DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Do I Need WINS? Direct Hosted SMB (DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm

Ace Fekay again!!!!

Compiled 8/13/2018

I know everyone always has trouble with this topic, as in why doesn’t DNS fail over on the client, especially when I’ve set four or five DNS addresses on it??? Why!!!

Because it doesn’t work that way! And NO, it’s not a “Microsoft” client thing or server thing; it’s based on the client side resolver service, defined as an industry standard that all manufacturers’ (Microsoft, Apple, Unix flavors, Android, etc.) operating systems follow, including your phone.

Topics Covered

========================================

1. DNS & WINS Resolution Process

Keep in mind, Windows 2000 and newer machines use the DNS (hostname) process FIRST, before the NetBIOS resolution process. If the name does not get resolved using the DNS process, then they use the NetBIOS process. Legacy pre-Windows 2000 clients, such as Windows NT, Windows 98, Windows 95, Windows 3.1, DOS, etc., use the NetBIOS process FIRST if the queried name is less than 15 characters, and if not, they use hostname (DNS) resolution. If it is shorter than 15, it will use NetBIOS, but if the name doesn’t get resolved using NetBIOS, only then will it use the DNS hostname resolution process.
 
If you are using an NBNS (NetBIOS Name Server, such as WINS), that changes it a bit, and it also depends on what node type the client is in. H-Node is the default, but the order can be changed with a registry change. There are four NetBIOS node types:

B-Node – Broadcast ONLY
P-Node – NBNS (NetBIOS Name Server) or WINS ONLY
M-Node – Mixed NBNS and Broadcast, but uses Broadcast FIRST.
H-Node – Mixed NBNS and Broadcast, but uses WINS FIRST.

Windows 2000 and newer – hostname (DNS or hosts file) resolution is used first, before NetBIOS (WINS enabled):

  1. Checks its own name.
  2. Local hostname (DNS client side resolver) cache
  3. HOSTS file
  4. DNS (this is where the search suffix comes in play if a single name query)
  5. NetBIOS name cache
  6. WINS
  7. Broadcast
  8. LMHOSTS

Windows 2000 and newer – If not using WINS:

  1. Checks its own name.
  2. Local hostname (DNS client side resolver) cache
  3. HOSTS file
  4. DNS (this is where the search suffix comes in play if a single name query)
  5. NetBIOS name cache
  6. Broadcast
  7. LMHOSTS

Prior to Windows 2000 (ME, 95, DOS, 3.1, etc.), NetBIOS was tried first, essentially as follows if using WINS:

  1. Is name longer than 15 characters? If so, perform Hostname (DNS) resolution process. If not, continue…
  2. Checks its own name.
  3. NetBIOS name cache
  4. WINS
  5. Broadcast
  6. LMHOSTS files
  7. Local hostname (DNS client side resolver) cache
  8. HOSTS file
  9. DNS (this is where the search suffix comes in play if a single name query)

If NetBIOS is disabled, which only disables the NBT transport and interface, TCP will still use DirectSMB (also called Direct Hosted SMB) in Windows 2000 or newer. If both the direct hosted and NBT interfaces are enabled, both methods are tried at the same time and the first to respond is used. This allows Windows to function properly with operating systems that do not support direct hosting of SMB traffic.

Regarding DirectSMB,

Quoted from Aiden Cao, Microsoft, 2/6/2012 in thread:
TechNet Thread question: “Netbios Session Service and SMB” 2/5/2012
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e03e2d52-0761-451a-91e8-40955172f460/

“Previous to Windows 2000, Microsoft OS could only use SMB over a NetBIOS session. This means that all SMB traffic will start after a NetBIOS session is established. It relies on TCP port 139. If we disabled NetBIOS over TCP/IP, the SMB connectivity was interrupted.

At Windows 2000 and higher versions, the OS supports both NetBIOS sessions and Direct Hosting. And Direct Hosting of SMB over TCP uses TCP port 445. Since Direct Hosting is not reliant on NetBIOS, NetBIOS over TCP/IP can be disabled and connectivity to resources via SMB is still possible to other machines, with the only caveat being legacy apps that rely on NetBIOS.”

Direct hosting of SMB over TCP/IP – Removing WINS and NetBIOS broadcast as a means of name resolution. DirectSMB uses TCP 445… Direct-hosted SMBs cannot be disabled in Windows without disabling additional features…
http://support.microsoft.com/kb/204279

More on the client side resolver:

How DNS works, March 28, 2003
Client side process order, etc.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc772774(WS.10).aspx#w2k3tr_dns_how_gaxc

How NetBIOS name resolution really works, By Robert L. Bogue, March 11, 2003
http://www.techrepublic.com/article/how-netbios-name-resolution-really-works/5034239

DNS Hostname Resolution Flowchart:

The following information was quoted from:
Chapter 7: Host Name Resolution
http://technet.microsoft.com/en-us/library/bb727005.aspx
(Image 1): http://technet.microsoft.com/en-us/library/Bb727005.chp7hn01_big(en-us,TechNet.10).gif

Second two images from this link:
Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx
(Image 2): http://i.technet.microsoft.com/Cc940063.CNBC05(en-us,TechNet.10).gif
(Image 3) http://i.technet.microsoft.com/Cc940063.CNBC05B(en-us,TechNet.10).gif

NetBIOS Name Resolution Process:

The following two images are quoted from:

Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx

Resolution Process Related Links:

Hostname Resolution – Describes DNS domain name resolution
http://technet.microsoft.com/en-us/library/cc958812.aspx

NetBIOS and Hostname resolution for Microsoft Client and LAN Manager 2.2c Client:
http://support.microsoft.com/kb/169141/EN-US/

Name Resolution Process in detail:
http://www.comptechdoc.org/os/windows/wintcp/wtcpname.html

(This was Updated 1/2012 to reflect Windows 7 & Windows 2008 R2 changes)


========================================

2. Browser service without WINS across subnets

It appears to say that if all machines are Windows 2000 and newer (nothing older), AD provides NetBIOS resolution for all clients. But it doesn’t say how it goes about doing that. It goes on to say that the backup browsers and master browsers for each segment over a WAN communicate with the PDC, which is the browse master for a domain, over UDP 138, which means that AD has a role in this, but it is not specific. What appears to be happening is that an AD client uses DirectSMB over 445, but I’m not sure. I cannot find anything on the mechanism. I’m one to want to know and learn the background functions of anything. This is not necessarily so with non-AD clients.

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001

Common causes and solutions of browser Event ID 8021 and Event ID 8032 on domain master browsers
http://support.microsoft.com/kb/135404

Troubleshooting the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188305

New Networking Features in Windows Server 2008 and Windows Vista (scroll down and read the “Computer Browser Service” section and its mention that the Computer Browser needs to be running on the PDC Emulator of a domain):
http://technet.microsoft.com/en-us/library/bb726965.aspx

Windows 2008 – Appendix C – Computer Browser Service
http://technet.microsoft.com/en-us/library/bb726989.aspx


========================================

3. Do I need WINS?

That’s an extremely good question. The answer is, it depends. It depends on what apps and services are currently running that require NetBIOS name resolution support.

For example, unless it’s been recently changed, Symantec Backup Exec needs it to ‘browse’ for the agent in the network browse list. Therefore, Backup Exec currently uses NetBIOS to assemble a list of all machines on a network to allow you to back up remote computers whether the agent is installed or not, giving you the option to install the backup agent.

So it depends on what YOU have running.

For example, some AV solutions, such as McAfee Enterprise, Symantec, and CA, use NetBIOS to “find” all machines on the network to allow you to roll out installations and administer them.

Therefore, you must inventory your infrastructure for applications and services that use NetBIOS. If I may suggest, make sure there are no applications running that rely on NetBIOS, such as SQL, Exchange, Network Neighborhood browsing, printer browsing, etc., before pulling WINS out.

And yes, keep in mind Exchange 2000/2003 and Outlook communications require WINS for certain functions, such as Calendaring. This was removed from Exchange 2007 and 2010, which use a different mechanism.

Here are some relevant links:

Exchange Server 2003 and Exchange 2000 Server require NetBIOS name resolution for full functionality
http://support.microsoft.com/kb/837391

Eileen Brown’s WebLog: Exchange 2003 and WINS
http://blogs.technet.com/eileen_brown/archive/2006/01/26/exchange-wins.aspx

WINS dependencies in Exchange 2003 Server
Summary of Microsoft’s implementation of WINS (Windows Internet Name Service). How even Exchange 2003 makes NetBIOS calls. Implications for a routed network.
http://www.computerperformance.co.uk/w2k3/services/WINS_exchange.htm

If you need WINS and want to learn how to install and configure it, please see the following:

WINS – What Is It, How To Install It, and how to Configure DHCP Scopes For WINS Client DHCP Distribution
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

How To Install a WINS server:
http://technet2.microsoft.com/windowsserver/en/library/e4d3c3d8-a846-49b9-aac6-e04f2907aac51033.mspx

WINS Best Practices (Use ONLY itself in ip properties):
http://technet2.microsoft.com/windowsserver/en/library/ed9beba0-f998-47d2-8137-a2fc52886ed71033.mspx


========================================

4. Disabling the Browser service, NetBIOS

Just be careful on what you disable. The effects of disabling certain services depend on the operating system version and its role. Disabling a necessary service may disable certain necessary functions on a machine. See section 3 above regarding apps that may be using or need NetBIOS support.

1. You can disable this service on a machine in a domain environment. It dictates whether the machine participates in becoming an eligible master browser on a subnet. Understanding what that means requires some reading.

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001

What’s the Microsoft Computer Browser Service?
Disable NetBIOS in W2K/XP/2003 · Hide a Server from the Microsoft Computer Browser … Malicious User Can Shut Down Computer Browser Service:
www.petri.co.il/whats_the_microsoft_computer_browser_service.htm

Computer Browser Service
http://www.theeldergeek.com/computer_browser.htm

2. Leave that running. You need it. It works for all versions of NTLM.

NTLM Security Support Provider.
NTLM SSP is based on Microsoft Windows NT® LAN Manager challenge/response and NTLM version 2 authentication …
http://msdn.microsoft.com/en-us/library/ms925943.aspx

3. If you disable the TCP NetBIOS Helper, you will not be able to map any drives or printers using NetBIOS names or FQDN.

“Network Location Cannot be Reached” Error Message When You Try to … To resolve this issue, start the TCP/IP NetBIOS Helper Service, and then join the domain.

To start the NetBIOS Helper Service, follow these steps:
http://support.microsoft.com/kb/329866

4. One big piece of advice – do not disable the DHCP Client service on any server, whether the machine is a DHCP client or statically configured. Somewhat of a misnomer, this service performs Dynamic DNS registration and is tied in with the client resolver service. If disabled on a DC, you’ll get a slew of errors, and no DNS queries will get resolved.

No DNS Name Resolution If DHCP Client Service Is Not Running. When you try to resolve a host name using Domain Name Service (DNS), the attempt is unsuccessful. Communication by Internet Protocol (IP) address (even to …
http://support.microsoft.com/kb/268674

Windows Vista/2008 and newer, the DNS Client service is now responsible for Dynamic Updates

This has changed in Windows Vista, Windows 2008, Windows 7 and Windows 2008 R2 – it no longer uses the DHCP Client Service. It now uses the DNS Client Service.

For Windows 2000/2003/XP, the DHCP Client Service is what performs the Dynamic DNS Update process. For Windows 2008/Vista/2008 R2/Windows 7 and all newer operating systems, it is now the DNS Client Service.

Specific details can be found in the following link:

Understanding Dynamic Update, Applies To: Windows Server 2008, Windows Server 2008 R2 (and changes to the DNS Update process from previous operating systems)
http://technet.microsoft.com/en-us/library/cc771255.aspx

Quoted from above article:

“The DNS Client service and the DNS Server service support the use of dynamic updates, as described in Request for Comments (RFC) 2136, “Dynamic Updates in the Domain Name System.” 
The documentation after that indicates the DHCP Client service, but please ignore that. There are a few of us in touch with the dev group about the documentation, and it will be cleared up.
The point is the DHCP Client service is no longer responsible for updates.

DHCP (Dynamic Host Configuration Protocol) Basics
http://support.microsoft.com/kb/169289


========================================

5. DNS Client side Resolver service Query Process

The Client Side Resolver Service algorithm on all Windows 2000 and newer machines:

To summarize:

If the first entry responds but doesn’t have an answer, which is what we call an NXDOMAIN response (the DNS server doesn’t have an answer, but it responded), the resolver won’t go to the second entry, because it got an answer, even though it is not the answer we wanted.

If the DNS server does not respond, which we call a NULL response (the DNS server is down and doesn’t respond), the resolver will go to the subsequent entries in the order entered, but only after a time out period, or TTL, which can last 15 seconds or more as it keeps trying the first one. At that point it REMOVES the first entry from the “eligible resolvers” list, until the list is reset: either after 15 minutes, or when you restart the DHCP Client Service (on 2000/2003/XP), clear the cache (ipconfig /flushdns), restart the DNS Client Service (on 2008/Vista and all newer), or restart the machine.


For specifics, the Microsoft DNS Whitepapers is a good start. Here’s more:

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760

Technet Thread: “problem with secondary dns”
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/8fc4597c-d64e-4a87-9cfe-5fe159df5735/


Other references:

How to Disable Client-Side DNS Caching in Windows XP and Windows …Oct 12, 2007 …
To disable the DNS cache permanently in Windows, use the Service Controller tool or the Services tool to set the DNS Client service startup …
http://support.microsoft.com/kb/318803

How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003 (Read the part about the client side resolver algorithm and the client side resolver service timeout when querying multiple DNS entries)
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

How DNS query works Domain Name System(DNS):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/0bcd97e6-b75d-48ce-83ca-bf470573ebdc.mspx

DNS Resolver Cache Service [including NetFailureCacheTime and NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp

286834 – DNS Client Service Doesn’t Revert to Using First Server in List [explained in the DNS white papers] reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834

261968 – Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968

SP4 Changes DNS Name Resolution – Actual Query Timeout settings the resolver uses – (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550

Linux and Unix client resolvers work pretty much the same:

That is correct, this behavior ALSO applies to non-Microsoft operating systems’ client side resolvers, such as the Linux/Unix client side resolver.

Thread: Re: Complex DNS Resolver Question – DNS
http://fixunix.com/dns/220126-re-complex-dns-resolver-question.html

Quoted from the above link:
“If the hostname is not found, then you want to query a local nameserver to locate the information. That is not how DNS operates. If a queried nameserver is inaccessible, then DNS will query another nameserver, providing that there is a second nameserver configured. But if the first nameserver returns NXDOMAIN (the record you requested is not in DNS), then the result returned to the client is NXDOMAIN. The DNS protocol is not set up to look elsewhere for the record, especially if the first nameserver returns NXDOMAIN authoritatively.”

Client Side Options If a DC goes down:

Run the following command line to fix this problem on your Active Directory clients by emptying the DC Locator cache (replace “DomainName” with the Fully Qualified Domain Name (FQDN) of your Active Directory domain):
nltest /dsgetdc:DomainName /force

More on this:

Domain Controller Stickiness Prevention
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/06/24/domain-controller-stickiness-prevention.aspx

AD Clients Not Authenticating to its Local Site
http://blogs.dirteam.com/blogs/paulbergson/archive/2010/04/19/ad-clients-not-authenticating-to-its-local-site.aspx


========================================

6. DNS Forwarder Resolution and the Time Out Process

Information on how a DNS Forwarder time-out works when using multiple Forwarders:

Keep in mind, if you have too many forwarders listed, and only one is recommended (I believe 6 is the most it will use), the client side resolver may time out waiting for the 4th forwarder to get queried and will go to the next DNS server listed in the client’s IP properties.

Configure a DNS server to use forwarders (you can change the time-out period)
http://technet.microsoft.com/en-us/library/cc773370.aspx

Good post by Kevin Goodnecht explaining the forwarders time out and scenarios with too many Forwarders listed.
http://help.lockergnome.com/windows2/Strange-forwarding-issues-ftopict482618.html

Quoted from above link:

“Actually, the DNS service will stick to the Forwarder that provides an answer, no matter where it is in the list, if one forwarder times out (no answer) it will move to the next forwarder in the list, if the next forwarder provides an answer it uses it until it times out. The problem for you is, that it may not get back around to the first forwarder, before the Forwarding timeout expires, and it starts using recursion itself and goes to the root hints.

Now, if you check the box “Do not use recursion” the DNS server will use only its forwarders, and will not use root hints. But this cannot guarantee that one of the other servers being used as a forwarder answer the query.

I recommend that if there is a domain that cannot be reached through the internet root, that you add a secondary zone for that domain on the Win2k DNS server.”

Comment on Forwarders:

DNS acts as a resolving client when it uses a Forwarder because, as the explanation indicated, it is sending the request elsewhere, essentially offloading the request so it doesn’t have to hit the Roots to devolve the query. If there are multiple Forwarders, DNS will hit each Forwarder. Only if it runs out of Forwarders will it use the Roots, unless the checkbox to disable recursion is set under the Forwarders tab (not the Advanced tab). But all of that takes time. Keep in mind there is a time out that a client will wait. So if the original client request that was sent to your DNS server is waiting beyond the time out period, because the DNS server is still waiting on its own resolution request to a Forwarder, and no response is received before the time out is reached, the client will assume that the DNS address it used is no good, will remove it from the ‘eligible resolvers list’, and will then query the second one.

If a DNS server that is set as a Forwarder is no longer functioning, or if whoever owns the server decides to disable Recursion, which will make it not respond to queries for zones it does not host (effectively making it a content-only server), or is controlling it by “views” (a BIND feature to control what subnets it responds to for queries), then the DNS service will follow a time-out (TTL or Time to Live) algorithm when it sends the query to the first Forwarder in the list. If there is no response (NULL response) after the TTL, it eliminates that Forwarder for this query only, and it will then send the query to the next Forwarder in the list. If none of the Forwarders respond, the DNS service will then send the query to the Root Hints to devolve the query.

Now – and this is an important “now” – if there are many DNS servers listed in the Forwarders list, such as 3 or 4, the total time out for the number of Forwarders listed may exceed the timeout (TTL) that the client side resolver service is set to by default (on the client machine making the request), and the user receives that familiar ‘HTTP 404 not found’ in the browser.

For practical purposes, understanding the TTLs, I would suggest never setting more than two Forwarders.

To find out if a DNS server will respond to queries and is eligible to use as a Forwarder, you can test it by using the nslookup utility (use the set -d2 option and look for ‘recursion available’ or ‘recursion not available’).

So for all practical purposes, I never set more than two Forwarders, otherwise what’s the use? If the first two can’t resolve it, it probably is not resolvable anyway.
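The forwarder behaviour described in this section, as an added Python model (constructed for this page, not the DNS service’s code and not from the original post): the server sticks to the forwarder that last answered, skips a silent forwarder for the current query only, falls back to root hints unless recursion is disabled, and the worst-case wait of a long forwarder list is compared against the client side resolver’s per-server timeout. The forwarder names, the 5-second per-forwarder wait and the 15-second client timeout are constructed values, not Windows defaults.

```python
class ForwardingServer:
    """Model of a DNS server's forwarder handling (illustration only)."""

    def __init__(self, forwarders, forward_timeout=5, use_root_hints=True):
        self.forwarders = list(forwarders)
        self.forward_timeout = forward_timeout  # seconds waited per non-responding forwarder (constructed)
        self.use_root_hints = use_root_hints    # False models the "Do not use recursion" checkbox
        self.preferred = 0                      # index of the forwarder that answered last ("sticky")

    def resolve(self, name, upstream):
        """upstream(forwarder, name) -> answer string, or None when the forwarder does not respond.

        Returns (source, answer, seconds_spent_waiting).  An "NXDOMAIN" string from a
        forwarder counts as an answer: the forwarder responded, so we do not move on.
        """
        waited = 0
        n = len(self.forwarders)
        for k in range(n):
            idx = (self.preferred + k) % n      # start at the sticky forwarder, then rotate
            fwd = self.forwarders[idx]
            answer = upstream(fwd, name)
            if answer is None:
                waited += self.forward_timeout  # no response: skip it for this query only
                continue
            self.preferred = idx                # stick with whoever answered
            return fwd, answer, waited
        if self.use_root_hints:
            # Every forwarder stayed silent: recurse from the root hints ourselves.
            return "root-hints", "recursed", waited
        return "none", None, waited

    def worst_case_wait(self):
        """Seconds spent if every forwarder in the list stays silent."""
        return len(self.forwarders) * self.forward_timeout


def client_gives_up_first(server, client_timeout=15):
    """True when a silent forwarder list outlasts the client side resolver's per-server
    wait (15 seconds in the post), i.e. the client drops this DNS server and moves on."""
    return server.worst_case_wait() > client_timeout


# Constructed upstream: f1 and f2 never answer (down or recursion refused); f3 and f4 do.
def upstream(fwd, name):
    if fwd in ("f1", "f2"):
        return None
    return "NXDOMAIN" if name == "nosuchhost" else f"{name} -> 203.0.113.10 (via {fwd})"


def demo():
    four = ForwardingServer(["f1", "f2", "f3", "f4"])
    first = four.resolve("www.example.com", upstream)   # 10 s lost on f1 and f2, then f3 answers
    second = four.resolve("nosuchhost", upstream)       # sticky: f3 is asked first, answers at once
    two = ForwardingServer(["f1", "f2"], use_root_hints=False)
    strict = two.resolve("www.example.com", upstream)   # nothing answers and no root-hint fallback
    return four, first, second, two, strict


if __name__ == "__main__":
    four, first, second, two, strict = demo()
    print(first, second, strict)
    print("4 forwarders exceed the client timeout:", client_gives_up_first(four))
    print("2 forwarders exceed the client timeout:", client_gives_up_first(two))
```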


========================================

7. If one DC or DNS server goes down, why can’t I logon to the other DC or not use the second DNS address to find another DC?

Which begs the eternal philosophical question:
If a Domain goes down in a forest, and there’s nobody there, did it crash?

Keep in mind that if any of the DCs are multihomed (more than one NIC and/or IP), you are using your ISP’s DNS, or the domain is a single label name (‘domain’ versus the recommended minimum of ‘domain.com,’ ‘domain.local,’ etc.), other problems will occur, and you will get unexpected and undesirable results whether there is one DC down or not.

As for the second DC responding, this all depends on the DNS settings on the client side, as well as whether the previous logon server and record were cached.

It will use the second address, but only after the timeout period during which the client is waiting for a response from the first server. You need to understand how the client side resolver works. As stated above in section #5:

  • If the first entry responds but doesn’t have an answer, which is what we call an NXDOMAIN response (the DNS server doesn’t have an answer, but it STILL responded), the resolver won’t go to the second entry, because it got an answer, even though it is not the answer we wanted.
  • If the DNS server does not respond, which we call a NULL response (the DNS server is down and doesn’t respond), the resolver will go to the subsequent entries in the order entered, but only after a time out period, or TTL, which can last 15 seconds or more as it keeps trying the first one. At that point it REMOVES the first entry from the “eligible resolvers” list, until the list is reset: after 15 minutes, or after you clear the client side cache (ipconfig /flushdns), restart the DHCP Client Service (on 2000/2003/XP), restart the DNS Client Service (on 2008/Vista and all newer), or restart the machine.


To put it another way:

If the query sent to the first entry in the DNS list gets an NXDOMAIN response, meaning it is an actual response but there is no record on the server it asked, then the resolver will look no further, because it is a response. However, if it receives a NULL response, meaning the DNS server is down and there is no response, it will remove the first entry from the ‘eligible resolvers list’ for a certain amount of time (depending on the OS version and SP level), then send the query to the second one. However, if the record is already cached, it won’t even ask the first entry. Hence the possibility that the client machine is asking a DC that is down.

Summary:

As I mentioned, this is ALL based on the client side resolver, not the DNS server. This time out period can be perceived by someone sitting there waiting as ‘it’s not working,’ because it appears to be taking so long. Also, if the record is already cached locally by the client side service, it will not ask and will send the connection request to the cached record; if that is the server that is down, then it can’t connect anyway and gets no response, but you may be sitting there expecting it to go to the other DC that is up. The way to reset the list is to restart the DHCP Client service (not the DHCP server) on the workstation, and the way to delete the cache on the client is to run ipconfig /flushdns, or simply restart the machine.
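The resolver behaviour from section 5 and restated in this section, as an added Python model (constructed for this page, not Microsoft’s resolver code): the ordered server list, NXDOMAIN versus NULL handling, the “eligible resolvers” list with a 15-second wait on a dead server and a 15-minute reset, and the client cache that only a flush or service restart clears. The server names, zone contents and clock values are constructed for the demo; the timings are the ones quoted in the post.

```python
import enum


class Reply(enum.Enum):
    ANSWER = "answer"      # server responded with a record
    NXDOMAIN = "nxdomain"  # server responded, but has no such record
    TIMEOUT = "timeout"    # server never responded (the "NULL response" above)


class ClientResolver:
    """Model of the client side resolver's server-list handling (illustration only).

    `servers` is the list as entered in IP properties, in order.  A server that
    times out is dropped from the eligible list for `reset_after` seconds; a
    server that responds (ANSWER or NXDOMAIN) ends the query, so no failover.
    """

    def __init__(self, servers, per_server_timeout=15, reset_after=15 * 60):
        self.servers = list(servers)
        self.per_server_timeout = per_server_timeout  # seconds burned waiting on a dead server
        self.reset_after = reset_after                # seconds until a dropped server is retried
        self.dropped = {}    # server -> clock time at which it left the eligible list
        self.cache = {}      # name -> (Reply, ip); positive and negative answers both cached
        self.queries = []    # (server, name) log of who was actually asked

    def eligible(self, now):
        """Servers still eligible at clock time `now` (expired drops are reinstated)."""
        for server, when in list(self.dropped.items()):
            if now - when >= self.reset_after:
                del self.dropped[server]
        return [s for s in self.servers if s not in self.dropped]

    def flushdns(self):
        """Models ipconfig /flushdns or a DHCP/DNS Client service restart: cache and list reset."""
        self.cache.clear()
        self.dropped.clear()

    def resolve(self, name, now, backend):
        """Resolve `name` at clock time `now`; backend(server, name) -> (Reply, ip or None).

        Returns (Reply, ip, seconds_spent_waiting).
        """
        if name in self.cache:
            # Cached record: nobody is asked, even if the cached IP belongs to a dead DC.
            reply, ip = self.cache[name]
            return reply, ip, 0
        waited = 0
        for server in self.eligible(now):
            self.queries.append((server, name))
            reply, ip = backend(server, name)
            if reply is Reply.TIMEOUT:
                waited += self.per_server_timeout
                self.dropped[server] = now + waited   # removed from the list; try the next entry
                continue
            # ANSWER or NXDOMAIN: the server responded, so the resolver stops right here.
            self.cache[name] = (reply, ip)
            return reply, ip, waited
        return Reply.TIMEOUT, None, waited


# Constructed scenario: dc1 (first entry) is down, dc2 is up and hosts one A record.
ZONE = {"dc2": {"fileserver1": "10.0.0.5"}}


def backend(server, name):
    if server == "dc1":
        return Reply.TIMEOUT, None
    ip = ZONE.get(server, {}).get(name)
    return (Reply.ANSWER, ip) if ip else (Reply.NXDOMAIN, None)


def demo():
    """Walk the timeline from the post: timeout, drop, go straight to dc2, 15-minute reset."""
    r = ClientResolver(["dc1", "dc2"])
    first = r.resolve("fileserver1", now=0, backend=backend)       # dc1 times out, dc2 answers
    cached = r.resolve("fileserver1", now=5, backend=backend)      # served from cache, no query
    second = r.resolve("printer", now=20, backend=backend)         # dc1 dropped: only dc2 asked
    later = r.resolve("printer2", now=20 + 15 * 60, backend=backend)  # list reset: dc1 retried
    return r, first, cached, second, later


def nxdomain_does_not_fail_over():
    """An NXDOMAIN from the first entry is an answer: the second entry is never consulted."""
    r = ClientResolver(["dc2", "dc3"])
    result = r.resolve("nosuchhost", now=0, backend=backend)
    return result, r.queries


if __name__ == "__main__":
    r, first, cached, second, later = demo()
    print(first, cached, second, later)
    print(r.queries)
    print(nxdomain_does_not_fail_over())
```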

Or simply disable the DNS Client Side caching mechanism. It’s not suggested to do this due to performance and especially if you have many machines in the infrastructure. However for testing, you can give it a shot:

How to Disable Client-Side DNS Caching in Windows XP and Windows …Oct 12, 2007 …
To disable the DNS cache permanently in Windows, use the Service Controller tool or the Services tool to set the DNS Client service startup …
http://support.microsoft.com/kb/318803


========================================

8. What happens with Exchange and Outlook when when DNS goes down?

Exchange uses its own fault tolerant service, DSAccess, that is responsible for providing directory information to Exchange servers. DSAccess fires every 15 minutes and will change the server it relies on, on its own, through its DC/DSAccess location process. For more info on its process, see:

Directory service server detection and DSAccess usage
http://support.microsoft.com/kb/250570

But in addition, this goes back to depending on the client side resolver as well, which I covered above under “If one DC is down, why does it not logon to the other DC? Or if the first DNS is down, will it use the second DNS to find another DC to logon?”

Also with Exchange involved, it becomes a little trickier. Keep in mind, when Outlook 2002 and newer first connects, it is provided a DSProxy value for the GC that Exchange is using. Outlook will then cache it. If the GC goes down, even if there are other GCs up, Outlook will not ‘look’ for another GC. You have to literally restart Outlook. As for Exchange, Exchange will lock onto that GC as well, and if it goes down, it will indicate so in the event logs with numerous DSAccess errors until the GC is back up. The only way to circumvent that is to go into Exchange and manually change the DC/GCs it discovered with the automatic discovery process, switching it to manual and removing the downed GC. But the Outlook clients will still need to be restarted. And if you have multiple Exchange servers, it needs to be done on each one. If you have ISA, it needs to be restarted. Otherwise, it’s best to get the GC back up, and the Exchange errors will disappear; however Outlook will still have a problem.

I’ve seen this while working in a 5000 user system with 20 Exchange servers. It was due to the AD group running Windows updates on the DCs. We talked them into doing it after hours. It was a pain. If you have BES servers, they need to be restarted after the GC is back up, too.

Keep in mind as well, that other Exchange related applications that rely on MAPI just as Outlook, such as BES servers (Blackberry Enterprise Server), need to be restarted for them to reinitialize.

Keep in mind too, that in a single domain scenario, all DCs should be Global Catalogs. If there is more than one domain in the forest (child domains), then the IM (Infrastructure Master) role cannot be on a GC. If Exchange is involved, access to Exchange may be affected by the GCs and DCs it’s been configured to use, and whether they are down or not. This would not be a DNS function; rather it is the DSAccess and DSProxy function on Exchange.

I hope that makes sense.

Also, I am providing some links on it. Sorry about all the links, but they will give you a better understanding of it and how it applies. They each give a little, but in some cases not the whole picture. The DNS Whitepaper is pretty good to start with.


========================================

9. Client side DNS Devolution on Windows 7 and Windows 2008 R2

Devolution is when the parent suffix is derived from a child suffix. For example, if a machine is joined to a child domain “sales.test.com,” then “test.com” is devolved from “sales.test.com.”
 
Therefore, if “fileserver1” is not resolved in “sales.test.com,” the client side resolver service on a client (keep in mind, DCs are DNS clients, too) will attempt to resend the query with the parent suffix.
 
It is best to design your forest infrastructure with unique hostnames, so if “fileserver1” doesn’t exist in a child, it doesn’t exist anywhere else. Having a computer named “fileserver1” in a child domain and another one in a different domain is not good practice, nor is it a best practice. Uniqueness is the key across a forest.

DNS Devolution
Published: October 21, 2009, Updated: July 7, 2010, Applies To: Windows 7, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ee683928(WS.10).aspx

Quoted:
Devolution is not enabled in Active Directory domains when the following conditions are true:
  1. A global suffix search list is configured using Group Policy.
  2. The Append parent suffixes of the primary DNS suffix check box is not selected on the DNS tab in the Advanced TCP/IP Settings for IPv4 or IPv6 Internet Protocol (TCP/IP) Properties of a client computer’s network connection. Parent suffixes are obtained by devolution.


========================================

10. How does resolution work in a multi-domain forest (with child domains)?

If you have a hostname record, for example called “Computer,” in both the parent domain and child domains, nslookup will resolve the IP address of hostname.domain.local without querying or using the child domain suffix. This is part of the devolution process that starts with the higher level domain and works down. The devolution to the upper hierarchical levels is limited to the forest root domain level in the forest.

For example, if you have a forest root of ad.domain.local, and you have a child domain called child.ad.domain.local, the client side resolver will limit devolution of its joined domain to the forest root domain, will not go any higher, and will not devolve or populate domain.local as a Search Suffix, since that domain name does not exist in the forest.

Therefore, if you have a DNS suffix search list, the resolver adds those DNS suffixes in order and does not try any other domain names. In this case, if you submit the unqualified name ‘Computer,’ the resolver queries in order for the following FQDNs:

  • hostname.domain.local
  • hostname.child.domain.local

Based on the example, below shows that such a client in this scenario will only devolve the following two, and not “domain.local,” as was previous to Vist/2008.

  • child.ad.domain.local
  • ad.domain.local
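
As an added example (not part of the original post), the following PowerShell function builds the candidate list the client-side resolver walks for a single-label name under the rules just described: an explicit search list disables devolution, otherwise the primary DNS suffix is devolved one label at a time down to the forest root. The host name, suffixes and the boundary value are placeholders.

```powershell
function Get-ResolverCandidateList {
    # Returns the FQDNs a Windows client-side resolver tries, in order, for an unqualified name.
    # Added illustration, not code from the original post.
    param(
        [Parameter(Mandatory)][string]$Name,       # unqualified name, e.g. 'computer1'
        [string]$PrimaryDnsSuffix = '',            # from ipconfig /all
        [string]$DevolutionBoundary = '',          # forest root domain; '' = legacy behaviour (devolve down to 2 labels)
        [string[]]$SearchSuffixList = @()          # explicit list (GPO or NIC) disables devolution
    )
    $candidates = [System.Collections.Generic.List[string]]::new()

    if ($SearchSuffixList.Count -gt 0) {
        # Search list configured: only these suffixes, exactly in this order
        foreach ($s in $SearchSuffixList) { $candidates.Add("$Name.$s") }
        return $candidates
    }
    if (-not $PrimaryDnsSuffix) { return $candidates }

    # Devolution: primary suffix first, then strip the leftmost label until the boundary is reached
    $suffix = $PrimaryDnsSuffix
    $candidates.Add("$Name.$suffix")
    while ($suffix -ne $DevolutionBoundary -and $suffix.Contains('.')) {
        $suffix = $suffix.Substring($suffix.IndexOf('.') + 1)
        if ($suffix.Split('.').Count -lt 2) { break }   # never devolve to a single label
        $candidates.Add("$Name.$suffix")
    }
    return $candidates
}

# Client joined to child.ad.domain.local, forest root ad.domain.local (Windows 7/2008 R2 and newer):
# computer1.child.ad.domain.local, computer1.ad.domain.local
Get-ResolverCandidateList -Name 'computer1' -PrimaryDnsSuffix 'child.ad.domain.local' -DevolutionBoundary 'ad.domain.local'

# Same client with the legacy behaviour: computer1.domain.local is tried as well
Get-ResolverCandidateList -Name 'computer1' -PrimaryDnsSuffix 'child.ad.domain.local'

# Explicit search list: devolution is off, so the order is whatever the list says and nothing else
Get-ResolverCandidateList -Name 'computer1' -SearchSuffixList 'ad.domain.local', 'child.ad.domain.local'
```

On Windows 8/2012 and newer, Get-DnsClientGlobalSetting shows the live values to feed into the function (SuffixSearchList, UseDevolution and DevolutionLevel; a DevolutionLevel of 0 means the boundary is derived from the forest root domain).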

More info on this behavior:

Host Name Resolution Order
  http://support.microsoft.com/kb/172218/en-us  
 
  Configuring Query Settings:
  http://technet.microsoft.com/en-us/library/cc959339.aspx 

DNS client name resolution behavior in windows vista VS Windows XP
  http://blogs.technet.com/b/networking/archive/2009/04/16/dns-client-name-resolution-behavior-in-windows-vista-vs-windows-xp.aspx 
 
 


========================================

11. Troubleshooting the Browser Service

Keep in mind that each subnet elects its own master browser, and the master browsers work together with the WINS service (if WINS is in use) to enumerate an infrastructure-wide browse list. Without WINS the browser service relies on broadcasts, so in a multi-subnet environment where you want full browsing, you should use WINS.

When troubleshooting the browser service, remember that there is a waiting period before the list is fully enumerated and available on the master.

A good example is when a server on a segment is shut off and a workstation takes over, or the server is rebooted, wins the election, and begins a new cycle of enumerating the browse list from WINS and/or broadcasts. This can take a minimum of 12 minutes and up to the 48-minute full propagation cycle in a multi-segment domain environment.

The default out-of-the-box settings work fine; otherwise you will find yourself changing registry entries on multiple servers.

If you find workstations becoming masters, are there any server operating systems on their subnets? If not, a workstation will win the election. If there is a server OS on the subnet and it is not multihomed, especially a DC that is not multihomed (multihoming a DC is a really bad idea), it should win, unless something is wrong with the machine itself, such as antivirus or a host firewall blocking the browser traffic (NetBIOS datagrams on UDP 138).

Some basic things to look for and use:

  1. Make sure the Computer Browser service is Started.
  2. Make sure NetBIOS is enabled on everything.
  3. On Windows 2003 and 2000, install the Support Tools (from the Windows CDROM) in order to have the “browstat” utility available. In Windows 2008 and newer, the utility is already installed as part of the operating system files.

Multihomed DC?

Note: A multihomed DC is a major cause of browser problems. Multihoming DCs is not recommended for multiple reasons, including the “multihomed browser” scenario. More on multihoming and why not to do it:

Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters – A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly.
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

Browser Troubleshooting Steps

Antivirus software can block browser traffic. This of course assumes the Computer Browser service is running.

Run browstat status to see who the master browser is for the segment. The PDC Emulator is the domain master browser, and on each segment a Windows server should win the local election; if some other device has won, that is a likely cause of the problem.

To check current status of the browse service on the domain, run:

 browstat status

You should get a response similar to:

Browsing is active on domain.
  Master browser name is: <serverName>

Note that the current master browser will be one of the following, depending on which machine types exist on the segment: the PDC Emulator, a replica DC on the segment, a member server, a joined workstation, a workgroup member, a Unix or Linux box running Samba, and so on. If you find that an appliance is winning the election, disable that ability on the device (for Samba, set local master = no, domain master = no and preferred master = no in smb.conf). If the device has no such option, contact the vendor's support, or put the device on its own subnet or VLAN so it cannot win the election on the production network.

To find the current master browser on a segment, you need the browser transport name (the NetBT binding for the adapter):

First run:

 browstat getmaster \device\netbt_el59x1 <domainname>

This will error out because the transport “netbt_el59x1” probably does not exist, and the error lists the transports currently bound to the browser. Copy and paste the transport that does show up into your next command:

 browstat getmaster \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>

Force an election using that same transport:

 browstat elect \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>

Then check the System event log (source BROWSER) to see which machine won the election. I have found that Linux/Unix hosts running Samba, and devices such as a Seagate NAS, can win the election and cause browsing havoc within an environment, including the familiar but unwanted “Access Denied” when trying to browse.
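
The steps above, as an added PowerShell example that is not part of the original post: it derives the NetBT transport name from the adapter's interface GUID instead of guessing it, asks browstat for the segment master, checks whether that master is a DC, and pulls the browser's election events from the System log. It assumes browstat.exe is on the path and that the legacy Computer Browser service still exists on the host (it is absent from Windows builds that ship without SMB1); the adapter and domain names are placeholders.

```powershell
function Get-BrowserTransportName {
    # NetBT binds one browser transport per adapter, named after the adapter's interface GUID
    param([string]$AdapterName = 'Ethernet')
    $nic = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
    return '\Device\NetBT_Tcpip_{0}' -f $nic.InterfaceGuid
}

function Get-SegmentMasterBrowser {
    param(
        [Parameter(Mandatory)][string]$Domain,       # NetBIOS domain name, e.g. CONTOSO (placeholder)
        [string]$AdapterName = 'Ethernet'
    )
    $transport = Get-BrowserTransportName -AdapterName $AdapterName
    # browstat prints a line such as "Master browser name is: SERVER01"
    $out = & browstat.exe getmaster $transport $Domain 2>&1 | Out-String
    if ($out -match 'Master browser name is:\s*(\S+)') { return $Matches[1] }
    throw "browstat could not determine the master browser on $transport`: $out"
}

function Get-BrowserElectionEvents {
    # The Computer Browser service logs elections and rogue-master complaints under source BROWSER
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'BROWSER'; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage (placeholder domain): is the master on this segment one of our DCs?
$master = Get-SegmentMasterBrowser -Domain 'CONTOSO'
$dcs = (Get-ADDomainController -Filter *).Name          # requires the ActiveDirectory module
if ($master -in $dcs) {
    "Segment master browser is DC $master"
} else {
    Write-Warning "Master browser on this segment is $master, not a DC: look for a NAS, Samba host or multihomed box winning elections"
    Get-BrowserElectionEvents -Hours 48 | Format-Table -AutoSize -Wrap
}
```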

Troubleshooting the Microsoft Browser Services:
http://support.microsoft.com/kb/188305


========================================

Related Links

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx 

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760

ForwardingTimeout (registry settings)
http://technet.microsoft.com/en-us/library/cc940784.aspx

Appendix C: Windows Sockets and DNS Registry Parameters
For Resolver time out, see DNSQueryTimeouts
http://technet.microsoft.com/en-us/library/cc781532(WS.10).aspx

SP4 Changes DNS Name Resolution – Actual Query Timeout settings the resolver uses – (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550

How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc

DNSQueryTimeouts  – How to control the client side resolver time out value in the registry)
http://technet.microsoft.com/en-gb/library/cc977482.aspx

W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

DNS Resolver Cache Service [including NetFailureCacheTime and NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp

DNS Client Service Doesn’t Revert to Using First Server in List [explained in the DNS white papers] reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834

261968 – Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968



Summary

I hope this helps! If you have any questions, and I’m sure you do, please feel free to reach out to me.

Major revision – Published 3/20/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Mobility

As many know, I work with Active Directory, Exchange Server, and Office 365 as an engineer/architect, I am an MVP in Active Directory and Identity Management, and I am an MCT as well. I strive to perform my job to the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises, to help ease their jobs. Share the knowledge, is what I have always learned.

I have found there are many qualified and very informative websites that provide how-to blogs, and I am glad they exist and give due credit to the pros that put them together. In some cases when I had to research an issue, I just needed something specific that I could not find, or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day-to-day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.


Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Why do we ask for an ipconfig /all, when we try to help diagnose AD issues?

Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
www.delcocomputerconsulting.com

Ace here again. Yea, I had to post a blog about this because many people ask, why do you want that? Just for the IP address??

Nope. Not just for the IP.

Good question.

An ipconfig /all provides quite a bit of configuration data as a precursor to a diagnosis. Sometimes the results will help us fix the problem outright, but not always.

Many admins are reluctant to provide this sort of information, citing security reasons.

In some cases I sympathize and agree, but in many cases security really is not much of a concern: for one, your internal IP range is a private range, and two, you can substitute your actual internal domain name with something generic, such as replacing “microsoft.local” with “mydomain.local.” You should also substitute your DC names with something generic, such as dc-01, dc-02, etc. But definitely keep track of the substituted DC names in case we have additional questions about them.

Let’s take a look at each value in an ipconfig /all

Believe it or not, the results of an ipconfig /all has numerous information that helps us get an inside view of a DC’s basic network configuration, as well as basic service configuration.

Let’s break it down:

C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : company-dc-01

  • Name is under 15 characters – good for NetBIOS compatibility. Not a huge concern for many compani
  • Possibly indicates more than one DC, based on the –01 portion of the name

Primary Dns Suffix  . . . . . . . : company.com

  • The AD DNS domain name is not a single-label name.
  • In some cases we will also ask for the domain name shown in ADUC. If the name in ADUC does not match this suffix, the machine is in a disjoint namespace condition.

Node Type . . . . . . . . . . . . : Hybrid

  • If Hybrid is set, it tells me that WINS is in use.
  • Hybrid mode, specifically 0x8 (the value you would set for DHCP Option 046), tells the client-side resolver to use WINS first when resolving a single-label name and, if that fails, to try a broadcast. This only happens after DNS resolution fails, since DNS is tried first, with the resolver appending the search suffix to the name for the DNS hostname query.
  • If the Node Type is “Unknown,” no big deal. It just means WINS is not being used and the resolver will use broadcast for single-label name resolution.

IP Routing Enabled. . . . . . . . : No

  • “No” means RRAS is not installed (more precisely, IP forwarding is not enabled on the machine).
  • If set to Yes, RRAS is usually installed, and RRAS on a DC interferes with AD communications.

WINS Proxy Enabled. . . . . . . . : No

  • On a DC, “No” is what we want to see.
  • If set to Yes, “Enable broadcast name resolution” is checked on the General tab of the RRAS properties.
  • If it is Yes and there is only one NIC, it could mean either that RRAS is installed only for VPN use, or that RRAS was disabled but the setting stuck.
  • Either way, if it is set to Yes, it will cause problems with AD communications.

DNS Suffix Search List. . . . . . : company.com

  • This is what the client-side resolver appends when resolving a single-label name. For example, if I run nslookup against the single name computer1, the resolver appends company.com, resulting in a query for computer1.company.com.
  • If there are multiple domains in the forest, such as a parent and a child domain, or multiple child domains, the clients in each domain must be configured with a search suffix for every other domain in order to resolve single-label names everywhere in the forest. The same goes for additional trees in the forest.
  • The company.com in this example was devolved from the Primary DNS Suffix.
  • If the Primary DNS Suffix has multiple levels, such as chicago.ad.company.com, the resolver devolves it into the search suffixes chicago.ad.company.com, ad.company.com, and company.com.
  • However, if ad.company.com is the forest root domain and the client is Windows 2008 or newer, it devolves only as far as ad.company.com. Windows 2000 and 2003 devolved all the way down, which led to some confusion.

Ethernet adapter Team 1:

  • Obviously this interface is a team.

Connection-specific DNS Suffix  . :

  • If this is a DHCP client and DHCP Option 015 is configured with a domain suffix, that value is populated here. It is specific to the interface that receives it: on a wireless adapter, for example, it populates the wireless connection but not the wired one. It is used as the suffix for identification and DNS registration of that interface only, and it is not used as a search suffix.

Description . . . . . . . . . . . : BASP Virtual Adapter

  • This is the vendor brand name of the adapter.

Physical Address. . . . . . . . . : 00-18-8B-47-F0-D1

  • This is the MAC address of this adapter or team.

DHCP Enabled. . . . . . . . . . . : No

  • The NIC has a static configuration.

IP address, mask and gateway:

   IP Address. . . . . . . . . . . . : 192.168.80.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.80.1

  • In the above three values, we make sure the IP address and mask put the machine on the same subnet as the ipconfig /all of another machine, if one was provided. You would be surprised how many times we have seen subnets misconfigured with an incorrect subnet mask.

DNS Servers . . . . . . . . . . . : 192.168.80.5
                                    192.168.80.10

  • What we look for in the DNS server addresses is that only the internal DNS servers hosting the AD zone are specified. If an external DNS address or your router's address (for example, 192.168.80.1) is listed, expect numerous problems, because the machine sends that external server or router a query whenever it tries to log on, authenticate, or find domain resources, and that server has no answer for internal names (it also leaks your internal host and domain names to whoever runs it). It is the same as me asking the first person walking past my house, “Where's that beer that was in my refrigerator last night?” Besides not having an answer, he will probably give me a funny or dirty look. Your DNS server and DC will not give you a funny look, but you will get some sort of error, and the machine will fail to find the AD domain.
  • The addresses in this example show the server pointing to a partner DC as the first entry and to itself as the second entry.
  • You may also find the loopback address as the second entry. That is fine too; DCPROMO puts in the loopback. In fact, the AD BPA checks for the loopback as the second entry. You can leave it, or change it to the server's own IP, but if you do, ignore the BPA's warning about it on the next run.

Primary WINS Server . . . . . . . : 192.168.80.10

  • This suggests the server is running WINS, because it points to itself, which is what a WINS server should do.
  • If a WINS server points to any other WINS server, it causes numerous problems with WINS record ownership.

NetBIOS over Tcpip. . . . . . . . : Enabled

  • Of course this one is obvious. But here is one for you: if you have NetBIOS disabled but you are using WINS, what's the point??
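
Added example, not from the original post: a PowerShell function that reads the text of an ipconfig /all (for instance one pasted into a ticket) and flags the conditions called out above. The sample output at the bottom is constructed for this illustration and deliberately contains two of the mistakes described: IP routing enabled on a DC, and DNS pointing at the router and at a public resolver.

```powershell
function Test-Rfc1918 {
    param([Parameter(Mandatory)][string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-IpconfigFindings {
    param(
        [Parameter(Mandatory)][string]$IpconfigText,
        [string[]]$ExpectedDnsServers = @()     # DCs/DNS servers hosting the AD zone, if known
    )
    # Parse "Label . . . . : value" lines; the DNS server list may continue on indented lines.
    # A single-adapter dump is assumed: repeated labels from further adapters overwrite earlier ones.
    $fields = @{}
    $dns = @()
    $collectDns = $false
    foreach ($line in ($IpconfigText -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$') {
            $key = $Matches[1].Trim(); $val = $Matches[2].Trim()
            $fields[$key] = $val
            $collectDns = ($key -eq 'DNS Servers')
            if ($collectDns -and $val) { $dns += $val }
        }
        elseif ($collectDns -and $line -match '^\s+(\d{1,3}(\.\d{1,3}){3})\s*$') {
            $dns += $Matches[1]
        }
        else { $collectDns = $false }
    }

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($fields['Host Name'] -and $fields['Host Name'].Length -gt 15) { $findings.Add('Host name is longer than 15 characters; the NetBIOS name will be truncated') }
    if (-not $fields['Primary Dns Suffix'])      { $findings.Add('No primary DNS suffix: check for a single-label or disjoint namespace') }
    if ($fields['IP Routing Enabled'] -eq 'Yes') { $findings.Add('IP routing is enabled (RRAS?); on a DC this interferes with AD traffic') }
    if ($fields['WINS Proxy Enabled'] -eq 'Yes') { $findings.Add('WINS proxy is enabled: RRAS "Enable broadcast name resolution" is on') }
    if ($fields['Node Type'] -eq 'Hybrid' -and -not $fields['Primary WINS Server']) { $findings.Add('Hybrid node type but no WINS server configured') }
    if ($dns.Count -eq 0) { $findings.Add('No DNS servers configured') }
    foreach ($s in $dns) {
        if ($s -eq '127.0.0.1') { continue }     # loopback as a secondary entry is what DCPROMO sets
        if ($s -eq $fields['Default Gateway']) { $findings.Add("DNS server $s is the default gateway (router), not an AD DNS server"); continue }
        if (-not (Test-Rfc1918 $s)) { $findings.Add("DNS server $s is a public address: AD lookups fail and internal names leak to an external resolver"); continue }
        if ($ExpectedDnsServers.Count -gt 0 -and $s -notin $ExpectedDnsServers) { $findings.Add("DNS server $s is not one of the expected AD DNS servers") }
    }
    return $findings
}

# Constructed sample (not a real capture): the walkthrough's values with two faults injected
$sample = @'
Windows IP Configuration

   Host Name . . . . . . . . . . . . : company-dc-01
   Primary Dns Suffix  . . . . . . . : company.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : company.com

Ethernet adapter Team 1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : BASP Virtual Adapter
   Physical Address. . . . . . . . . : 00-18-8B-47-F0-D1
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.80.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.80.1
   DNS Servers . . . . . . . . . . . : 192.168.80.1
                                       8.8.8.8
   Primary WINS Server . . . . . . . : 192.168.80.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
'@

Get-IpconfigFindings -IpconfigText $sample -ExpectedDnsServers '192.168.80.5', '192.168.80.10'
```

For the constructed sample this reports three findings: IP routing enabled, 192.168.80.1 being the gateway rather than an AD DNS server, and 8.8.8.8 being a public resolver. Feed it a real dump from a DC or member (with names substituted as described above) to get the same first-pass checks without reading the output by eye.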

      Do I need NetBIOS?

      By Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003

      Do you need NetBIOS? That Depends …

      Prior to Windows 2000, Microsoft operating systems could only run SMB over a NetBIOS session, so all SMB traffic started after a NetBIOS session was established on TCP port 139. If you disabled NetBIOS over TCP/IP, SMB connectivity broke.

      Windows 2000 and newer support both NetBIOS sessions and direct hosting. The client attempts connections over NetBIOS (TCP 139) and direct-hosted SMB (TCP 445) at the same time and uses whichever answers first; if the target does not respond on 445, it falls back to 139. This gives legacy support to NetBIOS-based applications. That is why, if you disable NetBIOS on a server, it will still connect to other servers, but any NetBIOS-based app that needs that server will fail. Note that SMB 2 and 3 are direct-hosted only (TCP 445), so port 139 is only ever an SMB1 path, and on systems with SMB1 removed it serves no purpose.

      If you run netstat -a, you can see port 445 listening. It may even be labeled microsoft-ds, which is Microsoft Direct SMB. Vista does not label it, but Windows 2003 does.

      What’s TCP port 445 used for in Windows 2000/XP?
      http://www.petri.co.il/what’s_port_445_in_w2k_xp_2003.htm
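
Added PowerShell example, not part of the original post: it checks whether a target answers on direct-hosted SMB (445) and/or the NetBIOS session port (139), shows the per-adapter NetBIOS-over-TCP/IP setting, and provides a guarded way to disable NetBT on an adapter once the legacy-app caveats below have been ruled out. Host and adapter names are placeholders.

```powershell
function Test-SmbTransports {
    # TCP connect test to both SMB paths; -InformationLevel Quiet makes Test-NetConnection return a bool
    param([Parameter(Mandatory)][string]$ComputerName)
    $r = [ordered]@{ ComputerName = $ComputerName }
    foreach ($port in 445, 139) {
        $r["Tcp$port"] = Test-NetConnection -ComputerName $ComputerName -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    # SMB 2/3 only run direct-hosted; 139 can only ever carry SMB1 over a NetBIOS session
    $r['SmbOverNetbiosOnly'] = $r['Tcp139'] -and -not $r['Tcp445']
    return [pscustomobject]$r
}

function Get-NetbtSetting {
    # TcpipNetbiosOptions: 0 = use the DHCP server's setting (default), 1 = enabled, 2 = disabled
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, IPAddress,
            @{ n = 'NetBT'; e = { @('Default (from DHCP)', 'Enabled', 'Disabled')[$_.TcpipNetbiosOptions] } }
}

function Disable-NetbtOnAdapter {
    # Only after confirming nothing on the legacy-app list still needs NetBIOS.
    # SetTcpipNetbios returns 0 on success and 1 if a reboot is required.
    param([Parameter(Mandatory)][string]$DescriptionLike)
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.Description -like $DescriptionLike } |
        ForEach-Object {
            (Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }).ReturnValue
        }
}

# Usage (placeholder names)
Test-SmbTransports -ComputerName 'fileserver1'
Get-NetbtSetting
# Disable-NetbtOnAdapter -DescriptionLike 'BASP*'
```

If Test-SmbTransports reports Tcp445 true, the target speaks direct-hosted SMB and NetBIOS is not needed for file access; a SmbOverNetbiosOnly result means the target only offers the SMB1-over-NetBIOS path and will stop working the moment NetBT is disabled on either side.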

      Quick Brief on NetBIOS and Those Noisy Broadcasts

      Any NetBIOS-capable machine (Windows, or Unix/Linux with Samba) participates in the NetBIOS environment and in the browser service. Each one periodically broadcasts a host announcement on its subnet: “Hey, my computer name is Computer1, my IP address is <IP>, and I am offering the Workstation service and Server service in such-and-such workgroup and/or domain.” Without WINS it also registers and looks up NetBIOS names by broadcast.

      WINS is a NetBIOS name-to-IP database. It is a flat database with no hierarchy, simply one name to one IP. It is similar to DNS, but DNS is hierarchical (child3.child2.child1.domain.com, etc.).

      When you install WINS and configure all machines to use it, the NetBIOS-aware processes recognize that a WINS server is configured and, instead of broadcasting, register their names and services in the WINS database and send their name queries there; simply put, each machine stops yelling its name at the whole subnet.

      Without WINS it is like a grade-school cafeteria with all the background chatter and conversation. With WINS, think of the kids quietly entering their names and thoughts into a database the other kids can read, so there is no more noise. Kind of like every kid messaging back and forth on a tablet or smartphone instead of shouting.

      Therefore WINS literally quiets the network. Period. But all machines must be configured with WINS to make this happen.

      When a WINS-enabled client needs to resolve a name, it first tries DNS (the hostname resolution process), and only if that fails does it query WINS. If WINS is not configured it uses broadcast; if WINS is configured but does not have the name in its database, it falls back to broadcast.

      The Computer Browser service enumerates and assembles the browse list (the network neighborhood) from those host announcement broadcasts. If WINS is configured, the master browsers use WINS to find each other and merge their lists. This is why, without WINS, the browse service can only assemble the local subnet: NetBIOS broadcasts do not cross routers. WINS provides multi-subnet support for NetBIOS resolution as well as an enterprise-wide browse list, so a machine in NY can browse to a machine in San Francisco.

      Joining a machine to the domain.

      In some cases, yes, you still need NetBIOS to join a machine; disabling it can produce the error below:

      Windows 7 or Windows Server 2008 R2 domain join displays error “Changing the Primary Domain DNS name of this computer to "" failed....”
      http://support.microsoft.com/kb/2018583

      Network and Printer Browsing

      The only complaint I have heard is losing network and printer browsing across subnets, since the browser service compiles the browse list from broadcasts, and broadcasts do not traverse routers (which keeps excessive traffic off WAN links). However, I cannot substantiate the complaint, since all the small to medium-sized installations I have worked with kept NetBIOS enabled and used WINS.

      Then again, you can use AD printer publishing for that feature and search AD for printers (when you share a printer, there’s a checkbox to publish it in AD).

      WINS

      Your best bet for smooth sailing with multi-subnet browsing and to support legacy apps is to use WINS.

      WINS – What Is It, How To Install It, WINS Replication Partner Design Guidelines, How to Configure DHCP Scopes For WINS Client Distribution, and more:
      http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

      Legacy Apps Require NetBIOS

      So the biggest caveat is legacy apps that rely on NetBIOS. For example, SEP and McAfee ePO use the browser service, not DirectSMB, and without NetBIOS they fail at central control, updates, etc.

      If you disable NetBIOS over TCP/IP, it causes functionality issues with ePO 4.x
      https://kc.mcafee.com/corporate/index?page=content&id=KB76756&cat=CORP_EPOLICY_ORCHESTRATOR&actp=LIST

      Environmental requirements for agent deployment from the ePO 4.x server
      https://kc.mcafee.com/corporate/index?page=content&id=KB56386

      Same with Backup Exec and backup agents. There are many other apps that require NetBIOS functionality.

      What I can say is that some legacy applications and services still require NetBIOS name resolution (WINS or broadcast) that DNS and DirectSMB do not provide. These include, but are not limited to:

      • Exchange 2003 with certain Outlook features
      • McAfee Enterprise ePolicy Orchestrator
      • Symantec Endpoint Protection
      • Symantec Backup Exec
      • Computer Associates AV
      • SQL
      • Mapped Drives
      • Printer sharing (not published in AD)
      • and many more….

      Exchange 2000/2003 Need NetBIOS

      Yea, I know this is the day and age of Windows 2012 and Exchange 2013, but believe it or not, there are still installations out there that are running legacy operating systems and Exchange, so I had to throw this in there.

      Exchange 2000 and 2003 require NetBIOS; for Exchange 2003 this includes Outlook-to-Exchange free/busy communications.

      WINS is still required with both Exchange 2000 and 2003
      Aug 8, 2005 … See why Exchange needs WINS and how you can get a WINS server up and running and configure Exchange to use it. …
      http://articles.techrepublic.com.com/5100-10878_11-5820760.html

      WINS and Exchange 2003 Server Dependencies:
      I had been laboring under the delusion that Windows and Exchange 2003 servers no longer need WINS, it seems that I was wrong. However, what I now believe …
      http://www.computerperformance.co.uk/w2k3/services/WINS_exchange.htm

      Exchange Server 2003 and Exchange 2000 Server require NetBIOS name …
      You may have to use NetBIOS name resolution across different subnets for the … The following Exchange functionality still depends on WINS name resolution: …
      http://support.microsoft.com/kb/837391

      So you have to ask yourself, what else are you running?

      Search Suffixes

      Search Suffixes are used to facilitate single name resolution. As long as the search suffix is properly configured for your infrastructure, you should be ok.

      Configuring DNS Search Suffixes
      http://msmvps.com/blogs/acefekay/archive/2011/02/12/configuring-dns-search-suffixes.aspx

      Suggestions, Corrections, & Comments are welcomed.

      Ace Fekay

      So you want to change your IP range?

      By Ace Fekay, MCT, Microsoft MVP Directory Services

      So you are looking at a major IP migration, from a public range to a private range, rather than simply extending the current scopes, or you simply want to change the current IP range.

      One good reason to change the internal IP range is that the current range matches the default subnets of many retail-store routers from Linksys, Netgear, etc. Identical subnets cause trouble when users VPN in from home: if the home LAN and the company LAN use the same subnet, the client's local route wins and the traffic never goes through the tunnel, so they are never able to connect to resources.

      Depending on the size of the infrastructure, changing the IP range can be easy, or pretty involved with a major undertaking on your hands. Let's see...

      First, come up with an IP range

      Come up with a plan that includes an IP range for all servers and statically addressed hosts, as well as an IP range for each floor, building, etc., depending on the scope of the project and the subnets currently in place.

      You could use one subnet for the whole building, which is easier to manage, but not as efficient for network traffic, and especially if the number of hosts is large (into the thousands) it becomes one very large broadcast domain. One big subnet also reduces your ability to define AD sites appropriately.

      For example, for a large building with 3,000 users you could use a single subnet such as 10.10.0.0/16, which gives you 65,534 usable addresses.

      If you want to keep separate subnets per floor, which is ideal provided you have layer 3 (VLAN-capable) switches, that may be your better bet. Some think it complicates DHCP and routing, but looking at network efficiency, I think it is the better choice.

      For example, if you have multiple subnets or buildings with fewer than 4,000 total hosts (servers, users, printers, etc.), the following breakdown gives you 4,096 addresses (4,094 usable) per subnet (this is just an example; your mileage may vary):

      • 10.10.0.0/20   (10.10.0.0 – 10.10.15.255)
      • 10.10.16.0/20  (10.10.16.0 – 10.10.31.255)
      • 10.10.32.0/20  (10.10.32.0 – 10.10.47.255)
      • 10.10.48.0/20  (10.10.48.0 – 10.10.63.255)
      • etc.

       

      Procedure (steps are not in stone)

      1. Inventory all applications that have been configured with hardcoded IP addresses in their configuration, then change the IPs to the new IPs.
      2. Ask users to shutdown all workstations.
      3. Change the DC/DNS server’s’ IP addresses.
      1. In NIC properties, change it to the new IP address.
      2. In NIC properties, change the DNS IP addresses to the new IP.
      3. Re-register the DCs in DNS so it re-creates new records.
      1. ipconfig /all
      2. restart netlogon service
    • Reference: Change the static IP address of a domain controller
      http://technet.microsoft.com/en-us/library/cc758579(WS.10).aspx
    • Check DNS:
      1. Server properties, Nameservers tab, insure the new IPs are listed.
      2. Remove the old ones and re-enter if needed.
      3. Check DNS zones – Make sure all old IP references are manually removed if the registration process above does not overwrite the old ones, which it should.
      4. Check the GC records (located in gc. _msdcs.domain.local).
      5. Check the LdapIpAddress records – the “same as parent” A records that each DC registers.
    • Create a new reverse zone for the planned IP subnets. Make sure updates are allowed.
      1. Delete the old reverse zone.
      2. In lieu of deleting and recreating the reverse zones, if you’re energetic:
      1. Change the AD integrated reverse zone to a Primary Standard zone (this takes it out of AD and puts it into a text file in system32\dns.
      2. Open the system32\dns\zoneName.dns file, and change all the IPs in the zone file, save it, reload the zone. You should see all the new IPs
      3. Then change it back to AD integrated again.
    • Change the DHCP Server’s scope.
      1. You will need to delete and re-create the scope from scratch.
      2. If you have Scope Options recreate the Scope Options.
      3. If you have Server Options, simply change the IP addresses they point to.
      1. If using WINS, change DHCP Option 044 to the new IP address of the WINS server.
      2. Option 003 is the router
      3. Option 006 is for DNS addresses
    • If using Windows RRAS for VPN, and you are using a static IP pool, change the pool to a range in the new IP range.
      1. If using any other VPN solution, likewise.
      2. If using a Relay Agent or IP Helper, change the IP it’s pointing to.
    • If using RRAS for NAT, change the configuration to the new internal interface’s IP.
    • Change all of your other servers’ IPs.
      1. Run ipconfig /registerdns
    • Change any static hosts, including printer cards, and other IP static entries.
      1. Restart the printers to take effect.
    • With Windows machines, start them up.
      1. If they haven’t been shut down, then run ipconfig /registerdns on each.
    • Make sure the above works, AD is functional, the DCs and servers can get to the printers, etc.
    • You can run tests such as for Windows 2000 – 2008 R2, dcdiag /v /fix, and if Windows 2003 and older, run netdiag /v /fix.
    • Check Event logs for any errors.
    • Change the internal IP of the router.
    • Recreate port-mappings (port translations) on the firewall, if required.
    •  

      Do Multiple Internal Subnets exist?

      1. If using multiple internal subnets that you are currently connected to, change the static route entries on the edge firewall/router to insure communications work to the other subnets. The same on their end.
      2. Once again, check event logs for any errors.
      3. Test internet connectivity from your DCs and servers.
      4. DHCP – Take note of exclusions, reservations, SuperScopes, etc. Delete all scopes.
      5. Create a new big scope, or multiples if you had separate scopes, Superscopes, etc.
      6. Test DHCP by firing up a couple of workstations, logons, internet connectivity, printers, resource access, etc.
      7. Once again, check event logs for any errors.
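      The DHCP and DNS portions of the procedure above, as an added PowerShell example that is not from the original post. It repoints the server-level DHCP options 003/006/044 at the new addresses, re-registers the host in DNS (the equivalent of ipconfig /registerdns), confirms the DCs still resolve through the new DNS server, and pulls recent System log errors. Every address and host name below is a placeholder; it assumes the DhcpServer RSAT module on the DHCP server and the DnsClient module (Windows 8 / 2012 or newer).

```powershell
# Added example, not part of the original post. All names and addresses are placeholders.
$NewRouter  = '10.20.0.1'            # placeholder: new default gateway (Option 003)
$NewDns     = '10.20.0.10'           # placeholder: new DNS server address (Option 006)
$NewWins    = '10.20.0.11'           # placeholder: new WINS server address (Option 044)
$DhcpServer = 'dhcp01.corp.example'  # placeholder: DHCP server FQDN
$DomainName = 'corp.example'         # placeholder: AD DNS domain name

# Server-level options apply to every scope that does not override them ("Server Options" above).
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -Router $NewRouter -DnsServer $NewDns -WinsServer $NewWins

# Show what clients will now be handed for options 003, 006 and 044.
Get-DhcpServerv4OptionValue -ComputerName $DhcpServer |
    Where-Object { $_.OptionId -in 3, 6, 44 } |
    Format-Table OptionId, Name, Value -AutoSize

# Same effect as "ipconfig /registerdns" on this host.
Register-DnsClient

# Verify AD still advertises its DCs on the new addresses:
# LDAP SRV record -> DC host names -> A records, all asked of the new DNS server.
function Test-DcResolution {
    param([string] $Domain, [string] $DnsServer)
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer
    foreach ($rec in ($srv | Where-Object { $_.Type -eq 'SRV' })) {
        $a = Resolve-DnsName -Name $rec.NameTarget -Type A -Server $DnsServer -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC       = $rec.NameTarget
            Address  = (($a | Where-Object { $_.Type -eq 'A' }).IPAddress) -join ','
            Resolved = [bool]$a
        }
    }
}
Test-DcResolution -Domain $DomainName -DnsServer $NewDns | Format-Table -AutoSize

# "Check Event logs for any errors": System log errors (Level 2) from the last two hours.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = (Get-Date).AddHours(-2) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-Table -Wrap
```

      If you use scope-level options instead of server options, add -ScopeId to the Set-DhcpServerv4OptionValue call and repeat it per scope; the verification part is the same.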

      I’m sure I may have missed a few steps and only briefed over others, but it should give you a good start and a guideline, because every infrastructure is different and unique.


      Comments, corrections and suggestions are welcomed.

      Troubleshooting the Browser Service

      By Ace Fekay, MCT, MVP
      10/1/2012

      Preamble:

      Keep in mind, each subnet has its own master browser, and if you are using WINS, the master browser works together with the WINS service to enumerate an infrastructure-wide browse list.

      If not using WINS, it uses broadcasts; however, you’ll only see what’s on your own subnet, because NetBIOS broadcasts are more than likely blocked by routers (that is the default), and many routers don’t allow forwarding of NetBIOS broadcasts across subnets to be enabled.

      And if you are in a multi-subnetted environment, and you want full browsing capabilities, to get around routers blocking NetBIOS broadcasts, it’s suggested to use WINS.

      And the default WINS settings out-of-the-box, work fine, as long as you set up DHCP WINS options correctly. There is no need to adjust WINS’ registry parameters, otherwise you’ll find yourself trying to change registry entries on multiple servers and mis-keying something. Here’s more info on configuring WINS:

      WINS – What Is It, How To Install It, WINS Replication Partner Design Guidelines, How to Configure DHCP Scopes For WINS Client Distribution, and more:
      http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx


      Preferably install at least one server OS on each subnet:

      If there is a server OS on the subnet and it’s not multihomed, and especially if it is a DC that is not multihomed (multihoming a DC is a really bad idea), then it should win, unless there’s a problem with the machine itself, such as a security setting in your antivirus or a firewall blocking traffic on it.

      If you find workstations are becoming masters, that means there are no server operating systems on those subnets; in such cases, a workstation will win the Master Browser election.

      And I realize in many large infrastructures, it would be nearly impossible to put a server operating system on each subnet. However, as long as there is a desktop using the latest client operating system that is always up and running 24/7, that will do the trick.

      If a newer client OS were to be introduced, it would start a master browser election and win it (OS version and server role are factors in the election process). Any machine on which someone clicks Network Neighborhood or a Browse button somewhere would also invoke an election, but if a desktop is running on the subnet 24/7, it will win the election, since it’s already up and running.

      If you don’t want any other client machine to win the election and were to opt for only that one machine, you can set a registry entry using a GPO to disable participating in the browse list for all the machines in the subnet other than the client machine you chose to keep up and running 24/7:

      Set the client machine of your choosing to:
      Emulator MaintainServerList=Yes, IsDomainMaster=True

      All other clients on the subnet, set it to:
      MaintainServerList=Auto,IsDomainMaster=False

      I’m not saying this is a perfect solution, but it’s something to consider. Otherwise, if no specific machine is up and running 24/7 on any given subnet, the browse list will be rebuilt each time everyone shuts down, then brings their machines up in the morning, and the cycle starts from scratch to rebuild the list of machines on that subnet.
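      The two registry settings above, as an added PowerShell example that is not from the original post. The key HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters and the REG_SZ values MaintainServerList and IsDomainMaster are the Computer Browser service’s documented parameters; the post delivers them by GPO, whereas this function writes them directly so you can apply or audit the role on one machine (locally or through Invoke-Command). The host name in the usage lines is a placeholder, and the function must run with administrative rights.

```powershell
# Added example, not part of the original post.
# Preferred  = the one always-on machine you want to keep the browse list (MaintainServerList=Yes, IsDomainMaster=True)
# Bystander  = every other machine on the subnet (MaintainServerList=Auto, IsDomainMaster=False)
function Set-BrowserElectionRole {
    param(
        [Parameter(Mandatory)][ValidateSet('Preferred', 'Bystander')][string] $Role
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'
    $values = switch ($Role) {
        'Preferred' { @{ MaintainServerList = 'Yes';  IsDomainMaster = 'True'  } }
        'Bystander' { @{ MaintainServerList = 'Auto'; IsDomainMaster = 'False' } }
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $values.Keys) {
        # Both are REG_SZ strings, the same form a registry GPO delivers.
        Set-ItemProperty -Path $key -Name $name -Value $values[$name] -Type String
    }
    # The Browser service reads its parameters at start, so restart it to apply the change.
    Restart-Service -Name Browser -ErrorAction SilentlyContinue
    Get-ItemProperty -Path $key -Name MaintainServerList, IsDomainMaster |
        Select-Object MaintainServerList, IsDomainMaster
}

function Get-BrowserElectionRole {
    # Report the effective setting; a value that is absent means the service default (Auto / False).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $maintain = if ($p -and $p.MaintainServerList) { $p.MaintainServerList } else { 'Auto (default)' }
    $master   = if ($p -and $p.IsDomainMaster)     { $p.IsDomainMaster }     else { 'False (default)' }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MaintainServerList = $maintain
        IsDomainMaster     = $master
    }
}

# Usage (placeholder host names): the 24/7 desktop becomes Preferred, everything else Bystander.
# Set-BrowserElectionRole -Role Preferred
# Invoke-Command -ComputerName 'ws-always-on.corp.example' -ScriptBlock ${function:Set-BrowserElectionRole} -ArgumentList 'Preferred'
# Invoke-Command -ComputerName 'ws-002.corp.example','ws-003.corp.example' -ScriptBlock ${function:Set-BrowserElectionRole} -ArgumentList 'Bystander'
Get-BrowserElectionRole
```

      Run Get-BrowserElectionRole across a subnet to confirm that only the chosen machine reports Yes/True before assuming a GPO has applied.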


      Third Party Devices Participating in the Browser Service

      I would like to point out that if you have any 3rd party devices, such as a Seagate BlackArmor NAS, it will jump in on the election process and may win, which in that case will snafu your browse list. I had one of those devices at a customer site last year causing numerous problems with the browse list, which in turn snowballed into problems with Symantec BackupExec and other services that rely on browsing.

      After some troubleshooting, I found that the BlackArmor NAS was consistently winning the election causing the problems. I couldn’t find anything specific on how to disable browser service participation on the device. It has the latest firmware. I contacted Seagate, and they said they couldn’t help me to disable the device’s ability to participate in the Browser Service.

      I finally moved it on to its own VLAN so it can be king of itself on that subnet, so to speak. I gave it its own island.


      Browse List Propagation:

      We have to keep in mind when troubleshooting the browser service that there is a time period you have to wait for the list to fully enumerate and become available on the master. A good example is when a server is shut off on a segment and the workstations kick in, or the server is rebooted, wins the election, and begins a new cycle to enumerate the browse list from WINS and/or broadcasts. This can take a minimum of 12 minutes, and up to the 48-minute full propagation cycle in a multiple-segment domain environment.


      When to Troubleshoot

      Below are the generic troubleshooting steps I used to troubleshoot the browser service that helped me find out the BlackArmor device was the culprit.

      If you are seeing problems with the browser service, such as computers disappearing from the browse list, whether the cause is a third party device, Unix/Linux machine running Samba, or simply based on the infrastructure’s design, it might be a good idea to start troubleshooting to find the culprit.


      Prepare to Troubleshoot:

      • Make sure the Computer Browser service is Started. Make sure NetBIOS is enabled on all machines.
      • On Windows 2003 and 2000, install the Support Tools (from the Windows CDROM) in order to have the "browstat" utility available.
      • With Windows 2008 and newer, the utility is already installed as part of the operating system files.
      • If there is any antivirus software, third party firewall, or firewall rule between locations blocking WINS traffic (TCP 42), it could block browser traffic, too. This of course assumes the Computer Browser service is running.


      Firewall blocks – Test it with PortQry

      You can use the Portqry.exe utility to test if the Browser, SMB, WINS and the ephemeral (service response) ports are permitted.

      • Browser: UDP 137/138, TCP 139
      • SMB: TCP 445
      • WINS: TCP 42
      • Ephemeral (Service Response Ports): Varies depending on OS:
      • Windows 2000/2003/XP: TCP/UDP 1024-5000
      • Windows 2008/Vista and newer: TCP/UDP 49152-65535

      Description of the Portqry.exe command-line utility
      http://support.microsoft.com/kb/310099

      Active Directory Firewall Ports – Let’s Try To Make This Simple
      http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx 
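      The port list above, driven through Portqry.exe, as an added PowerShell example that is not from the original post. It checks the Browser, SMB and WINS ports against one target and turns Portqry’s quiet-mode exit code (0 = LISTENING, 1 = NOT LISTENING, 2 = FILTERED, which for UDP means LISTENING or FILTERED) into a table. It assumes portqry.exe is on the path or passed in -PortQry; the target name is a placeholder.

```powershell
# Added example, not part of the original post.
function Test-BrowserServicePorts {
    param(
        [Parameter(Mandatory)][string] $Target,          # placeholder: name or IP of the machine to test
        [string] $PortQry = 'portqry.exe'                # path to Portqry.exe if it is not on the PATH
    )
    # Fixed ports from the list in the text. UDP results are inherently "listening or filtered".
    $checks = @(
        @{ Name = 'Browser (NetBIOS name service)';     Proto = 'udp'; Port = 137 },
        @{ Name = 'Browser (NetBIOS datagram service)'; Proto = 'udp'; Port = 138 },
        @{ Name = 'Browser (NetBIOS session service)';  Proto = 'tcp'; Port = 139 },
        @{ Name = 'SMB (direct hosted)';                Proto = 'tcp'; Port = 445 },
        @{ Name = 'WINS replication';                   Proto = 'tcp'; Port = 42  }
    )
    foreach ($c in $checks) {
        # -n target, -p protocol, -e single endpoint, -q quiet mode (result only in the exit code)
        & $PortQry -n $Target -p $c.Proto -e $c.Port -q | Out-Null
        $result = switch ($LASTEXITCODE) {
            0       { 'LISTENING' }
            1       { 'NOT LISTENING' }
            2       { if ($c.Proto -eq 'udp') { 'LISTENING OR FILTERED' } else { 'FILTERED' } }
            default { "portqry exit code $LASTEXITCODE" }
        }
        [pscustomobject]@{
            Check  = $c.Name
            Port   = "$($c.Proto.ToUpper())/$($c.Port)"
            Result = $result
        }
    }
}

# Usage (placeholder target):
Test-BrowserServicePorts -Target 'dc01.corp.example' | Format-Table -AutoSize
```

      A FILTERED result on TCP 42 or TCP 139 between sites is exactly the firewall block the text describes. The ephemeral (service response) range is not scanned here; Portqry can do that with the -r option (for example -r 49152:65535 for Windows 2008/Vista and newer), but a full range scan takes a long time, so run it only when the fixed ports check out and browsing still fails.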


      Multihomed DCs:

      If you have any multihomed DCs, that is a major cause of browser problems, among numerous other problems. Multihoming DCs is not recommended for multiple reasons, including the "Multihomed Browser" scenario. I suggest disabling one of the interfaces.

      More info regarding multihoming DCs and why not to do it:

      Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters – A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly.
      http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx


      Troubleshooting Steps:

      Run browstat status to see who the browse master is for the segment. If it’s not the PDC Emulator, and some other device won the election, that can cause a problem.

      To check current status of the browse service on the domain, run:
      browstat status

      You should get a response similar to:
      Browsing is active on domain.
      Master browser name is: <serverName>

      Note, the machine that is the current master browser will be one of the following, depending on which machine types exist on the segment: the PDC Emulator, a replica DC on the segment, a member server, a joined workstation, a workgroup member, a Unix or Linux machine with Samba, etc.

      If you find a device is winning the election, then we need to disable that ability in the device. If there are no features for that, contact their support department, or put the device behind its own subnet or VLAN to prevent it from winning the election on the production network.

      To find the current browse master on a segment, you’ll have to find the TransportID:
      First run:

      browstat getmaster \device\netbt_el59x1 <domainname>

      It will error out because the "netbt_el59x1" probably doesn’t exist, and will respond with the transports currently bound to the browser. Copy and paste the transport that does show up into your next command:

      browstat getmaster \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>

      Force an election by running:
      browstat elect \device\netbt_ieepro1 <domainname>

      Then check the event logs to see which machine won the election. If it’s a device, such as a Linux/Unix machine with Samba or a Seagate NAS, I’ve found it may win the election and cause browsing havoc within an environment, and you get that familiar but unwanted "Access Denied" when trying to browse.
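      The getmaster / elect / event-log steps above, as an added PowerShell example that is not from the original post. Instead of guessing a transport name and letting browstat error out, it builds \Device\NetBT_Tcpip_{GUID} from each adapter’s InterfaceGuid, asks browstat for the master on that transport, compares the answer with the PDC Emulator from Get-ADDomain, and lists recent Browser service events. It assumes browstat.exe is available (Support Tools, or in-box on 2008 and newer), the ActiveDirectory RSAT module is installed, that browstat reports the master with the text "Master browser name is:", and that the Browser service logs to the System log under the provider name BROWSER; the domain name is a placeholder.

```powershell
# Added example, not part of the original post.
function Get-BrowseMasterReport {
    param([Parameter(Mandatory)][string] $DomainNetbios)   # placeholder: NetBIOS domain name, e.g. CORP

    $pdc = (Get-ADDomain).PDCEmulator                      # FQDN of the PDC Emulator
    # Every adapter that is up gets a NetBT transport named \Device\NetBT_Tcpip_{InterfaceGuid}.
    foreach ($nic in (Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })) {
        $transport = "\Device\NetBT_Tcpip_$($nic.InterfaceGuid)"
        $out = (& browstat.exe getmaster $transport $DomainNetbios 2>&1 | Out-String).Trim()
        # Assumed output format: "Master browser name is: NAME" (leading backslashes stripped if present).
        $master = if ($out -match 'Master browser name is:\s*(\S+)') { $Matches[1].TrimStart('\') } else { $null }
        [pscustomobject]@{
            Adapter       = $nic.Name
            Transport     = $transport
            MasterBrowser = $master
            IsPdcEmulator = [bool]($master -and ($pdc -like "$master.*"))
            RawOutput     = $out
        }
    }
}

function Invoke-BrowserElection {
    # Forces an election on the first adapter that is up (the "browstat elect" step).
    param([Parameter(Mandatory)][string] $DomainNetbios)
    $nic = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
    & browstat.exe elect "\Device\NetBT_Tcpip_$($nic.InterfaceGuid)" $DomainNetbios
}

function Get-BrowserElectionEvents {
    param([int] $Hours = 24)
    # Assumed provider name for the Computer Browser service in the System log.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'BROWSER'; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage (placeholder domain): who is master now, then optionally force an election and read the log.
Get-BrowseMasterReport -DomainNetbios 'CORP' | Format-List
# Invoke-BrowserElection -DomainNetbios 'CORP'
Get-BrowserElectionEvents -Hours 1 | Format-Table -Wrap
```

      A report row with IsPdcEmulator = False and a MasterBrowser that is not a DC or member server is the symptom the text describes; the RawOutput column keeps browstat’s own text in case the output format differs on your build.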


      Reference:

      Troubleshooting the Microsoft Browser Services:
      http://support.microsoft.com/kb/188305


      Comments, corrections and suggestions are welcomed.
      Ace Fekay