Domain Controllers that are DNS servers: DNS client settings

[Copying verbatim from a mail by Joe]
So I have been pinged by a few folks recently on configuration of client DNS settings on Domain Controllers that are also functioning as DNS Servers. Lots of debate. I understand there has been long time debate within MSFT as well.
From http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx there is the quote:
"3. When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address."
From http://www.microsoft.com/en-us/download/confirmation.aspx?id=9166 (Windows Server 2008 R2 Core Network Guide):
"9. In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the local computer.
10. In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of the local computer."
From http://technet.microsoft.com/en-us/library/dd378900(v=ws.10).aspx (DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers):
"The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller...
Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
ESPECIALLY "For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller." and "Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
Why shouldn't loopback be first? The justification given is for why you shouldn't use only loopback, not for why it shouldn't be first.
From http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx (DNS: DNS servers on <adapter name> should include the loopback address, but not as the first entry):
"If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners.
The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself, or points to itself first for name resolution, this can cause a delay during startup. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller."
This also seems like justification against only using loopback versus using it first.
Are there any actual, real, documented issues with using loopback first and a remote DNS server second and perhaps third? If the local DNS Server service isn't working yet (or at all), I would expect the DNS Client process to try to connect to it, fail, and then fail over to the secondary, just like I would expect it to fail over if the remote DNS server was secondary and it was unavailable and it failed back to the loopback. Am I making a bad assumption?
And by documented I don't mean random responses to questions on the internet or other such items. I mean a KB article or technet article or properly researched and tested other web article from a reliable resource.
thanks, 
joe

As I understand it, the scenario whereby a DC could become an 'island' if it points only to itself, or to itself first, was repaired in the Windows Server 2003 product cycle. See http://support.microsoft.com/kb/275278 for information about this scenario.
However, there is still a known problem of slow boot times that can occur. See http://support.microsoft.com/kb/2001093 for information about this. The scenario that is discussed assumes there is a power failure and servers shut down due to overheating while on backup power. When multiple servers come online simultaneously after power is restored, there can be a significant delay.
The recommended configuration is one that avoids a single point of failure, but also tries to optimize the speed of resource record registration, so that Active Directory can properly synchronize.
-Greg
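As an added example (not from Joe's mail or Greg's reply), the PowerShell below audits the IPv4 DNS client list of every DC against the guidance quoted above: the DC's own address or loopback should be present, should not be first, and should never be the only entry. It assumes the ActiveDirectory module, PowerShell remoting to each DC, and Windows Server 2012 or later (Get-DnsClientServerAddress, Get-NetIPAddress); the function and finding texts are the example's own.

```powershell
# Added example: audit DNS client server order on every DC against the guidance
# quoted in the thread. Assumes the ActiveDirectory module, WinRM to each DC, and
# Windows Server 2012+ (Get-DnsClientServerAddress / Get-NetIPAddress). Read-only.
Import-Module ActiveDirectory

function Test-DcDnsClientOrder {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # Runs on each DC: collect its IPv4 DNS client lists plus every address that means "me".
    $remote = {
        $self = @('127.0.0.1') + @(Get-NetIPAddress -AddressFamily IPv4 |
                                   Select-Object -ExpandProperty IPAddress)
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { @($_.ServerAddresses).Count -gt 0 } |
            ForEach-Object {
                [pscustomobject]@{
                    Interface = $_.InterfaceAlias
                    Servers   = @($_.ServerAddresses)
                    SelfList  = $self
                }
            }
    }

    foreach ($dc in $ComputerName) {
        $lists = Invoke-Command -ComputerName $dc -ScriptBlock $remote -ErrorAction Stop
        foreach ($l in $lists) {
            $servers = @($l.Servers)
            # One bool per entry: is this entry the DC itself (loopback or a bound address)?
            $isSelf  = @($servers | ForEach-Object { $l.SelfList -contains $_ })
            $findings = @()
            if ($isSelf -notcontains $false) {
                $findings += 'points only to itself (no partner DC to fall back to; see KB275278)'
            } elseif ($isSelf[0]) {
                $findings += 'self or loopback is the first entry (slow-boot scenario, KB2001093)'
            }
            if ($isSelf -notcontains $true) {
                $findings += 'does not list itself at all (loses the local-resolver benefit)'
            }
            if ($servers.Count -lt 2) {
                $findings += 'single DNS server entry (single point of failure)'
            }
            [pscustomobject]@{
                DC        = $dc
                Interface = $l.Interface
                Servers   = ($servers -join ', ')
                Findings  = if ($findings) { $findings -join '; ' } else { 'OK' }
            }
        }
    }
}

# Enumerate every DC in the current domain and print the report.
$dcs = (Get-ADDomainController -Filter *).HostName
Test-DcDnsClientOrder -ComputerName $dcs | Format-Table -AutoSize
```

A row reading OK means the interface lists a partner DC first and the DC itself later in the list, which is the configuration the TechNet text and Greg's reply converge on.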

Similar Messages

  • How to safely change the domain controllers that Exchange use from Out-Of-Site into the In-Site ?

    Hi Folks,
    I'd like to know what's the best way to edit the Exchange Server 2007 entry, adding In-Site entries and removing the entries from Out-Of-Site safely, without causing any downtime or problems with the workstations?
    From the MSExchange ADAccess Event ID 2080, I can see that the Domain Controllers that are currently used by the Exchange Servers are all on the In-Site list, which I need to decommission due to office building migration and downsizing; the workstations remain in the same building, only the servers must go.
    Current configuration:
    Exchange Servers AD Site: HQ1 (for all roles)
    Workstations AD Site: HQ1
    Proposed configuration:
    Exchange Servers AD Site: Prod-DC1 (for all roles)
    Workstations AD Site: HQ1
    Thanks.
    /* Server Support Specialist */

    Hi,
    Steve's clarification is right.
    From your description, you want to change the DC used by Exchange server. If I have misunderstood your concern, please let me know.
    Please make sure of the following things before setting the DC for Exchange:
    1. The new DC has its own IP in its TCP/IP settings as the primary DNS server.
    2. The new DC is a global catalog.
    3. The new DC has correct DNS settings in the MSDC folder.
    4. Restart the Exchange Active Directory Topology discovery service and watch the event viewer; there should be an event that discovers both domain controllers. If this happens, then turn off the old DC.
    Besides, topology information will remain in the System Attendant service for 15 minutes, so the time to switch to the new one is about 15 minutes.
    Hope my clarification is helpful.
    Best regards,
    Amy Wang
    TechNet Community Support
    Amy,
    The Exchange Server has been rebooted a couple of times, but yes, all of the In-Site AD servers are still not rebooted yet.
    So in this case do you suggest that I demote the old DC and turn off all of the In-Site DC/GCs first, and then reboot the Exchange Servers afterwards one by one?
    /* Server Support Specialist */

  • I need to be able to find domain controllers that have been removed from the domain but never demoted

    I need to find domain controllers that have been removed but never demoted.
    Here's the story...
    I came on as Active Directory administrator for an organization which has 600+ domain controllers, most running Server 2003, but I have some Server 2008 R2. Throughout all this time the organization has had DCs that have stopped working, crashed or failed for some reason, and all the IT department has done is create another domain controller, name it the same thing with an (A), (B) appended to the name, and then never remove any of the failed controllers from the directory.
    The thing is, this has been going on for quite some time; I don't know for sure how long, as I am still trying to clean up DNS replication problems and have been having to go around and reset machine passwords for the forest. What I need to be able to do is script something that will return all the failed DCs so that I can go into the directory and use NTDSUTIL to clean the machines. I don't want to go into the directory and remove a machine that's still out there. No one in the organization has a list or record of failed machines.
    You can see this may be a gargantuan task, but I need to be able to make it easier on myself by finding the machines first and cleaning out DNS, cleaning the DCs out of the "Sites" and cleaning them out of the directory.
    Appreciate any help I can get…

    Hi,
    Thanks for posting in the forum.
    Regarding your question, maybe we should remove these orphaned DCs from AD; please refer to the following articles to perform the cleanup task.
    How to remove completely orphaned Domain Controller
    http://support.microsoft.com/kb/555846
    Complete Step by Step to Remove an Orphaned Domain controller
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
    Metadata Cleanup of a Domain controller
    http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/
    Here is a similar thread as reference, hope it helps.
    Remove References of a Failed DC/Domain
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/87516188-731a-4b7f-a4cc-06ce4ad27b19/remove-references-of-a-failed-dcdomain
    Best Regards,
    Andy Qi
    TechNet Subscriber Support
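As an added example (not from the thread or the linked articles), this PowerShell lists every DC that still has an NTDS Settings object in the configuration partition and flags the ones that look dead, so the candidates can be reviewed before any metadata cleanup; it changes nothing. It assumes the ActiveDirectory module (which needs at least one DC running AD Web Services, e.g. a 2008 R2 DC) and Windows Server 2012 or later for Resolve-DnsName; the 60-day staleness threshold and the function name are the example's own.

```powershell
# Added example: report every DC that AD still knows about (an NTDS Settings object
# exists) together with evidence of whether it is alive, for review before any
# ntdsutil metadata cleanup. Read-only. Assumes the ActiveDirectory module and
# Windows Server 2012+ for Resolve-DnsName. $StaleDays is an assumed threshold.
Import-Module ActiveDirectory

function Find-StaleDomainController {
    param([int]$StaleDays = 60)

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $cutoff   = (Get-Date).AddDays(-$StaleDays)

    # Each nTDSDSA object is a DC as far as replication is concerned; its parent is the server object.
    $ntdsObjects = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configNc"

    foreach ($ntds in $ntdsObjects) {
        $serverDn = $ntds.DistinguishedName -replace '^CN=NTDS Settings,', ''
        $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName, serverReference
        $fqdn     = $server.dNSHostName
        # Server DN is CN=<name>,CN=Servers,CN=<site>,CN=Sites,... so the site is the third RDN.
        $site     = (($serverDn -split ',')[2]) -replace '^CN=', ''

        # serverReference points at the computer account in the domain partition.
        $computer  = $null
        $lastLogon = $null
        if ($server.serverReference) {
            try {
                $computer = Get-ADObject -Identity $server.serverReference `
                                -Properties lastLogonTimestamp -ErrorAction Stop
            } catch { $computer = $null }
            if ($computer -and $computer.lastLogonTimestamp) {
                $lastLogon = [DateTime]::FromFileTime([long]$computer.lastLogonTimestamp)
            }
        }

        $resolves = [bool]$fqdn -and [bool](Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue)
        $answers  = $resolves -and (Test-Connection -ComputerName $fqdn -Count 1 -Quiet)

        $reasons = @()
        if (-not $computer)             { $reasons += 'no computer account behind serverReference' }
        elseif (-not $lastLogon)        { $reasons += 'computer account never logged on' }
        elseif ($lastLogon -lt $cutoff) { $reasons += "last logon $($lastLogon.ToString('yyyy-MM-dd'))" }
        if (-not $resolves)             { $reasons += 'no A record in DNS' }
        elseif (-not $answers)          { $reasons += 'does not answer ping' }

        [pscustomobject]@{
            Server    = if ($fqdn) { $fqdn } else { $serverDn }
            Site      = $site
            LastLogon = $lastLogon
            Suspect   = ($reasons.Count -gt 0)
            Reasons   = ($reasons -join '; ')
        }
    }
}

# Suspects first; confirm each one by hand before any metadata cleanup.
Find-StaleDomainController | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

A DC that was rebuilt under the same name with an (A) or (B) suffix will show up twice here, once alive and once suspect, which is exactly the pair the original poster needs to tell apart.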

  • DNS -- DHCP vs Client Settings

    Does setting DNS Server and a Search Domain in System Preferences>>Network on a client machine override the settings set via the DHCP service on the server?
    The clients are set to DHCP and the main AD authentication server is down and they're not going on to find the backup servers.
    Thanks for any help you can give.

    Yes it does.

  • EoMPLS on 6500s that are vtp servers

    I need layer 2 from DC to DC, and I'm in the home stretch, and it won't let me do the VLAN I need because my Cats are VTP servers.
    Is there a way to use an extended VLAN number for the sub-interface encapsulation and trick my standard VLAN number to traverse that VC?
    I have the VC up and working as if it was VLAN 1199, and I really need it to be 199:
    interface GigabitEthernet11/8
    description Gig Link
    bandwidth 1000000
    ip address 10.61.3.1 255.255.255.252
    tag-switching ip
    interface GigabitEthernet11/8.199
    encapsulation dot1Q 1199 <----will not accept normal vlan range
    xconnect 10.61.254.3 199 encapsulation mpls
    WIL_CR_Core-1A# show mpls l2transport vc                           
    Local intf     Local circuit        Dest address    VC ID      Status   
    Gi11/8.199     Eth VLAN 1199        10.61.254.3     199        UP       
    WIL_CR_Core-1A#
    any creative workaround would be greatly appreciated.

    Each 7304 connects to an MPLS cloud via an ATM interface (OC3), and I actually have MPLS working, but I cannot get the L2 VC up. Core - 7304 - MPLS cloud - 7304 - core
    G0 - 7304 - atm 4/0
    I believe it's due to placement of the sub-interface, but options are limited.
    interface GigabitEthernet0
    description ### Uplink ###
    ip address 10.61.90.5 255.255.255.0
    ip policy route-map Wookie
    negotiation auto
    mpls ip
    interface GigabitEthernet0.199
    encapsulation dot1Q 199
    mpls ip
    xconnect 10.60.254.142 199 encapsulation mpls
    DAY_CR_WR01#show mpls ldp neighbor
        Peer LDP Ident: 10.60.254.142:0; Local LDP Ident 10.61.254.4:0
            TCP connection: 10.60.254.142.646 - 10.61.254.4.43776
            State: Oper; Msgs sent/rcvd: 8642/8681; Downstream
            Up time: 5d00h
            LDP discovery sources:
              Tunnel66, Src IP addr: 10.60.66.1
              Tunnel67, Src IP addr: 10.60.67.1
            Addresses bound to peer LDP Ident:
              10.60.1.54      10.60.11.1      68.136.12.158   12.113.14.14   
              10.60.254.142   10.60.254.242   10.60.66.1      10.60.67.1     
    DAY_CR_WR01#show mpls l2 sum
    Destination address: 10.60.254.142, total number of vc: 1
      0 unknown, 0 up, 1 down, 0 admin down, 0 recovering
    DAY_CR_WR01#show mpls l2 vc detail
    Local interface: Gi0.199 up, line protocol up, Eth VLAN 199 up
      Destination address: 10.60.254.142, VC ID: 199, VC status: down
        Output interface: none, imposed label stack {}
        Preferred path: not configured 
        Default path: no route
        No adjacency
      Create time: 02:14:02, last status change time: 01:12:47
      Signaling protocol: LDP, peer 10.60.254.142:0 up
        MPLS VC labels: local 229, remote 236
        Group ID: local 0, remote 0
        MTU: local 1500, remote 1500
        Remote interface description:
      Sequencing: receive disabled, send disabled
      VC statistics:
        packet totals: receive 0, send 0
        byte totals:   receive 0, send 0
        packet drops:  receive 0, seq error 0, send 0
    DAY_CR_WR01#

  • Do I still remote Domain Controllers.....

    We currently have remote sites, with Domain Controllers which are also Global Catalogue servers.
    We are still running as Windows 2000 Native…(Long Story).
    We are planning to remove the remote DC's, as most of their functions as file servers have been removed, and we are wondering if there is any need any more for the remote locations to have a Windows Domain Controller.
    The clients will shortly be running Windows 7, and we are thinking of setting up printing on a local Windows 7 machine, along with a share for roaming profiles.
    Is this a good idea or are we missing something…

    From http://technet.microsoft.com/en-us/library/cc978016.aspx
    Automatic Site Coverage
    There is not necessarily a domain controller in every site. For various reasons, it is possible that no domain controller exists for a particular domain at the local site. By default, each domain controller checks all sites in the forest and then checks the replication cost matrix. A domain controller advertises itself (registers a site-related SRV record in DNS) in any site that does not have a domain controller for that domain and for which its site has the lowest-cost connections. This process ensures that every site has a domain controller that is defined by default for every domain in the forest, even if a site does not contain a domain controller for that domain. The domain controllers that are published in DNS are those from the closest site (as defined by the replication topology).
    For example, given one domain and three sites, a domain controller for that domain might be located in two of the sites, but there might be no domain controller for the domain in the third site. Replication to the domain that does not have a domain controller in the third site might be too expensive in terms of cost or replication latency. To ensure that a domain controller can be located in the site closest to a client computer, if not the same site, Windows 2000 automatically attempts to register a domain controller in every site. The algorithm that is used to accomplish automatic site coverage determines how one site can "cover" another site when no domain controller exists in the second site.

  • Domain Controller Ratio to Lync servers

    For Lync 2013/2010, is there some formula that dictates the number of domain controllers that are required for each FE/pool? I see that Exchange 2013 has a requirement that for every 8 mbx servers, one DC is needed.
    This could potentially be dealing with 100K users.
    Thanks,
    Chris
    Christian Frank

    I have not come across any Lync documentation specifying a limit on the number of Front Ends per DC. Usually a DC per site is the only mentioned requirement. That's not what you are after though. I would assume that if Exchange were deployed with the numbers you have stated, Lync would be quite happy with that.
    In any event, I don't think you are going to get a straightforward answer, as scoping DC's comes into play. So it all depends on a huge number of variables. You probably already see this but I'll add it anyway:
    http://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx

  • Configuring airport DNS servers

    I use an airport extreme base station which connects to the internet via an ethernet DSL connection. The airport TCP/IP settings are DHCP. The DNS servers, however, show 192.168.1.1 and not the DNS settings of the DSL. As a result the internet connection on my MacBook Pro is patchy at best with some pages that open and images not showing up. The only way I resolve this is by manually setting the DNS servers in my settings on the laptop. I have tried manually setting the DNS configuration on my Airport but for some reason this does not broadcast to all the computers in my house. The DNS settings that do appear on computers are the standard 192.168.1.1 and not the actual DNS. I cannot seem to figure out why the airport is doing this. Any suggestions would be appreciated.

    I am also wondering if it is possible to turn DNS relay off on an Airport Extreme or Airport Express. I am using the latest firmware on both devices, 7.6.1 and they are the latest model.
    Regarding your question about DNS servers; the IP address that shows in your device as a DNS server is the Airport Extreme LAN IP address. DNS queries will be sent to that device, and the DNS settings which it uses will be used to look domain names up.
    So, for now, put the DNS server addresses you'd like to use on your Airport Extreme. This is done through the Airport Utility, under Internet > Internet Options.
    Also, as a final note, try the 'namebench' program to find the best DNS servers available. It helped me choose IPv4 DNS servers and I'm noticing a difference in loading times.

  • URGENT!! Demoted SBS server and now no other Domain Controllers are functioning

    Last night we were demoting a 2003 SBS in a domain. We have 3 other domain controllers that were online and appeared to be functional. All were shown in Sites and Services as GC. However, after demoting the SBS server, our other Domain Controllers are not functioning as GCs or as DCs.
    I can get into Sites and Services if I let it fail when it tries to connect to the domain and then tell it to connect to the specific domain controller. But then things don't look quite right. I can't see all the tabs when I drill down to NTDS Settings and go to properties. The only tabs that show up are Security and Attribute Editor. Same thing with ADUC, I only get some of the tabs. It is like only half of AD is there.
    I need some urgent help if anyone can assist.

    Hi,
    In order to identify the cause, I suggest you run the DCDiag command on a Domain Controller and post the results for troubleshooting:
    Dcdiag
    http://technet.microsoft.com/en-us/library/cc731968.aspx
    What does DCDIAG actually… do?
    http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx
    Best Regards,
    Amy Wang

  • Replace win2008r2 domain controllers with win2012r2

    My environment: Single win2008 r2 forest w/3 win2008r2 domains
    I need to replace the 2 root domain controllers (that also run DNS & WINS) with new hardware and was considering installing them as Win2012R2.
    I have no plans to upgrade the DC’s in the 2 Win2008r2 child domains.
    Since there will be schema changes, are there any concerns with having the root DC’s be win2012R2 and the child domains win2008r2?
    Thanks

    Thanks for both answers. 
    My main concern is the oddball 3rd party apps, some of which still run on win2003 servers. Even if the vendor/developer confirms their apps are compatible with win2012 domain controllers, my internal programmers are still nervous. It took me months to convince them it was ok to upgrade the domain & forest functional levels to win2008r2.
    Again Thanks

  • Windows 2012 Domain Controllers and RC4

    We are using Qualysguard as our vulnerability scanner, and we are getting QID 38601, "SSL/TLS use of weak RC4 cipher". While we have created a GPO to disable RC4 on the 2008/2012 servers, we have 4 Domain Controllers that we haven't included in the GPO yet. I'm wondering if disabling RC4 on 2012 Domain Controllers will cause problems that I'm not foreseeing right now.
    Does someone out there have any knowledge of this through experience or otherwise?
    Thanks in advance.

    Hi,
    As far as I know, disabling RC4 cipher usage in SSL/TLS wouldn't affect Kerberos-related services on a Domain Controller, since the Key Distribution Center (KDC) just uses the available encryption type to encrypt the tickets requested by our clients with RC4_HMAC_NT.
    More information for you:
    Disabling RC4 Cipher KB2868725 relation to Kerberos
    https://social.technet.microsoft.com/Forums/sqlserver/en-US/836eba80-a070-486d-98b2-69b6325cb40e/disabling-rc4-cipher-kb2868725-relation-to-kerberos?forum=winserversecurity
    Best Regards,
    Amy
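As an added example (not from the thread or the linked KB), the following PowerShell makes the distinction in Amy's reply visible on a DC: the SCHANNEL cipher keys that a GPO for QID 38601 touches are one switch, and the Kerberos encryption types recorded in msDS-SupportedEncryptionTypes are a separate one, so disabling the first leaves the second untouched. It assumes it runs on the DC being checked with the ActiveDirectory module available; the function names and the decision that an unset value counts as "RC4 allowed" are the example's own.

```powershell
# Added example: show that SCHANNEL (SSL/TLS) and Kerberos have separate RC4 switches.
# Run on the DC being checked. Assumes the ActiveDirectory module. Reads only.
Import-Module ActiveDirectory

function Get-SchannelRc4State {
    # Cipher subkeys named in KB2868725. Enabled=0 disables the cipher; a missing key
    # or value leaves the OS default, which still allows RC4 in SCHANNEL.
    # The .NET registry API is used because "RC4 128/128" contains '/', which the
    # PowerShell registry provider would treat as a path separator.
    $ciphers = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
    foreach ($name in 'RC4 128/128', 'RC4 56/128', 'RC4 40/128') {
        $sub = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$ciphers\$name")
        $enabled = if ($sub) { $sub.GetValue('Enabled') } else { $null }
        [pscustomobject]@{
            Subsystem  = 'SCHANNEL'
            Item       = $name
            Rc4Allowed = ($null -eq $enabled) -or ($enabled -ne 0)
        }
    }
}

function Get-KerberosRc4State {
    # msDS-SupportedEncryptionTypes bit flags: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
    # krbtgt governs TGTs; the DC's own computer account governs service tickets to the DC.
    param([string[]]$SamAccountName = @('krbtgt', "$env:COMPUTERNAME`$"))
    foreach ($sam in $SamAccountName) {
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" `
                   -Properties 'msDS-SupportedEncryptionTypes'
        $etypes = [int]($obj.'msDS-SupportedEncryptionTypes')   # $null -> 0
        [pscustomobject]@{
            Subsystem  = 'Kerberos'
            Item       = ('{0} msDS-SupportedEncryptionTypes=0x{1:X}' -f $sam, $etypes)
            # 0 / unset means "OS default", which still includes RC4-HMAC.
            Rc4Allowed = ($etypes -eq 0) -or (($etypes -band 0x4) -ne 0)
        }
    }
}

# Expected on a DC covered only by the SSL/TLS GPO: SCHANNEL rows False, Kerberos rows True.
Get-SchannelRc4State
Get-KerberosRc4State
```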

  • APs going to controllers that have AP Fallback disabled- maddening

    Adding a new 8510 HA Pair to an existing large environment. The 8510s are up with management addresses, and AP fallback is disabled. Basically, these are controllers that are being configured as time allows and so need to be on the wire. Typically, disabling AP fallback is all that's needed to keep the APs away while working on a WLC. These 8510s have been sitting there for a week, and last night out of the blue one of them took on like 150 APs (is licensed for 1000) from a few different controllers in a very random feeling event. Since the APs hit a controller that wasn't properly configured, lots of clients were dead in the water. 
    Did something change in 8.0.100 code or the 8510 that makes "AP fallback disabled" not effective? Is there any more positive way of keeping APs off of a controller that's a work in progress other than ACLs and putting them on different networks, etc? Seems reasonable to be able to just turn off a controller's willingness to take APs...
    Thoughts?
    Lee

    Hi Lee,
    Typically, disabling AP fallback is all that's needed to keep the APs away while working on a WLC.
    On which WLC did you disable AP fallback? If it is on the new 8510, it simply means that if an AP (previously registered to a different WLC as primary) fails over to the new 8510 when the primary WLC is unavailable, then the AP won't fall back to its primary controller even if the primary WLC comes back.
    http://mrncciew.com/2013/04/07/ap-failover/
    Is there any more positive way of keeping APs off of a controller that's a work in progress other than ACLs and putting them on different networks, etc?
    You can enable "Security > AP Policies > Authorize MIC APs against auth-list or AAA" on your new 8510. In this way, unless you add the AP Ethernet MAC address onto the auth-list, no AP will be able to register to your WLC.
    HTH
    Rasika

  • Patching Domain controllers on different days. Can this cause issues

    We have a few domain controllers that need to be patched: 2 for one of our locations and 2 for the other. They are both on different subnets; however, they do replicate AD information. My plan was to patch the two domain controllers tonight for one of our locations, then patch the others on a different night for the other location. My question is, will this cause any replication issues since the two DCs would have different updates and service packs? I remember having this issue with Exchange when I did this, but Exchange was in a DAG, which the AD boxes aren't. Any replies are much appreciated.

    You fellas are awesome. Thanks for the peace of mind.

  • How do you set up a server to use multiple DNS servers that are not connected to each other?

    Is there a way to set up a server that connects to two different domains to use the proper DNS server for name resolution?
    Let's say there are two DCs: serverA.subdomaina.domain.com and serverB.subdomainb.domain.com. The domains are independent and not connected. Now you need a common server that is connected to both and needs to resolve names from both domains.
    Is this possible?
    I have set up a server in a workgroup. One NIC has the subdomaina.domain.com connection-specific suffix and the other NIC has subdomainb.domain.com. Each NIC has the DNS server listed for the domain it is connected to.
    This configuration will resolve FQDNs of one domain but not the other. This I believe is due to the fact the server only queries one DNS server and doesn't try the other DNS server.
    Is there any way to make the server try another DNS server if the first one doesn't have the entry?

    Hi,
    Thank you for posting in Windows Server Forum.
    Here, adding to the words of "Tim": a forwarder is a DNS server on a network used to forward DNS queries for external DNS names to DNS servers outside of that network. You can also forward queries according to specific domain names using conditional forwarders.
    A DNS server on a network is designated as a forwarder by having the other DNS servers in the network forward the queries they cannot resolve locally to that DNS server. You can refer to the links below for information regarding forwarders and how to configure them.
    Understanding forwarders
    http://technet.microsoft.com/en-us/library/cc782142(v=ws.10).aspx
    Configure a DNS Server to Use Forwarders
    http://technet.microsoft.com/en-us/library/cc754941.aspx
    Hope it helps!
    Regards.

  • Enterprise DNS servers are not responding when using Windows NLB with Direct Access 2012

    Hi
    We have installed Direct Access 2012 as one server installation:
    - Two network cards. First one in DMZ and second one in internal network
    - Two consecutive IP addresses configured in DMZ because of Teredo
    - PKI because of Win7 Clients IPSec
    - Our corporate network is native IPv4 so we use DNS64/NAT64 and DA-server is configured as DNS
    - DA-servers are VMWare virtual machines 
    One server installation works fine and now we want to use Windows NLB as load balancing. NLB installation goes fine too,
    but problem is DNS. If we still try to use DA-server as DNS there comes error message below
    None of the enterprise DNS servers 2002:xxxx:xxxx:3333::1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.
    When trying to configure DNS using the Infrastructure access setup, DNS cannot be validated when using the DA-server's DIP or the cluster VIP. Only the domain-local DNS looks to be ok, but those have no IPv6 addresses. So how should DNS be configured when using multicast NLB?
    Tried to remove name suffix then adding again => Detect DNS server => DA-server IPv6 address found => validate => The specified DNS server is not responding...
    Then tried to ping detected address => General failure
    NLB clusters are configured as multicast and static ARPs are configured too. Both clusters can be connected from those subnets as they should be. 
    Any clues how to fix this?
    ~ Jukka ~

    Hi,
    Your question falls into the paid support category which requires a more in-depth level of support.  Please visit the below link to see the various
    paid support options that are available to better meet your needs.
    http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
    Regards,
    Mike
