The case of the missing domain controller…

I wanted to talk about an issue today that I see with a great deal of regularity.  Statically setting an external or public DNS (Domain Name System) server in the DNS client settings of a machine that is joined to an Active Directory domain.

external-dns-server

In the above picture we have the Active Directory domain controller as the Preferred DNS server.  However we also have one of the Google public DNS servers as the Alternate DNS server.  At first look, it appears this might be a good idea.  If the Active Directory domain controller goes down, this PC can still resolve names on the Internet. However there is a significant disadvantage to setting up the DNS client in this way.  To understand this disadvantage, we must first understand how the DNS name resolution process works in Windows.

When a Windows system, either client or server, needs to resolve a name it goes through the following process.*

  1. The client checks to see if the name queried is its own.
  2. The client queries the DNS client resolver cache.  Any entries from the hosts file are preloaded to the resolver cache.
  3. Domain Name System (DNS) servers are queried.
  4. If the name is still not resolved, the NetBIOS name resolution sequence is used.

*I have omitted WINS from the process as it is rarely used anymore.

Let’s dive a little deeper into bullet point two.  There are two important takeaways for the DNS client cache.  The first is the time limit a record or lack thereof is cached.  This is typically referred to as TTL (Time To Live).  A positive answer is cached for its TTL or 24 hours whichever is less.  A negative response, that is when the record does not exist or cannot be found, is cached for 5 minutes.  The second takeaway is that clearing the cache can only be achieved by restating the DNS client service, running ipconfig /flushdns or restarting the client.

Now on to bullet point three and our example above.  The Windows DNS client will use the Preferred DNS server first.  If that server fails to respond, even just for a second, the Windows DNS client will switch over to the Alternate DNS server.  The Windows DNS client will not switch back to the Preferred DNS server unless the alternate fails to respond.  In the case of a public DNS server this is unlikely to happen.  If the Windows DNS client does get “stuck” on the alternate server there are three ways to get it to switch back; restart the DNS client service, restart the computer, or modify the DNS client configuration.

So now we have a better understanding of how DNS name resolution and the Windows DNS client work.  Let’s go over why public DNS servers should not be used.  In most environments there will be DNS timeouts on occasion.  As we now understand a DNS timeout can cause the DNS client to switch to the next DNS server in the list.  If the DNS client switches to a public DNS server then queries for internal resources, such as domain controller service records, or other systems on the LAN (Local Area Network), will fail.  So the bottom line here is that using an external DNS server in the DNS client settings can and usually will cause unpredictable behavior.

One final thought.  The default configuration of the Microsoft DNS server will allow Internet names to be resolved.  This is accomplished using root hints.  If a public DNS server must be used for Internet queries, then a DNS forwarder can be added in the DNS server configuration.

I hope you found this article informative.  If you have anything to add or see something that needs a correction, please leave a comment below.

 

 

 

 

 

 

 

 

 

 

Advertisements

We couldn’t create a new partition or locate an existing one.

Good afternoon.  I ran into an issue today I have seen quite a few times.  I had a customer that was trying to load Windows 2012 on a server.  No matter what he tried he would always receive the same error.

“We couldn’t create a new partition or locate an existing one.”
partition error.png

At first glance it might seem like there is an issue with the disk.  That is not the case though.  The problem has to do with the boot priority as setup in the BIOS of the system.  In this case my customer had a Dell server with an SD card.  He had ordered the server with ESXi loaded on the SD card.  Therefore Dell had put the SD card at the top of the boot priority when it was configured at the factory.  The raid controller was second in the boot priority.  The reason this is a problem is that Windows setup needs to create or use an existing partition on the first device in the boot priority.  Compounding the issue is that, when using the setup, Windows can only be loaded on a fixed disk.  Therefore the error is due to the inability to create a system reserved partition for the boot loader files.

Keep in mind this issue can happen on any system that has more than one entry in the boot priority.  For instance, I have also seen this problem when there were multiple hard disk controllers in a server and the wrong one is at the top of the list.

The fix is quite simple.  Go into the bios and change the boot priority to put the device that will have Windows loaded on it at the top.

I hope you have found this article informative.  If you have anything to add, please use the comments section below.

Why are my computers not showing up on the Network in Windows explorer?

I ran across an interesting issue this morning.  I had a customer who was not able to browse for computers on most of his workstations and servers.  The problem seemed to start within the last two weeks.

I checked the workstation, DNS client, network list, and network location awareness services.  They were all running.  The problem turned out to be the Function Discovery Resource Publication service.  This service was not started and was set to manual.  Without this service the computer will not advertise itself and will not be able to discover other computers on the network.

So if no computers are showing in Network in Windows Explorer check the Function Discovery Resource Publication service and verify it is running.  I would also recommend setting it to Automatic start so that everything works correctly after a reboot.

I hope this article has been informative.  If you have anything to add, please use the comments section below.

Where are my file shares?

Good morning.  I ran into an issue I see from time to time in support.  One of my customers was unable to find where his shares were located on the filesystem.  The solution is quite easy to solve with a single command.

Net Share

Running that command will display all shares on the server including hidden and administrative shares along with their paths.  This command will work in any version of Windows and does not require elevation.

I hope you found this article informative.  If you have anything to add, please do so by adding a comment below.

Outlook 2016 and Exchange 2010

Good morning.  It is another fine day in support.  I wanted to share an issue that I have seen a couple of times and want to have it handy for future reference.  I had a customer with an SBS (Small Business Server) 2011 install.  He was adding in Outlook 2016 clients, but could not get any of them to connect with autodiscover.  One key piece of information in this case is that Outlook 2010 and 2013 clients work fine.  With this in mind I checked Google.  I found quite a few articles pointing to disabling MAPI/HTTP.  This should not keep Outlook 2016 from connecting as it will drop down to RPC/HTTP.

In the end I setup an Outlook profile with IMAP.  I was then able to get into Outlook and run an autodiscover test.  When I ran the test I was able to get the error code from the server.  Here is what I saw:

Attempting URL https://myserver.mydomain.com/autodiscover/autodiscover.xml found through SCP
Autodiscover to https://myserver.mydomain.com/autodiscover/autodiscover.xml starting
GetLastError=2147954402; httpStatus=0.

Autodiscover then proceeded to try the default path and failed.  I did a search on this error code and found the following Microsoft article.  My customer was running the latest version of Outlook though.  I ended up doing the workaround at the bottom.  Here it is.

  1. Open Registry Editor.
  2. Locate and then click the following registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Autodiscover
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type ExcludeHttpsRootDomain, and then press Enter.
  5. On the Edit menu, click Modify, type 1 in the Value data box, and then click OK.
  6. Exit Registry Editor.

Outlook immediately worked after this, and much faster.

I hope this article has been informative.  If you have anything to add or just want to comment, please do so below.

Why is my network profile stuck on Public?

Good morning.  A quick tip for today on an issue I run into from time to time.  I have seen a lot of Windows machines in my time.  One of the problems that I run into on a fairly regular basis is network communication issues.  A possible cause for these issues can be due to the Windows firewall being too restrictive.  That is what we are going to discuss today in this post.

Before we get into how to fix the network profile, let’s first discuss why the network profile even matters.  To do that we need to talk about the Windows firewall a little.  The Windows firewall provides a barrier between the Windows operating system and the network(s) to which it is attached.  It has 2 or 3 distinct profiles that it will operate in.  Whether it has 2 or 3 depends on if the system is joined to an Active Directory domain.  Each These 3 profiles are as follows:

  • Public – Windows assumes it is directly connected to the Internet or is on an unsafe or unfamiliar network.  This profile is the most restrictive and blocks most incoming traffic.
  • Private – Windows assumes this network is isolated from the Internet and is considered mostly safe.  This profile allows more traffic than the public profile, but some services are still blocked by default.
  • Domain – Windows assumes the network is trusted.  This profile is the least restrictive and by default allows most known services through.

As you probably already guessed the profile used by the Windows firewall correlates directly with the network profile assigned to the network adapter.  So if your network profile shows Public you can bet that almost all services will not work.

Now that we know about the profiles and what they do, how can we change the network profile.  If this were a client operating system like Windows 8/8.1/10 then it would be easy, just go into Network and Sharing Center and change the profile.  On a server operating system, for instance Windows Server 2012/2012R2/2016, the option to change the profile is not there.  That is, unless you count the side pop-out asking if you want to discover computers on the network.  Clicking yes on that pop-out will put the network profile into private.  Clicking no will put it into public.

If you clicked no, there is still hope.  There is a PowerShell command that can be used to set the network profile; Set-NetConnectionProfile.  Here is the command I use to quickly change the mode of all network cards in a system.

Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private

This will set all network cards to Private profile.

If you need to set just one network card, you will need to know the interface index.  To find this run the following command.

Get-NetConnectionProfile | FT Name,InterfaceAlias,InterfaceIndex -a

This will give a table of all the network adapters in the server with their names and indexes.  You can then run the following command to set a single network adapter

Set-NetConnectionProfile -InterfaceIndex <index number> -NetworkCategory Private

I hope you found this article helpful.  If you have anything to add or just want to leave a comment, please do so below.

 

Exchange Shell and the missing child domain

Good morning.  Today I wanted to post a couple of quick one line PowerShell commands for Exchange 2010.  I used both of these today and they are invaluable in certain situations.

The first command is used to load local Exchange Shell.  Normally you don’t want to do this, but I had issues with RBAC (Role Based Access Control) that prevented doing anything in Exchange Shell or Exchange Management Console.

  1. Run a PowerShell command as Administrator
  2. Run: Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010

 

The second command is very useful in multi-domain exchange forests.  For instance if multiple user accounts are in a child domain, but Exchange is in the parent domain, and you need to move the mailboxes.
Here is the command without setting the AD server setting parameter:
Get-Mailbox -Database “Mailbox Database” -Domaincontroller DC.child.domain.com | New-MoveRequest -TargetDatabase “New Database” -Domaincontroller DC.child.domain.com

Here is the command to change the behavior of Exchange Shell to mimic Exchange Management Console:
Set-AdServerSettings -ViewEntireForest $True

And the resulting command to move mailboxes as above:
Get-Mailbox -Database “Mailbox Database” | New-MoveRequest -TargetDatabase “New Database”

 

I hope you have found this article informative.  If you have any comments or suggestions, please leave them below.