Showing posts with label windows 2000. Show all posts

Friday, February 20, 2009

Change Domain Functionality Level using script

The following snippet changes the domain functional level to Windows 2000 native mode.

strDomain = "myrootdns2003.com" ' e.g. amer.rallencorp.com

' Bind to the domain object
set objDomain = GetObject("LDAP://" & strDomain)
' nTMixedDomain greater than 0 means the domain is still in mixed mode
if objDomain.Get("nTMixedDomain") > 0 Then
    Wscript.Echo "Changing mode to native ... "
    objDomain.Put "nTMixedDomain", 0
    objDomain.SetInfo
else
    Wscript.Echo "Already a native mode domain"
end if

Change Domain Functional Level to Windows 2000 native mode on command line

The following shows how to change the domain functional level to Windows 2000 native mode from the command prompt.

1. Assume the domain name is "myrootdns2003.com".
2. Create a file, say change_domain_mode.ldf, with the following contents.
dn: dc=myrootdns2003,dc=com
changetype: modify
replace: ntMixedDomain
ntMixedDomain: 0
-
3. Now run the command below to change the functional level to Windows 2000 native mode.
ldifde -i -f change_domain_mode.ldf

4. Alternatively, use the admod command to change the functional level.
admod -b dc=myrootdns2003,dc=com "ntMixedDomain::0"

Thursday, February 19, 2009

What is a top-level domain

A string of letters used to indicate an organization or an institution.

The following is a list of the top-level domains most often used on the Internet:

.arpa: Owned by the Advanced Research Project Agency (ARPA). Used to register reverse mapping of Internet Protocol version 4 (IPv4) addresses assigned by the Internet Assigned Number Authority (IANA) to DNS domain names for computers that use those addresses on the Internet. This is used by the in-addr.arpa domain.

.com: This is used for business and commercial use.

.int: Reserved for international use. Currently planned for use in RFC 1886 to register reverse mapping of Internet Protocol version 6 (IPv6) addresses assigned by IANA to DNS domain names in the ip6.int domain for computers that use those addresses on the Internet.

What is the root domain

The root domain is the root of the domain tree. When used in a DNS domain name, it is stated by a trailing period (.) to designate that the name is located at the root or highest level of the domain hierarchy.

The following shows root domain.

Wednesday, February 4, 2009

ScavengingInterval Registry Key

This registry key determines whether to scavenge stale records or not. By default, scavenging is disabled. If scavenging is enabled, the DNS server looks at the timestamps of resource records in DNS storage and deletes records that are out of date.

Key Name: ScavengingInterval
Type: dword(boolean)
Default: disabled (0x0)
Location: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dns\Parameters"
Functionality: Determines scavenging interval.

Note: 1. Direct changes to the registry key through regedit.exe take effect only after rebooting the server.

To enable scavenging without having to restart the server, do the following.

1. Open the DNS Manager console using the command dnsmgmt.msc.
2. In the DNS console tree, right-click the server node "dnsserver" (assuming the server name is dnsserver) and select Properties.
3. Go to the Advanced tab in the properties dialog, select the "Enable automatic scavenging of stale records" option, click Apply and then OK.

Note: By default, when scavenging is enabled, the scavenging interval is set to one week, i.e. 168 hours.

Sunday, February 1, 2009

AutoCacheUpdate registry key

This registry key determines whether to update the DNS cache root hints when the DNS server starts.

By default, the DNS server updates its DNS cache files based on the responses received for NS and A records.

Key Name: AutoCacheUpdate
Type: DWORD (Boolean)
Default: NoKey (does automatic cache update)
Functionality: Determine whether server attempts to update cache entries using data from root servers.
Location: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"

If the registry key is zero, the DNS server disables cache update.

To disable automatic cache updates, do the following

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v AutoCacheUpdate /t REG_DWORD /d 0

If the AutoCacheUpdate key does NOT exist or is nonzero, the server updates the cache file based on the responses received for root hint queries on startup.

Note: This registry key applies only to Windows 2000 or earlier versions.

Saturday, January 31, 2009

RoundRobin Registry key

This registry key determines the order in which the DNS server returns Type A resource records when multiple Type A records exist for the same name in the server memory cache. It thus determines the load-balancing mechanism used for returning Type A records.

Key Name: RoundRobin
Type: REG_DWORD (Boolean)
Default: NoKey (Round robin A records)
Location: "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
Functionality: Determines the order in which Type A records for the same name are sent.

By default, the DNS server round robins Type A records. If the registry key does not exist or is nonzero, the DNS server also round robins Type A records. If the key is zero, the DNS server returns Type A records in a fixed sequence.

The registry key can be set by running the following command
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v RoundRobin /t reg_dword /d 1
The above sets the server to use round robin when sending Type A records.
Changes made by editing the registry take effect only after restarting the server. To make changes effective immediately without having to restart the server, do the following

1. Open the DNS Manager console using the command dnsmgmt.msc.
2. In the console tree, right-click the server node and click Properties.
3. Go to the Advanced tab in the dnsserver properties dialog and select "roundrobin" (this enables round robin of Type A records).

RecursionTimeout Registry Key

This registry key determines the maximum time a DNS server keeps repeating a recursive query to remote servers at regular intervals when resolving NS queries. That is, if the DNS server does not receive a response to a recursive query, the server repeats the query at intervals specified by the value of the registry key RecursionRetry. If the server does not receive a response before the value of RecursionTimeout expires.

Key Name: RecursionTimeout
Type: DWORD
Default: NoKey (Timeout is 15 seconds)
Functionality: Timeout after which the DNS server gives up a recursive query.
Location: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"

By default, RecursionTimeout is 15 seconds, but it can be changed by editing the registry as shown below (assume the time to be set is 200 seconds)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v RecursionTimeout /t reg_dword /d 200

Note: 1. Changes to the key made through reg add take effect only after restarting the server.
2. The default of 15 seconds is enough for most scenarios unless the DNS server is on a very low speed link.
3. If the RecursionTimeout key is deleted, does not exist, or is zero, the DNS server times out after 15 seconds.

RecursionRetry Registry Key

This registry key determines the retry interval for recursive client queries. That is, if the DNS server does not receive a response to a query within the time interval, the DNS server retries the same query to the same server or to other servers.

Key Name: RecursionRetry
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Type: DWORD
Default: NoKey (3 seconds)
Range: 0x1–0xFFFFFFFF seconds
Functionality: Sets the interval between repeated recursive query lookups.

By default, the DNS server retries after three seconds.
To change the registry value to 10 seconds, do the following
reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v RecursionRetry /t reg_dword /d 10

Note:
1. Retries are made continuously until the RecursionTimeout period is reached.
2. Direct changes to the registry key do not take effect until the server reboots.
3. To make changes without having to restart the server, use dnscmd.exe.

Friday, January 30, 2009

Set MaxCacheTtl using dnscmd command

The following shows how to set MaxCacheTtl using dnscmd.exe:

dnscmd.exe /config /MaxCacheTtl 500

To verify that MaxCacheTtl is set to 500, run the command

dnscmd /info /MaxCacheTtl

MaxCacheTtl Registry key

Records returned by recursive queries are cached by the DNS server. How long a record stays cached is determined by the TimeToLive (TTL) field in the record. This registry key determines the maximum cache time of records saved by the DNS server irrespective of the TTL field in the record. The DNS server deletes records from the cache when MaxCacheTtl expires, even if the value of the TTL field in the record is greater than MaxCacheTtl.

The registry key is located at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"


Key Name: MaxCacheTtl
Type: DWORD
Default: NoKey (Cache for up to one day)
Range: 0x0 | 0x1–0xFFFFFFFF seconds

To change the value of the registry key to some cache time, say 200 seconds, run the following

reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v MaxCacheTtl /t reg_dword /d 200

Note: 1. Changes to the registry key through regedit take effect only after restarting the DNS server.
2. This registry key does not affect WINS records saved in the DNS memory cache.
3. This registry key is supported by Windows 2000, Windows 2003 and Windows 2008.

ForwardDelegations Registry key

This registry key applies only if the delegated subzone is within the DNS server's authoritative zone. It determines whether the DNS server forwards DNS queries about delegated subzones (where the delegated subzone is within the DNS server's zone) to servers outside of its authoritative zone or sends them to the delegated subzone itself.

The registry key is located at "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters"

Key Name: ForwardDelegations
Type: DWORD (Boolean)
Default: NoKey (does not forward delegations)

By default, whenever a DNS server receives a DNS query for a normal zone (not a delegated zone) name outside its authoritative zone, it simply forwards the query to a name server outside of its zone. However, when it receives a query for a delegated subzone, it sends the query directly to the delegated subzone and does not forward it.

If the registry key is set to 1, a query for a delegated subzone (within the authoritative zone) is sent outside the authoritative zone, just as the server does by default for a normal zone.

For example, suppose a DNS server has a delegation for blogspot.com to blogger.com. If the server receives a query for dns-info.blogspot.com, the server should send the query to the delegated zone blogger.com. If the registry key is set to 1, the server sends the query to blogspot.com.

To change the registry key value to 1, run the following at the command prompt

reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v ForwardDelegations /t REG_DWORD /d 1 /f

Note:
1. Changes to the ForwardDelegations registry key take effect only after restarting the server.

2. This registry key is used only when forwarding is enabled. If forwarding is not enabled, queries to delegated zones are not forwarded.

3. Forwarding should be enabled if the delegation itself is at a remote site that is reachable only through the forwarder.
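A way to check which of the values described in the posts above are actually present on a server, written here as an added example (not part of the original posts): it parses saved `reg query` output for the DNS Parameters key and resolves each value to the behaviour the posts give for absent, zero and nonzero settings. The sample output is constructed, and treating any nonzero ForwardDelegations value like 1 is an assumption.

```python
import re

# Constructed sample of `reg query` output for the DNS Parameters key.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    RoundRobin    REG_DWORD    0x0
    MaxCacheTtl    REG_DWORD    0xc8
    RecursionTimeout    REG_DWORD    0x0
"""

DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

# Behaviour per value as described in the posts; raw is None when absent.
RULES = {
    "RoundRobin": lambda raw: "fixed order" if raw == 0 else "round robin",
    "AutoCacheUpdate": lambda raw: "no cache update" if raw == 0 else "updates cache",
    # Assumption: any nonzero value counts as "1" (the post only mentions 1).
    "ForwardDelegations": lambda raw: "forwarded" if raw else "sent to delegation",
    "RecursionTimeout": lambda raw: f"{raw or 15} s",  # absent or zero: 15 s
    "RecursionRetry": lambda raw: f"{3 if raw is None else raw} s",
    "MaxCacheTtl": lambda raw: f"{86400 if raw is None else raw} s",  # one day
}

def parse_reg_query(text):
    """Return {lower-cased value name: int} for every REG_DWORD line."""
    values = {}
    for line in text.splitlines():
        match = DWORD_LINE.match(line)
        if match:  # registry value names are case-insensitive
            values[match.group(1).lower()] = int(match.group(2), 16)
    return values

def audit(text):
    """Map each known value to (effective behaviour, 'set' or 'default')."""
    found = parse_reg_query(text)
    report = {}
    for name, rule in RULES.items():
        raw = found.get(name.lower())
        report[name] = (rule(raw), "default" if raw is None else "set")
    return report

if __name__ == "__main__":
    for name, (behaviour, origin) in audit(SAMPLE).items():
        print(f"{name:20} {behaviour:22} {origin}")
```

Because direct registry edits take effect only after a restart, as the notes above say, a value reported as set may not yet match what the running server is doing.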



Set ForwardingTimeout using dnscmd command

The following shows how to set ForwardingTimeout using dnscmd.exe

1. To set the forwarding timeout to its default value, run

dnscmd.exe /config /ForwardingTimeout

The above sets the forwarding timeout to 0 seconds in Windows 2003 (however, the UI sets a minimum of 1 second) and 3 in Windows 2008.
To verify the forwarding timeout, run

dnscmd /info /ForwardingTimeout

2. To set the forwarding timeout to a specific value, say 10 seconds, run

dnscmd.exe /config /ForwardingTimeout 10


ForwardingTimeout Registry key

The ForwardingTimeout registry key determines how long to wait for the forwarding server to respond to a given DNS query. The registry key is located at "HKLM\SYSTEM\CurrentControlSet\Services\DNS\parameters". Following is the description of the registry key.

Key Name: ForwardingTimeout
Type: DWORD
Default: NoKey (No Timeout)
Value: value in seconds.
Location: "HKLM\SYSTEM\CurrentControlSet\Services\DNS\parameters"

This registry key is useful when multiple forwarders exist. For example, a DNS server forwards a query to a forwarder by looking into its forwarding list. If the first forwarder fails to respond within the timeout period, the query is sent to the next forwarder in the list.

Note:
1. The ForwardingTimeout key is read only when forwarders are configured.
2. This registry key is supported in Windows 2000, Windows 2003 and Windows 2008.
3. The ForwardingTimeout key is needed only when forwarding is enabled.

Warning: 1. Do not modify the key directly in the registry; instead use the Forwarders tab in the DNS server properties dialog to set the forwarding timeout. In the Forwarders tab dialog, zero is not a valid value. If you enter zero (0), in Windows 2000 DNS uses the default value 0x5, but in Windows 2003 and Windows 2008 it uses the value one (1).
2. If this key does not exist or contains an invalid (negative) value when forwarders are configured, the server may fail to start or fail to resolve remote names properly.

Relevant Post:

set forwardingtimeout using dnscmd

Wednesday, January 28, 2009

Set LocalNetPriority using dnscmd command

To set LocalNetPriority to the default mode, run the following

dnscmd.exe /config /LocalNetPriority 0x000000ff

One can verify the default mode by querying the registry key LocalNetPriority.

dnscmd /info /LocalNetPriority

Note: in default mode, the 24 most significant bits are used to find the address proximity list.

To set it to Windows 2000's priority mode, run

dnscmd /config /LocalNetPriority 0xffffffff

In this mode, the traditional class A type subnet mask is used to find the address proximity list.

To set LocalNetPriority to a custom enhanced mode, for example to use the 8 most significant bits for calculating "address proximity", just set the 8 most significant bits to zero as shown below.

dnscmd /config /LocalNetPriority 0x00ffffff

To change it to 16 bits, run dnscmd /config /LocalNetPriority 0x0000ffff
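How the mask values in the commands above translate into "address proximity", as an added example (not from the original post and not the DNS server's own code): the set bits of the mask are the low-order address bits that are ignored, and A records that agree with the client on the remaining bits are returned first. The addresses are constructed, and keeping the other records in their original order is a simplifying assumption.

```python
import ipaddress

def compared_bits(mask):
    """Leading address bits compared for a mask such as 0x000000ff (-> 24)."""
    if mask == 0xFFFFFFFF:
        raise ValueError("0xffffffff is the Windows 2000 mode; not modeled here")
    ignored = mask.bit_length()
    if mask != (1 << ignored) - 1:
        raise ValueError("expected a run of low-order 1 bits, e.g. 0x0000ffff")
    return 32 - ignored

def order_answers(client, records, mask=0x000000FF):
    """Put A records that share the compared bits with the client first."""
    compared_bits(mask)  # reject masks this model does not cover
    keep = 0xFFFFFFFF & ~mask  # bits that must match the client address
    wanted = int(ipaddress.IPv4Address(client)) & keep
    near = [r for r in records
            if (int(ipaddress.IPv4Address(r)) & keep) == wanted]
    far = [r for r in records if r not in near]
    return near + far

# Constructed client address and A record set for one host name.
CLIENT = "10.1.2.50"
RECORDS = ["192.168.5.10", "10.9.9.9", "10.1.2.7", "10.1.77.3"]

if __name__ == "__main__":
    for mask in (0x000000FF, 0x0000FFFF, 0x00FFFFFF):
        ordered = order_answers(CLIENT, RECORDS, mask)
        print(f"{mask:#010x} ({compared_bits(mask)} bits): {ordered}")
```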
