WINS – What Is It, How To Install It, and how to Configure DHCP Scopes For WINS Client Distribution




Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer


Published 10/27/2010
Updated 4/8/2012


 


Preface


WINS is a Microsoft NetBIOS Name Server (NBNS) that’s still widely used in the industry. WINS provides a dynamic NetBIOS name to IP address database. It also interacts with the Browser Service, which assembles and provides the Browse List, or what’s better known as Network Neighborhood.


Many folks rely on browsing the Neighborhood to “look” for resources and shares on servers, such as shared drives and shared printers (if not using AD to search for published printers), including mapped-drive UNC paths.


The Browser service relies on NetBIOS. This works fine on a single subnet; however, if the environment contains multiple subnets, or VPN subnets, then the Browser will fail going across subnets. Workstations on each subnet will only “see” the computers on that specific subnet.


This is due to the fact NetBIOS broadcasts are blocked by routers (including VLAN configurations), therefore browsing across subnets, such as between multiple company locations, or across client VPN connections fails.


Lack of NetBIOS support will also affect mapped drive paths in a login script, or manually created on a workstation, especially if the mapped drives were configured in the form of \\serverName\sharename, where the ‘serverName’ is a single name, hence either DirectSMB or NetBIOS kicks in (in that order with Windows 2000 and newer) to resolve it.


To support this lost functionality and provide NetBIOS name resolution across subnets, VPN Tunnels and Client VPNs, you will need WINS.


In addition, the Browser Service works hand in hand with WINS to assemble the Browse List. Many in the industry use WINS as a de facto standard in their environments to eliminate NetBIOS broadcasts.


More specifics on the interaction of WINS and the Browser Service can be found here:


DNS, WINS & the Client Side Resolver, NetBIOS, Browser Service, Disabling NetBIOS, Direct Hosted SMB (DirectSMB), If One DC is Down, Does a Client logon to Another DC, and DNS Forwarders Algorithm
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx


WINS
http://www.comptechdoc.org/os/windows/ntserverguide/ntswins.html






Active Directory and the need for WINS?


Active Directory itself does not need WINS. However some legacy apps may need it.


Active Directory supports single name resolution using DirectSMB (TCP port 445). Many will argue that they’ve found it doesn’t perform as expected, but that’s a discussion for another time, since it doesn’t fall under the scope of this writing.


What I can say is that some legacy applications and services still require WINS for name resolution that AD DirectSMB doesn’t provide. Some of these apps include, but are not limited to:


  • Exchange 2003 with certain Outlook features
  • McAfee Enterprise ePolicy Orchestrator
  • Symantec Endpoint Protection
  • Symantec Backup Exec
  • Computer Associates AV
  • SQL
  • Mapped Drives
  • Printer sharing (not published in AD)
  • and many more….




More info on Exchange 2000/2003 and WINS:


WINS is still required with both Exchange 2000 and 2003
Aug 8, 2005 … See why Exchange needs WINS and how you can get a WINS server up and running and configure Exchange to use it. …
http://articles.techrepublic.com.com/5100-10878_11-5820760.html


WINS and Exchange 2003 Server Dependencies:
I had been labouring under the delusion that Windows and Exchange 2003 servers no longer need WINS, it seems that I was wrong. However, what I now believe …
http://www.computerperformance.co.uk/w2k3/services/WINS_exchange.htm


Exchange Server 2003 and Exchange 2000 Server require NetBIOS name …
You may have to use NetBIOS name resolution across different subnets for the … The following Exchange functionality still depends on WINS name resolution: …
http://support.microsoft.com/kb/837391




Setting up a WINS Server


Keep in mind, when setting up a WINS server, it is suggested to install it on the DC that holds the PDC Emulator role, because that DC is the one that will become the Master Browser. Also, when setting the WINS server IP address on a WINS server, it must point only to itself, with no secondaries, even if you have more than one WINS server. A workstation can be configured with multiple WINS servers, but a WINS server must point only to itself. This is due to name registration and ownership of the WINS registered entries. If you only have one WINS server, no problem, just point it to itself. This is a little different from DNS, where you can provide multiple internal DNS addresses (no outside DNS addresses, of course).


To configure the WINS addresses in DHCP Scope or Server Options, add the following options:


Option 044: <WINS Server IP Address>    This sets the WINS IP addresses to offer DHCP clients
Option 046: 0x8                         This sets the NetBIOS node type





WINS Installation Steps and DHCP Configuration:


1. Install WINS


For Windows 2008 or 2008 R2:

  1. Do one of the following:
    1. In Initial Configuration Tasks in Customize This Server, click Add Features. The Add Features Wizard opens.
    2. Click Start, click Administrative Tools, and then click Server Manager. In the left pane of Server Manager, click Features, and in the details pane, in Features Summary, click Add Features. The Add Features Wizard opens.
  2. In Select Features, in Features, scroll down the list, select WINS Server, and then click Next.
  3. In Confirm installation selections, click Install.
  4. In Installation Results, review your installation results, and then click Close.

For Windows 2003:

WINS is installed in Control Panel, Add/Remove Programs, Windows Components.

 

More specifics in the following links:


WINS server role: How to setup WINS Servers in Windows 2003:
http://technet.microsoft.com/en-us/library/cc780091(WS.10).aspx


WINS Server Role: How to Install Windows Internet Name Service (WINS) in Windows 2008 and 2008 R2
http://technet.microsoft.com/en-us/library/dd894432(WS.10).aspx


 



2. Configure the IP address of the WINS server to itself. To do this on the WINS server, go to NIC properties, Advanced, WINS tab. Type in ONLY the IP address of itself. This is because a WINS server can only point to itself.


 


3. On all other machines with static IP configuration, add the WINS address under IP properties, Advanced, WINS tab. If you have more than one WINS server, you can specify as many as you like.


    More information on how to configure your network adapter to use WINS:


        To configure TCP/IP to use WINS – Windows XP
        http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_tcpip_pro_usewinsconfig.mspx?mfr=true


4. For DHCP properties, you will need to add two DHCP Scope Options:


 


DHCP Scope Option 044, provide the WINS server IP address. If you have more than one, provide them in the order you would like them to be configured on your DHCP clients.
DHCP Scope Option 046, type in 0x8


   More specifics on how to configure DHCP Options:


        Configuring DHCP Options
        http://technet.microsoft.com/en-us/library/cc757682(WS.10).aspx


 


5. Allow a day or two for all the machines to register, and for the browser service to stabilize.
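Steps 2 and 4 above, scripted as an added example (this is not code from the original post). It assumes constructed values: the WINS server is 192.168.5.200, the DHCP scope is 192.168.5.0, and the DhcpServer PowerShell module is available (Windows Server 2012 or newer); it is run elevated on the server that holds both roles.

```powershell
# Added example, not from the original post: script Steps 2 and 4 above.
# Assumptions (all constructed for illustration): this WINS server is 192.168.5.200,
# the DHCP scope is 192.168.5.0, and the DhcpServer PowerShell module is present
# (Windows Server 2012 or newer). Run elevated on the server that holds both roles.

$WinsServerIp = '192.168.5.200'   # constructed: this server's own address
$ScopeId      = '192.168.5.0'     # constructed: scope that should hand out WINS

# Step 2: the WINS server's NIC points ONLY to itself. SetWINSServer replaces the
# whole WINS list; the empty second argument leaves no secondary server.
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
       Where-Object { $_.IPAddress -contains $WinsServerIp }
if (-not $nic) { throw "No enabled adapter carries $WinsServerIp" }
$rc = ($nic.SetWINSServer($WinsServerIp, '')).ReturnValue
if ($rc -ne 0) { throw "SetWINSServer failed with return code $rc" }

# Step 4: scope options 044 (WINS/NBNS server list) and 046 (NetBIOS node type).
# 0x8 is the node type the post specifies (h-node); -Value takes strings, so 8 is passed.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 44 -Value $WinsServerIp
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 46 -Value 8

# On Windows Server 2003/2008, which lack the DhcpServer module, the same two
# options can be set with netsh (assumed equivalent, not taken from the post):
#   netsh dhcp server scope 192.168.5.0 set optionvalue 044 IPADDRESS 192.168.5.200
#   netsh dhcp server scope 192.168.5.0 set optionvalue 046 BYTE 8

# Read the scope back so the change can be checked before clients renew.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId |
    Where-Object { $_.OptionId -eq 44 -or $_.OptionId -eq 46 } |
    Format-Table OptionId, Name, Value -AutoSize
```

If more than one WINS server should be offered to clients, pass them to option 044 in the order you want clients to try them, as the post describes; the server's own NIC still gets only its own address.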
 




 


Multiple Sites or Locations


If you have a remote Site, for example across a VPN tunnel, you can safely configure all the machines in the other sites to use the central Site. However, to reduce WAN traffic, and in case the VPN/WAN link goes down, you may want to set up a WINS server at the other site. You can then configure the remote Site WINS server as a replication partner with the WINS server in your location.


If you have more than one Site, you can configure multiple partnerships. However, to ensure WINS functionality, you don’t want to create a “mesh.” In this case, you would be better off creating a Star topology, with the Central Site being the center of the star and each remote site partnered with the Central Site.


 


 


How to setup a WINS Replication Partnership



To add replication partners, open the WINS console, then click and expand the Server name. Under it you will see “Replication Partners.” 


Right-click Replication Partners, choose Add
Type in the WINS server’s IP address that you want to make a replication partner.
Choose both Push and Pull partnership


You can leave the rest at defaults, but here are some specifics about the settings in case you’re curious:


The “Configure” button is used to set replication intervals, retry counts, and the number of changes before sending updates. The WINS Configuration menu controls the following:


Renewal interval – Default of 96 hours; sets the amount of time within which a client must renew its name.
Extinction interval – Default of 96 hours; the time between when a name is released and when it is marked as extinct.
Extinction time-out – Default of 96 hours with a 24-hour minimum; the time between when a name is marked as extinct and when it is removed from the database.
Verify interval – Default of 576 hours (24 days); the interval at which WINS entries owned by other WINS servers are verified.


The “Advanced” button allows the following selections:


Logging enabled – To log Events in the Event Viewer
Log Detailed Events – Increases logging specifics for troubleshooting. 
Replicate Only with Partners – Enabled by default, this will allow a pull server to send to WINS servers.
Backup On Termination – When WINS Manager is closed, the database is backed up. 
Migrate On/Off – Static entries are changed to dynamic when a conflict between a static and dynamic entry is found. 
Starting Version Count – Only needed if the database becomes corrupt. Each database is identified by an ID Number. 
Database Backup Path – A local path for database backups




WINS Multi-Partner Replication Design Guidelines


  1. Each WINS server must only point to itself in the ipconfig /all (network card settings). This is a must, or it will cause problems with WINS records ownership and trying to replicate records.
  2. For any replication partnership, it’s recommended to create a PUSH & PULL partnership at the time of creation, and not just a PULL partner or a PUSH partner. This ensures that all records get replicated.
  3. If you must add a replication PUSH or PULL after the fact, because it was not added at the time of creation, then your choice is either to delete and recreate the partnership as a PUSH/PULL, or to manually add it in the registry. The preferred choice is to remove and recreate the partnership.
  4. With multiple WINS servers, choose a HUB & SPOKE topology. Do not choose a MESH design, or expect numerous problems and errors, such as EventIDs 4102, 4243, 4242, and 4286 messages.
  5. Make absolutely sure TCP 42 and all AD ports are opened and fully allowed between all partners.
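An audit for guidelines 1 and 5, as an added example (not part of the original post). The server names and addresses are constructed; it assumes WMI access to each WINS server and that the auditing host runs Windows 8 / Server 2012 or newer for Test-NetConnection. Run it from the hub so the TCP 42 check reflects the hub-to-spoke path.

```powershell
# Added example, not from the original post: check each WINS server against
# guideline 1 (points only to itself) and guideline 5 (TCP 42 reachable).
# Assumptions: constructed inventory below; WMI access to each server;
# Test-NetConnection available (Windows 8 / Server 2012 or newer).

$WinsServers = @(          # constructed sample inventory: hub first, spokes after
    @{ Name = 'NYC-WINS1'; IP = '192.168.5.200' },
    @{ Name = 'NYC-WINS2'; IP = '192.168.5.201' },
    @{ Name = 'CHI-WINS1'; IP = '192.168.6.200' }
)

function Test-WinsSelfPointing {
    # Guideline 1: the NIC lists the server's own address as primary WINS and nothing as secondary.
    param([string]$ComputerName, [string]$ExpectedIp)
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $ComputerName -Filter "IPEnabled = TRUE"
    $nic  = $nics | Where-Object { $_.IPAddress -contains $ExpectedIp }
    if (-not $nic) { return "no adapter carries $ExpectedIp" }
    if ($nic.WINSPrimaryServer -ne $ExpectedIp) { return "primary WINS is '$($nic.WINSPrimaryServer)', expected itself" }
    if ($nic.WINSSecondaryServer)                { return "secondary WINS '$($nic.WINSSecondaryServer)' must be empty" }
    return 'OK'
}

function Test-WinsReplicationPort {
    # Guideline 5: TCP 42 (WINS replication) must be open from this host to the partner.
    param([string]$Ip)
    $r = Test-NetConnection -ComputerName $Ip -Port 42 -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
}

foreach ($s in $WinsServers) {
    [pscustomobject]@{
        Server       = $s.Name
        IP           = $s.IP
        SelfPointing = Test-WinsSelfPointing -ComputerName $s.Name -ExpectedIp $s.IP
        Tcp42        = Test-WinsReplicationPort -Ip $s.IP
    }
} | Format-Table -AutoSize
```

Any row whose SelfPointing column is not OK is a candidate source of the ownership and replication errors the guidelines warn about; a BLOCKED Tcp42 column means the partnership cannot replicate from the auditing host regardless of how it is configured.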



More info on WINS Replication Errors:


Troubleshooting WINS error event ID 4102, 4243, 4242, and 4286 messages
http://support.microsoft.com/kb/321208 




The difference between push and pull partners:


  • PUSH partners will “push” a change as soon as it occurs.
  • PULL partnerships run on a schedule.


I hope the following diagram will clear things up. Notice the purple IPs and how each server points only to itself for WINS in its ipconfig. Also notice there are two WINS servers in NYC. The one on the left is the central WINS HUB, and the one on the right is a “spoke” partner just like all the others in the other sites.


[Diagram: hub-and-spoke WINS replication topology; image not reproduced here]






WINS Partners and the DHCP Lease Length


With multiple WINS servers you also want to be careful on how short the DHCP Lease is.


Keep in mind with a DHCP lease, a DHCP client will attempt to renew its lease at 50% of the lease period. If it fails at that point after a certain time out period, it will retry at 87.5% of the lease.


When a DHCP client acquires a new config or renews its current config, it will re-register or refresh its WINS registration. This will cause a replication request between WINS server partners. However, if the DHCP lease is, say, one day, the WINS servers just can’t keep up with the constant changes, especially in a Mesh topology.


If you shorten the lease to something along the lines of one day, or even 4 hours (as I’ve seen some installations have done), keep tabs on any WINS errors that may be generated. It’s suggested the default 8 day DHCP Lease period is sufficient for most needs, including laptops that come and go even just for a day.



Side note: DHCP – DNS registration duplicates with short leases

If you notice that you are seeing duplicate DNS registrations for laptops that frequently come and go, you can configure DHCP to own the records. This way, when a laptop comes back online and acquires a new lease, it will not create a duplicate, and once DHCP is configured to own all records it registers, it can update the laptop’s current entry with the new IP.


More information on this and how to configure it can be found in the following blog.


DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the DnsProxyUpdate Group (How to remove and prevent future duplicate DNS host records)
http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx


 




Browser Service Elections


I mentioned Master Browser elections earlier. When someone sitting at a workstation, server, or DC chooses to “browse” for something in the Neighborhood, the machine contacts the Master Browser on the subnet. If one does not exist, it sends out an election packet so it can become the Master Browser for the subnet. Which machine wins depends on the operating system version and the services installed: the PDC Emulator wins hands down; if the PDC Emulator is not available, a replica DC; if that is not available, a member server; and if none is available, a workstation, where a newer operating system wins over an older one. Therefore, if you do not have at least one server on that subnet, one of the workstations will win. This can be prevented by setting a registry entry on each workstation in the subnet. The registry entry to prevent workstations from attempting to become a Domain Master Browser and compete with Domain Controllers:


Change the value “AUTO” to “FALSE” (without the quotes) in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList


However, I do not suggest changing this setting on domain controllers or servers.
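A way to roll the MaintainServerList change out to workstations only, skipping any DC or server as advised above, as an added example (not code from the original post). The computer names are constructed and it assumes admin rights and remote WMI access on them. The post writes FALSE; Microsoft’s TechNet page on MaintainServerList (linked further down in the post) lists the accepted strings as Yes, No and Auto, so the script writes No.

```powershell
# Added example, not from the original post: apply the MaintainServerList change to
# workstations only, skipping any DC or server as the post advises. Assumptions:
# the computer names are constructed, the account has admin rights on them, and
# remote WMI is reachable. The post writes FALSE; Microsoft's page for this value
# lists the accepted strings as Yes, No and Auto, so No is written here.

$Workstations = 'WS01', 'WS02', 'WS03'   # constructed sample names
$KeyPath   = 'SYSTEM\CurrentControlSet\Services\Browser\Parameters'
$ValueName = 'MaintainServerList'
$HKLM      = 2147483650                   # HKEY_LOCAL_MACHINE for StdRegProv

function Set-BrowserNoElection {
    param([string]$ComputerName)

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName
    if ($os.ProductType -ne 1) {
        return "$ComputerName skipped: ProductType $($os.ProductType) is a DC or server"
    }

    $reg    = [wmiclass]"\\$ComputerName\root\default:StdRegProv"
    $before = ($reg.GetStringValue($HKLM, $KeyPath, $ValueName)).sValue
    $rc     = ($reg.SetStringValue($HKLM, $KeyPath, $ValueName, 'No')).ReturnValue
    if ($rc -ne 0) { return "$ComputerName: registry write failed, code $rc" }

    # The Computer Browser service reads the value at start, so restart it to apply.
    Get-Service -ComputerName $ComputerName -Name Browser | Restart-Service
    return "$ComputerName: MaintainServerList '$before' -> 'No'"
}

$Workstations | ForEach-Object { Set-BrowserNoElection -ComputerName $_ }
```

The ProductType guard is what keeps the change off DCs and servers even if one slips into the input list; the script records the previous value so the change can be reversed.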


More info on possible Browser Service errors you may encounter if separating workstations on a separate subnet, such as an EventID 8003, as well as info on the registry setting, can be found in the following links:


Event ID 8003, Source Name: Browser
http://eventid.net/display.asp?eventid=8003&eventno=1918&source=Browser&phase=1


Event ID 8003, Source Name: MRxSmb
http://eventid.net/display.asp?eventid=8003&eventno=680&source=MRxSmb&phase=1


How to Fix Master Browser (MRxSmb) Event ID 8003 errors
http://www.hightechdad.com/2007/05/09/how-to-fix-master-browser-mrxsmb-event-id-8003-errors/


8003 browsing errors with UDP forwarding:
http://support.microsoft.com/kb/135464/en-us


Windows 2000 Professional Workstations (and newer) on Microsoft Networks and the Browser Service Details, Browser Service Browsing Roles, the Browser Election Process, as well as info on Publishing Objects in Active Directory:
http://technet.microsoft.com/en-us/library/cc977266.aspx


Windows Browser Registry entry “MaintainServerList” settings information:
http://technet.microsoft.com/en-us/library/cc722044(WS.10).aspx


 


Suggestions, corrections and comments are welcomed.


Ace Fekay

EDNS0 (Extension mechanisms for DNS)



Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer


Published 10/11/2010
Updated 6/27/2011 – Added link.
Updated 6/20/2012 –


 


Preface


Windows 2003 and newer operating systems support EDNS0 (Extension mechanisms for DNS). The first set of EDNS0 extensions was published in 1999 by the Internet Engineering Task Force as RFC 2671.


EDNS0 supports a UDP query response larger than 512 bytes. Using the legacy method, UDP was used only as long as the DNS query was under 512 bytes; over 512 bytes, it switched to TCP. EDNS0 allows UDP responses up to the full 1500 bytes, bypassing the extra step of switching to TCP and hence increasing efficiency.


 


Here’s a quick nslookup command to test whether EDNS0 is restricted by your firewall:
nslookup -type=TXT rs.dns-oarc.net


Or if you want to test a specific DNS server for EDNS0 support, whether an internal or external DNS server, use the following method:


c:\>nslookup
> server 4.2.2.2 <—- you can change this IP to whatever DNS server you want to test for EDNS0 support
> set q=txt
> rs.dns-oarc.net


Look for the part in the response that says “…DNS reply size limit is at least xxxx.” The xxxx is what it will support. If it’s under 512, then something is blocking EDNS0, or the Forwarder you are using is blocking it or is not configured to use EDNS0.


 


Should I disable it because my firewall doesn’t support it?


Good question. Of course the proper answer is no: upgrade either the firewall IOS or the firewall itself so it supports EDNS0 traffic. Older firewalls that do not support it, or newer ones that do support it but haven’t been enabled to allow this type of traffic, will look at it as a DNS attack.


It’s recommended to upgrade your router/firewall to support the new industry standard, but as a workaround, you can disable this feature in Windows 2003 by using dnscmd (available by installing the support tools from the Windows 2003 CDROM):


dnscmd /config /enableednsprobes 0


I would rather enable it on the firewall or upgrade the firewall, instead of having to disable it on each individual DNS server. Or you can simply configure a Forwarder to your ISP, which will bypass your legacy firewall’s lack of EDNS0 support. However, if strictly using Root Hints, the recommendation is to upgrade the firewall.


 


Cisco PIX and ASA EDNS0 support


The Cisco PIX and ASA models, which I am familiar with, do support EDNS0; however, it’s not enabled by default out of the box. You’ll need to run a command to enable it, or enable it within the PDM GUI. In the following examples, using a command line while telnetted into an ASA, I’ve set the maximum-length to 1280 bytes, because 1280 bytes was the recommendation in the original IETF draft. However, if using DNSSEC, you’ll need to bump it higher.


To support proper resolution and to support DNSSEC, set the max UDP size to 4096:


fixup protocol dns maximum-length 4096
fixup protocol dns 4096


Cisco ASA 55xx series (assuming the latest IOS 8.3.2ED and newer)
   Configuration
     Firewall
       Advanced
         Objects
           Inspect Maps
             DNS
               If a “preset_dns_map” policy doesn’t exist:
                   Click Add
                   Type in preset_dns_map
                   Next to “Security Level,” click the Details button
                   Select the Filter tab
                   Change “Maximum Packet Length” from 512 to 4096
                   Click OK
                   File, “Save Running Configuration to Flash” (also suggest saving it to TFTP)
               If a “preset_dns_map” policy does exist:
                   Right-click “preset_dns_map”
                   Choose “Edit”
                   Next to “Security Level,” click the Details button
                   Select the Filter tab
                   Change “Maximum Packet Length” from 512 to 4096
                   Click OK
                   File, “Save Running Configuration to Flash” (also suggest saving it to TFTP)
 


Or


For ASA 55xx series up to 8.3 (8.3 and newer is different)
 policy-map type inspect dns preset_dns_map
  parameters
   message-length maximum 4096
 
And to increase the response size length:
Policy-map global_policy
  class inspection_default
   inspect dns preset_dns_map


 


For ASA 55xx series with 8.4 and newer:
policy-map type inspect dns EDNS0
 parameters
  message-length maximum 4096


policy-map global-policy
 class global-class
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip 
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect http
  inspect dns EDNS0 dynamic-filter-snoop
  inspect esmtp




For more information on Cisco’s IOS commands, please read the following link:
Preparing for DNSSEC: Best Practices, Recommendations, and Tips for Successful Implementation
http://www.cisco.com/web/about/security/intelligence/dnssec.html  


Cisco PIX / ASA and DNSSEC problem approaching on May 5th?
(This link has info on the ASA and PIX commands for EDNS0):
https://supportforums.cisco.com/thread/2013390


 


More info on DNSSEC and EDNS0:


Windows client and server operating system compatibility with DNSSEC enabled root servers.
“Per RFC 4035, UDP packet sizes up to 1220 bytes MUST be supported and packets up to 4000 bytes SHOULD be supported. Windows Server 2008 R2 uses a default packet size of 4096 bytes by default. “
http://support.microsoft.com/kb/2028240


In my opinion, it should be set to 4096.


 


I have problems accessing or resolving Yahoo, AOL, Hotmail and a number of other sites


The reason why Yahoo, AOL and other domains have resolution issues is that some of these domains have a huge amount of data, so the response is larger than 512 bytes, and the firewall or router does not support EDNS0.


The solution is to enable EDNS0 support in the edge firewall. If it doesn’t support it or the IOS can’t be upgraded to support it, it must be replaced. A Forwarder can overcome the EDNS0 limitation.


 


DNS not able to resolve some domains such as .UK.


If DNS is not able to resolve TLDs such as .uk, there is a workaround. The easiest is to use Forwarders. There are other workarounds, but I would suggest Forwarders as the easiest; keep in mind there are many pros and cons with Forwarders, and one of the cons is that many corporate SLAs do not allow them.


Can’t access any .co.uk sites from our Windows network (using Windows 2008 DNS).
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24214068.html


2008 DNS Cannot resolve names in certain top level domains like .co.uk.
http://blogs.technet.com/essentialbusinessserver/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx


Windows Server 2008 DNS Servers may fail to resolve queries for … (Feb 25, 2009): When name resolution is provided by root hints, Windows Server 2008 DNS may … domains like .co.uk, .cn, and .br, but is not limited to these domains.
http://support.microsoft.com/kb/968372


 


Upgrading to Windows 2008 R2?


Also, when upgrading to Windows 2008 R2, it will not revert to TCP, which eliminates the issue when attempting a query. The only fix for this is to either disable EDNS0 or use a Forwarder to an ISP. I suggest using a Forwarder because I do not agree with disabling EDNS0 just to make it work for the few DNS servers out there that do not support it. EDNS0 has been around since 1998, and if no one has bothered to update their name server to support the latest industry standards, I do not feel that we should disable a service to accommodate those servers, especially since EDNS0 was designed to improve resolution efficiency and adds some security enhancements. Simply creating a Forwarder will take care of the problem. More info on 2008 R2 in the following link, but as I said, I do not agree with disabling the feature on the server.


Windows Server 2008 R2 DNS Issues
http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx


There are more articles cited in the Related Links section below with more information on EDNS0.


 


How to use NSLOOKUP to test EDNS0


You can test if EDNS0 is working or not by using nslookup with the set vc option, which forces TCP only. This will also tell you if the response goes through as TCP and not UDP.


For an example query, you can use nslookup to query for Yahoo’s MX records. You will be able to see how large the response is. If you count each line, (each line is 80 bytes), it’s more than 512 bytes. If you see a 10 line response when using the set vc switch, but don’t when you run nslookup by default, then it’s clearly an EDNS0 issue.


EDNS0 packet sizes


Keep in mind, non-EDNS0 is limited to UDP packets of 512 bytes. Nslookup and queries in general, default to UDP, and Windows 2003 defaults to using UDP & EDNS0.


Keep in mind, EDNS0 uses UDP packets sizes up to 1280 bytes by default. If the response doesn’t have your answer in that size of a response, then the query you’re looking for probably doesn’t exist.


nslookup
> set q=mx   (this changes the query type to search for Mail Exchanger (MX) records)
> microsoft.com


Does a response return or does it error out?
If it errors out, try yahoo.com. If that errors out too, try the following commands:


> set vc       (the “set vc” switch forces nslookup to use TCP)


> yahoo.com
Server:  london.nwtraders.msft
Address:  192.168.5.200


Non-authoritative answer:
yahoo.com       MX preference = 1, mail exchanger = mx2.mail.yahoo
yahoo.com       MX preference = 1, mail exchanger = mx3.mail.yahoo
yahoo.com       MX preference = 5, mail exchanger = mx4.mail.yahoo
yahoo.com       MX preference = 1, mail exchanger = mx1.mail.yahoo


yahoo.com       nameserver = ns5.yahoo.com
yahoo.com       nameserver = ns1.yahoo.com
yahoo.com       nameserver = ns2.yahoo.com
yahoo.com       nameserver = ns3.yahoo.com
yahoo.com       nameserver = ns4.yahoo.com
mx2.mail.yahoo.com      internet address = 67.28.114.35
mx2.mail.yahoo.com      internet address = 67.28.114.36
mx2.mail.yahoo.com      internet address = 4.79.181.13
mx2.mail.yahoo.com      internet address = 64.156.215.8
mx3.mail.yahoo.com      internet address = 64.156.215.5
mx3.mail.yahoo.com      internet address = 64.156.215.6
mx3.mail.yahoo.com      internet address = 4.79.181.12
mx3.mail.yahoo.com      internet address = 64.156.215.18
mx4.mail.yahoo.com      internet address = 66.218.86.156
mx4.mail.yahoo.com      internet address = 67.28.113.19
mx4.mail.yahoo.com      internet address = 68.142.202.11
mx4.mail.yahoo.com      internet address = 68.142.202.12
mx1.mail.yahoo.com      internet address = 67.28.113.11
mx1.mail.yahoo.com      internet address = 4.79.181.14
mx1.mail.yahoo.com      internet address = 4.79.181.15
mx1.mail.yahoo.com      internet address = 67.28.113.10
ns5.yahoo.com   internet address = 216.109.116.17
ns1.yahoo.com   internet address = 66.218.71.63
ns2.yahoo.com   internet address = 66.163.169.170
ns3.yahoo.com   internet address = 217.12.4.104
ns4.yahoo.com   internet address = 63.250.206.138
>


If you see the above response with the set vc and not before it or only a partial set before using the set vc switch, then it is clearly an EDNS0 issue on the router.


The set vc switch tells nslookup to use TCP instead of UDP. If it works with the vc switch and not without it, then it is an EDNS0 block. I provided hotmail.com as an example because its response is definitely greater than 512 bytes. You can also leave the query type at its default instead of setting it to ‘mx’ when you invoke nslookup, and then try aol.com, microsoft.com, or yahoo.com as examples with large responses.
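The two manual checks in this post (the rs.dns-oarc.net reply-size probe near the top, and the UDP-versus-TCP MX comparison just above), scripted with Resolve-DnsName as an added example (not code from the original post). It assumes Windows 8 / Server 2012 or newer for Resolve-DnsName, and reuses the post’s own server address 4.2.2.2 and domain yahoo.com; run it from a client behind the firewall you want to check.

```powershell
# Added example, not from the original post: script both EDNS0 checks the post
# performs by hand with nslookup. Assumptions: Resolve-DnsName is available
# (Windows 8 / Server 2012 or newer); the server 4.2.2.2 and domain yahoo.com
# are the post's own examples, and the 512-byte threshold is as described above.

function Get-EdnsReplySizeLimit {
    # Queries the rs.dns-oarc.net TXT probe and extracts "DNS reply size limit is at least NNNN".
    param([string]$Server)
    $txt = Resolve-DnsName -Name rs.dns-oarc.net -Type TXT -Server $Server -ErrorAction Stop
    foreach ($s in ($txt | ForEach-Object { $_.Strings })) {
        if ($s -match 'reply size limit is at least (\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-EdnsBlocked {
    # Mirrors the post's nslookup check: a large MX answer that arrives over TCP
    # ("set vc") but not over UDP points at an EDNS0 / packet-size restriction in the path.
    param([string]$Server, [string]$Domain = 'yahoo.com')
    $udp = $null; $tcp = $null
    try { $udp = Resolve-DnsName -Name $Domain -Type MX -Server $Server -DnsOnly -ErrorAction Stop } catch {}
    try { $tcp = Resolve-DnsName -Name $Domain -Type MX -Server $Server -DnsOnly -TcpOnly -ErrorAction Stop } catch {}

    if ($tcp -and -not $udp) {
        $verdict = 'EDNS0 / large UDP replies blocked'
    } elseif ($tcp -and $udp -and @($tcp).Count -gt @($udp).Count) {
        $verdict = 'UDP answer smaller than TCP answer; check EDNS0'
    } elseif ($udp) {
        $verdict = 'OK'
    } else {
        $verdict = 'no answer over UDP or TCP (not an EDNS0 symptom)'
    }

    [pscustomobject]@{
        Server     = $Server
        Domain     = $Domain
        UdpRecords = @($udp).Count
        TcpRecords = @($tcp).Count
        Verdict    = $verdict
    }
}

$server = '4.2.2.2'
$limit  = Get-EdnsReplySizeLimit -Server $server
"Reply size limit reported by rs.dns-oarc.net via {0}: {1}" -f $server, $limit
if ($limit -and $limit -lt 512) {
    'WARNING: limit under 512 bytes; EDNS0 is being blocked, or the forwarder is not using it'
}
Test-EdnsBlocked -Server $server | Format-Table -AutoSize
```

The TcpOnly switch is the scripted equivalent of the post’s set vc; the probe result and the MX comparison together separate a firewall that drops large UDP replies from a server that simply does not answer at all.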


 


Related Links


EDNS: What is all about?
By Chris Spanougakis, MCT, MVP DS
http://spanougakis.wordpress.com/2011/05/01/edns-what-is-all-about-2/


An External DNS Query May Cause an Error Message in Windows Server 2003:
http://support.microsoft.com/?id=828731


Some DNS Name Queries Are Unsuccessful After You Upgrade Your DNS Server to Windows Server 2003:
http://support.microsoft.com/?id=832223


Using Extension Mechanisms for DNS (EDNS0)
“The OPT record is sent from the querying DNS server when it sends out a query to another DNS server, where the packet tells the other DNS server that it supports UDP and what its max supported packet size is.”
http://technet.microsoft.com/en-us/library/cc785769(WS.10).aspx




In summary: Don’t disable it.


Questions, comments, corrections, and suggestions are welcomed!
Ace Fekay

Remove an Old DC and Introduce a New DC with the Same Name and IP Address



Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer


Original Publication: 10/9/2010
Edited 10/19/2010 – Added an additional step in case you are introducing a new 2008 or 2008 R2 DC into a 2003 environment



Applies to Windows 2000, 2003, 2003 R2, 2008, 2008 R2



Preface


This question has arisen from time to time in the Microsoft Public NNTP Newsgroups and Microsoft Social Forums. I’ve put together a set of steps over the years. Each time I post the steps, I’ve found I’ve needed to refine them or explain certain steps. As time has gone by, and questions have arisen on some of the steps, I’ve tried to add that information into the steps. This procedure has grown to the point where I believe I’ve covered most of what’s involved and needed in most scenarios.


Comments, suggestions and corrections are more than welcomed. If I’ve missed something, based on your feedback, I will promptly add them to the list.



Scenario:


6 DCs, 2 in SiteA, 4 in SiteB
One of the DCs in SiteA will be replaced with a DC with the same name and IP.
DHCP installed and needs to be migrated to new DC.
All DCs are DNS servers.
All DCs are GCs.



Basic Steps are:


1. If you are replacing the DC with new hardware but keeping your current Windows 2003 DCs and not introducing a Windows 2008 or Windows 2008 R2 DC into the environment, you can skip this step and go to Step 2.


Otherwise, if you are introducing a 2008 or 2008 R2 DC into your current 2003 environment, please see the following links (one has a step by step with screenshots). You must await replication if you need to do this step. To quicken replication after this step, do Step #2, then Step #12.


Running Adprep.exe:
http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx


Windows Server 2008 ADPREP (With step by step screenshots)
http://www.petri.co.il/windows-server-2008-adprep.htm


2. Optional – Drop the default intrasite DC-to-DC notification time from the default 5 minutes to 30 seconds. I normally don’t make this change and simply wait around 10 minutes. This is part of what you can call the “patience” factor. If you want to force the intrasite intervals, here’s how.


There are two settings you can change: the initial notification delay (the pause after a change before the first replication partner is notified), and the pause between notifying successive partners. In a Windows 2000 forest these default to 5 minutes and 30 seconds respectively; in a forest at the Windows Server 2003 forest functional level or higher the defaults are already 15 seconds and 3 seconds, so this change only buys you something in older forests. If you want, you can lower the initial notification delay to 30 seconds and leave the pause between partners at its default, since that’s fine.


Keep in mind, this is a registry setting change. Remember to have a backup prior to this, as well as to export the portion of the registry you’re modifying so you have a copy of it.


You can use the following article to show you how to change these settings.


How to Modify the Default Intra-Site Domain Controller Replication Interval
http://support.microsoft.com/kb/214678


3. If you have a number of locations and you’ve defined and created AD Sites to optimize replication and logon/authentication traffic, you would want to drop the intersite replication interval on the site link(s) to 15 minutes, the minimum the console accepts. That’s performed in AD Sites & Services, under Inter-Site Transports > IP, on the site link’s properties. The following shows you how.


How to change the interSite Replication Interval (with screenshots):
http://windowspeople.com/index2.php?option=com_content&task=emailform&id=159&itemid=1
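The registry export, the two notification timers from Step 2 and the site link interval from Step 3, with the revert for Step 29, as a script. This is an added example written for this page, not code from the original post or from KB 214678; the value names and the siteLink attribute are the documented ones, while the site link name DEFAULTIPSITELINK, the backup path and the 15 minute interval are assumptions for the example. Run it elevated on the DC whose notification timers you want to change.

```powershell
$ntdsKeyPS  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsKeyReg = 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$notifyAfterModify = 'Replicator notify pause after modify (secs)'   # delay before the first partner is notified
$notifyBetweenDsas = 'Replicator notify pause between DSAs (secs)'   # delay between notifying successive partners
$backupFile = "C:\Temp\NTDS-Parameters-$(Get-Date -Format yyyyMMdd-HHmmss).reg"   # assumed path

function Backup-NtdsParameters {
    # Step 2's advice: export the key before touching it so Step 29 can put it back exactly.
    New-Item -ItemType Directory -Path (Split-Path $backupFile) -Force | Out-Null
    reg.exe export $ntdsKeyReg $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export of $ntdsKeyReg failed" }
    $backupFile
}

function Set-IntrasiteNotifyDelay {
    param([int]$AfterModifySeconds = 30)
    # Only the initial delay is lowered; the pause between partners stays at its default.
    Set-ItemProperty -Path $ntdsKeyPS -Name $notifyAfterModify -Value $AfterModifySeconds -Type DWord
    Get-ItemProperty -Path $ntdsKeyPS | Select-Object $notifyAfterModify, $notifyBetweenDsas
}

function Set-SiteLinkInterval {
    param([string]$SiteLinkName = 'DEFAULTIPSITELINK', [int]$Minutes = 15)
    # replInterval is the intersite replication interval in minutes; 15 is the smallest the console accepts.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $link = [ADSI]"LDAP://CN=$SiteLinkName,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
    $old  = $link.replInterval.Value
    $link.Put('replInterval', $Minutes)
    $link.SetInfo()
    "{0}: replInterval {1} -> {2} minutes" -f $SiteLinkName, $old, $Minutes
}

function Restore-NtdsParameters {
    param([Parameter(Mandatory=$true)][string]$FromFile)
    # Step 29: remove the override (so the built-in default applies again if the value did not
    # exist before), then re-import the saved key so any value that did exist comes back unchanged.
    Remove-ItemProperty -Path $ntdsKeyPS -Name $notifyAfterModify -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $ntdsKeyPS -Name $notifyBetweenDsas -ErrorAction SilentlyContinue
    reg.exe import $FromFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import of $FromFile failed" }
}

# Before the work (Steps 2 and 3):
$saved = Backup-NtdsParameters
Set-IntrasiteNotifyDelay -AfterModifySeconds 30
Set-SiteLinkInterval -SiteLinkName 'DEFAULTIPSITELINK' -Minutes 15

# After everything has replicated (Step 29), put the defaults back:
# Restore-NtdsParameters -FromFile $saved
# Set-SiteLinkInterval -SiteLinkName 'DEFAULTIPSITELINK' -Minutes 180
```

Keep the path printed by Backup-NtdsParameters; it is the only copy of the key's previous state, and the revert depends on it.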


4. Make sure all of your DCs (in this site and all other sites, whether a single domain or a multi-domain forest) are GCs. Making all DCs GCs avoids the Infrastructure Master/GC conflict and provides better GC availability for services that depend on it, such as the logon process and, especially, Exchange.


Open Active Directory Sites & Service,
Drill down and expand the AD Site name the domain controller exists in
Click on the DC’s name
In the right window pane, you will see “NTDS Settings”
Right-click NTDS Settings, Choose Properties
Under the General tab, check the Global Catalog checkbox
Check each DC in the site to make sure they are all GCs


5. Install the new server. Get the machine up to date with the latest SP, hotfixes and updates.


6. If this is Windows 2003, copy the i386 folder to the C: drive and integrate the latest SP into it. If this is 2008, 2008 R2, or newer, this is not necessary and you can skip this step.


This step helps when adding new Windows 2003 services through Add/Remove Windows Components. Simply point to this folder for the source files, and you won’t need to re-run the SP to get the new services up to date.


Example: C:\SP2\i386\update\update /s:C:\ (this command assumes the i386 folder is in the root of the C: drive; if it’s under another folder, specify that parent folder after the /s switch).


How to integrate Windows XP Service Pack 2 files into the Windows XP installation folder
(Same exact steps for Windows 2003)
http://support.microsoft.com/kb/900871


7. Set new server to use the other DC in SiteA as DNS and WINS.


If WINS is installed on the DC being replaced, you’ll need to migrate it to another server first. Read more in this link:
How to migrate a WINS Database from Windows 2000-based WINS server (Applies to all Windows 2000 and newer Windows versions)
http://support.microsoft.com/kb/875419


8. Change the DNS client settings on the DC being replaced to point to another DC in the same Site.


9. Make sure Exchange 2003 is not using this DC for OAB or RUS. Change it to another DC if this is the case. If Exchange 2007 or 2010, Exchange will automatically discover the change.


If Exchange is installed on the DC, this introduces a huge complexity and would involve moving the Exchange installation to another Exchange server first. Read the following for more information:


Exchange on a Domain Controller – Ramifications and How to Move Exchange off a DC  
Published by acefekay on Aug 8, 2009 at 7:00 PM 
http://msmvps.com/blogs/acefekay/archive/2009/08/08/moving-from-exchange-2000-currently-on-a-windows-2000-domain-controller-to-a-new-exchange-2003-server-on-a-windows-2003-member-server.aspx


10. If DHCP is installed, export the DHCP database off the DC in preparation to migrate to the new DC.


How to move a DHCP database from a computer that is running Windows 2003 (Also applies to newer versions)
http://support.microsoft.com/kb/325473


How to migrate a DHCP database from Windows 2000 Server to Windows Server 2008 or Windows Server 2008 R2 (Microsoft Networking blog, Nov 9, 2009)
http://blogs.technet.com/b/networking/archive/2009/11/09/how-to-migrate-a-dhcp-database-from-windows-2000-server-to-windows-server-2008-or-windows-server-2008-r2.aspx


11. Transfer FSMO roles to another DC in the same Site, or to a DC of your choosing, preferably in the same site.


How to view and transfer FSMO roles in Windows Server 2003 using the GUI
http://support.microsoft.com/kb/324801


Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
http://support.microsoft.com/kb/255504


How to view and transfer FSMO roles in the graphical user interface (describes the five Flexible Single Master Operations roles)
http://support.microsoft.com/kb/255690


Transferring FSMO Roles – How can I transfer some or all of the FSMO Roles from one DC to another? (Ntdsutil.exe and GUI methods)
http://www.petri.co.il/transferring_fsmo_roles.htm


12. Run dcpromo and demote the DC, leaving “This server is the last domain controller in the domain” unchecked. Then restart.


Removing a Domain Controller from a Domain
Updated: January 5, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/cc771844(WS.10).aspx


Demote a domain controller: Active Directory
Updated Jan 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx


13. Allow replication to occur. If your site links are still at the default (180 minutes), wait at least 3 hours; otherwise wait about 20 minutes if you previously changed them to 15 minutes (Step 3). You can also force replication using repadmin if you want:


repadmin /syncall – initiates replication with all partners
repadmin /syncall /A /e /P (/A Synchronizes all partitions on the DC you’re running it on, /e Synchronizes partitions across all Sites, /P Forces a “Push” that pushes changes outwards instead of the default to pull changes)


Also, to check replication status:


To see if anything is in the queue waiting for replication:
Run “repadmin /queue *”


Find out what the replication latency is, if any. If it’s less than a few minutes, you’re fine.
Run “repadmin /showutdvec server-name dc=mydomain,dc=lab /latency”


Repadmin
Updated: August 22, 2005
A complete list of switches with details and usage.
Applies To: Windows Server 2003 R2 (However, the switches apply to 2008 and 2008 R2 as well.)
http://technet.microsoft.com/en-us/library/cc778305(WS.10).aspx


You can also use the Replmon GUI for Windows 2000 and 2003, but it’s no longer available for 2008 or newer.
Getting Over Replmon – Ask the Directory Services Team, Jul 1, 2009
With the release of Windows Server 2008, Replmon was not included.
http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx
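The repadmin check from Step 13 (and the same check in Step 7 of the orphaned-DC post further down) read by script rather than by scrolling, so you can see at once whether any DC still fails inbound replication or still names the removed DC. This is an added example written for this page, not code from the original post; it uses only repadmin.exe switches that exist on 2003 R2 and newer, and “OLD-DC” is a sample name.

```powershell
function Get-ReplicationReport {
    # /showrepl * /csv emits one row per inbound connection on every DC in the forest;
    # data rows carry "showrepl_INFO" in the first column, errors carry other markers.
    repadmin.exe /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { $_.'showrepl_COLUMNS' -eq 'showrepl_INFO' } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status', 'Last Success Time'
}

function Get-ReplicationFailures {
    Get-ReplicationReport | Where-Object { [int]$_.'Number of Failures' -gt 0 }
}

function Get-StaleReplicationPartners {
    # Connections that still reference a DC that was demoted or removed.
    param([Parameter(Mandatory=$true)][string]$OldDcName)
    Get-ReplicationReport | Where-Object {
        $_.'Source DSA' -ieq $OldDcName -or $_.'Destination DSA' -ieq $OldDcName
    }
}

function Wait-ReplicationQueue {
    # Polls "repadmin /queue *" until every DC reports "Queue contains 0 items" or the timeout passes.
    param([int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $pending = repadmin.exe /queue * | Select-String 'Queue contains (\d+) items' |
                   ForEach-Object { [int]$_.Matches[0].Groups[1].Value } | Measure-Object -Sum
        if ($pending.Sum -eq 0) { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    return $false
}

repadmin.exe /syncall /A /e /P | Out-Null     # push the change to every DC in every site
if (-not (Wait-ReplicationQueue)) { Write-Warning 'Replication queue did not drain; check the failures below' }
Get-ReplicationFailures | Format-Table -AutoSize
Get-StaleReplicationPartners -OldDcName 'OLD-DC' | Format-Table -AutoSize
```

An empty table from Get-StaleReplicationPartners is the result you want before moving on to the DNS and Sites & Services checks in Steps 15 and 16; a row there means a DC still has a connection object pointing at the demoted server.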



14. Rename the now demoted DC to something else, or keep it unplugged.


15. Check DNS to make sure its references (the same-as-parent A record for the LdapIpAddress, and the GC records under _msdcs) are gone.


16. Check AD Sites & Services to make sure its server object is gone. If not, delete the server object.


Open Active Directory Sites & Service,
Drill down and expand the AD Site name the domain controller exists in
Right-Click on the DC’s name
Choose Delete (or hit the delete key)


17. Check ADUC, Domain Controllers OU, to make sure it’s gone. You should now find the old DC’s computer object in the Computers container.


18. Rename the new server to the old DC’s name.


19. Change the new server’s IP to the old DC’s IP.


20. Run dcpromo. Select to install DNS (if not already installed).  Then Restart.


How do I install Active Directory on my Windows Server 2003 server?
http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm


How to Install Active Directory on Windows Server 2003, May 19, 2005
http://technet.microsoft.com/en-us/…/aa998088(EXCHG.65).aspx


When you run Dcpromo.exe to create a replica domain controller, you receive one of the following error messages
http://support.microsoft.com/kb/232070


If you are introducing a newer Operating System version, you’ll need to run ADPREP:


Running Adprep.exe:
http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx


Windows Server 2008 ADPREP (With step by step screenshots)
http://www.petri.co.il/windows-server-2008-adprep.htm



21. Allow it to come up. Wait about 5 – 10 minutes after it has restarted and logged in.


22. Check DNS to make sure that the LdapIpAddress registered and a Nameserver entry was created.


23. Go into AD Sites and Services and make sure you see the new DC in your Site and there are connection objects to another DC that the KCC created.


24. While in AD Sites and Services, make it a GC. It’s the preferred method now to make all DCs GCs in an infrastructure, whether there is one domain or multiple domains in the forest. This will alleviate the well-known Infrastructure Master and Global Catalog contention issue.


Open Active Directory Sites & Service, 
Drill down and expand the AD Site name the domain controller exists in
Click on the DC’s name
In the right window pane, you will see “NTDS Settings”
Right-click NTDS Settings, Choose Properties
Under the General tab, check the Global Catalog checkbox


25. Run ipconfig /registerdns and restart the Netlogon service. Wait 5-10 minutes, then check DNS for the _ldap._tcp.gc._msdcs.domain.com SRV record (and the gc._msdcs.domain.com A record) to see if it registered as a GC. If it’s not there yet, wait a few more minutes. Be patient. Hit F5 to refresh the console until you see it.


26. Check ADUC, look in the Domain Controllers OU for the new DC’s entry.


27. Change the new DC’s DNS client settings to its own IP address (itself). Delete the 127.0.0.1 entry. Make the other DC in SiteA the second DNS entry. This is the preferred setting: all DCs point to themselves as the first entry, and to another DC in their own Site as the second. If there are no other DCs in its Site, choose one across the WAN with the fastest link.


28. If any Forwarders were configured in DNS, you will need to manually re-enter them.


29. If applicable, revert back any and all changes you made earlier regarding Site replication settings and intrasite DC to DC settings.


30. If you haven’t done so already, go have a cold or hot beverage of your choosing. You should be good to go.


 


 


All Comments, Suggestions or Corrections are welcomed!
Ace Fekay

Remove a Current Operational Domain Controller from Active Directory



Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer


Original Publication: 10/9/2010
Updated 12/27/2011 – added time service configuration info.


 


Preface



I’ve written this blog because this question has come up numerous times in the forums, newsgroups, and from colleagues. There are other very well qualified blogs, posts and tech articles on these steps. I thought I would outline the steps, adding links for each appropriate step to explain how to do it if one is not sure of the steps.


Keep in mind, you can’t simply unplug a DC and be done with it, such as you could do in the Windows NT4 days. There are numerous ramifications involved with a domain controller in the AD database and AD functionality. Other DCs will still think it’s there and will try to replicate to it because it’s still in the AD database. You must remove it properly.


Now if the domain controller has been unplugged and offline for more than the tombstone lifetime (60 days for forests created with Windows 2000 or Windows 2003 SP0 media, 180 days for forests created with Windows 2003 SP1 or newer; a forest that was upgraded in place keeps the value it was created with), you will need to run a Metadata Cleanup to remove the DC. This is because AD garbage-collects deleted objects (tombstones) after that period, so a DC that has not replicated for longer than the tombstone lifetime is no longer a valid replication partner and cannot be cleanly demoted.


If I’ve omitted any basic or necessary steps, please do comment and let me know. All comments and suggestions are welcome!


 


If the DC has been unplugged for more than the Tombstone Lifetime



If it has been unplugged for longer than the tombstone lifetime, with Windows 2003 or newer you can either run a simple dcpromo /forceremoval to remove AD from the DC, or reinstall the DC from scratch. Either way, you will need to run a Metadata Cleanup procedure. Do not reconnect it to the production network as a DC first: a DC that is past the tombstone lifetime can reintroduce lingering objects.


Restart the DC OFF the network
On this DC, run “DCPROMO /FORCEREMOVAL”
Run the Metadata Cleanup procedure on a current DC to remove its references
If you want to reintroduce the old server, you can then promote it back to a DC



Once you’ve done the above, run the Metadata Cleanup Procedure. Here are some links to guide you


How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498


Clean up server metadata: Active Directory, Mar 2, 2005
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx


Script to run Metadata Cleanup Procedure:
Script to Remove Active Directory Domain Controller Metadata
Microsoft: The Scripting Guys, Published on 8/10/2009
http://gallery.technet.microsoft.com/ScriptCenter/en-us/d31f091f-2642-4ede-9f97-0e1cc4d577f3


Delete Failed DCs from Active Directory
This link put together by Dan Petri, includes screen shots.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm


 



To remove a current operational DC within the tombstone lifetime, the basic steps are



Reminder: Do this during off-production hours. This will allow time for changes to replicate in the AD and DNS infrastructure prior to users logging on the next production day.


1. Change the DNS addresses on the DC to point to an existing DC/DNS server in the same AD Site. If no other DCs in the Site, choose a DC in another Site with a fast link.


2. If DHCP is installed, export the DHCP database off the DC in preparation to migrate to the new DC.


How to move a DHCP database from a computer that is running Windows 2003 (Also applies to newer versions)
http://support.microsoft.com/kb/325473


How to migrate a DHCP database from Windows 2000 Server to Windows Server 2008 or Windows Server 2008 R2 (Microsoft Networking blog, Nov 9, 2009)
http://blogs.technet.com/b/networking/archive/2009/11/09/how-to-migrate-a-dhcp-database-from-windows-2000-server-to-windows-server-2008-or-windows-server-2008-r2.aspx
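The netsh export and import that KB 325473 describes, for this Step 2 and for Step 10 of the replacement post above, wrapped with the checks a practitioner wants around them: nothing is stopped until the export has succeeded, the old service is disabled so it cannot hand out leases again after a reboot, and the AD authorization is moved with the database. This is an added example written for this page, not code from the original posts or the KB; “OLD-DC”, “NEW-DC”, the addresses and the share path are sample values. Run the first function on the old DC and the second on the new DHCP server.

```powershell
function Export-DhcpFromOldServer {
    param([string]$ExportFile = '\\NEW-DC\C$\Temp\dhcp-export.txt')   # sample path on the new server's admin share
    New-Item -ItemType Directory -Path (Split-Path $ExportFile) -Force | Out-Null
    netsh.exe dhcp server export $ExportFile all            # scopes, options, reservations and leases
    if ($LASTEXITCODE -ne 0) { throw 'netsh dhcp server export failed; nothing has been changed' }
    # Stop leasing from this server so the two databases cannot diverge, and keep it
    # stopped across the reboots that follow the demotion.
    Stop-Service DHCPServer
    Set-Service DHCPServer -StartupType Disabled
}

function Import-DhcpOnNewServer {
    param(
        [string]$ImportFile    = 'C:\Temp\dhcp-export.txt',
        [string]$OldServerFqdn = 'OLD-DC.domain.com', [string]$OldServerIp = '10.0.0.5',
        [string]$NewServerFqdn = 'NEW-DC.domain.com', [string]$NewServerIp = '10.0.0.7'
    )
    if (-not (Get-Service DHCPServer -ErrorAction SilentlyContinue)) {
        throw 'Install the DHCP Server role first (Add/Remove Windows Components, or ServerManagerCmd -install DHCP on 2008)'
    }
    Start-Service DHCPServer                               # netsh import talks to the running service
    netsh.exe dhcp server import $ImportFile all
    if ($LASTEXITCODE -ne 0) { throw 'netsh dhcp server import failed' }
    Restart-Service DHCPServer
    # In an AD domain an unauthorized DHCP server refuses to lease: move the authorization
    # to the new server and revoke the old one (skipped when the name and IP are being reused).
    if ($NewServerFqdn -ne $OldServerFqdn -or $NewServerIp -ne $OldServerIp) {
        netsh.exe dhcp add server $NewServerFqdn $NewServerIp
        netsh.exe dhcp delete server $OldServerFqdn $OldServerIp
    }
    netsh.exe dhcp show server          # only the intended servers should be listed as authorized
    netsh.exe dhcp server show scope    # every scope from the old server should appear
}
```

The export file holds reservations (MAC addresses) and live leases, so leave it on an administrator-only path and delete it once the new server is serving.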


3. If WINS is installed, you’ll need to migrate it to another server. Read more in this link:


How to migrate a WINS Database from Windows 2000-based WINS server (Applies to all Windows 2000 and newer Windows versions)
http://support.microsoft.com/kb/875419


4. Disable the Global Catalog service from the domain controller.


Open Active Directory Sites & Service, 
Drill down and expand the AD Site name the domain controller exists in
Click on the DC’s name
In the right window pane, you will see “NTDS Settings”
Right-click NTDS Settings, Choose Properties
Under the General tab, uncheck the Global Catalog checkbox


5. If this domain controller currently holds one or more FSMO operations master roles, transfer the operations master roles to another domain controller before demoting it. You can allow dcpromo to transfer the roles automatically; however, they may land on a DC you did not intend. Doing it yourself lets you transfer the roles to a specific DC.


How to view and transfer FSMO roles in Windows Server 2003 using the GUI
http://support.microsoft.com/kb/324801


Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
http://support.microsoft.com/kb/255504


How to view and transfer FSMO roles in the graphical user interfaceThere are five Flexible Single Master Operations (FSMO) roles in a Windows …
http://support.microsoft.com/kb/255690


Transferring FSMO Roles – How can I transfer some or all of the FSMO Roles from one DC to another?
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or …
http://www.petri.co.il/transferring_fsmo_roles.htm


6. If you transfer the PDC Emulator FSMO role to the new DC, you will need to configure the time service on the new PDC.


On the new PDC Emulator (where ‘peers’ is one or more Internet time sources such as time-a.nist.gov or time.windows.com):
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update


On the old PDCEmulator:
w32tm /config /syncfromflags:domhier /update


After that run the following on all DCs:
net stop w32time
net start w32time


The “peers” are typed directly on the command line: a space-separated list of DNS names or IP addresses of reliable time sources (enclose the whole list in quotes if there is more than one); w32tm does not read the list from a file. Each peer can carry a mode flag, such as ,0x8 for NTP client mode. I normally use 192.5.41.41. Check http://www.pool.ntp.org for time servers in your own locale.


On your edge firewall, make sure the new PDC Emulator can send UDP port 123 to the time source and receive the replies (outbound NTP with the return traffic allowed statefully). You do not need to open inbound UDP 123 from the Internet to the DC; it is the client in this exchange.


For more Windows Time Service specifics and troubleshooting, check the following:


Configuring the Windows Time Service for Windows 2000, 2003, 2008 and newer, explanation of the time service hierarchy, and more
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
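The w32tm commands from Step 6 applied according to which DC actually holds the PDC Emulator, so the same script can be run on every DC after a transfer, and again after the seizure described in the orphaned-DC post below. This is an added example written for this page, not code from the original post; the peer list is an assumption (0x8 marks each peer as an NTP client-mode peer), and the PDC Emulator is looked up through .NET so it works on 2003 through 2008 R2 without the ActiveDirectory module.

```powershell
function Set-DcTimeHierarchy {
    param(
        # Space-separated peer list, each with a mode flag. Sample values, not a recommendation.
        [string]$ManualPeers = 'time.nist.gov,0x8 time.windows.com,0x8'
    )
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdce   = $domain.PdcRoleOwner.Name                         # FQDN of the current PDC Emulator
    $self   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($self -ieq $pdce) {
        # Top of the domain time hierarchy: take time from the external peers and advertise as reliable.
        w32tm.exe /config /manualpeerlist:"$ManualPeers" /syncfromflags:manual /reliable:yes /update
    } else {
        # Every other DC, including a former PDC Emulator: follow the domain hierarchy again.
        w32tm.exe /config /syncfromflags:domhier /reliable:no /update
    }
    Restart-Service w32time                  # the "net stop / net start w32time" from the post
    w32tm.exe /resync /rediscover
    New-Object PSObject -Property @{ Computer = $self; PdcEmulator = $pdce; IsPdcEmulator = ($self -ieq $pdce) }
}

function Show-TimeSourceStatus {
    # /query exists on 2008 and newer; on Windows 2003 use "w32tm /monitor" instead.
    w32tm.exe /query /source
    w32tm.exe /query /status
}

Set-DcTimeHierarchy -ManualPeers 'time.nist.gov,0x8 time.windows.com,0x8'
Show-TimeSourceStatus
```

On the PDC Emulator the source reported by w32tm /query /source should be one of the peers; on every other DC it should be the PDC Emulator or another DC, never “Local CMOS Clock”, which would mean that DC is not following the hierarchy.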


7. Make sure Exchange 2003 is not using this DC for OAB or RUS. Change it to another DC if this is the case. If Exchange 2007 or 2010, Exchange will automatically discover the change.


If Exchange is installed on the DC, this introduces a huge complexity and would involve moving the Exchange installation to another Exchange server first. Read the following for more information:


Exchange on a Domain Controller – Ramifications and How to Move Exchange off a DC  
Published by acefekay on Aug 8, 2009 at 7:00 PM 
http://msmvps.com/blogs/acefekay/archive/2009/08/08/moving-from-exchange-2000-currently-on-a-windows-2000-domain-controller-to-a-new-exchange-2003-server-on-a-windows-2003-member-server.aspx


8. Run dcpromo. Leave “This server is the last domain controller in the domain” unchecked. Allow it to restart. If you are not sure how, or which options to choose, read the following links.


Removing a Domain Controller from a Domain
Updated: January 5, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/cc771844(WS.10).aspx


Demote a domain controller: Active Directory
Updated Jan 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2     
http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx


9. Go to an existing DC and check DNS to make sure its references (the LdapIpAddress same-as-parent A record and the GC records) are gone.


Check the _msdcs.domain.com zone: the gc._msdcs.domain.com A record (GcIpAddress), the _ldap._tcp.gc._msdcs.domain.com SRV record, and the _ldap._tcp.dc._msdcs.domain.com and _kerberos._tcp.dc._msdcs.domain.com SRV records
If any of them still names the old DC, delete that record.


Check the domain.com zone
If an entry for “(same as parent) A <oldIpAddress>” exists, delete it.


10. Check the domain.com and the _msdcs.domain.com zones for the old DC’s NS (name server) record to make sure it no longer exists. If it still shows:


Right-click the zone and choose Properties
Choose the Name Servers tab
Highlight the old entry
Click Remove, and confirm the prompt asking whether you are sure you want to delete it
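A way to list the domain controllers that DNS still advertises, run from a remaining DC, so that Steps 9 and 10 here (and Step 15 of the replacement post) can be checked as “the old DC appears nowhere”, and Steps 22 and 25 of the replacement post as “the new DC appears everywhere it should”. This is an added example written for this page, not code from the original posts; it parses nslookup.exe output so it runs on 2003 through 2008 R2 with no extra modules. “domain.com”, “OLD-DC”, “NEW-DC” and 10.0.0.5 are sample values.

```powershell
function Get-AdvertisedDcs {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [string]$DnsServer = $env:COMPUTERNAME     # DNS server to query: a remaining DC
    )
    $found = @{}   # hostname -> record names that still point at it

    # SRV records: every DC registers under dc._msdcs, every GC under gc._msdcs.
    $srvNames = "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain",
                "_ldap._tcp.gc._msdcs.$Domain"
    foreach ($rr in $srvNames) {
        $out = nslookup.exe -type=SRV $rr $DnsServer 2>$null
        foreach ($m in ($out | Select-String 'svr hostname\s*=\s*(\S+)')) {
            $dc = $m.Matches[0].Groups[1].Value.TrimEnd('.').ToLower()
            $found[$dc] += @($rr)
        }
    }
    # NS records in the domain zone and in the _msdcs zone (Step 10).
    foreach ($zone in $Domain, "_msdcs.$Domain") {
        $out = nslookup.exe -type=NS $zone $DnsServer 2>$null
        foreach ($m in ($out | Select-String 'nameserver\s*=\s*(\S+)')) {
            $dc = $m.Matches[0].Groups[1].Value.TrimEnd('.').ToLower()
            $found[$dc] += @("NS $zone")
        }
    }
    # Same-as-parent A records (LdapIpAddress) and gc._msdcs A records (GcIpAddress). These go
    # through this machine's own resolver, so run the script on a DC that points at $DnsServer.
    $addresses = @{}
    foreach ($name in $Domain, "gc._msdcs.$Domain") {
        try   { $addresses[$name] = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }) }
        catch { $addresses[$name] = @() }
    }
    New-Object PSObject -Property @{ Hosts = $found; Addresses = $addresses }
}

function Test-DcInDns {
    # $true when any SRV or NS record names the DC, or any A record carries its address.
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [Parameter(Mandatory=$true)][string]$DcName,
        [string]$DcIp,
        [string]$DnsServer = $env:COMPUTERNAME
    )
    $adv    = Get-AdvertisedDcs -Domain $Domain -DnsServer $DnsServer
    $lower  = $DcName.ToLower()
    $byName = @($adv.Hosts.Keys | Where-Object { $_ -eq $lower -or $_ -like "$lower.*" })
    $byIp   = @()
    if ($DcIp) { $byIp = @($adv.Addresses.Keys | Where-Object { $adv.Addresses[$_] -contains $DcIp }) }
    foreach ($h in $byName) { Write-Host ("{0,-30} {1}" -f $h, ($adv.Hosts[$h] -join ', ')) }
    foreach ($n in $byIp)   { Write-Host ("{0,-30} A {1}" -f $n, $DcIp) }
    return ($byName.Count + $byIp.Count) -gt 0
}

# Demotion (Steps 9 and 10): nothing should still point at the old DC.
if (Test-DcInDns -Domain 'domain.com' -DcName 'OLD-DC' -DcIp '10.0.0.5') {
    Write-Warning 'Stale records for OLD-DC remain; delete them as described in Steps 9 and 10.'
}
# Promotion (Steps 22 and 25 of the replacement post): the new DC must have registered.
if (-not (Test-DcInDns -Domain 'domain.com' -DcName 'NEW-DC')) {
    Write-Warning 'NEW-DC has not registered yet; run ipconfig /registerdns, restart Netlogon and wait.'
}
```

Each line printed for the old DC names the exact record (SRV, NS or A) that still has to be deleted by hand in the DNS console; the GC SRV record is the one to watch for when confirming a new GC.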


11. Check AD Sites & Services to make sure its server object is gone. If not, delete the server object.


Open Active Directory Sites & Service,
Drill down and expand the AD Site name the domain controller exists in
Right-Click on the DC’s name
Choose Delete (or hit the delete key)


12. Check ADUC, Domain Controllers OU, to make sure it’s gone. You should now find the old DC’s computer object in the Computers container.


13. On the remaining DCs, check that the DNS client settings no longer reference the demoted DC. The preferred setting is for each DC to point to its own IP address (itself) as the first entry (not 127.0.0.1) and to another DC in its own Site as the second. If there are no other DCs in its Site, choose one across the WAN with the fastest link. The demoted server is now a member server and should simply point at a remaining DC.
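An audit-and-fix script for the DNS client order on the DCs, for Step 13 here and Step 27 of the replacement post: it flags any remaining DC that still lists the removed DC as a resolver, and sets a DC to “itself first, partner in its own Site second” with 127.0.0.1 dropped. This is an added example written for this page, not code from the original posts; it uses WMI so it runs on 2003 through 2008 R2, and the computer names and addresses are sample values.

```powershell
function Get-DcDnsClientOrder {
    param([string[]]$ComputerName)
    foreach ($dc in $ComputerName) {
        $nics = Get-WmiObject -ComputerName $dc -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
        foreach ($nic in $nics) {
            New-Object PSObject -Property @{
                Computer   = $dc
                Adapter    = $nic.Description
                IPv4       = @($nic.IPAddress | Where-Object { $_ -notmatch ':' })
                DnsServers = @($nic.DNSServerSearchOrder)
            }
        }
    }
}

function Set-DcDnsClientOrder {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$PartnerDcIp
    )
    $nics = Get-WmiObject -ComputerName $ComputerName -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $self  = @($nic.IPAddress | Where-Object { $_ -notmatch ':' })[0]      # this adapter's IPv4 address
        # Itself first, partner second; 127.0.0.1 and duplicates dropped.
        $order = @($self, $PartnerDcIp) | Where-Object { $_ -and $_ -ne '127.0.0.1' } | Select-Object -Unique
        $result = $nic.SetDNSServerSearchOrder([string[]]$order)
        if ($result.ReturnValue -ne 0) {
            throw "SetDNSServerSearchOrder on $ComputerName ($($nic.Description)) returned $($result.ReturnValue)"
        }
        Get-DcDnsClientOrder -ComputerName $ComputerName
    }
}

$remainingDcs = 'DC1', 'DC3'       # sample: the DCs that stay
$removedDcIp  = '10.0.0.5'         # sample: the demoted DC's address

# Any remaining DC that still resolves through the removed DC will fail name resolution
# (and therefore logons and replication lookups) as soon as that server is gone.
Get-DcDnsClientOrder -ComputerName $remainingDcs |
    Where-Object { $_.DnsServers -contains $removedDcIp } |
    ForEach-Object { Write-Warning "$($_.Computer) still points at removed DC $removedDcIp" }

# Fix one DC: itself first, its Site partner second.
Set-DcDnsClientOrder -ComputerName 'DC1' -PartnerDcIp '10.0.0.6'
```

After changing the order on a DC, run ipconfig /registerdns on it so its own records are refreshed against the new resolver.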


14. Go have a cold or hot beverage of your choosing. You should be good to go.


 


All comments, corrections and suggestions are welcome!


Ace Fekay

Complete Step by Step to Remove an Orphaned Domain Controller



Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer


Published 10/5/2010
Revamped  11/3/2010 – Changed the steps to make more sense and easier to follow


 


Preface


I think at this time you’re probably thinking, “What, another blog on how to remove an Orphaned DC?” I know. There are many out there, and I commend all the ones I’ve read. I thought to put together a complete step by step with all the little nuances that are involved, with links and explanations. If I’ve forgotten any, I do hope someone is kind enough to post a comment indicating so, or even if I’ve made a mistake. I would do the same.


In a nutshell, I wrote this in response to questions that have come up numerous times in the AD NNTP newsgroups and Microsoft Social Forums. The question isn’t usually asked directly, because in some cases some may not have realized these steps are required; rather, how to remove an orphaned DC is normally a response after diagnosing a specific DC or replication issue, such as not being able to introduce a new DC with the same name as a failed one, or a DC was lost and there are numerous Event log replication errors, as well as DCDIAG and other errors, to something as simple as having run the procedure but having forgotten a step or two.


To point out, many of the steps were taken from the following link, but I’ve extrapolated the steps and added additional information, links, and explanations.


How to remove completely orphaned Domain Controller
http://support.microsoft.com/kb/555846


 


Should I repair the DC or simply dump it and create a new one?


Good question. In many cases, whenever a DC is lost, the easiest and simplest way is to simply dump the machine, clean up AD and rebuild it using the same name. Compared to doing a restore, this is the simplest procedure and will save time, because it’s much faster. However, just to add, if any application or service is installed on the DC, it adds complexity, especially if Exchange was installed on it. Needless to say, as many are aware of or have already heard, it’s recommended never to install Exchange on a DC. See the next section, where I posted a link that explains this in greater detail.


Of course the decision to dump the failed DC and rebuild a new one with the same name is a sound and proven popular decision; however, this assumes there are no applications or major services installed and running, or files to be restored, on the DC. Normally we do not recommend installing additional apps or services other than DNS, WINS and/or DHCP. If there are, then of course the apps, services, files, etc., must be reinstalled, reconfigured, or restored.




Was Exchange on the DC?


As mentioned in the Preface, one thing I like to point out is that if Exchange is on a DC (besides not wanting to reiterate that this is not a recommended option), hopefully you have a full backup of the Exchange Information Store and of the DC System State, because both would have to be restored. Hopefully as well you have two separate backups, one of each, and not both in the same backup job, otherwise you may find the Exchange backup is useless to restore. More about Exchange on a DC in the following link. It’s not a DC/Exchange restore link; rather it explains why you wouldn’t want to install Exchange on a DC and the ramifications, as long as it’s not SBS, which is designed to allow Exchange on it. Read more if this applies to your scenario:


Exchange on a Domain Controller – Ramifications and How to Move Exchange off a DC  
Published by acefekay on Aug 8, 2009 at 7:00 PM 
http://msmvps.com/blogs/acefekay/archive/2009/08/08/moving-from-exchange-2000-currently-on-a-windows-2000-domain-controller-to-a-new-exchange-2003-server-on-a-windows-2003-member-server.aspx


 


Were there any applications or services installed?


Was DHCP installed?


If you don’t have a backup that you can retrieve the DHCP database, your best bet is to reinstall DHCP services and start from scratch. If you do have a backup and can restore the DHCP files, follow this link:


How to move a DHCP database from a computer that is running Windows 2003 (Also applies to newer versions)
 http://support.microsoft.com/kb/325473


How to migrate a DHCP database from Windows 2000 Server to Windows Server 2008 or Windows Server 2008 R2 (Microsoft Networking blog, Nov 9, 2009)
http://blogs.technet.com/b/networking/archive/2009/11/09/how-to-migrate-a-dhcp-database-from-windows-2000-server-to-windows-server-2008-or-windows-server-2008-r2.aspx


Was WINS installed?


If you don’t have a backup that you can retrieve the WINS database, your best bet is to reinstall WINS services and start from scratch. If the WINS server had a partner, you can possibly use that to reinitiate the database. If you do have a backup and can restore the WINS files, follow this link:


How to migrate a WINS Database from Windows 2000-based WINS server (Applies to all Windows 2000 and newer Windows versions)
http://support.microsoft.com/kb/875419


Was DNS installed?


No worries as long as the zones were AD Integrated. They’ll just replicate over from another DC automatically. There’s no need to manually create the zones; if you do create them manually while they are AD Integrated, you’ll introduce a duplicate zone issue in the AD database, and cleaning that up is another topic.


Any other applications or services installed?


Depending on the application or service installed, hopefully you’ll have either a backup that you can retrieve the files from, or you’ll have to reinstall. For any third party application, you’ll need to refer to the documentation or contact the vendor for assistance.



Basic High-Level steps


1. Run a Metadata Cleanup
2. Remove the old computer in “Active Directory Sites and Services.”
3. Remove old DNS and WINS records of the orphaned Domain Controller.
4. If Windows 2000, use “ADSIEdit” to remove old computer records from the Active Directory.
5. Force Active Directory replication


 


 



Steps Broken Down with a Low-Level Description


1. Make sure at least one of the current live DCs is a GC. It’s actually recommended to make all DCs GCs, whether in a single-domain or multi-domain forest. This way it alleviates issues with the IM/GC conflict. Many large installations have been using this design successfully without issues. As a matter of fact, Exchange likes it.


Global Catalog vs. Infrastructure Master:
“If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs”
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx


Enable or disable a global catalog: Active Directory
Jan 21, 2005 … Select the Global Catalog check box to enable the global catalog, or clear the check box to disable the global catalog. …
http://technet.microsoft.com/en-us/library/cc758330(WS.10).aspx


How to create or move a global catalog in Windows Server 2003 (same in 2008 & 2008 R2)
http://support.microsoft.com/kb/313994


 


2. Use the following knowledge base article to run a Metadata Cleanup to remove the common Domain Controller objects and settings from Active Directory.


A. For Windows 2003


NTDSUTIL in Windows 2003 SP1 and newer automatically removes the computer account and FRS objects from Active Directory, but if you like, you can still use these steps to ensure the objects were removed.


How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498


 


B. For Windows 2000, you must use ADSIEdit to remove the computer account and the FRS member object from Active Directory.


Use ADSIEdit to delete the computer account. To do this, follow these steps:

1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
2. Expand the Domain NC container.
3. Expand DC=Your Domain Name, DC=COM, PRI, LOCAL, NET.
4. Expand OU=Domain Controllers.
5. Right-click CN=domain controller name, and then click Delete.

If you receive the “DSA object cannot be deleted” error message when you try to delete the object, change the UserAccountControl value. To change the UserAccountControl value, right-click the domain controller in ADSIEdit, and then click Properties. Under Select a property to view, click UserAccountControl. Click Clear, change the value to 4096, and then click Set. You can now delete the object.

Note: The FRS subscriber object is deleted when the computer object is deleted because it is a child of the computer account.

Use ADSIEdit to delete the FRS member object. To do this, follow these steps:

1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
2. Expand the Domain NC container.
3. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
4. Expand CN=System.
5. Expand CN=File Replication Service.
6. Expand CN=Domain System Volume (SYSVOL share).
7. Right-click the domain controller you are removing, and then click Delete.

 



C. For Windows 2008 and Windows 2008 R2:


In 2008 and 2008 R2 the cleanup can be done entirely from the GUI: deleting the failed DC’s computer object in ADUC, or its NTDS Settings object in AD Sites & Services, performs the metadata cleanup for you (ntdsutil still works as well). However, you’ll still want to follow the rest of the steps to seize FSMOs, force replication, check DNS & WINS, etc.


Cleanup Server Metadata Windows 2008 (GUI Based)
http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx


Active Directory Metadata Cleanup (For Windows 2008 or newer – with screen shots)
By Meinolf Weber, MVP
http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx


 


Optional Script For Windows 2000, 2003, 2008, and 2008 R2


If you are reluctant to use ntdsutil at the command line, you can use the script Microsoft published specifically to run the Metadata Cleanup for you:
Remove Active Directory Domain Controller Metadata (Microsoft) – Applies to all Windows Server Versions (2000, 2003, 2003 R2, 2008, 2008 R2, SBS 2003 & SBS 2008)
http://gallery.technet.microsoft.com/ScriptCenter/en-us/d31f091f-2642-4ede-9f97-0e1cc4d577f3
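A search for everything in AD that still references the orphaned DC after the metadata cleanup in Step 2: the server object under Sites, the computer account, the FRS and DFSR SYSVOL member objects, and connection objects on other DCs whose fromServer still names the old DC’s NTDS Settings. This is an added example written for this page, not code from the original post or from the Microsoft script linked above; it uses System.DirectoryServices only, so it runs on 2003 through 2008 R2 from any domain-joined machine with the rights to read the directory, and “OLD-DC” is a sample name.

```powershell
function Search-Ad {
    param([string]$Base, [string]$Filter, [string[]]$Properties = @('distinguishedName'))
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Base", $Filter)
    $searcher.PageSize = 500
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll()
}

function Find-DcLeftovers {
    param([Parameter(Mandatory=$true)][string]$DcName)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNC = $rootDse.defaultNamingContext.Value
    $configNC = $rootDse.configurationNamingContext.Value

    # Objects ntdsutil (2003 SP1+) or the 2008 GUI cleanup should have removed for us.
    $checks = @(
        @{ What = 'Server object (Sites and Services)'; Base = "CN=Sites,$configNC";   Filter = "(&(objectClass=server)(cn=$DcName))" },
        @{ What = 'Computer account';                   Base = $domainNC;              Filter = "(&(objectClass=computer)(cn=$DcName))" },
        @{ What = 'FRS SYSVOL member';                  Base = "CN=System,$domainNC";  Filter = "(&(objectClass=nTFRSMember)(cn=$DcName))" },
        @{ What = 'DFSR SYSVOL member (2008 DFSR)';     Base = "CN=System,$domainNC";  Filter = "(&(objectClass=msDFSR-Member)(cn=$DcName))" }
    )
    foreach ($c in $checks) {
        foreach ($r in (Search-Ad -Base $c.Base -Filter $c.Filter)) {
            New-Object PSObject -Property @{ What = $c.What; DistinguishedName = $r.Properties['distinguishedname'][0] }
        }
    }
    # Connection objects that still pull from the old DC. LDAP cannot wildcard a DN-syntax
    # attribute such as fromServer, so fetch them all and filter on the client side.
    $conns = Search-Ad -Base "CN=Sites,$configNC" -Filter '(objectClass=nTDSConnection)' -Properties 'distinguishedName', 'fromServer'
    foreach ($r in $conns) {
        if ($r.Properties['fromserver'][0] -like "*,CN=$DcName,CN=Servers,*") {
            New-Object PSObject -Property @{ What = 'Stale connection object (fromServer)'; DistinguishedName = $r.Properties['distinguishedname'][0] }
        }
    }
}

$left = @(Find-DcLeftovers -DcName 'OLD-DC')
if ($left.Count -eq 0) { 'No remaining references to OLD-DC in the directory' }
else { $left | Format-Table What, DistinguishedName -AutoSize }
```

Anything this lists is what Steps 5 and 6 below are meant to catch by hand; a stale connection object is the usual reason other DCs keep logging replication errors against a DC that no longer exists.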


 


3. If the failed DC held any of the FSMO roles, you need to seize the roles on another domain controller. Seizing is only for a DC that will never come back: if the old role holder is later brought back online, the domain ends up with two holders of the same role.


Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504


How to view and transfer FSMO roles in Windows Server 2003 using the GUI
http://support.microsoft.com/kb/324801
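Moving the FSMO roles by script, with a before/after check that they really landed on the intended DC: a transfer for the planned demotions (Step 11 of the replacement post and Step 5 of the demotion post) and a seizure for this Step 3. This is an added example written for this page, not code from the original posts or the KBs; it uses the Windows Server 2008 R2 ActiveDirectory module (which can also manage 2003 and 2008 DCs once the Active Directory Management Gateway Service is installed on them), and “DC2” is a sample name. The equivalent ntdsutil commands for older servers are in the closing comment.

```powershell
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    New-Object PSObject -Property @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory=$true)][string]$TargetDc,
        [string[]]$Roles = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'),
        [switch]$Seize
    )
    $before = Get-FsmoHolders
    if ($Seize) {
        # A seizure writes the role onto $TargetDc without asking the old holder. If that DC is ever
        # powered on again, two DCs claim the role (duplicate RID pools, conflicting schema changes).
        # Only use it when the old holder is permanently gone and will never be reconnected.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Roles -Force -Confirm:$false
    } else {
        # A transfer is negotiated with the current holder, so it only works while that DC is up.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Roles -Confirm:$false
    }
    $after = Get-FsmoHolders
    foreach ($r in $Roles) {
        "{0,-22} {1} -> {2}" -f $r, $before.$r, $after.$r
        if ($after.$r -ne $TargetDc -and $after.$r -notlike "$TargetDc.*") { Write-Warning "$r did not move to $TargetDc" }
    }
}

# Planned demotion: transfer everything to DC2.   Dead DC: add -Seize.
Move-FsmoRoles -TargetDc 'DC2'
netdom.exe query fsmo        # second opinion from a different tool

# ntdsutil equivalents for 2003 and newer (a confirmation dialog still pops up for each role):
#   ntdsutil "roles" "connections" "connect to server DC2" "quit" "transfer pdc" "quit" "quit"
#   ntdsutil "roles" "connections" "connect to server DC2" "quit" "seize rid master" "quit" "quit"
#   (other role keywords: "schema master", "naming master", "infrastructure master")
```

If the Infrastructure Master lands on a GC in a multi-domain forest, the IM/GC conflict mentioned in Step 1 applies unless every DC is a GC.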


 


4. If the failed DC held the PDC Emulator role, you need to configure a new authoritative time server in the domain. The first link is my blog with complete steps. It was compiled using the following two Microsoft KBs, among other links.


Configuring the Windows Time Service for Windows Server
Scroll down to the section “Transferring the PDC Emulator Role”
Published by acefekay on Sep 18, 2009
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx


How to configure an authoritative time server in Windows 2000
http://support.microsoft.com/kb/216734
 
How to configure an authoritative time server in Windows Server 2003
http://support.microsoft.com/kb/816042


 


5. Remove the old DC from the domain by using the “Active Directory Sites and Services” tool.


Open Active Directory Sites and Services
Expand the Sites folder
Select the site the old DC was in
Expand Servers
Delete the old DC name


 


6. Remove any old WINS records of the orphaned Domain Controller from the WINS database. If there are WINS replication partners, when you delete them, choose the “Tombstone” option.


Deletion of WINS Database Records
If WINS records deleted this way have been replicated to other WINS servers, these additional records will not be removed fully. The records on other WINS …
http://technet.microsoft.com/en-us/library/cc959263.aspx


Deleting and tombstoning records: Windows Internet Name Service (WINS)
Jan 21, 2005 … If the WINS records deleted in this way exists in WINS data replicated to other WINS servers on your network, these additional records are …
http://technet.microsoft.com/en-us/library/cc782886(WS.10).aspx


 


7. Force Active Directory replication by using “Repadmin.exe” tool.


Repadmin examples:


repadmin /syncall – initiates replication with all partners
repadmin /syncall /A /e /P (/A synchronizes all partitions on the DC you’re running it on, /e synchronizes partitions across all sites, /P forces a “push” that pushes changes outwards instead of the default, which is to pull changes)


Also, to check replication status:


To see if anything is in the queue waiting for replication:
Run “repadmin /queue *”


Find out what the replication latency is, if any. If it’s less than a few minutes, you’re fine.
Run “repadmin /showutdvec server-name dc=mydomain,dc=lab /latency”


You can also use the Replmon GUI version for Windows 2000 and 2003, but it’s no longer available for 2008 or newer.
Getting Over Replmon – Ask the Directory Services Team blog, Jul 1, 2009
With the release of Windows Server 2008 Replmon was not included …
http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx



Repadmin: More info as well as explanations on the specific repadmin switches


Repadmin
Updated: August 22, 2005
A complete list of switches with details and usage.
Applies To: Windows Server 2003 R2 (However, the switches apply to 2008 and 2008 R2 as well.)
http://technet.microsoft.com/en-us/library/cc778305(WS.10).aspx


Using Repadmin.exe to troubleshoot Active Directory replication
http://support.microsoft.com/kb/229896/


Initiating Replication Between Active Directory Direct Replication Partners
Written for Windows 2000, but works for Windows 2003, 2008 and 2008 R2
This article shows how to use repadmin and the necessary switches to force replication between specific or all partners in the infrastructure
http://support.microsoft.com/kb/232072


Troubleshooting replication
Updated: April 4, 2008
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc755349(WS.10).aspx


Repadmin
Updated: July 13, 2010
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008
http://technet.microsoft.com/en-us/library/cc770963(WS.10).aspx


Repadmin: Microsoft Technical Whitepaper (download link):
http://www.microsoft.com/downloads/details.aspx?familyid=c6054092-ee1e-4b57-b175-5aabde591c5f&displaylang=en


 


8. Go through DNS with a fine-toothed comb to delete all references to the old DC. You’ll need to delete records such as SRV, host (A), LdapIpAddress, and GcIpAddress.


Drill down into every record under both domain.local and _msdcs.domain.local.


Under the domain.local zone:


Delete the A (host record) for the failed DC
Delete the LdapIpAddress: Under domain.local, you will see a record such as (same as parent)  A  192.168.1.10 (using this IP as an example). Delete it.
Delete any reference in the DomainDnsZones. If the DomainDnsZones folder exists, expand it. Check and delete any reference to the failed DC’s FQDN and IP address.
Delete any reference in the ForestDnsZones. If the ForestDnsZones folder exists, expand it. Check and delete any reference to the old DC’s FQDN and IP address.


To make sure all records are gone, fully expand each folder under the domain.local zone, and delete any references you see such as for the kerberos and ldap SRV references. The subfolders are:


_sites
_tcp
_udp
domaindnszones
forestdnszones


Under the _msdcs.domain.local zone:


Delete the GcIpAddress: Click on the _gc._msdcs.domain.local folder. Delete the IP Address for the old DC.
Delete the DC’s GUID ALIAS: Click on _msdcs.domain.local. You will see an ALIAS record with a long GUID number as the name pointing to the old DC’s FQDN. Delete it.


To make sure all records are gone, fully expand each subfolder under the _msdcs.domain.local zone. Make sure you do not see any references to the failed DC. If so, please delete them. The subfolders are:


dc
domains
gc
pdc



9. Delete the NameServer reference in all DNS zones’ properties, Nameserver tab.


Right-click DNS server name, properties
Nameserver Tab
Remove the old DC FQDN and/or IP
Repeat for every zone that exists
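Steps 8 and 9 are easy to get wrong by hand because the same DC shows up as an A record, a GUID CNAME, dozens of SRV records and an NS entry spread over several zones. The following script is an added example (it is not from the original post) that audits every primary zone on a surviving DC/DNS server for anything still pointing at the failed DC, and only deletes what it found when you pass -Remove. It assumes the DnsServer PowerShell module (Windows Server 2012 or newer, or RSAT); the server names and the 192.168.1.10 address are placeholders.

```powershell
# Added example, not from the original post: audit every primary zone on a surviving
# DC/DNS server for leftover references to the failed DC (steps 8 and 9 above), and
# delete them only when -Remove is given. Assumes the DnsServer PowerShell module
# (Windows Server 2012 or newer / RSAT); all names and addresses are placeholders.
param(
    [string]$DnsServer    = 'dc2.domain.local',   # surviving DC/DNS server to query
    [string]$FailedDcFqdn = 'dc1.domain.local',   # FQDN of the orphaned DC
    [string]$FailedDcIp   = '192.168.1.10',       # its old IP (the post's example address)
    [switch]$Remove                               # report only unless explicitly asked
)

$fqdn = $FailedDcFqdn.TrimEnd('.').ToLowerInvariant()
function Test-Fqdn([string]$Value) { $Value.TrimEnd('.').ToLowerInvariant() -eq $fqdn }

$hits = foreach ($zone in Get-DnsServerZone -ComputerName $DnsServer | Where-Object ZoneType -eq 'Primary') {
    $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName -ErrorAction SilentlyContinue
    foreach ($rec in $records) {
        $d = $rec.RecordData
        $match = switch ($rec.RecordType) {
            'A'     { $d.IPv4Address.IPAddressToString -eq $FailedDcIp }  # host, LdapIpAddress, GcIpAddress
            'CNAME' { Test-Fqdn $d.HostNameAlias }                        # DSA GUID alias under _msdcs
            'SRV'   { Test-Fqdn $d.DomainName }                           # _ldap/_kerberos/_gc SRV under _sites/_tcp/_udp
            'NS'    { Test-Fqdn $d.NameServer }                           # zone Name Servers tab (step 9)
            'PTR'   { Test-Fqdn $d.PtrDomainName }                        # reverse zones
            default { $false }
        }
        if ($match) {
            [pscustomobject]@{ Zone = $zone.ZoneName; Name = $rec.HostName; Type = $rec.RecordType; Record = $rec }
        }
    }
}

# Report first; review the list before re-running with -Remove.
$hits | Select-Object Zone, Name, Type | Format-Table -AutoSize

if ($Remove) {
    foreach ($h in $hits) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $h.Zone -InputObject $h.Record -Force
    }
}
```

Run it once per replication scope (a DC that hosts the domain.local, _msdcs and reverse zones is enough for AD-integrated zones), re-run it after the deletions to confirm the report is empty, and then do the DNSLint check in step 10 as the independent second opinion.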



10. Run a DNSLINT report. Make sure the old DC is no longer listed anywhere in DNS. If it still is, go back to Steps #8 and #9.


Here are some links to understand how to use it.


Dnslint Overview: Domain Name System(DNS)
Prior to the development of DNSLint, the nslookup utility was frequently …
http://technet.microsoft.com/en-us/library/cc736981(WS.10).aspx


Support WebCast: Microsoft Windows: Using the DNSLint Utility
http://support.microsoft.com/?id=329982


Description of the DNSLint utility
Dec 3, 2007 … DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolution issues.
http://support.microsoft.com/kb/321045


How to use DNSLint to troubleshoot Active Directory replication issues
This article describes how to use the DNSLint utility to troubleshoot Active …
http://support.microsoft.com/kb/321046


 


 


Manually altering a DC to turn it into a non-DC


Last but not least: years ago, before the /forceremoval switch existed, when a DC could not be demoted but you wanted to keep the machine intact afterwards, someone posted the steps to manually rip out the pieces that make a DC a DC. FWIW, here they are:


 


14 easy manual steps to make a DC a non-DC


Some have posted this as 12 steps, 13 steps or 14 steps. They are the same steps. Some have combined multiple tasks, but they are the same.


Keep in mind, unless it was changed, this is not supported by Microsoft. I believe there was a KB on it at one time, but I don’t have the KB#. If you follow this, keep in mind, this posting is AS-IS and offers no guarantees and confers no rights from Microsoft or myself. Here are a couple of links explaining the steps, as well as the steps posted below.


This was archived at this site from an old Newsgroup post I made back in 3/11/2003:
http://www.pcreview.co.uk/forums/manually-remove-ad-t1448839p2.html


Remove failed DC from AD manually… Never been easier (step by step with screen shots)
Unlike Windows 2000 and 2003, Windows 2008 & Windows 2008 R2 have new GUI tools to remove a failed DC from the AD database.
http://fawzi.wordpress.com/2010/11/11/remove-failed-dc-from-ad-manually-never-been-easier/


 


1) On another DC in the domain, run NTDSUTIL to move the FSMOs, er, seize them! DOH. (If this is the only DC, then don’t worry about it.)
2) Make sure DNS is 100% solid on the working DC. (If only one DC, don’t worry about it for now, but configure it correctly before promoting it to a new DC).
3) Make sure working DC is also a GC. (If just one DC, don’t worry about it).
4) Boot the corrupted DC into DSRM and edit the registry: under HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions change the ProductType value from LanmanNT to ServerNT. This key dictates whether the machine is a DC or just a server; ServerNT means it’s not a DC.
5) Command prompt > net stop ntfrs to stop FRS.
6) Delete the Winnt\Sysvol and NTDS directories.
7) Reboot the now former DC
8) Log into the now member server. Change it to a stand-alone server by joining a workgroup (My Computer, Properties, Network ID tab, remove it from the old domain).
9) Reboot the now stand alone server.
10) If there is only one DC in the domain, skip this step, otherwise, on the good DC delete the disabled computer account for the old, now defunct DC.
11) Now on this new stand-alone machine, set the Primary DNS Suffix to the new domain name that you want (My Computer, Properties, Network ID tab, Properties, More). Reboot.
12) Make sure that DNS is configured with the new domain name and updates  set to YES.
13) Run DCPROMO to create a new domain or join the domain/tree/forest again.
14) Reboot






Comments, suggestions and corrections are welcomed! 


Ace Fekay

Global Catalog and FSMO Infrastructure Master Relationship



Original Publication: 10/1/2010


 


Overview


In a multi-domain forest, there are multiple factors that must be taken into account in the design from how to design the DNS resolving infrastructure (centralized or decentralized), to how to decide what to do with your Global Catalogs and the FSMO Role Infrastructure Master relationship. There are more factors, of course, but this blog focuses on the GC/IM relationship.


Because there is more than one domain in the forest, it is HIGHLY recommended to have a minimum of two DCs in each domain. The reason is two-fold: one is redundancy, the other is the IM role conflict on a GC in a multi-domain forest. If you are going to have a GC in the child domain, especially if it is in a remote location, keep this required rule in mind. In each domain you will make one of the DCs a GC, and move the Infrastructure Master role from the GC to the non-GC. These are the functional basics of domain design and FSMO role placement, and of the way this specific role works, or rather doesn’t work, when it is on a GC.


 


Make All DCs GCs


Then again, it’s now commonly recommended to simply make all DCs in a forest GCs, no matter how the DNS resolving infrastructure is designed. This alleviates the IM/GC conflict. Many large installations have been using this design successfully without issues. As a matter of fact, Exchange likes it.


Global Catalog vs. Infrastructure Master:
“If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs”
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx


 




More info on the Infrastructure Master and Global Catalog relationship


As a whole, the IM updates references to objects in other domains. What it does is update “phantoms” in its own domain for those objects. The phantoms are “pointers” or references to the objects in the other domains. The IM doesn’t pull in attributes such as MemberOf or MemberIs, because that would be added work on the local domain’s DC; instead it uses the phantom as a pointer to query a DC in the other domain when you request the object from that domain, such as when adding a user or group from the other domain to a local group in the domain in question. A phantom is built from the following identities of the referenced object in the other domain:


Distinguished name of the object
Object GUID
Object SID


So those are the values that ‘point’ to the referenced object, rather than a MemberOf or MemberIs attribute.



An example


1) User1 (DomainA) is a member of Group1 (DomainB)
This means that when viewing membership of Group1, you should be able to see User1 there.


2) User1 in DomainA gets renamed to User2


3) This change gets replicated to all GCs across the forest


4) IM in DomainB detects that its phantom for User1 is out of date, updates it, and replicates the update to all other DCs in DomainB


This means that when viewing membership of Group1, you should be able to see User2. Without the IM, Group1 would still list User1 as its member.
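The placement rule above (in a multi-domain forest the IM holder must not be a GC unless every DC in that domain is a GC) is easy to check rather than remember. The following is an added example, not code from the original post, that walks every domain in the forest and reports whether the rule is violated. It assumes the ActiveDirectory PowerShell module (RSAT) and an account that can read each domain; the function name is my own.

```powershell
# Added example, not from the original post: report the Infrastructure Master / GC
# placement rule for every domain in the forest. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ImGcPlacement {
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain   = Get-ADDomain -Identity $domainName
        $imHolder = $domain.InfrastructureMaster                  # FQDN of the IM role holder
        $dcs      = Get-ADDomainController -Filter * -Server $domainName

        $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $imIsGc = [bool]($dcs | Where-Object { $_.HostName -eq $imHolder }).IsGlobalCatalog

        # The conflict only exists in a multi-domain forest, when the IM holder is a GC
        # and at least one other DC in the same domain is not a GC (KB 248047).
        $conflict = ($forest.Domains.Count -gt 1) -and $imIsGc -and -not $allGc

        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $imHolder
            ImIsGC               = $imIsGc
            AllDcsAreGC          = $allGc
            Conflict             = $conflict
        }
    }
}

Test-ImGcPlacement | Format-Table -AutoSize
```

A row with Conflict = True means phantoms in that domain will stop being updated; either move the IM role to a non-GC with ntdsutil or the AD Users and Computers GUI (KB 255504 / 324801 above), or make the remaining DCs GCs so that AllDcsAreGC becomes True.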


 


 


Active Directory Sites


With multiple locations, I also suggest creating AD sites that correspond to each subnet. To do that, follow this article’s steps:


Step-by-Step Guide to Active Directory Sites and Services
http://www.activewin.com/win2000/step_by_step/active_directory/adsites.shtml


Step-by-Step Guide to Active Directory Sites and Services (Microsoft Word document)
Creating a site link between two or more sites is a way to influence replication topology. By creating a site link, you provide Active Directory with …
http://filedb.experts-exchange.com/incoming/2008/08_w35/53729/Active-Directory-Sites-and-Servi.doc


 


 


DNS SRV AD Site Registration


Once you create your sites, you can push the DCs to register their site-specific SRV records sooner, rather than waiting for the default interval.


On the child DC, delete the system32\config\netlogon.dns and netlogon.bak files, then run:


ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon


Make sure the DC’s A record, the LdapIpAddress record (the “same as parent” record that should show the child DC’s IP) and the SRV data are showing up in the nl.linakorg.local zone. Check the Sites configuration to make sure the respective DCs in the child domain show up correctly. Check in the _gc._msdcs.linakorg.local zone that the respective IPs of the DCs that you made GCs show up.


 


Summary


It’s now commonly recommended to simply make all DCs GCs so you don’t have to worry about the GC-IM conflict.


 


Related Links


In the meantime, please read the following links for more info. The first link explains what I summarized in more detail, which hopefully will give you a better understanding.


Phantoms, tombstones and the infrastructure master role conflict with a global catalog
http://support.microsoft.com/kb/248047


Infrastructure Education:
http://social.answers.microsoft.com/Forums/en-US/winservergen/thread/d238de68-3423-40cd-9bf1-8416bd1d4591


Global Catalog vs. Infrastructure Master
“If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs”
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx


Phantoms, tombstones and the infrastructure master role conflict with a global catalog in a multi-domain forest, however in a single domain forest, all DCs are recommended to be GCs.
http://support.microsoft.com/kb/248047


FSMO placement and optimization on Active Directory domain controllers:
http://support.microsoft.com/kb/223346


Infrastructure Master Education:
“Global catalog and infrastructure master role conflicts only when there are more than one Domain in the Forest. We don’t need to worry about single Domain situation.” – Mervyn Zhang, MSFT
http://social.answers.microsoft.com/Forums/en-US/winservergen/thread/d238de68-3423-40cd-9bf1-8416bd1d4591


Windows 2000 Active Directory FSMO roles (Similar to 2003 & 2008):
http://support.microsoft.com/kb/197132


 


Ace Fekay


Any comments or corrections are welcome

DNS Design Options in a Multi-Domain Forest – How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest



Original Publication: 10/1/2010


Edits:
10/4/2010  – Added a variation of the decentralized option. Even though it’s not really used in the industry as far as I know, it’s another option.
10/14/2010 – Changed Title to reflect the content of the material
9/22/2011 – Added info on configuring DNS to create a new tree in an existing forest


 


Overview


In an Active Directory forest with more than one domain,  there are a number of choices on how to design the DNS resolving infrastructure.


This is basically a summary of how to design a DNS infrastructure to handle parent and child domains. Keep in mind, with any DNS design, you must insure that everything in the forest can resolve any name and resource everywhere in the forest.


There are a number of ways to do this, but it comes down to two basic designs: Centralized and Decentralized.


Centralized


In a centralized model, simply set the parent zone to forest-wide replication and install DNS on any DC, whether in the parent or in the child, and the zone will be available everywhere. When a child resource (DC, member server, client, etc.) registers, a child folder for the child domain name is created under the parent zone name in DNS, and all records for the child are populated into this folder. In this design, child resources can simply use their own local DNS servers, and the zone is available to them as well as to all other child domains.


Decentralized with a Parent-Child Delegation


Other designs involve decentralization, such as a global infrastructure where local legal regulations may require each region to handle its own DNS servers and its own zones. In such a decentralized model, the parent zone is set to domain-wide replication, and the child zones are delegated to the DC/DNS servers in the child domains.


Decentralized but all Child Domain Resources only use the Forest Root DNS Servers


I haven’t seen this design scenario in the field as of yet; it’s more of a classroom or lab setup, but it’s another option, though not a recommended one. It is basically the same as the above but without a delegation: all child domain resources use only the root’s DNS servers. However, if the child domains are across WAN links and a WAN link goes down, the whole child domain will be useless until the link is back up.


 


How to create a DNS Parent-Child Delegation


By default, the parent.com zone’s Replication scope is set to domain-wide. This is the middle button in the zone’s replication scope properties that says “All DNS Servers in the Domain”. This means it is only available to the parent.com’s DC/DNS servers, and not to any of the child domain’s DC/DNS servers. So if you were to set the child domain DCs to use themselves as DNS, they will not find their own zone.


To overcome that, as mentioned above, you have two basic parent-child design choices:




1. Centralized – No delegation


If you want the DCs in the parent and child domains to use themselves for DNS, and to keep it simple, you can change the parent.com zone’s Replication scope to “All DNS servers in the Forest”.


This way the zone will be available to all DC/DNS servers in the whole forest. The following link shows how to check and/or change replication scopes, that is if this is the desired design based on your company’s requirements.


How to change replication scopes:
http://technet.microsoft.com/en-us/library/cc784148.aspx




2. Decentralized – Parent-Child DNS Delegation


If you want the child domain’s admins to have control of their own resources, including DNS for their own domain, you can delegate the child zone to the child domain’s DC/DNS servers. To do this, you would first create a zone on the child domain’s DC/DNS servers called child.parent.com. Then on the parent domain’s DNS server, right click parent.com, choose New Delegation, type in ‘child’ (without the quotes), and provide the child domain’s DC/DNS server names and IP addresses. Do not change the parent zone’s Replication scope, assuming it’s still set to the default domain-wide replication scope.


Then in the child domain’s DC/DNS servers, configure a forwarder to the parent domain’s DC/DNS servers. The following link has info for you to read up on concerning these steps.


How To Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain:
http://support.microsoft.com/kb/255248






Specific information regarding how to configure Child domain delegation and DNS configuration


This assumes you have the parent AD domain (the forest root) and its zone already created and functional, and that you’ve already run dcpromo on a machine to make it a child domain DC.


  1. When you first run dcpromo to create the first child domain DC, you’ll want it to use the forest root domain’s DNS server to simplify things and get the ball rolling. This will allow it to register into a subfolder (the child zone) under the parent zone.
  2. Make sure the parent DCs are only using their own DNS servers in their IP properties. If they show the local loopback, 127.0.0.1, which is what dcpromo puts in there, change it to the actual IP addresses. Do the same with the child DCs for now, meaning they are using the forest root domain DCs for DNS for the time being.
  3. Make sure the replication scope on the parent domain’s zone, which we’ll call domain.com, is set to Domain wide (the middle button). This puts it in the DomainDnsZones application partition for the parent domain. If set to Forest wide (the top button), it will cause a major issue with the delegation, because of how the delegation design works. You don’t want the zone forest wide in a parent-child delegation.
  4. Create a zone on the child domain DC/DNS server. For this example, we’ll call it child.domain.com. The replication scope should be set to domain-wide in the child domain, which of course once again is the middle button, which puts it into the DomainDnsZones app partition.
  5. Reverse zones – This is optional, but recommended. Create a reverse zone on the parent for each subnet in the parent domain’s location, and set the replication scope to domain-wide (the middle button). DO NOT create a delegation for these zones.
  6. Create a reverse zone on the parent for the child domain’s location, and set the replication scope to domain-wide (the middle button). Create a delegation for this zone to the child.
  7. Make sure the zones all allow updates, whether Secure Only, or Secure and Unsecure.



Follow the steps in the following article to create the delegation:


How To Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain:
http://support.microsoft.com/kb/255248


Make sure you configure a forwarder from the child DNS servers to the parent DNS servers, and then, optionally but recommended, a forwarder from the parent to your ISP’s DNS.


Change the DNS IPs on the child DCs to use their own DCs as their DNS servers.


Since there is more than one domain, it is HIGHLY recommended to have a minimum of two DCs in each domain. The reason is two-fold: one is redundancy, the other is the IM role conflict on a GC in a multi-domain forest. If you are going to have a GC in the child domain, especially if it is in a remote location, keep this required rule in mind. In each domain you will make one of the DCs a GC, and move the Infrastructure Master role from the GC to the non-GC. These are the functional basics of domain design and FSMO role placement, and of the way this specific role works, or rather doesn’t work, when it is on a GC.


Then again, it’s now recommended to simply make all DCs in a forest GCs, no matter how the DNS resolving infrastructure is designed. This alleviates the IM/GC conflict. Many large installations have been using this design successfully without issues. As a matter of fact, Exchange likes it.


Global Catalog vs. Infrastructure Master:
“If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs”
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx




Simple Step by Step to create a Parent-Child DNS Delegation:


If not sure about the above section, or you’ve found it too complicated to follow, try the following steps:


  1. Open DNS on one of the DCs in the forest root domain.
  2. Expand your domain.com zone
  3. Right click the domain name, choose New Delegation
  4. Type in the child domain name, such as “child1”, and not the FQDN (such as child1.domain.com)
  5. You will notice the bottom part of the window will now show the FQDN based on the child name you typed.
  6. Click Next
  7. Now type in the IP addresses of two of the child domain’s DNS servers as the Nameservers for the delegation.
  8. Click through until done.
  9. Make sure the child domain DCs and all machines in the child domain, are only using the DC/DNS servers in that child domain and no other domains.

Video tutorial: how to create a zone delegation (Parent-Child Delegation) in a Windows 2008 DNS server:
http://www.youtube.com/watch?v=CoIQ8agsTpk




Now create a Conditional Forwarder on the child domain DNS to the forest root domain’s DNS servers.


Windows 2008: Create a Conditional Forwarder video:
http://www.youtube.com/watch?v=BVxqpuB9y7o 


Windows 2003: Create Conditional Forwarder video (scroll to timeline 3:00, where he shows how to create a conditional forwarder)
http://www.youtube.com/watch?v=w2a-0RPfKx4 


You’re done!
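The same nine steps plus the conditional forwarder, scripted end to end, as an added example that is not from the original post. It uses the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or newer; the post predates them), so treat it as the modern equivalent of the GUI clicks above. All zone names, server names and addresses are placeholders, and the parent zone scope check reflects the warning in the detailed section that a forest-wide parent zone breaks the delegation.

```powershell
# Added example, not from the original post: parent-child DNS delegation with the
# DnsServer / DnsClient modules. Every name and address below is a placeholder.
$parentZone  = 'domain.com'
$childLabel  = 'child1'                            # single label, NOT the FQDN
$childZone   = "$childLabel.$parentZone"
$parentDns   = 'dc1.domain.com'                    # forest root DC/DNS server
$parentDnsIp = '10.0.1.10', '10.0.1.11'
$childDcs    = [ordered]@{ 'dc1.child1.domain.com' = '10.0.2.10'
                           'dc2.child1.domain.com' = '10.0.2.11' }
$firstChildDc = $childDcs.Keys | Select-Object -First 1

# The parent zone must stay domain-wide (DomainDnsZones); forest-wide breaks delegation.
$scope = (Get-DnsServerZone -ComputerName $parentDns -Name $parentZone).ReplicationScope
if ($scope -ne 'Domain') { throw "$parentZone replication scope is '$scope'; expected 'Domain'" }

# Child zone, AD-integrated and domain-wide in the child domain (created once; it replicates).
Add-DnsServerPrimaryZone -ComputerName $firstChildDc -Name $childZone -ReplicationScope Domain -DynamicUpdate Secure

# "New Delegation" on the parent: one name server entry (with glue) per child DNS server.
foreach ($ns in $childDcs.GetEnumerator()) {
    Add-DnsServerZoneDelegation -ComputerName $parentDns -Name $parentZone -ChildZoneName $childLabel `
        -NameServer $ns.Key -IPAddress $ns.Value
}

# Conditional forwarder on the child domain for the parent zone, stored in the child's DomainDnsZones.
Add-DnsServerConditionalForwarderZone -ComputerName $firstChildDc -Name $parentZone `
    -MasterServers $parentDnsIp -ReplicationScope Domain

# Step 9: child DCs (and later all child machines) point only at child DNS servers.
foreach ($dc in $childDcs.Keys) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        param([string[]]$servers)
        foreach ($nic in Get-NetAdapter -Physical | Where-Object Status -eq 'Up') {
            Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $servers
        }
    } -ArgumentList (, [string[]]$childDcs.Values)
}
```

The order matters: the child zone has to exist before the delegation points at it, and the forwarder has to be in place before the child DCs stop using the root’s DNS, otherwise the child loses resolution of the forest root the moment step 9 runs.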




Creating Search Suffixes


Keep in mind, with additional child domains or trees, you may need to configure Search Suffixes for each child to resolve names in other child domains. This can be set using a GPO; the location is described below.


Using GPOs to configure DNS Search Suffixes


At this time Win2k3 DHCP cannot assign a DNS suffix search list. That said, you can assign a connection specific DNS suffix (option 015), which is added to the search list. But, you can assign only one DNS suffix per client.


There is a GPO that assigns a custom DNS suffix search list to XP and Win2k3 clients which can be assigned by Win2k DCs if you upgrade the GPOs using a Win2k3 or XP client.


If you have Windows 2000, this option does not exist in a GPO. You must upgrade to at least Windows 2003 to have this option.


Upgrading Windows 2000 Group Policy for Windows XP:
http://support.microsoft.com/KB/307900


After the GPOs have been upgraded, expand the Group Policy to the following location to apply the custom search list:
Computer Configuration
   -Administrative templates
         -Network
               -DNS Client


Manually adding suffixes


If you have one Suffix to add:

  • Go into NIC properties,
  • IP4 Properties
  • Advanced
  • DNS tab
  • In the box that says “DNS Suffix for this connection:” type in the suffix
  • Click ok
  • No restart required

If you have more than one Suffix to add:

  • Go into NIC properties,
  • IP4 Properties
  • Advanced
  • DNS tab
  • Click on the Radio Button that says, “Append these DNS Suffixes (in order):”
  • Click Add, and type in the suffix
  • Click Add for each one, and type it in
  • Click ok
  • No restart required

 


Devolution


In some designs and scenarios, you may want to disable the devolution tickbox; have a look at this article:
http://www.insidetheregistry.com/regdatabase/viewvalue.asp?valueid=320


It refers to the registry key controlled by GPO – this will over-ride the standard internal registry setting at:
HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\UseDomainNameDevolution


You could also populate the registry key by script if you didn’t want to pull in the extra ADMX GPO template. This will force your client to resolve hosts ONLY on internal.domain.com or whichever zones you list. For example:



Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SearchList"="domain1.com,domain2.com"




Or use the command:
reg add HKLM\system\currentcontrolset\services\tcpip\parameters /v "SearchList" /d "domain1.com,domain2.com" /f


The key thing to observe with manually creating a suffix list (from KB275553, link provided below) is that if you distribute a suffix list, it blocks devolution and the use of the primary or connection-specific suffixes… so write that list carefully!


How to configure a domain suffix search list on the Domain Name System clients
http://support.microsoft.com/?id=275553
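To make the “blocks devolution and the primary/connection-specific suffixes” point concrete, here is an added example (not from the original post) that models which names the Windows resolver tries for a single-label query, following the rules in KB 275553: an explicit SearchList replaces everything else; otherwise the primary suffix, its devolved parents (down to the second-level domain) and the connection-specific suffix are used. The function name is my own, and the exact try order in the non-SearchList case is an assumption of the model rather than something the KB spells out.

```powershell
# Added example, not from the original post: model of the suffixes the Windows
# resolver appends to a single-label name (KB 275553). A distributed SearchList wins
# outright; otherwise primary suffix + devolution + connection-specific suffix apply.
# Function name and the try order for the non-SearchList case are assumptions.
function Get-ResolverCandidates {
    param(
        [Parameter(Mandatory)][string]$Name,     # single-label name, e.g. "srv01"
        [string]$PrimarySuffix = '',             # from domain membership, e.g. corp.east.domain.com
        [string]$ConnectionSuffix = '',          # per-NIC suffix, e.g. from DHCP option 015
        [string[]]$SearchList = @(),             # GPO / SearchList registry value
        [bool]$Devolution = $true                # UseDomainNameDevolution
    )
    if ($Name.Contains('.')) { return @($Name) } # multi-label names are tried as given

    $suffixes = [System.Collections.Generic.List[string]]::new()
    if ($SearchList.Count -gt 0) {
        # An explicit search list replaces the primary suffix, devolution and option 015.
        $suffixes.AddRange($SearchList)
    }
    else {
        if ($PrimarySuffix) {
            $suffixes.Add($PrimarySuffix)
            if ($Devolution) {
                # Strip the leftmost label until only a second-level domain remains.
                $labels = $PrimarySuffix.Split('.')
                for ($i = 1; $labels.Length - $i -ge 2; $i++) {
                    $suffixes.Add(($labels[$i..($labels.Length - 1)] -join '.'))
                }
            }
        }
        if ($ConnectionSuffix -and -not $suffixes.Contains($ConnectionSuffix)) {
            $suffixes.Add($ConnectionSuffix)
        }
    }
    return @($suffixes | ForEach-Object { "$Name.$_" })
}

# Domain-joined client in corp.east.domain.com whose NIC got domain1.com via DHCP option 015:
Get-ResolverCandidates -Name 'srv01' -PrimarySuffix 'corp.east.domain.com' -ConnectionSuffix 'domain1.com'

# Same client after a GPO or the SearchList registry value above has been applied:
Get-ResolverCandidates -Name 'srv01' -PrimarySuffix 'corp.east.domain.com' -ConnectionSuffix 'domain1.com' `
    -SearchList 'domain1.com', 'domain2.com'
```

The first call walks corp.east.domain.com, east.domain.com, domain.com and then the option 015 suffix; the second call yields only the two SearchList names, which is exactly why a distributed list that forgets the client’s own domain suffix breaks single-label resolution for the machine’s own domain.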



Using DHCP Option 015 To Populate the Connection Specific Suffix (just for the interface that’s getting a DHCP IP address)


I would like to point out that DHCP 015 Option is the “Connection Specific Suffix.” This means that the connection that receives a DHCP config from DHCP, will get this suffix as the Search Suffix.


Just to illustrate what I mean, you can test it by setting a suffix in Option 015 that’s different from the domain’s zone name. First, if the AD domain’s zone name is ‘domain.com,’ then the Primary DNS Suffix becomes ‘domain.com’ when you join the machine to the domain, and the Primary DNS Suffix is also the default Search Suffix. Now in DHCP Option 015, configure ‘domain1.com’ as the connection specific suffix. Then go to the workstation and run a /release and /renew. You will now see the suffix you configured in 015 in addition to the machine’s default.


So if you are trying to simply add one additional suffix, this will work for your DHCP clients. However, if you’re trying to add more than one additional suffix, and/or if you have numerous statically configured machines (such as servers), then a GPO will be the better alternative, which Tiger and JM already suggested.


 


More info on Search Suffixes:


How to configure a domain suffix search list on the Domain Name System clients (Windows 2000)
http://support.microsoft.com/kb/275553


New group policies for DNS in Windows Server 2003 (and newer)
http://support.microsoft.com/kb/294785


Manage DNS suffix configuration through Group Policy
http://blogs.techrepublic.com.com/datacenter/?p=266


Manually Configuring Query Settings in NIC properties (Search Suffixes)
http://technet.microsoft.com/en-us/library/cc959339.aspx




Configuring DNS to Create a New Tree in an Existing Forest


 


1. Create the zone for the new tree on the forest root’s DNS server. Configure the zone’s replication scope as Forest Wide.


2. Point DNS on the new machine, prior to promoting it, to the existing forest root DNS server on which you just created the zone in step 1.


3. Promote the machine, introducing a new tree.


4. After the machine has been promoted, and the necessary records have been created, install DNS on the new server.


5. Walk away for about 30 minutes and allow the zone to auto-populate through replication. DO NOT MANUALLY CREATE the zone or any other zone. It will do so automatically through AD replication.



Your next steps depend on your DNS design choice: whether you want to keep the zone replicated forest wide to all DCs in all domains, or just in the new tree’s domain. The choice comes down to whether you have centralized or decentralized administration. See the above to help make your decision.


If you’ve chosen to keep the zone in DomainDnsZones (“All DNS servers in the Domain <New Tree’s Domain.local>”, the middle button), follow these steps:


6. Once it’s replicated, open the DNS console on the new domain controller in the new tree. Right click the zone name, Properties, then change the Replication Scope of the tree’s domain name zone to “All DNS servers in the domain <newtreeName.local>”. This is the middle button. This puts it in the DomainDnsZones replication scope in the new tree’s domain, and will also remove it from the ForestDnsZones partition.


7. Once again, wait for about 30 minutes and allow replication to occur. You can test whether replication has completed by going back to the forest root’s DNS server and refreshing the console. If you see the new tree’s domain name zone disappear, then it has completed. Go back to the new tree’s DC’s DNS server console and hit the refresh button.


8. Go back to the forest root DNS server. You can now create a stub zone for the new tree’s domain on the forest root DNS server, pointing to the new tree’s DNS servers. Set the stub zone’s replication scope to DomainDnsZones.


9. Create a Conditional Forwarder from the new tree DNS server to the forest root DNS server. You can also opt to create a Stub zone (preferable) for the forest root domain and AD integrate the stub zone in DomainDnsZones so it will be available on the whole new tree domain.


10. Make sure you add Search suffixes on each machine in the original forest root for the new tree, and vice-versa.


 


If you’ve chosen to keep the zone in the ForestDnsZones Partition choosing “All DNS servers in the Forest” (the top button), do the following:


Make sure you add Search suffixes on each machine in the original forest root for the new tree, and vice-versa.
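The DNS side of the new-tree procedure, scripted as an added example that is not from the original post. It covers step 1, the decentralized variant in steps 6 through 9, and leaves dcpromo, the DNS role install and the search suffixes (step 10) to be done as described above. It assumes the DnsServer PowerShell module (Windows Server 2012 or newer), run from an admin workstation; every server, zone and address name is a placeholder.

```powershell
# Added example, not from the original post: DNS steps for a new tree in an existing
# forest, decentralized (DomainDnsZones) variant. Assumes the DnsServer module;
# all names and addresses are placeholders.
$rootDns      = 'dc1.forestroot.local'   # forest root DC/DNS server
$rootDnsIp    = '10.0.1.10'
$newTreeDc    = 'dc1.newtree.local'      # first DC of the new tree (after promotion)
$newTreeDnsIp = '10.0.9.10'
$newTreeZone  = 'newtree.local'

# Step 1: zone for the new tree on the forest root DNS, replicated forest wide, so the
# machine about to be promoted can register into it (it points at $rootDns for DNS).
Add-DnsServerPrimaryZone -ComputerName $rootDns -Name $newTreeZone -ReplicationScope Forest -DynamicUpdate Secure

# Steps 2-5 (dcpromo, install DNS on the new DC, wait for the zone to appear there)
# are done as in the post; do not create the zone by hand on the new DC.

# Step 6: move the zone into the new tree's DomainDnsZones scope, which also drops it
# from ForestDnsZones.
Set-DnsServerPrimaryZone -ComputerName $newTreeDc -Name $newTreeZone -ReplicationScope Domain

# Step 7: poll the forest root until its forest-wide copy is gone, i.e. replication finished.
do {
    Start-Sleep -Seconds 60
    $stillThere = Get-DnsServerZone -ComputerName $rootDns -Name $newTreeZone -ErrorAction SilentlyContinue
} while ($stillThere)

# Step 8: stub zone for the new tree on the forest root, AD-integrated in the root's
# DomainDnsZones, with the new tree's DNS server as master.
Add-DnsServerStubZone -ComputerName $rootDns -Name $newTreeZone -MasterServers $newTreeDnsIp -ReplicationScope Domain

# Step 9 (the post's preferred option): stub zone for the forest root domain on the new
# tree's DNS, AD-integrated in the new tree's DomainDnsZones.
Add-DnsServerStubZone -ComputerName $newTreeDc -Name 'forestroot.local' -MasterServers $rootDnsIp -ReplicationScope Domain

# Step 10 (search suffixes on both sides) is a client setting; see the GPO and
# SearchList registry options in the section above.
```

If instead you keep the zone forest wide, stop after step 1 and the promotion: there is nothing to move and no stub zones are needed, only the search suffixes.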




Summary


There are a number of ways to design DNS in an infrastructure. Which is the best one? It all depends on your design specs, requirements, local legal regulations, or simply if you want a centralized or decentralized design.


 


Ace Fekay


All comments or corrections are welcomed.