Active Directory Best Practices 24seven: Migrating, Designing, and Troubleshooting, part 7


BEST PRACTICES FOR TROUBLESHOOTING AD REPLICATION 203

the settings, you will need to make sure that the changes are replicated to the other domain controllers that are acting as partners. Running ADLB without the /commit parameter lets the administrator view the settings that ADLB would put into effect. When specifying the bridgehead server that you are running ADLB against, you can use the hostname or the NetBIOS name of the server, depending on the name resolution methods that your network supports. To view the changes for the bridgehead server rosebud.zygort.lcl within the Chicago site, you would enter the command:

adlb /server:rosebud /site:Chicago

The output will detail the connections and changes that ADLB would make if the /commit parameter were specified. The ADLB utility can be used by any user who has loaded it from the Windows Server 2003 Resource Kit tools. However, if you want to allow ADLB to make the changes to your replication topology, you need to have Enterprise Admin privileges. If you want to view the changes that ADLB is recommending, but you want to print them out instead of viewing them at a command prompt, you can specify a log file by using the /log parameter and specifying the path to the log file. You can also view additional performance statistics that ADLB uses to make its recommendations by including the /perf parameter. If you are running your domain at the Windows Server 2003 functional level, you can stagger the replication schedule by using the /stagger parameter. This will stagger the updates for each of the directory partitions so that they are not all sent at the same time.
The command to create a log file that will allow you to view the performance statistics and recommendations of ADLB, with staggered settings, would look like the following:

adlb /server:rosebud.zygort.lcl /site:Chicago /log:d:\logfiles\adlbtest.log /stagger /perf

The /stagger option will not modify the connection objects of bridgehead servers in remote sites; you will need to run the utility on each bridgehead server. If you have administrative rights on the remote bridgehead server, and you have Terminal Services configured for administrative use, you can open a session and run the utility. Otherwise, you will have to work in conjunction with an administrator for the remote site.

Best Practices for Troubleshooting AD Replication

If your domain controllers are not replicating objects correctly, users will not be able to gain access to the objects that they need, and may fail to log on at all. The following are tips that you should keep in mind when troubleshooting replication issues.

◆ Use the tool you are most familiar with when troubleshooting replication problems.
◆ Verify the replication topology to make sure all of the domain controllers from all sites are interconnected.
◆ Urgent replication, such as account lockouts, will occur within the site, but will not be replicated to other sites until the site link allows it to replicate. Use RepAdmin to force the change.
◆ Create connection objects between domain controllers that hold FSMO roles and the servers that will act as their backup if the FSMO role holder fails. Make sure replication is occurring between the two servers.

4305book.fm Page 203 Wednesday, July 14, 2004 5:13 PM

Next Up

As we leave Active Directory replication troubleshooting behind, we are going to start looking at DNS. It is one of the technologies that is vital if any Active Directory function is going to be performed.
Without DNS, Active Directory replication will not work, and Active Directory will not function at all. The following chapter will introduce you to the new technologies that are available to Windows DNS servers and the tools that you can use to manage and maintain the DNS service.

Chapter 14: Maintaining DNS

There are many ways to configure your operating systems to perform the tasks that you need them to perform; however, there is one thing that you can’t escape: you have to have DNS in place for Active Directory to function. It is true that you can install Active Directory without DNS installed; however, before the directory service will run, you will need to make sure that you have implemented DNS within the organization. Active Directory does not care whether you are running DNS on a Windows-based server or a UNIX system. As long as the DNS server supports Service Locator (SRV) records, Active Directory will use it.

In Chapter 3, “Domain Name System Design,” we looked at the design options that are available when you plan your Active Directory infrastructure. In this chapter, we are going to discuss troubleshooting and maintaining the DNS infrastructure for your forest. Microsoft has introduced several new options for name resolution, and it is in your best interest to understand how each of the technologies is used so that you can maintain an efficient DNS solution for Active Directory.

DNS Resolution Methods

DNS servers provide name resolution for the DNS zones for which they are authoritative. If a DNS server is not authoritative for a zone, the server should provide the client with an alternative method of resolution. A typical DNS server will host root hints that identify the root DNS servers for the Internet.
When the server is not authoritative for a zone and the name that the client is querying for has not already been resolved, the DNS server will send an iterative query to one of the root DNS servers. The root DNS server will in turn return the address of a name server that gets the DNS server closer to a server that is authoritative for the zone. If at any time during the iterative process a DNS server has already resolved the name of the host, the address for the host is returned and the client is given a response to its query. The name caches on the DNS server and the client are updated so that they can respond immediately to subsequent queries.

For those DNS servers that sit within your organization’s internal network, you may not want them to host the root hints. Some organizations will not allow the internal DNS servers to be accessible from external clients. Those servers typically will not have the root hints installed, so another method of resolution must be configured. On Windows 2000 DNS servers, you can configure standard forwarders to send resolution requests to other DNS servers. This was a great improvement over Windows NT DNS, which was a very limited DNS service. In Windows NT DNS, if you wanted to allow name resolution for another zone, you had to create a secondary zone for the zone in question and transfer the records from a master DNS server, or use a delegation record to redirect queries to DNS servers that are authoritative for zones within the same namespace.

Windows Server 2003 addresses the limitations of having only standard forwarders by allowing an administrator to configure conditional forwarders and stub zones. Each of these technologies has its advantages as well as disadvantages within your DNS infrastructure. Knowing when to use each one will allow you to use your DNS service efficiently.
Each of the options is summarized in the following sections.

Standard Forwarder

A standard forwarder will forward unresolved queries to another DNS server. A standard forwarder can have multiple DNS servers listed within its server list, and the forwarder will send queries to each one in order, moving to the next entry only if the higher-priority DNS server cannot be contacted. Figure 14.1 shows an example of a DNS server’s forwarder list. On a Windows 2000 DNS server, the only entry that is available is the standard forwarder entry titled All Other DNS Domains. On a Windows Server 2003 DNS server, conditional forwarders can also be configured.

Conditional Forwarder

The conditional forwarder sends queries to DNS servers based on the domain name that is included in the query. Windows Server 2003 introduced the ability to configure conditional forwarders. Figure 14.2 shows a DNS server configured to use conditional forwarders. When conditional forwarders are used, they are consulted before a standard forwarder.

Stub Zone

Stub zones are new to Windows DNS, having been introduced with Windows Server 2003. A stub zone acts much the same way as a delegation record, but it automates the process of populating the zone information. With a delegation record, the administrator is responsible for identifying the DNS servers that are authoritative for the zone. If those servers change, the DNS administrator will have to change the delegation record accordingly. Stub zones, on the other hand, will retrieve an updated list of the authoritative DNS servers as they change. As the administrator adds the stub zone, the zone’s SOA record is loaded by the stub zone, and the NS and A records for each of the DNS servers that are identified as name servers for the zone are loaded into the stub zone.

Secondary Zone

A secondary zone loads all of the records from the zone so that the queries for records within the zone can be resolved by the DNS server hosting the secondary zone.
The records for the zone are transferred from a master server, which can hold the primary zone or another secondary zone.

Delegation Records

Even though delegation records have been used within DNS servers for many years, they are still alive and kicking. Administrators who want to delegate the responsibility of maintaining a subdomain can create a delegation record that directs a query to be sent to a DNS server that is authoritative for the subdomain. A delegation record appears within the zone as a gray icon, as seen in Figure 14.3.

Figure 14.1 Standard forwarder

Figure 14.2 Conditional forwarder

When a query is sent to a DNS server, it will first attempt to resolve the query from its name cache. If the query cannot be resolved from the name cache, the zones that are configured on the DNS server are checked in an attempt to have the DNS server resolve the query. Each of the primary, secondary, and stub zones is checked. If a zone contains a delegation record to the zone in question, the DNS server will respond with the address of a DNS server that is authoritative for the zone. If a stub zone exists for the zone in question, the stub zone will return the IP address of a DNS server that is authoritative for the domain.

Figure 14.3 Delegation record

If the zone is not listed on the domain controller, the server will then take advantage of the conditional forwarders, standard forwarders, and root hints, in that order. The server will first check the conditional forwarders. If conditional forwarders are not configured for the zone in question, the standard forwarder is used. If conditional and standard forwarders are not configured, the root hints will be used. If the server is not configured with root hints, then the DNS server will return a response specifying that the host cannot be located.
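As an added illustration (not code from the book), the following Python model walks a query through the resolution order just described, including the rule that a name under a zone hosted on the server is answered from that zone alone and never forwarded; the server configuration, the zone names other than zygort.lcl and _msdcs.zygort.lcl, and all addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DnsServerConfig:
    """Constructed model of one Windows Server 2003 DNS server's configuration."""
    cache: set = field(default_factory=set)                 # names already resolved
    primary_or_secondary: set = field(default_factory=set)  # zones with full record data
    stub_zones: set = field(default_factory=set)            # zones holding only SOA/NS/A of authoritative servers
    delegations: set = field(default_factory=set)           # child zones delegated from a hosted parent zone
    conditional_forwarders: dict = field(default_factory=dict)  # domain -> forwarder address
    standard_forwarders: list = field(default_factory=list)     # tried in order, next only if previous unreachable
    root_hints: bool = True


def _longest_suffix(name, zones):
    """Return the most specific zone name that is a suffix of name, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolution_method(cfg, qname):
    """Return (method, target) describing how cfg would handle a query for qname."""
    qname = qname.lower().rstrip(".")
    # 1. Name cache: an earlier answer is returned immediately.
    if qname in cfg.cache:
        return ("cache", qname)
    # 2. Hosted zones are checked next. The most specific match wins, so a delegation
    #    or stub zone below a hosted primary zone yields a referral, not an answer.
    hosted = {z: "authoritative" for z in cfg.primary_or_secondary}
    hosted.update({z: "stub-referral" for z in cfg.stub_zones})
    hosted.update({z: "delegation-referral" for z in cfg.delegations})
    zone = _longest_suffix(qname, hosted)
    if zone:
        # A hosted zone answers from its own data (possibly "name does not exist");
        # forwarders and root hints are never consulted for names under it.
        return (hosted[zone], zone)
    # 3. Conditional forwarders are used before the standard forwarder.
    domain = _longest_suffix(qname, cfg.conditional_forwarders)
    if domain:
        return ("conditional-forwarder", cfg.conditional_forwarders[domain])
    # 4. Standard forwarder: the first entry in the list is tried first.
    if cfg.standard_forwarders:
        return ("standard-forwarder", cfg.standard_forwarders[0])
    # 5. Root hints, if this server is allowed to hold them.
    if cfg.root_hints:
        return ("root-hints", ".")
    # 6. Nothing left: the server reports that the host cannot be located.
    return ("fail", qname)


def internal_server_example():
    """Constructed internal DNS server for the zygort.lcl forest used in the chapter."""
    return DnsServerConfig(
        cache={"www.example.net"},
        primary_or_secondary={"zygort.lcl"},
        delegations={"_msdcs.zygort.lcl"},
        stub_zones={"partner.lcl"},                            # hypothetical partner forest
        conditional_forwarders={"bloomco.lcl": "10.0.2.53"},  # hypothetical address
        standard_forwarders=["10.0.0.53"],                     # hypothetical address
        root_hints=False,                                      # internal server, not Internet-facing
    )
```

Querying a non-existent name under zygort.lcl returns ("authoritative", "zygort.lcl"), which is the shadowing effect the note on hosted zones describes: the server answers from its own zone and never asks a forwarder.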
Note: If the server hosts a zone within its database, it cannot use a conditional or standard forwarder, nor will the server use the root hints to perform any additional lookups for that hosted zone.

Root Domain SRV Record High Availability

Windows 2000 DNS servers that host Active Directory–integrated zones hold the records for the zone as Active Directory objects. In a Windows 2000–based domain, when you create an Active Directory–integrated zone, the zone data is stored within the domain partition and is replicated to every domain controller within the domain. In a large domain with several domain controllers, where some of those domain controllers are in remote sites, you may not want to replicate the zone information throughout the organization.

Windows Server 2003–based Active Directory–integrated zones are not required to be stored within the domain partition. A new partition type, known as the application partition, can be used to store an Active Directory–integrated zone. An application partition can be stored on every domain controller that is a DNS server within the domain or the forest, or you can create an application partition that is stored only on the domain controllers that you decide will host the zone.

Note: For more information on creating application partitions, see the section “Active Directory Application Mode” later in this chapter.

If you are upgrading your Windows 2000–based Active Directory to Windows Server 2003, and you want to make sure that the SRV records that are registered by domain controllers are available to hosts within all of the domains within the forest, you will have to make a couple of changes to the _msdcs subdomain. In Windows 2000–based domains, if the _msdcs subdomain is to be made available on DNS servers within other domains, a new zone must be created for _msdcs.
A delegation record will be created to point to the zone, and then a secondary zone will be used within the other domains’ DNS servers. With the advent of the forest-wide application partition, an administrator now has the ability to use Active Directory–integrated zones within every domain in the forest. To do so, the _msdcs zone is created as an Active Directory–integrated primary zone with a forest-wide scope, as seen in Figure 14.4. The administrator will still need to make sure that a delegation record is created so that the zone can be located when the DNS server receives a query for it. If the administrator has already created the zone as a standard primary zone, the zone only needs to be converted to Active Directory–integrated.

Figure 14.4 _msdcs with a forest-wide scope

Tip: If your forest root domain is installed using Windows Server 2003, the _msdcs zone is created as a forest-wide Active Directory–integrated zone for you, and you do not have to reconfigure the zone.

Limitations abound, and you will need to make sure that your infrastructure can handle the option you choose. For instance, if a firewall blocks TCP port 53, a stub zone will not be able to transfer the zone data. In that case, a delegation record or a forwarder can be configured instead.

Active Directory Application Mode

Active Directory Application Mode (ADAM), or application partitions as they are often called, can be used to control where application data is replicated through the forest. You can create partitions that are replicated to all domain controllers or to specific domain controllers. Where DNS is concerned, application partitions can be used to host the zone data for an Active Directory–integrated zone instead of using the domain partition. Windows Server 2003 will create the application partition for you if you are using domain-wide or forest-wide scopes.
There is one other scope option: replicating to specific domain controllers. In order to control the replication to specific domain controllers within the forest, you must create your own application partition and add replicas, which will be made part of the replication scope. In order to create an application partition, you will need to use the NTDSUtil tool. This tool will allow you to create and delete application partitions as well as control where the replicas will be held. As seen in Figure 14.5, you can create an application partition by following these steps:

Figure 14.5 Creating an application partition

1. Start NTDSUtil, and enter the command domain management.
2. At the domain management: prompt, enter the command connections to take you to the server connections: prompt.
3. From the server connections: prompt, connect to the server on which you want to create the application partition by using the command connect to server servername, and then type quit to go back to the domain management: prompt.
4. At the domain management: prompt, type create NC Partition_FQDN servername.

Note: When you add the application partition using this command, Partition_FQDN will be in the form DC=partitionname,DC=domainname,DC=TLDname.

Note: If you are adding the application partition to the system to which you are currently connected, you can use NULL instead of the server’s DNS name.

After you have added the application partition, you can assign replicas to domain controllers within the forest by performing Steps 1 through 3 and then entering the command add NC replica Partition_FQDN servername, as seen in Figure 14.6.
Figure 14.6 Adding a replica of the application partition to a domain controller

After the replicas are added, the domain controllers that host the replicas of the application partition are the only servers that will participate in replication for the partition. If you want to remove a replica, you can follow Steps 1 through 3 and then enter the command remove NC Partition_FQDN servername. After all of the replicas have been removed, you can remove the application partition completely by performing Steps 1 through 3 and then entering the command Delete NC Partition_FQDN.

You can determine whether the application partition was created by using one of two methods. The first is to use the DNSCmd tool to verify that the application partition exists. To do so, open a command prompt and enter the command dnscmd domain_controller_name /directorypartitioninfo application_partition_name, as seen in Figure 14.7. When using this command, you do not have to use the fully qualified LDAP name of the domain controller or the application partition, but you should use the fully qualified DNS name of each. Using this command will also allow you to see which domain controllers hold replicas of the application partition. The other method is to open the properties of an Active Directory–integrated zone and click the Change button next to the Active Directory–integrated zone replication scope. Click the radio button marked To All Domain Controllers Specified In The Scope Of The Following Active Directory Partition, as seen in Figure 14.8. If the application partition appears in the pulldown list, the partition has been created.
Figure 14.7 Using DNSCmd to verify the creation of an application partition

Figure 14.8 Application partition being chosen to host records for an Active Directory–integrated zone

Diagnostic Tools

DNS has been around for a long time, and there are several tools that you can use when attempting to troubleshoot name resolution problems. The standard TCP/IP tools, such as ping and tracert, will allow you to troubleshoot some basic issues; however, if you want to troubleshoot the DNS server and the zones within it, you will want to use the nslookup command. Using nslookup will allow you to determine whether records have been registered and whether the DNS server is responding to queries correctly. Nslookup runs in two modes, interactive and noninteractive. In interactive mode, you can continue issuing commands against the DNS server. In noninteractive mode, you issue individual commands against the server. To determine whether the SRV records for the domain have registered, you can issue the following commands at a command prompt:

1. Type nslookup to enter interactive mode.
2. At the > prompt, type ls -t SRV domainname.

If you are trying to view the SRV records for the domain zygort.lcl, you should enter the command ls -t SRV _msdcs.zygort.lcl. Figure 14.9 is an example of the output that you would receive.

[...] server

Figure 14.11 Debug Logging tab of DNS properties

Best Practices for Maintaining DNS

DNS is the lifeblood of your Active Directory infrastructure. Without it, not only will your clients be unable to find the domain controllers, but the domain controllers will not be able to perform replication of the Active Directory objects, the FRS will not function, and several [...]
[...] that you can use to make sure FRS is working correctly and how to get it back into an operational state if it is not.

Chapter 15: Troubleshooting the File Replication Service

In Chapter 13, “Troubleshooting Active Directory Replication,” we discussed Active Directory replication issues. In Chapter 14, “Maintaining DNS,” we looked at DNS maintenance and troubleshooting. Both of these chapters are a good preview [...]

[...] perform its duties. FRS also relies on Active Directory replication to be working so that the Active Directory objects that make up GPOs are replicated among the domain controllers. Active Directory’s domain partition replication topology is used when determining the replication topology for FRS. Doing so will allow you to update both the Active Directory object and Sysvol objects that correspond to one [...]

[...] plague Active Directory infrastructures, we will move on to another troublesome issue, logon failures. Several things can cause logon failures within an Active Directory environment. Understanding what causes most logon failures is in your best interest. Once you have a good handle on the symptoms of the most common failures, you will be able to pinpoint problems easily and resolve them quickly.

Chapter 16 [...]

[...] want a functional Active Directory infrastructure. With all of the different types of Active Directory environments that exist, you will need to make sure that you are choosing the correct method of name resolution to suit your needs. At the same time, you’ll need to make sure you understand how each of the options works so that you can troubleshoot and repair. Another part of your Active Directory infrastructure [...]
[...] account properties within Active Directory. Figure 16.6 shows the password policy screen that appears when you click the Domain Password Policy button from the Additional Account Info property page shown in Figure 16.7. To install acctinfo.dll, you will need to type regsvr32 acctinfo.dll at a command prompt or from the Run line. You will need to close and reopen Active Directory Users and Computers for the [...]

[...] to become an expert on FRS, and in a large Active Directory infrastructure you should have a team that is—you will want to study this file. This file includes complete details as to how FRS works, best practices for supporting FRS, troubleshooting tips, and a complete list of events that are registered to the Event Viewer as FRS events occur. [...]

[...] interaction between the domain controllers and the PDC emulator. To enable NetLogon logging, you will need to open a command prompt and enter the command nltest /dbflag:0x2080ffff. This will create a log file within the systemroot\Debug directory called netlogon.log.

Tip: After running the nltest command to enable NetLogon logging, if the netlogon.log file does not exist, stop and restart the NetLogon service. [...]

Chapter 16: Troubleshooting Logon Failures

Nothing is more frustrating for users than to attempt to log on first thing on a Monday morning, only to receive an error. Immediately their work week is off to a bad start, and they are on their way to having a bad day. Troubleshooting is your realm, so it’s up to you to determine what is causing the problem and set things back on track. Within an Active Directory [...]
[...] this new property page.

Figure 16.6 Domain Password Policy

Figure 16.7 Property page added by acctinfo.dll

EventCombMT

This tool will search through the event logs on several systems looking for events that you have specified. The default events that the tool will search for are 529, 644, 675, 676, and 681. You can add additional Event IDs if you know which [...]
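As an added example (not the tool's own code or output), the following Python sketch performs the kind of multi-system search EventCombMT does with its default event IDs, and then correlates each lockout with the workstations that produced the failed logons for that account across all domain controllers; the domain controller names, accounts, and workstation names are constructed sample data.

```python
from collections import defaultdict

# Security event IDs EventCombMT searches for by default (per the chapter),
# with their Windows Server 2003 security log event names.
DEFAULT_EVENT_IDS = {
    529: "Logon failure: unknown user name or bad password",
    644: "User account locked out",
    675: "Kerberos pre-authentication failed",
    676: "Kerberos authentication ticket request failed",
    681: "Logon failure: NTLM logon attempt failed",
}

# Constructed sample events: (domain controller, event ID, account, source workstation).
SAMPLE_EVENTS = [
    ("dc1.zygort.lcl", 529, "jsmith", "WS042"),
    ("dc1.zygort.lcl", 529, "jsmith", "WS042"),
    ("dc2.zygort.lcl", 675, "jsmith", "WS042"),
    ("dc2.zygort.lcl", 644, "jsmith", "WS042"),
    ("dc1.zygort.lcl", 529, "bjones", "WS017"),
    ("dc1.zygort.lcl", 538, "bjones", "WS017"),   # user logoff, not in the default set
    ("dc3.zygort.lcl", 681, "svc_backup", "APP01"),
]


def comb_events(events, event_ids=DEFAULT_EVENT_IDS):
    """Collect the matching events from every system, grouped by account."""
    by_account = defaultdict(list)
    for dc, event_id, account, source in events:
        if event_id in event_ids:
            by_account[account].append((dc, event_id, source))
    return dict(by_account)


def lockout_sources(events):
    """For each account with a lockout (644), list the workstations that generated
    failed logons (529/675/681) for it on any DC. Lockout processing involves the
    PDC emulator, so the failures and the lockout often sit on different DCs,
    which is why the logs of several systems have to be combed together."""
    failures = defaultdict(set)
    locked = set()
    for _dc, event_id, account, source in events:
        if event_id in (529, 675, 681):
            failures[account].add(source)
        elif event_id == 644:
            locked.add(account)
    return {account: sorted(failures[account]) for account in sorted(locked)}
```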

Posted: 13/08/2014, 15:21
