Unravelling the mystery of Client DNS with Essentials family Servers
June 17, 2013 1 Comment
Probably the best title for a blog post ever right? Having seen and read about a lot of people struggling with DNS resolution problems with their clients on Essentials (2011/2012) networks, and also some dubious advice being given out for how to ‘resolve’ these problems i thought i would try and get into some deep level explanation of how, and why Essentials does what it does.
First off, if you are struggling with this type of problem, you really need to check out Sean Daniel’s post from 2011. Hopefully reading that post will give you an idea of what Microsoft is trying to achieve with this process. Let’s also not forget that the deployment scenario of choice for Essentials, is for it to be purchased pre-installed on a piece of hardware, by a non technical office manager who then plugs it into their network with an Ethernet cable, the Essentials Server then does the rest. It’s a nice idea, however in practice these mystical office managers are few and far between, and because of that some of the hidden magic Essentials does, often causes more than a little confusion. Setting the IP of a client PC to statically query the Essentials server for DNS is one such problem.
Hopefully having read Sean’s post you will now know that Essentials changes your clients DNS Server address to a static IP, in order that it send Active Directory queries to the server, rather than to a router or external DNS server.
With DNS being a critical component of Active Directory your domain joined computers MUST have the ability to query the DNS Service on the Essentials Server in order to find Active Directory resources.
In my example below, we have our Essentials server, a Router and a client laptop that is not joined to the domain. The router is running DHCP and is configured to issue an external DNS Server IP Address to the DHCP Clients. As you can see our client PC is told to use 188.8.131.52 as it’s DNS Server.
If we then go ahead and install the Essentials connector, the software will detect our Essentials server at 192.168.1.10 and configure our clients DNS Settings statically to use 192.168.1.10.
All of our clients DNS Queries now go to our Essentials server at 192.168.1.10, it is up to the Essentials Server to then resolve that query (if it is for an internal resource like Active Directory) or send that query on to an external DNS Server if it is for a resource located on the internet.
The destination of the external DNS query is based on the configuration of the DNS Server service.
If your Essentials server is on it’s default settings you will find that your router is set as a forwarder in DNS. This can introduce it’s own issues into your name resolution, because whilst some routers work well as a DNS forwarder, some consumer grade routers seem to struggle providing this service, and can lead to name resolution problems where otherwise there would not be.
If we assume our router does not perform well in this scenario, we might see 404 errors on the clients when trying to browse the internet.
You might be forgiven for thinking the problem here is that your client is set to use the Essentials server for DNS, when in actual fact, that configuration is perfectly valid but the router is failing to resolve the DNS query for us.
If we amend that DNS Service configuration, we find everything works as expected.
The server will periodically check it’s DNS forwarding configuration (as part of health monitoring every hour), and will alert you if there is a problem via the ‘Alert Viewer’.
On the Essentials Server you can use the ‘NetworkHealthPlugin-ConnectivityFeature.log’ and the ‘SharedServiceHost-NetworkConfig.log’ files to help diagnose problems with DNS.
The Windows Server LAN Configuration Service is responsible for detecting your Essentials Server and correctly configuring DNS based on whether or not the server is found. If the server is found, DNS is configured statically to point at the IP Address of the Essentials Server. If it is not found, the Service will revert your client to use a DNS Server provided by the DHCP Server.
The above scenario would work, assuming that DHCP is not issuing the IP of the Essentials Server for DNS.
If the router was providing the Essentials Server IP as the DNS Server, and the server was unavailable then your web browsing would fail.
This is what you would expect to happen if the server is unavailable, and would be relatively easy to troubleshoot or work around.
Problems seem to be occurring when people take their computers outside of the Essentials network, and the LAN Configuration Service is not reverting the client to pickup a DNS Server from DHCP.
When the service has configured a NIC in a computer it will be shown in the registry under,
No other information is held on the NIC in this registry key, other than the Name.
If a NIC is configured by the Service, but that entry no longer exists in the registry, than the Service will no longer attempt to configure that NIC, until the entry is manually recreated, or until the NIC is uninstalled and reinstalled.
In my example here you can see i have 2 NICs that have been configured by the LAN Configuration Service.
If i leave the network and join a new network, after a few minutes the service reconfigures the NICs to pickup their IPv4 information via DHCP. You do need to be patient and wait a few minutes for this to occur, although if this is a clean boot it should be pretty quick.
If i delete the Wireless Network Connection, from the registry, and leave the network the LAN Configuration service will not attempt any reconfiguration of the Wireless NIC and leave me stuck with my DNS queries going to a non existent Server.
In the Network and Sharing Center you may also see that you are successfully connected to a network, but have no internet access.
In this situation, if we check the registry to see if our NIC configuration is correct, we can take steps to resolve the problem.
As described above, we can manually recreate the registry key for the NIC that is missing.
We then simply need to wait for the LAN Configuration Service to detect the key, and correctly reconfigure our Wireless NIC.
We will then see that our Internet access is restored. If we refresh the Registry Editor, we will see that the Service has now removed the registry key for our Wireless NIC.
I have written a small PowerShell script that will attempt to query the Registry settings for you and compare them to the Interfaces on your computer.
You can download the script from the TechNet Gallery.
For troubleshooting client connectivity issues to the Essentials Server, including DNS problems you should look at the following log files on the client:
You can see below in the LAN Configuration Service Log example, the entries shown when the Server is not detected.
Another example when the server becomes available again.
Below we have an example of the ProviderRegistryService Log, showing a failed connection attempt to the server.
If your computers are not domain joined, then using the Essentials Server for DNS is not a requirement.
In this scenario you can simply disable the Windows Server LAN Configuration Service, with no ill effects on the client.