, such as mobile phones, tablets and other non-Microsoft products.

No fret. We can make this work without a Primary DNS Suffix. After all, non-Windows devices, such as phones and tablets, do not have such a setting to configure.

There are actually a number of ways to get this to work. One way is to force the Primary DNS Suffix on your Windows workgroup computers by using a registry script (outlined later below). However, that will only be good for your Windows computers. What about those non-Windows devices?

To register your Windows computers and non-Windows devices, an easier way to go about it is to use Windows Server DHCP to register all leases into the DNS zone. We can do this by using the DHCP service on a non-AD joined Windows Server configured with DHCP credentials, DHCP Option 015, and configured to force all leases to register into the zone whether the device has the ability to register on its own or not.

The credentials allow DHCP to own the record, so in case the device leaves and returns at a later date and gets a new IP, the DHCP service can update the old host record in DNS with the new IP. Without credentials, the device will update, but it may not be able to update its old record, and then you may wind up with duplicate host entries in the zone. Of course, we wouldn’t want that.

Use Windows DHCP to Force Register All Leases

The first thing we need is a Windows Server with the DHCP and DNS services installed and running. To provide a 30,000’ view of what’s involved, we start by creating a regular, non-Administrator, local user account on the server that DHCP will use as credentials for registration. And to stress what I just said, it does NOT have to be, nor should it be, an Administrator account. It should just be a plain-Jane user account, but give it a really strong password. In an AD domain environment, the credentials would be a plain-old AD Domain User account. But in this case, it’s a local User account. Then configure DHCP to force update all records, whether the entity can register or not.

Zone’s NS & SOA Entries

For the DNS service to work properly, the DNS server itself must have its own host (A) record registered in the zone, as well as be registered as an NS record in the zone’s properties. This means that the Windows server DNS is installed on must be configured with a Primary DNS Suffix matching one of the zones that DNS will be authoritative for (meaning that DNS is hosting the zone). We usually pick the main zone for the company environment. Once configured, this part will occur automatically. If it doesn’t have a Primary DNS Suffix, then this automatic part will not happen.

You can easily tell if any Windows computer has a Primary DNS Suffix by a simple ipconfig /all; however, I’m sure you already know if your server has one configured or not, since this must be done manually on a workgroup computer. As stated, an AD joined computer (server or workstation) will automatically configure itself with a Primary DNS Suffix that matches the AD DNS domain name.

Detailed Steps:

  1. First, assuming you haven’t already installed DNS and created a zone, install the DNS service Role (yes, it’s a Role, not a Feature) using Server Manager in Windows Server 2008, 2008 R2, 2012, and newer.
     Install a DNS Server
     http://technet.microsoft.com/en-us/library/cc725925.aspx
  2. Once installed, create your zone, such as adatum.com. In the zone properties, make sure you allow dynamic updates. Note that with DNS on a non-DC, the only options are “None” or “Nonsecure and secure,” so you have no choice other than “Nonsecure and secure.”
  3. Obviously it’s important that the DNS & DHCP server is set to a static IP configuration. Pick an IP, and stick to it. Then make sure that the server itself is ONLY using its own IP as the DNS entry in its NIC. No others must be in here, otherwise you’ll get unexpected and possibly undesired results.
     • I need to stress that this is extremely important.
     • If you have any computers in the environment that have a static IP address configured (not getting an IP from DHCP), you must also make sure they are configured with only your own Windows DNS server’s IP.
     • If you’ve configured it with your ISP’s DNS because you thought that’s what you need for internet resolution, that’s wrong, and more importantly, that computer will not register nor be able to resolve internal hosts.
     • Same thing using your router (either ISP provided, or something you bought from a retail store such as a Linksys, Dlink, etc.). Do not use your router as a DNS address. They are not DNS servers; they only proxy to an external DNS, which is useless if you are running DNS internally.
     • And no, you CAN’T mix internal and external DNS entries. It doesn’t work that way. It’s not a DNS server thing; rather, it’s based on how the DNS client side resolver algorithm works. For a technical explanation for the technically curious, please read my blog explaining it:
       http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
     • The DNS server can use Root Hints to resolve internet names. Or you can configure a Forwarder:
       Configure a DNS Server to Use Forwarders – Windows 2008 and 2008 R2 (includes info on how to create a forwarder)
       http://technet.microsoft.com/en-us/library/cc754941.aspx
  4. Configure a Primary DNS Suffix on the Windows Server that’s hosting DNS. To do that:
     • Go to Start
     • Right-click Computer, Properties
     • In the Computer Name tab, click Change settings
     • Then click Change
     • Then click More
     • Type your domain name here.
     • Click OK a few times, and restart the server.
  5. After the restart, make sure it registered into your zone, for example contoso.com. You can simply check by running an ipconfig /all and looking for the Primary DNS Suffix name.
     For more information on all the info that an ipconfig /all provides, please read the following:
     Why do we ask for an ipconfig /all, when we try to help diagnose AD issues and other issues?
     https://blogs.msmvps.com/acefekay/2013/03/02/why-do-we-ask-for-an-ipconfig-all-when-we-try-to-help-diagnose-ad-issues/
  6. In the contoso.com zone properties, Name Servers tab, make sure it registered itself. If not, manually add it by clicking Add, then type in the server’s FQDN, and click Resolve. If all things are configured correctly, it should resolve. Click OK.
  7. On the “Start of Authority (SOA)” tab click “Browse…” next to the Primary server field and browse for the server’s A record in the contoso.com zone. Click OK.
  8. Repeat the previous two steps (Name Servers and SOA) for the reverse zone, and any other zones you’ve created in DNS.
  9. DHCP Options:
     • DHCP Option 015 must be set to your zone, such as adatum.com. This provides a way for the interface to use that zone for registration, as well as for the DHCP server to use it to register into the zone.
     • DHCP Option 006 must be set to only your internal DNS servers. Do not use your router as a DNS address (it’s really not a DNS server anyway), or your ISP’s DNS servers.
  10. Configure scavenging. The scavenging NoRefresh and Refresh values combined should add up to or be greater than the lease length. For example, if the DHCP lease length is 8 days, then the NoRefresh value should be 4, and the Refresh value should be 4.
     More info, a good article by Sean Ivey, MSFT:
     How DNS Scavenging and the DHCP Lease Duration Relate
     (Make the NoRefresh and Refresh each half the lease, so combined, they are equal to or greater than the lease.)
     http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx
  11. In DHCP properties, DNS tab (note: this tab is actually DHCP Option 081, even though it doesn’t say it), choose to force DHCP to always update records whether a DHCP client asks or not, and configure it to register records for clients that can’t.
  12. Configure a user account to be used for DHCP Credentials (as I said above), then go into DHCP, IPv4, Properties, Advanced, Credentials, and enter the credentials.
  13. Restart the DHCP service.
  14. It should now work.
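The GUI steps above, together with the forwarder configuration from the first post, as an added PowerShell equivalent (not the original post’s code). It assumes Windows Server 2012 or newer with the DnsServer and DhcpServer modules, run elevated on the workgroup server; the zone name, addresses, scope range, interface alias and account name are placeholders taken from or modelled on the post’s examples.

```powershell
# Added PowerShell equivalent of the GUI steps, not part of the original post. Assumes Windows
# Server 2012+ (DnsServer and DhcpServer modules) on a non-domain-joined server, run elevated.
# All names and addresses below are placeholders modelled on the post's examples.
$Zone      = 'adatum.com'
$ServerIP  = '10.10.100.20'        # this server's static IP; the ONLY DNS address it should use
$Forwarder = '208.67.222.222'      # placeholder for your ISP's DNS, used only as a forwarder

# Steps 1-2: install the DNS role, create the forward and reverse zones, allow dynamic updates.
# On a non-DC the only update mode besides None is NonsecureAndSecure.
Install-WindowsFeature -Name DNS -IncludeManagementTools
Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate NonsecureAndSecure
Add-DnsServerPrimaryZone -NetworkId '10.10.100.0/24' -ZoneFile '100.10.10.in-addr.arpa.dns' -DynamicUpdate NonsecureAndSecure
Add-DnsServerForwarder -IPAddress $Forwarder     # internet names go to the forwarder, never to clients' NICs

# Step 3: the server itself points only at its own IP for DNS ('Ethernet' alias is an assumption)
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $ServerIP

# Step 4: Primary DNS Suffix on a workgroup server = the same two registry values the post's script sets.
# A restart is required before the server's A and NS records register into the zone (steps 5-8).
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name 'Domain'    -Value $Zone
Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $Zone

# Step 10: scavenging, NoRefresh + Refresh >= lease length (8-day lease -> 4 + 4 days).
# The 7-day server scavenging period is an assumption, not from the post.
Set-DnsServerZoneAging -Name $Zone -Aging $true -NoRefreshInterval 4.00:00:00 -RefreshInterval 4.00:00:00
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00

# Step 9: DHCP role and scope; Option 006 = only the internal DNS server, Option 015 = the zone name
Install-WindowsFeature -Name DHCP -IncludeManagementTools
Add-DhcpServerv4Scope -Name $Zone -StartRange 10.10.100.100 -EndRange 10.10.100.200 `
    -SubnetMask 255.255.255.0 -LeaseDuration 8.00:00:00
Set-DhcpServerv4OptionValue -DnsServer $ServerIP -DnsDomain $Zone -Router 10.10.100.1

# Step 11: the DNS tab (Option 081): always update, also for clients that cannot register themselves,
# and remove the records when the lease expires so stale entries do not accumulate
Set-DhcpServerv4DnsSetting -DynamicUpdates Always -UpdateDnsRRForOlderClients $true -DeleteDnsRRonLeaseExpiry $true

# Steps 12-13: registration credentials = a plain local user (NOT an administrator) with a strong
# password, created beforehand (e.g. New-LocalUser on Server 2016+, or 'net user dhcpdns * /add')
$cred = Get-Credential -UserName 'dhcpdns' -Message 'Local non-admin account that will own DHCP-registered records'
Set-DhcpServerDnsCredential -Credential $cred
Restart-Service -Name DHCPServer
```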

Example of what you should see after it’s configured and working: (screenshot)

Other notes and references:

There are a number of ways to get this to work. Read the following discussion for more info:

Technet thread: “Server 2008 R2: DNS records not dynamically registering in workgroup situation” 12/31/2010
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2380872f-2e71-49eb-8fbb-87f980920fc7/

Registry summarized:

Not that this will work for your non-Windows devices, but I’m providing this information if you want to only configure your Windows computers.

You can create and remotely run a registry script for the interface on the workgroup machines using a tool called PSEXEC (free download from Microsoft). Of course you must have the local admin account credentials on all your computers to run this remotely, and the Remote Registry service started, and possibly antivirus software and Windows Firewall configured to allow this.

You’ll want to target and populate the following two registry entries with your zone name, such as adatum.com:

  • HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\domain
  • HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\NV domain
Using the above two keys, try this VB script:

    ' Sets the Primary DNS Suffix on a workgroup computer by writing both values (run as local admin)
    Set WSHShell = CreateObject("WScript.Shell")
    WSHShell.RegWrite "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\NV domain", "adatum.com", "REG_SZ"
    WSHShell.RegWrite "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\domain", "adatum.com", "REG_SZ"
    ' A restart is needed before the new suffix takes effect

If you are in an AD Environment

Oh, and if you’re curious how DHCP should be configured in an AD environment to force updates, etc., read my blog on it, please:

DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a “pen” icon, and more…
Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx

Good summary:
How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27

Summary

I hope you’ve found this helpful. Any suggestions, errors, comments, etc., are all welcomed!

Ace Fekay

Why do we ask for an ipconfig /all, when we try to help diagnose AD issues?

Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
www.delcocomputerconsulting.com

Ace here again. Yea, I had to post a blog about this because many people ask, why do you want that? Just for the IP address??

Nope. Not just for the IP.

Good question.

An ipconfig /all provides us with quite a bit of configuration data that serves as a precursor for a diagnosis. Sometimes the ipconfig /all results will help us fix it, but not always.

Many admins are reluctant to provide this sort of information, citing security reasons.

In some cases, I sympathize and agree, but in many cases security really isn’t much of a concern, because for one, your internal IP range is a private range, and two, you can substitute your actual internal domain name with something more generic, such as substituting “microsoft.local” with “mydomain.local.” You should also substitute your DC names using something generic, such as dc-01, dc-02, etc. But definitely keep track of the substituted DC names in case we have additional questions regarding them.

Let’s take a look at each value in an ipconfig /all

Believe it or not, the results of an ipconfig /all contain numerous pieces of information that help us get an inside view of a DC’s basic network configuration, as well as basic service configuration.

Let’s break it down:

C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : company-dc-01

  • Name is under 15 characters – good for NetBIOS compatibility. Not a huge concern for many companies.
  • Possibly indicates more than one DC based on the –01 portion of the name

Primary Dns Suffix  . . . . . . . : company.com

  • The AD DNS Domain name is not a single label name.
  • In some cases, we’ll also ask for the name in ADUC. If the name in ADUC does not match this name, then it’s a Disjointed Namespace condition.
Node Type . . . . . . . . . . . . : Hybrid

  • If Hybrid is set, it tells me that WINS is in use.
  • Hybrid mode, specifically 0x8 (as you would set WINS Hybrid mode in DHCP Option 046), tells the client side resolver to use WINS first when attempting to resolve a single name query, and if it can’t resolve it, to then try a broadcast. Of course, this is only after DNS resolution fails, since DNS is used first anyway, where the client side resolver appends the search suffix when attempting to resolve it as a DNS hostname query.
  • If the Node Type is set to “Unknown,” then no big deal. It just means that WINS is not being used, and the resolver service will use broadcast for single name resolution.

IP Routing Enabled. . . . . . . . : No

  • Means RRAS is not installed
  • If set to Yes, it means RRAS is installed, and it will interfere with AD communications on this DC.

WINS Proxy Enabled. . . . . . . . : No

  • On a DC, “No” is what we want to see.
  • If set to Yes, then it means “Enable broadcast name resolution” is checked under the General tab in RRAS properties.
    • If this is set to Yes, and there is only one NIC, it could mean either:
      • RRAS is installed only for VPN use
      • RRAS was disabled, but the setting stuck
  • Either way, if it is set to Yes, it will cause problems with AD communications.

DNS Suffix Search List. . . . . . : company.com

  • This is what the client side resolver will use when attempting to resolve a single name query. For example, if I run nslookup against a single name such as computer1, the resolver will append company.com to it, resulting in a query for computer1.company.com.
  • If there are multiple domains in the forest, such as a parent and child domain, or multiple child domains, then each domain must be configured with a search suffix for all other domains in order to be able to resolve everything in the forest. This is also true for additional Trees in the forest.
  • The company.com in this example was devolved from the Primary DNS Suffix.
    • If the Primary DNS suffix has multiple levels, such as chicago.ad.company.com, then the resolver will devolve it to show search suffixes of chicago.ad.company.com, ad.company.com, and company.com.
    • However, if ad.company.com is the parent (root) domain, then on Windows 2008 or newer it will only devolve to ad.company.com. Windows 2000 and 2003 devolved all levels, which led to some confusion.

Ethernet adapter Team 1:

  • Obviously this interface is a team.

Connection-specific DNS Suffix  . :

  • If this is a DHCP client, and DHCP Option 015 is configured with a domain suffix, then it will populate this value. It applies only to the specific interface that gets this configuration: if it is a wireless connection, that value will populate the wireless connection but not the wired connection, and it will be used as the suffix for identification and DNS registration only for that interface. It is not used as a search suffix.

Description . . . . . . . . . . . : BASP Virtual Adapter

  • This is the vendor brand name of the adapter.

Physical Address. . . . . . . . . : 00-18-8B-47-F0-D1

  • This is the MAC address of this adapter or Team.

DHCP Enabled. . . . . . . . . . . : No

  • This means the NIC has a static configuration.

IP address, mask and gateway

   IP Address. . . . . . . . . . . . : 192.168.80.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.80.1

  • In the above three values, we make sure the IP address and mask are on the same subnet as in the ipconfig /all of another machine, if one was provided. You would be surprised how many times we’ve seen subnets misconfigured with an incorrect subnet mask.

DNS Servers . . . . . . . . . . . : 192.168.80.5
                                    192.168.80.10

  • What we look for in the DNS addresses is that only the internal DNS servers hosting the AD zone are specified. If external DNS addresses are specified, or your router’s address is specified as DNS (for example, 192.168.80.1), then you should expect to see numerous problems. This is because your machine is sending the external DNS servers or your router a query whenever it tries to log on, authenticate, find domain resources, etc. The external DNS servers or your router do not have an answer when queried for internal resources. It’s the same as me asking the first person I see walking by out front of my house, “Where’s that beer that was in my refrigerator last night?” Besides the person not having an answer, he’ll probably give me a funny or dirty look. Your DNS server and DC won’t give you a funny look, but you’ll probably get some sort of error and your machine will fail to find your AD domain.
  • The addresses listed in this example show that it is pointing to a partner DC as the first entry, and itself as the second entry.
    • You may also find in some configurations the loopback as the second entry. This is ok, too. DCPROMO puts in the loopback. Matter of fact, if you were to run the AD BPA, one of the things it looks for is the loopback as the second entry. You can leave it there if you like, or you can change it to the IP of itself, but if you do, just ignore the BPA’s warnings if you were to run it again.

Primary WINS Server . . . . . . . : 192.168.80.10

  • This tells me the server is running WINS. Why? Because it is pointing to itself, as it should be for a WINS server.
  • If a WINS server is pointing to any other WINS servers, it will cause numerous problems with WINS record ownership.

NetBIOS over Tcpip. . . . . . . . : Enabled

  • Of course this one is obvious. But here’s one for you: if you have NetBIOS disabled, but you are using WINS, what’s the point??

        Should I Disable IPv6? No…

        12/11/2014 – Ace here again. I’ve revamped this blog bringing it up to date, but you know what, there was nothing really to change, because guess what? It’s not recommended to disable IPv6. Period.

        I hope you find this helpful.

        Preface

        This topic has been discussed numerous times. Previously in this article I wrote:

        There are known issues regarding IPv6 affecting communications in certain scenarios, such as errors when using Outlook Anywhere, or the case of Exchange 2007 running on Windows 2008 when there is a DC NSPI port 6004 communication issue.

        Read the link in the “Related Links” section below for more information on this issue. Therefore, to eliminate communications issues regarding whether this is a factor or not, it is recommended to disable IPv6 in registry on the Exchange server, as well as on the domain controllers, or any server for that matter, especially if there are no plans in using IPv6. For the same reasons, it is also recommended to disable the RSS TCP Chimney Offload feature on the same servers.

        IPv6 provides a robust means for IP addressing that offers additional information in the IP address. However, if the current network does not have the necessary supporting hardware to support it, such as a router, nor if IPv6 is currently in use, some say it’s additional overhead on the machine, which many have claimed, including myself in the past, to recommend disabling it. There is also an incompatibility with using IPv6 with UNC paths, such as mapping a drive using an IPv6 address, but I don’t think that’s relevant to the context of this article.

        However, things have changed

        The only time to disable IPv6 is with the above scenario using Exchange 2007 on a Windows 2008 server. At no other time should you disable IPv6. It must be kept enabled, or it will break many features in Windows. Read the next section…

         

        Should I Disable IPv6? Nope

        .

        When I originally wrote this article, my original recommendations to disable IPv6 were based on a problem I found back in 2008 with an Exchange 2007 installation on Windows 2008 and DSAccess communications to a Windows 2008 DC/GC. I couldn’t figure out what was causing it. I finally called Microsoft PSS. After some digging around, the support engineer recommended disabling IPv6, which he said was causing the issue. It actually fixed the communications problem. He referenced an article explaining the issue:

        The installation of the Exchange Server 2007 Hub Transport role may be unsuccessful on a Windows Server 2008-based computer
        http://support.microsoft.com/?kbid=952842

        However, that article has been retired and is no longer available. Microsoft is now recommending to keep IPv6 enabled. You can read more about it in this article, which I highly suggest reading it:

        The Cable Guy – Support for IPv6 in Windows Server 2008 R2 and Windows 7, by Joseph Davies, Microsoft, Inc.
        http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

        Basically, Joseph Davies in the above article, said (quoted directly from the article):

        The Argument against Disabling IPv6

        It is unfortunate that some organizations disable IPv6 on their computers running Windows Vista or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6-based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.

        From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.

        Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.

        .

        Ipconfig /all shows IPv6 “::1” Loopback address as the First DNS Entry

        In some cases, there may be some issues with IPv6 because it is the default (preferred) protocol. When you run an ipconfig /all, you may find that the IPv6 “::1” loopback address shows up as a DNS server address. Because it’s at the top of the DNS address list, some say it slows down resolution because the resolver tries the IPv6 address first before falling back to the IPv4 addresses.

        Who cares. Leave it alone. What harm is it doing? Just because it doesn’t look right?

        Well, if you really want to remove the ::1, you can, although to me, it’s really a cosmetic thing when running nslookup. If it will make you feel warm and fuzzy not to see it, and rather see the IPv4 address, you can remove it using the following steps.

        .

        You can delete the “::1” IPv6 loopback address by the following method.

        Run an ipconfig /all. Determine the “Local Area Connection” name. In the example below, I used “Local Area Connection” for the interface name:

        netsh interface ipv6 delete dnsserver "Local Area Connection" ::1

        You can add it back in, if you like:

        netsh interface ipv6 add dnsserver "Local Area Connection" ::1

        .

        For more info on the netsh command reference for Windows 2008 & 2008 R2, see the following. For command info on IPv6, click on “Netsh Command for Interface IPv4 and IPv6,” then click on ” Netsh commands for Interface IPv6.” :

        Netsh Command Reference
        (Comprehensive Command Reference) – Updated: July 2, 2009 – Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
        http://technet.microsoft.com/en-us/library/cc754516(WS.10).aspx

        .

        Originally, I illustrated in this blog to do it in the following fashion from a previous post (provided below), however this appears to not work for some. I suggest running the method above.

        You can eliminate that from showing up on that specific interface. One way to do that is to find the IDX# of the interface by running:

        netsh interface ipv6 show interfaces

        Once you’ve identified the IDX# for that interface, you can delete it on that specific interface by running:

        netsh interface ipv6 delete dnsserver name="IDX#" address=::1

        You’ll find resolution will be quicker, as well as not getting that familiar nslookup initialization error message saying it “can’t find server…”

        Originally posted in:

        Windows 2008 R2 with AD integerated DNS
        http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/29b204fd-fabc-4715-9891-95eb86bd1d32/?prof=required
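Both methods above delete ::1 from one named interface at a time. As an added example (not from the original post or the forum thread), the following PowerShell finds every interface that currently lists ::1 as an IPv6 DNS server and runs the same netsh delete command against each, with a dry-run switch and a verification pass afterwards. It assumes Windows 8 / Windows Server 2012 or later for the DnsClient cmdlets (Get-DnsClientServerAddress) and an elevated prompt; the function names are my own.

```powershell
# Added example, not from the original post. Assumes the DnsClient module
# (Windows 8 / Server 2012 and later) and an elevated prompt. The netsh
# command is the one given in the post; the function names are assumptions.

function Get-LoopbackDnsInterface {
    # Interfaces whose IPv6 DNS server list includes the ::1 loopback address
    Get-DnsClientServerAddress -AddressFamily IPv6 |
        Where-Object { $_.ServerAddresses -contains '::1' } |
        Select-Object InterfaceAlias, InterfaceIndex, ServerAddresses
}

function Remove-LoopbackDnsServer {
    # Removes ::1 from the IPv6 DNS server list of each matching interface.
    # Run with -WhatIf to see which interfaces would be changed without touching them.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($nic in Get-LoopbackDnsInterface) {
        $alias = $nic.InterfaceAlias
        if ($PSCmdlet.ShouldProcess($alias, 'netsh interface ipv6 delete dnsserver ::1')) {
            # Same command as in the post, interface name quoted for netsh
            netsh interface ipv6 delete dnsserver "$alias" ::1 | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "netsh returned exit code $LASTEXITCODE for interface '$alias'"
            }
        }
    }

    # Verify: after a real run nothing should still list ::1
    if (-not $WhatIfPreference) {
        Get-DnsClientServerAddress -AddressFamily IPv6 |
            Where-Object { $_.ServerAddresses -contains '::1' } |
            ForEach-Object { Write-Warning "::1 is still present on '$($_.InterfaceAlias)'" }
    }
}

# Show what is there before changing anything
Get-LoopbackDnsInterface | Format-Table -AutoSize

# Dry run first; remove the -WhatIf to apply the change
Remove-LoopbackDnsServer -WhatIf
```

On a DC this will typically report only the LAN interface, since that is where DCPROMO put the loopback entry; tunnel and virtual interfaces normally carry no static IPv6 DNS servers and are left alone.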

        .


        Windows 2008 R2, and Windows 7 will use IPv6 as the first preferred protocol.

        In my opinion, if you just leave things as default, things will work fine.

        However, for whatever reason you want to alter these settings, whether real or imagined, that is your choice.

        That disclaimer out of the way, if you still need to force the TCP stack to use IPv4 first instead of IPv6, you can do so in the registry. The following procedure in this section was quoted from the following Microsoft KB article:

        How to disable IP version 6 (IPv6) or its specific components in Windows 7, in Windows Vista, in Windows Server 2008 R2, and in Windows Server 2008
        http://support.microsoft.com/kb/929852

        .

        To force the system to use IPv4 first, before IPv6

        The key you are looking for is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents. If it doesn’t exist, you have to create it.

        Or if you do not want to do this manual procedure, you can now use the Microsoft “Mr Fix It” script to automatically do it for you. The scripts are in the KB929852 article above.

        1. In Registry Editor, locate and then click the following registry subkey:
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

        2. Double-click DisabledComponents to modify the DisabledComponents entry.
          Note If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:
          1. In the Edit menu, point to New, and then click DWORD (32-bit) Value.
          2. Type DisabledComponents, and then press ENTER.
          3. Double-click DisabledComponents.
        3. Type 0x20 to prefer IPv4 over IPv6 by modifying entries in the prefix policy table.

        .


        Again, do not disable IPv6

        However, if you still need to disable IPv6, the following steps show how to disable IPv6 on Windows 2008 (non-SBS 2008), Vista or Windows 7.

        Note: You can now use the Microsoft “Mr Fix It” script to automatically disable it, see:

        How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008
        http://support.microsoft.com/kb/929852

        You can also do it manually: The following steps are from:

        How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008
        http://support.microsoft.com/kb/929852

        The installation of the Exchange Server 2007 Hub Transport role is unsuccessful on a Windows Server 2008-based computer
        (This article is no longer available. It originally recommended disabling IPv6 to overcome DSAccess NSPI-to-GC communication issues with Exchange 2007 installed on Windows 2008 (not 2008 R2).)
        http://support.microsoft.com/?id=952842

        Paul Berg also has a good article on disabling IPv6, too:
        Disabling IPv6 on Windows 2008 or Vista
        http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx

         

        1. Uncheck IPv6 in NIC properties.
        2. Uncheck the two Link-Layer Topology Discovery components.
        3. Then navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters and:
          • In the details pane, click New, and then click DWORD (32-bit) Value.
          • Type DisabledComponents, and then press ENTER.
          • Double-click DisabledComponents.
          • Type 0xffffffff in Hexadecimal.
          • It should look like this if you’ve entered it correctly:
            • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
            • "DisabledComponents"=dword:ffffffff

        .

        Or more specifically, and with a complete list of values this key supports:

         

        In Registry Editor, locate and then click the following registry subkey:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

        1. Double-click DisabledComponents to modify the DisabledComponents entry.

          Note If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:

          1. In the Edit menu, point to New, and then click DWORD (32-bit) Value.
          2. Type DisabledComponents, and then press ENTER.
          3. Double-click DisabledComponents.
        2. Type any one of the following values in the Value data: field to configure the IPv6 protocol to the desired state, and then click OK:
          1. Type 0 to enable all IPv6 components. (Windows default setting)
          2. Type 0xffffffff to disable all IPv6 components, except the IPv6 loopback interface.
          3. Type 0x20 to prefer IPv4 over IPv6 by modifying entries in the prefix policy table.
          4. Type 0x10 to disable IPv6 on all nontunnel interfaces (on both LAN and Point-to-Point Protocol [PPP] interfaces).
          5. Type 0x01 to disable IPv6 on all tunnel interfaces. These include Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo.
          6. Type 0x11 to disable all IPv6 interfaces except for the IPv6 loopback interface.
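The value is a bit mask, which is why 0x11 is simply 0x10 and 0x01 combined. As an added example (not from the original post or KB929852), the PowerShell below reads the current DisabledComponents value, decodes it against the table above, and writes a new value through a function that supports -WhatIf, covering both the “prefer IPv4” (0x20) procedure earlier in this section and the full list here. The function names are my own; it needs an elevated prompt, and as the KB notes, a reboot before the change takes effect. Two details worth knowing: REG_DWORD values come back from Get-ItemProperty as signed Int32, so 0xffffffff reads as -1 unless the bits are reinterpreted, and later revisions of KB929852 recommend 0xFF rather than 0xffffffff for disabling IPv6 because the larger value was found to add a delay at startup.

```powershell
# Added example, not from the original post. Function names are assumptions;
# the flag meanings are the ones listed in the post (from KB929852).
# Needs an elevated prompt; changes take effect after a reboot.

$Tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# Bit meanings as documented in KB929852 (0xffffffff = everything except loopback)
$DisabledComponentFlags = [ordered]@{
    0x01 = 'IPv6 disabled on all tunnel interfaces (ISATAP, 6to4, Teredo)'
    0x10 = 'IPv6 disabled on all non-tunnel (LAN and PPP) interfaces'
    0x20 = 'IPv4 preferred over IPv6 in the prefix policy table'
}

function Get-IPv6DisabledComponents {
    # Current value as an unsigned 32-bit number; 0 when the value does not exist (Windows default)
    $item = Get-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [uint32]0 }
    # REG_DWORD is returned as a signed Int32; reinterpret the bits so 0xffffffff does not read as -1
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$item.DisabledComponents), 0)
}

function ConvertFrom-DisabledComponents {
    # Human-readable decoding of a DisabledComponents value
    param([Parameter(Mandatory)][uint32]$Value)
    if ($Value -eq 0) { return @('All IPv6 components enabled (Windows default)') }
    if ($Value -eq [uint32]::MaxValue) { return @('All IPv6 components disabled except the loopback interface') }
    $parts = @()
    foreach ($flag in $DisabledComponentFlags.Keys) {
        if (($Value -band $flag) -ne 0) { $parts += $DisabledComponentFlags[$flag] }
    }
    if ($parts.Count -eq 0) { $parts += ('Unrecognised value 0x{0:X8}' -f $Value) }
    return $parts
}

function Set-IPv6DisabledComponents {
    # Writes the value (creating it if absent). 0x20 prefers IPv4, 0 restores the default.
    # To write 0xffffffff pass [uint32]::MaxValue, since PowerShell parses the literal 0xffffffff as -1.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][uint32]$Value)
    if ($PSCmdlet.ShouldProcess($Tcpip6Params, ('Set DisabledComponents = 0x{0:X8}' -f $Value))) {
        # The registry provider stores DWORDs as Int32, so hand it the same 32 bits as a signed value
        $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
        Set-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -Value $signed -Type DWord
    }
}

$current = Get-IPv6DisabledComponents
'Current DisabledComponents = 0x{0:X8}' -f $current
ConvertFrom-DisabledComponents $current | ForEach-Object { "  $_" }

# Prefer IPv4 without disabling IPv6 (the 0x20 step above); drop -WhatIf to apply it
Set-IPv6DisabledComponents -Value 0x20 -WhatIf
```

Decoding 0x11 with ConvertFrom-DisabledComponents yields both the tunnel and the non-tunnel lines, matching entry 6 above, and keeping the write behind ShouldProcess means the script can be kept around for audits without accidentally changing a DC.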

        .

        Disabling IPv6 on SBS 2008 & 2011

        Don’t do it. But if you must, to disable IPv6 on SBS 2008 is slightly different.

        Read the reasons why, and the instructions in the following link, but as noted above, it’s no longer recommended to disable IPv6.

        Issues After Disabling IPv6 on Your NIC on SBS 2008
        http://blogs.technet.com/sbs/archive/2008/10/24/issues-after-disabling-ipv6-on-your-nic-on-sbs-2008.aspx

        .


        Related Links

        TCP Chimney and RSS Features May Cause Slow File Transfers or Cause Connectivity Problems:
        http://msmvps.com/blogs/acefekay/archive/2009/08/20/tcp-chimney-and-rss-features-may-cause-slow-file-transfers-or-cause-connectivity-problems.aspx

        .


        ==================================================================

        Summary

        I hope this helps!

        Original Publication Date: 11/1/2011
        Updated 12/11/2014

        Ace Fekay
        MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
        Microsoft Certified Trainer
        Microsoft MVP – Directory Services


        Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

        This posting is provided AS-IS with no warranties or guarantees and confers no rights.