Active Directory Flexible Authentication Secure Tunneling (FAST)

Let’s discuss Flexible Authentication Secure Tunneling (FAST).

This new feature, implemented in the Windows Server 2012 KDC, provides protection against password-based dictionary attacks. FAST is an extra level of security above password lockout policies and works at the Kerberos authentication level.

What is FAST and Kerberos Armoring?

Sometimes referred to as one and the same, FAST provides protection against offline dictionary attacks that work by spoofing Kerberos errors. If the Kerberos authentication sequence fails, authentication falls back to NTLM authentication, a less secure method.

FAST is defined by RFC 6113 and RFC 4851 and prevents the spoofing of Kerberos errors. FAST is also referred to as Kerberos Armoring. FAST provides a protected channel between a domain-joined client and a DC, and involves the LSA (Local Security Authority), the Netlogon service, and the KDC. FAST protects the Kerberos pre-authentication data in the “AS_REQ” by using the LSK (the randomly generated logon session key from the TGT, the Ticket Granting Ticket obtained during the Kerberos authentication sequence) as a shared secret to fully encrypt Kerberos messages and sign all possible Kerberos errors. The shared secret provides an additional “salt” in the Kerberos authentication process. This results in increased processing time, but it does not change the Kerberos service ticket size. The shared secret gives DCs the ability to return Kerberos authentication errors that the client can verify, which in turn protects against spoofing, man-in-the-middle, and other attacks.

FAST and Windows Server 2008

Although Windows Server 2012 and newer domain controllers are required to support this feature, there are no requirements for the domain or forest functional levels to be at Windows Server 2012. Therefore, you can have Windows Server 2008 and Windows Server 2008 R2 domain controllers, with forest functional level on Windows Server 2008.

The only exception is if you are implementing claims across a forest trust.

FAST requirements

  • Functional levels must be at least Windows Server 2008.
  • For full support, Domain and Forest Functional Levels must be at Windows Server 2012, which means that all domain controllers must be at least Windows Server 2012.
  • The Active Directory Domain must support Claims Based Access Control (CBAC) and Kerberos Armoring policy for all Windows Server 2012 domain controllers.
  • CBAC is an authorization method granting or denying access based on an arbitrary authorization decision algorithm using data in claims.

Additional Reading on CBAC:
Authorization in Claims-Aware Web Applications and Services
http://msdn.microsoft.com/en-us/library/windowsazure/gg185915.aspx

The domain can be configured either to require Kerberos armoring or to use it upon request. The latter allows backward compatibility with legacy clients. This can be enabled by using two Group Policy settings:

  • “Support CBAC and Kerberos armoring”
  • “All DCs can support CBAC and Require Kerberos Armoring”

Additional Reading

What’s New in Kerberos Authentication?
http://technet.microsoft.com/en-us/library/hh831747.aspx

The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST)
http://tools.ietf.org/html/rfc4851

A Generalized Framework for Kerberos Pre-Authentication
http://tools.ietf.org/html/rfc6113

==================================================================

Summary

Stay tuned. This is part of a release of previously unreleased documentation.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services


Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Fine-Grained Password Policies User Interface in Windows 2012 R2 and Newer

Intro

Ace again! Let’s talk about FGPP!

When Active Directory was first introduced in Windows Server 2000, you could only create one password policy for the domain, configured in the Default Domain Policy. If you attempted to create a GPO linked to an OU with password policy settings, the Active Directory CSEs (Client Side Extensions, the client-side DLLs that determine, download and run the GPOs assigned to a computer or user) would ignore them.

FGPP Expanded Requirements

Therefore, if an IT infrastructure design required different password policies for different locations or users, the only options were to create a password filter or to create a separate child domain or a new tree in the forest. Of course, this came with design challenges, additional hardware and administrative overhead. For a number of years this was a limitation for which IT administrators had no real solution or alternative.

To provide a solution, Fine-Grained Password Policies (FGPPs) were introduced in Windows Server 2008 and continued in Windows Server 2008 R2. They allowed administrators to create a Password Settings Object (PSO) for a set of user accounts or groups. PSOs cannot be linked to GPOs, and the only way to create and administer PSOs and FGPPs was with low-level utilities such as ADSI Edit.

Windows Server 2012 introduced a new GUI to ease the creation and administration of PSOs and FGPPs. In this section, we will learn about the new FGPP and PSO features and how to create and administer them.

  • Why would we need an FGPP?
  • Understanding Password Settings Objects (PSOs)
  • What’s new in Windows 2012 FGPP?
  • PSO Resultant Set of Policies (RSOP)
  • What’s required to implement FGPPs?
  • PowerShell and FGPPs

Why would we need an FGPP?

You can use fine-grained password policies to specify multiple password policies in a single domain by applying different password and account lockout settings to different sets of users and groups in that domain.

For example, you can apply stricter settings to privileged accounts such as administrator accounts, or executive accounts, and apply less strict settings to the accounts of other users. You can also create special password policies for accounts that get their passwords synchronized with other data sources or applications.

Understanding Password Settings Objects (PSOs)

Password Settings Objects (PSOs) have identical password settings as the password policy in a GPO. These settings include password length, complexity, account lockout, password minimum and maximum age, password history settings, PSO link, and Precedence.

PSOs are not linked to an OU; they are applied to users or groups. To help keep track of which PSO goes with which OU, for example, administrators can create an Active Directory group in the OU whose name matches the PSO.

With Windows Server 2008 and Windows Server 2008 R2, ADSI Edit (Active Directory Services Editor), a low-level editor, is required to create, modify and apply PSOs to users or groups. ADSI Edit is akin to a “registry editor” that allows you to modify data in the various partitions of the AD database. Using ADSI Edit requires additional knowledge and skill from an administrator, who must understand the various Active Directory database partitions and how to access them.

What’s new in Windows Server 2012 FGPPs?

In Windows Server 2012, creating and managing fine-grained password policy can now be performed using a user interface, the ADAC (Active Directory Administration Center), vastly improving ease of administration.

Administrators can now visually see a specific user’s resultant set of policies (RSOP), view and sort all password policies within a given domain, and manage individual password policies.


PSO Resultant Set of Policies (RSOP)

If a user or group has multiple PSOs linked to them, possibly because they are members of multiple Active Directory groups that have different PSOs, only one PSO can be applied. Therefore, the RSOP must be evaluated to ensure the correct PSO is applied.

To determine and calculate the RSOP, each PSO has an additional attribute called the msDS-PasswordSettingsPrecedence.

The msDS-PasswordSettingsPrecedence attribute has an integer value of 1 or greater. The lower the value, the higher the precedence. In a scenario where an AD group has two PSOs linked, one with a value of 2 and the other with a value of 4, the PSO with a value of 2 wins and is applied to the AD group.

RSOP msDS-PasswordSettingsPrecedence Logic:

  1. A PSO that is linked directly to the user object is the resultant PSO. (Multiple PSOs should not be directly linked to users.)
  2. If no PSO is linked directly to the user object, the global security group memberships of the user, and all PSOs that are applicable to the user based on those global group memberships, are compared. The PSO with the lowest precedence value is the resultant PSO.
  3. If no PSO is obtained from conditions (1) and (2), the Default Domain Policy is applied.
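The three precedence rules above, implemented as a small RSOP resolver over constructed PSO data. This is an added example, not code from the original post; the PSO names, the group1 membership and the object_guid stand-in field are assumptions.

```python
from dataclasses import dataclass

DEFAULT_DOMAIN_POLICY = "Default Domain Policy"


@dataclass(frozen=True)
class PSO:
    """A Password Settings Object, reduced to what RSOP evaluation needs."""
    name: str
    precedence: int        # msDS-PasswordSettingsPrecedence: 1 or greater, lower wins
    applies_to: frozenset  # msDS-PSOAppliesTo: user and global security group names
    object_guid: str       # constructed stand-in for objectGUID, used only to break ties

    def __post_init__(self):
        if self.precedence < 1:
            raise ValueError(f"{self.name}: precedence must be 1 or greater")


def _winner(candidates):
    # Lowest precedence value wins. On an exact tie AD DS applies the PSO with the
    # mathematically smallest objectGUID; the constructed object_guid field mimics that.
    return min(candidates, key=lambda p: (p.precedence, p.object_guid))


def resultant_pso(user, global_groups, psos):
    """Return the name of the PSO that applies to `user`, or the Default Domain Policy.

    `global_groups` is the set of global security groups the user belongs to, with
    nested membership already expanded (AD DS does this itself via tokenGroups).
    """
    # Rule 1: a PSO linked directly to the user object wins outright.
    direct = [p for p in psos if user in p.applies_to]
    if direct:
        return _winner(direct).name  # more than one direct link is a misconfiguration
    # Rule 2: otherwise compare every PSO reachable through global group membership.
    via_groups = [p for p in psos if global_groups & p.applies_to]
    if via_groups:
        return _winner(via_groups).name
    # Rule 3: nothing linked, so the Default Domain Policy applies.
    return DEFAULT_DOMAIN_POLICY


# Constructed sample directory (not real objects): two PSOs both linked to "group1",
# mirroring the 2-versus-4 scenario above, plus one PSO linked straight to an admin account.
SAMPLE_PSOS = [
    PSO("Group1-Strict", 2, frozenset({"group1"}), "0000-aaaa"),
    PSO("Group1-Loose", 4, frozenset({"group1"}), "0000-bbbb"),
    PSO("Admin-Direct", 9, frozenset({"admin.alice"}), "0000-cccc"),
]

if __name__ == "__main__":
    # Member of group1 only: precedence 2 beats precedence 4.
    print(resultant_pso("bob", {"group1", "Domain Users"}, SAMPLE_PSOS))
    # Direct link wins even though the group PSOs have better precedence values.
    print(resultant_pso("admin.alice", {"group1"}, SAMPLE_PSOS))
    # No PSO reachable at all: the domain policy applies.
    print(resultant_pso("carol", {"Domain Users"}, SAMPLE_PSOS))
```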

Additional reading on RSOP:

AD DS: Fine-Grained Password Policies
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

What’s required to implement FGGPs?

Note that fine-grained password policies can only be applied to global security groups and user objects (or inetOrgPerson objects, an object class some third-party applications may use instead of user objects).

Requirements include:

  • Only members of the Domain Admins group can set fine-grained password policies; however, the task can be delegated to other users.
  • The domain functional level must be Windows Server 2008 or higher.
  • You must use the Windows Server 2012 version of ADAC (Active Directory Administrative Center) to administer fine-grained password policies through a graphical user interface.

Server Manager can be used to install the RSAT tools (Remote Server Administration Tools) on Windows Server 2012 computers, providing the correct version of Active Directory Administrative Center to manage fine-grained password policies through a user interface.

  • You can use RSAT on Windows 8 computers to get the correct version of Active Directory Administrative Center to manage FGPPs.

PowerShell and FGGPs

PowerShell can also be used to create and manage FGPPs. For example, the commands below create a PSO with the following settings:

  • PSO Name: TestPswd
  • Complexity: Enabled
  • Lockout Duration: 30 Minutes
  • Lockout Observation Window: 30 Minutes
  • Lockout Threshold: 0 (account lockout disabled)
  • MaxPasswordAge: 42 Days
  • Minimum Password Age: 1 Day
  • MinPasswordLength: 7 characters
  • PasswordHistoryCount: 24 passwords remembered that you can’t reuse
  • Precedence: 1
  • ReversibleEncryptionEnabled: No
  • ProtectedFromAccidentalDeletion: Yes (prevents accidental deletion)
  • Security Principal Applied to: AD Group called “group1”

# Create the PSO (requires the ActiveDirectory PowerShell module)
New-ADFineGrainedPasswordPolicy TestPswd -ComplexityEnabled:$true -LockoutDuration:"00:30:00" -LockoutObservationWindow:"00:30:00" -LockoutThreshold:"0" -MaxPasswordAge:"42.00:00:00" -MinPasswordAge:"1.00:00:00" -MinPasswordLength:"7" -PasswordHistoryCount:"24" -Precedence:"1" -ReversibleEncryptionEnabled:$false -ProtectedFromAccidentalDeletion:$true

# Link the PSO to the global security group it should apply to
Add-ADFineGrainedPasswordPolicySubject TestPswd -Subjects group1

Additional Reading:

AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

Introduction to Active Directory Administrative Center Enhancements (Level 100)
http://technet.microsoft.com/en-us/library/hh831702.aspx

Creating fine grained password policies through GUI Windows server 2012 “Server 8 beta”
Microsoft Technet, by Tamer Sherif Mahmoud, Team Blog of MCS
http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx

============================================================

Summary

Stay tuned for more on Azure and Cloud Computing

Published 10/15/2016

Ace Fekay

What is Cloud Computing?

Intro

Ace here again. This is part of my blog series on Azure and Cloud Computing.

This is a short discussion about cloud computing, another service offered by Internet service providers to help companies reduce costs by practically eliminating hardware.

Service Providers and Services

In the past few years, many online service providers have gained momentum by offering datacenter services that allow customers to host services, applications, and operating systems. These service providers provide 24/7 availability and uptime monitoring, backups, disaster recovery, application updates, and full support.

As long as an employee has internet access, whether at the office or away, they can access these services and applications.

A Cloud Operating System does what a traditional operating system does – manage applications and hardware, but at the scope and scale of cloud computing, meaning the applications and hardware are operated and managed outside of a company’s network.

The foundations of the Cloud OS are Windows Server 2012 and Windows Azure, complemented by the full feature set of Microsoft technology solutions, such as SQL Server, System Center, Exchange Server, and Visual Studio. Together, these technologies provide a consistent platform for infrastructure, applications and data that can span your datacenter, service provider datacenters, and the Microsoft public cloud.

Public Clouds

Shared Public Cloud

A Shared Public Cloud provides the benefit of rapid implementation, massive scalability, and a low cost of entry, because multiple tenants share and absorb the overall costs, reducing each tenant’s individual cost.

It is delivered in a shared physical infrastructure where the architecture, customization, and degree of security are designed and managed by the hosting provider according to market-driven specifications.

Public clouds have weaker security due to their shared nature.

Dedicated Private Clouds

Dedicated Private Clouds are similar to a Shared Public Cloud, except that they are delivered on physical infrastructure dedicated to a single organization.

Security, performance, and sometimes customization are better in the Dedicated Private Cloud than in the Shared Public Cloud. Its architecture and service levels are defined by the provider, and the cost may be higher than that of the Shared Public Cloud.

Private Cloud

Dedicated Private Clouds may be hosted by the organization itself at a co-location service, where the organization owns all hardware and software and provides its own full maintenance procedures, including disaster recovery solutions, with the co-location provider only guaranteeing 24/7 power and internet connectivity. Alternatively, they may be hosted by a cloud services provider, which provides all hardware and software and ensures that the cloud services are not shared with any other organization.

Private clouds are more than just a large-scale hypervisor installation. They can use the Microsoft System Center 2012 management suite, which makes it possible to provide self-service delivery of services and applications.

Self-hosted Private Cloud

A Self-hosted Private Cloud provides the benefit of architectural and operational control utilizing the existing investment in people and equipment, and provides a dedicated on-premise environment that is internally designed, hosted, and managed.

Hosted Private Cloud

A Hosted Private Cloud is a dedicated environment that is internally designed, externally hosted, and externally managed. It blends the benefits of controlling the service and architectural design with the benefits of datacenter outsourcing.

Private Cloud Appliance

A Private Cloud Appliance is a dedicated environment that is purchased from a vendor and designed by that vendor, based on provider- and market-driven features and architectural control. It can be hosted internally or externally, and can be internally or externally managed. A Private Cloud Appliance benefits consumers by combining the advantages of a predefined functional architecture and lower deployment risk with the benefits of internal security and control.

What do Windows 2012 R2 and the Cloud OS Mean to Organizations?

It means organizations can shift to efficiently managing datacenter resources as a whole, including networking, storage and computing. Organizations will be able to deliver and manage powerful apps that boost employee productivity by providing faster access across private, hybrid (a mixture of private and public clouds) and public clouds.

With Windows Server 2012 and newer, and System Center, an organization owns its own private cloud, and they can provide users a self-service portal to request their own multitier applications including web servers, database servers, and storage components.

Windows Server 2012 and the components of the System Center 2012 suite can be configured so service requests can be processed automatically, without requiring manual deployment of virtual machines and database server software.

Microsoft Private Cloud Fast Track

Microsoft Private Cloud Fast Track is a joint effort between Microsoft and its hardware partners to deliver pre-configured solutions that reduce the complexity and risk of implementing a private cloud, and it delivers flexibility and choice across a range of hardware vendors and technologies in pre-configured solutions.

For more information on Microsoft Private Cloud Fast Track, and the implementation deployment guide:

Microsoft Private Cloud Fast Track Information New and Improved, by Thomas W Shinder, MSFT, 7/27/2012
http://blogs.technet.com/b/privatecloud/archive/2012/07/27/microsoft-private-cloud-fast-track-information-new-and-improved.aspx

For a complete list of Reference Architecture for Private Cloud Documents:

Reference Architecture for Private Cloud
http://social.technet.microsoft.com/wiki/contents/articles/3819.reference-architecture-for-private-cloud.aspx

============================================================

Summary

Stay tuned for more on Azure and Cloud Computing

Published 10/15/2016

Ace Fekay

What is SaaS, PaaS, and IaaS?

Intro

Ace here again. With Azure gaining traction, and the whole “Cloud” computing buzzword becoming a staple of everyday life, I thought I would bring some sunlight through and explain some of the offerings.

SaaS: Software as a Service

Software as a Service (SaaS) delivers business processes and applications, such as SharePoint, CRM, collaboration, and e-mail, as standardized capabilities for a usage-based cost at an agreed, business-relevant SLA (service level agreement).

SaaS provides significant efficiencies in cost and delivery with minimal customization, and represents a shift of operational risk from the consumer to the hosting provider. All infrastructure and IT operational functions are abstracted away from the consumer, reducing the consumer’s resource overhead.

The end user is the consumer and benefits most from SaaS through increased application uptime and performance.

PaaS: Platform as a Service

The most complex of the three, cloud platform services, or “Platform as a Service” (PaaS), deliver computational resources with an efficient and agile approach to operating scale-out applications in a predictable and cost-effective manner, through a platform such as Windows Server 2012.

With PaaS, the application owner is the consumer. PaaS delivers application execution services, such as application runtime, storage, and integration, for applications written for a pre-specified development framework the consumer can build upon to develop, customize, and test applications. Deployment of applications is quick, simple, and cost-effective, eliminating the need to purchase underlying layers of hardware and operating systems.

PaaS is highly scalable. Consumers need not worry about platform upgrades or downtime due to maintenance.

Service levels and operational risks are shared because the consumer (customer) takes responsibility for the stability, architectural compliance, and overall operations of the application while the provider delivers the platform capability (including the network infrastructure and operational functions) at a predictable service level and cost.

One comparison between SaaS and PaaS: with PaaS, vendors still manage the runtime, middleware, O/S, virtualization, hardware (servers and storage), and networking, but users manage applications and data. With SaaS, users only control the software, not the platform the software is running on.

IaaS: Infrastructure as a Service

Cloud infrastructure services, known as “Infrastructure as a Service” (IaaS), deliver computer infrastructure (such as a platform virtualization environment), storage, and networking.

IaaS abstracts hardware (server, storage, and network infrastructure) into a pool of computing, storage, and connectivity capabilities that are delivered as services for a usage-based (metered) cost. Its goal is to provide a flexible, standard, and virtualized operating environment that can become a foundation for PaaS and SaaS.

IaaS is usually seen to provide virtual server standardization by the hosting provider. The hosting provider manages virtualization and provides service level agreements (SLA) that cover the performance and availability of the virtualized infrastructure.

The consumer takes responsibility for configuration, operations, maintenance, updates, upgrades and support of the guest Operating System (OS), software, and Database (DB). Compute capabilities (such as performance, bandwidth, and storage access) are also standardized.

IaaS is an advanced state of IT maturity that has a high degree of automation, integrated-service management, and efficient use of resources.

The consumer can be the application owner and/or the IT department, and also provides middleware, application and operating system updates, upgrades and support. The benefit to the consumer is that they can install any required platforms.



============================================================

Summary

Published 10/15/2016

Ace Fekay

Active Directory DNS Single Label Names

Intro

Hey everyone, Ace again. Let’s discuss this issue. I hardly see this issue anymore, because it was mostly prevalent when Active Directory was introduced: there was some confusion about AD domain naming, and many IT admins used NT4’s domain naming guidelines. Many of us are now familiar with AD’s naming convention and have more than likely renamed or rebuilt our AD domains. However, there are still some installations with this issue.

How did it happen? Many reasons, such as lack of research on AD’s DNS requirements, assumptions, or a simple typo when originally upgrading from NT4 or promoting your new AD domain. It doesn’t matter now, because you were brought here to find out what to do with it.

I hope you find this blog informative on this issue and what to do about it.

First, let’s discuss a little background on the necessary components at play…

FQDN

First, let’s discuss the FQDN. What is an FQDN? It stands for “Fully Qualified Domain Name.” It is multi-level, or hierarchical, such as:

domain.com
domain.net
domain.local
childdomainname.domain.local
etc

What is a Single Label DNS Domain name?

The name is reminiscent of the legacy-style NT4 NetBIOS domain names, such as:

DOMAIN
CORP
COMPANYNAME
etc

Unfortunately, this does not work with DNS, and since Active Directory relies on DNS, it does not work with Active Directory either. Stay with me. I’ll explain…

DNS

DNS is a hierarchical database. Some call it a “tree” with a root (the ‘com’ or ‘net’, etc., name), then the trunk (the ‘domain’ portion of it), and the branches (such as www, servername, etc.). The root domain name, such as com, edu, net, etc., is also known as the TLD (Top Level Domain name).

Basically, you can look at a DNS domain name as having multiple levels separated by periods. The minimal requirement for an FQDN domain name, such as microsoft.com, is two levels. Then, of course, come your resource names, such as www, servername, or even child domain names under it.

Notice that with a single label name there is only one name for the domain, or one level? Don’t get this confused with the NetBIOS domain name that we were familiar with in the NT4 days. AD supports the NetBIOS domain name as well, but only as a NetBIOS domain name. It’s one of the domain names chosen when a machine is promoted into a domain controller for a brand new domain in a brand new forest. NT4 neither relied on nor used DNS for NT4 domains. However, AD is reliant on DNS, therefore it must follow DNS naming rules.

Unfortunately, the old NT4-style names are not hierarchical because there is only one level.

Since AD requires and relies on DNS, and DNS is a hierarchical database, a single label name does not follow any sort of hierarchy. DNS fails with single label names. Windows 2008, Windows 2003, XP and Vista have problems resolving single label names because they do not follow the proper format for a DNS domain name, such as domain.com, etc.

Also, Windows 2000 SP4 and all newer machines have problems querying single label names. It’s explained below by Alan Wood. Because clients query DNS for AD resources (domain controller locations and other services), they may have difficulty finding resources.

How did it happen? As I said earlier, it doesn’t matter now, because you were brought here to find out what to do with it.

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (or any AD upgrade or installation):
http://support.microsoft.com/kb/555040

Single Label Name Explanation

Another variation of the Single Label Name explanation that I had provided in a response to a post in the DNS and/or AD newsgroups at one time:

The issue is the single label name. Locally at HQ, the client uses NetBIOS to join; remotely, however, it relies on DNS. DNS queries do not work properly with single label names on Windows 2000 SP4 and all newer machines.

Period. Why? Good question. It’s based on the fact that DNS is hierarchical. Hierarchical means it must have multiple levels, a minimum of two.

The TLD (top level domain) is the root name, such as the com, net, etc., names. The client-side resolver service algorithm (which is governed by the DHCP Client service, which must be running on all machines, static or not) relies on that name as the basis for finding the second-level name (the name “domain” in domain.com, etc.). If the name is a single label name, it thinks THAT name is the TLD.

Therefore it then hits the Internet root servers to find who owns and is authoritative for that TLD, just as when looking up Microsoft.com: it queries for the COM portion, for which the roots return the name servers responsible for COM, and then it queries those for the servers responsible for the Microsoft.com zone.

If it’s a single label, the query ends there, and it won’t go further. However, what is odd is that even though the single label name is being hosted locally in DNS, it will NOT query locally first, because it believes the name is a TLD; it therefore goes through the normal resolution (recursion and devolution) process, which causes excessive query traffic to the Internet root servers.

How to fix it? Good question. Glad you’ve asked.

  1. The preferred “fix” (in a one-line summary) is to install a fresh new domain, properly named, and use ADMT to migrate user, group and computer accounts into the new domain from the current domain.
  2. An alternative is to perform a domain rename (difficulty depends on the operating system and which version of Exchange is installed).
  3. As a temporary resort, you can use the patch, or band-aid registry fix, to force resolution and registration that is mentioned in the following link. Unfortunately, it must be applied to every machine in the domain, including the DCs, member servers, workstations and laptops.

Information About Configuring Windows 2000 for Domains with Single-Label DNS Names:
http://support.microsoft.com/?id=300684

Single Label Names and being a better Internet Neighbor

The following was posted by Microsoft’s Alan Wood in 2004:

Single label names, from Alan Wood, [MSFT], posted:

—– Original Message —–
From: “Alan Wood” [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS

Hi Roger,

We really would prefer to use FQDN over single labeled. There are a lot of other issues that you can run into when using a single labeled domain name with other AD integrated products. Exchange would be a great example. Also note that the DNR (DNS Resolver) was and is designed to devolve DNS requests to the LAST 2 names.

Example: Single Labeled domain .domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA, for example Host.DomainA, and uses \\host to connect to a share, then it is not going to resolve. WHY? Because the resolver is first going to query for Host.Child2.child1.domainA, then it will next try HOST.Child1.domainA, and at that point the devolution process is DONE. We only go to the LAST 2 domain names.

Also note that if you have a single labeled domain name it causes excess DNS traffic on the ROOT HINTS servers, and being all good Internet community users we definitely do not want to do that. NOTE that in Windows 2003, you get a big pop-up error message when trying to create a single labeled name telling you DON’T DO IT. It will still allow you to do it, but you will still be required to make the registry changes, which is really not fun.

Microsoft is seriously asking you to NOT do this. We will support you, but the end results could be limiting depending on the services you are using.

Thank you,

Alan Wood [MSFT]


Related Articles – Even though they seem old, they STILL APPLY!!!

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain
http://support.microsoft.com/kb/555040

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003:
http://support.microsoft.com/kb/825036

DNS and AD (Windows 2000 & 2003) FAQ:
http://support.microsoft.com/kb/291382

Naming conventions in Active Directory for computers, domains, sites, and OUs (Good article on DNS and other names)
http://support.microsoft.com/kb/909264

============================================================

Summary

I hope this helps!

Published 10/15/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services


Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Remote Server Administration for Windows 2012 R2


Prologue

Ace here again. This discusses remote administration. Simple, right? Maybe not!

Remote Server Administration for Windows 2012 R2

Server Manager in Windows Server® 2012 R2 can be used to perform various management tasks on remote servers. By default, remote management is enabled on Windows Server 2012 R2. You can add remote servers to the Server Manager server pool in Windows Server 2012 R2 Server Manager.

Objectives

Discuss the following remote admin methods

  • What is Remote Management?
  • How to Enable and Disable Remote Management
  • Remote Management and Tools Commands
  • Server Manager
  • WinRM
  • PowerShell Remoting
  • Remote Desktop
  • Remote Server Administration Tools (RSAT)
  • SCONFIG

What is Remote Management?

Windows Server 2012 R2 provides the ability to remotely manage multiple servers with a number of methods. One of the newest features in Windows Server 2012 is the ability to use Server Manager for this task.

In addition to Windows Remote Management, you can also use Remote Shell and remote Windows PowerShell to manage remote computers. This gives you the ability to locally load Windows PowerShell modules, such as Server Manager, and execute the cmdlets from the loaded module on remote servers, so you can run PowerShell commands and scripts remotely even when the script exists only on the local server.

Windows Remote Management (WinRM) is the Windows implementation of WS-Management, an industry-standard, web services-based protocol. Windows runs WinRM as a service under the same name, WinRM. WinRM provides secure local and remote communications for management applications and scripts.

In addition, Windows Remote Management is one of the components of the Windows Hardware Management features to allow secure local and remote Windows Server management across a firewall using standard Web service-based protocols.

If the server hardware has an optional, built-in Baseboard Management Controller (BMC) provided by the hardware vendor, you can also remotely manage a system even if the Windows operating system has not yet booted or has failed. This also allows access to the server’s BIOS.

A BMC is an option provided by hardware vendors that consists of a microcontroller and an independent network connection that you can communicate with if the server ever goes offline.

When a server is not connected to a BMC, WinRM can still be used to connect to WMI remotely in situations where firewalls may block DCOM communications, because WinRM uses the secure web-based port, TCP 443.

Additional Reading on WinRM:

About Windows Remote Management
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384291(v=vs.85).aspx

Hardware Management Introduction (includes BMC information)
http://technet.microsoft.com/en-us/library/f550cac0-5344-41cb-8e89-6e5c93236886

How to Enable and Disable Remote Management

There are a number of methods to administer WinRM.

· Winrm.cmd – Command line tool that allows administrators to configure WinRM, get data, or manage resources. For syntax, you can run winrm /? for online help.

· Win-RM Scripting API – Allows you to create remote administration scripts that expose the WS-Management APIs and protocols.

· Winrs.exe – A command line tool to execute CMD commands on remote servers using WS-Management APIs. For example, to remotely get an ipconfig /all from a remote machine, you can run:
winrs -r:DC12.trimagna.com "ipconfig /all";tasklist

You can also use the help switch to see all possible options and syntax:
winrs -?

· IPMI and WMI Providers – The IPMI provider and drivers allow remote hardware management using BMC. These can be used programmatically.

· WMI Service – Using the WMI plug-in, WMI runs together with WinRM to provide data or control functions for remote management.

· WS-Management protocol – SOAP based protocol using XML messages. It is a web-based, firewall friendly protocol running across secure TCP 443 providing industry-standard interoperability to transfer and exchange management information.

Remote Management Tools and Commands

There are a number of ways to enable, disable and configure Remote Management.

Server Manager

To enable or disable Remote Management, in the Server Manager Local Server node, click the text next to the Remote Management icon.

WinRM Command

You can use the WinRM command to enable, disable, and configure Remote Management.

The syntax is:

winrm OPERATION RESOURCE_URI [-SWITCH:VALUE [-SWITCH:VALUE] ...] [@{KEY=VALUE [;KEY=VALUE]...}]

You can use the following to check the current Remote Management configuration and status:
winrm get winrm/config

Or you can run it remotely on another server using the WinRS command:
winrs -r:DC12-1.trimagna.com "winrm get winrm/config";tasklist

To enable or disable Remote Management:
winrm qc

When the WinRM qc command is run, it performs a number of steps to enable and configure the Remote Management service:

  1. Configures and changes the WinRM service from Manual to Automatic startup.
  2. Starts the WinRM service.
  3. Creates and configures a listener that will accept WinRM requests on any IP address.
  4. Creates a Windows Firewall exception for WS-Management traffic for the HTTP protocol.
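As an added example (not from the original post), the following PowerShell reads back what winrm qc configured on the local server, the service start mode, the listeners and the firewall rules, and also reports two WinRM service settings a defender should check. It assumes Windows Server 2012 R2 (WSMan: drive and NetSecurity module present) and an elevated prompt; the function name is mine.

```powershell
# Added example, not from the original post: audit what "winrm qc" set up locally.
# Assumes Windows Server 2012 R2 (WSMan: drive, NetSecurity module) and an elevated prompt.
function Get-WinRmAudit {
    $svc       = Get-Service -Name WinRM
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'").StartMode

    # winrm qc creates an HTTP listener on all addresses (TCP 5985 is the HTTP default)
    $listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
        Select-Object Address, Transport, Port, Enabled, CertificateThumbprint

    # The firewall exception winrm qc creates lives in this display group
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Profile

    # Two service settings that weaken WinRM if someone turned them on
    $allowUnencrypted = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
    $basicAuth        = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value

    $findings = @()
    if ($allowUnencrypted -eq 'true') {
        $findings += 'AllowUnencrypted is true: message-level encryption can be bypassed over the HTTP listener'
    }
    if ($basicAuth -eq 'true') {
        $findings += 'Basic authentication is enabled: credentials are protected only by the transport'
    }
    if (-not ($listeners | Where-Object Transport -eq 'HTTPS')) {
        $findings += 'No HTTPS listener: only the HTTP listener (Kerberos/Negotiate message encryption) exists'
    }

    [pscustomobject]@{
        ServiceStatus = $svc.Status
        StartMode     = $startMode        # "Auto" after winrm qc
        Listeners     = $listeners
        FirewallRules = $fwRules
        Findings      = $findings
    }
}

Get-WinRmAudit | Format-List
```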

If the Windows Firewall is disabled, you will see the following error message:

WSManFault
    Message
        ProviderFault
            WSManFault
                Message = Unable to check the status of the firewall.

Error number: -2147023143 0x800706D9
There are no more endpoints available from the endpoint mapper.

To view the command syntax and options, you can run winrm -?

WinRM supports the following commands:

  • PUT
  • GET
  • ENUMERATE
  • INVOKE

WinRM Examples:

Start a service on a remote machine:
winrm invoke startservice wmicimv2/Win32_Service?name=w32time -r:DC12

Reboot a remote machine:
winrm invoke reboot wmicimv2/Win32_OperatingSystem -r:FS1

Additional Reading on the WinRM commands:

An Introduction to WinRM Basics – From the EPS Windows Server Performance Team
http://blogs.technet.com/b/askperf/archive/2010/09/24/an-introduction-to-winrm-basics.aspx


PowerShell Remoting

There are a number of cmdlets that use WMI for remote administration. These cmdlets open a temporary connection to the remote computer using WMI, run the command, then close the session.

These cmdlets do not use WS-Management based remoting; therefore the computer does not need to be configured for WS-Management, nor does it have to meet the system requirements for WS-Management. Because they are not tied to the WS-Management service, you can use the ComputerName parameter in any of these cmdlets.

You can run the Invoke-Command cmdlets to run commands on other computers.

For example, to get a list of all services on a remote computer, whether running or stopped, you can run the following command:
Invoke-Command -ComputerName DC12 -ScriptBlock {Get-Service}

Or to see the status of a single service:
Invoke-Command -ComputerName DC12 -ScriptBlock {Get-Service WinRM}
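The Invoke-Command calls above, extended to several servers at once as an added example that is not part of the original post: it checks that WinRM answers before connecting and tags each result with the server it came from. The server names are constructed placeholders and the function name is mine.

```powershell
# Added example, not from the original post: fan out Get-Service over several servers.
# Server names below are constructed placeholders; the function name is mine.
$servers = 'DC12', 'FS1'

function Get-RemoteServiceState {
    param(
        [string[]]$ComputerName,
        [string[]]$ServiceName = @('WinRM', 'W32Time')
    )

    # Test-WSMan fails fast when the listener or firewall exception is missing (see "winrm qc")
    $reachable = foreach ($c in $ComputerName) {
        if (Test-WSMan -ComputerName $c -ErrorAction SilentlyContinue) { $c }
        else { Write-Warning "$c : WinRM not reachable, skipped" }
    }
    if (-not $reachable) { return }

    # One Invoke-Command for all targets; each result carries PSComputerName
    Invoke-Command -ComputerName $reachable -ScriptBlock {
        param($names)
        Get-Service -Name $names -ErrorAction SilentlyContinue |
            Select-Object Name, Status, DisplayName
    } -ArgumentList (,$ServiceName) -ErrorAction Continue |
        Select-Object PSComputerName, Name, Status, DisplayName
}

$state = Get-RemoteServiceState -ComputerName $servers
$state | Format-Table -AutoSize

# Anything not running is worth a look: a stopped WinRM breaks remote administration
$state | Where-Object Status -ne 'Running' |
    ForEach-Object { Write-Warning "$($_.PSComputerName): $($_.Name) is $($_.Status)" }
```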

Additional Reading on Remote PowerShell:

Windows PowerShell Remoting – Complete list of commands
http://msdn.microsoft.com/en-us/library/windows/desktop/ee706585(v=vs.85).aspx


Remote Server Administration Tools (RSAT) for Windows

Remote Server Administration Tools for Windows®  includes Server Manager, Microsoft Management Console (MMC) snap-ins, consoles, Windows PowerShell® cmdlets and providers, and some command-line tools for managing roles and features that run on Windows Server 2012 R2.


SCONFIG

For Server Core, you can use the SCONFIG command and choosing Option #4, then choosing Option #1 to Enable Remote Management, or Option #2 to Disable Remote Management.


Additional Reading on WinRM tools

About Windows Remote Management
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384291(v=vs.85).aspx


Remote Desktop

Remote Desktop has been used for a number of years, and it is the most common method to remotely administer a remote machine. To use Remote Desktop, it must be enabled first on the remote computer. To enable Remote Desktop on the full version of Windows Server 2012, perform the following steps:

  1. Open Server Manager.
  2. Click the Local Server node.
  3. Click the “Disabled” status next to Remote Desktop.
  4. The System Properties page appears, focused on the Remote tab.
  5. Under the Remote tab, select one of the following:
     • Don’t allow connections to this computer – the default (disabled).
     • Allow connections to this computer, with the checkbox “Allow connections only from computers running Remote Desktop with Network Level Authentication” – if you check this box, only secure connections from Remote Desktop clients that support network-level authentication are allowed.


You can also enable Remote Desktop on Server Core using the SCONFIG command.
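The same Remote tab settings, read and set from PowerShell as an added example that is not from the original post: it reports whether Remote Desktop is enabled and whether Network Level Authentication is required, and warns on the weak combination. The registry values are the standard Terminal Server ones; the function names are mine.

```powershell
# Added example, not from the original post. The two registry values below are the
# standard ones behind the "Remote" tab; the function names are mine. Run elevated.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpState {
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
    $fw   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
              Where-Object Enabled -eq 'True')
    [pscustomobject]@{
        RemoteDesktopEnabled = ($deny -eq 0)   # 0 = "Allow connections", 1 = "Don't allow"
        NlaRequired          = ($nla -eq 1)    # 1 = NLA checkbox ticked
        FirewallRulesEnabled = ($fw.Count -gt 0)
    }
}

function Enable-RdpWithNla {
    # Equivalent of "Allow connections" plus the NLA checkbox in System Properties
    Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-RdpState
}

$state = Get-RdpState
if ($state.RemoteDesktopEnabled -and -not $state.NlaRequired) {
    Write-Warning 'Remote Desktop is enabled without Network Level Authentication: the logon screen is reachable before authentication.'
}
$state
```

Call Enable-RdpWithNla only on a server where you intend to turn Remote Desktop on; Get-RdpState alone is read-only.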

==================================================================


Ace Fekay

Delegate Permissions for an OU in Active Directory Users and Computers (ADUC) & Create a Custom MMC, or Just Use RSAT

Updated 9/20/2016

Note- this was put together and fast published and there may be errors. Check back for updates when I add RSAT info.

Prologue

Ace here again. Yep, me again. This scenario comes up from time to time. Sure, you can use the RSAT tools, but here is an old-fashioned, tried-and-true method that works nicely so a delegated OU admin can only see and do what they need to do in their OU.

Scope

After you delegate permissions to a limited admin in Active Directory, such as the ability to reset passwords, you may want to create a custom ADUC MMC (console or custom taskpad) for the delegated admin to control the portion of AD (the OU) they are delegated in.

For Windows 2003 AD – but it will work in 2008 and newer

The last time I set this up for a customer, it involved a snap-in for each ‘location’ OU. I allowed it to retain the right-click context and the tree view in the custom console (left pane and right pane), but I removed everything else, including the File menu buttons and such. So under View, Customize, uncheck everything except the top one that says Console Tree. This way they can’t go up a level or click any of the things in there, but they will have the right-click feature.

You can also choose to remove the left hand pane (tree view).

MMC v2 and v3 are the same:

  • Start/run/mmc, hit enter
  • File, Add-Remove Snap-in, Add ADUC
  • Drill down under the domain to the OU you want.
  • Right-click on that OU, choose new window from here.
  • A new window pops up with the OU in the left pane and the contents in the right pane.
  • Close the original ADUC window leaving the new window open that you’ve just created.
  • Expand the window to take up the whole console. – This will keep them in this section and they will not be able to go up levels and are ‘stuck’ in this OU.
  • Select View/Customize
  • Uncheck everything but Console Tree.
  • File/Options Choose Console Mode, then select:

User mode: Limited Access single window
Check: Do not Save Changes to this console
Uncheck: Allow the user to customize views
Save it.

  • Logon as a test user that was delegated permissions and test it.

If you want to eliminate the ability for the delegated admin to right-click on a user account, uncheck the Console Tree above, then change the console view by right-clicking on the OU, choose New Task View, and choose a vertical or horizontal list, then choose to create a new task, menu command, highlight a user account, choose reset password, or anything else in the right column, choose an icon, and finish.

Copy the .MSC file via a UNC connected to the delegated person’s XP workstation’s \Documents and Settings\username\desktop folder, or if Windows Vista or newer, in the C:\users\username\desktop folder.

Keep in mind, the Active Directory Administration Center, RSAT tools or AdminPak tools, depending on what operating system version the client side is, needs to be installed on the workstation for the ADUC binaries to be available for this task pad to work.


For Windows 2003/Windows XP using the AdminPak tools just for the ADUC snap-in, nothing else:

Copy over the following three DLLS from the 2003 or newer DC you are on, to their client’s system32 folder. All three of these are needed on a 2003 DC or newer, or the ADUC won’t open. However, on an XP or newer machine, you only need two. If I were to allow users to change passwords and create a custom MMC for just that OU, then all I need is adprop.dll and dsadmin.dll, otherwise you need all three.

  • adprop.dll (for object properties)
  • dsadmin.dll (ability to alter object properties)
  • dsprop.dll (for object properties related to directory services)

Then you can use PSEXEC (one of the free PsTools from Microsoft Sysinternals) to remotely register the DLLs listed above on their workstation using the regsvr32.exe utility.
Download PsExec v1.98, by Mark Russinovich, Published: April 28, 2009
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

  • psexec \\machinename regsvr32 adprop.dll
  • psexec \\machinename regsvr32 dsadmin.dll
  • psexec \\machinename regsvr32 dsprop.dll

Here are some screenshots at the following link:

Create Taskpads for Active Directory Operations:
http://www.petri.co.il/create_taskpads_for_ad_operations.htm

===============================================

For AD on Windows 2008 and newer:

You can use the ADAC & RSAT Tools, or you can use the above method.
Note: ADAC does not have a feature to break down specific tools to create a custom console as shown above.

For the Active Directory Administration Center and the RSAT tools:

See the related links below for the new AD Admin Center. However, the Admin Center does not have the feature to break down just specific tools to create a custom console as shown above.

Active Directory Administration Center (ADAC):

Active Directory Administrative Center: Getting Started
http://technet.microsoft.com/en-us/library/dd560651(WS.10).aspx

Active Directory Administrative Center —  the New AD interface
http://techibee.com/active-directory/active-directory-administrative-center-a-new-ad-interface-for-win7-and-win-2008/290

Learn New Features in Active Directory Administrative Center
http://www.enterprisenetworkingplanet.com/windows/article.php/3887136/Learn-New-Features-in-Active-Directory-Administrative-Center.htm

Remote Server Administration Tools (RSAT) for Windows operating systems (Discusses how to install it for all versions of Windows)
https://support.microsoft.com/en-us/kb/2693643

Remote Server Administration Tools for Windows 10
https://www.microsoft.com/en-us/download/details.aspx?id=45520

Customizing – Installing Remote Server Administration Tools (RSAT) for Windows 7
http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm

Remotely managing your Server Core using RSAT
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/04/27/remotely-managing-your-server-core-using-rsat.aspx
==================================================================

Summary

I hope this helps!

Last updated – 2/2006, updated 9/20/2016

Ace Fekay

Dynamic DNS Updates & How to Get it to Work with DHCP, Scavenging, Static Entries & their Timestamps, the DnsUpdateProxy Group, and DHCP Name Protection

Posted on August 13, 2016 by Ace Fekay

It’s me again. I originally posted this in 4/2006 and have updated it throughout the years, but I still get questions from time to time asking why updates are not working, especially PTR. Well, I thought it’s time for an update and to offer a summary at the beginning, because in this day and age, no one wants to read! A quick Facebook-style read of the first line and a click on “Like” seems to be the norm. I will also offer the nitty gritty below the summary for those who want to read.

Topics Covered:

  1. Preface: The entity that registers the record into DNS, owns the record
  2. Summary: How to configure DHCP & Dynamic DNS Updates
  3. Scavenging Defined
  4. DNS Timestamp and Scavenging (and info on the dnsTombstoned Attribute)
  5. Scavenging Refresh & NoRefresh Settings must be less than the DHCP Lease Period
  6. DHCP Conflict Detection
  7. DHCP Lease has a “pen” or “pencil” Icon
  8. Records & timestamps, and the lack of timestamps
  9. Related Links

    Preface:

    Dynamic DNS Update Basics:

    This is the part that many do not understand. Please read thoroughly before asking me why your PTR updates don’t work.

    1. By default, ALL statically configured Windows 2000 and newer machines will register their own A record (hostname) and PTR (reverse entry) into DNS.

    Yep. That’s the basic rule. And yea, I had to state Windows 2000 and newer, because this stuff doesn’t apply to older Windows versions.

    2. If set to DHCP, a Windows 2000, 2003 or XP machine, will request DHCP to allow the machine itself to register its own A (forward entry) record.

    But DHCP will register its PTR (reverse entry) record.

    3. For Windows 2008/Vista, 2008 R2, Windows 2012 R2, Windows 7, 8, 8.1, 10, and all future releases, the DHCP server always registers and updates client information in DNS.

    Note: “This is a modified configuration supported for DHCP servers running Windows Server 2008 and DHCP clients. In this mode, the DHCP server always performs updates of the client’s FQDN, leased IP address information, and both its host (A) and pointer (PTR) resource records, regardless of whether the client has requested to perform its own updates.”
    http://technet.microsoft.com/en-us/library/dd145315(v=WS.10).aspx

    4. The entity that registers the record in DNS, owns the record.

    Note: “With secure dynamic update, only the computers and users you specify in an ACL can create or modify dnsNode objects within the zone.

    By default, the ACL gives Create permission to all members of the Authenticated Users group, the group of all authenticated computers and users in an Active Directory forest. This means that any authenticated user or computer can create a new object in the zone.

    Also by default, the creator owns the new object and is given full control of it.”

    Secure Dynamic Update
    http://technet.microsoft.com/en-us/library/cc961412.aspx

    Reference:

    Updating DNS Resource Records
    https://technet.microsoft.com/en-us/library/ff631099%28v=ws.10%29.aspx

    How to configure DNS dynamic updates in Windows Server 2003.
    http://support.microsoft.com/kb/816592

    Using DNS servers with DHCP (Contains information on the DnsUpdateProxy group and its usage)
    http://technet.microsoft.com/en-us/library/cc787034(WS.10).aspx

    ===============================================================

    Summary: How to configure DHCP & Dynamic DNS Updates

    1. Configure DHCP Credentials.

       The credentials only need to be a plain-Jane, non-administrator, user account.
       But give it a really, REALLY strong password.

    2. Set DHCP to update everything, whether the clients can or cannot.

    3. Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.

    4. Add the DHCP server(s) computer account to the Active Directory,  Built-In DnsUpdateProxy security group.

       Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group.
       For example, some folks believe that DNS servers or other DCs that are not running DHCP should be in it.
       They must be removed or it won’t work.
       Make sure that NO user accounts are in that group, either.
       (I hope that’s crystal clear – you would be surprised on the number of responses I get asking if the DHCP credentials should be in this group.)

    5. On Windows 2008 R2 or newer, DISABLE Name Protection.

    6. If DHCP is co-located on a Windows 2008 R2, Windows 2012 R2, and all future Windows versions Domain Controllers:

       You must secure the DnsUpdateProxy group by running the following command:
       dnscmd /config /OpenAclOnProxyUpdates 0

    7. Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway.

    8. Set the scavenging NOREFRESH and REFRESH values so that, combined, they are equal to or less than the DHCP lease length.

    Just to be crystal clear, this means that if the lease is an 8 day lease, then NOREFRESH should be 4 (four) and REFRESH should be 4 (four), so when you add them together they are not greater than the lease length.

    ===============================================================

    Caveat with the DHCP service out-of-the-box configuration

    The goal is to keep DNS clean without duplicate records.

    When a client shuts down and later returns after the lease time has passed, it may get a different IP address. With the default settings, a duplicate A record gets registered by DHCP with the client’s new IP. This is because the client will not update the existing record itself once it is beyond the lease period, and DHCP cannot update it either: the client owns the record, not DHCP, even though DHCP registered it.

    DHCP Option 081:

    The way around this is to configure DHCP’s Option 081 to update the record for all clients, whether the client asks or not. To configure DHCP Option 081, look at the DHCP server properties, under the DNS tab. Despite it being a DHCP option, it’s not found among the DHCP server, scope or class options.
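To see the ownership problem described above on a real zone, here is an added example (not from the original post) that lists each A record in an AD-integrated zone with its aging timestamp and the security principal that owns the dnsNode object, i.e. the entity that registered it, and then flags hosts that have more than one A record. The zone and server names are placeholders and the function name is mine.

```powershell
# Added example, not from the original post: who owns each A record, and which hosts are
# duplicated. Zone/server names are placeholders; the function name is mine.
Import-Module DnsServer, ActiveDirectory
$zone = 'example.com'
$dns  = 'DC1'

function Get-DnsRecordOwnership {
    param([string]$ZoneName, [string]$DnsServer)
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
        Where-Object { $_.DistinguishedName } |        # only records backed by an AD dnsNode object
        ForEach-Object {
            # The dnsNode's owner is whoever registered it: CLIENT$ or the DHCP credential account
            $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
            [pscustomobject]@{
                Host      = $_.HostName
                IP        = $_.RecordData.IPv4Address.IPAddressToString
                Timestamp = $_.Timestamp               # $null = static record, never scavenged
                Owner     = $acl.Owner
            }
        }
}

$records = Get-DnsRecordOwnership -ZoneName $zone -DnsServer $dns
$records | Sort-Object Host | Format-Table -AutoSize

# A host with two A records is the stale client-owned entry plus the new DHCP-registered one
$records | Group-Object -Property Host | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("{0}: {1} A records, owners: {2}" -f $_.Name, $_.Count,
        (($_.Group.Owner | Sort-Object -Unique) -join ', '))
}
```

Records owned by individual computer accounts are the ones DHCP will not be able to update later; those are the ones to clean up by hand before switching DHCP to register everything.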

    Overview to make this work:

    • DHCP must own the record, not the client. This is done by configuring DHCP to register all DHCP clients, whether the client supports Dynamic Updates or not.
      • As long as DHCP owns the record, it can keep the records in the FLZ and RLZ up to date when the client renews its lease, with the same IP or a different IP.
      • Otherwise you’ll see duplicate A and PTR records in DNS, whether scavenging is enabled or not.
    • Configure DHCP credentials by creating a plain-Jane Domain User account. It doesn’t have to be an administrator account.
    • Add the DHCP Server object in Active Directory to the DnsUpdateProxy group.
    • In addition, I suggest enabling DNS scavenging to remove stale records, which will keep the zone clean.

    How do we configure DHCP for this to work??

    Summary to Configure Credentials and add the DHCP server to the DnsUpdateProxy group.

    Windows 2008 R2 or newer:

    You have a new feature to prevent name squatting, DHCP Name Protection, but you still need to configure credentials and add the server to the DnsUpdateProxy group.

    1. Add the DHCP server to the Active Directory, Built-In DnsUpdateProxy security group.
    2. Configure DHCP Credentials.
    3. Configure Name Protection.
    4. If DHCP is co-located on a Windows 2008 R2 DC, you must secure the DnsUpdateProxy group by running the following:
       dnscmd /config /OpenAclOnProxyUpdates 0

    Note: Configuring DHCP credentials AND using the DnsUpdateProxy group, and forcing DHCP to update all records, will also allow DHCP to register Win9x machines, as well as non-Windows machines, such as Linux, OS X (BIND based) and other Unix flavors, and update the records when they are renewed with a different IP.

    Scroll down to the Name Protection section for more specifics and references.

    For Windows 2008 and older:

    To force DHCP to own and control all records it updates into the DNS zone, there are two parts of the procedure:

    1. Add the DHCP server to the Active Directory, Built-In DnsUpdateProxy security group.
    2. Configure DHCP Credentials.


    Step by Step procedure:

    Step 1: To add the DHCP server’s computer account to the DnsUpdateProxy group

      • In ADUC, add the DHCP server’s computer account to the DnsUpdateProxy security group.

        • In ADUC, click on the Built-In container.
        • Scroll down to the DnsUpdateProxy group.
        • Right-click DnsUpdateProxy group, choose properties
        • Click ADD –  make sure that the search criteria is set to look for computer objects,
        • Either type in the DHCP server’s name and click Check Name or click on Advanced, then click on FIND, and scroll down to the DHCP server name.
        • Once you see the DHCP server’s computer object, highlight it
        • Click OK.

    Step 2: Force DHCP to register all records, Forward and PTR, whether a client machine can do it or not:

    See screenshots below to configure the Option 081 settings under DHCP properties, DNS tab

    Step 3: Configure other DHCP Options as needed

    Suggested basic DHCP options:

    • Set the Connection Specific Suffix DHCP Option 015 to the AD domain name (such as example.com).
    • Set Option 006 to only the internal DNS servers.
    • Option 003 to your router

    Step 4: Configure the zone for Secure Updates Only:

    Credentials and the DnsUpdateProxy group will be used to register them.

    Step 5: Configure DHCP Credentials. Note – you can do this on 2008 R2 and newer, if you chose not to use .    

        • In AD, create and configure a dedicated Domain User account to use as credentials in DHCP.
        • The user account does not need any elevated rights, a normal user account is fine.
        • Choose a very strong password.
        • Set the password so it does not expire.

    Then configure DHCP with the credentials you created:

    For Windows 2003:

    • Open the DHCP console
    • Right-click the DHCP server name
    • Choose Properties
    • Click the Credentials button
    • Provide the account’s credentials

    In Windows 2008 and 2008 R2:

    • Select IP Scope
    • Choose Properties
    • Select the Advanced tab
    • Click the Credentials button
    • Provide the account’s credentials.

    For Windows 2000:

    • It must be done with the Netsh command. Windows 2003 and newer can also be done with the Netsh command, if you desire.


    Note and warning about using the DnsUpdateProxy group on a DC:

    • We normally shy away from adding a DC to the DnsUpdateProxy group, as it weakens security, including that of the DC’s own records, if DHCP is on a DC. However, in many cases, there’s not much of a choice.
    • Windows 2008 R2 and newer gives you the option to use the DHCP Name Protection feature, but as stated above, you still need to configure credentials and add the server to the DnsUpdateProxy group.
    • When DHCP is running on a Windows 2008 R2 domain controller, you must secure the DnsUpdateProxy group by running the following:
      dnscmd /config /OpenAclOnProxyUpdates 0
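The configuration summary (steps 1 to 8) and the step-by-step procedure above, carried out with the DhcpServer, DnsServer and ActiveDirectory PowerShell modules, as an added example that is not part of the original post. It assumes Windows Server 2012 R2 (or RSAT) run on the DNS server that will scavenge; the server name DHCP1, the zone example.com and the function name are placeholders.

```powershell
# Added example, not from the original post: steps 1-8 of the summary above in PowerShell.
# Assumes Windows Server 2012 R2 modules; run on the single DNS server that will scavenge.
# DHCP1, example.com and the function name are placeholders.
Import-Module DhcpServer, DnsServer, ActiveDirectory
$dhcpServer = 'DHCP1'
$zone       = 'example.com'

# Step 1: a plain, non-admin domain user as the DHCP DNS-update credential
$cred = Get-Credential -Message 'Dedicated DHCP DNS-update account (plain domain user, strong password)'
Set-DhcpServerDnsCredential -ComputerName $dhcpServer -Credential $cred

# Step 2 (Option 081 / DNS tab): register A and PTR for every client whether it asks or not,
# remove them when the lease expires. Step 5: Name Protection off, as the post recommends.
Set-DhcpServerv4DnsSetting -ComputerName $dhcpServer -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true -DeleteDnsRROnLeaseExpiry $true -NameProtection $false

# Step 4: only the DHCP server's computer account belongs in DnsUpdateProxy
$members = @(Get-ADGroupMember -Identity 'DnsUpdateProxy')
if ($members.SamAccountName -notcontains "$dhcpServer$") {
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer -Identity $dhcpServer)
}
$strays = $members | Where-Object { $_.objectClass -ne 'computer' -or $_.name -ne $dhcpServer }
if ($strays) { Write-Warning ('Remove from DnsUpdateProxy: ' + ($strays.name -join ', ')) }

# Step 6: DHCP co-located on a DC -> close the open ACL on proxy-registered records
$role = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $dhcpServer).DomainRole
if ($role -ge 4) {   # DomainRole 4 = backup DC, 5 = primary DC
    dnscmd $dhcpServer /config /OpenAclOnProxyUpdates 0
}

# Steps 7 and 8: aging on the zone, scavenging on this one server, and
# NoRefresh + Refresh not greater than the longest lease (8-day lease -> 4 + 4 days)
function Test-ScavengingWindow {
    param([TimeSpan]$NoRefresh, [TimeSpan]$Refresh, [TimeSpan]$Lease)
    ($NoRefresh + $Refresh) -le $Lease
}
$lease = (Get-DhcpServerv4Scope -ComputerName $dhcpServer |
          Sort-Object -Property LeaseDuration -Descending | Select-Object -First 1).LeaseDuration
$half  = [TimeSpan]::FromTicks([long]($lease.Ticks / 2))
if (-not (Test-ScavengingWindow -NoRefresh $half -Refresh $half -Lease $lease)) {
    throw "Scavenging window $half + $half exceeds the lease length $lease"
}
Set-DnsServerZoneAging -Name $zone -Aging $true -NoRefreshInterval $half -RefreshInterval $half
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00
```

Test-ScavengingWindow is the check from step 8 in reusable form; with mixed lease lengths it is evaluated against the longest scope lease so that no scope is scavenged early.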


    Note on older, pre-existing records in DNS:

    After configuring the above procedure, the credentials and DnsUpdateProxy group configuration will not update current records or delete duplicate records. You must delete them manually to allow DHCP to take care of all new records moving forward.

    It will also alleviate another issue: if DHCP is on a DC, it will not overwrite the original host record for a machine getting a new lease with an IP previously belonging to another host.

    If there is a problem with PTRs getting updated even after configuring credentials, please see this article:

    DHCP server processes expired PTR resource records in Windows Server 2003
    http://support.microsoft.com/kb/837061

    Step by step screenshots for Windows 2003 and for Windows 2008 & Windows 2008 R2 (images not reproduced here).

    DHCP Name Protection

    If you have Windows 2008 R2 or Windows 2012 R2, in addition to configuring the DNS tab to force registration, you still must configure credentials and add the server to the DnsUpdateProxy group. If DHCP is on a Windows 2008 R2 DC, to protect the DC when using the DnsUpdateProxy group, you must secure the group by running:

    dnscmd /config /OpenAclOnProxyUpdates 0

    With DHCP Name Protection, DHCP registers the A and PTR records on behalf of a client and prevents name squatting, that is, a (non-Windows) workstation registering a name that DHCP has already registered for another client (Windows or non-Windows). DHCP will still give the duplicate-named client an IP, but it will not register it in DNS.

    Quoted from the following link:

    “Name squatting occurs when a non-Windows-based computer registers in Domain Name System (DNS) with a name that is already registered to a computer running a Windows® operating system. The use of Name Protection in the Windows Server® 2008 R2 operating system prevents name squatting by non-Windows-based computers. Name squatting does not present a problem on a homogeneous Windows network where Active Directory® Domain Services (AD DS) can be used to reserve a name for a single user or computer.”

    DHCP Step-by-Step Guide: Demonstrate DHCP Name Protection
    http://technet.microsoft.com/en-us/library/ee404786(v=ws.10).aspx

    Configuring DHCP Name Protection
    http://technet.microsoft.com/en-us/library/dd759188.aspx

    DHCP: The DNSupdateproxy group must be secured if Name Protection is enabled on any IPv4 scope
    http://technet.microsoft.com/en-us/library/ee941099(WS.10).aspx

    DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server
    http://technet.microsoft.com/en-us/library/ee941099(WS.10).aspx


    To configure Name Protection:

    • Right-click IPv4, choose Properties
    • Click on the DNS tab
    • Click “Configure”
    • Check the box, “Enable Name Protection”

    You can optionally select it on IPv6, too. No harm done, whether you have IPv6 scopes or not.


    You will notice that once you enable it:

    • Except for the “Enable DNS Dynamic Updates according to the settings below” checkbox, everything else under the DNS tab will be grayed out.
      • This is because the Name Protection feature takes over these functions, and will force register everything, so these settings are no longer used.
    • If you have multiple IPv4 scopes, once set at the IPv4 level, it will apply to all IPv4 scopes.
      • If you don’t want it to apply to all scopes, you can selectively disable the setting under each scope, or don’t enable it at the IPv4 level, and selectively enable it on a per scope basis.
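    As an added example (not code from the original post), here is the same credential and Name Protection configuration done with the DhcpServer PowerShell module that ships with Windows Server 2012 and newer, including the per-scope opt-out described above. The server name DHCP01, the service account prompted for, and the excluded scope 10.10.50.0 are assumptions.

```powershell
# Added example, not from the original post. Assumptions: DHCP server DHCP01,
# a dedicated DNS-update account entered at the prompt, and scope 10.10.50.0
# as the one scope you want to leave without Name Protection.
Import-Module DhcpServer

$DhcpServer    = 'DHCP01'                    # assumed server name
$ExcludedScope = [ipaddress]'10.10.50.0'     # assumed scope to opt out

# 1. Give DHCP its own low-privilege account for dynamic updates so DHCP,
#    not the client, owns every record it registers. Prompt for the password
#    instead of embedding it in the script.
$cred = Get-Credential -Message 'Account DHCP uses for DNS dynamic updates'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# 2. Server-level (IPv4) DNS settings: always register A and PTR on behalf of
#    the client, delete them when the lease expires, update records even for
#    clients that do not ask for it, and turn on Name Protection.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true `
    -NameProtection $true

# 3. Name Protection set at the IPv4 level flows down to every scope; opt a
#    single scope back out if it must keep the old behaviour.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ExcludedScope -NameProtection $false

# 4. If this DHCP server is a domain controller that is also a member of
#    DnsUpdateProxy, tighten the ACL on records created through that group.
#    This is the dnscmd command the post gives; run it on the DC/DNS server.
dnscmd /config /OpenAclOnProxyUpdates 0

# 5. Verify: the server-wide setting and each scope's effective setting.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
Get-DhcpServerv4Scope -ComputerName $DhcpServer | ForEach-Object {
    $s = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $_.ScopeId
    [pscustomobject]@{
        ScopeId        = $_.ScopeId
        NameProtection = $s.NameProtection
        DynamicUpdates = $s.DynamicUpdates
    }
}
```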

    Here’s a screenshot of where to enable it: [screenshot]

    Screenshot of the DNS tab (which is actually Option 081), which grays out because Name Protection took over these functions: [screenshot]


    Back to top of page>

    =================================================================

    Scavenging Defined

    Misconceptions about Scavenging

    There are some misconceptions prompting fears that scavenging will remove everything in your zone, including servers. Please understand, the main thing that scavenging works on is the timestamp. If there is no timestamp, such as on a manually created, static record, it will not get scavenged. Also, if all servers, including DCs, are automatically updating their own records, then there is no fear of losing their records, because, for one, their records (timestamps) are current, so scavenging won’t touch them, and two, Windows Servers by default update their records every 24 hours, with the exception of domain controllers, which update every 60 minutes. Therefore, even if these records were to be scavenged, assuming the time stamp were ever reached, the machines will re-register themselves anyway!

    DNS Update Interval is based on Operating System and Windows Server Role:

    By default, statically configured clients and remote access clients that do not rely on the DHCP server for DNS registration, will re-register their A & PTR records dynamically and periodically every 24 hours. This applies to Windows 2000 Professional and all newer operating systems.
    For domain controllers, due to the importance of keeping up to date and accurate SRV and other records, the Netlogon service will attempt to update these records every 60 minutes.
    By default, on a computer that is running Windows XP/2003 or newer, the DefaultRegistrationRefreshInterval key value controls this (except Windows 2000, which does not have this key, but it can be added), and it is set by default to 1 day. This is true regardless of whether the computer is a client or a server, except for domain controllers, which update every 60 minutes.
    You can use the following registry subkey to modify the update interval:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
    Data type: REG_DWORD
    Range: 0x0 – 0xFFFFFFFF seconds
    Default value: 0x15180 (86,400 seconds = 24 hours) for Windows 2000 Professional
    Default value: 0xE10 (3,600 seconds = 1 hour) for Windows 2000 Server and Windows Advanced Server
    Scope: Affects all adapters
    This specifies the time interval between DNS update registration updates.
    The default Time To Live (TTL) value used for dynamic registrations is 20 minutes. You can use the following registry subkey to modify the TTL value:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultRegistrationTTL


    In Summary:

    • Scavenging is a feature that will remove expired records based on their Timestamps.
    • Scavenging is not enabled by default.
    • Scavenging will NOT remove statically configured records, the ones you manually create, unless you run dnscmd /AgeAllRecords, which will stamp them, making them eligible for scavenging (more below on this). Without running this command, DNS will scavenge only dynamically updated records that have reached their time stamp. To look at the time stamp of a record using Windows 2003 DNS, set the DNS console “View” menu to Advanced View, then look at the individual record properties, and you will see the time stamp. If using Windows 2008 or newer, it will show up in the console as a separate column.


    Scavenge Refresh and No Refresh vs DHCP Lease period

    Scavenging Refresh and No Refresh settings must be equal to or less than the lease period. For example, using the default DHCP lease period of 8 days with a 7-day scavenge setting is perfect. If you lower the lease, you need to lower the scavenge settings. If you are using a 4 hour lease, well, that’s a tough one, because the lowest you can go with scavenging is 1 day, and that may provide inconsistent results.

    And please bear in mind, as already stated, scavenging will not remove statically configured records (the ones you’ve manually created). It will scavenge dynamically updated records that have reached their time stamp. However, if you run dnscmd /AgeAllRecords, it will timestamp all records, making them eligible for scavenging. More on this in the next section, Static Records.

    To set aging and scavenging properties for a DNS server using the DNS Console:

    1. In the DNS console, right-click the DNS server name, and choose “Set Aging/Scavenging for All Zones.”
    2. Select the Scavenge stale resource records check box.
    3. You can now either choose to set Scavenging for all zones, or choose No, and manually set each zone individually. I suggest setting it for all zones.
    4. It’s recommended to go with the defaults of 7 days. If you choose to change it, it should reflect and stay in line with DHCP’s lease times. Now, I’ve never found anything specific stating this, but keeping the scavenge setting at the lease minus one day ensures that a record is deleted one day before lease renewal if that record is actually not in use by a client and has expired. If still in use, it will go through the scavenging refresh period and scavenge lifetime until the next expiration time.
    5. Once you’ve set scavenging, all records that have a time stamp will be aged and will get scavenged. This does not include static records, because static records do not have a time stamp.

    Example of a dynamically created record: [screenshot]

    Static Records:

    Static records will not get scavenged, since they have a 0 time stamp. When viewing a static record, it will show as the following: [screenshot]

    However, regarding static records, if you force aging of all records using dnscmd /AgeAllRecords, and the “Delete the record when it becomes stale” box was checked at the time the record was created, it will set a TimeStamp on it, which will make it eligible for scavenging. Therefore, if you have any static records (host, CNAME, etc.), they will get scavenged, and I advise you to take inventory of your static entries if you run this command. I would suggest not to, and just allow scavenging to take its time to do its thing. Be PATIENT!!!!

    You MUST BE PATIENT!!

    Rough formula to go by: NoRefresh + Refresh * 2 + the point in time during the 3 day scavenge period.

    Here’s a chart showing when events occur with a 3-day NoRefresh, 3-day Refresh, and 3-day Scavenging period. (Graphics from Don’t Be Afraid of Scavenging. You must be patient):

    If you look at the chart, based on scavenging settings of a 3 day NoRefresh and 3 day Refresh, the record becomes eligible for scavenging the day after these two pass, so it will be the 7th day. Then it waits for the next scavenge cycle (I kind of call it the garbage collection point), which is somewhere within the next 72 hours (based on the NoRefresh). So based on this chart, starting at 1/1/2008, the record becomes eligible on 1/7/2008, then it’s deleted (scavenged), in this case, on 1/10/2008 at 6am during the next 72 hour scavenge cycle. The 72 hour scavenge cycle in this case is based on the 3-day scavenge setting.

    That was a total of about 10-11 days, but it could have happened, as you can see in the chart, anytime between the 10th day and the 14th day.

    [image: scavenging timeline chart]

    If you choose the default 7 day setting, it may take up to 4 weeks + 1 day (29 days) for scavenging to take place.
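    As an added example (not code from the original post or from Josh Jones’ blog), here is a small helper that turns the NoRefresh, Refresh and Scavenging Period settings into concrete dates for one record, using the two rules this section gives: a record is eligible once NoRefresh + Refresh have passed since its timestamp, and it is actually deleted on the first scavenging run after that, where runs occur every Scavenging Period after the newest Event ID 2501/2502. It also flags NoRefresh/Refresh values that exceed the DHCP lease. The function and parameter names, the sample record timestamp and the server name DNS01 are assumptions.

```powershell
# Added example, not from the original post. Function name, parameters and
# sample values are constructed for illustration.
function Get-DnsScavengeTimeline {
    param(
        [Parameter(Mandatory)] [datetime] $RecordTimestamp,   # timestamp shown in the DNS console
        [Parameter(Mandatory)] [datetime] $LastScavengeEvent, # newest Event ID 2501/2502 on the scavenging server
        [timespan] $NoRefresh        = (New-TimeSpan -Days 7),
        [timespan] $Refresh          = (New-TimeSpan -Days 7),
        [timespan] $ScavengingPeriod = (New-TimeSpan -Days 7),
        [timespan] $DhcpLease        = (New-TimeSpan -Days 8)
    )

    $warnings = @()
    # Post's rule: NoRefresh and Refresh must be <= the DHCP lease period.
    if ($NoRefresh -gt $DhcpLease -or $Refresh -gt $DhcpLease) {
        $warnings += "NoRefresh ($NoRefresh) or Refresh ($Refresh) exceeds the DHCP lease ($DhcpLease); expect inconsistent results."
    }
    # The DNS server does not accept intervals shorter than 1 day.
    if ($NoRefresh.TotalDays -lt 1 -or $Refresh.TotalDays -lt 1) {
        $warnings += 'NoRefresh and Refresh cannot be set below 1 day.'
    }

    # Eligible for scavenging once both intervals have elapsed.
    $eligibleOn = $RecordTimestamp + $NoRefresh + $Refresh

    # Scavenging runs at LastScavengeEvent + n * ScavengingPeriod; the record
    # goes on the first run at or after it became eligible.
    $nextRun = $LastScavengeEvent
    while ($nextRun -lt $eligibleOn) { $nextRun += $ScavengingPeriod }

    [pscustomobject]@{
        RecordTimestamp      = $RecordTimestamp
        EligibleOn           = $eligibleOn
        DeletedNoEarlierThan = $eligibleOn
        DeletedNoLaterThan   = $eligibleOn + $ScavengingPeriod
        ExpectedScavengeRun  = $nextRun
        Warnings             = $warnings
    }
}

# Constructed sample in the spirit of the 3/3/3 chart above: record stamped
# 1/1/2008 08:00, newest 2501/2502 event on the scavenging server at 1/1/2008
# 06:00. Eligible 1/7/2008 08:00; runs fall on 1/4 and 1/7 at 06:00 (too early)
# and 1/10/2008 06:00, which is when the record is deleted.
Get-DnsScavengeTimeline -RecordTimestamp '2008-01-01 08:00' -LastScavengeEvent '2008-01-01 06:00' `
    -NoRefresh (New-TimeSpan -Days 3) -Refresh (New-TimeSpan -Days 3) `
    -ScavengingPeriod (New-TimeSpan -Days 3) -DhcpLease (New-TimeSpan -Days 8)

# On a live server (DnsServer module, Windows Server 2012+), take the inputs
# from the server itself: its aging settings and the newest 2501/2502 event.
$DnsServer = 'DNS01'   # assumed name of the one server set to scavenge
$scav      = Get-DnsServerScavenging -ComputerName $DnsServer
$lastEvent = Get-WinEvent -ComputerName $DnsServer -MaxEvents 1 `
    -FilterHashtable @{ LogName = 'DNS Server'; Id = 2501, 2502 }
Get-DnsScavengeTimeline -RecordTimestamp '2016-08-01 09:00' -LastScavengeEvent $lastEvent.TimeCreated `
    -NoRefresh $scav.NoRefreshInterval -Refresh $scav.RefreshInterval `
    -ScavengingPeriod $scav.ScavengingInterval
```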


    AD Integrated zones – Where do you set it? – Enable it only on one server, and the timestamp will replicate with AD replication

    In summary, when using AD integrated zones, you just enable scavenging on one server, and the time stamp will replicate to the other servers with the normal AD replication process. When AD integrated zones are involved, DNS uses an additional mechanism to control replication of the record’s time stamp through the dnsTombstoned attribute.

    In addition, regarding enabling it on one server, Josh Jones [MSFT] quotes (in his blog, “Don’t be afraid of DNS Scavenging” ):

    “Although you can set every server hosting the zone to scavenge I recommend just having one. The logic for this is simple: If the one server fails to scavenge the world won’t end. You’ll have one place to look for the culprit and one set of logs to check. If on the other hand you have many servers set to scavenge you have many logs to check if scavenging fails. Worse yet, if things start disappearing unexpectedly you don’t want to go hopping from server to server looking for 2501 events.”

    For more specifics, and to not duplicate Josh Jones’ efforts, please read his blog for specific info – “Don’t be afraid of DNS Scavenging”

    Don’t be afraid of DNS Scavenging, Josh Jones [MSFT], 19 Mar 2008 6:49 PM
    http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx


    AD Integrated Zones and Scavenging – How does it do it? It uses the AD attribute called, “dnsTombstoned”

    Good article by Guy Teverovsky [MSFT], explaining how AD handles scavenging with records in an AD integrated zone, as well as what happens if, say, a machine whose record is marked as dnsTombstoned is reinstalled, which gives it a new SID, and how it can’t update the original record – the original host record is not removed immediately:

    DNS Scavenging internals (or what is the dnsTombstoned attribute) for AD Integrated zones, by Guy Teverovsky [MSFT], 23 Sep 2010
    http://blogs.technet.com/b/isrpfeplat/archive/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones-dstombstoneinterval-dnstombstoned.aspx


    Other articles on Scavenging:

    Optimizing your network to keep your DNS squeaky clean
    http://blogs.technet.com/b/networking/archive/2009/02/09/optimizing-your-network-to-keep-your-dns-squeaky-clean.aspx


    Enable Scavenging Screenshots

    Screenshots showing enabling scavenging with the default 7 Day NoRefresh and 7 Day Refresh. Note that scavenging will not kick in until 1 day after these two periods combined, meaning 15 days later. Also notice that after I enabled them and ran dnscmd /AgeAllRecords, the static records still didn’t show as stamped. Eventually they will. That’s the “being patient” part.

    1. Set Aging/Scavenging for all zones
    https://qis15w.sn2.livefilestore.com/y1pK2oaDPwDuWcOKuruFE_mG60DX_JdOD9PUVuj8YEvK9bo-HK1WMPfHg3_smfglSU6RuKpxkxvZkP1mgb0AFJD_WZ-yUEOo6np/1.%20Set%20Aging-Scavenging%20for%20all%20zones.jpg?psid=1

    2. Using default 7 day scavenge settings
    https://qis15w.sn2.livefilestore.com/y1pjeNJXBaiplqSW8EK6KEbWLD7awc19PpsNJEF6S5456DDriVTJUvCAsIH6EbpHb6zu3at6n2jZVN9BuOMVbNZdJQCCzFYi5I8/2.%20Using%20default%207%20day%20scavenge%20settings.jpg?psid=1

    3. Chose to apply this to all AD integrated zones
    https://qis15w.sn2.livefilestore.com/y1pBwESri4t7Ru2PHdykn2_lJm6yxE_QejQVUZP1ROdPqEnd6KenfqyHrYAtU8Vori8WyElUTu_3AjAPe6egZIyK6FuO_yRlJU8/3.%20Chose%20to%20apply%20this%20to%20all%20AD%20integrated%20zones.jpg?psid=1

    4. You can see when scavenging will kick in – 1 day after the 7 day No-refresh and 7 day Refresh period
    https://qis15w.sn2.livefilestore.com/y1pXZk5kHkkl6EvfrcSprvdxp80i2WdPYaOy5M6uo98Gj5t1Heop_AR2cWXXaCof3yxQ6ORbxUBVAT1C_iDc9hUuymzdwZy2psz/4.%20%20You%20can%20see%20when%20scavenging%20will%20kick%20in%20-%201%20day%20after%20the%207%20day%20No-refresh%20and%207%20day%20Refresh%20period.jpg?psid=1

    5. Set aging on contoso.com zone
    https://qis15w.sn2.livefilestore.com/y1pZdhGtBL_KWnpNMUTcSDkQWF21Ws8y_pkGvfQIZIp4GrHesAv-vl2uyrIhMu2MYm-3SyBa566R_ymHa9ja_ORyEce-cd2U09U/5.%20Set%20aging%20on%20contoso.com%20zone.jpg?psid=1

    6. DNS Server Properties, Advanced Tab, checked Enable Automatic Scavenging of stale records. This basically turns it on.
    https://qis15w.sn2.livefilestore.com/y1pkkRp01cx-ArzkC6hZ9SW1L2QwKOYK6lWRN5hE0NywrwCKD4a3fNTiwKuWLDIAoM9x0pCK3Z1b5tEZYVICF9qOoSecKMytReK/6.%20DNS%20Server%20Properties%2C%20Advanced%20Tab%2C%20Checked%20Enable%20Automatic%20Scavenging%20of%20stale%20records.%20This%20basically%20turns%20it%20on.jpg?psid=1

    7. Ran dnscmd /AgeAllRecords
    https://qis15w.sn2.livefilestore.com/y1pInNfBbD8vssqF85PS8-Sgg-60yXVzmxA910iEz_yS2NlY5b8rRUJrr-KlP9dO79XdRksQvHmlrFCNz4FRWAjZmUDNjmguTq9/7.%20Ran%20dnscmd%20ageallrecords.jpg?psid=1

    Note of Caution: The only problem with running this command is that it will timestamp all static records, making them eligible for scavenging. Therefore, you may NOT want to do this.

    8. Restarted DNS, although this is not necessary
    https://qis15w.sn2.livefilestore.com/y1pPWlVIC7sDUQkjxinOJhT0nEGJRi4Y_Gctkg_inp2g3ZiMJMSLM16uz_e7GQPEJ7zFqnx2T03n0eRnyZuF8m3Dudp0kdAPQfG/8.%20Restarted%20DNS%20%20although%20this%20is%20not%20necessary.jpg?psid=1

    9. NYC-DC1 still shows as static
    https://qis15w.sn2.livefilestore.com/y1pD3XxvDENwxCwEzOVPbngly9Hb29y3Dq1esQItYpXWif5wiBfdBDn19r-O1lGYzGYApi8gEjCb83BvJP9JRXCCXeW-tjzTZUQ/9.%20NYC-DC1%20still%20shows%20as%20static.jpg?psid=1

    Note on the screenshot below (quoted from Don’t Be Afraid of Scavenging. You must be patient):
    “The Scavenging Period is how often this particular server will attempt to scavenge. When a server scavenges it will log a DNS event 2501 to indicate how many records were scavenged. An event 2502 will be logged if no records were scavenged. Only one server is required to scavenge since the zone data is replicated to all servers hosting the zone.

    Tip: You can tell exactly when a server will attempt to scavenge by taking the timestamp on the most recent EventID 2501 & Event ID 2502 events and adding the Scavenging period to it.”

    Image from: http://blogs.technet.com/blogfiles/networking/WindowsLiveWriter/DNSscavengingiseasy.Havingpatienceishar_C6E0/image_14.png


    Moral of the story: Be Patient!!

    Back to top of page>

    =================================================================

     

    DNS Time stamp and Scavenging

    If the record was manually created, it won’t show a time stamp, however, if the record was dynamically registered, it will show a time stamp. If you manually create a record, the checkbox will not be checked to scavenge, however if it was dynamically registered, it will be checked.
    As for the server entries (such as from a DC), if you allow auto registration, which is done by default, and a record gets scavenged, it gets re-registered anyway by the DC’s Netlogon service (for the SRV, LdapIpAddress and GcIpAddress records) and the operating system (for the A and PTR records). Unless you are seeing something going on that is affecting your environment, the default settings work fine; at least they do for me across all of the customer installations where I’ve set scavenging and forced DHCP to own the records, so it can update the records it registered at lease refresh time.

    Regarding the Active Directory dnsTombstoned Attribute

    DNS Scavenging internals (or what is the dnsTombstoned attribute) for AD Integrated zones
    Discuss the internal processing of DNS Scavenging.
    http://blogs.technet.com/b/isrpfeplat/archive/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones-dstombstoneinterval-dnstombstoned.aspx

    dnsTombstoned Records clean-up:
    Every day at 2AM (non-configurable) the DNS server scans all DNS integrated zones in AD and determines whether the tombstoned record is ready to be deleted. The default retention time of the tombstoned records is 7 days. This value can be changed with the DsTombstoneInterval value (dnscmd w2k8r2dc01 /config /DsTombstoneInterval value) or by editing the registry under HKLM\CCS\Services\DNS\Parameters (Value Name: DsTombstoneInterval, Value Type: DWORD). The value is in seconds.

    At that point the DNS deletes the record.

    Back to top of page>

    =================================================================

     

    Scavenging Refresh and No Refresh Settings Must be less than the DHCP Lease Period

    The scavenging period must be set less than the lease time. The way you have it currently set, you have two different settings but both are beyond the lease time. Due to both of these settings being different and beyond the lease time, is why you are getting inconsistencies, as I previously mentioned.

    For example: The 7 and 7 day intervals work hand in hand with a default DHCP lease time of 8 days. DHCP renewals happen at half the lease interval, right? Which is 4 days. If it doesn’t get renewed, then it waits until 87.5% of the lease time to renew, which is at the 7th day. If it doesn’t get renewed, then the lease is lost, and the DHCP client will attempt to get a new lease. Once the lease is lost at the 7th day, if you left scavenging set to default, it will clean out that old lease entry from DNS in all zones it existed in.

    Therefore, if you have an 8 hour lease, you’ll need to set scavenging for 1 day, but that is not a recommended setting. It’s simply too low. Also an 8 hour lease tries to renew at 50% of the lease time, and if unsuccessful, at 87.5% of the lease time, which is at the 7th hour. Scavenging needs to be set below that, but scavenging settings are in days, which is at 24 hours intervals, so there’s no possible way to set it below the lease time.

    Also, a lease time of 8 hours, or even 4 hours, as I’ve heard some admins have set it to, is really an aggressively short lease and can cause other problems elsewhere, such as with WINS and replication partners. I’ve seen errors in WINS in a partnership scenario where the data is constantly changing and WINS simply couldn’t keep up with the changes between partners.

    My suggestion is at least that if you want to keep an aggressively short lease, to at least make the lease period 2 days and scavenging 1 day.

    However, I’ve been in environments with the default 8 day lease and 7 day scavenging settings, along with either using credentials so DHCP owns all records it updates, or using the DnsUpdateProxy group, and it works fine. If a laptop gets a record at 8am on a Monday, but unplugs and goes home and comes back on Thursday, the laptop will attempt to get the same lease. If the laptop doesn’t come back until Tuesday the following week, it will get a new lease and new IP, and since DHCP owns the record, it simply updates it in DNS for the forward and reverse zones.

    To properly make it work using the DnsUpdateProxy group or using credentials, you must force DHCP to update ALL RECORDS, whether the client knows how to update or not, or requests it or not (the bottom setting). This will force DHCP to own ALL records. If you do not set these settings, and the scavenging period is more than the lease, unexpected results will occur.

    Scenario: Choosing a Short DHCP Lease Time of 8 hours

    If you reduce the DHCP lease to 8 hours, a number of things can occur, such as increased AD Tombstoning of DNS entries, which will increase the AD NTDS.dit file size, as well as possibly an inconsistency with the records in DNS, as well as issues with WINS trying to keep up with the changes, which will be evident with WINS Event log error entries.

    Also keep in mind that any DHCP client, no matter what operating system, uses the DORA method, that is Discovery, Offer, Request, and Acknowledgement. The point in time a client will ask for a lease refresh is at the 50% mark, where it uses RA, or Request (for the current lease config it has), and Acknowledgment. If it can’t get it at the 50% mark after 3 attempts, it will wait until 7/8 of the lease time to broadcast out a refresh request until the end of the lease period. If it doesn’t get a renewal at the end of the lease, the client machine removes the current config from its interface and has no IP.

    Therefore with an 8 hour lease, the refresh time is at 4 hours. That needs to be taken into account with additional traffic, and how DNS updates, as well as how WINS handles it with the constant requests coming through.

    Regarding the WINS issue, I’ve seen this once at a customer site years ago. It’s always stuck in the back of my mind to keep this in mind when such a short lease is desired. I found a default lease works fine, as long as scavenging is enabled (using default settings as well), including, if the DHCP server is on a DC, adding the DHCP server to the DnsUpdateProxy group, or, to alleviate the security issues with such a move, instead supplying credentials for DHCP, so it owns all records it registers into DNS and can update the records as they change. Otherwise, expect issues to occur.

    (The following, which goes into much more detail of what is actually occurring, was compiled and posted by Chris Dent in the Microsoft DNS newsgroup.)


    Why would one choose 8 hours? Possibly to handle many laptops coming in and out of the network. So you would think a shorter lease time would work. However, keep in mind that with any lease time, the point at which a client will ask for a lease refresh is at 50% of the lease time. Therefore, the client machine will ask for a refresh every four hours.

    This will result in a high rate of change in DNS, which may lead to a large number of tombstoned DNS entries. It would seem reasonable to reconsider the DHCP Lease duration, 8 hours is, after all, extremely short.

    Essentially you have:

    • The amount of AD Tombstoned Data is increasing because of Stale DNS records
    • The number of Stale DNS Records is high because of the (potential) rate of change of records in both Forward and Reverse Lookup
    • The rate of change must be somewhat proportional to changing leases in DHCP

    The DNS Record lifecycle:

    1. An A record is created (as a dnsNode in AD).
    2. When the Timestamp is no longer updated, and the Aging Interval passes its aging setting, the A Record becomes Stale.
    3. Stale Records are removed from the active DNS system, and the AD dnsTombstoned attribute is set to TRUE.
    4. Tombstoned record exists for value of the DsTombstoneInterval attribute, which is 7 days by default.
    5. The DnsNode object is moved to the Deleted Objects for the length of time of the tombstoneLifetime attribute value.

    Note: The Active Directory Tombstone Lifetime is listed in the schema.ini and will be set during the promotion of the very first DC in the forest, based on the Windows version used to install the first DC. This value does not change after upgrading all domain controllers to newer Windows versions or by changing the Domain or Forest Functional Levels. The entry in the schema.ini is “tombstoneLifetime=<number of days>” and can be changed. Therefore, the following will tell you what the value is, depending on what Windows operating system was used to install the very first domain controller in your infrastructure:

    • If the very first DC was installed using a Windows 2003 with integrated SP1 CD or newer, the Tombstone Lifetime Value is 120 days.
    • If the very first DC installed in the forest is Windows 2000 (any Service Pack), or Windows 2003 (pre-Windows 2003 SP1), the Tombstone Lifetime is 60 days.

    The values can be changed. Please read the following for information on how to change it:

    Active Directory Lingering Objects, Journal Wraps, Tombstone Lifetime, and Event IDs 13568, 13508, 1388, 1988, 2042, 2023
    (Scroll down to “Active Directory Tombstone Lifetime”)
    http://msmvps.com/blogs/acefekay/archive/2011/12/27/active-directory-lingering-objects-journal-wraps-tombstone-lifetime-and-event-ids-13568-13508-1388-1988-2042-2023.aspx

    Therefore, you either need to reduce the rate of change by increasing the lease duration, or deal with the inaccuracy in DNS, by limiting the Aging and Scavenging settings, or deal with an increasing directory size to store all this additional data. The directory size should level out eventually, when you reach the point where the number of tombstoned records being flushed is equal to the number being created.

    Back to top of page>

    DHCP Conflict Detection

    When DHCP provides a lease to a client, it tries to determine whether there is a conflict with another machine using the IP, which may have been inadvertently configured with a static IP configuration without realizing the IP is within the Lease Scope.

    DHCP uses pings for conflict detection.

    Enable address conflict detection
    http://technet.microsoft.com/en-us/library/cc737924(WS.10).aspx

    DHCP Best Practices
    Look for: “Use server-side conflict detection on DHCP servers only when it is needed”
    http://technet.microsoft.com/en-us/library/cc780311(WS.10).aspx

    DHCP Server Conflict Detection
    http://technet.microsoft.com/en-us/library/cc958918.aspx

    I’ve been asked a few times in the past if DHCP Conflict detection pings are the same as the pings when one uses a command prompt to ping a host. The answer to that is yes.

    To expand, the term “ping” is short for “Packet Internet Groper.” Pings are based on ICMP packets; just as you would ping an IP address, the DHCP server does the same to detect conflicts. It’s summarized in the following link by searching for the sentence, “When conflict detection attempts are set, the DHCP server uses the Packet Internet Groper (ping) process …”

    DHCP Server Conflict Detection
    http://technet.microsoft.com/en-us/library/cc958918.aspx

    Specific info on the Ping command:

    Ping – General Summary
    http://en.wikipedia.org/wiki/Ping

    Internet Control Message Protocol – Technical Summary
    http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

    Back to top of page>

    =================================================================

     

    DHCP Lease has a “pen” or “pencil” Icon

    If a record shows up in the DHCP Lease list with a pen icon, it means that a write is pending. If it doesn’t disappear, it may mean it is trying to register into a zone that does not exist on the DNS servers. This happens in cases where the client machine is not joined to the domain and has a missing or different Primary DNS Suffix than the zone in DNS.

    Registration can only occur into a zone that exists on DNS and that zone updates have been configured to allow updates.

    If this is the case, go into the client machine’s IP properties, and perform the following:

    • On the DNS tab in TCP/IP Advanced properties, clear the “Register this connection’s addresses in DNS” check box
    • Clear the “Use this connection’s DNS suffix in DNS registration” check box
    • The DHCP Server will fill these in for you and register using the domain name in Option 015.

    Reference:

    DHCP console icons reference
    http://technet.microsoft.com/en-us/library/cc784812(WS.10).aspx

    Back to top of page>

    =================================================================

     

    Records & timestamps, and the lack of timestamps

    If the record was manually created, it won’t show a time stamp, however, if the record was dynamically registered, it will show a time stamp. My guess is the records you are referring to were manually created. If you manually create a record, the checkbox will not be checked to scavenge, however if it was dynamically registered, it will be checked.

    I just tested this with Windows 2003 DNS. When I had built a few servers for a customer and let them auto register, they had a timestamp and the scavenge checkbox was checked. For the records I manually created, such as internal www records, and others, they did not have a time stamp and were not checked to scavenge.

    Even if you allow auto registration, which I do by default, and a record gets scavenged, it gets re-registered anyway by the OS. Unless you are seeing something going on that is affecting your environment, the default settings work fine; at least they do for me across all of the customer installations where I’ve set scavenging and forced DHCP to own the records, so it can update the records it registered at lease refresh time.

    Back to top of page>

    Related Links

    How to configure DNS dynamic updates in Windows Server 2003.
    http://support.microsoft.com/kb/816592

    Using DNS servers with DHCP (Contains information on the DnsUpdateProxy group and its usage)
    http://technet.microsoft.com/en-us/library/cc787034(WS.10).aspx

    Using DNS Aging and Scavenging
    Aging and scavenging of stale resource records are features of Domain Name System (DNS) that are available when you deploy your server with primary zones.
    http://technet.microsoft.com/en-us/library/cc757041(WS.10).aspx

    Microsoft Enterprise Networking Team : Don’t be afraid of DNS, Mar 19, 2008
    DNS Scavenging is a great answer to a problem that has been nagging everyone since RFC 2136 came out way back in 1997.
    http://blogs.technet.com/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

    How DHCP Technology Works
    http://technet.microsoft.com/en-us/library/cc780760(WS.10).aspx

    From Ulf B. Simon Weidner:
    DHCP, DNS and the DNSUpdateProxy-Group
    I had a discussion in the Newsgroups lately about DHCP and the DNSUpdateProxy-Group which is used to write unsecured DNS-Entries to a DNS-Zone which only …
    http://msmvps.com/ulfbsimonweidner/archive/2004/11/15/19325.aspx

    And from Kevin Goodnecht:
    Setting up DHCP for DNS registrations
    http://support.wftx.us/setting_up_dhcp_for_dns_registra.htm

    317590 – HOW TO Configure DNS Dynamic Update in Windows 2000 and DNSUpdateProxy Group:
    http://support.microsoft.com/kb/317590

    816592 – How to configure DNS dynamic updates in Windows Server 2003:
    http://support.microsoft.com/kb/816592

    Follow up discussion on the DNSUpdateProxy-Group:
    http://msmvps.com/ulfbsimonweidner/archive/2005/03/26/39841.aspx
    ==================================================================


     

    More to come… Comments are welcomed.

    ==================================================================

    Summary

    I hope this helps!

    Published 8/13/2016

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services


    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Migrate Files to a new File Server using RoboCopy, IP addresses, and Relative Paths using the Administrative Shares

    Prologue

    Ace Fekay here again.

    You might say to yourself this is some really simple stuff. Sure, it might be, for the pro. As many of you know, I’m an avid Active Directory and Exchange server engineer/architect, and an MVP in Active Directory.

    Therefore, with AD, Exchange, and Office 365, you will find that scripting comes into play more and more in your daily tasks. The main reason I’m posting simple scripts is that, to get the job done, I just needed an arsenal of simple quickie scripts for when I’m called upon to do a simple task, such as this one: quickly getting a list of users in a group.

    I hope this, and my future scripts, especially with Office 365, help you out.

    Scope

    This is one method to migrate data from one file server to another. I have another method, which I will post later, that does it by share name. This one just gets the two servers closer to having the same data before I run the final script.

    DFS

    Keep in mind that we use DFS. I will already have created a new target on the new file server for each current share, but I keep the new targets disabled until we are ready to cut over.

    However, when we cut over the target to the new server, we want to shut off the shares on the source (old) server to prevent anyone from using them. Of course, we’ve already communicated the migration schedule to the user base.

    Therefore, since the shares will be deleted, this script must reach the source by its IP address and by paths relative to the default administrative shares (C$, D$, etc.).

    Share and NTFS Permissions Backup

    Yes, absolutely! You definitely want to back up your Share and NTFS permissions on this server just in case something happens! The following link is a great article to show you how to do it:

    How to Back Up and Restore NTFS and Share Permissions
    http://blogs.technet.com/b/askds/archive/2008/11/24/how-to-back-up-and-restore-ntfs-and-share-permissions.aspx
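    As an added example (not code from the post or from the linked article), here is a PowerShell snapshot of the share definitions and the NTFS ACLs of every ordinary disk share on the old server, taken before the RoboCopy run so both can be restored if the cut-over has to be rolled back. It assumes it runs locally on the old server with administrative rights; C:\PermBackup is a constructed output folder.

```powershell
# Added example (not from the original post): back up share definitions and NTFS ACLs
# on the source file server before the RoboCopy run, so both can be restored if the
# cut-over has to be rolled back. Assumes it runs locally on the old server with
# administrative rights; C:\PermBackup is a constructed output folder.
$BackupRoot = "C:\PermBackup"
if (!(Test-Path $BackupRoot)) { New-Item -ItemType Directory -Path $BackupRoot | Out-Null }

# 1. Share definitions (share names, local paths and share-level permissions) are
#    stored under LanmanServer\Shares; "reg import" on the new server restores them
#    once the same drive letters and folders exist there.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares" "$BackupRoot\Shares.reg" /y

# 2. NTFS ACLs for the tree under each ordinary disk share. Win32_Share Type 0 is a
#    plain disk share, which skips the hidden administrative shares (C$, ADMIN$, IPC$).
Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 } | ForEach-Object {
    $aclFile = Join-Path $BackupRoot ("{0}.acl" -f $_.Name)
    # icacls /save writes one SDDL line per object; /T recurses, /C keeps going on errors.
    # The saved paths are relative to the parent of the share root, so restore with
    #   icacls <parent of share root> /restore <aclFile>
    icacls $_.Path /save $aclFile /T /C | Out-Null
    # Index row so the operator knows which ACL file belongs to which share and path.
    [pscustomobject]@{ Share = $_.Name; Path = $_.Path; AclFile = $aclFile }
} | Export-Csv "$BackupRoot\ShareIndex.csv" -NoTypeInformation
```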

    Easy? Nah…

    Many may say this is simple stuff. Sure, for the seasoned scripter, which I’m not. The main reason I’m posting this, and I will be posting much more, including Office 365 scripts, is that I had to look it up. I’ve found various websites that provide how-tos, but when it comes to handling variables and piping, there is no one place to get various examples, and I have found myself looking at multiple places to get this info, including my colleagues, who are extremely adept at scripting. On many sites, I also see elaborate scripts that do more than what I need. They are fabulous blogs and websites, but sometimes I need the simple one-liners to perform day-to-day stuff.

    Script:

    # Uses relative paths.
    # Change directory to where your script and its three input files are located before running.
    # Each input file has one entry per line, and the three files must be in the same order:
    #   OldServerName-Share-paths.txt            local path of each share on the old server (e.g. D:\Shares\Marketing)
    #   OldServerName-SourceSharesList.txt       share name on the old server (used for the per-share log file name)
    #   OldServerName-DestinationSharesList.txt  share name on the new server
    #
    # =========================================================================================
    # Function: Get the total size of a folder in MB (helper; not called by the loop below)

    function Get-Size
    {
        param([string]$pth)
        "{0:n2}" -f ((Get-ChildItem -Path $pth -Recurse | Measure-Object -Property Length -Sum).Sum / 1mb) + " mb"
    }
    # =========================================================================================
    #
    Set-Location "C:\PSScripts\OldServerName"

    $SourceServerNetBIOSName = "OldServerName"
    $SourceServerIP          = "10.100.200.200"
    $DestinationServerName   = "NewFileServer.contoso.com"

    #**************************************************************************************
    # Ignore this section
    # Test files with only one share

    # Note: This section was a test to see if the script works when there is only one share.
    # It did not work at first because Get-Content returns a single string, not an array, when
    # the file has one line, so $SourceServerPath[0] returned the first character of the path.
    # Wrapping Get-Content in @(...) forces an array, which makes the one-share case work.

    #$SourceServerPath =            @(Get-Content '.\OldServerName-Share-paths-test.txt')
    #$SourceServerShares =          @(Get-Content '.\OldServerName-SourceSharesList-test.txt')
    #$DestinationServerShareNames = @(Get-Content '.\OldServerName-DestinationSharesList-test.txt')

    # Ignore this section
    #**************************************************************************************

    $SourceServerPath            = @(Get-Content '.\OldServerName-Share-paths.txt')
    $SourceServerShares          = @(Get-Content '.\OldServerName-SourceSharesList.txt')
    $DestinationServerShareNames = @(Get-Content '.\OldServerName-DestinationSharesList.txt')

    # The three lists are matched by line number, so they must be the same length.
    if (($SourceServerPath.Count -ne $SourceServerShares.Count) -or
        ($SourceServerShares.Count -ne $DestinationServerShareNames.Count)) {
        throw "The three share list files must contain the same number of lines."
    }

    $LogDestinationFolder = ".\Logs"
    $LogfileName    = $SourceServerNetBIOSName + ".txt"
    $LogFileAndPath = $LogDestinationFolder + "\" + $LogfileName

    # Create the log folder if it does not exist.
    if (!(Test-Path -Path $LogDestinationFolder)) {
        New-Item -ItemType Directory -Path $LogDestinationFolder | Out-Null
    }

    Write-Host "Total Share count = " $SourceServerShares.Count

    for ($i = 0; $i -lt $SourceServerShares.Count; $i++) {

        # Turn the local path (D:\Shares\Foo) into its administrative-share form (D$\Shares\Foo),
        # because the old server's ordinary shares will already be gone at cut-over.
        $srcpath = $SourceServerPath[$i] -replace '(.*):', '$1$'
        $dstpath = $DestinationServerShareNames[$i]

        $FullSourcePath = "\\" + $SourceServerIP + "\" + $srcpath
        $FullDestPath   = "\\" + $DestinationServerName + "\" + $dstpath

        Write-Host ""

        if ((Test-Path $FullSourcePath) -and (Test-Path $FullDestPath))
        {
            $log = $LogDestinationFolder + "\" + $SourceServerNetBIOSName + "-" + $SourceServerShares[$i] + ".txt"
            Write-Host "Current share's log:" $log

            # /E copies subfolders including empty ones; /R:1 /W:1 retry once after one second;
            # /TEE writes the output to the console as well as to the log file.
            robocopy $FullSourcePath $FullDestPath /E /R:1 /W:1 /TEE /log:$log | Out-String

            # This is trying different switches - Ignore
            #robocopy $FullSourcePath $FullDestPath /MIR /copy:DT /W:5 /R:1 /V /IT /FP /NFL /TS /log:$log | Out-String

            # This was a local drive to drive attempt - Ignore
            #robocopy e:\users y: /copy:DATSO /E /R:1 /W:5 /TEE /log:c:\robocopy.log

            Write-Host "Source path is: " $srcpath
            Write-Host "Full Source Path is: " $FullSourcePath
            Write-Host "Destination path is:" $dstpath
            Write-Host "Full Destination path is: " $FullDestPath

            $SharesProcessedSoFar = $i + 1
            Write-Host "Shares processed so far =" $SharesProcessedSoFar " out of a total share count of " $SourceServerShares.Count
            Write-Host ""
        }
        else
        {
            Write-Host "Problem with: " $srcpath "Destination sharename is:" $dstpath
            Write-Host "Referencing full Source Path:" $FullSourcePath "Destination Path:" $FullDestPath
            $SharesProcessedSoFar = $i + 1
            Write-Host "Shares processed so far =" $SharesProcessedSoFar " out of a total share count of " $SourceServerShares.Count
        }
    }
    Write-Host "Total Shares processed = " $SourceServerShares.Count

    More to come…

    Comments are welcomed.

    ==================================================================

    Summary

    I hope this helps!

    Published 10/3/2015

    Ace Fekay

    Get-QADGroupMember to CSV

    Prologue

    Ace Fekay here again.

    You might say to yourself this is some really simple stuff. Sure, it might be, for the pro. As many of you know, I’m an avid Active Directory and Exchange server engineer/architect, and an MVP in Active Directory.

    Therefore, with AD, Exchange, and Office 365, you will find that scripting comes into play more and more in your daily tasks. The main reason I’m posting simple scripts is that, to get the job done, I just needed an arsenal of simple quickie scripts for when I’m called upon to do a simple task, such as this one: quickly getting a list of users in a group.

    I hope this, and my future scripts, especially with Office 365, help you out.

    Scope

    I needed to get a user membership list from a global group called “Marketing Dept” into a CSV. Group scope doesn’t matter. I just need a list of the members, because the owner of the share that the group controls access to needed a list to ensure that it’s current and to clean up any disabled accounts of users who have left the company.

    And yes, this is simple stuff. The main reason I’m posting this, and I will be posting much more, including Office 365 scripts, is that I had to look it up and there is no one place to get all of this at the simple level. All I see are elaborate scripts that do more than what I needed. Hence, my posts.

     

    I usually kick it off with a Get-Credential, because I run this from my workstation logged on with my non-admin account. And because I work in a multi-forest, multi-domain environment, I must connect to the specific domain where the group exists.

    Of course, we must add the Quest PowerShell snap-in. In addition, I use the “-NoTypeInformation” switch to suppress the silly “Type” data that shows up in the output.

    Code

    # Capture the prompted credential and hand it to Connect-QADService, otherwise the
    # connection is made with the non-admin workstation logon.
    $cred = Get-Credential
    Add-PSSnapin Quest*
    Connect-QADService -Service domain2 -Credential $cred
    Get-QADGroupMember "Marketing Dept" | Select-Object DisplayName,Name,AccountIsDisabled | Export-Csv c:\output\Domain2-MarketingDept.csv -NoTypeInformation
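    As an added example (not the post’s own code), here is a fuller version of the review the share owner asked for: it pulls in members of nested groups and splits out the disabled accounts that should be cleaned up. It assumes the Quest snap-in’s Get-QADGroupMember -Indirect switch and the Type property of the objects it returns; “domain2” and “Marketing Dept” come from the post, and C:\output is a constructed folder.

```powershell
# Added example (not from the original post): review a group's user membership for the
# share owner, including members of nested groups, and split out the disabled accounts
# that should be cleaned up. Assumes the Quest AD snap-in, the -Indirect switch of
# Get-QADGroupMember and the Type property of the objects it returns; "domain2" and
# "Marketing Dept" come from the post, C:\output is a constructed folder.
$cred = Get-Credential                    # prompt once; the workstation logon is non-admin
Add-PSSnapin Quest.ActiveRoles.ADManagement
Connect-QADService -Service 'domain2' -Credential $cred | Out-Null

# @(...) guarantees an array even when the group has a single member, so .Count works.
$members = @(Get-QADGroupMember 'Marketing Dept' -Indirect |
    Where-Object { $_.Type -eq 'user' } |
    Select-Object DisplayName, SamAccountName, AccountIsDisabled)

# Disabled accounts are the ones the share owner wants removed from the group.
$disabled = @($members | Where-Object { $_.AccountIsDisabled })

$members  | Export-Csv 'C:\output\Domain2-MarketingDept-all.csv'      -NoTypeInformation
$disabled | Export-Csv 'C:\output\Domain2-MarketingDept-disabled.csv' -NoTypeInformation

Write-Host ("{0} user members, {1} disabled and flagged for cleanup" -f $members.Count, $disabled.Count)
```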

    Comments are welcomed.

    ==================================================================

    Summary

    I hope this helps!

    Published 8/17/2015

    Ace Fekay