Networking, Windows Server 2008 R2

Port forward/proxy/redirect – Windows – Just like Xinetd.

So, if you have an issue where you need to forward a port to a different location with Windows, you’re in luck. Whilst you don’t have xinetd, you don’t have to use a third party tool or service.

SYSTEM A – 10.0.0.10

SYSTEM B – 192.168.0.10

SYSTEM C – 172.16.0.10

If you cannot directly route SYSTEM A to SYSTEM C but need to hit a service running on port 25/tcp on SYSTEM C from SYSTEM A, you can use portproxy. Let’s say both sides can hit SYSTEM B. You can use portproxy to set up SYSTEM B to forward your request to SYSTEM C, yet access the same service from SYSTEM A by hitting SYSTEM B.

Simply at the command prompt on SYSTEM B, type:

netsh

interface portproxy

add v4tov4 listenport=25 connectaddress=172.16.0.10 connectport=25 protocol=tcp

This means when you now hit 192.168.0.10 on port 25, you’ll receive the data from SYSTEM C’s socket. Simple port proxying or forwarding.

You can also do this from IPv4 to v6, or v6 to v6.
Best of all, you can use DNS names.. !!

Simply add this in as a startup script via a group policy object, and you’ve got your own cross-network router for specific ports.

Port Proxy documentation at Microsoft:

http://technet.microsoft.com/en-us/library/cc776297%28WS.10%29.aspx

Documentation, Hacking, Hardware, Microsoft, Server Technologies

How To: Intel 82579V Gigabit Network Connection – Windows Server 2008 R2

Clearly Intel doesn’t want us to install server OS onto desktop motherboards nowadays.

Look at your driver CD. Navigate to the PRO1000 folder; depending on whether you have 32bit or 64bit OS, you will then want either Win32 or Winx64 (not Win64 which is for Itanium).
The choice for the next folder will depend on your OS; NDIS5x is Server2003 or XP, NDIS61 is Server2008 or Vista, NDIS62 is Server2008R2 or 7, I presume NDIS63 is for Windows 8, Server 2012.

Copy the correct folder to your desktop.

In either case once you have chosen the correct folder you need to find the .inf starting e1c ; so for Server 2008 R2 64bit it will be called e1c62x64.inf. Ensure you are doing this on the copy that now exists on your desktop.

Open the file in notepad;

;******************************************************************************
; e1c62x64.INF (Intel 64-bit extension Platform Only,
; Windows 7 64-bit extension and Windows Server 2008 R2 64-bit extension)
;
; Intel(R) Gigabit Network connections
;******************************************************************************
;
[Version]
Signature = "$Windows NT$"
Class = Net
ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}
Provider = %Intel%
CatalogFile = e1c62x64.cat
DriverVer = 06/21/2012,11.16.96.0
[Manufacturer]
%Intel% = Intel, NTamd64.6.1, NTamd64.6.1.1, NTamd64.6.2
[ControlFlags]
ExcludeFromSelect = \ 
 PCI\VEN_8086&DEV_1502,\ 
 PCI\VEN_8086&DEV_1503
[Intel]
[Intel.NTamd64.6.1.1]
; DisplayName Section DeviceID
; ----------- ------- --------
%E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502
%E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502&SUBSYS_00011179
%E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502&SUBSYS_00021179
%E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502&SUBSYS_80001025
%E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503
%E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00011179
%E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00021179
%E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_80001025
%E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_04911025
[Intel.NTamd64.6.1]
; DisplayName Section DeviceID
; ----------- ------- --------
%E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502
%E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502&SUBSYS_00011179
%E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502&SUBSYS_00021179
%E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502&SUBSYS_80001025
%E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503
%E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00011179
%E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00021179
%E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_80001025
%E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_04911025

Open the file in notepad;

If you look in [ControlFlags], you see that there are two device IDs listed. DEV_1502 and DEV_1503.
If you go back to the new computer you built (with no NIC driver installed ūüôā ), in Device Manager, you should see “Ethernet Adapter” listed as an unknown device. Go into the Properties of that, then Details, Hardware Ids. Now, you see that the device should be DEV_1503. Great.

Go back to the notepad file you have open, you can see that under the second section within [Intel] you don’t have anything listed for DEV_1503 under [Intel.NTamd64.61]. Ironically, every other section has Server 2008 R2 provided for. Sneaky Intel, sneaky.

Anyway, copy and paste the two lines that provide for DEV_1503 in the [Intel.NTamd64.6.1.1] section to the new section, like above. Save the file.

Go back to the other computer that still has device manager open (it might be the same computer..), click Driver -> Update Driver, then manually select the desktop location of your NDIS62 directory you copied and then edited.

Driver should install successfully. Hit me up if your mileage varies.

Active Directory, DNS, Microsoft, Windows Server 2008 R2

DNS and Subnet Priortization & DNS Round Robin

If you have any subnets other than a Class C in the environment, Subnet Priortization may not work as expected due to this reason. I included a separate section explaining this in further detail, and how to set a DNS server to take this into acccount, which of course must be set on all DNS servers in the environment.

DNS and Subnet Priortization & DNS Round Robin – Which one Supercedes?

This has been a question that arises from time to time. I thought to provide some information on how it works to understand what is at play with these two DNS features.

Preface on Subnet Priortization and Round Robin:

Subnet priortization works by default. No other action is required. If you have multiple identical A records, then Round Robin will supercede.

If Round Robin is not needed, it can be disabled in order to take full advantage of Subnet Priortization, otherwise, Round Robin will superceded.

In scenarios involving ISA Enterprise, because ISA Enterprise is AD enabled, you can either publish the ISA records in AD, and if AD SItes are configured, the client site will be used first by the AD client side extension disregarding Round Robin and Subnet Priortization, unless there were multiple records in each AD Site.

Some have asked regarding if an ISA Array will work. It is possible to configure an ISA Array with multiple ISA Enterprise servers which will share their web cache, however this will nothelp Subnet Priortization or Round Robin, since the Array is considered as a single logical entity and published as such.

Nslookup is a good tool to test Round Robin, and will give you a general response purely based on DNS, but the results are as expected in a non-AD Site scenario, since it can’t test AD Sites responses.

You can also create an IE GPO for each Site. In the GPO, you would state the Proxy address for them to use.

Subnet Priortization and Round Robin Logic:

Keep in mind, Subnet Priortization and Round Robin work hand in hand, however, not necessarily so if an AD Site aware service is querying (such as the client side GetDcList function). If there are more than on in the same subnet, Round Robin will kick in, which DNS performs.

If there are more than one record, DNS will re-order the response with an IP that is in the same client subnet.

However, if Round Robin and Subnet Priortization is enabled, Round Robin wins.

If you do not want this default action to occur, that is you want to use Subnet Priortization, and AD Sites are not involved, you will need to disable Round Robin, otherwise, if both Round Robin and Subnet Prioritization are enabled, the server rotates among the A resource records. You may wish to check how it works if you disable the round robin if you have multiple separate subnets and you want a client to respond to a subnet closest to it’s own subnet.

The following passage on the specific logic was quoted from:
Configuring Subnet Prioritization
http://technet.microsoft.com/en-us/library/cc961422.aspx

[Begin Quote]
============

  • If Enable round robin is selected (the default) and the value of LocalNetPriority is 1:
  • The server rotates among the A resource records that it returns in the order of their similarity to the IP address of the querying client.
  • If Enable round robin is deselected and the value of LocalNetPriority is 1:
  • The server returns the records in local net priority order. It does not rotate among available addresses.
  • If Enable round robin is selected and the value of LocalNetPriority is 0 (the default):
  • The server rotates among the available records in the order in which the records were added to the database.
  • If Enable round robin is deselected and the value of LocalNetPriority is 0 (the default):
  • The server returns the records in the order in which they were added to the database. The server does not attempt to sort them or rotate the records it returns.

============
[/End Quote]

Subnet Priortization and Round Robin Example:

The following example was quoted from:
Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx

[Begin Quote]
===
For example, suppose there are three Web servers that all host the Web
page for www.reskit.com and they are all located on different subnets.
The DNS name server for the network contains the following resource records:

www.reskit.com.IN A172.16.64.11
www.reskit.com.IN A172.17.64.22
www.reskit.com.IN A172.18.64.33

When a Windows XP Professional‚Äďbased
computer’s DNS resolver (client) receives a response to the query for
the A record of www.reskit.com, it returns A records in order,
starting with the IP addresses from subnets to which the computer is
directly connected.

For example, if a computer with the IP address
172.17.64.93 is queried for www.reskit.com, the resolver returns the
resource records in the following order:

www.reskit.com.IN A172.17.64.22
www.reskit.com.IN A172.16.64.11
www.reskit.com.IN A172.18.64.33

Subnet prioritization prevents the
resolver from choosing the first IP address returned in the DNS query
and using the DNS server’s round robin feature (defined in RFC 1794.)
With round robin enabled, the server rotates the order of resource
records returned when multiple A resource records exist for a queried
DNS domain name.

Thus, in the example described earlier, if a user
queried for www.reskit.com, the name server replies to the first
client request by ordering the addresses as follows:

172.16.64.11
172.17.64.22
172.18.64.33

It replies to the second client request by ordering the addresses as follows:

172.17.64.22
172.18.64.33
172.16.64.11

It replies to the third client request by ordering the addresses as follows:

172.18.64.33
172.16.64.11
172.17.64.22

With round robin enabled, if clients are configured to use the first
IP address in the list that they receive, different clients will use
different IP addresses, thus balancing the load among multiple network
resources with the same name. However, if the resolvers are configured
for subnet prioritization, the resolvers reorder the list to favor IP
addresses from networks to which they are directly connected, reducing
the effectiveness of the round robin feature.

Although subnet prioritization does reduce network traffic across
subnets, in some cases you might prefer to have the round robin
feature work as described in RFC 1794. If so, you can disable the
subnet prioritization feature on your clients by adding the registry
entry PrioritizeRecordData with a value of 0 (REG_DWORD data type) in
the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
DnsCache\ Parameters

[…]
===========
[/End Quote]

 Windows 2003 and newer Operating Systems Subnet Priortization Feature Defaults to a Class C Subnet

Yep, that’s correct! We need to note and keep in mind, Windows 2003 and newer, will automatically assume it’s a Class C subnet, well more accurately, it’s set by default to look for a Class C subnet. If the environment is anything other than a Class C, all DNS servers must be configured with the correct mask used.

The process involves understanding a little binary math. We need to take into account by defining the Hosts part of the mask that is relative for netmask ordering for the subnet in the environment, otherwise DNS will not reorder it correctly and expected results will be incorrect when testing the feature.

This can be accomplished with the DNSCMD command.

For example, using DNSCMD to set the default settings for a 255.255.255.0 subnet, is:
Dnscmd /Config /LocalNetPriorityNetMask 0x000000FF

For anything other than a Class C, we need to alter the “/LocalNetPriorityNetMask” value to the environment’s subnet.

The last two characters in the value used for a Class C subnet (“0x000000FF”) is “FF.” This indicates the number of hosts bits (opposite of what some may think when looking at a mask in binary). Therefore the last two digits in the value is actually Hex. Hex FF, converted to Binary, is actually equal to 1111 1111, which is equal to “FF” in Hex.

Taking that into account, we can view a simple table with the base Class subnets:

For the base Classes, the values are:

Netmask  LocalPriorityNet
255.255.255.0      0x000000ff
255.255.0.0         0x0000ffff
255.0.0.0             0x00ffffff

To set it for something other than the default classes, such as for example a /22 (255.255.252.0 or 11111111.11111111.11111100.00000000), we see there are 10 bits for the hosts. Now change only the 0’s to 1’s and you get 1111111111. Convert that to hex, and you get 3FF. Therefore the command will be:
Dnscmd /Config /LocalNetPriorityNetMask 0x000003FF

Another example, if you have a /27 (255.255.255.224 or 11111111.11111111.11111111.11100000), convert the 0’s to 1’s –> 11111, convert that as a binary number to Hex, and we get 1F, therefore the command will be:
Dnscmd /Config /LocalNetPriorityNetMask 0x0000001F

Keep in mind, whatever the setting is, it MUST be set on ALL DNS servers in the environment.

Table: NetMasks broken down by CIDR to the necessary LocalPriorityNet Value
Note: Of course, some of the values can’t be used in the table, but I created the table to show all possible binary values.

NetMask                Binary                                                   CIDR    Comments                     LocalPriorityNet Value

255.255.255.255   11111111.11111111.11111111.11111111    /32      Host (single addr)          0x00000000
255.255.255.254   11111111.11111111.11111111.11111110    /31      Unuseable                     0x00000001
255.255.255.252   11111111.11111111.11111111.11111100    /30      2  useable                     0x00000003
255.255.255.248   11111111.11111111.11111111.11111000    /29      6  useable                     0x00000007
255.255.255.240   11111111.11111111.11111111.11110000    /28     14  useable                    0x0000000F
255.255.255.224   11111111.11111111.11111111.11100000    /27     30  useable                    0x0000001F
255.255.255.192   11111111.11111111.11111111.11000000    /26     62  useable                    0x0000003F
255.255.255.128   11111111.11111111.11111111.10000000    /25     126  useable                  0x0000007F
255.255.255.0¬†¬†¬†¬†¬† ¬†11111111.11111111.11111111.00000000¬† ¬† /24 ¬†¬†¬† “Class C” 254 useable¬†¬† 0x000000ff

255.255.254.0¬†¬†¬†¬† ¬†11111111.11111111.11111110.00000000¬† ¬† /23¬†¬†¬†¬† ¬†¬†2¬† Class C’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† ¬†0x000001FF
255.255.252.0¬†¬†¬†¬† ¬†11111111.11111111.11111100.00000000¬† ¬† /22¬†¬†¬†¬†¬† ¬†4¬† Class C’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† ¬†0x000003FF
255.255.248.0¬†¬†¬† ¬† 11111111.11111111.11111000.00000000¬† ¬† /21¬†¬†¬†¬† ¬†¬†8¬† Class C’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† ¬†0x000007FF
255.255.240.0¬†¬†¬† ¬† 11111111.11111111.11110000.00000000¬† ¬† /20¬†¬†¬† ¬†¬†16¬† Class C’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† ¬†0x00000FFF
255.255.224.0¬†¬†¬† ¬† 11111111.11111111.11100000.00000000¬† ¬† /19¬†¬† ¬†¬† 32¬† Class C’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† 0x00001FFF
255.255.192.0¬†¬†¬† ¬† 11111111.11111111.11000000.00000000¬†¬†¬† /18¬†¬†¬†¬† ¬†64¬† Class C’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† ¬†0x00003FFF
255.255.128.0¬†¬†¬† ¬† 11111111.11111111.10000000.00000000¬†¬†¬† /17¬†¬†¬† ¬†128¬† Class C’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† 0x00007FFF
255.255.0.0¬†¬†¬†¬†¬†¬†¬† ¬† 11111111.11111111.00000000.00000000¬† ¬† /16¬†¬†¬† ¬† “Class B”¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† ¬†0x0000ffff

255.254.0.0¬†¬†¬†¬†¬† ¬†¬†¬† 11111111.11111110.00000000.00000000¬† ¬† /15¬†¬†¬†¬† ¬†2¬† Class B’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† ¬†0x0001FFFF
255.252.0.0¬†¬†¬†¬†¬†¬†¬† ¬† 11111111.11111100.00000000.00000000¬†¬† ¬†/14¬†¬†¬† ¬†¬†4¬† Class B’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† 0x0003FFFF
255.248.0.0¬†¬†¬†¬†¬† ¬† ¬† 11111111.11111000.00000000.00000000¬† ¬† /13¬†¬†¬† ¬†¬†8¬† Class B’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† ¬†0x0007FFFF
255.240.0.0¬†¬†¬†¬†¬†¬† ¬†¬† 11111111.11110000.00000000.00000000¬†¬† ¬†/12¬†¬†¬† ¬†16¬† Class B’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† 0x000FFFFF
255.224.0.0¬†¬†¬†¬†¬†¬† ¬†¬† 11111111.11100000.00000000.00000000¬† ¬† /11¬†¬†¬† ¬†32¬† Class B’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† 0x001FFFFF
255.192.0.0¬†¬†¬†¬†¬† ¬†¬†¬† 11111111.11000000.00000000.00000000¬† ¬† /10¬†¬†¬† ¬†64¬† Class B’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† 0x003FFFFF
255.128.0.0¬†¬†¬†¬†¬† ¬†¬†¬† 11111111.10000000.00000000.00000000¬† ¬† /9¬†¬†¬† ¬† 128¬† Class B’s¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†0x007FFFFF
255.0.0.0¬†¬†¬†¬†¬†¬†¬†¬†¬† ¬†¬† ¬†11111111.00000000.00000000.00000000¬† ¬† /8¬†¬†¬†¬†¬† ¬†“Class A”¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† ¬†0x00ffffff

254.0.0.0              11111110.00000000.00000000.00000000    /7                                               0x01FFFFFF
252.0.0.0              11111100.00000000.00000000.00000000    /6                                               0x03FFFFFF
248.0.0.0              11111000.00000000.00000000.00000000    /5                                               0x07FFFFFF
240.0.0.0              11110000.00000000.00000000.00000000    /4                                               0x0FFFFFFF
224.0.0.0              11100000.00000000.00000000.00000000    /3                                               0x1FFFFFFF
192.0.0.0              11000000.00000000.00000000.00000000    /2                                               0x3FFFFFFF
128.0.0.0              10000000.00000000.00000000.00000000    /1                                               0x7FFFFFFF
0.0.0.0                  00000000.00000000.00000000.00000000    /0    IP subnet definition         0xFFFFFFFF

You can use the Dnscmd /Config /LocalNetPriorityNetMask 0x000000FF Dnscmd.exe command to restore Windows Server 2003 settings to the default settings.

More info on this value and setting:

Description of the netmask ordering feature and the round robin feature in Windows Server 2003 DNS
http://support.microsoft.com/kb/842197

Windows Vista, Windows 7 and Windows 2008 Behave Differently Compared to Older Operating Systems

Windows Vista, Windows 7¬†and Windows 2008 behaves a bit differently,¬†than XP or 2000. With Windows Vista, Windows 7 and Windows 2008 and Windows 2008 R2, it changes the way it handles Subnet Priortization a bit. Here’s more info, and keep in mind in mind it doesn’t mention Windows 7 or WIndows 2008 R2 directly, unless Microsoft updates the KB, but it applies to Windows 7 and WIndows 2008 R2 and future operating systems:

Windows Vista and Windows Server 2008 DNS clients do not honor DNS round robin by default
http://support.microsoft.com/kb/968920

Please check the following registry entry. This key with a value of 1, will disable NetMaskOrdering. Is it enabled?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DWORD = OverrideDefaultAddressSelection
Value data: = 1

DNS Round Robin and Destination IP address selection (talks about differences with Vista and 2008 non R2)
http://blogs.technet.com/b/networking/archive/2009/04/17/dns-round-robin-and-destination-ip-address-selection.aspx

However, AD Sites¬†should prevail in an AD environment. An AD client’s GetDcList functions¬†will use¬†Sites to determine which DC or GC to communicate with.

Therefore, basically:

Set the registry entry to 0 and the newer operating systems will behave like the older operating systems. If you leave the entry blank, such as the default with no entry, it results in the same effect as an entry equal to 1, that means no subnet mask preference.

To see the subnet mask ordering work on a Windows 7 client, you need to set up the following entry :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DWORD = OverrideDefaultAddressSelection
Value data: = 0

Summary:

If Active Directory Sites Are Involved with AD Aware Services:

AD Sites provide two basic things: Logon & Authentication control to
limit the auth request to only a GC/DC in it’s own site, and
replication traffic control between Sites. Replication is compressed
in Site to Site communications. Good for the WAN link. AD enabled apps
also use AD Sites.

You would first create a new Site giving it a unique Site Name. Then
create an IP Subnet Object that represents the subnet or subnets of
the location (you may and can create multiple IP SUbnet Objects if
needed), then associate the IP Subnet to the Site Name.

In the Site link, you will notice the default replication period is 3
hours. You can chop that down to as low as 15 minutes. You can’t go
lower, because that is the max time allotted for all DCs within a site
to be able to replicate changes between each other. If DCs are added,
the KCC jumps in and re-evaluates the intra site connection objects
between DCs to optimize and keep within the 15 minute alotment.

A standalone would rely simply on DNS’ ability to provide responses
either as Subnet prioritized, or Round Robin.

However, with AD Sites, and this works for AD enabled services and
entities (such as Exchange, client machines, etc). So AD aware apps
and services adds an extra twist and can be used to your advantage.
That was why I was asking if you are using ISA. ISA can be published
into AD, and set by GPO. This way a client in SiteA will always use
the ISA in SiteA.

However, if standalone servers are in use, and  you can disable Round Robin.

Thank you!!! Source: http://msmvps.com/blogs/acefekay/archive/2010/05/29/dns-and-subnet-priortization-amp-dns-round-robin.aspx

Update:

You need to enable this individually on each domain controller. This setting is not replicated. I pushed this setting via GPO using the corresponding registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\LocalNetPriority

^ DWORD; Value: 0√ó00000001 (decimal 1)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\LocalNetPriorityNetMask

^ DWORD; Value: 0x0000ffff (decimal 65535) ‚ÄĒ for /16 subnet; use 0x00ffffff for /8 or 0x000000ff for /24, etc.

 

Microsoft

System Center – SCOM, SCCM – All change!

  • Summary of Changes
    • Individual point products will no longer be available (SCCM, SCOM, etc.). All System Center Products will only be available as one cohesive suite.
    • Only Client Management Licenses and Server Management licenses will be available, the management servers themselves will no longer require licensing.
    • Software Assurance will be required across all System Center products.
    • There will be price increases across the board, with the largest financial impact being to organizations that had planned to implement this technology a la carte.
    • These changes are going into effect on February 1st, after which you will no longer be able to buy under the old licensing model.
Exchange 2010, Microsoft, Windows Server 2008 R2

Windows Server 2008 R2 RC and Exchange 2010 Beta

Well. This is just a short update.
I tried to install Exchange 2010 Beta onto Windows Server 2008 R2 RC today. It gave me some garbage – MICROSOFT EXCHANGE SERVER 2010 BETA IS NOT SUPPORTED ON THIS VERSION OF WINDOWS. INSTALL SERVER 2008 R2 BETA 7000.
Of course, RC is 7100.

Workaround: Edit the registry and alter HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\

BuildLab, BuildLabEx, CurrentBuild, CurrentBuildNumber

.. to reflect 7000 instead of 7100.

Summary: 10 item(s). 10 succeeded, 0 failed.

OK. Seems that there are various errors when using the management tools on the server.
The actual Exchange services themselves seem to be running OK.
Unfortunately, I don’t have an x64 desktop OS, so I can’t install the mangement tools at this time. I will verify when I can.

An example of one of these errors:

Microsoft, Office Communications Server

Office Communications Server 2007 R2 (OCS) – Multiple domain forest

Hello!
Well, I’ve been wanting to install Exchange 2007 and OCS 2007 R2 into a multi domain environment for a wee while now. When I say multiple domains, I mean parent and children.

Exchange 2007 was a doddle. No problems there at all. Each user can be assigned to their own logon domain and everything seamlessly works. Presuming your DNS configuration is sane.

I’ve finally got this working 100% seamlessly. Sadly, under the hood it’s a little bit messy – but no different to the way it had to be done to get Exchange 2003 working in a similar environment.

Unfortunately, at this moment in time, Office Communications Server (all versions) doesn’t really support multiple domains well, at all. If this lives in the parent domain, such as parent.com and your users live in child1.parent.com and child2.parent.com then the user logging into OCS technically has to be parent.com.

The one thing that OCS does provide is an ADSI variable that lets you link the SID (security identifier) of the user on child.parent.com to the user on the parent domain. This user doesn’t even have to be enabled.

Whilst this is a welcomed workaround that at least allows you to ‘seamlessly’ authenticate, it does pose a few other problems around managing your users and any Active Directory data that you may utilise – such as job title, manager, phone number.. you get the drift.

To get around these and calm down the nightmare a little, I wrote a script that will basically keep things in sync for the admins. Unfortunately, I cannot post the script here as my employer technically owns it.
What I can do, is tell you what variables are involved:

  1. msRTCSIP-PrimaryUserAddress
  2. msRTCSIP-OriginatorSid
  3. msRTCSIP-PrimaryHomeServer
  4. msRTCSIP-UserEnabled
  5. msRTCSIP-OptionFlags
  1. The primary user address is basically the sip address. It’s possible to populate this from the sAMAccountName plus the parent domain suffix. Remember the sip: prefix.
  2. The originator SID has to match up with the actual SID from the user in the child domain.
  3. Primary home server is the distinguished name of your OCS server. Kinda.
    Example: CN=LC Services,CN=Microsoft,CN=ServerName,CN=Pools,CN=RTC Service,CN=Services,CN=Configuration,DC=parent,DC=com
  4. UserEnabled: This generally should be set to TRUE. ūüôā
  5. OptionFlags: For some strange reason, I kept getting errors about the server being temporarily unavailable until I set this to 256.

Now these are just the required variables specific to OCS. You can also add things in such as mail, title, telephoneNumber, sn, givenName and so on.. you know the script.

It’s probably a good idea to scan all the domains and delete any ghost/dead users that no longer exist on the children as well as creating new ones that do.

Microsoft, Server Technologies

ADMT computer migration to new domain.

When using ADMT 3.1 (Active Directory Migration Tool) to migrate a computer from a domain to a new domain you may experience the error – “The security database on the server does not have a computer account for this workstation trust relationship.”

My environment is 2003 forest -> 2008 forest and 2008 child domain at 2003 native. I think this is irrelevent in this instance though.

However, it’s pretty important that if you ARE migrating between domains that you update (or set manually on the computer’s nic) DHCP server so that the DNS points at the new DNS server. If you have trusts and DNS configured properly this shouldn’t matter too much, but it certainly is best practice.

Also, probably more importantly. If you have any group policy configuration that sets the primary DNS suffix to OLDDOMAIN then this will stay in effect after the migration and probably cause the breakage discussed here.

Anyway, onto the fix.

If you fire up ADSIEdit.msc on the target domain after migration, check out properties of the computer object that you migrated and look for the variable – servicePrincipalName

You need to make sure that there are values in there of:
HOST/THECOMPUTERNAME
HOST/THECOMPUTERNAME.NEWDOMAIN
TERMSRV/THECOMPUTERNAME
TERMSRV/THECOMPUTERNAME.NEWDOMAIN

.. chances are only the TERMSRV records will exist.

This solved the trust issues here.