Thursday, 18 March 2010
WINS forwarding through DNS
If you click on a DNS zone in the console, you'll see a WINS tab.
There you can enable the option to "Use WINS forward lookup" and then specify the WINS server to use.
What this does is creates a new record of type WINS lookup in the DNS zone.
DNS will always try and answer the query from its local DNS zones but if not can strip down the FQDN to just the hostname and then pass that request to a WINS server.
If WINS can answer the query it will pass the name and IP address to DNS, which then replies as if it came from it's own DNS database.
This also has the advantage of allowing Unix clients to indirectly read WINS databases.
Wednesday, 17 March 2010
About domain trusts
Each domain trust is stored as a Trusted Domain object in the System container in the domain partition. Regardless of what some documentation states, trusts with NT4 domains still create TDOs.
By querying the whenChanged attribute on the TDO you can determine if the trusts is still active as all trusts involve creating a secure channel to the trusted domain, so the password needs to be reset every 30 days.
Remember that the whenChanged attribute is not replicated so can be different on each DC.
Also beware that the whenChanged attribute is not the same as the creation date of the computer object as the date can be no older than the computer object itself. My golden rule is to ignore any whenChanged dates when they're the same as the whenCreated date of the DC's computer account itself.
Trust Types
nltest /server:nameofDC /domain_trusts
This shows all of the trusts, direction of trust, what sort of trust. Also shows the trust type which is basically what sort of domain it's with.
Can be NT4, NT5, MIT or DCE.
NT4 - this is only NT4 domains.
NT5 - Windows 2000 or higher (not confirmed for W2K8). Functional level of domain is not a factor - it's just the OS.
MIT - realm trust
DCE - have not found an example of this yet.
Verifying Trusts are Working
nltest /SC_VERIFY:trusteddomainname
This, and the netdom command
netdom verify nameofDC /domain:trusteddomainname
can only show details of the secure channel when you're on the trusting domain (so will show a DC on the trusted domain).
There is no way of seeing the secure channel from the trusted domain (presuming it's one-way) as there is no secure channel - the secure channel is only set up from the trusting domain to the trusted domain.
Which DC does a trusting DC set up a secure channel with?
It depends on how it resolves the name of the trusted domain.
It might be using a secondary zone, lmhosts file etc. Quite often this will be using the same as domain name A records. It will then choose at random so to stop this you need to manipulate which DCs it sees as answering to the name of the domain...
Friday, 12 March 2010
DNS Scavenging Revealed
DNS has 2 intervals relating to aging: the no refresh interval and the refresh interval:
No refresh interval - during this time, no refreshes may be made to the timestamp of a DNS record (more about refreshes in a moment), but updates are ok. This is done to prevent unnecessary frequent replication of DNS record changes.
Refresh interval - during this time, the timestamp of the record may be refreshed, at which point the no refresh interval kicks in again.
After the refresh interval has passed, if there has been no refresh (or update) of that record then it is available to be scavenged.
How to set up scavenging:
On the properties of the DNS zone, click on "Aging". Set whatever no refresh and refresh intervals you want. Ensure that you also tick the box to "scavenge stale resource records".
You then also need to tell the server to actually scavenge periodically. I am in favour of a single DC doing the scavenging.
In the properties of the DNS server, on the Advanced tab, check the box to "enable automatic scavenging of stale records", and set the scavenging period. Don't make this too frequent as scavenging hits the server.
Note that if you right click on the DNS server, there is a "set aging/scavenging for all zones..." option. This will, if you wish, allow you to set consistent scavenging options across all hosted zones. I don't use it personally.
That's the easy bit and what you can find on any website.
DNS record Refresh vs Update
A refresh is defined as when the record tries to update its timestamp but its IP address hasn't changed.
An update is when the IP address changes. This kind of operation can always occur as the no refresh interval does not impact on it.
So, let's see the processes in action:
Firstly, DNS refreshes being prevented by the no refresh interval:
The scenario here is that we have a DHCP server, with DHCP lease times set to 10 mins.
This means that DHCP half-life (T1) will occur every 5 mins.
Scavenging is enabled and scheduled every hour, with no refresh interval set to 1 hour, and refresh interval set to 2 hours:
- Scavenging is occurring at 25 past each hour.
- Client powers on at 09:44.
- The timestamp for the record is set to 09:00:00 because all timestamps are rounded down to the nearest hour.
- At 09:49, it attempts to refresh its timestamp in DNS. It is not allowed to do so due to it being in the no refresh interval.
- This goes on every 5 minutes. At 10:04, it tries again. Now, logic dictates that it should be able to refresh its timestamp this time because the no refresh interval is only 1 hour. However (and this is what I've never seen written anywhere else), it can't. This is because, all DNS registrations that occur from 09:00 to 09:59 will have a timestamp of 09:00:00. Therefore, counting only commences at 10:00, so the no refresh interval is officially from 10:00 - 11:00 (and any time before 10:00). Therefore the record timestamp will be refreshed on the first attempt after 11:00 and will be set to 11:00:00.
Now, let's see scavenging in action in the same scenario:
- Scavenging still occurs at 25 past the hour.
- Client is powered on at 13:38. DNS timestamp is set to 13:00:00.
- It tries to refresh its timestamp every 5 mins but is unable to.
- At 14:16 it is powered down.
- At 15:00, its DNS record enters the refresh interval. However, the client is powered down so does not refresh it.
- At 17:00 (2 hour refresh interval), the refresh interval expires and the record becomes eligible for scavenging.
- At 17:25, scavenging runs and the record is deleted.
Matching DHCP and DNS scavenging periods correctly is vital.
Here's an example where they aren't matched. DCs re-register their records every 24 hours by default, or whenever Netlogon is restarted. All clients automatically attempt to refresh their DNS records every 24 hours too.
In this scenario, we have the same scavenging settings as above, but this time, DHCP lease times are set to 4 days.
- Scavenging occurs at 25 past the hour again.
- Client powers on at 08:12 and receives an IP address from DHCP. DNS timestamp is set to 08:00:00. Since the lease time is 4 days, the client will not attempt to refresh its record for 2 days if left up and running.
- Therefore, by the end of the refresh interval at 12:00, the client has not refreshed its record and consequently at 12:25 the record is scavenged, despite the client being up and running and in use all that time.
Therefore, take care with over-zealous scavenging. Know your DHCP lease times!
What are the best settings?
I've heard talk that with a default DHCP lease time of 7 days, no refresh of 3 days and 4 days refresh intervals are good (the idea being that T1 is 3.5 days in, when the refresh interval is in place - again be careful its not the other way round with a no refresh of 4 days as T1 will always fail, though T2 at 87.5% of the way through the lease should succeed).
However, I'm not convinced. If the person goes on holiday for a week, the record will be scavenged - is that good? It might be depending on your point of view. However, by leaving it there it's not necessarily a bad thing. If the client is turned off for a few days and the lease expires, then as soon as it comes back on line and picks up a new IP address, the record is immediately updated anyway so it will always show the latest IP address.
Using DNSCMD to see record timestamps:
I don't like the DNS console much. It's slow to update so I can never trust the information it is giving me is up to date. DNSCMD often will show me that a timestamp is updated well before the console ever does.
If you want to see the timestamps for records in the console, you need to turn on advanced features. If you want to see them using DNSCMD, it's:
dnscmd servername /EnumRecords DNSZoneName @ /Type A
This will show you all A RRs, with timestamps.
Thursday, 11 March 2010
DNS Zone info in AD
In ADSIEdit you can see where each of the partitions stores DNS zone information (2 domain forest example):
Domain partition - cn=MicrosoftDNS,cn=System,dc=childdomain,dc=example,dc=com
DomainDnsZones partition (child domain) - cn=MicrosoftDNS,dc=DomainDnsZones,dc=childdomain,dc=example,dc=com
DomainDnsZones partition (root domain) - cn=MicrosoftDNS,dc=DomainDnsZones,dc=example,dc=com
ForestDnsZones partition - cn=MicrosoftDNS,dc=ForestDnsZones,dc=example,dc=com
If you try to change the replication scope from one to the other, and receive a message like:
"the name limit for the local computer network adapter card was exceeded"
then this likely to be because the zone already exists in the other location.
e.g. you try and move the replication scope of a DNS zone to DomainDnsZones and receive the message above.
Open up adsiedit and navigate to the relevant location in DomainDnsZones. You will likely already see a copy of the partition you are trying to move there.
Delete it, along with any ...in progress... zones you see there as these are the failed attempts to create the zone.
You will immediately be able to change the replication scope.
How did this get created?
Well, in my case it was creating a Server 2003 forest. This automatically installs DNS to the new partitions. However, I wanted to move them back, as well as move _msdcs.forestname to a sub domain of the forest root to represent how a Windows 2000 forest would look. Therefore, when I came to "upgrade" it to a Server 2003 forest-style DNS configuration again, the partition had already existed from when it was first installed.
_msdcs.forestname
Under Server 2003, this is in its own zone, replicating forest wide.
In Windows 2000, it's a sub-domain of the forest root domain. Which was always a pain as you had to ensure the child DCs also had a copy of the forest root DNS data, often using a secondary zone.
It can be upgraded using the instructions in kb817470.
To downgrade it, as I did here, I had to dfo the following:
The newly created _msdcs zone was deleted followed by the deletion of the automatically created delegation (under the forest name DNS zone), then create a new _msdcs subdomain under the forest name DNS zone and restart the netlogon service on every Domain Controller in the forest in order to force related DC RR registration.
Finally, you may speed the ForestDNSzone NC replication by running repadmin /syncall or /replicate /force commands.