The DNS parameter MaxCacheTTL is not set

Question

Friday, August 16, 2013 3:56 PM

Hi,

Recently did a fresh install of SBS 2011 standard and have a couple of issues that need resolving. 

One of the issues is that after a few days, I start losing access to a number of websites. Running the Microsoft Baseline Configuration Analyser, the following issue is noted that appears to match my problem:

Issue: The DNS parameter MaxCacheTTL is not set.

Impact: When name resolution is provided by root hints, Windows Server 2008 DNS Servers and Windows Server 2008 R2 DNS Servers may fail to resolve queries for the names of some top-level domains. If this occurs, the problem will continue until you clear the DNS Server cache or restart the DNS Server service. You may experience the problem with domains such as .co, .uk, .cn, and .br. However, the problem is not limited to those domains.

Resolution: For more information, see "Windows Server 2008 DNS Servers may fail to resolve queries for some top-level domains" at http://go.microsoft.com/fwlink/?LinkId=152402.

The link provides a solution which involves editing the registry, and it is this I need guidance on.

4. On the Edit menu, click New, click DWORD (32-bit) Value, and then add the following value:

  • Value: MaxCacheTTL
  • Data Type: DWORD
  • Data value: 0x2A300 (172800 seconds in decimal, or 2 days)

I cannot see how the above is achieved in one step in the order suggested. Being wet behind the ears, I am not 100% sure how to create the new Reg file; do I first create a file and name it "MaxCacheTTL", then open the file and add the data value "0x2A300"? If I am right, I cannot see why the second step is even mentioned; and, being a person that takes things literally, it creates doubt.

If I have it completely wrong, step by step guidance would be appreciated.

Thanks in advance

Peter

All replies (3)

Friday, August 16, 2013 10:32 PM ✅Answered

To create it, simply rt-click, New DWORD, type in for the name, MaxCacheTTL, then click OK, then double click on it and provide a value. Pretty much reg edit 101.

However, my take on the whole problem is that you shouldn't have to adjust this value. By default, it works fine. This governs how long a query the DNS server makes will stay in cache if someone else requests the same query. The actual value of a record is actually derived from the DNS server that hosts the record that it came from, such as, for example, Microsoft's nameservers when you query www.microsoft.com. If you set this value in the registry to 0, let's say, then the DNS server will never cache it and each time someone wants a query resolved, it's a fresh query each time. It's something we normally do not change, unless we were to set up a secure resolver (a DNS server) in our DMZ where we would reduce it to 0 to avoid cache poisoning and set forwarders from our internal DNS to the resolvers in our DMZ; however, I only see this in extremely high secure environments. For example, read the following discussion and my response to see what I mean:

Technet Thread: Problem with Windows 2008 R2 Dns Server getting SERVFAIL resolving one domain, 1/18/2012
Includes a secure DNS forwarder in the DMZ image
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/b00fc041-ba44-45b6-a8a1-a00374a20edf

As you see, I don't think this is what you're looking for or possibly need, but then again I don't know your environment.

-

And as for resolving top level names, this can also be an issue if your perimeter firewall is not allowing EDNS0. That allows UDP 53 query responses to 4096 bytes. Prior to EDNS0 (it's been around since 1998), it was max UDP 53 to 500 bytes, then it would revert to TCP 53 and the server would resend the query. Without this feature, it's a bit more inefficient, and in some cases you will have trouble resolving certain sites that have large data.

What is EDNS0? (Extension mechanisms for DNS)
Published by Ace Fekay, MCT, MVP DS on Oct 11, 2010 at 2:46 PM
http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx

-

Another thing that can cause top level name resolution issues is if the record is a CNAME, but the CNAME's TTL is longer than the actual A record it's pointing to. There is a DNS hotfix to address this - see below.

-

As for the problem you are seeing, there are other ways around that, including some DNS hotfixes which I will post below. In the meantime, to make sure your SBS config is optimal, if you can post the following, maybe we can help out better to resolve the issue you're seeing without drastic and possibly unnecessary registry modifications.

  • An unedited ipconfig /all from the SBS and a sample workstation
  • Have you installed any hotfixes for DNS?
  • Any event log errors?
  • Provide an example of a website that you are seeing issues resolving.
  • Are you using a Forwarder? If so, please post the IP address(es) of the forwarders you are using.
  • To determine if there is an EDNS0 block on your perimeter firewall, assuming no forwarders are being used, please run the following without a forwarder, and post the results: nslookup -type=TXT rs.dns-oarc.net
  • And if you ran the above without a Forwarder, please re-run it with your Forwarder.

-

Do you have any of these hotfixes in place?

Run the following, and if the hotfix is already installed or it doesn't apply due to service pack level or operating system version, no fret, the installer will tell you right away and will tell you to stop. Some of them require restarts.

DNS Server service does not use root hints to resolve external names in Windows Server 2008 R2
Post Windows 2008 R2 SP1 HOTFIX available.
Applies to: Windows 2008 R2 Datacenter, Windows 2008 R2 Enterprise, Windows 2008 R2 Standard.
Requires a restart.
http://support.microsoft.com/kb/2616776

Windows 2008 -
DNS queries for external domains are not resolved when you use Conditional Forwarding in Windows Server 2008
Post Windows 2008 SP2 Hotfix available
Requires a restart.
http://support.microsoft.com/kb/2625735/
 
DNS server stops responding to DNS queries from client computers in Windows Server 2003, in Windows Server 2008 or in Windows Server 2008 R2
Post Service Pack Hotfix available.
Does not require a restart.
http://support.microsoft.com/kb/2655960
 
DNS Server service does not resolve some external DNS names after it works for a while in Windows Server 2008 R2
Hotfix release - (released 4/15/2011)
http://support.microsoft.com/kb/2508835

And if nslookup times out on MX records, it's by design: NSLOOKUP Returns Time-out Error When Query for an MX Record http://support.microsoft.com/kb/198551/en-us

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.
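The "reg edit 101" steps above, done from PowerShell so that the name, type and data of the single MaxCacheTTL value are visible in one place. This is an added example, not code from the thread or from Microsoft; it assumes the standard DNS Server parameters key (HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters) named in the KB article the question links to, and it only previews the write unless -WhatIf is removed.

```powershell
# Added example (not from the thread): inspect, and optionally create, the
# MaxCacheTTL DWORD that the Best Practices Analyzer reports as "not set".
# Assumption: the DNS Server role stores its parameters under this key.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name      = 'MaxCacheTTL'
$Seconds   = 172800   # 2 days; regedit displays this same number as hex 0x2A300

function Get-MaxCacheTTL {
    # Returns the configured value in seconds, or $null when the value is absent
    # (absent means the DNS Server service uses its built-in default).
    $item = Get-ItemProperty -Path $DnsParams -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [uint32]$item.$Name
}

function Set-MaxCacheTTL {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([uint32]$Value = $Seconds)
    if (-not (Test-Path $DnsParams)) {
        throw "DNS Server parameters key not found; is the DNS Server role installed?"
    }
    if ($PSCmdlet.ShouldProcess("$DnsParams\$Name", "Set DWORD to $Value")) {
        # One value, three attributes: name = MaxCacheTTL, type = DWORD, data = $Value.
        # New-ItemProperty creates it if missing; -Force overwrites an existing one.
        New-ItemProperty -Path $DnsParams -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
        # The service reads its parameters at startup, so the change is not live yet.
        Write-Host "Value written. Restart the service to apply it: Restart-Service DNS"
    }
}

$current = Get-MaxCacheTTL
if ($null -eq $current) {
    Write-Host "$Name is not set; the DNS Server service is using its default."
} else {
    Write-Host ("{0} = {1} seconds (hex 0x{1:X}, {2:N1} days)" -f $Name, $current, ($current / 86400))
}

# Preview only; remove -WhatIf to actually create the value.
Set-MaxCacheTTL -WhatIf
```

Run it in an elevated PowerShell on the SBS server; the preview line shows exactly which key and value would be written before anything changes.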


Tuesday, August 20, 2013 9:18 AM

Thanks Ace for your comprehensive reply.

I have, however, created the new registry value, as per the Analyser's suggestion, and will see if this resolves the issue. It can take up to a week after restarting the DNS server before the problem reoccurs and it is about that time since it last happened. I will close this thread soon if there are no further issues, or go through some of your suggestions if not.

Thanks again.

Peter


Friday, August 23, 2013 1:29 AM

Hi,

Any update?

Please feel free to let us know if you need further assistance.

If you have solved the issue, I would greatly appreciate it if you would share the troubleshooting steps with us.

Best regards,

Susie Long