Scavenging question

Pete · Apr 14, 2004

I have just recently enabled scavenging on my zone and all the DNS servers I
have in my AD intergrated enviorment. I have several A records for legacy
systems that dont exist anymore. I have hundreds of users who use Terminal
Server Clients to connect to a server that has changed its name. So until I
can get to the desktops of these users I need these entries to stay in DNS.

My question is how can I make sure that these entries will not be scavenged
since they will be unable to up date themselves? What would be your
recommendation on a long term solution?

Thank you,

Pedro

Herb Martin · Apr 14, 2004

Pete said:
I have just recently enabled scavenging on my zone and all the DNS servers I
have in my AD intergrated enviorment. I have several A records for legacy
systems that dont exist anymore. I have hundreds of users who use Terminal
Server Clients to connect to a server that has changed its name. So until I
can get to the desktops of these users I need these entries to stay in DNS.

My question is how can I make sure that these entries will not be scavenged
since they will be unable to up date themselves? What would be your
recommendation on a long term solution?

First, most people mess up when the try to mess with
scavenging.

MAKE SURE you leave LONG scavenging and refresh
intervals (weeks).

Second, only "dynamic" entries get scavenged, not your
manual entries.

Pete · Apr 14, 2004

Herb,

Thanks for your reply. I´ll tell you what happened on my first round of
scavenging.

1. Some manually entered A records were scavenged.
2. No CNAME records were scavenged.

Why do you discourage the use of scavenging? I am trying to rule out DNS as
a problem I am having with a few (3 or 4) XP clients I have that take ten
minutes to log in every Monday after they have been turned off for a few
days.

Pete · Apr 14, 2004

ERRATA

Herb,

You were absolutely correct about dynamic entries being the only ones
deleted. The original A records for the legacy machines were still there
after these many months. Since they were unable to refresh themselves they
were scavenged in the first round.

However that leads me to my next question. If you don´t have scavenging
enabled and a machine dies and has a A record in DNS, how much time needs to
pass before it disapeers from the database of records?

Thanks again,

Pedro

Pete · Apr 14, 2004

ERRATA to the ERRATA

Sorry. But come to think of it the A records for the legacy machines WERE
manually created and were scavenged. I thought they might have been the
original and dynamically created records but they could not be since the
legacy machines had entirely different IPs.

So sorry to muddle things up.

Ace Fekay [MVP] · Apr 15, 2004

In

Pete said:
ERRATA to the ERRATA

Sorry. But come to think of it the A records for the legacy machines
WERE manually created and were scavenged. I thought they might have
been the original and dynamically created records but they could not
be since the legacy machines had entirely different IPs.

So sorry to muddle things up.

Hmm... replying to oneself... try some decaf! :-)

Just kidding... about scavenging, here's some info from a previous post that
I hope will help to scanenge the old records.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run the following command to timestamp all records (including manually
added records): dnscmd /AgeAllRecords example.com @ /tree /f

This will age all records so after you run the above command,

--Uncheck "Delete this record when it becomes stale" for records you
want to keep.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================

Herb Martin · Apr 15, 2004

1. Some manually entered A records were scavenged.

Doesn't happen. If it did they would ALL be removed.
There is no expiration time on the manual records (or it's
set to forever.)

Why do you discourage the use of scavenging?

I didn't say that. I said that most people mess it up, especially
by trying to set it too short. And scavenging doesn't help most
networks much.

Days are not to short; think in WEEKS.

So rather than discouraging scavening, I just don't encourage it;
and I recommend SERIOUS caution.

I am trying to rule out DNS as
a problem I am having with a few (3 or 4) XP clients I have that take ten
minutes to log in every Monday after they have been turned off for a few
days.

You are right it is likely a DNS issue -- but it isn't helped by
scavenging, maybe hurt. Check these:

1) DNS is dynamic
2) All DNS servers are replicating ***
3) All clients must specify ONLY the internal (dynamic) DNS
servers on their NIC properties
4) DCs are clients TOO!!!! (see #3 above)

If you change 1, 2, or 3 -- restart the NetLogon service on each
DC.

*** If you use AD Integrated DNS on multiple DNS servers
and mess up the AD replication then you have a "catch 22": you
cannot replicate DNS because it is dependent on AD which
needs DNS etc.

Run DCDiag on EVERY DC, send output to a file and search for
FAIL, WARN, ERROR. Fix those or post here.

Pete · Apr 15, 2004

Herb,

Thank you for your help. I have confirmed that:

1) DNS is dynamic
2) All DNS servers are replicating
3) All clients specify ONLY the internal (dynamic) DNS servers on their NIC
properties.

I have since disabled scavenging because the XP clients that are shut off
for more than a day (which is the TTL for DNS correct?) are still taking a
very long time to log on. Even after the cleaning up of the DNS database. So
my next step will be to do a packet capture of a machne with the problem
during login. Why would this only affect XP cleints? Win2k clients have no
problems.

I ran DCdiag on the two domain controllers in the Madrid offices (where we
are having problems). Here is the error on the first one:

There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... MADAODC01 passed test frssysvol
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 04/15/2004 13:19:28
Event String: Driver HP LaserJet 1200 Series PCL 6 required for
An Error Event occured. EventID: 0x00000452
Time Generated: 04/15/2004 13:19:28
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 04/15/2004 13:19:29
Event String: Driver Xerox WorkCentre 24 PCL 6 required for
An Error Event occured. EventID: 0x00000452
Time Generated: 04/15/2004 13:19:29
Event String: The printer could not be installed.
......................... MADAODC01 failed test systemlog

and this on the other DC:

Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 04/15/2004 13:22:21
Event String: Driver HP LaserJet 1200 Series PCL 6 required for
An Error Event occured. EventID: 0x00000452
Time Generated: 04/15/2004 13:22:21
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 04/15/2004 13:22:23
Event String: Driver HP LaserJet 4050 Series PCL 6 required for
An Error Event occured. EventID: 0x00000452
Time Generated: 04/15/2004 13:22:23
Event String: The printer could not be installed.
......................... MADRID2AS failed test systemlog

Other than that they passed all the other tests.This is driving me nuts but
I really appreciate your help.

Pedro

Herb Martin · Apr 16, 2004

Pete said:
Herb,

Thank you for your help. I have confirmed that:

1) DNS is dynamic
2) All DNS servers are replicating
3) All clients specify ONLY the internal (dynamic) DNS servers on their NIC
properties.

Clients include DCs, right? (ALL have ONLY the internal DNS.)

Double check any machines with two NICs (sometimes DHCP or someone
puts a wrong value there.)

I have since disabled scavenging because the XP clients that are shut off
for more than a day (which is the TTL for DNS correct?)

First, the TTL for DNS is settable on each zone as a default and can
be overwritten by the DNS server on each resource record, but it has
nothing to do with scavenging periods. It's about how long "others"
should cache this zone's records..... (like other DNS servers and
clients -- as of Win2000, clients do DNS caching too by default.)

This also implies (but doesn't mean or prove) that you might have
been making one of those mistakes with scavenging that concerned
me -- default is 7 days "NO-refresh" PLUS 7 days "refresh" PLUS
the scavenging "period" is 7 days so records usually get scavenged
after 14+(0 to 7) days.

You definitely don't want the clients getting scavenged between
normal disappearances on the net with a reappearance. So set it
longer than that if you ever use it again.

are still taking a very long time to log on.
Even after the cleaning up of the DNS database. So

This is NOT related to a need to scavenge.

Think about it, even with a LOT of records the DNS server probably
caches the whole list anyway.

What happens when you use NSLookup or another DNS test tool?

Both implicitly (letting it pick the 'default' DNS server) and explicitly
where you pick the "correct" or another DNS server...?

If DNS is really the problem due to slow response you would need
to add MORE SERVERS.

(There are only about 13 backbone Internet serves -- the most
heavily hit servers in the world in terms of REQUESTS (not data
size) -- and they do just fine. They're really HOT machines but
the Internet is really big too.)

my next step will be to do a packet capture of a machine with the problem
during login. Why would this only affect XP clients? Win2k clients have no
problems.

Sounds good. Most people wait TOO LONG before doing that.

Why? I still think you have them pointed at the wrong or a misconfigured
DNS server (really.)

I ran DCdiag on the two domain controllers in the Madrid offices (where we
are having problems). Here is the error on the first one:

The one's that worry me are the Sysvol ones -- that might account
for slow logons if the GPOs cannot be fetched. You might have
to "DCPromo cycle" that DC if you cannot fix it.

Those LaserJet errors are likely irrelevant, but you should maybe
LOOK at the System, DNS, and AD logs on each DC or DNS
server.

Also a LOT of GPOs (more than 10) will make logon slow.
Also a GPO that installs software (or tries to) each time.

Pete · Apr 16, 2004

Herb,

Thank you so much for your good advice.

The DCs in Madrid pont to themselves for DNS and use forwarders for Internet
use. Clients recieve all DNS information via DHCP so in that way XP clients
and Win2k clients use the same configuration yet behave dfiferently. This is
what puzzles me.

NSLOOKUPs funtion as they should on all clients once they get logged on.

I inherited this setup and so what was done to the default domain policy is
still a mystery. But my gut is telling me this is the real problem I have a
Microsoft tool that sets the default domain GPO back to its original setting
but have never heard of anyone using it before. It is called DCGPOFIX. Ever
heard of it? Sounds too good to be true and God knows what it might do.

You mentioned DCpromo cycling my two DCs here. What do you mean by that? You
mean like in the NT days when you promoted and demoted DCs? Wouldn´t they
always grab a copy of AD from another DC anyway?

As soon as I get a hub I will do my packet capture and let you now how this
all pans out.

All the best,

Pedro

Alex Zhang · Apr 16, 2004

Hello Pedro,

I think that "DCpromo cycling" mentioned by Herb means "Demote your DCs and
then promote them".

If you have another DC, you can transfer FSMO to that DC, clean install the
original DC, promote it to a new DC, the AD information will be replaced to
this new DC automatically.

If you do not have other DCs now, you need promote a new DC for backup and
transfer the FSMO to the new DC, and then clean install the original DC,
promote it to a DC again. You can refer to the following article on how to
transfer FSMO roles.

For more information you may browse the following web sites:

255690.KB.EN-US HOW TO: View and Transfer FSMO Roles in the Graphical User
Interface
http://support.microsoft.com/default.aspx?scid=KB;EN-US;255690

255504.KB.EN-US: Using Ntdsutil.exe to Seize or Transfer the FSMO Roles to
a Domain
http://support.microsoft.com/default.aspx?scid=KB;EN-US;255504

293421.KB.EN-US Domain Controllers Continue to Use Global Catalog Server
After It Has
http://support.microsoft.com/default.aspx?scid=KB;EN-US;293421

295419.KB.EN-US XADM: How to Move the Global Catalog Role to Another Domain
Controller
http://support.microsoft.com/default.aspx?scid=KB;EN-US;295419

I hope this information proves helpful to you.

If you have any questions or concerns, please do not hesitate to let me
know. I am happy to be of assistance.

Thanks and regards,
Alex Zhang
Microsoft Partner Online Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Reply-To: "Pete" <[email protected]>
| From: "Pete" <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<#[email protected]>
<[email protected]>
| Subject: Re: Scavenging question
| Date: Fri, 16 Apr 2004 09:22:14 +0200
| Lines: 170
| Organization: Aspro Ocio
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <#[email protected]>
| Newsgroups: microsoft.public.win2000.dns
| NNTP-Posting-Host: 212.49.167.241
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.dns:38357
| X-Tomcat-NG: microsoft.public.win2000.dns
|
| Herb,
|
| Thank you so much for your good advice.
|
| The DCs in Madrid pont to themselves for DNS and use forwarders for
Internet
| use. Clients recieve all DNS information via DHCP so in that way XP
clients
| and Win2k clients use the same configuration yet behave dfiferently. This
is
| what puzzles me.
|
| NSLOOKUPs funtion as they should on all clients once they get logged on.
|
| I inherited this setup and so what was done to the default domain policy
is
| still a mystery. But my gut is telling me this is the real problem I
have a
| Microsoft tool that sets the default domain GPO back to its original
setting
| but have never heard of anyone using it before. It is called DCGPOFIX.
Ever
| heard of it? Sounds too good to be true and God knows what it might do.
|
| You mentioned DCpromo cycling my two DCs here. What do you mean by that?
You
| mean like in the NT days when you promoted and demoted DCs? Wouldn´t they
| always grab a copy of AD from another DC anyway?
|
| As soon as I get a hub I will do my packet capture and let you now how
this
| all pans out.
|
| All the best,
|
| Pedro
|
|
|
|
| | > | > > Herb,
| > >
| > > Thank you for your help. I have confirmed that:
| > >
| > > 1) DNS is dynamic
| > > 2) All DNS servers are replicating
| > > 3) All clients specify ONLY the internal (dynamic) DNS servers on
their
| > NIC
| > > properties.
| >
| > Clients include DCs, right? (ALL have ONLY the internal DNS.)
| >
| > Double check any machines with two NICs (sometimes DHCP or someone
| > puts a wrong value there.)
| >
| > > I have since disabled scavenging because the XP clients that are shut
| off
| > > for more than a day (which is the TTL for DNS correct?)
| >
| > First, the TTL for DNS is settable on each zone as a default and can
| > be overwritten by the DNS server on each resource record, but it has
| > nothing to do with scavenging periods. It's about how long "others"
| > should cache this zone's records..... (like other DNS servers and
| > clients -- as of Win2000, clients do DNS caching too by default.)
| >
| > This also implies (but doesn't mean or prove) that you might have
| > been making one of those mistakes with scavenging that concerned
| > me -- default is 7 days "NO-refresh" PLUS 7 days "refresh" PLUS
| > the scavenging "period" is 7 days so records usually get scavenged
| > after 14+(0 to 7) days.
| >
| > You definitely don't want the clients getting scavenged between
| > normal disappearances on the net with a reappearance. So set it
| > longer than that if you ever use it again.
| >
| > > are still taking a very long time to log on.
| > > Even after the cleaning up of the DNS database. So
| >
| > This is NOT related to a need to scavenge.
| >
| > Think about it, even with a LOT of records the DNS server probably
| > caches the whole list anyway.
| >
| > What happens when you use NSLookup or another DNS test tool?
| >
| > Both implicitly (letting it pick the 'default' DNS server) and
explicitly
| > where you pick the "correct" or another DNS server...?
| >
| > If DNS is really the problem due to slow response you would need
| > to add MORE SERVERS.
| >
| > (There are only about 13 backbone Internet serves -- the most
| > heavily hit servers in the world in terms of REQUESTS (not data
| > size) -- and they do just fine. They're really HOT machines but
| > the Internet is really big too.)
| >
| > > my next step will be to do a packet capture of a machine with the
| problem
| > > during login. Why would this only affect XP clients? Win2k clients
have
| no
| > > problems.
| >
| > Sounds good. Most people wait TOO LONG before doing that.
| >
| > Why? I still think you have them pointed at the wrong or a
misconfigured
| > DNS server (really.)
| >
| > > I ran DCdiag on the two domain controllers in the Madrid offices
(where
| we
| > > are having problems). Here is the error on the first one:
| > >
| >
| > The one's that worry me are the Sysvol ones -- that might account
| > for slow logons if the GPOs cannot be fetched. You might have
| > to "DCPromo cycle" that DC if you cannot fix it.
| >
| > Those LaserJet errors are likely irrelevant, but you should maybe
| > LOOK at the System, DNS, and AD logs on each DC or DNS
| > server.
| >
| > Also a LOT of GPOs (more than 10) will make logon slow.
| > Also a GPO that installs software (or tries to) each time.
| >
| > --
| > Herb Martin
| > >
| > > There are errors after the SYSVOL has been shared.
| > > The SYSVOL can prevent the AD from starting.
| > > ......................... MADAODC01 passed test frssysvol
| > > Starting test: systemlog
| > > An Error Event occured. EventID: 0x00000457
| > > Time Generated: 04/15/2004 13:19:28
| > > Event String: Driver HP LaserJet 1200 Series PCL 6 required for
| > > An Error Event occured. EventID: 0x00000452
| > > Time Generated: 04/15/2004 13:19:28
| > > Event String: The printer could not be installed.
| > > An Error Event occured. EventID: 0x00000457
| > > Time Generated: 04/15/2004 13:19:29
| > > Event String: Driver Xerox WorkCentre 24 PCL 6 required for
| > > An Error Event occured. EventID: 0x00000452
| > > Time Generated: 04/15/2004 13:19:29
| > > Event String: The printer could not be installed.
| > > ......................... MADAODC01 failed test systemlog
| > >
| > > and this on the other DC:
| > >
| > >
| > > Starting test: systemlog
| > > An Error Event occured. EventID: 0x00000457
| > > Time Generated: 04/15/2004 13:22:21
| > > Event String: Driver HP LaserJet 1200 Series PCL 6 required for
| > > An Error Event occured. EventID: 0x00000452
| > > Time Generated: 04/15/2004 13:22:21
| > > Event String: The printer could not be installed.
| > > An Error Event occured. EventID: 0x00000457
| > > Time Generated: 04/15/2004 13:22:23
| > > Event String: Driver HP LaserJet 4050 Series PCL 6 required for
| > > An Error Event occured. EventID: 0x00000452
| > > Time Generated: 04/15/2004 13:22:23
| > > Event String: The printer could not be installed.
| > > ......................... MADRID2AS failed test systemlog
| > >
| > >
| > > Other than that they passed all the other tests.This is driving me
nuts
| > but
| > > I really appreciate your help.
| > >
| > >
| > > Pedro
| > >
| > >
| >
| >
|
|
|

Herb Martin · Apr 16, 2004

NSLOOKUPs funtion as they should on all clients once they get logged on.

I inherited this setup and so what was done to the default domain policy is
still a mystery. But my gut is telling me this is the real problem I have a
Microsoft tool that sets the default domain GPO back to its original setting
but have never heard of anyone using it before. It is called DCGPOFIX. Ever
heard of it? Sounds too good to be true and God knows what it might do.

Yes, and I was going to suggest that you CONSIDER it. If
the system is a mess and you have no idea what is in the
default policy it might make sense to reset -- of course you
may lose some "essential setting" so consider the implications
carefully.

The nslookup (correct) results pretty much eliminate or at least
argue against DNS.

I lean towards the Sysvol or GPO issues now.

You mentioned DCpromo cycling my two DCs here. What do you mean by that? You
mean like in the NT days when you promoted and demoted DCs? Wouldn´t they
always grab a copy of AD from another DC anyway?

Yes, and yes. (Except that in NT, once a DC, always a DC.)

But your question is exactly the point (get new copy) though.
If you AD or Sysvol is screwed up on only one DC, you cycle
that one to get a new copy.

As soon as I get a hub I will do my packet capture and let you now how this
all pans out.

You could just run NetMon on a DC, or better perhaps to
download Ethereal or Windump.

Herb Martin · Apr 16, 2004

I think that "DCpromo cycling" mentioned by Herb means "Demote your DCs
and

then promote them".

I meant just the DC(s) that had SysVol errors, etc.

If you have another DC, you can transfer FSMO to that DC, clean install the
original DC, promote it to a new DC, the AD information will be replaced to
this new DC automatically.

Seldom necessary to re-install the OS. I almost
never do this. It's a choice though.

Pete · Apr 16, 2004

According to MS DCGPOFIX is only for use on 2003. Its not very clear anyway
so I am going to stay clear of it. I have read KBAs 267553 and 226243 which
tell you how to reset security settings and user rights in the Default
Domain policy. The articles talk about the GptTmpl.inf file and how to
modify it. This partcluar file in my case is enormous and the articles only
mention touching about 20 lines of it. Our file has hundreds of File System
entries as well as hundreds of Registry entries.

Questions.

1. By defualt does the GptTmpl.inf file have File System and Registry
entries?
2. How would I go about getting rid of all the entries if I decided they
were of no use?

The packet capture is tough. I can see it took 4 mins to get to Windows
update. Before that though there was tons (TCP, SMB,NBSS) of traffice to and
from tcp ports 445, 1059. Also triaffic to and from tcp ports 1068, 1066 to
19226. There was a few Tree Disconnect Requests and Requests. Whatever they
are. I would love to read article on what happens at the network level of an
XP client from the moment I do a Crtl+Alt+Del until I can see the desktop.
If anyone knows of one I would apreciate it.

I will keep digging,

Al the best,

Pedro

Pedro

Herb Martin · Apr 17, 2004

Questions.

1. By defualt does the GptTmpl.inf file have File System and Registry
entries?
2. How would I go about getting rid of all the entries if I decided they
were of no use?

I have no direct idea...I too would have to hack through it.

The packet capture is tough. I can see it took 4 mins to get to Windows
update. Before that though there was tons (TCP, SMB,NBSS) of traffice to and
from tcp ports 445, 1059. Also triaffic to and from tcp ports 1068, 1066

to

Sounds like you confirmed that DNS is not the problem.

The packet capture is tough. I can see it took 4 mins to get to Windows
update. Before that though there was tons (TCP, SMB,NBSS) of traffice to and
from tcp ports 445, 1059. Also triaffic to and from tcp ports 1068, 1066 to
19226. There was a few Tree Disconnect Requests and Requests. Whatever they
are. I would love to read article on what happens at the network level of an
XP client from the moment I do a Crtl+Alt+Del until I can see the desktop.
If anyone knows of one I would apreciate it.

I believe it is in Technet or MSDC somewhere. It certainly used
to be there for NT.

Try searching on performance planning for logon DC traffic.
(Seems it was described in an article about performance
because it gave the size and types of all packets.)

Alex Zhang · Apr 27, 2004

Pete · May 4, 2004

In the end when we renamed the GptTmpl.inf file XP users were connecting
like a charm. What I thought was a DNS problem was a AD problem.

Thanks to everyone who helped me figure this out.

Pete

Jack Wang [MSFT] · May 11, 2004

You are welcome! If you have any questions in the future, please don't
hesitate to post in the newsgroup. Have a great day!

Sincerely,
Jack Wang, MCSE 2000, MCSA, MCDBA, MCSD
Microsoft Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Reply-To: "Pete" <[email protected]>
| From: "Pete" <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<#[email protected]>
<[email protected]>
<#[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
| Subject: Re: Scavenging question
| Date: Tue, 4 May 2004 17:34:47 +0200
| Lines: 420
| Organization: Aspro Ocio
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.win2000.dns
| NNTP-Posting-Host: 212.49.167.241
| Path:
cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10
..phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.win2000.dns:39408
| X-Tomcat-NG: microsoft.public.win2000.dns
|
| In the end when we renamed the GptTmpl.inf file XP users were connecting
| like a charm. What I thought was a DNS problem was a AD problem.
|
| Thanks to everyone who helped me figure this out.
|
| Pete
|
|
|
| | > Hi Pedro,
| >
| > Thank you for your reply.
| >
| > I have replied you in the other thread. For your convenience, I have
| > included it as follows. If you have further concern, feel free to reply
to
| > the other thread.
| >
| > ===========
| > By default, there are Registry entries in the GptTmpl.inf file. However
| > there are only a few entries, not hundreds of them. It is because you
| > inherited an installation.
| >
| > To completely reset the user rights to the default settings, you could
| > rename the GptTmpl.inf file, and then create a new GptTmpl.inf file with
| > the default user-rights information in the KB 267553. You can copy and
| then
| > paste the appropriate section into the new GptTmpl.inf file.
| >
| > In addition, I attached a .zip file in that post. You could use this
tool
| > to achieve the same goal.
| >
| > Some related information:
| >
| > Group Policy Storage
| >
|
http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsec/dse
| > c_pol_cxxv.asp
| > ===========
| >
| > If you have any concerns, please let me know.
| >
| > Have a nice day!
| >
| > Thanks and regards,
| >
| > Alex Zhang
| > Microsoft Partner Online Support
| > Get Secure! - <www.microsoft.com/security>
| > =====================================================
| > When responding to posts, please "Reply to Group" via your newsreader so
| > that others may learn and benefit from your issue.
| > =====================================================
| > This posting is provided "AS IS" with no warranties, and confers no
| rights.
| > --------------------
| > | From: "Herb Martin" <[email protected]>
| > | References: <[email protected]>
| > <[email protected]>
| > <[email protected]>
| > <[email protected]>
| > <#[email protected]>
| > <[email protected]>
| > <#[email protected]>
| > <[email protected]>
| > <[email protected]>
| > | Subject: Re: Scavenging question
| > | Date: Fri, 16 Apr 2004 22:13:02 -0500
| > | Lines: 290
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.3790.0
| > | X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| > | Message-ID: <[email protected]>
| > | Newsgroups: microsoft.public.win2000.dns
| > | NNTP-Posting-Host: cs6625203-102.austin.rr.com 66.25.203.102
| > | Path:
| >
|
cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10
| > phx.gbl
| > | Xref: cpmsftngxa10.phx.gbl microsoft.public.win2000.dns:38790
| > | X-Tomcat-NG: microsoft.public.win2000.dns
| > |
| > | > Questions.
| > | >
| > | > 1. By defualt does the GptTmpl.inf file have File System and
Registry
| > | > entries?
| > | > 2. How would I go about getting rid of all the entries if I decided
| they
| > | > were of no use?
| > |
| > | I have no direct idea...I too would have to hack through it.
| > |
| > | > The packet capture is tough. I can see it took 4 mins to get to
| Windows
| > | > update. Before that though there was tons (TCP, SMB,NBSS) of
traffice
| to
| > | and
| > | > from tcp ports 445, 1059. Also triaffic to and from tcp ports 1068,
| 1066
| > | to
| > |
| > | Sounds like you confirmed that DNS is not the problem.
| > |
| > | > The packet capture is tough. I can see it took 4 mins to get to
| Windows
| > | > update. Before that though there was tons (TCP, SMB,NBSS) of
traffice
| to
| > | and
| > | > from tcp ports 445, 1059. Also triaffic to and from tcp ports 1068,
| 1066
| > | to
| > | > 19226. There was a few Tree Disconnect Requests and Requests.
Whatever
| > | they
| > | > are. I would love to read article on what happens at the network
level
| > of
| > | an
| > | > XP client from the moment I do a Crtl+Alt+Del until I can see the
| > desktop.
| > | > If anyone knows of one I would apreciate it.
| > |
| > | I believe it is in Technet or MSDC somewhere. It certainly used
| > | to be there for NT.
| > |
| > | Try searching on performance planning for logon DC traffic.
| > | (Seems it was described in an article about performance
| > | because it gave the size and types of all packets.)
| > |
| > | --
| > | Herb Martin
| > | | > | > According to MS DCGPOFIX is only for use on 2003. Its not very
clear
| > | anyway
| > | > so I am going to stay clear of it. I have read KBAs 267553 and
226243
| > | which
| > | > tell you how to reset security settings and user rights in the
Default
| > | > Domain policy. The articles talk about the GptTmpl.inf file and how
to
| > | > modify it. This partcluar file in my case is enormous and the
articles
| > | only
| > | > mention touching about 20 lines of it. Our file has hundreds of File
| > | System
| > | > entries as well as hundreds of Registry entries.
| > | >
| > | >
| > | >
| > | > I will keep digging,
| > | >
| > | > Al the best,
| > | >
| > | > Pedro
| > | >
| > | > Pedro
| > | > | > | > > > NSLOOKUPs funtion as they should on all clients once they get
| logged
| > | on.
| > | > > >
| > | > > > I inherited this setup and so what was done to the default
domain
| > | policy
| > | > > is
| > | > > > still a mystery. But my gut is telling me this is the real
problem
| > I
| > | > have
| > | > > a
| > | > > > Microsoft tool that sets the default domain GPO back to its
| original
| > | > > setting
| > | > > > but have never heard of anyone using it before. It is called
| > DCGPOFIX.
| > | > > Ever
| > | > > > heard of it? Sounds too good to be true and God knows what it
| might
| > | do.
| > | > >
| > | > > Yes, and I was going to suggest that you CONSIDER it. If
| > | > > the system is a mess and you have no idea what is in the
| > | > > default policy it might make sense to reset -- of course you
| > | > > may lose some "essential setting" so consider the implications
| > | > > carefully.
| > | > >
| > | > > The nslookup (correct) results pretty much eliminate or at least
| > | > > argue against DNS.
| > | > >
| > | > > I lean towards the Sysvol or GPO issues now.
| > | > >
| > | > > > You mentioned DCpromo cycling my two DCs here. What do you mean
by
| > | that?
| > | > > You
| > | > > > mean like in the NT days when you promoted and demoted DCs?
| Wouldn´t
| > | > they
| > | > > > always grab a copy of AD from another DC anyway?
| > | > >
| > | > > Yes, and yes. (Except that in NT, once a DC, always a DC.)
| > | > >
| > | > > But your question is exactly the point (get new copy) though.
| > | > > If you AD or Sysvol is screwed up on only one DC, you cycle
| > | > > that one to get a new copy.
| > | > >
| > | > > > As soon as I get a hub I will do my packet capture and let you
now
| > how
| > | > > this
| > | > > > all pans out.
| > | > >
| > | > > You could just run NetMon on a DC, or better perhaps to
| > | > > download Ethereal or Windump.
| > | > >
| > | > > --
| > | > > Herb Martin
| > | > > | > | > > > Herb,
| > | > > >
| > | > > > Thank you so much for your good advice.
| > | > > >
| > | > > > The DCs in Madrid pont to themselves for DNS and use forwarders
| for
| > | > > Internet
| > | > > > use. Clients recieve all DNS information via DHCP so in that way
| XP
| > | > > clients
| > | > > > and Win2k clients use the same configuration yet behave
| dfiferently.
| > | > This
| > | > > is
| > | > > > what puzzles me.
| > | > > >
| > | > > >
| > | > > > All the best,
| > | > > >
| > | > > > Pedro
| > | > > >
| > | > > >
| > | > > >
| > | > > >
| > | > > > | > | > > > > | > | > > > > > Herb,
| > | > > > > >
| > | > > > > > Thank you for your help. I have confirmed that:
| > | > > > > >
| > | > > > > > 1) DNS is dynamic
| > | > > > > > 2) All DNS servers are replicating
| > | > > > > > 3) All clients specify ONLY the internal (dynamic) DNS
| servers
| > on
| > | > > their
| > | > > > > NIC
| > | > > > > > properties.
| > | > > > >
| > | > > > > Clients include DCs, right? (ALL have ONLY the internal DNS.)
| > | > > > >
| > | > > > > Double check any machines with two NICs (sometimes DHCP or
| someone
| > | > > > > puts a wrong value there.)
| > | > > > >
| > | > > > > > I have since disabled scavenging because the XP clients that
| are
| > | > shut
| > | > > > off
| > | > > > > > for more than a day (which is the TTL for DNS correct?)
| > | > > > >
| > | > > > > First, the TTL for DNS is settable on each zone as a default
and
| > can
| > | > > > > be overwritten by the DNS server on each resource record, but
it
| > has
| > | > > > > nothing to do with scavenging periods. It's about how long
| > "others"
| > | > > > > should cache this zone's records..... (like other DNS servers
| and
| > | > > > > clients -- as of Win2000, clients do DNS caching too by
| default.)
| > | > > > >
| > | > > > > This also implies (but doesn't mean or prove) that you might
| have
| > | > > > > been making one of those mistakes with scavenging that
concerned
| > | > > > > me -- default is 7 days "NO-refresh" PLUS 7 days "refresh"
PLUS
| > | > > > > the scavenging "period" is 7 days so records usually get
| scavenged
| > | > > > > after 14+(0 to 7) days.
| > | > > > >
| > | > > > > You definitely don't want the clients getting scavenged
between
| > | > > > > normal disappearances on the net with a reappearance. So set
it
| > | > > > > longer than that if you ever use it again.
| > | > > > >
| > | > > > > > are still taking a very long time to log on.
| > | > > > > > Even after the cleaning up of the DNS database. So
| > | > > > >
| > | > > > > This is NOT related to a need to scavenge.
| > | > > > >
| > | > > > > Think about it, even with a LOT of records the DNS server
| probably
| > | > > > > caches the whole list anyway.
| > | > > > >
| > | > > > > What happens when you use NSLookup or another DNS test tool?
| > | > > > >
| > | > > > > Both implicitly (letting it pick the 'default' DNS server) and
| > | > > explicitly
| > | > > > > where you pick the "correct" or another DNS server...?
| > | > > > >
| > | > > > > If DNS is really the problem due to slow response you would
need
| > | > > > > to add MORE SERVERS.
| > | > > > >
| > | > > > > (There are only about 13 backbone Internet serves -- the most
| > | > > > > heavily hit servers in the world in terms of REQUESTS (not
data
| > | > > > > size) -- and they do just fine. They're really HOT machines
but
| > | > > > > the Internet is really big too.)
| > | > > > >
| > | > > > > > my next step will be to do a packet capture of a machine
with
| > the
| > | > > > problem
| > | > > > > > during login. Why would this only affect XP clients? Win2k
| > clients
| > | > > have
| > | > > > no
| > | > > > > > problems.
| > | > > > >
| > | > > > > Sounds good. Most people wait TOO LONG before doing that.
| > | > > > >
| > | > > > > Why? I still think you have them pointed at the wrong or a
| > | > > misconfigured
| > | > > > > DNS server (really.)
| > | > > > >
| > | > > > > > I ran DCdiag on the two domain controllers in the Madrid
| offices
| > | > > (where
| > | > > > we
| > | > > > > > are having problems). Here is the error on the first one:
| > | > > > > >
| > | > > > >
| > | > > > > The one's that worry me are the Sysvol ones -- that might
| account
| > | > > > > for slow logons if the GPOs cannot be fetched. You might have
| > | > > > > to "DCPromo cycle" that DC if you cannot fix it.
| > | > > > >
| > | > > > > Those LaserJet errors are likely irrelevant, but you should
| maybe
| > | > > > > LOOK at the System, DNS, and AD logs on each DC or DNS
| > | > > > > server.
| > | > > > >
| > | > > > > Also a LOT of GPOs (more than 10) will make logon slow.
| > | > > > > Also a GPO that installs software (or tries to) each time.
| > | > > > >
| > | > > > > --
| > | > > > > Herb Martin
| > | > > > > >
| > | > > > > > There are errors after the SYSVOL has been shared.
| > | > > > > > The SYSVOL can prevent the AD from starting.
| > | > > > > > ......................... MADAODC01 passed test frssysvol
| > | > > > > > Starting test: systemlog
| > | > > > > > An Error Event occured. EventID: 0x00000457
| > | > > > > > Time Generated: 04/15/2004 13:19:28
| > | > > > > > Event String: Driver HP LaserJet 1200 Series PCL 6
| > required
| > | > for
| > | > > > > > An Error Event occured. EventID: 0x00000452
| > | > > > > > Time Generated: 04/15/2004 13:19:28
| > | > > > > > Event String: The printer could not be installed.
| > | > > > > > An Error Event occured. EventID: 0x00000457
| > | > > > > > Time Generated: 04/15/2004 13:19:29
| > | > > > > > Event String: Driver Xerox WorkCentre 24 PCL 6
required
| > for
| > | > > > > > An Error Event occured. EventID: 0x00000452
| > | > > > > > Time Generated: 04/15/2004 13:19:29
| > | > > > > > Event String: The printer could not be installed.
| > | > > > > > ......................... MADAODC01 failed test systemlog
| > | > > > > >
| > | > > > > > and this on the other DC:
| > | > > > > >
| > | > > > > >
| > | > > > > > Starting test: systemlog
| > | > > > > > An Error Event occured. EventID: 0x00000457
| > | > > > > > Time Generated: 04/15/2004 13:22:21
| > | > > > > > Event String: Driver HP LaserJet 1200 Series PCL 6
| > required
| > | > for
| > | > > > > > An Error Event occured. EventID: 0x00000452
| > | > > > > > Time Generated: 04/15/2004 13:22:21
| > | > > > > > Event String: The printer could not be installed.
| > | > > > > > An Error Event occured. EventID: 0x00000457
| > | > > > > > Time Generated: 04/15/2004 13:22:23
| > | > > > > > Event String: Driver HP LaserJet 4050 Series PCL 6
| > required
| > | > for
| > | > > > > > An Error Event occured. EventID: 0x00000452
| > | > > > > > Time Generated: 04/15/2004 13:22:23
| > | > > > > > Event String: The printer could not be installed.
| > | > > > > > ......................... MADRID2AS failed test systemlog
| > | > > > > >
| > | > > > > >
| > | > > > > > Other than that they passed all the other tests.This is
| driving
| > me
| > | > > nuts
| > | > > > > but
| > | > > > > > I really appreciate your help.
| > | > > > > >
| > | > > > > >
| > | > > > > > Pedro
| > | > > > > >
| > | > > > > >
| > | > > > >
| > | > > > >
| > | > > >
| > | > > >
| > | > >
| > | > >
| > | >
| > | >
| > |
| > |
| > |
| >
|
|
|

Scavenging question

Pete

Herb Martin

Pete

Pete

Pete

Ace Fekay [MVP]

Herb Martin

Pete

Herb Martin

Pete

Alex Zhang

Herb Martin

Herb Martin

Pete

Herb Martin

Alex Zhang

Pete

Jack Wang [MSFT]