DNS Support for Active Directory Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In this section

  • DNS Support for Active Directory Tools

  • DNS Support for Active Directory Registry Entries

  • DNS Support for Active Directory Group Policy Settings

  • DNS Support for Active Directory WMI Classes

  • Related Information

DNS Support for Active Directory Tools

The following tools are associated with the Domain Name System (DNS) support for Active Directory. For more information about DNS tools and settings in a Windows Server 2003 network, see “DNS Tools and Settings” in DNS Technical Reference.

Note

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to Active Directory Domain Services.

Dcdiag.exe: Domain Controller Diagnostic Tool

Category

This tool is included in the Windows 2000 Server and later Support Tools.

Version compatibility

This tool runs on Windows XP, and the Windows 2000 Server and later operating systems.

You can use Domain Controller Diagnostic Tool to verify that there are sufficient resources for the DNS infrastructure when deploying the Windows 2000 Server or later Active Directory directory service. This tool analyzes the state of domain controllers in a forest or enterprise and reports any problems, to assist in troubleshooting. As an end-user reporting program, Domain Controller Diagnostic Tool queries the directory service infrastructure and uses the results to identify abnormal behavior in the system. Domain Controller Diagnostic Tool provides a framework for executing tests and a series of tests to verify different functional areas of the system. This framework selects which domain controllers are tested according to scope directives from the user, such as enterprise, site, or single server.

Dnscmd.exe: Dnscmd

Category

This tool is included in the Windows Server 2003 and later Support Tools.

Version compatibility

This tool runs on the Windows 2000 Server and later operating systems.

Dnscmd is used to view the properties of DNS servers, zones, and resource records. In addition, Dnscmd is used to modify all aspects of the DNS Server service, including creating and deleting zones and resource records, and forcing replication events between DNS server physical memory and DNS databases. Dnscmd can also be useful for developing scripts for configuring a DNS server.

Dnslint.exe: DNSLint

Category

This tool is available for download on the Microsoft Web site.

Version compatibility

This tool runs on Windows XP, and the Windows 2000 Server and later operating systems.

DNSLint is a Microsoft Windows utility that can be used to help diagnose common DNS name resolution issues. It can be targeted to look for specific DNS record sets and ensure that they are consistent across multiple DNS servers. It can also be used to verify that DNS records used specifically for Active Directory replication are correct.

Dnsmgmt.msc: DNS console

Category

This tool is included in the Windows 2000 Server and later operating systems, and is installed when the DNS Server service is installed. This tool is also installed with the Windows 2000 Server or later Administration Tools Pack (Adminpak.msi).

Version compatibility

This tool runs on the Windows 2000 Server and later operating systems. When installed from one of the administration tools packs, this tool can also run on Microsoft Windows 2000 Professional and Windows XP.

The DNS console is used to administer the DNS Server service. It can be used to modify all aspects of the DNS Server service, including creating and deleting zones and resource records, and forcing replication events between DNS server physical memory and DNS databases. The DNS console can also be used to perform diagnostics on the DNS infrastructure of a network.

Eventvwr.exe: Event Viewer

Category

This tool is included in all Windows server and client operating systems.

Version compatibility

This tool runs on Windows XP, and the Windows 2000 Server and later operating systems.

You can use Event Viewer to monitor events recorded in event logs. Typically, a computer stores the Application, Security, and System logs. It could also contain other logs, depending on the role of the computer and the applications that are installed on it. For example, DNS servers write DNS-related events (such as errors that occur when the DNS Server service is invoked) to log files which can be read by using Event Viewer.

Ipconfig.exe: Ipconfig

Category

This tool is included in all Windows server and client operating systems.

Version compatibility

This tool runs on all Windows server and client operating systems.

Ipconfig displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and DNS settings. Used without parameters, Ipconfig displays IPv6 addresses or the IPv4 address, subnet mask, and default gateway for all adapters.

Netdiag.exe: Network Connectivity Tester

Category

This tool is included in the Windows 2000 and later Support Tools.

Version compatibility

This tool runs on Windows XP, and the Windows 2000 Server and later operating systems.

You can use Network Connectivity Tester to help isolate networking and connectivity problems, by performing a series of tests to determine the state of your network client, and whether it is functional. These tests, and the key network status information they expose, give network administrators and support personnel a more direct means of identifying and isolating network problems. Moreover, because this tool does not require that parameters or switches be specified, support personnel and network administrators can focus on analyzing the output rather than on training users how to use the tool.

Netmon.exe: Network Monitor

Category

This tool is installed with the Windows Server 2003 and later Administration Tools Pack.

Version compatibility

This tool runs on all Windows operating systems.

Network Monitor captures data about the packets on a network and logs them for subsequent analysis. The monitored data can be filtered using many criteria, including protocol, ports, physical addresses, and logical addresses. Network Monitor can be useful in many situations, such as when you are troubleshooting an environment that has a firewall between a DNS server and a client, or between two DNS servers.

There are two versions of Network Monitor: the Network Monitor that is provided as part of the Windows Server 2003 operating system, and the Network Monitor that is part of Microsoft Systems Management Server (SMS). The version of Network Monitor that is included with the Windows Server 2003 operating system captures only data about network packets that are sent to or from the server on which you run Network Monitor; it also captures data about network broadcasts that are received. The Network Monitor that is included with SMS can monitor all network packets on a network segment regardless of their source or destination.

Nslookup.exe: Nslookup

Category

This tool is included in all Windows server and client operating systems.

Version compatibility

This tool runs on all Windows server and client operating systems.

Nslookup is used to query DNS servers and to obtain detailed responses. The information obtained using Nslookup can be used to diagnose and solve name resolution problems, verify that resource records are added or updated correctly in a zone, and debug other server-related problems.

DNS Support for Active Directory Registry Entries

Active Directory uses DNS to enable client computers to locate domain controllers and to enable domain controllers to locate each other. Domain controllers register SRV records in DNS, and clients and other domain controllers query for these records. Which records are registered in DNS and how they are registered depends on settings in the Windows registry. The following registry entries are associated with DNS support for Active Directory.

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, modify settings through the use of policy settings or through dedicated management tools, such as the DNS snap-in for the Microsoft Management Console (MMC), to accomplish tasks, rather than editing the registry directly. If you must edit the registry, use extreme caution.

DNS\Parameters

The following registry entries are used to configure various DNS options that control how DNS interacts with the Active Directory environment.

EnableDirectoryPartitions

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

Version

Windows Server 2003 and later

If you do not want the default DNS application directory partitions to be created automatically, you must disable the EnableDirectoryPartitions registry key. The values for this key are 0x0 (disable) and 0x1 (enable).

For more information about this registry entry, see the “Registry Reference” in the Tools and Settings Collection.

DnsAvoidRegisterRecords

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Version

Windows Server 2003 and later

Specifies the list of data corresponding to the DNS resource records that should not be registered for a domain controller by the Net Logon service. Restarting the Net Logon service is not required to make changes to this value effective. If the DnsAvoidRegisterRecords registry entry is created or modified within the first 15 minutes after the Net Logon service is started, there might be a short delay before the appropriate DNS updates appear and are replicated to the other DNS servers. If the modifications are made while the Net Logon service is stopped, there is a short delay before the DNS updates appear after the Net Logon service is restarted.

In this value, list the data corresponding to the DNS resource records that should not be registered for this domain controller by the Net Logon service. The list of data includes:

Data Value          Resource Record Type   DNS Resource Record
LdapIpAddress       A                      <DnsDomainName>
Ldap                SRV                    _ldap._tcp.<DnsDomainName>
LdapAtSite          SRV                    _ldap._tcp.<SiteName>._sites.<DnsDomainName>
Pdc                 SRV                    _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc                  SRV                    _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite            SRV                    _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
DcByGuid            SRV                    _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
GcIpAddress         A                      _gc._msdcs.<DnsForestName>
DsaCname            CNAME                  <DsaGuid>._msdcs.<DnsForestName>
Kdc                 SRV                    _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite           SRV                    _kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>
Dc                  SRV                    _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite            SRV                    _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Rfc1510Kdc          SRV                    _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite    SRV                    _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
GenericGc           SRV                    _gc._tcp.<DnsForestName>
GenericGcAtSite     SRV                    _gc._tcp.<SiteName>._sites.<DnsForestName>
Rfc1510UdpKdc       SRV                    _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd         SRV                    _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd      SRV                    _kpasswd._udp.<DnsDomainName>
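The following PowerShell script is an added example and is not part of the original article: run on a domain controller, it reads the DnsAvoidRegisterRecords value, maps each mnemonic to the record it suppresses using the table above, resolves each record and reports whether this DC appears in the answer, so a DC that is still registered in a record it was told to avoid (or is missing from one it was not) stands out. The domain, forest and site names are read from the local machine; the -DsaGuid parameter (the NTDS Settings objectGUID needed for DsaCname) is an assumption of this script and is optional.

```powershell
# Added example, not part of the original article. Run on a domain controller.
# Reads the Netlogon DnsAvoidRegisterRecords value, maps each mnemonic to the
# record it suppresses (the table above), resolves each record and reports
# whether THIS domain controller appears in the answer. A DC that still appears
# in a record it was told not to register, or that is missing from one it was
# not told to suppress, is worth investigating. Assumptions: only the DC's own
# site is checked, and -DsaGuid (NTDS Settings objectGUID, for DsaCname) is optional.
param([string]$DsaGuid)

$ad         = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$Domain     = $ad.Name
$Forest     = $ad.Forest.Name
$Site       = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$DomainGuid = $ad.GetDirectoryEntry().Guid.ToString()
$me         = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)
$myFqdn     = $me.HostName.TrimEnd('.').ToLower()
$myIps      = $me.AddressList | ForEach-Object { $_.IPAddressToString }

# REG_MULTI_SZ list of mnemonics the Net Logon service must not register.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$avoid  = @((Get-ItemProperty -Path $params -Name DnsAvoidRegisterRecords `
              -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords) |
          Where-Object { $_ } | ForEach-Object { $_.Trim() }

# Mnemonic -> (record type, owner name), taken from the table above.
$records = [ordered]@{
  LdapIpAddress    = 'A',   $Domain
  Ldap             = 'SRV', "_ldap._tcp.$Domain"
  LdapAtSite       = 'SRV', "_ldap._tcp.$Site._sites.$Domain"
  Pdc              = 'SRV', "_ldap._tcp.pdc._msdcs.$Domain"
  Gc               = 'SRV', "_ldap._tcp.gc._msdcs.$Forest"
  GcAtSite         = 'SRV', "_ldap._tcp.$Site._sites.gc._msdcs.$Forest"
  DcByGuid         = 'SRV', "_ldap._tcp.$DomainGuid.domains._msdcs.$Forest"
  GcIpAddress      = 'A',   "_gc._msdcs.$Forest"
  Kdc              = 'SRV', "_kerberos._tcp.dc._msdcs.$Domain"
  KdcAtSite        = 'SRV', "_kerberos._tcp.dc._msdcs.$Site._sites.$Domain"
  Dc               = 'SRV', "_ldap._tcp.dc._msdcs.$Domain"
  DcAtSite         = 'SRV', "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
  Rfc1510Kdc       = 'SRV', "_kerberos._tcp.$Domain"
  Rfc1510KdcAtSite = 'SRV', "_kerberos._tcp.$Site._sites.$Domain"
  GenericGc        = 'SRV', "_gc._tcp.$Forest"
  GenericGcAtSite  = 'SRV', "_gc._tcp.$Site._sites.$Forest"
  Rfc1510UdpKdc    = 'SRV', "_kerberos._udp.$Domain"
  Rfc1510Kpwd      = 'SRV', "_kpasswd._tcp.$Domain"
  Rfc1510UdpKpwd   = 'SRV', "_kpasswd._udp.$Domain"
}
if ($DsaGuid) { $records['DsaCname'] = 'CNAME', "$DsaGuid._msdcs.$Forest" }

foreach ($name in @($records.Keys)) {
  $type, $owner = $records[$name]
  $suppressed   = $avoid -contains $name
  $answers = Resolve-DnsName -Name $owner -Type $type -DnsOnly -ErrorAction SilentlyContinue
  # Keep only the answers that point at this DC (its addresses or its FQDN).
  $mine = switch ($type) {
    'A'     { $answers | Where-Object { $myIps -contains $_.IPAddress } }
    'SRV'   { $answers | Where-Object { $_.NameTarget.TrimEnd('.').ToLower() -eq $myFqdn } }
    'CNAME' { $answers | Where-Object { $_.NameHost.TrimEnd('.').ToLower() -eq $myFqdn } }
  }
  if ($suppressed -and $mine)               { $result = 'PROBLEM: suppressed but still registered' }
  elseif (-not $suppressed -and -not $mine) { $result = 'check: not suppressed, not found (Pdc/Gc* depend on role)' }
  else                                      { $result = 'ok' }
  [pscustomobject]@{
    Mnemonic = $name; Type = $type; Record = $owner
    Suppressed = $suppressed; ThisDC = [bool]$mine; Result = $result
  }
}
```

Site-specific records registered for covered sites (Automated Site Coverage) are not checked, so a DC legitimately registered in another site's records will not appear here.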

DNS Support for Active Directory Group Policy Settings

Active Directory uses DNS to enable client computers to locate domain controllers and to enable domain controllers to locate each other. Domain controllers register SRV records in DNS, and clients and other domain controllers query for these records. Which records are registered in DNS and how they are registered depends on specific Group Policy settings. The following tables list and describe the Group Policy settings that are associated with DNS support for Active Directory.

Net Logon Group Policy Settings Associated with DNS Support for Active Directory

Group Policy Setting Description

Site Name

Specifies the Active Directory site to which computers belong. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.

Negative DC Discovery Cache Setting

Specifies the amount of time (in seconds) the DC locator retains that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC.

Domain Controller Locator Group Policy Settings Associated with DNS Support for Active Directory

Group Policy Setting Description

Dynamic Registration of the DC Locator DNS Records

Determines if Dynamic Registration of the DC locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC.

DC Locator DNS records not registered by the DCs

Determines which DC Locator DNS records are not registered by the Netlogon service.

Refresh Interval of the DC Locator DNS Records

Specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. This setting can be applied only to DCs by using dynamic update.

Weight Set in the DC Locator DNS SRV Records

Specifies the Weight field in the SRV resource records registered by the DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC.

Priority Set in the DC Locator DNS SRV Records

Specifies the Priority field in the SRV resource records registered by DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC.

TTL Set in the DC Locator DNS SRV Records

Specifies the value for the Time-To-Live (TTL) field in Net Logon registered SRV resource records. These DNS records are dynamically registered by the Net Logon service and are used to locate the domain controller (DC).

Automated Site Coverage by the DC Locator DNS SRV Records

Determines whether DCs dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog (GC) for the same forest exists). These DNS records are dynamically registered by the Net Logon service and are used to locate the DC.

Sites Covered by the DC Locator DNS SRV Records

Specifies the sites for which the DCs register the following:

  • Site-specific DC Locator DNS SRV resource records

  • Site-specific SRV records registered for the site where the DC is located

  • Records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it

Sites Covered by the GC Locator DNS SRV Records

Specifies the sites for which the GCs should register the following:

  • Site-specific GC locator DNS SRV resource records

  • Site-specific SRV records registered for the site where the GC is located

  • Records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it

Sites Covered by the Application Directory Partition Locator DNS SRV Records

Specifies the sites for which the DCs hosting the application directory partition should register the following:

  • Site-specific, application directory partition-specific DC Locator DNS SRV resource records

  • Site-specific SRV records registered for the site where the DC is located

  • Records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it.

Location of the DCs hosting a domain with a single label DNS name

Specifies whether the computers to which this setting is applied attempt DNS name resolution of single-label domain names.

For more information about Group Policy settings, see the “Group Policy Settings Reference” in the Tools and Settings Collection.

DNS Support for Active Directory WMI Classes

The WMI classes that are associated with the DNS support for Active Directory are the DNS WMI classes. The following table lists and describes the WMI classes that are associated with the DNS Server service.

WMI Classes Associated With DNS Server Service

Microsoft DNS WMI Class Description

MicrosoftDNS_Server

Describes a DNS server. Every instance of this class might be associated with one instance of class MicrosoftDNS_Cache, one instance of class MicrosoftDNS_RootHints, and multiple instances of class MicrosoftDNS_Zone.

MicrosoftDNS_Domain

Represents a domain in a DNS hierarchy tree.

MicrosoftDNS_Zone

Describes a DNS zone. Every instance of the class MicrosoftDNS_Zone must be assigned to exactly one DNS Server. Zones might be associated with multiple instances of the classes MicrosoftDNS_Domain and MicrosoftDNS_ResourceRecord.

MicrosoftDNS_Cache

Describes a cache existing on a DNS server (do not confuse this with a cache file that contains root hints). This class simplifies visualizing the containment of DNS objects, rather than representing a real object. The class, MicrosoftDNS_Cache, is a container for the resource records cached by the DNS server.

Every instance of the class MicrosoftDNS_Cache must be assigned to exactly one DNS server. It might be associated with multiple instances of MicrosoftDNS_Domain and MicrosoftDNS_ResourceRecord.

MicrosoftDNS_RootHints

Describes the RootHints stored in a cache file on a DNS server. This class simplifies visualizing the containment of DNS objects, rather than representing a real object. Class MicrosoftDNS_RootHints is a container for the resource records stored by the DNS server in a cache file.

Every instance of the class MicrosoftDNS_RootHints must be assigned to exactly one DNS server. It might be associated with multiple instances of the MicrosoftDNS_ResourceRecord class.

MicrosoftDNS_Statistic

Represents a single DNS server statistic.

MicrosoftDNS_ServerDomainContainment

Every instance of the class MicrosoftDNS_ServerDomainContainment might contain multiple instances of the class MicrosoftDNS_Domain.

MicrosoftDNS_DomainDomainContainment

Every instance of the MicrosoftDNS_DomainDomainContainment class might contain multiple other instances of MicrosoftDNS_Domain.

MicrosoftDNS_DomainResourceRecordContainment

Every instance of the class MicrosoftDNS_DomainResourceRecordContainment might contain multiple instances of the MicrosoftDNS_ResourceRecord class.

MicrosoftDNS_ResourceRecord

Represents the general properties of a DNS RR.

MicrosoftDNS_AAAAType

Represents an IPv6 Address (AAAA), often pronounced quad-A, RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_AFSDBType

Represents an Andrew File System Database Server (AFSDB) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_ATMAType

Represents an ATM Address-to-Name (ATMA) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_AType

Represents an Address (A) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_CNAMEType

Represents a Canonical Name (CNAME) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_HINFOType

Represents a Host Information (HINFO) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_ISDNType

Represents an ISDN RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_KEYType

Represents a KEY RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_MBType

Represents a Mailbox (MB) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_MDType

Represents a Mail Agent for Domain (MD) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_MFType

Represents a Mail Forwarding Agent for Domain (MF) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_MGType

Represents an MG RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_MINFOType

Represents a Mail Information (MINFO) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_MRType

Represents a Mailbox Rename (MR) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_MXType

Represents a Mail Exchanger (MX) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_NSType

Represents a Name Server (NS) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_NXTType

Represents a Next (NXT) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_PTRType

Represents a Pointer (PTR) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_RPType

Represents a Responsible Person (RP) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_RTType

Represents a Route Through (RT) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_SIGType

Represents a Signature (SIG) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_SOAType

Represents a Start Of Authority (SOA) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_SRVType

Represents a Service (SRV) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_TXTType

Represents a Text (TXT) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_WINSRType

Represents a WINS-Reverse (WINSR) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_WINSType

Represents a WINS RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_WKSType

Represents a Well-Known Service (WKS) RR. Subclass of MicrosoftDNS_ResourceRecord.

MicrosoftDNS_X25Type

Represents an X.25 (X25) RR. Subclass of MicrosoftDNS_ResourceRecord.

For more information about many WMI classes, see the WMI SDK documentation on MSDN.
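The following PowerShell script is an added example, not part of the original article or the WMI SDK: it uses the MicrosoftDNS_SRVType class in the root\MicrosoftDNS namespace to audit the DC Locator SRV records on a DNS server against the Priority, Weight and TTL fields that the Net Logon Group Policy settings in the previous section control, and it flags any SRV target that is not a known domain controller of the current forest. The expected values are assumptions (the Windows defaults) and should be set to match your own policy; the script must run with DNS administration rights on a forest-joined machine.

```powershell
# Added example, not part of the original article. Audits the DC Locator SRV
# records held by a Microsoft DNS server through the MicrosoftDNS_SRVType WMI
# class (namespace root\MicrosoftDNS). It checks the Priority, Weight and TTL
# fields governed by the Net Logon Group Policy settings and flags any SRV
# target that is not a known domain controller of this forest, which points at
# a stale or unexpected registration. Assumptions: the expected values below are
# the Windows defaults (change them to match your policy), and zones hosted for
# other forests will produce "not a known DC" findings that you must interpret.
param(
  [string]$DnsServer        = $env:COMPUTERNAME,
  [int]$ExpectedPriority    = 0,
  [int]$ExpectedWeight      = 100,
  [int]$ExpectedTtl         = 600
)

# Known DCs of the forest, taken from the directory itself rather than from DNS.
$knownDcs = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains |
  ForEach-Object { $_.DomainControllers } |
  ForEach-Object { $_.Name.TrimEnd('.').ToLower() }

# Locator owner names start with the _service._proto labels listed in the
# DnsAvoidRegisterRecords table: _ldap, _kerberos, _kpasswd and _gc.
$locatorPrefix = '^_(ldap|kerberos|kpasswd|gc)\._(tcp|udp)\.'

$srv = Get-CimInstance -ComputerName $DnsServer -Namespace root\MicrosoftDNS `
         -ClassName MicrosoftDNS_SRVType |
       Where-Object { $_.OwnerName -match $locatorPrefix }

foreach ($r in $srv) {
  $target = $r.SRVDomainName.TrimEnd('.').ToLower()
  $issues = @()
  if ($r.Priority -ne $ExpectedPriority) { $issues += "priority $($r.Priority)" }
  if ($r.Weight   -ne $ExpectedWeight)   { $issues += "weight $($r.Weight)" }
  if ($r.TTL      -ne $ExpectedTtl)      { $issues += "ttl $($r.TTL)" }
  if ($knownDcs -notcontains $target)    { $issues += 'target is not a known DC' }
  [pscustomobject]@{
    Zone     = $r.ContainerName
    Owner    = $r.OwnerName
    Target   = $target
    Port     = $r.Port
    Priority = $r.Priority
    Weight   = $r.Weight
    TTL      = $r.TTL
    Issues   = if ($issues) { $issues -join '; ' } else { 'ok' }
  }
}
```

Pipe the output to Where-Object { $_.Issues -ne 'ok' } to see only the records that deviate from policy or point at hosts the directory does not know as domain controllers.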

Related Information

The following resources contain additional information that is relevant to this section.

  • “Microsoft Platform SDK” on MSDN for more information about many WMI classes that are associated with the DNS Server service.

  • “Group Policy Settings Reference” in the Tools and Settings Collection for information about Group Policy settings that are associated with the DNS Client service.

  • “Registry Reference” in the Tools and Settings Collection for information about registry entries that are associated with DNS.