Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2006-07-15) Enlisting A DC For The Default App NCs After Promotion

Posted by Jorge on 2006-07-15


As you may know, by default each W2K3 forest contains one application partition for DNS (ForestDNSZones.<ForestName>) and each W2K3 domain contains one application partition for DNS (DomainDNSZones.<DomainName>).
When a server is freshly promoted to a DC, it might take a while before it receives (and hosts a replica of) the default application partitions. Of course you may ask why it might take a while…

When a server is promoted to a DC, a computer account (and other leaf objects) is created within the domain partition, and a server object and an NTDS Settings object are created within the configuration partition. These objects are created on the DC that is used as the source (helper) DC for the newly promoted DC. After the promotion has finished and the new DC has been rebooted, the DNS service on the new DC tries to enlist itself automatically in the default application partition of the forest and of its own domain by contacting the Domain Naming Master FSMO. However, the Domain Naming Master FSMO will not enlist the new DC in the application partitions until it becomes aware of the new DC by means of normal Active Directory replication: it wants to see the server object and the NTDS Settings object in its own replica of the configuration partition before it adds the new DC's NTDS Settings object to the replica list (the msDS-NC-Replica-Locations attribute on the partition's cross-ref object) of each application partition.

So if a server is promoted to a DC in some distant branch office and the AD replication schedules are tightly configured (e.g. replication only after working hours or something similar), it might take some time before the Domain Naming Master FSMO becomes aware of the new DC. Forcing AD replication to the Domain Naming Master FSMO, together with some other steps, helps to speed this up. Note that after the new DC has been enlisted, it still needs to inbound replicate the application partitions from a source DC before the zones stored in them show up in its DNS console.

If the enlistment attempt fails (for example because the Domain Naming Master FSMO does not know the new DC yet), the DNS service on the DC retries it every 24 hours (86400 seconds) by default. This interval is configurable on the DC through the registry value shown below; the DNS service must be restarted for a change to take effect:

  • Registry Key:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
  • Registry Value Name:
    • DirectoryPartitionAutoEnlistInterval
  • Registry Value Type:
    • REG_DWORD
  • Registry Value Data:
    • <DECIMAL value in seconds>

To speed this up, the following steps can be performed:

  1. Force inbound replication on the DC hosting the Domain Naming Master FSMO (e.g. with REPADMIN /SYNCALL <FQDN DNM FSMO> /A /e; without /P, SYNCALL pulls from the partners)
  2. Check in the local replica of the DC hosting the Domain Naming Master FSMO whether the newly promoted DC is visible within the configuration container (server object, NTDS Settings object, connection objects)
  3. Stop and start the DNS service on the newly promoted DC
  4. Check whether the newly promoted DC has been enlisted for the application partitions on the Domain Naming Master FSMO (e.g. with DNSCMD <FQDN DNM FSMO> /DIRECTORYPARTITIONINFO ForestDNSZones.<ForestName>, and the same for DomainDNSZones.<DomainName>; the NTDS Settings object of the new DC should be listed as a replica)
  5. Force outbound replication from the DC hosting the Domain Naming Master FSMO (e.g. with REPADMIN /SYNCALL <FQDN DNM FSMO> /A /e /P)
  6. Force inbound replication on the newly promoted DC (e.g. with REPADMIN /SYNCALL <FQDN new DC> /A /e)
  7. Trigger the KCC on the newly promoted DC to check the replication topology and set up replica links for the application partitions (e.g. with REPADMIN /KCC <FQDN new DC>)
  8. Force inbound replication on the newly promoted DC again (e.g. with REPADMIN /SYNCALL <FQDN new DC> /A /e)
  9. Stop and start the DNS service on the newly promoted DC
  10. By now the DNS zone information should be visible in DNS on the new DC (e.g. with DNSCMD <FQDN new DC> /ENUMZONES) for those zones that are stored within an application partition.
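As an added example (not part of the original post), the script below drives the ten steps above, plus the optional registry change, from Windows PowerShell using the same command-line tools (REPADMIN, DNSCMD, REG). The host names dc01.corp.example.com (Domain Naming Master FSMO holder), brdc07.corp.example.com (freshly promoted DC) and the forest/domain name corp.example.com are constructed for the example; the function names and the regex check on the DNSCMD output are my own, not anything from the post or from Microsoft's tools. It assumes it runs as a Domain Admin on a machine that has repadmin.exe and dnscmd.exe and can reach the Service Control Manager of both DCs over RPC.

```powershell
# Added example, not from the original post: automate "Enlisting A DC For The
# Default App NCs After Promotion". All names below are assumptions.
param(
    [string]$DnmFsmo    = 'dc01.corp.example.com',    # assumed DNM FSMO holder
    [string]$NewDc      = 'brdc07.corp.example.com',  # assumed newly promoted DC
    [string]$ForestName = 'corp.example.com',         # assumed forest root name
    [string]$DomainName = 'corp.example.com',         # assumed domain of the new DC
    [int]$EnlistIntervalSeconds = 0   # 0 = keep the 24h default (86400 seconds)
)
$ErrorActionPreference = 'Stop'

function Invoke-Tool([string]$Exe, [string[]]$Arguments) {
    # Runs a legacy command-line tool, echoes the command and fails on a non-zero exit code.
    Write-Host ">> $Exe $($Arguments -join ' ')"
    $out = & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
    return $out
}

function Restart-DnsService([string]$Computer) {
    # Steps 3 and 9: a restart makes the DNS server retry enlistment right away
    # instead of waiting for DirectoryPartitionAutoEnlistInterval to expire.
    $svc = Get-Service -Name DNS -ComputerName $Computer
    $svc.Stop();  $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    $svc.Start(); $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Start-Sleep -Seconds 10   # give the service a moment to contact the DNM FSMO
}

function Test-NewDcKnownTo([string]$Dc, [string]$ServerFqdn) {
    # Step 2: does $Dc's replica of the configuration NC already contain the
    # server object of the new DC and its NTDS Settings child?
    $rootDse  = [ADSI]"LDAP://$Dc/RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Dc/$($rootDse.configurationNamingContext)"
    $searcher.Filter = "(&(objectClass=server)(dNSHostName=$ServerFqdn))"
    $server = $searcher.FindOne()
    if ($null -eq $server) { return $false }
    $serverDn = $server.Properties['distinguishedname'][0]
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Dc/CN=NTDS Settings,$serverDn")
}

function Test-Enlisted([string]$Dc, [string]$Partition, [string]$ServerFqdn) {
    # Step 4: the replica list printed by DNSCMD /DirectoryPartitionInfo consists of
    # NTDS Settings DNs, which contain the server's short name (CN=BRDC07,...).
    $out = Invoke-Tool 'dnscmd.exe' @($Dc, '/DirectoryPartitionInfo', $Partition, '/Detail')
    $shortName = ($ServerFqdn -split '\.')[0]
    return [bool]($out -match [regex]::Escape($shortName))   # -match is case-insensitive
}

if ($EnlistIntervalSeconds -gt 0) {
    # Optional: shorten the 24h retry interval on the new DC. It takes effect on the
    # next start of the DNS service, which step 3 provides.
    Invoke-Tool 'reg.exe' @('add', "\\$NewDc\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters",
        '/v', 'DirectoryPartitionAutoEnlistInterval', '/t', 'REG_DWORD',
        '/d', $EnlistIntervalSeconds, '/f') | Out-Null
}

$partitions = @("ForestDnsZones.$ForestName", "DomainDnsZones.$DomainName")

# Step 1: pull all NCs (/A) into the DNM FSMO, also across site links (/e).
Invoke-Tool 'repadmin.exe' @('/syncall', $DnmFsmo, '/A', '/e') | Out-Null

# Step 2: stop here if the DNM FSMO still does not know the new DC.
if (-not (Test-NewDcKnownTo $DnmFsmo $NewDc)) {
    throw "$DnmFsmo does not yet hold the server/NTDS Settings objects of $NewDc; check replication to it first."
}

# Step 3: make the new DC's DNS server retry the enlistment now.
Restart-DnsService $NewDc

# Step 4: the new DC must now be a replica of both default partitions.
foreach ($p in $partitions) {
    if (-not (Test-Enlisted $DnmFsmo $p $NewDc)) {
        throw "$NewDc is not (yet) listed as a replica of $p on $DnmFsmo"
    }
}

# Steps 5-8: push the updated cross-ref out of the DNM FSMO (/P), pull on the new DC,
# let the KCC build replica links for the partitions, then pull again.
Invoke-Tool 'repadmin.exe' @('/syncall', $DnmFsmo, '/A', '/e', '/P') | Out-Null
Invoke-Tool 'repadmin.exe' @('/syncall', $NewDc, '/A', '/e')         | Out-Null
Invoke-Tool 'repadmin.exe' @('/kcc', $NewDc)                         | Out-Null
Invoke-Tool 'repadmin.exe' @('/syncall', $NewDc, '/A', '/e')         | Out-Null

# Step 9: restart DNS once more so the zones in the partitions are loaded.
Restart-DnsService $NewDc

# Step 10: the application-partition zones should now appear in the zone list.
Invoke-Tool 'dnscmd.exe' @($NewDc, '/EnumZones')
```

Every REPADMIN /SYNCALL in the script is run without /q, so a partner that is unreachable (for example because of a closed site-link schedule) shows up in the output and, through the exit code, stops the script rather than silently leaving the new DC without a replica. Get-Service -ComputerName is a Windows PowerShell cmdlet parameter; on PowerShell 7 replace Restart-DnsService with sc.exe \\<host> stop/start DNS.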

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
