Question
Wednesday, April 18, 2012 4:49 PM
Hi all,
One AD forest with multiple Sites. DNS Round Robin and Netmask Ordering are enabled.
DCs in SiteA
DC1=172.18.0.1/24
DC2=172.18.0.2/24
DCs in SiteB
DC3=10.0.0.5/16
DC4=10.0.0.6/16
Client in SiteB with IP 10.0.56.32/16 does the following DNS lookup multiple times:
nslookup domainname
As DNS round robin is enabled, I've no problem with DC3 and DC4 changing between order numbers 1 and 2, but I often also get the two DCs from SiteA in the first two positions. As the two DCs in SiteB are in the same subnet as the client, I don't get why the two DCs from SiteA are listed in the upper positions?!
I also have clients where the correct behaviour takes place. Also, the DCs are always returning the correct result.
Any ideas?
Thanks a lot.
All replies (7)
Friday, April 20, 2012 12:04 AM ✅Answered
John,
Maybe this will help, too:
DNS Subnet Prioritization and Round Robin
If Round Robin and Subnet Prioritization are both enabled, they work together hand in hand; however, Round Robin will supersede. But it also depends on whether it's an AD Site-aware service requesting it (such as the client-side GetDcList function). If there is more than one in the same subnet, Round Robin will kick in, which is a function performed by DNS when replying with available records. Based on the Microsoft article (http://technet.microsoft.com/en-us/library/bb457118.aspx), if there is more than one record, DNS will re-order the response with an IP that is in the same client subnet. However, if Round Robin and Subnet Prioritization are both enabled, Round Robin wins. Please read the following quote that I thought would be helpful for this discussion, for examples.
The following below was quoted from:
Configuring Subnet Prioritization
http://technet.microsoft.com/en-us/library/bb457118.aspx
===========
[...]
For example, suppose there are three Web servers that all host the Web page for www.reskit.com and they are all located on different subnets. The DNS name server for the network contains the following resource records:
www.reskit.com. IN A 172.16.64.11
www.reskit.com. IN A 172.17.64.22
www.reskit.com. IN A 172.18.64.33
When a Windows XP Professional–based computer's DNS resolver (client) receives a response to the query for the A record of www.reskit.com, it returns A records in order, starting with the IP addresses from subnets to which the computer is directly connected. For example, if a computer with the IP address 172.17.64.93 is queried for www.reskit.com, the resolver returns the resource records in the following order:
www.reskit.com. IN A 172.17.64.22
www.reskit.com. IN A 172.16.64.11
www.reskit.com. IN A 172.18.64.33
Subnet prioritization prevents the resolver from choosing the first IP address returned in the DNS query and using the DNS server's round robin feature (defined in RFC 1794). With round robin enabled, the server rotates the order of resource records returned when multiple A resource records exist for a queried DNS domain name. Thus, in the example described earlier, if a user queried for www.reskit.com, the name server replies to the first client request by ordering the addresses as follows:
172.16.64.11
172.17.64.22
172.18.64.33
It replies to the second client request by ordering the addresses as follows:
172.17.64.22
172.18.64.33
172.16.64.11
It replies to the third client request by ordering the addresses as follows:
172.18.64.33
172.16.64.11
172.17.64.22
With round robin enabled, if clients are configured to use the first IP address in the list that they receive, different clients will use different IP addresses, thus balancing the load among multiple network resources with the same name. However, if the resolvers are configured for subnet prioritization, the resolvers reorder the list to favor IP addresses from networks to which they are directly connected, reducing the effectiveness of the round robin feature.
Although subnet prioritization does reduce network traffic across subnets, in some cases you might prefer to have the round robin feature work as described in RFC 1794. If so, you can disable the subnet prioritization feature on your clients by adding the registry entry PrioritizeRecordData with a value of 0 (REG_DWORD data type) in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters [...]
The following is quoted from:
Configuring Subnet Prioritization
http://technet.microsoft.com/en-us/library/cc961422.aspx
===========
If Enable round robin is selected (the default) and the value of LocalNetPriority is 1:
The server rotates among the A resource records that it returns in the order of their similarity to the IP address of the querying client.
If Enable round robin is deselected and the value of LocalNetPriority is 1:
The server returns the records in local net priority order. It does not rotate among available addresses.
If Enable round robin is selected and the value of LocalNetPriority is 0 (the default):
The server rotates among the available records in the order in which the records were added to the database.
If Enable round robin is deselected and the value of LocalNetPriority is 0 (the default):
The server returns the records in the order in which they were added to the database. The server does not attempt to sort them or rotate the records it returns.
In summary, as I've stated above, if Round Robin and Subnet Prioritization are both enabled, they work together hand in hand; however, Round Robin will supersede. In cases where you may want only Subnet Prioritization to provide a resource in the client's requesting subnet, you may need to disable Round Robin. You will need to test it to determine if it will give you the desired results.
I hope that helps.
Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Thursday, April 19, 2012 1:43 AM
If I understand your question, you are using nslookup to determine if the proper AD Site records resolve for the location of a client?
If I understood that, then nslookup won't return the records as one expects in this scenario because nslookup is not AD Site aware. Running nslookup domain.local should return the LdapIpAddress records (the 'same as parent') records, and reorder them.
If you feel there is an AD problem with which DCs are being chosen by a client machine's AD client-side extensions, you may want to enable Netlogon logging, then take a look at the netlogon.log after you enable it. Here's more info:
==================
How to enable Netlogon logging:
To check for clients whose subnets are not configured in Sites & Services, among other things, you can check the system32\config\netlogon.log file. It's recommended to enable Netlogon service logging by running nltest instead of modifying the registry. Please read the following for more info:
Enabling debug logging for the Net Logon service, Last Review: May 3, 2011 - Revision: 11.0, Applies to: all operating systems.
http://support.microsoft.com/kb/109626
To enable Netlogon service logging:
nltest /dbflag:2080ffff
net stop netlogon
net start netlogon
After you restart Net Logon, Net Logon-related activity may be logged to %windir%\debug\netlogon.log.
To disable Netlogon service logging:
nltest /dbflag:0
net stop netlogon
net start netlogon
If seeing Event ID 5807, it indicates that there are subnets which are not mapped to existing sites. If you are seeing this event, run the following:
net stop netlogon
Delete the current netlogon file:
del netlogon.log
Or rename it:
ren netlogon.log netlogonold.txt
net start netlogon
Instead of Notepad, you can also use nlparse.exe to view the log file. It is a GUI tool that comes with the ALTools.exe file at
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
nlparse contains the most common Netlogon error codes and stores the output in two files in the %windir%\debug\netlogon folder: netlogon.log-out.csv and netlogon.log-summaryout.txt
Keep in mind, the log will grow rapidly. The default max log file size is 20MB. You can change this by editing the registry:
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
Value Name: MaximumLogFileSize
Value Data: <Max log file size in bytes>
More info:
Enable logging and analyze the content of the Netlogon log:
http://www.windowsitpro.com/article/log-files/logging-with-the-netlogon-service
References:
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626
Active Directory Diagnostic Logging
http://technet.microsoft.com/en-us/library/cc961809.aspx
Logging with the Netlogon service
http://www.windowsitpro.com/article/log-files/logging-with-the-netlogon-service
You may receive event ID 5807 on a Windows Server 2003-based domain controller
"When a client computer logs on to a domain that includes Microsoft Windows Server 2003-based domain controllers and Active Directory directory service sites, the client computer is authenticated by a remote domain controller instead of by the local domain controller"
http://support.microsoft.com/kb/889031
=========================================
If I misunderstood your question, I apologize.
Ace Fekay
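The reply above says to read netlogon.log rather than trust nslookup, and that NO_CLIENT_SITE entries (the same condition behind Event ID 5807) reveal client subnets that are not mapped in AD Sites and Services. The following is an added example, not code from the thread or from Microsoft: it parses constructed sample lines in the documented "NO_CLIENT_SITE: <computer> <ip>" shape and groups the offending clients into candidate /24 subnets to add. The sample log text, the function names and the /24 grouping are this example's assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of netlogon.log lines (not taken from the thread). The
# NO_CLIENT_SITE entries follow the documented shape "<date> <time> [MISC]
# NO_CLIENT_SITE: <computer> <ip>"; newer builds add a "[pid]" field after [MISC].
SAMPLE_NETLOGON_LOG = """\
04/19 06:00:12 [MISC] NO_CLIENT_SITE: WS-B-01 10.0.56.32
04/19 06:00:45 [MISC] NO_CLIENT_SITE: WS-B-02 10.0.56.40
04/19 06:01:03 [MISC] [3120] NO_CLIENT_SITE: LT-C-07 192.168.77.15
04/19 06:01:10 [LOGON] SamLogon: Network logon of MYDOMAIN\\jdoe from WS-B-01 Returns 0x0
04/19 06:02:30 [MISC] NO_CLIENT_SITE: WS-B-01 10.0.56.32
"""

NO_CLIENT_SITE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[MISC\](?: \[\d+\])? "
    r"NO_CLIENT_SITE: (?P<host>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_no_client_site(log_text):
    """Return (host, ip) tuples for every NO_CLIENT_SITE line; other lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = NO_CLIENT_SITE_RE.match(line)
        if m:
            hits.append((m.group("host"), m.group("ip")))
    return hits


def unmapped_subnets(hits, prefix_len=24):
    """Group client IPs into candidate subnets (default /24) to add in AD Sites and Services.

    The prefix length is a guess to help the admin; the real subnet boundary
    must be confirmed against the site's IP plan before creating the object.
    """
    hosts_by_net = defaultdict(set)
    for host, ip in hits:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        hosts_by_net[str(net)].add(host)
    return {net: sorted(hosts) for net, hosts in sorted(hosts_by_net.items())}


def hits_per_host(hits):
    """Count how often each client tripped NO_CLIENT_SITE (repeat offenders first to fix)."""
    counts = defaultdict(int)
    for host, _ in hits:
        counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    found = parse_no_client_site(SAMPLE_NETLOGON_LOG)
    for net, hosts in unmapped_subnets(found).items():
        print(f"{net}: {', '.join(hosts)}")
    print(hits_per_host(found))
```

Point the parser at %windir%\debug\netlogon.log on a DC once the nltest flag above has been set; a client that keeps appearing here is authenticating against whatever DC it finds, not the one in its site, no matter what nslookup shows.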
Thursday, April 19, 2012 6:00 AM
If I run the nslookup query, I expect both DCs which are in the same subnet as the client to be listed in the first two positions.
Result I have, for example:
C:\>nslookup mydomain.net
Name: mydomain.net
Addresses: 172.18.0.1
10.0.0.5
172.18.0.2
10.0.0.6
Result how it should be:
C:\>nslookup mydomain.net
Name: mydomain.net
Addresses: 10.0.0.5
10.0.0.6
172.18.0.2
172.18.0.1
or
C:\>nslookup mydomain.net
Name: mydomain.net
Addresses: 10.0.0.6
10.0.0.5
172.18.0.2
172.18.0.1
You know what I mean? It's because of the round robin and netmask ordering, I think.
Thursday, April 19, 2012 1:49 PM
As I said, nslookup is not AD aware. That's why you're seeing what you're seeing.
What's more, here's an excerpt from my blog (you may have missed this part):
Windows 2003 and newer Operating Systems Subnet Prioritization Feature Defaults to a Class C Subnet
Yep, that's correct! We need to note and keep in mind, Windows 2003 and newer will automatically assume it's a Class C subnet; well, more accurately, it's set by default to look for a Class C subnet. If the environment is anything other than a Class C, all DNS servers must be configured with the correct mask used.
Please re-read that section and the part below it that explains how it uses the longer network bit count first.
Note: AD client-side extensions don't do that if AD Sites are configured properly. Nslookup is not suitable to test this for AD clients. You must use Netlogon logging.
Ace Fekay
Friday, April 20, 2012 7:18 AM
Hi Jonas,
Thanks for posting here.
I agree with Ace; we may first test by disabling round robin on the DNS server which they are pointing to and using now, and clearing the DNS cache on the client.
After that we can try "ping <domain name>" and see which IP address is returned, and clear the local cache again. Ideally the "closest" IP address should always be picked up.
Thanks.
Tiger Li
TechNet Community Support
Thursday, May 3, 2012 8:24 AM
As the DCs in SiteB have a Class C (/16) netmask, I had to change the netmask ordering config.
The following command did the trick:
dnscmd /config /LocalNetPriorityNetMask 0x0000ffff
Thanks for your help
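The accepted answer's quote describes how LocalNetPriority and round robin interact, and the post above fixed the problem by widening LocalNetPriorityNetMask from the default 0x000000FF (first 24 bits compared) to 0x0000FFFF (first 16 bits compared). The following is an added example, not code from the thread, from Microsoft, or from the DNS server itself: a simplified model of the server-side ordering (records on the client's network under the configured mask come first, then round robin rotates each group), run against the four DC addresses and the client from the thread. It shows why the default mask never puts 10.0.0.5/10.0.0.6 ahead for client 10.0.56.32 and why the /16 mask does. The function names, the two-group model (the real server sorts by degree of similarity rather than a strict local/remote split) and the per-query rotation counter are this example's assumptions.

```python
import ipaddress

# Records and client are taken from the thread; the order is the order they were
# added to the zone. The helper names and the ordering model are this example's
# own simplification of LocalNetPriority + round robin, not the DNS server's code.
DC_RECORDS = ["172.18.0.1", "172.18.0.2", "10.0.0.5", "10.0.0.6"]
CLIENT_IP = "10.0.56.32"

# LocalNetPriorityNetMask: set bits are HOST bits that are ignored in the comparison.
DEFAULT_NETMASK = 0x000000FF   # default: compare the first 24 bits (a /24, "Class C")
CLASS_B_NETMASK = 0x0000FFFF   # value set with dnscmd in the thread: compare the first 16 bits


def parse_netmask(value):
    """Accept the hex string form used with dnscmd (e.g. '0x0000ffff') or an int."""
    return int(value, 16) if isinstance(value, str) else int(value)


def netmask_for_prefix(prefix_len):
    """Host-bit mask for a CIDR prefix: 16 -> 0x0000FFFF, 24 -> 0x000000FF."""
    return (1 << (32 - prefix_len)) - 1


def _same_network(ip_a, ip_b, host_mask):
    net_bits = 0xFFFFFFFF & ~host_mask
    a = int(ipaddress.IPv4Address(ip_a)) & net_bits
    b = int(ipaddress.IPv4Address(ip_b)) & net_bits
    return a == b


def _rotate(group, n):
    if not group:
        return []
    k = n % len(group)
    return group[k:] + group[:k]


def order_response(records, client_ip, host_mask=DEFAULT_NETMASK, query_no=0, round_robin=True):
    """Return the answer order for one query.

    Records sharing the client's network (under host_mask) come first; with round
    robin on, each group is rotated by query_no so successive queries differ.
    """
    local = [r for r in records if _same_network(r, client_ip, host_mask)]
    remote = [r for r in records if r not in local]
    if not round_robin:
        return local + remote
    return _rotate(local, query_no) + _rotate(remote, query_no)


def first_two_always_local(records, client_ip, host_mask, queries=8):
    """The check the thread's poster was doing by hand: are the first two answers always in-site?"""
    local = {r for r in records if _same_network(r, client_ip, host_mask)}
    return all(set(order_response(records, client_ip, host_mask, q)[:2]) <= local
               for q in range(queries))


if __name__ == "__main__":
    for label, mask in (("default /24 mask", DEFAULT_NETMASK), ("/16 mask", CLASS_B_NETMASK)):
        print(label)
        for q in range(4):
            print("  query", q, order_response(DC_RECORDS, CLIENT_IP, mask, q))
        print("  first two always local:", first_two_always_local(DC_RECORDS, CLIENT_IP, mask))
```

Run it and the default-mask output interleaves the SiteA and SiteB addresses exactly as in the poster's nslookup, while the 0x0000FFFF mask keeps 10.0.0.5 and 10.0.0.6 in the first two slots and only rotates them against each other. Two caveats a practitioner should keep in mind: the mask must be set on every DNS server the clients can query, and the client-side resolver does its own reordering (PrioritizeRecordData in the quoted article), so what nslookup prints is not what the Netlogon DC locator actually does with AD Sites.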
Thursday, May 3, 2012 4:59 PM
Glad to hear the information was helpful. The command overrode the defaults, which did the trick! :-)
Ace Fekay