1. Runs 15 minutes after the DC boots up (15 minutes after the NTDS service starts, in Win2008 or later)
2. Runs every 12 hours (by default) after that first time in #1
3. Runs on the interval set in the garbageCollPeriod attribute if you want to override the default 12 hours (minimum supported is hour, no less)
4. Runs when forced with doGarbageCollection

Manually running collection does not alter the schedule or “reset the timer”; only the boot/service start changes that, and only garbageCollPeriod alters the next time it will run automagically.

Therefore, if you wanted to control when it runs on all DCs and get them roughly “in sync”, restarting all the DCs or their NTDS services would do it. Just don’t do that to all DCs at precisely the same time or no one will be able to logon, mmmmkaaay?
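To turn the four rules above into something you can check on a live DC, here is an added example (mine, not from the original post). It assumes the NTDS start time can be approximated by the lsass.exe process start time (NTDS runs inside lsass on a DC), reads garbageCollPeriod from the Directory Service object in the Configuration partition, and treats an unset attribute as the 12-hour default:

```powershell
# Added example, not from the original post.
# Work out when the next automatic garbage collection is due on this DC.
Import-Module ActiveDirectory

function Get-NextGarbageCollection {
    param(
        [Parameter(Mandatory)][datetime]$ServiceStart,  # when NTDS started
        [int]$PeriodHours = 12,                          # garbageCollPeriod, or the 12h default
        [datetime]$Now = (Get-Date)
    )
    # Rule 1: first run is 15 minutes after NTDS starts.
    # Rules 2/3: then every $PeriodHours. A manual doGarbageCollection does not
    # move this timeline, so it is deliberately not an input here.
    $next = $ServiceStart.AddMinutes(15)
    while ($next -le $Now) { $next = $next.AddHours($PeriodHours) }
    return $next
}

# Read the configured period from CN=Directory Service in the Configuration NC.
$config = (Get-ADRootDSE).configurationNamingContext
$dsObj  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$config" `
                       -Properties garbageCollPeriod
$period = if ($dsObj.garbageCollPeriod) { [int]$dsObj.garbageCollPeriod } else { 12 }

# Assumption: lsass.exe start time stands in for the NTDS service start time.
$ntdsStart = (Get-Process -Name lsass).StartTime

"garbageCollPeriod in effect : $period hour(s)"
"NTDS (lsass) started        : $ntdsStart"
"Next automatic collection   : $(Get-NextGarbageCollection -ServiceStart $ntdsStart -PeriodHours $period)"
```

Run it on each DC after a staggered restart to confirm the schedules landed roughly where you wanted them.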
I’ve read your post on filtering group policy using WMI. The piece about Core versus Full was quite useful. Is there a way to filter based on installed roles and features though?
Yes, but only on Windows Server 2008 and later server SKUs, which support a class named . This class returns an array of ID properties that populates only after installing roles and features. Since this is WMI, you can use WMIC.EXE to see this before monkeying with the group policy:
So if you wanted to use the WQL filtering of group policy to apply a policy to Win2008 FAX servers, for example:

On a server without the FAX Server role, the policy does not apply:
If you still care about FAXes though, you have bigger issues.
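As an added example (mine, not from the original post), here is the same workflow in PowerShell: list what the role/feature class reports on a box, then evaluate a candidate WQL filter the way the group policy engine does. It assumes Win32_ServerFeature in root\CIMv2 (the Win2008-and-later roles/features class) is the class the answer refers to, and that ‘Fax Server’ and ‘DNS Server’ are the Name values you would see for those roles:

```powershell
# Added example, not from the original post.
# Assumption: Win32_ServerFeature is the roles/features class discussed above.

# 1. See what is installed, with the ID a WQL filter could key on.
#    (The WMIC equivalent is: wmic path Win32_ServerFeature get ID,Name)
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_ServerFeature |
    Select-Object ID, Name | Sort-Object ID | Format-Table -AutoSize

# 2. A GP WMI filter applies the policy when its query returns at least one
#    instance; evaluate a candidate query locally exactly that way.
function Test-GpWmiFilter {
    param([Parameter(Mandatory)][string]$Query)
    $hits = @(Get-CimInstance -Namespace root\CIMv2 -Query $Query -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Query   = $Query
        Applies = ($hits.Count -gt 0)   # $true = the policy would apply here
        Matches = $hits.Count
    }
}

# Filtering on Name rather than a hard-coded ID keeps the filter readable to the
# next admin who has to review it; on a server without the role, Applies = $false.
Test-GpWmiFilter -Query "SELECT * FROM Win32_ServerFeature WHERE Name = 'Fax Server'"
Test-GpWmiFilter -Query "SELECT * FROM Win32_ServerFeature WHERE Name = 'DNS Server'"
```

Because the class only enumerates installed roles, a filter like this also doubles as a cheap check that a policy meant for one role has not quietly started applying to servers that no longer carry it.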
We’re having issues with binding Macs (OS 10.6.8 and 10.7) to our AD domain that uses a ‘.LOCAL’ suffix. Apple is suggesting we create IPv6 AAAA and PTR records for all our DCs. Is this the only solution and could it cause issues?
That’s not the first time Apple has had issues with .local domains and it may not be your only problem. Moreover, it’s not only Apple’s issue: .local is a pseudo top-level domain suffix used by multicast DNS. As our friend points out, it can lead to other aches and pains. There is no reason to use .local, and the MS recommendation is to register your top-level domains, then create roots based off children of that: for example, Microsoft’s AD forest root domain is .microsoft.com, then uses geography to denote other domains, like ; geography usually doesn’t change faster than networks. The real problem was timing: AD was in development several years before the .local RFC was released. Then mDNS had little usage in the next decade, compared to standard DNS. AD itself doesn’t care what you do as long as you use valid DNS syntax. Heck, we even used it automatically when creating Small Business Server domains.

Enough rambling. There should be no problem adding unused, internal network IPv6 addresses to DNS; Win2008 and later already have IPv6 ISATAP auto-assigned addresses that they are not using either. If that’s what fixes these Apple machines, that’s what you must do. You should also add matching IPv6 network “subnets” to all your AD sites as well, just to be safe.
Although if it were me, I’d push back on Apple to fix their real issue and work with this domain, as they have done previously. This is a client problem on their end that they need to handle – these domains predate them by more than a decade. All they have to do is examine the SOA record and it will be clear that this is an internal domain, then use normal DNS in that scenario.
Oh, or you could rename your forest.
Sorry, had to do it. ツ
We were reviewing your previous site coverage blog post. If I use this registry item on DCs in the two different sites to cover a DC-less site, will I get some form of load balancing from clients in that site? I expect that all servers with this value set will create SRV records in DNS to cover the site, and that DNS will simply follow normal round-robin load balancing when responding to client requests. Is this correct?
, who continues to rock even after he traitorously left us for PFE – Ned]
From a client perspective, all that matters is the response they get from DC/DNS from invoking DCLocator. So for clients in that site, I don’t care how it happens, but if DCs from other sites have DNS records registered for the DC-less site, then typical DNS round robin will happen (assuming you haven’t disabled that on the DNS server).
For me, the question is… “How do I get DCs from other sites to register DNS records for the DC-less site?” Review this:
I’m partial to using group policy though. I think it’s a cleaner solution. You can find the GP setting that does the same thing here:
Simply enable the setting, enter the desired site, and make sure that it only applies to the DCs you want it to apply to (you can do this with security filtering).
Anyway, so I set this up in my lab just to confirm everything works as expected.
Notice TestCoverage has no DCs.
My site links:
Corp-HQ is my hub, so auto site coverage should determine the DCs in Corp-HQ are closest and should therefore cover site TestCoverage.
Whaddya know, Infra-DC1 is covering site TestCoverage as expected.
Next I enable the GPO I pointed out and apply it only to Infra-DC2 and voila! Infra-DC2 (which is in the Corp-NA site) is now also covering the TestCoverage site:
You have a slightly more complicated scenario because auto site coverage has to go one step farther (using the alphabet to decide who wins) but in the end, the result is the same.
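To reproduce the lab check above on your own DCs, here is an added example (mine, not from the original post). It assumes the site name TestCoverage and the domain contoso.com are placeholders for your own, that the GP setting writes the SiteCoverage value under Netlogon\Parameters, and that the site-specific _ldap._tcp SRV records under _sites.dc._msdcs are the ones DCLocator uses for that site:

```powershell
# Added example, not from the original post. Placeholders: contoso.com, TestCoverage.
param(
    [string]$Domain = 'contoso.com',
    [string]$Site   = 'TestCoverage'
)

# 1. What this DC has been told to cover via the registry item / GP setting.
#    An empty result means only automatic site coverage is in play.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                 -Name SiteCoverage -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty SiteCoverage

# 2. Site-specific LDAP SRV records: every NameTarget listed here is a DC covering
#    the site, and DNS round robin rotates their order per response unless you
#    disabled round robin on the DNS server.
$srv = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
Resolve-DnsName -Name $srv -Type SRV |
    Where-Object QueryType -eq 'SRV' |
    Select-Object NameTarget, Priority, Weight, Port

# 3. What a client in that site actually gets from the DC locator; repeat a few
#    times to watch the answer rotate between the covering DCs.
1..3 | ForEach-Object {
    nltest /dsgetdc:$Domain /site:$Site | Select-String '^\s*DC:'
}
```

If step 2 lists a DC that step 1 does not mention on any DC, that record came from automatic site coverage rather than the GP setting.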
We’re seeing very high CPU usage in DFSR and comparably poor performance. These are brand new servers - just unboxed from the factory - with excellent modern hardware. Are there any known issues that could cause this?
[Not mine, but instead paraphrased from an internal conversation with MS hardware experts; this resolved the issue – Ned]
Set the hardware C-State to maximize performance and not save power/lower noise. You must do this through the BIOS menu; it’s not a Microsoft software setting. We’ve also seen this issue with SQL and other I/O-intensive applications running on servers.
Can NetApp devices host DFS Namespace folder targets?
NetApp community article suggests that it works. Microsoft has no way to validate if this is true or not, but it sounds ok. In general, any OS that can present a Windows SMB/CIFS share should work, but it’s good to
How much disk performance reduction should we expect with DFSR, DFSN, FRS, Directory Services database, and other Active Directory “stuff” on Hyper-V servers, compared to physical machines?
We published a Virtual Hard Disk Performance whitepaper without much fanfare last year. While it does not go into specific details around any of those AD technologies, it provides tons of useful data for other enterprise systems like Exchange and SQL. Those apps are very “worst case” as they tend to write much more than any of ours. It also thoroughly examines pure file IO performance, which makes for easy comparison with components like DFSR and FRS. It shows the metrics for physical disks, fixed VHD, dynamic VHD, and differencing VHD, plus it compares physical versus virtual loads (spoiler alert: physical is faster, but not as much as you might guess).
It’s an interesting read and not too long; I highly recommend it.
(in black) was nearly beaten in his last marathon by a Pekinese:
Looks ‘shopped, I’m pretty sure the dog had him
Weirdest Thanksgiving greeting I received last month?
“Have a great Turkey experience.”
Autumn is over and is there (video SFW, site is often… not):
On a related topic, Microsoft has an internal distribution alias for these types of contingencies:
“A group whose goal is to formulate best practices in order to ensure the safety of Microsoft employees, physical assets, and IP in the event of a Zombie Apocalypse.”
This is the last mail sack before 2012, as I am a lazy swine going on extended vacation December 16th.
have some posts in the pipeline to keep you occupied. Next year is going to be for AskDS, as Windows 8 info should start flooding out and we have all sorts of awesome plans. Stay tuned.