This is an excellent post, thank you. I am having problems with DNS on our SBS2008 server. This explains some of the issues.
However, where do I find the scavenging check box? I've gone to DNS/ForwardZone/xxxx.xxx/right-click on entry in right-side pane/Properties, but there is no scavenging check box, only Update Associated Pointer. Also, DNS/ReverseZone/xxx.xxx.in-addr.arpa/right-click on entry in right-side pane/Properties, no check box.
I have a number of reverse DNS entries with a "static" timestamp that are causing problems. These are from very old PCs that have long been removed from our system. But of course we have server entries with a "static" timestamp that we need to keep.
Your help in this would be most valuable.
Thank you for your comment!
You make a good point that I forgot to mention where and how to set the Scavenging settings.
Right click your DNS Server name, choose "Set Aging/Scavenging For All records." A dialogue box pops up asking what settings you would like to set it to. I would suggest to leave it at the default 7 day settings.
I hope that helps!
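As an added example (not from the original post or from Ace's blog), the following PowerShell lists the PTR records in every reverse zone with their timestamp so the "static" entries (no timestamp) can be separated from aged ones, enables aging and scavenging with the 7-day defaults suggested above, and converts only the chosen static entries to aged ones so scavenging can remove them while server entries stay static. It assumes the DnsServer module (Server 2012+ or RSAT; on 2008 the same settings are made with dnscmd), and the zone and node names are hypothetical.

```powershell
# Added example, not from the original post. Assumes the DnsServer PowerShell
# module; zone '5.1.10.in-addr.arpa' and nodes '41','42' are hypothetical.
Import-Module DnsServer

function Get-ReversePtrAges {
    param([string]$DnsServer = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { $_.IsReverseLookupZone -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $zone = $_.ZoneName
            Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType Ptr |
                ForEach-Object {
                    [pscustomobject]@{
                        Zone      = $zone
                        Name      = $_.HostName
                        Target    = $_.RecordData.PtrDomainName
                        Timestamp = $_.Timestamp            # $null is what the console shows as "static"
                        Static    = ($null -eq $_.Timestamp)
                    }
                }
        }
}

function Enable-DnsAgingDefaults {
    param([string]$DnsServer = $env:COMPUTERNAME)
    # Server-wide scavenging every 7 days; push 7-day no-refresh/refresh to every zone.
    Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
        -ScavengingInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00 `
        -RefreshInterval 7.00:00:00 -ApplyOnAllZones
}

function Start-AgingForStaleNodes {
    # Stamp the named static records with the current time so they age out like
    # dynamic ones (the dnscmd /AgeAllRecords equivalent). Do NOT run this for
    # server records you intend to keep: the missing timestamp is what protects them.
    param([string]$ZoneName, [string[]]$NodeNames, [string]$DnsServer = $env:COMPUTERNAME)
    foreach ($n in $NodeNames) {
        Set-DnsServerResourceRecordAging -ComputerName $DnsServer -ZoneName $ZoneName -NodeName $n -Force
    }
}

# 1. Review first: every static PTR, grouped by zone, before anything is allowed to age
Get-ReversePtrAges | Where-Object Static | Sort-Object Zone, Name | Format-Table -AutoSize

# 2. Turn aging/scavenging on with the 7-day defaults, then confirm on one zone
Enable-DnsAgingDefaults
Get-DnsServerZoneAging -Name '5.1.10.in-addr.arpa'

# 3. Let the PTRs of two long-gone PCs (hypothetical last octets) age out; leave servers alone
Start-AgingForStaleNodes -ZoneName '5.1.10.in-addr.arpa' -NodeNames '41', '42'
```

Scavenging removes a record only once its timestamp plus the no-refresh and refresh intervals has passed and a scavenging pass runs, so with the defaults the converted entries disappear roughly two to three weeks after step 3, not immediately. Entries you never want scavenged should simply be left without a timestamp (static).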
Thank you! This appears to have fixed the problem I had with mixed (large) file copying between XP and Windows Server 2008. I used your Option 1 on the server and rebooted. It appears that both commands are important (rss and autotuninglevel).
I have heard that TCP scaling is not compatible with some network hardware, and I suspect my Linksys switch is in this category (see URL below). Thanks again, very helpful.
Linksys page on the same topic: forums.linksysbycisco.com/.../message
Interesting to hear that, considering I am not a woman.
You are welcome, Fred. I'm happy to hear it helped.
Yes, TCP scaling is not compatible with all NICs. I'm not sure if the switch specifically is a factor, having not tested that as a factor, but it could be.
Thank you for posting that link and your comments.
Your blog has really good information about WINS NetBIOS.
Multihomed DCs with DNS, RRAS, and/or PPPoE adapters --- Ace Fekay, MVP, MCT, MCTIP EA, MCTS Windows
Implementing folder redirection, point 13: moving the location of the users' home drive. Simply mirror the folders? What does this mean? It's gibberish.
Ian, Point #13 simply states that if you want to move the home folders (and maybe I should have added, "... move the location of everyone's redirected folders...") to a new server, recreate the home folders on the new server and set the permissions exactly as they are for each individual folder on the original server. Then change the GPO to set the new location. When the user logs on, the system will automatically move the data.
Keep in mind, this is based on the way I set this up, meaning that the users' home folder IS their My Documents folder.
Not everyone sets it up this way. You can provide users a "Home" folder that is not at the same location as their "My Documents" redirected folders. I opted to set it up so that their "My Documents" folder IS their Home folder.
I hope that makes sense and removes any perceived "gibberish."
How To Disable IPv6 Ace Fekay, MCT, MCTIP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
How do the recommendations in this blog apply to Windows Server 2008 R2 Active Directory servers?
I'm really interested in your post.
But there is a little bit of confusion when I read all of your post.
So basically, can I use the same name for the local domain as the name of my internet address?
Say I have http://www.abc.com.au, and then I would like to create my domain or DC for the first time. Of course I have to have a forest name, which is my main concern, so should I use the same name as my website name or not? What are the good and bad things about that issue?
Exchange and domain rename
EventID 1054 Ace Fekay, MCT, MCTIP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2000/2003
I do find it "amusing" that you can spend big bucks on a brand new server that now comes by default with at least 4 NICs, and if it is a DC you can't use them.
A small problem: in Windows 7 Ultimate PL, I cannot disable RSS, and I am asking why, or how I should do this?
Disable RSS in the registry:
Open regedit and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
At this Parameters level add a new DWORD key:
Edit > New > DWORD, name EnableRSS
so it will look like HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableRSS
We create the key named EnableRSS and set it to 0.
Still in regedit, go to the same place:
at this Parameters level add a new DWORD key, DisableTaskOffload
Edit > New > DWORD, name DisableTaskOffload: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload
So we create the new key named DisableTaskOffload and set it to 1.
After the restart, run cmd > netsh interface tcp set global rss=disabled !!!!!!!!!!!
and now it is OK...
netsh interface tcp show global...
RSS = disabled !!!
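The same procedure as a script, added here as an example (not from the original post or the commenter): it sets the two registry values described above, applies the matching netsh settings to the running stack, and reads both back so the registry and the live state can be compared. The registry values are only read at boot, which is why netsh can still report RSS as enabled right after they are created; netsh reports the live state. The netsh labels matched below are the English ones and are localized on a Polish (PL) Windows, so adjust the patterns there.

```powershell
# Added example, not from the original post. Run elevated on Vista/7/2008 or later.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Set-TcpOffloadRegistry {
    param([int]$EnableRSS = 0, [int]$DisableTaskOffload = 1)
    New-ItemProperty -Path $tcpip -Name EnableRSS -PropertyType DWord -Value $EnableRSS -Force | Out-Null
    New-ItemProperty -Path $tcpip -Name DisableTaskOffload -PropertyType DWord -Value $DisableTaskOffload -Force | Out-Null
}

function Get-TcpOffloadState {
    $reg   = Get-ItemProperty -Path $tcpip -ErrorAction SilentlyContinue
    $netsh = netsh interface tcp show global
    # value after the colon on the matching line of the (English) netsh output
    $pick = { param($pattern) ($netsh | Where-Object { $_ -match $pattern }) -replace '^[^:]*:\s*', '' }
    [pscustomobject]@{
        Reg_EnableRSS          = $reg.EnableRSS            # $null means the value was never created
        Reg_DisableTaskOffload = $reg.DisableTaskOffload
        Netsh_RSS              = & $pick 'Receive-Side Scaling State'
        Netsh_AutoTuning       = & $pick 'Receive Window Auto-Tuning Level'
        Netsh_Chimney          = & $pick 'Chimney Offload State'
    }
}

'Before:'; Get-TcpOffloadState

Set-TcpOffloadRegistry -EnableRSS 0 -DisableTaskOffload 1
# Live settings; these are the two the thread found to matter for file copies
netsh interface tcp set global rss=disabled             | Out-Null
netsh interface tcp set global autotuninglevel=disabled | Out-Null

'After (reboot before trusting the registry side):'; Get-TcpOffloadState
```

If the "After" listing still shows RSS enabled on the netsh side after a reboot, the NIC driver is re-enabling it; check the adapter's Advanced properties (Receive Side Scaling) rather than the TCP/IP parameters.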
I'm wondering if you have noticed another change in the behaviour of DNS Round Robin in Windows 7. If one of the IPs from the list returned by the DNS server goes offline, the client will failover to the next available IP. This is the best change in DNS round robin in years, other than changing the selection algorithm from one version to another.
When a person registers a domain such as "myown.com", he/she is required to enter their public WHOIS contact information so that anyone can contact the owner if a website is down or doesn't have their contact email or at least a form. Since the domain
Robert, you can team the NICs. Create one team with two standby NICs.
Andrei, yes, I read that, but I can't remember where I read it. I thought I read it in a KB, but I can't find it. If you have a link to it, please do post it! :-)
Maslok, thanks for posting that. I believe I have that in my RSS link, posted in the blog.
I appreciate you adding the procedure!
Thanks for the update on WINS NetBIOS. It will save me a lot of time. Thanks!
Complete Step by Step to Remove an Orphaned Domain controller Ace Fekay, MCT, MCTIP EA, MCTS Windows
Hi Domain Tools and Validation,
When you register a public domain name, you need to set the information the registrar requires. However, you don't necessarily have to make your information available to the public. You can opt to hide it and make it private for WHOIS lookups. It's an added feature registrars offer for an additional price. This way your information shows up as private, with only the registrar's information along with a registrar's email address that people can use, and the registrar will forward it to your own email address. This keeps your information private as well as preventing domain hijacking.
These settings were intended for servers that are offering file sharing. I have not come across a situation that requires a workstation's RSS service to be disabled, nor do I know the implications of disabling it on a workstation.
Are you sharing out files for multiple users? If so, are they having problems accessing the files? Keep in mind, with any workstation operating system, file sharing is limited to 10 concurrent users, so if you have more than 10, the 11th user trying to connect will not be able to.
Domain Rename Procedure Notes Ace Fekay, MVP, MCT, MCTIP EA, MCTS Windows 2008 & Exchange 2007, MCSE
I'm sorry, I don't understand Spanish. Can you repost in English, please?
Great article. I don't know why MSFT hasn't done a KB on this because to me, this is the way to go rather than annoy users with "Hey - we have a new DC/File Share Server and you need to change all your mapped drives, etc - have a nice day"
Hi Robert. Thank you. This came up at one of my customer installations. I tried to refine it and explain each step to make it easier for everyone to understand.
I'm sorry for not seeing this sooner to respond. Yes, you can use the same name as your internet public domain name. There are just caveats dealing with DNS and accessing your website if it's hosted externally.
You can see what I mean in more detail in my other blog:
Split Zone or no Split Zone - Can't Access Internal Website with External Name
Hi Mike, sorry for the really late response. It's pretty much the same. The settings are practically similar if not the same.
You really don't want to multihome a DC no matter what OS. However, SBS is designed to work with it, but many, as well as I, suggest to not multihome SBS either.
What's in an Active Directory DNS Name? Choosing the Same As Your Public Domain Name, a ".net"
I don't really understand why the parent zone can't be forest replicated in a parent-child delegation scenario. Or at least the _msdcs zone.
Also, you didn't explain how each child domain can resolve names from other child domains. Can you please clarify those two for me?
Sorry, I forgot to clarify that implementing search suffixes can't be an option for large enterprises where local admins are not really IT people, and this is why I need to know if there is a workaround that can achieve the same results.
I was thinking of creating stub zones for each child domain on the parent and forwarders on every child. This way, each child DNS resolution will go to the parent zone and will be answered via recursive queries to the stub DNS servers by the parent DNS servers. Can this be a possible design scenario?
Will using stub zones (instead of delegation) override the need to have the parent zone as domain replicated, and keep it as forest replicated?
Great article, but there are a few very critical details in regard to converting the zone to a standard primary that I think might have been left out:
1. Converting the zone on a DC that is loading the wrong zone can be disastrous.
2. Converting an AD integrated zone to a standard primary removes security for all records in the zone.
Number 2 can get very ugly after importing the zone back to AD with scavenging and aging enabled.
For me, I'd avoid pulling the zone out in this way. I would identify the duplicate zone within AD via ADSIEdit, rename it, replicate that out, then restart DNS so that both the zones load. i.e. contoso.com and contoso.bad.
Once I know that there are no issues, after a week I delete the bad zone.
And while InProgress.. are always safe to delete (and never the source of 4515s), CNF zones should be handled cautiously as they could be the zone you really want to save.
WINS - What Is It, How To Install It, and how to Configure DHCP Scopes For WINS Client Distribution
I don't think there is any KB about this, or I couldn't find one until now. I hate it when MS changes things and doesn't document it.
Hi Ace. Thanks for a very comprehensive article on the issues related to multihomed domain controllers.
We are a SMB with 3 existing Win2K3 R2 x64/Win2K8 x64 DCs (both of which are also internal DNS/DHCP and also serving other roles such as file, app, etc.) We planned to add an additional NIC to each DC to be used with iSCSI storage device.
Will we need to go through the 10 steps for each of the DCs just to eliminate the unwanted DNS registration of the SAN interface?
DNS Records Disappearing and DNS Auditing By Ace Fekay, MCT, MCTS Exchange 2007, MCSE & MCSA 2000
www.tooLongPath.com saved me a lot of time in solving this problem
To be sure. We have the dhcp service on a DC and the user account is configured. Should we use the dnsproxyupdate group too?
Thanks a lot
register domain names at www.ezy-domain-names.com
Active Directory FSMO Roles Explained Ace Fekay, MCT, MCTIP EA, MCTS Windows 2008 & Exchange 2007
Sorry for not responding sooner. Yes, you must. It's recommended to not multihome a DC due to the DNS entries created by netlogon, DNS, and the default operating system DynamicDNS registration process, otherwise you must manually control the registration process.
Configuring DNS Search Suffixes Ace Fekay, MVP, MCT, MCTIP EA, MCTS Windows 2008 & Exchange 2007
Too much work. Why create more work for yourself when Microsoft provides a way to automate.
Just setup the permissions right to begin with on a root user folder (support.microsoft.com/.../555046) and use %username% for the homedir path. Copy a template user with homedir, fill in the fields, done! New user WITH home dir all setup. Keep it simple, work smarter not harder...etc.
Ace, great write-up; not only for information/implementation, it refreshed and confirmed thoughts I had about a problem on a migration.
Zack's comment would assume that you are working on a new network that has not yet been set up; we don't always have this luxury, especially as I have joined networks where sysadmins have come and gone before me who did not work smarter nor harder.
Many thanks from the team here in Kandahar Airfield Afghanistan.
WHERE do the entries on the DNS SERVER side come from that fill in the "srchlist" on the DNS SERVER?
Bring up nslookup on a DNS server. Do a "set all" to see the settings. I've manually fixed the "srchlist" many times on every DNS server and yet when I come back a day or so later, the settings have gone back to having a bunch of old domains that I don't even have anymore and am not even hosting showing up in the srchlist.
BTW, you need to do some work on the entry fields as where they are located is completely invisible to my browser.
thanks for the great article.
One note: in Step 2, the default value of the intersite replication interval for Server 2003 and above is 15 seconds, and 3 seconds for the pause. So the 5 minutes only applies to W2K.
It can be extremely useful to use subnet calculator while subnetting.
You are right about two things:
1. There are at least twenty-gazillion articles out there on this topic.
2. This has to be the most comprehensive and concise description of this process I have seen so far. I have had to do this on several occasions and, invariably, I'd miss a step or two because many of the articles out there assume you do this every day for a living. Your article leaves nothing to the imagination: complete, and it even includes cross-references for more information.
Have you considered putting this up on Wikipedia?
I am definitely going to book-mark this one!
But the event ID in 2008 is different than in 2003:
in 2008 it is 5136
in 2003 it is 566
Great DHCP advice. I spent way too much time trying to figure out why DHCP wasn't updating DNS in certain scenarios. Credentials fixed the issue. Thanks!
For some reason firefox/ie9 isn't showing the text box frames for the comment required inputs. The only frame I can type into visible is the "comments" textarea. The rest I had to click around for.
Entries on a DNS server can be manually added to the NIC's TCP/IP properties' suffix list or just being part of a domain will add the suffixes.
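As an added example (not from the original post or Ace's reply), this script reads every source the Windows resolver combines into the suffix search list that nslookup prints as "srchlist", so a list that keeps "coming back" with old domains can be traced to the setting that produces it. It runs on the machine being diagnosed and assumes nothing about names.

```powershell
# Added example, not from the original post. Reads the resolver's suffix sources
# from the registry; works on 2003/2008 as well as later versions
# (on 2012+ Get-DnsClientGlobalSetting shows the effective SuffixSearchList).
function Get-DnsSearchListSources {
    $tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $p   = Get-ItemProperty -Path $tcpip
    $gpo = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue

    # Connection-specific suffixes: typed on the NIC, or handed out by DHCP (option 15)
    $perIf = Get-ChildItem -Path "$tcpip\Interfaces" | ForEach-Object {
        $i = Get-ItemProperty -Path $_.PSPath
        if ($i.Domain -or $i.DhcpDomain) {
            [pscustomobject]@{ Interface = $_.PSChildName; Static = $i.Domain; FromDhcp = $i.DhcpDomain }
        }
    }
    # Devolution is on unless explicitly disabled
    $devolution = if ($null -eq $p.UseDomainNameDevolution) { 1 } else { $p.UseDomainNameDevolution }

    [pscustomobject]@{
        PrimaryDnsSuffix   = $p.Domain        # from domain membership (System Properties)
        DevolutionEnabled  = $devolution      # adds parent domains of the primary suffix
        LocalSearchList    = $p.SearchList    # "Append these DNS suffixes (in order)" on the NIC
        GpoSearchList      = $gpo.SearchList  # Computer Configuration > Administrative Templates >
                                              #   Network > DNS Client > "DNS Suffix Search List"
        ConnectionSuffixes = @($perIf)
    }
}

$src = Get-DnsSearchListSources
$src | Format-List

# Precedence, highest first: a Group Policy list replaces everything; otherwise a local
# "append these suffixes" list replaces the primary/devolved/connection-specific set.
if ($src.GpoSearchList) {
    'srchlist is set by Group Policy; local edits are overwritten at the next policy refresh.'
} elseif ($src.LocalSearchList) {
    'srchlist comes from the NIC "Append these DNS suffixes" list.'
} else {
    'srchlist = primary suffix (+ devolved parents) + connection-specific suffixes.'
}
```

For the reverting-list problem described a few comments up, the GpoSearchList field is the one to look at: a policy-set list is re-applied at every policy refresh regardless of what was fixed by hand in nslookup or the NIC properties.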
Just an addition to the good information above: I'd suggest entering "set debug" right after running the "nslookup" command. This way nslookup will show more information and you will be able to see the response flags, which may allow you to find out whether a given query response got the "truncated" flag or not ;-)
Can you change the link you have off my site to point to my new community server blog? I'm trying to redirect people to that one instead of the Community server blog you have linked?
Change this link:
How to Configure Conditional Forwarders in Windows Server 2008
To this link
By the way, I've noticed it takes a looong time for stuff on my community server blog to come up in search engines :(
EventID 1054 Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008
Slow file transfer and connectivity with Windows 2003 SP2, Windows 2008, SBS 2003 SP2 & SBS 2008
Is it true that 2008 R2 wouldn't bring any help with
"Register this connection's addresses in DNS" on the network card settings?
Do I have to configure this (support.microsoft.com) also in 2008 R2?
Ace, outstanding post on disappearing records!! I've been searching for an in-depth discussion and it appears you have nailed it. Thx, C
Long Path Tool can help you to overcome these barriers by tweaking the file tree adequately to facilitate the modification or deletion of files. The unloading of locking process and other accompanying operations are being carried out by the cannot delete file fixer at a great pace.
you should try this one
My situation is simple: I have a remote location on the East Coast, and the office has closed for good, and of course before I got the chance to use dcpromo to take it out of my directory the server died (hardware failure). The server over in NY is 2003 Server R2 SP2. At HQ, I have the 2008 R2 Server AD and I want to delete/remove the NY AD server for good. Keep in mind that I don't need to install or re-install a new AD server since the office is closed for good, thanks. I still have 3 other sites which are running perfectly right now. Only HQ has the main DC. Please help, thanks.
Thanks for sharing.
Virtualizing Domain Controllers Ace Fekay, MVP, MCT, MCTIP EA, MCTS Windows 2008 & Exchange 2007
Virtualizing Domain Controllers and the Windows Time Service Ace Fekay, MVP, MCT, MCTIP EA, MCTS Windows
Great article. One question though. After adding the first 2008 R2 Enterprise to my 2003 Domain Environment, I see under the System Event logs some warning: Event ID 36886 - Schannel:
No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
I have tried to look this up. But no real answer to my question. Does anyone know why it is throwing this warning and if this is a concern or have a solution? Any input would be a great help.
I have the exact same situation as in Scenario 1, except that when I follow the steps I still cannot view my website from inside my LAN but can do so from outside my LAN.
The website is hosted on an external server with a static Ip address that does not change.
Will subnet prioritization also take place for AD sites?
Suppose there is one site that has a class C subnet whereas the default-first site has a class B subnet, will client in the class c subnet site stay within that network address space to locate an available DC?
So prioritization will have the client resolve in this manner Class C, B, then A. Is that a correct assumption?
Would these changes be applicable for a virtual Windows 2008 server running in VMware?
Good stuff...! Thanks!
There are seemingly some discrepancies with what you describe and what MS says.
You reference KB842197 in your article, so I'm not sure why the discrepancy arises.
The KB states:
"The initial release of Windows 2000 Server cannot natively use the netmask ordering feature and the round robin feature at the same time. If the netmask ordering feature is turned on, the answers are always provided to the clients in the same order. In Windows Server 2003, this behavior changed to permit the use of both the subnet-based netmask ordering feature and the round robin feature. The use of both the netmask ordering feature and the round robin feature provides proximity awareness and load-balancing. "
However you state:
"However, if Round Robin and Subnet Priortization is enabled, Round Robin wins. "
You further go on to quote technet.microsoft.com/.../cc961422.aspx
However that technet article is specifically for the 2000 resolver and it would seem the KB article which specifically states that the behavior is changed post 2000 would override the technet article and thus your description of Round Robin overrides.
Perhaps you just need to be more specific that what you describe is changed in 2003?
Or, maybe I'M missing something :D
Can you please clarify Step #8? Not sure what DNS setting to change and to which server.
If I have a domain with multiple locations:
Main site class B net, offices class C net.
All locations have their own DC/DNS servers, AD integrated; Sites and Services are configured.
What value must I use for LocalNetPriorityNetMask (after enabling this feature)?
I suggest setting only the main site to 0x0000ffff and leaving the offices on their default entry?
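The following is an added example (not from the original post or any commenter) for the two threads above: the KB-versus-article question about netmask ordering and round robin, and the LocalNetPriorityNetMask question. It simulates how a DNS server with both features enabled orders an A-record set for a given client, so the effect of a mask value can be seen before changing it, and then shows the server-side commands. LocalNetPriorityNetMask is an inverse mask: the set bits are ignored in the comparison, so 0x000000FF (the default) compares the first three octets, 0x0000FFFF the first two, and 0xFFFFFFFF compares nothing, making every answer "local" so only round robin remains. The sample addresses are constructed.

```powershell
# Added example, not from the original post. Sample records and client are made up.

function ConvertTo-Int64Ip {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    # big-endian octets -> 32-bit value held in Int64 to avoid signed overflow
    ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Get-NetmaskOrderedAnswers {
    param(
        [string]$ClientIp,
        [string[]]$Answers,
        [int64]$LocalNetPriorityNetMask = 0x000000FF,  # default: last octet ignored (/24)
        [int]$RoundRobinOffset = 0                     # how far round robin has rotated the set for this query
    )
    # Round robin: rotate the record set, then netmask ordering partitions it.
    $n = $Answers.Count
    $rotated = @(0..($n - 1) | ForEach-Object { $Answers[($_ + $RoundRobinOffset) % $n] })
    $compareBits = (-bnot $LocalNetPriorityNetMask) -band [int64]4294967295
    $clientNet   = (ConvertTo-Int64Ip $ClientIp) -band $compareBits
    $local = @(); $remote = @()
    foreach ($a in $rotated) {
        if (((ConvertTo-Int64Ip $a) -band $compareBits) -eq $clientNet) { $local += $a } else { $remote += $a }
    }
    $local + $remote   # local-subnet matches first; round-robin order kept inside each group
}

$records = '10.1.7.10', '10.1.5.30', '192.168.1.5', '10.1.5.31'   # constructed A records for one name
$client  = '10.1.5.20'

'Default mask 0x000000FF (/24):'
Get-NetmaskOrderedAnswers -ClientIp $client -Answers $records -RoundRobinOffset 1
# -> 10.1.5.30, 10.1.5.31, 192.168.1.5, 10.1.7.10

'Mask 0x0000FFFF (/16), the class B case asked about above:'
Get-NetmaskOrderedAnswers -ClientIp $client -Answers $records -LocalNetPriorityNetMask 0x0000FFFF -RoundRobinOffset 1
# -> 10.1.5.30, 10.1.5.31, 10.1.7.10, 192.168.1.5

# Server side (run on the DNS server, then restart the DNS Server service).
# dnscmd accepts the 0x prefix; regedit's hexadecimal field does not (type ffffffff there).
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' -Name LocalNetPriorityNetMask -ErrorAction SilentlyContinue
dnscmd /Config /LocalNetPriority 1
dnscmd /Config /RoundRobin 1
dnscmd /Config /LocalNetPriorityNetMask 0x0000ffff
```

The value is per DNS server, not per site, so in the multi-site layout above each server compares the client's address against the records it returns using its own mask; a /16 mask on the main-site servers and the default /24 on the branch servers is consistent with the subnets described, but clients in a class C office querying a main-site server will then be matched on /16 as well.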
This is an Excellent article! The thing which i like most in your posts is simple diagrams you use to explain "how it works" . It just stays in mind forever. I have already bookmarked your blogs! :) Keep Going!
Sr.Administrator - Server Support
Assuming proper NTFS ACLs are provided on each folder required, why restrict the share at all? Aside from seeing the folder, users will just get access denied when they click it.
Domain Rename Part 1 - Setup on thelazyadmin.com is no longer available
Thanks, Mohan! I've always tried to strive for the simplest explanation. It does help to remember it!
Thanks for the great feedback!
Jim H, thanks for the feedback! I would have responded sooner, but I don't receive email updates when comments are left!
Johnny, you'll need to manually rip out the failed DC from the AD database. That's what this article addresses. I know it's a bit late responding, but have you ever resolved this?
Is there any way to control which DNS zones get replicated to the RODC? I have some internal zones which are AD integrated between all my internal DCs. I am placing an RODC in the DMZ, but I only want it to have one or maybe two of the zones. If all my zones are AD integrated, I am thinking that the RODC will try to bring them all in, as read only copies of course, but all of them since it is a DC/DNS.
Thanks In Advance!!
This is great info. Thanks for sharing!
It depends on the replication scope of the zone and whether you have other domains in the forest, but basically, the way I see it, if the zone is AD integrated in DomainDnsZones, it will replicate all zones in that domain. If in a different domain's DomainDnsZones, no.
Remove a Current Operational Domain Controller from Active Directory Ace Fekay, MCT, MVP, MCITP EA, Exchange
Active Directory Lingering Objects, Journal Wraps, Tombstone Lifetime, and Event IDs 13568, 13508, 1388
Unlike mark, I think the share permissions should be more restrictive. Don't give the group in question (whether it's authenticated users or not) Full control, and then control access with ntfs solely. For defense in depth, if you're going to make the target group have read, assign the group Read at the share level too.
Remember, many a worm spread through everyone full share permissions (yes combined with lax ntfs), but if you have two locks on the door, use them.
DHCP, Dynamic DNS Updates , Scavenging, static entries & timestamps, and the DnsProxyUpdate Group
Remove an old DC and Introduce a new DC with the Same Name and IP Address Ace Fekay, MCT, MVP, MCITP
Joining a computer to a domain over a client VPN connection Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010
The Microsoft best practice method is to allow Full Control on the Share side for Authenticated Users and not the Everyone group, then lock it down on the NTFS side. This way it works whether a user accesses it through the share or logged on locally.
As for locking it down at the share side, say only providing a group Read, defense in depth or not, then you're locking down access altogether. So if that's the case, one way around it is to provide Authenticated Users Change and Administrators FC, but then again, if the worm, virus, or what have you, gains access under the Administrators account, the same thing will happen.
The balancing act between allowing access and security can be challenging at times, because part of our main goal is to provide business productivity for users to do their jobs.
Hopefully there are other protection measures in place, such as an active IDS that will catch something like this as it occurs.
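An added example (not from the original post or any commenter) that ties together three points above: Zack's "%username%" home-directory approach, the earlier advice to recreate each user's folder with identical permissions when moving home folders to a new server, and the share-versus-NTFS discussion just above. It builds a home share with Authenticated Users (not Everyone) Full Control at the share level, leaves access control to NTFS, and gives each user a folder only they, Administrators and SYSTEM can modify. The server path, share name and user 'jdoe' are hypothetical; the SMB cmdlets need Server 2012+ (on 2008 use "net share" for that one step).

```powershell
# Added example, not from the original post. D:\Home, Home$ and 'jdoe' are hypothetical.
Import-Module ActiveDirectory
$root  = 'D:\Home'
$share = 'Home$'

function Set-ExclusiveNtfsAcl {
    # Replace the inherited ACL on $Path with exactly the rules in $Grants (identity -> rights).
    param([string]$Path, [hashtable]$Grants, [string]$Inheritance = 'ContainerInherit,ObjectInherit')
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)                    # stop inheriting from the parent
    $acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    foreach ($id in $Grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $Grants[$id], $Inheritance, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function New-HomeShareRoot {
    New-Item -ItemType Directory -Path $root -Force | Out-Null
    # Root: users may only list it ("this folder only") so they can reach their own folder
    Set-ExclusiveNtfsAcl -Path $root -Inheritance 'None' -Grants @{
        'BUILTIN\Administrators'           = 'FullControl'
        'NT AUTHORITY\SYSTEM'              = 'FullControl'
        'NT AUTHORITY\Authenticated Users' = 'ReadAndExecute'
    }
    if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
        # Share level: Authenticated Users Full Control; NTFS does the real restriction
        New-SmbShare -Name $share -Path $root -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
    }
}

function New-HomeFolder {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $path = Join-Path $root $SamAccountName
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    Set-ExclusiveNtfsAcl -Path $path -Grants @{
        'BUILTIN\Administrators'          = 'FullControl'
        'NT AUTHORITY\SYSTEM'             = 'FullControl'
        "$env:USERDOMAIN\$SamAccountName" = 'Modify'     # create/delete own files, cannot change the ACL
    }
    # The same value a template user carries as \\server\Home$\%username%
    Set-ADUser -Identity $SamAccountName -HomeDrive 'H:' `
        -HomeDirectory "\\$env:COMPUTERNAME\$share\$SamAccountName"
}

New-HomeShareRoot
New-HomeFolder -SamAccountName 'jdoe'
Get-Acl -Path (Join-Path $root 'jdoe') | Format-List Owner, AccessToString
```

Run New-HomeFolder once per user on the new server to reproduce the per-folder permission set before switching the GPO or the home-directory attribute, which is the "mirror the folders" step from the earlier reply. Giving the user Modify rather than Full Control is the one deliberate deviation from what the ADUC %username% shortcut grants: it keeps users from widening their own folder's ACL.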
@Chris, thanks for the plug!
@Ahmed, thanks for pointing this out. For others reading this, refer to Jorge's blog explaining the additional event IDs that may appear in conjunction with auditing directory account objects:
Auditing in Windows Server 2008:
Very useful and great article.
Great quality info as always...
I have a question, where do you get all your info. Can you recommend any learning material besides the 70-64x MS Press books? Thanks!
Excellent Article..... Good Job Ace!!!!!!!!!!!!!
You are MAN
Thanks, Patris! :-)
IIS 7 & IIS 7.5 - Creating an SSL Certificate Request Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010
Okay, some 'screen-shots' would be good.
One critical point you did NOT cover:
Even if you are on "Server A" and you set "Server B" as a push/pull partner, you STILL need to go onto "Server B" and set "Server A" as a push/pull partner; which is odd - you would think that, by setting Server B as a 'push/pull partner,' it would automatically somehow update Server B's WINS server info, but it doesn't.
I am trying to create a domain cert for my SCCM server, which is Win2K8R2 with IIS 7.5. The CA for the domain is a Win2K3 server. Every time I try the request I get this error: CCertRequest::Submit: The parameter is incorrect. 0x80070057 (WIN32:87)
I did some searching, but I am not finding any answers. I have issued a domain cert to another Win2K8R2 server in the domain from the same CA. So I am at a loss.
Your post is really useful. Thank you
In Windows Vista (and Windows Server 2008) Microsoft moved the registration functionality from the DHCP Client service to the DNS Client service.
Will your article be correct for Windows 7 Clients?
In multiple DNS server scenarios, where scavenging has always been off, timestamps don't get replicated until I turn scavenging on, right? Many articles recommend only turning scavenging on on one server. Does this mean timestamps will get replicated *to* that one server, but not from it? (Not so far in my testing.)
I want to verify the timestamps are correct everywhere *before* I enable scavenging, but I can't verify timestamp replication *until* I enable scavenging.
No takers, huh! Well, I resolved the issue in a roundabout way. Instead of doing a domain cert, I ran a request for a cert and then manually went to the cert server and generated a cert. I then finished the cert request and, lo and behold, it worked. I still don't know what the error is about, but I found a workaround.
Great article. Dumb question: would this work for a server that has been physically removed from the domain but keeps showing up in Group Policy Management? I thought it was correctly removed but it is causing us some problems, and it is now physically removed.
Yes, it works the same for 2000 and newer clients, no matter what the local service is called that performs DNS Dynamic registration.
Yes, you must enable scavenging on one server. And I know we've discussed this in your Technet thread posting. For others, you may want to read the thread for more info and the informative discussion on how this works:
Technet Thread Question: "DNS timestamp replication (again), and Scavenge vs Enable Automatic scavenging" (3/10/2012): social.technet.microsoft.com/.../431c3597-e2d1-4061-96ed-4672532dc126
So, I have an issue. The same as everyone else: internal and external domain are the same.
Before, I had an A record set up that was working fine. Then I moved to a dedicated server via GoDaddy. I then changed the A record in my internal DNS but it is no longer resolving. Weird. I tried setting up forwarding on both of my DCs in IIS. But I am using IIS for other things internally.
Question about centralized configuration. If I have multiple child domains in a centralized configuration, can a system from a child domain query for a record in another child domain using the short name, without a DNS suffix configuration?
I run 2008R2 everywhere.
My DCs are also DNS servers.
All the DCs are virtualised on Hyper-V.
I had problems with client PCs getting the wrong result until I disabled IPv6 on my DCs.
My Hyper-V hosts still got the wrong result even with IPv6 disabled on the DCs. It wasn't until I disabled IPv6 on the host as well that I started to get the correct results.
Thanks for snapshots
concerning #2 if the lowest DC is 2003 and the domain level is 2003 the time is 15 seconds, right?
But at the point MaxPollInterval: 32,768 sec / 60 = 546.13 min / 60 = 9.10 hours, isn't it?
Good help for engineers who want to make this process easy.
Do you have something for the scenario below?
Old datacenter: Windows 2003 Active Directory, Exchange 2003
New datacenter: Windows 2008 Server
No connectivity between the old and new datacenter. I would like to move the Windows 2003 users (DB) to Windows 2008 with the same forest, domain etc. maintained as is.
Hmpf, still a lot of work in IIS, even in the latest version. I hoped they would do better with the newest release.
But good luck; one less reason to take the 2008 R2 step on the migration road.
Do you know if IE9 disregards all this and uses its own prioritization? We seem to have a problem with that, as described in this thread: social.technet.microsoft.com/.../4c31f436-edda-4733-910b-0f778b4dce14
Great Post! You've obviously done your homework.
I have a few additional questions:
1. Is the "OWNER" of a DNS record found by right-clicking the record in DNS and selecting Properties->Security->Advanced->Owner? Many of the DNS records seem to be owned by 'SYSTEM', some by <dhcpServerName>$, and some by <theWorkstation>$. This doesn't seem right based on what I read.
2. If a dedicated user account is used on the DHCP server to register dynamic DNS updates, does that user need to be a member of the DNSUpdateProxy group?
3. If I begin using a dedicated user account to register dynamic DNS updates, is there anything to be aware of concerning the existing DNS records?
4. DHCP option 81 - Should "Always dynamically update DNS A and PTR records" be selected?
5. DHCP option 81 - Should "Dynamically update DNS A and PTR records for DHCP clients that do not request updates" be checked?
6. DHCP lease duration for all scopes is currently set to 1 Day. No Refresh and Refresh intervals are at the defaults (7 days). Scavenging is set to occur every 7 days. I don't see this setup as incorrect except that more AD replication occurs.
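An added example (not from the original post or the commenter) for questions 1 to 3 above: it reads the owner of every dnsNode object in an AD-integrated zone straight from the directory (the same Owner the console shows under Security > Advanced), summarises who owns what, and then points the DHCP server at a dedicated update account. The DHCP server name and zone are hypothetical; it assumes the zone replicates in DomainDnsZones and that the ActiveDirectory and DhcpServer modules (Server 2012+ or RSAT) are available.

```powershell
# Added example, not from the original post. 'contoso.com' and the DHCP host are hypothetical.
Import-Module ActiveDirectory

function Get-DnsRecordOwners {
    param([string]$ZoneName, [string]$Partition = 'DomainDnsZones')
    $domainDn = (Get-ADDomain).DistinguishedName
    # dnsNode objects live under DC=<zone>,CN=MicrosoftDNS,DC=<partition>,<domain>
    $zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,DC=$Partition,$domainDn"
    Get-ADObject -SearchBase $zoneDn -SearchScope OneLevel -Filter 'objectClass -eq "dnsNode"' |
        ForEach-Object {
            [pscustomobject]@{
                Record = $_.Name
                Owner  = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Owner
            }
        }
}

$owners = Get-DnsRecordOwners -ZoneName 'contoso.com'
$owners | Group-Object Owner | Sort-Object Count -Descending | Select-Object Count, Name
# How to read the summary (question 1):
#   <workstation>$   the client registered its own record; only that client can refresh it
#   <dhcpserver>$    the DHCP server registered it with its computer account, so other DHCP
#                    servers (and the client itself) cannot update it - the classic stale-record cause
#   SYSTEM / admin   created by hand on the server: static, never scavenged unless you age it

# Question 2: a dedicated, unprivileged account shared by every DHCP server lets each of them
# update records any of them created; the account itself does not need DnsUpdateProxy.
# Run this on the DHCP server; the service must be restarted to pick the credential up.
$cred = Get-Credential -Message 'Dedicated DHCP dynamic-update account (ordinary domain user)'
Set-DhcpServerDnsCredential -Credential $cred
Restart-Service -Name DHCPServer

# Question 3: records created before the switch keep their old owner. Re-run the listing
# after a lease cycle; whatever the new account still cannot update has to be deleted or
# left for scavenging, it will not be re-owned automatically.
Get-DnsRecordOwners -ZoneName 'contoso.com' | Where-Object Owner -like '*$' | Format-Table -AutoSize
```

The Owner column is exactly what determines whether the next dynamic update succeeds, which is why a record owned by a retired DHCP server's computer account stays behind until someone with write access removes it.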
Hi, I have a duplicate MicrosoftDNS Zone. Can I delete this zone? See: www.fun4me.nl/.../MicrosoftDNS.jpg
Sorry, the URL should be: www.fun4me.nl/MicrosoftDNS.jpg
A couple of minor things to watch out for here.
1. You can't type the X in for the value (you say "Type 0xffffffff in Hexadecimal". But you can't actually do that. Instead, you should type ffffffff.
2. If anybody tries to copy/paste the 0xffffffff from your site into the value, it will display correctly. However, upon clicking OK to finalize the value, it will change (and it is hard to catch unless you are paying close attention). Instead of displaying 0xffffffff, it will display 0x41ffffff! The values are different!
Hope this helps somebody!
That is a great article.
Great article, full of invaluable info!!!
I see that some pictures are missing; as I think those pictures are very important in order to better understand the scavenging procedure, is it possible to fix the link?
Many thanks in advance!
I did set up the registry keys but I still see the values enabled using netsh. How can I verify it has changed?
I rarely comment on blogs but I must say this is one of the most informative pages I've ever read. Thank you for this contribution to my knowledge!
Sorry I didn't see this earlier. Glad to hear you figured it out!
Great article. I also use djoin.exe for ODJs.
First of all let me thank you for a great article. It helped me a lot.
Text from your article:
"...If you are using a 4 hour lease, well, that's a tough one, because the lowest you can go with scavenging is 1 day, and may provide inconsistent results..."
The question is: why do you say you cannot set the scavenging period in DNS shorter than 1 (one) day? The interface allows you to set the number AND the units, i.e. choose between "days" and "hours". I have it set to 1 hour so that scavenging happens soon after a record can be considered stale (I do not have many computers (200) in my domain and performance impact is not an issue for me).
It seems to work quite as expected.
All the settings I use:
1. DHCP lease : 8 hours
2. DNS no-refresh: 1 hour
3. DNS refresh: 3 hours
4. DNS scavenging: 1 hour
5. DNS Registration Refresh Interval policy enabled for entire domain and the interval is set to 1800 (30 minutes).
Hi Ace..i have been following your articles for many years and find them very helpful...Thx !!!!
How about other name resolution methods?, where do they fit in? Like LLMNR and PeerNameResolution Protocol?
Maybe it's something everyone knows, but to perform step 6 of "Configuring DNS to Create a New Tree in an Existing Forest", you need to log on with "enterprise administrator" rights.
Very helpful and satisfying that you took the time and care to create a great resource which comprehensively covers this task. Thanks!
I know this is an old thread, but we are having this issue under scenario 1. The admin in charge of AD here said he has attempted the solution by putting in a port forwarder in place that forwards all traffic from port 80 instead of the IIS rule stated above. However, whenever he set it up with both DC 1 and 2 the rule wouldn't work if DC 2 was the only one up. Why would this happen?
Great solution my friend. Thank you very much.
Can you clarify the advice on time sync for DCs in Hyper-V? Referencing the Technet article ( technet.microsoft.com/.../virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx ), it says both to disable the time sync via Integration Services, and to partially disable it. There's an update note that says the current recommendation is to disable the time sync option, yet both recommendations are in the article. What's the latest advice?
Very comprehensive article.
I have a question. I have a web service sitting on a Windows 2003 server that allows AD account creation by first creating the container and so on and then setting an initial password by invoking SetPassword on the created object. This has been working without issues for years.
Now I'm trying to move the web service to a 2008 R2 server but for some reason the SetPassword throws an error "RPC server is unavailable". The container creation still works and an account gets created in AD, but the password cannot be set.
Any idea why this is happening? Any known issue on connecting from 2008 R2?
Thanks in advance.
Great article. I had the "The name limit for the local computer adaptor ...." error and no clue what the real root cause was. This article demystified it to the bone. Many thanks!!!
I wish you and your Family a Merry Christmas & Happy New Year and the best of health, wealth and happiness all year round!
Very informative, thanks.
I have a question. Our external domain is "example.com" and internal domain is "corp.example.com", are they considered the same or different domain names?
Thanks for such nice info.
I am a bit confused. I am researching this and still am unsure if I should use DHCP with credentials AND place the DHCP server in the DNSUpdateProxy group?
I have seen several of your post on TechNet.
Also, if the DHCP server is also a DC and is running Server 2008 (NOT R2), I DO NOT run the open proxy command. That is only for R2?
Nice article with lots of good links and information.
I have a question.
With a Domain Infrastructure that has Windows 2003 and Windows 2008 Domain controllers, if I have to restrict the AD Replication\Logon Ports, the range for Windows 2003 and Windows 2008 is different.
So are we saying that the port will be different for Win2k3 and Win2k8? If yes, are we saying we open both ports (hardcoded on Win2k3 and Win2k8) bi-directionally on the firewall?
So, let's say I already have an infrastructure with Windows 2003 DCs in a firewall zone that had the replication traffic restricted to 3216. I then introduce a Windows 2008 domain controller. Since the dynamic port range for Windows 2008 starts from 49152, I select 49155.
So, with the above situation, do I need to start specifying two ports (3216 - 49152) across all the firewall rules?
This solved a lot of problems! Always thought it was a hardware issue since a change of our router started the problem, but as it seems this behavior can be influenced with Windows settings as well. Scenario 2 solved the problem, it was as simple as that, thanks a lot!
Hello Ace Fekay,
I was hoping to submit the comment below but I am unsure if it is going through (going to try one more time).
Your article was very helpful but I did have a further question.
If you have a PayPal account, I would not mind paying for your response as I really appreciated your article (and I’d really like to get through this issue).
Great article – quick question:
I’m assuming that if this is setup correctly, the permissions for the PTR records in the Reverse Lookup Zone should be automatically set in a specific way - which should be the same for each record in the zone.
I’m curious to know, then, how the permissions should read when setup correctly to compare to what I am seeing on my network.
I thought I had resolved my duplicate issue, but after a little over a week I have a duplicate computer name in a RLZ from yesterday.
Below are the permissions:
Record 1: 02.05.2013 – 1:00 PM (time stamp)
The permissions for the DHCP credential account are set to allow for Full Control, Read, and Write.
Record 2: 02.05.2013 - 10:00 AM (time stamp)
The permissions for the DHCP credential account are set to allow for Write and Special Permissions. The special permissions allow: Write All Properties, Read Permissions, and All Validated Writes.
The rest of the records seem to have the same permissions as Record 2 – are these the permissions one would expect to see in place when the DNSUpdateProxy group (and everything else in the article) is set up and working correctly?
If not, how should they read?
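One way to compare the permissions the comment above describes across every record in a zone is to read each record object's security descriptor straight from Active Directory. The following PowerShell is an added example, not code from the blog or its author; it assumes the ActiveDirectory module is installed, a constructed reverse zone 1.168.192.in-addr.arpa stored in the DomainDnsZones partition of a hypothetical domain corp.example.com, and a DHCP credential account named CORP\dhcpsvc.

```powershell
# Added example (not from the original post): list the owner and the DHCP
# credential account's rights on every record object in an AD-integrated
# reverse lookup zone. Records registered through the DHCP credential are
# owned by that account; records owned by something else were registered
# by another principal, typically the client itself, which is how duplicate
# PTR records with differing permissions come about.
# Assumptions: zone name, partition and account below are placeholders.
Import-Module ActiveDirectory

$Zone        = '1.168.192.in-addr.arpa'                        # constructed
$Partition   = 'DC=DomainDnsZones,DC=corp,DC=example,DC=com'   # constructed
$ZoneDn      = "DC=$Zone,CN=MicrosoftDNS,$Partition"
$DhcpAccount = 'CORP\dhcpsvc'                                 # constructed

# Each dnsNode object directly under the zone container is one record name.
$nodes = Get-ADObject -SearchBase $ZoneDn -SearchScope OneLevel `
                      -Filter 'objectClass -eq "dnsNode"' -Properties whenChanged

$report = foreach ($node in $nodes) {
    # The AD: provider exposes the object's ACL to Get-Acl.
    $acl = Get-Acl -Path ("AD:\" + $node.DistinguishedName)
    $dhcpRights = ($acl.Access |
        Where-Object { $_.IdentityReference -eq $DhcpAccount } |
        ForEach-Object { $_.ActiveDirectoryRights }) -join ', '
    [pscustomobject]@{
        Record      = $node.Name
        Owner       = $acl.Owner
        DhcpRights  = $dhcpRights
        LastChanged = $node.whenChanged
    }
}

# Full picture first, then only the records that do not match the expected owner.
$report | Sort-Object Owner, Record | Format-Table -AutoSize
$report | Where-Object { $_.Owner -ne $DhcpAccount }
```

Run it from a DC or a management host with RSAT; the second table is the list of records worth checking, since a record owned by a client rather than by the DHCP credential account cannot be updated by DHCP later, which is what leaves a stale duplicate behind.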
What's the difference between Everyone and Authenticated Users in share permissions?
I am using scenario 2 but was always told to create a www CNAME record to the domain name and not use an A record.
Great Article, especially the tricky bit joining the domain for the first time by using the Switch User setting while the VPN connection is still running on the local profile. Priceless. Thanks.
The error I was originally getting was "currently no logon servers available to service logon" Hopefully this document will come up for people searching that string!
I should have mentioned that Option 1 is to simply delete any CNF... or InProgres... zones you find. That's it.
Option 2 can be overwhelming, and as Mike O'Donnell said, choosing a corrupt or the incorrect zone to change to Primary Standard can produce undesired results. And if you choose one of the "bad" zones, it may be a zone that hasn't been updated, and if the issue was a replication issue, changing it to Standard Primary probably won't replicate the change anyway, and the good zone may still exist.
I will be re-writing this blog to show that a duplicate zone issue can be easily fixed by simply deleting any CNF... or InProgress zones you find, and that's it, no need for changing zone types, etc. As long as replication is working, then you should be good to go.
Our website internally was not showing up for a long time now we have added a www record it resolves to the the public IP address of the site but still on the main page there is a banner which we are not able to see from our domain internal computers.
Thanks for your excellent article. I'm trying to assist a client with a really messy AD replication cleanup, and there are several conflicted / inprogress zones. However, I am unable to delete any of them and I receive the following message:
"Operation Failed. Error code 0x5. Access is Denied. 00000005: SecErr: DSID-031520B2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"
I have tried to reset the permissions on the inprogress objects using both inheriting from parent, and directly editing the object security tab to allow the user I'm logged on as. I can successfully edit the ACL using the GUI, but it doesn't make any difference, I still cannot delete them.
I've tried with two accounts, both are members of enterprise admins, and have tried resetting the inherit permissions on the security tab of the user object (social.technet.microsoft.com/.../5683b9c1-3d1e-48b7-88c7-ae0f7515104f) but nothing is working and I'm not sure what to do next.
WOW! great job, lots of detailed info
Hi, you stated that it wasn't necessary to change the registry to set up a time server, but in the link you publish to get instructions to do it on a Windows 2008 server you have to mess with the registry. So, is it necessary or not to change the registry to set up a time server on the PDC emulator?
This post is not useful. And here is why.
That a protocol works out of the box without configuration for two or more machines on the LAN is a given at this point in time. But the whole point of IP, be it v4 or v6, the whole reason it exists, is to connect two different networks. Which means if you don't talk about how to get two Windows machines on two different networks to talk to each other, you aren't talking about IP. Or aren't saying anything of value, at least.
Many customers have WAN links which only support IPv4. In such an instance, IPv6 is disabled, no matter how much you enable it on the Windows machine.
For MS to "not perform any testing to determine the effects of disabling IPv6" in a world where many networks connect to each other only via IPv4 is extremely negligent.
Thanks for everyone that has responded with your comments, suggestions, etc. I hope they help others that find this.
I will also be migrating this blog to MVPS wordpress shortly, and I will copy your comments.
As for the argument about disabling it or enabling it, I agree to one thing, that everyone has an opinion on both sides of the fence. I personally haven't had any issues except that Exchange 2007 on Windows 2008 NSPI issue causing DSAccess errors with Outlook Anywhere. That was corrected in Exchange 2010, and I believe it was corrected in Exchange 2007 SP2, but don't quote me on that. I've also seen problems with IPv4 DNS registration while IPv6 was disabled, or rather just unchecked in the NIC and not in the registry. So FWIW, I simply leave it enabled because the way I look at it, things just work with it on, and why should I spend the time to disable it and babysit it, or have to charge my customers the extra time to disable it only for them to call me back to find something's not working and I have to re-charge them to enable it. So I just leave it enabled and move on to the next project.
And I know I have some typos in here. That will be corrected, too.
Your post regarding DNS configuring is good, and thanks for giving the valuable information. One thing I want to ask: if any errors occur while configuring, what is the suggestion?
I think it would be better if you discussed the errors while configuring DNS.
Perfect admin guide - thank you
We are hosting our webserver internally, on our LAN, and internet users can access the website without problems, but when we are inside the office, we can't access our domain name.
THIS SCENARIO WASN'T COVERED -- Scenario One said Web Server External... where is the internal web server with the same domain name covered?
Excellent reading, thank you very much.
Do you help remotely at all? Or on skype?
I can pay you, just need some guidance and help
Configure DHCP Credentials. Note - you can do this on 2008 R2 and newer, if you chose not to use .
I am assuming the missing info is Name Protection?
Configure DHCP Credentials. Note - you can do this on 2008 R2 and newer, if you chose not to use Name Protection.
"If the very first DC was installed using a Windows 2003 with integrated SP1 CD or newer, the Tombstone Lifetime Value is 120 days."
But the article you reference, msmvps.com/.../active-directory-lingering-objects-journal-wraps-tombstone-lifetime-and-event-ids-13568-13508-1388-1988-2042-2023.aspx , says 180 days.
Here's the breakdown on what your Tombstone Lifetime settings may be:
- Windows 2000 with all SPs = 60 Days
- Windows Server 2003 without SP = 60 Days
- Windows Server 2003 SP1 = 180 Days
- Windows Server 2003 R2 SP1, installed with both R2 disks = 60 Days
- Windows Server 2003 R2 SP1, installed with the 1st R2 disk = 180 Days
- Windows Server 2003 SP2 = 180 Days
- Windows Server 2003 R2 SP2 = 180 Days
- Windows Server 2008 = 180 Days
- Windows Server 2008 R2 = 180 Days
Just wanted to say thanks, so many tutorials for removing a DC are instructions on running dcpromo. No real world examples like this.
So we use this practice today, but as a result of using IGUDLP for many years in our multi-domain environment it has led to Kerberos token bloat due to users becoming members of too many groups through direct and nested group memberships. Even Microsoft recognizes this as they have the same issue internally.
I have been trying to look at other ways to solve this issue outside of validating If group membership for users is still required & Dynamic membership options.
One of the questions I keep trying to ask myself is why we cannot just put users directly into a DLG. YES, its primary purpose is to assign permissions to resources, but look at all the issues with Kerberos token bloat, replication traffic due to membership changes, and the limitations of each group type and its membership capabilities. Placing accounts directly in a Domain Local group may increase the number of tokens created for a user and can increase authentication traffic to domain controllers, but it will reduce a user's token size, as only Domain Local SIDs of the domain in which the resource is a member (where it is assigned) will be included in the access token.
Thanks for this... I just went through the process, and had pretty much everything break. Pointed the RUS for exchange, and about 8 reboots later, it looks like we're finally up.
Thanks for the article. I had been doing some research on this topic and this was by far the simplest on implementation. Thanks for your time on the blog.
What happens when you change permissions (remove a user) after a user logs in and is accessing a folder? are the changes immediate or do we have to have the user log off and back on?
Thanks for the article. Can you clarify a question regarding step 24 please: You say "Under the General tab, uncheck the Global Catalog checkbox". Shouldn't this be to check the Global Catalog checkbox?
This is excellent, I only have one question for now, Is there any point during this process that I would have continued service issues on the existing DC's, potential slowdown when running the forced replication maybe. I know I should do this off hours but didn't know if I needed to plan a maintenance window and alert the user population.
Hi there, thanks for all the effort to detail this. Unfortunately I find it a bit confusing. I assume that most of the steps above are to be undertaken on another DC? If so, what do I need to do, if anything, on the tombstoned DC? At the end there is a section about manually altering a DC; I take it these are things I should be doing on the broken DC to make it not a DC, but they allude to a method ("/forceremoval switch") as being easier than the manual one detailed. If this easier method is something I can use, what is it? dcpromo /forceremoval maybe? If so, do I run that on the dead DC before doing all the steps detailed above on the live DCs, and do I do that with it still attached to the network? I have gleaned from the rest of the net that once it gets tombstoned to disconnect its network card quickly, so do I need to connect that again and do the "... /forceremoval" thing and then run through the main steps in your article?
Excellent article, thank you!
Thank you very much for the explanation.
Especially the latter picture helped me out.
However, could you please also provide some information regarding how to block inheritance and propagate on shared resources?
Microsoft best practices state (can't quote, sorry) that you need to individually set permissions on the first 2/3 top levels. So, as far as I know you need to clear the option "allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here".
If you could add a small part to this document, then you have a splendid piece of artwork.
Thanks again for the great info.
OK. What about FTP? I have the same problem; access to the website was solved, but I can't access FTP. When I type ftp://mydomain.com, I can't access it again.
After we had placed an additional DNS server and changed the DNS server IP address assignments on computers, the existing dynamic DNS host record of a computer/server was deleted spontaneously.
For us KB 2520155 gave the solution on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 computers/servers.
The Knowledge Base article describes the hotfix to use as well as a workaround. Finally we installed the hotfix.
1. Restart the computer.
2. Restart the DNS Client service.
3. Run the ipconfig /registerdns command.
This is a very useful article.
Does anyone know how to artificially create this in a lab environment?
To keep management happy I need to test out the fix in a lab before potentially trashing our AD infrastructure.
Why don't you just make the "mistake" and actually create your DNS zone manually BEFORE it is done by AD replication? You can disable networking on your second DC to have time to set up the DNS zone manually before it is replicated.
@ Mosquito - I also noticed this, huge bold font at the start saying 'YOU DONT NEED TO TOUCH REGISTRY' and then a link saying 'Modify the registry to set up the authoritative time service'..... freaking inconsistent, this whole post is just a dump of information and links, not organized very well.
In summary, you don't need to follow the Registry/MrFixit guide modifying the registry UNLESS you're having issues.
What I did was set up an external time source for the server that I wanted to be my PDC (e.g. pool.ntp.org) BEFORE I promoted it to a DC, and migrated the PDC role to it. This meant by the time I had set it to PDC, it already had an external time source set and I didn't need to modify any registry.
Hope that helps someone. Cheers.
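The approach in the comment above, configuring the external time source with w32tm rather than by editing the registry, as an added example that is not part of the original post or the blog's procedure. It assumes an elevated prompt on the server that will hold the PDC emulator role; the pool.ntp.org names are taken from the comment and stand in for whatever time source you actually use, and corp.example.com is a placeholder domain.

```powershell
# Added example (not from the original post): set an external NTP source on
# the future PDC emulator with w32tm and verify the result. w32tm writes the
# same W32Time configuration that the registry-editing guides change by hand.
# Assumptions: run elevated; peer names and the domain below are placeholders.
# 0x8 marks each peer as a plain NTP client association.
$Peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'

# Use the manual peer list instead of the domain hierarchy, advertise this
# server as a reliable time source, and apply the change.
w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Verification: the source should now be one of the peers rather than
# "Local CMOS Clock" or "Free-running System Clock".
w32tm /query /source
w32tm /query /status
w32tm /query /configuration | Select-String 'NtpServer|Type|AnnounceFlags'

# After the PDC emulator role has been transferred to this server, the other
# DCs should report it as their source; check from any other DC with:
#   w32tm /monitor /domain:corp.example.com
```

The point of setting this up before promotion, as the commenter did, is that the server arrives at the PDC emulator role already synchronised to something outside the forest; the verification lines are what you would also check when a Kerberos clock-skew problem is suspected.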
What happens if you try to delete a duplicate zone (domain.com) rather than using option 2?
Excellent responses. Thank you it was very helpful. - mike
I'm configuring a Direct Access server, but my internal domain is "a.com.mx"; the external can be out.a.com.mx, or how can I handle this Direct Access server so the DA clients on the internet can access internal resources, for example "x.a.com.mx"?
To # Carl Webster said on Sunday, April 28, 2013 6:02 PM
Yes, I misprinted that. It should be 180 days. I can't edit these blogs to fix it. I have started a new blog location, which I will migrate these to when I can.
Thanks for the article it is of great help to me.
I have 23 DCs in my environment.
If I check the records of one DC on another, I used to have a timestamp but now they have static IP address. So I deleted the record manually from one DC and went to the machine and ran ipconfig /flushdns. The new A record has a timestamp but after 30 minutes it changed to static. Could you help me understand why it happened?
We are facing same issue but in Windows Server 2003 R2. Is there any hotfix for 2003 R2?
What about enabling "Enable Journal Automatic Restore" to allow the system to automate this process?
Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.
To change this registry parameter, run regedit.
Click on Start, Run and type regedit.
Click down the key path:
Double click on the value name
"Enable Journal Wrap Automatic Restore"
and update the value.
If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.
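The quoted event text describes the change as manual regedit steps; the PowerShell below is an added example, not part of the comment or the blog, that reads the value, enables it, restarts NTFRS as the event suggests, and shows how to put it back to 0 afterwards as the event's WARNING asks. The key path is the NtFrs service's Parameters key, supplied here from knowledge of the service rather than from the quoted text (which omits it), so confirm it against the full event on your own server.

```powershell
# Added example (not from the original post or the quoted event): manage the
# "Enable Journal Wrap Automatic Restore" REG_DWORD on an FRS member.
# Assumption: the value lives under the NtFrs service Parameters key (path
# supplied from knowledge of the service, not shown in the quoted text).
$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$Value = 'Enable Journal Wrap Automatic Restore'

function Get-JournalWrapAutoRestore {
    # Returns $null when the value has never been created.
    (Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue).$Value
}

function Set-JournalWrapAutoRestore([int]$Enabled) {
    # Create the DWORD if it is absent (as the event describes), else update it.
    if ($null -eq (Get-JournalWrapAutoRestore)) {
        New-ItemProperty -Path $Key -Name $Value -PropertyType DWord -Value $Enabled | Out-Null
    } else {
        Set-ItemProperty -Path $Key -Name $Value -Value $Enabled
    }
}

"Before: {0}" -f (Get-JournalWrapAutoRestore)
Set-JournalWrapAutoRestore 1
# Restart the service rather than waiting for the 5 minute poll.
Restart-Service NtFrs
"After:  {0}" -f (Get-JournalWrapAutoRestore)

# Follow the recovery in the File Replication Service event log. Once the
# member has been re-added to the replica set and the full tree sync has
# completed, reset the value so a future journal wrap cannot silently take
# the replica tree offline again:
#   Set-JournalWrapAutoRestore 0
```

Leaving the value at 1 is the risk the event's WARNING points at: recovery then runs unattended the next time the journal wraps, and the replica tree's data disappears from that member while it re-syncs.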
I have question Ace. If my DHCP has option 6 (DNS servers) has 2 DNS servers (DNS1, DNS2) and on the client computer it has DNS3, DNS4. Which DNS server will be updated first?
Thanks for this great article. I've tried this in a lab with 2 W2K8 R2 servers that are DHCP/DC/DNS and it works great if I don't enable name protection (that is, I've done everything else you've recommended). The moment I turn on name protection, the DHCP clients start getting registered as the owners of their records rather than the dhcpsvc credential. Can you please advise? Additionally, even though I have the option 'Discard A & PTR Records when lease is deleted', the records don't get deleted after the lease is deleted.
Additionally, would this work with a mix of 2003 & 2008R2 servers (both of which are DCs/DNS/DHCP)?