Best Practice AV set up on SAP Servers
Hi,
Has anyone come across, or is anyone aware of, any best practice guidelines for AV setup on SAP servers, for example, which files/drives you should exclude and which configuration tuning/reg-edits are required? We have McAfee as our standard AV and we do use the HIPS component.
Thanks,
Martin
My best advice is:
Don't run AV on a database server but rather reconfigure the local/a firewall so that only those ports are open which are necessary to run the SAP application.
Excluding files may help a bit but nevertheless, as soon as the AV scanner is installed it will hook up to the filesystem layer and slow down (maybe not significantly) I/O. I've seen weird side effects in upgrades and patch installations due to an enabled scanner although the database files and executables were excluded from scanning.
If you're urged to run Windows servers then I would put them in a separate network segment with a firewall in front and enable only the necessary SAP ports (and printing ports). This has a number of advantages:
- nasty RPC bugs can't be exploited because RPC to the SAP system should be disabled
- there's no need to reboot the Windows machines on every "Microsoft patch day"
A virus scanner adds, especially for production database systems, a non-deterministic risk to the business.
Markus
Similar Messages
-
Could you please share your best practices for setting up a new Windows Server 2012 r2 Hyper-V Virtualized AD DC, that will be running on a new WinSrv 2012 r2 host server. (This
will be for a brand new network setup, new forest, domain, etc.)
Specifically, your best practices regarding:
the sizing of non virtual and virtual volumes/partitions/drives,
the use of sysvol, logs, & data volumes/drives on hosts & guests,
RAID levels for the host and the guest(s),
IDE vs SCSI and drivers both non virtual and virtual and the booting thereof,
disk caching settings on both host and guests.
Thanks so much for any information you can share.
A bit of non essential additional info:
We are a small to midrange school district who, after close to 20 years on Novell networks, have decided to design and create a new Microsoft network and migrate all of our data and services
over to the new infrastructure. We are planning on rolling out 2012 r2 servers with as much Hyper-v virtualization as possible.
During the last few weeks we have been able to find most of the information we need to undergo this project, and most of the information was pretty solid with little ambiguity, except for
information regarding virtualizing the DCs, which has been a bit inconsistent.
Yes, we have read all the documents that most of these posts tend to point to, but found some, if not most, are still referring to performing this under Srvr 2008 r2, and haven’t really
seen all that much on Srvr2012 r2.
We have read these and others:
Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100),
Virtualized Domain Controller Technical Reference (Level 300),
Virtualized Domain Controller Cloning Test Guidance for Application Vendors,
Support for using Hyper-V Replica for virtualized domain controllers.
Again, thanks for any information, best practices, cookie cutter or otherwise that you can share.
Chas. -
What is the best practice for setting up warehouse inventory for oil & gas tank farm
Hi, i want to know the best practice for setting up warehouse inventory for oil & gas tank farm. SAP has these levels for inventory management in warehouse environment: warehouse-aisle-shelf-bin. To me the bin seems to be the central location for inventory. So do i set up each oil tank as a bin location?
Hi,
Please refer below link:
https://help.sap.com/saphelp_sbo900/helpdata/EN/ad/4f233a7b864c7cbe2b57ad09246adb/content.htm
SAP Business One 9.0 Training - Feb 6, 2013 - Warehouse Bins - YouTube
Thanks & Regards,
Nagarajan -
Best practice identifying ERT modules with SAP / IS-Utilities
Hi everybody,
I'm looking for the best practice identifying ERT modules with SAP / IS-Utilities (electricity).
Here's the physical device set up :
The ERT modules are internal to the electricity meter. They're integrated into a multi purpose electronic circuit. So they can't be removed physically as a separate device.
The ERT modules are used to transmit data from the meter to a radio frequency receiver (handheld or drive-by). The main data that is transmitted is the consumption reading. So the receiver stores the ERT module number and the reading value.
There may be one or more ERT modules in a single meter, and each ERT module transmits its own specific consumption reading (energy reading, demand reading, etc...).
Each ERT module has its own manufacturer number.
My issue is :
To find a way to identify in IS-U the ERT module within the meter's register group (or somewhere else???) in order to relate each register to its ERT module number.
The purpose of all this is to create reading orders with the ERT module number following for each register.
This way we can match, using a unique key, each reading order and its corresponding reading value uploaded from the radio frequency receiver (handheld or drive-by).
Thanks for your help and ideas on best practice.
Hi,
1) The system (application) environment of BI (what is integrated in it - e. g. within the portal, there is a storage for unstructured information like documents or virtual rooms for collaboration between departments - and what does it make)
Document management from RSA1 transaction of BI helps to attach any unstructured documents at specific level in BI.
2) How does development in BI works (development environment, coding, debugging, building, deployment and test) and what is used stronger (ABAP or ABAP OO)? Here, I don't mean how to write ABAP or ABAP OO programs, only the infrastructure from development to transport to a target system
BI has got a separate tool and GUI to perform all the Extract, Transform and load related activities. ABAP is part of BI but you don't need much extensive ABAP learning. Basic ABAP is sufficient to write routines and extractors.
3) How is a BI system to configure as default after installation?
May be a BASIS person can help you out here about the configuration but this is not the job of BI person.
4) Good guides (e/books) to learn ABAP and ABAP OO (as far as possible oriented on the practice)
You can search for SAM Series learn ABAP in 24 days book. This book is sufficient to learn the ABAP required for working in BI.
But except ABAP you will have to completely learn the BI system to work efficiently.
Regards,
Durgesh. -
Best practices for setting up projects
We recently adopted using Captivate for our WBT modules.
As a former Flash and Director user, I can say it’s
fast and does some great things. Doesn’t play so nice with
others on different occasions, but I’m learning. This forum
has been a great source for search and read on specific topics.
I’m trying to understand best practices for using this
product. We’ve had some problems with file size and
incorporating audio and video into our projects. Fortunately, the
forum has helped a lot with that. What I haven’t found a lot
of information on is good or better ways to set up individual
files, use multiple files and publish projects. We’ve decided
to go the route of putting standalones on our Intranet. My gut says
yuck, but for our situation I have yet to find a better way.
My question for discussion, then is: what are some best
practices for setting up individual files, using multiple files and
publishing projects? Any references or input on this would be
appreciated.
Hi,
Here are some of my suggestions:
1) Set up a style guide for all your standard slides. Eg.
Title slide, Index slide, chapter slide, end slide, screen capture,
non-screen capture, quizzes etc. This makes life a lot easier.
2) Create your own buttons and captions. The standard ones
are pretty ordinary, and it's hard to get a slick looking style
happening with the standard captions. They are pretty easy to
create (search for add print button to learn how to create
buttons). There should be instructions on how to customise captions
somewhere on this forum. Customising means that you can also use
words, symbols, colours unique to your organisation.
3) Google elearning providers. Most use captivate and will
allow you to open samples or temporarily view selected modules.
This will give you great insight on what not to do and some good
ideas on what works well.
4) Timings: Using the above research, I got others to
complete the sample modules to get a feel for timings. The results
were clear, 10 mins good, 15 mins okay, 20 mins kind of okay, 30
mins bad, bad, bad. It's truly better to have a learner complete
2-3 short modules in 30 mins than one big monster. The other
benefit is that shorter files equal smaller size.
5) Narration: It's best to narrate each slide individually
(particularly for screen capture slides). You are more likely to
get it right on the first take, it's easier to edit and you don't
have to re-record the whole thing if you need to update it in
future. To get a slicker effect, use at least two voices: one male,
one female and use slightly different accents.
6) Screen capture slides: If you are recording filling out
long window based database pages where the compulsory fields are
marked (eg. with a red asterisk) - you don't need to show how to
fill out every field. It's much easier for the learner (and you) to
show how to fill out the first few fields, then fade the screen
capture out, fade the end of the form in with the instructions on
what to do next. This will reduce your file size. In one of my
forms, this meant the removal of about 18 slides!
7) Auto captions: they are verbose (eg. 'Click on Print
Button' instead of 'Click Print'; 'Select the Print Preview item'
instead of 'Select Print Preview'). You have to edit them.
8) PC training syntax: Buttons and hyperlinks should normally
be 'click'; selections from drop down boxes or file lists are
normally 'select': Captivate sometimes mixes them up. Instructions
should always be written in the correct order: eg. Good: Click
'File', Select 'Print Preview'; Bad: Select 'Print Preview' from
the 'File Menu'. Button names, hyperlinks, selections are normally
written in bold
9) Instruction syntax: should always be written in an active
voice: eg. 'Click Options to open the printer menu' instead of
'When the Options button is clicked on, the printer menu will open'
10) Break all modules into chapters. Frame each chapter with
a chapter slide. It's also a good idea to show the Index page
before each chapter slide with a progress indicator (I use an
animated arrow to flash next to the name of the next chapter), I
use a start button rather than a 'next' button for the start of each
chapter. You should always have a module overview with the purpose
of the course and a summary slide which states what was covered and
they have completed the module.
11) Put a transparent click button somewhere on each slide.
Set the properties of the click box to take the learner back to the
start of the current chapter by pressing F2. This allows them to
jump back to the start of their chapter at any time. You can also
do a similar thing on the index pages which jumps them to another
chapter.
12) Recording video capture: best to do it at normal speed
and be conscious of where your mouse is. Minimise your clicks. Most
people (until they start working with captivate) are sloppy with
their mouse and you end up with lots of unnecessary slides that
you have to delete out. The speed will default to how you recorded
it and this will reduce the amount of time you spend on changing
timings.
13) Captions: My rule of thumb is minimum of 4 seconds - and
longer depending on the amount of words. Eg. Click 'Print Preview'
is 4 seconds, a paragraph is longer. If you are creating knowledge
based modules, make the timing long (eg. 2-3 minutes) and put in a
next button so that the learner can click when they are ready.
Also, narration means the slides will normally be slightly longer.
14) Be creative: Captivate is desk bound. There are some
learners that just don't respond no matter how interactive
Captivate can be. Incorporate non-captivate and desk free
activities. Eg. As part of our OHS module, there is an activity
where the learner has to print off the floor plan, and then wander
around the floor marking on the map key items such as: fire exits;
first aid kit, broom and mop cupboard, stationery cupboard, etc.
Good luck! -
Best practiceS for setting up Macs on Network
Greetings.
We have six Macs on our Windows Server network; three iMacs and three laptops. We have set up all the machines and they are joined to the Active Directory. In the past, we have always created local users on the machines and then "browsed" to the server shares and mounted them. We've learned things have improved/changed over the years and we're just now realizing we can probably have the machines set up to work better. So, I have a couple of questions for "best practices" when setting up each of the machines.
1. Since we’re in a network environment, should we not set up “local logins/users” and instead have users login using their AD login? It seems having a local account creates some conflicts with the server since upgrading to lion.
2. Should we set the computer to not ask for a “list of users” and instead ask for a username and password for logins?
3. For the user that uses the machine most often, they can still customize their desktop when they use an AD login, correct?
4. Should we set up Mobile User Accounts? What exactly does this do?
Any other advice on how we should best be setting up the clients for our environment to make sure we are following best practices would be great!
Thanks for any help!
Jay -
Best practice for setting or detecting screen size?
Hi All,
Trying to determine a best practice for setting or detecting the screen size. For playbook and iOS, I can set them. But for Android, the number of devices is too large so I'd rather detect. My first choice is to use the stage.stageHeight and stage.stageWidth. This works fine if I set my stage properties with standard meta data:
[SWF(height="320", width="480", frameRate="64", backgroundColor="#010101")]
However, if I use the application descriptor file to set the stage dimensions (as suggested by Christian Cantrell here http://www.adobe.com/devnet/flash/articles/authoring_for_multiple_screen_sizes.html)
<initialWindow>
<aspectRatio>landscape</aspectRatio>
<autoOrients>false</autoOrients>
<width>320</width>
<height>480</height>
<fullScreen>true</fullScreen>
</initialWindow>
Then the stage.stageHeight and stage.stageWidth are not the correct numbers when my main class is added to the stage. Sometime after the main class is added to the stage, then those numbers are fine. Is there an event I can wait for to know that the stage.stageHeight and stage.stageWidth are correct?
Thanks in advance!
Hi Lee,
Thanks for the quick response! However, for some reason the heightPercent & widthPercent metadata tags are not working as expected for me.
I have a wrapper class that I target for compiling, WagErgApplePhone.as where I've got my metadata
[SWF(heightPercent="100%", widthPercent="100%", frameRate="64", backgroundColor="#010101")]
sets some stage properties
stage.quality=StageQuality.LOW;
stage.scaleMode = StageScaleMode.NO_SCALE;
stage.align = StageAlign.TOP_LEFT;
and instantiates my main class
var main:Main = new Main();
addChild(main);
my main class constructor even waits for the stage
public function Main(){
if (stage) init();
else addEventListener(Event.ADDED_TO_STAGE, init);
in my init function, stage.stageHeight traces out as 375 (expecting 320).
i have a function which is called via a button press event by the user, and stage.stageHeight traces out correctly (320) there. that's what makes me think that if i wait long enough, i can get the correct stageHeight before init/drawing. but i'm not sure what event to listen for, or if there's another trick.
if i use Capabilities.screenResolutionX and Capabilities.screenResolutionY the correct values are provided for mobile, but these values are not useful for the desktop and web version of the app. if there's no other solution, i'll execute different code depending on platform.
again, for reference, my app descriptor:
<initialWindow>
<aspectRatio>landscape</aspectRatio>
<autoOrients>false</autoOrients>
<width>320</width>
<height>480</height>
<content>bin-iOS/WagErgApplePhone.swf</content>
<title>WAG ERG</title>
<fullScreen>true</fullScreen>
<renderMode>cpu</renderMode>
</initialWindow>
looking forward to any other ideas to try out & thanks so much for your thoughts! if you want to really dig in, this is an opensource project at code.google.com/p/wag-erg/ -
Best practice for highly available management / publishing servers
I am testing a highly available appv 5.0 environment, which will deploy appv packages to a Xenapp farm. I have two SQL 2012 servers configured as an availability group for the backend, and two publishing / management servers for the front end.
What is the best practice to configure the publishing / management servers for high availability? Should I configure them as an NLB cluster, which I have tested and does seem to work, or should I just use the GPO to configure the clients to use both
publishing servers, which I have also tested and appears to work?
Thanks,
Patrick Sullivan
In App-V 5.0 the Management and Publishing Servers are hosted in IIS, so use the same approach for HA as you would any web application.
If NLB is all that's available to you, then use that; otherwise I would recommend a proper load balancing solution such as Citrix NetScaler or KEMP LoadManager.
This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.
-
Best practice to set up the user authorization
Dear expert,
I have a question regarding the user authorization access. I've attended the BOE training but I'm still unclear in terms of user authorization planning. Currently, I have around 50 named users that need to access the BOE server. But certain users will be restricted to access to certain folders or reports. May I know what is the best practice to set up the user authorization access? Should I set up first in the development machine and once it's firm, then I migrate it to production machine, or are there any steps that I need to follow?
Really appreciate if you can let me know on what I should look into first before setting up the authorization. Is there any document that I can refer to?
Thanks & Regards,
-Syahida-
Create User Group for each folder (for eg. Sales/Marketing etc) and also based on the type of access you want to provide.
Like Sales VOD/ Sales View/Sales Schedule, and add users to the User Group based on the type of rights you want to provide them. Then add the User Group to respective report folders.
First deploy it in the Development environment, once you have everything finalized then you can replicate the same to QA and Prod environment by migration. Also make sure that in Development environment developers will have full control to develop/add reports to folders, you have to restrict that in QA & Prod environment. -
Best practice for the Update of SAP GRC CC Rule Set
Hi GRC experts,
We have in a CC production system a SoD matrix that we would like to modify extensively. Basically by activating many permissions.
What is a best practice for accomplishing our goal?
Many thanks in advance. Best regards,
Imanol
Hi Simon and Amir
My name is Connie and I work at Accenture GRC practice (and a colleague of Imanol’s). I have been reading this thread and I would like to ask you a question that is related to this topic. We have a case where a Global Rule Set “Logic System” and we may also require to create a Specific Rule Set. Is there a document (from SAP or from best practices) that indicates the potential impact (regarding risk analysis, system performance, process execution time, etc) caused by implementing both types of rule sets in a production environment? Are there any special considerations to be aware of? Have you ever implemented this type of scenario?
I would really appreciate your help and if you could point me to specific documentation could be of great assistance. Thanks in advance and best regards,
Connie -
Best practices for setting up users on a small office network?
Hello,
I am setting up a small office and am wondering what the best practices/steps are to setup/manage the admin, user logins and sharing privileges for the below setup:
Users: 5 users on new iMacs (x3) and upgraded G4s (x2)
Video Editing Suite: Want to connect a new iMac and a Mac Pro, on an open login (multiple users)
All machines are to be able to connect to the network, peripherals and external hard drive. Also, I would like to setup drop boxes as well to easily share files between the computers (I was thinking of using the external harddrive for this).
Thank you,
Hi,
Thanks for your posting.
When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology.
For more and detail information, please refer to:
Best Practices for Adding Domain Controllers in Remote Sites
http://technet.microsoft.com/en-us/library/cc794962(v=ws.10).aspx
Regards.
Vivian Wang -
Best Practice for setting systems up in SMSY
Good afternoon - I want to cleanup our SMSY information and I am looking for some best practice advice on this. We started with an ERP 6.0 dual-stack system. So I created a logical component Z_ECC under "SAP ERP" --> "SAP ECC Server" and I assigned all of my various instances (Dev, QA, Train, Prod) to this logical component. We then applied Enhancement Package 4 to these systems. I see under logical components there is an entry for "SAP ERP ENHANCE PACKAGE". Now that we are on EhP4, should I create a different logical component for my ERP 6.0 EhP4 systems? I see in logical components under "SAP ERP ENHANCE PACKAGE" there are entries for the different products that can be updated to EhP4, such as "ABAP Technology for ERP EHP4", "Central Applications", ... "Utilities/Waste&Recycl./Telco". If I am supposed to change the logical component to something based on EhP4, which should I choose?
The reason that this is important is that when I go to Maintenance Optimizer, I need to ensure that my version information is correct so that I am presented with all of the available patches for the parts that I have installed.
My Solution Manager system is 7.01 SPS 26. The ERP systems are ECC 6.0 EhP4 SPS 7.
Any assistance is appreciated!
Regards,
Blair Towe
Hello Blair,
In this case you have to assign products EHP 4 for ERP 6 and SAP ERP 6 for your system in SMSY.
You will then have 2 entries in SMSY, one under each product, the main instance for EHP 4 for ERP 6 must be central applications and the one for SAP ERP 6 is SAP ECC SERVER.
This way your system should be correctly configured to use the MOPZ.
Unfortunately I'm not aware of a guide explaining these details.
Sometimes the System Landscape guide at service.sap.com/diagnostics can be very useful. See also note 987835.
Hope it can help.
Regards,
Daniel.
Edited by: Daniel Nicol on May 24, 2011 10:36 PM -
Networking "best practice" for setting up a farm
Hi all.
We would like to set an OracleVM farm, and I have a question about "best practice" for
configuring the network. Some background:
- The hardware I have is comprised of machines with 4 gig-eth NICs each.
- The storage will be coming primarily from a backend NAS appliance (Netapp, FWIW).
- We have already allocated a separate VLAN for management.
- We would like to have HA capable VMs using OCFS2 (on top of NFS.)
I'm trying to decide between 2 possible configurations. The first would keep physical separation
between the mgt/storage networks and the DomU networks. The second would just trunk
everything together across all 4 NICs, something like:
Config 1:
- eth0 - management/cluster-interconnect
- eth1 - storage
- eth2/eth3 => bond0 - 8021q trunked, bonded interfaces for DomUs
Config 2:
- eth0/1/2/3 => bond0
Do people have experience or recommendation about the best configuration?
I'm attracted to the first option (perhaps naively) because CI/storage would benefit
from dedicated bandwidth and this configuration might also be more secure.
Regards,
Robert.
user1070509 wrote:
Option #4 (802.3ad) looks promising, but I don't know if this can be made to work across
separate switches.
It can, if your switches support cross-switch trunking. Essentially, 802.3ad (also known as LACP or EtherChannel on Cisco devices) requires your switch to be properly configured to allow trunking across the interfaces used for the bond. I know that the high-end Cisco and Juniper switches do support LACP across multiple switches. In the Cisco world, this is called MEC (Multichassis EtherChannel).
If you're using low-end commodity-grade gear, you'll probably need to use active/passive bonds if you want to span switches. Alternatively, you could use one of the balance algorithms for some bandwidth increase. You'd have to run your own testing to determine which algorithm is best suited for your workload.
The Linux Foundation's Net:Bonding article has some great information on bonding in general, particularly on the various bonding methods for high availability:
http://www.linuxfoundation.org/en/Net:Bonding -
Best practices of BO/BW SSO SAP Authentication transports
Hi Friends,
We are going to integrate BW system with BO (SAP authentication). All the queries are built through BICS connections. And we have various reporting tools to implement SSO SAP authentication (Webi,Crystal,Dashboard.Design studio…etc)
As per the process there are certain activities which has to be performed at BW level
e.g -- BW Roles creation (PFCG---Crystal role enablement) and assigning to BO users
Once it is created in BW , we have to do integration at BO level( in CMC application) by selecting authentication and roles import followed by ……Groups..Users…folder and access level...
My question here is
Transports of BW objects for BO SSO (SAP) authentication (such as roles created for Users, Keystore certificate, uploads). Will these objects be transported by BW team or they will be separately downloading or uploading the certificate in different systems (like QAS ...PROD….)
And at BO level, once I integrate BO SSO, Do I need to do manual integration in QAS and Production system as well or it can be transported with promotion management of BO tool
Will these SSO(SAP) authentication can be applied to all tools in BI Launchpad such as (Design studio,Webi,Web application,Crystal….etc) as all users are required to have SSO to all BO tool
Regarding LUMIRA tool , Can we do SSO authentication
Please share your thoughts and experience.
It would be great if I get BO administration best practices document for BW BO SSO and Users and Group management in CMC for implementing
Thanks in advance
Hi,
Please find my answers below:
1. The roles will be created in BW and should automatically appear in BO CMC Authentication SAP roles, if there is a connectivity setup between BO and BW irrespective of the SSO. The roles are transported by the BW security team.
2. Every environment will have a unique connection to the corresponding SAP BW environment. For example SAP BW DEV will be mapped to BO DEV, SAP BW PROD will be mapped to BO PROD. So these settings cannot be migrated through Promotion Management.
3. This authentication can be applied to all tools, the SSO does not depend on the tool, it depends on the integration between two systems which in this case are BO and SAP BW
As mentioned earlier, after integration all tools can have SSO
You can refer to a lot of help documents on this site which will help you to setup the integration between SAP BW AND SAP BO.
Kind Regards,
Priyanka -
2K8 - Best practice for setting the DNS server list on a DC/DNS server for an interface
We have been referencing the article
"DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers"
http://technet.microsoft.com/en-us/library/dd378900%28WS.10%29.aspx but there are some parts that are a bit confusing. In particular is this statement
"The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain
controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller.
The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.”
The paragraph switches from using the term "its own IP address" to "loopback" address. This is confusing because technically they are not the same. Loopback addresses are 127.0.0.1 through 127.255.255.255. The resolution section then
goes on and adds the "loopback address" 127.0.0.1 to the list of DNS servers for each interface.
In the past we always setup DCs to use their own IP address as the primary DNS server, not 127.0.0.1. Based on my experience and reading the article I am under the impression we could use the following setup.
Primary DNS: Locally assigned IP of the DC (i.e. 192.168.1.5)
Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
Tertiary DNS: 127.0.0.1
I guess the secondary and tertiary addresses could be swapped based on the article. Is there a document that provides clearer guidance on how to setup the DNS server list properly on Windows 2008 R2 DC/DNS servers? I have seen some other discussions
that talk about the pros and cons of using another DC/DNS as the Primary. MS should have clear guidance on this somewhere.
Actually, my suggestion, which seems to be the mostly agreed method, is:
Primary DNS: Locally assigned IP of the DC (i.e. 192.168.1.5)
Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
Tertiary DNS: empty
The tertiary more than likely won't be hit, (besides it being superfluous and the list will reset back to the first one) due to the client side resolver algorithm time out process, as I mentioned earlier. Here's a full explanation on how
it works and why:
This article discusses:
WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB).
The DNS Client Side Resolver algorithm.
If one DC or DNS goes down, does a client logon to another DC?
DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders)
Client side resolution process chart
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
DNS
Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx
The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
I agree with this proposed solution as well:
Primary DNS: Locally assigned IP of the DC (i.e. 192.168.1.5)
Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
Tertiary DNS: empty
One thing to note, in this configuration the Best Practice Analyzer will throw the error:
The network adapter Local Area Connection 2 does not list the loopback IP address as a DNS server, or it is configured as the first entry.
Even if you add the loopback address as a Tertiary DNS address the error will still appear. The only way I've seen this error eliminated is to add the loopback address as the second entry in DNS, so:
Primary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
Secondary DNS: 127.0.0.1
Tertiary DNS: empty
I'm not comfortable not having the local DC/DNS address listed so I'm going with the solution Ace offers.
Opinion?