Thursday, April 25, 2013

Blocking USB Devices and Removable Media through User based GPO


  I have seen many people asking how to block the use of USB memory sticks so people can't use them to transfer files on or off of a PC. This how-to will give you a simple, effective and free way to block these, as well as other forms of removable media, on a Windows computer.
Create a GPO
The first step is to open Group Policy Management and create a new GPO.
I typically like to create 2 GPOs: one for blocking read access and one for blocking write access.
By creating 2 separate policies I can apply each individually, so I can allow read access for certain groups of users while blocking write access, and I can apply both policies to other groups so I can block all access.
The policy we are about to create is user based. This means that it will apply to the users and not the computer, so we can block access as needed for normal users on a computer while still allowing access for other users, like say IT (ourselves), so we can still do our thing without any issues.
These policies apply to all forms of removable media, not just USB based media. Therefore you can use them to block other media access, such as CD and DVD access, as well.
Set the Desired Policy Items
In your GPO browse to the following location.
User Configuration >> Policies >> Administrative Templates >> System >> Removable Storage Access
If you look through the list of options you will see 2 choices for each media type. One choice when enabled blocks write access and the other choice blocks read access.
In my attached image I show an example of blocking all read access.
Therefore, to block read access to each of these media types, simply enable the deny read access item for each.
If you want to block write access, enable the deny write access options.
If you want to block both, then enable both options.
It's really that simple.
----------------------------------------------------------------
Note:
For some reason Digital cameras require both read and write access. So if you have users that need access to a digital camera directly through the camera's USB connection they will need read and write access. Even if all they want to do is read files from the camera. However if you remove the memory card from the camera and read it with a memory card reader it only needs read access as expected.                      
Apply the GPO
Now that you have created your GPO (or GPOs, if you want more granular control like I did), all that you need to do is apply the GPO to the users you wish to restrict removable media for by assigning it to the correct OUs.
Once applied, simply wait for the policy to update on the user's computer, or run "gpupdate /force" to speed things up, and test it out.
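The same two policies can be built and checked from PowerShell. This is an added example, not part of the original post: it assumes the GroupPolicy module (GPMC/RSAT) is installed, the GPO names, OU paths and function names are placeholders, and the two device-class GUIDs are the registry keys the Removable Storage Access template writes for "Removable Disks" and "CD and DVD".

```powershell
# Added example (not from the original post).
# Run the first part on a management machine with the GroupPolicy module,
# as an account that is allowed to create and link GPOs.
Import-Module GroupPolicy

# Registry location written by the user-based "Removable Storage Access" policies.
$PolicyRoot = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device classes covered here; other media types have their own GUIDs.
$MediaClasses = [ordered]@{
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

function New-RemovableMediaGpo {
    # Hypothetical helper: creates one GPO that sets Deny_Read or Deny_Write
    # for every media class listed above.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Deny_Read', 'Deny_Write')][string]$Setting
    )
    $gpo = New-GPO -Name $Name -Comment "User-based removable media policy: $Setting"
    foreach ($class in $MediaClasses.GetEnumerator()) {
        Set-GPRegistryValue -Name $Name -Key "$PolicyRoot\$($class.Value)" `
            -ValueName $Setting -Type DWord -Value 1 | Out-Null
    }
    # The GPO only carries user settings, so skip processing of the computer half.
    $gpo.GpoStatus = 'ComputerSettingsDisabled'
    return $gpo
}

# One GPO per direction, as in the post, so they can be combined per OU.
$denyRead  = New-RemovableMediaGpo -Name 'Removable Media - Deny Read'  -Setting Deny_Read
$denyWrite = New-RemovableMediaGpo -Name 'Removable Media - Deny Write' -Setting Deny_Write

# Placeholder OUs: users who may read but not write get only the write block,
# users who get no access at all get both GPOs. IT's OU gets neither.
New-GPLink -Name $denyWrite.DisplayName -Target 'OU=ReadOnlyUsers,DC=example,DC=com' -LinkEnabled Yes
New-GPLink -Name $denyRead.DisplayName  -Target 'OU=NoMediaUsers,DC=example,DC=com'  -LinkEnabled Yes
New-GPLink -Name $denyWrite.DisplayName -Target 'OU=NoMediaUsers,DC=example,DC=com'  -LinkEnabled Yes

function Get-RemovableMediaPolicy {
    # Run this part in the restricted user's session after "gpupdate /force".
    # It reports what actually landed in that user's policy hive.
    foreach ($class in $MediaClasses.GetEnumerator()) {
        $key = "HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$($class.Value)"
        $values = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Media     = $class.Key
            DenyRead  = [bool]$values.Deny_Read
            DenyWrite = [bool]$values.Deny_Write
        }
    }
}
```

A user in an OU that has both links should show DenyRead and DenyWrite as True for each media type; an IT account on the same computer should show False for both.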
Conclusion
This is a simple and reliable way to control user access to removable media, with the bonus of still being able to allow yourself or other special users of your choice the ability to use that same removable media.

Saturday, April 20, 2013

About TFS

  Getting Started with TFS
       Because TFS is large and encompassing, it can be difficult to know where to begin.
       The answer could depend on your role.

 TFS Administrator Tasks
  • Set up new servers
  • Create new team projects
  • Create backups and restore data
  • Security configuration management
Project Lead Tasks
  • Monitor day-to-day activity
  • Create queries and reports
  • Assign work items
  • Monitor project activities


Project Members
  • Members of the project team
  • Individuals must know their roles on the project
  • Understand how to use source control


TFS Concepts
  • Collaboration
  • Enhanced Communication
  • Project Portal
  • Team Explorer
  • Alerts
  • Source Control
  • Builds
  • Tracking Work Status
  • Work Item History
  • Queries
  • Microsoft Project and Excel Integration
  • Reports
  • Roles
  • Roles in Help Documentation
  • Roles in Process
  • Security Groups
  • Process Enactment
  • Tool Integration
  • Integration in the Integrated Development Environment
  • Team Foundation Extensibility
  • Integration with Other Tools


TFS Integration with Visual Studio
One of the advantages of TFS is the integration with Visual Studio.
Developers love the way TFS seamlessly works with Visual Studio.
TFS allows developers to easily flip between multiple version control tools inside of Visual Studio. With a couple of clicks the developer can flip between TFS, VSS and Subversion. It works like a dream.
Project Managers like to use the item tracking for task tracking. TFS Item Tracking easily integrates into Microsoft Project, giving the Project Manager greater project control.
TFS allows project groups. These allow for the setting of different permissions based on roles. Here are the out-of-the-box roles:
  • Readers - Members of this group have access to the team project
  • Project Administrators - Members of this group can perform all operations in the team project
  • Contributors - Members of this group can add, modify and delete items within the team project
  • Build Services - Members of this group have build service permissions for the team project. For service accounts only
You can also create additional groups to fit your development structure and process.

Friday, April 19, 2013

SQL Server: useful query for DBAs

If you are a Database Administrator and you work with MS SQL Server, there are some useful queries you could use to check how things are going with your databases. Being always aware of what's going on is very important, and in some cases a good control panel with appropriate queries can be developed just to quickly display the database status.
We are going to explore some interesting administration queries. Just select those that you might be interested in and add them to your personal control panel.

Check your machine
The first query allows us to know the server status:
SELECT
  SERVERPROPERTY('MachineName') as Server_Name,
  SERVERPROPERTY('InstanceName') as Instance,
  SERVERPROPERTY('Edition') as Edition,
  SERVERPROPERTY('ProductLevel') as ServicePack,
  Case SERVERPROPERTY('IsClustered') when 1 then 'CLUSTERED' else 'STANDALONE' end as Server_Type,
  @@VERSION as Version
With the above query, we get the Server Name, the Instance, the Edition, Service Pack version, the Server Type (clustered or standalone) and the Version.
It basically gives us a full view of the SQL Server configuration.

Security status
In order to get the Database security status we can use the following query:
SELECT l.name, l.denylogin, l.isntname, l.isntgroup, l.isntuser
FROM master.dbo.syslogins l
WHERE l.sysadmin = 1 OR l.securityadmin = 1
Compatibility, recovery and state
If we want to check the various databases for compatibility level, recovery model and current status, we need to query the sys.databases catalog view:
SELECT name,compatibility_level,recovery_model_desc,state_desc 
FROM sys.databases

Last backup date and its physical path
Backups are an important element for DBAs. If we would like to know when the last backup was performed, we can use the following query:
SELECT db.name,
case when MAX(b.backup_finish_date) is NULL then 'No Backup' else convert(varchar(100),
MAX(b.backup_finish_date)) end AS last_backup
FROM sys.databases db
LEFT OUTER JOIN msdb.dbo.backupset b ON db.name = b.database_name
AND b.type = 'D'
WHERE db.database_id NOT IN (2)
GROUP BY db.name
ORDER BY 2 DESC
At the same time, we might need to know where those backups are stored. To do so we need to query the backupmediafamily table:
SELECT Distinct physical_device_name FROM msdb.dbo.backupmediafamily
I believe that a good control panel can be easily developed using the above queries. We can create a simple ASP page, and place it in the Database Administration menu. That way, we could have a quick overview and keep things under good control.

Thursday, April 18, 2013

How to take DNS server backup in an AD environment



If you are an Active Directory admin, there is no need to mention the importance of DNS. A DNS server is potentially the single point of failure in an AD environment, where an interruption of its service or corruption of any DNS records can bring the whole service down. This demands a proper backup strategy for DNS servers.

The most preferred method for taking a backup of a DNS server is to do a system state backup. But this is not useful in many cases, as it requires you to restore AD, registry settings, DNS etc. while the business requirement only needs you to restore the DNS server.

Also there may be cases where the system state restore catalog is corrupted and you cannot restore it. Personally, I have faced situations where the clients are complaining about corrupt system state backups where the users are not able to restore the DNS data using it. So it is always best to keep an independent backup of the DNS server along with your normal system state backup.

Before mentioning how these independent backups can be taken for DNS servers, it’s worth mentioning the different DNS zone types in an AD environment.

Primary and Secondary zones.
Active Directory integrated zone.

Microsoft recommends using Active Directory integrated zones in DNS servers in an AD environment.
Now let’s check how independent backups can be taken on a DNS server.

Primary and secondary zones:

Here the zone information is stored in plain text files. The backup and restore process is pretty straightforward: you take a copy of the text files containing the zone information using XCOPY.
The command below can be used for the backup.

XCOPY %SYSTEMROOT%\system32\dns c:\backup\dns /y


To restore the primary and secondary zone information, you only need to copy the files from the \backup\DNS folder to the %SYSTEMROOT%\system32\dns folder.

Active Directory integrated zones:

You may be aware that the zone information for an Active Directory integrated zone is stored in the AD database rather than as a text file. So the first step in taking the backup is to export the zone information to a file.

DNSCMD /zoneexport test.com backup\test.com.dns.bak

The backup file will be placed in the %systemroot%\system32\dns\backup folder, and will be named test.com.dns.bak.

You can use the backup file just created to restore the AD integrated zone if needed. However, the restore process is a bit more complex.

The restoration is a 2 step process.

a. Create a primary zone by using the backup file you created earlier.
b. Convert the primary zone to an AD integrated zone.

Before performing the first step, you need to copy the backup file you created from the backup location to the %systemroot%\system32\dns folder. Now, execute the following command.

DNSCMD /zoneadd test.com /primary /file test.com.dns.bak /load

The above command will set up a primary zone in the DNS server using the zone information in the file test.com.dns.bak.

Now, you need to convert the primary DNS zone you just created to an AD integrated zone. You can use the following command for that.

DNSCMD /zoneresettype test.com /dsprimary

Done!!

Note: If you want to enable secure dynamic updates, then you must enter the following command:

DNSCMD /config test.com /allowupdate 2

As a general backup guideline, it is always a best practice to test the integrity of the backup files at regular intervals by doing test restores on a test network.
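The export step for AD integrated zones can be scripted so that it runs on a schedule and leaves a verifiable copy off the DNS folder. This is an added example, not part of the original post: the function name, zone name and destination path are placeholders, and it assumes an elevated PowerShell 4.0 or later session on the DNS server with dnscmd available.

```powershell
# Added example (not from the original post).
function Backup-DnsZone {
    # Hypothetical helper: exports each zone with dnscmd, sanity-checks the
    # export, copies it to $Destination and returns a SHA-256 hash per file.
    param(
        [Parameter(Mandatory)][string[]]$ZoneName,
        [Parameter(Mandatory)][string]$Destination
    )
    # dnscmd /zoneexport writes relative to %SystemRoot%\System32\dns.
    $exportDir = Join-Path $env:SystemRoot 'System32\dns\backup'
    New-Item -ItemType Directory -Path $exportDir, $Destination -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    foreach ($zone in $ZoneName) {
        # dnscmd will not overwrite an existing export file, so every run
        # uses a timestamped name instead of a fixed test.com.dns.bak.
        $fileName = "$zone.$stamp.dns.bak"
        $exported = Join-Path $exportDir $fileName

        & dnscmd.exe /zoneexport $zone "backup\$fileName" | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $exported)) {
            Write-Warning "Export of zone '$zone' failed (dnscmd exit code $LASTEXITCODE)."
            continue
        }

        # A usable zone file must at least contain the zone's SOA record.
        if (-not (Select-String -LiteralPath $exported -Pattern '\bSOA\b' -Quiet)) {
            Write-Warning "Export of zone '$zone' contains no SOA record; not copied."
            continue
        }

        $copy = Copy-Item -LiteralPath $exported -Destination $Destination -PassThru
        [pscustomobject]@{
            Zone   = $zone
            File   = $copy.FullName
            SHA256 = (Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA256).Hash
        }
    }
}

# Placeholder zone and destination, matching the test.com zone used above.
Backup-DnsZone -ZoneName 'test.com' -Destination 'C:\backup\dns' |
    Export-Csv -Path 'C:\backup\dns\manifest.csv' -NoTypeInformation -Append
```

The export files list every record in the zone, so keep the destination folder readable by administrators only, and compare the recorded hash before using a file for a test restore.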

Thanks
R.karthikeyan

Wednesday, April 17, 2013

HP Proliant Management Controller Driver (Device ID: HPQ000B)

Today, we are discussing a common driver issue with HP 100 Series servers. We have installed Windows 2008 on an HP ML150 G6 server and found that one of the drivers is missing in Windows Device Manager. Whenever you come across a driver issue (or an unknown device in Device Manager), we need to find the Device IDs/Hardware IDs of the unknown device. So we have checked the Hardware IDs of this unknown device and we found that it has the ID: ACPI\HPQ000B




I did some searching on the Internet/HP forums and found that the above device ID is for the HP ProLiant 100-Series Management Controller. Most of the HP ProLiant 100 series servers are shipped with HP Lights-Out 100 (LO100) and it needs a driver to function properly. In Device Manager, this device is listed under the “System Devices” category (when the driver is installed). This device will be listed under Unknown device when no drivers are installed.
Another common driver issue with HP ProLiant servers is the NULL IPMI driver. The NULL IPMI driver is dependent on the Lights-Out driver.

The HP ProLiant 100-Series Management Controller can have the Hardware IDs below:
ACPI\HPQ000B\0
ACPI\HPQ000B
*HPQ000B

Where can I download Drivers:

HP Driver download page will list HP ProLiant 100-Series Management Controller driver. However, I am listing the HP ProLiant 100-Series Management Controller drivers for all versions of Windows:
Windows 2003 32 bit, click here
Windows 2003 64 bit, click here
Windows 2008 32 bit, click here
Windows 2008 64 bit, click here
Windows 2008 R2, click here

Monday, April 15, 2013

How Do You FIX: The trust relationship between this workstation and the primary domain failed


If you Google “the trust relationship between this workstation and the primary domain failed”, you get plenty of information from support blogs and Microsoft articles; however, most of them ask you to rejoin your machine to the domain. That’s not always possible.

What’s the problem and how did I get here?


The underlying problem when you see this error is that the machine you are trying to access can no longer communicate securely with the Active Directory domain to which it is joined.  The machine’s private secret is not set to the same value stored in the domain controller.  You can think of this secret as a password but really it’s some bits of cryptographic data called a Kerberos keytab stored in the local security authority.  When you try to access this machine using a domain account, it fails to verify the Kerberos ticket you receive from Active Directory against the private secret that it stores locally.  I think you can also come across this error if for some reason the system time on the machine is out of sync with the system time on the domain controller.  This solution also fixes that problem.
This problem can be caused by various circumstances, but I most commonly run into it when I reset a virtual machine to a system snapshot that I made months or even years before.  When the machine is reset, it is missing all of the automatic password changes that it executed against the domain controller during the intervening months.  The password changes are required to maintain the security integrity of the domain.

The standard fix


Support blogs and Microsoft will generally tell you to rejoin the domain to restore the trust relationship.  Another option they will give is to delete the computer object and recreate it without a password and rejoin.
Microsoft support article on the topic: http://support.microsoft.com/kb/162797
I’m not a fan of any of these options.  This seems heavy handed and sometimes they aren’t even possible.
Recently, when I ran into this problem, the virtual machine that reset was an enterprise certificate authority joined to my test domain.  Well, guess what, Microsoft will not allow you to rename or unjoin a computer that is a certificate authority—the button in the computer property page is greyed out.  There may be another way to unjoin but I wasn’t going to waste time on it when it isn’t even necessary.

A better fix


Just change your computer password using netdom.exe!

netdom.exe resetpwd /s:<server> /ud:<user> /pd:*

<server> = a domain controller in the joined domain

<user> = DOMAIN\User format with rights to change the computer password
Here are the full steps:
  1. You need to be able to get onto the machine. I normally just log in with the local Administrator account by typing, ".\Administrator" in the logon window. I hope you remember the password. If you’re creative and resourceful you can hack your way in without the password. Another option is to unplug the machine from the network and log in with domain user. You will be able to do disconnected authentication, but in the case of a reset machine, remember that you may have to use an old password. Your domain user’s cached credential has the same problem as the machine’s private secret.
  2. You need to make sure you have netdom.exe. Where you get netdom.exe depends on what version of Windows you’re running. Windows Server 2008 and Windows Server 2008 R2 ship with netdom.exe; you just have to enable the Active Directory Domain Services role. On Windows Vista and Windows 7 you can get it from the Remote Server Administration Tools (RSAT). Google can help you get them. For other platforms see this link: http://technet.microsoft.com/en-us/library/ee649281(WS.10).aspx
  3. Extra steps if the machine is a domain controller. If the broken machine is a domain controller it is a little bit more complicated, but still possible to fix the problem. I haven’t done this for a while, but I think this works:
    1. Turn off the Kerberos Key Distribution Center service. You can do this in the Services MMC snap-in. Set the startup type to Manual. Reboot.
    2. Remove the Kerberos ticket cache. A reboot will do this for you, or you can remove them using KerbTray.exe. You can get that tool here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17657
    3. Post change steps. Do these in conjunction with 5 below. Turn the Kerberos Key Distribution Center Service back on before rebooting. You should reboot the domain controller and then force replication in the Active Directory Sites and Services MMC snap-in.
  4. Run netdom.exe to change the password.
    1. Open an administrative command prompt. On Windows platforms with UAC enabled, you will need to right-click on cmd.exe and select "run as Administrator".
    2. Type the following command: netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
  5. Reboot the machine.
Here is more information on netdom.exe: http://support.microsoft.com/kb/325850
I hope this is helpful.  This problem comes up every few months for me, so I wanted to document it for my own use.  It is difficult to find when you just search for the error you get in the login window.

Friday, April 12, 2013

Microsoft Virtual Academy Top 10 FAQs

Keep your Microsoft skills up-to-date with free online courses

Keeping up with technology is often one of the toughest parts about being in IT. Technology is constantly changing and evolving, and you need to stay on top of the latest developments to keep your skill levels current. Although a number of different training venues are available, one of the least well-known, but also one of the most easily accessible, is Microsoft Virtual Academy (MVA), an online portal for IT pros to learn about Microsoft's cloud-based technologies. In this column you'll get answers to the top 10 FAQs about MVA.
1. What does MVA cost?
Believe it or not, Microsoft Virtual Academy is completely free. Training is one of those areas where Microsoft really provides extra value to IT professionals. Naturally, the courses focus on Microsoft products, but that's what you'd expect from Microsoft training. The only requirement is that you have a Windows Live ID.
2. If the courses are free, are they valuable and up-to-date?
MVA covers topics in a wide range of Microsoft technologies, and there are different levels of courses. Some examples of the current courses include "Windows Server 2012: First Look," "System Center 2012: Orchestrator & Service Manager," "Microsoft Licensing Fundamentals," and "System Center 2012: Virtual Machine Manager." Although I noticed the material for the "Windows Server 2012: First Look" course was based on the beta and didn't reflect the latest updates, it still provides a good overview of the new features.
3. How many people have taken courses from MVA?
For such a little-known offering, MVA has a surprising number of participants. Although these numbers are always changing, to date MVA states that 768,500 students have registered for Microsoft courses and that 826,200 self-assessment exams have been passed.
4. How are the courses organized?
The courses are typically organized into multiple modules with a self-assessment exam at the end of each module. For instance, the "Windows Server 2012: First Look" course has the following modules: "Windows Server 2012 Overview," "Beyond Virtualization," "The Power of Many Servers," "Modern Workstyle Enabled," and "Every App, Any Cloud." Successful completion of each module accumulates a certain number of track completion points.
5. Do the results count toward certifications?
No. However, the training can certainly help with taking other certifications. The MVA program tracks accumulated points for successfully completing different modules. You see a dashboard when you sign in that tracks your point progress for Bronze (0-99), Silver (100-499), Gold (500-2,999), and Platinum (3,000+) levels.
6. Are you limited in how many courses you can take at any given time?
No. You can take any number of courses at any time. You can also retake each of the self-assessment exams as many times as you want.
7. What are the courses like?
The courses consist of multiple modules. Each module typically contains a collection of different resources. Some MVA modules are video presentations that you can stream over the web, and others are Word or PDF documents that you can read online or download and review offline. In case you're wondering, the MVA modules don't let you skip right to the self-assessment exam—you must review some of the study materials first.
8. How many tracks and courses are available?
Microsoft is continually adding and updating the content of the MVA courses. At the time of this writing, there are 15 major tracks: Business Intelligence, Licensing, Office 365, Private Cloud, Public Cloud, Security, SQL Azure, SQL Server, System Center 2012, VDI, Virtualization, Windows Azure, Windows Client, Windows Server 2008 R2, and Windows Server 2012. Each track has at least two courses, and many have more. There are 39 total courses.
9. Where do you register for MVA training?
You can find Microsoft Virtual Academy online.
10. How do you get started taking MVA courses?
You get started by signing in to MVA with your Windows Live ID and then filling out the registration page. At that point, a confirmation email is sent to the email account that you supplied during registration. Clicking on the confirmation link in the email opens your new MVA account page. From there you can begin selecting courses.

Thanks
R.karthikeyan

Thursday, April 11, 2013

DNS Troubleshooting



What problem are you having?


The DNS server is not responding to clients.


Cause:  The Domain Name System (DNS) server is affected by a network failure.


Solution:  Verify that the server computer has a valid functioning network connection. First, check that related client hardware (cables and network adapters) are working properly at the client by using basic network and hardware troubleshooting steps.


If the server hardware appears to be prepared and functioning properly, check that it has network connectivity by using the ping command to contact other computers or routers (such as its default gateway) that are used and available on the same network as the affected DNS servers.


Cause:  The DNS server is reachable through basic network testing, but it is not responding to DNS queries from clients.


Solution:  If the DNS client can ping the DNS server computer, verify that the DNS server is started and able to listen to and respond to client requests. Try using the nslookup command to test whether the server can respond to DNS clients.

For more information, see Start or Stop a DNS Server.


Cause:  The DNS server has been configured to limit service to a specific list of its configured IP addresses. The IP address originally used in testing its responsiveness is not included in this list.


Solution:  If the server was previously configured to restrict the IP addresses for which it responds to queries, it is possible that the IP address that is being used by clients to contact it is not in the list of restricted IP addresses that are permitted to provide service to clients.


Try testing the server for a response again, but specify a different IP address that is known to be in the restricted interfaces list for the server. If the DNS server responds for that address, add the missing server IP address to the list.


Cause:  The DNS server has been configured to disable the use of its automatically created default reverse lookup zones.


Solution:  Verify that automatically created reverse lookup zones have been created for the server or that advanced configuration changes have not been previously made to the server.


By default, DNS servers automatically create the following three standard reverse lookup zones based on Request for Comments (RFC) recommendations.


These zones are created with common IP addresses covered by these zones that are not useful in a reverse lookup search (0.0.0.0, 127.0.0.1, and 255.255.255.255). By being authoritative for the zones corresponding to these addresses, the DNS service avoids unnecessary recursion to root servers to perform reverse lookups on these types of IP addresses.


It is possible, although unlikely, that these automatic zones are not created. This is because disabling the creation of these zones involves advanced manual configuration of the server registry by a user.


To verify that these zones have been created, do the following:

  1. Open DNS Manager.
  2. On the View menu, click Advanced.
  3. In the console tree, click Reverse Lookup Zones.

    Where?
    • DNS/applicable DNS server/Reverse Lookup Zones
  4. In the details pane, verify that the following reverse lookup zones are present:
    • 0.in-addr.arpa
    • 127.in-addr.arpa
    • 255.in-addr.arpa
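The first checks in this section (ping, a test query, and the three automatically created reverse lookup zones) can be run in one pass. This is an added example, not part of the original text: the function name, server name and test name are placeholders, and it assumes Windows 8/Server 2012 or later with the DnsClient and DnsServer PowerShell modules.

```powershell
# Added example (not from the original text).
function Test-DnsServerBasics {
    # Hypothetical helper: returns one object summarising the basic checks.
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$TestName = 'example.com'   # any name the server should resolve
    )
    $result = [ordered]@{ Server = $Server }

    # 1. Basic network connectivity to the DNS server.
    $result.Ping = Test-Connection -ComputerName $Server -Count 2 -Quiet

    # 2. Does the DNS service answer a query sent directly to it?
    try {
        Resolve-DnsName -Name $TestName -Server $Server -DnsOnly -ErrorAction Stop | Out-Null
        $result.Query = 'answered'
    }
    catch {
        $result.Query = "failed: $($_.Exception.Message)"
    }

    # 3. Are the automatically created reverse lookup zones present?
    $expected = '0.in-addr.arpa', '127.in-addr.arpa', '255.in-addr.arpa'
    $zones = Get-DnsServerZone -ComputerName $Server -ErrorAction SilentlyContinue
    if ($null -eq $zones) {
        # Zone list could not be read (service down, no rights, firewall).
        $result.MissingAutoZones = 'unknown (zone list not readable)'
    }
    else {
        $missing = @($expected | Where-Object { $zones.ZoneName -notcontains $_ })
        $result.MissingAutoZones = if ($missing) { $missing -join ', ' } else { 'none' }
    }

    [pscustomobject]$result
}

# Placeholder server name.
Test-DnsServerBasics -Server 'dns01.example.com'
```

Ping True with a failed query points at the DNS service or a restricted listening address rather than the network.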

Cause:  The DNS server is configured to use a nondefault service port, for example, in an advanced security or firewall configuration.


Solution:  Verify that the DNS server is not using a nonstandard configuration.


This is a rare but possible cause. By default, the nslookup command sends queries to targeted DNS servers using User Datagram Protocol (UDP) port 53. If the DNS server is located on another network and is reachable only through an intermediate host (such as a packet-filtering router or proxy server), the DNS server might use a nonstandard port to listen for and receive client requests.


If this situation applies, determine whether any intermediate firewall or proxy server configuration is intentionally used to block traffic on well-known service ports that are used for DNS. If not, you might be able to add such a packet filter to these configurations to permit traffic to standard DNS ports.


Also, check the DNS server event log to see if Event ID 414 or other critical service-related events have occurred that might indicate why the DNS server is not responding.


The DNS server does not resolve names correctly.


Cause:  The DNS server provides incorrect data for queries that it answers successfully.


Solution:  Determine the cause of the incorrect data for the DNS server.

Some of the most likely causes include the following:

  • Resource records were not dynamically updated in a zone.
  • An error was made when static resource records were manually added or modified in the zone.
  • Stale resource records in the DNS server database that were left from cached lookups or zone records were not updated with current information or removed when they were no longer needed.

To help prevent the most common types of problems, be sure to first review best practices for tips and suggestions for deploying and managing your DNS servers. Also, follow and use the checklists that are appropriate for installing and configuring DNS servers and clients, based on your deployment needs.


If you are deploying DNS for Active Directory Domain Services (AD DS), note the new directory-integration features. These features can cause some differences for DNS server defaults—when the DNS database is directory-integrated—that differ from the DNS server defaults that are used with traditional file-based storage.


Many DNS server problems start with failed queries at a client. Therefore, it is often a good idea to start there and troubleshoot the DNS client first.


For more information, see Troubleshooting DNS Clients.


Cause:  The DNS server does not resolve names for computers or services outside your immediate network, for example, the names of computers or services that are located on external networks or the Internet.


Solution:  The server has a problem with its ability to correctly perform recursion. Recursion is used in most DNS configurations to resolve names that are not located within the configured DNS domain name that is used by the DNS servers and clients.


If a DNS server fails to resolve a name for which it is not authoritative, the cause is usually a failed recursive query. Recursive queries are used frequently by DNS servers to resolve remote names that are delegated to other DNS zones and servers.

For recursion to work successfully, all DNS servers in the path of a recursive query must be able to respond to and forward correct data. If not, a recursive query can fail for any of the following reasons:

  • The recursive query times out before it can be completed.
  • A remote DNS server fails to respond.
  • A remote DNS server provides incorrect data.

Cause:  The DNS server is not configured to use other DNS servers to assist it in resolving queries.


Solution:  Check whether the DNS server can use both forwarders and recursion.

By default, all DNS servers are enabled to use recursion, although the option to disable its use is configurable in DNS Manager to modify advanced server options. The other possible situation in which recursion might be disabled is if the server is configured to use forwarders and recursion has been specifically disabled for that configuration.

Note  

If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.


For more information, see Configure a DNS Server to Use Forwarders.


Cause:  Current root hints for the DNS server are not valid.


Solution:  Check whether server root hints are valid.

If they are configured and used correctly, root hints should always point to DNS servers that are authoritative for the zone that contains the domain root and top-level domains.

By default, DNS servers are configured to use root hints that are appropriate to your deployment, based on the following available choices when you use DNS Manager to configure a server:

  1. If the DNS server is installed as the first DNS server for your network, it is configured as a root server.

    For this configuration, root hints are disabled at the server because the server is authoritative for the root zone.
  2. If the installed server is an additional DNS server for your network, you can direct the Configure a DNS Server Wizard to update its root hints from an existing DNS server on the network.
  3. If you do not have other DNS servers on your network but you still need to resolve Internet DNS names, you can use the default root hints file, which includes a list of Internet root servers that are authoritative for the Internet DNS namespace.

Cause: The DNS server does not have network connectivity to the root servers.


Solution:  Test for connectivity to the root servers.


If root hints appear to be configured correctly, verify that the DNS server that is used in a failed query can ping its root servers by IP address.


If a ping attempt to one root server fails, it might indicate that an IP address for that root server has changed. Reconfiguration of root servers, however, is uncommon.


A more likely cause is a full loss of network connectivity or, in some cases, poor network performance on the intermediate network links between the DNS server and its configured root servers. Follow basic TCP/IP network troubleshooting steps to diagnose connections and determine whether this is the problem.


By default, the DNS service uses a recursive time-out of 15 seconds before failing a recursive query. Under normal network conditions, this time-out does not have to be changed. If performance requires it, however, you can increase this value.

To review additional performance-related information for DNS queries, you can enable and use the DNS server debug log file, Dns.log. This log can provide extensive information about some types of service-related events.
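The recursion, root hints and root server connectivity checks described above can be run together from PowerShell. The script below is an added example, not part of the original article; it assumes the DnsServer module is installed and that it is run in an elevated session on the DNS server itself, so the connectivity results reflect that server's network path.

```powershell
#Requires -Modules DnsServer
# Added example: run locally on the DNS server being troubleshot.

# 1. Recursion and forwarders: forwarders cannot be used when recursion is disabled.
$recursion  = Get-DnsServerRecursion
$forwarders = Get-DnsServerForwarder
[pscustomobject]@{
    RecursionEnabled = $recursion.Enable
    RecursionTimeout = $recursion.Timeout          # recursive time-out, in seconds
    Forwarders       = ($forwarders.IPAddress -join ', ')
    UseRootHints     = $forwarders.UseRootHint
} | Format-List

if (-not $recursion.Enable -and $forwarders.IPAddress) {
    Write-Warning 'Forwarders are configured but recursion is disabled; they will not be used.'
}

# 2. Root hints: an empty list is expected only when this server hosts the root zone.
$hints = Get-DnsServerRootHint
if (-not $hints) {
    Write-Warning 'No root hints are configured on this server.'
}

# 3. Connectivity: ping each root hint by IP address, then ask it directly for
#    the root NS set. A DNS answer is the stronger signal, because it exercises
#    the same path a recursive query uses.
$results = foreach ($hint in $hints) {
    $name = $hint.NameServer.RecordData.NameServer
    foreach ($rr in $hint.IPAddress) {
        $ip = if ($rr.RecordData.IPv4Address) { $rr.RecordData.IPv4Address }
              else { $rr.RecordData.IPv6Address }
        if (-not $ip) { continue }                 # hint has a name but no address
        $addr = $ip.ToString()
        $ping = Test-Connection -ComputerName $addr -Count 1 -Quiet
        $answer = Resolve-DnsName -Name '.' -Type NS -Server $addr -DnsOnly `
                      -NoRecursion -QuickTimeout -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RootServer    = $name
            Address       = $addr
            Ping          = $ping
            AnswersRootNS = [bool]$answer
        }
    }
}
$results | Format-Table -AutoSize
```

If every IPv4 row fails, suspect network connectivity rather than the root hints; if only IPv6 rows fail, the server may simply have no IPv6 route.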


Cause: Other problems exist with updating DNS server data, such as an issue that is related to zones or dynamic updates.


Solution:  Determine whether the problem is related to zones. As needed, troubleshoot any issues in this area, such as possible failure of zone transfer.




The DNS server appears to be affected by a problem for reasons not described here.


Cause:  My problem is not described here.


Solution:  Search TechNet (http://go.microsoft.com/fwlink/?LinkId=170) for the latest technical information that might relate to the problem. If necessary, you can obtain information and instructions that pertain to your problem or issue.

If you are connected to the Internet, the latest operating system updates are available at Microsoft Update (http://go.microsoft.com/fwlink/?LinkId=284).


