Thanks for the info Steve - I'm just catching up with some of the ActiveDir posts and this one caught my attention since I've previously run into a related issue with one of my customers.

After we had switched the DNS zones to store the DNS data in the DNS app partitions, we had some wacky issues when promoting new 2003 DCs via IFM - the newly promoted DCs happily recreated the DNS app partitions and caused havoc in the respective domains... Prior to SP1, dcpromo from IFM does not create the app partitions, which causes this issue to occur. SP1 finally does allow copying the app partitions using dcpromo with IFM.

Now I see SP1 has added some other changes that affect DNS - I was unaware of the one you describe below (I agree though that the change makes a lot of sense). But I would say this also changes the "best practices" on how you should configure DCs for using DNS resolvers. Prior to 2003 SP1, you'd point any DC to use itself as the primary DNS resolver and then use another well reachable DNS server/DC as the secondary resolver. This was mainly used for any DC other than root-domain DCs, although the "island problem" has been resolved in 2003 so even root DCs could use themselves as primary DNS resolvers.

If DCs now wait for initial replication to occur prior to loading the DNS zone, this would certainly have an impact on DC and DNS availability after a DC reboot - especially in remote or branch office sites which are often configured with fairly small replication windows. Thus I'd certainly revert the previous "best practice" statement for DNS configuration on DCs, so that DCs now use another well reachable DNS server/DC as the primary DNS resolver and only use themselves as secondary...

Do you concur with this statement?

Thanks,
Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Monday, 20 March 2006 18:21
To: [email protected]
Subject: RE: [ActiveDir] DNS Server will not Start

So there is a reason that this occurs, and I am one of the people responsible for the change in behavior. I did not write the code but did track down the cause and worked to rectify it after a customer took an outage because of it. As others have stated, using that registry key can be dangerous, and there is a reason that DNS now waits until initial sync before loading a zone and will continue to retry loading the zones after initial sync is performed.

So why do we now check for initial sync? Well, it turns out that there are situations where DNS will recreate containers and records when it does not find them locally. When this occurs these changes can replicate out and cause conflicts in the Directory, which can cause the entire DNS structure to appear to go away and cause havoc in the environment. It is also the reason that we often see replication storms with respect to the SOA record. So in SP1, and actually a hotfix before SP1, we now require an initial sync to ensure that we have the up to date zone information before loading it. The errors are benign and are there to inform you why the zone/zones have not loaded, but the DNS server will continue to wait and once the initial sync is complete will then load the zones. This is here to protect you, and while it does slow down loading the zones, it is an important trade-off for system stability.

The following link has a description of the fix that made this change: http://support.microsoft.com/kb/836534/en-us.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Umer Y
Sent: Sunday, March 19, 2006 9:32 PM
To: [email protected]
Subject: Re: [ActiveDir] DNS Server will not Start

Of course it is a workaround to the real issue. I suppose I should have added that to my first email.

Also, while digging through my emails a little further, here is the snippet that I was given:

This registry key value controls if it should do initial synchronization with other domain controllers when it starts up. If it is 0, it won't synchronize with other domain controllers during startup.

-----

Now, if there are replication or other issues with the Domain Controller[s], of course using the key will only take you as far as logging on to the machine, if at all, but not any further with resolving the real issues of the machine. So yes Joe, you are very correct that there are probably bigger issues with the environment and the domain controller itself to actually cause the problem, and definitely something to be looked at.

-Umer.

On 3/19/06, joe <[EMAIL PROTECTED]> wrote:
> I would have to agree with David's statement.
>
> Umer, if the DC is overly busy, it isn't a reason to start disabling
> things that protect it so that it starts up. You get all of the stuff
> off of it or build it up so that the crap doesn't slow it down so much.
>
> When a DC comes back up, it needs to figure out where it is at in
> relation to everything else in its world in case someone asks it
> something important that it is supposed to be relatively authoritative
> for. This registry key says don't do that check, just assume
> everything is fine. If you have one DC in your forest, this is safe;
> otherwise, it very well may not be.
>
> I don't think there is any public documentation for that key, at least
> I don't recall seeing any. I also don't think I ever saw it up on
> Premier. I would wonder how someone got ahold of it as it really
> probably shouldn't be given out by PSS that much. The only time I
> recall seeing it anywhere is in the source code file that documents
> all of the NTDS registry keys. There are other publicly undocumented
> keys that will work too but are also quite bad unless you really have a
> strong understanding of what it is they do and why.
>
> Overall it sounds like there are at least a baker's dozen of issues
> with the configuration of the DCs at that location and they need to be
> worked through, and whomever has made the decisions to load the kitchen
> sink needs to be sat down and had a discussion with concerning the
> relative importance of DCs to everything else in the forest.
>
> joe
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of David Adner
> Sent: Sunday, March 19, 2006 6:49 PM
> To: [email protected]
> Subject: RE: [ActiveDir] DNS Server will not Start
>
> Setting that Registry value is not the answer. You're disabling a
> safety mechanism in AD. Don't change random Registry values in AD
> unless you know what they're used for.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
> > Sent: Sunday, March 19, 2006 5:22 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] DNS Server will not Start
> >
> > Many thanks for this - I spent all weekend looking for a resolution
> > and the PSS answer was ignore it or cross reference DNS.
> >
> > I will give this a go.
> >
> > Mark
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Umer Y
> > Sent: 19 March 2006 23:08
> > To: [email protected]
> > Subject: Re: [ActiveDir] DNS Server will not Start
> >
> > Add the following key.
> >
> > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
> > Type = DWORD
> > Key = Repl Perform Initial Synchronizations
> > Value = 0
> >
> > This will take care of your issue. :)
> >
> >
> >
> > On 3/19/06, Mark Parris <[EMAIL PROTECTED]> wrote:
> > > I have since discovered it is a 4015 error which is one of those
> > > catch-22 errors.
> > >
> > > I (They) have AD integrated DNS zones - Active Directory needs to
> > > start to load the zones but the zones don't start until DNS starts
> > > which is after AD - Bah!!!! Eventually (with endured patience) DNS
> > > starts and the zones load and normal service is resumed.
> > >
> > > On "most" servers I have ever encountered this is a non-event as
> > > the servers are very fast and not overloaded and they never register
> > > a 4015 error - but each server that has this issue (they are not
> > > mine - I am just fixing and advising) runs
> > >
> > > 1, a domain controller
> > > 2, DNS server
> > > 3, DHCP Server
> > > 4, RIS server
> > > 5, Symantec AV (with no exclusions)
> > > 6, File and Print duties
> > > 7, and some app called SQL 2000 hosting several databases
> > >
> > > They only have 1GB of RAM and I have seen cold honey run faster.
> > >
> > > I know to resolve the issue I can cross point DNS - I am just waiting
> > > to see what the company wants to do.
> > >
> > > I want to leave the DNS configuration as is - just as another example
> > > of why they should add more RAM and buy more servers.
> > >
> > > Many thanks
> > >
> > > Mark
> > >
> > > ________________________________________
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
> > > Sent: 19 March 2006 21:58
> > > To: [email protected]
> > > Subject: [Norton AntiSpam] Re: [ActiveDir] DNS Server will not Start
> > >
> > > Also, what's in the DNS, System, and Security event logs (assuming
> > > auditing)?
> > >
> > > On 3/18/06, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:
> > > My first thought was a missing service dependency of DNS on AD, but my
> > > DCs don't have one either.
> > >
> > > Is there any commonality between the servers?
> > >
> > > -g
> > >
> > > ________________________________________
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
> > > Sent: Saturday, March 18, 2006 7:39 AM
> > > To: [email protected]
> > > Subject: [ActiveDir] DNS Server will not Start
> > >
> > > All,
> > > Another question from me. I have several Windows Server 2003 SP1 DCs
> > > that all run AD integrated DNS. When I reboot these servers the DNS
> > > Server does not load the DNS zones - it just starts and then has a red
> > > X in the server name when you check on it. I restart DNS and it
> > > functions correctly, loading all zones, and the DC can function. You
> > > cannot logon until DNS has been restarted via another server.
> > > Does anyone have any idea as to what could be causing this? The event
> > > logs do not reveal much at all.
> > > Mark
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> > --
> > "Ambition is a dream with a V8 engine." ~ Elvis Presley
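The thread turns on three things an administrator can check on a DC before touching anything: whether someone has already set the undocumented `Repl Perform Initial Synchronizations` value to 0 (the safety mechanism David and joe warn against disabling), whether the DNS Server log is showing the benign "waiting for initial sync" events Steve describes (Event ID 4015 as Mark reports it), and how the DC's own DNS resolvers are ordered, since Guido proposes listing a partner DC first and the DC itself second. The following read-only PowerShell check is an added example written for this page, not code posted by anyone in the thread. It assumes PowerShell 3.0 or later on the DC (Get-CimInstance and Get-WinEvent, so Windows Server 2008 R2 or newer rather than the 2003 SP1 boxes discussed), an elevated session, and that 4015 is the event ID your DNS Server log uses for the wait (pass a different -EventId if yours differs). The function names are mine.

```powershell
# Added example (not from the ActiveDir thread): read-only health check for the
# failure modes discussed above on a DC running AD-integrated DNS.
# Assumes PowerShell 3.0+ (Get-CimInstance, Get-WinEvent) and local admin rights.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'Repl Perform Initial Synchronizations'   # path and name as given in the thread

function Test-InitialSyncOverride {
    # Returns $true if the undocumented value has been set to 0, i.e. the
    # "wait for initial sync" check has been switched off on this DC.
    $props = Get-ItemProperty -Path $NtdsParams -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ValueName) {
        Write-Host "[OK]   '$ValueName' is not set (default: DC waits for initial sync)"
        return $false
    }
    if ($props.$ValueName -eq 0) {
        Write-Warning "'$ValueName' = 0: the initial sync check is DISABLED. Remove the value unless this is the only DC in the forest."
        return $true
    }
    Write-Host "[OK]   '$ValueName' = $($props.$ValueName)"
    return $false
}

function Get-DnsZoneLoadWaitEvents {
    param([int]$EventId = 4015)   # the ID Mark reports; adjust if your log uses another
    # Events logged since the last boot only; older ones tell you nothing about
    # the current start-up.
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = $EventId; StartTime = $lastBoot } `
                 -ErrorAction SilentlyContinue
}

function Test-DnsResolverOrder {
    # Returns the IP-enabled adapters whose FIRST resolver is this DC itself.
    # Guido's proposed post-SP1 ordering is: another reachable DC first, self second.
    $adapters  = Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
    $selfAddrs = @('127.0.0.1', '::1') + @($adapters | ForEach-Object { $_.IPAddress })
    $violations = @()
    foreach ($nic in $adapters) {
        $order = @($nic.DNSServerSearchOrder)
        if ($order.Count -eq 0) {
            Write-Warning "$($nic.Description): no DNS resolvers configured"
            continue
        }
        if ($selfAddrs -contains $order[0]) {
            Write-Warning "$($nic.Description): primary resolver $($order[0]) is this DC; consider a partner DC first, self second"
            $violations += $nic
        }
        elseif (-not ($order | Where-Object { $selfAddrs -contains $_ })) {
            Write-Host "[INFO] $($nic.Description): resolvers $($order -join ', ') (this DC is not listed as a secondary)"
        }
        else {
            Write-Host "[OK]   $($nic.Description): resolvers $($order -join ', ')"
        }
    }
    return $violations
}

# Run all three checks and summarise.
$null   = Test-InitialSyncOverride
$events = @(Get-DnsZoneLoadWaitEvents)
if ($events.Count -gt 0) {
    # Get-WinEvent returns newest first, so the last element is the earliest since boot.
    Write-Host "[INFO] $($events.Count) x Event $($events[0].Id) since last boot (first at $($events[-1].TimeCreated)); DNS is waiting for initial AD sync, which is expected"
}
else {
    Write-Host "[OK]   no zone-load wait events since last boot"
}
$null = Test-DnsResolverOrder
```

The script deliberately changes nothing: if Test-InitialSyncOverride reports the value at 0, the fix argued for in the thread is to remove the value and address whatever made the DC slow to sync, not to leave the override in place. Whether to reorder the resolvers as Guido suggests is his open question to the list, so the check only flags the current ordering for review.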
