New DNS and AD DS BPA’s released (or: the most accurate list of DNS recommendations you will ever find from Microsoft)

New DNS and AD DS BPA’s released (or: the most accurate list of DNS recommendations you will ever find from Microsoft)

  • Comments 20
  • Likes

Hi folks, Ned here again. We’ve released another wave of Best Practices Analyzer rules for Windows Server 2008 / R2, and if you care about Directory Services you care about these:

AD DS rules update

Info: Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2
Download: Rules Update for Active Directory Domain Services Best Practice Analyzer for Windows Server 2008 R2 x64 Editions (KB980360)

This update BPA for Active Directory Domain Services include seven rules changes and updates, some of which are well known but a few that are not.

DNS Analyzer 2.0

Operation Info: Best Practices Analyzer for Domain Name System – Ops
Configuration info: Best Practices Analyzer for Domain Name System - Config
Download: Microsoft DNS (Domain Name System) Model for Microsoft Baseline Configuration Analyzer 2.0

Remember when – a few weeks back – I wrote about recommended DNS configuration and I promised more info? Well here it is, in all its glory. Despite what you might have heard, misheard, remembered, or argued about, this is the official recommended list, written by the Product Group and appended/vetted/munged by Support. Which includes:

Awww yeaaaahhh… just memorize that and you’ll win any "Microsoft recommended DNS" bar bets you can imagine. That’s the cool thing about this ongoing BPA project: not only do you get a tool that will check your work in later OS versions, but the valid documentation gets centralized.

- Ned “Arren hates cowboys” Pyle

  • why doesn't it run on w2k8 standart edition? I don't understand this..

  • Awesome!  ...literally just in time for our internal meeting on this very topic.  Thanks for the follow-up on the topic as promised Ned!

  • Thankfully the DNS BPA didn't return much on our servers... however, I'm a little bothered by the one error that it is returning.

    I can see the _msdcs Zone on the servers, and everything looks ok from the AD side too.  We really aren't having any known issues, but I would imagine access to that zone would be pretty noticeable.  I'm a little reluctant to go through all of the steps listed just based on the results of the BPA.  Any thoughts/suggestions?

  • Hi,

    Evren - I'm looking into this now.

    Sgrinker - Before tackling the steps make sure you are checking more closely into your DS, System, and DNS event logs. Also use DCDIAG to test and see what its view is. It's always possibole that the new BPA is making a mistake based on some rare config, but it's also possible that you really do have an issue that is not easily surfacing to the naked eye or based on symptoms (domains can still function without msdcs, just not efficiently).

  • Hi Evren - I also just installed on Standard without issues. It's just wrong info on the download page, it works fine. I'll see about getting that updated.

    Next time don't be so trusting... :-P

  • Hi sgrinker - and I just confirmed that there's no automatic (i.e. buggy :-P) flagging like you got; mine passed muster just fine, so the BPA is working fine on the face of things.

  • Hmmm...  thanks again Ned.  It looks like the patch for was possibly pushed to the servers last night.  After the reboot I am seeing DNS-Server-Service event ID 4004 and 4015.  Again we haven't had any reports of issues today, but based on this I'm going to keep digging just to be sure.

  • It might be IPv6 related, as dcdiag /test:dns does return a missing AAAA records under _msdcs.   We don't use IPv6 here currently, so I wonder if the BPA is just showing the error due to the missing AAAA record?  Ned, I imagine you have IPv6 enabled in the location you tested?

  • I built an environment for this test, since I needed to see about Standard edition. That means my server was newly loaded from a sysprep image and DCPROMO was of the 'next next next' variety. :) I didn't configure IPv6 in any way, only IPv4. I am therefore registering Ipv6 only through the default ISATAP mechanism. I get four Quad A warnings too, these would be expected. Which ones do you see?

    You may also want to stop messing around with me and chat with our Networking team through their blog or a case. :-D

  • I'm getting the same Quad A warnings here.  Thanks, but I think I'm good for now.  :)  I'm not exactly ready to justify the $250 per incident based on a message from the BPA utility.  Everything else that I've checked comes back healthy.  If we start getting reports of strange things going on though, that is definitely the first direction I'll be heading.  Thanks for the help and feedback just to verify what I'm seeing over here from the new utility!  For now I'll leave you alone.  ;)

  • If there is anyone out there that actually cares yet :)  I'm fairly certain that I found the problem.  The _msdcs zone is a sub-zone of our primary domain, as the domain has been upgraded from 2000 to 2003 to now 2008 over the years.  The BPA appears to be looking for a root/forest bases _msdcs zone, or at least is looking for NS records within the _msdcs zone.  Based on our configuration the sub-zone doesn't have the NS records.  For anyone that is insterested in more information...

  • Oh, why the DNS PBA utilizes the old framework and does not nicely plug-in into Server Manager like other Server Role BPAs?

  • Awesome catch sgrinker! A good example of being punished for being an early adopter... :)

  • Hi Artem,

    You are thinking of Win2008 R2 I believe. Win2008 does not allow BPA to plug into server manager anywhere to my knowledge. The Win2008 R2 BPA will be updated later this year to include these new rules in its existing DNS BPA so that experience will stay consistent.

  • Yep, I'm talking about R2. So, it turns out that for R2 there's no need to separately download and install “Microsoft DNS (Domain Name System) Model for Microsoft Baseline Configuration Analyzer 2.0” (MBCA-based) from your link in the post? The same checks are performed by the “Native” Server Manager-based BPA. Correct?