Diagnostics for VMware Cloud Foundation: DNS Dashboard
Article ID: 381707
Updated On:
Products
Issue/Introduction
Even though you configure DNS settings during deployment for fresh installations, or by migrating or importing existing infrastructure, if you do not monitor them over time, you might end up with a series of issues of DNS reverse lookup might cause, such as failing vSphere vMotion tasks. For example, if you do not set up a DNS reverse lookup, in some environments you get such connections labeled as insecure, which can break certain integrations with errors that no secure connection can be established. The resolution section lists links for troubleshooting DNS configuration issues, other issues caused by resolution issues, and general guides.
VMware Cloud Foundation Operations provides information about the DNS configuration for vCenter, ESX and NSX Manager.
Diagnostics reports whether DNS is configured for a given component, and if so, the DNS servers used. The count of configured/non-configured components includes only components that are inaccessible. Use the dashboard linked to the tile to verify that components within the same VCF deployment are configured with the same DNS servers.
Diagnostics also reports whether forward and reverse lookups succeed. Forward and reverse lookups are evaluated using the DNS server with which the Operations Appliance is configured. The DNS lookups report success if the PTR or A record lookup returns a value.
Note: VMware Cloud Foundation Operations includes the VMware Infra Health Overview dashboard that shows DNS configuration data. You may observe some transient discrepancies between the two. This Infra Health dashboard is populated by data from SDDC Manager while Diagnostics uses data from the individual components. SDDC Manager data is refreshed once every 24 hours.
Environment
Operations for VMware Cloud Foundation 9.0
Resolution
The VIH adapter performs forward (A record) and reverse (PTR record) queries against known vCenters, NSX and ESX hosts. It reports the number of failed forward and reverse lookups for each Domain, VCF Instance and across VCF Instances. A failure is considered a critical condition and is reported in the summary tile under their respective vCenters, ESX, NSX as well as Domain and VCF Instances. However, some customers may prefer not to do these scans in every VIH adapter's cycle or it is possible that they may want to disable the scan for their lower environments. In VCF 9.0. two control points can be used to achieve the desired behavior; A customer may enable or disable DNS for a set of objects and/or change the frequency at which the DNS scans run.
DNS scan frequency control
Navigate to Infrastructure Operations → Configurations → Inventory Management → Adapter Instances → VMware Infrastructure Health Adapter Instance
For each Infrastructure Health Adapter Instance, use the pencil icon from the menubar to Edit Object.
In the Edit Object screen, expand the Advanced Settings and set the "DNS Metrics Collection Delay (in Multiples of Collection Interval Time)" . Interpret this as "Run DNS scan once every N collection cycles".
Example: If the Collection Interval is set for 5 min and the "DNS Metrics Collection Delay (in Multiples of Collection Interval Time)" is set to 5 (as shown below), then the DNS scan will run every 5 min x 5 = 25 min.
DNS scanning specific objects
Note: This can be applied to the Default Policy to disable/enable DNS scanning completely or to a custom policy if you want to activate or deactivate DNS scanning for specific objects.
- To disable DNS scans, deactivate the "DNS forward lookup status is not passed" and the "DNS reverse lookup status is not passed" from the Alerts and Symptoms → Symptoms Definitions page. Infrastructure Operations → Configurations → Policy Definitions → <select policy> → Alerts and Symptoms → Symptoms Definitions Search Object Type: vCenter App.
- Repeat step 1 with Search Object Type: NSX-T App.
If you want the DNS scanning activated then set these definitions to "Activated".
- Then under Infrastructure Operations → Configurations → Policy Definitions → <select policy> → Metrics and Properties Search Object Type: vCenter App.
- Expand Properties → DNS Summary. Deactivate Forward Lookup Status and/or Reverse Lookup Status
- You can deactivate NSX-T DNS scanning by repeating steps 3 and 4 but using Search Object Type: NSX-T App
If you want the DNS scanning activated then set the properties described above to "Activated".
For troubleshooting and known issues related to DNS please refer to the following KBs.
Reasons why DNS may not be configured
- VMware vCenter Server Appliance hostname and DNS configuration revert after a reboot
- Unable to update DNS Servers using the SDDC Manager
Issues Caused by DNS Resolution problems
- Identifying issues with and setting up DNS name resolution on ESXi Server
- Resolving ESXi Host Disconnects Caused by DNS Resolution Failures in vCenter Server
- Failing to update/remediate/rotate NSX-T edge node root password with error: Failed to find a VM having prefix match of DNS name with FQDN
- Using checkADConfig to detect connectivity and DNS issues between vCenter Server and Active Directory
Instructions for Changing/Updating DNS
- How to change/update DNS Server IP address for vCenter Server
- ESX link to be determine
- Configure NSX Manager for Access by DNS Server
- SDDC manager link to be determined
Additional Information
Feedback
