29. October 2009 23:54
A request came up in a newsgroup for a script which would automate the creation of a primary zone on one DNS server, enable zone transfers, and then configure a secondary zone on another DNS server. A first generation release of a script was posted today. If there is interest for a more flexible script which has more options for things like where the zone is stored, what the zone security is, etc, then I will gladly revise the script.
For now, it’s fully functional and a link ...
28. October 2009 09:50
Numbers are legal characters for a DNS name and best I can tell from my understanding of the RFCs, there is nothing against names with all numbers. In fact, I have customers that use number strings for their workstation names and I haven’t heard any screams. I realize that saying that “nothing bad has happened” doesn’t necessarily mean that it is “good” but we go by the info we have. What I do know is that all-numeric names in Active Director...
27. October 2009 20:38
There’s an interesting DNS registration behavior that occurs on domain controllers. I’m not sure that it only occurs on domain controllers but I do know that it isn’t normal behavior. Most of our hardware these days comes with two NICs as part of the standard package. On a standard server, this doesn’t really mean much for DNS registration. If both NICs are plugged in and configured, both NICs will register in DNS. If only one NIC is plugged in and configured but both a...
26. October 2009 13:01
There are quite a few schedules for Active Directory replication – some of which we are very aware of and some of which are better hidden and oft forgotten. Let’s start by looking at the connection object schedules.
Connection objects are created for replication partners with schedules which vary by whether the partner is intrasite or intersite. Schedules for intersite partners are generated from the site link on the transport – a mix of the schedu...
23. October 2009 05:42
Kinda by accident I came across an interesting behavior in Windows Server 2003 Remote Desktop. By default, on a Windows 2003 workgroup server, regardless of the user account rights or security group membership, remote desktop does not allow a user with a blank password to log on through Terminal Services. This is because of a policy setting called Accounts: Limit local account use of blank passwords to console logon only. However, via an odd series of steps, you can still log on with a...
22. October 2009 08:31
Enabling DNS Secure Only Updates
Prerequisites / Suggestions
This article aims to help us get started on the right track toward enabling DNS security in our organization in a way that best supports all our users while protecting our resources. As with any network change, the goal is to impact users and services as little as possible. This is best accomplished when other best practices have been followe...