RE: [ActiveDir] importance of gc._msdcs.mycompany.com A records?

2006-06-30 Thread Adeel Ansari

Mike,

The quick answer is, the A record is not required by AD. It's registered for other LDAP implementations that do not support SRV records in DNS.

Here is some good reading:

http://redmondmag.com/features/article.asp?EditorialsID=273

http://www.oucs.ox.ac.uk/windows/active/dns/index.xml?style=printable#Config_second

-Adeel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, June 29, 2006 4:58 PM
To: ActiveDir@mail.activedir.org
Cc: Finkel, Barry S.
Subject: [ActiveDir] importance of gc._msdcs.mycompany.com A records?

What is the importance of the gc._msdcs.mycompany.com A records?

Environment:

1) Split DNS: Unix BIND and AD-integrated DNS

2) DCs use:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]

RegisterDnsARecords=dword:

to avoid registering the A domain record on our Unix DNS server, which will
not accept them. This record is put in manually. This registry entry also
prevents these failures to register from being written into the system event log.

3) Today my DNS admin noticed that the gc._msdcs.mycompany.com zone was not
populated correctly, with hardly any of the current GCs listed. Some of the
IPs that were listed haven't been used for years. The GC A record for our
current GCs obviously is not written because of #2.

4) If I check for enterprise GCs using a tool like replmon, all of the GCs show up.

5) There are no AD issues that we are aware of.

So the question is: what are these A records used for, if anything? It would
appear in our scenario this zone is unused.

Any thoughts/comments are appreciated!

TIA!

Mike Thommes
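The situation Mike describes (GC A records that nobody registers any more, next to addresses that have not been in use for years) is easy to audit offline. The following is an added example, not code from either poster: a Python script that compares the A records in a dump of the gc._msdcs zone with the GC list the directory itself reports, and prints the records to remove and to add by hand. Both inputs are constructed; the zone owner name follows the thread, and the GC list stands in for whatever replmon or nltest shows you. Since, as the reply says, only LDAP clients that cannot use SRV records consult these A records, a stale entry mainly hands such a client a dead address, but the zone still deserves to be clean.

```python
"""Audit the gc._msdcs.<forest> A records against the list of current GCs.

Constructed input: ZONE_LINES stands in for a dump of the gc._msdcs zone,
CURRENT_GCS for what replmon (or nltest) reports as the live GC set.
"""
import ipaddress

ZONE_OWNER = "gc._msdcs.mycompany.com"

# Constructed zone excerpt in BIND master-file syntax: two live GCs,
# two addresses nobody has used for years, and the SRV record that
# SRV-aware clients actually use.
ZONE_LINES = """\
gc._msdcs.mycompany.com.  600  IN  A    10.1.0.10
gc._msdcs.mycompany.com.  600  IN  A    10.1.0.11
gc._msdcs.mycompany.com.  600  IN  A    10.9.9.9
gc._msdcs.mycompany.com.  600  IN  A    192.0.2.77
_ldap._tcp.gc._msdcs.mycompany.com.  600  IN  SRV  0 100 3268 dc1.mycompany.com.
"""

# Constructed GC list: hostname -> address, as the live directory reports it.
CURRENT_GCS = {
    "dc1.mycompany.com": "10.1.0.10",
    "dc2.mycompany.com": "10.1.0.11",
    "dc3.mycompany.com": "10.2.0.10",
}

RR_TYPES = {"A", "AAAA", "SRV", "CNAME", "NS", "SOA"}


def parse_a_records(zone_text, owner):
    """Return the set of IPv4 addresses in A records owned by `owner`."""
    owner = owner.rstrip(".").lower()
    addrs = set()
    for line in zone_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0].rstrip(".").lower() != owner:
            continue
        # Master-file layout is: owner [ttl] [class] type rdata; find the type token.
        type_idx = next((i for i, t in enumerate(tokens) if i > 0 and t.upper() in RR_TYPES), None)
        if type_idx is None or tokens[type_idx].upper() != "A":
            continue
        addrs.add(ipaddress.ip_address(tokens[type_idx + 1]))
    return addrs


def audit_gc_records(zone_text, gcs, owner=ZONE_OWNER):
    """Compare published A records with the live GC set.

    Returns (stale, missing): addresses in DNS that no current GC owns, and
    current GCs that have no A record (RegisterDnsARecords=0 suppresses the
    automatic registration, so these have to be added by hand).
    """
    published = parse_a_records(zone_text, owner)
    expected = {ipaddress.ip_address(ip) for ip in gcs.values()}
    stale = sorted(str(ip) for ip in published - expected)
    missing = sorted(str(ip) for ip in expected - published)
    return stale, missing


def render_a_records(gcs, owner=ZONE_OWNER, ttl=600):
    """Master-file lines for the A records the zone should carry."""
    return [f"{owner}.  {ttl}  IN  A  {ip}"
            for ip in sorted(gcs.values(), key=ipaddress.ip_address)]


if __name__ == "__main__":
    stale, missing = audit_gc_records(ZONE_LINES, CURRENT_GCS)
    print("stale A records (remove):", stale)
    print("GCs without an A record (add):", missing)
    print("\n".join(render_a_records(CURRENT_GCS)))
```

Run against a real zone, replace ZONE_LINES with the output of a zone transfer or a `dig` query for the owner name, and CURRENT_GCS with the GC list you trust; the script deliberately ignores the SRV records, which are what SRV-capable clients use and which Netlogon keeps registering regardless of RegisterDnsARecords.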








[ActiveDir] AD DNS along with Bind

2006-05-23 Thread Adeel Ansari
Team,

Is it possible to have AD DCs manage all the dynamic zones, i.e. _tcp, _udp,
_msdcs etc., and have the rest of the non-AD zones managed by BIND? Has
anyone done something like this? There is an MS article (ID: 255913) that
talks about it; however, it doesn't say which DNS server clients should point to.

Regards,
Adeel

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD DNS along with Bind

2006-05-23 Thread Adeel Ansari
Mike, 

This is very detailed and clearly written. I appreciate it, say my thanks to
your DNS guy! 

Adeel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Thommes, Michael M.
Sent: Tuesday, May 23, 2006 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind


Adeel,
Here is a response from our DNS guy.  I hope it helps you.

Mike Thommes
=

Here are the steps I took for delegating the AD zones for example.com:

1) In the example.com zone on the BIND server I added these NS records
   to delegate the zone to the Windows 2003 DNS Server:

_msdcs          IN  NS  windnsserver.example.com.
_sites          IN  NS  windnsserver.example.com.
_tcp            IN  NS  windnsserver.example.com.
_udp            IN  NS  windnsserver.example.com.
ForestDNSZones  IN  NS  windnsserver.example.com.
DomainDNSZones  IN  NS  windnsserver.example.com.

2) Define these six zones on the Windows 2003 DNS Server.
   I use ONLY ONE Windows DNS Server due to serial number problems
   that can/will occur with the MS multi-master setup.  See Q282826.

   Ensure that the zones are AD-integrated with secure DDNS only.
   Change the zone properties:

   In the SOA ensure that the Responsible person field has
   the correct e-mail address (with the @ replaced with .).

   In the Name Servers tab add the BIND slaves (that are the
   registered nameservers for the example.com domain).

   Allow zone transfers to the servers in the Name Servers tab.

   Notify servers in the Name Servers tab.

   These changes will have to be done for each zone, as MS has not
   implemented global zone properties.

3) Define these six zones on the BIND slave DNS servers that are
   registered for the example.com zone.  The master server is
   obviously the Windows 2003 DNS Server.

4) In my case, the parent example.com zone is still on a BIND server,
   so I have manually entered the domain A records on that master
   server.  

Note that there are three types of DDNS from a Windows machine:

 a) A machine (desktop, server, or DC) self-registering
 b) A DC (netlogon) registering its SRV and CNAME records
 c) A DC (netlogon) registering the domain A record.

There are different registry keys controlling each of these, and since
they have been implemented at different times and since some of them
have been reused (from former, still current usage), the interaction
among these registry keys is complicated.  I count 162 different cases,
and I have not had time to test all of them.  If you do not care about
DDNS requests being sent to the BIND master for the example.com zone,
where (I would hope) the DDNS would be refused, then you do not have to
worry about some of these registry keys.

With this setup, the MS Windows DNS Server is a hidden master.
It is known only via the MNAME (master server name) field in the SOA
(Start of Authority) record in each zone.  If your clients (be they
Unix, Windows, or Mac desktops) have the BIND servers in their TCP/IP
configurations, then these clients will continue to use the BIND servers
for DNS resolution.  This will work for the AD zones, as all of the AD
zones are slaved on the BIND servers.  Any machine that needs to update
the zone (DCs updating CNAME and SRV records), or Windows clients
(self-registration via DHCP) will use secure DDNS, and these machines
will locate the master via a standard SOA query.

There is NO NEED for ANY machine to have the Windows DNS Server in its
TCP/IP configuration as a DNS server.  The nice thing about this is that
you do not have to go and change any client TCP/IP configuration.

On my one MS W2003 DNS Server I have the six AD zones for anl.gov and
fifteen sets of AD zones for subdomains of anl.gov.

There is documentation in the DNS Bible - DNS and BIND, 4th edition
(with a fifth edition due out any minute, I am told).  There is also
documentation in DNS on Windows Server 2003.  Both are O'Reilly books.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Tuesday, May 23, 2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DNS along with Bind

Team,

Is it possible to have AD DCs manage all the dynamic zones, i.e. _tcp, _udp,
_msdcs etc., and have the rest of the non-AD zones managed by BIND? Has
anyone done something like this? There is an MS article (ID: 255913) that
talks about
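The delegation and hidden-master layout described in Barry's reply is worth checking mechanically, because a sub-zone that is missing from the parent or delegated to the wrong server fails quietly until a DC or client needs it. The script below is an added example, not code from the thread or from any of the posters: a small master-file parser in Python plus two checks, one over the BIND parent zone (all six AD sub-zones delegated to the Windows server) and one over an AD zone as it arrives on a BIND slave (SOA MNAME is the Windows server, so DDNS clients find the master, and every BIND slave is in the NS set, so transfers and NOTIFY reach them). Both zone texts are constructed and follow the example.com names from the reply; the parent zone has two deliberate faults so the report is not empty.

```python
"""Validate the BIND-side delegation of the six AD zones and the hidden-master
layout of an AD zone as it arrives on a BIND slave.

Both zone texts below are constructed; the names follow the example.com
layout used in the reply above.
"""

AD_SUBZONES = ("_msdcs", "_sites", "_tcp", "_udp", "ForestDNSZones", "DomainDNSZones")

# Constructed excerpt of the BIND master zone for example.com. Two deliberate
# faults: _udp is delegated to the wrong server and DomainDNSZones is not delegated.
PARENT_ZONE = """\
$ORIGIN example.com.
@               IN  SOA  ns1.example.com. hostmaster.example.com. ( 2006052301 3600 900 604800 300 )
@               IN  NS   ns1.example.com.
@               IN  NS   ns2.example.com.
_msdcs          IN  NS   windnsserver.example.com.
_sites          IN  NS   windnsserver.example.com.
_tcp            IN  NS   windnsserver.example.com.
_udp            IN  NS   ns1.example.com.
ForestDNSZones  IN  NS   windnsserver.example.com.
windnsserver    IN  A    192.0.2.53
"""

# Constructed copy of the _msdcs zone as transferred from the Windows server.
AD_ZONE_MSDCS = """\
$ORIGIN _msdcs.example.com.
@              IN  SOA  windnsserver.example.com. hostmaster.example.com. ( 42 900 600 86400 3600 )
@              IN  NS   windnsserver.example.com.
@              IN  NS   ns1.example.com.
@              IN  NS   ns2.example.com.
gc             IN  A    192.0.2.10
_ldap._tcp.gc  IN  SRV  0 100 3268 dc1.example.com.
"""


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Return (owner, TYPE, rdata_tokens) triples from master-file text.

    Handles $ORIGIN, '@', relative names, comments and optional TTL/class;
    every record is expected on one line with an explicit owner.
    """
    origin = origin.rstrip(".") + "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = _fqdn(tokens[1], origin)
            continue
        if tokens[0].startswith("$"):
            continue
        owner = _fqdn(tokens[0], origin).lower()
        i = 1   # skip the optional TTL and class tokens to reach the type
        while i < len(tokens) and (tokens[i].isdigit() or tokens[i].upper() in ("IN", "CH", "HS")):
            i += 1
        if i < len(tokens) - 1:
            records.append((owner, tokens[i].upper(), tokens[i + 1:]))
    return records


def check_delegations(parent_text, domain, windows_server):
    """Per AD sub-zone, report if the parent zone does not delegate it to windows_server."""
    ws = windows_server.rstrip(".").lower() + "."
    records = parse_zone(parent_text, domain)
    problems = {}
    for sub in AD_SUBZONES:
        owner = f"{sub}.{domain.rstrip('.')}.".lower()
        ns = {r[2][0].lower() for r in records if r[0] == owner and r[1] == "NS"}
        if not ns:
            problems[sub] = "no NS delegation in parent zone"
        elif ws not in ns:
            problems[sub] = "delegated to " + ", ".join(sorted(ns)) + " instead of " + ws
    return problems


def check_hidden_master(zone_text, zone_name, windows_server, bind_slaves):
    """Confirm the SOA MNAME is the hidden Windows master and the BIND slaves are in the NS set."""
    records = parse_zone(zone_text, zone_name)
    apex = zone_name.rstrip(".").lower() + "."
    ws = windows_server.rstrip(".").lower() + "."
    issues = []
    soa = [r for r in records if r[0] == apex and r[1] == "SOA"]
    if not soa or soa[0][2][0].lower() != ws:
        issues.append("SOA MNAME is not the Windows DNS server")
    ns = {r[2][0].lower() for r in records if r[0] == apex and r[1] == "NS"}
    for slave in bind_slaves:
        if slave.rstrip(".").lower() + "." not in ns:
            issues.append(f"BIND slave {slave} missing from NS set")
    return issues


if __name__ == "__main__":
    print(check_delegations(PARENT_ZONE, "example.com", "windnsserver.example.com"))
    print(check_hidden_master(AD_ZONE_MSDCS, "_msdcs.example.com",
                              "windnsserver.example.com", ["ns1.example.com", "ns2.example.com"]))
```

Feed it the real parent zone file and a zone transferred from the slave, one call per AD zone; the parser deliberately rejects nothing it does not understand, so multi-line records or owner-less continuation lines should be joined first.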

[ActiveDir] RDP Script

2006-04-19 Thread Adeel Ansari

AD Gurus,

I am trying to create a script that adds TS accounts for a W2K AD domain.
I have tried eolwtscom and wts_admin.dll with no luck.

I am looking for something like this below, but this one
only works in 2003 server.

http://www.microsoft.com/technet/scriptcenter/scripts/ts/users/tsusvb01.mspx

    ' Grants fabrikam\bob guest-level access to Terminal Services on the
    ' local computer through the Win32_TSPermissionsSetting WMI class.
    Const GUEST_ACCESS = 0

    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

    Set colItems = objWMIService.ExecQuery _
        ("Select * from Win32_TSPermissionsSetting")

    For Each objItem in colItems
        errResult = objItem.AddAccount("fabrikam\bob", GUEST_ACCESS)
    Next

Can someone please help?

Adeel


[ActiveDir] Extending AD Schema

2006-03-20 Thread Adeel Ansari
AD Guys and Gals,

Is there a way to back out of an AD Schema extension?

We have a project that requires an AD Schema extension. The vendor has a tool that
will make changes in the AD schema automatically. However, we are a little cautious
about it. Is it possible to export the current AD schema and then make the
extension? Would it be possible to import it back again?

Can you guys/gals share your experience with schema extensions / updates?

Thanks,
Adeel
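Exporting the schema before and after the vendor tool runs is straightforward with ldifde (for example `ldifde -f schema_before.ldf -d "CN=Schema,CN=Configuration,DC=example,DC=com"`), and the useful artefact is the diff between the two exports: it records exactly which classes and attributes were added and which existing classes were modified. Schema objects cannot be deleted from AD, only made defunct, so that diff is the record you review against the vendor's documentation rather than a rollback mechanism. The following is an added example, not code from the thread: a Python LDIF parser that unfolds continuation lines and base64 values, plus a differ. The two LDIF texts are constructed; the attribute name and OID are placeholders.

```python
"""Diff two ldifde schema exports to see exactly what a vendor's extension added.

Both LDIF texts below are constructed; vendorEmployeeId and its OID are placeholders.
"""
import base64

BEFORE = """\
dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: classSchema
cn: User
adminDescription:: VXNlciBjbGFzcw==
mayContain: extensionAttribute1

"""

# After the extension: the User class gained a mayContain entry (folded across
# two lines, as LDIF allows) and a new attributeSchema object appeared.
AFTER = """\
dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: classSchema
cn: User
adminDescription:: VXNlciBjbGFzcw==
mayContain: extensionAttribute1
mayContain: vendorEmpl
 oyeeId

dn: CN=vendorEmployeeId,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
cn: vendorEmployeeId
attributeID: 1.2.3.4.5.6.7.8
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
"""


def parse_ldif(text):
    """Return {dn (lower-cased): {attribute (lower-cased): [values]}}."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current, dn = {}, {}, None
    for line in unfolded + [""]:                   # the trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        key = key.strip().lower()
        if key == "dn":
            dn = value.lower()
        elif key != "changetype":                  # ldifde export bookkeeping, not schema data
            current.setdefault(key, []).append(value)
    return entries


def diff_schema(before_text, after_text):
    """Return (added_dns, removed_dns, {dn: {attr: (before_values, after_values)}})."""
    before, after = parse_ldif(before_text), parse_ldif(after_text)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))    # expected empty: schema objects are never deleted
    changed = {}
    for dn in set(before) & set(after):
        for attr in set(before[dn]) | set(after[dn]):
            b = sorted(before[dn].get(attr, []))
            a = sorted(after[dn].get(attr, []))
            if b != a:
                changed.setdefault(dn, {})[attr] = (b, a)
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = diff_schema(BEFORE, AFTER)
    print("added:", added)
    print("removed:", removed)
    for dn, attrs in changed.items():
        for attr, (b, a) in attrs.items():
            print(f"changed {dn} {attr}: {b} -> {a}")
```

Run it on the two real exports instead of the constants; anything in `removed`, or a change to an attribute you did not expect the vendor to touch (attributeSyntax, isSingleValued, rangeUpper), is what to take back to the vendor before the change goes anywhere near production.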



[ActiveDir] AD - What to monitor?

2006-03-06 Thread Adeel Ansari
AD Gurus,

Can you guys expand on the topic of what should be monitored in AD, and why?
I am talking in terms of security events only, to protect AD and also protect
from attacks of any kind.

Obviously, one would monitor failed logons, too many account creations, etc.
What else should we monitor?

Regards,
Adeel
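The two items Adeel names (failed logons, bursts of account creation) are rate-based detections, and a third category that is worth alerting on at any rate is membership changes to privileged groups. As an added example, not code from the thread, here is the detection logic in Python over a constructed Security-log excerpt. The event ids are the Windows 2000/2003 ones (529 logon failure, 624 user account created, 632 and 636 member added to a global or local group); the thresholds and the group list are illustrative starting points, not recommendations from the post.

```python
"""Three detections over a Windows Security log excerpt: password guessing,
bulk account creation and changes to privileged groups.

Event ids are the Windows 2000/2003 ones: 529 logon failure, 624 user account
created, 632 and 636 member added to a global or local group. EVENTS is a
constructed excerpt; the thresholds are illustrative starting points.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# (timestamp, event id, fields) tuples, oldest first; constructed.
EVENTS = [
    ("2006-03-06 09:00:01", 529, {"user": "jsmith", "source": "10.5.5.5"}),
    ("2006-03-06 09:00:04", 529, {"user": "jsmith", "source": "10.5.5.5"}),
    ("2006-03-06 09:00:09", 529, {"user": "jsmith", "source": "10.5.5.5"}),
    ("2006-03-06 09:00:12", 529, {"user": "jsmith", "source": "10.5.5.5"}),
    ("2006-03-06 09:00:15", 529, {"user": "jsmith", "source": "10.5.5.5"}),
    ("2006-03-06 09:30:00", 529, {"user": "bjones", "source": "10.5.5.6"}),
    ("2006-03-06 10:00:00", 624, {"user": "svc_prov", "target": "tmp01"}),
    ("2006-03-06 10:00:30", 624, {"user": "svc_prov", "target": "tmp02"}),
    ("2006-03-06 10:01:00", 624, {"user": "svc_prov", "target": "tmp03"}),
    ("2006-03-06 11:00:00", 632, {"user": "adeel", "group": "Domain Admins", "member": "tmp03"}),
    ("2006-03-06 11:05:00", 632, {"user": "adeel", "group": "Sales", "member": "bjones"}),
]


def burst_alerts(events, event_id, key, threshold, window):
    """Alert once per key when `threshold` events with `event_id` share the same
    `key` field inside a sliding `window` (a timedelta).
    Returns (event_id, key_value, count, first_time, last_time) tuples."""
    recent = defaultdict(deque)
    fired, alerts = set(), []
    for ts, eid, fields in events:            # events must be in time order
        if eid != event_id or key not in fields:
            continue
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[fields[key]]
        q.append(now)
        while now - q[0] > window:            # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and fields[key] not in fired:
            fired.add(fields[key])
            alerts.append((event_id, fields[key], len(q), q[0], now))
    return alerts


def privileged_group_changes(events, groups=PRIVILEGED_GROUPS):
    """Every member-added event touching a privileged group, regardless of rate."""
    return [(ts, f["user"], f["group"], f["member"])
            for ts, eid, f in events if eid in (632, 636) and f.get("group") in groups]


def run_detections(events=EVENTS):
    return {
        "password_guessing": burst_alerts(events, 529, "user", 5, timedelta(seconds=60)),
        "bulk_account_creation": burst_alerts(events, 624, "user", 3, timedelta(minutes=5)),
        "privileged_group_changes": privileged_group_changes(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

The same `burst_alerts` helper keyed on `"source"` instead of `"user"` catches one address trying many accounts, which the per-user threshold misses; the privileged-group check is deliberately not rate-limited, because a single unexpected addition to Domain Admins is the event you want to see.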






RE: [ActiveDir] Resolving SIDs

2006-03-06 Thread Adeel Ansari
Justin,

The only thing that I can think of is Sidtoname.exe. I don't think that you
are looking for this, however.

Can you expand a little bit more on building user information based on SID?

-Adeel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Clay, Justin (ITS)
Sent: Monday, March 06, 2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Resolving SIDs



I thought I remember seeing something recently about how to build some user
information from a SID. Is this possible or am I dreaming? I don't mean
resolving the SID against AD, I actually mean taking a lone SID and building
some user information based on just the SID.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
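A lone SID does carry some information without any lookup: its identifier authority, whether it belongs to a domain or local SAM (the S-1-5-21 form), which domain that is (the three sub-authorities form the domain identifier, so two SIDs can be compared by domain), and the RID, which for built-in principals is fixed below 1000 (500 Administrator, 512 Domain Admins, and so on). Nothing more, such as the account name, is available without resolving it. The following is an added example, not code from the thread: a Python SID parser with the binary encoding used in objectSid and security descriptors. The domain identifier in the sample SIDs is made up.

```python
"""Decode what a lone SID says about itself, without touching the directory.

The SIDs used in __main__ are constructed; their domain identifier is made up.
"""
import struct

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# RIDs below 1000 are reserved for built-in principals in every domain.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}


def parse_sid(sid):
    """Split a string SID into its fields and classify it; ValueError if malformed."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    try:
        revision, authority = int(parts[1]), int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError(f"non-numeric SID component in {sid!r}") from None
    if revision != 1 or len(subs) > 15 or any(not 0 <= s < 2**32 for s in subs):
        raise ValueError(f"out-of-range SID field in {sid!r}")
    info = {
        "revision": revision,
        "identifier_authority": authority,
        "sub_authorities": subs,
        "kind": "well-known" if sid in WELL_KNOWN_SIDS else "other",
        "name": WELL_KNOWN_SIDS.get(sid),
        "domain_sid": None,
        "rid": None,
    }
    # S-1-5-21-<a>-<b>-<c>-<rid>: a principal in the domain (or local SAM) identified by a,b,c.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        info["domain_sid"] = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        info["rid"] = subs[4]
        info["name"] = WELL_KNOWN_RIDS.get(subs[4])
        info["kind"] = ("built-in domain principal" if subs[4] < 1000
                        else "user-created domain principal")
    return info


def sid_to_bytes(sid):
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority,
    then each sub-authority as a little-endian 32-bit integer."""
    info = parse_sid(sid)
    subs = info["sub_authorities"]
    return (bytes([info["revision"], len(subs)])
            + info["identifier_authority"].to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    """Inverse of sid_to_bytes (the form stored in objectSid and in security descriptors)."""
    if len(data) < 8 or len(data) != 8 + 4 * data[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % data[1], data[8:])
    return "S-%d-%d" % (data[0], authority) + "".join("-%d" % s for s in subs)


if __name__ == "__main__":
    for s in ("S-1-5-21-1004336348-1177238915-682003330-512",
              "S-1-5-21-1004336348-1177238915-682003330-1105",
              "S-1-5-18"):
        print(s, parse_sid(s))
    print(bytes_to_sid(sid_to_bytes("S-1-5-32-544")))
```

For anything beyond this (the account name behind a RID of 1105, say) you are back to resolving the SID against the domain it names, which is what Sidtoname.exe or LookupAccountSid does.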

 




[ActiveDir] XP Slow Logon

2006-03-01 Thread Adeel Ansari
AD Gurus,

I have a weird problem with which I am not having any luck. Here you go:

Only XP computers are experiencing very slow logons (up to 5+ minutes) to the
domain. Windows 2000 Professional computers don't have this problem. Now,
this is mostly happening on remote sites without a local DC, so the
authentication is taking place at another nearby site with a DC, but there
have been some reports that it happened on sites with a local DC.

Here is my environment:

1. DNS - BIND with dynamic AD zones.
2. AD - Win2K servers. There is a domain policy that forces asynchronous
boot for XP.

I have checked the following, but none helped:

On the user's machine:
- Installed XP Service Pack 2
- Disabled the XP built-in firewall
- A hotfix from M$ was installed as suggested by a post.
- NIC card drivers were updated

On AD:
- Made sure that sites / subnets are defined properly
- Enabled "Always wait for the network at computer startup and logon" in the
GPO

I have a feeling that it's misconfigured DNS. Is anyone using BIND DNS with AD
and having problems with XP? Is there any special configuration that needs
to be changed in BIND?

Any ideas?

Regards,
Adeel










[ActiveDir] Site Link Question

2006-02-08 Thread Adeel Ansari



All,

I have about a few hub sites with 100+ site links. I found the following on the
M$ website:

  Make sure that no site is directly connected to more than 20 other sites

  This condition can occur in large hub-and-spoke deployments where most sites are
  branch sites that communicate with a centralized hub site. If this condition
  exists and there are more than 20 site links from the hub site to branch sites,
  the hub site can be divided into multiple sites to provide additional bridgehead
  servers to handle the replication volume. In a site, a single bridgehead server
  is active per domain. If the site has more than 20 site links, the bridgehead
  servers can become overloaded.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx#EFAA

Can someone please explain what steps I need to take to divide the hub
sites?

Regards,
Adeel



[ActiveDir] Site Links

2006-02-07 Thread Adeel Ansari



AD Experts,

Are there any best practices for creating and managing site links? The problem
I am facing is where I have many hub and spoke sites with well over 20
site links. What is the best procedure to fix this issue?

-Adeel
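Both site-link posts above come down to the same arithmetic: find the sites that are directly linked to more than 20 others, and work out how many hub sites one overloaded hub has to become so that each stays under the limit once the new hubs are also linked to each other. The following is an added example, not code from the thread or from Microsoft: a Python planner over a constructed topology (one hub with 45 branches and a peer hub). It produces the grouping and the rewritten link list and then re-checks the limit; the site, subnet and DC moves that the grouping implies are a separate AD change that the page does not describe.

```python
"""Find sites over the 20-link guidance and plan a split of an overloaded hub.

SITE_LINKS is a constructed topology; this computes the grouping only.
"""
import math
from collections import defaultdict

MAX_LINKS_PER_SITE = 20   # the figure from the Microsoft guidance quoted above

# Constructed topology: every site link is a (site, site) pair.
SITE_LINKS = ([("Houston", f"Branch{i:02d}") for i in range(1, 46)]
              + [("Houston", "Dallas"), ("Dallas", "Branch99")])


def site_link_degree(site_links):
    """Number of distinct other sites each site is directly linked to."""
    neighbours = defaultdict(set)
    for a, b in site_links:
        neighbours[a].add(b)
        neighbours[b].add(a)
    return {site: len(others) for site, others in neighbours.items()}


def over_limit(site_links, max_links=MAX_LINKS_PER_SITE):
    """Sites whose direct-link count exceeds the guidance."""
    return sorted(s for s, d in site_link_degree(site_links).items() if d > max_links)


def plan_hub_split(hub, site_links, max_links=MAX_LINKS_PER_SITE):
    """Split the hub's spokes into the fewest balanced groups that each fit under
    max_links once the links between the new hub sites are counted too."""
    spokes = sorted({b if a == hub else a for a, b in site_links if hub in (a, b)})
    groups = 1
    while math.ceil(len(spokes) / groups) + (groups - 1) > max_links:
        groups += 1
    per = math.ceil(len(spokes) / groups)
    plan = {}
    for i in range(groups):
        name = hub if i == 0 else f"{hub}-{i + 1}"
        plan[name] = spokes[i * per:(i + 1) * per]
    return plan


def links_after_split(hub, site_links, plan):
    """Rewrite the link list: each spoke moves to its new hub, new hubs form a mesh."""
    new_links = [(a, b) for a, b in site_links if hub not in (a, b)]
    for new_hub, spokes in plan.items():
        new_links += [(new_hub, s) for s in spokes]
    hubs = list(plan)
    new_links += [(hubs[i], hubs[j]) for i in range(len(hubs)) for j in range(i + 1, len(hubs))]
    return new_links


if __name__ == "__main__":
    print("over limit before:", over_limit(SITE_LINKS))
    plan = plan_hub_split("Houston", SITE_LINKS)
    for hub, spokes in plan.items():
        print(hub, len(spokes), "spokes")
    print("over limit after:", over_limit(links_after_split("Houston", SITE_LINKS, plan)))
```

The planner budgets for the hub-to-hub links explicitly, which is why 46 spokes come out as three hubs of 16, 16 and 14 rather than three of 20; a real topology should be exported from the Inter-Site Transports container and fed in as pairs, replacing SITE_LINKS.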


[ActiveDir] AD Web Interface

2006-02-07 Thread Adeel Ansari



AD Gurus,

Anyone know of a web interface for some basic AD administration, preferably a
cheap or free solution? Basically, this web interface will be provided to the
helpdesk to perform tasks like unlock account, move account, check group
membership, etc.

By googling around I found the PHP-based adLDAP (http://adldap.sourceforge.net) and
I am able to make a web interface with it (that website designing hobby finally
paid off); however, I found it to be very slow in the production
environment. Just wondering if anyone out there has had need for such a
tool.

-Adeel




RE: [ActiveDir] NTFRS Problems - Solved

2006-02-06 Thread Adeel Ansari
AD Experts,

Thanks all for your input regarding the FRS issue listed below. We were able
to get a safer solution out of MS to fix SysVol inconsistencies.

Here it is:

1) Fix policies and scripts on the PDC; make sure everything is clean on the
PDC.

2) Stop the FRS service on all other DCs.

3) Start with the direct replicating partner of the PDC.

4) Open up the registry and go to HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet,
Services, NtFrs, Parameters, Replica Sets.

5) Locate the GUID which corresponds to the SYSVOL, then click on the GUID which
corresponds to SYSVOL under Cumulative Replica Sets (which is just above
Replica Sets).

6) Do a D2 on the BurFlags, restart FRS.

7) Wait for some time, as there are a lot of policies and scripts and it will
take some time before everything gets replicated over.

8) Once you have a 13516 in your FRS logs you can proceed to the next DC and
go through step 4 to step 7.

9) You might notice some warnings in FRS from other DCs, but that's normal
since the FRS service is stopped on them.

This is a safer solution since only one server is replicating FRS with the PDC
at a time. I applied this fix and it seems to have stabilized SysVol.

-Adeel





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David Cliffe
Sent: Wednesday, February 01, 2006 4:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTFRS Problems


I can tell you that I used this KB as my guide to restore the SYSVOL
state on one of our domains about 4 months ago and it worked just fine.

 http://support.microsoft.com/kb/315457/en-us

If the journals on your DCs are inconsistent with each other, this may
be the best way to correct it.  Best advice is to ensure that there are
no underlying replication issues first, otherwise you might just be
wasting your time!

-DaveC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Wednesday, February 01, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFRS Problems

Hello AD Experts,

Recently, I noticed inconsistencies in Sysvol among my domain
controllers and the PDC while promoting a new replica DC in the domain, and
it got stuck on sysvol after 145 out of 250 policies. To test further, I
created a .txt file in the sysvol on the PDC and it didn't replicate to the
other DCs either. To make things even worse, the number of policies on the
PDC is not the same as on the other DCs.

After hours of troubleshooting and a phone call to M$, I was told by
Microsoft to perform a burflag authoritative (D4) restore on one domain
controller with good policy contents in Sysvol and a non-authoritative
(D2) restore on all the others.

Having the luxury of an AD replica lab, I performed the operation in the
lab environment but lost both the policies and scripts folders, and now the
servers don't even have Sysvols. I am not comfortable doing this
operation in the production environment.

Can anyone please share their experience with burflag restores? Any best
practices? Is there another way that I can resolve this issue without
performing a burflag restore?

Any ideas / suggestions are welcomed.


Regards,
Adeel

___
Adeel Ansari - Active Directory Admin.
SLB Enterprise Services
Houston, TX USA

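Steps 4 to 6 of the procedure above are done by hand in the registry on one DC at a time, and step 8 gates the move to the next DC on FRS event 13516. Two things are worth verifying before restarting FRS on each DC: that the D2 flag sits under the Cumulative Replica Sets GUID that really is SYSVOL (and not on another replica set, or on the global Backup/Restore\Process at Startup value, which applies to every replica set on that DC), and afterwards that 13516 has actually been logged before touching the next DC. The following is an added example, not code from the thread or from Microsoft: a Python checker over a regedit-style export of the NtFrs parameters and over an event-log excerpt. Both inputs are constructed; the GUIDs and paths are placeholders and the event text is abbreviated.

```python
"""Check where a pending BurFlags restore is aimed, and whether a DC has logged
FRS event 13516 (the signal in step 8 above for moving on to the next DC).

REG_EXPORT is a constructed regedit-style export; the GUIDs and paths are
placeholders. FRS_EVENTS is a constructed event-log excerpt with only the
fields the check needs.
"""
import re

NTFRS = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NtFrs\\Parameters"
BURFLAGS = {0x0: "none", 0xD2: "D2 non-authoritative restore", 0xD4: "D4 authoritative restore"}

REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup]
"BurFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\{00000000-0000-0000-0000-000000000001}]
"Replica Set Root"="C:\\WINNT\\SYSVOL\\domain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\{00000000-0000-0000-0000-000000000002}]
"Replica Set Root"="D:\\DFSRoots\\Public"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\{00000000-0000-0000-0000-000000000001}]
"BurFlags"=dword:000000d2

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\{00000000-0000-0000-0000-000000000002}]
"BurFlags"=dword:00000000
"""

# Constructed: "date time computer source eventid message"
FRS_EVENTS = """\
2006-02-06 10:02:11 DC2 NtFrs 13508 trouble enabling replication from DC1 to DC2 for c:\\winnt\\sysvol\\domain
2006-02-06 10:41:55 DC2 NtFrs 13516 no longer preventing the computer DC2 from becoming a domain controller
2006-02-06 10:43:00 DC3 NtFrs 13508 trouble enabling replication from DC1 to DC3 for c:\\winnt\\sysvol\\domain
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for dword and string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes
    return keys


def burflags_report(keys):
    """Map each replica-set root to its pending BurFlags; the global flag under
    Process at Startup is listed separately because it applies to every set."""
    report = {}
    prefix = NTFRS + "\\Replica Sets\\"
    for key, values in keys.items():
        if key.startswith(prefix):
            guid = key[len(prefix):]
            flags = keys.get(NTFRS + "\\Cumulative Replica Sets\\" + guid, {}).get("BurFlags", 0)
            report[values.get("Replica Set Root", guid)] = BURFLAGS.get(flags, hex(flags))
    global_flags = keys.get(NTFRS + "\\Backup/Restore\\Process at Startup", {}).get("BurFlags", 0)
    report["<global>"] = BURFLAGS.get(global_flags, hex(global_flags))
    return report


def check_sysvol_restore(keys):
    """Return (sysvol_root, sysvol_flag, warnings) for the per-DC step 5/6 check."""
    report = burflags_report(keys)
    sysvol = [root for root in report if "sysvol" in root.lower()]
    if len(sysvol) != 1:
        raise ValueError("expected exactly one SYSVOL replica set, found %d" % len(sysvol))
    warnings = []
    if report["<global>"] != "none":
        warnings.append("global Process at Startup BurFlags is set; it would rebuild every replica set")
    for root, flag in report.items():
        if root not in (sysvol[0], "<global>") and flag != "none":
            warnings.append(f"non-SYSVOL replica set {root} also has {flag} pending")
    return sysvol[0], report[sysvol[0]], warnings


def sysvol_ready(event_text, dc):
    """True once `dc` has logged NtFrs event 13516 (step 8: safe to move to the next DC)."""
    for line in event_text.splitlines():
        f = line.split(None, 5)
        if len(f) >= 5 and f[2].upper() == dc.upper() and f[3] == "NtFrs" and f[4] == "13516":
            return True
    return False


if __name__ == "__main__":
    keys = parse_reg_export(REG_EXPORT)
    print(check_sysvol_restore(keys))
    for dc in ("DC2", "DC3"):
        print(dc, "ready for next DC:", sysvol_ready(FRS_EVENTS, dc))
```

On a real DC, export the NtFrs\Parameters key with regedit or `reg export` and feed the file to `parse_reg_export`; a non-empty warnings list means the flag is not where step 5 put it, which is the kind of mismatch that rebuilds more than SYSVOL.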

[ActiveDir] NTFRS Problems

2006-02-01 Thread Adeel Ansari
Hello AD Experts,

Recently, I noticed inconsistencies in Sysvol among my domain controllers
and the PDC while promoting a new replica DC in the domain, and it got stuck on
sysvol after 145 out of 250 policies. To test further, I created a .txt file
in the sysvol on the PDC and it didn't replicate to the other DCs either. To
make things even worse, the number of policies on the PDC is not the same as on
the other DCs.

After hours of troubleshooting and a phone call to M$, I was told by
Microsoft to perform a burflag authoritative (D4) restore on one domain
controller with good policy contents in Sysvol and a non-authoritative (D2)
restore on all the others.

Having the luxury of an AD replica lab, I performed the operation in the lab
environment but lost both the policies and scripts folders, and now the servers
don't even have Sysvols. I am not comfortable doing this operation in the
production environment.

Can anyone please share their experience with burflag restores? Any best
practices? Is there another way that I can resolve this issue without
performing a burflag restore?

Any ideas / suggestions are welcomed.


Regards,
Adeel

___
Adeel Ansari - Active Directory Admin.
SLB Enterprise Services
Houston, TX USA
