DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Do I Need WINS? Direct Hosted SMB (DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm

Ace Fekay again!!!!

Compiled 8/13/2018

I know everyone always has trouble with this topic, as in why doesn’t DNS failover on the client, especially that I set four or five DNS addresses on it??? Why!!!

Because it doesn’t work that way! And NO, it’s not a “Microsoft” client thing or server thing, it’s based on the client side resolver service defined as an industry standard that all manufacturer’s (Microsoft, Apple, Unix flavors, Android, etc) operating systems follow, including your phone.

Topics Covered

========================================

1. DNS & WINS Resolution Process

Keep in mind, Win2000 and newer machines uses the DNS (hostname) process FIRST before the NetBIOS resolution process. If it does not get resolved using the DNS process, then it uses the NetBIOS process. Legacy pre-Windows 2000 clients, such as Windows NT, Windows 98, Windows 95, Windows 3.1, DOS, etc, use the NetBIOS process FIRST if the queried name is less than 15 characters, and if not, it uses hostname (DNS) resolution. If is is shorter than 15, then it will use NetBIOS, but if it doesn’t get resolved using NetBIOS, only then will it use the DNS hostname resolution process.
 
If you are using an NBNS (NetBIOS Nameserver, such as WINS), that changes it a bit, and it also depends on what Node it’s in. H-Node is default, but the order can be changed with a registry change. There are four NetBIOS Nodes:

B-Node – Broadcast ONLY
P-Node – NBNS (Netbios Nameserver) or WINS ONLY
M-Node- Mixed NBNS and Broadcast, but uses Broadcast FIRST.
H-Node – Mixed NBNS and Broadcast, but uses WINS FIRST.

Windows 2000 and newer, hostname (DNS or hosts file) resolution is used first before NetBIOS (WINS enabled)

  1. Checks it’s own name.
  2. Local hostname (DNS client side resolver) cache
  3. HOSTS file
  4. DNS (this is where the search suffix comes in play if a single name query)
  5. NetBIOS name cache
  6. WINS
  7. Broadcast
  8. LMHOSTS

Windows 2000 and newer – If not using WINS:

  1. Checks it’s own name.
  2. Local hostname (DNS client side resolver) cache
  3. HOSTS file
  4. DNS (this is where the search suffix comes in play if a single name query)
  5. NetBIOS name cache
  6. Broadcast
  7. LMHOSTS

Prior to Windows 2000 (ME, 95, DOS, 3.1, etc), NetBIOS was tried first, essentially if using WINS:

  1. Is name longer than 15 characters? If so, perform Hostname (DNS) resolution process. If not, continue…
  2. Checks it’s own name.
  3. NetBIOS name cache
  4. WINS
  5. Broadcast
  6. LMHOSTS files
  7. Local hostname (DNS client side resolver) cache
  8. HOSTS file
  9. DNS (this is where the search suffix comes in play if a single name query)

If NetBIOS is disabled, which only disabled the NBT transport and interface, TCP will still use DirectSMB (also called Direct Hosted SMB) in Windows 2000 or newer. If both the direct hosted and NBT interfaces are enabled, both methods are tried at the same time and the first to respond is used. This allows Windows to function properly with operating systems that do not support direct hosting of SMB traffic.

Regarding DirectSMB,

Quoted from Aiden Cao, MIcrosoft, 2/6/2012 in thread:
TechNet Thread question: “Netbios Session Service and SMB” 2/5/2012
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e03e2d52-0761-451a-91e8-40955172f460/

“Previous to Windows2000, Microsoft OS could only use SMB over a NetBIOS session. This means that all SMB traffic will start after NetBIOS session is established. It’s relies on TCP port 139. If we disabled the NetBIOS over TCP/IP, the SMB connectivity was interrupted.

At Windows 2000 and higher version, the OS support both NetBIOS sessions and Direct Hosting. And Direct Hosting of SMB over TCP uses TCP port 445. Since Direct Hosting is not reliant on NetBIOS, NetBIOS over TCP/IP can be disabled and connectivity to resources via SMB is still possible to other machines, with the only caveat with legacy apps that rely on NetBIOS.”

Direct hosting of SMB over TCP/IPRemoving WINS and NetBIOS broadcast as a means of name resolution. DirectSMB uses TCP 445… Direct-hosted SMB’s cannot be disabled in Windows without disabling additional features…
http://support.microsoft.com/kb/204279

More on the client side resolver:

How DNS works, March 28, 2003
Client side process order, etc.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc772774(WS.10).aspx#w2k3tr_dns_how_gaxc

How NetBIOS name resolution really works, By Robert L. Bogue, March 11, 2003
http://www.techrepublic.com/article/how-netbios-name-resolution-really-works/5034239

DNS Hostname Resolution Flowchart:

The following information was quoted from:
Chapter 7: Host Name Resolution
http://technet.microsoft.com/en-us/library/bb727005.aspx
(Image 1): http://technet.microsoft.com/en-us/library/Bb727005.chp7hn01_big(en-us,TechNet.10).gif

Second two images from this link:
Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx
(Image 2): http://i.technet.microsoft.com/Cc940063.CNBC05(en-us,TechNet.10).gif
(Image 3) http://i.technet.microsoft.com/Cc940063.CNBC05B(en-us,TechNet.10).gif

Image1:

Image 2 & Image 3:

NetBIOS Name Resolution Process:

The following two images are quoted from:

Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx

Resolution Process Related Links:

Hostname Resolution – Describes DNS domain name resolution
http://technet.microsoft.com/en-us/library/cc958812.aspx

NetBIOS and Hostname resolution for Microsoft Client and LAN Manager 2.2c Client:
http://support.microsoft.com/kb/169141/EN-US/

Name Resolution Process in detail:
http://www.comptechdoc.org/os/windows/wintcp/wtcpname.html

(This was Updated 1/2012 to reflect Windows 7 & Windows 2008 R2 changes)

Back to top of page>

========================================

2. Browser service without WINS across subnets

It appears to say that if all machines are Windows 2000 and newer, (nothing older), AD provides NetBIOS resolution for all clients. But it doesn’t say how it goes about doing that. It goes on saying that the backup browsers and master browsers for each segment over a WAN communicate to the PDC, which is the browse master for a domain, over UDP 138, means that AD has a role in this, but is not specific. What appears to be happening is an AD client uses DirectSMB over 445, but I’m not sure. I cannot find anything on the mechanism. I’m one to want to know and learn of the background functions of anything. This is not necessarily so with non-AD clients.

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001

Common causes and solutions of browser Event ID 8021 and Event ID 8032 on domain master browsers
http://support.microsoft.com/kb/135404

Troubleshooting the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188305

New Networking Features in Windows Server 2008 and Windows Vista (Scroll down and read the “Computer Browse Service” section and its mention that the Computer Browser needs to be running on the PDC Emulator of a domain)::
http://technet.microsoft.com/en-us/library/bb726965.aspx

Windows 2008 – Appendix C – Computer Browser Service
http://technet.microsoft.com/en-us/library/bb726989.aspx

Back to top of page>

========================================

3. Do I need WINS?

That’s an extremely good question. The answer is it depends. It depends on what apps and services currently running that require NetBIOS name resolution support.

For example, unless it’s been recently changed, Symantec Backup Exec needs it to ‘browse’ for the agent in the network browse list. Therefore, Backup Exec currently uses NetBIOS to assemble a list of all machines on a network to allow you to backup up remote computers whether the agent is installed or not, and giving you the option to install the backup agent.

So it depends on what YOU have running.

For example, Some AV solutions, such as McAfee Enterprise, Symantec, and CA uses NetBIOS to “find” all machines on the network to allow you to rollout installations and administer.

Therefore, you must inventory your infrastructure for applications and sevices that use NetBIOS. If I may suggest, make sure there are no applications running that rely on NetBIOS, such as SQL, Exchange, Netgwork Neighborhood browsing, printer browsing, etc, before pulling WINS out.

And yes, keep in mind Exchange 2000/2003  and Outlook communications require WINS for certain functions, such as Calendaring. This was removed from Exchange 2007 and 2010, and uses a different mechanism.

Here are some relevant links:

Exchange Server 2003 and Exchange 2000 Server require NetBIOS name resolution for full functionality
http://support.microsoft.com/kb/837391

Eileen Brown’s WebLog: Exchange 2003 and WINS
http://blogs.technet.com/eileen_brown/archive/2006/01/26/exchange-wins.aspx

WINS dependencies in Exchange 2003 Server
Summary of Microsoft’s implimentation of WINS Windows Internet Name Service. How even Exchange 2003 makes NetBIOS calls. Implications for a routed network.
http://www.computerperformance.co.uk/w2k3/services/WINS_exchange.htm

If you need WINS and want to learn how to install and configure it, please see the following:

WINS – What Is It, How To Install It, and how to Configure DHCP Scopes For WINS Client DHCP Distribution
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

How To Install a WINS server:
http://technet2.microsoft.com/windowsserver/en/library/e4d3c3d8-a846-49b9-aac6-e04f2907aac51033.mspx

WINS Best Practices (Use ONLY itself in ip properties):
http://technet2.microsoft.com/windowsserver/en/library/ed9beba0-f998-47d2-8137-a2fc52886ed71033.mspx

Back to top of page>

========================================

4. Disabling the Browser service, NetBIOS

Just be careful on what you disable. The effects of disabling certain services depend on the operating system version and its role. Disabling a necessary service may disable certain necessary functions on a machine. See section 3 above regarding apps that may be using or need NetBIOS support.

1. You can disable this service on a machine in a domain environment. It dictates whether it participates with becoming an eligible master browser on a subnet. To understand what that means, requires some reading.

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001

What’s the Microsoft Computer Browser Service?
Disable NetBIOS in W2K/XP/2003 · Hide a Server from the Microsoft Computer Browser … Malicious User Can Shut Down Computer Browser Service:
www.petri.co.il/whats_the_microsoft_computer_browser_service.htm

Computer Browser Service
http://www.theeldergeek.com/computer_browser.htm

2. Leave that running. You need it. It works for all versions of NTLM.

NTLM Security Support Provider.
NTLM SSP is based on Microsoft Windows NT® LAN Manager challenge/response and NTLM version 2 authentication …
http://msdn.microsoft.com/en-us/library/ms925943.aspx

3. If you disable the TCP NetBIOS Helper, you will not be able to map any drives or printers using NetBIOS names or FQDN.

“Network Location Cannot be Reached” Error Message When You Try to … To resolve this issue, start the TCP/IP NetBIOS Helper Service, and then join the domain.

To start the NetBIOS Helper Service, follow these steps:
http://support.microsoft.com/kb/329866

4. One big advise – do not disable the DHCP Client service on any server, whether the machine is a DHCP client or statically configured. Somewhat of a misnomer, this service performs Dynamic DNS registration and is tied in with the client resolver service. If disabled on a DC, you’ll get a slew of errors, and no DNS queries will get resolved.

No DNS Name Resolution If DHCP Client Service Is Not Running. When you try to resolve a host name using Domain Name Service (DNS), the attempt is unsuccessful. Communication by Internet Protocol (IP) address (even to …
http://support.microsoft.com/kb/268674

Windows Vista/2008 and newer, the DNS Client service is now responsible for Dynamic Updates

This has changed in WIndows Vista, Windows 2008, Windows 7 and Windows 2008 R2 – It no longer uses the DHCP Client Services. It now uses the DNS Client Service.

 For Windows 2000/2003/XP, the DHCP Client Service is what performs the Dynamic DNS Update process. For Windows 2008/Vista/2008 R2/Windows 7 and all newer operating systems, it is now the DNS Client Service.

Specific details can be found in the following link:

Understanding Dynamic Update, Applies To: Windows Server 2008, Windows Server 2008 R2 (and changes to the DNS Update process from previous operating systems)
http://technet.microsoft.com/en-us/library/cc771255.aspx

Quoted from above article:

“The DNS Client service and the DNS Server service support the use of dynamic updates, as described in Request for Comments (RFC) 2136, “Dynamic Updates in the Domain Name System.” 
The documentation after that indicates the DHCP CLient service, but please ignore that. There are a few of us in touch with the dev group about the documentation, and it wil be cleared up.
The point is the DHCP CLient service is no longer responsible for updates.

DHCP (Dynamic Host Configuration Protocol) Basics
http://support.microsoft.com/kb/169289

Back to top of page>

========================================

5. DNS Client side Resolver service Query Process

The Client Side Resolver Service algorithm on all Windows 2000 and newer machines:

To summarize:

If the first entry responds but doesn’t have an answer, which is what we call an NXDOMAIN response (when the DNS server doesn’t have an answer but it responded), it won’t go to the second entry, because it got an answer, even though it is not the answer we wanted.

If the DNS server does not respond, which we call a NULL response (when the DNS is down and doesn’t respond), it will go to subsequent entries in the order entered after a time out period, or TTL, which can last 15 seconds or more as it keeps trying the first one, at which then it REMOVES the first entry from the “eligible resolvers” list, until the list is reset after 15 minutes, and either restart the DHCP Client Service (on 2000/2003/XP), (ipconfig /flushdns), restart the DNS Client Service (on 2008/Vista and all newer), or restart the machine.

.

For specifics, the Microsoft DNS Whitepapers is a good start. Here’s more:

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760

Technet Thread: “problem with secondary dns”
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/8fc4597c-d64e-4a87-9cfe-5fe159df5735/

.

Other references:

How to Disable Client-Side DNS Caching in Windows XP and Windows …Oct 12, 2007 …
To disable the DNS cache permanently in Windows, use the Service Controller tool or the Services tool to set the DNS Client service startup …
http://support.microsoft.com/kb/318803

How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003 (Read the part about the client side resolver algorithm and the client side resolver service timeout when querying multiple DNS entries)
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

How DNS query works Domain Name System(DNS):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/0bcd97e6-b75d-48ce-83ca-bf470573ebdc.mspx

DNS Resolver Cache Service [incvluding NetFailureCacheTime and NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp

286834 – DNS Client Service Doesn’t Revert to Using First Server in List [explained in the DNS white papers] reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834

261968 – Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968

SP4 Changes DNS Name Resolution – Actual Query Timeout settings the resolver uses – (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550

Linux and Unix client resolver works pretty much the same:

That is correct, this behavior ALSO applies to Non-Microsoft operating system client side resolver, such as the Linux/Unix Client Side Resolver

Thread: Re: Complex DNS Resolver Question – DNS
http://fixunix.com/dns/220126-re-complex-dns-resolver-question.html

Quoted from the above link:
If the hostname is not found, then you want to query
a local nameserver to locate the information. That is not how DNS
operates. If a queried nameserver is unaccessible, then DNS will query
another nameserver, providing that there is a second nameserver
configured. But if the first nameserver returns NXDOMAIN (the record
you requested is not in DNS), then the result returned to the client is
NXDOMAIN. The DNS protocol is not set up to look elsewhere for the
record, especially if the first nameserver returns NXDOMAIN
authoritatively.

Client Side Options If a DC goes down:

Run the following command line to fix this problem on your Active Directory clients by emptying the DC Locator cache (Replace “DomainName” with the Fully Qualified Domain Name (FQDN) of your Active Directory domain:
nltest /dsgetdc:DomainName /force

More on this:

Domain Controller Stickiness Prevention
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/06/24/domain-controller-stickiness-prevention.aspx

AD Clients Not Authenticating to its Local Site
http://blogs.dirteam.com/blogs/paulbergson/archive/2010/04/19/ad-clients-not-authenticating-to-its-local-site.aspx

Back to top of page>

========================================

6. DNS Forwarder Resolution and the Time Out Process

Information on how a DNS Forwarder time-out works with using multiple Forwarder:

Keep in mind, if you have too many forwarders listed, and only one is recommended (I believe 6 is the most it will use), the client side resolver may time out waiting for the 4th forwarder to get queried and will go to the next DNS server listed in the client’s IP properties.

Configure a DNS server to use forwarders (you can change the time-out period)
http://technet.microsoft.com/en-us/library/cc773370.aspx

Good post by Kevin Goodnecht explaining the forwarders time out and scenarios with too many Forwarders listed.
http://help.lockergnome.com/windows2/Strange-forwarding-issues-ftopict482618.html

Quoted from above link:

“Actually, the DNS service will stick to the Forwarder that provides an answer, no matter where it is in the list, if one forwarder times out (no answer) it will move to the next forwarder in the list, if the next forwarder provides an answer it uses it until it times out. The problem for you is, that it may not get back around to the first forwarder, before the Forwarding timeout expires, and it starts using recursion itself and goes to the root hints.

Now, if you check the box “Do not use recursion” the DNS server will use only its forwarders, and will not use root hints. But this cannot guarantee that one of the other servers being used as a forwarder answer the query.

I recommend that if there is a domain that cannot be reached through the internet root, that you add a secondary zone for that domain on the Win2k DNS server.”

Comment on Forwarders:

DNS acts as a resolving client when it uses a Forwarder because as the explanation indicated, it is sending the request elsewhere, essentially offloading the request so it doesn’t have to hit the Roots to devolve the query. If there are multiple Forwarders, DNS will hit each Forwarder. If it runs out of Forwarders, only then will it use the Roots, unless the checkbox to disable recursion is set under the Forwarders tab (not the Advanced tab). But then that all takes time. Keep in mind there is a time out that a client will wait, so if the original client request that sent it to your DNS server is waiting beyond the time out period, and the DNS server is waiting on it’s resolution request from a Forwarder, and the time out period is reached and no response is received, the client will assume that the DNS address that it used is no good and will remove it from the ‘eligible resolvers list’ and then query the second one.

If a DNS server that is set as a Forwarder is no longer functioning, or if whomever owns the server decides to disable Recursion, which will make it not respond to queries to zones it does not host (effectively making it a content only server), or is controlling it by “views” ( a BIND feature to control what subnets it responds to for queries), then the DNS service will follow a time-out (TTL or Time to Live) algorithm when it sends the query to the first Forwarder in the list. If there is no response (NULL response) after the TTL, then it eliminate that Forwarder for this query only, and it will then send the query to the next Forwarder in the list. If none of the Forwarders respond, the DNS service will then send the query to the Root Hints to devolve the query.

Now – and this is an important “now,” if there are many DNS servers listed in the Forwarders list, such as 3 or 4, the time out value for the number of Forwarders listed may exceed the timeout (TTL) the client side resolver service is set to by default (on the client machine making the request), therefore receiving that familiar ‘HTTP 404 not found’ in the browser.

For practical purposes understanding the TTLs, I would suggest to never set more than two Forwarders.

To find out if a DNS server will respond to queries and be eligible to use as a Forwarder, you can test it by using the nslookup utility (use set -d2 option and look for ‘recursion available’ or ‘recursion not available’

So for all practical purposes, I never set more than two Forwarders, otherwise what’s the use? If the first two can’t resolve it, it probably is not resolvable anyway.

Back to top of page>

========================================

7. If one DC or DNS server goes down, why can’t I logon to the other DC or not use the second DNS address to find another DC?

Which begs the eternal philosophical question:
If a Domain goes down in a forest, and there’s nobody there, did it crash?

Keep in mind that if any of the DCs are multihomed (more than one NIC and/or
IP), you are using your ISP’s DNS, or the domain is a single label name
(‘domain’ versus the recommended minimum of ‘domain.com,’ domain.local,’ etc),
  other problems will occur, and you will get unexpected and undesireable
results whether there is one DC down or not.

As for the second DC responding, this all depends on the DNS settings on the
client side, as well as if the previous logon server and record was cached.

It will use the second address, but only after a timeout period the client is waiting for a response from the server. You need to understand how the client side resolver works. As stated above in section #5:

  • If the first entry responds but doesn’t have an answer, which is what we call an NXDOMAIN response (when the DNS server doesn’t have an answer but it STILL responded), it won’t go to the second entry, because it got an answer, even though it is not the answer we wanted.
  • If the DNS server does not respond, which we call a NULL response (when the DNS is down and doesn’t respond), it will go to subsequent entries in the order entered after a time out period, or TTL, which can last 15 seconds or more as it keeps trying the first one, at which then it REMOVES the first entry from the “eligible resolvers” list, until the list is reset after 15 minutes, or after you clear the client side cache (ipconfig /flushdns), or restart the DHCP Client Service (on 2000/2003/XP), restart the DNS Client Service (on 2008/Vista and all newer), or restart the machine.

.

To put it another way:

If the query sent to the first entry in the DNS list responds with an NXDOMAIN response, meaning it is an actual response, but there is no record from the server it asked, then it will look no further because it is a response. however if it receives a NULL response, meaning the DNS server is down and there is no response, it will remove the first entry from the ‘eligible resolvers list’ for a certain amount of time (depending on the OS version and SP level), then send the query to the second one. However, if the record is already cached, it won’ even ask the first entry. Hence why the possibility that the client machine is asking a DC that is down.

Summary:

As I mentioned, this is ALL based on the client side resolver, not the DNS server. This time out period can be perceived as by someone sitting there waiting as ‘it’s not working’ because it appears to be taking so long. Also,
if it is already cached locally by the client side service, it will not ask and will send the connection request to the cached record, which if it is the server that is down, then it can’t connect anyway, and no response, but you may be sitting there expecting it to go to the other DC that is up. The way to reset the list is to restart the DHCP Client service (not the DHCP server) on the workstation, and the way to delete the cache on the client is to run ipconfig /flushdns, or simply restart the machine.

Or simply disable the DNS Client Side caching mechanism. It’s not suggested to do this due to performance and especially if you have many machines in the infrastructure. However for testing, you can give it a shot:

How to Disable Client-Side DNS Caching in Windows XP and Windows …Oct 12, 2007 …
To disable the DNS cache permanently in Windows, use the Service Controller tool or the Services tool to set the DNS Client service startup …
http://support.microsoft.com/kb/318803

Back to top of page>

========================================

8. What happens with Exchange and Outlook when when DNS goes down?

Exchange uses its Own fault tolerent serivice DSaccess that is responsible for providing directory information to exchagne servers. DsAccess fires every 15 minutes will change the server it relies on on its own DC DSAccess location process. For more info on its process, see:

Directory service server detection and DSAccess usage
http://support.microsoft.com/kb/250570

But in addition, this goes back to the depending on on the client side resolver as well, which I covered above under the, “If one DC is down, why does it not logon to the other DC? Or If first DNS
is down, will it use the second DNS to find another DC to logon?”

Also with Exchange involved, it becomes a little trickier. Keep in mind,  when Outlook 2002 and newer first connects, it is provided a DsProxy value for the GC that Exchange is using. Outlook will now cache it. If the GC goes down, even if there are other GCs up, Outlook will not ‘look’ for another GC. You have to literally restart Outlook. As for Exchange, Exchange will lock onto that GC as well, and if it goes down, it will indicate so in the event logs with numerous DSAccess errors until the GC is back up. The only way to circumvent that is to go into Exchange and manually change the DC/GCs
it was discovered with the automatic discovery process and changing it to manual and remove the downed GC. But the Outlook clients will still need to be restarted. However if you have multiple Exchange servers, it needs to be done on each one. If you have ISA, it needs to be restarted. Otherwise, it’s best to get the GC back up, and Exchange errors will disappear, however Outlook will still have a problem.

I’ve seen this while working in a 5000 user system with 20 Exchange servers. It was due to the AD group running Windows updates on the DCs. We talked them into doing it after hours. It was a pain. If you have BES servers, they need to be restarted after the GC is back up, too.

Keep in mind as well, that other Exchange related applications that rely on MAPI just as Outlook, such as BES servers (Blackberry Enterprise Server), need to be restarted for them to reinitialize.

Keep in mind too, that in a single domain scenario, all DCs should be Global Catalogs. If there are more than one domain in the forest (child domains), then the IM role cannot be on a GC. If Exchange is involved, access to Exchange may be affected by the GCs and DCs it’s been configured to use, and whether they are down or not. This would not be a DNS function, rather it is the DSAccess and DSProxy function on  Exchange.

I hope that makes sense.

Also I am providing some links on it, however, sorry about all the links, however they will give you a better understanding of it and how it applies. They all give little but in some cases not the whole picture. The DNS Whitepaper is pretty good to start with.

Back to top of page>

========================================

9. Client side DNS Devolution on Windows 7 and Windows 2008 R2

Devolution is when the parent suffix is derived when there are child suffixes. For example, if in a machine is joined to a child domain “sales.test.com,” then  “test.com” is devolved from “sales.test.com.”
 
Therefore, if “fileserver1” is not resolved in “sales.test.com” the client side resolver service on a client (keep in mind, DCs are DNS clients, too), will attempt to resend the query with the parent suffix.
 
It is best to design your forest infrastructure with unique hostnames so if “fileserver1” doesn’t exist in a child, it doesn’t exist anywhere else. Having a computername called “fileserver1” in a child domain and another domain, is not a good practice, nor is it a best practice. Uniqueness is the key across a forest.

DNS Devolution
Published: October 21, 2009, Updated: July 7, 2010, Applies To: Windows 7, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ee683928(WS.10).aspx

Quoted:
Devolution is not enabled in Active Directory domains when the following conditions are true:
  1. A global suffix search list is configured using Group Policy.
  2.The Append parent suffixes of the primary DNS suffix check box is not selected on the DNS tab in the Advanced TCP/IP Settings for IPv4 or IPv6 Internet Protocol (TCP/IP) Properties of a client computer’s network connection. Parent suffixes are obtained by devolution.

Back to top of page>

========================================

10. How does resolution work in a multi-domain forest (with child domains)?

If you have a hostname record, for example, called “Computer,” in both the parent domain and child domains, nslookup will resolve the IP address of hostname.domain.local without query or using the child domain suffix. This is part of the devolution process that starts with the higher level domain and works down.

Further, if you have a hostname record, for example, called “Computer,” in both the parent domain and child domains, nslookup will resolve the IP address of hostname.domain.local without query or using the child domain suffix. This is part of the devolution process that starts with the higher level domain and works down. The devolution to the upper hierarchal levels is limited to the forest root domain level in the forest.

For example, if you have a forest root of ad.domain.local, and you have a child domain called child.ad.domain.local, the client side resolver will limit devolution of it’s joined domain and to the forest root domain, and will not go any higher, and will not devolve or populate domain.local as a Search Suffix, since that domain name does not exist in the forest.

Therefore, if you have a DNS suffix search list, the resolver adds those DNS suffixes in order and does not try any other domain names. In this case, if you submit the unqualified name ‘Computer,’ the resolver queries in order for the following FQDNs:

  • hostname.domain.local
  • hostname.child.domain.local

Based on the example, below shows that such a client in this scenario will only devolve the following two, and not “domain.local,” as was previous to Vist/2008.

  • child.ad.domain.local
  • ad.domain.local

More info on this behavior:

Host Name Resolution Order
  http://support.microsoft.com/kb/172218/en-us  
 
  Configuring Query Settings:
  http://technet.microsoft.com/en-us/library/cc959339.aspx 

DNS client name resolution behavior in windows vista VS Windows XP
  http://blogs.technet.com/b/networking/archive/2009/04/16/dns-client-name-resolution-behavior-in-windows-vista-vs-windows-xp.aspx 
 
 

If you have a hostname record, for example, called “Computer,” in both the parent domain and child domains, nslookup will resolve the IP address of hostname.domain.local without query or using the child domain suffix. This is part of the devolution process that starts with the higher level domain and works down.


 

 Back to top of page>

========================================

11. Troubleshooting the Browser Service

Keep in mind, each subnet has it’s own master browser, and they work together with the WINS service using WINS, to enumerate an infrastructure wide browse list. If not using WINS, it uses broadcasts, but if you are in a multi-subnetted environment, and you want full browsing capabilities, it’s suggested to use WINS.

We have to keep in mind with troubleshooting the browser service, there is a time period you have to wait for the list to fully enumerate and become available on the master.

Good example is when a server is shut off on a segment, and the workstations kick in, or the server is rebooted, wins the election, and begins a new cycle to enumerate the browse list from WINS and/or broadcasts. This can take a minimal of 12 minutes, upwards to the 48-minute full propogation cycle in a multiple-segment domain environment.

And the default settings out-of-the-box, works fine, otherwise you’ll find yourself trying to change reg entries on multiple servers.

If you find workstations are becoming masters, are there any server operating systems on their subnets? If not, then a workstation will win as a master. If there is a server OS, and it’s not multihomed, especially if a DC on the subnet and it’s not multihomed (multihoming a DC is a really bad idea), then it should win, unless there’s a problem with the machine itself, such as some sort of security setting in your antivirus blocking traffic, or firewall blocking traffic on it.

Some basic things to look for and use:

  1. Make sure the Computer Browser service is Started.
  2. Make sure NetBIOS is enabled on everything.
  3. On Windows 2003 and 2000, install the Support Tools (from the Windows CDROM) in order to have the “browstat” utility available. In Windows 2008 and newer, the utility is already installed as part of the operating system files.

Multihomed DC?

Note: A multihomed DC is a major cause of browser problems. Multhoming DCs is not recommended for multiple reasons, including a “Multihomed Browser” scenario. More info regarding multihoming and why not to do it:

Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters – A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly.
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

Browser Troubleshooting Steps

If there are any antivirus software, it could block browser traffic. This of course is all assuming that the Computer browser service is running.
 
Run a browstat status to see who the browse master is for the segment. If it’s not the PDC Emulator, and some other device won the election, that can cause a problem.

To check current status of the browse service on the domain, run:

 browstat status

You should get a response similar to:

Browsing is active on domain.
  Master browser name is: <serverName>

Note, the machine that is the current master browser will either be, depending if the machine type exists on the segment: the PDC Emulator, a replica DC on the segment, a member server, joined workstation, or workgroup member, Unix or Linux with SAMBA, etc. If you find a device is winning the election, then we need to disable that ability in the device. If there are no features for that, contact their support department, or put the device behind it’s own subnet or VLAN to prevent it from winning the election on the production network.

To find the current browse master on a segment, you’ll have to find the TransportID:

First run:

 browstat getmaster \device\netbt_el59x1 <domainname>

It will error out because the “netbt_el59x1” probably doesn’t exist, and will respond with the transports currently bound to the browser. Copy and paste  the transport that does show up into your next command:

browstat getmaster \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>

Force an election by running:

 browstat elect \device\netbt_ieepro1 <domainname>

Then check the event logs to see which machine won the election. If it’s a device, such as I’ve found that Linux/Unix with SAMBA, or devices such as a Seagate NAS, may win the election and cause browsing havoc within an environment and get that familiar, but unwanting “Access Denied” when trying to browse.

Troubleshooting the Microsoft Browser Services:
http://support.microsoft.com/kb/188305

Back to top of page>

========================================

Related Links

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx 

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760

ForwardingTimeout (registry settings)
http://technet.microsoft.com/en-us/library/cc940784.aspx

Appendix C: Windows Sockets and DNS Registry Parameters
For Resolver time out, see DNSQueryTimeouts
http://technet.microsoft.com/en-us/library/cc781532(WS.10).aspx

Change description of following to show its for NT4
SP4 Changes DNS Name Resolution – Actual Query Timeout settings the resolver uses – (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550

How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc

DNSQueryTimeouts  – How to control the client side resolver time out value in the registry)
http://technet.microsoft.com/en-gb/library/cc977482.aspx

W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

DNS Resolver Cache Service [incvluding NetFailureCacheTime and NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp

DNS Client Service Doesn’t Revert to Using First Server in List [explained in the DNS white papers] reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834

261968 – Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968

SP4 Changes DNS Name Resolution – Actual Query Timeout settings the resolver uses – (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550

Back to top of page>

Summary

I hope this helps! If you have any questions, and I’m sure you do, please feel free to reach out to me.

Major revision – Published 3/20/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Mobility

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Exchange or Office 365 Mailbox Dumpster Report

By Ace Fekay
Published 2/21/2018

Intro

This is another quick script to enumerate what’s in the dumpster, that I’ve created to help my day to day tasks. I hope you find it helpful.

Scope

This script enumerates an Exchange or Office 365 Dumpster, Purges, and Versions folders.

Note:

  • Dumpster and Deletions Report provides Size Values for the mailbox
  • Deleted items’, ‘Recover Deleted Items’ (Dumpster), and ‘Purges’ values.
    Does not apply to Mailusers” -ForegroundColor cyan
    *** If Lit Hold is present, Recover and Purges will be larger and must be ignored.) ***

The ‘Recoverable Items’ folder contains the following subfolders

  1. Recoverable Items: This is the total amount combined in Deletions, Calendar Logging, Purges, and Versions.
  2. Calendar Logging:  For Calendar diagnostic purposes

  3. Deletions
    : Recover Deleted Items or the ‘Dumpster'”
         This subfolder contains all items deleted from the Deleted Items folder.
  4. Versions:          If In-Place Hold or Litigation Hold is enabled:
    This subfolder contains the original and modified copies of the deleted items.”
  5. Purges:            If either Litigation Hold or single item recovery is enabled:”
    This subfolder contains all items that are hard deleted.

Script

I did not make this into a function, although it can easily be converted. To run it, for the $RecipientName variable, just enter the username, email address, displayName, or their sAMAccountName, and fire away.

“======================================================”
$RecipientName = “user’s email address, DisplayName, or sAMAccountName”
$RecipientDisplayName = (get-recipient $RecipientName).displayname

Optional (for reporting purposed):

$RecipientNetBIOSName = (get-recipient $RecipientName).name
$RecipientPrimAlias = (get-recipient $RecipientName).PrimarySmtpAddress

“======================================================” -ForegroundColor Cyan                   
  write-host “Dumpster and Deletions Report for ‘$RecipientDisplayName’ ($RecipientName) (Does not apply to Mailusers or Contacts):” “$(get-date)” -ForegroundColor Yellow
     Write-host “======================================================”
Write-host “Dumpster and Deletions Report provides Size Values for the mailbox ‘Deleted items’, ‘Recover Deleted Items’ (Dumpster), and ‘Purges’ values.”  -ForegroundColor Cyan
     Write-Host “Does not apply to Mailusers” -ForegroundColor cyan
     Write-Host “*** If Lit Hold is present, Recover and Purges will be larger and must be ignored.) ***”  -ForegroundColor Red
     Write-Host “***”
     Write-host “The ‘Recoverable Items’ folder contains the following subfolders:” -ForegroundColor Yellow
     Write-Host ”   Recoverable Items: This is the total amount combined in Deletions, Calendar Logging, Purges, and Versions.”
     Write-Host ”   Calendar Logging:  For Calendar diagnostic purposes”
     Write-Host ”   Deletions:         Recover Deleted Items or the ‘Dumpster'”
     Write-host ”                      This subfolder contains all items deleted from the Deleted Items folder. “
     Write-Host ”   Versions:          If In-Place Hold or Litigation Hold is enabled:”
     Write-Host ”                      This subfolder contains the original and modified copies of the deleted items.”
     Write-Host ”   Purges:            If either Litigation Hold or single item recovery is enabled:”
     Write-host ”                      This subfolder contains all items that are hard deleted.”
     Write-host “======================================================” -ForegroundColor Cyan
Get-MailboxFolderStatistics $RecipientName -FolderScope RecoverableItems | ft Name,FolderAndSubfolderSize, @{name=”LitigationHoldEnabled”;expression={(Get-mailbox $RecipientName).LitigationHoldEnabled}} –a
##########################################################

Report Output

(Watch the word-wrap):

=================================================================================================
Dumpster and Deletions Report for ‘User DisplayName’ (SAP Legal Operations) (Does not apply to Mailusers): 03/27/2018 11:22:01
=================================================================================================
Dumpster and Deletions Report provides Size Values for the mailbox ‘Deleted items’, ‘Recover Deleted Items’ (Dumpster), and ‘Purges’ values.
Does not apply to Mailusers
*** If Lit Hold is present, Recover and Purges will be larger and must be ignored.) ***
***
The ‘Recoverable Items’ folder contains the following subfolders:
    Recoverable Items: This is the total amount combined in Deletions, Calendar Logging, Purges, and Versions.
    Calendar Logging:  For Calendar diagnostic purposes
    Deletions:         Recover Deleted Items or the ‘Dumpster’
                       This subfolder contains all items deleted from the Deleted Items folder.
    Versions:          If In-Place Hold or Litigation Hold is enabled:
                       This subfolder contains the original and modified copies of the deleted items.
    Purges:            If either Litigation Hold or single item recovery is enabled:
                       This subfolder contains all items that are hard deleted.
=================================================================================================

Name              FolderAndSubfolderSize     LitigationHoldEnabled
—-              ———————-     ———————
Recoverable Items 1.32 MB (1,383,783 bytes)                  False
Calendar Logging  0 B (0 bytes)                              False
Deletions         1.196 MB (1,253,945 bytes)                 False
Purges            126.8 KB (129,838 bytes)                   False
Versions          0 B (0 bytes)                              False

Clear on the picture for a full view:

image

Summary

I hope this helps!

Published 3/27/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Mobility

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


 

What DNS Zone type should I use, a Stub, Conditional Forwarder, a Forwarder, or a Secondary Zone?? What’s the Difference??

By Ace Fekay
Originally Published 2012
Updated 3/20/2018

Intro

Ace again. DNS is a basic, yet important requirement that many still having problems wrapping their head around it.

Besides design, a huge part of DNS is understanding the differences between the zone types. Many have asked, when do I use a Stub zone, a Conditional Forwarder, or a Forwarder? Or better, what’s the difference?

I thought to put this simple comparison together compiled from past posts in the TechNet Forum.

Partner Organization DNS Resolution: What should I use, a Stub, Conditional Forwarder or Forwarder?

Secondary Zone

Secondary zones are read only copies “copied,” or “zone transferred” from a Master zone. This makes the zone data available locally (as read only, of course), instead of querying a DNS server across a WAN link. However, in many cases Secondaries are not used due to many limitations and security concerns, such as exposing all DNS zone data that a partner may not want to divulge.

In addition, Secondaries can’t be AD integrated, and the zone data is stored in a text file. So you would have to manually create a copy on all of your DNS servers.

Stub Zone

Organizations own their own AD zones. When business partners need to resolve data at a partner’s organization, there are a few options to support this requirement. Years ago, prior to Stub or Conditional Forwarders, there weren’t many options to handle this other than to use Secondary Zones and keep copies of each others zones via zone transfers.  While the solution worked well in regards to name resolution, it was not the best security-wise, due to trust level between partners, because zone data is fully exposed at the partner. This became a security concern because the partner is able to see all of their business partner’s records. When the zone was transferred to partners, who knows what they were doing with the information. If the information was made public, attackers would have a field day with all of the IPs for the networked devices.

When stub zones were made available, it became a solution to overcome this security issue. What is also beneficial about Stubs, is you can AD integrate them instead of manually creating a Stub on each individual DC. This way the zone will be available domain or forest-wide, depending on replication scope.

However, some may say due to the fact that the SOA records are included in the zone file, it may be a concern that the SOA and NS data is exposed. In such high security concerns, the better solution would be to use a Conditional forwarder.

Conditional Forwarder

This option is heavily used, and many look at them as the best regarding security concerns with zone data exposure, because no data is exposed. This option has worked very well in many environments.

With Conditional Forwarders, no information is being transerred and shared. The only thing you would need to know is one or more of your business partner’s DNS server IPs to configure it, and they don’t have to be the SOA, rather any DNS server that hosts the zone or that has a reference to the zone.

However, it does require open communication and let each other know when their DNS server IPs may change, because you must manually set them.

Windows 2003 introduced Conditional Forwarders, but it did not have the option to make it AD Integrated. If you have 10 DNS servers, you must create the Conditional Forwarder on each server manually. The AD integrated option was added to Windows 2008 or newer DNS servers, so you don’t have to manually create them on each DNS server. THis way the Conditional Forwarder will be available domain or forest-wide.

Parent-Child DNS Zone Delegation

Delegation can be used in a situation where a child domain host their own DNS zone.  Therefore in the forest root domain, you would create a delegation zone with the IPs of the DNS servers in the child domain.  This is normally performed when the child zone have their own administrators. It’s also useful they do not have access to “see” all of the forest root DNS records.

Summary

I hope this helps! If you have any questions, and I’m sure you do, please feel free to reach out to me.

Major revision – Published 3/20/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Mobility

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


 

Removing Orphaned Populated msExchangeDelegateLinkList and msExchangeDelegateLinkListBL Automapping Attributes

By Ace Fekay
Published 5/11/2017

Scope

How to remove a shared mailbox that keeps showing up in your Outlook profile that you’ve been removed as a delegate.

To add, this is a big stickler especially with migrating from on-premises to Office 365, where the SendAs permission is now changed, because the permission must be re-assigned to the EXO object, the entity actually sending-As the email as another, and not the on-premises AD object. This also discusses how to remove the original Automapped BL (backlink).

Automapping

Automapping is an Autodiscover feature that was added to Exchange 2010 SP1 and newer, that allows Outlook to automatically add a delegated mailbox without additional tasks.

Autodiscover looks at the mailbox owner’s AD account for an attribute called the MSExchDelegateListLink attribute.

When you use the EAC or PowerShell to delegate permissions to a shared mailbox or to another user, Exchange will automatically set the Automapping feature to $True. In PowerShell you can disable this, but not in the EAC.

This feature populates the MSExchDelegateListLink attribute on the shared or delegated mailbox with the user accounts that will be Automapped, and vice-versa, it also populates the MSExchDelegateLinkListBL attribute on the user account. I look at this as the “back link” to the shared mailbox.

These two attributes are one of  nine (9) links and backlinks that exist. Here’s a list of all links and backlinks in AD and more specifics can be found at the following link:
http://www.neroblanco.co.uk/2015/07/links-and-backlinks-in-active-directory-for-exchange/

Outlook, Autodiscover, and those attributes

When Outlook fires up, and while running, part of what Autodiscover process performs is it will check these two attributes to determine if there are any shared mailboxes that must be automatically added to the Outlook profile. In some cases using a managed process for shared mailboxes, we may want this feature disabled so the shared mailbox does not get automatically added.

Orphaned backlink is still populated and the mailbox still shows up in Outlook

If the user was previously delegated to a shared mailbox, then the delegated per,missions were removed, but for some reason, perhaps replication or corruption, or some other unforeseen factor (large environments fall under this category), the shared mailbox still shows up and you can’t get rid of it, and further, since you no longer have permissions, you can’t open it. This will cause the shared or delegated mailbox to still show up in Outlook. But you can clearly see in EAC or running a get-mailboxpermission that the user is no longer delegated.

Example of an account with the msExchDelegateLinkListBL still populated:

image

 

How to remove it?

First, establish your PowerShell session to Exchange onprem or your Office 365 tenant. If unsure how, see this:
https://blogs.msmvps.com/acefekay/2017/05/11/establishing-a-powershell-session-to-your-office-365-tenant-or-onprem-exchange/

Determine, if any, links or backlinks exist on the shared mailbox:

Get-ADUser “SharedMailboxDisplayName” -Properties msExchDelegateListLink | Select-object -ExpandProperty msExchDelegateListLink

If any show up, you’ll see their sAMAccountNames. If you don’t know who the sAMAccountNames are and you want to see their displayNames, run the following (this command works for DNs, too):

For one account:
get-aduser sAMAccountName -Properties displayName,mail  | ft Name, DisplayName, mail -A

For a list of accounts in a text file:
get-content c:\temp\names.txt | get-aduser -Properties displayName,mail  | ft Name, DisplayName, mail –A

 

Then remove the msexchDelegateLinkListBL orphaned backlink:

Note: I’m using the shared mailbox’s displayName. This will also work using the sAMAaccountName or the primary email address.

For one account:
Remove-MailboxPermission “SharedMailboxDisplayName” -user $_ –AccessRights FullAccess -Confirm:$false

For a list of accounts in a text file:
get-content c:\temp\ace\userIDs\users.txt | foreach {Remove-MailboxPermission “SharedMailboxDisplayName”  -user $_ –AccessRights FullAccess -Confirm:$false}

Then if needed, delegate the shared mailbox again & disabling Automapping

Delegate Ace to a shared mailbox:
Add-MailboxPermission “Shared Mailbox Name or email address” -User AceFekay@contoso.com -AccessRights FullAccess -AutoMapping:$false

 

============================================================

Summary

I hope this helps!

Published 5/18/2017

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

 

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Active Directory Flexible Authentication Secure Tunneling (FAST)

Let’s discuss Flexible Authentication Secure Tunneling (FAST).

This new feature implemented in the Windows Server 2012 KDC, provides protection against password-based dictionary attacks. FAST is an extra level of security above password lockout policies and works at the Kerberos authentication level.

What is FAST and Kerberos Armoring?

Sometimes referred to as one in the same, FAST provides offline dictionary attack prevention, that work around Kerberos errors being spoofed. If the Kerberos authentication sequence fails, authentication falls back to NTLM authentication, a less secure method.

FAST is defined by RFC 6113 and RFC 4851, to prevent spoofing Kerberos errors. FAST is also referred to as Kerberos Armoring. FAST provides a secured and protected channel to provide a protected channel between a domain-joined client and DC and involves the LSA (Local Security Authority), the Netlogon Service, and the KDC. FAST protects Kerberos pre-authentication data for the “AS_REQ” by using the LSK (randomly generated logon session key) from the TGT (Ticket Granting Ticket during the Kerberos authentication sequence) as a shared secret to fully encrypt Kerberos messages and sign all possible Kerberos errors. The shared secret provides an additional “salt” in the Kerberos authentication process. This results in increased processing time, but it does not change the Kerberos service ticket size. The shared secret provides DCs the ability to return Kerberos authentication errors, which in turn, protects against spoofing, man-in-the middle, and other attacks.

FAST and Windows Server 2008

Although Windows Server 2012 and newer domain controllers are required to support this feature, there are no requirements for the domain or forest functional levels to be at Windows Server 2012. Therefore, you can have Windows Server 2008 and Windows Server 2008 R2 domain controllers, with forest functional level on Windows Server 2008.

The only exception is if you are implementing claims across a forest trust.

FAST requirements

  • Functional levels must be at least Windows Server 2008.
  • For full support, Domain and Forest Functional Levels must be at Windows Server 2012, which means that all domain controllers must be at least Windows Server 2012.
  • The Active Directory Domain must support Claims Based Access Control (CBAC) and Kerberos Armoring policy for all Windows Server 2012 domain controllers.
  • CBAC is an authorization method granting or denying access based on an arbitrary authorization decision algorithm using data in claims.

Additional Reading on CBAC:
Authorization in Claims-Aware Web Applications and Services
http://msdn.microsoft.com/en-us/library/windowsazure/gg185915.aspx

The domain can be configured either to require Kerberos armoring, or use it upon request. This allows backward support for legacy clients.This can be enabled by using two Group Policy settings:

  • “Support CBAC and Kerberos armoring”
  • “All DCs can support CBAC and Require Kerberos Armoring”

Additional Reading

What’s New in Kerberos Authentication?
http://technet.microsoft.com/en-us/library/hh831747.aspx

The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST)
http://tools.ietf.org/html/rfc4851

A Generalized Framework for Kerberos Pre-Authentication
http://tools.ietf.org/html/rfc6113

==================================================================

Summary

Stay tuned. This is part of a release of previously unreleased documentation.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Fine-Grained Password Policies User Interface in Windows 2012 R2 and Newer

Intro

Ace again! Let’s talk about FGPP!

When Active Directory was first introduced in Windows Server 2000, you can only create one password policy for the domain. That was configured in the Default Domain Policy. If you attempted to create a GPO linked to an OU with password policy settings, the Active Directory CSEs (Client Side Extensions – the client side DLLs that determine, download and run GPOs assigned to the computer or user) will ignore them.

FGGP Expanded Requirements

Therefore if an IT infrastructure design required a different password for different locations or users, the only option was to either create a password filter or create a separate child domain or a new Tree in the forest. Of course this came with design challenges, additional hardware and administrative overhead. For a number of years, this was a limitation that IT administrators had no real solution or alternative.

To provide a solution, Fine-Grained Password Policies (FGPPPs), were introduced in Windows Server 2008, continued in Windows 2008 R2. They provided administrators to create a Password Settings Policy (PSO) for a set of user accounts or groups and cannot be linked to GPOs, and the only way to create and administer PSOs and FGGPs are using low-level utilities, such as ADSI Edit.

Windows Server 2012 introduced a new GUI to ease creation and administration of PSOs and FGPPs. In this section, we will learn about the new FGPP and PSO features, and how to create administer them.

  • Why would we need an FGGP?
  • Understanding Password Settings Objects (PSOs)
  • What’s new in Windows 2012 FGGP?
  • PSO Resultant Set of Policies (RSOP)
  • What’s required to implement FGGPs? PowerShell and FGGPs

Why would we need a FGGP?

You can use fine-grained password policies to specify specific password policies in a single domain by applying different restrictions settings for password and account lockout policies to different sets of users and groups in a domain.

For example, you can apply stricter settings to privileged accounts such as administrator accounts, or executive accounts, and apply less strict settings to the accounts of other users. You can also create special password policies for accounts that get their passwords synchronized with other data sources or applications.

Understanding Password Settings Objects (PSOs)

Password Settings Objects (PSOs) have identical password settings as the password policy in a GPO. These settings include password length, complexity, account lockout, password minimum and maximum age, password history settings, PSO link, and Precedence.

PSOs are not linked to an OU. PSOs are applied users or groups. To help keep track of PSOs to an OU, for example, administrators can create an Active Directory group in an OU that is identically named as the group name.

With Windows Server 2008 and Windows Server 2008 R2, ADSI Edit (Active Directory Services Editor), a low level editor, is required to create, modify and apply PSOs to users or groups. ADSI Edit is akin to a “registry editor” that allows you to modify data in the various partitions in the AD database. Using ADSI Edit requires additional knowledge and skill level by an administrator to understand the various Active Directory database partitions and how to access them.

What’s new in Windows Server 2012 FGGPs?

In Windows Server 2012, creating and managing fine-grained password policy can now be performed using a user interface, the ADAC (Active Directory Administration Center), vastly improving ease of administration.

Administrators can now visually see a specific user’s resultant set of policies (RSOP), view and sort all password policies within a given domain, and manage individual password policies.

image

PSO Resultant Set of Policies (RSOP)

If a user or group has multiple PSOs linked to them, possibly because they are part of multiple Active Directory groups that have different PSOs, only one PSO can be applied. Therefore, the RSOP must be evaluated to insure the correct PSO is applied.

To determine and calculate the RSOP, each PSO has an additional attribute called the msDS-PasswordSettingsPrecedence.

The msDS-PasswordSettingsPrecedence attribute has an integer value of 1 or greater. The lower the value, the higher precedence it has. In a scenario where an AD group has two PSOs linked, with one of them having a value of 2, and the a value of 4, then the PSO with a value of 2 wins, and is applied to the AD group.

RSOP msDS-PasswordSettingsPrecedence Logic:

• A PSO that is linked directly to the user object is the resultant PSO. (Multiple PSOs should not be directly linked to users.)

• If no PSO is linked directly to the user object, the global security group memberships of the user, and all PSOs that are applicable to the user based on those global group memberships, are compared. The PSO with the lowest precedence value is the resultant PSO.

• If no PSO is obtained from conditions (1) and (2), the Default Domain Policy is applied.

Additional reading on RSOP:

AD DS: Fine-Grained Password Policies
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

What’s required to implement FGGPs?

To point out, Fine-grained password policies can only be applied to global security groups and user objects (or inetOrgPerson objects, a specific attribute some third party applications may use, if they are used instead of user objects).

Requirements include:

  • Only members of the Domain Admins group can set fine-grained password policies, however, the tasks can be delegated to other users.
  • The domain functional level must be Windows Server 2008 or higher.
  • You must use the Windows Server 2012 version of ADAC (Active Directory Administrative Center) to administer fine-grained password policies through a graphical user interface.

Server Manager can be used to install the RSAT tools (Remote Server Administration Tools) on Windows Server 2012 computers to use the correct version of Active Directory Administrative Center to manage Recycle Bin through a user interface.

  • You can use RSAT on Windows® 8 computers to use the correct version of Active Directory Administrative Center to manage FGGPs.

PowerShell and FGGPs

PowerShell can also be used to create and manage FGGPs. For example, the command below will create the following settings:

  • • PSO Name: TestPswd
  • • Complexity: Enabled
  • • Lockout Duration: 30 Minutes
  • • Lockout Observation Windows: 30 Minutes
  • • Lockout Threshold: 0 Minutes
  • • MaxPasswordAge: 42 Days
  • • Minimum Password Age: 1 Day
  • • MinPasswordLength: 7 characters
  • • PasswordHistoryCount: 24 passwords remembered that you can’t use
  • • ProtectedFromAccidentalDeletion: Yes (prevents accidental deletion)
  • • Security Principal Applied to: AD Group called “group1”
New-ADFineGrainedPasswordPolicy TestPswd -ComplexityEnabled:$true -LockoutDuration:"00:30:00" -LockoutObservationWindow:"00:30:00" -LockoutThreshold:"0" -MaxPasswordAge:"42.00:00:00" -MinPasswordAge:"1.00:00:00" -MinPasswordLength:"7" -PasswordHistoryCount:"24" -Precedence:"1" -ReversibleEncryptionEnabled:$false -ProtectedFromAccidentalDeletion:$true
Add-ADFineGrainedPasswordPolicySubject TestPswd -Subjects group1
Additional Reading:

AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

Introduction to Active Directory Administrative Center Enhancements (Level 100)
http://technet.microsoft.com/en-us/library/hh831702.aspx

Creating fine grained password policies through GUI Windows server 2012 “Server 8 beta”
Microsoft Technet, by Tamer Sherif Mahmoud, Team Blog of MCS
http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx

============================================================

Summary

Stay tuned for more on Azure and Cloud Computing

Published 10/15/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023[2][2][2] clip_image0043[2][2][2] clip_image0063[2][2][2] clip_image0083[2][2][2] clip_image0103[2][2][2] clip_image0123[2][2][2] clip_image0143[2][2][2] clip_image0163[2][2][2]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

What is Cloud Computing?

Intro

Ace here again. This is part of my blog series on Azure and Cloud Computing

This is a short discussion about cloud computing, another aspect of Internet service providers offering to help companies reduce costs by practically eliminating hardware.

Service Providers and Services

In the past few years, many online service providers have gained momentum offering datacenter services to allow customers the ability to host services, applications, and operating systems. These service providers provide 24/7 availability and uptime monitoring, backups, disaster recovery, maintain application updates and provide full support.

As long as an employee has internet access, whether at the office or away, they can access these services and applications.

A Cloud Operating System does what a traditional operating system does – manage applications and hardware, but at the scope and scale of cloud computing, meaning the applications and hardware are operated and managed outside of a company’s network.

The foundations of the Cloud OS are Windows Server 2012 and Windows Azure, complemented by the full feature set of Microsoft technology solutions, such as SQL Server, System Center, Exchange Server, and Visual Studio. Together, these technologies provide a consistent platform for infrastructure, applications and data that can span your datacenter, service provider datacenters, and the Microsoft public cloud.

Public Clouds

Shared Public Cloud

A Shared Public Cloud provides the benefit of rapid implementation, massive scalability, and low cost of entry because multiple tenants share and absorb the overall costs reducing individual tenant costs.

It is delivered in a shared physical infrastructure where the architecture, customization, and degree of security are designed and managed by the hosting provider according to market-driven specifications.

Public clouds have weaker security due to their shared nature.

Dedicated Private Clouds

Dedicated Private clouds are similar to a Shared Public Cloud, except they are delivered on a dedicated physical infrastructure dedicated to a single organization.

Security, performance, and sometimes customization are better in the Dedicated Public Cloud than in the Shared Public Cloud. Its architecture and service levels are defined by the provider and the cost may be higher than that of the Shared Public Cloud.

Private Cloud

Dedicated Private clouds may be hosted by the organization itself at a co-location service where the organization owns all hardware and software, and provide their own full maintenance procedures including disaster recovery solutions, with the co-location only providing 24/7 power and internet connectivity guarantees, or they may be hosted by a cloud services provider, which provides all hardware and software and ensures that the cloud services are not shared with any other organization.

Private clouds are more than just large-scale hypervisor installation. They can use the Microsoft System Center 2012 management suite, which makes it possible to provide self-service delivery of services and applications.

Self-hosted Private Cloud

A Self-hosted Private Cloud provides the benefit of architectural and operational control utilizing the existing investment in people and equipment, and provides a dedicated on-premise environment that is internally designed, hosted, and managed.

Hosted Private Cloud

A Hosted Private Cloud is a dedicated environment that is internally designed, externally hosted, and externally managed. It blends the benefits of controlling the service and architectural design with the benefits of datacenter outsourcing.

Private Cloud Appliance

A Private Cloud Appliance is a dedicated environment that is purchased from a vendor and designed by that vendor, and are based on provider & market driven features and architectural control. They can be hosted internally or externally, and can be internally or externally managed. A Private Cloud Appliance benefits consumers by combining advantages of a predefined functional architecture, lower deployment risk with the benefits of internal security and control.

What does Windows 2012 R2 and Cloud OS Mean to Organizations?

It means organization can shift to efficiently manage datacenter resources as a whole, including networking, storage and computing. Organizations will be able to deliver and manage powerful apps that boost employee productivity providing faster access across private, hybrid (mixture of private & public clouds) and public clouds.

With Windows Server 2012 and newer, and System Center, an organization owns its own private cloud, and they can provide users a self-service portal to request their own multitier applications including web servers, database servers, and storage components.

Windows Server 2012 and the components of the System Center 2012 suite can be configured so service requests can be processed automatically, without requiring manual deployment of virtual machines and database server software.

Microsoft Private Cloud Fast Track

Microsoft Private Cloud Fast Track is a joint effort between Microsoft and its hardware partners to deliver pre-configured solutions that reduce the complexity and risk of implementing a private cloud, and provides and delivers flexibility and choice across a range of hardware vendor options technologies in pre-configured solutions.

For more information on Microsoft Private Cloud Fast Track, and the implementation deployment guide:

Microsoft Private Cloud Fast Track Information New and Improved, by Thomas W Shinder, MSFT, 7/27/2012
http://blogs.technet.com/b/privatecloud/archive/2012/07/27/microsoft-private-cloud-fast-track-information-new-and-improved.aspx

For a complete list of Reference Architecture for Private Cloud Documents:

Reference Architecture for Private Cloud
http://social.technet.microsoft.com/wiki/contents/articles/3819.reference-architecture-for-private-cloud.aspx

============================================================

Summary

Stay tuned for more on Azure and Cloud Computing

Published 10/15/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023[2][2] clip_image0043[2][2] clip_image0063[2][2] clip_image0083[2][2] clip_image0103[2][2] clip_image0123[2][2] clip_image0143[2][2] clip_image0163[2][2]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

What is SaaS, PaaS, and IaaS?

Intro

Ace here again. With Azure gaining traction, and the whole “Cloud”computing buzzwords becoming a staple to every day life, I thought to bring some sunlight through and explain some of the offerings.

SaaS: Software as a Service

Software as a Service (SaaS) delivers business processes and applications, such as Sharepoint, CRM, collaboration, and e-mail, as standardized capabilities for a usage-based cost at an agreed, business-relevant SLA (service level agreement).

SaaS provides significant efficiencies in cost and delivery with minimal customization that represents a shift of operational risks from the consumer to the hosting provider. All infrastructure and IT operational functions are abstracted away from the consumer reducing consumer resource overhead.

The end user is the consumer, and benefits the most with SaaS with increased application uptime and performance.

PaaS: Platform as a Service

The most complex of the three, cloud platform services or “Platform as a Service,” (PaaS) delivers computational resources with an efficient and agile approach to operate scale-out applications in a predictable and cost-effective manner, through a platform, such as Windows Server 2012.

With PaaS, the application owner is the consumer. PaaS delivers application execution services, such as application runtime, storage, and integration, for applications written for a pre-specified development framework the consumer can build upon to develop, customize, and test applications. Deployment of applications is quick, simple, and cost-effective, eliminating the need to purchase underlying layers of hardware and operating systems.

PaaS is highly scalable. Consumers need not worry about platform upgrades or downtime due to maintenance.

Service levels and operational risks are shared because the consumer (customer) takes responsibility for the stability, architectural compliance, and overall operations of the application while the provider delivers the platform capability (including the network infrastructure and operational functions) at a predictable service level and cost.

One comparison between SaaS vs. PaaS is with PaaS, vendors still manage runtime, middleware, O/S, virtualization, hardware (servers & storage), and networking, but users manage applications and data. With SaaS, the users only control the software, not the platform the software is running on.

IaaS: Infrastructure as a Service

Cloud infrastructure services, known as “Infrastructure as a Service,” (IaaS), deliver computer infrastructure (such as a platform virtualization environment), storage, and networking.

IaaS abstracts hardware (server, storage, and network infrastructure) into a pool of computing, storage, and connectivity capabilities that are delivered as services for a usage-based (metered) cost. Its goal is to provide a flexible, standard, and virtualized operating environment that can become a foundation for PaaS and SaaS.

IaaS is usually seen to provide virtual server standardization by the hosting provider. The hosting provider manages virtualization and provides service level agreements (SLA) that cover the performance and availability of the virtualized infrastructure.

The consumer takes responsibility for configuration, operations, maintenance, updates, upgrades and support of the guest Operating System (OS), software, and Database (DB). Compute capabilities (such as performance, bandwidth, and storage access) are also standardized.

IaaS is an advanced state of IT maturity that has a high degree of automation, integrated-service management, and efficient use of resources.

The consumer can be the application owner and/or the IT department, and also provide middleware, application and operating system updates, upgrades and support. The benefit to the consumer is they can install any required platforms.

image

Click here for additional information

What does Windows 2012 R2 and Cloud OS Mean to Organizations?

It means organization can shift to efficiently manage datacenter resources as a whole, including networking, storage and computing. Organizations will be able to deliver and manage powerful apps that boost employee productivity providing faster access across private, hybrid (mixture of private & public clouds) and public clouds.

With Windows Server 2012 and System Center, an organization owns its own private cloud, and they can provide users a self-service portal to request their own multitier applications including web servers, database servers, and storage components.

Windows Server 2012 and the components of the System Center 2012 suite can be configured so service requests can be processed automatically, without requiring manual deployment of virtual machines and database server software.

Microsoft Private Cloud Fast Track

Microsoft Private Cloud Fast Track is a joint effort between Microsoft and its hardware partners to deliver pre-configured solutions that reduce the complexity and risk of implementing a private cloud, and provides and delivers flexibility and choice across a range of hardware vendor options technologies in pre-configured solutions.

For more information on Microsoft Private Cloud Fast Track, and the implementation deployment guide:

Microsoft Private Cloud Fast Track Information New and Improved, by Thomas W Shinder, MSFT, 7/27/2012
http://blogs.technet.com/b/privatecloud/archive/2012/07/27/microsoft-private-cloud-fast-track-information-new-and-improved.aspx

For a complete list of Reference Architecture for Private Cloud Documents:

Reference Architecture for Private Cloud
http://social.technet.microsoft.com/wiki/contents/articles/3819.reference-architecture-for-private-cloud.aspx

============================================================

Summary

Published 10/15/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023[2] clip_image0043[2] clip_image0063[2] clip_image0083[2] clip_image0103[2] clip_image0123[2] clip_image0143[2] clip_image0163[2]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Active Directory DNS Single Label Names

Intro

Hey everyone, Ace again. Let’s discuss this issue. I hardly see this issue any more, because it was a previously prevalent when Active Directory was introduced, since there were some confusion about AD domain naming, and many IT admins used NT4’s domain naming guidelines. Man of us are now familiar with AD’s naming convention, and have more than likely renamed or rebuilt their AD domains. However, there are still some installations with this issue. 

How did it happen? Many reasons, such as lack of research on AD’s DNS requirements, assumptions, or a simple typo when originally upgrading from NT4 or promoting your new AD domain. It doesn’t matter now, because you were brought here to find out what to do with it.

I hope you find this blog informative on this issue and what to do about it.

First, let’s discuss a little background on the necessary components at play…

FQDN

First, let’s discuss the FQDN. What is an FQDN? It stands for “Fully Qualified Domain Name.” It is multi-level, or hierarchal, such as:

domain.com
domain.net
domain.local
childdomainname.domain.local
etc

What is a Single Label DNS Domain name?
The name is reminiscent of the legacy style NT4 domain NetBIOS domain names, such as:

DOMAIN
CORP
COMPANYNAME
etc

Unfortunately, since this does not work with DNS, and Active Directory relies on DNS, therefore, it does not work with Active Directory. Stay with me. I’ll explain…

DNS

DNS is a hierarchal database. Some call it a “tree” with a root (the ‘com’ or ‘net’, etc, name), then the trunk (the ‘domain’ portion of it), and the branches (such as www, servername, etc). The Root domain name, such as com, edu, net, etc, is also known as the TLD (Tope Level Domain name).

Basically you can look at a DNS domain name as having multiple levels separated by periods. The minimal requirment for an FQDN domain name, such as microsoft.com, is two levels. Then of course are your resource names, such as www, servername, or even child domain names under it.

Notice with a single label name there is only one name for the domain, or one level? Don’t get this confused with the NetBIOS domain name, that we were familiar with in the NT4 days. AD supports the NetBIOS domain name as well, but only as a NetBIOS domain name. It’s one of the domain names chosen when a machine is promoted into a domain controller for a brand new domain in a brand new forest. NT4 wasn’t reliant nor did it use DNS for NT4 domains. However, AD is reliant, therefore it must follow DNS naming rules.

Unfortunately the old NT4 style names are not hierarchal because there is only one level.
 
Since AD requires and relies on DNS, and DNS is a hierarchal database, a single label name does not follow any sort of hierarchy. DNS fails with single label names. Windows 2008, Windows 2003, XP and Vista have problems resolving single label names because it does not follow the proper format for a DNS domain name, such as domain.com, etc.

Also, Windows 2000 SP4 and all newer machines have problems querying single label names. It’s explained below by Alan Woods. Because clients query DNS for AD resources (domain controller locations and other services), they may have difficulty finding resources.

How did it happen? As I said earlier, it doesn’t matter now, because you were brought here to find out what to do with it.

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (or any AD upgrade or installation):
http://support.microsoft.com/kb/555040

Single Label Name Explanation

Another variation of the Single Label Name explanation that I had provided in a response to a post in the DNS and/or AD newsgroups at one time:

The issue is the single label name. Locally at HQ, it’s using NetBIOS to join, however remotely, it’s relying on DNS. DNS queries do not work properly with single label names on Windows 2000 SP4 and all newer machines.

Period. Why? good question. It’s based on the fact DNS is hierarchal. Hierarchal meaning it must have multi levels, a minimum of two levels.

The TLD (top level domain) is the root name, such as the com, net, etc., names. The client side resolver service algorithm (which is governed by the DHCP Client service which must be running on all machines, static or not),
relies on that name for the basis to find the second level name (the name “domain” in domain.com, etc.). If the name is a single label name, it thinks THAT name is the TLD.

Therefore it then hits the Internet Root servers to find how owns and is authoritative for that TLD.Such as when looking up Microsoft.com. It queries for the COM portion, which the roots return the nameservers responsible for the COM servers, then it queries for the servers responsible for Microsoft.com zone.

If it’s a single label, the query ends there, and it won’t go further. However what is funny (sic) is that even though the single label name is being hosted locally in DNS, it will NOT query locally first, because it believes it is a TLD, therefore goes through the normal resolution (recursion and devolution) process, which causes excessive query traffic to the internet Root servers.

How to fix it? Good question. Glad you’ve asked.

  1. The preferred “fix” (in a one line summary), is to install a fresh new domain properly named and use ADMT to migrate user, group and computer accounts into the new domain from the current domain.
  2. An alternative is to perform a domain rename, (difficulty depends on the operating system and which version of Exchange is installed).
  3. As a temporary resort, you can use the patch or band aid registry fix to force resolution and registration that is mentioned in the following link. This must be applied to every machine. Unfortunately it must be done on every machine in the domain, including the DCs, member servers, workstations and laptops.

Information About Configuring Windows 2000 for Domains with Single-Label DNS Names:
http://support.microsoft.com/?id=300684

Single Label Names and being a better Internet Neighbor

The following was posted by Microsoft’s Alan Woods in 2004:

Single label names, from Alan Woods, [MSFT], posted:

—– Original Message —–
From: “Alan Wood” [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS

Hi Roger,

We really would prefer to use FQDN over Single labled. There are
alot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.

Example: Single Labeled domain .domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA
Example. Host.DomainA and uses the following to connect to a share
\\host then it is not going to resolve. WHY, because the resolver is
first going to query for first for Host.Child2.child1.domainA, then it
next try HOST.Child1.domainA at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.

Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that.   NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON’T DO IT.  It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.

Microsoft is seriously asking you to NOT do this.  We will support you but
it the end results could be limiting as an end results depending on the
services you are using.

Thank you,

Alan Wood[MSFT]

 

Related Articles – Even though they seem old, they STILL APPLY!!!

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain
http://support.microsoft.com/kb/555040

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003:
http://support.microsoft.com/kb/825036

DNS and AD (Windows 2000 & 2003) FAQ:
http://support.microsoft.com/kb/291382

Naming conventions in Active Directory for computers, domains, sites, and OUs (Good article on DNS and other names)
http://support.microsoft.com/kb/909264

============================================================

Summary

I hope this helps!

Published 10/15/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Remote Server Administration for Windows 2012 R2

image

 

Prologue

Ace here again. This discusses remote administration. Simple, right? Maybe not!

Remote Server Administration for Windows 2012 R2

Server Manager in Windows Server® 2012 R2 can be used to perform various management tasks on remote servers. By default, remote management is enabled on Windows Server 2012 R2.You can add remote servers to the Server Manager Server pool in Windows Server 2012 R2 Server Manager.

Objectives

Discuss the following remote admin methods

  • What is Remote Management?
  • How to Enable and Disable Remote Management
  • Remote Management and Tools Commands
  • Server Manager
  • WinRM
  • PowerShell Remoting
  • Remote Desktop
  • Remote Server Administration Tools (RSAT)
  • SCONFIG

What is Remote Management?

Windows Server 2012 R2 provides the ability to remotely manage multiple servers with a number of methods. One of the newest features in Windows Server 2012 is the ability to use Server Manager for this task.

In addition to Windows Remote Management, you can also use Remote Shell and Remote Windows PowerShell to manage remote computers. This provides you the ability to locally load Windows PowerShell modules, such as Server Manager, and execute PowerShell cmdlets available in the loaded module on remote servers. This allows you the ability to run PowerShell commands and scripts. This works including when the script is only on the local server

Windows Remote Management (WinRM) is the Windows implementation of WS-Management, which is an industry standard, Web-based services based protocol. Windows runs the WinRM as a service under the same name, WinRM. WinRM provides secure local and remote communications for management applications and scripts.

In addition, Windows Remote Management is one of the components of the Windows Hardware Management features to allow secure local and remote Windows Server management across a firewall using standard Web service-based protocols.

If the server hardware has an optional, built-in Baseboard Management Controller (BMC) provided by the hardware vendor, you can also remotely manage a system even if the Windows operating system has not yet booted or has failed. This also allows access to the server’s BIOS.

A BMC is an option m provided by hardware vendors, that consists of a microcontroller and an independent network connection that you can communicate to if the server ever becomes offline.

When a server is not connected to a BMC, WinRM can still be used to connect to WMI remotely in situations where firewalls may block DCOM communications, because WinRM uses the secure web-based port, TCP 443.

Additional Reading on WinRM:

About Windows Remote Management
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384291(v=vs.85).aspx

Hardware Management Introduction (includes BMC information)
http://technet.microsoft.com/en-us/library/f550cac0-5344-41cb-8e89-6e5c93236886

.
 
How to Enable and Disable Remote Management

There are a number of methods to administer WinRM.

· Winrm.cmd – Command line tool that allows administrators to configure WinRM, get data, or manage resources. For syntax, you can run winrm /? for online help.

· Win-RM Scripting API – Allows you to create remote administration scripts that expose the WS-Management APIs and protocols.

· Winrs.exe –A command line tool to execute CMD commands on remote servers using WS-Management APIs. For example, to remotely get an ipconfig /all from a remote machine, you can run:
winrs –r:DC12.trimagna.com “ipconfig /all”;tasklist

You can also use the help command to see all possible options and syntax:
winrs –?

· IPMI and WMI Providers – The IPMI provider and drivers allow remote hardware management using BMC. These can be used programmatically.

· WMI Service – Using the WMI plug-in, WMI runs together with WinRM to provide data or control functions for remote management.

· WS-Management protocol – SOAP based protocol using XML messages. It is a web-based, firewall friendly protocol running across secure TCP 443 providing industry-standard interoperability to transfer and exchange management information.

Remote Management Tools and Commands

There are a number of ways to enable, disable and configure Remote Management.

Server Manager

To enable or disable Remote Management, in Server Manager Local Server node, click the text next to Remote Management icon.

WinRM Command

You can use the WinRM command to enable, disable, and configure Remote Management.

The syntax is:

WinRM OPERATION RESOURCE_URI [-SWITCH:VALUR [-SWITCH:VAKLUE] …] [@{KEY=VALUR [;KEP=VALUE]…}]

You can use the following to check the current Remote Management configuration and status:
winrm get winrm/config

Or you can run it remotely on another server using the WinRS command:
winrs –r:DC12-1.trimagna.com “winrm /config”;tasklist

To enable or disable Remote Management:
WinMR qc

When the WinRM qc command is run, it performs a number of steps to enable and configure the Remote Management service:

  1. Configures and changes the WinRM service from Manual to Automatic startup.
  2. Starts the WinRM service.
  3. Creates and configures a listener that will accept WinRM requests on any IP address.
  4. Creates a Windows Firewall exception for WS-Management traffic for the HTTP protocol.

If the Windows Firewall is disabled, you will see one of the following error messages:

  • WSManFault
  • Message
  • ProviderFault
  • WSManFault
  • Message = Unable to check the status of the firewall.
  • Error number: -2147023143 0x800706D9
  • There are no more endpoints available from the endpoint mapper.

To view the command syntax and options, you can run winrm -?

WinRM supports the following commands:

  • PUT
  • GET
  • ENUMERATION
  • INVOKE
WinRM Examples:

Start a service on a remote machine:
winrm invoke startservice wmicimv2/Win32_Service?name=w32time -r:DC12

Reboot a remote machine:
winrm invoke reboot wmicimv2/Win32_OperatingSystem -r:FS1

Additional Reading on the WinRM commands:

An Introduction to WinRM Basics – From the EPS Windows Server Performance Team
http://blogs.technet.com/b/askperf/archive/2010/09/24/an-introduction-to-winrm-basics.aspx

.

PowerShell Remoting

There a number of cmdlets that use WMI for remote administration. The cmdlets invoke a temporary connection the remote computer using WMI, runs the command, then closes the session.

These cmdlets do not use WS-Management based remoting, therefore the computer does not require to be configured for WS-Management nor does it have to meet the system requirement for WS-Management. Because they are not WS-Management service related, you can use the ComputerName parameter in any of these cmdlets

You can run the Invoke-Command cmdlets to run commands on other computers.

For example, to get a list of all services on a remote computer that are either running or stopped, you can run the following command
Invoke-Command –computername DC12 –scriptblock {get-service)

Or to see the status of a single service:
Invoke-Command –computername DC12 –scriptblock {get-service WinRm)

Additional Reading on Remote PowerShell:

Windows PowerShell Remoting – Complete list of commands
http://msdn.microsoft.com/en-us/library/windows/desktop/ee706585(v=vs.85).aspx

.

 

Remote Server Administration Tools (RSAT) for Windows

Remote Server Administration Tools for Windows®  includes Server Manager, Microsoft Management Console (MMC) snap-ins, consoles, Windows PowerShell® cmdlets and providers, and some command-line tools for managing roles and features that run on Windows Server 2012 R2.

.

SCONFIG

For Server Core, you can use the SCONFIG command and choosing Option #4, then choosing Option #1 to Enable Remote Management, or Option #2 to Disable Remote Management.

image

Additional Reading on WinRM tools

About Windows Remote Management
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384291(v=vs.85).aspx

.

Remote Desktop

Remote Desktop has been used for a number of years, and it is the most common method to remotely administer a remote machine. To use Remote Desktop, it must be enabled first on the remote computer. To enable Remote Desktop on the full version of Windows Server 2012, perform the following steps”

  1. Open Server Manager
  2. Click the Local Server Node
  3. Click the “Disabled” status next to Remote Desktop.
  4. The System Properties page appears and is focused on the Remote tab.
  5. Under the Remote tab, select one of the following:
  1. Don’t allow connections to this computer – Default disabled.
  2. Allow connections only from Computers running:
  1. Checkbox: Allow Remote Desktop with Network Level Authentication – If you check this box, this setting enables and only allows secure connections from Remote Desktop clients that support network-level authentication.

image

You can also enable Remote Desktop on Sever Core using the SCONFIG command.

==================================================================

 

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.