DNSLint issues.

  • Thread starter: Bjørn Tore Jakobsen

Bjørn Tore Jakobsen

Hi.

Actually, I'm trying to get in touch with Tim Rains or any
other PSS personnel who know DNSLint. I've seen Tim has
produced some webcasts about the DNSLINT tool.

Situation:

Running DNSLint in an enterprise environment with the /d
switch to check DNS zones does not list all authoritative
name servers.
Out of 15 defined NS records in Windows 2000 DNS, only
6 are returned in the additional authoritative (NS) record
section of the report.

Running DNSLINT with the /AD switch in an enterprise
environment (50+ DCs) results in a crash after a while of
running:

AppName: dnslint.exe AppVer: 0.0.0.0 ModName:
dnslint.exe
ModVer: 0.0.0.0 Offset: 0000ed12

or with the newer version of dnslint:
AppName: dnslint1.exe AppVer: 5.2.3790.0 ModName:
dnslint1.exe
ModVer: 5.2.3790.0 Offset: 00010e0b

Is there a limit on how big an environment can be with
DNSLINT?

Does the authoritative function with /D really work?

Regards
Bjørn Tore Jakobsen
 
Hello Bjørn Tore. Thank you for your post.

My name is Tim Rains and I developed DNSLint. I noticed you wanted to ask
me some questions regarding it. Let me try to answer the questions in your
post...

Question: Running DNSLINT with the /AD switch in an enterprise
environment (50+ DCs) results in a crash after a while of running... Is there
a limit on how big an environment can be with DNSLINT?

Answer: DNSLint should be able to deal with an environment where 500 DNS
servers are authoritative for the domain name you are testing. It should
also handle tens of thousands of additional authoritative DNS servers
reported by those 500 DNS servers. If I remember correctly, it should be
able to deal with 5000 GUIDs/DCs. It has been run on many large networks
including Microsoft's corporate network. Some of these networks have had
hundreds of DNS servers and hundreds of DCs. I suspect that you are not
running into a limitation related to the size of the environment or the
number of DNS servers or DCs. The access violation that DNSLint is
generating is probably a result of DNSLint receiving a response from a DNS
server that contains malformed data or null fields. DNSLint tries to print
this type of response to the console and/or to the report, and it crashes.
I have heard one report of this happening in an environment that has BIND
DNS servers, but I have not isolated the problem yet. In your environment
on your DNS servers, I would make sure that all the fields on the NS
records and SOA records for the domain name being tested are properly
populated. This is just speculation since I don't have any data, but it
may solve the problem.

Question: Does the authoritative function with /D really work?

Answer: I'm sorry, I don't understand this question, so I will try to
answer it a couple of different ways. The /d and /ad options cannot be
used together. The /ad option requests the "Active Directory" tests and
the /d option requests domain name verification tests. The /d option will
successfully identify the additional authoritative name servers for the
domain name tested only if the DNS servers that are queried are configured
with additional authoritative name servers, i.e., the list of DNS servers
to query is provided by Internic or by the user via the /s option. The
list of additional authoritative name servers to query is gathered by
querying these DNS servers. If you have DNS servers that are authoritative
for the domain name being tested, but DNSLint did not find them, then it
sounds like the DNS servers identified by Internic or specified after the
/s option are not returning those additional DNS servers to DNSLint when it
queries those servers for a list of authoritative DNS servers for the
domain name being tested. If this is the case, make sure that the "primary
server" listed on the SOA tab of the zone's properties is accurate and that
all 15 authoritative DNS servers are listed under the name
servers tab of the zone's properties. If this appears to be configured
properly on the Windows 2000 DNS server, I would start a network monitor
trace on the Windows 2000 DNS server and then run DNSLint. After DNSLint
finishes running, inspect the network monitor trace for DNS traffic between
the DNS server and the client running DNSLint. Did the DNS server return
all 15 DNS servers when DNSLint queried it for NS records? Was DNSLint
able to resolve the names of these DNS servers to IP addresses? Walk
through the network monitor trace and try to determine where the failure
was.

These sound like two different problems, and I hope that my response
answers your questions Bjørn Tore.

Tim Rains
Product Support Services
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
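Added example (not part of the original thread, and not DNSLint's own code): a small Python script that performs the two checks Tim's answer describes for the /d test on a raw DNS response. It parses the NS records and A glue out of a wire-format reply, compares the NS names the server actually returned against the list the zone is supposed to carry (the "only 6 of 15" symptom), flags NS targets with no glue to resolve, and treats truncated data, bad compression pointers and an empty NS target (the "malformed data or null fields" case) as a reported error rather than a crash. The zone example.com, the server names ns1 through ns5 and the 192.0.2.x addresses are constructed for illustration; the response bytes are built inline so the script runs offline.

```python
"""Check a raw DNS NS response against the expected NS list for a zone,
rejecting malformed responses instead of crashing on them.
Added example; not DNSLint code. All names and addresses are constructed."""
import struct

NS, A = 2, 1  # RR type codes


def read_name(msg, off, depth=0):
    """Decode a (possibly compressed) domain name at msg[off].
    Returns (name, offset just past the name in the record).
    Raises ValueError on truncation, bad labels or pointer loops."""
    labels, end = [], None
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            ptr = ((length & 0x3F) << 8) | msg[off + 1]
            if ptr >= off:
                raise ValueError("compression pointer does not point backwards")
            if depth > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2  # bytes the name occupies in this record
            off, depth = ptr, depth + 1
            continue
        if length > 63:
            raise ValueError("label longer than 63 octets")
        if off + 1 + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_ns_response(msg):
    """Return (question name, [NS targets], {glue owner: IPv4}) from a response.
    Every length is bounds-checked; an NS RR with a null target is an error."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname, targets, glue = 12, None, [], {}
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # QTYPE, QCLASS
    for count in (an, ns, ar):  # answer, authority, additional
        for _ in range(count):
            owner, off = read_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated RR header")
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if off + rdlen > len(msg):
                raise ValueError("RDATA runs past end of message")
            if rtype == NS:
                target, tend = read_name(msg, off)
                if tend != off + rdlen:
                    raise ValueError("NS RDATA length does not match the name")
                if not target:
                    raise ValueError("NS record with empty target")
                targets.append(target)
            elif rtype == A and rdlen == 4:
                glue[owner] = ".".join(str(b) for b in msg[off:off + 4])
            off += rdlen
    return qname, targets, glue


def audit(msg, expected_ns):
    """Compare the NS names a server returned with the NS list the zone should have."""
    qname, returned, glue = parse_ns_response(msg)
    got, want = set(returned), set(n.lower() for n in expected_ns)
    return {"zone": qname, "returned": sorted(got), "missing": sorted(want - got),
            "unexpected": sorted(got - want), "no_glue": sorted(got - set(glue))}


def safe_audit(msg, expected_ns):
    """audit() that reports a bad response instead of dying on it."""
    try:
        return audit(msg, expected_ns)
    except ValueError as exc:
        return {"error": f"malformed response: {exc}"}


def encode_name(name):
    """Uncompressed wire encoding of a name ('' encodes as the root, a lone 0x00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ns_response(zone, ns_targets, glue):
    """Constructed authoritative reply to 'zone NS?': one NS RR per target
    (owner compressed to the question name at offset 12) plus A glue."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(ns_targets), 0, len(glue))
    question = encode_name(zone) + struct.pack("!HH", NS, 1)
    body = b""
    for target in ns_targets:  # '' yields a null NS target, the case that must not crash us
        rdata = encode_name(target)
        body += b"\xC0\x0C" + struct.pack("!HHIH", NS, 1, 3600, len(rdata)) + rdata
    for host, ip in glue.items():
        body += encode_name(host) + struct.pack("!HHIH", A, 1, 3600, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + body


# Constructed data: the zone is configured with five NS records, but the queried
# server only returns three of them, and one of those has no glue.
EXPECTED = [f"ns{i}.example.com" for i in range(1, 6)]
GOOD = build_ns_response("example.com", EXPECTED[:3],
                         {"ns1.example.com": "192.0.2.1", "ns2.example.com": "192.0.2.2"})

if __name__ == "__main__":
    print(safe_audit(GOOD, EXPECTED))
    print(safe_audit(GOOD[:-2], EXPECTED))  # truncated reply
    print(safe_audit(build_ns_response("example.com", ["ns1.example.com", ""], {}), EXPECTED))
```

To reproduce Tim's suggested check against a live Windows 2000 server, send the "zone NS?" query to that server's address and feed the reply bytes to `safe_audit` with the 15 names from the zone's Name Servers tab as `EXPECTED`; a non-empty `missing` list means the server itself is not returning those NS records, and a non-empty `no_glue` list means DNSLint would still have to resolve those names separately.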
 