DNS Recursive Queries vs Iterative Queries

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Published Nov 12, 2009 at 6:55 PM EST
Edits:
10/6/2010 12:31 AM EST – Added section “Non Sequitur: Windows Cache Poisoning Settings and Recursion Settings.” This was in response to a discussion associating recursion and cache poisoning that I wanted to clear up.

 

The Definition Between Recursive and Iterative Queries Actually Depends on Context, Such as Which Machine is Asking the Query.

The reason I mention this is that a recursive query basically means a machine, such as a client or even a DC, sends a query to a DNS server for resolution, and the DNS server resolves the query either from a zone that has been configured locally (in its Forward Lookup Zones or Reverse Lookup Zones), or from a Stub zone, Root Hints, General Forwarder or Conditional Forwarder.

Therefore, in summary, recursive name queries are generally made by a DNS client to a DNS server, or by a DNS server that is configured to pass name queries it cannot resolve (because it does not host the zone) to another DNS server, whether through a Stub zone, Conditional Forwarder or General Forwarder.

An iterative query is a request from a client that tells the DNS server the client expects the best answer the server can provide immediately, without contacting other DNS servers, whether or not it has the zone configured. The process then relies on the client to continue, possibly by following a referral, where the DNS server supplies the client with the NS or A records of a DNS server closer to the namespace that may be able to provide the answer. However, we don’t see that in the normal sense of the word ‘query,’ which is what we are more familiar with when a client sends a request to a DNS server. For the most part, the DNS resolver service on Windows clients is basically a ‘stub resolver’ that relies on a recursion-enabled DNS server to resolve queries it is not aware of. Of course, you can create resolver scripts to perform an iterative query.

However, with a recursion request from a client to a DNS server (which, as mentioned above, is what we normally mean by the term ‘query’), the DNS server will do its best to resolve it, either by using Stubs, Conditional or General Forwarders, or Root Hints. Using the Root Hints is essentially an iterative query process that devolves the namespace from the TLD backwards (such as from “com” to the second level name, etc). A query to a Forwarder, if one is configured, is essentially a recursion request, because technically it’s not an iterative request, even though the server repeats (iterates or re-iterates) its queries when trying to find the answer.

You can make nslookup perform an iterative query by using the “norecurse” option (set norecurse). In this situation the DNS server will give its best response without looking anywhere other than its cache or the zones it is authoritative for.
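To make the distinction concrete at the wire level, here is an added example in Python (not code from the original post). It builds raw DNS query messages with the Recursion Desired (RD) header bit set or cleared, which is what nslookup’s set norecurse does, and interprets two constructed responses: a complete answer, which is what a recursive query normally gets back, and a referral (NS records in the authority section and no answer) that an iterative client must follow on its own. The names, addresses and responses are constructed sample data (192.0.2.0/24 is the documentation address range); nothing is sent on the network.

```python
"""Recursive vs. iterative DNS queries at the wire level (added example)."""
import struct

TYPE_A, TYPE_NS = 1, 2
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080

def encode_name(name):
    """Dotted name -> uncompressed DNS label sequence."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(qname, qtype=TYPE_A, recursion_desired=True, txid=0x1234):
    """Header + question; 'set norecurse' in nslookup clears the RD bit."""
    flags = FLAG_RD if recursion_desired else 0
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_rr(name, rtype, rdata, ttl=3600):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(query, answer=(), authority=(), additional=(), recursion_available=True, authoritative=False):
    """Response to `query`: same txid, RD copied from the query, question echoed."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = FLAG_QR | (qflags & FLAG_RD)
    flags |= FLAG_RA if recursion_available else 0
    flags |= FLAG_AA if authoritative else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answer), len(authority), len(additional))
    return header + query[12:] + b"".join(answer) + b"".join(authority) + b"".join(additional)

def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset, jumped = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_response(msg):
    """Header flags plus answer/authority/additional as (name, type, value) lists."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    parsed = {"rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
              "aa": bool(flags & FLAG_AA), "rcode": flags & 0x000F}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, offset = decode_name(msg, offset)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            start, offset = offset + 10, offset + 10 + rdlen
            if rtype == TYPE_A and rdlen == 4:
                value = ".".join(str(b) for b in msg[start:offset])
            elif rtype == TYPE_NS:
                value, _ = decode_name(msg, start)
            else:
                value = msg[start:offset].hex()
            records.append((name, rtype, value))
        parsed[section] = records
    return parsed

def classify(parsed):
    """What the client got: a usable answer, a referral to chase, or nothing."""
    if parsed["answer"]:
        return "answer"
    if any(rtype == TYPE_NS for _, rtype, _ in parsed["authority"]):
        return "referral"
    return "no-data"

def demo():
    """Constructed exchange: RD=1 gets an answer, RD=0 gets a referral to the .com servers."""
    qname = "www.example.com"  # sample name; 192.0.2.0/24 is documentation address space
    rq = build_query(qname, recursion_desired=True)
    rr = build_response(rq, answer=[build_rr(qname, TYPE_A, bytes([192, 0, 2, 10]))])
    iq = build_query(qname, recursion_desired=False)
    ir = build_response(iq,
                        authority=[build_rr("com", TYPE_NS, encode_name("a.gtld-servers.net"))],
                        additional=[build_rr("a.gtld-servers.net", TYPE_A, bytes([192, 0, 2, 53]))])
    return {"recursive": classify(parse_response(rr)), "iterative": classify(parse_response(ir))}

if __name__ == "__main__":
    print(demo())  # {'recursive': 'answer', 'iterative': 'referral'}
```

To try this against a real server you would send the bytes from build_query over UDP port 53 and feed the reply to parse_response. With RD cleared, a server that does not host the zone answers from its cache or with the closest delegation it knows, which is exactly the “best response” behaviour described above for set norecurse; the RA flag in the reply tells you whether the server would have recursed had you asked.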

 

To go further…

The following quote is a non-Microsoft definition, but it still applies, no matter what DNS server service is used. The quote was taken from:
http://www.linuxjournal.com/article/4198

“Since the DNS server called ns.someisp.com isn’t authoritative for a zone called wiremonkeys.org and hasn’t recently communicated for any host that is authoritative for it, it begins a query of its own on the user’s behalf. The process of asking one or more queries in order to answer (resolve) other queries is called recursion.”

Does that make sense so far? 

So to further take it another step or to look at it in a different light…

Keep in mind, recursion is not necessarily resolution. The reason is that the process of following a chain of delegations from one set of content DNS servers to another, starting at some root servers, is termed “resolution”, as exemplified in section 6.3 of RFC 1034. It is not termed “recursion”. “Recursion” is something else. The official definition of “recursion” is the act of a server sending back-end queries (of _whatever_ sort) to another server. Both query resolution, where back-end queries are sent to content DNS servers, and forwarding, where back-end queries are sent to proxy DNS servers, are forms of recursion.

Therefore…

  • Resolution can often be provided from the server’s own authoritative zones, with no recursion involved.
  • A query can be resolved from the cache, with no recursion involved (directly, because the answer is in the cache).
  • By forwarding, with the forwardee doing the resolution; here recursion is involved.
  • However, if the server forwards the query out, it essentially becomes an iterative query because it’s proxying the request elsewhere on behalf of the client (an indirect query for the client); but essentially this can be viewed as a recursive query by the DNS server itself acting as a recursive client.
  • Or the DNS server can perform the query resolution itself, where recursion is involved. An example is when forwarding is not enabled and the DNS server uses the Root Hints, where essentially it’s querying the roots in a recursive manner, devolving the DNS name hierarchy from the TLD backwards.
  • And more…

Got it?

I hope that was easy. Next week we’ll discuss helion particles (a-particle of the helium-3 nucleus) and their mass.

 

Non Sequitur: Windows Cache Poisoning Settings and Recursion Settings

Added 10/6/2010 – This stemmed from a discussion in the Microsoft forums where a poster was concerned with the cache poisoning settings and recursion, having been told that it was his recursion settings causing the false positive.

If you have ever had an external security threat analysis performed and the results indicated that your DNS servers were open to DNS pollution, with the recommended fix being to disable recursion, disabling recursion is not necessarily required. It may not be an option in many scenarios, and it may not necessarily be the answer. Simply enable the “Secure cache against pollution” setting in DNS. Keep in mind (to veer off topic for a moment) that with Windows 2003 and newer, “Secure cache against pollution” is enabled by default; in Windows 2000, it needs to be set. I think that this setting should suffice for internal needs and prevent DNS pollution for the most part, without necessarily affecting DNS performance, while keeping the server secure against current vulnerabilities.
 
If “Do not use recursion for this domain” is enabled, the DNS server will pass the query on to forwarders, but will not recursively query any other DNS servers (e.g. external DNS servers or the Root Hints) if the forwarders cannot resolve the query. This setting effectively disables Root Hints, forcing the server to rely only on its Forwarders.
 
If “Disable recursion” under the Advanced tab is checked (this setting also completely disables forwarders), the server will attempt to resolve a query from its own database only. It will not query any additional servers. This is normally set for content-only nameservers, such as for web hosting companies that host numerous domain names for their customers but don’t want anyone else using the server as a resolver for outside names.
 
If this is an internal DNS server that is not exposed to the internet, “Secure cache against pollution” is set, and it’s not offering public nameserver services for any public records, I think you will be fine and would leave it alone with the default settings.

 

Related Links on Recursive and Iterative Queries

Recursive and Iterative Queries – With a recursive name query, the DNS client requires that the DNS server respond to the client […]:
http://technet.microsoft.com/en-us/library/cc961401.aspx

How DNS query works (Jan 21, 2005) – As DNS servers process client queries using recursion or iteration, they discover and acquire a significant store of information about the …
http://technet.microsoft.com/en-us/library/cc775637(WS.10).aspx

Cool site with a scripted demo showing how it works and the differences between a recursive and iterative query:
Recursive/Iterative Queries in DNS (Chapter 2)
http://media.pearsoncmg.com/aw/aw_kurose_network_2/applets/dns/dns.html

 

Ace Fekay

Active Directory DNS Domain Name Single Label Names


Originally Compiled 3/2005

Active Directory DNS Domain Name Single Label Name scenarios are slowly disappearing the more IT admins understand what they are. However, there are installations that are still plagued by this condition, whatever the original cause was, whether lack of research, planning or simply understanding AD’s DNS requirements. This article introduces what a single label name domain name is, and what can be done about it.

FQDN

First, let’s discuss the FQDN. What is an FQDN?

It stands for “Fully Qualified Domain Name.” It is multi-level, or hierarchical, such as:

domain.com
domain.net
domain.local
childdomainname.domain.local
etc

What is a Single Label DNS Domain name?
The name is reminiscent of the legacy style NT4 NetBIOS domain names, such as:

DOMAIN
CORP
COMPANYNAME
etc

Here is the reason this does not work with DNS, which Active Directory relies on.

DNS

DNS is a hierarchical database. Some call it a “tree” with a root (the ‘com’ or ‘net’, etc, name), then the trunk (the ‘domain’ portion of it), and the branches (such as www, servername, etc). The root domain name, such as com, edu, net, etc, is also known as the TLD (Top Level Domain name).

Basically you can look at a DNS domain name as having multiple levels separated by periods. The minimum requirement for an FQDN domain name, such as microsoft.com, is two levels. Then of course come your resource names, such as www, servername, or even child domain names under it.

Notice with a single label name there is only one name for the domain, or one level? Don’t get this confused with the NetBIOS domain name, that we were familiar with in the NT4 days. AD supports the NetBIOS domain name as well, but only as a NetBIOS domain name. It’s one of the domain names chosen when a machine is promoted into a domain controller for a brand new domain in a brand new forest. NT4 wasn’t reliant nor did it use DNS for NT4 domains. However, AD is reliant, therefore it must follow DNS naming rules.

Unfortunately the old NT4 style names are not hierarchical because there is only one level.

Since AD requires and relies on DNS, and DNS is a hierarchical database, a single label name does not follow any sort of hierarchy. DNS fails with single label names. Windows 2008, Windows 2003, XP and Vista have problems resolving single label names because such a name does not follow the proper format for a DNS domain name, such as domain.com, etc.

Also, Windows 2000 SP4 and all newer machines have problems querying single label names. It’s explained below by Alan Woods. Because clients query DNS for AD resources (domain controller locations and other services), they may have difficulty finding resources.

How did it happen? Most cases it’s due to lack of research on AD’s DNS requirements, or how it works, or it could have been a simple typo, yet costly typo, when originally upgrading from NT4 or promoting your new AD domain.

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (or any AD upgrade or installation):
http://support.microsoft.com/default.aspx?scid=kb;en-us;555040

 

Single Label Name Explanation

Another variation of the Single Label Name explanation that I had provided in a response to a post in the DNS and/or AD newsgroups at one time:

The issue is the single label name. Locally at HQ, it’s using NetBIOS to join; remotely, however, it’s relying on DNS. DNS queries do not work properly with single label names on Windows 2000 SP4 and all newer machines. Period. Why? Good question. It’s based on the fact that DNS is hierarchical, meaning it must have multiple levels, a minimum of two.

The TLD (top level domain) is the root name, such as com, net, etc. The client-side resolver algorithm (which is governed by the DHCP Client service, which must be running on all machines, static or not) relies on that name as the basis for finding the second level name (the name “domain” in domain.com, etc). If the name is a single label name, the resolver thinks THAT name is the TLD.

Therefore it then hits the Internet Root servers to find who owns and is authoritative for that TLD, just as when looking up microsoft.com: it queries for the COM portion, the roots return the nameservers responsible for COM, and it then queries those for the servers responsible for microsoft.

If it’s a single label, the query ends there and won’t go further. However, what is funny (sic) is that even though the single label name is hosted locally in DNS, the resolver will NOT query locally first, because it believes the name is a TLD; it therefore goes through the normal resolution (recursion and devolution) process, which causes excessive query traffic to the Internet Root servers.

How to fix it? Good question. Glad you’ve asked.

1.  The preferred “fix” (in a one line summary), is to install a fresh new domain properly named and use ADMT to migrate user, group and computer accounts into the new domain from the current domain.

2. An alternative is to perform a domain rename, (difficulty depends on the operating system and which version of Exchange is installed).

3. As a temporary resort, you can use the patch/bandaid registry entry mentioned in the following link to force resolution and registration. Unfortunately it must be applied to every machine in the domain, including the DCs, member servers, workstations and laptops.

Information About Configuring Windows 2000 for Domains with Single-Label DNS Names:
http://support.microsoft.com/?id=300684

 

Microsoft’s Stance on Single Label Name AD DNS domain names.

The following is Microsoft’s stance on Single Label Names by Microsoft engineer Alan Woods.

Single label names, from Alan Woods, [MSFT], posted:

—– Original Message —–
From: “Alan Wood” [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS

Hi Roger,

We really would prefer to use FQDN over single labeled. There are
a lot of other issues that you can run into when using a single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
devolve DNS requests to the LAST 2 names.

Example: Single labeled domain .domainA
then, you add additional domains in the forest.
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA,
example Host.DomainA, and uses the following to connect to a share,
\\host, then it is not going to resolve. WHY? Because the resolver is
first going to query for Host.Child2.child1.domainA, then it will
next try HOST.Child1.domainA, and at that point the devolution process is
DONE. We only go to the LAST 2 domain names.

Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers, and being all good Internet community
users we definitely do not want to do that. NOTE that in Windows 2003,
you get a big pop-up error message when trying to create a single labeled
name telling you DON’T DO IT. It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.

Microsoft is seriously asking you to NOT do this. We will support you, but
the end results could be limiting depending on the
services you are using.

Thank you,

Alan Wood[MSFT]
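As an added example (not from the original post or from Microsoft), the following Python models the primary DNS suffix devolution behaviour described in the message above and in the Single Label Name Explanation section: an unqualified name has the client’s primary DNS suffix appended, and the suffix is then devolved one label at a time, stopping once only two labels remain. The forest names and host records are constructed sample data, and the two-label stop is the rule the message states; later Windows versions make the devolution level configurable through Group Policy, so treat the stop depth as a parameter rather than a constant.

```python
"""Primary DNS suffix devolution for an unqualified name (added example)."""


def devolution_candidates(short_name, primary_suffix, stop_at_labels=2):
    """FQDNs the resolver tries, in order, for an unqualified name.

    The primary suffix is appended first, then devolved one label at a time
    from the left; devolution stops once fewer than `stop_at_labels` labels
    remain (two, as the message above describes).
    """
    labels = [l for l in primary_suffix.strip(".").lower().split(".") if l]
    candidates = []
    while len(labels) >= stop_at_labels:
        candidates.append(short_name.lower() + "." + ".".join(labels))
        labels = labels[1:]  # drop the leftmost label
    return candidates


def resolve_unqualified(short_name, primary_suffix, zone_records, stop_at_labels=2):
    """Return the first candidate present in `zone_records` (fqdn -> IP), or None."""
    records = {name.lower(): ip for name, ip in zone_records.items()}
    for fqdn in devolution_candidates(short_name, primary_suffix, stop_at_labels):
        if fqdn in records:
            return fqdn
    return None


# Constructed sample data: a forest rooted at a single-label name and one rooted at an FQDN.
SINGLE_LABEL_FOREST = {"host.domaina": "192.0.2.10"}
FQDN_FOREST = {"host.domaina.com": "192.0.2.10"}


def demo():
    """A client in child2.child1.<root> tries to reach \\host, as in the message above."""
    return {
        "single_label_tries": devolution_candidates("host", "child2.child1.domaina"),
        "single_label_result": resolve_unqualified("host", "child2.child1.domaina", SINGLE_LABEL_FOREST),
        "fqdn_tries": devolution_candidates("host", "child2.child1.domaina.com"),
        "fqdn_result": resolve_unqualified("host", "child2.child1.domaina.com", FQDN_FOREST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the single-label forest the candidate list ends at host.child1.domaina, so host.domaina is never tried and the lookup fails; with the same forest rooted at domaina.com the third candidate is host.domaina.com and it resolves. The sample deliberately shows why the fix has to be a proper two-label (or longer) root name rather than extra records in the zone.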

 

Related Articles

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain
http://support.microsoft.com/kb/555040

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003:
http://support.microsoft.com/kb/825036

DNS and AD (Windows 2000 & 2003) FAQ:
http://support.microsoft.com/kb/291382

Naming conventions in Active Directory for computers, domains, sites, and OUs (Good article on DNS and other names)
http://support.microsoft.com/kb/909264

Ace Fekay

Configuring the Windows Time Service for Windows Server

Configuring the time service on the PDC Emulator FSMO role holder


Original Compilation 9/12/2009
Edit: 9/23/2009    – Added additional links (indicated in the Related Links section).
Edit: 10/10/2009  – Added additional section called “Client To DC Time Sync”
Edit: 2/11/2010    – Added info about finding out which DC is the time source by using the w32tm /monitor command
Edit: 8/9/2010       – Added additional info in the troubleshooting section
Edit: 10/12/2010  – Added additional info about debugging and transferred PDC roles
Edit: 1/17/2011    – Added information about the Microsoft Mr Fix It script for a sure fire way to reset the time service (scroll down to “Microsoft Mr Fix It”)
Edit: 1/19/2011    – Added information regarding virtualizing domain controllers and the Time service. Scroll to the bottom of this blog.

 

Prelude

There is absolutely NO NEED TO TOUCH THE TIME SERVICE REGISTRY ENTRIES

I just wanted to make a statement regarding the time service registry entries. There really is NO need to modify them. The time service works by default, out of the box. The only thing that’s recommended is to synchronize the PDC Emulator in the forest root domain to a reliable outside source. That’s it.

I’m stating this because, based on numerous public postings regarding corrupted time service settings, attempts at changing registry entries (in the belief that that’s how it’s done) are usually the culprit that corrupted the settings. The time service should only be configured using the w32tm utility.

If there are any problems with corrupted settings and it’s not working properly, I would suggest simply resetting the time service itself (as stated in the “To Reset the Time service” section below) by running the following commands.

If you’ve experimented with changing time settings and unknowingly altered the default behavior, you can set the time settings back to default:

1. On the DC that you’re experiencing issues with, run the following in a command prompt:

  •  net stop w32time
  •  w32tm /unregister
  •  w32tm /register
  •  net start w32time

2. On the Server in question (whether it’s the PDC Emulator or another server), run the following in a command prompt: 

  • “net time /setsntp: ” (note the blank space before the closing quote) [This tells the client (whether a DC or workstation) to delete the current registry settings for time and use the default settings.]
  • Restart the time service:  Net stop w32time && net start w32time

3. On the PDC Emulator run the following in a command prompt:

  • W32tm /config /manualpeerlist:time.nrc.ca /syncfromflags:manual /reliable:yes /update
  •  W32tm /resync /rediscover
  • Restart the time service: net stop w32time && net start w32time

4. On each DC that is not holding the PDC Emulator role, run the following in a command prompt:

  • w32tm /config /syncfromflags:domhier /update
  •  W32tm /resync /rediscover
  • Restart the time service: net stop w32time && net start w32time

5. This will clear any errors in the Event Viewer, if there were any.

The only time you should really need to configure it beyond this is with the assistance of Microsoft Support.

That said, the following shows how the service works by default, the caveats, things to consider, troubleshooting, and a link to Microsoft’s Mr Fix It to fix it for you!

Time Service Background

Kerberos is the authentication method in an Active Directory infrastructure. There are three parts to the authentication method between members of an AD infrastructure: 1) the client, 2) the server, and 3) the trusted third party, which is Kerberos. Kerberos uses time as a “salt” to ensure that the authentication sequence cannot be reused in a “replay” scenario by a prospective attacker. One of the bases for preventing a “replay” is that Kerberos allows a five (5) minute time skew: if the clocks of the two machines authenticating (whether DC to DC, member server to DC or client, or client to DC) are off by more than five (5) minutes, the authentication sequence fails. To ensure that all clients’ clocks are within the five (5) minute skew, time must be synchronized across the infrastructure.

Clients get their time from the DC that logged them on. That DC gets its time synced from the PDC Emulator in its domain. If that domain is a child domain, its PDC Emulator gets its time from the PDC Emulator in the forest root, which should be configured to use an external time source. This works out of the box, other than configuring the PDC Emulator in the forest root domain to sync with an external time source. No other action is truly necessary. Altering the time registry settings is inviting trouble and should only be done under guidance from Microsoft Support.

To find the DC that logged a client on, run the following. This is also the client’s time server.
echo %logonserver%

In a multi-site scenario, as long as AD Sites have been configured properly with their respective subnet objects assigned to the site, and the servers have been moved to their respective sites, the client machine’s logonserver will always be the time source. 

This all assumes that none of the DCs are multihomed (otherwise a DC may become part of more than one site, which will cause an error, among other issues), that the AD DNS domain name is not a single label name (“domain” vs. domain.something), and that only the internal DNS servers are configured in ipconfig; otherwise you can expect other problems to occur.

Time Service Domain Hierarchy

Time Convergence

This section was quoted from:

Basic Operation of the Windows Time Service
http://support.microsoft.com/kb/224799

All client desktops select an authenticating domain controller (the domain controller returned by DSGetDCName()) as their time source. If this domain controller becomes unavailable, the client re-issues its request for a domain controller.

All member servers follow the same process.

All domain controllers in a domain make 3 queries for a DC:
1. A reliable time service (preferred) in the parent domain,
2. A reliable time service (required) in the current domain,
3. The PDC of the current domain. It will select one of these returned DCs as a time source.

The PDC Emulator FSMO role holder at the root of the forest is authoritative, and can be manually set to synchronize with an outside time source (such as the United States Naval Observatory).

Windows Time Hierarchy

The time hierarchy is shown in a diagram in the following article:

How the Windows Time Service Works, Updated: March 12, 2010
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx

 

Time Sync

Client to DC

How to configure an authoritative time server in Windows Server 2003
http://support.microsoft.com/kb/816042

The points below were quoted from the above link:

All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
All member servers follow the same process that client desktop computers follow.
All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner. In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization

The following quote concerns the time algorithm in Windows 2000; I haven’t seen any evidence that it has changed:
http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html
http://windowsitpro.com/article/articleid/8383/windows-time-synchronization-service.html

“When a client workstation (i.e., a Windows 2000 Professional—Win2K Pro—machine) boots, it contacts a domain controller for authentication. When the two computers exchange authentication packets, the client adjusts its local time based on the target (i.e., the domain controller’s) time. If the target time is ahead of local (i.e., the client’s) time by less than 2 minutes, the client immediately adjusts its time to match the target time. If the target time is behind the local time by less than 2 minutes, the client slows its clock over a period of 20 minutes until the two times are in synch. If the local time is off by more than 2 minutes, the client immediately sets its time to match the target time. . . . “

Due to this 2-minute convergence window, an authoritative time server on the domain (the PDC Emulator) acts as a time client to an external time source, so you may see a lag between the time source’s time and the time on the server.

 

DC to DC Time Service Selection:

A DC will choose a PDC Emulator to sync time with. A child domain PDC Emulator will sync time with a DC in the parent (forest root) domain; it can choose the parent’s PDC Emulator or any other DC in the parent root domain.

Therefore, don’t be alarmed if you see a child domain DC syncing with a forest root DC; that’s normal. A child domain’s DCs will sync with any domain controller in the forest root domain. It’s outlined in the following article, in a diagram titled “Time Synchronization in an AD DS Hierarchy:”

How the Windows Time Service Works
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx

 

Domain Controller TIme Source Queries and Score Determination

If you have problems viewing the image, see the full-sized version at:
http://4ufq6a.blu.livefilestore.com/y1paVf9RvrfAXlM4dVk-bZvVivi0OBbK75AcXfvnEGz0RybJIkbGbRJ8NgoHGdThaEuIz3l2Z8ZBXw1KP7IuRENQR2iQvKhyCcC/Windows%20Time%20-%20Domain%20Controller%20Time%20Source%20Queries%20and%20Score%20Determination.jpg?psid=1

 

 

To set the Time Service in an Active Directory Infrastructure

Windows 2000

On the Windows 2000 PDC Emulator, run the following four commands:

C:\>net time /setsntp:Time.nrc.ca
The command completed successfully.

C:\>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

C:\>w32tm -once
(W32time performs numerous commands to set the time)

C:\>net start w32time
The Windows Time service is starting.
The Windows Time service was started successfully.

 

Windows 2003

On the DC holding the PDC Emulator FSMO Role (example showing a US government time source):

w32tm /config /manualpeerlist:time-a.nist.gov /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time

On other DCs (that are not the PDC Emulator):
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time

 

Windows 2008

Please follow the registry entries instructions in the following Microsoft article on how to configure the Time Service in Windows 2008:

How to configure an authoritative time server in Windows Server (2003 & 2008)
http://support.microsoft.com/kb/816042

 

 

The PDC master must not be configured to synchronize with itself

This important section was quoted from:

How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042

For more information about why the PDC master must not be configured to synchronize with itself, see Request For Comment (RFC) 1305 at:
http://www.rfc-editor.org/

If the PDC master is configured to synchronize with itself, the following events are logged in the System log:

Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 38
Computer: ComputerName
Description: The time provider NtpClient cannot reach or is currently receiving invalid time data from NTP_server_IP_Address. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 47
Computer: ComputerName
Description: Time Provider NtpClient: No valid response has been received from manually configured peer NTP_server_IP_Address after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Computer: ComputerName
Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time. For more information, see Help and Support Center at http://support.microsoft.com.

 

Transferring the PDC Emulator Role

If you have moved the Windows 2003 PDC Emulator role to another DC, or if you seized the role to another DC because the original PDC Emulator is no longer available, reset the time source and hierarchy:

On the new PDC Emulator (where ‘peers’ is an Internet time source such as time-a.nist.gov):
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

On the old PDCEmulator:
w32tm /config /syncfromflags:domhier /update

After that run the following on both DCs:
net stop w32time
net start w32time

The “peers” value can be a text file or direct input, allowing you to set the time source as either a DNS name (such as time.windows.com) or the IP address of a reliable time source. I normally use 192.5.41.41.

On your edge firewall, make sure UDP port 123 traffic is allowed inbound from the time source.

FYI, you need a reliable external time source; read the following link for a list of them around the internet:

The pool.ntp.org project is a big virtual cluster of timeservers striving to provide reliable and easy to use NTP service for millions of clients without putting strain on the big popular timeservers.
http://www.pool.ntp.org

 

The Net Time Command is Weak and Inaccurate with Certain Functions

DO NOT USE the “net time” command on Windows 2003 and later. It will create confusion with the time service. This command was meant for use with stand alone machines, and basically is a DOS command, and is pretty much useless in an AD environment.

The net time command is weak. It is a foreground application and is not reliable. It does not query what the local machine’s time service is set to use with the domain hierarchy. The net time command is similar to the nslookup command, where it uses its own query methods independent of the local machine.

For example, the following was quoted from:

Overview\Windows Time Service Issues Information
http://www.greyware.com/software/DomainTime/Product/w32time.asp

“When you run NET TIME without the /domain option, the workstation will iterate through the list of time sources on the network, and contact the first one encountered. By default on an NT or 2000 network, only the PDC is a time source.

However, if Domain Time Server is installed on any machine, that machine also becomes a time source. Notice that the NET TIME client won’t use the nearest time source — it will use the first one found in the browser list. It also will not move on to the next source if the first one fails.”

Read more on the net time command and its limitations, in the following link. Scroll down to the heading “Problems with NET TIME”

Overview\Windows Time Service Issues Information
http://www.greyware.com/software/DomainTime/Product/w32time.asp

Which server is my time source?

On a domain member that is not a DC, the DC that logged you on (shown by the LOGONSERVER environment variable) will by default be your time source.

To confirm which server is being used as a time source, you can also run the following command on any member or DC:

w32tm /monitor

For example, I ran this on a non-PDC Emulator DC, dc02.domain.local, in a domain with two DCs. You can see that it grabbed time from the PDC Emulator, which in this case is dc01.domain.local. It also states that dc01.domain.local got its time from 192.5.41.41. You can see the offset between the two DCs is 0.0000651s (seconds), so no sync is required since it is under the 2 minute time sync tolerance.

c:\Documents and Settings\administrator>w32tm /monitor
dc01.domain.local *** PDC *** [192.168.80.10]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from dc01.domain.local
        RefID: ntp1.usno.navy.mil [192.5.41.41]
dc02.domain.local [192.168.80.11]:
    ICMP: 0ms delay.
    NTP: +0.0000651s offset from dc01.domain.local
        RefID: dc01.domain.local [192.168.80.10]
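As an added example (not code from the article), here is a PowerShell function that parses the output format above and flags any machine whose offset from the PDC Emulator exceeds the Kerberos 5-minute tolerance, or that is free-running on its local clock. The sample text is constructed from the output above plus an invented third DC, dc03, with a large skew:

```powershell
# Added example, not part of the original article: parse the text that
# "w32tm /monitor" prints and flag any machine whose offset from the PDC
# Emulator is beyond a tolerance. The sample output below is constructed to
# match the format shown above; dc03 is an invented, badly skewed DC.
$SampleMonitorOutput = @'
dc01.domain.local *** PDC *** [192.168.80.10]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from dc01.domain.local
        RefID: ntp1.usno.navy.mil [192.5.41.41]
dc02.domain.local [192.168.80.11]:
    ICMP: 0ms delay.
    NTP: +0.0000651s offset from dc01.domain.local
        RefID: dc01.domain.local [192.168.80.10]
dc03.domain.local [192.168.80.12]:
    ICMP: 1ms delay.
    NTP: -412.8831223s offset from dc01.domain.local
        RefID: LOCL [76.79.67.76]
'@

function ConvertFrom-W32tmMonitor {
    # Turns w32tm /monitor text into one object per machine.
    param([Parameter(Mandatory)][string]$Text)
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        # Host header line: "<name> [*** PDC ***] [<ip>]:" (not indented)
        if ($line -match '^(?<name>\S+)\s+(?<pdc>\*\*\* PDC \*\*\*\s+)?\[(?<ip>[^\]]+)\]:') {
            if ($current) { $current }
            $current = [pscustomobject]@{
                Computer = $Matches['name']
                Address  = $Matches['ip']
                IsPdc    = [bool]$Matches['pdc']
                Offset   = $null
                RefId    = $null
            }
        }
        elseif ($current -and $line -match 'NTP:\s+(?<offset>[+-]?\d+\.\d+)s offset') {
            $current.Offset = [double]$Matches['offset']
        }
        elseif ($current -and $line -match 'RefID:\s+(?<ref>\S+)') {
            $current.RefId = $Matches['ref']
        }
    }
    if ($current) { $current }
}

function Test-TimeSkew {
    # Reports each machine against the tolerance (default: Kerberos' 5 minutes).
    param(
        [Parameter(Mandatory)][string]$MonitorText,
        [double]$ToleranceSeconds = 300
    )
    foreach ($m in (ConvertFrom-W32tmMonitor -Text $MonitorText)) {
        [pscustomobject]@{
            Computer       = $m.Computer
            Role           = if ($m.IsPdc) { 'PDC Emulator' } else { 'DC' }
            OffsetSeconds  = $m.Offset
            RefId          = $m.RefId
            # w32tm prints LOCL as the RefID of a machine synced only to its own CMOS clock
            FreeRunning    = ($m.RefId -eq 'LOCL')
            OutOfTolerance = if ($null -eq $m.Offset) { $true } else { [math]::Abs($m.Offset) -gt $ToleranceSeconds }
        }
    }
}

# Offline run against the constructed sample; for a live check use:
#   Test-TimeSkew -MonitorText ((w32tm /monitor) -join "`n")
Test-TimeSkew -MonitorText $SampleMonitorOutput | Format-Table -AutoSize
```

In the sample, dc03 comes out with OutOfTolerance and FreeRunning both true: a machine whose RefID is its own clock is exactly the case where Kerberos logons start failing once the drift passes the tolerance.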

 

 

Time Service skew: The Windows W32Time service is not as accurate or reliable as one thinks

Yes, this is true, and the statement comes from Microsoft (KB939322). The Windows Time service cannot reliably keep clocks within 1 or 2 seconds of each other; such tolerances are beyond its design. It was designed for loose synchronization to support Active Directory’s use of the Kerberos v5 authentication protocol, which by default tolerates a maximum clock skew of 5 minutes between a client and the KDC (the timestamp in the Kerberos authenticator is checked against that window to reject replayed tickets). For that purpose W32Time is sufficient. If you have applications that require time-sensitive transactional processing accurate to the second (SEC, banking, or similar requirements), use a third-party time service instead.

The Windows 2000 and 2003 time service skew handling and algorithm are pretty much the same.

Regarding high accuracy, Microsoft’s position on this was quoted from:

Support boundary to configure the Windows Time service for high accuracy environments:
http://support.microsoft.com/kb/939322:

“We do not guarantee and we do not support the accuracy of the W32Time service between nodes on a network. The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs. The W32Time service is primarily designed to do the following:

  • Make the Kerberos version 5 authentication protocol work.
  • Provide loose sync time for client computers.
  • The W32Time service cannot reliably maintain sync time to the range of 1 to 2 seconds. Such tolerances are outside the design specification of the W32Time service.”

 

The following passage was quoted from page 9 in the following Microsoft document.

The Windows 2000 Time Service
http://download.microsoft.com/download/2/0/f/20f61625-7b2a-4531-b007-1c714f1e51b7/wintimeserv.doc

“When the local clock offset has been determined, the following algorithm is used to adjust the time:  

  • If the local clock time of the client is behind the current time received from the server, W32Time will change the local clock time immediately.
  • If the local clock time of the client is more than three minutes ahead of the time on the server, W32Time will change the local clock time immediately.
  • If the local clock time of the client is less than three minutes ahead of the time on the server, W32Time will quarter or halve the clock frequency for long enough to bring the clocks into sync. If the client is less that 15 seconds ahead, it will halve the frequency; otherwise, it will quarter the frequency. The amount of time the clock spends running at an unusual frequency depends on the size of the offset that is being corrected. “

High Accuracy W32time Requirements
http://blogs.technet.com/b/askds/archive/2007/10/23/high-accuracy-w32time-requirements.aspx

“This entry specifies the largest interval, in log2 seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested to do so. The default value for domain controllers is 10. The default value for domain members is 15. The default value for stand-alone clients and servers is 15. “

Based on the article below, “If you change the MaxPollInterval and MinPollInterval local polling values for the Microsoft Windows Time service (W32time), the values are ignored. The service always polls at 17-minute intervals.”

Settings for minimizing periodic WAN traffic
http://support.microsoft.com/kb/819108

Configuring the MaxPollInterval

The passage below was quoted from:

Config\MaxPollInterval
http://technet.microsoft.com/en-us/library/cc739293(WS.10).aspx

“Specifies the longest interval (in units of 2^n seconds, where n is the value of this entry) that is allowed for system polling. While the system does not request samples less frequently than this, a provider may refuse to produce samples when requested to do so.”

“Note: The time service itself is considered unsynchronized after 1.5 times the number of seconds specified by this entry have elapsed. The Network Time Protocol specifies that the maximum clock age is 86,400 seconds, so if the value of this entry is greater than 15, then peers will eventually ignore this server.”

Since the value is an exponent, changing it from the default of 15 to 14 halves the longest interval from 2^15 = 32,768 seconds (about 9.1 hours) to 2^14 = 16,384 seconds (about 4.55 hours). A DC defaults to 10, i.e. 2^10 = 1,024 seconds (about 17 minutes, which matches the 17-minute polling quoted above). Applying the 1.5x rule from the note, a DC at 10 considers itself unsynchronized after 1,536 seconds (25.6 minutes) without a sample, and a member at 15 after 49,152 seconds (about 13.65 hours).

 

 

Read more on this in the following links.

Overview\Windows Time Service Issues Information
http://www.greyware.com/software/DomainTime/Product/w32time.asp

Support boundary to configure the Windows Time service for high accuracy environments
http://support.microsoft.com/kb/939322

 

Additional info regarding accuracy:

“The W32Time service cannot reliably maintain sync time to the range of 1 to 2 seconds. Such tolerances are outside the design specification of the W32Time service.” But Microsoft does reference third-party publishers of time and frequency software that can assist with those extreme high accuracy needs (NOTE: these are not Microsoft related or endorsed, just referenced):

http://tf.nist.gov/general/softwarelist.htm  (for software )
http://tf.nist.gov/timefreq/general/receiverlist.htm   (for hardware )

The following quoted from Windows Time Service Technical Reference (http://technet.microsoft.com/en-us/library/cc773061(WS.10).aspx):
“The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs and is not supported by Microsoft as such. For more information, see

Microsoft Knowledge Base article 939322, Support boundary to configure the Windows Time service for high-accuracy environments (http://go.microsoft.com/fwlink/?LinkID=179459).”

High Accuracy W32time Requirements
http://blogs.technet.com/b/askds/archive/2007/10/23/high-accuracy-w32time-requirements.aspx

 

Third Party Time Solutions

LANTIME M900 NTP Server : NTP Timeserver Platform for Customized Time and Frequency Synchronization Systems (hardware and software based solutions)
http://www.meinberg.de/english/sw/index.htm

What some folks have tried to reduce the skew based on the understanding that the Windows W32Time service does not have tight tolerances:

Time codes and testing the W32time service skew:
http://www.geisswerks.com/ryan/FAQS/timing.html

[ntp:questions] Re: Ntpd time offset threshold
Question: > The offset threshold is 128ms by default. I think it is a so large value.
> I want 1ms accuracy among all clients over LAN. So, do I have to set it to a
> smaller value? As for 1ms accuracy, set it to 0.5ms.
https://lists.ntp.org/pipermail/questions/2005-June/005711.html

Interesting third party forum and newsgroup thread quotes:

======
Following from:
Thread: Can time sync occur every 30 mins?
http://fixunix.com/ntp/67725-can-time-sync-occur-every-30-mins.html

> What is the maximum period value for:
> HKEY LOCAL
> MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\ Parameters\period
>
> I set it to 2880 for the time sync to occur ever 30mins (24x60x2), but
> the time only synchronises every 8 hours in event logs.
> Is it possible for it to sync more often than every 8 hours?
>
> SBS2000, NTP.
> Thanks
> Nick
>

You will have to ask Microsoft that question. It’s a Microsoft product.

There are two Windows builds of the reference implementation of ntpd;
either one should give you much better synchronization than W32TIME.
Ntpd will query its servers at intervals ranging between 64 seconds and
1024 seconds. The daemon adjusts the interval automatically to the best
value for current conditions.

See http://norloff.org/ntp/ or http://www.meinberg.de/english/sw/ntp.htm
The latter version comes with a Windows installer. I have not used
either version and so can’t tell you much about them except that either
should perform better than W32TIME!!!!

If you decide to try one of these, you should plan on configuring at
least four timeservers for best performance.

See http://ntp.isc.org/bin/view/Servers/WebHome for lists of publicly
available time servers and “rules of engagement”.

=>
Does anyone know whether Windows 2000 or Server 2003 is capable of
synchronising more often than every 8 hours, using w32time?

Thanks
Nick

===============

Typical performance is shown in the bottom 5 graphs here:
http://www.david-taylor.myby.co.uk/mrtg/daily_ntp.html

You can click on a graph to see weekly, monthly and yearly data

=>

> Does anyone know whether Windows 2000 or Server 2003 is capable of
> synchronising more often than every 8 hours, using w32time?

It is, but it is not simple to configure. Look in the list archives for
examples of configuring the windows time service for use on public NTP
networks. Included there are links to Microsoft’s detailed
documentation on the Windows Time Service.

What are your requirements? Just to keep better time? Why once every
1/2 hour?

Generally, you’ll want to use a configuration command like this:

w32tm /config /manualpeerlist:"0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8" /syncfromflags:MANUAL /update

That “,0x8” after each server tells Windows Time Service to choose the
best synchronization interval itself, based on the performance of your
clock and/or network connection.

Also, please note that the windows time service only makes event log
entries when a new time source is selected, plus an informational entry
once every X hours. It will not make a log entry for “small
corrections”, even if they are more frequent. This logging behavior can
also be changed with registry entries or group policies (see Microsoft
documentation).

============

 

 

Time Service Troubleshooting

Basic support issues I’ve seen usually arise after you’ve moved the PDC Emulator role in the forest root domain to another DC, possibly due to retiring an old DC or a DC failure. In this case, all you really have to do is reset the time service on the new PDC Emulator so it is authoritative for the domain/forest.

Other than that, the numerous other time service support issues I’ve seen are due to administrators changing registry settings to tweak the service; they then find that something is amiss and begin backtracking, asking what the registry entries do and what the results are if set to this or that value. IMHO, I don’t believe this is necessary. Basically, the time service works out of the box. The PDC Emulator in the forest root domain is the ultimate time source for the whole forest, and all other DCs, whether in the forest root, in child domains, or in additional trees in the forest, follow the hierarchy to sync time. Why does it work out of the box? Because the time service is extremely important for Kerberos: if the clocks of a machine and a DC are skewed beyond the 5 minute tolerance, authentication fails, so Microsoft made sure the time service works without any changes required. All you have to do is point the PDC Emulator in the forest root domain at an outside time source, and you are DONE. That’s it. Altering the time service registry, unless directed by Microsoft support, is not required.

To reset the Time Service to use the new PDC Emulator

By default, all DCs that are not PDC Emulators, should be syncing time from the PDC Emulator.  If that isn’t the case then reset time on the DC in question using the following steps (which applies to workstations, as well).

In a command prompt (I know I said not to use this command, but this is the ONLY exception: resetting the time service on a machine; note that /setsntp is deprecated on Windows Vista/2008 and later, where the w32tm /config command shown further below is the supported way):

net time /setsntp:    (note the blank value after the colon)
This tells the client (whether a DC or workstation) to clear its configured time source and go back to the default settings.

Then run the following:
net stop w32time && net start w32time

Client should now be part of the time domain heirarchy

One more possibility if the above procedure doesn’t work to reset it, you can run the following on the non-PDC Emulator:

w32tm /config /syncfromflags:domhier /reliable:no /update    (notice the /reliable:no switch)
net stop w32time && net start w32time

The above is explained in:

Change the Windows Time service configuration on the previous PDC emulator
http://technet.microsoft.com/en-us/library/cc738042.aspx

Or you can run Mr FixIt:

To Fix it, Run the “Microsoft Mr. Fixit” on each DC. It will recognize and download the correct “FixIt Script” to run on the PDC Emulator and non-PDC Emulators.
How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042

 

Debug Logging and more

If the DC is already pointing at the PDCe, also make sure the PDCe itself is getting its time externally (although a PDCe without an external source would not by itself break the hierarchy). Beyond that, turn on debug logging to track down the error:

How to turn on debug logging in the Windows Time Service
http://support.microsoft.com/kb/816043/en-us

 

“Microsoft Mr. Fix It” Time Service Script

This script can be found in:

How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042

 To run Mr Fix It:

Keep in mind, all DCs in a domain will get their time source from its domain’s PDC Emulator. If you can’t straighten it out manually, let’s perform the following procedure, which includes running the Mr Fix It script:

1. Run a Fsmo Query  –  To find which DCs hold which FSMO roles and to determine which DC is the PDC Emulator
 netdom query fsmo

2. Run the  “Microsoft Mr Fix It” script in the above link by visiting it from each DC. You must visit it from each DC, or you can download the respective Mr Fix It Number whether for a PDC or non-PDC.

Run the “Microsoft Mr. Fixit” on each DC. It will recognize and download the correct “FixIt Script” to run on the PDC Emulator and non-PDC Emulators.
How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042

The procedure is as follows:

On the new PDC Emulator AND on the non-PDC Emulators, go to http://support.microsoft.com/kb/816042. You will notice the “Microsoft Fix It” link. When you visit the link from the DC holding the PDC Emulator FSMO Role, it will show up as “Microsoft Fix It 50394,” and on the non-PDC Emulators, it will show up as “Microsoft Fix It 50395.”

Therefore:
On the PDC, go to http://support.microsoft.com/fixit/ and download Fixit 50394 (this is for the PDC)
On the BDC, go to http://support.microsoft.com/fixit/ and download Fixit 50395 (this is for non-PDCs)

When you run it, the script will show a peer list like:
Server1,0x1 Server2,0x1
Replace it with your own time sources, for example:
time.nrc.ca,0x1 time.nist.gov,0x1

 

Or, based on what the script does, you can simply do it manually:

On the PDC Emulator, run the following in a command prompt:
w32tm /config /manualpeerlist:time.nrc.ca /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover

This clears the time-service errors from Event Viewer. Then restart the time service:
net stop w32time && net start w32time

On the non-PDC Emulator DCs, run the following in a command prompt:
w32tm /config /syncfromflags:domhier /reliable:no /update
w32tm /resync /rediscover

This clears any time-service errors in Event Viewer, if there are any. Then restart the time service:
net stop w32time && net start w32time

 Registry Entries

You can query the registry keys with the following method:

c:\>reg query hklm\system\currentcontrolset\services\w32time\parameters
C:\> w32tm /dumpreg /subkey:parameters

 

To resync the service on a client machine:

 w32tm /resync
 w32tm /resync /rediscover

 

If some domain machines have problems

w32tm /config /syncfromflags:domhier /update

After that run:
net stop w32time
net start w32time

 

To Reset the Time Service:

If you’ve experimented with changing time settings and unknowingly departed from the default behavior, you can set the time settings back to default:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

You should only have one server in the forest set as a reliable time source, so using the /reliable:yes command on anything other than the Forest Root PDC is not a good idea.
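As an added example (not code from the article), the following PowerShell script combines the manual procedure above with the registry checks in this section: it works out whether the local DC is the forest-root PDC Emulator, reads Type, NtpServer, AnnounceFlags and MaxPollInterval from the registry, and prints (or with -Apply runs) the w32tm commands for that role. The external peer list is an assumption for illustration; the role is determined through ADSI so no RSAT module is required:

```powershell
# Added example, not part of the original article: audit this DC's W32Time
# configuration against the pattern above (forest-root PDC Emulator: manual
# external peers and /reliable:yes; every other DC: domain hierarchy and
# /reliable:no) and print, or with -Apply run, the corrective w32tm commands.
# The external peer list is an assumption for illustration; use your own.
$ExternalPeers = @('192.5.41.41', '0.pool.ntp.org', '1.pool.ntp.org')

function Get-W32TimeState {
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $params = Get-ItemProperty "$base\Parameters"
    $config = Get-ItemProperty "$base\Config"
    # Forest-root PDC Emulator via ADSI, no RSAT module required
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $rootPdc = $forest.RootDomain.PdcRoleOwner.Name          # FQDN
    $n = [int]$config.MaxPollInterval
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        ForestRootPdc      = $rootPdc
        IsForestRootPdc    = ($rootPdc.Split('.')[0] -eq $env:COMPUTERNAME)
        Type               = $params.Type            # NT5DS = domain hierarchy, NTP = manual peers
        NtpServer          = $params.NtpServer       # "peer,0xN peer,0xN ..." used when Type is NTP
        AnnounceFlags      = $config.AnnounceFlags   # 5 after /reliable:yes, 10 (0xA) after /reliable:no
        MaxPollInterval    = $n
        MaxPollSeconds     = [math]::Pow(2, $n)                      # the entry is an exponent: 2^n seconds
        UnsyncAfterSeconds = 1.5 * [math]::Pow(2, $n)                # w32time calls itself unsynchronized after 1.5x
        ExceedsNtpMaxAge   = ((1.5 * [math]::Pow(2, $n)) -gt 86400)  # true for any value above 15
    }
}

function Repair-W32TimeConfig {
    # Prints the w32tm commands the article uses for this DC's role; -Apply runs them.
    param([switch]$Apply, [string[]]$Peers = $ExternalPeers)
    $state = Get-W32TimeState
    if ($state.IsForestRootPdc) {
        # ,0x8 lets w32time choose the polling interval itself (see the thread quoted earlier)
        $peerList  = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
        $needsFix  = ($state.Type -ne 'NTP') -or ($state.AnnounceFlags -ne 5)
        $w32tmArgs = @('/config', "/manualpeerlist:$peerList", '/syncfromflags:manual', '/reliable:yes', '/update')
    }
    else {
        # Only the forest-root PDCe should announce itself as reliable (AnnounceFlags 5)
        $needsFix  = ($state.Type -ne 'NT5DS') -or ($state.AnnounceFlags -eq 5)
        $w32tmArgs = @('/config', '/syncfromflags:domhier', '/reliable:no', '/update')
    }
    $state | Format-List | Out-String | Write-Host
    Write-Host "NeedsFix: $needsFix"
    Write-Host ("w32tm " + ($w32tmArgs -join ' '))
    if ($Apply -and $needsFix) {
        & w32tm $w32tmArgs        # array elements are passed as separate arguments
        & w32tm /resync /rediscover
        Restart-Service -Name w32time
    }
}

Repair-W32TimeConfig            # dry run; add -Apply to change the configuration
```

Run it once on every DC after moving the PDC Emulator role: the old PDCe will show Type NTP and AnnounceFlags 5 and be flagged, while the new one will be flagged until it is given the manual peer list.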

 

If getting EventID 1307 time:

A possible cause is that the “Authenticated Users” does not have read permission on the W32Time and Netlogon registry keys. Please check and correct the permission settings on the keys.

The keys are under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32Time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon
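An added PowerShell check (not from the article) for that permission problem, reporting whether Authenticated Users have an effective Allow ReadKey on both keys, with a helper to add the ACE if it is missing:

```powershell
# Added example, not part of the original article: verify that Authenticated
# Users hold Read on the two registry keys named above, and optionally grant it.
function Test-W32TimeKeyAcl {
    param(
        [string[]]$Keys = @('HKLM:\SYSTEM\CurrentControlSet\Services\W32Time',
                            'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'),
        [string]$Principal = 'NT AUTHORITY\Authenticated Users'
    )
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    foreach ($key in $Keys) {
        $rules = (Get-Acl -Path $key).Access | Where-Object { $_.IdentityReference.Value -eq $Principal }
        # ReadKey = QueryValues + EnumerateSubKeys + Notify + ReadPermissions; FullControl covers it too
        $allow = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $readKey) -eq $readKey)
        }
        $deny = $rules | Where-Object { $_.AccessControlType -eq 'Deny' }
        [pscustomobject]@{
            Key        = $key
            HasReadKey = ([bool]$allow -and (-not [bool]$deny))
            DenyAce    = [bool]$deny
        }
    }
}

function Grant-W32TimeKeyRead {
    # Adds an inheritable Allow ReadKey ACE for the principal; run elevated.
    param([Parameter(Mandatory)][string]$Key, [string]$Principal = 'NT AUTHORITY\Authenticated Users')
    $acl  = Get-Acl -Path $Key
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Principal, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

Test-W32TimeKeyAcl | Format-Table -AutoSize
# To repair: Test-W32TimeKeyAcl | Where-Object { -not $_.HasReadKey } | ForEach-Object { Grant-W32TimeKeyRead -Key $_.Key }
```

A Deny ACE for the principal is reported separately, because it wins over any Allow and adding another Allow will not fix it; remove the Deny in regedit instead.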

 

Related Troubleshooting links:

To Assist in troubleshooting time service issues on the PDC Emulator and other machines, use the following link:
Troubleshooting Windows Time Service Problems
http://technet.microsoft.com/en-us/library/bb727060.aspx

 

 

 

SNTP vs NTP

NTP and SNTP are both supported. Quoted from the Microsoft TechNet article Windows Time Service and Internet Communication:

“Windows 2003 by default uses NTP, whereas Windows 2000 used SNTP. SNTP is a simplified version of NTP. Windows 2003 and newer by default is set to NT5DS, which uses NTP. If SNTP is required on Windows 2003 or newer, the default NT5DS type must be changed to AllSync to accept NTP and SNTP time sources.”

Additonal Links referencing SNTP vs NTP:

Windows Time Service and Internet Communication
http://technet.microsoft.com/en-us/library/cc779145(WS.10).aspx

What is the difference between NTP and SNTP?
http://www.spectracomcorp.com/portals/0/support/pdf/NTP_vs_SNTP.pdf

What is NTP? (ntp.org FAQ; notes that SNTP is basically also NTP but lacks some features)
http://www.ntp.org/ntpfaq/NTP-s-def.htm

KB223184 documents the Windows 2000 registry values. Note that the Type value selects where the machine gets its time from, not which protocol it speaks: Nt5DS follows the domain hierarchy, while NTP uses the manually configured NtpServer list (Windows 2000’s W32Time is an SNTP implementation either way). So to point a Windows 2000 server at a manual source you change Type from Nt5DS to NTP. However, I remember there were issues with that syncing up years ago. The entries are located in the following registry key, with these options for Type:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Type : REG_SZ
Used to control how a computer synchronizes.
Nt5DS = synchronize to domain hierarchy [default]
NTP = synchronize to manually configured source
NoSync = do not synchronize time

Time Sync Frequency:

The following registry key controls how frequently the Windows Time service synchronizes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Period

65531, “DailySpecialSkew” – Sets synchronization to one time every 45 minutes until successful one time, then one time every day.
65532, “SpecialSkew” – Sets synchronization to one time every 45 minutes until successful three times, then one time every eight hours. This is the default setting.
65533, “Weekly” – Sets synchronization to one time every seven days.
65534, “Tridaily” – Sets synchronization to one time every three days.
65535, “BiDaily” – Sets synchronization to one time every two days.
0 – For NT5DS, the synchronization is one time every 45 minutes until successful three times, then one time every eight hours. For NTP, the synchronization is one time every 8 hours.
freq – freq stands for the number of times per day you want Windows Time service to synchronize. If want to use a value other than any one of those specified earlier, you must use this option.

 

Related links to the W32Time service registry entries:

Time Registry settings: Windows Time Service Tools and Settings
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx

Registry entries for the W32Time service on Window 2000:
http://support.microsoft.com/kb/223184

Windows Time Service Tools and Settings using the w32time command. Includes Windows 2003 & 2003 R2 Time Service Registry Settings
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx

How to configure the Windows Time service against a large time offset
Basically this talks about the time service and how it keeps all machines in a domain hierarchy within 2 minutes of sync so Kerberos works.
http://support.microsoft.com/kb/884776

Configuring the Windows Time Service
http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html

 

 

Failover Time Service

As for failover time sources, the time service loops through each peer, starting with the first one listed and continuing in the listed order, until it receives a response. I suggest using the actual IP addresses, which is an old-school habit of mine: years ago Windows 2000 had an issue with FQDNs that was fixed with a hotfix, but I still use the IP address method.

Here’s an older KB that explains this (disregard the part about Windows 2000, because the service still behaves the same way):

W32Time client does not fail over to secondary NTP servers by FQDN
http://support.microsoft.com/kb/285641

w32tm /config /manualpeerlist:"MeinbergNTPdeviceIpAddressOrFQDN time-nw.nist.gov 0.pool.ntp.org" /syncfromflags:manual /reliable:yes /update

Multiple Manualpeers configured

The KB recommends second-level time servers for normal use (first-level servers are intended as sources for second-level ones and may restrict access). Quoted from the link above (http://support.microsoft.com/kb/285641):

“There are two levels, or tiers, of Network Time Protocol (NTP) time servers that are available on the Internet. The NTP is defined in Request for Comments (RFC) 1305. The first-level time servers are primarily intended to act as source time servers for second-level time servers. The first-level time servers may also be capable of providing mission-critical time services. Some first-level time servers may have a restricted access policy.

Second-level time servers are intended for general SNTP time service needs. Second-level time servers usually enable public access. It is recommended that you use second-level time servers for normal SNTP time server configuration because they are usually located on a closer network that can produce faster updates.

It is recommended that you research any time server selection to ensure that it can meet your specific time server requirements.”

 

Domain Controllers HyperV and virtualization, and the Time Service

Regarding DC virtualization, please closely adhere to the following best practices:

    1) Do not use imaging software to take an image of the DC.
    2) Do not take or apply snapshots of the DC.
    3) Do not shut the Virtual Machine down and simply copy the virtual disk as a backup.
    4) If you have the ability to “discard changes” as you do if you are running “Virtual Server 2005 R2”, do not enable this type of setting on a DC Virtual Machine.
    5) Use NTBACKUP.EXE, WBADMIN.EXE, or any third party software that is available as long as it is certified to be AD-compatible to take system state backups.
    6) Only restore a system state to the DC or restore a full backup.
    7) Make at least one DC, the PDC Emulator in the forest root domain, a physical DC. The PDC is the default time service in the hierarchy and should not be virtualized.

For more information, please refer to:

DC’s and VM’s – Avoiding the Do-Over
http://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx

In addition, running Domain Controllers in virtual machines requires special considerations (time sync configuration included). I recommend reading the articles below. You will also want one physical DC in the environment, but the remaining DCs can be virtualized. It’s recommended that the PDC Emulator be the physical DC.

Running Domain Controllers in Hyper-V
http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx

Deployment Considerations for Virtualized Domain Controllers
http://technet.microsoft.com/en-us/library/dd348449(WS.10).aspx

 

Virtualized DC Time service

For virtual machines that are configured as domain controllers, disable time synchronization with the host through Integration Services. Instead, accept the default Windows Time service (W32time) domain hierarchy time synchronization.

Host time synchronization makes it possible for guest operating systems to synchronize their system clocks with the system clock of the host operating system. Because domain controllers have their own time synchronization mechanism, host time synchronization must be disabled on virtual machines that are configured as domain controllers. If domain controllers synchronize time from their own source and also synchronize time from the host, the domain controller time can change frequently. Because many domain controller tasks are tied to the system time, a jump in the system time could cause lingering objects to be left in the directory and replication to be stopped.

W32Time, Windows Time, should run as LocalService in 2K8 R2 Domain Controllers. You can see the account used in Services.msc -> Windows Time -> Properties.

You can disable host time synchronization in the virtual machine settings in the Integration Services section of the Hyper-V Manager by clearing the Time Synchronization check box.
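As an added example (not code from the article or from Microsoft), the following PowerShell covers both sides of this: on the host it disables the Time Synchronization integration service for the VMs that are DCs, and inside the guest it checks the VMICTimeProvider registry value and what w32tm /query /source reports. It assumes the Hyper-V PowerShell module of Windows Server 2012 or later; the VM names are placeholders:

```powershell
# Added example, not part of the original article. Host side: turn off the
# Time Synchronization integration service for the VMs that are DCs. Guest
# side: confirm inside the virtual DC that the hypervisor provider is not its
# time source and that w32time follows the domain hierarchy. Assumes the
# Hyper-V PowerShell module (Windows Server 2012 or later); VM names are
# placeholders.
$DomainControllerVMs = @('DC01', 'DC02')

function Disable-HostTimeSyncForDCs {
    # Run on the Hyper-V host.
    param([string[]]$VMName = $DomainControllerVMs)
    foreach ($vm in $VMName) {
        $svc = Get-VMIntegrationService -VMName $vm -Name 'Time Synchronization'
        if ($svc.Enabled) {
            Disable-VMIntegrationService -VMName $vm -Name 'Time Synchronization'
        }
        [pscustomobject]@{
            VM              = $vm
            TimeSyncEnabled = (Get-VMIntegrationService -VMName $vm -Name 'Time Synchronization').Enabled
        }
    }
}

function Test-GuestTimeSource {
    # Run inside the virtual DC.
    $provKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
    $vmicEnabled = if (Test-Path $provKey) { [int](Get-ItemProperty $provKey).Enabled } else { $null }
    $source = ((& w32tm /query /source) -join '').Trim()
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        VmicProviderEnabled  = $vmicEnabled     # 1 = the guest will accept time pushed by the host
        W32tmSource          = $source          # should name a DC (or the external peer on the PDCe)
        # These are the strings w32tm prints when it is not following a network source
        FollowsNetworkSource = ($source -notmatch 'VM IC Time Synchronization Provider|Local CMOS Clock|Free-running System Clock')
    }
}

function Disable-GuestVmicProvider {
    # Belt and braces inside the guest: stop w32time from using the host provider at all.
    $provKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
    Set-ItemProperty -Path $provKey -Name Enabled -Value 0
    Restart-Service -Name w32time
    & w32tm /resync /rediscover
}

Test-GuestTimeSource | Format-List
```

Check the guest after a reboot as well as after the host-side change: the symptom described above, the clock jumping because two sources disagree, shows up as W32tmSource flipping between a DC and the VM IC provider.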

How to configure your virtual Domain Controllers and avoid simple mistakes with resulting big problems
http://www.sole.dk/post/how-to-configure-your-virtual-domain-controllers-and-avoid-simple-mistakes-with-resulting-big-problems/?p=387

 

 

 

Windows Time Service Related General Links

A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet
http://support.microsoft.com/kb/262680

Time Registry settings: Windows Time Service Tools and Settings
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx

How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042

Jorge’s Time Service blogs:
Configuring and Managing the Windows Time Service, Parts 1 to 4:
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-1.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-2.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-3.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-4.aspx

Support boundary to configure the Windows Time service for high accuracy environments
http://support.microsoft.com/kb/939322

Basic Operation of the Windows Time Service
http://support.microsoft.com/kb/224799

Time Service:
http://support.microsoft.com/kb/216734


How to Configure an Authoritative Time Server in Windows Server 2008 (this article is based on Microsoft KB816042, linked above)
http://www.articlesbase.com/operating-systems-articles/how-to-configure-an-authoritative-time-server-in-windows-server-2008-461336.html

Change the Windows Time service configuration on the previous PDC emulator
http://technet.microsoft.com/en-us/library/cc738042.aspx


How Windows Time Service Works. This article provides a good overall graphical and explanation of the Time Service in Windows
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx

Network Time is off, not sure how to fix it
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/652e8200-fc4b-40c7-b579-a88d934df04d/

The Windows 2000 Time Service (white paper; the Windows 2000 and 2003 skew handling and algorithm are essentially the same)
http://download.microsoft.com/download/2/0/f/20f61625-7b2a-4531-b007-1c714f1e51b7/wintimeserv.doc

How the Windows Time Service Works, Updated: March 12, 2010
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx

Configure a client computer for automatic domain time synchronization
Applies to Windows 7 & Windows 2008 R2 Time Service
http://technet.microsoft.com/en-us/library/cc758905(WS.10).aspx

Microsoft Videos on the Time Service
http://www.microsoft.com/showcase/en/us/search?phrase=w32time

Configuring the Time Service: Enabling the Debug Log
http://blogs.msdn.com/b/w32time/archive/2008/02/28/configuring-the-time-service-enabling-the-debug-log.aspx

Windows Time Service – The official Microsoft blog site for the Windows Time Service
By Ryan Sizemore,  7 Aug 2009 12:10 PM
http://blogs.msdn.com/b/w32time/archive/2009/08/07/net-time-and-w32time.aspx

==================================================================

Ace Fekay

Folder Redirection

Folder Redirection

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer

Edit: Updated – 7/22/08
Edit: Added Troubleshooting section and a Summary section – 10/12/2009.
Edit: Broken links fixed – 11/24/09
Edit: Updated 1/22/2011 with additional information and fixed a broken link
Edit: 6/27/2011 – Added two new links, one with screenshots
Edit: 10/28/2011 – DFS section about it not being recommended or supported with Redirection
===

 

Folder Redirection Background

I believe Folder Redirection with Offline Files is a great solution for many environments. I have it implemented in all my customer sites for laptops and desktops. I usually just opt to redirect the My Documents folder, and possibly the Desktop, but I do not redirect Application Data or the Start Menu, because Start Menus may differ based on what’s installed on other machines users may log on to, and the Application Data folder can grow exponentially with unwanted or unneeded data, which means additional data to back up on the server and additional overhead on the server’s data and backup capacity. You know how large the application data folder can get, and it is not always a good choice to implement redirection with. Keep that in mind when you implement this feature.

It allows all their data to be available no matter which machine they log on to, as well as when new machines are deployed. There are no worries about user data being lost or deleted if re-imaging is used in an environment. Just make sure all users are instructed to put all their data into the My Documents folder, and if you choose to redirect the Desktop, they can also save data to the desktop, but I would rather just redirect the My Documents folder.

Therefore, depending on which folders you decide to redirect, a user will get their data no matter where they log in. Enabling Offline Files as well will provide an additional performance increase on the user side, as well as the ability to take machines off-site (such as laptops), and the folks will have their data no matter where they are. As I mentioned, I usually just implement Folder Redirection with the My Documents folder, and not the others. All data with redirection configured, as well as offline files, is cached locally and only synchs up at scheduled, manually set times, when logging on, or when logging off. It vastly reduces client to server traffic.

 

Implementing Folder Redirection

There are a few things that need to be set up to make redirection work. If you are in a mixed Vista/XP environment, as many are right now, it may be a little challenging: both can use the same home folder setting, but the user must stick with one OS or the other, not log on to an XP machine and then to a Vista machine, or things may get skewed. You may find other ways to implement it (whether using an AD group or not, etc), but I’ve found this method successful with my implementations.

1. The user accounts need to be in the OU the Redirection Policy will apply to. It doesn’t matter where the computer accounts are. This is because Redirection is a User based Policy.

2. More than likely, the Redirection policy is set up to apply to a group. Therefore, make sure the user account is part of that group.

3. Only the internal DNS servers must show up in a machine’s IP properties.

4. The way I set up the shares is to create a root folder called Users. I share it out as Users$ and set share permissions to only System=FC and Domain Admins=FC.

5. Create child folders, one for each user. The share permissions for the user must be set to Full Control, or it won’t work. For example, for a user named Bill, I create a Bill folder, then share it out as Bill$, and set the share permissions to:
Domain Admins=FC
System=FC
Bill=FC.

6. The user MUST have FC for both the share and the NTFS permissions. Therefore, I set the NTFS permissions (the Security tab) to:
Domain Admins=FC
System=FC,
Bill=FC.

7. In the user’s AD properties, Profile tab, you want to configure a home folder, and this is assuming you want their stuff redirected to the home folder, such as clicking on G, H, or whatever letter, then configuring something like \\servername\%username%$ (the $ makes it hidden). Whether to hide it or not depends on corporate SOP. The %username% is a variable that will create the folder for you, but I usually do it manually, as in the previous steps.

8. Create an AD group, call it (for example), “My Docs Redirect Group.” Create the Redirect policy based on the group membership, for example the My Documents folder, should be redirected to \\servername\username$\. You can also create it as \\servername\username$\MyDocuments Documents, which I like because their data goes into a subfolder under the user folder as My Documents. This requires additional testing on your part to make sure the respective data goes into the folders you’ve specified. However, many installations simply specify the Home folder, \\servername\username$, which is easy, and it works well. I’ve been using this method myself (outlined in the next step); however, with this method, ALL of their documents wind up directly in the root of the home folder. This could be a little problematic with Vista. For more info on Vista and XP in a mixed environment, and problems that may occur, please read the links at the bottom of this article that will provide additional information on how to handle this issue.

9. In the My Documents policy setting, select “Advanced – Specify Location based on various User Groups.” Add the AD group you just created. For the target folder location, Redirect to the Home Folder. After you click OK, it will display a UNC in the form of: \\%HOMESERVER%%HOMEPATH%. Under the settings tab, check the box that says Grant the user exclusive rights to My Docs. Also select to Move the Contents, as well as Leave the Folder in the new location when the policy is removed.

10. I usually create a logon bat script, place it in the NETLOGON share, and specify the script name in their AD properties, to manually map the same drive letter specified under the Profile tab for the home folder to the home folder, such as with a command line of “net use h: \\servername\username$“.

It can also be done using VB and a logon script in their GPOs. The script normally does multiple other things as well. I’m just pointing out this portion of it. It is your choice of using VB, CMD or bat files when creating a script.

11. Enable Offline Use for the redirected My Documents.

12. Repeat for the other folders, if you choose to include them. I would set them to use subfolders, such as Application Data, so the data doesn’t get intermixed with the My Docs.

13. Link the GPO to the OU you want it to apply to. Keep in mind, it will not work until you add the users that you want it to apply to, to the My Docs Redirect Group, that you’ve created.

14. If you ever need to move the Users folder location to a new server, simply mirror the shared folders and permissions from the old server on the new server drive (no need to copy the data), and change the policy to point to the new UNC. Next time the user logs on, the data will be moved automatically. The larger the amount of data, the longer it will take. For example, one customer had a 10 GB home folder. It took about 20 minutes to move, however the user was able to work. Some of the files weren’t available immediately, but they eventually showed up.
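The share and NTFS permissions from steps 4 through 6 and the Profile tab home folder setting, as an added PowerShell example that is not part of the original article. It assumes Windows Server 2012 or later (SmbShare module plus the RSAT ActiveDirectory module), and the domain name CONTOSO, root path D:\Users and sample user Bill are made up.

```powershell
# Added example, not the article's own code: provisions the Users$ root share
# and one hidden per-user share with the share and NTFS permissions the steps
# above call for, then points the user's home folder (Profile tab) at it.
# Assumptions: run on the file server as a Domain Admin; Windows Server 2012+
# (SmbShare) with the RSAT ActiveDirectory module; the drive, domain name and
# sample user "Bill" are made up for the example.
param(
    [string]   $Root   = 'D:\Users',
    [string]   $Domain = 'CONTOSO',
    [string]   $Server = $env:COMPUTERNAME,
    [string[]] $Users  = @('Bill')
)

Import-Module SmbShare, ActiveDirectory -ErrorAction Stop

$admins = "$Domain\Domain Admins"
$system = 'NT AUTHORITY\SYSTEM'

# NTFS: Full Control, inherited by subfolders (CI) and files (OI), for the
# listed accounts only. /inheritance:r drops inherited ACEs so nothing else
# (for example Users or Everyone from the volume root) can read the folder.
function Set-FullControlOnly {
    param([string]$Path, [string[]]$Accounts)
    $grants = $Accounts | ForEach-Object { "${_}:(OI)(CI)F" }
    & icacls $Path /inheritance:r /grant:r @grants | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

# Share: created only if it does not exist yet, Full Control for the listed
# accounts and no other share-level entries (New-SmbShare adds none by default
# when -FullAccess is given).
function New-HiddenShare {
    param([string]$Name, [string]$Path, [string[]]$FullAccess)
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Name -Path $Path -FullAccess $FullAccess | Out-Null
    }
}

# Step 4: root folder shared as Users$ for System and Domain Admins only.
if (-not (Test-Path $Root)) { New-Item -ItemType Directory -Path $Root | Out-Null }
New-HiddenShare -Name 'Users$' -Path $Root -FullAccess $admins, $system

foreach ($user in $Users) {
    $path  = Join-Path $Root $user
    $share = "$user`$"                       # Bill -> Bill$ (hidden share)
    $acct  = "$Domain\$user"
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # Step 5: share permissions Domain Admins=FC, System=FC, user=FC.
    New-HiddenShare -Name $share -Path $path -FullAccess $admins, $system, $acct

    # Step 6: the same three principals need Full Control at the NTFS level too,
    # or redirection fails for the user.
    Set-FullControlOnly -Path $path -Accounts $admins, $system, $acct

    # Profile tab: home drive H: mapped to \\server\Bill$, which is what the
    # "Redirect to the Home Folder" target (\\%HOMESHARE%%HOMEPATH%) resolves to.
    Set-ADUser -Identity $user -HomeDrive 'H:' -HomeDirectory "\\$Server\$share"
}
```

Verify afterwards with icacls on the user folder and Get-SmbShareAccess on the share; each should list only the three principals.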

Redirecting the Desktop, My Music, Application Data, etc

For the Desktop, what I suggest is to first create a ‘Desktop’ folder under each user’s folder. Then enable Desktop Redirection to a specific folder, make sure the My Documents Redirect Group is specified (based on my procedure and locations above), and set the path to \\%username%$\user$\desktop.

One issue you may come across: suppose you choose not to redirect My Music, simply because you don’t want that sort of stuff on the server for multiple reasons (such as drive space on the server or backup media limitations), but some of the users wise up, figure out what’s going on, and start saving their music in their My Docs folder. You can control that using Microsoft’s FSRM.

 

Storage Reports

FSRM – File Server Resource Manager
By using File Server Resource Manager, administrators can place quotas on folders and volumes, actively screen files, and generate comprehensive storage reports:
http://technet.microsoft.com/en-us/library/cc755603(WS.10).aspx

Folder Redirection with Terminal Services

Keep in mind, there’s no problem in using TS Roaming Profiles, but if you want users’ Documents and Desktops to work, you need to combine the feature with Folder Redirection on all the servers and workstations so all user folders are redirected to the same place. It’s recommended not to use Roaming Profiles because of the added complexity.

Profile and Folder Redirection In Windows 2003 (explains the differences between a Roaming profile and a non-roaming profile, recommending not to use Roaming Profiles and just use Folder Redirection):
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

How To Configure Folder Redirection, Aug 22, 2007
How to use Group Policy to redirect the “Desktop”, “My Documents”, “Start Menu” and “Application Data” folders.
http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html

Terminal Service Administration and Folder Redirection, Jun 6, 2006
If Remote Desktop for Administration is enabled on a server that’s running Windows Server 2003, then the server can not be configured to use …
http://www.msterminalservices.org/articles/Terminal-Service-Administration-File-Redirection.html

Using Folder Redirection with Terminal Server: Terminal Services, Mar 28, 2003
Folder Redirection allows users and administrators to redirect the path of a folder to a new location.
http://technet.microsoft.com/en-us/library/cc737867(WS.10).aspx

Best practices for Folder Redirection: Group Policy, Jan 21, 2005
In general, accept the default Folder Redirection settings. Logging off the terminal server causes copying to occur in the opposite …
http://technet.microsoft.com/en-us/library/cc739647(WS.10).aspx

Profile and Folder Redirection In Windows Server 2003, Mar 1, 2005 … For example, if you created a share named PROFILES on a server named TAZ, then the path to Brien’s profile … The actual folder redirection is done through the group policy. … Terminal Servers · Thin Client Servers …
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

Folder Redirection and Terminal Server Users : 
1 author 4 posts – Last post: Jun 1, 2004 – Archived from groups: microsoft.public.win2000.group_policy. We currently utilize folder redirection …
http://www.tomshardware.com/forum/218519-46-folder-redirection-terminal-server-users

You can also configure terminal services redirection manually in the registry (each reg add command is a single line):

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Personal /t REG_EXPAND_SZ /d "G:\MyDocs" /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop /t REG_EXPAND_SZ /d "G:\Desktop" /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v AppData /t REG_EXPAND_SZ /d "G:\Application Data" /f

Removing Folder Redirection

How to stop Folder Redirection in Windows Server 2003 and in Windows 2000 Server
http://support.microsoft.com/kb/888203

– Make sure you have a recent backup of the server where the redirected files are prior to making any changes. If you don’t, and this may be a good practice whether you do have a good backup or not, I would suggest recovering the files from the offline cache on the machine you want to remove from the Redirection GPO. You can do that by copying the files from the My Documents folder and any other redirected folders that are in the policy, to another location on the hard drive. Make sure you do that prior to removing the machine from the GPO or from the domain, otherwise if there are any problems or if you have no backup, it may be impossible to recover them afterward.

– You will probably want to include other files from the machine that may not have been part of the Redirect policy, or even if they were, such as Favorites, Desktop items, Downloads folder, etc. One important file you may want to also copy is the Outlook nickname drop-down list file. That’s the names that show up in the drop-down list when you start typing something in the To:, Cc: and Bcc: boxes. It’s stored in a file called the <OutlookProfileName>.NK2 file and is located in:
C:\Documents and Settings\UserName\Application Data\Microsoft\Outlook

It can be copied from machine to machine. Just rename it to the Outlook profile name of the target machine.

If there are any PST files, you may want to copy them, as well. The default location is:
C:\Documents and Settings\Username\Local Settings\Application Data\Microsoft\Outlook

– Use Group Policy to set folder redirection back to the default location, which is your profile folder on the PC. You can’t just remove the policy, because the folders will stay where they are. You need to redirect them back to where they were.

– Re-initialize the offline cache. Redirected folders by default are synchronized to be available offline. That’s the little arrow in the corner of the icon. Unfortunately Offline Files in XP will keep trying to synchronize until you re-initialize it.

How to re-initialize the offline files cache and database
Provides two methods to re-initialize the offline files cache and database.
http://support.microsoft.com/kb/230738

– If you used the method to use a group to control Folder Redirection, Remove the user from the folder redirect group. If not, move the user out of the OU where Folder Redirection GPO is linked to.

 

Troubleshooting Folder Redirection

Is the workstation receiving the policy?

You can first run the gpresults.exe utility on the client side to determine if the GPO is being applied.

Then I would suggest using the GPMC to create an RSOP for specifics, such as looking for any access denied issues, etc. If the GPO is being applied and there are no denials or other issues in the RSOP, then I would look into the user’s folder configuration, permissions, UNC path, etc, set in the GPO. If that doesn’t help, enabling Userenv logging can assist in troubleshooting GPO problems, including Folder Redirection.

Userenv.log

The Userenv.log contains verbose information about policy and profile processing. It also contains additional logs such as the gptext.txt log, which logs events for Group Policy Extensions such as folder redirection, among other things. This file is located in c:\windows\debug\usermode and contains entries associated with the Userenv process. It is usually a fairly small text file since verbose logging is not enabled by default. You can find out more about the userenv.log in the following link.

Userenv and GPE logging: A great tool for debugging Group Policy Extensions
http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1250007,00.html

Enable logging for Folder Redirection:

Locate the following subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics.

Create a new Reg_DWORD entry called FdeployDebugLevel and set its value to 0x0f.

The log file is created in %windir%\Debug\Usermode\Fdeploy.log.

General issues with Folder Redirection?

Here’s a good article on reparing Folder Redirection:

Repair folder redirection and shares
http://technet.microsoft.com/en-us/library/dd440852(WS.10).aspx

Vista: Redirected Folders Change the User’s Home Folder Name From the “User’s Name” to “Documents”

When you redirect the Documents folder on a Windows Vista-based computer to a network share, the folder name unexpectedly changes back to Documents
http://support.microsoft.com/kb/947222

Was the username changed in Active Directory?

You may need to make some adjustments. Take a look at the following articles for more information.

Folder Redirection Operation Is Unsuccessful When You Rename the User
http://support.microsoft.com/kb/827059

The folder redirection process fails on a computer that is running Windows Vista or Windows XP when you change the user name in Active Directory
http://support.microsoft.com/kb/953529

Concurrent Logon Issue occurs when users log on to more than one workstation simultaneously

Some other things to keep in mind: a user may log on to a different workstation while still logged on at another. This can cause an issue where, if anything changes in their files from machine to machine, the ‘last man wins’ rule jumps into play. To prevent such a thing from occurring, you must instruct users to log on at one machine at a time.

If the users do not pay attention or disregard this guideline, you have a few options at your disposal:

1. Take a look at LimitLogin in the following links.

Microsoft releases LimitLogin v1.0. 16-Mar-05
http://windowsitpro.com/articles/index.cfm?articleid=83236

Utility Spotlight: Limit Login Attempts With LimitLogin
Ever needed to limit concurrent user logins in an Active Directory® domain? Ever wanted to keep track of information about every login in a domain?
http://technet.microsoft.com/en-us/magazine/2005.05.utilityspotlight.aspx

LimitLogin – Tool to limit and monitor concurrent logins in a …
LimitLogin is an application that adds the ability to limit concurrent user logins in an Active Directory domain. It can also keep track of all logins …
http://msmvps.com/blogs/javier/archive/2005/03/14/38557.aspx

2. The Windows 2000 Server Resource Kit has the Cconnect.exe tool to prevent users from logging on more than once. But no warning is displayed. They simply won’t be able to connect. More information can be found in the following link:

Limiting a user’s concurrent connections in Windows Server 2003 …
Install the Windows 2000 Resource Kit tool named CConnect.exe on each client computer. With this tool, together with an .adm file that it supplies, you can limit concurrent logins.
http://support.microsoft.com/kb/237282

3. Use the PsShutdown.exe and PsLoggedOn.exe freeware, originally included in the PSTools Suite from Sysinternals, which is now part of Microsoft. The PSTools can be downloaded free from Microsoft. With these two utilities, you can add some code to your logon script to prevent a user from logging on more than once. The code, and instructions on how to use it, can be found at the following link.

How can I prevent users from logging on more than once, without using the Cconnect.exe Resource Kit Tool? 08-Dec-04
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768

PsTools – The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, and much much more.
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

Windows Sysinternals: Documentation, downloads and additional information on PSTools.
http://technet.microsoft.com/en-us/sysinternals/default.asp

 

EventID 510, Source = Folder Redirection:

“Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect.”
You can enable Folder Redirection debug logging to help narrow down the issue:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics\FdeployDebugLevel REG_DWORD value=0xf

Event ID 510, Source = Folder Redirection

Folder Redirection policy application never applied completely
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24558513.html

Folder Redirection encounters errors and redirection fails
“Folder Redirection, like Software Installation settings, can only be applied during computer startup or user logon. On computers running Windows XP with logon optimization enabled, this can mean that the user needs to log on more than once before the setting takes effect. “
http://technet.microsoft.com/en-us/library/cc781863(WS.10).aspx

How Folder Redirection Extension Works
“…Because background refresh is the default behavior in Windows XP, Folder Redirection and Software Installation might require as many as three logons to apply changes. “
http://technet.microsoft.com/en-us/library/cc787939(WS.10).aspx#w2k3tr_gpfdr_how_xokx

How Folder Redirection Works:
http://technet.microsoft.com/en-us/library/cc787939(WS.10).aspx

Security Considerations when Configuring Folder Redirection
http://technet.microsoft.com/en-us/library/cc775853(WS.10).aspx

Windows 7, roaming profiles, and waiting over a minute to logon (providing DNS configurations are correct):

Managing Roaming User Data Deployment Guide:
“At logon, Windows Vista typically waits 30 seconds for an active network, when you configure the user with a roaming user profile or remote home directory. In cases such as wireless networks, it may take more time before the network connection becomes active. Enabling this policy allows Windows to wait up to the number of seconds specified in the policy setting for an active network connection. Windows immediately proceeds with logging on the user as soon as the network connection is active or the wait time exceeds the value specified in the policy setting. Windows does not synchronize roaming user profile or connect to the remote home folder if the logon occurred before the network connection became active.”
http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx

As shown in the above link, the 30 sec delay is “By Design”. The Windows 7 & Windows Vista NLM (Network Location Management) Service, running behind the user policy service, by default is set to wait for the network for 30 seconds if a user has a Roaming User Profile or Remote Home Folder set in ADUC. In many cases, a 30 second logon may be unacceptable. This setting can be adjusted in a GPO.
 
Computer settings
   Policies
      Admin Template
         System
            User Profiles
               Set max wait time for the network if a user has a roaming user profile or remote home folder

Depending on your network, setting this time too short could result in the user not receiving the RUP or remote home folder.

One suggestion, if you want to keep a 7 – 10 second logon time, is to set the GPO to 1 sec, map the home folder with GPO Preferences, and let redirection take care of the rest.

Profile Size Limits and Folder Redirection causing size limit reached error message

Do you have a GPO that limits the Profile Size? Have a look at the following KB article.

Error message may occur when you increase the maximum profile size
http://support.microsoft.com/kb/290324

Have you tried to clean up the profile on one computer to check if the notification goes away? (For example, removing temporary internet files, moving big files from My Documents to a network share, deleting temporary files …)

From Mark D. MacLachlan:
For the benefit of others, you can eliminate the need to fix this manually on each PC by using the following VBScript as a login script.

[code]
' Clears the profile-size-limit notification by writing
' EnableProfileQuota = 0 (REG_DWORD) under HKCU for the user logging on.
Dim WSHShell, Path
Path = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableProfileQuota"
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.RegWrite Path, 0, "REG_DWORD"
[/code]

In case of posted line wrapping, the line starting with “Path = ” ends with “\EnableProfileQuota” so make sure they are one line in your script.

Folder Redirect Re-targeting

Change it in the GPO as well as in the client-side registry:

"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Documents" = "%HomeShare%%HomePath%Documents"
http://vistavitals.blogspot.com/2007/11/folder-redirection-misbehaves-after.html

 

Notes on Roaming Profiles – Removing Roaming Profiles

You can set up a Folder Redirection GPO, testing it on a test OU and a test user account that already has a Roaming profile. Once Folder Redirection is in place, you can copy the data into the My Docs folder to allow redirection to sync it to their home folder. Once that is in place and working, you can remove the roaming profile by using the Delprof or Remprof utility.

User Profile Deletion Utility (Delprof.exe) – For Windows XP and previous operating systems
http://www.microsoft.com/download/en/details.aspx?id=5405 

Delprof2 – User Profile Deletion Tool
The unofficial successor to Microsoft’s Delprof that works with Windows Vista and newer.
http://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/

How To Delete User Profiles by Using the User Profile Deletion …
http://support.microsoft.com/kb/315411

BombProf – GUI Based Profile Management Utility
Windows Compatible – 2000\XP\2003\Vista\2008\7 & Citrix Compatible – Metaframe\Presentation Server\XenApp
Direct Download: http://www.ctrl-alt-del.com.au/files/BOMBProf.zip
(Part of the CAD Freeware Util Pack): http://www.ctrl-alt-del.com.au/CAD_TSUtils.htm#Freeware 

RemProf – Command-line utility to delete local user profiles that are NOT in use when this command is executed.
Direct Download NT\2k\2k3 edition: http://www.ctrl-alt-del.com.au/files/RemProf.zip
Direct Download w2k8/win7 edition: http://www.ctrl-alt-del.com.au/files/RemProf08.zip
Part of the CAD Freeware Util Pack: http://www.ctrl-alt-del.com.au/CAD_TSUtils.htm#Freeware  

Removing Roaming Profiles  (using delprof with example command line switches)
http://www.edugeek.net/forums/windows/16924-removing-roaming-profiles.html

This website provides a short overview of the free Microsoft “Delprof” tool and the commercial “Remote Profile Cleaner” tool, including scripting examples.
http://www.delprof.eu/ 

To delete the roaming profile folders on the server side, and this is assuming the roaming profiles location is a different location (UNC path) than the redirected folders, first remove the roaming profile path specified in the AD user account. Then, as an administrator, you’ll find that you won’t be able to delete the actual roaming profile folder that belongs to a user account. To perform this action, you’ll need to take ownership of the folder. Read more:

Roaming Profile Folders Do Not Allow Administrative Access
http://support.microsoft.com/kb/222043

Going from Roaming Profiles to Folder Redirection:

Roaming Profiles and Folder Redirection
http://webcache.googleusercontent.com/search?q=cache:UU6f-dPW3nIJ:thelazyadmin.com/blogs/thelazyadmin/archive/2005/05/15/Roaming-Profiles-and-Folder-Redirection.aspx+lazyadmin+folder+redirection&cd=1&hl=en&ct=clnk&gl=us&source=www.google.com  

 

 

 

DFS and Folder Redirection

This is not supported nor recommended.

Microsoft’s Support Statement Around Replicated User Profile Data
http://blogs.technet.com/b/askds/archive/2010/09/01/microsoft-s-support-statement-around-replicated-user-profile-data.aspx

Replicating User Profiles Between Sites (With or Without DFS) – Why it Should be Avoided
http://blogs.sepago.de/helge/2009/07/30/replicating-user-profiles-between-sites-with-or-without-dfs-why-it-should-be-avoided/

Roaming Profiles using DFS? – is it possible?
http://social.technet.microsoft.com/Forums/en-US/winserversetup/thread/af23abbc-2d35-4f92-a1c1-8068cdd74cd4/

 

Summary

– Make sure you have a recent backup of the server where the redirected files are prior to making any changes. If you don’t, and this may be a good practice whether you do have a good backup or not, I would suggest recovering the files from the offline cache on the machine you want to remove from the Redirection GPO. You can do that by copying the files from the My Documents folder and any other redirected folders that are in the policy, to another location on the hard drive. Make sure you do that prior to removing the machine from the GPO or from the domain, otherwise if there are any problems or if you have no backup, it may be impossible to recover them afterward.

– You will probably want to include other files from the machine that may not have been part of the Redirect policy, or even if they were, such as Favorites, Desktop items, Downloads folder, etc.

If there are any PST files, you may want to copy them, as well. However, keep in mind, PST files, along with MDB and other database files, do not work well with Redirection. FYI, the default PST location is:
C:\Documents and Settings\Username\Local Settings\Application Data\Microsoft\Outlook

One important file you may want to also copy is the Outlook nickname drop-down list file. That’s the names that show up in the drop-down list box that shows up when you start typing something in the To:, Cc: and Bcc: boxes. Many a user will claim this is their “Address Book.” However we all know it is not, but they’ve come to rely on this feature and will complain if missing in their new profile. This file can be copied from machine to machine. Just rename it to the Outlook profile name of the target machine. It’s stored in a file called the <OutlookProfileName>.NK2 file and is located in (depending on operating system version):

XP and Windows 2000:
c:\Documents and Settings\UserName\Application data\Microsoft\Outlook

Windows Vista:
C:\Users\UserName\AppData\Roaming\Microsoft\Outlook

If Vista was upgraded from Windows XP:
C:\Documents and Settings\UserName\AppData\Roaming\Microsoft\Outlook

– Use Group Policy to set folder redirection back to the default location, which is your profile folder on the PC. You can’t just remove the policy, because the folders will stay where they are. You need to redirect them back to where they were.

– Re-initialize the offline cache. Redirected folders by default are synchronized to be available offline. That’s the little arrow in the corner of the icon. Unfortunately Offline Files in XP will keep trying to synchronize until you re-initialize it.

How to re-initialize the offline files cache and database
Provides two methods to re-initialize the offline files cache and database.
http://support.microsoft.com/kb/230738

– If you used the method to use a group to control Folder Redirection, Remove the user from the folder redirect group. If not, move the user out of the OU where Folder Redirection GPO is linked to.

 

Related Links

Implementing Folder Redirection using Group Policy
http://www.tech-faq.com/implementing-folder-redirection-using-group-policy.html

Folder Redirection (with a step by step video)
http://www.folderredirection.com/

Recommendations for Folder Redirection: Group Policy
http://technet.microsoft.com/en-us/library/cc785925(WS.10).aspx

Folder Redirection feature in Windows
http://support.microsoft.com/kb/232692

How to Configure Folder Redirection
http://technet.microsoft.com/en-us/library/cc782799.aspx

How To Configure Folder Redirection
http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html

User Profiles and Folder Redirection FAQ
http://www.microsoft.com/technet/community/en-us/management/manage_faq.mspx

Enabling the administrator to have access to redirected folders
http://support.microsoft.com/kb/288991

Folder Redirection in a mixed environment XP/Vista
http://www.gpanswers.com/community/viewtopic.php?t=2257

When you redirect the Documents folder on a Windows Vista-based computer to a network share, the folder name unexpectedly changes back to Documents
http://support.microsoft.com/kb/947222

Profile and Folder Redirection In Windows Server 2003 (explains the differences between a Roaming profile and a non-roaming profile, recommending not to use Roaming Profiles and just use Folder Redirection):
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

Ace Fekay
==================================================================

Split Zone or no Split Zone – Can’t Access Internal Website with External Name

“How do I resolve my external website when my internal name is the same as my external name (split zone)?”

Or

“We are hosting our webserver internally, on our LAN, and internet users can access the website without problems, but when we are inside the office, we can’t access our domain name. This also applies to Exchange OWA.”

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Updated 7/30/2009


There can be multiple scenarios. Choose your scenario.

Scenario 1: The Internal and External Domain Names are the Same

Your internal domain name and external domain name are the same, and the webserver is hosted externally.
This type of same-name scenario is called a split zone.

To handle a split zone, keep in mind there are two ways to get to your website:

  1. By http://www.yourdomain.com/, using ‘www’ in front of your domain name.
  2. By http://yourdomain.com/, without the ‘www’ in front of the name.

1. The simplest way to allow your internal users to get to your external website is to create an “A” record named www under your current internal AD zone name in DNS (DO NOT create an Alias or CNAME record), and provide the IP address of the external web server.

To create the ‘www’ record:
Open DNS console
Right-click your zone name, such as yourdomain.com, choose New Host Record
Type in www
Type in the IP address of the external website

2. However, if your web hosting provider uses more than one web server, such as in a server farm, or has multiple IP addresses for the website, and there is the possibility that they may change it without warning, you would have to do something different to account for this. Therefore, instead of creating an “A” ‘www’ record, I would suggest creating a delegation for ‘www’ to the public name servers that are authoritative for your zone. With a delegation, instead of providing a direct IP, your DNS server will query the SOA of your public domain name to get the current IP address of your website. To create a delegation, you will need to find the SOA name of your public zone. The SOA, or Start of Authority, identifies the public name servers on record that you want your delegation to query for your ‘www’ record.

Therefore, you would need to query an outside DNS server for your SOA record (the external DNS servers hosting your public domain name).

How do you find the SOA for your public domain name? Use nslookup.

In a command prompt, type in nslookup, hit enter.
Then type in the following:
> set q=soa
> server 4.2.2.2
> typeInYourDomainNameHereWithoutTheWWW.com

Once you’ve found the SOA names and IP addresses, you can create the delegation. To create the delegation, simply right-click your zone name, choose New Delegation, type in www, and provide the SOA name servers of your public domain.
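The same split-zone setup done with the DnsServer cmdlets (Windows Server 2012 and later), as an added example that is not code from the original post: it looks up the public SOA and NS records through an outside resolver the way the nslookup steps do, then creates either the www A record (option 1) or the www delegation (option 2), and verifies the result. The zone name, resolver address and IPs are constructed placeholders.

```powershell
# Added example, not code from the original post. Assumes the DnsServer and
# DnsClient modules (Windows Server 2012 or later) and that you run it on your
# internal DNS server. Zone name, resolver and IPs are constructed placeholders.
$InternalZone     = 'yourdomain.com'   # your AD zone, which is also your public name
$ExternalResolver = '4.2.2.2'          # an outside resolver, as in the nslookup steps

# Ask an outside resolver who is authoritative for the public copy of the zone.
# The SOA names the primary public name server; the NS records list all of them.
$soa = Resolve-DnsName -Name $InternalZone -Type SOA -Server $ExternalResolver |
       Where-Object { $_.Type -eq 'SOA' }
$ns  = Resolve-DnsName -Name $InternalZone -Type NS  -Server $ExternalResolver |
       Where-Object { $_.Type -eq 'NS' }
"Public SOA primary server: $($soa.PrimaryServer)"
"Public name servers      : $($ns.NameHost -join ', ')"

# Option 1 from the post: one stable public IP, so an A record named www
# (an A record, not a CNAME, as the post says).
function Add-WwwHostRecord {
    param([string]$Zone, [string]$PublicIp)
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www' -IPv4Address $PublicIp
}

# Option 2 from the post: the hosting provider may change IPs or run a farm, so
# delegate 'www' to the public name servers and let them answer every time.
function Add-WwwDelegation {
    param([string]$Zone, [string[]]$PublicNameServers, [string]$Resolver)
    foreach ($server in $PublicNameServers) {
        # A delegation needs glue (the name server's own address), looked up externally.
        $glue = Resolve-DnsName -Name $server -Type A -Server $Resolver |
                Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        # Each call adds one NS record (plus its glue) to the www delegation.
        Add-DnsServerZoneDelegation -Name $Zone -ChildZoneName 'www' `
            -NameServer $server -IPAddress $glue.IPAddress
    }
}

# Check: the internal server should now answer for www exactly as the public
# servers do. A mismatch means a stale A record (option 1) or a broken delegation.
function Test-WwwResolution {
    param([string]$Zone, [string]$Resolver)
    $internal = @(Resolve-DnsName "www.$Zone" -Type A -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $external = @(Resolve-DnsName "www.$Zone" -Type A -Server $Resolver -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    [pscustomobject]@{
        Internal = $internal -join ', '
        External = $external -join ', '
        # Compare-Object rejects empty arrays, so guard before calling it.
        Match    = ($internal.Count -gt 0) -and ($external.Count -gt 0) -and
                   ($null -eq (Compare-Object $internal $external))
    }
}

# Pick ONE of the two options, then verify:
# Add-WwwHostRecord  -Zone $InternalZone -PublicIp '203.0.113.10'      # constructed IP
# Add-WwwDelegation  -Zone $InternalZone -PublicNameServers $ns.NameHost -Resolver $ExternalResolver
# Test-WwwResolution -Zone $InternalZone -Resolver $ExternalResolver
```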

 

So you don’t want to use the WWW in front of the URL?

This question has arisen numerous times in scenarios where the external and internal AD names are the same, and the webserver is being hosted internally or externally. I usually look at it as politics driving this request, because it’s not that hard to type www in front of domain.com.

However, if you absolutely need it to resolve http://domain.com/ without the www in front of it, there is a way, but it’s a bit more complex and warrants an explanation.

If you are not running an Active Directory infrastructure:

The easy solution is to simply create a new, blank hostname record (as in step #1 above), but without typing a name in the hostname field; you would simply type in the IP address of the website. This is called a blank domain name record, which allows the name to resolve without the ‘www’ in front of it.

However, if you are using Active Directory:

This ‘blank’ domain name record is actually used by the domain controllers in the domain. It’s a record that each and every domain controller registers under the zone in DNS with its own IP address and no hostname, which appears under your internal zone name as:

(same as parent)   A   x.x.x.x

This record that each DC registers is actually called the “LdapIpAddress.” Each DC registers one for itself. AD uses these records for a number of things, such as DC to DC replication, Sysvol replication, GPOs and DFS. Don’t mess with it, please, or expect problems. The DCs will re-register this record anyway if you delete it and thwart your attempt. If you create a blank record for your website, it will cause problems with AD.
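An added check (not code from the original post) that lists the apex “(same as parent)” A records of an AD zone and tells the DC-registered LdapIpAddress entries apart from anything created by hand, which is the blank website record this section says not to create. Assumes the DnsServer and ActiveDirectory modules on a DC running Windows Server 2012 or later; contoso.com is a constructed placeholder.

```powershell
# Added check, not code from the original post. Assumes the DnsServer and
# ActiveDirectory modules on a DC (Windows Server 2012 or later); the zone
# name is a constructed placeholder.
function Get-ApexRecordReport {
    param([string]$Zone = 'contoso.com')

    # "(same as parent)" rows in the DNS console are records whose name is the
    # zone apex, which the DnsServer cmdlets address as '@'.
    $apexIps = @(Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A |
                 ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })

    # Every DC registers its own LdapIpAddress record at the apex, so the
    # expected set of apex addresses is exactly the DCs' addresses.
    $dcByIp = @{}
    foreach ($dc in Get-ADDomainController -Filter *) {
        if ($dc.IPv4Address) { $dcByIp[$dc.IPv4Address] = $dc.HostName }
    }

    foreach ($ip in $apexIps) {
        if ($dcByIp.ContainsKey($ip)) {
            $owner   = $dcByIp[$ip]
            $finding = 'OK: LdapIpAddress registered by a DC'
        } else {
            # An apex A record that belongs to no DC is the "blank website record"
            # this section warns about; expect AD problems until it is removed.
            $owner   = '(no DC has this address)'
            $finding = 'REVIEW: manually created apex record?'
        }
        [pscustomobject]@{ Zone = $Zone; ApexIP = $ip; Owner = $owner; Finding = $finding }
    }

    # A DC with no apex record has not registered yet, or registration is failing.
    foreach ($ip in @($dcByIp.Keys) | Where-Object { $apexIps -notcontains $_ }) {
        [pscustomobject]@{
            Zone    = $Zone
            ApexIP  = $ip
            Owner   = $dcByIp[$ip]
            Finding = 'REVIEW: DC is missing its LdapIpAddress record'
        }
    }
}

Get-ApexRecordReport -Zone 'contoso.com' | Format-Table -AutoSize
```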

To get around that, you can use a workaround. The workaround is, on EACH DC, install IIS. Then open the Internet Information Services console. In the default website properties, on the Directory tab, select redirect, and redirect it to http://www.domain.com/. This way when any one of your users types in http://domain.com, it will resolve to the www record you’ve created in Step #1 or #2 above. But this procedure must be performed on each DC.

Steps summarized:

  1. Install IIS on EACH domain controller. This must be done on each DC.
  2. Create a www record under your domain.com.
  3. Give it the private, internal IP of the webserver, or if the webserver is external, give it the public IP address of the webserver. If you don’t know the external IP, see the nslookup steps below to find it.
  4. In the IIS console, default website properties, create a redirect, and redirect it to www.domain.com.
  5. This way when any one of your users types in http://domain.com, it will resolve to the www record you created in Step 2.

 

If your website is external, for the above you need to use nslookup to find your external webserver's IP:

c:\>nslookup
> server 4.2.2.2          (this command tells nslookup to use an external DNS server to get your public webserver's IP address)
> www.domain.com

Note: Installing IIS on a Domain Controller has security implications:

For security reasons, I do not condone installing IIS on a DC. Normally with some of my customers, I simply tell them to use the www in front of the domain name. If it is a .com name, you can simply instruct them to type in domain in the URL, and then hit <CTRL> + <Enter>. This shortcut will automatically populate the www in front and the .com at the end.

Otherwise, if the boss demands to have it work without a www in front (usually a political and not a technical requirement), then follow the above, but take note of the security implications.

Scenario 2: Different Internal and External Domain Names, but You Are Hosting the Webserver Internally

Your public domain name is different from your internal name, and you are hosting your webserver internally.

In this scenario, internet users access your domain name by connecting to the WAN (outside) IP address of your router.

To make this scenario work, with a different domain name than your internal domain name, you would need to create the external domain name as a zone on your DNS server:

  1. Open DNS console.
  2. Click on Forward Lookup Zones.
  3. Right-click, choose New Zone, and type in the name of the external domain name.
  4. Once created, right-click the zone you just created, choose New Host Record.
  5. Type in ‘www’ (without the quotes), and provide the internal private IP address of your internal webserver.

If you want to access the site with http://domain.com/ (without the www), you would need to create a ‘blank’ host record.

How?
Right-click the zone name you just created, choose New Host Record.
Leave the name field blank, and provide the internal Private IP address of your internal webserver.

Scenario 3 : Different Internal & External Domain Name

If you have a different internal domain name and external domain name, and the website is hosted externally:
There’s nothing to do. Internet resolution will handle everything.

Don’t forget, ALWAYS and ONLY use the internal DNS servers in your AD environment for all machines (DCs, member servers and workstations, including your VPN clients), or this won’t work. Never use your ISP’s DNS servers, or your router’s IP address, as a DNS address in any internal machine’s IP properties. Otherwise, expect AD problems as well.

Don’t forget to configure a forwarder for more efficient internet name resolution. I’ve always used this as a best practice. It offloads internet name resolution to your ISP’s DNS addresses so your server doesn’t have to use the Root Hints to resolve external names.

Ace Fekay, MCT

The DNS Cache Poisoning Vulnerability, Microsoft KB953230 Patch, and UDP Service Ports Reservation Explained, and DNS Memory Leakage

The DNS Cache Poisoning Vulnerability, Microsoft KB953230 Patch, and Ports Reservation Explained

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer

Published 7/2009
Edits:
8/9/2010  – Added update links (see the bottom of this blog).
10/5/2010 – Added info about the DNS Process Memory Leakage After Installing Hotfix 941672 for Windows 2003
10/7/2010 – Added link explaining how to debug the DNS process to determine if a leak is occurring

 

Protection against the Microsoft DNS Cache Poisoning Vulnerability (953230)

The DNS patch released in July 2008 reserves 2500 ephemeral UDP service ports.

It is a security update to prevent spoofing. Attackers know that normally, without the update, a random ephemeral port (service port) is chosen from UDP 1024 and above for the exchange with the querying client resolver, and these ephemeral ports are shared by all Windows communications (not just DNS). An attacker may guess that port in an attack against DNS, attempting to create records in the DNS cache by injecting them with specially crafted packets, therefore poisoning the DNS cache with records of their choosing. That allows a remote attacker to redirect legitimate network traffic intended for systems on the Internet to the attacker’s own systems, or elsewhere of their choosing.

By pre-reserving the ports, or creating a socket pool, as the DNS patch does, the chance of such a port-guessing attack succeeding is reduced. Attackers are using these attacks against Windows and other major DNS services, and the socket pool is there to prevent cache poisoning.

 

DNS Increased Memory Consumption Due To The DNS Patch

When you run netstat -ab, it will display the 2500 UDP ports that have been reserved, but are not necessarily in use. This is part of the increased memory consumption that you may notice. I’ve noticed the following when I’ve looked at Task Manager before and after the DNS patch was installed (your mileage may vary):

dns.exe        Before      After
Mem usage       9,758K    36,232K
Peak Mem       10,208K    36,584K
Paged Pool         71K       798K
NP Pool            17K     4,833K
Handles            238      5,217
Threads             20         20

 

If the RPC Endpoint Mapper Runs Out of Ports Due to the Patch

There can also be issues with various applications installed and running on a DNS server where the RPC Endpoint Mapper has run out of ports to use because all available ports are being consumed by an application. If this is the case, the system is running out of available ports for the RPC Endpoint Mapper to use.

Run “netstat -ano” in a command line. It provides a listing of ports that are in use as well as the PID of the process that owns each port. Possibly you’re running an application on this server that isn’t releasing ports when it’s done with them. You can also extend the available ports used by RPC, but I’d recommend looking into what’s consuming them first.

Take a look at the following article for more info on the Endpoint mapper:

839880 Troubleshooting RPC Endpoint Mapper errors using the Windows Server 2003 Support Tools from the product CD
http://support.microsoft.com/default.aspx?scid=kb;EN-US;839880

 

DNS Process Memory Leakage After Installing Hotfix 941672 for Windows 2003

If your DNS server is experiencing a large amount of memory being consumed by the DNS process, to the point where the DNS service hangs and stops responding, it may be associated with hotfix 941672. If 941672 was installed on the DNS server, there is a known memory leak in the DNS process associated with this hotfix. The issue is fixed by installing hotfix 975830.

Please read more about it in the following link, where you can also request the hotfix.

The memory usage of the Dns.exe process keeps increasing after you install hotfix 941672 on a computer that is running Windows Server 2003 SP2 and that has the DNS server role installed
Article ID: 975830 – Last Review: October 27, 2009 – Revision: 1.0
http://support.microsoft.com/kb/975830/en-us

DNS Memory Consumption Related Discussion:
http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/bcf3ac92-3485-4a2d-9386-55f2dcbc78f8

If you feel that you need more information to determine if a DNS process leak is occurring, you can enable debug logging, and use the following link in conjunction with the symptoms explained in KB975830 to further analyze the issue. Read the following link for more info.

DNS: Monitoring Server
http://technet.microsoft.com/en-us/library/cc783975(WS.10).aspx

 

Windows 2008, 2008 R2, Vista and Windows 7 Ephemeral Ports Have Changed

The default ephemeral (random service) ports are UDP 1024 – 65535 (see KB179442 below), but for Vista and Windows 2008 it’s different. Their default port range is UDP 49152 to UDP 65535 (see KB929851 below).

Quoted from KB929851 (link posted below):

“To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000.”

Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 Service Response Ports (ephemeral ports)
The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/?kbid=929851

 

 

DNS Server Service Terminates Unexpectedly

Are you seeing the following error?

The DNS Server service terminated with the following error:
An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.

Cause:
2500 is the default DNS Socket Pool Size value on Windows Server 2008 R2. I suspect that, for system stability, the Best Practices Analyzer (BPA) will always suggest using the system default settings, which is why it raised this prompt.

Meanwhile, verify the current value of the SocketPoolSize registry value under the path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters
Manually modify it to the value you want, restart the computer and check if the issue persists.
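An added example (not code from the original post) that reads the SocketPoolSize value, counts the UDP sockets dns.exe actually holds in the ephemeral range, and shows which processes are consuming the rest of that range, which is the netstat -ano check from the Endpoint Mapper section above done in one pass. Assumes Windows Server 2012 or later (for Get-NetUDPEndpoint), English netsh output, and an elevated prompt on the DNS server.

```powershell
# Added example, not code from the original post. Assumes Windows Server 2012
# or later (Get-NetUDPEndpoint), English netsh output, and that it runs as an
# administrator on the DNS server. Registry path and default are from the post.
function Get-DnsSocketPoolStatus {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    # An explicit override lives in SocketPoolSize; when it is absent the
    # default of 2500 applies (Windows Server 2008 R2, per the post).
    $configured = (Get-ItemProperty -Path $params -Name SocketPoolSize `
                   -ErrorAction SilentlyContinue).SocketPoolSize
    if ($null -eq $configured) { $configured = 2500 }

    # Snapshot every UDP endpoint once (the "netstat -ano" view) and find dns.exe.
    $udp    = Get-NetUDPEndpoint
    $dnsPid = (Get-Process -Name dns -ErrorAction Stop).Id
    $dnsUdp = @($udp | Where-Object { $_.OwningProcess -eq $dnsPid })

    # Dynamic (ephemeral) UDP range; 49152-65535 by default on Vista/2008 and later.
    $rangeText = netsh int ipv4 show dynamicport udp
    $start = [int](($rangeText | Select-String 'Start Port').Line -replace '\D')
    $count = [int](($rangeText | Select-String 'Number of Ports').Line -replace '\D')
    $end   = $start + $count - 1

    $inRange   = { $_.LocalPort -ge $start -and $_.LocalPort -le $end }
    $pool      = @($dnsUdp | Where-Object $inRange)        # the reserved socket pool
    $ephemeral = @($udp    | Where-Object $inRange)        # everyone's use of the range

    # Top consumers of the ephemeral range: if RPC or another application is
    # starving for ports (the Endpoint Mapper symptom), it shows up here.
    $topConsumers = $ephemeral |
        Group-Object OwningProcess | Sort-Object Count -Descending | Select-Object -First 5 |
        ForEach-Object {
            $name = (Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue).ProcessName
            '{0}(PID {1})={2}' -f $name, $_.Name, $_.Count
        }

    [pscustomobject]@{
        ConfiguredPoolSize  = $configured
        DnsPoolSocketsHeld  = $pool.Count
        ListeningOnUdp53    = @($dnsUdp | Where-Object { $_.LocalPort -eq 53 }).Count -gt 0
        EphemeralRange      = "$start-$end"
        EphemeralPortsInUse = $ephemeral.Count
        EphemeralPortsFree  = $count - $ephemeral.Count
        TopUdpConsumers     = $topConsumers -join '; '
    }
}

Get-DnsSocketPoolStatus | Format-List
```

If DnsPoolSocketsHeld is far below ConfiguredPoolSize while EphemeralPortsFree is near zero, the pool could not be fully reserved, which is the "lacked sufficient buffer space" condition described above.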

For more information please refer to the link below:

DNS Socket Pool – Windows 2008 R2
http://technet.microsoft.com/en-us/library/ee683907(WS.10).aspx

 

More info on the Microsoft DNS Cache Poisoning Vulnerability KB953230 patch and the DNS exploit issue is explained in the following links.

US-CERT Vulnerability – Note VU#800113
Multiple DNS implementations vulnerable to cache poisoning.
DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that …
https://www.kb.cert.org/vuls/id/800113

SecureWorks: DNS Cache Poisoning
The old problem of DNS cache poisoning has again reared its ugly head.
There are new attacks, which make DNS cache poisoning trivial to execute against …
http://www.secureworks.com/research/articles/dns-cache-poisoning

DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative …
Cache poisoning attacks – Variants – Prevention and mitigation
http://en.wikipedia.org/wiki/DNS_cache_poisoning

MS08-037: Description of the security update for DNS in Windows Server 2003, in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
http://support.microsoft.com/?id=951748

MS08-037: Vulnerabilities in DNS could allow spoofing
http://support.microsoft.com/default.aspx/kb/953230

How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873

You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)
http://support.microsoft.com/default.aspx/kb/956188

Some Services May Fail to Start or May Not Work Properly After Installing MS08-037 (951746 and 951748)
http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx

SBS Services failing after MS08-037 – KB951746 and 951748
http://msmvps.com/blogs/thenakedmvp/archive/2008/07/18/sbs-services-failing-after-ms08-037-kb951746-and-951748.aspx

 

Additional Updated Links (added 8/9/2010):

[PDF] Windows DNS Server Cache Poisoning
www.babilonics.com/files/Windows_DNS_Cache_Poisoning.pdf

==================================================================

Ace Fekay

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones

Revisions:

Original publication 3/2006
Recompiled 6/10/2010
Updated 12/9/2010
Updated 8/31/2014

Prologue

Ace here again. I’m cleaning up my blogs for technical and syntax errors. If you see anything that needs correction, please let me know.

Preface and Scope Of this Article

This blog explains how to use ADSI Edit to determine if duplicate zones exist in the AD database and to delete them.

When using ADSI Edit, duplicate zones show up in the partitions with names that are prefixed with “In Progress….” or “CNF…” and suffixed with a long GUID number. You will be checking EACH DC. When you find them, you will simply delete them, because they are useless and cause substantial problems.

This blog also explains how duplicate zones will appear to make zone records disappear.

Introduction to Duplicate Zones

Duplicate zones can cause numerous issues for the mere fact that the DNS zone that DNS is showing you on a specific DC may not have the latest up to date data. It literally may be missing data that you see on other DCs. If there are duplicate or conflicting zones, the zone data can’t replicate, so each DC may have a different copy of the zone, which then results in unreliability and AD issues.

And to further complicate it, there are three different storage locations that AD can store AD integrated DNS zones – DomainDnsZones, ForestDnsZones, and the DomainNC partitions. You can read more on specifics in one of my other blogs:

DNS Zone Types Explained, Storage Locations in the AD database, and their Significance in Active Directory.
https://blogs.msmvps.com/acefekay/2013/04/30/dns-zone-types-explained-and-their-significance-in-active-directory/

Symptoms?

You may have a duplicate zone or a conflicting zone if a zone exists in both the Domain NC and one of the Application Partitions. Some of the symptoms include:

  • Trying to change the replication scope, you receive an unusual error message stating, “The name limit for the local computer network adapter card was exceeded.”

DNS Duplicate zone - Scope Replication error - The Replication scope could not be set- The name limit for the local computer network adapter was exceeded.

  • Event ID 4515
  • An admin sees that data present on a different DC is not there and manually creates records.
  • Zone data is disappearing, or appears to be. The data on each DC is different, and you are wondering why replication isn’t bringing the zone data up to date; it won’t, because replication will not occur if AD sees a duplicate.

Causes?

    • You’ve installed DNS on another DC and you don’t see the zone under DNS that is on the other DCs, so you manually created the AD zone because you didn’t have the patience to wait for replication to occur, which would have populated it automatically.
    • You’ve promoted a new DC in another site and didn’t have the patience to wait for the zone data to replicate.
    • Antivirus not configured to exclude AD communications (common cause).
    • At one time, or currently, the AD environment is a mixed Windows 2000/2003/2008 environment and DNS is installed on all operating system versions. On Windows 2000, if the zone is AD Integrated, it is in the DomainNC partition of the AD database, and should be set the same on Windows 2003 or newer DC/DNS servers to keep the zone data compatible and allow both operating system versions to be able to read and use them.
    • Someone must have attempted to change it in Windows 2003 or 2008 DNS to place the zone in the DomainDnsZones partition, not realizing the implications, hence the duplicate. In a scenario such as this where you want to use the Windows 2003 application partitions, you then must ensure the zone on the Windows 2003 DC is set to the DomainNC, then uninstall DNS off the Win2000 machine, then once that’s done and AD replication has been given time to occur, you can go to the Windows 2003 or newer DNS and change the partition’s replication scope to one of the application partitions.
    • A new domain controller was promoted into the domain, and the administrator manually created the zone name in DNS. This causes a duplicate. The proper way was to simply install DNS, and allow AD replication to occur. The zone will auto-populate into DNS.

    I usually don’t want to assume someone’s deleting data. That would be the far end of the spectrum, especially if more than one DC is showing inconsistent zone data.

    I feel the best approach to find out which is occurring is to first find out if there is a duplicate zone. This is because auditing is time consuming, and you need to parse through all the events generated in the Event Security Logs. It’s easier to run ADSI Edit to find if there are duplicates. Once you’ve determined it’s not a duplicate zone issue, then you can move on to DNS auditing. If it is a duplicate zone issue, follow the procedure below to remove them.

    *

    AD Integrated Zones Storage Locations

    First, a quick review on the partitions. Hopefully you’ve taken a few moments to read my blog link that I posted above to understand the partitions. If not, I’ll just touch base on it here so you understand it and can relate to it. For specifics and the nitty gritty, read my other blog above.

    Windows 2000:

    The physical AD database is broken up into 3 logical partitions: the DomainNC (Domain Naming Context, which some call the Domain Name Container), the Configuration Partition, and the Schema Partition. The Schema and Configuration partitions replicate to all DCs in a forest.

    The DomainNC is specific only to the domain the DC belongs to. That’s where a user, domain local or global group is stored. The DomainNC only replicates to the DCs of that specific domain.

    When you create an AD Integrated zone in Windows 2000, it gets stored in the DomainNC. This causes a limitation if you want this zone to be available on a DC/DNS server that belongs to a different domain. The only way to get around that is a little creative designing using either delegation or secondary zones. This was a challenge for the _msdcs.contoso.com zone, which must be available forest wide to resolve the forest root domain, which holds the Schema Master and Domain Naming Master FSMO roles.

    Windows 2003 and newer:

    There were two additional storage locations added to the AD database for DNS storage use. These areas are called “partitions,” specifically the DomainDnsZones and ForestDnsZones Application Partitions, specifically to store DNS data. They were conceived to overcome the limitation of Windows 2000’s AD Integrated zones. Now you can store an AD Integrated zone in either of these new partitions instead of the DomainNC. If stored in the DomainDnsZones app partition, it is available only in that domain’s DomainDnsZones partition. If you store it in the ForestDnsZones app partition, it will be available to any DC/DNS server in the whole forest. This opens many more design options. It also ensures the availability of the _msdcs.contoso.com zone to all DCs in the forest. By default in Windows 2003, the _msdcs.contoso.com zone is stored in the ForestDnsZones application partition.

    Selecting the Replication Scope in Windows 2003 and newer:

    When selecting a zone replication scope in Win2003, in the zone’s properties, click on the “Change” button. Under that you will see 3 options:

    • “To all DNS servers in the AD forest example.com”  The top button. This option puts the zone in the ForestDnsZones Application Partition. This setting will allow the zone data to replicate to all domain controllers in every domain in the forest, including any additional Trees that exist in the forest.
    • “To all DNS servers in the AD domain example.com”  The middle button. This option means the zone is in the DomainDnsZones Application Partition. This setting allows the zone to be stored and replicated in the DomainDnsZones Application Partition of the specific domain it exists in. This setting is not compatible with Windows 2000 domain controllers. If Windows 2000 domain controllers exist in the domain, then the bottom option (below) will need to be used.
    • “To all domain controllers in the AD domain example.com”  The bottom button. This option means the zone is in the DomainNC (Domain Naming Context) portion of the actual AD database. This is only for Windows 2000 compatibility, that is, if you have any Windows 2000 domain controllers in the specific domain you are administering.

    If you receive an Event ID 4015 or the following error, it may indicate there is a duplicate or conflicting zone that exists in the DomainNC, the DomainDnsZones Application partition and/or in the ForestDnsZones partition.

    DNS Duplicate zone - Scope Replication error - The Replication scope could not be set- The name limit for the local computer network adapter was exceeded.

    *

    Non-AD Integrated Primary and Secondary Zones

    A Primary or Secondary zone that is not stored in AD is stored in a text file in the system32\dns folder. This type of zone storage has nothing to do with the above types, unless it is truly a secondary with the Master being a DC transferring a copy of the zone. This type of zone storage is obviously not secure.

    Now **IF** you did manually create a zone (whether intentionally or unknowingly) on one DC while it already existed on another DC, then you may have a duplicate.

    *

    Duplicate zone names will start with the letters “CNF…” or “InProgress…”

    If there is a duplicate, you can use either ntdsutil or ADSI Edit to take a look. I will outline in this article on how to use ADSI Edit to look for the duplicate.

    A duplicate zone name will appear in ADSI Edit that starts with an “In Progress….” or “CNF…” with a long GUID number after it.

    • The “CNF…” means it’s in conflict due to a duplicate in the AD database.
    • The “In Progress….” means it is trying to replicate, but it can’t because there’s another identical zone name with a different USN version number (USNs are used for replication control between DCs) on another domain controller, which also means there’s a duplicate zone.

    You can simply delete them, which will clean up the whole problem. Yep, a simple deletion. The “CNF” data is not used by AD, but yet it will conflict with the zone that is actually used, and needs to be deleted.

    But before doing anything about it just yet, let’s read on to explain more about this and what may have caused it.

    *

    Preventing Duplicate Zones

    AD Integrated Zones will auto-populate when adding replica domain controllers

    If an AD integrated zone exists on a DC, and you install the DNS service on another DC in the domain or forest, then depending on the replication scope it will automatically appear on the new DNS installation without any interaction on your part. You may have to wait a certain period of time for it to populate, depending on whether the other DC is in the same AD Site or not, but it WILL AUTO-POPULATE.

    However, if you attempted to manually create the zone, believing that you need to do this to make the zone available on that DC, then you’ve just introduced a duplicate zone in the AD database. It doesn’t matter if, say, the zone originally exists in the DomainNC and you manually create the zone on the other DC in the DomainDnsZones application partition; AD will still recognize it as a duplicate in the AD database.

    Duplicate zones cause numerous AD communication and access problems.

    The point is, AD is smarter than you think. Let it do its thing.

    *

    An Example of what an AD Duplicate Zones looks like in ADSI Edit

    This image shows “In Progress…” entries. They need to be deleted.

    *

    Using ADSI Edit to look at  your AD Partitions

    This is a manual step by step. For a screenshot step by step, see the next section.

    This section assumes you have a little familiarity with ADSI Edit. If not, I suggest getting yourself familiar with it once you’ve connected to the various partitions as outlined below. Be careful deleting anything, for once deleted, it’s gone; deletion is a destructive process. There is no “Back Button,” “Undelete,” or “Undo” button. To restore data, you will need to run an Authoritative Restore from your backup program, restoring the specific object that was deleted.

    Determine if there are any duplicate zones.

    While in ADSI Edit, if you see the same exact named zone in multiple partitions, such as seeing the same zone name in the Domain NC (Name Container) Partition, in the DomainDnsZones App partition), and/or in the ForestDnsZones application partition, you have duplicate zones. If this is the case, then you must choose which zone you want to keep.

    I will select a DC that isn’t having a problem and delete the duplicates and conflicts off all other DCs.

    Multiple domains or multiple tree forest?

    If the AD forest is a multidomain forest with child domains and/or multiple trees, you must look at each domain’s DomainNC and DomainDnsZones partition, because each domain has one.

    To view the DomainNC Partition (Default Naming Context)

    • In ADSI Edit, right-click ADSI Edit, choose “Connect To,” in the Connection Point click on “Well known Naming Context”, then in the drop-down box, select “Domain”. If this is Windows 2003 or newer, this option shows up as “Default Naming Context”.
    • Expand DomainNC or Default Naming Context, then expand your domain name. Drill down to CN=System. Under that you will see CN=MicrosoftDNS.
      You will see any zones that are in the DomainNC partition under the MicrosoftDNS folder.
    • If you see anything that starts with an “In Progress….” or “CNF…” with a long GUID number after it, that’s a duplicate zone. Delete them!

    To view the ForestDnsZones Application Partition:

    [ForestDNSZones]

    1. Click Start, click Run, type adsiedit.msc, and then click OK.
    2. In the console tree, right-click ADSI Edit, and then click “Connect To.”
    3. Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK:
      DC=ForestDNSZones, DC=contoso, DC=com
    4. In the console tree, double-click DC=ForestDNSZones, DC=contoso, DC=com.
      Double-click CN=MicrosoftDNS, and click the zone (contoso.com).
    5. You should now be able to view the DNS records which exist in this DNS partition.

    If you see anything that starts with an “In Progress….” or “CNF…” with a long GUID number after it, that’s a duplicate zone. Delete them!

    To view the DomainDnsZones Application Partition

    [DomainDNSZones]

    1. Click Start, click Run, type adsiedit.msc, and then click OK.
    2. In the console tree, right-click ADSI Edit, and then click “Connect To.”
    3. Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK: DC=DomainDNSZones,DC=contoso,DC=com.
    4. In the console tree, double-click DC=DomainDNSZones,DC=contoso,DC=com
      Double-click CN=MicrosoftDNS, and click the zone (contoso.com).
    5. You should now be able to view the DNS records which exist in this DNS partition.

    If you see anything that starts with an “In Progress….” or “CNF…” with a long GUID number after it, that’s a duplicate zone. Delete them!
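    The three ADSI Edit walkthroughs above can be done in one pass from PowerShell. The following is an added example (not from the original post) that lists the zone objects under CN=MicrosoftDNS in the DomainNC, DomainDnsZones and ForestDnsZones partitions and flags the names this post says to look for (“CNF…” or “In Progress…” followed by a GUID). It assumes the ActiveDirectory module (RSAT) on a domain-joined host and that the DC you are talking to hosts the two application partitions; it only reports, the deletion is still done by you in ADSI Edit once you have confirmed the object is a duplicate.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
# Report only: review the output, then delete duplicates in ADSI Edit as described above.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext       # e.g. DC=contoso,DC=com (this domain)
$forestDn = $rootDse.rootDomainNamingContext    # forest root domain

# The MicrosoftDNS container in each of the three places a zone can be stored.
# In a multi-domain forest, re-run this against a DC in each child domain (-Server).
$searchBases = @(
    "CN=MicrosoftDNS,CN=System,$domainDn",          # DomainNC (Windows 2000 style)
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn",  # DomainDnsZones application partition
    "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"   # ForestDnsZones application partition
)

# Naming pattern described in the post. AD conflict objects carry "\0ACNF:<guid>" in
# the name, which PowerShell shows as a line feed followed by "CNF:".
$duplicatePattern = 'CNF:|In\s*Progress'

function Find-DuplicateDnsZoneObjects {
    param([string[]]$SearchBases = $searchBases)
    foreach ($base in $SearchBases) {
        try {
            $objects = Get-ADObject -SearchBase $base -SearchScope OneLevel -Filter * `
                                    -Properties whenCreated -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read $base : $($_.Exception.Message)"
            continue
        }
        foreach ($o in $objects) {
            [pscustomobject]@{
                Partition   = $base
                Name        = ($o.Name -replace "`n", '\n')   # make the hidden line feed visible
                ObjectClass = $o.ObjectClass
                Created     = $o.whenCreated
                Suspect     = [bool]($o.Name -match $duplicatePattern)
            }
        }
    }
}

# Suspect = True rows are the "In Progress…" / "CNF…" objects the post says to delete.
Find-DuplicateDnsZoneObjects | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

    A zone that appears in more than one partition without a CNF/In Progress prefix is the “true duplicate” case covered under Choice #2 below; this script only surfaces it, it does not decide for you.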

    *

    Procedure with Screenshots: (screenshots not reproduced in this copy)

    *

    Procedure to Delete the Duplicate zones

    The easiest is to simply delete any duplicates you find in ADSI Edit. Choice #1, deleting them, can safely be done during production hours. As a matter of fact, things may just start to work after you delete them! But Choice #2, which is a lengthy procedure, must be done during non-production hours.

    Choice #1 (Recommended)

    Just go into ADSI Edit and delete the duplicate zones you’ve found.

    You can do this during production, and frankly, I’ve done it with a large infrastructure during production hours without any problems. This is my personal choice as long as there are no true duplicate zones. That is, if you see a duplicate of your actual zone, such as a second domain.com in any of the partitions, that is not prefixed with “In Progress….” or “CNF…” and a long GUID number after it, then you must perform Choice #2.

    Choice #2 (Not recommended)

    This is a multi-step process to first change the zone to a Standard Primary Zone, which removes it from the AD database, allow AD replication to complete, delete the duplicates, then change the zone to AD integrated, and allow AD replication to complete.

    • Choose only one DC to perform this action.
      • For example, if the duplicate is in the DomainDnsZones partition or DomainNC partition of a child domain, perform it only on a DC in that domain.
      • If the Duplicate is in the ForestDnsZones partition, you can choose any DC in the forest.
    • Right-click the zone name, Choose Properties.
    • Under the General  tab, click on the “Change” button next to the “Type” section.
    • Then uncheck the box that says “Store the zone in Active Directory (available only if DNS server is a domain controller)”.
    • Click OK. Don’t click OK again just yet; just click Apply.
    • IMPORTANT – You must allow AD replication to occur to replicate the change to all DCs that are in the replication scope of the zone. If you have DCs in another AD Site and have replication schedule set for example, to 3 hours, then you must WAIT for 3 hours.
    • This action makes the zone a Standard Primary zone. This means it is now stored in the system32\dns\ZoneName.com.dns text file and is no longer in the AD database.
    • You can also force replication. If there are AD Sites configured, and the replication schedule on the Site Connection objects is, say, 3 hours, you can reduce the replication schedule on the Site Connection objects to the minimum allowed, which is 15 minutes. Then force replication by selecting the partner DC’s NTDS Settings, right-click, and choose Replicate Now.
    • Once you have confirmed that replication has occurred, by refreshing the ADSI Edit window and seeing that the zone no longer exists in any of the partitions, you can safely delete the duplicate zones.
    • Note: Just to be clear, you will be deleting any zone names that you find that are prefixed with an “In Progress….” or “CNF…” and suffixed with a long GUID number after it.
    • Also Note: Deleting a zone is a destructive operation. Make sure you are only deleting duplicates!
    • Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
    • In the console tree, right-click contoso.com, point to All Tasks, and then click Restart.
    • Change the zone back to AD Integrated into the Replication Scope it’s supposed to be in.
    • Once the duplicates have been deleted, once again, you MUST allow AD replication to occur. If you had changed the Replication Schedule on the Site Connection objects to quicken AD replication, you will want to reset them to their original setting.

    References

    DNS zone replication in Active Directory
    http://technet.microsoft.com/en-us/library/cc779655(WS.10).aspx

    Oops, our AD Integrated DNS zone’s are missing in Windows 2003!
    http://blogs.technet.com/b/networking/archive/2007/05/10/oops-our-ad-integrated-dns-zone-s-are-missing-in-windows-2003.aspx

    Directory Partitions:
    http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp

    kbAlertz- (867464) – Explains how to use ADSI Edit to resolve app partitions issues:
    http://www.kbalertz.com/kb_867464.aspx

    Event ID 4515 is logged in the DNS Server log in Windows Server 2003
    http://support.microsoft.com/kb/867464

    *

    Summary

    It seems like a lot of steps, but it really isn’t. Just read it over a few times to get familiar with the procedure. You may even want to change it into a numbered step by step list if you like. If you only have one DC, and one Site, then it’s much easier since you don’t have to mess with secondary zones or play with the site objects.

    I hope that helps!

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services
    Complete List of Technical Blogs and Videos: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This blog is provided AS-IS with no warranties or guarantees and confers no rights.

    Suggestions, Comments and Corrections are Welcomed!

    Exchange 2007 & Exchange 2010 UC/SAN Certificate



    Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
      Microsoft Certified Trainer
      Microsoft MVP: Directory Services
      Active Directory, Exchange and Windows Infrastructure Engineer

    Original Creation Date: May, 2009, Posted Aug, 2009 – Edited on various dates, latest edit on 11/2/09.

    Edits:
    9/6/2009   – For syntax, and added SBS2008 SSL information on 9/6/2009 (as noted below with timestamp).
    9/19/2009  – Added additional SBS SSL certificate link (as noted below by timestamp).
    9/24/2009  – Added additional link (as noted below by timestamp).
    9/30/2009  – Added an Exchange certificate how-to step by step (as noted below by timestamp).
    10/14/2009 – Added info about adding a UC/SAN cert in Windows, added info about Exchange 2010, changed title to reflect Exchange 2010

     

    Preface

    This topic goes into understanding the differences between the certificate requirements in Exchange 2007 and what you’re used to with previous Exchange versions.

    Getting a certificate for Exchange 2007 is a little different than Exchange 2003 or a simple website. Exchange 2007 requires a UC/SAN (Unified Communications – Subject Alternative Name) certificate. This type of cert supports multiple names, which Exchange 2007 requires, especially to support the Outlook 2007 Autodiscover record.

     

    Exchange 2010

    If you’re asking about Exchange 2010, the process was changed so all of this is GUI based. You can actually use the steps outlined in this blog since the commands are the same, or just use the GUI. There’s more on Exchange 2010 at DigiCert in their step by step with screenshots. They even created a video how-to:

    How to generate a CSR for Microsoft Exchange 2010
    http://www.digicert.com/csr-creation-microsoft-exchange-2010.htm

     

    Exchange 2007 Single Name certificate (not using a UC/SAN certificate)

    For SBS 2003 and SBS 2008 installations that decide to use a single name cert (just to get this out of the way before I get to the good stuff below)

    Yes, this can be done, but it will not work for the autodiscover feature. If the internal domain name is the same as the external, it will work fine internally. That is kind of an exception to the rule. I just did this for one client, and everything’s working fine, OWA, Outlook and Windows Mobile devices. Just follow the rules to create the cert, but only put one name in it.

    So it is possible to use a single-name SSL certificate, as was used in Exchange 2003 and basic web sites. However, I’ve found that the UC/SAN cert accommodates Outlook 2007’s Outlook Anywhere and auto-connect features. You can read about using a single-name, standard SSL certificate with SBS 2008 in the following links. Just keep in mind that with SBS, you must use the wizards to set this up. If you have SBS, read the following; if not, please move on to the info below.

    SeanDaniel.com – Small Business Server and Other Technology: Installing a GoDaddy Standard SSL Certificate on SBS 2008:
    http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html

    (Edit: The following link was added 9/19/09 12:19AM EST)
    Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008
    http://blogs.technet.com/sbs/archive/2008/10/03/receiving-certificate-errors-when-connecting-to-clients-servers-with-ts-gateway-or-remote-web-workplace-on-sbs-2008.aspx

    Edit: Added 9/30/09
    Error messages when you try to synchronize a Windows Mobile 5.0-based mobile device to Exchange Server 2003 on a Windows SBS 2003-based computer
    http://support.microsoft.com/kb/937635/en-us

    SBS 2008 – Introducing the Internet Address Management Wizard: Part 1 of 3
    http://blogs.technet.com/sbs/archive/2008/10/17/introducing-the-internet-address-management-wizard-part-1-of-3.aspx

    SBS 2008 – Introducing the Internet Address Management Wizard: Part 2 of 3
    http://blogs.technet.com/sbs/archive/2008/10/17/introducing-the-internet-address-management-wizard-part-2-of-3.aspx

    SBS 2008 – Introducing the Internet Address Management Wizard: Part 3 of 3 (has info about certs and autodiscover)
    http://blogs.technet.com/sbs/archive/2008/10/17/introducing-the-internet-address-management-wizard-part-3-of-3.aspx

     

    Windows Mobile Clients using ActiveSync

    Before going further, if you are not sure if your Exchange 2007 installation is set up properly for outside clients, whether they are Outlook 2003, Outlook 2007, or mobile handhelds using ActiveSync, please visit the following Microsoft Exchange Connectivity Test site. It will provide a report on where things fail if there are any issues:

    Microsoft Exchange Server Remote Connectivity Analyzer
    https://www.testexchangeconnectivity.com

     

    ActiveSync & iPhones

    Edit: Added 11/2/09

    How To Set Up iPhone Exchange ActiveSync
    http://blog.fosketts.net/2008/07/10/how-to-set-up-iphone-exchange-activesync

    If having difficulties, use the Exchange Server ActiveSync Web Administration Tool:
    Microsoft Exchange Server ActiveSync Web Administration Tool
    http://www.microsoft.com/downloads/details.aspx?FamilyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&DisplayLang=en

    iPhone 3G won’t Sync with Exchange in Windows Small Business Server General:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?&query=iPhone+3G+Sync+&lang=en&cr=&guid=&sloc=en-us&dg=microsoft.public.windows.server.sbs&p=1&tid=f66d2c49-2cae-426b-9c64-2e3a2c0bd267

     

    The little known and dreaded UCC/SAN Certificate

    The advantage and feature of a UC/SAN cert is that it allows you to put multiple names in the certificate. Note, this is not a wildcard certificate that will allow you to use any or an infinite number of names. Exchange 2007 does not work with such a certificate. It will, as mentioned, work with a single-name certificate, if so desired to save money on the certificate price, but I’ve found it beneficial to use a UC/SAN certificate for the multiple names that an Exchange server will use for clients.

    The four main names I recommend adding to the cert when creating the request file are:

    mail.company.com (the external FQDN name used to access OWA)
    autodiscover.company.com (used for Outlook 2007 Outlook Anywhere’s autoconnect feature)
    internalname.internaldomain.com (what Outlook Anywhere and DSProxy use over RPC/HTTPS to connect to Exchange)
    internalname (the NetBIOS name of the Exchange 2007 server)

    The internalname.internaldomain.com is what Outlook Anywhere and DSProxy use over RPC/HTTPS to connect to Exchange 2007.

    The autodiscover.company.com is used by Outlook 2007’s Outlook Anywhere autoconfiguration feature.

    If you go to the following site, they offer complete instructions on how the request works along with a web-based tool to configure and create a certificate request command to be used in the Exchange Management Shell in Exchange 2007. I’ve found this feature very convenient.

    DigiCert’s Exchange 2007 CSR Tool
    https://www.digicert.com/easy-csr/exchange2007.htm

    Once it creates the command for you, you can use it to create the request on your Exchange 2007 server, then submit the request file to the certificate authority. You can find a full step-by-step at the following link to a blog created by Simon Butler, aka Sembee, a Microsoft Exchange MVP. I highly recommend reading his article, in the following link.

    Exchange 2007 and SSL Certificates – Take 2, by Simon Butler, aka Sembee, a Microsoft Exchange MVP. This is a complete step-by-step. Sembee provides instructions on how to use DigiCert’s wizard to build the request command with the names that you’ve chosen and pre-created in DNS; you copy and paste that command from DigiCert’s wizard into the Exchange Management Shell to generate the request file. When you receive the response back from DigiCert (the cert itself), save it as a text file, then use the Import-ExchangeCertificate command to import it into Exchange. Complete step-by-step:
    http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

    You can also use a third party GUI for PowerShell if you are not familiar or comfortable with PowerShell.

    Welcome to PowerGUI.org – a free community for PowerGUI, a graphical user interface and script editor for Microsoft Windows PowerShell!
    http://www.powergui.org/index.jspa

    Note – I’ve been using DigiCert to purchase this type of certificate for my customers. However, keep in mind, I am not trying to push this company’s certificate on anyone. I’ve just found it easy to use, especially with the wizard and the step-by-steps at their site, as well as less expensive than other CAs (certificate authorities), which may have other stipulations and requirements when requesting a UC/SAN certificate. It also works very well with Windows Mobile 5 and 6 without problems. Please check the other companies, such as VeriSign, Thawte, InstantSSL, etc., to compare.

     

    How to add additional names to a SAN certificate in Windows

    Creating “Wildcard” Certificate Requests for IIS using the Windows Vista/Server 2008 Certificates MMC plugin
    http://blogs.msdn.com/andrekl/archive/2008/09/24/how-to-generate-a-csr-for-an-iis-website-using-the-windows-vista-server-2008-certificates-mmc-plugin.aspx

    UCC Certificates, IIS and GoDaddy.com
    http://blog.waldenl.com/2009/01/ucc-certificates-iis-and-godaddycom.html

     

    Things to consider choosing an internal AD DNS domain name if using Exchange 2007

    Please keep in mind that your name, company name, etc., whatever name you put on the cert (based on the domain name), must exactly match what a WHOIS on your domain name returns from the registrar where you registered your public domain name. If the names of your company and Administrative Contact, or any other contact information, are not the same, they will not issue the certificate. This is a strict requirement by the certificate authorities. You can call them if you need more specific info about this.

    Be careful that the internal name is not a publicly registered name that may be registered to someone else. This means whatever name you’ve chosen for your internal AD DNS name, be aware of the TLD you’ve chosen. You do not want to choose one that is already in use by another entity. The reason is it will cause undue confusion, and will create problems if you get an Exchange 2007 UC/SAN certificate and add a name from the internal namespace to the certificate.

    If you choose a TLD for the internal AD domain name, make sure it just doesn’t happen to belong to someone else. This, of course, may have been unintentional. A good example is if you’ve chosen your internal AD DNS name to be ksi.net (because the three letters are an abbreviation of your company name), and when you attempt to use that name in a UC/SAN request, the CA responds that they can’t match your name to ksi.net. You come to find that ksi.net is an actual public name that was registered by someone in Korea. So now you can’t use that name for the internal AD domain name and can’t use names such as exchangename.ksi.net. Therefore you are faced with an internal AD domain rename task.

    The point is, make sure your internal AD name is not registered by an actual entity other than you, or the CA will not approve it. In one sentence: please make sure never to use an internal domain with a suffix that is an existing TLD (top-level domain name such as com, net, edu, etc.), unless you will register it as your own. One good example is if your external name is domain.com, register domain.net as well, and use that for the internal AD domain name. Whatever TLD you choose, make sure it does not exist as a current public name.

    Technically speaking, you can also use the same name for the internal domain and the external domain. However, this method is not recommended. You may encounter the issues below, and may end up having to perform a domain rename in the future. Not something that one desires to do.

     

    Internal Domain Name naming guidelines summarized

    1. If you name the internal domain the same as your Internet public domain name, at some point an internal domain client will get the domain’s external IP (resolved from the public domain name). In scenarios where you have also published an Exchange Server to receive external mail, the issue will be much more complicated. A sample issue:

    Same Internal and External Domain Name
    http://techrepublic.com.com/5208-11190-0.html?forumID=40&threadID=181117

    2. Worse, if your internal AD DNS domain name is registered by others, the certificate request will never get approved by the CA.

     

    Guidelines for the Autodiscover record

    External DNS:
    In your public zone, create an ‘autodiscover’ record under the public domain name.

    Internal DNS:
    To alleviate errors with Outlook Anywhere, you can create a DNS Service Location (SRV) record to locate the Exchange Autodiscover service. Errors will generally happen when the autodiscover SRV record for the domain is missing. If internal Outlook users receive the error, check whether the _autodiscover SRV record exists in the domain zone.

    The record looks like:

    _autodiscover._tcp.domain.local

     

    TLDs (Top Level Domain Names) – Be careful what you choose for your internal AD DNS domain name

    Generic top-level domains that you should be aware of when choosing an internal name. Just to be clear, if you choose any one of these as a TLD, I suggest purchasing the name at the registrar to avoid certificate issues.

    .biz .com .info .name  .net  .org  .pro  .aero  .asia  .cat  .coop .edu 
    .gov .int  .jobs  .mil .mobi  .museum   .tel  .travel

    Country-Code Top-Level Domains that you want to be careful choosing, especially if someone else owns it on the internet. You’ll never get the cert approved if it is owned by someone else, despite the argument that “it’s my internal domain name…”

    .ac  .ad  .ae  .af  .ag  .ai  .al  .am  .an  .ao  .aq  .ar  .as  .at  .au 
    .aw  .ax  .az  .ba  .bb  .bd  .be  .bf  .bg  .bh  .bi  .bj  .bm  .bn  .bo 
    .br  .bs  .bt  .bw  .by  .bz  .ca  .cc  .cd  .cf  .cg  .ch  .ci  .ck  .cl 
    .cm  .cn  .co  .cr  .cu  .cv  .cx  .cy  .cz  .de  .dj  .dk  .dm  .do  .dz 
    .ec  .ee  .eg  .er  .es  .et  .eu  .fi  .fj  .fk  .fm  .fo  .fr  .ga  .gd 
    .ge  .gf  .gg  .gh  .gi  .gl  .gm  .gn  .gp  .gq  .gr  .gs  .gt  .gu  .gw 
    .gy  .hk  .hm  .hn  .hr  .ht  .hu  .id  .ie  .il  .im  .in  .io  .iq  .ir 
    .is  .it  .je  .jm  .jo  .jp  .ke  .kg  .kh  .ki  .km  .kn  .kp  .kr  .kw 
    .ky  .kz  .la  .lb  .lc  .li  .lk  .lr  .ls  .lt  .lu  .lv  .ly  .ma  .mc 
    .me  .md  .mg  .mh  .mk  .ml  .mm  .mn  .mo  .mp  .mq  .mr  .ms  .mt  .mu 
    .mv  .mw  .mx  .my  .mz  .na  .nc  .ne  .nf  .ng  .ni  .nl  .no  .np  .nr 
    .nu  .nz  .om  .pa  .pe  .pf  .pg  .ph  .pk  .pl  .pn  .pr  .ps  .pt  .pw 
    .py  .qa  .re  .ro  .rs  .ru  .rw  .sa  .sb  .sc  .sd  .se  .sg  .sh  .si 
    .sk  .sl  .sm  .sn  .sr  .st  .sv  .sy  .sz  .tc  .td  .tf  .tg  .th  .tj 
    .tk  .tl  .tm  .tn  .to  .tr  .tt  .tv  .tw  .tz  .ua  .ug  .uk  .us  .uy 
    .uz  .va  .vc  .ve  .vg  .vi  .vn  .vu  .wf  .ws  .ye  .za  .zm  .zw
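    The naming advice above (internal AD suffix not owned by someone else on the Internet, internal and external names kept different, an autodiscover record in the public zone and an _autodiscover._tcp SRV record internally) can be checked before you spend money on a certificate. The following is an added example, not part of the original post, that does those checks with Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and newer). The domain names and the public resolver address are constructed placeholders; substitute your own.

```powershell
# Added example, not from the original post. Assumes Resolve-DnsName is available.
# All names here are constructed placeholders.
$PublicDomain   = 'company.com'          # public name that goes on the certificate
$InternalDomain = 'internaldomain.com'   # internal AD DNS domain name
$PublicResolver = '8.8.8.8'              # any public resolver, to see the Internet's view

function Test-InternalSuffixDelegation {
    # A CA will not approve SAN entries under a suffix that is delegated on the Internet
    # to someone else. NS records at a public resolver reveal such a delegation.
    param([string]$Suffix)
    try {
        $ns = Resolve-DnsName -Name $Suffix -Type NS -Server $PublicResolver -ErrorAction Stop |
              Where-Object { $_.Type -eq 'NS' }
    } catch { $ns = $null }   # NXDOMAIN or no answer: not publicly delegated
    [pscustomobject]@{
        Suffix            = $Suffix
        PubliclyDelegated = [bool]$ns
        NameServers       = (@($ns | ForEach-Object { $_.NameHost }) -join ', ')
    }
}

function Test-AutodiscoverRecords {
    # External: autodiscover.<public domain> must exist in the public zone (A or CNAME).
    # Internal: _autodiscover._tcp.<internal domain> SRV, resolved via the client's own DNS.
    param([string]$Public, [string]$Internal)
    try {
        $ext = Resolve-DnsName -Name "autodiscover.$Public" -Type A -Server $PublicResolver -ErrorAction Stop |
               Where-Object { $_.Type -in 'A', 'CNAME' }
    } catch { $ext = $null }
    try {
        $srv = Resolve-DnsName -Name "_autodiscover._tcp.$Internal" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch { $srv = $null }
    $extText = if ($ext) {
        (@($ext | ForEach-Object { if ($_.Type -eq 'A') { $_.IPAddress } else { $_.NameHost } }) -join ', ')
    } else { 'MISSING' }
    $srvText = if ($srv) { "$($srv[0].NameTarget):$($srv[0].Port)" } else { 'MISSING' }
    [pscustomobject]@{
        ExternalAutodiscover = $extText
        InternalSrvTarget    = $srvText
    }
}

# Guideline #1 above: same internal and external name means internal clients will
# eventually resolve the bare domain name to its public address.
if ($InternalDomain -eq $PublicDomain) {
    Write-Warning "Internal AD domain equals the public domain ($PublicDomain)."
}
Test-InternalSuffixDelegation -Suffix $InternalDomain | Format-List
Test-AutodiscoverRecords -Public $PublicDomain -Internal $InternalDomain | Format-List
```

    PubliclyDelegated = True for an internal suffix you did not register yourself is the ksi.net situation described above; a WHOIS at the registrar then tells you who holds it.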

     

    Related Links and how-to articles

    A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service
    http://support.microsoft.com/kb/940881/en-us

    Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007
    http://support.microsoft.com/kb/929395

    Certificates for Exchange (This is a CA site that I haven’t used, but thought to provide it)
    http://www.certificatesforexchange.com

    Unified Messaging Requires the Server Name in the SSL Certificate
    http://blog.sembee.co.uk/archive/2008/06/02/79.aspx

    Exchange 2007 with a Single Name SSL Certificate
    http://blog.sembee.co.uk/archive/2008/06/09/80.aspx

    More on SSL Certificates with Exchange 2007 – (supported uses)
    http://blog.sembee.co.uk/archive/2008/10/16/87.aspx

    Warning message when you start Outlook 2007 and then connect to a mailbox that is hosted on an Exchange 2007-based server: “The name of the security certificate is invalid or does not match the name of the site”
    http://support.microsoft.com/kb/940726/en-us

    Outlook 2007 and Exchange 2007 Certificate issue
    http://support.microsoft.com/kb/555842/en-us

    Exchange 2007 Autodiscover and Certificates:
    http://www.exchangeninjas.com/cascertificateconfig?page-version=1&date=20070509153511

    Error messages when you try to synchronize a Windows Mobile 5.0-based mobile device to Exchange Server 2003 on a Windows SBS 2003-based computer
    http://support.microsoft.com/kb/937635/en-us

    How to Configure SSL Certificates to Use Multiple Client Access Server Host Names
    http://technet.microsoft.com/en-us/library/aa995942.aspx

    More on Exchange 2007 and certificates – with real world scenario
    http://msexchangeteam.com/archive/2007/07/02/445698.aspx

    Certificate error with Outlook 2007 clients to Exchange 2007 server
    http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_22428066.html

    Exchange: Test-OutlookWebServices
    http://technet.microsoft.com/en-us/library/bb124509.aspx

     

    Default Self-Signed certificate use and generation

    Exchange 2007 certificate request and issue steps
    http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part4.html

    Exchange 2007 Autodiscover and certificates
    http://msexchangeteam.com/archive/2007/04/30/438249.aspx

    Exchange 2007 certificate generation command: New-ExchangeCertificate
    http://technet.microsoft.com/en-gb/library/aa998327.aspx

     

    Exchange 2007 Certificates How-To and Example

    This little tutorial is based on using DigiCert’s wizard to help you request a cert. Not all CAs have such a wizard, but you can actually use DigiCert’s wizard to generate a request file that will be valid for use at any other CA.

    First, go to DigiCert’s site to generate a request file and command. Digicert’s wizard will help at the following link:

    DigiCert Exchange 2007 Certificate Request Wizard
    https://www.digicert.com/easy-csr/exchange2007.htm

    The following is an example that DigiCert’s wizard will create for you:

    New-ExchangeCertificate -GenerateRequest -Path c:\mail_yourDomainName_com.csr -KeySize 2048 -SubjectName "c=US, s=DE, l=City, o=Company Name Inc, ou=Information Technology, cn=mail.yourDomainName.com" -DomainName mail.yourDomainName.com, autodiscover.yourDomainName.com, mail-mx-01.yourDomainName.local, mail-mx-01 -PrivateKeyExportable $True

    Then once the command is run, it creates the certificate request c:\mail_yourDomainName_com.csr. Open this file with Notepad.

    Copy and paste everything in the file, and paste it in the correct location following DigiCert’s instructions when filling out the forms.

    Once submitted, along with credit card info, etc, DigiCert will validate the company name that is requesting the certificate is actually the company name that the public domain name is registered to. They use a WHOIS search to check.

    You can use any one of the registrars’ WHOIS search feature to run it yourself. Run a WHOIS on your public name to insure that the name returned in the results matches the name of your company, including contact information.

    If your domain info is completely hidden, you may have to unhide it for them to validate it. If most of it is hidden, including all email address contacts, except the company name, they will at least use the company name as part of the validation. However to complete the validation, they will send an email to one of the following: admin@yourdomain.com, administrator@yourdomain.com, webmaster@yourdomain.com or postmaster@yourdomain.com. When you receive the email, simply agree to the terms, sign your name that you used in the request form, click submit. In about 10 minutes you will receive the actual certificate by email in a zip file.

    Once you’ve received the cert, open the zip file, and copy the .cer file to the C: drive. Then run the import command:

    Import-ExchangeCertificate -Path c:\mail_trainwithksi_com.cer

    Thumbprint:
    [PS] C:\Windows\System32>Import-exchangecertificate -path c:\mail_yourDomainName_com.cer

    Thumbprint                                Services   Subject
    ———-                                ——–   ——-
    EF9CC2BD6546716ADA4AC744F8C30B65EC9C2D98  …..      CN=mail.yourDomainName.co…

    Now you can enable the cert for other uses, such as IMAP, POP, UM, IIS, and SMTP. To enable it for OWA, the IIS option takes care of that.

    To run the command that enables it for other services, you need the certificate thumbprint. To retrieve the thumbprint:
    Get-Exchangecertificate

    You can combine the services into one command, once you have the correct thumbprint, with the following command:

    [PS] C:\Windows\System32>Enable-exchangecertificate -services IIS, SMTP, IMAP, POP -thumbprint EF9CC2BD6546716ADA4AC744F8C30B6D4C9C2D98

    Confirm
    Overwrite existing default SMTP certificate,
    ‘580C47D434EB3AEC0C6330037D1E77701313F654’ (expires 3/15/2010 1:17:43 AM), with
     certificate ‘EF9CC2BD6546716ADA4AC744F8C30B6D4C9C2D98’ (expires 10/4/2010
    7:59:59 PM)?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
    (default is “Y”):
    [PS] C:\Windows\System32>

    Once that is run, you can confirm that the certificate is being used for the services you requested by the following command:

    [PS] C:\Windows\System32>Get-Exchangecertificate

    Thumbprint                                Services   Subject
    ———-                                ——–   ——-
    EF9CC2BD6546716ADA4AC744F8C30B6D4C9C2D98  IP.WS      CN=mail.yoruDomain.c…
    580C47D434EB3AEC0C6330037D1E77701313F654  ….S      CN=mail-mx-01
    0459E4ADFFB68289325650740C009DB772D4E5FE  ….S      CN=mail-mx-01
    B91E0E815163FF9E677E771225005CC2273FF886  …..      CN=WMSvc-mail-mx-01

    Or you can simply connect to OWA externally using the FQDN. If it doesn’t prompt to trust the certificate, it worked.
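    Before enabling the certificate for services, it is worth confirming that the .cer the CA sent back actually carries the four names recommended earlier (mail, autodiscover, the internal FQDN and the NetBIOS name), since the how-to above only shows the truncated subject in the Import-ExchangeCertificate output. The following is an added example, not from the original post, that reads the Subject CN and the Subject Alternative Name extension with the .NET X509Certificate2 class and reports which required names are missing. The file path, thumbprint placeholder and names are constructed; replace them with yours.

```powershell
# Added example, not from the original post. Uses only the .NET X509Certificate2 class.
# The names and file path are constructed placeholders.
$RequiredNames = @(
    'mail.yourDomainName.com',
    'autodiscover.yourDomainName.com',
    'mail-mx-01.yourDomainName.local',
    'mail-mx-01'
)

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = New-Object System.Collections.Generic.List[string]
    # Subject CN: older clients that ignore the SAN still match on it
    $cn = $Certificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names.Add($cn) }
    # Subject Alternative Name extension (OID 2.5.29.17). Format($true) prints one entry
    # per line; on English Windows DNS entries read "DNS Name=host" (localized elsewhere).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $names.Add($matches[1].Trim()) }
        }
    }
    return @($names | Select-Object -Unique)
}

function Test-CertificateCoversNames {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$Names
    )
    $present = Get-CertificateDnsNames -Certificate $Certificate
    foreach ($n in $Names) {
        [pscustomobject]@{
            Name    = $n
            Covered = ($present -contains $n)   # -contains is case-insensitive
        }
    }
}

# From the file the CA returned ...
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            'C:\mail_yourDomainName_com.cer'
# ... or from the installed certificate, using the thumbprint Get-ExchangeCertificate shows:
# $cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'

Test-CertificateCoversNames -Certificate $cert -Names $RequiredNames | Format-Table -AutoSize
```

    Any row with Covered = False means a client using that name will get the “name of the security certificate is invalid” warning referenced in the links above. One caveat for anyone reading this today: public CAs stopped issuing certificates containing internal names and bare NetBIOS names in 2015 (CA/Browser Forum Baseline Requirements), so the internal entries in this list now have to come from an internal CA or the internal URLs are pointed at the public name.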

    Ace Fekay
    ==================================================================

    DHCP, Dynamic DNS Updates , Scavenging, static entries & time stamps, the DnsUpdateProxy Group, and DHCP Name Protection


    Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
      Microsoft Certified Trainer
      Microsoft MVP: Directory Services
      Active Directory, Exchange and Windows Infrastructure Engineer

    Compiled 4/2006, recompiled 7/2009, & 1/4/2010
    11/30/2011 – added DHCP credentials and DHCP/DNS tab properties screenshots.
    3/10/2012 – Added enabling DNS scavenging screenshots.
    8/22/2012 – Verified with a Microsoft engineer, we need to use the DnsUpdateProxy group and configure credentials to work, not one or the other. My blog has been corrected to reflect this. Also fixed missing screenshots
    8/3/2012 – Additional info about DHCP Name Protection and that it requires Credentials, DnsUpdateProxy, but more so to secure the DnsUpdateProxy group

     

     Topics Covered:

    1. Preface: Keep in Mind, the entity that registers the record into DNS, owns the record
    2. Scavenging Defined
    3. DNS Timestamp and Scavenging (and info on the dnsTombstoned Attribute)
    4. Scavenging Refresh and No Refresh Settings Must be less than the DHCP Lease Period
    5. DHCP Conflict Detection
    6. DHCP Lease has a “pen” or “pencil” Icon
    7. Records & timestamps, and the lack of timestamps
    8. Related Links

       

      Preface:

      Dynamic DNS Update Basics:

      1. By default, Windows 2000 and newer statically configured machines will register their A record (hostname) and PTR (reverse entry) into DNS.
      2. If set to DHCP, a Windows 2000 or newer machine will request DHCP to allow the machine itself to register its own A record, but DHCP will register its PTR (reverse entry) record.
      3. The entity that registers the record in DNS, owns the record.

      .

      Reference:

      How to configure DNS dynamic updates in Windows Server 2003.
      http://support.microsoft.com/kb/816592

      Using DNS servers with DHCP (Contains information on the DnsUpdateProxy group and its usage)
      http://technet.microsoft.com/en-us/library/cc787034(WS.10).aspx

      .

      Caveat with the DHCP service out-of-the-box configuration

      The goal is to keep DNS clean without duplicate records.

      When a client shuts down, and later returns past the lease time, it may get a different IP address. With the default settings, a duplicate A record then gets registered by DHCP with the client’s new IP. This is because the client will not update the existing record, since the current record in DNS is beyond the lease period. This happens even though DHCP registered the record: DHCP doesn’t own the record, the client does, even though DHCP registered it.

      DHCP Option 081:

      The way to get around this is you can configure DHCP’s Option 081 to update the record for all client, no matter if the client asks or not. To configure DHCP Option 081, you must look at the DHCP server properties, under the DNS Tab in DHCP properties. Despite it being a DHCP Option, it’s not found in a DHCP server, scope or class option.

      .

Overview to make this work:

• DHCP must own the record, not the client. This is done by configuring DHCP to register all DHCP clients, whether the client supports dynamic updates or not.
  • As long as DHCP owns the record, DHCP can keep the records in the forward (FLZ) and reverse (RLZ) lookup zones up to date when the client renews its lease, with the same IP or a different one.
  • Otherwise you will see duplicate A and PTR records in DNS, whether scavenging is enabled or not.
• Configure DHCP credentials by creating a plain-Jane Domain User account. It does not have to be an administrator account.
• Add the DHCP server's computer object in Active Directory to the DnsUpdateProxy group.
• In addition, I suggest enabling DNS scavenging to remove stale records, which keeps the zone clean.

How do we configure DHCP for this to work?

Summary: configure credentials and add the DHCP server to the DnsUpdateProxy group.

Windows 2008 R2 or newer:

Windows 2008 R2 adds a feature to prevent name squatting, DHCP Name Protection, but you still need to configure credentials and add the server to the DnsUpdateProxy group.

1. Add the DHCP server to the Active Directory built-in DnsUpdateProxy security group.
2. Configure DHCP credentials.
3. Configure Name Protection.
4. If DHCP is co-located on a Windows 2008 R2 DC, you must secure the DnsUpdateProxy group by running the following:
   dnscmd /config /OpenAclOnProxyUpdates 0

Note: Configuring DHCP credentials AND using the DnsUpdateProxy group, and forcing DHCP to update all records, also allows DHCP to register Win9x machines as well as non-Windows machines (Linux, OS X and other Unix flavors, which use BIND-based resolvers), and to update their records when they are renewed with a different IP.

See the Name Protection section further down for more specifics and references.

      For Windows 2008 and older:

      To force DHCP to own and control all records it updates into the DNS zone, there are two parts of the procedure:

      1. Add the DHCP server to the Active Directory, Built-In DnsUpdateProxy security group.
      2. Configure DHCP Credentials. 


      Step by Step procedure:

Step 1: Add the DHCP server's computer account to the DnsUpdateProxy group

In ADUC, add the DHCP server's computer object to the DnsUpdateProxy security group:

• In ADUC, click the Built-In container.
• Scroll down to the DnsUpdateProxy group.
• Right-click the DnsUpdateProxy group and choose Properties.
• Click Add, and make sure the search criteria are set to look for computer objects.
• Either type in the DHCP server's name and click Check Names, or click Advanced, then Find Now, and scroll down to the DHCP server's name.
• Once you see the DHCP server's computer object, highlight it.
• Click OK.

      Step 2: Force DHCP to register all records, Forward and PTR, whether a client machine can do it or not:

      See screenshots below to configure the Option 081 settings under DHCP properties, DNS tab

Step 3: Configure other DHCP options as needed

Suggested basic DHCP options:

• Set the connection-specific suffix, DHCP Option 015, to the AD domain name (such as example.com).
• Set Option 006 to only the internal DNS servers.
• Set Option 003 to your router.

Step 4: Configure the zone for Secure Updates Only

DHCP will then use the credentials and the DnsUpdateProxy group membership to register records into the zone.

Step 5: Configure DHCP credentials. Note: you can do this on 2008 R2 and newer, if you chose not to use .

• In AD, create and configure a dedicated Domain User account to use as credentials in DHCP.
• The user account does not need any elevated rights; a normal user account is fine.
• Choose a very strong password.
• Set the password so it does not expire.

      Then configure DHCP with the credentials you created:

      For Windows 2003:

      • Open the DHCP Console:
      • Right-click the DHCP servername
      • Choose Properties.
      • Click the Credentials button
      • Provide the account’s credentials

      In Windows 2008 and 2008 R2:  

      • Select IP Scope
      • Choose Properties
      • Select the Advanced tab
      • Click the Credentials button
      • Provide the account’s credentials.

For Windows 2000:

• It must be done with the Netsh command. Windows 2003 and newer can also be configured with Netsh, if you prefer.
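The whole procedure above (Steps 1 through 5 plus the Option 081 settings and the DC co-location fix), done from PowerShell instead of the consoles. This is an added example and not code from the original post; it assumes the ActiveDirectory, DhcpServer and DnsServer modules (Windows Server 2012 or newer, or RSAT), and the server name DHCP01, DNS server DC01, account svc-dhcp-dns, domain contoso.com and the IP addresses are placeholders to replace. The dnscmd line is the one the post gives; the netsh line in the comment is the Windows 2000/2003 method the post refers to.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory, DhcpServer
# and DnsServer modules (Windows Server 2012 or newer / RSAT). All names are placeholders.
Import-Module ActiveDirectory, DhcpServer, DnsServer

$DhcpServer  = 'DHCP01'          # placeholder: DHCP server
$DnsServer   = 'DC01'            # placeholder: DNS server hosting the AD-integrated zone
$AccountName = 'svc-dhcp-dns'    # placeholder: plain domain user used as DHCP credentials
$DomainDns   = 'contoso.com'     # placeholder: AD domain / zone name
$DhcpOnDC    = $false            # set $true when DHCP runs on a domain controller

# Step 1: DHCP server's computer account into the built-in DnsUpdateProxy group.
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer -Identity $DhcpServer)

# Step 5: dedicated, unprivileged domain user; strong password that never expires.
# Read-Host keeps the password out of the script file and the command history.
$Password = Read-Host -Prompt "Password for $AccountName" -AsSecureString
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'DHCP dynamic DNS update credentials (no elevated rights)'

# Hand the credentials to the DHCP service (console: Properties > Advanced > Credentials).
# Windows 2000/2003 equivalent with netsh (the method the post mentions):
#   netsh dhcp server set dnscredentials svc-dhcp-dns contoso.com <password>
$Cred = New-Object System.Management.Automation.PSCredential ("$DomainDns\$AccountName", $Password)
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $Cred

# Step 2: the DNS tab (Option 081): always update A and PTR, discard them when the lease
# expires, and register on behalf of clients that cannot (Win9x, non-Windows).
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true

# Windows 2008 R2 and newer: Name Protection at the IPv4 (server) level applies to all scopes.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -NameProtection $true

# Step 3: options 006 (internal DNS only) and 015 (suffix) server-wide; 003 per scope.
# -Force skips the cmdlet's reachability validation of the DNS server addresses.
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -DnsServer 10.0.0.10, 10.0.0.11 `
    -DnsDomain $DomainDns -Force
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId 10.0.1.0 -Router 10.0.1.1

# Step 4: the zone accepts secure dynamic updates only.
Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $DomainDns -DynamicUpdate Secure

# DHCP co-located on a DC: secure the proxy group's records (command from the post).
# Run it on the DNS server, as dnscmd acts on the local DNS service.
if ($DhcpOnDC) { dnscmd /config /OpenAclOnProxyUpdates 0 }

# Verify what was set.
Get-ADGroupMember -Identity 'DnsUpdateProxy' | Select-Object Name, objectClass
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
Get-DhcpServerv4DnsSetting  -ComputerName $DhcpServer
```

The two Set-DhcpServerv4DnsSetting calls are the PowerShell side of the DNS tab the post calls Option 081; running them without -ScopeId sets the server-wide defaults that every scope inherits unless overridden.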

Note and warning about using the DnsUpdateProxy group on a DC

• We normally shy away from adding a DC to the DnsUpdateProxy group, because it weakens security, including the security of the DC's own records, when DHCP is on a DC. However, in many cases there is not much of a choice.
• Windows 2008 R2 and newer give you the option to use the DHCP Name Protection feature, but as stated above, you still need to configure credentials and add the server to the DnsUpdateProxy group.
• When DHCP is running on a Windows 2008 R2 domain controller, you must secure the DnsUpdateProxy group by running the following:
  dnscmd /config /OpenAclOnProxyUpdates 0

Note on older, pre-existing records in DNS:

After configuring the above procedure, the credentials and DnsUpdateProxy group configuration will not update current records or delete duplicate records. You must delete them manually so that DHCP can take care of all new records moving forward.

This also alleviates another issue: if DHCP is on a DC, it will not overwrite the original host record of a machine when another machine gets a new lease with an IP that previously belonged to that host.

If there is a problem with PTRs getting updated even after configuring credentials, please see this article:

DHCP server processes expired PTR resource records in Windows Server 2003
http://support.microsoft.com/kb/837061

Step by step screenshots:

(Screenshots for Windows 2003 and for Windows 2008 & Windows 2008 R2 are not reproduced in this copy.)

DHCP Name Protection

If you have Windows 2008 R2, in addition to configuring the DNS tab to force registration, you still must configure credentials and add the server to the DnsUpdateProxy group. If DHCP is on a Windows 2008 R2 DC, to protect the DC when using the DnsUpdateProxy group, you must secure the group by running:

dnscmd /config /OpenAclOnProxyUpdates 0

With DHCP Name Protection enabled, DHCP registers the A and PTR records on behalf of a client and prevents name squatting by (non-Windows) workstations: a client that asks for a name DHCP has already registered for another client (Windows or non-Windows) will not get its name registered. DHCP will still give the duplicate-named client an IP, but it will not register it in DNS.

      Quoted from the following link:

      “Name squatting occurs when a non-Windows-based computer registers in Domain Name System (DNS) with a name that is already registered to a computer running a Windows® operating system. The use of Name Protection in the Windows Server® 2008 R2 operating system prevents name squatting by non-Windows-based computers. Name squatting does not present a problem on a homogeneous Windows network where Active Directory® Domain Services (AD DS) can be used to reserve a name for a single user or computer.”

DHCP Step-by-Step Guide: Demonstrate DHCP Name Protection
http://technet.microsoft.com/en-us/library/ee404786(v=ws.10).aspx

Configuring DHCP Name Protection
http://technet.microsoft.com/en-us/library/dd759188.aspx

      DHCP: The DNSupdateproxy group must be secured if Name Protection is enabled on any IPv4 scope
      http://technet.microsoft.com/en-us/library/ee941099(WS.10).aspx

      DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server
      http://technet.microsoft.com/en-us/library/ee941099(WS.10).aspx


      To configure Name Protection:

      • Right-click IPv4, choose Properties
      • Click on the DNS tab
      • Click “Configure”
      • Check the box, “Enable Name Protection”

You can optionally select it on IPv6 too. No harm done, whether you have IPv6 scopes or not.

You will notice that once you enable it:

• Except for the "Enable DNS dynamic updates according to the settings below" checkbox, everything else on the DNS tab is grayed out.
  • This is because the Name Protection feature takes over these functions and force-registers everything, so these settings are no longer used.
• If you have multiple IPv4 scopes, once it is set at the IPv4 level it applies to all IPv4 scopes.
  • If you do not want it to apply to all scopes, you can selectively disable the setting under each scope, or not enable it at the IPv4 level and selectively enable it on a per-scope basis.

(Screenshots not reproduced in this copy: where to enable Name Protection, and the DNS tab, which is actually Option 081, grayed out because Name Protection took over these functions.)

Scavenging Defined

Misconceptions about Scavenging

There are some misconceptions prompting fears that scavenging will remove everything in your zone, including servers. Please understand that the main thing scavenging works on is the timestamp. If there is no timestamp, as with a manually created static record, the record will not get scavenged. Also, if all servers, including DCs, are automatically updating their own records, there is no fear of losing their records, because, for one, their records (timestamps) are current, so scavenging will not touch them, and, two, Windows Servers by default update their records every 24 hours, with the exception of domain controllers, which do so every 60 minutes. Therefore, even if these records were scavenged, assuming the timestamp had ever been reached, the machines would refresh themselves anyway!

DNS update interval is based on operating system and Windows Server role:

By default, statically configured clients and remote access clients that do not rely on the DHCP server for DNS registration re-register their A and PTR records dynamically and periodically every 24 hours. This applies to Windows 2000 Professional and all newer operating systems.

For domain controllers, due to the importance of keeping SRV and other records up to date and accurate, the Netlogon service attempts to update these records every 60 minutes.

By default, on a computer running Windows XP/2003 or newer, the DefaultRegistrationRefreshInterval registry value controls this (Windows 2000 does not have this value, but it can be added), and it is set by default to 1 day. This is true regardless of whether the computer is a client or a server, except for domain controllers, which update every 60 minutes.

You can use the following registry value to modify the update interval:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
Data type: REG_DWORD
Range: 0x0 – 0xFFFFFFFF seconds
Default value: 0x15180 (86,400 seconds = 24 hours) for Windows 2000 Professional
Default value: 0xE10 (3,600 seconds = 1 hour) for Windows 2000 Server and Windows Advanced Server
Scope: Affects all adapters

This specifies the time interval between DNS update registrations.

The default Time To Live (TTL) value used for dynamic registrations is 20 minutes. You can use the following registry value to modify the TTL:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultRegistrationTTL

In Summary:

• Scavenging is a feature that removes expired records based on their timestamps.
• Scavenging is not enabled by default.
• Scavenging will NOT remove statically configured records (the ones you manually create) unless you run dnscmd /AgeAllRecords, which stamps them and makes them eligible for scavenging (more on this below). Without running this command, DNS only scavenges dynamically updated records that have reached their timestamp. To look at the timestamp of a record in Windows 2003 DNS, set the DNS console's View menu to Advanced, then look at the individual record's properties and you will see the timestamp. In Windows 2008 or newer, it shows up in the console as a separate column.

Scavenge Refresh and No Refresh vs DHCP Lease period

The scavenging Refresh and No Refresh settings must be equal to or less than the lease period. For example, the default DHCP lease period of 8 days with a 7-day scavenge setting is perfect. If you lower the lease, you need to lower the scavenge settings. If you are using a 4-hour lease, well, that is a tough one, because the lowest you can go with scavenging is 1 day, which may produce inconsistent results.

And please bear in mind, as already stated, that scavenging will not remove statically configured records (the ones you have manually created). It scavenges dynamically updated records that have reached their timestamp. However, if you run dnscmd /AgeAllRecords, it timestamps all records, making them eligible for scavenging. More on this in the next section, Static Records.

To set aging and scavenging properties for a DNS server using the DNS console:

1. In the DNS console, right-click the DNS server name and choose "Set Aging/Scavenging for All Zones".
2. Select the "Scavenge stale resource records" check box.
3. You can now either choose to set scavenging for all zones, or choose No and set each zone individually. I suggest setting it for all zones.
4. It is recommended to go with the defaults of 7 days. If you choose to change it, it should stay in line with DHCP's lease times. I have never found anything specific stating this, but keeping the scavenge setting at the lease minus one day ensures that a record is deleted one day before lease renewal, so it is removed if it is actually no longer in use by a client and has expired. If it is still in use, it goes through the scavenging refresh period and scavenge lifetime again until the next expiration time.
5. Once you have set scavenging, all records that have a timestamp are aged and, once stale, get scavenged. This does not include static records, because static records do not have a timestamp.
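The five console steps above done with the DnsServer PowerShell module, followed by a listing that shows the timestamp distinction the later sections rely on (static records carry no timestamp, dynamic ones show their last refresh). This is an added example, not code from the original post; it assumes a Windows Server 2012 or newer DNS server (the module does not exist on 2003/2008), and DC01 and contoso.com are placeholder names. Following the post's advice, only this one server is set to scavenge.

```powershell
# Added example (not from the original post). Requires the DnsServer module
# (Windows Server 2012 or newer). Server and zone names are placeholders.
Import-Module DnsServer

$DnsServer = 'DC01'                  # placeholder: the ONE server that will scavenge
$Zone      = 'contoso.com'           # placeholder: AD-integrated zone
$NoRefresh = New-TimeSpan -Days 7    # post's defaults; keep both <= the DHCP lease
$Refresh   = New-TimeSpan -Days 7
$Interval  = New-TimeSpan -Days 7    # how often this server runs a scavenging pass

# Steps 1-4: "Set Aging/Scavenging for All Zones" with the defaults, applied to the
# existing zones, and the server-level "Enable automatic scavenging of stale records".
Set-DnsServerScavenging -ComputerName $DnsServer `
    -ScavengingState $true -ScavengingInterval $Interval `
    -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh `
    -ApplyOnAllZones

# Per-zone aging, shown for one zone; -ScavengeServers pins the zone's scavenging to
# this server's address so no other DNS server hosting the zone will scavenge it.
$DnsServerIp = (Resolve-DnsName -Name $DnsServer -Type A).IPAddress | Select-Object -First 1
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone -Aging $true `
    -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh -ScavengeServers $DnsServerIp

# Verify the server and zone settings.
Get-DnsServerScavenging -ComputerName $DnsServer
Get-DnsServerZoneAging  -ComputerName $DnsServer -Name $Zone

# Step 5 in practice: which A records are aged (have a timestamp) and when each one
# becomes stale, i.e. eligible for the next scavenging pass. Static records show no
# Timestamp and are therefore never touched.
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Select-Object HostName, Timestamp,
        @{ n = 'Kind';       e = { if ($_.Timestamp) { 'dynamic' } else { 'static' } } },
        @{ n = 'StaleAfter'; e = { if ($_.Timestamp) { $_.Timestamp + $NoRefresh + $Refresh } } } |
    Sort-Object Timestamp |
    Format-Table -AutoSize
```

Run the listing again a day later: dynamic records of machines that are still on the network move their Timestamp forward (and so their StaleAfter date), while records of machines that have left keep the old timestamp and eventually pass it.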

       

Example of a dynamically created record:

(Screenshot not reproduced in this copy.)

Static Records:

Static records will not get scavenged, since they have a 0 timestamp. When viewing a static record, it shows as follows:

(Screenshot not reproduced in this copy.)

However, if you force aging on all records using dnscmd /AgeAllRecords, and the "Delete this record when it becomes stale" box was checked when the record was created, a timestamp is set on the static record, which makes it eligible for scavenging. Therefore any static records you have (hosts, CNAMEs, etc.) will get scavenged, and I advise taking an inventory of your static entries before you run this command. I would suggest not running it, and simply allowing scavenging to take its time and do its thing. Be PATIENT!!!!

You MUST BE PATIENT!!

Rough formula to go by: NoRefresh + Refresh × 2 + the point in time during the 3-day scavenge period at which the next scavenging run occurs.

Here is a chart showing when events occur with a 3-day NoRefresh, a 3-day Refresh and a 3-day scavenging period (graphic from "Don't Be Afraid of Scavenging. You must be patient"):

If you look at the chart, with scavenging settings of a 3-day NoRefresh and a 3-day Refresh, the record becomes eligible for scavenging the day after these two periods pass, so on the 7th day. Then it waits for the next scavenge cycle (I tend to call it the garbage collection point), which is somewhere within the next 72 hours (based on the 3-day scavenging period). So based on this chart, starting at 1/1/2008, the record becomes eligible on 1/7/2008 and is then deleted (scavenged), in this case on 1/10/2008 at 6 AM, during the next 72-hour scavenge cycle. The 72-hour scavenge cycle in this case comes from the 3-day scavenging setting.

That was a total of about 10 to 11 days, but, as you can see in the chart, it could have happened anytime between the 10th day and the 14th day.

[Chart: record timeline with 3-day NoRefresh, 3-day Refresh and 3-day scavenging period, from "Don't Be Afraid of DNS Scavenging"; not reproduced in this copy.]

If you choose the default 7-day settings, it may take up to 4 weeks + 1 day (29 days) for scavenging to take place.
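The timeline in the chart above as a small date-arithmetic function, so the same reasoning can be applied to any NoRefresh/Refresh/scavenging-period combination and any record timestamp. This is an added example, not code from the original post or from Josh Jones's blog; it needs no DNS cmdlets. It models only the three intervals (the record becomes stale at timestamp + NoRefresh + Refresh and is removed by whichever scavenging pass comes next, at most one scavenging period later), so the window it returns is the minimum; the post's rough formula allows for extra slack beyond that.

```powershell
# Added example (not from the original post): pure date arithmetic for the scavenging
# timeline. Assumes the record's owner stopped refreshing it at $LastRefresh; while a
# client keeps refreshing during the Refresh window, the clock restarts.
function Get-ScavengeTimeline {
    param(
        [Parameter(Mandatory)] [datetime] $LastRefresh,        # the record's timestamp
        [Parameter(Mandatory)] [timespan] $NoRefresh,          # zone NoRefresh interval
        [Parameter(Mandatory)] [timespan] $Refresh,            # zone Refresh interval
        [Parameter(Mandatory)] [timespan] $ScavengingInterval  # server scavenging period
    )
    $noRefreshEnds = $LastRefresh + $NoRefresh      # updates to the timestamp accepted again
    $stale         = $noRefreshEnds + $Refresh      # record is now eligible for scavenging
    [pscustomobject]@{
        LastRefresh      = $LastRefresh
        NoRefreshEnds    = $noRefreshEnds
        EligibleFrom     = $stale
        EarliestDeletion = $stale                         # a pass starts right as it goes stale
        LatestDeletion   = $stale + $ScavengingInterval   # a pass ran just before; wait one period
        DaysAfterRefresh = "{0:N0} to {1:N0}" -f ($stale - $LastRefresh).TotalDays,
                                                 ($stale + $ScavengingInterval - $LastRefresh).TotalDays
    }
}

# The post's chart: 3-day NoRefresh, 3-day Refresh, 3-day scavenging period, last
# refreshed 1/1/2008. Eligible from 1/7/2008; removed by a pass within the following period.
Get-ScavengeTimeline -LastRefresh '2008-01-01' `
    -NoRefresh (New-TimeSpan -Days 3) -Refresh (New-TimeSpan -Days 3) `
    -ScavengingInterval (New-TimeSpan -Days 3)

# The 7/7/7 defaults for a record last refreshed now.
Get-ScavengeTimeline -LastRefresh (Get-Date) `
    -NoRefresh (New-TimeSpan -Days 7) -Refresh (New-TimeSpan -Days 7) `
    -ScavengingInterval (New-TimeSpan -Days 7)
```

The EarliestDeletion/LatestDeletion pair is what "be patient" means in numbers: with the defaults a record that stopped refreshing today cannot disappear before day 14 and is normally gone by day 21, and the post's own figure for the worst case is longer still.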

AD Integrated zones: where do you set it? Enable it on only one server, and the timestamp will replicate with AD replication

In summary, when using AD-integrated zones, you just enable scavenging on one server, and the timestamp then replicates to the other servers through the normal AD replication process. When AD-integrated zones are involved, DNS uses an additional mechanism to control replication of a record's timestamp: the dnsTombstoned attribute.

In addition, regarding enabling it on one server, Josh Jones [MSFT] writes in his blog, "Don't be afraid of DNS Scavenging":

"Although you can set every server hosting the zone to scavenge I recommend just having one. The logic for this is simple: If the one server fails to scavenge the world won't end. You'll have one place to look for the culprit and one set of logs to check. If on the other hand you have many servers set to scavenge you have many logs to check if scavenging fails. Worse yet, if things start disappearing unexpectedly you don't want to go hopping from server to server looking for 2501 events."

For more specifics, and to not duplicate Josh Jones' efforts, please read his blog post, "Don't be afraid of DNS Scavenging":

Don't be afraid of DNS Scavenging, Josh Jones [MSFT], 19 Mar 2008 6:49 PM
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

AD Integrated Zones and Scavenging: how does it do it? It uses the AD attribute called "dnsTombstoned"

A good article by Guy Teverovsky [MSFT] explains how AD handles scavenging of records in an AD-integrated zone, as well as what happens when a machine whose record is marked dnsTombstoned is reinstalled: the reinstalled machine has a new SID and cannot update the original record, and the original host record is not removed immediately:

DNS Scavenging internals (or what is the dnsTombstoned attribute) for AD Integrated zones, by Guy Teverovsky [MSFT], 23 Sep 2010
http://blogs.technet.com/b/isrpfeplat/archive/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones-dstombstoneinterval-dnstombstoned.aspx

Other articles on Scavenging:

Optimizing your network to keep your DNS squeaky clean
http://blogs.technet.com/b/networking/archive/2009/02/09/optimizing-your-network-to-keep-your-dns-squeaky-clean.aspx

Enable Scavenging Screenshots

Screenshots showing scavenging being enabled with the default 7-day NoRefresh and 7-day Refresh. Note that scavenging will not kick in until 1 day after these two periods combined, meaning 15 days later. Also notice that after I enabled them and ran dnscmd /AgeAllRecords, the static records still did not show as stamped. Eventually they will. That is the "being patient" part.

1. Set Aging/Scavenging for all zones
https://qis15w.sn2.livefilestore.com/y1pK2oaDPwDuWcOKuruFE_mG60DX_JdOD9PUVuj8YEvK9bo-HK1WMPfHg3_smfglSU6RuKpxkxvZkP1mgb0AFJD_WZ-yUEOo6np/1.%20Set%20Aging-Scavenging%20for%20all%20zones.jpg?psid=1

2. Using the default 7-day scavenge settings
https://qis15w.sn2.livefilestore.com/y1pjeNJXBaiplqSW8EK6KEbWLD7awc19PpsNJEF6S5456DDriVTJUvCAsIH6EbpHb6zu3at6n2jZVN9BuOMVbNZdJQCCzFYi5I8/2.%20Using%20default%207%20day%20scavenge%20settings.jpg?psid=1

3. Chose to apply this to all AD-integrated zones
https://qis15w.sn2.livefilestore.com/y1pBwESri4t7Ru2PHdykn2_lJm6yxE_QejQVUZP1ROdPqEnd6KenfqyHrYAtU8Vori8WyElUTu_3AjAPe6egZIyK6FuO_yRlJU8/3.%20Chose%20to%20apply%20this%20to%20all%20AD%20integrated%20zones.jpg?psid=1

4. You can see when scavenging will kick in: 1 day after the 7-day No-refresh and 7-day Refresh period
https://qis15w.sn2.livefilestore.com/y1pXZk5kHkkl6EvfrcSprvdxp80i2WdPYaOy5M6uo98Gj5t1Heop_AR2cWXXaCof3yxQ6ORbxUBVAT1C_iDc9hUuymzdwZy2psz/4.%20%20You%20can%20see%20when%20scavenging%20will%20kick%20in%20-%201%20day%20after%20the%207%20day%20No-refresh%20and%207%20day%20Refresh%20period.jpg?psid=1

5. Set aging on the contoso.com zone
https://qis15w.sn2.livefilestore.com/y1pZdhGtBL_KWnpNMUTcSDkQWF21Ws8y_pkGvfQIZIp4GrHesAv-vl2uyrIhMu2MYm-3SyBa566R_ymHa9ja_ORyEce-cd2U09U/5.%20Set%20aging%20on%20contoso.com%20zone.jpg?psid=1

6. DNS Server Properties, Advanced tab: checked "Enable automatic scavenging of stale records". This basically turns it on.
https://qis15w.sn2.livefilestore.com/y1pkkRp01cx-ArzkC6hZ9SW1L2QwKOYK6lWRN5hE0NywrwCKD4a3fNTiwKuWLDIAoM9x0pCK3Z1b5tEZYVICF9qOoSecKMytReK/6.%20DNS%20Server%20Properties%2C%20Advanced%20Tab%2C%20Checked%20Enable%20Automatic%20Scavenging%20of%20stale%20records.%20This%20basically%20turns%20it%20on.jpg?psid=1

7. Ran dnscmd /AgeAllRecords
https://qis15w.sn2.livefilestore.com/y1pInNfBbD8vssqF85PS8-Sgg-60yXVzmxA910iEz_yS2NlY5b8rRUJrr-KlP9dO79XdRksQvHmlrFCNz4FRWAjZmUDNjmguTq9/7.%20Ran%20dnscmd%20ageallrecords.jpg?psid=1

Note of caution: the only problem with running this command is that it timestamps all static records, making them eligible for scavenging. Therefore, you may NOT want to do this.

8. Restarted DNS, although this is not necessary
https://qis15w.sn2.livefilestore.com/y1pPWlVIC7sDUQkjxinOJhT0nEGJRi4Y_Gctkg_inp2g3ZiMJMSLM16uz_e7GQPEJ7zFqnx2T03n0eRnyZuF8m3Dudp0kdAPQfG/8.%20Restarted%20DNS%20%20although%20this%20is%20not%20necessary.jpg?psid=1

9. NYC-DC1 still shows as static
https://qis15w.sn2.livefilestore.com/y1pD3XxvDENwxCwEzOVPbngly9Hb29y3Dq1esQItYpXWif5wiBfdBDn19r-O1lGYzGYApi8gEjCb83BvJP9JRXCCXeW-tjzTZUQ/9.%20NYC-DC1%20still%20shows%20as%20static.jpg?psid=1

Note on the screenshot below (quoted from "Don't Be Afraid of Scavenging. You must be patient"):

"The Scavenging Period is how often this particular server will attempt to scavenge. When a server scavenges it will log a DNS event 2501 to indicate how many records were scavenged. An event 2502 will be logged if no records were scavenged. Only one server is required to scavenge since the zone data is replicated to all servers hosting the zone.

Tip: You can tell exactly when a server will attempt to scavenge by taking the timestamp on the most recent EventID 2501 & Event ID 2502 events and adding the Scavenging period to it."

Image from: http://blogs.technet.com/blogfiles/networking/WindowsLiveWriter/DNSscavengingiseasy.Havingpatienceishar_C6E0/image_14.png

Moral of the story: Be Patient!!
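The tip quoted above, turned into a function: read the newest 2501 or 2502 event from the DNS Server log and add the server's scavenging period to it. This is an added example, not code from the original post or from Josh Jones's blog; it assumes the DnsServer module, permission to read the "DNS Server" event log on the scavenging server, and the placeholder server name DC01.

```powershell
# Added example (not from the original post). Predicts the next scavenging pass from the
# most recent 2501/2502 event plus the scavenging period. Server name is a placeholder.
Import-Module DnsServer

function Get-NextScavengeRun {
    param([Parameter(Mandatory)] [string] $ComputerName)

    $scav = Get-DnsServerScavenging -ComputerName $ComputerName
    if (-not $scav.ScavengingState) {
        return [pscustomobject]@{ Server = $ComputerName; Status = 'automatic scavenging is disabled on this server' }
    }

    # Newest event first: 2501 = records were scavenged, 2502 = a pass ran, nothing removed.
    $last = Get-WinEvent -ComputerName $ComputerName -MaxEvents 1 `
        -FilterHashtable @{ LogName = 'DNS Server'; Id = 2501, 2502 } `
        -ErrorAction SilentlyContinue
    if (-not $last) {
        return [pscustomobject]@{ Server = $ComputerName; Status = 'no 2501/2502 event logged yet; first pass still pending' }
    }

    [pscustomobject]@{
        Server    = $ComputerName
        LastRun   = $last.TimeCreated
        LastEvent = $last.Id
        Detail    = ($last.Message -split "`r?`n")[0]     # first line of the event text
        Period    = $scav.ScavengingInterval
        NextRun   = $last.TimeCreated + $scav.ScavengingInterval   # the tip, in code
        Overdue   = ($last.TimeCreated + $scav.ScavengingInterval) -lt (Get-Date)
    }
}

Get-NextScavengeRun -ComputerName 'DC01' | Format-List
```

Overdue being true is the thing to look into: a server that is set to scavenge but has not logged a 2501 or 2502 within one period is the "one place to look for the culprit" the quote refers to.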

      DNS Time stamp and Scavenging

If the record was manually created, it will not show a timestamp; if it was dynamically registered, it will. If you manually create a record, the checkbox to scavenge it is not checked; if it was dynamically registered, it is checked.
As for server entries (such as those from a DC), if you allow auto registration, which is on by default, and the record gets scavenged, it is re-registered anyway by the DC's Netlogon service (for the SRV, LdapIpAddress and GcIpAddress records) and by the operating system (for the A and PTR records). Unless you are seeing something that is affecting your environment, the default settings work fine; at least they do for me, in all of my customers' installations and environments I have worked in where I have set scavenging and forced DHCP to own the records so it can update the records it registered at lease refresh time.

Regarding the Active Directory dnsTombstoned Attribute

DNS Scavenging internals (or what is the dnsTombstoned attribute) for AD Integrated zones
Discusses the internal processing of DNS scavenging.
http://blogs.technet.com/b/isrpfeplat/archive/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones-dstombstoneinterval-dnstombstoned.aspx

dnsTombstoned records clean-up:
Every day at 2 AM (not configurable) the DNS server scans all AD-integrated zones and determines whether each tombstoned record is ready to be deleted. The default retention time of tombstoned records is 7 days. This value can be changed with the DsTombstoneInterval setting (dnscmd w2k8r2dc01 /config /DsTombstoneInterval value) or by editing the registry under HKLM\CCS\Services\DNS\Parameters:

Value name: DsTombstoneInterval
Value type: DWORD
The value is in seconds.

At that point the DNS server deletes the record.

Scavenging Refresh and No Refresh Settings Must be less than the DHCP Lease Period

The scavenging period must be set to less than the lease time. If you have two different settings and both are beyond the lease time, that combination is what produces the inconsistencies mentioned earlier.

For example: the 7-day and 7-day intervals work hand in hand with a default DHCP lease time of 8 days. DHCP renewals start at half the lease interval, which is 4 days. If the lease does not get renewed then, the client waits until 87.5% of the lease time to try again, which is on the 7th day. If it still does not get renewed, the lease is lost and the DHCP client attempts to get a new lease. Once the lease is lost on the 7th day, if you left scavenging at the defaults, it cleans the old lease entry out of DNS in every zone it existed in.

Therefore, if you have an 8-hour lease, you would need to set scavenging to 1 day, but that is not a recommended setting; it is simply too low. Also, an 8-hour lease tries to renew at 50% of the lease time and, if unsuccessful, at 87.5% of the lease time, which is at the 7th hour. Scavenging needs to be set below that, but the scavenging settings are in days, that is, in 24-hour intervals, so there is no possible way to set it below the lease time.

Also, a lease time of 8 hours, or even 4 hours, as I have heard some admins have set it to, is a really aggressively short lease and can cause other problems elsewhere, such as with WINS and replication partners. I have seen errors in WINS in a partnership scenario where the data was constantly changing and WINS simply could not keep up with the changes between partners.

My suggestion is that if you want to keep an aggressively short lease, at least make the lease period 2 days and scavenging 1 day.

However, I have been in environments with the default 8-day lease and 7-day scavenging settings, along with either credentials configured so DHCP owns all records it updates or the DnsUpdateProxy group, and it works fine. If a laptop gets a record at 8 AM on a Monday, then unplugs, goes home and comes back on Thursday, the laptop will attempt to get the same lease. If the laptop does not come back until the Tuesday of the following week, it gets a new lease and a new IP, and since DHCP owns the record, DHCP simply updates it in DNS in both the forward and the reverse zone.

To make this work properly using the DnsUpdateProxy group or credentials, you must force DHCP to update ALL RECORDS, whether the client knows how to update or not and whether it requests it or not (the bottom setting on the DNS tab). This forces DHCP to own ALL records. If you do not set these settings, and the scavenging period is more than the lease, unexpected results will occur.

Scenario: Choosing a Short DHCP Lease Time of 8 hours

If you reduce the DHCP lease to 8 hours, a number of things can occur: increased AD tombstoning of DNS entries, which increases the size of the NTDS.dit file; possible inconsistency of the records in DNS; and WINS struggling to keep up with the changes, which shows up as WINS Event log error entries.

Also keep in mind that every DHCP client, no matter what operating system, uses the DORA process: Discover, Offer, Request and Acknowledgement. The point at which a client asks for a lease refresh is the 50% mark, where it uses only R and A, a Request for the lease configuration it currently has and the Acknowledgment. If it cannot get a renewal at the 50% mark after 3 attempts, it waits until 7/8 of the lease time and then broadcasts refresh requests until the end of the lease period. If it does not get a renewal by the end of the lease, the client machine removes the current configuration from its interface and has no IP.

Therefore, with an 8-hour lease, the refresh time is at 4 hours. That needs to be taken into account with regard to the additional traffic, how DNS updates, and how WINS handles the constant requests coming through.

Regarding the WINS issue, I saw this once at a customer site years ago. It has always stuck in the back of my mind to keep this in mind when such a short lease is desired. I have found that a default lease works fine, as long as scavenging is enabled (with default settings as well), including when the DHCP server is on a DC, by adding the DHCP server to the DnsUpdateProxy group, or, to alleviate the security issues with such a move, by supplying credentials for DHCP instead, so it owns all records it registers into DNS and can update them as they change. Otherwise, expect issues to occur.
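The renewal arithmetic in the two passages above (renewal at 50% of the lease, rebinding at 7/8) together with the earlier rule that NoRefresh and Refresh must not exceed the lease, as one reusable check. This is an added example, not code from the original post; the first two calls reproduce the post's 8-day and 8-hour cases with no modules needed, and the live part assumes the DhcpServer and DnsServer modules and the placeholder names DHCP01, DC01 and contoso.com.

```powershell
# Added example (not from the original post). Compares a DHCP lease against the zone's
# aging intervals and shows where in the lease the client will try to renew.
function Test-LeaseVsScavenging {
    param(
        [Parameter(Mandatory)] [timespan] $Lease,
        [Parameter(Mandatory)] [timespan] $NoRefresh,
        [Parameter(Mandatory)] [timespan] $Refresh
    )
    $t1 = [timespan]::FromTicks([long]($Lease.Ticks * 0.5))     # renewal: unicast Request/Ack
    $t2 = [timespan]::FromTicks([long]($Lease.Ticks * 0.875))   # rebinding: broadcast until expiry
    $ok = ($NoRefresh -le $Lease) -and ($Refresh -le $Lease)

    $note = 'ok: aging intervals fit inside the lease'
    if (-not $ok) {
        # The console sets aging in whole days, so anything under a day cannot be matched.
        $note = if ($Lease -lt (New-TimeSpan -Days 1)) {
            'lease is shorter than the 1-day minimum aging interval; no setting can be below it'
        } else {
            'lower NoRefresh and Refresh to at most the lease length'
        }
    }

    [pscustomobject]@{
        Lease             = $Lease
        RenewAt_T1        = $t1
        RebindAt_T2       = $t2
        NoRefresh         = $NoRefresh
        Refresh           = $Refresh
        AgingWithinLease  = $ok
        Note              = $note
    }
}

# The post's two cases: the 8-day default lease with 7/7 aging, and an 8-hour lease.
Test-LeaseVsScavenging -Lease (New-TimeSpan -Days 8)  -NoRefresh (New-TimeSpan -Days 7) -Refresh (New-TimeSpan -Days 7)
Test-LeaseVsScavenging -Lease (New-TimeSpan -Hours 8) -NoRefresh (New-TimeSpan -Days 1) -Refresh (New-TimeSpan -Days 1)

# Live: every IPv4 scope's lease on DHCP01 against the aging of the contoso.com zone on DC01.
Import-Module DhcpServer, DnsServer
$aging = Get-DnsServerZoneAging -ComputerName 'DC01' -Name 'contoso.com'
Get-DhcpServerv4Scope -ComputerName 'DHCP01' | ForEach-Object {
    Test-LeaseVsScavenging -Lease $_.LeaseDuration `
        -NoRefresh $aging.NoRefreshInterval -Refresh $aging.RefreshInterval |
        Add-Member -NotePropertyName Scope -NotePropertyValue $_.ScopeId -PassThru
} | Format-Table Scope, Lease, RenewAt_T1, RebindAt_T2, AgingWithinLease, Note -AutoSize
```

For the 8-day lease the function reports T1 at 4 days and T2 at 7 days with the 7/7 intervals fitting inside the lease; for the 8-hour lease it reports T1 at 4 hours and T2 at 7 hours and flags that even the 1-day minimum cannot be met, which is the post's point.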

      (The following, which goes into much more detail of what is actually occuring, was compiled and posted by Chris Dent in the Microsoft DNS newsgroup.)


      Why would one choose 8 hours? Possibly to handle many laptops coming in and out of the network. So you would think a shorter lease time would work. However, keep in mind with any lease time, the point at which a client will ask for a lease refresh is at 50% of the lease time. Therefore, the client machine will asking for a refresh every four hours.

      This will result in a high rate of change in DNS, which may lead to a large number of tombstoned DNS entries. It would seem reasonable to reconsider the DHCP Lease duration, 8 hours is, after all, extremely short.

      Essentially you have:

      • The amount of AD Tombstoned Data is increasing because of Stale DNS records
      • The number of Stale DNS Records is high because of the (potential) rate of change of records in both Forward and Reverse Lookup
      • The rate of change must be somewhat proportional to changing leases in DHCP

      The DNS Record lifecycle:

      1. An A record is created (as a dnsNode in AD).
      2. When the Timestamp is no longer updated, and the Aging Intervals passes it’s aged setting, the A Record becomes Stale.
      3. Stale Records are removed from the active DNS system, and the AD dnsTombstoned attribute is set to TRUE.
      4. Tombstoned record exists for value of the DsTombstoneInterval attribute, which is 7 days by default.
      5. The DnsNode object is moved to the Deleted Objects for the length of time of the tombstoneLifetime attribute value.

      Note: The Active Directory tombstone lifetime is listed in schema.ini and is set during the promotion of the very first DC in the forest, based on the Windows version used to install that DC. The value does not change when all domain controllers are later upgraded to newer Windows versions, nor when the Domain or Forest Functional Levels are raised. The entry in schema.ini is “tombstoneLifetime=<number of days>” and the value can be changed. Therefore, the Windows operating system used to install the very first domain controller in your infrastructure tells you what the value is:

      • If the very first DC was installed using a Windows 2003 with integrated SP1 CD or newer, the tombstone lifetime value is 120 days.
      • If the very first DC installed in the forest was Windows 2000 (any Service Pack) or Windows 2003 (pre-Windows 2003 SP1), the tombstone lifetime is 60 days.

      The values can be changed. Please read the following for information on how to change it:

      Active Directory Lingering Objects, Journal Wraps, Tombstone Lifetime, and Event IDs 13568, 13508, 1388, 1988, 2042, 2023
      (Scroll down to “Active Directory Tombstone Lifetime”)
      http://msmvps.com/blogs/acefekay/archive/2011/12/27/active-directory-lingering-objects-journal-wraps-tombstone-lifetime-and-event-ids-13568-13508-1388-1988-2042-2023.aspx 

      Therefore, you either need to reduce the rate of change by increasing the lease duration, or accept the inaccuracy in DNS by limiting the Aging and Scavenging settings, or accept an increasing directory size to store all of this additional data. The directory size should level out eventually, once the number of tombstoned records being flushed equals the number being created.

      DHCP Conflict Detection

      When DHCP provides a lease to a client, it first tries to determine that no other machine is already using the IP. Such a machine may have been inadvertently configured with a static IP configuration by someone not realizing the IP is within the lease scope.

      DHCP uses pings for conflict detection.

      Enable address conflict detection
      http://technet.microsoft.com/en-us/library/cc737924(WS.10).aspx

      DHCP Best Practices
      Look for: “Use server-side conflict detection on DHCP servers only when it is needed”
      http://technet.microsoft.com/en-us/library/cc780311(WS.10).aspx

      DHCP Server Conflict Detection
      http://technet.microsoft.com/en-us/library/cc958918.aspx

      I’ve been asked a few times in the past if DHCP Conflict detection pings are the same as the pings when one uses a command prompt to ping a host. The answer to that is yes.

      To expand, the term “ping” is short for “Packet Internet Groper.” Pings are ICMP echo packets; just as you would ping an IP address from a command prompt, the DHCP server does the same to detect conflicts. It’s summarized in the following link; search for the sentence, “When conflict detection attempts are set, the DHCP server uses the Packet Internet Groper (ping) process …”

      DHCP Server Conflict Detection
      http://technet.microsoft.com/en-us/library/cc958918.aspx

      Specific info on the Ping command:

      Ping – General Summary
      http://en.wikipedia.org/wiki/Ping

      Internet Control Message Protocol – Technical Summary
      http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
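      The conflict-detection ping described above can also be run ahead of time from the DHCP administrator’s side. The following PowerShell script is an added example, not code from the original post or from Microsoft: it pings every address in a scope’s distribution range exactly once, the way server-side conflict detection does before handing an address out, and reports addresses that answer but hold no lease, reservation or exclusion, which is precisely the “static IP inside the lease scope” case the text warns about. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later, or RSAT); the server name and scope ID are placeholders.

```powershell
# Added example (not from the original post): find addresses inside a DHCP
# scope that answer an ICMP echo yet are unknown to DHCP (no lease, no
# reservation, not excluded). These are candidates for statically configured
# hosts sitting inside the lease range.
# Assumes the DhcpServer PowerShell module (Windows Server 2012+ or RSAT).
param(
    [string]$DhcpServer = 'dhcp1.corp.example',  # placeholder DHCP server
    [string]$ScopeId    = '192.168.10.0'         # placeholder scope
)

# Helpers to walk an IPv4 range numerically (network byte order -> UInt32).
function ConvertTo-UInt32 ([ipaddress]$ip) {
    $b = $ip.GetAddressBytes(); [array]::Reverse($b); [BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-UInt32 ([uint32]$n) {
    $b = [BitConverter]::GetBytes($n); [array]::Reverse($b)
    New-Object System.Net.IPAddress -ArgumentList (,$b)
}

$scope = Get-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $ScopeId

# Addresses DHCP already accounts for: active leases, reservations, exclusions.
$known = @{}
Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId |
    ForEach-Object { $known[$_.IPAddress.ToString()] = 'lease' }
Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId |
    ForEach-Object { $known[$_.IPAddress.ToString()] = 'reservation' }
foreach ($ex in Get-DhcpServerv4ExclusionRange -ComputerName $DhcpServer -ScopeId $ScopeId) {
    for ($n = ConvertTo-UInt32 $ex.StartRange; $n -le (ConvertTo-UInt32 $ex.EndRange); $n++) {
        $known[(ConvertFrom-UInt32 $n).ToString()] = 'exclusion'
    }
}

# One echo per address, the same test conflict detection performs per lease.
$suspects = for ($n = ConvertTo-UInt32 $scope.StartRange; $n -le (ConvertTo-UInt32 $scope.EndRange); $n++) {
    $ip = (ConvertFrom-UInt32 $n).ToString()
    if ($known.ContainsKey($ip)) { continue }
    if (Test-Connection -ComputerName $ip -Count 1 -Quiet) {
        [pscustomobject]@{ IPAddress = $ip; Note = 'answers ICMP but has no lease, reservation or exclusion' }
    }
}

$suspects | Format-Table -AutoSize
```

      Two caveats carry over from the feature itself: a host that drops ICMP echo requests (a common host-firewall setting) is invisible both to this script and to the DHCP server’s own conflict detection, and each unanswered address costs a full ping timeout, which is why the Best Practices article above advises enabling server-side conflict detection only when it is needed.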


      DHCP Lease has a “pen” or “pencil” Icon

      If a record shows up in the DHCP Lease list with a pen icon, it means that a write is pending. If it doesn’t disappear, it may mean it is trying to register into a zone that does not exist on the DNS servers. This happens in cases where the client machine is not joined to the domain and has a missing or different Primary DNS Suffix than the zone in DNS.

      Registration can only occur into a zone that exists on the DNS server and that has been configured to allow dynamic updates.

      If this is the case, go into the client machine’s IP properties, and perform the following:

      • On the DNS tab in TCP/IP Advanced properties, clear the “Register this connection’s addresses in DNS” check box.
      • Clear the “Use this connection’s DNS suffix in DNS registration” check box.
      • The DHCP server will fill these in for you and register the client using the domain name in Option 015.

      Reference:

      DHCP console icons reference
      http://technet.microsoft.com/en-us/library/cc784812(WS.10).aspx


      Records & timestamps, and the lack of timestamps

      If the record was manually created, it won’t show a timestamp; if the record was dynamically registered, it will. My guess is the records you are referring to were manually created. If you manually create a record, the scavenge check box will not be checked; if it was dynamically registered, it will be.

      I just tested this with Windows 2003 DNS. When I had built a few servers for a customer and let them auto register, they had a timestamp and the scavenge checkbox was checked. For the records I manually created, such as internal www records, and others, they did not have a time stamp and were not checked to scavenge.

      Even if you allow auto registration, which I do by default, and a record gets scavenged, it gets re-registered anyway by the OS. Unless you are seeing something that is affecting your environment, the default settings work fine; at least they have for all of the customer installations I’ve worked in where I’ve set scavenging and forced DHCP to own the records so it can update the records it registered at lease refresh time.

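      To see the timestamp behaviour described here and the stale-record lifecycle from the previous section on a live zone, here is an added PowerShell example (not code from the original post): it lists the A records of an AD-integrated zone, separates the static ones (no timestamp, never scavenged) from the dynamic ones, and classifies each dynamic record as inside its No-refresh window, inside its Refresh window, or already past both and therefore eligible for scavenging. It also shows how the 50% lease renewal cadence relates to the zone’s intervals. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT); the server, zone and lease duration are placeholders.

```powershell
# Added example (not from the original post): classify A records in an
# AD-integrated zone by aging state. Static records carry no timestamp and are
# never scavenged; dynamic records become stale once their timestamp is older
# than NoRefreshInterval + RefreshInterval.
# Assumes the DnsServer PowerShell module (Windows Server 2012+ or RSAT).
param(
    [string]$DnsServer       = 'dc1.corp.example',      # placeholder DNS server
    [string]$ZoneName        = 'corp.example',          # placeholder zone
    [TimeSpan]$LeaseDuration = (New-TimeSpan -Hours 8)  # the 8-hour lease discussed earlier
)

$aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
if (-not $aging.AgingEnabled) {
    Write-Warning "Aging is disabled on $ZoneName; dynamic records will never become stale."
}
# A dynamic record is stale once both intervals have elapsed since its timestamp.
$staleAfter = $aging.NoRefreshInterval + $aging.RefreshInterval

# Clients renew at 50% of the lease; DHCP/the client re-registers at that cadence,
# but the server only rewrites the timestamp once the No-refresh window has passed.
$renewEvery = New-TimeSpan -Seconds ($LeaseDuration.TotalSeconds / 2)
Write-Host ("Lease {0}: renewals every {1}; timestamps can update at most every {2}" -f `
    $LeaseDuration, $renewEvery, $aging.NoRefreshInterval)
if ($renewEvery -gt $staleAfter) {
    Write-Warning "Renewal cadence exceeds No-refresh + Refresh: records can be scavenged before they are refreshed."
}

$now     = Get-Date
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer -RRType A

$report = foreach ($rr in $records) {
    $age = $null
    if ($null -eq $rr.Timestamp) {
        $state = 'static (no timestamp; scavenging never removes it)'
    } else {
        $age   = $now - $rr.Timestamp
        $state = if ($age -gt $staleAfter)                  { 'STALE: eligible for scavenging' }
                 elseif ($age -gt $aging.NoRefreshInterval) { 'refresh window: next registration rewrites timestamp' }
                 else                                       { 'no-refresh window: registrations do not rewrite timestamp' }
    }
    [pscustomobject]@{
        HostName  = $rr.HostName
        Address   = $rr.RecordData.IPv4Address
        Timestamp = $rr.Timestamp
        AgeDays   = if ($null -ne $age) { [math]::Round($age.TotalDays, 1) } else { $null }
        State     = $state
    }
}

$report | Sort-Object State, HostName | Format-Table -AutoSize
```

      Save it as a .ps1 and run it with -DnsServer and -ZoneName pointing at one of your DCs. Only the timestamp rewrite after the No-refresh window replicates; registrations that arrive inside that window are ignored by the server, which is the whole purpose of the No-refresh interval. Records the script reports as STALE are exactly the ones the next scavenging pass will remove and then tombstone, as described in the lifecycle above.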

      Related Links

      How to configure DNS dynamic updates in Windows Server 2003.
      http://support.microsoft.com/kb/816592

      Using DNS servers with DHCP (Contains information on the DnsUpdateProxy group and its usage)
      http://technet.microsoft.com/en-us/library/cc787034(WS.10).aspx

      Using DNS Aging and Scavenging
      Aging and scavenging of stale resource records are features of Domain Name System (DNS) that are available when you deploy your server with primary zones.
      http://technet.microsoft.com/en-us/library/cc757041(WS.10).aspx

      Microsoft Enterprise Networking Team : Don’t be afraid of DNS, Mar 19, 2008
      DNS Scavenging is a great answer to a problem that has been nagging everyone since RFC 2136 came out way back in 1997.
      http://blogs.technet.com/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

      How DHCP Technology Works
      http://technet.microsoft.com/en-us/library/cc780760(WS.10).aspx

      From Ulf B. Simon Weidner:
      DHCP, DNS and the DNSUpdateProxy-Group
      I had a discussion in the Newsgroups lately about DHCP and the DNSUpdateProxy-Group which is used to write unsecured DNS-Entries to a DNS-Zone which only …
      http://msmvps.com/ulfbsimonweidner/archive/2004/11/15/19325.aspx

      And from Kevin Goodnecht:
      Setting up DHCP for DNS registrations
      http://support.wftx.us/setting_up_dhcp_for_dns_registra.htm

      317590 – HOW TO Configure DNS Dynamic Update in Windows 2000 and DNSUpdateProxy Group:
      http://support.microsoft.com/kb=317590

      816592 – How to configure DNS dynamic updates in Windows Server 2003:
      http://support.microsoft.com/kb/816592

      Follow up discussion on the DNSUpdateProxy-Group:
      http://msmvps.com/ulfbsimonweidner/archive/2005/03/26/39841.aspx
      ==================================================================


      Comments, Corrections and Suggestions are Welcomed

      Ace Fekay

      Domain Rename With or Without Exchange

      Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
      Microsoft Certified Trainer
      Microsoft MVP: Directory Services
      Active Directory, Exchange and Windows Infrastructure Engineer


      Originally Published 4/2009
      Edits:
      3/3/2010   – General Syntax revision
      10/11/2010 – Added additional information regarding DNS names and underscores, and Exchange 2010

      Preface

      I thought to offer my notes on domain renames, since it appears to be a necessary evil in some cases that can confuse even the experienced admin. There are a number of reasons to rename a domain, such as:

      1. Single Label Name – The DNS domain name is a single label, such as “DOMAIN,” rather than the necessary minimum of “domain.com,” “domain.net,” “domain.local,” etc.

      2. Underscore in the DNS domain name – An underscore is not a legal character in a DNS host name, and AD relies on DNS.

      3. The internal domain name conflicts with a public domain name that belongs to someone else – This can hinder the ability to purchase a UC/SAN certificate for Exchange 2007 or 2010. See the following blog for more information on this issue:
      Exchange 2007 UC/SAN Certificate
      http://msmvps.com/blogs/acefekay/archive/2009/08/23/exchange-2007-uc-san-certificate.aspx

      4. Company Name Change

      5. Acquisition

      6. The admin is not happy with the DNS domain name – Ok, this is a lot of work just because you’re not happy. But be that as it may, some will do it for this reason.

      I hope my notes are helpful to anyone facing this task. But as I said, I would rather perform, and recommend, a migration to a fresh installation instead of a rename.

      Before we start

      Examples of applications that are incompatible with domain rename include but are not limited to the following products:

      • Microsoft Exchange 2000
      • Microsoft Exchange 2007
      • Microsoft Exchange 2010
      • Microsoft Internet Security and Acceleration (ISA) Server 2004
      • Microsoft Live Communications Server 2005
      • Microsoft Operations Manager 2005
      • Microsoft SharePoint Portal Server 2003
      • Microsoft Systems Management Server (SMS) 2003
      • Microsoft Office Communications Server 2007

      Are you sure you want to rename your domain?

      Ok, so are you sure you want to rename the domain? PLEASE read up on it first in this link:

      How Domain Rename Works, Updated: June 3, 2010:
      http://technet.microsoft.com/en-us/library/cc738208(WS.10).aspx

      Domain Rename Procedure Notes

      Prerequisites:

      1. The Domain and Forest functional levels must be at least Windows Server 2003. This means no Windows 2000 domain controllers can exist in the forest.

      2. If Exchange 2000 or Exchange 2007 is installed, the rename is not supported. Exchange 2000 can be upgraded to Exchange 2003; Exchange 2007, however, will need to be removed prior to the procedure. More info below on Exchange 2007.

      Once you’ve met the prerequisites, you can proceed with the rename. I did not outline a step by step here, since numerous documents exist outlining the steps, but I wanted to consolidate specific links I thought would be helpful, including the Microsoft TechNet Webcast and Microsoft’s Step By Step Guide to implementing a domain rename.

      Support WebCast Microsoft Windows Server 2003 Implementing an Active Directory Domain Rename Operation:
      http://support.microsoft.com/kb/819145

      TechNet Support WebCast: Renaming domains when Microsoft Exchange Server 2003 is in the Active Directory
      http://support.microsoft.com/kb/838623

      Step-by-Step Guide to Implementing Domain Rename:
      http://download.microsoft.com/download/c/f/c/cfcbff04-97ca-4fca-9e8c-3a9c90a2a2e2/domain-rename-procedure.doc

      TechRepublic Tutorial: RenDom helps you to rename a Windows .NET domain
      Workstations MUST be rebooted twice after a rename so they reflect the new NetBIOS name.
      http://articles.techrepublic.com.com/5100-10878_11-5031949.html

      Domain Rename Part 1 – Setup
      http://thelazyadmin.com/blogs/thelazyadmin/archive/2006/06/07/Domain-Rename-Part-1-_2D00_-Setup.aspx

      Domain Rename Part 2 – Renaming
      http://thelazyadmin.com/blogs/thelazyadmin/archive/2006/06/08/Domain-Rename-Part-2-_2D00_-Renaming.aspx

      Domain Rename Part 3 – Exchange 2003
      http://thelazyadmin.com/blogs/thelazyadmin/archive/2006/06/09/Domain-Rename-Part-3-_2D00_-Exchange-2003.aspx

      [DOC] Download Details – Microsoft – Step-by-Step Guide to Implementing Domain Rename:
      http://download.microsoft.com/download/c/f/c/cfcbff04-97ca-4fca-9e8c-3a9c90a2a2e2/domain-rename-procedure.doc

      How Domain Rename Works
      http://technet.microsoft.com/en-us/library/cc738208(WS.10).aspx

      Step-by-Step Guide to Implementing Domain Rename
      http://download.microsoft.com/download/c/f/c/cfcbff04-97ca-4fca-9e8c-3a9c90a2a2e2/Domain-Rename-Procedure.doc

      Understanding How Domain Rename Works
      http://download.microsoft.com/download/9/6/5/965e6899-e086-4b3e-8ed6-516ea07ea225/Domain-Rename-Intro.doc

      Download: Windows Server 2003 Domain Rename Tools
      http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx

      If a NetBIOS Name Change Was Chosen

      For Workstations and member servers to reflect the new name in the drop-down domain list selection box, they must be rebooted twice. The following paragraph was quoted from the Step By Step Guide at:

      Step-by-Step Guide to Implementing Domain Rename:
      http://download.microsoft.com/download/c/f/c/cfcbff04-97ca-4fca-9e8c-3a9c90a2a2e2/domain-rename-procedure.doc

      “Reboot member computers. Reboot twice all member workstations, member servers, and standalone servers (excluding domain controllers) that are running Windows 2000, Windows XP, and Windows Server 2003 Server family in the renamed domains in your forest. Rebooting twice ensures that each member computer learns of the domain name changes (LSA policy changes) and propagates them to all applications and services running on the member computer. Note that each computer must be restarted by logging into the computer and using the Shutdown/Restart administrative option. Computers must not be restarted by turning off the machine power and then turning it back on.”

      If a PKI infrastructure exists…

      The PKI infrastructure will need to be removed prior to a domain rename:

      How to Manually Remove an Enterprise Windows Certificate Authority from Windows 2000/2003 Domain
      http://support.microsoft.com/kb/555151

      How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows Server 2000
      http://support.microsoft.com/?id=889250

      HOWTO: Move a certificate authority to a new server running on a 2003 or 2008 CA, Standard or Enterprise
      http://directoryservicesconsulting.ca/index.php/2009/04/17/howto-move-a-certificate-authority-to-a-new-server-running-on-a-domain-controller/

      HOWTO: Move a certificate authority to a new server running on a domain controller (2003).
      http://support.microsoft.com/?id=555012

      Is Exchange In The Picture?

      Exchange 2000

      Exchange 2000 does not support a rename. Your main option is to upgrade Exchange 2000 to 2003. If you do not have the option to upgrade to Exchange 2003 SP1 (SP2 preferred), you can Exmerge all of your mailboxes to PSTs, uninstall Exchange 2000, run the domain rename operation, reinstall Exchange 2000, and then use Exmerge to pump the mailboxes back into the users’ newly created mailboxes.

      Exchange 2003

      Exchange 2003 supports a rename. In order to support it, it must be at least SP1.

      Rename a Windows 2003 Forest with Exchange 2003 installed (if you don’t have Exchange, you can ignore the Exchange part in the tutorial)
      http://www.msexchange.org/tutorials/Domain-Rename.html

      Here’s what you need as well for Exchange 2003 renames:

      Supplemental steps for using the Exchange Server Domain Rename Fixup tool together with the Windows Server 2003 domain rename tools:
      http://support.microsoft.com/kb/842116/

      Exchange 2007 or Exchange 2010

      As of this writing, unfortunately, neither Exchange 2007 nor Exchange 2010 supports a domain rename. The choices are:

      1. Export your mailboxes and Public Folders to PST files, uninstall Exchange 2007, rename the domain, then reinstall Exchange 2007. I know it is easier said than done, but that seems to be the only option at this time.
      2. Migrate to a fresh, pristine forest with the proper name.

      Your best bet is Option #2 – Simply create a new domain in a new forest with the correct name, install Exchange 2007, use ADMT to migrate the user accounts, then perform a move mailbox to move the mailboxes and Public Folders from the old forest to the new one.

      Exchange 2007 and Exchange 2010 domain rename related Links

      Introduction to Administering Active Directory Domain Rename, Jul 9, 2010
      The domain rename operation is not supported in Microsoft Exchange Server 2007 or Exchange Server 2010. DNS domain rename is supported in Exchange 2003. However, renaming of the NetBIOS domain name is not supported in any version of Exchange Server.
      http://technet.microsoft.com/en-us/library/cc816848(WS.10).aspx

      If Exchange 2007 is in use, a domain rename is not supported:
      The Microsoft Exchange System Attendant service does not start on a computer that is running Exchange Server 2007 after you rename a Windows Server 2003 domain:
      http://support.microsoft.com/kb/925822

      Exchange 2007 and Domain Rename – You can’t perform a domain rename when Exchange 2007 is installed.
      http://theessentialexchange.com/blogs/michael/archive/2008/04/04/exchange-2007-and-domain-rename.aspx

      This article will show you how to use a temp domain with Exchange 2007 installed to move all of your mailboxes and PFs to this temp organization, then uninstall Exchange 2007, rename the domain, re-install Exchange 2007, then move the mailboxes and PFs back to the original organization:
      http://social.technet.microsoft.com/Forums/en-US/exchangesvrmigration/thread/31784c7f-beaa-4d83-b0ce-387a85431c94

      Related Links

      How to raise domain and forest functional levels in Windows Server
      […] The attribute is msDS-Behavior-Version on the CN=Partitions, CN=Configuration, DC=ForestRootDom, DC=tld object. Value of 0 or not set=mixed level forest […]
      http://support.microsoft.com/kb/322692

      Error messages encountered on renaming domain
      http://support.microsoft.com/kb/891370

      The following was quoted from:
      http://technet.microsoft.com/en-us/library/cc738208.aspx
      “Keep in mind after a rename procedure, the DC’s Primary DNS Suffix is not automatically changed to match the new domain name. You are required to change the Primary DNS Suffix to match the new name. In other words, unlike the names of member computers, the DNS names of domain controllers in a renamed domain will remain unchanged.  The domain controllers can be renamed in a separate step, using a special domain controller rename procedure, after the domain rename operation is complete. You must double-check ALL domain members to insure that their Primary DNS Suffix matches the new domain name.”

      The DNS suffix of the computer name of a new domain controller may not match the name of the domain after you upgrade a Windows NT 4.0 primary domain controller (PDC) to Windows 2000
      http://support.microsoft.com/default.aspx?scid=kb;EN-US;257623
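      The prerequisites listed under “Domain Rename Procedure Notes” (functional levels at Windows Server 2003 or higher, no Windows 2000 DCs, watch out for Exchange) and the post-rename warning quoted above (every member’s Primary DNS Suffix must match the new name, and DCs keep their old names until renamed separately) can both be checked from PowerShell. The script below is an added example, not code from the original post or from Microsoft’s rename guide. It reads the same msDS-Behavior-Version attribute the KB article above cites, and it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT); the domain name passed as -NewDnsName is a placeholder you supply only after the rename.

```powershell
# Added example (not from the original post): pre-flight checks before a domain
# rename, and a DNS-suffix audit for after it.
# Assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2+ or RSAT).
param(
    [string]$NewDnsName   # e.g. 'corp.example' (placeholder); omit before the rename
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$domain   = Get-ADDomain
$forest   = Get-ADForest
$findings = @()

# msDS-Behavior-Version, as cited in KB 322692: 0 = Windows 2000, 1 = 2003 interim,
# 2 = Windows Server 2003, 3 = 2008, 4 = 2008 R2. Domain rename needs 2 or higher.
$forestLevel = (Get-ADObject "CN=Partitions,$configNC" -Properties 'msDS-Behavior-Version').'msDS-Behavior-Version'
$domainLevel = (Get-ADObject $domain.DistinguishedName -Properties 'msDS-Behavior-Version').'msDS-Behavior-Version'
if ([int]$forestLevel -lt 2) { $findings += "Forest functional level is $forestLevel; Windows Server 2003 (2) or higher is required." }
if ([int]$domainLevel -lt 2) { $findings += "Domain functional level is $domainLevel; Windows Server 2003 (2) or higher is required." }

# No Windows 2000 domain controllers may remain anywhere in the forest.
foreach ($dom in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $dom |
        Where-Object { $_.OperatingSystem -like '*2000*' } |
        ForEach-Object { $findings += "Windows 2000 DC still present: $($_.HostName)" }
}

# Exchange setup creates CN=Microsoft Exchange under CN=Services when it prepares
# the forest; if it exists, the Exchange-specific guidance above applies.
$exchange = Get-ADObject -Filter { name -eq 'Microsoft Exchange' } -SearchBase "CN=Services,$configNC" -SearchScope OneLevel
if ($exchange) {
    $findings += "Exchange organization objects found at $($exchange.DistinguishedName); confirm the Exchange version supports a rename."
}

# After the rename: flag every computer whose dNSHostName is not under the new
# domain name. DCs will show up here until the separate DC rename is done.
if ($NewDnsName) {
    Get-ADComputer -Filter * -Properties dNSHostName |
        Where-Object { $_.dNSHostName -and $_.dNSHostName -notlike "*.$NewDnsName" } |
        ForEach-Object { $findings += "Primary DNS suffix mismatch: $($_.dNSHostName)" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No blocking findings.' }
```

      Run it once without parameters before you start, and again with -NewDnsName after the rename and the two reboots of the members; anything still listed as a suffix mismatch is a machine whose Primary DNS Suffix has to be fixed by hand, or a DC that still needs the separate domain controller rename procedure.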

      Windows Server 2003 Active Directory Domain Rename Tools:
      http://technet.microsoft.com/en-us/windowsserver/bb405948.aspx

      ===================

      Comments, suggestions and corrections are welcomed!

      Ace Fekay