It Calls


Friday, 6 December 2013

Two DNS Records with the Same IP Address: Aging and Scavenging Problems with DHCP Lease Duration

Posted on 01:22 by Unknown
Aging and scavenging are crucial for an Active Directory-integrated zone and should be planned and configured carefully. We recently faced a problem when a system admin reported to me two DNS records with the same IP address in the Active Directory-integrated DNS zone.

The first thing that came to my mind was to check the scavenging settings; however, both intervals (Refresh and No-Refresh) seemed fine compared to the DHCP lease duration. Always remember that the main rule for this setting is that No-Refresh Interval + Refresh Interval should be greater than the DHCP lease duration. You can tune it depending on your network, IP address availability and how busy your network is with computers joining and leaving, but always keep this main equation in mind.

The second thing to check was the DHCP scope properties, specifically the DNS tab. Upon checking this setting I noticed that "Dynamically update DNS A and PTR records only if requested by the DHCP clients" was selected, as shown below.





With this setting, the DNS record is updated or removed only if the client itself initiates a renew or release (for example with ipconfig /release). As Microsoft Support advised, in most circumstances the DHCP client never sends a release request (it is simply removed from the network), so neither the DHCP server nor the integrated DNS zone notices that the client is gone; both still consider it online.

After the DHCP lease duration ends, the DHCP server reclaims the IP address and may hand it to another client, which registers itself with the same IP. Now recall the equation above: because the aging window (No-Refresh + Refresh) is greater than the DHCP lease, the old record has not been scavenged yet, and the result is two records with the same IP address in the DNS zone.

The solution is to ensure the DNS record is deleted as soon as the lease expires: change the setting shown above (Scope Properties - DNS) to "Always dynamically update DNS A and PTR records". With this setting the DHCP server registers both records on behalf of the client and owns them, so it can remove them when the lease is deleted or expires; keep "Discard A and PTR records when lease is deleted" enabled (it is on by default). If the DHCP server runs on a domain controller, configure dedicated credentials for DNS dynamic updates (server Properties - Advanced) so that the registrations are made with a low-privilege account rather than the DC's computer account.

After changing this setting, restart both the DHCP Server and DNS Server services.
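The checks described above (the aging equation against the lease, the scope's DNS update mode, and the duplicate A records themselves) as a PowerShell audit. This is an added example, not code from the original post; it assumes the DnsServer and DhcpServer modules (Windows Server 2012 or later, or RSAT), and the zone name, server names and scope in it are placeholders.

```powershell
#Requires -Modules DnsServer, DhcpServer
# Added example (not from the original post): audit scavenging vs. lease duration and the
# DHCP DNS update mode, then list A records that share an IPv4 address.
# Zone, DNS server and DHCP server names below are placeholders.
param(
    [string]$ZoneName   = 'corp.example.com',          # assumption: AD-integrated zone to audit
    [string]$DnsServer  = 'dc01.corp.example.com',
    [string]$DhcpServer = 'dhcp01.corp.example.com'
)

# 1. Aging/scavenging on the zone. The rule from the post:
#    NoRefreshInterval + RefreshInterval > DHCP lease duration.
$aging       = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
$agingWindow = $aging.NoRefreshInterval + $aging.RefreshInterval

foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $dns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $scope.ScopeId
    [pscustomobject]@{
        ScopeId               = $scope.ScopeId
        LeaseDuration         = $scope.LeaseDuration
        AgingWindow           = $agingWindow
        LeaseShorterThanAging = ($agingWindow -gt $scope.LeaseDuration)  # $false: live records can be scavenged
        DynamicUpdates        = $dns.DynamicUpdates            # want 'Always', not 'OnClientRequest'
        DeleteOnLeaseExpiry   = $dns.DeleteDnsRRonLeaseExpiry  # should stay $true
    }
}

# 2. The fix from the post for a scope still on "only if requested by the DHCP clients".
function Set-ScopeToAlwaysUpdate {
    param([string]$ScopeId)
    Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
        -DynamicUpdates Always -DeleteDnsRRonLeaseExpiry $true
}

# 3. The symptom: A records whose IPv4 address appears more than once.
#    The aging timestamp tells you which record is the stale one.
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -ComputerName $DnsServer |
    Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
    Where-Object Count -gt 1 |
    ForEach-Object {
        foreach ($rr in $_.Group) {
            [pscustomobject]@{
                IPAddress = $_.Name
                HostName  = $rr.HostName
                Timestamp = $rr.Timestamp   # empty = static record, never scavenged
            }
        }
    }
```

Run the audit first; only call Set-ScopeToAlwaysUpdate for the scopes the report flags, and re-run the duplicate-record query after the next scavenging cycle to confirm the stale entries are gone.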


Reference Link:

http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx




Monday, 21 October 2013

WMI Unhealthy on 2008R2 Domain Controllers - WBEM_E_QUOTA_VIOLATION

Posted on 09:03 by Unknown
Windows Management Instrumentation (WMI) is a core Windows management technology. It provides a consistent way to carry out day-to-day management operations from programming or scripting languages.

I recently started getting daily WMI failures on my 2008 R2 domain controllers, accompanied by several script failures and DNS performance degradation.

I also noticed that the Configuration Manager (SCCM) evaluation rules on this domain controller failed and SCCM was reporting errors. The policy request date in SCCM was a few hours old, and the client never reported back to SCCM until the DC/server was rebooted.


Troubleshooting Steps:

  1. I started by running the WMI Diagnosis Utility (WMIDiag) from http://www.microsoft.com/en-us/download/details.aspx?id=7684
  2. The WMIDiag log file reported WBEM_E_QUOTA_VIOLATION as follows:
     .5265 16:34:02 (0) ** 981 error(s) 0x8004106C - (WBEM_E_QUOTA_VIOLATION) WMI is taking up too much memory
     .5266 16:34:02 (0) ** => This error is typically due to the following major reasons:
     .5267 16:34:02 (0) **    - The requested WMI operation is extremely costly in terms of resources and
     .5268 16:34:02 (0) **      the WMI provider handling this operation has exceeded the authorized limits.
  3. I then checked whether basic WMI functions worked by running the following test:
     1. From an elevated command prompt run wbemtest and connect to the namespace root\cimv2.
     2. Click Query... and enter the query "Select * from Win32_ComputerSystem".
     3. This test failed with the following error:
        0x80041017 Facility: WMI  Description: Invalid Query
  4. I tried fixing and rebuilding the WMI repository as follows:
     • Disable and stop the WMI service: sc config winmgmt start= disabled, then net stop winmgmt
     • At a command prompt (cmd), change to the WBEM folder: cd %windir%\system32\wbem
     • Rename the repository folder: rename repository repository.old
     • Re-enable the WMI service: sc config winmgmt start= auto
     • Recompile all of the default WMI .mof and .mfl files:
       cd %windir%\system32\wbem
       for /f %s in ('dir /b *.mof *.mfl') do mofcomp %s

Note: renaming the repository is a last resort. Try winmgmt /verifyrepository first and, if it reports an inconsistency, winmgmt /salvagerepository; a rebuilt repository can lose the classes registered by installed products (SCCM client, monitoring agents) until their MOF files are recompiled.

The only way around the issue was to reboot the server manually. After the reboot it works for a few hours without problems, then the failures start again. Another thing to notice is that the WmiPrvSE.exe process consumes a huge amount of memory while the problem occurs.

Resolution Steps:

  1. Increased the MemoryPerHost value to 1 GB (1073741824); the default is 536870912 (512 MB), as described in the following article:
Memory and Handle Quotas in the WMI Provider Service
http://blogs.technet.com/b/askperf/archive/2008/09/16/memory-and-handle-quotas-in-the-wmi-provider-service.aspx


  2. Install the following WMI hotfixes (all x64, all languages):

  • KB2705357: http://hotfixv4.microsoft.com/Windows%207/Windows%20Server2008%20R2%20SP1/sp2/Fix399300/7600/free/447586_intl_x64_zip.exe
  • KB2692929: http://hotfixv4.microsoft.com/Windows%207/Windows%20Server2008%20R2%20SP1/sp2/Fix395847/7600/free/446374_intl_x64_zip.exe
  • KB2617858: http://hotfixv4.microsoft.com/Windows%207/Windows%20Server2008%20R2%20SP1/sp2/Fix384504/7600/free/437954_intl_x64_zip.exe
  • KB2465990: http://hotfixv4.microsoft.com/Windows%207/Windows%20Server2008%20R2%20SP1/sp2/Fix354372/7600/free/425609_intl_x64_zip.exe
  • KB2492536: http://hotfixv4.microsoft.com/Windows%207/Windows%20Server2008%20R2%20SP1/sp2/Fix360823/7600/free/429002_intl_x64_zip.exe

For a list of suggested WMI hotfixes for the different Windows platforms, see this blog post, which at the time was maintained and updated regularly:

http://blogs.technet.com/b/askperf/archive/2011/08/05/suggested-hotfixes-for-wmi-related-issue-on-windows-platforms.aspx
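The WMI smoke test from the troubleshooting steps, the quota comparison and the MemoryPerHost change from resolution step 1, as one PowerShell script. This is an added example, not code from the original post. It reads and writes the __ProviderHostQuotaConfiguration class in the root namespace (the mechanism the askperf article above describes); the default values it compares against are the ones that article lists, and 1 GB is the value the post chose. Run it elevated on the affected server.

```powershell
# Added example (not from the original post): WMI health check, provider-host quota report,
# wmiprvse memory use, and the MemoryPerHost increase from resolution step 1.

function Test-WmiBasic {
    # The same query the post ran in wbemtest, as a smoke test.
    try {
        $cs = Get-WmiObject -Namespace root\cimv2 -Query 'SELECT * FROM Win32_ComputerSystem' -ErrorAction Stop
        [pscustomobject]@{ Healthy = $true;  Detail = $cs.Name }
    } catch {
        # e.g. 0x8004106C (WBEM_E_QUOTA_VIOLATION) when a provider host is over quota
        [pscustomobject]@{ Healthy = $false; Detail = $_.Exception.Message }
    }
}

function Get-WmiQuotaReport {
    # __ProviderHostQuotaConfiguration in the root namespace holds the wmiprvse.exe quotas.
    $q = Get-WmiObject -Namespace root -Class __ProviderHostQuotaConfiguration
    $defaults = @{                       # defaults as listed in the askperf article
        MemoryPerHost        = 536870912   # 512 MB
        MemoryAllHosts       = 1073741824  # 1 GB
        HandlesPerHost       = 4096
        ThreadsPerHost       = 256
        ProcessLimitAllHosts = 32
    }
    foreach ($name in $defaults.Keys) {
        [pscustomobject]@{ Quota = $name; Current = $q.$name; Default = $defaults[$name] }
    }
}

function Get-WmiHostMemory {
    # Each wmiprvse.exe is a provider host; a runaway one is the usual culprit.
    Get-Process -Name wmiprvse -ErrorAction SilentlyContinue |
        Select-Object Id, StartTime,
            @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) } }
}

function Set-WmiMemoryPerHost {
    param([uint64]$Bytes = 1073741824)   # 1 GB, the value the post used
    $q = Get-WmiObject -Namespace root -Class __ProviderHostQuotaConfiguration
    $q.MemoryPerHost = $Bytes
    $q.Put() | Out-Null                  # persists the new quota in the repository
    # -Force also restarts the services that depend on winmgmt (plan this on a DC)
    Restart-Service -Name winmgmt -Force
}

Test-WmiBasic
Get-WmiQuotaReport | Format-Table -AutoSize
Get-WmiHostMemory  | Format-Table -AutoSize
# Set-WmiMemoryPerHost    # uncomment to apply resolution step 1
```

Capture the quota report and the wmiprvse memory figures before raising the limit; if one provider host keeps climbing towards the new quota as well, the higher limit only delays the failure and the provider itself (and the hotfixes in step 2) is where to look.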








Saturday, 7 September 2013

Error 0x803100B7 Group Policy settings require the creation of a startup PIN, but a pre-boot keyboard is not available on this device

Posted on 04:33 by Unknown
A few weeks ago I purchased the Microsoft Surface Pro tablet. It is a very nice production tablet that really enables remote users to run their production applications and workloads. There is still some room for improvement before it becomes the number one choice of tablet for business users; from my point of view the three main things that need improvement are the battery life, a 3G/4G connectivity option and a better camera.

Surface Pro comes with Windows 8 Pro, which is very nice and allows you to join your corporate network; however, it lacks a great feature: DirectAccess! So I decided to turn it into a fully productive device and install Windows 8 Enterprise on it. It is as simple as building a fresh new computer.

I formatted the Surface drive but kept the recovery image (for any future need). After finishing the Windows Enterprise installation I installed the latest Surface Pro Firmware and Driver Pack: http://www.microsoft.com/en-eg/download/details.aspx?id=38826

Finally I got DirectAccess working on my Surface. That was really an exciting moment. The next challenge was complying with my domain's MBAM/BitLocker policy, which requires the use of a PIN while booting the computer. When the MBAM encryption wizard started I got the error 0x803100B7 "Group Policy settings require the creation of a startup PIN, but a pre-boot keyboard is not available on this device", and the event viewer provided the details shown in the attached image.


To fix this issue we need to enable a few settings in the Surface's local policy.

Note: in order to use pre-boot authentication you need a keyboard attached to the Surface during boot. You may use the Surface Touch/Type Cover or any external keyboard connected to the USB port; without one, the only way past the PIN prompt is the BitLocker recovery key.

  1. Type GPEDIT.MSC in the Run box to open the Local Group Policy Editor.
  2. Drill down to Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives.
  3. Enable both "Require additional authentication at startup" and "Enable use of BitLocker authentication requiring preboot keyboard input on slates" (see the image below).

After that, restart the BitLocker Management Client Service so the MBAM wizard starts again; it should now complete without any problem.
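The same three steps applied from an elevated PowerShell prompt on the Surface, followed by the service restart and a check that the TPM+PIN protector was actually created. This is an added example, not code from the original post. It writes the registry values that the two BitLocker policy settings above map to under HKLM\SOFTWARE\Policies\Microsoft\FVE; the exact TPM/PIN combination chosen (TPM + PIN required, TPM alone not allowed) is an assumption about the author's MBAM policy, and the MBAM agent service name (MBAMAgent) is the one the MBAM client installs.

```powershell
# Added example (not from the original post): set the two local policy values from
# gpedit.msc, restart the MBAM client and verify the key protectors.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null

# "Require additional authentication at startup" (Enabled).
# For each option: 0 = do not allow, 1 = require, 2 = allow.
# Assumption: the MBAM policy wants TPM + PIN and nothing weaker.
$startup = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 0   # keep the TPM mandatory on hardware that has one
    UseTPM             = 0   # TPM alone is not acceptable ...
    UseTPMPIN          = 1   # ... TPM + PIN is required
    UseTPMKey          = 0
    UseTPMKeyPIN       = 0
}
# "Enable use of BitLocker authentication requiring preboot keyboard input on slates" (Enabled).
# Without it BitLocker refuses the PIN protector on tablet hardware with 0x803100B7.
$slate = @{ OSEnablePreBootInputProtectorsOnSlates = 1 }

foreach ($kv in ($startup + $slate).GetEnumerator()) {
    Set-ItemProperty -Path $fve -Name $kv.Key -Value $kv.Value -Type DWord
}

# Restart the MBAM client (display name "BitLocker Management Client Service")
# so it re-evaluates policy and relaunches the encryption wizard.
Restart-Service -Name MBAMAgent

# Verify: the OS volume should now list a "TPM And PIN" key protector
# alongside the numerical password (recovery key) that MBAM escrows.
manage-bde -protectors -get C:
manage-bde -status C:
```

A domain GPO that configures the same BitLocker settings would override these local values at the next refresh; the approach above works here because the MBAM policy is delivered through MBAM's own ADMX settings and leaves the native BitLocker policy unconfigured.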










Sunday, 30 September 2012

DHCP Superscope Keeps reverting back after Deletion

Posted on 14:53 by Unknown
I ran into this after deleting a DHCP superscope: the superscope came back after the DHCP server was rebooted or the DHCP Server service was restarted. To properly remove a DHCP superscope, use either of the following methods:

  1. Right-click the superscope and click Delete. This is safe and has no impact on the child scopes under the superscope; in fact you receive a message confirming that the deletion does not affect or delete any child scopes, as shown below.
DHCP Superscope deletion

  2. Alternatively, deactivate the child scopes (under the DHCP superscope), move them out of it, and then reactivate them. Once all child scopes have been moved, the superscope is removed automatically.

DHCP technical documentation:
  • How DHCP Technology Works: http://technet.microsoft.com/en-us/library/cc780760(WS.10).aspx
  • DHCP Superscopes: http://technet.microsoft.com/en-us/library/cc757614%28v=WS.10%29.aspx
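Method 1 scripted with the DhcpServer module, with two checks the console does not give you: that the child scopes survived the deletion, and that the superscope stays gone across a DHCP Server service restart (the symptom this post is about). This is an added example, not code from the original post; it assumes the DhcpServer PowerShell module (Windows Server 2012 or later, or RSAT), and the superscope and server names are placeholders.

```powershell
#Requires -Modules DhcpServer
# Added example (not from the original post): delete a superscope, prove the child scopes
# are intact, then restart the service and confirm the superscope did not come back.
param(
    [string]$SuperscopeName = 'Building-A',                # placeholder
    [string]$DhcpServer     = 'dhcp01.corp.example.com'    # placeholder
)

# Record the child scopes before the deletion so we can prove nothing else was removed.
$super  = Get-DhcpServerv4Superscope -ComputerName $DhcpServer -SuperscopeName $SuperscopeName
$before = @($super.ScopeId | ForEach-Object { $_.IPAddressToString })
Write-Host "Child scopes of '$SuperscopeName': $($before -join ', ')"

# Method 1 from the post: delete the superscope container only (no -Force, so scopes stay).
Remove-DhcpServerv4Superscope -ComputerName $DhcpServer -SuperscopeName $SuperscopeName -Confirm:$false

$after = @(Get-DhcpServerv4Scope -ComputerName $DhcpServer |
           Where-Object { $_.ScopeId.IPAddressToString -in $before })
if ($after.Count -ne $before.Count) {
    throw "Child scopes went missing: expected $($before.Count), found $($after.Count)"
}

# The post's symptom: the superscope reappearing after a service restart.
Get-Service -ComputerName $DhcpServer -Name DHCPServer | Restart-Service
Start-Sleep -Seconds 5    # give the service time to accept management calls again

$stillThere = Get-DhcpServerv4Superscope -ComputerName $DhcpServer `
                  -SuperscopeName $SuperscopeName -ErrorAction SilentlyContinue
if ($stillThere) {
    Write-Warning "Superscope '$SuperscopeName' reappeared after the restart; fall back to method 2 (deactivate, move, reactivate the child scopes)."
} else {
    Write-Host "Superscope '$SuperscopeName' stayed deleted across a DHCP Server restart."
}
```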



Thursday, 10 November 2011

The Active Directory integrated DNS zone _msdcs.domain.com was not found

Posted on 07:38 by Unknown
Error reported in the Event Viewer or by the DNS Best Practices Analyzer:

"The Active Directory integrated DNS zone _msdcs.domain.com was not found"

This error can appear in environments and domains that were originally built on Windows 2000 or Windows Server 2003. Before Windows Server 2003 SP1 there was no separate _msdcs.domain.com zone in the DNS console: when the domain was created on Windows 2000 or Windows Server 2003, _msdcs existed only as a subdomain (folder) under the domain.com zone, which also resolved _msdcs.domain.com. From Windows Server 2003 SP1 on, creating a domain such as domain1.com also creates a separate _msdcs.domain1.com zone, delegated from the original _msdcs folder and stored in the forest-wide DNS application partition. This benefits DNS replication: the zone replicates to every DNS server in the forest rather than only within the domain.

What is the _msdcs zone?
According to Microsoft's documentation/definition:

"Microsoft-specific subdomain enables location of domain controllers that have specific roles in the Active Directory domain or forest. Resource records for the DNS root domain of a new Active Directory forest are stored in a _msdcs zone instead of a subdomain, and that zone is stored in the forest-wide application directory partition."
This zone hosts the SRV records registered by Microsoft services (Netlogon on each domain controller), the GUID-based CNAME records for the domain controllers and domains in the forest, and the gc._msdcs records listing the global catalog servers in your forest. Every domain member relies on these records to find a DC, so the zone should accept secure dynamic updates only.


DNS support for AD guide
http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx

The steps needed to resolve this issue are as follows:

  1. Manually create the _msdcs.domain.com zone.

     Open the DNS console, right-click "Forward Lookup Zones", click "New Zone" and create a new zone named _msdcs.domain.com. Select "Primary zone", check "Store the zone in Active Directory" on the Zone Type page, choose replication to all DNS servers in the forest, and allow secure dynamic updates only.
Manual creation of DNS Zone

  2. Check whether _msdcs.domain.com has been created and its records are correct. If not, continue with the next steps.

  3. Create a delegation for _msdcs under domain.com that points to the new _msdcs.domain.com zone: right-click "domain.com", click "New Delegation", and type _msdcs in the Delegated domain text box.

DNS new delegation wizard

  4. Click Add and enter the DNS server's FQDN and IP address.
  5. Stop and restart the Netlogon and DNS Server services so the domain controller re-registers its records in the new zone.
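The five console steps above as DnsServer module commands, with the verification (step 2) done last, after Netlogon has had a chance to register its records. This is an added example, not code from the original post. It assumes Windows Server 2012 or later (or RSAT) on a domain controller that hosts DNS in the forest root domain; the domain name, DC name and IP address are placeholders.

```powershell
#Requires -Modules DnsServer
# Added example (not from the original post): recreate _msdcs.<domain> as a forest-wide,
# secure-update-only AD-integrated zone, delegate it from the parent zone, restart
# Netlogon/DNS and check that the SRV records clients depend on are present.
param(
    [string]$Domain = 'corp.example.com',        # placeholder: forest root domain
    [string]$DcFqdn = 'dc01.corp.example.com',   # placeholder: this DC
    [string]$DcIp   = '10.0.0.10'                # placeholder
)
$msdcs = "_msdcs.$Domain"

# Step 1: the zone. Forest-wide replication matches the Microsoft definition quoted above;
# Secure dynamic updates means only authenticated machine accounts can (re)register the
# SRV records every domain member trusts to locate DCs.
if (-not (Get-DnsServerZone -Name $msdcs -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $msdcs -ReplicationScope Forest -DynamicUpdate Secure
}

# Steps 3 and 4: delegate _msdcs from the parent zone to this DC.
$delegation = Get-DnsServerZoneDelegation -Name $Domain -ChildZoneName '_msdcs' -ErrorAction SilentlyContinue
if (-not $delegation) {
    Add-DnsServerZoneDelegation -Name $Domain -ChildZoneName '_msdcs' -NameServer $DcFqdn -IPAddress $DcIp
}

# Step 5: Netlogon re-registers the DC's SRV and CNAME records; the DNS Server service reloads zones.
Restart-Service -Name Netlogon, DNS -Force
Start-Sleep -Seconds 10

# Step 2, done last: the zone is only useful once Netlogon has written its records.
$expected = @(
    "_ldap._tcp.dc.$msdcs",       # every DC of the domain
    "_kerberos._tcp.dc.$msdcs",   # KDCs
    "_ldap._tcp.gc.$msdcs"        # global catalogs (forest root _msdcs only)
)
foreach ($name in $expected) {
    $rr = Resolve-DnsName -Name $name -Type SRV -Server $DcIp -ErrorAction SilentlyContinue
    [pscustomobject]@{ Record = $name; Found = [bool]$rr; Targets = ($rr.NameTarget -join ', ') }
}
# If a record is still missing, nltest /dsregdns forces Netlogon to re-register immediately.
```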


Friday, 4 November 2011

Troubleshooting Event ID 1058, Group Policy gpt.ini

Posted on 05:47 by Unknown
Event ID 1058

Event ID: 1058
Source: Group Policy

"The processing of Group Policy failed. Windows attempted to read the file \\domain\sysvol\domain\policies\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\gpt.ini from a domain controller and was not successful."

I have come across this error lately in several environments running Windows Server 2008 or 2008 R2 domain controllers. The key to resolving it is to determine which Group Policy Object is causing the problem; the GUID in the event is the GPO's ID, which is also the name of its folder under SYSVOL\domain\Policies.
When you install GPMC you get a sample folder full of very useful scripts that use the GPMC COM interfaces. The script we need is DumpGPOInfo.wsf. For some reason Windows Server 2008 does not include this folder, so you have to download it manually from the following link:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=14536
After downloading and installing the sample scripts, use the script to get the name of the GPO from the GUID in the error:
Cscript DumpGPOInfo.wsf {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
This gives you the friendly name of the GPO.
You may then delete, rename, etc. the GPO from the Group Policy Management Console. In my case I just enabled/disabled one setting and it worked fine; I was able to recreate the gpt.ini file.
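The GUID-to-name lookup and the check that the post leaves to the reader: does gpt.ini exist on every domain controller, and does its version match what Active Directory holds? A DC whose SYSVOL copy is missing or behind explains a 1058 that only some clients see. This is an added example, not code from the original post; it uses Get-GPO -Guid from the GroupPolicy module (available on 2008 R2 and later, doing what DumpGPOInfo.wsf does) and Get-ADDomainController from the ActiveDirectory module (RSAT). The sample GUID is the well-known Default Domain Policy ID and the domain defaults to the current user's domain; substitute the GUID from your event.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example (not from the original post): resolve the GPO GUID from Event ID 1058 and
# compare gpt.ini across all domain controllers with the AD-side version numbers.
param(
    [string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}',  # sample: Default Domain Policy
    [string]$Domain  = $env:USERDNSDOMAIN
)

$gpo = Get-GPO -Guid $GpoGuid -Domain $Domain -ErrorAction Stop
Write-Host ("GPO {0} is '{1}' (AD versions: user={2}, computer={3})" -f
    $GpoGuid, $gpo.DisplayName, $gpo.User.DSVersion, $gpo.Computer.DSVersion)

# gpt.ini stores one DWORD: user version in the upper 16 bits, computer version in the lower 16.
$expected = [long]$gpo.User.DSVersion * 65536 + $gpo.Computer.DSVersion

foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    $path   = "\\$($dc.HostName)\SYSVOL\$Domain\Policies\$GpoGuid\gpt.ini"
    $result = [ordered]@{ DC = $dc.HostName; GptIniExists = $false; Version = $null; MatchesAD = $false }

    if (Test-Path -LiteralPath $path) {
        $result.GptIniExists = $true
        $m = Get-Content -LiteralPath $path | Select-String -Pattern '^Version=(\d+)'
        if ($m) { $result.Version = [long]$m.Matches[0].Groups[1].Value }
        $result.MatchesAD = ($result.Version -eq $expected)
    }
    [pscustomobject]$result
}
# A DC with GptIniExists = False, or a Version that lags the others, is the one whose SYSVOL
# copy is broken or not replicating; clients that happen to use that DC log 1058 even though
# the GPO itself is fine. The author's trick of toggling a setting bumps the version and
# forces a rewrite of gpt.ini, which then replicates out.
```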