Blog - Title

February, 2009

  • Headache Prevention: Install Hotfix 953317 to Prevent DNS Records from Disappearing from Secondary DNS Zones on Windows Server 2008 SP1

    Craig here. We’ve had some nasty cases related to this bug, so it seemed prudent to do our best to increase the awareness of this issue. In a nutshell, the DNS Server service in Windows Server 2008 has a bug that can result in a large number of DNS records disappearing. When those records go missing, you will start seeing problems with anything that depends on name resolution, which in an Active Directory environment is pretty much everything. Note this hotfix only applies to standard secondary zones. Active Directory-integrated zones are not affected by this issue because they use AD replication, not zone transfers, to stay synchronized.

    For this reason, we recommend that you take a look at the following KB article and consider applying the hotfix to your environment.

    953317 A primary DNS zone file may not transfer to the secondary DNS servers in Windows Server 2008
    http://support.microsoft.com/kb/953317

    If you are hitting this issue, you may see the following event logged:

    Event Type: Error
    Event Source: DNS
    Event Category: None
    Event ID: 6527
    Date: 8/21/2008
    Time: 3:20:34 PM
    User: N/A
    Computer: Server01.contoso.com
    Description: Zone contoso.com expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.

    The problem is specific to Windows Server 2008 SP1 (meaning the original release of Windows Server 2008). The 953317 hotfix version of DNS.EXE is 6.0.6001.22218. The problem may occur on both secondary DNS servers that were upgraded from Windows Server 2003 and also new installs of Windows Server 2008. For this issue to reproduce, a master server must be hit with enough changes that it cannot service an IXFR request, and so will respond to IXFR with an AXFR.

    What you will see is that most of the records in the DNS zone will appear to have disappeared, expired, or been deleted. The zone itself continues to exist but virtually all records in the zone are deleted except for the Start of Authority (SOA) records. Often a handful of host “A” records will also remain present in the zone.

    Because DNS servers affected by this condition continue to host a copy of the zone, they will continue to respond to queries from clients. The typical response from a DNS server whose zone contents have been deleted is that the queried record does not exist in the zone (this assumes that the DNS server role is otherwise functional). Windows clients will continue to direct queries to these responsive DNS servers instead of failing over to an alternate DNS server that hosts a complete copy of the zone.

    Keywords: Windows Server 2008 secondary master primary zone transfer zone axfr ixfr incremental zone transfer full zone transfer delete deleted disappear disappeared missing expired expire

    - Craig Landis

  • “Configure slow-link mode” policy on Vista for Offline Files

    Hi, Gary from DS here and I am going to discuss the “Configure slow-link mode” policy on Vista with Offline Files.

    How is slow link determined by Windows Vista?

    Offline Files measures the speed of a link based on the packet latency between the client and the target server. The latency is reported by the network driver and TCP stack and is then used to compute the throughput to the server, which is compared with the throughput and/or latency thresholds configured in the policy. You might think that the Network Location Awareness (NLA) service would be used for this, but that is not the case.

    The original released version of Windows Vista only took outbound traffic into account, which means that a share might remain online longer than expected. Windows Vista SP1 improves this feature by taking both inbound and outbound traffic into account; it uses the smaller of the two values when determining whether a transition to slow link is needed.

    The “Configure slow-link mode” policy MUST be configured in order for anything to be considered slow. By default, nothing is considered slow automatically.

    Configuring the policy

    The policy itself is pretty easy to configure, but the example text can be a bit confusing, and I have seen a few cases where these have been defined incorrectly. The policy is located at the following path in the Group Policy Editor:


    Computer Configuration\Administrative Templates\Network\Offline Files

    Say you are configuring the slow-link policy and you want \\server\share to be taken offline with an acceptable latency of 50 milliseconds; you would fill in the boxes as shown below:

    [screenshot: the policy dialog with \\server\share and the 50 millisecond latency value filled in]

    Support for wildcards (*)

    As the screen shot sample of the policy above suggests, there is some limited support for wildcards within the policy for determining what to consider for slow link detection. The matching algorithm is pretty simple and separates the path into 5 different parts (Server, Share, Directories, Filename, and Extension):

    \\servername\share\dir1\dir2\file.ext
    | SRV       | SH  | DIR | F | E     |

    SRV = Server Name
    SH = Share name
    DIR = Directory name
    F = File name
    E = File Extension

    The wildcard character ‘*’ can be specified for one or more of the parts in which the wildcard means “anything is matched”. The following rules apply to the matching:

    • If a path contains a trailing *, then the remaining parts are matched automatically.
    • When the directories part contains a *, all remaining directory parts are automatically matched.
    • The * does not support partial matching. Example: \\server\share\mydir* would not match \\server\share\mydirectories as it would be explicitly looking for “mydir*” in the path.

    These rules give you some flexibility when setting up matching patterns. In my experience so far, and because Offline Files doesn’t take individual files offline, it is best to match the share or DFS link that should be considered for slow-link transition. In testing, the following patterns had these results:

    Pattern: *
    Result: Matches everything that would be made available offline

    Pattern: \\server\*
    Result: Matches any share on the server that is made available offline

    Pattern: \\server\share or \\server\share\*
    Result: Matches any files/folders under the share. Would be equivalent to \\server\share\*\*.*

    For a DFS Namespace with the following structure, the patterns below had these results:

    \\contoso.com\dfsroot

    \Site1\Users – Link to a target that contains users' data
    \Site2\Users – Link to a target that contains users' data

    Pattern: \\contoso.com\dfsroot or \\contoso.com\dfsroot\*
    Result: Matches anything in the namespace

    Pattern: \\contoso.com\dfsroot\site1\users
    Result: No wildcard matching; anything below that path would be taken offline

    Pattern: \\contoso.com\dfsroot\*\users
    Result: Matches both of the following links:
    \\contoso.com\dfsroot\site1\users
    \\contoso.com\dfsroot\site2\users

    Pattern: \\contoso.com\dfsroot\site1\users\*.*
    Result: Is supposed to be similar to the one just above, but did not take the link offline as expected

    Pattern: \\contoso.com\dfsroot\site*\*
    Result: Does not work because the * does not support partial matching

    Pattern: \\contoso.com\dfsroot\*\users\*
    Result: Because the first * covers all remaining directory parts, “users” is ignored in the evaluation, so this is supposed to be equivalent to \\contoso.com\dfsroot\* or \\contoso.com\dfsroot\*\*.*. It did not work in my testing, however.
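    As an added illustration (not code from the original post), the following Python models the five-part matching (server, share, directories, file name, extension) and the three rules above, and is checked against the patterns from both tables; where Gary reports that a pattern did not work in testing, the model follows the written rules rather than the observed Vista behaviour. Treating a pattern that stops at the share as covering everything beneath it follows the first table; case-insensitive comparison is my assumption.

```python
# Added example: a model of the Offline Files slow-link wildcard rules
# described in the post.  Assumption: UNC components compare
# case-insensitively, so "Site1" and "site1" are the same part.

def _comps(unc: str) -> list[str]:
    """Split a UNC path into lower-case parts: server, share, dirs..., name."""
    return [p.lower() for p in unc.strip("\\").split("\\") if p]

def _name_parts(name: str) -> tuple[str, str]:
    """Split the last part into (file name, extension); no dot = empty extension."""
    stem, dot, ext = name.rpartition(".")
    return (stem, ext) if dot else (name, "")

def _dirs_match(pat_dirs: list[str], path_dirs: list[str], exact: bool) -> bool:
    for i, d in enumerate(pat_dirs):
        if d == "*":
            return True                    # rule 2: all remaining directories match
        if i >= len(path_dirs) or d != path_dirs[i]:
            return False                   # rule 3: 'site*' is literal, no partial match
    # With no '*' and a file-name part still to check, the path must not be deeper.
    return len(path_dirs) == len(pat_dirs) if exact else True

def matches(pattern: str, path: str) -> bool:
    """True when the slow-link pattern covers the UNC path (a share, DFS link or file)."""
    pat, pth = _comps(pattern), _comps(path)
    for i in (0, 1):                       # server part, then share part
        if i >= len(pat):
            return True                    # '*' or '\\server\*': everything beneath matches
        if i >= len(pth) or (pat[i] != "*" and pat[i] != pth[i]):
            return False
    pat_tail, pth_tail = pat[2:], pth[2:]
    if not pat_tail:
        return True                        # '\\server\share' covers the whole share
    if pat_tail[-1] == "*":                # rule 1: trailing '*' matches all remaining parts
        return _dirs_match(pat_tail[:-1], pth_tail, exact=False)
    if not pth_tail:
        return False                       # pattern reaches below the share, the path does not
    if not _dirs_match(pat_tail[:-1], pth_tail[:-1], exact=True):
        return False
    (ps, pe), (s, e) = _name_parts(pat_tail[-1]), _name_parts(pth_tail[-1])
    return ps in ("*", s) and pe in ("*", e)   # F and E parts: literal or '*'
```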

    To quickly summarize, the slow link is determined by network packet latency and is compared with the configured policies. This policy must be configured for anything to automatically transition to offline. Also, there is basic support for wildcard matching that could help in fine tuning slow link settings for specific paths, instead of having to have multiple entries or multiple policies. A better understanding of how that works will help make that easier.

    - Gary ‘Always Online’ Mudgett

  • New Directory Services KB Articles 2/1-2/7

    New KB articles related to Directory Services for the week of 2/1-2/7.

    Number - Title

    967336 - A newly promoted Windows 2008 domain controller may fail to advertise after completion of DCpromo
    967539 - Cannot configure ACL to the drive root using icacls.exe
    961515 - The subject name of a computer certificate that is issued by a Windows Server 2003-based server is set to the user principal name (UPN) of the computer account after you apply hotfix 943089
    935834 - How to enable LDAP signing in Windows Server 2008
    967332 - You cannot add V2 or V3 templates after an in-place upgrade was performed using Windows Server 2008 enterprise CA
    959606 - You find that the Drive Maps node is still available even though you disable it by using Group Policy
    967482 - Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers
    967623 - You receive a Key Distribution Center "Event ID: 29" event message on a Windows Server 2008-based domain controller
    967542 - Adding Server Features or Roles in Server 2008 may take a very long time
    960151 - Error message when you try to access a network drive that is mapped to a DFS shared folder on a client computer that is running Windows Vista or Windows Server 2008: "Error: Location is not available"
    961477 - On a Windows Vista-based computer or on a Windows Server 2008-based computer, when you use Windows Explorer to view offline files in Remote Storage, the files are recalled
    967531 - Error message when installing Windows Server 2008 Remote Server Administration Tools on Windows Vista SP1: "The update does not apply to your system"
    967475 - How to disable the TCP autotuning diagnostic tool

  • HOW TO: Export the Configuration Container in ADAM & AD LDS Using LDIFDE

    Hi, Russell here. I’m a member of the Microsoft Texas Directory Services Team. I specialize in all things LDAP, with particular focus on 3rd Party LDAP Client interop, ADAM & AD LDS, Directory Service Schemas, Indexing, and LDAP Query Performance Tuning.

    We recently had a customer who had "inherited" an ADAM infrastructure. He called concerning replication failures between ADAM instances. Trouble was, he had no documentation explaining the configuration. Fortunately, AD LDS and ADAM have many tools to help you sort out the confusion after the fact. One of them is LDIFDE, Microsoft's tool for importing and exporting directory data in the LDAP Data Interchange Format (LDIF), specified in RFC 2849.

    To assist the customer, we asked for an LDIFDE export of his ADAM Configuration Partition to view the ADAM NTDS Settings Objects and Site configurations.

    Problem - The command-line help leaves a bit to be desired. Export is the default mode of operation for ldifde, but we did not want a full export of all ADAM partitions (#1), and the macro expansion feature would not give us the desired results either (#2):

    1. LDIFDE -m -f output.ldf

    2. LDIFDE -f export.ldif -c "#configurationNamingContext" "cn=configuration,dc=x"

    Complicating matters, if the machine is in a domain and ADAM is listening on any port other than 389, the export will be taken from the first DC to respond, not from ADAM. See the fine print at the end.

    To obtain just the Configuration Container for analysis, we'll need to supply LDIFDE more information:

    • -d Specifies the root container of our search and export
    • -s Specifies the server we want to connect to. Localhost can be used if running locally on the ADAM server
    • -t Specifies the ADAM port you want to connect to (use the dsdiag.exe “List Instances” sub-command to determine the port if it is not known)
    • -f Specifies the file name where you want to write the output of the export

    Order is important. Use the -d switch first, then the server, port, and an output file name.

    Example:

    LDIFDE -d CN=Configuration,CN={43B6F689-F8B3-47B5-BB75-5B56BB5A55} -s localhost -t 50000 -f ServerConfig.ldif

    NOTES – CN=GUID is from a sample machine. Each configuration container will have a unique GUID. Replica members will share this GUID. Possible errors you might encounter when syntax is incorrect:

    "The default naming context cannot be found. Using NULL as a search base."
    "No entries found."

    Fine Print on the above error - This is actually an issue with LDIFDE & ADAM interop, in that ADAM does not populate the defaultNamingContext in RootDSE by default. The error shows that you connected to ADAM RootDSE, but without a search base, nothing gets exported.

    Hasta luego,

    -Russell “SpaniardR2” Despain

  • How to Hide User Information When Computer is Locked

    Hi, this is Amit from the Directory Services team and I am going to discuss a Group Policy setting which is now available in XP SP3 & 2003 SP2.

    Whenever we log on to a Windows workstation, we see the name of the previously logged-on user; we might want to remove that for security reasons. We already have a KB article for this: 324740.

    Ever wonder whether we can hide the Domain\Username details when the computer is locked? After all, users can still see the actual user name, domain name, etc. being used (see below).

    [screenshot: locked workstation showing the domain and user name of the logged-on user]

    If you want to hide these details, then you can configure this using a GPO setting:

    Interactive Logon: Display User Information when the session is locked.

    This setting is available at the following location:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

    This setting has three options when you enable it:

    • User display name, domain and user names (Value = 0x1)
    • User display name only (Value = 0x2)
    • Do not display user information (Value = 0x3)

    By choosing the third option, you are not displaying DOMAIN\Username details when the machine is locked (see below).

    [screenshot: locked workstation with the user information hidden]

    Once the policy is applied, it will create a registry value named “DontDisplayLockedUserId” with data of 3 at the following location:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    When you try to log back on to the locked machine, it will not show the name of the user who is logged on, so you have to provide your user name again along with the password.

    Note: This Group Policy setting is only available in the Group Policy editor on XP SP3 and 2003 SP2; however, it can also be applied directly by editing the registry on XP SP2, Windows Vista and Windows Server 2008 computers:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
    REG_DWORD: DontDisplayLockedUserId

    We are aware that this setting is currently not available in the Group Policy editor on Windows Vista and Windows Server 2008.

    You can also refer to KB837022, which describes a hotfix for MSGINA.DLL:

    You cannot change the display behavior of the user display name and of the user ID when a Windows XP-based computer resumes from the locked state.

    If you want to learn more about Group Policy and play around with other settings, check out the following links:

    Group Policy Resources on TechNet

    Download Group Policy Settings Reference for Windows Vista

    Download Group Policy Settings Reference for Windows Server 2008 and Windows Vista SP1

    www.gpoguy.com This site has helpful videos, articles, and tools to help you work with Group Policy. Check that site out regardless; it has a lot of good information for every level of GP knowledge.

    - Amit Khanna

  • New Directory Services KB Articles 1/25-1/31

    New KB articles related to Directory Services for the week of 1/25-1/31.

    Number - Title

    958612 - Citrix ICA clients are not disconnected from a Windows Server 2008 terminal server as expected when the grace period has expired and a terminal license server is not configured
    959488 - The logon process may take a long time when you try to log on to a Windows Vista-based or Windows Server 2008-based computer