Configuring the Windows Time Service for Windows Server

Configuring the time service on the PDC Emulator FSMO role holder


Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer


Original Compilation 9/12/2009
Edit: 9/23/2009    – Added additional links (indicated in the Related Links section).
Edit: 10/10/2009  – Added additional section called “Client To DC Time Sync”
Edit: 2/11/2010    – Added info about finding out which DC is the time source by using the w32tm /monitor command
Edit: 8/9/2010       – Added additional info in the troubleshooting section
Edit: 10/12/2010  – Added additional info about debugging and transferred PDC roles
Edit: 1/17/2011    – Added information about the Microsoft Mr Fix It script for a sure-fire way to reset the time service (scroll down to “Microsoft Mr Fix It”)
Edit: 1/19/2011    – Added information regarding virtualizing domain controllers and the Time service. Scroll to the bottom of this blog.


 


Prelude


There is absolutely NO NEED TO TOUCH THE TIME SERVICE REGISTRY ENTRIES


I just wanted to make a statement regarding the time service registry entries. There really is NO need to modify the time service registry entries. The time service works by default, out of the box. The only thing that is recommended is to synchronize the PDC Emulator in the forest root domain with a reliable outside source. That’s it.


I’m stating this because, based on numerous public postings about corrupted time service settings, the usual culprit is an attempt to change registry entries in the belief that that is how the service is configured. The time service should only be configured using the w32tm utility.


If the settings are corrupted and the service is not working properly, I would suggest simply resetting the time service itself (see the “To Reset the Time Service” section below) by running the following commands:


If you’ve experimented with changing time settings and unknowingly averted the default behavior, you can set the time settings back to default:


1. On the DC that you’re experiencing issues with, run the following in a command prompt:


  • net stop w32time
  • w32tm /unregister
  • w32tm /register
  • net start w32time

2. On the server in question (whether it’s the PDC Emulator or another server), run the following in a command prompt:


  • “net time /setsntp: ” (note the blank space before the closing quote). This tells the client (whether a DC or workstation) to delete the current registry settings for time and use the default settings.
  • Restart the time service: net stop w32time && net start w32time

3. On the PDC Emulator, run the following in a command prompt:


  • w32tm /config /manualpeerlist:time.nrc.ca /syncfromflags:manual /reliable:yes /update
  • w32tm /resync /rediscover
  • Restart the time service: net stop w32time && net start w32time

4. On each DC that does not hold the PDC Emulator role, run the following in a command prompt:


  • w32tm /config /syncfromflags:domhier /update
  • w32tm /resync /rediscover
  • Restart the time service: net stop w32time && net start w32time

5. This will clear any time service errors in the Event Viewer, if there are any.




The only real time you may have to configure it any further is with the assistance of Microsoft Support.


That said, the following shows how the service works by default, the caveats, things to consider, troubleshooting, as well as a link to Microsoft’s Mr Fix It to fix it for you!






Time Service Background


Kerberos is the authentication method in an Active Directory infrastructure. There are three parties in the authentication exchange between members of an AD infrastructure: 1) the client, 2) the server, and 3) the trusted third party, which is Kerberos. Kerberos uses time as a “salt” to ensure that the authentication sequence cannot be reused in a “replay” scenario by a prospective attacker. One of the bases for preventing a “replay” is that Kerberos allows a five (5) minute time skew: if the clocks of the two machines authenticating (whether DC to DC, member server to DC or client, or client to DC) are off by more than five (5) minutes, the authentication sequence fails. To ensure that all clients’ clocks are within the five (5) minute skew, the time service must be synchronized across the infrastructure.


Clients get their time from the DC that logged them on. That DC gets its time from the PDC Emulator in its domain. If that is a child domain, its PDC Emulator gets its time from the PDC Emulator in the forest root, which should be configured to use an external time source. This simply works out-of-the-box; the only thing to configure is the PDC Emulator in the forest root domain, so that it syncs with an external time source. No other action is truly necessary. Altering the time registry settings is inviting trouble and should only be done under guidance from Microsoft Support.


To find the DC that logged a client on (which is also the client’s time server), run the following:
echo %logonserver%


In a multi-site scenario, as long as AD Sites have been configured properly, with their respective subnet objects assigned to each site and the servers moved to their respective sites, the client machine’s logon server will always be its time source.


This all assumes that none of the DCs are multihomed (a multihomed DC may become part of more than one site, which causes errors, besides other issues), that the AD DNS domain name is not a single-label name (“domain” vs. domain.something), and that only the internal DNS servers are listed in ipconfig; otherwise, expect other problems to occur.



Time Service Domain Hierarchy


Time Convergence


This section was quoted from:


Basic Operation of the Windows Time Service
http://support.microsoft.com/kb/224799


All client desktops select an authenticating domain controller (the domain controller returned by DSGetDCName()) as their time source. If this domain controller becomes unavailable, the client re-issues its request for a domain controller.


All member servers follow the same process.


All domain controllers in a domain make 3 queries for a DC:
1. A reliable time service (preferred) in the parent domain,
2. A reliable time service (required) in the current domain,
3. The PDC of the current domain. It will select one of these returned DCs as a time source.



The PDC Emulator FSMO role holder at the root of the forest is authoritative, and can be manually set to synchronize with an outside time source (such as the United States Naval Observatory).


Windows Time Hierarchy


The following diagram shows the time hierarchy. Quoted from:


How the Windows Time Service Works, Updated: March 12, 2010
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx



 


Time Sync


Client to DC


How to configure an authoritative time server in Windows Server 2003
http://support.microsoft.com/kb/816042


The points below were quoted from the above link:


All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
All member servers follow the same process that client desktop computers follow.
All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner. In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization.


The following quote describes the time algorithm in Windows 2000; I haven’t seen any evidence that it has changed:
http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html
http://windowsitpro.com/article/articleid/8383/windows-time-synchronization-service.html


“When a client workstation (i.e., a Windows 2000 Professional—Win2K Pro—machine) boots, it contacts a domain controller for authentication. When the two computers exchange authentication packets, the client adjusts its local time based on the target (i.e., the domain controller’s) time. If the target time is ahead of local (i.e., the client’s) time by less than 2 minutes, the client immediately adjusts its time to match the target time. If the target time is behind the local time by less than 2 minutes, the client slows its clock over a period of 20 minutes until the two times are in synch. If the local time is off by more than 2 minutes, the client immediately sets its time to match the target time. . . . “


Because of this 2 minute adjustment, an authoritative time server on the domain (the PDC Emulator) acts as a time client to an external time source, so you may see a lag between the time source’s time and the time on the server.


 


DC to DC Time Service Selection:


A DC will choose its domain’s PDC Emulator to sync time. A child domain’s PDC Emulator will sync time with a DC in the parent (forest root) domain; it can choose the parent PDC Emulator or any other DC in the parent domain.


Therefore, don’t be alarmed if you see a child domain DC syncing with a forest root DC; that’s normal. A child domain’s DCs will sync with any domain controller in the forest root domain. It’s outlined in the following article, in a diagram titled “Time Synchronization in an AD DS Hierarchy”:


How the Windows Time Service Works
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx


 


Domain Controller Time Source Queries and Score Determination


If having problems viewing the following image, please see the full-sized image at:
http://4ufq6a.blu.livefilestore.com/y1paVf9RvrfAXlM4dVk-bZvVivi0OBbK75AcXfvnEGz0RybJIkbGbRJ8NgoHGdThaEuIz3l2Z8ZBXw1KP7IuRENQR2iQvKhyCcC/Windows%20Time%20-%20Domain%20Controller%20Time%20Source%20Queries%20and%20Score%20Determination.jpg?psid=1



 


 


To set the Time Service in an Active Directory Infrastructure


Windows 2000


On the Windows 2000 PDC Emulator, run the following four commands:


C:\>net time /setsntp:Time.nrc.ca
The command completed successfully.


C:\>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.


C:\>w32tm -once
(W32time performs numerous commands to set the time)


C:\>net start w32time
The Windows Time service is starting.
The Windows Time service was started successfully.


 


Windows 2003


On the DC holding the PDC Emulator FSMO role (example showing a US government time source):


w32tm /config /manualpeerlist:time-a.nist.gov /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time


On other DCs (that are not the PDC Emulator):


w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time


 


Windows 2008


Please follow the instructions in the following Microsoft article on how to configure the Time Service in Windows 2008:


How to configure an authoritative time server in Windows Server (2003 & 2008)
http://support.microsoft.com/kb/816042




 


 


The PDC master must not be configured to synchronize with itself


This important section was quoted from:


How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042


For more information about why the PDC master must not be configured to synchronize with itself, visit the following Web site to view Request For Comment (RFC) 1305:
http://www.rfc-editor.org/


If the PDC master is configured to synchronize with itself, the following events are logged in the System log:


Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 38
Computer: ComputerName
Description: The time provider NtpClient cannot reach or is currently receiving invalid time data from NTP_server_IP_Address. For more information, see Help and Support Center at http://support.microsoft.com.


Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 47
Computer: ComputerName
Description: Time Provider NtpClient: No valid response has been received from manually configured peer NTP_server_IP_Address after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. For more information, see Help and Support Center at http://support.microsoft.com.


Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Computer: ComputerName
Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time. For more information, see Help and Support Center at http://support.microsoft.com.


 



Transferring the PDC Emulator Role


If you have moved the Windows 2003 PDC Emulator role to another DC, or if you seized the role to another DC because the original PDC Emulator is no longer available, reset the time source and hierarchy:


On the new PDC Emulator (where ‘peers’ is an Internet time source such as time-a.nist.gov):
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update


On the old PDC Emulator:
w32tm /config /syncfromflags:domhier /update


After that run the following on both DCs:
net stop w32time
net start w32time


The “peers” value can be a text file or direct input, allowing you to set the time source as either a DNS name (such as time.windows.com) or the IP address of a reliable time source. I normally use 192.5.41.41.


On your edge firewall, make sure UDP port 123 traffic is allowed inbound from the time source (these are the replies to the PDC Emulator’s NTP queries).


FYI, you need a reliable external time source. Read the following link for a list of them around the Internet:


The pool.ntp.org project is a big virtual cluster of timeservers striving to provide reliable and easy to use NTP service for millions of clients without putting strain on the big popular timeservers.
http://www.pool.ntp.org


 

The Net Time Command is Weak and Inaccurate with Certain Functions


DO NOT USE the “net time” command on Windows 2003 and later. It will create confusion with the time service. This command was meant for use with stand-alone machines, is basically a DOS-era command, and is pretty much useless in an AD environment.


The net time command is weak. It is a foreground application and is not reliable. It does not query what the local machine’s time service is set to use within the domain hierarchy. In this respect the net time command is similar to the nslookup command: it uses its own query methods, independent of the local machine’s configuration.


For example, the following was quoted from:


Overview\Windows Time Service Issues Information
http://www.greyware.com/software/DomainTime/Product/w32time.asp


“When you run NET TIME without the /domain option, the workstation will iterate through the list of time sources on the network, and contact the first one encountered. By default on an NT or 2000 network, only the PDC is a time source.


However, if Domain Time Server is installed on any machine, that machine also becomes a time source. Notice that the NET TIME client won’t use the nearest time source — it will use the first one found in the browser list. It also will not move on to the next source if the first one fails.”


Read more on the net time command and its limitations in the following link; scroll down to the heading “Problems with NET TIME”.


Overview\Windows Time Service Issues Information
http://www.greyware.com/software/DomainTime/Product/w32time.asp





Which server is my time source?


On a non-DC, you can run echo %logonserver% (shown in the Time Service Background section above) to see which DC logged you on. That DC will be YOUR time source.


To confirm which server is being used as a time source, you can also run the following command:


w32tm /monitor


For example, I ran this on a non-PDC Emulator DC, dc02.domain.local, in a domain with two DCs. You can see that it grabbed time from the PDC Emulator, which in this case is dc01.domain.local. It also states that dc01.domain.local got its time source from 192.5.41.41. You can see the offset between the two DCs is 0.0000651s (seconds), so no sync is required since it is under the 2 minute time sync tolerance.


c:\Documents and Settings\administrator>w32tm /monitor
dc01.domain.local *** PDC *** [192.168.80.10]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from dc01.domain.local
        RefID: ntp1.usno.navy.mil [192.5.41.41]
dc02.domain.local [192.168.80.11]:
    ICMP: 0ms delay.
    NTP: +0.0000651s offset from dc01.domain.local
        RefID: dc01.domain.local [192.168.80.10]
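A parser for that output, added here as an example (not code from the post): it reads the text w32tm /monitor prints, then flags a DC whose RefID is itself (the self-synchronizing PDC case described above), a PDC Emulator whose RefID is another DC in the list rather than an external source, and any offset beyond the Kerberos tolerance. The sample text is constructed from the output above; the function names are mine.

```powershell
# Added example, not from the original post. Parses w32tm /monitor output and checks
# the hierarchy conditions the post discusses. $sample is constructed from the run above.
$sample = @'
dc01.domain.local *** PDC *** [192.168.80.10]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from dc01.domain.local
        RefID: ntp1.usno.navy.mil [192.5.41.41]
dc02.domain.local [192.168.80.11]:
    ICMP: 0ms delay.
    NTP: +0.0000651s offset from dc01.domain.local
        RefID: dc01.domain.local [192.168.80.10]
'@

function ConvertFrom-W32tmMonitor {
    # Turns the monitor text into one object per DC: Host, IsPdc, Address, OffsetSeconds, RefId.
    param([string]$Text)
    $entries = @(); $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^(\S+)\s+(\*\*\* PDC \*\*\*\s+)?\[([^\]]+)\]:') {
            $current = [pscustomobject]@{
                Host = $Matches[1]; IsPdc = [bool]$Matches[2]; Address = $Matches[3]
                OffsetSeconds = $null; RefId = $null
            }
            $entries += $current
        } elseif ($current -and $line -match 'NTP:\s+([+-][0-9.]+)s offset') {
            $current.OffsetSeconds = [double]$Matches[1]
        } elseif ($current -and $line -match 'RefID:\s+(\S+)') {
            $current.RefId = $Matches[1]
        }
    }
    return $entries
}

function Test-TimeHierarchy {
    # Returns one line of text per finding; nothing returned means nothing to look at.
    param($Entries, [double]$MaxSkewSeconds = 300)   # Kerberos default tolerance: 5 minutes
    $hosts = @($Entries | ForEach-Object { $_.Host })
    foreach ($e in $Entries) {
        if ($e.RefId -and ($e.RefId -ieq $e.Host)) {
            "$($e.Host): reference is itself (see the section on the PDC master synchronizing with itself)"
        }
        # A forest root PDC Emulator should reference an external source. A child-domain PDC
        # legitimately references a DC in the parent domain, so treat this as a prompt to check.
        if ($e.IsPdc -and ($hosts -contains $e.RefId)) {
            "$($e.Host): PDC Emulator references another DC in this list, not an external source"
        }
        if ($null -ne $e.OffsetSeconds -and [math]::Abs($e.OffsetSeconds) -gt $MaxSkewSeconds) {
            "$($e.Host): offset $($e.OffsetSeconds)s exceeds the $MaxSkewSeconds s Kerberos tolerance"
        }
    }
}

$entries = ConvertFrom-W32tmMonitor -Text $sample
$entries | Format-Table Host, IsPdc, OffsetSeconds, RefId -AutoSize
$findings = @(Test-TimeHierarchy -Entries $entries)
if ($findings.Count -eq 0) { 'No hierarchy or skew problems found in the sample.' } else { $findings }
```

Against a live DC, feed it the real output instead of the sample: ConvertFrom-W32tmMonitor -Text (w32tm /monitor | Out-String).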


 


 


Time Service skew: The Windows W32Time service is not as accurate or reliable as one thinks


Yes, this is true, and this statement is according to Microsoft (KB939322). The reason is that the Windows time service is not designed to sync time down to 1 or 2 seconds; such tolerances are beyond the design of the Windows time service. It was primarily designed for loose synchronization to support Active Directory’s use of the Kerberos v5 protocol for authentication, which relies on a maximum time skew of 5 minutes for its authentication ‘salt.’ The Windows Time service is sufficient for this purpose; however, if you have apps that require sensitive transactional processing with timing down to the second (possibly for SEC, banking, or other reasons), it is suggested that you use a third-party time service.


The Windows 2000 and 2003 time service skew and algorithm is pretty much the same.


Regarding high accuracy, Microsoft’s position on this was quoted from:


Support boundary to configure the Windows Time service for high accuracy environments
http://support.microsoft.com/kb/939322


“We do not guarantee and we do not support the accuracy of the W32Time service between nodes on a network. The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs. The W32Time service is primarily designed to do the following:


  • Make the Kerberos version 5 authentication protocol work.
  • Provide loose sync time for client computers.
  • The W32Time service cannot reliably maintain sync time to the range of 1 to 2 seconds. Such tolerances are outside the design specification of the W32Time service.”


 


The following passage was quoted from page 9 in the following Microsoft document.


The Windows 2000 Time Service
http://download.microsoft.com/download/2/0/f/20f61625-7b2a-4531-b007-1c714f1e51b7/wintimeserv.doc


“When the local clock offset has been determined, the following algorithm is used to adjust the time:  


  • If the local clock time of the client is behind the current time received from the server, W32Time will change the local clock time immediately.
  • If the local clock time of the client is more than three minutes ahead of the time on the server, W32Time will change the local clock time immediately.
  • If the local clock time of the client is less than three minutes ahead of the time on the server, W32Time will quarter or halve the clock frequency for long enough to bring the clocks into sync. If the client is less than 15 seconds ahead, it will halve the frequency; otherwise, it will quarter the frequency. The amount of time the clock spends running at an unusual frequency depends on the size of the offset that is being corrected.”

High Accuracy W32time Requirements
http://blogs.technet.com/b/askds/archive/2007/10/23/high-accuracy-w32time-requirements.aspx


“This entry specifies the largest interval, in log2 seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested to do so. The default value for domain controllers is 10. The default value for domain members is 15. The default value for stand-alone clients and servers is 15. “


Based on the article below, “If you change the MaxPollInterval and MinPollInterval local polling values for the Microsoft Windows Time service (W32time), the values are ignored. The service always polls at 17-minute intervals.”


Settings for minimizing periodic WAN traffic
http://support.microsoft.com/kb/819108



Configuring the MaxPollInterval


The passage below was quoted from:

Config\MaxPollInterval
http://technet.microsoft.com/en-us/library/cc739293(WS.10).aspx

“Specifies the longest interval (in units of 2^n seconds, where n is the value of this entry) that is allowed for system polling. While the system does not request samples less frequently than this, a provider may refuse to produce samples when requested to do so.”

“Note: The time service itself is considered unsynchronized after 1.5 times the number of seconds specified by this entry have elapsed. The Network Time Protocol specifies that the maximum clock age is 86,400 seconds, so if the value of this entry is greater than 15, then peers will eventually ignore this server.”

So if you change it from the default of 15 to 14, the longest time interval changes from 32,768 seconds (546.13 hours or 22.75 days) to 16,384 seconds (273 hours or 11.37 days).
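The arithmetic in that note, worked through as an added example (not from the quoted article): the interval is 2^n seconds, the service counts itself unsynchronized after 1.5 times that, and NTP’s maximum clock age is 86,400 seconds, so the table shows where the cutoff lands. The function name is mine.

```powershell
# Added example, not from the quoted article: works the MaxPollInterval arithmetic through
# for a range of exponents. Interval = 2^n seconds; the service treats itself as
# unsynchronized after 1.5 x that; NTP's maximum clock age is 86,400 seconds.
function Get-MaxPollIntervalTable {
    param([int[]]$Exponents = (10..16))
    $maxClockAge = 86400
    foreach ($n in $Exponents) {
        $interval    = [math]::Pow(2, $n)
        $unsyncAfter = 1.5 * $interval
        [pscustomobject]@{
            MaxPollInterval = $n
            IntervalSeconds = [int]$interval
            IntervalHours   = [math]::Round($interval / 3600, 2)
            UnsyncAfterSecs = [int]$unsyncAfter
            # Beyond the NTP maximum clock age, peers stop trusting this server.
            PeersWillIgnore = ($unsyncAfter -gt $maxClockAge)
        }
    }
}

# 15 is the last value where 1.5 x 2^n (49,152 s) stays below 86,400 s; 16 gives 98,304 s.
Get-MaxPollIntervalTable | Format-Table -AutoSize
```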

 


 



Read more on this in the following links.


Overview\Windows Time Service Issues Information
http://www.greyware.com/software/DomainTime/Product/w32time.asp


Support boundary to configure the Windows Time service for high accuracy environments
http://support.microsoft.com/kb/939322


 


Additional info regarding accuracy:


“The W32Time service cannot reliably maintain sync time to the range of 1 to 2 seconds. Such tolerances are outside the design specification of the W32Time service.” But Microsoft does give references to third-party publishers of time and frequency software that can assist with those extremely high accuracy needs (NOTE: these are not Microsoft related or endorsed, just referenced):


http://tf.nist.gov/general/softwarelist.htm  (for software )
http://tf.nist.gov/timefreq/general/receiverlist.htm   (for hardware )


The following was quoted from the Windows Time Service Technical Reference (http://technet.microsoft.com/en-us/library/cc773061(WS.10).aspx):
“The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs and is not supported by Microsoft as such. For more information, see Microsoft Knowledge Base article 939322, Support boundary to configure the Windows Time service for high-accuracy environments (http://go.microsoft.com/fwlink/?LinkID=179459).”


High Accuracy W32time Requirements
http://blogs.technet.com/b/askds/archive/2007/10/23/high-accuracy-w32time-requirements.aspx


 



Third Party Time Solutions


LANTIME M900 NTP Server : NTP Timeserver Platform for Customized Time and Frequency Synchronization Systems (hardware and software based solutions)
http://www.meinberg.de/english/sw/index.htm



Here is what some folks have tried in order to reduce the skew, given that the Windows W32Time service does not have tight tolerances:


Time codes and testing the W32time service skew:
http://www.geisswerks.com/ryan/FAQS/timing.html


[ntp:questions] Re: Ntpd time offset threshold
Question: > The offset threshold is 128ms by default. I think it is a so large value.
> I want 1ms accuracy among all clients over LAN. So, do I have to set it to a
> smaller value? As for 1ms accuracy, set it to 0.5ms.
https://lists.ntp.org/pipermail/questions/2005-June/005711.html



Interesting third party forum and newsgroup thread quotes:


======
Following from:
Thread: Can time sync occur every 30 mins?
http://fixunix.com/ntp/67725-can-time-sync-occur-every-30-mins.html


> What is the maximum period value for:
> HKEY LOCAL
> MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\ Parameters\period
>
> I set it to 2880 for the time sync to occur ever 30mins (24x60x2), but
> the time only synchronises every 8 hours in event logs.
> Is it possible for it to sync more often than every 8 hours?
>
> SBS2000, NTP.
> Thanks
> Nick
>


You will have to ask Microsoft that question. It’s a Microsoft product.


There are two Windows builds of the reference implementation of ntpd;
either one should give you much better synchronization than W32TIME.
Ntpd will query its servers at intervals ranging between 64 seconds and
1024 seconds. The daemon adjusts the interval automatically to the best
value for current conditions.


See http://norloff.org/ntp/ or http://www.meinberg.de/english/sw/ntp.htm
The latter version comes with a Windows installer. I have not used
either version and so can’t tell you much about them except that either
should perform better than W32TIME!!!!


If you decide to try one of these, you should plan on configuring at
least four timeservers for best performance.


See http://ntp.isc.org/bin/view/Servers/WebHome for lists of publicly
available time servers and “rules of engagement”.


=>
Does anyone know whether Windows 2000 or Server 2003 is capable of
synchronising more often than every 8 hours, using w32time?


Thanks
Nick


===============



Typical performance is shown in the bottom 5 graphs here:
http://www.david-taylor.myby.co.uk/mrtg/daily_ntp.html


You can click on a graph to see weekly, monthly and yearly data


=>


> Does anyone know whether Windows 2000 or Server 2003 is capable of
> synchronising more often than every 8 hours, using w32time?


It is, but it is not simple to configure. Look in the list archives for
examples of configuring the windows time service for use on public NTP
networks. Included there are links to Microsoft’s detailed
documentation on the Windows Time Service.


What are your requirements? Just to keep better time? Why once every
1/2 hour?


Generally, you’ll want to use a configuration command like this:


w32tm /config /manualpeerlist:"0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8" /syncfromflags:MANUAL /update


That “,0x8” after each server tells Windows Time Service to choose the
best synchronization interval itself, based on the performance of your
clock and/or network connection.


Also, please note that the windows time service only makes event log
entries when a new time source is selected, plus an informational entry
once every X hours. It will not make a log entry for “small
corrections”, even if they are more frequent. This logging behavior can
also be changed with registry entries or group policies (see Microsoft
documentation).


============


 


 



Time Service Troubleshooting


Basic support issues I’ve seen usually arise if you’ve moved the PDC Emulator role in the forest root domain to another DC, possibly due to retiring an old DC or a DC failure. In this case, all you really have to do is reset the time service on the new PDC Emulator so it is authoritative for the domain/forest.


Other than that, the numerous other time service tech support issues I’ve seen are due to administrators changing registry settings to tweak the service; they then find that something is amiss and begin backtracking, asking what the registry entries do and what the results are if set to this or that setting, etc. IMHO, I don’t believe this is necessary. Basically, the Time service works out-of-the-box. The PDC Emulator in the forest root domain is the ultimate time source for the whole forest, and all other DCs, whether in the forest root, in child domains, or in additional trees in the forest, will follow the hierarchy to sync time. Why does it work out-of-the-box? Because the time service is extremely important for Kerberos. If the clocks of a machine and a DC are skewed beyond the 5 minute tolerance, authentication fails, so Microsoft made sure the time service works without any changes required. All you have to do is configure the PDC Emulator in the forest root domain to use an outside time source, and you are DONE. That’s it. Altering the time service registry, unless directed by Microsoft Support, is not required.


To reset the Time Service to use the new PDC Emulator


By default, all DCs that are not the PDC Emulator should be syncing time from the PDC Emulator. If that isn’t the case, reset time on the DC in question using the following steps (which apply to workstations as well).


In a command prompt (I know I said not to use this command, but this is the ONLY exception: running it to reset the time service on a machine):


“net time /setsntp: ”   (note the blank space before the closing quote)
This tells the client (whether a DC or workstation) to delete the current registry settings for time and use the default settings.


Then run the following:
net stop w32time && net start w32time


The client should now be part of the time domain hierarchy.


One more possibility, if the above procedure doesn’t reset it, is to run the following on the non-PDC Emulator:


w32tm /config /syncfromflags:domhier /reliable:no /update  –  (notice the “no” switch)
net stop w32time && net start w32time


The above is explained in:


Change the Windows Time service configuration on the previous PDC emulator
http://technet.microsoft.com/en-us/library/cc738042.aspx


Or you can run Mr FixIt:


To fix it, run the “Microsoft Mr. Fix It” on each DC. It will recognize and download the correct “Fix It script” to run on the PDC Emulator and non-PDC Emulators.
How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042


 


Debug Logging and more


If the DC is already pointing at the PDC Emulator, the PDC Emulator should be getting its time externally (although this alone won’t cause your problem). You can turn on debug logging to track down the error.


How to turn on debug logging in the Windows Time Service
http://support.microsoft.com/kb/816043/en-us


 


“Microsoft Mr. Fix It” Time Service Script


This script can be found in:


How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042


To run Mr Fix It:


Keep in mind, all DCs in a domain get their time from the domain’s PDC Emulator. If you can’t straighten it out manually, perform the following procedure, which includes running the Mr Fix It script:


1. Run an FSMO query to find which DCs hold which FSMO roles and to determine which DC is the PDC Emulator:
 netdom query fsmo


2. Run the “Microsoft Mr Fix It” script in the above link by visiting it from each DC. You must visit it from each DC, or you can download the respective Mr Fix It number, whether for a PDC or a non-PDC.




The procedure is as follows:


On the new PDC Emulator AND on the non-PDC Emulators, go to http://support.microsoft.com/kb/816042. You will notice the “Microsoft Fix It” link. When you visit the link from the DC holding the PDC Emulator FSMO Role, it will show up as “Microsoft Fix It 50394,” and on the non-PDC Emulators, it will show up as “Microsoft Fix It 50395.”


Therefore:
On the PDC Emulator, go to http://support.microsoft.com/fixit/ and download Fix It 50394 (this is for the PDC)
On the BDC (that is, each non-PDC Emulator DC), go to http://support.microsoft.com/fixit/ and download Fix It 50395 (this is for non-PDCs)


When you run it, it will show the placeholder peer list:
Server1, 0x1 Server2, 0x1
Replace it with your own time sources, for example:
Time.nrc.ca, 0x1 time.nist.gov, 0x1


 


Or, based on what the script does, you can simply do it manually:


On the PDC Emulator, run the following in a command prompt:
W32tm /config /manualpeerlist:time.nrc.ca /syncfromflags:manual /reliable:yes /update
W32tm /resync /rediscover


This will take the errors out of Event Viewer. Then restart the time service:
Net stop w32time && net start w32time


On the non-PDC Emulator, run the following in a command prompt:
w32tm /config /syncfromflags:domhier /update
W32tm /resync /rediscover


This will take out any errors in the Event Viewer, if there are any. Then restart the time service:
Net stop w32time && net start w32time
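As an added example (this is not the post’s own code, nor the Mr Fix It script), the following PowerShell script performs the same role check and applies the same w32tm commands as the manual procedure above: it looks up the PDC Emulator through .NET instead of reading netdom output by eye, only uses /reliable:yes when the local DC is the PDC Emulator of the forest root domain, and otherwise points the DC at the domain hierarchy. The default peer list, the -Apply switch and the Invoke-W32tm helper are assumptions; without -Apply it only prints what it would run.

```powershell
# Added example: configure W32Time on a DC according to its FSMO role.
# Run from an elevated PowerShell prompt ON the DC. Without -Apply it only
# prints the commands it would run. The default peer list is an assumption
# taken from the examples above; use your own reliable external sources.
param(
    [string[]]$ExternalPeers = @('time.nrc.ca', 'time.nist.gov'),
    [switch]$Apply
)

# Locate the PDC Emulator and the forest root via .NET DirectoryServices,
# so no AD PowerShell module is needed (works on 2003/2008-era DCs).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$pdc    = $domain.PdcRoleOwner.Name                                    # FQDN of the PDC Emulator
$local  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # FQDN of this host
$isPdc  = ($local -ieq $pdc)
$isRoot = ($domain.Name -ieq $forest.RootDomain.Name)

Write-Host "Domain:       $($domain.Name)"
Write-Host "Forest root:  $($forest.RootDomain.Name)"
Write-Host "PDC Emulator: $pdc"
Write-Host "This host:    $local (PDC Emulator: $isPdc; forest root domain: $isRoot)"

if ($isPdc -and $isRoot) {
    # Forest root PDC Emulator: the only DC that should be marked reliable
    # and the only one that syncs from an external source. Peers are space
    # separated and the ",0x1" flag is attached to each name with no space,
    # otherwise w32tm would treat "0x1" as a peer of its own.
    $peerList   = ($ExternalPeers | ForEach-Object { "$_,0x1" }) -join ' '
    $configArgs = "/config /manualpeerlist:`"$peerList`" /syncfromflags:manual /reliable:yes /update"
}
else {
    # Every other DC (including the PDC Emulator of a child domain) follows
    # the domain hierarchy, exactly like the non-PDC commands above.
    $configArgs = '/config /syncfromflags:domhier /update'
}

function Invoke-W32tm([string]$Arguments) {
    # Hypothetical helper: prints the command, and runs it only with -Apply.
    Write-Host "==> w32tm $Arguments"
    if ($Apply) {
        # Start-Process hands the argument string to w32tm.exe verbatim, so
        # the quoted peer list survives intact (PowerShell's own native
        # command quoting could otherwise split it at the spaces).
        Start-Process -FilePath 'w32tm.exe' -ArgumentList $Arguments -NoNewWindow -Wait
    }
}

Invoke-W32tm $configArgs
Invoke-W32tm '/resync /rediscover'

if ($Apply) {
    Restart-Service -Name w32time        # same as "net stop w32time && net start w32time"
    Start-Sleep -Seconds 5
    # "w32tm /query" exists on Vista/2008 and later; on 2003 check the
    # System event log (W32Time events) or run "w32tm /monitor" instead.
    w32tm /query /source
    w32tm /query /status
}
```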


Registry Entries


You can query the registry keys with the following method:


c:\>reg query hklm\system\currentcontrolset\services\w32time\parameters
C:\> w32tm /dumpreg /subkey:parameters


 


To resync the service on a client machine:


 w32tm /resync
 w32tm /resync /rediscover


 


If some domain machines have problems:


w32tm /config /syncfromflags:domhier /update


After that run:
net stop w32time
net start w32time


 


To Reset the Time Service:


If you’ve experimented with changing time settings and unknowingly departed from the default behavior, you can set the time settings back to default:


net stop w32time
w32tm /unregister
w32tm /register
net start w32time


You should only have one server in the forest set as a reliable time source, so using the /reliable:yes command on anything other than the Forest Root PDC is not a good idea.


 


If you are getting Event ID 1307 from the time service:


A possible cause is that the “Authenticated Users” group does not have read permission on the W32Time and Netlogon registry keys. Please check and correct the permission settings on the keys.


The keys are under:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32Time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon


 


Related Troubleshooting links:


To Assist in troubleshooting time service issues on the PDC Emulator and other machines, use the following link:
Troubleshooting Windows Time Service Problems
http://technet.microsoft.com/en-us/library/bb727060.aspx


SNTP vs NTP


NTP and SNTP are both supported. Quoted from the Microsoft TechNet article “Windows Time Service and Internet Communications”:


“Windows 2003 by default uses NTP, whereas Windows 2000 used SNTP. SNTP is a simplified version of NTP. Windows 2003 and newer are by default set to NT5DS, which uses NTP. If SNTP is required on Windows 2003 or newer, the default NT5DS type must be changed to AllSync to accept NTP and SNTP time sources.”


Additional links referencing SNTP vs NTP:


Windows Time Service and Internet Communication
http://technet.microsoft.com/en-us/library/cc779145(WS.10).aspx


What is the difference between NTP and SNTP?
http://www.spectracomcorp.com/portals/0/support/pdf/NTP_vs_SNTP.pdf




What is NTP? (ntp.org FAQ; also covers SNTP, the Simple Network Time Protocol)
http://www.ntp.org/ntpfaq/NTP-s-def.htm



Based on KB223184, since Type Nt5DS uses SNTP by default in Windows 2000, you can force a Windows 2000 server to NTP by changing the time service “Type” in the registry from Nt5DS to NTP. However, I remember there were issues with that syncing up years ago. The registry entries are located in the following key, with these options for “Type”:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters


Type : REG_SZ
Used to control how a computer synchronizes.
Nt5DS = synchronize to domain hierarchy [default]
NTP = synchronize to manually configured source
NoSync = do not synchronize time


Time Sync Frequency:


The following registry value controls how frequently the Windows Time service synchronizes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Period


65531, “DailySpecialSkew” – Sets synchronization to one time every 45 minutes until successful one time, then one time every day.
65532, “SpecialSkew” – Sets synchronization to one time every 45 minutes until successful three times, then one time every eight hours. This is the default setting.
65533, “Weekly” – Sets synchronization to one time every seven days.
65534, “Tridaily” – Sets synchronization to one time every three days.
65535, “BiDaily” – Sets synchronization to one time every two days.
0 – For NT5DS, the synchronization is one time every 45 minutes until successful three times, then one time every eight hours. For NTP, the synchronization is one time every 8 hours.
freq – freq stands for the number of times per day you want the Windows Time service to synchronize. If you want to use a value other than the ones listed above, you must use this option.


 


Related links to the W32Time service registry entries:


Time Registry settings: Windows Time Service Tools and Settings
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx


Registry entries for the W32Time service on Windows 2000:
http://support.microsoft.com/kb/223184


Windows Time Service Tools and Settings using the w32time command. Includes Windows 2003 & 2003 R2 Time Service Registry Settings
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx


How to configure the Windows Time service against a large time offset
Basically this talks about the time service and how it keeps all machines in a domain hierarchy within 2 minutes of sync so Kerberos works.
http://support.microsoft.com/kb/884776


Configuring the Windows Time Service
http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html
Failover Time Service


As for failover time sources, the time service loops through the peers in the order they are listed, starting with the first, until one responds. I suggest using the actual IP addresses. This is an old-school habit of mine: years ago Windows 2000 had an issue failing over between peers given by FQDN, which was fixed with a hotfix, but I still use the IP address method.


Here’s an older KB that explains this (disregard the part about Windows 2000, because the service still behaves the same way):


W32Time client does not fail over to secondary NTP servers by FQDN
http://support.microsoft.com/kb/285641


w32tm /config /manualpeerlist:"MeinbergNTPdeviceIpAddressorFQDN time-nw.nist.gov 0.pool.ntp.org" /syncfromflags:manual /reliable:yes /update


Multiple Manualpeers configured


It’s recommended to use a first-level time source – Quoted from the link above (http://support.microsoft.com/kb/285641):


“There are two levels, or tiers, of Network Time Protocol (NTP) time servers that are available on the Internet. The NTP is defined in Request for Comments (RFC) 1305. The first-level time servers are primarily intended to act as source time servers for second-level time servers. The first-level time servers may also be capable of providing mission-critical time services. Some first-level time servers may have a restricted access policy.


Second-level time servers are intended for general SNTP time service needs. Second-level time servers usually enable public access. It is recommended that you use second-level time servers for normal SNTP time server configuration because they are usually located on a closer network that can produce faster updates.


It is recommended that you research any time server selection to ensure that it can meet your specific time server requirements.”


 


Domain Controllers, Hyper-V and Virtualization, and the Time Service


Regarding DC virtualization, please closely adhere to the following best practices:


    1) Do not use imaging software to take an image of the DC.
    2) Do not take or apply snapshots of the DC.
    3) Do not shut the Virtual Machine down and simply copy the virtual disk as a backup.
    4) If you have the ability to “discard changes” as you do if you are running “Virtual Server 2005 R2”, do not enable this type of setting on a DC Virtual Machine.
    5) Use NTBACKUP.EXE, WBADMIN.EXE, or any third party software that is available as long as it is certified to be AD-compatible to take system state backups.
    6) Only restore a system state to the DC or restore a full backup.
    7) Make at least one DC, the PDC Emulator in the forest root domain, a physical DC. The PDC is the default time service in the hierarchy and should not be virtualized.


For more information, please refer to:


DC’s and VM’s – Avoiding the Do-Over
http://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx



In addition, running Domain Controllers in virtual machines requires special considerations (time sync configuration included). I recommend reading the articles below. You will also want one physical DC in the environment, but you can have the remaining DCs virtualized. It’s recommended to have the PDC as the physical DC.


Running Domain Controllers in Hyper-V
http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx


Deployment Considerations for Virtualized Domain Controllers
http://technet.microsoft.com/en-us/library/dd348449(WS.10).aspx


 


Virtualized DC Time service


For virtual machines that are configured as domain controllers, disable time synchronization with the host through Integration Services. Instead, accept the default Windows Time service (W32time) domain hierarchy time synchronization.


Host time synchronization makes it possible for guest operating systems to synchronize their system clocks with the system clock of the host operating system. Because domain controllers have their own time synchronization mechanism, host time synchronization must be disabled on virtual machines that are configured as domain controllers. If domain controllers synchronize time from their own source and also synchronize time from the host, the domain controller time can change frequently. Because many domain controller tasks are tied to the system time, a jump in the system time could cause lingering objects to be left in the directory and replication to be stopped.


W32Time (Windows Time) should run as LocalService on Windows Server 2008 R2 Domain Controllers. You can see the account used in Services.msc -> Windows Time -> Properties.


You can disable host time synchronization in the virtual machine settings in the Integration Services section of the Hyper-V Manager by clearing the Time Synchronization check box.
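The same change scripted, as an added example that is not part of the original post: the host-side function turns off the Time Synchronization integration service for the VMs that are DCs, and the guest-side function checks what W32Time is actually using. The host part assumes the Hyper-V PowerShell module (Server 2012 or later); on 2008 R2 use the Hyper-V Manager checkbox described above. The VM names and function names are assumptions.

```powershell
# Added example (not from the post). Host side: disable the Time
# Synchronization integration service for DC VMs. Guest side: confirm the
# DC is no longer taking its clock from the host. VM names are assumed.
param([string[]]$DcVmNames = @('DC1', 'DC2'))

# ---- run on the Hyper-V host (Hyper-V module, Server 2012 or later) ----
function Disable-DcHostTimeSync {
    foreach ($vm in $DcVmNames) {
        $svc = Get-VMIntegrationService -VMName $vm -Name 'Time Synchronization'
        if ($svc.Enabled) {
            Disable-VMIntegrationService -VMName $vm -Name 'Time Synchronization'
            Write-Host "$vm : host time synchronization disabled"
        } else {
            Write-Host "$vm : host time synchronization was already off"
        }
    }
}

# ---- run inside the DC guest ----
function Test-GuestTimeSource {
    # When the integration service still drives the clock, w32tm reports
    # "VM IC Time Synchronization Provider" as the source instead of a DC
    # or an NTP peer. ("w32tm /query" exists on 2008 and later.)
    $source = (w32tm /query /source) -join ' '
    if ($source -match 'VM IC Time Synchronization Provider') {
        Write-Warning "Clock is driven by the Hyper-V host, not the domain hierarchy: $source"
        return $false
    }
    Write-Host "Time source: $source"
    return $true
}

# Disable-DcHostTimeSync    # <- on the host
# Test-GuestTimeSource      # <- inside each DC guest
```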


How to configure your virtual Domain Controllers and avoid simple mistakes with resulting big problems
http://www.sole.dk/post/how-to-configure-your-virtual-domain-controllers-and-avoid-simple-mistakes-with-resulting-big-problems/?p=387

Windows Time Service Related General Links


A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet
http://support.microsoft.com/kb/262680


Time Registry settings: Windows Time Service Tools and Settings
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx


How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042


Jorge’s Time Service blogs:
Configuring and Managing the Windows Time Service, Parts 1 to 4:
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-1.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-2.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-3.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-4.aspx


Support boundary to configure the Windows Time service for high accuracy environments
http://support.microsoft.com/kb/939322


Basic Operation of the Windows Time Service
http://support.microsoft.com/kb/224799


Time Service:
http://support.microsoft.com/kb/216734


How to configure an authoritative time server in Windows Server (2003 & 2008)
http://support.microsoft.com/kb/816042


How to Configure an Authoritative Time Server in Windows Server 2008 (This article is based on Microsoft KB816042, link provided above.)
http://www.articlesbase.com/operating-systems-articles/how-to-configure-an-authoritative-time-server-in-windows-server-2008-461336.html


Change the Windows Time service configuration on the previous PDC emulator
http://technet.microsoft.com/en-us/library/cc738042.aspx


A comprehensive list of the Simple Network Time Protocol (SNTP) time servers:
http://support.microsoft.com/kb/262680


Windows Time Service Tools and Settings (including the w32time service, the w32time registry entries, and how to use the w32tm commands)
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx


How Windows Time Service Works. This article provides a good overall graphical explanation of the Time Service in Windows.
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx


Network Time is off, not sure how to fix it
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/652e8200-fc4b-40c7-b579-a88d934df04d/


The Windows 2000 and 2003 time service skew handling and algorithm are pretty much the same. See page 9 of the following Microsoft document, The Windows 2000 Time Service:
http://download.microsoft.com/download/2/0/f/20f61625-7b2a-4531-b007-1c714f1e51b7/wintimeserv.doc


How the Windows Time Service Works, Updated: March 12, 2010
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx


Configure a client computer for automatic domain time synchronization
Applies to Windows 7 & Windows 2008 R2 Time Service
http://technet.microsoft.com/en-us/library/cc758905(WS.10).aspx


Microsoft Videos on the Time Service
http://www.microsoft.com/showcase/en/us/search?phrase=w32time


Configuring the Time Service: Enabling the Debug Log
http://blogs.msdn.com/b/w32time/archive/2008/02/28/configuring-the-time-service-enabling-the-debug-log.aspx


Windows Time Service – The official Microsoft blog site for the Windows Time Service
By Ryan Sizemore,  7 Aug 2009 12:10 PM
http://blogs.msdn.com/b/w32time/archive/2009/08/07/net-time-and-w32time.aspx

==================================================================


Ace Fekay

Folder Redirection



Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer


Edit: Updated – 7/22/08
Edit: Added Troubleshooting section and a Summary section – 10/12/2009.
Edit: Broken links fixed – 11/24/09
Edit: Updated 1/22/2011 with additional information and fixed a broken link
Edit: 6/27/2011 – Added two new links, one with screenshots
Edit: 10/28/2011 – DFS section about it not being recommended or supported with Redirection
===


 


Folder Redirection Background


I believe Folder Redirection combined with Offline Files is a great solution for many environments. I have it implemented at all my customer sites for laptops and desktops. I usually just opt to redirect the My Documents folder, and possibly the Desktop, but I do not redirect Application Data or the Start Menu: Start Menus may differ based on what’s installed on the other machines users log on to, and the Application Data folder can grow exponentially with unwanted or unneeded data, which means additional data to back up on the server and additional overhead on server storage and backup capacity. You know how large the application data folder can get, and it is not always a good choice to redirect. Keep that in mind when you implement this feature.


It allows all their data to be available no matter which machine they log on to, as well as when new machines are deployed. There are no worries about user data being lost or deleted when re-imaging machines in an environment. Just make sure all users are instructed to put all their data into the My Documents folder; if you choose to redirect the Desktop, they can also save data to the desktop, but I would rather just redirect the My Documents folder.


Therefore, depending on which folders you decide to redirect, a user will get their data no matter where they log in. Enabling Offline Files as well provides an additional performance increase on the user side, as well as the ability to take machines off-site (such as laptops) so the folks have their data no matter where they are. As I mentioned, I usually just implement Folder Redirection with the My Documents folder and not the others. With redirection and Offline Files configured, all data is cached locally and only syncs up at scheduled or manually set times, and at logon or logoff. It vastly reduces client to server traffic.


 


Implementing Folder Redirection


There are a few things that need to be set up to make redirection work. In a mixed Vista/XP environment, as many are going through right now, it may be a little challenging: both can use the same home folder setting, but a user must stick with one OS or the other, and not log on to an XP machine and then to a Vista machine, or things may get skewed. You may find other ways to implement it (whether using an AD group or not, etc.), but I’ve found this method successful in my implementations.


1. The user accounts need to be in the OU the Redirection Policy will apply to. It doesn’t matter where the computer accounts are. This is because Redirection is a User based Policy.


2. More than likely, the Redirection policy is set up to apply to a group. Therefore, make sure the user account is part of that group.


3. Only the internal DNS servers must show up in a machine’s IP properties.


4. The way I set up the shares is to create a root folder called Users. I share it out as Users$ and set share permissions to only System=FC and Domain Admins=FC.


5. Create child folders, one for each user. The share permissions for the user must be set to Full Control, or it won’t work. For example, for a user named Bill, I create a Bill folder, then share it out as Bill$, and set the share permissions to:
Domain Admins=FC
System=FC
Bill=FC.


6. The user MUST have FC for both the share and the NTFS permissions. Therefore, I set the NTFS permissions (the Security tab) to:
Domain Admins=FC
System=FC,
Bill=FC.


7. In the user’s AD properties, Profile tab, configure a home folder (this assumes you want their stuff redirected to the home folder): click a drive letter such as G or H, then enter something like \\servername\%username%$ (the $ makes the share hidden). Whether to hide it or not depends on corporate SOP. %username% is a variable that will create the folder for you, but I usually create it manually, as in the previous steps.


8. Create an AD group, call it (for example) “My Docs Redirect Group.” Create the Redirect policy based on the group membership; for example, the My Documents folder should be redirected to \\servername\username$\. You can also specify \\servername\username$\My Documents, which I like because their data goes into a subfolder named My Documents under the user folder. This requires additional testing on your part to make sure the respective data goes into the folders you’ve specified. However, many installations simply specify the home folder, \\servername\username$, which is easy and works well. I’ve been using this method myself (outlined in the next step); however, with this method ALL of their documents wind up directly in the root of the home folder, and this could be a little problematic with Vista. For more info on Vista and XP in a mixed environment, and problems that may occur, please read the links at the bottom of this article.


9. In the My Documents policy setting, select “Advanced – Specify Location based on various User Groups.” Add the AD group you just created. For the target folder location, choose Redirect to the Home Folder. After you click OK, it will display a UNC in the form \\%HOMESERVER%%HOMEPATH%. Under the Settings tab, check the box that says Grant the user exclusive rights to My Documents. Also select Move the Contents, as well as Leave the Folder in the new location when the policy is removed.


10. I usually create a logon .bat script, place it in the NETLOGON share, and specify the script name in their AD properties, to manually map the same drive letter specified under the Profile tab to the home folder, such as with a command line of “net use h: \\servername\username$”.


It can also be done using VB and a logon script in their GPOs. The script normally does multiple other things as well; I’m just pointing out this portion of it. It is your choice whether to use VB, CMD or bat files when creating a script.


11. Enable Offline Use for the redirected My Documents.


12. Repeat for the other folders, if you choose to include them. I would set them to use subfolders, such as Application Data, so the data doesn’t get intermixed with the My Docs.


13. Link the GPO to the OU you want it to apply to. Keep in mind, it will not work until you add the users you want it to apply to into the My Docs Redirect Group that you’ve created.


14. If you ever need to move the Users folder location to a new server, simply mirror the shared folders and permissions from the old server on the new server drive (no need to copy the data), and change the policy to point to the new UNC. The next time the user logs on, the data will be moved automatically. The larger the amount of data, the longer it will take. For example, one customer had a 10 GB home folder. It took about 20 minutes to move; however, the user was able to work. Some of the files weren’t available immediately, but they eventually showed up.
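Steps 4 through 6 above, scripted for one user, as an added example (this is not the post’s own code): the root share Users$ is limited to System and Domain Admins, and the hidden per-user share gives System, Domain Admins and the user Full Control on both the share and the NTFS ACL, which is the combination the post says redirection needs. The domain name, root path, user name and helper function names are assumptions; it uses net share rather than the SMB cmdlets so it also works on 2003/2008 file servers.

```powershell
# Added example (not the post's own code): build one user's home folder the
# way the post describes. Run elevated on the file server. Domain, root path
# and user name are parameters with assumed defaults.
param(
    [Parameter(Mandatory = $true)][string]$UserName,   # e.g. Bill
    [string]$Domain   = $env:USERDOMAIN,                # e.g. CONTOSO
    [string]$RootPath = 'D:\Users'
)

function Set-FullControlOnly {
    # Replace the NTFS ACL on $Path with explicit Full Control for $Identities.
    # Inheritance is cut so the parent's ACEs do not leak down to the folder.
    param([string]$Path, [string[]]$Identities)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect the ACL, drop inherited ACEs
    foreach ($id in $Identities) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                           -ArgumentList $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function New-HiddenShare {
    # "net share ... /GRANT" exists on XP/2003 and later, so no SMB cmdlets
    # (Server 2012+) are required. Each /GRANT is passed as its own argument.
    param([string]$Name, [string]$Path, [string[]]$FullControlFor)
    $netArgs = @("$Name=$Path") + ($FullControlFor | ForEach-Object { "/GRANT:$_,FULL" })
    & net share $netArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net share failed for $Name" }
}

function Test-ShareExists([string]$Name) {
    # "net share" lists one share per line with the share name first.
    return [bool](net share | Where-Object { $_ -match ('^' + [regex]::Escape($Name) + '\s') })
}

$system = 'SYSTEM'
$admins = "$Domain\Domain Admins"
$user   = "$Domain\$UserName"

# 1. Root folder + hidden Users$ share: System and Domain Admins only.
if (-not (Test-Path -LiteralPath $RootPath)) { New-Item -ItemType Directory -Path $RootPath | Out-Null }
Set-FullControlOnly -Path $RootPath -Identities @($system, $admins)
if (-not (Test-ShareExists 'Users$')) {
    New-HiddenShare -Name 'Users$' -Path $RootPath -FullControlFor @($system, $admins)
}

# 2. Per-user folder + hidden <user>$ share: the user needs Full Control on
#    BOTH the share and the NTFS ACL, or redirection fails.
$userPath  = Join-Path $RootPath $UserName
$shareName = $UserName + '$'
if (-not (Test-Path -LiteralPath $userPath)) { New-Item -ItemType Directory -Path $userPath | Out-Null }
Set-FullControlOnly -Path $userPath -Identities @($system, $admins, $user)
if (-not (Test-ShareExists $shareName)) {
    New-HiddenShare -Name $shareName -Path $userPath -FullControlFor @($system, $admins, $user)
}

Write-Host "Home folder UNC for the user's Profile tab: \\$env:COMPUTERNAME\$shareName"
```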




Redirecting the Desktop, My Music, Application Data, etc


For the Desktop, what I suggest is to first create a “Desktop” folder under each user’s folder. Then enable Desktop Redirection to a specific folder, make sure the My Docs Redirect Group is specified (based on my procedure and locations above), and set the path to \\%username%$\user$\desktop.


One issue you may come across: if you do not select to redirect My Music, simply because you don’t want that sort of stuff on the server for multiple reasons (such as drive space on the server or backup media limitations), some users wise up, figure out what’s going on, and start saving their music in their My Docs folder. You can control that using Microsoft’s FSRM.


 


Storage Reports


FSRM – File Server Resource Manager
By using File Server Resource Manager, administrators can place quotas on folders and volumes, actively screen files, and generate comprehensive storage reports:
http://technet.microsoft.com/en-us/library/cc755603(WS.10).aspx





Folder Redirection with Terminal Services


Keep in mind, there’s no problem in using TS Roaming Profiles, but if you want users’ Documents and Desktops to work, you need to combine the feature with Folder Redirection on all the servers and workstations so all user folders are redirected to the same place. It’s recommended not to use Roaming Profiles because of the added complexity.


Profile and Folder Redirection In Windows 2003 (explains the differences between a roaming profile and a non-roaming profile, recommending not to use Roaming Profiles and just use Folder Redirection):
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html


How To Configure Folder Redirection, Aug 22, 2007
How to use Group Policy to redirect the “Desktop”, “My Documents”, “Start Menu” and “Application Data” folders.
http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html


Terminal Service Administration and Folder Redirection, Jun 6, 2006
If Remote Desktop for Administration is enabled on a server that’s running Windows Server 2003, then the server can not be configured to use …
http://www.msterminalservices.org/articles/Terminal-Service-Administration-File-Redirection.html


Using Folder Redirection with Terminal Server: Terminal Services, Mar 28, 2003
Folder Redirection allows users and administrators to redirect the path of a folder to a new location.
http://technet.microsoft.com/en-us/library/cc737867(WS.10).aspx


Best practices for Folder Redirection: Group Policy, Jan 21, 2005
In general, accept the default Folder Redirection settings. Logging off the terminal server causes copying to occur in the opposite …
http://technet.microsoft.com/en-us/library/cc739647(WS.10).aspx




Folder Redirection and Terminal Server Users (forum thread archived from microsoft.public.win2000.group_policy, last post Jun 1, 2004):
http://www.tomshardware.com/forum/218519-46-folder-redirection-terminal-server-users


You can also configure terminal services redirection manually in the registry:


reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Personal /t REG_EXPAND_SZ /d "G:\MyDocs" /f


reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop /t REG_EXPAND_SZ /d "G:\Desktop" /f


reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v AppData /t REG_EXPAND_SZ /d "G:\Application Data" /f




Removing Folder Redirection


How to stop Folder Redirection in Windows Server 2003 and in Windows 2000 Server
http://support.microsoft.com/kb/888203


- Make sure you have a recent backup of the server where the redirected files are prior to making any changes. If you don’t (and this may be a good practice whether you have a good backup or not), I would suggest recovering the files from the offline cache on the machine you want to remove from the Redirection GPO. You can do that by copying the files from the My Documents folder, and any other redirected folders that are in the policy, to another location on the hard drive. Make sure you do that prior to removing the machine from the GPO or from the domain; otherwise, if there are any problems or you have no backup, it may be impossible to recover them afterward.


- You will probably want to include other files from the machine that may not have been part of the Redirect policy (or even if they were), such as Favorites, Desktop items, the Downloads folder, etc. One important file you may also want to copy is the Outlook nickname drop-down list file. That’s the list of names that shows up in the drop-down when you start typing in the To:, Cc: and Bcc: boxes. It’s stored in a file called <OutlookProfileName>.NK2 and is located in:
C:\Documents and Settings\UserName\Application Data\Microsoft\Outlook


It can be copied from machine to machine. Just rename it to the Outlook profile name of the target machine.


If there are any PST files, you may want to copy them, as well. The default location is:
C:\Documents and Settings\Username\Local Settings\Application Data\Microsoft\Outlook


- Use Group Policy to set folder redirection back to the default location, which is your profile folder on the PC. You can’t just remove the policy, because the folders will stay where they are. You need to redirect them back to where they were.


- Re-initialize the offline cache. Redirected folders by default are synchronized to be available offline. That’s the little arrow in the corner of the icon. Unfortunately, Offline Files in XP will keep trying to synchronize until you re-initialize it.


How to re-initialize the offline files cache and database
Provides two methods to re-initialize the offline files cache and database.
http://support.microsoft.com/kb/230738


- If you used a group to control Folder Redirection, remove the user from the folder redirect group. If not, move the user out of the OU the Folder Redirection GPO is linked to.


 


Troubleshooting Folder Redirection


Is the workstation receiving the policy?


You can first run the gpresult.exe utility on the client side to determine if the GPO is being applied.


Then I would suggest to use the GPMC to create an RSOP for specifics, such as to look for any access denied issues, etc. If the GPO is being applied and there are no denials or other issues in the RSOP, then I would look into the user’s folder configuration, permissions, UNC path, etc, set in the GPO. If that doesn’t help, basically, enabling Userenv logging can assist in troubleshooting GPO problems, including Folder Redirection. 


Userenvlog


The Userenv.log contains verbose information about policy and profile processing. It also contains additional logs such as the gptext.txt log, which records events for Group Policy extensions such as Folder Redirection, among other things. This file is located in c:\windows\debug\usermode and contains entries associated with the Userenv process. It is usually a fairly small text file since verbose logging is not enabled by default. You can find out more about the userenv.log at the following link.


Userenv and GPE logging: A great tool for debugging Group Policy Extensions
http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1250007,00.html


Enable logging for Folder Redirection:


Locate the following subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics


Create a new Reg_DWORD entry called FdeployDebugLevel and set its value to 0x0f.


The log file is created in %windir%\Debug\Usermode\Fdeploy.log.
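The client-side checks above (is the policy applied, and where do the folders actually point) collected in one script, as an added example that is not part of the original post. It reads the Personal, Desktop and AppData values under User Shell Folders, the same values the reg add commands in the Terminal Services section write, and with -EnableFdeployLog sets the FdeployDebugLevel value just described. The switch and function names are assumptions.

```powershell
# Added example (not the post's own code): client-side check of Folder
# Redirection. Run as the affected user on the workstation; the registry
# write at the end needs admin rights.
param([switch]$EnableFdeployLog)

function Get-RedirectionState {
    # One object per folder: raw value, expanded path, whether it is a UNC
    # (i.e. redirected) and whether that path is reachable right now.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'Personal', 'Desktop', 'AppData') {
        $raw      = [string]$props.$name
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        New-Object PSObject -Property @{
            Folder     = $name
            RawValue   = $raw
            Path       = $expanded
            Redirected = ($expanded -like '\\*')          # UNC path => redirected
            Reachable  = ($expanded -ne '' -and (Test-Path -LiteralPath $expanded))
        }
    }
}

Get-RedirectionState | Format-Table Folder, Redirected, Reachable, Path -AutoSize

# Is the GPO reaching this user at all? (On XP/2003 use "gpresult /scope:user".)
gpresult /r /scope:user

if ($EnableFdeployLog) {
    # The registry toggle from the post: FdeployDebugLevel = 0x0f under
    # HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics.
    $diag = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics'
    if (-not (Test-Path $diag)) { New-Item -Path $diag -Force | Out-Null }
    Set-ItemProperty -Path $diag -Name FdeployDebugLevel -Value 0x0f -Type DWord
    Write-Host "Fdeploy logging enabled; see $env:windir\Debug\Usermode\Fdeploy.log after the next logon"
}
```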


General issues with Folder Redirection?


Here’s a good article on repairing Folder Redirection:


Repair folder redirection and shares
http://technet.microsoft.com/en-us/library/dd440852(WS.10).aspx


Vista: Redirected Folders Changes The User’s Home Folder Name From the “User’s Name” to “Documents”


When you redirect the Documents folder on a Windows Vista-based computer to a network share, the folder name unexpectedly changes back to Documents
http://support.microsoft.com/kb/947222


Was the username changed in Active Directory?


You may need to make some adjustments. Take a look at the following articles for more information.


Folder Redirection Operation Is Unsuccessful When You Rename the User
http://support.microsoft.com/kb/827059


The folder redirection process fails on a computer that is running Windows Vista or Windows XP when you change the user name in Active Directory
http://support.microsoft.com/kb/953529


 Concurrent Logon Issue occurs when users logon to more than one workstation simultaneously


Some other things to keep in mind: a user may log on to a different workstation while still logged on at another. This can cause an issue where, if anything changes in their files from machine to machine, the ‘last man wins’ rule jumps into play. To prevent such a thing from occurring, you must instruct users to log on at one machine at a time.


If users do not pay attention or disregard this guideline, you have a few options at your disposal:


1. Take a look at LimitLogin in the following links.


Microsoft releases LimitLogin v1.0. 16-Mar-05
http://windowsitpro.com/articles/index.cfm?articleid=83236


Utility Spotlight: Limit Login Attempts With LimitLogin – Ever needed to limit concurrent user logins in an Active Directory® domain? Ever wanted to keep track of information about every login in a domain?
http://technet.microsoft.com/en-us/magazine/2005.05.utilityspotlight.aspx


LimitLogin – Tool to limit and monitor concurrent logins in a … LimitLogin is an application that adds the ability to limit concurrent user logins in an Active Directory domain. It can also keep track of all logins …
http://msmvps.com/blogs/javier/archive/2005/03/14/38557.aspx


2. The Windows 2000 Server Resource Kit has the Cconnect.exe tool to prevent users from logging on more than once. But no warning is displayed. They simply won’t be able to connect. More information can be found in the following link:


Limiting a user’s concurrent connections in Windows Server 2003 … Install the Windows 2000 Resource Kit tool named CConnect.exe on each client computer. With this tool, together with the .adm file it supplies, you can limit concurrent logins.
http://support.microsoft.com/kb/237282


3. Using the PsShutdown.exe and PsLoggedOn.exe freeware, originally included in the PsTools suite from Sysinternals, which is now part of Microsoft. PsTools can be downloaded free from Microsoft. With these two utilities, you can add some code to your logon script to prevent a user from logging on more than once. The code, and instructions on how to use it, can be found at the following link.


How can I prevent users from logging on more than once, without using the Cconnect.exe Resource Kit Tool? 08-Dec-04
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768


PsTools – The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, and much much more.
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx


Windows Sysinternals: Documentation, downloads and additional information on PSTools.
http://technet.microsoft.com/en-us/sysinternals/default.asp


 


EventID 510, Source = Folder Redirection:


“Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect.”
You can enable Folder Redirection debug logging to help narrow down the issue:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics\FdeployDebugLevel REG_DWORD value=0xf


Event ID 510, Source = Folder Redirection


Folder Redirection policy application never applied completely
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24558513.html


Folder Redirection encounters errors and redirection fails
“Folder Redirection, like Software Installation settings, can only be applied during computer startup or user logon. On computers running Windows XP with logon optimization enabled, this can mean that the user needs to log on more than once before the setting takes effect. “
http://technet.microsoft.com/en-us/library/cc781863(WS.10).aspx


How Folder Redirection Extension Works
“…Because background refresh is the default behavior in Windows XP, Folder Redirection and Software Installation might require as many as three logons to apply changes. “
http://technet.microsoft.com/en-us/library/cc787939(WS.10).aspx#w2k3tr_gpfdr_how_xokx


How Folder Redirection Works:
http://technet.microsoft.com/en-us/library/cc787939(WS.10).aspx


Security Considerations when Configuring Folder Redirection
http://technet.microsoft.com/en-us/library/cc775853(WS.10).aspx



Windows 7, roaming profiles, and waiting over a minute to logon (providing DNS configurations are correct):


Managing Roaming User Data Deployment Guide –
“At logon, Windows Vista typically waits 30 seconds for an active network, when you configure the user with a roaming user profile or remote home directory. In cases such as wireless networks, it may take more time before the network connection becomes active. Enabling this policy allows Windows to wait up to the number of seconds specified in the policy setting for an active network connection. Windows immediately proceeds with logging on the user as soon as the network connection is active or the wait time exceeds the value specified in the policy setting. Windows does not synchronize roaming user profile or connect to the remote home folder if the logon occurred before the network connection became active.”
http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx


As shown in the above link, the 30 second delay is “By Design”. The Windows 7 and Windows Vista NLM (Network Location Management) service, running behind the user policy service, is by default set to wait 30 seconds for the network if a user has a Roaming User Profile or Remote Home Folder set in ADUC. In many cases, a 30 second logon may be unacceptable. This setting can be adjusted in a GPO.
 
Computer settings
   Policies
        Admin Template
             System
                   User Profiles
                        Set max wait time for the network if a user has a roaming user profile or remote home folder
 
Depending on your network, setting this time too short could result in the user not receiving the RUP or remote home folder.
 
One suggestion, if you want to keep a 7 – 10 second logon time, is to set the GPO to 1 second, map the home folder with GPO Preferences, and let redirection take care of the rest.



Profile Size Limits and Folder Redirection causing size limit reached error message


Do you have a GPO that limits the Profile Size? Have a look at the following KB article.


Error message may occur when you increase the maximum profile size
http://support.microsoft.com/kb/290324


Have you tried to clean up the profile on one computer to check if the notification goes away? (For example, removing temporary internet files, moving big files from My Documents to a network share, deleting temporary files …)


From Mark D. MacLachlan:
For the benefit of others, you can eliminate the need to fix this manually on each PC by using the
following VBScript as a login script.


[code]
' Login script: turn off the profile-size quota for the current user by
' writing EnableProfileQuota = 0 under the per-user System policy key.
Dim WSHShell, Path
Path = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableProfileQuota"
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.RegWrite Path, 0, "REG_DWORD"
[/code]


In case of posted line wrapping, the line starting with “Path = ” ends
with “\EnableProfileQuota” so make sure they are one line in your script.



Folder Redirect Re-targeting


Change it in GPO as well as client side reg:


“HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Documents” = “%HomeShare%%HomePath%Documents”
http://vistavitals.blogspot.com/2007/11/folder-redirection-misbehaves-after.html


 


Notes on Roaming Profiles – Removing Roaming Profiles


You can set up a Folder Redirection GPO, testing it on a test OU and a test user account that already has a roaming profile. Once Folder Redirection is in place, you can copy the data into the My Docs folder to allow redirection to sync it to their home folder. Once that is in place and working, you can remove the roaming profile by using the Delprof or Remprof utility.


User Profile Deletion Utility (Delprof.exe) – For Windows XP and previous operating systems
http://www.microsoft.com/download/en/details.aspx?id=5405 


Delprof2 – User Profile Deletion Tool
The unofficial successor to Microsoft’s Delprof that works with Windows Vista and newer.
http://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/


How To Delete User Profiles by Using the User Profile Deletion …
http://support.microsoft.com/kb/315411


BombProf – GUI Based Profile Management Utility
Windows Compatible – 2000\XP\2003\Vista\2008\7 & Citrix Compatible – Metaframe\Presentation Server\XenApp
Direct Download: http://www.ctrl-alt-del.com.au/files/BOMBProf.zip
(Part of the CAD Freeware Util Pack): http://www.ctrl-alt-del.com.au/CAD_TSUtils.htm#Freeware 


RemProf – Command-line utility to delete local user profiles that are NOT in use when this command is executed.
Direct Download NT\2k\2k3 edition: http://www.ctrl-alt-del.com.au/files/RemProf.zip
Direct Download w2k8/win7 edition: http://www.ctrl-alt-del.com.au/files/RemProf08.zip
Part of the CAD Freeware Util Pack: http://www.ctrl-alt-del.com.au/CAD_TSUtils.htm#Freeware  


Removing Roaming Profiles  (using delprof with example command line switches)
http://www.edugeek.net/forums/windows/16924-removing-roaming-profiles.html


How To Delete User Profiles by Using the User Profile Deletion


This website provides a short overview of the free Microsoft “Delprof” tool and the commercial “Remote Profile Cleaner” tool, including scripting examples.
http://www.delprof.eu/ 


To delete the roaming profile folders on the server side (assuming the roaming profiles location is a different location, or UNC path, than the redirected folders), first remove the roaming profile path specified in the AD user account. Then, as an administrator, you’ll find that you won’t be able to delete the actual roaming profile folder that belongs to a user account. To perform this action, you’ll need to take ownership of the folder. Read more:


Roaming Profile Folders Do Not Allow Administrative Access
http://support.microsoft.com/kb/222043



Going from Roaming Profiles to Folder Redirection:


Roaming Profiles and Folder Redirection
http://webcache.googleusercontent.com/search?q=cache:UU6f-dPW3nIJ:thelazyadmin.com/blogs/thelazyadmin/archive/2005/05/15/Roaming-Profiles-and-Folder-Redirection.aspx+lazyadmin+folder+redirection&cd=1&hl=en&ct=clnk&gl=us&source=www.google.com  




DFS and Folder Redirection


This is neither supported nor recommended.


Microsoft’s Support Statement Around Replicated User Profile Data
http://blogs.technet.com/b/askds/archive/2010/09/01/microsoft-s-support-statement-around-replicated-user-profile-data.aspx


Replicating User Profiles Between Sites (With or Without DFS) – Why it Should be Avoided
http://blogs.sepago.de/helge/2009/07/30/replicating-user-profiles-between-sites-with-or-without-dfs-why-it-should-be-avoided/


Roaming Profiles using DFS? – is it possible?
http://social.technet.microsoft.com/Forums/en-US/winserversetup/thread/af23abbc-2d35-4f92-a1c1-8068cdd74cd4/


 


Summary


- Make sure you have a recent backup of the server where the redirected files are prior to making any changes. If you don’t (and this may be a good practice whether you have a good backup or not), I would suggest recovering the files from the offline cache on the machine you want to remove from the Redirection GPO. You can do that by copying the files from the My Documents folder, and any other redirected folders that are in the policy, to another location on the hard drive. Make sure you do that prior to removing the machine from the GPO or from the domain; otherwise, if there are any problems or you have no backup, it may be impossible to recover them afterward.


- You will probably want to include other files from the machine that may not have been part of the Redirect policy, or even if they were, such as Favorites, Desktop items, Downloads folder, etc.


If there are any PST files, you may want to copy them, as well. However, keep in mind, PST files, along with MDB and other database files, do not work well with Redirection. FYI, the default PST location is:
C:\Documents and Settings\Username\Local Settings\Application Data\Microsoft\Outlook


One important file you may want to also copy is the Outlook nickname drop-down list file. That’s the names that show up in the drop-down list box that shows up when you start typing something in the To:, Cc: and Bcc: boxes. Many a user will claim this is their “Address Book.” However we all know it is not, but they’ve come to rely on this feature and will complain if missing in their new profile. This file can be copied from machine to machine. Just rename it to the Outlook profile name of the target machine. It’s stored in a file called the <OutlookProfileName>.NK2 file and is located in (depending on operating system version):


XP and Windows 2000:
c:\Documents and Settings\UserName\Application data\Microsoft\Outlook


Windows Vista:
C:\Users\UserName\AppData\Roaming\Microsoft\Outlook


If Vista was upgraded from Windows XP:
C:\Documents and Settings\UserName\AppData\Roaming\Microsoft\Outlook


- Use Group Policy to set folder redirection back to the default location, which is your profile folder on the PC. You can’t just remove the policy, because the folders will stay where they are. You need to redirect them back to where they were.


- Re-initialize the offline cache. Redirected folders by default are synchronized to be available offline. That’s the little arrow in the corner of the icon. Unfortunately, Offline Files in XP will keep trying to synchronize until you re-initialize it.


How to re-initialize the offline files cache and database
Provides two methods to re-initialize the offline files cache and database.
http://support.microsoft.com/kb/230738


- If you used a group to control Folder Redirection, remove the user from the folder redirect group. If not, move the user out of the OU that the Folder Redirection GPO is linked to.


 


Related Links


Implementing Folder Redirection using Group Policy
http://www.tech-faq.com/implementing-folder-redirection-using-group-policy.html


Folder Redirection (with a step by step video)
http://www.folderredirection.com/


Recommendations for Folder Redirection: Group Policy
http://technet.microsoft.com/en-us/library/cc785925(WS.10).aspx


Folder Redirection feature in Windows
http://support.microsoft.com/kb/232692


How To Configure Folder Redirection, Aug 22, 2007 … How to use Group Policy to redirect the “Desktop”, “My Documents”, “Start Menu” and “Application Data” folders.
www.msterminalservices.org/articles/Configure-Folder-Redirection.html


How to Configure Folder Redirection
http://technet.microsoft.com/en-us/library/cc782799.aspx


How To Configure Folder Redirection
http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html


User Profiles and Folder Redirection FAQ
http://www.microsoft.com/technet/community/en-us/management/manage_faq.mspx


Enabling the administrator to have access to redirected folders
http://support.microsoft.com/kb/288991


Folder Redirection in a mixed environment XP/Vista
http://www.gpanswers.com/community/viewtopic.php?t=2257


When you redirect the Documents folder on a Windows Vista-based computer to a network share, the folder name unexpectedly changes back to Documents
http://support.microsoft.com/kb/947222


Profile and Folder Redirection In Windows Server 2003 (explains the differences between a roaming profile and a non-roaming profile, recommending not to use Roaming Profiles and to just use Folder Redirection):
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html



Ace Fekay
==================================================================

What’s in an Active Directory DNS Name?  Choosing the Same As Your Public Domain Name, a “.net” Version of Your Public Name, or “.local”


Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer


Original publication 5/2005
Updated 5/2010
Updated 10/15/2010 – Provided a link to my blog with a How-To to deal with DNS and the name chosen, and Exchange 2007 & 2010 UC/SAN certificate considerations


 


 Topics Covered:


  1. Preface: AD Design Considerations
  2. Scenario 1 – Same Name as your external name (Split-Zone)
  3. Scenario 2 – Sub domain name of the public domain name
  4. Scenario 3 – Choosing a TLD Variation of your Public Domain, such as the “.net” version of it
  5. Scenario 4 – Choosing a private TLD such as “.local”
  6. Exchange 2007 & 2010 UC/SAN certificate considerations
  7. Related Links





==================================================================
Preface: AD Design Considerations


Should I choose the same AD DNS domain name as my external public domain name (also called split-zone), choose a sub domain name of my public name, or should I choose a completely different name such as .local or .net?


I must say this is a classic question that has arisen on numerous occasions starting with the beginning days of AD.


Choosing a name for your internal AD DNS domain name can be based on a number of things, whether technical or political, or previous administrative experience. This has been highly discussed (not debated) in the past.


Whatever decision you make for an AD DNS FQDN domain name, just understand the ramifications. I’m not going to get into any sort of debate, for there is really nothing to debate, nor try to help someone decide what is ‘right’ or ‘wrong’; I will just state the ramifications and implications of the name you do decide on, and how to get around them, no matter what the decision was based on.


 


Discussion on what name to choose


This discussion was between myself and Todd J. Heron, MVP, during the Summer of 2003.


Classic question:
“Which are the advantages of naming my domain with domain.com rather than domain.local? I have a domain.com registered for my Company that I use for my e-mail and Site Internet.”


There are different answers to this classic question and while these answers ultimately depend upon company preference, much of the direction will be based upon administrator experience.  The three basic scenarios outlined below are the most commonly given answers to the question, sometimes altogether and sometimes not.   Some company networks use a combination of these scenarios.  When explaining it to a relative beginner asking the question, many responses omit explanatory detail about all the scenarios, for fear of causing more confusion.


All three approaches will have to take both security and the end-user experience into perspective.  This perspective is colored by company size, budget, and experience of personnel running Active Directory and the network infrastructure (mostly with respect to DNS and VPN).  No one approach should be considered the best solution under all circumstances.  For any host name that you wish to have access to from both your internal network and from the external Internet you need scenario 1, although it is the most DNS-intensive over time.  If you do not select this option and go with scenario 2, 3 or 4, consideration will have to be given to the fact that company end-users will need to be trained on using different names under different circumstances (based on where they are: at work, on the road or at home).


Since our discussion, I’ve expanded the Scenarios to include considerations when obtaining an Exchange 2007 or 2010 UC/SAN certificate. The certificate authorities will check all of the names for their registered owner. If you choose an internal name that just happens to be a real public domain name that you weren’t aware of, and owned by someone else, the certificate authorities will reject the certificate request. See Scenario 3 for more information.



 



==================================================================
Scenario 1 – Same Name as your external name (Split-Zone)


Choosing the same name internal/external (split-zone, or split-brain, whatever you want to call it) has the most administrative overhead. Why is it chosen?


Either because of a misunderstanding of the pros and cons, for political reasons, or for ease of use.


Pros:


1. Their email address is their logon name. Easier to remember.


2.  Security.  Each DNS zone is authoritative for the zone of that name, so the external DNS zone and internal AD/DNS zone will NOT replicate with each other, thereby preventing internal company records from being visible to the outside Internet.


3.  Short namespace.  Users don’t have to type in (or see) a long domain name when accessing company resources either internally or externally.  Names are “pretty”.


Cons:


1. Administrative overhead. If you try to get to your externally hosted website, it won’t resolve, because a DNS server will not forward or resolve outside for a zone that it hosts. You can overcome the www.domain.com dilemma by using a delegation: right-click your zone, choose New Delegation, type in ‘www’ and provide the public SOA/nameserver(s) for it. This way the server sends the resolution request to those nameservers and resolves it that way. As for http://domain.com, that is difficult, and you would have to instruct all users to use only www.domain.com. This is because of the LdapIpAddress record, the one that shows up as (same as parent), which EACH domain controller registers. So if you type http://domain.com, you will round-robin between the DCs. To overcome that, on EACH DC install IIS, then under the default website’s properties redirect it to www.domain.com and let the delegation handle the rest.


Now if you were to be using Sharepoint services, or something else that connects to the default website (no sub folders or virtual directories), then it becomes a problem. I know numerous installations setup with this and have operated fine for years.


2. Security.  Each DNS zone is authoritative for the zone of that name, so the external DNS zone and internal AD/DNS zone will NOT replicate with each other, thereby preventing internal company records from being visible to the outside Internet.


3.  Any changes made to the public DNS zone (such as the addition or removal of an important IP host such as a web server, mail server, or VPN server) must be added manually to the internal AD/DNS zone if internal users will be accessing these hosts from inside the network perimeter (a common circumstance).


4.  VPN resolution is problematic at best.  Company users accessing the network from the Internet will easily be able to reach IP hosts in the public DNS zone but will not easily reach internal company resources inside the network perimeter without special (and manual) workarounds such as maintaining hosts files on their machines (which must be manually updated as well every time there is a change to an important IP host in the public zone), entering internal host data in the public zone (such as for printers, SRV records for DCs, member server hosts, etc.), which exposes what internal hosts exist, or they must use special VPN software (usually expensive), such as Cisco, Netscreen, etc., which is more secure and reliable anyway.


For further reading on this scenario:
http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html
http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon-common-server-names.html
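A checker for the two Scenario 1 problems described above, the apex (same as parent) records and the missing www delegation, written as an added example (not code from the original post). It assumes a BIND-style text export of the internal zone such as `dnscmd /zoneexport` writes, with the owner name present on every record line; the zone text inside it is a constructed sample.

```python
"""Lint an internal split-zone DNS zone export for the Scenario 1 problems:
apex A records that are really the DCs' LdapIpAddress '(same as parent)'
registrations, and a missing 'www' record or delegation.
Added example, not from the original post. Assumes a BIND-style text export
(as `dnscmd /zoneexport` produces) with the owner name on every record line."""
from collections import defaultdict

# Constructed sample: an AD-integrated domain.com zone with two DCs and no www.
SAMPLE_ZONE = """\
;  Database file domain.com.dns for domain.com zone (constructed sample)
@   IN SOA dc1.domain.com. hostmaster.domain.com. (
        42 900 600 86400 3600 )
@                   NS   dc1.domain.com.
@                   NS   dc2.domain.com.
@               600 A    10.0.0.10
@               600 A    10.0.0.11
dc1            3600 A    10.0.0.10
dc2            3600 A    10.0.0.11
mail           3600 A    10.0.0.25
"""


def parse_zone(text):
    """Return {(owner, TYPE): [rdata, ...]} for a simple BIND-style zone.
    Strips comments, accepts an optional TTL and class, and skips the body of
    a parenthesised multi-line record such as the SOA."""
    records = defaultdict(list)
    in_parens = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if in_parens:                              # inside "( ... )" continuation
            in_parens = ")" not in line
            continue
        parts = line.split()
        owner = parts.pop(0)
        if parts and parts[0].isdigit():           # optional TTL
            parts.pop(0)
        if parts and parts[0].upper() == "IN":     # optional class
            parts.pop(0)
        rtype = parts.pop(0).upper()
        rdata = " ".join(parts)
        in_parens = "(" in rdata and ")" not in rdata
        records[(owner, rtype)].append(rdata)
    return records


def lint_split_zone(records):
    """Return a list of findings, each naming the fix the Scenario 1 text gives."""
    findings = []
    # In AD-integrated DNS the zone's NS records are the DCs; their A records are
    # what the LdapIpAddress registration duplicates at the apex (same as parent).
    dc_names = {ns.rstrip(".").split(".")[0] for ns in records.get(("@", "NS"), [])}
    dc_ips = {ip for dc in dc_names for ip in records.get((dc, "A"), [])}
    apex_on_dcs = sorted(ip for ip in records.get(("@", "A"), []) if ip in dc_ips)
    if apex_on_dcs:
        findings.append(
            f"apex '(same as parent)' A records point at DCs {apex_on_dcs}: "
            "http://<zone> will round-robin between the DCs; have users use "
            "www.<zone>, or redirect the default IIS site on each DC to it")
    if ("www", "NS") not in records:               # no delegation to public NS
        if ("www", "A") in records:
            findings.append("www is a local A record: it must be updated by hand "
                            "whenever the public zone changes; a delegation avoids this")
        else:
            findings.append("no www record or delegation: www.<zone> will not resolve "
                            "internally because this server is authoritative for the zone")
    return findings


if __name__ == "__main__":
    for finding in lint_split_zone(parse_zone(SAMPLE_ZONE)):
        print("-", finding)
```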


 


With a Split-Zone, you may lose the ability to access your website or other resources:


If you choose the same name, and you can’t access your internal website, or an external resource with the same name, you need to understand how to handle this with DNS. Read the following for specifics and a how-to.


Split Zone or no Split Zone – Can’t Access Internal Website with External Name
Published by acefekay on Sep 4, 2009 at 12:11 AM
http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx



 



==================================================================
Scenario 2 – Sub domain name of the public domain name


Choosing a child name or delegated sub domain name of the public zone.


Examples:  a name such as ‘ad.domain.com’ or ‘corp.microsoft.com’. The AD DNS namespace starts at corp.domain.com and has nothing to do with the domain.com zone.


Pros:


1. Minimal administrative overhead.


2. Forwarding will work.


3. The NetBIOS name will be ‘AD’ or ‘CORP’, depending on what you chose and what the users will see in the three-line legacy security logon box.


4.  Like Scenario 1, this method also isolates the internal company network but note this at the same time is also a disadvantage (see below).


5. Better than Scenario 1, internal company (Active Directory) clients can resolve external resources in the public DNS zone easily, once proper DNS name resolution mechanisms such as forwarding, secondary zones, or delegation zones are set up.


6. Better than Scenario 1, DNS records for the public DNS zone do not need to be manually duplicated into the internal AD/DNS zone.


7. Better than Scenario 1, VPN clients accessing the internal company network from the Internet can easily navigate into the internal subdomain. It is very reliable as long as the VPN stays connected.



Cons:


1. Confusion for users if they decide to use their UPN.


2.  While there is security in an isolated subdomain, there is potential for exposure to outside attack.  The potential for exposing internal company resources to the outside world lies mainly in the fact that when the public zone’s DNS servers receive a query for subdomain.externaldnsname.com, they will return the addresses of the internal DNS servers, which will then provide answers to that query.


3. Longer DNS namespace.  This may not look appealing (or “pretty”) to the end-users.


4. Security. We are assuming that the internal servers can only be accessed through a VPN and, since they are in a private subnet, that they won’t be accessible otherwise. We are also assuming the VPN is secured with an L2TP/IPSec solution and not just a quick PPTP connection. If all this holds, we can assume it is secure and not accessible from the outside world.


This scenario is the recommendation from the Windows Server 2003 Deployment Guide.  It states to use the externally registered name and take a sub zone of it as the DNS name for the Forest Root Domain:
http://www.microsoft.com/resources/documentation/windowsserv/2003/all/deployguide/en-us/default.asp



  



==================================================================
Scenario 3 – Choosing a TLD Variation of your Public Domain, such as the “.net” version of it


Example: Your public domain name is domain.com, and you choose “domain.net” as your internal AD name.


This choice has been made by many companies.


Pros:


1. Easy to implement with minimal administrative overhead. Requires minimal action from administrators.


2. Prevents name space conflicts with external domain name. No one else owns it on the internet.


3. Forwarding works.


Cons


1. Domain name may look unprofessional. But this has nothing to do with anything on the public side (the internet).


2. VPN resolution difficult (like option 1) if DNS is not setup properly. That can be a sticky issue and depending on the VPN client will dictate whether it will work or not. I know one of the other MVPs (Dean Wells) created a little script to populate a user’s laptop or home PC’s hosts file with the necessary resources and would remove them once the VPN is dissolved.


3. Exchange HELO name must be altered in the SMTP properties (Exchange 2000 using MetaEdit, or SMTP properties in Exchange 2003), or in the Hub Transport properties (Exchange 2007) to accommodate anti-spam, SPF, and RBL software.


4. Obtaining a UC/SAN certificate for Exchange 2007 & 2010 may be a challenge if you haven’t registered the “.net” version of your public domain name. This is because the Certificate Authorities will check all names in the UC/SAN cert you are requesting, including Exchange’s internal FQDN in the certificate request. This is used by the Autodiscover feature in Exchange 2007 and 2010 and needs to be in the certificate. Read more on it here:


Exchange 2007 & Exchange 2010 UC/SAN Certificate
http://msmvps.com/blogs/acefekay/archive/2009/08/23/exchange-2007-uc-san-certificate.aspx




==================================================================
Scenario 4 – Choosing a private TLD such as “.local”

Choosing a different TLD: Choosing a private TLD, such as domain.local, domain.corp, domain.abc, etc. This option is usually best for either beginners or the expert, because it’s the easiest to implement primarily because it prevents name space conflicts from the very beginning with the public domain and requires no further action on your part with that respect. 


Pros:


1. Easy to implement with minimal administrative overhead. Requires minimal action from administrators.


2. Prevents name space conflicts with external domain name. No one else owns it on the internet.


3. Forwarding works.



Cons


1. Domain name may look unprofessional. But this has nothing to do with anything on the public side (the internet).


2. VPN resolution difficult (like option 1) if DNS is not setup properly. That can be a sticky issue and depending on the VPN client will dictate whether it will work or not. I know one of the other MVPs (Dean Wells) created a little script to populate a user’s laptop or home PC’s hosts file with the necessary resources and would remove them once the VPN is dissolved.


3. Exchange HELO name must be altered in the SMTP properties (Exchange 2000 using MetaEdit, or SMTP properties in Exchange 2003), or in the Hub Transport properties (Exchange 2007) to accommodate anti-spam, SPF, and RBL software.


4. You won’t have any problems obtaining an Exchange 2007 & 2010 UC/SAN certificate since the internal name is not a public name and there’s nothing to check registration-wise by the Certificate Authorities when requesting the certificate with the internal Exchange FQDN.



 



==================================================================
Exchange 2007 & 2010 UC/SAN certificate considerations


More things to consider concerning the internal AD DNS domain name and if using Exchange 2007


If you choose a TLD, be sure not to choose one that is already in use by another entity. It will cause undue confusion, and will create problems if you were to get an Exchange 2007 UCC/SAN certificate and add a name from the internal namespace to the certificate. Further below are lists of existing TLDs that you do not want to choose if the name does not belong to your entity.


So, for the complications that will arise, it would be a bad choice to give the internal domain a name that is registered by others.


As far as choosing what name to use internally, there are pros and cons of using your public TLD (whether the same namespace or not), or a private TLD. I prefer a private TLD. You also have to take into consideration if you will be using Exchange 2007 and expect to purchase a UC/SAN certificate. This type of cert has multiple names, and the internal Exchange server’s private FQDN will be part of it. So for instance, your company is called “A Big Company”, and your external name is abc.com. You decide to make your internal name abc.net. However you never purchased abc.net from the registrar, and someone else did. So the Exchange server internal name is exchange.abc.net. In such a case, the CA will not approve it because A Big Company is not the registered owner of abc.net at the registrar (when you do a WHOIS) and is owned by someone else.


Technically speaking, you can also use the same name for the internal domain and the external domain. Just understand the ramifications. You may encounter the following issues, which could force you to perform a domain rename in the future.


1.  If the internal domain name that you chose is the same as your Internet public domain name, internal clients may get the domain’s external IP, but routers and firewalls will not respond to an internal request sent to the external interface. Some refer to this as a U-Turn, and firewalls, routers and NATs cannot handle U-Turns for port-forwarded services.


2. Worse, if the internal name you chose was registered by another entity.
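A pre-flight check of the names going into a UC/SAN request, following the ownership rule described above (every name must belong to a domain the requester has registered; a private TLD has no registration for the CA to check). This is an added example, not the post’s or any CA’s code; it assumes the requester knows its registered domains, uses a simplified registrable-domain rule (the last two labels, which ignores second-level registries such as .co.uk), and the set of private TLDs is an assumption.

```python
"""Pre-flight the names in an Exchange UC/SAN certificate request against the
CA ownership rule: every public name must be under a domain the requester
has registered, and one unowned name blocks the whole request.
Added example, not from the original post; the private-TLD set and the
last-two-labels rule are simplifying assumptions."""

# Private TLDs cannot be registered, so there is no WHOIS owner for a CA to
# check (Scenario 4). Assumed set for this example.
PRIVATE_TLDS = {"local", "corp", "lan", "internal"}


def registrable_domain(fqdn):
    """'Exchange.ABC.Net.' -> 'abc.net' (simplified: last two labels)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable FQDN: {fqdn!r}")
    return ".".join(labels[-2:])


def classify_san(name, owned_domains):
    """Return 'private', 'owned' or 'not-owned' for one SAN entry."""
    base = registrable_domain(name)
    if base.rsplit(".", 1)[-1] in PRIVATE_TLDS:
        return "private"
    owned = {d.lower().rstrip(".") for d in owned_domains}
    return "owned" if base in owned else "not-owned"


def preflight(san_names, owned_domains):
    """Classify every SAN. Returns (verdicts, blockers): blockers are the names
    the CA would refuse, and any blocker fails the entire request."""
    verdicts = [(n, classify_san(n, owned_domains)) for n in san_names]
    blockers = [n for n, v in verdicts if v == "not-owned"]
    return verdicts, blockers


def openssl_req_config(common_name, san_names, owned_domains):
    """Build an `openssl req -config` file with a subjectAltName list for a
    checked set of names, or raise instead of producing a CSR the CA would
    reject. The CN is checked and listed as DNS.1 as well."""
    names = [common_name] + [n for n in san_names if n != common_name]
    _, blockers = preflight(names, owned_domains)
    if blockers:
        raise ValueError(
            "CA would reject the request; names in domains you do not own: "
            + ", ".join(blockers)
            + " (register the domain or rename the internal namespace)")
    lines = ["[req]", "prompt = no", "distinguished_name = dn",
             "req_extensions = v3_req", "", "[dn]", f"CN = {common_name}", "",
             "[v3_req]", "subjectAltName = @alt_names", "", "[alt_names]"]
    lines += [f"DNS.{i} = {name}" for i, name in enumerate(names, 1)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample following the "A Big Company" story: abc.com is
    # registered, abc.net is not, and abc.local is a private TLD.
    owned = ["abc.com"]
    rejected = ["mail.abc.com", "autodiscover.abc.com", "exchange.abc.net"]
    accepted = ["mail.abc.com", "autodiscover.abc.com", "exchange.abc.local"]
    print("blockers:", preflight(rejected, owned)[1])   # ['exchange.abc.net']
    print(openssl_req_config("mail.abc.com", accepted, owned))
```

Public CAs stopped including names under private TLDs in certificates in November 2015 (CA/Browser Forum Baseline Requirements), so today the 'private' verdict mostly matters for certificates issued by an internal CA.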


Generic top-level domains:


.biz  .com  .info  .name  .net  .org  .pro  .aero  .asia  .cat  .coop  .edu
.gov  .int  .jobs  .mil  .mobi  .museum  .tel  .travel


Country-code top-level domains; be careful choosing one of these, especially if someone else owns the name on the Internet. You will never get the cert approved if the name is owned by someone else, despite the argument that “it’s my internal domain name…”:


.ac  .ad  .ae  .af  .ag  .ai  .al  .am  .an  .ao  .aq  .ar  .as  .at  .au
.aw  .ax  .az  .ba  .bb  .bd  .be  .bf  .bg  .bh  .bi  .bj  .bm  .bn  .bo
.br  .bs  .bt  .bw  .by  .bz  .ca  .cc  .cd  .cf  .cg  .ch  .ci  .ck  .cl
.cm  .cn  .co  .cr  .cu  .cv  .cx  .cy  .cz  .de  .dj  .dk  .dm  .do  .dz
.ec  .ee  .eg  .er  .es  .et  .eu  .fi  .fj  .fk  .fm  .fo  .fr  .ga  .gd
.ge  .gf  .gg  .gh  .gi  .gl  .gm  .gn  .gp  .gq  .gr  .gs  .gt  .gu  .gw
.gy  .hk  .hm  .hn  .hr  .ht  .hu  .id  .ie  .il  .im  .in  .io  .iq  .ir
.is  .it  .je  .jm  .jo  .jp  .ke  .kg  .kh  .ki  .km  .kn  .kp  .kr  .kw
.ky  .kz  .la  .lb  .lc  .li  .lk  .lr  .ls  .lt  .lu  .lv  .ly  .ma  .mc
.me  .md  .mg  .mh  .mk  .ml  .mm  .mn  .mo  .mp  .mq  .mr  .ms  .mt  .mu
.mv  .mw  .mx  .my  .mz  .na  .nc  .ne  .nf  .ng  .ni  .nl  .no  .np  .nr
.nu  .nz  .om  .pa  .pe  .pf  .pg  .ph  .pk  .pl  .pn  .pr  .ps  .pt  .pw
.py  .qa  .re  .ro  .rs  .ru  .rw  .sa  .sb  .sc  .sd  .se  .sg  .sh  .si
.sk  .sl  .sm  .sn  .sr  .st  .sv  .sy  .sz  .tc  .td  .tf  .tg  .th  .tj
.tk  .tl  .tm  .tn  .to  .tr  .tt  .tv  .tw  .tz  .ua  .ug  .uk  .us  .uy
.uz  .va  .vc  .ve  .vg  .vi  .vn  .vu  .wf  .ws  .ye  .za  .zm  .zw



 



==================================================================
Related Links



For a broad overview of this topic, read some of the links below.


Creating Internal and External Domains
http://technet.microsoft.com/en-us/library/cc755946(WS.10).aspx


DNS Namespace Planning
http://support.microsoft.com/default.aspx?scid=kb;en-us;254680


Assigning the Forest Root Domain Name:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbc_logi_kqxm.asp



Suggestions, comments and corrections welcomed!

Ace Fekay








Split Zone or no Split Zone – Can’t Access Internal Website with External Name

“How do I resolve my external website when my internal name is the same as my external name (split zone)?”


Or


“We are hosting our webserver internally, on our LAN, and internet users can access the website without problems, but when we are inside the office, we can’t access our domain name. This also applies to Exchange OWA.”


Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer


Updated 7/30/2009




There can be multiple scenarios. Choose your scenario.


Scenario 1: The Internal and External Domain Names are the Same


Your internal domain name and external domain name are the same, and the web server is hosted externally.
This same-name scenario is called a split zone (also known as split-brain DNS).


To handle a split zone, note that there are two ways users get to your website:


  1. By http://www.yourdomain.com/, using ‘www’ in front of your domain name.
  2. By http://yourdomain.com/, without the ‘www’ in front of the name.

1. The simplest way to allow your internal users to get to your external website is to create an A record named www under your existing internal AD zone in DNS (do not create an Alias or CNAME record), and give it the IP address of the external web server.


To create the ‘www’ record:
Open DNS console
Right-click your zone name, such as yourdomain.com, choose New Host Record
Type in www
Type in the IP address of the external website


2. However, if your web hosting provider uses more than one web server, such as a server farm, or has multiple IP addresses for the website, and may change them without warning, you have to do something different to account for this. Instead of creating an A record for ‘www’, create a delegation of ‘www’ to the public name servers that are authoritative for your zone. With a delegation, instead of handing out a fixed IP, your internal DNS server sends queries for www to the public name servers and returns whatever address they currently hold. To create the delegation you need the names and addresses of the authoritative public name servers: the SOA (Start of Authority) record names the primary one, and the NS records list all of them.


Therefore, you need to query an outside DNS server (not your internal one, which is authoritative for the same name and would answer from the internal zone) for the SOA and NS records of your public domain name.


How do you find the SOA for your public domain name? Use nslookup.


In a command prompt, type nslookup and hit Enter.
Then type the following (set q=ns instead of set q=soa lists all of the public name servers):
> server 4.2.2.2
> set q=soa
> typeInYourDomainNameHereWithoutTheWWW.com


Once you have the name server names and IPs, you can create the delegation: right-click your zone name, choose New Delegation, type in www, and add the public name servers (name and IP) you just found.
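The two options above, as an added example that is not part of the original post, done from PowerShell with the DnsServer and DnsClient modules (Windows Server 2012 or newer; the dnscmd.exe equivalents for older servers are noted in comments). yourdomain.com, the 203.0.113.10 web address and 4.2.2.2 as the outside resolver are placeholders, and the function names are mine.

```powershell
# Added example (not from the original post). Scenario 1: same internal and
# external name, web site hosted outside. Assumes the DnsServer module is
# installed and the script runs on (or has rights to) the internal DNS server.

Import-Module DnsServer

# Option 1: a static A record for www in the internal copy of the zone.
# dnscmd equivalent: dnscmd /RecordAdd yourdomain.com www A 203.0.113.10
function Add-SplitZoneWwwRecord {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][ipaddress]$PublicIP
    )
    # Short TTL: if the hoster moves the site, clients stop using the stale
    # address quickly once you correct the record.
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'www' `
        -IPv4Address $PublicIP -TimeToLive (New-TimeSpan -Minutes 5)
}

# Find the authoritative public name servers by asking an outside resolver.
# The internal server must not be asked: it is authoritative for the same name
# and would answer from the internal zone.
function Get-PublicNameServers {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$OutsideResolver = '4.2.2.2'
    )
    $ns = Resolve-DnsName -Name $ZoneName -Type NS -Server $OutsideResolver -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' }
    foreach ($record in $ns) {
        $a = Resolve-DnsName -Name $record.NameHost -Type A -Server $OutsideResolver -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        [pscustomobject]@{ NameServer = $record.NameHost; IPAddress = [ipaddress]$a.IPAddress }
    }
}

# Option 2: delegate www to those public servers, so the internal DNS hands out
# whatever the hoster currently publishes instead of a frozen address.
function Add-SplitZoneWwwDelegation {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$OutsideResolver = '4.2.2.2'
    )
    $servers = @(Get-PublicNameServers -ZoneName $ZoneName -OutsideResolver $OutsideResolver)
    if ($servers.Count -eq 0) { throw "No public NS records found for $ZoneName" }

    # The first server creates the delegation (NS record plus glue A record).
    $first = $servers[0]
    Add-DnsServerZoneDelegation -Name $ZoneName -ChildZoneName 'www' `
        -NameServer $first.NameServer -IPAddress $first.IPAddress

    # Remaining servers are appended as further NS records under www.
    foreach ($s in ($servers | Select-Object -Skip 1)) {
        Add-DnsServerResourceRecord -ZoneName $ZoneName -Name 'www' -NS -NameServer $s.NameServer
        if ($s.NameServer -like "*.$ZoneName") {
            # Name server inside our own zone: it needs a glue A record, because
            # the internal server cannot look it up anywhere else.
            $glueName = $s.NameServer.Substring(0, $s.NameServer.Length - $ZoneName.Length - 1)
            Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $glueName -IPv4Address $s.IPAddress
        }
    }
    $servers
}

# Verify from the DNS server itself that www now resolves internally.
function Test-SplitZoneWww {
    param([Parameter(Mandatory)][string]$ZoneName)
    Resolve-DnsName -Name "www.$ZoneName" -Type A -Server 127.0.0.1 -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | Select-Object Name, IPAddress
}

# Usage (pick one of the two options):
# Add-SplitZoneWwwRecord -ZoneName 'yourdomain.com' -PublicIP 203.0.113.10
# Add-SplitZoneWwwDelegation -ZoneName 'yourdomain.com'
# Test-SplitZoneWww -ZoneName 'yourdomain.com'
```

The delegation path is the one to prefer when the hoster controls the addresses, but note that it makes your internal server depend on reaching the public name servers for every www lookup, so it needs working forwarders or root hints.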


 


So you don’t want to use the WWW in front of the URL?


This question has come up numerous times in scenarios where the external and internal AD names are the same, and the web server is hosted internally or externally. I usually look at it as politics driving the request, because it’s not that hard to type www in front of domain.com.


However, if you absolutely need http://domain.com/ to resolve without the www in front of it, there is a way, but it’s a bit more complex and warrants an explanation.


If you are not running an Active Directory infrastructure:


The easy solution is to create a new host (A) record (as in step 1 above) but leave the hostname field blank and just type in the IP address of the website. This is a blank, or apex, record (the console shows it as “(same as parent folder)”), and it lets the bare name resolve without the ‘www’ in front of it.


However, if you are using Active Directory:


This ‘blank’ record is already in use by the domain controllers of the domain. Each and every domain controller registers an A record with no hostname at the apex of the zone, carrying its own IP address, and it appears under your internal zone name as:


(same as parent folder)   A   x.x.x.x


These are the “LdapIpAddress” records; each DC registers one for itself. Clients (and DCs) use them whenever the domain is addressed by its bare name: LDAP lookups against the domain, the \\domain.com\SYSVOL and \\domain.com\NETLOGON paths that Group Policy processing depends on, and domain-based DFS namespaces. Don’t mess with them, or expect problems. The DCs re-register the record anyway if you delete it, thwarting your attempt. If you create a blank record pointing at your website, clients will be sent to the web server for those functions and AD will break.



To get around that, there is a workaround: install IIS on EACH DC. Then open the Internet Information Services console, open the Default Web Site properties, and on the Home Directory tab select “A redirection to a URL” and redirect to http://www.domain.com/. That way, when a user types http://domain.com, the request lands on whichever DC the apex record resolved to, and IIS bounces it to the www record you created in step 1 or 2 above. Because every DC answers for the bare name, this must be done on each DC.


Steps summarized:


  1. Install IIS on EACH domain controller.
  2. Create a www record under your domain.com.
  3. Give it the private, internal IP of the web server, or if the web server is external, give it the public IP address of the web server. If you don’t know the external IP, see the nslookup steps below to find it.
  4. In the IIS console, Default Web Site properties, create a redirect to http://www.domain.com/.
  5. Now when any of your users type http://domain.com, it resolves to a DC, which redirects to the www record you created in step 2.

 


If your website is external, use nslookup against an outside DNS server to find your external web server’s IP (your internal server would answer from the internal zone):


c:\>nslookup
> server 4.2.2.2          (tells nslookup to use an external DNS server, so you get the public web server IP)
> www.domain.com


Note: Installing IIS on a Domain Controller has security implications:


For security reasons I do not condone installing IIS on a DC. It puts a web listener on TCP 80 on your most sensitive servers, and any flaw in IIS or its configuration then becomes a flaw on a domain controller. Normally with my customers, I simply tell them to use the www in front of the domain name. If it is a .com name, you can instruct them to type the bare name in the address bar and hit <CTRL> + <Enter>; this shortcut automatically adds the www in front and the .com at the end.


Otherwise, if the boss demands that it work without a www in front (usually a political and not a technical requirement), then follow the above, but take note of the security implications.



Scenario 2: Different Internal and External but you are hosting the webserver internally


Your public domain name is different from your internal AD name, and you are hosting your web server internally.


In this scenario, Internet users reach your domain name by connecting to the WAN (outside) IP address of your router, which forwards to the web server.


To make this work with a domain name that differs from your internal one, create the external domain name as a zone on your internal DNS server:


  1. Open the DNS console.
  2. Click on Forward Lookup Zones.
  3. Right-click, choose New Zone, and type in the name of the external domain name.
  4. Once created, right-click the zone you just created and choose New Host (A) Record.
  5. Type in ‘www’ (without the quotes), and provide the internal private IP address of your internal web server.

If you also want the site reachable as http://domain.com/ (without the www), create a ‘blank’ host record. Unlike Scenario 1 this is safe here, because this zone is not your AD domain name and no DC registers anything at its apex.


How?
Right-click the zone name you just created, choose New Host Record.
Leave the name field blank, and provide the internal Private IP address of your internal webserver.
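An added example, not part of the original post, covering two points above: telling the DCs’ LdapIpAddress apex records apart from a stray blank record in the AD zone (Scenario 1), and creating the public zone internally with www and apex records where a blank record is harmless (Scenario 2). It assumes the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or newer); the zone names, 10.0.0.80 and the function names are placeholders of mine.

```powershell
# Added example (not from the original post). Requires the DnsServer and
# ActiveDirectory modules and rights to read the zone and the domain.

Import-Module DnsServer
Import-Module ActiveDirectory

# Records with HostName '@' live at the zone apex; in an AD domain zone every DC
# registers one with its own address (the LdapIpAddress record).
function Get-ApexARecords {
    param([Parameter(Mandatory)][string]$ZoneName)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
        Where-Object { $_.HostName -eq '@' } |
        ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }
}

# Compare the apex A records with the DCs of the domain. Anything left over is a
# hand-made blank record (for a web site, say) that fights the DCs' dynamic
# registration and sends clients to a non-DC for LDAP, SYSVOL and DFS.
function Test-ApexRecords {
    param([Parameter(Mandatory)][string]$DomainName)
    $dcAddresses = Get-ADDomainController -Filter * -Server $DomainName |
        ForEach-Object { $_.IPv4Address }
    $apex = @(Get-ApexARecords -ZoneName $DomainName)
    [pscustomobject]@{
        Domain       = $DomainName
        ApexRecords  = $apex
        StrayRecords = @($apex | Where-Object { $_ -notin $dcAddresses })
        MissingDCs   = @($dcAddresses | Where-Object { $_ -notin $apex })
    }
}

# Scenario 2: the public name differs from the AD domain name and the web server
# sits on the LAN. Create the public zone internally with www and (optionally)
# apex records pointing at the private address. Refuses to touch a zone that is
# an AD domain name, where the apex belongs to the DCs.
function New-InternalPublicZone {
    param(
        [Parameter(Mandatory)][string]$PublicZone,
        [Parameter(Mandatory)][ipaddress]$WebServerPrivateIP,
        [switch]$IncludeApexRecord
    )
    if ((Get-ADForest).Domains -contains $PublicZone) {
        throw "$PublicZone is an AD domain name; its apex records are owned by the DCs"
    }
    if (-not (Get-DnsServerZone -Name $PublicZone -ErrorAction SilentlyContinue)) {
        # AD-integrated with domain-wide replication; dynamic updates off, since
        # nothing legitimate registers itself into this zone.
        Add-DnsServerPrimaryZone -Name $PublicZone -ReplicationScope 'Domain' -DynamicUpdate 'None'
    }
    Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name 'www' -IPv4Address $WebServerPrivateIP
    if ($IncludeApexRecord) {
        # '@' is the blank host name field of the DNS console.
        Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name '@' -IPv4Address $WebServerPrivateIP
    }
    Get-DnsServerResourceRecord -ZoneName $PublicZone -RRType A
}

# Usage:
# Test-ApexRecords -DomainName 'corp.example'
# New-InternalPublicZone -PublicZone 'yourdomain.com' -WebServerPrivateIP 10.0.0.80 -IncludeApexRecord
```

Run Test-ApexRecords before deciding that a bare-name problem is a DNS problem: a StrayRecords entry means someone already planted a blank record in the AD zone, and a MissingDCs entry means a DC is not registering, which is a Netlogon or dynamic-update issue rather than a web issue.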



Scenario 3 : Different Internal & External Domain Name


If you have a different internal domain name and external domain name, and the website is hosted externally:
There’s nothing to do. Internet resolution will handle everything.


Don’t forget: ALWAYS and ONLY use the internal DNS servers in your AD environment for all machines (DCs, member servers and workstations, including your VPN clients), or this won’t work. Never use your ISP’s DNS servers or your router’s IP address as a DNS address in any internal machine’s IP properties. Otherwise, expect AD problems as well.


Don’t forget to configure a forwarder for more efficient Internet name resolution. I’ve always used this as a best practice. It offloads Internet name resolution to your ISP’s DNS servers so your server doesn’t have to use the root hints to resolve external names.


Ace Fekay, MCT

The DNS Cache Poisoning Vulnerability, Microsoft KB953230 Patch, and UDP Service Ports Reservation Explained, and DNS Memory Leakage



Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer


Published 7/2009
Edits:
8/9/2010  – Added update links (see the bottom of this blog).
10/5/2010 – Added info about the DNS Process Memory Leakage After Installing Hotfix 941672 for Windows 2003
10/7/2010 – Added link explaining how to debug the DNS process to determine if a leak is occurring



 


Protection against the Microsoft DNS Cache Poisoning Vulnerability (953230)


The DNS patch released in July 2008 (MS08-037) makes the DNS server open a pool of 2500 UDP sockets on randomly chosen ephemeral ports and send each outbound query from a random one of them.


It is a security update to prevent spoofing. Before the update, the DNS server sent all of its recursive queries from a single, predictable UDP source port, so an attacker who wanted to forge an answer only had to match the 16-bit transaction ID, which can be brute-forced by flooding the server with guesses. A forged answer accepted into the cache poisons it with records of the attacker’s choosing, which lets a remote attacker redirect legitimate traffic intended for systems on the Internet to the attacker’s own systems or elsewhere. Note that these ephemeral (service) ports come out of the same dynamic range that every other Windows service uses, not a DNS-specific one, which is why the patch affects other applications (see the port reservation and exhaustion sections below).


By opening this socket pool in advance, the patch adds roughly 11 bits of source-port entropy on top of the transaction ID, so a spoofed reply has to guess both the port and the ID. That makes the port-guessing attack that was being used against Windows and other major DNS implementations impractical and protects against cache poisoning. The ports are held for the DNS server’s exclusive use, which is what the rest of this article is about.


 


DNS Increased Memory Consumption Due To The DNS Patch


When you run netstat -ab, it displays the 2500 UDP ports that have been reserved, whether or not they are in use. Each open socket costs a handle and kernel (non-paged pool) memory, which is the increased memory consumption you may notice. I’ve noticed the following when I looked at Task Manager before and after the DNS patch was installed (your mileage may vary):


dns.exe        Before      After
Mem usage      9,758K      36,232K
Peak Mem       10,208K     36,584K
Paged Pool     71K         798K
NP Pool        17K         4,833K
Handles        238         5,217
Threads        20          20


 


If the RPC Endpoint Mapper Runs Out of Ports Due to the Patch


There can also be issues with applications installed on the DNS server when the RPC Endpoint Mapper runs out of ports, because all of the available dynamic ports are consumed by the DNS socket pool plus whatever the application holds open.


Run netstat -ano at a command prompt. It lists the ports in use together with the PID of the process that owns each one. Possibly you’re running an application on this server that isn’t releasing ports when it’s done with them. You can also extend the dynamic port range used by RPC (see the ephemeral ports section below), but I’d recommend looking into what’s consuming them first.


Take a look at the following article for more info on the Endpoint mapper:


839880 Troubleshooting RPC Endpoint Mapper errors using the Windows Server 2003 Support Tools from the product CD
http://support.microsoft.com/default.aspx?scid=kb;EN-US;839880


 


DNS Process Memory Leakage After Installing Hotfix 941672 for Windows 2003


If the DNS process on your DNS server is consuming a large amount of memory, to the point that the DNS service hangs and stops responding, it may be associated with hotfix 941672. If 941672 was installed on the DNS server, there is a known memory leak in the DNS process associated with that hotfix. The issue is fixed by installing hotfix 975830.


Please read more about it in the following link, where you can also request the hotfix.


The memory usage of the Dns.exe process keeps increasing after you install hotfix 941672 on a computer that is running Windows Server 2003 SP2 and that has the DNS server role installed
Article ID: 975830 – Last Review: October 27, 2009 – Revision: 1.0
http://support.microsoft.com/kb/975830/en-us


DNS Memory Consumption Related Discussion:
http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/bcf3ac92-3485-4a2d-9386-55f2dcbc78f8


If you need more information to determine whether a DNS process leak is occurring, you can enable debug logging, and use the following link in conjunction with the symptoms explained in KB975830 to analyze the issue further.


DNS: Monitoring Server
http://technet.microsoft.com/en-us/library/cc783975(WS.10).aspx


 


Windows 2008, 2008 R2, Vista and Windows 7 Ephemeral Ports Have Changed


On Windows Server 2003, XP and earlier, the default ephemeral (random service) port range was 1025 through 5000. On Vista, Windows 7, Windows 2008 and 2008 R2 it is different: the default range is 49152 through 65535 (see KB929851 below). The DNS socket pool and the RPC endpoint mapper both draw from this range, so on an older server with the default range of under 5000 ports, 2500 DNS sockets take more than half of it.


Quoted from KB929851 (link posted below):


“To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000.”


Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 Service Response Ports (ephemeral ports)
The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/?kbid=929851


 


 


DNS Server Service Terminates Unexpectedly


Are you seeing the following error?


The DNS Server service terminated with the following error:
An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.


Cause:
The DNS server could not open all of the sockets in its socket pool. 2500 is the default DNS SocketPoolSize on Windows Server 2008 R2; if the dynamic port range is small (see above), is narrowed by a port reservation, or is already consumed by other applications, the pool cannot be built and the service fails with this error. The Best Practices Analyzer flags any non-default SocketPoolSize because the default is the setting Microsoft expects to be stable, which is why it prompts about it.


To check or adjust it, look at the SocketPoolSize value under this registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters
Set it to the value you want (0 through 10000; the supported way is dnscmd /Config /SocketPoolSize <value>), restart the DNS Server service, and check whether the issue persists. Alternatively, keep the pool size and exclude the ports other services need with dnscmd /Config /SocketPoolExcludedPortRanges.
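A check script for the points in the last few sections (socket pool size, who holds the UDP ports, and the dynamic port range in effect), added here as an example and not part of the original post. It uses the NetTCPIP cmdlets, so it needs Windows Server 2012 or newer; on 2003/2008 the same information comes from netstat -ano -p udp and netsh int ipv4 show dynamicport udp. The 80% warning threshold and the function names are my assumptions.

```powershell
# Added example (not from the original post). Run on the DNS server as an
# administrator. Reads only; the commented dnscmd line at the end changes config.

# The registry value discussed above; absent means the default (2500 on 2008 R2+).
function Get-DnsSocketPoolSize {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $v = (Get-ItemProperty -Path $key -Name 'SocketPoolSize' -ErrorAction SilentlyContinue).SocketPoolSize
    if ($null -eq $v) { 2500 } else { [int]$v }
}

# UDP sockets per owning process, worst offenders first. dns.exe should be near
# the pool size; anything else up there is the "app not releasing ports" case.
function Get-UdpPortsByProcess {
    Get-NetUDPEndpoint |
        Group-Object -Property OwningProcess |
        ForEach-Object {
            $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID      = [int]$_.Name
                Process  = if ($proc) { $proc.ProcessName } else { '?' }
                UdpPorts = $_.Count
            }
        } | Sort-Object UdpPorts -Descending
}

# The dynamic (ephemeral) range: 49152-65535 by default on 2008+, 1025-5000 before.
function Get-DynamicPortRange {
    $s = Get-NetUDPSetting | Select-Object -First 1
    [pscustomobject]@{
        StartPort = $s.DynamicPortRangeStartPort
        EndPort   = $s.DynamicPortRangeStartPort + $s.DynamicPortRangeNumberOfPorts - 1
        Count     = $s.DynamicPortRangeNumberOfPorts
    }
}

# Put it together: how much of the dynamic range is consumed, and by whom.
function Test-DnsPortPressure {
    param([double]$WarnAtFraction = 0.8)   # assumed threshold
    $range  = Get-DynamicPortRange
    $byProc = @(Get-UdpPortsByProcess)
    $dns    = $byProc | Where-Object { $_.Process -eq 'dns' }
    # Only sockets bound inside the dynamic range count against it; listeners
    # on fixed ports such as 53 are excluded.
    $inRange = @(Get-NetUDPEndpoint | Where-Object {
        $_.LocalPort -ge $range.StartPort -and $_.LocalPort -le $range.EndPort }).Count
    [pscustomobject]@{
        SocketPoolSize  = Get-DnsSocketPoolSize
        DnsUdpSockets   = if ($dns) { $dns.UdpPorts } else { 0 }
        DynamicRange    = "$($range.StartPort)-$($range.EndPort)"
        UdpSocketsInUse = $inRange
        RangeFraction   = [math]::Round($inRange / $range.Count, 2)
        Warning         = ($inRange -gt $range.Count * $WarnAtFraction)
        TopConsumers    = ($byProc | Select-Object -First 5)
    }
}

# Usage:
# Test-DnsPortPressure | Format-List
# To shrink the pool (0..10000) and apply it; the setting survives reboots:
#   dnscmd /Config /SocketPoolSize 1000 ; Restart-Service DNS
```

If Warning comes back true and dns.exe is not the top consumer, fix or restart the leaking application rather than the DNS server; if it is dns.exe on an older server with the 1025 to 5000 range, widening the range (KB929851) is a cleaner fix than shrinking the pool, since every port you remove from the pool removes source-port entropy.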


For more information please refer to the link below:


DNS Socket Pool – Windows 2008 R2
http://technet.microsoft.com/en-us/library/ee683907(WS.10).aspx


 



More info on the Microsoft DNS Cache Poisoning Vulnerability KB953230 patch and the DNS exploit issue is explained in the following links.


US-CERT Vulnerability Note VU#800113: Multiple DNS implementations vulnerable to cache poisoning
https://www.kb.cert.org/vuls/id/800113


SecureWorks: DNS Cache Poisoning (on the new attacks that make cache poisoning trivial to execute)
http://www.secureworks.com/research/articles/dns-cache-poisoning


Wikipedia: DNS cache poisoning (cache poisoning attacks, variants, prevention and mitigation)
http://en.wikipedia.org/wiki/DNS_cache_poisoning


MS08-037: Description of the security update for DNS in Windows Server 2003, in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
http://support.microsoft.com/?id=951748


MS08-037: Vulnerabilities in DNS could allow spoofing
http://support.microsoft.com/default.aspx/kb/953230


How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873


You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)
http://support.microsoft.com/default.aspx/kb/956188


Some Services May Fail to Start or May Not Work Properly After Installing MS08-037 (951746 and 951748)
http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx


SBS Services failing after MS08-037 – KB951746 and 951748
http://msmvps.com/blogs/thenakedmvp/archive/2008/07/18/sbs-services-failing-after-ms08-037-kb951746-and-951748.aspx


 


Additional Updated Links (added 8/9/2010):


Windows DNS Server Cache Poisoning (PDF)
www.babilonics.com/files/Windows_DNS_Cache_Poisoning.pdf


==================================================================


Ace Fekay

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones


Revisions:

Original publication 3/2006
Recompiled 6/10/2010
Updated 12/9/2010
Updated 8/31/2014

Prologue

Ace here again. I’m cleaning up my blogs for technical and syntax errors. If you see anything that needs correction, please let me know.

Preface and Scope Of this Article

This blog explains how to use ADSI Edit to determine if duplicate zones exists in the AD database and to delete them.

When using ADSI Edit, the duplicate zones show up in the partitions with names that carry an “In Progress…” or “CNF…” marker and a long GUID. You will be checking EACH DC. When you find them, you simply delete them, because they are useless and cause substantial problems.

This blog also explains how duplicate zones will appear to make zone records disappear.

Introduction to Duplicate Zones

Duplicate zones cause numerous issues for the simple reason that the copy of the zone DNS shows you on a given DC may not have the latest data; it may literally be missing records you see on other DCs. If there are duplicate or conflicting zones, the zone data can’t replicate, so each DC may end up with a different copy of the zone, which results in unreliable name resolution and AD issues.

And to further complicate things, there are three different locations in AD where AD integrated DNS zones can be stored: the DomainDnsZones and ForestDnsZones application partitions and the domain partition (DomainNC). You can read more on the specifics in another of my blogs:

DNS Zone Types Explained, Storage Locations in the AD database, and their Significance in Active Directory.
http://blogs.msmvps.com/acefekay/2013/04/30/dns-zone-types-explained-and-their-significance-in-active-directory/

Symptoms?

You may have a duplicate or conflicting zone if the same zone exists in the Domain NC and in one of the application partitions, or in both application partitions. Some of the symptoms include:

  • When trying to change the replication scope, you receive an unusual error message stating, “The name limit for the local computer network adapter card was exceeded.”

(Screenshot: The Replication scope could not be set - The name limit for the local computer network adapter card was exceeded.)

  • Event ID 4515 in the DNS Server event log.
  • An admin sees that data present on one DC is missing on another and manually creates the records there.
  • Zone data is disappearing, or appears to be.
  • The data on each DC is different, and you are wondering why replication isn’t bringing the zone data up to date. It won’t, because replication of that zone either does not occur or is ignored once AD sees a duplicate.

Causes?

    • You’ve installed DNS on another DC and don’t see the zone under DNS that is on the other DCs, so you manually created the AD zone because you didn’t have the patience to wait for replication, which would have populated it automatically.
    • You’ve promoted a new DC in another site and didn’t have the patience to wait for the zone data to replicate.
    • Antivirus not configured to exclude AD communications and database files (a common cause).
    • At one time, or currently, the AD environment is a mixed Windows 2000/2003/2008 environment and DNS is installed on all operating system versions. On Windows 2000, an AD Integrated zone lives in the DomainNC partition of the AD database, and the zone on the Windows 2003 or newer DC/DNS servers should be set the same way to keep the zone data compatible and allow both operating system versions to read and use it.
    • Someone then attempted, in Windows 2003 or 2008 DNS, to move the zone into the DomainDnsZones partition without realizing the implications, hence the duplicate. If you want to use the Windows 2003 application partitions in such a scenario, first ensure the zone on the Windows 2003 servers is set to the DomainNC, then uninstall DNS from the Windows 2000 machine, and once AD replication has had time to complete, go to the Windows 2003 or newer DNS and change the zone’s replication scope to one of the application partitions.
    • A new domain controller was promoted into the domain, and the administrator manually created the zone name in DNS. This causes a duplicate. The proper way is to simply install DNS and allow AD replication to occur; the zone will auto-populate into DNS.

I usually don’t want to assume someone is deleting data. That would be the far end of the spectrum, especially if more than one DC is showing inconsistent zone data.

I feel the best approach to find out which is occurring is to first find out whether there is a duplicate zone. Auditing is time consuming, since you need to parse through all the events generated in the security event logs; it’s easier to run ADSI Edit to find out whether there are duplicates. Once you’ve determined it’s not a duplicate zone issue, you can move on to DNS auditing. If it is a duplicate zone issue, follow the procedure below to remove them.

*

AD Integrated Zones Storage Locations

First, a quick review of the partitions. Hopefully you’ve taken a few moments to read the blog link I posted above to understand the partitions. If not, I’ll just touch on it here so you understand it and can relate to it. For the specifics and the nitty gritty, read my other blog above.

Windows 2000:

The physical AD database is broken up into 3 logical partitions: the DomainNC (Domain Naming Context, which some call the Domain Naming Container), the Configuration partition, and the Schema partition. The Schema and Configuration partitions replicate to all DCs in a forest.

The DomainNC is specific to the domain the DC belongs to. That’s where a user, or a domain local or global group, is stored. The DomainNC only replicates to the DCs of that specific domain.

When you create an AD Integrated zone in Windows 2000, it gets stored in the DomainNC. This creates a limitation if you want this zone to be available on a DC/DNS server that belongs to a different domain. The only way around it is a little creative design using either delegation or secondary zones. This was a challenge for the _msdcs.contoso.com zone, which must be available forest wide to locate the DCs of the forest root domain, which hold the Schema Master and Domain Naming Master FSMO roles.

Windows 2003 and newer:

Two additional storage locations were added to the AD database for DNS use. These areas are called application partitions, specifically the DomainDnsZones and ForestDnsZones application partitions, created to store DNS data. They were conceived to overcome the limitation of Windows 2000’s AD Integrated zones. Now you can store an AD Integrated zone in either of these partitions instead of the DomainNC. If stored in the DomainDnsZones application partition, it is available only to the DC/DNS servers of that domain. If you store it in the ForestDnsZones application partition, it will be available to any DC/DNS server in the whole forest. This opens many more design options. It also ensures the availability of the _msdcs.contoso.com zone to all DCs in the forest. By default in Windows 2003, the _msdcs.contoso.com zone is stored in the ForestDnsZones application partition.

Selecting the Replication Scope in Windows 2003 and newer:

When selecting a zone replication scope in Win2003, in the zone’s properties, click the “Change” button. Under that you will see 3 options:

• “To all DNS servers in the AD forest example.com”  The top button. This option puts the zone in the ForestDnsZones Application Partition. This setting allows the zone data to replicate to all domain controllers running DNS in every domain in the forest, including additional Trees if they exist in the forest.
• “To all DNS servers in the AD domain example.com”  The middle button. This option means the zone is in the DomainDnsZones Application Partition. The zone is stored and replicated in the DomainDnsZones Application Partition of the specific domain it exists in. This setting is not compatible with Windows 2000 domain controllers. If Windows 2000 domain controllers exist in the domain, the bottom option (below) must be used.
• “To all domain controllers in the AD domain example.com”  The bottom button. This option means the zone is in the DomainNC (Domain Naming Context) portion of the actual AD database. It replicates to every DC in the domain whether or not it runs DNS, and it is only there for Windows 2000 compatibility, that is if you have any Windows 2000 domain controllers in that specific domain you are administering.

If you receive Event ID 4515 (the DNS server found another copy of the zone in a different partition and is ignoring it) or the following error, it may indicate that a duplicate or conflicting zone exists in the DomainNC, the DomainDnsZones application partition and/or the ForestDnsZones partition.

(Screenshot: The Replication scope could not be set - The name limit for the local computer network adapter card was exceeded.)

*

Non-AD Integrated Primary and Secondary Zones

A primary or secondary zone that is not stored in AD is stored as a text file in the system32\dns folder. This type of zone storage is unrelated to the partitions above, unless it is a secondary zone whose master is a DC transferring a copy of an AD integrated zone. File-based zones are obviously less secure: they cannot use secure dynamic updates, and anyone who can read the file sees the whole zone.

Now **IF** you did manually create a zone (whether intentionally or unknowingly) on one DC while it already existed on another DC, then you may have a duplicate.

*

Duplicate zone names will start with the letters “CNF…” or “InProgress…”

If there is a duplicate, you can use either ntdsutil or ADSI Edit to take a look. This article outlines how to use ADSI Edit to look for the duplicate.

A duplicate zone will appear in ADSI Edit with a name marked “In Progress…” or “CNF…” followed by a long GUID.

• “CNF…” means it is in conflict due to a duplicate in the AD database (AD renames the losing object of a naming conflict this way).
• “In Progress…” means it is trying to replicate but can’t, because there’s another identical zone name with a different USN version number (USNs are used for replication control between DCs) on another domain controller, which also means there’s a duplicate zone.

You can simply delete them, which will clean up the whole problem. Yep, a simple deletion. The “CNF” data is not used by AD, yet it conflicts with the zone that is actually used, and needs to be deleted.

But before doing anything about it just yet, read on for more about this and what may have caused it.

    *

    Preventing Duplicate Zones

    AD Integrated Zones will auto-populate when adding replica domain controllers

    If an AD integrated zone exists on a DC, and the DNS service is install DNS on another DC in the domain or forest, depending on the replication scope, it will automatically appear on the new DNS installation without any interaction on your part. You may have to wait a certain period of time for it to populate depending on if the other DC is in the same AD Site or not, but it WILL AUTO-POPULATE.

    However, if you attempted to manually create the zone, believing that you need to do this to make the zone available on that DC, then you’ve just introduced a duplicate zone in the AD database. It doesn’t matter if the zone say originally exists in the DomainNC, and you manually create the zone on the other DC and put it into the DomainDnsZones application partition, AD will still recognize it in the AD database.

    Duplicate zones cause numerous AD communication and access problems.

    The point is, AD is smarter than you think. Let it do its thing.

    *

    An example of what AD duplicate zones look like in ADSI Edit

    This image shows “In Progress…” entries. They need to be deleted.

    *

    Using ADSI Edit to look at  your AD Partitions

    This is a manual step by step. For a screenshot step by step, see the next section.

    This section assumes you have a little familiarity with ADSI Edit. If not, I suggest you get yourself familiar with it once you’ve connected to the various partitions as outlined below. Be careful deleting anything: deletion is a destructive process, and once an object is deleted, it’s gone. There is no “Back,” “Undelete,” or “Undo” button. To restore data, you will need to run an Authoritative Restore from your backup program, restoring the specific object that was deleted.

    Determine if there are any duplicate zones.

    While in ADSI Edit, if you see the same exact named zone in multiple partitions, such as seeing the same zone name in the Domain NC (Name Container) partition, in the DomainDnsZones application partition, and/or in the ForestDnsZones application partition, you have duplicate zones. If this is the case, then you must choose which zone you want to keep.

    I will select a DC that isn’t having a problem and delete the duplicates and conflicts off all other DCs.

    Multiple domains or multiple tree forest?

    If the AD forest is a multidomain forest with child domains and/or multiple trees, you must look at each domain’s DomainNC and DomainDnsZones partition, because each domain has one.

    To view the DomainNC Partition (Default Naming Context)

    • In ADSI Edit, right-click ADSI Edit, choose “Connect To,” in the Connection Point click on “Well known Naming Context”, then in the drop-down box, select “Domain”. If this is Windows 2003 or newer, this option shows up as “Default Naming Context”.
    • Expand DomainNC or Default Naming Context, then expand your domain name. Drill down to CN=System. Under that you will see CN=MicrosoftDNS.
      You will see any zones that are in the DomainNC partition under the MicrosoftDNS folder.
    • If you see anything that starts with an “In Progress….” or “CNF…” with a long GUID number after it, that’s a duplicate zone. Delete them!

    To view the ForestDnsZones Application Partition:

    [ForestDNSZones]

    1. Click Start, click Run, type adsiedit.msc, and then click OK.
    2. In the console tree, right-click ADSI Edit, and then click “Connect To.”
    3. Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK:
      DC=ForestDNSZones, DC=contoso, DC=com
    4. In the console tree, double-click DC=ForestDNSZones, DC=contoso, DC=com.
      Double-click CN=MicrosoftDNS, and click the zone (contoso.com).
    5. You should now be able to view the DNS records which exist in this DNS partition.

    If you see anything that starts with an “In Progress….” or “CNF…” with a long GUID number after it, that’s a duplicate zone. Delete them!

    To view the DomainDnsZones Application Partition

    [DomainDNSZones]

    1. Click Start, click Run, type adsiedit.msc, and then click OK.
    2. In the console tree, right-click ADSI Edit, and then click “Connect To.”
    3. Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK: DC=DomainDNSZones,DC=contoso,DC=com.
    4. In the console tree, double-click DC=DomainDNSZones,DC=contoso,DC=com
      Double-click CN=MicrosoftDNS, and click the zone (contoso.com).
    5. You should now be able to view the DNS records which exist in this DNS partition.

    If you see anything that starts with an “In Progress….” or “CNF…” with a long GUID number after it, that’s a duplicate zone. Delete them!
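    The same inspection, scripted, as an added example that is not part of the original post: it reads the three CN=MicrosoftDNS containers walked through above with the ActiveDirectory PowerShell module and reports the two things the post tells you to look for, conflict or in-progress entries and the same zone name stored in more than one partition. The container paths, the name patterns used for matching (the directory renames a conflict object to “zone” followed by a line feed and “CNF:guid”), and the cmdlets are my assumptions, not something the post states. It only reads; nothing is deleted. Run it on a DC that hosts the application partitions, or the DomainDnsZones/ForestDnsZones lookups will come back empty.

```powershell
# Added example, not from the original post: read-only report of dnsZone
# objects in the partitions the post walks through. Assumes the RSAT
# ActiveDirectory module and read rights on the partitions.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext        # e.g. DC=contoso,DC=com
$forestNC = $rootDse.rootDomainNamingContext     # forest root domain NC

# The three places the post says to look. In a multi-domain forest, add each
# child domain's DomainNC and DomainDnsZones entries to this table as well.
$searchBases = [ordered]@{
    'DomainNC'       = "CN=MicrosoftDNS,CN=System,$domainNC"
    'DomainDnsZones' = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNC"
    'ForestDnsZones' = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestNC"
}

$zones = foreach ($partition in $searchBases.Keys) {
    $base = $searchBases[$partition]
    # SilentlyContinue: a partition may not exist or may not be hosted here.
    Get-ADObject -SearchBase $base -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=dnsZone)' -Properties name, whenCreated `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # A conflict object is renamed to "<zone>`nCNF:<guid>" by the directory;
            # a zone whose creation never finished carries an "In Progress" style name.
            $isSuspicious = ($_.Name -match 'CNF:') -or ($_.Name -match 'In\s*Progress')
            [pscustomobject]@{
                Partition  = $partition
                Name       = $_.Name
                BaseName   = ($_.Name -split "`n")[0]   # zone name without the CNF suffix
                Suspicious = $isSuspicious
                Created    = $_.whenCreated
                DN         = $_.DistinguishedName
            }
        }
}

# 1. Conflict / in-progress entries: the "just delete them" case (Choice #1 below).
"--- Conflict / In Progress entries ---"
$zones | Where-Object Suspicious | Format-Table Partition, Name, Created -AutoSize

# 2. The same zone name present in more than one partition: a true duplicate,
#    which the post says needs the longer procedure (Choice #2) instead.
"--- Zone names stored in more than one partition ---"
$zones | Where-Object { -not $_.Suspicious } |
    Group-Object BaseName | Where-Object Count -gt 1 |
    ForEach-Object {
        $where = ($_.Group.Partition | Sort-Object -Unique) -join ', '
        "TRUE DUPLICATE: $($_.Name) found in: $where"
    }
```

    The grouping on BaseName is what turns the manual “look in three places and compare” into a single answer; the Created column is there because the older object is normally the one the DNS service has been using, which is worth knowing before deciding which copy to keep.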

    *

    Procedure with Screenshots:

    (The screenshots for this procedure are not reproduced here.)

    *

    Procedure to Delete the Duplicate zones

    The easiest is to simply delete any duplicates you find in ADSI Edit. Choice #1, to delete them, can actually be safely done during production. Matter of fact, things may just start to work after you delete them! But Choice #2, which is a lengthy procedure, must be done during non-production hours.

    Choice #1 (Recommended)

    Just go into ADSI Edit and delete the duplicate zones you’ve found.

    You can do this during production; frankly, I’ve done it in a large infrastructure during production hours without any problems. This is my personal choice as long as there are no true duplicate zones. That is, if the duplicate zone names are not prefixed with “In Progress….” or “CNF…” followed by a long GUID number, and you truly see a duplicate of your actual zone, such as domain.com, in any of the partitions, then you must perform Choice #2.

    Choice #2 (Not recommended)

    This is a multi-step process: first change the zone to a Standard Primary zone, which removes it from the AD database; allow AD replication to complete; delete the duplicates; then change the zone back to AD integrated and allow AD replication to complete again.

    • Choose only one DC to perform this action.
      • For example, if the duplicate is in the DomainDnsZones partition or DomainNC partition of a child domain, perform it only on a DC in that domain.
      • If the Duplicate is in the ForestDnsZones partition, you can choose any DC in the forest.
    • Right-click the zone name, Choose Properties.
    • Under the General  tab, click on the “Change” button next to the “Type” section.
    • Then uncheck the box that says “Store the zone in Active Directory (available only if the DNS server is a domain controller).”
    • Click Ok, Don’t click Ok again just yet. Just click on Apply.
    • IMPORTANT – You must allow AD replication to occur to replicate the change to all DCs that are in the replication scope of the zone. If you have DCs in another AD Site and have replication schedule set for example, to 3 hours, then you must WAIT for 3 hours.
    • This action makes the zone a Standard Primary zone. This means it is now stored in the system32\dns\ZoneName.com.dns text file and is no longer in the AD database.
    • You can also force replication, as well. If there are AD Sites configured, and the replication schedule on the Site Connection objects is, say, 3 hours, you can reduce the replication schedule on the Site Connection objects to the minimal time allowed, which is 15 minutes. Then force replication by choosing the partner DC’s NTDS Settings, right-click, and choose Replicate Now.
    • Once confirmed that replication has occurred, and refreshing the ADSI Edit window and seeing the zones no longer exist in any of the partitions, then you can now safely delete the duplicate zones.
    • Note: Just to be clear, you will be deleting any zone names that you find that are prefixed with an “In Progress….” or “CNF…” and suffixed with a long GUID number after it.
    • Also Note: Deleting a zone is a destructive operation. Make sure you are only deleting duplicates!
    • Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
    • In the console tree, right-click contoso.com, point to All Tasks, and then click Restart.
    • Change the zone back to AD Integrated into the Replication Scope it’s supposed to be in.
    • Once the duplicates have been deleted, once again, you MUST allow AD replication to occur. If you had changed the Replication Schedule on the Site Connection objects to quicken AD replication, you will want to reset them to their original setting.

    *
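    The Choice #2 sequence as a script, added here as an example and not part of the original post. It replaces the “wait 3 hours and refresh ADSI Edit” step with an explicit check that the zone object is gone from every DC before anything is deleted, and it asks for a typed confirmation before removing the leftover entries. Assumptions of mine, not the post’s: the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later RSAT), that you run it on the one DC you picked for the job, that $ZoneName is a placeholder for a zone in the DomainDnsZones scope, and that Set-DnsServerPrimaryZone with -ZoneFile converts the zone to file-backed and with -ReplicationScope stores it back in AD. A true duplicate of the live zone name in another partition is deleted the same way as the leftovers once the convergence check has passed; this script only handles the CNF / In Progress entries.

```powershell
# Added example, not from the original post: Choice #2 with a replication
# convergence check instead of a fixed wait. Assumes DnsServer + ActiveDirectory
# modules and Domain Admin rights. $ZoneName is a placeholder.
Import-Module DnsServer
Import-Module ActiveDirectory

$ZoneName  = 'contoso.com'
$domainNC  = (Get-ADRootDSE).defaultNamingContext
$container = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNC"
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Poll every DC until no object matching $filter is left under $container.
# A DC that does not host the partition returns nothing and counts as converged.
function Wait-ZoneObjectGone {
    param([string]$Filter, [int]$RetrySeconds = 60)
    do {
        $pending = foreach ($dc in $dcs) {
            $hit = Get-ADObject -Server $dc -SearchBase $container -SearchScope OneLevel `
                       -LDAPFilter $Filter -ErrorAction SilentlyContinue
            if ($hit) { $dc }
        }
        if ($pending) {
            Write-Host "Still present on: $($pending -join ', '); retrying in $RetrySeconds s"
            Start-Sleep -Seconds $RetrySeconds
        }
    } while ($pending)
}

# Step 1: make the zone a standard primary (file-backed). This removes the live
# dnsZone object from AD; the zone now lives in %SystemRoot%\System32\dns\<zone>.dns.
Set-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns"

# Step 2: the post's "wait for replication" step, made observable: the live
# zone object must be gone from every DC before touching anything else.
# The exact-name filter does not match "<zone>`nCNF:<guid>" conflict objects.
Wait-ZoneObjectGone -Filter "(&(objectClass=dnsZone)(name=$ZoneName))"

# Step 3: list the leftover CNF / In Progress entries and require confirmation.
# -Recursive is needed because a dnsZone object holds its dnsNode children.
$leftovers = Get-ADObject -SearchBase $container -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=dnsZone)' -Properties name |
             Where-Object { ($_.Name -match 'CNF:') -or ($_.Name -match 'In\s*Progress') }
$leftovers | Format-Table Name, DistinguishedName -AutoSize
if ($leftovers -and ((Read-Host 'Delete the objects listed above? (type YES)') -eq 'YES')) {
    $leftovers | Remove-ADObject -Recursive -Confirm:$false
    # Wait until the deletions themselves have replicated everywhere.
    Wait-ZoneObjectGone -Filter '(&(objectClass=dnsZone)(|(name=*CNF:*)(name=*InProgress*)))'
}

# Step 4: restart the DNS service (the post's "All Tasks > Restart"), then store
# the zone in AD again with the replication scope it is supposed to have.
Restart-Service -Name DNS
Set-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain
```

    If the zone belongs in the ForestDnsZones scope, point $container at DC=ForestDnsZones under the forest root NC, enumerate DCs forest-wide, and use -ReplicationScope Forest in the last step. If you shortened the Site Connection replication schedule to speed this up, put it back afterwards, as the post says.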

    References

    DNS zone replication in Active Directory
    http://technet.microsoft.com/en-us/library/cc779655(WS.10).aspx

    Oops, our AD Integrated DNS zone’s are missing in Windows 2003!
    http://blogs.technet.com/b/networking/archive/2007/05/10/oops-our-ad-integrated-dns-zone-s-are-missing-in-windows-2003.aspx

    Directory Partitions:
    http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp

    kbAlertz- (867464) – Explains how to use ADSI Edit to resolve app partitions issues:
    http://www.kbalertz.com/kb_867464.aspx

    Event ID 4515 is logged in the DNS Server log in Windows Server 2003
    http://support.microsoft.com/kb/867464

    *

    Summary

    It seems like a lot of steps, but it really isn’t. Just read it over a few times to get familiar with the procedure. You may even want to change it into a numbered step by step list if you like. If you only have one DC, and one Site, then it’s much easier since you don’t have to mess with secondary zones or play with the site objects.

    I hope that helps!

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services
    Complete List of Technical Blogs and Videos: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This blog is provided AS-IS with no warranties or guarantees and confers no rights.

    Suggestions, Comments and Corrections are Welcomed!