Created 2001-04-01 Rainer Gerhards.
If a Windows 2000 server with Active Directory is installed using the standard setup, often no DNS resolution for Internet addresses will fail. This ultimately results in lost Internet connectivity. The reason are some defaults in the Active Directory wizards.
Background
Active Directory absolutely needs a working DNS to function correctly (background information can be found at our article “Active Directory and DNS“). Because of this, the Active Directory installation wizard (dcpromo.exe) installs not only Active Directory but also a DNS server if none is already installed on the machine dcpromo is running on. During this process, a very basic but extremely important questions is asked: “Would you like to make this server a DNS root server?”. The default answer is “Yes”.
If that default is accepted, this newly installed DNS server assumes it is a “real” Internet root server and as such responsible for DNS resolution in the whole Internet. Being a root server, it assumes that it is able to resolve all valid names – an assumption that of course is not correct. Why this assumption? A real DNS root server is a server that indeed is responsible for the top level domains, that is the .COM, .NET, .ORG and country specific domains like .US, .UK or . DE. If your own machine deems itself as a root server, it will never ask any other DNS server for help with name resolutions, as it assumes it itself is at the top of that hierarchy. However, it does not have the actual data for all of this top level domains. So it effectively is no longer able to resolve any real Internet name. Any machine using this DNS server will not be able to resolve Internet names. If someone tries to access e.g. a web site from such a machine, the browser will simply display an “host not found” error message.
How to diagnose this problem?
As we said, this problem does not occur under all circumstances – but it happens often. To detect it, we need a small bit more DNS theory: when we think of domain names, things like “windows-expert.net” or “microsoft.com” come to our mind. However, there must be a way to indicate the root of the DNS system (did you ever wonder how .com can be resolved). In DNS, the root is called “.” – a single period. Each DNS server serving the “.” Zone, is behaving like a root server.
Armed with that knowledge, diagnosis is simple: just call up the Windows DNS manager, select your server and switch to its forward looking zones. The hardcopy below has a typical scenario that is experiencing the misconfiguration (root domain indicated in red):
DNS-Server mit Root-Domäne
If your DNS manager looks similiar (and has the “.” zone), you have just found the cause of the problem.
How to Fix it?
Good news: this situation is extremely easy to fix! Just delete the root zone (the “.” entry). To do so, select the dot under forward looking zones and delete it (either by pressing delete or right clicking it and selecting “delete”). As deleting a zone is an important and potentially disastrous action, the DNS manager requires a confirmation before committing the deletion:
Click OK. Now the root zone is removed from the server and it knows that it is now only able to resolve names from zones it is configured for (pkl.adiscon.com in the above sample).
Internet Name Resolution
Remains the question how we can have our DNS to correctly resolve real Internet names. There are two ways to do it: either the server itself connects to the real Internet DNS root servers or it uses a so-called “forwarder”. Windows DNS’ server can use both methods – it needs to be configured to use one of them.
To view or modify the configuration, right click the server in DNS manager. Then, select “Properties” from the context menu. A new dialog appears. There, select “Forwarder”:
If “Enable Forwarders” is checked, your DNS server will use the forwarders specified to resolve names it cannot resolve itself. Forwarder addresses are specified in the big listbox. In the above sample, there is a single forwarder with IP 172.16.0.1. Please note that forwarders need to be specified by IP address and not DNS name, as most probably your DNS server would not be able to resolve the IP address without using the forwarder – what would yield us to an endless loop.
In a typical setup, the DNS forwarders should be provided by your local Internet access provider. As DNS queries are cached, this will result in optimal performance. We recommend having at least two forwarders. If – as in the example – only a single forwarder is available, this is a single point of failure. If it goes down, no name resolution and thus Internet access is possible – even if the connection and all other servers are working perfectly well. Most ISPs provide at least two servers for their customers. If in doubt, ask!
In short: use a forwarder whenever possible. The ISP’s DNS server is typically very well connected to the Internet. This, together with a large amount of already cached DNS queries, will typically ensure best performance for name resolution. Keep in mind that even root server queries are typically faster when done from the provider’s server because it has typically a much broader connection to the Internet (and thus the root servers) than your server has. If you experience difficulties with DNS resolution, however, it might be a good idea to temporarily disable the forwarders and use direct root server resolution. If that solves the problems, it is time to seriously talk to your provider!
Using Internet Root Servers
If – for whatever reason – you decide not to use forwarders, you need to uncheck “Enable Forwarders”. In this case, your DNS server itself will contact the Internet root servers to resolve the DNS request. To do so, it must know the root servers’ IP addresses. Once again, these can not be obtained via DNS because this would force it to an endless loop. So how does it know these addresses? It’s no mistery at all: they are devlivered by Microsoft (and any other vendor of DNS servers)! Please have a look at the “Root Hints” tab in the DNS server’s properties:
These are the actual root server IP addresses – really hardcoded! These entries can be changed – you can add and delete root servers. This is most often done to integrate into an alternative DNS. HOWEVER: if you modify the root server settings, make sure you exactly know what you do. This is not the place for experiments. Wrong root server entries can cause very serious problems and result in total loss of DNS resolution and de facto Internet connectivity!
My strong recommendation: do not change anything here if you do not absolutely need to do this. If you do, be sure to fully understand the DNS system!
Related Software
- WinSyslog – the enhanced syslog server for Windows. If your router is syslog enabled, WinSyslog can receive the router events, so you know when the router dials out.
- MonitorWare Agent – does all WinSyslog does, plus more. Great for intrusion detection.