Posts Tagged ‘Server’


When you add domain controllers to a site, Active Directory uses the Knowledge Consistency Checker (KCC) to establish a replication path between domain controllers.


What is Knowledge Consistency Checker?

The KCC is a built-in process that runs on each domain controller and generates the replication topology for all directory partitions contained on that domain controller. The KCC runs at specified intervals (every 15 minutes by default) and designates replication routes between domain controllers that are the most favorable connections available at the time.


How KCC works?

To automatically generate a replication topology, the KCC evaluates information in the configuration partition on sites, the cost of sending data between these sites, any existing connection objects, and the replication protocols that can be used between the sites. Next, the KCC calculates the best connections for a domain controller’s directory partitions to other domain controllers. Additionally, if replication within a site becomes impossible or has a single point of failure, the KCC automatically establishes new connection objects between domain controllers to maintain Active Directory replication.


If a DNS Server does not have an entry in its database for the remote host specified in a client request, it can respond to the client with the address of a DNS Server more likely to have that information, or it can query the other DNS server itself. This process can take place recursively until either the client computer receives the IP address or the DNS server establishes that the queried name cannot be resolved. DNS Servers to which other DNS Servers forward requests are known as Forwarders.

The Windows 2008 DNS Server service extends the standard forwarder configuration by using conditional forwarders. A Conditional Forwarder is a DNS Server that forwards DNS Query according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with to the IP address of one or more specified DNS Servers. This feature is particularly useful on extranets, where several organizations and domains access the same private internetwork.

Other Posts Related to DNS:


Active Directory (AD) relies on several communications services to communicate with client computers and between domain controllers. The variety of communications protocols used reflects the complex nature both of AD and of the industry-standard protocols that AD implements, such as Kerberos and the Lightweight Directory Access Protocol (LDAP).

Understanding how AD communicates can be critical when you’re working with domain controllers or clients that are separated from domain controllers by firewalls or other port filtering devices (such as routers).

Basic Communications

AD needs only a few basic services to be available for normal operations:

User Datagram Protocol (UDP) port 88 is used for Kerberos authentication. Transmission Control Protocol (TCP) port 88 can also be used, although it’s less common.

  • TCP and UDP ports 135 are needed for remote procedure call (RPC) endpoint mapping. RPCs are used for a number of domain controller-to-domain controller and client-to domain controller operations. Unfortunately, not all communications take place over port 135, as I’ll discuss later.
  • TCP port 139 and UDP port 138 are needed for file replication between domain controllers. This port combination is the standard NetBIOS session service port set.
  • UDP port 389 handles LDAP queries and is used for normal domain controller operations.
  • TCP and UDP ports 445 are used for file replication and are the standard Windows files sharing ports.
  • TCP and UDP ports 464 are the Kerberos password change protocol ports.
  • TCP port 593 is used by the RPC over HTTP transport. Although you don’t technically need this port for normal operations, I’ll discuss later how this feature can make working with domain controllers through firewalls a bit easier.
  • TCP port 636 is for LDAP over Secure Sockets Layer (SSL), which is the default LDAP methodology for Windows Server 2003 and later.
  • TCP port 3268 and 3269 handle Global Catalog (GC) queries. Port 3269 handles secure queries. Any domain controller that needs access to a GC or that is acting as a GC server will use these ports.
  • TCP and UDP ports 53 are used to communicate with Domain Name System (DNS), which is a vital part of AD communications.

Generally, opening these ports between clients and domain controllers, or between domain controllers, will enable AD to function normally. One exception is RPC traffic.


Issue: We had a System running Server 2008 and when it would boot it would hang with “Applying User Settings”.  When it would finally load, many of the services were not started.
Diagnosis: – This Microsoft Article explains the issue associated with the SCM database being locked:

sc querylock
The output below would indicate that the SCM database is locked:
QueryServiceLockstatus – Success
IsLocked : True
LockOwner : .\NT Service Control Manager
LockDuration : 1090 (seconds since acquired)

Resolution: You can modify the behavior of HTTP.SYS to depend on another service being started first.  To do this, perform the following steps:

  1. Open Registry Editor
  2. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP and create the following Multi-string value: DependOnService
  3. Double click the new DependOnService entry
  4. Type CRYPTSVC in the Value Data field and click OK.
  5. Reboot the server


NOTE: Please ensure that you make a backup of the registry / affected keys before making any changes to your system.

DNS keeps track of Information in Zones. Essentially, a zone is a flat-file database for a particular domain, such as The zone can contain different rexord types, all of which can be queried by clients:

> A : Which i a Host Address record – this resolves a single host name. suck as www, to an IP address.

> CNAME : or Alias – This resolves a name such as www to an actual host name, such as www1. think of it as a nickname for a computer -“www”, for example, is easier to remember and more standardized than a computer name like “w4salwin” which is what a Web Server’s real name might be.

> MX : or Mail Exchanger – This provides the name of the mail server for a Domain. Multiple MX records can be provided for fault tolerance or load balancing and a prioroty assigned to each. Clients, Such as sending mail servers, will attempt to contact the server in the MX record with the lowest-Numbered Priority.

> AAAA – This maps an IPv6 IP address to a host name.

> SRV: or Service – This provides the IP address of  one or more servers providing a particular service. AD uses SRV records to allow clients to locate Domain Controllers, among other things.

> SOA: or Start of Authority – This Special record indicates that the DNS Server hosting the zone is authoritative for the zone and is the primary source of name resolution for hosts within that domain.

All active directory data base security related information store in SYSVOL folder and it’s only created on NTFS partition.

In Microsoft Windows, the System Volume (Sysvol) is a shared directory that stores the server copy of the domain’s public files that must be shared for common access and replication throughout a domain. The term SYSVOL refers to a set of files and folders that reside on the local hard disk of each domain controller in a domain and that are replicated by the File Replication service (FRS). Network clients access the contents of the SYSVOL tree by using the NETLOGON and SYSVOL shared folders.

The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest.

ReplMon can do the following:

  • See when a replication partner fails.
  • Display changes that have not yet replicated from a given replication partner.
  • Trigger the Knowledge Consistency Checker (KCC) to recalculate the replication topology.
  • View the history of successful and failed replication changes for troubleshooting purposes.
  • Find all direct and transitive replication partners on the network.
  • View the properties of directory replication partners.
  • Display the metadata of an Active Directory object’s attributes.
  • Poll replication partners and generate individual histories of successful and failed replication events.
  • Create your own applications or scripts written in Microsoft Visual Basic Scripting Edition (VBScript) to extract specific data from Active Directory.
  • View a snapshot of the performance counters on the computer, and the registry configuration of the server.
  • Generate status reports that include direct and transitive replication partners, and detail a record of changes.
  • Display replication topology.
  • Force replication.
  • Display a list of the trust relationships maintained by the domain controller being monitored.

The stats helper monkeys prepared a 2011 annual report for this blog.

Here’s an excerpt:

The concert hall at the Syndey Opera House holds 2,700 people. This blog was viewed about 10,000 times in 2011. If it were a concert at Sydney Opera House, it would take about 4 sold-out performances for that many people to see it.

Click here to see the complete report.

VM Backup – Backing up Virtual Machines with Windows Server 2008 R2 & Hyper-V


Virtual machines are basically made of files. They contain configuration files, virtual hard disks, snapshot files and saved state files. While running computers are virtual machines can benefit from virtualization, a lot of thought needs to be taken in order to protect the contents of the virtual machines and the VMs themselves, so that if something goes wrong, you can perform a pre-defined list of steps to successfully restore the VMs to a functional and running state.

Note: To install Windows Server Backup, log on to the computer by using the local Administrator account or another account with Administrator privileges. To perform backups or recoveries by using Windows Server Backup, you must be a member of the Administrators or Backup Operators groups.

Performing the backup

To perform the actual VM backup follow these steps:

1. Open Windows Server Backup from the Administrative Tools folder. In the Actions pane, click “Backup Once” (you can, of course, create a schedule for this backup).


2. In the “Backup Options” page, select “Different Options” and click Next.

3. In the “Select Backup Configuration” page, select “Custom” and click Next.

4. In the “Select Items for Backup” page, click “Add Items“.

5. In the “Select Items” window, click to select the volumes where the VM configuration files and VM hard disks are located. Also note that while it may look possible to select individual folders, do NOT select individual folders. Only select the entire volume. Failing to select the right volumes will result in a failure for the backup procedure and even if it will seem to you that all items were backed up, in fact you will not be able to restore your VMs. Click Ok.

6. Back in the “Select Items for Backup” page, click “Advanced Settings“.

7. In the “Advanced Settings” window, click to select “VSS Full Backup” and click Ok.

8. Back in the “Select Items for Backup” page, click Ok.

9. In the “Specify Destination Type” page, select the destination for the backup. I chose Local Drives, but you can also perform the backup on remote shares. Click Next.

10. In the “Select Backup Destination” page, use the drop-down list to select your destination. If you plan to backup on an external USB drive, make sure the computer recognizes it before you get to this spot. Also make sure that the destination volume contains enough free disk space for the backup to be place in. Remember that volume level backup are ALWAYS full, therefore if you’ve got 500 GB worth of VMs in one volume, you’ll need to have as much space as that (and preferably more) on your destination volume. Click Ok.

11. In the “Confirmation” page click Backup and let the backup procedure begin.

12. If you immediately switch to the Hyper-V management console, you’ll see that the VMs are being snapshotted. This is not equivalent to taking a Hyper-V snapshot, which in fact is not really a true snapshot and has nothing in relation to VSS snapshots. Because the VSS writer was registered, and because the Integration Services (Components) are installed and enabled on the VMs, they will be successfully backed up without being paused, saved or turned off. In addition, the ICs will inform the VMs that a backup procedure is taking place on the parent partition, so any VSS-aware application that is running inside the VM will also be triggered (which is very important for applications such as SQL, Exchange and so on).

13. Windows Server Backup begins to write the file(s) to disk.

14. When finished, click Close.


Backing up virtual machines can be a little different than backing up a traditional system.  Because a virtual machine is nothing more than a collection of files, it is important to be especially mindful of the backup process. One oversight along the way can mean a failed VM backup.  Hopefully this article has prepared you to backup your Virtual Machines with Hyper-V using Windows Server Backup.



Source: Petri