Archive for DNS

Updating DNS Root Hints on SBS 2011

By default, on an SBS 2008/2011 server, DNS is configured to use Root Hints for Internet resolution. I have previously posted about potential issues with resolving domain names on an SBS server.

If you are using Root Hints, it may be necessary to update your root hints from time to time, as my good MVP friend, Mick, recently reminded me. And it’s fairly simple to do:

First, you need to access a list of known root servers and note the IP address of one of them. I’m going to use


From your SBS server, open DNS Manager –> right click on your server –> click Properties –> then click the Root Hints tab to see the current list of root DNS servers.


Go ahead and click the Delete button to delete ALL the listed root hints.


Then click on the “Copy from Server” button and enter the IP address you selected, and click OK.


The list of Root Hints will be populated from that server. Check that each entry shows an IP address as well as a name (a hint with no glue address cannot be used), click OK, and then restart the DNS Server service.
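Added example, not code from the original post: a PowerShell check that compares the root hints this server holds against the NS set a root server itself returns for the root zone, so stale or missing entries and hints with no glue address are visible before (and after) you delete and re-copy the list. Assumptions: it runs elevated on the SBS server (Windows Server 2008 R2, PowerShell 2.0, nslookup.exe), the MicrosoftDNS WMI provider keeps root hints in the `..RootHints` container, and `$Probe` is the address of one root server, defaulting to the first glue address already in the list.

```powershell
# Added example (not from the original post). Compare local root hints with the
# NS set a root server reports for ".". Run elevated on the SBS server.
# Assumption: root hints are exposed in the '..RootHints' container of the
# root\MicrosoftDNS WMI namespace (the same container dnscmd calls ..RootHints).
param([string]$Probe)   # IP of one root server; default = first hinted glue address

$wmiNs   = 'root\MicrosoftDNS'
$nsHints = @(Get-WmiObject -Namespace $wmiNs -Class MicrosoftDNS_NSType -Filter "ContainerName='..RootHints'")
$aHints  = @(Get-WmiObject -Namespace $wmiNs -Class MicrosoftDNS_AType  -Filter "ContainerName='..RootHints'")

if (-not $Probe) {
    if ($aHints.Count -eq 0) { throw 'No root hint glue records found; copy the list from a root server first.' }
    $Probe = $aHints[0].IPAddress
}

# Names this server currently hints at (normalised: no trailing dot, lower case)
$localNames = @($nsHints | ForEach-Object { $_.NSHost.TrimEnd('.').ToLower() } | Sort-Object -Unique)

# Names the probed root server says are authoritative for the root zone.
# Windows nslookup prints one "(root)  nameserver = x.root-servers.net" line per NS.
$liveNames = @()
foreach ($line in (& nslookup -type=NS . $Probe 2>$null)) {
    if ($line -match 'nameserver\s*=\s*(\S+)') { $liveNames += $matches[1].TrimEnd('.').ToLower() }
}
$liveNames = @($liveNames | Sort-Object -Unique)
if ($liveNames.Count -eq 0) { throw "No NS answer from $Probe; check that outbound DNS (UDP/TCP 53) is allowed." }

"Root hints on this server       : $($localNames.Count)"
"Root servers reported by $Probe : $($liveNames.Count)"

# Differences in either direction mean the hint list should be refreshed
foreach ($n in $localNames) { if ($liveNames  -notcontains $n) { "STALE   : $n is hinted but is no longer a root server" } }
foreach ($n in $liveNames)  { if ($localNames -notcontains $n) { "MISSING : $n is a root server but is not in the hints" } }

# A hint without a glue A record cannot be used to prime the cache
$glueNames = @($aHints | ForEach-Object { $_.OwnerName.TrimEnd('.').ToLower() })
foreach ($n in $localNames) { if ($glueNames -notcontains $n) { "NO GLUE : $n has no A record in the root hints" } }
```

Run it once before the delete/copy steps to see what is wrong, and again after the DNS Server service restart: a clean run prints only the two count lines, and the counts match. The script only reads; it changes nothing on the server.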

SBS 2011 No DNS Name Server Records

If you run the SBS 2011 Best Practices Analyzer (BPA), you may see the following warning:

No DNS name server records.
Source: 74
Issue: There are no DNS name server (NS) resource records for the delegated _msdcs forward lookup zone.

Well, that’s nice. But you may ask yourself: What does this mean? Why did it happen? and Do I need to fix it?

The short answer is that this often occurs as a result of doing a migration to SBS 2011. If your SBS 2011 server is a standalone server (not in a multi DC environment), then it’s not a big concern. You could probably just click on “Exclude this Result” to hide/ignore the warning from appearing when you run future BPA reports.


But if you’re like me, you want to resolve the issue, if possible, instead of just ignoring it.

The warning is caused by the fact that BPA is looking for a delegated _msdcs node (an NS record pointing at the server that hosts the _msdcs zone) under your domain.local zone in DNS. Here’s an example where it is missing:


An excellent tutorial on resolving this issue in detail is available on the Official Windows Server Essentials and Small Business Server Blog site. It also covers the situation where the _msdcs.domain.local zone is missing.

In my case, I already have a separate _msdcs.domain.local zone. So all that I need to do is to manually create the _msdcs delegation in the domain.local zone, pointing at my server, and restart the Netlogon service. So, let’s get to work:

  • Right click on your domain.local zone and select New Delegation, then click Next
  • Type in _msdcs for the delegated domain name, and click Next
  • Click Add, and then enter either the FQDN of your server (sbs1.kwsupport.local in my case) and click Resolve, or you can just enter your server’s IP address.
  • In either case, once you have created the delegation and clicked Finish, you will see the new _msdcs node listed under your domain.local zone
  • Finally, open Services.msc and restart the Netlogon service so that the domain controller re-registers its locator (SRV) records under _msdcs, and you’re done.
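Added example, not code from the original post: the delegation steps above as a script, using dnscmd.exe (present on Windows Server 2008 R2) instead of the DNS Manager wizard, followed by the checks that show the delegation actually works. Assumptions: it runs elevated on the SBS server, the names follow the post (`kwsupport.local` and host `sbs1`) and must be changed for your domain, and `_msdcs.<zone>` already exists as its own zone, as in the post's scenario.

```powershell
# Added example (not from the original post). Create the _msdcs delegation and
# verify it. Run elevated on the SBS server. Change $zone and $dcHost for your domain.
$zone   = 'kwsupport.local'          # assumption: the post's domain name
$dcHost = "sbs1.$zone"               # assumption: the post's server name

# The separate _msdcs zone must exist; delegating to nothing just moves the problem.
$zoneInfo = & dnscmd /ZoneInfo "_msdcs.$zone" 2>$null
if (-not (($zoneInfo -join "`n") -match 'Command completed successfully')) {
    throw "_msdcs.$zone zone not found on this server; create it first (see the Essentials blog tutorial)."
}

# Only add the NS record if the parent zone has no delegation yet (idempotent)
$existing = & dnscmd /EnumRecords $zone _msdcs /Type NS 2>$null
if (($existing -join "`n") -match '\sNS\s') {
    "Delegation already present in $zone :"
    $existing | Where-Object { $_ -match '\sNS\s' }
} else {
    # Same result as New Delegation -> _msdcs -> sbs1.kwsupport.local in DNS Manager
    $added = & dnscmd /RecordAdd $zone _msdcs NS "$dcHost."
    if (-not (($added -join "`n") -match 'Command completed successfully')) { throw "RecordAdd failed: $added" }
    "Created NS delegation _msdcs.$zone -> $dcHost"
}

# Netlogon re-registers the DC locator records under _msdcs when it restarts
Restart-Service Netlogon

# Verify against this server: the delegation itself, and the SRV record clients
# use to find a domain controller, which lives under the delegated node.
$nsAnswer  = (& nslookup -type=NS  "_msdcs.$zone"               127.0.0.1 2>$null) -join "`n"
$srvAnswer = (& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$zone" 127.0.0.1 2>$null) -join "`n"

if ($nsAnswer  -match 'nameserver\s*=')   { "OK   NS record present for _msdcs.$zone" }  else { "FAIL no NS record for _msdcs.$zone" }
if ($srvAnswer -match 'svr hostname\s*=') { "OK   DC locator SRV record resolves" }       else { "FAIL _ldap._tcp.dc._msdcs.$zone not found; wait a minute after the Netlogon restart and retry" }
```

If the second check fails right after the restart, give Netlogon a minute to finish registration before concluding the delegation is wrong; if the first check fails, the NS record was not created and the dnscmd output above will say why.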

Rerun the BPA and you will see that this warning message no longer appears!

Hope this helps you!

SBS 2011 DNS parameter MaxCacheTTL is not set

Running the Best Practices Analyzer for your SBS server is highly recommended. After addressing any critical errors, you may find yourself wanting to understand and clean up some of the warnings that may be identified by running BPA.

One such warning is this one:

The DNS parameter MaxCacheTTL is not set
Source: 58
Issue: The DNS parameter MaxCacheTTL is not set

The reason for this warning is that there have been identified cases where name resolution of some top-level domains (such as .cn or .br) will fail. This failure happens if you are using root hints for name resolution in your DNS server, and both SBS 2008 and SBS 2011 come configured with root hints by default.

Note: this problem with certain top-level domains does not occur if you are using DNS Forwarders for Internet name resolution, because the forwarder, not your server, walks the delegation from the root.

Microsoft has a KB article on this issue and its resolution (KB 968372).

Before proceeding, I am going to completely ignore the “which is better – root hints or DNS Forwarders” argument. Do your own Bing searches on that topic and happy reading for a few days! Here’s one such link: Which is best, root hints or DNS Forwarders – Please Vote!

Let’s address this issue with three questions and answers:

Question #1: What if I don’t know if I am using Root Hints or Forwarders?

  • Open up DNS Manager, click on DNS in the left frame, right click on your server in the right frame, and click Properties.
  • Click on the Forwarders tab.  If there is nothing listed, then you are NOT using DNS forwarders
  • Click on the Root Hints tab. If you are using Root Hints, then this should be populated with a list of IP addresses, like this:


Question #2: If I am using Forwarders, what do I need to do to make this warning message go away?

  • With your BPA Reports page on display, click on the DNS parameter MaxCacheTTL warning to display details about the warning message
  • Click on Exclude this Result


Question #3: If I am using root hints, what do I do to resolve this issue?

To resolve this issue, we will need to add a new registry value under the DNS Parameters key and set MaxCacheTTL to 2 days (172,800 seconds; the default when the value is absent is 1 day).

  • Start Registry Editor
  • Drill down to HKLM –> System –> CurrentControlSet –> Services –> DNS –> Parameters
  • Right click on Parameters, click New –> DWORD (32-bit) Value
  • Enter MaxCacheTTL as the value name, and press Enter
  • Double click on the MaxCacheTTL value, and change the data to 2A300 (Hexadecimal) or 172800 (Decimal), then click OK
  • Exit the registry and restart the DNS Server service.
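Added example, not code from the original post: the three questions above as one script. It reads the forwarder list and the current MaxCacheTTL, does nothing except report when forwarders are in use (Question #2), and otherwise creates or raises the registry value exactly as the steps above do and restarts the DNS Server service (Question #3). Assumptions: it runs elevated on the SBS server (PowerShell 2.0), and the MicrosoftDNS WMI provider's `MicrosoftDNS_Server` class reports the configured forwarders.

```powershell
# Added example (not from the original post). Decide whether the MaxCacheTTL
# warning applies and, if so, apply the fix from KB 968372. Run elevated.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$twoDays   = 172800      # seconds = 0x2A300; the value the post sets

# Question #1: forwarders or root hints?
$srv  = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
$fwds = @($srv.Forwarders | Where-Object { $_ })     # empty array when none are configured

# Current MaxCacheTTL, or $null when the value has never been created
$current = (Get-ItemProperty -Path $paramsKey -Name MaxCacheTTL -ErrorAction SilentlyContinue).MaxCacheTTL

if ($fwds.Count -gt 0) {
    # Question #2: the TLD resolution problem only affects servers that use root hints
    "Forwarders in use ($($fwds -join ', ')); the warning does not apply here."
    "Open the BPA result and click 'Exclude this Result'."
}
elseif ($current -eq $null) {
    # Question #3: same as New -> DWORD (32-bit) Value -> MaxCacheTTL = 0x2A300
    New-ItemProperty -Path $paramsKey -Name MaxCacheTTL -PropertyType DWord -Value $twoDays | Out-Null
    Restart-Service -Name DNS
    "MaxCacheTTL created with $twoDays seconds; DNS Server service restarted. Rerun BPA."
}
elseif ($current -lt $twoDays) {
    # Value exists but is shorter than the recommended 2 days
    Set-ItemProperty -Path $paramsKey -Name MaxCacheTTL -Value $twoDays
    Restart-Service -Name DNS
    "MaxCacheTTL raised from $current to $twoDays seconds; DNS Server service restarted. Rerun BPA."
}
else {
    "MaxCacheTTL already set to $current seconds; nothing to do."
}
```

The value is a DWORD, so `-PropertyType DWord` matters: a REG_SZ named MaxCacheTTL is ignored by the DNS Server service and the BPA warning stays. The restart is required because the service reads the Parameters key only at start-up.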

Rerun BPA and the MaxCacheTTL warning should be gone!