DNS Model for MBCA 2.0 for Windows Server 2008 - download location + rule documentation


Summary


The RTM DNS MBCA 2.0 for Windows Server 2008 is available on Microsoft.com under the link "Microsoft DNS (Domain Name System) Model for Microsoft Baseline Configuration Analyzer 2.0".

The MBCA DNS Model has checks to ensure that the DNS server is adhering to best practices in the following areas:

- IP Address checks
- Forwarding
- Scavenging
- Root Hints
- Checks for DNS Registry Parameters
- Zone Issues
- Possible DNS server misconfigurations
- Active Directory DNS Zone health

The DNS Model for MBCA 2.0 is also a preview of the rules that will be available when the Windows Server 2008 R2 DNS BPA is released.

Other DNS MBCA related links include:

Best Practices Analyzer for Domain Name System: Configuration (external link)
Best Practices Analyzer for Domain Name System: Operation (external link)

Note:

The DNS Model for MBCA 2.0 for Windows Server 2008 does not install on Windows Server 2008 R2 computers. Attempting to install the DNS Model for MBCA 2.0 for Windows Server 2008 on a Windows Server 2008 R2 computer fails with the on-screen error:

Dialog Title Text:

Microsoft DNS Server Configuration Analysis Model Setup

Dialog Message text:

Microsoft DNS Server Configuration Analysis Model is not supported on this OS. Please refer to the download page for the list of supported OSes.

OK


More Information


MSINTERNAL LINKS

DNS_BPA.DOC describing DNS BPA rules
Best Practices Analyzer for Domain Name System: Configuration (internal link)
Best Practices Analyzer for Domain Name System: Operation (internal link)

The Internal link for DNS MBCA software is: \\157.57.107.204\DpsServiceFileStager\7\1\6\7167E322-10E8-48BB-813F-FB53E30878FF\DNS-Server-MBCAv2-Model.msi

DNS_BPA.DOC documents the rules and operation of DNS MBCA 2.0 for Windows Server 2008. The Word document detailing the rules in the DNS MBCA is available as DNS_BPA.DOC.

The contents of the DNS_BPA doc as of 2010.07.15 are shown below:

Contents

- Best Practices Analyzer for Domain Name System (p. 10)
  - More information about DNS (p. 10); See Also (p. 10)
- Best Practices Analyzer for Domain Name System: Configuration (p. 10)
  - Best Practices Analyzer and configuration rules (p. 11); Topics in this section (p. 11); See Also (p. 12)
- DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers (p. 12)
  - Issue (p. 13); Impact (p. 13); Resolution (p. 13)
- DNS: IP addresses that belong to a valid range must be configured on <adapter name> (p. 14)
  - Issue (p. 14); Impact (p. 14); Resolution (p. 14)
- DNS: <Adapter name> must have configured DNS servers (p. 15)
  - Issue (p. 15); Impact (p. 15); Resolution (p. 16)
- DNS: Network interfaces on <adapter name> must be configured with DNS servers that belong to a valid IP address range (p. 16)
  - Issue (p. 17); Impact (p. 17); Resolution (p. 17)
- DNS: <Adapter name> should be configured to use both a preferred and an alternate DNS server (p. 18)
  - Issue (p. 18); Impact (p. 18); Resolution (p. 18)
- DNS: <Adapter name> should have static IPv4 settings (p. 19)
  - Issue (p. 19); Impact (p. 20); Resolution (p. 20)
- DNS: IP addresses must be configured on <adapter name> (p. 21)
  - Issue (p. 21); Impact (p. 21); Resolution (p. 21)
- DNS: Valid network interfaces should precede invalid interfaces in the binding order (p. 22)
  - Issue (p. 23); Impact (p. 23); Resolution (p. 23)
- DNS: DNS servers on <Adapter name> should include the loopback address, but not as the first entry (p. 23)
  - Issue (p. 24); Impact (p. 24); Resolution (p. 24); See Also (p. 25)
- DNS: If the Global Query Block List is enabled, then it should not be empty (p. 25)
  - Issue (p. 26); Impact (p. 26); Resolution (p. 26); Additional considerations (p. 29); See Also (p. 29)
- DNS: Cache locking should be configured to 90% or greater (p. 29)
  - Issue (p. 29); Impact (p. 30); Resolution (p. 30)
- DNS: The forwarding timeout value should be 2 to 10 seconds (p. 31)
  - Issue (p. 31); Impact (p. 31); Resolution (p. 32); See Also (p. 33)
- DNS: The Hosts file <File name> on the DNS server should be empty (p. 33)
  - Issue (p. 34); Impact (p. 34); Resolution (p. 34)
- DNS: Interface <Adapter name> on the DNS server should be configured to register its IP addresses in DNS (p. 35)
  - Issue (p. 35); Impact (p. 36); Resolution (p. 36); Additional considerations (p. 36); See Also (p. 37)
- DNS: The DNS server must have root hints or forwarders configured (p. 37)
  - Issue (p. 37); Impact (p. 37); Resolution (p. 38); Additional considerations (p. 39); See Also (p. 40)
- DNS: The scavenging interval <Interval value> is within the recommended range (p. 40)
  - Issue (p. 40); Impact (p. 41); Resolution (p. 41)
- DNS: The DNS server should have scavenging enabled (p. 41)
  - Issue (p. 41); Impact (p. 41); Resolution (p. 42); Additional considerations (p. 42); See Also (p. 42)
- DNS: The scavenging interval <Interval value> is not set to a recommended value (p. 42)
  - Issue (p. 43); Impact (p. 43); Resolution (p. 43); Additional considerations (p. 44)
- DNS: Zone <Zone name> has scavenging enabled with recommended parameters (p. 44)
  - Issue (p. 44); Impact (p. 44); Resolution (p. 44)
- DNS: Zone <Zone name> has record aging disabled, so scavenging will not occur (p. 45)
  - Issue (p. 45); Impact (p. 45); Resolution (p. 45)
- DNS: Zone <Zone name> scavenging server list should not be empty (p. 45)
  - Issue (p. 46); Impact (p. 46); Resolution (p. 46); Parameters (p. 47); Sample Usage (p. 47); See Also (p. 47)
- DNS: Zone <Zone name> scavenging parameters should be set to default values (p. 47)
  - Issue (p. 48); Impact (p. 48); Resolution (p. 48); See Also (p. 48)
- DNS: The socket pool should be enabled with recommended settings (p. 49)
  - Issue (p. 49); Impact (p. 49); Resolution (p. 49); See Also (p. 51)
- DNS: The recursion timeout must be greater than the forwarding timeout (p. 51)
  - Issue (p. 52); Impact (p. 52); Resolution (p. 52)
- DNS: Forwarding server <IP address> should respond to DNS queries (p. 53)
  - Issue (p. 53); Impact (p. 53); Resolution (p. 54); See Also (p. 54)
- DNS: At least one DNS server on the list of forwarders must respond to DNS queries (p. 54)
  - Issue (p. 55); Impact (p. 55); Resolution (p. 55); See Also (p. 56)
- DNS: The list of forwarding servers must not contain the link-local IP address <IP address> (p. 56)
  - Issue (p. 56); Impact (p. 56); Resolution (p. 57); See Also (p. 57)
- DNS: The list of forwarding servers must not contain the loopback address <IP address> (p. 57)
  - Issue (p. 58); Impact (p. 58); Resolution (p. 58); See Also (p. 58)
- DNS: More than one forwarding server should be configured (p. 59)
  - Issue (p. 59); Impact (p. 59); Resolution (p. 59); See Also (p. 60)
- DNS: Zone <Zone name> master server list must not be empty (p. 60)
  - Issue (p. 60); Impact (p. 60); Resolution (p. 60); See Also (p. 62)
- DNS: Zone <Zone name> update notification list must not be empty (p. 62)
  - Issue (p. 62); Impact (p. 62); Resolution (p. 63); See Also (p. 63)
- DNS: Zone <Zone name> secondary servers list should not be empty (p. 63)
  - Issue (p. 64); Impact (p. 64); Resolution (p. 64); See Also (p. 65)
- DNS: Zone <Zone name> should be present on the secondary server <IP address> configured to receive zone update notifications (p. 65)
  - Issue (p. 65); Impact (p. 65); Resolution (p. 66); See Also (p. 66)
- DNS: Zone <Zone name> scavenging servers should host the zone (p. 66)
  - Issue (p. 67); Impact (p. 67); Resolution (p. 67); Sample Usage (p. 68); See Also (p. 68)
- DNS: The list of root hints must not contain the link-local IP address <IP address> (p. 68)
  - Issue (p. 69); Impact (p. 69); Resolution (p. 69); Additional considerations (p. 70); See Also (p. 70)
- DNS: The list of root hints must not contain the host IP address or loopback address <IP address> (p. 71)
  - Issue (p. 71); Impact (p. 71); Resolution (p. 71); Additional considerations (p. 72); See Also (p. 73)
- DNS: The list of root hints should contain more than one entry (p. 73)
  - Issue (p. 73); Impact (p. 73); Resolution (p. 73); Additional considerations (p. 74); See Also (p. 75)
- DNS: Zone <Zone name> is Active Directory integrated and should be present and configured as primary (p. 75)
  - Issue (p. 75); Impact (p. 75); Resolution (p. 76)
- DNS: Zone <Zone name> is an Active Directory integrated DNS Zone and must be available (p. 76)
  - Issue (p. 76); Impact (p. 76); Resolution (p. 76); See Also (p. 78)
- DNS: Zone <Zone name> is an Active Directory integrated DNS zone and must be configured as primary (p. 79)
  - Issue (p. 79); Impact (p. 79); Resolution (p. 79); See Also (p. 80)
- DNS: Zone <Zone name> transfers from the primary to the secondary DNS server must be successful (p. 80)
  - Issue (p. 81); Impact (p. 81); Resolution (p. 81); See Also (p. 82)
- Best Practices Analyzer for Domain Name System: Operation (p. 82)
  - Best Practices Analyzer and operation rules (p. 82); Topics in this section (p. 82); See Also (p. 83)
- DNS: The DNS server <IP address> on <adapter name> must be able to resolve names in the forest root domain name zone (p. 83)
  - Issue (p. 83); Impact (p. 84); Resolution (p. 84)
- DNS: The DNS server <IP address> on <adapter name> must be able to resolve names in the primary DNS domain zone (p. 85)
  - Issue (p. 85); Impact (p. 85); Resolution (p. 85)
- DNS: The DNS server <IP address> on <adapter name> must resolve Global Catalog resource records for the domain controller (p. 86)
  - Issue (p. 87); Impact (p. 87); Resolution (p. 87)
- DNS: The DNS server <IP address> on <adapter name> must resolve Kerberos resource records for the domain controller (p. 88)
  - Issue (p. 88); Impact (p. 88); Resolution (p. 89)
- DNS: The DNS server <IP address> on <adapter name> must resolve LDAP resource records for the domain controller (p. 90)
  - Issue (p. 90); Impact (p. 90); Resolution (p. 90)
- DNS: The DNS server <IP address> on <adapter name> must resolve PDC RRs for the domain controller (p. 91)
  - Issue (p. 92); Impact (p. 92); Resolution (p. 92)
- DNS: The DNS server <IP address> on <adapter name> must resolve the name of this computer (p. 93)
  - Impact (p. 93); Resolution (p. 93)
- DNS: DNS servers assigned to the network adapter should respond consistently (p. 94)
  - Issue (p. 95); Impact (p. 95)

Resolution......................................................................................................................... 95

See Also........................................................................................................................... 96

DNS: Zone <Zone name> master servers must respond to queries for the zone....................... 96

Issue................................................................................................................................. 96

Impact.............................................................................................................................. 96

Resolution......................................................................................................................... 96

See Also........................................................................................................................... 98

DNS: Zone <Zone name> secondary servers must respond to queries for the zone................. 98

Issue................................................................................................................................. 98

Impact.............................................................................................................................. 98

Resolution......................................................................................................................... 99

See Also......................................................................................................................... 100

DNS: Zone <Zone name> master server <IP address> must respond to queries for the zone.. 100

Issue............................................................................................................................... 101

Impact............................................................................................................................. 101

Resolution....................................................................................................................... 101

See Also......................................................................................................................... 102

DNS: Zone <Zone name> secondary server <IP address> should respond to queries for the zone            103

Issue............................................................................................................................... 103

Impact............................................................................................................................. 103

Resolution....................................................................................................................... 103

See Also......................................................................................................................... 105

DNS: Root hint server <IP address> must respond to NS queries for the root zone................ 105

Issue............................................................................................................................... 105

Impact............................................................................................................................. 106

Resolution....................................................................................................................... 106

Additional considerations................................................................................................. 107

See Also......................................................................................................................... 107

DNS: At least one name server in the list of root hints must respond to queries for the root zone 107

Issue............................................................................................................................... 108

Impact............................................................................................................................. 108

Resolution....................................................................................................................... 108

Additional considerations................................................................................................. 109

See Also......................................................................................................................... 109

DNS: The DNS server configured on the adapter <Adapter name> should resolve the name of this computer        110

Issue............................................................................................................................... 110

Impact............................................................................................................................. 110

Resolution....................................................................................................................... 110

DNS: Zone <Zone name> is an Active Directory integrated DNS zone and must be running.... 111

Issue............................................................................................................................... 112

Impact............................................................................................................................. 112

Resolution....................................................................................................................... 112

See Also......................................................................................................................... 113

 

In Windows management, best practices are guidelines that are considered the ideal way, under normal circumstances, to configure a server as defined by experts. While best practice violations are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.

Topics in this section can help you bring DNS running on Windows Server® 2008 or Windows Server® 2008 R2 into compliance with best practices. Content in this section is most valuable to administrators who have completed a Best Practices Analyzer scan of DNS, and who want information about how to interpret and resolve scan results that identify areas of DNS that are noncompliant with best practices.

For more information about Best Practices Analyzer and scans, see Best Practices Analyzer.

· More information about DNS

DNS provides technologies that host records of a distributed DNS database and use the records they host to resolve DNS name queries sent by DNS client computers, such as queries for the names of Web sites or computers in your network or on the Internet.

For more information about DNS, see the DNS page on the Windows Server 2008 TechCenter at http://go.microsoft.com/fwlink/?Linkid=135702.

· See Also

Best Practices Analyzer for Domain Name System: Configuration

Best Practices Analyzer for Domain Name System: Operation

Topics in this section can help you bring DNS running on Windows Server® 2008 or Windows Server® 2008 R2 into compliance with configuration best practices. Content in this section is most valuable to administrators who have completed a Best Practices Analyzer scan of DNS, and who want information about how to interpret and resolve scan results that identify areas of DNS that are noncompliant with configuration best practices.

· Best Practices Analyzer and configuration rules

Configuration rules are applied to identify settings that might require modification for DNS to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent DNS from carrying out its prescribed duties in an enterprise.

For more information about Best Practices Analyzer and scans, see Best Practices Analyzer.

· Topics in this section

· DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers

· DNS: IP addresses that belong to a valid range must be configured on <adapter name>

· DNS: <Adapter name> must have configured DNS servers

· DNS: Network interfaces on <adapter name> must be configured with DNS servers that belong to a valid IP address range

· DNS: <Adapter name> should be configured to use both a preferred and an alternate DNS server

· DNS: <Adapter name> should have static IPv4 settings

· DNS: IP addresses must be configured on <adapter name>

· DNS: Valid network interfaces should precede invalid interfaces in the binding order

· DNS: DNS servers on <Adapter name> should include the loopback address, but not as the first entry

· DNS: If the Global Query Block List is enabled, then it should not be empty

· DNS: Cache locking should be configured to 90% or greater

· DNS: The forwarding timeout value should be 2 to 10 seconds

· DNS: The Hosts file <File name> on the DNS server should be empty

· DNS: Interface <Adapter name> on the DNS server should be configured to register its IP addresses in DNS

· DNS: The DNS server must have root hints or forwarders configured

· DNS: The scavenging interval <Interval value> is within the recommended range

· DNS: The DNS server should have scavenging enabled

· DNS: The scavenging interval <Interval value> is not set to a recommended value

· DNS: Zone <Zone name> has scavenging enabled with recommended parameters

· DNS: Zone <Zone name> has record aging disabled, so scavenging will not occur

· DNS: Zone <Zone name> scavenging server list should not be empty

· DNS: Zone <Zone name> scavenging parameters should be set to default values

· DNS: The socket pool should be enabled with recommended settings

· DNS: The recursion timeout must be greater than the forwarding timeout

· DNS: Forwarding server <IP address> should respond to DNS queries

· DNS: At least one DNS server on the list of forwarders must respond to DNS queries

· DNS: The list of forwarding servers must not contain the link-local IP address <IP address>

· DNS: The list of forwarding servers must not contain the loopback address <IP address>

· DNS: More than one forwarding server should be configured

· DNS: Zone <Zone name> master server list must not be empty

· DNS: Zone <Zone name> update notification list must not be empty

· DNS: Zone <Zone name> secondary servers list should not be empty

· DNS: Zone <Zone name> should be present on the secondary server <IP address> configured to receive zone update notifications

· DNS: Zone <Zone name> scavenging servers should host the zone

· DNS: The list of root hints must not contain the link-local IP address <IP address>

· DNS: The list of root hints must not contain the host IP address or loopback address <IP address>

· DNS: The list of root hints should contain more than one entry

· DNS: Zone <Zone name> is Active Directory integrated and should be present and configured as primary

· DNS: Zone <Zone name> is an Active Directory integrated DNS Zone and must be available

· DNS: Zone <Zone name> is an Active Directory integrated DNS zone and must be configured as primary

· DNS: Zone <Zone name> transfers from the primary to the secondary DNS server must be successful

· See Also

Best Practices Analyzer for Domain Name System: Operation

DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2
Product/Feature: DNS
Severity: Not Critical
Category: Configuration

· Issue

DNS servers should include their own IP addresses on their interface lists of DNS servers. The interfaces on the adapter on the target computer that is a DNS server do not have their own IP addresses in their list of DNS servers.

· Impact

The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers.

· Resolution

Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list.

Configure network adapters on this DNS server to use the loopback address (127.0.0.1) as one of the DNS servers.

To configure DNS for IPv4 loopback addressing

1. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3. Click Advanced, and then click DNS.

4. Click Add, and then type the loopback IP address: 127.0.0.1.

To configure DNS for IPv6 loopback addressing

1. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2. Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

3. Click Advanced, and then click DNS.

4. Click Add, and then type the loopback IP address: 0:0:0:0:0:0:0:1.

 

DNS: IP addresses that belong to a valid range must be configured on <adapter name>

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2
Product/Feature: DNS
Severity: Critical
Category: Configuration

· Issue

Network interfaces must be configured with IP addresses that belong to a valid range. The interfaces on the adapter have IP addresses that belong to the range 169.254.0.0 - 169.254.255.255.

· Impact

Without a valid IP address, the computer will not communicate with other network computers.

Before you install Active Directory Domain Services (AD DS) and DNS on the first domain controller server in a new domain, make sure that the IP address of the server is static, meaning it is not assigned by Dynamic Host Configuration Protocol (DHCP). DNS servers must have static addresses to be sure that they can be located reliably.

· Resolution

Configure a valid IP address on the adapter.

We recommend that you configure the computer to use a static IP address that does not belong to the range 169.254.0.0 - 169.254.255.255. If the DNS server is configured to use an IP address belonging to the range 169.254.0.0 - 169.254.255.255, clients will not be able to resolve the address or locate the DNS server.

To configure IPv4 addressing

1. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3. Click Use the following IP address, and do one of the following:

· For a local area connection, in IP address, Subnet mask, and Default gateway, type the IP address, subnet mask, and default gateway addresses.

· For all other connections, in IP address, type the IP address.

4. Click Use the following DNS server addresses.

5. In Preferred DNS server and Alternate DNS server, type the primary and secondary DNS server addresses.

 

DNS: <Adapter name> must have configured DNS servers

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2
Product/Feature: DNS
Severity: Critical
Category: Configuration

· Issue

Network interfaces must have configured DNS servers. The interfaces on the adapter do not have any DNS servers configured.

· Impact

If DNS servers are not configured, the computer cannot resolve names or connect to network resources. Critical operations related to Active Directory Domain Services (AD DS) might also fail.

Before you install AD DS and DNS on the first domain controller server in a new domain, make sure that the IP addresses of two DNS servers are configured in the TCP/IP settings properties so that they can be located reliably.

· Resolution

Configure at least two DNS servers per interface.

We recommend that you configure the computer to use a static IP address and at least two DNS servers. If the DNS server uses a DHCP-assigned dynamic address, then when the DHCP server assigns it a new IP address, DNS clients that are still configured with the previous IP address will no longer be able to reach the DNS server.

To configure primary and secondary DNS IPv4 addresses

1. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3. Click Use the following DNS server addresses.

4. In Preferred DNS server and Alternate DNS server, type the primary and secondary DNS server addresses.

To configure primary and secondary DNS IPv6 addresses

1. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2. Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

3. Click Use the following DNS server addresses.

4. In Preferred DNS server and Alternate DNS server, type the primary and secondary DNS server addresses.

 

DNS: Network interfaces on <adapter name> must be configured with DNS servers that belong to a valid IP address range

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2
Product/Feature: DNS
Severity: Critical
Category: Configuration

· Issue

Network interfaces must be configured with DNS servers that belong to a valid IP address range. The interfaces on the adapter are configured with a DNS server that belongs to the 169.254.0.0 - 169.254.255.255 range.

· Impact

A DNS server that belongs to an IP address range that is not valid can prevent this computer from resolving names and connecting to network resources.

Before you install Active Directory Domain Services (AD DS) and DNS on the first domain controller server in a new domain, make sure that the IP address of the server is static, meaning it is not assigned by Dynamic Host Configuration Protocol (DHCP). DNS servers must have static addresses to be sure that they can be located reliably.

· Resolution

Remove all invalid or unresponsive DNS servers.

We recommend that you configure the computer to use a static IP address. If the DNS server uses a DHCP-assigned dynamic address, then when the DHCP server assigns it a new IP address, DNS clients that are still configured with the previous IP address will no longer be able to reach the DNS server.

To configure valid DNS server addresses

1. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3. Click Use the following DNS server addresses.

4. In Preferred DNS server and Alternate DNS server, type addresses that are not in the 169.254.0.0 - 169.254.255.255 range.

5. Click Advanced, and then click DNS.

6. Click Edit or Remove to change any IP addresses in the 169.254.0.0 - 169.254.255.255 range.

 

DNS: <Adapter name> should be configured to use both a preferred and an alternate DNS server

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2
Product/Feature: DNS
Severity: Not Critical
Category: Configuration

· Issue

Network interfaces should be configured to use both a preferred and an alternate DNS server. The interfaces on the adapter have only the preferred DNS server configured.

· Impact

The use of a single DNS server per interface does not allow for redundancy and failover. If the configured DNS server becomes unavailable, the computer cannot resolve names and will not connect to other resources.

Before you install Active Directory Domain Services (AD DS) and DNS on the first domain controller server in a new domain, ensure that the IP addresses of two DNS servers are configured in the TCP/IP settings properties to ensure that they can be located reliably.

· Resolution

Configure at least two DNS servers per interface.

We recommend that you configure the computer to use a static IP address and at least two DNS servers. If the DNS server uses a DHCP-assigned dynamic address, then when the DHCP server assigns it a new IP address, DNS clients that are still configured with the previous IP address will no longer be able to reach the DNS server.

To configure primary and secondary DNS IPv4 addresses

1. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3. Click Use the following DNS server addresses.

4. In Preferred DNS server and Alternate DNS server, type the primary and secondary DNS server addresses.

To configure primary and secondary DNS IPv6 addresses

1. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2. Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

3. Click Use the following DNS server addresses.

4. In Preferred DNS server and Alternate DNS server, type the primary and secondary DNS server addresses.

 

DNS: <Adapter name> should have static IPv4 settings

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2
Product/Feature: DNS
Severity: Not Critical
Category: Configuration

· Issue

Network interfaces should have static IP settings. The interfaces on the adapter have dynamically assigned Internet Protocol version 4 (IPv4) addresses.

· Impact

Dynamic IP addresses can change, preventing clients from locating server resources.

Before you install Active Directory Domain Services (AD DS) and DNS on the first domain controller server in a new domain, ensure that the IP address of the server is static, meaning it is not assigned by Dynamic Host Configuration Protocol (DHCP). DNS servers must have static addresses to ensure that they can be located reliably.

· Resolution

Configure a static IP address on the interface.

We recommend that you configure the computer to use a static IP address. If the DNS server uses a DHCP-assigned dynamic address, then when the DHCP server assigns it a new IP address, DNS clients that are still configured with the previous IP address will no longer be able to reach the DNS server.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To configure static IPv4 addressing

1. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3. Click Use the following IP address, and do one of the following:

· For a local area connection, in IP address, Subnet mask, and Default gateway, type the IP address, subnet mask, and default gateway addresses.

· For all other connections, in IP address, type the IP address.

4. Click Use the following DNS server addresses.

5. In Preferred DNS server and Alternate DNS server, type the primary and secondary DNS server addresses.

To configure static IPv6 addressing

1. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2. Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

3. Click Use the following IP address, and do one of the following:

· For a local area connection, in IP address, Subnet mask, and Default gateway, type the IP address, subnet mask, and default gateway addresses.

· For all other connections, in IP address, type the IP address.

4. Click Use the following DNS server addresses.

5. In Preferred DNS server and Alternate DNS server, type the primary and secondary DNS server addresses.

 

DNS: IP addresses must be configured on <adapter name>

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2
Product/Feature: DNS
Severity: Critical
Category: Configuration

· Issue

There are no IP addresses associated with the interfaces on the adapter.

· Impact

The computer cannot communicate with other computers on the network.

If a network adapter is not active or is not configured with a valid IP address, it will be unable to communicate on the network.

· Resolution

Configure valid IP addresses on the DNS server.

Review the status of network adapters on this computer. Configure the computer to use a static IP address for communication on the network.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To configure IPv4 addressing

1. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3. Click Use the following IP address, and do one of the following:

· For a local area connection, in IP address, Subnet mask, and Default gateway, type the IP address, subnet mask, and default gateway addresses.

· For all other connections, in IP address, type the IP address.

4. Click Use the following DNS server addresses.

5. In Preferred DNS server and Alternate DNS server, type the primary and secondary DNS server addresses.

To configure IPv6 addressing

1. Click Start, double-click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2. Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

3. Click Use the following IP address, and do one of the following:

· For a local area connection, in IP address, Subnet mask, and Default gateway, type the IP address, subnet prefix, and default gateway addresses.

· For all other connections, in IP address, type the IP address.

4. Click Use the following DNS server addresses.

5. In Preferred DNS server and Alternate DNS server, type the primary and secondary DNS server addresses.
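The adapter-level rules documented in the topics above (own address or loopback in the DNS server list but not as the first entry, no addresses in the 169.254.0.0 - 169.254.255.255 range, DNS servers configured and in a valid range, both a preferred and an alternate DNS server, static IPv4 settings, IP addresses present) can be re-checked from PowerShell before or after a BPA scan. This is an added example, not code from DNS_BPA.DOC or from the MBCA/BPA model; it assumes the WMI class Win32_NetworkAdapterConfiguration (present on Windows Server 2008 and 2008 R2), and the adapter name and addresses in the sample calls are constructed.

```powershell
# Added example: re-checks the adapter-level DNS rules documented above.
# Not part of DNS_BPA.DOC or of the MBCA/BPA model itself.

function Test-AdapterDnsBestPractice {
    param(
        [string]$AdapterName,
        [string[]]$IPAddress,   # every IP address bound to the adapter
        [string[]]$DnsServers,  # DNS servers in search order (preferred first)
        [bool]$DhcpEnabled      # IPv4 address assigned by DHCP
    )
    # Normalise $null / empty entries so .Count is reliable on PowerShell 2.0
    $IPAddress  = @($IPAddress  | Where-Object { $_ })
    $DnsServers = @($DnsServers | Where-Object { $_ })

    # Link-local (APIPA) range 169.254.0.0 - 169.254.255.255 flagged by the rules above
    $apipa    = '^169\.254\.'
    $loopback = @('127.0.0.1', '::1', '0:0:0:0:0:0:0:1')
    $findings = @()

    if ($IPAddress.Count -eq 0) {
        $findings += "Critical: IP addresses must be configured on $AdapterName"
    }
    elseif (@($IPAddress | Where-Object { $_ -match $apipa }).Count -gt 0) {
        $findings += "Critical: IP addresses that belong to a valid range must be configured on $AdapterName"
    }
    if ($DhcpEnabled) {
        $findings += "Not Critical: $AdapterName should have static IPv4 settings"
    }
    if ($DnsServers.Count -eq 0) {
        $findings += "Critical: $AdapterName must have configured DNS servers"
        return $findings   # the remaining checks need a DNS server list
    }
    if (@($DnsServers | Where-Object { $_ -match $apipa }).Count -gt 0) {
        $findings += "Critical: DNS servers on $AdapterName must belong to a valid IP address range"
    }
    if ($DnsServers.Count -lt 2) {
        $findings += "Not Critical: $AdapterName should be configured to use both a preferred and an alternate DNS server"
    }
    # The DNS server should list itself (one of its own addresses or the loopback address) ...
    $self = @($loopback) + @($IPAddress)
    if (@($DnsServers | Where-Object { $self -contains $_ }).Count -eq 0) {
        $findings += "Not Critical: DNS servers on $AdapterName should include their own IP addresses"
    }
    # ... but the loopback address must not be the first (preferred) entry
    if ($loopback -contains $DnsServers[0]) {
        $findings += "Not Critical: DNS servers on $AdapterName should include the loopback address, but not as the first entry"
    }
    return $findings
}

function Get-AdapterDnsFindings {
    # Live data: Win32_NetworkAdapterConfiguration is available on Windows Server 2008 / 2008 R2
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            Test-AdapterDnsBestPractice -AdapterName $_.Description `
                -IPAddress $_.IPAddress -DnsServers $_.DNSServerSearchOrder `
                -DhcpEnabled ([bool]$_.DHCPEnabled)
        }
}

# Constructed sample (not from a real server): an adapter that breaks several rules at once,
# with an APIPA address, a DHCP-assigned address, one DNS server, and loopback listed first.
$bad = Test-AdapterDnsBestPractice -AdapterName 'Local Area Connection' `
    -IPAddress @('169.254.12.7') -DnsServers @('127.0.0.1') -DhcpEnabled $true
$bad | ForEach-Object { Write-Output $_ }

# Constructed compliant sample: static address, the server's own address first, loopback second.
$good = Test-AdapterDnsBestPractice -AdapterName 'Local Area Connection' `
    -IPAddress @('10.0.0.5') -DnsServers @('10.0.0.5', '127.0.0.1') -DhcpEnabled $false
if (-not $good) { Write-Output 'Local Area Connection: compliant with the adapter rules' }

# On a live server, run Get-AdapterDnsFindings to check every IP-enabled adapter.
```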

 

DNS: Valid network interfaces should precede invalid interfaces in the binding order

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2
Product/Feature: DNS
Severity: Critical
Category: Operation

· Issue

Valid network interfaces should precede invalid interfaces in the binding order. A disabled or invalid adapter precedes a valid adapter in the network interface binding order list.

· Impact

The binding order determines when network interfaces will be used to make network connections by the computer. A disabled adapter high in the binding order can degrade performance.

· Resolution

Move all disabled and invalid interfaces to the bottom of the binding order list.

Configure the binding order so that the primary network interface used to communicate with DNS clients is first in the list. Configure interfaces that connect to secondary or backup networks lower in the binding order. Move all disabled or invalid interfaces to the bottom of the binding order, or remove them from the list.

To move all disabled and invalid interfaces to the bottom of the binding order list

1. Click Start, click Network, click Network and Sharing Center, and then click Manage Network Connections.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

 

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

·                   Issue

The network adapter does not list the loopback IP address as a DNS server, or it is configured as the first DNS server on this adapter.

The loopback IP address should be configured as one of the DNS servers on each active network adapter. To add the loopback address, configure IPv4 properties to use 127.0.0.1 as a DNS server. To configure IPv6 properties, add 0:0:0:0:0:0:0:1 as a DNS server.

·                   Impact

If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners.

The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers.

·                   Resolution

Configure adapter settings to add the loopback IP address to the list of DNS servers on all active interfaces, but not as the first server in the list.

Configure network adapters on this DNS server to use the loopback address (127.0.0.1 or 0:0:0:0:0:0:0:1) as one of the DNS servers, but not as the first DNS server on the list. If the loopback address is configured as the first DNS server, then configure another DNS server first.
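The rule above has two halves (the loopback address must be present, but must not be first) and one caveat (a domain controller that points only to itself can become an island). The following is an added example, not code from the BPA documentation or from Microsoft: it evaluates one adapter's ordered DNS server list against those conditions and proposes a compliant order. The adapter data passed in is constructed; on a real server you would feed it the "in order of use" list from the adapter's advanced DNS settings.

```python
"""Loopback-in-DNS-server-list check (added example, not the BPA's own code).

Rule modelled: the loopback address (127.0.0.1 or 0:0:0:0:0:0:0:1) should be
one of the DNS servers on each active adapter, but not the first one.
"""
import ipaddress

# Both loopback forms the rule mentions; ipaddress normalises 0:0:0:0:0:0:0:1 to ::1.
LOOPBACKS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def is_loopback(addr: str) -> bool:
    """True for the IPv4 or IPv6 loopback address in any textual form."""
    try:
        return ipaddress.ip_address(addr) in LOOPBACKS
    except ValueError:
        return False  # not an IP address at all


def check_dns_server_list(servers):
    """Evaluate one adapter's DNS server list (in order of use).

    Returns (verdict, detail) where verdict is one of:
      'ok'               - loopback present and not first
      'loopback-missing' - no loopback entry (or no servers at all)
      'loopback-first'   - loopback is the first server in the list
      'island'           - only loopback entries: the server points solely to
                           itself, the domain-controller island case
    """
    if not servers:
        return "loopback-missing", "no DNS servers configured on this adapter"
    flags = [is_loopback(s) for s in servers]
    if all(flags):
        return "island", "adapter points only to itself; add another DNS server first"
    if not any(flags):
        return "loopback-missing", "add 127.0.0.1 or ::1 after the other DNS servers"
    if flags[0]:
        return "loopback-first", "move %s below another DNS server" % servers[0]
    return "ok", ""


def fixed_order(servers):
    """Reorder the list so every loopback entry follows the non-loopback ones.

    Preserves the relative order of the other servers, so an existing
    preferred/alternate ordering is kept.
    """
    non_loop = [s for s in servers if not is_loopback(s)]
    loop = [s for s in servers if is_loopback(s)]
    return non_loop + loop


if __name__ == "__main__":
    # Constructed adapter configurations.
    for name, servers in [
        ("LAN (good)", ["10.0.0.10", "127.0.0.1"]),
        ("LAN (loopback first)", ["127.0.0.1", "10.0.0.10"]),
        ("LAN (no loopback)", ["10.0.0.10", "10.0.0.11"]),
        ("DC (island)", ["0:0:0:0:0:0:0:1"]),
    ]:
        verdict, detail = check_dns_server_list(servers)
        print("%-22s %-16s %s" % (name, verdict, detail))
```

The check deliberately treats a list made up only of loopback entries as the island case described in the Impact text; it does not know the adapter's own non-loopback address, so a server that lists its own interface IP alone would need that address passed in as well to be caught.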

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure IPv4 DNS settings

1.   On the DNS server, click Start, click Run, type control netconnections, and then click OK.

2.   Right-click the network adapter you wish to configure, and then click Properties.

3.   Click Internet Protocol Version 4 (TCP/IPv4), click Properties, and then click Advanced.

4.   On the DNS tab, under DNS server addresses, in order of use, click Add, type the IP address of the DNS server you wish to add, and then click Add. To add the IPv4 loopback address, type 127.0.0.1.

5.   To change the order of DNS servers, click the UP arrow or the DOWN arrow on the right side of the list. When you have completed configuring the list of DNS servers, click OK twice, and then click Close.

To configure IPv6 DNS settings

1.   On the DNS server, click Start, click Run, type control netconnections, and then click OK.

2.   Right-click the network adapter you wish to configure, and then click Properties.

3.   Click Internet Protocol Version 6 (TCP/IPv6), click Properties, and then click Advanced.

4.   On the DNS tab, under DNS server addresses, in order of use, click Add, type the IP address of the DNS server you wish to add, and then click Add. To add the IPv6 loopback address, type 0:0:0:0:0:0:0:1.

5.   To change the order of DNS servers, click the UP arrow or the DOWN arrow on the right side of the list. When you have completed configuring the list of DNS servers, click OK twice, and then click Close.

·                   See Also

DNS Server becomes an island when a domain controller points to itself for the _msdcs.ForestDnsName domain

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

·                   Issue

The DNS Global Query Block List is enabled but empty. The default strings "wpad" and "isatap" have been removed.

If the Global Query Block List is enabled, it should not be empty. By default, the host names “wpad” and “isatap” are included in the list. You should not disable the block list feature by removing the default names.

·                   Impact

Users might register DNS names that have special significance. By default, the Global Query Block List contains the strings "wpad" and "isatap".

The Global Query Block List is a list of host names that the DNS server ignores. If the block list is enabled on a DNS server and it receives a query for a zone for which it is authoritative, the DNS server checks the leftmost portion of the name. If the query matches an entry in the block list, the DNS server replies to the query as though no resource record existed, even if there is a host (A or AAAA) resource record in the zone for the name. This prevents hosts that might have registered names with special significance in your organization from diverting certain types of network traffic to that host.

·                   Resolution

Disable the Global Query Block List, or add the strings "wpad" and "isatap" to the list if you do not have these services deployed in your environment.

Important

All DNS servers that are authoritative for a zone must be configured with the same block list to ensure consistent results. The block list is a per-server setting and is not replicated between servers.

When you enable the Global Query Block List, the Web Proxy Auto-Discovery (WPAD) protocol and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are blocked by default. WPAD is used by most web browsers to locate and apply configuration settings that make it possible for the web browsers to use a network proxy server. ISATAP provides a transition between networks that are based on IP version 4 (IPv4) and networks that are based solely on the newer IP version 6 (IPv6). If you have one of these services deployed on your network, remove the appropriate name from the block list or disable the Global Query Block List feature. Do not configure an empty block list.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To enable or disable the global query block list

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

dnscmd [<ServerName>] /config /enableglobalqueryblocklist 0|1

 

Value

Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.

/config

Required. Modifies the configuration of the DNS server.

/enableglobalqueryblocklist

Required. Specifies that the command enables or disables the global query block list.

0|1

Specifies whether to enable or disable the global query block list. If you want the DNS Server service to ignore queries for the names in the block list, you set the value of the command to 1. If you want to disable the global query block list, you set the value to 0.

 

To view the global query block list

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

dnscmd [<ServerName>] /info /globalqueryblocklist

 

Value

Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.

/info

Required. Specifies that the command is to return information only.

/globalqueryblocklist

Required. Specifies that the command applies to the global query block list.

 

To update the global query block list

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

dnscmd [<ServerName>] /config /globalqueryblocklist [<name> [<name>]...]

 

Value

Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.

/config

Required. Modifies the configuration of the DNS server.

/globalqueryblocklist

Required. Specifies that the command applies to the global query block list.

<name>

Specifies the host names that are to be inserted into the global query block list. Separate multiple names with blank spaces.

Important

The command replaces all names in the list with the names you specify. Therefore, to add a name to the list you must also include all existing names in the list. If you do not specify a name, all names are removed from the global query block list.
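Two points in this topic are easy to get wrong in practice: the block list matches only the leftmost label of a query for a zone the server is authoritative for (Impact section above), and /config /globalqueryblocklist replaces the whole list rather than appending to it (Important note above). The following is an added example, not code from the BPA documentation or from Microsoft, that models both: it evaluates the rule (enabled but empty is the warning), simulates how an authoritative server answers when the leftmost label is blocked, and builds the dnscmd command line that adds a name while keeping the names already in the list. The zone data and the extra name "autoconfig" are constructed.

```python
"""Global Query Block List semantics (added example, not the BPA's own code)."""

DEFAULT_BLOCK_LIST = ("wpad", "isatap")


def evaluate_block_list_rule(enabled: bool, block_list) -> str:
    """Return the BPA verdict for the current block-list configuration."""
    if enabled and not block_list:
        return "warning: block list enabled but empty"
    if not enabled:
        return "ok: block list disabled"
    return "ok: block list enabled with %d name(s)" % len(block_list)


def answer_query(qname: str, zone: str, zone_records: dict, enabled: bool, block_list):
    """Simulate an authoritative answer for a host (A/AAAA) query.

    zone_records maps lower-case FQDN -> list of addresses. If the block list is
    enabled and the leftmost label of the query matches an entry, the server
    replies as though no resource record existed, even when one is in the zone.
    """
    fqdn = qname.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if fqdn != zone and not fqdn.endswith("." + zone):
        raise ValueError("not authoritative for %s" % qname)
    if fqdn == zone:
        return list(zone_records.get(fqdn, []))  # apex: no host label to check
    leftmost = fqdn.split(".")[0]
    blocked = {n.lower() for n in block_list}
    if enabled and leftmost in blocked:
        return []  # answered as if the name had no records
    return list(zone_records.get(fqdn, []))


def build_update_command(existing, new_names, server="."):
    """Build the dnscmd line that adds names without dropping the existing ones.

    Because /config /globalqueryblocklist replaces the list, the existing
    names must be repeated on the command line.
    """
    merged = list(existing)
    seen = {m.lower() for m in merged}
    for n in new_names:
        if n.lower() not in seen:
            merged.append(n)
            seen.add(n.lower())
    return "dnscmd %s /config /globalqueryblocklist %s" % (server, " ".join(merged))


if __name__ == "__main__":
    # Constructed zone: someone registered a host named "wpad".
    zone = "corp.example.com"
    records = {
        "wpad.corp.example.com": ["10.0.0.5"],
        "www.corp.example.com": ["10.0.0.6"],
    }
    print(evaluate_block_list_rule(True, []))
    print(answer_query("wpad.corp.example.com", zone, records, True, DEFAULT_BLOCK_LIST))
    print(answer_query("wpad.corp.example.com", zone, records, False, DEFAULT_BLOCK_LIST))
    print(build_update_command(DEFAULT_BLOCK_LIST, ["autoconfig"]))
```

Note that a name such as wpad.sub.corp.example.com is also blocked, because its leftmost label is still "wpad", while www-wpad.corp.example.com is not, because the match is on the whole label rather than a substring.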

 

·                   Additional considerations

·      To determine whether the global query block list is enabled, type the following command at a command prompt:

dnscmd <ServerName> /info /enableglobalqueryblocklist

If the command returns a value of 1, the global query block list is enabled. If the command returns a value of 0, the global query block list is not enabled.

·                   See Also

Managing the Global Query Block List

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

·                   Issue

The cache locking value is less than 90%. By default, the cache locking value is 100%.

Cache locking provides for enhanced security against cache poisoning attacks.

·                   Impact

A low cache locking value increases the chance of a successful cache poisoning attack. Network traffic might be directed to a malicious site.

·                   Resolution

Configure the cache locking value to be 90% or greater.

Cache locking is configured as a percent value. For example, if the cache locking value is set to 50, then the DNS server will not overwrite a cached entry for half of the duration of the TTL. By default, the cache locking percent value is 100. This means that cached entries will not be overwritten for the entire duration of the TTL. The cache locking value is stored in the CacheLockingPercent registry key. If the registry key is not present, then the DNS server will use the default cache locking value of 100.
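The paragraph above describes cache locking as a fraction of the TTL during which a cached entry cannot be overwritten. The following is an added example, not code from the BPA documentation or from Microsoft: a minimal resolver cache that applies a CacheLockingPercent value when a second, different answer for an already cached name arrives, plus the rule evaluation (a missing registry value means the default of 100; anything below 90 is the warning). Timestamps are plain seconds so the arithmetic is visible; names and addresses are constructed.

```python
"""Cache locking model (added example, not the BPA's own code).

With CacheLockingPercent = P, an entry inserted at time t0 with TTL ttl cannot
be overwritten before t0 + ttl * P/100. At P = 100 it is protected for the
whole TTL; at P = 0 any later answer may replace it immediately.
"""

DEFAULT_CACHE_LOCKING_PERCENT = 100


def evaluate_cache_locking_rule(cache_locking_percent):
    """cache_locking_percent: value read from the registry, or None if absent.

    Returns (verdict, effective_value).
    """
    value = (DEFAULT_CACHE_LOCKING_PERCENT if cache_locking_percent is None
             else cache_locking_percent)
    if not 0 <= value <= 100:
        raise ValueError("CacheLockingPercent must be between 0 and 100")
    return ("ok" if value >= 90 else "warning"), value


class LockingCache:
    """A resolver cache that honours a cache-locking percentage."""

    def __init__(self, locking_percent=DEFAULT_CACHE_LOCKING_PERCENT):
        self.percent = locking_percent
        self.entries = {}  # name -> (rdata, inserted_at, ttl)

    def store(self, name, rdata, ttl, now):
        """Cache an answer for a name that is not currently cached."""
        self.entries[name] = (rdata, now, ttl)

    def lookup(self, name, now):
        """Return cached data, expiring the entry if its TTL has elapsed."""
        entry = self.entries.get(name)
        if entry is None:
            return None
        rdata, inserted, ttl = entry
        if now >= inserted + ttl:
            del self.entries[name]
            return None
        return rdata

    def locked_until(self, name):
        """Time before which the cached entry must not be overwritten."""
        _, inserted, ttl = self.entries[name]
        return inserted + ttl * self.percent / 100.0

    def try_overwrite(self, name, rdata, ttl, now):
        """Offer new data for a name; True if the cache accepted it.

        An expired or absent entry is simply replaced. A live entry is only
        replaced once the locked fraction of its TTL has passed.
        """
        if self.lookup(name, now) is None:
            self.entries[name] = (rdata, now, ttl)
            return True
        if now < self.locked_until(name):
            return False  # still locked
        self.entries[name] = (rdata, now, ttl)
        return True


if __name__ == "__main__":
    cache = LockingCache(locking_percent=50)
    cache.store("www.example.com", "203.0.113.10", ttl=3600, now=0)
    # Constructed second answer for the same name, 1000 s later: locked.
    print(cache.try_overwrite("www.example.com", "203.0.113.99", 3600, now=1000))
    # 1800 s later the 50% lock window has passed: accepted.
    print(cache.try_overwrite("www.example.com", "203.0.113.99", 3600, now=1800))
    print(evaluate_cache_locking_rule(None), evaluate_cache_locking_rule(50))
```

Note the pitfall in the parameter table below: running dnscmd /Config /CacheLockingPercent without a value sets the percentage to 0, which in this model makes every entry overwritable at once.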

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure cache locking

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

dnscmd /Config /CacheLockingPercent <percent>

3.   Restart the DNS Server service.

 

Parameter

Description

dnscmd

The command-line tool for managing DNS servers.

/Config

Required. Allows the user to change a value in the Windows Registry.

/CacheLockingPercent

Required. Specifies the CacheLockingPercent registry key.

<percent>

Optional. Specifies the cache locking percent, from 0 to 100 in decimal format. If no value is entered, the cache locking percent is set to 0.

 

Tip

Use the /Info command to view the current value of a registry key, for example: Dnscmd /Info /CacheLockingPercent.

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

·                   Issue

The forwarding timeout value is less than 2 seconds or greater than 10 seconds.

The forwarding server needs to be given a reasonable amount of time to answer a DNS query. For example, a forwarding server that has root hints enabled may have to query on the Internet for an answer, which can require additional time. If the forwarding timeout value is too small, the DNS server might not have time to complete an Internet query. However, a forwarding timeout value that is too large can also cause DNS query failures when DNS queries time out. The default timeout for DNS queries from clients running a Microsoft Windows operating system is 15 seconds.

·                   Impact

The timeout value is not within the recommended range of 2 to 10 seconds. DNS resolution failures can occur if the value is too small. A timeout value of more than 10 seconds can cause DNS resolution delays.

If the forwarding timeout value is set to a small value, the forwarding server may not have sufficient time to respond, causing DNS queries to fail. If the forwarding timeout value is set to a large value, then the DNS server may wait for a long time for the forwarding server to respond. This can cause delays and timeouts when responding to DNS queries.

If a forwarding server does not respond before the timeout value, the DNS server forwards the query to the next server in the forwarders list. If none of the servers respond in time, the DNS server responds to the original query based on whether or not recursion is enabled on the DNS server. If the Use root hints if no forwarders are available check box is cleared and forwarding servers do not respond, then the server will attempt to resolve the query with iterative DNS queries. If Use root hints if no forwarders are available is enabled and forwarding servers do not respond, the DNS server will send a SERVER_FAILURE response to the DNS client.

Important

Due to a code defect in Windows Server® 2008, the checkbox next to Use root hints if no forwarders are available actually configures the opposite behavior. The code defect is fixed if the DNS server is running Windows Server® 2008 R2. In Windows Server 2008, you must clear the checkbox next to Use root hints if no forwarders are available to use recursion when forwarding servers do not respond.

·                   Resolution

Configure the forwarding timeout value to a value between 2 seconds and 10 seconds.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the forwarding timeout value using the Windows interface

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the name of the DNS server and then click Properties.

3.   On the Forwarders tab, click the IP address of the forwarder you wish to configure, and then click Edit.

4.   Type the forwarding timeout value next to Number of seconds before forward queries time out and then click OK twice. By default, the DNS server waits three seconds for a response from one forwarder IP address before it tries another forwarder IP address.

To configure the forwarding timeout value using a command line

1.   Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2.   At the command prompt, type the following command, and then press ENTER:

dnscmd <ServerName> /ResetForwarders <MasterIPaddress ...> [/TimeOut <Time>] [/Slave]

 

Parameter

Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ResetForwarders

Required. Configures a forwarder.

<MasterIPaddress...>

Required. Specifies a space-separated list of one or more IP addresses of the DNS servers to which queries are forwarded.

/TimeOut

Specifies the timeout setting. The timeout setting is the number of seconds before unsuccessful forward queries time out.

<Time>

Specifies the value for the /TimeOut parameter. The value is in seconds. The default timeout is three seconds.

/Slave

Determines whether or not the DNS server uses recursion.

 

To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:

dnscmd /ResetForwarders /help

·                   See Also

Toggling the "Use root hints if no forwarders are available" Checkbox Results in the Opposite Behavior in Windows Server 2008 DNS Manager Snap-in

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

·                   Issue

The Hosts file on the DNS server is not empty.

·                   Impact

Errors in the Hosts file on a DNS server can cause problems with name resolution on your network.

The Hosts file is an alternative way to resolve names on your network. By default, host-to-IP-address mappings that are configured in the Hosts file supersede the information in DNS. If there is an entry for a domain name in the Hosts file, then the server will not attempt to query DNS servers for that name. Instead, the IP address that is configured in the Hosts file will be used. If the IP address corresponding to a name changes and the Hosts file is not updated, you may be unable to connect to the host.

Entries in the following files can cause unexpected results during name resolution.

·      %windir%\system32\drivers\etc\hosts

·      %windir%\system32\drivers\etc\hosts.ics

·      %windir%\system32\drivers\etc\lmhosts

Tip

The file %windir%\system32\drivers\etc\lmhosts.sam is a sample file that does not affect name resolution unless you remove the .sam file extension, renaming it to lmhosts.

·                   Resolution

Review the entries in your Hosts file.

The Hosts file is located in the %windir%\system32\drivers\etc directory. Review the information in the Hosts file, remove or comment out the entries and, if appropriate, add them to your authoritative DNS server. In the following procedure, replace %windir%\system32\drivers\etc\hosts with the location and filename of the Hosts file you wish to review or configure.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To review information in the Hosts file

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

type %windir%\system32\drivers\etc\hosts

To configure the Hosts file

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

notepad %windir%\system32\drivers\etc\hosts

3.   Lines that begin with a “#” are treated as comments and are inactive. Add a “#” at the beginning of any line with a host entry you wish to inactivate, or delete the line from the Hosts file.

4.   When you have completed configuring the Hosts file, click File, click Save, and then close Notepad.
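The review above is done by eye in Notepad. The following is an added example, not code from the BPA documentation or from Microsoft, that does the same review programmatically: it parses the Hosts file format described in step 3 (an address followed by one or more names, with "#" starting a comment), lists the active entries, flags entries whose address disagrees with what authoritative DNS holds (the stale-mapping failure the Impact text describes), and writes out a copy with the active entries commented out. The sample file contents and the DNS data are constructed; point it at %windir%\system32\drivers\etc\hosts to review a real server.

```python
"""Hosts file review helper (added example, not the BPA's own code)."""

# Constructed sample: commented-out defaults plus two active entries.
SAMPLE_HOSTS = """\
# Sample Hosts file (constructed for this example)
#
# 192.0.2.50     build.corp.example.com     # inactive entry

# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
10.0.0.25   intranet.corp.example.com   intranet   # active entry
192.0.2.7   payroll.corp.example.com
"""


def parse_hosts(text):
    """Return [(line_number, ip, [names])] for every active (non-comment) line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, inline too
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no name maps nothing; ignore it
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def is_effectively_empty(text):
    """True when the file contains only blank lines and comments."""
    return not parse_hosts(text)


def find_stale(text, dns_records):
    """Compare active entries with what DNS returns for the same names.

    dns_records maps lower-case FQDN -> address. Returns (name, hosts_ip, dns_ip)
    for every name where the Hosts file would override DNS with a different
    address, which is the case that breaks connectivity after an IP change.
    """
    stale = []
    for _, ip, names in parse_hosts(text):
        for name in names:
            dns_ip = dns_records.get(name.lower())
            if dns_ip is not None and dns_ip != ip:
                stale.append((name, ip, dns_ip))
    return stale


def comment_out_active(text):
    """Return the file with every active entry disabled by a leading '#'."""
    out = []
    for raw in text.splitlines():
        out.append("# " + raw if raw.split("#", 1)[0].strip() else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    # Optional path argument, e.g. %windir%\system32\drivers\etc\hosts.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for lineno, ip, names in parse_hosts(text):
        print("line %d: %s -> %s" % (lineno, ip, ", ".join(names)))
    # Constructed authoritative data: payroll has moved to a new address.
    for name, hosts_ip, dns_ip in find_stale(text, {"payroll.corp.example.com": "192.0.2.8"}):
        print("stale: %s is %s in Hosts but %s in DNS" % (name, hosts_ip, dns_ip))
```

The parser treats everything after the first "#" on a line as a comment, which is how Windows reads the file, so a trailing comment does not hide an active mapping.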

 

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Error

Category

Configuration

 

·                   Issue

The interface <Adapter name> is not configured to register its addresses in DNS.

The checkbox Register this connection’s addresses in DNS is not enabled in advanced TCP/IP settings on the network adapter. This interface will not register its IP address in DNS, which can cause DNS resolution errors.

·                   Impact

IP addresses on the interface will not be automatically registered in DNS.

If the network interface on a DNS server is not configured to register in DNS, client computers may not be able to locate the DNS server on the network.

·                   Resolution

Configure the interface <Adapter name> to register the connection's addresses in DNS.

The Register this connection’s addresses in DNS checkbox is specific to the DNS suffix of the network connection. The DNS server will register its hostname in DNS for its primary domain whether or not this checkbox is enabled. If the DNS server is joined to a domain, it will register with DNS. If the DNS server is not joined to a domain, you might need to enable this setting.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To register the network connection’s addresses in DNS using the Windows interface

1.   On the DNS server, click Start, click Run, type control netconnections and then press ENTER.

2.   Right-click the network connection you wish to configure, and then click Properties.

3.   Click Internet Protocol Version 4 (TCP/IPv4) then click Properties.

Tip

If you configure this setting in IPv4 it configures the same setting for IPv6, and vice-versa.

4.   Click Advanced, and on the DNS tab click the checkbox next to Register this connection’s addresses in DNS.

5.   Click OK twice, and then click Close.

·                   Additional considerations

The RegistrationEnabled registry entry specifies that the DNS client service should register all of the network connections of a computer in DNS. This is a global setting that is applied to all interfaces on a computer. If you need to apply this setting to an individual interface, configure the registry entry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interfaceGUID}. The DNS administrator might also wish to restrict some interfaces from registering in DNS.

·                   See Also

IPv4 and IPv6 Advanced DNS tab

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

·                   Issue

If recursion is enabled then either root hints or forwarders must be configured.

If the Use root hints if no forwarders are available checkbox is cleared, then forwarders must be configured to resolve DNS queries for external zones. If the Use root hints if no forwarders are available checkbox is enabled, then root hints must be configured to permit recursion when forwarders are not responding.

·                   Impact

The DNS server will fail to resolve DNS queries for DNS zones for which it is not authoritative.

 

Recursion is not possible on this DNS server with the current configuration.

Important

Due to a code defect in Windows Server® 2008, the checkbox next to Use root hints if no forwarders are available actually configures the opposite behavior. The code defect is fixed if the DNS server is running Windows Server® 2008 R2. In Windows Server 2008, you must clear the checkbox next to Use root hints if no forwarders are available to use recursion when forwarding servers do not respond.

·                   Resolution

Configure root hints or enable forwarding and configure forwarding servers.

If you do not want the server to use recursion, then clear the Use root hints if no forwarders are available checkbox. If the server should use recursion to answer DNS queries, then ensure root hints or forwarders are correctly configured.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure Root Hints

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, click the name of the DNS server you wish to configure.

3.   On the Action menu, click Properties.

4.   Click the Root Hints tab.

5.   Modify server root hints as follows:

·      To add a root server to the list, click Add, and then specify the name and IP address of the server to be added to the list.

·      To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.

·      To remove a root server from the list, select it in the list, and then click Remove.

·      To copy root hints from a DNS server, click Copy from server, and then specify the IP address of the DNS server from which you want to copy a list of root servers to use in resolving queries. These root hints will not overwrite any existing root hints.

To configure forwarders

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, click the name of the DNS server you wish to configure.

3.   On the Action menu, click Properties.

4.   Click the Forwarders tab.

5.   Modify the list of forwarders as follows:

·      To add a forwarder to the list, click Edit, specify the name and IP address of the server to be added to the list, and then click OK.

·      To modify a forwarder in the list, click Edit, click the forwarder you wish to configure, modify the name or IP address of the forwarder, and then click OK.

·      To remove a forwarder from the list, click Edit, click the forwarder you wish to remove, clear the IP address field, and then click OK.

Note

When at least one forwarder is configured in the list, the Use root hints if no forwarders are available checkbox is available. Due to a code defect in Windows Server® 2008, the checkbox actually configures the opposite behavior. This issue is corrected if your DNS server is running Windows Server 2008 R2. The effect of the setting is to configure the IsSlave registry entry.

To view the value of the IsSlave registry entry

1.   Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2.   At the command prompt, type the following command, and then press ENTER:

reg query HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

3.   A list of DNS registry parameters is displayed. In the list, view the value next to IsSlave REG_DWORD.

a.   If the value displayed is 0x0, then the server will attempt to use root hints to resolve DNS queries if forwarders do not respond. Root hints should be configured.

b.   If the value displayed is 0x1, then the server will not attempt to use root hints to resolve DNS queries if forwarders do not respond. If forwarders do not respond, the server will terminate the DNS query and send a SERVER_FAILURE response. Root hints are not required.

c.   If the IsSlave entry is not displayed, then forwarders are not configured on the DNS server.

Do not attempt to configure the IsSlave registry entry manually or the DNS server might fail to start or operate properly. For more information, see IsSlave.
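The three cases in step 3 above, together with the rule statement for this topic (recursion enabled requires root hints or forwarders), can be turned into a check that reads the output of the reg query command instead of interpreting it by eye. The following is an added example, not code from the BPA documentation or from Microsoft. It parses the name / type / data columns that reg query prints, maps IsSlave to the three cases, and combines that with the forwarder and root-hint lists to give a verdict. The registry output shown is constructed for the example; the forwarder and root-hint lists are passed in separately because the page does not document how they are stored.

```python
"""IsSlave interpretation and recursion-rule check (added example, not the
BPA's own code)."""
import re

# One value line of "reg query" output: leading spaces, name, REG_ type, data.
REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

# Constructed sample of: reg query HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters
    IsSlave    REG_DWORD    0x0
    CacheLockingPercent    REG_DWORD    0x64
"""


def parse_reg_query(output):
    """Return {value_name: data}; REG_DWORD data is converted from hex to int."""
    values = {}
    for line in output.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue  # key path line, blank line, or anything else
        name, rtype, data = m.groups()
        values[name] = int(data, 16) if rtype == "REG_DWORD" else data
    return values


def interpret_is_slave(values):
    """Map the IsSlave entry to the three cases described in the topic."""
    if "IsSlave" not in values:
        return "no-forwarders", "forwarders are not configured on this server"
    if values["IsSlave"] == 0:
        return "fallback-to-root-hints", "root hints are used if forwarders do not respond; configure them"
    return "forward-only", "SERVER_FAILURE is returned if forwarders do not respond; root hints not required"


def evaluate_recursion_rule(recursion_enabled, forwarders, is_slave, root_hints):
    """Apply: if recursion is enabled, root hints or forwarders must be configured.

    is_slave is the IsSlave value (0, 1) or None when the entry is absent.
    """
    if not recursion_enabled:
        return "ok: recursion disabled"
    if forwarders:
        if is_slave == 1:
            return "ok: forwarders configured, forward-only"
        if root_hints:
            return "ok: forwarders configured with root-hint fallback"
        return "warning: IsSlave is 0 but no root hints are configured"
    if root_hints:
        return "ok: root hints configured"
    return "warning: recursion enabled but neither root hints nor forwarders are configured"


if __name__ == "__main__":
    values = parse_reg_query(SAMPLE_REG_OUTPUT)
    case, detail = interpret_is_slave(values)
    print(case, "-", detail)
    # Constructed: one forwarder, and the root hints list left empty.
    print(evaluate_recursion_rule(True, ["10.0.0.1"], values.get("IsSlave"), []))
```

Because of the checkbox defect described in the Note above, on Windows Server 2008 the registry value, not the state of the checkbox, is the reliable indicator of which behaviour is configured.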

·                   Additional considerations

The following is the default list of root hints.

a.root-servers.net.  198.41.0.4
b.root-servers.net.  192.228.79.201
c.root-servers.net.  192.33.4.12
d.root-servers.net.  128.8.10.90
e.root-servers.net.  192.203.230.10
f.root-servers.net.  192.5.5.241
g.root-servers.net.  192.112.36.41
h.root-servers.net.  128.63.2.53
i.root-servers.net.  192.36.148.17
j.root-servers.net.  192.58.128.30
k.root-servers.net.  193.0.14.129
l.root-servers.net.  199.7.83.42
m.root-servers.net.  202.12.27.33

Tip

An updated list of root hints is available at ftp://ftp.rs.internic.net/domain/db.cache.
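To make steps 3a to 3c and the root hints list above checkable offline, here is an added Python example (not part of the DNS BPA or of DNS_BPA.DOC) that parses saved `reg query` output, applies the IsSlave interpretation from the procedure, and compares a server's configured root hints with the default list. The registry output and the configured root hints are constructed samples; on Windows Server 2008 the registry value is the authoritative one to compare against intent, because the checkbox configures the opposite behavior.

```python
import re

# Default root hints exactly as listed in the topic above.
DEFAULT_ROOT_HINTS = {
    "a.root-servers.net.": "198.41.0.4",
    "b.root-servers.net.": "192.228.79.201",
    "c.root-servers.net.": "192.33.4.12",
    "d.root-servers.net.": "128.8.10.90",
    "e.root-servers.net.": "192.203.230.10",
    "f.root-servers.net.": "192.5.5.241",
    "g.root-servers.net.": "192.112.36.41",
    "h.root-servers.net.": "128.63.2.53",
    "i.root-servers.net.": "192.36.148.17",
    "j.root-servers.net.": "192.58.128.30",
    "k.root-servers.net.": "193.0.14.129",
    "l.root-servers.net.": "199.7.83.42",
    "m.root-servers.net.": "202.12.27.33",
}

# Constructed sample of what step 2 of the procedure prints (values abridged).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    BootMethod    REG_DWORD    0x3
    IsSlave    REG_DWORD    0x0
    RpcProtocol    REG_DWORD    0x5
"""

# Constructed sample of the root hints configured on a server: one entry
# missing (m) and one pointing at a stale address (b).
SAMPLE_CONFIGURED_ROOT_HINTS = {
    **{k: v for k, v in DEFAULT_ROOT_HINTS.items() if k != "m.root-servers.net."},
    "b.root-servers.net.": "192.228.79.200",
}


def parse_reg_query(text):
    """Return {value name: (type, data)} from `reg query` output lines."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$", line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3).strip())
    return values


def interpret_isslave(values):
    """Apply step 3 (a-c) of the procedure to the parsed registry values."""
    entry = values.get("IsSlave")
    if entry is None:                       # (c) no forwarders configured
        return {"forwarders": False, "uses_root_hints": None}
    is_slave = int(entry[1], 0)             # reg query prints DWORDs as 0x...
    # (a) 0x0: falls back to root hints; (b) 0x1: answers SERVER_FAILURE instead
    return {"forwarders": True, "uses_root_hints": is_slave == 0}


def compare_root_hints(configured):
    """Names missing from the server's root hints, and names whose address
    differs from the default list; both sorted for stable reporting."""
    missing = sorted(n for n in DEFAULT_ROOT_HINTS if n not in configured)
    changed = sorted(n for n, ip in configured.items()
                     if n in DEFAULT_ROOT_HINTS and DEFAULT_ROOT_HINTS[n] != ip)
    return missing, changed


def audit_root_hints_fallback(reg_text, configured_root_hints, intend_root_hints):
    """Findings for an administrator who intends (or not) to fall back to root
    hints. The registry value, not the checkbox, is compared with the intent,
    because on Windows Server 2008 the checkbox configures the opposite."""
    findings = []
    state = interpret_isslave(parse_reg_query(reg_text))
    if not state["forwarders"]:
        findings.append("No forwarders configured; IsSlave does not apply.")
        return findings
    if state["uses_root_hints"] != intend_root_hints:
        findings.append("IsSlave does not match the intended behavior; "
                        "re-check the checkbox (inverted on Windows Server 2008).")
    if state["uses_root_hints"]:            # root hints are required in this state
        missing, changed = compare_root_hints(configured_root_hints)
        if missing:
            findings.append("Root hints required but missing: " + ", ".join(missing))
        if changed:
            findings.append("Root hints differ from the default list: " + ", ".join(changed))
    return findings


if __name__ == "__main__":
    for finding in audit_root_hints_fallback(SAMPLE_REG_QUERY,
                                             SAMPLE_CONFIGURED_ROOT_HINTS, True):
        print(finding)
```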

·                   See Also

Toggling the "Use root hints if no forwarders are available" Checkbox Results in the Opposite Behavior in Windows Server 2008 DNS Manager Snap-in

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Not Critical

Category

Configuration

 

·                   Issue

There is no issue. The scavenging configuration on this DNS server is compliant with best practices.

The purpose of this rule is to confirm the scavenging configuration. Scavenging is enabled on the DNS server and parameters are within the recommended range.

·                   Impact

There is no impact. The DNS server is compliant with best practices.

·                   Resolution

No resolution is required. The DNS server is compliant with best practices.

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

·                   Issue

Scavenging is disabled on the DNS server.

Scavenging will not occur for any zones or records on this server because the EnableScavenging parameter is set to 0 or null on the server.

·                   Impact

The size of the DNS database can become excessive if scavenging is not enabled.

Scavenging automates the deletion of old records. When scavenging is disabled, these records must be deleted manually or the size of the DNS database can become large and have an adverse effect on performance.

·                   Resolution

Enable scavenging on the DNS server.

 

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To enable scavenging on the DNS server

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   Click the Advanced tab.

3.   Select the Enable automatic scavenging of stale records check box.

4.   To adjust the Scavenging period, in the drop-down list, select an interval in either hours or days, and then type a number in the text box. The default value for the scavenging interval is seven days. Values less than 6 hours or greater than 28 days are not recommended.

·                   Additional considerations

Stale resource records can result from performing dynamic updates because that process automatically adds resource records to zones when computers start on the network. In some cases, those resource records are not automatically removed when computers leave the network. For example, if a computer registers its own host (A) resource record at startup, and then is improperly disconnected from the network, its host (A) resource record might not be deleted. If your network has mobile users and computers, this situation can occur frequently. To allow automatic cleanup and removal of stale resource records, enable aging and scavenging on the DNS server.

·                   See Also

Enable Aging and Scavenging for DNS

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

·                   Issue

The server scavenging interval has been set to a non-recommended value of <Interval value>.

Scavenging should be enabled and the scavenging interval should be between 6 hours and 28 days.

·                   Impact

An incorrect value causes scavenging to run more or less often than desired.

Setting the scavenging interval to a small value may lead to excessive CPU utilization on the DNS server. The DNS server might also be unable to complete the scavenging process before the start of a new scavenging cycle.

Setting the scavenging interval to a large value will allow DNS records to remain in the DNS database for longer than desired and can cause growth of the DNS database. A large DNS database requires additional server disk space and can delay tasks such as zone transfers. An excessive amount of stale resource records can also degrade DNS server performance and cause DNS clients to experience name resolution problems on the network.

·                   Resolution

Set the server scavenging interval to a value between 6 hours and 28 days.

 

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To enable automatic scavenging of stale resource records

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the name of the DNS server, and then click Properties.

3.   Click the Advanced tab.

4.   Select the Enable automatic scavenging of stale records check box.

5.   To adjust the Scavenging period, in the drop-down list, select an interval in either hours or days, and then type a number in the text box. A scavenging interval of 7 days is recommended. Configure the interval to be no shorter than 6 hours or longer than 28 days.

·                   Additional considerations

After you enable automatic scavenging of stale resource records on the DNS server, you must also enable scavenging at the zone level. For more information, see Set aging and scavenging properties for a zone.

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Not Critical

Category

Configuration

 

·                   Issue

There is no issue. The zone scavenging parameters are compliant with best practices.

The purpose of this rule is to confirm the scavenging configuration. Scavenging is enabled for the zone and parameters are within the recommended range.

·                   Impact

There is no impact. The zone is compliant with best practices.

·                   Resolution

No resolution is required. The zone is compliant with best practices.

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Not Critical

Category

Configuration

 

·                   Issue

There is no issue. The zone scavenging parameters are compliant with best practices.

The purpose of this rule is to confirm the scavenging configuration. Record aging is disabled for the zone, therefore scavenging will not occur. This is a valid configuration if scavenging is not desired.

·                   Impact

There is no impact. The zone is compliant with best practices.

·                   Resolution

No resolution is required. The zone is compliant with best practices.

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

·                   Issue

Scavenging is enabled but there are no scavenging servers specified for the zone.

If record aging is enabled for the zone, there must be at least one scavenging server configured with permission to scavenge resource records in the zone.

·                   Impact

DNS records in the zone will not be scavenged.

DNS records in the zone will not be scavenged even though record aging is enabled. With this configuration, the zone might contain duplicate entries for some resource records.

·                   Resolution

Configure the list of DNS scavenging servers for the zone.

By default, all servers that host a DNS zone can scavenge records in the zone if scavenging is enabled. If the zone is hosted by more than one DNS server, you can limit the number of servers that are allowed to scavenge resource records. This is useful if it is preferable that scavenging only be performed by some servers loading the zone. To configure the list of scavenging servers for a zone, you must set the ZoneResetScavengeServers parameter using the dnscmd command, a command-line based tool for administering Windows DNS servers.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of servers that can scavenge the specified zone

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

   dnscmd [ServerName] /zoneresetscavengeservers ZoneName [ServerIPs]

·          Parameters

ServerName
Specifies the DNS server the administrator is planning to manage, represented by local computer syntax, IP address, FQDN, or host name. If omitted, the local server is used.

ZoneName
Identifies the zone to scavenge.

ServerIPs
Lists the IP addresses of the servers that can scavenge records in the zone. If this parameter is omitted, then all servers hosting this zone can scavenge it.

·          Sample Usage

dnscmd dnssvr1.contoso.com /zoneresetscavengeservers test.contoso.com 10.0.0.1 10.0.0.2

·                   See Also

Managing Aging and Scavenging

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

·                   Issue

The refresh and no-refresh scavenging intervals for the zone are not set to the default values.

One or both of the zone scavenging parameters, the no-refresh interval and the refresh interval, are not set to the default value of 7 days.

·                   Impact

The DNS server will scavenge resource records too frequently or not frequently enough.

If the values for the no-refresh and refresh intervals are set to a small value, the DNS server may scavenge resource records too often. If the values for the no-refresh and refresh intervals are set to a large value, the DNS server may not scavenge the DNS records in a timely manner which might cause growth in the size of the DNS database.

·                   Resolution

Configure the refresh and no-refresh intervals for the zone to the default values.

To ensure that records do not refresh prematurely, keep the no-refresh interval comparable in length to the current refresh interval for each resource record. For example, if you increase the refresh interval to a higher value, you can similarly increase the no-refresh interval. In most instances, the default interval of seven days is sufficient and does not need to be changed.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure no-refresh and refresh intervals for a zone using the Windows interface

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the applicable zone, and then click Properties.

3.   On the General tab, click Aging.

4.   Select the Scavenge stale resource records check box.

5.   Next to No-refresh interval, type 7 and then choose days from the drop-down menu.

6.   Next to Refresh, type 7 and then choose days from the drop-down menu.

7.   Click OK, and then click OK again.
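The scavenging rules from the topics above (server scavenging enabled with an interval between 6 hours and 28 days, a scavenge-server list for zones that have aging enabled, and 7-day refresh and no-refresh intervals) as one added Python check; this is not the BPA's own code. The server and zone values are a constructed snapshot given in hours, and the zone dictionary layout is an assumption of the example; the last function derives how long a stale record can survive from the three intervals.

```python
HOURS_PER_DAY = 24
MIN_SCAVENGING_INTERVAL_H = 6                    # "no shorter than 6 hours"
MAX_SCAVENGING_INTERVAL_H = 28 * HOURS_PER_DAY   # "no longer than 28 days"
DEFAULT_ZONE_INTERVAL_H = 7 * HOURS_PER_DAY      # default refresh / no-refresh


def check_server_scavenging(enable_scavenging, scavenging_interval_h):
    """Server-level rules: EnableScavenging set, interval within 6 h .. 28 days."""
    findings = []
    if not enable_scavenging:
        findings.append(("Warning", "Scavenging is disabled on the DNS server."))
        return findings  # the interval is irrelevant while scavenging is off
    if not MIN_SCAVENGING_INTERVAL_H <= scavenging_interval_h <= MAX_SCAVENGING_INTERVAL_H:
        findings.append(("Warning",
                         f"The server scavenging interval has been set to a "
                         f"non-recommended value of {scavenging_interval_h} hours."))
    return findings


def check_zone_scavenging(zone):
    """Zone-level rules. `zone` is a constructed dict with the keys
    name, aging, no_refresh_h, refresh_h and scavenge_servers."""
    findings = []
    if not zone["aging"]:
        return findings  # aging off is valid if scavenging is not desired
    if not zone["scavenge_servers"]:
        findings.append(("Warning", f"{zone['name']}: scavenging is enabled but "
                                    "no scavenging servers are specified for the zone."))
    if (zone["no_refresh_h"] != DEFAULT_ZONE_INTERVAL_H
            or zone["refresh_h"] != DEFAULT_ZONE_INTERVAL_H):
        findings.append(("Warning", f"{zone['name']}: refresh and no-refresh intervals "
                                    "are not set to the default value of 7 days."))
    return findings


def stale_record_max_age_h(zone, scavenging_interval_h):
    """Worst-case age of a stale dynamic record before it is removed: it becomes
    eligible once no-refresh + refresh have elapsed since its timestamp, and is
    then deleted by the next scavenging pass, at most one interval later."""
    return zone["no_refresh_h"] + zone["refresh_h"] + scavenging_interval_h


# Constructed sample: compliant server, one compliant zone, one zone with short
# intervals and an empty scavenge-server list, one zone with aging disabled.
SAMPLE_SERVER = {"enable_scavenging": 1, "scavenging_interval_h": 7 * HOURS_PER_DAY}
SAMPLE_ZONES = [
    {"name": "corp.example", "aging": True, "no_refresh_h": 168, "refresh_h": 168,
     "scavenge_servers": ["10.0.0.1"]},
    {"name": "lab.example", "aging": True, "no_refresh_h": 24, "refresh_h": 24,
     "scavenge_servers": []},
    {"name": "static.example", "aging": False, "no_refresh_h": 168, "refresh_h": 168,
     "scavenge_servers": []},
]


def run_checks(server, zones):
    """All server and zone findings in one list of (severity, text) pairs."""
    findings = check_server_scavenging(server["enable_scavenging"],
                                       server["scavenging_interval_h"])
    for zone in zones:
        findings.extend(check_zone_scavenging(zone))
    return findings


if __name__ == "__main__":
    for severity, text in run_checks(SAMPLE_SERVER, SAMPLE_ZONES):
        print(severity, text)
    print("worst-case stale record age (h):",
          stale_record_max_age_h(SAMPLE_ZONES[0], SAMPLE_SERVER["scavenging_interval_h"]))
```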

·                   See Also

Set Aging and Scavenging Properties for a Zone

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

·                   Issue

The value of <parameter> in the Windows Registry is configured to a non-recommended value.

The DNS socket pool feature has been disabled or is configured to use a non-recommended value.

·                   Impact

The DNS server is more vulnerable to DNS spoofing attacks.

The socket pool makes cache poisoning attacks more difficult because an attacker must correctly guess the source port of a DNS query in addition to a random transaction ID to successfully complete the attack. When you disable the socket pool or configure the socket pool to use a small number of source ports, the DNS server is more vulnerable to attack.

·                   Resolution

Enable the socket pool and configure a recommended value for MaxUserPort.

Configure the socket pool to a size no less than the default value of 2500. You can configure the socket pool to a size value from 0 to 10000. The larger the value, the greater protection you will have against DNS spoofing attacks. If you configure a socket pool size of zero, the DNS server will use a single socket for remote DNS queries. If the DNS server is running Windows Server® 2008 R2, you can also configure a socket pool exclusion list.

 

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the socket pool size

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

dnscmd /Config /SocketPoolSize <value>

3.   Restart the DNS Server service.

To view the current value of the SocketPoolSize registry key, type the following command and press ENTER:

Dnscmd /Info /SocketPoolSize

Important

To configure the socket pool exclusion list, the DNS server must be running Windows Server 2008 R2.

To configure the socket pool exclusion list

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

dnscmd /Config /SocketPoolExcludedPortRanges <excluded port ranges>

3.   Restart the DNS Server service.

 

Parameter                      Description
dnscmd                         The command-line tool for managing DNS servers.
/Config                        Required. Allows the user to change a value in the Windows Registry.
/SocketPoolSize                Required. Specifies the SocketPoolSize registry key.
<socket pool size>             Optional. Specifies the size of the socket pool in decimal format. If no value is entered, the socket pool size is reset to 0.
/SocketPoolExcludedPortRanges  Optional. Specifies the SocketPoolExcludedPortRanges registry key.
<excluded port ranges>         Optional. Specifies one or more numeric port ranges for which listen sockets will not be opened by the DNS server. Range values must start with a number smaller than or equal to the ending value, and are inclusive. To specify a single port, enter the same starting and ending port number. Enter multiple port ranges separated by a space. For example: 4000-5000 34000-34000. Port numbers must be positive integers less than or equal to 65535. You must supply all port ranges in the exclusion list each time you run the command. If no value is entered, the list will be cleared.

 

Tip

Use the /Info command to view the current value of a registry key, for example:  Dnscmd /Info /SocketPoolSize and Dnscmd /Info /SocketPoolExcludedPortRanges.
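An added Python example (not from the BPA documentation) that applies the socket pool guidance above: it checks a SocketPoolSize value against the 0 to 10000 range and the 2500 default, validates an <excluded port ranges> string against the rules in the parameter table, counts how many source ports the exclusions remove from the pool, and builds the two dnscmd command lines. The sample range string is the table's own example.

```python
import re

DEFAULT_SOCKET_POOL_SIZE = 2500
MAX_SOCKET_POOL_SIZE = 10000


def check_socket_pool_size(size):
    """Apply the topic's guidance: 0..10000 allowed, below 2500 non-recommended,
    0 means a single socket (one source port) for all remote queries."""
    if not 0 <= size <= MAX_SOCKET_POOL_SIZE:
        raise ValueError(f"SocketPoolSize {size} outside 0..{MAX_SOCKET_POOL_SIZE}")
    if size == 0:
        return ("Warning", "socket pool disabled: a single socket is used for remote queries")
    if size < DEFAULT_SOCKET_POOL_SIZE:
        return ("Warning", f"socket pool size {size} is below the default of "
                           f"{DEFAULT_SOCKET_POOL_SIZE}")
    return ("OK", f"socket pool size {size}")


def parse_excluded_port_ranges(spec):
    """Parse the <excluded port ranges> argument, e.g. '4000-5000 34000-34000'.
    Rules from the parameter table: start <= end, inclusive, 1..65535, ranges
    separated by spaces, a single port written as N-N."""
    ranges = []
    for token in spec.split():
        m = re.fullmatch(r"(\d+)-(\d+)", token)
        if not m:
            raise ValueError(f"malformed port range {token!r}; expected start-end")
        lo, hi = int(m.group(1)), int(m.group(2))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range {token!r} must satisfy 1 <= start <= end <= 65535")
        ranges.append((lo, hi))
    return ranges


def excluded_port_count(ranges):
    """Distinct ports removed from the pool (overlapping ranges counted once)."""
    ports = set()
    for lo, hi in ranges:
        ports.update(range(lo, hi + 1))
    return len(ports)


def dnscmd_commands(size, ranges):
    """The two command lines from the procedures above. The exclusion command
    replaces the whole stored list, so every range to keep is passed again."""
    check_socket_pool_size(size)
    spec = " ".join(f"{lo}-{hi}" for lo, hi in ranges)
    return [f"dnscmd /Config /SocketPoolSize {size}",
            f"dnscmd /Config /SocketPoolExcludedPortRanges {spec}".rstrip()]


# Constructed sample: the example spec from the parameter table.
SAMPLE_SPEC = "4000-5000 34000-34000"

if __name__ == "__main__":
    ranges = parse_excluded_port_ranges(SAMPLE_SPEC)
    print(check_socket_pool_size(DEFAULT_SOCKET_POOL_SIZE))
    print("ports excluded:", excluded_port_count(ranges))
    for cmd in dnscmd_commands(DEFAULT_SOCKET_POOL_SIZE, ranges):
        print(cmd)
```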

See Also

Configure the socket pool

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

Issue

The forwarding timeout is greater than or equal to the recursion timeout.

The recursion timeout value is not configured to allow sufficient time for recursion to complete.

Impact

The DNS server will fail to respond to queries for external zones if forwarding servers are not available.

When a DNS server receives a recursive query, it must be given time to send the query to its forwarder and wait for a response. If the forwarding servers time out, the DNS server requires additional time to perform recursion. If the recursion timeout value is too small and does not allow additional time beyond the forwarding timeout, the DNS server will be unable to respond to a recursive query when forwarders are unavailable.

Resolution

Configure the recursion timeout to be greater than the forwarding timeout.

By default, the DNS server will wait 3 seconds for a response from one forwarder IP address before trying another forwarder IP address. In Number of seconds before forward queries time out, you can change the number of seconds the DNS server will wait. When the server has exhausted all forwarders, it will attempt standard recursion if Use root hints if no forwarders are available is selected and the recursion timeout has not expired. The default recursion timeout value is 8 seconds.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the recursion timeout value

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

dnscmd [<ServerName>] /config /recursiontimeout <timeout>

 

Value               Description
dnscmd              The command-line tool for managing DNS servers.
<ServerName>        Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.
/config             Required. Modifies the configuration of the DNS server.
/recursiontimeout   Required. Specifies that the recursion timeout value will be configured.
<timeout>           Optional. Specifies the recursion timeout value in seconds. Allowed values are from 1 to 15. If no value is entered, the recursion timeout is set to a value of 8 seconds.

 

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

Issue

The forwarder is not responding to DNS queries.

One or more of the DNS servers configured in the list of forwarders is unresponsive to DNS queries.

Impact

Unresponsive forwarders can cause delays and failures in DNS resolution.

When a DNS query is sent to an unresponsive forwarder, the DNS server will wait for the forwarding timeout period before sending the query to another forwarder, or attempting to use recursion. This can cause delays and failures in DNS resolution. If the DNS server is configured to use root hints when no forwarders respond, this can increase the amount of DNS traffic that is sent to the Internet.

Resolution

Remove the unresponsive forwarder from the list of forwarders.

To repair this condition, remove the unresponsive DNS server from the list of forwarders. You can also replace the unresponsive forwarder with a different DNS server that responds to DNS queries.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of forwarders

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the DNS server and then click Properties.

3.   On the Forwarders tab, click Edit.

4.   In the Edit Forwarders dialog box, under IP Address, click the IP address of the forwarder that is not responding, and then click Delete. Alternatively, you can type the IP address of a different DNS server that you wish to use as a forwarder. Each forwarder in the list should display as OK under Validated. Click OK to finish editing forwarders.

5.   Click OK to close the DNS server properties dialog box.

See Also

Configure a DNS Server to Use Forwarders

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Error

Category

Configuration

 

Issue

All DNS servers configured in the list of forwarders are unresponsive.

None of the DNS servers configured in the list of forwarders are responsive to DNS queries.

Impact

DNS queries for external zones might fail.

Unresponsive forwarders can cause delays and failures in DNS resolution. When all forwarders are unresponsive, the DNS server will wait for the forwarding timeout period for each forwarder that is configured in the list. When all forwarders have timed out, the DNS server will attempt recursion if the recursion timeout has not expired and recursion is enabled. If the DNS server uses root hints for recursion, this can also increase the amount of DNS traffic that is sent to the Internet.

Resolution

Configure valid DNS servers in the list of forwarders.

To repair this condition, remove all unresponsive DNS servers from the list of forwarders. You can also replace unresponsive forwarders with a different DNS server that responds to DNS queries.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of forwarders

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the DNS server and then click Properties.

3.   On the Forwarders tab, click Edit.

4.   In the Edit Forwarders dialog box, under IP Address, click the IP address of each forwarder that is not responding, and then click Delete. Alternatively, you can type the IP address of a different DNS server that you wish to use as a forwarder. Each forwarder in the list should display as OK under Validated. Click OK to finish editing forwarders.

5.   Click OK to close the DNS server properties dialog box.

See Also

Configure a DNS Server to Use Forwarders

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

Issue

A link-local IP address is configured as a forwarding server.

One or more of the IP addresses configured in the list of forwarders is a link-local address, also known as an Automatic Private IP Address (APIPA). APIPA assigns IP addresses in the 169.254.0.0/16 range.

Impact

DNS queries for external zones might fail.

Forwarders that use link-local addressing will fail to respond to DNS queries, causing delays and failures in DNS resolution.

Resolution

Remove the link-local forwarder IP address from the list of forwarders.

To repair this condition, remove the link-local IP address from the list of forwarders. You can also replace the link-local IP address with a valid DNS server IP address.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of forwarders

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the DNS server and then click Properties.

3.   On the Forwarders tab, click Edit.

4.   In the Edit Forwarders dialog box, under IP Address, click the IP address of the forwarder to remove, and then click Delete. Alternatively, you can type the IP address of a different DNS server that you wish to use as a forwarder. Each forwarder in the list should display as OK under Validated. Click OK to finish editing forwarders.

5.   Click OK to close the DNS server properties dialog box.

See Also

Configure a DNS Server to Use Forwarders

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

Issue

A loopback IP address is configured as a forwarding server.

One or more of the IP addresses configured in the list of forwarders is local to the DNS server, or is the loopback address. This configuration is not supported and can cause DNS queries to loop indefinitely.

Impact

DNS queries for external zones might fail.

DNS queries in external zones that are forwarded for resolution can fail or be delayed. Repeated looping of DNS queries can also degrade performance of the DNS server.

Resolution

Remove the loopback forwarder IP address from the list of forwarders.

To repair this condition, remove the loopback IP address from the list of forwarders. You can also replace the loopback IP address with a valid DNS server IP address.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of forwarders

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the DNS server and then click Properties.

3.   On the Forwarders tab, click Edit.

4.   In the Edit Forwarders dialog box, under IP Address, click the IP address of the forwarder to remove, and then click Delete. Alternatively, you can type the IP address of a different DNS server that you wish to use as a forwarder. Each forwarder in the list should display as OK under Validated. Click OK to finish editing forwarders.

5.   Click OK to close the DNS server properties dialog box.

See Also

Configure a DNS Server to Use Forwarders

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

Issue

There is only one forwarder configured on the DNS server.

To provide redundancy, more than one DNS server should be configured in the list of forwarders.

Impact

The forwarder is a single point of failure.

If a single forwarder fails to respond, DNS clients might be unable to resolve DNS queries.

Resolution

Configure additional forwarders on the DNS server.

To repair this condition, add additional DNS servers to the list of forwarders.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of forwarders

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the DNS server and then click Properties.

3.   On the Forwarders tab, click Edit.

4.   In the Edit Forwarders dialog box, under IP Address, type the IP address of a DNS server that you wish to use as a forwarder. Each forwarder in the list should display as OK under Validated. Click OK to finish editing forwarders.

5.   Click OK to close the DNS server properties dialog box.
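The two forwarder rules above (a loopback or local forwarder, and a single forwarder) can be checked from a script instead of the DNS Manager console. The following is an added example, not part of the DNS BPA documentation or the Microsoft download: it reads the forwarder list through the MicrosoftDNS WMI provider that ships with the Windows Server 2008 DNS Server role, flags the two conditions, and with -Fix rewrites the list using dnscmd /ResetForwarders. The parameter names are the script's own; membership in Administrators on the target server is assumed.

```powershell
# Added example, not part of the DNS BPA documentation: audits the forwarder list of a
# Windows Server 2008 / 2008 R2 DNS server through the MicrosoftDNS WMI provider for the
# two conditions the rules above flag (a loopback or local forwarder, and a single
# forwarder) and, with -Fix, rewrites the list with dnscmd /ResetForwarders.
# Requires membership in Administrators on the target server.
param(
    [string]$ComputerName = '.',   # assumption: the local DNS server by default
    [switch]$Fix
)

$server = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftDNS' `
                        -Class MicrosoftDNS_Server

# Addresses this server itself answers on. A forwarder pointing at one of them, or at a
# loopback address, sends the query back to the same server and it loops.
$ownAddresses = @($server.ServerAddresses | Where-Object { $_ })
$forwarders   = @($server.Forwarders      | Where-Object { $_ })

function Test-LocalForwarder([string]$Address) {
    $ip = [System.Net.IPAddress]::Parse($Address)
    return ([System.Net.IPAddress]::IsLoopback($ip) -or ($ownAddresses -contains $Address))
}

$valid = @()
$bad   = @()
foreach ($fwd in $forwarders) {
    if (Test-LocalForwarder $fwd) {
        Write-Warning "Forwarder $fwd is this server or a loopback address: queries would loop."
        $bad += $fwd
    } else {
        $valid += $fwd
    }
}

if ($forwarders.Count -eq 0) {
    Write-Host 'No forwarders configured; external names are resolved through root hints.'
} elseif ($valid.Count -lt 2) {
    Write-Warning "Only $($valid.Count) usable forwarder(s): one forwarder is a single point of failure."
} else {
    Write-Host "$($valid.Count) forwarders look sane: $($valid -join ', ')"
}

if ($Fix -and $bad.Count -gt 0) {
    if ($valid.Count -eq 0) {
        throw 'Every forwarder is invalid; add a valid remote DNS server address before resetting the list.'
    }
    # /ResetForwarders replaces the whole list, so pass only the addresses that passed the check.
    & dnscmd $ComputerName /ResetForwarders $valid
}
```

Run it without -Fix first from an elevated PowerShell prompt; the audit is read-only. Because /ResetForwarders replaces the entire list, the script refuses to run it when no valid forwarder would remain, which would otherwise silently switch the server to root-hint resolution.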

See Also

Configure a DNS Server to Use Forwarders

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Error

Category

Configuration

 

Issue

There are no master servers configured for the zone.

The secondary zone on the DNS server is not being updated by primary DNS servers.

Impact

The zone will not be updated on secondary DNS servers.

Zone transfers from the primary DNS servers to the secondary DNS server will fail. DNS information in the zone might be outdated.

Resolution

Update the master servers list for the zone.

Configure the list of master DNS servers for the zone to include at least one valid master server. Verify that each DNS server listed hosts a primary copy of the zone, is responding to DNS queries, and that zone transfers are allowed from the master to the secondary DNS server.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of master servers

1.   On the secondary DNS server, click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the name of the secondary zone and then click Properties.

3.   On the General tab, click Edit.

4.   To add a server to the list under IP addresses of the master servers, click under IP Address, type the IP address of the new master server, and then press ENTER.

5.   Verify that OK is displayed under Validated.

6.   Repeat this procedure for each master server.

7.   When you have completed adding master servers to the list, click OK twice to exit.

To validate the list of master servers

1.   On the secondary DNS server, open an elevated command prompt.

2.   Type nslookup and press ENTER to use the nslookup tool in interactive mode.

3.   At the nslookup prompt, type the following commands, and after each one press ENTER:

server <master server>

ls <zone name>

4.   Zone transfers must be allowed from the master to the secondary DNS server. If the master server hosts a copy of the zone and is responding, the contents of the zone will be displayed.

5.   If the contents of the zone are not displayed, remove the DNS server from the list of master servers, or determine why the master DNS server is not responding or is refusing the zone transfer.

6.   Repeat this procedure for each DNS server in the list of master DNS servers.

7.   When you have completed validating all master DNS servers for the zone, type exit and press ENTER.

 

Value

Description

nslookup

The command-line tool for querying DNS servers.

server

Command to set the default server used for queries.

<master server>

Specifies the DNS host name or IP address of the DNS server to be queried.

ls

Command to list entries in a zone. The ls command attempts a zone transfer of the specified zone from the specified server, and then displays data in the zone.

<zone name>

Specifies the zone name to be queried.

 

See Also

Adding a Secondary DNS Server to a Zone

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

Issue

The list of servers receiving zone update notifications for the zone is empty.

Secondary DNS servers for the zone are not being notified when the zone is updated.

Impact

Secondary servers for the zone will not be notified of changes to zone records.

DNS information in the zone on secondary servers might be out of date.

Resolution

Add secondary servers to the zone update notification list for the zone.

Configure the zone update notification list to include all secondary DNS servers for the zone. By default, all servers listed on the Name Servers tab are notified. You can also choose to specify a list of secondary servers.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the zone update notification list

1.   On the primary DNS server, click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the name of the primary zone and then click Properties.

3.   On the Zone Transfers tab, click Notify.

4.   Click the Automatically notify check box, and then choose Servers listed on the Name Servers tab or The following servers. If you chose Servers listed on the Name Servers tab, you do not need to manually configure the zone update notification list.

5.   If you chose The following servers, click under IP address, type the IP address of a secondary DNS server for the zone, and then press ENTER.

6.   Repeat the previous step to add each secondary server to the zone update notification list.

7.   When you have finished, click OK twice to exit.

See Also

Understanding zones and zone transfer

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

Issue

Zone transfers are allowed for the primary zone but no secondary servers are configured.

Zone transfers have been specified to be allowed only to a specific list of IP addresses. However, this list is blank.

Impact

Zone transfers will be denied from this DNS server.

If the DNS server is a master server for the zone, secondary DNS servers will be unable to update information in the zone because they are denied permission to perform a zone transfer.

Resolution

Add secondary servers to the list of hosts that are allowed to receive zone transfers for the zone.

To repair this condition, add secondary servers to the list of IP addresses that are allowed to receive zone transfers. Alternatively, you can configure the Allow zone transfers setting to specify Only to servers listed on the Name Servers tab or To any server. Allowing zone transfers to any server is not recommended.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of secondary servers

1.   On the primary DNS server, click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the name of the primary zone and then click Properties.

3.   On the Zone Transfers tab, click Edit.

Note

This rule is only active if zone transfers are allowed and Only to the following servers is selected on the Zone Transfers tab and the list is empty.

4.   To add a secondary server to the list, click under IP Address, type the IP address of the new secondary server, and then press ENTER.

5.   Repeat the previous step for each secondary DNS server.

6.   Click OK twice to exit.

See Also

Understanding zones and zone transfer

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

Issue

The secondary server is configured to receive zone update notifications for the zone, but it does not host the zone.

A list of servers has been configured to receive zone update notifications for the zone, but not every server in that list hosts a secondary copy of the zone.

Impact

Zone update notifications for the zone will be ignored by the secondary server because it does not host the zone.

In addition to the secondary server ignoring zone update notifications, DNS clients might fail to resolve names in the zone if they query the secondary server.

Resolution

Remove the secondary server from the list of servers to be notified of updates to the zone.

To repair this condition, remove the secondary server from the list of servers configured to receive zone update notifications. Alternatively, determine if the secondary zone should be hosted on the DNS server and if appropriate, add the secondary zone to the server specified in the zone update notification list.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To remove a server from the zone update notification list

1.   On the primary DNS server, click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the name of the primary zone and then click Properties.

3.   On the Zone Transfers tab, click Notify.

4.   Under IP Address, click the IP address of the DNS server that does not host the zone, and then click Delete.

5.   Click OK twice to exit.

See Also

Understanding zones and zone transfer

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

Issue

The DNS server is listed as a scavenging server for the zone, but does not host this zone.

A DNS server that is listed as a scavenging server for the zone does not host the zone, so it cannot answer queries for the zone or scavenge its records.

Impact

The server cannot scavenge records in the zone.

Errors in DNS resolution might occur if no servers are available to scavenge resource records in the zone.

Resolution

Remove the server from the list of scavenging servers for the zone.

To repair this condition, remove the server from the list of scavenging servers. Alternatively, you can configure the server to host the zone. By default, all servers that host an Active Directory-integrated DNS zone can scavenge records in the zone if scavenging is enabled. To configure the list of scavenging servers for a zone, you must set the ZoneResetScavengeServers parameter using the dnscmd command, a command-line based tool for administering Windows DNS servers. Scavenging must be enabled on both the DNS server and the zone affected by this operation.

Tip

To display the current list of scavenging servers for the zone, use dnscmd [<ServerName>] /ZoneInfo <ZoneName>. The list of scavenging servers is displayed in the output below Scavenge Servers.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of servers that can scavenge the specified zone

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

dnscmd [<ServerName>] /zoneresetscavengeservers <ZoneName> [<ServerIPs>]

 

Value

Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.

/zoneresetscavengeservers

Required. Configures the list of servers that are allowed to scavenge the zone.

<ZoneName>

Required. Specifies the zone to be configured.

<ServerIPs>

Optional. Lists the IP addresses of the servers that can scavenge records in the zone. If this parameter is omitted, then all servers hosting this zone can scavenge it.

 

Sample Usage

 dnscmd dnssvr1.contoso.com /zoneresetscavengeservers test.contoso.com 10.0.0.1 10.0.0.2
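The five zone-level rules above (no master servers for a secondary zone, an empty notify list, an empty zone transfer list, a notify target that does not host the zone, and a scavenging server that does not host the zone) all reduce to reading a handful of MicrosoftDNS_Zone properties. The following is an added example, not part of the DNS BPA documentation or the Microsoft download: it walks every zone on a Windows Server 2008 / 2008 R2 DNS server through the MicrosoftDNS WMI provider and reports each condition. The remote checks (does a listed master, notify target or scavenging server actually host the zone, and does a master permit transfers to this server) are WMI queries to those servers, so the account running the script is assumed to be in Administrators on them as well. Parameter and function names are the script's own.

```powershell
# Added example, not part of the DNS BPA documentation: applies the five zone-level checks
# above to every zone on a Windows Server 2008 / 2008 R2 DNS server via the MicrosoftDNS
# WMI provider. Remote lookups are WMI calls to the listed servers (Administrators needed).
param([string]$ComputerName = '.')     # assumption: the local DNS server by default

$ns = 'root\MicrosoftDNS'

# Returns the zone object named $ZoneName from the DNS server at $Server, or $null when
# that server does not host the zone (or cannot be reached over WMI).
function Get-RemoteZone([string]$Server, [string]$ZoneName) {
    try {
        return Get-WmiObject -ComputerName $Server -Namespace $ns -Class MicrosoftDNS_Zone `
                             -Filter "Name='$ZoneName'" -ErrorAction Stop
    } catch {
        Write-Warning "  WMI query to $Server failed: $($_.Exception.Message)"
        return $null
    }
}

function Get-Addresses($list) { @($list | Where-Object { $_ }) }   # $null-safe string array

$local       = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class MicrosoftDNS_Server
$myAddresses = Get-Addresses $local.ServerAddresses

$zones = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class MicrosoftDNS_Zone |
         Where-Object { -not $_.AutoCreated }

foreach ($zone in $zones) {
    $name = $zone.Name
    if ($zone.ZoneType -eq 4) { continue }          # conditional forwarder: none of these rules apply
    Write-Host "Zone $name (ZoneType=$($zone.ZoneType), DsIntegrated=$($zone.DsIntegrated))"

    if ($zone.ZoneType -eq 2 -or $zone.ZoneType -eq 3) {
        # Secondary or stub zone: needs at least one master, and each master must both host
        # the zone and allow transfers to this server. SecureSecondaries on the master:
        # 0 = any server, 1 = servers in NS records, 2 = SecondaryServers list, 3 = none.
        $masters = Get-Addresses $zone.MasterServers
        if ($masters.Count -eq 0) {
            Write-Warning "  No master servers configured; the zone will never be refreshed."
        }
        foreach ($m in $masters) {
            $mz = Get-RemoteZone $m $name
            if ($mz -eq $null) {
                Write-Warning "  Master $m does not host $name."
            } elseif ($mz.SecureSecondaries -eq 3) {
                Write-Warning "  Master $m has zone transfers disabled for $name."
            } elseif ($mz.SecureSecondaries -eq 2) {
                $allowed = Get-Addresses $mz.SecondaryServers
                $me = $myAddresses | Where-Object { $allowed -contains $_ }
                if (-not $me) { Write-Warning "  Master $m does not list this server in its transfer list for $name." }
            }
        }
        continue
    }

    # Primary zone (ZoneType 0 = AD-integrated, 1 = file-backed).
    # Notify: 0 = do not notify, 1 = servers in NS records, 2 = the NotifyServers list.
    if ($zone.Notify -eq 2) {
        $targets = Get-Addresses $zone.NotifyServers
        if ($targets.Count -eq 0) {
            Write-Warning "  Notify is set to a specific list, but the list is empty."
        }
        foreach ($t in $targets) {
            if ((Get-RemoteZone $t $name) -eq $null) {
                Write-Warning "  Notify target $t does not host $name; notifications to it are ignored."
            }
        }
    }

    if ($zone.SecureSecondaries -eq 2 -and (Get-Addresses $zone.SecondaryServers).Count -eq 0) {
        Write-Warning "  Zone transfers are restricted to a specific list, but the list is empty: every transfer is refused."
    }

    foreach ($s in (Get-Addresses $zone.ScavengeServers)) {
        if ((Get-RemoteZone $s $name) -eq $null) {
            Write-Warning "  Scavenging server $s does not host $name (fix with dnscmd /ZoneResetScavengeServers)."
        }
    }
}
```

The script is read-only; each warning names the dnscmd or DNS Manager action from the rule it corresponds to. The transfer check on the master is deliberately stricter than the rule text: an empty SecondaryServers list with SecureSecondaries set to 2 is the condition the BPA flags, but SecureSecondaries set to 3 fails the same secondary just as surely.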

See Also

Managing Aging and Scavenging

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

Issue

A link-local address is configured in the list of root hints.

The use of a link-local address in root hints is not a valid configuration.

Impact

The DNS server might be unable to resolve external host names.

Recursion might fail or be delayed on this DNS server, causing DNS client computers to be unable to resolve names in external zones.

Resolution

Remove the link-local address from the list of root hints.

Update the list of root hints to include only valid root name servers.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To verify a root name server

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

nslookup -type=ns . <root name server>

3.   Replace <root name server> with the IP address of the root hint server that you wish to verify. If the root name server is valid, a list of authoritative servers for the root zone (root name servers) will be displayed.

To configure Root Hints

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, click the name of the DNS server you wish to configure.

3.   On the Action menu, click Properties.

4.   Click the Root Hints tab.

5.   Modify server root hints as follows:

·      To add a root server to the list, click Add, and then specify the name and IP address of the server to be added to the list.

·      To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.

·      To remove a root server from the list, select it in the list, and then click Remove.

·      To copy root hints from a DNS server, click Copy from server, and then specify the IP address of the DNS server from which you want to copy a list of root servers to use in resolving queries. These root hints will not overwrite any existing root hints.

Additional considerations

The following is the default list of root hints.

a.root-servers.net. 198.41.0.4

b.root-servers.net. 192.228.79.201

c.root-servers.net. 192.33.4.12

d.root-servers.net. 128.8.10.90

e.root-servers.net. 192.203.230.10

f.root-servers.net. 192.5.5.241

g.root-servers.net. 192.112.36.41

h.root-servers.net. 128.63.2.53

i.root-servers.net. 192.36.148.17

j.root-servers.net. 192.58.128.30

k.root-servers.net. 193.0.14.129

l.root-servers.net. 199.7.83.42

m.root-servers.net. 202.12.27.33

Tip

An updated list of root hints is available at ftp://ftp.rs.internic.net/domain/db.cache.

See Also

Updating Root Hints

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

Issue

The IP address of this DNS server or the loopback address is configured in the list of root hints.

A root hint that points at a loopback address or at this server's own IP address is not a valid configuration: recursion would begin by asking the server itself.

Impact

The DNS server might be unable to resolve external host names.

Recursion might fail or be delayed on this DNS server, causing DNS client computers to be unable to resolve names in external zones.

Resolution

Remove the loopback or host IP address from the list of root hints.

Update the list of root hints to include only valid root name servers.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To verify a root name server

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

nslookup -type=ns . <root name server>

3.   Replace <root name server> with the IP address of the root hint server that you wish to verify. If the root name server is valid, a list of authoritative servers for the root zone (root name servers) will be displayed.

To configure Root Hints

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, click the name of the DNS server you wish to configure.

3.   On the Action menu, click Properties.

4.   Click the Root Hints tab.

5.   Modify server root hints as follows:

·      To add a root server to the list, click Add, and then specify the name and IP address of the server to be added to the list.

·      To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.

·      To remove a root server from the list, select it in the list, and then click Remove.

·      To copy root hints from a DNS server, click Copy from server, and then specify the IP address of the DNS server from which you want to copy a list of root servers to use in resolving queries. These root hints will not overwrite any existing root hints.

Additional considerations

The following is the default list of root hints.

a.root-servers.net. 198.41.0.4

b.root-servers.net. 192.228.79.201

c.root-servers.net. 192.33.4.12

d.root-servers.net. 128.8.10.90

e.root-servers.net. 192.203.230.10

f.root-servers.net. 192.5.5.241

g.root-servers.net. 192.112.36.41

h.root-servers.net. 128.63.2.53

i.root-servers.net. 192.36.148.17

j.root-servers.net. 192.58.128.30

k.root-servers.net. 193.0.14.129

l.root-servers.net. 199.7.83.42

m.root-servers.net. 202.12.27.33

Tip

An updated list of root hints is available at ftp://ftp.rs.internic.net/domain/db.cache.

See Also

Updating Root Hints

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

Issue

The root hint that has been configured for the DNS server is a single point of failure.

The use of a single root name server in root hints does not provide redundancy.

Impact

Loss of the single root hint server will prevent the DNS server from being able to resolve external host names.

Recursion might fail or be delayed on this DNS server if the root name server does not respond.

Resolution

Add additional root hints to the list of root hint servers.

Configure the list of root hints to include at least two valid root name servers. You can use the verification procedure below to display a list of root name servers.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To verify a root name server

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

nslookup -type=ns . <root name server>

3.   Replace <root name server> with the IP address of the root hint server that you wish to verify. If the root name server is valid, a list of authoritative servers for the root zone (root name servers) will be displayed.

To configure Root Hints

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, click the name of the DNS server you wish to configure.

3.   On the Action menu, click Properties.

4.   Click the Root Hints tab.

5.   Modify server root hints as follows:

·      To add a root server to the list, click Add, and then specify the name and IP address of the server to be added to the list.

·      To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.

·      To remove a root server from the list, select it in the list, and then click Remove.

·      To copy root hints from a DNS server, click Copy from server, and then specify the IP address of the DNS server from which you want to copy a list of root servers to use in resolving queries. These root hints will not overwrite any existing root hints.

Additional considerations

The following is the default list of root hints.

a.root-servers.net. 198.41.0.4

b.root-servers.net. 192.228.79.201

c.root-servers.net. 192.33.4.12

d.root-servers.net. 128.8.10.90

e.root-servers.net. 192.203.230.10

f.root-servers.net. 192.5.5.241

g.root-servers.net. 192.112.36.41

h.root-servers.net. 128.63.2.53

i.root-servers.net. 192.36.148.17

j.root-servers.net. 192.58.128.30

k.root-servers.net. 193.0.14.129

l.root-servers.net. 199.7.83.42

m.root-servers.net. 202.12.27.33

Tip

An updated list of root hints is available at ftp://ftp.rs.internic.net/domain/db.cache.
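The three root hint rules above (a link-local address, a loopback or own address, and a single root hint) share one verification step, nslookup -type=ns . <address>. The following is an added example, not part of the DNS BPA documentation or the Microsoft download: it reads the root hint records of a Windows Server 2008 / 2008 R2 DNS server through the MicrosoftDNS WMI provider (root hint records carry the ContainerName '..RootHints'), classifies each address, and runs the documentation's nslookup check against the remaining hints. Parameter and function names are the script's own; local Administrators membership is assumed.

```powershell
# Added example, not part of the DNS BPA documentation: audits the root hints of a
# Windows Server 2008 / 2008 R2 DNS server for the three conditions flagged above
# (link-local address, loopback or own address, fewer than two root servers) and verifies
# each remaining hint the way the documentation does, with nslookup -type=ns . <address>.
param([string]$ComputerName = '.')      # assumption: the local DNS server by default

$ns = 'root\MicrosoftDNS'
$server       = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class MicrosoftDNS_Server
$ownAddresses = @($server.ServerAddresses | Where-Object { $_ })

# Root hints are ordinary A/AAAA records stored in the '..RootHints' container.
$hintA    = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class MicrosoftDNS_AType `
                          -Filter "ContainerName='..RootHints'"
$hintAAAA = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class MicrosoftDNS_AAAAType `
                          -Filter "ContainerName='..RootHints'"

$hints = @()
foreach ($r in @($hintA    | Where-Object { $_ })) { $hints += @{ Host = $r.OwnerName; Address = $r.IPAddress } }
foreach ($r in @($hintAAAA | Where-Object { $_ })) { $hints += @{ Host = $r.OwnerName; Address = $r.IPv6Address } }

# Classifies a hint address: loopback, this server's own address, link-local, or ok.
function Get-AddressKind([string]$Address) {
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ([System.Net.IPAddress]::IsLoopback($ip))                              { return 'loopback' }
    if ($ownAddresses -contains $Address)                                      { return 'own address' }
    if ($ip.AddressFamily -eq 'InterNetworkV6' -and $ip.IsIPv6LinkLocal)       { return 'link-local' }
    if ($ip.AddressFamily -eq 'InterNetwork'   -and $Address -like '169.254.*') { return 'link-local' }
    return 'ok'
}

# Asks the hint server for the NS set of the root zone, as the documentation does, and
# treats any "nameserver = x.root-servers.net" line in the answer as a pass.
function Test-RootServer([string]$Address) {
    $out = & nslookup -type=ns . $Address 2>&1 | Out-String
    return ($out -match 'nameserver\s*=\s*\S*root-servers\.net')
}

$valid = @()
foreach ($h in $hints) {
    $kind = Get-AddressKind $h.Address
    if ($kind -ne 'ok') {
        Write-Warning "Root hint $($h.Host) = $($h.Address) is a $kind address; remove it."
        continue
    }
    if (Test-RootServer $h.Address) { $valid += $h }
    else { Write-Warning "Root hint $($h.Host) = $($h.Address) did not return the root NS set." }
}

if ($valid.Count -lt 2) {
    Write-Warning "Only $($valid.Count) working root hint(s): add more to avoid a single point of failure."
} else {
    Write-Host "$($valid.Count) root hints verified."
}
```

The nslookup check only proves that the address answers as a root server; it does not tell you whether the list is current. Compare the verified set against the published db.cache file from the Tip above before adding or replacing entries.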

See Also

Updating Root Hints

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Not Critical

Category

Configuration

 

Issue

There is no issue. The Active Directory-integrated zone is configured as primary.

The purpose of this rule is to confirm that the AD integrated zone is configured as a primary zone.

Impact

There is no impact. The zone is compliant with best practices.

 

Resolution

No resolution is required. The zone is compliant with best practices.

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Critical

Category

Configuration

 

Issue

The Active Directory integrated DNS zone was not found.

An Active Directory (AD)-integrated DNS zone is present in the application directory partition, but was not found in DNS.

Impact

DNS queries for the Active Directory integrated zone might fail.

This DNS server will fail to respond to DNS client queries for the zone.

Resolution

Restore the Active Directory integrated DNS zone.

If the problem is caused by an error in Active Directory, you can attempt to restore the application directory partition from backup. For more information, see Performing Authoritative Restore of an Application Directory Partition. Alternatively, you can export the zone contents to a file, and then restore it to an AD-integrated zone using the following procedure.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To restore an AD-integrated zone

1.   Locate a DNS server that hosts the best copy of the zone. If no DNS servers appear to host the zone, then use a master domain controller.

2.   Temporarily use this DNS server as the primary DNS server for client computers.

3.   Open an elevated command prompt on this DNS server.

4.   Perform the procedure below to back up the AD-integrated zone.

5.   Perform the procedure below to reload the AD-integrated zone.

6.   Verify that the zone data has been added to DNS on this server.

7.   Wait for AD replication to create a copy of the zone on other domain controllers. When this is complete, restore client DNS settings to the previous configuration.

To back up the AD-integrated zone

1.   Type the following command, and then press ENTER:

dnscmd /ZoneExport <zone name> <zone file name>

This command exports the zone data to a file in the %windir%\System32\DNS directory. If desired, you can copy this file to a secure location.

 

Value

Description

dnscmd

The command-line tool for managing DNS servers.

/ZoneExport

Required. Used with <zone name> and <zone file name> to specify the zone and file name to use when storing zone data in a file.

<zone name>

Required. The FQDN of the zone.

<zone file name>

Required. The name of the file used to store zone data.

 

2.   To view the contents of the file, type the following command and then press ENTER:

type <zone file name>

3.   Verify that the file exists and that it contains the correct zone data. If the file does not contain the correct zone data, attempt this procedure on a different DNS server, or restore the Active Directory partition.

To reload the AD-integrated zone

1.   Using the elevated command prompt, browse to the %windir%\System32\DNS directory.

2.   Type the following command, and then press ENTER:

dnscmd /ZoneDelete <zone name> /dsdel /f

This command will remove the zone from DNS and Active Directory.

3.   Type the following command, and then press ENTER:

dnscmd /ZoneAdd <zone name> /Primary /file <zone file name> /load

This command adds the zone to DNS as a standard file-backed primary zone, loading the records from the exported file. After the zone is added to DNS, you can convert it to AD-integrated.

4.   Type the following command, and then press ENTER:

dnscmd /ZoneResetType <zone name> /dsprimary

This command converts the zone from standard primary to AD-integrated primary.

 

Value

Description

dnscmd

The command-line tool for managing DNS servers.

/ZoneDelete

Required. Deletes a specified zone from the DNS server.

/ZoneAdd

Required. Adds a specified zone to the DNS server.

/ZoneResetType

Required. Changes the type of a specified zone.

<zone name>

Required. The FQDN of the zone.

<zone file name>

Required. The name of the file used to store zone data.

/Primary

Required. Specifies that the zone type is standard file-backed primary.

See Also

Performing Authoritative Restore of an Application Directory Partition

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

Issue

The zone is Active Directory integrated but the zone type is not configured as primary.

All Active Directory (AD)-integrated DNS zones must be configured as primary. The AD-integrated zone is not configured as primary, indicating an error.

·                   Impact

DNS queries for the Active Directory integrated zone might fail.

The zone might not replicate properly to other domain controllers, causing errors in DNS resolution.

·                   Resolution

Configure the zone type for the zone as a primary.

If the zone type was recently changed from standard primary to AD-integrated primary, DNS servers that host a secondary copy of the zone must be rebooted in order to convert the zone to an AD-integrated primary zone; the conversion happens automatically when the DNS server is rebooted. If the zone type was not changed but the zone is no longer primary, attempt to configure the zone type as an AD-integrated primary zone. If this fails, restore the zone from backup.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the zone type as AD-integrated primary

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

dnscmd /ZoneResetType <zone name> /dsprimary

 

Value               Description
dnscmd              The command-line tool for managing DNS servers.
/ZoneResetType      Required. Changes the type of a specified zone.
<zone name>         Required. The FQDN of the zone.

 

·                   See Also

Performing Authoritative Restore of an Application Directory Partition
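As an added check for the two preceding topics (the dnscmd zone-conversion steps and the AD-integrated zone whose type is not primary), not part of the DNS BPA document: a PowerShell function that parses the output of dnscmd /EnumZones and reports zones stored in Active Directory whose type is not Primary. The column layout it parses (Zone name, Type, Storage, Properties) is assumed from Windows Server 2008 output, and the sample text below is constructed.

```powershell
# Added example, not from the DNS BPA document. Parses "dnscmd /EnumZones" and
# returns zones whose Storage column is AD-Domain, AD-Forest or AD-Legacy but
# whose Type column is not Primary (the condition the BPA rule above reports).
function Get-AdIntegratedNonPrimaryZone {
    param(
        # Raw text of "dnscmd /EnumZones"; runs it on this server when not supplied.
        [string[]]$EnumZonesOutput = (dnscmd /EnumZones)
    )

    $findings = @()
    foreach ($line in $EnumZonesOutput) {
        $text = $line.Trim()
        # Skip the banner, zone count, column header, blank and status lines.
        if ($text -eq '' -or $text -match '^(Enumerated|Zone count|Zone name|Command)') { continue }

        # Assumed column layout: Zone name, Type, Storage, Properties (optional).
        $cols = $text -split '\s+'
        if ($cols.Count -lt 3) { continue }
        $props = ''
        if ($cols.Count -gt 3) { $props = $cols[3..($cols.Count - 1)] -join ' ' }

        $zone = [pscustomobject]@{
            ZoneName   = $cols[0]
            Type       = $cols[1]
            Storage    = $cols[2]
            Properties = $props
        }

        # The "." cache zone is not a real zone and is excluded; any other zone
        # stored in AD that is not Primary is a finding.
        if ($zone.Storage -like 'AD-*' -and $zone.Type -ne 'Primary' -and $zone.Type -ne 'Cache') {
            $findings += $zone
        }
    }
    return $findings
}

# Constructed sample of "dnscmd /EnumZones" output, used instead of a live server.
$sampleText = @'
Enumerated zone list:

        Zone count = 4

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 _msdcs.corp.example            Primary    AD-Forest       Secure
 corp.example                   Primary    AD-Domain       Secure
 branch.corp.example            Secondary  AD-Domain

Command completed successfully.
'@
$sample = $sampleText -split "`r?`n"

# Only branch.corp.example should be reported for the sample above.
Get-AdIntegratedNonPrimaryZone -EnumZonesOutput $sample | Format-Table -AutoSize
```

Run the function without -EnumZonesOutput on the DNS server itself to check its live zone list.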

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Configuration

 

·                   Issue

The results of the last zone transfer were <zone transfer status> for the zone.

The secondary zone on this DNS server did not transfer properly from the primary DNS server.

·                   Impact

Contents of the zone on this DNS server are out of date.

DNS client computers might fail to correctly resolve DNS information in the zone.

·                   Resolution

Verify that zone transfers are allowed to this DNS server.

In order to host a secondary zone, the DNS server must be allowed to initiate a zone transfer from the master DNS server. Confirm that the master DNS server is configured to allow zone transfers to the IP addresses of all secondary DNS servers.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of secondary servers

1.   On the primary DNS server, click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the name of the zone that is hosted on secondary DNS servers and then click Properties.

3.   On the Zone Transfers tab, verify that Allow zone transfers is selected.

4.   Choose Only to servers listed on the Name Servers tab or Only to the following servers.

5.   If you chose Only to the following servers, click Edit and verify that the IP address of the secondary DNS server is listed under IP addresses of the secondary servers.

6.   To add a server to the list, click below IP Address, type the IP address of the secondary DNS server, and then press ENTER.

7.   To remove a server from the list, click the IP address and then click Delete.

8.   To replace a server in the list, click the IP address you wish to replace, type the IP address of the new secondary server, and then press ENTER.

9.   Click OK twice to exit.

10.  If you chose Only to servers listed on the Name Servers tab, click the Name Servers tab and verify that the secondary DNS server is listed under Name servers.

11.  Click Add, Edit, and Remove to add, change, or delete name servers from the list, respectively.

12.  Click OK to finish.

·                   See Also

Adding a Secondary DNS Server to a Zone

Topics in this section can help you bring DNS running on Windows Server® 2008 or Windows Server® 2008 R2 into compliance with operation best practices. Content in this section is most valuable to administrators who have completed a Best Practices Analyzer or Microsoft Baseline Configuration Analyzer scan of DNS, and who want information about how to interpret and resolve scan results that identify areas of DNS that are noncompliant with operation best practices.

·                   Best Practices Analyzer and operation rules

Operation rules are applied to identify best-practice-related possible causes of a role’s failures to carry out its prescribed tasks in the enterprise. An example of a violation of operation rules that a Best Practices Analyzer scan might find is a service that is paused or stopped.

For more information about Best Practices Analyzer and scans, see Best Practices Analyzer.

·                   Topics in this section

·      DNS: The DNS server <IP address> on <adapter name> must be able to resolve names in the forest root domain name zone

·      DNS: The DNS server <IP address> on <adapter name> must be able to resolve names in the primary DNS domain zone

·      DNS: The DNS server <IP address> on <adapter name> must resolve Global Catalog resource records for the domain controller

·      DNS: The DNS server <IP address> on <adapter name> must resolve Kerberos resource records for the domain controller

·      DNS: The DNS server <IP address> on <adapter name> must resolve LDAP resource records for the domain controller

·      DNS: The DNS server <IP address> on <adapter name> must resolve PDC RRs for the domain controller

·      DNS: The DNS server <IP address> on <adapter name> must resolve the name of this computer

·      DNS: DNS servers assigned to the network adapter should respond consistently

·      DNS: Zone <Zone name> master servers must respond to queries for the zone

·      DNS: Zone <Zone name> secondary servers must respond to queries for the zone

·      DNS: Zone <Zone name> master server <IP address> must respond to queries for the zone

·      DNS: Zone <Zone name> secondary server <IP address> should respond to queries for the zone

·      DNS: Root hint server <IP address> must respond to NS queries for the root zone

·      DNS: At least one name server in the list of root hints must respond to queries for the root zone

·      DNS: The DNS server configured on the adapter <Adapter name> should resolve the name of this computer

·      DNS: Zone <Zone name> is an Active Directory integrated DNS zone and must be running

·                   See Also

Best Practices Analyzer for Domain Name System: Configuration

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008 R2

Product/Feature

DNS

Severity

Critical

Category

Configuration

 

·                   Issue

Network interfaces must have DNS servers that host, forward, or delegate to the primary DNS domain zone. The DNS server did not respond to the query for the start of authority (SOA) record of the zone hosting the computer's forest root domain name.

·                   Impact

An unresponsive DNS server prevents this computer from resolving names and connecting to network resources.

Before you install Active Directory Domain Services (AD DS) and DNS on the first domain controller server in a new domain, make sure that the IP address of the server is static, meaning it is not assigned by Dynamic Host Configuration Protocol (DHCP). DNS servers must have static addresses to be sure that they can be located reliably.

·                   Resolution

Remove all invalid or unresponsive DNS servers.

We recommend that you configure the computer to use a static IP address. If the DNS server is configured to use a DHCP-assigned dynamic address, then when the DHCP server assigns it a new IP address, DNS clients that are still configured with the DNS server's previous IP address will no longer be able to locate the DNS server.

To configure valid IPv4 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses that are valid and responsive DNS servers.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any invalid or unresponsive DNS server addresses.

To configure valid IPv6 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses that are valid and responsive DNS servers.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any invalid or unresponsive DNS server addresses.

 

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008 R2

Product/Feature

DNS

Severity

Critical

Category

Operation

 

·                   Issue

Network interfaces must have DNS servers that host, forward, or delegate to the primary DNS domain zone. The DNS server did not respond to the query for the start of authority (SOA) record of the zone hosting the computer's primary DNS domain name.

·                   Impact

An unresponsive DNS server prevents this computer from resolving names and connecting to network resources.

Before you install Active Directory Domain Services (AD DS) and DNS on the first domain controller server in a new domain, make sure that the IP address of the server is static, meaning it is not assigned by Dynamic Host Configuration Protocol (DHCP). DNS servers must have static addresses to be sure that they can be located reliably.

·                   Resolution

Remove all invalid or unresponsive DNS servers.

We recommend that you configure the computer to use a static IP address. If the DNS server is configured to use a DHCP-assigned dynamic address, then when the DHCP server assigns it a new IP address, DNS clients that are still configured with the DNS server's previous IP address will no longer be able to locate the DNS server.

To configure valid IPv4 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses that are valid and responsive DNS servers.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any invalid or unresponsive DNS server addresses.

To configure valid IPv6 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses that are valid and responsive DNS servers.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any invalid or unresponsive DNS server addresses.

 

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008 R2

Product/Feature

DNS

Severity

Critical

Category

Operation

 

·                   Issue

Network interfaces must have DNS servers that resolve Global Catalog RRs for the domain controller. The DNS server did not respond to the query for _ldap._tcp.gc.<DnsDomainName>.

·                   Impact

Active Directory Domain Services (AD DS) operations that depend on locating a Global Catalog (GC) resource record (RR) will fail.

Before you install AD DS and DNS on the first domain controller server in a new domain, make sure that the IP address of the server is static, meaning it is not assigned by Dynamic Host Configuration Protocol (DHCP). DNS servers must have static addresses to be sure that they can be located reliably.

·                   Resolution

Configure DNS servers or computers that delegate or forward to other DNS servers that host the domain zone containing _ldap._tcp.gc.<DnsDomainName>.

We recommend that you configure the computer to use a static IP address. If the DNS server is configured to use a DHCP-assigned dynamic address, then when the DHCP server assigns it a new IP address, DNS clients that are still configured with the DNS server's previous IP address will no longer be able to locate the DNS server.

To configure valid IPv4 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses that host the domain zone containing _ldap._tcp.gc.<DnsDomainName>.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any DNS servers that do not host the domain zone containing _ldap._tcp.gc.<DnsDomainName>.

To configure valid IPv6 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses that host the domain zone containing _ldap._tcp.gc.<DnsDomainName>.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any DNS servers that do not host the domain zone containing _ldap._tcp.gc.<DnsDomainName>.

 

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008 R2

Product/Feature

DNS

Severity

Critical

Category

Operation

 

·                   Issue

Network interfaces must have DNS servers that resolve Kerberos RRs for the domain controller. The DNS server did not respond to the query for the _kerberos._tcp.<DnsDomainName> resource record (RR).

·                   Impact

Active Directory Domain Services (AD DS) operations that depend on locating a Kerberos Key Distribution Center (KDC) will fail.

Before you install AD DS and DNS on the first domain controller server in a new domain, make sure that the IP address of the server is static, meaning it is not assigned by Dynamic Host Configuration Protocol (DHCP). DNS servers must have static addresses to be sure that they can be located reliably.

·                   Resolution

Configure DNS servers or computers that delegate or forward to DNS servers that host the domain zone containing _kerberos._tcp.<DnsDomainName>.

We recommend that you configure the computer to use a static IP address. If the DNS server is configured to use a DHCP-assigned dynamic address, then when the DHCP server assigns it a new IP address, DNS clients that are still configured with the DNS server's previous IP address will no longer be able to locate the DNS server.

To configure valid IPv4 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses of DNS servers or computers that delegate or forward to DNS servers that host the domain zone containing _kerberos._tcp.<DnsDomainName>.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any DNS servers that do not delegate or forward to DNS servers that host the domain zone containing _kerberos._tcp.<DnsDomainName>.

To configure valid IPv6 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses of DNS servers or computers that delegate or forward to DNS servers that host the domain zone containing _kerberos._tcp.<DnsDomainName>.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any DNS servers that do not delegate or forward to DNS servers that host the domain zone containing _kerberos._tcp.<DnsDomainName>.

 

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008 R2

Product/Feature

DNS

Severity

Critical

Category

Operation

 

·                   Issue

Network interfaces must have DNS servers that resolve LDAP RRs for the domain controller. The DNS server did not respond to the query _ldap._tcp.<DnsDomainName>.

·                   Impact

Active Directory Domain Services (AD DS) operations that depend on locating domain controllers will fail.

Before you install AD DS and DNS on the first domain controller server in a new domain, make sure that the IP address of the server is static, meaning it is not assigned by Dynamic Host Configuration Protocol (DHCP). DNS servers must have static addresses to be sure that they can be located reliably.

·                   Resolution

Configure DNS servers, or computers that delegate or forward to DNS servers, that host the domain zone containing _ldap._tcp.<DnsDomainName>.

We recommend that you configure the computer to use a static IP address. If the DNS server is configured to use a DHCP-assigned dynamic address, then when the DHCP server assigns it a new IP address, DNS clients that are still configured with the DNS server's previous IP address will no longer be able to locate the DNS server.

To configure valid IPv4 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses that are valid and responsive DNS servers.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any DNS servers that do not respond to the query _ldap._tcp.<DnsDomainName>.

To configure valid IPv6 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses that respond to the query _ldap._tcp.<DnsDomainName>.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any DNS servers that do not respond to the query _ldap._tcp.<DnsDomainName>.

 

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008 R2

Product/Feature

DNS

Severity

Critical

Category

Operation

 

·                   Issue

Network interfaces must have DNS servers that resolve PDC RRs for the domain controller. The DNS server did not respond to the query _pdc._tcp.<DnsDomainName>.

·                   Impact

Active Directory Domain Services (AD DS) operations that depend on locating a primary domain controller (PDC) resource record (RR) will fail.

Before you install AD DS and DNS on the first domain controller server in a new domain, make sure that the IP address of the server is static, meaning it is not assigned by Dynamic Host Configuration Protocol (DHCP). DNS servers must have static addresses to be sure that they can be located reliably.

·                   Resolution

Configure DNS servers or computers that delegate or forward to DNS servers that host the domain zone containing _ldap._tcp.pdc.<DnsDomainName>.

We recommend that you configure the computer to use a static IP address. If the DNS server is configured to use a DHCP-assigned dynamic address, then when the DHCP server assigns it a new IP address, DNS clients that are still configured with the DNS server's previous IP address will no longer be able to locate the DNS server.

To configure valid IPv4 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses that respond to the query _ldap._tcp.pdc.<DnsDomainName>.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any DNS servers that do not respond to the query _ldap._tcp.pdc.<DnsDomainName>.

To configure valid IPv6 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses that respond to the query _ldap._tcp.pdc.<DnsDomainName>.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any DNS servers that do not respond to the query _ldap._tcp.pdc.<DnsDomainName>.

 

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008 R2

Product/Feature

DNS

Severity

Critical

Category

Operation

 

·                   Impact

Other domain controllers might not be able to resolve this computer’s name. The computer might not be able to connect to network resources.

Before you install Active Directory Domain Services (AD DS) and DNS on the first domain controller server in a new domain, make sure that the IP address of the server is static, meaning it is not assigned by Dynamic Host Configuration Protocol (DHCP). DNS servers must have static addresses to be sure that they can be located reliably.

·                   Resolution

Change adapter settings to configure DNS servers that are able to resolve names for your enterprise.

We recommend that you configure the computer to use a static IP address. If the DNS server is configured to use a DHCP-assigned dynamic address, then when the DHCP server assigns it a new IP address, DNS clients that are still configured with the DNS server's previous IP address will no longer be able to locate the DNS server.

To configure valid IPv4 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click View network status and tasks, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses that respond to the query _ldap._tcp.pdc.<DnsDomainName>.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any DNS servers that do not respond to the query _ldap._tcp.pdc.<DnsDomainName>.

To configure valid IPv6 DNS server addresses

1.   Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Change Adapter settings, double-click the network connection you want to change, and then click Properties.

2.   Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

3.   Click Use the following DNS server addresses.

4.   In Preferred DNS server and Alternate DNS server, type addresses that respond to the query _ldap._tcp.pdc.<DnsDomainName>.

5.   Click Advanced, and then click DNS.

6.   Click Edit or Remove to change any DNS servers that do not respond to the query _ldap._tcp.pdc.<DnsDomainName>.

 

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Operation

 

·                   Issue

The DNS servers do not respond identically to queries for the forest root domain.

The DNS servers assigned to the network interface might be a mixture of intranet and Internet DNS servers.

·                   Impact

DNS queries might fail or be delayed.

The DNS server might be unable to resolve some host names, or obtain inconsistent results. Since Active Directory (AD) replication relies on the ability of the DNS client service to resolve host names, AD replication may fail.

·                   Resolution

Configure DNS servers on the network interface so that either both respond or neither responds to queries for the forest root domain.

Configure network properties for the adapter to use DNS servers that both belong to the organization’s domain. If the network adapter is used for external queries, then configure both DNS servers to be external to the domain. If DNS servers are assigned by DHCP, configure the DHCP scope properties to use DNS servers that both belong to the organization’s domain or that are both external to the organization’s domain.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure DNS servers on the network adapter

1.   Click Start, click Run, type control netconnections, and then press ENTER.

2.   Right-click the network connection, and then click Properties.

3.   If you are configuring IPv4 properties, click Internet Protocol Version 4 (TCP/IPv4) and then click Properties. If you are configuring IPv6 properties, click Internet Protocol Version 6 (TCP/IPv6) and then click Properties.

4.   On the General tab, choose Use the following DNS server addresses, type the IP addresses of the DNS servers you wish to use next to Preferred DNS server and Alternate DNS server, click OK, and then click Close.

·                   See Also

DHCP: The DNS server option should be configured for all IPv4 scopes

DHCP: The DNS server option should be configured for all IPv6 scopes
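The checks behind the operation topics above (SOA of the forest root and primary domain, the Global Catalog, Kerberos, LDAP and PDC locator records, this computer's own name, and consistent answers across the servers on one adapter) as one added PowerShell script; it is not part of the DNS BPA document. It assumes the DnsClient module (Resolve-DnsName, Get-DnsClientServerAddress), which ships with Windows Server 2012 and later; on Windows Server 2008 R2 the document's nslookup procedures are the equivalent. The GC and PDC records are queried under their full _msdcs names, which the document abbreviates; the domain names in the usage line are placeholders.

```powershell
# Added example, not from the DNS BPA document. For every DNS server configured on
# every adapter, query the records the operation rules test and report servers that
# do not answer or that answer differently from the other servers on the same adapter.
function Test-AdapterDnsServers {
    param(
        [Parameter(Mandatory)][string]$DnsDomainName,   # primary DNS domain of this computer
        [Parameter(Mandatory)][string]$ForestRootName   # forest root domain name
    )

    # Records each configured DNS server is expected to resolve. The GC and PDC
    # locator records live under _msdcs (the document abbreviates those names).
    $checks = @(
        @{ Name = 'Forest root SOA';    Query = $ForestRootName;                         Type = 'SOA' }
        @{ Name = 'Primary domain SOA'; Query = $DnsDomainName;                          Type = 'SOA' }
        @{ Name = 'Global Catalog SRV'; Query = "_ldap._tcp.gc._msdcs.$ForestRootName";  Type = 'SRV' }
        @{ Name = 'Kerberos KDC SRV';   Query = "_kerberos._tcp.$DnsDomainName";         Type = 'SRV' }
        @{ Name = 'LDAP SRV';           Query = "_ldap._tcp.$DnsDomainName";             Type = 'SRV' }
        @{ Name = 'PDC emulator SRV';   Query = "_ldap._tcp.pdc._msdcs.$DnsDomainName";  Type = 'SRV' }
        @{ Name = 'This computer';      Query = "$env:COMPUTERNAME.$DnsDomainName";      Type = 'A'   }
    )

    $results  = @()
    $adapters = Get-DnsClientServerAddress | Where-Object { $_.ServerAddresses.Count -gt 0 }

    foreach ($adapter in $adapters) {
        foreach ($check in $checks) {
            $answersByServer = @{}
            foreach ($server in $adapter.ServerAddresses) {
                try {
                    # -DnsOnly bypasses the cache, hosts file, LLMNR and NetBIOS so the
                    # result reflects what this particular server returns.
                    $records = Resolve-DnsName -Name $check.Query -Type $check.Type -Server $server -DnsOnly -ErrorAction Stop |
                        Where-Object { $_.Section -eq 'Answer' }
                    # Normalise the answer to a sorted string so servers can be compared.
                    $answer = ($records | ForEach-Object {
                        $rec = $_
                        switch ("$($rec.Type)") {
                            'SRV'   { $rec.NameTarget }
                            'SOA'   { $rec.PrimaryServer }
                            default { $rec.IPAddress }
                        }
                    } | Sort-Object) -join ','
                    $status = 'Responded'
                    if (-not $answer) { $status = 'EmptyAnswer' }
                } catch {
                    # NXDOMAIN, SERVFAIL and timeouts all surface as a terminating error.
                    $answer = ''
                    $status = 'NoResponse'
                }
                $answersByServer[$server] = $answer
                $results += [pscustomobject]@{
                    Adapter = $adapter.InterfaceAlias
                    Server  = $server
                    Check   = $check.Name
                    Query   = $check.Query
                    Status  = $status
                    Answer  = $answer
                }
            }
            # Consistency rule: the servers on one adapter should agree (either all
            # resolve the forest root or none do); mark the rows when they differ.
            $distinct = @($answersByServer.Values | Sort-Object -Unique)
            if ($distinct.Count -gt 1) {
                $results | Where-Object { $_.Adapter -eq $adapter.InterfaceAlias -and $_.Check -eq $check.Name } |
                    ForEach-Object { $_.Status = "$($_.Status),Inconsistent" }
            }
        }
    }
    return $results
}

# Usage: show only the rows that would trigger one of the rules (placeholder domain names).
Test-AdapterDnsServers -DnsDomainName 'corp.example' -ForestRootName 'corp.example' |
    Where-Object { $_.Status -ne 'Responded' } | Format-Table -AutoSize
```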

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008, Windows Server 2008 R2

Product/Feature

DNS

Severity

Warning

Category

Operation

 

·                   Issue

None of the master servers configured for the zone are responding.

The secondary zone on the DNS server is not being updated by primary DNS servers.

·                   Impact

The secondary zone will not be updated.

Zone transfers from the primary DNS servers to the secondary DNS server will fail. DNS information in the zone might be outdated.

·                   Resolution

Validate the list of master servers for the zone.

Review the list of master DNS servers for the zone and verify that each DNS server listed hosts a primary copy of the zone and is responding to DNS queries. Configure the list of master servers, removing or replacing master servers that are not valid.

Important

Ensure that there is at least one valid master DNS server configured in the list.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of master servers

1.   On the secondary DNS server, click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the name of the secondary zone and then click Properties.

3.   On the General tab, click Edit.

4.   Use the following procedure to validate each server that is listed under IP addresses of the master servers.

5.   To remove a server from the list, click the IP address and then click Delete.

6.   To replace a server in the list, click the IP address you wish to replace, type the IP address of the new master server, and then press ENTER.

7.   Click OK twice to exit.

To validate the list of master servers

1.   On the secondary DNS server, open an elevated command prompt.

2.   Type nslookup and press ENTER to use the nslookup tool in interactive mode.

3.   At the nslookup prompt, type the following commands, and after each one press ENTER:

server <master server>

ls <zone name>

4.   Zone transfers must be allowed from the master to the secondary DNS server. If the master server hosts a copy of the zone and is responding, the contents of the zone will be displayed.

5.   If contents of the zone are not displayed, remove the DNS server from the list of primary DNS servers, or determine why the master DNS server is not responding.

6.   Repeat this procedure for each DNS server in the list of master DNS servers.

7.   When you have completed validating all master DNS servers for the zone, type exit and press ENTER.

 

Value              Description
nslookup           The command-line tool for querying DNS servers.
server             Command to set the default server used for queries.
<master server>    Specifies the DNS host name or IP address of the DNS server to be queried.
ls                 Command to list entries in a zone. The ls command attempts a zone transfer of the specified zone from the specified server, and then displays data in the zone.
<zone name>        Specifies the zone name to be queried.

 

·                   See Also

Adding a Secondary DNS Server to a Zone

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System    Windows Server 2008, Windows Server 2008 R2
Product/Feature     DNS
Severity            Warning
Category            Operation

 

·                   Issue

None of the secondary servers configured for zone are responding.

A list of secondary DNS servers has been specified on the zone transfers tab, but none of these servers are responding to a DNS query for the zone.

·                   Impact

Secondary servers will fail DNS queries for the zone.

If secondary DNS servers are used for DNS resolution, clients might be unable to resolve host names in the zone.

·                   Resolution

Validate secondary servers for zone.

Review the list of secondary DNS servers for the zone and verify that each DNS server listed hosts a secondary copy of the zone and is responding to DNS queries. Configure the list of secondary servers, removing or replacing secondary servers that are not valid. This rule checks the list of secondary servers if you have chosen to allow zone transfers Only to servers on the Name Servers tab or Only to the following servers on the Zone Transfers tab.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of secondary servers

1.   On the primary DNS server, click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the name of the zone that is hosted on secondary DNS servers and then click Properties.

3.   On the Zone Transfers tab, click Edit.

Note

This rule is only active if zone transfers are allowed and Only to the following servers is selected on the Zone Transfers tab.

4.   Use the following procedure to validate each server that is listed under IP addresses of the secondary servers.

5.   To remove a server from the list, click the IP address and then click Delete.

6.   To replace a server in the list, click the IP address you wish to replace, type the IP address of the new secondary server, and then press ENTER.

7.   Click OK twice to exit.

To validate the list of secondary servers

1.   On the primary DNS server, open an elevated command prompt.

2.   Type nslookup and press ENTER to use the nslookup tool in interactive mode.

3.   At the nslookup prompt, type the following commands, and after each one press ENTER:

server <secondary server>

ls <zone name>

4.   Zone transfers must be allowed from the master to the secondary DNS server. If the secondary server hosts a copy of the zone and is responding, the contents of the zone will be displayed.

5.   If contents of the zone are not displayed, remove the DNS server from the list of secondary DNS servers, or determine why the secondary DNS server is not responding.

6.   Repeat this procedure for each DNS server in the list of secondary DNS servers.

7.   When you have completed validating all secondary DNS servers for the zone, type exit and press ENTER.

 

Value                 Description
nslookup              The command-line tool for querying DNS servers.
server                Command to set the default server used for queries.
<secondary server>    Specifies the DNS host name or IP address of the DNS server to be queried.
ls                    Command to list entries in a zone. The ls command attempts a zone transfer of the specified zone from the specified server, and then displays data in the zone.
<zone name>           Specifies the zone name to be queried.

 

·                   See Also

Adding a Secondary DNS Server to a Zone

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System    Windows Server 2008, Windows Server 2008 R2
Product/Feature     DNS
Severity            Warning
Category            Operation

 

·                   Issue

The secondary zone does not exist on the master server.

The secondary zone on the DNS server is not being updated by a primary DNS server.

·                   Impact

The secondary zone will not be transferred from the master DNS server.

Zone transfers from this primary DNS server to the secondary DNS server will fail. DNS information in the zone might be outdated.

·                   Resolution

Add the zone to the master server or remove the server from the list of master servers.

Review the list of master DNS servers for the zone and verify that each DNS server listed hosts a primary copy of the zone and is responding to DNS queries. Configure the list of master servers, removing or replacing master servers that are not valid.

Important

Ensure that there is at least one valid master DNS server configured in the list.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of master servers

1.   On the secondary DNS server, click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the name of the secondary zone and then click Properties.

3.   On the General tab, click Edit.

4.   Use the following procedure to validate each server that is listed under IP addresses of the master servers.

5.   To remove a server from the list, click the IP address and then click Delete.

6.   To replace a server in the list, click the IP address you wish to replace, type the IP address of the new master server, and then press ENTER.

7.   Click OK twice to exit.

To validate the list of master servers

1.   On the secondary DNS server, open an elevated command prompt.

2.   Type nslookup and press ENTER to use the nslookup tool in interactive mode.

3.   At the nslookup prompt, type the following commands, and after each one press ENTER:

server <master server>

ls <zone name>

4.   Zone transfers must be allowed from the master to the secondary DNS server. If the master server hosts a copy of the zone and is responding, the contents of the zone will be displayed.

5.   If contents of the zone are not displayed, remove the DNS server from the list of primary DNS servers, or determine why the master DNS server is not responding.

6.   Repeat this procedure for each DNS server in the list of master DNS servers.

7.   When you have completed validating all master DNS servers for the zone, type exit and press ENTER.

 

Value              Description
nslookup           The command-line tool for querying DNS servers.
server             Command to set the default server used for queries.
<master server>    Specifies the DNS host name or IP address of the DNS server to be queried.
ls                 Command to list entries in a zone. The ls command attempts a zone transfer of the specified zone from the specified server, and then displays data in the zone.
<zone name>        Specifies the zone name to be queried.

 

·                   See Also

Adding a Secondary DNS Server to a Zone

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System    Windows Server 2008, Windows Server 2008 R2
Product/Feature     DNS
Severity            Error
Category            Operation

 

·                   Issue

The secondary DNS server does not respond to queries for the zone.

The DNS server is configured in the list of secondary DNS servers on the zone transfers tab, but the specified server is not responding to a DNS query for the zone.

·                   Impact

DNS queries for the zone might fail.

If the specified DNS server is used for DNS resolution, clients might be unable to resolve host names in the zone.

·                   Resolution

Verify that the server is a secondary DNS server that hosts the zone.

Review the list of secondary DNS servers for the zone and verify that the specified DNS server hosts a secondary copy of the zone and is responding to DNS queries. If the DNS server is not a valid secondary server for the zone, remove it from the list. Alternatively, you can configure the DNS server to host a secondary copy of the zone. This rule checks the list of secondary servers if you have chosen to allow zone transfers Only to servers on the Name Servers tab or Only to the following servers on the Zone Transfers tab.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the list of secondary servers

1.   On the primary DNS server, click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, right-click the name of the secondary zone and then click Properties.

3.   On the Zone Transfers tab, click Edit.

Note

This rule is only active if zone transfers are allowed and Only to the following servers is selected on the Zone Transfers tab.

4.   Use the following procedure to validate each server that is listed under IP addresses of the secondary servers.

5.   To remove a server from the list, click the IP address and then click Delete.

6.   To replace a server in the list, click the IP address you wish to replace, type the IP address of the new secondary server, and then press ENTER.

7.   Click OK twice to exit.

To validate the list of secondary servers

1.   On the primary DNS server, open an elevated command prompt.

2.   Type nslookup and press ENTER to use the nslookup tool in interactive mode.

3.   At the nslookup prompt, type the following commands, and after each one press ENTER:

server <secondary server>

ls <zone name>

4.   Zone transfers must be allowed from the master to the secondary DNS server. If the secondary server hosts a copy of the zone and is responding, the contents of the zone will be displayed.

5.   If contents of the zone are not displayed, remove the DNS server from the list of secondary DNS servers, or determine why the secondary DNS server is not responding.

6.   Repeat this procedure for each DNS server in the list of secondary DNS servers.

7.   When you have completed validating all secondary DNS servers for the zone, type exit and press ENTER.

 

Value                 Description
nslookup              The command-line tool for querying DNS servers.
server                Command to set the default server used for queries.
<secondary server>    Specifies the DNS host name or IP address of the DNS server to be queried.
ls                    Command to list entries in a zone. The ls command attempts a zone transfer of the specified zone from the specified server, and then displays data in the zone.
<zone name>           Specifies the zone name to be queried.

 

·                   See Also

Adding a Secondary DNS Server to a Zone

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System    Windows Server 2008, Windows Server 2008 R2
Product/Feature     DNS
Severity            Warning
Category            Operation

 

·                   Issue

The root hint server is not responding.

Recursion is enabled on the DNS server, but a root name server is not responding to a query for the root zone.

·                   Impact

The DNS server might be unable to resolve external host names.

Recursion might fail or be delayed on this DNS server, causing DNS client computers to be unable to resolve names in external zones.

·                   Resolution

Validate network connectivity to root hint servers. Remove servers from the list that are unresponsive.

Update the list of root hints to include only those servers that respond to a query for the root zone.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To verify a root name server

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

nslookup -type=ns . <root name server>

3.   Replace <root name server> with the IP address of the root hint server that you wish to verify. If the root name server is valid, a list of authoritative servers for the root zone (root name servers) will be displayed.

To configure Root Hints

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, click the name of the DNS server you wish to configure.

3.   On the Action menu, click Properties.

4.   Click the Root Hints tab.

5.   Modify server root hints as follows:

·      To add a root server to the list, click Add, and then specify the name and IP address of the server to be added to the list.

·      To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.

·      To remove a root server from the list, select it in the list, and then click Remove.

·      To copy root hints from a DNS server, click Copy from server, and then specify the IP address of the DNS server from which you want to copy a list of root servers to use in resolving queries. These root hints will not overwrite any existing root hints.

·                   Additional considerations

The following is the default list of root hints.

a.root-servers.net.    198.41.0.4
b.root-servers.net.    192.228.79.201
c.root-servers.net.    192.33.4.12
d.root-servers.net.    128.8.10.90
e.root-servers.net.    192.203.230.10
f.root-servers.net.    192.5.5.241
g.root-servers.net.    192.112.36.41
h.root-servers.net.    128.63.2.53
i.root-servers.net.    192.36.148.17
j.root-servers.net.    192.58.128.30
k.root-servers.net.    193.0.14.129
l.root-servers.net.    199.7.83.42
m.root-servers.net.    202.12.27.33

Tip

An updated list of root hints is available at ftp://ftp.rs.internic.net/domain/db.cache.

·                   See Also

Updating Root Hints

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System    Windows Server 2008, Windows Server 2008 R2
Product/Feature     DNS
Severity            Critical
Category            Operation

 

·                   Issue

All root hints failed an NS query for the root zone.

Recursion is enabled on the DNS server, but none of the root name servers are responding to a query for the root zone.

·                   Impact

The DNS server might be unable to resolve external host names.

If forwarders are unavailable, DNS client computers will be unable to resolve external host names.

·                   Resolution

Configure the list of root hints with name servers that are responding.

Update the list of root hints to include only those servers that respond to a query for the root zone.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To verify a root name server

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

nslookup -type=ns . <root name server>

3.   Replace <root name server> with the IP address of the root hint server that you wish to verify. If the root name server is valid, a list of authoritative servers for the root zone (root name servers) will be displayed.

To configure Root Hints

1.   Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2.   In the console tree, click the name of the DNS server you wish to configure.

3.   On the Action menu, click Properties.

4.   Click the Root Hints tab.

5.   Modify server root hints as follows:

·      To add a root server to the list, click Add, and then specify the name and IP address of the server to be added to the list.

·      To modify a root server in the list, click Edit, and then specify the name and IP address of the server to be modified in the list.

·      To remove a root server from the list, select it in the list, and then click Remove.

·      To copy root hints from a DNS server, click Copy from server, and then specify the IP address of the DNS server from which you want to copy a list of root servers to use in resolving queries. These root hints will not overwrite any existing root hints.

·                   Additional considerations

The following is the default list of root hints.

a.root-servers.net.    198.41.0.4
b.root-servers.net.    192.228.79.201
c.root-servers.net.    192.33.4.12
d.root-servers.net.    128.8.10.90
e.root-servers.net.    192.203.230.10
f.root-servers.net.    192.5.5.241
g.root-servers.net.    192.112.36.41
h.root-servers.net.    128.63.2.53
i.root-servers.net.    192.36.148.17
j.root-servers.net.    192.58.128.30
k.root-servers.net.    193.0.14.129
l.root-servers.net.    199.7.83.42
m.root-servers.net.    202.12.27.33

Tip

An updated list of root hints is available at ftp://ftp.rs.internic.net/domain/db.cache.
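The Tip above points at db.cache as the source of a current root hint list. The following Python is an added example, not Microsoft's code or part of the DNS BPA: it parses a file in db.cache layout and reports which configured hints are missing, have a changed address, or are no longer root servers. The db.cache excerpt embedded in it is constructed (truncated to three servers, with b's address set to a TEST-NET value so the report has something to show); the configured list is the document's default list above. The function names parse_db_cache and compare_root_hints are the example's own.

```python
# Added example (not Microsoft's code): compare a server's configured root
# hints with a db.cache file. The excerpt below is constructed in db.cache
# layout (owner TTL type rdata); fetch the real file before acting on a report.

# The document's default root hint list, as it would be read from the server.
CONFIGURED_ROOT_HINTS = {
    "a.root-servers.net": "198.41.0.4",
    "b.root-servers.net": "192.228.79.201",
    "c.root-servers.net": "192.33.4.12",
    "d.root-servers.net": "128.8.10.90",
    "e.root-servers.net": "192.203.230.10",
    "f.root-servers.net": "192.5.5.241",
    "g.root-servers.net": "192.112.36.41",
    "h.root-servers.net": "128.63.2.53",
    "i.root-servers.net": "192.36.148.17",
    "j.root-servers.net": "192.58.128.30",
    "k.root-servers.net": "193.0.14.129",
    "l.root-servers.net": "199.7.83.42",
    "m.root-servers.net": "202.12.27.33",
}

# Constructed sample: only three servers, b's address deliberately changed to
# a TEST-NET value, and a documentation IPv6 address. Not current root data.
SAMPLE_DB_CACHE = """\
; constructed sample in db.cache layout, not the current root hints
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
"""


def parse_db_cache(text):
    """Return {"ns": {root server names}, "a": {name: IPv4}} from db.cache text.

    Only the root NS set and the servers' A records are kept; comments and
    AAAA records are ignored. Names are lower-cased with the trailing dot
    removed so they compare directly with the configured list."""
    roots, addrs = set(), {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, then tokenise
        if len(fields) != 4:
            continue
        owner, _ttl, rtype, rdata = fields
        if owner == "." and rtype == "NS":
            roots.add(rdata.lower().rstrip("."))
        elif rtype == "A":
            addrs[owner.lower().rstrip(".")] = rdata
    return {"ns": roots, "a": addrs}


def compare_root_hints(configured, db_cache_text):
    """Report hints that are missing from the server, whose address changed,
    or that the server still lists although db.cache no longer does."""
    current = parse_db_cache(db_cache_text)
    report = {"missing": [], "changed": {}, "extra": []}
    for name in sorted(current["ns"]):
        if name not in configured:
            report["missing"].append(name)
        elif name in current["a"] and current["a"][name] != configured[name]:
            report["changed"][name] = (configured[name], current["a"][name])
    report["extra"] = sorted(n for n in configured if n not in current["ns"])
    return report


if __name__ == "__main__":
    # With a downloaded file: compare_root_hints(CONFIGURED_ROOT_HINTS, open("db.cache").read())
    for kind, entries in compare_root_hints(CONFIGURED_ROOT_HINTS, SAMPLE_DB_CACHE).items():
        print(kind, entries)
```

Because the constructed excerpt stops at c.root-servers.net, the report lists d through m under "extra"; with the complete file that list should be empty, "changed" shows hints whose address has moved, and "missing" shows root servers the hint list does not yet contain. Only the IPv4 column is compared, matching the IPv4-only default list in the document.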

·                   See Also

Updating Root Hints

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System    Windows Server 2008, Windows Server 2008 R2
Product/Feature     DNS
Severity            Critical
Category            Operation

 

·                   Issue

The DNS server on did not successfully resolve the name of the address record for this computer.

A DNS server configured on the network adapter was unable to resolve the host name of this DNS server.

·                   Impact

The DNS server might be unavailable on the network.

Client computers might be unable to locate this DNS server on the network.

·                   Resolution

Configure DNS servers on the network adapter that can resolve names in the host domain.

Confirm that the DNS server is registering its host name in DNS. Also verify that the DNS servers configured on the network adapter are able to resolve the host name of the DNS server.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To verify DNS registration settings

1.   Click Start, click Run, type control netconnections, and then press ENTER. The Network Connections control panel will open.

2.   Right-click the network connection specified by this rule, and then click Properties.

3.   Click Internet Protocol Version 4 (TCP/IPv4) or click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

Tip

The setting to register the connection’s addresses in DNS is a global setting that affects both IPv4 and IPv6 addresses on the network interface.

4.   Click Advanced, click the DNS tab, and then verify that the Register this connection’s addresses in DNS checkbox is selected.

5.   Click OK twice, and then click Close.

To verify host name resolution

1.   Open a command prompt.

2.   Type the following command, and then press ENTER:

nslookup <Host> <Server>

 

Value       Description
nslookup    The command-line tool for querying DNS servers.
<Host>      Required. Specifies the fully qualified domain name (FQDN) of the local DNS server.
<Server>    Required. Specifies the name or IP address of the DNS server configured on the network adapter.

 

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see  Best Practices Analyzer.

 

Operating System    Windows Server 2008, Windows Server 2008 R2
Product/Feature     DNS
Severity            Warning
Category            Operation

 

·                   Issue

The Active Directory integrated zone is unavailable because it is not running.

The zone might be paused.

·                   Impact

The DNS server will not respond to queries for the zone.

DNS client computers will fail to resolve names in the zone.

·                   Resolution

Start the Active Directory integrated zone.

If the zone is in a paused state, you can use the DNS console to start the zone, or you can use dnscmd. The procedure to start the zone using a command line is provided below.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To start the zone

1.   Open an elevated command prompt.

2.   Type the following command, and then press ENTER:

dnscmd [<ServerName>] /ZoneResume <ZoneName>

 

Value           Description
dnscmd          The command-line tool for managing DNS servers.
<ServerName>    Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.
<ZoneName>      Required. Specifies the fully qualified domain name (FQDN) of the zone to resume.

 

·                   See Also

Start or Pause a Zone