DNS Zones

Nov 30, 2009

Types of DNS Zones
When you sit down to plan your DNS servers, you need to know all the zone types you can use so you get the full benefit of this wonderful tool.
For example, you can use zone transfers to set up your name servers, or you can use Active Directory Integrated Zones if you want every zone to replicate automatically to each DNS server in your environment.

DNS Levels
Before we begin you must understand how a DNS server works. Always remember that DNS resolves queries hierarchically, so you need to know how the levels apply to your zones.
Here is a simple example of the DNS hierarchy:
1. ' . ' - the DNS root, reached through the default root hints.
2. .COM - this is called a Top Level Domain (TLD).
3. Planning-tech.com - Planning-tech will be my main zone.
4. Creative.Planning-tech.com - Creative will be our subzone.

DNS Zone Directions
It is actually very simple and I already explained it in my first post, but for those who still don't understand, here it goes.
One thing to always remember when you configure your DNS server is that each zone can have only one of two directions.
Forward Lookup Zone
In this case you already know the hostname and your DNS server tells you the IP address of the host you requested. With forward lookup we get the option to find hosts (A records) and name servers (NS records).
Reverse Lookup Zone
Here we have the opposite: we know the IP address and the DNS server resolves it to a hostname. You also need to know that a reverse zone can be a security concern, so use it only for particular assignments, for example when you need to establish a connection to an SMTP mail relay or you want to use nslookup.

Now that you have the basics, let's see what kinds of zones you can use.
Active Directory - Integrated Zone
This is the most relevant option for most organizations. It is recommended when you have only Windows DNS servers and no UNIX servers in your environment; if that is your case, you have found the best solution.
The main reason to use an Active Directory - Integrated Zone is the replication benefit you receive when you use it. I will explain it in a few words.
For example:
If you have a DNS1 server that holds your DNS zones and you install a second server, DNS2, for redundancy, all the changes you make on either server replicate automatically to the other (remember that Active Directory Sites and Services determines the replication configuration).
In other words, an Active Directory - Integrated Zone is a special primary zone that can exist only on servers that are domain controllers.

Primary Zone
The primary zone is the main authoritative copy of our DNS zone; here all records are created and managed by the server and the administrator. In this zone type you can create, change or delete any record, because a primary zone is a writable zone.

Secondary Zone
Unlike the primary zone, the secondary zone is a read-only copy, and record changes are not possible on this zone type. Because we cannot change records directly, every record change arrives through replication (zone transfer) from the primary zone.
For me, the only time I want to use this option is when I want to create domain trusts or when I want to create redundancy.
Stub Zone
The stub zone is a copy of your zone, but it is unique because the only records it can supply are the ones needed to find the authoritative DNS servers for that zone. The stub zone contains only SOA, NS and A records.

Secure and Non-Secure Dynamic Updates
Dynamic updates have been available since Windows 2000; as you already know, they are a huge advantage and a pure benefit for the IT staff. Just imagine the "Stone Age" before Windows 2000, when you were supposed to update all your DNS records manually.
Secure updates help us make our DNS server much more secure than before: with secure updates only computers that have an object in Active Directory can add or update their record on the organization's DNS server (we are talking about the A record, in case you missed it...).
Note!
Microsoft recommends that when you use Active Directory Integrated Zones you enable "Secure only" for dynamic updates.

DNS Zone Features

Nov 28, 2009

Forward Lookup Zone

Holds all three zone types available:

  • Primary Zone.
  • Secondary Zone.
  • Stub Zone.

Record types per zone:

  • Primary Zone: SOA, A, CNAME, MX, NS, SRV
  • Secondary Zone: SOA, A, CNAME, MX, NS, SRV
  • Stub Zone: SOA, A, NS

Reverse Lookup Zone

Holds all three zone types available:

  • Primary Zone.
  • Secondary Zone.
  • Stub Zone.

Record types per zone:

  • Primary Zone: SOA, PTR
  • Secondary Zone: SOA, PTR
  • Stub Zone: SOA, NS, A


DNS Queries – Iterative and Recursive

Nov 28, 2009

In this article I will try to explain the type of answer you get when you send a query to your DNS server.

The Recursive name query

When a client sends a recursive query to a DNS server, it must get a response whether or not the server is authoritative for the name. In this case the server can respond in two different ways.

The first option is that the DNS server holds the record for the requested client query, and responds as it is supposed to for that record type.

The second option is that the DNS server does not hold the requested record; in that case the server sends an error message to the client and does not forward the client query to another DNS server to try to resolve it.

Recursive name queries can be made by clients to a DNS server or from one DNS server to a second DNS server (to send queries between two DNS servers we need to configure the second DNS server as a forwarder).

Here we need to remember one easy rule!

Whether or not the server can resolve the client query, it is the last stage for the client's query.

The Iterative name query

When a client sends an iterative query to a DNS server, it also allows the server, when it does not hold the record for the query, to forward the request to another DNS server that holds the record and can return the correct response.

These types of queries are typically exchanged between two different DNS servers.

Here I will show you an example of those two query types.

  1. The user connects to DNS1 with a recursive query for dudu.planning-tech.com.

Note!

In that case the DNS1 server must respond to the client query with the correct answer or an error message.

  2. DNS1 needs to check whether it has an answer to the query, and cannot find the correct record for it.

Note!

DNS1 checks both its zones and its cache to see if it can answer the client query.

  3. Because DNS1 cannot give the correct answer to the client query, it sends a recursive request to an alternative DNS server on the internet.

Note!

DNS servers hold the "Root Hints" by default; these help them send queries to other DNS servers around the net.

  4. The root DNS server on the internet also cannot resolve the request from DNS1.

  5. The root DNS server points DNS1 at the authoritative DNS servers for the .COM domain.

  6. DNS1 connects to the .COM domain server with an iterative query for dudu.planning-tech.com.

  7. The server responsible for the .COM domain does not know the full answer to the client query either, so it answers with a referral to the servers authoritative for planning-tech.com.

  8. DNS1 connects to the server that holds planning-tech.com.

  9. The planning-tech.com server holds the record, so it responds with the requested IP.

  10. After all this, DNS1 can now respond to the user with the IP address of "dudu.planning-tech.com".
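The walk in the numbered steps above (and the root -> .COM -> planning-tech.com hierarchy from the DNS Levels section), as an added simulation that is not code from the original post: a client asks DNS1, DNS1 answers from its own zones or cache when it can, and otherwise starts at the root hints and follows each referral down to the server that holds planning-tech.com. Every server name, zone and IP address below is a constructed sample value.

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]            # (record type, data)
Zone = Dict[str, List[Record]]      # owner name -> records at that name

# Step 3 of the post: DNS1 starts from its root hints (constructed sample).
ROOT_HINTS = {"a.root.example.": "198.51.100.1"}

# Constructed authoritative data, keyed by the IP of the server that holds it.
# Each level knows only its own records plus the delegation (NS + glue A) of
# the level below it, exactly like root -> .COM -> planning-tech.com above.
AUTH_SERVERS: Dict[str, Zone] = {
    "198.51.100.1": {                                   # a root server
        "com.": [("NS", "a.gtld.example.")],
        "a.gtld.example.": [("A", "198.51.100.2")],
    },
    "198.51.100.2": {                                   # a .COM TLD server
        "planning-tech.com.": [("NS", "ns1.planning-tech.com.")],
        "ns1.planning-tech.com.": [("A", "203.0.113.53")],
    },
    "203.0.113.53": {                                   # planning-tech.com
        "planning-tech.com.": [("SOA", "ns1.planning-tech.com."),
                               ("NS", "ns1.planning-tech.com.")],
        "ns1.planning-tech.com.": [("A", "203.0.113.53")],
        "dudu.planning-tech.com.": [("A", "203.0.113.10")],
    },
}


def query_authoritative(server_ip: str, qname: str, qtype: str) -> Tuple[str, Optional[str]]:
    """One question to an authoritative server, answered only from its own data.

    Returns ("answer", data), ("referral", ip_of_next_server) or ("nxdomain", None).
    """
    zone = AUTH_SERVERS[server_ip]
    for rtype, data in zone.get(qname, []):
        if rtype == qtype:
            return "answer", data
    # No record of that type: walk up the name. An SOA on the way up means this
    # server is authoritative and the name simply does not exist (the "error
    # message" case); an NS record is a delegation, so refer the asker downward
    # (steps 5 and 7 of the post).
    labels = qname.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        records = zone.get(parent, [])
        if any(rtype == "SOA" for rtype, _ in records):
            return "nxdomain", None
        for rtype, ns_name in records:
            if rtype == "NS":
                for gtype, glue_ip in zone.get(ns_name, []):
                    if gtype == "A":
                        return "referral", glue_ip
    return "nxdomain", None


class RecursiveResolver:
    """DNS1 from the post: serves clients from its own zones or cache and
    otherwise walks the hierarchy from the root hints, following referrals."""

    def __init__(self, own_zones: Zone) -> None:
        self.zones = own_zones
        self.cache: Dict[Tuple[str, str], str] = {}
        self.last_path: List[str] = []      # servers asked during the last lookup

    def resolve(self, qname: str, qtype: str = "A") -> Optional[str]:
        self.last_path = []
        # Step 2: our own zones first, then the cache.
        for rtype, data in self.zones.get(qname, []):
            if rtype == qtype:
                return data
        if (qname, qtype) in self.cache:
            return self.cache[(qname, qtype)]
        # Steps 3 to 9: start at a root server and follow every referral down.
        server = next(iter(ROOT_HINTS.values()))
        for _ in range(8):                  # bound the walk so a bad delegation cannot loop us
            self.last_path.append(server)
            kind, data = query_authoritative(server, qname, qtype)
            if kind == "answer":
                self.cache[(qname, qtype)] = data   # step 10, and cached for next time
                return data
            if kind == "referral":
                server = data
                continue
            return None                     # nxdomain: the client gets an error
        return None


if __name__ == "__main__":
    dns1 = RecursiveResolver({"dns1.corp.example.": [("A", "10.0.0.53")]})
    print(dns1.resolve("dudu.planning-tech.com."), "via", dns1.last_path)
```

The `last_path` list shows the three servers DNS1 had to ask; the second lookup of the same name is served from the cache and asks nobody.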

DNS Records types

Nov 26, 2009

We use different resource records to resolve many types of queries in today's environment. The purpose of a DNS query is to help us locate the server that is authoritative for a domain (a domain controller, for example); the server's job is to match the query against its resource records.

Types of records and what they are for:

_SRV and _MSDCS records:

These two records are created by default when you install the DNS role in your environment, and they are required for communication with Active Directory.

These records let us see the services available and make the connection between client computers and the domain controllers by resolving the DC IP addresses.

For example, we can see our DNS servers, our Active Directory servers and our Global Catalog servers.

SOA (Start of Authority) Records:

This is the most important record a DNS server has to offer, and to make life easy for us administrators we had better know how to manage this record so we can control our DNS server comfortably. We also need to remember that there is only one SOA record per zone.

Basically this record contains the key information about our DNS server and domain: for example, in the SOA we can get information about updates and when they occur in our domain, and we can also specify our e-mail address, in case we are not at work because we moved to a bigger office and make much more money and our replacement needs to ask stupid questions. We also need to know that a good SOA configuration helps us save replication time in our domain.

MX Records:

If I had one way to describe the purpose of MX records, I would say that we use this record type to help mail servers deliver e-mail between them.

The e-mail delivery can occur in your internal environment or to other external domains.

The process is very simple:

A client in the planning-tech domain sends an e-mail to another client that belongs to the Microsoft domain.

The mail is sent to an SMTP server, which checks the MX record of the domain in the recipient address (XXX@IBM.com). If the SMTP server finds a correctly configured MX record, it then looks up the A record for that mail host and establishes the connection to that mail server.

We can create multiple MX records (for redundancy or to balance between our Exchange servers) with a priority between them, so when the SMTP server tries our MX records it chooses the one with the lowest number, and if that one is not active it goes to the MX record with the next higher number.

NS Records:

This record simply lets us know the authoritative DNS servers we have in our environment.

We need to know and use the NS records when we create forwarders between DNS servers, both internal and external.

PTR Records:

First we need to know that we cannot create a PTR record by default; to create PTR records we first need to create an additional zone called a "Reverse Lookup" zone.

The PTR record maps IP addresses to hostnames. When you use this record type you need to know that it can also create security problems, because an attacker can easily perform a reverse DNS lookup and thereby learn all your hosts' names, among other problems (but that will be explained in another post...).

The main purpose of PTR records is to help us establish connections to an SMTP mail relay, which must have a PTR record to function properly so we can enjoy mail flow.
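The MX and PTR sections above, as one added example that is not code from the original post: a sending SMTP server orders the MX hosts by preference and falls over to the next one when the first is down, and a receiving relay checks that the connecting IP has a PTR record whose name points back to the same IP (the forward-confirmed reverse lookup that relays commonly require). All records, host names and addresses are constructed sample data.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed forward records: owner name -> list of (type, data).
# MX data is (preference, mail host); the lowest preference is tried first.
FORWARD: Dict[str, List[Tuple[str, object]]] = {
    "planning-tech.com.": [("MX", (20, "mail2.planning-tech.com.")),
                           ("MX", (10, "mail1.planning-tech.com."))],
    "mail1.planning-tech.com.": [("A", "203.0.113.25")],
    "mail2.planning-tech.com.": [("A", "203.0.113.26")],
    "spoof.example.": [("A", "203.0.113.99")],
}

# Constructed reverse zone (113.0.203.in-addr.arpa.): reverse name -> PTR target.
REVERSE: Dict[str, str] = {
    "25.113.0.203.in-addr.arpa.": "mail1.planning-tech.com.",
    "26.113.0.203.in-addr.arpa.": "mail2.planning-tech.com.",
    "27.113.0.203.in-addr.arpa.": "spoof.example.",   # PTR whose A does not point back
}


def lookup(name: str, rtype: str) -> List[object]:
    """Return the data of every record of type rtype at name (empty list if none)."""
    return [data for t, data in FORWARD.get(name, []) if t == rtype]


def mx_order(domain: str) -> List[str]:
    """MX hosts in the order a sending server tries them: lowest preference first."""
    mxs = sorted(lookup(domain, "MX"), key=lambda p: (p[0], p[1]))
    return [host for _, host in mxs]


def pick_mail_server(domain: str, is_reachable: Callable[[str], bool]) -> Optional[str]:
    """Resolve each MX host's A record in preference order and return the first IP
    that answers; None means no MX host of the domain is reachable."""
    for host in mx_order(domain):
        for ip in lookup(host, "A"):
            if is_reachable(ip):
                return ip
    return None


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa owner name that a PTR lookup for ip uses."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def forward_confirmed(ip: str) -> bool:
    """The check a receiving relay applies to a connecting sender: the IP must have a
    PTR record, and the name it points to must have an A record back to that IP."""
    host = REVERSE.get(reverse_name(ip))
    if host is None:
        return False            # no reverse zone entry at all: the relay rejects the sender
    return ip in lookup(host, "A")


if __name__ == "__main__":
    print(mx_order("planning-tech.com."))
    print(pick_mail_server("planning-tech.com.", lambda ip: ip != "203.0.113.25"))
    print(forward_confirmed("203.0.113.25"), forward_confirmed("203.0.113.27"))
```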

 

A (Host) Record:

This is the classic record a DNS server has to offer; the only thing an "A" record does is map a hostname to an IP address. We set one A record per IP address, because if we point one A record at two or more IP addresses we get conflicts in our DNS server. The A record also helps us assign static IP addresses to our domain controllers, which must have (or let's say Microsoft recommends...) static IP addresses (imagine your DC changing its IP address... not so recommended...).

For example:

www.XXX.com maps to 192.XXX.XXX.X

CNAME Record:

A CNAME is a canonical name record that lets us map our "A" records (hostnames) to a different name, such as another hostname or a different FQDN.

TRACERT

Nov 21, 2009

With the TRACERT command we can determine the entire path an ICMP echo request takes from the source computer to its destination. The output shows us every point the ICMP packets pass through until they reach the destination.

 

Syntax

tracert [-switch] [target name]

Parameters

-d: with this switch the command does not resolve IP addresses to hostnames. Choose this switch when you want faster results.

-h maximum_hops: here we set the maximum number of hops to search between the source and the destination.

Target name: here we specify the destination we want to check.

Example:

C:\Users\3>tracert www.microsoft.com

Tracing route to lb1.www.ms.akadns.net [207.46.19.254]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  SL2141.siemens [10.0.0.138]
  2    15 ms    15 ms    17 ms  bzq-79-179-197-1.red.bezeqint.net
  3     *       16 ms     *     www.microsoft.com [207.46.19.254]
  4     *        *     1773 ms  www.microsoft.com [207.46.19.254]
  5    19 ms    18 ms    18 ms  www.microsoft.com [207.46.19.254]
  6     *        *     3670 ms  www.microsoft.com [207.46.19.254]
  7    97 ms    96 ms    96 ms  www.microsoft.com [207.46.19.254]
  8    96 ms    97 ms    96 ms  www.microsoft.com [207.46.19.254]
  9   168 ms   168 ms   166 ms  www.microsoft.com [207.46.19.254]
 10   171 ms   176 ms   172 ms  www.microsoft.com [207.46.19.254]
 11   205 ms   171 ms   171 ms  www.microsoft.com [207.46.19.254]
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.

Trace complete

Pathping

Nov 21, 2009

The pathping command helps us get information about our network when we have latency and when we lose packets between the source computer and the destination we want to reach.

When we use pathping, the command sends multiple echo request messages to each point our packet has to pass (a router, for example) before it arrives at the destination, and then measures the packets returned from each point.

When we use pathping we can determine at which point we have latency or network problems, because pathping checks how many packets we lost at each point from the source to the destination.

 

Pathping Syntax

C:\>pathping [switch] TargetName

-n: this switch makes the command skip resolving the IP addresses of intermediate points to names.

-h: here we specify the maximum number of hops between the source and the destination.

Note!

The maximum number of hops by default is 30.

-p Period: here we specify how many milliseconds to wait between pings.

Note!

The default period is 0.25 of a second!

-q NumQueries: here we specify the number of echo requests sent to each point between the source and the destination.

Note!

By default we have 100 queries!

-w Timeout: here we set the number of milliseconds to wait for each reply.

Note!

3 seconds is the default (1000 milliseconds = 1 second).

TargetName: the destination we want to get information about.

Example:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\3>pathping www.microsoft.com

Tracing route to lb1.www.ms.akadns.net [207.46.192.254]
over a maximum of 30 hops:
  0  3-PC.siemens [10.0.0.7]
  1  SL2141.siemens [10.0.0.138]
  2  bzq-79-179-197-1.red.bezeqint.net [79.179.197.1]
  3     *        *     www.microsoft.com [207.46.192.254]
  4     *        *     www.microsoft.com [207.46.192.254]
  5     *     www.microsoft.com [207.46.192.254]
  6     *        *        *

Computing statistics for 125 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           3-PC.siemens [10.0.0.7]
                                0/ 100 =  0%   |
  1    0ms     0/ 100 =  0%     0/ 100 =  0%  SL2141.siemens [10.0.0.138]
                                1/ 100 =  1%   |
  2   26ms     1/ 100 =  1%     0/ 100 =  0%  bzq-79-179-197-1.red.bezeqint.net [79.179.197.1]
                                2/ 100 =  2%   |
  3   32ms     3/ 100 =  3%     0/ 100 =  0%  www.microsoft.com [207.46.192.254]
                                3/ 100 =  3%   |
  4   35ms     6/ 100 =  6%     0/ 100 =  0%  www.microsoft.com [207.46.192.254]
                                1/ 100 =  1%   |
  5   33ms     7/ 100 =  7%     0/ 100 =  0%  www.microsoft.com [207.46.192.254]

Trace complete.

C:\Users\3>
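Reading the statistics table by hand is error-prone, so here is an added example (not code from the original post) that parses the table pathping prints and reports, per hop, the loss at the node itself ("This Node") and the loss on the link leading to it ("Link"), which is where pathping points the finger. `SAMPLE` is reconstructed from the output shown above, with hop 2's address on one line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Reconstructed from the pathping output above (constructed sample input).
SAMPLE = """\
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           3-PC.siemens [10.0.0.7]
                                0/ 100 =  0%   |
  1    0ms     0/ 100 =  0%     0/ 100 =  0%  SL2141.siemens [10.0.0.138]
                                1/ 100 =  1%   |
  2   26ms     1/ 100 =  1%     0/ 100 =  0%  bzq-79-179-197-1.red.bezeqint.net [79.179.197.1]
                                2/ 100 =  2%   |
  3   32ms     3/ 100 =  3%     0/ 100 =  0%  www.microsoft.com [207.46.192.254]
                                3/ 100 =  3%   |
  4   35ms     6/ 100 =  6%     0/ 100 =  0%  www.microsoft.com [207.46.192.254]
                                1/ 100 =  1%   |
  5   33ms     7/ 100 =  7%     0/ 100 =  0%  www.microsoft.com [207.46.192.254]

Trace complete.
"""

# One "lost/sent = pct" cell, e.g. "3/ 100 =  3%".
LOSS = r"(\d+)/\s*(\d+)\s*=\s*(\d+)%"
# A hop row: number, RTT, cumulative cell, node cell, address.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d+)ms\s+" + LOSS + r"\s+" + LOSS + r"\s+(.*?)\s*$")
# The source row (hop 0) has no RTT or loss cells, only an address.
SOURCE_RE = re.compile(r"^\s*0\s+(\S.*?)\s*$")
# The link row printed between two hops ends with a bar.
LINK_RE = re.compile(r"^\s*" + LOSS + r"\s+\|\s*$")


@dataclass
class Hop:
    number: int
    address: str
    rtt_ms: Optional[int]          # None for the source (hop 0)
    cum_lost_pct: Optional[int]    # "Source to Here" column
    node_lost_pct: Optional[int]   # "This Node/Link" column, the node itself
    link_lost_pct: Optional[int]   # loss on the link from the previous hop into this one


def parse_pathping(text: str) -> List[Hop]:
    """Turn the statistics table into Hop objects, attaching each link row to the hop after it."""
    hops: List[Hop] = []
    pending_link: Optional[int] = None
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            n, rtt, _, _, cum, _, _, node, addr = m.groups()
            hops.append(Hop(int(n), addr, int(rtt), int(cum), int(node), pending_link))
            pending_link = None
            continue
        m = LINK_RE.match(line)
        if m:
            pending_link = int(m.group(3))   # belongs to the next hop row we read
            continue
        m = SOURCE_RE.match(line)
        if m and not hops:
            hops.append(Hop(0, m.group(1), None, None, None, None))
    return hops


def lossy_links(hops: List[Hop], threshold_pct: int) -> List[int]:
    """Numbers of the hops whose inbound link loses at least threshold_pct of packets."""
    return [h.number for h in hops
            if h.link_lost_pct is not None and h.link_lost_pct >= threshold_pct]


def worst_link(hops: List[Hop]) -> Optional[Hop]:
    """The hop whose inbound link drops the most packets (None if no link rows were parsed)."""
    candidates = [h for h in hops if h.link_lost_pct is not None]
    return max(candidates, key=lambda h: h.link_lost_pct, default=None)


if __name__ == "__main__":
    parsed = parse_pathping(SAMPLE)
    for hop in parsed:
        print(hop.number, hop.rtt_ms, hop.node_lost_pct, hop.link_lost_pct, hop.address)
    print("worst link into hop", worst_link(parsed).number)
```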

NSLookup to make our Dns life better!

Nov 21, 2009

NSLookup is a fantastic tool that helps us troubleshoot the DNS server role. When you first type the nslookup command you will see the host name and the IP address of the server configured as your DNS server.

Note!

To exit the nslookup tool all you need to do is type "exit".

You need to know that when you run the nslookup tool it always searches your local domain unless you provide a different FQDN.

For example, we can resolve host names into IPs:

nslookup www.Microsoft.com

Server: lb1.www.ms.akadns.net

Address: 207.46.19.190

We can also query for the opposite:

nslookup 207.46.19.190

Server: www.microsoft.com

Address: 207.46.19.190

Now I will give you all the switches nslookup has to offer, to help you as best I can:

Switch and the function it provides:

nslookup -> here we launch the nslookup tool.

Set Host Name -> returns the IP of the host name we provide.

set timeout=X -> here we set the time limit to wait for a reply.

set type= -> here we choose the query record type (A, ANY, CNAME, MX, NS, PTR, SOA, SRV).

set querytype= -> exactly like type.

 

 

ARP - Address Resolution Protocol

Nov 21, 2009

This command lets us display and modify the ARP cache. The ARP cache contains one or more tables that store IP addresses and the physical (MAC) addresses they resolve to. Each network adapter has its own unique physical address.

To use the ARP command we need to open a command prompt:

Run -> CMD -> now we can use the ARP commands.

Syntax:

If it is the first time you use the arp command, you can see all the options ARP has to offer:

C:\>arp -> now you will see the ARP help page.

ARP parameters:

-a = this switch displays the ARP cache tables for all interfaces. If we want to display the ARP table of the interface with a specific IP address, all we need to do is type:

C:\>arp -a -N xx.xxx.xxx.x

Note!

-N is case sensitive!!!!

-s = this switch adds a static entry to our ARP table that resolves an IP address to a physical address. Example:

IP: 10.10.10.2

MAC: 00-bb-vv-cd

Now we want to add an entry to our cache that resolves this IP address to this MAC address:

arp -s 10.10.10.2 00-bb-vv-cd

-d = with this switch we delete a specific IP entry saved in our cache, or all the entries saved in our cache.

To delete all entries in the cache:

C:\>arp -d

To delete a specific IP entry:

C:\>arp -d xxx.xxx.xxx.xxx

RODC (Read-Only Domain Controller)

Nov 20, 2009

The RODC is a new feature in Server 2008 and, to be precise, it is a new kind of domain controller. The main purpose of the RODC is to address security issues. We can now use an RODC in small sites where we cannot place a physical server because we cannot secure it. The RODC lets us place a domain controller without the sensitive data of our organization and delegate the appropriate permissions to the local administrator.

The RODC replicates in one direction only: every database the RODC holds comes from the writable (root) domain controller. The RODC holds all objects and their attributes.

So let's imagine the next scenario: you put an RODC in a small site and the worst case happens, a thief in our site. The RODC protects our organization's data as follows:

  • First, unlike a regular domain controller, the RODC does not give access to change the organization's Active Directory database, because the RODC contains only a read-only database, so objects cannot be changed from the small site.

  • If we disable password caching on the RODC, an attacker cannot use brute force to crack our passwords and gain access to our database, because the RODC does not contain the objects' credentials.

  • One of the most sensitive roles on a DC is the DNS database; by using an RODC we protect our DNS database so an attacker cannot access our DNS records. If our RODC holds the DNS role, dynamic updates cannot be enabled on it; that means that when a client wants to update a DNS record, the update does not happen on the RODC: the RODC refers the request to the root DC (the writable database), and only then is the record updated and sent back to the RODC.

  • When you delegate local admin rights, the local admin can install software on the RODC; to be granted that delegation the local admin needs to be included in the Domain Admins group.

Note!

Even if an attacker obtains the local admin password, he cannot make changes on other domain controllers.

RODC Deployment

Before we deploy the RODC server our environment needs to meet a few prerequisites:

  1. To deploy an RODC we need at least one writable DC running Server 2008 or Server 2008 R2, and both servers need to be in the same domain. The reason is that the RODC needs to get a replica of our database because it does not have one of its own.

  2. Now we need to prepare our domain and schema; here we need to consider two different possibilities:

-          The first option is a new forest with only 2008 domain controllers; in that case we do not need to run the adprep /rodcprep command.

-          The second option, and probably the most common, is to have both 2003 and 2008 servers in our forest. In that case we need to prepare both the forest and the domain with the following commands:

adprep /forestprep (on the Schema Master).

adprep /domainprep /gpprep (on the Infrastructure Master).

adprep /rodcprep (you can run it on any domain controller).

  3. Make sure your forest functional level is Windows Server 2003 or higher.

  4. Add yourself to the Domain Admins group.

 

Installing RODC (Full Installation): follow these easy steps:

  1. First connect to your server and join it to the domain (we do this when we are not using the delegated install).

  2. Run "dcpromo".

  3. Choose "Existing forest" and "Add a domain controller to an existing domain".

  4. On the Network Credentials page, type the name of a domain in the forest, and then click Next.

  5. Select the domain for the RODC, and then click Next.

  6. Choose the site you want to add the RODC to.

  7. In "Additional Domain Controller Options" choose:

-          DNS server.

-          Global Catalog.

-          RODC.

  8. Next -> Finish.

Installing RODC (Delegated Installation): follow these easy steps:

This is an optional possibility for us, the organization admins, to give the power to another user (of course we need to trust this person...).

The installation follows two stages, and both people are involved as follows:

  1. The "big" admin with the domain credentials needs to create the RODC account in AD DS; that account holds all the records and data we need to attach the RODC in the second stage. This stage must be done with the right credentials (Domain Admins group). During this stage we also specify the user account that will perform the second stage.

  2. The "small" admin needs to connect the RODC that sits in the other physical location to the account that the "big" admin created in the first stage. The server we install the RODC on must be joined to the domain before we proceed with the RODC installation. During the RODC installation the wizard checks that our credentials match those set in the first stage and that the name of the RODC matches the name of the account created in stage one.

Stage 1:

To create an RODC account using Active Directory Users and Computers:

  1. Open Run.
  2. Type: dsa.msc (the Active Directory Users and Computers snap-in will open).
  3. Open the "Domain Controllers" container.
  4. Right-click "Domain Controllers" -> Actions.
  5. Click "Pre-create Read-only Domain Controller account".
  6. A wizard opens.
  7. On the Network Credentials page, under "Specify the account credentials to use to perform the installation", click "My current logged on credentials".

Note!

We can specify the credentials of another account:

Alternate credentials -> Set. In the Windows Security dialog box, provide the user name and password of an account that can install the additional domain controller.

  8. Now you are asked to provide the name of the RODC server.
  9. On the site selection page, provide the site the RODC will belong to.
  10. In "Additional Domain Controller Options" go through the Microsoft recommendations as follows:

    • DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this check box. However, if you do not install the DNS server role on the RODC and the RODC is the only domain controller in the branch office, users in the branch office will not be able to perform name resolution when the WAN to the hub site is offline.
    • Global catalog: This option is selected by default. It adds the read-only directory partitions of the global catalog to the domain controller, and it enables global catalog search functionality. If you do not want the domain controller to be a global catalog server, clear this option. However, if you do not install a global catalog server in the branch office or enable universal group membership caching for the site that includes the RODC, users in the branch office will not be able to log on to the domain when the WAN to the hub site is offline.
    • RODC: When you create an RODC account, this option is selected by default and you cannot clear it.

  11. In Select Users, Computers, and Groups, type the names of the accounts that you want to add to the policy -> OK.
  12. On the Delegation of RODC Installation and Administration page, type the name of the user or group who will attach the server to the RODC account you are creating.
  13. Now review the Summary page to check the entire configuration we created, then click Next.

That was the first stage of the RODC installation; after creating the account we need to install the RODC server and connect it to the account we just created.

 

Stage 2:

Attach the RODC server to the account we created:

  1. Connect to the RODC server (the server we want to install the RODC on) with local administrator credentials.
  2. Open Run and type: dcpromo /UseExistingAccount:Attach
  3. On the Welcome screen click Next.
  4. On the Network Credentials page, enter the name of the domain in the forest where you want to install your additional DC. Under "Specify the account credentials", choose "Alternate credentials" -> Set -> in the Windows Security dialog provide the credentials that were delegated in the first stage.
  5. On the Select Domain Controller Account page -> Confirm -> Next.
  6. Location for Database, Log Files, and SYSVOL: here you specify the location of these files.
  7. Directory Services Restore Mode Administrator Password page: enter your recovery credentials.

Note!

It may not seem important now, but when you have database corruption or a failed server, trust me, you will need this password, so keep it somewhere you can remember!!!!

    !!!!!Good Luck, You Have a New Read Only Domain Controller!!!!!

FSMO Roles

Nov 12, 2009

The FSMO (Flexible Single Master Operations) roles are assigned to domain controllers in our environment and give us the ability to manage it without conflicts. The FSMO roles can be transferred between domain controllers, which lets us manage our environment with much more flexibility.

There are 5 FSMO roles in a forest; 2 of them provide services at the forest level and the other 3 at the domain level.

The forest-level FSMO roles:

  • Schema Master Role - the Schema Master is responsible for updating the schema partition. The DC that holds the Schema Master is the only one in our entire environment that can update the schema. As you already know from my other articles, when the update finishes the schema replicates to all other DCs in our directory.

Note!

We have only ONE Schema Master per directory!

  • Domain Naming Master Role - this role gives us the ability to make changes to the forest-wide domain namespace of our directory. The DC that holds this role is the only one that can add or remove DCs in our forest.

The domain-level FSMO roles:

  • RID Master Role - the RID role is hosted on a single DC, which is responsible for the RID pool requests from all other DCs in the domain. This role is also responsible for adding or removing objects (users, computers...) in a domain and moving them to another DC.

The RID Master is responsible for the security principal identifier of objects in our environment (users, computers, groups...), called the SID; this SID is unique across our whole domain and cannot be duplicated on another object in our domain.

  • PDC Emulator Role - this role provides many services; its first responsibility is time synchronization in a Windows 2000 environment (W32Time service), which is required for Kerberos authentication. The time this FSMO provides is gathered from an external source, Microsoft's servers for example.

The PDC Emulator is the role that provides the most services, so we can say it is the busiest one in our environment; here are a few examples:

-          This role helps us replicate the Sysvol folder in our environment.

-          It manages all password changes in our domain, ensures that accounts that supply the wrong credentials get locked out, and replicates passwords across the domain.

  • Infrastructure Master Role - this role gives us the ability to update objects' SIDs and distinguished names across domains; this happens when an object from one domain is referenced by an object from another DC.

FSMO levels:

Schema Master: one per forest.

Domain Naming Master: one per forest.

PDC Emulator: one per domain.

RID Master: one per domain.

Infrastructure Master: one per domain.

 

Worst Case Scenario - what happens if an FSMO role fails...?

  • Schema Master - if this FSMO role fails we cannot add objects to our schema partition, and for that reason we cannot change objects or their attributes.

  • Domain Naming Master - here it is easy to understand the problem when this FSMO fails: we simply cannot add new DCs to the forest, and we also cannot demote existing domain controllers. Note that our environment keeps functioning until we need to manage the domain controllers in our forest.

  • PDC Emulator - as we described, this role provides the most services, so when it is not functioning it will probably cause the biggest problems in our environment.

  • RID Master - first we need to know that each domain controller in our domain holds a pool of RIDs, so we only have problems if we want to add many objects (users, computers...).

  • Infrastructure Master - here we need to understand the difference between a single-domain environment (if this FSMO fails it is not relevant) and a multi-domain environment (if this FSMO fails we cannot add objects from one DC to another).

 

Microsoft Recommendations for placing FSMO roles

First we need to know that the first domain controller installed in a forest holds all five FSMO roles.

When we add more DCs we can transfer the FSMO roles from the first DC installed in the forest (it does not happen automatically, so we need to manage the transfers manually).

As you already understand, it is nice to have more than one domain controller in a forest so we can enjoy more redundancy and more flexibility in managing FSMO roles; here are Microsoft's recommendations for managing FSMO roles in a forest environment:

  1. The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server.

  2. The Infrastructure Master should not be on the same server that acts as a Global Catalog server.

Note!

The Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain.

Note!

In a single-domain environment this is not an issue.

 

Permissions

To transfer an FSMO role you need the appropriate permissions; every FSMO role needs its own permissions:

  • Schema Master: Schema Admins group.
  • Domain Naming Master: Enterprise Admins group.
  • PDC Emulator: Domain Admins group.
  • RID Master: Domain Admins group.
  • Infrastructure Master: Domain Admins group.

So where can we find the FSMO holders...?

  • The easiest way is to work with the NETDOM utility; we can find it in the Microsoft "Support Tools" or in the Windows 2003 "Resource Kit".

Now all we need to do is go to the command line and type the following command:

netdom query fsmo

After the command finishes we will see a list of domain controllers and the roles they host.

  • The second way is to use the Administrative Tools snap-ins:

-          Open Active Directory Users and Computers, right-click the domain name and choose "Operations Masters". Now you should see a dialog indicating the FSMO servers.

The FSMO roles we can see here are:

  1. RID Master.
  2. PDC Emulator.
  3. Infrastructure Master.

-          Open Active Directory Domains and Trusts, right-click the domain name and choose "Operations Master". Now you should see a dialog indicating the FSMO server.

Here we can see only the Domain Naming Master.

-          To see the Schema Master holder we need to open a blank MMC and add the "Active Directory Schema" snap-in.
