DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted SMB (DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2000/2003, MCSA Messaging
Microsoft Certified Trainer
Microsoft MVP: Directory Services

Compiled 7/22/08, Published 11/29/09
Recompiled 1/31/09

Note: I may update this as time goes by, given the amount of info in this blog and the possibility that I've missed something, as well as to replace retired Microsoft links.


Topics Covered:

  1. DNS & WINS Resolution Process
  2. Browser service without WINS across subnets
  3. Do I need WINS?
  4. Disabling the Browser service, NetBIOS
  5. DNS Client side Resolver service Query Process
  6. DNS Forwarder Resolution and Time Out Process
  7. If one DC or DNS is down, why can't I logon to the other DC or not use the second DNS address to find another DC?
  8. What happens with Exchange and Outlook when DNS goes down?
  9. Related Links


==================================================================
1. DNS & WINS Resolution Process

Keep in mind, Win2000 and newer machines use the DNS (hostname) process FIRST, before the NetBIOS resolution process. If the name does not get resolved using the DNS process, then they use the NetBIOS process. Legacy clients use the NetBIOS process FIRST, and if the name doesn't get resolved using NetBIOS, they use the DNS process.
 
If you are using an NBNS (NetBIOS Nameserver, such as WINS), that changes it a bit, and it also depends on what Node it's in. H-Node is default, but can be changed. There are four NetBIOS Nodes:

B-Node - Broadcast ONLY
P-Node - NBNS (NetBIOS Nameserver) or WINS ONLY
M-Node - Mixed NBNS and Broadcast, but uses Broadcast FIRST.
H-Node - Mixed NBNS and Broadcast, but uses WINS FIRST.

E.g. If you ping "machinename" on a Win2000 or newer machine, it will attempt to use DNS FIRST:

1. Checks its own name.
2. Local cache.
3. HOSTS file
4. It will then suffix the Search Suffix configured on the machine, then query DNS
5. WINS
6. Broadcast
7. LMHOSTS

Legacy machines (pre-Windows 2000) use NetBIOS first.

If NetBIOS is disabled, which only disables the NBT transport and interface, Windows 2000 or newer will still use DirectSMB (also called Direct Hosted SMB) over TCP. If both the direct hosted and NBT interfaces are enabled, both methods are tried at the same time and the first to respond is used. This allows Windows to function properly with operating systems that do not support direct hosting of SMB traffic.
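The resolution order above is driven by a handful of settings on the client: the NetBIOS node type, whether NetBIOS over TCP/IP is enabled per adapter, the WINS and DNS server lists, the suffix search list, the HOSTS/LMHOSTS files, and whether direct-hosted SMB is actually listening on TCP 445. The following PowerShell is an added example, not code from the original post; it assumes PowerShell 3.0 or later (for Get-CimInstance) and only reads configuration, so it needs no elevation. The NodeType/DhcpNodeType registry values and the TcpipNetbiosOptions WMI property are the documented Windows settings for these items.

```powershell
# Added example (not from the original post): report the inputs to the
# Windows name-resolution order on this host. Read-only; PowerShell 3.0+.

$nodeNames = @{ 1 = 'B-node (broadcast only)'
                2 = 'P-node (WINS only)'
                4 = 'M-node (broadcast first, then WINS)'
                8 = 'H-node (WINS first, then broadcast)' }

# NodeType is present only when set by hand; DhcpNodeType when DHCP option 46
# supplied it. With neither set, Windows is B-node until a WINS server is
# configured, at which point it behaves as H-node (the default the post refers to).
$netbt = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$node  = if ($netbt.PSObject.Properties['NodeType'])         { $nodeNames[[int]$netbt.NodeType] }
         elseif ($netbt.PSObject.Properties['DhcpNodeType']) { "$($nodeNames[[int]$netbt.DhcpNodeType]) (from DHCP option 46)" }
         else { 'not set: B-node without WINS, H-node once a WINS server is configured' }
"NetBT node type: $node"

# Per-adapter settings. TcpipNetbiosOptions: 0 = use the DHCP setting, 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
  $nbt = switch ([int]$_.TcpipNetbiosOptions) { 0 { 'default (DHCP)' } 1 { 'enabled' } 2 { 'disabled' } default { 'unknown' } }
  [pscustomobject]@{
    Adapter        = $_.Description
    NetBIOSoverTCP = $nbt
    WINS           = (@($_.WINSPrimaryServer, $_.WINSSecondaryServer) | Where-Object { $_ }) -join ', '
    DNSServers     = ($_.DNSServerSearchOrder -join ', ')
    DNSSuffix      = $_.DNSDomain
    SuffixSearch   = ($_.DNSDomainSuffixSearchOrder -join ', ')
  }
} | Format-List

# Static entries consulted before the network (HOSTS) and as the last resort (LMHOSTS).
$etc = Join-Path $env:SystemRoot 'System32\drivers\etc'
foreach ($f in 'hosts', 'lmhosts') {
  $path = Join-Path $etc $f
  $n = if (Test-Path $path) { @(Get-Content $path | Where-Object { $_ -match '^\s*[^#\s]' }).Count } else { 'file absent' }
  "{0,-8} active entries: {1}" -f $f, $n
}

# Direct-hosted SMB (TCP 445) versus the NetBIOS session service (TCP 139).
# With NetBIOS disabled, only 445 should be listening.
foreach ($port in 445, 139) {
  $listening = [bool](netstat -an | Select-String -Pattern ":$port\s+\S+\s+LISTENING")
  "TCP {0} listening: {1}" -f $port, $listening
}
```

Run it on a client before and after disabling NetBIOS over TCP/IP on an adapter: the adapter line flips to "disabled", TCP 139 stops listening, and 445 remains, which is the DirectSMB path the post describes.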

Resolution Process Related Links:

NetBIOS and Hostname resolution for Microsoft Client and LAN Manager 2.2c Client:
http://support.microsoft.com/kb/169141/EN-US/

Name Resolution Process in detail:
http://www.comptechdoc.org/os/windows/wintcp/wtcpname.html

Direct hosting of SMB over TCP/IP (Removing WINS and NetBIOS broadcast as a means of name resolution. ... This means that direct-hosted SMB's cannot be disabled in Windows without disabling ...):
http://support.microsoft.com/kb/204279



==================================================================
2. Browser service without WINS across subnets

The Microsoft documentation linked below appears to say that if all machines are Windows 2000 or newer (nothing older), AD provides NetBIOS resolution for all clients, but it doesn't say how that is done. It goes on to say that the backup browsers and master browsers for each segment over a WAN communicate with the PDC, which is the domain master browser, over UDP 138. That means AD has a role in this, but the documentation is not specific. What appears to be happening is that an AD client uses DirectSMB over 445, but I'm not sure; I cannot find anything on the mechanism. I'm one to want to know and learn the background functions of anything. This is not necessarily so with non-AD clients.

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001

Common causes and solutions of browser Event ID 8021 and Event ID 8032 on domain master browsers
http://support.microsoft.com/kb/135404

Troubleshooting the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188305

New Networking Features in Windows Server 2008 and Windows Vista (scroll down and read the "Computer Browser Service" section and its mention that the Computer Browser needs to be running on the PDC Emulator of a domain):
http://technet.microsoft.com/en-us/library/bb726965.aspx

Windows 2008 - Appendix C – Computer Browser Service
http://technet.microsoft.com/en-us/library/bb726989.aspx



==================================================================
3. Do I need WINS?

It depends. You need to inventory your infrastructure for applications and services that use NetBIOS. If I may suggest, make sure there are no applications running that rely on NetBIOS, such as SQL, Exchange, Network Neighborhood browsing, printer browsing, etc., before pulling WINS out. And yes, keep in mind Exchange/Outlook communications require WINS.

Exchange Server 2003 and Exchange 2000 Server require NetBIOS name resolution for full functionality
http://support.microsoft.com/kb/837391

Eileen Brown's WebLog: Exchange 2003 and WINS
http://blogs.technet.com/eileen_brown/archive/2006/01/26/exchange-wins.aspx



==================================================================
4. Disabling the Browser service, NetBIOS

Just be careful on what you disable. The effects of disabling certain services depend on the operating system version and its role. Disabling a necessary service may disable certain necessary functions on a machine.

1. Computer Browser: you can disable this service on a machine in a domain environment. It dictates whether the machine participates in becoming an eligible master browser on a subnet. Understanding what that means requires some reading.

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001

What's the Microsoft Computer Browser Service?
(Covers: Disable NetBIOS in W2K/XP/2003; Hide a Server from the Microsoft Computer Browser; ... Malicious User Can Shut Down Computer Browser Service):
http://www.petri.co.il/whats_the_microsoft_computer_browser_service.htm

Computer Browser Service
http://www.theeldergeek.com/computer_browser.htm

2. NTLM Security Support Provider: leave that running. You need it. It works for all versions of NTLM.

NTLM Security Support Provider.
NTLM SSP is based on Microsoft Windows NT® LAN Manager challenge/response and NTLM version 2 authentication ...
http://msdn.microsoft.com/en-us/library/ms925943.aspx

3. If you disable the TCP/IP NetBIOS Helper, you will not be able to map any drives or printers using NetBIOS names or FQDN.

"Network Location Cannot be Reached" Error Message When You Try to ... (To resolve this issue, start the TCP/IP NetBIOS Helper Service, and then join the domain. To start the NetBIOS Helper Service, follow these steps):
http://support.microsoft.com/kb/329866

4. One big piece of advice: do not disable the DHCP Client service on any server, whether the machine is a DHCP client or statically configured. Its name is somewhat of a misnomer; this service performs Dynamic DNS registration and is tied in with the client resolver service. If it is disabled on a DC, you'll get a slew of errors, and no DNS queries will get resolved.

No DNS Name Resolution If DHCP Client Service Is Not Running. When you try to resolve a host name using Domain Name Service (DNS), the attempt is unsuccessful. Communication by Internet Protocol (IP) address (even to ...
http://support.microsoft.com/kb/268674
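Before touching any of the four services above, it helps to see their current state and startup type together with the post's verdict on each. The PowerShell below is an added example, not the post's own code; it assumes PowerShell 3.0 or later and uses the actual Windows service names (Browser, NtLmSsp, lmhosts, Dhcp, Dnscache). The descriptions in the two tables restate the post's advice; the DomainRole check (4 or 5 means domain controller) is the documented Win32_ComputerSystem value.

```powershell
# Added example (not the post's own code): audit the services discussed in
# this section and flag the ones the post says must never be disabled.
# Read-only; PowerShell 3.0+.

$required = @{
  'Dhcp'     = 'DHCP Client: does dynamic DNS registration and feeds the resolver; keep running even on static servers'
  'Dnscache' = 'DNS Client: the client side resolver itself'
  'lmhosts'  = 'TCP/IP NetBIOS Helper: needed to map drives/printers by name and to join a domain'
  'NtLmSsp'  = 'NTLM Security Support Provider: needed for all versions of NTLM'
}
$optional = @{
  'Browser'  = 'Computer Browser: only governs master-browser eligibility on the subnet; keep it on the PDC Emulator'
}

# DomainRole 4 = backup domain controller, 5 = primary domain controller
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

foreach ($name in (@($required.Keys) + @($optional.Keys))) {
  $svc = Get-CimInstance Win32_Service -Filter "Name = '$name'"
  if (-not $svc) { "{0,-9} not present on this OS" -f $name; continue }

  $note = if ($required.ContainsKey($name)) { $required[$name] } else { $optional[$name] }
  $bad  = $required.ContainsKey($name) -and ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled')
  $flag = if ($bad) { '*** FIX ***' } else { '' }
  "{0,-9} {1,-8} {2,-9} {3} {4}" -f $name, $svc.State, $svc.StartMode, $flag, $note
}

if ($isDC) {
  'This host is a domain controller: a stopped DHCP Client service here means the DC itself stops resolving DNS.'
}
```

Anything marked "*** FIX ***" is a required service that is stopped or set to Disabled; the Browser row is informational only, since stopping it on an ordinary member is harmless.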



==================================================================
5. DNS Client side Resolver service Query Process

If the query to the first DNS server gets a response, even a negative ('not found') response, that counts as a response and the client will not go to the alternate. If instead the query to the first one times out (after 3 tries), the client removes it from the 'eligible' resolvers list and goes to the next one in the order listed. It will not go back to the first one until a specified timeout period has passed (read the first link below), unless one of three other things happens: the machine is restarted, the DNS Client service or DHCP Client service is restarted, or a registry entry is set to force the TTL to reset the list after each query.

Sorry about all the links. Each gives a little, but in some cases not the whole picture. The DNS Whitepaper is pretty good to start with.

How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003 (Read the part about the client side resolver algorithm and the client side resolver service timeout when querying multiple DNS entries)
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

How DNS query works Domain Name System(DNS):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/0bcd97e6-b75d-48ce-83ca-bf470573ebdc.mspx

DNS Resolver Cache Service [including NetFailureCacheTime and NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp

286834 - DNS Client Service Doesn't Revert to Using First Server in List [explained in the DNS white papers], with the registry entry to alter it:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834

261968 - Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968

SP4 Changes DNS Name Resolution - Actual Query Timeout settings the resolver uses - (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550



==================================================================
6. DNS Forwarder Resolution and Time Out Process


Information on how a DNS Forwarder time-out works when using multiple Forwarders:

Keep in mind, if you have too many forwarders listed (only one is recommended, and I believe 6 is the most it will use), the client side resolver may time out while waiting for the 4th forwarder to be queried and will go to the next DNS server listed in the client's IP properties.

Configure a DNS server to use forwarders (you can change the time-out period)
http://technet.microsoft.com/en-us/library/cc773370.aspx

Good post by Kevin Goodknecht explaining the forwarders time out and scenarios with too many Forwarders listed.
http://help.lockergnome.com/windows2/Strange-forwarding-issues-ftopict482618.html

Quoted from above link:

"Actually, the DNS service will stick to the Forwarder that provides an answer, no matter where it is in the list, if one forwarder times out (no answer) it will move to the next forwarder in the list, if the next forwarder provides an answer it uses it until it times out. The problem for you is, that it may not get back around to the first forwarder, before the Forwarding timeout expires, and it starts using recursion itself and goes to the root hints.

Now, if you check the box "Do not use recursion" the DNS server will use only its forwarders, and will not use root hints. But this cannot guarantee that one of the other servers being used as a forwarder answer the query.

I recommend that if there is a domain that cannot be reached through the internet root, that you add a secondary zone for that domain on the Win2k DNS server."

----

Comment by Ace Fekay:
DNS acts as a resolving client when it uses a Forwarder because, as the explanation indicated, it is sending the request elsewhere, essentially offloading the request so it doesn't have to hit the Roots to devolve the query. If there are multiple Forwarders, DNS will try each Forwarder in turn. Only if it runs out of Forwarders will it use the Roots, unless the checkbox to disable recursion is set under the Forwarders tab (not the Advanced tab). But all of that takes time. Keep in mind there is a time out that a client will wait: if the original client request that sent the query to your DNS server waits beyond that time out period while your DNS server is still waiting on its own request to a Forwarder, and no response is received, the client will assume the DNS address it used is no good, remove it from the 'eligible resolvers list', and query the second one.

If a DNS server that is set as a Forwarder is no longer functioning, or if whoever owns the server decides to disable Recursion (which makes it not respond to queries for zones it does not host, effectively making it a content-only server), or is controlling it by "views" (a BIND feature to control which subnets it responds to for queries), then the DNS service follows a time-out (TTL, or Time to Live) algorithm when it sends the query to the first Forwarder in the list. If there is no response (a NULL response) after the TTL, it eliminates that Forwarder for this query only and sends the query to the next Forwarder in the list. If none of the Forwarders respond, the DNS service then sends the query to the Root Hints to devolve the query.

Now - and this is an important "now" - if there are many DNS servers listed in the Forwarders list, such as 3 or 4, the combined time out for the number of Forwarders listed may exceed the timeout (TTL) the client side resolver service is set to by default (on the client machine making the request), and the user receives that familiar 'HTTP 404 not found' in the browser.

For practical purposes, once you understand the TTLs, I would suggest never setting more than two Forwarders.

To find out whether a DNS server will respond to queries and is eligible for use as a Forwarder, test it with the nslookup utility (use the set d2 option, or -d2 on the command line, and look for 'recursion available' or 'recursion not available' in the response header flags).

So for all practical purposes, I never set more than two Forwarders, otherwise what's the use? If the first two can't resolve it, it probably is not resolvable anyway.
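The two checks this section asks for, whether each forwarder answers at all and whether it offers recursion, plus the arithmetic behind the "never more than two" rule, can be scripted. The PowerShell below is an added example, not the post's or Microsoft's code. It assumes Windows nslookup, whose -d2 output prints a "header flags:" line for each response that contains the text "recursion avail." when the server offers recursion (check the exact wording on your version if results look wrong). The forwarder addresses in the sample call are constructed documentation addresses, and the per-forwarder timeout default is a placeholder; pass the value shown on your server's Forwarders tab.

```powershell
# Added example (not from the post): probe each forwarder with nslookup -d2,
# report whether it answered and whether its response carried the
# "recursion available" flag, then total the worst-case wait the DNS server
# could spend on the list before it falls back to root hints.

function Test-Forwarders {
  param(
    [Parameter(Mandatory)][string[]]$Forwarders,
    [string]$TestName = 'www.example.com',       # any name the forwarder should resolve recursively
    [int]$ForwardTimeoutSeconds = 3              # placeholder; use your Forwarders tab value
  )

  $results = foreach ($fwd in $Forwarders) {
    # -d2 dumps request and response headers; -timeout keeps a dead forwarder
    # from stalling the loop through the full default retry cycle.
    $out = (& nslookup -d2 -timeout=2 $TestName $fwd 2>&1 | Out-String)

    # The LAST "header flags" line is the response to our actual query. Earlier
    # ones belong to nslookup's own reverse lookup of the server address.
    $lastHeader = @([regex]::Matches($out, 'header flags:[^\r\n]*') | ForEach-Object { $_.Value }) |
                  Select-Object -Last 1
    $timedOut  = $out -match 'timed out|timed-out'
    $recursion = [bool]($lastHeader -and $lastHeader -match 'recursion avail')

    [pscustomobject]@{
      Forwarder          = $fwd
      Answered           = -not $timedOut
      RecursionAvailable = $recursion
      UsableAsForwarder  = (-not $timedOut) -and $recursion
      ResponseFlags      = $lastHeader
    }
  }
  $results | Format-Table -AutoSize

  # Worst case from the post: every forwarder in the list times out, one after
  # another, before the server even tries root hints.
  $worst = $Forwarders.Count * $ForwardTimeoutSeconds
  "Worst-case wait before root hints: {0} s across {1} forwarder(s)" -f $worst, $Forwarders.Count
  if ($Forwarders.Count -gt 2) {
    'More than two forwarders listed: a client may drop this DNS server from its eligible list before the list is exhausted.'
  }
}

# Constructed sample call; replace with the addresses from the Forwarders tab.
Test-Forwarders -Forwarders @('192.0.2.53', '198.51.100.53')
```

A forwarder that answers but shows RecursionAvailable = False is the "content only" case described above: it will never resolve names outside its own zones for you and should come off the list.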



==================================================================
7. If one DC or DNS server goes down, why can't I logon to the other DC or not use the second DNS address to find another DC?

By Ace Fekay, updated 7/1/09

---
Which begs the eternal philosophical question:
If a Domain goes down in a forest, and there's nobody there, did it crash?
---

Keep in mind that if any of the DCs are multihomed (more than one NIC and/or IP), you are using your ISP's DNS, or the domain is a single label name ('domain' versus the recommended minimum of 'domain.com', 'domain.local', etc.), other problems will occur, and you will get unexpected and undesirable results whether there is one DC down or not.

As for the second DC responding, this all depends on the DNS settings on the client side, as well as whether the previous logon server and its record were cached.

It will use the second address, but only after the timeout period the client spends waiting for a response from the first server. You need to understand how the client side resolver works. If the query sent to the first entry in the DNS list returns an NXDOMAIN response, that is an actual response (there is just no record on the server it asked), so the client looks no further. However, if it receives a NULL response, meaning the DNS server is down and there is no response at all, it removes the first entry from the 'eligible resolvers list' for a certain amount of time (depending on the OS version and SP level), then sends the query to the second one. And if the record is already cached, it won't even ask the first entry. Hence the possibility that the client machine is asking a DC that is down.

As I mentioned, this is ALL based on the client side resolver, not the DNS server. To someone sitting there waiting, this time out period is perceived as 'it's not working' because it appears to be taking so long. Also, if the record is already cached locally by the client side service, the client will not ask at all and will send the connection request to the cached record; if that is the server that is down, it can't connect and gets no response, while you sit there expecting it to go to the other DC that is up. The way to reset the list is to restart the DHCP Client service (not the DHCP server) on the workstation, and the way to delete the cache on the client is to run ipconfig /flushdns, or simply restart the machine.
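Both section 5 and this section come down to two things on the workstation: the order of DNS servers the resolver works from (and how long a dead one stays off the eligible list) and what is sitting in the resolver cache, in particular the cached DC locator records. The PowerShell below is an added example, not the post's own code; it assumes PowerShell 3.0 or later and an elevated prompt for the reset function. The NetFailureCacheTime, NegativeCacheTime, MaxCacheTtl and MaxNegativeCacheTtl values are the documented Dnscache\Parameters tuning entries referenced in the links above; they are normally absent, meaning the OS default applies.

```powershell
# Added example (not the post's own code): show what the client side resolver
# is working from, then reset it exactly the way the post describes.

function Show-ResolverState {
  # DNS server list per adapter, in the order the resolver tries them
  Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.DNSServerSearchOrder } |
    ForEach-Object { "{0}: {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ' -> ') }

  # Tuning values: how long a non-responding server stays off the eligible list
  # (NetFailureCacheTime) and how long negative answers are cached (NegativeCacheTime).
  $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
  foreach ($v in 'NetFailureCacheTime', 'NegativeCacheTime', 'MaxCacheTtl', 'MaxNegativeCacheTtl') {
    $val = if ($p.PSObject.Properties[$v]) { "$($p.$v) s" } else { 'not set (OS default)' }
    "{0,-20} {1}" -f $v, $val
  }

  # Cached DC locator records: a cached _ldap/_kerberos SRV answer is why a
  # client keeps going back to a DC that is down instead of asking DNS again.
  $cached = ipconfig /displaydns | Select-String -Pattern 'Record Name.*_(ldap|kerberos)\.'
  if ($cached) { 'Cached DC locator records:'; $cached | ForEach-Object { '  ' + $_.Line.Trim() } }
  else         { 'No DC locator records in the resolver cache.' }
}

function Reset-ClientResolver {
  # The post's two fixes: flush the cache, then restart DHCP Client (not the
  # DHCP server) so the 'eligible resolvers list' is rebuilt. Needs elevation.
  ipconfig /flushdns | Out-Null
  Restart-Service -Name Dhcp -Force
  Get-Service -Name Dhcp, Dnscache | Format-Table Name, Status -AutoSize
}

Show-ResolverState
# Reset-ClientResolver   # uncomment when you actually want to reset the workstation
```

Run Show-ResolverState while the "slow logon" is happening: if the first server in the list is the dead DC and its SRV records are still cached, you are watching the timeout the post describes, and Reset-ClientResolver is the non-reboot way out of it.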



==================================================================
8. What happens with Exchange and Outlook when DNS goes down?

Exchange uses its own fault tolerant service, DSAccess, which is responsible for providing directory information to Exchange servers. DSAccess runs its DC location process every 15 minutes and will change the server it relies on on its own. For more info on its process, see:

Directory service server detection and DSAccess usage
http://support.microsoft.com/kb/250570

But in addition, this goes back to depending on the client side resolver as well, which I covered above under "If one DC is down, why does it not logon to the other DC? Or if the first DNS is down, will it use the second DNS to find another DC to logon?"

Also, with Exchange involved, it becomes a little trickier. Keep in mind, when Outlook 2002 and newer first connects, it is provided a DsProxy value for the GC that Exchange is using. Outlook will then cache it. If the GC goes down, even if there are other GCs up, Outlook will not 'look' for another GC. You have to literally restart Outlook. As for Exchange, Exchange will lock onto that GC as well, and if it goes down, it will indicate so in the event logs with numerous DSAccess errors until the GC is back up. The only way to circumvent that is to go into Exchange, switch the DC/GCs it found through the automatic discovery process to manual, and remove the downed GC. But the Outlook clients will still need to be restarted, and if you have multiple Exchange servers, it needs to be done on each one. If you have ISA, it needs to be restarted. Otherwise, it's best to get the GC back up; the Exchange errors will then disappear, however Outlook will still have a problem.

I've seen this while working in a 5000 user system with 20 Exchange servers. It was due to the AD group running Windows updates on the DCs. We talked them into doing it after hours. It was a pain. If you have BES servers, they need to be restarted after the GC is back up, too.

Keep in mind as well, that other Exchange related applications that rely on MAPI just as Outlook, such as BES servers (Blackberry Enterprise Server), need to be restarted for them to reinitialize.

Keep in mind too that in a single domain scenario, all DCs should be Global Catalogs. If there is more than one domain in the forest (child domains), then the IM (Infrastructure Master) role cannot be on a GC. If Exchange is involved, access to Exchange may be affected by the GCs and DCs it has been configured to use, and whether they are down or not. This is not a DNS function; rather it is the DSAccess and DSProxy function on Exchange.

I hope that makes sense.

I am also providing some links on it. Sorry about all the links, but they will give you a better understanding of it and how it applies. Each gives a little, but in some cases not the whole picture. The DNS Whitepaper is pretty good to start with.



==================================================================
Related Links

How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc

DNSQueryTimeouts - How to control the client side resolver time out value in the registry:
http://technet.microsoft.com/en-gb/library/cc977482.aspx

W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

DNS Resolver Cache Service [including NetFailureCacheTime and NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp

DNS Client Service Doesn't Revert to Using First Server in List [explained in the DNS white papers] reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834

261968 - Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968

SP4 Changes DNS Name Resolution - Actual Query Timeout settings the resolver uses - (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550


By Ace Fekay

Comments

James Madison said:

Your blog has really good information about WINS NetBIOS.

# November 30, 2009 11:57 PM