Unravelling the mystery of Client DNS with Essentials family Servers

Probably the best title for a blog post ever, right? Having seen and read about a lot of people struggling with DNS resolution problems with their clients on Essentials (2011/2012) networks, and also some dubious advice being given out for how to ‘resolve’ these problems, I thought I would try to get into a deep-level explanation of how, and why, Essentials does what it does.

First off, if you are struggling with this type of problem, you really need to check out Sean Daniel’s post from 2011. Hopefully reading that post will give you an idea of what Microsoft is trying to achieve with this process. Let’s also not forget that the deployment scenario of choice for Essentials is for it to be purchased pre-installed on a piece of hardware by a non-technical office manager, who then plugs it into their network with an Ethernet cable; the Essentials Server then does the rest. It’s a nice idea, but in practice these mystical office managers are few and far between, and because of that some of the hidden magic Essentials does often causes more than a little confusion. Setting the IP of a client PC to statically query the Essentials server for DNS is one such problem.

Hopefully, having read Sean’s post, you will now know that Essentials changes your client’s DNS server address to a static IP so that the client sends Active Directory queries to the server, rather than to a router or external DNS server.

With DNS being a critical component of Active Directory, your domain-joined computers MUST have the ability to query the DNS Service on the Essentials Server in order to find Active Directory resources.

In my example below, we have our Essentials server, a router and a client laptop that is not joined to the domain. The router is running DHCP and is configured to issue an external DNS server IP address to the DHCP clients. As you can see, our client PC is told to use 8.8.8.8 as its DNS server.

Essentials DNS Query

If we then go ahead and install the Essentials connector, the software will detect our Essentials server at 192.168.1.10 and statically configure our client’s DNS settings to use 192.168.1.10.

Essentials DNS Query 2

All of our client’s DNS queries now go to our Essentials server at 192.168.1.10. It is up to the Essentials Server to then resolve each query (if it is for an internal resource like Active Directory) or send it on to an external DNS server if it is for a resource located on the internet.

Essentials DNS Query External

The destination of the external DNS query is based on the configuration of the DNS Server service.

If your Essentials server is on its default settings, you will find that your router is set as a forwarder in DNS. This can introduce its own issues into your name resolution, because whilst some routers work well as a DNS forwarder, some consumer-grade routers seem to struggle to provide this service, which can lead to name resolution problems where otherwise there would be none.

DNS Forwarder

If we assume our router does not perform well in this scenario, we might see 404 errors on the clients when trying to browse the internet.

Essentials DNS Query Fail

You might be forgiven for thinking the problem here is that your client is set to use the Essentials server for DNS, when in actual fact, that configuration is perfectly valid but the router is failing to resolve the DNS query for us.

If we amend that DNS Service configuration, we find everything works as expected.

DNS Forwarder Public

Essentials DNS Query Success
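To tell a struggling forwarder apart from a client-side problem, you can query each configured forwarder directly from the server and time the answers. The following is an added example, not part of the original post; it assumes an Essentials server on 2012 or later (where the DnsServer module exists), and the test names and the "slow" threshold are arbitrary sample values.

```powershell
# Added example, not from the original post. Run on the Essentials server
# (2012 or later, where the DnsServer PowerShell module is available).
Import-Module DnsServer

function Test-DnsForwarder {
    param(
        # Sample names to resolve; any public names will do (assumed values).
        [string[]]$Name = @('www.google.com', 'www.amazon.com'),
        # Hypothetical threshold above which an answer is reported as slow.
        [int]$SlowMs = 1000
    )
    # Get-DnsServerForwarder returns the forwarders the DNS Server service
    # is configured with; on default settings this is the router.
    $forwarders = (Get-DnsServerForwarder).IPAddress
    foreach ($ip in $forwarders) {
        foreach ($n in $Name) {
            $result = 'OK'
            $timer  = [System.Diagnostics.Stopwatch]::StartNew()
            try {
                # Ask the forwarder itself, bypassing the local DNS service.
                Resolve-DnsName -Name $n -Server $ip.IPAddressToString `
                    -Type A -DnsOnly -ErrorAction Stop | Out-Null
            } catch {
                $result = "FAILED: $($_.Exception.Message)"
            }
            $timer.Stop()
            if ($result -eq 'OK' -and $timer.ElapsedMilliseconds -gt $SlowMs) {
                $result = 'SLOW'
            }
            [pscustomobject]@{
                Forwarder = $ip.IPAddressToString
                Name      = $n
                Ms        = $timer.ElapsedMilliseconds
                Result    = $result
            }
        }
    }
}

Test-DnsForwarder | Format-Table -AutoSize
```

A forwarder that returns FAILED or SLOW here while a public resolver answers promptly points at the forwarder, not at the client's DNS setting.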

The server will periodically check its DNS forwarding configuration (as part of health monitoring every hour), and will alert you if there is a problem via the ‘Alert Viewer’.

Internet Alert

On the Essentials Server you can use the ‘NetworkHealthPlugin-ConnectivityFeature.log’ and the ‘SharedServiceHost-NetworkConfig.log’ files to help diagnose problems with DNS.

The Windows Server LAN Configuration Service is responsible for detecting your Essentials Server and correctly configuring DNS based on whether or not the server is found. If the server is found, DNS is configured statically to point at the IP Address of the Essentials Server. If it is not found, the Service will revert your client to use a DNS Server provided by the DHCP Server.

Essentials DNS Query Unavailable

The above scenario would work, assuming that DHCP is not issuing the IP of the Essentials Server for DNS.

If the router was providing the Essentials Server IP as the DNS Server, and the server was unavailable then your web browsing would fail.

Essentials DNS Query Fail 2

This is what you would expect to happen if the server is unavailable, and would be relatively easy to troubleshoot or work around.

Problems seem to be occurring when people take their computers outside of the Essentials network, and the LAN Configuration Service is not reverting the client to pick up a DNS Server from DHCP.

When the service has configured a NIC in a computer, it will be shown in the registry under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Server\Networking\ServerDiscovery\ChangedNICs

Changed NICs

No other information is held on the NIC in this registry key, other than the Name.

If a NIC is configured by the Service, but that entry no longer exists in the registry, then the Service will no longer attempt to configure that NIC until the entry is manually recreated, or until the NIC is uninstalled and reinstalled.

In my example here you can see I have 2 NICs that have been configured by the LAN Configuration Service.

If I leave the network and join a new network, after a few minutes the service reconfigures the NICs to pick up their IPv4 information via DHCP. You do need to be patient and wait a few minutes for this to occur, although if this is a clean boot it should be pretty quick.

If I delete the Wireless Network Connection from the registry and leave the network, the LAN Configuration Service will not attempt any reconfiguration of the Wireless NIC, and will leave me stuck with my DNS queries going to a non-existent server.

Essentials DNS Query Out Of Office

In the Network and Sharing Center you may also see that you are successfully connected to a network, but have no internet access.

Changed NICs Starbucks

In this situation, if we check the registry to see if our NIC configuration is correct, we can take steps to resolve the problem.

Changed NICs New Network

As described above, we can manually recreate the registry key for the NIC that is missing.

Changed NICs Add Missing NIC

We then simply need to wait for the LAN Configuration Service to detect the key, and correctly reconfigure our Wireless NIC.

Changed NICs Add Missing NIC Internet

We will then see that our Internet access is restored. If we refresh the Registry Editor, we will see that the Service has now removed the registry key for our Wireless NIC.

Changed NICs Add Missing NIC Internet NIC Gone

I have written a small PowerShell script that will attempt to query the Registry settings for you and compare them to the Interfaces on your computer.

You can download the script from the TechNet Gallery.
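The check described above can be sketched as follows. This is an added example, not the author's TechNet Gallery script; it assumes each configured NIC appears under ChangedNICs by its connection name (as a value name or a subkey name, both are read), and it uses the standard Tcpip `NameServer` registry value to tell static DNS from DHCP-assigned DNS.

```powershell
# Added example, not the author's TechNet Gallery script. Windows PowerShell.
# Assumption: NICs changed by the service are listed under ChangedNICs by
# connection name, as value names or as subkey names (both are read here).
$ChangedNics = 'HKLM:\SOFTWARE\Microsoft\Windows Server\Networking\ServerDiscovery\ChangedNICs'
$TcpipIfRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-TrackedNicName {
    # Names the LAN Configuration Service still holds for reconfiguration.
    if (-not (Test-Path -LiteralPath $ChangedNics)) { return @() }
    $key = Get-Item -LiteralPath $ChangedNics
    @($key.GetValueNames() | Where-Object { $_ }) + @($key.GetSubKeyNames())
}

function Get-NicDnsState {
    $tracked = @(Get-TrackedNicName)
    Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionID IS NOT NULL' |
        Where-Object { $_.GUID } |
        ForEach-Object {
            $ifKey = Join-Path $TcpipIfRoot $_.GUID
            $tcpip = Get-ItemProperty -LiteralPath $ifKey -ErrorAction SilentlyContinue
            # NameServer holds statically set DNS servers; DhcpNameServer holds
            # the ones learned from DHCP. An empty NameServer means DNS via DHCP.
            $static    = "$($tcpip.NameServer)".Trim()
            $isTracked = $tracked -contains $_.NetConnectionID
            if (-not $static)   { $status = 'DNS from DHCP' }
            elseif ($isTracked) { $status = 'Static DNS, tracked: service can revert it' }
            else                { $status = 'Static DNS, NOT tracked: service will not revert it' }
            New-Object PSObject -Property @{
                Name      = $_.NetConnectionID
                Tracked   = $isTracked
                StaticDns = $static
                DhcpDns   = "$($tcpip.DhcpNameServer)"
                Status    = $status
            }
        } | Select-Object Name, Tracked, StaticDns, DhcpDns, Status
}

Get-NicDnsState | Format-List
```

A NIC reported as static but not tracked is either one you configured by hand or one in the stuck state described above, where the entry has to be recreated before the service will revert it.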

For troubleshooting client connectivity issues to the Essentials Server, including DNS problems you should look at the following log files on the client:

LANConfigSvc.log

You can see below in the LAN Configuration Service Log example, the entries shown when the Server is not detected.

Log Snip

Another example when the server becomes available again.

Log Snip 2

ProviderRegistryService.log

Below we have an example of the ProviderRegistryService Log, showing a failed connection attempt to the server.

Log Snip3

If your computers are not domain joined, then using the Essentials Server for DNS is not a requirement.

In this scenario you can simply disable the Windows Server LAN Configuration Service, with no ill effects on the client.

About Robert Pearman
Robert Pearman is a UK based IT worker bee. He has been working within the IT Industry for what feels like forever. Robert likes Piña colada and getting caught in the rain, he also enjoys writing about Technology like PowerShell or System Automation but not as much as he used to. If you're in trouble, and you can find him, maybe you can ask him a question.

31 Responses to Unravelling the mystery of Client DNS with Essentials family Servers

  1. paulbraren says:

    Thanks to Jason over at homeservershow forums, who tipped me off to this excellent article, Robert. So glad I found it!

  2. Brian Souder says:

    So this is a great summary of the issue. It seems to be triggered by users who travel a lot. They are switching wireless networks. Having end users running scripts is not very practical. Has there been any resolution announced for this issue?

    • voidHawk says:

      We have been disabling LAN config service on the client machines, especially laptops. I am no fan of Essentials, was it 2011 that also wanted a default configuration of the server as a DHCP client instead of static? Stupid. We would never use it but for the cost savings on licensing for the very small office segment.

      • I think if you look at the target audience for the product it made sense, however it was a poor implementation and has consistently shown not to work as expected. You might find Foundation Server is more your cup of tea.

  3. Brian Souder says:

    Would setting the wireless adapter to use alternative DNS fix the issue? Set the primary as server DNS it would normally get fixed to in the office, and then add secondary and tertiary of like OpenDNS (208.67.222.222 and 208.67.220.220) – maybe add Google 8.8.8.8 to be anal.

    • I would say no, simply due to the fact that primary/secondary DNS does not behave in the way you might expect.

      • Brian Souder says:

        I was supposed to have someone test it last night, but never heard back. I will keep you posted. Do you know if Microsoft has this tagged as a particular bug number? Thanks for your reply BTW.

  4. I am not confident changing server settings. What if I point the workstation dns to the router and also to the essentials server?

  5. Brian Souder says:

    So I believe I found a solution to the DNS being locked to the domain server issue. DHCP and DNS are moved back to the server. I did this on a Windows Server 2012 Essentials box. I have tested it with Windows 7 64-bit machines (just to be specific). I can’t take credit – I pieced it together from another couple of articles. The other articles were addressing the Home Edition of Server (which you guys mention), so I am not sure if they are completely different or this will work for you guys. The issue seems to be with one registry key.

    Reference Info for the Home Articles:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/e249b101-8165-4fd6-b92c-700000d137c6/if-the-wse-server-is-down-?forum=winserveressentials

    I am the last post in the forum – gives all the info so I do not take up too much space here.

    So these guys were doing all this crazy stuff during the install – maybe you guys need it. I looked at it and said – I would prefer not to do all that. So just to see if it would work, I just changed the registry key.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Server\Networking\ServerDiscovery

    then change

    “SkipAutoDNSServerDetection” from False to True.

    I have been having users try it, and so far when they are on other wireless networks it is no longer switching the DNS on the wireless over to the Server 2012 Essentials DNS statically. So far so good after about two weeks.

  6. Philipp says:

    Good to find this page. I am currently trying to migrate an SBS 2011 from one network 192.168.1.x / 255.255.255.0 to a new network with new infrastructure 192.168.10.x / 255.255.255.0.
    Changing the network and DNS settings seems not to be the only thing that needs adjustment.
    When I bring the server to the new network, no clients can access the shared folders anymore. Also the dashboard and launchpad don't get connectivity, so no backup service is running. In addition the DNS seems to be flaky. I adjusted the DNS Server entry to the new router (Zyxel USG110), but this stuff won't work as expected. Anything to change in the DC settings?

    Thanks in advance
    Phil

  7. Eric says:

    Hi

    I just finished of installing 2012 R2 server essentials, and all seems to be ok, except for one thing:

    Computer clients do not have access to all internet pages ! The server is ok, has access to all internet pages but clients no. For example from the clients I have access to Facebook and Google and Youtube, but not Amazon and others.

    Some people told me to add the IP addresses to the DNS forwarder (my server has two NICs), but when I tried to add those IPs (since there are no IPs there), when I press APPLY, I receive a message that the IP is invalid.

    I don’t know what to do, and what would be the problem. I need the server this Saturday at least.

    Years ago I installed the 2003 SBS for the previous server and all were working fine. But this 2012 essentials has new platform and I am still new with this.

    Please help me.
    Eric

    • Are you trying to run it in a 2 NIC ‘NAT’ configuration? That is not supported, and may be contributing to your problems.
      What IPs do you currently have as DNS forwarders?
      What IP does the Server use for DNS?
      What IP do the clients use for DNS?

      • Brian Souder says:

        Eric – did you use the Connector or traditional method for adding the workstations to the domain? When you go to a workstation and you do an IPCONFIG /ALL – what info comes up? Did you configure DHCP on the server or are you using the router for IP assignment? Can you fill in the info Robert requested above for DNS as well. Did you do both forward and reverse lookup zones in the DNS?

  8. Eric says:

    Hi
    I have 2 NICs: The one which is connected to the router through a cable is the integrated mainboard network card, the IP is 192.168.1.2, which is the network connection.
    The other NIC, 192.168.0.1, is the secondary network card which goes to a switch. This switch gives internet and network access to clients and other guests' computers. With Windows 2003 it was working very fine in that manner. In all clients we put in the properties of each NIC the static IPs, for example: 192.168.0.17, subnet mask 255.255.255.0, default gateway 192.168.0.1, Preferred DNS Server 192.168.0.1. The guests' computers don't need that configuration since they only access the Internet. Everything was working well with 2003 server. But now the only problem is that from clients we don't have access to some internet pages (for example: I have access to Google, Facebook, but not Amazon.com and others). From the server I can see all internet pages.
    I tried to add the NICs' IP addresses to the DNS forwarder, but when I press APPLY I receive a message saying that those IPs are invalid. I also tried 8.8.8.8 and it was accepted, and I get Amazon.com from the client (slowly), but I still don’t have internet access to other pages from the client computer and guest computer. All these client computers are OK with other gateway internet access (my house and other network). It looks like the problem is something with DNS. Please help me.
    Eric

    • You shouldn’t run Essentials like that. It is not SBS 2003. SBS moved away from that dual Nic NAT scenario in 2008. You will find things work much better with a single Nic in the server, and if you need to separate out guests to another lan then use vlan or similar method.

  9. Eric says:

    Solved! In my case, the 2012 server essentials is working with 2 NICs (2 network cards as 2003 SBS did). The problem was the FIREWALL of Antivirus END POINT PROTECTION of Symantec. Until now I disabled only the firewall of the antivirus, not the antivirus itself, and I can see now ALL web pages from all computers and have access to the hard drives of the server! The IP accepted in the DNS forwarder was the router IP: 192.168.1.1. Now I am working with this firewall. Thanks!

  10. asdaHP says:

    I am running server 16 with essentials. Wanted to point out that your write-up and one other were very helpful in picturing the problem with slow internet that I had. My clients' DNS points to the essentials server. The router was also set up with the server IP as first static DNS and with a second backup public DNS on the router. What I didn't realize was that the server was forwarding requests to the router. Net result: really slow internet, probably as things were looping back and forth maybe? I added Google DNS as first forwarder on my server and things are better.

    Now do you also suggest (as you show in an example above) that for a home setup I should place the server’s IP as primary DNS on the router, or should I leave the router to send DNS queries to my internet provider or for that matter Google, OpenDNS etc? Also, what is the recommended time (currently set at 3 secs) for the forwarder in the server DNS service?

    thank you!!

  11. Adam says:

    Simple question: why? What on earth does this overly-complicated process, that rides roughshod over normal IP configuration, achieve? The only possible answer it is saves asking for an IP address for the server during initial setup.

    For goodness sake Microsoft – it’s a server, not a desktop. Anyone using servers should know at least the very basics, like what static address a server should have. Because all servers should have static addresses – period.

    And once you assign the server a static IP, then you can enable DHCP and configure it correctly. And once DHCP is configured correctly to work with DNS, then you have no need for any of this shenanigans. Oh wait, that was SBS which has worked perfectly well for small businesses for 17 years.

    • The idea for Essentials was that it would be an off the shelf device purchase, that you fired up on an existing basic network, with just a router doing DHCP. This system allowed an existing DHCP server to stay in place (untouched) and for the server to have a dynamic IP. Which, when you think about it makes sense from a design perspective, but just has not worked out in practice.

  12. mammut says:

    Great article. I’m using server 2016 essentials together with lightsout 2.0 and three clients (w10x64pro). Until my new setup with 2016, I used whs2011. There was no domain controller and no problem with dns/dhcp from my router (fritzbox). Now I want to use domain services like “gpo”, dns, etc. and therefore I get the problem when my server is off. My dnsserver ip was still my server (I used a static ip). Using dhcp-ip for my server box helped (ipv6 both entries to auto; ipv4 dhcp to auto, dns ip to the ip from dhcp ip setup by router, i.e. 192.168.2.100). My clients get dns/dhcp from my server (both ipv6&ipv4 auto for ip&dns) and within 2min change dns from to my router (192.168.2.1) if server is off(or standby). The magic behind seems to work also.
    Does someone know the details or difference to 2012r2 essentials?
    Reason to ask is that Robert's script is not working with 2016 essentials.

    • What is it you want to do?

      • Mammut says:

        Do you know how it works in server 2016 essentials (service)?
        I had some trouble with one client which got a different network connection (different wlan access point). The automatic dns setting was broken (server offline: setting was still server dns ip and not my router). Only solution was to restore my c-drive from backup.

  13. Mark Berry says:

    Still fighting this in 2022. Need the 2016 Essentials Connector for backups but it’s failing to revert to DHCP when the laptop leaves the office LAN. Any info on how client DNS is managed by the 2016 Connector? I don’t see a LAN Configuration Service to disable.
