What DNS Zone type should I use: a Stub, Conditional Forwarder, a Forwarder, or a Secondary Zone? What’s the Difference?

By Ace Fekay
Originally Published 2012
Updated 3/20/2018

Intro

Ace again. DNS is a basic, yet important, requirement that many still have problems wrapping their heads around.

Besides design, a huge part of DNS is understanding the differences between the zone types. Many have asked, when do I use a Stub zone, a Conditional Forwarder, or a Forwarder? Or better, what’s the difference?

I thought I’d put this simple comparison together, compiled from past posts in the TechNet Forum.

Partner Organization DNS Resolution: What should I use, a Stub, Conditional Forwarder or Forwarder?

Secondary Zone

Secondary zones are read-only copies “copied,” or “zone transferred,” from a Master zone. This makes the zone data available locally (as read-only, of course), instead of querying a DNS server across a WAN link. However, in many cases Secondaries are not used due to their limitations and security concerns, such as exposing all DNS zone data that a partner may not want to divulge.

In addition, Secondaries can’t be AD integrated, and the zone data is stored in a text file. So you would have to manually create a copy on all of your DNS servers.

Stub Zone

Organizations own their own AD zones. When business partners need to resolve names in a partner’s organization, there are a few options to support this requirement. Years ago, prior to Stub zones or Conditional Forwarders, there weren’t many options other than to use Secondary Zones and keep copies of each other’s zones via zone transfers. While that solution worked well for name resolution, it was not the best security-wise, given the trust level between partners, because the zone data is fully exposed at the partner. This became a security concern because each partner is able to see all of its business partner’s records, and once the zone was transferred, who knows what they were doing with the information. If the information was made public, attackers would have a field day with the IPs of all the networked devices.

When stub zones were made available, they became a solution to this security issue. What is also beneficial about Stubs is that you can AD integrate them instead of manually creating a Stub on each individual DC. This way the zone is available domain- or forest-wide, depending on the replication scope.

However, because the SOA and NS records are included in a stub zone, some consider the exposure of the SOA and NS data a concern. Where security concerns are that high, the better solution is to use a Conditional Forwarder.

Conditional Forwarder

This option is heavily used, and many consider it the best choice where zone data exposure is a security concern, because no zone data is exposed. This option has worked very well in many environments.

With Conditional Forwarders, no zone information is transferred or shared. The only thing you need to know is one or more of your business partner’s DNS server IPs to configure it, and they don’t have to be the SOA; any DNS server that hosts the zone, or that has a reference to the zone, will do.

However, it does require open communication between the partners, so that each lets the other know when its DNS server IPs change, because you must set them manually.

Windows 2003 introduced Conditional Forwarders, but it did not have the option to make them AD Integrated. If you have 10 DNS servers, you must create the Conditional Forwarder on each server manually. The AD integrated option was added in Windows 2008 and newer DNS servers, so you don’t have to create them manually on each DNS server. This way the Conditional Forwarder is available domain- or forest-wide.

Parent-Child DNS Zone Delegation

Delegation can be used in a situation where a child domain hosts its own DNS zone. In the forest root domain, you create a delegation for the child zone that points to the IPs of the DNS servers in the child domain. This is normally done when the child zone has its own administrators. It’s also useful when they should not have access to “see” all of the forest root DNS records.

Summary

I hope this helps! If you have any questions, and I’m sure you do, please feel free to reach out to me.

Major revision – Published 3/20/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Mobility

As many know, I work as an Active Directory, Exchange Server, and Office 365 engineer/architect, am an MVP in Active Directory and Identity Management, and am an MCT as well. I strive to perform my job to the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises, to help ease their jobs. Share the knowledge is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exist and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day-to-day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.


Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Event ID 5774

In general, these events indicate that the machine is unable to register its records with the DNS server it’s configured to use.

Possible causes:

  • An ISP’s DNS server, or the router’s IP address, is set to be used as a DNS server in NIC properties.
  • The AD zone is configured to not allow dynamic updates.
  • If the 1st DNS entry is in another site, a firewall may be blocking necessary traffic.
  • Altered default security settings on the zone.
  • Altered default security settings in AD.
  • Altered default security settings on C: drive or C:\Windows folder.
  • Antivirus not configured to allow domain communications and services exceptions. See the antivirus vendor documentation on how to configure DCs for exclusions.
  • If the zone is set to Secure Only, Kerberos authentication errors will prevent registration. Causes of Kerberos errors can be numerous, including a misconfigured time service, missing antivirus exclusions, using an ISP’s DNS, third-party installed firewalls or AV, and more.

Note on Firewalls

Active Directory communications require over 29 ports to be allowed, plus the ephemeral ports, whose range differs among operating system versions:

  • Windows 2003, Windows XP and older: UDP 1024 – 5000
  • Windows 2008, Windows Vista, & newer: UDP 49152 – 65536

DNS updates require TCP 53 & UDP 53, not just TCP 53.
It can be extremely challenging to configure a firewall for AD communications. The general rule of thumb is to just allow all traffic between locations.

Here’s a good list of the ports:

Active Directory Firewall Ports – Let’s Try To Make This Simple (RODC, too)
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

If you need to control the ports AD uses across a firewall:

Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx

Paul Bergson’s Blog on AD Replication and Firewall Ports
http://www.pbbergs.com/windows/articles/FirewallReplication.html
http://www.pbbergs.com/windows/articles.htm

Restricting Active Directory replication traffic and client RPC traffic to a unique port
http://support.microsoft.com/kb/224196

How to restrict FRS replication traffic to a specific static port
http://support.microsoft.com/kb/319553


You can run the following tests on AD to ensure there are no errors:

  • DCDIAG /V /C /D /E /s:yourDCName > c:\dcdiag.log
  • Netdiag.exe /v > c:\netdiag.log (Run only on Windows 2003 or older DCs, not 2008 or 2008 R2)
  • repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
  • ntfrsutl ds domain.com > c:\sysvol.log

Possible solutions:

  1. On the machine logging the above event, in its TCP/IP configuration, make sure it’s not configured with the same DNS server for both Primary and Secondary.
  2. The following registry value is incorrect: “SiteCoverage” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. This value typically should equal the domain name.
  3. You can try to flip the zone types to reset the default settings:
    1. Change the zone type from Active Directory integrated to “Standard Primary”, then stop & start DNS.
    2. Then stop & start the Netlogon service on the child DC & verify that the records are registered.
    3. If verified, change the zone type back to Active Directory integrated and verify that the DC no longer logs the Event log errors when the Netlogon service is stopped & started.
  4. Make sure the machine logging the above event is pointing to a DNS server that supports Dynamic updates and is hosting a zone for the domain (i.e. make sure it’s not pointing to the ISP’s DNS server).
  5. Verify there is no manually created record (CNAME, A, or other) for the same hostname. If there is, it will prevent the DC from dynamically registering its host record, and you need to remove the manually created record.
  6. In a Parent – Child delegated scenario where Event ID 5774 was logged on the domain controllers in the child domain:
        Setup: On the parent DNS servers, there is a delegation for the child DNS servers. The child DNS servers have forwarders up to the parent DNS servers.
        Cause and Fix: On the Security tab of the delegation, check whether “Authenticated Users” is missing. If so, add “Authenticated Users” and grant Full Control.

References:

Domain Controller Generates a Netlogon Error Event ID 5774
http://support.microsoft.com/?id=284963

A DNS Update is recorded as failed: Event ID 5774, 1196, or 1578
This problem occurs when you use a third-party server application for DNS resolution. This includes SCCM causing false alarms, and cluster resources not initiating using a third party DNS server.
Hotfix available for Windows Server 2008 R2 or Windows 7.
http://support.microsoft.com/kb/977158

Event ID: 5774 Source: NETLOGON
http://eventid.net/display.asp?eventid=5774&eventno=353&source=NETLOGON&phase=1

Other References:

Technet thread: “Event 5774, NETLOGON” Friday, November 20, 2009
http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/0507f7cc-c426-439b-a0c6-d36cda2dfee8

Technet thread: “Netlogon event 5774” Tuesday, February 01, 2011
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/cf5c1e9e-dccb-45e2-9f14-144f8ba1f838/

================================================

Summary

I hope this helps with figuring out and fixing an Event ID 5774. 

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php


How to Create a Delegated Subnet Reverse Zone

You really, really want to host your public DNS records? If you do, you may also want to host your public IP range, instead of having to call your ISP every time you need a reverse (PTR) entry created or updated.

The key thing is setting the NS records in your zone file to the nameservers that are authoritative for the zone according to ARIN, and removing all iterations of your own nameservers.

Create the delegated subnetted zone by following the syntax for “Child subnetted reverse lookup zone file” in the following article. But keep in mind, this MUST be done using a Standard Primary zone, so if it’s an AD Integrated zone, you must revert it to a Standard Primary zone so you can work on the zone files. Once you’re done you can change it back to AD Integrated, if you so desire.

How to configure a subnetted reverse lookup zone on Windows NT, Windows 2000, or Windows Server 2003
http://support.microsoft.com/kb/174419

Let’s try this example:

IP Subnet example: 192.168.10.160/27 (or 255.255.255.224)
IP Subnet Range:   192.168.10.160 to 192.168.10.191

If you take a look at that KB article I posted, it shows the exact steps needed to create it. That’s how I did it!

Let’s see if I can do it for your subnet range. I am not guaranteeing it will work, because it’s also reliant on how your ISP has it delegated.

Your IP subnet, 192.168.10.173/255.255.255.224, indicates it is part of a range starting at 192.168.10.160 and ending at 192.168.10.191, which gives you 32 addresses in the range, 30 usable; assuming one is of course the router (gateway), that makes it 29 usable IPs.

Therefore, if this range was delegated to you, the key IP to look at, which actually “describes” the network block, is 192.168.10.160/27 or 192.168.10.160/255.255.255.224.

Based on the above, let’s run through the steps…

  1. Ask the ISP to delegate the subnetted zone, 192.168.10.160/27, to your name servers (you need two of them).
  2. Then, to create the zone name, we must base it on your subnet’s starting IP and the subnet bit count.
  3. The IP subnet is 192.168.10.160/27:
              The starting IP of this subnet = 192.168.10.160
              The bit count of this subnet = 27
     Therefore the syntax will be:
              <SubnetStartIP>-<SubnetBits>.10.168.192.in-addr.arpa
              OR
              160-27.10.168.192.in-addr.arpa
  4. Based on that, create a reverse (in-addr.arpa) zone called 160-27.10.168.192.in-addr.arpa (its zone file will be 160-27.10.168.192.in-addr.arpa.dns).
  5. Then save it as a Standard Primary Zone (not an AD Integrated zone).
  6. Stop the DNS Server Service – In the DNS console, right click the server name, choose Stop.
  7. Then go into the file (system32\dns folder), and change all NS iterations from your server.InternalDomainName.com to the ISP’s, such as ns.ISPsAuthoritativeServer.com.
     (Please read the KB article for more information on how the zone file should be configured.)
  8. Save the file.
  9. Then start the DNS Server Service – In the DNS console, right click the server name, choose Start.
  10. Then right-click the zone, choose Reload.
  11. Then right-click the zone, Properties, Name Servers tab, and remove your own server as an NS record, keeping only the authoritative server.
  12. Create a PTR record, such as for 192.168.10.173, under the zone, and call it whatever you want, such as ace.WhateverYourZoneNameIs.com.
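As an added example (not from the original post), here is the zone-name and PTR-name arithmetic from the steps above in Python, generalized to any IPv4 block smaller than a /24, plus the NS and CNAME records the ISP’s parent /24 reverse zone needs for the delegation (the RFC 2317 layout that KB 174419 follows, an assumption about the ISP side). The ns1/ns2.example.com names and the 192.168.10.x block are constructed sample values.

```python
"""Classless (delegated subnet) reverse zone naming, as in the steps above.

Added example, not the post's own code. Zone name convention used:
<SubnetStartIP>-<SubnetBits>.<3rd>.<2nd>.<1st>.in-addr.arpa
"""
import ipaddress
from typing import List, Tuple

# (owner name, record type, record data), all names fully qualified.
Record = Tuple[str, str, str]


def delegated_reverse_zone(cidr: str) -> str:
    """Zone name for a delegated subnetted reverse zone.

    A host address with a mask, such as 192.168.10.173/27 from the post,
    is normalised to the network address first.  Only /25 to /32 blocks
    need this naming; a /24 or larger is an ordinary in-addr.arpa zone.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or not 25 <= net.prefixlen <= 32:
        raise ValueError("classless reverse delegation applies to IPv4 /25 - /32 blocks")
    o1, o2, o3, o4 = str(net.network_address).split(".")
    return f"{o4}-{net.prefixlen}.{o3}.{o2}.{o1}.in-addr.arpa"


def ptr_owner_name(ip: str, cidr: str) -> str:
    """Owner name of the PTR record for ip inside the delegated zone."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is outside {net.with_prefixlen}")
    last_octet = str(addr).split(".")[-1]
    return f"{last_octet}.{delegated_reverse_zone(cidr)}"


def usable_host_count(cidr: str) -> int:
    """Addresses in the block minus network, broadcast and one gateway."""
    net = ipaddress.ip_network(cidr, strict=False)
    return max(net.num_addresses - 3, 0)


def parent_zone_records(cidr: str, ns_hosts: List[str]) -> List[Record]:
    """Records the ISP adds to its /24 reverse zone to delegate the block.

    Assumed RFC 2317 layout: NS records delegating the subnetted zone name
    to your name servers, plus one CNAME per address that redirects the
    classful name (173.10.168.192.in-addr.arpa.) into the delegated zone.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    zone = delegated_reverse_zone(cidr) + "."
    records: List[Record] = [(zone, "NS", ns) for ns in ns_hosts]
    for addr in net:  # every address in the block, network and broadcast included
        o1, o2, o3, o4 = str(addr).split(".")
        classful_name = f"{o4}.{o3}.{o2}.{o1}.in-addr.arpa."
        records.append((classful_name, "CNAME", f"{o4}.{zone}"))
    return records


if __name__ == "__main__":
    # Constructed sample values following the post's worked example.
    block = "192.168.10.173/27"
    print("zone:", delegated_reverse_zone(block))
    print("PTR owner:", ptr_owner_name("192.168.10.173", block))
    print("usable hosts:", usable_host_count(block))
    sample_ns = ["ns1.example.com.", "ns2.example.com."]
    for owner, rtype, rdata in parent_zone_records(block, sample_ns)[:4]:
        print(f"{owner:40} {rtype:6} {rdata}")
```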

Test it

Run nslookup or dig to test a query for 192.168.10.173 internally, then try it again using an external public nameserver.

If it doesn’t work, go through the above steps again. Follow the syntax EXACTLY.
If it does work, pour yourself a cold one.


References:

Technet Thread: “How to setup a Reverse lookup zone on windows 2008 server with IP address 65.19.134.173 and subnetmask 255.255.255.224.”
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/7c81a129-efa2-4b88-80bb-591c4119beb4/

Thread title: “Reverse DNS smaller than /24 (v4)”
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/4147e8fe-43d8-4eff-a890-a0e1e31a96ea/#bd664835-05b3-4d53-9b08-d845b177d9d2


By Ace Fekay

Comments are welcomed.

Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
   Microsoft Certified Trainer
   Microsoft MVP: Directory Services
   Active Directory, Exchange and Windows Infrastructure Engineer and Janitor
   www.delcocomputerconsulting.com

DNS Zone Types Explained, and their Significance in Active Directory


Revisions

Original publication 4/30/2013

Prelude

Ace here again. I thought I’d touch base on DNS zones, and more specifically, focus on what AD integrated zones are and how they work. This blog almost mimics my class lecture on this topic. Check back for updates periodically, which I will note with a timestamp above along with whatever I’ve added or modified.

This topic was also briefly discussed in the following Microsoft Technet forum thread:
Technet thread: “Secondary Zones?”
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/c1b0f3ac-c8af-4f4e-a5bc-23d034c85400


AD Integrated Zones: AD Database Storage Locations

First up is a background on the various parts of the Active Directory database and what gets stored in them. This will help you understand where DNS data is stored as I discuss it later in this blog.

The Active Directory Data Store (the AD database):

There are three possible storage locations for DNS zone storage in the Active Directory database:

  • DomainNC – This was the only available location with Windows 2000. It replicates to all DCs in a specific domain only.
  • DomainDnsZones partition – Introduced in Windows 2003 and used in all newer operating systems. It replicates to all DCs in a specific domain in the forest only.
  • ForestDnsZones partition – It replicates to all DCs in the forest.

You can see how not all partitions are replicated forest-wide; it depends on the partition.

Ok, Now the DNS Basics:

  • A Secondary is a read-only copy
  • A Secondary zone stores its data in a text file (by default in the system32\dns folder)
  • A Secondary gets a copy of the zone data from the Primary
  • A Primary is the writeable copy
  • A Primary stores its zone data in a text file (by default in the system32\dns folder)
  • There can only be one Primary, but as many Secondary zones as you want.
  • You must allow zone transfer capabilities from the Primary zone if you want to create a Secondary.
  • AD integrated zones do NOT need zone transfers to be allowed (see below for specifics)

Active Directory Integrated Zones change this a bit:

AD Integrated zones are similar to Primary zones; however, their data is stored as binary data in the actual AD database and not as a text file. The specific place in the AD database depends on the DC’s operating system version and the replication scope, that is, which “logical” part of the physical AD database it’s stored in, which in turn determines which DCs in the forest it will replicate to.

  • The “only one Primary Zone” rule is changed by introducing the Multi-Master Primary feature. This is because the data is not stored as a text file; rather, it is stored in the actual, physical AD database (in one of 3 different logical locations, or what we call the Replication Scope), and any DC that has DNS installed (based on the replication scope) will hold a writeable copy.
  • The zone data is replicated to the other DCs in the replication scope where the data is stored (based on one of the 3 logical locations).
  • Each DC in the replication scope that has DNS installed will automatically make the zone data available in DNS.
  • Each DC that hosts the zone can “write” to the zone, and the changes get replicated to the other DCs in the replication scope of the zone.
  • The DC that makes a change becomes the SOA at that point in time, until another DC makes a change to the zone, at which point that DC becomes the SOA.
  • An AD Integrated zone can be configured to allow zone transfers to a Secondary, but the Secondary CANNOT be a DC in the same replication scope as the zone you are trying to create as a Secondary; otherwise the DC you are attempting to create the Secondary on will automatically change it to AD integrated, since it “sees” it in the AD database. In some cases, if this is forced or done incorrectly, it can lead to duplicate or conflicting zones in the AD database, which is problematic until fixed.

And if you install DNS on another DC, the zone data will *automatically* appear because DNS will recognize the data in the AD database. AD integrated zones can also act as a Primary zone for secondary zones, whether they are on Windows machines, BIND (on Unix) or any other name brand.

Remember, AD integrated zones still follow the RFCs, but have more features.


Duplicate or Conflicting zones?

Since I touched base on duplicate and conflicting zones, you may want to check if they exist in your AD database. You have to check each partition, and if you have more than one domain, you have to check the DomainDnsZones and DomainNC of each domain. You may even have to check it on multiple DCs in various AD Sites to see if they all “see” the same copy or different copies. You would be surprised what I’ve seen with AD replication problems, with different DCs “seeing” something different in their own databases. This issue also manifests as a symptom beyond just DNS, where you create a user on one DC and it never replicates to another DC.

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx


Primary Standard Zone, Secondary Standard Zones & Zone Transfers

Zone transfers allow you to create a read only copy (a Secondary zone) on another DNS server, that will pull a copy (transfers) from the read/writable zone (the Primary zone).

Primary and Secondary zones store their data as text files.

On a Windows machine, the zone files can be found in the \system32\dns folder with a file name such as “domain.com.dns”. You can have numerous read only copies, but there can only be one read/write of that zone.

Please keep in mind, the authoritative DNS server listed at the registrar for a public domain name (zone) does not have to be a Primary; it’s just the host nameserver listed as authoritative. It can get its data from a Primary that is not listed, hence the writable copy is actually hidden and protected from public access.

Do I need Zone transfers Allowed for AD Integrated Zones if I do not have Secondaries Zones?

The short answer: NOPE.

The reason is that the term “AD Integrated” means the zone is stored in the AD database, and the zone will replicate to other domain controllers within the same replication scope (domain-wide or forest-wide) automatically as part of the AD replication process.

By default, AD integrated zones are configured to not allow zone transfers.

Allowing zone transfers is an option provided to support non-DC DNS servers, BIND or any other name brand DNS server that you want to allow zone transfers to a secondary on those servers.

Rotating SOA

Additional security options are one of the features of AD integrated zones, as is the fact that there can be more than one Primary copy of the zone. This is because all DNS servers that host the zone in a domain or forest hold writable copies, and one becomes the actual “start of authority” (SOA) of that zone when that specific DC/DNS accepts a write operation, such as a client machine registering, or the DC itself updating its SRV records.

For example, if a DC updates its SRV and other records at the default 60 minute interval (all other machines register every 24 hours), it will update its data into the DNS server listed as the first DNS address in the network card. This server now writes it into DNS and NOW becomes the SOA of the zone. That data is replicated to the other DC/DNS servers with default AD replication. Now all other DC/DNS servers will see the change.

To further explain, since the zone is AD integrated, each and every DC in the replication scope of the zone can accept changes, due to an AD integrated zone’s Multi-Master Primary Zone feature. Based on the definition of an SOA, that being the DNS server that’s authoritative to accept writes, whichever DC/DNS accepted a change to the zone becomes the SOA for that moment in time. Then the next DC/DNS that accepts a change becomes the new SOA. The SOA constantly changing in an AD environment is accepted, default behavior.

That is why you can watch the SOA name on AD integrated zones change. The data is replicated automatically as part of the AD replication process because it is stored in the AD database.

Active Directory-integrated DNS zone serial number behavior (SOA default behavior) 
http://support.microsoft.com/kb/282826 


References

Configure AD Integrated Zones
(When converting to AD integrated zones)
Quoted: “Only primary zones can be stored in the directory. If a zone is configured on other domain controllers as a secondary zone, these zones will be converted to primary zones when you convert the zone to AD integrated. This is because the multimaster replication model of Active Directory removes the need for secondary zones when a zone is stored in Active Directory. Conversion of the zone from secondary to primary will occur when AD DS is restarted.”
http://technet.microsoft.com/en-us/library/ee649181(v=ws.10)

Understanding DNS Zones
http://www.tech-faq.com/understanding-dns-zones.html

Understanding stub zones: Domain Name System(DNS)
http://technet.microsoft.com/en-us/library/cc779197(v=ws.10).aspx

AD & Dynamic DNS Updates Registration Rules of engagement

Keep in mind, for the most part it automatically works “out of the box” without much administrative overhead.

Original Compilation: 11/19/2012
Updated: 9/5/2013

Prologue

What I’ve tried to do is accumulate all pertinent information about configuring dynamic DNS registration in an AD environment. I hope I haven’t missed anything, and that I’ve explained each numbered bullet point well enough, and removed all ambiguity, for you to fully understand each point.

And yes, this blog is regarding an AD environment. If you have a non-AD environment with a Windows DNS server that you want your computers to register, please read the following blog:

DNS Dynamic Updates in a Workgroup
https://blogs.msmvps.com/acefekay/2013/06/12/dns-dynamic-updates-in-a-workgroup/


===

Summary

  1. The machine’s DNS entries in the NIC must ONLY be configured to use the internal DNS servers that host the zone. No others.
    1. DHCP Option 006 MUST only be the internal DNS server(s) you want to use; otherwise, if using an ISP’s DNS or your router, expect undesired results.
  2. The Primary DNS Suffix on the machine MUST match the zone name in DNS.
    1. For joined machines, this is default. 
    2. For non-joined machines, the Primary DNS Suffix must be manually configured or scripted.
  3. If using DHCP Option 015 (Connection Specific Suffix), it must match the zone name and have “Use This Connection’s DNS Suffix in DNS Registration” along with “Register This Connection’s Addresses in DNS” checked in the NIC’s IPv4, Advanced, DNS tab.
    1. For additional information on how to configure updates in a workgroup:
      DNS Dynamic Updates in a Workgroup
      https://blogs.msmvps.com/acefekay/2013/06/12/dns-dynamic-updates-in-a-workgroup/
  4. The Zone must be configured to allow updates.
  5. For AD Integrated Zones where you have it configured for “Secure and Unsecure Updates”:
    1. If the machine’s network card DNS address entries have been statically configured:
            – They must only point to the internal DNS servers that host the AD zone or to servers that have a reference to the zone (such as stubs, secondary zones, conditional forwarders, or forwarders).
            – It must be joined to the domain in order to authenticate using Kerberos to update.
    2. If statically configured and not joined to the domain, the client can’t update its record if the zone is set to Secure Only.
    3. For non-joined domain DHCP clients, you can configure DHCP to update in lieu of the client updating into a Secure Only zone.
  6. For any non-Windows statically configured machine, it must support the DNS Dynamic Updates feature and the zone configured to allow Secure and Unsecure updates.
  7. If the DNS server is multihomed and not configured properly to work with multihoming, it may cause problems with Dynamic Updates.
    1. Read the following for more info:
      Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, Clustering interfaces, management interfaces, backup interfaces, and/or PPPoE adapters – A multihomed DC is not a recommended configuration, however there are ways to configure a DC with registry mods:
      http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx
  8. If the zone is a single label name, such as ‘domain’ instead of the proper minimal format of ‘domain.com,’ ‘domain.net,’ etc., it will NOT update.
  9. The client will “look” for the SOA of the zone when it attempts registration. If the SOA is not available or resolvable, it won’t register. Keep in mind with AD integrated zones the SOA rotates among the DCs because of the multimaster feature. This is default and expected behavior, but if there are any DCs that have any problems, and the client resolved the SOA to that DC, it may not accept the update.
  10. The zone in DNS must NOT be a single label name, such as “DOMAIN” instead of the required minimum of two hierarchical levels such as domain.com, domain.local, domain.me, domain.you, etc. Single label name zones are problematic, do not conform to the DNS RFCs, and cause excessive Internet traffic to the Root Servers when DNS tries to resolve a single label name query, such as querying for computername.domain; in such a query, the domain name is actually treated as a TLD. ISC took note of the excessive traffic generated by Microsoft DNS servers configured with a single label name in 2004 with Microsoft, which in turn disabled the ability of Microsoft DNS in Windows 2000 SP4 and newer to resolve single label names without a registry band-aid. More info on this:
    1. Active Directory DNS Domain Name Single Label Names – Problematic
      Published by Ace Fekay, MCT, MVP DS on Nov 12, 2009
      http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx
  11. For Windows 2008 and all newer operating systems, IPv6 must not be disabled. If disabled, it will cause other problems:
    The Cable Guy – Support for IPv6 in Windows Server 2008 R2 and Windows 7, by Joseph Davies, Microsoft, Inc.
    Quoted by Joseph Davies, MSFT:
    “IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. “Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.”
    http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
    1. Arguments against disabling IPv6
      Demoire, [MSFT], 24 Nov 2010 12:37 AM
      http://blogs.technet.com/b/netro/archive/2010/11/24/arguments-against-disabling-ipv6.aspx
    2. IPv6 for Microsoft Windows: Frequently Asked Questions
      (Basically Microsoft is saying in this KB article to not disable IPv6)
      http://technet.microsoft.com/en-us/network/cc987595.aspx

 

Full explanation:

  1. Active Directory’s DNS Domain Name is NOT a single label name (“DOMAIN” vs. the minimal requirement of “domain.com.” “domain.local,” etc).
  2. The Primary DNS Suffix MUST match the zone name that is allowing updates. Otherwise the client doesn’t know which zone to register in. You can also configure a different Connection Specific Suffix in addition to the Primary DNS Suffix in order to register into that zone as well.
  3. AD/DNS zone MUST be configured to allow dynamic updates, whether Secure or Secure and Non-Secure. For client machines, if a client is not joined to the domain, and the zone is set to Secure, it will not register either.
  4. You must ONLY use the DNS servers that host a copy of the AD zone name or have a reference to get to them.
    1. Do not use your ISP’s DNS, any other external DNS address, or your router as a DNS address.
    2. Do not use any DNS that does not have a copy of the AD zone.
    3. Internet resolution for your machines will be accomplished by the Root servers (Root Hints), however it’s recommended to configure a forwarder for efficient Internet resolution.
  5. The domain controller must not be multihomed (that is, it must not have more than one unteamed, active NIC, more than one IP address, and/or RRAS installed on the DC); a multihomed DC that is not specifically configured for it causes registration problems.
  6. The DNS addresses configured in the client’s IP properties must ONLY reference the DNS server(s) hosting the AD zone you want to update in.
    1. This means that you must NOT use an external DNS in any machine’s IP property in an AD environment.
    2. You can’t mix internal and external DNS servers. This is because of the way the DNS Client side resolver service works. Even if you mix internal DNS and ISP DNS addresses, the resolver algorithm may still pick the wrong DNS server to query. Based on how the algorithm works, it asks the first one first. If it doesn’t get a response, it removes the first one from the eligible resolvers list and goes to the next in the list. It will not go back to the first one unless you restart the machine, restart the DNS Client service, or set a registry entry to cut the query TTL to 0. The rule is to ONLY use your internal DNS server(s) and configure a forwarder to your ISP’s DNS for efficient Internet resolution.
    3. There is a registry entry to cut the query to 0 TTL (normally this is not necessary, but I’m posting it as a reference).
      1. The DNS Client service does not revert to using the first server … The Windows 2000 Domain Name System (DNS) Client service (Dnscache) follows a certain algorithm when it decides the order in which to use the DNS servers …
        http://support.microsoft.com/kb/286834
    4. The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP (applies to all Operating Systems, too)
      http://support.microsoft.com/kb/320760
    5. For more info, please read the following on the client side resolver service:
      DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted SMB (DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm if you have multiple forwarders.
      http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
  7. For DHCP clients, DHCP Option 006 for the clients is set to the same DNS server(s).
  8. If using DHCP, the DHCP server must only reference the same exact DNS server(s) in its own IP properties in order for it to ‘force’ (if you set that setting) registration into DNS. Otherwise, how would it know which DNS server to send the DNS registration request data to?
  9. If the AD DNS Domain name is a single label name, such as “EXAMPLE”, and not the proper format of “example.com” and/or any child of that format, such as “child1.example.com”, then we have a real big problem. DNS will not allow registration into a single label domain name.
    This is for two reasons:
    1. It’s not the proper hierarchical format. DNS is hierarchical, but a single label name has no hierarchy. It’s just a single name.
    2. Registration attempts cause major Internet queries to the Root servers. Why? Because the resolver thinks the single label name, such as “EXAMPLE”, is a TLD (Top Level Domain), such as “com”, “net”, etc. It will now try to find which Root name server out there handles that TLD. In the end it comes back to itself and then attempts to register. Unfortunately it does NOT ask itself first, for the mere reason that it thinks it’s a TLD.
    3. Quoted from Alan Woods, Microsoft, 2004:
      “Due to this excessive Root query traffic, which ISC found from a study that discovered Microsoft DNS servers are causing excessive traffic because of single label names, Microsoft, being an internet friendly neighbor and wanting to stop this problem for their neighbors, stopped the ability to register into DNS with Windows 2000 SP4, XP SP1, (especially XP, which cause lookup problems too), and Windows 2003. After all, DNS is hierarchical, so therefore why even allow single label DNS domain names?”
    4. The above also *especially* applies to Windows Vista, Windows 7, 2008, 2008 R2, Windows 2012, and newer.
  10. ‘Register this connection’s addresses in DNS’ on the client is not enabled under the NIC’s IP properties, DNS tab.
  11. Maybe there’s a GPO set to force Secure updates and the machine isn’t a joined member of the domain.
  12. With Windows 2000, 2003 and XP, the “DHCP Client” service is not running. In Windows 2008, Windows Vista and all newer operating systems, it’s now the DNS Client service.
    1. This is a requirement for DNS registration and DNS resolution even if the client is not actually using DHCP.
    2. Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops (2000/2003/XP only)
      http://support.microsoft.com/?id=264539
  13. You can also configure DHCP to force register clients for you, as well as keep the DNS zone clean of old or duplicate entries. The following has more information on how to do that:
    1. DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the DnsProxyUpdate Group (How to remove and prevent future duplicate DNS host records)
      Published by acefekay on Aug 20, 2009 at 10:36 AM
      http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx
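As an added example (not part of the original post), the following PowerShell script walks the requirements above on a Windows 8 / Windows Server 2012 or newer client and reports each one as pass or fail: the Primary DNS Suffix is present and not single-label, registration is not switched off in the registry, the DNS Client service is running, IPv6 is still bound, "Register this connection's addresses" is on, and every configured DNS server can answer both the zone's SOA and the DC locator SRV record (which an ISP or router DNS address cannot). It assumes the in-box DnsClient and NetAdapter modules and an elevated session on the client being checked; the function and check names are my own.

```powershell
# Added example: pre-flight checks for dynamic DNS registration, one per rule above.
# Assumes Windows 8 / Server 2012 or newer (DnsClient, NetAdapter modules) and an
# elevated session on the client being checked. Function and check names are mine.

function Test-DdnsPrerequisites {
    $results = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Check, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" })
    }

    # The Primary DNS Suffix must exist and must not be a single-label name.
    # It is stored under Tcpip\Parameters as the "Domain" value.
    $tcpip  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $suffix = [string]$tcpip.Domain
    & $add 'Primary DNS suffix present' ($suffix -ne '')      $suffix
    & $add 'Suffix is not single-label' ($suffix -match '\.') $suffix

    # Registration can be switched off per machine via DisableDynamicUpdate (KB 246804).
    & $add 'DisableDynamicUpdate not set' ($tcpip.DisableDynamicUpdate -ne 1) "value=$($tcpip.DisableDynamicUpdate)"

    # On Vista/2008 and newer the DNS Client service (Dnscache) does the registering.
    $svc = Get-Service -Name Dnscache
    & $add 'DNS Client service running' ($svc.Status -eq 'Running') $svc.Status

    # IPv6 must stay bound on every adapter.
    $v6off = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { -not $_.Enabled }
    & $add 'IPv6 bound on all adapters' (-not $v6off) (($v6off | ForEach-Object Name) -join ', ')

    # Every DNS server on every connected interface must host the AD zone or have a
    # reference to it, and the zone SOA must be resolvable. An ISP or router address
    # cannot answer the DC locator SRV record, so that query is used as the test.
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        if (-not $cfg.ServerAddresses) { continue }
        $client = Get-DnsClient -InterfaceIndex $cfg.InterfaceIndex
        & $add "Register this connection ($($cfg.InterfaceAlias))" $client.RegisterThisConnectionsAddress $cfg.InterfaceAlias
        foreach ($srv in $cfg.ServerAddresses) {
            try {
                $soa = Resolve-DnsName -Name $suffix -Type SOA -Server $srv -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
                $null = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$suffix" -Type SRV -Server $srv -DnsOnly -ErrorAction Stop
                & $add "DNS server $srv serves $suffix" $true "SOA primary: $($soa.PrimaryServer)"
            } catch {
                & $add "DNS server $srv serves $suffix" $false $_.Exception.Message
            }
        }
    }
    return $results
}

Test-DdnsPrerequisites | Format-Table -AutoSize
```

Run it on the client that is failing to register; any row with Pass = False maps directly onto one of the numbered rules above. A server that answers the SOA but not the `_ldap._tcp.dc._msdcs` SRV query is the classic sign of an ISP or router address in the NIC's DNS list.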

 

What will stop AD SRV registration:

  1. Any DNS server referenced in TCP/IP properties that does not host the AD zone name, or does not have a reference to the internal AD zone name.
    1. External DNS servers do not host or have a reference, therefore must NOT be used.
    2. AD Domain machines must never be pointed at an external (ISP) DNS server or even use an ISP DNS server as an “Alternate DNS server” because they do not host the internal AD zone, or have a reference to it.
      1. Only use internal DNS servers when part of an Active Directory domain. Active Directory’s Reliance on DNS, and why you should never use an ISP’s DNS address or your router as a DNS address, or any other DNS server that does not host the AD zone name
        http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx
  2. Are any services disabled such as the DHCP Client service or the DNS Client Service? They are required services, whether the machine is static or DHCP.
    1. No DNS registration functions if DHCP Client Service Is Not Running (2000/2003/XP only)
      http://support.microsoft.com/?id=268674
    2. Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops (2000/2003/XP only)
      http://support.microsoft.com/?id=264539
    3. For all Windows 2008, Windows Vista and all newer operating systems, it’s the DNS Client Service.
  3. The AD/DNS zone not configured to allow dynamic updates.
  4. Make sure ‘Register this connection’s address” in DNS is enabled under TCP/IP properties.
  5. Missing or incorrect “Primary DNS suffix” or “Connection-specific DNS suffix” of the domain to which the machine belongs. 
    1. If either of these is incorrect, the client side service cannot find the correct zone to register into. If missing or incorrect, it is called a disjointed domain namespace.
  6. Is a firewall enabled? (Disable it temporarily to test, or allow the required traffic; see item 21.)
  7. Were the default C: drive permissions altered and was a hotfix installed recently?
    1. “Systems that have changed the default Access Control List permissions on the %windir%\registration directory may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC”
      http://support.microsoft.com/kb/909444
    2. For more info about this issue, see:
      http://blogs.technet.com/steriley/archive/2005/11/08/414002.aspx
  8. If the zone is set to Secure Updates Only, the computer may not have authenticated to the domain (which can be due to DNS misconfiguration or a DNS server problem), which of course causes more problems than just DNS registration.
  9. Are File and Print Services enabled?
    1. They must be enabled.
  10. Is Client for Microsoft Networks (Microsoft Client Services) enabled?
    1. If not, it must be enabled.
  11. Is DNS service listening on the private LAN interface?
    1. Check under the Interfaces tab under DNS server properties in the DNS console.
  12. More than one NIC on a client?
    1. The wrong one may be registering.
  13. Updates allowed on the zone?
    1. This is an obvious one.
  14. Primary DNS suffix matches the zone name in DNS and the AD domain name?
    1. If not, then it won’t register into the zone.
  15. Was Zone Alarm ever installed on these machines?
    1. If so, ZA leaves SYS files and other remnants that continue to block traffic.
  16. Any Event log errors?
  17. Was a Registry entry configured to stop registration?
    1. 246804 – How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per NIC too):
      http://support.microsoft.com/?id=246804
  18. Spyware or something else such as DotNetDns installed on it?
    1. Download the free tool at www.malwarebytes.com and run a malware scan.
    2. Download the free Malicious Software Scanner from Microsoft and run a scan
    3. Download TrendMicro HouseCall free scan tool and run it.
  19. Single Label Domain Name?
    1. Active Directory DNS Domain Name Single Label Names – Problematic – And this applies to any DNS zone name, not just AD.
      Published by Ace Fekay, MCT, MVP DS on Nov 12, 2009 at 6:25 PM
      http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx
  20. Netlogon and DFS services must be started.
  21. Malware or virus altering network services preventing it from registering.
    1. Some sort of firewall in place, whether the Windows firewall disabling File and Print Services, or a 3rd party firewall, which many AV programs now have built in and must be adjusted to allow this sort of traffic and exclude the NTDS and SYSVOL folders.
    2. If Windows Firewall, run the following to see what settings are enabled (on Windows Vista/2008 and newer, the equivalent is netsh advfirewall show allprofiles):
      netsh firewall show config
  22. Is IPv6 disabled? That will stop registration.
    1. Enable it.
  23. Do any duplicate AD integrated zones exist in the AD database?
    1. This will cause major problems. Any duplicates found must be deleted. The cause must also be determined to eliminate it from occurring again.
    2. Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
      Published by acefekay on Sep 2, 2009 at 2:34 PM
      http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx
  24. Were imaged machines cloned without the image being Sysprepped first? 
    1. If not, duplicate SIDs will cause machines to fail authentication to register into the zone.
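As an added example (not from the original post), here is a PowerShell check for the DC-side items in the list above. It confirms the Netlogon, DFS, DNS Client and DNS Server services are running, that the DNS service listens on the LAN addresses, that registration is not disabled in the registry, and then reads the records Netlogon itself wants registered (the netlogon.dns file every DC writes) and queries each one against the DC's own DNS server, so missing SRV, A or CNAME records are listed by name. It assumes Windows Server 2012 or newer (DnsClient and DnsServer modules) and an elevated session on the DC; the function name and report layout are my own.

```powershell
# Added example: DC-side checks for the "What will stop AD SRV registration" list,
# plus a record-by-record comparison of netlogon.dns against what DNS answers.
# Assumes Windows Server 2012+ (DnsClient/DnsServer modules) and an elevated session
# on the DC. Function name and report layout are mine.

function Test-DcSrvRegistration {
    param(
        # Netlogon writes every record it tries to register to this file on each DC.
        [string]$NetlogonDns = "$env:SystemRoot\System32\config\netlogon.dns"
    )
    $report = New-Object System.Collections.Generic.List[object]
    $add = { param($Item, $Pass, $Detail)
        $report.Add([pscustomobject]@{ Item = $Item; Pass = [bool]$Pass; Detail = "$Detail" }) }

    # Netlogon and DFS must be started (item 20); the DNS Client service registers (item 2).
    foreach ($name in 'Netlogon', 'Dfs', 'Dnscache', 'DNS') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        & $add "Service $name running" ($svc -and $svc.Status -eq 'Running') ($(if ($svc) { $svc.Status } else { 'not installed' }))
    }

    # The DNS service must listen on the private LAN interface (item 11). An empty
    # listening list means "all addresses", which is treated as a pass.
    $lanIps = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }).IPAddress
    $listen = (Get-DnsServerSetting -All).ListeningIPAddress | ForEach-Object { "$_" }
    $notListening = $lanIps | Where-Object { $listen -and ($listen -notcontains $_) }
    & $add 'DNS listens on all LAN addresses' (-not $notListening) ($notListening -join ', ')

    # Registration can be turned off in the registry (item 17, KB 246804).
    $tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    & $add 'DisableDynamicUpdate not set' ($tcpip.DisableDynamicUpdate -ne 1) "value=$($tcpip.DisableDynamicUpdate)"

    # Each netlogon.dns line is a zone-file record, e.g.
    #   _ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
    # Query each against the local DNS server and confirm the expected target answers.
    foreach ($line in Get-Content -Path $NetlogonDns) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[2] -ne 'IN') { continue }
        $name = $f[0].TrimEnd('.'); $type = $f[3]; $target = $f[-1].TrimEnd('.')
        try {
            $answers = Resolve-DnsName -Name $name -Type $type -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
            $hit = switch ($type) {
                'SRV'                    { $answers | Where-Object { $_.NameTarget -eq $target } }
                { $_ -in 'A', 'AAAA' }   { $answers | Where-Object { $_.IPAddress -eq $target } }
                'CNAME'                  { $answers | Where-Object { $_.NameHost -eq $target } }
                default                  { $answers }
            }
            & $add "$type $name" ([bool]$hit) $target
        } catch {
            & $add "$type $name" $false $_.Exception.Message
        }
    }
    return $report
}

Test-DcSrvRegistration | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

Once the failing item has been fixed, `nltest /dsregdns` (or restarting the Netlogon service) makes the DC re-register its records immediately rather than waiting for the periodic refresh, and re-running the check shows whether the missing records have appeared.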

 

Suggestions, Comments, Corrections are welcomed.

Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
   Microsoft Certified Trainer
   Microsoft MVP: Directory Services
   Active Directory, Exchange and Windows Infrastructure Engineer and Janitor
   www.delcocomputerconsulting.com

AD Upgrade Checklist and Procedure

AD migration checklist and procedure:
Technet Thread: "Migrating from AD 2003 to AD 2008 R2:"
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/906266b9-62c9-462f-b16e-3b801c7e2fc3/

Here’s a quick summary from:
Transitioning your Active Directory to Windows Server 2008 R2
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2010/05/26/transitioning-your-active-directory-to-windows-server-2008-r2.aspx
 

ADPREP

Run adprep with the following switches.  
If you are running it on a 32 bit machine, use the adprep32.exe version.
 
adprep /forestprep
adprep /domainprep /gpprep      Run after the forestprep and in each domain on the Infrastructure Master (IM) role holder (enables Resultant Set of Policy (RSOP) Planning Mode functionality)
adprep /domainprep              Run after the forestprep and in each domain
adprep /rodcprep                Run on the Domain Naming Master (DNM) role holder. Optional; only needed if you expect to install an RODC.
 
You can also use the /wssg switch so you can get a detailed result code instead of a 0 for success, or 1 for an error.
 
Allow replication time. Go get a cup of coffee, cold refreshment, or a beer.

 

Then check your schema version:

repadmin /showattr * "cn=schema,cn=configuration,dc=domain,dc=tld" /atts:objectVersion

Run it on all DCs. You can use PsExec (Sysinternals, available from Microsoft TechNet) to run it remotely in a command prompt, or create a script.
 
When all your Domain Controllers report Schema version 47, you’re good to go. If not, check the event logs and the C:\Windows\Debug\Adprep\Logs\adprep.log.

More info if needed:
Troubleshooting ADPREP Errors
http://blogs.technet.com/b/askds/archive/2008/12/15/troubleshooting-adprep-errors.aspx

 

Then raise the Domain Functional Level.

This adds two features:
1. Authentication Mechanism Assurance – The type of authentication used is added to the user’s Kerberos ticket.
2. Automatic SPN Management – Allows the use of Managed Service Accounts (MSAs) instead of Domain User accounts to run a service under.
Allow a bit of time to replicate. Go get a cup of coffee, a beer, whatever.
 

Then raise the Forest Functional Level.

This basically adds one thing:
1. The ability to enable the new Active Directory Recycle Bin feature.
 
If you want to enable it, go to Start, Programs, Active Directory Module for Windows PowerShell, then run (the DN and target below use the same placeholder domain, domain.tld):
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=tld' -Scope ForestOrConfigurationSet -Target 'domain.tld'
 
Allow replication time, too. Go get another beer.
 

Run the AD BPA

1. Server Manager, expand the Roles node
2. Select the Active Directory Domain Services role.
3. Scroll down to the Best Practice Analyzer section.
4. Click on the Scan This Role link on the right hand side.
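To verify the state this procedure should leave behind without visiting each DC, here is an added PowerShell example (my own, not from the referenced articles). It reads the schema objectVersion from every DC in every domain of the forest and compares it with 47, reports the domain and forest functional levels and whether the Recycle Bin optional feature has been enabled, and runs the same AD DS Best Practices Analyzer scan that Server Manager's "Scan This Role" link runs. It assumes the ActiveDirectory module (RSAT or a DC) and the BestPractices module that ships with Windows Server 2008 R2 and newer; function names are mine.

```powershell
# Added example: post-upgrade verification for the ADPREP / functional level /
# Recycle Bin / BPA steps above. Assumes the ActiveDirectory and BestPractices
# modules. Function names are mine; 47 is the Server 2008 R2 schema version quoted above.

Import-Module ActiveDirectory

function Get-SchemaVersionReport {
    param([int]$Expected = 47)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # adprep is forest-wide, so ask every DC in every domain, not just the local one.
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            try {
                $v = (Get-ADObject -Identity $schemaNC -Properties objectVersion -Server $dc.HostName).objectVersion
            } catch { $v = $null }   # unreachable DC: report it rather than skip it
            [pscustomobject]@{ Domain = $domain; DC = $dc.HostName; SchemaVersion = $v; Ready = ($v -ge $Expected) }
        }
    }
}

function Get-FunctionalLevelReport {
    $forest = Get-ADForest
    # EnabledScopes stays empty until the Recycle Bin has been enabled for the forest.
    $rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        DomainModes       = ($forest.Domains | ForEach-Object { "$_=$((Get-ADDomain -Identity $_).DomainMode)" }) -join '; '
        RecycleBinEnabled = [bool]$rb.EnabledScopes
    }
}

function Invoke-AdBpaScan {
    # Same scan as Server Manager's "Scan This Role" link for the AD DS role.
    Import-Module BestPractices
    $null = Invoke-BpaModel -ModelId Microsoft/Windows/DirectoryServices
    Get-BpaResult -ModelId Microsoft/Windows/DirectoryServices |
        Where-Object { $_.Severity -ne 'Information' } |
        Select-Object Severity, Category, Title
}

Get-SchemaVersionReport   | Format-Table -AutoSize
Get-FunctionalLevelReport | Format-List
Invoke-AdBpaScan          | Format-Table -AutoSize
```

Any DC with Ready = False has not replicated the schema extension yet (or is unreachable), which is the cue to look at its event logs and adprep.log as described above. Note that enabling the Recycle Bin feature is a one-way operation; it cannot be turned off again once enabled, so confirm the forest functional level first.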

Windows Server 2008 R2 Upgrade Paths
http://technet.microsoft.com/en-us/library/dd979563(WS.10).aspx

How to upgrade Windows Server 2003 R2 to Windows Server 2008 on a computer that includes a Baseboard Management Controller and a root-enumerated IPMI device
http://support.microsoft.com/kb/953224

 

Ace Fekay

Corrections, suggestions, & comments are welcomed

Install a Replica DC with DNS AD Integrated Zones

 

This blog provides an overview to add an additional replica DC in the same domain. This assumes the operating system versions are the same and you are not upgrading to a newer operating system version or upgrading Active Directory.

If you are upgrading your AD domain, please see this:
Install a replica DC with DNS AD Integrated Zones

If you have multiple sites, read this article:
Best Practices for Adding Domain Controllers in Remote Sites:
http://technet2.microsoft.com/windowsserver/en/library/6405bc5f-b8bf-449e-b11a-f116d22f858a1033.mspx?mfr=true

Here’s a good article on promoting a machine to a DC and other factors:
How do I install Active Directory on my Windows Server 2003 server?:
http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm

IF you have not done so, then install DNS. For assistance, read this article:
How To Install and Configure DNS Server in Windows Server 2003:
http://support.microsoft.com/kb/814591

Assuming the current zone is AD integrated, DO NOTHING ELSE. Do NOT create it manually or you will cause numerous problems and headaches. Sit there and wait. Go to lunch. Upon return, you will find the zone has automatically populated. Because AD integrated zones are in the actual AD database, the zone will automatically replicate to the new machine by the default AD replication process. There is really nothing else to configure on this part, that is assuming the zone is already AD integrated. Is it AD integrated? If so, what scope is it set to on both machines?

More information on DNS AD Integrated Replication Scopes:
http://technet2.microsoft.com/windowsserver/en/library/6c0515cf-1719-4bf4-a3c0-7e3514cef6581033.mspx?mfr=true

More detailed information on how to change AD Integrated DNS zone replication Scopes:
http://technet2.microsoft.com/windowsserver/en/library/e9defcdc-f4e5-43cd-9147-104f9b9d015a1033.mspx?mfr=true

If there is a problem where you cannot change the scope, read this:
You cannot change the replication scope of an Active Directory integrated DNS zone in Windows Server 2003
http://support.microsoft.com/kb/842560

Change the IP properties of this DC to use one of the other DCs as the first entry, and itself as the second. That’s it for this part. If not sure how, follow this article:
825036 – Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?id=825036

Go into DNS properties, configure a Forwarder to your ISP’s DNS. If not sure
how, this article will show you:
Configure a DNS Server to Use Forwarders – Windows 2008 and 2008 R2 (Includes info on how to create a forwarder)
http://technet.microsoft.com/en-us/library/cc754941.aspx

HOW TO Configure DNS for Internet Access in Windows Server 2003 (forwarding) :
http://support.microsoft.com/?id=323380
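The DNS part of this replica-DC procedure, as an added PowerShell example written for this page (not from the articles linked above). It first reports whether the AD integrated zone has arrived on the new DC by replication and whether the zone's replication scope and dynamic update setting match the existing DC (instead of creating the zone by hand), then sets the new DC's DNS client list to the other DC first and itself second, and finally replaces the forwarder list with the ISP's DNS servers. It assumes Windows Server 2012 or newer (DnsServer and DnsClient modules), an elevated session on the new DC, and the placeholder zone, names, interface alias and addresses declared at the top, all of which are constructed.

```powershell
# Added example: DNS steps for a new replica DC, run on the new DC itself.
# Assumes Windows Server 2012+ (DnsServer, DnsClient modules) and an elevated session.
# All names and addresses below are constructed placeholders.

$Zone   = 'example.com'                    # assumed AD domain / zone name
$PeerDc = 'dc1.example.com'                # assumed existing DC
$PeerIp = '192.0.2.10'                     # documentation-range placeholders
$SelfIp = '192.0.2.11'
$Nic    = 'Ethernet'                       # assumed interface alias on the new DC
$IspDns = '203.0.113.53', '203.0.113.54'

function Compare-AdZoneState {
    # Do NOT create the zone by hand: an AD integrated zone arrives by AD replication.
    # This only reports whether it has arrived and whether both DCs agree on its scope.
    foreach ($srv in $PeerDc, $env:COMPUTERNAME) {
        $z = Get-DnsServerZone -Name $Zone -ComputerName $srv -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Server        = $srv
            ZonePresent   = [bool]$z
            AdIntegrated  = $z.IsDsIntegrated
            Scope         = $z.ReplicationScope     # Domain / Forest / Legacy
            DynamicUpdate = $z.DynamicUpdate        # Secure / NonsecureAndSecure / None
        }
    }
}

function Set-ReplicaDcDnsClient {
    # Other DC first, itself second, as recommended above.
    Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $PeerIp, $SelfIp
    Get-DnsClientServerAddress -InterfaceAlias $Nic -AddressFamily IPv4
}

function Set-IspForwarders {
    # Forwarders handle Internet names efficiently; root hints remain the fallback.
    # Set-DnsServerForwarder replaces the whole list, so stale entries do not linger.
    Set-DnsServerForwarder -IPAddress $IspDns -PassThru
}

$state = Compare-AdZoneState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.ZonePresent -or -not $_.AdIntegrated }) {
    Write-Warning "Zone $Zone is missing or not AD integrated on one server; wait for replication or check the scope before continuing."
} else {
    Set-ReplicaDcDnsClient
    Set-IspForwarders
}
```

If the two rows show different replication scopes, fix the scope on the existing DC (see the links above) rather than touching the copy on the new DC; a zone created manually on the new DC is exactly the duplicate-zone situation the registration checklist warns about.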


 

WINS

If you have a multi-segmented infrastructure (remote locations), install WINS.
This is done in Add/Remove, Windows Components, Network Services, click on WINS.
For assistance, read these articles:

WINS – What Is It, How To Install It, WINS Replication Partner Design Guidelines, How to Configure DHCP Scopes For WINS Client Distribution, and more:
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

How To Install a WINS server:
http://technet2.microsoft.com/windowsserver/en/library/e4d3c3d8-a846-49b9-aac6-e04f2907aac51033.mspx

If using Windows 2003, when you install WINS, make sure you are using an SP2 integrated i386 source. With Windows 2008 and newer, it’s not necessary. The following will assist with Windows 2003:
How to slipstream SP2 into the i386 folder (good for XP, 2000 and 2003):
http://www.theeldergeek.com/slipstreamed_xpsp2_cd.htm

On the WINS server itself, go to IP properties, Advanced, WINS tab, and point the WINS address ONLY to itself. Do not add any other WINS addresses. For assistance, see this article:
WINS Best Practices (Use ONLY itself in ip properties):
http://technet2.microsoft.com/windowsserver/en/library/ed9beba0-f998-47d2-8137-a2fc52886ed71033.mspx

This assumes you will be configuring RRAS properties to get client IPs from Windows DHCP and not a manual range or from your firewall/perimeter router (such as your Comcast, Linksys, etc., router).

Once that is done, in DHCP, change the WINS address to the new server in DHCP Option 044. Make sure you have DHCP Option 046 set to 0x8.

•DHCP Option 044: IpAddressOfYourWINSserver
•DHCP Option 046: 0x8

If not sure how to do the above, please read this article:
DHCP Options Not Set by SBS Setup (this is good for SBS and Windows Server 2003, 2008, 2000, etc):
http://support.microsoft.com/kb/218636

FSMO roles

If you say the other DCs are that unreliable, transfer all the FSMO roles to this new server. If not sure how, follow this article:
How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/kb/324801

If you are not sure which server to set a FSMO role, read this:
FSMO placement and optimization on Active Directory domain controllers:
http://support.microsoft.com/kb/223346

Make this DC a GC. If you need assistance, follow this article:
http://technet2.microsoft.com/windowsserver/en/library/93ffc6d8-e4c9-4a5b-8b4c-7d426bcba5a11033.mspx?mfr=true

Matter of fact, make all DCs a GC. More on this:

Global Catalog and FSMO Infrastructure Master Relationship
Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 1:05 PM
http://msmvps.com/blogs/acefekay/archive/2010/10/01/global-catalog-and-fsmo-infrastructure-master-relationship.aspx

Phantoms, tombstones and the infrastructure master.
The Infrastructure Master role conflicts with the global catalog when both are on the same DC in a multi-domain forest. To overcome this conflict, it is recommended that all DCs be GCs.
http://support.microsoft.com/kb/248047

Global Catalog vs. Infrastructure Master
"If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs"
These are the recommendations of Microsoft AD engineers, AD MVPs, and other engineers.
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx
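As an added PowerShell example (mine, not from the articles above), the following reports all five FSMO role holders, evaluates the rule just quoted for every domain in the forest (flag the Infrastructure Master when it is a GC in a multi-domain forest and not every DC is a GC), and includes a helper that enables the GC on a DC by setting the GC bit of the NTDS Settings object's options attribute, which is what the checkbox in Sites and Services does. It assumes the ActiveDirectory module and rights to read the forest; function names are mine.

```powershell
# Added example: FSMO inventory, Infrastructure Master vs. GC placement check, and a
# GC enable helper. Assumes the ActiveDirectory module. Function names are mine.

Import-Module ActiveDirectory

function Get-FsmoReport {
    $forest = Get-ADForest
    [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Scope = $d; Role = $role; Holder = $dom.$role }
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # Rule quoted above: single-domain forest, all DCs may be GCs. Multi-domain forest,
    # the IM must not be a GC unless every DC in the domain is a GC.
    $forest = Get-ADForest
    $multiDomain = $forest.Domains.Count -gt 1
    foreach ($d in $forest.Domains) {
        $dom   = Get-ADDomain -Identity $d
        $dcs   = @(Get-ADDomainController -Filter * -Server $d)
        $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $im    = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
        $imGc  = [bool]$im.IsGlobalCatalog
        [pscustomobject]@{
            Domain               = $d
            InfrastructureMaster = $dom.InfrastructureMaster
            ImIsGC               = $imGc
            AllDcsAreGC          = $allGc
            Conflict             = ($multiDomain -and $imGc -and -not $allGc)
        }
    }
}

function Enable-GlobalCatalog {
    # Sets the GC bit (1) in the NTDS Settings "options" attribute while keeping any
    # other bits that are already set.
    param([Parameter(Mandatory)][string]$DcName)
    $ntds = (Get-ADDomainController -Identity $DcName).NTDSSettingsObjectDN
    $cur  = [int](Get-ADObject -Identity $ntds -Properties options).options
    Set-ADObject -Identity $ntds -Replace @{ options = ($cur -bor 1) }
}

Get-FsmoReport                    | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

A row with Conflict = True is resolved either by moving the Infrastructure Master to a non-GC DC (Move-ADDirectoryServerOperationMasterRole -Identity <dc> -OperationMasterRole InfrastructureMaster) or, as the text recommends, by calling Enable-GlobalCatalog for every remaining non-GC DC so that AllDcsAreGC becomes True.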

 

Ace Fekay

Suggestions, comments, corrections, etc, are all welcomed.

AD & Dynamic DNS Updates Registration Rules of engagement

Keep in mind, for the most part it automatically works "out of the box" without much administrative overhead.

Original Compilation: 11/19/2012

===

Summary

1. The machine’s DNS entries in the NIC must ONLY be configured to use the internal DNS servers that host the zone. No others.
    a. DHCP Option 006 MUST only be the internal DNS server(s) you want to use, otherwise if using an ISP’s DNS or your router, expect undesired results.

2. The Primary DNS Suffix on the machine MUST match the zone name in DNS.
    a. For joined machines, this is default.
    b. For non-joined machines, it must be manually configured or scripted.

3. If using DHCP Option 015 (Connection Specific Suffix), it must match the zone name and have "Use This Connection’s DNS Suffix in DNS Registration" along with "Register This Connection’s Addresses in DNS" checked in the NIC’s IPv4, Advanced, DNS tab.

4. The Zone must be configured to allow updates.

5. For AD Integrated Zones and Secure Only Updates:
   a. If the machine’s DNS is statically configured:
      – It must only point to the internal DNS
      – It must be joined to the domain in order to authenticate using Kerberos to update.
   b. If statically configured and not joined to the domain, the client can’t update if the zone is set to Secure Only.
   c. For non-joined domain DHCP clients, you can configure DHCP to update in lieu of the client updating into a Secure Only zone.

6. For any non-Windows statically configured machine, it must support the DNS Dynamic Updates feature and the zone configured to allow Secure and Unsecure updates.

7. If the DNS server is multihomed and not configured properly to work with multihoming, it may cause problems with Dynamic Updates.

8. If the zone is single label name, such as ‘domain’ instead of the proper minimal format of ‘domain.com,’ ‘domain.net,’ etc., it will NOT update.

9. The client will "look" for the SOA of the zone when it attempts registration. If the SOA is not available or resolvable, it won’t register. Keep in mind with AD integrated zones the SOA rotates among the DCs because of the multimaster feature. This is default and expected behavior, but if there are any DCs that have any problems, and the client resolved the SOA to that DC, it may not accept the update.

10. The zone in DNS must NOT be a single label name, such as "DOMAIN", instead of the required minimum of two hierarchical levels such as domain.com, domain.local, domain.me, domain.you, etc. Single label name zones are problematic, do not conform to the DNS RFC, and cause excessive Internet traffic to the Root Servers when DNS tries to resolve a single label name query, such as querying for computername.domain – in such a query, the domain name is actually treated as a TLD. ISC raised the excessive traffic generated by Microsoft DNS servers configured with a single label name with Microsoft in 2004, and Microsoft in turn disabled the ability for Microsoft DNS in Windows 2000 SP4 and newer to resolve single label names without a registry band-aid. More info on this:

Active Directory DNS Domain Name Single Label Names – Problematic
Published by Ace Fekay, MCT, MVP DS on Nov 12, 2009 at 6:25 PM
http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx

11. For Windows 2008 and all newer operating systems, IPv6 must not be disabled. If disabled, it will cause other problems:
The Cable Guy – Support for IPv6 in Windows Server 2008 R2 and Windows 7, by Joseph Davies, Microsoft, Inc.
Quoted by Joseph Davies, MSFT:
"IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be."
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Arguments against disabling IPv6
Demoire, [MSFT], 24 Nov 2010 12:37 AM
http://blogs.technet.com/b/netro/archive/2010/11/24/arguments-against-disabling-ipv6.aspx

Full explanation:

1. Active Directory’s DNS Domain Name is NOT a single label name ("DOMAIN" vs. the minimal requirement of "domain.com." "domain.local," etc).

2. The Primary DNS Suffix MUST match the zone name that is allowing updates. Otherwise the client doesn’t know which zone to register in. You can also configure a different Connection Specific Suffix in addition to the Primary DNS Suffix in order to register into that zone as well.

3. AD/DNS zone MUST be configured to allow dynamic updates, whether Secure or Secure and Non-Secure. For client machines, if a client is not joined to the domain, and the zone is set to Secure, it will not register either.

4. You must ONLY use the DNS servers that host a copy of the AD zone name or have a reference to get to them. Do not use your ISP’s DNS, an external DNS address, your router as a DNS address, or any other DNS that does not have a copy of the AD zone. Internet resolution for your machines will be accomplished by the Root servers (Root Hints); however, it’s recommended to configure a forwarder for efficient Internet resolution.

5. The domain controller must not be multihomed (that is, it must not have more than one unteamed, active NIC, more than one IP address, and/or RRAS installed on the DC); a multihomed DC that is not specifically configured for it causes registration problems.

6. The DNS addresses configured in the client’s IP properties must ONLY reference the DNS server(s) hosting the AD zone you want to update in.

This means that you must NOT use an external DNS in any machine’s IP property in an AD environment. You can’t mix them either. That’s because of the way the DNS Client side resolver service works. Even if you mix up internal DNS and ISP’s DNS addresses, the resolver algorithm can still have trouble asking the correct DNS server. It will ask the first one first. If it doesn’t get a response, it removes the first one from the eligible resolvers list and goes to the next in the list. It will not go back to the first one unless you restart the machine, restart the DNS Client service, or set a registry entry to cut the query TTL to 0. The rule is to ONLY use your internal DNS server(s) and configure a forwarder to your ISP’s DNS for efficient Internet resolution.

This is the reg entry to cut the query to 0 TTL (normally this is not necessary, but I’m posting it as a reference).

The DNS Client service does not revert to using the first server … The Windows 2000 Domain Name System (DNS) Client service (Dnscache) follows a certain algorithm when it decides the order in which to use the DNS servers …
http://support.microsoft.com/kb/286834

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP (applies to all Operating Systems, too)
 http://support.microsoft.com/kb/320760

For more info, please read the following on the client side resolver service:

DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted SMB (DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm if you have multiple forwarders.
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

7. For DHCP clients, DHCP Option 006 for the clients are set to the same DNS server.

8. If using DHCP, the DHCP server must only reference the same exact DNS server(s) in its own IP properties in order for it to ‘force’ (if you set that setting) registration into DNS. Otherwise, how would it know which DNS server to send the registration data to?

9. If the AD DNS Domain name is a single label name, such as "EXAMPLE", and not the proper format of "example.com" and/or any child of that format, such as "child1.example.com", then we have a real big problem. DNS will not allow registration into a single label domain name.
This is for two reasons:
       1. It’s not the proper hierarchal format. DNS is
           hierarchal, but a single label name has no hierarchy.
           It’s just a single name.
       2. Registration attempts causes major Internet queries
           to the Root servers. Why? Because it thinks the
           single label name, such as "EXAMPLE", is a TLD
          (Top Level Domain), such as "com", "net", etc. It
          will now try to find what Root name server out there
          handles that TLD. In the end it comes back to itself
         and then attempts to register. Unfortunately it doe NOT
         ask itself first for the mere reason it thinks it’s a TLD.

(Quoted from Alan Woods, Microsoft, 2004):
"Due to this excessive Root query traffic, which ISC found from a study that discovered Microsoft DNS servers are causing excessive traffic because of single label names, Microsoft, being an internet friendly neighbor and wanting to stop this problem for their neighbors, stopped the ability to register into DNS with Windows 2000 SP4, XP SP1, (especially XP,which cause lookup problems too), and Windows 2003. After all, DNS is hierarchal, so therefore why even allow single label DNS domain names?"

The above also *especially* applies to Windows Vista, Windows 7, 2008, 2008 R2, Windows 2012, and newer.

10. ‘Register this connection’s address’ on the client is not enabled under the NIC’s IP properties, DNS tab.

11. Maybe there’s a GPO set to force Secure updates and the machine isn’t a joined member of the domain.

12. With Windows 2000, 2003 and XP, the "DHCP Client" service is not running. In Windows 2008, Windows Vista and all newer operating systems, it’s now the DNS Client service. This is a requirement for DNS registration and DNS resolution even if the client is not actually using DHCP.

Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops (2000/2003/XP only)
http://support.microsoft.com/?id=264539

13. You can also configure DHCP to force-register clients for you, as well as keep the DNS zone clean of old or duplicate entries. The following has more information on how to do that:

DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the DnsProxyUpdate Group (How to remove and prevent future duplicate DNS host records)
Published by acefekay on Aug 20, 2009 at 10:36 AM
http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx

 

What will stop AD SRV registration:

1. External DNS servers are configured under TCP/IP properties. Only use internal DNS servers when part of an Active Directory domain. AD domain machines must never be pointed at an external (ISP) DNS server, or even use an ISP DNS server as an "Alternate DNS server".

2. Are any services disabled, such as the DHCP Client service? (It’s required.)

No DNS registration functions if DHCP Client Service Is Not Running (2000/2003/XP only)
http://support.microsoft.com/?id=268674

Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops (2000/2003/XP only)
http://support.microsoft.com/?id=264539

For all Windows 2008, Windows Vista and all newer operating systems, it’s the DNS Client Service.

3. The AD/DNS zone is not configured to allow dynamic updates.

4. Make sure ‘Register this connection’s address in DNS’ is enabled under TCP/IP properties.

5. Missing or incorrect "Primary DNS suffix" or "Connection-specific DNS suffix" of the domain to which the machine belongs. With a missing/incorrect DNS suffix a machine cannot find the correct zone to register in. If missing or incorrect, it is called a Disjoined Domain Name.

6. Is the firewall service enabled? (disable it).

7. Were the default C: drive permissions altered, and was a hotfix installed recently?

"Systems that have changed the default Access Control List permissions on the %windir%\registration directory may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC"
http://support.microsoft.com/kb/909444

For more info about this issue, see:
http://blogs.technet.com/steriley/archive/2005/11/08/414002.aspx

8. If using Secure Updates: Not authenticated to the domain (which can be due to DNS misconfiguration or DNS server problem)

9. Are File and Print Services enabled?

10. Are Microsoft client services enabled?

11. Is DNS listening on the private LAN interface?

12. More than one NIC?

13. Updates allowed on the zone?

14. Primary DNS suffix matches the zone name in DNS and the AD domain name?

15. Was Zone Alarm ever installed on these machines?

16. Any Event log errors?

17. Was a Registry entry configured to stop registration?
246804 – How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per NIC too):
http://support.microsoft.com/?id=246804

18. Spyware or something else such as DotNetDns installed on it?

19. Single Label Domain Name?

20. Are the Netlogon and DFS services started?

21. Malware or a virus altering network services, preventing the machine from registering.

22. Some sort of firewall in place, whether the Windows Firewall disabling File and Print Services, or a 3rd party firewall, which many AV programs now have built in and which must be adjusted to allow this sort of traffic and to exclude the NTDS and SYSVOL folders. If Windows Firewall, run the following to see what settings are enabled:
netsh firewall show config

23. Is IPv6 disabled? That will stop registration. Enable it.
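An added example (not from the original post): a read-only PowerShell check of the client-side items in the list above that can be verified from the machine itself (items 1, 2, 4, 5/14 and 23). It reports findings and changes nothing. It assumes Windows 8/Server 2012 or newer (DnsClient and NetAdapter modules) and a domain-joined machine; the function name is mine.

```powershell
# Added example, not part of the original post. Read-only check of the client-side
# registration prerequisites; run on the machine that fails to register.
function Test-DnsRegistrationPrereqs {
    $findings = New-Object System.Collections.Generic.List[string]

    # Item 2: on Vista/2008 and newer the DNS Client service (Dnscache) must be running.
    $svc = Get-Service -Name Dnscache -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings.Add('DNS Client service (Dnscache) is not running.')
    }

    # Items 5 and 14: the primary DNS suffix must match the AD domain the machine belongs to.
    $adDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    $tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $primarySuffix = (Get-ItemProperty -Path $tcpipParams).'NV Domain'
    if ($primarySuffix -ne $adDomain) {
        $findings.Add("Primary DNS suffix '$primarySuffix' does not match AD domain '$adDomain' (disjoined name).")
    }

    # Item 4: 'Register this connection's address in DNS' must be on for the LAN adapter(s).
    Get-DnsClient | Where-Object { $_.InterfaceAlias -notmatch 'Loopback|isatap|Teredo' } | ForEach-Object {
        if (-not $_.RegisterThisConnectionsAddress) {
            $findings.Add("Interface '$($_.InterfaceAlias)': 'Register this connection's address' is off.")
        }
    }

    # Item 1: every DNS server on the NIC must host the AD zone. An ISP or router address
    # cannot answer the DC locator SRV query, so each configured server is asked for it.
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
    foreach ($srv in $servers) {
        try {
            $null = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$adDomain" -Type SRV `
                -Server $srv -DnsOnly -ErrorAction Stop
        } catch {
            $findings.Add("DNS server $srv has no DC locator records for $adDomain; remove it from the NIC (ISP or router address?).")
        }
    }

    # Item 23: IPv6 unbound from an adapter also stops registration.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { -not $_.Enabled } | ForEach-Object {
        $findings.Add("IPv6 is disabled on adapter '$($_.Name)'.")
    }

    return $findings
}

$result = Test-DnsRegistrationPrereqs
if ($result.Count -eq 0) { 'No registration blockers found among the checked items.' } else { $result }
```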

 

Suggestions, Comments, Corrections are welcomed.

Ace Fekay, MCT, MVP Directory Services

Event ID 1054

Original publication: 8/12/2010
Edited: 8/30/2014

 

Prologue

Ace here again. This was an older blog that I’ve revamped. I’ve been going through my blogs to clean them up, syntax, accuracy, etc. If anyone sees any discrepancies, please let me know.

There are a number of reasons this event may occur, no matter which Source Name it’s related to. One of the main reasons this behavior may occur is if the address of the configured preferred DNS server is unreachable. One of the first things to do is check www.eventID.net’s link to see if it applies to your scenario:
http://eventid.net/display.asp?eventid=1054

Summary of possibilities:

1. Using a DNS address that doesn’t have the AD zone data. Make sure the only DNS addresses on the NIC are the internal DC/DNS servers. Remove the ISP’s or the router’s as a DNS address. They do not have AD’s zone data that is required for AD to function properly.

Active Directory’s Reliance on DNS, and why you should never use an ISP’s DNS address or your router as a DNS address
Published by acefekay on Aug 17, 2009 at 7:35 PM
http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx

2. Multihomed DCs. If the DC is multihomed, numerous issues can result, too long to list. See the following for more info:

Multihomed DCs with DNS, RRAS, and/or PPPoE adapters
Published by acefekay on Aug 17, 2009 at 9:29 PM
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

3. AD DNS Domain Name is a Single Label Name. The name has no TLD, such as “domain” rather than domain.net, domain.local, etc. This can cause numerous problems, too lengthy to list. It also causes Windows XP SP3 and newer operating systems to fail to resolve DNS names properly. See the following link for more information.

Active Directory DNS Domain Name Single Label Names
Published by acefekay on Nov 12, 2009 at 6:25 PM
http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx

4. There are unknown LdapIpAddress entries. This is the “same as parent” name under the zone. There should only be one for each DC in the domain. If there are others, it will cause numerous issues with AD, GPOs, DFS, and other AD functions.

5. Multiple A records for the DC. Make sure there is only one IP address for each DC. If not, it falls under the multihomed DC issue in #2.

6. Multiple GcIpAddresses. Check the gc._msdcs.yourDomain.local record to make sure there is only one entry for each GC. If there are multiples for one GC, that will cause problems, and falls under the multihomed DC issue in #2.

7. Unknown NS names in the zone. Go into each zone’s properties (yourDomain.local and _msdcs.yourDomain.local), Name Servers tab, and make sure only your DC/DNS servers show up. If there are others, please remove them. This tab indicates which NS and SOA are for the zones, and if any unknown servers are listed, the client machine may be trying to query them during resolution and registration, which will cause problems.

8. AMD Opteron CPUs are known to cause issues. One poster in the Microsoft forums reported the EventID 1054 issue on a Dell T105 (circa 2010) with Dual Core Opterons. It was found the AMD Opteron processor has a timing issue. From previous reports, Microsoft supposedly fixed it in Windows 2003 SP2, but something may have changed in recent AMD core releases causing it again. One key test was to ping the server’s own IP. If you receive negative ping times, timing is skewed. A reboot fixes it for a while, but then it drifts and EventID 1054 resumes.

There are AMD processor patches that you can find at AMD’s website. Another workaround is to add the “/usepmtimer” switch to boot.ini. KB895980 provides more specifics about this issue.

Programs that use the QueryPerformanceCounter function may perform poorly in Windows Server 2000, in Windows Server 2003, and in Windows XP
http://support.microsoft.com/?id=895980

9. Make sure time is configured properly. This is one that many do not think about, and it can cause many issues which may or may not cause EventID 1054 errors, but it would not hurt to make sure the time service is operating properly. See the following link for more information:

Configuring the Windows Time Service for Windows Server
Published by acefekay on Sep 18, 2009 at 8:14 PM
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx

 

Steps to help narrow down this issue:

Let’s start by using nslookup to see if you get the proper response when querying for LDAP SRV records.

1. Type nslookup, and then press ENTER.
2. Type set q=all, and then press ENTER.
3. Type _ldap._tcp.dc._msdcs.domain.com and then press ENTER.

You will be looking for the domain controllers to respond to this query. If they do not, then we need to look at your SRV records as well as whether any of the above summarized causes are contributing to the non-DC responses, such as using an ISP’s DNS, the router, multihomed DCs, single label name, etc.
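An added example (not from the original post) that performs the nslookup query above with Resolve-DnsName and then applies the record checks from the summary (items 4 to 7: one A record per DC, one “same as parent” record per DC, one gc._msdcs record per GC, no unknown NS). It assumes a single-domain forest, so the domain name is also the forest root that owns gc._msdcs; the function name and the -Server parameter, which plays the role of nslookup’s server command, are mine.

```powershell
# Added example, not part of the original post. Queries the DC locator SRV record and
# cross-checks the A and NS records the summary above says should match it.
function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Server                       # optional: a specific DNS server to query
    )
    $opts = @{ DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $opts['Server'] = $Server }

    # Step 3 of the nslookup procedure: the DC locator SRV record each DC registers.
    $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV @opts |
        Where-Object { $_.Type -eq 'SRV' })
    if ($srv.Count -eq 0) {
        Write-Warning "No SRV answer for _ldap._tcp.dc._msdcs.$Domain; the server queried does not hold the AD zone."
        return
    }
    $dcNames = @($srv.NameTarget | ForEach-Object { $_.TrimEnd('.') } | Sort-Object -Unique)
    "DCs advertised by SRV: $($dcNames -join ', ')"

    # Summary item 5: each DC host name should resolve to exactly one address.
    foreach ($dc in $dcNames) {
        $a = @(Resolve-DnsName -Name $dc -Type A @opts | Where-Object { $_.Type -eq 'A' })
        if ($a.Count -ne 1) {
            Write-Warning "$dc has $($a.Count) A records ($($a.IPAddress -join ', ')); check for a multihomed DC."
        }
    }

    # Summary item 4: the 'same as parent' A records (LdapIpAddress), one per DC.
    $parentA = @(Resolve-DnsName -Name $Domain -Type A @opts | Where-Object { $_.Type -eq 'A' })
    if ($parentA.Count -ne $dcNames.Count) {
        Write-Warning "$Domain has $($parentA.Count) 'same as parent' A records but $($dcNames.Count) DCs are advertised."
    }

    # Summary item 6: gc._msdcs should carry one A record per global catalog.
    $gcSrv = @(Resolve-DnsName -Name "_gc._tcp.$Domain" -Type SRV @opts | Where-Object { $_.Type -eq 'SRV' })
    $gcCount = @($gcSrv.NameTarget | Sort-Object -Unique).Count
    $gcA = @(Resolve-DnsName -Name "gc._msdcs.$Domain" -Type A @opts | Where-Object { $_.Type -eq 'A' })
    if ($gcA.Count -ne $gcCount) {
        Write-Warning "gc._msdcs.$Domain has $($gcA.Count) A records but $gcCount GCs are advertised."
    }

    # Summary item 7: every NS listed on the zones should be one of the DCs above.
    foreach ($zone in @($Domain, "_msdcs.$Domain")) {
        $ns = @(Resolve-DnsName -Name $zone -Type NS @opts | Where-Object { $_.Type -eq 'NS' })
        foreach ($nsHost in $ns.NameHost) {
            if ($dcNames -notcontains $nsHost.TrimEnd('.')) {
                Write-Warning "Unknown name server $nsHost listed on $zone; remove it from the Name Servers tab."
            }
        }
    }
}

# Constructed sample call; replace with your AD domain name.
Test-DcLocatorRecords -Domain 'contoso.com'
```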

More possible causes:

In addition, these errors may occur because link status fluctuates as the network adapter (also known as the network interface card, or NIC) driver initializes and as the network adapter hardware negotiates a link with the network infrastructure. The Group Policy application stack executes before the negotiation process is completed and can fail because of the absence of a valid link.

*

Possible Resolutions:

Resolution 1:

To resolve the problem related to link status fluctuation, use the steps in 239924 – “How to disable Media Sensing for TCP/IP in Windows” at http://support.microsoft.com/?id=239924 .

To prevent your network adapter from detecting the link state:

  1. Open Registry Editor (Regedt32.exe).
  2. Go to the following key in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
  3. Add the following registry value:
    Value Name: DisableDHCPMediaSense
    Data Type: REG_DWORD -Boolean
    Value Data Range: 0, 1 (False, True) Default: 0 (False)

Resolution 2:

Contact the vendor of the network card or visit their web site to obtain updated drivers for the Gigabit NIC.

Examples of NICs known to exhibit this issue:
– Broadcom Gigabit Adapter
– Intel Gigabit Ethernet PRO Adapter, Intel Pro/1000
– Intel 82544EI-based XT Gigabit Adapter (82540EM chipset)
– Compaq/HP NIC dual interface 10/100/1000 doing teaming (HP NC7170)
– Dell Inspiron laptops using an on-board Broadcom BCM4401 NIC

Resolution 3:

A server may have a Dual Port NIC or multiple NICs with one port or NIC set to Disabled. The disabled port or NIC should not be at the top of the binding order in the Network Advanced Properties.

  1. Click Start, point to Settings, and then click “Network and Dial-up
    Connection”.
  2. On the Advanced menu, click “Advanced Settings”.
  3. On the “Adapters and Bindings” tab, in the connections list, select the NIC that
    the clients use to connect to the server and move it to the top of the list.

Resolution 4:

Disabling spanning tree on the switches (Cisco Catalyst)

Note: STP = Spanning Tree Protocol. Turning off STP can cause issues in your network if a loop ever develops. If you are running a Cisco Series switch or any other switch that runs Spanning Tree, it is best to leave spanning tree turned on, but enable PORTFAST on all the ports except uplinks and fiber trunks. (I.e., any ports that aren’t connected to a workstation directly should not have it enabled; ports that do go directly to a workstation or computer should have it turned on.) PORTFAST eliminates the 50 second waiting period that STP has, but allows you to keep the functionality of STP.
 

*

References:

326152 PRB: Cannot Connect to Domain Controller and Cannot Apply Group Policy
http://support.microsoft.com/kb/326152

298656 Event ID 1054 Is Logged in the Application Event Log
http://support.microsoft.com/kb/324174/en-us

239924 How to Disable Media Sense for TCP/IP in Windows
http://support.microsoft.com/kb/239924

*

Summary

I hope this helps to track down the cause of an Event ID 1054.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This blog is provided AS-IS with no warranties or guarantees and confers no rights.

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones


Revisions:

Original publication 3/2006
Recompiled 6/10/2010
Updated 12/9/2010
Updated 8/31/2014

Prologue

Ace here again. I’m cleaning up my blogs for technical and syntax errors. If you see anything that needs correction, please let me know.

Preface and Scope Of this Article

This blog explains how to use ADSI Edit to determine if duplicate zones exist in the AD database and to delete them.

When using ADSI Edit, the duplicate zones show up in the partitions with names that are prefixed with an “In Progress….” or “CNF…” and suffixed with a long GUID number. You will be checking EACH DC. When you find them, you will simply delete them, because they are useless and cause substantial problems.

This blog also explains how duplicate zones will appear to make zone records disappear.

Introduction to Duplicate Zones

Duplicate zones can cause numerous issues for the mere fact that the DNS zone that DNS is showing you on a specific DC may not have the latest up to date data. It literally may be missing data that you see on other DCs. If there are duplicate or conflicting zones, the zone data can’t replicate, so each DC may have a different copy of the zone, which then results in unreliability and AD issues.

And to further complicate it, there are three different storage locations that AD can store AD integrated DNS zones – DomainDnsZones, ForestDnsZones, and the DomainNC partitions. You can read more on specifics in one of my other blogs:

DNS Zone Types Explained, Storage Locations in the AD database, and their Significance in Active Directory.
https://blogs.msmvps.com/acefekay/2013/04/30/dns-zone-types-explained-and-their-significance-in-active-directory/

Symptoms?

You may have a duplicate zone or a conflicting zone if a zone exists in both the DomainNC and one of the Application Partitions, or in more than one Application Partition. Some of the symptoms include:

  • Trying to change the replication scope, you receive an unusual error message stating, “The name limit for the local computer network adapter card was exceeded.”

DNS Duplicate zone - Scope Replication error - The Replication scope could not be set- The name limit for the local computer network adapter was exceeded.

  • Event ID 4515
  • An admin sees that data present on a different DC is missing, and manually creates the records.
  • Zone data is disappearing, or it appears to be. This can be caused by:
    • The data on each DC is different, and you are wondering why replication isn’t bringing the zone data up to date, but it won’t, because replication does not occur when AD sees a duplicate.

Causes?

    • You’ve installed DNS on another DC and you don’t see the zone under DNS that is on the other DCs, so you manually created the AD zone because you didn’t have the patience to wait for replication to occur, which it would have automatically populated.
    • You’ve promoted a new DC in another site and didn’t have the patience to wait for the zone data to replicate.
    • Antivirus not configured to exclude AD communications (common cause).
    • At one time, or currently, the AD environment is a mixed Windows 2000/2003/2008 environment and DNS is installed on all operating system versions. On Windows 2000, if the zone is AD Integrated, it is in the DomainNC partition of the AD database, and it should be set the same on the Windows 2003 or newer DC/DNS servers to keep the zone data compatible and allow both operating system versions to read and use it.
    • Someone must have attempted to change it in Windows 2003 or 2008 DNS to place the zone in the DomainDnsZones partition, not realizing the implications, hence the duplicate. In a scenario such as this where you want to use the Windows 2003 application partitions, you must first ensure the zone on the Windows 2003 server is set to the DomainNC, then uninstall DNS from the Windows 2000 machine, and once that’s done and AD replication has been given time to occur, you can go to the Windows 2003 or newer DNS and change the zone’s replication scope to one of the application partitions.
    • A new domain controller was promoted into the domain, and the administrator manually created the zone name in DNS. This causes a duplicate. The proper way was to simply install DNS, and allow AD replication to occur. The zone will auto-populate into DNS.

    I usually don’t want to assume someone’s deleting data. That would be the far end of the spectrum, especially if more than one DC is showing inconsistent zone data.

    I feel the best approach to find out which is occurring is to first find out if there is a duplicate zone. This is because auditing is time consuming, and you need to parse through all the events generated in the Event Security Logs. It’s easier to run ADSI Edit to find if there are duplicates. Once you’ve determined it’s not a duplicate zone issue, then you can move on to DNS auditing. If it is a duplicate zone issue, follow the procedure below to remove them.

    *

    AD Integrated Zones Storage Locations

    First, a quick review on the partitions. Hopefully you’ve taken a few moments to read my blog link that I posted above to understand the partitions. If not, I’ll just touch base on it here so you understand it and can relate to it. For specifics and the nitty gritty, read my other blog above.

    Windows 2000:

    The physical AD database is broken up into 3 logical partitions: the DomainNC (Domain Naming Context, or as some call it, the Domain Name Container), the Configuration Partition, and the Schema Partition. The Schema and Configuration partitions replicate to all DCs in a forest.

    The DomainNC is specific only to the domain the DC belongs to. That’s where a user, domain local or global group is stored. The DomainNC only replicates to the DCs of that specific domain.

    When you create an AD Integrated zone in Windows 2000, it gets stored in the DomainNC. This causes a limitation if you want this zone to be available on a DC/DNS server that belongs to a different domain. The only way to get around that is some creative design using either delegation or secondary zones. This was a challenge for the _msdcs.contoso.com zone, which must be available forest wide to resolve the forest root domain, which contains the Schema Master and Domain Naming Master FSMO roles.

    Windows 2003 and newer:

    Two additional storage locations were added to the AD database specifically to store DNS data. These areas are called “partitions,” specifically the DomainDnsZones and ForestDnsZones Application Partitions. They were conceived to overcome the limitation of Windows 2000’s AD Integrated zones. Now you can store an AD Integrated zone in either of these new partitions instead of the DomainNC. If stored in the DomainDnsZones app partition, it is available only within that domain. If you store it in the ForestDnsZones app partition, it will be available to any DC/DNS server in the whole forest. This opens many more design options. It also ensures the availability of the _msdcs.contoso.com zone to all DCs in the forest. By default in Windows 2003, the _msdcs.contoso.com zone is stored in the ForestDnsZones application partition.

    Selecting the Replication Scope in Windows 2003 and newer:

    When selecting a zone replication scope in Win2003, in the zone’s properties, click on the “Change” button. Under that you will see 3 options:

    • “To all DNS servers in the AD forest example.com” (the top button). This option puts the zone in the ForestDnsZones Application Partition. This setting allows the zone data to replicate to all domain controllers in every domain in the forest, including any additional Trees that exist in the forest.
    • “To all DNS servers in the AD domain example.com” (the middle button). This option puts the zone in the DomainDnsZones Application Partition. The zone is stored and replicated in the DomainDnsZones Application Partition of the specific domain it exists in. This setting is not compatible with Windows 2000 domain controllers. If Windows 2000 domain controllers exist in the domain, then the bottom option (below) will need to be used.
    • “To all domain controllers in the AD domain example.com” (the bottom button). This option puts the zone in the DomainNC (Domain Naming Context) portion of the actual AD database. This is only for Windows 2000 compatibility, that is, if you have any Windows 2000 domain controllers in the specific domain you are administering.

    If you receive an Event ID 4015 or the following error, it may indicate there is a duplicate or conflicting zone that exists in the DomainNC, the DomainDnsZones Application partition and/or in the ForestDnsZones partition.

    DNS Duplicate zone - Scope Replication error - The Replication scope could not be set- The name limit for the local computer network adapter was exceeded.

    *

    Non-AD Integrated Primary and Secondary Zones

    A Primary or Secondary zone that is not stored in AD is stored in a text file in the system32\dns folder. This type of zone storage has nothing to do with the above types, unless it is truly a secondary whose Master is a DC transferring a copy of the zone. This type of zone storage is obviously not secure.

    Now **IF** you did manually create a zone (whether intentionally or unknowingly) on one DC while it already existed on another DC, then you may have a duplicate.

    *

    Duplicate zone names will start with the letters “CNF…” or “InProgress…”

    If there is a duplicate, you can use either ntdsutil or ADSI Edit to take a look. I will outline in this article how to use ADSI Edit to look for the duplicate.

    A duplicate zone name will appear in ADSI Edit that starts with an “In Progress….” or “CNF…” with a long GUID number after it.

    • The “CNF…” means it’s in conflict due to a duplicate in the AD database.
    • The “In Progress….” means it is trying to replicate, but it can’t because there’s another identical zone name but with a different USN version number (USNs are used for replication control between DCs) on another domain controller, which also means there’s a duplicate zone.

    You can simply delete them, which will clean up the whole problem. Yep, a simple deletion. The “CNF” data is not used by AD, yet it will conflict with the zone that is actually used, and needs to be deleted.

    But before doing anything about it just yet, let’s read on to explain more about this and what may have caused it.

    *

    Preventing Duplicate Zones

    AD Integrated Zones will auto-populate when adding replica domain controllers

    If an AD integrated zone exists on a DC, and the DNS service is installed on another DC in the domain or forest (depending on the replication scope), the zone will automatically appear on the new DNS installation without any interaction on your part. You may have to wait a certain period of time for it to populate depending on whether the other DC is in the same AD Site or not, but it WILL AUTO-POPULATE.

    However, if you attempted to manually create the zone, believing that you need to do this to make the zone available on that DC, then you’ve just introduced a duplicate zone in the AD database. It doesn’t matter if the zone originally exists in, say, the DomainNC, and you manually create the zone on the other DC and put it into the DomainDnsZones application partition; AD will still recognize it as a duplicate in the AD database.

    Duplicate zones cause numerous AD communication and access problems.

    The point is, AD is smarter than you think. Let it do its thing.

    *

    An Example of what an AD Duplicate Zones looks like in ADSI Edit

    This image shows “In Progress…” entries. They need to be deleted.

    *

    Using ADSI Edit to look at  your AD Partitions

    This is a manual step by step. For a screenshot step by step, see the next section.

    This section assumes you have a little familiarity with ADSI Edit. If not, I suggest you get familiar with it once you’ve connected to the various partitions as outlined below. Be careful deleting anything, for once deleted, it’s a destructive process and basically it’s gone. There is no “Back Button,” “Undelete,” or “Undo” button. To restore data, you will need to run an Authoritative Restore from your backup program, restoring that specific object that was deleted.

    Determine if there are any duplicate zones.

    While in ADSI Edit, if you see the same exact named zone in multiple partitions, such as seeing the same zone name in the DomainNC (Domain Naming Context) partition, in the DomainDnsZones application partition, and/or in the ForestDnsZones application partition, you have duplicate zones. If this is the case, then you must choose which zone you want to keep.

    I will select a DC that isn’t having a problem and delete the duplicates and conflicts off all other DCs.

    Multiple domains or multiple tree forest?

    If the AD forest is a multidomain forest with child domains and/or multiple trees, you must look at each domain’s DomainNC and DomainDnsZones partition, because each domain has one.

    To view the DomainNC Partition (Default Naming Context)

    • In ADSI Edit, right-click ADSI Edit, choose “Connect To,” in the Connection Point click on “Well known Naming Context”, then in the drop-down box, select “Domain”. If this is Windows 2003 or newer, this option shows up as “Default Naming Context”.
    • Expand DomainNC or Default Naming Context, then expand your domain name. Drill down to CN=System. Under that you will see CN=MicrosoftDNS.
      You will see any zones that are in the DomainNC partition under the MicrosoftDNS folder.
    • If you see anything that starts with an “In Progress….” or “CNF…” with a long GUID number after it, that’s a duplicate zone. Delete them!

    To view the ForestDnsZones Application Partition:

    [ForestDNSZones]

    1. Click Start, click Run, type adsiedit.msc, and then click OK.
    2. In the console tree, right-click ADSI Edit, and then click “Connect To.”
    3. Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK:
      DC=ForestDNSZones, DC=contoso, DC=com
    4. In the console tree, double-click DC=ForestDNSZones, DC=contoso, DC=com.
      Double-click CN=MicrosoftDNS, and click the zone (contoso.com).
    5. You should now be able to view the DNS records which exist in this DNS partition.

    If you see anything that starts with an “In Progress….” or “CNF…” with a long GUID number after it, that’s a duplicate zone. Delete them!

    To view the DomainDnsZones Application Partition

    [DomainDNSZones]

    1. Click Start, click Run, type adsiedit.msc, and then click OK.
    2. In the console tree, right-click ADSI Edit, and then click “Connect To.”
    3. Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK: DC=DomainDNSZones,DC=contoso,DC=com.
    4. In the console tree, double-click DC=DomainDNSZones,DC=contoso,DC=com
      Double-click CN=MicrosoftDNS, and click the zone (contoso.com).
    5. You should now be able to view the DNS records which exist in this DNS partition.

    If you see anything that starts with an “In Progress….” or “CNF…” with a long GUID number after it, that’s a duplicate zone. Delete them!
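An added example (not from the original post) that performs the three ADSI Edit inspections above from PowerShell, against EACH domain controller as the article requires: it lists the dnsZone objects under CN=MicrosoftDNS in the DomainNC, DomainDnsZones and ForestDnsZones locations and flags names carrying “CNF:” or “InProgress”, plus any zone name present in more than one location on the same DC. It deletes nothing; you review the output and then remove the duplicates in ADSI Edit. It assumes the RSAT ActiveDirectory module and a single-domain forest (the domain is the forest root); the function name and the exclusion of the built-in RootDNSServers and “..” zones, which legitimately appear in several locations, are mine.

```powershell
# Added example, not part of the original post. Read-only audit for duplicate or
# conflicting AD-integrated DNS zones across all three storage locations on every DC.
Import-Module ActiveDirectory

function Find-DuplicateDnsZones {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $forestDn = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
    $locations = [ordered]@{
        'DomainNC'       = "CN=MicrosoftDNS,CN=System,$domainDn"            # Windows 2000 style
        'DomainDnsZones' = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"    # domain app partition
        'ForestDnsZones' = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"    # forest app partition
    }

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $seen = @{}   # zone name -> locations holding it on this DC
        foreach ($loc in $locations.Keys) {
            try {
                $zones = Get-ADObject -Server $dc.HostName -SearchBase $locations[$loc] `
                    -SearchScope OneLevel -LDAPFilter '(objectClass=dnsZone)' -ErrorAction Stop
            } catch {
                # A DC that does not host an application partition returns no such object;
                # that is not a duplicate, so just move on to the next location.
                continue
            }
            foreach ($z in $zones) {
                $name = $z.Name
                if ($name -match 'CNF:') {
                    [pscustomobject]@{ DC = $dc.HostName; Location = $loc; Zone = $name; Finding = 'Conflict (CNF)' }
                } elseif ($name -match 'In ?Progress') {
                    [pscustomobject]@{ DC = $dc.HostName; Location = $loc; Zone = $name; Finding = 'In Progress' }
                } elseif ($name -ne 'RootDNSServers' -and -not $name.StartsWith('..')) {
                    # Built-in zones are expected in more than one location; real zones are not.
                    if (-not $seen.ContainsKey($name)) { $seen[$name] = @() }
                    $seen[$name] += $loc
                }
            }
        }
        # The same zone name in two or more locations on one DC is a true duplicate.
        foreach ($entry in $seen.GetEnumerator()) {
            if ($entry.Value.Count -gt 1) {
                [pscustomobject]@{ DC = $dc.HostName; Location = ($entry.Value -join ' + ')
                                   Zone = $entry.Key; Finding = 'Same zone in multiple locations' }
            }
        }
    }
}

Find-DuplicateDnsZones | Format-Table -AutoSize
```

An empty table means no CNF, In Progress or multi-location zones were found on any DC; otherwise each row tells you which DC and partition to open in ADSI Edit.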

    *

    Procedure with Screenshots:


    *

    Procedure to Delete the Duplicate zones

    The easiest is to simply delete any duplicates you find in ADSI Edit. Choice #1, to delete them, can actually be safely done during production. Matter of fact, things may just start to work after you delete them! But Choice #2, which is a lengthy procedure, must be done during non-production hours.

    Choice #1 (Recommended)

    Just go into ADSI Edit and delete the duplicate zones you’ve found.

    You can do this during production, and frankly, I’ve done it with a large infrastructure during production hours without any problems. This is my personal choice as long as there are no true duplicate zones. That is, if you see a duplicate of your actual zone, such as domain.com, in more than one partition without any zone names prefixed with “In Progress….” or “CNF…” and suffixed with a long GUID number, then you must perform Choice #2.

    Choice #2 (Not recommended)

    This is a multi-step process to first change the zone to a Standard Primary Zone, which removes it from the AD database, allow AD replication to complete, delete the duplicates, then change the zone to AD integrated, and allow AD replication to complete.

    • Choose only one DC to perform this action.
      • For example, if the duplicate is in the DomainDnsZones partition or DomainNC partition of a child domain, perform it only on a DC in that domain.
      • If the Duplicate is in the ForestDnsZones partition, you can choose any DC in the forest.
    • Right-click the zone name, Choose Properties.
    • Under the General  tab, click on the “Change” button next to the “Type” section.
    • Then uncheck the box that says “Store the zone in Active Directory (available only if the DNS server is a domain controller).”
    • Click Ok, Don’t click Ok again just yet. Just click on Apply.
    • IMPORTANT – You must allow AD replication to occur to replicate the change to all DCs that are in the replication scope of the zone. If you have DCs in another AD Site and have replication schedule set for example, to 3 hours, then you must WAIT for 3 hours.
    • This action makes the zone a Standard Primary zone. This means it is now stored in the system32\dns\ZoneName.com.dns text file and is no longer in the AD database.
    • You can also force replication. If there are AD Sites configured, and the replication schedule on the Site Connection objects is, say, 3 hours, you can reduce the replication schedule on the Site Connection objects to the minimal time allowed, which is 15 minutes. Then force replication by choosing the partner DC’s NTDS Settings, right-click, and choose Replicate Now.
    • Once confirmed that replication has occurred, and refreshing the ADSI Edit window and seeing the zones no longer exist in any of the partitions, then you can now safely delete the duplicate zones.
    • Note: Just to be clear, you will be deleting any zone names that you find that are prefixed with an “In Progress….” or “CNF…” and suffixed with a long GUID number after it.
    • Also Note: Deleting a zone is a destructive operation. Make sure you are only deleting duplicates!
    • Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
    • In the console tree, right-click contoso.com, point to All Tasks, and then click Restart.
    • Change the zone back to AD Integrated into the Replication Scope it’s supposed to be in.
    • Once the duplicates have been deleted, once again, you MUST allow AD replication to occur. If you had changed the Replication Schedule on the Site Connection objects to quicken AD replication, you will want to reset them to their original setting.

    *

    References

    DNS zone replication in Active Directory
    http://technet.microsoft.com/en-us/library/cc779655(WS.10).aspx

    Oops, our AD Integrated DNS zone’s are missing in Windows 2003!
    http://blogs.technet.com/b/networking/archive/2007/05/10/oops-our-ad-integrated-dns-zone-s-are-missing-in-windows-2003.aspx

    Directory Partitions:
    http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp

    kbAlertz- (867464) – Explains how to use ADSI Edit to resolve app partitions issues:
    http://www.kbalertz.com/kb_867464.aspx

    Event ID 4515 is logged in the DNS Server log in Windows Server 2003
    http://support.microsoft.com/kb/867464

    *

    Summary

    It seems like a lot of steps, but it really isn’t. Just read it over a few times to get familiar with the procedure. You may even want to change it into a numbered step by step list if you like. If you only have one DC, and one Site, then it’s much easier since you don’t have to mess with secondary zones or play with the site objects.

    I hope that helps!

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services
    Complete List of Technical Blogs and Videos: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This blog is provided AS-IS with no warranties or guarantees and confers no rights.

    Suggestions, Comments and Corrections are Welcomed!