Clean up old SRV records
Have you ever decommissioned an old Active Directory (AD) domain controller (DC)? When you do, that old DC leaves a bunch of SRV records in your domain's DNS zone. SRV records are what your workstations use to find DCs. Deleting old SRV records is therefore a good idea: You don't want your domain members wasting a lot of time trying to contact a DC that no longer exists. Fortunately, Microsoft offers a command-line tool—Nltest—that's perfect for the job.
Way back in February 1998, in This Old Resource Kit, "NLTEST," http://www.winnetmag.com, InstantDoc ID 2947, I wrote about this useful domain-testing and -maintenance tool. Since then, Microsoft has rereleased Nltest several times, revising it in the Microsoft Windows NT Server 4.0 Resource Kit and including it in the Windows 2000, Windows XP and Windows Server 2003 Support Tools folders. Each new version of Nltest can do things that the earlier versions can't, but the majority of what I show you this month works on the versions of Nltest included in Win2K and later.
To clean a decommissioned DC's SRV records out of a DNS zone, you use the command
The command's syntax isn't immediately intuitive. Typically, you use the Nltest /server: option to identify the computer on which you want to perform a certain task, but in this case /server: identifies the name of the dynamic DNS server that contains the decommissioned DC's SRV records. With the /dsderegdns: option, you tell Nltest the name of the decommissioned DC. Suppose you're decommissioning a DC named dc4.bigfirm.biz for the bigfirm.biz domain, and bigfirm.biz's primary DNS server is called names.bigfirm.biz. You would use the following command to tell the DNS server to remove all of dc4's SRV records:
But what if you need to do the opposite? Can you tell Nltest to replace those records? You can, but only for Windows 2003 based DCs and only if you're sitting at the DC. The Windows 2003 and XP versions of Nltest include the /dsregdns option:
Suppose you've added a new DC named w2k3.bigfirm.biz to your domain. How do you place its SRV records into the DNS zone? You don't typically need to worry about that process because the Netlogon service rewrites a DC's SRV records every time the Netlogon service starts up. Therefore, you could use the following command to force any Windows 2003 or Win2K DC to put its SRV records into the domain's DNS zone:
The ampersand (&) in that command lets you place two or more commands on one line.
As a quicker alternative to Netlogon, a Windows 2003 system in the bigfirm.biz domain can use the following Nltest command to recreate its SRV records:
In this case, you can't specify a DC's name. Clearly, Microsoft wants you to run this Nltest variation only on the DC itself. And keep in mind that the Win2K Server version of Nltest doesn't let you use the /dsregdns option, although it does let you use the /dsderegdns option. (And don't bother trying to copy a more recent version of Nltest to a Win2K system; it will refuse to run.)
You might find two more Nltest options useful. One new challenge that AD introduces is the existence of sites. For this challenge, Nltest offers the /dsgetsite option. To determine what site a DC lives in, you can use this command:
where servername is the name of the DC whose location you want to determine. You can use the short machine name (e.g., dc1) or the complete DNS name (e.g., dc1.bigfirm.biz), and you don't need backslashes. If you don't specify a server name, Nltest assumes you want site information about the local system.
Knowing which site a server lives in is useful, but some sites don't have a DC. In that case, nearby DCs cover for the site. But which DCs? You can use the /dsgetsitecov option to find out:
I'd like to see Nltest work the other way too, so I could feed it a site and obtain the names of all the DCs that cover that site. Perhaps we'll see that functionality in the Longhorn version.