DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Do I Need WINS? Direct Hosted SMB (DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm

Ace Fekay again!!!!

Compiled 8/13/2018

I know everyone always has trouble with this topic, as in why doesn’t DNS failover on the client, especially that I set four or five DNS addresses on it??? Why!!!

Because it doesn’t work that way! And NO, it’s not a “Microsoft” client thing or server thing, it’s based on the client side resolver service defined as an industry standard that all manufacturer’s (Microsoft, Apple, Unix flavors, Android, etc) operating systems follow, including your phone.

Topics Covered

DNS & WINS Resolution Process

Browser service without WINS across subnets

Do I need WINS?

Disabling the Browser service, NetBIOS

DNS Client side Resolver service Query Process

DNS Forwarder Resolution and Time Out Process

If one DC or DNS is down, why can’t I logon to the other DC or not use the second DNS address to find another DC?

What happens with Exchange and Outlook when when DNS goes down?

Client side DNS Devolution on Windows 7 and Windows 2008 R2 has Changed

How does resolution work in a multi-domain forest (with child domains)?

Troubleshooting the Browser Service

========================================

1. DNS & WINS Resolution Process

Keep in mind, Win2000 and newer machines uses the DNS (hostname) process FIRST before the NetBIOS resolution process. If it does not get resolved using the DNS process, then it uses the NetBIOS process. Legacy pre-Windows 2000 clients, such as Windows NT, Windows 98, Windows 95, Windows 3.1, DOS, etc, use the NetBIOS process FIRST if the queried name is less than 15 characters, and if not, it uses hostname (DNS) resolution. If is is shorter than 15, then it will use NetBIOS, but if it doesn’t get resolved using NetBIOS, only then will it use the DNS hostname resolution process.

If you are using an NBNS (NetBIOS Nameserver, such as WINS), that changes it a bit, and it also depends on what Node it’s in. H-Node is default, but the order can be changed with a registry change. There are four NetBIOS Nodes:

B-Node – Broadcast ONLY
P-Node – NBNS (Netbios Nameserver) or WINS ONLY
M-Node- Mixed NBNS and Broadcast, but uses Broadcast FIRST.
H-Node – Mixed NBNS and Broadcast, but uses WINS FIRST.

Windows 2000 and newer, hostname (DNS or hosts file) resolution is used first before NetBIOS (WINS enabled)

Checks it’s own name.
Local hostname (DNS client side resolver) cache
HOSTS file
DNS (this is where the search suffix comes in play if a single name query)
NetBIOS name cache
WINS
Broadcast
LMHOSTS

Windows 2000 and newer – If not using WINS:

Checks it’s own name.
Local hostname (DNS client side resolver) cache
HOSTS file
DNS (this is where the search suffix comes in play if a single name query)
NetBIOS name cache
Broadcast
LMHOSTS

Prior to Windows 2000 (ME, 95, DOS, 3.1, etc), NetBIOS was tried first, essentially if using WINS:

Is name longer than 15 characters? If so, perform Hostname (DNS) resolution process. If not, continue…
Checks it’s own name.
NetBIOS name cache
WINS
Broadcast
LMHOSTS files
Local hostname (DNS client side resolver) cache
HOSTS file
DNS (this is where the search suffix comes in play if a single name query)

If NetBIOS is disabled, which only disabled the NBT transport and interface, TCP will still use DirectSMB (also called Direct Hosted SMB) in Windows 2000 or newer. If both the direct hosted and NBT interfaces are enabled, both methods are tried at the same time and the first to respond is used. This allows Windows to function properly with operating systems that do not support direct hosting of SMB traffic.

Regarding DirectSMB,

Quoted from Aiden Cao, MIcrosoft, 2/6/2012 in thread:
TechNet Thread question: “Netbios Session Service and SMB” 2/5/2012
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e03e2d52-0761-451a-91e8-40955172f460/

“Previous to Windows2000, Microsoft OS could only use SMB over a NetBIOS session. This means that all SMB traffic will start after NetBIOS session is established. It’s relies on TCP port 139. If we disabled the NetBIOS over TCP/IP, the SMB connectivity was interrupted.

At Windows 2000 and higher version, the OS support both NetBIOS sessions and Direct Hosting. And Direct Hosting of SMB over TCP uses TCP port 445. Since Direct Hosting is not reliant on NetBIOS, NetBIOS over TCP/IP can be disabled and connectivity to resources via SMB is still possible to other machines, with the only caveat with legacy apps that rely on NetBIOS.”

Direct hosting of SMB over TCP/IPRemoving WINS and NetBIOS broadcast as a means of name resolution. DirectSMB uses TCP 445… Direct-hosted SMB’s cannot be disabled in Windows without disabling additional features…
http://support.microsoft.com/kb/204279

More on the client side resolver:

How DNS works, March 28, 2003
Client side process order, etc.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc772774(WS.10).aspx#w2k3tr_dns_how_gaxc

How NetBIOS name resolution really works, By Robert L. Bogue, March 11, 2003
http://www.techrepublic.com/article/how-netbios-name-resolution-really-works/5034239

DNS Hostname Resolution Flowchart:

The following information was quoted from:
Chapter 7: Host Name Resolution
http://technet.microsoft.com/en-us/library/bb727005.aspx
(Image 1): http://technet.microsoft.com/en-us/library/Bb727005.chp7hn01_big(en-us,TechNet.10).gif

Second two images from this link:
Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx
(Image 2): http://i.technet.microsoft.com/Cc940063.CNBC05(en-us,TechNet.10).gif
(Image 3) http://i.technet.microsoft.com/Cc940063.CNBC05B(en-us,TechNet.10).gif

Image1:

Image 2 & Image 3:

NetBIOS Name Resolution Process:

The following two images are quoted from:

Configuring IP Addressing and Name Resolution
http://technet.microsoft.com/en-us/library/bb457118.aspx

Resolution Process Related Links:

Hostname Resolution – Describes DNS domain name resolution
http://technet.microsoft.com/en-us/library/cc958812.aspx

NetBIOS and Hostname resolution for Microsoft Client and LAN Manager 2.2c Client:
http://support.microsoft.com/kb/169141/EN-US/

Name Resolution Process in detail:
http://www.comptechdoc.org/os/windows/wintcp/wtcpname.html

(This was Updated 1/2012 to reflect Windows 7 & Windows 2008 R2 changes)

Back to top of page>

========================================

2. Browser service without WINS across subnets

It appears to say that if all machines are Windows 2000 and newer, (nothing older), AD provides NetBIOS resolution for all clients. But it doesn’t say how it goes about doing that. It goes on saying that the backup browsers and master browsers for each segment over a WAN communicate to the PDC, which is the browse master for a domain, over UDP 138, means that AD has a role in this, but is not specific. What appears to be happening is an AD client uses DirectSMB over 445, but I’m not sure. I cannot find anything on the mechanism. I’m one to want to know and learn of the background functions of anything. This is not necessarily so with non-AD clients.

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001

Common causes and solutions of browser Event ID 8021 and Event ID 8032 on domain master browsers
http://support.microsoft.com/kb/135404

Troubleshooting the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188305

New Networking Features in Windows Server 2008 and Windows Vista (Scroll down and read the “Computer Browse Service” section and its mention that the Computer Browser needs to be running on the PDC Emulator of a domain)::
http://technet.microsoft.com/en-us/library/bb726965.aspx

Windows 2008 – Appendix C – Computer Browser Service
http://technet.microsoft.com/en-us/library/bb726989.aspx

Back to top of page>

========================================

3. Do I need WINS?

That’s an extremely good question. The answer is it depends. It depends on what apps and services currently running that require NetBIOS name resolution support.

For example, unless it’s been recently changed, Symantec Backup Exec needs it to ‘browse’ for the agent in the network browse list. Therefore, Backup Exec currently uses NetBIOS to assemble a list of all machines on a network to allow you to backup up remote computers whether the agent is installed or not, and giving you the option to install the backup agent.

So it depends on what YOU have running.

For example, Some AV solutions, such as McAfee Enterprise, Symantec, and CA uses NetBIOS to “find” all machines on the network to allow you to rollout installations and administer.

Therefore, you must inventory your infrastructure for applications and sevices that use NetBIOS. If I may suggest, make sure there are no applications running that rely on NetBIOS, such as SQL, Exchange, Netgwork Neighborhood browsing, printer browsing, etc, before pulling WINS out.

And yes, keep in mind Exchange 2000/2003 and Outlook communications require WINS for certain functions, such as Calendaring. This was removed from Exchange 2007 and 2010, and uses a different mechanism.

Here are some relevant links:

Exchange Server 2003 and Exchange 2000 Server require NetBIOS name resolution for full functionality
http://support.microsoft.com/kb/837391

Eileen Brown’s WebLog: Exchange 2003 and WINS
http://blogs.technet.com/eileen_brown/archive/2006/01/26/exchange-wins.aspx

WINS dependencies in Exchange 2003 Server
Summary of Microsoft’s implimentation of WINS Windows Internet Name Service. How even Exchange 2003 makes NetBIOS calls. Implications for a routed network.
http://www.computerperformance.co.uk/w2k3/services/WINS_exchange.htm

If you need WINS and want to learn how to install and configure it, please see the following:

WINS – What Is It, How To Install It, and how to Configure DHCP Scopes For WINS Client DHCP Distribution
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

How To Install a WINS server:
http://technet2.microsoft.com/windowsserver/en/library/e4d3c3d8-a846-49b9-aac6-e04f2907aac51033.mspx

WINS Best Practices (Use ONLY itself in ip properties):
http://technet2.microsoft.com/windowsserver/en/library/ed9beba0-f998-47d2-8137-a2fc52886ed71033.mspx

Back to top of page>

========================================

4. Disabling the Browser service, NetBIOS

Just be careful on what you disable. The effects of disabling certain services depend on the operating system version and its role. Disabling a necessary service may disable certain necessary functions on a machine. See section 3 above regarding apps that may be using or need NetBIOS support.

1. You can disable this service on a machine in a domain environment. It dictates whether it participates with becoming an eligible master browser on a subnet. To understand what that means, requires some reading.

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001

What’s the Microsoft Computer Browser Service?
Disable NetBIOS in W2K/XP/2003 · Hide a Server from the Microsoft Computer Browser … Malicious User Can Shut Down Computer Browser Service:
www.petri.co.il/whats_the_microsoft_computer_browser_service.htm

Computer Browser Service
http://www.theeldergeek.com/computer_browser.htm

2. Leave that running. You need it. It works for all versions of NTLM.

NTLM Security Support Provider.
NTLM SSP is based on Microsoft Windows NT® LAN Manager challenge/response and NTLM version 2 authentication …
http://msdn.microsoft.com/en-us/library/ms925943.aspx

3. If you disable the TCP NetBIOS Helper, you will not be able to map any drives or printers using NetBIOS names or FQDN.

“Network Location Cannot be Reached” Error Message When You Try to … To resolve this issue, start the TCP/IP NetBIOS Helper Service, and then join the domain.

To start the NetBIOS Helper Service, follow these steps:
http://support.microsoft.com/kb/329866

4. One big advise – do not disable the DHCP Client service on any server, whether the machine is a DHCP client or statically configured. Somewhat of a misnomer, this service performs Dynamic DNS registration and is tied in with the client resolver service. If disabled on a DC, you’ll get a slew of errors, and no DNS queries will get resolved.

No DNS Name Resolution If DHCP Client Service Is Not Running. When you try to resolve a host name using Domain Name Service (DNS), the attempt is unsuccessful. Communication by Internet Protocol (IP) address (even to …
http://support.microsoft.com/kb/268674

Windows Vista/2008 and newer, the DNS Client service is now responsible for Dynamic Updates

This has changed in WIndows Vista, Windows 2008, Windows 7 and Windows 2008 R2 – It no longer uses the DHCP Client Services. It now uses the DNS Client Service.

For Windows 2000/2003/XP, the DHCP Client Service is what performs the Dynamic DNS Update process. For Windows 2008/Vista/2008 R2/Windows 7 and all newer operating systems, it is now the DNS Client Service.

Specific details can be found in the following link:

Understanding Dynamic Update, Applies To: Windows Server 2008, Windows Server 2008 R2 (and changes to the DNS Update process from previous operating systems)
http://technet.microsoft.com/en-us/library/cc771255.aspx

Quoted from above article:

“The DNS Client service and the DNS Server service support the use of dynamic updates, as described in Request for Comments (RFC) 2136, “Dynamic Updates in the Domain Name System.”
The documentation after that indicates the DHCP CLient service, but please ignore that. There are a few of us in touch with the dev group about the documentation, and it wil be cleared up.
The point is the DHCP CLient service is no longer responsible for updates.

DHCP (Dynamic Host Configuration Protocol) Basics
http://support.microsoft.com/kb/169289

Back to top of page>

========================================

5. DNS Client side Resolver service Query Process

The Client Side Resolver Service algorithm on all Windows 2000 and newer machines:

To summarize:

If the first entry responds but doesn’t have an answer, which is what we call an NXDOMAIN response (when the DNS server doesn’t have an answer but it responded), it won’t go to the second entry, because it got an answer, even though it is not the answer we wanted.

If the DNS server does not respond, which we call a NULL response (when the DNS is down and doesn’t respond), it will go to subsequent entries in the order entered after a time out period, or TTL, which can last 15 seconds or more as it keeps trying the first one, at which then it REMOVES the first entry from the “eligible resolvers” list, until the list is reset after 15 minutes, and either restart the DHCP Client Service (on 2000/2003/XP), (ipconfig /flushdns), restart the DNS Client Service (on 2008/Vista and all newer), or restart the machine.

For specifics, the Microsoft DNS Whitepapers is a good start. Here’s more:

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760

Technet Thread: “problem with secondary dns”
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/8fc4597c-d64e-4a87-9cfe-5fe159df5735/

Other references:

How to Disable Client-Side DNS Caching in Windows XP and Windows …Oct 12, 2007 …
To disable the DNS cache permanently in Windows, use the Service Controller tool or the Services tool to set the DNS Client service startup …
http://support.microsoft.com/kb/318803

How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003 (Read the part about the client side resolver algorithm and the client side resolver service timeout when querying multiple DNS entries)
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

How DNS query works Domain Name System(DNS):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/0bcd97e6-b75d-48ce-83ca-bf470573ebdc.mspx

DNS Resolver Cache Service [incvluding NetFailureCacheTime and NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp

286834 – DNS Client Service Doesn’t Revert to Using First Server in List [explained in the DNS white papers] reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834

261968 – Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968

SP4 Changes DNS Name Resolution – Actual Query Timeout settings the resolver uses – (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550

Linux and Unix client resolver works pretty much the same:

That is correct, this behavior ALSO applies to Non-Microsoft operating system client side resolver, such as the Linux/Unix Client Side Resolver

Thread: Re: Complex DNS Resolver Question – DNS
http://fixunix.com/dns/220126-re-complex-dns-resolver-question.html

Quoted from the above link:
If the hostname is not found, then you want to query
a local nameserver to locate the information. That is not how DNS
operates. If a queried nameserver is unaccessible, then DNS will query
another nameserver, providing that there is a second nameserver
configured. But if the first nameserver returns NXDOMAIN (the record
you requested is not in DNS), then the result returned to the client is
NXDOMAIN. The DNS protocol is not set up to look elsewhere for the
record, especially if the first nameserver returns NXDOMAIN
authoritatively.

Client Side Options If a DC goes down:

Run the following command line to fix this problem on your Active Directory clients by emptying the DC Locator cache (Replace “DomainName” with the Fully Qualified Domain Name (FQDN) of your Active Directory domain:
nltest /dsgetdc:DomainName /force

========================================

6. DNS Forwarder Resolution and the Time Out Process

Information on how a DNS Forwarder time-out works with using multiple Forwarder:

Keep in mind, if you have too many forwarders listed, and only one is recommended (I believe 6 is the most it will use), the client side resolver may time out waiting for the 4th forwarder to get queried and will go to the next DNS server listed in the client’s IP properties.

Configure a DNS server to use forwarders (you can change the time-out period)
http://technet.microsoft.com/en-us/library/cc773370.aspx

Good post by Kevin Goodnecht explaining the forwarders time out and scenarios with too many Forwarders listed.
http://help.lockergnome.com/windows2/Strange-forwarding-issues-ftopict482618.html

Quoted from above link:

“Actually, the DNS service will stick to the Forwarder that provides an answer, no matter where it is in the list, if one forwarder times out (no answer) it will move to the next forwarder in the list, if the next forwarder provides an answer it uses it until it times out. The problem for you is, that it may not get back around to the first forwarder, before the Forwarding timeout expires, and it starts using recursion itself and goes to the root hints.

Now, if you check the box “Do not use recursion” the DNS server will use only its forwarders, and will not use root hints. But this cannot guarantee that one of the other servers being used as a forwarder answer the query.

I recommend that if there is a domain that cannot be reached through the internet root, that you add a secondary zone for that domain on the Win2k DNS server.”

Comment on Forwarders:

DNS acts as a resolving client when it uses a Forwarder because as the explanation indicated, it is sending the request elsewhere, essentially offloading the request so it doesn’t have to hit the Roots to devolve the query. If there are multiple Forwarders, DNS will hit each Forwarder. If it runs out of Forwarders, only then will it use the Roots, unless the checkbox to disable recursion is set under the Forwarders tab (not the Advanced tab). But then that all takes time. Keep in mind there is a time out that a client will wait, so if the original client request that sent it to your DNS server is waiting beyond the time out period, and the DNS server is waiting on it’s resolution request from a Forwarder, and the time out period is reached and no response is received, the client will assume that the DNS address that it used is no good and will remove it from the ‘eligible resolvers list’ and then query the second one.

If a DNS server that is set as a Forwarder is no longer functioning, or if whomever owns the server decides to disable Recursion, which will make it not respond to queries to zones it does not host (effectively making it a content only server), or is controlling it by “views” ( a BIND feature to control what subnets it responds to for queries), then the DNS service will follow a time-out (TTL or Time to Live) algorithm when it sends the query to the first Forwarder in the list. If there is no response (NULL response) after the TTL, then it eliminate that Forwarder for this query only, and it will then send the query to the next Forwarder in the list. If none of the Forwarders respond, the DNS service will then send the query to the Root Hints to devolve the query.

Now – and this is an important “now,” if there are many DNS servers listed in the Forwarders list, such as 3 or 4, the time out value for the number of Forwarders listed may exceed the timeout (TTL) the client side resolver service is set to by default (on the client machine making the request), therefore receiving that familiar ‘HTTP 404 not found’ in the browser.

For practical purposes understanding the TTLs, I would suggest to never set more than two Forwarders.

To find out if a DNS server will respond to queries and be eligible to use as a Forwarder, you can test it by using the nslookup utility (use set -d2 option and look for ‘recursion available’ or ‘recursion not available’

So for all practical purposes, I never set more than two Forwarders, otherwise what’s the use? If the first two can’t resolve it, it probably is not resolvable anyway.

Back to top of page>

========================================

7. If one DC or DNS server goes down, why can’t I logon to the other DC or not use the second DNS address to find another DC?

Which begs the eternal philosophical question:
If a Domain goes down in a forest, and there’s nobody there, did it crash?
—

Keep in mind that if any of the DCs are multihomed (more than one NIC and/or
IP), you are using your ISP’s DNS, or the domain is a single label name
(‘domain’ versus the recommended minimum of ‘domain.com,’ domain.local,’ etc),
other problems will occur, and you will get unexpected and undesireable
results whether there is one DC down or not.

As for the second DC responding, this all depends on the DNS settings on the
client side, as well as if the previous logon server and record was cached.

It will use the second address, but only after a timeout period the client is waiting for a response from the server. You need to understand how the client side resolver works. As stated above in section #5:

If the first entry responds but doesn’t have an answer, which is what we call an NXDOMAIN response (when the DNS server doesn’t have an answer but it STILL responded), it won’t go to the second entry, because it got an answer, even though it is not the answer we wanted.
If the DNS server does not respond, which we call a NULL response (when the DNS is down and doesn’t respond), it will go to subsequent entries in the order entered after a time out period, or TTL, which can last 15 seconds or more as it keeps trying the first one, at which then it REMOVES the first entry from the “eligible resolvers” list, until the list is reset after 15 minutes, or after you clear the client side cache (ipconfig /flushdns), or restart the DHCP Client Service (on 2000/2003/XP), restart the DNS Client Service (on 2008/Vista and all newer), or restart the machine.

To put it another way:

If the query sent to the first entry in the DNS list responds with an NXDOMAIN response, meaning it is an actual response, but there is no record from the server it asked, then it will look no further because it is a response. however if it receives a NULL response, meaning the DNS server is down and there is no response, it will remove the first entry from the ‘eligible resolvers list’ for a certain amount of time (depending on the OS version and SP level), then send the query to the second one. However, if the record is already cached, it won’ even ask the first entry. Hence why the possibility that the client machine is asking a DC that is down.

Summary:

As I mentioned, this is ALL based on the client side resolver, not the DNS server. This time out period can be perceived as by someone sitting there waiting as ‘it’s not working’ because it appears to be taking so long. Also,
if it is already cached locally by the client side service, it will not ask and will send the connection request to the cached record, which if it is the server that is down, then it can’t connect anyway, and no response, but you may be sitting there expecting it to go to the other DC that is up. The way to reset the list is to restart the DHCP Client service (not the DHCP server) on the workstation, and the way to delete the cache on the client is to run ipconfig /flushdns, or simply restart the machine.

Or simply disable the DNS Client Side caching mechanism. It’s not suggested to do this due to performance and especially if you have many machines in the infrastructure. However for testing, you can give it a shot:

Back to top of page>

========================================

8. What happens with Exchange and Outlook when when DNS goes down?

Exchange uses its Own fault tolerent serivice DSaccess that is responsible for providing directory information to exchagne servers. DsAccess fires every 15 minutes will change the server it relies on on its own DC DSAccess location process. For more info on its process, see:

Directory service server detection and DSAccess usage
http://support.microsoft.com/kb/250570

But in addition, this goes back to the depending on on the client side resolver as well, which I covered above under the, “If one DC is down, why does it not logon to the other DC? Or If first DNS
is down, will it use the second DNS to find another DC to logon?”

Also with Exchange involved, it becomes a little trickier. Keep in mind, when Outlook 2002 and newer first connects, it is provided a DsProxy value for the GC that Exchange is using. Outlook will now cache it. If the GC goes down, even if there are other GCs up, Outlook will not ‘look’ for another GC. You have to literally restart Outlook. As for Exchange, Exchange will lock onto that GC as well, and if it goes down, it will indicate so in the event logs with numerous DSAccess errors until the GC is back up. The only way to circumvent that is to go into Exchange and manually change the DC/GCs
it was discovered with the automatic discovery process and changing it to manual and remove the downed GC. But the Outlook clients will still need to be restarted. However if you have multiple Exchange servers, it needs to be done on each one. If you have ISA, it needs to be restarted. Otherwise, it’s best to get the GC back up, and Exchange errors will disappear, however Outlook will still have a problem.

I’ve seen this while working in a 5000 user system with 20 Exchange servers. It was due to the AD group running Windows updates on the DCs. We talked them into doing it after hours. It was a pain. If you have BES servers, they need to be restarted after the GC is back up, too.

Keep in mind as well, that other Exchange related applications that rely on MAPI just as Outlook, such as BES servers (Blackberry Enterprise Server), need to be restarted for them to reinitialize.

Keep in mind too, that in a single domain scenario, all DCs should be Global Catalogs. If there are more than one domain in the forest (child domains), then the IM role cannot be on a GC. If Exchange is involved, access to Exchange may be affected by the GCs and DCs it’s been configured to use, and whether they are down or not. This would not be a DNS function, rather it is the DSAccess and DSProxy function on Exchange.

I hope that makes sense.

Also I am providing some links on it, however, sorry about all the links, however they will give you a better understanding of it and how it applies. They all give little but in some cases not the whole picture. The DNS Whitepaper is pretty good to start with.

Back to top of page>

========================================

9. Client side DNS Devolution on Windows 7 and Windows 2008 R2

Devolution is when the parent suffix is derived when there are child suffixes. For example, if in a machine is joined to a child domain “sales.test.com,” then “test.com” is devolved from “sales.test.com.”

Therefore, if “fileserver1” is not resolved in “sales.test.com” the client side resolver service on a client (keep in mind, DCs are DNS clients, too), will attempt to resend the query with the parent suffix.

It is best to design your forest infrastructure with unique hostnames so if “fileserver1” doesn’t exist in a child, it doesn’t exist anywhere else. Having a computername called “fileserver1” in a child domain and another domain, is not a good practice, nor is it a best practice. Uniqueness is the key across a forest.

DNS Devolution
Published: October 21, 2009, Updated: July 7, 2010, Applies To: Windows 7, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ee683928(WS.10).aspx

Quoted:
Devolution is not enabled in Active Directory domains when the following conditions are true:
1. A global suffix search list is configured using Group Policy.
2.The Append parent suffixes of the primary DNS suffix check box is not selected on the DNS tab in the Advanced TCP/IP Settings for IPv4 or IPv6 Internet Protocol (TCP/IP) Properties of a client computer’s network connection. Parent suffixes are obtained by devolution.

Back to top of page>

========================================

10. How does resolution work in a multi-domain forest (with child domains)?

If you have a hostname record, for example, called “Computer,” in both the parent domain and child domains, nslookup will resolve the IP address of hostname.domain.local without query or using the child domain suffix. This is part of the devolution process that starts with the higher level domain and works down.

Further, if you have a hostname record, for example, called “Computer,” in both the parent domain and child domains, nslookup will resolve the IP address of hostname.domain.local without query or using the child domain suffix. This is part of the devolution process that starts with the higher level domain and works down. The devolution to the upper hierarchal levels is limited to the forest root domain level in the forest.

For example, if you have a forest root of ad.domain.local, and you have a child domain called child.ad.domain.local, the client side resolver will limit devolution of it’s joined domain and to the forest root domain, and will not go any higher, and will not devolve or populate domain.local as a Search Suffix, since that domain name does not exist in the forest.

Therefore, if you have a DNS suffix search list, the resolver adds those DNS suffixes in order and does not try any other domain names. In this case, if you submit the unqualified name ‘Computer,’ the resolver queries in order for the following FQDNs:

hostname.domain.local
hostname.child.domain.local

Based on the example, below shows that such a client in this scenario will only devolve the following two, and not “domain.local,” as was previous to Vist/2008.

child.ad.domain.local
ad.domain.local

More info on this behavior:

Host Name Resolution Order
http://support.microsoft.com/kb/172218/en-us

Configuring Query Settings:
http://technet.microsoft.com/en-us/library/cc959339.aspx

DNS client name resolution behavior in windows vista VS Windows XP
http://blogs.technet.com/b/networking/archive/2009/04/16/dns-client-name-resolution-behavior-in-windows-vista-vs-windows-xp.aspx

Back to top of page>

========================================

11. Troubleshooting the Browser Service

Keep in mind, each subnet has it’s own master browser, and they work together with the WINS service using WINS, to enumerate an infrastructure wide browse list. If not using WINS, it uses broadcasts, but if you are in a multi-subnetted environment, and you want full browsing capabilities, it’s suggested to use WINS.

We have to keep in mind with troubleshooting the browser service, there is a time period you have to wait for the list to fully enumerate and become available on the master.

Good example is when a server is shut off on a segment, and the workstations kick in, or the server is rebooted, wins the election, and begins a new cycle to enumerate the browse list from WINS and/or broadcasts. This can take a minimal of 12 minutes, upwards to the 48-minute full propogation cycle in a multiple-segment domain environment.

And the default settings out-of-the-box, works fine, otherwise you’ll find yourself trying to change reg entries on multiple servers.

If you find workstations are becoming masters, are there any server operating systems on their subnets? If not, then a workstation will win as a master. If there is a server OS, and it’s not multihomed, especially if a DC on the subnet and it’s not multihomed (multihoming a DC is a really bad idea), then it should win, unless there’s a problem with the machine itself, such as some sort of security setting in your antivirus blocking traffic, or firewall blocking traffic on it.

Some basic things to look for and use:

Make sure the Computer Browser service is Started.
Make sure NetBIOS is enabled on everything.
On Windows 2003 and 2000, install the Support Tools (from the Windows CDROM) in order to have the “browstat” utility available. In Windows 2008 and newer, the utility is already installed as part of the operating system files.

Multihomed DC?

Note: A multihomed DC is a major cause of browser problems. Multhoming DCs is not recommended for multiple reasons, including a “Multihomed Browser” scenario. More info regarding multihoming and why not to do it:

Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters – A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly.
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

Browser Troubleshooting Steps

If there are any antivirus software, it could block browser traffic. This of course is all assuming that the Computer browser service is running.

Run a browstat status to see who the browse master is for the segment. If it’s not the PDC Emulator, and some other device won the election, that can cause a problem.

To check current status of the browse service on the domain, run:

browstat status

You should get a response similar to:

Browsing is active on domain.
Master browser name is: <serverName>

Note, the machine that is the current master browser will either be, depending if the machine type exists on the segment: the PDC Emulator, a replica DC on the segment, a member server, joined workstation, or workgroup member, Unix or Linux with SAMBA, etc. If you find a device is winning the election, then we need to disable that ability in the device. If there are no features for that, contact their support department, or put the device behind it’s own subnet or VLAN to prevent it from winning the election on the production network.

To find the current browse master on a segment, you’ll have to find the TransportID:

First run:

browstat getmaster \device\netbt_el59x1 <domainname>

It will error out because the “netbt_el59x1” probably doesn’t exist, and will respond with the transports currently bound to the browser. Copy and paste the transport that does show up into your next command:

browstat getmaster \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>

Force an election by running:

browstat elect \device\netbt_ieepro1 <domainname>

Then check the event logs to see which machine won the election. If it’s a device, such as I’ve found that Linux/Unix with SAMBA, or devices such as a Seagate NAS, may win the election and cause browsing havoc within an environment and get that familiar, but unwanting “Access Denied” when trying to browse.

Troubleshooting the Microsoft Browser Services:
http://support.microsoft.com/kb/188305

Back to top of page>

========================================

Summary

I hope this helps! If you have any questions, and I’m sure you do, please feel free to reach out to me.

Major revision – Published 3/20/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Mobility

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

March 31, 2018March 31, 2018

Removing Orphaned Populated msExchangeDelegateLinkList and msExchangeDelegateLinkListBL Automapping Attributes

By Ace Fekay
Published 5/11/2017
Revamped 3/31/2018 – Added the option to selectively remove BLs without removing FullAccess permissions to the shared mailbox

Scope

How to remove a shared mailbox that keeps showing up in your Outlook profile that you’ve been removed as a delegate.

This shows how to remove the mailbox permissions and to re-add, and I just added how to simply just remove the backlinks WITHOUT removing FullAccess permissions. The users in this case, must re-add the mailbox in Outlook once it disappears from their profile.

Automapping

Automapping is an Autodiscover feature that was added to Exchange 2010 SP1 and newer, that allows Outlook to automatically add a delegated mailbox without additional tasks.

Autodiscover looks at the mailbox owner’s AD account for an attribute called the MSExchDelegateListLink attribute.

When you use the EAC or PowerShell to delegate permissions to a shared mailbox or to another user, Exchange will automatically set the Automapping feature to $True. In PowerShell you can disable this, but not in the EAC.

This feature populates the MSExchDelegateListLink attribute on the shared or delegated mailbox with the user accounts that will be Automapped, and vice-versa, it also populates the MSExchDelegateLinkListBL attribute on the user account. I look at this as the “back link” to the shared mailbox.

These two attributes are one of nine (9) links and backlinks that exist. Here’s a list of all links and backlinks in AD and more specifics can be found at the following link:
http://www.neroblanco.co.uk/2015/07/links-and-backlinks-in-active-directory-for-exchange/

Outlook, Autodiscover, and those attributes

When Outlook fires up, and while running, part of what Autodiscover process performs is it will check these two attributes to determine if there are any shared mailboxes that must be automatically added to the Outlook profile. In some cases using a managed process for shared mailboxes, we may want this feature disabled so the shared mailbox does not get automatically added.

Orphaned Backlink is still populated and the mailbox still shows up in Outlook

If the user was previously delegated to a shared mailbox, then the delegated per,missions were removed, but for some reason, perhaps replication or corruption, or some other unforeseen factor (large environments fall under this category), the shared mailbox still shows up and you can’t get rid of it, and further, since you no longer have permissions, you can’t open it. This will cause the shared or delegated mailbox to still show up in Outlook. But you can clearly see in EAC or running a get-mailboxpermission that the user is no longer delegated.

Example of an account with the msExchDelegateLinkListBL still populated:

How to remove it?

First, establish your PowerShell session to Exchange OnPrem or your Office 365 tenant. If unsure how, see this:
http://blogs.msmvps.com/acefekay/2017/05/11/establishing-a-powershell-session-to-your-office-365-tenant-or-onprem-exchange/

Determine, if any, links or backlinks exist on the shared mailbox:

Get-ADUser “SharedMailboxDisplayName” -Properties msExchDelegateListLink | Select-object -ExpandProperty msExchDelegateListLink

If any show up, you’ll see their sAMAccountNames. If you don’t know who the sAMAccountNames are and you want to see their displayNames, run the following (this command works for DNs, too):

For one account:
get-aduser sAMAccountName -Properties displayName,mail | ft Name, DisplayName, mail -A

For a list of accounts in a text file:
get-content c:\temp\names.txt | get-aduser -Properties displayName,mail | ft Name, DisplayName, mail –A

Then remove the msexchDelegateLinkListBL orphaned backlink and FullAccess permissions to the shared mailbox

Note: I’m using the shared mailbox’s displayName. This will also work using the sAMAaccountName or the primary email address.

For one account:
Remove-MailboxPermission “SharedMailboxDisplayName” -user $_ –AccessRights FullAccess -Confirm:$false

For a list of accounts in a text file:
get-content c:\temp\ace\userIDs\users.txt | foreach {Remove-MailboxPermission “SharedMailboxDisplayName” -user $_ –AccessRights FullAccess -Confirm:$false}

Then if needed, delegate the shared mailbox again & disabling Automapping

Delegate Ace to a shared mailbox:
Add-MailboxPermission “Shared Mailbox Name or email address” -User AceFekay@contoso.com -AccessRights FullAccess -AutoMapping:$false

To just remove the backlink WITHOUT removing permissions

Note, using this method, the shared mailbox will automatically disappear from the Outlook profile. As soon as it does, you must manually re-add the shared mailbox either under the user account properties, where the permissions are proxied through the user account, which is the same as if it were Automapped, or as a separate account, which provides better features including sent and deleted items go into the shared mailbox itself instead of the mailbox owner under an automapped account or added under the user account.

To remove all BLs all at once:

#########################################################
#Remove the MSExchDelegateListBL from an account

$userToClean = “I061859”
$userDN = Get-ADUser $userToClean | select -ExpandProperty DistinguishedName
$delegates = Get-ADUser $userToClean -Properties msExchDelegateListBL | select -ExpandProperty msExchDelegateListBL
Write-Host “======================================================”
write-host “List of Delegated accounts that are backlinked:” $Delegates
Write-Host “======================================================”
foreach ($delegate in $delegates) {
Set-ADUser $delegate -Remove @{msExchDelegateListLink = “$UserDN”}
}
Write-Host “======================================================”
Write-Host “If the following get-aduser cmdlet searching for backlinds is empty, then all delegated backlinks have been removed”
Get-ADUser $user -Properties msExchDelegateListBL | select -ExpandProperty msExchDelegateListBL
Write-Host “======================================================”

To remove specific BLs one at a time:

# 1. Find the list of users in a shared mailbox that have been backlinked.
# Note, as said, this is only for removing users that have requested it, unless you are working on removing all, which use the above

$SharedMailboxOrUserDisplayName = “Shared Mailbox Display Name”
$SharedMailboxOrUser = (get-recipient “$SharedMailboxOrUserDisplayName”).name
Write-Host “======================================================”
Write-host “Shared Mailbox sAMAccountName:” $sharedMailboxorUser
Write-host “List of Users (or ‘Delegates’) that currently have Backlinks on Shared mailbox ‘$sharedMailboxorUser’ :”
Get-ADUser $SharedMailboxOrUser -Properties msExchDelegateListLink | Select-object -ExpandProperty msExchDelegateListLink | get-aduser -Properties displayName,mail | ft Name,DisplayName,mail -A
write-host “======================================================”

# 2. Then enter the user account name from the above list that you want to remove, and then find the user’s DN:
$UserToClean = “User sAMAccountName”
$userToCleanDisplayName = (get-recipient $UserToClean).displayName
$userDN = Get-ADUser $UserToClean | select -ExpandProperty DistinguishedName
Write-Host “The DN of ‘$userToCleanDisplayName’ ($UserToClean) that you want to clean is: ” $userDN
Write-Host “======================================================”
write-host “List of Backlink DNs that you want to remove from $UsertoClean :”
Write-Host
Get-ADUser $UserToClean -Properties msExchDelegateListbl | select -ExpandProperty msExchDelegateListBL

Write-Host “======================================================”

# 3. Remove the MSExchDelegateListBL from my account or an account that was migrated to the cloud that previously had a MSExchDelegateListBL
# Just have to run this, the BL gets removed after you run it
# This does not remove any AccessRights to the Mailbox, it just removes the automapping

Set-ADUser $UserToClean -Remove @{msExchDelegateListLink = (Copy and Paste the Backlink DN of the specific shared mailbox from the previous list that you want to remove) }

# 4. Then check to see if it worked:
Get-ADUser $UserToClean -Properties msExchDelegateListBL | select -ExpandProperty msExchDelegateListBL
Get-ADUser $UserToClean -Properties msExchDelegateListLink | select -ExpandProperty msExchDelegateListBL

==========================================================

Summary

I hope this helps!

Published 5/18/2017

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

March 27, 2018March 27, 2018

Exchange or Office 365 Mailbox Dumpster Report

By Ace Fekay
Published 2/21/2018

Intro

This is another quick script to enumerate what’s in the dumpster, that I’ve created to help my day to day tasks. I hope you find it helpful.

Scope

This script enumerates an Exchange or Office 365 Dumpster, Purges, and Versions folders.

Note:

Dumpster and Deletions Report provides Size Values for the mailbox
Deleted items’, ‘Recover Deleted Items’ (Dumpster), and ‘Purges’ values.
Does not apply to Mailusers” -ForegroundColor cyan
*** If Lit Hold is present, Recover and Purges will be larger and must be ignored.) ***

The ‘Recoverable Items’ folder contains the following subfolders

Recoverable Items: This is the total amount combined in Deletions, Calendar Logging, Purges, and Versions.
Calendar Logging: For Calendar diagnostic purposes
Deletions: Recover Deleted Items or the ‘Dumpster'”
This subfolder contains all items deleted from the Deleted Items folder.
Versions: If In-Place Hold or Litigation Hold is enabled:
This subfolder contains the original and modified copies of the deleted items.”
Purges: If either Litigation Hold or single item recovery is enabled:”
This subfolder contains all items that are hard deleted.

Script

I did not make this into a function, although it can easily be converted. To run it, for the $RecipientName variable, just enter the username, email address, displayName, or their sAMAccountName, and fire away.

“======================================================”
$RecipientName = “user’s email address, DisplayName, or sAMAccountName”
$RecipientDisplayName = (get-recipient $RecipientName).displayname

Optional (for reporting purposed):

$RecipientNetBIOSName = (get-recipient $RecipientName).name
$RecipientPrimAlias = (get-recipient $RecipientName).PrimarySmtpAddress

“======================================================” -ForegroundColor Cyan
write-host “Dumpster and Deletions Report for ‘$RecipientDisplayName’ ($RecipientName) (Does not apply to Mailusers or Contacts):” “$(get-date)” -ForegroundColor Yellow
     Write-host “======================================================”
Write-host “Dumpster and Deletions Report provides Size Values for the mailbox ‘Deleted items’, ‘Recover Deleted Items’ (Dumpster), and ‘Purges’ values.” -ForegroundColor Cyan
     Write-Host “Does not apply to Mailusers” -ForegroundColor cyan
     Write-Host “*** If Lit Hold is present, Recover and Purges will be larger and must be ignored.) ***” -ForegroundColor Red
     Write-Host “***”
     Write-host “The ‘Recoverable Items’ folder contains the following subfolders:” -ForegroundColor Yellow
     Write-Host ”   Recoverable Items: This is the total amount combined in Deletions, Calendar Logging, Purges, and Versions.”
     Write-Host ”   Calendar Logging: For Calendar diagnostic purposes”
     Write-Host ”   Deletions:         Recover Deleted Items or the ‘Dumpster'”
     Write-host ”                      This subfolder contains all items deleted from the Deleted Items folder. “
     Write-Host ”   Versions:          If In-Place Hold or Litigation Hold is enabled:”
     Write-Host ”                      This subfolder contains the original and modified copies of the deleted items.”
     Write-Host ”   Purges:            If either Litigation Hold or single item recovery is enabled:”
     Write-host ”                      This subfolder contains all items that are hard deleted.”
     Write-host “======================================================” -ForegroundColor Cyan
Get-MailboxFolderStatistics $RecipientName -FolderScope RecoverableItems | ft Name,FolderAndSubfolderSize, @{name=”LitigationHoldEnabled”;expression={(Get-mailbox $RecipientName).LitigationHoldEnabled}} –a
##########################################################

Report Output

(Watch the word-wrap):

=================================================================================================
Dumpster and Deletions Report for ‘User DisplayName’ (SAP Legal Operations) (Does not apply to Mailusers): 03/27/2018 11:22:01
=================================================================================================
Dumpster and Deletions Report provides Size Values for the mailbox ‘Deleted items’, ‘Recover Deleted Items’ (Dumpster), and ‘Purges’ values.
Does not apply to Mailusers
*** If Lit Hold is present, Recover and Purges will be larger and must be ignored.) ***
***
The ‘Recoverable Items’ folder contains the following subfolders:
    Recoverable Items: This is the total amount combined in Deletions, Calendar Logging, Purges, and Versions.
    Calendar Logging: For Calendar diagnostic purposes
    Deletions:         Recover Deleted Items or the ‘Dumpster’
                       This subfolder contains all items deleted from the Deleted Items folder.
    Versions:          If In-Place Hold or Litigation Hold is enabled:
                       This subfolder contains the original and modified copies of the deleted items.
    Purges:            If either Litigation Hold or single item recovery is enabled:
                       This subfolder contains all items that are hard deleted.
=================================================================================================

Name              FolderAndSubfolderSize     LitigationHoldEnabled
—-              ———————-     ———————
Recoverable Items 1.32 MB (1,383,783 bytes)                  False
Calendar Logging 0 B (0 bytes)                              False
Deletions         1.196 MB (1,253,945 bytes)                 False
Purges            126.8 KB (129,838 bytes)                   False
Versions          0 B (0 bytes)                              False

Clear on the picture for a full view:

Summary

I hope this helps!

Published 3/27/2018

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

March 20, 2018March 20, 2018

What DNS Zone type should I use, a Stub, Conditional Forwarder, a Forwarder, or a Secondary Zone?? What’s the Difference??

By Ace Fekay
Originally Published 2012
Updated 3/20/2018

Intro

Ace again. DNS is a basic, yet important requirement that many still having problems wrapping their head around it.

Besides design, a huge part of DNS is understanding the differences between the zone types. Many have asked, when do I use a Stub zone, a Conditional Forwarder, or a Forwarder? Or better, what’s the difference?

I thought to put this simple comparison together compiled from past posts in the TechNet Forum.

Partner Organization DNS Resolution: What should I use, a Stub, Conditional Forwarder or Forwarder?

Secondary Zone

Secondary zones are read only copies “copied,” or “zone transferred” from a Master zone. This makes the zone data available locally (as read only, of course), instead of querying a DNS server across a WAN link. However, in many cases Secondaries are not used due to many limitations and security concerns, such as exposing all DNS zone data that a partner may not want to divulge.

In addition, Secondaries can’t be AD integrated, and the zone data is stored in a text file. So you would have to manually create a copy on all of your DNS servers.

Stub Zone

Organizations own their own AD zones. When business partners need to resolve data at a partner’s organization, there are a few options to support this requirement. Years ago, prior to Stub or Conditional Forwarders, there weren’t many options to handle this other than to use Secondary Zones and keep copies of each others zones via zone transfers. While the solution worked well in regards to name resolution, it was not the best security-wise, due to trust level between partners, because zone data is fully exposed at the partner. This became a security concern because the partner is able to see all of their business partner’s records. When the zone was transferred to partners, who knows what they were doing with the information. If the information was made public, attackers would have a field day with all of the IPs for the networked devices.

When stub zones were made available, it became a solution to overcome this security issue. What is also beneficial about Stubs, is you can AD integrate them instead of manually creating a Stub on each individual DC. This way the zone will be available domain or forest-wide, depending on replication scope.

However, some may say due to the fact that the SOA records are included in the zone file, it may be a concern that the SOA and NS data is exposed. In such high security concerns, the better solution would be to use a Conditional forwarder.

Conditional Forwarder

This option is heavily used, and many look at them as the best regarding security concerns with zone data exposure, because no data is exposed. This option has worked very well in many environments.

With Conditional Forwarders, no information is being transerred and shared. The only thing you would need to know is one or more of your business partner’s DNS server IPs to configure it, and they don’t have to be the SOA, rather any DNS server that hosts the zone or that has a reference to the zone.

However, it does require open communication and let each other know when their DNS server IPs may change, because you must manually set them.

Windows 2003 introduced Conditional Forwarders, but it did not have the option to make it AD Integrated. If you have 10 DNS servers, you must create the Conditional Forwarder on each server manually. The AD integrated option was added to Windows 2008 or newer DNS servers, so you don’t have to manually create them on each DNS server. THis way the Conditional Forwarder will be available domain or forest-wide.

Parent-Child DNS Zone Delegation

Delegation can be used in a situation where a child domain host their own DNS zone. Therefore in the forest root domain, you would create a delegation zone with the IPs of the DNS servers in the child domain. This is normally performed when the child zone have their own administrators. It’s also useful they do not have access to “see” all of the forest root DNS records.

Summary

I hope this helps! If you have any questions, and I’m sure you do, please feel free to reach out to me.

Major revision – Published 3/20/2018

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

March 20, 2018March 24, 2018

Get-Rules

By Ace Fekay
Published 2/21/2018

Intro

This is another quick script I created to help my day to day tasks. I hope you find it helpful.

Like I said before, I’m far from being an expert, but I continue to read up on it, research, and ask lots of questions. The more you work at something, the more you get something out of it. Ever play pool?

Scope

This script will enumerate the Inbox rules for a mailbox. You will have four options:

List of rules without a description using FT
List of rules with a description using FT
Rules listed individually using FL
Rules sent to a CSV file named based on the user account entered

Get-Rule Script

Copy and paste the following into notepad, and save it as Get-UserList.ps1, and run it to load the function.

#################################\\\\\\\\\\\\\\\\////////////////#################################
# This script will:
# 1. Read a console entry for a user accounts, whether a sAMAccountName, alias, or email address
# 2. Provide a list of rules without descriptions
# 3. Provide a list of rules with descriptions
#
#    .SYNOPSIS
#    Lists a User’s Mailbox InboxRules
#
#    .DESCRIPTION
#    Enumerate Inbox rules with and without a description
#
#    .PARAMETER User
#    Specific user you want to search for.
#
#    .PARAMETER Description
#    You want the rules listed out individually with a description
#
#    .PARAMETER NoDescription
#    You want the rules listed out in table format without a description
#
#    .PARAMETER NoDescription
#    You want the rules listed out in table format without a description
#
#################################\\\\\\\\\\\\\\\\////////////////#################################
# Variables

$RecipientName = “I823135”
$RecipientDisplayName = (get-recipient $RecipientName).displayname
$RecipientNetBIOSName = (get-recipient $RecipientName).name
$RecipientPrimAlias = (get-recipient $RecipientName).PrimarySmtpAddress

# Script

Function Get-Rules {
[CmdletBinding()]
Param (
[Parameter(Position=0,Mandatory=$true)]
[string]$RecipientName,

[Parameter(Mandatory=$false)]
[switch]$Description,

[Parameter(Mandatory=$false)]
[switch]$NoDescription,

[Parameter(Mandatory=$false)]
[switch]$IndividualList,

[Parameter(Mandatory=$false)]
[switch]$CSVFile
)

$RecipientDisplayName = (get-recipient $RecipientName).displayname
$RecipientNetBIOSName = (get-recipient $RecipientName).name
$RecipientPrimAlias = (get-recipient $RecipientName).PrimarySmtpAddress

#If -Description was selected – Inboxrules to Console Screen:
If ($NoDescription) {
Write-Host “=================================================================================================” -ForegroundColor Cyan
Write-Host “You’ve selected to List the Inbox Rules to the Console Without a Description” -ForegroundColor Magenta
write-host “INBOX Rules for Mailbox ‘$RecipientDisplayName’ ($Recipientname):” “$(get-date)” -ForegroundColor Yellow
Write-Host “=================================================================================================” -ForegroundColor Cyan
Get-InboxRule -mailbox $RecipientName -IncludeHidden | ft @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,forward*,RedirectTo,movetofolder,inerror,errortype -Wrap -a
Write-Host “=================================================================================================” -ForegroundColor Cyan
}

#If -NoDescription was selected – Inboxrules to Console Screen :
If ($Description) {
Write-Host “You’ve selected to List the Inbox Rules to the Console With a Description” -ForegroundColor Magenta
write-host “INBOX Rules for Mailbox ‘$RecipientDisplayName’ ($Recipientname):” “$(get-date)” -ForegroundColor Yellow
Write-Host “=================================================================================================” -ForegroundColor Cyan
Get-InboxRule -mailbox $RecipientName -IncludeHidden | ft name,enabled,priority,ruleidentity,RedirectTo,movetofolder,inerror,errortype,description    -Wrap
#    Get-InboxRule -Mailbox $RecipientName -IncludeHidden | ft -AutoSize
#    (Get-InboxRule -Mailbox $RecipientName -IncludeHidden | ft -AutoSize).count
# FL –      Get-InboxRule -mailbox $RecipientName -IncludeHidden | fl @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,forward*,RedirectTo,movetofolder,inerror,errortype,description
# Select – Get-InboxRule -mailbox $RecipientName -IncludeHidden | select @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,forward*,RedirectTo,movetofolder,inerror,errortype,description
Write-Host “=================================================================================================” -ForegroundColor Cyan
$TotalRulesCount = ((Get-InboxRule -mailbox $RecipientName -IncludeHidden | measure-object).count)
Write-Host “Total Number of rules for $Recipientname is” $TotalRulesCount -ForegroundColor Magenta
Write-Host “=================================================================================================” -ForegroundColor Cyan
}
#################################\\\\\\\\\\\\\\\\////////////////#################################

#If -IndividualList is selected
If ($IndividualList) {
Write-Host “You’ve selected to list each InboxRule individually” -ForegroundColor Magenta
write-host “INBOX Rules for Mailbox ‘$RecipientDisplayName’ ($Recipientname):” “$(get-date)” -ForegroundColor Yellow
Write-Host “=================================================================================================” -ForegroundColor Cyan
Get-InboxRule -mailbox $RecipientName -IncludeHidden | fl @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,forward*,RedirectTo,movetofolder,inerror,errortype,description
Write-Host “=================================================================================================” -ForegroundColor Cyan
$TotalRulesCount = ((Get-InboxRule -mailbox $RecipientName -IncludeHidden | measure-object).count)
Write-Host “Total Number of rules for $Recipientname is” $TotalRulesCount -ForegroundColor Magenta
Write-Host “=================================================================================================” -ForegroundColor Cyan
}
#################################\\\\\\\\\\\\\\\\////////////////#################################

If ($CSVFile) {
#####################################################################################
#Inboxrules to CSV file
Write-Host “=================================================================================================” -ForegroundColor Cyan
Write-Host “You’ve selected to send the Inbox Rules to a CSV file.” -ForegroundColor Magenta
Write-host
Write-Host “Rules list was sent to a CSV file located at ***C:\temp\InboxRules-for-$RecipientName.csv***” -ForegroundColor Yellow
$TotalRulesCount = ((Get-InboxRule -mailbox $RecipientName -IncludeHidden | measure-object).count)
Write-Host
Write-Host “Total Number of rules for $Recipientname is” $TotalRulesCount -ForegroundColor Magenta
#Write-Host “=================================================================================================” -ForegroundColor Cyan
Get-InboxRule -mailbox $RecipientName -IncludeHidden | select @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,description | export-csv “C:\temp\InboxRules-for-$RecipientName.csv”
Write-Host “=================================================================================================” -ForegroundColor Cyan
} }

How to run it

Create a list in notepad, save it as a txt file in c:\temp, or anywhere else and reference that in the script, then run:

get-Rules aceman –description –nodescription –individuallist –csv

Summary

I hope this helps!

Published 2/21/2018

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

March 20, 2018

Listing SendAs and SendOnBehalf Permissions

By Ace Fekay
Published 3/20/2018

Intro

Ace here again.

There are a number of tools that you can use in your day to day AD and Exchange management. This includes Office 365 Hybrid, but we’ll assume that you are performing one way sync to the cloud, and only replicating MSOL attributes back to on premises, so you can manage them locally, for the most part.

This is about getting SendAs and SendOnBehalf rights on a mailbox

SendAs

(Watch word-wrap)

Write-Host “*****************************************************************”
$Mailbox = Ace.Fekay@MSOLUser.com
$MailboxDisplayName = (get-recipient $Mailbox).displayName
Write-Host “///////////////////////////////—-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\”
Write-Host “*****************************************************************”
Write-host “The following is a list of who has SendAs permissions for ‘$MailboxDisplayName’ :”
Write-Host “*****************************************************************”
Get-recipient $Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT user, @{name=”User’s DisplayName”;expression={(Get-recipient $_.User).Displayname}}, extendedRights -AutoSize
$MailboxCount = @(Get-recipient $Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)}).count
Write-Host “Total number of users that can SendAs on contact ‘$MailboxDisplayName’ is” $MailboxCount
Write-Host “*****************************************************************”

Write-Host “\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\—-///////////////////////////////”
Write-Host “*****************************************************************”

SendOnBehalf

(Watch word-wrap)

Write-Host “*****************************************************************”
$Mailbox = Ace.Fekay@MSOLUser.com
$MailboxDisplayName = (get-recipient $Mailbox).displayName
Write-host “The following is a list of who has SendOnBehalf permissions for ‘$MailboxDisplayName’ :”
Write-Host “*****************************************************************”
# – property not found – $sendonbehalfList = (get-recipient $Mailbox | select -ExpandProperty GrantsendOnBehalfto | foreach { Get-Mailbox $_ | select displayname, name})
$sendonbehalfList = (get-mailbox $Mailbox | select -ExpandProperty GrantsendOnBehalfto | foreach { Get-Mailbox $_ | select displayname, name})
#Get-recipient $Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “Grant*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT user, @{name=”User’s DisplayName”;expression={(Get-User $_.User).Displayname}}, extendedRights -AutoSize
Write-Host “And the list of who have SendOnBehalf on ‘$MailboxDisplayName’ is:” $SendonBehalfList
Write-Host “*****************************************************************”

Example output:

*****************************************************************
///////////////////////////////—-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
*****************************************************************
The following is a list of who has SendAs permissions for ‘Fekay, Ace’ :
*****************************************************************
User            User’s DisplayName                           ExtendedRights
—-            ——————                                          ————–
Contoso\AFekay-Admin Fekay, Ace (Admin Only) {Send-As}

Total number of users that can SendAs on contact ‘Fekay, Ace’ is 1
*****************************************************************
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\—-///////////////////////////////
*****************************************************************

Summary

I hope this helps!

Published 3/20/2018

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

Complete List of Technical Blogs (I may be moving the following site): http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

February 22, 2018February 22, 2018

Get-UserList

By Ace Fekay
Published 2/21/2018

Intro

Ace here again. I’ve been playing more and more with scripting and well, I’m far from being an expert, but I continue to read up on it, research, and ask lots of questions.

I thought to share this cool function to enumerate a list of sAMAccountNames and email addresses and validate if the account exists. There isn’t anything out there like this at the moment, at least that I could find, which prompted its creation.

Kudos to my colleague Gamal. that helped me with this script.

Scope

Ever had a list of user accounts that you want to run the Exchange PowerShell cmdlet Get-Recipient to list their email addresses and displayNames, etc?

And the list is mixed with sAMAccountNames, email addresses, and displayNames, and worse, there are spaces and empty lines in the list, and further, they include bunch of accounts that don’t exist that give you that awesome (yea right) RED errors on your screen?

And you have to clean up the list first. Isn’t that a pain to clean it up before you run it?

Here’s a quick function to clean up the list, then enumerate and validate the list, reporting in almost any way you like that also tells you which accounts are invalid, without all those errors.

Get-Recipient

I decided to use Get-Recipient because the Get-Mailbox cmdlet won’t work if the account is a MailUser, Contact, or DL.

Quick script to enumerate and count, but without account validation

(Get-content “c:\temp\email-addresses.txt”) | ? {$_.trim() -ne “” } | set-content “c:\temp\user-list.txt”
$File = ((Get-content “c:\temp\user-list.txt”)).Trim()
$File | get-recipient -Properties PrimarySmtpAddress ,displayName,name | ft Name,DisplayName, prim* -A
Write-Host “Total count:” ($file).Count

Script to enumerate and count, with account validation

Copy and paste the following into notepad, and save it as Get-UserList.ps1, and run it to load the function.

#################\\\\\\\\\\\\\\\\////////////////#################
# This Function (or script without the Function tag) will:
# 1. Reads a text file with mixed sAMAccountName, DisplayNames,
# or primary email alias (recommended to not use displayNames)
# 2. Clean up white spaces and empty lines in the list
# 3. Searches and performs a validity check creating a report that
# indicates active and inactive accounts
#
# Usage: Create a file of sAMAccountNames and email addresses,
# save it as a text file, then run Get-UserList
#
# Credit to my colleague Gamal for helping to create this cool script
#################\\\\\\\\\\\\\\\\////////////////#################
Function Get-UserList {

function change-color-red
{
process {Write-Host $_ -ForegroundColor DarkRed}
}
############
$EmailAddressList = “C:\temp\user-list.txt”
$File = ((Get-content $EmailAddressList) | Where-Object {$_.trim() -ne “” }).Trim()

$output = $File | ForEach-Object {

    $exists = if((Get-recipient $_ -erroraction SilentlyContinue)) {
                   Write-Output “Yes”
               }
             else {
                 Write-Output “Does not exist”
             }
     $recipient = Get-Recipient $_ -ErrorAction SilentlyContinue

    $hash = @{‘Name’ = $_;
               ‘Does-Account-Exist?’ = $exists;
               ‘userID’ = $recipient.SamAccountName
               ‘DisplayName’ = $recipient.DisplayName
               ‘Email’ = $recipient.PrimarySMTPAddress
       }

     New-Object psobject -Property $hash
}
Write-Host “******************************************************************************”
$output | ft name,UserId, DisplayName, Email, Does-Account-Exist? -AutoSize | Out-Host
Write-Host “******************************************************************************”
Write-Host “There is/are $(($output).Count) account(s) in the queried user access list.” -ForegroundColor Magenta
Write-Host “Out of the list of users, there is/are $(($output | Where-Object Does-Account-Exist? -EQ ‘Yes’).count) Active account(s).” -ForegroundColor Cyan
Write-Host “Out of the list of users, there is/are $((($output | Where-Object Does-Account-Exist? -EQ ‘Does not exist’) | Measure-Object).count) Inactive account(s).” -ForegroundColor Red
Write-Host “******************************************************************************”
Write-Host “Ref: Part of a Cool Scripts and Functions List! – Ace Fekay”
}
#################////////////////\\\\\\\\\\\\\\\\#################

User list file example

As you can see I’ve mixed up the input type. The first.last represents a saMAccountName,”Ace Fekay” represents a displayname, and of course, email addresses.

============================
Smith, John

Ace Fekay
tom.thumb@contoso.com

j.doe
m.smith
============================

If you have displayNames mixed in the file

Keep in mind, if the displayName is not an exact match, it will result in a “Does Not Exist.” In such cases if you need to look them up, add the –anr (for ambiguous name lookup) to the Get-Recipient cmdlet – there are two lines in the script wtih the Get-Recipient. Add –anr to both, as shown below:

$recipient = Get-Recipient -anr $_ -ErrorAction SilentlyContinue

However, if there are multiple similar names, then you won’t get an accurate report. I’d rather just not use it and just create a user list based on either email addresses or sAMAccount names.

How to run it

Create a list in notepad, save it as a txt file in c:\temp, or anywhere else and reference that in the script, then run:

get-Userlist

=====================

Summary

I hope this helps!

Published 2/21/2018

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

Complete List of Technical Blogs (I may be moving the following site): http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

May 22, 2017March 24, 2018

Removing Orphaned Populated msExchangeDelegateLinkList and msExchangeDelegateLinkListBL Automapping Attributes

By Ace Fekay
Published 5/11/2017

Scope

How to remove a shared mailbox that keeps showing up in your Outlook profile that you’ve been removed as a delegate.

To add, this is a big stickler especially with migrating from on-premises to Office 365, where the SendAs permission is now changed, because the permission must be re-assigned to the EXO object, the entity actually sending-As the email as another, and not the on-premises AD object. This also discusses how to remove the original Automapped BL (backlink).

Automapping

Automapping is an Autodiscover feature that was added to Exchange 2010 SP1 and newer, that allows Outlook to automatically add a delegated mailbox without additional tasks.

Autodiscover looks at the mailbox owner’s AD account for an attribute called the MSExchDelegateListLink attribute.

Outlook, Autodiscover, and those attributes

Orphaned backlink is still populated and the mailbox still shows up in Outlook

Example of an account with the msExchDelegateLinkListBL still populated:

How to remove it?

First, establish your PowerShell session to Exchange onprem or your Office 365 tenant. If unsure how, see this:
https://blogs.msmvps.com/acefekay/2017/05/11/establishing-a-powershell-session-to-your-office-365-tenant-or-onprem-exchange/

Determine, if any, links or backlinks exist on the shared mailbox:

Get-ADUser “SharedMailboxDisplayName” -Properties msExchDelegateListLink | Select-object -ExpandProperty msExchDelegateListLink

If any show up, you’ll see their sAMAccountNames. If you don’t know who the sAMAccountNames are and you want to see their displayNames, run the following (this command works for DNs, too):

For one account:
get-aduser sAMAccountName -Properties displayName,mail | ft Name, DisplayName, mail -A

For a list of accounts in a text file:
get-content c:\temp\names.txt | get-aduser -Properties displayName,mail | ft Name, DisplayName, mail –A

Then remove the msexchDelegateLinkListBL orphaned backlink:

Note: I’m using the shared mailbox’s displayName. This will also work using the sAMAaccountName or the primary email address.

For one account:
Remove-MailboxPermission “SharedMailboxDisplayName” -user $_ –AccessRights FullAccess -Confirm:$false

Then if needed, delegate the shared mailbox again & disabling Automapping

Delegate Ace to a shared mailbox:
Add-MailboxPermission “Shared Mailbox Name or email address” -User AceFekay@contoso.com -AccessRights FullAccess -AutoMapping:$false

============================================================

Summary

I hope this helps!

Published 5/18/2017

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

May 11, 2017May 18, 2017

Establishing a PowerShell Session to Your Office 365 Tenant or OnPrem Exchange

By Ace Fekay
Published 5/11/2017

Prelude

I’m working on posting more scripting blogs managing Active Directory, Office 365, and Exchange OnPrem, or On Premises.

And I stress the phrase, “On Premises,” and NOT “On Premise!”

Scope

Instead of repeating this procedure in each blog I write that has something to do about scripting where you must connect a PowerShell or an ISE session (I’d rather use ISE) to the tenant or OnPrem box, I thought to just put this together and reference the URL to connect. It’s easier and takes up less space on the blog with the actuals PS commands and scripts.

Office 365 tenant without ADFS

If you are not using multifactor auth or ADFS, open a PowerShell window and the run the following:

$MySession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $YourCred -Authentication Basic –AllowRedirection

This will prompt you for your credentials. Then import the session you just created:
import-pssession $MySession

If using a Proxy:

$MySession = New-PSSession -ConfigurationName Microsoft.Exchange –ConnectionUri https://ps.outlook.com/powershell/ -Credential $YourCred -Authentication Basic –AllowRedirection (New-PSSessionOption -ProxyAccessType IE)

This will prompt you for your credentials. Then import the session you just created:
import-pssession $MySession

Import AD Module:

I always import the Active Directory module so I can run AD tools. Of course, you will need AD permissions to modify, but anyone can read properties:

Import-module ActiveDirectory

Office 365 ADFS and/or Multifactor Auth

Go to http://aka.ms/exopspreview. It will open and create a PowerShell session specifically to assist with establishing a session with Office 365. Then run the following:

Connect-EXOPSSession -UserPrincipalName YourEmail@contoso.com -PSSessionOption

If using a Proxy:

Connect-EXOPSSession -UserPrincipalName YourUserNamea@contoso.com -PSSessionOption (New-PSSessionOption -ProxyAccessType IE)

Import the AD Module:

I always import the Active Directory module so I can run AD tools. Of course, you will need AD permissions to modify, but anyone can read properties:

Import-module ActiveDirectory

Exchange OnPrem

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://Exchange02.contoso.local/PowerShell/ -Authentication Kerberos
Import-PSSession $Session
Add-PSSnapin Microsoft.Exchange.Management.Powershell.Support

Import the AD Module:

I always import the Active Directory module so I can run AD tools. Of course, you will need AD permissions to modify, but anyone can read properties:

Import-module ActiveDirectory

============================================================

Summary

I hope this helps!

Published 5/11/2017

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

November 2, 2016March 24, 2018

Active Directory Trusts

Published 11/2016
Recompiled 3/2018

Intro

AD Trusts have always been confusing to many, such as, which direction does the trust point? I’ve included an easy to understand analogy that uses you and a friend as an example. I hope this helps. Ping me if you have any questions.

Scope

Let’s discuss AD trusts. And further in, after we discuss trusts types, we’ll revisit Kerberos authentication across a trust path, which I’ve previously discussed in the following blog and is pertinent in the scope of explaining trusts:

Kerberos Authentication Sequence Across Trusts
Kerberos Authentication Sequence Across Trusts

Active Directory Trusts

Active Directory domain to domain communications occur through a trust. An AD DS trust is a secured, authentication communication channel between entities, such as AD DS domains, forests, and UNIX realms. Trusts enable you to grant access to resources to users, groups and computers across entities.

The way a trust works is similar to allowing a trusted entity to access your own resources. It’s a two-step process. The first step is to establish the trust. The second step is to provide permissions.

For example, if users in the Contoso.com domain require access to a shared folder in the Trimagna.com domain, and the two domains are not in the same forest, you would establish the trust where Trimagna.com trusts Contoso.com, therefore the direction of the arrow would be Trimagna.com points to Contoso.com.

For an analogy, if you were to give your car keys to a friend to allow him or her to use your car, you are establishing a trust between you and your friend. In this case, you are the trusting friend, or domain, and the friend is the trusted friend, or domain. Once the keys have been provided, then the next step is to allow access to your resource, or car, by providing permissions to use the car. However, this trust is only in one direction, you trust your friend. If you want your friend to trust you, your friend, or the other domain, must be initiated by your friend, or the other domain.

AD DS Trust Types

There are various trust types. The trust that you create must be appropriate for the design. Trusts can be transitive or non-transitive. The one that you choose to create depends on the scenario and requirements. Other trusts types can be created as required, depending on the scenario. The table below shows the various trust types you can create.

Trusts can be created using the New Trust Wizard found in the Active Directory Domains and Trusts console, or using the Netdom command line utility. If you choose to create one of the one-way trust types in both directions, it can be created simultaneously, or separately. If you create it separately, you must re-run the procedure to establish the trust in the other direction.

Trust Type	Characteristics	Direction	Authentication Mechanism	Notes
Parent-Child	Transitive	Two-way	Kerberos V5 or NTLM	Created automatically when a child domain is added.
Tree-Root	Transitive	Two-way	Kerberos V5 or NTLM	Created automatically when a new Tree is added to a forest.
Shortcut	Transitive	One-way or Two-way	Kerberos V5 or NTLM	Created Manually. Used in an AD DS forest to shorten the trust path to improve authentication times.
Forest	Transitive	One-way or Two-way	Kerberos V5 or NTLM	Created Manually. Used to share resources between AD DS forests.
External	Non-transitive	One-way	NTLM Only	Created Manually. Used to access resources in an NT 4.0 domain or a domain in another forest that does not have a forest trust established.
Realm	Transitive or non-transitive	One-way or Two-way	Kerberos V5 Only	Created Manually. Used to access resources between a non-Windows Kerberos V5 realm and an AD DS domain.

Trust Flow: Transitive vs. Non-Transitive

Trust communication flow is determined by the direction of the trust. The trust can be a one-way or a two-way trust. And the transitivity determines whether a trust can be extended beyond the two domains with which it was formed. A transitive trust can be used to extend trust relationships with other domains; a non-transitive trust can be used to deny trust relationships with other domains. Authentication requests follow a trust path. The transitivity of the trust will affect the trust path.

Transitive Trust

· Contoso.com trusts Trimagna.com.

· Contoso.com trusts Adatum.com.

· Therefore, Trimagna.com trusts Adatum.com.

One-way Trust

· Domain A trusts Domain B, but Domain B does not trust Domain A.

· Domain A trusts Domain C, but Domain C does not trust Domain A.

· Therefore, Domain B does not trust Domain C.

o For these two domains to trust each other, you would need a one way trust created between each other.

Automatic Trusts: and Tree-Root Trusts

By default, two-way, transitive trusts are created automatically when a child domain is added or when a domain tree is added. The two default trust types are parent-child trusts and tree-root trusts.

Parent-Child Trust

A transitive, two-way parent-child trust relationship automatically created and establishes a relationship between a parent domain and a child domain whenever a new child domain is created using the AD DS installation process process within a domain tree. They can only exist between two domains in the same tree with the same contiguous namespace. The parent domain is always trusted by the child domain. You cannot manually create a Parent-Child trust.

Tree-Root Trust

A transitive, two-way tree-root trust relationship automatically created and establishes a relationship between the forest root domain and a new tree, when you run the AD DS installation process to add a new tree to the forest. A tree-root trust can only be established between the roots of two trees in the same forest and are always transitive. You cannot manually create a tree-root trust.

Shortcut Trust

Shortcut trusts are manually created, one-way, transitive trusts. They can only exist within a forest. They are created to optimize the authentication process shortening the trust path. The trust path is the series of domain trust relationships that the authentication process must traverse between two domains in a forest that are not directly trusted by each other. Shortcut trusts shorten the trust path.

Forest Trust

Forest trusts are manually created, one-way transitive, or two-way transitive trusts that allow you to provide access to resources between multiple forests. Forest trusts uses both Kerberos v5 and NTLM authentication across forests where users can use their Universal Principal Name (UPN) or their Pre-Windows 2000 method (domainName\username). Kerberos v5 is attempted first, and if that fails, it will then try NTLM.

Forest trusts require DNS resolution to be established between forests, however to support NTLM failback, you must also provide NetBIOS name resolution support between the forests.

Forest trusts also provide SID filtering enforcement in Windows Server 2003 and newer. This ensures that any misuse of the SID history attribute on security principals (including the inetOrgPerson attribute) in the trusted forest cannot pose a threat to the integrity of the trusting forest.

Forest trusts cannot be extended to other forests, such as if Forest 1 trusts Forest 2, and another forest trust is created between Forest 2 and Forest 3, Forest 1 does not have an implied trust. If a trust is required, one must be manually created.

External Trust

An external trust is a one-way, non-transitive trust that is manually created to establish a trust relationship between AD DS domains that are in different forests, or between an AD DS domain and Windows NT 4.0 domain. External trusts allow you to provide users access to resources in a domain outside of the forest that is not already trusted by a Forest trust.

SID filter quarantining is enabled by default with Windows Server 2003 and newer AD DS domains. SID filtering verifies that incoming authentication requests made from security principals in the trusted domain contain only SIDs of security principals from the trusted domain.

External trusts are NTLM based, meaning users must authenticate using the Pre-Windows 2000 logon method (domain\username).NTLM requires NetBIOS name resolution support for functionality.

Additional reading on creating External Trusts and DNS Support:

DNS and NetBIOS Name Resolution to Create External, Realm and Forest Trusts
http://technet.microsoft.com/en-us/library/ee307976(v=ws.10).aspx
Configure a DNS Server to Use Forwarders
http://technet.microsoft.com/en-us/library/cc754941.aspx

Realm Trust

A Realm trust can be established to provide resource access and cross-platform inter-operability between an AD DS domain and non-Windows Kerberos v5 Realm.

A Realm trust only uses Kerberos V5 authentication. NTLM is not used.
When the direction of the trust is from a non-Windows Kerberos Realm to an AD DS domain (Realm trusts AD DS domain), the non-Windows realm trusts all security principals in the AD DS domain.
Realm trusts are one-way by default, but you can create a trust in the other direction to allow two-way access.
Because non-Windows Kerberos tickets do not contain all the information AD DS requires, the AD DS domain only uses the account to which the proxy account (the non-Windows principal) is mapped to evaluate access requests and authorization. With Realm trusts, all AD DS domain proxy accounts can be used in an AD DS group in ACLs to control access for non-Windows accounts.

Additional reading:

Understanding Trust Types
http://technet.microsoft.com/en-us/library/cc730798.aspx

Trusted Domain Object (TDO)

To understand cross domain authentication, we must first understand Trusted Domain Objects (TDOs). Each domain within a forest is represented by a TDO that is stored in the System container within its domain. The information in the TDO varies depending on whether the TDO was created by a domain trust or by a forest trust.

When a domain trust is created, attributes such as the DNS domain name, domain SID, trust type, trust transitivity, and the reciprocal domain name are represented in the TDO.

When a forest trust is first established, each forest collects all of the trusted namespaces in its partner forest and then stores the information in a TDO. The trusted namespaces and attributes that are stored in the TDO include domain tree names, child domain names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces used in the other forest. TDO objects are stored in each domain, then replicated to the global catalog.

Therefore, because trusts are stored in Active Directory in the global catalog as TDOs, all domains in a forest have knowledge of the trust relationships that are in place throughout the forest. If there are two or more forests that are joined together through forest trusts, the forest root domains in each forest know of the trust relationships throughout all of the domains in the trusted forests.

The only exception to the rule is External trusts to a Windows NT 4.0 domain do not create TDOs in Active Directory because it is NTLM based, in which SPN and domain SIDs do not exist, therefore do not apply.

Additional reading:

How Domain and Forest Trusts Work (TDO further explained)
http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx
Trusts (TDOs)
http://technet.microsoft.com/en-us/library/cc786873(v=ws.10).aspx

Trust Path between Domains

The trust path is the series of domain trust relationships that the authentication process must traverse between two domains in a forest that are not directly trusted by each other.

Before authentication for a user, computer or service can occur across trusts, Windows must determine if the domain being requested has a trust relationship with the requesting account’s logon domain. This is determined by quering the global catalog for TDO data. The Windows security system’s Netlgon service through an authenticated RPC (Remote Procedure Call) to the remote domain’s trusted domain authority, (the remote domain controller), computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account.

The Windows security system extends a secured channel to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups. The trust path is stored for authentication requests to the trusted domain.

Kerberos authentication Sequence between Domains in a Forest

A user in the marketing.trimagna.com domains needs to gain access to a file share on a server called fileserver.sales.contoso.com domain. This is assuming the User has already logged on to a workstation using credentials from the marketing.trimagna.com domain. As part of the logon process, the authenticating domain controller issues the User a ticket-granting ticket (TGT). This ticket is required for User1 to be authenticated to resources.

The User attempts to access a shared resource on \\FileServer.sales.contoso.com\share.

The following Kerberos V5 authentication process occurs:

1. The User’s workstation asks for a session ticket for the FileServer server in sales.contoso.com by contacting the Kerberos Key Distribution Center (KDC) on a domain controller in its domain (ChildDC1) and requests a service ticket for the FileServer.sales.contoso.com service principal name (SPN).

2. The KDC in the user’s domain (marketing.trimagna.com) does not find the SPN for FileServer.sales.contoso.com in its domain database and queries the GC to see if any domains in the forest contain this SPN.

a. The GC checks its database about all forest trusts that exist in its forest. If a trust to the target domain is found, it compares the name suffixes listed in the forest trust trusted domain objects (TDOs) to the suffix of the target SPN to find a match.

b. Once a match is found, the global catalog sends the requested information as a referral back to the KDC in marketing.trimagna.com.

3. The KDC in the marketing.trimagna.com then issues the workstation a TGT for the contoso.com domain. This is known as a referral ticket.

4. The workstation then contacts the KDC in the trimagna.com tree root domain to request a referral to the KDC in the sales.contoso.com.

5. The KDC in the trimagna.com domain recognizes the user’s request to establish a session with a resource that exists in a foreign domain’s server.

a. The KDC then issues a TGT for the KDC in the contoso.com domain.

6. The workstation then presents the TGT for the sales.contoso.com domain to the KDC in the contoso.com domain.

7. The contoso.com KDC queries a GC to see if any domains in the forest contain this SPN. The GC checks its database about all forest trusts that exist in its forest. If a trust to the target domain is found, it compares the name suffixes listed in the forest trust trusted domain objects (TDOs) to the suffix of the target SPN to find a match.

a. Once a match is found, the global catalog sends the requested information as a referral back to the KDC in contoso.com.

8. The KDC issues a TGT for the sales.contoso.com domain.

9. The workstation then contacts the KDC of the sales.contoso.com domain and presents the referral ticket it received from its own KDC.

a. The referral ticket is encrypted with the interdomain key that is decrypted by the foreign domain’s TGS.

b. Note: When there is a trust established between two domains, an interdomain key based on the trust password becomes available for authenticating KDC functions, therefore it’s used to encrypt and decrypt tickets.

10. The workstation also presents the KDC in the sales.contoso.com the TGT it received from the KDC in contoso.com for the sales.contoso.com domain and is issued a ST (Session Ticket) for the sales.contoso.com domain.

a. The ST is populated with the domain local group memberships from the sales.contoso.com domain.

11. The user presents FileServer.sales.contoso.com the ST to the server to gain access to resources on the server in sales.contoso.com.

12. The server, FileServer.sales.contoso.com compares the SIDs include in the session ticket to the ACEs on the requested resource to determine if the user is authorized to access the resource. If there is, the user is permitted to access the resource based on the ACL permissions.

Kerberos Authentication with a Shortcut Trust

If a shortcut trust exists from the sales.contoso.com domain to the marketing.trimagna.com domain, then the trust path will shortened, therefore the user authentication path will be direct between the two domains.