Hi Wook,
Thanks for the additional details!  I've been chasing my tail on this issue for about a week now. Is it too simplistic to think these problems could be avoided if service dependencies were used?
 
Mike Thommes
-----Original Message-----
From: Lee, Wook [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 14, 2004 2:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Potential DNS issues after applying MS04-011

Just to clarify a bit, there is a race condition when the DC boots where netlogon starts before some other services, e.g. the KDC, are available. Netlogon thinks the DC no longer hosts those services and deregisters the corresponding SRV records. If the deregistration fails for some reason, then the SRV records stay around until scavenging deletes them but if DDNS is working correctly, the deregistration occurs right away.
 
This doesn't always happen since it all depends on the timing of netlogon startup versus the other services on DCs in your environment. If netlogon is restarted after the DC is fully up and running, the restart will trigger netlogon to correctly register all of its SRV records including any that might have been deregistered at boot time. Any monitoring tools that check for the presence of SRV records should catch this problem.
 
I've been told that if this problem is endemic to your Windows 2000 forest, you will find that over time, some DCs start to become overloaded while others sit idle. This is because as the SRV records are removed, only those DCs that still have valid SRV records registered will be targeted for use.
 
My understanding is that this problem only affects Windows 2000 DCs though at any service pack level with MS04-011 installed. Windows 2003 DCs do not experience this problem with or without MS04-011.
 
Wook


From: Grillenmeier, Guido
Sent: Thu 5/13/2004 11:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Potential DNS issues after applying MS04-011

Want all of you to be aware of the following - this Q-Article lists known issues with MS04-011: http://support.microsoft.com/default.aspx?scid=kb;en-us;835732
 
But, I hope MS will update that Q-article very soon, as there is another very uncool issue with MS04-011, which causes issues with Windows 2000 DCs and DNS. Some DCs may no longer register their DNS entries correctly on restart.  Sometimes the issue won't be apparent immediately, but it will become an issue once scavenging deletes the old records in DNS.

I have just verified this to be an issue at one of my customers - I know that the following DNS entries can be affected, which basically means that users can't authenticate to the box, it won't be registered as a GC etc.:

_GC
_KERBEROS
_KPASSWD

You can verify that these entries are not being registered for specific DCs by checking their netlogon.dns file in the c:\%systemdir%\system32\config folder and obviously by checking for the existence of the service records in DNS.
 
There is a hotfix to correct this specific problem - customers can request it via KB 841395, it went live on Tuesday.  The problem has to do with a timing issue in the startup of netlogon (starts up before some of the other services are ready and thus doesn't think this machine provides certain services). As a temporary workaround after the DC/GC comes up one needs to stop and start netlogon.
 
/Guido
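A monitoring check of the kind Wook and Guido describe above (compare what netlogon.dns says a DC should register against what DNS actually answers), written as an added PowerShell example that is not part of this thread. It assumes it runs on the DC itself, that the DnsClient module's Resolve-DnsName is available (Windows Server 2012+, so not the 2004-era systems discussed), and the default netlogon.dns location; the service label list is taken from Guido's message.

```powershell
# Added example (not from the thread): report DC SRV records that netlogon
# intends to register (per netlogon.dns) but that are absent from DNS, which
# is the symptom of the boot-time deregistration race described above.
# Assumptions: run on the DC, PowerShell 3+ with Resolve-DnsName, default path.
param(
    [string]$NetlogonDns = "$env:SystemRoot\System32\config\netlogon.dns",
    # Service labels the thread names as affected; extend as needed.
    [string[]]$Services  = @('_kerberos', '_kpasswd', '_gc')
)

# Each netlogon.dns SRV line: <name> <ttl> IN SRV <prio> <weight> <port> <target>
$srvPattern = '^(?<name>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(?<port>\d+)\s+(?<target>\S+)$'

$expected = Get-Content -Path $NetlogonDns | ForEach-Object {
    if ($_ -match $srvPattern) {
        [pscustomobject]@{
            Name   = $Matches.name.TrimEnd('.')
            Port   = [int]$Matches.port
            Target = $Matches.target.TrimEnd('.')
        }
    }
} | Where-Object { ($_.Name -split '\.')[0] -in $Services }

foreach ($rec in $expected) {
    # -DnsOnly skips LLMNR/NetBIOS so only the DNS zone content is consulted.
    # No matching answer means the record was deregistered (or never registered);
    # restarting netlogon on the DC re-registers it, as the thread explains.
    $answers = Resolve-DnsName -Name $rec.Name -Type SRV -DnsOnly -ErrorAction SilentlyContinue
    $present = $answers | Where-Object {
        $_.Type -eq 'SRV' -and
        $_.NameTarget.TrimEnd('.') -ieq $rec.Target -and
        $_.Port -eq $rec.Port
    }
    [pscustomobject]@{
        Record = $rec.Name
        Target = $rec.Target
        Status = if ($present) { 'registered' } else { 'MISSING' }
    }
}
```

Run it against each DC after a reboot; any row showing MISSING is exactly the condition Wook's "monitoring tools that check for the presence of SRV records" are meant to catch.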