Michael Cornn's questions

In a lab, I'm testing split-horizon (aka split-brain) DNS policies. The policies set on a DC/DNS server do not replicate to other DC/DNS servers.

Is it possible to make them replicate?

The lab has subnets 192.168.72.0 and 192.168.73.0, and two DCs running DNS. The two DCs have IP addresses 192.168.72.100 and 192.168.73.100.

I created an A record in DNS of host1 at 10.0.0.2

I followed this tutorial from Microsoft the DC with IP 192.168.72.100. The specific commands are pasted below:

Add-DnsServerZoneScope -ZoneName "deez.datz" -Name Scope73"
Add-DnsServerResourceRecord -ZoneName "deez.datz" -A -Name "host1" -IPv4Address "10.0.0.100" -ZoneScope "Scope73"
Add-DNsServerQueryResolutionPolicy -Name "Policy73" -Action ALLOW -ClientSubnet "eq,TGH-North" -ZoneScope "Scope73,1" -ZoneName "deez.datz"

Nslookup from a system in the 192.168.73.0 subnet:

nslookup host1 192.168.72.100
Name: host1.deez.datz
Address: 10.0.0.100
nslookup host1 192.168.73.100
Name: host1.deez.datz
Address: 10.0.0.2

The DNS Policy functions correctly on the first DC where the commands were run. The policy did not take effect on the second DC. The policy did not replicate.

I understand this is the default behavior for Microsoft DNS Policy.

Is it possible to force the DNS policy to replicate (and avoid running the commands on every single DC)?

We have a new SCEP 2002 installation on a new AD domain, and we're having no luck at all deploying clients. Whether we deploy them from the Configuration Console (right-click, Install Client) or manually (copy the files, then run ccmsetup.exe), the ccmsetup.log gives multiple errors.

Boundary Group Troubleshooting The boundaries and boundary groups are set correctly. We have an AD site named "Site01". When we run 'nltest /dsgetsite' on a Windows 10 box, we get the response 'Site01'.

We added the Site01 as a boundary in SCEP, and we added that boundary to a boundary group, also named Site01. In our Distribution Point, we added the Site01 boundary group in the Boundary Groups tab.

Connectivity checks From the Windows 10 client, we can browse to http://scepserver (note: we're using http to rule out any SSL issues). We can also browse to http://scepserver/CCM_Client and its subfolders. http://scepserver/sms_mp gives us a 403.2 forbidden error, but I believe that's to be expected. The ccm.log on the server indicates that our client push account can reach the clients admin$ share, and the folder c:\windows\ccmsetup populates when we push the client.

ccmsetup.log review Rather than attaching the whole ccmsetup.log file, here are excerpts I think are important. I've bolded a few key items.

==========[ ccmsetup started in process 9364 ]========== ccmsetup 6/10/2021 8:11:15 PM >4032 (0x0FC0) Running on platform X64 ccmsetup 6/10/2021 8:11:15 PM 4032 (0x0FC0) Launch from folder C:\windows\ccmsetup\ ccmsetup 6/10/2021 8:11:15 PM 4032 (0x0FC0) CcmSetup version: 5.0.8968.1014 ccmsetup 6/10/2021 8:11:15 PM 4032 (0x0FC0) Folder 'Microsoft\Microsoft\Configuration Manager' not found. Task does not exist. ccmsetup >6/10/2021 8:11:15 PM 4032 (0x0FC0) ... Ccmsetup command line: "C:\windows\ccmsetup\ccmsetup.exe" /runservice /ignoreskipupgrade >/config:MobileClient.tcf ccmsetup 6/10/2021 8:11:15 PM 9352 (0x2488)

...

Performing AD query: '(&(ObjectCategory=mSSMSManagementPoint)(mSSMSDefaultMP=TRUE)(mSSMSSiteCode=site01))' ccmsetup 6/10/2021 8:11:15 PM 9352 (0x2488) OperationalXml '5.00.8968.100002248044311removedsite01 SMSSITECODE=site01 ' ccmsetup >6/10/2021 8:11:15 PM 9352 (0x2488) The MP name retrieved is 'scepserver.mydomain.com' with version '8968' and capabilities '' ccmsetup
6/10/2021 8:11:16 PM 9352 (0x2488) MP 'scepserver.mydomain.com' is compatible ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488) Retrieved 1 MP records from AD for site 'site01' ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)

... FromAD: command line = SMSSITECODE=site01 ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488) ... Found MP http://scepserver.mydomain.com from AD ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)

...

Failed to connect to machine policy namespace. 0x8004100e ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)

...

Sending state '100'... ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488) Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 0 ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488) Failed to get client version for sending state messages. Error 0x8004100e ccmsetup >6/10/2021 8:11:16 PM 9352 (0x2488) [] Params to send '5.0.8968.1014 Deployment Error: 0x0, ' ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488) A Fallback Status Point has not been specified and no client was installed. Message with STATEID='100' will not be sent. ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488) Failed to send status 100. Error (87D00215) ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)

...

Failed to get DP locations as the expected version from MP 'http://scepserver.mydomain.com'. Error 0x87d00215 ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)

...

Sending location request to 'scepserver.mydomain.com' with payload ' AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" >DPTokenAuth="1" UseInternetDP="0"> ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488) MapNLMCostDataToCCMCost() returning Cost 0x1 ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488) Failed to connect to machine policy namespace. 0x8004100e ccmsetup 6/10/2021 8:11:16 PM >9352 (0x2488)

...

Failed to get DP locations as the expected version from MP 'http://scepserver.mydomain.com'. >Error 0x87d00215 ccmsetup 6/10/2021 8:21:18 PM 9352 (0x2488) MP 'http://scepserver.mydomain.com' didn't return DP locations for client package with the >expected version. Retrying in 30 minutes. ccmsetup 6/10/2021 8:21:18 PM 9352 (0x2488) Next retry in 30 minute(s)... ccmsetup 6/10/2021 8:21:18 PM 9352 (0x2488)

I don't know why it's using 'MobileClient.tcf' for its configuration. This is a regular Windows 10 system.

Other than that, most of the errors indicate that the SCCM client can't connect to some part of the SCEP server's web site. Or is that the SCEP server's WMI namespace? Does anything in the log files point you toward a specific issue? Any help you can offer would be greatly appreciated.

EDIT: We also added the client push account to the local administrators group on the SCEP server and the client. We ran wbemtest and get-wmiobject from the client to retrieve class_win32 from the SCEP server.

We're building a new server stack. Our first Windows 2019 VM syncs to the ESX 7 host it's on rather than the NTP service on our router.

The results of "w32tm /query /configuration" are below. Note the setting "NtpClient" has Enabled "1". And "VMICTimeProvider" has Enabled "0".

Despite that, the command "w32tm /query /source" returns "Local CMOS Clock"

I have run "w32tm /config /manualpeerlist:"10.233.0.1" /syncfromflags:manual /reliable:yes /update", followed by restarting the Windows Time Service. But it has had no effect.

To test this, I manually set the time on the ESX host to 20 minutes behind the NTP server (and turned NTP service off on the ESX host). Then I manually set the VM time to midnight.

The command "w32tm /resync" failed. But after rebooting the VM, the time changed from midnight to the ESX host's time. It did not reset to the time on the NTP server.

We can ping the NTP server. Other hosts are syncing to the NTP server. I don't know why this VM refuses to sync with it. Based on the config below, can you give me some ideas?

[Configuration]

EventLogFlags: 2 (Local) AnnounceFlags: 5 (Local) TimeJumpAuditOffset: 28800 (Local) MinPollInterval: 6 (Local) MaxPollInterval: 10 (Local) MaxNegPhaseCorrection: 172800 (Local) MaxPosPhaseCorrection: 172800 (Local) MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local) PollAdjustFactor: 5 (Local) LargePhaseOffset: 50000000 (Local) SpikeWatchPeriod: 900 (Local) LocalClockDispersion: 10 (Local) HoldPeriod: 5 (Local) PhaseCorrectRate: 7 (Local) UpdateInterval: 100 (Local)

[TimeProviders]

NtpClient (Local) DllName: C:\windows\SYSTEM32\w32time.DLL (Local) Enabled: 1 (Local) InputProvider: 1 (Local) AllowNonstandardModeCombinations: 1 (Local) ResolvePeerBackoffMinutes: 15 (Policy) ResolvePeerBackoffMaxTimes: 7 (Policy) CompatibilityFlags: 2147483648 (Local) EventLogFlags: 0 (Policy) LargeSampleSkew: 3 (Local) SpecialPollInterval: 1024 (Policy) Type: NTP (Policy) NtpServer: 10.233.0.1 (Policy)

NtpServer (Local) DllName: C:\windows\SYSTEM32\w32time.DLL (Local) Enabled: 1 (Local) InputProvider: 0 (Local) AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local) DllName: C:\windows\System32\vmictimeprovider.dll (Local) Enabled: 0 (Local) InputProvider: 1 (Local)

Both of our domain controllers stopped responding to DNS requests. After quite a lot of troubleshooting, we found that it resolves DNS requests to its loopback address, but not to its own address.

When we start nslookup and server 127.0.0.1, it resolves every hostname we enter. When we start nslookup and server <server's IP> DNS requests timeout.

On every system outside the DNS, it can ping the server by IP, but DNS requests don't get a response.

We ran netstat -a and found the server's IP listening on port 53, as it should be.

We've disabled our firewall profiles.

Any ideas what could cause this issue?

Present a string of text as a file to an external program?

I have a script that calls openssl to digitally sign an XML element from an XML file. Not the whole XML file, just one element.

openssl only works with files, not strings or other objects. So I get the element in Powershell, export it to a file, then call openssl on the new file. Snippet:

[xml]$schema = Get-Content myFile.xml
$head = $schema.data.head.InnerXml
$head | Out-File temp.txt
./openssl.exe dgst -sha256 -sign mykey.key -passin:1234 -out sig.sig temp.txt
./openssl.exe base64 -in sig.sig -out base64sig.txt
$schema.data.signature = Get-Content base64sig.txt

This makes two temporary files (temp.txt and base64sig.txt). And if Out-File doesn't have the right flags, temp.txt is slightly different from the XML (whitespace) and thus produces a different signature.

I'd like to present the variable $head as a text file to openssl. Is this possible? Can you map a FileStream to a letter drive, then use the drive path to "fool" openssl into opening it as a file?

We run a VMWare data center with vCenter 6. We recently enabled High Availability on a 3-host cluster in our test environment.

If one cluster fails, the other 2 don't have the resources to take on all of the failed-over VMs. Some of them will remain powered off. Is it possible to prioritize which VMs fail over first?

For example, say a host hold a Windows domain controller, a Git repository, and a Windows deployment server. If that host fails, we definitely want DC and Git online right away. We're not worried if the deployment server stays offline.

In that scenario, how would we ensure the DC and repo get a higher priority than the deployment server?

I have a disconnected WSUS server. On my Internet-connected WSUS server, I performed an export. On the disconnected server, I performed an import, then copied the WSUSContent folder from the Internet-connected system to the disconnected system.

On the disconnected server, for the vast majority of updates, WSUS reports that "the files for this update have not yet been downloaded." When I click the file information, the files are present in the path listed.

I tried "wsusutil.exe reset", but that didn't fix the issue. It seems like the database simply won't check the file structure and see that the files are already there.

Any suggestions?

We use a mix of Windows 10 desktops and VMWare Horizon desktop pools.

We recently deployed RSA SecurID tokens to some of our users. On the physical desktops, authentication works as it should: On first login, users create a PIN, then enter their Windows password. After that, they only enter their RSA passcode (PIN plus the code on their token). They never need to enter their Windows password again.

The zero clients, however, are different. Before reaching the Windows VMs, Horizon challenges them for their passcode, followed by their Windows password. So our users have to remember the PIN for the passcode as well as their Windows password.

Is there a setting in Horizon that will allow users to authenticate using only their passcode?

Summary: I need to run a Powershell script continuously in the background whether a user is logged on or not. This is on Server 2012.

I ran the following command:

sc.exe create "MyService" binPath="powershell.exe 'c:\myFolder\myScript.ps1'"

This command ran successfully. However, when I start the service, it immediately errors out with "The service did not respond in a timely fashion." I know it's against best practices to run Powershell as a service, but is it even possible?

The best advice I've gotten is to run this script as a Scheduled Task instead of a service. That would make sense, but my security staff has enabled the GPO option "Network access: Do not allow storage of passwords and credentials". This prevents Task manager from running tasks with the correct credentials when no user is logged in.

Why am I doing this? We have an old program that runs only in windowed mode (not as a service) and prints both stdout and stderr to the screen. That means that (a)a user has to be logged into this server 24 hours a day, and (b)there are no log files. If you're not staring at the screen when an error occurs, the error will scroll right past you. The executable starts in a new window, so redirection operators have no effect on it.

While we replace this program, I need it to (a)run at all times, even after user logoff or reboot, and (b)write stdout and stderr to a log file.

I solved the second issue with a Powershell simple Powershell script:

"Program started at $(get-date)" | Out-File c:\myFolder\CrapProgram.log -append
& "c:\myFolder\CrapProgram.exe" | Tee-Object c:\myFolder\CrapProgram.log

This starts the program in Powershell. Its output is directed both to the Powershell window and to the log file.

Now if I can get this script to run when no one is logged on...and get it to start at computer startup...and make it easy for my lower-level support team to stop and start it easily, I'll be in business.

That's why I'm trying to register Powershell as a service. If there's a better solution, let me know.

We use a mix of Windows 7 physical desktops and vitual machines (hosted on ESX). We use the same image and AD domain for both.

On the VMs, when we create a new volume, whether on an existing disk or a new one, it appears as read-only. Read-only flags are not set in diskpart, nor does clearing those flags make the disk readable. This problem does not affect our physical desktops.

Here are steps you can replicate on your Win7 system:

1. Apply a Windows 7 image. Don't join to a domain. Log on as local administrator.
2. Open computer management and browse to disk management.
3. If Disk 0 is full, right click on the C volume and shrink it to get some free space. Or just add a hard drive in vCenter.
4. Right-click on the unallocated space and create a new simple volume. In the wizard, give it a drive letter and format it as NTFS.
5. Open DiskPart. In Diskpart, enter 'select disk 0' and 'select volume y' where y is the volume number of the new volume.
6. Enter the commands 'attr disk clear readonly' and 'attr volume clear readonly'
7. Enter 'detail disk' and 'detail volume' to verify that the read only flag is set to no.
8. Close DiskPart and open Windows Explorer. Right-click on the new drive and bring up properties.
9. Verify permissions are set so that the Administrators group has Full Control.
10. Right-click on open space in Windows Explorer and notice that "New" is not in the context menu.
11. Drag a file to the drive and get an error that the media is write-protected.
12. Go back into properties and try to change permissions. Get "media is write protected" errors again.
13. Repeat steps 5 - 10 until you go nuts.

If we apply this same Win7 image to a physical desktop, new volumes are read-write as normal. If we perform these steps on Server 2012 VMs on the same datacenter/cluster/datastore, new volumes are read-write as normal. If we apply this Win7 image to a VM, the volumes are read-only despite diskpart listing them as read-write.

In VMWare View 6, is there a way to configure administrators and/or authentication outside of the Admin Console?

At my site, we have regular user accounts and administrative user accounts. Both accounts can log in via username/password or smart card.

I set up a test View Connection Server and set my admin account as the administrator.

I accessed the Admin Console in a browser while logged in as my user account. Then I entered the username/password for my admin account. Everything was going well.

I changed the administrator authentication to require smart card access and logged out. Foolishly, I forgot that our security team blocks admin accounts from accessing web browsers.

Now the web-based console requires my admin smart card to log in, but my admin smart card can't access a web browser. My security team will not make a temporary exception to get me in.

I can log into the server with my admin account. But it appears that administrators and auth methods can only be set in the web-based admin console. If I can either add my regular user account as an admin, or change the smart card auth requirement, I can get in and fix the problem.

Does anyone know how to do that outside of the web-based Admin Console?

I've managed Dell's EMC and Equallogic SANs in the past. I was recently put in charge of a Hewlett-Packard P2000 SAN. HP and EMC use slightly different terminology. I'd like to confirm I understand HP's terminology. Can you verify/correct some of the definitions below?

vDisk. A collection of physical disks grouped into a RAID array. EMC refers to these as "Storage Pools." vDisks and Storage Pools aren't exactly the same as "RAID groups," but they serve the same purpose.

Volume. A logical division of a vDisk, which is presented to a host as a single volume. EMC refers to these as "LUNs", and LUN is the proper term.

Storage Groups. Distinct from "Storage Pools," EMC SANs can define "Storage Groups," which can combine multiple LUNs into a single volume that's presented to hosts. I can't find an equivalent to this on HP SANs.

Global Spares. Physical hard drives that are not assigned to any vDisk. If a hard drive in a vDisk fails, the SAN automatically uses an available spare to replace the drive and make the vDisk fault tolerant. EMC refers to these as "hot spares." With both vendors, spares do not need to be assigned to a particular RAID group or vDisk. The SAN will use them for any failed hard drive.

Regarding Equallogic SANs: Equallogic arrays create one RAID group and one LUN from all available disks in the array. The administrator can select only: the type of RAID in the RAID group, and the number and size of Storage Groups presented to the hosts.

I think I have these terms right, but I'd like to verify with someone who's used both vendors' SANs. I'm especially concerned that I can't find HP's equivalent of Storage Groups. Surely HP has a way to combine multiple LUNs into one logical volume. Am I missing that setting somewhere?

I have two servers in an Active Directory domain. Both servers have apps that run in Tomcat. I'm ordering PKI certificates for these two servers.

The servers are members of the AD domain "ourInternalNetwork.com". The majority of systems on this domain are not accessible from the public Internet. These two servers will be accessible from the 'Net.

For political reasons, we have not registered "ourInternalNetwork.com" Rather, we have the domain "ExternalNetwork.com" When we go into the system properties, the servers identify themselves as "server1.ourInternalNetwork.com" and "server2.ourInternalNetwork.com". However, we want Internet-connected users to reach the servers by "server1.externalNetwork.com" and "server2.externalNetwork.com"

This requires a Subject Alternative Name, right? My understanding is that if we create CSR's with no SAN, the CSR will be for "server1.ourInternalNetwork.com", and our CA won't issue us a certificate for "server1.ExternalNetwork.com"? But if we specify a SAN, then our CA will issue a cert for both "server1.ourInternalNetwork.com" and "server1.ExternalNetwork.com".

Do I have that right?

My PowerShell (2.0) script has the following code snippet:

$fileName = "c:\reports\1.xlsx"
$xl = new-object -comobject excel.application
$xlFormat = [Microsoft.Office.Interop.excel.XlFileFormat]::xlWorkbookDefault
$xl.displayalerts = $false
$workbook = $xl.workbooks.open($fileName)
#Code to manipulate a worksheet
$workbook.SaveAs($fileName, $xlformat)
$xl.quit()
$error | out-file c:\reports\error.txt

I can run this script in the PowerShell command prompt without any issues. The spreadsheet gets updated, and error.txt is empty. However, when I run it as a task in Task Scheduler, I get errors with the first line.

Exception calling "Open" with "1" argument(s): "Microsoft Office Excel cannot access the file 'C:\reports\1.xlsx'. There are several possible reasons: The file name or path does not exist. The file is being used by another program. The workbook you are trying to save has the same name as a currently open workbook.

I run the task with the same credentials I use to run the script in the PowerShell command prompt. When I run the script manually, it can open, update, and save the spreadsheet without any issues. When I run it in Task Scheduler, it can't access the spreadsheet.

The file in question is readable/writeable for all users. I've verified I can open the file in Excel with the same credentials. If I make a new spreadsheet and put its name in as the $filename, I get the same results. I've verified that there are no instances of Excel.exe in Task Manager.

Oddly, if I use Get-Content, I don't have any problems. Also, if I make a new spreadsheet, I don't have any problem.

$fileName = "c:\reports\1.xlsx"
$xl = get-content $filename
$xl = new-object -comobject excel.application
$xlFormat = [Microsoft.Office.Interop.excel.XlFileFormat]::xlWorkbookDefault
$xl.displayalerts = $false
# Commented out $workbook = $xl.workbooks.open($fileName)
$workbook = $xl.workbooks.add()
#Code to manipulate a worksheet
$workbook.SaveAs($fileName, $xlformat)
$xl.quit()
$error | out-file c:\reports\error.txt

That works fine. So Get-ChildItem can open the file without any issue. ComObject can open the file if I run it manually, but not if it's run as task.

I'm at a loss. Any ideas?

We have an iSCSI SAN unit connected to a cluster of ESX servers. The servers are all managed by an instance of vCenter. The vCenter instance manages a dozen Windows Server VMs.

Most of the VMs have more than one volume. Those volumes appear in the VM settings in vCenter. Drive C in Windows appears as Hard disk 1 in vCenter. Drive D appears as Hard disk 2, and so on. In other words, the SAN is obfuscated from the servers.

One server, however, is configured differently. Its C drive is handled by vCenter, but its second volume is directly connected to the SAN via Windows iSCSI Initiator. When I asked the server admin why he had configured it that way, he asked, "Why would you want a middleman handling your volumes?" I tried to explain that vCenter's HA and Snapshot features won't cover the second volume, but he remains unconvinced.

I remain unconvinced as well. Though it seems like all the VM's volumes should be handled by vCenter, I could be wrong. Have you configured your VMs in a similar manner? Something where the boot disk is presented to the VM by vCenter, but all other volumes are directly connected to the SAN?

I was writing a Powershell script for my network when I came across some alarming information in our DNS. Bear in mind we still use Powershell v2, not v3. So I have to query DNS via the Get-WMI command. I wrote a query to get all A records from one of our DNS servers. The exact command I used was:

get-wmiobject -computer OURDNS -Namespace roo\MicrosoftDNS -class MicrosoftDNS_AType

This command worked, but it gave me a very alarming root hint:

Caption:
ContainerName: ..RootHints
Description:
DnsServerName: OURDNS.ourdomain.com
DomainName: biz.
InstallDate:
IP Address: 195.22.26.253
Name:
OwnerName: hmksreiuojy.biz
....

I did a whois on that domain. The IP address is correct. It's flagged as a malware site. Based on the raw data above, any client who resolves a .biz domain name will be directed to that site. This is....bad.

Now I need to get rid of this. But I can't find it anywhere on my DNS server. The DNS snap-in doesn't have any reference to this hostname or IP. The server properties page doesn't list this host or IP in Root Hints or Forwarders. It's not in the Conditional Forwarders container. Nor is it in the file c:\windows\system32\dns\cache.dns.

So where is WMI getting this entry? And how do I get rid of it?

We have 3 DCs in our domain. One of the DCs died (wouldn't boot) two weeks ago. We performed metadata cleanup to remove the old DC from AD. Then we built a new DC with a new name (we used the same IP address).

The initial DNS replication functioned properly. However, two weeks in, we find that new DNS entries on the other DCs don't replicate to this one. We ran "repladmin /showrepl" on this DC and the other DCs. On the new DC, repladmin says all the recent replications went fine. On the other DCs, however, replication to the new DC has failed, giving error 8524 "The SDA operation is unable to proceed because of a DNS lookup failure."

The new DC's hostname is listed in our domain's forward and reverse lookup zones. However, it is formatted oddly in the _msdcs lookup zone. Only the hostname, not the FQDN is present. In DNS, the forward lookup zone "_msdcs.ourdomain.com" looks like this:

Name                Type                Data       
(same as parent)    Start of Authority  [630,DC3., hostmaster.ourdomain.com]
(same as parent)    Name Server (NS)    dc1.ourdomain.com.
(same as parent)    Name Server (NS)    dc2.ourdomain.com.
(same as parent)    Name Server (NS)    dc3.
SID1                Alias(CNAME)        dc1.ourdomain.com.
SID2                Alias(CNAME)        dc2.ourdomain.com.
SID3                Alias(CNAME)        dc3.
*Computer SIDs that I didn't feel like typing out. I verified that the SIDs are correct.

This information is the same when viewing DNS on all three DCs. Note that the new DC (DC3) doesn't have an FQDN next to its SID. Pings to that SID fail, while pings to the other two SIDs succeed. So there's my problem.

I'm very hesitant to manually modify anything in _msdcs. What do you say? Can I fix this just by editing that last entry to an FQDN? Or do I need to modify it somewhere else?