Posted on

DNS Client side Resolver Service and DNS Forwarders Query Algorithm

As many of you that follow my blogs, I had originally blogged about the client side resolver a few years ago. That can be found here:

http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

I think that many readers may have missed this portion because of the size of the blog, since after all it’s buried in one of the sections. Therefore, I thought to just specifically blog about it and get right to the point.

Background:

An internal DNS infrastructure is usually designed to support internal host name resolution fir internal hosts only. This is the goal whether it’s for any AD infrastructure or non-AD infrastructure, otherwise, why bother with DNS internally?

This is of course, especially true with AD. AD uses DNS. DNS stores AD’s resource and service locations in the form of SRV records, hence how everything that is part of the domain will find resources in the domain.

If the ISP’s DNS is configured in the any of the internal AD member machines’ IP properties, (including all client machines and DCs), the machines will be asking the ISP’s DNS ‘where is the domain controller for my domain?” whenever it needs to perform a function, such as for a logon request, DC to DC replication communications requests, querying and applying GPOs, and more. Unfortunately, the ISP’s DNS does not have that info and they reply with an, “I dunno know” response, and things just fail.

Using an ISP’s DNS, or the router as a DNS address, is analogous to asking the first passerby on the street, “Hey, where’s that case of beer that was in my refrigerator last night?” He’ll either not have an answer, or he’ll tell you his friends took it, which is the wrong answer anyway.

The Client Side Resolver Service algorithm on all Windows 2000 and newer machines:

If you mix the internal DNS and an external DNS, such as the DC as the first DNS entry, and the ISP’s DNS, or even using your router’s IP address as the second entry, will do the same thing. This because of the way the client side resolver service works on all machines (DCs and clients). The following should help better understand the client side service algorithm when attempting to resolve DNS names.

To summarize:

If a DNS query has already occurred and the client had already received a response, then the response is cached in the local resolver cache for the TTL of the DNS host record.  You can run “ipconfig /displaydns” to show what’s in cache and the remaining TTL of the host record. YOu can repeatedly repeat the command to see the TTL count down to 0, at which point it will disappear from the cache.

If there was no prior query and it’s not cached or the TTL has expired, and if there are multiple DNS entries on a machine’s NIC (whether a DC, member server or client), it will ask the first entry first.

  • If it receives a response, but say if the DNS server does not have the zone data (such as if you were to use your ISP’s DNS or your router as a DNS address, and expect that to work with AD), then it will be an NXDOMAIN or NACK response, meaning it got a response, even though it was wrong, and it will not go to the next DNS entry in the NIC’s list.
  • If it doesn’t respond, which is evident of a NULL response (no response, such as if the DNS server is down), it will go to the second entry after a time out period, which can last 15 seconds or more as it keeps trying the first one, at which then it REMOVES the first entry from the eligible resolvers list, and won’t go back to it for another 15 minutes (or forcing it by restarting the DNS Client service). This can also happen when a DC/DNS is down, or taken offline purposely for some reason, such as performing DC maintenance during production hours, it may cause issues within AD when accessing a resource such as a printer, folder, getting GPOs to function, etc. You can also reset the eligible resolvers list by:
  • If using Windows 2008/Vista and newer, restart the DNS Client Service
  • If using Windows 2000, 2003 or XP, restart the DHCP Client Service
  • Configure a registry entry to force the TTL to reset the list after each query.
  • Run an ipconfig /flushdns
  • Restart the machine.

If the ISP’s is the first one in the list in the NIC’s properties, obviously it will be knocked out when a client is trying to login.

This will be be noticed by a significantly long logon time period the client will experience before it goes to the second one, your internal DNS. So now the first one is knocked out for 15 minutes. Then say the client decides to go to an internet site. It will be querying the internal DNS at this point. As long as the internal DNS is configured with forwarders to an outside DNS, or use it’s Roots, it will resolve it.

Specifics on the resolver process:

Understanding the DNS Client Service and how Name Resolution works
http://networkadminkb.com/KB/a118/understanding-dns-client-service-how-name-resolution-works.aspx

Don’t Use your ISP’s DNS or your Router as a DNS Address on any Machine

So why even bother with an ISP in the client? This is another good reason to ONLY use the internal DNS server in the VPN’s DHCP service for VPN clients. Keep in mind, the client will probably be configured with an ISP’s anyway if outside the network. Fine, otherwise it can’t find the VPN server on the internet anyway. But once the VPN authenticates and is connected, the VPN interface will be the first on the binding order, which now you WANT to only have the internal DNS servers in that interface.

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP (applies to Vista and newer, too)
http://support.microsoft.com/kb/320760

Therefore, the ISP’s DNS, some other external DNS server, or using the router as a DNS address, should not be used in any internal AD client or any other machine that is part of the AD infrastructure that must find a domain controller in order to function.

Ipconfig examples:

  • BAD EXAMPLE

In this BAD example, there are mixture of internal and external DNS servers. On top of that, there are just way too many DNS servers, which the client side resolver time out will never see beyond the third one, if lucky.

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Computer1
   Primary Dns Suffix  . . . . . . . : contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : contoso.com
   Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6250 AGN
   Physical Address. . . . . . . . . : 64-80-98-11-5C-24
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::81ba:f421:cced:8826%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.100.58(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, March 24, 2014 10:07:18 AM
   Lease Expires . . . . . . . . . . : Saturday, April 05, 2014 10:45:58 PM
   Default Gateway . . . . . . . . . : 10.10.100.1
   DHCP Server . . . . . . . . . . . : 10.10.100.20
   DHCPv6 IAID . . . . . . . . . . . : 308576409
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-E1-F4-6D-04-11-22-67-01-15-21
  DNS Servers . . . . . . . . . . . : 10.10.100.20
                                               208.67.222.222
                                              208.248.240.23
                                             4.2.2.2
                                             4.3.4.4
                                             10.10.100.30
   NetBIOS over Tcpip. . . . . . . . : Enabled

  • GOOD EXAMPLE – You can see only the internal DNS servers are specified.

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Computer1
   Primary Dns Suffix  . . . . . . . : contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : contoso.com
   Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6250 AGN
   Physical Address. . . . . . . . . : 64-80-98-11-5C-24
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::81ba:f421:cced:8826%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.100.58(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, March 24, 2014 10:07:18 AM
   Lease Expires . . . . . . . . . . : Saturday, April 05, 2014 10:45:58 PM
   Default Gateway . . . . . . . . . : 10.10.100.1
   DHCP Server . . . . . . . . . . . : 10.10.100.20
   DHCPv6 IAID . . . . . . . . . . . : 308576409
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-E1-F4-6D-04-11-22-67-01-15-21
  DNS Servers . . . . . . . . . . . : 10.10.100.20
                                               10.10.100.30
   NetBIOS over Tcpip. . . . . . . . : Enabled

Configure a Forwarder Using your ISP’s DNS

That’s your best bet. It’s easy.

  • Open the DNS console
  • Right-click the DNS server name
  • Choose Properties
  • Click the Forwarder tab.
  • Enter the ISP’s DNS address in the Forwarders list.

And also, keep in mind, that if you have more than two or three Forwarders, the third one will probably never get checked because of the time-out of the client side resolver service *waiting* for a response to a query.

Router’s IP as a DNS Service

Don’t do it! Your router is NOT a DNS server. If you do, what the router will do is it will proxy the query request to its outside interface, which it will more than likely be using the ISP’s DNS. So that won’t work. Remove it from any machines as a DNS address.

Summary

I hope that helps understand why not to use an ISP’s DNS in your internal network.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

FaceBookTwitterLinkedIn

Posted on

Why do we ask for an ipconfig /all, when we try to help diagnose AD issues?

Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
www.delcocomputerconsulting.com

Ace here again. Yea, I had to post a blog about this because many people ask, why do you want that? Just for the IP address??

Nope. Not just for the IP.

Good question.

There is quite a bit of information that an ipconfig /all provides us configuration data as a precursor for a diagnosis. Sometimes the ipconfig /all results will help us fix it, but not always.

Many admins are reluctant to provide this sort of information citing security reasons.

In some cases, I sympathize and agree, but in many cases, security really isn’t much of a concern, because for one, your internal IP range is a private range, and two, you can substitute your actual internal domain name with something more generic, such as substituting “microsoft.local” with “mydomain.local. You should also substitute your DC names using something generic, such as dc-01. dc-02, etc. But definitely keep track of the substituted DC names if we have additional questions regarding them.

Let’s take a look at each value in an ipconfig /all

Believe it or not, the results of an ipconfig /all has numerous information that helps us get an inside view of a DC’s basic network configuration, as well as basic service configuration.

Let’s break it down:

C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : company-dc-01  

  • Name is under 15 characters – good for NetBIOS compatibility. Not a huge concern for many compani
  • Possibly indicates more than one DC based on the –01 portion of the name

Primary Dns Suffix  . . . . . . . : company.com 

  • The AD DNS Domain name is not a single label name.
  • In some cases, we’ll also ask for the name in ADUC. If the name in ADUC does no match this name, then it’s a Disjointed Namespace condition).

    • Node Type . . . . . . . . . . . . : Hybrid   

    • If Hybrid is set, it tells me that WINS is in use.
    • Hybrid mode, specifically 0x8 (as you would set a WINS server Hybrid mode in DHCP Option 046), tells the client side resolver to use WINS first when attempting to resolve a single name query, and if it can’t resolve it, to then try a broadcast to resolve it. Of course, this is only after DNS resolution fails, since DNS is used first anyway, where the client side resolver will suffix the Search Suffix when attempting to resolve it as a DNS hostname query.
    • If the Node Type is set to “Unknown,” then no big deal. It just means that WINS is not being used, and the resolver service will use broadcast for a  single name resolution.

      • IP Routing Enabled. . . . . . . . : No

      • Means RRAS is not installed
      • If set to Yes, it means RRAS is installed, and it will interfere with AD communications on this DC. 
         

      WINS Proxy Enabled. . . . . . . . : No  

      • On a DC, “No” is what we want to see.
      • If set to Yes, then it means “Enable broadcast name resolution” is checked under General tab in RRAS properties.
        • If this is set to Yes, and there is only one NIC. it could mean either:
        • RRAS is installed only for VPN use
        • RRAS was disabled, but the setting stuck
      • Either way, if it is set to Yes, it will cause problems with AD communications.

      DNS Suffix Search List. . . . . . : company.com

      • This is what the client side resolver will use when attempting to resolve a single name query. For example, if I run nslookup against a single name such as computer1, the resolver will suffix company.com to it, resulting in a query of computer1.company.com.
      • If there are multiple domains in the forest, such as a parent and child domain, or multiple child domains, then each domain must be configured with a search suffix for all other domains in order to be able to resolve everything in the forest. This is also true for additional Trees in the forest.
      • The company.com in this example, was devolved from the Primary DNS Suffix.
        • If the Primary DNS suffix has multiple levels, such as Chicago.ad.company.com, then the resolver will devolve it to show search suffixes of chicago.ad.company.com, ad.company.com, and company.com.
        • However, if ad.company.com is the parent root domain, if using Windows 2008 or newer, it will only devolve to ad.company.com. Windows 2000 and 2003 devolved all levels, which led to some confusion.

      Ethernet adapter Team 1:

      • Obviously this interface is a team.

      Connection-specific DNS Suffix  . :

      • If this is a DHCP client, and DHCP Option 015 is configured with a domain suffix, then it will populate this value. It’s used for a specific interface that gets this configuration, such as if it is a wireless, then that value will populate the wireless connection, but not the wired connection, and will be used as suffix for identification and DNS registration only for that interface, but it is not used as a search suffix.

      Description . . . . . . . . . . . : BASP Virtual Adapter

      • This is the vendor brand name of the adapter

      Physical Address. . . . . . . . . : 00-18-8B-47-F0-D1

      • This is the MAC address of this adapter or Team.

      DHCP Enabled. . . . . . . . . . . : No

      • This means the NIC has a static configuration.

      IP address, mask and subnet

         IP Address. . . . . . . . . . . . : 192.168.80.10
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         Default Gateway . . . . . . . . . : 192.168.80.1

      • In the above three values, we make sure the IP address and mask are on the same subnet as an ipconfig /all of another machine, if one was provided. You would be surprised how many times we’ve seen subnets mis-configured with an incorrect subnet mask. 

      DNS Servers . . . . . . . . . . . : 192.168.80.5
                                                      192.168.80.10

      • What we look for with DNS address, is only to specify the internal DNS servers hosting the AD zone. If an external DNS addresses are specified, or your router’s DNS address is specified (for example, 192.168.80.1), then you should expect to see numerous problems. This is because your machine is sending the external DNS servers or your router a query whenever it tries to login, authenticate, find domain resources, etc. The external DNS servers or your router, does not have an answer when queried for internal resources. It’s the same as me asking the first person I see walking by out front of my house, “Where’s that beer that was in my refrigerator last night?” Besides the person not having an answer, he’ll probably give me a funny or dirty look. Your DNS server and DC won’t give you a funny look, but you’ll probably get some sort of error and your machine will fail to find your AD domain.
      • The addresses you see listed in this example are showing that it is pointing to a partner DC as the first entry, and itself as the second entry.
        • You may also find in some configuration the loopback as the second entry. This is ok, too. DCPROMO puts in the loopback. Matter of fact, if you were to run the AD BPA, one of the things it looks for is the loopback as the second entry. You can leave it there if you like, or you can change it to the IP of itself, but if you do, just ignore the BPA’s warnings, if you were to run it again.

      Primary WINS Server . . . . . . . : 192.168.80.10

      • This tells me the server is running WINS. Why? Because it is pointing to itself, as it should be for a WINS server.
      • If a WINS server is pointing to any other WINS servers, it will cause numerous problems with WINS record ownership.

      NetBIOS over Tcpip. . . . . . . . : Enabled

      • Of course this one is obvious. But here’s one for you. If you have NetBIOS disabled, but you are using WINS, what’s the point??