
Tuesday, June 08, 2010

Windows Server Hosts File Ignored or Not Looked Up

Our Symptom:

We often need to circumvent or supplement a customer's DNS, since Microsoft SQL Server database mirroring has a very stringent FQDN requirement.

One of the tricks we use is to edit the local Hosts file, C:\Windows\System32\Drivers\Etc\Hosts, so that the correct FQDNs resolve internally.

At one point I noticed that no matter what I entered there, the entries were ignored.

You may also have noticed this when SQL Server Management Studio takes a long time to come up, especially on a closed network where there is actually no "outside" route. As I have posted previously, this is due to the fact that SQL Server Management Studio performs a Certificate Revocation List (CRL) lookup. We usually add

127.0.0.1 crl.microsoft.com

to our local Hosts file so that the CRL lookup fails on purpose, which gets SSMS to come up quicker.


What Worked for Me:

Quick test: check in your service controller whether the "DNS Client" service is running. If you turn it off, the system starts looking names up in the local Hosts file.

Next, look in your Windows registry under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

There you will find the value

UseDomainNameDevolution

If this is set to 1, your Hosts file won't work. Just reset it to zero (0).

For additional information, see http://technet.microsoft.com/en-us/library/cc766230(WS.10).aspx
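The following batch script is an added diagnostic, not part of the original post. It checks the three things the post talks about on a Windows server: whether the Hosts entry is present, whether the DNS Client service is running, and what UseDomainNameDevolution is set to, then shows which address the resolver actually returns. The name crl.microsoft.com is the post's example; substitute the FQDN you are overriding.

```batch
@echo off
rem Added diagnostic (not from the original post). Reports the state of the
rem Hosts entry, the DNS Client service and the UseDomainNameDevolution value,
rem then shows what the resolver returns so you can tell if Hosts is bypassed.
setlocal
set HOSTS=%SystemRoot%\System32\Drivers\Etc\Hosts
set NAME=crl.microsoft.com
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

echo [1] Hosts entries for %NAME%:
findstr /I /C:"%NAME%" "%HOSTS%" || echo     (none found in %HOSTS%)

echo [2] DNS Client service state (service name Dnscache):
sc query Dnscache | findstr /I "STATE"

echo [3] UseDomainNameDevolution under Tcpip\Parameters:
reg query "%KEY%" /v UseDomainNameDevolution 2>nul || echo     (value not present)

echo [4] Address the resolver actually returns for %NAME%:
ping -n 1 -w 1000 %NAME% | findstr /I "Pinging"
rem If the address shown here is not the one in Hosts, the file is being ignored.
endlocal
```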


Monday, February 02, 2009

Active Directory Recovery Note

Since the time of Windows NT, I have really disliked the domain controller architecture of Microsoft networks. The part I really did not like is that it basically requires two dedicated machines, and we are not supposed to install anything else on them, for example SQL Server (you can, but I strongly advise against it; some day you will run into trouble and it will cost you several times over the cost of the hardware you thought you saved). In addition, they had the idea of primary and backup domain controllers, with the notion of the backup a bit dubious, since if you lost the primary you probably also lost the ability to get the primary back easily.

When Windows 2000 came out I was a bit excited to be told that AD does not have the notion of primary and backup. Soon enough that turned out not to be true; in fact it got even more complicated.

This was now 2008. In my small office I had the brilliant idea of hosting two AD servers on virtual machines, since we don't really maintain more than a few user names and such. However, we just lost one of the controllers completely during a VM migration, so I had to basically create another one from the remaining "backup" controller.

This cost several hours of "wasted time," since I really don't want to delve into this AD stuff. So if this happens again, here is the note to myself. Things like a backup fail-over should be basically instantaneous, and I expect there ought to be a one-button thingy for a basically idiotic (by choice) user like me, but its not being like that does protect a lot of jobs in the industry, I would guess.

  • It seems to work better if you install DNS first, before adding the domain controller role.
  • Download the Windows Support Tools from the MS web site. These include two important tools: one is called NETDIAG and the other DCDIAG. They are command-line tools, and if you run them without any arguments they tell you in gory detail what is wrong with your DNS and domain controller settings. Basically they run a series of tests that each return either Pass or Fail. The idea is to fix things until they all Pass. For each Fail, type the error message into Google (not Live Search) and you will find the article on the Microsoft web site that explains how to fix it. (Message to MS: please improve the search on your own product-related information.) I would fix the DNS first.
  • The next tool you will need is the NTDSUTIL program. You use it to transfer some of the critical roles that your lost domain controller held. The term to search for is "Seize [blah blah] role", and you basically issue the Seize command in this tool. There are about 4 or 5 roles you need to seize, and one additional tricky thing is the "Infrastructure" role. This apparently should not be seized by the primary, so run the same tool on the secondary server and have it seize the "Infrastructure" role.
I think these hints are enough to get you out of the lost-PDC situation.
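The batch script below is an added example, not from the original note, that strings together the command-line part of the recovery: run the two diagnostics, stop if either reports a failure, and only then seize the roles with NTDSUTIL on the surviving controller, leaving the Infrastructure role to the secondary as the note describes. The server names are placeholders, and the NTDSUTIL menu command names used are the Windows Server 2003 ones (an assumption).

```batch
@echo off
rem Added example (not from the original note). Run on the surviving controller
rem only once the lost controller is gone for good: a seized role must never be
rem brought back online on its old holder. Server names are placeholders and
rem the menu command names are assumed to be the Windows Server 2003 ones.
setlocal
set SURVIVOR=DC2-PLACEHOLDER
set SECONDARY=DC3-PLACEHOLDER

echo === Step 1: diagnostics; every test must Pass before seizing anything ===
netdiag /q > "%TEMP%\netdiag.log"
dcdiag > "%TEMP%\dcdiag.log"
rem DCDIAG prints "... failed test X" and NETDIAG prints "[FATAL]" on failures.
findstr /I /L /C:"failed test" "%TEMP%\dcdiag.log" && goto :fix
findstr /I /L /C:"[FATAL]" "%TEMP%\netdiag.log" && goto :fix

echo === Step 2: seize the roles of the lost controller on %SURVIVOR% ===
rem NTDSUTIL accepts its interactive menu commands as arguments; each "quit"
rem backs out one menu level. It asks for confirmation before each seizure.
ntdsutil roles connections "connect to server %SURVIVOR%" quit ^
    "seize schema master" "seize domain naming master" ^
    "seize RID master" "seize PDC" quit quit

echo === Step 3: the Infrastructure role goes to %SECONDARY% instead ===
ntdsutil roles connections "connect to server %SECONDARY%" quit ^
    "seize infrastructure master" quit quit
goto :eof

:fix
echo Diagnostics reported failures; see %TEMP%\dcdiag.log and %TEMP%\netdiag.log
echo and fix them (DNS first) before seizing any role.
endlocal
```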

Wednesday, June 25, 2008

Mac Tiger Does Not Authenticate When Connecting To Windows 2003

Symptom:

When trying to access a file share (SMB share) on a domain-joined Windows 2003 Server from Mac OS X 10.4 (Tiger), you get a login screen, but authentication always fails.

Cause:

The "Microsoft network server: Digitally sign communications (always)" setting is Enabled in the Security Options of Local Policies of Security Settings in the Default Domain Controller Security Settings.

Fix:

This applies to Tiger, which runs an older version of the Samba software. A newer version will not have this issue; I have not checked with Leopard.

Note that this may violate your general local security policy and may expose your Windows server to additional security issues.

  1. From the Start Menu, open Administrative Tools
  2. Select Domain Controller Security Policy
  3. In the Default Domain Controller Security Settings applet navigate through Security Settings, Local Policies, Security Options
  4. Scroll down the list and find "Microsoft network server: Digitally sign communications (always)"
  5. Disable it.
  6. From a command prompt, type "gpupdate" to load the change into the OS.
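As an added check that is not part of the original post: the "Microsoft network server: Digitally sign communications (always)" policy is delivered to the RequireSecuritySignature value under the LanmanServer service parameters, so reading that value before and after "gpupdate" confirms whether the policy change actually reached the server.

```batch
@echo off
rem Added check (not from the original post). Reads the two server-side SMB
rem signing values that the policy controls and reports whether signing is
rem still mandatory, which is the condition that makes Tiger's login fail.
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

rem reg query prints "<name>  REG_DWORD  0x1"; the third token is the value.
for /f "tokens=3" %%v in ('reg query "%KEY%" /v RequireSecuritySignature ^| findstr /I "RequireSecuritySignature"') do set REQ=%%v
for /f "tokens=3" %%v in ('reg query "%KEY%" /v EnableSecuritySignature ^| findstr /I "EnableSecuritySignature"') do set ENA=%%v

echo RequireSecuritySignature = %REQ%   (0x1 = "always" is still Enabled)
echo EnableSecuritySignature  = %ENA%   (0x1 = sign only if the client agrees)
if "%REQ%"=="0x1" (
    echo Signing is still required on this server: Tiger clients will keep
    echo failing until the policy is Disabled and "gpupdate" has been run here.
) else (
    echo Signing is no longer mandatory on this server.
)
endlocal
```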

Time It Took To Research and Fix This

About a year and a half.