Active Directory Inside Out (5 of 10): DNS Features and Configuration

November 12, 2004

**Please note:** Portions of this transcript have been edited for clarity.

Introduction

MJMurphy (Moderator):
Welcome everyone! This is the fifth in a series of 10 chats, Active Directory Inside Out! These chats are scheduled along with the AD webcast series (see link below in related links). The principal focus of today's chat will be AD integration with DNS, their functionality and relationships.

I'm Michael J. Murphy a TechNet Events Presenter. I live in the Northeast and deliver live TechNet Events in New York and New Jersey. I am also hosting the AD webcast series, Active Directory Inside Out!

Shawn (Moderator):
This chat has now begun! My name is Shawn Travers, a TechNet Presenter out of the MidAmerica District, and I will be moderating this chat today. We are ready for your questions on Active Directory in Windows 2000 and Windows 2003.

I want to thank everyone who is joining us today, especially those who have been watching the corresponding webcast series located at https://www.microsoft.com/seminar/events/default.mspx.

Mike Brannigan MSFT (Expert):
Hi, I'm Mike Brannigan. I'm an Enterprise Strategy and Senior Consultant, specializing in Active Directory and Windows Platforms (2000, XP, Server 2003 and others past and future) in the Windows Platform Infrastructure Delivery Group.

Start of Chat

Mike Brannigan MSFT (Expert):
Q:
I have been having AD replication problems for the past couple of weeks. I have 2 DCs on the domain, both Server 2003. RA-01 is GC/DC and can replicate to the other domains in the forest. RA-02 is the messed up DC and cannot replicate to anyone else.
A: Have a look at Troubleshooting replication: https://technet2.microsoft.com/windowsserver/en/library/8dd5dd9e-d163-4260-bc9d-3286af55bad31033.mspx?mfr=true

Blain Barton - MSFT (Expert):
Hello everyone, I’m Blain Barton, an IT Pro Evangelist and TechNet Presenter for Gulf States, residing in sunny Florida. I’ve been with Microsoft going on 12 years now and learn something new every day! I hope to point you to some great references and get you answers to your questions. Welcome to today’s chat on Active Directory and DNS dependencies.

Chris Avis [MSFT] (Expert):
Good Day everyone! My name is Chris Avis and I am a Technology Specialist for Microsoft. Please submit your DNS questions and we will be happy to help out!

Charles (Expert):
Hi. My name is Charles Wilson. I am a Technical Lead for the PSS Active Directory Services Team and I live in Las Colinas, Texas.

Shawn (Moderator):
Rich H, if you want to include all of that information, just continue to re-select the "Submit a question" radio button.

Chris Avis [MSFT] (Expert):
Q:
Hi I have an Active Directory question for one of the experts.
A: Go right ahead and ask!

Chris Avis [MSFT] (Expert):
Q:
I have been having a lot of problems getting Windows NT PCs and sometimes 2000 PCs to join a domain over a VPN. The problem does not appear to be just the line speed, since I can join fine over a 56K frame-relay.
A: Good Day Caleb! To join the domain, you must have proper DNS information. Make sure the VPN Clients have DNS Name resolution to the DC's on the remote network. You can assign the DNS manually to the connection properties to help make sure this happens. Then, once connected, ping the DC by name. If there is any more than a 2 second pause, you probably have a DNS name resolution issue to resolve.

Chris Avis [MSFT] (Expert):
Q:
Most of these VPN's have been over DSL or radio (breezeCom). Speeds are 256K-1MB. I have tried setting DNS to our WINS server, locking the IP addresses and setting the domain. No luck. The Domain is a Windows 2000 forest.
A: Since this is a DNS chat session, I don't want to troubleshoot beyond that. However, if the suggestion I provided does not resolve it, feel free to email me at chrisavi@microsoft.com to continue.

Mike Brannigan MSFT (Expert):
Q:
I assume that I am going to have to demote RA-02, clean up, and repromote per https://support.microsoft.com/default.aspx?scid=kb;en-us;332199 and https://support.microsoft.com/default.aspx?scid=kb;en-us;216498.
A: That may be a good idea as that DC does appear to be causing issues. If you can DCPROMO it out of the domain, ensure you clean up if you need to, as replication, if broken, may not properly handle the removal, so you may need to use the metadata clean-up. Be careful if this server is doing anything for your Exchange infrastructure. If it is just a DC then going for the demotion option may be the fastest solution.

After you do the demotion, do the usual checks to ensure your domain is consistent, such as checking replmon etc.

Blain Barton - MSFT (Expert):
Q:
What kind of features will I miss if I do not raise the functional level to Windows 2003, while all DCs are WS03?
A: Thank you for the question. Although this is not really a DNS AD question for this chat, take a look at the functional levels document link at: https://technet2.microsoft.com/windowsserver/en/library/74d58697-970a-45db-9139-ebcd3db051181033.mspx?mfr=true

Chris Avis [MSFT] (Expert):
Links to Windows Server 2003 DNS FAQ - https://support.microsoft.com/default.aspx?scid=kb;en-us;291382

Chris Avis [MSFT] (Expert):
Link - How to Integrate Windows 2003 DNS with an Existing DNS Infrastructure -- https://support.microsoft.com/default.aspx?scid=kb;en-us;323417

Blain Barton - MSFT (Expert):
Q:
I'm running exchange 5.5 sp4 on a 2003 AD network on 2003 Interim Domain Function Level. Can I bump my functional level up to 2003 without it affecting my exchange server?
A: Even though this is a question on Exchange and not related to DNS and AD, check out the link at: https://technet2.microsoft.com/windowsserver/en/library/74d58697-970a-45db-9139-ebcd3db051181033.mspx?mfr=true

Shawn (Moderator):
Q:
yes, it is a member server
A: Thanks.

Charles (Expert):
Q:
I'm running exchange 5.5 sp4 on a 2003 AD network on 2003 Interim Domain Function Level. Can I bump my functional level up to 2003 without it affecting my exchange server?
A: Hi Matty. I will assume that your Exchange Server is running on a server that is not a domain controller. If that is the case changing the functional level to Windows 2003 should have no impact on how Exchange performs.

Chris Avis [MSFT] (Expert):
Q:
There does seem to be a resolution problem, but the 2000 PCs almost never have any issues. I only have real trouble with the NT PCs. (We are planning to eliminate these within a few months). The DNS queries appear to timeout.
A: For the NT Clients, you should also set up NetBIOS resolution if possible. NT boxes locate DC's via NetBIOS (WINS or the LMHOSTS file). You can also assign a WINS server in the Connectoid properties.

Mike Brannigan MSFT (Expert):
Q:
If we demote/promote the DC, which is the Exchange server, will we lose some Exchange data?
A: Yes you will - so DO NOT demote the DC without uninstalling Exchange after you backup all the Exchange data stores.

Then get the DC back in the domain, reinstall Exchange and recover the Exchange config and databases from that backup.

Chris Avis [MSFT] (Expert):
Q:
We only have a single Exchange server. What I'm not certain of is what Exchange info is stored in the AD.
A: Practically ALL Exchange information is stored in AD. Some Exchange service information is also stored in the Metabase, as Exchange utilizes IIS for the SMTP/POP3 and other services. If you are wishing to demote a DC and Exchange is on that machine, you should do the following - Perform a System State backup to back up AD. Perform a backup of the Exchange Data *or* move all the Exchange Data (MDBDATA Directory) to a safe location. If you have a second DC, then the Exchange Data will be retained in AD by the other DC's. You then uninstall Exchange, demote, promote, re-install Exchange, restore the Exchange Data.

Chris Avis [MSFT] (Expert):
Q:
My DNS queries outside of my network are slow (ie yahoo.com and others). My ISP thinks I'm crazy, tells me it is an internal problem. I have two DCs running DNS on my network (gigabit ether). I can do nslookups to the DCs quickly. Am I missing something?
A: Well.....first, the DC's should point to themselves for DNS. All internal LAN clients should point to your Microsoft DNS Server for resolution as well. You then want to make sure you have configured DNS to use Forwarders so that when your local DNS can not resolve they will forward requests to another server. To configure forwarders, see the following article -- https://support.microsoft.com/default.aspx?scid=kb;en-us;323380 and https://support.microsoft.com/default.aspx?scid=kb;en-us;814591

Mike Brannigan MSFT (Expert):
Q:
Thank you for the advice. I have also looked at articles which suggest changing a reg key: HKLM\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner. Is this advised, or should I forget it and simply demote?
A: That is a possible temporary fix to put in. You can do that - reboot the server - let replication complete - check the replmon and event logs then once you are happy, remove the key and reboot - then check replication again.

Mike Brannigan MSFT (Expert):
Q:
I want to do a practice disaster recovery of my DNS server on my test bench. I can easily restore DNS if it is a standard DNS zone. But if a zone is AD-enabled, I don't know how to restore it. I am thinking about moving all my zones back to standard...
A: In Server 2003 the DNS integrated zones are held in an application partition. You can authoritatively restore that as part of an AD restore. Or for simplicity for testing you could go back to file based zones - but you ideally should leave them in AD and practice the restore using a system state backup of the AD.

Blain Barton - MSFT (Expert):
Q:
We can't sort any columns or view properties of any contacts under the "Custom Recipients" container in AD anymore. All other containers still allow us to do this. I've been searching the web for about two hours now and see nothing on this. Any ideas?
A: Can you tell me where the container is and what version of Exchange and AD are you working with. Please provide more details, thank you.

Chris Avis [MSFT] (Expert):
Q:
I am going to get rid of WINS since all my clients are XP. However, if I still would like to use \\ComputerNameXP\C$, does it require WINS since it is a NetBios name resolution. Without WINS, can I still browse Microsoft Windows Network?
A: Only if you have a routed network. NetBIOS name resolution is broadcast based and can resolve names on a local subnet. But unless you configure routers to pass those broadcasts, the broadcast will end at the router. It is *NOT* recommended to open the router up either, as it will increase network traffic greatly. You can implement LMHOSTS files instead of WINS in a routed network, but that becomes labor intensive very quickly.

Mike Brannigan MSFT (Expert):
Q:
So, if I attempt to force a replication by the reg hack, I may be able to save data on the bad DC, but I will still need to demote/promote to fix the root cause. Is this basically correct?
A: OK - with this reg edit you may be able to get all the DCs synched and talking together again. Once this is done your DCs and the AD should be consistent, and you should confirm this good state using the usual troubleshooting approach. Once this is done you can remove the reg key and then the system should continue to operate correctly. You will then not need to do the dcpromo in and out.

Blain Barton - MSFT (Expert):
Q:
How can I get rid of my winmgmt.exe program error?
A: Working on it.

Mike Brannigan MSFT (Expert):
Q:
We have a clean, standard W2K Forest (8 DCs/3 domains+root). The DCs handle DNS. Are there any 'Gotchas' or 'Watch-for' items if we do an in-place upgrade to W2003 that might not be clear in the docs? (No Exchange server).
A: A lot of what you are looking for as regards upgrade paths and guidance for ordering etc. is covered in the Windows Server 2003 Deployment Resource Kit.

See Windows Server Deployment Resource Kit: https://technet2.microsoft.com/windowsserver/en/library/8b17196a-71cb-4b0e-a412-7b826d39c87d1033.mspx?mfr=true

Downloadable copies of ALL the books at: https://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx

This is usually a fairly straightforward process. As regards DNS, you may need to be aware of how to move the 2000 AD integrated zone to the application partitions used by Server 2003.

See HOW TO: Reconfigure an _msdcs Subdomain to a Forest-wide DNS Application Directory Partition When You Upgrade from Windows 2000 to Windows Server 2003: https://support.microsoft.com/?id=817470

Chris Avis [MSFT] (Expert):
Q:
Our servers are w2k - are there any advantages for having dns ad-enabled? I only think of disadvantages. I think restoring a system state on a recovery computer with wildly different hardware would be complex?
A: If DNS is AD integrated then ALL DC's will have the DNS data stored in their local copy of AD. Instead of replicating individual ZONE files, you simply replicate DNS "zones" in AD instead. This could be problematic in the case of a catastrophic failure where the hardware is different. But DNS would be the least of your issues in that case as well. If you rebuild the server and make it a DNS Server then it can easily replicate DNS info back from other DC's once it is configured.

Charles (Expert):
Q:
We have a clean, standard W2K Forest (8 DCs/3 domains+root). The DCs handle DNS. Are there any 'Gotchas' or 'Watch-for' items if we do an in-place upgrade to W2003 that might not be clear in the docs? (No Exchange server).
A: Hi Caleb. From a DNS perspective it should be no problem whether it is AD integrated or uses zone files. To speak about the upgrade process itself, you will want to be patient after running adprep /forestprep on your schema master. You will want to ensure that end to end replication has occurred before running /domainprep on the infrastructure master in each domain. Also the documentation might recommend to disconnect the schema master before running /forestprep, but what you will want to do is disable outbound replication using repadmin. Also note that a lot of features are not implemented until you raise the forest functional level to Windows 2003. Here is a link that you may want to review. https://www.microsoft.com/technet/prodtechnol/windowsserver2003/deployment/default.mspx

Chris Avis [MSFT] (Expert):
Q:
I have a question in regards to logging into a Win 2000 Pro workstation as an admin, and not being able to access local users and groups.
A: I don't see how this is DNS related so you should hold this question to another chat or Webcast. Or, feel free to email me at chrisavi@microsoft.com

Mike Brannigan MSFT (Expert):
Q:
I have a question in regards to logging into a Win 2000 Pro workstation as an admin, and not being able to access local users and groups.
A: If your machine is a member of a domain the Users applet in Control Panel is disabled - BUT you can still access the local accounts and groups via the Computer Management applet in Administrative Tools.

Blain Barton - MSFT (Expert):
Q:
Are there any other suggestions someone may have as to how to get rid of my program error winmgmt.exe, which I get every 10-15 seconds?
A: These were the only links I could find on the topic: https://support.microsoft.com/default.aspx?scid=kb;en-us;828047 and https://support.microsoft.com/default.aspx?scid=kb;en-us;296725 and https://support.microsoft.com/default.aspx?scid=kb;en-us;830075

Chris Avis [MSFT] (Expert):
Only 5 minutes left! Post your questions using the "Submit a Question" radio button!

Mike Brannigan MSFT (Expert):
Q:
I already upgraded a NT4 member to Win2003 Srv and I demoted a BDC to a member server and will upgrade it tomorrow. I still have my PDC as NT4 Srv, why can't I just upgrade it to Win2003 Srv?
A: In an NT 4.0 environment you will need to upgrade the PDC first, to upgrade the Domain to an Active Directory environment. Once this is done you can then tackle each of the existing BDCs. Your server that you have "brutally" demoted (not supported) may be an issue. If possible you should just reinstall that particular server.

MJMurphy (Moderator):
Ladies and Gentlemen, I'd like to thank you all for your participation today; that concludes today's AD and DNS chat. Send feedback on today's chat to TNmgr@microsoft.com or MJMurphy@microsoft.com. Thanks and see you next week!

Mike Brannigan MSFT (Expert):
Q:
Mike: We were TOLD to use UPromote by MS reps. This is to be part of a *very* large Tree
A: OK - but it is not the best way to remove a BDC from the domain. Ideally you should rebuild the OS on NT 4.0 if you need to get a BDC out of the domain.

Blain Barton - MSFT (Expert):
Thank you for working with me on this chat, take care, Blain

Mike Brannigan MSFT (Expert):
Q:
There are 8000+ users on this campus alone. I am just one small office with a NT4 Domain to be a part of the AD Forest.
A: OK - so you need to upgrade the PDC in that small domain to Server 2003 - see the Deployment Resource Kit - the links to it are above.

Chris Avis [MSFT] (Expert):
Q:
I have a Windows 2000 server and XP Professional desktops with Service Pack 2. When I turn on the computer and need to log on, the machine is very slow loading the personal settings, but if I don't connect to the network it's faster.
A: Good Day Lucho! Check your DNS Settings. It is very common for the DNS Settings to be incorrect and this will cause Logons/Logoffs to be extended. Make sure the DNS on the Client Machines is set to the IP address of your Windows DNS Server so they can contact it for Windows Processes. If you have your clients pointing to an ISP, the ISP has no idea about your DNS network and so it will have to fail over before resolving locally.

Shawn (Moderator):
Well, I want to thank everyone for joining us today, and we loved all the great questions! This chat has now ended, but if you think of additional questions during the next week, please come back for next week's chat at the same time. You can get more information here: https://www.microsoft.com/technet/community/chats/default.mspx. We will take the remaining questions in queue, but unfortunately will not have time to take any additional questions after those.

Chris Avis [MSFT] (Expert):
Q:
Bonjour! Can anyone tell me why my computer disconnects after 20 mins whilst listening to WMP if no activity is sensed? I have checked my power options and all have been changed to never shut down to save power. On dial up as no broadband available. Cushty
A: When you say disconnects, are you referring to disconnecting from a network? If so, Windows has a built in function to drop connections after 20 minutes of no activity to free up resources. You can adjust this in the properties of a DUN or VPN connectoid.

Chris Avis [MSFT] (Expert):
Thank you all for the wonnermous questions today! Please check at https://www.microsoft.com/chats for upcoming chat sessions! Have a Great Day!

Chris Avis [MSFT] (Expert):
Thanks again!