Your account | Cart Cart
 Search
Home Products FAQs Download Shop Contact
UMove for Active Directory
IntroductionIntroduction
Choice of OperationChoice of Operation
Loading Active DirectoryLoading Active Directory
Advanced TopicsAdvanced Topics
NetworkingNetworking
Configuring DNSConfiguring DNS
Configuring DHCPConfiguring DHCP
Error MessagesError Messages

Configuring DNS

The Domain Name System (DNS) is an Internet standard for mapping Internet computer names (called “host names”) to numerical Internet Protocol addresses (called “IP addresses”). The DNS server contains a database of all of the host names for a domain.

Active Directory uses DNS to locate the domain controllers in a domain.

Note: Incorrect configuration of DNS is the #1 cause of problems with Active Directory. If DNS is configured incorrectly, domain controllers will not be able to locate each other for replication. Client computers will not find their domain controller(s), and users will not be able to log on.
UMove moves all DNS settings

Because DNS is critical for Active Directory, UMove is careful to move all DNS settings from the source computer to the destination computer. This includes the following:

  • Client DNS settings
  • Server DNS settings
  • Server DNS zone data files (\Windows\system32\dns\*)
  • Hosts and lmhosts text files (\Windows\system32\drivers\etc\*)

By moving all DNS settings, UMove prevents potential DNS errors due to differences in the DNS settings between the old and new computers.

Types of moves

When doing an emergency move or a planned move, the DNS settings will carry over transparently to the new computer. The only issue is re-registering dynamic DNS records written more than 7 days ago (see below).

When doing a test move, you need to consider additional issues (see below).

Troubleshooting DNS Problems

Use the console commands ping and nslookup to test connectivity with DNS. To avoid confusion due to negative caching by the DNS Client service, you may want to temporarily turn that service off while troubleshooting DNS. (Exception: If your server depends on DHCP you must leave the DNS Client service turned on.)

netlogon.dns

To assist you in troubleshooting DNS problems, upon each boot the domain controller will write a copy of its desired DNS records to a text file. The text file is named C:\Windows\System32\config\netlogon.dns. You can inspect this file (use NOTEPAD.EXE) in order to verify that your DNS server contains the correct A, PTR, and SRV records for the domain controller.

If your DNS server does not contain the records listed in netlogon.dns, you need to find the cause and correct it. If you are using dynamic DNS updates, you need to investigate why the domain controller failed to update the dynamic records (for example, the NIC has the wrong DNS client IP address). If you are using static DNS, you may need to manually recreate the necessary A, PTR, and SRV records.

The DNSLint Utility

The DNSLint tool can be used to diagnose DNS errors. On the moved domain controller type the command
dnslint /ad 127.0.0.1 /s localhost /v

Immediate re-registration of DNS records

If you see errors in the Event Log due to problems with locating a domain controller in DNS that has failed to dynamically register its DNS address, and you do not want to wait 5-10 minutes for automatic re-registration, you can force the domain controller to immediately register its IP address with the DNS server. Type the following console commands:

ipconfig /flushdns
ipconfig /registerdns
nltest /dsregdns

The ipconfig command will tell the computer to send ("register") its DNS A and PTR records with the DNS server. The nltest command will register the SRV records. The SRV records are used to locate domain controllers.

ipconfig is a built-in utility. nltest is part of the Windows Support Tools, located on the Windows Server CD.

Restoring DNS from a backup more than 7 days old

Many DNS zones use dynamic updates. When a computer boots that is a member of a dynamic DNS zone it will write its IP address and host name to the DNS server. (This is called “registering with DNS”.) The computer will send an update when it boots, and again periodically - typically once per day. Domain controllers will send dynamic updates to the DNS server just like other computers.

The DNS server will erase stale records if they are not updated after (typically) 7 days.

If you restore the DNS server database from a backup that is more than 7 days old, and if the DNS server on that computer has dynamic DNS zones, upon booting the DNS server will immediately erase all the dynamic records. This is because the DNS server checks the timestamp of each dynamic DNS record when it boots (and periodically thereafter). If the timestamp is older than the aging interval (default 7 days), the DNS record is erased.

During the initial boot with a newly loaded Active Directory you may see some spurious errors in the Event Log regarding the inability to locate a domain controller or the Global Catalog. These error messages are temporary and can be ignored. Each domain controller will attempt to dynamically re-register its IP address every 5-10 minutes until it succeeds.

The first registration attempt may fail because the DNS server has not yet fetched the DNS zone records from AD. This can happen if you use integrated DNS zones. (see below). This is normal, and the next registration attempt should succeed.

Error: The DNS Service cannot load integrated DNS Zones from AD

By default each DNS zone database is stored in C:\Windows\System32\DNS\* as a simple text file. When creating a DNS zone you have the option to instead store the DNS zone inside of Active Directory as an AD object. A DNS zone stored in AD is called an “integrated” DNS zone.

If you use integrated DNS zones, and you are using dynamic DNS registration, there is a circular dependency between DNS and AD that can cause a delay of up to 30 minutes during the initial boot. The reason for the delay is that DNS needs to contact AD to fetch its zone records, but AD will refuse to accept requests until it can register its IP address with DNS. But DNS will refuse to honor AD's registration request because DNS has not loaded the zone records yet from AD. The result is a circular deadlock. The DNS service will report (via the DNS Event Log) that it is unable to load the integrated DNS zones from Active Directory.

Within 30 minutes AD will recognize the problem and start without DNS, breaking the deadlock. If you do not want to wait for 30 minutes, you can manually stop and restart the DNS service. This will break the deadlock. (The deadlock will not happen on subsequent boots. This is because DNS will cache the AD-integrated zone records and use them on subsequent boots.)

If you stop and restart the DNS service, also stop and restart the DNS Client service. The DNS Client service caches results from the DNS service. This includes “negative” results where an address is not found. To avoid confusion during troubleshooting of DNS, when you restart the DNS service you should restart the DNS Client service also. This will prevent “negative” caching from confusing your troubleshooting.

For the best results when troubleshooting DNS you should turn off the DNS Client service. You can leave the DNS Client serivce turned off as long as your server does not use client DHCP. (Client DHCP depends on Client DNS.)

Test move: Not moving all DNS servers

If you are not moving all the DNS servers to your test lab, you must reconfigure DNS so that the test domain controller(s) can continue to locate each other and so that test client computers can locate the domain controllers.

Test move: Creating a dummy root DNS zone

Your test lab will be isolated from the rest of the network. This means that DNS queries for external zones outside of the test lab will time out. Some Microsoft components will attempt to access external DNS zones, such as microsoft.com. Because the DNS server cannot forward these requests, they will time out, causing irritating delays.

To avoid delays due to timeouts for external DNS zones, you can create a dummy root DNS zone on the DNS server in your test lab. This will cause the DNS server to immediately fail external lookup requests instead of trying to forward them (and timing out).

To create a dummy root DNS zone use the following procedure:

  1. Start the DNS MMC snap-in: Click on Administrative Tools -> DNS.
  2. Right-click Forward lookup zones, then click New Zone.
  3. When the New Zone Wizard starts, click Next.
  4. Click Primary, clear the checkbox Store the zone in Active Directory so that it is not checked, and then click Next.
  5. In the Zone Name box, type a single dot (.), and then click Next.
  6. Click Create a new file with this file name and type root.dns (default), and click Next.
  7. Click Do not allow dynamic updates (default) and click Next. Then click Finish.

Do this procedure on the “topmost” DNS server in your test lab.

For more information

For more information on how to configure DNS please refer to these Microsoft Knowledge Base articles:

  • Setting Up the Domain Name System for Active Directory (Q237675)
  • Frequently Asked Questions About Windows 2000 and Windows Server 2003 DNS (Q291382)
  • How to Verify That SRV DNS Records Have Been Created for a Domain Controller (Q816587)
  • How to Create a New Zone on a DNS Server in Windows Server 2003 (Q323445)
  • How to Configure DNS Dynamic Update in Windows Server 2003 (Q816592)
  • Best Practices for DNS Client Settings in Windows 2000 Server and Windows Server 2003 (Q825036)
  • How to Replace the Current Primary DNS Server with a new Primary DNS Server in Windows Server 2003 (Q323383)
Algin Technology LLC
   Home -- Products -- FAQs -- Shop -- Download -- Reseller -- Privacy -- Contact
Copyright © 2008, Algin Technology LLC