

Archive for DNS/DHCP

Remove References of a Failed DC/Domain Or Perform Metadata Cleanup

May 8th, 2011

I have seen misconceptions about metadata cleanup while reading various forums and questions, so I decided to write something that will help people understand what metadata cleanup is and when it needs to be run.

Consider that one of your DCs, the one serving as the PDC, crashed. What you did: you seized the FSMO roles on a healthy DC and then moved all the other AD-related services (DNS, GC, DHCP, etc.) onto it. You thought you were done, but you skipped an important step: removing the crashed DC's objects and its references from AD, so that AD knows this DC no longer exists.

There are two ways of demoting a DC: a normal demotion using DCPROMO, and a forceful removal using DCPROMO /FORCEREMOVAL, which requires the additional step of metadata cleanup. Keep in mind that your first option should always be a graceful demotion; only if that doesn't work should you use forced removal. If the server has crashed there is no question of a graceful demotion, because graceful demotion is only possible while you can still run dcpromo on the DC to remove AD. If the DC has already crashed, metadata cleanup is the only option.

Metadata cleanup is the process required to remove a failed DC, one that can't be demoted gracefully, from the domain. Does metadata cleanup remove every entry from AD? The answer is NO. It doesn't remove all the records from AD, and in a few places manual cleaning of those objects is required, one of them being the DNS server. But why doesn't it remove all the records when I performed metadata cleanup following the steps? The reason is that DNS has its own aging/scavenging configuration, which removes entries from DNS only when they become stale. When a system/DC is removed, the computer object is deleted from AD, but it is not removed from the AD database until the TSL (Tombstone Lifetime) expires. In DNS, each record has an attribute called dnsTombstoned whose value can be either True or False. When a host record is removed it is not actually deleted; its dnsTombstoned attribute is set to True so that it is purged later at the configured aging/scavenging interval, so the record still exists in AD in the meantime.

The places you need to check, whether you used a normal demotion or a forced demotion of a DC, are below.

-Each & every sub-folder inside the _msdcs folder in DNS

-The Name Servers tab of the zone in DNS

-Host (A) records in DNS

-The server object under NTDS Settings in AD Sites & Services

-Open ADSIEDIT.MSC, connect to the Configuration partition and browse to CN=Configuration,DC=domain,DC=com > CN=Sites > locate the DC to be removed from the sites.

Note: ADSIEDIT is a powerful tool for editing AD database objects, and any modification made with it is permanent. If you are unsure of what you are doing, take a System State backup first and only then modify anything, because restoring an object deleted from there will require that System State backup.
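As an added example (not code from the original post), the script below checks the places listed above for references to a failed DC that survived the metadata cleanup. It assumes the ActiveDirectory and DnsServer PowerShell modules (Windows Server 2012 or later, or RSAT); the DC name, domain and DNS server are placeholders for your own environment.

```powershell
# Added example, not from the original post: after a metadata cleanup, look for any reference
# to the failed DC that is still present in the places the post lists. Assumes the ActiveDirectory
# and DnsServer PowerShell modules (Windows Server 2012 or later / RSAT); the DC name, domain
# and DNS server below are placeholders for your own environment.
param(
    [string]$FailedDc  = 'DC2',                # short host name of the crashed DC (placeholder)
    [string]$Domain    = 'corp.example.com',   # AD domain / DNS zone name (placeholder)
    [string]$DnsServer = 'DC1'                 # a healthy DC that hosts DNS (placeholder)
)
Import-Module ActiveDirectory, DnsServer

$failedFqdn = "$FailedDc.$Domain"
$findings   = New-Object System.Collections.Generic.List[string]

# Gather every record from the domain zone and, in a forest root, from the separate _msdcs zone.
# Sub-folders (_msdcs, _sites, _tcp, ...) belong to the same zone, so one call per zone covers them.
$records = foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction SilentlyContinue |
        Add-Member -NotePropertyName Zone -NotePropertyValue $zone -PassThru
}

foreach ($r in $records) {
    # Work out which host each record type refers to
    $target = switch ($r.RecordType) {
        'A'     { if ($r.HostName -ieq $FailedDc) { $failedFqdn } }   # host record
        'NS'    { $r.RecordData.NameServer.TrimEnd('.') }             # Name Servers tab
        'SRV'   { $r.RecordData.DomainName.TrimEnd('.') }             # _msdcs/_sites/_tcp sub-folders
        'CNAME' { $r.RecordData.HostNameAlias.TrimEnd('.') }          # DSA GUID alias under _msdcs
        default { $null }
    }
    if ($target -and $target -ieq $failedFqdn) {
        $findings.Add("DNS: $($r.RecordType) '$($r.HostName)' in zone $($r.Zone) still refers to $failedFqdn")
    }
}

# Server object under NTDS Settings in AD Sites & Services (the same object ADSIEDIT shows under
# CN=Sites in the Configuration partition)
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" |
    ForEach-Object { $findings.Add("AD: server object still present at $($_.DistinguishedName)") }

# Computer account of the DC in the domain partition
Get-ADComputer -Filter "Name -eq '$FailedDc'" -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("AD: computer account still present at $($_.DistinguishedName)") }

if ($findings.Count -eq 0) {
    Write-Output "No leftover references to $failedFqdn found; cleanup is complete."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from any healthy DC after the cleanup and again after a replication cycle; a non-empty list tells you exactly which of the five places above still needs a manual delete. On Windows 2008, where the DnsServer module is not available, the same DNS checks can be made by reading the output of dnscmd /enumrecords.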

Metadata cleanup is made simple in Windows 2008, which provides a GUI for it, so if you have any DC running Windows 2008 you can perform the metadata cleanup from that DC. It doesn't matter which DC you choose to clean up the failed DC's records from.

Note: Once you have performed the metadata cleanup of a DC, don't immediately reuse the same hostname/IP of the failed DC to build a new DC, because you have to allow the changes to replicate to all the other domain controllers in the forest by waiting for at least one replication cycle to complete. If you have only a few DCs and good bandwidth, you can force the replication using repadmin /syncall /APeD. The E switch forces replication between all the DCs in the forest (across sites), which may generate extra traffic during business hours, so run it at COB (Close of Business) hours.

Few Questions:

-Does metadata cleanup need to be run on all the DCs, or from a particular DC?

The answer is No & NO.

-Does metadata cleanup remove all the records from AD?

The answer is no & never. There is no tool from Microsoft that removes all the records of a failed DC.

-Is metadata cleanup also required after a normal demotion of a DC?

The answer is no, as it is only used for removing a failed domain controller that can't be removed gracefully.

-Is metadata cleanup required for removing a member server?

The answer is no, it is only required for a domain controller.

Related link: Metadata cleanup in Windows 2003

Metadata cleanup in Windows 2008

I have posted this article on the TechNet Wiki too; below is the link.


Posted in Directory Services, DNS/DHCP | 14 Comments »

Configuring DNS in child domain

April 9th, 2011

I have seen people on various forums/blogs getting confused about how to configure the DNS server in a child domain for resolution of the parent domain's names. The confusion is: should the child DC point to itself as its DNS server address, or to the parent DNS server, in order to resolve names in both the parent and the child domain? To make life easier and remove the confusion, I thought of coming up with this article on my blog.

Firstly, understand that DNS is the backbone of AD, and most of the issues we face in our environments are caused by improper DNS server configuration. In a few posts I saw people using a public IP or their ISP's DNS address directly in the NIC of their servers/domain systems as the preferred DNS server, which is absolutely wrong. The reason is this: when a DNS lookup is performed for a local resource record in the domain, the system first checks the local hosts file (in the "etc" folder); if nothing matching is configured there, it queries the preferred DNS server configured on the NIC. If the NIC's preferred DNS address is a public IP or the ISP's IP, the query for the local domain name is forwarded straight to that public server, and it will go out there before eventually coming back with "request timed out". The reason is that your local domain and its records exist only in your local DNS server. How can a DNS server hosted outside your domain know about the existence of such a private domain when it holds no records for it? From a security perspective, it is also a wide-open passage for an attacker to penetrate your infrastructure and attack your network for access.

The public DNS server's IP has to be configured in the Forwarders tab of your local DNS server. If you have multiple DNS servers running in your domain, configure the forwarders of all of them with this public DNS IP address, but make sure you obtain this public DNS server address from your ISP and that you are not using something like or , since those are not the authoritative DNS servers for your domain through which the query has to pass for name resolution. Queries for external domain names have to pass through your ISP's DNS server. Using or any other public IP directly in your DCs/servers as the preferred or alternate DNS server is going to pose a security threat to the environment.

Question: How do I set up DNS for a child domain?

Answer: To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server.

Note: Windows Server 2003 has additional types of zones, such as Stub Zones and forest-level integrated Active Directory zones, that may be a better fit for your environment.

Set the child domain controller to point to itself first. As soon as an additional domain controller is available, set the child domain controller to point to this domain controller in the child domain as its secondary.

How To Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain

Note: Ignore the OS version; this is applicable to all Windows versions, as the DNS concept has not changed.
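The delegation, secondary zone and client setting described in the quoted answer, as an added example (not from the original post or the KB article it quotes). Names and addresses are constructed placeholders: parent zone corp.example.com served by PDC1 (10.0.0.10), child domain emea.corp.example.com with child DCs CDC1 (10.1.0.10) and CDC2 (10.1.0.11). It assumes the DnsServer and DnsClient modules (Windows Server 2012 or later), and the stub-zone alternative the KB note mentions is shown as a comment.

```powershell
# Added example, not from the original post or the KB article it quotes.
# Constructed placeholders:
#   parent zone corp.example.com, parent DC/DNS PDC1 = 10.0.0.10
#   child zone  emea.corp.example.com, child DCs CDC1 = 10.1.0.10 and CDC2 = 10.1.0.11
# Requires the DnsServer and DnsClient modules (Windows Server 2012 or later).
Import-Module DnsServer, DnsClient

$parentZone      = 'corp.example.com'
$childLabel      = 'emea'
$parentDns       = 'PDC1'
$parentDnsIp     = '10.0.0.10'
$childDcFqdn     = "CDC1.$childLabel.$parentZone"
$childDcIp       = '10.1.0.10'
$secondChildDcIp = '10.1.0.11'

# --- Step 1, on the parent DNS server: delegate the child namespace to the child DC ---
# This creates the NS (and glue A) records for emea under corp.example.com, so a query for any
# *.emea.corp.example.com name arriving at the parent is referred to CDC1.
Add-DnsServerZoneDelegation -ComputerName $parentDns -Name $parentZone -ChildZoneName $childLabel `
    -NameServer $childDcFqdn -IPAddress $childDcIp

# Allow only the child DC to pull a copy of the parent zone (needed for the secondary zone in step 2)
Set-DnsServerPrimaryZone -ComputerName $parentDns -Name $parentZone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $childDcIp

# --- Step 2, on the child DC (run locally): host a read-only copy of the parent zone ---
# Parent names now resolve inside the child's own DNS server instead of being sent to the parent
# for every lookup. The lighter alternative from the KB note is a stub zone:
#   Add-DnsServerStubZone -Name $parentZone -MasterServers $parentDnsIp -ReplicationScope Forest
Add-DnsServerSecondaryZone -Name $parentZone -ZoneFile "$parentZone.dns" -MasterServers $parentDnsIp

# --- Step 3, on the child DC: point to itself first, to the second child DC as alternate ---
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses @($childDcIp, $secondChildDcIp)

# --- Verify through the child DC: one parent-zone name, one child-zone name ---
Resolve-DnsName -Name "$parentDns.$parentZone" -Server $childDcIp -Type A
Resolve-DnsName -Name $childDcFqdn -Server $childDcIp -Type A
```

Steps 1 and 2 are administrative actions on two different servers, so run each section where the comment says; the verification at the end should return both addresses from the child DC alone, which is the behaviour the quoted answer is after.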


Posted in Directory Services, DNS/DHCP, Exchange | 2 Comments »

Friday Mail Sack Directory Services by NedPyle(Technical Lead in Microsoft)

March 25th, 2011

Presumably many of you already know this, so this is for those who don't: Ned Pyle (Technical Lead at Microsoft) shares his Directory Services knowledge every Friday in the "Friday Mail Sack" questions and answers, which gives us a great opportunity to learn about DS in depth and clear up doubts and myths related to Directory Services. Every Friday (unless he is on leave or otherwise unavailable) he shares a plethora of interesting concepts and facts about Directory Services.

If you are eager to learn about the workings, concepts, design, bugs, etc. of Directory Services, keep an eye on the Friday Mail Sack as well as Ned Pyle's blog at the link below. I can say firmly that it has cleared up a lot of my doubts and strengthened my DS concepts. If you wish to learn, take a look, bookmark it or subscribe to the RSS feed; it is worth reading and worth your time.

It's a great initiative by Ned & the DS team. Kudos to Ned & his team for the great work.

Take a look at his latest session on Dcdiag.

Friday Mail Sack


Posted in Directory Services, DNS/DHCP, Exchange, OS/Certificates, SCCM/SCOM | No Comments »

DNS recommendations from Microsoft

March 8th, 2011

In many forums/posts I often see the question of how to configure DNS on a domain controller: should the primary DNS server point to itself or to a secondary DNS server, is it OK to configure the loopback IP, what are the best practices, etc.

I won't cover everything; I'll leave the link below to answer that for you. A few things I would like to mention:

  • NEVER configure a public IP directly in the NIC, whether of a DC or of a client.
  • A public IP (the ISP's DNS), used for external domain name resolution, should always be configured in the Forwarders of your DNS servers.

Ned Pyle from Microsoft has published the recommendations and best practices for DNS. So next time you are confused or looking for best practices, follow the link below.


Posted in Directory Services, DNS/DHCP, Exchange | 4 Comments »

DNS Scavenging And Auditing concepts

February 8th, 2011

Scavenging is the process that removes stale records from DNS to keep it healthy and fit. Many people have doubts about whether it should be enabled or not, and find themselves confused about what exactly scavenging is and how it works.

I have seen the question: if I create a static record (a record created manually), is that static record also eligible for scavenging? The answer is no. The reason is that when you create a static record, the "Delete this record when it becomes stale" box is unchecked (shown in the figure), which is not the case for records created by the automatic registration process.

When a machine is disjoined from the domain, its record is not deleted instantly; instead its dnsTombstoned attribute is changed to TRUE and the record is deleted from the DNS server's in-memory cache. The scavenging process starts at 2AM every day and checks whether the dnsTombstoned value marks the record for deletion or not.

How do you enable auditing of record creation, modification or deletion in DNS?

The reason above should suffice: DNS records are not deleted immediately; the dnsTombstoned attribute is changed to True or False for later deletion. So if you plan to re-join a system to the domain immediately after it was removed, you need to delete its DNS records manually, along with manually deleting the computer object from ADUC, before joining the system to the domain, or wait a few hours for this to happen on its own. Take a look at the link below to know more.
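The three facts this post relies on can be inspected directly. The script below is an added example (not from the original post): it reads the server- and zone-level scavenging settings, separates static records (no timestamp, so never scavenged) from dynamic ones, and lists the dnsNode objects in AD whose dnsTombstoned attribute is TRUE, which is what collides with an immediate re-join under the same name. It assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later); DC1 and corp.example.com are placeholders.

```powershell
# Added example, not from the original post. Shows scavenging settings, static vs dynamic records,
# and DNS records that are "deleted" but still in AD with dnsTombstoned=TRUE.
# Placeholders: DC1 hosts DNS; zone corp.example.com. Needs ActiveDirectory + DnsServer modules.
Import-Module ActiveDirectory, DnsServer
$dnsServer = 'DC1'
$zone      = 'corp.example.com'

# Server-wide scavenging: nothing is ever removed unless ScavengingState is True here ...
Get-DnsServerScavenging -ComputerName $dnsServer |
    Select-Object ScavengingState, ScavengingInterval, NoRefreshInterval, RefreshInterval, LastScavengeTime

# ... and aging is switched on for the zone itself
Get-DnsServerZoneAging -ComputerName $dnsServer -Name $zone |
    Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval

# A manually created record has no timestamp ("Delete this record when it becomes stale" unchecked),
# so scavenging ignores it; dynamically registered records carry the timestamp scavenging compares
# against NoRefresh + Refresh intervals.
$records = Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone -RRType A
$static  = @($records | Where-Object { -not $_.Timestamp })
$dynamic = @($records | Where-Object { $_.Timestamp })
Write-Output "Static (never scavenged): $($static.Count)   Dynamic (eligible): $($dynamic.Count)"

# Oldest dynamic records are the next candidates for removal
$dynamic | Sort-Object Timestamp | Select-Object -First 10 HostName, Timestamp,
    @{ Name = 'IP'; Expression = { $_.RecordData.IPv4Address } }

# Records removed from DNS stay in AD as dnsNode objects with dnsTombstoned=TRUE until they are
# purged. Both locations an AD-integrated zone can live in are searched.
$domainDN = (Get-ADDomain).DistinguishedName
$bases = @("DC=DomainDnsZones,$domainDN", "CN=MicrosoftDNS,CN=System,$domainDN")
foreach ($base in $bases) {
    Get-ADObject -SearchBase $base -LDAPFilter '(&(objectClass=dnsNode)(dnsTombstoned=TRUE))' `
        -Properties dnsTombstoned, whenChanged -ErrorAction SilentlyContinue |
        Select-Object Name, whenChanged,
            @{ Name = 'Zone'; Expression = { ($_.DistinguishedName -split ',')[1] -replace '^DC=' } }
}
```

If the re-join problem from the post is what you are chasing, the last section is the one to look at: a tombstoned dnsNode with the host's name and a recent whenChanged is the record that has to be removed by hand.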


Posted in DNS/DHCP | No Comments »

Loopback Group Policy Explained

November 11th, 2010

Loopback Group Policy is used to apply user configuration settings based on the computer. Loopback processing comes to the rescue when you want to apply user configuration settings to a computer regardless of which user logs on to that particular system. There are basically two modes: Replace and Merge. When you select Replace mode in the loopback GPO, the computer and user configuration defined in the computer's OU is applied, irrespective of which OU the user belongs to and what user configuration GPOs are defined in that OU. When you select Merge mode, the user and computer configuration from the loopback GPO is applied together with the user configuration GPOs of the user's own (different) OU. In case of a conflict, the user configuration from the loopback GPO wins.

Loopback policy is a very effective GPO setting, but it requires proper understanding and planning before it can be implemented in a live environment. I firmly believe that anything not properly understood, or anything new, has to go through lab testing first; otherwise your production environment becomes the testing environment, and that can cause serious business loss for the clients. For testing, create an independent lab using either Virtual PC or VMware. Always test a GPO before applying it to production, because reverting the changes takes time and may not be as simple as applying them.
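The mode a loopback GPO uses is stored as a registry-based policy value, so you can inventory which GPOs in the domain enable loopback, in which mode, and where they are linked before you touch production. The script below is an added example (not from the original post); it assumes the GroupPolicy module and uses the documented policy location HKLM\Software\Policies\Microsoft\Windows\System, value UserPolicyMode (1 = Merge, 2 = Replace). The GPO name in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Reports every GPO that configures loopback processing
# (and in which mode), and offers a helper to set the mode on a GPO. Requires the GroupPolicy module.
Import-Module GroupPolicy

$loopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$loopbackName = 'UserPolicyMode'                 # registry value behind the loopback setting
$modeName     = @{ 1 = 'Merge'; 2 = 'Replace' }  # documented meaning of the DWORD

function Get-LoopbackGpo {
    # One object per GPO that has loopback configured: name, mode and the containers it is linked to
    foreach ($gpo in Get-GPO -All) {
        try {
            $val = Get-GPRegistryValue -Guid $gpo.Id -Key $loopbackKey -ValueName $loopbackName -ErrorAction Stop
        } catch {
            continue   # the key is absent from this GPO, so loopback is not configured here
        }
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        [pscustomobject]@{
            Gpo      = $gpo.DisplayName
            Mode     = $modeName[[int]$val.Value]
            LinkedTo = (@($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; ')
        }
    }
}

function Set-LoopbackMode {
    # Sets Merge or Replace on an existing GPO; the GPO still has to be linked to the OU holding the
    # computers, since loopback is a computer-side setting.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][ValidateSet('Merge', 'Replace')][string]$Mode
    )
    $value = if ($Mode -eq 'Merge') { 1 } else { 2 }
    Set-GPRegistryValue -Name $GpoName -Key $loopbackKey -ValueName $loopbackName -Type DWord -Value $value | Out-Null
}

# Inventory first; review the LinkedTo column against the OUs you expect before changing anything
Get-LoopbackGpo | Format-Table -AutoSize

# Example change in a lab (placeholder GPO name):
# Set-LoopbackMode -GpoName 'Lab - Kiosk Loopback' -Mode Replace
```

Run the inventory in the lab and in production before and after a change; a GPO that appears with Mode Replace but is linked to an OU containing ordinary workstations is exactly the kind of surprise the post warns about.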

Additional references to help you better understand.


Posted in Directory Services, DNS/DHCP, Group Policy | No Comments »