DNS availability on domain controller delayed after restore

[bc07]

Environment:
- Windows 2003 domain (maybe applies to 2008 too)
- multiple remote sites with domain controller and replication from/to them
- restored DC has no connection to any other domain controller
- DNS is integrated in Active Directory
- sub domain on remote DC (not sure if that is relevant or not)

Symptoms:
- restored DC boots up with a bunch of errors that it cannot contact other DCs
- DNS is not available (cannot contact server)
- Active directory is accessible and authentication works

Issue:
DC wants to replicate to other DC after boot and tries that for a while and doesn’t active DNS until replication times out which could take an hour.

I worked on this issue with Veeam support and Cody from support found a registry key that disables the initial replication. With that key set DNS is available right after booting the DC. This is helpful for test environments and SureBackup jobs which require a working DC with DNS.
This is the key that needs to be set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value name: Repl Perform Initial Synchronizations
Value type: REG_DWORD
Value data: 0

The implementation to have that key set automatically was tricky and took me a few days to figure out. I wrote a vbs script that checks during system start (windows task scheduler run with a user that has permissions to reboot server and set registry key) of the domain controller if that other local domain controller is available (via ping) and also if all three vhosts are pingable (where the DC could be on), if all the devices are not reachable the registry key is set and the domain controller reboots around 7 minutes later.

You save this as vbs file in a folder of your domain controller and modify the four IP addresses with the ones you want to check for availability:

Code: Select all

strComputer = "."

Const HKEY_LOCAL_MACHINE = &H80000002

Set objRegistry = GetObject("winmgmts:\\" & _ 
    strComputer & "\root\default:StdRegProv")

dim filesys
Set filesys = CreateObject("Scripting.FileSystemObject")
Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell") 
 
strKeyPath = "SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
strValueName = "Repl Perform Initial Synchronizations"
objRegistry.GetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
strValueb = 0

If IsNull(strValue) Then
  'The registry key does not exist

strTarget = "172.x.x.11" 'other local DC
strTargetb = "172.x.x.1" 'vhost1
strTargetc = "172.x.x.2" 'vhost2
strTargetd = "172.x.x.3" 'vhost3
Set objWMIService = GetObject("winmgmts:" _
 & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colPings = objWMIService.ExecQuery _
 ("Select * From Win32_PingStatus where Address = '" & strTarget & "'")
If Err = 0 Then
  Err.Clear
  For Each objPing in colPings
    If Err = 0 Then
      Err.Clear
      If objPing.StatusCode = 0 Then
	'response from 1st

      Else

	Set colPingsb = objWMIService.ExecQuery _
	 ("Select * From Win32_PingStatus where Address = '" & strTargetb & "'")
	If Err = 0 Then
	  Err.Clear
	  For Each objPingb in colPingsb
	    If Err = 0 Then
	      Err.Clear
	      If objPingb.StatusCode = 0 Then
		'no response 1st but response2

	      Else

		Set colPingsc = objWMIService.ExecQuery _
		 ("Select * From Win32_PingStatus where Address = '" & strTargetc & "'")
		If Err = 0 Then
		  Err.Clear
		  For Each objPingc in colPingsc
		    If Err = 0 Then
		      Err.Clear
		      If objPingc.StatusCode = 0 Then
			'no response 1st and 2nd but response3

		      Else

			Set colPingsd = objWMIService.ExecQuery _
			 ("Select * From Win32_PingStatus where Address = '" & strTargetd & "'")
			If Err = 0 Then
			  Err.Clear
			  For Each objPingd in colPingsd
			    If Err = 0 Then
			      Err.Clear
			      If objPingd.StatusCode = 0 Then
				'no response 1st and 2nd and 3rd but response4

			      Else
			        'no response 1st and 2nd and 3rd and 4th
  				objRegistry.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValueb
   				 If Not filesys.FileExists("C:\Documents and Settings\All Users\Desktop\REPL DISABLED.txt") Then
 				 filesys.CopyFile "C:\WINDOWS\REPL DISABLED.txt", "C:\Documents and Settings\All Users\Desktop\"
  				 End If
				 WScript.Sleep 450000
				  objShell.Run "C:\WINDOWS\system32\shutdown.exe -r -t 0"

			      End If
			    Else
			      Err.Clear
			       'Unable to call Win32_PingStatus   
			    End If
			  Next
			Else
			  Err.Clear
			  'Unable to call Win32_PingStatus
			End If

		      End If
		    Else
		      Err.Clear
		      'Unable to call Win32_PingStatus      
		    End If
		  Next
		Else
		  Err.Clear
		  'Unable to call Win32_PingStatus
		End If

	      End If
	    Else
	      Err.Clear
	      'Unable to call Win32_PingStatus      
	    End If
	  Next
	Else
	  Err.Clear
	  'Unable to call Win32_PingStatus
	End If

      End If
    Else
      Err.Clear
      'Unable to call Win32_PingStatus      
    End If
  Next
Else
  Err.Clear
  'Unable to call Win32_PingStatus
End If


Else
    ' the regkey exists
End If

Just in case the registry key is set when it shouldn’t be set and I cannot remembers it, I added in the script to copy a simple text file (REPL DISABLED.txt) to the All Users desktop that replication is disabled. Here is the text file which I put in c:\windows:

Code: Select all

Replication is disabled to speedup Domain/DNS startup when other domain controllers and sites are not available.

To activate Replication remove this entry in the regsitry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Repl Perform Initial Synchronizations

and reboot!

I hope that helps some people who have the same issue. Any comments or suggestions?

[Gostev]

My only comment is I think we need to be setting this registry key ourselves as a part of SureBackup job. We are already setting one registry key to facilitate SureBackup for DCs, so adding additional key should be super easy. I will pass this onto corresponding developer. Thanks.

[bc07]

Cody from Veeam support told they want to add this regkey the same way you add the other key. But no update when that'll be added, I assume with the next "maintenance" release? In the meantime the script should be an acceptable workaround.

[Gostev]

Yes, probably next release only (whatever this is going to be). Potentially, we could always make a patch for 5.0.2, but probably the issue is not critical enough for me to justify this activity with devs (especially given that workaround exists). Thanks.

[aharvey]

This would be a great feature to have incorporated into the product. I've been looking for a way to speed up bringing AD (DNS) online in a multi-DC environment. Currently it takes way too long for AD to become fully functional when it keeps looking for replication partners and doesn't have any available (our other DCs are physical boxes). This in-turn causes Exchange and other apps to not come online normally which slows the U-AIR restoration process way down.

I just wanted to throw my vote in to get the registry key change automated through Veeam to disable initial replication.

[mrt]

My only comment is I think we need to be setting this registry key ourselves as a part of SureBackup job. We are already setting one registry key to facilitate SureBackup for DCs, so adding additional key should be super easy. I will pass this onto corresponding developer. Thanks.

May I ask what this other registry key is? I'm using DC replicas in a manually created lab and therefore the SureBackup process isn't available to me.

[Reimold]

Yes, probably next release only (whatever this is going to be). Potentially, we could always make a patch for 5.0.2, but probably the issue is not critical enough for me to justify this activity with devs (especially given that workaround exists). Thanks.

Will this be included in v6 ?

Thanks

Dirk

[Gostev]

Yes, it is included in v6.

[bc07]

We are still running on version 5, waiting for 6.0.1 before upgrading

I just had to do a test where getting up the domain controller and DNS was not enough. I noticed that I is better to use a domain controller which does not replicate with any other sites even if it does not hold any roles like FSMO, PDC etc.
If you use this DC which is not hub and point for replication you don't have the hassle with getting all essential functions running required for proper domain authentication.
I tried to do it with the DC that was the replication point, and holds some roles and every time I tried to use a webapplication which uses a MSSQL database on another server I got access denied. I also got access denied when I tried to open the mmc for AD User and Computer from the webserver with selecting the domain controller.

[Gostev]

We are still running on version 5, waiting for 6.0.1 before upgrading

Enrico, I have to warn that this will be a long wait, because we are not planning for 6.0.1 release... all outstanding issues are being addressed with patches. And the next patch (#3) is looking like this will be the last patch we will need to release.

[bc07]

Enrico, I have to warn that this will be a long wait, because we are not planning for 6.0.1 release... all outstanding issues are being addressed with patches. And the next patch (#3) is looking like this will be the last patch we will need to release.

Well you could combine the patches and make 6.0.1 out of it?

[Gostev]

Thing is, every "maintenance" release bring at least 3-4 weeks overhead of full regression testing as well as upgrade testing, plus a bunch of other mandatory activities, so we only do this when there are truly critical issues affecting most customers. In cases when the maintenance release is not really needed, we would much rather spend this month moving the product forward to the next release.

[Christian33]

Hello,

currently we creating a test system with veeam backups. The test system is on an separate vmware esx host with no NIC configured.
The problem is the restore from the ad servers. The servers are running but the dns service is not real working. No remote desktop server can join the domain and no user can connect to the remote desktop server.
The AD server use Windows Server 2003 and 2008. A new 2012 R2 will start in a few days

Have you an idea what is the problem ?

[dellock6]

Not so much with these few informations. But what does it mean without NICs? How it can read or write data, and how users can connect to the remote desktop without any network????

[Christian33]

The servers are connected to a test network. This test network has no nic in the vsphere configuration. The test system has a separate network with no uplink to the wan and the produktiv network.

Currently the user can only connect over the vsphere console to the server.

[Christian33]

I have tested the registry solution. It's not working.

The remote desktop server can't join the domain. The message is:

No connection to the dc (domain.local).

In the error log i can see that he find the both dc ad01 and ad02.
This dcs can be reach with a ping. The domain.local can be also pinged.

Have you another solution or idea what is the problem ?

[Christian33]

I have restored the server again and we have the same issue.

I have tested the following things:
- Registry Configuration DNTS
- Change the network to private (default gateway must be changed to an available server in the test network)

Ping is working fine from the test servers to the ad01 (2k3) and ad02 (2k8). But the ping of the ad-servers to the test servers works well.
The test server can not be connected to the domain.