LogLogic Microsoft Domain Name System (DNS) Log Configuration Guide

Transcription

1 LogLogic Microsoft Domain Name System (DNS) Log Configuration Guide Document Release: September 2011 Part Number: LL ELS This manual supports LogLogic Microsoft DNS Release 1.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.

2 2011 LogLogic, Inc. Proprietary Information Trademarks This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc. LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners. Notice The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set our exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation. LogLogic, Inc. 110 Rose Orchard Way, Suite 200 San Jose, CA Tel: Fax: U.S. Toll Free:

3 Contents Preface About This Guide Technical Support Documentation Support Conventions Chapter 1 Configuring LogLogic s Microsoft DNS Log Collection Introduction to Microsoft DNS Prerequisites Configuring Microsoft DNS Installing and Configuring Project Lasso Enabling the LogLogic Appliance to Capture Log Data Automatically Identifying a Microsoft DNS Device Adding a Microsoft DNS Device Verifying the Configuration Chapter 2 How LogLogic Supports Microsoft DNS How LogLogic Captures Microsoft DNS Log Data Supported Microsoft DNS Operational s LogLogic Real-Time Reports LogLogic Search Filters Chapter 3 Troubleshooting and FAQ Troubleshooting Frequently Asked Questions Appendix A Reference LogLogic Support for Microsoft DNS s Microsoft DNS Log Configuration Guide 3

4 4 Microsoft DNS Log Configuration Guide

5 Preface About This Guide The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. LogLogic support for Microsoft DNS enables LogLogic Appliances to capture logs from machines running Microsoft DNS. Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft DNS operations. For more information on creating reports and alerts, see the LogLogic Users Guide and LogLogic Online Help. Technical Support LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support: Telephone: Toll Free LOGS Local EMEA or APAC: + 44 (0) or +44 (0) support@loglogic.com You can also visit the LogLogic Support website at: When contacting Customer Support, be prepared to provide: Your name, address, phone number, and fax number Your company name and company address Your machine type and release version A description of the problem and the content of pertinent error messages (if any) Documentation Support Your feedback on LogLogic documentation is important to us. Send to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your message, please indicate the software name and version you are using, as well as the title and document date of your documentation. Microsoft DNS Log Configuration Guide 5

6 Conventions LogLogic documentation uses the following conventions to highlight code and command-line elements: A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as file names, directories, paths, and URLs). A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example: username: system home directory: home\app A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example: LogLogic_home_directory\upgrade\ Straight brackets signal options in command-line syntax. For example: ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...] 6 Microsoft DNS Log Configuration Guide

7 Chapter 1 Configuring LogLogic s Microsoft DNS Log Collection This chapter describes configuration steps that enable a LogLogic Appliance to capture Microsoft DNS logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft DNS log data. Introduction to Microsoft DNS Prerequisites Configuring Microsoft DNS Enabling the LogLogic Appliance to Capture Log Data Verifying the Configuration Introduction to Microsoft DNS LogLogic enables you to capture operational event log data to monitor Microsoft DNS Server events. Microsoft DNS operational events record information related to DNS server Startup, Shutdown, and Restart, as well as DNS server configuration changes and status information. Microsoft DNS operational logs are captured by LogLogic s open source Windows Collector, Project Lasso. The Windows Collector can run in one of the following modes, Agent Mode, Collector Mode, or both (i.e., a hybrid mode). Regardless of the mode used, all collected logs are forwarded to the LogLogic Appliance using Syslog via UDP or TCP. The configuration procedures for Microsoft DNS and the LogLogic Appliance depend upon your environment and how the Windows Collector is configured. For more information, see How LogLogic Captures Microsoft DNS Log Data on page 12 and the LogLogic Windows Collector Guide (Project Lasso). Prerequisites Prior to configuring Microsoft DNS and the LogLogic Appliance, ensure that you meet the following prerequisites: Microsoft DNS running on Windows Server 2000 SP3 or 2003 SP1 Administrative access on the Windows server Project Lasso Release 4.0 or later installed on the Windows server. For more information, see the LogLogic Windows Collector Guide (Project Lasso). LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft DNS Server support Administrative access on the LogLogic Appliance Microsoft DNS Log Configuration Guide 7

8 Configuring Microsoft DNS Logging is configured by default on a Microsoft DNS server. Make sure that your configuration matches the one described in the following steps. To enable Microsoft DNS server logging: 1. Log in to the Microsoft DNS server. 2. From the Windows Start menu, select Settings > Control Panel. 3. Double-click Administrative Tools. 4. Double-click DNS. The DNS console appears. 5. Expand the tree on the left, and select the applicable DNS server from the list. 6. On the Action menu, click Properties. 7. On the Logging tab, select the All events radio button. 8. Click OK. Figure 1 DNS Console 8 Microsoft DNS Log Configuration Guide

9 Installing and Configuring Project Lasso The Microsoft DNS logs are collected and transported using Project Lasso. Project Lasso is used to collect and transfer Windows logs to the LogLogic Appliance. By default, the Project Lasso program directory is located at: C:\Program Files\Lasso Project Lasso spools log messages if the connection to the Appliance is temporarily lost. By default, the following directory contains all spooled log messages: C:\Program Files\Lasso\LassoRepository\Spool You can change the host machine and event log identification information by editing the hostlist.ini configuration file in Project Lasso. You can change the spool log location and other Lasso monitoring parameters by editing the Lasso.ini file. For the complete installation and configuration procedures for Project Lasso, including information on the Lasso.ini and hostlist.ini files, see the LogLogic Windows Collector Guide (Project Lasso). Enabling the LogLogic Appliance to Capture Log Data The following sections describe how to enable the LogLogic Appliance to capture Microsoft DNS log data. Automatically Identifying a Microsoft DNS Device With the auto-identification feature, the LogLogic Appliance recognizes Microsoft DNS events by default using the Syslog Listener. As the Syslog messages come into the Appliance, they are automatically identified and a new Microsoft DNS device type is added to the log source device list. Default values are used for certain properties, such as the device name. To enable auto-identification in the LogLogic Appliance: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Administration > System Settings. The General tab appears. 3. For Auto-identify Log Sources, select Yes. 4. Click Update. Once the automatically identified device is added, you can edit its properties. IMPORTANT! Do not change the auto-identified Device Type and Host IP information. To edit an existing Microsoft DNS device: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Management > Devices. The Devices tab appears. 3. Click on an existing Microsoft DNS device in the list and click Modify Device. The Modify Device tab appears. 4. Edit the device fields as needed, then click Update Device. Microsoft DNS Log Configuration Guide 9

10 Adding a Microsoft DNS Device If you do not want to utilize the auto-identification feature, you can manually add a Microsoft DNS device to the LogLogic Appliance before you redirect the logs. IMPORTANT! LogLogic highly recommends using the auto-identification feature for all supported devices. If you want to add devices manually, make sure that the Auto-identify Log Sources setting is not enabled on the LogLogic Appliance. If the auto-identification setting is enabled and you manually add devices, duplicate device entries might appear on the Appliance. To add Microsoft DNS as a new device: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Management > Devices. The Devices tab appears. 3. Click Add New. The Add Device tab appears. Figure 2 Adding a Device to the LogLogic Appliance 4. Type in the following information for the device: Name Name for the Microsoft DNS device Description (optional) Description of the Microsoft DNS device Device Type Select Microsoft DNS from the drop-down menu Host IP IP address of the Microsoft DNS appliance Enable Data Collection Select the Yes radio button Refresh Device Name through DNS Lookups (optional) Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign. 5. Click Add. 10 Microsoft DNS Log Configuration Guide

11 6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes. When the logs arrive from the specified Microsoft DNS server, the LogLogic Appliance uses the device you just added if the hostname or IP match. Verifying the Configuration The section describes how to verify that the configuration changes made to Microsoft DNS and the LogLogic Appliance are applied correctly. To verify the configuration: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears. 3. Locate the IP address for each Microsoft DNS device. If the device name (Microsoft DNS) appears in the list of devices, then the configuration is correct. If the device does not appear in the Log Source Status tab, check the Microsoft DNS logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft DNS configuration, the Project Lasso configuration, and the LogLogic Appliance configuration. You can also verify that the LogLogic Appliance is properly capturing log data from Microsoft DNS by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page 13. If the device name appears in the list of devices but event data for the device is not appearing within your reports, see Troubleshooting on page 15 for more information. Microsoft DNS Log Configuration Guide 11

12 Chapter 2 How LogLogic Supports Microsoft DNS This chapter describes LogLogic s support for Microsoft DNS. LogLogic enables you to capture operational log data to monitor Microsoft DNS events. How LogLogic Captures Microsoft DNS Log Data Supported Microsoft DNS Operational s LogLogic Real-Time Reports LogLogic Search Filters How LogLogic Captures Microsoft DNS Log Data LogLogic s Windows Collector, Project Lasso, is used to collect Microsoft DNS operational logs stored in Windows System Log. The Windows Collector is an open source application developed by LogLogic to collect and forward Windows event logs in syslog format to the LogLogic Appliance. If the Windows Collector is in Agent Mode, logs are collected and forwarded from the Windows system where it is installed. If the Windows Collector is in Collector Mode, logs are collected and forwarded from Windows systems other than the system where it is installed. The Windows Collector can also run in both modes at the same time. In hybrid mode, the collector captures and forwards messages from the Windows machine where it is installed and from other Windows systems it is configured to access. Regardless of the mode used, all collected logs are forwarded to the LogLogic Appliance s Syslog Listener via UDP or TCP. Figure 3 Microsoft DNS Server and Project Lasso with LogLogic Appliance Components and Processes Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Microsoft DNS. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help. Note: When a log file is transferred, each file contains a timestamp which consists of a date and time. The timestamp refers to the file creation date and time for a particular message in the file. For a listing of LogLogic supported date and time formats, see the LogLogic Administration Guide. 12 Microsoft DNS Log Configuration Guide

13 Supported Microsoft DNS Operational s Microsoft DNS related operational events are recorded in the Windows System Log. This includes, by default, major activities that potentially affect the operating system (e.g., Microsoft DNS server startup, shutdown, errors, and change of configuration options). Table 1 on page 18 lists the Microsoft DNS operational events that are supported by the LogLogic Appliance. Note: The LogLogic Appliance captures all messages from the Microsoft DNS logs, but includes only specific messages for report/alert generation. For more information see Appendix A Reference on page 17 for sample log messages for each event and event to category mapping. LogLogic Real-Time Reports LogLogic provides pre-configured Real-Time Reports for Microsoft DNS log data. The following Real-Time Reports are available: All Unparsed s Displays data for all events retrieved from the Microsoft DNS log for a specified time interval To access LMI 4 Real-Time Reports: 1. In the left navigation pane, click Real-Time Reports. 2. Click Logs. The following Real-Time Report is available: All Unparsed s To access LMI 5 Real-Time Reports: 1. In the top navigation pane, click Reports. 2. Click Operational. The following Real-Time Report is available: All Unparsed s You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help. LogLogic Search Filters LogLogic provides pre-configured Search Filters for Microsoft DNS log data. Search Filters are used to filter report data and create alerts. To access Search Filters: 1. From the navigation menu, select Search. 2. Select Search Filters. The following Search Filters are available: Microsoft DNS Log Configuration Guide 13

14 Microsoft DNS: Availability Report Displays details on Microsoft DNS starting and shutdown related errors or status messages Microsoft DNS: Capacity Management Displays details on messages related to disk space or memory Microsoft DNS: Configuration Changes Displays details on Microsoft DNS configuration changes Microsoft DNS: Critical Errors Displays details on Microsoft DNS critical errors Microsoft DNS: Security s Displays all Microsoft DNS security events Microsoft DNS: Server Start/Stop Displays details on DNS server start and stop activities Microsoft DNS: System Health Displays details on Microsoft DNS system health information For more information on Search Filters, reports, and alerts see the LogLogic User Guide and LogLogic Online Help. 14 Microsoft DNS Log Configuration Guide

15 Chapter 3 Troubleshooting and FAQ This chapter contains troubleshooting regarding the configuration and/or use of log collection for Microsoft DNS. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions. Troubleshooting Frequently Asked Questions Troubleshooting Is your version of Microsoft DNS supported? For more information, see Prerequisites on page 7. Is your LogLogic Appliance running Release 5.1 or later? If you are running an release prior to 5.1, you will require an upgrade. Contact LogLogic Support for more information. Are you running Project Lasso 4.0 or later? If you are running an release prior to 4.0, you might require an upgrade. Contact LogLogic Support for more information. Is the appropriate Log Source Package (LSP) installed properly? Check to make sure that the LSP that is installed includes support for Microsoft DNS. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes. If Microsoft DNS events are not appearing on the LogLogic Appliance... You can verify that your log files are received by viewing the File Transfer History. You can view the history from the Administration > File Transfer History tab. Make sure that you have properly installed and configured Project Lasso, and the no errors are present in Lasso s error log (LassoTrace.log). For more information, see the LogLogic Windows Collector Guide (Project Lasso). Also make sure that the Appliance is properly auto-identifying the device. If not, then try to add the device to the Appliance manually. For more information, see Automatically Identifying a Microsoft DNS Device on page 9 and Adding a Microsoft DNS Device on page 10. If events are not displaying on the LogLogic Appliance even after configuring Microsoft DNS and Project Lasso correctly... Microsoft DNS sends the logs, via UDP or TCP, in Syslog format to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Microsoft DNS machine. For more information on supported protocols and ports, see the LogLogic Administration Guide and the LogLogic Windows Collector Guide (Project Lasso). Microsoft DNS Log Configuration Guide 15

16 Frequently Asked Questions How does the LogLogic Appliance collect logs from Microsoft DNS? For log collection, an open source Windows Collector, Project Lasso, is required in order to read the.evt files from the Windows machine, convert them into text, and forward them in Syslog format, via UDP or TCP, to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog Server. For more information, see How LogLogic Captures Microsoft DNS Log Data on page 12. What access permissions are required? To configure logging on Microsoft DNS, the Windows user must have administrative permissions. How do I configure logging on Microsoft DNS? Follow the procedures on Configuring Microsoft DNS on page 8. Also make sure that you have properly installed and configured Project Lasso. For more information, see Installing and Configuring Project Lasso on page 9 and the LogLogic Windows Collector Guide (Project Lasso). 16 Microsoft DNS Log Configuration Guide

17 Appendix A Reference This appendix lists the LogLogic-supported Microsoft DNS events. The Microsoft DNS event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic s Syslog Listener. LogLogic Support for Microsoft DNS s The following list describes the contents of each of the columns in the table below. ID Microsoft DNS event identifier for operational events Note: There are no IDs for debug events. Debug events are identified as Query or Response events. Agile Reports/Search Defines if the Microsoft DNS event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic s Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data. Title/Comments Description of the event Category All events belong to the Operational category Type Type of event such as Success, Failure, etc. Sample Log Message Sample Microsoft DNS log messages in text format Microsoft DNS Log Configuration Guide 17

18 Table 1 Microsoft DNS s ID Agile Reports/ Search Title/Comments Category Type Sample Log Message 1 1 Search Starting Microsoft DNS server. Operational <13>Feb 15 11:56: MSWinLog 0 DNS Server 233 Thu Feb 15 11:53: DNS Unknown User N/A Information LAB None Unknown Search The DNS server has started. Operational <13>Feb 15 11:51: MSWinLog 0 DNS Server 226 Thu Feb 15 11:47: DNS Unknown User N/A Information LAB None Unknown Search The DNS server has shutdown. Operational <13>Feb 15 11:56: MSWinLog 0 DNS Server 239 Thu Feb 15 11:53: DNS Unknown User N/A Information LAB None Unknown Search An administrator has changed the type and zone storage options of zone %1.The zone is now type %2. The zone will be stored in the zone file % Search An administrator has changed the type and/or Active Directory location of zone %1.The zone is now type %2. The zone will be stored in Active Directory at % Search An administrator has changed the zone storage options for zone %1. The zone will now be stored in the zone file %2. Operational <13>Feb 21 17:39: MSWinLog 0 DNS Server Wed Feb 21 16:46: DNS Unknown User N/A Information WIPRO-LOG-222 None An administrator has changed the type and zone storage options of zone DNSDHCP.com. The zone is now type 2. The zone will be stored in the zone file DNSDHCP.com.dns. 20 Operational <13>Feb 21 17:39: MSWinLog 0 DNS Server Wed Feb 21 16:46: DNS Unknown User N/A Information WIPRO-LOG-222 None An administrator has changed the type and/or Active Directory location of zone DNSDHCP.com.The zone is now type 2 The zone will be stored in Active Directory at DC=DNSDHCP.com,cn=MicrosoftDNS,cn=System,DC=DNSDHCP,D C=com. 20 Operational <13>Feb 21 18:42: MSWinLog 0 DNS Server Wed Feb 21 16:36: DNS Unknown User N/A Information WIPRO-LOG-222 None An administrator has changed the zone storage options for zone DNSDHCP.com. The zone will now be stored in the zone file DNSDHCP.com.dns Microsoft DNS Log Configuration Guide

19 ID Agile Reports/ Search Title/Comments Category Type Sample Log Message Search An administrator has moved the zone %1 to a new location in Active Diretory.The zone will be stored in Active Directory at % Search To prevent the event log from filling up too rapidly the DNS server has suppressed event ID %1 a total of %2 times in the last %3 minutes Search To prevent the event log from filling up too rapidly the DNS server has suppressed event ID %1 a total of %2 times in the last %3 minutes. These events were in relation to zone % Search The DNS server received a bad DNS query from %1. The query was rejected or ignored. The event data contains the DNS packet Search The DNS server encountered an invalid domain name in a packet from %1. The packet will be rejected. The event data contains the DNS packet Search The DNS server encountered a domain name exceeding the maximum length in the packet from %1.The event data contains the DNS packet. Operational <13>Feb 21 18:42: MSWinLog 0 DNS Server Wed Feb 21 16:37: DNS Unknown User N/A Information WIPRO-LOG-222 None An administrator has moved the zone DNSDHCP.com to a new location in Active Diretory. The zone will be stored in Active Directory at DC=DNSDHCP.com,cn=MicrosoftDNS,cn=System,DC=DNSDHCP,D C=com. 15 Operational The log format for this event is supported by the LogLogic Appliance, Operational The log format for this event is supported by the LogLogic Appliance, Operational Error <13>Feb 15 11:51: MSWinLog 0 DNS Server 226 Thu Feb 15 11:47: DNS Unknown User N/A Information LAB None The DNS server received a bad DNS query from server1. The query was rejected or ignored. The event data contains the DNS packet. 5 Operational Error <13>Feb 21 18:42: MSWinLog 0 DNS Server Wed Feb 21 16:37: DNS Unknown User N/A Information WIPRO-LOG-222 None The DNS server encountered an invalid domain name in a packet from The packet will be rejected.the event data contains the DNS packet. 15 Operational Error <13>Feb 15 11:51: MSWinLog 0 DNS Server 226 Thu Feb 15 11:47: DNS Unknown User N/A Information LAB None The DNS server encountered a domain name exceeding the maximum length in the packet from The event data contains the DNS packet.. 5 Microsoft DNS Log Configuration Guide 19

20 ID Agile Reports/ Search Title/Comments Category Type Sample Log Message Search The DNS server encountered an invalid domain name offset in a packet from %1. The event data contains the DNS packet Search The DNS server encountered a name offset exceeding the packet length from %1. The event data contains the DNS packet Search The DNS server encountered a packet name exceeding the maximum label count from %1. The event data contains the DNS packet Search The DNS server encountered an invalid DNS update message from %1. The packet was rejected. The event data contains the DNS packet Search The DNS server encountered an invalid response message from %1. The packet was rejected. The event data contains the DNS packet Search The DNS server encountered a name with a label whose length exceeds the maximum of 63 bytes from %1. The event data contains the DNS packet. Operational Error <13>Feb 21 17:39: MSWinLog 0 DNS Server Mon Feb 19 16:14: DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: P%.. The DNS server encountered an invalid domain name offset in a packet from The event data contains the DNS packet. 101 Operational Error <13>Feb 15 11:51: MSWinLog 0 DNS Server 226 Thu Feb 15 11:47: DNS Unknown User N/A Information LAB None The DNS server encountered a name offset exceeding the packet length from The event data contains the DNS packet. 5 Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error <13>Feb 15 11:51: MSWinLog 0 DNS Server 226 Thu Feb 15 11:47: DNS Unknown User N/A Information LAB None The DNS server encountered an invalid DNS update message from The packet was rejected.the event data contains the DNS packet. 5 Operational Error The log format for this event is supported by the LogLogic Appliance, Operational The log format for this event is supported by the LogLogic Appliance, 20 Microsoft DNS Log Configuration Guide

21 ID Agile Reports/ Search Title/Comments Category Type Sample Log Message Search The DNS server list of restricted interfaces contains IP addresses that are not configured for use at the server computer. Use the DNS manager server properties, interfaces dialog, to verify and reset the IP addresses the DNS server should listen on. ID: 412 Description: The DNS server is bound to a large number of IP addresses. Each of these server IP addresses consumes additional system resources and can add a slight increase in performance overhead for DNS query reception. In most cases, you can remove secondary IP addresses that are not required to support server networking hardware Search The DNS server is bound to a large number of IP addresses. Each of these server IP addresses consumes additional system resources and can add a slight increase in performance overhead for DNS query reception. In most cases, you can remove secondary IP addresses that are not required to support server networking hardware. For more information, see "Configuring multihomed servers" in the online Help Search The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate. Operational <13>Feb 21 17:39: MSWinLog 0 DNS Server Mon Feb 19 16:14: DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: P%.. The DNS server list of restricted interfaces contains IP addresses that are not configured for use at the server computer. Use the DNS manager server properties, interfaces dialog, to verify and reset the IP addresses the DNS server should listen on. ID: 412 Description: The DNS server is bound to a large number of IP addresses.each of these server IP addresses consumes additional system resources and can add a slight increase in performance overhead for DNS query reception. In most cases, you can remove secondary IP addresses that are not equired to support server networking hardware. 101 Operational <13>Feb 21 17:39: MSWinLog 0 DNS Server Mon Feb 19 16:14: DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: P%.. The DNS server is bound to a large number of IP addresses.each of these server IP addresses consumes additional system resources and can add a slight increase in performance overhead for DNS query reception. In most cases, you can remove secondary IP addresses that are not required to support server networking hardware. For more information, see "Configuring multihomed servers" in the online Help 101 Operational <13>Feb 13 12:32: MSWinLog 0 DNS Server Thu Jan 18 14:53: DNS Unknown User N/A Warning LOGLOGIC-SRV1 None The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate Microsoft DNS Log Configuration Guide 21

22 ID Agile Reports/ Search Title/Comments Category Type Sample Log Message Search The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and can not operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start Search The zone %1 was previously loaded from the directory partition %2 but another copy of the zone has been found in directory partition %3. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.if an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server.if there are two copies of this zone in two different directory partitions but this is not a transient caused by a zone move operation then one of these copies should be deleted as soon as possible to resolve this conflict Search The DNS server is using a large amount of memory. The data is the current memory allocated Search The DNS server received a request from %1 for a UDP-based transfer of the entire zone. The request was ignored because full zone transfers must be made using TCP. Operational Error <13>Feb 21 17:39: MSWinLog 0 DNS Server 4013 Mon Feb 19 16:14: DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: P%.. The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and can not operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start Operational The log format for this event is supported by the LogLogic Appliance, Operational <13>Feb 21 17:39: MSWinLog 0 DNS Server Mon Feb 19 16:14: DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: P%.. The DNS server is using a large amount of memory. The data is the current memory allocated. 101 Operational <13>Feb 21 17:39: MSWinLog 0 DNS Server Mon Feb 19 16:14: DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: P%.. The DNS server received a request from for a UDP-based transfer of the entire zone. The request was ignored because full zone transfers must be made using TCP Microsoft DNS Log Configuration Guide

23 ID Agile Reports/ Search Title/Comments Category Type Sample Log Message Search The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative zone % Search Zone %1 version %2 is newer than version %3 on DNS server at %4. The zone was not updated. DNS servers supplying zones for transfer must have the most recent version of the zone, based on the primary zone. If zone on remote server %4, is in fact the most recent version of the zone, do the following at that server: (1) stop the DNS server, (2) delete the zone file (not the zone itself) and (3) restart the DNS server The DNS server will transfer the new version and write its zone file. When deleting the zone file at server %4, locate the file named %1.dns in the %SystemRoot%\System32\Dns directory and delete it. An alternative solution is to delete and recreate the secondary zone at server %4. This could be preferred if this server hosts large zones and restarting it at this time would be a consuming or costly operation. Operational The log format for this event is supported by the LogLogic Appliance, Operational The log format for this event is supported by the LogLogic Appliance, Microsoft DNS Log Configuration Guide 23

24 ID Agile Reports/ Search Title/Comments Category Type Sample Log Message Search The DNS server encountered a packet addressed to itself on IP address %1. The packet is for the DNS name "%2". The packet will be discarded. This condition usually indicates a configuration error. Check the following areas for possible self-send configuration errors: 1) Forwarders list. (DNS servers should not forward to themselves). 2) Master lists of secondary zones. 3) Notify lists of primary zones. 4) Delegations of subzones. Must not contain NS record for this DNS server unless subzone is also on this server. 5) Root hints. Example of self-delegation: -> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com. -> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com, (bar.example.microsoft.com NS dns1.example.microsoft.com) -> BUT the bar.example.microsoft.com zone is NOT on this server. Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result. If found, the subzone DNS server admin should remove the offending NS record. You can use the DNS server debug logging facility to track down the cause of this problem. Operational <13>Feb 21 17:39: MSWinLog 0 DNS Server Mon Feb 19 16:14: DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: P%.. The DNS server encountered a packet addressed to itself on IP address The packet is for the DNS name "_ldap._tcp.pdc._msdcs.dnsdhcp.com.". The packet will be discarded. This condition usually indicates a configuration error. Check the following areas for possible self-send configuration errors: 1) Forwarders list. (DNS servers should not forward to themselves). 2) Master lists of secondary zones. 3) Notify lists of primary zones. 4) Delegations of subzones. Must not contain NS record for this DNS server unless subzone is also on this server. 5) Root hints. Example of self-delegation: -> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com. -> The example.microsoft.com zone contains a delegation of bar.example.microsoft to dns1.example.microsoft.com, (bar.example.microsoft.com NS dns1.example.microsoft.com) -> BUT the bar.example.microsoft.com zone is NOT on this server. Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result. If found, the subzone DNS server admin should remove the offending NS record. You can use the DNS server debug logging facility to track down the cause of this problem Microsoft DNS Log Configuration Guide

25 ID Agile Reports/ Search Title/Comments Category Type Sample Log Message Search The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that preceded these run-time events. The data is the number of events that have been suppressed in the last 60 minute interval Search The DNS server is not root authoritative and no root hints were specified in the cache.dns file. Where the server is not a root server, this file must specify root hints in the form of at least one name server (NS) resource record, indicating a root DNS server and a corresponding host (A) resource record for that root DNS server. Otherwise, the DNS server will be unable to contact the root DNS server on startup and will be unable to answer queries for names outside of its own authoritative zones. To correct this problem, use the DNS console to update the server root hints Search The DNS server encountered invalid domain name "%1" in zone file %2 at line %3. Although the DNS server continues to load, ignoring this name, it is strongly recommended that you either correct the name or remove the resource record from the zone file, which is located in the %SystemRoot%\System32\Dns directory Search The DNS server encountered invalid domain name "%1". Operational <13>Feb 20 12:11: MSWinLog 0 DNS Server Tue Feb 20 12:08: DNS Unknown User N/A Error LAB None 0000: 2a *#.. The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that preceded these run-time events. The data is the number of events that have been suppressed in the last 60 minute interval. 160 Operational Error <13>Feb 20 12:11: MSWinLog 0 DNS Server Tue Feb 20 12:08: DNS Unknown User N/A Error LAB None 0000: 2a *#.. The DNS server is not root authoritative and no root hints were specified in the cache.dns file. Where the server is not a root server, this file must specify root hints in the form of at least one name server (NS) resource record, indicating a root DNS server and a corresponding host (A) resource record for that root DNS server. Otherwise, the DNS server will be unable to contact the root DNS server on startup and will be unable to answer queries for names outside of its own authoritative zones. To correct this problem, use the DNS console to update the server root hints. 160 Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error <13>Feb 20 12:11: MSWinLog 0 DNS Server Tue Feb 20 12:08: DNS Unknown User N/A Error LAB None 0000: 2a *#.. The DNS server encountered invalid domain name "dhcp.com" 160 Microsoft DNS Log Configuration Guide 25

26 ID Agile Reports/ Search Title/Comments Category Type Sample Log Message Search The DNS server encountered domain name "%1" exceeding maximum length. Although the DNS server continues to load, ignoring this name, it is recommended that you either correct the name or remove the resource record from the zone file, which is located in the %SystemRoot%\System32\Dns directory Search The DNS server encountered an invalid token "%1" in zone file %2 at line %3. Although the DNS server continues to load, ignoring this token, it is recommended that you either correct the token or remove the resource record from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory Search The DNS server encountered a name outside of the specified zone in zone file %1 at line %2. Although the DNS server continues to load, ignoring this resource record (RR), it is recommended that you either correct the RR or remove it from the zone file, which is located in the %SystemRoot%\System32\Dns directory Search The DNS server encountered an invalid name server (NS) resource record in zone file %1 at line %2. The use of NS resource records (RR) must be at either the zone root node or be placed at at the sub-zone context within the zone for a domain being delegated away from this zone. Although the DNS server continues to load, ignoring this RR, it is recommended that you either correct the RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error The log format for this event is supported by the LogLogic Appliance, 26 Microsoft DNS Log Configuration Guide

27 ID Agile Reports/ Search Title/Comments Category Type Sample Log Message Search The DNS server encountered an invalid host (A) resource record in zone file %1 at line %2. The use of A resource records (RRs) must be at a domain name within the zone, with the exception of glue A RRs which are used to resolve the host name specified in an NS RR also contained at the same domain node and used for a zone delegation. Although the DNS server continues to load, ignoring this RR, it is strongly recommended that you either correct this RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory Search The DNS server encountered an unknown or unsupported resource record (RR) type %1 in zone file %2 at line %3. Although the DNS server continues to load, ignoring this RR, it is recommended that you either correct the record type or remove this RR from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory Search The DNS server encountered an invalid SOA (Start Of Authority) resource record (RR) in file %1 at line %2. An SOA record is required in every zone files and must satify the following conditions: 1) The SOA record must be the first record in the zone file. 2) The SOA record must belong to the root of the zone ("@" in zone file). 3) Only one SOA is allowed in the zone. 4) SOA records are NOT valid in root-hints (cache.dns) file. To correct the problem modify or repair the SOA RR in zone file %1, which can be found in the %SystemRoot%\System32\Dns directory. Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error The log format for this event is supported by the LogLogic Appliance, Microsoft DNS Log Configuration Guide 27

28 ID Agile Reports/ Search Title/Comments Category Type Sample Log Message Search The DNS server encountered a text string "%1" in zone file %2 at line %3 that exceeds the maximum permissible length. Although the DNS server continues to load, ignoring this resource record (RR), it is strongly recommended that you either correct this RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory Search The DNS server encountered an invalid IP address "%1" in zone file %2 at line %3. Although the DNS server continues to load, ignoring this resource record (RR), it is recommended that you either correct this RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error The log format for this event is supported by the LogLogic Appliance, Search The DNS server encountered an invalid IPv6 address "%1" in zone file %2 at line %3. Although the DNS server continues to load, ignoring this resource record (RR), it is recommended that you either correct this RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. Operational Error The log format for this event is supported by the LogLogic Appliance, Search The DNS server could not find protocol "%1" specified for the well known service (WKS) resource record (RR) in zone file %2 at line %3. Although the DNS server continues to load, ignoring this RR, it is strongly recommended that you either correct this WKS RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. Operational Error The log format for this event is supported by the LogLogic Appliance, 28 Microsoft DNS Log Configuration Guide

29 ID Agile Reports/ Search Title/Comments Category Type Sample Log Message Search The DNS server could not find the service "%1" specified for the well known service (WKS) resource record (RR) in zone file %2 at line %3. Although the DNS server continues to load, ignoring this RR, it is recommended that you either correct this WKS RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. Operational Error <13>Feb 20 12:11: MSWinLog 0 DNS Server Tue Feb 20 12:08: DNS Unknown User N/A Error LAB None 0000: 2a *#.. The DNS server could not find the service serv specified for the well known service (WKS) resource record (RR) in zone file file1 at line 4. Although the DNS server continues to load, ignoring this RR, it is recommended that you either correct this WKS RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory Search The DNS server encountered the port "%1" specified for the well known service (WKS) resource record (RR) in zone file %2 at line %3. This port exceeds the maximum port supported for the WKS RR. Although the DNS server continues to load, ignoring this RR, it is strongly recommended that you either correct this WKS RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. Operational Error The log format for this event is supported by the LogLogic Appliance, Search The DNS server unable to write zone file %1 for zone %2. Most likely the server disk is full. Free some disk space and re-initiate zone write. Operational Error <13>Feb 20 12:11: MSWinLog 0 DNS Server Tue Feb 20 12:08: DNS Unknown User N/A Error LAB None 0000: 2a *#.. The DNS server unable to write zone file file1 for zone DNSDHCP.com. Most likely the server disk is full. Free some disk space and re-initiate zone write. 160 Microsoft DNS Log Configuration Guide 29