Hello all, this is Eric again. Recently I was at a customer site finishing up a 2008 R2 (pre-SP1 – and there is a difference, as discussed in my update at the end) upgrade project, cutting over their last site, when the customer randomly mentioned something that he had seen when he built and promoted a new 2008 R2 DC a couple of days ago. He said that he’d built it from media, added anti-virus, and then promoted it, checking the DNS and GC boxes in the dcpromo wizard. He said that he didn’t do any further configuration, but noticed that when he looked at the Forwarders tab, it was automatically populated with his external Unix DNS servers that are in his DMZ, and asked me how this could have happened. I told him that I was 99.999% sure that it was not getting it via replication, unless there was some new feature that I didn’t know about, since forwarders are stored in the registry (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DNS\Parameters – in the “Forwarders” REG_MULTI_SZ value), and not in any replicated directory partition, like conditional forwarders (if configured to do so).

So that being the case, I started looking into it, and in my research I saw a lot of questions in the forums asking the same thing, but people were getting inconsistent results in regards to what was actually being populated in their forwarders. With that finding, I decided to turn to the lab to get conclusive answers for the different behaviors that were being reported (since I didn’t find much internally discussing the scenario). Essentially the settings are not replicated, but populated upon installation of DNS during the DCPromo process; however, the result of what is populated in the forwarders will vary based on your current configuration.
Note: When watching what was going on using Procmon (or attempting to, anyhow) filtered for DNS.exe during the DCPromo process, the DCPromo process fails with the following error: “Overlapped I/O operation is in progress”. I tried a few more times, but it kept failing until I stopped Procmon, so don’t waste your time trying this; apparently it won’t promote with Procmon running.
So here are the scenarios that I tested and my findings in those scenarios.
Note: As far as following along with the Repro steps below, it’s assumed that you already have a forest built with multiple DC/DNS servers already in place.
Scenario 1:
Repro Setup:
You’re promoting a new 2008 R2 DC named DC3.
DNS is NOT installed prior to promotion.
DC3 points to DC1 (primary) and DC2 (secondary) for DNS.
DC1 has the following server defined on the forwarders tab: 4.2.2.1
DC2 has the following server defined on the forwarders tab: 4.2.2.2
Expected behavior once the DC is promoted:
Once you promote the DC and open DNS to look at the forwarder settings, you will find that DC3 has copied the forwarder settings of the primary DNS server that was defined in the TCP/IP settings – 4.2.2.1
Scenario 2:
Repro Setup:
You’re promoting a new 2008 R2 DC named DC3.
DNS is NOT installed prior to promotion.
DC3 points to DC1 (primary) and DC2 (secondary) for DNS.
DC1 has the following server defined on the forwarders tab: no defined forwarders
DC2 has the following server defined on the forwarders tab: 4.2.2.2
Expected behavior once the DC is promoted:
Once you promote the DC and open DNS to look at the forwarder settings, you will find that DC3 has copied the forwarder settings of the secondary DNS server that was defined in the TCP/IP settings – 4.2.2.2. In this case the primary DNS server had no defined forwarder settings, so it used what was defined on the secondary DNS server. This is done to try to guarantee functional name resolution.
Scenario 3:
Repro Setup:
You’re promoting a new 2008 R2 DC named DC3.
DNS is NOT installed prior to promotion.
DC3 points to DC1 (primary) and DC2 (secondary) for DNS.
DC1 has the following server defined on the forwarders tab: no defined forwarders
DC2 has the following server defined on the forwarders tab: no defined forwarders
Expected behavior once the DC is promoted:
Once you promote the DC and open DNS to look at the forwarder settings, you will find that DC3 has added DC1 and DC2 as the servers defined in the forwarders tab. DC3 found no forwarder settings to copy because DC1 and DC2 had none defined.
Scenario 4:
Repro Setup:
Repeat Scenarios 1 through 3.
This time install DNS prior to promoting.
Expected behavior once the DC is promoted:
In these scenarios you should get the same results as you do in Scenarios 1 through 3.
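To tell which of these behaviors a freshly promoted DC actually exhibited, here is an added PowerShell check written for this post’s scenarios (example code, not part of the original entry). Since forwarders live in the DNS Parameters registry key rather than in a replicated partition, it reads that value from the new DC and from each DNS server listed in the new DC’s TCP/IP settings, then reports whether the new DC’s forwarders were copied from the first upstream server that had any (Scenarios 1 and 2) or are the upstream servers themselves (Scenario 3). It assumes PowerShell 2.0 on 2008 R2, the Remote Registry service reachable on the DNS servers with an account that can read it, and the server name DC3 from the repro steps.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0 on 2008 R2,
# an account that can read the remote registry on each DNS server (Remote
# Registry service running there), and the DC names used in the repro steps.

$DnsParamsKey = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-RegForwarders {
    param([string]$ComputerName)
    # Forwarders live in the registry, not in a replicated partition, so read the
    # value directly from each server. An empty list means "no forwarders" or
    # "DNS role not installed on that box".
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $base.OpenSubKey($DnsParamsKey)
    } catch { Write-Warning "Cannot open registry on ${ComputerName}: $_"; return @() }
    if ($key -eq $null) { return @() }
    $value = $key.GetValue('Forwarders')
    if ($value -eq $null) { return @() }
    # REG_MULTI_SZ comes back as string[]; 2003-style REG_SZ storage is space separated
    if ($value -is [string]) { return @($value -split '\s+' | Where-Object { $_ }) }
    return @($value)
}

function Get-TcpIpDnsServers {
    param([string]$ComputerName)
    # Primary then secondary DNS server from the NIC's TCP/IP settings, in order
    Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $ComputerName -Filter 'IPEnabled = True' |
        ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Select-Object -Unique
}

function Resolve-HostName {
    param([string]$HostOrIp)
    # Remote registry wants a name it can authenticate to; fall back to the IP if reverse lookup fails
    try { return [System.Net.Dns]::GetHostEntry($HostOrIp).HostName } catch { return $HostOrIp }
}

function Test-SameList {
    param([string[]]$A, [string[]]$B)
    if ($A.Count -ne $B.Count) { return $false }
    if ($A.Count -eq 0) { return $true }
    return -not (Compare-Object -ReferenceObject $A -DifferenceObject $B)
}

function Get-ForwarderOrigin {
    param([string]$NewDc = 'DC3')
    $newFwd   = @(Get-RegForwarders -ComputerName $NewDc)
    $upstream = @(Get-TcpIpDnsServers -ComputerName $NewDc)
    $verdict  = 'No forwarders configured on the new DC'

    if ($newFwd.Count -gt 0 -and (Test-SameList $newFwd $upstream)) {
        # Scenario 3: nothing to copy upstream, so dcpromo used the TCP/IP DNS servers themselves
        $verdict = 'Forwarders are the TCP/IP DNS servers (Scenario 3 behavior)'
    } elseif ($newFwd.Count -gt 0) {
        $verdict = 'Forwarders match neither upstream forwarders nor upstream servers (set by hand?)'
        foreach ($srv in $upstream) {
            $srvFwd = @(Get-RegForwarders -ComputerName (Resolve-HostName $srv))
            if ($srvFwd.Count -eq 0) { continue }   # nothing to copy here; dcpromo falls through to the next server
            if (Test-SameList $newFwd $srvFwd) { $verdict = "Forwarders copied from $srv (Scenario 1/2 behavior)" }
            break   # only the first upstream server that has forwarders matters
        }
    }

    New-Object PSObject -Property @{
        NewDc           = $NewDc
        TcpIpDnsServers = ($upstream -join ', ')
        Forwarders      = ($newFwd -join ', ')
        Verdict         = $verdict
    }
}

Get-ForwarderOrigin -NewDc 'DC3' | Format-List
```

Run it from any machine in the forest with administrative rights on DC1, DC2 and DC3; the Verdict line maps straight onto the scenario list above, and a “set by hand?” verdict is worth a second look, since the forwarders then came from neither source dcpromo would have used.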
So now everyone’s next question is: how can I disable the auto-populate feature? Personally I like it, at least when used in Scenarios 1 and/or 2. For those of you that want to turn the feature off, however, you’re out of luck, at least as far as I know. I found some cases that mentioned modifying the following key would do the trick, assuming you installed DNS prior to promoting, but my testing didn’t show this as working:
Registry key – HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\AdministratorConfigured
Value – AdminConfigured
Type – DWORD
Data – 1
I should note, however, that the cases were specific to 2003, even though I don’t ever recall seeing this behavior in 2003. Also of note, even when you have DNS installed, the “AdministratorConfigured” key does not exist. If you look under Parameters, however, you will see an AdminConfigured value; in testing I also modified that (when promoting with DNS already installed), but that also had no impact.
If I do figure out how to disable this, I’ll update the post.
UPDATE (3/13/2011): OK, you in fact are not out of luck, should you want to disable the auto-population of forwarders. You can disable it; however, since this behavior is only triggered during the dcpromo process, you have to create a DCPromo answer file using the “SkipAutoConfigDNS” parameter in order to do so. In order for this to work, though, you also have to have DNS pre-installed prior to promoting. More info on the parameter can be found here: http://technet.microsoft.com/en-us/library/cc732887(WS.10).aspx
Personally I like the feature, especially when used in scenarios 1 and/or 2 where the DNS servers that your new DC points to have forwarder values. The other thing, regarding trying to disable the feature via the answer file, is that in most cases, it would take more time to set the DC up the way that it needs to be to disable the auto forwarder population than it would to just go change the forwarders after the promotion process.
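For those who do want the answer-file route, here is what it looks like as an added example (not from the original post or the TechNet page): a PowerShell snippet for 2008 R2 that pre-installs the DNS role, as the update requires, then writes a minimal replica-DC answer file with SkipAutoConfigDNS=Yes and hands it to dcpromo. The domain name, site name and paths are assumed placeholders to replace with your own; the DSRM password is prompted for rather than stored in the script, but it still ends up in the answer file in clear text, so remove the file once the promotion has completed.

```powershell
# Added example, not from the original post. Assumes 2008 R2 with PowerShell 2.0
# and the ServerManager module; domain, site and paths below are placeholders.

function New-DcPromoAnswerFile {
    param(
        [string]$DomainDnsName = 'corp.example.test',        # placeholder domain
        [string]$SiteName      = 'Default-First-Site-Name',  # placeholder site
        [string]$Path          = "$env:TEMP\dcpromo-unattend.txt"
    )
    # Prompted here so the password never lives in this script; it does land in
    # the answer file, which is why the file is removed after promotion.
    $dsrmPassword = Read-Host 'DSRM (SafeModeAdmin) password for the answer file'

    # SkipAutoConfigDNS=Yes is the switch that stops dcpromo populating the
    # Forwarders tab; it only takes effect when the DNS role is already installed.
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDnsName
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
SkipAutoConfigDNS=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPassword
RebootOnCompletion=Yes
"@ | Set-Content -Path $Path -Encoding ASCII
    return $Path
}

# 1. DNS role first, otherwise SkipAutoConfigDNS is ignored (no-op if already installed)
Import-Module ServerManager
Add-WindowsFeature DNS | Out-Null

# 2. Write the answer file and promote with it
$answerFile = New-DcPromoAnswerFile
if ((Read-Host "Promote this server using $answerFile now? (y/n)") -eq 'y') {
    & dcpromo.exe "/unattend:$answerFile"
}
# 3. After the reboot: Remove-Item $answerFile -Force  (the file holds the DSRM password)
```

After the promotion, the Forwarders tab on the new DC is empty rather than pre-filled, and the rest of the DNS configuration is whatever you set by hand, which is exactly the trade-off described above: a bit more setup work in exchange for no surprises in the forwarder list.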
UPDATE (7/20/2011): I’ve been sitting on this update for a bit too long, but I’m finally getting around to updating the blog. So when I wrote the original blog entry, Windows Server 2008 R2 Service Pack 1 wasn’t out yet. Since it came out, I’ve done a number of DC cutovers from 2003 to 2008 R2 SP1, and I expected to see the results that I had posted above for what I would find in the forwarders of my new 2008 R2 SP1 DC/DNS server; however, I didn’t. Regardless of pointing to two DNS servers that both had forwarders, it did not pull those forwarders to use in its own configuration. It did, however, use the Primary and Secondary DNS servers that I had defined in the TCP/IP settings, as seen in Repro Scenario 3. Lab tests showed the same results.