The DC Locator Process, The Logon Process, Controlling Which DC Responds in an AD Site, and SRV Records

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Original Compilation: 4/2009
Posted/Published 1/3/2009
Updated 10/28/2011

Note:
This is a compilation of data from various resources. I hope you find it helpful.

Controlling which DC responds in a Site

This section explains how to change the Netlogon registry data to control SRV weights and priorities, which are referenced in the links at the end of this post. Be careful when implementing these changes, and document them: if another DC in the site goes down, users may experience a delay or, worse, an inability to log on, and if the changes were forgotten they will be extremely difficult to troubleshoot.

To find out which DC logged you in:
echo %logonserver%

You can also test which DCs are nearest to your workstation in your site (copy nltest.exe from the DC to the workstation’s system32 folder):
nltest /sc_query:YourDomainName.com

To find the GC your workstation used (same nltest.exe copy as above):
nltest /dsgetdc:your_domain_name.com /GC

This is performed by altering the default weight and/or priority settings that get registered in the SRV records. The changes are made in the specific DC’s Netlogon registry entry; I would suggest changing all of the DCs in a site for finer control. The reason it is controlled in the Netlogon registry entry is that the Netlogon service is the component that registers a DC’s data into the respective SRV records in DNS.

When changing them, keep in mind that a client will attempt to contact a server with the lowest priority value first. If there is more than one server with the same priority, DNS load balancing is used when selecting the target server. If the weights differ among servers with the same priority, a server is chosen based on the percentage obtained by dividing its weight by the sum of the weights of all DCs in the AD site.

Let’s say you have 3 DCs: DC01, DC02 and DC03. Weights are assigned as follows:
DC01 = 10
DC02 = 20
DC03 = 30

In this example:
DC01 will be contacted 1 out of every 6 times (10/(30+20+10))
DC02 will be contacted 2 out of every 6 times (20/(30+20+10))
DC03 will be contacted 3 out of every 6 times (30/(30+20+10))

You can use nslookup in interactive mode to find the SRV priorities and weights:
nslookup
set q=srv
_ldap._tcp.dc._msdcs.domain.com
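The weight arithmetic above, worked through as an added example (this is not code from the original post): it parses SRV records written the way the Phoenix example later on this page shows them, computes the share of first contacts each DC gets while all of them answer, and simulates the RFC 2782 client choice. The dc01..dc03 names and domain.com are placeholders.

```python
"""RFC 2782 SRV selection applied to the DC01/DC02/DC03 weights (added example)."""
import random
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SrvRecord:
    """Parse 'owner SRV priority weight port target' (one record per line)."""
    owner, rtype, prio, weight, port, target = line.split()
    if rtype.upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(owner, int(prio), int(weight), int(port), target.rstrip("."))


# Constructed records for the three-DC example above (weights 10, 20, 30).
RECORDS = [parse_srv(line) for line in """
_ldap._tcp.dc._msdcs.domain.com SRV 0 10 389 dc01.domain.com
_ldap._tcp.dc._msdcs.domain.com SRV 0 20 389 dc02.domain.com
_ldap._tcp.dc._msdcs.domain.com SRV 0 30 389 dc03.domain.com
""".strip().splitlines()]


def expected_shares(records):
    """Share of first contacts each target receives while every DC answers.

    Only the lowest priority value is ever tried first; within that group the
    share is weight / sum(weights), exactly the 1/6, 2/6, 3/6 worked above.
    """
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:  # RFC 2782: all weights zero means choose uniformly
        return {r.target: Fraction(1, len(group)) for r in group}
    return {r.target: Fraction(r.weight, total) for r in group}


def order_targets(records, rng=random):
    """Order targets the way an RFC 2782 client tries them.

    Priority groups ascending (lower value first); inside a group each slot is
    filled by a weighted random draw among the records not yet placed, so a DC
    with weight 0 is only reached after every non-zero weight has been tried.
    """
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                n = rng.random() * total  # uniform in [0, total)
                running = 0
                for pick in pool:
                    running += pick.weight
                    if running > n:  # first record whose running sum passes n
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def simulate_first_contact(records, trials=6000, seed=1):
    """Count which target a client would contact first over many fresh lookups."""
    rng = random.Random(seed)
    return Counter(order_targets(records, rng)[0].target for _ in range(trials))


if __name__ == "__main__":
    for target, share in sorted(expected_shares(RECORDS).items()):
        print(f"{target}: {share} of first contacts")
    print(simulate_first_contact(RECORDS))
```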

Then verify the correct SRV records were created based on the registry changes you made:
How to verify that SRV DNS records have been created for a domain controller:
http://support.microsoft.com/kb/816587

The CSEs (client-side extensions) are what choose a DC, in this order:

1. A DC in its own AD Site, based on the client’s IP address and the subnet it is in.
2. If there is more than one DC in the same Site to choose from in the same IP subnet, Round Robin prevails.
3. If there is more than one DC in the same AD Site but one of the DCs is in the same subnet as the client and the other is not, then Subnet Prioritization prevails to choose the DC in the client’s own subnet.
4. If there is more than one DC in the same AD Site, both DCs are in a different IP subnet than the client, and the two DCs are in the same subnet as each other, then Round Robin prevails to choose one of the DCs in that subnet.
5. If there is more than one DC in the same AD Site and both DCs are in different IP subnets than the client, then Subnet Prioritization prevails to choose the subnet that is the closest match based on the network bits. (See this thread for more on subnet prioritization and bit selection: Technet Thread – DNS issue : DHCP relay + VLANs + multiple AD Sites, which heavily discusses subnet prioritization and subnet bits.)
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/ea03c013-7484-4a24-96be-d95219b69b3f/
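The five steps above, modelled as an added example (not from the original post): the DCs of the client's site are ranked by how many leading address bits they share with the client, and ties are broken round-robin. The client address, DC names and addresses are constructed; the round-robin turn is passed in explicitly, standing in for the rotation a DNS server applies between answers.

```python
"""Model of the site-local DC choice in steps 1-5 (added example)."""
import ipaddress


def matching_bits(ip_a: str, ip_b: str) -> int:
    """Number of leading bits two IPv4 addresses have in common (the 'network bits')."""
    diff = int(ipaddress.IPv4Address(ip_a)) ^ int(ipaddress.IPv4Address(ip_b))
    return 32 - diff.bit_length()


def closeness(client_ip: str, site_dcs) -> dict:
    """Map each DC name to its matching-bit count with the client, for inspection."""
    return {name: matching_bits(client_ip, ip) for name, ip in site_dcs}


def rank_site_dcs(client_ip: str, site_dcs, rr_turn: int = 0) -> list:
    """Order the site's DCs for one client.

    site_dcs: list of (dc_name, dc_ip) for the DCs in the client's own AD site (step 1).
    rr_turn:  which round-robin rotation to apply among equally close DCs
              (steps 2 and 4); a DNS server advances this on each answer.
    Returns DC names, closest subnet first (steps 3 and 5).
    """
    tiers = {}
    for name, ip in site_dcs:
        tiers.setdefault(matching_bits(client_ip, ip), []).append(name)
    ordered = []
    for bits in sorted(tiers, reverse=True):  # longest prefix match wins
        group = tiers[bits]
        k = rr_turn % len(group)              # rotate only within a tie
        ordered.extend(group[k:] + group[:k])
    return ordered


# Constructed site: two DCs in 10.1.1.0/24, one in 10.1.2.0/24, one in 10.2.0.0/24.
SITE_DCS = [
    ("dc01", "10.1.1.10"),
    ("dc02", "10.1.1.11"),
    ("dc03", "10.1.2.10"),
    ("dc04", "10.2.0.10"),
]

if __name__ == "__main__":
    # Client in the same subnet as dc01/dc02 (steps 2 and 3).
    print(rank_site_dcs("10.1.1.50", SITE_DCS, rr_turn=0))
    print(rank_site_dcs("10.1.1.50", SITE_DCS, rr_turn=1))
    # Client in a subnet with no DC at all (step 5): closest network bits win.
    print(closeness("10.1.3.50", SITE_DCS), rank_site_dcs("10.1.3.50", SITE_DCS))
```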

Summary:

AD client DC locator steps

Good discussion on the DC locator process and how the client handles AD Sites, when a DC goes down, and when a client moves between sites.
Thread Question: “how to control sequence of domain controllers a client computer logging on”
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/77bc547f-4d0d-4a0c-b463-359b1c771a81/

AutoSiteCoverage
Domain controllers cover, that is, provide services to, the site in which they reside and to other sites listed in the value of the SiteCoverage entry. In addition, when the value of AutoSiteCoverage is 1, the system can add sites that do not have domain controllers to this domain controller’s coverage area.
http://technet.microsoft.com/en-us/library/cc939530.aspx

AD Site Coverage:
Reg entry: Specifies a list of sites in which this domain controller registers itself. These sites are in addition to the site in which the domain controller resides and the sites listed in the value of the AutoSiteCoverage entry.
http://technet.microsoft.com/en-us/library/cc937924.aspx

SRV Resource Records

The above section described how to control which DC responds. The reason it works is based on SRV records, so I thought I would provide information about the SRV records associated with this process. This section describes the SRV records used by Active Directory. It is a quote, though I did not quote the whole article, just what is pertinent to logon and DC location.

This section was quoted from:
SRV Resource Records
http://technet.microsoft.com/en-us/library/cc961719.aspx

When a Windows 2000 or Windows 2003 domain controller starts up, the Net Logon service uses dynamic updates to register SRV resource records in the DNS database, as described in an Internet Engineering Task Force draft that defines “A DNS RR for specifying the location of services (DNS SRV).” For more information about this draft, see the Internet Engineering Task Force (IETF) link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Follow the links to Internet Drafts, and then use a keyword search.

The SRV record is used to map the name of a service (in this case, the LDAP service) to the DNS computer name of a server that offers that service. In a Windows 2000 network, an LDAP resource record locates a domain controller.

A workstation that is logging on to a Windows 2000 domain queries DNS for SRV records in the general form:
_Service._Protocol.DnsDomainName

Active Directory servers offer the LDAP service over the TCP protocol; therefore, clients find an LDAP server by querying DNS for a record of the form:
_ldap._tcp.DnsDomainName

Note:
The service and protocol strings require an underscore (_) prefix to prevent potential collisions with existing names in the namespace.

_msdcs Subdomain
There are possible implementations of LDAP servers other than Windows 2000–based domain controllers. There are also possible implementations of LDAP directory services that employ Global Catalog servers but are not servers that are running Windows 2000. To facilitate locating Windows 2000–based domain controllers, in addition to the standard _Service._Protocol.DnsDomainName format, the Net Logon service registers SRV records that identify the well-known server-type pseudonyms “dc” (domain controller), “gc” (Global Catalog), “pdc” (primary domain controller), and “domains” (globally unique identifier, or GUID) as prefixes in the _msdcs subdomain. This Microsoft-specific subdomain allows location of domain controllers that have Windows 2000–specific roles in the domain or forest, as well as the location by GUID when a domain has been renamed. To accommodate locating domain controllers by server type or by GUID (abbreviated “dctype”), Windows 2000–based domain controllers register SRV records in the following form:
_Service._Protocol.DcType._msdcs.DnsDomainName

The addition of the _msdcs subdomain means that two sets of DNS names can be used to find an LDAP server: DnsDomainName is used to find an LDAP server or Kerberos server that is running TCP (or, in the case of a Kerberos server, either TCP or the User Datagram Protocol [UDP]), and the subdomain _msdcs.DnsDomainName is used to find an LDAP server that is running TCP and also functioning in a particular Windows 2000 role. The name “_msdcs” is reserved for locating domain controllers. The single keyword “_msdcs” was chosen to avoid cluttering the DNS namespace unnecessarily. Other constant, well-known names (pdc, dc, and gc) were kept short to avoid exceeding the maximum length of DnsDomainName.


SRV Records Registered by Net Logon

The list that follows provides the definitions of the names associated with registered SRV records. It also describes the lookup criteria supported by each record and the checks performed by Netlogon as each record is registered. Text in bold type denotes constant record components; text in italic type denotes variable names.

In the descriptions of registered SRV records, DnsDomainName refers to the DNS domain name that is used during creation of the domain controller when the domain tree is joined or created (that is, while the computer is running the Active Directory Installation Wizard). DnsForestName refers to the DNS domain name of the forest root domain.

The following is a list of the owner names of the SRV records that are registered by Net Logon. An owner name is the name of the DNS node to which the resource record pertains.

_ldap._tcp.DnsDomainName.
Allows a client to locate a server that is running the LDAP service in the domain named by DnsDomainName. The server is not necessarily a domain controller — that is, the only assumption that can be made about the server is that it supports the LDAP application programming interface (API). All Windows 2000 Server–based domain controllers register this SRV record (for example, _ldap._tcp.reskit.com.).

_ldap._tcp.SiteName._sites.DnsDomainName.
Allows a client to locate a server that is running the LDAP service in the domain named in DnsDomainName in the site named by SiteName. SiteName is the relative distinguished name of the site object that is stored in the Configuration container in Active Directory. The server is not necessarily a domain controller. All Windows 2000 Server–based domain controllers register this SRV record (for example, _ldap._tcp.charlotte._sites.reskit.com.).

_ldap._tcp.dc._msdcs.DnsDomainName.
Allows a client to locate a domain controller (dc) of the domain named by DnsDomainName. All Windows 2000 Server–based domain controllers register this SRV record.

_ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName.
Allows a client to locate a domain controller for the domain named by DnsDomainName and in the site named by SiteName. All Windows 2000 Server–based domain controllers register this SRV record.

_ldap._tcp.pdc._msdcs.DnsDomainName.
Allows a client to locate the server that is acting as the primary domain controller (also known as a “PDC”) in the mixed-mode domain named in DnsDomainName. Only the PDC emulator master of the domain (the Windows 2000–based domain controller that advertises itself as the primary domain controller to computers that need a primary domain controller) registers this SRV record.

_ldap._tcp.gc._msdcs.DnsForestName.
Allows a client to locate a Global Catalog (gc) server for this forest. Only domain controllers that are functioning as Global Catalog servers for the forest named in DnsForestName register this SRV record (for example, _ldap._tcp.gc._msdcs.reskit.com.).

_ldap._tcp.SiteName._sites.gc._msdcs.DnsForestName.
Allows a client to locate a Global Catalog (gc) server for this forest in the site named in SiteName. Only domain controllers that are serving as Global Catalog servers for the forest named in DnsForestName register this SRV record (for example, _ldap._tcp.charlotte._sites.gc._msdcs.reskit.com.).

_gc._tcp.DnsForestName.
Allows a client to locate a Global Catalog (gc) server for this domain. The server is not necessarily a domain controller. Only a server that is running the LDAP service and functioning as the Global Catalog server for the forest named in DnsForestName registers this SRV record (for example, _gc._tcp.reskit.com.).

Note:
In Windows 2000, a Global Catalog server is a domain controller. Other non-Windows 2000 implementations of directory services can also register servers as Global Catalog servers.

_gc._tcp.SiteName._sites.DnsForestName.
Allows a client to locate a Global Catalog (gc) server for this forest in the site named in SiteName. The server is not necessarily a domain controller. Only a server that is running the LDAP service and functioning as the Global Catalog server for the forest named in DnsForestName registers this SRV record (for example, _gc._tcp.charlotte._sites.reskit.com.).

_ldap._tcp.DomainGuid.domains._msdcs.DnsForestName.
Allows a client to locate a domain controller in a domain on the basis of its GUID. A GUID is a 128-bit number that is automatically generated for referencing objects in Active Directory — in this case, the domain object. This operation is expected to be infrequent; it occurs only when the DnsDomainName of the domain has changed, the DnsForestName is known, and DnsForestName has not also been renamed (for example, _ldap._tcp.4f904480-7c78-11cf-b057-00aa006b4f8f.domains._msdcs.reskit.com.). All domain controllers register this SRV record.

_kerberos._tcp.DnsDomainName.
Allows a client to locate a server that is running the Kerberos KDC service for the domain that is named in DnsDomainName. The server is not necessarily a domain controller. All Windows 2000 Server–based domain controllers that are running an RFC 1510–compliant Kerberos KDC service register this SRV record.

_kerberos._udp.DnsDomainName.
Same as _kerberos._tcp.DnsDomainName, except that UDP is implied.

_kerberos._tcp.SiteName._sites.DnsDomainName.
Allows a client to locate a server that is running the Kerberos KDC service for the domain that is named in DnsDomainName and is also in the site named in SiteName. The server is not necessarily a domain controller. All Windows 2000 Server–based domain controllers that are running an RFC 1510–compliant Kerberos KDC service register this SRV record.

_kerberos._tcp.dc._msdcs.DnsDomainName.
Allows a client to locate a domain controller that is running the Windows 2000 implementation of the Kerberos KDC service for the domain named in DnsDomainName. All Windows 2000 Server–based domain controllers that are running the KDC service (that is, that implement a public key extension to the Kerberos v5 protocol Authentication Service Exchange subprotocol) register this SRV record.

_kerberos._tcp.SiteName._sites.dc._msdcs.DnsDomainName.
Allows a client to locate a domain controller that is running the Windows 2000 implementation of the Kerberos KDC service for the domain that is named in DnsDomainName and that is also in the site named in SiteName. All Windows 2000 Server–based domain controllers that are running the KDC service (that is, that implement a public key extension to the Kerberos protocol Authentication Service Exchange subprotocol) register this SRV record.

_kpasswd._tcp.DnsDomainName.
Allows a client to locate a Kerberos Password Change server for the domain. All servers that provide the Kerberos Password Change service (which includes all Windows 2000–based domain controllers) register this name. This server at least conforms to “Kerberos Change Password Protocol.” (For more information about this draft, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Use a keyword search to locate the draft.) The server is not necessarily a domain controller. All Windows 2000 Server–based domain controllers that are running an RFC 1510–compliant Kerberos KDC service register this SRV record.

_kpasswd._udp.DnsDomainName.
Same as _kpasswd._tcp.DnsDomainName, except that UDP is implied.

If multiple domain controllers have the same criteria, multiple records exist with the same owner name. A client that is looking for a domain controller with specific criteria would receive all the applicable records from the DNS server. The client would pick one of the returned records to select a domain controller, as described in “A DNS RR for specifying the location of services (DNS SRV).” For more information about this draft, see the Internet Engineering Task Force (IETF) link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Follow the links to Internet Drafts, and then use a keyword search.

For information about the Kerberos v5 authentication protocol and Kerberos subprotocol extensions, see “Authentication” in this book.

Host Records for Non-SRV-Aware Clients
Net Logon registers the following DNS A records for the use of LDAP clients that do not support DNS SRV records (that is, that are “non-SRV-aware”). The Locator does not use these records.

The following owner names of A (host) records are registered by Net Logon:

DnsDomainName.
Allows a non-SRV-aware client to locate any domain controller in the domain by looking up an A record. A name in this form is returned to the LDAP client through an LDAP referral. (For more information about LDAP referrals, see “LDAP Referrals” later in this chapter.) A non-SRV-aware client looks up the name; an SRV-aware client looks up the appropriate SRV resource record.

gc._msdcs.DnsForestName.
Allows a non-SRV-aware client to locate any Global Catalog server in the forest by looking up an A record. A name in this form is returned to the LDAP client through an LDAP referral. A non-SRV-aware client looks up this name; an SRV-aware client looks up the appropriate SRV resource record.

Netlogon also registers a DNS CNAME (alias) record for use by Active Directory replication. The Locator does not use this record.

The owner name of the CNAME record is:
DsaGuid._msdcs.DnsForestName.
Allows a client to locate any domain controller in the forest by looking up an A record. The only information that is known about the domain controller is the GUID of the directory system agent (also known as the “DSA”) object for the domain controller and the name of the forest in which the domain controller is located. This record is used to facilitate renaming a domain controller.

Other SRV Record Content

The following information is also included in an SRV record:

Priority
The priority of the server. Clients attempt to contact the server with the lowest priority.

Weight
A load-balancing mechanism that is used when selecting a target host from those that have the same priority. Clients randomly choose SRV records that specify target hosts to be contacted, with probability proportional to the weight.

Port Number
The port where the server is listening for this service.

Target
The fully qualified domain name of the host computer.

The following example illustrates the combined information that is contained in A resource records and SRV resource records. A domain controller named Phoenix in the domain reskit.com has an IP address of 157.55.81.157. It registers the following A records and SRV records with DNS:
phoenix.reskit.com   A   157.55.81.157
_ldap._tcp.reskit.com    SRV  0 0 389 phoenix.reskit.com
_kerberos._tcp.reskit.com   SRV  0 0 88 phoenix.reskit.com
_ldap._tcp.dc._msdcs.reskit.com  SRV  0 0 389 phoenix.reskit.com
_kerberos._tcp.dc._msdcs.reskit.com  SRV  0 0 88 phoenix.reskit.com.

When the appropriate SRV records and A records are in place, a DNS lookup of _ldap._tcp.dc._msdcs.reskit.com returns the names and addresses of all domain controllers in the domain.
For more information about A records, SRV records, DNS, and dynamic updates, see “Introduction to DNS” and “Windows 2000 DNS” in the TCP/IP Core Networking Guide.

If the DCs are in a properly configured Site, then to change the priority and weights you must change the registry entries under the Netlogon key. Once they are changed, Netlogon registers that information into DNS.
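One way to do the verification step from the registry-change section, added here as an example (not code from the TechNet article or the original post): build the set of owner names Net Logon should have registered for a DC with given roles, from the list quoted above, and compare it with what DNS actually holds, so a missing record or a stale one (for example a gc record left behind after a role change) stands out. The DC names, site and zone dump are constructed; the reskit.com names and domain GUID are the ones used in the quoted examples.

```python
"""Expected SRV owner names for a DC versus what is found in DNS (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DcRole:
    dns_domain: str    # DnsDomainName
    dns_forest: str    # DnsForestName
    site: str          # SiteName (RDN of the site object)
    domain_guid: str   # DomainGuid of the domain object
    is_gc: bool = False
    is_pdc: bool = False


def expected_srv_owner_names(dc: DcRole) -> set:
    """Owner names Net Logon registers for this DC, per the list quoted above."""
    d, f, s = dc.dns_domain, dc.dns_forest, dc.site
    names = {
        f"_ldap._tcp.{d}",
        f"_ldap._tcp.{s}._sites.{d}",
        f"_ldap._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.{s}._sites.dc._msdcs.{d}",
        f"_ldap._tcp.{dc.domain_guid}.domains._msdcs.{f}",
        f"_kerberos._tcp.{d}",
        f"_kerberos._udp.{d}",
        f"_kerberos._tcp.{s}._sites.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}",
        f"_kerberos._tcp.{s}._sites.dc._msdcs.{d}",
        f"_kpasswd._tcp.{d}",
        f"_kpasswd._udp.{d}",
    }
    if dc.is_pdc:  # only the PDC emulator registers this one
        names.add(f"_ldap._tcp.pdc._msdcs.{d}")
    if dc.is_gc:   # only Global Catalog servers register these, scoped to the forest
        names |= {
            f"_ldap._tcp.gc._msdcs.{f}",
            f"_ldap._tcp.{s}._sites.gc._msdcs.{f}",
            f"_gc._tcp.{f}",
            f"_gc._tcp.{s}._sites.{f}",
        }
    return names


def observed_owner_names(dump: str, target: str) -> set:
    """Owner names under which `target` appears as the SRV target, from a dump
    of 'owner target' pairs (one per line, as collected from the DNS console)."""
    pairs = (line.split() for line in dump.strip().splitlines())
    return {owner for owner, tgt in pairs if tgt.rstrip(".") == target}


def check_registration(dc: DcRole, target: str, dump: str):
    """Return (missing, unexpected) owner names for this DC, both sorted."""
    expected = expected_srv_owner_names(dc)
    observed = observed_owner_names(dump, target)
    return sorted(expected - observed), sorted(observed - expected)


# Constructed scenario: phoenix is a plain DC (not GC, not PDC) in site charlotte.
# The dump lacks its _kpasswd._udp record and still carries a gc record it should
# no longer have; tucson is a second DC whose records must be ignored.
PHOENIX = DcRole("reskit.com", "reskit.com", "charlotte",
                 "4f904480-7c78-11cf-b057-00aa006b4f8f")
ZONE_DUMP = """
_ldap._tcp.reskit.com phoenix.reskit.com
_ldap._tcp.charlotte._sites.reskit.com phoenix.reskit.com
_ldap._tcp.dc._msdcs.reskit.com phoenix.reskit.com
_ldap._tcp.charlotte._sites.dc._msdcs.reskit.com phoenix.reskit.com
_ldap._tcp.4f904480-7c78-11cf-b057-00aa006b4f8f.domains._msdcs.reskit.com phoenix.reskit.com
_kerberos._tcp.reskit.com phoenix.reskit.com
_kerberos._udp.reskit.com phoenix.reskit.com
_kerberos._tcp.charlotte._sites.reskit.com phoenix.reskit.com
_kerberos._tcp.dc._msdcs.reskit.com phoenix.reskit.com
_kerberos._tcp.charlotte._sites.dc._msdcs.reskit.com phoenix.reskit.com
_kpasswd._tcp.reskit.com phoenix.reskit.com
_ldap._tcp.gc._msdcs.reskit.com phoenix.reskit.com
_ldap._tcp.reskit.com tucson.reskit.com
_ldap._tcp.gc._msdcs.reskit.com tucson.reskit.com
"""

if __name__ == "__main__":
    missing, unexpected = check_registration(PHOENIX, "phoenix.reskit.com", ZONE_DUMP)
    print("missing:", missing)
    print("unexpected:", unexpected)
```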


Windows Vista/2008 and Windows 7/2008 R2 Updated Features with DC Locator Improvements

Windows Vista and newer allow automatic rediscovery if the original logon server is no longer available:

If a Windows 2000 or XP client is already authenticated by a DC, then in order for it to use another DC it would have to log off and log on again, or reboot, to re-authenticate with the other DC. This has been augmented with Windows Vista and 2008 with a GPO setting and other options, such as forcing DC rediscovery by running:

nltest /dsgetdc:<FQDN Domain Name> /force

How does Windows Server 2008 resolve Domain Controller Load Balancing problems
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/HowdoesWindowsServer2008resolvesDomainControllerLoadBalancingproblems.html

Windows 2008 R2 DC Locator improvements:

Enabling Clients to Locate the Next Closest Domain Controller, Updated: December 29, 2009 – Applies To: Windows Server 2008, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/cc733142%28WS.10%29.aspx

Enable Site Costed Referrals on [Windows 2008 & 2008 R2] Domain Controllers
by Qasim Zaidi – Published on 4/29/2010
“SiteCostedReferrals is enabled by default in 2008 DCs.”
http://gallery.technet.microsoft.com/scriptcenter/a4605fb3-2a19-4f5d-a0fe-38336f15ba1a


The following was quoted from the article “How does Windows Server 2008 resolve Domain Controller Load Balancing problems” linked above:
“The DC Locator Service has been re-designed in Windows Server 2008 to include a new mechanism. When a client computer finds a preferred domain controller, it sticks to this domain controller unless that domain controller stops responding or the client computer is restarted. This is generally called Domain Controller Stickiness. If you take this domain controller offline for maintenance purpose or it goes down, the clients that were connected to it will look for another domain controller to shift their connections to new domain controller. But when the domain controller comes online again, these connections are not shifted back because client computers do not refresh themselves to check to see if domain controller is back again. This can cause load-balancing issues because client computers remain connected to same domain controller.

Windows Server 2008 includes a new Group Policy setting for client computers. If a domain controller goes down and whenever the DC Locator Service invokes itself to execute the DcGetDCName API call, it retrieves a domain controller name from its cache. It checks to see if this cached entry is expired. If it is expired, it discards this domain controller and tries to search a new domain controller for the client.”


The domain controller locator cannot find an appropriate domain controller on a computer that is running Windows XP or Windows Server 2003

(This is based on a reg entry that …) The KB article states:
“After you install the hotfix, the DNS locator client in Windows XP and in Windows Server 2003 updates its domain controller cache after a default interval.

The DNS locator client tries to rediscover a suitable domain controller. The life cycle of a cached entry is controlled by the value of the ForceRediscoveryInterval registry entry.”

Workaround:
Method 1
Some client computers periodically retrieve the domain controller name by using the DS_FORCE_REDISCOVERY flag to call the DsGetDcName function. Determine which client computers do this. Then, deploy a script to these client computers.

Method 2
Update the cache on each client. To do this, run the following command at a command prompt:
nltest /dsgetdc:DomainName /force

The domain controller locator cannot find an appropriate domain controller on a computer that is running Windows XP or Windows Server 2003
http://support.microsoft.com/kb/939252 


Sharepoint’s People Picker and DC/GC Access

This has been brought up time to time, and I thought I would provide my notes on this.

Sharepoint People Picker and choosing a Global Catalog:
http://marc-antho-etc.net/blog/post/SharePoint-People-Picker-and-Active-Directory-Part-1.aspx

SharePoint People Picker and Active Directory
http://sharepoint-talk.blogspot.com/2011/09/sharepoint-people-picker-and-active.html

Sharepoint using People Picker in a Resource Forest Model
Forcing the picker to use a specific GC:
“However we can point SharePoint explicitly to a particular GC that is located in the site locally where the SharePoint box is located. This can be done through the following commandline:
Stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:GCSERVER.DOMAIN.INTRANET" -url http://URLofWebApplication

This would ensure that we don’t keep bouncing between different DCs/GCs for individual lookups of different forests but go directly to the only GC which responds back with list of users.”
http://www.networksteve.com/enterprise/topic.php/Sharepoint_using_People_Picker_in_a_Resource_Forest_Model/?TopicId=4512&Posts=4

I hope you’ve found this blog useful. If you have any comments or corrections, please let me know.

Related Links and Resources

DC Locator Process in W2K, W2K3(R2) and W2K8 – PART 1, Part 2, Part 3, and Which DCs are used when promoting a server to a DC?
http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=1
http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=2
http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=3

Local Logon Process for Windows 2000
http://support.microsoft.com/?kbid=231789

Logon and Authentication Technologies
http://technet.microsoft.com/en-us/library/cc780455.aspx

Active Directory SRV Records
http://www.petri.co.il/active_directory_srv_records.htm

How to reconfigure an _msdcs subdomain to a forest-wide DNS application directory partition when you upgrade from Windows 2000 to Windows Server 2003
http://support.microsoft.com/?id=817470

How to optimize the location of a domain controller or global catalog that resides outside of a client’s site
http://support.microsoft.com/default.aspx?kbid=306602

Change the weight for DNS SRV records in the registry
http://technet.microsoft.com/en-us/library/cc778225(WS.10).aspx

Change the priority for DNS SRV records in the registry
http://technet.microsoft.com/en-us/library/cc781155(WS.10).aspx

Authentication Topology – Configure DNS SRV records to speed authentication (you may have to register to read the whole article):
http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=37935&pg=4

More info on how it actually works:
http://technet2.microsoft.com/WindowsServer/en/library/9d62e91d-75c3-4a77-ae93-a8804e9ff2a11033.mspx?mfr=true

How Interactive Logon Works
http://technet.microsoft.com/en-us/library/cc780332.aspx

How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/kb/314861

Logon Process for Active Directory Domain User Account With a Windows NT 4.0 Computer Account (non-DNS, non-Kerberos)
http://support.microsoft.com/kb/319494

Directory Service Functions
http://msdn.microsoft.com/en-us/library/ms675900(VS.85).aspx

AD Cookbook by Robie Allen and Laura E. Hunter
http://books.google.com/books?id=AUx3jzI4DI8C&pg=PA106&lpg=PA106&dq=netlogon+srv+weight&source=bl&ots=ibZbfuSOoB&sig=k1ZVAX3ePERu9i9DXnSxjft8v9Y&hl=en&ei=r8mkScbzJNKgtwfn1ODMBA&sa=X&oi=book_result&resnum=1&ct=result#PPA105,M1

JSI Tip 4527. How can I manage which Windows 2000 domain controller a client contacts? (Windows 2000 & 2003 are the same):
http://windowsitpro.com/article/articleid/75836/jsi-tip-4527-how-can-i-manage-which-windows-2000-domain-controller-a-client-contacts.html

DC SiteCoverage
http://technet.microsoft.com/en-us/library/cc937924.aspx

Reducing the workload on the PDC emulator master (allows making Netlogon registry changes with SRV weights and priorities so the PDC Emulator doesn’t process all logon requests).
http://technet.microsoft.com/en-us/library/cc787370(WS.10).aspx

Change the Priority for DNS SRV Records in the Registry (This applies to all versions of Windows):
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapb.mspx#EMPAC

Change the Weight for DNS SRV Records in the Registry (This applies to all versions of Windows):
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapb.mspx#EWIAE

Appendix B – Active Directory General Procedures Reference (This applies to all versions of Windows):
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapb.mspx

How DNS Support for Active Directory Works
http://technet.microsoft.com/en-us/library/cc759550.aspx

Reducing the workload on the PDC emulator master
http://technet.microsoft.com/en-us/library/cc787370.aspx

Ace Fekay

How To Delete Undeletable Files and Folders

A little background on undeletable files and folders

I’ve seen these in the past with ‘pubbed’ FTP servers: software, game and movie users find open FTP servers and upload their illegal software to them, but they name the files and the folders they create with extended characters and symbols that FTP supports but Windows does not directly support (ASCII characters), create a very deep folder structure with these extended, unsupported ASCII characters, and/or use file names with these characters that are longer than 256 characters. Windows directly supports ANSI characters. Although Windows supports ASCII characters indirectly, they are not supported directly through the Windows Explorer GUI or the command line, which prevents admins from getting to the files or deleting them. In the older NT4 days you could install the POSIX support tools (to support UNIX-based commands and ASCII characters) to read and remove them, but that no longer applies with Windows 2000 and newer. Windows still provides POSIX support, just not directly. The files can be deleted by using specific commands, but you have to know the commands!

Also, if it was an FTP created folder and files, and the size shows zero bytes, yet you know it is much larger, then it’s also likely the files are using an alternate data stream which would explain why their file size appears as zero bytes.


Is the drive NTFS?

The other factor, as mentioned, is whether the file name, folder name and/or number of child folders is greater than 256 characters. Many operating system limits are based on the i386 addressable 32-bit architecture, such as the number of users that can access a share, which is 4.3 billion objects. It also depends on the drive and whether an app can read it. Many programs also expect a limit of 256 objects (characters, paths, bytes, etc.); maybe even the deltree command is limited, however NTFS-formatted drives can go beyond the 256 objects.

Therefore, not being able to delete them is caused by the factors above: special or extended ASCII characters, trailing spaces, trailing dots (periods) or reserved names in the folders, such as com, lpt, etc., as when a machine gets ‘pubbed’ into an FTP site and the ‘pubsters’ create these deep paths using reserved names to prevent the admin from deleting them. If you find that someone accidentally created such files or subfolders with these characters, it will give you headaches to remove them. With an FTP app it is easy to read and remove them, because FTP uses ASCII characters, as POSIX does, whereas Windows uses ANSI and cannot translate the folders. In this case, you can set up a local FTP service, then use an FTP app to connect to your own machine, and you will be able to read and delete the files and folders. That is only one option, and one that many administrators are reluctant to use.

 

Removing folder examples:

Assuming the offending folder is named with the numeral “1” on the D: drive (use the quotes if you have problems, and watch the required periods where a command uses them):

Using the POSIX subsystem tools, where they are installed:

rm -r “//D/1”

Using the Win32 device namespace prefix (\\.\) or the literal-path prefix (\\?\), either of which makes the command hand the path to NTFS without the normal Win32 path processing:

RmDir \\.\D:\1 /s /q

RmDir \\.\C:\YourFTP_ROOT’s_PATH\COM1 /s /q

C:\>cd inetpub\ftproot
C:\Inetpub\ftproot>rd /s /q \\?\c:\inetpub\ftproot
NOTE – The syntax is literal; do not substitute or remove the question mark (?), change only the path. Note also that this last example removes the whole FTP root, legitimate content included; in practice point it at the offending subfolder, and try the command on a disposable test folder first, because rd /s /q does not ask for confirmation.

Removing files examples

Note: In the following examples, if the filename contains symbolic, extended or other characters, type what you can and wildcard the rest, use tab completion, or use a full wildcard. The reserved device names are reserved regardless of extension, so aux.txt or com1.log is just as undeletable through the normal path as aux or com1 and needs the same prefix. The trailing period in the first example is deliberate: it is the trailing-dot case.

DEL \\.\c:\somedir\filename.

DEL \\.\c:\somedir\lpt

DEL \\.\c:\somedir\aux

DEL \\.\c:\somedir\com

etc
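Putting the above together, here is an added PowerShell example (not from the original article). It first classifies a path against the Win32 naming rules that Explorer and cmd.exe enforce (reserved device names, trailing spaces or periods, illegal characters and the 260-character MAX_PATH), then removes the entry by handing cmd.exe a \\?\ path, which tells the Win32 path parser to pass the string to NTFS unmodified. The sample paths are constructed; the removal function assumes a local NTFS volume, an absolute path and an available cmd.exe, and it honours -WhatIf so you can see what it would delete first.

```powershell
# Added example, not from the original article. Assumes Windows with cmd.exe and a
# local NTFS volume; the sample paths below are constructed for illustration.

# Names the Win32 layer treats as devices, with or without an extension (AUX == aux.txt).
$Win32ReservedNames = @('CON', 'PRN', 'AUX', 'NUL') +
    (1..9 | ForEach-Object { "COM$_"; "LPT$_" })

function Get-Win32NameProblems {
    <# Returns the reasons Explorer/cmd.exe would refuse to handle $Path (nothing = fine). #>
    param([Parameter(Mandatory)][string]$Path)

    $problems = @()
    if ($Path.Length -ge 260) { $problems += "path is $($Path.Length) chars, MAX_PATH is 260" }

    # Drop a \\?\ prefix and the drive letter so only the path components are examined.
    $components = ($Path -replace '^\\\\\?\\', '' -replace '^[A-Za-z]:', '') -split '[\\/]' |
        Where-Object { $_ -ne '' }

    foreach ($part in $components) {
        $base = ($part -split '\.', 2)[0].TrimEnd()            # "COM1.txt " -> "COM1"
        if ($Win32ReservedNames -contains $base.ToUpperInvariant()) {
            $problems += "reserved device name in '$part'"
        }
        if ($part -match '[ .]$')              { $problems += "trailing space or period in '$part'" }
        if ($part -match '[\x00-\x1f<>:"|?*]') { $problems += "character illegal in Win32 names in '$part'" }
    }
    return $problems
}

function Remove-Win32UnsafePath {
    <# Deletes a file or a folder tree that Explorer/cmd.exe cannot, via the \\?\ prefix. #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,   # absolute, e.g. C:\inetpub\ftproot\aux
        [switch]$Directory                     # use rd /s /q instead of del /f /q
    )
    if ($Path -notmatch '^[A-Za-z]:\\') { throw "Give an absolute path with a drive letter: $Path" }

    # \\?\ turns off Win32 normalisation: no trimming of trailing dots/spaces, no device-name
    # mapping, no 260-char limit. Forward slashes are not translated, so use backslashes only.
    $literal = '\\?\' + $Path
    $action  = if ($Directory) { 'rd /s /q' } else { 'del /f /q' }
    if (-not $PSCmdlet.ShouldProcess($literal, $action)) { return }

    if ($Directory) { & cmd.exe /c rd /s /q "$literal" }
    else            { & cmd.exe /c del /f /q "$literal" }

    # del reports success even when it fails, so verify instead of trusting the exit code.
    & cmd.exe /c dir /b "$literal" *> $null
    if ($LASTEXITCODE -eq 0) { throw "Still present after delete attempt: $literal" }
}

# Constructed sample paths of the kinds a 'pubbed' FTP root ends up with:
$samples = @(
    'C:\inetpub\ftproot\aux',                       # reserved device name
    'C:\inetpub\ftproot\COM1.txt',                  # still reserved: the extension is ignored
    'C:\inetpub\ftproot\movies. ',                  # trailing period and space
    'C:\inetpub\ftproot\' + ('x' * 120) + '\' + ('y' * 120) + '\' + ('z' * 30) + '.avi'
)
foreach ($s in $samples) { "$s -> $((Get-Win32NameProblems -Path $s) -join '; ')" }

# Dry run first, then the real thing:
# Remove-Win32UnsafePath -Path 'C:\inetpub\ftproot\aux' -WhatIf
# Remove-Win32UnsafePath -Path 'C:\inetpub\ftproot\aux'
# Remove-Win32UnsafePath -Path 'C:\inetpub\ftproot\movies. ' -Directory
```

The classifier runs anywhere and is useful on its own for scanning a tree listing (for example the output of dir /s /b, which does print these names) before deciding what to remove. The removal deliberately shells out to cmd.exe rather than using Remove-Item, because the Windows PowerShell file system provider does not accept the \\?\ prefix reliably, whereas rd and del with that prefix are the documented route.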

Read the following references for more information and instructions.

How to Remove Files with Reserved Names in Windows:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q120716

You cannot delete a file or a folder on an NTFS file system volume:
http://support.microsoft.com/kb/320081

Cannot Delete Files or Folders with Extended Characters:
http://support.microsoft.com/kb/131702

Here’s how to create a locked folder with FTP:
http://www.madchat.org/coding/w32nt.rev/dirnt.htm
 

Ace Fekay

DNS Recursive Queries vs Iterative Queries

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Published Nov 12, 2009 at 6:55 PM EST
Edits:
10/6/2010 12:31 AM EST – Added section “Non Sequitur: Windows Cache Poisoning Settings and Recursion Settings.” This was in response to a discussion associating recursion with cache poisoning that I wanted to clear up.

 

The Distinction Between Recursive and Iterative Queries Depends on Context, Such as Which Machine Is Asking the Query.

The reason I mention this is that a recursive query means the requesting machine, whether a client or even a DC, sends the query to a DNS server and expects a final answer. The DNS server resolves it either from a zone it hosts locally (in its Forward Lookup Zones or Reverse Lookup Zones), or by going elsewhere on the requester’s behalf through a Stub zone, the Root Hints, a general Forwarder or a Conditional Forwarder.

Therefore, in summary, recursive queries are generally made by a DNS client to a DNS server, or by a DNS server that passes queries for zones it does not host to another DNS server, whether through a Stub zone, a Conditional Forwarder or a general Forwarder.

An iterative query is a request that tells the DNS server the client expects the best answer the server can give immediately, without contacting other DNS servers, whether or not it hosts the zone. The process then relies on the client to continue, usually by following a referral: the DNS server supplies the NS records (and their A records) of servers closer to the queried name, and the client asks those next. We don’t see this in the normal sense of the word ‘query’, as a client sends it to a DNS server. For the most part, the DNS Client service on Windows is a ‘stub resolver’ that relies on a recursion-enabled DNS server to resolve what it does not know. You can of course write resolver scripts that perform iterative queries.

With a recursive request from a client, which as I mentioned above is what we normally think of when we say ‘query’, the DNS server does its best to resolve it: from Stub zones, from a Conditional or general Forwarder, or through the Root Hints. Using the Root Hints is essentially a series of iterative queries made by the server itself, starting at the root servers and walking the namespace down from the TLD (such as “com”) to the second level name and so on. Sending the query to a Forwarder is different: the server sends the Forwarder a recursive query and waits for a final answer, so it is acting as a recursive client rather than iterating itself, even though it may repeat the request if the Forwarder does not answer.

You can make nslookup send an iterative query with the “norecurse” option (set norecurse), which clears the RD (recursion desired) bit in the query. In that situation the DNS server gives its best response from its cache or the zones it is authoritative for, without looking anywhere else.

 

To go further…

The following quote is a non-Microsoft definition, but it still applies, no matter what DNS server service is used. The quote was taken from:
http://www.linuxjournal.com/article/4198

“Since the DNS server called ns.someisp.com isn’t authoritative for a zone called wiremonkeys.org and hasn’t recently communicated with any host that is authoritative for it, it begins a query of its own on the user’s behalf. The process of asking one or more queries in order to answer (resolve) other queries is called recursion.”

Does that make sense so far? 

So to further take it another step or to look at it in a different light…

Keep in mind, recursion is not necessarily resolution. The process of following a chain of delegations from one set of content DNS servers to another, starting at the root servers, is termed “resolution”, as exemplified in section 6.3 of RFC 1034. It is not termed “recursion”. “Recursion” is something else: the act of a server sending back-end queries (of _whatever_ sort) to another server on behalf of the client that asked it. Both query resolution, where the back-end queries go to content (authoritative) DNS servers, and forwarding, where the back-end queries go to proxy (recursive) DNS servers, are forms of recursion.

Therefore…

  • Resolution can often be provided straight from the server’s own authoritative zones, with no recursion involved.
  • A query can be answered from the server’s cache, again with no recursion involved (it already holds the answer).
  • By forwarding, with the forwardee doing the resolution: recursion is involved, because the server sends a back-end query.
  • When the server forwards, it sends the Forwarder a recursive query on the client’s behalf; it is proxying the request, acting as a recursive client itself, and the Forwarder does the iterative work.
  • Or the DNS server can perform the resolution itself, where recursion is again involved. An example is when Forwarding is not enabled and the server uses the Root Hints, sending iterative queries to the root servers, then the TLD servers, and so on down the name hierarchy from the TLD.
  • And more…
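To make the distinction concrete, here is an added PowerShell example (not from the original post). It builds a real DNS query message (RFC 1035 header plus question) and shows that the only difference between the recursive and the iterative form is the RD bit in the flags word, which is exactly what nslookup’s set norecurse clears. It then walks a constructed, in-memory delegation tree from a pretend root server down to an authoritative server, to separate “resolution” (following referrals) from “recursion” (a server asking on someone else’s behalf). The server names, zone data and address are made up, and nothing is sent on the network.

```powershell
# Added example, not from the original post. Runs offline; the name servers, zones
# and address below are constructed for illustration.

$FLAG_QR = 0x8000   # QR: message is a response
$FLAG_RD = 0x0100   # RD: recursion desired, set by the asker
$FLAG_RA = 0x0080   # RA: recursion available, set by the server

function Add-UInt16 {
    param([System.Collections.Generic.List[byte]]$List, [int]$Value)
    $List.Add([byte](($Value -shr 8) -band 0xFF))   # DNS is big-endian on the wire
    $List.Add([byte]($Value -band 0xFF))
}

function New-DnsQuery {
    <# Wire-format DNS query (RFC 1035 4.1). -Iterative clears RD, which is all that
       nslookup's "set norecurse" does; every other byte of the message is identical. #>
    param([Parameter(Mandatory)][string]$Name, [int]$Type = 1, [switch]$Iterative, [int]$TxId = 0x1234)
    $flags = if ($Iterative) { 0 } else { $FLAG_RD }
    $msg = New-Object 'System.Collections.Generic.List[byte]'
    foreach ($field in @($TxId, $flags, 1, 0, 0, 0)) { Add-UInt16 $msg $field }  # ID FLAGS QD AN NS AR
    foreach ($label in $Name.TrimEnd('.').Split('.')) {                           # QNAME
        $msg.Add([byte]($label.Length))
        $msg.AddRange([System.Text.Encoding]::ASCII.GetBytes($label))
    }
    $msg.Add([byte]0)                                                             # root label
    Add-UInt16 $msg $Type; Add-UInt16 $msg 1                                      # QTYPE, QCLASS=IN
    return $msg.ToArray()
}

function Read-DnsFlags {
    <# Decode the header bits a resolver looks at. #>
    param([Parameter(Mandatory)][byte[]]$Message)
    $flags = ([int]$Message[2] -shl 8) -bor [int]$Message[3]
    [pscustomobject]@{
        IsResponse         = [bool]($flags -band $FLAG_QR)
        RecursionDesired   = [bool]($flags -band $FLAG_RD)
        RecursionAvailable = [bool]($flags -band $FLAG_RA)
        RCode              = $flags -band 0x000F
    }
}

# Constructed delegation tree: each server is authoritative for one zone and either
# answers from it or refers the asker to the server for the next zone down.
$Servers = @{
    'root'                = @{ Delegations = @{ 'com.' = 'a.gtld-servers.test' };        Answers = @{} }
    'a.gtld-servers.test' = @{ Delegations = @{ 'example.com.' = 'ns1.example.test' };   Answers = @{} }
    'ns1.example.test'    = @{ Delegations = @{}; Answers = @{ 'www.example.com.' = '192.0.2.10' } }
}

function Invoke-IterativeQuery {
    <# What a content server does with an RD=0 query: answer from its zone or hand back a
       referral to the next zone down. It never asks anyone else. #>
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$QName)
    $s = $Servers[$Server]
    if ($s.Answers.ContainsKey($QName)) { return @{ Kind = 'answer'; Data = $s.Answers[$QName] } }
    $zone = @($s.Delegations.Keys) | Where-Object { $QName -eq $_ -or $QName.EndsWith(".$_") } |
            Sort-Object -Property Length -Descending | Select-Object -First 1
    if ($zone) { return @{ Kind = 'referral'; Data = $s.Delegations[$zone] } }
    return @{ Kind = 'nxdomain'; Data = $null }
}

function Resolve-ByReferral {
    <# "Resolution": follow the delegation chain from the root. Each hop is an iterative
       query; asking them on behalf of a client is what makes this server recursive. #>
    param([Parameter(Mandatory)][string]$QName)
    $server = 'root'; $path = @('root')
    for ($hop = 0; $hop -lt 10; $hop++) {                 # bound the walk against delegation loops
        $r = Invoke-IterativeQuery -Server $server -QName $QName
        if ($r.Kind -eq 'answer')    { return [pscustomobject]@{ Address = $r.Data; Path = $path } }
        if ($r.Kind -ne 'referral')  { return [pscustomobject]@{ Address = $null;   Path = $path } }
        $server = $r.Data; $path += $server
    }
    throw "delegation loop while resolving $QName"
}

$recursive = New-DnsQuery -Name 'www.example.com'
$iterative = New-DnsQuery -Name 'www.example.com' -Iterative
'{0,-10} RD={1}' -f 'recursive', (Read-DnsFlags $recursive).RecursionDesired
'{0,-10} RD={1}' -f 'iterative', (Read-DnsFlags $iterative).RecursionDesired
'flags high byte differs: {0:x2} vs {1:x2}' -f $recursive[2], $iterative[2]

$r = Resolve-ByReferral -QName 'www.example.com.'
'{0} resolved via {1}' -f $r.Address, ($r.Path -join ' -> ')
```

The walk visits the root, then the com servers, then the example.com server, which is the three-step devolution described above; a stub resolver never sees any of it, because it sends one RD=1 query and receives the final answer with RA set.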

 Got it?

I hope that was easy. Next week we’ll discuss helions (the nucleus of helium-3) and their mass.

 

Non Sequitur: Windows Cache Poisoning Settings and Recursion Settings

Added 10/6/2010 – This stemmed from a discussion in the Microsoft forums, where a poster was concerned about the cache poisoning settings and recursion after being told that his recursion settings were causing a scanner’s false positive.

If you have had an external security threat analysis performed and the results indicated that your DNS servers were open to DNS pollution and that the fix was to disable recursion, that is not necessarily the answer, and in many scenarios disabling recursion is not an option. For an internal server the relevant control is the “Secure cache against pollution” setting in DNS, which makes the server discard any records in a response that are outside the bailiwick of the name it asked for (the classic way of polluting a cache). To veer off topic for a moment: with Windows 2003 and newer, “Secure cache against pollution” is enabled by default; in Windows 2000 it needs to be set. I think this setting suffices for internal needs and prevents DNS pollution for the most part, without affecting DNS performance. Two caveats are worth knowing. First, the setting does not stop a forged response whose records are in bailiwick, the spoofed-answer attacks that depend on guessing the transaction ID and source port; Windows addresses those separately with source port randomization (MS08-037), so keep the servers patched. Second, a recursive server that is reachable from the Internet is an open resolver that can be abused for reflection attacks no matter how this setting is configured, so the scanner is right about that class of server.

If “Do not use recursion for this domain” is enabled on the Forwarders tab, the DNS server will pass queries on to its forwarders but will not recursively query any other DNS servers (external servers or the Root Hints) if the forwarders cannot resolve them. This setting effectively disables the Root Hints and makes the server rely only on its Forwarders.

If “Disable recursion” under the Advanced tab is checked (this setting also disables forwarders completely), the server will attempt to resolve a query from its own zones and cache only. It will not query any other servers. This is normally set on content-only name servers, such as at web hosting companies that host numerous zones for their customers but don’t want anyone else using their servers to resolve outside names.

If this is an internal DNS server that is not exposed to the Internet, “Secure cache against pollution” is set, and it is not offering public name service for any public records, I think you will be fine leaving the default settings alone. If the server is Internet facing and exists only to answer for your public zones, disable recursion on it.
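As an added example (not part of the original post), the following PowerShell reports the three settings discussed above on a Windows DNS server and flags the combination that actually matters: recursion enabled on a server that is reachable from the Internet. It assumes the DnsServer module that ships with Windows Server 2012 and later (Get-DnsServerRecursion and Get-DnsServerForwarder expose “Disable recursion”, “Secure cache against pollution” and “Do not use recursion for this domain” as Enable, SecureResponse and UseRootHint). Whether the server is Internet facing is something only you know, so it is passed in as a switch.

```powershell
# Added example, not from the original post. Requires the DnsServer module
# (Windows Server 2012 or later); run on the DNS server or point -ComputerName at it.

function Get-DnsRecursionPosture {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$InternetFacing      # the server cannot tell; you have to say
    )
    $rec   = Get-DnsServerRecursion -ComputerName $ComputerName
    $fwd   = Get-DnsServerForwarder -ComputerName $ComputerName
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
             Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }

    $posture = [pscustomobject]@{
        Server                      = $ComputerName
        RecursionEnabled            = $rec.Enable           # GUI: Advanced tab, "Disable recursion" unchecked
        SecureCacheAgainstPollution = $rec.SecureResponse   # GUI: Advanced tab, "Secure cache against pollution"
        Forwarders                  = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
        FallBackToRootHints         = $fwd.UseRootHint      # GUI: Forwarders tab, "Do not use recursion..." unchecked
        AuthoritativeZones          = @($zones.ZoneName)
        Findings                    = @()
    }

    if ($posture.RecursionEnabled -and $InternetFacing) {
        $posture.Findings += 'Open resolver: recursion is enabled on an Internet-facing server; disable it or restrict who may query.'
    }
    if ($posture.RecursionEnabled -and -not $posture.SecureCacheAgainstPollution) {
        $posture.Findings += "Cache accepts out-of-bailiwick records; run Set-DnsServerRecursion -SecureResponse `$true."
    }
    if (-not $posture.RecursionEnabled -and $posture.Forwarders.Count -gt 0) {
        $posture.Findings += 'Forwarders are configured but "Disable recursion" is set, so they are never used.'
    }
    if ($posture.RecursionEnabled -and -not $InternetFacing -and $posture.SecureCacheAgainstPollution) {
        $posture.Findings += 'Internal recursive server with pollution protection on: the default settings are fine here.'
    }
    return $posture
}

# Get-DnsRecursionPosture | Format-List
# Get-DnsRecursionPosture -ComputerName ns1 -InternetFacing | Format-List
```

Run it against every DNS server the scanner listed; the Findings line tells you whether the report is pointing at an internal resolver (where the default settings are fine) or at a public authoritative server that genuinely needs recursion turned off.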

 

Related Links on Recursive and Iterative Queries

Recursive and Iterative Queries – With a recursive name query, the DNS client requires that the DNS server respond to the client […]:
http://technet.microsoft.com/en-us/library/cc961401.aspx

How DNS query works: Domain Name System(DNS)Jan 21, 2005 … As DNS servers process client queries using recursion or iteration, they discover and acquire a significant store of information about the …
http://technet.microsoft.com/en-us/library/cc775637(WS.10).aspx

Cool site with a scripted demo showing how it works and the differences between a recursive and an iterative query:
Recursive/Iterative Queries in DNS (Chapter 2)
http://media.pearsoncmg.com/aw/aw_kurose_network_2/applets/dns/dns.html

 

Ace Fekay

Active Directory DNS Domain Name Single Label Names

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Originally Compiled 3/2005

Active Directory DNS domain names that are single label names are slowly disappearing as more IT admins understand what they are. However, there are installations still plagued by this condition, whatever the original cause was: lack of research, lack of planning, or simply not understanding AD’s DNS requirements. This article introduces what a single label domain name is and what can be done about it.

FQDN

First, let’s discuss the FQDN. What is an FQDN?

It stands for “Fully Qualified Domain Name.” It is multi-level, or hierarchical, such as:

domain.com
domain.net
domain.local
childdomainname.domain.local
etc

What is a Single Label DNS Domain name?
The name is reminiscent of the legacy NT4 NetBIOS domain names, such as:

DOMAIN
CORP
COMPANYNAME
etc

Here is the reason this does not work with DNS, which Active Directory relies on.

DNS

DNS is a hierarchical database. Some call it a “tree”: at the top is the root, an unnamed node written as the trailing period in a name such as www.microsoft.com.; directly below it are the top level domains (TLDs) such as com, edu and net; below those are the second level names (the ‘domain’ portion); and below those are the branches, such as www, servername, or a child domain.

Basically you can look at a DNS domain name as having multiple levels separated by periods. The minimal requirement for an FQDN domain name, such as microsoft.com, is two levels. Then of course come your resource names, such as www or servername, or even child domain names under it.

Notice that with a single label name there is only one name for the domain, or one level? Don’t confuse this with the NetBIOS domain name we were familiar with in the NT4 days. AD supports a NetBIOS domain name as well, but only as a NetBIOS domain name; it is one of the two names chosen when a machine is promoted to a domain controller for a brand new domain in a brand new forest. NT4 did not rely on or use DNS for its domains. AD does rely on DNS, and therefore its domain name must follow DNS naming rules.

Unfortunately the old NT4 style names are not hierarchical, because there is only one level.

Since AD requires and relies on DNS, and DNS is a hierarchical database, a single label name does not fit into any hierarchy. DNS resolution fails with single label names. Windows 2003, Windows 2008, XP and Vista have problems resolving single label names because such a name does not follow the proper format for a DNS domain name, such as domain.com.

Also, Windows 2000 SP4 and all newer machines have problems querying single label names; Alan Wood explains why below. Because clients query DNS for AD resources (domain controller locations and other services), they may have difficulty finding those resources.

How did it happen? Most cases it’s due to lack of research on AD’s DNS requirements, or how it works, or it could have been a simple typo, yet costly typo, when originally upgrading from NT4 or promoting your new AD domain.

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (or any AD upgrade or installation):
http://support.microsoft.com/default.aspx?scid=kb;en-us;555040

 

Single Label Name Explanation

Another variation of the Single Label Name explanation that I had provided in a response to a post in the DNS and/or AD newsgroups at one time:

The issue is the single label name. Locally at HQ the machine is using NetBIOS to join, but remotely it is relying on DNS, and DNS queries do not work properly with single label names on Windows 2000 SP4 and all newer machines.
Period. Why? Good question. It’s based on the fact that DNS is hierarchical, meaning a name must have multiple levels, a minimum of two.

The TLD (top level domain) is the name directly under the root, such as com or net. The client side resolver algorithm (which, together with DNS registration, is handled by the DHCP Client service, which must be running on all machines, static address or not)
relies on that name as the basis for finding the second level name (the “domain” in domain.com). If the domain name is a single label name, the resolver thinks THAT name is the TLD.

Therefore it goes to the Internet root servers to find who owns and is authoritative for that TLD, just as when looking up microsoft.com: it queries for the COM portion, the roots return the name servers responsible for COM, and it then queries those for the servers responsible for microsoft.

If the name is a single label, the query ends there and goes no further. What is funny (sic) is that even though the single label name is hosted locally in DNS, the resolver will NOT query locally first, because it believes the name is a TLD; it goes through the normal resolution (recursion and devolution) process instead, which causes excessive query traffic to the Internet root servers.

How to fix it? Good question. Glad you’ve asked.

1. The preferred “fix” (in a one line summary) is to install a fresh new domain, properly named, and use ADMT to migrate user, group and computer accounts into the new domain from the current domain.

2. An alternative is to perform a domain rename (difficulty depends on the operating system and on which version of Exchange is installed; forests with Exchange 2007 or later do not support domain rename at all).

3. As a temporary band-aid, you can use the registry entry mentioned in the following link to force resolution and registration. Unfortunately it must be applied to every machine in the domain, including the DCs, member servers, workstations and laptops.

Information About Configuring Windows 2000 for Domains with Single-Label DNS Names:
http://support.microsoft.com/?id=300684

 

Microsoft’s Stance on Single Label Name AD DNS domain names.

The following is Microsoft’s stance on single label names, by Microsoft engineer Alan Wood.

Single label names, from Alan Wood, [MSFT], posted:

—– Original Message —–
From: “Alan Wood” [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS

Hi Roger,

We really would prefer to use FQDN over Single labeled. There are
a lot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.

Example: Single Labeled domain .domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA
Example. Host.DomainA and uses the following to connect to a share
\\host then it is not going to resolve. WHY, because the resolver is
first going to query for first for Host.Child2.child1.domainA, then it
next try HOST.Child1.domainA at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.

Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that.   NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON’T DO IT.  It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.

Microsoft is seriously asking you to NOT do this.  We will support you, but
the end results could be limiting depending on the
services you are using.

Thank you,

Alan Wood[MSFT]
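As an added example (not part of the original article or of Alan Wood’s message), the following PowerShell reproduces the suffix devolution Alan Wood describes, so you can see exactly which names the resolver tries for an unqualified host and why a grandchild domain never reaches a single-label forest root. The devolution level of 2 is the behaviour his message describes for Windows 2000/2003; it is a parameter because newer clients can be configured differently. A second function checks a proposed or existing AD DNS name for the single-label condition. The suffixes and names in the sample calls are made up.

```powershell
# Added example, not from the original article. Pure string logic; runs anywhere.

function Get-DevolvedNames {
    <# FQDNs the DNS client tries, in order, for an unqualified name given the primary
       DNS suffix. Each round drops the leftmost label of the suffix; devolution stops
       once fewer than $DevolutionLevel labels would remain, which is why a single-label
       forest root is never reached from a child or grandchild domain. #>
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PrimarySuffix,
        [int]$DevolutionLevel = 2            # the "LAST 2 names" behaviour described above
    )
    $labels = $PrimarySuffix.Trim('.').Split('.')
    $candidates = @()
    for ($i = 0; ($labels.Count - $i) -ge $DevolutionLevel; $i++) {
        $candidates += '{0}.{1}' -f $Name, ($labels[$i..($labels.Count - 1)] -join '.')
    }
    return $candidates
}

function Test-AdDnsName {
    <# Classifies an AD DNS domain name: single label (the problem this article is about)
       or a proper multi-level FQDN. #>
    param([Parameter(Mandatory)][string]$DnsName)
    $labels = @($DnsName.Trim('.').Split('.') | Where-Object { $_ -ne '' })
    [pscustomobject]@{
        DnsName     = $DnsName
        Labels      = $labels.Count
        SingleLabel = ($labels.Count -eq 1)
        Verdict     = if ($labels.Count -eq 1) {
                          'Single label: Windows resolvers treat it as a TLD and send the query to the root servers'
                      } else { 'OK: hierarchical name with at least two levels' }
    }
}

# Alan Wood's scenario: a client whose primary suffix is Child2.child1.domainA opens \\host.
# The list stops at host.child1.domainA; host.domainA is never tried.
Get-DevolvedNames -Name 'host' -PrimarySuffix 'Child2.child1.domainA'

# The same forest built on a proper FQDN: the root domain is reached on the last round.
Get-DevolvedNames -Name 'host' -PrimarySuffix 'Child2.child1.domainA.local'

Test-AdDnsName -DnsName 'CORP'
Test-AdDnsName -DnsName 'corp.example.com'
# On a domain member with the ActiveDirectory module: Test-AdDnsName -DnsName (Get-ADDomain).DNSRoot
```

Running the two Get-DevolvedNames calls side by side is the quickest way to show a colleague why “it works from HQ but not from the child domain” in a single-label forest: the resolver is not broken, it simply runs out of labels one round too early.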

 

Related Articles

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain
http://support.microsoft.com/kb/555040

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003:
http://support.microsoft.com/kb/825036

DNS and AD (Windows 2000 & 2003) FAQ:
http://support.microsoft.com/kb/291382

Naming conventions in Active Directory for computers, domains, sites, and OUs (Good article on DNS and other names)
http://support.microsoft.com/kb/909264

Ace Fekay

Configuring the Windows Time Service for Windows Server

Configuring the time service on the PDC Emulator FSMO role holder

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Original Compilation 9/12/2009
Edit: 9/23/2009    – Added additional links (indicated in the Related Links section).
Edit: 10/10/2009  – Added additional section called “Client To DC Time Sync”
Edit: 2/11/2010    – Added info about finding out which DC is the time source by using the w32tm /monitor command
Edit: 8/9/2010       – Added additional info in the troubleshooting section
Edit: 10/12/2010  – Added additional info about debugging and transferred PDC roles
Edit: 1/17/2011    – Added information about the Microsoft Mr Fix It script for a sure fire way to reset the time service (scroll down to “Microsoft Mr Fix It”)
Edit: 1/19/2011    – Added information regarding virtualizing domain controllers and the Time service. Scroll to the bottom of this blog.

 

Prelude

There is absolutely NO NEED TO TOUCH THE TIME SERVICE REGISTRY ENTRIES

I just wanted to make a statement regarding the time service registry entries. There really is NO need to modify them. The time service works by default, out of the box. The only thing that is recommended is to synchronize the PDC Emulator in the forest root domain to a reliable outside source. That’s it.

I’m stating this because, based on numerous public postings regarding corrupted time service settings, the usual culprit is an attempt to change registry entries because someone thought that is how it is done. The time service should only be configured using the w32tm utility.

If the settings are corrupted and the service is not working properly, I would suggest simply resetting the time service itself (see “To Reset the Time service” below) by running the following commands:

If you have experimented with changing time settings and unknowingly departed from the default behavior, you can set the settings back to default:

1. On the DC that you’re experiencing issues with, run the following in a command prompt:

  •  net stop w32time
  •  w32tm /unregister
  •  w32tm /register
  •  net start w32time

2. On the Server in question (whether it’s the PDC Emulator or another server), run the following in a command prompt: 

  • “net time /setsntp: ” (note the blank space before the closing quote) [This tells the machine, whether a DC or a workstation, to clear the manually configured time source from the registry and use the default settings.]
  • Restart the time service:  Net stop w32time && net start w32time

3. On the PDC Emulator run the following in a command prompt:

  • W32tm /config /manualpeerlist:time.nrc.ca /syncfromflags:manual /reliable:yes /update
  •  W32tm /resync /rediscover
  • Restart the time service: net stop w32time && net start w32time

4. On each DC that are not holding the PDC Emulator role, run the following in a command prompt:

  • w32tm /config /syncfromflags:domhier /update
  •  W32tm /resync /rediscover
  • Restart the time service: net stop w32time && net start w32time

5. This will clear any time service errors in the Event Viewer, if there were any.

The only real time you may need to configure the service beyond this is with the assistance of Microsoft Support.

That said, the following shows how the service works by default, the caveats, things to consider, troubleshooting, as well as a link to Microsoft’s MrFixIt to fix it for you!

Time Service Background

Kerberos is the authentication protocol in an Active Directory infrastructure. There are three parties to an authentication between members of an AD infrastructure: 1) the client, 2) the server, and 3) the trusted third party, the Kerberos Key Distribution Center (KDC), which runs on every domain controller. Kerberos puts a time stamp in every authenticator and rejects stale ones, so that a captured authentication sequence cannot be replayed by an attacker. The default maximum tolerated clock skew is five (5) minutes: if the clocks of the two machines authenticating (DC to DC, member server to DC or client, or client to DC) differ by more than five minutes, the authentication sequence fails. To keep every machine’s clock within that five (5) minute skew, time must be synchronized across the infrastructure.

Clients get their time from the DC that logged them on. That DC gets its time from the PDC Emulator of its domain. If that domain is a child domain, its PDC Emulator gets its time from the forest root domain, whose PDC Emulator should be configured to an external time source. This simply works out of the box; the only configuration required is pointing the PDC Emulator in the forest root domain at an external time source. No other action is truly necessary. Altering the time registry settings is inviting trouble and should only be done under the guidance of Microsoft Support.

To find the DC that logged a client on, run the following. This DC is also the client’s time server.
echo %logonserver%

In a multi-site scenario, as long as the AD Sites have been configured properly with their respective subnet objects assigned to each site, and the DCs have been moved into their respective sites, the client machine’s logon server will always be its time source.

This all assumes that none of the DCs are multihomed (a multihomed DC may register in more than one site, which causes errors besides other issues), that the AD DNS domain name is not a single label name (“domain” rather than domain.something), and that ipconfig shows only the internal DNS servers on every machine; otherwise expect other problems to occur.

Time Service Domain Hierarchy

Time Convergence

This section was quoted from:

Basic Operation of the Windows Time Service
http://support.microsoft.com/kb/224799

All client desktops select an authenticating domain controller (the domain controller returned by DSGetDCName()) as their time source. If this domain controller becomes unavailable, the client re-issues its request for a domain controller.

All member servers follow the same process.

All domain controllers in a domain make 3 queries for a DC:
1. A reliable time service (preferred) in the parent domain,
2. A reliable time service (required) in the current domain,
3. The PDC of the current domain. It will select one of these returned DCs as a time source.

The PDC Emulator FSMO role holder at the root of the forest is authoritative, and can be manually set to synchronize with an outside time source (such as the United States Naval Observatory).

Windows Time Hierarchy

The following diagram shows the time hierarchy. Quoted from:

How the Windows Time Service Works, Updated: March 12, 2010
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx

 

Time Sync

Client to DC

How to configure an authoritative time server in Windows Server 2003
http://support.microsoft.com/kb/816042

The points below were quoted from the above link:

All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
All member servers follow the same process that client desktop computers follow.
All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner. In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization

The following quote describes the time algorithm in Windows 2000; I haven’t seen any evidence that it has changed:
http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html
http://windowsitpro.com/article/articleid/8383/windows-time-synchronization-service.html

“When a client workstation (i.e., a Windows 2000 Professional—Win2K Pro—machine) boots, it contacts a domain controller for authentication. When the two computers exchange authentication packets, the client adjusts its local time based on the target (i.e., the domain controller’s) time. If the target time is ahead of local (i.e., the client’s) time by less than 2 minutes, the client immediately adjusts its time to match the target time. If the target time is behind the local time by less than 2 minutes, the client slows its clock over a period of 20 minutes until the two times are in synch. If the local time is off by more than 2 minutes, the client immediately sets its time to match the target time. . . . “

Because of this gradual adjustment, and because the authoritative time server for the domain (the PDC Emulator) is itself a time client of the external source, you may see a small lag between the time source’s time and the time on the server.

 

DC to DC Time Service Selection:

A DC will choose a PDC Emulator to sync time from. A child domain’s PDC Emulator will choose to sync from a DC in the parent (forest root) domain, and it can choose the parent’s PDC Emulator or any other DC in that domain.

Therefore, don’t be alarmed if you see a child domain DC syncing with a forest root DC; that’s normal. A child domain’s DCs will sync with any domain controller in the forest root domain. It’s outlined in the following article, in the diagram titled “Time Synchronization in an AD DS Hierarchy”:

How the Windows Time Service Works
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx

 

Domain Controller Time Source Queries and Score Determination

The diagram for this section (“Windows Time – Domain Controller Time Source Queries and Score Determination”) is an image. If you have problems viewing it, see the full-sized image at:
http://4ufq6a.blu.livefilestore.com/y1paVf9RvrfAXlM4dVk-bZvVivi0OBbK75AcXfvnEGz0RybJIkbGbRJ8NgoHGdThaEuIz3l2Z8ZBXw1KP7IuRENQR2iQvKhyCcC/Windows%20Time%20-%20Domain%20Controller%20Time%20Source%20Queries%20and%20Score%20Determination.jpg?psid=1

 

 

To set the Time Service in an Active Directory Infrastructure

Windows 2000

On the Windows 2000 PDC Emulator, run the following four commands:

C:\>net time /setsntp:Time.nrc.ca
The command completed successfully.

C:\>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

C:\>w32tm -once
(W32time performs numerous commands to set the time)

C:\>net start w32time
The Windows Time service is starting.
The Windows Time service was started successfully.

 

Windows 2003

On the DC holding the PDC Emulator FSMO Role (example showing a US government time source):

w32tm /config /manualpeerlist:time-a.nist.gov /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time

On other DCs (that are not the PDC Emulator):
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time

 

Windows 2008

The w32tm commands shown above for Windows 2003 work unchanged on Windows 2008. The following Microsoft article documents the same configuration, including the equivalent registry values, for both versions:

How to configure an authoritative time server in Windows Server (2003 & 2008)
http://support.microsoft.com/kb/816042

 

 

The PDC master must not be configured to synchronize with itself

This important section was quoted from:

How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042

For more information about why the PDC master must not be configured to synchronize with itself, visit the following Web site to view Request For Comment (RFC) 1305:
http://www.rfc-editor.org/ (http://www.rfc-editor.org/)

If the PDC master is configured to synchronize with itself, the following events are logged in the System log:

Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 38
Computer: ComputerName
Description: The time provider NtpClient cannot reach or is currently receiving invalid time data from NTP_server_IP_Address. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 47
Computer: ComputerName
Description: Time Provider NtpClient: No valid response has been received from manually configured peer NTP_server_IP_Address after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Computer: ComputerName
Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time. For more information, see Help and Support Center at http://support.microsoft.com.

 

Transferring the PDC Emulator Role

If you have moved the Windows 2003 PDC Emulator role to another DC, or if you seized the role to another DC because the original PDC Emulator is no longer available, reset the time source and hierarchy:

On the new PDC Emulator (where ‘peers’ is an Internet time source such as time-a.nist.gov):
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

On the old PDC Emulator:
w32tm /config /syncfromflags:domhier /update

After that run the following on both DCs:
net stop w32time
net start w32time

The “peers” value is a space-delimited list of one or more time sources, given as DNS names (such as time.windows.com) or as IP addresses of reliable time sources; enclose the list in quotes if it contains more than one entry. I normally use 192.5.41.41.

On your edge firewall, make sure UDP port 123 traffic is allowed outbound from the PDC Emulator to the time source, along with the replies coming back.
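The role transfer procedure above, the Windows 2003 commands, and the reset steps in the Prelude all come down to one decision per DC: does this machine hold the PDC Emulator role in the forest root domain (sync from an external source and advertise as reliable) or not (sync from the domain hierarchy)? Here is an added PowerShell example, not from the original post, that makes that decision from the directory itself rather than from memory, applies the matching w32tm configuration, and then shows the source the service actually selected. It assumes the ActiveDirectory module (Get-ADDomain, Get-ADForest), Windows Server 2008 or later for w32tm /query, and that the peers you pass are reachable on UDP 123; the time source names are placeholders, and the /reliable:no on non-PDC DCs (which returns a former PDC to the default announce behaviour) goes one step beyond the commands quoted above. -WhatIf shows what would run without changing anything.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module and
# Windows Server 2008 or later (w32tm /query). Run elevated on the DC being configured.

function Set-DcTimeConfiguration {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Used only on the forest-root PDC Emulator. Placeholder names; ",0x8" = client mode.
        [string[]]$ExternalPeers = @('time.nist.gov,0x8', 'time.windows.com,0x8')
    )
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $isPdc        = $domain.PDCEmulator.Split('.')[0] -ieq $env:COMPUTERNAME
    $isForestRoot = $domain.DNSRoot -ieq $forest.RootDomain

    # Only the forest-root PDC points outside the forest and advertises itself as reliable.
    # Every other DC, including a child domain's PDC and a DC that has just given up the
    # PDC role, follows the domain hierarchy; /reliable:no stops a former PDC advertising.
    if ($isPdc -and $isForestRoot) {
        $role = 'forest-root PDC Emulator -> external peers'
        $configArgs = @('/config', "/manualpeerlist:$($ExternalPeers -join ' ')",
                        '/syncfromflags:manual', '/reliable:yes', '/update')
    } else {
        $role = if ($isPdc) { 'child-domain PDC Emulator -> forest root' } else { 'ordinary DC -> domain hierarchy' }
        $configArgs = @('/config', '/syncfromflags:domhier', '/reliable:no', '/update')
    }

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "$role : w32tm $($configArgs -join ' ')")) { return }

    & w32tm.exe @configArgs
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }
    Restart-Service -Name w32time
    & w32tm.exe /resync /rediscover | Out-Null

    # What the service actually chose: a DC on a domhier machine, one of the external
    # peers on the forest-root PDC, and never "Local CMOS Clock" on a healthy DC.
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Role       = $role
        TimeSource = (& w32tm.exe /query /source).Trim()
        Status     = (& w32tm.exe /query /status) -join "`n"
    }
}

# Preview, then apply; on the forest-root PDC supply your own peers:
# Set-DcTimeConfiguration -WhatIf
# Set-DcTimeConfiguration -ExternalPeers 'time.nrc.ca,0x8'
```

Because the role is read from Get-ADDomain at run time, the same function is correct on the new PDC Emulator and on the old one after a transfer or seizure, which removes the most common way these two machines end up misconfigured: running the external-peer command on a DC that no longer holds the role.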

FYI, you need a reliable external time source. Read the following link for a complete list of them around the Internet:

The pool.ntp.org project is a big virtual cluster of timeservers striving to provide reliable and easy to use NTP service for millions of clients without putting strain on the big popular timeservers.
http://www.pool.ntp.org

 

The Net Time Command is Weak and Inaccurate with Certain Functions

DO NOT USE the “net time” command on Windows 2003 and later. It will create confusion with the time service. This command was meant for use with stand-alone machines, is basically a DOS command, and is pretty much useless in an AD environment.

The net time command is weak. It is a foreground application and is not reliable. It does not query what the local machine’s time service is set to use with the domain hierarchy. The net time command is similar to the nslookup command, where it uses its own query methods independent of the local machine.

For example, the following was quoted from:

Overview\Windows Time Service Issues Information
http://www.greyware.com/software/DomainTime/Product/w32time.asp

“When you run NET TIME without the /domain option, the workstation will iterate through the list of time sources on the network, and contact the first one encountered. By default on an NT or 2000 network, only the PDC is a time source.

However, if Domain Time Server is installed on any machine, that machine also becomes a time source. Notice that the NET TIME client won’t use the nearest time source — it will use the first one found in the browser list. It also will not move on to the next source if the first one fails.”

Read more on the net time command and its limitations in the following link. Scroll down to the heading “Problems with NET TIME”.

Overview\Windows Time Service Issues Information
http://www.greyware.com/software/DomainTime/Product/w32time.asp

Which server is my time source?

On a non-DC, the DC that logged you on will be YOUR time source.

To confirm which server is being used as a time source, you can also run the following command:

w32tm /monitor

For example, I ran this on a non-PDC Emulator DC, dc02.domain.local, in a domain with two DCs. You can see that it grabbed time from the PDC Emulator, which in this case is dc01.domain.local. It also states that dc01.domain.local got its time from 192.5.41.41. You can see the offset between the two DCs is 0.0000651s (seconds), so no sync is required since it is under the 2 minute time sync tolerance.

c:\Documents and Settings\administrator>w32tm /monitor
dc01.domain.local *** PDC *** [192.168.80.10]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from dc01.domain.local
        RefID: ntp1.usno.navy.mil [192.5.41.41]
dc02.domain.local [192.168.80.11]:
    ICMP: 0ms delay.
    NTP: +0.0000651s offset from dc01.domain.local
        RefID: dc01.domain.local [192.168.80.10]
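To check a whole set of DCs at once, the listing above can be parsed and each offset compared with the Kerberos skew limit. The following Python is an added example, not part of the original post; its sample text is constructed to match the page's output format, with a third, deliberately skewed host added.

```python
"""Parse "w32tm /monitor" output (format as shown above) and flag hosts
whose NTP offset exceeds the Kerberos skew tolerance.  Added example; the
sample text is constructed, and the 5-minute limit is the Kerberos
default discussed on this page."""
import re
from dataclasses import dataclass
from typing import List, Optional

KERBEROS_MAX_SKEW = 5 * 60  # seconds

# Constructed sample: the two hosts from the page plus a skewed third one.
SAMPLE_MONITOR = """\
dc01.domain.local *** PDC *** [192.168.80.10]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from dc01.domain.local
        RefID: ntp1.usno.navy.mil [192.5.41.41]
dc02.domain.local [192.168.80.11]:
    ICMP: 0ms delay.
    NTP: +0.0000651s offset from dc01.domain.local
        RefID: dc01.domain.local [192.168.80.10]
dc03.domain.local [192.168.80.12]:
    ICMP: 1ms delay.
    NTP: -412.5031020s offset from dc01.domain.local
        RefID: 'LOCL' [0x4C434F4C]
"""

# A host line starts at column 0; its detail lines are indented.
HOST_RE = re.compile(r"^(?P<host>\S+)(?P<pdc>\s+\*\*\* PDC \*\*\*)?\s+\[(?P<ip>[^\]]+)\]:$")
NTP_RE = re.compile(r"^\s+NTP:\s+(?P<offset>[+-]\d+\.\d+)s offset from (?P<ref>\S+)$")
REFID_RE = re.compile(r"^\s+RefID:\s+(?P<refid>.+)$")


@dataclass
class MonitorEntry:
    host: str
    ip: str
    is_pdc: bool
    offset: Optional[float] = None      # seconds relative to the reference host
    offset_from: Optional[str] = None
    refid: Optional[str] = None


def parse_monitor(text: str) -> List[MonitorEntry]:
    """Turn the indented w32tm /monitor listing into one entry per host."""
    entries: List[MonitorEntry] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            entries.append(MonitorEntry(m["host"], m["ip"], m["pdc"] is not None))
            continue
        if not entries:
            continue                     # ignore anything before the first host
        m = NTP_RE.match(line)
        if m:
            entries[-1].offset = float(m["offset"])
            entries[-1].offset_from = m["ref"]
            continue
        m = REFID_RE.match(line)
        if m:
            entries[-1].refid = m["refid"].strip()
    return entries


def skewed_hosts(entries: List[MonitorEntry], tolerance: float = KERBEROS_MAX_SKEW) -> List[str]:
    """Hosts whose absolute offset is over the tolerance, or that reported none."""
    return [e.host for e in entries if e.offset is None or abs(e.offset) > tolerance]


def pdc_time_source(entries: List[MonitorEntry]) -> Optional[str]:
    """The RefID of the PDC, i.e. where the top of the hierarchy gets its time."""
    return next((e.refid for e in entries if e.is_pdc), None)


if __name__ == "__main__":
    found = parse_monitor(SAMPLE_MONITOR)
    print("PDC time source:", pdc_time_source(found))
    print("hosts beyond Kerberos tolerance:", skewed_hosts(found))
```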

 

 

Time Service skew: The Windows W32Time service is not as accurate or reliable as one thinks

Yes, this is true, and this statement is according to Microsoft (KB939322). The reason is that the Windows time service is not designed to sync time down to 1 or 2 seconds; such tolerances are beyond the design of the Windows time service. It was primarily designed for loose synchronization to support Active Directory’s use of the Kerberos v5 protocol for authentication, which relies on a maximum time skew of 5 minutes for its authentication ‘salt.’ The Windows Time service is sufficient for this purpose; however, if you have apps that require sensitive transactional processing with timing down to the second (possibly SEC, banking, or other reasons), it is suggested to use a third-party time service.

The Windows 2000 and 2003 time service skew and algorithm is pretty much the same.

Regarding high accuracy, the following statement of Microsoft’s position was quoted from:

Support boundary to configure the Windows Time service for high accuracy environments:
http://support.microsoft.com/kb/939322:

“We do not guarantee and we do not support the accuracy of the W32Time service between nodes on a network. The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs. The W32Time service is primarily designed to do the following:

  • Make the Kerberos version 5 authentication protocol work.
  • Provide loose sync time for client computers.
  • The W32Time service cannot reliably maintain sync time to the range of 1 to 2 seconds. Such tolerances are outside the design specification of the W32Time service.”

 

The following passage was quoted from page 9 in the following Microsoft document.

The Windows 2000 Time Service
http://download.microsoft.com/download/2/0/f/20f61625-7b2a-4531-b007-1c714f1e51b7/wintimeserv.doc

“When the local clock offset has been determined, the following algorithm is used to adjust the time:  

  • If the local clock time of the client is behind the current time received from the server, W32Time will change the local clock time immediately.
  • If the local clock time of the client is more than three minutes ahead of the time on the server, W32Time will change the local clock time immediately.
  • If the local clock time of the client is less than three minutes ahead of the time on the server, W32Time will quarter or halve the clock frequency for long enough to bring the clocks into sync. If the client is less than 15 seconds ahead, it will halve the frequency; otherwise, it will quarter the frequency. The amount of time the clock spends running at an unusual frequency depends on the size of the offset that is being corrected.”
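The correction rules in that passage, carried through as an added Python example (not Microsoft’s code): the step-or-slew decision, plus how long a halved or quartered clock takes to absorb the lead, which is this example’s own reading of “for long enough”.

```python
"""W32Time local clock correction, as described in the Windows 2000 Time
Service paper quoted above.  Added illustration, not Microsoft code.

offset = local clock time - server time, in seconds.
  * local behind the server (offset < 0)          -> step the clock immediately
  * local more than 3 min ahead (offset > 180 s)  -> step the clock immediately
  * local less than 3 min ahead                   -> slew: run the clock at half
    speed when less than 15 s ahead, otherwise at quarter speed

Slew duration is this example's assumption: a clock running at rate r
(0.5 or 0.25) sheds (1 - r) seconds of lead per real second, so a lead d
is absorbed after d / (1 - r) real seconds.
"""
from dataclasses import dataclass

STEP_AHEAD_LIMIT = 3 * 60   # "more than three minutes ahead" -> step
HALVE_LIMIT = 15            # "less than 15 seconds ahead" -> halve, else quarter


@dataclass(frozen=True)
class Correction:
    action: str        # "none", "step" or "slew"
    rate: float        # clock rate while correcting (1.0 when not slewing)
    duration: float    # real seconds spent at that rate (0 for a step)


def plan_correction(offset: float) -> Correction:
    """Return how W32Time would correct a measured offset (local - server)."""
    if offset == 0.0:
        return Correction("none", 1.0, 0.0)
    if offset < 0.0:
        # Client is behind: set the clock forward immediately.
        return Correction("step", 1.0, 0.0)
    if offset > STEP_AHEAD_LIMIT:
        # Far ahead: set the clock back immediately (time visibly goes backwards).
        return Correction("step", 1.0, 0.0)
    # Ahead by at most three minutes: slow the clock instead of stepping, so
    # local time never runs backwards.  Exactly 180 s is treated as a slew
    # here (assumption; the paper only says "more than" / "less than").
    rate = 0.5 if offset < HALVE_LIMIT else 0.25
    return Correction("slew", rate, offset / (1.0 - rate))


def simulate_slew(offset: float, rate: float, tick: float = 1.0) -> float:
    """Advance a slowed clock tick by tick until its lead is gone and return
    the real time that elapsed; a cross-check of plan_correction's formula."""
    elapsed = 0.0
    lead = offset
    while lead > 1e-9:
        elapsed += tick
        lead -= (1.0 - rate) * tick   # the slowed clock gains less than real time
    return elapsed


if __name__ == "__main__":
    for off in (-30.0, 0.0, 10.0, 60.0, 179.0, 181.0, 600.0):
        c = plan_correction(off)
        print(f"offset {off:+8.1f}s -> {c.action:4s} rate={c.rate} duration={c.duration:.1f}s")
```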

High Accuracy W32time Requirements
http://blogs.technet.com/b/askds/archive/2007/10/23/high-accuracy-w32time-requirements.aspx

“This entry specifies the largest interval, in log2 seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested to do so. The default value for domain controllers is 10. The default value for domain members is 15. The default value for stand-alone clients and servers is 15. “

Based on the article below, “If you change the MaxPollInterval and MinPollInterval local polling values for the Microsoft Windows Time service (W32time), the values are ignored. The service always polls at 17-minute intervals.”

Settings for minimizing periodic WAN traffic
http://support.microsoft.com/kb/819108

Configuring the MaxPollInterval

The passage below was quoted from:

Config\MaxPollInterval
http://technet.microsoft.com/en-us/library/cc739293(WS.10).aspx

“Specifies the longest interval (in units of 2^n seconds, where n is the value of this entry) that is allowed for system polling. While the system does not request samples less frequently than this, a provider may refuse to produce samples when requested to do so.”

“Note: The time service itself is considered unsynchronized after 1.5 times the number of seconds specified by this entry have elapsed. The Network Time Protocol specifies that the maximum clock age is 86,400 seconds, so if the value of this entry is greater than 15, then peers will eventually ignore this server.”

So if you change it from the default of 15 to 14, the longest interval changes from 32,768 seconds (546.13 hours or 22.75 days) to 16,384 seconds (273 hours or 11.37 days).
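The arithmetic behind that note, as an added Python example (not from the original post): it expands a MaxPollInterval value into the poll interval in seconds and the age after which the service counts as unsynchronized, and shows why the quoted TechNet note draws the line at 15. The function names and the 0..31 range check are this example’s own.

```python
"""MaxPollInterval arithmetic from the TechNet text quoted above.
Added illustration; the constants come from that text.

  poll interval          = 2**n seconds      (n = MaxPollInterval value)
  unsynchronized after   = 1.5 * 2**n seconds
  NTP maximum clock age  = 86,400 seconds    (peers ignore older sources)
"""
from typing import NamedTuple

NTP_MAX_CLOCK_AGE = 86_400   # seconds, per the quoted note
UNSYNC_FACTOR = 1.5          # "1.5 times the number of seconds specified"


class PollBudget(NamedTuple):
    max_poll_interval: int        # the registry value n
    interval_seconds: int         # 2**n
    unsynchronized_after: float   # 1.5 * 2**n
    ignored_by_peers: bool        # True once that age exceeds the NTP clock age


def poll_budget(n: int) -> PollBudget:
    """Expand a MaxPollInterval value into the intervals it implies."""
    if not 0 <= n <= 31:   # range check is this example's assumption
        raise ValueError("MaxPollInterval is a log2 exponent, expected 0..31")
    interval = 2 ** n
    unsync = UNSYNC_FACTOR * interval
    return PollBudget(n, interval, unsync, unsync > NTP_MAX_CLOCK_AGE)


def largest_safe_max_poll_interval() -> int:
    """Largest n whose unsynchronized age still fits inside the NTP clock age.
    Note that 2**16 alone is under 86,400 s; it is the 1.5 factor that
    pushes 16 over the limit, which is why the quoted note says 'greater than 15'."""
    return max(n for n in range(32) if not poll_budget(n).ignored_by_peers)


if __name__ == "__main__":
    for n in (10, 14, 15, 16):
        b = poll_budget(n)
        print(f"n={b.max_poll_interval:2d}: poll every {b.interval_seconds:6d}s, "
              f"unsynchronized after {b.unsynchronized_after:8.0f}s, "
              f"ignored by peers: {b.ignored_by_peers}")
    print("largest value peers will still accept:", largest_safe_max_poll_interval())
```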

 

 

Read more on this in the following links.

Overview\Windows Time Service Issues Information
http://www.greyware.com/software/DomainTime/Product/w32time.asp

Support boundary to configure the Windows Time service for high accuracy environments
http://support.microsoft.com/kb/939322

 

Additional info regarding accuracy:

“The W32Time service cannot reliably maintain sync time to the range of 1 to 2 seconds. Such tolerances are outside the design specification of the W32Time service.” But Microsoft does give references to third-party publishers of time and frequency software that can assist with those extreme high accuracy needs (NOTE: these are not Microsoft-related or endorsed, just referenced):

http://tf.nist.gov/general/softwarelist.htm (for software)
http://tf.nist.gov/timefreq/general/receiverlist.htm (for hardware)

The following is quoted from the Windows Time Service Technical Reference (http://technet.microsoft.com/en-us/library/cc773061(WS.10).aspx):
“The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs and is not supported by Microsoft as such. For more information, see Microsoft Knowledge Base article 939322, Support boundary to configure the Windows Time service for high-accuracy environments (http://go.microsoft.com/fwlink/?LinkID=179459).”

High Accuracy W32time Requirements
http://blogs.technet.com/b/askds/archive/2007/10/23/high-accuracy-w32time-requirements.aspx

 

Third Party Time Solutions

LANTIME M900 NTP Server : NTP Timeserver Platform for Customized Time and Frequency Synchronization Systems (hardware and software based solutions)
http://www.meinberg.de/english/sw/index.htm

What some folks have tried in order to reduce the skew, given that the Windows W32Time service does not have tight tolerances:

Time codes and testing the W32time service skew:
http://www.geisswerks.com/ryan/FAQS/timing.html

[ntp:questions] Re: Ntpd time offset threshold
Question: > The offset threshold is 128ms by default. I think it is such a large value.
> I want 1ms accuracy among all clients over LAN. So, do I have to set it to a
> smaller value? As for 1ms accuracy, set it to 0.5ms.
https://lists.ntp.org/pipermail/questions/2005-June/005711.html

Interesting third party forum and newsgroup thread quotes:

======
Following from:
Thread: Can time sync occur every 30 mins?
http://fixunix.com/ntp/67725-can-time-sync-occur-every-30-mins.html

> What is the maximum period value for:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\period
>
> I set it to 2880 for the time sync to occur ever 30mins (24x60x2), but
> the time only synchronises every 8 hours in event logs.
> Is it possible for it to sync more often than every 8 hours?
>
> SBS2000, NTP.
> Thanks
> Nick
>

You will have to ask Microsoft that question. It’s a Microsoft product.

There are two Windows builds of the reference implementation of ntpd;
either one should give you much better synchronization than W32TIME.
Ntpd will query its servers at intervals ranging between 64 seconds and
1024 seconds. The daemon adjusts the interval automatically to the best
value for current conditions.

See http://norloff.org/ntp/ or http://www.meinberg.de/english/sw/ntp.htm
The latter version comes with a Windows installer. I have not used
either version and so can’t tell you much about them except that either
should perform better than W32TIME!!!!

If you decide to try one of these, you should plan on configuring at
least four timeservers for best performance.

See http://ntp.isc.org/bin/view/Servers/WebHome for lists of publicly
available time servers and “rules of engagement”.

=>
Does anyone know whether Windows 2000 or Server 2003 is capable of
synchronising more often than every 8 hours, using w32time?

Thanks
Nick

===============

Typical performance is shown in the bottom 5 graphs here:
http://www.david-taylor.myby.co.uk/mrtg/daily_ntp.html

You can click on a graph to see weekly, monthly and yearly data

=>

> Does anyone know whether Windows 2000 or Server 2003 is capable of
> synchronising more often than every 8 hours, using w32time?

It is, but it is not simple to configure. Look in the list archives for
examples of configuring the windows time service for use on public NTP
networks. Included there are links to Microsoft’s detailed
documentation on the Windows Time Service.

What are your requirements? Just to keep better time? Why once every
1/2 hour?

Generally, you’ll want to use a configuration command like this:

w32tm /config /manualpeerlist:"0.us.pool.ntp.org,0x8
1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8" /syncfromflags:MANUAL
/update

That “,0x8” after each server tells Windows Time Service to choose the
best synchronization interval itself, based on the performance of your
clock and/or network connection.

Also, please note that the windows time service only makes event log
entries when a new time source is selected, plus an informational entry
once every X hours. It will not make a log entry for “small
corrections”, even if they are more frequent. This logging behavior can
also be changed with registry entries or group policies (see Microsoft
documentation).

============

 

 

Time Service Troubleshooting

Basic support issues I’ve seen usually concern having moved the PDC Emulator role in the forest root domain to another DC, possibly due to retiring an old DC or a DC failure. In this case, all you really have to do is reset the time service on the new PDC Emulator so it is authoritative for the domain/forest.

Other than that, the numerous other time service support issues I’ve seen are due to administrators changing registry settings to tweak the service; they then find that something is amiss and begin backtracking, asking what the registry entries do and what the results are if set to this setting or that setting. IMHO, I don’t believe this is necessary. Basically, the time service works out-of-the-box. The PDC Emulator in the forest root domain is the ultimate time source for the whole forest, and all other DCs, whether in the forest root, in child domains, or in additional trees in the forest, follow the hierarchy to sync time. Why does it work out-of-the-box? Because the time service is extremely important for Kerberos. If the clocks of a machine and a DC are skewed beyond the 5 minute tolerance, authentication fails, so Microsoft made sure the time service works without any changes required. All you have to do is configure the PDC Emulator in the forest root domain to an outside time source, and you are DONE. That’s it. Altering the time service registry, unless directed by Microsoft support, is not required.

To reset the Time Service to use the new PDC Emulator

By default, all DCs that are not PDC Emulators should be syncing time from the PDC Emulator. If that isn’t the case, then reset time on the DC in question using the following steps (which apply to workstations as well).

In a command prompt (I know I said not to use this command, but this is the ONLY exception: run it to reset the time service on a machine):

"net time /setsntp: "   (note the blank space before the closing quote)
This tells the client (whether a DC or workstation) to delete the current registry settings for time and use the default settings.

Then run the following:
net stop w32time && net start w32time

The client should now be part of the domain time hierarchy.

If the above procedure doesn’t reset it, one more possibility is to run the following on the non-PDC Emulator:

w32tm /config /syncfromflags:domhier /reliable:no /update   (notice the "no" switch)
net stop w32time && net start w32time

The above is explained in:

Change the Windows Time service configuration on the previous PDC emulator
http://technet.microsoft.com/en-us/library/cc738042.aspx

Or you can run Mr FixIt:

To Fix it, Run the “Microsoft Mr. Fixit” on each DC. It will recognize and download the correct “FixIt Script” to run on the PDC Emulator and non-PDC Emulators.
How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042

 

Debug Logging and more

If the DC is already pointing at the PDCe, the PDCe should be getting its time externally (although this won’t cause your problem). You can run debug logging to track down the error.

How to turn on debug logging in the Windows Time Service
http://support.microsoft.com/kb/816043/en-us

 

“Microsoft Mr. Fix It” Time Service Script

This script can be found in:

How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042

To run Mr Fix It:

Keep in mind, all DCs in a domain will get their time from their domain’s PDC Emulator. If you can’t straighten it out manually, perform the following procedure, which includes running the Mr Fix It script:

1. Run a FSMO query to find which DCs hold which FSMO roles and to determine which DC is the PDC Emulator:
netdom query fsmo

2. Run the “Microsoft Mr Fix It” script from the above link by visiting it from each DC. You must visit it from each DC, or you can download the respective Mr Fix It number, whether for a PDC or a non-PDC.

The procedure is as follows:

On the new PDC Emulator AND on the non-PDC Emulators, go to http://support.microsoft.com/kb/816042. You will notice the “Microsoft Fix It” link. When you visit the link from the DC holding the PDC Emulator FSMO Role, it will show up as “Microsoft Fix It 50394,” and on the non-PDC Emulators, it will show up as “Microsoft Fix It 50395.”

Therefore:
On the PDC, go to http://support.microsoft.com/fixit/ and download Fixit 50394 (this is for the PDC)
On the BDC, go to http://support.microsoft.com/fixit/ and download Fixit 50395 (this is for non-PDCs)

When you run it, it will show:
Server1, 0x1 Server2, 0x1
Replace this with:
Time.nrc.ca, 0x1 time.nist.gov, 0x1

 

Or based on the script process, you can simply do it manually:

On the PDC Emulator, run the following in a command prompt:
W32tm /config /manualpeerlist:time.nrc.ca /syncfromflags:manual /reliable:yes /update
W32tm /resync /rediscover

This will take the errors out of Event Viewer. Then restart the time service:
Net stop w32time && net start w32time

On the non-PDC Emulator, run the following in a command prompt:
w32tm /config /syncfromflags:domhier /update
W32tm /resync /rediscover

This will take out any errors in the Event Viewer, if there are any. Then restart the time service:
Net stop w32time && net start w32time

Registry Entries

You can query the registry keys with the following method:

c:\>reg query hklm\system\currentcontrolset\services\w32time\parameters
C:\> w32tm /dumpreg /subkey:parameters

 

To resync the service on a client machine:

 w32tm /resync
 w32tm /resync /rediscover

 

If some domain machines have problems, run:

w32tm /config /syncfromflags:domhier /update

After that run:
net stop w32time
net start w32time

 

To Reset the Time Service:

If you’ve experimented with changing time settings and unknowingly altered the default behavior, you can set the time settings back to default:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

You should only have one server in the forest set as a reliable time source, so using the /reliable:yes command on anything other than the Forest Root PDC is not a good idea.

 

If you are getting Event ID 1307 from the time service:

A possible cause is that the “Authenticated Users” does not have read permission on the W32Time and Netlogon registry keys. Please check and correct the permission settings on the keys.

The keys are under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32Time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon

 

Related Troubleshooting links:

To Assist in troubleshooting time service issues on the PDC Emulator and other machines, use the following link:
Troubleshooting Windows Time Service Problems
http://technet.microsoft.com/en-us/library/bb727060.aspx

 

 

 

SNTP vs NTP

NTP and SNTP are both supported. The Microsoft TechNet article “Windows Time Service and Internet Communications” states:

“Windows 2003 by default uses NTP, whereas Windows 2000 used SNTP. SNTP is a simplified version of NTP. Windows 2003 and newer by default is set to NT5DS, which uses NTP. If SNTP is required on Windows 2003 or newer, the default NT5DS type must be changed to AllSync to accept NTP and SNTP time sources.”

Additional links referencing SNTP vs NTP:

Windows Time Service and Internet Communication
http://technet.microsoft.com/en-us/library/cc779145(WS.10).aspx

What is the difference between NTP and SNTP?
http://www.spectracomcorp.com/portals/0/support/pdf/NTP_vs_SNTP.pdf

What is NTP?
http://www.ntp.org/ntpfaq/NTP-s-def.htm

Based on KB223184, since Type Nt5DS uses SNTP by default in Windows 2000, you can force a Windows 2000 server to NTP by changing the time service “Type” in the registry from Nt5DS to NTP. However, I remember there were issues with that syncing up years ago. The registry entries are located in the following key, and the options for “Type” are:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Type : REG_SZ
Used to control how a computer synchronizes.
Nt5DS = synchronize to domain hierarchy [default]
NTP = synchronize to manually configured source
NoSync = do not synchronize time

Time Sync Frequency:

The following registry key controls how frequently the Windows Time service synchronizes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Period

65531, “DailySpecialSkew” – Sets synchronization to one time every 45 minutes until successful one time, then one time every day.
65532, “SpecialSkew” – Sets synchronization to one time every 45 minutes until successful three times, then one time every eight hours. This is the default setting.
65533, “Weekly” – Sets synchronization to one time every seven days.
65534, “Tridaily” – Sets synchronization to one time every three days.
65535, “BiDaily” – Sets synchronization to one time every two days.
0 – For NT5DS, the synchronization is one time every 45 minutes until successful three times, then one time every eight hours. For NTP, the synchronization is one time every 8 hours.
freq – freq stands for the number of times per day you want the Windows Time service to synchronize. If you want to use a value other than one of those specified earlier, you must use this option.

 

Related links to the W32Time service registry entries:

Time Registry settings: Windows Time Service Tools and Settings
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx

Registry entries for the W32Time service on Windows 2000:
http://support.microsoft.com/kb/223184

Windows Time Service Tools and Settings using the w32time command. Includes Windows 2003 & 2003 R2 Time Service Registry Settings
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx

How to configure the Windows Time service against a large time offset
Basically this talks about the time service and how it keeps all machines in a domain hierarchy within 2 minutes of sync so Kerberos works.
http://support.microsoft.com/kb/884776

Configuring the Windows Time Service
http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html

 

 

Failover Time Service

As for a failover time source, the way it works is that the time service loops through each listed source, starting with the first, in the order they are listed, until a time service response is received. It is suggested to use the actual IP addresses, or at least I suggest it, which is an old-school habit of mine because years ago Windows 2000 had an issue with FQDNs, which was fixed with a hotfix, but I still use the IP address method.

Here’s an older KB that explains this (disregard the part about Windows 2000, because the service still behaves the same way):

W32Time client does not fail over to secondary NTP servers by FQDN
http://support.microsoft.com/kb/285641

w32tm /config /manualpeerlist:"MeinbergNTPdeviceIpAddressorFQDN time-nw.nist.gov 0.pool.ntp.org" /syncfromflags:manual /reliable:yes /update

Multiple Manualpeers configured

It’s recommended to use a first-level time source – Quoted from the link above (http://support.microsoft.com/kb/285641):

“There are two levels, or tiers, of Network Time Protocol (NTP) time servers that are available on the Internet. The NTP is defined in Request for Comments (RFC) 1305. The first-level time servers are primarily intended to act as source time servers for second-level time servers. The first-level time servers may also be capable of providing mission-critical time services. Some first-level time servers may have a restricted access policy.

Second-level time servers are intended for general SNTP time service needs. Second-level time servers usually enable public access. It is recommended that you use second-level time servers for normal SNTP time server configuration because they are usually located on a closer network that can produce faster updates.

It is recommended that you research any time server selection to ensure that it can meet your specific time server requirements.”

 

Domain Controllers HyperV and virtualization, and the Time Service

Regarding DC virtualization, please closely adhere to the following best practices:

    1) Do not use imaging software to take an image of the DC.
    2) Do not take or apply snapshots of the DC.
    3) Do not shut the Virtual Machine down and simply copy the virtual disk as a backup.
    4) If you have the ability to “discard changes” as you do if you are running “Virtual Server 2005 R2”, do not enable this type of setting on a DC Virtual Machine.
    5) Use NTBACKUP.EXE, WBADMIN.EXE, or any third party software that is available as long as it is certified to be AD-compatible to take system state backups.
    6) Only restore a system state to the DC or restore a full backup.
    7) Make at least one DC, the PDC Emulator in the forest root domain, a physical DC. The PDC is the default time service in the hierarchy and should not be virtualized.

For more information, please refer to:

DC’s and VM’s – Avoiding the Do-Over
http://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx

In addition, running Domain Controllers in virtual machines requires special considerations (time sync configuration included). I recommend reading the articles below. You will also want one physical DC in the environment, but you can have the remaining DCs virtualized. It’s recommended to have the PDC as the physical DC.

Running Domain Controllers in Hyper-V
http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx

Deployment Considerations for Virtualized Domain Controllers
http://technet.microsoft.com/en-us/library/dd348449(WS.10).aspx

 

Virtualized DC Time service

For virtual machines that are configured as domain controllers, disable time synchronization with the host through Integration Services. Instead, accept the default Windows Time service (W32time) domain hierarchy time synchronization.

Host time synchronization makes it possible for guest operating systems to synchronize their system clocks with the system clock of the host operating system. Because domain controllers have their own time synchronization mechanism, host time synchronization must be disabled on virtual machines that are configured as domain controllers. If domain controllers synchronize time from their own source and also synchronize time from the host, the domain controller time can change frequently. Because many domain controller tasks are tied to the system time, a jump in the system time could cause lingering objects to be left in the directory and replication to be stopped.

The Windows Time service (W32Time) should run as LocalService on 2008 R2 Domain Controllers. You can see the account used in Services.msc -> Windows Time -> Properties.

You can disable host time synchronization in the virtual machine settings in the Integration Services section of the Hyper-V Manager by clearing the Time Synchronization check box.

How to configure your virtual Domain Controllers and avoid simple mistakes with resulting big problems

http://www.sole.dk/post/how-to-configure-your-virtual-domain-controllers-and-avoid-simple-mistakes-with-resulting-big-problems/?p=387

 

 

 

Windows Time Service Related General Links

A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet
http://support.microsoft.com/kb/262680

Time Registry settings: Windows Time Service Tools and Settings
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx

How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042

Jorge’s Time Service blogs:
Configuring and Managing the Windows Time Service, Parts 1 to 4:
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-1.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-2.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-3.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-4.aspx

Support boundary to configure the Windows Time service for high accuracy environments
http://support.microsoft.com/kb/939322

Basic Operation of the Windows Time Service
http://support.microsoft.com/kb/224799

Time Service:
http://support.microsoft.com/kb/216734

How to Configure an Authoritative Time Server in Windows Server 2008 (This article is based on Microsoft KB816042, link provided above.)
http://www.articlesbase.com/operating-systems-articles/how-to-configure-an-authoritative-time-server-in-windows-server-2008-461336.html

Change the Windows Time service configuration on the previous PDC emulator
http://technet.microsoft.com/en-us/library/cc738042.aspx

How Windows Time Service Works. This article provides a good overall graphical and explanation of the Time Service in Windows
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx

Network Time is off, not sure how to fix it
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/652e8200-fc4b-40c7-b579-a88d934df04d/

The Windows 2000 Time Service (the Windows 2000 and 2003 time service skew and algorithm are pretty much the same; the algorithm quoted earlier is from page 9 of this document)
http://download.microsoft.com/download/2/0/f/20f61625-7b2a-4531-b007-1c714f1e51b7/wintimeserv.doc

Configure a client computer for automatic domain time synchronization
Applies to Windows 7 & Windows 2008 R2 Time Service
http://technet.microsoft.com/en-us/library/cc758905(WS.10).aspx

Microsoft Videos on the Time Service
http://www.microsoft.com/showcase/en/us/search?phrase=w32time

Configuring the Time Service: Enabling the Debug Log
http://blogs.msdn.com/b/w32time/archive/2008/02/28/configuring-the-time-service-enabling-the-debug-log.aspx

Windows Time Service – The official Microsoft blog site for the Windows Time Service
By Ryan Sizemore, 7 Aug 2009 12:10 PM
http://blogs.msdn.com/b/w32time/archive/2009/08/07/net-time-and-w32time.aspx

==================================================================

Ace Fekay

Folder Redirection

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer

Edit: Updated – 7/22/08
Edit: Added Troubleshooting section and a Summary section – 10/12/2009.
Edit: Broken links fixed – 11/24/09
Edit: Updated 1/22/2011 with additional information and fixed a broken link
Edit: 6/27/2011 – Added two new links, one with screenshots
Edit: 10/28/2011 – DFS section about it not being recommended or supported with Redirection
===

 

Folder Redirection Background

I believe Folder Redirection combined with Offline Files is a great solution for many environments. I have it implemented at all my customer sites for laptops and desktops. I usually opt to redirect only the My Documents folder, and possibly the Desktop, but I do not redirect Application Data or the Start Menu: Start Menus may differ based on what’s installed on the other machines users log onto, and the Application Data folder can grow exponentially with unwanted or unneeded data, which adds to the data that must be backed up and to the storage and backup capacity needed on the server. You know how large the Application Data folder can get; it is not always a good choice for redirection. Keep that in mind when you implement this feature.

It allows all of a user’s data to be available no matter which machine they log on to, as well as when new machines are deployed. There are no worries about user data being lost or deleted when machines are re-imaged. Just make sure all users are instructed to put all their data into the My Documents folder; if you choose to redirect the Desktop as well, they can also save data to the desktop, but I would rather redirect only the My Documents folder.

Therefore, depending on which folders you decide to redirect, users get their data no matter where they log in. Enabling Offline Files as well provides an additional performance increase on the user side, plus the ability to take machines off-site (such as laptops) while the users still have their data wherever they are. As I mentioned, I usually implement Folder Redirection only for the My Documents folder. With redirection and Offline Files configured, all data is cached locally and only synchronizes at scheduled or manually set times, or at logon and logoff. It vastly reduces client-to-server traffic.

 

Implementing Folder Redirection

There are a few things that need to be set up to make redirection work. In a mixed Vista/XP environment, which many are going through right now, it may be a little challenging: both can use the same home folder setting, but a user must stick with one OS or the other, not log on to an XP machine and then to a Vista machine, or things may get skewed. You may find other ways to implement it (whether using an AD group or not, etc.), but I’ve found the following method successful in my implementations.

1. The user accounts need to be in the OU the Redirection Policy will apply to. It doesn’t matter where the computer accounts are, because Redirection is a user-based policy.

2. More than likely, the Redirection policy is set up to apply to a group. Therefore, make sure the user account is a member of that group.

3. Only the internal DNS servers should be listed in a machine’s IP properties.

4. The way I set up the shares is to create a root folder called Users. I share it out as Users$ and set the share permissions to only System=FC and Domain Admins=FC.

5. Create child folders, one for each user. The share permissions for the user must be set to Full Control, or it won’t work. For example, for a user named Bill, I create a Bill folder, share it out as Bill$, and set the share permissions to:
Domain Admins=FC
System=FC
Bill=FC.

6. The user MUST have FC for both the share and the NTFS permissions. Therefore, I set the NTFS permissions (the Security tab) to:
Domain Admins=FC
System=FC,
Bill=FC.

7. In the user’s AD properties, Profile tab, configure a home folder. This assumes you want their data redirected to the home folder: select a drive letter such as G or H, then configure something like \\servername\%username%$ (the $ makes the share hidden). Whether to hide it or not depends on corporate SOP. The %username% variable will create the folder for you, but I usually create it manually, as in the previous steps.

8. Create an AD group, call it (for example) “My Docs Redirect Group.” Create the Redirect policy based on the group membership; for example, the My Documents folder should be redirected to \\servername\username$\. You can also create it as \\servername\username$\My Documents, which I like because their data goes into a My Documents subfolder under the user folder. This requires additional testing on your part to make sure the respective data goes into the folders you’ve specified. However, many installations simply specify the home folder, \\servername\username$, which is easy and works well. I’ve been using this method myself (outlined in the next step); however, with this method ALL of their documents wind up directly in the root of the home folder, and this could be a little problematic with Vista. For more info on Vista and XP in a mixed environment, and problems that may occur, please read the links at the bottom of this article.

9. In the My Documents policy setting, select “Advanced – Specify locations for various user groups.” Add the AD group you just created. For the target folder location, select Redirect to the user’s home folder. After you click OK, it will display a UNC in the form \\%HOMESHARE%%HOMEPATH%. Under the Settings tab, check the box “Grant the user exclusive rights to My Documents.” Also select “Move the contents to the new location” as well as “Leave the folder in the new location when the policy is removed.”

10. I usually create a logon .bat script, place it in the NETLOGON share, and specify the script name in their AD properties, to manually map the same drive letter specified under the Profile tab to the home folder, with a command line such as “net use h: \\servername\username$”.

It can also be done using VBScript in a logon script assigned through their GPOs. The script normally does multiple other things as well; I’m just pointing out this portion of it. It is your choice whether to use VBScript, CMD or .bat files when creating a script.

11. Enable Offline Use for the redirected My Documents.

12. Repeat for the other folders, if you choose to include them. I would set them to use subfolders, such as Application Data, so the data doesn’t get intermixed with My Documents.

13. Link the GPO to the OU you want it to apply to. Keep in mind, it will not work until you add the users you want it to apply to to the My Docs Redirect Group that you’ve created.

14. If you ever need to move the Users folder location to a new server, simply mirror the shared folders and permissions from the old server on the new server drive (no need to copy the data), and change the policy to point to the new UNC. The next time the user logs on, the data will be moved automatically. The larger the amount of data, the longer it will take. For example, one customer had a 10 GB home folder. It took about 20 minutes to move; however, the user was able to work. Some of the files weren’t available immediately, but they eventually showed up.
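The share and NTFS permission steps above are where most redirection failures (and most accidental over-sharing of user data) come from, so here is an added PowerShell example that builds them and then verifies the resulting ACLs. It is not code from the article; it assumes a data volume D:\, a domain NetBIOS name CONTOSO, constructed sample user names, the SmbShare module (Windows Server 2012 or later), and an elevated session on the file server:

```powershell
# Added example, not part of the original article: creates the Users$ root share and a
# per-user hidden share with exactly the share and NTFS permissions listed in steps 4 to 6,
# then checks each folder for ACEs that should not be there.
# Assumptions (not from the article): data volume D:\, domain NetBIOS name CONTOSO,
# constructed sample accounts; needs New-SmbShare (Windows Server 2012+) and elevation.

$Domain = 'CONTOSO'
$Root   = 'D:\Users'
$Users  = @('bill', 'alice')   # constructed sample accounts

function New-HomeRoot {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # NTFS: drop inherited ACEs so only SYSTEM and Domain Admins can list the root.
    icacls $Path /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' "$Domain\Domain Admins:(OI)(CI)F" | Out-Null
    # Step 4: hidden root share Users$, share permissions System=FC and Domain Admins=FC only.
    if (-not (Get-SmbShare -Name 'Users$' -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name 'Users$' -Path $Path -FullAccess 'NT AUTHORITY\SYSTEM', "$Domain\Domain Admins" | Out-Null
    }
}

function New-HomeFolder {
    param([string]$User)
    $Path = Join-Path $Root $User
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # Step 6: NTFS Full Control for Domain Admins, SYSTEM and the user, nothing else.
    icacls $Path /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' "$Domain\Domain Admins:(OI)(CI)F" "$Domain\${User}:(OI)(CI)F" | Out-Null
    # Step 5: hidden share <user>$ with the same three identities at Full Control.
    $ShareName = "$User`$"
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $Path -FullAccess 'NT AUTHORITY\SYSTEM', "$Domain\Domain Admins", "$Domain\$User" | Out-Null
    }
}

function Test-HomeFolderAcl {
    # Returns every ACE on the user's folder whose identity is not one of the three expected ones.
    param([string]$User)
    $Expected = @('NT AUTHORITY\SYSTEM', "$Domain\Domain Admins", "$Domain\$User")
    (Get-Acl -LiteralPath (Join-Path $Root $User)).Access |
        Where-Object { $Expected -notcontains $_.IdentityReference.Value }
}

New-HomeRoot -Path $Root
foreach ($u in $Users) {
    New-HomeFolder -User $u
    $extra = @(Test-HomeFolderAcl -User $u)
    if ($extra.Count -gt 0) {
        Write-Warning ("{0}: unexpected ACEs for {1}" -f $u, (($extra | ForEach-Object { $_.IdentityReference.Value }) -join ', '))
    } else {
        Write-Host "$u : share and NTFS permissions as expected"
    }
}
```

Removing inheritance on the root (icacls /inheritance:r) matters: if Users is created under a volume root whose default ACL grants Users Read, every domain user could otherwise browse everyone’s home folders even though the shares themselves are locked down.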

Redirecting the Desktop, My Music, Application Data, etc

For the Desktop, what I suggest is to first create a “Desktop” folder under each user’s folder. Then enable Desktop Redirection to a specific folder, make sure the My Docs Redirect Group is specified (based on my procedure and locations above), and set the path to \\%username%$\user$\desktop.

One issue you may come across: suppose you choose not to redirect My Music, simply because you don’t want that sort of content on the server for multiple reasons (such as drive space on the server or backup media limitations), but some users wise up, figure out what’s going on, and start saving their music in their My Documents folder. You can control that using file screening in Microsoft’s FSRM.

 

Storage Reports

FSRM – File Server Resource Manager
By using File Server Resource Manager, administrators can place quotas on folders and volumes, actively screen files, and generate comprehensive storage reports:
http://technet.microsoft.com/en-us/library/cc755603(WS.10).aspx

Folder Redirection with Terminal Services

Keep in mind, there’s no problem in using TS Roaming Profiles, but if you want users’ Documents and Desktops to work, you need to combine the feature with Folder Redirection on all the servers and workstations so all user folders are redirected to the same place. It’s recommended not to use Roaming Profiles because of the added complexity.

Profile and Folder Redirection In Windows 2003 (Explains the differences between a Roaming profile and a non-roaming profile, recommending not to use Roaming Profiles and just use Folder Redirection):
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

How To Configure Folder Redirection, Aug 22, 2007
How to use Group Policy to redirect the “Desktop”, “My Documents”, “Start Menu” and “Application Data” folders.
http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html

Terminal Service Administration and Folder Redirection, Jun 6, 2006
If Remote Desktop for Administration is enabled on a server that’s running Windows Server 2003, then the server can not be configured to use …
http://www.msterminalservices.org/articles/Terminal-Service-Administration-File-Redirection.html

Using Folder Redirection with Terminal Server: Terminal Services, Mar 28, 2003
Folder Redirection allows users and administrators to redirect the path of a folder to a new location.
http://technet.microsoft.com/en-us/library/cc737867(WS.10).aspx

Best practices for Folder Redirection: Group Policy, Jan 21, 2005
In general, accept the default Folder Redirection settings. Logging off the terminal server causes copying to occur in the opposite …
http://technet.microsoft.com/en-us/library/cc739647(WS.10).aspx

Profile and Folder Redirection In Windows Server 2003, Mar 1, 2005 … For example, if you created a share named PROFILES on a server named TAZ, then the path to Brien’s profile … The actual folder redirection is done through the group policy. … Terminal Servers · Thin Client Servers …
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

Folder Redirection and Terminal Server Users : 
1 author 4 posts – Last post: Jun 1, 2004 – Archived from groups: microsoft.public.win2000.group_policy. We currently utilize folder redirection …
http://www.tomshardware.com/forum/218519-46-folder-redirection-terminal-server-users

You can also configure terminal services redirection manually in the registry:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Personal /t reg_expand_sz /d "G:\MyDocs" /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop /t reg_expand_sz /d "G:\Desktop" /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v AppData /t reg_expand_sz /d "G:\Application Data" /f

(Each command is one line; the quotes must be plain ASCII double quotes, or reg.exe will not parse the key name.)

Removing Folder Redirection

How to stop Folder Redirection in Windows Server 2003 and in Windows 2000 Server
http://support.microsoft.com/kb/888203

– Make sure you have a recent backup of the server where the redirected files are prior to making any changes. If you don’t (and this may be a good practice whether you have a good backup or not), I would suggest recovering the files from the offline cache on the machine you want to remove from the Redirection GPO. You can do that by copying the files from the My Documents folder, and any other redirected folders that are in the policy, to another location on the hard drive. Make sure you do that prior to removing the machine from the GPO or from the domain; otherwise, if there are any problems or if you have no backup, it may be impossible to recover them afterward.

– You will probably want to include other files from the machine that may not have been part of the Redirect policy, or even if they were, such as Favorites, Desktop items, the Downloads folder, etc. One important file you may want to also copy is the Outlook nickname drop-down list file. That’s the names that show up in the drop-down list box when you start typing something in the To:, Cc: and Bcc: boxes. It’s stored in a file called <OutlookProfileName>.NK2 and is located in:
C:\Documents and Settings\UserName\Application Data\Microsoft\Outlook

It can be copied from machine to machine. Just rename it to the Outlook profile name of the target machine.

If there are any PST files, you may want to copy them, as well. The default location is:
C:\Documents and Settings\Username\Local Settings\Application Data\Microsoft\Outlook

– Use Group Policy to set folder redirection back to the default location, which is your profile folder on the PC. You can’t just remove the policy, because the folders will stay where they are. You need to redirect them back to where they were.

– Re-initialize the offline cache. Redirected folders by default are synchronized to be available offline. That’s the little arrow in the corner of the icon. Unfortunately, Offline Files in XP will keep trying to synchronize until you re-initialize it.

How to re-initialize the offline files cache and database
Provides two methods to re-initialize the offline files cache and database.
http://support.microsoft.com/kb/230738

– If you used a group to control Folder Redirection, remove the user from the folder redirect group. If not, move the user out of the OU the Folder Redirection GPO is linked to.
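The first two steps of this procedure (copy the locally cached redirected folders, then the Outlook .NK2 and .PST files, somewhere safe before the machine leaves the GPO or the domain) are easy to get half right by hand. The following PowerShell script is an added example, not part of the article: it reads the current folder targets from the user’s own User Shell Folders key (so it works whether or not redirection is still in effect), copies each tree with robocopy, and then collects the Outlook files from the locations named above. It assumes a backup destination of C:\FRBackup\<username> and is run as the user whose data is being saved:

```powershell
# Added example, not part of the original article. Saves the user's redirected folders and
# Outlook nickname/PST files to a local backup folder before Folder Redirection is removed.
# Assumption (not from the article): backups go to C:\FRBackup\<username>.

$BackupRoot = Join-Path 'C:\FRBackup' $env:USERNAME
$ShellKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$Folders    = @('Personal', 'Desktop', 'Favorites')   # value names used by Explorer

function Copy-Tree {
    param([string]$Source, [string]$Destination)
    if (-not (Test-Path -LiteralPath $Source)) { Write-Warning "skipped, not reachable: $Source"; return $false }
    # /E keeps empty subfolders, /COPY:DAT copies data+attributes+timestamps, /XJ skips
    # junction points (avoids looping through Vista's compatibility junctions),
    # /R:1 /W:1 fails fast if the share has gone offline, /NP /NFL /NDL keep output short.
    robocopy $Source $Destination /E /COPY:DAT /XJ /R:1 /W:1 /NP /NFL /NDL | Out-Null
    return ($LASTEXITCODE -lt 8)   # robocopy exit codes 0-7 mean success/partial, 8+ mean failure
}

function Copy-OutlookFiles {
    param([string]$Destination)
    $ok = $true
    # .NK2 nickname cache: Application Data on XP, AppData\Roaming on Vista; APPDATA resolves either.
    $nk2Dir = Join-Path $env:APPDATA 'Microsoft\Outlook'
    if (Test-Path -LiteralPath $nk2Dir) {
        robocopy $nk2Dir $Destination *.nk2 /R:1 /W:1 /NP /NFL /NDL | Out-Null
        $ok = $ok -and ($LASTEXITCODE -lt 8)
    }
    # .PST files default to the Local (non-roaming) Outlook folder; XP has no LOCALAPPDATA variable.
    $local = if ($env:LOCALAPPDATA) { $env:LOCALAPPDATA } else { Join-Path $env:USERPROFILE 'Local Settings\Application Data' }
    $pstDir = Join-Path $local 'Microsoft\Outlook'
    if (Test-Path -LiteralPath $pstDir) {
        robocopy $pstDir $Destination *.pst /R:1 /W:1 /NP /NFL /NDL | Out-Null
        $ok = $ok -and ($LASTEXITCODE -lt 8)
    }
    return $ok
}

function Backup-RedirectedFolders {
    $key     = Get-Item -Path $ShellKey
    $results = [ordered]@{}
    foreach ($name in $Folders) {
        $target = $key.GetValue($name)   # REG_EXPAND_SZ is expanded on read, so %HOMESHARE% etc. resolve
        if (-not $target) { continue }
        $results[$name] = Copy-Tree -Source $target -Destination (Join-Path $BackupRoot $name)
    }
    $results['Outlook'] = Copy-OutlookFiles -Destination (Join-Path $BackupRoot 'Outlook')
    return $results
}

Backup-RedirectedFolders | Format-Table -AutoSize
```

Run it while the user is still logged on normally and the redirected share is reachable; if the share is already gone, Offline Files serves the cached copy transparently, which is exactly why copying from the user’s session (rather than from the server) is the safe order.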

 

Troubleshooting Folder Redirection

Is the workstation receiving the policy?

You can first run the gpresult.exe utility on the client side to determine whether the GPO is being applied.

Then I would suggest using the GPMC to create an RSoP report for specifics, such as to look for any access denied issues. If the GPO is being applied and there are no denials or other issues in the RSoP, then I would look into the user’s folder configuration, permissions, UNC path, etc., set in the GPO. If that doesn’t help, enabling Userenv logging can assist in troubleshooting GPO problems, including Folder Redirection.

Userenvlog

The Userenv.log contains verbose information about policy and profile processing. It also contains additional logs such as the gptext.txt log, which records events for Group Policy extensions such as Folder Redirection, among other things. This file is located in %windir%\Debug\UserMode and contains entries associated with the Userenv process. It is usually a fairly small text file, since verbose logging is not enabled by default. You can find out more about the userenv.log in the following link.

Userenv and GPE logging: A great tool for debugging Group Policy Extensions
http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1250007,00.html

Enable logging for Folder Redirection:

Locate the following subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics.

Create a new Reg_DWORD entry called FdeployDebugLevel and set its value to 0x0f.

The log file is created in %windir%\Debug\Usermode\Fdeploy.log.
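When the policy is confirmed as applied but the folders still are not where they should be, the next things to check are the actual targets Explorer has been told to use and whether the user can reach and write to them. The following PowerShell script is an added example (not from the article): it reads the redirected folder targets from the user’s User Shell Folders key without expanding them, expands them the way Explorer would, probes each target for reachability and write access, and reports whether the FdeployDebugLevel logging described above is enabled, printing the last lines of Fdeploy.log if it exists. It assumes PowerShell 3.0 or later (for Get-Content -Tail) and is run as the affected user:

```powershell
# Added example, not part of the original article: client-side Folder Redirection check.
# Registry paths, value names and the Fdeploy.log location are the ones named in the article.

$ShellKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$DiagKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$FdeployLog = Join-Path $env:windir 'Debug\UserMode\Fdeploy.log'
$Folders    = @('Personal', 'Desktop', 'AppData', 'Start Menu', 'Favorites')

function Test-RedirectedFolders {
    $key = Get-Item -Path $ShellKey
    foreach ($name in $Folders) {
        # Read the REG_EXPAND_SZ unexpanded so we can see %HOMESHARE%%HOMEPATH% style values.
        $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if (-not $raw) { continue }
        $target     = [Environment]::ExpandEnvironmentVariables($raw)
        $redirected = -not $target.StartsWith($env:USERPROFILE, 'OrdinalIgnoreCase')
        $reachable  = Test-Path -LiteralPath $target
        $writable   = $false
        if ($reachable) {
            # Write probe: create and delete a uniquely named file so no user data is touched.
            $probe = Join-Path $target ('fr-probe-{0}.tmp' -f [guid]::NewGuid())
            try {
                New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
                Remove-Item -LiteralPath $probe -ErrorAction Stop
                $writable = $true
            } catch { }
        }
        [PSCustomObject]@{
            Folder     = $name
            RawValue   = $raw
            Target     = $target
            Redirected = $redirected
            Reachable  = $reachable
            Writable   = $writable
        }
    }
}

function Get-FdeployLogState {
    $level = (Get-ItemProperty -Path $DiagKey -Name FdeployDebugLevel -ErrorAction SilentlyContinue).FdeployDebugLevel
    [PSCustomObject]@{
        DebugLevel = if ($null -eq $level) { 'not set' } else { '0x{0:x}' -f $level }
        LogExists  = Test-Path -LiteralPath $FdeployLog
        LastLines  = if (Test-Path -LiteralPath $FdeployLog) { Get-Content -LiteralPath $FdeployLog -Tail 5 } else { @() }
    }
}

Test-RedirectedFolders | Format-Table -AutoSize
Get-FdeployLogState    | Format-List
```

A folder that shows Redirected=True but Writable=False is almost always the share or NTFS permission problem from the implementation steps (the user must have Full Control on both), and a Raw value still pointing under %USERPROFILE% while the GPO says otherwise means the extension never ran, which is where the Fdeploy.log and the Event ID 510 notes below come in.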

General issues with Folder Redirection?

Here’s a good article on repairing Folder Redirection:

Repair folder redirection and shares
http://technet.microsoft.com/en-us/library/dd440852(WS.10).aspx

Vista: Redirected Folders Changes The User’s Home Folder Name From the “User’s Name” to “Documents”

When you redirect the Documents folder on a Windows Vista-based computer to a network share, the folder name unexpectedly changes back to Documents
http://support.microsoft.com/kb/947222

Was the username changed in Active Directory?

You may need to make some adjustments. Take a look at the following articles for more information.

Folder Redirection Operation Is Unsuccessful When You Rename the User
http://support.microsoft.com/kb/827059

The folder redirection process fails on a computer that is running Windows Vista or Windows XP when you change the user name in Active Directory
http://support.microsoft.com/kb/953529

Concurrent Logon Issue: occurs when users log on to more than one workstation simultaneously

Something else to keep in mind is that a user may log on to a different workstation while still logged on at another. This can cause an issue where, if anything changes in their files from machine to machine, the ‘last man wins’ rule comes into play. To prevent this from occurring, you must instruct users to log on at one machine at a time.

If the users do not pay attention to or disregard this guideline, you have a few options at your disposal:

1. Take a look at LimitLogin in the following links.

Microsoft releases LimitLogin v1.0. 16-Mar-05
http://windowsitpro.com/articles/index.cfm?articleid=83236

Utility Spotlight: Limit Login Attempts With LimitLogin. Ever needed to limit concurrent user logins in an Active Directory® domain? Ever wanted to keep track of information about every login in a domain?
http://technet.microsoft.com/en-us/magazine/2005.05.utilityspotlight.aspx

LimitLogin – Tool to limit and monitor concurrent logins in a … LimitLogin is an application that adds the ability to limit concurrent user logins in an Active Directory domain. It can also keep track of all logins …
http://msmvps.com/blogs/javier/archive/2005/03/14/38557.aspx

2. The Windows 2000 Server Resource Kit has the Cconnect.exe tool to prevent users from logging on more than once, but no warning is displayed; they simply won’t be able to connect. More information can be found at the following link:

Limiting a user’s concurrent connections in Windows Server 2003 … Install the Windows 2000 Resource Kit tool named CConnect.exe on each client computer. With this tool, together with an .adm file that is supplied by the tool, you can limit concurrent logins.
http://support.microsoft.com/kb/237282

3. Use the PsShutdown.exe and PsLoggedOn.exe freeware, originally included in the PsTools suite from Sysinternals, which is now part of Microsoft. The PsTools can be downloaded free from Microsoft. With these two utilities, you can add some code to your logon script to prevent a user from logging on more than once. The code, and instructions on how to use it, can be found at the following link.

How can I prevent users from logging on more than once, without using the Cconnect.exe Resource Kit Tool? 08-Dec-04
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768

PsTools – The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, and much much more.
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

Windows Sysinternals: Documentation, downloads and additional information on PSTools.
http://technet.microsoft.com/en-us/sysinternals/default.asp

 

EventID 510, Source = Folder Redirection:

“Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect.”
You can enable Folder Redirection debug logging to help narrow down the issue:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics\FdeployDebugLevel REG_DWORD value=0xf

Event ID 510, Source = Folder Redirection

Folder Redirection policy application never applied completely
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24558513.html

Folder Redirection encounters errors and redirection fails
“Folder Redirection, like Software Installation settings, can only be applied during computer startup or user logon. On computers running Windows XP with logon optimization enabled, this can mean that the user needs to log on more than once before the setting takes effect. “
http://technet.microsoft.com/en-us/library/cc781863(WS.10).aspx

How Folder Redirection Extension Works
“…Because background refresh is the default behavior in Windows XP, Folder Redirection and Software Installation might require as many as three logons to apply changes. “
http://technet.microsoft.com/en-us/library/cc787939(WS.10).aspx#w2k3tr_gpfdr_how_xokx

How Folder Redirection Works:
http://technet.microsoft.com/en-us/library/cc787939(WS.10).aspx

Security Considerations when Configuring Folder Redirection
http://technet.microsoft.com/en-us/library/cc775853(WS.10).aspx

Windows 7, roaming profiles, and waiting over a minute to logon (providing DNS configurations are correct):

Managing Roaming User Data Deployment Guide –
“At logon, Windows Vista typically waits 30 seconds for an active network, when you configure the user with a roaming user profile or remote home directory. In cases such as wireless networks, it may take more time before the network connection becomes active. Enabling this policy allows Windows to wait up to the number of seconds specified in the policy setting for an active network connection. Windows immediately proceeds with logging on the user as soon as the network connection is active or the wait time exceeds the value specified in the policy setting. Windows does not synchronize roaming user profile or connect to the remote home folder if the logon occurred before the network connection became active.”
http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx

As shown in the above link, the 30 second delay is “By Design”. The Windows 7 and Windows Vista NLM (Network Location Management) service, running behind the user policy service, is set by default to wait 30 seconds for the network if a user has a Roaming User Profile or remote home folder set in ADUC. In many cases, a 30 second logon delay may be unacceptable. This setting can be adjusted in a GPO:
 
Computer settings
   Policies
        Admin Template
             System
                   User Profiles
                        Set max wait time for the network if a user has a roaming user profile or remote home folder
 
Depending on your network, setting this time too short could result in the user not receiving the RUP or remote home folder.
 
One suggestion, if you want to keep a 7 to 10 second logon time, is to set the GPO to 1 second, map the home folder with Group Policy Preferences, and let redirection take care of the rest.

Profile Size Limits and Folder Redirection causing size limit reached error message

Do you have a GPO that limits the Profile Size? Have a look at the following KB article.

Error message may occur when you increase the maximum profile size
http://support.microsoft.com/kb/290324

Have you tried cleaning up the profile on one computer to check whether the notification goes away? (For example, removing temporary internet files, moving big files from My Documents to a network share, deleting temporary files, etc.)

From Mark D. MacLachlan:
For the benefit of others, you can eliminate the need to fix this manually on each PC by using the following VBScript as a login script.

[code]
' Clears the EnableProfileQuota policy value for the current user so the
' profile size limit notification is no longer enforced at logon.
Dim WSHShell, Path
Path = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableProfileQuota"
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.RegWrite Path, 0, "REG_DWORD"
[/code]

In case of posted line wrapping, the line starting with “Path = ” ends with “\EnableProfileQuota”, so make sure they are one line in your script.

Folder Redirect Re-targeting

Change it in GPO as well as client side reg:

“HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Documents” = “%HomeShare%%HomePath%Documents”
http://vistavitals.blogspot.com/2007/11/folder-redirection-misbehaves-after.html

 

Notes on Roaming Profiles – Removing Roaming Profiles

You can set up a Folder Redirection GPO, testing it with a test OU and a test user account that already has a roaming profile. Once Folder Redirection is in place, you can copy the data into the My Docs folder to allow redirection to sync it to their home folder. Once that is in place and working, you can remove the roaming profile by using the Delprof or RemProf utility.

User Profile Deletion Utility (Delprof.exe) – For Windows XP and previous operating systems
http://www.microsoft.com/download/en/details.aspx?id=5405 

Delprof2 – User Profile Deletion Tool
The unofficial successor to Microsoft’s Delprof that works with Windows Vista and newer.
http://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/

How To Delete User Profiles by Using the User Profile Deletion …
http://support.microsoft.com/kb/315411

BombProf – GUI Based Profile Management Utility
Windows Compatible – 2000\XP\2003\Vista\2008\7 & Citrix Compatible – Metaframe\Presentation Server\XenApp
Direct Download: http://www.ctrl-alt-del.com.au/files/BOMBProf.zip
(Part of the CAD Freeware Util Pack): http://www.ctrl-alt-del.com.au/CAD_TSUtils.htm#Freeware 

RemProf – Command-line utility to delete local user profiles that are NOT in use when this command is executed.
Direct Download NT\2k\2k3 edition: http://www.ctrl-alt-del.com.au/files/RemProf.zip
Direct Download w2k8/win7 edition: http://www.ctrl-alt-del.com.au/files/RemProf08.zip
Part of the CAD Freeware Util Pack: http://www.ctrl-alt-del.com.au/CAD_TSUtils.htm#Freeware  

Removing Roaming Profiles  (using delprof with example command line switches)
http://www.edugeek.net/forums/windows/16924-removing-roaming-profiles.html

This website provides a short overview of the free Microsoft “Delprof” tool and the commercial “Remote Profile Cleaner” tool, including scripting examples.
http://www.delprof.eu/ 

To delete the roaming profile folders on the server side (assuming the roaming profiles location is a different UNC path than the redirected folders), first remove the roaming profile path specified in the AD user account. Then, as an administrator, you’ll find that you won’t be able to delete the actual roaming profile folder that belongs to a user account. To perform this action, you’ll need to take ownership of the folder. Read more:

Roaming Profile Folders Do Not Allow Administrative Access
http://support.microsoft.com/kb/222043

Going from Roaming Profiles to Folder Redirection:

Roaming Profiles and Folder Redirection
http://webcache.googleusercontent.com/search?q=cache:UU6f-dPW3nIJ:thelazyadmin.com/blogs/thelazyadmin/archive/2005/05/15/Roaming-Profiles-and-Folder-Redirection.aspx+lazyadmin+folder+redirection&cd=1&hl=en&ct=clnk&gl=us&source=www.google.com  

 

 

 

DFS and Folder Redirection

This is neither supported nor recommended.

Microsoft’s Support Statement Around Replicated User Profile Data
http://blogs.technet.com/b/askds/archive/2010/09/01/microsoft-s-support-statement-around-replicated-user-profile-data.aspx

Replicating User Profiles Between Sites (With or Without DFS) – Why it Should be Avoided
http://blogs.sepago.de/helge/2009/07/30/replicating-user-profiles-between-sites-with-or-without-dfs-why-it-should-be-avoided/

Roaming Profiles using DFS? – is it possible?
http://social.technet.microsoft.com/Forums/en-US/winserversetup/thread/af23abbc-2d35-4f92-a1c1-8068cdd74cd4/

 

Summary

– Make sure you have a recent backup of the server where the redirected files are prior to making any changes. If you don’t (and this may be a good practice whether you have a good backup or not), I would suggest recovering the files from the offline cache on the machine you want to remove from the Redirection GPO. You can do that by copying the files from the My Documents folder, and any other redirected folders that are in the policy, to another location on the hard drive. Make sure you do that prior to removing the machine from the GPO or from the domain; otherwise, if there are any problems or if you have no backup, it may be impossible to recover them afterward.

– You will probably want to include other files from the machine that may not have been part of the Redirect policy, or even if they were, such as Favorites, Desktop items, Downloads folder, etc.

If there are any PST files, you may want to copy them, as well. However, keep in mind, PST files, along with MDB and other database files, do not work well with Redirection. FYI, the default PST location is:
C:\Documents and Settings\Username\Local Settings\Application Data\Microsoft\Outlook

One important file you may want to also copy is the Outlook nickname drop-down list file. That’s the names that show up in the drop-down list box when you start typing something in the To:, Cc: and Bcc: boxes. Many a user will claim this is their “Address Book.” We all know it is not, but they’ve come to rely on this feature and will complain if it is missing in their new profile. This file can be copied from machine to machine; just rename it to the Outlook profile name of the target machine. It’s stored in a file called <OutlookProfileName>.NK2 and is located in (depending on operating system version):

XP and Windows 2000:
c:\Documents and Settings\UserName\Application data\Microsoft\Outlook

Windows Vista:
C:\Users\UserName\AppData\Roaming\Microsoft\Outlook

If Vista was upgraded from Windows XP:
C:\Documents and Settings\UserName\AppData\Roaming\Microsoft\Outlook

– Use Group Policy to set folder redirection back to the default location, which is your profile folder on the PC. You can’t just remove the policy, because the folders will stay where they are. You need to redirect them back to where they were.

– Re-initialize the offline cache. Redirected folders by default are synchronized to be available offline. That’s the little arrow in the corner of the icon. Unfortunately, Offline Files in XP will keep trying to synchronize until you re-initialize it.

How to re-initialize the offline files cache and database
Provides two methods to re-initialize the offline files cache and database.
http://support.microsoft.com/kb/230738

– If you used a group to control Folder Redirection, remove the user from the folder redirect group. If not, move the user out of the OU the Folder Redirection GPO is linked to.

 

Related Links

Implementing Folder Redirection using Group Policy
http://www.tech-faq.com/implementing-folder-redirection-using-group-policy.html

Folder Redirection (with a step by step video)
http://www.folderredirection.com/

Recommendations for Folder Redirection: Group Policy
http://technet.microsoft.com/en-us/library/cc785925(WS.10).aspx

Folder Redirection feature in Windows
http://support.microsoft.com/kb/232692

How To Configure Folder Redirection, Aug 22, 2007 … How to use Group Policy to redirect the “Desktop”, “My Documents”, “Start Menu” and “Application Data” folders.
www.msterminalservices.org/articles/Configure-Folder-Redirection.html

How to Configure Folder Redirection
http://technet.microsoft.com/en-us/library/cc782799.aspx

How To Configure Folder Redirection
http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html

User Profiles and Folder Redirection FAQ
http://www.microsoft.com/technet/community/en-us/management/manage_faq.mspx

Enabling the administrator to have access to redirected folders
http://support.microsoft.com/kb/288991

Folder Redirection in a mixed environment XP/Vista
http://www.gpanswers.com/community/viewtopic.php?t=2257

When you redirect the Documents folder on a Windows Vista-based computer to a network share, the folder name unexpectedly changes back to Documents
http://support.microsoft.com/kb/947222

Profile and Folder Redirection In Windows Server 2003 (explains the differences between a roaming profile and a non-roaming profile, recommending not to use Roaming Profiles and to just use Folder Redirection):
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

Ace Fekay
==================================================================

What’s in an Active Directory DNS Name? Choosing the Same As Your Public Domain Name, a ".net" Version of Your Public Name, or ".local"

Original publication 5/2005
Updated 5/2010
Updated 10/15/2010 – Provided a link to my blog with a How-To deal with DNS and the name chosen, and Exchange 2007 & 2010 UC/SAN certificate considerations
Updated 10/21/2014 – Reflect changes by the certificate companies that no longer support .Local or any other non-public TLD.

IMPORTANT Note: UCC/SAN “.Local” and other private TLDs will no longer be supported

When you choose an internal name, it won’t matter, because you now must configure Exchange’s internal URLs to be identical to the external URLs to support your UCC/SAN certificate.

On the bright side, this will help with configuring clients internally and externally with the same name anyway. I’ve always configured my customers’ Exchange CAS URLs with the same name for this reason.

More info:

Global changes in legislation regarding SAN SSL Certificates
http://www.networking4all.com/en/ssl+certificates/faq/change+san+issue/

 

Topics Covered:

  1. Preface: AD Design Considerations

  2. Scenario 1 – Same Name as your external name (Split-Zone)

  3. Scenario 2 – Sub domain name of the public domain name

  4. Scenario 3 – Choosing a TLD Variation of your Public Domain, such as the “.net” version of it

  5. Scenario 4 – Choosing a private TLD such as “.local”

  6. Exchange 2007 & 2010 UC/SAN certificate considerations

  7. Related Links

 

 

==================================================================

Preface: AD Design Considerations

Should I choose the same AD DNS domain name as my external public domain name (also called split-zone), choose a sub domain name of my public name, or should I choose a completely different name such as .local or .net?

I must say this is a classic question that has arisen on numerous occasions starting with the beginning days of AD.

Choosing a name for your internal AD DNS domain name can be based on a number of things, whether technical or political, or previous administrative experience. This has been highly discussed (not debated) in the past.

Whatever decision you make for an AD DNS FQDN domain name, just understand the ramifications. I’m not going to get into any sort of debate, for there is really nothing to debate, nor help someone decide what is ‘right’ or ‘wrong’, but rather just state the ramifications and implications of the name you decide on and how to get around them, no matter what the decision was based on.

 

Discussion on what name to choose

This discussion was between myself and Todd J. Heron, MVP, during the Summer of 2003.

Classic question:

“Which are the advantages of naming my domain with domain.com rather than domain.local? I have a domain.com registered for my Company that I use for my e-mail and Internet site.”

There are different answers to this classic question and while these answers ultimately depend upon company preference, much of the direction will be based upon administrator experience.  The three basic scenarios outlined below are the most commonly given answers to the question, sometimes altogether and sometimes not.   Some company networks use a combination of these scenarios.  When explaining it to a relative beginner asking the question, many responses omit explanatory detail about all the scenarios, for fear of causing more confusion.

All three approaches will have to take both security and the end-user experience into perspective. This perspective is colored by company size, budget, and experience of the personnel running Active Directory and the network infrastructure (mostly with respect to DNS and VPN). No one approach should be considered the best solution under all circumstances. For any host name that you wish to have access to from both your internal network and from the external Internet you need scenario 1, although it is the most DNS-intensive over time. If you do not select this option and go with scenario 2, 3 or 4, consideration will have to be given to the fact that company end-users will need to be trained on using different names under different circumstances (based on where they are: at work, on the road or at home).

Since our discussion, I’ve expanded the Scenarios to include considerations when obtaining an Exchange 2007 or 2010 UC/SAN certificate. The certificate authorities will check all of the names for their registered owner. If you choose an internal name that just happens to be a real public domain name that you weren’t aware of, and owned by someone else, the certificate authorities will reject the certificate request. See Scenario 3 for more information.

 

==================================================================

Scenario 1 – Same Name as your external name (Split-Zone)

Choosing the same name internally and externally (split-zone, or split-brain, whatever you want to call it) has the most administrative overhead. Why is it chosen?

Either because of a misunderstanding of the pros/cons, for political reasons, or for ease of use.

Pros:

1. Their email address is their logon name. Easier to remember.

2. Security. Each DNS zone is authoritative for the zone of that name, so the external DNS zone and the internal AD/DNS zone will NOT replicate with each other, thereby preventing internal company records from being visible to the outside Internet.

3.  Short namespace.  Users don’t have to type in (or see) a long domain name when accessing company resources either internally or externally.  Names are “pretty”.

Cons:

1. Administrative overhead. If you try to reach your externally hosted website, it won’t resolve, because a DNS server will not forward or resolve outside for a zone that it hosts. You can overcome the www.domain.com dilemma by using a delegation. Right-click your zone, choose New Delegation, type in ‘www’ and provide the public SOA name server(s). This way the internal server sends the resolution request to the public name server and resolves it that way. As for http://domain.com, that is difficult, and you would instruct all users to only use www.domain.com. This is because of the LdapIpAddress, the record that shows up as (same as parent), which EACH domain controller registers. So if you type http://domain.com, you will round robin between the DCs. To overcome that, on EACH DC, install IIS, then under the default website properties, redirect it to www.domain.com and let the delegation handle it.

Now if you are using SharePoint services, or something else that connects to the default website (no sub folders or virtual directories), then it becomes a problem. I know of numerous installations set up this way that have operated fine for years.

2. Security. Each DNS zone is authoritative for the zone of that name, so the external DNS zone and the internal AD/DNS zone will NOT replicate with each other, thereby preventing internal company records from being visible to the outside Internet.

3. Any changes made to the public DNS zone (such as the addition or removal of an important IP host such as a web server, mail server, or VPN server) must be added manually to the internal AD/DNS zone if internal users will be accessing these hosts from inside the network perimeter (a common circumstance).

4.  VPN resolution is problematic at best.  Company users accessing the network from the Internet will easily be able to reach IP hosts in the public DNS zone but will not easily reach internal company resources inside the network perimeter without special (and manual) workarounds such as maintaining hosts files on their machines (which must be manually updated as well every time there is a change to an important IP host in the public zone), entering internal host data on the public zone (such as for printers, SRV records for DCs, member server hosts, etc.), which exposes what internal hosts exist, or they must use special VPN software (usually expensive), such as Cisco, Netscreen, etc., which is more secure and reliable anyway.

For further reading on this scenario:
http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html
http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon-common-server-names.html

With a Split-Zone, you may lose the ability to access your website or other resources:

If you choose the same name, and you can’t access your internal website, or an external resource with the same name, you need to understand how to handle this with DNS. Read the following for specifics and a how-to.

Split Zone or no Split Zone – Can’t Access Internal Website with External Name
Published by AceFekay on Sep 4, 2009 at 12:11 AM
http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx

 

==================================================================

Scenario 2 – Sub domain name of the public domain name

Choosing a child name or delegated sub domain name of the public zone.

Examples: names such as ‘ad.domain.com’ or ‘corp.microsoft.com’. The AD DNS domain namespace starts at the sub domain (corp.domain.com in this example) and has nothing to do with the domain.com zone.

Pros:

1. Minimal administrative overhead.

2. Forwarding will work.

3. The NetBIOS name will be ‘AD’ or ‘CORP’, depending on what you chose and what the users will see in the three-line legacy security logon box.

4.  Like Scenario 1, this method also isolates the internal company network but note this at the same time is also a disadvantage (see below).

5. Better than Scenario 1, internal company (Active Directory) clients can resolve external resources in the public DNS zone easily, once proper DNS name resolution mechanisms such as forwarding, secondary zones, or delegation zones are set up.

6. Better than Scenario 1, DNS records for the public DNS zone do not need to be manually duplicated into the internal AD/DNS zone.

7. Better than Scenario 1, VPN clients accessing the internal company network from the Internet can easily navigate into the internal subdomain. It is very reliable as long as the VPN stays connected.

Cons:

1. Confusion for users if they decide to use their UPN.

2. While there is security in an isolated subdomain, there is potential for exposure to outside attack. The potential exposure of internal company resources to the outside world lies mainly in the fact that when the public zone DNS servers receive a query for subdomain.externaldnsname.com, they will return the addresses of the internal DNS servers, which will then provide answers to that query.

3. Longer DNS namespace.  This may not look appealing (or “pretty”) to the end-users.

4. Security. We are assuming that the internal servers can only be accessed through a VPN, and that they are in a private subnet, so they won’t be accessible otherwise. We are also assuming the VPN is secured with an L2TP/IPSec solution and not just a quick PPTP connection. If this is all so, we can assume it is secure and not accessible from the outside world.

This scenario is the recommendation from the Windows Server 2003 Deployment Guide. It states to use the external registered name and take a sub zone from it as the DNS name for the Forest Root Domain:
http://www.microsoft.com/resources/documentation/windowsserv/2003/all/deployguide/en-us/default.asp

 

==================================================================

Scenario 3 – Choosing a TLD Variation of your Public Domain, such as “.net”

Example: Your public domain name is domain.com, and you choose “domain.net” as your internal AD name.

This choice has been made by many companies.

Pros:

1. Easy to implement with minimal administrative overhead. Requires minimal action from administrators.

2. Prevents name space conflicts with external domain name. No one else owns it on the internet.

3. Forwarding works.

Cons

1. Domain name may look unprofessional. But this has nothing to do with anything on the public side (the internet).

2. VPN resolution is difficult (like option 1) if DNS is not set up properly. That can be a sticky issue, and the VPN client will dictate whether it will work or not. I know one of the other MVPs (Dean Wells) created a little script to populate a user’s laptop or home PC’s hosts file with the necessary resources and remove them once the VPN is dissolved.

3. Exchange HELO name must be altered in the SMTP properties (Exchange 2000 using MetaEdit, or SMTP properties in Exchange 2003), or in the Hub Transport properties (Exchange 2007) to accommodate anti-spam, SPF, and RBL software.

4. Obtaining a UC/SAN certificate for Exchange 2007 & 2010 may be a challenge if you haven’t registered the “.net” version of your public domain name. This is because the Certificate Authorities will check all names in the UC/SAN cert you are requesting, including Exchange’s internal FQDN in the certificate request. This is used by the AutoDiscover feature in Exchange 2007 and 2010 and needs to be in the certificate. Read more on it here:

Exchange 2007 & Exchange 2010 UC/SAN Certificate
http://msmvps.com/blogs/acefekay/archive/2009/08/23/exchange-2007-uc-san-certificate.aspx

==================================================================

Scenario 4 – Choosing a private TLD such as “.local”

Note: UCC/SAN “.Local” and other private TLDs will no longer be supported

When you choose an internal name, it won’t matter, because you can configure Exchange’s internal URLs to be identical to the external URLs. This will help with configuring clients internally and externally with the same name.

More info:

Global changes in legislation regarding SAN SSL Certificates
http://www.networking4all.com/en/ssl+certificates/faq/change+san+issue/

Choosing a private name

Choosing a different TLD: choosing a private TLD, such as domain.local, domain.corp, domain.abc, etc. This option is easy for either the beginner or the expert, and it’s the easiest to implement, primarily because it prevents namespace conflicts with the public domain from the very beginning and requires no further action on your part in that respect.

The only caveat is that you must configure Exchange URLs to the external URLs to support the certificate requirements.

Pros:

1. Easy to implement with minimal administrative overhead. Requires minimal action from administrators.

2. Prevents name space conflicts with external domain name. No one else owns it on the internet.

3. Forwarding works.

Cons

1. Domain name may look unprofessional. But this has nothing to do with anything on the public side (the internet).

2. VPN resolution is difficult (like option 1) if DNS is not set up properly. That can be a sticky issue, and the VPN client will dictate whether it will work or not. I know one of the other MVPs (Dean Wells) created a little script to populate a user’s laptop or home PC’s hosts file with the necessary resources and remove them once the VPN is dissolved.

3. Exchange HELO name must be altered in the SMTP properties (Exchange 2000 using MetaEdit, or SMTP properties in Exchange 2003), or in the Hub Transport properties (Exchange 2007) to accommodate anti-spam, SPF, and RBL software.

4. You won’t have any problems obtaining an Exchange 2007 & 2010 UC/SAN certificate since the internal name is not a public name and there’s nothing to check registration-wise by the Certificate Authorities when requesting the certificate with the internal Exchange FQDN.

 

==================================================================

Exchange 2007, 2010 and 2013 UC/SAN certificate considerations

More things to consider concerning the internal AD DNS domain name and if using Exchange 2007

If you choose a TLD, be sure not to choose one that is already in use by another entity. The reason is that it will cause undue confusion, and will create problems if you were to get an Exchange 2007 UCC/SAN certificate and add a name for the internal namespace to the certificate. Further below is a list of existing TLDs that you do not want to choose if the name does not belong to your entity.

So it would be a bad choice, because of the complications that will arise, if the internal domain name you choose is registered by others.

As far as choosing what name to use internally, there are pros and cons of using your public TLD (whether the same namespace or not), or a private TLD. I prefer a private TLD. You also have to take into consideration whether you will be using Exchange 2007 and expect to purchase a UC/SAN certificate. This type of cert has multiple names, and the internal Exchange server’s private FQDN will be part of it. So for instance, your company is called “A Big Company”, and your external name is abc.com. You decide to make your internal name abc.net. However, you never purchased abc.net from the registrar, and someone else did. So the Exchange server internal name is exchange.abc.net. In such a case, the CA will not approve it, because A Big Company is not the registered owner of abc.net at the registrar (when you do a WHOIS); it is owned by someone else.

Technically speaking, you can also use the same name for the internal domain and the external domain. Just understand the ramifications. You may encounter the following possible issues, which may force you to perform a domain rename in the future.

1.  If the internal domain name that you chose is the same as your Internet public domain name, internal clients may get the domain external IP but routers and firewalls will not respond from an internal request to the external interface. Some refer to this as a U-Turn, and firewalls, routers and NATs cannot handle U-Turns for port forwarded services.

2. Worse, if the internal name you chose was registered by another entity.

Generic top-level domains:

.biz .com .info .name .net .org .pro .aero .asia .cat .coop .edu
.gov .int .jobs .mil .mobi .museum .tel .travel

Country-Code Top-Level Domains

You must be careful choosing, especially if someone else owns it on the internet. You’ll never get the cert approved if it is owned by someone else, despite the argument that “it’s my internal domain name…”

.ac .ad .ae .af .ag .ai .al .am .an .ao .aq .ar .as .at .au
.aw .ax .az .ba .bb .bd .be .bf .bg .bh .bi .bj .bm .bn .bo
.br .bs .bt .bw .by .bz .ca .cc .cd .cf .cg .ch .ci .ck .cl
.cm .cn .co .cr .cu .cv .cx .cy .cz .de .dj .dk .dm .do .dz
.ec .ee .eg .er .es .et .eu .fi .fj .fk .fm .fo .fr .ga .gd
.ge .gf .gg .gh .gi .gl .gm .gn .gp .gq .gr .gs .gt .gu .gw
.gy .hk .hm .hn .hr .ht .hu .id .ie .il .im .in .io .iq .ir
.is .it .je .jm .jo .jp .ke .kg .kh .ki .km .kn .kp .kr .kw
.ky .kz .la .lb .lc .li .lk .lr .ls .lt .lu .lv .ly .ma .mc
.me .md .mg .mh .mk .ml .mm .mn .mo .mp .mq .mr .ms .mt .mu
.mv .mw .mx .my .mz .na .nc .ne .nf .ng .ni .nl .no .np .nr
.nu .nz .om .pa .pe .pf .pg .ph .pk .pl .pn .pr .ps .pt .pw
.py .qa .re .ro .rs .ru .rw .sa .sb .sc .sd .se .sg .sh .si
.sk .sl .sm .sn .sr .st .sv .sy .sz .tc .td .tf .tg .th .tj
.tk .tl .tm .tn .to .tr .tt .tv .tw .tz .ua .ug .uk .us .uy
.uz .va .vc .ve .vg .vi .vn .vu .wf .ws .ye .za .zm .zw
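The check the paragraphs above describe (is the candidate internal name already delegated on the public Internet, and does it use a private TLD that a public CA will no longer put on a UC/SAN certificate?) can be run from any Windows 8 / Server 2012 or later machine before you commit to a name. This is an added example and not part of the original post; it assumes the DnsClient module’s Resolve-DnsName cmdlet, the outside resolver 4.2.2.2 that the post uses elsewhere, and a hand-picked list of TLDs treated as private. A name that returns public NS records is owned by someone; confirm with a WHOIS lookup that the someone is you.

```powershell
# Added example (not the post's own code). Assumes Resolve-DnsName (DnsClient
# module, Windows 8 / Server 2012+). The private-TLD list is an assumption.
function Test-InternalNameCandidate {
    param(
        [Parameter(Mandatory)][string[]]$Candidate,
        [string]$PublicResolver = '4.2.2.2'        # outside resolver, as in the post
    )
    $privateTlds = @('local', 'corp', 'lan', 'internal', 'private', 'home')   # assumed

    foreach ($name in $Candidate) {
        $tld        = ($name -split '\.')[-1].ToLower()
        $isPrivate  = $tld -in $privateTlds
        $publicNs   = @()
        try {
            # NXDOMAIN or "no records" raises an error with -ErrorAction Stop;
            # either way the name is not delegated on the Internet today.
            $publicNs = @(Resolve-DnsName -Name $name -Type NS -Server $PublicResolver `
                            -DnsOnly -ErrorAction Stop |
                          Where-Object { $_.Type -eq 'NS' })
        } catch { }

        $verdict = if ($isPrivate) {
            'Private TLD: no registration conflict, but a public CA will not issue a UC/SAN cert for it'
        } elseif ($publicNs.Count -gt 0) {
            'Delegated on the Internet: use it internally only if YOUR organisation owns it (check WHOIS)'
        } else {
            'Public TLD, not delegated today: register it yourself before using it internally'
        }

        [pscustomobject]@{
            Name       = $name
            PrivateTld = $isPrivate
            PublicNS   = ($publicNs.NameHost -join ', ')
            Verdict    = $verdict
        }
    }
}

# Candidates from the post's own example: the .com you own, a sub domain of it,
# the .net variation you may never have registered, and a .local name.
Test-InternalNameCandidate -Candidate 'abc.com', 'ad.abc.com', 'abc.net', 'abc.local' |
    Format-Table -AutoSize -Wrap
```

The sub domain candidate (Scenario 2) normally comes back “not delegated” because nobody answers for ad.abc.com on the Internet unless you delegate it; that is expected and fine, since the parent abc.com is yours. The function reports, it does not decide; the WHOIS step stays manual.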

 

 

==================================================================

Related Links

For a broad overview of this topic, read some of the links below.

Creating Internal and External Domains
http://technet.microsoft.com/en-us/library/cc755946(WS.10).aspx

DNS Namespace Planning
http://support.microsoft.com/default.aspx?scid=kb;en-us;254680

Assigning the Forest Root Domain Name:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbc_logi_kqxm.asp

 

=================================================================

Summary

I hope this helps in your endeavor.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services


 

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Suggestions, comments and corrections welcomed!

Split Zone or no Split Zone – Can’t Access Internal Website with External Name

“How do I resolve my external website when my internal name is the same as my external name (split zone)?”

Or

“We are hosting our webserver internally, on our LAN, and internet users can access the website without problems, but when we are inside the office, we can’t access our domain name. This also applies to Exchange OWA.”

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Updated 7/30/2009


There can be multiple scenarios. Choose your scenario.

Scenario 1: The Internal and External Domain Names are the Same

Your internal domain name and external domain name are the same, and the webserver is hosted externally.
This type of same-name scenario is called a split zone.

To handle a split-zone, understand that there are two ways to get to your website:

  1. By http://www.yourdomain.com/, using ‘www’ in front of your domain name.
  2. By http://yourdomain.com/, without the ‘www’ in front of the name.

1. The simplest way to allow your internal users to get to your external website is to create an “A” record named www under your current internal AD zone name in DNS (DO NOT create an Alias or CNAME record), and provide the IP address of the external web server.

To create the ‘www’ record:
Open DNS console
Right-click your zone name, such as yourdomain.com, choose New Host Record
Type in www
Type in the IP address of the external website

2. However, if your web hosting provider uses more than one web server, such as in a server farm, or has multiple IP addresses for the website, and you face the possibility that they may change it without warning, you would have to do something different to account for this. Therefore, instead of creating an “A” ‘www’ record, I would suggest creating a delegation for ‘www’ to the public name servers that are authoritative for your zone. With a delegation, instead of providing a direct IP, DNS will query the SOA of your public domain name to get the current IP address of your website. To create a delegation, you will need to find the SOA name of your public zone. The SOA, or Start of Authority, record identifies the public name server(s) on record that you want your delegation to query for your ‘www’ record.

Therefore, you need to query an outside DNS server for your SOA record (the external DNS servers hosting your public domain name).

How do you find the SOA for your public domain name? Use nslookup.

In a command prompt, type in nslookup, hit enter.
Then type in the following:
> set q=soa
> server 4.2.2.2
> typeInYourDomainNameHereWithoutTheWWW.com

Once you’ve found who the SOA names and IP are, you can create the delegation. To create the delegation, simply right-click your zone name, choose new delegation, type in www, and provide the SOA of your public domain.
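Both options above (the static ‘www’ A record and the ‘www’ delegation), plus the outside SOA/NS lookup that precedes them, can be scripted instead of clicked through. This is an added example, not the post’s own steps: it assumes a DNS server running Windows Server 2012 or later with the DnsServer PowerShell module (the post’s console steps apply to 2003/2008 as well), the placeholder AD zone ‘yourdomain.com’, and the outside resolver 4.2.2.2 used in the nslookup steps above.

```powershell
# Added example (not the post's own code). Assumes the DnsServer and DnsClient
# modules (Windows Server 2012+). Placeholders: zone name and outside resolver.
$Zone    = 'yourdomain.com'
$Outside = '4.2.2.2'

# Ask an OUTSIDE resolver who is authoritative for the public zone. Asking your
# own server is pointless: it is authoritative for the internal copy and will
# answer from that. Returns name server + glue address pairs.
function Get-PublicNameServer {
    param([string]$ZoneName, [string]$Resolver)
    Resolve-DnsName -Name $ZoneName -Type NS -Server $Resolver -DnsOnly |
        Where-Object { $_.Type -eq 'NS' } |
        ForEach-Object {
            $glue = Resolve-DnsName -Name $_.NameHost -Type A -Server $Resolver -DnsOnly |
                    Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
            [pscustomobject]@{ NameServer = $_.NameHost; IPAddress = $glue.IPAddress }
        }
}

# Option 1 of the post: a static 'www' A record (an A record, NOT a CNAME) that
# holds the public web server's current address. Goes stale if the hosting
# provider moves the site.
function Add-SplitZoneWwwRecord {
    param([string]$ZoneName, [string]$Resolver)
    $web = Resolve-DnsName -Name "www.$ZoneName" -Type A -Server $Resolver -DnsOnly |
           Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'www' -IPv4Address $web.IPAddress
}

# Option 2 of the post: delegate 'www' to the public name servers, so the
# internal server refers that one name to them and always returns the current
# address. A static 'www' A record must not exist alongside the delegation.
function Add-SplitZoneWwwDelegation {
    param([string]$ZoneName, [string]$Resolver)
    Remove-DnsServerResourceRecord -ZoneName $ZoneName -Name 'www' -RRType 'A' `
        -Force -ErrorAction SilentlyContinue
    $servers = @(Get-PublicNameServer -ZoneName $ZoneName -Resolver $Resolver)
    Add-DnsServerZoneDelegation -Name $ZoneName -ChildZoneName 'www' `
        -NameServer $servers.NameServer -IPAddress $servers.IPAddress
}

# Pick ONE of the two; the delegation is the more robust choice.
Get-PublicNameServer -ZoneName $Zone -Resolver $Outside | Format-Table -AutoSize
Add-SplitZoneWwwDelegation -ZoneName $Zone -Resolver $Outside

# Check from the client side: 'www' now answers with the public address, while
# the bare zone name still returns the DCs' (same as parent) LdapIpAddress
# records, exactly as the post describes.
Resolve-DnsName -Name "www.$Zone" -Type A
Resolve-DnsName -Name $Zone -Type A
```

Run it on the DNS server (or with `-ComputerName` on the DnsServer cmdlets) as a DNS administrator. The delegation only works if the DNS server can reach the public name servers, so the forwarder mentioned at the end of this article, or working root hints, is still required.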

 

So you don’t want to use the WWW in front of the URL?

This question has arisen numerous times in scenarios where the external and internal AD names are the same, and the webserver is being hosted internally or externally. I usually look at it as politics driving this request, because it’s not that hard to type www in front of domain.com.

However, if you absolutely need it to resolve http://domain.com/ without the www in front of it, there is a way, but it’s a bit more complex and warrants an explanation.

If you are not running an Active Directory infrastructure:

The easy solution is to create a new, blank host record (as in step #1 above), leaving the hostname field empty and typing in only the IP address of the website. This is called a blank domain name record, and it allows the name to resolve without the ‘www’ in front of it.

However, if you are using Active Directory:

This ‘blank’ domain name record is actually used by the domain controllers in the domain. It’s a unique record that each and every domain controller registers under the zone in DNS with its own IP address and no hostname, and it appears under your internal zone name as:

(same as parent)   A   x.x.x.x

This record that each DC registers is actually called the “LdapIpAddress.” Each DC registers one for itself. AD uses these records for a number of things, such as DC-to-DC replication, Sysvol replication, GPOs and DFS. Don’t mess with it, or expect problems. The DCs will re-register this record anyway if you delete it and thwart your attempt. If you create a blank record for your website, it will cause problems with AD.

To get around that, you can use a workaround. The workaround is, on EACH DC, install IIS. Then open the Internet Information Services console. In the default website properties, Directory tab, select redirect, and redirect it to http://www.domain.com/. This way, when any one of your users types in http://domain.com, it will resolve to the www record you’ve created in Step #1 or #2 above. But this procedure must be performed on each DC.

Steps summarized:

  1. Install IIS on EACH domain controller. This must be done on each DC.
  2. Create a www record under your domain.com.
  3. Give it the private, internal IP of the webserver, or if the webserver is external, give it the public IP address of the webserver. If you don’t know the external IP, see the nslookup steps below to find it.
  4. In the IIS console, default website properties, create a redirect, and redirect it to www.domain.com.
  5. This way, when any one of your users types in http://domain.com, it will resolve to the www record you created in Step 2.

 

If your website is external, for the above, you need to use nslookup to find your external webserver IP:

c:\>nslookup
> server 4.2.2.2          (this tells nslookup to use an external DNS server to get your public webserver’s IP address)
> www.domain.com

Note: Installing IIS on a Domain Controller has security implications:

For security reasons, I do not condone installing IIS on a DC. Normally, with some of my customers, I simply tell them to use the www in front of the domain name. If it is a .com name, you can simply instruct them to type in domain in the URL, and then hit <CTRL> + <Enter>. This shortcut will automatically populate the www in front and the .com at the end.

Otherwise, if the boss demands to have it work without a www in front (usually a political and not a technical requirement), then follow the above, but take note of the security implications.

Scenario 2: Different Internal and External but you are hosting the webserver internally

Your public domain name is different, and you are hosting your webserver internally.

In this scenario, internet users access your domain name by connecting to the WAN (outside) IP address of your router.

To make this scenario work, with a different domain name than your internal domain name, you need to create the external domain name as a zone on your internal DNS server, so that internal clients resolve it to the private address of the webserver instead of the router’s WAN address.

  1. Create a new zone using your external domain name.
  2. Open DNS console.
  3. Click on Forward Lookup Zones.
  4. Right-click, choose new Zone, type in the name of the external domain name.
  5. Once created, right-click the zone you just created, choose New Host Record.
  6. Type in ‘www’ (without the quotes), and provide the internal Private IP address of your internal webserver.

If you want to access the site with http://domain.com/ (without the www), you would need to create a ‘blank’ host record.

How?
Right-click the zone name you just created, choose New Host Record.
Leave the name field blank, and provide the internal Private IP address of your internal webserver.
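Scenario 2 as a script instead of console clicks: an added example that is not the post’s own, assuming a DNS server on Windows Server 2012 or later with the DnsServer module, the placeholder public name ‘yourpublicname.com’, and a constructed private web server address (192.168.10.25). It creates the zone, the ‘www’ record and the ‘blank’ (zone root) record in one go.

```powershell
# Added example (not the post's own code). Assumes the DnsServer module
# (Windows Server 2012+). Zone name and web server address are placeholders.
$ExternalZone = 'yourpublicname.com'
$WebServerIp  = '192.168.10.25'        # constructed private address of the internal webserver

function New-InternalCopyOfPublicZone {
    param([string]$ZoneName, [string]$InternalWebIp)

    # Steps 1-4: host the public name as an AD-integrated forward lookup zone.
    # From now on the internal DNS server answers ONLY from this zone for that
    # name, so every public host your users need (mail, VPN, ...) must be
    # added here too, or it will stop resolving internally.
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain'

    # Steps 5-6: 'www' with the PRIVATE address. Internal clients must not be
    # sent to the router's WAN address; most firewalls and NATs will not
    # 'U-turn' a port-forwarded service back inside.
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'www' -IPv4Address $InternalWebIp

    # The 'blank' host record, so http://yourpublicname.com/ works without www.
    # '@' is the zone root. This is safe here, unlike in the AD zone itself,
    # because no domain controller registers an LdapIpAddress in this zone.
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name '@' -IPv4Address $InternalWebIp

    # Show what the zone now holds.
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType 'A'
}

New-InternalCopyOfPublicZone -ZoneName $ExternalZone -InternalWebIp $WebServerIp

# Verify from a workstation that points ONLY at the internal DNS servers:
# both names should answer with the private address.
Resolve-DnsName -Name "www.$ExternalZone" -Type A
Resolve-DnsName -Name $ExternalZone -Type A
```

If the zone must also exist on DNS servers that are not domain controllers, use `-ReplicationScope 'Forest'` or a standard primary zone with `-ZoneFile` instead; the records are the same either way.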

Scenario 3 : Different Internal & External Domain Name

If you have a different internal domain name and external domain name, and the website is hosted externally:
There’s nothing to do. Internet resolution will handle everything.

Don’t forget, ALWAYS and ONLY use the internal DNS servers in your AD environment for all machines (DCs, member servers and workstations, including your VPN clients), or this won’t work. Never use your ISP’s DNS servers, or your router’s IP address, as a DNS address in any internal machine’s IP properties. Otherwise, expect AD problems as well.

Don’t forget to configure a forwarder for more efficient internet name resolution. I’ve always used this as a best practice. It offloads internet name resolution to your ISP’s DNS addresses so your server doesn’t have to use the Root Hints to resolve external names.

Ace Fekay, MCT

The DNS Cache Poisoning Vulnerability, Microsoft KB953230 Patch, and UDP Service Ports Reservation Explained, and DNS Memory Leakage

The DNS Cache Poisoning Vulnerability, Microsoft KB953230 Patch, and Ports Reservation Explained

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer

Published 7/2009
Edits:
8/9/2010  – Added update links (see the bottom of this blog).
10/5/2010 – Added info about the DNS Process Memory Leakage After Installing Hotfix 941672 for Windows 2003
10/7/2010 – Added link explaining how to debug the DNS process to determine if a leak is occurring

 

Protection against the Microsoft DNS Cache Poisoning Vulnerability (953230)

The DNS patch released in July, 2008, reserves 2500 ephemeral UDP service ports.

It is a security update to prevent spoofing. Without the update, the DNS server’s outbound queries use an ephemeral UDP response (service) port chosen at random from 1024 and above; these service ports are used by all Windows communications, not just DNS. An attacker who guesses that port can send specially crafted responses that insert records of the attacker’s choosing into the DNS cache, poisoning the cache, which allows a remote attacker to redirect legitimate network traffic intended for systems on the Internet to the attacker’s own systems or anywhere else they choose.

By pre-reserving a pool of ports (a socket pool) for DNS to use, as the DNS patch does, the chance that such a port-guessing attack succeeds is reduced, which is how the update prevents cache poisoning. Attackers use this technique against Windows and other major DNS services.

 

DNS Increased Memory Consumption Due To The DNS Patch

When you run netstat -ab, it displays the 2500 UDP ports that have been reserved but are not necessarily in use. This is part of the increased memory consumption that you may notice. I’ve noticed the following when I’ve looked at Task Manager before and after the DNS patch was installed (your mileage may vary):

dns.exe        Before      After
Mem usage      9,758K     36,232K
Peak Mem      10,208K     36,584K
Paged Pool        71K        798K
NP Pool           17K      4,833K
Handles           238       5,217
Threads            20          20

 

If the RPC Endpoint Mapper Runs Out of Ports Due to the Patch

There can also be issues with applications installed and running on a DNS server where the RPC Endpoint Mapper runs out of ports to use because the available ports are being consumed by the application.

Run “netstat -ano” in a command line. It provides a listing of ports that are in use along with the PID of the process that owns each port. Possibly you’re running an application on this server that isn’t releasing ports when it’s done with them. You can also extend the range of ports available to RPC, but I’d recommend looking into what’s consuming them first.

Take a look at the following article for more info on the Endpoint mapper:

839880 Troubleshooting RPC Endpoint Mapper errors using the Windows Server 2003 Support Tools from the product CD
http://support.microsoft.com/default.aspx?scid=kb;EN-US;839880

 

DNS Process Memory Leakage After Installing Hotfix 941672 for Windows 2003

If your DNS server is experiencing a large amount of memory being consumed by the DNS process, to the point that it hangs the DNS service and it stops responding, it may be associated with hotfix 941672. If 941672 was installed on the DNS server, there is a known memory leak issue in the DNS process associated with this hotfix. The issue is fixed by installing hotfix 975830.

Please read more about it in the following link, where you can also request the hotfix.

The memory usage of the Dns.exe process keeps increasing after you install hotfix 941672 on a computer that is running Windows Server 2003 SP2 and that has the DNS server role installed
Article ID: 975830 – Last Review: October 27, 2009 – Revision: 1.0
http://support.microsoft.com/kb/975830/en-us

DNS Memory Consumption Related Discussion:
http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/bcf3ac92-3485-4a2d-9386-55f2dcbc78f8

If you feel that you need more information to determine if a DNS process leak is occurring, you can enable debug logging and use the following link in conjunction with the symptoms explained in KB975830 to further analyze the issue.

DNS: Monitoring Server
http://technet.microsoft.com/en-us/library/cc783975(WS.10).aspx

 

Windows 2008, 2008 R2, Vista and Windows 7 Ephemeral Ports Have Changed

The default ephemeral ports (random service ports) are UDP 1024 – 65535 (see KB179442 below), but for Vista and Windows 2008 it’s different. Their default dynamic port range is UDP 49152 to UDP 65535 (see KB929851 below).

Quoted from KB929851 (link posted below):

“To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000.”

Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 Service Response Ports (ephemeral ports)
The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/?kbid=929851

 

 

DNS Server Service Terminates Unexpectedly

Are you seeing the following error?

The DNS Server service terminated with the following error:
An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.

Cause:
2500 is the default DNS Socket Pool Size value on Windows Server 2008 R2. I suspect that, for system stability reasons, the Best Practices Analyzer (BPA) will always suggest using the system default setting, which is why it raised this prompt.

Meanwhile, verify the current value of the SocketPoolSize registry key under the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters
Manually modify it to the value you want, restart the computer, and check whether the issue persists.

For more information please refer to the link below:

DNS Socket Pool – Windows 2008 R2
http://technet.microsoft.com/en-us/library/ee683907(WS.10).aspx
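A read-only PowerShell health check tying together the checks above: the reserved UDP pool seen in netstat -ab, the per-PID port listing from netstat -ano for the RPC Endpoint Mapper issue, the SocketPoolSize registry value, and the dynamic port range on Vista/2008 and later. This is an added example, not a script from the original post; it assumes an elevated prompt on a Windows Server running the DNS Server role, and the object and column names it uses are its own.

```powershell
# Added example, not from the original post: a read-only health check for the
# port-related symptoms discussed above. Assumes an elevated PowerShell prompt on
# a Windows Server running the DNS Server role. The registry path and the 2500
# default come from the text; the netstat column layout assumed is the standard
# "Proto  Local Address  Foreign Address  [State]  PID".

# 1. DNS socket pool size: explicit registry value, or the 2500 default if absent.
$dnsParamsPath = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
$dnsParams = Get-ItemProperty -Path $dnsParamsPath -ErrorAction SilentlyContinue
if ($dnsParams -and $dnsParams.PSObject.Properties["SocketPoolSize"]) {
    $poolSize = [int]$dnsParams.SocketPoolSize
    "SocketPoolSize is set explicitly in the registry: $poolSize"
} else {
    $poolSize = 2500
    "SocketPoolSize is not set; the DNS server uses the default of $poolSize"
}

# 2. Parse "netstat -ano". TCP rows carry a State column and UDP rows do not, so
#    the owning PID is always the last field and the protocol is the first.
$connections = @(netstat -ano | ForEach-Object {
    $fields = $_.Trim() -split '\s+'
    if ($fields[0] -match '^(TCP|UDP)' -and $fields[-1] -match '^\d+$') {
        New-Object PSObject -Property @{
            Proto = $fields[0]
            PID   = [int]$fields[-1]
        }
    }
})

# Map PIDs to process names once rather than calling Get-Process per row.
$procNames = @{}
Get-Process | ForEach-Object { $procNames[[int]$_.Id] = $_.ProcessName }

# 3. UDP sockets held by dns.exe: the reserved pool shows up here even though the
#    ports are not necessarily in use (the netstat -ab observation above).
$dnsPids = @(Get-Process -Name dns -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
$dnsUdp  = @($connections | Where-Object { $_.Proto -match '^UDP' -and $dnsPids -contains $_.PID }).Count
"`ndns.exe currently holds $dnsUdp UDP sockets (configured socket pool size: $poolSize)"

# 4. Which processes hold the most ports? A process that never releases ports can
#    starve the RPC Endpoint Mapper; look here before enlarging the RPC port range.
"`nTop ten port holders (all protocols):"
$connections | Group-Object PID | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object {
        $name = $procNames[[int]$_.Name]
        if (-not $name) { $name = "(exited or system)" }
        "  {0,5} ports  PID {1,-6} {2}" -f $_.Count, $_.Name, $name
    }

# 5. Dynamic (ephemeral) UDP range. Windows Vista/2008 and later expose it via netsh
#    (default 49152-65535); the command does not exist on Windows 2003.
"`nDynamic UDP port range reported by netsh (Vista/2008 and later only):"
$range = @(netsh int ipv4 show dynamicport udp 2>$null)
$range | Where-Object { $_ -match 'Start Port|Number of Ports' } | ForEach-Object { "  $_" }
```

If dns.exe shows far more UDP sockets than SocketPoolSize, or a single unrelated PID dominates the top-ten list, that process rather than the DNS patch is the likely cause of the port exhaustion.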

 

More information on the Microsoft DNS Cache Poisoning Vulnerability KB953230 patch and the DNS exploit issue is available at the following links.

US-CERT Vulnerability – Note VU#800113
Multiple DNS implementations vulnerable to cache poisoning.
DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that …
https://www.kb.cert.org/vuls/id/800113

SecureWorks: DNS Cache Poisoning
The old problem of DNS cache poisoning has again reared its ugly head.
There are new attacks, which make DNS cache poisoning trivial to execute against …
http://www.secureworks.com/research/articles/dns-cache-poisoning

DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative …
Cache poisoning attacks – Variants – Prevention and mitigation
http://en.wikipedia.org/wiki/DNS_cache_poisoning

MS08-037: Description of the security update for DNS in Windows Server 2003, in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
http://support.microsoft.com/?id=951748

MS08-037: Vulnerabilities in DNS could allow spoofing
http://support.microsoft.com/default.aspx/kb/953230

How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873

You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)
http://support.microsoft.com/default.aspx/kb/956188

Some Services May Fail to Start or May Not Work Properly After Installing MS08-037 (951746 and 951748)
http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx

SBS Services failing after MS08-037 – KB951746 and 951748
http://msmvps.com/blogs/thenakedmvp/archive/2008/07/18/sbs-services-failing-after-ms08-037-kb951746-and-951748.aspx

 

Additional Updated Links (added 8/9/2010):

[PDF] Windows DNS Server Cache Poisoning
www.babilonics.com/files/Windows_DNS_Cache_Poisoning.pdf

==================================================================

Ace Fekay

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones


Revisions:

Original publication 3/2006
Recompiled 6/10/2010
Updated 12/9/2010
Updated 8/31/2014

Prologue

Ace here again. I’m cleaning up my blogs for technical and syntax errors. If you see anything that needs correction, please let me know.

Preface and Scope Of this Article

This blog explains how to use ADSI Edit to determine if duplicate zones exist in the AD database and how to delete them.

When using ADSI Edit, the duplicate zones show up in the partitions with names that are prefixed with an “In Progress….” or “CNF…” and suffixed with a long GUID number. You will be checking EACH DC. When you find them, you will simply delete them, because they are useless and cause substantial problems.

This blog also explains how duplicate zones can make zone records appear to disappear.

Introduction to Duplicate Zones

Duplicate zones can cause numerous issues, for the simple reason that the DNS zone that DNS is showing you on a specific DC may not have the latest data. It may literally be missing data that you see on other DCs. If there are duplicate or conflicting zones, the zone data can’t replicate, so each DC may hold a different copy of the zone, which results in unreliability and AD issues.

To further complicate matters, there are three different storage locations in which AD can store AD integrated DNS zones – the DomainDnsZones, ForestDnsZones, and DomainNC partitions. You can read more on the specifics in one of my other blogs:

DNS Zone Types Explained, Storage Locations in the AD database, and their Significance in Active Directory.
https://blogs.msmvps.com/acefekay/2013/04/30/dns-zone-types-explained-and-their-significance-in-active-directory/

Symptoms?

You may have a duplicate or conflicting zone if the same zone exists in both the Domain NC and one of the Application Partitions, or in more than one Application Partition. Some of the symptoms include:

  • When trying to change the replication scope, you receive an unusual error message stating, “The name limit for the local computer network adapter card was exceeded.”

DNS Duplicate zone - Scope Replication error - The Replication scope could not be set- The name limit for the local computer network adapter was exceeded.

  • Event ID 4515
  • An admin sees that data present on one DC is missing on another DC and manually creates the records there.
  • Zone data is disappearing, or appears to be. The data on each DC is different, and you wonder why replication isn’t bringing the zone data up to date; it won’t, because AD replication of the zone either does not occur or stops when AD sees a duplicate.

Causes?

    • You installed DNS on another DC, didn’t see the zone that exists on the other DCs, and manually created the AD zone because you didn’t have the patience to wait for replication, which would have populated it automatically.
    • You promoted a new DC in another site and didn’t have the patience to wait for the zone data to replicate.
    • Antivirus not configured to exclude AD communications (a common cause).
    • At one time, or currently, the AD environment is a mixed Windows 2000/2003/2008 environment with DNS installed on all operating system versions. On Windows 2000, an AD Integrated zone is stored in the DomainNC partition of the AD database, and the zone should be set the same way on the Windows 2003 or newer DC/DNS servers to keep the zone data compatible so that both operating system versions can read and use it.
    • Someone attempted, in Windows 2003 or 2008 DNS, to move the zone into the DomainDnsZones partition without realizing the implications, hence the duplicate. In a scenario such as this, where you want to use the Windows 2003 application partitions, you must first ensure the zone on the Windows 2003 server is set to the DomainNC, then uninstall DNS from the Windows 2000 machine, and once that’s done and AD replication has been given time to occur, go to the Windows 2003 or newer DNS server and change the zone’s replication scope to one of the application partitions.
    • A new domain controller was promoted into the domain, and the administrator manually created the zone name in DNS. This causes a duplicate. The proper way is to simply install DNS and allow AD replication to occur; the zone will auto-populate into DNS.

    I usually don’t want to assume someone’s deleting data. That would be the far end of the spectrum, especially if more than one DC is showing inconsistent zone data.

    I feel the best approach to find out which is occurring is to first find out if there is a duplicate zone. This is because auditing is time consuming, and you need to parse through all the events generated in the Security event logs. It’s easier to run ADSI Edit to find if there are duplicates. Once you’ve determined it’s not a duplicate zone issue, then you can move on to DNS auditing. If it is a duplicate zone issue, follow the procedure below to remove them.

    *

    AD Integrated Zones Storage Locations

    First, a quick review on the partitions. Hopefully you’ve taken a few moments to read my blog link that I posted above to understand the partitions. If not, I’ll just touch base on it here so you understand it and can relate to it. For specifics and the nitty gritty, read my other blog above.

    Windows 2000:

    The physical AD database is broken up into 3 logical partitions: the DomainNC (Domain Naming Context, or as some call it, the Domain Name Container), the Configuration Partition, and the Schema Partition. The Schema and Configuration partitions replicate to all DCs in a forest.

    The DomainNC is specific only to the domain the DC belongs to. That’s where a user, domain local or global group is stored. The DomainNC only replicates to the DCs of that specific domain.

    When you create an AD Integrated zone in Windows 2000, it gets stored in the DomainNC. This causes a limitation if you want this zone to be available on a DC/DNS server that belongs to a different domain. The only way to get around that is a little creative design using either delegation or secondary zones. This was a challenge for the _msdcs.contoso.com zone, which must be available forest wide to resolve the forest root domain, which holds the Schema Master and Domain Naming Master FSMO roles.

    Windows 2003 and newer:

    Two additional storage locations were added to the AD database for DNS storage. These areas are called “partitions,” specifically the DomainDnsZones and ForestDnsZones Application Partitions, created specifically to store DNS data and to overcome the limitation of Windows 2000’s AD Integrated zones. Now you can store an AD Integrated zone in either of these new partitions instead of the DomainNC. If stored in the DomainDnsZones application partition, it is available only to DC/DNS servers in that domain. If you store it in the ForestDnsZones application partition, it will be available to any DC/DNS server in the whole forest. This opens many more design options. It also ensures the availability of the _msdcs.contoso.com zone to all DCs in the forest. By default in Windows 2003, the _msdcs.contoso.com zone is stored in the ForestDnsZones application partition.

    Selecting the Replication Scope in Windows 2003 and newer:

    When selecting a zone replication scope in Win2003, in the zone’s properties, click on the “Change” button. Under that you will see 3 options:

    • “To all DNS servers in the AD forest example.com” (the top button). This option puts the zone in the ForestDnsZones Application Partition. This setting allows the zone data to replicate to the domain controllers of every domain in the forest, including any additional Trees that exist in the forest.
    • “To all DNS servers in the AD domain example.com” (the middle button). This option puts the zone in the DomainDnsZones Application Partition, so it is stored and replicated only within the specific domain it exists in. This setting is not compatible with Windows 2000 domain controllers. If Windows 2000 domain controllers exist in the domain, then the bottom option (below) will need to be used.
    • “To all domain controllers in the AD domain example.com” (the bottom button). This option puts the zone in the DomainNC (Domain Naming Context) portion of the actual AD database. This is only for Windows 2000 compatibility, that is, if you have any Windows 2000 domain controllers in the specific domain you are administering.

    If you receive an Event ID 4015 or the following error, it may indicate there is a duplicate or conflicting zone that exists in the DomainNC, the DomainDnsZones Application partition and/or in the ForestDnsZones partition.

    DNS Duplicate zone - Scope Replication error - The Replication scope could not be set- The name limit for the local computer network adapter was exceeded.

    *

    Non-AD Integrated Primary and Secondary Zones

    A Primary or Secondary zone that is not stored in AD is stored in a text file in the system32\dns folder. This type of zone storage has nothing to do with the AD-integrated types above, unless it is truly a secondary zone whose Master is a DC transferring a copy of the zone. This type of zone storage is obviously not secure.

    Now **IF** you did manually create a zone (whether intentionally or unknowingly) on one DC while it already existed on another DC, then you may have a duplicate.

    *

    Duplicate zone names will start with the letters,  “CNF…” or “InProgress…”

    If there is a duplicate, you can use either ntdsutil or ADSI Edit to take a look. In this article I will outline how to use ADSI Edit to look for the duplicate.

    A duplicate zone name will appear in ADSI Edit that starts with an “In Progress….” or “CNF…” with a long GUID number after it.

    • “CNF…” means it’s in conflict due to a duplicate in the AD database.
    • “In Progress….” means it is trying to replicate, but it can’t because there’s another identical zone name with a different USN version number (USNs are used for replication control between DCs) on another domain controller, which also means there’s a duplicate zone.

    You can simply delete them, which will clean up the whole problem. Yep, a simple deletion. The “CNF” data is not used by AD, yet it conflicts with the zone that is actually used, and so it needs to be deleted.

    But before doing anything about it just yet, let’s read on to explain more about this and what may have caused it.

    *

    Preventing Duplicate Zones

    AD Integrated Zones will auto-populate when adding replica domain controllers

    If an AD integrated zone exists on a DC and you install the DNS service on another DC in the domain or forest (depending on the replication scope), the zone will automatically appear on the new DNS installation without any interaction on your part. You may have to wait a certain period of time for it to populate, depending on whether the other DC is in the same AD Site or not, but it WILL AUTO-POPULATE.

    However, if you manually create the zone, believing that you need to do this to make the zone available on that DC, then you’ve just introduced a duplicate zone in the AD database. It doesn’t matter if, say, the zone originally exists in the DomainNC and you manually create the zone on the other DC and put it into the DomainDnsZones application partition; AD will still see it as a duplicate in the AD database.

    Duplicate zones cause numerous AD communication and access problems.

    The point is, AD is smarter than you think. Let it do its thing.

    *

    An Example of what AD Duplicate Zones look like in ADSI Edit

    This image shows “In Progress…” entries. They need to be deleted.

    *

    Using ADSI Edit to look at your AD Partitions

    This is a manual step by step. For a screenshot step by step, see the next section.

    This section assumes you have a little familiarity with ADSI Edit. If not, I suggest getting yourself familiar with it once you’ve connected to the various partitions as outlined below. Be careful deleting anything: deletion is a destructive process, and once deleted, the object is basically gone. There is no “Back,” “Undelete,” or “Undo” button. To restore data, you will need to run an Authoritative Restore from your backup program for the specific object that was deleted.

    Determine if there are any duplicate zones.

    While in ADSI Edit, if you see the exact same zone name in multiple partitions, such as the same zone name in the Domain NC (Naming Context) partition, in the DomainDnsZones application partition, and/or in the ForestDnsZones application partition, you have duplicate zones. If this is the case, then you must choose which zone you want to keep.

    I will select a DC that isn’t having a problem and delete the duplicates and conflicts off all other DCs.

    Multiple domains or multiple tree forest?

    If the AD forest is a multidomain forest with child domains and/or multiple trees, you must look at each domain’s DomainNC and DomainDnsZones partition, because each domain has one.

    To view the DomainNC Partition (Default Naming Context)

    • In ADSI Edit, right-click ADSI Edit, choose “Connect To,” and in the Connection Point click “Well known Naming Context”, then in the drop-down box select “Domain”. In Windows 2003 or newer, this option shows up as “Default Naming Context”.
    • Expand DomainNC or Default Naming Context, then expand your domain name. Drill down to CN=System. Under that you will see CN=MicrosoftDNS.
      You will see any zones that are in the DomainNC partition under the MicrosoftDNS folder.
    • If you see anything that starts with an “In Progress….” or “CNF…” with a long GUID number after it, that’s a duplicate zone. Delete them!

    To view the ForestDnsZones Application Partition:

    [ForestDNSZones]

    1. Click Start, click Run, type adsiedit.msc, and then click OK.
    2. In the console tree, right-click ADSI Edit, and then click “Connect To.”
    3. Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK:
      DC=ForestDNSZones, DC=contoso, DC=com
    4. In the console tree, double-click DC=ForestDNSZones, DC=contoso, DC=com.
      Double-click CN=MicrosoftDNS, and click the zone (contoso.com).
    5. You should now be able to view the DNS records which exist in this DNS partition.

    If you see anything that starts with an “In Progress….” or “CNF…” with a long GUID number after it, that’s a duplicate zone. Delete them!

    To view the DomainDnsZones Application Partition

    [DomainDNSZones]

    1. Click Start, click Run, type adsiedit.msc, and then click OK.
    2. In the console tree, right-click ADSI Edit, and then click “Connect To.”
    3. Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK: DC=DomainDNSZones,DC=contoso,DC=com.
    4. In the console tree, double-click DC=DomainDNSZones,DC=contoso,DC=com
      Double-click CN=MicrosoftDNS, and click the zone (contoso.com).
    5. You should now be able to view the DNS records which exist in this DNS partition.

    If you see anything that starts with an “In Progress….” or “CNF…” with a long GUID number after it, that’s a duplicate zone. Delete them!
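    To check all three storage locations on a DC without clicking through each partition in ADSI Edit, here is an added, read-only PowerShell search (not from the original post) that lists dnsZone objects in the DomainNC, DomainDnsZones and ForestDnsZones containers and flags names carrying the CNF / In Progress markers described above, as well as zone names present in more than one partition. It assumes a domain-joined machine with read access to the partitions and uses System.DirectoryServices; the -Server parameter is this example's own, so you can run it against each DC as the text recommends.

```powershell
# Added example, not from the original post: read-only search for duplicate or
# conflicting AD-integrated DNS zones across the three storage locations.
# Assumes a domain-joined machine with read access to the partitions and the
# System.DirectoryServices classes that ship with .NET on Windows Server.
param(
    # Which DC to query. The text recommends checking EACH DC, so run once per DC.
    [string]$Server = ""
)

function Get-LdapPath([string]$dn) {
    if ($Server) { "LDAP://$Server/$dn" } else { "LDAP://$dn" }
}

$rootDse  = [ADSI](Get-LdapPath "RootDSE")
$domainNc = $rootDse.defaultNamingContext.Value
$forestNc = $rootDse.rootDomainNamingContext.Value

# The three places an AD-integrated zone can live (see "AD Integrated Zones Storage Locations").
$containers = @{
    "DomainNC"       = "CN=MicrosoftDNS,CN=System,$domainNc"
    "DomainDnsZones" = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNc"
    "ForestDnsZones" = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestNc"
}

$zones = @()
foreach ($partition in $containers.Keys) {
    $base = Get-LdapPath $containers[$partition]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$base
    $searcher.Filter      = "(objectClass=dnsZone)"
    $searcher.SearchScope = "OneLevel"
    $searcher.PageSize    = 1000
    [void]$searcher.PropertiesToLoad.Add("name")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    try {
        foreach ($result in $searcher.FindAll()) {
            $zones += New-Object PSObject -Property @{
                Partition = $partition
                Name      = [string]$result.Properties["name"][0]
                DN        = [string]$result.Properties["distinguishedname"][0]
            }
        }
    } catch {
        # e.g. no DomainDnsZones partition in a pure Windows 2000 domain
        Write-Warning "Could not read $partition at $base : $($_.Exception.Message)"
    }
}

# Conflict and replication-collision objects carry the markers described above.
$marker    = 'CNF:|In\s?Progress'
$conflicts = @($zones | Where-Object { $_.Name -match $marker })

# The same zone name stored in more than one partition is also a duplicate.
$multiPartition = @($zones | Where-Object { $_.Name -notmatch $marker } |
    Group-Object Name | Where-Object { $_.Count -gt 1 })

"Zone objects found per partition:"
$zones | Group-Object Partition | ForEach-Object { "  {0,-15} {1}" -f $_.Name, $_.Count }

if ($conflicts.Count -gt 0) {
    "`nCNF / In Progress zone objects (review, then delete as described in the text):"
    $conflicts | Sort-Object Partition, Name | ForEach-Object { "  [{0}] {1}" -f $_.Partition, $_.DN }
} else { "`nNo CNF / In Progress zone objects found." }

if ($multiPartition.Count -gt 0) {
    "`nZone names present in more than one partition:"
    foreach ($g in $multiPartition) {
        "  {0} -> {1}" -f $g.Name, (($g.Group | ForEach-Object { $_.Partition }) -join ", ")
    }
} else { "No zone name appears in more than one partition." }
```

    The script only reads; deleting the flagged objects is still the manual ADSI Edit step described in the procedure below.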

    *

    Procedure with Screenshots:

    (The screenshots from the original post are not reproduced here; the manual steps in the preceding section cover the same procedure.)

    *

    Procedure to Delete the Duplicate zones

    The easiest approach is to simply delete any duplicates you find in ADSI Edit. Choice #1, deleting them, can actually be done safely during production. As a matter of fact, things may just start to work after you delete them! Choice #2, which is a lengthy procedure, must be done during non-production hours.

    Choice #1 (Recommended)

    Just go into ADSI Edit and delete the duplicate zones you’ve found.

    You can do this during production, and frankly, I’ve done it in a large infrastructure during production hours without any problems. This is my personal choice as long as there are no true duplicate zones. If, however, you see a true duplicate of your actual zone, such as domain.com appearing in more than one partition, without any zone names prefixed with an “In Progress….” or “CNF…” and a long GUID number after them, then you must perform Choice #2.

    Choice #2 (Not recommended)

    This is a multi-step process to first change the zone to a Standard Primary Zone, which removes it from the AD database, allow AD replication to complete, delete the duplicates, then change the zone to AD integrated, and allow AD replication to complete.

    • Choose only one DC to perform this action.
      • For example, if the duplicate is in the DomainDnsZones partition or DomainNC partition of a child domain, perform it only on a DC in that domain.
      • If the duplicate is in the ForestDnsZones partition, you can choose any DC in the forest.
    • Right-click the zone name and choose Properties.
    • Under the General tab, click the “Change” button next to the “Type” section.
    • Uncheck the box that says “Store the zone in Active Directory (available only if DNS server is a domain controller).”
    • Click OK. Don’t click OK again just yet; just click Apply.
    • IMPORTANT – You must allow AD replication to occur to replicate the change to all DCs that are in the replication scope of the zone. If you have DCs in another AD Site and the replication schedule is set to, for example, 3 hours, then you must WAIT for 3 hours.
    • This action makes the zone a Standard Primary zone. This means it is now stored in the system32\dns\ZoneName.com.dns text file and is no longer in the AD database.
    • You can also force replication. If there are AD Sites configured and the replication schedule on the Site Connection objects is, say, 3 hours, you can reduce the schedule on the Site Connection objects to the minimum allowed, which is 15 minutes. Then force replication by right-clicking the partner DC’s NTDS Settings and choosing Replicate Now.
    • Once you have confirmed that replication has occurred, and after refreshing the ADSI Edit window you see the zone no longer exists in any of the partitions, you can safely delete the duplicate zones.
    • Note: Just to be clear, you will be deleting any zone names that you find that are prefixed with an “In Progress….” or “CNF…” and suffixed with a long GUID number.
    • Also Note: Deleting a zone is a destructive operation. Make sure you are only deleting duplicates!
    • Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
    • In the console tree, right-click contoso.com, point to All Tasks, and then click Restart.
    • Change the zone back to AD Integrated with the Replication Scope it’s supposed to be in.
    • Once the duplicates have been deleted, once again, you MUST allow AD replication to occur. If you had changed the Replication Schedule on the Site Connection objects to speed up AD replication, reset them to their original setting.

    *

    References

    DNS zone replication in Active Directory
    http://technet.microsoft.com/en-us/library/cc779655(WS.10).aspx

    Oops, our AD Integrated DNS zone’s are missing in Windows 2003!
    http://blogs.technet.com/b/networking/archive/2007/05/10/oops-our-ad-integrated-dns-zone-s-are-missing-in-windows-2003.aspx

    Directory Partitions:
    http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp

    kbAlertz- (867464) – Explains how to use ADSI Edit to resolve app partitions issues:
    http://www.kbalertz.com/kb_867464.aspx

    Event ID 4515 is logged in the DNS Server log in Windows Server 2003
    http://support.microsoft.com/kb/867464

    *

    Summary

    It seems like a lot of steps, but it really isn’t. Just read it over a few times to get familiar with the procedure. You may even want to change it into a numbered step by step list if you like. If you only have one DC, and one Site, then it’s much easier since you don’t have to mess with secondary zones or play with the site objects.

    I hope that helps!

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services
    Complete List of Technical Blogs and Videos: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This blog is provided AS-IS with no warranties or guarantees and confers no rights.

    Suggestions, Comments and Corrections are Welcomed!