Tech Line
DNS Suffix Struggle
Configuring DNS suffix search order is a critical component of any multi-domain LAN without a WINS server.
Chris: We recently upgraded our network to a Windows 2003
domain and got rid of WINS in the process. All of our workstations run
either Windows 2000 Pro or Windows XP Pro. After the upgrade, users starting
losing connectivity to mapped drives and not everyone can connect to the
intranet Web server by host name. Short of rewriting my logon scripts
and having users use a FQDN to connect to the intranet server or redeploying
the WINS server, is there anything else that I can do?
— Andy
Somewhere in the world a Unix admin is laughing and thinking to himself,
"See! Windows networks can't run without WINS!" After talking
with Andy, I learned that his network has three domains. Since DNS resolves
fully qualified domain names to IP addresses, the DNS server wasn't much
help when users and scripts tried to connect to file servers or the Web
server by host name alone. By default, Windows clients will append their
domain name to a host name when they try and query DNS. However, when
other domains exist on the network, a host will not automatically append
the names of the other domains to any DNS name resolution requests.
Tech Help—Just An
E-Mail Away |
|
Got a Windows, Exchange or virtualization question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to the MCPmag.com editors
at mailto:[email protected];
the best questions get answered in this column and garner
the questioner with a nifty MCPmag.com baseball-style
cap.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message, but submit the requested
information for verification purposes.)
|
|
|
For example, suppose a computer named bsod is a member of the domain
mcpmag.com. If a user tried to connect to http://server1, the computer
would query DNS for the IP address of bsod.mcpmag.com. If server1 was
a member of redmondmag.com and thus no record for server1 existed in the
mcpmag.com forward lookup zone on the DNS server, the client request would
time out. At this point you could solve this problem the ugly way and just
add an A record for server1 to the mcpmag.com forward lookup zone on the
DNS server, but this is not recommended. I'm only mentioning this because
I've seen it done in the field as a way to put out a name resolution fire.
Each time I've run into this, the hairs on my neck stand on end. Well
maybe I'm being a little dramatic here, but it does gnaw at my anal-retentive
personality.
Now let's get away from the problem and start talking about the solution.
First, each server should have an A record in each domain's forward lookup
zone on the DNS server. Next, you need to configure the DNS suffix search
order on each system on the network. This allows a host to try multiple
fully qualified domain name combinations when it tries to resolve a name
using DNS. For example, if the domain name redmondmag.com was added to
bsod's DNS suffix search order, bsod would first attempt to resolve the
host name server1 as server1.mcpmag.com. It would then query DNS for server1.redmondmag.com.
Once it received a reply from DNS, bsod would then connect to server1.
You can configure the DNS suffix search order on a Windows system by
following these steps:
- Access the properties of the network interface you wish to configure.
- Double-click on "Internet Protocol (TCP/IP)."
- In the Internet Protocol (TCP/IP) Properties dialog box, click the
Advanced button.
- Click the DNS tab in the Advanced TCP/IP Settings dialog box.
- Click the "Append these DNS suffixes (in order)" radio
button.
- Now click the Add button to add DNS suffixes to the connection.
- In the TCP/IP Domain Suffix dialog box, enter the name of the first
domain name to append to any DNS search (Example: mcpmag.com).
- Repeat steps 6-7 for each additional domain.
- When finished, click OK to close the Advanced TCP/IP Settings dialog
box.
- Click OK to close the Internet Protocol (TCP/IP) Properties dialog
box.
- Click OK to close the network connection's Properties dialog box.
Now on a large network, you'd probably be insane if you tried to use
the above procedures to manually configure the DNS suffix search order
on each workstation. Microsoft seemed to think so to, and with Windows
Server 2003 you can now configure DNS suffix search order with a GPO.
If you create a new GPO or edit an existing GPO on a Windows 2003 domain
controller, you'll see that you can set the DNS suffix search order by
navigating to Computer Configuration | Administrative Templates | Network
| DNS Client. Then double-click on the DNS Suffix Search List object.
Once you click the Enabled radio button you'll be able to add domain names
(separated by commas) to the DNS Suffixes field. If you need further help
with this setting, click the Explain tab.
If you're not running a Windows 2003 domain, you could still change the
DNS suffix search order via a VBScript. Microsoft has posted a sample
script that works on Windows 98/NT/2000/XP/2003 at the TechNet Script
Repository.
Finally, if you want to see the DNS query process from a DNS client that
is configured to search for names across multiple domains, you can enable
debug logging on the DNS server. To do this, follow these steps:
- In the DNS MMC, right-click the DNS server object and select Properties.
- Check the Log Packets for Debugging check box.
- Leave all other default options checked and click OK. (No, you really
don't need every default, but it's easier for me to document this way!)
Run nslookup on a DNS client and query a name of a server (by host name
only) that is in the second domain in the DNS suffix search list. Then
you can open the %systemroot%\system32\dns\dns.log file on the DNS server
to see the query results. Following my earlier example, after configuring
mcpmag.com first and redmondmag.com second in the DNS suffix search order
of my Windows XP client, I then ran the command nslookup server1 and received
the following response from the DNS server:
Name: server1.redmondmag.com
Address: 192.168.0.7
After receiving a response from the DNS, I then opened the dns.log file
on the DNS server and scrolled the log file down toward the bottom (time
of the query). Here are the results specific to my query:
13:09:09 704 PACKET UDP Rcv 192.168.0.120 0009 Q [0001 D
NOERROR] (7)server1(6)mcpmag(3)com(0)
13:09:09 704 PACKET UDP Snd 192.168.0.120 0009 R Q [8385
A DR NXDOMAIN] (7)server1(6)mcpmag(3)com(0)
13:09:09 704 PACKET UDP Rcv 192.168.0.120 000a Q [0001 D
NOERROR] (7)server1(10)redmondmag(3)com(0)
13:09:09 704 PACKET UDP Snd 192.168.0.120 000a R Q
[8385 A DR NOERROR] (7)server1(10)redmondmag(3)com(0)
In the first line listed, the DNS client is requesting to resolve the
name server1.mcpmag.com. In the second line, the server is responding
to the client with NXDomain (non-existent domain). The client then requests
to resolve server1.redmondmag.com (line 3) and the DNS server replies
to the client with the correct A record. Since DNS logging is pretty verbose,
I would only keep it enabled long enough to perform your test. After that
I would disable it.
So, as you can see, properly configuring the DNS suffix search order
can make a world of difference with name resolution on your network. Also,
with a tuned DNS infrastructure, life without WINS is possible. Sometimes
I think WINS is like crack. We were given it with Windows NT and many
became addicted. In the end, you can break the addiction (some relapses
are possible). If there was a 7 step program for WINS addiction, properly
configuring DNS suffix search order would probably be the first step.
I'll leave steps 2-7 up to your imagination.
[Chris Wolf has just released Virtualization:
From the Desktop to the Enterprise (Apress) and also welcomes your
virtualization questions for this column. —Editors]