Remove an Old DC and Introduce a New DC with the Same Name and IP Address


Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Original Publication: 10/9/2010
Edited 10/19/2010 – Added an additional step in case you are introducing a new 2008 or 2008 R2 DC into a 2003 environment

Applies to Windows 2000, 2003, 2003 R2, 2008, 2008 R2

Preface

This question has arisen from time to time in the Microsoft Public NNTP Newsgroups and Microsoft Social Forums. I’ve put together a set of steps over the years. Each time I post the steps, I’ve found I’ve needed to refine them or explain certain steps. As time has gone by and questions have arisen on some of the steps, I’ve tried to add that information into the steps. This procedure has grown to the point where I believe I’ve covered most of what’s involved and needed in most scenarios.

Comments, suggestions and corrections are more than welcomed. If I’ve missed something, based on your feedback, I will promptly add them to the list.

Scenario:

6 DCs, 2 in SiteA, 4 in SiteB
One of the DCs in SiteA will be replaced with a DC with the same name and IP.
DHCP installed and needs to be migrated to new DC.
All DCs are DNS servers.
All DCs are GCs.

Basic Steps are:

1. If you are replacing the DC with new hardware but keeping your current Windows 2003 DCs, and not introducing a Windows 2008 or Windows 2008 R2 DC into the environment, you can skip this step and go to Step 2.

Otherwise, if you are introducing a 2008 or 2008 R2 DC into your current 2003 environment, please see the following links (one has a step by step with screenshots). You must wait for replication to complete if you need to do this step. To quicken replication after this step, do Step #2, then Step #12.

Running Adprep.exe:
http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx

Windows Server 2008 ADPREP (With step by step screenshots)
http://www.petri.co.il/windows-server-2008-adprep.htm

2. Optional – Drop the default intrasite DC-to-DC notification time from the default 5 minutes to 30 seconds. I normally don’t make this change and simply wait around 10 minutes. This is part of what you can call the “patience” factor. If you want to force the intrasite intervals, here’s how.

There are two settings you can change, the notification interval, which is 5 minutes by default, and the time to pause between notifications, which is 30 seconds by default. If you want, you can alter the notification interval down to 30 seconds, but leave the time to pause as default, since that’s fine. 

Keep in mind, this is a registry setting change. Remember to have a backup prior to this, as well as to export the portion of the registry you’re modifying so you have a copy of it.

You can use the following article to show you how to change these settings.

How to Modify the Default Intra-Site Domain Controller Replication Interval – This article describes how to modify the default intra-site domain controller replication interval.
http://support.microsoft.com/kb/214678
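As an added example (not from the original article), the following PowerShell applies the registry change from Step 2 the way the article asks: export the key first, lower only the "after modify" delay, and keep a matching revert for Step 29. It assumes you run it as a local administrator on the DC, and that the value names and defaults are the ones documented for the NTDS Parameters key (300 seconds after a modify, 30 seconds between partners).

```powershell
# Added example, not part of the original article.
# Tune the intrasite change-notification delay on one DC via the registry values
# KB 214678 describes, with an export-based backup first and a revert function.
# Assumed: run elevated on the DC; value names/defaults as documented for NTDS\Parameters.

$NtdsKey           = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NotifyAfterModify = 'Replicator notify pause after modify (secs)'   # default 300
$NotifyBetweenDsas = 'Replicator notify pause between DSAs (secs)'   # default 30

function Backup-NtdsParameters {
    param([string]$Path = "C:\Backup\NTDS-Parameters-$(Get-Date -Format yyyyMMdd-HHmmss).reg")
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # reg.exe export writes a .reg file that "reg import" can load back if needed
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed with exit code $LASTEXITCODE" }
    return $Path
}

function Get-NtdsNotifyDelay {
    # Missing values mean the built-in defaults are in effect
    $props = Get-ItemProperty -Path $NtdsKey
    [pscustomobject]@{
        AfterModifySecs = if ($null -ne $props.$NotifyAfterModify) { $props.$NotifyAfterModify } else { 300 }
        BetweenDsasSecs = if ($null -ne $props.$NotifyBetweenDsas) { $props.$NotifyBetweenDsas } else { 30 }
    }
}

function Set-NtdsNotifyDelay {
    param([ValidateRange(1, 3600)][int]$AfterModifySecs = 30)
    # Only the first delay is lowered, as the article suggests; the 30 s pause between partners stays
    $backup = Backup-NtdsParameters
    Set-ItemProperty -Path $NtdsKey -Name $NotifyAfterModify -Value $AfterModifySecs -Type DWord
    Write-Host "Backup written to $backup; '$NotifyAfterModify' is now $AfterModifySecs"
}

function Reset-NtdsNotifyDelay {
    # Removing the value returns the DC to the built-in default (300 s)
    if (Get-ItemProperty -Path $NtdsKey -Name $NotifyAfterModify -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $NtdsKey -Name $NotifyAfterModify
    }
}

# Usage:
#   Get-NtdsNotifyDelay        # show the values currently in effect
#   Set-NtdsNotifyDelay 30     # Step 2: shorten to 30 seconds (backup is taken first)
#   Reset-NtdsNotifyDelay      # Step 29: revert to the default
```

The value is removed rather than rewritten to 300 on revert, so the DC ends up in exactly the state it was in before the change, whichever build's default applies.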

3. If you have a number of locations and you’ve defined and created AD Sites to optimize replication and logon/authentication traffic, you will want to drop the intersite link replication interval to 15 minutes. That’s performed in AD Sites & Services on the Site Connector’s properties. The following shows you how.

How to change the interSite Replication Interval (with screenshots):
http://windowspeople.com/index2.php?option=com_content&task=emailform&id=159&itemid=1

4. Make sure all of your DCs (in this site and all other sites, whether a single domain or a multi-domain forest) are GCs. Making all DCs GCs alleviates the IM-GC conflict and provides better GC availability for the services that use it, such as the logon process, and especially for services that use it heavily such as Exchange.

Open Active Directory Sites & Services,
Drill down and expand the AD Site name the domain controller exists in
Click on the DC’s name
In the right window pane, you will see “NTDS Settings”
Right-click NTDS Settings, Choose Properties
Under the General tab, check the Global Catalog checkbox
Check each DC in the site to make sure they are all GCs

5. Install the new server. Get the machine up to date with the latest SP, hotfixes and updates.

6. If this is Windows 2003, copy the i386 folder to C: drive. Integrate the latest SP into the i386 folder. If this is 2008, 2008 R2, or newer, it’s not necessary, and you can skip this step.

This step helps if adding new Windows 2003 services through Add/Remove Windows Components. Simply point to this folder for the source files, and you won’t need to re-run the SP to get the new services up to date.

Example: C:\SP2\i386\update\update /s:C:\ (this command assumes the i386 folder is on the C: drive; if it’s under another folder, you must specify the parent folder after the /s switch).

How to integrate Windows XP Service Pack 2 files into the Windows XP installation folder
(Same exact steps for Windows 2003)
http://support.microsoft.com/kb/900871

7. Set new server to use the other DC in SiteA as DNS and WINS.

If WINS is installed, you’ll need to migrate it to another server. Read more in this link:
How to migrate a WINS Database from Windows 2000-based WINS server (Applies to all Windows 2000 and newer Windows versions)
http://support.microsoft.com/kb/875419

8. Change the DNS settings on the DC being demoted to point to another DC in the same Site.

9. Make sure Exchange 2003 is not using this DC for OAB or RUS. Change it to another DC if this is the case. If Exchange 2007 or 2010, Exchange will automatically discover the change.

If Exchange is installed on the DC, this introduces a huge complexity and would involve moving the Exchange installation to another Exchange server first. Read the following for more information:

Exchange on a Domain Controller – Ramifications and How to Move Exchange off a DC  
Published by acefekay on Aug 8, 2009 at 7:00 PM 
http://msmvps.com/blogs/acefekay/archive/2009/08/08/moving-from-exchange-2000-currently-on-a-windows-2000-domain-controller-to-a-new-exchange-2003-server-on-a-windows-2003-member-server.aspx

10. If DHCP is installed, export the DHCP database off the DC in preparation to migrate to the new DC.

How to move a DHCP database from a computer that is running Windows 2003 (Also applies to newer versions)
http://support.microsoft.com/kb/325473

How to migrate a DHCP database from Windows 2000 Server to Windows Server 2008 or Windows Server 2008 R2, Nov 9, 2009
http://blogs.technet.com/b/networking/archive/2009/11/09/how-to-migrate-a-dhcp-database-from-windows-2000-server-to-windows-server-2008-or-windows-server-2008-r2.aspx

11. Transfer FSMO roles to another DC in the same Site, or to a DC of your choosing, preferably in the same site.

How to view and transfer FSMO roles in Windows Server 2003 using the GUI
http://support.microsoft.com/kb/324801

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
http://support.microsoft.com/kb/255504

How to view and transfer FSMO roles in the graphical user interface – There are five Flexible Single Master Operations (FSMO) roles in a Windows …
http://support.microsoft.com/kb/255690

Transferring FSMO Roles – How can I transfer some or all of the FSMO Roles from one DC to another?
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or …
http://www.petri.co.il/transferring_fsmo_roles.htm

12. Run dcpromo and demote the DC choosing this is not the last DC in the domain. Then Restart.

Removing a Domain Controller from a Domain
Updated: January 5, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/cc771844(WS.10).aspx

Demote a domain controller: Active Directory
Updated Jan 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx

13. Allow replication to occur. If your site links are still default (180 min), wait at least 3 hours, otherwise wait about 20 minutes if you had previously changed it to 15 minutes (first step). You can also force replication using repadmin if you want:

repadmin /syncall – to initiate replication with all partners
repadmin /syncall /A /e /P (/A synchronizes all partitions on the DC you’re running it on, /e synchronizes partitions across all Sites, /P forces a “push” that pushes changes outward instead of the default, which is to pull changes)

Also, to check replication status:

To see if anything is in the queue waiting for replication:
Run “repadmin /queue *”

Find out what the replication latency is, if any. If it’s less than a few minutes, you’re fine.
Run “repadmin /showutdvec server-name dc=mydomain,dc=lab /latency”

Repadmin
Updated: August 22, 2005
A complete list of switches with details and usage.
Applies To: Windows Server 2003 R2 (However, the switches apply to 2008 and 2008 R2 as well.)
http://technet.microsoft.com/en-us/library/cc778305(WS.10).aspx

You can also use the Replmon GUI version for Windows 2000 and 2003, but it’s no longer available for 2008 or newer.
Getting Over Replmon – Ask the Directory Services Team, Jul 1, 2009 (with the release of Windows Server 2008, Replmon was not included)
http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx
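As an added example (not from the original article), here is a replication check built on the repadmin switches from Step 13: it forces the same push sync, then parses `repadmin /showrepl * /csv` to report every partner link that has failures or has not replicated within the window you expect. It assumes repadmin.exe is on the path (AD DS tools / RSAT) and that your account can query every DC; the 180-minute default matches the untouched intersite interval mentioned above.

```powershell
# Added example, not part of the original article.
# Force replication (same switches as Step 13) and then judge health from the
# per-link CSV that "repadmin /showrepl * /csv" produces.
# Assumed: repadmin.exe available; account can query all DCs.

function Invoke-ForcedReplication {
    param([string]$Dc = $env:COMPUTERNAME)
    # /A all partitions, /e across sites, /P push instead of the default pull
    & repadmin.exe /syncall $Dc /A /e /P | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-ReplicationLinkStatus {
    param([int]$MaxAgeMinutes = 180)   # default intersite interval; use ~20 if you dropped it to 15 min
    $rows = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        # "Last Success Time" is a timestamp when replication ever succeeded, otherwise "0"
        $lastSuccess = $null
        if ($row.'Last Success Time' -match '^\d{4}-') { $lastSuccess = [datetime]$row.'Last Success Time' }
        $ageMin = if ($lastSuccess) { [int]((Get-Date) - $lastSuccess).TotalMinutes } else { $null }
        $failures = [int]$row.'Number of Failures'
        [pscustomobject]@{
            Destination    = $row.'Destination DSA'
            Source         = $row.'Source DSA'
            NamingContext  = $row.'Naming Context'
            Failures       = $failures
            LastStatus     = $row.'Last Failure Status'
            MinutesSinceOk = $ageMin
            Healthy        = ($failures -eq 0 -and $null -ne $ageMin -and $ageMin -le $MaxAgeMinutes)
        }
    }
}

function Test-ReplicationHealthy {
    param([int]$MaxAgeMinutes = 180)
    $bad = Get-ReplicationLinkStatus -MaxAgeMinutes $MaxAgeMinutes | Where-Object { -not $_.Healthy }
    if ($bad) { $bad | Format-Table -AutoSize | Out-String | Write-Host }
    return (-not $bad)   # $true only when every link replicated cleanly inside the window
}

# Usage after demoting the old DC (Step 13):
#   Invoke-ForcedReplication
#   & repadmin.exe /queue *        # anything still waiting in the queue?
#   Test-ReplicationHealthy        # lists unhealthy links, returns $true when all are clean
```

A link whose source is the DC you just demoted will keep showing up here until the KCC removes the connection object and the change replicates; that is exactly the state Steps 15 and 16 tell you to go and check for.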

14. Rename the now demoted DC to something else, or keep it unplugged.

15. Check DNS to make sure its references (LdapIpAddress and GC) are gone.

16. Check AD Sites & Services to make sure its server object is gone. If not, delete the server object.

Open Active Directory Sites & Services,
Drill down and expand the AD Site name the domain controller exists in
Right-Click on the DC’s name
Choose Delete (or hit the delete key)

17. Check ADUC, Domain Controllers OU to make sure it’s gone. You should now find the old DC computer object in the Computers Container.

18. Rename the new server to the old DC’s name.

19. Change the new server’s IP to the old DC’s IP.

20. Run dcpromo. Select to install DNS (if not already installed).  Then Restart.

How do I install Active Directory on my Windows Server 2003 server?
http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm

How to Install Active Directory on Windows Server 2003, May 19, 2005
http://technet.microsoft.com/en-us/…/aa998088(EXCHG.65).aspx

When you run Dcpromo.exe to create a replica domain controller, you receive one of the following error messages in Dcpromo.exe …
http://support.microsoft.com/kb/232070

If you are introducing a newer Operating System version, you’ll need to run ADPREP:

Running Adprep.exe:
http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx

Windows Server 2008 ADPREP (With step by step screenshots)
http://www.petri.co.il/windows-server-2008-adprep.htm

21. Allow it to come up. Wait about 5 – 10 minutes after it has restarted and logged in.

22. Check DNS to make sure that the LdapIpAddress registered and a Nameserver entry was created.

23. Go into AD Sites and Services and make sure you see the new DC in your Site and there are connection objects to another DC that the KCC created.

24. While in AD Sites and Services, make it a GC. It’s the preferred method now to make all DCs GCs in an infrastructure, whether there is one domain or multiple domains in the forest. This will alleviate the well-known Infrastructure Master and Global Catalog contention issue.

Open Active Directory Sites & Services,
Drill down and expand the AD Site name the domain controller exists in
Click on the DC’s name
In the right window pane, you will see “NTDS Settings”
Right-click NTDS Settings, Choose Properties
Under the General tab, check the Global Catalog checkbox

25. Run ipconfig /registerdns, restart netlogon service. Wait 5-10 minutes, then check DNS for the _gc._msdcs.OTEC-DC.domain.com records to see if it registered as a GC. If it’s not there yet, wait a few more minutes. Be patient. Hit F5 to refresh the console until you see it.

26. Check ADUC, look in the Domain Controllers OU for the new DC’s entry.

27. Change the DNS settings to its own IP address (to itself). Delete the 127.0.0.1 entry. Make the other DC in SiteA the second DNS entry. This is the preferred setting, where all DCs point to themselves as the first entry and to another DC in their own Site as the second. If no other DCs are in its own Site, choose one across the WAN with the fastest link.

28. If any Forwarders were configured in DNS, you will need to manually re-enter them.

29. If applicable, revert back any and all changes you made earlier regarding Site replication settings and intrasite DC to DC settings.

30. If you haven’t done so already, go have a cold or hot beverage of your choosing. You should be good to go.

 

 

All Comments, Suggestions or Corrections are welcomed!
Ace Fekay

Remove a Current Operational Domain Controller from Active Directory


Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Original Publication: 10/9/2010
Updated 12/27/2011 – added time service configuration info.

 

Preface

I’ve written this blog because this question has come up numerous times in the forums, newsgroups, and from colleagues. There are other very well qualified blogs, posts and tech articles on these steps. I thought I’d outline the steps, adding links for each step to explain how to do it if one is not sure of the steps.

Keep in mind, you can’t simply unplug a DC and be done with it, such as you could do in the Windows NT4 days. There are numerous ramifications involved with a domain controller in the AD database and AD functionality. Other DCs will still think it’s there and will try to replicate to it because it’s still in the AD database. You must remove it properly.

Now if the domain controller has been unplugged and offline for more than the tombstone lifetime (60 days for Windows 2000 and Windows 2003 SP0, or 180 days for Windows 2003 SP1 and all newer operating systems), you will need to run a Metadata Cleanup to remove the DC. This is because the tombstone lifetime is the scavenging period for which AD keeps deleted objects, and objects it has lost communication with, such as a domain controller.

If I’ve omitted any basic or necessary steps, please do comment and let me know. All comments and suggestions are welcome!

 

If the DC has been unplugged for more than the Tombstone Lifetime

If the case is that it’s been unplugged for longer than the tombstone with Windows 2003 or newer, you can either run a simple dcpromo /forceremoval to remove AD off the DC, or reinstall the DC from scratch. Either way, you will need to run a Metadata Cleanup procedure.

Restart the DC OFF the network
On this DC, run “DCPROMO /FORCEREMOVAL”
Run the Metadata Cleanup procedure to remove its reference on a current DC
If you want to reintroduce the old DC, you can simply promote the old DC back to a DC

Once you’ve done the above, run the Metadata Cleanup Procedure. Here are some links to guide you

How to remove data in Active Directory after an unsuccessful Domain Controller Promotion
http://support.microsoft.com/kb/216498

Clean up server metadata: Active Directory, Mar 2, 2005
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx

Script to run Metadata Cleanup Procedure:
Script to Remove Active Directory Domain Controller Metadata
Microsoft: The Scripting Guys, Published on 8/10/2009
http://gallery.technet.microsoft.com/ScriptCenter/en-us/d31f091f-2642-4ede-9f97-0e1cc4d577f3

Delete Failed DCs from Active Directory
This link put together by Dan Petri, includes screen shots.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

 

To remove a current operational DC that is under the Tombstone Lifetime, the basic steps are

Reminder: Do this during off-production hours. This will allow time for changes to replicate in the AD and DNS infrastructure prior to users logging on the next production day.

1. Change the DNS addresses on the DC to point to an existing DC/DNS server in the same AD Site. If no other DCs in the Site, choose a DC in another Site with a fast link.

2. If DHCP is installed, export the DHCP database off the DC in preparation to migrate to the new DC.

How to move a DHCP database from a computer that is running Windows 2003 (Also applies to newer versions)
http://support.microsoft.com/kb/325473

How to migrate a DHCP database from Windows 2000 Server to Windows Server 2008 or Windows Server 2008 R2, Nov 9, 2009
http://blogs.technet.com/b/networking/archive/2009/11/09/how-to-migrate-a-dhcp-database-from-windows-2000-server-to-windows-server-2008-or-windows-server-2008-r2.aspx
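As an added example (not from the original article), the following wraps the `netsh dhcp server export` / `import` commands that KB 325473 describes, so the DHCP migration in Step 2 here and Step 10 of the first article is one export on the old DC and one import on the new one, with a sanity check at each end. It assumes you run it elevated on each server in turn and copy the export file between them yourself; the path is a placeholder.

```powershell
# Added example, not part of the original article.
# Export the DHCP database on the DC being retired and import it on the new server
# with the netsh commands from KB 325473. Assumed: run elevated on each server;
# the export file path is a placeholder you copy between the two machines.

function Export-DhcpConfig {
    param([string]$Path = 'C:\DHCP-Export\dhcpdb.txt')
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # "all" exports every scope together with server options, reservations and leases
    & netsh.exe dhcp server export $Path all | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Path)) { throw "DHCP export failed" }
    return (Get-Item $Path).Length   # a zero-byte file means nothing was exported
}

function Import-DhcpConfig {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Get-Service DHCPServer -ErrorAction SilentlyContinue)) {
        throw "The DHCP Server service is not installed on this machine; add the role first"
    }
    if (-not (Test-Path $Path)) { throw "Export file $Path not found" }
    & netsh.exe dhcp server import $Path all | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "DHCP import failed with exit code $LASTEXITCODE" }
    Restart-Service DHCPServer
    # Print the scopes so they can be compared against the old server before authorizing
    & netsh.exe dhcp server show scope
}

# On the old DC:  Export-DhcpConfig               -> copy C:\DHCP-Export\dhcpdb.txt to the new server
# On the new DC:  Import-DhcpConfig -Path 'C:\DHCP-Export\dhcpdb.txt'
# Then stop the DHCP Server service on the old DC so two servers do not serve the same scopes.
```

Stopping the old server before authorizing the new one matters: the import copies scopes and leases, and two authorized servers handing out the same ranges is the classic way to end up with duplicate addresses on the segment.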

3. If WINS is installed, you’ll need to migrate it to another server. Read more in this link:

How to migrate a WINS Database from Windows 2000-based WINS server (Applies to all Windows 2000 and newer Windows versions)
http://support.microsoft.com/kb/875419

4. Disable the Global Catalog service from the domain controller.

Open Active Directory Sites & Services,
Drill down and expand the AD Site name the domain controller exists in
Click on the DC’s name
In the right window pane, you will see “NTDS Settings”
Right-click NTDS Settings, Choose Properties
Under the General tab, uncheck the Global Catalog checkbox
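As an added example (not from the original article), this PowerShell lists which DCs are Global Catalogs and toggles the flag on one of them. Checking or clearing the Global Catalog box on the NTDS Settings object is the same change: bit 0x1 of that object's `options` attribute. It covers Step 4 and Step 24 of the first article (enable on every DC) as well as Step 4 here (disable on the DC about to be demoted). It assumes the ActiveDirectory module (Windows 2008 R2 / RSAT or newer) and rights to write NTDS Settings objects; DC names in the usage lines are placeholders.

```powershell
# Added example, not part of the original article.
# Report and toggle the Global Catalog flag (bit 0x1 of the NTDS Settings "options" attribute).
# Assumed: ActiveDirectory module available; permission to modify NTDS Settings objects.

Import-Module ActiveDirectory
$IS_GC = 1   # NTDSDSA_OPT_IS_GC

function Get-GcStatus {
    # Get-ADDomainController -Filter * covers the current domain; run once per domain in a forest
    Get-ADDomainController -Filter * | ForEach-Object {
        $ntds = Get-ADObject -Identity $_.NTDSSettingsObjectDN -Properties options
        [pscustomobject]@{
            DC      = $_.HostName
            Site    = $_.Site
            IsGC    = [bool]($ntds.options -band $IS_GC)
            Options = $ntds.options
        }
    }
}

function Set-GcFlag {
    param(
        [Parameter(Mandatory)][string]$DcName,   # e.g. 'DC2' (placeholder)
        [Parameter(Mandatory)][bool]$Enabled
    )
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $new  = if ($Enabled) { $ntds.options -bor $IS_GC } else { $ntds.options -band (-bnot $IS_GC) }
    if ($new -ne $ntds.options) {
        # Other option bits (e.g. disabled inbound/outbound replication) are preserved
        Set-ADObject -Identity $ntds -Replace @{ options = $new }
    }
    return [bool]($new -band $IS_GC)
}

function Get-NonGcDomainControllers {
    Get-GcStatus | Where-Object { -not $_.IsGC }
}

# Usage:
#   Get-GcStatus                                                          # who is a GC today?
#   Get-NonGcDomainControllers | ForEach-Object { Set-GcFlag -DcName $_.DC -Enabled $true }
#   Set-GcFlag -DcName DC1 -Enabled $false                                # before demoting DC1
#   Then wait for replication and check _gc._msdcs.<domain> in DNS, as Step 25 of the first article does.
```

Enabling the flag only starts the GC promotion; the DC advertises itself as a GC (the `_gc._msdcs` records appear) only after it has finished building its read-only partial replicas, which is why the article tells you to wait and refresh the DNS console.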

5. If this domain controller currently holds one or more FSMO operations master roles, transfer the operations master roles to another domain controller before demoting it. You can allow dcpromo to transfer the roles automatically; however, they may then land on a DC you would not have chosen. Transferring them yourself beforehand lets you pick the specific DC that receives the roles.

How to view and transfer FSMO roles in Windows Server 2003 using the GUI
http://support.microsoft.com/kb/324801

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
http://support.microsoft.com/kb/255504

How to view and transfer FSMO roles in the graphical user interface – There are five Flexible Single Master Operations (FSMO) roles in a Windows …
http://support.microsoft.com/kb/255690

Transferring FSMO Roles – How can I transfer some or all of the FSMO Roles from one DC to another?
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or …
http://www.petri.co.il/transferring_fsmo_roles.htm
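As an added example (not from the original article), the following shows which DC holds each of the five roles and moves only the roles the retiring DC actually holds to a DC of your choosing, which is the point of Step 5 here and Step 11 of the first article. The same cmdlet with `-Force` performs the seizure needed for the failed-DC case in the orphaned-DC article, where the old holder is gone and cannot hand the role over. It assumes the ActiveDirectory module (Windows 2008 R2 / RSAT or newer); the DC names are placeholders.

```powershell
# Added example, not part of the original article.
# List FSMO holders, then transfer (or, for a dead DC, seize) the roles a given DC holds.
# Assumed: ActiveDirectory module; account allowed to move operations master roles.

Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRolesFrom {
    param(
        [Parameter(Mandatory)][string]$OldDc,     # DC being retired, e.g. 'DC1' (placeholder)
        [Parameter(Mandatory)][string]$TargetDc,  # DC that should own the roles, e.g. 'DC2'
        [string[]]$Roles,                          # optional explicit list, useful after a seize cleanup
        [switch]$Seize                             # only when $OldDc is permanently gone
    )
    if (-not $Roles) {
        # Pick only the roles the old DC holds so nothing else is disturbed
        $Roles = Get-FsmoHolders.PSObject.Properties |
            Where-Object { $_.Value -like "$OldDc.*" -or $_.Value -ieq $OldDc } |
            ForEach-Object { $_.Name }
    }
    if (-not $Roles) { Write-Host "$OldDc holds no FSMO roles"; return @() }
    $params = @{ Identity = $TargetDc; OperationMasterRole = $Roles; Confirm = $false }
    if ($Seize) { $params.Force = $true }   # seize: no handshake with the old holder
    Move-ADDirectoryServerOperationMasterRole @params
    return $Roles
}

# Planned demotion (old DC still online):
#   Move-FsmoRolesFrom -OldDc DC1 -TargetDc DC2
# Orphaned DC (metadata cleanup done, old DC never coming back):
#   Move-FsmoRolesFrom -OldDc DC1 -TargetDc DC2 -Roles PDCEmulator,RIDMaster -Seize
# Verify afterwards: Get-FsmoHolders
```

A transfer is always preferable to a seizure: after a seizure the old DC must never be brought back online as a DC, because it still believes it owns the role.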

6. If you transfer the PDC Emulator FSMO role to the new DC, you will need to configure the time service on the new PDC.

On the new PDCEmulator (Note: ‘peers’ is an Internet time source such as time-a.nist.gov or time.windows.com):
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

On the old PDCEmulator:
w32tm /config /syncfromflags:domhier /update

After that run the following on all DCs:
net stop w32time
net start w32time

The “peers” can be a text file or direct input, allowing you to set the time source as either a DNS name (such as time.windows.com) or an IP address of a reliable time source. I normally use 192.5.41.41. Check http://www.pool.ntp.org for time servers in your own locale.

On your edge firewall, make sure UDP port 123 traffic is allowed inbound from the time source to the new PDC Emulator.

For more Windows Time Service specifics and troubleshooting, check the following:

Configuring the Windows Time Service for Windows 2000, 2003, 2008 and newer, explanation of the time service hierarchy, and more
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
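As an added example (not from the original article), the following applies the w32tm configuration from Step 6 and then verifies it: run the first function on the new PDC Emulator, the second on the old one, and the third against every DC to confirm what each is actually syncing from. It assumes Windows 2008 or newer (`w32tm /query` does not exist on Windows 2003, where `w32tm /monitor` is the nearest check); the peer list is a constructed placeholder, replace it with the source you choose.

```powershell
# Added example, not part of the original article.
# Apply the Step 6 w32tm settings and verify the result. Assumed: Windows 2008+ w32tm;
# the default peers below are placeholders for your chosen time source.

function Set-PdcTimeSource {
    param([string[]]$Peers = @('time.windows.com', 'time-a.nist.gov'))
    # 0x8 = client mode, the usual flag for an external NTP server
    $peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
    & w32tm.exe /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update | Out-Null
    Restart-Service w32time          # same as net stop / net start w32time
    & w32tm.exe /resync | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Set-DomainHierarchyTimeSource {
    # For the old PDC Emulator (and any other DC): follow the domain hierarchy again
    & w32tm.exe /config /syncfromflags:domhier /update | Out-Null
    Restart-Service w32time
    & w32tm.exe /resync | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-TimeSync {
    param([string[]]$Computers = @($env:COMPUTERNAME))
    foreach ($c in $Computers) {
        $source = (& w32tm.exe /query /computer:$c /source) -join ''
        $status = (& w32tm.exe /query /computer:$c /status) -join "`n"
        $stratum = if ($status -match 'Stratum:\s*(\d+)') { [int]$Matches[1] } else { $null }
        [pscustomobject]@{
            Computer = $c
            Source   = $source
            Stratum  = $stratum
            # "Local CMOS Clock" / "Free-running System Clock" means the DC is not synced to anything
            Synced   = ($source -notmatch 'Local CMOS Clock|Free-running')
        }
    }
}

# Usage:
#   Set-PdcTimeSource -Peers 'time.windows.com'        # on the new PDC Emulator
#   Set-DomainHierarchyTimeSource                      # on the old PDC Emulator
#   Test-TimeSync -Computers (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
```

The check to look for is that the new PDC Emulator reports the external source and a low stratum, while every other DC reports a DC (ultimately the PDCe) as its source; a DC still showing its local CMOS clock after the restart is the usual sign that UDP 123 to the time source is blocked.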

7. Make sure Exchange 2003 is not using this DC for OAB or RUS. Change it to another DC if this is the case. If Exchange 2007 or 2010, Exchange will automatically discover the change.

If Exchange is installed on the DC, this introduces a huge complexity and would involve moving the Exchange installation to another Exchange server first. Read the following for more information:

Exchange on a Domain Controller – Ramifications and How to Move Exchange off a DC  
Published by acefekay on Aug 8, 2009 at 7:00 PM 
http://msmvps.com/blogs/acefekay/archive/2009/08/08/moving-from-exchange-2000-currently-on-a-windows-2000-domain-controller-to-a-new-exchange-2003-server-on-a-windows-2003-member-server.aspx

8. Run dcpromo. Choose “this DC is not the last DC in the domain.” Allow it to restart. If you are not sure how, or which options to choose, read the following links.

Removing a Domain Controller from a Domain
Updated: January 5, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/cc771844(WS.10).aspx

Demote a domain controller: Active Directory
Updated Jan 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx

9. Go to an existing DC and check DNS to make sure its references (LdapIpAddress and GC) are gone.

Check _gc._msdcs.domain.com
If exists, delete the old reference.

Check the domain.com zone
If an entry for “(same as parent) A <oldIpAddress>” exists, delete it.

10. Check the domain.com and the _msdcs.domain.com zones for the NS (nameserver) records to make sure the old DC’s entry no longer exists. If it still shows:

Right-click the zone and choose Properties
Choose the Name Servers tab
Highlight the old entry
Choose Delete, and click OK on the message that pops up asking whether you are sure you want to delete it
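As an added example (not from the original article), this PowerShell does the DNS checks of Steps 9 and 10 in one pass over the domain zone and the _msdcs zone: A records carrying the old IP (including the “(same as parent folder)” record), NS records naming the old DC, the GUID CNAME and the SRV records that still point at it. Finding and removing are separate functions, and removal honours `-WhatIf`, so you can see the list before anything is deleted. It assumes the DnsServer PowerShell module (Windows 2012 / RSAT or newer; on 2003 and 2008 the same queries are made with dnscmd) and that the zones are hosted on the DNS server you point it at; the names and IP in the usage lines are placeholders.

```powershell
# Added example, not part of the original article.
# Find DNS records in <domain> and _msdcs.<domain> that still reference a removed DC,
# then remove them after review. Assumed: DnsServer module; the zones live on $DnsServer.

Import-Module DnsServer

function Find-StaleDcDnsRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,      # e.g. 'domain.com'       (placeholder)
        [Parameter(Mandatory)][string]$OldDcFqdn,   # e.g. 'dc1.domain.com'   (placeholder)
        [Parameter(Mandatory)][string]$OldIp,       # e.g. '192.168.1.10'     (placeholder)
        [string]$DnsServer = $env:COMPUTERNAME
    )
    $found = @()
    foreach ($zone in @($Domain, "_msdcs.$Domain")) {
        # _msdcs is its own zone on 2003+ forests; skip quietly if it is only a subdomain here
        $records = Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $DnsServer -ErrorAction SilentlyContinue
        foreach ($r in $records) {
            $hit = switch ($r.RecordType) {
                'A'     { "$($r.RecordData.IPv4Address)" -eq $OldIp }
                'NS'    { $r.RecordData.NameServer.TrimEnd('.') -ieq $OldDcFqdn }
                'CNAME' { $r.RecordData.HostNameAlias.TrimEnd('.') -ieq $OldDcFqdn }
                'SRV'   { $r.RecordData.DomainName.TrimEnd('.') -ieq $OldDcFqdn }
                default { $false }
            }
            if ($hit) {
                $found += [pscustomobject]@{ Zone = $zone; Name = $r.HostName; Type = $r.RecordType; Record = $r }
            }
        }
    }
    return $found
}

function Remove-StaleDcDnsRecords {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Stale, [string]$DnsServer = $env:COMPUTERNAME)
    foreach ($s in $Stale) {
        if ($PSCmdlet.ShouldProcess("$($s.Type) '$($s.Name)' in zone $($s.Zone)", 'Remove')) {
            Remove-DnsServerResourceRecord -ZoneName $s.Zone -InputObject $s.Record -ComputerName $DnsServer -Force
        }
    }
}

# Usage:
#   $stale = Find-StaleDcDnsRecords -Domain domain.com -OldDcFqdn dc1.domain.com -OldIp 192.168.1.10
#   $stale | Format-Table Zone, Name, Type                # review: "@" A record, "_gc" records, NS, GUID CNAME
#   Remove-StaleDcDnsRecords -Stale $stale -WhatIf        # dry run
#   Remove-StaleDcDnsRecords -Stale $stale                # delete after review
```

If the old DC is being rebuilt with the same name and IP (the first article's scenario), run the find step before the new server is promoted; otherwise the list will also contain the new DC's freshly registered records, which look identical.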

11. Check AD Sites & Services to make sure its server object is gone. If not, delete the server object.

Open Active Directory Sites & Services,
Drill down and expand the AD Site name the domain controller exists in
Right-Click on the DC’s name
Choose Delete (or hit the delete key)

12. Check ADUC, Domain Controllers OU to make sure it’s gone. You should now find the old DC computer object in the Computers Container.

13. Change the DNS settings to its own IP address (to itself). Delete the 127.0.0.1 entry. Make the other DC in SiteA the second DNS entry. This is the preferred setting, where all DCs point to themselves as the first entry and to another DC in their own Site as the second. If no other DCs are in its own Site, choose one across the WAN with the fastest link.

14. Go have a cold or hot beverage of your choosing. You should be good to go.

 

All comments, corrections and suggestions are welcome!

Ace Fekay

Complete Step by Step to Remove an Orphaned Domain Controller


Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Published 10/5/2010
Revamped  11/3/2010 – Changed the steps to make more sense and easier to follow

 

Preface

I think at this time you’re probably thinking, “What, another blog on how to remove an Orphaned DC?” I know. There are many out there, and I commend all the ones I’ve read. I thought to put together a complete step by step with all the little nuances that are involved, with links and explanations. If I’ve forgotten any, or even if I’ve made a mistake, I do hope someone is kind enough to post a comment saying so. I would do the same.

In a nutshell, I wrote this in response to questions that have come up numerous times in the AD NNTP newsgroups and Microsoft Social Forums. The question usually isn’t asked directly, because in some cases people may not have realized these steps are required. Rather, how to remove an orphaned DC is normally the answer after diagnosing a specific DC or replication issue: not being able to introduce a new DC with the same name as a failed one, a DC that was lost and is now producing numerous Event log replication errors as well as DCDIAG and other errors, or something as simple as having run the procedure but forgotten a step or two.

To point out, many of the steps were taken from the following link, but I’ve extrapolated the steps and added additional information, links, and explanations.

How to remove completely orphaned Domain Controller
http://support.microsoft.com/kb/555846

 

Should I repair the DC or simply dump it and create a new one?

Good question. In many cases, whenever a DC is lost, the easiest and simplest way is to simply dump the machine, clean up AD and rebuild it using the same name. Compared to doing a restore, this is the simplest procedure and will save wasted time, because it’s much faster. However, just to add, if any application or service is installed on the DC, it adds complexity, especially if Exchange was installed on it. Needless to say, as many are aware of or have already heard, it’s recommended to never install Exchange on a DC. See the next section where I posted a link that explains this in greater detail.

Of course the decision to dump the failed DC and rebuild a new one with the same name is a sound and proven popular decision; however, this assumes there are no applications or major services installed and running, or files to be restored, on the DC. Normally we do not recommend installing additional apps or services other than DNS, WINS and/or DHCP. If there are, then of course the apps, services, files, etc., must be reinstalled, reconfigured, or restored.

Was Exchange on the DC?

As mentioned in the Preface, one thing I like to point out is that if Exchange is on a DC (besides reiterating that this is not a recommended option), hopefully you have a full backup of the Exchange Information Store and of the DC System State, because both would have to be restored. Hopefully as well you have two separate backups of each rather than both in the same backup job, otherwise you may find the Exchange backup is useless for a restore. More about Exchange on a DC in the following link. It’s not a DC/Exchange restore link; rather, it explains why you wouldn’t want to install Exchange on a DC and the ramifications, as long as it’s not SBS, which is designed to allow Exchange on it. Read more if this applies to your scenario:

Exchange on a Domain Controller – Ramifications and How to Move Exchange off a DC  
Published by acefekay on Aug 8, 2009 at 7:00 PM 
http://msmvps.com/blogs/acefekay/archive/2009/08/08/moving-from-exchange-2000-currently-on-a-windows-2000-domain-controller-to-a-new-exchange-2003-server-on-a-windows-2003-member-server.aspx

 

Were there any applications or services installed?

Was DHCP installed?

If you don’t have a backup that you can retrieve the DHCP database, your best bet is to reinstall DHCP services and start from scratch. If you do have a backup and can restore the DHCP files, follow this link:

How to move a DHCP database from a computer that is running Windows 2003 (Also applies to newer versions)
http://support.microsoft.com/kb/325473

How to migrate a DHCP database from Windows 2000 Server to Windows Server 2008 or Windows Server 2008 R2, Nov 9, 2009
http://blogs.technet.com/b/networking/archive/2009/11/09/how-to-migrate-a-dhcp-database-from-windows-2000-server-to-windows-server-2008-or-windows-server-2008-r2.aspx

Was WINS installed?

If you don’t have a backup that you can retrieve the WINS database, your best bet is to reinstall WINS services and start from scratch. If the WINS server had a partner, you can possibly use that to reinitiate the database. If you do have a backup and can restore the WINS files, follow this link:

How to migrate a WINS Database from Windows 2000-based WINS server (Applies to all Windows 2000 and newer Windows versions)
http://support.microsoft.com/kb/875419

Was DNS installed?

No worries as long as the zones were AD Integrated. They’ll just replicate over from another DC automatically. No need to manually create the zones. If you do try to manually create the zones and they are AD Integrated, you’ll introduce a duplicate zone issue in the AD database, which is another topic to clean them up.

Any other applications or services installed?

Depending on the application or service installed, hopefully you’ll have either a backup from which you can retrieve the files, or you’ll have to reinstall. For any third party application, you’ll need to refer to the documentation or contact the vendor for assistance.

Basic High-Level steps

1. Run a Metadata Cleanup
2. Remove the old computer in “Active Directory Sites and Services.”
3. Remove old DNS and WINS records of the orphaned Domain Controller.
4. If Windows 2000, use “ADSIEdit” to remove old computer records from the Active Directory.
5. Force Active Directory replication

 

 

Steps Broken Down with a Low-Level Description

1. Make sure at least one of the current live DCs is a GC. It’s actually recommended to make all DCs GCs, whether in a single domain or multi-domain forest. This way it alleviates issues with the IM/GC conflict. Many large installations have been using this design successfully without issues. As a matter of fact, Exchange likes it.

Global Catalog vs. Infrastructure Master:
“If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs”
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx

Enable or disable a global catalog: Active Directory
Jan 21, 2005 … Select the Global Catalog check box to enable the global catalog, or clear the check box to disable the global catalog. …
http://technet.microsoft.com/en-us/library/cc758330(WS.10).aspx

How to create or move a global catalog in Windows Server 2003 (same in 2008 & 2008 R2)
http://support.microsoft.com/kb/313994

 

2. Use the following knowledgebase to run a Metadata Cleanup to remove common Domain Controller objects and settings from Active Directory.

A. For Windows 2003

NTDSUTIL in 2003 and newer automatically removes the Computer Account and FRS objects from Active Directory, but if you like, you can still use these steps to ensure the objects were removed.

How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498

 

B. For Windows 2000, you must use ADSIEdit to remove the Computer Account and the FRS Object from Active Directory.

Use ADSIEdit to delete the computer account. To do this, follow these steps:

1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
2. Expand the Domain NC container.
3. Expand DC=Your Domain Name, DC=COM, PRI, LOCAL, NET.
4. Expand OU=Domain Controllers.
5. Right-click CN=domain controller name, and then click Delete.

If you receive the “DSA object cannot be deleted” error message when you try to delete the object, change the UserAccountControl value. To change the UserAccountControl value, right-click the domain controller in ADSIEdit, and then click Properties. Under Select a property to view, click UserAccountControl. Click Clear, change the value to 4096, and then click Set. You can now delete the object.

Note The FRS subscriber object is deleted when the computer object is deleted because it is a child of the computer account.

 Use ADSIEdit to delete the FRS member object. To do this, follow these steps:   

  1.  
    1.  
      1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK
      2. Expand the Domain NC container.
      3. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
      4. Expand CN=System.
      5. Expand CN=File Replication Service.
      6. Expand CN=Domain System Volume (SYSVOL share).
      7. Right-click the domain controller you are removing, and then click Delete.

 

C. For Windows 2008 and Windows 2008 R2:

Metadata cleanup is GUI based in 2008 and 2008 R2: deleting the old DC's server object in Active Directory Sites and Services (or its computer object in Active Directory Users and Computers) runs the cleanup for you. However, you'll still want to follow the rest of the steps to seize the FSMO roles, force replication, check DNS and WINS, and so on.

Cleanup Server Metadata Windows 2008 (GUI Based)
http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx

Active Directory Metadata Cleanup (For Windows 2008 or newer – with screen shots)
By Meinolf Weber, MVP
http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx

 

Optional Script For Windows 2000, 2003, 2008, and 2008 R2

If you would rather not use ntdsutil or ADSIEdit from the command line, Microsoft has published a script written specifically to run the metadata cleanup for you:

Remove Active Directory Domain Controller Metadata (Microsoft) – Applies to all Windows Server versions (2000, 2003, 2003 R2, 2008, 2008 R2, SBS 2003 and SBS 2008)
http://gallery.technet.microsoft.com/ScriptCenter/en-us/d31f091f-2642-4ede-9f97-0e1cc4d577f3
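As an added example (not part of the original post), the following PowerShell runs the metadata cleanup in the one-line ntdsutil form available on Windows Server 2003 SP1 and later, and then checks by DN that each object which made the old DC a DC is gone. Run it on a surviving DC as a Domain Admin. The names OLDDC and SiteA are assumptions; change them to match your environment.

```powershell
# Added example (not from the original post): one-line ntdsutil metadata
# cleanup (2003 SP1 and later) followed by a check for leftover objects.
# OLDDC and SiteA are assumptions. Run on a surviving DC as a Domain Admin.
param([switch]$Run)                 # default: only check, do not clean up
$OldDc = 'OLDDC'
$Site  = 'SiteA'
$Root     = [ADSI]'LDAP://RootDSE'
$DomainDn = [string]$Root.defaultNamingContext.Value
$ConfigDn = [string]$Root.configurationNamingContext.Value
$ServerDn = "CN=$OldDc,CN=Servers,CN=$Site,CN=Sites,$ConfigDn"

if ($Run) {
  # "remove selected server <DN>" removes the NTDS Settings object and, on
  # 2003 SP1 and later, the computer account and FRS member object as well
  # (a confirmation dialog appears). On 2000 / 2003 RTM use the interactive
  # connections / select operation target sequence from the KB instead.
  ntdsutil "metadata cleanup" "remove selected server $ServerDn" quit quit
}

# Everything that should be gone afterwards, by DN
$ShouldBeGone = @(
  "CN=NTDS Settings,$ServerDn"
  $ServerDn
  "CN=$OldDc,OU=Domain Controllers,$DomainDn"
  "CN=$OldDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainDn"
)
function Get-LeftoverObjects([string[]]$Dns) {
  # DirectoryEntry.Exists returns $false for a missing DN instead of throwing
  $Dns | Where-Object { [ADSI]::Exists("LDAP://$_") }
}
$Left = @(Get-LeftoverObjects $ShouldBeGone)
if ($Left.Count -eq 0) {
  Write-Host "No leftover objects for $OldDc; continue with the FSMO, DNS and WINS checks."
} else {
  Write-Warning "Still present; remove with ADSIEdit (see the Windows 2000 steps) or rerun the cleanup:"
  $Left | ForEach-Object { Write-Warning "  $_" }
}
```

Run it without -Run first to see what is still there; the server object and NTDS Settings object live in the configuration partition, the computer account and FRS member object in the domain partition, so both partitions must have replicated the deletions before every DC agrees.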

 

3. If the failed DC held any of the FSMO roles, you need to seize the roles onto another domain controller. Seize (rather than transfer) only because the old DC is gone, and never bring the old DC back online afterwards.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504

How to view and transfer FSMO roles in Windows Server 2003 using the GUI
http://support.microsoft.com/kb/324801
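As an added example (not part of the original post), this PowerShell reads the current role holders from Active Directory, works out which roles the dead DC still owns, and seizes only those onto the surviving DC using the .NET System.DirectoryServices.ActiveDirectory classes, which are present on Windows Server 2003 and later, so no Windows 2008 R2 AD module is needed. OLDDC and NEWDC are assumed names; the ntdsutil sequence in the comments is the equivalent described in the KB above.

```powershell
# Added example (not from the original post): seize only the FSMO roles the
# dead DC still holds. OLDDC and NEWDC are assumptions. Run as Enterprise
# Admin (schema/naming roles) or Domain Admin (the three domain roles).
$OldDc = 'OLDDC'
$NewDc = 'NEWDC'

$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# Role name (ActiveDirectoryRole enum) -> FQDN of the DC that currently holds it
$Holders = @{
  SchemaRole         = $Forest.SchemaRoleOwner.Name
  NamingRole         = $Forest.NamingRoleOwner.Name
  PdcRole            = $Domain.PdcRoleOwner.Name
  RidRole            = $Domain.RidRoleOwner.Name
  InfrastructureRole = $Domain.InfrastructureRoleOwner.Name
}
$Holders.GetEnumerator() | ForEach-Object { "{0,-20} {1}" -f $_.Key, $_.Value }

function Get-RolesHeldBy([hashtable]$RoleOwners, [string]$DcName) {
  # compare on the short host name; the owner is reported as a FQDN
  $RoleOwners.Keys | Where-Object { ($RoleOwners[$_] -split '\.')[0] -ieq $DcName }
}
$ToSeize = @(Get-RolesHeldBy $Holders $OldDc)
if ($ToSeize.Count -eq 0) { Write-Host "$OldDc holds no FSMO roles; nothing to seize."; return }

# Bind to the surviving DC and seize. SeizeRoleOwnership writes the new
# owner directly (no handshake with the old holder), so run it once only.
$Ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $NewDc)
$Target = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($Ctx)
foreach ($Role in $ToSeize) {
  Write-Host "Seizing $Role from $OldDc onto $NewDc"
  $Target.SeizeRoleOwnership([System.DirectoryServices.ActiveDirectory.ActiveDirectoryRole]$Role)
}

# Equivalent ntdsutil sequence (run on NEWDC):
#   ntdsutil -> roles -> connections -> connect to server NEWDC -> quit
#   -> seize schema master / seize naming master / seize PDC /
#      seize RID master / seize infrastructure master -> quit -> quit

# Verify (netdom: 2003 Support Tools, inbox on 2008); repeat on another DC
# after replication to confirm every DC sees the same owners
netdom query fsmo
```

Seizing the RID master or schema master is the irreversible case: if the old DC were ever reconnected it would hand out RIDs or schema changes that conflict with the new holder, which is why the old machine must be rebuilt rather than restored.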

 

4. If the failed DC held the PDC Emulator role, you need to configure the new PDC Emulator as the domain's authoritative time server. The first link is my blog with complete steps; it was compiled from the following two Microsoft KBs, among other links.

Configuring the Windows Time Service for Windows Server
Scroll down to the section "Transferring the PDC Emulator Role"
Published by acefekay on Sep 18, 2009
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx

How to configure an authoritative time server in Windows 2000
http://support.microsoft.com/kb/216734

How to configure an authoritative time server in Windows Server 2003
http://support.microsoft.com/kb/816042
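As an added example (not part of the original post), the following PowerShell applies the w32tm settings the KBs above describe, choosing the branch by asking Active Directory who holds the PDC Emulator role now: the new PDCe syncs from external NTP peers and advertises itself as reliable, and every other DC is pointed back at the domain hierarchy so none of them keeps following the old PDCe. The NTP peer names are assumptions.

```powershell
# Added example (not from the original post): w32tm configuration for the
# new PDC Emulator and for the remaining DCs. NTP peers are assumptions.
$Peers = 'time.nist.gov,0x8 pool.ntp.org,0x8'   # 0x8 = client mode, one-way sync

function Set-AuthoritativeTimeSource([string]$PeerList) {
  # manual peers, stop following the (dead) old PDCe, advertise as reliable
  w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:yes /update
  Restart-Service w32time
  w32tm /resync /rediscover
}
function Set-DomainHierarchyTimeSource {
  # non-PDCe DCs: back to the domain hierarchy, not a stale manual peer
  w32tm /config /syncfromflags:domhier /reliable:no /update
  Restart-Service w32time
  w32tm /resync /rediscover
}

# Who holds the PDCe now? Read from AD so it reflects the seizure in step 3.
$Pdce = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
if (($Pdce -split '\.')[0] -ieq $env:COMPUTERNAME) {
  Write-Host "$env:COMPUTERNAME is the PDC Emulator: becoming the authoritative time source"
  Set-AuthoritativeTimeSource $Peers
} else {
  Write-Host "PDC Emulator is $Pdce: following the domain hierarchy"
  Set-DomainHierarchyTimeSource
}
# w32tm /query exists on 2008 and later; on 2003 use "w32tm /monitor" and
# the W32Time entries in the System event log instead
w32tm /query /status
```

Run the same script on every DC: the PDCe branch runs only on the role holder, and the other DCs lose any leftover manual peer list that still named the old server.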

 

5. Remove the old DC's server object by using the "Active Directory Sites and Services" tool.

Open Active Directory Sites and Services
Expand the Sites folder
Select the site the old DC was in
Expand Servers
Delete the server object with the old DC's name

 

6. Remove any old WINS records of the orphaned domain controller from the WINS database. If there are WINS replication partners, choose the "Tombstone" option when you delete the records, so the deletion itself replicates; a plain delete is local to that server and the partners keep their copies.

Deletion of WINS Database Records
If WINS records deleted this way have been replicated to other WINS servers, those copies are not removed; the records on the other WINS servers remain.
http://technet.microsoft.com/en-us/library/cc959263.aspx

Deleting and tombstoning records: Windows Internet Name Service (WINS)
If WINS records deleted this way exist in WINS data replicated to other WINS servers on your network, those additional records are left in place unless the records are tombstoned.
http://technet.microsoft.com/en-us/library/cc782886(WS.10).aspx

 

7. Force Active Directory replication by using the "Repadmin.exe" tool.

Repadmin examples:

repadmin /syncall – initiates replication with all partners of the DC you run it on
repadmin /syncall /A /e /P (/A synchronizes all partitions on the DC you're running it on, /e synchronizes partitions across all sites, /P forces a "push" that pushes changes outwards instead of the default pull)

Also, to check replication status:

To see if anything is in the queue waiting for replication:
Run "repadmin /queue *"

Find out what the replication latency is, if any. If it's less than a few minutes, you're fine.
Run "repadmin /showutdvec server-name dc=mydomain,dc=lab /latency"

You can also use the Replmon GUI on Windows 2000 and 2003, but it is no longer shipped with 2008 or newer:
Getting Over Replmon (Ask the Directory Services Team, Jul 1, 2009): with the release of Windows Server 2008, Replmon was not included.
http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx

Repadmin: More info as well as explanations on the specific repadmin switches

Repadmin
Updated: August 22, 2005
A complete list of switches with details and usage.
Applies To: Windows Server 2003 R2 (However, the switches apply to 2008 and 2008 R2 as well.)
http://technet.microsoft.com/en-us/library/cc778305(WS.10).aspx

Using Repadmin.exe to troubleshoot Active Directory replication
http://support.microsoft.com/kb/229896/

Initiating Replication Between Active Directory Direct Replication Partners
Written for Windows 2000, but works for Windows 2003, 2008 and 2008 R2
This article shows how to use repadmin and the necessary switches to force replication between specific or all partners in the infrastructure
http://support.microsoft.com/kb/232072

Troubleshooting replication
Updated: April 4, 2008
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc755349(WS.10).aspx

Repadmin
Updated: July 13, 2010
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008
http://technet.microsoft.com/en-us/library/cc770963(WS.10).aspx

Repadmin: Microsoft Technical Whitepaper (download link):
http://www.microsoft.com/downloads/details.aspx?familyid=c6054092-ee1e-4b57-b175-5aabde591c5f&displaylang=en
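As an added example (not part of the original post), this PowerShell pushes replication with the switches explained above and then parses repadmin's CSV output so that any inbound link that still fails, or that still originates from the removed DC, is listed instead of being read off screen. It needs a repadmin that supports /csv (2003 SP1 Support Tools, inbox on 2008); OLDDC is an assumed name.

```powershell
# Added example (not from the original post): push replication, then flag
# failing links and links that still come from the removed DC, which the
# metadata cleanup should have taken away. OLDDC is an assumption.
$OldDc = 'OLDDC'

# /A all partitions, /e every site, /P push rather than pull (see above)
repadmin /syncall /A /e /P | Out-Null

function Get-ReplicationProblems([string]$RemovedDc) {
  # /showrepl * /csv: one row per inbound connection of every DC, with the
  # columns "Destination DSA", "Source DSA", "Naming Context",
  # "Number of Failures", "Last Success Time", "Last Failure Status", ...
  $Rows = repadmin /showrepl * /csv | ConvertFrom-Csv
  foreach ($Row in $Rows) {
    $Failures = [int]$Row.'Number of Failures'
    $FromOld  = ($Row.'Source DSA' -ieq $RemovedDc)
    if ($Failures -gt 0 -or $FromOld) {
      New-Object PSObject -Property @{
        Destination = $Row.'Destination DSA'
        Source      = $Row.'Source DSA'
        Partition   = $Row.'Naming Context'
        LastSuccess = $Row.'Last Success Time'
        Failures    = $Failures
        LastError   = $Row.'Last Failure Status'
        Problem     = $(if ($FromOld) { 'link from removed DC still present' } else { 'replication failing' })
      }
    }
  }
}

$Problems = @(Get-ReplicationProblems $OldDc)
if ($Problems.Count -eq 0) {
  Write-Host "All inbound links are healthy and none reference $OldDc."
} else {
  $Problems | Format-Table Destination, Source, Partition, Failures, LastError, Problem -AutoSize
}

# Anything still queued should drain within minutes
repadmin /queue *
```

A link whose source is the removed DC means some DC has not yet received the deletion of the old NTDS Settings object (or the KCC has not run there); give replication a few minutes, or run repadmin /kcc on that DC, before treating it as a failure.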

 

8. Go through DNS with a fine-toothed comb and delete every reference to the old DC: SRV records, host (A) records, the LdapIpAddress and GcIpAddress records, and so on.

Drill down into every record under both domain.local and _msdcs.domain.local.

Under the domain.local zone:

Delete the A (host record) for the failed DC
Delete the LdapIpAddress record: under domain.local you will see a record such as (same as parent)  A  192.168.1.10 (the old DC's IP, used here as an example). Delete only the one that carries the old DC's IP; every surviving DC registers one of these as well, and those must stay.
Delete any reference in the DomainDnsZones. If the DomainDnsZones folder exists, expand it. Check and delete any reference to the failed DC’s FQDN and IP address.
Delete any reference in the ForestDnsZones. If the ForestDnsZones folder exists, expand it. Check and delete any reference to the old DC’s FQDN and IP address.

To make sure all records are gone, fully expand each folder under the domain.local zone, and delete any references you see such as for the kerberos and ldap SRV references. The subfolders are:

_sites
_tcp
_udp
domaindnszones
forestdnszones

Under the _msdcs.domain.local zone:

Delete the GcIpAddress record: click the _gc folder under _msdcs.domain.local and delete the (same as parent) A record that carries the old DC's IP address. Each GC registers one of these, so leave the other GCs' records in place.
Delete the DC’s GUID ALIAS: Click on _msdcs.domain.local. You will see an ALIAS record with a long GUID number as the name pointing to the old DC’s FQDN. Delete it.

To make sure all records are gone, fully expand each subfolder under the _msdcs.domain.local zone. Make sure you do not see any references to the failed DC. If so, please delete them. The subfolders are:

dc
domains
gc
pdc

9. Delete the old DC's name server entry on the Name Servers tab of every zone's properties.

Right-click the zone name, click Properties
Name Servers tab
Remove the old DC's FQDN and/or IP
Repeat for every zone that exists, forward and reverse, including _msdcs.domain.local
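As an added example (not part of the original post), the following PowerShell does the sweep of steps 8 and 9 programmatically: it lists, and with -Delete removes, every record in every zone on a DNS server that still refers to the old DC by name or IP, which catches the host A record, the "(same as parent)" LdapIpAddress and GcIpAddress records, the _msdcs GUID CNAME, the SRV records under _sites, _tcp, _udp, dc, domains, gc and pdc, and the NS records that the Name Servers tab displays. It uses the MicrosoftDNS WMI provider found on Windows 2003 and 2008 DNS servers. The old DC's FQDN and IP are assumptions.

```powershell
# Added example (not from the original post): find (dry run) or delete
# (-Delete) every DNS record on this server that points at the old DC.
# olddc.domain.local and 192.168.1.10 are assumptions.
param([switch]$Delete)
$OldFqdn = 'olddc.domain.local'
$OldIp   = '192.168.1.10'
$Server  = $env:COMPUTERNAME               # run on, or point at, a DC/DNS server

function Get-StaleDnsRecords([string]$Fqdn, [string]$Ip, [string]$DnsServer) {
  # RecordData is the target for every type: an IP for A, a FQDN (with a
  # trailing dot) for CNAME, NS and PTR, "prio weight port target." for SRV.
  $TargetRx = '(^|\s)' + [regex]::Escape($Fqdn) + '\.?$'
  Get-WmiObject -ComputerName $DnsServer -Namespace root\MicrosoftDNS -Class MicrosoftDNS_ResourceRecord |
    Where-Object {
      $_.ContainerName -notlike '..*' -and          # skip ..Cache and ..RootHints
      ( $_.RecordData -match $TargetRx -or          # CNAME/NS/SRV/PTR -> old DC
        $_.RecordData -eq $Ip -or                   # A: host, LdapIpAddress, GcIpAddress
        $_.OwnerName -ieq $Fqdn )                   # anything owned by the old name
    }
}

$Stale = @(Get-StaleDnsRecords $OldFqdn $OldIp $Server)
if ($Stale.Count -eq 0) { Write-Host "No DNS records reference $OldFqdn / $OldIp on $Server."; return }

$Stale | Select-Object ContainerName, OwnerName, TextRepresentation | Format-Table -AutoSize
if ($Delete) {
  foreach ($Rec in $Stale) {
    # The surviving DCs' same-as-parent A records carry other IPs and are
    # not matched above, so only the old DC's copies are removed here.
    $Rec.Delete()
    Write-Host "Deleted: $($Rec.TextRepresentation)"
  }
} else {
  Write-Host "Dry run. Re-run with -Delete to remove the $($Stale.Count) record(s) listed above."
}
```

Run the dry run first and read the list: the one surprise is usually a PTR record in a reverse zone, which the GUI steps above do not mention but which still names the old DC. After deleting, run DNSLint (step 10) and check a second DNS server once the zones have replicated.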

10. Run a DNSLint report (for example dnslint /ad <IP of a DC> /s <IP of a DNS server>, which writes an HTML report) and make sure the old DC is no longer listed anywhere in DNS. If it is still listed, go back to steps 8 and 9.

Here are some links to understand how to use it.

DNSLint Overview: Domain Name System (DNS)
Prior to the development of DNSLint, the nslookup utility was frequently used for this kind of troubleshooting.
http://technet.microsoft.com/en-us/library/cc736981(WS.10).aspx

Support WebCast: Microsoft Windows: Using the DNSLint Utility
http://support.microsoft.com/?id=329982

Description of the DNSLint utility
DNSLint is a Microsoft Windows utility that helps you diagnose common DNS name resolution issues.
http://support.microsoft.com/kb/321045

How to use DNSLint to troubleshoot Active Directory replication issues
http://support.microsoft.com/kb/321046

 

 

Manually altering a DC to turn it into a non-DC

Last but not least: years ago, before the /forceremoval switch existed, when a DC could not be demoted but you wanted to keep the machine intact after demotion, a method was posted for manually ripping out the pieces that make a DC a DC. FWIW, here it is:

 

14 easy manual steps to make a DC a non-DC

Some have posted this as 12 steps, 13 steps or 14 steps. They are the same steps. Some have combined multiple tasks, but they are the same.

Keep in mind, unless it was changed, this is not supported by Microsoft. I believe there was a KB on it at one time, but I don’t have the KB#. If you follow this, keep in mind, this posting is AS-IS and offers no guarantees and confers no rights from Microsoft or myself. Here are a couple of links explaining the steps, as well as the steps posted below.

This was archived at this site from an old Newsgroup post I made back in 3/11/2003:
http://www.pcreview.co.uk/forums/manually-remove-ad-t1448839p2.html

Remove failed DC from AD manually… Never been easier (step by step with screen shots)
Unlike Windows 2000 and 2003, Windows 2008 & Windows 2008 R2 have new GUI tools to remove a failed DC from the AD database.
http://fawzi.wordpress.com/2010/11/11/remove-failed-dc-from-ad-manually-never-been-easier/

 

1) On another DC in the domain, run NTDSUTIL to seize (not transfer; the broken DC cannot hand them over) the FSMO roles. (If this is the only DC, skip this step.)
2) Make sure DNS is 100% solid on the working DC. (If there is only one DC, don't worry about it for now, but configure it correctly before promoting the machine again.)
3) Make sure the working DC is also a GC. (If there is just one DC, skip this.)
4) Boot the corrupted DC into Directory Services Restore Mode and, in the registry, change the ProductType value under HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions from LanmanNT to ServerNT. This value is what tells Windows whether the machine is a DC or just a server; ServerNT means it is not a DC.
5) At a command prompt, run net stop ntfrs to stop FRS.
6) Delete the SYSVOL and NTDS directories (by default %SystemRoot%\SYSVOL and %SystemRoot%\NTDS, or whatever paths were chosen in dcpromo).
7) Reboot the now former DC.
8) Log into the now member server and make it stand-alone by joining a workgroup (My Computer, Properties, Network ID tab, remove it from the old domain).
9) Reboot the now stand-alone server.
10) If there is only one DC in the domain, skip this step; otherwise, on the good DC, delete the disabled computer account for the old, now defunct DC (and run the metadata cleanup from Step 2 above).
11) On the stand-alone machine, set the Primary DNS Suffix to the domain name you want (My Computer, Properties, Network ID tab, Properties, More). Reboot.
12) Make sure DNS is configured with the new domain name and dynamic updates set to Yes.
13) Run DCPROMO to create a new domain or to join the domain/tree/forest again.
14) Reboot.

Comments, suggestions and corrections are welcomed! 

Ace Fekay

Global Catalog and FSMO Infrastructure Master Relationship


Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003

Original Publication: 10/1/2010

 

Overview

In a multi-domain forest, there are multiple factors that must be taken into account in the design from how to design the DNS resolving infrastructure (centralized or decentralized), to how to decide what to do with your Global Catalogs and the FSMO Role Infrastructure Master relationship. There are more factors, of course, but this blog focuses on the GC/IM relationship.

Because there is more than one domain in the forest, it is HIGHLY recommended to have a minimum of two DCs in each domain. The reason is two-fold: redundancy, and the IM role conflict on a GC in a multi-domain forest. If you are going to have a GC in the child domain, especially if it is in a remote location, keep this required rule in mind: in each domain, make one of the DCs a GC and move the Infrastructure Master role from the GC to a non-GC. This is basic domain design and FSMO role placement, and follows from the way this specific role works, or rather doesn't work, when it sits on a GC.

 

Make All DCs GCs

Then again, it’s now commonly recommended to just make all DCs in a forest a GC, no matter how the DNS resolving infrastructure is designed. This way it alleviates issues with the IM/GC conflict. Many large installations have been using  this design successfully without issues. Matter of fact, Exchange likes it.

Global Catalog vs. Infrastructure Master:
“If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs”
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx

 

More info on the Infrastructure Master and Global Catalog relationship

Taken as a whole, the IM keeps cross-domain references up to date. An object in its own domain (a group, say) that refers to an object in another domain stores that reference as a "phantom": a pointer to the foreign object rather than a copy of it. A phantom records only the following identities of the foreign object, not attributes such as memberOf; pulling those in would be extra work for the local domain's DCs, so the phantom is used as a pointer to query a DC in the other domain when the foreign object is actually needed, for instance when you add a user or group from another domain to a local group:

Distinguished name of the object
Object GUID
Object SID

So they are basically the values that ‘point’ to the reference, and not necessarily using a MemberOf or MemberIs attribute.

An example

1) User1 (DomainA) is a member of Group1 (DomainB)
This means that when viewing membership of Group1, you should be able to see User1 there.

2) User1 in DomainA gets renamed to User2

3) This change gets replicated to all GCs across the forest

4) IM in DomainB detects that its phantom for User1 is out of date, updates it, and replicates the update to all other DCs in DomainB

This means that when viewing membership of Group1, you should be able to see User2. Without the IM, Group1 would still list User1 as its member.
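As an added example (not part of the original post), this PowerShell checks every domain in the forest for the conflict described above. A domain object's fSMORoleOwner attribute holds the DN of the Infrastructure Master's NTDS Settings object, and bit 1 (NTDSDSA_OPT_IS_GC) of that object's options attribute says whether the DC is a GC; the script also counts the non-GC DCs in the forest, because if every DC is a GC the conflict is moot. It uses plain [ADSI] and DirectorySearcher, so it runs on Windows 2003 as well as 2008; no names are assumed.

```powershell
# Added example (not from the original post): report, per domain, whether
# the Infrastructure Master sits on a GC while some DC in the forest is not
# a GC (the conflict), using the options bit on the nTDSDSA objects.
function Get-DsaOptions([System.DirectoryServices.SearchResult]$R) {
  # "options" is absent from the search result when it is 0, so guard it
  if ($R.Properties.Contains('options')) { return [int]$R.Properties['options'][0] } else { return 0 }
}

function Get-ImGcConflict {
  $Config = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext.Value

  # Domain naming contexts: crossRef objects with FLAG_CR_NTDS_NC|FLAG_CR_NTDS_DOMAIN (3)
  $S = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Partitions,$Config")
  $S.Filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=3))'
  $Domains = @($S.FindAll() | ForEach-Object { [string]$_.Properties['ncname'][0] })

  # Every DC in the forest is an nTDSDSA object under CN=Sites
  $S = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$Config")
  $S.Filter = '(objectClass=nTDSDSA)'
  $NonGc = @($S.FindAll() | Where-Object { -not ((Get-DsaOptions $_) -band 1) })
  $AllGc = ($NonGc.Count -eq 0)

  foreach ($Dn in $Domains) {
    $ImDsaDn  = [string]([ADSI]"LDAP://$Dn").fSMORoleOwner.Value      # NTDS Settings DN of the IM
    $ImIsGc   = [bool]([int]([ADSI]"LDAP://$ImDsaDn").options.Value -band 1)
    $ServerDn = $ImDsaDn -replace '^CN=NTDS Settings,', ''             # parent server object
    New-Object PSObject -Property @{
      Domain      = $Dn
      IMHolder    = [string]([ADSI]"LDAP://$ServerDn").dNSHostName.Value
      IMIsGC      = $ImIsGc
      AllDCsAreGC = $AllGc
      # single-domain forests never have phantoms, so no conflict there
      Conflict    = ($Domains.Count -gt 1 -and $ImIsGc -and -not $AllGc)
    }
  }
}

Get-ImGcConflict | Format-Table Domain, IMHolder, IMIsGC, AllDCsAreGC, Conflict -AutoSize
```

A row with Conflict set to True is the case the post warns about: either move the IM role to a non-GC in that domain, or make the remaining non-GC DCs global catalogs so that the IM has no phantoms to maintain.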

 

 

Active Directory Sites

Also, with multiple locations, I suggest creating AD sites that correspond to each subnet. To do that, follow the steps in this article:

Step-by-Step Guide to Active Directory Sites and Services
http://www.activewin.com/win2000/step_by_step/active_directory/adsites.shtml

Step-by-Step Guide to Active Directory Sites and Services (Word document)
Creating a site link between two or more sites is a way to influence replication topology.
http://filedb.experts-exchange.com/incoming/2008/08_w35/53729/Active-Directory-Sites-and-Servi.doc

 

 

DNS SRV AD Site Registration

Once you have created your sites, to make the DCs register their site-specific records sooner than the default interval:

On the child DC, delete %SystemRoot%\system32\config\netlogon.dns and netlogon.dnb, then run:

ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon

Make sure the DC's A record, the LdapIpAddress record (the "(same as parent)" A record that should show the child DC's IP) and the SRV data show up in the nl.linakorg.local zone (the child domain in this example). Check the Sites configuration to make sure the respective DCs in the child domain show up correctly. Check in the _gc._msdcs.linakorg.local zone that the IPs of the DCs you made GCs show up.
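As an added example (not part of the original post), the following PowerShell performs the checks just described from the command line: it queries the site-specific LDAP SRV record, the forest-wide GC SRV record, and the LdapIpAddress and GcIpAddress host records and reports whether the expected child DC is behind each. nslookup is used because Resolve-DnsName does not exist before Windows Server 2012. The DC name, IP, site name and domain names are assumptions.

```powershell
# Added example (not from the original post): verify a DC's site SRV and
# same-as-parent registrations. Names, IP and site are assumptions.
$Dc     = 'childdc1.nl.linakorg.local'
$DcIp   = '10.20.0.10'
$Site   = 'Amsterdam'
$Domain = 'nl.linakorg.local'
$Forest = 'linakorg.local'
$DnsSrv = '10.20.0.10'                    # DNS server to ask

function Get-SrvTargets([string]$Name, [string]$Server) {
  # nslookup prints one "svr hostname = <fqdn>" line per SRV record
  nslookup -type=SRV $Name $Server 2>$null |
    ForEach-Object { if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1].TrimEnd('.') } }
}
function Get-ATargets([string]$Name, [string]$Server) {
  # skip the "Server:/Address:" banner (everything up to the first blank
  # line), then collect every IPv4 address from the answer section
  $Out   = @(nslookup -type=A $Name $Server 2>$null)
  $Start = [array]::IndexOf($Out, '') + 1
  $Out[$Start..($Out.Count - 1)] |
    ForEach-Object { if ($_ -match '(\d{1,3}(\.\d{1,3}){3})') { $Matches[1] } }
}

$Checks = @(
  @{ What = 'site LDAP SRV';   Ok = (@(Get-SrvTargets "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" $DnsSrv) -contains $Dc) }
  @{ What = 'forest GC SRV';   Ok = (@(Get-SrvTargets "_gc._tcp.$Forest" $DnsSrv)                          -contains $Dc) }
  @{ What = 'LdapIpAddress A'; Ok = (@(Get-ATargets $Domain $DnsSrv)                                       -contains $DcIp) }
  @{ What = 'GcIpAddress A';   Ok = (@(Get-ATargets "_gc._msdcs.$Forest" $DnsSrv)                          -contains $DcIp) }
)
foreach ($C in $Checks) { '{0,-16} {1}' -f $C.What, $(if ($C.Ok) { 'OK' } else { 'MISSING' }) }
```

A MISSING site LDAP SRV with the other three OK usually means the DC's IP is not covered by a subnet assigned to that site, so Netlogon registered it under the wrong site; a MISSING GcIpAddress on a DC you just made a GC means the GC promotion has not completed yet (Event 1119 in the Directory Service log marks the finish).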

 

Summary

It's now commonly recommended to simply make all DCs GCs so you don't have to worry about the GC/IM conflict: when every DC holds the partial replica of every domain, no phantoms are created, so there is nothing for the Infrastructure Master to update.

 

Related Links

In the meantime, please read the following links for more info. The first link explains what I summarized in more detail, which hopefully will give you a better understanding.

Phantoms, tombstones and the infrastructure master role conflict with a global catalog
http://support.microsoft.com/kb/248047


Global Catalog vs. Infrastructure Master
“If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs”
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx


FSMO placement and optimization on Active Directory domain controllers:
http://support.microsoft.com/kb/223346

Infrastructure Master Education:
"Global catalog and infrastructure master role conflicts only when there are more than one Domain in the Forest. We don't need to worry about single Domain situation." – Mervyn Zhang, MSFT
http://social.answers.microsoft.com/Forums/en-US/winservergen/thread/d238de68-3423-40cd-9bf1-8416bd1d4591

Windows 2000 Active Directory FSMO roles (similar in 2003 and 2008):
http://support.microsoft.com/kb/197132

 

Ace Fekay

Any comments or corrections are welcome

DNS Design Options in a Multi-Domain Forest – How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest


Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003

Original Publication: 10/1/2010

Edits:
10/4/2010  – Added a variation of the decentralized option. Even though it's not really used in the industry as far as I know, it's another option.
10/14/2010 – Changed Title to reflect the content of the material
9/22/2011 – Added info on configuring DNS to create a new tree in an existing forest

 

Overview

In an Active Directory forest with more than one domain,  there are a number of choices on how to design the DNS resolving infrastructure.

This is basically a summary of how to design a DNS infrastructure to handle parent and child domains. Keep in mind that with any DNS design you must ensure that everything in the forest can resolve any name and resource everywhere in the forest.

There are a number of ways to do this, but it comes down to two basic designs: Centralized and Decentralized.

Centralized

In a centralized design, set the parent zone to forest-wide replication and install DNS on any DC, whether in the parent or in a child domain, and the zone will be available everywhere. When a child resource (DC, member server, client, etc.) registers, a subfolder named after the child domain is created under the parent zone in DNS, and all records for the child are populated into that folder. In this design, child resources can simply use their own local DNS servers, and the zone is available to them, as well as to all other child domains.

Decentralized with a Parent-Child Delegation

Other designs involve decentralization, such as a global infrastructure where local legal regulations may require each region to handle its own DNS servers and its own zones. In such a decentralized model, the parent zone is set to domain-wide replication, and the child zones are delegated to the DC/DNS servers in the child domains.

Decentralized but all Child Domain Resources only use the Forest Root DNS Servers

I haven't seen this design scenario in the field as of yet, rather in a classroom or lab setup, but it's another option, though not a recommended one. It is basically the same as the above but without a delegation: all child domain resources use only the root's DNS servers. In such a design, if the child domains are across WAN links and the WAN link goes down, the whole child domain is unusable until it comes back up.

 

How to create a DNS Parent-Child Delegation

By default, the parent.com zone’s Replication scope is set to domain-wide. This is the middle button in the zone’s replication scope properties that says “All DNS Servers in the Domain”. This means it is only available to the parent.com’s DC/DNS servers, and not to any of the child domain’s DC/DNS servers. So if you were to set the child domain DCs to use themselves as DNS, they will not find their own zone.

To overcome that, as mentioned above, you have two basic parent-child design choices:

.

1. Centralized – No delegation

If you want the DCs in the parent and child domains to use themselves for DNS, and to keep things simple, you can change the parent.com zone's Replication scope to all DNS servers in the forest.

This way the zone will be available to all DC/DNS servers in the whole forest. The following link shows how to check and/or change replication scopes, that is if this is the desired design based on your company’s requirements.

How to change replication scopes:
http://technet.microsoft.com/en-us/library/cc784148.aspx

.

2. Decentralized – Parent-Child DNS Delegation

If you want the child domain's admins to have control of their own resources, including DNS for their own domain, you can delegate the child zone to the child domain's DC/DNS servers. To do this, first create a zone called child.parent.com on the child domain's DC/DNS servers. Then on the parent domain's DNS server, right-click parent.com, choose New Delegation, type in child (the single label, without quotes), and provide the names and IP addresses of the child domain's DC/DNS servers. Do not change the parent zone's Replication scope, assuming it is still set to the default domain-wide scope.

Then in the child domain’s DC/DNS servers, configure a forwarder to the parent domain’s DC/DNS servers. The following link has info for you to read up on concerning these steps.

How To Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain:
http://support.microsoft.com/kb/255248

.

Specific information regarding how to configure Child domain delegation and DNS configuration

Assuming you have the parent AD domain (the forest root) and its zone already created and functional, and you've already run dcpromo on a machine to make it a child domain DC:

  1. When you first run dcpromo to create the first child domain DC, have it use the forest root domain's DNS server to simplify things and get the ball rolling. This allows it to register into a subfolder (named after the child) under the parent zone.
  2. Make sure the parent DCs are using only their own DNS servers in their IP properties. If they show the local loopback, 127.0.0.1, which is what dcpromo puts there, change it to the actual IP addresses. Do the same with the child DCs for now, meaning they use the forest root domain DCs for DNS for the time being.
  3. Make sure the replication scope on the parent domain's zone (we'll call it domain.com) is set to domain-wide (the middle button). This puts it in the DomainDnsZones application partition of the parent domain. If it is set to forest-wide (the top button), it will cause a major issue with the delegation: in a parent-child delegation design you don't want the parent zone replicated forest-wide.
  4. Create a zone on the child domain DC/DNS server. For this example, we'll call it child.domain.com. Its replication scope should be domain-wide in the child domain, which again is the middle button and puts it into the child's DomainDnsZones application partition.
  5. Reverse zones: optional, but recommended. Create a reverse zone on the parent for each subnet in the parent domain's location, and set the replication scope to domain-wide (the middle button). DO NOT create a delegation for these zones.
  6. Create a reverse zone on the parent for the child domain's location, set the replication scope to domain-wide (the middle button), and create a delegation for this zone to the child.
  7. Make sure the zones all allow updates, whether Secure Only, or Secure and Nonsecure.

.

Follow the steps in the following article to create the delegation:

How To Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain:
http://support.microsoft.com/kb/255248

Make sure you configure a forwarder from the child DNS servers to the parent DNS servers, and then (optional, but recommended) a forwarder from the parent to your ISP's DNS.

Change the DNS IPs on the child DCs to use their own DC’s as their DNS servers.

Since there is more than one domain, it is HIGHLY recommended to have a minimum of two DCs in each domain. The reason is two-fold: redundancy, and the IM role conflict on a GC in a multi-domain forest. If you are going to have a GC in the child domain, especially if it is in a remote location, keep this required rule in mind: in each domain, make one of the DCs a GC and move the Infrastructure Master role from the GC to a non-GC. This is basic domain design and FSMO role placement, and follows from the way this specific role works, or rather doesn't work, when it sits on a GC.

Then again, it’s now recommended to just make all DCs in a forest a GC, no matter how the DNS resolving infrastructure is designed. This way it alleviates issues with the IM/GC conflict. Many large installations have been using  this design successfully without issues. Matter of fact, Exchange likes it.

Global Catalog vs. Infrastructure Master:
“If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs”
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx

.

.

Simple Step by Step to create a Parent-Child DNS Delegation:

If not sure about the above section, or you’ve found it too complicated to follow, try the following steps:

  1. Open DNS on one of the DCs in the forest root domain.
  2. Expand your domain.com zone
  3. Right click the domain name, choose New Delegation
  4. Type in the child domain's single label, such as "child1", not the FQDN (child1.domain.com).
  5. You will notice that the bottom part of the window now shows the FQDN based on the child name you typed.
  6. Click Next
  7. Now type in the names and IP addresses of two of the child domain's DNS servers as the name servers for the delegation.
  8. Click through until done.
  9. Make sure the child domain DCs and all machines in the child domain, are only using the DC/DNS servers in that child domain and no other domains.

Video tutorial to create a Parent-Child Delegation:
http://www.youtube.com/watch?v=CoIQ8agsTpk


.

Now create a conditional forwarder on the child domain's DNS servers pointing to the forest root domain's DNS servers.

Windows 2008: Create a Conditional Forwarder video:
http://www.youtube.com/watch?v=BVxqpuB9y7o 

Windows 2003: Create Conditional Forwarder video (skip to the 3:00 mark, where he shows how to create a conditional forwarder)
http://www.youtube.com/watch?v=w2a-0RPfKx4 
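As an added example (not part of the original post), this PowerShell does the same delegation and conditional forwarder with dnscmd, so the procedure can be scripted and repeated instead of clicked through (dnscmd ships with the Windows 2003 Support Tools and is inbox on 2008). The server names, zone names and IP addresses are assumptions.

```powershell
# Added example (not from the original post): parent-child delegation and
# conditional forwarder via dnscmd. Names, zones and IPs are assumptions.
$ParentDns  = 'dc1.domain.com'                      # a DC/DNS server in the forest root
$ParentZone = 'domain.com'
$Child      = 'child1'                              # single label, not the FQDN
$ChildZone  = "$Child.$ParentZone"
$ChildDns   = @{ 'dc1.child1.domain.com' = '10.0.2.10'
                 'dc2.child1.domain.com' = '10.0.2.11' }
$ParentIps  = @('10.0.1.10', '10.0.1.11')
$FirstChildDns = ($ChildDns.Keys | Sort-Object)[0]

function Invoke-Dnscmd([string]$Server, [string[]]$DnsArgs) {
  & dnscmd $Server @DnsArgs | Out-Null
  if ($LASTEXITCODE -ne 0) { throw "dnscmd $Server $DnsArgs failed ($LASTEXITCODE)" }
}

# 1. Child zone on one child DC, domain-wide scope (DomainDnsZones), secure
#    updates only (AllowUpdate 2); AD replication carries it to the other child DCs.
Invoke-Dnscmd $FirstChildDns @('/ZoneAdd', $ChildZone, '/DsPrimary', '/DP', '/domain')
Invoke-Dnscmd $FirstChildDns @('/Config', $ChildZone, '/AllowUpdate', '2')

# 2. On the parent: one NS record per child DNS server (this is what the
#    New Delegation wizard writes) plus a glue A record for each of them.
foreach ($Srv in $ChildDns.Keys) {
  Invoke-Dnscmd $ParentDns @('/RecordAdd', $ParentZone, $Child, 'NS', $Srv)
  $Label = $Srv.Substring(0, $Srv.Length - $ParentZone.Length - 1)   # e.g. dc1.child1
  Invoke-Dnscmd $ParentDns @('/RecordAdd', $ParentZone, $Label, 'A', $ChildDns[$Srv])
}

# 3. On each child DC: conditional forwarder for the parent zone
foreach ($Srv in $ChildDns.Keys) {
  Invoke-Dnscmd $Srv (@('/ZoneAdd', $ParentZone, '/Forwarder') + $ParentIps)
}

# 4. Check both directions: a child name via the parent (delegation) and a
#    parent name via the child (forwarder)
nslookup $FirstChildDns $ParentDns
nslookup $ParentDns $FirstChildDns
```

The glue A records in step 2 matter: without them a resolver that follows the NS records from the parent has no way to reach dc1.child1.domain.com, because that name lives inside the zone it is trying to reach.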

You're done!

.

.

Creating Search Suffixes

Keep in mind that with additional child domains or trees you may need to configure search suffixes in each child so that names in the other child domains resolve. This can be set using a GPO; the location is given below:

Using GPOs to configure DNS Search Suffixes

At this time Win2k3 DHCP cannot assign a DNS suffix search list. That said,
you can assign a connection specific DNS suffix (option 015), which is added
to the search list. But, you can assign only one DNS suffix per client.

There is a GPO that assigns a custom DNS suffix search list to XP and Win2k3 clients which can be assigned by Win2k DCs if you upgrade the GPOs using a Win2k3 or XP client.

If you have Windows 2000, this option does not exist in a GPO. You must upgrade to at least Windows 2003 to have this option.

Upgrading Windows 2000 Group Policy for Windows XP:
http://support.microsoft.com/KB/307900

After the GPOs have been upgraded, expand the Group policy to here to apply
the custom search list.
Computer Configuration
   -Administrative templates
         -Network
               -DNS Client

Manually adding suffixes

If you have one Suffix to add:

  • Go into NIC properties
  • IPv4 Properties
  • Advanced
  • DNS tab
  • In the box that says "DNS suffix for this connection:" type in the suffix
  • Click OK
  • No restart required

If you have more than one suffix to add:

  • Go into NIC properties
  • IPv4 Properties
  • Advanced
  • DNS tab
  • Click the radio button that says "Append these DNS suffixes (in order):"
  • Click Add and type in the suffix
  • Repeat Click Add for each one
  • Click OK
  • No restart required

 

Devolution

In some designs and scenarios you may want to turn off devolution (the "devolution" tickbox); have a look at this article:
http://www.insidetheregistry.com/regdatabase/viewvalue.asp?valueid=320

It refers to the registry key controlled by GPO – this will over-ride the standard internal registry setting at:
HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\UseDomainNameDevolution

You could also populate the registry key by script if you didn't want to pull in the extra ADMX GPO template; this forces the client to resolve hosts only in internal.domain.com, or whichever zones you list. For example:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SearchList"="domain1.com,domain2.com"

Or use the command:
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v SearchList /d "domain1.com,domain2.com" /f

The key thing to observe with manually creating a suffix lists, (from KB275553, link provided below), is that if you distribute a suffix list then it blocks devolution and use of primary or connection-specific suffixes… so write that list carefully!

How to configure a domain suffix search list on the Domain Name System clients
http://support.microsoft.com/?id=275553
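As an added example (not part of the original post), this PowerShell writes a SearchList the careful way the caveat above calls for: it puts the machine's own primary DNS suffix in front of the extra suffixes, since a distributed list replaces rather than adds to the suffixes the client would otherwise derive, and it warns when a Group Policy delivered list is present, because that policy value wins over the local one. The extra suffixes are assumptions.

```powershell
# Added example (not from the original post): build and write a SearchList
# that keeps the primary suffix, and detect a GPO list that would override
# it. The extra suffixes are assumptions.
$Extra     = @('child1.domain.com', 'child2.domain.com')
$TcpipKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function New-SearchList([string[]]$ExtraSuffixes) {
  # "Domain" under Tcpip\Parameters is this machine's primary DNS suffix
  $Primary = (Get-ItemProperty $TcpipKey).Domain
  $List = @()
  foreach ($S in (@($Primary) + $ExtraSuffixes)) {
    if ($S -and ($List -notcontains $S)) { $List += $S }   # de-dupe, keep order
  }
  return ($List -join ',')
}

$SearchList = New-SearchList $Extra
Set-ItemProperty -Path $TcpipKey -Name SearchList -Value $SearchList
Write-Host "SearchList set to: $SearchList"

# A GPO list (Computer Configuration > Administrative Templates > Network >
# DNS Client > DNS Suffix Search List) lands here and overrides the value above
$Policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
if ($Policy -and $Policy.SearchList) {
  Write-Warning "Group Policy supplies SearchList='$($Policy.SearchList)'; it overrides the local value."
}
ipconfig /all | Select-String 'Primary Dns Suffix|DNS Suffix Search List'
```

The ipconfig output at the end is the check: if the search list it prints does not start with the primary suffix, a policy or a DHCP option 015 value is contributing, and the list you just wrote is not the one in effect.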

Using DHCP Option 015 To Populate the Connection Specific Suffix (just for the interface that’s getting a DHCP IP address)

I would like to point out that DHCP 015 Option is the “Connection Specific Suffix.” This means that the connection that receives a DHCP config from DHCP, will get this suffix as the Search Suffix.

Just to illustrate what I mean, you can test it by setting a suffix in Option 015 that differs from the domain's zone name. If the AD domain's zone name is 'domain.com', the Primary DNS Suffix becomes 'domain.com' when you join the machine to the domain, and that primary suffix is also the machine's default search suffix. Now in DHCP Option 015, configure 'domain1.com' as the connection-specific suffix, and on the workstation run ipconfig /release and ipconfig /renew. You will now see the suffix you configured in Option 015 in addition to the machine's default.

So if you are trying to simply add one additional suffix, this will work for your DHCP clients. However, if you’re trying to add more than one additional suffix, and/or if you have numerous statically configured machines (such as servers), then a GPO will be the better alternative, which Tiger and JM already suggested.

 

More info on Search Suffixes:

How to configure a domain suffix search list on the Domain Name System clients (Windows 2000)
http://support.microsoft.com/kb/275553

New group policies for DNS in Windows Server 2003 (and newer)
http://support.microsoft.com/kb/294785

Manage DNS suffix configuration through Group Policy
http://blogs.techrepublic.com.com/datacenter/?p=266

Manually Configuring Query Settings in NIC properties (Search Suffixes)
http://technet.microsoft.com/en-us/library/cc959339.aspx


Configuring DNS to Create a New Tree in an Existing Forest

 

1. Create the zone for the new tree on the forest root's DNS server. Configure the zone's replication scope to Forest Wide.

2. Point DNS on the new machine, prior to promoting it, to the existing forest root DNS server on which you just created the zone in step 1.

3. Promote the machine, introducing a new tree.

4. After the machine has been promoted, and the necessary records have been created, install DNS on the new server.

5. Walk away for about 30 minutes and allow the zone to auto-populate through replication. DO NOT MANUALLY CREATE the zone or any other zone. It will do so automatically through AD replication.

Your next steps depend on your DNS design choice: whether you want to keep the zone replicated forest wide to all DCs in all domains, or only in the new tree's domain. The choice comes down to whether you have centralized or decentralized administration. See the above to help make your decision.

If you've chosen to keep the zone in the DomainDnsZones partition ("All DNS servers in the domain <New Tree's Domain.local>", the middle button), follow these steps:

6. Once it's replicated, open the DNS console on the new domain controller in the new tree. Right-click the zone name, select Properties, then change the Replication Scope of the tree's domain zone to "All DNS servers in the domain <newtreeName.local>" (the middle button). This puts it in the DomainDnsZones replication scope of the new tree's domain and removes it from the ForestDnsZones partition.

7. Once again, wait for about 30 minutes and allow replication to occur. You can test whether replication has completed by going back to the forest root's DNS server and refreshing the console. If the new tree's domain zone has disappeared, replication has completed. Go back to the new tree's DC's DNS console and hit the refresh button.

8. Go back to the forest root DNS server. You can now create the stub zone on the original forest root DNS pointing to it. Set the stub zone to DomainDnsZones.

9. Create a conditional forwarder from the new tree's DNS server to the forest root DNS server. You can also opt to create a stub zone (preferable) for the forest root zone and AD-integrate the stub zone in DomainDnsZones so it is available throughout the new tree's domain.

10. Make sure you add Search suffixes on each machine in the original forest root for the new tree, and vice-versa.

 

If you’ve chosen to keep the zone in the ForestDnsZones Partition choosing “All DNS servers in the Forest” (the top button), do the following:

Make sure you add Search suffixes on each machine in the original forest root for the new tree, and vice-versa.


Summary

There are a number of ways to design DNS in an infrastructure. Which is the best one? It all depends on your design specs, requirements, local legal regulations, or simply if you want a centralized or decentralized design.

 

Ace Fekay

All comments or corrections are welcomed.

Event ID 1054

Original publication: 8/12/2010
Edited: 8/30/2014

 

Prologue

Ace here again. This was an older blog that I’ve revamped. I’ve been going through my blogs to clean them up, syntax, accuracy, etc. If anyone sees any discrepancies, please let me know.

There are a number of reasons this event may occur, no matter which Source Name it's related to. One of the main reasons is that the address of the configured preferred DNS server is unreachable. One of the first things to do is check www.eventID.net's entry to see if it applies to your scenario:
http://eventid.net/display.asp?eventid=1054

Summary of possibilities:

1. Using a DNS address that doesn’t have the AD zone data. Make sure the only DNS addresses on the NIC are the internal DC/DNS servers. Remove the ISP’s or the router’s as a DNS address. They do not have AD’s zone data that is required for AD to function properly.

Active Directory’s Reliance on DNS, and why you should never use an ISP’s DNS address or your router as a DNS address
Published by acefekay on Aug 17, 2009 at 7:35 PM
http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx

2. Multihomed DCs. If the DC is multihomed, numerous issues can result, too long to list. See the following for more info:

Multihomed DCs with DNS, RRAS, and/or PPPoE adapters
Published by acefekay on Aug 17, 2009 at 9:29 PM
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

3. The AD DNS domain name is a single-label name. The name has no TLD, such as "domain" rather than domain.net, domain.local, etc. This can cause numerous problems, too lengthy to list. It also causes Windows XP SP3 and newer operating systems to fail to resolve DNS names properly. See the following link for more information.

Active Directory DNS Domain Name Single Label Names
Published by acefekay on Nov 12, 2009 at 6:25 PM
http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx

4. There are unknown LdapIpAddress entries. This is the “same as parent” name under the zone. There should only be one for each DC in the domain. If there are others, it will cause numerous issues with AD, GPOs, DFS, and other AD functions.

5. Multiple A records for the DC. Make sure there is only one IP address for each DC. If not, it falls under the multihomed DC issue in #2.

6. Multiple GcIpAddresses. Check the gc._msdcs.yourDomain.local record to make sure there is only one entry for each GC. If there are multiples for one GC, that will cause problems, and falls under the multihomed DC issue in #2.

7. Unknown NS names in the zone. Go into each zone's properties (yourDomain.local and _msdcs.yourDomain.local), Name Servers tab, and make sure only your DC/DNS servers show up. If there are others, please remove them. This tab indicates which servers are the NS and SOA for the zones, and if any unknown servers are listed, the client machine may try to query them during resolution and registration, which will cause problems.

8. AMD Opteron CPUs are known to cause issues. One poster in the Microsoft forums reported the EventID 1054 issue on a Dell T105 (circa 2010) with dual-core Opterons. It was found the AMD Opteron processor has a timing issue. From previous reports, Microsoft supposedly fixed it in Windows 2003 SP2, but something may have changed in recent AMD core releases causing it again. One key test is to ping the server's own IP. If you receive negative ping times, timing is skewed. A reboot fixes it for a while, but then it drifts and the EventID 1054 errors resume.

There are AMD processor patches that you can find at AMD’s website. Another workaround is to add the “/usepmtimer” switch to boot.ini. KB895980 provides more specifics about this issue.

Programs that use the QueryPerformanceCounter function may perform poorly in Windows Server 2000, in Windows Server 2003, and in Windows XP
http://support.microsoft.com/?id=895980

9. Make sure time is configured properly. This is one that many do not think about, and it can cause many issues which may or may not cause EventID 1054 errors, but it would not hurt to make sure the time service is operating properly. See the following link for more information:

Configuring the Windows Time Service for Windows Server
Published by acefekay on Sep 18, 2009 at 8:14 PM
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx

 

Steps to help narrow down this issue:

Let's start by using nslookup to see if you get the proper response when querying for LDAP SRV records.

1. Type nslookup, and then press ENTER.
2. Type set q=all, and then press ENTER.
3. Type _ldap._tcp.dc._msdcs.domain.com and then press ENTER.

You will be looking for the domain controllers to respond to this query. If they do not, then we need to look at your SRV records as well as whether any of the above summarized causes are contributing to the non-DC responses, such as using an ISP’s DNS, the router, multihomed DCs, single label name, etc.

More possible causes:

In addition, these errors may occur because link status fluctuates as the network adapter (also known as the network interface card, or NIC) driver initializes and as the network adapter hardware negotiates a link with the network infrastructure. The Group Policy application stack executes before the negotiation process is completed and can fail because of the absence of a valid link.

*

Possible Resolutions:

Resolution 1:

To resolve the problem related to link status fluctuation, use the steps in KB 239924, "How to disable Media Sensing for TCP/IP in Windows", at http://support.microsoft.com/?id=239924.

To prevent your network adapter from detecting the link state:

  1. Open Registry Editor (Regedt32.exe).
  2. Go to the following key in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
  3. Add the following registry value:
    Value Name: DisableDHCPMediaSense
    Data Type: REG_DWORD -Boolean
    Value Data Range: 0, 1 (False, True) Default: 0 (False)

Resolution 2:

Contact the vendor of the network card or visit their web site to obtain updated
drivers for the Gigabit NIC.

Examples of NICs known to exhibit this issue:
– Broadcom Gigabit Adapter
– Intel Gigabit Ethernet PRO Adapter, Intel Pro/1000
– Intel 82544EI-based XT Gigabit Adapter (82540EM chipset)
– Compaq/HP NIC dual interface 10/100/1000 doing teaming (HP NC7170)
– Dell Inspiron laptops using an on-board Broadcom BCM4401 NIC

Resolution 3:

A server may have a dual-port NIC or multiple NICs with one port or NIC set to Disabled. The disabled port or NIC should not be at the top of the binding order in the Network Advanced Settings.

  1. Click Start, point to Settings, and then click “Network and Dial-up
    Connection”.
  2. On the Advanced menu, click “Advanced Settings”.
  3. On the “Adapters and Bindings” tab, in the connections list, select the NIC that
    the clients use to connect to the server and move it to the top of the list.

Resolution 4:

Disabling spanning tree on the switches (Cisco Catalyst)

Note: STP = Spanning Tree Protocol. Turning off STP can cause issues in your network if a loop ever develops. If you are running a Cisco series switch or any other switch that runs Spanning Tree, it is best to leave spanning tree turned on, but enable PORTFAST on all ports except uplinks and fiber trunks (i.e., any port that isn't connected directly to a workstation or computer should not have it enabled; ports that do go directly to a workstation or computer should have it turned on). PORTFAST eliminates the 50-second waiting period that STP has, but allows you to keep the functionality of STP.
 

*

References:

326152 PRB: Cannot Connect to Domain Controller and Cannot Apply Group Policy
http://support.microsoft.com/kb/326152

298656 Event ID 1054 Is Logged in the Application Event Log
http://support.microsoft.com/kb/324174/en-us

239924 How to Disable Media Sense for TCP/IP in Windows
http://support.microsoft.com/kb/239924

*

Summary

I hope this helps to track down the cause of an Event ID 1054.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This blog is provided AS-IS with no warranties or guarantees and confers no rights.

DNS and Subnet Prioritization & DNS Round Robin

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Original Publication Date: 5/28/2010

Edited 6/4/2010 – Included information regarding Windows 2003 and newer: Subnet Prioritization only defaults to Class C subnets. If you have any subnets other than a Class C in the environment, Subnet Prioritization may not work as expected for this reason. I included a separate section explaining this in further detail, and how to set a DNS server to take this into account, which of course must be set on all DNS servers in the environment.
Edited 8/9/2010 – Added information about Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 and their differences from XP and 2000 regarding how they handle Subnet Prioritization, which they handle a bit differently, and how to make it work.

DNS and Subnet Prioritization & DNS Round Robin – Which One Supersedes?

This has been a question that arises from time to time. I thought to provide some information on how it works to understand what is at play with these two DNS features.

Preface on Subnet Prioritization and Round Robin:

Subnet prioritization works by default. No other action is required. If you have multiple identical A records, then Round Robin will supersede it.

If Round Robin is not needed, it can be disabled in order to take full advantage of Subnet Prioritization; otherwise, Round Robin will supersede.

In scenarios involving ISA Enterprise, because ISA Enterprise is AD-enabled, you can publish the ISA records in AD, and if AD Sites are configured, the client's site will be used first by the AD client-side extension, disregarding Round Robin and Subnet Prioritization, unless there are multiple records in each AD Site.

Some have asked whether an ISA Array will work. It is possible to configure an ISA Array with multiple ISA Enterprise servers which will share their web cache; however, this will not help Subnet Prioritization or Round Robin, since the Array is considered a single logical entity and published as such.

Nslookup is a good tool to test Round Robin, and will give you a general response purely based on DNS, but the results are as expected in a non-AD Site scenario, since it can’t test AD Sites responses.
 
You can also create an IE GPO for each Site. In the GPO, you would state the Proxy address for them to use.

Subnet Prioritization and Round Robin Logic:

Keep in mind, Subnet Prioritization and Round Robin work hand in hand; however, not necessarily so if an AD Site-aware service is querying (such as the client-side GetDcList function). If there is more than one record in the same subnet, Round Robin will kick in, which DNS performs.

If there is more than one record, DNS will reorder the response so that an IP in the same subnet as the client comes first.

However, if both Round Robin and Subnet Prioritization are enabled, Round Robin wins.

If you do not want this default action to occur, that is, you want to use Subnet Prioritization and AD Sites are not involved, you will need to disable Round Robin; otherwise, if both Round Robin and Subnet Prioritization are enabled, the server rotates among the A resource records. You may wish to check how it works if you disable Round Robin when you have multiple separate subnets and want a client to be answered with the address closest to its own subnet.

The following passage on the specific logic was quoted from:
Configuring Subnet Prioritization
http://technet.microsoft.com/en-us/library/cc961422.aspx
 
[Begin Quote]
============

  • If Enable round robin is selected (the default) and the value of LocalNetPriority is 1:
  • The server rotates among the A resource records that it returns in the order of their similarity to the IP address of the querying client.
  • If Enable round robin is deselected and the value of LocalNetPriority is 1:
  • The server returns the records in local net priority order. It does not rotate among available addresses.
  • If Enable round robin is selected and the value of LocalNetPriority is 0 (the default):
  • The server rotates among the available records in the order in which the records were added to the database.
  • If Enable round robin is deselected and the value of LocalNetPriority is 0 (the default):
  • The server returns the records in the order in which they were added to the database. The server does not attempt to sort them or rotate the records it returns.

============
[/End Quote]

Subnet Prioritization and Round Robin Example:

The following example was quoted from:
Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx

[Begin Quote]
===
For example, suppose there are three Web servers that all host the Web page for www.reskit.com and they are all located on different subnets. The DNS name server for the network contains the following resource records:

www.reskit.com.    IN    A    172.16.64.11
www.reskit.com.    IN    A    172.17.64.22
www.reskit.com.    IN    A    172.18.64.33

When a Windows XP Professional–based computer's DNS resolver (client) receives a response to the query for the A record of www.reskit.com, it returns A records in order, starting with the IP addresses from subnets to which the computer is directly connected.

For example, if a computer with the IP address 172.17.64.93 is queried for www.reskit.com, the resolver returns the resource records in the following order:

www.reskit.com.    IN    A    172.17.64.22
www.reskit.com.    IN    A    172.16.64.11
www.reskit.com.    IN    A    172.18.64.33

Subnet prioritization prevents the resolver from choosing the first IP address returned in the DNS query and using the DNS server's round robin feature (defined in RFC 1794). With round robin enabled, the server rotates the order of resource records returned when multiple A resource records exist for a queried DNS domain name.

Thus, in the example described earlier, if a user queried for www.reskit.com, the name server replies to the first client request by ordering the addresses as follows:

172.16.64.11
172.17.64.22
172.18.64.33

It replies to the second client request by ordering the addresses as follows:

172.17.64.22
172.18.64.33
172.16.64.11

It replies to the third client request by ordering the addresses as follows:

172.18.64.33
172.16.64.11
172.17.64.22

With round robin enabled, if clients are configured to use the first IP address in the list that they receive, different clients will use different IP addresses, thus balancing the load among multiple network resources with the same name. However, if the resolvers are configured for subnet prioritization, the resolvers reorder the list to favor IP addresses from networks to which they are directly connected, reducing the effectiveness of the round robin feature.

Although subnet prioritization does reduce network traffic across subnets, in some cases you might prefer to have the round robin feature work as described in RFC 1794. If so, you can disable the subnet prioritization feature on your clients by adding the registry entry PrioritizeRecordData with a value of 0 (REG_DWORD data type) in the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters

[…]
===========
[/End Quote]

 

Windows 2003 and Newer Operating Systems' Subnet Prioritization Feature Defaults to a Class C Subnet

Yep, that's correct! Keep in mind that Windows 2003 and newer will, by default, look for a Class C subnet when ordering responses. If the environment is anything other than a Class C, all DNS servers must be configured with the correct mask in use.

The process involves a little binary math. We need to define the host part of the mask, which is what netmask ordering uses for the subnet in the environment; otherwise DNS will not reorder the records correctly and the results will not be as expected when testing the feature.

This can be accomplished with the DNSCMD command.

For example, the DNSCMD command to set the default setting for a 255.255.255.0 subnet is:
Dnscmd /Config /LocalNetPriorityNetMask 0x000000FF

For anything other than a Class C, we need to alter the "/LocalNetPriorityNetMask" value to match the environment's subnet.

The last two characters in the value used for a Class C subnet ("0x000000FF") are "FF". This is the host bits portion of the mask (the opposite of what some may think when looking at a mask in binary), written in hex. Hex FF converted to binary is 1111 1111, that is, all eight host bits set.

Taking that into account, we can view a simple table with the base Class subnets:

For the base classes, the values are:

Netmask          LocalPriorityNet
255.255.255.0    0x000000ff
255.255.0.0      0x0000ffff
255.0.0.0        0x00ffffff

To set it for something other than the default classes, such as for example a /22 (255.255.252.0 or 11111111.11111111.11111100.00000000), we see there are 10 bits for the hosts. Now change only the 0’s to 1’s and you get 1111111111. Convert that to hex, and you get 3FF. Therefore the command will be:
Dnscmd /Config /LocalNetPriorityNetMask 0x000003FF

Another example, if you have a /27 (255.255.255.224 or 11111111.11111111.11111111.11100000), convert the 0’s to 1’s –> 11111, convert that as a binary number to Hex, and we get 1F, therefore the command will be:
Dnscmd /Config /LocalNetPriorityNetMask 0x0000001F

Keep in mind, whatever the setting is, it MUST be set on ALL DNS servers in the environment.

Table: NetMasks broken down by CIDR to the necessary LocalPriorityNet Value
Note: Of course, some of the values can't be used in practice, but I created the table to show all possible binary values.

NetMask            Binary                               CIDR  Comments                LocalPriorityNet Value

255.255.255.255    11111111.11111111.11111111.11111111  /32   Host (single addr)      0x00000000
255.255.255.254    11111111.11111111.11111111.11111110  /31   Unusable                0x00000001
255.255.255.252    11111111.11111111.11111111.11111100  /30   2 usable                0x00000003
255.255.255.248    11111111.11111111.11111111.11111000  /29   6 usable                0x00000007
255.255.255.240    11111111.11111111.11111111.11110000  /28   14 usable               0x0000000F
255.255.255.224    11111111.11111111.11111111.11100000  /27   30 usable               0x0000001F
255.255.255.192    11111111.11111111.11111111.11000000  /26   62 usable               0x0000003F
255.255.255.128    11111111.11111111.11111111.10000000  /25   126 usable              0x0000007F
255.255.255.0      11111111.11111111.11111111.00000000  /24   "Class C", 254 usable   0x000000FF

255.255.254.0      11111111.11111111.11111110.00000000  /23   2 Class C's             0x000001FF
255.255.252.0      11111111.11111111.11111100.00000000  /22   4 Class C's             0x000003FF
255.255.248.0      11111111.11111111.11111000.00000000  /21   8 Class C's             0x000007FF
255.255.240.0      11111111.11111111.11110000.00000000  /20   16 Class C's            0x00000FFF
255.255.224.0      11111111.11111111.11100000.00000000  /19   32 Class C's            0x00001FFF
255.255.192.0      11111111.11111111.11000000.00000000  /18   64 Class C's            0x00003FFF
255.255.128.0      11111111.11111111.10000000.00000000  /17   128 Class C's           0x00007FFF
255.255.0.0        11111111.11111111.00000000.00000000  /16   "Class B"               0x0000FFFF

255.254.0.0        11111111.11111110.00000000.00000000  /15   2 Class B's             0x0001FFFF
255.252.0.0        11111111.11111100.00000000.00000000  /14   4 Class B's             0x0003FFFF
255.248.0.0        11111111.11111000.00000000.00000000  /13   8 Class B's             0x0007FFFF
255.240.0.0        11111111.11110000.00000000.00000000  /12   16 Class B's            0x000FFFFF
255.224.0.0        11111111.11100000.00000000.00000000  /11   32 Class B's            0x001FFFFF
255.192.0.0        11111111.11000000.00000000.00000000  /10   64 Class B's            0x003FFFFF
255.128.0.0        11111111.10000000.00000000.00000000  /9    128 Class B's           0x007FFFFF
255.0.0.0          11111111.00000000.00000000.00000000  /8    "Class A"               0x00FFFFFF

254.0.0.0          11111110.00000000.00000000.00000000  /7                            0x01FFFFFF
252.0.0.0          11111100.00000000.00000000.00000000  /6                            0x03FFFFFF
248.0.0.0          11111000.00000000.00000000.00000000  /5                            0x07FFFFFF
240.0.0.0          11110000.00000000.00000000.00000000  /4                            0x0FFFFFFF
224.0.0.0          11100000.00000000.00000000.00000000  /3                            0x1FFFFFFF
192.0.0.0          11000000.00000000.00000000.00000000  /2                            0x3FFFFFFF
128.0.0.0          10000000.00000000.00000000.00000000  /1                            0x7FFFFFFF
0.0.0.0            00000000.00000000.00000000.00000000  /0    IP subnet definition    0xFFFFFFFF

You can use the command Dnscmd /Config /LocalNetPriorityNetMask 0x000000FF to restore the Windows Server 2003 default setting.
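The netmask arithmetic above and the four ordering rules quoted from TechNet earlier in this post, worked through in an added Python example (this is not the blog's or Microsoft's code; the sample records are the quoted www.reskit.com ones, and the combined round-robin-plus-LocalNetPriority case is assumed to behave as "sort by locality, then rotate"):

```python
"""Subnet prioritization vs. round robin, modelled in Python.

Added example, not code from the blog or from Microsoft. It (1) computes the
dnscmd /Config /LocalNetPriorityNetMask value for any netmask or prefix, and
(2) models how the server orders A records under the four Round Robin /
LocalNetPriority combinations quoted from TechNet. Assumption: when both are
enabled, the server is modelled as "sort by locality, then rotate", which is
one reading of "rotates ... in the order of their similarity".
"""
import ipaddress

# Constructed sample data, taken from the quoted www.reskit.com example.
RECORDS = ["172.16.64.11", "172.17.64.22", "172.18.64.33"]   # database order
CLIENT = "172.17.64.93"


def local_net_priority_netmask(mask: str) -> str:
    """Return the dnscmd LocalNetPriorityNetMask value for a dotted mask or prefix.

    Accepts "255.255.252.0", "/22" or "22". The value is the *host* part of
    the mask (the bits that are 0 in the netmask), written as 8 hex digits:
    /24 -> 0x000000FF, /22 -> 0x000003FF, /27 -> 0x0000001F.
    """
    net = ipaddress.IPv4Network(f"0.0.0.0/{mask.lstrip('/')}")
    return f"0x{int(net.hostmask):08X}"


def same_local_net(client_ip: str, record_ip: str, netmask_value: str) -> bool:
    """True when the two addresses agree on every bit outside the host part."""
    host_bits = int(netmask_value, 16)
    network_bits = 0xFFFFFFFF & ~host_bits
    diff = int(ipaddress.IPv4Address(client_ip)) ^ int(ipaddress.IPv4Address(record_ip))
    return diff & network_bits == 0


def local_net_priority_order(records, client_ip, netmask_value="0x000000FF"):
    """LocalNetPriority=1: records on the client's local net first, database order otherwise."""
    # sorted() is stable, so ties keep their database order.
    return sorted(records, key=lambda ip: not same_local_net(client_ip, ip, netmask_value))


def round_robin(records, request_number):
    """Enable round robin: rotate one position per request (request 1 is unrotated)."""
    shift = (request_number - 1) % len(records)
    return list(records[shift:]) + list(records[:shift])


def dns_response(records, client_ip, *, enable_round_robin, local_net_priority,
                 netmask_value="0x000000FF", request_number=1):
    """Order A records per the four TechNet rules quoted in the post."""
    ordered = list(records)                       # database order
    if local_net_priority:
        ordered = local_net_priority_order(ordered, client_ip, netmask_value)
    if enable_round_robin:
        # Assumption: rotation is applied after locality ordering, so with both
        # enabled the rotation "wins" and the local record is not always first.
        ordered = round_robin(ordered, request_number)
    return ordered


if __name__ == "__main__":
    for mask in ("255.255.255.0", "/22", "/27", "255.255.0.0"):
        print(f"{mask:>15} -> Dnscmd /Config /LocalNetPriorityNetMask "
              f"{local_net_priority_netmask(mask)}")
    for n in (1, 2, 3):
        print("round robin, request", n, round_robin(RECORDS, n))
    print("local net priority only:", dns_response(RECORDS, CLIENT,
          enable_round_robin=False, local_net_priority=True))
    # Why the mask value matters: a client in a /22 site judged with the
    # default (Class C) value is NOT seen as local to a server two /24s away.
    client_b = "172.17.66.5"
    for value in ("0x000000FF", "0x000003FF"):
        print(value, same_local_net(client_b, "172.17.64.22", value))
```

Run it once with the default 0x000000FF and once with 0x000003FF to see the /22 client flip from "not local" to "local", which is exactly the mismatch the section above warns about.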

More info on this value and setting:

Description of the netmask ordering feature and the round robin feature in Windows Server 2003 DNS
http://support.microsoft.com/kb/842197

 

Windows Vista, Windows 7 and Windows 2008 Behave Differently Compared to Older Operating Systems

Windows Vista, Windows 7 and Windows 2008 behave a bit differently than XP or 2000. Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 change the way Subnet Prioritization is handled. Here's more info; keep in mind it doesn't mention Windows 7 or Windows 2008 R2 directly, unless Microsoft updates the KB, but it applies to Windows 7, Windows 2008 R2 and future operating systems:

Windows Vista and Windows Server 2008 DNS clients do not honor DNS round robin by default
http://support.microsoft.com/kb/968920

Check the following registry entry. This value, when set to 1, disables netmask ordering on the client:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DWORD = OverrideDefaultAddressSelection
Value data: = 1

DNS Round Robin and Destination IP address selection (talks about differences with Vista and 2008 non R2)
http://blogs.technet.com/b/networking/archive/2009/04/17/dns-round-robin-and-destination-ip-address-selection.aspx

However, AD Sites should prevail in an AD environment. An AD client’s GetDcList functions will use Sites to determine which DC or GC to communicate with.

Therefore, basically:

Set the registry entry to 0 and the newer operating systems will behave like the older operating systems. If you leave the entry blank, such as the default with no entry, it results in the same effect as an entry equal to 1, that means no subnet mask preference.

To see the subnet mask ordering work on a Windows 7 client, you need to set up the following entry :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters 
DWORD = OverrideDefaultAddressSelection 
Value data: = 0

Summary:

If Active Directory Sites Are Involved with AD Aware Services:

AD Sites provide two basic things: logon and authentication control, to limit the auth request to only a GC/DC in the client's own site, and replication traffic control between Sites. Replication is compressed in site-to-site communications, which is good for the WAN link. AD-enabled apps also use AD Sites.

You would first create a new Site, giving it a unique Site Name. Then create an IP Subnet Object that represents the subnet or subnets of the location (you may and can create multiple IP Subnet Objects if needed), then associate the IP Subnet to the Site Name.

In the Site Link, you will notice the default replication period is 3 hours. You can chop that down to as low as 15 minutes. You can't go lower, because that is the max time allotted for all DCs within a site to be able to replicate changes between each other. If DCs are added, the KCC jumps in and re-evaluates the intra-site connection objects between DCs to optimize and keep within the 15-minute allotment.

A standalone server would rely simply on DNS' ability to provide responses either as subnet prioritized or as Round Robin.

However, with AD Sites, this works for AD-enabled services and entities (such as Exchange, client machines, etc.), so AD-aware apps and services add an extra twist that can be used to your advantage. That was why I was asking if you are using ISA. ISA can be published into AD, and set by GPO. This way a client in SiteA will always use the ISA in SiteA.

However, if standalone servers are in use, you can disable Round Robin.

 

References

Optimizing DNS – This article shows a brief description of and numerous How-To’s regarding DNS parameter configuration settings and how to change them.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, as well as Windows 2008 and Windows 2008 R2.
http://technet.microsoft.com/en-us/library/cc757837(WS.10).aspx

Ace Fekay

Should I Disable IPv6? No…

12/11/2014 – Ace here again. I’ve revamped this blog bringing it up to date, but you know what, there was nothing really to change, because guess what? It’s not recommended to disable IPv6. Period.

I hope you find this helpful.

Preface

This topic has been discussed numerous times. Previously in this article I wrote:

There are known issues regarding IPv6 affecting communications in certain scenarios, such as errors when using Outlook Anywhere, for example when fixing an Exchange 2007 server running on Windows 2008 where there is a DC NSPI port 6004 communication issue.

Read the link in the “Related Links” section below for more information on this issue. Therefore, to eliminate communications issues regarding whether this is a factor or not, it is recommended to disable IPv6 in registry on the Exchange server, as well as on the domain controllers, or any server for that matter, especially if there are no plans in using IPv6. For the same reasons, it is also recommended to disable the RSS TCP Chimney Offload feature on the same servers.

IPv6 provides a robust means of IP addressing that carries additional information in the IP address. However, if the current network does not have the necessary supporting hardware, such as a router, and IPv6 is not currently in use, some say it's additional overhead on the machine, which many have claimed, including myself in the past, as a reason to recommend disabling it. There is also an incompatibility with using IPv6 with UNC paths, such as mapping a drive using an IPv6 address, but I don't think that's relevant to the context of this article.

However, things have changed

The only time to disable IPv6 is with the above scenario using Exchange 2007 on a Windows 2008 server. At no other time should you disable IPv6. It must be kept enabled, or it will break many features in Windows. Read the next section…

 

Should I Disable IPv6? Nope


When I originally wrote this article, my original recommendations to disable IPv6 were based on a problem I found back in 2008 with an Exchange 2007 installation on Windows 2008 and DSAccess communications to a Windows 2008 DC/GC. I couldn’t figure out what was causing it. I finally called Microsoft PSS. After some digging around, the support engineer recommended disabling IPv6, which he said was causing the issue. It actually fixed the communications problem. He referenced an article explaining the issue:

The installation of the Exchange Server 2007 Hub Transport role may be unsuccessful on a Windows Server 2008-based computer
http://support.microsoft.com/?kbid=952842

However, that article has been retired and is no longer available. Microsoft is now recommending to keep IPv6 enabled. You can read more about it in this article, which I highly suggest reading:

The Cable Guy – Support for IPv6 in Windows Server 2008 R2 and Windows 7, by Joseph Davies, Microsoft, Inc.
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Basically, Joseph Davies in the above article, said (quoted directly from the article):

The Argument against Disabling IPv6

It is unfortunate that some organizations disable IPv6 on their computers running Windows Vista or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6 based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.

From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.

Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.


Ipconfig /all shows IPv6 “::1” Loopback address as the First DNS Entry

In some cases there may be issues with IPv6 because it is the default protocol. When you run ipconfig /all, you may find the IPv6 loopback address “::1” listed as a DNS server. Because it is at the top of the DNS server list, some say it slows resolution because the resolver tries the IPv6 address first before falling back to the IPv4 address.

Who cares. Leave it alone. What harm is it doing? Just because it doesn’t look right?

Well, if you really want to remove the ::1, you can, although to me, it’s really a cosmetic thing when running nslookup. If it will make you feel warm and fuzzy not to see it, and rather see the IPv4 address, you can remove it using the following steps.


You can delete the “::1” IPv6 loopback address by the following method.

Run an ipconfig /all. Determine the “Local Area Connection” name. In the example below, I used “Local Area Connection” for the interface name:

netsh interface ipv6 delete dnsserver “Local Area Connection” ::1

You can add it back in, if you like: 

netsh interface ipv6 add dnsserver “Local Area Connection” ::1


For more info on the netsh command reference for Windows 2008 & 2008 R2, see the following. For command info on IPv6, click on “Netsh Commands for Interface IPv4 and IPv6,” then click on “Netsh commands for Interface IPv6”:

Netsh Command Reference
(Comprehensive Command Reference) – Updated: July 2, 2009 – Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
http://technet.microsoft.com/en-us/library/cc754516(WS.10).aspx


Originally, I illustrated in this blog how to do it in the following fashion, from a previous post (provided below); however, this appears not to work for some. I suggest running the method above.

You can eliminate that from showing up on that specific interface. One way to do that is to find the IDX# of the interface by running:

netsh interface ipv6 show interfaces

Once you’ve identified the IDX# for that interface, you can delete it on that specific interface by running:

netsh interface ipv6 delete dnsserver name=”IDX#” address=::1

You’ll find resolution will be quicker, as well as not getting that familiar nslookup initialization error message saying it “can’t find server…”

Originally posted in:

Windows 2008 R2 with AD integrated DNS
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/29b204fd-fabc-4715-9891-95eb86bd1d32/?prof=required


Windows 2008 R2, and Windows 7 will use IPv6 as the first preferred protocol.

In my opinion, if you just leave things as default, things will work fine.

However, for whatever reason you want to alter these settings, whether real or imagined, that is your choice.

That disclaimer out of the way, if you still need to force the TCP stack to use IPv4 first instead of IPv6, you can do so in the registry. The following procedure in this section was quoted from the following Microsoft KB article:

How to disable IP version 6 (IPv6) or its specific components in Windows 7, in Windows Vista, in Windows Server 2008 R2, and in Windows Server 2008
http://support.microsoft.com/kb/929852


To force the system to use IPv4 first, before IPv6

The key you are looking for is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents. If it doesn’t exist, you have to create it.

Or if you do not want to do this manual procedure, you can now use the Microsoft “Mr Fix It” script to automatically do it for you. The scripts are in the KB929852 article above.

  1. In Registry Editor, locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
  2. Double-click DisabledComponents to modify the DisabledComponents entry.
    Note: If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:
    1. In the Edit menu, point to New, and then click DWORD (32-bit) Value.
    2. Type DisabledComponents, and then press ENTER.
    3. Double-click DisabledComponents.
  3. Type 0x20 to prefer IPv4 over IPv6 by modifying entries in the prefix policy table.


Again, do not disable IPv6

However, if you still need to disable IPv6, the following steps show how to disable IPv6 on Windows 2008 (non-SBS 2008), Vista or Windows 7.

Note: You can now use the Microsoft “Mr Fix It” script to automatically disable it, see:

How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008
http://support.microsoft.com/kb/929852

You can also do it manually: The following steps are from:

How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008
http://support.microsoft.com/kb/929852

The installation of the Exchange Server 2007 Hub Transport role is unsuccessful on a Windows Server 2008-based computer
(This article is no longer available. It originally recommended disabling IPv6 to overcome DSAccess NSPI to GC communication issues with Exchange 2007 installed on Windows 2008 (not 2008 R2).)
http://support.microsoft.com/?id=952842

Paul Berg also has a good article on disabling IPv6, too:
Disabling IPv6 on Windows 2008 or Vista
http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx

 

  1. Uncheck IPv6 in NIC properties.
  2. Uncheck the two Link-Layer Topology Discovery components.
  3. Then navigate to:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
    • In the details pane, click New, and then click DWORD (32-bit) Value.
    • Type in DisabledComponents, and then press ENTER.
    • Double-click DisabledComponents.
    • Type 0xffffffff in Hexadecimal.
    • It should look like this if you’ve entered it correctly:
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
      • “DisabledComponents”=dword:ffffffff


Or more specifically, and with a complete list of values this key supports:

 

In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

  1. Double-click DisabledComponents to modify the DisabledComponents entry.

    Note: If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:

    1. In the Edit menu, point to New, and then click DWORD (32-bit) Value.
    2. Type DisabledComponents, and then press ENTER.
    3. Double-click DisabledComponents.
  2. Type any one of the following values in the Value data: field to configure the IPv6 protocol to the desired state, and then click OK:
    1. Type 0 to enable all IPv6 components. (Windows default setting)
    2. Type 0xffffffff to disable all IPv6 components, except the IPv6 loopback interface.
    3. Type 0x20 to prefer IPv4 over IPv6 by modifying entries in the prefix policy table.
    4. Type 0x10 to disable IPv6 on all nontunnel interfaces (on both LAN and Point-to-Point Protocol [PPP] interfaces).
    5. Type 0x01 to disable IPv6 on all tunnel interfaces. These include Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo.
    6. Type 0x11 to disable all IPv6 interfaces except for the IPv6 loopback interface.
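Before changing DisabledComponents on a server, it is worth knowing what the value already there means. The following is an added example in Python, not from the article or from KB929852, that reads the DWORD from the registry and decodes it using only the bit values listed above; any other bit is reported as undocumented rather than interpreted. It assumes Python is installed on the Windows host, that write_value() is run from an elevated prompt, and that the machine is rebooted afterwards for the change to take effect. One caveat from later revisions of KB929852: the value documented for “disable all components except loopback” was changed to 0xFF, because 0xFFFFFFFF adds a delay at boot.

```python
"""Read and decode the Tcpip6 DisabledComponents value (added example,
not from the article or KB929852). Only the bits the article lists are
decoded; anything else is reported as undocumented rather than guessed."""
import sys

REG_PATH = r"SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
VALUE_NAME = "DisabledComponents"

# Bit meanings as listed above (from KB929852).
BITS = {
    0x01: "IPv6 disabled on all tunnel interfaces (ISATAP, 6to4, Teredo)",
    0x10: "IPv6 disabled on all non-tunnel (LAN and PPP) interfaces",
    0x20: "IPv4 preferred over IPv6 in the prefix policy table",
}
KNOWN_MASK = sum(BITS)          # 0x31: the bits this decoder understands
ALL_EXCEPT_LOOPBACK = 0xFFFFFFFF


def describe(value: int) -> list:
    """Plain-language meaning of a DisabledComponents DWORD."""
    value &= 0xFFFFFFFF
    if value == 0:
        return ["all IPv6 components enabled (Windows default)"]
    if value == ALL_EXCEPT_LOOPBACK:
        return ["all IPv6 components disabled except the loopback interface"]
    meaning = [text for bit, text in BITS.items() if value & bit]
    extra = value & ~KNOWN_MASK  # bits the article does not document
    if extra:
        meaning.append(f"undocumented bits set: 0x{extra:x}")
    return meaning


def prefer_ipv4(value: int) -> int:
    """Turn on only the 0x20 bit, leaving whatever else is set alone."""
    return (value & 0xFFFFFFFF) | 0x20


def read_current():
    """Current DWORD on a Windows host; None if the value is absent
    (which means the default, 0) or when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
            data, kind = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return None
    return data if kind == winreg.REG_DWORD else None


def write_value(value: int) -> None:
    """Write the DWORD (Windows only, elevated prompt, reboot to apply)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH, 0,
                        winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD,
                          value & 0xFFFFFFFF)


if __name__ == "__main__":
    current = read_current()
    print("DisabledComponents:", "not set" if current is None else hex(current))
    for line in describe(current or 0):
        print(" -", line)
    # Uncomment on the server, from an elevated prompt, to prefer IPv4:
    # write_value(prefer_ipv4(current or 0))
```

Run it as a script to see what the host is configured for; the decode function is separate from the registry access so it can be used to sanity-check a value before it is pushed out by Group Policy or a script.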


Disabling IPv6 on SBS 2008 & 2011

Don’t do it. But if you must, to disable IPv6 on SBS 2008 is slightly different.

Read the reasons why, and the instructions in the following link, but as noted above, it’s no longer recommended to disable IPv6.

Issues After Disabling IPv6 on Your NIC on SBS 2008
http://blogs.technet.com/sbs/archive/2008/10/24/issues-after-disabling-ipv6-on-your-nic-on-sbs-2008.aspx


Related Links

TCP Chimney and RSS Features May Cause Slow File Transfers or Cause Connectivity Problems:
http://msmvps.com/blogs/acefekay/archive/2009/08/20/tcp-chimney-and-rss-features-may-cause-slow-file-transfers-or-cause-connectivity-problems.aspx


==================================================================

Summary

I hope this helps!

Original Publication Date: 11/1/2011
Updated 12/11/2014

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services


Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

How to Subnet

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Original publication: 3/2002, Updated 5/2010

=======================================================================

Subnetting

Background – Why I Published This Blog

There are many tutorials on the internet providing subnetting guidelines. I tried to provide a simple, 15 minute tutorial that I use teaching a class on how to subnet. At the requests of some of my students, I created a blog with the steps involved. This is a simple tutorial providing a quick and easy way to understand how to subnet.

 

What is subnetting?

Subnetting is the process of dividing a network ID into smaller networks, each sized to the number of IP addresses a particular network solution needs.

In the early 1990s it was realized that the number of public IPs in the 32-bit address space was finite and dwindling as companies snatched them up. Some companies have huge blocks (Class A or /8 ranges) that provide over 16 million IP addresses. That was wasteful, especially if a company doesn’t need that many. Private IP addressing wasn’t as prevalent as it is today. Public IPs were used, but because the number of public IPs was finite, we had to find a way to break down a range in order to offer less than a whole range for what a customer may need. Why give them 254 IP addresses when they need, say, 20? That was wasteful as well.

In February 1996, RFC 1918 was introduced to address this wastefulness and provide a means to number a private network using a private IP range instead of consuming public IPs.

RFC1918 – Address Allocation for Private Internets
http://www.faqs.org/rfcs/rfc1918.html

RFC 1918 is in wide use today. It’s so widely used that even with the advent of IPv6, which provides exponentially more public addresses, IPv6 has not been widely adopted, because the private ranges provide more than enough for an internal network. There are numerous advantages to IPv6 besides the far larger address space, such as routing information carried in the address itself, but as mentioned, it has not been widely adopted as of the date of this publication.

Quick overview:

When I worked for a VAR (Value Added Reseller) in the mid 1990’s, I learned how to subnet with the method below from a tech who worked at UUNet. UUNet at that time was our primary go-to company for reselling an Internet solution to our customers. Since we were VARs, we offered a complete soup-to-nuts solution for our customers selling the Pick MDBMS solution. Pick Systems is no longer around, and other companies now sell and support the basic Pick solution. The point is, at that time, only public IP addresses were offered for internal use. Therefore we needed to make sure we didn’t give out more than was necessary, in order not to waste the dwindling number of IPs on the internet. Once we had come up with an MDBMS solution for the customer, we then addressed their internet requirements. Once a solution was in place, we needed to figure out how many hosts (computers, servers, the internal router address, etc.) would be connected to the internet or their internal network. Once we had the total, we figured out what subnet mask was required to support that number of hosts on the internal network.

Quick Example: Customer needs only 20 IP addresses

Let’s start off with a quick example before getting into how to break it down. For example, if you have a customer that needs 20 IP addresses, you only really want to give them 20 IP addresses and no more.

Doing this requires a basic understanding of the process. If you give an IP address a 255.255.255.0 subnet mask, you are telling the computer that its IP address is one of 254 usable addresses on that network. Why? Because the “.0” at the end of the mask is the host portion: the zero bits determine how many hosts the mask supports, and eight of them give 256 addresses, 254 of which are usable. The “255” portion of the mask is the network portion. If you break a mask of 255.255.255.0 down into its bits, it looks like this:

11111111.11111111.11111111.00000000

There are eight zeros to the right of the 1’s. If you take 2^8 (2x2x2x2x2x2x2x2), it equals 256. That’s how many IPs it will handle. The more zeros, the more IPs it will handle; the fewer zeros, the fewer IPs. Conversely, the more “1’s” in the mask, the more networks, and the fewer “1’s” in the mask, the fewer networks.

You can look at it as using a slide rule. If you put the focus on the slide in between the zero and the one, you can move it left to right. If you move the ruler to the right, it gives you more networks, but less IPs, and move it to the left, it gives you more IPs but less networks.

So the case in point, if the customer only needs 20 IPs, we don’t need a mask with eight “0’s” in it. We need less.

How many fewer? Good question. Convert the number 20 into binary: you get 10100. You aren’t really concerned with the value itself, but with the number of digits in the binary answer, which is 5. That is how many “0’s” you need on the right side of the mask to support the customer’s 20 IP addresses. Will it support more? Yes: five “0’s” give 32 addresses (30 usable). Four “0’s” would give only 16 addresses (14 usable), which isn’t enough.

 

Scenario: A customer needs 50 IP Addresses

put 50 into the calc and find out it’s binary equivalent.

50 is equal to 110010
All we really need of this answer is the # of bits
which in this case, it’s  6 bits

So now we can put together a mask
Remember that the network bits are on the left and the host bits are to the right.

So we’ll take the 6 bits, since they represent the hosts, and put them to the right.
 
For the remainder of the byte (or the octet), we’ll buffer it with 1’s to the left.

Which comes out to be in this case:
11000000

We’ll now convert 11000000 to decimal (calculator or manual, whatever you prefer):

11000000 = 192

So now we have a working mask:
255.255.255.11000000

Which is equal to:
255.255.255.192

Now we need to determine the IP ranges.

We’ll go back to the mask:
11000000

Now we need to find the Delta.

To do that we’ll look at the binary column of the first significant bit (1)
to the left of the zeros. Which in our mask, it winds up being in the 64 column.

128 64 32 16 8  4  2  1
——————————–
  1    1   0   0   0  0  0  0
 
The second bit above is the first significant bit (a “1”) to the left of the zeroes. It’s in the 64 column.
 
So we now have our Delta, which is equal to 64.

Then we’ll map out a series using the Delta, starting with 0.

0
64
128
192

We’ll now determine an IP range that is not being used, and apply that IP range to this map.

From inventory, we look for a range that has not yet been assigned to a customer. We found this one to assign to this customer:
142.155.53.0

Applying the IP range to the series, we find that we now have 4 IP subnets. Notice that 64 and each subsequent multiple is actually the starting point of the next range, so the last IP address of each range is the next multiple of the Delta minus 1. The first range is 0 to 63, the second range is 64 to 127, etc. They are laid out below. You can do this with ANY range; it doesn’t matter what range you use.

142.155.53.0  to  142.155.53.63
142.155.53.64 to 142.155.53.127
142.155.53.128 to 142.155.53.191
142.155.53.192 to 142.155.53.255

So now we choose one of the ranges to give to our customers.
We’ll choose the first range:
142.155.53.0  to  142.155.53.63

And we’ll tell our customers that their actual usable IP range will be from:

142.155.53.1 to 142.155.53.62,

which winds up being 62 IP addresses. Always keep in mind, the router needs an IP, after all, how would they get off the network if they didn’t have a router?

Will this take care of the customer’s requirements?
Yes, with plenty of leftover.
Now, just to test whether a machine on one range can communicate with a machine on another, we’ll use the “ANDing” process.

We’ll choose a source host of 142.155.53.12 to communicate to 142.155.53.90 on these two networks..
 
We’ll “AND” the source IP and the source mask of 255.255.255.192 then we’ll
compare the result to the “ANDING” of the destination IP and source mask

10001110.10011011.00110101.00001100 Source 142.155.53.12
11111111.11111111.11111111.11000000 Source MASK
___________________________________
10001110.10011011.00110101.00000000 = Result of Anding the above two.

10001110.10011011.00110101.01011010 Destination 142.155.53.90
11111111.11111111.11111111.11000000 Source Mask
___________________________________
10001110.10011011.00110101.01000000 = Results of Anding the above two.
 
Are the results equal???
No, they are not, so therefore, we can state in order for the source machine IP to communicate with the destination IP in this case, we need a router between them.
 
 

Determine the # of Networks Required in a Scenario

The above was done based on the number of IPs the customer needed. Now let’s turn it around with a different scenario and determine the number of networks required.

If a customer has 800 machines per location, has about 30 locations, and will be adding about 20 more locations in the next year or so, what IP range can I give them and what mask will handle this? Also state how many IP addresses this mask will handle.

In this case, the number of networks (locations) is important and will be the basis of this problem.

Now add 20 + 30 = 50 networks.

We’ll take the 50 and convert it to binary:
110010

Convert this to all 1’s = 111111
this is the # of network bits, so we’ll need to put this on the left in the
mask:

11111111.11111111.11111111.11111100

This will not work because the two “0’s” cannot handle 800 hosts.

So we’ll move the mask in by one octet into the third octet so it becomes a class B mask.
11111111.11111111.11111100.00000000

Which equals to:
255.255.252.0

Now we will select an IP range out of inventory, 131.107.0.0, and break it down into its corresponding subnets:

131.107.0.0 to 131.107.3.255
131.107.4.0 to 131.107.7.255
131.107.8.0 to 131.107.11.255
131.107.12.0 to 131.107.15.255
131.107.16.0 to 131.107.19.255
131.107.20.0 to 131.107.23.255
131.107.24.0 to 131.107.27.255
ETC, up to 64 ranges

In this list, the total number of IPs per range = 10 bits, which is 1024 IPs (1022 usable).
And the total number of networks = 6 bits, which is 64 subnets.
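The arithmetic that both scenarios above walk through by hand (sizing a mask from a host count, then sizing it from a network count) is easy to get wrong at the boundaries, so here it is as an added example in Python, not part of the original tutorial. It uses only the standard library ipaddress module. It goes slightly beyond the text in one place: the “count the binary digits” shortcut for host bits is replaced by the exact rule (2^h minus 2 usable addresses must cover the host count), which gives the same answers for 20, 50, 800 and 900 hosts but also handles a count such as 31, where the shortcut under-sizes the block. The IP ranges used are the ones from the text; nothing else is assumed.

```python
"""Subnet arithmetic behind the worked examples above (added example,
not from the original tutorial). Pure standard library; run it as a script
to print the tutorial's scenarios."""
import ipaddress


def host_bits(n_hosts: int) -> int:
    """Host bits needed so the block leaves at least n_hosts usable addresses.
    Usable = 2**h - 2 (network and broadcast are excluded). The text's shortcut
    (count the digits of n_hosts in binary) agrees with this except when
    n_hosts is exactly 2**h - 1, e.g. 31 hosts need 6 bits, not 5."""
    if n_hosts < 1:
        raise ValueError("need at least one host")
    h = 2
    while (1 << h) - 2 < n_hosts:
        h += 1
    if h > 30:
        raise ValueError("more hosts than a single IPv4 network can hold")
    return h


def network_bits(n_networks: int) -> int:
    """Bits to borrow so that 2**b >= n_networks."""
    b = 0
    while (1 << b) < n_networks:
        b += 1
    return b


def netmask(prefix: int) -> str:
    """Dotted-decimal mask for a prefix length, e.g. 27 -> 255.255.255.224."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def mask_for_hosts(n_hosts: int) -> str:
    """Scenario 1: size the mask from the host count (20 -> /27, 50 -> /26)."""
    return netmask(32 - host_bits(n_hosts))


def mask_for_networks(n_networks: int, hosts_each: int, base_prefix: int):
    """Scenario 2: borrow network bits from a base block and confirm the
    remaining host bits still cover hosts_each. Returns
    (mask, subnet_count, usable_hosts_per_subnet), or raises when it cannot
    fit, which is what happens when 50 sites of 800 hosts are tried in a /24."""
    nb = network_bits(n_networks)
    hb = host_bits(hosts_each)
    if base_prefix + nb + hb > 32:
        raise ValueError(
            f"/{base_prefix} plus {nb} network bits leaves "
            f"{32 - base_prefix - nb} host bits, but {hosts_each} hosts need {hb}")
    prefix = base_prefix + nb
    return netmask(prefix), 1 << nb, (1 << (32 - prefix)) - 2


def block_delta(mask: str):
    """The text's 'Delta': the value of the lowest set mask bit within the
    subnetted octet, and which octet (1-4) that is. 255.255.255.192 -> (64, 4),
    255.255.252.0 -> (4, 3)."""
    m = int(ipaddress.IPv4Address(mask))
    if m == 0:
        raise ValueError("a 0.0.0.0 mask has no network bits")
    low = m & -m            # isolate the lowest set bit
    octet = 4
    while low > 255:        # shift it down into its own octet
        low >>= 8
        octet -= 1
    return low, octet


def subnet_ranges(base: str, new_prefix: int):
    """All (first, last) address pairs when base is cut into /new_prefix."""
    net = ipaddress.ip_network(base, strict=False)
    return [(str(s.network_address), str(s.broadcast_address))
            for s in net.subnets(new_prefix=new_prefix)]


def usable_range(subnet: str):
    """(first usable, last usable, count); network and broadcast excluded."""
    hosts = list(ipaddress.ip_network(subnet, strict=False).hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def to_bits(addr: str) -> str:
    """Dotted binary, as laid out in the ANDing tables above."""
    return ".".join(f"{int(o):08b}" for o in addr.split("."))


def same_network(a: str, b: str, mask: str) -> bool:
    """The ANDing test: equal (address AND mask) means no router is needed."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(a)) & m) == (int(ipaddress.IPv4Address(b)) & m)


if __name__ == "__main__":
    for n in (20, 50, 800):
        print(f"{n:>4} hosts -> mask {mask_for_hosts(n)}")
    print("142.155.53.0 cut into /26 blocks:", subnet_ranges("142.155.53.0/24", 26))
    print("usable in the first block:", usable_range("142.155.53.0/26"))
    print("delta for 255.255.255.192:", block_delta("255.255.255.192"))
    print("50 sites x 800 hosts inside a /16:", mask_for_networks(50, 800, 16))
    a, b = "142.155.53.12", "142.155.53.90"
    print(to_bits(a), to_bits(b), "same network?", same_network(a, b, "255.255.255.192"))
```

The mask_for_networks() check is the step the text does by inspection (“the two 0’s cannot handle 800 hosts”): with a /24 base it raises, with a /16 base it returns 255.255.252.0, 64 subnets and 1022 usable hosts each.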
 
 

===========================================
Another example with a different number of IPs required:
===========================================

Classful is easy to understand because it directly relates to the IP address. Classless is solely based on the bits. As a matter of fact, the bits directly relate to a classful IP anyway. It’s easy to learn once you understand what the bits are all about. Like this:

Example of Class C Mask:
255.255.255.0
Change that to bits:
11111111.11111111.11111111.00000000

So you can see there are 24 bits in the mask (which takes up the left 3 octets), which is the network side. The host side is always 0’s.

In that case, the 8 0’s say this mask can handle 254 hosts or IPs. That’s a lot if someone doesn’t need that many, and is wasteful.

So say a customer only needs 20 IP addresses for their network

We’ll take the 20 and translate that to binary, which equals 10100. We aren’t concerned with the result itself, but rather with how many bits are in the result, which in this case is 5 bits.

So we’ll change the mask to handle 5 bits (which is called subnetting), so then it looks like this:
11111111.11111111.11111111.11100000
Which equals (use your calculator to plug in 11100000 and change it to decimal):
255.255.255.224

So now there are 27 bits in the network side, and only 5 in the hosts side.

So the 3 octets of the network are still 24 bits, but the last octet is chopped, which we call subnetted. So the subnet portion is 3 bits. Make sense so far?

The 5 bits on the host side in binary (if all were 1’s) translate to a maximum of 32 in decimal, so this mask can only handle 32 addresses, but you can’t use the first or the last, so it really handles 30. The router takes one, so it really will handle 29 machines.

Now look at the subnetted bits, the 3 bits. That tells you how many little networks of 30 hosts there are. 3 bits translate to 8 in decimal, so you just created 8 mini networks of 30 usable IPs each.

What are the IP address start and stop points you ask? Good question.

Look at the first significant bit in the last octet: it’s the “1” left of the zeroes, and is in the 32 spot in binary.

The bits are as such:
128 64 32 16 8 4 2 1

So that first “1” is in the 32 spot. That is what we call our “Delta” in this case.

So we’ll chart it out:
0
32
64
96
128
160
192
224

So let’s plug in an IP range, say 192.168.5.0
 
The ranges will be:
192.168.5.0 to 192.168.5.31
192.168.5.32 to 192.168.5.63
192.168.5.64 to 192.168.5.95
192.168.5.96 to 192.168.5.127
192.168.5.128 to 192.168.5.159
192.168.5.160 to 192.168.5.191
192.168.5.192 to 192.168.5.223
192.168.5.224 to 192.168.5.255
 
So there are 8 usable ranges.

Make sense?

Keep in mind, with this mask, if a machine at 192.168.5.20/27 (255.255.255.224) tries to communicate with a machine at 192.168.5.42/27 (255.255.255.224), you’ll need a router because they are on different networks. That is because the mask defines the network a machine is on and how many IPs that network can handle.

This was a simple example. This can be used for the third octet too. If you want to have, say, 900 hosts, that is 1110000100 in binary, which is 10 bits, and the mask would look like this:
11111111.11111111.11111100.00000000
11111111.11111111.11111100.00000000

Which is equal to:
255.255.252.0

See what I mean? The rest is up to you!

Just apply this to what that article is talking about.

 

Related Links

Subnetwork
http://en.wikipedia.org/wiki/Subnetwork

Google Search: “IP subnetting history”
http://www.google.com/search?q=ip+subnetting+history&hl=en&rls=com.microsoft:en-us:IE-SearchBox&tbs=tl:1&tbo=u&ei=FJn2S5_zCIGBlAfJjPHPCg&sa=X&oi=timeline_result&ct=title&resnum=11&ved=0CE4Q5wIwCg

Request for Comments: RFC 1918 – Address Allocation for Private Internets, Network Working Group, 1996
http://www.faqs.org/rfcs/rfc1918.html
Describes address allocation for private internets. The allocation permits full network layer connectivity among all hosts inside an enterprise as well as among all public hosts of different enterprises

IP Subnetting, A Graphical Approach – Part 1
http://www.youtube.com/watch?v=ZLy2_luEkVY

IP Subnetting, A Graphical Approach – Part 2
http://www.youtube.com/watch?v=jeV6BbcbSbQ

Subnetting Part 1
http://www.youtube.com/watch?v=XFB33GKQdOs&feature=related

 

Configuring Hosted Exchange 2003 – High Level Steps

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Published 2/20/2010

Preface

I compiled this blog in response to questions regarding how to set up Hosted Exchange on 2003. I have not yet compiled one for Exchange 2007, which I will be writing soon enough. The steps outlined are high-level steps, and it’s assumed you are familiar with the actual low-level steps and tools required. If you are not sure about the specifics of a step, you can simply search for how to do it, or contact me, and I’ll search and provide links or append the steps and how-tos to this blog.

I hope you find it helpful.

Test AD domain name:
exchangehosting.local
Exchange 2003 SP1:
======================
Created multiple Recipient Policies for:
CompanyB.com
The only SMTP address (other than the X.400 address) is:
@CompanyB.com
LDAP filter on the Company attribute (set in each user’s AD properties when the user is created), matching:
CompanyB-UserAccount

CompanyA.com
The only SMTP address (other than the X.400 address) is:
@CompanyA.com
LDAP filter on the Company attribute (set in each user’s AD properties when the user is created), matching:
CompanyA-UserAccount
======================
Created an OU for each company name. The current ones for the test are:
CompanyA.com
CompanyB.com
In each OU, created a Universal Security Group for the respective company, and added only that company’s users to it. The two current groups for the test are:
Enmedia.Net Members
CompanyA.com Members
======================
In AD Domains and Trusts:
Created additional UPN suffixes to match the respective customer domain names.
@CompanyA.com
@CompanyB.com
======================
In AD, two users were created, one for each company under their respective OUs:
CompanyB-UserAccount\P@ssw0rd
Email address and UPN is “CompanyB-UserAccount@CompanyB.com
CompanyA-UserAccount\P@ssw0rd
Email address and UPN is “CompanyA-UserAccount@CompanyA.com
======================
Created multiple GALs, one for each company:
Default Global Address List
 – Denied Full Control (FC) to all Universal Security Groups. All other permissions are left at default.
CompanyB GAL
 – Denied Full Control to all Universal Security Groups except the CompanyB.com Members Universal Security Group, which is given List and Read.
CompanyA GAL
 – Denied Full Control to all Universal Security Groups except the CompanyA.com Members Universal Security Group, which is given List and Read.
======================
In DNS, two zones were created:
CompanyB.com
A host record was created called “mail” so customers can access their email and OWA as follows:
FQDN: mail.CompanyB.com
OWA: https://mail.CompanyB.com/exchange

CompanyA.com
A host record was created called “mail” so customers can access their email and OWA as follows:
FQDN: mail.CompanyA.com
OWA: https://mail.CompanyA.com/exchange
======================
In order to allow SSL to function properly for each website created for each customer (required by RPC/HTTPS and recommended for OWA access), each website will require an individual IP address rather than “All Unassigned” in the website properties.
In NIC properties, an IP address was added for each customer domain expected to be used.
Keep in mind in a production environment, this is not recommended on a DC, and therefore a member server is required for Exchange. If multiple IPs are configured on a DC, expect AD problems and issues.
======================
Certificate Services were installed under Add/Remove, Windows Components.
======================
To create multiple HTTP/SMTP domains for OWA and RPC/HTTPS access, multiple HTTP virtual servers needed to be created:
– In ESM, under Protocols\HTTP, right-click, new HTTP Virtual Server.
– created two virtual servers:
   – CompanyA
   – CompanyB
For each virtual server created, the SMTP domain it is responsible for must be specified. The system gets this information from the Recipient Policy SMTP suffixes created.
 – Ensure in ESM, under the HTTP\website properties, in the Exchange Path selection, that “Mailboxes for SMTP domain” is selected.
 – Click on Modify, select the respective SMTP domain name. 

Once the virtual servers have been created, then open IIS.
 – If already open, hit the refresh button.
 – The two domains you created will now show up.
 – However, you will only see one subfolder called “Exchweb” under each respective virtual directory that was created.
 – Next to the IP address, if not already done so, ensure the respective IP has been selected.
 – Click on Advanced, Under the

OWA and RPC/HTTPS will require an “Exchange” virtual folder to be created:
 – Rt-click the new website created, select New, then virtual directory.
 – Provide “Exchange” for the name
 – Copy all property settings from the default “Exchange” subfolder’s properties under the Default Website.

We will now need an SSL cert. To acquire a publicly recognized SSL cert, contact www.verisign.com or www.digicert.com (my preference), and follow the steps they provide. Otherwise, for this test, we will use an SSL certificate provided by our own private CA (Certificate Authority).
======================
 
To get an SSL cert from our private CA:
 – Under the Directory Services tab, click on Server Certificate.
 – Select to request a new certificate and select to send it directly to the local Certificate Authority.
 – Select the defaults for the rest of the requested information, except for the host header, for which you want to select the respective website host header name that customers will be using to access OWA and RPC/HTTPS. For example, the CompanyA website’s FQDN and host header name will be set to mail.CompanyA.com.
 – Click Finish to complete the certificate wizard.
 – While still under the Directory Services tab, under the Secure Communications section, click on “Edit”.
 – Select “Require Secure Channel”.
 – For the test, the 128-bit encryption requirement was not selected.
 – Click OK, and apply to ALL subfolders.
 – If this is the default website, which will only be used for administrative purposes for OWA and other functions, you MUST de-select it for the “EXADMIN” virtual website (subfolder).
 – Repeat for each website.
 – In each website’s properties, under the Web Site tab, click on Advanced, select an IP for the website, and click Apply.
Restart IIS.
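Because “Require Secure Channel” has to land on every subfolder of every tenant website, with EXADMIN on the Default Web Site as the one deliberate exception, it is worth verifying the result instead of trusting the wizard. The following script is an added example for this post, not something from the original article or from Microsoft; it assumes PowerShell is installed on the Exchange server and that the IIS 6 ADSI provider (the same metabase interface ADSIEdit-style tools use) is available locally. It walks every web site and virtual directory in the metabase and reports the effective AccessSSL flag, which is the property behind the “Require Secure Channel” checkbox.

```powershell
# Added example: report "Require Secure Channel" (metabase AccessSSL) for every
# IIS 6 web site and virtual directory, so per-tenant SSL enforcement can be checked.
# Assumes the IIS ADSI provider on the local Exchange 2003 server.
function Get-SiteSslReport {
    param([string]$Server = "localhost")   # constructed default: run on the Exchange box

    # Recursive helper: emit one row for this node, then descend into child directories.
    function Walk-VirtualDir($node, $siteName) {
        New-Object PSObject -Property @{
            Site       = $siteName
            Path       = $node.psbase.Path
            # The IIS provider returns the effective (inherited) value, so a child that
            # never had the box ticked explicitly still reports what IIS will enforce.
            RequireSSL = [bool]$node.psbase.Properties["AccessSSL"].Value
        }
        foreach ($child in $node.psbase.Children) {
            if ("IIsWebVirtualDir", "IIsWebDirectory" -contains $child.psbase.SchemaClassName) {
                Walk-VirtualDir $child $siteName
            }
        }
    }

    # W3SVC children include filters and info nodes; only IIsWebServer objects are sites.
    foreach ($site in ([ADSI]"IIS://$Server/W3SVC").psbase.Children) {
        if ($site.psbase.SchemaClassName -ne "IIsWebServer") { continue }
        $name = $site.psbase.Properties["ServerComment"].Value   # the friendly site name in IIS Manager
        $root = [ADSI]"$($site.psbase.Path)/ROOT"                # the site's root virtual directory
        Walk-VirtualDir $root $name
    }
}

# Anything not SSL-only stands out. Under the Default Web Site, EXADMIN is expected in this
# list (ESM needs it over plain HTTP); a tenant site's Exchange or Exchweb folder is not.
Get-SiteSslReport | Where-Object { -not $_.RequireSSL } | Format-Table Site, Path -AutoSize
```

Drop the Where-Object filter to see the full list, including the folders that are correctly set to require SSL.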

======================

In ESM:
 – Create a Storage Group called “Customer Group 1”.
 – Create a Mailbox Store in each group for each customer. A Storage Group will handle 5 stores/customers, since only 5 stores can be created per storage group.
 – Set mailbox limits per store as per the customer’s SLA.
 – In AD, move the users to their respective company’s mailbox store.

======================

Enable Forms Based Authentication to test:
 – Go to ESM, Protocols, HTTP, right-click, Properties, Settings tab, click on Forms Based Authentication.
 – In IE, connect to each company’s OWA FQDN.
 – For CompanyA-UserAccount, use: “https://mail.CompanyA.com/exchange”
 – The Forms Authentication page will appear.
 – Username: CompanyA-UserAccount
 – Password: P@ssw0rd
 – The mailbox will open.

======================

For RPC/HTTPS:

 – In ESM, Protocols, for each virtual HTTP website, Properties, uncheck Forms Based Authentication.

======================

Each company needs an Offline Address Book:
In ESM, create an additional Offline Address Book for each company, name it appropriately, and associate the newly created address book with the respective company’s GAL.

======================

Each company requires its own Address Lists, independent of the other companies.
How To Use Address Lists to Organize Recipients in Exchange 2003
http://support.microsoft.com/?id=319213

======================

Set a search point for address book queries for each company. This will be based on OUs.
See http://support.microsoft.com/?id=272197
1. Start the ADSIEdit snap-in, and then click Connect To on the Action menu.
2. Click Domain NC.
3. Click a computer or domain to connect to, or click OK to use the domain or server that you are logged into, and then click OK to accept these settings. In this example, use ASPHosting.com.
4. Click DC=ASPHosting, dc=COM.
5. Locate and click the Customer1.com organizational unit, and then right-click the user for which you want to set viewing restrictions.
6. Click msExchQueryBaseDN in the Select a property to view box.
7. Copy the LDAP address that represents that user’s organizational unit into the Edit attribute box. For example, ou=customer1, DC=ASPhosting, dc=COM, or ou=CompanyA.com,dc=exchangehosting,dc=local
8. Click Set, and then click OK.
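The ADSIEdit steps above scope one user at a time, and in a hosting setup a single user left without msExchQueryBaseDN can browse the address book across every tenant. The script below is an added example for this post (not from the original article or from Microsoft) that generalizes the procedure to every mail-enabled user in a company OU: it reports users whose msExchQueryBaseDN is missing or points elsewhere and, unless run with -ReportOnly, sets it to the OU’s own DN. The default OU DN is a constructed value taken from the page’s sample, OU=CompanyA.com,DC=exchangehosting,DC=local, and the script assumes PowerShell on a machine joined to the hosting domain with rights to write that attribute.

```powershell
# Added example: set msExchQueryBaseDN for every mail-enabled user in a hosted
# company OU to the OU's own DN, so each tenant's address book queries stay inside
# the tenant. Assumes PowerShell with access to the hosting domain.
function Set-HostedQueryBaseDN {
    param(
        # Constructed default, from the page's sample DN
        [string]$OuDn = "OU=CompanyA.com,DC=exchangehosting,DC=local",
        [switch]$ReportOnly                 # list what would change, write nothing
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$OuDn"
    # Only mailbox- or mail-enabled users carry the attribute; plain accounts are skipped.
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(mailNickname=*))"
    $searcher.PageSize = 500                # paged search, so large tenants do not hit the 1000-result limit
    $null = $searcher.PropertiesToLoad.Add("distinguishedName")
    $null = $searcher.PropertiesToLoad.Add("msExchQueryBaseDN")

    foreach ($result in $searcher.FindAll()) {
        $dn      = $result.Properties["distinguishedname"][0]
        $current = @($result.Properties["msexchquerybasedn"])   # empty array when not set

        # Already scoped to this OU: nothing to do. -eq on strings is case-insensitive,
        # which is the right comparison for DNs.
        if ($current.Count -eq 1 -and $current[0] -eq $OuDn) { continue }

        $was = if ($current.Count -eq 0) { "<not set>" } else { $current[0] }
        Write-Host ("{0}`n    msExchQueryBaseDN: {1} -> {2}" -f $dn, $was, $OuDn)

        if (-not $ReportOnly) {
            $user = $result.GetDirectoryEntry()
            $user.Put("msExchQueryBaseDN", $OuDn)
            $user.SetInfo()                 # commit the single-attribute change
        }
    }
}

# Review first, then apply the same call without -ReportOnly.
Set-HostedQueryBaseDN -ReportOnly
```

Run it once per company OU; a user reported with a DN from another tenant is the case worth investigating before the write, since it usually means the account was moved between OUs without the attribute being updated.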
======================

Related Links

Shared Hosting with Exchange 2003 (Part 1 & 2), msexchange.org, Jul 20, 2004
http://www.msexchange.org/tutorials/Shared_Hosting_Exchange_2003_Part1.html

TechNet Support WebCast: Welcome to Hosted Exchange 2003. Discusses Windows-based Hosting, including Hosted Exchange 2003, a Microsoft solution for service providers.
http://support.microsoft.com/kb/887284