Active Directory is tightly coupled with the Domain Name System (DNS) name resolution service. Windows clients and domain controllers alike use DNS to locate domain controllers that are housed in a particular site or that serve a particular function (such as a global catalog server). Each domain controller registers numerous resource records (RRs) in DNS to advertise its services as a domain controller, global catalog server, PDC Emulator, and so on.
One of the innovative uses of Active Directory is as a store for DNS data. Instead of using the primary and secondary zone transfer method, or even the more recent NOTIFY method (RFC 1996) to replicate zone data between non-AD integrated DNS servers, AD integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD integrated zones is that the DNS server must also be a domain controller, and overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan to support a large volume of DNS requests. You can integrate forward lookup zones, reverse lookup zones, and stub zones into Active Directory. Stub zones are used to maintain information about remote DNS zones and to reduce zone transfer traffic across WAN links. Additionally, you can use a GlobalNamesZone (GNZ), a manually maintained zone that is used to provide short name resolution on a DNS network: GNZ allows clients to resolve a hostname such as server1 via DNS instead of a fully qualified domain name such as server1.adatum.com. For a detailed description of resource records, zone types, and much more on DNS, see Chapter 8 of Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly).
The only time DNS data is stored in Active Directory is if you
have a zone that is AD integrated. When using standard primary and
secondary zones that are not AD integrated, the DNS data is stored
locally in the filesystem of each DNS server in zone
files. If you have an AD integrated zone configured for
legacy compatibility, a container is created in the following location:
cn=
<ZoneName>
,cn=MicrosoftDNS,cn=System,
<DomainDN>
,
where <ZoneName>
is the name of the
zone.
You can also use application partitions to store DNS data in an alternate location. By default, there are three replication options for DNS zones stored in Active Directory:
Replicate DNS data to all domain controllers in a domain.
Replicate DNS data to all domain controllers that are DNS servers in the domain.
Replicate DNS data to all domain controllers that are DNS servers in the forest.
The default location for the second option is dc=DomainDNSZones,
<DomainDN>
;
for the third option, it is dc=ForestDNSZones,
<ForestDN>
.
These two locations are actually application partitions that are
replicated only to the domain controllers that are DNS servers in the
domain or forest, respectively.
Inside the MicrosoftDNS
container is a dnsZone
object for
each AD integrated zone. Inside the dnsZone
container are dnsNode
objects that store all resource
records associated with a particular node. In the following text
representation of an A record, the dc1.adatum.com
name is considered a node (generally the left side of the resource
record):
dc1.adatum.com. 600 IN A 6.10.57.21
There could be multiple resource records associated with the
dc1.adatum.com name, so Microsoft decided to
implement each distinct name as a dnsNode
object. The dnsNode
object has a dnsRecord
attribute, which is multivalued and
contains all of the resource records associated with that node.
Unfortunately, the contents of that attribute are stored in a binary
format and are not directly readable.
Table 13-1 and Table 13-2 contain some of the
interesting attributes that are available on dnsZone
and dnsNode
objects.
Table 13-1. Attributes of dnsZone objects
Attribute | Description |
---|---|
| Relative distinguished
name of the zone. For example, the |
| Binary-formatted string that stores configuration information about the zone. |
| Approximate number of nodes contained within the zone. |
Table 13-2. Attributes of dnsNode objects
Attribute | Description |
---|---|
| Relative distinguished name of the node. |
| Binary-formatted multivalued attribute that stores the resource records associated with the node. |
| Boolean that indicates
whether the node is marked for deletion. |
You want to create a forward lookup zone. A forward lookup zone maps FQDNs to IP addresses or other names.
If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer”, then enter the server you want to connect to (if applicable) and click OK.
Expand the server in the left pane and click on Forward Lookup Zones.
Right-click on Forward Lookup Zones and select New Zone.
Click Next.
Select the zone type and click Next.
If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to. Click Next after you make your selection.
Enter the zone name and click Next.
Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.
Creating a Reverse Lookup Zone for creating a reverse lookup zone; “Add a Forward Lookup Zone”; MSDN: DNS WMI Provider; MSDN: CreateZone Method of the MicrosoftDNS_Zone Class
If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer”, then enter the server you want to connect to (if applicable) and click OK.
Expand the server in the left pane and click on Reverse Lookup Zones.
Right-click on Reverse Lookup Zones and select New Zone.
Click Next.
Select the zone type (Primary, Secondary, or Stub zone). To AD integrate the zone, place a checkmark next to “Store the zone in Active Directory (available only if DNS server is a writeable domain controller)” and click Next.
If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to: all DNS servers in the forest, all DNS servers in the domain, all domain controllers in the domain, or all DCs that are hosting a particular application partition. Click Next after you make your selection.
Type the Network ID for the reverse zone or enter a reverse zone name to use.
Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.
Creating a reverse zone is very similar to creating a forward zone. See Creating a Forward Lookup Zone for more information.
“Add a Reverse Lookup Zone”; MSDN: CreateZone Method of the MicrosoftDNS_Zone Class
When you click on either Forward Lookup Zones or Reverse Lookup Zones in the lefthand pane of the DMS MMC, the right pane contains a Type column that displays the zone type for each zone.
When you use the /enumzones
switch without additional parameters, it displays all of the zones on
the server. You can specify additional filters that limit the types of
zones returned, including the following:
/Primary
Lists both standard and Active Directory−integrated primary zones
/Secondary
Lists all standard secondary zones
/Forwarder
Lists all zones that forward unresolvable queries to another DNS server
/Stub
Lists all stub zones hosted on a server
/Cache
Lists zones that are loaded into cache on the server
/Auto-Created
Lists zones that were created automatically during the DNS server installation
/Forward
Lists all forward lookup zones
/Reverse
Lists all reverse lookup zones
/Ds
Lists all Active Directory−integrated zones
/File
Lists zones that are stored in text files
/DomainDirectoryPartition
Lists zones that are stored in the DomainDNSZones
partition
/ForestDirectoryPartition
Lists zones that are stored in the ForestDNSZones
partition
/CustomDirectoryPartition
Lists zones that are stored in a user-created directory partition
/LegacyDirectoryPartition
Lists zones that are stored in the domain NC
/DirectoryPartition
<PartitionName>
Lists zones that are stored in a particular application partition
You want to convert a standard primary zone to an AD integrated zone. This causes the contents of the zone to be stored and replicated in Active Directory instead of in a text file on the local server.
Right-click on DNS in the left pane and select Connect to DNS Server.
Enter the server you want to connect to and click Enter.
If you want to convert a forward zone, expand the Forward Lookup Zone folder. If you want to convert a reverse zone, expand the Reverse Lookup Zone folder.
Right-click on the zone you want to convert and select Properties.
Beside Type, click the Change button.
Check the box beside “Store the zone in Active Directory (available only if DNS server is a domain controller.”
See this chapter’s Introduction; Moving AD Integrated Zones into an Application Partition, and Active Directory, Fifth Edition by Brian Desmond et al. (O’Reilly) for more on AD integrated zones.
“Configure AD Integrated Zones”; MSDN: ChangeZoneType Method of the MicrosoftDNS_Zone Class
If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer”, and then enter the server you want to connect to (if applicable) and click OK.
Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone you want to manage.
Right-click on the name of the zone and select Properties.
Click on the Change button beside Replication.
Select the application partition you want to move the zone into.
Application partitions are user-defined partitions that can be configured to replicate with any domain controller in a forest. This provides flexibility for how you store and replicate your AD integrated zones. You could, in fact, have a few domain controllers from each domain act as DNS servers for all of your AD domains.
Chapter 17 for more information on application partitions
In the left pane, expand the server node and expand either Forward Lookup Zone or Reverse Lookup Zone, depending on the type of zone you want to manage.
Right-click on the zone and select Properties.
Select the Zone Transfers tab.
Select either the option to restrict zone transfers to those servers listed on the Name Servers tab or the option to restrict zone transfers to specific IP addresses. See this recipe’s Discussion for more on these two options.
The following command enables zone transfers for the test.local zone and specifies they can only occur with servers that have NS records in the zone (i.e., servers listed within the Name Servers tab of the DNS snap-in):
> dnscmd <ServerName>
/ZoneResetSecondaries test.local /SecureNs
The next command enables zone transfers for the same zone, but specifies they can only occur with hosts whose IP addresses are 172.16.11.33 and 172.16.11.34:
> dnscmd <ServerName>
/ZoneResetSecondaries test.local /SecureList 172.16.11.33172.16.11.34
Depending on your environment, your DNS implementation may require that you create secondary zones to allow for load balancing for busy DNS servers or remote sites connected by slow links. In this situation, you want to allow zone transfers to occur between your AD integrated DNS servers and your secondary servers, but you want to restrict which hosts can initiate zone transfers with your AD integrated name servers. Allowing anyone to initiate a zone transfer with your domain controllers could provide an attacker with information for mapping out your network; it is therefore critical that you limit which hosts can pull zone transfers from your servers.
If you are using only Active Directory−integrated zones, the Name Servers tab will be automatically populated with a list of all name servers that are authoritative for the selected zone, and this is the recommended choice when you have a large network with many name servers deployed. If any of your name servers are using standard zone files, however, you will need to populate this tab manually for any secondary name servers you deploy.
Specifying a list of IP addresses for hosts that can initiate zone transfers may be more secure since it is more specific, but this approach has the trade-off of creating the additional management overhead of keeping track of the IP addresses of all name servers on your network, so you should follow this approach only if your network is small and you have relatively few name servers deployed. Another disadvantage of this approach is that if you forget to add some IP addresses of name servers to your list, zone information stored on those servers could become stale, causing name resolution to fail for some of your clients. This could result in some of your users experiencing difficulties in accessing network resources.
DNS is secured, by default, because in the case of file-based zones, it is configured to allow zone transfers only with servers listed on the Name Servers tab of a zone. In the case of Active Directory integrated zones, DNS is configured to disallow zone transfers entirely—they generally aren’t needed in an Active Directory environment because the data replicates through Active Directory replication.
Connect to the DNS server you want to modify. In the left pane, right-click on DNS and select Connect to DNS Server. Select “The following computer” and enter the target server name. Click OK.
Right-click on the server and select Properties.
Click the Forwarders tab.
Click the Edit button.
Enter the IP address, or DNS name, of the destination DNS server.
Click OK twice.
The following command sets the default forwarders. Replace
<IPsOfForwarders>
with a
space-separated list of IP addresses for the name servers to forward
requests to:
> dnscmd<ServerName>
/resetforwarders<IPsOfForwarders>
For example:
> dnscmd dns01 /resetforwarders 10.22.3.4 10.22.3.5
The following command configures the default forwarder timeout:
> dnscmd<ServerName>
/config /forwardingtimeout<NumSeconds>
The following command configures the forwarder timeout for a specific domain:
> dnscmd<ServerName>
/config<DomainName>
/forwardertimeout<NumSeconds>
Name servers have long supported the notion of forwarders. Rather than sending all unresolved queries to the root Internet name servers, you can use forwarders to send queries to a specific server or set of servers, perhaps hosted by your ISP or by a partner corporation. This allows you to better control the name resolution process on your network.
Connect to the DNS server that you want to modify. In the left pane, right-click on DNS and select Connect to DNS Server. Select “The following computer” and enter the target server name. Click OK.
Expand the DNS server and then right-click on Conditional Forwarders. Click New Conditional Forwarder.
Enter the DNS name of the domain you wish to forward.
Enter the IP address or DNS name of the destination DNS server.
Choose whether to store the forwarder in Active Directory or to modify the query timeout period, and then click OK.
With conditional forwarding, you can forward unresolved queries for specific domains to different name servers. The most common use of conditional forwarding is when you have two or more noncontiguous namespaces. Consider, for example, a merger between the adatum.com and othercorp.com corporations. Normally, for the name servers of adatum.com to resolve queries for othercorp.com, the queries would have to first be forwarded to the root Internet name servers. With conditional forwarding, you can configure the adatum.com DNS servers so that all requests for othercorp.com should be sent directly to the othercorp.com name servers and all other unresolved queries should be sent to the Internet, and vice versa. The trade-off for this feature is the additional CPU processing that’s necessary to examine each query and forward it to the appropriate server, rather than just funneling all unresolved queries to a single external server.
If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer”, and then enter the server you want to connect to (if applicable) and click OK.
Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone.
Right-click on the name of the zone and select Properties.
Click on the Security tab.
Click the Add button.
Use the Object Picker to locate the user or group to which you want to delegate control.
Under Permissions, check the Full Control box.
Click OK.
The following command grants full control over managing the resource records in an AD integrated zone:
> dsacls dc=<ZoneName>
,cn=MicrosoftDNS,<DomainOrAppPartitionDN>
/G<UserOrGroup>
:GA
The following script delegates full control of an AD integrated DNS zone to a particular user or group:
$Path = [ADSI]"LDAP://dc=<ZoneName>
,cn=MicrosoftDNS,cn=System,<DomainOrAppPartitionDN>
" $Group = New-Object System.Security.Principal.NTAccount("<UserorGroup>
") $IdentityReference = $Group.Translate([System.Security.Principal.SecurityIdentifier]) $Perms = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($IdentityReference,"GenericAll","Allow") $Path.psbase.ObjectSecurity.AddAccessRule($Perms) $Path.psbase.commitchanges()
By default, members of the DNSAdmins group have control over DNS server and zone configuration. You can delegate control of individual AD integrated zones by modifying permissions on the zone object in AD. The solutions show examples for how to grant full control to an additional user or group over a particular zone.
If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer,” and then enter the server you want to connect to (if applicable) and click OK.
If you want to add or delete a record in a forward zone, expand the Forward Lookup Zone folder. If you want to add or delete a record for a reverse zone, expand the Reverse Lookup Zone folder.
To create a resource record, do the following:
In the left pane, right-click the zone and select the option that corresponds to the record type you want to create—for example, New Host (A).
Fill in all required fields.
Click OK.
To delete a resource record, do the following:
In the left pane, click on the zone the record is in.
In the right pane, right-click on the record you want to delete and select Delete.
Click Yes to confirm.
To add a resource record, use the following command:
> dnscmd<DNSServerName>
/recordadd<ZoneName>
<NodeName>
<RecordType>
<RRData>
The following command adds an A record in the adatum.com zone:
> dnscmd dc1 /recordadd adatum.com Server01 A 192.168.52.2
To delete a resource record, use the following command:
> dnscmd<DNSServerName>
/recorddelete<ZoneName>
<NodeName>
<RecordType>
<RRData>
The following command deletes an A record in the adatum.com zone:
> dnscmd dc1 /recorddelete adatum.com wins01 A 192.168.52.2
There are several PowerShell cmdlets available to create resource records for DNS zones:
Add-DnsServerResourceRecord
This cmdlet adds an available resource record for a given zone.
Add-DnsServerResourceRecordA
This cmdlet adds an A type record for IPv4 hosts in a given zone.
Add-DnsServerResourceRecordAAAA
This cmdlet adds an AAAA type record for IPv6 hosts in a given zone.
Add-DnsServerResourceRecordCName
This cmdlet adds a CNAME type record for a given zone.
Add-DnsServerResourceRecordDnsKey
This cmdlet adds a DNS Key record for DNSSEC zones.
Add-DnsServerResourceRecordDS
This cmdlet creates a Delegation of Signing record for a signed zone file.
Add-DnsServerResourceRecordMX
This cmdlet creates an MX record for mail records in a given zone.
Add-DnsServerResourceRecordPtr
This cmdlet creates a PTR record for reverse DNS lookup.
The following will add an A record named Host01 that corresponds to the IP address 10.0.0.3, in the adatum.com zone:
Add-DnsServerResourceRecordA -Name "Host01" -IPv4Address "10.0.0.3" -ZoneName "adatum.com"
The following will delete an A record named Host01, without prompting for confirmation, from the adatum.com zone:
Remove-DnsServerResourceRecord -ZoneName "adatum.com" -Name "Host01" -RRType "A" -Force
The DNS Management snap-in is good for creating a small number of records, but if you need to add or delete more than a couple of dozen, then we’d recommend writing a PowerShell script to automate the process.
Adding A, CNAME, and PTR resource records is pretty
straightforward in terms of the data you must enter, but other record
types, such as SRV, require quite a bit more data. The help pages for
/recordadd
and /recorddelete
display the required
information for each record type. For example, to add an SRV record
using dnscmd, you need to specify the priority,
weight, port, and hostname of the record, as in the following example:
> dnscmd /recordadd adatum.com dc1.adatum.com SRV _kerberos 50 100 88
If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer.” and then enter the server you want to connect to (if applicable) and click OK.
Expand the lookup zone folder and then select the zone you wish to filter.
Right-click the zone name and select View→Filter.
Enter the filter parameters and then click OK.
You can leave off the -type
switch, and the command will find any A, PTR, and CNAME records that
match <RecordName>
.
You can also run nslookup from interactive
mode, which can be entered by typing nslookup
at a command prompt with no
additional parameters, or you can switch back and forth between query
types by using the set q=ANY
command to reset nslookup. Interactive mode
allows you to issue a series of queries with more efficiency because
you don’t have to type nslookup
or
wait for the initial connection to the DNS server.
If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer”, and then enter the server you want to connect to (if applicable) and click OK.
Right-click on the server and select Properties.
Edit the server settings from the tabs that are displayed.
Click OK to commit the changes after you complete your modifications.
With the following command, replace
<Setting>
with the name of the
setting to modify and <Value>
with
the value to set:
> dnscmd<DNSServerName>
/config /<Setting>
<Value>
The following command enables the EnableDnsSec
setting on
dns01:
> dnscmd dns01 /config /EnableDnsSec 1
The following command disables the NoTcp
setting on the local host:
> dnscmd /config /NoTcp 0
The following command sets the DsPollingInterval
setting to 60 on
dns02:
> dnscmd dns02 /config /DsPollingInterval 60
For the complete list of settings, run dnscmd /config
from the command line.
The Microsoft DNS server supports a variety of settings to
configure everything from scavenging and forwarders to logging. With the
DNS Management snap-in, the settings are spread over several tabs in the
Properties page. You can get a list of these settings by simply running
dnscmd /config
from a command
line.
You want to scavenge old resource records. DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically, this applies only to resource records that were added via dynamic DNS (DDNS), but you can also scavenge manually created static records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.
The following solutions will show how to enable automatic scavenging on all AD integrated zones.
If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer”, and then enter the server you want to connect to (if applicable) and click OK.
Click on the server, right-click on it, and select “Set Aging/Scavenging for all zones”.
Check the box beside “Scavenge stale resource records”.
Configure the No-Refresh and Refresh intervals as necessary, and click OK.
Check the box beside “Apply these settings to the existing Active Directory-integrated zones” and click OK.
Right-click on the server again and select Properties.
Select the Advanced tab.
Check the box beside “Enable automatic scavenging of stale resource records”.
Configure the scavenging period as necessary.
> dnscmd<DNSServerName>
/config /ScavengingInterval<ScavengingMinutes
> > dnscmd<DNSServerName>
/config /DefaultAgingState 1 > dnscmd<DNSServerName>
/config /DefaultNoRefreshInterval<NoRefreshMinutes
> > dnscmd<DNSServerName>
/config /DefaultRefreshInterval<RefreshMinutes
> > dnscmd<DNSServerName>
/config ..AllZones /aging 1
There are four settings that you need to be aware of before enabling scavenging. You must use caution when enabling scavenging, because an incorrect configuration could lead to resource records getting deleted by mistake.
The first setting you have to configure is the scavenging interval. This is the interval in which the DNS server will kick off the scavenging process. It is disabled by default so that scavenging does not take place unless you enable this setting. The default value is seven days.
The second setting is the default aging configuration
setting for new zones. If you want all new zones to be
configured for scavenging, set this to 1
.
The next two settings control how records get scavenged. The no-refresh interval determines how much time must pass before a dynamically updated record can be updated again. This setting is necessary to reduce how often a DNS server has to update its timestamp of the resource record. The default value is seven days. This means that after a resource record has been dynamically updated, the server will not accept another dynamic update for the same record for another seven days. However, if the IP address or some other data for the record changes, the server will still accept the new information. Static records have a timestamp of 0 and will not get scavenged in an automated scavenging process.
The refresh interval setting is the amount of time that must pass after the no-refresh interval during which a client can update its record before it is considered old or stale. The default value for this setting is also 168 hours (seven days). If you use the default values, the combination of the no-refresh interval and refresh interval would mean that a dynamically updated record would not be considered stale for up to 14 days after its most recent update. Combine this with the default scavenging interval, and it could be up to 21 days before a record is deleted if the record became stale immediately after the last scavenge process completed: 7 days (no refresh) + 7 days (refresh) + up to 7 days (scavenge process) = up to 21 days.
The solutions in this recipe show you how to configure these
settings for all zones that are hosted on a server; however, you can
configure these settings for individual zones as well. In the GUI
solution, you would do this by accessing the Properties sheet of an
individual zone rather than the server node; in
dnscmd, simply specify the zone name after /aging
, /scavenginginterval
, /defaultagingstate
, /defaultnorefreshinterval
, or /defaultrefreshinterval
.
You want to clear the DNS cache. The DNS cache contains resource records that are cached by the server or workstation for a period of time in memory so that repeated requests for the same record can be returned immediately. There are two types of DNS cache. One pertains to the cache on the Windows DNS client resolver (this can refer to both server and workstation operating systems when they are requesting DNS information from a server), and the other refers to the cache used by the Microsoft DNS server software.
To flush the client resolver cache, use the following command:
> ipconfig /flushdns
To flush the client resolver cache by using PowerShell, use the following cmdlet:
Clear-DnsClientCache
To flush the DNS server cache, use any of the following solutions.
The client resolver cache is populated whenever a DNS lookup is performed on a workstation or server (e.g., by visiting a website in Internet Explorer, a DNS lookup is performed and cached). It’s important to remember that this cache will store positive DNS responses as well as negative ones. For example, if lost network connectivity causes DNS queries for an external resource like a mail server to fail, those queries will continue to fail until the cache refreshes: the queries have been negatively cached.
The second type of cache is in place on Microsoft DNS servers and on some third-party DNS servers. It is a cache of all DNS requests that the server has made while processing queries from various clients. You can view this cache by browsing the Cached Lookups folder for a server in the DNS Management snap-in. This folder is not shown by default, so you’ll need to select Advanced from the View menu.
With both the client and server cache, records are removed from the cache after the record’s TTL value expires. The TTL is used to age records so that clients and servers will request an updated copy of the record at a later point in order to receive any changes that may have occurred.
You want to verify that DNS is configured correctly so that a domain controller can register its resource records, which are needed for clients to be able to locate various AD services.
With the following dcdiag command, replace
<DomainName>
with the FQDN of the
domain that the domain controller is in. This command has to be run
from the domain controller you want to test, not from an
administrative workstation:
> dcdiag /test:RegisterInDNS /DnsDomain:<DomainName>
Starting test: RegisterInDNS
DNS configuration is sufficient to allow this domain controller to dynamically register the domain controller
Locator records in DNS.
The DNS configuration is sufficient to allow this computer to dynamically register the A record corresponding to its DNS name.
With the default setup, domain controllers attempt to dynamically register the resource records necessary for them to be located by Active Directory clients and other domain controllers. Domain controllers must have their resource records populated in DNS in order to function, but it can be very tedious and error-prone to register all of the records manually. This is why allowing the domain controllers to use DDNS to automatically register and update their records can be much easier from a support standpoint.
The dcdiag command provides a RegisterInDNS
switch that allows you to test
whether the DC can register its records. In the solution, we showed the
output if the domain controller passes the test.
Here is the output if an error occurs:
Starting test: RegisterInDNS This domain controller cannot register domain controller Locator DNSrecords. This is because it cannot locate a DNS server authoritative for thezone adatum.com. This is due to one of the following: 1. One or more DNS servers involved in the name resolution of the adatum.com name are not responding or contain incorrect delegation of the DNS zones; or 2. The DNS server that this computer is configured with contains incorrect root hints. The list of such DNS servers might include the DNS servers with which this computer is configured for name resolution and the DNS servers responsiblefor the following zones: adatum.com Verify the correctness of the specified domain name and contact yournetwork/DNS administrator to fix the problem. You can also manually add the records specified in the %systemroot%system32config etlogon.dns file.
As you can see, the output of dcdiag offers some options for resolving the problem. The information provided will also vary depending on the error encountered.
Registering a Domain Controller’s Resource Records for registering a domain controller’s resource records
From the Administrative Tools, Open the DNS Management snap-in (dnsmgmt.msc).
Connect to the DNS Server you want to modify. In the left pane, right-click on DNS and select Connect to DNS Server. Select “The following computer” and enter the target server name. Click OK.
Right-click on the server and select Properties.
Click on the Debug Logging tab.
Select what you want to log and the location of the logfile.
Click OK.
Use the following four commands to enable debug logging. For the log level, you have to add together the event codes you want logged and specify the result in hex. The available event codes can be found in Table 13-3.
> dnscmd<ServerName>
/Config /LogLevel<EventFlagSumInHex>
Use the following command to specify the location of the logfile:
> dnscmd<ServerName>
/Config /LogFilePath<DirectoryAndFilePath>
Use the following command to log only entries that pertain to certain IP addresses:
> dnscmd<ServerName>
/Config /LogIPFilterList<IPAddress1>
[,<IPAddress2>
...]
Use the following command to specify the maximum logfile size:
> dnscmd<ServerName>
/Config /LogFileMaxSize<NumberOfBytesInHex>
Use the following command to disable debug logging:
> dnscmd <ServerName>
/Config /LogLevel 0
With the DNS Server debug log, you can record all DNS operations
received and initiated by the server, including queries, updates, zone
transfers, etc. If you need to troubleshoot a particular host, you can
use the LogIPFilterList
setting in
dnscmd or the WMI DNS Provider to restrict the log
to operations performed only for or by that host.
The most important debug log setting is the log level. With the DNS snap-in, you can select from a list of available options. The DNS snap-in provides an intuitive interface for selecting the required options. Table 13-3 contains all of the event codes with their hexadecimal and decimal values for the command-line options.
Table 13-3. DNS debug logging event codes
Hexadecimal value | Decimal value | Descriptions |
---|---|---|
0x0 | 0 | No logging. This is the default. |
0x1 | 1 | Query transactions. |
0x10 | 16 | Notifications transactions. |
0x20 | 32 | Update transactions. |
0xFE | 254 | Nonquery transactions. |
0x100 | 256 | Question packets. |
0x200 | 512 | Answer packets. |
0x1000 | 4096 | Send packets. |
0x2000 | 8192 | Receive packets. |
0x4000 | 16384 | UDP packets. |
0x8000 | 32768 | TCP packets. |
0xFFFF | 65535 | All packets. |
0x10000 | 65536 | AD write transactions. |
0x20000 | 131072 | AD update transactions. |
0x1000000 | 16777216 | Full packets. |
0x80000000 | 2147483648 | Write-through transactions. |
DNS debug logging can come in handy if you want to look at the dynamic update requests a particular DNS server is processing. For example, if a client or DHCP server is attempting to dynamically register records, you can enable the Update Transactions log category on the DNS server you think should be processing the updates. If you don’t see any update transactions, this can indicate that another server is processing the dynamic update requests.
Transactions are not immediately written to the debug logfile as they occur. They are buffered and written to the file after a certain number of requests are processed.
You want to manually force registration of a domain controller’s resource records. This may be necessary if you’ve made some configuration changes on your DNS servers to allow your domain controllers to start dynamically registering resource records.
With the nltest command, a /dsregdns
switch allows you to force
registration of the domain-controller-specific resource records. You can
also force reregistration of its resource records by restarting the
NetLogon service on the domain controller. The NetLogon service
automatically attempts to reregister a domain controller’s resource
records every hour, so if you can wait that long, you do not need to use
nltest.
Verifying That a Domain Controller Can Register Its Resource Records for verifying whether a domain controller is registering its resource records
When a domain controller is demoted from a domain, it dynamically deregisters its resource records. This is a nice feature of the demotion process because it means you do not have to manually remove all of the resource records or wait for scavenging to remove them. If, however, you have a domain controller that crashes and you do not plan to bring it back online, you’ll need to remove the records manually or wait for the scavenging process to take place.
You can use the DNS Management MMC snap-in and even the dnscmd.exe utility to manually remove them one by one, or you can use nltest, as shown in the solution.
The /dsderegdns
switch also has
/DomGUID
and /DsaGUID
options if you want to delete the
records that are based on the domain GUID and DSA GUID, respectively.
You need to know the actual GUIDs of the domain and domain controller to
use those switches, so if you don’t have them handy, it would be easier
to delete them using the DNS Management MMC snap-in.
You want to prevent a domain controller from dynamically registering its resource records using DDNS. If you manually register a domain controller’s resource records, you’ll want to prevent those domain controllers from attempting to dynamically register them. If you do not disable them from sending dynamic update requests, you may see annoying error messages on your DNS servers that certain DDNS updates are failing.
> reg add HKLMSystemCurrentControlSetServicesNetlogonParameters /v↵ UseDynamicDNS /t REG_DWORD /d 0 The operation completed successfully. > net stop netlogon The Net Logon service is stopping. The Net Logon service was stopped successfully. > del %SystemRoot%system32config etlogon.dnb > net start netlogon The Net Logon service is starting....... The Net Logon service was started successfully.
$strRegPath = "HKLM:SystemCurrentControlSetServicesNetlogonParameters" new-ItemProperty -path $strRegPath -name "UseDynamicDNS" -type DWORD set-ItemProperty -path $strRegPath -name "UseDynamicDNS" -value "0" Stop-Service netlogon $strPath = join-path (get-content env:SystemRoot) system32config etlogon.dnb Remove-Item $strPath Start-Service netlogon
By default, domain controllers attempt to dynamically register
their Active Directory−related resource records every hour via the
NetLogon service. You can prevent a domain controller from doing this by
setting the UseDynamicDNS
value to
0
under HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNetlogonParameters.
After you set that value, you should stop the NetLogon service, remove
the %SystemRoot%system32config
etlogon.dnb
file and then restart NetLogon. It is necessary to remove the netlogon.dnb file because it maintains a
cache of the resource records that are dynamically updated. This file
will get re-created when the NetLogon service restarts.
Preventing a Domain Controller from Dynamically Registering Certain Resource Records for preventing certain resource records from being dynamically registered; MS KB 198767 (How to Prevent Domain Controllers from Dynamically Registering DNS Names)
You want to prevent a domain controller from dynamically registering certain resource records. It is sometimes advantageous to prevent certain resource records from being dynamically registered. For example, if you want to reduce the load on the PDC Emulator for a domain, you can prevent some of its SRV records from being published, which would reduce the amount of client traffic the server receives.
Create a GPO linked to the Domain Controllers OU, or else edit an existing GPO.
Select Computer Configuration→Policies→Administrative Templates→System→Net Logon→DC Locator DNS Records.
Enable the “Specify DC Locator DNS records not registered by the DCs” setting, and list one or more of the following record types that should not be registered:
Dc
DcAtSite
DcByGuid
Gc
Gc
GcAtSite
GcIpAddress
GenericGc
Kdc
Ldap
LdapIpAddress
Rfc1510Kdc
Rfc1510Kpwd
Rfc1510UdpKdc
Rfc1510UdpKpwd
This command will disable the Ldap
, Gc
,
and GcIpAddress
resource records
from being dynamically registered:
> reg add HKLMSystemCurrentControlSetServicesNetlogonParameters /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /d Ldap Gc GcIpAddress > net stop netlogon > del %SystemRoot%system32config etlogon.dnb > net start netlogon
$strRegPath = "HKLM:SystemCurrentControlSetServicesNetlogonParameters" $arrValues = "Ldap", "Gc", "GcIpAddress" New-ItemProperty -Path $strRegPath -Name "DnsAvoidRegisterRecords" -TypeMultiString Set-ItemProperty -Path $strRegPath -Name "DnsAvoidRegisterRecords" -Value$arrValues Stop-Service netlogon $strPath = Join-Path (Get-Content env:SystemRoot) system32config etlogon.dnb Remove-Item $strPath Start-Service netlogon
The procedure to disable registration of certain resource records
is very similar to that described in Preventing a Domain Controller from Dynamically Registering All
Resource Records for preventing all
resource records from being dynamically registered; however, in this
case you need to create a value called DnsAvoidRegisterRecords
under the HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNetlogonParameters
key. The type for DnsAvoidRegisterRecords
should be REG_MULTI_SZ
, and the data should be a
whitespace-separated list of mnemonics. Mnemonics are used to represent
various resource records that domain controllers register. The complete
list of mnemonics is included in Table 13-4.
You can also control these values using Group Policy, in Computer ConfigurationPoliciesAdministrative TemplatesSystemNetlogon.
Table 13-4. Registry mnemonics for resource records
Registry mnemonic | Resource record type | Resource record name |
---|---|---|
| A |
|
| SRV |
|
| SRV |
|
| SRV |
|
| SRV |
|
| SRV |
|
| SRV |
|
| A |
|
| CNAME |
|
| SRV |
|
| SRV |
|
| SRV |
|
| SRV |
|
| SRV |
|
| SRV |
|
| SRV |
|
| SRV |
|
| SRV |
|
| SRV |
|
| SRV |
|
If you configure DCs not to register these domain-wide SRV records, such as in a branch office environment, your branch office clients will still fail over to DCs in your hub site if their local DC becomes unavailable. Clients will continue to use the hub site DCs until they are rebooted, even if the local DC comes back online. MS KB 939252 provides a hotfix for Windows XP and Windows Server 2003 that will improve client failover behavior in this scenario. In Windows operating systems since Windows XP, there is improvement and built-in control available. See TechNet for more details.
Preventing a Domain Controller from Dynamically Registering All Resource Records for preventing all resource records from being dynamically registered
Create an LDIF file called add_dns_suffix.ldf with the following contents:
dn:<DomainDN>
changetype: modify add: msDS-AllowedDNSSuffixes msDS-AllowedDNSSuffixes:<DNSSuffix>
-
Then run the following command:
> ldifde -v -i -f add_dns_suffix.ldf.ldf
You can also make this change using AdMod, as follows:
> admod -b<DomainDN>
msDS-AllowedDNSSuffixes:+:<DNSSuffix>
Windows Server and client domain members dynamically maintain the
dNSHostName
and servicePrincipalName
attributes of their
corresponding computer
object in
Active Directory with their current hostname. By default, those
attributes can only contain hostnames that have a DNS suffix equal to
the Active Directory domain the computer is a member of.
If the computer’s DNS suffix is not equal to the Active Directory
domain, as may be the case during a domain migration or a corporate
merger or consolidation, 5788 and 5789 events will be generated in the
System event log on the domain controllers the clients attempt to
update. These events report that the dnsHostName
and servicePrincipalName
attributes could not be
updated due to an incorrect domain suffix. You can avoid this by adding
the computer’s DNS suffix to the msDS-AllowedDNSSuffixes
attribute on the
domain object (e.g., dc=adatum,dc=com
).
You want to permit (i.e., authorize) a DHCP server to process DHCP requests from clients. This is necessary only if the DHCP server is a member of an Active Directory domain.
Open the DHCP snap-in (dhcpmgmt.msc).
If necessary, in the left pane, right-click on DHCP and select Add Server. Type in the name of the DHCP server you want to target and click OK.
Click on the server entry in the left pane.
Right-click on the server and select Authorize.
If the DHCP server is not a member of an Active Directory domain, you will not see the Authorize option.
Windows-based DHCP servers that belong to an Active Directory domain must be authorized before they can give leases to clients. This feature helps reduce the danger of a rogue Windows DHCP server that an end user sets up, perhaps even unintentionally.
However, this still doesn’t prevent someone from plugging in a non-Windows DHCP server (e.g., a Linksys router with the DHCP server enabled) and causing clients to receive bad leases. A rogue DHCP server can provide incorrect lease information or deny lease requests altogether, ultimately causing a denial of service for clients on your network.
A DHCP server that is a member server of an Active Directory domain performs a query in Active Directory to determine whether it is authorized. If it is, it will respond to DHCP requests; if not, it will not respond to requests.
A standalone Windows DHCP server that is not a member of an Active Directory domain sends out a DHCPINFORM message when it first initializes. If an authorized DHCP server responds to the message, the standalone server will not respond to any further DHCP requests. If it does not receive a response from a DHCP server, it will respond to client requests and distribute leases.
DHCP servers are represented in Active Directory as objects of the
dhcpClass
class, in the cn=NetServices,cn=Services,cn=Configuration,
<ForestRootDN>
container. The relative distinguished name of these objects is the IP
address of the DHCP server. There is also an object in the same
container named cn=dhcpRoot
, which is
created after the first DHCP server is authorized. It has an attribute
named dhcpServers
that contains all
authorized servers. By default, only members of the Enterprise
Admins group can authorize DHCP servers. However, you can
delegate the rights to authorize a DHCP server. Do the following to
delegate the necessary permissions to a group called DHCP
Admins:
Open ADSI Edit from the Support Tools while logged on as a member of the Enterprise Admins group.
In the left pane, expand the Configuration
Container→cn=Configuration
→cn=Services
→cn=NetServices
.
Right-click on cn=NetServices
and select
Properties.
Select the Security tab.
Click the Advanced button.
Click the Add button.
Use the object picker to select the DHCP Admins group.
Check the boxes under “Create dHCPClass objects” and “Delete dHCPClass objects.”
Click OK until all dialog boxes are closed.
Back in ADSI Edit, right-click on cn=dhcpRoot
(if you’ve previously
authorized DHCP servers) and select Properties.
Select the Security tab.
Click the Advanced button.
Click the Add button.
Use the object picker to select the DHCP Administrators group.
Check the boxes under Allow for Write All Properties.
Click OK until all dialog boxes are closed.
If the DHCP Administrators group does not exist, run the following command on a DHCP server or on a computer with the DHCP management tool installed:
netsh dhcp add securitygroups
You can quickly determine whether a DHCP server has been authorized by looking at its server node in the left pane of the DHCP snap-in. If the icon has a little red flag, it isn’t authorized; if the flag is green, it is authorized.
“Controlling DHCP Active Directory Authorization”
Open the Active Directory Users and Computers MMC snap-in (dsa.msc).
In the console tree, click Active Directory Users and
Computers→<DomainName>
→Users.
In the Details pane, click DHCP Administrators.
Click Action→Properties→Members.
Remove all users and groups you do not want to have administering your DHCP server by clicking their names and then clicking Remove.
To add new DHCP administrators, click Add, provide the user or group name, and then click OK.
Click OK.
Add a member to a group with DSMod by passing the -addmbr
option:
> dsmod group "<GroupDN>
" -addmbr "<MemberDN>
"
To add a group member with AdMod, use the following syntax:
> admod -b "<GroupDN>
" member:+:"<MemberDN>
"
Remove a member from a group with DSMod by passing the -rmmbr
option:
> dsmod group "<GroupDN>
" -rmmbr "<MemberDN>
"
To remove a group member with AdMod, use the following syntax:
> admod -b "<GroupDN>
" member:-:"<MemberDN>
"
Replace the complete membership list with DSMod by passing the
-chmbr
option:
> dsmod group "<GroupDN>
" -chmbr "<Member1DN Member2DN ...>
"
To replace the membership of a group with AdMod, use the following command:
> admod -b "<GroupDN>
" member:+-:"<Member1DN>
;<Member2DN>
;<Member3DN>
"
In Active Directory, most roles can be assigned independently of one another rather than just by making a user a Domain Admin or an Enterprise Admin. This is great for security administrators who want to ensure that users have only enough rights to perform their assigned tasks. For example, a user Fred might need to modify an enterprise-wide object. You could just add Fred to the Enterprise Admin groups to solve the problem. However, Fred now has access to virtually any object in the entire forest and could cause irreparable harm to your network, not to mention compromising all security in place. Instead, you can grant Fred access to just that object.
This can be done in different ways. One method is to use the Delegation of Control Wizard. Another way is to use the several built-in groups in Windows that are created and populated when specific services are installed. One such group is DHCP Administrators, which is created when the first DHCP server is brought up in a domain. You can control administrative access to the DHCP function of these servers through this group membership.
Nondomain joined computers also have a DHCP Administrators group. This is a local group on each computer and must be managed separately on each server.
3.138.37.174