- DNS Logging and Diagnostics
- DNS logging and diagnostics
- Performance considerations
- Debug logging
- Audit and analytic event logging
- Installing and enabling DNS diagnostic logging
- To install DNS diagnostic logging
- To enable DNS diagnostic logging
- Using DNS server audit and analytic events
- Using ETW consumers
- Audit events
- Устранение неполадок DNS-клиентов Troubleshooting DNS clients
- Проверка IP-конфигурации Check IP configuration
- Проверка сетевого подключения Check network connection
- Проверка связи Ping test
- Тесты запросов DNS DNS query tests
- Тестирование клиента Test a client
- Тестирование DNS-сервера Test the DNS server
- Тестирование записи, в которой происходит сбой Test the failing record
- Проверка общедоступного адреса в Интернете Test a public Internet address
- Следующий шаг Next step
DNS Logging and Diagnostics
Applies To: Windows Server 2012 R2
Enhanced DNS logging and diagnostics is available by default in Windows ServerВ® 2016 Technical Preview. This feature is also available in Windows ServerВ® 2012 R2 when you install the query logging and change auditing hotfix, available from https://support.microsoft.com/kb/2956577.
DNS logging and diagnostics
See the following sections in this topic:
Performance considerations
DNS server performance can be affected when additional logging is enabled, however the enhanced DNS logging and diagnostics feature in Windows Server 2012 R2 and Windows Server 2016 Technical Preview is designed to have a very low impact on performance. The following sections discuss DNS server performance considerations when additional logging is enabled.
Debug logging
Prior to the introduction of DNS analytic logs, DNS debug logging was an available method to monitor DNS transactions. DNS debug logging is not the same as the enhanced DNS logging and diagnostics feature discussed in this topic. Debug logging is discussed here because it is also a tool that is available for DNS logging and diagnostics. See Using server debugging logging options for more information about DNS debug logging. The DNS debug log provides extremely detailed data about all DNS information that is sent and received by the DNS server, similar to the data that can be gathered using packet capture tools such as network monitor. Debug logging can affect overall server performance and also consumes disk space, therefore it is recommended to enable debug logging only temporarily when detailed DNS transaction information is needed.
Audit and analytic event logging
Enhanced DNS logging and diagnostics in Windows Server 2012 R2 and later includes DNS Audit events and DNS Analytic events. DNS audit logs are enabled by default, and do not significantly affect DNS server performance. DNS analytical logs are not enabled by default, and typically will only affect DNS server performance at very high DNS query rates. For example, a DNS server running on modern hardware that is receiving 100,000 queries per second (QPS) can experience a performance degradation of 5% when analytic logs are enabled. There is no apparent performance impact for query rates of 50,000 QPS and lower. However, it is always advisable to monitor DNS server performance whenever additional logging is enabled.
Installing and enabling DNS diagnostic logging
Perform the following procedures to install and enable DNS diagnostic logging on Windows Server 2012 R2. To install DNS diagnostic logging, the computer must be running the DNS Server role service.
If the DNS server is running Windows Server 2016 Technical Preview or later, diagnostic logging is already installed and you can skip the first procedure, performing only the steps in To enable DNS diagnostic logging below.
Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To install DNS diagnostic logging
If the DNS server is running Windows Server 2012 R2, download the hotfix from https://support.microsoft.com/kb/2956577.
Double-click the self-extracting file, for example 475151_intl_x64_zip.exe.
In the Microsoft Self-Extractor dialog box, click Continue.
Type a location where you want to save the extracted files, for example C:\hotfix. If the directory does not yet exist, you will be asked if you wish to create it. Click Yes and confirm that All files were successfully unzipped is displayed, then click Ok.
In the location where files were unzipped, double-click the Windows Update file, for example Windows8.1-KB2956577-v2-x64.msu.
The Windows Update Standalone Installer will verify that the computer meets requirements to install the update. These requirements include some prerequisite updates. When verification is complete, click Yes when asked if you wish to install the Hotfix for Windows (KB2956577).
If recently downloaded updates have not yet been installed, you might need to restart the computer before the current hotfix can be installed. If this is required, you must restart the computer first and then run the Windows8.1-KB2956577-v2-x64.msu a second time after the computer has completed installing necessary updates. The Windows Update Standalone Installer will notify you that installation of the hotfix is not yet complete. If this happens, and you are prompted to restart the computer, click Restart Now.
If the computer is ready to install the update when you run the hotfix, installation will complete and you must restart the computer for the update to take effect. If Installation complete is displayed, click Restart Now for the update to take effect.
You can confirm that the hotfix was successfully installed by viewing installed updates in the Programs and Features control panel. If the update is successfully installed, Hotfix for Microsoft Windows (KB2956577) will be displayed. You can also verify installation of the hotfix by typing wmic qfe | find «KB2956577» at an elevated command prompt. The URL and date of installation for the hotfix will be displayed if it was successfully installed.
To enable DNS diagnostic logging
Type eventvwr.msc at an elevated command prompt and press ENTER to open Event Viewer.
In Event Viewer, navigate to Applications and Services Logs\Microsoft\Windows\DNS-Server.
Right-click DNS-Server, point to View, and then click Show Analytic and Debug Logs. The Analytical log will be displayed.
Right-click Analytical and then click Properties.
Under When maximum event log size is reached, choose Do not overwrite events (Clear logs manually), select the Enable logging checkbox, and click OK when you are asked if you want to enable this log. See the following example.
.jpeg)
Click OK again to enable the DNS Server Analytic event log.
By default, analytic logs are written to the file: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl.
See the following sections for details about events that are displayed in the DNS server audit and analytic event logs.
Using DNS server audit and analytic events
DNS logs are compatible with Event Tracing for Windows (ETW) consumer applications such as logman, tracelog, and message analyzer. For more information about using event tracing, see About Event Tracing.
Using ETW consumers
You can use ETW consumers such as tracelog.exe with DNS server audit and analytic events by specifying a GUID of .
You can get tracelog.exe by downloading and installing the Windows Driver Kit (WDK). Tracelog.exe is included when you install the WDK, Visual Studio, and the Windows SDK for desktop apps. For information about downloading the kits, see Windows Hardware Downloads. For example, when you download and install Windows Driver Kit (WDK) 8 and accept the default installation path, tracelog.exe is available at C:\Program Files (x86)\Windows Kits\8.0\Tools\x64\tracelog.exe.
For more information about using tracelog.exe, see Tracelog Command Syntax. The following examples demonstrate how to use tracelog.exe with DNS audit and analytic event logs:
The following command will enable both analytical and audit logging:
While the trace is active, all analytical and audit events will be recorded in the C:\analytic_audit.etl file that was specified on the command line. You can stop tracing by issuing a stop command:
After stopping the trace, you can view the .etl file in Event Viewer by clicking Action and then clicking Open Saved Log. See the following example.
.jpeg)
The following example enables just the analytical channel and matches only the keywords to 0x7FFFF:
A logging level of 5 is used in the previous examples. The following logging levels are available:
Only critical events are logged, for example process exit or termination. If no logging level is given by the user this level is used by default.
Only severe error events are logged, for example failures to complete a required task.
Errors that can cause a service issue, but are acceptable or recoverable, for example the first attempt to contact a forwarder has failed.
Very high-level events are recorded in the event log. These might include one message for each major task performed by the service. Use this setting to begin an investigation when the location of the problem is in doubt, for example a scavenger thread was started.
All events are logged. This provides a complete log of the operation of the service. Use this level when the problem is traced to a particular category or a small set of categories.
Audit events
DNS server audit events enable change tracking on the DNS server. An audit event is logged each time server, zone, or resource record settings are changed. This includes operational events such as dynamic updates, zone transfers, and DNSSEC zone signing and unsigning. The following table summarizes DNS server audit events.
Table 1: DNS Server Audit Events
Устранение неполадок DNS-клиентов Troubleshooting DNS clients
В этой статье рассматривается устранение неполадок DNS-клиентов. This article discusses how to troubleshoot issues from DNS clients.
Проверка IP-конфигурации Check IP configuration
Откройте окно командной строки от имени администратора на клиентском компьютере. Open a Command Prompt window as an administrator on the client computer.
Выполните следующую команду: Run the following command:
Убедитесь, что у клиента есть допустимый IP-адрес, маска подсети и шлюз по умолчанию для сети, к которой он присоединен и используется. Verify that the client has a valid IP address, subnet mask, and default gateway for the network to which it is attached and being used.
Проверьте DNS-серверы, указанные в выходных данных, и убедитесь, что указанные IP-адреса указаны правильно. Check the DNS servers that are listed in the output, and verify that the IP addresses listed are correct.
Проверьте в выходных данных DNS-суффикс подключения и убедитесь, что он указан правильно. Check the connection-specific DNS suffix in the output and verify that it is correct.
Если у клиента нет допустимой конфигурации TCP/IP, используйте один из следующих методов. If the client does not have a valid TCP/IP configuration, use one of the following methods:
Для динамически настроенных клиентов используйте ipconfig /renew команду, чтобы вручную обновить конфигурацию IP-адресов на DHCP-сервере. For dynamically configured clients, use the ipconfig /renew command to manually force the client to renew its IP address configuration with the DHCP server.
Для статически настроенных клиентов измените свойства TCP/IP клиента, чтобы они использовали допустимые параметры конфигурации, или завершите настройку DNS для сети. For statically configured clients, modify the client TCP/IP properties to use valid configuration settings or complete its DNS configuration for the network.
Проверка сетевого подключения Check network connection
Проверка связи Ping test
Убедитесь, что клиент может связаться с предпочитаемым (или альтернативным) DNS-сервером, обратившись к предпочитаемому DNS-серверу по его IP-адресу. Verify that the client can contact a preferred (or alternate) DNS server by pinging the preferred DNS server by its IP address.
Например, если клиент использует предпочитаемый DNS-сервер 10.0.0.1, выполните следующую команду в командной строке: For example, if the client uses a preferred DNS server of 10.0.0.1, run this command at a command prompt:
Если ни один настроенный DNS-сервер не отвечает на прямую проверку связи с IP-адресом, это означает, что источником проблемы является более вероятное сетевое подключение между клиентом и DNS-серверами. If no configured DNS server responds to a direct pinging of its IP address, this indicates that the source of the problem is more likely network connectivity between the client and the DNS servers. В этом случае выполните основные действия по устранению неполадок сети TCP/IP, чтобы устранить проблему. If this is the case, follow basic TCP/IP network troubleshooting steps to fix the problem. Помните, что для работы команды ping трафик ICMP должен быть разрешен через брандмауэр. Keep in mind that ICMP traffic must be allowed through the firewall in order for the ping command to work.
Тесты запросов DNS DNS query tests
Если DNS-клиент может проверить связь с компьютером DNS-сервера, попробуйте использовать следующие nslookup команды, чтобы проверить, может ли сервер отвечать на DNS-клиенты. If the DNS client can ping the DNS server computer, try to use the following nslookup commands to test whether the server can respond to DNS clients. Так как nslookup не использует кэш DNS клиента, разрешение имен будет использовать настроенный клиент DNS-сервер. Because nslookup doesn’t use the client’s DNS cache, name resolution will use the client’s configured DNS server.
Тестирование клиента Test a client
Например, если клиентский компьютер имеет имя КЛИЕНТ1, выполните следующую команду: For example, if the client computer is named client1, run this command:
Если успешный ответ не возвращается, попробуйте выполнить следующую команду: If a successful response is not returned, try to run the following command:
Например, если полное доменное имя — CLIENT1.Corp.contoso.com, выполните следующую команду: For example, if the FQDN is client1.corp.contoso.com, run this command:
При выполнении этого теста необходимо включить конечную точку. You must include the trailing period when you run this test.
Если Windows успешно обнаружит полное доменное имя, но не сможет найти его, проверьте конфигурацию DNS-суффикса на вкладке DNS (дополнительные параметры TCP/IP сетевого адаптера). If Windows successfully finds the FQDN but cannot find the short name, check the DNS Suffix configuration on the DNS tab of the Advanced TCP/IP Settings of the NIC. Дополнительные сведения см. в разделе Настройка разрешения DNS. For more information, see Configuring DNS Resolution.
Тестирование DNS-сервера Test the DNS server
Например, если DNS-сервер называется DC1, выполните следующую команду: For example, if the DNS server is named DC1, run this command:
Если предыдущие тесты были успешными, этот тест также должен быть успешным. If the previous tests were successful, this test should also be successful. Если проверка не прошла успешно, проверьте подключение к DNS-серверу. If this test is not successful, verify the connectivity to the DNS server.
Тестирование записи, в которой происходит сбой Test the failing record
Например, если неудачная запись была App1.Corp.contoso.com, выполните следующую команду: For example, if the failing record was app1.corp.contoso.com, run this command:
Проверка общедоступного адреса в Интернете Test a public Internet address
Например: For example:
Если все четыре теста выполнены успешно, запустите ipconfig /displaydns и проверьте в выходных данных имя, которое завершилось ошибкой. If all four of these tests were successful, run ipconfig /displaydns and check the output for the name that failed. Если в неудачном имени появится сообщение «имя не существует», то на DNS-сервере был возвращен отрицательный ответ, который был кэширован на клиенте. If you see «Name does not exist» under the failing name, a negative response was returned from a DNS server and was cached on the client.
Чтобы устранить эту проблему, очистите кэш, выполнив ipconfig /flushdns . To resolve the issue, clear the cache by running ipconfig /flushdns .
Следующий шаг Next step
Если разрешение имен по-прежнему не выполняется, перейдите к разделу Устранение неполадок DNS-серверов . If name resolution is still failing, go to the Troubleshooting DNS Servers section.
