
Active Directory's Reliance on DNS, and using an ISP's DNS address

---
Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer

Compiled 5/2007, Edited 9/18/09 to add info regarding desktops, Updated 6/14/2010
---

Prelude

You wake up and get ready for work. You sit down and have a bowl of cereal. You crack open a full gallon of milk. Now there's a little less in the gallon, but you know you have plenty of milk for the next couple of days. You walk out of your house and drive off to work. Upon returning, you find the milk is missing. You know you had some milk left over when you left for work in the morning. You walk out front and see your neighbor just happens to be outside. You walk over to him and ask him, "Do you know what happened to my milk?" He just stares at you, not knowing what you're talking about.

Can your neighbor, an outside entity to your internal household, respond to that? The same thing is occurring when you use an outside DNS server in your NIC properties (whether on the DC, member servers and/or client machines). If the machines are set to use an outside DNS address, then your machines are literally asking an outside entity, "What's the IP address of my domain controller?" The outside DNS servers do NOT have that answer.

Using an ISP's DNS

What will happen if you use an ISP's DNS address, or a router as a DNS address, on a DC or client machine is that the machine (whether a DC or client) will ask the ISP's DNS, "What is my DC's IP address? I need to know because I would like to send a logon request." The ISP's DNS doesn't have that answer. Their DNS servers do not host your internal AD zone name; therefore, they have no information about your internal AD network. It's like me asking that guy down the street that I've never met, "Hey you, where did all the beer or milk go in my refrigerator?" He won't have that answer either. :-)

I've read and responded to numerous newsgroup and forum posts requesting assistance, and have been called upon by new customers to fix issues, with such complaints as taking a long time to log in, not being able to access printers or mapped drives, Outlook failing to find the Exchange servers, among other issues.

I've also seen other errors such as GPOs not working, not being able to find the domain, RPC issues, Exchange profusely failing and its services not wanting to start, users complaining they can't get their emails, etc., when the ISP's DNS servers are listed on clients, member servers and/or DCs.

After a short investigation, I've come to find that the domain controllers' network properties included either an ISP's DNS address, the ISP's router's IP address, or some other external DNS server as an IP address in the NIC's properties. I've also observed non-internal DNS addresses on internal company desktops and laptops, whether the IP configuration was set by a static entry or from DHCP (DHCP Option 006).

This type of configuration can and will lead to numerous issues with an Active Directory, from authentication issues and replication issues to much more.

I hope this explanation provides a greater understanding of how it all works and shows why you should use ONLY the internal DNS server for all internal machines, as well as in the VPN's DHCP service for VPN clients. Keep in mind, a client machine plugged in at home, using an aircard, or say sitting at Starbucks, will probably be configured with an ISP's DNS anyway if outside the network. That is fine. If using a VPN connected to the office, the VPN client will use that DNS to find the VPN server for your network. But once the VPN authenticates and connects, the VPN interface will be configured with your company's internal DNS servers, and because the VPN interface is by default first in the binding order, and therefore the first interface used, the machine will be able to log on to the domain and authenticate in order to access internal resources, which is what you want it to do.

 

The Usual Suspects That Can Cause Issues with AD Communications, long logon times, etc

Here is a summarized list of possible causes, but NOT limited to:

  1. Single label name Active Directory DNS domain name (extremely problematic).
  2. SRV records missing. This can be due to DNS or network interface card (NIC) misconfiguration.
  3. Disjointed namespace: the AD domain name doesn't match the Primary DNS Suffix and/or the zone name.
  4. Using an ISP's or some other DNS server that is not hosting the AD zone, or that doesn't have a reference to it, in the IP properties of the DCs and clients.
  5. DHCP Client service disabled on the DCs (a required service even if statically configured).
  6. DCs are possibly multihomed. A multihomed DC has more than one unteamed NIC, more than one IP and/or RRAS installed, such as for VPN purposes, which makes it problematic if not configured properly (more info on this below).
  7. A third party firewall or security application is installed, blocking traffic.
  8. Antivirus software blocking functionality.
  9. Antispyware blocking functionality.

 

AD & DNS Configuration

When I've visited a customer site to fix issues and noticed the DNS entries were incorrect on the DC(s), the parties that had configured the machines, upon being interviewed, simply stated they were not aware of this requirement.

Usually it simply comes down to a misunderstanding of AD and how DNS works, as well as of the Client Side Resolver Service. Some ISPs will tell their customers that they need to use the router as a DNS address, or that they need to use the ISP's DNS servers out on the internet, or they warn them that otherwise they will not resolve internet names. The ISP customer service reps are not well versed in how AD and DNS work, and frankly provide misguided advice.

Keep in mind, if a DC goes down for whatever reason, or is simply not available because the clients can't "find" it, so will your Exchange server, AD domain functions, mapped drive access, printer access, etc. If the DC actually went down, such as from a hardware failure, that is a worst case scenario, and it wouldn't matter whether you configured your machines with the ISP's DNS. If you need to, you can configure your own workstation to use the ISP's DNS during such a crisis in case you need outside communication to research the problem, but you must change it back to your internal DNS once you're done researching the issue and/or you've fixed the problem.

 

 

FYI about AD, DNS, authentication, finding the domain, GPOs, RPC issues, ISP's DNS servers, etc.

Active Directory stores its resources and service locations in DNS in the form of SRV records (those folder names with the underscores in them). These records are used for a multitude of things, such as finding the domain when a client logs on, domain replication from one DC to another, authentication, and more.

If the ISP's DNS is configured in any of the internal AD member machines' IP properties (including all client machines and DCs), the machines will be asking the ISP's DNS "Where is the domain controller for my domain?" whenever they need to perform a function (such as a logon request, a replication request, querying and applying GPOs, etc.). Unfortunately, the ISP's DNS does not have that info; it replies with an "I dunno," and things just fail. The ISP's DNS doesn't have information or records about your internal private AD domain, and it shouldn't have that sort of information.

Therefore, with an AD infrastructure, all domain members (DCs, clients and servers), must only use the internal DNS server(s).

If, for instance, a user wanted to log on, part of the logon process involves the machine finding where the DCs are. The machine will ask DNS, "Where is my domain controller?" If the machine is properly set to use only the internal DNS servers, DNS will be able to respond with an answer, and thus the user can log on.

If the machine asks the 4.2.2.2 DNS server, "Where is my domain controller?", will it have that answer? No, unfortunately not.

Also, it is highly recommended to not use your firewall or router as a DNS or DHCP server. If you are using NT4 as a DNS server in your AD domain, change it over to Win2003 DNS. Same with DHCP. NT4 DNS cannot support AD's SRV requirements and dynamic updates. The Windows DHCP service supports additional features for DNS dynamic updates, as well as other features, that a router's or firewall's DHCP server does not support.

 

Do not configure the DNS client settings on the domain controllers to point to your Internet Service Provider's (ISP's) DNS servers or any other DNS other than the DNS hosting the AD zone, otherwise...
http://smtp25.blogspot.com/2007/05/do-not-configure-dns-client-settings-on_818.html

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (whether it was upgraded or not, this is full of useful information relating to AD and DNS, among other info):
http://support.microsoft.com/?id=555040

 


The DNS Client Side Resolver Service

Another question that has come up is, "Why can't I use the ISP's address as the second entry?" This will cause problems as well, due to the way the client side resolver works. This is the resolver service that runs on all machines - DC or workstation - that queries DNS and decides what to do with the answer. Yes, the domain controller too; after all, the domain controller is also a DNS client, because it will query DNS to "find" itself.

The Client Side Resolver will query the first DNS server listed in the NIC's properties. If that server doesn't respond, it will remove it from the "eligible resolver list" for 15 minutes and go on to the next one in the list. So say the client happens to try to authenticate to AD in order to access a printer, and it's stuck on the ISP's DNS: it will fail to connect until the 15 minute time out period expires and the list resets.

To summarize, if there are multiple DNS entries on a machine (whether a DC, member server or client), it will ask the first entry first. If it doesn't have the answer, it will go to the second entry after a time out period, or TTL, which can last 15 seconds or more as it keeps trying the first one, at which point it REMOVES the first entry from the eligible resolvers list and won't go back to it for another 15 minutes, when the list is reset back to the original order. This can cause issues within AD when accessing a resource such as a printer or folder, getting GPOs to function, etc. Now if the ISP's is the first one, obviously it will be knocked out when a client is trying to log in. This can be noticed by the really, really long logon time the client will experience before it goes to the second one, your internal DNS. From then on, the first one is knocked out for 15 minutes. Then let's say the client decides to go to an internet site. It will be querying the internal DNS at this point. As long as the internal DNS is configured with forwarders to an outside DNS, or is using its Root Hints, it will resolve both internal and external internet addresses.

In summary, based on the way the client side resolver service algorithm works, you simply can't mix in an ISP's or some other DNS server that doesn't host the AD zone name or have some sort of reference to it (whether via a conditional forwarder, stub zone, secondary zone or general forwarder) without expecting problems. Read the following for more detail and understanding of the client side resolver service algorithm.

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760



Then if I don't use the ISP's DNS address in my machines, how will it resolve internet names?

For Internet resolution, the Root Hints will be used by default, unless a root zone exists. The root zone actually looks like the period that you normally type at the end of a sentence: a dot "." zone. If a root zone exists, delete it, and restart the DNS Server service.

Therefore, the recommended "best practice" to ensure full AD and client functionality is to point all machines ONLY to the internal server(s), and configure a forwarder to your ISP's DNS in the server properties (right-click the DNS server name, Properties, Forwarders tab). This way all machines query your DNS, and if it doesn't have the answer, it asks outside. If the forwarding option is grayed out, delete the Root zone (that dot zone). If you're not sure how to perform these two tasks, please follow one of the articles listed below, depending on your operating system, for step by step instructions.

300202 - HOW TO Configure DNS for Internet Access in Windows Server 2000 (Configure Forwarding) :
http://support.microsoft.com/?id=300202

323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003 (Configure Forwarding) :
http://support.microsoft.com/?id=323380

How to Configure Conditional Forwarders in Windows Server 2008
http://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windows-server-2008.aspx

Configure a DNS Server to Use Forwarders - Windows 2008 and 2008 R2
http://technet.microsoft.com/en-us/library/cc754941.aspx

DNS Conditional Forwarding in Windows Server 2003
http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

825036 - Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?id=825036

 

Multihomed Domain Controllers

Another issue I've encountered is when a non-SBS domain controller has been configured with multiple NICs, IP addresses, and/or RRAS. This is another problematic configuration, dubbed a "multihomed domain controller." Multihomed DCs are extremely problematic if not configured correctly; however, configuring one correctly involves a multitude of steps, including registry changes to alter DNS registration. This blog is not intended to discuss multihomed DCs, but rather using an ISP's DNS address in your network. For more information on multihomed DCs, and how to configure them, please read the following link to my blog on the subject.

Multihomed DCs with DNS, RRAS, and/or PPPoE adapters:
http://blogs.dirteam.com/blogs/acefekay/archive/2009/08/03/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

 

Summary

If you have your ISP's DNS addresses in your IP configuration (on any DCs, member servers and clients), they need to be REMOVED, and the machines must ONLY use the internal DNS server(s). Leaving the ISP's addresses in place will cause numerous problems with AD.

 

Related Links

291382 - Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?id=291382

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (whether it was upgraded or not, this is full of useful information relating to AD and DNS, among other info):
http://support.microsoft.com/?id=555040

Domain Controller's Domain Name System Suffix Does Not Match Domain Name:
http://support.microsoft.com/?id=257623

Clients cannot dynamically register DNS records in a single-label forward lookup zone:
http://support.microsoft.com/?id=826743

300684 - Information About Configuring Windows 2000 for Domains with Single-Label DNS Names
http://support.microsoft.com/?id=300684

828263 - DNS query responses do not travel through a firewall in Windows Server 2003:
http://support.microsoft.com/?id=828263

 

---

 



DNS, WINS, NetBIOS, & the Client Side Resolver, Browser Service, Disabling NetBIOS, Do I need WINS?, DirectHosted SMB, if one DC is Down, does a client logon to another DC, and DNS Forwarders

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Compiled 7/22/08, Published 11/29/09
Recompiled 1/31/09 & 11/3/2010
Updated to reflect changes in Windows 7 & 2008 R2 devolution changes. 1/15/2012
Fixed "Back to Top" link so it works 1/15/2012
Added "Troubleshooting the Browser Service" 2/7/2012
Algorithm corrected to reflect 2008/Vista and newer operating systems 7/31/2012

Note: I may be updating this as time goes by, due to the amount of info in this blog and possibly missing something, as well as possibly updating retired Microsoft links, and adding newer links and changes to the operating system.

 

 Topics Covered:

  1. DNS & WINS Resolution Process
  2. Browser service without WINS across subnets
  3. Do I need WINS?
  4. Disabling the Browser service, NetBIOS
  5. DNS Client side Resolver service Query Process
  6. DNS Forwarder Resolution and Time Out Process
  7. If one DC or DNS is down, why can't I logon to the other DC or not use the second DNS address to find another DC?
  8. What happens with Exchange and Outlook when when DNS goes down?
  9. Client side DNS Devolution on Windows 7 and Windows 2008 R2 has Changed
  10. How does resolution work in a multi-domain forest (with child domains)?
  11. Troubleshooting the Browser Service
  12. Related Links


==================================================================
1. DNS & WINS Resolution Process

Keep in mind, Windows 2000 and newer machines use the DNS (hostname) process FIRST, before the NetBIOS resolution process. If the name does not get resolved using the DNS process, then they use the NetBIOS process. Legacy pre-Windows 2000 clients, such as Windows NT, Windows 98, Windows 95, Windows 3.1, DOS, etc., use the NetBIOS process FIRST if the queried name is less than 15 characters, and if not, they use hostname (DNS) resolution. If it is shorter than 15, they will use NetBIOS, but if it doesn't get resolved using NetBIOS, only then will they use the DNS hostname resolution process.
 
If you are using an NBNS (NetBIOS Nameserver, such as WINS), that changes it a bit, and it also depends on what Node it's in. H-Node is default, but the order can be changed with a registry change. There are four NetBIOS Nodes:

B-Node - Broadcast ONLY
P-Node - NBNS (NetBIOS Nameserver) or WINS ONLY
M-Node - Mixed NBNS and Broadcast, but uses Broadcast FIRST.
H-Node - Mixed NBNS and Broadcast, but uses WINS FIRST.

Windows 2000 and newer (WINS enabled) - hostname (DNS or hosts file) resolution is used first, before NetBIOS:

  1. Checks its own name.
  2. Local hostname (DNS client side resolver) cache
  3. HOSTS file
  4. DNS (this is where the search suffix comes in play if a single name query)
  5. NetBIOS name cache
  6. WINS
  7. Broadcast
  8. LMHOSTS

Windows 2000 and newer - If not using WINS:

  1. Checks its own name.
  2. Local hostname (DNS client side resolver) cache
  3. HOSTS file
  4. DNS (this is where the search suffix comes in play if a single name query)
  5. NetBIOS name cache
  6. Broadcast
  7. LMHOSTS

Prior to Windows 2000 (ME, 95, DOS, 3.1, etc), NetBIOS was tried first, essentially if using WINS:

  1. Is name longer than 15 characters? If so, perform Hostname (DNS) resolution process. If not, continue...
  2. Checks its own name.
  3. NetBIOS name cache
  4. WINS
  5. Broadcast
  6. LMHOSTS file
  7. Local hostname (DNS client side resolver) cache
  8. HOSTS file
  9. DNS (this is where the search suffix comes in play if a single name query)
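The three ordered lists above are easier to reason about as one procedure. The following Python model is an added example written for this page (not Microsoft's resolver code): it builds the consultation order from the client generation (Windows 2000 and newer versus legacy), the 15-character rule, whether a WINS address is configured, and the NetBIOS node type, then walks a set of constructed name stores to show which source answers a given name. The orderings for B, P and M nodes are generalised from the four node definitions above; every host name, address and store entry is constructed.

```python
"""Model of the name-resolution order described in this section: Windows 2000
and newer try hostname (DNS) resolution before NetBIOS, pre-Windows 2000
clients try NetBIOS first for names of 15 characters or fewer, and the
NBNS/broadcast part of the NetBIOS phase depends on the node type. Added
illustration for this page, not Microsoft's resolver; all data is constructed."""
from typing import Dict, List, Optional, Tuple

# NBNS (WINS) / broadcast order inside the NetBIOS phase, per node type.
NODE_ORDER: Dict[str, List[str]] = {
    "B": ["broadcast"],            # broadcast only
    "P": ["WINS"],                 # NBNS only
    "M": ["broadcast", "WINS"],    # mixed, broadcast first
    "H": ["WINS", "broadcast"],    # mixed, WINS first (the default)
}
HOSTNAME_STEPS = ["DNS resolver cache", "HOSTS file", "DNS"]


def netbios_steps(node: str, wins_configured: bool) -> List[str]:
    """NetBIOS phase: name cache, then NBNS/broadcast per node, then LMHOSTS.
    Without a WINS address configured there is no NBNS to ask."""
    middle = NODE_ORDER[node]
    if not wins_configured:
        middle = [s for s in middle if s != "WINS"]
    return ["NetBIOS name cache"] + middle + ["LMHOSTS"]


def resolution_order(modern: bool, node: str, wins_configured: bool,
                     name: str) -> List[str]:
    """The ordered list of sources a client consults for 'name'."""
    nb = netbios_steps(node, wins_configured)
    if modern:                       # Windows 2000 and newer: hostname first
        return ["own name"] + HOSTNAME_STEPS + nb
    if len(name) > 15:               # legacy client, name too long for NetBIOS
        return ["own name"] + HOSTNAME_STEPS
    return ["own name"] + nb + HOSTNAME_STEPS   # legacy client: NetBIOS first


def resolve(name: str, stores: Dict[str, Dict[str, str]], modern: bool = True,
            node: str = "H", wins_configured: bool = True,
            dns_suffix: str = "") -> Tuple[Optional[str], Optional[str]]:
    """Walk the sources in order; return (source that answered, address),
    or (None, None) if nothing did. 'stores' maps a source name to the names
    it knows (all lower-case)."""
    for step in resolution_order(modern, node, wins_configured, name):
        key = name.lower()
        if step == "DNS" and "." not in key and dns_suffix:
            # Single-label query: this is where the search suffix comes in.
            key = f"{key}.{dns_suffix.lower()}"
        hit = stores.get(step, {}).get(key)
        if hit is not None:
            return step, hit
    return None, None


# Constructed sample data: corp.example is the AD domain, addresses are made up.
SAMPLE_STORES = {
    "own name": {"ws01": "10.0.0.5"},
    "HOSTS file": {"printsrv.corp.example": "10.0.0.20"},
    "DNS": {"fs01.corp.example": "10.0.0.10", "www.example.net": "203.0.113.10"},
    "WINS": {"fs01": "10.0.0.10", "oldapp": "10.0.0.30"},
    "broadcast": {"oldapp": "10.0.0.30"},   # what answers a subnet broadcast
}


def demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """A few contrasting lookups against the constructed stores."""
    s = SAMPLE_STORES
    return {
        # Modern client, short name: DNS answers via the search suffix; WINS is never asked.
        "modern fs01": resolve("fs01", s, dns_suffix="corp.example"),
        # Legacy client, same name: NetBIOS phase first, so WINS answers.
        "legacy fs01": resolve("fs01", s, modern=False),
        # A name only WINS/broadcast know: the modern client falls through to NetBIOS.
        "modern oldapp H-node": resolve("oldapp", s, dns_suffix="corp.example"),
        "modern oldapp no WINS": resolve("oldapp", s, wins_configured=False),
        "modern oldapp B-node": resolve("oldapp", s, node="B"),
        "modern oldapp P-node no WINS": resolve("oldapp", s, node="P", wins_configured=False),
        # Legacy client, 21-character name: too long for NetBIOS, hostname path only.
        "legacy printsrv": resolve("printsrv.corp.example", s, modern=False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32} -> {result}")
```

The "modern oldapp no WINS" and "P-node no WINS" cases are the ones to study before pulling WINS out of a routed network: a name that only an NBNS knows is still found by broadcast on the local subnet, but not at all by a P-node client, and never from another subnet.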

 

If NetBIOS is disabled, which only disables the NBT transport and interface, TCP will still use DirectSMB (also called Direct Hosted SMB) in Windows 2000 or newer. If both the direct hosted and NBT interfaces are enabled, both methods are tried at the same time and the first to respond is used. This allows Windows to function properly with operating systems that do not support direct hosting of SMB traffic.

Regarding DirectSMB,

Quoted from Aiden Cao, Microsoft, 2/6/2012, in the thread:
TechNet Thread question: "Netbios Session Service and SMB" 2/5/2012
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e03e2d52-0761-451a-91e8-40955172f460/

"Previous to Windows 2000, Microsoft OS could only use SMB over a NetBIOS session. This means that all SMB traffic will start after a NetBIOS session is established. It relies on TCP port 139. If we disabled NetBIOS over TCP/IP, the SMB connectivity was interrupted.

At Windows 2000 and higher versions, the OS supports both NetBIOS sessions and Direct Hosting. And Direct Hosting of SMB over TCP uses TCP port 445. Since Direct Hosting is not reliant on NetBIOS, NetBIOS over TCP/IP can be disabled and connectivity to resources via SMB is still possible to other machines, with the only caveat being legacy apps that rely on NetBIOS."

Direct hosting of SMB over TCP/IP (removing WINS and NetBIOS broadcast as a means of name resolution; DirectSMB uses TCP 445; direct-hosted SMB cannot be disabled in Windows without disabling additional features):
http://support.microsoft.com/kb/204279

 

More on the client side resolver:

How DNS works, March 28, 2003
Client side process order, etc.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc772774(WS.10).aspx#w2k3tr_dns_how_gaxc

How NetBIOS name resolution really works, By Robert L. Bogue, March 11, 2003
http://www.techrepublic.com/article/how-netbios-name-resolution-really-works/5034239

 

 

DNS Hostname Resolution Flowchart:

The following information was quoted from:
Chapter 7: Host Name Resolution
http://technet.microsoft.com/en-us/library/bb727005.aspx
(Image 1): http://technet.microsoft.com/en-us/library/Bb727005.chp7hn01_big(en-us,TechNet.10).gif

The second two images are from this link:
Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx
(Image 2): http://i.technet.microsoft.com/Cc940063.CNBC05(en-us,TechNet.10).gif
(Image 3): http://i.technet.microsoft.com/Cc940063.CNBC05B(en-us,TechNet.10).gif

[Image 1, Image 2 and Image 3 (the DNS hostname resolution flowcharts) are available at the links listed above.]

 

 

 

NetBIOS Name Resolution Process:

The following two images are quoted from:

Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx

 

Resolution Process Related Links:

Hostname Resolution - Describes DNS domain name resolution
http://technet.microsoft.com/en-us/library/cc958812.aspx

NetBIOS and Hostname resolution for Microsoft Client and LAN Manager 2.2c Client:
http://support.microsoft.com/kb/169141/EN-US/

Name Resolution Process in detail:
http://www.comptechdoc.org/os/windows/wintcp/wtcpname.html

 

 

(This was updated 1/2012 to reflect Windows 7 & Windows 2008 R2 changes)

 

 

 



==================================================================
2. Browser service without WINS across subnets

It appears to say that if all machines are Windows 2000 and newer (nothing older), AD provides NetBIOS resolution for all clients. But it doesn't say how it goes about doing that. It goes on to say that the backup browsers and master browsers for each segment over a WAN communicate with the PDC, which is the browse master for a domain, over UDP 138, which means that AD has a role in this, but it is not specific. What appears to be happening is that an AD client uses DirectSMB over 445, but I'm not sure. I cannot find anything on the mechanism. I'm one to want to know and learn about the background functions of anything. This is not necessarily so with non-AD clients.

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001

Common causes and solutions of browser Event ID 8021 and Event ID 8032 on domain master browsers
http://support.microsoft.com/kb/135404

Troubleshooting the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188305

New Networking Features in Windows Server 2008 and Windows Vista (scroll down and read the "Computer Browser Service" section and its mention that the Computer Browser needs to be running on the PDC Emulator of a domain):
http://technet.microsoft.com/en-us/library/bb726965.aspx

Windows 2008 - Appendix C – Computer Browser Service
http://technet.microsoft.com/en-us/library/bb726989.aspx

 



==================================================================
3. Do I need WINS?

That's an extremely good question. The answer is: it depends. It depends on what apps and services are currently running that require NetBIOS name resolution support.

For example, unless it's been recently changed, Symantec Backup Exec needs it to 'browse' for the agent in the network browse list. Therefore, Backup Exec currently uses NetBIOS to assemble a list of all machines on a network to allow you to back up remote computers whether the agent is installed or not, giving you the option to install the backup agent.

So it depends on what YOU have running.

For example, some AV solutions, such as McAfee Enterprise, Symantec, and CA, use NetBIOS to "find" all machines on the network to allow you to roll out installations and administer them.

Therefore, you must inventory your infrastructure for applications and services that use NetBIOS. If I may suggest, make sure there are no applications running that rely on NetBIOS, such as SQL, Exchange, Network Neighborhood browsing, printer browsing, etc., before pulling WINS out.

And yes, keep in mind Exchange 2000/2003 and Outlook communications require WINS for certain functions, such as Calendaring. This requirement was removed from Exchange 2007 and 2010, which use a different mechanism.

 

Here are some relevant links:

Exchange Server 2003 and Exchange 2000 Server require NetBIOS name resolution for full functionality
http://support.microsoft.com/kb/837391

Eileen Brown's WebLog: Exchange 2003 and WINS
http://blogs.technet.com/eileen_brown/archive/2006/01/26/exchange-wins.aspx

WINS dependencies in Exchange 2003 Server
Summary of Microsoft's implementation of WINS (Windows Internet Name Service). How even Exchange 2003 makes NetBIOS calls. Implications for a routed network.
http://www.computerperformance.co.uk/w2k3/services/WINS_exchange.htm

 

If you need WINS and want to learn how to install and configure it, please see the following:

WINS - What Is It, How To Install It, and how to Configure DHCP Scopes For WINS Client DHCP Distribution
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

How To Install a WINS server:
http://technet2.microsoft.com/windowsserver/en/library/e4d3c3d8-a846-49b9-aac6-e04f2907aac51033.mspx

WINS Best Practices (Use ONLY itself in ip properties):
http://technet2.microsoft.com/windowsserver/en/library/ed9beba0-f998-47d2-8137-a2fc52886ed71033.mspx

 



==================================================================
4. Disabling the Browser service, NetBIOS

Just be careful on what you disable. The effects of disabling certain services depend on the operating system version and its role. Disabling a necessary service may disable certain necessary functions on a machine. See section 3 above regarding apps that may be using or need NetBIOS support.

1. You can disable this service on a machine in a domain environment. It dictates whether the machine participates in becoming an eligible master browser on a subnet. Understanding what that means requires some reading.

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001

What's the Microsoft Computer Browser Service?
Disable NetBIOS in W2K/XP/2003 · Hide a Server from the Microsoft Computer Browser ... Malicious User Can Shut Down Computer Browser Service:
www.petri.co.il/whats_the_microsoft_computer_browser_service.htm

Computer Browser Service
http://www.theeldergeek.com/computer_browser.htm

2. Leave that running. You need it. It works for all versions of NTLM.

NTLM Security Support Provider.
NTLM SSP is based on Microsoft Windows NT® LAN Manager challenge/response and NTLM version 2 authentication ...
http://msdn.microsoft.com/en-us/library/ms925943.aspx

3. If you disable the TCP/IP NetBIOS Helper, you will not be able to map any drives or printers using NetBIOS names or FQDNs.

"Network Location Cannot be Reached" Error Message When You Try to ... To resolve this issue, start the TCP/IP NetBIOS Helper Service, and then join the domain.

To start the NetBIOS Helper Service, follow these steps:
http://support.microsoft.com/kb/329866

4. One big piece of advice - do not disable the DHCP Client service on any server, whether the machine is a DHCP client or statically configured. Somewhat of a misnomer, this service performs Dynamic DNS registration and is tied in with the client resolver service. If it is disabled on a DC, you'll get a slew of errors, and no DNS queries will get resolved.

No DNS Name Resolution If DHCP Client Service Is Not Running. When you try to resolve a host name using Domain Name Service (DNS), the attempt is unsuccessful. Communication by Internet Protocol (IP) address (even to ...
http://support.microsoft.com/kb/268674

 

Windows Vista/2008 and newer: the DNS Client service is now responsible for Dynamic Updates

This has changed in Windows Vista, Windows 2008, Windows 7 and Windows 2008 R2 - they no longer use the DHCP Client service for this. They now use the DNS Client service.

For Windows 2000/2003/XP, the DHCP Client service is what performs the Dynamic DNS Update process. For Windows 2008/Vista/2008 R2/Windows 7 and all newer operating systems, it is now the DNS Client service.

Specific details can be found in the following link:

Understanding Dynamic Update, Applies To: Windows Server 2008, Windows Server 2008 R2 (and changes to the DNS Update process from previous operating systems)
http://technet.microsoft.com/en-us/library/cc771255.aspx

Quoted from above article:

"The DNS Client service and the DNS Server service support the use of dynamic updates, as described in Request for Comments (RFC) 2136, "Dynamic Updates in the Domain Name System.""
The documentation after that indicates the DHCP Client service, but please ignore that. There are a few of us in touch with the dev group about the documentation, and it will be cleared up.
The point is the DHCP Client service is no longer responsible for updates.

DHCP (Dynamic Host Configuration Protocol) Basics
http://support.microsoft.com/kb/169289

 



==================================================================
5. DNS Client side Resolver service Query Process

The Client Side Resolver Service algorithm on all Windows 2000 and newer machines:

To summarize:

If the first entry responds but doesn't have an answer, which is what we call an NXDOMAIN response (the DNS server doesn't have an answer, but it responded), the resolver won't go to the second entry, because it got an answer, even though it is not the answer we wanted.

If the DNS server does not respond, which we call a NULL response (the DNS server is down and doesn't respond), the resolver will go to the subsequent entries in the order entered after a time out period, or TTL, which can last 15 seconds or more as it keeps trying the first one, at which point it REMOVES the first entry from the "eligible resolvers" list until the list is reset. The list resets after 15 minutes, or when you restart the DHCP Client service (on 2000/2003/XP), run ipconfig /flushdns, restart the DNS Client service (on 2008/Vista and all newer), or restart the machine.
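The two rules above (an NXDOMAIN response ends the query, a silent server is knocked out of the eligible list for 15 minutes) are what make a mixed ISP/internal server list fail, as described in the first article's "The DNS Client Side Resolver Service" section as well as here. The following Python simulation is an added example written for this page, not Microsoft's resolver implementation: it models a NIC's DNS server list with those two rules and the 15-second / 15-minute timings from the text, and runs the DC locator lookup against three constructed layouts (ISP first, internal only with a forwarder to the ISP, and a dead server first). The servers, the corp.example domain, and all addresses are constructed; only the _ldap._tcp.dc._msdcs record name follows the real AD layout.

```python
"""Simplified model of the Windows DNS client-side resolver server-list
behaviour described in this article: any response, even NXDOMAIN, ends the
query; a server that never responds is skipped for 15 minutes. Added
illustration for this page, not Microsoft's implementation; every server,
record, address and name below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class FakeDnsServer:
    """A constructed DNS server: 'records' is what it can answer itself,
    'forwarder' is where it sends everything else, and up=False means it
    never responds (what the article calls a NULL response)."""
    name: str
    records: Dict[str, str]
    forwarder: Optional["FakeDnsServer"] = None
    up: bool = True

    def query(self, qname: str) -> Optional[str]:
        """Return an answer, "NXDOMAIN" (responded but has no such name),
        or None (no response at all)."""
        if not self.up:
            return None
        if qname in self.records:
            return self.records[qname]
        if self.forwarder is not None:
            upstream = self.forwarder.query(qname)
            if upstream is not None:
                return upstream
        return "NXDOMAIN"


@dataclass
class ClientResolver:
    """The DNS server list from the NIC's IP properties, in order."""
    servers: List[FakeDnsServer]
    timeout: float = 15.0          # seconds spent waiting on a silent server
    knockout: float = 15 * 60.0    # seconds a silent server stays ineligible
    clock: float = 0.0             # simulated time in seconds
    ineligible_until: Dict[str, float] = field(default_factory=dict)

    def resolve(self, qname: str) -> Tuple[str, Optional[str], float]:
        """Return (status, answering server, seconds elapsed); status is
        "OK", "NXDOMAIN" or "FAIL" (no eligible server responded)."""
        start = self.clock
        for srv in self.servers:
            if self.ineligible_until.get(srv.name, 0.0) > self.clock:
                continue  # still knocked out: skipped without waiting
            reply = srv.query(qname)
            if reply is None:
                # Silent server: wait out the timeout, then knock it out.
                self.clock += self.timeout
                self.ineligible_until[srv.name] = self.clock + self.knockout
                continue
            # Any response ends the query; the resolver does NOT move on to
            # the next server just because the answer was NXDOMAIN.
            status = "NXDOMAIN" if reply == "NXDOMAIN" else "OK"
            return status, srv.name, self.clock - start
        return "FAIL", None, self.clock - start

    def advance(self, seconds: float) -> None:
        """Let simulated time pass (e.g. wait for the 15-minute reset)."""
        self.clock += seconds


# Constructed topology: corp.example is the AD domain; the ISP's server knows
# internet names only, the internal server hosts the AD zone and forwards
# everything else to the ISP, the dead server never answers.
DC_SRV = "_ldap._tcp.dc._msdcs.corp.example"
ISP_DNS = FakeDnsServer("isp-dns", {"www.example.net": "203.0.113.10"})
INTERNAL_DNS = FakeDnsServer("internal-dns", {DC_SRV: "dc1.corp.example:389"},
                             forwarder=ISP_DNS)
DEAD_DNS = FakeDnsServer("dead-dns", {}, up=False)


def isp_first() -> Tuple[str, Optional[str], float]:
    """ISP listed first: it answers NXDOMAIN for the DC record, so the
    internal server is never asked and the logon lookup fails."""
    return ClientResolver([ISP_DNS, INTERNAL_DNS]).resolve(DC_SRV)


def internal_only() -> Tuple[Tuple, Tuple]:
    """Recommended layout: internal DNS only, with a forwarder to the ISP.
    Both the DC record and an internet name resolve."""
    r = ClientResolver([INTERNAL_DNS])
    return r.resolve(DC_SRV), r.resolve("www.example.net")


def dead_first() -> Tuple[Tuple, Tuple, Tuple]:
    """A silent first server costs one timeout, is then skipped for 15 minutes,
    after which the resolver goes back to it and pays the timeout again."""
    r = ClientResolver([DEAD_DNS, INTERNAL_DNS])
    first = r.resolve(DC_SRV)      # pays the 15 s timeout
    second = r.resolve(DC_SRV)     # dead server skipped: no delay
    r.advance(15 * 60.0)           # list resets
    third = r.resolve(DC_SRV)      # dead server tried again: 15 s delay
    return first, second, third


if __name__ == "__main__":
    print("ISP first     :", isp_first())
    print("Internal only :", internal_only())
    print("Dead first    :", dead_first())
```

The isp_first case is the one that surprises people: the ISP's server is healthy and answers promptly, which is exactly why the client never asks the internal server and the DC locator query fails outright rather than slowly.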


For specifics, the Microsoft DNS Whitepapers are a good start. Here's more:

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760

Technet Thread: "problem with secondary dns"
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/8fc4597c-d64e-4a87-9cfe-5fe159df5735/


Other references:

How to Disable Client-Side DNS Caching in Windows XP and Windows ...Oct 12, 2007 ...
To disable the DNS cache permanently in Windows, use the Service Controller tool or the Services tool to set the DNS Client service startup ...
http://support.microsoft.com/kb/318803

How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003 (Read the part about the client side resolver algorithm and the client side resolver service timeout when querying multiple DNS entries)
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

How DNS query works Domain Name System(DNS):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/0bcd97e6-b75d-48ce-83ca-bf470573ebdc.mspx

DNS Resolver Cache Service [including NetFailureCacheTime and NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp

286834 - DNS Client Service Doesn't Revert to Using First Server in List [explained in the DNS white papers] reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834

261968 - Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968

SP4 Changes DNS Name Resolution - Actual Query Timeout settings the resolver uses - (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550

 

The Linux and Unix client resolver works pretty much the same way:

That is correct: this behavior ALSO applies to non-Microsoft operating systems' client side resolvers, such as the Linux/Unix client side resolver.

Thread: Re: Complex DNS Resolver Question - DNS
http://fixunix.com/dns/220126-re-complex-dns-resolver-question.html

Quoted from the above link:
If the hostname is not found, then you want to query a local nameserver to locate the information. That is not how DNS operates. If a queried nameserver is inaccessible, then DNS will query another nameserver, providing that there is a second nameserver configured. But if the first nameserver returns NXDOMAIN (the record you requested is not in DNS), then the result returned to the client is NXDOMAIN. The DNS protocol is not set up to look elsewhere for the record, especially if the first nameserver returns NXDOMAIN authoritatively.

 

Client Side Options If a DC goes down:

Run the following command on your Active Directory clients to fix this problem by emptying the DC Locator cache (replace "DomainName" with the Fully Qualified Domain Name (FQDN) of your Active Directory domain):
 nltest /dsgetdc:DomainName /force

More on this:

Domain Controller Stickiness Prevention
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/06/24/domain-controller-stickiness-prevention.aspx

AD Clients Not Authenticating to its Local Site
http://blogs.dirteam.com/blogs/paulbergson/archive/2010/04/19/ad-clients-not-authenticating-to-its-local-site.aspx

 

Back to top of page>


==================================================================
6. DNS Forwarder Resolution and the Time Out Process


Information on how a DNS Forwarder time-out works when using multiple Forwarders:

Keep in mind, if you have too many forwarders listed (only one is recommended; I believe 6 is the most it will use), the client side resolver may time out while the DNS server is still waiting on the 4th forwarder to be queried, and will go to the next DNS server listed in the client's IP properties.

Configure a DNS server to use forwarders (you can change the time-out period)
http://technet.microsoft.com/en-us/library/cc773370.aspx

Good post by Kevin Goodnecht explaining the forwarders time out and scenarios with too many Forwarders listed.
http://help.lockergnome.com/windows2/Strange-forwarding-issues-ftopict482618.html

Quoted from above link:

"Actually, the DNS service will stick to the Forwarder that provides an answer, no matter where it is in the list, if one forwarder times out (no answer) it will move to the next forwarder in the list, if the next forwarder provides an answer it uses it until it times out. The problem for you is, that it may not get back around to the first forwarder, before the Forwarding timeout expires, and it starts using recursion itself and goes to the root hints.

Now, if you check the box "Do not use recursion" the DNS server will use only its forwarders, and will not use root hints. But this cannot guarantee that one of the other servers being used as a forwarder answer the query.

I recommend that if there is a domain that cannot be reached through the internet root, that you add a secondary zone for that domain on the Win2k DNS server."

 

Comment on Forwarders:

DNS acts as a resolving client when it uses a Forwarder because, as the explanation indicated, it is sending the request elsewhere, essentially offloading the request so it doesn't have to hit the Roots to devolve the query. If there are multiple Forwarders, DNS will hit each Forwarder. Only if it runs out of Forwarders will it use the Roots, unless the checkbox to disable recursion is set under the Forwarders tab (not the Advanced tab). But all of that takes time. Keep in mind there is a time out that a client will wait, so if the original client request that sent it to your DNS server is waiting beyond the time out period while the DNS server is still waiting on its resolution request from a Forwarder, and the time out period is reached with no response received, the client will assume that the DNS address it used is no good, will remove it from the 'eligible resolvers list,' and will then query the second one.

If a DNS server that is set as a Forwarder is no longer functioning, or if whoever owns the server decides to disable recursion, which makes it not respond to queries for zones it does not host (effectively making it a content-only server), or controls it by "views" (a BIND feature to control what subnets it responds to for queries), then the DNS service will follow a time-out (TTL or Time to Live) algorithm when it sends the query to the first Forwarder in the list. If there is no response (NULL response) after the TTL, it eliminates that Forwarder for this query only, and it will then send the query to the next Forwarder in the list. If none of the Forwarders respond, the DNS service will then send the query to the Root Hints to devolve the query.

Now - and this is an important "now" - if there are many DNS servers listed in the Forwarders list, such as 3 or 4, the total time out for the number of Forwarders listed may exceed the timeout (TTL) the client side resolver service is set to by default (on the client machine making the request), and the user receives that familiar 'HTTP 404 not found' in the browser.

For practical purposes, given these TTLs, I would suggest never setting more than two Forwarders.

To find out if a DNS server will respond to queries and is eligible to use as a Forwarder, you can test it with the nslookup utility (use the d2 debug option, 'set d2' interactively or '-d2' on the command line, and look for 'recursion available' or 'recursion not available' in the response header).

So for all practical purposes, I never set more than two Forwarders; otherwise what's the use? If the first two can't resolve it, it probably is not resolvable anyway.
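As an added illustration of the forwarder time-out arithmetic above (an example written for this page, not the Windows DNS server's code): each forwarder that never answers costs the server one forwarding time-out before it tries the next, and if that adds up to more than the client side resolver's own wait, the client has already dropped the DNS server from its eligible list by the time an answer arrives. The 5-second forwarding time-out and the forwarder names are constructed (the text notes the time-out can be changed); the 15-second client wait is the figure from section 5.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ForwardingDnsServer:
    """Model of a DNS server working through its Forwarders list."""
    forwarders: List[str]
    reachable: Dict[str, bool]               # constructed: which forwarders will answer
    forwarding_timeout_s: float = 5.0        # constructed; configurable on the Forwarders tab
    do_not_use_recursion: bool = False       # the "Do not use recursion" box on the Forwarders tab
    sticky_index: int = 0                    # the forwarder that last answered is tried first

    def resolve(self) -> Tuple[str, float]:
        """Return (how the query was answered, seconds the server spent before answering)."""
        elapsed = 0.0
        count = len(self.forwarders)
        for step in range(count):
            idx = (self.sticky_index + step) % count
            fwd = self.forwarders[idx]
            if self.reachable.get(fwd, False):
                self.sticky_index = idx      # the server sticks to the forwarder that answered
                return f"answered by forwarder {fwd}", elapsed
            elapsed += self.forwarding_timeout_s   # NULL response: wait out the time-out, move on
        if self.do_not_use_recursion:
            return "failed: no forwarder answered and root hints are disabled", elapsed
        return "answered via root hints", elapsed


def client_view(server: ForwardingDnsServer, client_wait_s: float = 15.0) -> Dict[str, object]:
    """What the querying client experiences: if the server takes at least as long as the
    client's own wait, the client has already given up on it and moved to its next DNS entry."""
    outcome, elapsed = server.resolve()
    return {
        "outcome": outcome,
        "server_seconds": elapsed,
        "client_gave_up": elapsed >= client_wait_s,
    }


def compare_forwarder_lists() -> Dict[str, Dict[str, object]]:
    """Five forwarders with only the last one reachable, versus that same forwarder in a
    two-entry list, plus a second query showing the sticky behaviour and the effect of
    'Do not use recursion' when nothing answers."""
    up = {"fwd1": False, "fwd2": False, "fwd3": False, "fwd4": False, "fwd5": True}
    five = ForwardingDnsServer(["fwd1", "fwd2", "fwd3", "fwd4", "fwd5"], up)
    two = ForwardingDnsServer(["fwd1", "fwd5"], up)
    first_five = client_view(five)           # 4 time-outs = 20 s: the client already gave up
    second_five = client_view(five)          # sticky: fwd5 is asked first and answers at once
    only_two = client_view(two)              # one time-out = 5 s: well inside the client's wait
    closed = client_view(ForwardingDnsServer(["fwd1", "fwd2"], up, do_not_use_recursion=True))
    return {"five_first": first_five, "five_second": second_five,
            "two": only_two, "no_recursion": closed}


if __name__ == "__main__":
    for label, result in compare_forwarder_lists().items():
        print(label, result)
```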



==================================================================
7. If one DC or DNS server goes down, why can't I logon to the other DC or not use the second DNS address to find another DC?


Which begs the eternal philosophical question:
If a Domain goes down in a forest, and there's nobody there, did it crash?
---

Keep in mind that if any of the DCs are multihomed (more than one NIC and/or IP), you are using your ISP's DNS, or the domain is a single label name ('domain' versus the recommended minimum of 'domain.com,' 'domain.local,' etc.), other problems will occur, and you will get unexpected and undesirable results whether there is one DC down or not.

As for the second DC responding, this all depends on the DNS settings on the client side, as well as whether the previous logon server and record were cached.

It will use the second address, but only after the timeout period during which the client waits for a response from the first server. You need to understand how the client side resolver works. As stated above in section #5:

  • If the first entry responds but doesn't have an answer, which is what we call an NXDOMAIN response (the DNS server doesn't have an answer but it STILL responded), it won't go to the second entry, because it got an answer, even though it is not the answer we wanted.
  • If the DNS server does not respond at all, which we call a NULL response (the DNS server is down and never answers), it will go to the subsequent entries in the order entered, but only after a time out period, or TTL, which can last 15 seconds or more while it keeps trying the first one. At that point it REMOVES the first entry from the "eligible resolvers" list. The list is reset after 15 minutes, or after you clear the client side cache (ipconfig /flushdns), restart the DHCP Client Service (on 2000/2003/XP), restart the DNS Client Service (on 2008/Vista and all newer), or restart the machine.


To put it another way:

If the query sent to the first entry in the DNS list gets an NXDOMAIN response, meaning it is an actual response but the server it asked has no such record, the client looks no further, because it received a response. However, if it receives a NULL response, meaning the DNS server is down and there is no response, it removes the first entry from the 'eligible resolvers list' for a certain amount of time (depending on the OS version and SP level), then sends the query to the second one. And if the record is already cached, it won't even ask the first entry. That is why a client machine may keep trying to reach a DC that is down.

Summary:

As I mentioned, this is ALL based on the client side resolver, not the DNS server. To someone sitting there waiting, this time out period can be perceived as 'it's not working' because it appears to be taking so long. Also, if the record is already cached locally by the client side service, the client will not ask any DNS server and will send the connection request to the cached record; if that is the server that is down, it can't connect anyway and gets no response, while you sit there expecting it to go to the other DC that is up. The way to reset the list is to restart the DHCP Client service (not the DHCP server) on the workstation, and the way to delete the cache on the client is to run ipconfig /flushdns, or simply restart the machine.

Or simply disable the DNS client side caching mechanism. This is not suggested, for performance reasons, especially if you have many machines in the infrastructure. However, for testing, you can give it a shot:

How to Disable Client-Side DNS Caching in Windows XP and Windows ...Oct 12, 2007 ...
To disable the DNS cache permanently in Windows, use the Service Controller tool or the Services tool to set the DNS Client service startup ...
http://support.microsoft.com/kb/318803
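The client side resolver behavior described in sections 5 and 7, as an added simulation (not code from this article or from Microsoft): a server's NXDOMAIN answer ends the query, a server that never answers is dropped from the eligible list after the timeout and stays out until the hold-down expires or the client service is restarted, and a cached record is returned without asking any server. The server names and zone contents are constructed; the 15-second and 15-minute figures are the ones given in the text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NXDOMAIN = "NXDOMAIN"          # server answered: it has no such record
QUERY_TIMEOUT_S = 15.0         # from the text: 15 seconds or more before giving up on a server
HOLD_DOWN_S = 15 * 60.0        # from the text: the eligible list is reset after 15 minutes

# Constructed zone data for an internal AD domain; a server whose table is None is down.
CORP = {"dc1.corp.example": "10.0.0.1", "fs1.corp.example": "10.0.0.20"}


@dataclass
class Resolver:
    """Minimal model of the Windows client side resolver's server-list handling."""
    servers: List[str]                              # NIC DNS list, in the order entered
    zones: Dict[str, Optional[Dict[str, str]]]      # server -> records it hosts, or None if down
    now: float = 0.0                                # simulated clock, seconds
    cache: Dict[str, str] = field(default_factory=dict)
    ineligible_until: Dict[str, float] = field(default_factory=dict)
    asked: List[str] = field(default_factory=list)  # which server each query went to

    def eligible(self) -> List[str]:
        return [s for s in self.servers if self.ineligible_until.get(s, 0.0) <= self.now]

    def resolve(self, name: str) -> Optional[str]:
        """Return an IP, or None when the name was not resolved."""
        if name in self.cache:
            return self.cache[name]          # nobody is asked, even if that host is now down
        for server in self.eligible():
            self.asked.append(server)
            table = self.zones.get(server)
            if table is None:
                # NULL response: wait out the timeout, then drop the server for the hold-down.
                self.now += QUERY_TIMEOUT_S
                self.ineligible_until[server] = self.now + HOLD_DOWN_S
                continue
            reply = table.get(name, NXDOMAIN)
            if reply == NXDOMAIN:
                return None                  # a negative answer IS an answer: stop here
            self.cache[name] = reply
            return reply
        return None

    def flush(self) -> None:
        """Model of ipconfig /flushdns: empties the cache only."""
        self.cache.clear()

    def restart_client_service(self) -> None:
        """Model of restarting the DNS/DHCP Client service: cache and eligible list reset."""
        self.cache.clear()
        self.ineligible_until.clear()


def scenario_isp_dns_first() -> Tuple[Optional[str], List[str]]:
    """ISP DNS listed first answers NXDOMAIN for the internal name; the DC is never asked."""
    r = Resolver(servers=["isp-dns", "dc1"], zones={"isp-dns": {}, "dc1": CORP})
    return r.resolve("fs1.corp.example"), r.asked


def scenario_first_dc_down() -> Tuple[Optional[str], float, List[str], List[str], List[str]]:
    """dc1 is down: dc2 answers after the 15 s timeout, dc1 leaves the eligible list, and the
    next lookup goes straight to dc2 until the client service is restarted."""
    r = Resolver(servers=["dc1", "dc2"], zones={"dc1": None, "dc2": CORP})
    ip = r.resolve("fs1.corp.example")
    r.resolve("dc1.corp.example")
    remaining = r.eligible()
    r.restart_client_service()
    return ip, r.now, remaining, r.asked, r.eligible()


def scenario_stale_cache() -> Tuple[Optional[str], Optional[str]]:
    """A cached record is handed back without asking anyone, so the client keeps pointing at
    a DC that has since gone down until the cache is flushed."""
    r = Resolver(servers=["dc1"], zones={"dc1": CORP})
    r.resolve("dc1.corp.example")            # cached now
    r.zones["dc1"] = None                    # dc1 goes down
    still_cached = r.resolve("dc1.corp.example")
    r.flush()
    after_flush = r.resolve("dc1.corp.example")
    return still_cached, after_flush


if __name__ == "__main__":
    print(scenario_isp_dns_first())
    print(scenario_first_dc_down())
    print(scenario_stale_cache())
```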

 



==================================================================
8. What happens with Exchange and Outlook when DNS goes down?

Exchange uses its own fault tolerant service, DSAccess, which is responsible for providing directory information to Exchange servers. DSAccess re-runs its own DC/GC location process every 15 minutes and will change the servers it relies on by itself. For more info on its process, see:

Directory service server detection and DSAccess usage
http://support.microsoft.com/kb/250570

But in addition, this goes back to depending on the client side resolver as well, which I covered above under "If one DC is down, why does it not logon to the other DC? Or if the first DNS is down, will it use the second DNS to find another DC to logon?"

Also, with Exchange involved, it becomes a little trickier. Keep in mind, when Outlook 2002 and newer first connects, it is provided a DSProxy value for the GC that Exchange is using. Outlook will then cache it. If the GC goes down, even if there are other GCs up, Outlook will not 'look' for another GC. You literally have to restart Outlook. As for Exchange, it will lock onto that GC as well, and if the GC goes down, Exchange will indicate so in the event logs with numerous DSAccess errors until the GC is back up. The only way to circumvent that is to go into Exchange, change the DC/GCs it discovered with the automatic discovery process from automatic to manual, and remove the downed GC. But the Outlook clients will still need to be restarted. If you have multiple Exchange servers, it needs to be done on each one. If you have ISA, it needs to be restarted. Otherwise, it's best to get the GC back up, and the Exchange errors will disappear; however, Outlook will still have a problem.

I've seen this while working in a 5000 user system with 20 Exchange servers. It was due to the AD group running Windows updates on the DCs. We talked them into doing it after hours. It was a pain. If you have BES servers, they need to be restarted after the GC is back up, too.

Keep in mind as well that other Exchange-related applications that rely on MAPI just as Outlook does, such as BES servers (BlackBerry Enterprise Server), need to be restarted for them to reinitialize.

Keep in mind too that in a single domain scenario, all DCs should be Global Catalogs. If there is more than one domain in the forest (child domains), then the IM (Infrastructure Master) role cannot be on a GC. If Exchange is involved, access to Exchange may be affected by the GCs and DCs it's been configured to use, and whether they are down or not. This is not a DNS function; rather it is the DSAccess and DSProxy function on Exchange.

I hope that makes sense.

I am also providing some links on it. Sorry about all the links, but they will give you a better understanding of it and how it applies. Each gives a little, but in some cases not the whole picture. The DNS Whitepaper is pretty good to start with.


==================================================================
9. Client side DNS Devolution on Windows 7 and Windows 2008 R2

Devolution is when the parent suffix is derived from a child suffix. For example, if a machine is joined to a child domain "sales.test.com," then "test.com" is devolved from "sales.test.com."

Therefore, if "fileserver1" is not resolved in "sales.test.com," the client side resolver service on a client (keep in mind, DCs are DNS clients, too) will attempt to resend the query with the parent suffix.

It is best to design your forest infrastructure with unique hostnames, so that if "fileserver1" doesn't exist in a child domain, it doesn't exist anywhere else either. Having a computer named "fileserver1" in a child domain and another one in a different domain is not a good practice, nor is it a best practice. Uniqueness is the key across a forest.

DNS Devolution
Published: October 21, 2009, Updated: July 7, 2010, Applies To: Windows 7, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ee683928(WS.10).aspx

Quoted:
Devolution is not enabled in Active Directory domains when the following conditions are true:
 1. A global suffix search list is configured using Group Policy.
 2. The Append parent suffixes of the primary DNS suffix check box is not selected on the DNS tab in the Advanced TCP/IP Settings for IPv4 or IPv6 Internet Protocol (TCP/IP) Properties of a client computer’s network connection. Parent suffixes are obtained by devolution.


 

==================================================================
10. How does resolution work in a multi-domain forest (with child domains)?

If you have a hostname record, for example, called "Computer," in both the parent domain and child domains, nslookup will resolve the IP address of hostname.domain.local without querying for, or using, the child domain suffix. This is part of the devolution process that starts with the higher level domain and works down. Devolution to the upper hierarchical levels is limited to the forest root domain level in the forest.

For example, if you have a forest root of ad.domain.local and a child domain called child.ad.domain.local, the client side resolver will limit devolution of its joined domain to the forest root domain, will not go any higher, and will not devolve or populate domain.local as a Search Suffix, since that domain name does not exist in the forest.

Therefore, if you have a DNS suffix search list, the resolver adds those DNS suffixes in order and does not try any other domain names. In this case, if you submit the unqualified name 'Computer,' the resolver queries in order for the following FQDNs:

  • hostname.domain.local
  • hostname.child.domain.local


Based on the example, such a client will only devolve the following two suffixes, and not "domain.local," as was the case prior to Vista/2008:

  • child.ad.domain.local
  • ad.domain.local
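The devolution and suffix search behavior from sections 9 and 10, as an added example (not code from this article or from Microsoft's resolver): the candidate FQDNs a client tries for an unqualified name, with the Windows 7/2008 R2 rule of stopping at the forest root's label count, the pre-Vista rule of devolving down to two labels, and the two conditions quoted above that switch devolution off. The zone records and host names are constructed; the domain names are the ones used in the text.

```python
from typing import Dict, List, Optional


def devolved_suffixes(primary_suffix: str, stop_at_labels: int) -> List[str]:
    """Strip leading labels from the primary DNS suffix until only stop_at_labels remain.
    Windows 7 / 2008 R2 stop at the forest root's label count (3 for ad.domain.local);
    earlier clients kept going down to 2 labels (domain.local)."""
    labels = primary_suffix.strip(".").split(".")
    suffixes = []
    while len(labels) >= stop_at_labels:
        suffixes.append(".".join(labels))
        labels = labels[1:]
    return suffixes


def candidate_fqdns(unqualified: str, primary_suffix: str, forest_root: str,
                    gpo_search_list: Optional[List[str]] = None,
                    append_parent_suffixes: bool = True,
                    pre_vista_client: bool = False) -> List[str]:
    """FQDNs the client side resolver queries, in order, for an unqualified name."""
    if gpo_search_list:
        # Condition 1 from the quoted text: a GPO suffix search list disables devolution,
        # and only the listed suffixes are tried, in order.
        return [f"{unqualified}.{s}" for s in gpo_search_list]
    if not append_parent_suffixes:
        # Condition 2: "Append parent suffixes of the primary DNS suffix" is unchecked.
        return [f"{unqualified}.{primary_suffix}"]
    stop_at = 2 if pre_vista_client else len(forest_root.strip(".").split("."))
    return [f"{unqualified}.{s}" for s in devolved_suffixes(primary_suffix, stop_at)]


def first_answer(candidates: List[str], records: Dict[str, str]) -> Optional[str]:
    """Walk the candidates like the resolver does and return the first FQDN that has a record."""
    for fqdn in candidates:
        if fqdn in records:
            return fqdn
    return None


# Constructed records: "fileserver1" exists only in the forest root, not in the child domain.
RECORDS = {
    "fileserver1.ad.domain.local": "10.1.0.5",
    "sql1.child.ad.domain.local": "10.2.0.9",
}


def lookup_from_child(unqualified: str, pre_vista_client: bool = False) -> Optional[str]:
    """What a machine joined to child.ad.domain.local ends up resolving for a bare hostname:
    a name missing from the child falls through to the parent's record of the same name."""
    cands = candidate_fqdns(unqualified, "child.ad.domain.local", "ad.domain.local",
                            pre_vista_client=pre_vista_client)
    return first_answer(cands, RECORDS)


if __name__ == "__main__":
    print(candidate_fqdns("fileserver1", "child.ad.domain.local", "ad.domain.local"))
    print(candidate_fqdns("fileserver1", "child.ad.domain.local", "ad.domain.local",
                          pre_vista_client=True))
    print(lookup_from_child("fileserver1"))
```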


More info on this behavior:

 Host Name Resolution Order
 http://support.microsoft.com/kb/172218/en-us  
 
 Configuring Query Settings:
 http://technet.microsoft.com/en-us/library/cc959339.aspx  

 DNS client name resolution behavior in windows vista VS Windows XP
 http://blogs.technet.com/b/networking/archive/2009/04/16/dns-client-name-resolution-behavior-in-windows-vista-vs-windows-xp.aspx 
 
 



==================================================================
11. Troubleshooting the Browser Service

 

Keep in mind, each subnet has its own master browser, and the master browsers work together using the WINS service to enumerate an infrastructure-wide browse list. If not using WINS, the browser service uses broadcasts, but if you are in a multi-subnetted environment and you want full browsing capabilities, it's suggested to use WINS.

We have to keep in mind when troubleshooting the browser service that there is a time period you have to wait for the list to fully enumerate and become available on the master.

A good example is when a server is shut off on a segment and the workstations take over, or when the server is rebooted, wins the election, and begins a new cycle to enumerate the browse list from WINS and/or broadcasts. This can take a minimum of 12 minutes, up to the 48-minute full propagation cycle in a multiple-segment domain environment.

The default out-of-the-box settings work fine; otherwise you'll find yourself trying to change registry entries on multiple servers.

If you find workstations are becoming masters, are there any server operating systems on their subnets? If not, then a workstation will win as a master. If there is a server OS and it's not multihomed, especially a DC on the subnet that is not multihomed (multihoming a DC is a really bad idea), then it should win, unless there's a problem with the machine itself, such as a security setting in your antivirus blocking traffic, or a firewall blocking traffic on it.

Some basic things to look for and use:

  1. Make sure the Computer Browser service is Started.
  2. Make sure NetBIOS is enabled on everything.
  3. On Windows 2003 and 2000, install the Support Tools (from the Windows CDROM) in order to have the "browstat" utility available. In Windows 2008 and newer, the utility is already installed as part of the operating system files.

Multihomed DC?

Note: A multihomed DC is a major cause of browser problems. Multihoming DCs is not recommended for multiple reasons, including the "Multihomed Browser" scenario. More info regarding multihoming and why not to do it:

Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters - A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly.
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

 

Browser Troubleshooting Steps

If there is any antivirus software, it could block browser traffic. This of course is all assuming that the Computer Browser service is running.

Run a browstat status to see who the browse master is for the segment. If it's not the PDC Emulator, and some other device won the election, that can cause a problem.

To check current status of the browse service on the domain, run:

 browstat status

You should get a response similar to:

 Browsing is active on domain.
 Master browser name is: <serverName>

Note, the machine that is the current master browser will be one of the following, depending on which machine types exist on the segment: the PDC Emulator, a replica DC on the segment, a member server, a joined workstation, a workgroup member, a Unix or Linux machine with Samba, etc. If you find a device is winning the election, then we need to disable that ability in the device. If there are no features for that, contact the vendor's support department, or put the device on its own subnet or VLAN to prevent it from winning the election on the production network.

To find the current browse master on a segment, you'll have to find the TransportID:

First run:

 browstat getmaster \device\netbt_el59x1 <domainname>

It will error out because the "netbt_el59x1" transport probably doesn't exist on your machine, and will respond with the transports currently bound to the browser. Copy and paste the transport that does show up into your next command, for example:

 browstat getmaster \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>

Force an election by running:

 browstat elect \device\netbt_ieepro1 <domainname>

Then check the event logs to see which machine won the election. I've found that devices such as Linux/Unix machines with Samba, or a Seagate NAS, may win the election and cause browsing havoc within an environment, giving you that familiar but unwanted "Access Denied" when trying to browse.

Troubleshooting the Microsoft Browser Services:
http://support.microsoft.com/kb/188305



==================================================================
Related Links

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx 

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760

ForwardingTimeout (registry settings)
http://technet.microsoft.com/en-us/library/cc940784.aspx

Appendix C: Windows Sockets and DNS Registry Parameters
For Resolver time out, see DNSQueryTimeouts
http://technet.microsoft.com/en-us/library/cc781532(WS.10).aspx

SP4 Changes DNS Name Resolution - Actual Query Timeout settings the resolver uses - (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550

How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc

DNSQueryTimeouts  - How to control the client side resolver time out value in the registry)
http://technet.microsoft.com/en-gb/library/cc977482.aspx

W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

DNS Resolver Cache Service [including NetFailureCacheTime and NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp

DNS Client Service Doesn't Revert to Using First Server in List [explained in the DNS white papers] reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834

261968 - Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968

SP4 Changes DNS Name Resolution - Actual Query Timeout settings the resolver uses - (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550


Suggestions, Comments and Corrections are welcomed

Ace Fekay

 

 

DNS and Subnet Prioritization & DNS Round Robin


Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Original Publication Date: 5/28/2010

Edited 6/4/2010 - Included information regarding Windows 2003 and newer: Subnet Prioritization only defaults to Class C subnets. If you have any subnets other than a Class C in the environment, Subnet Prioritization may not work as expected for this reason. I included a separate section explaining this in further detail, and how to set a DNS server to take this into account, which of course must be set on all DNS servers in the environment.
Edited 8/9/2010 - Added information about Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 and their differences from XP and 2000 regarding how they handle Subnet Prioritization, which they handle a bit differently, and how to make it work.

DNS and Subnet Prioritization & DNS Round Robin - Which one Supersedes?

This has been a question that arises from time to time. I thought to provide some information on how it works to understand what is at play with these two DNS features.


Preface on Subnet Prioritization and Round Robin:

Subnet prioritization works by default. No other action is required. If you have multiple identical A records, then Round Robin will supersede it.

If Round Robin is not needed, it can be disabled in order to take full advantage of Subnet Prioritization; otherwise, Round Robin will supersede it.

In scenarios involving ISA Enterprise, because ISA Enterprise is AD enabled, you can publish the ISA records in AD, and if AD Sites are configured, the client's site will be used first by the AD client side extension, disregarding Round Robin and Subnet Prioritization, unless there are multiple records in each AD Site.

Some have asked whether an ISA Array will work. It is possible to configure an ISA Array with multiple ISA Enterprise servers which will share their web cache; however, this will not help Subnet Prioritization or Round Robin, since the Array is considered a single logical entity and published as such.

Nslookup is a good tool to test Round Robin, and will give you a general response purely based on DNS, but the results are only as expected in a non-AD Site scenario, since it can't test AD Site responses.
 
You can also create an IE GPO for each Site. In the GPO, you would state the Proxy address for them to use.


Subnet Prioritization and Round Robin Logic:

Keep in mind, Subnet Prioritization and Round Robin work hand in hand; however, not necessarily so if an AD Site aware service is querying (such as the client side GetDcList function). If there is more than one record in the same subnet, Round Robin will kick in, which DNS performs.

If there is more than one record, DNS will re-order the response with an IP that is in the same subnet as the client.

However, if both Round Robin and Subnet Prioritization are enabled, Round Robin wins.

If you do not want this default action to occur, that is, you want to use Subnet Prioritization and AD Sites are not involved, you will need to disable Round Robin; otherwise, if both Round Robin and Subnet Prioritization are enabled, the server rotates among the A resource records. You may wish to check how it works if you disable round robin when you have multiple separate subnets and you want a client to use the address closest to its own subnet.

The following passage on the specific logic was quoted from:
Configuring Subnet Prioritization
http://technet.microsoft.com/en-us/library/cc961422.aspx
 
[Begin Quote]
============

  • If Enable round robin is selected (the default) and the value of LocalNetPriority is 1:
      The server rotates among the A resource records that it returns in the order of their similarity to the IP address of the querying client.
  • If Enable round robin is deselected and the value of LocalNetPriority is 1:
      The server returns the records in local net priority order. It does not rotate among available addresses.
  • If Enable round robin is selected and the value of LocalNetPriority is 0 (the default):
      The server rotates among the available records in the order in which the records were added to the database.
  • If Enable round robin is deselected and the value of LocalNetPriority is 0 (the default):
      The server returns the records in the order in which they were added to the database. The server does not attempt to sort them or rotate the records it returns.

============
[/End Quote]


Subnet Priortization and Round Robin Example:

The following example was quoted from:
Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx

[Begin Quote]
===
For example, suppose there are three Web servers that all host the Web page for www.reskit.com and they are all located on different subnets. The DNS name server for the network contains the following resource records:

 www.reskit.com.  IN  A  172.16.64.11
 www.reskit.com.  IN  A  172.17.64.22
 www.reskit.com.  IN  A  172.18.64.33

When a Windows XP Professional–based computer’s DNS resolver (client) receives a response to the query for the A record of www.reskit.com, it returns A records in order, starting with the IP addresses from subnets to which the computer is directly connected.

For example, if a computer with the IP address 172.17.64.93 is queried for www.reskit.com, the resolver returns the resource records in the following order:

 www.reskit.com.  IN  A  172.17.64.22
 www.reskit.com.  IN  A  172.16.64.11
 www.reskit.com.  IN  A  172.18.64.33

Subnet prioritization prevents the resolver from choosing the first IP address returned in the DNS query and using the DNS server’s round robin feature (defined in RFC 1794.) With round robin enabled, the server rotates the order of resource records returned when multiple A resource records exist for a queried DNS domain name.

Thus, in the example described earlier, if a user queried for www.reskit.com, the name server replies to the first client request by ordering the addresses as follows:

 172.16.64.11
 172.17.64.22
 172.18.64.33

It replies to the second client request by ordering the addresses as follows:

 172.17.64.22
 172.18.64.33
 172.16.64.11

It replies to the third client request by ordering the addresses as follows:

 172.18.64.33
 172.16.64.11
 172.17.64.22

With round robin enabled, if clients are configured to use the first IP address in the list that they receive, different clients will use different IP addresses, thus balancing the load among multiple network resources with the same name. However, if the resolvers are configured for subnet prioritization, the resolvers reorder the list to favor IP addresses from networks to which they are directly connected, reducing the effectiveness of the round robin feature.

Although subnet prioritization does reduce network traffic across subnets, in some cases you might prefer to have the round robin feature work as described in RFC 1794. If so, you can disable the subnet prioritization feature on your clients by adding the registry entry PrioritizeRecordData with a value of 0 (REG_DWORD data type) in the following registry subkey:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters
 
[...]
===========
[/End Quote]
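The two mechanisms in the quote above, as an added Python example that is not part of this article or of Microsoft's documentation: a server that rotates the www.reskit.com answer set when round robin is on, and a client that stable-sorts the answers so addresses on its own subnet come first. The /24 mask used to decide what "directly connected" means is an assumption of this example, chosen because the quoted example uses Class C networks.

```python
"""Round robin on the server and subnet prioritization on the client, for the
www.reskit.com records quoted above. Added example, not code from the page."""
import ipaddress

# The three A records from the quoted example, in database order.
RESKIT_RECORDS = ["172.16.64.11", "172.17.64.22", "172.18.64.33"]


class RoundRobinServer:
    """Answers with the record set rotated one position per query when the
    server's round robin feature is enabled, else in database order."""

    def __init__(self, records, round_robin=True):
        self.records = list(records)
        self.round_robin = round_robin
        self.queries = 0

    def answer(self):
        shift = self.queries % len(self.records) if self.round_robin else 0
        self.queries += 1
        return self.records[shift:] + self.records[:shift]


def answer_sequence(n, round_robin=True):
    """The answer lists n successive clients receive from one server."""
    server = RoundRobinServer(RESKIT_RECORDS, round_robin)
    return [server.answer() for _ in range(n)]


def prioritize_by_subnet(answers, client_ip, prefix_len=24, enabled=True):
    """Client-side subnet prioritization: a stable sort that moves addresses
    on a subnet the client is directly connected to ahead of the rest while
    keeping the server's order otherwise. The /24 mask is an assumption of
    this example (the quoted example uses Class C networks)."""
    if not enabled:
        return list(answers)
    local_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    return sorted(answers, key=lambda a: ipaddress.ip_address(a) not in local_net)


def simulate(client_ip, queries, round_robin=True, prioritize=True):
    """Address that each of `queries` successive clients on client_ip's
    subnet would actually connect to (clients use the first address)."""
    server = RoundRobinServer(RESKIT_RECORDS, round_robin)
    return [prioritize_by_subnet(server.answer(), client_ip, enabled=prioritize)[0]
            for _ in range(queries)]


if __name__ == "__main__":
    for order in answer_sequence(3):
        print("server answer:", order)
    print("resolver at 172.17.64.93 reorders:",
          prioritize_by_subnet(RESKIT_RECORDS, "172.17.64.93"))
    print("with prioritization:", simulate("172.17.64.93", 3))
    print("without prioritization:", simulate("172.17.64.93", 3, prioritize=False))
```

Running simulate("172.17.64.93", 3) shows three successive clients on that subnet all picking 172.17.64.22 even though the server rotated its answers, which is the reduced round robin effectiveness the quote describes; with prioritize=False the same three queries land on three different servers, and a client on a subnet none of the servers share (say 10.0.0.5) sees plain round robin either way.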

 

Windows 2003 and newer Operating Systems Subnet Prioritization Feature Defaults to a Class C Subnet

Yep, that's correct! Keep in mind that Windows 2003 and newer DNS servers are set by default to treat the local subnet as a Class C (/24). If the environment uses anything other than a Class C, all DNS servers must be configured with the mask that is actually in use.

The process involves a little binary math. We need to define the host portion of the mask that netmask ordering should use for the environment's subnet; otherwise DNS will not reorder the records correctly, and the results will not be what you expect when testing the feature.

This is done with the DNSCMD command.

For example, the DNSCMD command that sets the default value for a 255.255.255.0 subnet is:
Dnscmd /Config /LocalNetPriorityNetMask 0x000000FF

For anything other than a Class C, we need to alter the "/LocalNetPriorityNetMask" value to match the environment's subnet.

The value is hexadecimal. The last two characters in the Class C value ("0x000000FF") are "FF", which is 1111 1111 in binary: eight bits set, one for each host bit of the mask. In other words, the value marks the host bits, the opposite of what some may expect when looking at a subnet mask in binary.

Taking that into account, here is a simple table with the base Class subnets:

For the base Classes, the values are:

Netmask          LocalPriorityNet
255.255.255.0    0x000000FF
255.255.0.0      0x0000FFFF
255.0.0.0        0x00FFFFFF

To set it for something other than the default classes, for example a /22 (255.255.252.0, or 11111111.11111111.11111100.00000000), we see there are 10 host bits. Set those 10 bits to 1 and you get 1111111111, which converts to hex 3FF. Therefore the command is:
Dnscmd /Config /LocalNetPriorityNetMask 0x000003FF

Another example: for a /27 (255.255.255.224, or 11111111.11111111.11111111.11100000), the 5 host bits set to 1 give 11111, which converts to hex 1F, so the command is:
Dnscmd /Config /LocalNetPriorityNetMask 0x0000001F

Keep in mind, whatever the setting is, it MUST be set on ALL DNS servers in the environment.
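The /22 and /27 conversions above, generalized to any mask or prefix length. This is an added example, not code from the article: it derives the host-bit count from a dotted mask or a prefix, produces the LocalNetPriorityNetMask value and the matching Dnscmd command, and rejects a mask whose one bits are not contiguous. It writes the value in uppercase hex, where the article's tables mix cases.

```python
"""Derive the LocalNetPriorityNetMask value and the Dnscmd command from a
subnet mask or prefix length. Added example, not code from the article."""
import ipaddress


def host_bits(mask):
    """Host bits in a dotted mask ('255.255.252.0') or a prefix ('/22' or 22).
    A mask whose one bits are not contiguous is rejected with ValueError."""
    text = str(mask).strip().lstrip("/")
    # ip_network validates the mask: '255.255.0.255' is neither a netmask
    # nor a hostmask and raises ValueError, as does a prefix above 32.
    network = ipaddress.ip_network(f"0.0.0.0/{text}")
    return 32 - network.prefixlen


def is_valid_mask(mask):
    """True when host_bits() accepts the mask."""
    try:
        host_bits(mask)
        return True
    except ValueError:
        return False


def local_net_priority_netmask(mask):
    """All host bits set to 1, formatted as the 8-digit hex value the
    article's table uses (uppercase here; the table mixes cases)."""
    return f"0x{(1 << host_bits(mask)) - 1:08X}"


def dnscmd_command(mask):
    """The command to run on every DNS server for this subnet mask."""
    return f"Dnscmd /Config /LocalNetPriorityNetMask {local_net_priority_netmask(mask)}"


def binary_mask(mask):
    """Dotted binary form of the mask, as written in the article's table."""
    network = ipaddress.ip_network(f"0.0.0.0/{32 - host_bits(mask)}")
    return ".".join(f"{octet:08b}" for octet in network.netmask.packed)


if __name__ == "__main__":
    for m in ("255.255.255.0", "/22", "255.255.255.224", "/16", "/8"):
        print(f"{m:16} {binary_mask(m)}  {dnscmd_command(m)}")
```

Feed it the mask from the server's own NIC configuration and compare the printed value against what is set on every DNS server; a mismatch on any one server gives that server's clients a different ordering from the rest.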

Table: NetMasks broken down by CIDR to the necessary LocalPriorityNet Value
Note: Of course, some of the values can't be used in practice, but I created the table to show all possible binary values.

NetMask           Binary                               CIDR  Comments                 LocalPriorityNet Value

255.255.255.255   11111111.11111111.11111111.11111111  /32   Host (single address)    0x00000000
255.255.255.254   11111111.11111111.11111111.11111110  /31   Unusable                 0x00000001
255.255.255.252   11111111.11111111.11111111.11111100  /30   2 usable                 0x00000003
255.255.255.248   11111111.11111111.11111111.11111000  /29   6 usable                 0x00000007
255.255.255.240   11111111.11111111.11111111.11110000  /28   14 usable                0x0000000F
255.255.255.224   11111111.11111111.11111111.11100000  /27   30 usable                0x0000001F
255.255.255.192   11111111.11111111.11111111.11000000  /26   62 usable                0x0000003F
255.255.255.128   11111111.11111111.11111111.10000000  /25   126 usable               0x0000007F
255.255.255.0     11111111.11111111.11111111.00000000  /24   "Class C", 254 usable    0x000000FF

255.255.254.0     11111111.11111111.11111110.00000000  /23   2 Class C's              0x000001FF
255.255.252.0     11111111.11111111.11111100.00000000  /22   4 Class C's              0x000003FF
255.255.248.0     11111111.11111111.11111000.00000000  /21   8 Class C's              0x000007FF
255.255.240.0     11111111.11111111.11110000.00000000  /20   16 Class C's             0x00000FFF
255.255.224.0     11111111.11111111.11100000.00000000  /19   32 Class C's             0x00001FFF
255.255.192.0     11111111.11111111.11000000.00000000  /18   64 Class C's             0x00003FFF
255.255.128.0     11111111.11111111.10000000.00000000  /17   128 Class C's            0x00007FFF
255.255.0.0       11111111.11111111.00000000.00000000  /16   "Class B"                0x0000FFFF

255.254.0.0       11111111.11111110.00000000.00000000  /15   2 Class B's              0x0001FFFF
255.252.0.0       11111111.11111100.00000000.00000000  /14   4 Class B's              0x0003FFFF
255.248.0.0       11111111.11111000.00000000.00000000  /13   8 Class B's              0x0007FFFF
255.240.0.0       11111111.11110000.00000000.00000000  /12   16 Class B's             0x000FFFFF
255.224.0.0       11111111.11100000.00000000.00000000  /11   32 Class B's             0x001FFFFF
255.192.0.0       11111111.11000000.00000000.00000000  /10   64 Class B's             0x003FFFFF
255.128.0.0       11111111.10000000.00000000.00000000  /9    128 Class B's            0x007FFFFF
255.0.0.0         11111111.00000000.00000000.00000000  /8    "Class A"                0x00FFFFFF

254.0.0.0         11111110.00000000.00000000.00000000  /7                             0x01FFFFFF
252.0.0.0         11111100.00000000.00000000.00000000  /6                             0x03FFFFFF
248.0.0.0         11111000.00000000.00000000.00000000  /5                             0x07FFFFFF
240.0.0.0         11110000.00000000.00000000.00000000  /4                             0x0FFFFFFF
224.0.0.0         11100000.00000000.00000000.00000000  /3                             0x1FFFFFFF
192.0.0.0         11000000.00000000.00000000.00000000  /2                             0x3FFFFFFF
128.0.0.0         10000000.00000000.00000000.00000000  /1                             0x7FFFFFFF
0.0.0.0           00000000.00000000.00000000.00000000  /0    IP subnet definition     0xFFFFFFFF

You can use the Dnscmd.exe command Dnscmd /Config /LocalNetPriorityNetMask 0x000000FF to restore the Windows Server 2003 default setting.

More info on this value and setting:

Description of the netmask ordering feature and the round robin feature in Windows Server 2003 DNS
http://support.microsoft.com/kb/842197

 

Windows Vista, Windows 7 and Windows 2008 Behave Differently Compared to Older Operating Systems

Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 handle subnet prioritization a bit differently than XP or 2000. The following article has more info. Keep in mind that it doesn't mention Windows 7 or Windows 2008 R2 directly (unless Microsoft updates the KB), but it applies to Windows 7, Windows 2008 R2 and future operating systems:

Windows Vista and Windows Server 2008 DNS clients do not honor DNS round robin by default
http://support.microsoft.com/kb/968920

Check the following registry entry. With a value of 1, it disables netmask ordering:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DWORD = OverrideDefaultAddressSelection
Value data: = 1

DNS Round Robin and Destination IP address selection (talks about differences with Vista and 2008 non R2)
http://blogs.technet.com/b/networking/archive/2009/04/17/dns-round-robin-and-destination-ip-address-selection.aspx

However, AD Sites should prevail in an AD environment. An AD client's GetDcList functions use Sites to determine which DC or GC to communicate with.

In short:

Set the registry entry to 0 and the newer operating systems behave like the older operating systems. If there is no entry, which is the default, the effect is the same as an entry equal to 1, that is, no subnet mask preference.

To see subnet mask ordering work on a Windows 7 client, you need to set up the following entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DWORD = OverrideDefaultAddressSelection
Value data: = 0

Summary:


If Active Directory Sites Are Involved with AD Aware Services:

AD Sites provide two basic things: logon and authentication control, to limit the auth request to only a GC/DC in its own site, and replication traffic control between Sites. Replication is compressed in Site to Site communications, which is good for the WAN link. AD enabled apps also use AD Sites.

You would first create a new Site, giving it a unique Site Name. Then create an IP Subnet Object that represents the subnet or subnets of the location (you can create multiple IP Subnet Objects if needed), then associate the IP Subnet to the Site Name.

In the Site link, you will notice the default replication period is 3 hours. You can chop that down to as low as 15 minutes. You can't go lower, because that is the maximum time allotted for all DCs within a site to replicate changes between each other. If DCs are added, the KCC jumps in and re-evaluates the intra-site connection objects between DCs to optimize and keep within the 15 minute allotment.

A standalone server would rely simply on DNS' ability to provide responses either as subnet prioritized, or round robin.

AD Sites, however, work for AD enabled services and entities (such as Exchange, client machines, etc), so AD aware apps and services add an extra twist that can be used to your advantage. That was why I was asking if you are using ISA. ISA can be published into AD, and set by GPO. This way a client in SiteA will always use the ISA in SiteA.

However, if standalone servers are in use, you can disable Round Robin.

 

References

Optimizing DNS - This article shows a brief description of and numerous How-To's regarding DNS parameter configuration settings and how to change them.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, as well as Windows 2008 and Windows 2008 R2.
http://technet.microsoft.com/en-us/library/cc757837(WS.10).aspx

Ace Fekay

Configuring DNS Search Suffixes

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer

First published 2/12/2011

 

Preface

The search suffix is used by the client side resolver to append a suffix to a DNS query.

For example, if I were to ping a hostname called "serverName" and a search suffix has been configured, whether automatically (by joining a domain) or manually (by one of the methods discussed below), the resolver appends the search suffix to my query.

For example, if there is a suffix configured for "domain.com" and I type "ping serverName," the resulting query will be "serverName.domain.com." If there is no suffix, it will just ping the single name.

More on how the client side resolver algorithm works can be found in my other blog:

DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted SMB (DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm if you have multiple forwarders.
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

 

More on Suffixes

By default, a freshly installed machine, out of the box, has no Suffixes created.

When you join a machine to an Active Directory domain, the machine takes on the domain's DNS FQDN as the Primary DNS Suffix. The Primary DNS Suffix also becomes the default Search Suffix, and will apply to all interfaces on the machine.

For example, if a machine is not joined to an AD domain, and no search suffixes have been configured (out of the box), the top portion of an ipconfig /all would look like this. Notice there are no suffixes:


C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : TestBox
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No


If the AD domain name is 'domain.com' and the machine was joined to the domain, the top portion of an ipconfig /all would look like this:

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : TestBox
   Primary Dns Suffix  . . . . . . . : domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.com


If the AD domain name is a child domain, such as childDomain.domain.com, the ipconfig /all would look like this. Notice how the Search Suffix is configured to devolve the parent domain, which is an automatic function. This can be altered or disabled, in the NIC's properties (IP properties, Advanced, DNS tab -> "Append parent suffixes of the primary DNS suffix"), a GPO or in the registry.

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : TestBox
   Primary Dns Suffix  . . . . . . . : childDomain.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : childDomain.domain.com
                                                           domain.com
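
A small parser for the "Windows IP Configuration" header of ipconfig /all, written as an added example (not code from the article). It reads the labelled fields and treats the unlabelled, indented continuation lines, like the second entry of the DNS Suffix Search List in the child-domain output above, as further values of the previous field, then reports whether the machine has a Primary DNS Suffix at all. The three sample outputs embedded in the block are constructed to match the three cases shown above.

```python
"""Parse the 'Windows IP Configuration' header printed by ipconfig /all.
Added example, not code from the article. The sample outputs below are
constructed to match the workgroup, domain-joined and child-domain cases."""
import re

# "Field name . . . . : value": a name, dot leaders, a colon, the value.
FIELD_RE = re.compile(r"^\s+(?P<name>[A-Za-z][A-Za-z /]*?)[ .]*:\s*(?P<value>.*)$")

IPCONFIG_WORKGROUP = r"""
C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : TestBox
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
"""

IPCONFIG_JOINED = r"""
C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : TestBox
   Primary Dns Suffix  . . . . . . . : domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.com
"""

IPCONFIG_CHILD = r"""
C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : TestBox
   Primary Dns Suffix  . . . . . . . : childDomain.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : childDomain.domain.com
                                       domain.com

Ethernet adapter Local Area Connection:
"""


def parse_ipconfig_header(text):
    """Return the header fields as a dict. A field followed by indented
    lines with no label (the search list prints its extra entries that way)
    becomes a list. Parsing stops at the first unindented line after the
    fields, which is where the per-adapter sections begin."""
    fields = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            if fields:
                break          # "Ethernet adapter ...:" reached
            continue           # prompt line or "Windows IP Configuration"
        m = FIELD_RE.match(line)
        if m:
            last = m.group("name").strip()
            fields[last] = m.group("value").strip()
        elif last is not None:
            prev = fields[last]
            fields[last] = (prev if isinstance(prev, list) else [prev]) + [line.strip()]
    return fields


def search_list(fields):
    """The DNS Suffix Search List as a list; absent or empty gives []."""
    value = fields.get("DNS Suffix Search List", "")
    if isinstance(value, list):
        return value
    return [value] if value else []


def summarize(text):
    """Host name, Primary DNS Suffix (empty on a workgroup box) and search list."""
    fields = parse_ipconfig_header(text)
    return {"host": fields.get("Host Name", ""),
            "primary_suffix": fields.get("Primary Dns Suffix", ""),
            "search_list": search_list(fields)}


if __name__ == "__main__":
    for sample in (IPCONFIG_WORKGROUP, IPCONFIG_JOINED, IPCONFIG_CHILD):
        print(summarize(sample))
```

Pipe the real output in (for example, save ipconfig /all to a file and pass its contents to summarize) to spot machines whose Primary DNS Suffix is empty; those are the ones that will query single names unqualified.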

 

Windows 7, Windows 2008 & Windows 2008 R2 Devolution Nuances

With Windows 2003 and older, what you see above is the default behavior, that is, to append the parent suffix. However, with Windows 7, Windows 2008 and Windows 2008 R2 this was changed: these operating systems by default changed the way the "Append parent suffixes of the primary DNS suffix" setting (also known as "devolution") works. Even if you have the "Append parent suffixes of the primary DNS suffix" setting enabled, the devolved parent zone is still handled differently.

To fix it and make the newer operating systems work like 2003 and older, you have to make some changes. Read the following nicely assembled article for specifics on how to handle this with registry entries, if you feel this is affecting your environment:

Windows 2008 Append parent suffixes of the primary DNS suffix does not work
http://networkadminkb.com/kb/Knowledge%20Base/Windows2008/Windows%202008%20Append%20parent%20suffixes%20of%20the%20primary%20DNS%20suffix%20does%20not%20work.aspx


More info on this from Microsoft:

DNS Devolution (Published: October 21, 2009, Updated: July 7, 2010)
Applies To: Windows 7, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ee683928(WS.10).aspx

 

Multi-Domain Forests with two or more child domains

If you are in a multi-domain forest with two or more child domains, besides understanding the suffixes that need to be added, you'll also need to understand your DNS design options in this type of scenario. More on this in my other blog:

DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation
http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx

If the environment includes Windows 7, 2008 & R2, you may want to take a look at the subsection in the section above on the nuances of the newer operating systems and how to deal with it.

 


Choices to Configure a Suffix

In some scenarios you need to populate additional suffixes: either in an AD environment with multiple child domains, where you need the suffixes of the other child domains, or on a non-joined machine (such as a home user machine in a workgroup) that needs to resolve names in partner or other specific zones. You can add them in a variety of ways, some of which are:

With Active Directory

  • Group Policy
  • WSH script, Registry script, or some other type of scripting
  • DHCP Option 015 (however this has its limits)
  • DHCP Option 119 or DHCP Option 135 (not supported with Windows DHCP and Windows clients)


In a Workgroup

  • DHCP Option 015 (however this has its limits)
  • Local Group Policy
  • WSH Script, Registry script, or some other type of scripting
  • DHCP Option 119 or DHCP Option 135 (not supported with Windows DHCP and Windows clients)

 


Using Group Policy

If you are in an AD environment, this is a great option to populate a custom Search Suffix for all interfaces on a machine. It's easy, too, because it's done once and it's automatic. It works for Windows 2008R2, 2008, Windows 7, Vista, 2003, XP,  and all newer operating systems. If you're still using Windows 2000 Active Directory, you'll need to upgrade the GPOs using a Windows 2003 or XP machine.

Upgrading Windows 2000 Group Policy for Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;307900

Group policies for DNS in Windows Server 2003 and newer
http://support.microsoft.com/kb/294785

After the GPOs have been upgraded, or if the system is already at the latest operating system version and service packs, expand the Group Policy section to add the custom search list at the following location:

Computer Configuration
   -Administrative templates
         -Network
               -DNS Client

Also...

Take a look at the following article. You will want to alter the Primary DNS Suffix Devolution value. Just make sure you document it, so that when the day comes that you no longer want it, you don't go crazy trying to figure out where it's coming from. You would be surprised how often this question comes up, and one of the suggestions is always to check whether the setting is coming from a GPO.

It refers to the registry key controlled by the GPO; the GPO overrides the standard internal registry setting at:
HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\UseDomainNameDevolution

If you want to kill the devolution tickbox, have a look at this article:
http://www.insidetheregistry.com/regdatabase/viewvalue.asp?valueid=320


Just a reminder, you do not want to alter the Default Domain Policy GPO or the Default Domain Controllers GPO. You would want to create a separate GPO, and link it to the OU where the computers reside that you want apply the suffix.

 

 

Scripting

You could also populate the registry key with a WSH or VBScript script if you don't want to pull in the extra ADMX GPO template. Note that this forces the client to resolve hosts ONLY in internal.domain.com, or whatever list you specify:

---
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SearchList"="domain1.com,domain2.com"
---


Or use the command:
reg add HKLM\system\currentcontrolset\services\tcpip\parameters /v "SearchList" /d "domain1.com,domain2.com" /f


The key thing to observe with manual suffix lists, (from KB275553, link below), is that if you distribute a suffix list then it blocks devolution and use of primary or connection-specific suffixes... therefore you'll want to enter the list carefully with exactly what you need.

How to configure a domain suffix search list on the Domain Name System clients
http://support.microsoft.com/?id=275553
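The name-building side of what this article describes, as an added Python example (not code from the article, from Microsoft, or from the linked KB): given a single-label name and the suffix settings, it returns the fully qualified names the resolver would try, in order. It models the Windows 2003 and older behavior from the examples above (primary suffix first, then its devolved parents down to the second-level domain, then the connection-specific suffix) and the KB275553 rule just quoted, that a manually distributed SearchList replaces all of that. The stopping point for devolution is a parameter, since the article says the newer operating systems change it.

```python
"""Names the client side resolver tries for a single-label query, under the
suffix rules the article describes. Added example, not code from the page or
from Microsoft. Modelled: a manual SearchList replaces the primary suffix and
devolution (KB275553); otherwise the primary DNS suffix is tried first, then,
with devolution on, its parents down to the second-level domain (Windows 2003
and older), then the connection-specific suffix."""


def devolve(primary_suffix, stop_at_labels=2):
    """childDomain.domain.com -> ['childDomain.domain.com', 'domain.com'].
    stop_at_labels is where devolution stops: 2 matches 2003 and older and is
    an assumption of this example for the newer systems the article says
    behave differently."""
    labels = [label for label in primary_suffix.strip(".").split(".") if label]
    out = []
    while len(labels) >= stop_at_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def candidate_fqdns(name, primary_suffix="", connection_suffix="",
                    search_list=None, devolution=True):
    """Ordered list of fully qualified names the resolver will query for
    `name`. Names that already contain a dot are returned as typed; the
    multi-label rules are outside this example."""
    name = name.rstrip(".")
    if "." in name:
        return [name]
    if search_list:
        # A manual SearchList blocks devolution and the primary and
        # connection-specific suffixes: exactly these entries are used.
        return [f"{name}.{suffix.strip('.')}" for suffix in search_list]
    if devolution:
        suffixes = devolve(primary_suffix)
    else:
        suffixes = [primary_suffix.strip(".")] if primary_suffix else []
    conn = connection_suffix.strip(".")
    if conn and conn not in suffixes:
        suffixes.append(conn)
    # With no suffix at all the single name is queried as typed.
    return [f"{name}.{suffix}" for suffix in suffixes] or [name]


if __name__ == "__main__":
    print(candidate_fqdns("serverName", primary_suffix="childDomain.domain.com"))
    print(candidate_fqdns("serverName", primary_suffix="childDomain.domain.com",
                          search_list=["domain1.com", "domain2.com"]))
```

The second call in the usage block is the point of the KB275553 warning: once "domain1.com,domain2.com" is pushed out as a SearchList, serverName.childDomain.domain.com is never tried, so a list that omits the machine's own domain breaks resolution of internal single-label names.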

 


DHCP Option 015

You can assign a connection specific DNS suffix using DHCP option 015, which is added to the search list. But, you can assign only one DNS suffix per client using this DHCP Option.

Because it's called the "Connection Specific Suffix," it's only good for the specific connection that received a DHCP assignment. This means that the connection that receives its configuration from DHCP gets this suffix as a Search Suffix.

To illustrate what this means, you can test it by setting a suffix in Option 015 that's different from the domain's zone name. First, if the AD domain's zone name is 'domain.com,' then the Primary DNS Suffix becomes 'domain.com' when you join the machine to the domain, and the Primary DNS Suffix also becomes the default Search Suffix. Now in DHCP Option 015, configure 'domain1.com' as the connection specific suffix. Then go to the workstation and run ipconfig /release and ipconfig /renew. You will now see the suffix you configured in Option 015 in addition to the machine's default.

So if you are trying to simply add one additional suffix, this will work for your DHCP clients. However, if you're trying to add more than one additional suffix, and/or if you have numerous statically configured machines (such as servers), then a GPO will be the better alternative, which Tiger and JM already suggested.

 

DHCP Option 119

DHCP Option 119 is not supported by Windows DHCP or Windows clients. With non-Windows DHCP servers and clients, Option 119 populates Search Suffixes as defined in RFC 3397.

RFC 3397 - Dynamic Host Configuration Protocol (DHCP) Domain Search Option
www.faqs.org/rfcs/rfc3397.html

 

DHCP Option 135

You can use DHCP Option 135, however DHCP Option 135 is not supported by Microsoft DHCP. DHCP Option 135 is usually used for devices such as phone systems, based on RFC 4578 (unless it was superseded, or it superseded a prior one defining such an option value). Take a look at the list of DHCP options in the following article, but keep in mind that Microsoft does not support all of them, and many are used by IP based device manufacturers.

RFC 4578 - Dynamic Host Configuration Protocol (DHCP) Options for the Intel Preboot eXecution Environment (PXE)
http://www.faqs.org/rfcs/rfc4578.html

DHCP and BootP Options
http://www.networksorcery.com/enp/protocol/bootp/options.htm

You can *possibly* create the option in DHCP, but that would require some testing on your part.
http://www.isaserver.org/img/upl/isaedukit/5automate/5automate_files/image057.jpg

 

Summary

If in an Active Directory environment, you'll find it much easier to populate suffixes using a GPO.

If in a workgroup, you can use DHCP Option 015, or a script. But as I mentioned above, Option 015 is just the "connection specific suffix," which only the interface that gets a DHCP configuration from this scope will apply to, meaning that if there are additional interfaces, they will not receive it. The GPO method applies to the machine for all interfaces.

 


Ace Fekay

DNS Dynamic Updates in a Workgroup

==================================================================
==================================================================
Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
   Microsoft Certified Trainer
   Microsoft MVP: Directory Services
   Active Directory, Exchange and Windows Infrastructure Engineer and Janitor

www.delcocomputerconsulting.com

Prelude

So the machines and devices you want to register into DNS are not in an Active Directory. Therefore, that means none of your Windows computers have been configured with a Primary DNS Suffix. When you join a computer to a domain, one of the many things that occur on the computer is that the Primary DNS Suffix is automatically configured, which matches the name of the AD DNS domain name, which should also be identical to the DNS zone name.

And further, as we already know, that’s what a computer needs to register into a zone with the same name. If you weren’t aware of this basic requirement, you can catch up on how Dynamic DNS registration works by reading my other blog:

AD & Dynamic DNS Updates Registration Rules of engagement
http://blogs.msmvps.com/acefekay/2012/11/19/ad-dynamic-dns-updates-registration-rules-of-engagement

Primary DNS Suffix

However, workgroup computers normally do not have a Primary DNS Suffix, unless you’ve already manually configured all of them. Neither do other devices, such as mobile phones, tablets and other non-Microsoft products.

No fret. We can make this work without a Primary DNS Suffix. After all, non-Windows devices, such as phones and tablets, do not have such a setting to configure.

There are actually a number of ways to get this to work. One way is to force the Primary DNS Suffix on your Windows workgroup computers by using a registry script (outlined later below). However, that will only be good for your Windows computers. What about those non-Windows devices?

To register your Windows computers and non-Windows devices, an easier way to go about it is to use Windows Server DHCP to register all leases into the DNS zone. We can do this by using the DHCP service on a non-AD joined Windows Server, configured with DHCP credentials and DHCP Option 015, and set to force all leases to register into the zone whether or not the device has the ability to register on its own.

The credentials allow DHCP to own the record, so in case the device leaves and returns at a later date with a new IP, the DHCP service can update the old host record in DNS with the new IP. Without credentials, the device will update, but DHCP may not be able to update the device’s old record, and you may wind up with duplicate host entries in the zone. Of course, we wouldn’t want that.

Use Windows DHCP to Force Register All Leases

The first thing we need is a Windows Server with the DHCP and DNS services installed and running. To provide a 30,000’ view of what’s involved, we start by creating a regular, non-Administrator, local user account on the server that will be used to configure the DHCP scope to use as credentials for registration. And to stress what I just said, it does NOT have to, nor should it be, an Administrator account. It should just be a plain-Jane user account, but give it a really strong password. In an AD domain environment, the credentials would be a plain-old AD Domain User account. But in this case, it’s a local User account. Then configure DHCP to force update all records, whether the entity can register or not.

Zone’s NS & SOA Entries

For the DNS service to work properly, the DNS server itself must have its own host (A) record registered in the zone, as well as an NS record for itself in the zone’s properties. This means that the Windows server DNS is installed on must be configured with a Primary DNS Suffix matching one of the zones that DNS is authoritative for (meaning that DNS hosts the zone). We usually pick the main zone for the company environment. Once that is configured, this part occurs automatically. If the server doesn’t have a Primary DNS Suffix, this automatic part will not happen.

You can easily tell whether any Windows computer has a Primary DNS Suffix with a simple ipconfig /all. However, I’m sure you already know whether your server has one configured or not, since this must be done manually on a workgroup computer. As stated, an AD joined computer (server or workstation) automatically configures itself with a Primary DNS Suffix that matches the AD DNS domain name.

Detailed Steps:

  1. First, assuming you haven’t already installed DNS and created a zone in DNS, let’s go ahead and install and create your zone.
    1. You can install the DNS service Role (yes, it’s a Role, not a Feature) using Server Manager in Windows Server 2008, 2008 R2, 2012, and newer.
    Install a DNS Server
    http://technet.microsoft.com/en-us/library/cc725925.aspx
    2. Once installed, create your zone, such as adatum.com. Also in the zone properties, make sure you allow Updates. Note that with DNS on a non-DC, the only options are “None” or “Nonsecure and secure,” so “Nonsecure and secure” is the one to pick.

  • Obviously it’s important that the DNS & DHCP server is set to a static IP configuration. Pick an IP, and stick to it. Then make sure that the server itself is ONLY using its own IP for the DNS entry in its NIC. No others must be in here, otherwise you’ll get unexpected and possibly undesired results.
    1. I need to stress that this is extremely important.
    2. If you have any computers in the environment that have a static IP address configured (not getting an IP from DHCP), you must also make sure they are configured with only your own Windows DNS server’s IP.
    3. If you’ve configured it with your ISP’s DNS, because you thought that’s what you need for internet resolution, then that’s wrong, and more importantly, that computer will not register nor be able to resolve internal hosts.
    4. Same thing using your router (either ISP provided, or something you bought from a retail store such as a Linksys, Dlink, etc). Do not use your router as a DNS address. They are not DNS servers, and they only proxy to an external DNS, which is useless if you are running DNS internally.
    5. And no, you CAN’T mix internal and external DNS entries. It doesn’t work that way. It’s not a DNS server thing; rather, it’s based on how the DNS client, specifically the client side resolver algorithm, works. For a technical explanation for the technically curious, please read my blog explaining it:
       http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
    6. The DNS server can use Root Hints to resolve internet names. Or you can configure a Forwarder:
       Configure a DNS Server to Use Forwarders – Windows 2008 and 2008 R2 (Includes info on how to create a forwarder)
       http://technet.microsoft.com/en-us/library/cc754941.aspx

  • Configure a Primary DNS Suffix on the Windows servers that host DNS. To do that:
    Go to Start
    Right-click Computer, Properties
    On the Computer Name tab click Change settings
    Then click Change
    Then click More
    Type your domain name here.
    Click OK a few times, and restart the server.


  • After the restart, make sure it registered into your zone, for example, contoso.com. You can simply check by running ipconfig /all. Look for the Primary DNS Suffix name.

    For more information on all the info that an ipconfig /all provides, please read the following:
  • Why do we ask for an ipconfig /all, when we try to help diagnose AD issues and other issues?
    http://blogs.msmvps.com/acefekay/2013/03/02/why-do-we-ask-for-an-ipconfig-all-when-we-try-to-help-diagnose-ad-issues/
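
    The static-DNS rule above and the suffix/registration check can be audited and fixed from PowerShell instead of clicking through each NIC. This is an added example, not code from the original post: it assumes Windows 8 / Server 2012 or later (DnsClient and NetTCPIP modules), and the server IPs and zone name are placeholders you replace with your own.

```powershell
# Added example (not from the original post). Audits the local machine's DNS
# client configuration against the internal DNS servers you actually run,
# repairs any interface that points elsewhere, and confirms the primary DNS
# suffix and A-record registration. Assumes Windows 8 / Server 2012 or later
# (DnsClient and NetTCPIP modules); IPs and zone name are placeholders.
$InternalDns = @('192.168.10.5', '192.168.10.6')   # your AD DNS servers (assumed)
$AdZone      = 'contoso.com'                        # your AD DNS zone (assumed)

function Get-ExternalDnsEntries {
    # Returns every (interface, server) pair that is not one of your internal DNS servers
    param([string[]]$Allowed)
    $bad = @()
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            foreach ($ip in $_.ServerAddresses) {
                if ($Allowed -notcontains $ip) {
                    $bad += [pscustomobject]@{ Interface = $_.InterfaceAlias; Server = $ip }
                }
            }
        }
    return ,$bad      # empty means every interface points only at internal DNS
}

function Set-InternalDnsOnly {
    # Replaces the server list on one interface (ISP, router, whatever) with internal DNS only
    param([string]$InterfaceAlias, [string[]]$Allowed)
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $Allowed
}

function Test-SuffixRegistration {
    # Checks the primary suffix, then asks an internal server for this host's A record
    param([string]$Zone, [string]$DnsServer)
    $tcpip  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $suffix = $tcpip.'NV Domain'
    if ($suffix -ne $Zone) { return "Primary DNS suffix is '$suffix', expected '$Zone' (set it and reboot)" }
    $fqdn = "$env:COMPUTERNAME.$Zone"
    try {
        $answers = Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop
    } catch {
        return "No A record for $fqdn on $DnsServer (not registered yet; try ipconfig /registerdns)"
    }
    $local = @(Get-NetIPAddress -AddressFamily IPv4 | Where-Object PrefixOrigin -ne 'WellKnown').IPAddress
    foreach ($a in $answers) {
        if ($local -contains $a.IPAddress) { return "OK: $fqdn -> $($a.IPAddress)" }
    }
    return "Stale: $fqdn resolves to $($answers.IPAddress -join ', ') but this host has $($local -join ', ')"
}

$offenders = Get-ExternalDnsEntries -Allowed $InternalDns
if ($offenders.Count -gt 0) {
    $offenders | Format-Table -AutoSize
    $offenders.Interface | Select-Object -Unique |
        ForEach-Object { Set-InternalDnsOnly -InterfaceAlias $_ -Allowed $InternalDns }
    Register-DnsClient          # same as ipconfig /registerdns
}
Test-SuffixRegistration -Zone $AdZone -DnsServer $InternalDns[0]
```

    Internet resolution is the DNS server's job, not the client's: on the DNS server itself, use root hints or set forwarders (with the DnsServer module, Set-DnsServerForwarder -IPAddress followed by your ISP's resolver addresses), and keep the clients pointed only at your own servers.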

  • In the contoso.com zone properties, on the Name Servers tab, make sure the server registered itself. If not, manually add it by clicking Add, typing the server's FQDN, and clicking Resolve. If everything is configured correctly it will resolve. Click OK.

  • On the “Start of Authority (SOA)” tab click “Browse…” next to the Primary server field and browse for the server’s A record in the contoso.com zone. Click OK.

  • Repeat the Name Servers and SOA checks for the reverse zone, and for any other zones you've created in DNS.
  • DHCP Options
    1. DHCP Option 015 must be set to your zone, such as adatum.com. This supplies the connection-specific DNS suffix the client interface uses for registration, and the DHCP server uses the same zone when it registers records on a client's behalf.
    2. DHCP Option 006 must be set to only your internal DNS servers. Do not use your router as a DNS address (it's really not a DNS server anyway), or your ISP's DNS servers.

  • Configure scavenging. The NoRefresh and Refresh intervals combined should equal or exceed the DHCP lease length. For example, if the lease is 8 days, set NoRefresh to 4 days and Refresh to 4 days.
    More info:
  • Good article by Sean Ivey, MSFT:
    How DNS Scavenging and the DHCP Lease Duration Relate
    (Make the NoRefresh and Refresh each half the lease, so combined, they are equal or greater than the lease).
    http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx

  • In DHCP properties, DNS tab (note: this tab is actually the DHCP Option 081 handling, even though it doesn't say so), choose to always update DNS records whether or not the DHCP client asks, and enable updates for clients that cannot register themselves (older clients).

  • Configure a user account to be used for DHCP Credentials (as I said above), then go into DHCP, IPv4, properties, Advanced, Credentials, and enter the credentials.

  • Restart the DHCP service.
  • It should now work.
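
    The whole DHCP/DNS procedure above, done in one script. This is an added example, not from the original post: it uses the DhcpServer and DnsServer modules (Windows Server 2012 or later), and the scope, zone, server name and lease length are placeholders for your own values. The one rule it enforces in code is the scavenging one: NoRefresh plus Refresh must be at least the lease length.

```powershell
# Added example (not from the original post). Configures DHCP options 006/015,
# the DNS tab (option 081) behaviour, DHCP credentials, and zone aging so that
# scavenging lines up with the lease. Assumes the DhcpServer and DnsServer
# modules (Server 2012+); names, IPs and the lease length are placeholders.
$Zone        = 'adatum.com'                       # AD DNS zone (assumed)
$ScopeId     = '192.168.10.0'                     # DHCP scope (assumed)
$InternalDns = @('192.168.10.5', '192.168.10.6')  # internal DNS only, never ISP/router
$DnsServer   = 'dc1.adatum.com'                   # DNS server hosting the zone (assumed)
$Lease       = New-TimeSpan -Days 8

# Option 015 (DNS suffix) and 006 (DNS servers) on the scope, plus the lease
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsDomain $Zone -DnsServer $InternalDns
Set-DhcpServerv4Scope -ScopeId $ScopeId -LeaseDuration $Lease

# DNS tab / option 081: always update, also for clients that cannot, and clean up on expiry
Set-DhcpServerv4DnsSetting -ScopeId $ScopeId -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true -DeleteDnsRROnLeaseExpiry $true

# Plain domain user the DHCP server uses to own the records it registers
$cred = Get-Credential -Message 'DHCP DNS update account (plain domain user)'
Set-DhcpServerDnsCredential -Credential $cred
Restart-Service DHCPServer

function Get-ScavengingIntervals {
    # Half the lease each, so NoRefresh + Refresh >= lease (rounded up to whole seconds)
    param([timespan]$LeaseDuration)
    $half = New-TimeSpan -Seconds ([math]::Ceiling($LeaseDuration.TotalSeconds / 2))
    return @{ NoRefresh = $half; Refresh = $half }
}

function Test-ScavengingMatchesLease {
    # The check to run before you trust any existing aging settings
    param([timespan]$NoRefresh, [timespan]$Refresh, [timespan]$LeaseDuration)
    return ($NoRefresh + $Refresh) -ge $LeaseDuration
}

$iv = Get-ScavengingIntervals -LeaseDuration $Lease
if (-not (Test-ScavengingMatchesLease -NoRefresh $iv.NoRefresh -Refresh $iv.Refresh -LeaseDuration $Lease)) {
    throw 'Aging intervals shorter than the lease would scavenge live records'
}
Set-DnsServerZoneAging -Name $Zone -ComputerName $DnsServer -Aging $true `
    -NoRefreshInterval $iv.NoRefresh -RefreshInterval $iv.Refresh
# Aging on the zone is not enough: scavenging must also be switched on at the server
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true -ScavengingInterval $iv.Refresh
```

    Run it on the DHCP server as an account that is both a DHCP administrator and a DNS administrator; the Get-Credential prompt is for the separate, unprivileged update account, which should not be a DnsAdmin or Domain Admin.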

    Example of what you should see after it’s configured and working:


    Other notes and references:

    There are a number of ways to get this to work. Read the following discussion for more info:

    Technet thread: “Server 2008 R2: DNS records not dynamically registering in workgroup situation” 12/31/2010
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2380872f-2e71-49eb-8fbb-87f980920fc7/

    Registry summarized:

    Note that this will not work for your non-Windows devices, but I'm providing this information if you want to only configure your Windows computers.

    You can create a registry script and run it remotely against the interface on the workgroup machines using PsExec (a free Sysinternals download from Microsoft). Of course you must have local admin credentials on all the computers to run this remotely, the Remote Registry service started, and possibly antivirus software and the Windows Firewall configured to allow it.

    You’ll want to target and populate the following two registry entries with your zone name, such as adatum.com:

    • HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
    • HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\NV Domain

    Using the above two values, try this VBScript (save it as SetSuffix.vbs; the machine needs a reboot for the new suffix to take effect):
    ' Sets the primary DNS suffix on a workgroup machine; reboot afterwards.
    Set WSHShell = CreateObject("WScript.Shell")
    WSHShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\NV Domain", "adatum.com", "REG_SZ"
    WSHShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain", "adatum.com", "REG_SZ"

    If you are in an AD Environment

    Oh, and if you’re curious how DHCP should be configured in an AD environment to force updates, etc, read my blog on it, please:

    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a “pen” icon, and more…
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  

    Good summary:
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27

    Summary

    I hope you’ve found this helpful. Any suggestions, errors, comments, etc., are all welcomed!

    Ace Fekay

    How to Recover a Journal Wrap Error (JRNL_WRAP_ERROR) and a Corrupted FRS SYSVOL from a Good DC – What option do I use, D4 or D2? What’s the Difference between D4 and D2?


    Original: 11/21/2013
    Updated 8/30/2014

    Errata

    Ace here again. I'm working on updating all of my blogs. If you see any inconsistencies, please email me and let me know.

    Prologue

    Are you seeing Event ID 13508, 13568, and anything else related to SYSVOL, JRNL_WRAPS, or NTFRS?

    Note: I will not address Event ID 2042 or 1864. Those mean replication has not succeeded for longer than the AD tombstone lifetime. If you are seeing them, your best bet is to forcibly demote the machine, run a metadata cleanup, and re-promote it. Then, to prevent a recurrence, make sure your firewall and/or AV allow replication traffic, stop using the ISP's DNS or your router as a DNS address, and disable IP routing and WINS Proxy. And while you're at it, bump up your AD tombstone lifetime to 180 days.

    As for NTFRS, after talking to numerous folks, whether directly assisting a customer or through the TechNet forums, there seems to be some confusion about how to handle Journal Wrap errors, what caused them, and what the differences are between the D2 and D4 options. I'll try to quell this confusion in this blog, and provide an easy step-by-step with an explanation of each step, to get out of this error. Note: The steps are from Microsoft KB290762. I just thought to break them down further so a layman will understand them.

    Reference KB: Using the BurFlags registry key to reinitialize File Replication Service Replica Sets
    http://support.microsoft.com/kb/290762

    For Windows 2008/2008 R2/2012/2012 R2 with DFSR

    Follow this KB to fix it:

    How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like “D4/D2″ for FRS)
    http://support.microsoft.com/kb/2218556

    Backing Up and Restoring an FRS-Replicated SYSVOL Folder
    http://msdn.microsoft.com/en-us/library/windows/desktop/cc507518(v=vs.85).aspx 

    What Caused the Journal Wrap?

    First you have to ask yourself, what caused this error on my DC? What did I do to get here? A journal wrap means FRS fell so far behind the NTFS change journal on the SYSVOL volume that the journal wrapped past the last entry FRS had processed, so FRS can no longer tell what changed. In a nutshell, JRNL_WRAPS come down to SYSVOL corruption.

    The usual culprit can be a number of things:

    • Abrupt shutdown/restart. I don't usually see this unless there are power issues in the building with no power protection or UPS battery system.
    • Disk errors – corrupted sectors. This is a common issue with a DC on older hardware.
    • AV not configured to exclude SYSVOL, NTDS and the AD processes. This is the typical culprit I’ve seen in many cases.

    Ok, So what do I have to do to fix this?

    Getting yourself out of this quandary is rather simple. You might say "yeah, right, this is not so simple," but it really isn't that hard. It just requires a little understanding of what you have to do, which is simply copying a good SYSVOL folder and its subfolders from a good DC to the bad DC (the one with the errors).

    Basically, you first choose which DC is the good DC to be your "source" DC for the SYSVOL folder. Then you stop the NTFRS service on all DCs. Yes, NTFRS must be stopped on all DCs to perform this. Then set the registry value on the good DC and the bad DC. That's it. The process takes care of itself and resets the value back to default after it's done.

    • If you only have one DC, such as an SBS server, and SYSVOL appears OK, use it as the source; if not, restore just SYSVOL from a backup first. Then follow the specific steps I've outlined below.
    • If you have more than one DC, but few enough that you can stop NTFRS on all of them (as opposed to, say, 40 DCs), pick the best one as the source and set BurFlags to D2 on the bad DC and D4 on the good one.
    • If there are numerous DCs, such as in a large infrastructure, simply run dcpromo /forceremoval on the DC with the error, run a metadata cleanup, then re-promote it back into the domain. If you instead just unplug the DC and run a metadata cleanup, you will have to rebuild the DC from scratch. The forced removal strips the AD DS role off the machine without replicating anything, which allows you to re-promote it.

     

    To summarize:

    You have two choices as to a restore from a good DC using FRS:

    1. D2 is set on the bad DC: Non-Authoritative restore: Use the D2 option on the DC with the empty SYSVOL folder, or the SYSVOL folder with the incorrect data. This way it will get a copy of the current SYSVOL and other folders from the good DC that you set the BurFlags D4 option on.
    2. D4 is set on the good DC: Authoritative restore: Use the BurFlags D4 option on the DC that has a copy of the current policies and scripts folder (a good, not corrupted folder).

     

    The BurFlags option – D4 or D2? What do I use?

    The steps refer to changing a registry value called BurFlags. If the BurFlags value does not exist, simply create it. It's a DWORD value.

    More importantly, they refer to changing BurFlags to one of two values: D4 or D2. Therefore, before going further, I would like to squelch the confusion about what the D2 and D4 settings mean:

    D2/D4 – Which is which?

    • D2, also known as a Nonauthoritative mode restore – this gets set on the DC with the bad or corrupted SYSVOL
    • D4, also known as an Authoritative mode restore – use this on the DC with the good copy of SYSVOL.
    • You must shut the NTFRS service down on ALL DCs while you’re doing this until instructed to start it.
    • You’ll probably want to copy the current SYSVOL structure on the good DC to another folder as a backup prior to doing this.

    The D2 option on the bad DC will do two things:

    1. Moves the current contents of the SYSVOL folder into a folder called "Pre-existing." That folder is exactly what it says it is: your current data. This way, if you have to revert back to it, you can use the data in this folder.
    2. Then it replicates (copies) good data from the GOOD DC (D4) to the bad guy (D2).

    Once again, simply put:

    • The BurFlags D4 setting is “the Source DC” that you want to copy its good SYSVOL folder from, to the bad DC.
    • The bad DC BurFlags is set to D2, which tells it to pull from the source DC, the one you set D4 on.

     

    Here are the steps summarized:

    1. For an Authoritative Restore you must stop the NTFRS services on all of your DCs
    2. In the registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
      1. Set the BurFlags setting to HEX “D4” on a known DC that has a good SYSVOL (or at this time restore SYSVOL data from backup then set the Burflag to D4)
      2. Then start NTFRS on this  server.
      3. You may want to rename the old folders with .old extensions prior to restoring good data.
    3. Clean up the folders on all the remaining servers (Policies, Scripts, etc) – renamed them with .old extensions.
    4. Set the BurFlags to D2 on all remaining servers and then start NTFRS.
    5. Wait for FRS to replicate.
    6. Clean up the .old stuff if things look good.
    7. If the “D4″ won’t solve the problem try the “D2″ value.

     

    So circling back, to fix this and make it work, just copy the contents of SYSVOL to another location, then follow the KB, which simply states you must stop the NTFRS service on ALL DCs. Then pick a good one to be the "Source DC."

    Of course, as I’ve stated above, if you have a large number of DCs, the best bet is to forcedemote the bad DC, run a metadata cleanup to remove its reference from AD, then re-promote it.

    If you have a small number of DCs, and if you have a good DC and a bad DC, on the good DC, you would set the BurFlags to D4, and on the BAD DC you would set the Burflags to D2.

    Example run:

    In the example below, if you set BurFlags to D4 on a single domain controller and set BurFlags to D2 on all other domain controllers in that domain, you can rebuild the SYSVOL from the D4 DC (the source DC).

    I’ve also heard of admins manually copying the SYSVOL folder, then set the BurFlags options as mentioned, which works too. But no, I haven’t tested it. That would be for a lab on another day. :-)

    Authoritative Restore Example

    Use the BurFlags D4 option on the DC that has a copy of the current policies and scripts folder (a good, not corrupted folder).

    1. Stop the FRS service on all DCs. To do this to all DCs from one DC, you can download PsExec and run "psexec \\otherDC net stop ntfrs" one at a time for each DC.
    2. On a good DC that you want to be the source, run regedit and go to the following key:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
      In the right pane, double-click "BurFlags" (or right-click, Modify DWORD).
         Type D4 (hexadecimal) and then click OK.
    3. On the bad DC, run regedit and go to the following key:   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
         In the right pane, double-click "BurFlags" (or right-click, Modify DWORD).
         Type D2 (hexadecimal) and then click OK.
    4. Quit Registry Editor, and then switch to the Command Prompt (which you still have opened).
    5. On the good DC, start the FRS service, or in a command prompt, type "net start ntfrs" and hit <enter>
    6. On the bad DC, start the FRS service, or in a command prompt, type "net start ntfrs" and hit <enter>
    7. On the bad DC, check the Sysvol folder to see if it started populating.
    8. Check for EventID 13565 which shows the process started
    9. Check for EventID 13516, which shows it’s complete
    10. Start FRS on the other DCs.
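
    The same ten steps, scripted with PowerShell remoting so the NTFRS stop/start order and the BurFlags values cannot be fat-fingered on the wrong DC. This is an added example and not part of the original post or KB290762; the DC names are placeholders, it assumes PowerShell remoting to every DC from a Domain Admin session, and it deliberately uses the .NET registry API because the PowerShell registry provider treats the "/" in "Backup/Restore" as a path separator.

```powershell
# Added example (not from the original post). Runs the D4/D2 BurFlags
# procedure above across a set of DCs with PowerShell remoting instead of
# psexec and regedit. DC names are placeholders (assumptions); run it from a
# Domain Admin session that can remote to every DC, and only after you have
# picked the source DC deliberately.
$GoodDc = 'DC1'                   # source DC with the known-good SYSVOL
$BadDcs = @('DC2', 'DC3')         # DCs that will pull SYSVOL from $GoodDc
$AllDcs = @($GoodDc) + $BadDcs
$BurKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Set-BurFlags {
    param([string]$ComputerName, [ValidateSet('D2', 'D4')][string]$Mode)
    $value = [Convert]::ToInt32($Mode, 16)        # D4 = 0xD4, D2 = 0xD2 (REG_DWORD)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($SubKey, $Value)
        # .NET rather than HKLM:\ because the PowerShell provider treats the "/" in
        # "Backup/Restore" as a path separator; CreateSubKey opens or creates the key
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
        $key.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    } -ArgumentList $BurKey, $value
}

function Wait-FrsEvent {
    # Polls the File Replication Service log until $EventId appears or the timeout passes
    param([string]$ComputerName, [int]$EventId, [int]$TimeoutMinutes = 30)
    $since    = Get-Date
    $deadline = $since.AddMinutes($TimeoutMinutes)
    do {
        $hit = Get-WinEvent -ComputerName $ComputerName -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'File Replication Service'; Id = $EventId; StartTime = $since.AddMinutes(-5)
        }
        if ($hit) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

# 1. Keep a copy of the good SYSVOL before touching anything
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
Invoke-Command -ComputerName $GoodDc -ScriptBlock {
    param($s) Copy-Item "$env:SystemRoot\SYSVOL" "$env:SystemRoot\SYSVOL-backup-$s" -Recurse
} -ArgumentList $stamp

# 2. Stop NTFRS on ALL DCs, as the KB requires
Invoke-Command -ComputerName $AllDcs -ScriptBlock { Stop-Service NtFrs -Force }

# 3. D4 on the source, D2 on every other DC
Set-BurFlags -ComputerName $GoodDc -Mode D4
foreach ($dc in $BadDcs) { Set-BurFlags -ComputerName $dc -Mode D2 }

# 4. Start the source first and confirm it is operational (13516) before anyone pulls from it
Invoke-Command -ComputerName $GoodDc -ScriptBlock { Start-Service NtFrs }
if (-not (Wait-FrsEvent -ComputerName $GoodDc -EventId 13516)) { throw "$GoodDc never logged event 13516; stop here" }
Invoke-Command -ComputerName $BadDcs -ScriptBlock { Start-Service NtFrs }

# 5. On each D2 DC: 13565 = reinitialization started, 13516 = FRS operational again
foreach ($dc in $BadDcs) {
    $started = Wait-FrsEvent -ComputerName $dc -EventId 13565 -TimeoutMinutes 10
    $done    = Wait-FrsEvent -ComputerName $dc -EventId 13516
    '{0}: started={1} complete={2}' -f $dc, $started, $done
}
```

    The order is the whole point: NTFRS is down everywhere before any BurFlags value is written, and the D4 source is back up and has logged 13516 before any D2 member starts, so nothing can pull from a DC that is itself mid-rebuild.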

    The following occurs after running the steps above after you start the FRS service (NTFRS):

    • The value for BurFlags registry key returns to 0.
    • Files in the reinitialized FRS folders are moved to a Pre-existing folder.
    • An event 13565 is logged to signal that a nonauthoritative restore is started.
    • The FRS database is rebuilt.
    • The member replicates (copies) the SYSVOL folder from the GOOD DC.
    • The reinitialized computer runs a full replication of the affected replica sets when the relevant replication schedule begins.
    • When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.
       
      Note: The placement of files in the Pre-existing folder on reinitialized members is a safeguard in FRS designed to prevent accidental data loss. You can copy this stuff back if it didn't work, but I have not yet seen when this has not worked!

    Summary

    I hope this helps cleaning up your FRS and SYSVOL replication issues.

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This blog is provided AS-IS with no warranties or guarantees and confers no rights.

    Windows Server 2012 AD Cloning, Snapshot Support & Preventing USN Rollbacks


    Updated 4/16/2014

    Preamble

    Virtualization is a valuable asset for many organizations, including cloud computing. However, there were some drawbacks that many administrators weren’t aware of when implementing a Hyper-V infrastructure.

    For example, there are ramifications of cloning servers without Sysprepping the base image first: Sysprep generates a new SID (the unique Security Identifier each machine has) on first boot. There are also ramifications with the virtual host time service, which provides time to the virtual guests. If the guests are part of an AD infrastructure, or are DCs themselves, the host time synchronization fights the default AD forest time hierarchy, and Kerberos tolerates only five minutes of clock skew. Easy enough: it's recommended to disable the time synchronization integration service for those guests to prevent this from occurring.

    One of the more important ramifications, which we will discuss in the section, involves virtualized snapshots and domain controllers and using the Revert feature to roll back a virtual machine to a previous point in time using a previously saved snapshot. The ramifications can effectively make a DC useless.

    In this blog, we’ll talk about:

    • What is a Snapshot?
    • What is the USN?
    • What is a USN Rollback?
    • Windows Server 2012 Snapshot Support
    • Windows Server 2012 Cloning Support

    What is a Snapshot?

    Hyper-V provides the ability to create a point-in-time copy of a virtual guest. The point-in-time copy is called a snapshot. The snapshot can be used to “revert” the virtual guest back to the point-in-time the snapshot was created.

    Snapshots are a convenient means to return a virtual machine to a previous state, such as to return to a state prior to installing an application that is no longer behaving properly.

    What is the USN?

    The USN, or Update Sequence Number, is the basis of how Active Directory Replication works.

    The USN is a value stored with each attribute that changes, by either a local change or a replicated change from a partner domain controller. Each domain controller keeps track of its own changes, and every other domain controller in the infrastructure tracks the highest USN it has seen from each partner.

    Active Directory replication relies on the Update Sequence Number (USN) on each domain controller. The USN is a counter that is local to, and unique per, domain controller, and the replication system is designed around that restriction.

    When an inbound replication partner domain controller sees its partner has a higher USN value for any attribute, a replication pull request is made to replicate the changes to the partner.

    Active Directory replication does not depend on or use a time displacement or time stamp to determine what changes need to be propagated. Time-based propagation, as some directory services use, is based on a time stamp with a "last writer wins" rule, which poses a problem if the clock is ever rolled back.

    A time stamp is used in Active Directory, but it’s only used to determine and resolve a conflict when an attribute has been modified at two different DCs simultaneously. In this case, the DC receiving the update will use one of three values to resolve a conflict:

    1. The Version number that is incremented on an attribute by the original writer
    2. The originating time of the original writer
    3. The originating DSA value, which is the GUID of the domain controller (found in ADSI Edit and in the _msdcs.contoso.com DNS zone).

    And because these USN counters are local to each DC, and the local DC keeps track of all of its own changes, replication partner DCs can treat a partner's USN as reliable.

    The USN can never "run backward" (decrease in value). If it does, replication partner DCs will recognize the decreased value, treat it as an inconsistency, and stop replicating with that DC. This is called a USN rollback. Although they can be repaired, in many cases it's easier and more time efficient to simply force-remove the DC with the USN rollback and re-promote it back into the domain.

    You can use Ldp.exe or ADSI Edit to read the current USN, which is the highestCommittedUsn attribute that can be found on the RootDSE object properties for the domain controller.

    Up-to-Dateness, High-Watermark, Propagation Dampening, InvocationID

    Replication takes into account specific values and follows a pre-defined algorithm to ensure replication consistency among domain controllers and to reduce or eliminate divergence, such as the following:

    Up-To-Dateness vector

    • This is a value that the destination domain controller maintains for tracking the originating updates that are received from all source domain controllers.
      • This value helps the source DC filter irrelevant attributes (and entire objects if all attributes are filtered) on the basis of the relationships between all sources of originating updates and a single destination.
      • To see the up-to-dateness vector value, run the repadmin /showvector command.

    High-watermark

    • This is a value that the destination domain controller maintains to keep track of the most recent change that it has received from a specific source domain controller for an object in a specific directory partition.
      • This value prevents irrelevant objects from being considered by the source domain controller with respect to a single destination.
      • To see the value of the High-watermark, run repadmin /showreps /verbose and look for each line that starts “USNs:”. The high-watermark USN is the number that is followed by “/OU”.

    Propagation Dampening

    Installing multiple DCs provides fault tolerance and multiple replication paths between them to reduce latency; however, you might expect the same change to be replicated in an endless loop. The up-to-dateness vector, together with the InvocationID, eliminates this possibility. The InvocationID of a domain controller combined with its USN provides a forest-wide unique identifier for every write transaction performed on each domain controller.

    Replication example

    To understand the consequences of snapshots prior to Windows Server 2012 requires a brief explanation and basic understanding of how Active Directory replication works.

    Scenario: Single Domain, single AD Site, three DCs. DC-A, DC-B, and DC-C, all are replication partners between each other.

    Replication Steps

    • DC-A updates a password. The USN is set to 3.
    • DC-B detects a USN change on DC-A
    • DC-B requests the change from DC-A
    • DC-B sends its high-watermark and up-to-dateness vector to DC-A

      • DC-A looks at the high-watermark and up-to-dateness vector values, and the object that was changed (the password attribute).
      • DC-A sees that the originating DSA for the password change is DC-A (itself).
      • DC-A reads the up-to-dateness vector from DC-B and finds that DC-B is guaranteed to be up to date with changes from DC-A (itself) only up to USN 2.
      • DC-A sees that the originating USN on that password attribute is 3.

    • Based on the fact 3 is greater than 2, DC-A sends the changed password to DC-B.

    Summary

    In summary, propagation dampening occurs if DC-B already received the changed password from DC-C, which received it from DC-A, therefore, DC-B will not request the changed password from DC-A.

    Additional reading, and summarized from:
    Tracking Updates (Active Directory Replication)
    http://technet.microsoft.com/en-us/library/cc961798.aspx
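
    The walk-through above is easier to see with a model you can poke at. The following is an added example, not code from the original post or from Microsoft: a toy in-memory replication engine with per-DC USN counters, a high-watermark per source and an up-to-dateness vector per originating DC. It goes one step past the text by also showing what happens when DC-A's USN is rolled back: its new change reuses a USN its partners have already seen, so they never ask for it and the DCs silently diverge.

```powershell
# Added example (not from the original post). A toy model of the replication
# walk-through above: per-DC USN counters, a high-watermark per source and an
# up-to-dateness vector per originating DC. It shows a replicated change
# keeping its originating USN, propagation dampening when DC-C already has
# DC-A's change via DC-B, and what happens when DC-A's USN "runs backward".
# Nothing here touches a real directory.
function New-Dc {
    param([string]$Name)
    [pscustomobject]@{
        Name          = $Name
        Usn           = 0      # local counter; on a healthy DC it only ever increases
        Attrs         = @{}    # attribute -> change record
        HighWatermark = @{}    # source DC -> highest local USN already examined on that source
        UtdVector     = @{}    # originating DC -> highest originating USN already applied
    }
}

function Write-Local {
    # An originating write: new local USN, and this DC is the originating DSA
    param($Dc, [string]$Attr, $Value)
    $Dc.Usn++
    $Dc.Attrs[$Attr] = @{ Value = $Value; OrigDsa = $Dc.Name; OrigUsn = $Dc.Usn; LocalUsn = $Dc.Usn }
    $Dc.UtdVector[$Dc.Name] = $Dc.Usn
}

function Invoke-Pull {
    # $Dest asks $Source for changes; returns the attributes actually applied
    param($Source, $Dest)
    $hw = if ($Dest.HighWatermark.ContainsKey($Source.Name)) { $Dest.HighWatermark[$Source.Name] } else { 0 }
    $applied = @()
    foreach ($attr in $Source.Attrs.Keys) {
        $c = $Source.Attrs[$attr]
        if ($c.LocalUsn -le $hw) { continue }         # high-watermark: already looked at this one
        $seen = if ($Dest.UtdVector.ContainsKey($c.OrigDsa)) { $Dest.UtdVector[$c.OrigDsa] } else { 0 }
        if ($c.OrigUsn -le $seen) { continue }        # up-to-dateness vector: propagation dampening
        $Dest.Usn++                                   # a replicated write gets a NEW local USN ...
        $Dest.Attrs[$attr] = @{ Value = $c.Value; OrigDsa = $c.OrigDsa; OrigUsn = $c.OrigUsn; LocalUsn = $Dest.Usn }
        $Dest.UtdVector[$c.OrigDsa] = $c.OrigUsn      # ... but keeps the originating DSA and USN
        $applied += $attr
    }
    $Dest.HighWatermark[$Source.Name] = $Source.Usn
    return ,$applied
}

function Show-Pull {
    param([string]$Label, [string[]]$Applied)
    if ($Applied.Count -gt 0) { '{0}: {1}' -f $Label, ($Applied -join ', ') } else { '{0}: nothing' -f $Label }
}

$A = New-Dc 'DC-A'; $B = New-Dc 'DC-B'; $C = New-Dc 'DC-C'
Write-Local $A 'userA.password'    'hash-1'
Write-Local $A 'userA.description' 'Admin'
Write-Local $A 'userB.password'    'hash-2'           # DC-A is now at USN 3

Show-Pull 'B pulls from A' (Invoke-Pull $A $B)         # all three attributes
Show-Pull 'C pulls from B' (Invoke-Pull $B $C)         # same three; originating DSA is still DC-A
Show-Pull 'C pulls from A' (Invoke-Pull $A $C)         # nothing: C's UTD vector already covers DC-A up to USN 3
'C: local USN={0}, UTD[DC-A]={1}, userB.password OrigUsn={2}' -f $C.Usn, $C.UtdVector['DC-A'], $C.Attrs['userB.password'].OrigUsn

# Snapshot revert: DC-A goes back to USN 1 and then writes again. The new change
# gets USN 2, which B has already examined, so B never asks for it: silent divergence.
$A.Usn = 1; $A.Attrs.Remove('userA.description'); $A.Attrs.Remove('userB.password'); $A.UtdVector['DC-A'] = 1
Write-Local $A 'userA.description' 'Rolled back'
Show-Pull 'B pulls from A after rollback' (Invoke-Pull $A $B)
"A says '{0}', B says '{1}'" -f $A.Attrs['userA.description'].Value, $B.Attrs['userA.description'].Value
```

    The last two lines are the undetected rollback from the text in miniature: neither side logs an error, DC-A simply holds data its partners will never pull.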

     

    Pre-Windows 2012 Virtualized DC recommendations

    • Do not take snapshots or revert back to a snapshot of a domain controller virtual machine.
    • Do not copy the domain controller VHD file.
    • Do not export the virtual machine that is running a domain controller.
    • Do not restore a domain controller or attempt to roll back the contents of an Active Directory database by any other means than a supported backup solution.

     

    Undetected USN Rollback

    From: Running Domain Controllers in Hyper-V
    http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#usn_and_usn_rollback

     

    Detected USN Rollback

    From: Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)
    http://technet.microsoft.com/en-us/library/hh831734.aspx

     

    Repairing USN Rollbacks

    Repairing a USN rollback can be difficult. You can use the replication monitoring and diagnostic tools to determine the extent of the damage. The worst case is an undetected rollback, such as when a DC's VHD file is copied and run on another virtual host (so two machines now share the same DC identity), or when the USN on a restored DC has increased past the last USN that the other domain controllers received. In that case the originating DC's USN values differ from what its replication partners believe they should be, and the cause is extremely difficult to determine.

    The easiest way to repair a USN rollback is to force remove the domain controller that was reverted, run a metadata cleanup to remove the domain controller’s reference from the AD database, and re-promote it.

    Reverting back to a snapshot has ramifications for other types of services, too. For one, keep in mind the secure channel that Active Directory members use to communicate with the domain. The secure channel uses the machine account password, which is renewed every 30 days by default. If you revert the machine to a point before the last password change, it may no longer be able to communicate with the domain. To repair that scenario, you can reset the machine account, or disjoin it and rejoin it to the domain. For servers such as a Microsoft Exchange server, the implications are much deeper: besides the secure channel, users lose any email that arrived between the snapshot time and the current time.

     

    Windows Server 2012 Snapshot Support Prevents USN Rollbacks

    Until the introduction of Windows Server 2012, cloning, snapshotting, or copying a DC was unsupported. The only supported ways to repair a DC were Windows Backup or a third-party backup that supports non-authoritative or authoritative restores, or simply force-demoting, rebuilding the DC from scratch and promoting it back into the domain. Otherwise, as we've discussed, snapshots and cloning have serious ramifications that can result in USN rollbacks or lingering objects, just to name a few.

    Windows Server 2012 now supports DC cloning and snapshot restore of domain controllers. The requirements to support the new feature are:

    • A hypervisor that supports VM-GenerationID. Windows Server 2012 Hyper-V supports VM-GenerationID. If using a third-party hypervisor, check with the vendor whether their latest version supports this feature.
    • The source virtual domain controller must be running Windows Server 2012.
    • A Windows Server 2012 PDC Emulator FSMO Role must be running and available for the cloned DC.

     

    How does the VM-GenerationID work?

    When you promote a domain controller on a supported hypervisor, AD DS stores the VM-GenerationID (the msDS-GenerationId attribute) on the DC's computer object in the AD database. This value is then tracked by a Windows driver in the virtual machine.

    If you revert to a snapshot, the driver looks at the current VM-GenerationID value and compares it to the value in the AD database on its computer object. The comparison also occurs each time a DC is rebooted.

    If the VM-GenerationID values differ:

    • The InvocationID is reset
    • The RID pool is discarded
    • The new value is written to the AD database, so the USN values that existed at the snapshot can never be re-used
    • A non-authoritative SYSVOL synchronization occurs to safely restore and re-initialize SYSVOL (to prevent a JRNL_WRAP error)
    • Each time a DC is rebooted, the value is compared, and if the values differ, the same actions apply
    • These actions also safeguard virtual DCs that were shut down and restored from an older copy

    If the VM-GenerationID values are the same:

    • The snapshot and transaction is committed.
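
    Reading the values discussed in the last two sections off a live DC, and checking for the symptoms of a detected rollback, is a few lines of PowerShell. This is an added example and not code from the original post: it reads highestCommittedUsn from RootDSE and msDS-GenerationId from the DC's computer object as the text describes, and it checks the symptoms KB875495 (linked under Additional Reading) lists for a detected rollback, namely the "Dsa Not Writable" registry value being 4, Directory Service event 2095, and Netlogon being paused. It assumes the ActiveDirectory module, remoting to the DC, Windows Server 2012 or later, and a placeholder DC name.

```powershell
# Added example (not from the original post). Reads highestCommittedUsn,
# invocationId and msDS-GenerationId for one DC and checks the symptoms of a
# detected USN rollback from KB875495. Assumes the ActiveDirectory module,
# PowerShell remoting and Server 2012+ (Get-SmbShare); the DC name is a placeholder.
function Get-DcUsnState {
    param([string]$DomainController)
    $rootDse = Get-ADRootDSE -Server $DomainController
    $name    = $rootDse.dnsHostName.Split('.')[0]
    $dcObj   = Get-ADComputer -Identity $name -Server $DomainController -Properties 'msDS-GenerationId'
    $genId   = $dcObj.'msDS-GenerationId'                    # byte[] on VM-GenID-aware DCs, absent otherwise
    $genHex  = if ($genId) { ($genId | ForEach-Object { $_.ToString('x2') }) -join '' } else { '<absent>' }

    # invocationId lives on the NTDS Settings object (dsServiceName); convert bytes to a GUID if needed
    $inv = (Get-ADObject -Identity $rootDse.dsServiceName -Server $DomainController -Properties invocationId).invocationId
    $invGuid = if ($inv -is [guid]) { $inv } else { New-Object -TypeName guid -ArgumentList (,[byte[]]$inv) }

    $local = Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $evt  = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DsaNotWritable = $ntds.'Dsa Not Writable'        # 4 = USN rollback detected (KB875495)
            Event2095      = [bool]$evt                       # logged when the rollback is detected
            NetlogonStatus = (Get-Service Netlogon).Status    # the DC pauses Netlogon after detection
            SysvolShared   = [bool](Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue)
        }
    }

    [pscustomobject]@{
        Dc                  = $rootDse.dnsHostName
        HighestCommittedUsn = [int64]$rootDse.highestCommittedUsn
        InvocationId        = $invGuid
        GenerationId        = $genHex
        RollbackDetected    = ($local.DsaNotWritable -eq 4) -or $local.Event2095 -or ($local.NetlogonStatus -eq 'Paused')
        Details             = $local
    }
}

function Test-UsnMonotonic {
    # Compare the same DC's USN between two runs: it must only ever go up
    param([int64]$Previous, [int64]$Current)
    return $Current -ge $Previous
}

$state = Get-DcUsnState -DomainController 'dc1.contoso.com'   # placeholder DC
$state | Format-List
if ($state.RollbackDetected) {
    Write-Warning "$($state.Dc): USN rollback detected; force-remove, metadata cleanup and re-promote (see text)"
}
```

    Store HighestCommittedUsn and InvocationId from each run: a later run where Test-UsnMonotonic fails, or where InvocationId changed without a VM-GenerationID reset you expected, is exactly the undetected case the text warns about, which none of the registry or event checks will ever show you.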

     

    Windows Server 2012 Cloning

    In Windows Server 2012, administrators no longer need to use Sysprep to clone a machine, promote it to a domain controller, then complete any additional tasks such as Windows Updates, or install organization standard applications. After the first domain controller is freshly installed from scratch or using Sysprep in a domain, Administrators can now safely deploy cloned domain controllers by simply copying an existing virtual domain controller.

    This feature is domain specific. A domain must have at least one DC installed that can be copied. You still want to properly configure DNS settings, validate each DC's health and replication status, and run the Active Directory Best Practices Analyzer after each DC deployment.

    This feature provides the following advantages and benefits:

    • Rapid DC deployment
    • Quick restores
    • Optimize private cloud deployments
    • Rapid DC provisioning to quickly meet increased capacity needs

    What if I Don’t Want the VM-Generation ID Mechanism to Kick In?

    Perhaps there’s a time when you don’t want this protection, such as if you are trying to clone your environment to a lab. If you follow the rules, the VM-Generation ID will protect the USN and probably not give you what you want, and worse, if the DCs you’re trying to clone are having trouble replicating SYSVOL, you have more problems to deal with.

    One way to keep the VM-Generation ID mechanism from kicking in is to work below the hypervisor's notice: shut down the VMs, do a flat file copy to another hypervisor, then create a new VM from the existing files. That should keep the attribute mechanism from kicking in. More info on this and other thoughts:

    Cases where VM-GenerationID doesn’t help make Active Directory virtualization-safe -Part 1
    http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2013/08/28/cases-where-vm-generationid-doesn-t-help-make-active-directory-virtualization-safe-part-1.aspx

    Why Windows Server 2012 AD VM-Generation ID functionality is not an alias for Active Directory anti-USN Rollback functionality
    http://blog.joeware.net/2013/02/20/2675/


    Additional Reading:

    Tracking Updates (USN & Active Directory Replication)
    http://technet.microsoft.com/en-us/library/cc961798.aspx

    Running Domain Controllers in Hyper-V
    http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#usn_and_usn_rollback

    How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2
    http://support.microsoft.com/kb/875495

    Steps for deploying a clone virtualized domain controller
    http://technet.microsoft.com/en-us/library/hh831734.aspx#steps_deploy_vdc

    Virtual Domain Controller Cloning in Windows Server 2012
    http://blogs.technet.com/b/askpfeplat/archive/2012/10/01/virtual-domain-controller-cloning-in-windows-server-2012.aspx

    By Ace Fekay

    MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
      Microsoft Certified Trainer
      Microsoft MVP: Directory Services
      Active Directory, Exchange and Windows Infrastructure Engineer

    Comments are welcomed.

    How to Create a Delegated Subnet Reverse Zone


    You really, really want to host your public DNS records? If you do, you may also want to host your public IP range, instead of having to call your ISP every time you need a reverse (PTR) entry created or updated.

    The key thing is setting the NS records in your zone file to the nameservers that are authoritative for the zone based on ARIN, and removing all iterations of your own nameservers.

    Follow the syntax to create the delegated subnetted zone by using the syntax for “Child subnetted reverse lookup zone file” in the following article. Keep in mind that this MUST be done using a Standard Primary zone, so if it’s an AD Integrated zone, you must revert it to a Standard Primary zone so you can work on the zone file. Once you’re done you can change it back to AD Integrated, if you so desire.

    How to configure a subnetted reverse lookup zone on Windows NT, Windows 2000, or Windows Server 2003
    http://support.microsoft.com/kb/174419


    Let’s try this example:

    IP Subnet example: 192.168.10.160/27 (or 255.255.255.224)
    IP Subnet Range:   192.168.10.160 to 192.168.10.191

    If you take a look at that KB article I posted, it shows the exact steps needed to create it. That’s how I did it!

    Let’s see if I can do it for your subnet range. I am not guaranteeing it will work, because it’s also reliant on how your ISP has it delegated.

    Your IP subnet, 192.168.10.173 /255.255.255.224, indicates it is part of a range starting at 192.168.10.160 and ending at 192.168.10.191, which gives you 32 addresses in the range, 30 usable, and assuming one is of course the router (gateway), that makes it 29 usable IPs.

    Therefore, if this range was delegated to you, then the key IP to look at, which actually “describes” the network block, is 192.168.10.160/27 or 192.168.10.160/255.255.255.224.

    Based on the above:

    Let’s run through the steps…

    1. Ask the ISP to delegate the subnetted zone, 192.168.10.160/27, to your name servers (you need two of them).
    2. Then to create the zone name, we must base it on your subnet’s starting IP and the subnet bit count.
    3. The IP subnet is 192.168.10.160/27
                The starting IP of this subnet = 192.168.10.160
                The bit count of this subnet = 27
      Therefore the syntax will be:
                <SubnetStartIP>-<SubnetBits>.10.168.192.in-addr.arpa
                 OR
                160-27.10.168.192.in-addr.arpa.dns zone
    4. Based on that, create an ARPA (reverse) zone called 160-27.10.168.192.in-addr.arpa (its zone file will be 160-27.10.168.192.in-addr.arpa.dns).
    5. Then save it as a Standard Primary Zone (not an AD Integrated zone).
    6. Stop the DNS Server service: in the DNS console, right-click the server name and choose Stop.
    7. Then go into the zone file (in the system32\dns folder) and change all NS iterations from your server.InternalDomainName.com to the ISP’s, such as ns.ISPsAuthoritativeServer.com.
      (Please read the KB article for more information on how the zone file should be configured.)
    8. Save the file.
    9. Then start the DNS Server service: in the DNS console, right-click the server name and choose Start.
    10. Then right-click the zone and choose Reload.
    11. Then right-click the zone, choose Properties, go to the Name Servers tab, and remove your own server as an NS record, keeping only the authoritative server.
    12. Create a PTR record, such as for 192.168.10.173, under the zone, and call it whatever you want, such as ace.WhateverYourZoneNameIs.com.

    Test it

    Run nslookup or DIG to query 192.168.10.173 internally, then try the same query using an external public nameserver.

    If it doesn’t work, go through the above steps again. Follow the syntax EXACTLY.
    If it does work, pour yourself a cold one.
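As an added worked example (not from the original post or the KB article), the following Python computes the block, the child zone name and the PTR owner names for the subnet above, writes a standard primary zone file whose NS records name only the delegation's authoritative servers, and runs step 11's check for stray internal NS records. The ISP nameserver names, the hostmaster address, the SOA timers and the /25 to /30 range check are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List


def subnet_summary(ip_with_mask: str) -> Dict[str, object]:
    """Find the block an address belongs to (192.168.10.173/255.255.255.224
    -> 192.168.10.160/27) plus the address counts quoted above."""
    net = ipaddress.ip_network(ip_with_mask, strict=False)  # drop the host bits
    return {
        "network": str(net),                  # '192.168.10.160/27'
        "netmask": str(net.netmask),          # '255.255.255.224'
        "first": str(net.network_address),    # '192.168.10.160'
        "last": str(net.broadcast_address),   # '192.168.10.191'
        "total": net.num_addresses,           # 32
        "usable": len(list(net.hosts())),     # 30 (29 once the gateway takes one)
    }


def delegated_zone_name(network: str) -> str:
    """Zone name in the KB 174419 child-zone syntax:
    <SubnetStartOctet>-<SubnetBits>.<c>.<b>.<a>.in-addr.arpa"""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or not 25 <= net.prefixlen <= 30:  # assumption: blocks smaller than a /24
        raise ValueError("subnetted reverse zones are for IPv4 blocks between /25 and /30")
    a, b, c, d = str(net.network_address).split(".")
    return f"{d}-{net.prefixlen}.{c}.{b}.{a}.in-addr.arpa"


def _last_octet(ip: str, net: ipaddress.IPv4Network) -> str:
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {net}")
    return str(addr).rsplit(".", 1)[1]


def ptr_owner_name(ip: str, network: str) -> str:
    """Fully qualified owner name of the PTR record for one address in the child zone."""
    net = ipaddress.ip_network(network, strict=False)
    return f"{_last_octet(ip, net)}.{delegated_zone_name(network)}"


def render_zone_file(network: str, authoritative_ns: List[str],
                     ptr_records: Dict[str, str], serial: int = 1) -> str:
    """Standard primary zone file for the child zone. Every NS record names the
    servers the delegation lists as authoritative (steps 7 and 11), never your
    internal DNS server; PTR targets must be FQDNs ending in a dot."""
    net = ipaddress.ip_network(network, strict=False)
    zone = delegated_zone_name(network)
    ns = [n if n.endswith(".") else n + "." for n in authoritative_ns]
    lines = [
        f";  Database file {zone}.dns for {zone} zone (constructed example).",
        f"@  IN  SOA  {ns[0]} hostmaster.{ns[0]} (",   # RNAME is a placeholder
        f"        {serial}      ; serial number",
        "        900    ; refresh", "        600    ; retry",
        "        86400  ; expire", "        3600 ) ; minimum TTL",
    ]
    lines += [f"@  IN  NS  {n}" for n in ns]
    for ip, host in sorted(ptr_records.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if not host.endswith("."):
            raise ValueError(f"PTR target {host} must be a fully qualified name")
        lines.append(f"{_last_octet(ip, net)}  IN  PTR  {host}")
    return "\n".join(lines) + "\n"


_NS_LINE = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)


def stray_internal_ns(zone_text: str, internal_suffixes: List[str]) -> List[str]:
    """Step 11's check on an existing zone file: NS targets that still belong to
    your own internal namespace (anything under InternalDomainName.com)."""
    suffixes = [s.rstrip(".").lower() for s in internal_suffixes]
    stray = []
    for raw in zone_text.splitlines():
        m = _NS_LINE.match(raw.split(";", 1)[0].strip())  # ignore comments
        if not m:
            continue
        target = m.group(1).rstrip(".").lower()
        if any(target == s or target.endswith("." + s) for s in suffixes):
            stray.append(target)
    return stray


if __name__ == "__main__":
    print(subnet_summary("192.168.10.173/255.255.255.224"))
    print(render_zone_file("192.168.10.160/27", ["ns1.isp.example", "ns2.isp.example"],
                           {"192.168.10.173": "ace.example.com."}))
```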

     

    References:

    Technet Thread: “How to setup a Reverse lookup zone on windows 2008 server with IP address 65.19.134.173 and subnetmask 255.255.255.224.”
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/7c81a129-efa2-4b88-80bb-591c4119beb4/

    Thread title: “Reverse DNS smaller than /24 (v4)”
     http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/4147e8fe-43d8-4eff-a890-a0e1e31a96ea/#bd664835-05b3-4d53-9b08-d845b177d9d2

     

    By Ace Fekay

    Comments are welcomed.

    Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
       Microsoft Certified Trainer
       Microsoft MVP: Directory Services
       Active Directory, Exchange and Windows Infrastructure Engineer and Janitor
       www.delcocomputerconsulting.com

    DNS Client side Resolver Service and DNS Forwarders Query Algorithm


    As many of you who follow my blogs know, I originally blogged about the client side resolver a few years ago. That can be found here:

    http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

    I think many readers may have missed this portion because of the size of that blog; after all, it’s buried in one of the sections. Therefore, I thought I would blog about it specifically and get right to the point.

    Background:

    An internal DNS infrastructure is usually designed to support internal host name resolution for internal hosts only. This is the goal whether it’s for an AD infrastructure or a non-AD infrastructure; otherwise, why bother with DNS internally?

    This is of course, especially true with AD. AD uses DNS. DNS stores AD’s resource and service locations in the form of SRV records, hence how everything that is part of the domain will find resources in the domain.

    If the ISP’s DNS is configured in any of the internal AD member machines’ IP properties (including all client machines and DCs), the machines will be asking the ISP’s DNS “where is the domain controller for my domain?” whenever they need to perform a function, such as a logon request, DC to DC replication communication requests, querying and applying GPOs, and more. Unfortunately, the ISP’s DNS does not have that info, so it replies with an “I dunno” response, and things just fail.

    Using an ISP’s DNS, or the router as a DNS address, is analogous to asking the first passerby on the street, “Hey, where’s that case of beer that was in my refrigerator last night?” He’ll either not have an answer, or he’ll tell you his friends took it, which is the wrong answer anyway.

    The Client Side Resolver Service algorithm on all Windows 2000 and newer machines:

    Mixing internal and external DNS, such as the DC as the first DNS entry and the ISP’s DNS, or even your router’s IP address, as the second entry, will do the same thing. This is because of the way the client side resolver service works on all machines (DCs and clients). The following should help you better understand the client side resolver algorithm when it attempts to resolve DNS names.

    To summarize:

    If a DNS query has already occurred and the client has already received a response, then the response is cached in the local resolver cache for the TTL of the DNS host record. You can run “ipconfig /displaydns” to show what’s in the cache and the remaining TTL of the host record. You can repeat the command to watch the TTL count down to 0, at which point the record disappears from the cache.

    If there was no prior query and it’s not cached or the TTL has expired, and if there are multiple DNS entries on a machine’s NIC (whether a DC, member server or client), it will ask the first entry first.

    • If it receives a response, but the DNS server does not have the zone data (such as when you use your ISP’s DNS or your router as a DNS address and expect that to work with AD), the response will be an NXDOMAIN or NACK. That counts as a response, even though it is the wrong answer, so the resolver will not go on to the next DNS entry in the NIC’s list.
    • If the server doesn’t respond at all, which is a NULL response (no response, such as when the DNS server is down), the resolver goes to the second entry after a time-out period, which can last 15 seconds or more while it keeps retrying the first one. At that point it REMOVES the first entry from the eligible resolvers list and won’t go back to it for another 15 minutes (unless forced by restarting the DNS Client service). This can also happen when a DC/DNS is down or taken offline on purpose, such as for DC maintenance during production hours, and it may cause issues within AD when accessing a resource such as a printer or folder, or getting GPOs to apply. You can also reset the eligible resolvers list by:
    • If using Windows 2008/Vista and newer, restart the DNS Client Service
    • If using Windows 2000, 2003 or XP, restart the DHCP Client Service
    • Configure a registry entry to force the TTL to reset the list after each query.
    • Run an ipconfig /flushdns
    • Restart the machine.

    If the ISP’s DNS is the first entry in the NIC’s list, obviously it will be knocked out when a client is trying to log on.

    This will be noticed as a significantly long logon time, which the client experiences before the resolver goes to the second entry, your internal DNS. Now the first entry is knocked out for 15 minutes. Then say the client decides to go to an internet site. It will be querying the internal DNS at this point, and as long as the internal DNS is configured with forwarders to an outside DNS, or uses its root hints, it will resolve the name.
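To make the rules above concrete, here is an added simulation in Python (not code from the original post) of a client resolver following them: a simulated clock stands in for the 15 second time-out and 15 minute knock-out, only positive answers are cached, and the fake servers, their records and the 10.10.100.x and 208.67.222.222 addresses are constructed to match the ipconfig examples later in this post.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NXDOMAIN = "NXDOMAIN"   # a negative answer: the server replied, but does not know the name
NO_RESPONSE = None      # a NULL response: nothing came back at all


@dataclass
class FakeDnsServer:
    """Constructed stand-in for one DNS server: it answers only the names it
    hosts (or can forward for) and returns NXDOMAIN for everything else."""
    address: str
    records: Dict[str, str]
    reachable: bool = True

    def query(self, name: str) -> Optional[str]:
        if not self.reachable:
            return NO_RESPONSE
        return self.records.get(name.lower(), NXDOMAIN)


@dataclass
class ClientResolver:
    """Model of the client side resolver rules described above. Simplifications:
    only positive answers are cached, and time is a simulated clock so the
    15 second time-out and 15 minute knock-out can be followed exactly."""
    servers: List[FakeDnsServer]          # NIC order
    retry_seconds: float = 15.0           # retries against an entry before giving up on it
    knockout_seconds: float = 15 * 60     # how long an unresponsive entry stays ineligible
    positive_ttl: float = 600.0           # constructed TTL for cached answers
    now: float = 0.0
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    knocked_out: Dict[str, float] = field(default_factory=dict)

    def eligible(self) -> List[FakeDnsServer]:
        """The eligible resolvers list: NIC order minus knocked-out entries."""
        return [s for s in self.servers
                if self.knocked_out.get(s.address, 0.0) <= self.now]

    def resolve(self, name: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (answer, source); source is 'cache', a server address, or
        None when every eligible server failed to respond."""
        name = name.lower()
        cached = self.cache.get(name)
        if cached and cached[1] > self.now:
            return cached[0], "cache"
        for server in self.eligible():
            answer = server.query(name)
            if answer is NO_RESPONSE:
                # Wait out the retries, then drop the entry from the list for 15 minutes.
                self.now += self.retry_seconds
                self.knocked_out[server.address] = self.now + self.knockout_seconds
                continue
            if answer != NXDOMAIN:
                self.cache[name] = (answer, self.now + self.positive_ttl)
            # Any reply, NXDOMAIN included, is final: the next entry is never asked.
            return answer, server.address
        return NO_RESPONSE, None

    def displaydns(self) -> Dict[str, float]:
        """Rough ipconfig /displaydns: cached names and their remaining TTL."""
        return {n: exp - self.now for n, (_, exp) in self.cache.items() if exp > self.now}

    def flushdns(self) -> None:
        self.cache.clear()

    def restart_dns_client(self) -> None:
        """Restarting the DNS Client service resets the eligible resolvers list."""
        self.knocked_out.clear()


# Constructed servers; the addresses match the ipconfig examples in this post.
DC_SRV = "_ldap._tcp.dc._msdcs.contoso.com"   # the SRV name a member queries to find a DC
DC_RECORDS = {DC_SRV: "dc01.contoso.com", "www.example.com": "203.0.113.10"}  # www via forwarder
DC1 = FakeDnsServer("10.10.100.20", DC_RECORDS)
DC2 = FakeDnsServer("10.10.100.30", DC_RECORDS)
ISP = FakeDnsServer("208.67.222.222", {"www.example.com": "203.0.113.10"})


def logon_lookup(nic_order: List[FakeDnsServer]) -> Tuple[Optional[str], Optional[str], float]:
    """Run the DC locator query against a NIC's DNS list; returns (answer, source, seconds spent)."""
    resolver = ClientResolver(nic_order)
    answer, source = resolver.resolve(DC_SRV)
    return answer, source, resolver.now


if __name__ == "__main__":
    print("internal only   :", logon_lookup([DC1, DC2]))   # answered by the first DC
    print("ISP listed first:", logon_lookup([ISP, DC1]))   # NXDOMAIN; the DC is never asked
    down = FakeDnsServer("10.10.100.20", DC_RECORDS, reachable=False)
    print("first DC down   :", logon_lookup([down, DC2]))  # answered after a 15 s wait
```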

    Specifics on the resolver process:

    Understanding the DNS Client Service and how Name Resolution works
    http://networkadminkb.com/KB/a118/understanding-dns-client-service-how-name-resolution-works.aspx

    Don’t Use your ISP’s DNS or your Router as a DNS Address on any Machine

    So why even bother with an ISP’s DNS on the client? This is another good reason to ONLY use the internal DNS server in the VPN’s DHCP service for VPN clients. Keep in mind, the client will probably be configured with an ISP’s DNS anyway while outside the network. That’s fine; otherwise it can’t find the VPN server on the internet anyway. But once the VPN authenticates and is connected, the VPN interface will be first in the binding order, and you WANT only the internal DNS servers in that interface.

    DNS Client side resolver service
    http://technet.microsoft.com/en-us/library/cc779517.aspx

    The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP (applies to Vista and newer, too)
    http://support.microsoft.com/kb/320760

    Therefore, the ISP’s DNS, some other external DNS server, or using the router as a DNS address, should not be used in any internal AD client or any other machine that is part of the AD infrastructure that must find a domain controller in order to function.

    Ipconfig examples:

    • BAD EXAMPLE

    In this BAD example, there is a mixture of internal and external DNS servers. On top of that, there are just way too many DNS servers; because of the client side resolver time-out, the client will never see beyond the third one, if you’re lucky.

    C:\>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : Computer1
       Primary Dns Suffix  . . . . . . . : contoso.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : contoso.com

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : contoso.com
       Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6250 AGN
       Physical Address. . . . . . . . . : 64-80-98-11-5C-24
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::81ba:f421:cced:8826%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.10.100.58(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, March 24, 2014 10:07:18 AM
       Lease Expires . . . . . . . . . . : Saturday, April 05, 2014 10:45:58 PM
       Default Gateway . . . . . . . . . : 10.10.100.1
       DHCP Server . . . . . . . . . . . : 10.10.100.20
       DHCPv6 IAID . . . . . . . . . . . : 308576409
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-E1-F4-6D-04-11-22-67-01-15-21
       DNS Servers . . . . . . . . . . . : 10.10.100.20
                                           208.67.222.222
                                           208.248.240.23
                                           4.2.2.2
                                           4.3.4.4
                                           10.10.100.30
       NetBIOS over Tcpip. . . . . . . . : Enabled

    • GOOD EXAMPLE – You can see only the internal DNS servers are specified.

    C:\>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : Computer1
       Primary Dns Suffix  . . . . . . . : contoso.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : contoso.com

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : contoso.com
       Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6250 AGN
       Physical Address. . . . . . . . . : 64-80-98-11-5C-24
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::81ba:f421:cced:8826%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.10.100.58(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, March 24, 2014 10:07:18 AM
       Lease Expires . . . . . . . . . . : Saturday, April 05, 2014 10:45:58 PM
       Default Gateway . . . . . . . . . : 10.10.100.1
       DHCP Server . . . . . . . . . . . : 10.10.100.20
       DHCPv6 IAID . . . . . . . . . . . : 308576409
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-E1-F4-6D-04-11-22-67-01-15-21
       DNS Servers . . . . . . . . . . . : 10.10.100.20
                                           10.10.100.30
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Configure a Forwarder Using your ISP’s DNS

    That’s your best bet. It’s easy.

    • Open the DNS console
    • Right-click the DNS server name
    • Choose Properties
    • Click the Forwarder tab.
    • Enter the ISP’s DNS address in the Forwarders list.

    And also, keep in mind, that if you have more than two or three Forwarders, the third one will probably never get checked because of the time-out of the client side resolver service *waiting* for a response to a query.

    Router’s IP as a DNS Service

    Don’t do it! Your router is NOT a DNS server. If you do, the router will proxy the query to its outside interface, which more than likely uses the ISP’s DNS. So that won’t work. Remove it from all machines as a DNS address.

    Summary

    I hope that helps understand why not to use an ISP’s DNS in your internal network.

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Configuring the Windows Time Service in an Active Directory Forest – A step by step with a Contingency Plan


    Published 4/2014

    Original blog post reference:
    Configuring the Windows Time Service in an Active Directory Forest – A step by step with a Contingency Plan
    http://blogs.msmvps.com/acefekay/2014/04/26/configuring-the-windows-time-service/

    As many of you who follow my blog know, I have blogged about the Time Service in the past. The original blog can be found here. However, that blog has so much information in it that you may have gotten lost trying to figure out exactly what to do. In this blog, I’ve condensed it and made it much easier to read by offering the steps as a pseudo flowchart. I hope you find it useful.

    Windows Server Time Sync Configuration

    The following steps can be used to configure DCs for the default Windows time service hierarchy in an AD forest. The procedure will also clear any related errors in the Event Viewer, if any existed.

    Do not use these steps if you are using a third party stratum service; refer to the vendor’s documentation for further instructions.

    Check and Document the Current Time Configuration on the PDC Emulator

    1. First check and document the current configuration:
      1. All Windows Server domain operating systems – run the following on the forest root domain PDC Emulator.
        1. Note: In some cases you must wait a little time for the service to instantiate.
        2. If you do not see expected results immediately, wait 10 min and re-run the following steps
    2. W32tm /query /configuration   
      1. This command confirms the current source the PDC Emulator shows in the [TimeProviders] section. Look for “Type:” and you will see one of the following:
        1. Type: NT5DS (Local)   - This means that it’s not synced externally.
        2. Type: NTP (Local)     - This means it is syncing externally.
                   NtpServer: time.windows.com [65.55.56.206] (Local)
      2. For all other DCs, use the command, w32tm /monitor (step 4 below)
    3. w32tm /query /source
      1. On the PDC Emulator, this shows the actual source. One of two possibilities:
        1. CMOS clock          - Signifies not synced to an external source (Not what you want to see)
        2. time.windows.com    - The NTP source IP address/FQDN. This is correct.
    4. w32tm /monitor or w32tm /monitor /computers:DCNAME
      1. On the PDC Emulator, this command shows the outside time source.
        1. Good example:
          dc01.contoso.com *** PDC ***[10.10.10.200:123]:
          ICMP: 0ms delay
          NTP: +0.0000000s offset from dc02.contoso.com
          RefID: time.windows.com [65.55.56.206]
          Stratum: 4
      2. On all other DCs, this command shows the current time source DC for this DC.
        1. You will see an offset for the PDC from its configured NTP source.
        2. Good example result showing that dc02 is syncing with dc01.contoso.com:
          dc02.contoso.com [10.10.10.210:123]:
          ICMP: 0ms delay
          NTP: +0.0000000s offset from dc01.contoso.com
          RefID: dc01.contoso.com [10.10.10.200]
          Stratum: 4
    5. w32tm /tz
      1. This shows the current time zone to make sure it’s correct.
    6. w32tm /stripchart /computer: target /samples: n /dataonly
      1. This command will show you the time difference between the local computer and a target computer and is helpful in determining if there is an offset. The “n” value is the number of time samples that will be returned from the target to test basic NTP communications.
    7. w32tm /dumpreg
      1. This command dumps the current registry settings found in:
        HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
        You can see the current time service configuration entries, such as:
        Type:  NTP

        NTPServer:
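As an added example (not from the original post), the following Python parses w32tm /monitor output in the layout shown above and applies the expectations just described: the PDC Emulator references an external source, every other DC references a DC, and no DC free-runs on its CMOS clock. The sample block, the 'LOCL' RefID used for a local-clock peer, and the 300 second tolerance are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the w32tm /monitor blocks above.
# dc03 is a non-PDC that has fallen back to its local clock and drifted.
SAMPLE_MONITOR = """\
dc01.contoso.com *** PDC ***[10.10.10.200:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc01.contoso.com
        RefID: time.windows.com [65.55.56.206]
        Stratum: 4
dc02.contoso.com[10.10.10.210:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc01.contoso.com
        RefID: dc01.contoso.com [10.10.10.200]
        Stratum: 5
dc03.contoso.com[10.10.10.220:123]:
    ICMP: 0ms delay
    NTP: +412.0000000s offset from dc01.contoso.com
        RefID: 'LOCL' [76.79.67.76]
        Stratum: 1
"""

_HEADER = re.compile(r"^(?P<host>\S+?)(?P<pdc>\s*\*\*\* PDC \*\*\*)?\[(?P<ip>[^\]:]+):\d+\]:\s*$")
_OFFSET = re.compile(r"NTP:\s*(?P<offset>[+-]?\d+(?:\.\d+)?)s offset from (?P<peer>\S+)")
_REFID = re.compile(r"RefID:\s*(?P<refid>.+?)\s*(?:\[(?P<ip>[^\]]+)\])?\s*$")
_STRATUM = re.compile(r"Stratum:\s*(?P<stratum>\d+)")


@dataclass
class TimePeer:
    host: str
    ip: str
    is_pdc: bool
    offset: Optional[float] = None   # None when the NTP line reported an error
    peer: Optional[str] = None       # the computer the offset was measured against
    refid: Optional[str] = None
    stratum: Optional[int] = None


def parse_monitor(text: str) -> List[TimePeer]:
    """Turn w32tm /monitor output into one TimePeer per DC block."""
    peers: List[TimePeer] = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _HEADER.match(line)):
            peers.append(TimePeer(m["host"], m["ip"], m["pdc"] is not None))
        elif not peers:
            continue                      # preamble before the first DC block
        elif (m := _OFFSET.search(line)):
            peers[-1].offset = float(m["offset"])
            peers[-1].peer = m["peer"]
        elif (m := _REFID.search(line)):
            peers[-1].refid = m["refid"]
        elif (m := _STRATUM.search(line)):
            peers[-1].stratum = int(m["stratum"])
    return peers


def check_hierarchy(peers: List[TimePeer], domain_suffix: str,
                    max_offset: float = 300.0) -> List[str]:
    """Apply the expectations above: the PDC Emulator syncs from an external
    source, every other DC syncs from a DC, nobody free-runs on the CMOS clock,
    and no DC is further off than max_offset seconds (assumption: the 5 minute
    Kerberos tolerance). Returns one finding per problem, empty when healthy."""
    dc_names = {p.host.lower() for p in peers}
    suffix = "." + domain_suffix.lower().strip(".")
    findings: List[str] = []
    for p in peers:
        if p.offset is None:
            findings.append(f"{p.host}: no NTP answer; check the W32Time service and UDP 123")
            continue
        ref = (p.refid or "").strip("'").lower()
        from_dc = ref in dc_names or ref.endswith(suffix)
        if ref in ("locl", "local cmos clock") or "unsynchronized" in ref:
            findings.append(f"{p.host}: free-running on the local CMOS clock (RefID {p.refid})")
        elif p.is_pdc and from_dc:
            findings.append(f"{p.host}: PDC Emulator syncs from a DC instead of an external source")
        elif not p.is_pdc and not from_dc:
            findings.append(f"{p.host}: non-PDC DC bypasses the forest hierarchy (RefID {p.refid})")
        if abs(p.offset) > max_offset:
            findings.append(f"{p.host}: offset {p.offset:+.3f}s exceeds {max_offset:.0f}s")
    return findings


if __name__ == "__main__":
    for finding in check_hierarchy(parse_monitor(SAMPLE_MONITOR), "contoso.com"):
        print(finding)
```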

    *

    Configure time sync to a reliable source on the forest root domain PDC Emulator ONLY.

    Do not perform on any other DC in any domain in the forest. PDC in the forest root only.

    1. Windows 2003 and all newer:
      1. Open an Administrator Command Prompt.
        1. Note that the examples below use either time.windows.com or the pool.ntp.org servers. You can get a full list of reliable time services at:
          A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet: http://support.microsoft.com/kb/262680
      2. w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update
        OR – if you want to use the pool.ntp.org time source servers:
      3. W32tm /config /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,0x1 /syncfromflags:manual /reliable:yes /update
      4. w32tm /resync /rediscover
      5. net stop w32time && net start w32time
      6. Check it with W32tm /query /configuration   
        1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below.
    2. Windows 2000:
      Generally speaking, the w32tm command is similar to Windows 2003 and newer operating systems.  However, Windows 2000 uses the net time /setsntp method, which was removed in later versions.  There are also some differences between Windows 2000 RTM and various service packs. Therefore, if any issues arise from the commands not setting, it’s recommended to follow the instructions using the registry to configure the time service in Windows 2000:
      How to configure an authoritative time server in Windows 2000:
      http://support.microsoft.com/kb/216734
      1. Open an Administrator Command Prompt.
      2. net time /setsntp:174.140.19.7    – Windows 2000 uses this command to configure an outside source.
      3. net stop w32time
      4. w32tm -once      - W32tm performs numerous commands; their results are displayed on the screen.
      5. net start w32time
      6. Check it with W32tm /query /configuration   
        1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
    3. Use the procedure in Step #1 to check and document the new configuration.
    4. Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

    *

    Configure all other DCs to sync using the forest time hierarchy

    This includes all other DCs in the forest root domain that are not holding the PDC Emulator role, and any DC in any other domains and trees, including the PDC in those domains.

    Do NOT run the following on the PDC Emulator in the forest root domain.

    1. First check and document the current configuration: See Section #3 above.
    2. Windows Server 2003 and all newer server operating systems: 
      1. Open an Administrator Command Prompt
      2. w32tm /config /syncfromflags:domhier /update /reliable:no
      3. w32tm /resync /rediscover
      4. net stop w32time && net start w32time
      5. Check it with W32tm /query /configuration   
        1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
    3. Windows 2000:
      For reference with Windows 2000, see the following link for more info:
      How to configure an authoritative time server in Windows 2000
      http://support.microsoft.com/kb/216734
      1. Open an Administrator Command Prompt.
      2. w32tm –s
      3. Net stop w32time && net start w32time
      4. Check it with W32tm /query /configuration   
        1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
    4. Use the procedure in Step #1 to check and DOCUMENT the new configuration.
    5. Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

    *

    Time configuration on FSMO transferred or seized DCs

    1. On the new forest root domain PDC Emulator, run the following:
      1. Open an Administrator command prompt:
      2. W32tm /config /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org /syncfromflags:manual /reliable:yes /update
        1. Note: time.windows.com is a working time source; however, you can choose any reliable time service in your locale.
      3. W32tm /resync /rediscover
      4. net stop w32time && net start w32time
      5. Check it with W32tm /query /configuration   
        1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
    2. On the server formerly holding the PDC Emulator role, run the following:
      1. Open an Administrator command prompt.
      2. w32tm /config /syncfromflags:domhier /update
      3. w32tm /resync /rediscover
      4. net stop w32time && net start w32time
      5. Check it with W32tm /query /configuration   
        1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
    3. Follow the procedure in Step #1 to check and DOCUMENT the new configuration.
    4. Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

    *

    Corrupted Time Service Resolution Section (Contingency)

    If any of the procedures did not work or event log errors indicate any issues, you can reset the time service registry entries back to default. The procedure should be done on the DC that you are experiencing issues with and not necessarily on each DC.  Note: This procedure can also be used as a contingency to return a DC (PDC and non-PDCs) back to local CMOS time sync.

    1. On the DC that you’re experiencing issues with, run the following:
      1. Open an Administrator command prompt.
      2. net stop w32time
      3. w32tm /unregister
      4. w32tm /register
      5. net start w32time
      6. Configure the DC according to the configuration sections above depending on if it’s a PDC Emulator or non-PDC Emulator.
    2. The next command is ONLY for Windows 2000 to 2008 DCs. It does not apply to 2008 R2 or newer and will be ignored if you try it.
      1. “net time /setsntp: ”      – Do not use the quotes. Note that there’s a blank space prior to the closing quote.
        This command tells the client (whether a DC or workstation) to delete the current registry settings for time and use default settings.
      2. net stop w32time && net start w32time
      3. Configure the DC according to the configuration sections above depending on if it’s a PDC Emulator or non-PDC Emulator.

    *

    W32Time Service Accuracy

    Please bear in mind that the Windows W32Time service is not a full featured, accurate service for time sensitive application requirements, nor will Microsoft support it as such. You must use a third party time service that will support this requirement.

    For more information, please visit the following link:

    Support boundary to configure the Windows Time service for high-accuracy environments
    http://support.microsoft.com/kb/939322

    ==================================================================

    References

    How the Windows Time Service Works
    http://technet.microsoft.com/en-us/library/71e76587-28f4-4272-a3d7-7f44ca50c018

    Windows Time Service Technical Reference
    http://technet.microsoft.com/en-us/library/a0fcd250-e5f7-41b3-b0e8-240f8236e210

    Windows Time Service Tools and Settings
    Includes specific w32tm command switches and registry entries.
    http://technet.microsoft.com/en-us/library/cc773263

    =================================================================

    Summary

    I hope this helped you to easily configure your time service and what to do if it didn’t work.

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services


    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Event ID 5774


    In general, these events indicate that the machine is unable to register its records with the DNS server it’s configured to use.

    Possible causes:

    • An ISP’s DNS server, or the router’s IP address, is set to be used as a DNS server in NIC properties.
    • The AD zone is configured to not allow dynamic updates.
    • If the 1st DNS entry is in another site, a firewall may be blocking necessary traffic.
    • Altered default security settings on the zone.
    • Altered default security settings in AD.
    • Altered default security settings on C: drive or C:\Windows folder.
    • Antivirus not configured to allow domain communications and services exceptions. See the antivirus vendor documentation on how to configure DCs for exclusions.
    • If the zone is set to Secure Only, possible Kerberos authentication errors will prevent registration. Causes of Kerberos errors can be numerous including misconfigured time service and antivirus exclusion, using an ISP’s DNS, third party installed firewalls or AV, and more.

    Note on Firewalls

    Active Directory communications require over 29 ports to be allowed, plus the ephemeral ports, and differ among operating system versions:

    • Windows 2003, Windows XP and older: UDP 1024 – 5000
    • Windows 2008, Windows Vista, & newer: UDP 49152 – 65536

    DNS updates require TCP 53 & UDP 53, not just TCP 53.
    It can be extremely challenging to configure a firewall for AD communications. The general rule of thumb is to just allow all traffic between locations.

    Here’s a good list of the ports:

    Active Directory Firewall Ports – Let’s Try To Make This Simple (RODC, too)
    http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

    If you need to control the ports AD uses across a firewall:

    Active Directory Replication over Firewalls
    http://technet.microsoft.com/en-us/library/bb727063.aspx

    Paul Bergson’s Blog on AD Replication and Firewall Ports
    http://www.pbbergs.com/windows/articles/FirewallReplication.html
    http://www.pbbergs.com/windows/articles.htm

    Restricting Active Directory replication traffic and client RPC traffic to a … unique port, and you restart the Netlogon service on the domain controller. …
    http://support.microsoft.com/kb/224196

    How to restrict FRS replication traffic to a specific static port … Windows 2000-based domain controllers and servers use FRS to replicate system policy …
    http://support.microsoft.com/kb/319553


     

    You can run the following tests on AD to ensure there are no errors:

    • DCDIAG /V /C /D /E /s:yourDCName > c:\dcdiag.log
    • Netdiag.exe /v > c:\netdiag.log (Run only on Windows 2003 or older DCs, not 2008 or 2008 R2)
    • repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
    • ntfrsutl ds domain.com > c:\sysvol.log

    Possible solutions:

    1. On the machine logging the above event, check its TCP/IP configuration and make sure the same DNS server is not configured for both Primary and Secondary.
    2. The following registry value is incorrect: “SiteCoverage” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
          This value typically should equal the domain name.
    3. You can try to flip the zone types to reset default settings:
      1. Change the zone type from Active Directory integrated to “Standard Primary”, then stop & start DNS.
      2. Then stop & start the Netlogon service on the child DC & verify that the records are registered.
      3. If verified, change the zone type back to Active Directory integrated and verify that the DC no longer logs the event when the Netlogon service is stopped & started.
    4. Make sure the machine logging the above event is pointing to a DNS server that supports dynamic updates and is hosting a zone for the domain (i.e. make sure it’s not pointing to the ISP’s DNS server).
    5. Verify that there is no manually created record (CNAME, A or other) for the same hostname. If there is, it will prevent the DC from dynamically registering its host record, and you need to remove the manually created record.
    6. In a parent/child delegated scenario where Event ID 5774 was logged on the domain controllers in the child domain:
          Setup:
          On the parent DNS servers, there is a delegation for the child DNS servers. The child DNS servers have forwarders up to the parent DNS servers.
          Cause and Fix:
          On the Security tab of the delegation, check whether “Authenticated Users” is missing.
          Add “Authenticated Users” and grant Full Control.
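    As an added example (not code from the original post), the script below turns causes 1 and solutions 1, 4 and 5 above into a check you can run on the machine logging the 5774: it flags a DNS server listed twice, asks each configured server for the domain’s DC locator SRV record (an ISP or router DNS has no answer for that), and compares the host’s own A record with its local addresses to spot a manual or stale record. It assumes the DnsClient and NetTCPIP cmdlets (Windows 8 / Server 2012 or newer) and a domain-joined machine; the domain name is read from the computer itself.

```powershell
# Added example, not from the original post: audit this machine's DNS client settings
# against the causes and solutions listed above. Assumes Windows 8 / Server 2012 or newer.
$domain   = (Get-CimInstance Win32_ComputerSystem).Domain
$findings = New-Object System.Collections.Generic.List[string]

foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }) {
    $alias   = $nic.InterfaceAlias
    $servers = @($nic.ServerAddresses)

    # Solution 1: the same server listed as both primary and secondary
    $dupes = $servers | Group-Object | Where-Object { $_.Count -gt 1 }
    if ($dupes) { $findings.Add("[$alias] same DNS server listed more than once: $($dupes.Name -join ', ')") }

    foreach ($srv in $servers) {
        # Cause 1 / solution 4: every listed server must host the AD zone, which means it can
        # answer the domain's DC locator SRV record itself. An ISP or router DNS cannot.
        try {
            $rec = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $srv -DnsOnly -ErrorAction Stop
            $dcs = @($rec | Where-Object { $_.Type -eq 'SRV' }).NameTarget -join ', '
            Write-Host "[$alias] $srv knows the DCs for ${domain}: $dcs"
        } catch {
            $findings.Add("[$alias] $srv cannot answer _ldap._tcp.dc._msdcs.$domain (ISP/router DNS, or zone not hosted): $($_.Exception.Message)")
        }
    }
}

# Solution 5: a manually created or stale A record for this host blocks its own dynamic registration
$myIps = @((Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress)
$aRecs = Resolve-DnsName -Name "$env:COMPUTERNAME.$domain" -Type A -DnsOnly -ErrorAction SilentlyContinue
foreach ($a in @($aRecs | Where-Object { $_.Type -eq 'A' })) {
    if ($myIps -notcontains $a.IPAddress) {
        $findings.Add("A record $($a.Name) -> $($a.IPAddress) matches no local address ($($myIps -join ', ')); check for a manual or stale record")
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'DNS client configuration looks sane; if 5774 persists, check zone security, AV exclusions and time sync'
} else {
    Write-Warning ("Findings:`n - " + ($findings -join "`n - "))
}
```

    After correcting anything it reports, re-register with ipconfig /registerdns and nltest /dsregdns and confirm the event stops.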


    References:

    Domain Controller Generates a Netlogon Error Event ID 5774
    http://support.microsoft.com/?id=284963

    A DNS Update is recorded as failed: Event ID 5774, 1196, or 1578
    This problem occurs when you use a third-party server application for DNS resolution. This includes SCCM causing false alarms, and cluster resources not initiating using a third party DNS server.
    Hotfix available for Windows Server 2008 R2 or Windows 7.
    http://support.microsoft.com/kb/977158

    Event ID: 5774 Source: NETLOGON
    http://eventid.net/display.asp?eventid=5774&eventno=353&source=NETLOGON&phase=1

    Other References:

    Technet thread: “Event 5774, NETLOGON” Friday, November 20, 2009
    http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/0507f7cc-c426-439b-a0c6-d36cda2dfee8

    Technet thread: “Netlogon event 5774” Tuesday, February 01, 2011
    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/cf5c1e9e-dccb-45e2-9f14-144f8ba1f838/

    ================================================

    Summary

    I hope this helps with figuring out and fixing an Event ID 5774. 

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    OU Structures and Group Policy Objects (GPOs) Design Considerations and Guidelines


    Original posting: 8/25/2014

    Hey everyone, Ace here, again. This is an accumulation of notes on OU structures. It’s not very well laid out, but I hope it gives you some ideas on how to design an OU structure and to help with applying GPOs.

    Default Domain Policy and OU Design

    It’s suggested and recommended to not change the Default Domain Policy.
    Keep in mind, whatever you set at the domain level will flow downhill to
    everything. I would suggest to design your OU structure to reflect your
    organization and/or departments, which will also help you create GPOs for
    the OU design.

    For example, for a company with more than one location/site, I would suggest
    the following – and this is just that… a suggestion.

    Domain
    …..Philly OU
    …………..Accounting
    …………..Sales
    …………..Marketing
    …………..Desktop
    …………..Users
    …………..Groups
    …………..Laptops
    …..Seattle OU
    …………..Accounting
    …………..Sales
    …………..Marketing
    …………..Desktops
    …………..Users
    …………..Groups
    …………..Laptops

    In the above example, I separated Laptops and Desktops because I have two different Windows Update GPOs set. The Desktop Windows Update GPO I created runs at 3:00 AM, whereas the Laptop Updates run at 3:30 PM while the users have the laptops in the office.

    I also separated groups just to “group” them together, and for no other reason.

    This design also allows me to create GPOs for the different offices,
    or I can create one and link it to both offices. The design possibilities
    are endless, especially if you control flow with Block Inheritance, Loopback, WMI filtering, disabling the Computer or User portion of a GPO, etc. However, in many cases I do not use these features, because when a problem comes up 8 months later it is difficult to remember what you had blocked, filtered, etc.

    And yes, you can use RSOP to look at what is being applied, etc., but I find it easier to simply create another OU or a child OU to have a different setting than the parent, such as the following, where I created a GPO to lock the desktop with two different time settings.

    The Desktops OU has a 30 minute setting, but I created a 15 Minute Timeout OU directly beneath it. Because the same setting has a different value on the child OU, it overrides the parent’s setting. I can simply “look” at my OUs and know what I have applied.

    …..Seattle OU
    …………..Accounting
    …………..Sales
    …………..Marketing
    …………..Desktops
    ………………..15 Minute Timeout OU
    …………..Users
    …………..Laptops


    These are just suggestions, and you may find that it may work for you, or not. Even in a single site, I still do it this way, because it is flexible. You never know when the customer or your company may expand. If they do, simply create another OU for the new location.

    GPO Inheritance:

    There was one question that came up regarding the above example that I thought
    I would share:

    So let’s say I open AD Users and Computers and create a new OU named Philly OU,
    then inside this OU I create another six sub-OUs such as: Accounting, Sales, Marketing, etc.

    My question is, do I need to right-click on each sub-OU such as Accounting, Sales, Marketing, etc. in the GPO tab to configure the same policy settings, or is it enough to set up a GPO policy in the Philly OU parent OU folder to automatically apply to all other sub-OUs?
     
    The simple answer is yes, the policy will inherit or flow downhill (traverse), as long as:

    • There are no blocks or filtering not allowing it to apply to the target (user or computer).
    • No other policy has enforcement override with conflicting settings.
    • Whether the GPO is targeting user accounts or computer objects, the user and computer objects must have read rights to the following attributes:
         – gpLink
         – gpOptions

    Note: Read permission is also important if you enable Loopback Processing, as well as List Object Mode on the directory, which is a form of filtering views in ADUC and GPMC.
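    The following is an added example, not code from the original post, covering both the OU layout above and the inheritance question: it creates the per-location OU tree (including the 15 Minute Timeout child OU) with the ActiveDirectory module, links one GPO at the location OU with the GroupPolicy module, and then reads a child OU’s inheritance to show that a single link at the parent is enough unless inheritance is blocked or a filter excludes the target. The OU and GPO names are the post’s examples and placeholders; the GPO is created empty, so the actual lock timeout setting still has to be configured in it.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$layout = @{
    'Philly OU'  = 'Accounting','Sales','Marketing','Desktops','Users','Groups','Laptops'
    'Seattle OU' = 'Accounting','Sales','Marketing','Desktops','Users','Groups','Laptops'
}

# Return the OU's DN, creating it only if it is missing (safe to re-run).
function Initialize-OU([string]$Name, [string]$ParentDn) {
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDn -SearchScope OneLevel
    if (-not $existing) {
        # Keep accidental-deletion protection on: an OU full of accounts should never vanish on a mis-click.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$ParentDn"
}

foreach ($site in $layout.Keys) {
    $siteDn = Initialize-OU -Name $site -ParentDn $domainDn
    foreach ($child in $layout[$site]) { Initialize-OU -Name $child -ParentDn $siteDn | Out-Null }
    # Child OU under Desktops that carries a different value of the same setting, as in the Seattle example
    Initialize-OU -Name '15 Minute Timeout OU' -ParentDn "OU=Desktops,$siteDn" | Out-Null
}

# One GPO linked at the location OU covers every child OU beneath it.
$gpoName  = 'Desktop Lock 30 Min'   # placeholder GPO name
$phillyDn = "OU=Philly OU,$domainDn"
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
if (-not ((Get-GPInheritance -Target $phillyDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $phillyDn -LinkEnabled Yes | Out-Null
}

# The inheritance question: a child OU lists the parent's link under InheritedGpoLinks unless
# inheritance is blocked on it or a security/WMI filter excludes the user or computer.
$inh = Get-GPInheritance -Target "OU=Accounting,$phillyDn"
"Accounting: inheritance blocked = $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced, Target | Format-Table -AutoSize
```

    The GpoInheritanceBlocked value is the quickest way to spot a Block Inheritance that someone set months ago, which is the support problem mentioned above.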

    Loopback processing explained:

    Loopback processing of Group Policy, explained. Sunday, 26 July 2009
    http://kudratsapaev.blogspot.co.uk/2009/07/loopback-processing-of-group-policy.html

    You can use loopback processing to apply user settings that depend only on which computer the user logs on to, for example when the computer object is in a different OU. It’s a feature normally used to lock down a computer that a user is on. It’s typically used for kiosk mode, such as a self-checkout register at the grocery store, but it can be used for anything you need. More info on this feature:

    Circle Back to Loopback – Part 1
    By Jonathan Stephens, MSFT
    http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx

    Back to the Loopback: Troubleshooting Group Policy loopback processing, Part 2
    By Jonathan Stephens, MSFT
    http://blogs.technet.com/b/askds/archive/2013/05/21/back-to-the-loopback-troubleshooting-group-policy-loopback-processing-part-2.aspx

    Loopback processing of Group Policy
    http://support.microsoft.com/kb/231287

    *

    Videos that should help understand this better:

    Video: Active Directory: Introduction to Group Policy
    Compiled From MOC 2279b Planning, Implementing & Maintaining a Microsoft Windows 2003 AD Infrastructure, Module 6, by Ace Fekay

     

    *

    Video: Introduction to Active Directory’s Logical Design
    Compiled From MOC 2279b Planning, Implementing & Maintaining a Microsoft Windows 2003 AD Infrastructure, Module 1, by Ace Fekay
    http://www.youtube.com/watch?v=TLZZ1iHMr2Q

     

    *

    References

    Dude, where’s my GPO? Using PowerShell to find all of your Group Policy links.
    “… you can easily create a report of all your Group Policy Objects (GPOs) …”
    Cool article to list out all your GPOs in one spot with PowerShell. Can be helpful with troubleshooting.
    http://blogs.technet.com/b/ashleymcglone/archive/2013/05/29/dude-where-s-my-gpo-using-powershell-to-find-all-of-your-group-policy-links.aspx

    A good discussion on GPO Design in the following thread with good info by Christoffer Andersson:
    Thread: “Building Organization Hierarchy with Active Directory” 6/2013
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/798bf766-a351-4fdb-b8f8-927ad60e1270/building-organisation-hierarchy-with-active-directory

    Reviewing OU Design Concepts, Updated: April 11, 2008
    Applies To: Windows Server 2008, Windows Server 2008 R2 (These concepts also apply to 2003):
    Quoted: “While there is no technical limit to the number of levels in your OU structure, for manageability we recommend that you limit your OU structure to a depth of no more than 10 levels. There is no technical limit to the number of OUs on each level. Note that Active Directory Domain Services (AD DS)–enabled applications might have restrictions on the number of characters used in the distinguished name (that is, the full Lightweight Directory Access Protocol (LDAP) path to the object in the directory) or on the OU depth within the hierarchy.”
    http://technet.microsoft.com/en-us/library/cc725715(v=ws.10).aspx

    Here’s a basic visual of how GPOs work, and how it would flow downhill.
    http://cid-0c7b9fd0852378b8.photos.live.com/self.aspx/Technet%20Forum%20Support/GPOs/gpoflow.jpg

    Design Considerations for Organizational Unit Structure and Use of Group Policy Objects
    http://technet.microsoft.com/en-us/library/cc785903.aspx

    TechNet Magazine: Group Policy
    http://technet.microsoft.com/en-us/magazine/cc135925.aspx

    Group Policy and Advanced Group Policy Management
    http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx

    Win2k3 AD OU/GPO Design Discussion
    http://www.tomshardware.com/forum/190896-46-win2k3-design-discussion

    AD Scalability and GPOs
    http://technet.microsoft.com/en-us/library/cc756101.aspx

    You receive a “Failed to delete Group Policy Object” error message when you try to delete the default domain policy or the default domain controller policy in Windows Server 2003 and in Windows 2000 Server”
    “… the default domain Group Policy object (GPO) and the default domain controller Group Policy object cannot be deleted.”
    http://support.microsoft.com/kb/910201

    Default Group Policy objects become corrupted: disaster recovery
    http://technet.microsoft.com/en-us/library/cc739095(WS.10).aspx

    Chapter 4: Strengthening Domain and Domain Controller Policy Settings (applies to all operating systems)
    http://technet.microsoft.com/en-us/library/cc773205(v=WS.10).aspx

    *

    Summary

    I hope this helps to set you on the right track to design your AD structure. I’ll update this blog time to time, so check back in the future, please. 

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    After Delegating Permissions for an Organizational Unit (OU) in Active Directory Users and Computers (ADUC), Create a Custom MMC or Custom RSAT


    Prologue

    Note- this was put together and fast published and there may be errors. Check back for updates when I add RSAT info.

    Ace here again. Yep, me again. This scenario comes up from time to time. Sure, you can use the RSAT tools, but here is an old-fashioned, tried-and-true method that works nicely so a delegated OU admin can only see and do what they need to do in their OU.

    Scope

    After you delegate permissions to a limited admin in Active Directory, such as the ability to reset passwords, you may want to create a custom ADUC MMC (console or custom taskpad) for the delegated admin to control the portion of AD (the OU) they are allowed to manage.

    For Windows 2003 AD – but it will work in 2008 and newer

    The last time I set this up for a customer, it involved a snap-in for each ‘location’ OU. I allowed the right-click context menu and the tree view (left pane and right pane) to remain available in the custom console, but I removed everything else, including the file menu buttons and such. So under View, Customize, uncheck everything except the top item that says Console Tree. This way they can’t go up a level or click any of the other items, but they will still have the right-click feature.
     
    You can also choose to remove the left hand pane (tree view).

    MMC v2 and v3 are the same:

    • Start/run/mmc, hit enter
    • File, Add-Remove Snap-in, Add ADUC
    • Drill down under the domain to the OU you want.
    • Right-click on that OU, choose new window from here.
    • A new window pops up with the OU in the left pane and the contents in the right pane.
    • Close the original ADUC window leaving the new window open that you’ve just created.
    • Expand the window to take up the whole console. – This will keep them in this section and they will not be able to go up levels and are ‘stuck’ in this OU.
    • Select View/Customize
    • Uncheck everything but Console Tree.
    • File/Options Choose Console Mode, then select:

    User mode: Limited Access single window
    Check: Do not Save Changes to this console
    Uncheck: Allow the user to customize views
    Save it.

    • Logon as a test user that was delegated permissions and test it.

    If you want to remove the delegated admin’s ability to right-click on a user account, uncheck Console Tree as described above, then change the console view: right-click on the OU, choose New Taskpad View, and choose a vertical or horizontal list. Then create a new task of type menu command, highlight a user account, choose Reset Password (or anything else in the right column), choose an icon, and finish.

    Copy the .MSC file via a UNC connected to the delegated person’s XP workstation’s \Documents and Settings\username\desktop folder, or if Windows Vista or newer, in the C:\users\username\desktop folder.

    Keep in mind, the Active Directory Administration Center, RSAT tools or AdminPak tools, depending on what operating system version the client side is, needs to be installed on the workstation for the ADUC binaries to be available for this task pad to work.

     

    For Windows 2003/Windows XP using the AdminPak tools just for the ADUC snap-in, nothing else:

    Copy over the following three DLLs from the 2003 or newer DC you are on to the client’s system32 folder. All three of these are needed on a 2003 DC or newer, or the ADUC won’t open. However, on an XP or newer machine, you only need two. If I were to allow users to change passwords and create a custom MMC for just that OU, then all I need is adprop.dll and dsadmin.dll; otherwise you need all three.

    • adprop.dll (for object properties)
    • dsadmin.dll (ability to alter object properties)
    • dsprop.dll (for object properties related to directory services)

    Then you can use PsExec (one of the PsTools available free from Microsoft) to remotely register the DLLs listed above on their workstation using the regsvr32.exe utility.
    Download PsExec v1.98, by Mark Russinovich, Published: April 28, 2009
    http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

    • psexec \\machinename regsvr32 adprop.dll
    • psexec \\machinename regsvr32 dsadmin.dll
    • psexec \\machinename regsvr32 dsprop.dll

    Here are some screenshots at the following link:

    Create Taskpads for Active Directory Operations:
    http://www.petri.co.il/create_taskpads_for_ad_operations.htm


    ===============================================

    For AD on Windows 2008 and newer:


    You can use the ADAC & RSAT Tools, or you can use the above method.
    Note: ADAC does not have a feature to break down specific tools to create a custom console as shown above.

     

    For the Active Directory Administration Center and the RSAT tools:

    See the related links below for the new AD Admin Center.

    Active Directory Administration Center (ADAC):

    Active Directory Administrative Center: Getting Started
    http://technet.microsoft.com/en-us/library/dd560651(WS.10).aspx

    Active Directory Administrative Center — a New AD interface for Win7 and Win 2008  and newer
    http://techibee.com/active-directory/active-directory-administrative-center-a-new-ad-interface-for-win7-and-win-2008/290

    Learn New Features in Active Directory Administrative Center
    http://www.enterprisenetworkingplanet.com/windows/article.php/3887136/Learn-New-Features-in-Active-Directory-Administrative-Center.htm

    Description of Remote Server Administration Tools for Windows 7:
    http://support.microsoft.com/default.aspx/kb/958830

    Remote Server Administration Tools for Windows 7:
    http://technet.microsoft.com/en-us/library/ee449475(WS.10).aspx

    Remote Server Administration Tools for Windows 7
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en

    Customizing – Installing Remote Server Administration Tools (RSAT) for Windows 7
    http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm


    ==================================================================

    Summary

    I hope this helps!

    Last updated – 2/2006, refined a bit 9/3/2014

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services


    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    FRS to DFS-R Migration


    Understand FRS to DFS-R Migration Stages
    From MOC 6425C p12.70 – 12.73

    Because SYSVOL is critical to the health and functionality of your domain, Windows does not provide a mechanism with which to convert from FRS to DFS-R replication of SYSVOL instantly. In fact, migration to DFS-R involves creating a parallel SYSVOL structure. When the parallel structure is successfully in place, clients are redirected to the new structure as the domain’s system volume. When the operation has proven successful, you can eliminate FRS.

    Migration to DFS-R therefore consists of four stages or states:

    0 (start). The default state of a domain controller. Only FRS is used to replicate SYSVOL.

    1 (prepared). A copy of SYSVOL is created in a folder called SYSVOL_DFSR and is added to a replication set. DFS-R begins to replicate the contents of the SYSVOL_DFSR folders on all domain controllers. However, FRS continues to replicate the original SYSVOL folders and clients continue to use SYSVOL.

    2 (redirected) SYSVOL share is redirected to SYSVOL_DFSR for client use.
    SYSVOL is still replicated by FRS for failback.

    3 (eliminated). Replication of the old SYSVOL folder by FRS is stopped. The original SYSVOL folder is not deleted. Therefore, if you want to remove it entirely, you must do so manually.

    You move the DCs through these stages or states by using the dfsrmig command. You will use three options with dfsrmig.exe:

    • setglobalstate state
      The setglobalstate option configures the current global DFSR migration state, which applies to all domain controllers. The state is specified by the state parameter, which is 0–3. Each domain controller will be notified of the new DFSR migration state and will migrate to that state automatically.
    • getglobalstate
      The getglobalstate option reports the current global DFSR migration state.
    • getmigrationstate
      The getmigrationstate option reports the current migration state of each domain controller. Because it might take time for domain controllers to be notified of the new global DFSR migration state, and because it might take even more time for a domain controller to make the changes required by that state, domain controllers will not be synchronized with the global state instantly. The getmigrationstate option enables you to monitor the progress of domain controllers toward the current global DFSR migration state.

    If there is a problem moving from one state to the next higher state, you can revert to previous states by using the setglobalstate option. However, after you have used the setglobalstate option to specify state 3 (eliminated), you cannot revert to the earlier states.

    To migrate SYSVOL replication from FRS to DFS-R, perform the following steps:

    1. Open the Active Directory Domains and Trusts snap-in.
    2. Right-click the domain and choose Raise Domain Functional Level.
    3. If the Current domain functional level box does not indicate Windows Server 2008, select Windows Server 2008 or Windows Server 2008 R2 from the Select an available domain functional level list.
    4. Click Raise. Click OK twice in response to the dialog boxes that appear.
    5. Log on to a domain controller and open a command prompt.
    6. Type dfsrmig /setglobalstate 1.
    7. Type dfsrmig /getmigrationstate to query the progress of domain controllers toward the Prepared global state. Repeat this step until the state has been attained by all domain controllers. This can take 15 minutes to an hour or longer.
    8. Type dfsrmig /setglobalstate 2.
    9. Type dfsrmig /getmigrationstate to query the progress of domain controllers toward the Redirected global state. Repeat this step until the state has been attained by all domain controllers. This can take 15 minutes to an hour or longer.
    10. Type dfsrmig /setglobalstate 3.
    After you begin migration from state 2 (redirected) to state 3 (eliminated), any changes made to the SYSVOL folder will have to be replicated manually to the SYSVOL_DFSR folder.
    11. Type dfsrmig /getmigrationstate to query the progress of domain controllers toward the Eliminated global state. Repeat this step until the state has been attained by all domain controllers. This can take 15 minutes to an hour or longer.
    12. For more information about the dfsrmig.exe command, type dfsrmig.exe /?.
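    As an added example (not code from the original post or from the MOC material it quotes), the script below drives steps 5 through 11 as one procedure: it confirms the domain functional level from steps 1 through 4, moves the global state up one step at a time, polls dfsrmig /getmigrationstate until every DC reports the new state before setting the next one, and refuses state 3 unless explicitly asked, since that state cannot be reverted. It assumes it runs on a DC with the ActiveDirectory module available; matching dfsrmig’s output on the state names and the words “migrated successfully” is an assumption based on its English messages, so check those strings against your own output before relying on it.

```powershell
# Added example, not from the original post. Assumes dfsrmig.exe and the ActiveDirectory module on a DC;
# the output text matched below is an assumption based on dfsrmig's English messages.
Import-Module ActiveDirectory

$stateNames = 'Start', 'Prepared', 'Redirected', 'Eliminated'   # dfsrmig global states 0..3

function Test-DomainFunctionalLevel {
    # Steps 1-4 above: SYSVOL on DFS-R needs the Windows Server 2008 domain functional level or higher
    return ((Get-ADDomain).DomainMode.ToString() -notmatch '^Windows200[03]')
}

function Get-DfsrGlobalState {
    $out = (& dfsrmig.exe /getglobalstate) -join ' '
    for ($i = 3; $i -ge 0; $i--) { if ($out -match $stateNames[$i]) { return $i } }
    throw "Could not parse dfsrmig /getglobalstate output: $out"
}

function Wait-DfsrMigrationState([int]$State, [int]$PollSeconds = 60, [int]$TimeoutMinutes = 120) {
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $out = (& dfsrmig.exe /getmigrationstate) -join ' '
        if ($out -match 'migrated successfully' -and $out -match $stateNames[$State]) { return $true }
        Write-Host ('[{0:HH:mm:ss}] DCs still converging on state {1} ({2}); AD replication latency is normal here' -f (Get-Date), $State, $stateNames[$State])
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-SysvolMigration([int]$TargetState, [switch]$AllowEliminate) {
    if ($TargetState -lt 1 -or $TargetState -gt 3) { throw 'TargetState must be 1 (prepared), 2 (redirected) or 3 (eliminated)' }
    if (-not (Test-DomainFunctionalLevel)) { throw 'Raise the domain functional level to Windows Server 2008 first (steps 1-4)' }
    $current = Get-DfsrGlobalState
    if ($current -ge $TargetState) { Write-Host "Already at state $current ($($stateNames[$current]))"; return }
    for ($s = $current + 1; $s -le $TargetState; $s++) {
        if ($s -eq 3 -and -not $AllowEliminate) {
            throw 'State 3 cannot be reverted; verify that clients use the redirected SYSVOL, then rerun with -AllowEliminate'
        }
        Write-Host "dfsrmig /setglobalstate $s ($($stateNames[$s]))"
        & dfsrmig.exe /setglobalstate $s | Out-Null
        if (-not (Wait-DfsrMigrationState -State $s)) {
            throw "DCs did not all reach state $s within the timeout; inspect dfsrmig /getmigrationstate and repadmin /showrepl"
        }
    }
}

# Usage: go to Redirected, verify the new SYSVOL from a client, then eliminate FRS as a separate, deliberate step.
# Invoke-SysvolMigration -TargetState 2
# Invoke-SysvolMigration -TargetState 3 -AllowEliminate
```

    Splitting the run at state 2 mirrors the failback window the text describes: while FRS still replicates the old SYSVOL you can set the global state back, and after state 3 you cannot.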

     

    More info on migration steps:

    SYSVOL Replication Migration Guide: FRS to DFS Replication
    http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx

    Migrate a Domain-based Namespace to Windows Server 2008 Mode – Applies To: Windows Server 2008 R2
    “To migrate a domain-based namespace from Windows 2000 Server mode to Windows Server 2008 mode, you must export the namespace to a file, delete the namespace, recreate it in Windows Server 2008 mode, and then import the namespace settings. To do so, use the following procedure.”
    http://technet.microsoft.com/en-us/library/cc753875.aspx

    Why Migrate?

    1. “Access-based enumeration- Access-based enumeration allows users to see only files and folders on a file server to which they have permission to access. This feature is not enabled by default for namespaces (though it is enabled by default on newly-created shared folders in Windows Server 2008), and is only supported in a DFS namespace when the namespace is a standalone namespace hosted on a computer running Windows Server 2008, or a domain-based namespace by using the Windows Server 2008 mode.”

    Above quoted from:
    Distributed File System – Why migrate?
    http://technet.microsoft.com/en-us/library/cc753479(WS.10).aspx

    Enable Access-Based Enumeration on a Namespace
    http://technet.microsoft.com/en-us/library/dd919212(WS.10).aspx
     
    2. Cluster support - DFS Namespaces in Windows Server 2008 supports creating stand-alone namespaces on a failover cluster from within the DFS Management snap-in. To do so, specify a failover cluster on the Namespace Server page of the New Namespace Wizard.

    3. Improved command-line tools – DFS Namespaces in Windows Server 2008 includes an updated version of the Dfsutil command and the new Dfsdiag command, which you can use to diagnose namespace issues.

    Changes and improvements to Dfsutil:
    http://go.microsoft.com/fwlink/?LinkId=136572

    Dfsdiag:
    http://go.microsoft.com/fwlink/?LinkId=136571

    4. Windows Server 2008 mode domain-based namespaces – Windows Server 2008 includes the ability to create a domain-based namespace in Windows Server 2008 mode. Doing so enables support for access-based enumeration and increased scalability. The domain-based namespace introduced in Windows® 2000 Server is now referred to as “domain-based namespace (Windows 2000 Server mode).”

    To use the Windows Server 2008 mode, the domain and domain-based namespace must meet the following minimum requirements:
         – The forest uses the Windows Server 2003 or higher forest functional level.
         – The domain uses the Windows Server 2008 or higher domain functional level.
         – All namespace servers are running Windows Server 2008.

    If your environment supports it, choose the Windows Server 2008 mode when you create new domain-based namespaces. This mode provides additional features and scalability, and also eliminates the possible need to migrate a namespace from the Windows 2000 Server mode.

    For information about migrating a namespace to Windows Server 2008 mode, see
    Migrate a Domain-based Namespace to Windows Server 2008 Mode.
    http://technet.microsoft.com/en-us/library/cc753875(WS.10).aspx

    5. Content Freshness – DFS Replication in Windows Server 2008 has a new feature called Content Freshness, which prevents a server that was offline for a long time from over-writing fresh data when it comes back online with stale (out-of-date) data.

    6. Improvements for handling unexpected shutdowns – In Windows Server 2008, DFS Replication now allows for quicker recovery from unexpected shutdowns. Unexpected shutdowns can occur because of the following reasons:
         – Unexpected shutdown of DFS Replication: This could occur if the DFS Replication process crashes, is ended, or stops because there are insufficient resources.
         – Unexpected shutdown of the computer: This could occur if the computer crashes or loses power while DFS Replication is running.
         – Unexpected shutdown of the volume: This could occur if the volume hosting a DFS Replication content set loses power, is disconnected, or is forced to dismount.
    Unexpected shutdowns of the computer and the volume can cause the NTFS file system to lose changes which have not been copied to disk. Therefore the DFS Replication database can become inconsistent with the on-disk file system state.

    On Windows Server 2003 R2, an unexpected shutdown may force DFS Replication to perform a complete database rebuild, which can be very time consuming. DFS Replication in Windows Server 2008 usually does not need to rebuild the database following unexpected shutdowns, and thus recovers much more quickly.

    7. DFS Replication performance improvements – DFS Replication in Windows Server 2008 includes the following performance improvements:
         – Faster replication both for small and large files.
         – Initial synchronization completes faster.
         – Better network bandwidth utilization on LANs and high latency networks such as WANs.

    8. Propagation report – DFS Management in Windows Server 2008 includes a new type of diagnostic report called a propagation report. This report displays the replication progress for the test file created during a propagation test.

    9. Replicate now – DFS Management now includes the ability to force replication to occur immediately, temporarily ignoring the replication schedule.
         To force replication immediately
           1. In the console tree, under the Replication node, select the appropriate replication group.
           2. Click the Connections tab.
           3. Right-click the member you want to use to replicate, and then click Replicate Now.

    10. Support for Read-Only Domain Controllers – In Windows Server 2008, DFS Replication supports Read-Only Domain Controllers (RODCs).
    For more information about RODCs, see http://go.microsoft.com/fwlink/?LinkId=96517.

    11. SYSVOL replication using DFS Replication – DFS Replication replaces the File Replication Service (FRS) as the replication engine for replicating the AD DS SYSVOL folder in domains that use the Windows Server 2008 domain functional level.

    =================================================================

    Summary

    I hope this helped you to easily configure your time service and what to do if it didn’t work.

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services


    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    PowerShell: Getting AD groups of one User and Add them to a List of Other Users


    Prologue

    Ace here again. Yep, me again. I’ve been on the sidelines lately with a big mail migration, then changed roles to the AD and Windows management side of things.

    Part of what I do is perform necessary file maintenance (FSRM, DFS, fileserver migration, etc.), and of course, respond to tickets for requests or issues.

One request that came in was for 16 new users that are to have identical group memberships to a current user. I looked at the group membership of the user in question and saw he was part of 11 or 12 groups. Hmm, and he wants this done for 16 users? I could sit there and add each group to each user, one at a time. Nah, too much work.

    So I thought to try to do it programmatically, because who knows when this will come up again.

    Script

It’s pretty straightforward.

#===========================================================================================
# This was created for a ticket request to mimic one user's (SomeSamAccountUsername) group
# membership and add the same groups to a list of user accounts.
# By Ace Fekay 7/15/2015
#
# First, get a memberOf for SomeSamAccountUsername and save it to a file called
#     C:\PSScripts\groupmembership\SomeSamAccountUsername-grouplist.txt
#     Run Get-QADMemberOf SomeSamAccountUsername
#
#     Copy and paste the output from the screen to the file.
#     In the file, keep the DN values and delete everything else.
#
# Second, get a list of the user accounts that you want adjusted from the ticket owner,
#     then save the list in another text file called C:\PSScripts\groupmembership\List-Of-Usernames.txt
#     Prefix the user accounts with the domain name, such as philly\username
#
# Third, read the first user in the list, add the groups to that user, then read the next
#     user in the list, and repeat.
#
# Note: the template user's list may include privileged groups (IT-Admins in the sample
#     below). Review the group file before running; everything in it is granted to all 16.
#===========================================================================================

# The next line adds all of the Quest tools (no space before the wildcard, or "*" is
# treated as a second snap-in name).
Add-PSSnapin Quest*
Get-QADMemberOf SomeSamAccountUsername

#===========================================================================================
# Sample output from Get-QADMemberOf SomeSamAccountUsername:
#===========================================================================================
#
# Name                           Type            DN
# ----                           ----            --
# Domain Users                   group           CN=Domain Users,OU=IT,DC=philly,DC=contoso,DC=com
# Deployment Technician          group           CN=Deployment Technician,OU=IT,DC=philly,DC=contoso,DC=com
# Desktop-Technician             group           CN=Desktop-Technician,OU=IT,DC=philly,DC=contoso,DC=com
# AddComputerToDomain            group           CN=AddComputerToDomain,OU=IT,DC=philly,DC=contoso,DC=com
# Vendor-A-contractors           group           CN=Vendor-A-contractors,OU=IT,DC=philly,DC=contoso,DC=com
# General-Group                  group           CN=General-Group,OU=IT,DC=philly,DC=contoso,DC=com
# Wireless-Users                 group           CN=Wireless-Users,OU=IT,DC=philly,DC=contoso,DC=com
# Group-B                        group           CN=Group-B,OU=IT,DC=philly,DC=contoso,DC=com
# IT-Staff                       group           CN=IT-Staff,OU=IT,DC=philly,DC=contoso,DC=com
# IT-Admins                      group           CN=IT-Admins,OU=IT,DC=philly,DC=contoso,DC=com
# IT-Technicians                 group           CN=IT-Technicians,OU=IT,DC=philly,DC=contoso,DC=com
# Client-Support                 group           CN=Client-Support,OU=IT,DC=philly,DC=contoso,DC=com

#=================================================================================================
# Sample of what C:\PSScripts\groupmembership\SomeSamAccountUsername-grouplist.txt will look like:
#=================================================================================================
# CN=Domain Users,OU=IT,DC=philly,DC=contoso,DC=com
# CN=Deployment Technician,OU=IT,DC=philly,DC=contoso,DC=com
# CN=Desktop-Technician,OU=IT,DC=philly,DC=contoso,DC=com
# CN=AddComputerToDomain,OU=IT,DC=philly,DC=contoso,DC=com
# CN=Vendor-A-contractors,OU=IT,DC=philly,DC=contoso,DC=com
# CN=General-Group,OU=IT,DC=philly,DC=contoso,DC=com
# CN=Wireless-Users,OU=IT,DC=philly,DC=contoso,DC=com
# CN=Group-B,OU=IT,DC=philly,DC=contoso,DC=com
# CN=IT-Staff,OU=IT,DC=philly,DC=contoso,DC=com
# CN=IT-Admins,OU=IT,DC=philly,DC=contoso,DC=com
# CN=IT-Technicians,OU=IT,DC=philly,DC=contoso,DC=com
# CN=Client-Support,OU=IT,DC=philly,DC=contoso,DC=com
#=================================================================================================

#===========================================================================================
# Sample of what C:\PSScripts\groupmembership\List-Of-Usernames.txt username list will look like:
#===========================================================================================
# philly\username1
# philly\username2
# philly\username3
# philly\username4
# philly\username5
# philly\username6
# philly\username7
# philly\username8
# philly\username9
# philly\username10
# philly\username11
# philly\username12
# philly\username13
# philly\username14
# philly\username15
# philly\username16
#===========================================================================================

$GroupList    = Get-Content C:\PSScripts\groupmembership\SomeSamAccountUsername-grouplist.txt
$UsernameList = Get-Content C:\PSScripts\groupmembership\List-Of-Usernames.txt

# Now pull in each user one at a time:
foreach ($Username in $UsernameList)
{
    # Now pull in each group one at a time and add it to the user
    foreach ($Group in $GroupList)
    {
        # Domain Users is the primary group: every user is already in it, and adding
        # it again only produces an "already exists" error, so skip it.
        if ($Group -like 'CN=Domain Users,*') { continue }

        # Add the group to the user
        Add-QADGroupMember -Identity $Group -Member $Username

        # Write out on the screen what username is and what group they were added to:
        Write-Host $Username "has been added to" $Group

        # Repeat for next group until all groups are done.
    }
    # Repeat for the next user
}
#===========================================================================================
# That's it!
#===========================================================================================
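To skip the copy-and-paste step, here is an added example (mine, not part of the original post) that does the same job with the built-in ActiveDirectory module instead of the Quest snap-in. It reads the template user’s memberOf directly, skips groups the target already belongs to, and supports -WhatIf so you can see exactly which groups would be granted before anything changes. The domain name philly.contoso.com, the file path, and the user names are assumptions; the user list is plain sAMAccountNames without the domain prefix.

```powershell
# Added example, not from the original post: copy one user's group memberships to a list
# of users with the ActiveDirectory module. philly.contoso.com and the path are assumed.
Import-Module ActiveDirectory

function Copy-GroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceUser,       # sAMAccountName of the template user
        [Parameter(Mandatory)][string[]]$TargetUsers,    # sAMAccountNames that should get the groups
        [string]$Server = 'philly.contoso.com'           # domain to query (assumed name)
    )

    # memberOf never includes the primary group (normally Domain Users); every target
    # already has that one, so there is nothing to copy there.
    $source = Get-ADUser -Identity $SourceUser -Properties MemberOf -Server $Server
    $groups = @($source.MemberOf)
    Write-Verbose "$SourceUser is a member of $($groups.Count) groups"

    foreach ($target in $TargetUsers) {
        $current = (Get-ADUser -Identity $target -Properties MemberOf -Server $Server).MemberOf
        foreach ($groupDn in $groups) {
            if ($current -contains $groupDn) {
                Write-Verbose "$target is already in $groupDn, skipping"
                continue
            }
            # ShouldProcess gives -WhatIf / -Confirm for free: review before you grant.
            if ($PSCmdlet.ShouldProcess("$target -> $groupDn", 'Add-ADGroupMember')) {
                Add-ADGroupMember -Identity $groupDn -Members $target -Server $Server
                Write-Host "$target has been added to $groupDn"
            }
        }
    }
}

# Dry run first (prints what would happen), then for real with -Verbose.
$targets = Get-Content 'C:\PSScripts\groupmembership\List-Of-Usernames.txt'
Copy-GroupMembership -SourceUser 'SomeSamAccountUsername' -TargetUsers $targets -WhatIf
# Copy-GroupMembership -SourceUser 'SomeSamAccountUsername' -TargetUsers $targets -Verbose
```

The dry run matters more than it looks: cloning a template user copies every group he is in, including admin groups such as IT-Admins in the sample above, so the -WhatIf output is the list you want the ticket owner to sign off on.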

     

     

    Summary

    I hope this helps!

    Published 7/27/2015

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services




    Get-QADGroupMember to CSV


    Prologue

    Ace Fekay here again.

    You might say to yourself this is some really simple stuff. Sure, it might be, for the pro. As many of you know, I’m an avid Active Directory and Exchange server engineer/architect, and an MVP in Active Directory.

    Therefore with AD, Exchange, and Office 365, you will find that scripting comes into play more and more with your daily tasks.  The main reason I’m posting simple scripts is that to get the job done, I just needed an arsenal of simple quickie scripts when called upon a simple task, such as this one, when tasked to quickly get a list of users in a group.

    I hope this, and my future scripts, especially with Office 365, help you out.

    Scope

I needed to get the member list of a global group called “Marketing Dept” into a CSV. Group scope doesn’t matter. I just needed a list of the members, because the owner of the share whose access the group controls needed one to ensure it’s current and to clean up any disabled accounts left over from users who have left the company.

    And yes, this is simple stuff. The main reason I’m posting this, and I will be posting much more, including Office 365 scripts, is that I had to look it up and there is no one place to get all of this at the simple level. All I see are elaborate scripts that do more than what I needed. Hence, my posts.

     

    I usually kick it off with a get-credential because I run this from my workstation logged on with my non-admin account. And because I work in a multi-forest, multi domain environment, I must connect to the specific domain where the group exists.

    Of course, we must add the PS Quest snap-in. In addition, I use the “-NoTypeInformation” switch to suppress the silly “Type” data that shows up in the output.

    Code

$cred = Get-Credential
Add-PSSnapin Quest*
Connect-QADService -Service domain2 -Credential $cred
Get-QADGroupMember "Marketing Dept" | Select-Object DisplayName,Name,AccountIsDisabled | Export-Csv c:\output\Domain2-MarketingDept.csv -NoTypeInformation
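For the cleanup the share owner asked for, here is an added example (mine, not from the original post) that goes one step further than the one-liner. It uses the built-in ActiveDirectory module, flattens nested groups with -Recursive so nobody two groups deep is missed (Get-QADGroupMember and Get-ADGroupMember are both direct members only by default), and flags accounts that are still enabled but have not logged on in 90 days, which is usually a leaver nobody disabled. The domain name domain2.contoso.com, the output path and the 90-day threshold are assumptions.

```powershell
# Added example, not from the original post: effective group membership with account status.
Import-Module ActiveDirectory

function Export-GroupMemberReport {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Path,
        [string]$Server = 'domain2.contoso.com',   # assumed domain name
        [int]$StaleDays = 90
    )
    # Run from a non-admin workstation logon, so prompt for an account that can read AD.
    $cred = Get-Credential -Message "Account with read access to $Server"

    # -Recursive flattens nested groups; a user two levels deep still reaches the share.
    $members = Get-ADGroupMember -Identity $Group -Recursive -Server $Server -Credential $cred |
        Where-Object objectClass -eq 'user'

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $report = foreach ($m in $members) {
        # LastLogonDate comes from lastLogonTimestamp, which replicates with up to a
        # 14-day lag, so treat it as "roughly when", good enough for leaver hunting.
        $u = Get-ADUser -Identity $m.distinguishedName -Server $Server -Credential $cred `
                 -Properties DisplayName, Enabled, LastLogonDate
        [pscustomobject]@{
            DisplayName       = $u.DisplayName
            SamAccountName    = $u.SamAccountName
            AccountIsDisabled = -not $u.Enabled
            LastLogonDate     = $u.LastLogonDate
            # Enabled but not seen within $StaleDays: probably left, never disabled.
            Stale             = $u.Enabled -and ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff)
        }
    }

    # Disabled and stale accounts sort to the top so the owner sees the cleanup list first.
    $report | Sort-Object AccountIsDisabled, Stale -Descending |
        Export-Csv -Path $Path -NoTypeInformation
    return $report
}

Export-GroupMemberReport -Group 'Marketing Dept' -Path 'C:\output\Domain2-MarketingDept.csv'
```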

    Comments are welcomed.

    ==================================================================

    Summary

    I hope this helps!

    Published 8/17/2015

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services



    Script to Search Netlogon logon scripts and Replace Drive Mappings


    Prologue

    Ace Fekay here again!

Once again, as many of you know, I’m an avid Active Directory and Exchange server engineer/architect, and an MVP in Active Directory. And why am I posting simple stuff, you ask? Well, because we need to use this stuff day to day, that’s why.

    Yea, this may be simple, but you’d be surprised who may struggle with it, like I did. I had to get help from a colleague who put the bulk of this together. I first had an idea with my beginner’s mentality to do it a little differently, but when I saw what he suggested, I said, hmm, I still have lots to learn.

    I hope this, and my future scripts, especially with Office 365, help you out.

    Scope

    After migrating shares from one server to another server using a Robocopy script (that I’ll post later), we needed to change the drive mappings in the logon scripts in the Netlogon share.

Keep in mind, we already have a robust DFS in place. The new share name has targets to the old server. However, we needed to change any logon scripts still referencing the old server by either NetBIOS name or FQDN (OldServer.domain.com). Well, with 28,000 scripts, that’s something we’re not going to do manually.

This script replaces any mappings using the old server name, “OldServer,” such as \\oldserver\sharename or \\oldserver.contoso.com\sharename, with the new DFS name, \\contoso.com\NewShareName.

    Code

    This works fine. Watch the word-wrap in the blog.

# First run the robocopy script to copy all data.
# Then run the netlogon report script to see how many .bat files in NETLOGON reference OldServer.
# Then run this script to replace any reference to "OldServer" with the new DFS share name
# in the batch files for each share.
# By Ace Fekay and a colleague, who put together the bulk of this.
# I added counters and a report to the screen.

# If you need to run it as a different user, un-remark the following:
# $cred = Get-Credential

$Path           = '\\contoso.com\NETLOGON\'
$FilesAltered   = 0
$FilesProcessed = 0

# Old UNC path (regular expression) on the left, new DFS path (literal) on the right.
# The left side is a regex, so backslashes and dots are escaped; the right side is a
# literal replacement, so one backslash there is one backslash in the file. Each pattern
# matches both the NetBIOS and the FQDN form of the old server. -replace is
# case-insensitive by default, so \\oldserver\users is matched too.
$Mappings = [ordered]@{
    '\\\\OldServer(\.contoso\.com)?\\Users'      = '\\contoso.com\OldServer-Users'
    '\\\\OldServer(\.contoso\.com)?\\Department' = '\\contoso.com\OldServer-Department'
    '\\\\OldServer(\.contoso\.com)?\\GDrive'     = '\\contoso.com\OldServer-GDrive'
    '\\\\OldServer(\.contoso\.com)?\\FDrive'     = '\\contoso.com\OldServer-FDrive'
    '\\\\OldServer(\.contoso\.com)?\\HDrive'     = '\\contoso.com\OldServer-HDrive'
    '\\\\OldServer(\.contoso\.com)?\\Share2\$'   = '\\contoso.com\OldServer-Share2$$'   # $$ = literal $
}

# This gets all the files in $Path that end in ".bat".
Get-ChildItem -Path $Path -Filter '*.bat' -File | ForEach-Object {
    $FilesProcessed++
    $file = Get-Content -Path $_.FullName

    # Only modify files that contain the string "OldServer"
    if ($file -match 'OldServer') {

        foreach ($pattern in $Mappings.Keys) {
            $file = $file -replace $pattern, $Mappings[$pattern]
        }

        # Comment out any net time statements, if they exist
        $file = $file -replace '^net time', 'REM net time'

        # Write out the changes. Set-Content rewrites the file in its default encoding;
        # if any script contains non-ASCII characters, add -Encoding to preserve them.
        Set-Content -Path $_.FullName -Value $file
        Write-Host $_.Name
        Write-Host $file
        Write-Host ''
        $FilesAltered++
    }
}
Write-Host $FilesAltered 'altered out of a total of' $FilesProcessed 'files processed.'
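The report pass mentioned at the top of the script is not shown above, so here is an added example (mine, not from the original post) of one: run it before the replace script to size the job, and again afterwards, when an empty result proves no logon script still maps a drive through the old server. It matches \\OldServer\ and \\OldServer.contoso.com\ but not \\OldServer2\ or the new DFS folder names such as OldServer-Users. The share path, server name and backup location are assumptions.

```powershell
# Added example, not from the original post: find every .bat in NETLOGON that still
# references the old server, by file and line, before and after the replace script.
function Get-NetlogonServerReferences {
    param(
        [string]$Path      = '\\contoso.com\NETLOGON',   # assumed
        [string]$OldServer = 'OldServer',
        [string]$DnsSuffix = 'contoso.com'
    )
    # \\OldServer\ or \\OldServer.contoso.com\ followed by a share name. [regex]::Escape
    # keeps the dots in the names literal; the trailing \\ stops OldServer2 from matching.
    $pattern = '\\\\{0}(\.{1})?\\' -f [regex]::Escape($OldServer), [regex]::Escape($DnsSuffix)

    Get-ChildItem -Path $Path -Filter '*.bat' -File |
        Select-String -Pattern $pattern |               # case-insensitive by default
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.Filename
                LineNumber = $_.LineNumber
                Line       = $_.Line.Trim()
            }
        }
}

# The replace script edits 28,000 logon scripts in place, so keep a copy first.
$backup = "C:\Backups\NETLOGON-$(Get-Date -Format yyyyMMdd-HHmm)"      # assumed location
# robocopy '\\contoso.com\NETLOGON' $backup *.bat /E /R:2 /W:5

$refs = Get-NetlogonServerReferences
'{0} references in {1} files' -f $refs.Count, ($refs | Select-Object -Unique File).Count
$refs | Group-Object File | Sort-Object Count -Descending | Select-Object -First 20 Count, Name
# After the replace script, run it again: no output means every mapping now points at DFS.
```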
     

    Comments are welcomed.

    ==================================================================

    Summary

    I hope this helps!

    Published 9/9/2015

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services



    Office 365 PowerShell Fun with Mailbox Permissions


    Published 9/11/2015

    Prologue

    Ace Fekay here again.

    You might say to yourself this is some really simple stuff. Sure, it might be, for the pro. As many of you know, I’m an avid Active Directory and Exchange server engineer/architect, and an MVP in Active Directory.

    Therefore with AD, Exchange, and Office 365, you will find that scripting comes into play more and more with your daily tasks.  The main reason I’m posting simple scripts is that to get the job done, I just needed an arsenal of simple quickie scripts when called upon a simple task, such as this one, dealing with mailbox permissions.

    I hope this blog and my future scripts blogs, especially with Office 365, help you out.

    Scope

    These are a few examples of dealing with every day requests for mailbox delegation and permissions administration. Sure, you can do it from your web based, Office 365 tenant dashboard, but what fun is that?

    And yes, this is simple stuff. The main reason I’m posting this, and I will be posting much more, including Office 365 scripts, is that I had to look it up and there is no one place to get all of this at the simple level. All I see are elaborate scripts that do more than what I needed. Hence, my posts.

Open PowerShell session and Login – Of course, you first have to open a PowerShell session to your tenant account.

Open a PowerShell window and run the following:
$AceCred = Get-Credential
$MySession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $AceCred -Authentication Basic -AllowRedirection

Get-Credential prompts you to log in with your tenant credentials, and New-PSSession then uses them. (Microsoft has since retired Basic authentication for Exchange Online remote PowerShell; on a current tenant, install the ExchangeOnlineManagement module and use Connect-ExchangeOnline instead.)

Then run:
Import-PSSession $MySession

Running DirSync manually with Start-OnlineCoexistenceSync – on a DC

After you make any changes in your local AD, instead of waiting for the DirSync schedule to run, you can force a sync from your on-prem AD:

    Command Prompt
    cd “C:\Program Files\Microsoft Online Directory Sync”
    Run:
    .\DirSyncConfigShell.psc1

    Or just run:
    “C:\Program Files\Microsoft Online Directory Sync\DirSyncConfigShell.psc1”
    Then run:
    Start-OnlineCoexistenceSync  or invoke-dirsync

    To view the dirsync log, click on the DirSync icon in task bar that opens the Synchronization Service Manager. If it’s not on the task bar, it can be found in:

    “C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe”

    ===========================================================

    To find who has been delegated to a mailbox

    Get-Mailbox JohnDoe@contoso.com | fl displayname, GrantSendOnBehalfTo

    To see the whole list of delegated users:

PS C:\Windows> Get-Mailbox JohnDoe@contoso.com | select -expandproperty GrantSendOnBehalfTo
    Output:
    user1
    user2
    user3
    user4
    user5
    user6

    Or you can run this, too:

PS C:\Windows> (Get-Mailbox JohnDoe@contoso.com).grantsendonbehalfto
    Output:
    user1
    user2
    user3
    user4
    user5
    user6

     

    Remove Mike Smith as a delegate – example:

    First find the permission:

    This will give you a summary list:
    get-mailboxpermission –identity Dept1-Shared-Mailbox | ft

    This will give you a full list:
    Get-MailboxPermission -identity Dept1-Shared-Mailbox | fl

Then remove it. Full Access is a mailbox permission:

Remove-MailboxPermission -Identity Dept1-Shared-Mailbox -User NAMPRD999\Mike.Smith8047888747747123 -AccessRights FullAccess -InheritanceType All

Send As is a recipient permission in Exchange Online, not a mailbox permission, so it is removed with Remove-RecipientPermission (see “Revoke Send As Permissions” below):

Remove-RecipientPermission -Identity Dept1-Shared-Mailbox -AccessRights SendAs -Trustee NAMPRD999\Mike.Smith8047888747747123

    To find who has FullAccess Permissions on a Mailbox

    There are two ways the results can be displayed:

    • FT – Format Table – One big summarized list
    • FL – Format List – in sections with detail

    using FT

    get-mailboxpermission JohnDoe@contoso.com | ft

    Output example:

Identity              User                  AccessRights         IsInherited Deny
--------              ----                  ------------         ----------- ----
    JohnDoe               NT AUTHORITY\SELF    {FullAccess, Rea… False       False
    JohnDoe               S-1-5-21-24478488… {FullAccess}        False       False
    JohnDoe               NAMPRD05\jar02546… {FullAccess}        False       False
    JohnDoe               NAMPRD05\FullAcce… {FullAccess}        False       False
    JohnDoe               NAMPRD05\Administ… {FullAccess}        True        True
    JohnDoe               NAMPRD05\Domain A… {FullAccess}        True        True
    JohnDoe               NAMPRD05\Enterpri… {FullAccess}        True        True
    JohnDoe               NAMPRD05\Organiza… {FullAccess}        True        True
    JohnDoe               NT AUTHORITY\SYSTEM  {FullAccess}        True        False
    JohnDoe               NT AUTHORITY\NETW… {ReadPermission}    True        False
    JohnDoe               PRDMGT01\View-Onl… {ReadPermission}    True        False
    JohnDoe               NAMPRD05\Administ… {FullAccess, Del… True        False
    JohnDoe               NAMPRD05\Domain A… {FullAccess, Del… True        False
    JohnDoe               NAMPRD05\Enterpri… {FullAccess, Del… True        False
    JohnDoe               NAMPRD05\Organiza… {FullAccess, Del… True        False
    JohnDoe               NAMPRD05\Public F… {ReadPermission}    True        False
    JohnDoe               NAMPRD05\Exchange… {FullAccess, Rea… True        False
    JohnDoe               NAMPRD05\Exchange… {FullAccess, Del… True        False
    JohnDoe               NAMPRD05\Managed … {ReadPermission}    True        False

    using FL

    get-mailboxpermission JohnDoe@contoso.com | fl

    Output Example:

    RunspaceId      : aaa56ea5-574b-45dc-8489-d85a2013bc58
    AccessRights    : {FullAccess, ReadPermission}
    Deny            : False
    InheritanceType : All
    User            : NT AUTHORITY\SELF
    Identity        : JohnDoe
    IsInherited     : False
    IsValid         : True
    ObjectState     : Unchanged

    RunspaceId      : aaa56ea5-574b-45dc-8489-d85a2013bc58
    AccessRights    : {FullAccess}
    Deny            : False
    InheritanceType : All
    User            : S-1-5-21-2447848828-1310731447-1641304557-6207581
    Identity        : JohnDoe
    IsInherited     : False
    IsValid         : True
    ObjectState     : Unchanged

    RunspaceId      : aaa56ea5-574b-45dc-8489-d85a2013bc58
    AccessRights    : {FullAccess}
    Deny            : False
    InheritanceType : All
    User            : NAMPRD05\jar02546711232540629
    Identity        : JohnDoe
    IsInherited     : False
    IsValid         : True
    ObjectState     : Unchanged

    RunspaceId      : aaa56ea5-574b-45dc-8489-d85a2013bc58
    AccessRights    : {FullAccess}
    Deny            : False
    InheritanceType : All
    User            : NAMPRD05\FullAccessAdmin
    Identity        : JohnDoe
    IsInherited     : False
    IsValid         : True
    ObjectState     : Unchanged

    RunspaceId      : aaa56ea5-574b-45dc-8489-d85a2013bc58
    AccessRights    : {FullAccess}
    Deny            : True
    InheritanceType : All
    User            : NAMPRD05\Administrator
    Identity        : JohnDoe
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    etc

    Other tidbits:

    ===========================

    To display FullAccess on a Mailbox

Get-MailboxPermission JohnDoe | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select Identity,User,AccessRights | fl

    ===========================

Note that Get-RecipientPermission reports Send As, not Send On Behalf (Send On Behalf is the GrantSendOnBehalfTo attribute shown above). This displays the non-inherited Send As grants on a mailbox, excluding SELF:

Get-RecipientPermission JohnDoe | Where { ($_.IsInherited -eq $False) -and -not ($_.Trustee -like "NT AUTHORITY\SELF") } | Select Trustee,AccessControlType,AccessRights | fl

     

    ===========================

    View SendAs:

Get-RecipientPermission JohnDoe | where {($_.Trustee -ne 'NT AUTHORITY\SELF') -and ($_.Trustee -ne 'NULL SID')} | select Identity,Trustee,AccessRights | fl

    ==========================

    View all “Send As permissions” you’ve configured in your organization

    Careful running this on a really large tenant or you will tie up the bandwidth and get throttled.

Get-RecipientPermission | where {($_.Trustee -ne 'NT AUTHORITY\SELF') -and ($_.Trustee -ne 'NULL SID')} | select Identity,Trustee,AccessRights

    ============================

Display a list of mailboxes that have FULL ACCESS permission granted to other recipients, tenant-wide (same throttling caveat as above):

Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like '*Discovery Management*') } | Select Identity,User,AccessRights | fl

    =============================

    Revoke “Send As” Permissions

    Remove-RecipientPermission <Identity>  -AccessRights SendAs -Trustee <Identity>
    Remove-RecipientPermission John   -AccessRights SendAs -Trustee Suzan

Adjustments & Improvements – To avoid the need for confirmation, we can add the option "-Confirm:$False":
    Remove-RecipientPermission John -AccessRights SendAs -Trustee Suzan -Confirm:$False
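Pulling the three queries above together, here is an added example (mine, not from the original post) that lists everyone who can open a mailbox, send as it, or send on behalf of it, as one table per mailbox. Full Access comes from Get-MailboxPermission, Send As from Get-RecipientPermission, and Send On Behalf from the mailbox’s own GrantSendOnBehalfTo attribute; inherited admin-role entries, SELF and Deny entries are filtered out. It runs in an imported Exchange Online session; the mailbox names are the placeholders used above.

```powershell
# Added example, not from the original post: one delegation report per mailbox.
function Get-MailboxDelegationReport {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Identity)
    process {
        $mbx = Get-Mailbox -Identity $Identity

        # Explicit Full Access grants; skip inherited role entries, the owner, and Deny ACEs.
        Get-MailboxPermission -Identity $Identity |
            Where-Object { -not $_.IsInherited -and "$($_.User)" -ne 'NT AUTHORITY\SELF' -and -not $_.Deny } |
            ForEach-Object {
                [pscustomobject]@{ Mailbox = "$($mbx.PrimarySmtpAddress)"; Right = 'FullAccess'; Trustee = "$($_.User)" }
            }

        # Send As is a recipient permission, not a mailbox permission.
        Get-RecipientPermission -Identity $Identity |
            Where-Object { "$($_.Trustee)" -notin 'NT AUTHORITY\SELF', 'NULL SID' -and "$($_.AccessControlType)" -eq 'Allow' } |
            ForEach-Object {
                [pscustomobject]@{ Mailbox = "$($mbx.PrimarySmtpAddress)"; Right = 'SendAs'; Trustee = "$($_.Trustee)" }
            }

        # Send On Behalf lives on the mailbox object itself.
        foreach ($t in $mbx.GrantSendOnBehalfTo) {
            [pscustomobject]@{ Mailbox = "$($mbx.PrimarySmtpAddress)"; Right = 'SendOnBehalf'; Trustee = "$t" }
        }
    }
}

# One mailbox or a list; pipe to Export-Csv for the ticket.
'JohnDoe@contoso.com', 'Dept1-Shared-Mailbox' | Get-MailboxDelegationReport |
    Sort-Object Mailbox, Right | Format-Table -AutoSize
# ... | Export-Csv C:\output\delegations.csv -NoTypeInformation
```

Run it on any mailbox involved in a phishing or business-email-compromise case: a Full Access or Send As grant nobody recognises is one of the most common ways an attacker keeps reading or sending from a mailbox after the password has been reset.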

     

    More to come…

     

     

    Comments are welcomed.

    ==================================================================

    Summary

    I hope this helps!

    Published 8/17/2015

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services



    Office 365 PowerShell Fun with Calendars


    Published 9/13/2015

    Prologue

    Ace Fekay here again.

    You might say to yourself this is some really simple stuff. Sure, it might be, for the pro. As many of you know, I’m an avid Active Directory and Exchange server engineer/architect, and an MVP in Active Directory.

Therefore with AD, Exchange, and Office 365, you will find that scripting comes into play more and more with your daily tasks. The main reason I’m posting simple scripts is that to get the job done, I just needed an arsenal of simple quickie scripts when called upon for a simple task, such as this one, dealing with calendar administration.

    I hope this blog and my future scripts blogs, especially with Office 365, help you out.

    Scope

    These are a few examples of dealing with every day requests for calendar administration. Sure, you can do it from your web based, Office 365 tenant dashboard, but what fun is that?

And yes, this is simple stuff. The main reason I’m posting this, and I will be posting much more, including Office 365 scripts, is that I had to look it up. I’ve found various websites that provide how-tos, but when it comes to handling variables and piping, there is no one place to get various examples, and I have found myself looking in multiple places to get this info, including my colleagues, who are extremely adept at scripting. On many sites I also see elaborate scripts that do more than what I need. They are fabulous blogs and websites, but sometimes I need the simple one-liners to perform day to day stuff.

Open PowerShell session and Login – Of course, you first have to open a PowerShell session to your tenant account.

Open a PowerShell window and run the following:
$AceCred = Get-Credential
$MySession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $AceCred -Authentication Basic -AllowRedirection

Get-Credential prompts you to log in with your tenant credentials, and New-PSSession then uses them. (Microsoft has since retired Basic authentication for Exchange Online remote PowerShell; on a current tenant, install the ExchangeOnlineManagement module and use Connect-ExchangeOnline instead.)

Then run:
Import-PSSession $MySession

Running DirSync manually with Start-OnlineCoexistenceSync – on a DC

After you make any changes in your local AD, instead of waiting for the DirSync schedule to run, you can force a sync from your on-prem AD:

    Command Prompt
    cd “C:\Program Files\Microsoft Online Directory Sync”
    Run:
    .\DirSyncConfigShell.psc1

    Or just run:
    “C:\Program Files\Microsoft Online Directory Sync\DirSyncConfigShell.psc1”
    Then run:
    Start-OnlineCoexistenceSync  or invoke-dirsync

    To view the dirsync log, click on the DirSync icon in task bar that opens the Synchronization Service Manager. If it’s not on the task bar, it can be found in:

    “C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe”

    ===========================================================

    General Calendar Commands

    To view the rights on a calendar:

    get-mailboxfolderpermission MarySmith@contoso.com:\Calendar

    To add rights to a calendar for a user, JohnDoe, and providing him “Editor” access rights:

    Add-MailboxFolderPermission -Identity Office.Vacation.Calendar@contoso.com:\Calendar -User JohnDoe@contoso.com -AccessRights Editor

    To remove JohnDoe’s rights from a calendar:

    remove-mailboxfolderpermission -Identity Office.Vacation.Calendar@contoso.com:\Calendar -User JohnDoe@contoso.com

Rule to move anything whose subject or body contains “Sent by Microsoft Exchange Server 2013” to a folder called “Rejected Calendar Notifications” (the folder must already exist in the mailbox):

New-InboxRule "Sent by Exchange 2013" -Mailbox MarySmith@contoso.com -MyNameInToBox $true -FlaggedForAction Any -SubjectOrBodyContainsWords "Sent by Microsoft Exchange Server 2013" -MoveToFolder "Rejected Calendar Notifications" -StopProcessingRules $true

New-InboxRule "SendOnBehalf Sent by Exchange 2013" -Mailbox JohnDoe -MyNameInToBox $true -FlaggedForAction Any -SubjectOrBodyContainsWords "Sent by Microsoft Exchange Server 2013" -MoveToFolder "Rejected Calendar Notifications" -StopProcessingRules $true

Create a shared calendar in Office 365 without creating it in our Active Directory, so we don’t get charged for a license.

This is an example for creating a shared calendar called “Ace’s Cancelled Meetings” with a username of AceCancelledMeetings.

1. New-Mailbox -Name "AceCancelledMeetings" -DisplayName "Ace's Cancelled Meetings" -Shared

If required, set the UserPrincipalName:
2. AceCancelledMeetings@YourDomain.onmicrosoft.com

Give permissions for Mary Smith (MarySmith) to access the calendar:
3. Add-MailboxFolderPermission AceCancelledMeetings:\Calendar -User "MarySmith" -AccessRights Editor

Give permissions for John Doe (JohnDoe) to access the calendar:
4. Add-MailboxFolderPermission AceCancelledMeetings:\Calendar -User "JohnDoe" -AccessRights Editor

Give permissions for John Smith (JohnSmith) to access the calendar:
5. Add-MailboxFolderPermission AceCancelledMeetings:\Calendar -User "JohnSmith" -AccessRights Editor

    Get permissions Examples for a calendar:

    PS C:\Windows> (Get-MailboxFolderPermission JohnDoe:\Calendar) | select user

    Output:

    User
----
    Default
    User One
    User Two
    User Three
    User Four
    User Five
    User Six
    User Seven
    User Eight

    To display the accessrights for a calendar:

    PS C:\> (Get-MailboxFolderPermission JohnDoe:\Calendar) | select user,accessrights

User                AccessRights
----                ------------
Default             {AvailabilityOnly}
User One            {Reviewer}
User Two            {Reviewer}
User Three          {Reviewer}
User Four           {Reviewer}
User Five           {Reviewer}
User Six            {Editor}
User Seven          {Editor}
User Eight          {Editor}
User Nine           {Owner}

    PS C:\> get-MailboxFolderPermission -Identity ConfRoom1:\Calendar

    FolderName           User        AccessRights
    ———-           —-        ————
    Calendar             Default        {AvailabilityOnly}
    Calendar             Anonymous        {None}
    Calendar             Ace Fekay        {Editor}
    Calendar             User One        {PublishingEditor}
    Calendar             User Two        {PublishingEditor}
    Calendar             User Three        {PublishingEditor}
    Calendar             User Four        {PublishingEditor}
    Calendar             User Five        {Editor}

    Office 365 Alias issues

    If the user's alias, such as "JohnDoe," doesn't work, run the following to find and use the identifier Microsoft assigned to the user:
    Get-Mailbox JohnDoe@contoso.com
    For example, the above query returned:
    JohnDoe_8672d315f2
    Therefore, I had to run the following command to add permissions for that user:
    Add-MailboxFolderPermission -Identity ConfRoom22:\Calendar -User "JohnDoe_8672d315f2" -AccessRights Reviewer

    Command to add permissions to one calendar for multiple users, importing the list of users from a text file and piping it to the command:

    Get-Content c:\Scripts\users.txt | foreach {Add-MailboxFolderPermission -Identity Classroom2:\calendar -User $_ -AccessRights Editor}

    Content of "users.txt":
    UserOne@contoso.com
    UserTwo@contoso.com
    UserThree@contoso.com
    UserFour@contoso.com
    UserFive@contoso.com
    UserSix@contoso.com
    UserSeven@contoso.com
    UserEight@contoso.com

    If you need to change the permissions on the calendar for a set of users, use the same format, except with the Set-MailboxFolderPermission command:

    Get-Content c:\Scripts\users.txt | foreach {Set-MailboxFolderPermission -Identity Classroom2:\calendar -User $_ -AccessRights Editor}

    If you need to give a single user permissions to multiple calendars:

    This gives MikeSmith@contoso.com access to multiple calendars:

    Get-Content C:\Scripts\ListOfCalendars.txt | foreach {Add-MailboxFolderPermission -Identity $_ -User MikeSmith@contoso.com -AccessRights Editor}

    Content of "ListOfCalendars.txt":

    HospitalFloor1West@contoso.com:\Calendar
    HospitalFloor1East@contoso.com:\Calendar
    HospitalFloor1South@contoso.com:\Calendar
    HospitalFloor1North@contoso.com:\Calendar
    HospitalFloor2West@contoso.com:\Calendar
    HospitalFloor2East@contoso.com:\Calendar
    HospitalFloor2South@contoso.com:\Calendar
    HospitalFloor2North@contoso.com:\Calendar

    To provide permissions to multiple calendars for a list of users.

    There are two variables in this scenario.

    First you must bring the list of users into memory. In this case, the users are in the file "ListOfUsers.txt." Now run the following to bring the users

    Pull the list into memory:
    PS C:\> $users= get-content C:\Scripts\ListOfUsers.txt

    If you like, you can double check what's in the file you just pulled in by simply typing the variable name and hitting Enter:

    PS C:\> $users
    UserOne@contoso.com
    UserTwo@contoso.com
    UserThree@contoso.com
    UserFour@contoso.com
    UserFive@contoso.com
    UserSix@contoso.com
    UserSeven@contoso.com
    UserEight@contoso.com
    etc

    You can also run the following format to get the same info on the file:

    PS C:\> $users | get-member
    UserOne@contoso.com
    UserTwo@contoso.com
    UserThree@contoso.com
    UserFour@contoso.com
    UserFive@contoso.com
    UserSix@contoso.com
    UserSeven@contoso.com
    UserEight@contoso.com
    etc
     
    Then bring the list of rooms into memory, "ListOfRooms.txt":
    PS C:\> $resources = get-content c:\Scripts\ListOfRooms.txt

    Then to see what’s in the file, run:
    PS C:\> $resources

    ConfRoom1
    ConfRoom2
    ConfRoom3
    ConfRoom4
    ConfRoom5
    ConfRoom6
    ConfRoom7
    ConfRoom8
    etc

    Now let's take a look at what the calendar processing is for one of the rooms:
    PS C:\> Get-CalendarProcessing ConfRoom1

    Identity        AutomateProcessing
    --------        ------------------
    ConfRoom1       AutoUpdate

    To get more information about the calendar processing data for the room:
    PS C:\> Get-CalendarProcessing ConfRoom1 | fl

    RunspaceId                          : <snipped>
    AutomateProcessing                  : AutoUpdate
    AllowConflicts                      : False
    BookingWindowInDays                 : 180
    MaximumDurationInMinutes            : 1440
    AllowRecurringMeetings              : True
    EnforceSchedulingHorizon            : True
    ScheduleOnlyDuringWorkHours         : False
    ConflictPercentageAllowed           : 0
    MaximumConflictInstances            : 0
    ForwardRequestsToDelegates          : True
    DeleteAttachments                   : True
    DeleteComments                      : True
    RemovePrivateProperty               : True
    DeleteSubject                       : True
    AddOrganizerToSubject               : True
    DeleteNonCalendarItems              : True
    TentativePendingApproval            : True
    EnableResponseDetails               : True
    OrganizerInfo                       : True
    ResourceDelegates                   : {}
    RequestOutOfPolicy                  : {}
    AllRequestOutOfPolicy               : False
    BookInPolicy                        : {}
    AllBookInPolicy                     : True
    RequestInPolicy                     : {}
    AllRequestInPolicy                  : False
    AddAdditionalResponse               : False
    AdditionalResponse                  :
    RemoveOldMeetingMessages            : True
    AddNewRequestsTentatively           : True
    ProcessExternalMeetingMessages      : False
    RemoveForwardedMeetingNotifications : False
    MailboxOwnerId                      : ConfRoom1
    Identity                            : ConfRoom1
    IsValid                             : True
    ObjectState                         : Changed

    And now the moment you've been waiting for: run the following command to set the calendar processing settings for multiple users on multiple calendars (note that -BookInPolicy replaces the room's existing allow-list with the contents of $users):

    PS C:\> $resources | foreach {Set-CalendarProcessing $_ -AutomateProcessing autoaccept -bookinpolicy $users}

    Another example providing Editor rights to a list of calendars

    This is for the IT rooms, where we must give a list of users "Editor" permissions to a list of mailbox calendars.

    List of users is in file:          c:\Scripts\ListOfUsers.txt
    List of mailbox room calendars:    c:\ListOfRooms.txt

    =====
    1. Pull the list of users into memory first:
    $users= get-content c:\Scripts\ListOfUsers.txt

    Run $users to see what’s in the file to be sure:
    $users
    or
    $users | get-member

    =====
    2. Pull in the rooms or calendars into memory:
    $resources = get-content c:\ListOfRooms.txt

    If you want, run this to see what’s in that file:
    $resources
    or
    $resources | get-member

    If you want, run this to see what calendar processing is currently set on one of the rooms:
    get-CalendarProcessing ConfRoom1 | fl

    =====
    3. Run it. Add-MailboxFolderPermission takes a single -User value, so loop over both lists, and build the folder identity as "$($_):\Calendar" (a bare $_:\calendar does not parse, because a colon after a variable name is read as a scope qualifier):

    $resources | foreach { $room = $_; $users | foreach { Add-MailboxFolderPermission -Identity "$($room):\Calendar" -User $_ -AccessRights Editor } }

    =====
    Or just create a DL, and add the list of users to the DL, then run the following:

    This gives the group ConfRoomSchedulers@contoso.com “Editor” access rights on the rooms listed in the file ListOfRooms.txt:

    Get-Content ListOfRooms.txt | foreach {Add-MailboxFolderPermission -Identity $_ -User ConfRoomSchedulers@contoso.com -AccessRights Editor}

    ListOfRooms.txt contains:
    ConfRoom1@contoso.com:\calendar
    ConfRoom2@contoso.com:\calendar
    ConfRoom3@contoso.com:\calendar
    ConfRoom4@contoso.com:\calendar
    ConfRoom5@contoso.com:\calendar

    Change the "Default" user on a list of calendars (rooms) or users to "None."

    Get-Content c:\Scripts\ListOfRooms.txt | foreach {Set-MailboxFolderPermission -Identity "$($_):\Calendar" -User Default -AccessRights None}
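The two bulk procedures above (a list of users onto a list of room calendars) fail on a second run, because Add-MailboxFolderPermission errors when an entry already exists, and they give no record of what changed. The following is an added example, not the original post's code, that checks the existing entry first, resolves each user through Get-Mailbox (covering the renamed-alias case), and emits one audit row per grant; it assumes an Exchange Online or Exchange 2013 remote session and the file names shown.

```powershell
# Added example (not from the original post). Assumes an Exchange remote PowerShell
# session is already open; the two list files and the log path are assumptions.
$users     = Get-Content 'C:\Scripts\ListOfUsers.txt' | Where-Object { $_.Trim() }
$resources = Get-Content 'C:\Scripts\ListOfRooms.txt'  | Where-Object { $_.Trim() }

function Grant-CalendarRight {
    param(
        [Parameter(Mandatory)][string[]]$Calendars,   # room/mailbox names, aliases or UPNs
        [Parameter(Mandatory)][string[]]$Users,       # -User takes one value, so we loop
        [ValidateSet('AvailabilityOnly','LimitedDetails','Reviewer','Editor','PublishingEditor','Owner')]
        [string]$AccessRights = 'Editor'
    )
    foreach ($room in $Calendars) {
        # "$($room):\Calendar" builds the folder identity explicitly; "$_:\Calendar" is a
        # parse error because ':' after a variable name is read as a scope qualifier.
        $folder   = "$($room):\Calendar"
        $existing = Get-MailboxFolderPermission -Identity $folder -ErrorAction Stop
        foreach ($user in $Users) {
            # Resolve the alias/UPN first; Office 365 may have renamed the alias
            # (JohnDoe_8672d315f2 in the post), so match on the resolved mailbox.
            $mbx = Get-Mailbox -Identity $user -ErrorAction SilentlyContinue
            if (-not $mbx) { Write-Warning "$user not found; skipped on $folder"; continue }
            $entry = $existing | Where-Object { $_.User.DisplayName -eq $mbx.DisplayName }
            if (-not $entry) {
                # Add-* fails if an entry already exists, so only use it for new grants
                Add-MailboxFolderPermission -Identity $folder -User $mbx.Alias -AccessRights $AccessRights | Out-Null
                $action = 'Added'
            } elseif ($entry.AccessRights -notcontains $AccessRights) {
                # Set-* replaces (does not merge) the rights on the existing entry
                Set-MailboxFolderPermission -Identity $folder -User $mbx.Alias -AccessRights $AccessRights
                $action = 'Changed'
            } else {
                $action = 'Unchanged'
            }
            [pscustomobject]@{ Calendar = $folder; User = $mbx.Alias; Action = $action; Rights = $AccessRights }
        }
    }
}

# Run it and keep a record of every calendar entry that was touched
Grant-CalendarRight -Calendars $resources -Users $users -AccessRights Editor |
    Tee-Object -FilePath 'C:\Scripts\CalendarGrants.log' | Format-Table -AutoSize
```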

    Removing permissions for a folder (calendar in this example)

    Remove-MailboxFolderPermission -Identity <mailbox>:\Calendar -User <Mailbox-that-will-be-removed-from-Calendar-Permissions>
    Remove-MailboxFolderPermission -Identity ConferenceRoom1:\Calendar -User "John Doe"
    Remove-MailboxFolderPermission ConferenceRoom1:\Calendar -User "JohnDoe"

    Then confirm with:
    get-MailboxFolderPermission -Identity ConferenceRoom1:\Calendar

    Create a conference room. Do not allow anyone to book the room other than the people that have access rights to the room. This command sets the response text that a rejected requester receives (the restriction itself comes from the room's BookInPolicy settings):

    Set-CalendarProcessing VeryImportantConfRoom7thFloor@contoso.com -AddAdditionalResponse $true -AdditionalResponse "<p><strong><font color=red size=4>Scheduling request denied.</font></strong></p><p><font color=blue size=4>Reason code: You are not authorized to schedule meetings or appointments in the Very Important Conference Room 7th Floor. If you must book an entry in the room, please submit a request to either Mary Smith, John Doe, or Robert Redford. Thank you.</p><p>Your Company's IT Department.</font></p>"
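The denial text alone does not stop anyone from booking; that takes the room's in-policy settings. The following is an added example, not the post's own command, that locks the room down to a named list of schedulers and then reads the settings back to confirm nothing else is open. The room and scheduler addresses are assumptions.

```powershell
# Added example (not from the original post); names and addresses are assumptions.
$room       = 'VeryImportantConfRoom7thFloor@contoso.com'
$schedulers = 'MarySmith@contoso.com', 'JohnDoe@contoso.com', 'RobertRedford@contoso.com'
$denyText   = '<p><strong><font color=red size=4>Scheduling request denied.</font></strong></p>' +
              '<p><font color=blue size=4>You are not authorized to schedule the Very Important ' +
              'Conference Room 7th Floor. Please ask Mary Smith, John Doe or Robert Redford.</font></p>'

# AllBookInPolicy $false drops the default "everyone in the org may auto-book"; BookInPolicy
# is then the only allow-list. AllRequestInPolicy $false stops everyone else from queuing a
# tentative request, so the AdditionalResponse text is what they get back.
Set-CalendarProcessing -Identity $room `
    -AutomateProcessing AutoAccept `
    -AllBookInPolicy $false `
    -BookInPolicy $schedulers `
    -AllRequestInPolicy $false `
    -AllRequestOutOfPolicy $false `
    -AddAdditionalResponse $true `
    -AdditionalResponse $denyText

# Verify: the allow-list should be exactly the schedulers and nothing else should be open
Get-CalendarProcessing -Identity $room |
    Select-Object AutomateProcessing, AllBookInPolicy, AllRequestInPolicy, AllRequestOutOfPolicy,
        @{ n = 'BookInPolicy'; e = { $_.BookInPolicy -join '; ' } } | Format-List

# The Default entry on the calendar itself should stay at AvailabilityOnly (or None);
# otherwise everyone can still read the details of who booked the room.
Get-MailboxFolderPermission -Identity "$($room):\Calendar" -User Default |
    Select-Object User, AccessRights
```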

    More to come…

    Comments are welcomed.

    ==================================================================

    Summary

    I hope this helps!

    Published 9/13/2015

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services


    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Migrate Files to a new File Server using RoboCopy, IP addresses, and Relative Paths using the Administrative Shares


    Prologue

    Ace Fekay here again.

    You might say to yourself this is some really simple stuff. Sure, it might be, for the pro. As many of you know, I'm an avid Active Directory and Exchange server engineer/architect, and an MVP in Active Directory.

    Therefore, with AD, Exchange, and Office 365, you will find that scripting comes into play more and more in your daily tasks. The main reason I'm posting simple scripts is that, to get the job done, I just needed an arsenal of simple quickie scripts when called upon for a simple task, such as this one, or being tasked to quickly get a list of users in a group.

    I hope this, and my future scripts, especially with Office 365, help you out.

    Scope

    This is one method to migrate data from one file server to another. I have another method, which I will post later, that does it by the share names. This one is just to get the two servers closer to having the same data before I run the final script.

    DFS

    Keep in mind, we use DFS. I will already have created a new target to the new file server for the current share, but keep the new targets disabled until ready to cut over.

    However, when we cut over the target to the new server, we would like to shut off the shares on the source (old) server, to prevent anyone from using it. Of course, we’ve already communicated to the user base the migration schedule.

    Therefore, since the shares will be deleted, we must rely on running this by using IP addresses and relative paths from the default administrative shares (c$, d$, etc).

    Share and NTFS Permissions Backup

    Yes, absolutely! You definitely want to back up your Share and NTFS permissions on this server just in case something happens! The following link is a great article to show you how to do it:

    How to Back Up and Restore NTFS and Share Permissions
    http://blogs.technet.com/b/askds/archive/2008/11/24/how-to-back-up-and-restore-ntfs-and-share-permissions.aspx

    Easy? Nah…

    Many may say this is simple stuff. Sure, for the seasoned scripter, which I'm not. The main reason I'm posting this, and I will be posting much more, including Office 365 scripts, is that I had to look it up. I've found various websites that provide how-tos, but when it comes to handling variables and piping, I've found there is no one place to get various examples, and have found myself looking at multiple places to get this info, including my colleagues, who are extremely adept at scripting. On many sites, I also see elaborate scripts that do more than what I need. They are fabulous blogs and websites, but sometimes I need the simple one-liners to perform day-to-day stuff.

    Script:

    # Uses relative paths
    # Make sure you change directory to where your script is located on the computer you are running this before running
    #
    # =========================================================================================
    # Function: Get the total size of a folder in MB (a helper; the copy loop below does not call it)

    function Get-Size
    {
        param([string]$pth)
        "{0:n2}" -f ((gci -path $pth -recurse | measure-object -property length -sum).sum /1mb) + " mb"
    }
    # =========================================================================================
    #
    cd "C:\PSScripts\OldServerName"

    $SourceServerNetBIOSName = "OldServerName"
    $SourceServerIP          = "10.100.200.200"
    $DestinationServerName   = "NewFileServer.contoso.com"

    #**************************************************************************************
    #Ignore this section
    #Test files with only one share

    #Note: This section was a test to see if I can get this script to work if there is only one share.
    #I could not get it to work with one share. The reason is there must be two (2) or more shares for
    #this to work, because I'm using an array. There is no such thing as a single array.
    #(Get-Content returns a single string for a one-line file, so $var[$i] indexes characters of
    # that string; wrapping it as @(Get-Content ...) forces a one-element array.)

    #$SourceServerPath =            @()
    #$SourceServerShares =          @()
    #$DestinationServerShareNames = @()

    #$SourceServerPath =            Get-Content '.\OldServerName-Share-paths-test.txt'
    #$SourceServerShares =          Get-Content '.\OldServerName-SourceSharesList-test.txt'
    #$DestinationServerShareNames = Get-Content '.\OldServerName-DestinationSharesList-test.txt'

    #Ignore this section
    #**************************************************************************************

    $SourceServerPath =            Get-Content '.\OldServerName-Share-paths.txt'
    $SourceServerShares =          Get-Content '.\OldServerName-SourceSharesList.txt'
    $DestinationServerShareNames = Get-Content '.\OldServerName-DestinationSharesList.txt'

    $LogDestinationFolder = ".\Logs"
    $LogfileName = $SourceServerNetBIOSName + ".txt"
    $LogFileAndPath = $LogDestinationFolder + "\" + $LogfileName

    # Checks for the existence of a directory for log files; if there is none, one gets created.
    If (!(Test-Path -Path $LogDestinationFolder)){
        New-Item -ItemType directory -Path $LogDestinationFolder
    }

    write-host "Total Share count = " $SourceServerShares.count

    for ($i = 0; $i -lt $SourceServerShares.count; $i++){

        # Turn the local path "D:\Data" into the administrative-share form "D$\Data"
        $srcpath = $SourceServerPath[$i] -replace '(.*):','$1$'
        #$srcpath = $SourceServerPath -replace '(.*):','$1$'
        $dstpath = $DestinationServerShareNames[$i]

        $FullSourcePath = "\\" + $SourceServerIP + "\" + $srcpath
        $FullDestPath   = "\\" + $DestinationServerName + "\" + $dstpath

        write-host ""

        if ((Test-Path $FullSourcePath) -and (Test-Path $FullDestPath))
        {
            $log = $LogDestinationFolder + "\" + $SourceServerNetBIOSName + "-" + $SourceServerShares[$i] + ".txt"
            write-host "Current share's log:" $Log

            # /E copies subfolders (including empty ones); by default only data, attributes and
            # timestamps are copied. NTFS permissions are NOT carried over unless you add /SEC
            # (or /COPYALL), which is why the Share/NTFS permissions backup above matters.
            robocopy $FullSourcePath $FullDestPath /E /R:1 /W:1 /TEE /log:$log | Out-String

            #This is trying different switches - Ignore
            #robocopy $FullSourcePath $FullDestPath /MIR /copy:DT /W:5 /R:1 /V /IT /FP /NFL /TS  /log:$log | Out-String

            #This was a local drive to drive attempt - Ignore
            #robocopy e:\users y: /copy:DATSO /E /R:1 /W5 /TEE /log:c:\robocopy.log

            write-host "Source path is: " $srcpath
            write-host "Full Source Path is: " $FullSourcePath
            write-host "Destination path is:" $dstpath
            write-host "Full Destination path is: " $FullDestPath

            $SharesProcessedSoFar = $i + 1
            write-host "Shares processed so far =" $SharesProcessedSoFar " out of a total share count of " $SourceServerShares.count
            write-host ""
            write-host ""
        }
        else
        {
            write-host "Problem with: "                $srcpath         "Destination sharename is:"  $dstpath
            write-host "Referencing full Source Path:" $FullSourcePath  "Destination Path:"          $FullDestPath
            $SharesProcessedSoFar = $i + 1
            write-host "Shares processed so far =" $SharesProcessedSoFar " out of a total share count of " $SourceServerShares.count
        }
    }
    write-host "Total Shares processed = " $SourceServerShares.count
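Before letting the script above touch data, a practitioner would want to know that the three list files line up, that every administrative-share path resolves, what robocopy would actually do, and whether NTFS permissions were carried over (plain /E does not copy them). The following pre-flight check is an added example, not part of the original script; it reuses the same list file names, and the server addresses are the post's placeholders.

```powershell
# Added example (not from the original post): dry-run check for the migration script.
# Same list file names as the script; the server addresses are placeholders from the post.
$SourceServerIP              = '10.100.200.200'
$DestinationServerName       = 'NewFileServer.contoso.com'
$SourceServerPath            = @(Get-Content '.\OldServerName-Share-paths.txt')      # @() forces an array
$SourceServerShares          = @(Get-Content '.\OldServerName-SourceSharesList.txt') # even for one line
$DestinationServerShareNames = @(Get-Content '.\OldServerName-DestinationSharesList.txt')

function Test-ShareMapping {
    # Emits one object per share pair so problems are visible before any data moves
    if ($SourceServerPath.Count -ne $SourceServerShares.Count -or
        $SourceServerShares.Count -ne $DestinationServerShareNames.Count) {
        throw "List files differ in length: paths=$($SourceServerPath.Count) shares=$($SourceServerShares.Count) destinations=$($DestinationServerShareNames.Count)"
    }
    for ($i = 0; $i -lt $SourceServerShares.Count; $i++) {
        # 'D:\Data\Finance' -> '\\10.100.200.200\D$\Data\Finance' (admin share, no share name needed)
        $src   = "\\$SourceServerIP\" + ($SourceServerPath[$i] -replace '^([A-Za-z]):', '$1$')
        $dst   = "\\$DestinationServerName\$($DestinationServerShareNames[$i])"
        $srcOk = Test-Path -LiteralPath $src
        $dstOk = Test-Path -LiteralPath $dst
        $code = $null; $aclMatch = $null
        if ($srcOk -and $dstOk) {
            # /L lists what would be copied without copying; /NJH /NDL /NFL keep output to the summary
            robocopy $src $dst /E /L /NJH /NDL /NFL /R:0 /W:0 | Out-Null
            # robocopy's exit code is a bitmask: 0 = nothing to do, 1 = files would be copied,
            # anything >= 8 means a failure (access denied, missing path, ...)
            $code = $LASTEXITCODE
            # /E alone copies data, attributes and timestamps; NTFS security needs /SEC or /COPYALL.
            # Comparing the root ACLs shows whether the permissions were actually carried over.
            $aclMatch = (Get-Acl -LiteralPath $src).Sddl -eq (Get-Acl -LiteralPath $dst).Sddl
        }
        [pscustomobject]@{
            Share        = $SourceServerShares[$i]
            Source       = $src
            Destination  = $dst
            SourceOk     = $srcOk
            DestOk       = $dstOk
            RobocopyCode = $code
            RootAclMatch = $aclMatch
        }
    }
}

Test-ShareMapping | Format-Table -AutoSize
```

Any row with SourceOk or DestOk false, a RobocopyCode of 8 or higher, or RootAclMatch false needs attention before the real copy runs.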

    More to come…

    Comments are welcomed.

    ==================================================================

    Summary

    I hope this helps!

    Published 10/3/2015

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services


    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
