Topic Last Modified: 2009-04-03
The Microsoft Exchange Analyzer Tool examines the TCP/IP settings on computers that are running Exchange Server 2007. Specifically, Exchange Analyzer examines the Domain Name System (DNS) settings to verify that the server is configured to register DNS suffixes correctly. If the DNS suffix settings are configured incorrectly, the tool generates one or more of the following messages:
Connection's addresses of network connection '<ConnectionID>' are not registered in DNS on server <ServerName>. Please select 'Register this connection's addresses in DNS' in 'Advanced TCP/IP Settings' dialog.
Primary and connection specific DNS suffixes are not appended on server <ServerName>. Please select 'Append primary and connection specific DNS suffixes' in 'Advanced TCP/IP Settings' dialog.
Additionally, on a server that is configured as a Continuous Cluster Replication (CCR) server, the following warning message is generated:
Parent suffixes of the primary DNS suffix are not appended on server <ServerName>. Please select 'Append parent suffixes of the primary DNS suffix' in 'Advanced TCP/IP Settings' dialog.
If one or more of the following conditions are true, you may experience CCR log replication issues:
- A connection's addresses are not registered in DNS.
- Nondefault DNS suffixes are appended to the connection.
- Parent DNS suffixes are not appended to the connection.
In this scenario, CCR log copy operations may become backed up (queued). This problem occurs if Kerberos authentication among CCR nodes is unsuccessful. In a scenario in which the DNS search order for CCR members is incorrect, the following behavior occurs:
- The Exchange replication server receives incorrect information from a DNS lookup that it performs to obtain the Kerberos Service Principal Name (SPN) of the destination computer.
- Therefore, the Exchange replication server submits a Kerberos ticket request for an incorrect or nonexistent SPN.
- The incorrect Kerberos ticket request results in a "Service Principal Unknown" error from the Key Distribution Center (KDC) service on the domain controller.
- Because Kerberos authentication fails, Exchange falls back to Windows authentication (NTLM). However, because the Exchange Replication service runs under the context of the Local System account, network access from this context results in NULL credentials being passed to the server. This results in a STATUS_ACCESS_DENIED result.
By default, Windows uses the primary DNS suffix, such as contoso.com, as the DNS suffix for any network adapter that is installed on the computer. Therefore, a primary DNS suffix such as contoso.com identifies a host name such as Server-1 as Server-1.contoso.com.
A connection-specific DNS suffix is configured on a per-connection basis. Connection-specific DNS suffixes override the primary DNS suffix. Therefore, DNS registrations from a connection that has a connection-specific DNS suffix of corp.contoso.com override a primary DNS suffix of contoso.com.
Consider the following configuration:
- The computer has a host name of Server-1.
- The primary DNS suffix is set to contoso.com.
- A connection-specific DNS suffix is set to corp.contoso.com.
In this configuration, DNS registrations from all network adapters, except for the one on which a connection-specific DNS suffix is configured, are registered as Server-1.contoso.com. DNS registrations from the network adapter on which the connection-specific DNS suffix is configured are registered as Server-1.corp.contoso.com. For correct DNS registration and successful DNS lookup operations, Exchange requires that the appropriate DNS suffixes are registered in DNS.
To address this issue, modify the DNS-related settings on the computer to specify DNS registration and to specify the appropriate DNS suffix entries.
To modify the DNS suffix configuration in Windows Server 2003
- Log on to the computer by using an account that has Administrator rights.
- Click Start, click Run, type ncpa.cpl, and then click OK.
- In the Network Connections dialog box, right-click the network connection, and then click Properties.
- Click Internet Protocol (TCP/IP), and then click Properties.
- Click Advanced, and then click the DNS tab.
- Click Append primary and connection specific DNS suffixes.
- Click to select the Append parent suffixes of the primary DNS suffix check box.
- Click to select the Register this connection's addresses in DNS check box.
- Click OK two times, and then click Close.
- Open a command prompt.
- At the command prompt, type ipconfig /flushdns && ipconfig /registerdns, and then press ENTER.

- Log on to the computer by using an account that has Administrator rights.
- Click Start, click Run, type ncpa.cpl, and then click OK.
- In the Network Connections dialog box, right-click the network connection, and then click Properties.
- Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
- Click Advanced, and then click the DNS tab.
- Click Append primary and connection specific DNS suffixes.
- Click to select the Append parent suffixes of the primary DNS suffix check box.
- Click to select the Register this connection's addresses in DNS check box.
- Click OK two times, and then click Close.
- Open a command prompt.
- At the command prompt, type ipconfig /flushdns && ipconfig /registerdns, and then press ENTER.
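
The three settings changed in the procedure above can be checked without opening the dialog on each CCR node. The following read-only script is an added example, not part of the original article or of the Exchange Analyzer tool. It assumes that the WMI class Win32_NetworkAdapterConfiguration and the UseDomainNameDevolution registry value reflect the check boxes on the DNS tab; the variable names are illustrative.

```powershell
# Added example: read-only audit of the DNS settings named in the analyzer messages.
# Run locally on each CCR node. Nothing is modified.

# "Append parent suffixes of the primary DNS suffix" is a computer-wide setting.
# Assumption: it is stored as UseDomainNameDevolution under the Tcpip Parameters
# key, and a missing value means the Windows default (enabled).
$tcpip   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$devolve = ($null -eq $tcpip.UseDomainNameDevolution) -or ($tcpip.UseDomainNameDevolution -ne 0)

$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

foreach ($a in $adapters) {
    $findings = @()

    # "Register this connection's addresses in DNS"
    if (-not $a.FullDNSRegistrationEnabled) {
        $findings += "connection's addresses are not registered in DNS"
    }

    # A non-empty search list means "Append these DNS suffixes" is selected
    # instead of "Append primary and connection specific DNS suffixes".
    $custom = @($a.DNSDomainSuffixSearchOrder | Where-Object { $_ })
    if ($custom.Count -gt 0) {
        $findings += 'nondefault suffix search list: ' + [string]::Join(', ', $custom)
    }

    if (-not $devolve) {
        $findings += 'parent suffixes of the primary DNS suffix are not appended'
    }

    # Assumption: DNSDomain holds the connection-specific suffix, if one is set
    # (corp.contoso.com in the article's sample configuration).
    $suffix = '(none)'
    if ($a.DNSDomain) { $suffix = $a.DNSDomain }

    Write-Output ("{0} [connection-specific suffix: {1}]" -f $a.Description, $suffix)
    if ($findings.Count -eq 0) { Write-Output '  OK' }
    foreach ($f in $findings) { Write-Output "  WARNING: $f" }
}
```

Run it on every CCR node and compare the output; a node that reports a warning, or a connection-specific suffix that differs from its peers, is the one to correct with the procedure above.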