AD & Dynamic DNS Updates Registration Rules of engagement

Keep in mind, for the most part it automatically works “out of the box” without much administrative overhead.

Original Compilation: 11/19/2012
Updated: 9/5/2013

Prologue

What I’ve tried to do is accumulate all pertinent information about configuring dynamic DNS registration in an AD environment. I hope I haven’t missed anything, and that I’ve explained each numbered point well enough, and removed enough ambiguity, for each point to be fully understood.

And yes, this blog is regarding an AD environment. If you have a non-AD environment with a Windows DNS server that you want your computers to register, please read the following blog:

DNS Dynamic Updates in a Workgroup
https://blogs.msmvps.com/acefekay/2013/06/12/dns-dynamic-updates-in-a-workgroup/

 

===

Summary

  1. The machine’s DNS entries in the NIC must be configured ONLY with the internal DNS servers that host the zone. No others.
        a. DHCP Option 006 MUST list only the internal DNS server(s) you want to use. If it hands out an ISP’s DNS or your router, expect undesired results.
  2. The Primary DNS Suffix on the machine MUST match the zone name in DNS.
    1. For joined machines, this is default. 
    2. For non-joined machines, the Primary DNS Suffix must be manually configured or scripted.
  3. If using DHCP Option 015 (Connection Specific Suffix), it must match the zone name, and both “Use This Connection’s DNS Suffix in DNS Registration” and “Register This Connection’s Addresses in DNS” must be checked in the NIC’s IPv4, Advanced, DNS tab.
    1. For additional information on how to configure updates in a workgroup:
      DNS Dynamic Updates in a Workgroup
      https://blogs.msmvps.com/acefekay/2013/06/12/dns-dynamic-updates-in-a-workgroup/
  4. The Zone must be configured to allow updates.
  5. For AD Integrated Zones configured for “Secure Only” updates:
    1. If the machine’s network card DNS address entries have been statically configured:
            – They must only point to the internal DNS servers that host the AD zone, or to servers that have a reference to the zone (such as stubs, secondary zones, conditional forwarders, or forwarders).
            – The machine must be joined to the domain in order to authenticate (Kerberos, via GSS-TSIG) when it sends the update.
    2. If statically configured and not joined to the domain, the client can’t update its record if the zone is set to Secure Only.
    3. For non-joined DHCP clients, you can configure DHCP to perform the update on their behalf in lieu of the client updating into a Secure Only zone.
  6. For any non-Windows statically configured machine, it must support DNS Dynamic Updates, and the zone must be configured to allow Nonsecure and Secure updates.
  7. If the DNS server is multihomed and not configured properly to work with multihoming, it may cause problems with Dynamic Updates.
    1. Read the following for more info:
      Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, Clustering interfaces, management interfaces, backup interfaces, and/or PPPoE adapters – A multihomed DC is not a recommended configuration, however there are ways to configure a DC with registry mods:
      http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx
  8. If the zone is a single label name, such as ‘domain’ instead of the proper minimal format of ‘domain.com,’ ‘domain.net,’ etc., it will NOT update. (See point 10 for the details.)
  9. The client will “look” for the SOA of the zone when it attempts registration. If the SOA is not available or resolvable, it won’t register. Keep in mind with AD integrated zones the SOA rotates among the DCs because of the multimaster feature. This is default and expected behavior, but if there are any DCs that have any problems, and the client resolved the SOA to that DC, it may not accept the update.
  10. The zone in DNS must NOT be a single label name, such as “DOMAIN”, instead of the required minimum of two hierarchical levels such as domain.com, domain.local, domain.me, domain.you, etc. Single label name zones are problematic, do not conform to the DNS RFCs, and cause excessive Internet traffic to the Root Servers when DNS tries to resolve a single label name query, such as a query for computername.domain – in such a query, the domain name is actually treated as a TLD. In 2004 ISC documented with Microsoft the excessive root traffic generated by Microsoft DNS servers configured with a single label name, and Microsoft in turn disabled the ability of Microsoft DNS in Windows 2000 SP4 and newer to resolve single label names without a registry band-aid. More info on this:
    1. Active Directory DNS Domain Name Single Label Names – Problematic
      Published by Ace Fekay, MCT, MVP DS on Nov 12, 2009
      http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx
  11. For Windows 2008 and all newer operating systems, IPv6 must not be disabled. If disabled, it will cause other problems:
    The Cable Guy – Support for IPv6 in Windows Server 2008 R2 and Windows 7, by Joseph Davies, Microsoft, Inc.
    Quoted by Joseph Davies, MSFT:
    “IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.”
    http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
    1. Arguments against disabling IPv6
      Demoire, [MSFT], 24 Nov 2010 12:37 AM
      http://blogs.technet.com/b/netro/archive/2010/11/24/arguments-against-disabling-ipv6.aspx
    2. IPv6 for Microsoft Windows: Frequently Asked Questions
      (Basically Microsoft is saying in this KB article to not disable IPv6)
      http://technet.microsoft.com/en-us/network/cc987595.aspx
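As an added example (not part of the original post), the following PowerShell checks the client-side rules above on a Windows 8 / Server 2012 or newer machine, using the in-box DnsClient and NetAdapter cmdlets. The zone name is the one parameter you supply; everything else is read from the machine. Rule 4 (whether the zone allows updates) is a server-side setting and cannot be checked from the client.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session on the
# client being checked (Windows 8 / Server 2012 or newer). The only input is the AD DNS zone
# name the host is supposed to register into, e.g. .\Test-DnsRegistration.ps1 -ZoneName example.com
param(
    [Parameter(Mandatory = $true)]
    [string]$ZoneName
)

$findings = New-Object 'System.Collections.Generic.List[string]'
$tcpipParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Rules 8/10: a single-label zone name (no dot) will never accept the registration.
if ($ZoneName -notmatch '\.') {
    $findings.Add("Zone '$ZoneName' is a single label name; registration will not work.")
}

# Rule 2: the Primary DNS Suffix ('Domain' under Tcpip\Parameters) must match the zone name.
$primarySuffix = $tcpipParams.Domain
if ($primarySuffix -ne $ZoneName) {
    $findings.Add("Primary DNS suffix '$primarySuffix' does not match zone '$ZoneName' (disjointed namespace).")
}

# Full explanation item 12: on Vista/2008 and newer the DNS Client service does the registering.
if ((Get-Service -Name Dnscache).Status -ne 'Running') {
    $findings.Add('The DNS Client service (Dnscache) is not running.')
}

# Rule 11: IPv6 must stay bound on every adapter (this catches the unchecked checkbox in the
# adapter properties; the DisabledComponents registry value would need a separate check).
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("IPv6 is unbound on adapter '$($_.Name)'.")
}

# Rules 1, 3, 5 and 9, per adapter: registration flags, suffix, and whether every configured
# DNS server can actually hand back the SOA of the zone.
$adapters = Get-DnsClient | Where-Object { $_.InterfaceAlias -notlike 'Loopback*' }
foreach ($adapter in $adapters) {
    $alias = $adapter.InterfaceAlias
    if (-not $adapter.RegisterThisConnectionsAddress) {
        $findings.Add("'$alias': 'Register this connection's addresses in DNS' is not enabled.")
    }
    if ($adapter.ConnectionSpecificSuffix -and $adapter.ConnectionSpecificSuffix -ne $ZoneName) {
        $findings.Add("'$alias': connection-specific suffix '$($adapter.ConnectionSpecificSuffix)' does not match the zone.")
    }
    $servers = (Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily IPv4).ServerAddresses
    if (-not $servers) { continue }   # adapter without IPv4 DNS servers (e.g. disconnected)
    foreach ($server in $servers) {
        # An ISP resolver or a home router will either fail here or answer without an SOA for
        # the zone; either way it does not belong in the list.
        try {
            $answer = Resolve-DnsName -Name $ZoneName -Type SOA -Server $server -DnsOnly -ErrorAction Stop
            if (-not ($answer | Where-Object { $_.Type -eq 'SOA' })) { throw 'no SOA record in the answer' }
        } catch {
            $findings.Add("'$alias': DNS server $server cannot return the SOA for '$ZoneName' ($($_.Exception.Message)).")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "All client-side prerequisites for registering into '$ZoneName' are met."
    Write-Output 'Forcing a registration attempt now (same as ipconfig /registerdns).'
    Register-DnsClient
} else {
    Write-Output "Registration into '$ZoneName' is likely to fail:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A clean run ends with Register-DnsClient, which is the cmdlet equivalent of ipconfig /registerdns; if anything is listed, fix it first, since the registration attempt will only fail again.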

 

Full explanation:

  1. Active Directory’s DNS Domain Name must NOT be a single label name (“DOMAIN” vs. the minimal requirement of “domain.com,” “domain.local,” etc.).
  2. The Primary DNS Suffix MUST match the zone name that is allowing updates. Otherwise the client doesn’t know what zone name to register in. You can also have a different Connection Specific Suffix in addition to the Primary DNS Suffix, to register into that zone as well.
  3. The AD/DNS zone MUST be configured to allow dynamic updates, whether Secure Only or Nonsecure and Secure. If a client is not joined to the domain and the zone is set to Secure Only, it will not register either.
  4. You must ONLY use the DNS servers that host a copy of the AD zone name or have a reference to get to them.
    1. Do not use your ISP’s DNS, an external DNS address, or your router as a DNS address.
    2. Do not use any DNS that does not have a copy of the AD zone.
    3. Internet resolution for your machines will be accomplished by the Root servers (Root Hints), however it’s recommended to configure a forwarder for efficient Internet resolution.
  5. The domain controller must NOT be multihomed (which means it has more than one unteamed, active NIC, more than one IP address, and/or RRAS installed on the DC). See point 7 in the Summary above.
  6. The DNS addresses configured in the client’s IP properties must ONLY reference the DNS server(s) hosting the AD zone you want to update in.
    1. This means that you must NOT use an external DNS in any machine’s IP property in an AD environment.
    2. You can’t mix internal and external DNS servers. This is because of the way the DNS Client side resolver service works: it asks the first server in the list first, and if it doesn’t get a response, it removes that server from the eligible resolvers list and goes to the next one. It will not go back to the first one unless you restart the machine, restart the DNS Client service, or set a registry entry to cut the query TTL to 0. So once an ISP’s DNS is in the list, the resolver can settle on a server that has never heard of your AD zone, and registrations and AD lookups fail. The rule is to ONLY use your internal DNS server(s) and configure a forwarder to your ISP’s DNS for efficient Internet resolution.
    3. There is a registry entry to cut the query TTL to 0 (normally this is not necessary, but I’m posting it as a reference).
      1. The DNS Client service does not revert to using the first server in the list (KB 286834): the Windows 2000 DNS Client service (Dnscache) follows a certain algorithm when it decides the order in which to use the DNS servers.
        http://support.microsoft.com/kb/286834
    4. The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP (applies to all Operating Systems, too)
       http://support.microsoft.com/kb/320760
    5. For more info, please read the following on the client side resolver service:
      DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted SMB (DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm if you have multiple forwarders.
      http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
  7. For DHCP clients, DHCP Option 006 must be set to the same internal DNS server(s).
  8. If using DHCP, the DHCP server must only reference the same exact DNS server(s) in its own IP properties in order for it to ‘force’ (if you set that setting) registration into DNS. Otherwise, how would it know which DNS server to send the DNS registration request data to?
  9. If the AD DNS Domain name is a single label name, such as “EXAMPLE”, and not the proper format of “example.com” and/or any child of that format, such as “child1.example.com”, then we have a real big problem. DNS will not allow registration into a single label domain name.
    This is for two reasons:
    1. It’s not the proper hierarchical format. DNS is hierarchical, but a single label name has no hierarchy. It’s just a single name.
    2. Registration attempts cause major Internet queries to the Root servers. Why? Because the resolver thinks the single label name, such as “EXAMPLE”, is a TLD (Top Level Domain), such as “com”, “net”, etc. It will try to find which Root name server out there handles that TLD. In the end the query comes back to itself, and only then does it attempt to register. Unfortunately it does NOT ask itself first, for the mere reason it thinks the name is a TLD.
    3. Quoted from Alan Woods, Microsoft, 2004:
      “Due to this excessive Root query traffic, which ISC found from a study that discovered Microsoft DNS servers are causing excessive traffic because of single label names, Microsoft, being an internet friendly neighbor and wanting to stop this problem for their neighbors, stopped the ability to register into DNS with Windows 2000 SP4, XP SP1, (especially XP, which causes lookup problems too), and Windows 2003. After all, DNS is hierarchical, so therefore why even allow single label DNS domain names?”
    4. The above also *especially* applies to Windows Vista, Windows 7, 2008, 2008 R2, Windows 2012, and newer.
  10. “Register this connection’s address” on the client is not enabled under the NIC’s IP properties, DNS tab.
  11. Maybe there’s a GPO set to force Secure updates and the machine isn’t a joined member of the domain.
  12. With Windows 2000, 2003 and XP, the “DHCP client” Service is not running.  In Windows 2008, Windows Vista and all newer operating systems, it’s now the DNS Client Service.
    1. This is a requirement for DNS registration and DNS resolution even if the client is not actually using DHCP.
    2. Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops (2000/2003/XP only)
      http://support.microsoft.com/?id=264539
  13. You can also configure DHCP to force register clients for you, as well as keep the DNS zone clean of old or duplicate entries. The following has more information on how to do that:
    1. DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the DnsProxyUpdate Group (How to remove and prevent future duplicate DNS host records)
      Published by acefekay on Aug 20, 2009
      http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx
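The server side of the same rules (zone update mode, DHCP Option 006 and 015, DHCP registering on behalf of its clients, scavenging), as an added PowerShell example that is not part of the original post. It assumes Windows Server 2012 or newer with the DnsServer, DhcpServer and ActiveDirectory modules; example.com, the 10.10.0.0 scope, the two internal DNS addresses, dhcp01 and the svc-dhcpdns account are placeholders. One caveat the DnsUpdateProxy approach carries: records created by a member of that group are deliberately left without an owner ACL so the real client can take them over later, which is why the account should be a dedicated, low-privilege one and why the credential is set on the DHCP server instead of letting it register under its computer account.

```powershell
# Added example, not from the original post. Placeholders: example.com, the 10.10.0.0 scope,
# the internal DNS servers 10.10.0.10/.11, dhcp01 and the svc-dhcpdns account.
Import-Module DnsServer, DhcpServer, ActiveDirectory

$ZoneName    = 'example.com'
$ScopeId     = '10.10.0.0'
$DhcpServer  = 'dhcp01.example.com'
$InternalDns = '10.10.0.10', '10.10.0.11'
$ProxyUser   = 'svc-dhcpdns'          # dedicated account DHCP uses for DNS registration

# Rules 3/4 and 5: the AD-integrated zone must allow updates. Secure is the right setting for an
# AD zone; NonsecureAndSecure only when non-joined or non-Windows hosts must register themselves.
$zone = Get-DnsServerZone -Name $ZoneName
if (-not $zone.IsDsIntegrated) {
    throw "$ZoneName is not AD-integrated; 'Secure' dynamic updates require an AD-integrated zone."
}
if ($zone.DynamicUpdate -ne 'Secure') {
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
}

# Rule 1a / item 7: Option 006 must hand out only the internal DNS servers, and Option 015 the zone name.
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -DnsServer $InternalDns -DnsDomain $ZoneName

# Item 13: DHCP registers A and PTR for every lease (including non-joined clients that could
# not update a Secure-only zone themselves) and removes them when the lease expires.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
    -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true `
    -DeleteDnsRRonLeaseExpiry $true

# The DHCP service should register with a dedicated domain account, not the server's computer
# account (especially when DHCP runs on a DC), and that account goes into DnsUpdateProxy so the
# records it creates can later be taken over by the clients themselves.
$cred = Get-Credential -UserName "$((Get-ADDomain).NetBIOSName)\$ProxyUser" -Message 'DHCP DNS registration account'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $ProxyUser

# Scavenging keeps stale dynamic records from accumulating. Records DHCP deletes on lease expiry
# are handled already; this covers hosts that simply disappeared.
Set-DnsServerZoneAging -Name $ZoneName -Aging $true -NoRefreshInterval (New-TimeSpan -Days 7) -RefreshInterval (New-TimeSpan -Days 7)
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7)

# Read back what was set.
Get-DnsServerZone -Name $ZoneName | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId
```

The scavenging intervals are the usual starting point (no-refresh and refresh both equal to the lease length); set them longer than the DHCP lease, never shorter, or live records get aged out between renewals.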

 

What will stop AD SRV registration:

  1. Any DNS server referenced in TCP/IP properties that does not host the AD zone name, or does not have a reference to the internal AD zones name.
    1. External DNS servers do not host or have a reference, therefore must NOT be used.
    2. AD Domain machines must never be pointed at an external (ISP) DNS server or even use an ISP DNS server as an “Alternate DNS server” because they do not host the internal AD zone, or have a reference to it.
      1. Only use internal DNS servers when part of an Active Directory domain. Active Directory’s Reliance on DNS, and why you should never use an ISP’s DNS address or your router as a DNS address, or any other DNS server that does not host the AD zone name
        http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx
  2. Are any services disabled such as the DHCP Client service or the DNS Client Service? They are required services, whether the machine is static or DHCP.
    1. No DNS registration functions if DHCP Client Service Is Not Running (2000/2003/XP only)
      http://support.microsoft.com/?id=268674
    2. Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops (2000/2003/XP only)
      http://support.microsoft.com/?id=264539
    3. For all Windows 2008, Windows Vista and all newer operating systems, it’s the DNS Client Service.
  3. The AD/DNS zone not configured to allow dynamic updates.
  4. Make sure ‘Register this connection’s address” in DNS is enabled under TCP/IP properties.
  5. Missing or incorrect “Primary DNS suffix” or “Connection-specific DNS suffix” of the domain to which the machine belongs. 
    1. If one of these is incorrect, the client-side service cannot find the correct zone to register into. If the suffix is missing or does not match the AD domain name, it is called a Disjointed Domain Namespace.
  6. Is a host firewall blocking the traffic? Allow DNS (UDP and TCP 53) to the internal DNS servers rather than disabling the firewall outright; see item 21 below for how to look at the Windows Firewall configuration.
  7. Were the default C: drive permissions altered, and was a hotfix installed recently?
    1. “Systems that have changed the default Access Control List permissions on the %windir%\registration directory may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC”
      http://support.microsoft.com/kb/909444
    2. For more info about this issue, see:
      http://blogs.technet.com/steriley/archive/2005/11/08/414002.aspx
  8. If the zone is set to Secure Updates Only, the computer may not have authenticated to the domain (which can be due to DNS misconfiguration or a DNS server problem), which of course causes more problems than just DNS registration.
  9. Is the File and Print services enabled?
    1. It must be enabled.
  10. Microsoft Client Services enabled?
    1. If not,  it must be enabled.
  11. Is DNS service listening on the private LAN interface?
    1. Check under the Interfaces tab under DNS server properties in the DNS console.
  12. More than one NIC on a client?
    1. The wrong one may be registering.
  13. Updates allowed on the zone?
    1. This is an obvious one.
  14. Primary DNS suffix matches the zone name in DNS and the AD domain name?
    1. If not, then it won’t register into the zone.
  15. Was Zone Alarm ever installed on these machines?
    1. If so, ZA leaves SYS files and other remnants that continue to block traffic.
  16. Any Event log errors?
  17. Was a Registry entry configured to stop registration?
    1. 246804 – How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per NIC too):
      http://support.microsoft.com/?id=246804
  18. Spyware or something else such as DotNetDns installed on it?
    1. Download the free tool at www.malwarebytes.com and run a malware scan.
    2. Download the free Malicious Software Scanner from Microsoft and run a scan
    3. Download TrendMicro HouseCall free scan tool and run it.
  19. Single Label Domain Name?
    1. Active Directory DNS Domain Name Single Label Names – Problematic – And this applies to any DNS zone name, not just AD.
      Published by Ace Fekay, MCT, MVP DS on Nov 12, 2009
      http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx
  20. Netlogon and DFS services must be started.
  21. Malware or virus altering network services preventing it from registering.
    1. Some sort of firewall in place, whether the Windows firewall disabling File and Print Services, or a 3rd party firewall, which many AV programs now have built in and must be adjusted to allow this sort of traffic and exclude the NTDS and SYSVOL folders.
    2. If Windows Firewall, run the following to see what settings are enabled (the netsh firewall context is for XP/2003; on Vista/2008 and newer it is deprecated in favor of the netsh advfirewall context):
      netsh firewall show config
  22. Is IPv6 disabled? That will stop registration.
    1. Enable it.
  23. Do any duplicate AD integrated zones exist in the AD database?
    1. This will cause major problems. Any duplicates found must be deleted. The cause must also be determined to eliminate it from occurring again.
    2. Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
      Published by acefekay on Sep 2, 2009
      http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx
  24. Were imaged machines cloned without the image being Sysprepped first? 
    1. If not, duplicate SIDs will cause machines to fail authentication to register into the zone.
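For the DC side of this list, here is an added PowerShell example (not from the original post) that walks the items a DC can check on itself: the services from items 2 and 20, the firewall profile state from item 21, whether the SRV records from items 1, 3 and 8 actually list this DC, and the duplicate zone objects from item 23, which show up in the AD database as conflict objects with CNF: in their name. It assumes Windows Server 2012 or newer with the ActiveDirectory module, and finishes with nltest /dsregdns, which asks Netlogon to re-register the SRV records.

```powershell
# Added example, not from the original post. Run elevated on the DC being checked
# (Windows Server 2012 or newer, ActiveDirectory module installed).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dc     = Get-ADDomainController -Identity $env:COMPUTERNAME
$issues = New-Object 'System.Collections.Generic.List[string]'

# Items 2 and 20: Netlogon registers the SRV records, Dnscache sends the updates,
# Dfs/DFSR back SYSVOL (DFSR is absent on FRS-replicated domains, so skip what is not installed).
foreach ($name in 'Netlogon', 'Dnscache', 'Dfs', 'DFSR') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        $issues.Add("Service $name is $($svc.Status).")
    }
}

# Item 21: look at the firewall instead of turning it off; the linked AD ports post says what to open.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# Items 1, 3 and 8: these SRV records must exist and must list this DC, resolved against this DC's own DNS.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)",
    "_kerberos._tcp.dc._msdcs.$($domain.DNSRoot)",
    "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$($domain.DNSRoot)"
)
foreach ($srv in $srvNames) {
    $targets = Resolve-DnsName -Name $srv -Type SRV -Server $dc.IPv4Address -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget }
    if ($targets -notcontains $dc.HostName) {
        $issues.Add("$srv does not list $($dc.HostName).")
    }
}

# Item 23: duplicate AD-integrated zones surface as conflict objects named '<zone>\0ACNF:<guid>'
# in one of the three places a zone can live.
$zoneContainers = @(
    "CN=MicrosoftDNS,CN=System,$($domain.DistinguishedName)",
    "DC=DomainDnsZones,$($domain.DistinguishedName)",
    "DC=ForestDnsZones,$((Get-ADDomain -Identity $forest.RootDomain).DistinguishedName)"
)
foreach ($container in $zoneContainers) {
    Get-ADObject -LDAPFilter '(&(objectClass=dnsZone)(name=*CNF:*))' -SearchBase $container -ErrorAction SilentlyContinue |
        ForEach-Object { $issues.Add("Conflicting zone object: $($_.DistinguishedName)") }
}

if ($issues.Count -eq 0) {
    Write-Output "No DC-side SRV registration blockers found on $($dc.HostName)."
} else {
    Write-Output 'Found:'
    $issues | ForEach-Object { Write-Output "  - $_" }
}

# Ask Netlogon to re-register this DC's SRV records; watch the System log for Netlogon events afterwards.
nltest /dsregdns
```

If a conflicting zone object is listed, do not just delete it from here: the linked ADSI Edit post covers how to decide which copy is the live one and how to find out why the duplicate was created.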

 

Suggestions, Comments, Corrections are welcomed.

Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
   Microsoft Certified Trainer
   Microsoft MVP: Directory Services
   Active Directory, Exchange and Windows Infrastructure Engineer and Janitor
   www.delcocomputerconsulting.com

Troubleshooting the Browser Service

By Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
www.delcocomputerconsulting.com

v2

 

Preamble:

Each subnet has its own master browser, and if you are using WINS, the master browser works together with the WINS service to enumerate an infrastructure-wide browse list.

If not using WINS, it uses broadcasts; however, you’ll only see what’s on your own subnet, because NetBIOS broadcasts are more than likely blocked by routers (which is the default), and many routers don’t offer a way to enable forwarding NetBIOS broadcasts across subnets.

If you are in a multi-subnetted environment, and you want full browsing capabilities, to get around routers blocking NetBIOS broadcasts, it’s suggested to use WINS.

And the default WINS settings out of the box work fine, as long as you set up the DHCP WINS options correctly. There is no need to adjust WINS’ registry parameters; otherwise you’ll find yourself trying to change registry entries on multiple servers and mis-keying something. Here’s more info on configuring WINS:

WINS – What Is It, How To Install It, WINS Replication Partner Design Guidelines, How to Configure DHCP Scopes For WINS Client Distribution, and more:
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

If you’ve just upgraded your PDC from Windows 2003 to Windows 2008 or Newer

The Computer Browser service on Windows 2008 and newer is disabled by default. If you want the PDC Emulator to do its job as the Master Browser and not have some workstation win the election (read below what that means), then I suggest setting it to Automatic and starting it. Otherwise, browsing will not work properly and you’ll be chasing a ghost trying to figure out why. I usually just enable it on all of my DCs. More info in the following link:

NetBIOS browsing across subnets may fail after upgrading to Windows Server 2008
http://blogs.technet.com/b/networking/archive/2008/07/25/netbios-browsing-across-subnets-may-fail-after-upgrading-to-windows-server-2008.aspx

Preferably install at least one server OS on each subnet:

If there is a server OS on the subnet and it’s not multihomed (especially if it is a DC; multihoming a DC is a really bad idea), then it should win, unless there’s a problem with the machine itself, such as some sort of security setting in your antivirus blocking traffic, or a firewall blocking traffic on it.

And as mentioned, if you just upgraded the PDC emulator to 2008 or newer, set the Computer Browser service to Automatic and start it.

If you find workstations are becoming masters, that means there are no server operating systems on those subnets; in such cases, a workstation will win the Master Browser election.

And I realize in many large infrastructures, it would be nearly impossible to put a server operating system on each subnet. However, as long as there is a desktop using the latest client operating system that is always up and running 24/7, that will do the trick.

If a newer client OS were introduced, it would start a master browser election and win it (OS version and server role are factors in the election process). Any machine on which someone clicks Network Neighborhood or a Browse button somewhere would also invoke an election, but if a desktop has been running on the subnet 24/7, it will win the election, since it’s already up and running.

If you don’t want any other client machine to win the election and want only that one machine to be the browser, you can set registry entries (under HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters) using a GPO so that all the machines in the subnet other than the client machine you chose to keep up and running 24/7 stop participating in the browse list:

Set the client machine of your choosing to:
MaintainServerList=Yes, IsDomainMaster=True

All other clients on the subnet, set to:
MaintainServerList=No, IsDomainMaster=False

(MaintainServerList=Auto, the default, leaves a machine as a potential browser that can still win an election; No takes it out of the running entirely.)

I’m not saying this is a perfect solution, but it’s something to consider. Otherwise, if no specific machine is up and running 24/7 on any given subnet, the browse list will be rebuilt each time everyone shuts down, then brings their machines up in the morning, and the cycle starts from scratch to rebuild the list of machines on that subnet.
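Putting the registry settings above into practice, as an added PowerShell example (not from the original post). The registry path and value names are the ones Microsoft documents for the Computer Browser service; the two role names and the GPO name are placeholders of my own. Run it locally with -Role Preferred on the machine that should own the list, and push the NonBrowser values to the rest of the subnet through a GPO as shown at the end.

```powershell
# Added example, not from the original post. Registry path and value names are Microsoft's
# (HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters); 'Preferred'/'NonBrowser' and the
# GPO name 'Browser - NonBrowser clients' are placeholders of my own.
function Set-BrowserRole {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Preferred', 'NonBrowser')]
        [string]$Role
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'
    $values = switch ($Role) {
        # The one machine per subnet that should keep the list: always a browser, and it
        # announces itself as preferred master so it wins the election outright.
        'Preferred'  { @{ MaintainServerList = 'Yes'; IsDomainMaster = 'True'  } }
        # Everyone else: 'No' means never a browser. 'Auto' (the default) would leave the
        # machine a potential browser that can still win when the preferred one is off.
        'NonBrowser' { @{ MaintainServerList = 'No';  IsDomainMaster = 'False' } }
    }
    foreach ($name in $values.Keys) {
        # Both are REG_SZ values.
        Set-ItemProperty -Path $key -Name $name -Value $values[$name] -Type String
    }

    if ($Role -eq 'Preferred') {
        # Disabled by default on 2008 and newer, so the PDC emulator (or the chosen client) never competes.
        Set-Service -Name Browser -StartupType Automatic
        Restart-Service -Name Browser
    }

    # The browser rides on NetBIOS over TCP/IP; make sure it is enabled on every IP-enabled adapter.
    # TcpipNetbiosOptions: 0 = take the DHCP setting, 1 = enabled, 2 = disabled.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -eq 2 } |
        ForEach-Object { Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 1 } | Out-Null }

    Get-ItemProperty -Path $key | Select-Object MaintainServerList, IsDomainMaster
}

# On the machine that should own the browse list for its subnet:
Set-BrowserRole -Role Preferred

# For everyone else on that subnet, the same two values delivered by Group Policy
# (GroupPolicy module from RSAT; link the GPO to the OU holding those computers):
$gpo = 'Browser - NonBrowser clients'
New-GPO -Name $gpo | Out-Null
Set-GPRegistryValue -Name $gpo -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters' -ValueName MaintainServerList -Type String -Value 'No'  | Out-Null
Set-GPRegistryValue -Name $gpo -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters' -ValueName IsDomainMaster    -Type String -Value 'False' | Out-Null
```

Keep the GPO scoped to the computers on that one subnet: applied domain-wide it would also take your DCs out of the running, which is the opposite of what the section above is after.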

 

Third Party Devices Participating in the Browser Service

I would like to point out that if you have any 3rd party devices, such as a Seagate BlackArmor NAS, they will jump in on the election process and may win, which will snafu your browse list. I had one of those devices at a customer site last year causing numerous problems with the browse list, which in turn snowballed into problems with Symantec BackupExec and other services that rely on browsing.

After some troubleshooting, I found that the BlackArmor NAS was consistently winning the election causing the problems. I couldn’t find anything specific on how to disable browser service participation on the device. It has the latest firmware. I contacted Seagate, and they said they couldn’t help me to disable the device’s ability to participate in the Browser Service.

I finally moved it on to its own VLAN so it can be king of itself on that subnet, so to speak. I gave it its own island.

 

Browse List Propagation:

We have to keep in mind when troubleshooting the browser service that there is a time period you have to wait for the list to fully enumerate and become available on the master. A good example is when a server is shut off on a segment and the workstations kick in, or the server is rebooted, wins the election, and begins a new cycle to enumerate the browse list from WINS and/or broadcasts. This can take a minimum of 12 minutes, upwards to the 48-minute full propagation cycle in a multiple-segment domain environment.

 

When to Troubleshoot

Below are the generic troubleshooting steps I used to troubleshoot the browser service that helped me find out the BlackArmor device was the culprit.

If you are seeing problems with the browser service, such as computers disappearing from the browse list, whether the cause is a third party device, Unix/Linux machine running Samba, or simply based on the infrastructure’s design, it might be a good idea to start troubleshooting to find the culprit.

 

Prepare to Troubleshoot:

  • Make sure the Computer Browser service is Started. Make sure NetBIOS is enabled on all machines.
  • On Windows 2003 and 2000, install the Support Tools (from the Windows CDROM) in order to have the “browstat” utility available.
  • With Windows 2008 and newer, the utility is already installed as part of the operating system files.
  • If there is any antivirus software, third party firewalls, or firewall rules between locations blocking WINS traffic (TCP 42 for WINS replication; client name registration and queries use UDP 137), they could block browser traffic, too. This, of course, assumes the Computer Browser service is running.

 

Firewall blocks – Test it with PortQry

You can use the Portqry.exe utility to test if the Browser, SMB, WINS and the ephemeral (service response) ports are permitted.

  • Browser: UDP 137/138, TCP 139
  • SMB: TCP 445
  • WINS replication: TCP 42 (client name registration and queries use UDP 137)
  • Ephemeral (Service Response Ports): Varies depending on OS:
    • Windows 2000/2003/XP: TCP/UDP 1024-5000
    • Windows 2008/Vista and newer: TCP/UDP 49152-65535

Description of the Portqry.exe command-line utility
http://support.microsoft.com/kb/310099

Active Directory Firewall Ports – Let’s Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx 
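An added PowerShell example (not part of the original post) that runs the port checks listed above against one or more machines. Test-NetConnection only speaks TCP, so it covers 139, 445 and 42; the UDP 137/138 checks shell out to portqry.exe when it is on the PATH (the PortQry download from the KB link above), and the LISTENING / NOT LISTENING / FILTERED result strings it matches on are the tool’s own.

```powershell
# Added example, not from the original post. Requires Windows 8 / Server 2012 or newer for
# Test-NetConnection; UDP checks need portqry.exe (from the KB download) somewhere on the PATH.
function Test-BrowserPorts {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )
    # Service-to-port map from the list above (TCP side).
    $tcpPorts = [ordered]@{
        'NetBIOS session (browser/SMB over NetBT)' = 139
        'SMB'                                      = 445
        'WINS replication'                         = 42
    }
    $portqry = Get-Command -Name portqry.exe -ErrorAction SilentlyContinue

    foreach ($target in $ComputerName) {
        foreach ($entry in $tcpPorts.GetEnumerator()) {
            $result = Test-NetConnection -ComputerName $target -Port $entry.Value -WarningAction SilentlyContinue
            [pscustomobject]@{
                Target   = $target
                Service  = $entry.Key
                Protocol = 'TCP'
                Port     = $entry.Value
                Result   = if ($result.TcpTestSucceeded) { 'LISTENING' } else { 'BLOCKED or NOT LISTENING' }
            }
        }

        # UDP 137 (name service) and 138 (datagram service) carry the browser announcements and
        # elections; only portqry can probe them. 'LISTENING or FILTERED' is portqry's honest answer
        # when a UDP probe gets no reply, so treat it as "check the firewall", not as success.
        foreach ($udpPort in 137, 138) {
            $status = 'portqry.exe not found'
            if ($portqry) {
                $output = & $portqry.Source -n $target -p udp -e $udpPort 2>&1 | Out-String
                $status = if     ($output -match 'NOT LISTENING')          { 'NOT LISTENING' }
                          elseif ($output -match 'LISTENING or FILTERED')  { 'LISTENING or FILTERED' }
                          elseif ($output -match 'FILTERED')               { 'FILTERED' }
                          elseif ($output -match 'LISTENING')              { 'LISTENING' }
                          else                                             { 'unknown: ' + $output.Trim() }
            }
            [pscustomobject]@{
                Target   = $target
                Service  = if ($udpPort -eq 137) { 'NetBIOS name service' } else { 'NetBIOS datagram service' }
                Protocol = 'UDP'
                Port     = $udpPort
                Result   = $status
            }
        }
    }
}

# Example: check the PDC emulator and a remote-site DC (names are placeholders).
Test-BrowserPorts -ComputerName 'pdc01.example.com', 'dc02.example.com' | Format-Table -AutoSize
```

Run it from a machine on the subnet that is having the browsing problem, since the point is to see what that subnet can reach, not what the DC can reach from its own segment.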

 

Multihomed DCs:

And if you have any multihomed DCs: among numerous other problems, that is a major cause of browser problems. Multihoming DCs is not recommended for multiple reasons, including the “Multihomed Browser” scenario. I suggest disabling one of the interfaces.

More info regarding multihoming DCs and why not to do it:

Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters – A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly.
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

 

Troubleshooting Steps:

Run browstat status to see who the browse master is for the segment. If it’s not the PDC Emulator, and some other device won the election, that can cause a problem.

To check current status of the browse service on the domain, run:
browstat status

You should get a response similar to:
Browsing is active on domain.
Master browser name is: <serverName>

Note, the machine that is the current master browser will be, depending on which machine types exist on the segment: the PDC Emulator, a replica DC on the segment, a member server, a joined workstation, a workgroup member, Unix or Linux with Samba, etc.

If you find a device is winning the election, then we need to disable that ability in the device. If there are no features for that, contact their support department, or put the device on its own subnet or VLAN to prevent it from winning the election on the production network.

To find the current browse master on a segment, you’ll have to find the transport name. First run:

browstat getmaster \device\netbt_el59x1 <domainname>

It will error out because the “netbt_el59x1” transport probably doesn’t exist, and will respond with the transports currently bound to the browser. Copy and paste the transport that does show up into your next command:

browstat getmaster \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>

Force an election by running (again using the transport name from the step above):
browstat elect \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>

Then check the event logs to see which machine won the election. If it’s a device, such as Linux/Unix with Samba, or a Seagate NAS, I’ve found it may win the election and cause browsing havoc within an environment, and you get that familiar but unwanted “Access Denied” when trying to browse.
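Here is an added PowerShell example (not part of the original post) that takes the guesswork out of the transport name: it reads the NetBT transports from the registry (the keys under NetBT\Parameters\Interfaces are named Tcpip_{GUID}, which is exactly what follows \Device\NetBT_ in the browstat output above), asks browstat for the master on each, optionally forces an election first, and pulls the browser events from the System log. The “Master browser name is:” pattern is the one browstat prints above; the event-log provider match is an assumption, since the source name differs between Windows versions.

```powershell
# Added example, not from the original post. Needs browstat.exe (Support Tools on 2000/2003,
# in-box on 2008 and newer) and NetBIOS over TCP/IP enabled on the interface being tested.
function Get-MasterBrowser {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DomainName,
        [switch]$ForceElection
    )
    # Each Tcpip_{GUID} subkey here is a NetBT transport the browser may be bound to.
    $interfaces = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

    foreach ($iface in $interfaces) {
        $transport = "\Device\NetBT_$($iface.PSChildName)"   # e.g. \Device\NetBT_Tcpip_{GUID}

        if ($ForceElection) {
            browstat elect $transport $DomainName 2>&1 | Out-Null
            Start-Sleep -Seconds 15   # give the election a moment to settle before asking who won
        }

        $output = (browstat getmaster $transport $DomainName 2>&1 | Out-String).Trim()
        $master = if ($output -match 'Master browser name is:\s*(\S+)') { $Matches[1] } else { $null }

        [pscustomobject]@{
            Transport = $transport
            Domain    = $DomainName
            Master    = $master
            RawOutput = $output   # keep browstat's own text for the transports it could not use
        }
    }
}

# Recent browser events from the System log, to see which machine announced itself or won.
# Assumption: the provider name contains 'Browser' on the Windows versions in use.
function Get-BrowserEvents {
    param([int]$Newest = 20)
    Get-WinEvent -LogName System -MaxEvents 2000 |
        Where-Object { $_.ProviderName -match 'Browser' } |
        Select-Object -First $Newest TimeCreated, Id, Message
}

Get-MasterBrowser -DomainName 'EXAMPLE' -ForceElection | Format-List
Get-BrowserEvents | Format-Table -Wrap
```

A Master value that is a NAS, a Samba host, or a workstation on a subnet that has a DC is the finding this section is about; RawOutput is kept so that transports with NetBIOS disabled show browstat’s own error instead of silently returning nothing.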

 

Master Browser Election Process

I know, most of you have probably wondered about the order of who would be the winner during a Master Browser election. The winner of a browse master election is based on operating system version and role. It’s also decided per subnet.

So if a Windows XP client is on a subnet by itself, then yes, it may become an MB if nothing else beats it.

And if a Windows Server 2008 R2 DC is on subnet 192.168.50.0/24, and on subnet 192.168.30.0/24 there are only a bunch of Windows XP and 2000 computers, then an XP machine will win on 192.168.30.0/24.

If the DC is multihomed, then that will definitely throw a wrench into it. Do NOT multihome your DC. Really, believe me, you don’t want to do it.

The following list shows the order of precedence of which operating system will win. And keep in mind, it’s subnet specific.

1. DC – PDC Emulator (no matter what OS)
2. DC – Non-PDC Emulator (no matter what OS)
3. Windows Server 2012
4. Windows 8
5. Windows Server 2008 R2
6. Windows 7
7. Windows Server 2008
8. Windows Vista
9. Windows Server 2003 R2
10. Windows Server 2003
11. Windows XP
12. Windows Server 2000
13. Windows 2000 Pro
14. Windows NT 4.0
15. Windows ME
16. Windows 98
17. Windows 95
18. Windows for Workgroups 3.11
19. Windows 3.1 with NDIS
20. DOS

 

Reference:

Troubleshooting the Microsoft Browser Services:
http://support.microsoft.com/kb/188305

Browser Elections
http://technet.microsoft.com/en-us/library/cc959896.aspx 

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001?wa=wsignin1.0

==============================================================

Summary

Updated 10/18/2014

I hope this helps! I’m sure I may have missed something. Comments and suggestions are welcomed.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services


Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

So you want to change your IP range?

By Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
www.delcocomputerconsulting.com

 

So you are looking at a major IP migration from a public range to a private range, not simply extending the current scopes, or you simply want to change the current IP range.

One good reason to change the internal IP range is that the current range matches the default subnets of many retail-box routers, such as those from Linksys, Netgear, etc. Identical subnets cause issues when users at home VPN into the company network: if the home subnet and the company subnet are the same, routing won’t work, so those users are never able to connect to or access internal company resources.

Depending on the size of the infrastructure, changing the IP range can either be easy, or pretty involved with a major undertaking on your hands. Let’s see…

 

First, come up with an IP Range

Come up with a plan that includes an IP range for all servers and statically configured hosts, as well as an IP range for each floor, building, etc., depending on the scope of this project and the subnets currently in place.

You could use the same subnet for the whole building, which makes it easier to deal with, but it is not as efficient with network traffic, especially if the number of hosts is large (into the thousands), because it becomes a very large broadcast domain. Also, with one big subnet you reduce your ability to define AD Sites appropriately, since Sites are built from subnet objects.

For example, for a large building with 3000 users you could use one subnet, such as 10.10.0.0/16, which gives you 65,534 usable IPs (65,536 addresses minus the network and broadcast addresses).

If you want to keep separate subnets for each floor, which is ideal if you have layer 3 / VLAN capable switches, that may be your better bet. Some may think it complicates matters with DHCP and routing, but looking at network efficiency, I think it’s a better bet.

For example, if you have multiple subnets or buildings with less than 4000 total hosts each (servers, users, printers, etc.), a good example is the following breakdown, which gives you 4096 addresses (4094 usable hosts) per subnet (and this is just an example – your mileage may vary):

  • 10.10.0.0/20   (10.10.0.0 – 10.10.15.255)
  • 10.10.16.0/20 (10.10.16.0 – 10.10.31.255)
  • 10.10.32.0/20 (10.10.32.0 – 10.10.47.255)
  • 10.10.48.0/20 (10.10.48.0 – 10.10.63.255)
  • etc.
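As an added example (not part of the original post), the following PowerShell carves the /16 above into the /20 blocks listed, reports the usable host count per block, and flags any block that overlaps the default subnet of a typical home router, which is the VPN collision the post opened with. The list of home-router defaults is an assumption for illustration; check what your remote users actually run.

```powershell
# Added example, not from the original post: split a /16 into /20 blocks,
# report usable hosts, and flag overlaps with assumed home-router defaults.

function ConvertTo-UInt32 ([System.Net.IPAddress]$Ip) {
    $b = $Ip.GetAddressBytes()          # network byte order
    [array]::Reverse($b)                # BitConverter expects little-endian
    [BitConverter]::ToUInt32($b, 0)
}

function ConvertFrom-UInt32 ([uint32]$Value) {
    $b = [BitConverter]::GetBytes($Value)
    [array]::Reverse($b)
    [System.Net.IPAddress]::new($b)
}

# Network, broadcast and usable-host count for a CIDR string such as 10.10.0.0/20.
function Get-SubnetInfo ([string]$Cidr) {
    $net, $len = $Cidr.Split('/')
    $len   = [int]$len
    # [uint32]::MaxValue rather than 0xFFFFFFFF: PowerShell types that literal as -1.
    $mask  = [uint32](([uint32]::MaxValue -shl (32 - $len)) -band [uint32]::MaxValue)
    $first = (ConvertTo-UInt32 $net) -band $mask
    $last  = $first -bor ((-bnot $mask) -band [uint32]::MaxValue)
    [pscustomobject]@{
        Cidr        = '{0}/{1}' -f (ConvertFrom-UInt32 $first), $len
        Network     = (ConvertFrom-UInt32 $first).ToString()
        Broadcast   = (ConvertFrom-UInt32 $last).ToString()
        UsableHosts = if ($len -ge 31) { 0 } else { [int64][math]::Pow(2, 32 - $len) - 2 }
        First       = [int64]$first
        Last        = [int64]$last
    }
}

# Enumerate the child blocks of a parent range, e.g. Split-Subnet 10.10.0.0/16 20
function Split-Subnet ([string]$Cidr, [int]$NewPrefix) {
    $parent = Get-SubnetInfo $Cidr
    $size   = [int64][math]::Pow(2, 32 - $NewPrefix)
    for ($a = $parent.First; $a -le $parent.Last; $a += $size) {
        Get-SubnetInfo ('{0}/{1}' -f (ConvertFrom-UInt32 ([uint32]$a)), $NewPrefix)
    }
}

# Two ranges overlap when each one starts before the other one ends.
function Test-SubnetOverlap ([string]$A, [string]$B) {
    $x = Get-SubnetInfo $A
    $y = Get-SubnetInfo $B
    ($x.First -le $y.Last) -and ($y.First -le $x.Last)
}

# Assumed consumer-router defaults (illustration only; verify against your users' gear).
$HomeRouterDefaults = '192.168.0.0/24', '192.168.1.0/24', '192.168.2.0/24', '10.0.0.0/24', '10.0.1.0/24'

Get-SubnetInfo '10.10.0.0/16'      # the one-flat-subnet option: 65534 usable hosts

foreach ($block in Split-Subnet '10.10.0.0/16' 20) {
    $clash = @($HomeRouterDefaults | Where-Object { Test-SubnetOverlap $block.Cidr $_ })
    $note  = if ($clash.Count) { 'COLLIDES with ' + ($clash -join ', ') } else { 'ok' }
    '{0,-16} {1,-15} {2,5} usable hosts  {3}' -f $block.Cidr, $block.Broadcast, $block.UsableHosts, $note
}
```

Feed the candidate range you are considering into Split-Subnet, and add the subnets your VPN users report from their home routers to the list, before you commit to a plan.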

 

Procedure (steps are not in stone)

  1. Inventory all applications that have been configured with hardcoded IP addresses in their configuration, then change the IPs to the new IPs.
  2. Ask users to shut down all workstations.
  3. Change the DC/DNS servers’ IP addresses.
    1. In NIC properties, change it to the new IP address.
    2. In NIC properties, change the DNS IP addresses to the new IPs.
    3. Re-register the DCs in DNS so the new records get created.
      1. ipconfig /registerdns
      2. Restart the Netlogon service (this re-registers the DC’s SRV and A records).
    4. Reference: Change the static IP address of a domain controller
      http://technet.microsoft.com/en-us/library/cc758579(WS.10).aspx
  4. Check DNS:
    1. Server properties, Name Servers tab: ensure the new IPs are listed.
    2. Remove the old ones and re-enter them if needed.
    3. Check the DNS zones. Make sure all old IP references are manually removed if the registration process above did not overwrite them (it should, since the same host re-registers the same records).
    4. Check the GC records (located in gc._msdcs.domain.local).
    5. Check the LdapIpAddress records, the “same as parent” A records that each DC registers at the zone apex.
  5. Create a new reverse zone for the planned IP subnets. Make sure updates are allowed.
    1. Delete the old reverse zone.
    2. In lieu of deleting and recreating the reverse zones, if you’re energetic:
      1. Change the AD integrated reverse zone to a Primary Standard zone (this takes it out of AD and puts it into a text file in system32\dns; the zone is removed from the directory, so the other DCs will not hold it again until you make it AD integrated and it replicates).
      2. Open the system32\dns\zoneName.dns file, change all the IPs in the zone file, save it, and reload the zone. You should see all the new IPs.
      3. Then change it back to AD integrated again.
  6. Change the DHCP server’s scope.
    1. You will need to delete and re-create the scope from scratch, since a scope’s subnet cannot be edited in place.
    2. If you have Scope Options, recreate the Scope Options.
    3. If you have Server Options, simply change the IP addresses they point to.
      1. If using WINS, change DHCP Option 044 to the new IP address of the WINS server.
      2. Option 003 is the router.
      3. Option 006 is for DNS addresses.
  7. If using Windows RRAS for VPN, and you are using a static IP pool, change the pool to a range in the new IP range.
    1. If using any other VPN solution, likewise.
    2. If using a Relay Agent or IP Helper, change the IP it’s pointing to.
  8. If using RRAS for NAT, change the configuration to the new internal interface’s IP.
  9. Change all of your other servers’ IPs.
    1. Run ipconfig /registerdns on each.
  10. Change any static hosts, including printer cards and other statically assigned IP entries.
    1. Restart the printers for the change to take effect.
  11. Start up the Windows machines.
    1. If they haven’t been shut down, run ipconfig /registerdns on each.
  12. Make sure the above works: AD is functional, the DCs and servers can get to the printers, etc.
  13. Run tests: dcdiag /v /fix on Windows 2000 through 2008 R2 DCs, and netdiag /v /fix as well on Windows 2003 and older.
  14. Check Event logs for any errors.
  15. Change the internal IP of the router.
  16. Recreate port mappings (port translations) on the firewall, if required.
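Steps 3 through 5 above are the part people get wrong, so here is an added example (PowerShell, not part of the original post) that does the DC re-registration and then audits DNS for records still carrying an old-range address: the Name Servers tab (the zone’s NS records), the domain zone, and the _msdcs zone where the GC and LdapIpAddress records live. It assumes the DnsServer module (Windows Server 2012 or later DNS), a domain zone named corp.local and an old range of 192.168.1.0/24; substitute your own. It only reports unless you pass -Remove.

```powershell
# Added example, not from the original post. Run on a DC/DNS server after its
# own IP has been changed. corp.local and 192.168.1. are assumptions.
#Requires -Modules DnsServer
param(
    [string]$ZoneName  = 'corp.local',
    [string]$OldPrefix = '192.168.1.',   # leading-string match on old addresses
    [switch]$Remove                       # report only unless -Remove is given
)

# Step 3.3: re-register this DC's own A, SRV and "same as parent" records.
ipconfig /registerdns | Out-Null
Restart-Service Netlogon

# Step 4.1: the Name Servers tab is the zone's NS records. Show the address
# each listed name server currently resolves to inside the zone.
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType NS | ForEach-Object {
    $ns     = $_.RecordData.NameServer.TrimEnd('.')
    $nsHost = $ns -replace ('\.' + [regex]::Escape($ZoneName) + '$'), ''
    $a      = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -Name $nsHost -ErrorAction SilentlyContinue
    '{0,-35} {1}' -f $ns, (@($a.RecordData.IPv4Address.IPAddressToString) -join ', ')
}

# Steps 4.3 to 4.5: A records in the domain zone and its _msdcs zone that
# still carry an old-range address. "@" is the LdapIpAddress (same as parent)
# record; "gc" in _msdcs is the global catalog record.
$stale = foreach ($z in $ZoneName, "_msdcs.$ZoneName") {
    if (-not (Get-DnsServerZone -Name $z -ErrorAction SilentlyContinue)) { continue }
    Get-DnsServerResourceRecord -ZoneName $z -RRType A |
        Where-Object { $_.RecordData.IPv4Address.IPAddressToString.StartsWith($OldPrefix) } |
        ForEach-Object {
            [pscustomobject]@{
                Zone = $z
                Name = $_.HostName
                IPv4 = $_.RecordData.IPv4Address.IPAddressToString
                Note = if ($_.HostName -eq '@') { 'LdapIpAddress (same as parent)' }
                       elseif ($_.HostName -like 'gc*') { 'Global catalog' } else { '' }
            }
        }
}
$stale | Format-Table -AutoSize

if ($Remove) {
    foreach ($r in $stale) {
        Remove-DnsServerResourceRecord -ZoneName $r.Zone -RRType A -Name $r.Name -RecordData $r.IPv4 -Force
    }
}

# Step 5.1: the old reverse zone (1.168.192.in-addr.arpa for the assumed range) should be gone.
$octets = $OldPrefix.TrimEnd('.').Split('.')
[array]::Reverse($octets)
$oldReverse = ($octets -join '.') + '.in-addr.arpa'
if (Get-DnsServerZone -Name $oldReverse -ErrorAction SilentlyContinue) {
    Write-Warning "Old reverse zone $oldReverse still exists; delete it once the new reverse zone is in place."
}
```

Run it once without -Remove and read the table: a stale “@” record means a DC has not re-registered yet (or is still running), and a stale “gc” record means the same for a global catalog. Only remove what you have accounted for.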

 

Do Multiple Internal Subnets exist?

  1. If you are currently connected to multiple internal subnets, change the static route entries on the edge firewall/router to ensure communications work to the other subnets. Do the same on their end.
  2. Once again, check event logs for any errors.
  3. Test internet connectivity from your DCs and servers.
  4. DHCP: take note of exclusions, reservations, superscopes, etc., then delete all scopes.
  5. Create a new big scope, or multiple scopes if you had separate scopes, superscopes, etc.
  6. Test DHCP by firing up a couple of workstations: logons, internet connectivity, printers, resource access, etc.
  7. Once again, check event logs for any errors.

I’m sure I may have missed a few steps and only briefly covered others, but it should give you a good start and a guideline, because every infrastructure is different and unique.

 

Comments, corrections and suggestions are welcomed.

Why do we ask for an ipconfig /all, when we try to help diagnose AD issues?

Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
www.delcocomputerconsulting.com

Ace here again. Yea, I had to post a blog about this because many people ask, why do you want that? Just for the IP address??

Nope. Not just for the IP.

Good question.

An ipconfig /all provides quite a bit of configuration data as a precursor for a diagnosis. Sometimes the ipconfig /all results will help us fix it, but not always.

Many admins are reluctant to provide this sort of information, citing security reasons.

In some cases, I sympathize and agree, but in many cases, security really isn’t much of a concern, because for one, your internal IP range is a private range, and two, you can substitute your actual internal domain name with something more generic, such as substituting “microsoft.local” with “mydomain.local”. You should also substitute your DC names using something generic, such as dc-01, dc-02, etc. Substitute consistently (the same real name always becomes the same generic name, including inside FQDNs), otherwise the output no longer hangs together. And definitely keep track of the substituted DC names in case we have additional questions regarding them.
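Here is an added example (PowerShell, not part of the original post) of doing that substitution mechanically rather than by hand: the real domain becomes a generic one, the DC names become dc-01, dc-02, ... consistently (also inside FQDNs), and the mapping is returned so you can translate follow-up questions back. The sample dump below is constructed for illustration; the names and addresses in it are not real.

```powershell
# Added example, not from the original post: sanitize an ipconfig /all dump
# before posting it, keeping the real-to-generic name map for yourself.

function ConvertTo-SanitizedIpconfig {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$RealDomain,
        [string]$FakeDomain = 'mydomain.local',
        [string[]]$HostsToRename = @(),    # DC names appearing in the dump
        [string]$HostPrefix = 'dc-'
    )
    # real name -> generic name; PowerShell hashtable keys are case-insensitive
    $map = [ordered]@{ $RealDomain = $FakeDomain }
    $n = 1
    foreach ($h in $HostsToRename) { $map[$h] = '{0}{1:D2}' -f $HostPrefix, $n; $n++ }

    # One alternation, longest names first, so a longer name is never mangled by
    # a shorter key that happens to be a substring of it. Boundaries allow
    # hyphens, since host names contain them.
    $alts = $map.Keys | Sort-Object Length -Descending | ForEach-Object { [regex]::Escape($_) }
    $rx   = [regex]::new('(?i)(?<![\w-])(' + ($alts -join '|') + ')(?![\w-])')
    $eval = [System.Text.RegularExpressions.MatchEvaluator]{ param($m) $map[$m.Value] }.GetNewClosure()

    [pscustomobject]@{
        Text = $(foreach ($line in $Lines) { $rx.Replace($line, $eval) }) -join [Environment]::NewLine
        Map  = $map
    }
}

# Constructed sample input (not a real network)
$sampleText = @'
Host Name . . . . . . . . . . . . : CORP-DC-01
Primary Dns Suffix  . . . . . . . : corp.example.com
DNS Suffix Search List. . . . . . : corp.example.com
   DNS Servers . . . . . . . . . . : 192.168.80.5
                                     192.168.80.10
Full DC list: CORP-DC-01.corp.example.com, corp-dc-02.corp.example.com
'@
$sample = $sampleText -split "`r?`n"

$result = ConvertTo-SanitizedIpconfig -Lines $sample -RealDomain 'corp.example.com' -HostsToRename 'CORP-DC-01', 'CORP-DC-02'
$result.Text      # post this
$result.Map       # keep this to yourself for the follow-up questions
```

On a real machine, pass the live output instead of the sample: ConvertTo-SanitizedIpconfig -Lines (ipconfig /all) -RealDomain 'your.domain' -HostsToRename 'DC1','DC2'. The IP addresses are left alone on purpose, since the point of the exercise is that we need to see them.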

Let’s take a look at each value in an ipconfig /all

Believe it or not, the results of an ipconfig /all contain a lot of information that gives us an inside view of a DC’s basic network configuration, as well as its basic service configuration.

Let’s break it down:

C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : company-dc-01  

  • Name is under 15 characters – good for NetBIOS compatibility. Not a huge concern for many companies.
  • Possibly indicates more than one DC, based on the –01 portion of the name.

Primary Dns Suffix  . . . . . . . : company.com 

  • The AD DNS domain name is not a single-label name.
  • In some cases, we’ll also ask for the name in ADUC. If the name in ADUC does not match this name, it’s a disjointed namespace condition.

Node Type . . . . . . . . . . . . : Hybrid   

  • If Hybrid is set, it tells me that WINS is in use.
  • Hybrid mode, specifically 0x8 (as you would set a WINS server Hybrid mode in DHCP Option 046), tells the client-side resolver to query WINS first when attempting to resolve a single-label name, and if that fails, to then try a broadcast. Of course, this is only after DNS resolution fails, since DNS is used first anyway; the client-side resolver appends the search suffix and attempts to resolve the name as a DNS hostname query.
  • If the Node Type is set to “Unknown,” no big deal. It just means that WINS is not configured, and the resolver will use broadcast for single-label name resolution.

IP Routing Enabled. . . . . . . . : No

  • Means RRAS is not installed.
  • If set to Yes, RRAS is installed, and it will interfere with AD communications on this DC.

WINS Proxy Enabled. . . . . . . . : No  

  • On a DC, “No” is what we want to see.
  • If set to Yes, then “Enable broadcast name resolution” is checked under the General tab in RRAS properties. If this is set to Yes and there is only one NIC, it could mean either:
    • RRAS is installed only for VPN use, or
    • RRAS was disabled, but the setting stuck.
  • Either way, if it is set to Yes, it will cause problems with AD communications.

DNS Suffix Search List. . . . . . : company.com

  • This is what the client-side resolver uses when attempting to resolve a single-label name. For example, if I run nslookup against a single name such as computer1, the resolver appends company.com to it, resulting in a query for computer1.company.com.
  • If there are multiple domains in the forest, such as a parent and child domain, or multiple child domains, then the machines in each domain must be configured with a search suffix for all the other domains in order to resolve single-label names everywhere in the forest. This is also true for additional trees in the forest.
  • The company.com in this example was devolved from the Primary DNS Suffix.
    • If the Primary DNS Suffix has multiple levels, such as chicago.ad.company.com, then the resolver will devolve it to search suffixes of chicago.ad.company.com, ad.company.com, and company.com.
    • However, if ad.company.com is the forest root domain and the client is Windows 2008 or newer, devolution stops at ad.company.com. Windows 2000 and 2003 devolved all levels, which led to some confusion.

Ethernet adapter Team 1:

  • Obviously this interface is a team.

Connection-specific DNS Suffix  . :

  • If this is a DHCP client and DHCP Option 015 is configured with a domain suffix, it populates this value. It applies only to the interface that receives the configuration: if it is a wireless adapter, the value populates the wireless connection but not the wired connection, and it is used as the suffix for identification and DNS registration only on that interface. It is not used as a search suffix.

Description . . . . . . . . . . . : BASP Virtual Adapter

  • This is the vendor brand name of the adapter.

Physical Address. . . . . . . . . : 00-18-8B-47-F0-D1

  • This is the MAC address of this adapter or team.

DHCP Enabled. . . . . . . . . . . : No

  • This means the NIC has a static configuration.

IP address, mask and default gateway

   IP Address. . . . . . . . . . . . : 192.168.80.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.80.1

  • In the above three values, we make sure the IP address and mask are on the same subnet as an ipconfig /all of another machine, if one was provided. You would be surprised how many times we’ve seen subnets misconfigured with an incorrect subnet mask.

DNS Servers . . . . . . . . . . . : 192.168.80.5
                                    192.168.80.10

  • What we look for in the DNS addresses is that only the internal DNS servers hosting the AD zone are specified. If external DNS addresses are specified, or your router’s DNS address is specified (for example, 192.168.80.1), then you should expect to see numerous problems. This is because your machine sends the external DNS servers or your router a query whenever it tries to log in, authenticate, find domain resources, etc., and the external DNS servers or your router do not have an answer when queried for internal resources. It’s the same as me asking the first person I see walking by out front of my house, “Where’s that beer that was in my refrigerator last night?” Besides the person not having an answer, he’ll probably give me a funny or dirty look. Your DNS server and DC won’t give you a funny look, but you’ll probably get some sort of error and your machine will fail to find your AD domain.
  • The addresses listed in this example show that it is pointing to a partner DC as the first entry, and itself as the second entry.
    • You may also find in some configurations the loopback as the second entry. That is OK, too; DCPROMO puts in the loopback. As a matter of fact, if you run the AD BPA, one of the things it looks for is the loopback as the second entry. You can leave it there if you like, or change it to the IP of the DC itself, but if you do, ignore the BPA’s warning if you run it again.

Primary WINS Server . . . . . . . : 192.168.80.10

  • This tells me the server is running WINS. Why? Because it is pointing to itself, as it should be for a WINS server.
  • If a WINS server points to any other WINS server as its primary, it will cause numerous problems with WINS record ownership.

NetBIOS over Tcpip. . . . . . . . : Enabled

  • Of course this one is obvious. But here’s one for you. If you have NetBIOS disabled, but you are using WINS, what’s the point??

Do I need NetBIOS?

By Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
www.delcocomputerconsulting.com

Do you need NetBIOS? That Depends …

Prior to Windows 2000, Microsoft operating systems could only use SMB over a NetBIOS session. This means all SMB traffic started after a NetBIOS session was established, and it relied on TCP port 139. If NetBIOS over TCP/IP was disabled, SMB connectivity broke.

With Windows 2000 and higher, the OS supports both NetBIOS sessions and Direct Hosting. Windows 2000 and newer try to connect simultaneously over NetBIOS (port 139) and Direct SMB (port 445); if there is no response from the target on 445, it falls back to 139. This offers legacy support for NetBIOS-based apps. That is why if you disable NetBIOS on a server, it will still connect to other servers, but any NetBIOS-based apps that require connectivity to that server will fail.

If you run netstat -a, you can see port 445. It may even label it as microsoft-ds, which means Microsoft Direct SMB. I know Vista doesn’t, but Windows 2003 will.
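Before disabling NetBIOS over TCP/IP on a server, it helps to see what is actually using it. The following is an added example (PowerShell, not part of the original post) that shows the NetBIOS setting and WINS servers per adapter, confirms that 445 (microsoft-ds, Direct SMB) is listening, and counts live sessions on 139 versus 445. Established connections on 139 are clients that still reach this server over a NetBIOS session and would break. It assumes Windows Server 2012 or later for the NetTCPIP cmdlets; on older systems netstat -a and nbtstat -S give the same view by hand.

```powershell
# Added example, not from the original post: inventory NetBIOS/WINS settings
# and compare live SMB sessions on 139 (NetBIOS) versus 445 (Direct SMB).

# TcpipNetbiosOptions: 0 = use the DHCP server's setting, 1 = enabled, 2 = disabled
$nbtMeaning = @{ 0 = 'Default (via DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description,
        @{ n = 'NetBIOS'; e = { $nbtMeaning[[int]$_.TcpipNetbiosOptions] } },
        @{ n = 'WINS';    e = { (@($_.WINSPrimaryServer, $_.WINSSecondaryServer) | Where-Object { $_ }) -join ', ' } } |
    Format-Table -AutoSize

# Which SMB transports are listening?
$listening = Get-NetTCPConnection -State Listen -LocalPort 139, 445 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort -Unique
'445 (Direct SMB) listening: {0}; 139 (NetBIOS session) listening: {1}' -f
    ($listening -contains 445), ($listening -contains 139)

# Who is connected right now, and over which transport?
Get-NetTCPConnection -State Established -LocalPort 139, 445 -ErrorAction SilentlyContinue |
    Group-Object LocalPort | ForEach-Object {
        $kind = if ($_.Name -eq '445') { 'Direct SMB' } else { 'NetBIOS session' }
        '{0,-16} port {1}: {2} session(s) from {3}' -f $kind, $_.Name, $_.Count,
            (($_.Group.RemoteAddress | Sort-Object -Unique) -join ', ')
    }

# Cross-check with the legacy tool: nbtstat -S lists NetBIOS sessions by IP.
nbtstat -S
```

Run it during business hours, more than once, before deciding; a clean result at 2 a.m. says nothing about the backup agent or AV console that only connects during the day.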

What’s TCP port 445 used for in Windows 2000/XP?
http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm

Quick Brief on NetBIOS and Those Noisy Broadcasts

Any machine that is NetBIOS capable (Windows, or Unix/Linux machines with Samba installed) will participate in a NetBIOS environment and with the browser service. Without WINS, every NetBIOS-capable machine announces itself by broadcast: it registers its NetBIOS names by broadcast when it starts up, refreshes them periodically, broadcasts again every time it has to resolve a name, and the browser service broadcasts its host announcements: “Hey, my computer name is Computer1, my IP address is <enterIP>, and I am offering the Workstation Service and Server Service on such and such workgroup and/or domain.”

WINS is a NetBIOS name to IP database. It’s a flat database with no hierarchical structure – simply one name to one IP. It’s similar to DNS, but DNS is hierarchical (child3.child2.child1.domain.com, etc.).

When you install WINS and configure all machines to use WINS, the NetBIOS-aware processes and functions recognize that a WINS server is configured, and instead of broadcasting their name registrations and name queries, they register their names and related services with the WINS database and query it directly. Simply put, each machine stops yelling out its name to the whole subnet.

Without WINS, it’s like a grade school cafeteria with all the background chatter, conversation, etc. With WINS, think of it as the kids in the cafeteria quietly entering their names and thoughts into a database that the other kids can read, so there is no more noise. Kind of like every kid talking back and forth over Facebook on a tablet or smartphone in front of them, instead of shouting.

Therefore, WINS quiets the network considerably (the browser service’s host announcements on the local subnet are still broadcasts). But all machines must be configured with WINS to make this happen.

When a WINS-enabled client needs to resolve a name, it first tries DNS (the hostname resolution process), and only if that fails does it fall back to NetBIOS name resolution: an H-node client queries WINS, and if WINS does not have the name in its database, it broadcasts. If WINS isn’t configured at all, it goes straight to broadcast.

The Computer Browser service enumerates and assembles the browse list (the neighborhood) using broadcasts. If WINS is configured, it uses the WINS database to assemble the browse list. This is why, without WINS, the browser service can only assemble the local subnet, since NetBIOS broadcasts do not traverse subnets. WINS provides multi-subnet support for NetBIOS resolution as well as an enterprise-wide browse list, so any machine anywhere in the network can browse to a machine anywhere else in the network, such as a machine in NY browsing to a machine in San Fran.

Joining a machine to the domain.

Yep, you need it to join a machine.

Windows 7 or Windows Server 2008 R2 domain join displays error “Changing the Primary Domain DNS name of this computer to “” failed….”
http://support.microsoft.com/kb/2018583

Network and Printer Browsing

The only complaints I’ve heard are about losing network and printer browsing across subnets, since the browser service compiles the browse list from broadcasts, and broadcasts do not traverse routers (to reduce excessive traffic across WAN links). However, I can’t substantiate the complaints, since all the small to medium sized installations I’ve worked with kept NetBIOS enabled and used WINS.

Then again, you can use AD printer publishing for that feature and search AD for printers (when you share a printer, there’s a checkbox to publish it in AD).

WINS

Your best bet for smooth sailing with multi-subnet browsing and to support legacy apps is to use WINS.

WINS – What Is It, How To Install It, WINS Replication Partner Design Guidelines, How to Configure DHCP Scopes For WINS Client Distribution, and more:
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

Legacy Apps Require NetBIOS

So the biggest caveat is with legacy apps that rely on NetBIOS. For example, SEP and McAfee ePO use the browser service and NetBIOS name resolution, not Direct SMB, and they will fail with central control, updates, etc.

If you disable NetBIOS over TCP/IP, it causes functionality issues with ePO 4.x
https://kc.mcafee.com/corporate/index?page=content&id=KB76756&cat=CORP_EPOLICY_ORCHESTRATOR&actp=LIST

Environmental requirements for agent deployment from the ePO 4.x server
https://kc.mcafee.com/corporate/index?page=content&id=KB56386

Same with Backup Exec and backup agents. There are many other apps that require NetBIOS functionality.

What I can say is that some legacy applications and services still require NetBIOS name resolution (WINS), which Direct SMB alone does not provide. These include, but are not limited to:

• Exchange 2003 with certain Outlook features
• McAfee Enterprise ePolicy Orchestrator
• Symantec Endpoint Protection
• Symantec Backup Exec
• Computer Associates AV
• SQL
• Mapped drives (by single-label NetBIOS name)
• Printer sharing (not published in AD)
• and many more….

Exchange 2000/2003 Need NetBIOS

Yea, I know this is the day and age of Windows 2012 and Exchange 2013, but believe it or not, there are still installations out there running legacy operating systems and Exchange, so I had to throw this in.

Exchange 2000/2003 require NetBIOS, for example for Outlook to Exchange Free/Busy communications.

WINS is still required with both Exchange 2000 and 2003
Aug 8, 2005 … See why Exchange needs WINS and how you can get a WINS server up and running and configure Exchange to use it. …
http://articles.techrepublic.com.com/5100-10878_11-5820760.html

WINS and Exchange 2003 Server Dependencies:
I had been laboring under the delusion that Windows and Exchange 2003 servers no longer need WINS, it seems that I was wrong. However, what I now believe …
http://www.computerperformance.co.uk/w2k3/services/WINS_exchange.htm

Exchange Server 2003 and Exchange 2000 Server require NetBIOS name …
You may have to use NetBIOS name resolution across different subnets for the … The following Exchange functionality still depends on WINS name resolution: …
http://support.microsoft.com/kb/837391

So you have to ask yourself, what else are you running?

Search Suffixes

Search suffixes are used to facilitate single-label name resolution. As long as the search suffix is properly configured for your infrastructure, you should be OK.

Configuring DNS Search Suffixes
http://msmvps.com/blogs/acefekay/archive/2011/02/12/configuring-dns-search-suffixes.aspx

Suggestions, Corrections, & Comments are welcomed.

Ace Fekay