AD & Dynamic DNS Updates Registration Rules of engagement

Keep in mind, for the most part it automatically works “out of the box” without much administrative overhead.

Original Compilation: 11/19/2012
Updated: 9/5/2013

Prologue

What I’ve tried to do is accumulate all pertinent information about configuring dynamic DNS registration in an AD environment. I hope I haven’t missed anything, and that I’ve explained each numbered bullet point well enough and removed all ambiguity, to fully understand each point.

And yes, this blog is regarding an AD environment. If you have a non-AD environment with a Windows DNS server that you want your computers to register, please read the following blog:

DNS Dynamic Updates in a Workgroup
https://blogs.msmvps.com/acefekay/2013/06/12/dns-dynamic-updates-in-a-workgroup/

 

===

Summary

  1. The machine’s DNS entries in the NIC, must be ONLY configured to use the internal DNS servers that host the zone. No others.
        a. DHCP Option 006 MUST only be the internal DNS server(s) you want to use, otherwise if using an ISP’s DNS or your router, expect undesired results.
  2. The Primary DNS Suffix on the machine MUST match the zone name in DNS.
    1. For joined machines, this is default. 
    2. For non-joined machines, the Primary DNS Suffix must be manually configured or scripted.
  3. If using DHCP Option 015 (Connection Specific Suffix), it must match the zone name and have “Use This Connection’s DNS Suffix in DNS Registration” along with “Register This Connection’s Addresses in DNS” checked in the NIC’s IPv4, Advanced, DNS tab.
    1. For additional information on how to configure updates in a workgroup:
      DNS Dynamic Updates in a Workgroup
      https://blogs.msmvps.com/acefekay/2013/06/12/dns-dynamic-updates-in-a-workgroup/
  4. The Zone must be configured to allow updates.
  5. For AD Integrated Zones where you have it configured for “Secure and Unsecure Updates:
    1. If the machine’s network card DNS address entries have been statically configured:
            – They must only point to the internal DNS servers that host the AD zone or to servers that have a reference to the zone (such as stubs, secondary zones, conditional forwarders, or forwarders)
            – It must be joined to the domain in order to authenticate using Kerberos to update.
    2. If statically configured and not joined to the domain, the client can’t update its record if the zone is set to Secure Only. 
    3. For non-joined domain DHCP clients, you can configure DHCP to update in lieu of the client updating into a Secure Only zone.
  6. For any non-Windows statically configured machine, it must support the DNS Dynamic Updates feature and the zone configured to allow Secure and Unsecure updates.
  7. If the DNS server is multihomed and not configured properly to work with multihoming, it may cause problems with Dynamic Updates.
    1. Read the following for more info:
      Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, Clustering interfaces, management interfaces, backup interfaces, and/or PPPoE adapters – A multihomed DC is not a recommended configuration, however there are ways to configure a DC with registry mods:
      http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx
  8. If the zone is single label name, such as ‘domain’ instead of the proper minimal format of ‘domain.com,’ ‘domain.net,’ etc., it will NOT update.
  9. The client will “look” for the SOA of the zone when it attempts registration. If the SOA is not available or resolvable, it won’t register. Keep in mind with AD integrated zones the SOA rotates among the DCs because of the multimaster feature. This is default and expected behavior, but if there are any DCs that have any problems, and the client resolved the SOA to that DC, it may not accept the update.
  10. The zone in DNS must NOT be a single lable name, such as “DOMAIN” instead of the required minimum of two hierarchal levels such as domain.com, domain.local, domain.me, domain.you, etc. Single label name zones are problematic, do not conform to the DNS RFC, and causes excessive internet traffic to the Root Servers when DNS tries to resolve a single label name query, such as querying for computername.domain – in such a query, the domain name is actually treated as a TLD. ISC has made a note of the excessive traffic generated by Microsoft DNS servers configured with a single label name in 2004 with Microsoft, which in turn disabled the ability for Microsoft DNS in Windows 2000 SP4 and newer to resolve single label names without a registry band aid. More info on this:
    1. Active Directory DNS Domain Name Single Label Names – Problematic
      Published by Ace Fekay, MCT, MVP DS on Nov 12, 2009 at 6:25 PM  641  0
      http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx
  11. For Windows 2008 and all newer operating systems, IPv6 must not be disabled. If disabled, it will cause other problems:
    The Cable Guy – Support for IPv6 in Windows Server 2008 R2 and Windows 7, by Joseph Davies, Microsoft, Inc.
    Quoted by Joseph Davies, MSFT:
    “IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. “Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.”
    http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
    1. Arguments against disabling IPv6
      Demoire, [MSFT], 24 Nov 2010 12:37 AM
      http://blogs.technet.com/b/netro/archive/2010/11/24/arguments-against-disabling-ipv6.aspx
    2. IPv6 for Microsoft Windows: Frequently Asked Questions
      (Basically Microsoft is saying in this KB article to not disable IPv6)
      http://technet.microsoft.com/en-us/network/cc987595.aspx

 

Full explanation:

  1. Active Directory’s DNS Domain Name is NOT a single label name (“DOMAIN” vs. the minimal requirement of “domain.com.” “domain.local,” etc).
  2. The Primary DNS Suffix MUST matches the zone name that is allowing updates. Otherwise the client doesn’t know what zone name to register in. You can also have a different Connection Specific Suffix in addition to the Primary DNS Suffix to register into that zone as well.
  3. AD/DNS zone MUST be configured to allow dynamic updates, whether Secure or Secure and Non-Secure. For client machines, if a client is not joined to the domain, and the zone is set to Secure, it will not register either.
  4. You must ONLY use the DNS servers that host a copy of the AD zone name or have a reference to get to them.
    1. Do not use your ISP’s, an external DNS address, your router as a DNS address
    2. Do not use any DNS that does not have a copy of the AD zone.
    3. Internet resolution for your machines will be accomplished by the Root servers (Root Hints), however it’s recommended to configure a forwarder for efficient Internet resolution.
  5. The domain controller is multihomed (which means it has more than one unteamed, active NIC, more than one IP address, and/or RRAS is installed on the DC).
  6. The DNS addresses configured in the client’s IP properties must ONLY reference the DNS server(s) hosting the AD zone you want to update in.
    1. This means that you must NOT use an external DNS in any machine’s IP property in an AD environment.
    2. You can’t mix internal and external DNS server. This is because of the way the DNS Client side resolver service works. Even if you mix up internal DNS and ISP’s DNS addresses, the resolver algorithm may still pick the incorrect DNS to query. Based on how the algorithm works, it will ask the first one first. If it doesn’t get a response, it removes the first one from the eligible resolvers list and goes to the next in the list. It will not go back to the first one unless you restart the machine, restart the DNS Client service, or set a registry entry to cut the query TTL to 0. The rule is to ONLY use your internal DNS server(s) and configure a forwarder to your ISP’s DNS for efficient Internet resolution.
    3. There is a registry entry to cut the query to 0 TTL (normally this is not necessary, but I’m posting it as a reference).
      1. The DNS Client service does not revert to using the first server …The Windows 2000 Domain Name System (DNS) Client service (Dnscache) follows a certain algorithm when it decides the order in which to use the DNS servers …
        http://support.microsoft.com/kb/286834
    4. The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP (applies to all Operating Systems, too)
       http://support.microsoft.com/kb/320760
    5. For more info, please read the following on the client side resolver service:
      DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted SMB (DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm if you have multiple forwarders.
      http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
  7. For DHCP clients, DHCP Option 006 for the clients are set to the same DNS server.
  8. If using DHCP, DHCP server must only be referencing the same exact DNS
    server(s) in it’s own IP properties in order for it to ‘force’ (if you set
    that setting) registration into DNS. Otherwise, how would it know which DNS
    to send the DNS registration request data to?
  9. If the AD DNS Domain name is a single label name, such as “EXAMPLE”, and not the proper format of “example.com” and/or any child of that format, such as “child1.example.com”, then we have a real big problem. DNS will not allow registration into a single label domain name.
    This is for two reasons:
    1. It’s not the proper hierarchal format. DNS is
                 hierarchal, but a single label name has no hierarchy.
                 It’s just a single name
    2. Registration attempts causes major Internet queries
                 to the Root servers. Why? Because it thinks the
                 single label name, such as “EXAMPLE”, is a TLD
                (Top Level Domain), such as “com”, “net”, etc. It
                will now try to find what Root name server out there
                handles that TLD. In the end it comes back to itself
               and then attempts to register. Unfortunately it doe NOT
               ask itself first for the mere reason it thinks it’s a TLD.
    3. Quoted from Alan Woods, Microsoft, 2004:
      “Due to this excessive Root query traffic, which ISC found from a study that discovered Microsoft DNS servers are causing excessive traffic because of single label names, Microsoft, being an internet friendly neighbor and wanting to stop this problem for their neighbors, stopped the ability to register into DNS with Windows 2000 SP4, XP SP1, (especially XP,which cause lookup problems too), and Windows 2003. After all, DNS is hierarchal, so therefore why even allow single label DNS domain names?”
    4. The above also *especially* applies to Windows Vista, Windows 7, &, 2008, 2008 R2, Windows 2012, and newer.
  10. ‘Register this connection’s address” on the client is not enabled under the NIC’s IP properties, DNS tab.
  11. Maybe there’s a GPO set to force Secure updates and the machine isn’t a joined member of the domain.
  12. With Windows 2000, 2003 and XP, the “DHCP client” Service is not running.  In Windows 2008, Windows Vista and all newer operating systems, it’s now the DNS Client Service.
    1. This is a requirement for DNS registration and DNS resolution even if the client is not actually using DHCP.
    2. Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops (2000/2003/XP only)
      http://support.microsoft.com/?id=264539
  13. You can also configure DHCP to force register clients for you, as well as keep the DNS zone clean of old or duplicate entries. The following has more information on how to do that:
    1. DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the DnsProxyUpdate Group (How to remove and prevent future duplicate DNS host records)
      Published by acefekay on Aug 20, 2009 at 10:36 AM  3758  2 
      http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx

 

What will stop AD SRV registration:

  1. Any DNS server referenced in TCP/IP properties that does not host the AD zone name, or does not have a reference to the internal AD zones name.
    1. External DNS servers do not host or have a reference, therefore must NOT be used.
    2. AD Domain machines must never be pointed at an external (ISP) DNS server or even use an ISP DNS server as an “Alternate DNS server” because they do not host the internal AD zone, or have a reference to it.
      1. Only use internal DNS servers when part of an Active Directory domain. Active Directory’s Reliance on DNS, and why you should never use an ISP’s DNS address or your router as a DNS address, or any other DNS server that does not host the AD zone name
        http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx
  2. Are any services disabled such as the DHCP Client service or the DNS Client Service? They are required services, whether the machine is static or DHCP.
    1. No DNS registration functions if DHCP Client Service Is Not Running (2000/2003/XP only)
      http://support.microsoft.com/?id=268674
    2. Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops (2000/2003/XP only)
      http://support.microsoft.com/?id=264539
    3. For all Windows 2008, Windows Vista and all newer operating systems, it’s the DNS Client Service.
  3. The AD/DNS zone not configured to allow dynamic updates.
  4. Make sure ‘Register this connection’s address” in DNS is enabled under TCP/IP properties.
  5. Missing or incorrect “Primary DNS suffix” or “Connection-specific DNS suffix” of the domain to which the machine belongs. 
    1. I one of these are incorrect, the client side service cannot find the correct zone to register into. If missing or incorrect, it is called a Disjointed Domain Namespace.
  6. Is the firewall service enabled? (disable it).
  7. Were the default C: drive permissions altered and was a hotfix installed a recently?
    1. “Systems that have changed the default Access Control List permissions on the %windir%\registration directory may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC”
      http://support.microsoft.com/kb/909444
    2. For more info about this issue, see:
      http://blogs.technet.com/steriley/archive/2005/11/08/414002.aspx
  8. If the zone is set to Secure Updates Only, the computer may not have authenticated to the domain (which can be due to DNS misconfiguration or DNS server problem), which of course causes more problems than just DNS  registration.
  9. Is the File and Print services enabled?
    1. It must be enabled.
  10. Microsoft Client Services enabled?
    1. If not,  it must be enabled.
  11. Is DNS service listening on the private LAN interface?
    1. Check under the Interfaces tab under DNS server properties in the DNS console.
  12. More than one NIC on a client?
    1. The wrong one may be registering.
  13. Updates allowed on the zone?
    1. This is an obvious one.
  14. Primary DNS suffix matches the zone name in DNS and the AD domain name?
    1. If not, then it won’t register into the zone.
  15. Was Zone Alarm ever installed on these machines?
    1. If so, ZA leaves SYS files and other remnants that continue to block traffic.
  16. Any Event log errors?
  17. Was a Registry entry configured to stop registration?
    1. 246804 – How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per NIC too):
      http://support.microsoft.com/?id=246804
  18. Spyware or something else such as DotNetDns installed on it?
    1. Download the free tool at www.malwarebytes.com and run a malware scan.
    2. Download the free Malicious Software Scanner from Microsoft and run a scan
    3. Download TrendMicro HouseCall free scan tool and run it.
  19. Single Label Domain Name?
    1. Active Directory DNS Domain Name Single Label Names – Problematic – And this applies to any DNS zone name, not just AD.
      Published by Ace Fekay, MCT, MVP DS on Nov 12, 2009 at 6:25 PM  641  0
      http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx
  20. Netlogon and DFS services must be started.
  21. Malware or virus altering network services preventing it from registering.
    1. Some sort of firewall in place, whether the Windows firewall disabling File and Print Services, or a 3rd party firewall, which many AV programs now have built in and must be adjusted to allow this sort of traffic and exclude the NTDS and SYSVOL folders.
    2. If Windows Firewall, run the following to see what settings are enabled:
      netsh firewall show config
  22. Is IPv6 disabled? That will stop registration.
    1. Enable it.
  23. Do any duplicate AD integrated zones exist in the AD database?
    1. This will cause major problems. Any duplicates found must be deleted. The cause must also be determined to eliminate it from occurring again.
    2. Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
      Published by acefekay on Sep 2, 2009 at 2:34 PM  7748  2
      http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx
  24. Were imaged machines cloned without the image being Sysprepped first? 
    1. If not, duplicate SIDs will cause machines to fail authentication to register into the zone.

 

Suggestions, Comments, Corrections are welcomed.

Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
   Microsoft Certified Trainer
   Microsoft MVP: Directory Services
   Active Directory, Exchange and Windows Infrastructure Engineer and Janitor
   www.delcocomputerconsulting.com

Troubleshooting the Browser Service

By Ace Fekay, , MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
www.delcocomputerconsulting.com

v2

 

Preamble:

Each subnet has it’s own master browser, and if you are using WINS, the master browser works together with the WINS service to enumerate an infrastructure wide browse list.

If not using WINS, it uses broadcasts, however, you’ll only see what’s on your own subnet, because NetBIOS broadcasts are more than likely blocked by routers, which is default, and many routers don’t allow NetBIOS broadcast across subnets to be enabled.

If you are in a multi-subnetted environment, and you want full browsing capabilities, to get around routers blocking NetBIOS broadcasts, it’s suggested to use WINS.

And the default WINS settings out-of-the-box, work fine, as long as you set up DHCP WINS options correctly. There is no need to adjust WINS’ registry parameters, otherwise you’ll find yourself trying to change registry entries on multiple servers and mis-keying something. Here’s more info on configuring WINS:

WINS – What Is It, How To Install It, WINS Replication Partner Design Guidelines, How to Configure DHCP Scopes For WINS Client Distribution, and more:
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

If you’ve just upgraded your PDC from Windows 2003 to Windows 2008 or Newer

The Computer Browser service on Windows 2008 and newer is disabled by default. If you want the PDC Emulator to do it’s job as the Master Browser and not have some workstation win the election (read below what that means), then I suggest to set it to Automatic and start it. Otherwise, browsing will not work properly and you’ll be chasing a ghost trying to figure out why. I usually just enable it on all of my DCs. More info in the following link:

NetBIOS browsing across subnets may fail after upgrading to Windows Server 2008
http://blogs.technet.com/b/networking/archive/2008/07/25/netbios-browsing-across-subnets-may-fail-after-upgrading-to-windows-server-2008.aspx

Preferably install at least one server OS on each subnet:

If there is a server OS, and it’s not multihomed, especially if a DC on the subnet and it’s not multihomed (multihoming a DC is a really bad idea), then it should win, unless there’s a problem with the machine itself, such as some sort of security setting in your antivirus blocking traffic, or firewall blocking traffic on it.

And as mentioned, if you just upgraded the PDC emulator to 2008 or newer, set the Computer Browser service to Automatic and start it.

If you find workstations are becoming masters, that means there are no server operating systems on those subnets, in such cases, the workstation will win Master Browser election.

And I realize in many large infrastructures, it would be nearly impossible to put a server operating system on each subnet. However, as long as there is a desktop using the latest client operating system that is always up and running 24/7, that will do the trick.

If a newer client OS were to be introduced, then it would start a master browser election, and win the election (OS version and server role is a factor in the election process). And any machine that someone clicks on Network Neighborhood or clicks a Browse button somewhere, would invoke an election, but if a desktop is running on the subnet 24/7, it will win the election, since it’s already up and running.

If you don’t want any other client machine to win the election and were to opt for only that one machine, you can set a registry entry using a GPO to disable participating in the browse list for all the machines in the subnet other than the client machine you chose to keep up and running 24/7:

Set the client machine of your choosing to:
Emulator MaintainServerList=Yes, IsDomainMaster=True

All other clients on the subnet, set it to:
MaintainServerList=Auto,IsDomainMaster=False

I’m not saying this is a perfect solution, but it’s something to consider. Otherwise, if no specific machine is up and running 24/7 on any given subnet, the browse list will be rebuilt each time everyone shuts down, then brings their machines up in the morning, and the cycle starts from scratch to rebuild the list of machines on that subnet.

 

Third Party Devices Participating in the Browser Service

I would like to point out that if you have any 3rd party devices, such as a Seagate BlackArmor NAS, it will jump in on the election process and may win, which in case will snafu your browse list. I had one of those devices at a customer site last year causing numerous problems with the browse list, which in turned snowballed to cause problems with Symantec BackupExec, and other services that rely on browsing.

After some troubleshooting, I found that the BlackArmor NAS was consistently winning the election causing the problems. I couldn’t find anything specific on how to disable browser service participation on the device. It has the latest firmware. I contacted Seagate, and they said they couldn’t help me to disable the device’s ability to participate in the Browser Service.

I finally moved it on to its own VLAN so it can be king of itself on that subnet, so to speak. I gave it it’s own island. Smile

 

Browse List Propagation:

We have to keep in mind with troubleshooting the browser service, there is a time period you have to wait for the list to fully enumerate and become available on the master. A good example is when a server is shut off on a segment, and the workstations kick in, or the server is rebooted, wins the election, and begins a new cycle to enumerate the browse list from WINS and/or broadcasts. This can take a minimal of 12 minutes, upwards to the 48-minute full propagation cycle in a multiple-segment domain environment.

 

When to Troubleshoot

Below are the generic troubleshooting steps I used to troubleshoot the browser service that helped me find out the BlackArmor device was the culprit.

If you are seeing problems with the browser service, such as computers disappearing from the browse list, whether the cause is a third party device, Unix/Linux machine running Samba, or simply based on the infrastructure’s design, it might be a good idea to start troubleshooting to find the culprit.

 

Prepare to Troubleshoot:

  • Make sure the Computer Browser service is Started. Make sure NetBIOS is enabled on al machines.
  • On Windows 2003 and 2000, install the Support Tools (from the Windows CDROM) in order to have the “browstat” utility available.
  • With Windows 2008 and newer, the utility is already installed as part of the operating system files.
  • If there are any antivirus software, third party firewalls, or firewall rules between locations blocking WINS traffic (TCP 42), it could block browser traffic, too. This of course, assumes the Computer browser service is running.

 

Firewall blocks – Test it with PortQry

You can use the Portqry.exe utility to test if the Browser, SMB, WINS and the ephemeral (service response) ports are permitted.

  • Browser: UDP 137/138, TCP 139
  • SMB: TCP 445
  • WINS: TCP 42
  • Ephemeral (Service Response Ports): Varies depending on OS:
    • Windows 2000/2003/XP: TCP/UDP 1024-5000
    • Windows 2008/Vista and newer: TCP/UDP 49152-65535

Description of the Portqry.exe command-line utility
http://support.microsoft.com/kb/310099

Active Directory Firewall Ports – Let’s Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx 

 

Multihomed DCs:

And if you have any multihomed DCs, among numerous other problems, that is a major cause of browser problems. Multhoming DCs is not recommended for multiple reasons, including a “Multihomed Browser” scenario. I suggest to disable one of the interfaces.

More info regarding multihoming DCs and why not to do it:

Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters – A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly.
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

 

Troubleshooting Steps:

Run a browstat status to see who the browse master is for the segment. If it’s not the PDC Emulator, and some other device won the election, that can cause a problem.

To check current status of the browse service on the domain, run:
browstat status

You should get a response similar to:
Browsing is active on domain.
Master browser name is: <serverName>

Note, the machine that is the current master browser will either be, depending if the machine type exists on the segment: the PDC Emulator, a replica DC on the segment, a member server, joined workstation, or workgroup member, Unix or Linux with SAMBA, etc.

If you find a device is winning the election, then we need to disable that ability in the device. If there are no features for that, contact their support department, or put the device behind it’s own subnet or VLAN to prevent it from winning the election on the production network.

To find the current browse master on a segment, you’ll have to find the TransportID:
First run:

browstat getmaster \device\netbt_el59x1 <domainname>

It will error out because the “netbt_el59x1” probably doesn’t exist, and will respond with the transports currently bound to the browser. Copy and paste the transport that does show up into your next command:

browstat getmaster \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>

Force an election by running:
browstat elect \device\netbt_ieepro1 <domainname>

Then check the event logs to see which machine won the election. If it’s a device, such as I’ve found that Linux/Unix with SAMBA, or devices such as a Seagate NAS, may win the election and cause browsing havoc within an environment and get that familiar, but unwanting “Access Denied” when trying to browse.

 

Master Browser Election Process

I know, most of you probably wondered what the order of who would be the winner during a Master Browser election. The winner of a browse master election process is based on operating system version and role. It’s also based on each subnet.

So if a Windows XP client is on a subnet by itself, then yes, it may become an MB if nothing else beats it.

And if a Windows Server 2008 R2 DC is on subnet 192.168.50.0/24 and on subnet 192.168.30.0/24 there are only a bunch of Windows XP and 2000 computers, then the XP will win.

If the DC is multihomed, then that will definitely throw a wrench into it. Do NOT multihome your DC. Really, believe me, you don’t want to do it.

The following list shows the order of precedence of which operating system will win. And keep in mind, it’s subnet specific.

1. DC – PDC Emulator (no matter what OS)
2. DC – Non-PDC Emulator (no matter what OS)
3. Windows Server 2012
4. Windows 8
5. Windows Server 2008 R2
6. Windows 7
7. Windows Server 2008
8. Windows Vista
9. Windows Server 2003 R2
10. Windows Server 2003
11. Windows XP
12. Windows Server 2000
13. Windows 2000 Pro
14. Windows NT 4.0
15. Windows ME
16. Windows 98
17. Windows 95
18. Windows for Workgroups 3.11
19. Windows 3.1 with NDIS
20. DOS

 

Reference:

Troubleshooting the Microsoft Browser Services:
http://support.microsoft.com/kb/188305

Browser Elections
http://technet.microsoft.com/en-us/library/cc959896.aspx 

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001?wa=wsignin1.0

==============================================================

Summary

Updated 10/18/2014

I hope this helps! I’m sure I may have missed something. Comments and suggestions are welcomed.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image002[6] clip_image004[6] clip_image006[6] clip_image008[6] clip_image010[6] clip_image012[6] clip_image014[6]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

AD Site Design and Auto Site Link Bridging, or Bridge All Site Links (BASL)

By Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007, 2010 & 2013, Exchange 2013, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer

Updated 12/12/2013

Preface

Ace here again with something I really would like to discuss, since this topic comes up from time to time.

To properly designed an AD multi-site infrastructure, there are a few things that need to be taken into account. I won’t bore you with all the background techno babble, rather I’m going to discuss a no-nonsense, get down to business on why you need to either keep Auto Site Link Bridging enabled, or why you need to disable it, both of which depends on your physical routed topology design.

AD Sites

First, a basic understanding of Active Directory Sites is important to understand before I go further.

Some of the biggest questions I hear about AD Sites are:

  • What are AD Sites?
  • What are AD Sites for?
  • Why can’t I create an AD Site without a domain controller in the Site?

These are all valid questions. A little research will usually result in an answer, but you may have to dig through piles of technical details to get to it. Let’s address each one:

What are AD Sites?

An AD Site defines a highly-connected, physical network locations in Active Directory. We define them by IP subnet or subnets. And yes, you can have multiple subnets that are highly-connected by routers within a location. In some cases, for example, if you have a very high-speed backbone, such as an OC-1 (51.84Mbps or higher), between locations, you can put all those subnets in one AD Site. However, in many cases, we probably don’t want to do that. Hang in there, I’ll be getting to that in a few minutes.

What are AD Sites for?

AD sites are basically used for two things:

  1. To facilitate service localization. In simple English, this means to control logon and authentication traffic to DCs in a specific location, or Site. After all, we don’t want a client in NYC to pick a DC in Seattle, Japan, or somewhere else, to send its logon or authentication request (such as when accessing a folder), do we? Nope. The client side DC Locator process will find a DC in its own Site by using the client’s IP address.
  2. To manage DC replication traffic. In simple English, this means to control DC replication traffic across WAN links between the bridgeheads (the DCs in a Site that communicate with DCs in other Sites). By default, replication between Sites are compressed down to 15% of total traffic. And with Sites, we can control frequency of replication, and when we’re allowing it to happen.’

Why can’t I create an AD Site without a DC in the Site?

Good question. If you look at what AD Sites are for, then it should be pretty obvious that you need a DC in it. After all, if there is no DC in it, and a client picks a Site based on its IP subnet, then looks for a DC, it won’t find any, will it? Nope, so it may wind up randomly picking a DC in another location, such as that DC in Seattle or Japan.

DC Locator Process

I don’t want to dwell on this, but I will briefly mention it because this is part of the reason why we want to create AD Sites anyway.

There is a process that a client uses to pick a DC. Here’s a quick view of how a client picks a DC. I should add a #9 to the list in a scenario when no DC exists in the Site, then it uses Automatic Site Coverage, and this ONLY if you created an IP Site link to another Site that you want the DCs to cover that site.

If you didn’t create an IP Site link for a Site that has no DCs, then it will pretty much become a random process, sort of, by using other factors, such as subnet netmask ordering and Round Robin. If you want to read up on this subject, here are two good TechNet Forum discussions on it:

Briefly, here are the DC Locator process steps, and these steps were directly quoted from How Domain Controllers Are Located in Windows XP

  1. Client does a DNS search for DC’s in _LDAP._TCP.dc._msdcs.domainname
  2. DNS server returns list of DC’s.
  3. Client sends an LDAP ping to a DC asking for the site it is in based on the clients IP address (IP address ONLY! The client’s subnet is NOT known to the DC).
  4. DC returns…
    1. The client’s site or the site that’s associated with the subnet that most matches the client’s IP (determined by comparing just the client’s IP to the subnet-to-site table Netlogon builds at startup).
    2. The site that the current domain controller is in.
    3. A flag (DSClosestFlag=0 or 1) that indicates if the current DC is in the site closest to the client.
  5. The client decides whether to use the current DC or to look for a closer option.
    1. Client uses the current DC if it’s in the client’s site or in the site closest to the client as indicated by DSClosestFlag reported by the DC.
    2. If DSClosestFlag indicates the current DC is not the closest, the client does a site specific DNS query to: _LDAP._TCP.sitename._sites.domainname (_LDAP or whatever service you happen to be looking for) and uses a returned domain controller.

Brief overview:

For a full-sized image, click on the images.

Let me point out again, that if there are no DCs in a Site, then Automatic Site Coverage will take over.

To me, it’s a process to “find” a DC that will authenticate a user in a Site without a DC. However, my take on it is I would rather associate the location’s subnet to a current Site so as to not make the client go through this process. Besides, there may be scenarios that not having a DC in a Site can directly affect directory enabled applications and services such as DFS site referrals, SCCM or Exchange with it’s high dependency on GCs and DSAccess.

Here’s the DC Locator process, directly quoted from the Technet article, “How DNS Support for Active Directory Works:”

  1. Build a list of target sites — sites that have no domain controllers for this domain (the domain of the current domain controller).
  2. Build a list of candidate sites — sites that have domain controllers for this domain.
  3. For every target site, follow these steps:
    1. Build a list of candidate sites of which this domain is a member. (If none, do nothing.)
    2. Of these, build a list of sites that have the lowest site link cost to the target site. (If none, do nothing.)
    3. If more than one, break ties (reduce this list to one candidate site) by choosing the site with the largest number of domain controllers.
    4. If more than one, break ties by choosing the site that is first alphabetically.
    5. Register target-site-specific SRV records for the domain controllers for this domain in the selected site.

If there are no DCs in a Site, you can use PowerShell to figure out which DC in which Site will be picked. If you like, you can further read up on the commands used to figure this out in Sean Ivey’s blog:

Sites Sites Everywhere…, By Sean Ivey, Microsoft DS PFE
http://blogs.technet.com/b/askds/archive/2011/04/29/sites-sites-everywhere.aspx

So wouldn’t you want your clients to pick a DC in its own Site?

Moving forward, do we really want a client to pick a DC in some other site or go through the Automatic Site Coverage process? Would you want that? I ‘m sure you already know the answer to that.

Therefore, if you have a location that have no DCs, then simply create an IP subnet object, and associate the subnet object to an existing AD Site that you want those users to use. In this case, you may base your own pick on a site linked by the fastest WAN link, or the only WAN link.

And if there are any subnets that are not associated with an AD site, then any DC is game to authenticate a client, as seen in the process above. To check for clients which subnets are not configured to AD Sites & Services, among other things, enable Netlogon logging, and check the system32\config\netlogon.log file. Here’s more info:

Enabling debug logging for the Net Logon service, Last Review: May 3, 2011 – Revision: 11.0, Applies to: all operating systems.
 http://support.microsoft.com/kb/109626

Auto Site Link Bridging

This now brings us to bridging, what it is, etc.

Within an AD Site, the KCC (Knowledge Consistency Checker) will automatically assume that all DCs can directly reach each other, and create Intrasite replication partnerships between the DCs in the Site. The one point that I want to be clear about that no matter how many DCs are in a Site, and there can be hundreds of DCs in a Site, the KCC will make sure that the  partnerships created are done so that all DCs in a Site will have an updated replication set for any changes by any of the DCs in the site, within 15 minutes. If you add a new DC to the Site, the KCC jumps in and evaluates the new guy and adds it so it gets updated data from other DCs under 15 minutes. How does it do that? It follows a set algorithm, but that is beyond this discussion.

When there are multiple Sites, and more specifically three or more Sites, and keeping in mind that by default AD automatically assumes that all the Sites have direct physically connectivity and communications between each other. This means you can literally ping a DC from in any Site to any other Site.

Here’s where the ISTG (Intersite Topology Generator) kicks in. The ISTG is a component of the KCC. It evaluates the overall topology, and builds connection objects between servers in each of the sites to enable Intersite replication— DC replication between sites.

Here’s a fully routed infrastructure, For the full-sized image, click here.

 

If remote sites cannot directly communicate with each other and only to the hub site

However, if your physical network topology is designed where each site does not have direct communications with each other, and you leave all the default “Auto Site Link Bridge” setting enabled as is, then lots of things will go wrong, such as replication problems, duplicate AD integrated zones, and more … keep reading. But I won’t address duplicate zones. You can click the link in the previous sentence for more on that.

If the network topology was a hub and spoke and BASL wasn’t disabled and individual sites links between the hub and each site weren’t created until recently, then there may be replication problems. This is a whole different subject. What I can say, besides checking to see if there are duplicate zones, as I mentioned in the previous paragraph, I would also run the Active Directory Replication Status Tool to check replication status. It will provide a report, and anything amiss will show up in Red. Pretty cool tool. Download it here:

Download The Active Directory Replication Status Tool (ADREPLSTATUS):
   http://www.microsoft.com/en-us/download/details.aspx?id=30005
     Note: This tool requires .Net Framework 4. If it’s not installed, download and install it:
       Microsoft .NET Framework 4 (Web Installer)
       http://www.microsoft.com/en-us/download/details.aspx?id=17851

Remember, by default, the KCC assumes all sites can directly communicate, therefore it will create partnerships between Bridgeheads in all sites. And any DC in a site can automatically become a bridgehead.

So if corporate headquarters is in NYC, and you have three remote locations, Miami, Chicago and Seattle, and direct communications does not exist, meaning that each remote location can only communicate with headquarters, and IP routing has not been configured between the remote locations, and the KCC creates a connection object (partnership) between a DC in Miami and a DC in Seattle, what will happen?

Since they can’t directly communicate, then replication fails. And if the Seattle partnership is the only connection object Miami may have, but Seattle happens to have one to NYC, and keeping in mind, replication is a PULL request, then Seattle will receive replication from NYC, but Miami can’t pull anything from Seattle, because there is no direct or indirect communications. So Miami winds up being in a secluded island.

In Miami’s DC’s view, it thinks no one wants to talk to it, so it will complain (you will see multiple event log errors) that others having replicated with it. And according to the DCs in the other sites, they will all think the same thing about Miami.

So who’s right? Of course, they all are. If the lack of replication goes beyond the AD Tombstone, then Miami would need to be demoted. Then again, you can’t even do that because it doesn’t have direct communications with its partner. Then if it does pick a DC in headquarters to demote, you will see an error stating that the headquarters DC already thinks the DC no longer exists. In the case of trying to demote it, or even forcedemoting it beyond the Tombstone, then your only option is to unplug it, run a metadata cleanup and re-promote it. But wait, then the same thing will occur if you don’t disable BASL.

So is it right that we do the same thing over and over and expect different results? Nope. Let’s configure AD to make sure it will not happen again, by disabling BASL.

Here’s a non-fully routed infrastructure. For the full-sized image, click here.

Disable BASL

Simply put, what we need to do is disable BASL (Bridge All Site Links) in a non-fully routed infrastructure to tell the KCC to only partner DCs across a specific site link.

Yes, that means you also have to create specific IP site links between headquarters in NYC to each site, as the image above shows.

And even if you have 20 sites all fully routed EXCEPT for one of them, then the same thing goes. You must disable it all because of that one site, otherwise the KCC will partner with a DC that it may not have direct communications with.

How to disable BASL. For the full-sized image, click here.

Summary

If you want to make sure your AD infrastructure is properly purring along and doing its job, then by all means let’s design it properly, make the necessary modifications, and other changes, to get it going in the right direction.

Oh, and you can’t forget to bone up on your DNS knowledge and how it supports AD. All Sites get registered in DNS by the netlogon service. Read more:

How DNS Support for Active Directory Works
http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx

And to understand the DNS SRV records registered by a DC’s Netlogon service, read Sean Dubey’s blog, with DNS SRV records examples, once again, I refer you to Sean Ivey’s blog:

Sites Sites Everywhere…, By Sean Ivey, Microsoft DS PFE
http://blogs.technet.com/b/askds/archive/2011/04/29/sites-sites-everywhere.aspx

References

Designing the Site Topology
http://technet.microsoft.com/en-us/library/cc787284(WS.10).aspx

Detailed branch office deployment guide (downloadable doc)
http://www.microsoft.com/downloads/details.aspx?FamilyId=9353A4F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en

Best Practice Active Directory Design for Managing Windows Networks
http://technet.microsoft.com/en-us/library/bb727085.aspx

You may want to take a look at the design IPD guide (Infrastructure Planning and Design) for AD – Download Details: IPD guide for Active Directory Domain Services – version 1.0
http://www.microsoft.com/en-us/download/details.aspx?id=732

Download the complete Infrastructure Planning and Design (IPD) Guide Series v2.0 including links for AD IPD, SCCM IPD, and more.
http://technet.microsoft.com/en-us/library/cc196387.aspx

Comments & Corrections are welcomed.

Ace Fekay

Event ID 1054

Original publication: 8/12/2010
Edited: 8/30/2014

 

Prologue

Ace here again. This was an older blog that I’ve revamped. I’ve been going through my blogs to clean them up, syntax, accuracy, etc. If anyone sees any discrepancies, please let me know.

There are a number of reasons this event may occur, no matter which Source Name its related to. One of the main reasons this behavior may occur is if the address for the configured preferred DNS server unreachable. One of the first things to do is check www.eventID.net’s link to see if it applies to your scenario:
http://eventid.net/display.asp?eventid=1054

Summary of possibilities:

1. Using a DNS address that doesn’t have the AD zone data. Make sure the only DNS addresses on the NIC are the internal DC/DNS servers. Remove the ISP’s or the router’s as a DNS address. They do not have AD’s zone data that is required for AD to function properly.

Active Directory’s Reliance on DNS, and why you should never use an ISP’s DNS address or your router as a DNS address
Published by acefekay on Aug 17, 2009 at 7:35 PM
http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx

2. Multihomed DCs. If the DC is multihomed, numerous issues can result, too long to list. See the following for more info:

Multihomed DCs with DNS, RRAS, and/or PPPoE adapters
Published by acefekay on Aug 17, 2009 at 9:29 PM
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

3. AD DNS Domain Name is a Single Label Name. The name has no TLD, such as “domain” rather than domain.net, domain.local, etc. This can cause numerous problems, too lengthy to list. It also causes Windows XP SP3 and newer operating systems to fail the ability to resolve DNS names properly. See the following link for more information.

Active Directory DNS Domain Name Single Label Names
Published by acefekay on Nov 12, 2009 at 6:25 PM
http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx

4. There are unknown LdapIpAddress entries. This is the “same as parent” name under the zone. There should only be one for each DC in the domain. If there are others, it will cause numerous issues with AD, GPOs, DFS, and other AD functions.

5. Multiple A records for the DC. Make sure there is only one IP address for each DC. If not, it falls under the multihomed DC issue in #2.

6. Multiple GcIpAddresses. Check the _gc_msdsc.yourDomain.local record to make sure there is only one entry for each GC. If there are multiples for one GC, that will cause problems, and falls under the multihomed DC issue in #2.

7. Unknown NS names in the zone. Go into each zone properties (yourDomain.local and _msdcs.yourDomain.local), Nameservers tab, and make sure only your DC/DNS servers show up.  If there are others, please remove them. This tab indicates which NS and SOA is for the zones, and if any unkown servers are listed, the client machine may be trying to query for them during resolution and registration, and will cause problems.

8. AMD Opeteron CPUs are known to cause issues. One poster in the Microsoft forums reported EventID 1054 issue on a Dell T105 (circa 2010) with Dual Core Opterons. It was found the AMD Opeteron processor has timing issue. From previous reports, Microsoft supposedly fixed it in Windows 2003 SP2, but something may have changed in recent AMD core releases causing it again. One key test was to ping the server’s own IP. If you receive negative ping times, timing is skewed. A reboot fixes it for a while but then it drifts and EventID 1054 resume.

There are AMD processor patches that you can find at AMD’s website. Another workaround is to add the “/usepmtimer” switch to boot.ini. KB895980 provides more specifics about this issue.

Programs that use the QueryPerformanceCounter function may perform poorly in Windows Server 2000, in Windows Server 2003, and in Windows XP
http://support.microsoft.com/?id=895980

9. Make sure time is configured properly. You never know, this is one that many do not think about that can cause many issues, which may or may not possibly cause EventID 1054 errors, but it would not hurt to make sure the time service is operating properly. See the following link for more information:

Configuring the Windows Time Service for Windows Server
Published by acefekay on Sep 18, 2009 at 8:14 PM
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx

 

Steps to help narrow down this issue:

Let’s start by using nslookup to see if you get the proper resonse when querying for LDAP SRV records.

1. Type nslookup, and then press ENTER.
2. Type set q=all, and then press ENTER.
3. Type _ldap._tcp.dc._msdcs.domain.com and then press ENTER.

You will be looking for the domain controllers to respond to this query. If they do not, then we need to look at your SRV records as well as whether any of the above summarized causes are contributing to the non-DC responses, such as using an ISP’s DNS, the router, multihomed DCs, single label name, etc.

More possible causes:

In addition, These errors may occur because link status fluctuates as the network adapter (also known as the network interface card, or NIC) driver initializes and as the network adapter hardware negotiates a link with the network infrastructure. The Group Policy application stack executes before the negotiation process is completed and can fail because of the absence of a valid link.

*

Possible Resolutions:

Resolution 1:

To resolve problem related to link status fluctuation use the steps in 239924 –
“How to disable Media Sensing for TCP/IP in Windows” at
http://support.microsoft.com/?id=239924 .

To prevent your network adapter from detecting the link state:

  1. Open Registry Editor (Regedt32.exe).
  2. Go to the following key in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
  3. Add the following registry value:
    Value Name: DisableDHCPMediaSense
    Data Type: REG_DWORD -Boolean
    Value Data Range: 0, 1 (False, True) Default: 0 (False)

Resolution 2:

Contact the vendor of the network card or visit their web site to obtain updated
drivers for the Gigabit NIC.

Examples of NICs known to exhibit this issue:
– Broadcom Gigabit Adapter
– Intel Gigabit Ethernet PRO Adapter, Intel Pro/1000
– Intel 82544EI-based XT Gigabit Adapter (82540EM chipse)
– Compaq/HP NIC dual interface 10/100/1000 doing teaming (HP NC7170)
– Dell Inspiron laptops using an on-board Broadcom BCM4401 NIC

Resolution 3:

A sever may have a Dual Port NIC or multiple NIC’s with one port or NIC set to
Disabled. The disabled port or NIC should not be at the top of the binding order
in the Network Advance Properties.

  1. Click Start, point to Settings, and then click “Network and Dial-up
    Connection”.
  2. On the Advanced menu, click “Advanced Settings”.
  3. On the “Adapters and Bindings” tab, in the connections list, select the NIC that
    the clients use to connect to the server and move it to the top of the list.

Resolution 4:

Disabling spanning tree on the switches (Cisco Catalyst)

Note: STP=Spanning Tree Protocol. Turning off STP can cause issues in your network
if a loop ever develops. If you are running a Cisco Series switch or any other
switch that runs Spanning Tree, it is best to leave spanning tree turned on, but
enable PORTFAST on all the ports except uplink and fiber trunks. (I.E any ports
that aren’t connected to a workstation directly should not have it enabled, ports
that do go directly to a workstation or computer should have it turned on.)
PORTFAST eliminates the 50 second waiting period that STP has, but allows you to
keep the functionality of STP.
 

*

References:

326152 PRB: Cannot Connect to Domain Controller and Cannot Apply Group Policy
http://support.microsoft.com/kb/326152

298656 Event ID 1054 Is Logged in the Application Event Log
http://support.microsoft.com/kb/324174/en-us

239924 How to Disable Media Sense for TCP/IP in Windows
http://support.microsoft.com/kb/239924

*

Summary

I hope this helps to track down the cause of an Event ID 1054.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This blog is provided AS-IS with no warranties or guarantees and confers no rights.