• Status: Solved
  • Priority: Medium
  • Security: Public

Windows 2008 Replication Issue?

Hi Team,

This is my first post, so I'm a bit of a newbie around here, but I'll try and do my best to conform to what is needed to answer my question.

Ok, some background:

I have been setting up a new network for work in a test environment. Currently we operate on a Windows 2003 environment.

So considering that MS is discontinuing support for Windows XP, and to stop our own staff upgrading to Windows 7 without authorisation (we work at an IT company with lax standards, and poor group policy)

I am now setting up 3 domain controllers based on Windows 2008 Enterprise Edition.

1 of these will be based in Auckland, NZ, with a site-to-site link to Wellington, NZ. This isn't a problem, I have already completed this phase in trial and test environments, works a treat. Horrible to setup, a Secure IPsec link. But done.

So taking the 3 servers back to the test environment, I have configured our routers to simulate the AKL-WGN environment.

Everything is working fine... here is the configuration:

2 DCS:

192.168.0.16
192.168.0.18

1 AKL DC
10.20.0.10

Setting up Windows 2008 has been pretty much a nightmare, I'm not sure whether this is because I'm using 2 different subnets or it's generally a bitch? But on first installs I spent literally hours fixing event log issues.

So, at this stage, I have a few questions that need to be answered.

1. Why do we have _msdcs under our main domain zone when we have an _msdcs zone? Is this needed or just provided for backwards compatibility? If we are no longer going to have any ex-win7 clients, is it necessary? This is not answered anywhere I could see, in fact the reverse, which caused me to delete the main zone and headaches. Let's get some resolution in this area that addresses both those who are doing a win7 only environment and vice versa.

2. I love this new Group Policy Preferences area that has been 'acquired' by Microsoft but really, does it work?! I spent a lot of time yesterday to install all our printers on server01 and then spent the same amount of time to set up GPP. Only to find that any test user logging in gets a "Printer Name Invalid" in the event log. I changed the name/share name to be really short. No dice. Doesn't work, I looked up this problem, and cannot get it to work. Shall I resort back to Powershell or Bat scripts?

3. On my File server, which I'm setting up at the same time. So this is server 4. When I click on any link in the start menu, I am asked by Windows that this is an Unsigned Publisher. Yes you might think this is simple. Which it is, because I have set network wide policy to use the same damn server it is complaining about!! I have done the Zone assignment setting that most articles advise to do! But on this particular server, it still complains. I joined a laptop to the domain today and it had no problems, shall I just ignore this server's problem or could it be a start to a bigger problem? lol

Anyway team, I hope ya can help me. And if any more info is needed, let me know.

-David

Asked by: zarok

zarok (Author) commented:
Oops, I actually forgot to post the replication DCDIAG status:

  Starting test: NetLogons
     [C3PO] User credentials does not have permission to perform this
     operation.
     The account used for this test must have network logon privileges
     for this machine's domain.
     ......................... C3PO failed test NetLogons


This is an interesting problem. Does this actually mean anything? Weird, I log in with an account that is a member of a Super Group I created which is a member of Ent Admins, DNS Admins, Domain Admins etc etc.
ABCStore commented:
To answer your DCDIAG question - right-click on CMD and select "Run as Administrator" even though you're logged in as Administrator.

Also, use Print Management to publish printers via GP.

And please, leave DNS alone...
zarok (Author) commented:
Print Management?

and DNS is fine. I've been a DNS manager for years. All DNS is fine between all servers. The only issue I'm asking about regarding DNS is why we have _msdcs under the main zone when we have a new _msdcs zone?
 
zarok (Author) commented:
um yeh dude, that explains what _msdcs is used for. It doesn't answer my question, which is: why do we have a _msdcs delegation under the main domain.com when we have a _msdcs zone anyway?
Will Szymkowski (Senior Solution Architect) commented:
The _msdcs zone is used for hosting the SRV records of your domain. Services include PDC, GCs, Sites, Kerberos, LDAP etc. As stated above, if it is there and wasn't before then it has a purpose. DNS should be fine being AD integrated and there is not much to configure.

Here is also a guide for mapping printers using preferences...
http://blogs.technet.com/b/grouppolicy/archive/2009/06/24/gp-preferences-set-a-default-printer.aspx

Hope this helps!
TheGeezer2010 commented:
Well this part explains very clearly why you have two _msdcs zones, just read Windows 2008 instead of 2003 :-

 For that reason, each domain in DNS has an _msdcs subdomain that hosts only DNS SRV records that are registered by Microsoft-based services. The Netlogon process dynamically creates these records on each domain controller (DC). The _msdcs subdomain also includes the globally unique identifier (GUID) for all domains in the forest and a list of GC servers.

If you install a new forest on a system that runs Windows Server 2003 and let the Dcpromo wizard configure DNS, Dcpromo will actually create a separate zone called _msdcs.<forest name> on the DNS server. This zone is configured to store its records in a forestwide application directory partition, ForestDNSZones, which is replicated to every DC in the forest that runs the DNS service. This replication makes the zone highly available anywhere in the forest.
zarok (Author) commented:
Thanks for your post Spec01 but I think you have also misread my original question.

Please note *I am not disputing what _msdcs is for*

If you are not Windows 2008 server experienced personnel, please do not post.

I am asking why there is a subdomain delegated _msdcs??
zarok (Author) commented:
Yay, thanks TheGeezer2010, I'll read :)
zarok (Author) commented:
Hmm, that's true TheGeezer2010, but it still doesn't answer the question. Are we safe to say the subdomain _msdcs is no longer needed in a Windows 7 environment?
TheGeezer2010 commented:
If I was not an experienced Windows 2008 expert I would not even try to answer your question. The bolded part of the article answers your question exactly.
If you are going to have this attitude when people give up their time for free to help YOU with your issues, I will not be doing so in future.
zarok (Author) commented:
Geezer go back and read properly. I said Spec01. Not you.
TheGeezer2010 commented:
Ah sorry about that - last day of the premier league transfer window stress !!
zarok (Author) commented:
Soz you got offended by anything? - I'm just trying to sort out this problem. So let's do this aye?
This is what this site is about.. sorting out problems.

So we have one of the issues above.. _msdcs?

To delete or not? on a Windows 2008/win7 environment.
zarok (Author) commented:
all good Geezer  :D
TheGeezer2010 commented:
DO NOT DELETE IT !!!
zarok (Author) commented:
I'm not going to delete it, but why?

No articles on the net say why; MS doesn't have any reason for the delegation except backwards compatibility...

What's the point? DNS is simple.. _msdcs goes to _msdcs.domain.com not
sub . com

What the hell is the point of this ?
TheGeezer2010 commented:
They are related directly to the replication partitions. When you have AD integrated DNS it uses the replication for DNS as well as AD objects. There are different partitions and depending on where your objects (in this case DNS Zones) are located, they will be replicated either Forest-wide (Configuration partition) or Domain-wide (Domain Partition). In the case of AD-integrated DNS, you set this up when you run DCPROMO (although it can also be done at a later stage), and it appears as the options shown in this article. The option chosen will decree where the _msdcs zone is stored :-

http://technet.microsoft.com/en-us/library/cc772101.aspx

Hope this now explains the process a bit more clearly, and why you should not delete any of the zones.
zarok (Author) commented:
thanks TheGeezer2010, I already knew all this information. It really doesn't solve the single question of: shall I delete _msdcs or not?

Which has been the question from the start! I love the amount of documentation, but seriously I have already read all that, and if you read it too, you would come to the same conclusion.
zarok (Author) commented:
Have you actually put what you say into practice? It doesn't work.
TheGeezer2010 commented:
Well if you delete the subfolder under the domain, your clients will not be able to find any AD published services on the domain. I think that answers the question ?
zarok (Author) commented:
Re-reading your statement "replicated either Forest-wide (Configuration partition) or Domain-wide (Domain Partition)." I can now see why there is the subdomain. Sorry I missed this vital info.

Under the subdomain there is only 1 glue record which points to my PDC. Should all 3 DCs be in there or is this correct?
zarok (Author) commented:
*I'll put the other 2 questions in separate questions each. Thanks TheGeezer2010, this way I can assign you the points for the DNS issue.

If you can advise me on my final post above that would be grand, as I'm not 100% sure on which glue records should be under the subdomain.

Ta!
zarok (Author) commented:
After now doing another Windows 2008 migration, and bumping into similar problems again: this issue with 2008 replication is a new obstacle for Windows 2003 admins.

In this instance, I migrated a 2003 32bit DC to 2008 64bit.

Symptoms:

After DCPROMO, you will find everything works fine for a few hours to 24 hours, then it all goes south.

The new DC hangs on 'Applying Computer Settings' and locks up.

Resolution:

Use the other DC or a member server to RPC in and set the DNS Service to Manual. Hard restart the new DC. This lets AD get out of the 'Deadlock bug' and start up.

Cause:

Unlike previous Windows 2003 best practices for DNS on the network adapters, Windows 2008 is very strict on redundancy, and they have configured AD for such. Local DNS will wait for AD to start, AD will wait for DNS to start, and this will go on. Unless you have the local network adapter set with another local AD DNS address, you might find yourself waiting for an hour or so for Windows 2008 to start.

Best Practice:

Set your 1st DNS choice to another DC DNS address.
Set your 2nd DNS choice to your local.

After experimenting further with the delegated _msdcs:

* Set glue records for all your DCs as nameservers under the delegated _msdcs folder.

From experience there have been no replication issues since.
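An added audit script for the two recommendations in the post above (DNS client order on each DC, and all DCs present as name servers with glue under the delegated _msdcs); it is not code from the thread or from any poster. It assumes a domain-joined admin workstation with the ActiveDirectory and DnsServer RSAT modules, CIM/WinRM access to the DCs, and DNS servers recent enough for Get-DnsServerResourceRecord (on a 2008 DNS server the same delegation records can be listed with `dnscmd <dc> /EnumRecords <domain> _msdcs /Type NS`).

```powershell
# Audit script (added example, not from the thread). Assumes RSAT ActiveDirectory +
# DnsServer modules and CIM access to every DC; DNS server cmdlets need 2012+ targets.
Import-Module ActiveDirectory, DnsServer

$domain = (Get-ADDomain).DNSRoot
$dcs    = @(Get-ADDomainController -Filter * | Select-Object Name, HostName, IPv4Address)

# Check 1: on each DC the FIRST DNS client entry must be another DC; the DC's own
# address (or loopback) belongs only as a later entry, never as the sole entry.
foreach ($dc in $dcs) {
    $self    = @($dc.IPv4Address, '127.0.0.1')
    $servers = @(Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
                 Where-Object { $_.ServerAddresses.Count -gt 0 } |
                 ForEach-Object { $_.ServerAddresses } | Select-Object -Unique)
    if ($servers.Count -eq 0) {
        Write-Warning "$($dc.Name): no IPv4 DNS servers configured"
    } elseif ($servers[0] -in $self) {
        Write-Warning "$($dc.Name): first DNS entry is itself ($($servers[0])); AD/DNS startup deadlock risk"
    } elseif (-not ($servers | Where-Object { $_ -in $self })) {
        Write-Warning "$($dc.Name): own DNS not listed as a later entry ($($servers -join ', '))"
    } else {
        Write-Output "$($dc.Name): DNS client order OK ($($servers -join ', '))"
    }
}

# Check 2: the _msdcs delegation node in the PARENT zone should carry an NS record for
# every DC, and each NS host needs a glue A record in that same zone.
$parentDns = $dcs[0].HostName
$nsRecords = Get-DnsServerResourceRecord -ComputerName $parentDns -ZoneName $domain `
                 -Name '_msdcs' -RRType NS -ErrorAction SilentlyContinue
$nsNames   = @($nsRecords | ForEach-Object { $_.RecordData.NameServer.TrimEnd('.') })
if ($nsNames.Count -eq 0) { Write-Warning "no _msdcs delegation found in zone $domain"; return }

foreach ($dc in $dcs) {
    if ($nsNames -notcontains $dc.HostName) {
        Write-Warning "$($dc.Name): missing from the _msdcs delegation NS records"
        continue
    }
    if ($dc.HostName -notlike "*.$domain") { continue }   # glue only applies to in-zone names
    # Relative name of the host inside the parent zone, e.g. "dc01" for dc01.example.test
    $rel  = $dc.HostName.Substring(0, $dc.HostName.Length - $domain.Length - 1)
    $glue = Get-DnsServerResourceRecord -ComputerName $parentDns -ZoneName $domain `
                -Name $rel -RRType A -ErrorAction SilentlyContinue
    if ($glue) { Write-Output  "$($dc.Name): delegation NS and glue A record OK" }
    else       { Write-Warning "$($dc.Name): NS present but no glue A record for $($dc.HostName)" }
}
```

Run it before and after a DCPROMO; a warning from check 1 is the self-pointing adapter the post blames for the startup deadlock, and a warning from check 2 is a DC the delegated _msdcs folder does not yet name.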
zarok (Author) commented:
The reason is because, basically, I was after why the _msdcs delegation exists and does it need to exist in a Windows 2008 forest only solution?

I think I was confused at the start, but Ghezzer helped out and pointed to a reference. However this reference explained what it is used for, which I already knew. The question was, does this delegation need to exist in a Windows 2008 / Windows 7 environment, with forest wide replication. After this, he gave up.

I spose the answer is answered by experimentation. No, the delegation is not needed for forest wide replication. Do you want errors in your event log however? No.

This then led me to the other issues: it appeared, the whole time, I had an adapter DNS pointing ONLY to itself. This is a big no-no in Windows 2008.

and not sure how to apply the points here!
zarok (Author) commented:
_alias99

That is not very nice of you to post that on my profile! I have since learned after this post, learning how to post and work through things. You have just slammed a new user.

I think I will now cancel my paying membership.