DNS Scavenging

Guys,
what's the difference between the "set Scavenging for All Zones" option and "enable auto scavenging of stale records" in the advanced settings of DNS?

Correct - it will not. If you are looking for clarification regarding this and the best practice recommendations, read through the article I referenced above -
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx
In particular:
Scavenging is set in three places on a Windows Server:
On the individual resource record to be scavenged.
On a zone to be scavenged.
At one or more servers performing scavenging.
It must be set in all three places or nothing happens.
and
My best practices
Here is how I set scavenging up on a preexisting zone. This procedure is designed for maximum safety. Using default settings, this process can take as long as 4-5 weeks (2 weeks for the Sanity phase, 2-3 weeks for the Enable phase).
Setup phase
Turn off scavenging on all servers. To confirm scavenging won't inadvertently run, use DNSCmd /ZoneResetScavengeServers to confine scavenging to a single server, then ensure this server has scavenging disabled.
Turn on scavenging on the zones you wish to scavenge.  Set the refresh and No-refresh intervals as desired.  If you want things to scavenge more aggressively I would recommend lowering the No-refresh interval at the cost of some replication traffic. 
Leave the refresh at the default.
Add today's date plus the Refresh and No-Refresh intervals. Come back in a few weeks when this time has elapsed. Seriously, you can't rush this.
Sanity check phase
Sift through your DNS records looking for any records older than the Refresh + No-Refresh interval. If you see any, then something has gone wrong with the dynamic registration process and it must be corrected before proceeding.
A thorough check at this point is the most important step in setup.
Things to check if you find old records:
Does an IPConfig /registerdns work?
Who is the owner of the record (see security tab in the record properties)?
Was the record statically created by an admin then later enabled for scavenging?  If so you may need to delete the record to clear ownership and run an IPConfig /registerdns to get it updated.
Is the server replicating OK with AD?
Do not proceed unless you can explain any outdated records.  In the next phase they will be deleted.
Enable phase
The final step is to actually enable scavenging. Enable scavenging on the single server you used the /ZoneResetScavengeServers command on.
Once enabled, create a new test record and enable it for scavenging. Then map out the point in time when this record will disappear. Here is how:
Start with the timestamp on the record
Add the refresh interval
Add the no refresh interval
The result will be your "eligible to scavenge" time.  The record will not disappear at this time though.  It's just eligible.
Check your DNS event logs for 2501 and 2502 events to find what hour the DNS server is doing a scavenging run.
Take your "eligible to scavenge" time, find the most recent 2501/2502 event and add the server's Scavenging Period (from server properties | advanced tab) to it.  This is the point in time when the test record you just created will disappear.
hth
Marcin
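The "eligible to scavenge" arithmetic and the sanity-check sweep described above are easy to get wrong by a whole scavenging period. The following Python is an added example, not code from Marcin's post or from the TechNet article he quotes; the interval values, the zone contents and the 2501/2502 event time are constructed, and the `deletion_time` function goes slightly beyond the text by stepping forward in whole Scavenging Periods instead of adding exactly one.

```python
from datetime import datetime, timedelta

# Constructed sample settings (not taken from the thread): zone intervals and
# the server-side Scavenging Period from the Advanced tab. Windows DNS ages
# records with hour granularity, so all arithmetic here is in whole hours.
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)
SCAVENGING_PERIOD = timedelta(days=7)


def apply_refresh(timestamp, attempt, no_refresh=NO_REFRESH):
    """Model a dynamic re-registration of an unchanged record.

    Inside the No-refresh interval the server keeps the old timestamp; once
    that interval has passed, the refresh moves the timestamp to the attempt.
    """
    if attempt < timestamp + no_refresh:
        return timestamp
    return attempt


def eligible_time(timestamp, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Timestamp + No-refresh + Refresh: the 'eligible to scavenge' time."""
    return timestamp + no_refresh + refresh


def deletion_time(timestamp, last_run, period=SCAVENGING_PERIOD,
                  no_refresh=NO_REFRESH, refresh=REFRESH):
    """First scavenging run at or after the eligible time.

    last_run is the time of the most recent 2501/2502 event. The post adds one
    Scavenging Period to it; this steps forward in whole periods so it is also
    right when the record is still inside its intervals at that next run.
    """
    eligible = eligible_time(timestamp, no_refresh, refresh)
    run = last_run + period
    while run < eligible:
        run += period
    return run


def stale_records(records, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Sanity-check phase: names whose timestamp is older than
    now - (No-refresh + Refresh). A timestamp of None models a static record,
    which aging ignores, so it is never reported here."""
    cutoff = now - (no_refresh + refresh)
    return sorted(name for name, ts in records.items()
                  if ts is not None and ts < cutoff)


if __name__ == "__main__":
    now = datetime(2014, 1, 15, 9)
    # Constructed zone contents: a healthy dynamic record, one that stopped
    # refreshing months ago, and a static entry.
    zone = {
        "ws01": datetime(2014, 1, 14, 3),
        "oldbox": datetime(2013, 11, 1, 0),
        "printer-static": None,
    }
    print("explain before enabling:", stale_records(zone, now))

    # Test record created right after scavenging was enabled on the server.
    test_ts = now
    last_2501 = datetime(2014, 1, 15, 2)
    print("eligible:", eligible_time(test_ts))
    print("disappears at:", deletion_time(test_ts, last_2501))
    print("refresh ignored:",
          apply_refresh(test_ts, datetime(2014, 1, 18, 9)) == test_ts)
```

Anything `stale_records` reports before scavenging is enabled is exactly what the next run will delete, which is why the post insists on explaining every old record first; `apply_refresh` shows why a record that registers daily still shows a timestamp up to a week old.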

Similar Messages

  • Are my DNS scavenging settings correct? Server 2008 r2

    hi
    I can't seem to get my DNS scavenging to work correctly.
    I have inherited the network from another network admin who has left.
    Scavenging is enabled on the server.
    When I ran
    dnscmd /zoneinfo domain.com
    it never returned a DNS scavenging server. I think this was because a domain controller was removed several years ago and that was set as the scavenger, perhaps? Not sure.
    So I ran the command
    dnscmd /ZoneResetScavengeServers domain.com 192.168.1.194
    This added a new scavenging server, but I still can't get scavenging to work. These are my settings; do they look correct?
    I noticed the directory partition is set to AD-legacy. Is this correct? Some of the screenshots I have seen online show this as AD-Domain, not AD-legacy. Can anyone compare with their settings that function and let me know?
    Any suggestions would be highly appreciated. 
    Thank you
    Gordon

    AD-Legacy means they aren't in an application partition, which didn't come until after 2003, so I'm guessing this domain was built originally as Windows 2000 and has since been upgraded. Nothing to worry about.
    I have never done this, but you can change this via dnscmd and the switch zonechangedirectorypartition.
    As far as scavenging, it takes 14 days for this to kick in.  How long have you waited since you reconfigured the settings?
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • DNS Scavenging - Which Record are scavenged?

    I am about to enable scavenging in a domain that has never had scavenging enabled properly. There are hundreds of records with old time stamps. We have done our due diligence in researching records to disable deleting the old record if it has an old time stamp. Previous admins would let a server grab a DHCP server and then static IP the DHCP address.
    I know that Event ID 2501 will give me a summary of how many records were scavenged. I seem to remember (it's been a while since I have been in a mess like this) that there is a way to get a list/log of the records that were scavenged. I hope we have all the records set, but the first scavenging period may be painful.
    Is there a way to get a list of each record that was scavenged?

    You might want to set up DHCP credentials and add the DHCP server to the DnsUpdateProxy group. This way it will update the IP of the host instead of creating another one.
    And you really don't want to go below 24 hours with a lease, because technically scavenging is in multiples of days. And you must set the scavenging NOREFRESH and REFRESH values combined to be equal to or greater than the DHCP lease length.
    DHCP DNS Update summary:
    - Configure DHCP Credentials.
      The credentials only need to be a plain-Jane, non-administrator, user account.
      But give it a really strong password.
    - Set DHCP to update everything, whether the clients can or cannot.
    - Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
    - Add the DHCP server(s) computer account to the Active Directory,  Built-In DnsUpdateProxy security group.
      Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group.
      For example, some folks believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work.
      Make sure that NO user accounts are in that group, either.
      (I hope that's crystal clear - you would be surprised how many will respond asking if the DHCP credentials should be in this group.)
    - On Windows 2008 R2 or newer, DISABLE Name Protection.
    - If DHCP is co-located on a Windows 2008 R2, Windows 2012, Windows 2012 R2, or NEWER DC, you can and must secure the DnsUpdateProxy group by running the following command:
      dnscmd /config /OpenAclOnProxyUpdates 0
    - Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway.
    - Set the scavenging NOREFRESH and REFRESH values combined to be equal to or greater than the DHCP Lease length.
    More info:
    This blog covers the following:
    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/
    I also recommend reviewing the discussion in the link below:
    Technet thread: "DNS Scavenging"
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/334973fd-52b4-49fc-b1d8-9403a9481392/dns-scavenging
    Some other things to keep in mind with registration and ownership to help eliminate duplicate DNS host records registered by DHCP:
    =====================================================
    1. By default, Windows 2000 and newer statically configured machines will
    register their own A record (hostname) and PTR (reverse entry) into DNS.
    2. If set to DHCP, a Windows 2000, 2003 or XP machine will request DHCP to allow the machine itself to register its own A (forward entry) record, but DHCP will register its PTR (reverse entry) record.
    3. If Windows 2008/Vista, or newer, the DHCP server always registers and updates client information in DNS.
       Note: "This is a modified configuration supported for DHCP servers
             running Windows Server 2008 and DHCP clients. In this mode,
             the DHCP server always performs updates of the client's FQDN,
             leased IP address information, and both its host (A) and
             pointer (PTR) resource records, regardless of whether the
             client has requested to perform its own updates."
             Quoted from, and more info on this, see:
    http://technet.microsoft.com/en-us/library/dd145315(v=WS.10).aspx
    4. The entity that registers the record in DNS, owns the record.
       Note "With secure dynamic update, only the computers and users you specify
            in an ACL can create or modify dnsNode objects within the zone.
            By default, the ACL gives Create permission to all members of the
            Authenticated User group, the group of all authenticated computers
            and users in an Active Directory forest. This means that any
            authenticated user or computer can create a new object in the zone.
            Also by default, the creator owns the new object and is given full control of it."
            Quoted from, and more info on this:
    http://technet.microsoft.com/en-us/library/cc961412.aspx
    =====================================================
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Enabling DNS scavenging on several hundred servers

    I have several hundred servers in my domain. 582 to be exact. The last AD administrator left DNS scavenging disabled on all the AD integrated domain controllers. Now they want to enable scavenging on all DCs. We are having issues with stale records. What I need to know is if there is a way to enable scavenging on all the DCs without having to go to each one and right click and select the "Scavenge stale resource records" check box.
    I would like to use either a script or command line and use PsExec.
    thanks

    Hi,
    Based on my research, you can run “psexec \\computername cmd” to launch an interactive command prompt on that DNS server.
    Then you can run “dnscmd <ServerName> /Config /ScavengingInterval <0x1-0xFFFFFFFF> /DefaultAgingState <1> /DefaultNoRefreshInterval <0x1-0xFFFFFFFF> /DefaultRefreshInterval <0x1-0xFFFFFFFF>” to enable scavenging on the DNS server.
    More information:
    Set Aging and Scavenging Properties for the DNS Server
    Dnscmd Syntax
    Best regards,
    Susie

  • Domain requirements for DNS scavenging

    Hello, what is the minimum domain functional level and forest level to enable automatic DNS scavenging and aging? Ours is Windows 2003 currently. Do we have to be on Windows 2008 domain level to enable it?
    I am not getting any straight answer to my question online, so I am checking on the forums here.

    Looks like it should.
    Check out this link:
    Aging and scavenging in 2003
    [BTW always good to upgrade to newer versions]

  • DNS Scavenging Powershell v4 Remove-NetTCPIP

    Hi all, I am trying to remove unwanted IPs from a simple text file list
    $list = gc "c:\list.txt"
    $list
    172.10.20.1
    172.10.20.2
    172.10.20.3
    Get-Content $list | foreach {$list in $lists} | Remove-NetIPAddress
    At line:1 char:36
    + Get-Content $list | foreach {$list in $lists} | Remove-NetIPAddress
    +                                    ~~
    Unexpected token 'in' in expression or statement.
        + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
        + FullyQualifiedErrorId : UnexpectedToken
    Anyone ideas please ?
    Yasar

    The cmdlet is not for managing files. It is used to remove unneeded addresses from adapters.
    See:
    https://technet.microsoft.com/library/c3a0b677-f2f9-40c3-9a6b-b72aa292b721%28v=wps.630%29.aspx?f=255&MSPPError=-2147217396
    Get-Content $list | %{Remove-NetIPAddress -IPAddress $_ }
    This will remove the address from all adapters.
    ¯\_(ツ)_/¯

  • Server 2012 not auto-registering with 2003 DNS

    Hope somebody can help with this, it's driving me mad.
    I have about 600 VMs, all Windows Server of various versions from 2000 (I know...) to 2012. My Active Directory and DNS runs on Server 2003. Two of the six DCs (the DNS servers) are physical.
    The problem I have is that a handful of 2012 VMs seem to stop registering in DNS. Most 2012 VMs are fine, and all the non-2012 VMs are fine. So based on that I think it's more to do with something being wrong with these few VMs rather than the DNS servers. It's always the same servers that have the problem. It causes grief because once the DNS scavenge happens the servers get removed and then nobody can contact them by name.
    The "quick fix" is to run ipconfig /registerdns on the problem servers, whereupon they put themselves back into DNS again but don't update the registration. So eventually they just get scavenged out again.
    I'm wondering if it's something to do with how the VMs were created. Some but not all 2012 VMs were created from a VMware template and customised via vCenter. I've checked some of the servers for duplicate objectSid and objectGUID in Active Directory but so far they're all different. There's nothing particularly obvious in the event logs on these servers, aside from saying they're failing to register IPv6 PTR records (which is correct, should probably turn IPv6 off...) but I don't think that'd cause IPv4 A record registration to fail?
    Any suggestions? Thanks very much in advance.

    Hello, thanks for the reply.
    Yes the "Register this connection's addresses in DNS" box is indeed ticked. I tried un-ticking and re-ticking it to see if that kicked it back into life on one server but it made no difference.
    Some of the servers that had the problem now seem fine, and are updating the DNS registrations daily and have been for over a month. Others seem to update for a period of time, maybe a couple of days, maybe a few weeks, and then stop. Others only update when I do the ipconfig /registerdns.
    Power Management is enabled, though these are Server operating systems, so I'd like to hope they wouldn't do anything as daft as shutting down the NIC (especially when they're trying to talk over it). However, this must be a default setting as it's enabled on all the VMs I've checked, and the vast majority are working fine. I'm going to try disabling it on one of the problem servers, but I'm not terribly hopeful it'll kick it back into normal operation - unless you can point me towards a KB article or something?
    I'd enabled the DNS Client Operational event log on some of the problem servers but to the untrained eye it doesn't contain anything terribly useful (I've yet to find out what the various return code and option values mean).

  • DNS disaster and how can stop it for future

    Hi
    Last week, I found lots of static records were deleted automatically from the DNS server console, which caused lots of P1s in my environment.
    I found some of the events below before the time when the issue occurred.
    I want to know why DNS host records were randomly deleted automatically. I even opened a case with MS but could not get anything from MS about why this happened.
    Finally we restored the DNS zones from the backup tool and after restoring everything was working fine.
    Please see some of the events below:
    =================
    Log Name:      Directory Service
    Source:        NTDS ISAM
    Date:          12/29/2013 12:01:00 AM
    Event ID:      2001
    Task Category: (16)
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      DC101.prise.med.org
    Description:
    NTDS (528) NTDSA: Shadow copy instance 31 freeze started.
    =
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          12/29/2013 12:05:22 AM
    Event ID:      2094
    Task Category: Replication
    Level:         Warning
    Keywords:      Classic
    User:          ANONYMOUS LOGON
    Computer:      DC101.prise.med.org
    Description:
    Performance warning: replication was delayed while applying changes to the following object. If this message occurs frequently, it indicates that the replication is occurring slowly and that the server may have difficulty keeping up with changes.
    Object DN: CN=1 All Workstations_resultset_0_0\0ADEL:b6a014b6-ef00-459b-ae1e-f948bb38af2f,CN=Deleted Objects,DC=prise,DC=med,DC=org
    Object GUID: b6a014b6-ef00-459b-ae1e-f948bb38af2f
    Partition DN: DC=prise,DC=med,DC=org
    Server: 1cdbccca-a84c-4095-ba55-1504137ef9c5._msdcs.med.org
    Elapsed Time (secs): 17
    User Action
    A common reason for seeing this delay is that this object is especially large, either in the size of its values, or in the number of values. You should first consider whether the application can be changed to reduce the amount of data stored on the object,
    or the number of values.  If this is a large group or distribution list, you might consider raising the forest functional level to Windows Server 2003 or greater, since this will enable replication to work more efficiently. You should evaluate whether
    the server platform provides sufficient performance in terms of memory and processing power. Finally, you may want to consider tuning the Active Directory Domain Services database by moving the database and logs to separate disk partitions.
    If you wish to change the warning limit, the registry key is included below. A value of zero will disable the check.
    Additional Data
    Warning Limit (secs): 10
    Limit Registry Key: System\CurrentControlSet\Services\NTDS\Parameters\Replicator maximum wait for update object (secs)
    =======
    Log Name:      Directory Service
    Source:        NTDS ISAM
    Date:          12/29/2013 12:36:03 AM
    Event ID:      510
    Task Category: Performance
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      DC101.prise.med.org
    Description:
    NTDS (528) NTDSA: A request to write to the file "D:\Windows\NTDS\ntds.dit" at offset 1731624960 (0x0000000067368000) for 8192 (0x00002000) bytes succeeded, but took an abnormally long time (62 seconds) to be serviced by the OS. In addition, 6 other
    I/O requests to this file have also taken an abnormally long time to be serviced since the last message regarding this problem was posted 160409 seconds ago. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance
    diagnosing the problem.
    ====
    Log Name:      Directory Service
    Source:        NTDS ISAM
    Date:          12/31/2013 12:57:49 AM
    Event ID:      509
    Task Category: Performance
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      DC101.prise.med.org
    Description:
    NTDS (528) NTDSA: A request to read from the file "D:\Windows\NTDS\ntds.dit" at offset 967688192 (0x0000000039adc000) for 16384 (0x00004000) bytes succeeded, but took an abnormally long time (107 seconds) to be serviced by the OS. In addition, 7 other
    I/O requests to this file have also taken an abnormally long time to be serviced since the last message regarding this problem was posted 1328 seconds ago. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance
    diagnosing the problem.
    =
    Log Name:      Directory Service
    Source:        NTDS ISAM
    Date:          12/31/2013 12:59:14 AM
    Event ID:      510
    Task Category: Performance
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      DC101.prise.med.org
    Description:
    NTDS (528) NTDSA: A request to write to the file "D:\Windows\NTDS\ntds.dit" at offset 978018304 (0x000000003a4b6000) for 8192 (0x00002000) bytes succeeded, but took an abnormally long time (84 seconds) to be serviced by the OS. In addition, 148 other
    I/O requests to this file have also taken an abnormally long time to be serviced since the last message regarding this problem was posted 84 seconds ago. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance
    diagnosing the problem.
    ==
    Log Name:      File Replication Service
    Source:        NtFrs
    Date:          12/30/2013 7:08:20 AM
    Event ID:      13508
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      DC101.prise.med.org
    Description:
    The File Replication Service is having trouble enabling replication from  DC110 to DC101 for d:\windows\sysvol\domain using the DNS name DC110.prise.med.org. FRS will keep retrying.
     Following are some of the reasons you would see this warning.
     [1] FRS can not correctly resolve the DNS name SHINFRPEMDC110.prise.med.org from this computer.
     [2] FRS is not running on  MDC110.prise.med.org.
     [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
     This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

    Did you ever run dnscmd /ageallrecords? If yes, it will enable aging & scavenging on the static records too by setting the timestamp value on them. I would also suggest reviewing the two articles below.
    http://blogs.technet.com/b/askpfeplat/archive/2013/10/12/who-moved-the-dns-cheese-auditing-for-ad-integrated-dns-zone-and-record-deletions.aspx
    http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx
    Awinish Vishwakarma - MVP
    My Blog: awinish.wordpress.com
    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Is DNS record scavening turned on by default?

    When setting up DNS on a Windows 2008 server, is DNS scavenging turned on by default?
    thanks
    sid

    Hi,
    You can refer to the following article on auditing the reason a DNS entry was deleted:
    Tracking DNS Record Deletion
    http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx
    Hope this helps.

  • DNS records removal

    Hello all,
    I need your help. I just got a list of decommissioned servers in my domain and was asked to remove the DNS entries as these are being decommissioned. Please let me know if any document is available which I can follow without any issues. Is it safe to go directly on the DC and remove all the records in the forward and reverse lookup zones for the mentioned server, say xyz.contoso.com and IP x.y.v.z?

    Hello,
    for automatic configuration please follow
    http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx
    http://blogs.technet.com/b/networking/archive/2009/02/09/optimizing-your-network-to-keep-your-dns-squeaky-clean.aspx
    If you are sure that the machines no longer exist, you could also safely delete the records manually.
    Keep in mind that DCs have multiple records in the DNS folder structure, and normally the records should be removed when correctly demoting a DC.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • What will be scavenged?

    I have set up aging on one of the zones; I did not set up scavenging on the server yet.
    The date "this zone can be scavenged after" has already passed, but I can't see any events recording that a record is ready for scavenging.
    How can I see what will be scavenged when I enable scavenging on the server? Is there any command line tool for that?

    Hi Bartosz,
    stale records will be scavenged. This means DNS records which are not in use anymore (like when you have removed a computer account from AD, or your physical server got flooded or caught fire and you replaced it with a new one, but the old FQDN/DNS record is still in the zone).
    It is possible to get informed on what records are going stale using PowerShell, but you would have to download the DNS Management module. This way you will know which records will be scavenged:
    How Aging and Scavenging Works
    Please check this blog article, under My best practices:
    DNS Scavenging
    The procedure is designed for maximum safety.
    Please click on Propose As Answer or mark this post as helpful for other people. This posting is provided AS-IS with no warranties, and confers no rights.

  • Unable to apply GPO on 209 clients (RPC Issues)

    I am in the process of a cross-forest DC migration with an environment of 400 users. First I configured the GPO to add the DNS suffix search domains to the current clients of the old domain; however, upon applying the policy I get "The RPC server is unavailable" or "RPC was cancelled" or "access denied" sometimes.
    I have checked the domains' (4) health and replication and all looks very well.
    I connected to one of the clients that has an issue to make sure these clients are joined to the domain and using the proper DNS list, then checked if the domain has the correct hostname as it appears in the domain, and everything looked fine.
    I disabled the Kaspersky firewall on the client and disabled the Windows firewall client, but still the same issue occurs.
    When trying to connect to any of these clients with hostname to browse to the C$ folder it gives an error, I also tried with the FQDN and had the same problem
    but with IP it connects fine.
    I checked the RPC service, Computer browser service to see if they are running and they were running. 
    I am attaching screenshots of the GPO policy and the error that appears when trying to browse to the client folder C$ with hostname or fqdn. 
    I have tried the following but it didn't fix anything. I hope someone could help point me in the right direction.
    Checked DNS (Servers and clients)
    Checked relative services (Netbios, RPC, Computer browser ..etc)
    Checked firewall (Kaspersky and windows) and closed them both.
    Checked connected DC on clients and pointed clients to different DCs  to check if it'll solve the problem.
    Checking DCs replication and health using DCdiag /v 
    Ran nltest.exe /sc_verify:domain.local and returned success ... 
    I am attaching 
    On one of the clients that has the issues I also found this error in the event viewer:
    This computer was not able to set up a secure session with a domain controller in domain domain.local due to the following: "there are currently no logon servers available to service the logon request."
    The weird thing is that the client has no issues and can log on to his computer, which is a domain member, without any issues.
    thanks
    Mohammed JH

    Hi Vivian, 
    I found the problem: it was due to duplicated hostnames in DNS for all these problematic clients! DNS scavenging seems not to be working. I would appreciate it if you could assist me on how to troubleshoot the scavenging.
    I have already applied the following checks
    1- Checked the refresh and no refresh interval (both were 7 days and I changed them to 1 hour) 
    2- Restarted DNS.
    3- Set DNS to automatic scavenging of stale records.
    Still no sign of items being deleted?
    I would appreciate your help
    thanks
    Mohammed JH

  • New 2012 R2 domain - xp clients cannot join or print

    I just migrated a 2003  domain to 2012 R2.   Things were working ok & then XP clients became AD stupid.
    Steps I took:
    Added a VM 2012 R2 DC to the domain.  Server had DNS installed.  Ran dcdiag & bpa and resolved any issues. 
    About a week later I moved all roles over to the VM DC.
    Tore down one of the NT2003 DCs (not VM) and rebuilt it as a 2012 R2 DC w/DNS. Ran dcdiag & bpa and resolved any issues. Had problems with DNS scavenging removing some static records. Re-added records & made sure the "Delete record when it becomes stale" box was unchecked on all static records (all fwd & rev zones).
    Moved all roles from the VM DC to the hardware DC.
    After a week I tore down the 2nd (& last) nt2003 DC (not VM) and rebuilt it as a 2012 R2 DC w/DNS.  Ran dcdiag/bpa and fixed any issues.  Also ran it on the other DCs.
    Removed the VM 2012 R2 DC from the domain (demote, remove features, remove from domain, power off, delete VM).
    Everything seems to be working fine.  dcdiags look clean, event logs seem good.
    Bump forest/domain to 2012 R2 native.
    Then, a few days later,  it goes bad.  I (after hours) install all accumulated updates on both DCs.  Reboot both.
    Next AM a user calls. Her thin client cannot connect to the terminal services server. DNS has deleted its DNS record, even though "delete when stale" was unchecked. :| So I re-add the static record and turn off scavenging.
    Problem solved.
    Next call is from an XP user (we have XP, Win 7, and thin clients). She cannot print. Printers show "cannot connect". Try various things to no avail. Check Win 7 boxes and they're working fine & printers are connected.
    Note that the XP & Win7 boxes all pull their DHCP address from the same dhcp server/scope.
    Review error logs and run dcdiag. There are several somewhat esoteric errors. After several hours of tail chasing I decide to take a more scorched-earth tack. I demote the 2nd DC and remove AD & DNS from it. After demotion and role removal I check AD and it still shows the DC. I remove the now-just-a-server from the domain. Clean up DNS & AD removing all traces. This takes a while as I have to run various scripts (thank you Google) to ensure AD is clean.
    Run dcdiag and resolve issues.  Even a detailed dcdiag comes out clean.  Replication tests show the old server is now forgotten.
    Check XP boxes and they still show printers as "cannot connect".
    Remove an XP PC from the domain. Try to rejoin and I get an error. Rename it and still get the error. I can ping, nslookup, etc. and they return the correct IP.
    I've tried the simple "change the join a domain" in system properties. That gives a somewhat nondescript error. The network identification wizard seemed to find the domain but didn't work. As it was trying to find the PC in AD, I went ahead and added it via the AD Users & Computers console. Run the wizard and it tells me it found the record in AD. It then says "a domain controller for the domain [ourdomain] could not be contacted." !? Yet on the prior screen it told me it had found the record for the PC on the DC.
    nslookup for ourdomain.local as well as dcname.ourdomain.local resolve correctly. Tried changing the PC to static - no change. Rename the old Win 2012 R2 DC (now just a server outside the domain), reboot, and then try to rejoin the domain.
    Works flawlessly.
    BTW - We're running tcpip w/o netbios over tcpip.
    So basically my XP boxes cannot use AD printers and cannot join the domain.  IDK if they're picking up gp updates (I'll check in the AM), but I suspect they're not.
    Short of buying a truckload of Win 7 licenses and reloading OSs, what can I do to fix this?
    Details on the XP box error (fyi - I did a record to record comparison to a Win 2008 domain's SRV records and they look identical (except, fo course, the domain& server names)) :
    The domain name [ourdomain] might be a NetBIOS domain name.  If this is the case, verify that the domain name is properly registered with WINS.
    If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.
    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain [ourdomain]:
    The error was: "DNS name does not exist."
    (error code 0x0000232B RCODE_NAME_ERROR)
    The query was for the SRV record for _ldap._tcp.dc._msdcs.[ourdomain]
    Common causes of this error include the following:
    - The DNS SRV record is not registered in DNS.
    - One or more of the following zones do not include delegation to its child zone:
    [ourdomain]
    . (the root zone)
    For information about correcting this problem, click Help.
    dcdiag /test:dns results
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = Domctl1
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\DOMCTL1
          Starting test: Connectivity
             ......................... DOMCTL1 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\DOMCTL1
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... DOMCTL1 passed test DNS
       Running partition tests on : DomainDnsZones
       Running partition tests on : ForestDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : [ourdomain]
       Running enterprise tests on : [ourdomain].local
          Starting test: DNS
             Test results for domain controllers:
                DC: Domctl1.[ourdomain].local
                Domain: [ourdomain].local
                   TEST: Dynamic update (Dyn)
                      Warning: Failed to delete the test record dcdiag-test-record in zone [ourdomain].local
                   Domctl1                      PASS PASS PASS PASS WARN PASS n/a
             ......................... [ourdomain].local passed test DNS
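
    The error above is the DC locator failing to find _ldap._tcp.dc._msdcs.[ourdomain], and earlier in the post scavenging had already removed a record the admin thought was static. The following PowerShell is an added example, not code from the thread: it queries the locator SRV records the way a joining client would, then lists the zone's SRV records with their aging timestamp so you can see which ones are dynamic (and therefore scavengeable) and which are static. It assumes it is run from a Server 2012 R2 DC or an admin workstation with RSAT (Resolve-DnsName and the DnsServer module); the domain and server names are placeholders.

```powershell
# Added example (not from the thread). Placeholders for [ourdomain].local and the DC.
$Domain    = 'corp.example'
$DnsServer = 'dc01.corp.example'

# SRV names the DC locator (Netlogon) queries when a client joins or looks for a DC.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain"
)
foreach ($n in $srvNames) {
    try {
        $r = Resolve-DnsName -Name $n -Type SRV -Server $DnsServer -ErrorAction Stop |
             Where-Object { $_.Type -eq 'SRV' }
        '{0,-45} -> {1}' -f $n, (($r | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ')
    } catch {
        # A missing record shows up here as "DNS name does not exist", the same text the XP client reported.
        Write-Warning "$n : $($_.Exception.Message)"
    }
}

# On the DNS server: list SRV records with their aging timestamp.
# A record with no Timestamp is static and is never scavenged; a timestamped record is dynamic
# and becomes eligible for scavenging once it is older than NoRefresh + Refresh.
$aging  = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $Domain
$cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain -RRType Srv |
    Select-Object HostName, Timestamp,
        @{ n = 'Target';       e = { $_.RecordData.DomainName } },
        @{ n = 'Scavengeable'; e = { [bool]$_.Timestamp -and $_.Timestamp -lt $cutoff } } |
    Sort-Object Timestamp | Format-Table -AutoSize
```

    The timestamp listing is the quickest way to tell whether a record you believe is static is actually dynamic: a DC's own SRV records are re-registered by Netlogon and carry a timestamp, so they survive scavenging only while the DC keeps refreshing them.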

    I see the following errors:
    "TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed at a high rate, causing all available local ports to be used and forcing TCP/IP to reuse a local port for an outgoing connection. To minimize the risk of data corruption, the TCP/IP standard requires a minimum time period to elapse between successive connections from a given local endpoint to a given remote endpoint."
    Please read this: http://social.technet.microsoft.com/Forums/windowsserver/en-US/d770e9fd-53a2-4ae9-99b3-2754c4564592/tcpip-connection-issue-on-windows-server-2008-sp2?forum=winserverPN
    "DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID      b70 (C:\Windows\system32\dcdiag.exe)."
    As you can see, it is pointing to 8.8.8.8. You need to make sure that public DNS servers are configured as forwarders and not in the IP settings of your DCs. It would be better to use your ISP's DNS servers as the public ones instead of 8.8.8.8.
    Please read this Wiki article for recommendations about IP settings: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
    "               TEST: Dynamic update (Dyn)
                      Test record dcdiag-test-record added successfully in zone [ourdomain].local
                      Warning: Failed to delete the test record dcdiag-test-record in zone [ourdomain].local
                      [Error details: 9505 (Type: Win32 - Description: Unsecured DNS packet.)]"
    Here, you need to make sure that only secure DNS updates are allowed if you would like to secure dynamic updates. This is detailed here: http://social.technet.microsoft.com/wiki/contents/articles/21984.how-to-secure-dns-updates-on-microsoft-dns-servers.aspx
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
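
    The reply above makes two configuration points: public resolvers belong in the server's forwarder list, not in the DC's NIC settings, and zones should accept only secure dynamic updates. The PowerShell below is an added example, not code from the thread, that audits a DC for both. It assumes an elevated session on the DC with the DnsServer module (RSAT DNS Server tools) installed; the helper Test-PrivateIPv4 is mine, and no server names are hard-coded.

```powershell
# Added example (not from the thread): audit a DC for public DNS servers on the NIC
# and for zones that still allow nonsecure dynamic updates.

function Test-PrivateIPv4 {
    # Returns $true for RFC 1918 and loopback addresses, $false for anything public (e.g. 8.8.8.8).
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

# 1. NIC DNS client settings: a DC should point only at itself or other internal DNS servers.
$publicOnNic = foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($addr in $nic.ServerAddresses) {
        if (-not (Test-PrivateIPv4 $addr)) {
            [pscustomobject]@{ Interface = $nic.InterfaceAlias; PublicDnsServer = $addr }
        }
    }
}
if ($publicOnNic) {
    Write-Warning 'Public DNS servers found in NIC settings; move them to forwarders:'
    $publicOnNic | Format-Table -AutoSize
}

# 2. Forwarders: this is where the ISP or public resolvers belong.
$fwd = Get-DnsServerForwarder
'Forwarders: {0} (UseRootHint={1})' -f ($fwd.IPAddress -join ', '), $fwd.UseRootHint

# 3. Primary zones that still accept nonsecure dynamic updates.
$looseZones = Get-DnsServerZone | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
    $_.DynamicUpdate -eq 'NonsecureAndSecure'
}
foreach ($z in $looseZones) {
    # Secure-only updates require an AD-integrated zone.
    Write-Warning (('Zone {0} allows nonsecure updates; fix with: ' +
                    'Set-DnsServerPrimaryZone -Name {0} -DynamicUpdate Secure') -f $z.ZoneName)
}
```

    The script only reports; the Set-DnsServerPrimaryZone command in the warning is the change to apply once you have confirmed the zone is AD-integrated and that every host registering into it can do so with Kerberos-authenticated updates (or has the DHCP server register on its behalf).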

  • Binding Macs to AD

    So I now have an OD master and replica server bound to Active Directory. We had some issues with DNS scavenging and binding the Macs. It appears scavenging has taken place and removed the records for the Mac servers. They are still bound, as I can log in with AD credentials. Cannot access either server via ARD. Is it as simple as just recreating the DNS records for the Mac servers?

    What do your system and AD logs say when you try and login?
    That'll give you a clue.

  • DHCP server lease duration reporting

    I have a network team that controls their own scopes; however, we are responsible for the DHCP services and DNS.  (I know, it's a nightmare.)
    Anyway, they go in and create new scopes all the time, and they always differ in lease durations and other options.
    I need a way to export all scopes and all of their options along with lease duration, to be able to identify which scopes have the 3-day lease duration and which ones have the 8-day duration, so that we can standardize and get the DNS scavenging on the correct and safe interval.

    Hi,
    Or you can use the following simple PowerShell cmdlet to export the DHCP scope, then check the detail lease time:
    Export-DhcpServer -ComputerName win2k8r2-dhcp.corp.contoso.com -Leases -File C:\export\dhcpexp.xml -Verbose
    The related article:
    Migrating existing DHCP Server deployment to Windows Server 2012 DHCP Failover
    http://blogs.technet.com/b/teamdhcp/archive/2012/09/11/migrating-existing-dhcp-server-deployment-to-windows-server-2012-dhcp-failover.aspx
    How to export DHCP scopes list?
    http://blogs.technet.com/b/csstwplatform/archive/2009/04/29/how-to-export-dhcp-scopes-list.aspx
    Hope this helps.
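
    Export-DhcpServer produces an XML backup, which is awkward to scan for lease durations. The PowerShell below is an added example, not code from the thread or from Microsoft, that lists every scope grouped by lease length, writes a CSV for the network team, and compares the leases with the zone's scavenging window. It assumes the DhcpServer and DnsServer RSAT modules; the three names at the top are placeholders. The "window must be at least the longest lease" rule at the end is my rule of thumb, not something the thread states.

```powershell
# Added example (not from the thread). Placeholder names:
$DhcpServer = 'dhcp01.corp.example'
$DnsServer  = 'dc01.corp.example'
$ZoneName   = 'corp.example'

$scopes = Get-DhcpServerv4Scope -ComputerName $DhcpServer |
    Select-Object ScopeId, Name, State, LeaseDuration

# Group by lease length so the 3-day and 8-day scopes stand out.
$scopes | Group-Object -Property { $_.LeaseDuration.TotalDays } |
    Sort-Object -Property { [double]$_.Name } |
    ForEach-Object {
        '{0,5}-day lease: {1} scope(s): {2}' -f $_.Name, $_.Count, ($_.Group.ScopeId -join ', ')
    }

# Plain CSV for the network team, instead of the XML produced by Export-DhcpServer.
$scopes | Export-Csv -Path .\dhcp-scope-leases.csv -NoTypeInformation

# DNS side: a dynamic record becomes eligible for scavenging after NoRefresh + Refresh.
$aging  = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName
$window = $aging.NoRefreshInterval + $aging.RefreshInterval
'Zone {0}: aging enabled={1}, NoRefresh={2} days, Refresh={3} days, window={4} days' -f `
    $ZoneName, $aging.AgingEnabled, $aging.NoRefreshInterval.TotalDays,
    $aging.RefreshInterval.TotalDays, $window.TotalDays

# Rule of thumb (my assumption, not stated in the thread): the scavenging window should be at
# least as long as the longest DHCP lease, otherwise a record can age out while its lease is still valid.
foreach ($s in ($scopes | Where-Object { $_.LeaseDuration -gt $window })) {
    Write-Warning ('Scope {0} ({1}) has a {2}-day lease, longer than the {3}-day scavenging window' -f
        $s.ScopeId, $s.Name, $s.LeaseDuration.TotalDays, $window.TotalDays)
}
```

    Once the scopes are standardized, re-run the last part against each zone that scavenging is enabled on; Get-DnsServerZoneAging is per zone, and the server-level Get-DnsServerScavenging only tells you how often the scavenging server runs, not what a given zone's window is.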
