Monthly Archives: March 2012

Best practices for DNS settings on DC and domain members.

The following information explains best practices for DNS client settings on domain controllers and domain members.

Domain controller with DNS installed:
On a domain controller that also acts as a DNS server, it is recommended that you configure the domain controller's DNS client settings as follows:

IP configuration on domain controller:

  • In a domain with a single DC/DNS server, the DC points to its own private IP address (not the loopback address 127.x.x.x) as the preferred DNS server in its TCP/IP properties.
  • In a domain with multiple DCs that are DNS servers, each DC should point to another (remote) DC's IP address as the preferred DNS server and to its own private IP address as the alternate DNS server.
  • Each DC has a single IP address and only one network adapter enabled (disable unused NICs).
  • IPv6 should not be disabled on the DC's NIC. Set it to "obtain IPv6 address automatically" and "obtain DNS server address automatically".
  • If multiple NICs (enabled or disabled) are present on the server, make sure the active NIC is at the top of the NIC binding order.
  • Obtain valid DNS server IP addresses from your ISP and add them as forwarders on the DNS server. Do not set a public DNS server in the TCP/IP settings of the DC.

How to set/view the NIC bind order in Windows

IP configuration on domain member:

  • Each workstation/member server should point to the local DNS server as the preferred DNS server and to a remote DNS server as the alternate DNS server in its TCP/IP properties.
  • Do not set a public DNS server in the TCP/IP settings of domain members.

Once you are done with the above, run "ipconfig /flushdns & ipconfig /registerdns", then restart the DNS Server and Netlogon services on each DC.
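The following audit script is an added example, not part of the original post: run on a DC, it checks the TCP/IP DNS client settings against the rules above (one active NIC, IPv6 still bound, no loopback or non-DC resolvers, preferred/alternate order by DC count, forwarders present). It assumes Windows Server 2012 or later with the NetAdapter, DnsClient, DnsServer and ActiveDirectory modules available on the DC.

```powershell
# Added audit script (not from the original post). Assumes Windows Server 2012+ on a DC
# with the NetAdapter, DnsClient, DnsServer and ActiveDirectory PowerShell modules.
Import-Module ActiveDirectory, DnsServer -ErrorAction Stop
$findings = @()

# Rule: exactly one enabled NIC per DC (disable unused NICs)
$up = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
if ($up.Count -ne 1) { $findings += "Expected exactly one active NIC, found $($up.Count)" }
$nic = $up | Select-Object -First 1

# Rule: IPv6 stays bound to the NIC (automatic configuration), not disabled
$v6 = Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6
if (-not $v6.Enabled) { $findings += "IPv6 is unbound on $($nic.Name)" }

# This DC's own IPv4 address, every DC's IPv4 address, and the configured DNS client servers
$self  = (Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
          Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress | Select-Object -First 1
$dcIPs = @((Get-ADDomainController -Filter *).IPv4Address)
$dns   = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses)
if ($dns.Count -eq 0) { $findings += "No IPv4 DNS servers configured on $($nic.Name)" }

# Rule: no loopback and no public/ISP resolvers in TCP/IP; every entry must be a DC
foreach ($s in $dns) {
    if ($s -like '127.*')          { $findings += "Loopback $s used as DNS server" }
    elseif ($dcIPs -notcontains $s) { $findings += "$s is not a domain controller (public/ISP DNS in TCP/IP?)" }
}

# Rule: preferred server depends on how many DCs the domain has
if ($dns.Count -gt 0) {
    if ($dcIPs.Count -eq 1) {
        if ($dns[0] -ne $self) { $findings += "Single-DC domain: preferred DNS should be own IP $self, is $($dns[0])" }
    } else {
        if ($dns[0] -eq $self)     { $findings += "Multi-DC domain: preferred DNS should be a remote DC, not own IP" }
        if ($dns -notcontains $self) { $findings += "Own IP $self should be listed as the alternate DNS server" }
    }
}

# Rule: external resolution goes through forwarders, never through the DC's TCP/IP settings
$fwd = (Get-DnsServerForwarder).IPAddress
if (-not $fwd) { $findings += "No DNS forwarders configured (ISP resolvers belong here)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "DNS client settings on $($nic.Name) match the recommendations" }
```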

Quick note: A multihomed domain controller is not recommended; it always results in multiple problems.

  • Acting as a VPN server, or even simply running RRAS, makes a DC multi-homed.
  • Domain controllers holding the PDC role are automatically the Domain Master Browser. Master Browsers should not be multi-homed.

Active Directory Communication Fails on Multihomed Domain Controllers (Microsoft KB 272294)

Symptoms of Multihomed Browsers (Microsoft KB 191611)

Active Directory Metadata Cleanup, What is that?

The following information explains the Active Directory metadata cleanup process: what it is and why it is required.

Metadata cleanup is the process that removes a failed domain controller's objects from Active Directory.

When is it required?
Metadata cleanup is required when you try to remove a domain controller from your Active Directory domain by using Dcpromo.exe and it fails, when you begin promoting a member server to a domain controller and the promotion fails, when you cannot demote the domain controller gracefully, or when the DC has failed or crashed because of a hardware failure.

In any of the cases above, you will be left with remnants of the DC's objects in Active Directory. As part of a successful demotion, the DCPROMO wizard removes the domain controller's configuration data from Active Directory, but a failed DCPROMO attempt can leave these objects in place.

The effects of leaving such remnants in Active Directory vary, but one thing is certain: whenever you reinstall a server with the same computer name and try to promote it to a domain controller, the promotion will fail, because DCPROMO still finds the old object and therefore refuses to re-create the objects for the rebuilt server.

If the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to remove it manually; this process is called metadata cleanup.

As part of metadata cleanup you need to perform the following procedures:
  • Perform the metadata cleanup itself (with Ntdsutil.exe).
  • Manually remove the failed DC's server object from Active Directory Sites and Services.
  • Manually remove the computer object from the Domain Controllers container in Active Directory Users and Computers (ADUC).
  • Manually remove the failed DC's entries (NS, A, PTR and other records) from the DNS console.

Note: At least one healthy DC is required, from which you perform the metadata cleanup.
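As an added example (not from the original post), the script below checks from a healthy DC whether remnants of a failed DC still exist in each of the four places listed above: the NTDS Settings object, the server object in Sites and Services, the computer object in the Domain Controllers container, and the A/NS/SRV records in DNS. The hostname DC2 and site Default-First-Site-Name are placeholders; it assumes the ActiveDirectory and DnsServer modules and a separate _msdcs zone (PTR records are skipped because the reverse zone name varies).

```powershell
# Added check script (not from the original post). Run on a healthy DC with the
# ActiveDirectory and DnsServer modules. $FailedDC and $SiteName are placeholders.
Import-Module ActiveDirectory, DnsServer -ErrorAction Stop
$FailedDC = 'DC2'                     # hostname of the DC that crashed (placeholder)
$SiteName = 'Default-First-Site-Name' # site the failed DC belonged to (placeholder)

$domain = Get-ADDomain
$config = (Get-ADRootDSE).configurationNamingContext
$zone   = $domain.DNSRoot
$fqdn   = "$FailedDC.$zone"

# 1. NTDS Settings object under the server object (what "ntdsutil metadata cleanup" removes)
$serverDN = "CN=$FailedDC,CN=Servers,CN=$SiteName,CN=Sites,$config"
$ntds = Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase $serverDN -ErrorAction SilentlyContinue
if ($ntds) { "NTDS Settings still present: $($ntds.DistinguishedName)" }

# 2. Server object in Active Directory Sites and Services
$server = Get-ADObject -Identity $serverDN -ErrorAction SilentlyContinue
if ($server) { "Server object still present: $serverDN" }

# 3. Computer object in the Domain Controllers container (ADUC)
$computer = Get-ADComputer -Filter "Name -eq '$FailedDC'" -SearchBase $domain.DomainControllersContainer
if ($computer) { "Computer object still present: $($computer.DistinguishedName)" }

# 4. DNS: A record, NS record on the zone, and SRV records in _msdcs that name the failed host
$a = Get-DnsServerResourceRecord -ZoneName $zone -RRType A -Name $FailedDC -ErrorAction SilentlyContinue
if ($a) { "A record still present: $fqdn -> $($a.RecordData.IPv4Address)" }
$ns = Get-DnsServerResourceRecord -ZoneName $zone -RRType NS |
      Where-Object { $_.RecordData.NameServer -eq "$fqdn." }
if ($ns) { "NS record still points to $fqdn" }
$srv = @(Get-DnsServerResourceRecord -ZoneName "_msdcs.$zone" -RRType Srv -ErrorAction SilentlyContinue |
         Where-Object { $_.RecordData.DomainName -eq "$fqdn." })
if ($srv.Count) { "$($srv.Count) SRV record(s) in _msdcs.$zone still reference $fqdn" }
```

Any line the script prints names an object or record that still has to be removed by the corresponding step above; no output means the four locations are already clean.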

Perform metadata cleanup using the steps in the articles below:
Clean Up Server Metadata Windows Server 2003 and Windows Server 2003 R2

Clean Up Server Metadata Windows Server 2008 and higher

The Local System Account

The following information and links explain the Local System account.

What is the NT AUTHORITY\System (Local System) account?
Is it part of Authenticated Users?
If a service runs under the Local System account, will it be able to access AD/GP objects that are accessible only to Authenticated Users?

The Local System account is a powerful account that has full access to the computer. The actual name of the account is NT AUTHORITY\System. The Local System account does not have any rights to access the network on its own. When network access is necessary, Local System uses the computer account, Domain\computername$.

Additional note:
With the release of Windows Server 2003, two new built-in account types similar to Local System were added: the Network Service account and the Local Service account.
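To answer the Authenticated Users question empirically rather than by assumption, the added snippet below (not from the original post or the referenced thread) runs "whoami /all" as Local System through a one-shot scheduled task and then inspects the resulting token for the well-known SIDs S-1-5-18 (SYSTEM) and S-1-5-11 (Authenticated Users). It assumes Windows Server 2012 or later (ScheduledTasks module), a local administrator session, and a writable C:\Temp, which is a placeholder path.

```powershell
# Added verification (not from the original post). Assumes Windows Server 2012+,
# an elevated session, and a writable placeholder path C:\Temp.
$out  = 'C:\Temp\system-token.txt'
$task = 'Probe-LocalSystemToken'

# One-shot task that runs under Local System and dumps the token to a file
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c whoami /all > `"$out`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $task -Action $action -Principal $principal -Force | Out-Null
Start-ScheduledTask -TaskName $task
while ((Get-ScheduledTask -TaskName $task).State -eq 'Running') { Start-Sleep -Milliseconds 200 }
Unregister-ScheduledTask -TaskName $task -Confirm:$false

$token = Get-Content $out -Raw

# The USER INFORMATION section should show NT AUTHORITY\SYSTEM with SID S-1-5-18
if ($token -match 'S-1-5-18') { 'Task ran as Local System (S-1-5-18)' }

# Authenticated Users is S-1-5-11; whether it appears in the GROUP INFORMATION
# section is exactly what decides access to objects ACLed for Authenticated Users
if ($token -match 'S-1-5-11') { 'Local System token includes Authenticated Users (S-1-5-11)' }
else { 'Authenticated Users (S-1-5-11) is not in the Local System token' }

# On the network this token is presented as the computer account, Domain\computername$
$cs = Get-CimInstance Win32_ComputerSystem
"Network identity used by Local System: $($cs.Domain)\$($cs.Name)`$"
```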

Read the articles below for more information:

Reference thread