DNS Resolution on Single NIC and Multiple IP’s


Who should read this:

a) System Engineers

b) System Administrators

c) DNS Administrators

d) Active Directory Admins

e) Active Directory Technical Architects

 

Risk / Considerations:

The changes below should first be performed in a test environment, and any dependent or hard-coded applications that rely on DNS should be evaluated for changes in behavior. The application behavior to analyze after the change includes DNS server response time, DNS query forwarding and DNS query failures.

 

Scenario: 

DNS name resolution is the most critical aspect of any IT infrastructure; whether it is Microsoft DNS or UNIX, the protocol behavior does not change. One such scenario is discussed below between IT Manager Mark and System Engineer Shaun.

 

IT Manager [Mark]: Good morning Shaun, on the Windows Server 2012 R2 member server with a single NIC (Network Interface Card) installed and multiple IP addresses configured, I would like to control DNS name resolution based on IP address. Is that possible?

 

System Engineer [Shaun]: Hi Mark, can you elaborate on your question, please?

 

IT Manager [Mark]: Sure, on the Windows Server 2012 R2 member server, which is also acting as a DNS server, I see that there are two IP addresses configured on a single NIC:

IP Address 1 [Private] = 10.0.0.4

IP Address 2 [Public] = 4.13.24.45

Any private DNS name should be resolved by 10.0.0.4, and for any public names the queries should be forwarded and resolved by 4.13.24.45. How do we achieve this?

 

System Engineer [Shaun]: This is highly unlikely to be achieved, Mark. The reason is that with a single NIC there is no way to define the binding. The closest workaround is to set the DNS server address order under the NIC properties.

Note: This setting should be performed for static IP addresses and must not be controlled by Group Policy.

Step 1: Log on to the Windows Server 2012 R2 using the Administrator account or an account that has privileges to modify the NIC.

Step 2: Start –> Run –> NCPA.cpl

Step 3: Navigate to the network adapter to be configured, right-click the adapter –> Properties –> Internet Protocol Version 4 –> Properties

Step 4: Navigate to Advanced TCP/IP Settings and add the DNS server IP addresses under the "DNS server addresses, in order to use" section.

Step 5: Click OK and close all the network interface windows.

Step 6: Open the command prompt and run ipconfig /flushdns and ipconfig /registerdns

 

DNS server priority is determined by the order. If the first server is not available to respond to a host name resolution request, the next DNS server in the list is accessed, and so on. To change the position of a server in the list box, select it and then click the up or down arrow button.
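The ordering from Steps 4 to 6, applied with PowerShell instead of the NCPA.cpl dialog, and followed by a check of what each listed server answers. This is an added example, not code from the original post; the adapter alias 'Ethernet' and the two test names are assumptions.

```powershell
# Added example (not from the original post): apply the DNS server order from Steps 4-6
# with PowerShell and then check what each listed server returns for a given name.
# Assumptions: the NIC alias is 'Ethernet'; the two test names are made up for the demo.
$adapter = 'Ethernet'
$servers = @('10.0.0.4', '4.13.24.45')   # list order = priority; later entries are failover only

# Step 4 equivalent: "DNS server addresses, in order to use"
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses $servers

# Step 6 equivalent: ipconfig /flushdns and ipconfig /registerdns
Clear-DnsClientCache
Register-DnsClient

# Confirm the order the resolver will actually use
Get-DnsClientServerAddress -InterfaceAlias $adapter -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# The order is failover, not per-name routing: every name goes to the first server unless
# it fails to respond. Asking each server directly shows whether each one can answer the
# private and public names at all, which is the check to run before relying on the order.
function Test-DnsServerOrder {
    param([string[]] $Names, [string[]] $Servers)
    foreach ($name in $Names) {
        foreach ($s in $Servers) {
            try {
                $answer = Resolve-DnsName -Name $name -Server $s -Type A -DnsOnly -ErrorAction Stop
                $ips = ($answer | Where-Object Type -eq 'A').IPAddress -join ', '
                '{0,-28} via {1,-12} -> {2}' -f $name, $s, $ips
            } catch {
                '{0,-28} via {1,-12} -> no answer ({2})' -f $name, $s, $_.Exception.Message
            }
        }
    }
}
# Assumed test names: one private, one public
Test-DnsServerOrder -Names 'fileserver.innovative.com', 'www.microsoft.com' -Servers $servers
```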

 

 

 


Am I a GC?


Am I a GC? or DC?

Finding out whether a Domain Controller is a Global Catalog server is fun, because there are several ways to do it.

I. ADUC:

Open Active Directory Users and Computers –> right-click the domain –> select Change Domain Controller. The resulting dialog lists the Domain Controllers and shows which of them are Global Catalog servers.

II. ADSIEdit Output:

There are three important attribute types in AD:

  • System Only
  • Constructed and
  • Backlinks

Constructed attributes are the most important attributes in AD, as they provide an advanced interpretation of AD operations. One such attribute is msDS-isGC; this attribute identifies whether the Domain Controller is a Global Catalog server, and it can be read in ADSIEdit on the NTDS Settings object.

III. DSQuery

Global Catalog status can be viewed using the DSQuery tool.

IV. NLTest:

Global Catalog status can be found using the NLTest tool through the Flags output of the tool.

V. LDP:

One other tool for viewing Global Catalog status is LDP. Please note that constructed attributes cannot be viewed in the standard LDP browse view; instead, a search that explicitly requests the attribute must be made to view the status of a Global Catalog server.

Other tools, such as PowerShell or the DS API, require the DN path to search for the value.
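The explicit search that the LDP note above calls for, as an added example that is not the post's own code: a PowerShell (System.DirectoryServices) query that requests msDS-isGC by name on every NTDS Settings object in the forest and cross-checks it against the stored options flag. It assumes a domain-joined machine and read access to the Configuration partition; the command-line equivalents named on the page are listed in the comments.

```powershell
# Added example, not part of the original post: read the constructed msDS-IsGC attribute
# for every NTDS Settings (nTDSDSA) object in the forest. Constructed attributes are only
# returned when explicitly requested, which is why a plain LDP browse does not show them.
# Assumes a domain-joined machine and a user who can read the Configuration partition.
# Quick CLI equivalents from the post: dsquery server -isgc ; nltest /dsgetdc:<domain>
# (look for GC in Flags). With the AD module: Get-ADDomainController -Filter * |
# Select-Object HostName, IsGlobalCatalog
function Get-GlobalCatalogState {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.Filter      = '(objectClass=nTDSDSA)'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('msDS-IsGC')   # constructed: must be named here
    [void]$searcher.PropertiesToLoad.Add('options')     # stored flag: bit 0x1 = NTDSDSA_OPT_IS_GC
    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        # DN is CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,... ;
        # server and site names are assumed not to contain escaped commas
        $parts  = $dn -split ','
        $server = $parts[1] -replace '^CN='
        $site   = $parts[3] -replace '^CN='
        $opts   = if ($r.Properties['options'].Count) { [int]$r.Properties['options'][0] } else { 0 }
        [pscustomobject]@{
            Server       = $server
            Site         = $site
            IsGC         = ("$($r.Properties['msds-isgc'][0])" -eq 'True')   # constructed view
            OptionsGcBit = (($opts -band 1) -eq 1)                          # stored flag; should agree
        }
    }
}
Get-GlobalCatalogState | Format-Table -AutoSize
```

A row where IsGC and OptionsGcBit disagree means the GC promotion or demotion has not completed on that DC yet (msDS-isGC is computed from the replicated state), which is worth checking before pointing clients at it.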

Security Token Service Integration using WS Protocols


Details:

There are three documents in this download associated with interoperability for the Works with Office 365 – Identity program. The first is the paper that details the agreement for STSs to interoperate with Azure Active Directory using the WS-Federation and WS-Trust protocols. The second is the paper that specifies the scenarios for STS testing that Microsoft uses for qualification in the Works with Office 365 – Identity program. The third is the program guide for partners in the Works with Office 365 – Identity program. This enables a third-party Identity Provider to be used for authentication by Office 365 and other Microsoft services that use Azure Active Directory.

Download Link:

http://www.microsoft.com/en-us/download/details.aspx?id=41185

Active Directory Partitions and Replicas In a Forest


Active Directory partitions and replicas form the firm foundation of Active Directory replication. In any enterprise Active Directory infrastructure there will be tens to hundreds of Domain Controllers spread across different sites, supporting multiple Active Directory domains in a forest.

The table below lists the Active Directory partitions and their roles.

 

| Serial Number | Active Directory Partition | Forest Wide | Domain Wide | What does it store | Replication |
|---|---|---|---|---|---|
| 1 | Configuration Partition | Yes. Only one Configuration partition per Forest | | Stores information about Sites, services, extended permissions etc. | Replicated across all Domain Controllers in the Forest |
| 2 | Schema Partition | Yes. Only one Schema partition per Forest | | Schema definitions, classes, attribute definitions of all AD objects | Replicated across all Domain Controllers in the Forest |
| 3 | Domain Partition | | Yes. One per Domain | Stores user objects, computer objects, Organizational Units, Groups etc. | Replicated only to Domain Controllers within the Domain |
| 4 | Domain Partition (Global Catalog) | | Yes. One per Domain | Stores a partial set of attributes from different directory partitions (domains) | Replicated across all Domain Controllers in the Forest |
| 5 | Application Partition | Yes. Any number of Application Partitions | | Stores application-specific data | Replicated across specific Domain Controllers in the Forest |

 

 
With the information above, we will do a little math on a conceptual organization that is spread across different sites and has two Active Directory domains in an AD forest.

Solution Architecture Diagram: AD Forest (diagram not reproduced; the replica chart below lists its sites and Domain Controllers)

Active Directory Replica Chart

| Domain | AD Site | Domain Controller | Configuration Partition | Schema Partition | Domain Partition A | Domain Partition B |
|---|---|---|---|---|---|---|
| Domain A | Primary Site | Global Catalog PS | Full Replica | Full Replica | Full Replica | Partial Replica |
| Domain A | Primary Site | Domain Controller 1 PS | Full Replica | Full Replica | Full Replica | |
| Domain A | Primary Site | Domain Controller 2 PS | Full Replica | Full Replica | Full Replica | |
| Domain A | Branch Site 1 | Global Catalog BS1 | Full Replica | Full Replica | Full Replica | Partial Replica |
| Domain A | Branch Site 1 | Domain Controller BS1 | Full Replica | Full Replica | Full Replica | |
| Domain A | Branch Site 2 | Global Catalog BS2 | Full Replica | Full Replica | Full Replica | Partial Replica |
| Domain A | Branch Site 2 | Domain Controller BS2 | Full Replica | Full Replica | Full Replica | |
| Domain B | Primary Site | Global Catalog PS | Full Replica | Full Replica | Partial Replica | Full Replica |
| Domain B | Primary Site | Domain Controller PS | Full Replica | Full Replica | | Full Replica |
| Domain B | Branch Site 1 | Global Catalog BS1 | Full Replica | Full Replica | Partial Replica | Full Replica |
| Domain B | Branch Site 1 | Domain Controller BS1 | Full Replica | Full Replica | | Full Replica |
| Domain B | Branch Site 2 | Global Catalog BS1 | Full Replica | Full Replica | Partial Replica | Full Replica |
| Domain B | Branch Site 2 | Domain Controller BS1 | Full Replica | Full Replica | | Full Replica |

 

 

 

 

 

Active Directory Directory System Agent


The directory system agent (DSA) is the collection of services and processes that run on each Windows 2000 Server and later domain controller and provide access to the data store. The data store is the physical store of directory data located on a hard disk. In Active Directory Domain Services, the DSA is part of the local system authority (LSA) subsystem. Clients access the directory using one of the mechanisms supported by the DSA. This document provides details about the Active Directory Directory System Agent implementation and a practical view of the component. The DSA is the primary component for Active Directory LDAP operations, and the document helps administrators understand the implementation aspects of the component.

 

Please follow the link below to download the document; hope it helps!

http://gallery.technet.microsoft.com/Active-Directory-Directory-cca49b03

Windows Security Support Provider Architecture


The SSPI in Windows provides a mechanism that carries authentication tokens over the existing communication channel between the client computer and server. When two computers or devices need to be authenticated so that they can communicate securely, the requests for authentication are routed to the SSPI, which completes the authentication process, regardless of the network protocol currently in use.

 


LDIFDE Export User from OU Location


Description:

One of the tricky situations for an Active Directory administrator is user management. Often they are challenged by scenarios to extract user info, export user data from one OU to another, or export user attributes from one Active Directory domain to another. The command below is targeted at extracting user information from an OU.

Export a single user's Active Directory attributes:

ldifde -f UserAttribute.ldf -s <Source DC FQDN> -d "CN=Standard Worker,OU=Research,DC=Innovative,DC=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"

The above command dumps the Standard Worker user's attributes to UserAttribute.ldf. Before importing the .ldf into the target domain, administrators have to perform the following:

a) Remove the legacy domain DN and replace it with the target domain DN. In our example, DC=innovative, dc=com should be changed to reflect DC=target, dc=com.

b) Remove the userAccountControl attribute from the export (userattribute.ldf).

c) Remove the lastLogonTimestamp attribute from the export (userattribute.ldf).

d) Modify the OU path (if required) to reflect the user's target OU.

Import the dump using:

ldifde -i -f <file path> -s <destination AD FQDN>
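The pre-import clean-up in steps a) to d), as an added example that is not the post's own script: a PowerShell function that rewrites the exported .ldf before running ldifde -i. The file names, the target DN DC=target,DC=com and the optional OU rename are assumptions; the function goes slightly beyond the steps by handling LDIF folded continuation lines and base64 (::) values, which a plain find-and-replace would corrupt.

```powershell
# Added example, not from the original post: prepare UserAttribute.ldf for import into another domain.
# Assumptions: source domain DN DC=Innovative,DC=com, target DC=target,DC=com, file names below.
function Convert-LdifForImport {
    param(
        [Parameter(Mandatory)] [string]   $InPath,
        [Parameter(Mandatory)] [string]   $OutPath,
        [Parameter(Mandatory)] [string]   $SourceDomainDn,
        [Parameter(Mandatory)] [string]   $TargetDomainDn,
        [string]   $SourceOuDn,                  # optional step d): e.g. 'OU=Research'
        [string]   $TargetOuDn,                  # e.g. 'OU=Staff'
        [string[]] $DropAttributes = @('userAccountControl', 'lastLogonTimestamp')   # steps b) and c)
    )
    $out      = New-Object System.Collections.Generic.List[string]
    $skipping = $false          # true while inside the folded lines of a dropped attribute
    foreach ($line in Get-Content -LiteralPath $InPath) {
        # LDIF folds long values onto following lines that begin with one space
        if ($line.StartsWith(' ')) {
            if (-not $skipping) { $out.Add($line) }
            continue
        }
        $skipping = $false
        if ($line -match '^([A-Za-z][\w;.-]*):') {
            $attr = $Matches[1]
            if ($DropAttributes -contains $attr) {     # -contains is case-insensitive
                $skipping = $true
                continue
            }
            # 'attr:: <base64>' values cannot be text-replaced; leave them as they are
            if ($line -notmatch '^[^:]+::') {
                # -replace is case-insensitive, so DC=innovative and DC=Innovative both match (step a)
                $line = $line -replace [regex]::Escape($SourceDomainDn), $TargetDomainDn
                if ($SourceOuDn -and $TargetOuDn) {
                    $line = $line -replace [regex]::Escape($SourceOuDn), $TargetOuDn
                }
            }
        }
        $out.Add($line)
    }
    # LDIF content is ASCII (non-ASCII values are base64-encoded), so ASCII output matches ldifde's default
    Set-Content -LiteralPath $OutPath -Value $out.ToArray() -Encoding ASCII
}
Convert-LdifForImport -InPath '.\UserAttribute.ldf' -OutPath '.\UserAttribute-target.ldf' `
    -SourceDomainDn 'DC=Innovative,DC=com' -TargetDomainDn 'DC=target,DC=com'
# then import: ldifde -i -f .\UserAttribute-target.ldf -s <destination AD FQDN>
```

Because the DN rewrite is a text replacement, a dn:: line (a DN that ldifde had to base64-encode) is left untouched and must be fixed by hand; the function prints nothing in that case, so inspect the output file for "dn::" before importing.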