Chapter 13. DNS and DHCP

Introduction

Active Directory is tightly coupled with the Domain Name System (DNS) name resolution service. Windows clients and domain controllers alike use DNS to locate domain controllers that are housed in a particular site or that serve a particular function (such as a global catalog server). Each domain controller registers numerous resource records (RRs) in DNS to advertise its services as a domain controller, global catalog server, PDC Emulator, and so on.

One of the innovative uses of Active Directory is as a store for DNS data. Instead of using the primary and secondary zone transfer method, or even the more recent NOTIFY method (RFC 1996) to replicate zone data between non-AD integrated DNS servers, AD integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD integrated zones is that the DNS server must also be a domain controller, and overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan to support a large volume of DNS requests. You can integrate forward lookup zones, reverse lookup zones, and stub zones into Active Directory. Stub zones are used to maintain information about remote DNS zones and to reduce zone transfer traffic across WAN links. Additionally, you can use a GlobalNamesZone (GNZ), a manually maintained zone that is used to provide short name resolution on a DNS network: GNZ allows clients to resolve a hostname such as server1 via DNS instead of a fully qualified domain name such as server1.adatum.com. For a detailed description of resource records, zone types, and much more on DNS, see Chapter 8 of Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly).

The Anatomy of a DNS Object

The only time DNS data is stored in Active Directory is if you have a zone that is AD integrated. When using standard primary and secondary zones that are not AD integrated, the DNS data is stored locally in the filesystem of each DNS server in zone files. If you have an AD integrated zone configured for legacy compatibility, a container is created in the following location: cn=<ZoneName>,cn=MicrosoftDNS,cn=System,<DomainDN>, where <ZoneName> is the name of the zone.

You can also use application partitions to store DNS data in an alternate location. By default, there are three replication options for DNS zones stored in Active Directory:

  • Replicate DNS data to all domain controllers in a domain.

  • Replicate DNS data to all domain controllers that are DNS servers in the domain.

  • Replicate DNS data to all domain controllers that are DNS servers in the forest.

The default location for the second option is dc=DomainDNSZones,<DomainDN>; for the third option, it is dc=ForestDNSZones,<ForestDN>. These two locations are actually application partitions that are replicated only to the domain controllers that are DNS servers in the domain or forest, respectively.

Inside the MicrosoftDNS container is a dnsZone object for each AD integrated zone. Inside the dnsZone container are dnsNode objects that store all resource records associated with a particular node. In the following text representation of an A record, the dc1.adatum.com name is considered a node (generally the left side of the resource record):

dc1.adatum.com. 600 IN A 6.10.57.21

There could be multiple resource records associated with the dc1.adatum.com name, so Microsoft decided to implement each distinct name as a dnsNode object. The dnsNode object has a dnsRecord attribute, which is multivalued and contains all of the resource records associated with that node. Unfortunately, the contents of that attribute are stored in a binary format and are not directly readable.

Table 13-1 and Table 13-2 contain some of the interesting attributes that are available on dnsZone and dnsNode objects.

Table 13-1. Attributes of dnsZone objects

Attribute

Description

Dc

Relative distinguished name of the zone. For example, the dc=domaindnszones,dc=adatum,dc=com dnsZone object has a dc attribute value of adatum.com.

dnsProperty

Binary-formatted string that stores configuration information about the zone.

msDS-Approx-Immed-Subordinates

Approximate number of nodes contained within the zone.

Table 13-2. Attributes of dnsNode objects

Attribute

Description

dc

Relative distinguished name of the node.

dnsRecord

Binary-formatted multivalued attribute that stores the resource records associated with the node.

dnsTombstoned

Boolean that indicates whether the node is marked for deletion. FALSE means that it is not and TRUE means that it is.

Creating a Forward Lookup Zone

Problem

You want to create a forward lookup zone. A forward lookup zone maps FQDNs to IP addresses or other names.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer”, then enter the server you want to connect to (if applicable) and click OK.

  3. Expand the server in the left pane and click on Forward Lookup Zones.

  4. Right-click on Forward Lookup Zones and select New Zone.

  5. Click Next.

  6. Select the zone type and click Next.

  7. If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to. Click Next after you make your selection.

  8. Enter the zone name and click Next.

  9. Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

Using a command-line interface

The following command creates an AD integrated zone:

> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

Using PowerShell

The following PowerShell code will create an Active Directory−integrated forward lookup zone:

Add-DnsServerPrimaryZone -Name "<ZoneName>" -ReplicationScope "Domain" -DynamicUpdate "Secure"

Discussion

Using a command-line interface

When you create an AD integrated zone with the /DsPrimary switch, you can additionally include a /dp switch and specify an application partition to add the zone to. Here is an example:

> dnscmd /zoneadd "<ZoneName>" /DsPrimary /dp domaindnszones.adatum.com

Using PowerShell

Since PowerShell provides a built-in way to easily create any type of DNS zone, this method can be quicker and more efficient than using the graphical user interface:

Add-DnsServerPrimaryZone "<ZoneName>" -ReplicationScope Domain

See Also

Creating a Reverse Lookup Zone for creating a reverse lookup zone; “Add a Forward Lookup Zone”; MSDN: DNS WMI Provider; MSDN: CreateZone Method of the MicrosoftDNS_Zone Class

Creating a Reverse Lookup Zone

Problem

You want to create a reverse lookup zone. A reverse lookup zone maps IP addresses to names.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer”, then enter the server you want to connect to (if applicable) and click OK.

  3. Expand the server in the left pane and click on Reverse Lookup Zones.

  4. Right-click on Reverse Lookup Zones and select New Zone.

  5. Click Next.

  6. Select the zone type (Primary, Secondary, or Stub zone). To AD integrate the zone, place a checkmark next to “Store the zone in Active Directory (available only if DNS server is a writeable domain controller)” and click Next.

  7. If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to: all DNS servers in the forest, all DNS servers in the domain, all domain controllers in the domain, or all DCs that are hosting a particular application partition. Click Next after you make your selection.

  8. Type the Network ID for the reverse zone or enter a reverse zone name to use.

  9. Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

Using a command-line interface

The following command creates an AD integrated reverse zone:

> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

Using PowerShell

The following PowerShell command will create an Active Directory−integrated reverse lookup zone:

Add-DnsServerPrimaryZone 0.168.192.in-addr.arpa -ReplicationScope "Domain" -DynamicUpdate "Secure"

Discussion

Creating a reverse zone is very similar to creating a forward zone. See Creating a Forward Lookup Zone for more information.

See Also

“Add a Reverse Lookup Zone”; MSDN: CreateZone Method of the MicrosoftDNS_Zone Class

Viewing a Server’s Zones

Problem

You want to view the zones on a server.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. Right-click on DNS in the left pane and select Connect to DNS Server.

  3. Enter the server you want to connect to and click Enter.

  4. In the left pane, expand the server and click Forward Lookup Zones and Reverse Lookup Zones to view the hosted zones.

Using a command-line interface

> dnscmd <DNSServerName> /enumzones

Using PowerShell

Get-DnsServerZone

Discussion

Using a graphical user interface

When you click on either Forward Lookup Zones or Reverse Lookup Zones in the lefthand pane of the DMS MMC, the right pane contains a Type column that displays the zone type for each zone.

Using a command-line interface

When you use the /enumzones switch without additional parameters, it displays all of the zones on the server. You can specify additional filters that limit the types of zones returned, including the following:

/Primary

Lists both standard and Active Directory−integrated primary zones

/Secondary

Lists all standard secondary zones

/Forwarder

Lists all zones that forward unresolvable queries to another DNS server

/Stub

Lists all stub zones hosted on a server

/Cache

Lists zones that are loaded into cache on the server

/Auto-Created

Lists zones that were created automatically during the DNS server installation

/Forward

Lists all forward lookup zones

/Reverse

Lists all reverse lookup zones

/Ds

Lists all Active Directory−integrated zones

/File

Lists zones that are stored in text files

/DomainDirectoryPartition

Lists zones that are stored in the DomainDNSZones partition

/ForestDirectoryPartition

Lists zones that are stored in the ForestDNSZones partition

/CustomDirectoryPartition

Lists zones that are stored in a user-created directory partition

/LegacyDirectoryPartition

Lists zones that are stored in the domain NC

/DirectoryPartition <PartitionName>

Lists zones that are stored in a particular application partition

Using PowerShell

The Get-DnsServerZone cmdlet shows all DNS zones and some properties, including whether the zone is directory-integrated, if it is a forward or reverse lookup zone, as well as the zone type.

See Also

MSDN: MicrosoftDNS_Zone

Converting a Zone to an AD Integrated Zone

Problem

You want to convert a standard primary zone to an AD integrated zone. This causes the contents of the zone to be stored and replicated in Active Directory instead of in a text file on the local server.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. Right-click on DNS in the left pane and select Connect to DNS Server.

  3. Enter the server you want to connect to and click Enter.

  4. If you want to convert a forward zone, expand the Forward Lookup Zone folder. If you want to convert a reverse zone, expand the Reverse Lookup Zone folder.

  5. Right-click on the zone you want to convert and select Properties.

  6. Beside Type, click the Change button.

  7. Check the box beside “Store the zone in Active Directory (available only if DNS server is a domain controller.”

  8. Click OK twice.

Using a command-line interface

> dnscmd <ServerName> /zoneresettype <ZoneName> /DsPrimary

Using PowerShell

ConvertTo-DnsServerPrimaryZone -Name "<ZoneName>" -ReplicationScope "<Forest|Domain|Legacy>" -Force

Discussion

See this chapter’s Introduction; Moving AD Integrated Zones into an Application Partition, and Active Directory, Fifth Edition by Brian Desmond et al. (O’Reilly) for more on AD integrated zones.

See Also

“Configure AD Integrated Zones”; MSDN: ChangeZoneType Method of the MicrosoftDNS_Zone Class

Moving AD Integrated Zones into an Application Partition

Problem

You want to move AD integrated zones into an application partition.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer”, and then enter the server you want to connect to (if applicable) and click OK.

  3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone you want to manage.

  4. Right-click on the name of the zone and select Properties.

  5. Click on the Change button beside Replication.

  6. Select the application partition you want to move the zone into.

  7. Click OK twice.

Using a command-line interface

The following command will move a zone to the default application partition that replicates across all domain controllers in the domain that are configured as DNS servers:

> dnscmd <DNSServerName> /zonechangedirectorypartition <ZoneName> <ApplicationPartition>

Using PowerShell

Set-DnsServerPrimaryZone "<ZoneName>" -ReplicationScope "Custom" -DirectoryPartitionName "<PartitionName>"

Discussion

Application partitions are user-defined partitions that can be configured to replicate with any domain controller in a forest. This provides flexibility for how you store and replicate your AD integrated zones. You could, in fact, have a few domain controllers from each domain act as DNS servers for all of your AD domains.

See Also

Chapter 17 for more information on application partitions

Configuring Zone Transfers

Problem

You want to enable zone transfers to specific secondary name servers.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. In the left pane, expand the server node and expand either Forward Lookup Zone or Reverse Lookup Zone, depending on the type of zone you want to manage.

  3. Right-click on the zone and select Properties.

  4. Select the Zone Transfers tab.

  5. Select either the option to restrict zone transfers to those servers listed on the Name Servers tab or the option to restrict zone transfers to specific IP addresses. See this recipe’s Discussion for more on these two options.

Using a command-line interface

The following command enables zone transfers for the test.local zone and specifies they can only occur with servers that have NS records in the zone (i.e., servers listed within the Name Servers tab of the DNS snap-in):

> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureNs

The next command enables zone transfers for the same zone, but specifies they can only occur with hosts whose IP addresses are 172.16.11.33 and 172.16.11.34:

> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureList 172.16.11.33172.16.11.34

Using PowerShell

Set-DnsServerPrimaryZone "<ZoneName>" -SecureSecondaries TransferToSecureServers -SecondaryServers "<IP Address>"

Discussion

Depending on your environment, your DNS implementation may require that you create secondary zones to allow for load balancing for busy DNS servers or remote sites connected by slow links. In this situation, you want to allow zone transfers to occur between your AD integrated DNS servers and your secondary servers, but you want to restrict which hosts can initiate zone transfers with your AD integrated name servers. Allowing anyone to initiate a zone transfer with your domain controllers could provide an attacker with information for mapping out your network; it is therefore critical that you limit which hosts can pull zone transfers from your servers.

If you are using only Active Directory−integrated zones, the Name Servers tab will be automatically populated with a list of all name servers that are authoritative for the selected zone, and this is the recommended choice when you have a large network with many name servers deployed. If any of your name servers are using standard zone files, however, you will need to populate this tab manually for any secondary name servers you deploy.

Specifying a list of IP addresses for hosts that can initiate zone transfers may be more secure since it is more specific, but this approach has the trade-off of creating the additional management overhead of keeping track of the IP addresses of all name servers on your network, so you should follow this approach only if your network is small and you have relatively few name servers deployed. Another disadvantage of this approach is that if you forget to add some IP addresses of name servers to your list, zone information stored on those servers could become stale, causing name resolution to fail for some of your clients. This could result in some of your users experiencing difficulties in accessing network resources.

DNS is secured, by default, because in the case of file-based zones, it is configured to allow zone transfers only with servers listed on the Name Servers tab of a zone. In the case of Active Directory integrated zones, DNS is configured to disallow zone transfers entirely—they generally aren’t needed in an Active Directory environment because the data replicates through Active Directory replication.

Configuring Forwarding

Problem

You want to configure forwarding to allow for name resolution outside of your corporate network.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. Connect to the DNS server you want to modify. In the left pane, right-click on DNS and select Connect to DNS Server. Select “The following computer” and enter the target server name. Click OK.

  3. Right-click on the server and select Properties.

  4. Click the Forwarders tab.

  5. Click the Edit button.

  6. Enter the IP address, or DNS name, of the destination DNS server.

  7. Click OK twice.

Using a command-line interface

The following command sets the default forwarders. Replace <IPsOfForwarders> with a space-separated list of IP addresses for the name servers to forward requests to:

> dnscmd <ServerName> /resetforwarders <IPsOfForwarders>

For example:

> dnscmd dns01 /resetforwarders 10.22.3.4 10.22.3.5

The following command configures the default forwarder timeout:

> dnscmd <ServerName> /config /forwardingtimeout <NumSeconds>

The following command configures the forwarder timeout for a specific domain:

> dnscmd <ServerName> /config <DomainName> /forwardertimeout <NumSeconds>

Using PowerShell

Set-DnsServerForwarder -IPAddress "<IPAddress>" -Timeout "<Value>"

Discussion

Name servers have long supported the notion of forwarders. Rather than sending all unresolved queries to the root Internet name servers, you can use forwarders to send queries to a specific server or set of servers, perhaps hosted by your ISP or by a partner corporation. This allows you to better control the name resolution process on your network.

Using PowerShell

By using the –PassThru switch, you can see the object that you are working with and the values of the properties.

See Also

MS KB 304491 (Conditional Forwarding in Windows Server 2003); MS KB 811118 (Support WebCast: Microsoft Windows Server 2003 DNS: Stub Zones and Conditional Forwarding)

Configuring Conditional Forwarding

Problem

You want to configure forwarding for specific domain names.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. Connect to the DNS server that you want to modify. In the left pane, right-click on DNS and select Connect to DNS Server. Select “The following computer” and enter the target server name. Click OK.

  3. Expand the DNS server and then right-click on Conditional Forwarders. Click New Conditional Forwarder.

  4. Enter the DNS name of the domain you wish to forward.

  5. Enter the IP address or DNS name of the destination DNS server.

  6. Choose whether to store the forwarder in Active Directory or to modify the query timeout period, and then click OK.

Using a command-line interface

dnscmd <ServerName> /zoneadd <DomainName> /forwarder <IPsOfForwarders>

Using PowerShell

Add-DnsServerConditionalForwarderZone "<DomainName>" -MasterServers "<IPAddress>" -ReplicationScope <Forest|Domain|Legacy|Custom> -ForwarderTimeout "<Value>"

Discussion

With conditional forwarding, you can forward unresolved queries for specific domains to different name servers. The most common use of conditional forwarding is when you have two or more noncontiguous namespaces. Consider, for example, a merger between the adatum.com and othercorp.com corporations. Normally, for the name servers of adatum.com to resolve queries for othercorp.com, the queries would have to first be forwarded to the root Internet name servers. With conditional forwarding, you can configure the adatum.com DNS servers so that all requests for othercorp.com should be sent directly to the othercorp.com name servers and all other unresolved queries should be sent to the Internet, and vice versa. The trade-off for this feature is the additional CPU processing that’s necessary to examine each query and forward it to the appropriate server, rather than just funneling all unresolved queries to a single external server.

Delegating Control of an Active Directory Integrated Zone

Problem

You want to delegate control of managing the resource records in a zone.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer”, and then enter the server you want to connect to (if applicable) and click OK.

  3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone.

  4. Right-click on the name of the zone and select Properties.

  5. Click on the Security tab.

  6. Click the Add button.

  7. Use the Object Picker to locate the user or group to which you want to delegate control.

  8. Under Permissions, check the Full Control box.

  9. Click OK.

Using a command-line interface

The following command grants full control over managing the resource records in an AD integrated zone:

> dsacls dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN> /G<UserOrGroup>:GA

Using PowerShell

The following script delegates full control of an AD integrated DNS zone to a particular user or group:

$Path = [ADSI]"LDAP://dc=<ZoneName>,cn=MicrosoftDNS,cn=System, <DomainOrAppPartitionDN>"
$Group = New-Object System.Security.Principal.NTAccount("<UserorGroup>")
$IdentityReference = $Group.Translate([System.Security.Principal.SecurityIdentifier])
$Perms = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($IdentityReference,"GenericAll","Allow")
$Path.psbase.ObjectSecurity.AddAccessRule($Perms)
$Path.psbase.commitchanges()

Discussion

By default, members of the DNSAdmins group have control over DNS server and zone configuration. You can delegate control of individual AD integrated zones by modifying permissions on the zone object in AD. The solutions show examples for how to grant full control to an additional user or group over a particular zone.

See Also

MS KB 256643 (Unable to Prevent DNS Zone Administrator from Creating New Zones)

Creating and Deleting Resource Records

Problem

You want to create and delete resource records in a zone.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer,” and then enter the server you want to connect to (if applicable) and click OK.

  3. If you want to add or delete a record in a forward zone, expand the Forward Lookup Zone folder. If you want to add or delete a record for a reverse zone, expand the Reverse Lookup Zone folder.

To create a resource record, do the following:

  1. In the left pane, right-click the zone and select the option that corresponds to the record type you want to create—for example, New Host (A).

  2. Fill in all required fields.

  3. Click OK.

To delete a resource record, do the following:

  1. In the left pane, click on the zone the record is in.

  2. In the right pane, right-click on the record you want to delete and select Delete.

  3. Click Yes to confirm.

Using a command-line interface

To add a resource record, use the following command:

> dnscmd <DNSServerName> /recordadd <ZoneName> <NodeName> <RecordType> <RRData>

The following command adds an A record in the adatum.com zone:

> dnscmd dc1 /recordadd adatum.com Server01 A 192.168.52.2

To delete a resource record, use the following command:

> dnscmd <DNSServerName> /recorddelete <ZoneName> <NodeName> <RecordType> <RRData>

The following command deletes an A record in the adatum.com zone:

> dnscmd dc1 /recorddelete adatum.com wins01 A 192.168.52.2

Using PowerShell

There are several PowerShell cmdlets available to create resource records for DNS zones:

Add-DnsServerResourceRecord

This cmdlet adds an available resource record for a given zone.

Add-DnsServerResourceRecordA

This cmdlet adds an A type record for IPv4 hosts in a given zone.

Add-DnsServerResourceRecordAAAA

This cmdlet adds an AAAA type record for IPv6 hosts in a given zone.

Add-DnsServerResourceRecordCName

This cmdlet adds a CNAME type record for a given zone.

Add-DnsServerResourceRecordDnsKey

This cmdlet adds a DNS Key record for DNSSEC zones.

Add-DnsServerResourceRecordDS

This cmdlet creates a Delegation of Signing record for a signed zone file.

Add-DnsServerResourceRecordMX

This cmdlet creates an MX record for mail records in a given zone.

Add-DnsServerResourceRecordPtr

This cmdlet creates a PTR record for reverse DNS lookup.

The following will add an A record named Host01 that corresponds to the IP address 10.0.0.3, in the adatum.com zone:

Add-DnsServerResourceRecordA -Name "Host01" -IPv4Address "10.0.0.3" -ZoneName "adatum.com"

The following will delete an A record named Host01, without prompting for confirmation, from the adatum.com zone:

Remove-DnsServerResourceRecord -ZoneName "adatum.com" -Name "Host01" -RRType "A" -Force

Discussion

Using a graphical user interface

The DNS Management snap-in is good for creating a small number of records, but if you need to add or delete more than a couple of dozen, then we’d recommend writing a PowerShell script to automate the process.

Using a command-line interface

Adding A, CNAME, and PTR resource records is pretty straightforward in terms of the data you must enter, but other record types, such as SRV, require quite a bit more data. The help pages for /recordadd and /recorddelete display the required information for each record type. For example, to add an SRV record using dnscmd, you need to specify the priority, weight, port, and hostname of the record, as in the following example:

> dnscmd /recordadd adatum.com dc1.adatum.com SRV _kerberos 50 100 88

See Also

MSDN: MicrosoftDNS_ResourceRecord

Querying Resource Records

Problem

You want to query resource records.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer.” and then enter the server you want to connect to (if applicable) and click OK.

  3. Expand the lookup zone folder and then select the zone you wish to filter.

  4. Right-click the zone name and select View→Filter.

  5. Enter the filter parameters and then click OK.

  6. Right-click the zone name again and click Refresh.

Using a command-line interface

In the following command, replace <RecordType> with the type of resource record you want to find (e.g., A, CNAME, SRV) and <RecordName> with the name or IP address of the record to match:

> nslookup -type=<RecordType> <RecordName>

Using PowerShell

Get-DnsServerResourceRecord -ZoneName "<ZoneName>" -RRType "A"

Discussion

Using a command-line interface

You can leave off the -type switch, and the command will find any A, PTR, and CNAME records that match <RecordName>.

You can also run nslookup from interactive mode, which can be entered by typing nslookup at a command prompt with no additional parameters, or you can switch back and forth between query types by using the set q=ANY command to reset nslookup. Interactive mode allows you to issue a series of queries with more efficiency because you don’t have to type nslookup or wait for the initial connection to the DNS server.

See Also

MSDN: MicrosoftDNS_ResourceRecord; RFC 1035 (Domain Names—Implementation and Specification); RFC 1700 (DNS Parameters)

Modifying the DNS Server Configuration

Problem

You want to modify the DNS server settings.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer”, and then enter the server you want to connect to (if applicable) and click OK.

  3. Right-click on the server and select Properties.

  4. Edit the server settings from the tabs that are displayed.

  5. Click OK to commit the changes after you complete your modifications.

Using a command-line interface

With the following command, replace <Setting> with the name of the setting to modify and <Value> with the value to set:

> dnscmd <DNSServerName> /config /<Setting> <Value>

The following command enables the EnableDnsSec setting on dns01:

> dnscmd dns01 /config /EnableDnsSec 1

The following command disables the NoTcp setting on the local host:

> dnscmd /config /NoTcp 0

The following command sets the DsPollingInterval setting to 60 on dns02:

> dnscmd dns02 /config /DsPollingInterval 60

For the complete list of settings, run dnscmd /config from the command line.

Using PowerShell

There are several Windows PowerShell cmdlets that you can use to set DNS properties. To view a list of all available cmdlets that set DNS properties, use the following command:

Get-Command *Set-Dns*

Discussion

The Microsoft DNS server supports a variety of settings to configure everything from scavenging and forwarders to logging. With the DNS Management snap-in, the settings are spread over several tabs in the Properties page. You can get a list of these settings by simply running dnscmd /config from a command line.

See Also

MSDN: MicrosoftDNS_Server

Scavenging Old Resource Records

Problem

You want to scavenge old resource records. DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically, this applies only to resource records that were added via dynamic DNS (DDNS), but you can also scavenge manually created static records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Solution

The following solutions will show how to enable automatic scavenging on all AD integrated zones.

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer”, and then enter the server you want to connect to (if applicable) and click OK.

  3. Click on the server, right-click on it, and select “Set Aging/Scavenging for all zones”.

  4. Check the box beside “Scavenge stale resource records”.

  5. Configure the No-Refresh and Refresh intervals as necessary, and click OK.

  6. Check the box beside “Apply these settings to the existing Active Directory-integrated zones” and click OK.

  7. Right-click on the server again and select Properties.

  8. Select the Advanced tab.

  9. Check the box beside “Enable automatic scavenging of stale resource records”.

  10. Configure the scavenging period as necessary.

  11. Click OK.

Using a command-line interface

> dnscmd <DNSServerName> /config /ScavengingInterval <ScavengingMinutes>
> dnscmd <DNSServerName> /config /DefaultAgingState 1
> dnscmd <DNSServerName> /config /DefaultNoRefreshInterval <NoRefreshMinutes>
> dnscmd <DNSServerName> /config /DefaultRefreshInterval <RefreshMinutes>
> dnscmd <DNSServerName> /config ..AllZones /aging 1

Using PowerShell

Set-DnsServerScavenging -ScavengingState $True -RefreshInterval "<Value>" -ScavengingInterval "<Value>"
Start-DnsServerScavenging -Force

Discussion

There are four settings that you need to be aware of before enabling scavenging. You must use caution when enabling scavenging, because an incorrect configuration could lead to resource records getting deleted by mistake.

The first setting you have to configure is the scavenging interval. This is the interval in which the DNS server will kick off the scavenging process. It is disabled by default so that scavenging does not take place unless you enable this setting. The default value is seven days.

The second setting is the default aging configuration setting for new zones. If you want all new zones to be configured for scavenging, set this to 1.

The next two settings control how records get scavenged. The no-refresh interval determines how much time must pass before a dynamically updated record can be updated again. This setting is necessary to reduce how often a DNS server has to update its timestamp of the resource record. The default value is seven days. This means that after a resource record has been dynamically updated, the server will not accept another dynamic update for the same record for another seven days. However, if the IP address or some other data for the record changes, the server will still accept the new information. Static records have a timestamp of 0 and will not get scavenged in an automated scavenging process.

The refresh interval setting is the amount of time that must pass after the no-refresh interval during which a client can update its record before it is considered old or stale. The default value for this setting is also 168 hours (seven days). If you use the default values, the combination of the no-refresh interval and refresh interval would mean that a dynamically updated record would not be considered stale for up to 14 days after its most recent update. Combine this with the default scavenging interval, and it could be up to 21 days before a record is deleted if the record became stale immediately after the last scavenge process completed: 7 days (no refresh) + 7 days (refresh) + up to 7 days (scavenge process) = up to 21 days.

The solutions in this recipe show you how to configure these settings for all zones that are hosted on a server; however, you can configure these settings for individual zones as well. In the GUI solution, you would do this by accessing the Properties sheet of an individual zone rather than the server node; in dnscmd, simply specify the zone name after /aging, /scavenginginterval, /defaultagingstate, /defaultnorefreshinterval, or /defaultrefreshinterval.

Clearing the DNS Cache

Problem

You want to clear the DNS cache. The DNS cache contains resource records that are cached by the server or workstation for a period of time in memory so that repeated requests for the same record can be returned immediately. There are two types of DNS cache. One pertains to the cache on the Windows DNS client resolver (this can refer to both server and workstation operating systems when they are requesting DNS information from a server), and the other refers to the cache used by the Microsoft DNS server software.

Solution

To flush the client resolver cache, use the following command:

> ipconfig /flushdns

To flush the client resolver cache by using PowerShell, use the following cmdlet:

Clear-DnsClientCache

To flush the DNS server cache, use any of the following solutions.

Using a graphical user interface

  1. Open the DNS Management snap-in (dnsmgmt.msc).

  2. Right-click on DNS in the left pane and select Connect to DNS Server.

  3. Enter the server you want to connect to and click Enter.

  4. Right-click on the server and select Clear Cache.

Using a command-line interface

The following command will clear the cache on <DNSServerName>. You can leave out the <DNSServerName> parameter to simply run the command against the local server:

> dnscmd <DNSServerName> /clearcache

Using PowerShell

Clear-DnsServerCache -Force

Discussion

The client resolver cache is populated whenever a DNS lookup is performed on a workstation or server (e.g., by visiting a website in Internet Explorer, a DNS lookup is performed and cached). It’s important to remember that this cache will store positive DNS responses as well as negative ones. For example, if lost network connectivity causes DNS queries for an external resource like a mail server to fail, those queries will continue to fail until the cache refreshes: the queries have been negatively cached.

The second type of cache is in place on Microsoft DNS servers and on some third-party DNS servers. It is a cache of all DNS requests that the server has made while processing queries from various clients. You can view this cache by browsing the Cached Lookups folder for a server in the DNS Management snap-in. This folder is not shown by default, so you’ll need to select Advanced from the View menu.

With both the client and server cache, records are removed from the cache after the record’s TTL value expires. The TTL is used to age records so that clients and servers will request an updated copy of the record at a later point in order to receive any changes that may have occurred.

Verifying That a Domain Controller Can Register Its Resource Records

Problem

You want to verify that DNS is configured correctly so that a domain controller can register its resource records, which are needed for clients to be able to locate various AD services.

Solution

Using a command-line interface

With the following dcdiag command, replace <DomainName> with the FQDN of the domain that the domain controller is in. This command has to be run from the domain controller you want to test, not from an administrative workstation:

> dcdiag /test:RegisterInDNS /DnsDomain:<DomainName>

Starting test: RegisterInDNS
   DNS configuration is sufficient to allow this domain controller to dynamically register the domain controller
   Locator records in DNS.

   The DNS configuration is sufficient to allow this computer to dynamically register the A record corresponding to its DNS name.

Using PowerShell

Test-DnsServer "<IPAddress>"

Discussion

With the default setup, domain controllers attempt to dynamically register the resource records necessary for them to be located by Active Directory clients and other domain controllers. Domain controllers must have their resource records populated in DNS in order to function, but it can be very tedious and error-prone to register all of the records manually. This is why allowing the domain controllers to use DDNS to automatically register and update their records can be much easier from a support standpoint.

The dcdiag command provides a RegisterInDNS switch that allows you to test whether the DC can register its records. In the solution, we showed the output if the domain controller passes the test.

Here is the output if an error occurs:

Starting test: RegisterInDNS
   This domain controller cannot register domain controller Locator DNSrecords. This is because it cannot locate a DNS server authoritative for thezone adatum.com. This is due to one of the following:

   1. One or more DNS servers involved in the name resolution of the adatum.com name are not responding or contain incorrect delegation of the DNS zones; or

   2. The DNS server that this computer is configured with contains incorrect root hints.

   The list of such DNS servers might include the DNS servers with which this computer is configured for name resolution and the DNS servers responsiblefor the following zones: adatum.com

   Verify the correctness of the specified domain name and contact yournetwork/DNS administrator to fix the problem.

   You can also manually add the records specified in the %systemroot%system32config
etlogon.dns file.

As you can see, the output of dcdiag offers some options for resolving the problem. The information provided will also vary depending on the error encountered.

See Also

Registering a Domain Controller’s Resource Records for registering a domain controller’s resource records

Enabling DNS Server Debug Logging

Problem

You want to enable DNS debug logging to troubleshoot issues related to DNS queries or updates.

Solution

Using a graphical user interface

  1. From the Administrative Tools, Open the DNS Management snap-in (dnsmgmt.msc).

  2. Connect to the DNS Server you want to modify. In the left pane, right-click on DNS and select Connect to DNS Server. Select “The following computer” and enter the target server name. Click OK.

  3. Right-click on the server and select Properties.

  4. Click on the Debug Logging tab.

  5. Select what you want to log and the location of the logfile.

  6. Click OK.

Using a command-line interface

Use the following four commands to enable debug logging. For the log level, you have to add together the event codes you want logged and specify the result in hex. The available event codes can be found in Table 13-3.

> dnscmd <ServerName> /Config /LogLevel <EventFlagSumInHex>

Use the following command to specify the location of the logfile:

> dnscmd <ServerName> /Config /LogFilePath <DirectoryAndFilePath>

Use the following command to log only entries that pertain to certain IP addresses:

> dnscmd <ServerName> /Config /LogIPFilterList <IPAddress1>[,<IPAddress2>...]

Use the following command to specify the maximum logfile size:

> dnscmd <ServerName> /Config /LogFileMaxSize <NumberOfBytesInHex>

Use the following command to disable debug logging:

> dnscmd <ServerName> /Config /LogLevel 0

Using PowerShell

Set-DnsServerDiagnostics -SaveLogsToPersistentStorage $True -LogFilePath "<LogFilePath>"

Discussion

With the DNS Server debug log, you can record all DNS operations received and initiated by the server, including queries, updates, zone transfers, etc. If you need to troubleshoot a particular host, you can use the LogIPFilterList setting in dnscmd or the WMI DNS Provider to restrict the log to operations performed only for or by that host.

The most important debug log setting is the log level. With the DNS snap-in, you can select from a list of available options. The DNS snap-in provides an intuitive interface for selecting the required options. Table 13-3 contains all of the event codes with their hexadecimal and decimal values for the command-line options.

Table 13-3. DNS debug logging event codes

Hexadecimal value

Decimal value

Descriptions

0x0

0

No logging. This is the default.

0x1

1

Query transactions.

0x10

16

Notifications transactions.

0x20

32

Update transactions.

0xFE

254

Nonquery transactions.

0x100

256

Question packets.

0x200

512

Answer packets.

0x1000

4096

Send packets.

0x2000

8192

Receive packets.

0x4000

16384

UDP packets.

0x8000

32768

TCP packets.

0xFFFF

65535

All packets.

0x10000

65536

AD write transactions.

0x20000

131072

AD update transactions.

0x1000000

16777216

Full packets.

0x80000000

2147483648

Write-through transactions.

DNS debug logging can come in handy if you want to look at the dynamic update requests a particular DNS server is processing. For example, if a client or DHCP server is attempting to dynamically register records, you can enable the Update Transactions log category on the DNS server you think should be processing the updates. If you don’t see any update transactions, this can indicate that another server is processing the dynamic update requests.

Note

Transactions are not immediately written to the debug logfile as they occur. They are buffered and written to the file after a certain number of requests are processed.

See Also

MSDN: MicrosoftDNS_Server

Registering a Domain Controller’s Resource Records

Problem

You want to manually force registration of a domain controller’s resource records. This may be necessary if you’ve made some configuration changes on your DNS servers to allow your domain controllers to start dynamically registering resource records.

Solution

Using a command-line interface

> nltest /dsregdns /server:<DomainControllerName>

Discussion

With the nltest command, a /dsregdns switch allows you to force registration of the domain-controller-specific resource records. You can also force reregistration of its resource records by restarting the NetLogon service on the domain controller. The NetLogon service automatically attempts to reregister a domain controller’s resource records every hour, so if you can wait that long, you do not need to use nltest.

See Also

Verifying That a Domain Controller Can Register Its Resource Records for verifying whether a domain controller is registering its resource records

Deregistering a Domain Controller’s Resource Records

Problem

You want to manually deregister a domain controller’s resource records.

Solution

Using a command-line interface

With the following nltest command, replace <DomainControllerName> with the FQDN of the domain controller you want to deregister and <DomainDNSName> with the FQDN of the domain of which the domain controller is a member:

> nltest /dsderegdns: <DomainControllerName> /dom:<DomainDNSName>

Discussion

When a domain controller is demoted from a domain, it dynamically deregisters its resource records. This is a nice feature of the demotion process because it means you do not have to manually remove all of the resource records or wait for scavenging to remove them. If, however, you have a domain controller that crashes and you do not plan to bring it back online, you’ll need to remove the records manually or wait for the scavenging process to take place.

You can use the DNS Management MMC snap-in and even the dnscmd.exe utility to manually remove them one by one, or you can use nltest, as shown in the solution.

The /dsderegdns switch also has /DomGUID and /DsaGUID options if you want to delete the records that are based on the domain GUID and DSA GUID, respectively. You need to know the actual GUIDs of the domain and domain controller to use those switches, so if you don’t have them handy, it would be easier to delete them using the DNS Management MMC snap-in.

Preventing a Domain Controller from Dynamically Registering All Resource Records

Problem

You want to prevent a domain controller from dynamically registering its resource records using DDNS. If you manually register a domain controller’s resource records, you’ll want to prevent those domain controllers from attempting to dynamically register them. If you do not disable them from sending dynamic update requests, you may see annoying error messages on your DNS servers that certain DDNS updates are failing.

Solution

Using a command-line interface

> reg add HKLMSystemCurrentControlSetServicesNetlogonParameters /v↵
UseDynamicDNS /t REG_DWORD /d 0
The operation completed successfully.

> net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.

> del %SystemRoot%system32config
etlogon.dnb

> net start netlogon
The Net Logon service is starting.......
The Net Logon service was started successfully.

Using PowerShell

$strRegPath = "HKLM:SystemCurrentControlSetServicesNetlogonParameters"
new-ItemProperty -path $strRegPath -name "UseDynamicDNS" -type DWORD
set-ItemProperty -path $strRegPath -name "UseDynamicDNS" -value "0"

Stop-Service netlogon
$strPath = join-path (get-content env:SystemRoot) system32config
etlogon.dnb
Remove-Item $strPath
Start-Service netlogon

Discussion

By default, domain controllers attempt to dynamically register their Active Directory−related resource records every hour via the NetLogon service. You can prevent a domain controller from doing this by setting the UseDynamicDNS value to 0 under HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNetlogonParameters. After you set that value, you should stop the NetLogon service, remove the %SystemRoot%system32config etlogon.dnb file and then restart NetLogon. It is necessary to remove the netlogon.dnb file because it maintains a cache of the resource records that are dynamically updated. This file will get re-created when the NetLogon service restarts.

See Also

Preventing a Domain Controller from Dynamically Registering Certain Resource Records for preventing certain resource records from being dynamically registered; MS KB 198767 (How to Prevent Domain Controllers from Dynamically Registering DNS Names)

Preventing a Domain Controller from Dynamically Registering Certain Resource Records

Problem

You want to prevent a domain controller from dynamically registering certain resource records. It is sometimes advantageous to prevent certain resource records from being dynamically registered. For example, if you want to reduce the load on the PDC Emulator for a domain, you can prevent some of its SRV records from being published, which would reduce the amount of client traffic the server receives.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. Create a GPO linked to the Domain Controllers OU, or else edit an existing GPO.

  3. Select Computer Configuration→Policies→Administrative Templates→System→Net Logon→DC Locator DNS Records.

  4. Enable the “Specify DC Locator DNS records not registered by the DCs” setting, and list one or more of the following record types that should not be registered:

    • Dc

    • DcAtSite

    • DcByGuid

    • Gc

    • Gc

    • GcAtSite

    • GcIpAddress

    • GenericGc

    • Kdc

    • Ldap

    • LdapIpAddress

    • Rfc1510Kdc

    • Rfc1510Kpwd

    • Rfc1510UdpKdc

    • Rfc1510UdpKpwd

Using a command-line interface

This command will disable the Ldap, Gc, and GcIpAddress resource records from being dynamically registered:

> reg add HKLMSystemCurrentControlSetServicesNetlogonParameters /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /d LdapGcGcIpAddress

> net stop netlogon

> del %SystemRoot%system32config
etlogon.dnb

> net start netlogon

Using PowerShell

$strRegPath = "HKLM:SystemCurrentControlSetServicesNetlogonParameters"
$arrValues = "Ldap", "Gc", "GcIpAddress"
New-ItemProperty -Path $strRegPath -Name "DnsAvoidRegisterRecords" -TypeMultiString
Set-ItemProperty -Path $strRegPath -Name "DnsAvoidRegisterRecords" -Value$arrValues

Stop-Service netlogon
$strPath = Join-Path (Get-Content env:SystemRoot) system32config
etlogon.dnb
Remove-Item $strPath
Start-Service netlogon

Discussion

The procedure to disable registration of certain resource records is very similar to that described in Preventing a Domain Controller from Dynamically Registering All Resource Records for preventing all resource records from being dynamically registered; however, in this case you need to create a value called DnsAvoidRegisterRecords under the HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNetlogonParameters key. The type for DnsAvoidRegisterRecords should be REG_MULTI_SZ, and the data should be a whitespace-separated list of mnemonics. Mnemonics are used to represent various resource records that domain controllers register. The complete list of mnemonics is included in Table 13-4.

Note

You can also control these values using Group Policy, in Computer ConfigurationPoliciesAdministrative TemplatesSystemNetlogon.

Table 13-4. Registry mnemonics for resource records

Registry mnemonic

Resource record type

Resource record name

LdapIpAddress

A

<DnsDomainName>

Ldap

SRV

_ldap._tcp.<DnsDomainName>

LdapAtSite

SRV

_ldap._tcp.<SiteName>._sites.<DnsDomainName>

Pdc

SRV

_ldap._tcp.pdc._msdcs.<DnsDomainName>

Gc

SRV

_ldap._tcp.gc._msdcs.<DnsForestName>

GcAtSite

SRV

_ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>

DcByGuid

SRV

_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>

GcIpAddress

A

_gc._msdcs.<DnsForestName>

DsaCname

CNAME

<DsaGuid>._msdcs.<DnsForestName>

Kdc

SRV

_kerberos._tcp.dc._msdcs.<DnsDomainName>

KdcAtSite

SRV

_kerberos._tcp.dc._msdcs.<SiteName>._sites. <DnsDomainName>

Dc

SRV

_ldap._tcp.dc._msdcs.<DnsDomainName>

DcAtSite

SRV

_ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>

Rfc1510Kdc

SRV

_kerberos._tcp.<DnsDomainName>

Rfc1510KdcAtSite

SRV

_kerberos._tcp.<SiteName>._sites.<DnsDomainName>

GenericGc

SRV

_gc._tcp.<DnsForestName>

GenericGcAtSite

SRV

_gc._tcp.<SiteName>._sites.<DnsForestName>

Rfc1510UdpKdc

SRV

_kerberos._udp.<DnsDomainName>

Rfc1510Kpwd

SRV

_kpasswd._tcp.<DnsDomainName>

Rfc1510UdpKpwd

SRV

_kpasswd._udp.<DnsDomainName>

If you configure DCs not to register these domain-wide SRV records, such as in a branch office environment, your branch office clients will still fail over to DCs in your hub site if their local DC becomes unavailable. Clients will continue to use the hub site DCs until they are rebooted, even if the local DC comes back online. MS KB 939252 provides a hotfix for Windows XP and Windows Server 2003 that will improve client failover behavior in this scenario. In Windows operating systems since Windows XP, there is improvement and built-in control available. See TechNet for more details.

See Also

Preventing a Domain Controller from Dynamically Registering All Resource Records for preventing all resource records from being dynamically registered

Allowing Computers to Use a Domain Suffix That Is Different from Their AD Domain

Problem

You want to allow computers to use a domain suffix that is different from their AD domain.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. Connect to the domain you want to edit.

  3. Right-click on the domainDNS object and select Properties.

  4. Edit the msDS-AllowedDNSSuffixes attribute and the DNS suffix you want to add.

  5. Click OK.

Using a command-line interface

Create an LDIF file called add_dns_suffix.ldf with the following contents:

dn: <DomainDN>
changetype: modify
add: msDS-AllowedDNSSuffixes
msDS-AllowedDNSSuffixes: <DNSSuffix>
-

Then run the following command:

> ldifde -v -i -f add_dns_suffix.ldf.ldf

You can also make this change using AdMod, as follows:

> admod -b <DomainDN> msDS-AllowedDNSSuffixes:+:<DNSSuffix>

Using PowerShell

You can modify the list of allowed DNS suffixes for a domain using PowerShell, as follows:

Set-ADObject "<DomainDN>" -Add @{"msDS-AllowedDNSSuffixes"="<Suffix>"}

Discussion

Windows Server and client domain members dynamically maintain the dNSHostName and servicePrincipalName attributes of their corresponding computer object in Active Directory with their current hostname. By default, those attributes can only contain hostnames that have a DNS suffix equal to the Active Directory domain the computer is a member of.

If the computer’s DNS suffix is not equal to the Active Directory domain, as may be the case during a domain migration or a corporate merger or consolidation, 5788 and 5789 events will be generated in the System event log on the domain controllers the clients attempt to update. These events report that the dnsHostName and servicePrincipalName attributes could not be updated due to an incorrect domain suffix. You can avoid this by adding the computer’s DNS suffix to the msDS-AllowedDNSSuffixes attribute on the domain object (e.g., dc=adatum,dc=com).

See Also

MS KB 258503 (DNS Registration Errors 5788 and 5789 When DNS Domain and Active Directory Domain Name Differ)

Authorizing a DHCP Server

Problem

You want to permit (i.e., authorize) a DHCP server to process DHCP requests from clients. This is necessary only if the DHCP server is a member of an Active Directory domain.

Solution

Using a graphical user interface

  1. Open the DHCP snap-in (dhcpmgmt.msc).

  2. If necessary, in the left pane, right-click on DHCP and select Add Server. Type in the name of the DHCP server you want to target and click OK.

  3. Click on the server entry in the left pane.

  4. Right-click on the server and select Authorize.

Note

If the DHCP server is not a member of an Active Directory domain, you will not see the Authorize option.

Using a command-line interface

The following command authorizes a DHCP server in Active Directory:

> netsh dhcp add server <DHCPServerName> <DHCPServerIP>

This example shows how to authorize the DHCP server named dhcp01.adatum.com with IP 192.168.191.15:

> netsh dhcp add server dhcp01.adatum.com 192.168.191.15

Using PowerShell

The following PowerShell command will authorize a DHCP server in Active Directory:

Add-DhcpServerInDC -DnsName "<ServerName>"

Discussion

Windows-based DHCP servers that belong to an Active Directory domain must be authorized before they can give leases to clients. This feature helps reduce the danger of a rogue Windows DHCP server that an end user sets up, perhaps even unintentionally.

However, this still doesn’t prevent someone from plugging in a non-Windows DHCP server (e.g., a Linksys router with the DHCP server enabled) and causing clients to receive bad leases. A rogue DHCP server can provide incorrect lease information or deny lease requests altogether, ultimately causing a denial of service for clients on your network.

A DHCP server that is a member server of an Active Directory domain performs a query in Active Directory to determine whether it is authorized. If it is, it will respond to DHCP requests; if not, it will not respond to requests.

A standalone Windows DHCP server that is not a member of an Active Directory domain sends out a DHCPINFORM message when it first initializes. If an authorized DHCP server responds to the message, the standalone server will not respond to any further DHCP requests. If it does not receive a response from a DHCP server, it will respond to client requests and distribute leases.

DHCP servers are represented in Active Directory as objects of the dhcpClass class, in the cn=NetServices,cn=Services,cn=Configuration,<ForestRootDN> container. The relative distinguished name of these objects is the IP address of the DHCP server. There is also an object in the same container named cn=dhcpRoot, which is created after the first DHCP server is authorized. It has an attribute named dhcpServers that contains all authorized servers. By default, only members of the Enterprise Admins group can authorize DHCP servers. However, you can delegate the rights to authorize a DHCP server. Do the following to delegate the necessary permissions to a group called DHCP Admins:

  1. Open ADSI Edit from the Support Tools while logged on as a member of the Enterprise Admins group.

  2. In the left pane, expand the Configuration Container→cn=Configurationcn=Servicescn=NetServices.

  3. Right-click on cn=NetServices and select Properties.

  4. Select the Security tab.

  5. Click the Advanced button.

  6. Click the Add button.

  7. Use the object picker to select the DHCP Admins group.

  8. Check the boxes under “Create dHCPClass objects” and “Delete dHCPClass objects.”

  9. Click OK until all dialog boxes are closed.

  10. Back in ADSI Edit, right-click on cn=dhcpRoot (if you’ve previously authorized DHCP servers) and select Properties.

  11. Select the Security tab.

  12. Click the Advanced button.

  13. Click the Add button.

  14. Use the object picker to select the DHCP Administrators group.

  15. Check the boxes under Allow for Write All Properties.

  16. Click OK until all dialog boxes are closed.

Note

If the DHCP Administrators group does not exist, run the following command on a DHCP server or on a computer with the DHCP management tool installed:

netsh dhcp add securitygroups

Using a graphical user interface

You can quickly determine whether a DHCP server has been authorized by looking at its server node in the left pane of the DHCP snap-in. If the icon has a little red flag, it isn’t authorized; if the flag is green, it is authorized.

Using a command-line interface

To see the list of authorized servers using the command line, run the following command:

> netsh dhcp show server

Using PowerShell

Get-DhcpServerInDC

See Also

“Controlling DHCP Active Directory Authorization”

Restricting DHCP Administrators

Problem

You want to restrict who can administer your DHCP servers in your domain.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers MMC snap-in (dsa.msc).

  2. In the console tree, click Active Directory Users and Computers→<DomainName>→Users.

  3. In the Details pane, click DHCP Administrators.

    Note

    If the DHCP Administrators group does not exist, run the following command:

    netsh dhcp add securitygroups
  4. Click Action→Properties→Members.

  5. Remove all users and groups you do not want to have administering your DHCP server by clicking their names and then clicking Remove.

  6. To add new DHCP administrators, click Add, provide the user or group name, and then click OK.

  7. Click OK.

Using a command-line interface

Add a member to a group with DSMod by passing the -addmbr option:

> dsmod group "<GroupDN>" -addmbr "<MemberDN>"

To add a group member with AdMod, use the following syntax:

> admod -b "<GroupDN>" member:+:"<MemberDN>"

Remove a member from a group with DSMod by passing the -rmmbr option:

> dsmod group "<GroupDN>" -rmmbr "<MemberDN>"

To remove a group member with AdMod, use the following syntax:

> admod -b "<GroupDN>" member:-:"<MemberDN>"

Replace the complete membership list with DSMod by passing the -chmbr option:

> dsmod group "<GroupDN>" -chmbr "<Member1DN Member2DN ...>"

To replace the membership of a group with AdMod, use the following command:

> admod -b "<GroupDN>" member:+-:"<Member1DN>;<Member2DN>;<Member3DN>"

Using PowerShell

You can add a user or group to the membership of the DHCP Administrators group using the Add-ADGroupMember command as follows:

Add-ADGroupMember "DHCP Administrators" "<User/Group>"

Discussion

In Active Directory, most roles can be assigned independently of one another rather than just by making a user a Domain Admin or an Enterprise Admin. This is great for security administrators who want to ensure that users have only enough rights to perform their assigned tasks. For example, a user Fred might need to modify an enterprise-wide object. You could just add Fred to the Enterprise Admin groups to solve the problem. However, Fred now has access to virtually any object in the entire forest and could cause irreparable harm to your network, not to mention compromising all security in place. Instead, you can grant Fred access to just that object.

This can be done in different ways. One method is to use the Delegation of Control Wizard. Another way is to use the several built-in groups in Windows that are created and populated when specific services are installed. One such group is DHCP Administrators, which is created when the first DHCP server is brought up in a domain. You can control administrative access to the DHCP function of these servers through this group membership.

Note

Nondomain joined computers also have a DHCP Administrators group. This is a local group on each computer and must be managed separately on each server.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.191.103.28