Posted on

DNS Zone Types Explained, and their Significance in Active Directory

==================================================================
==================================================================
Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
   Microsoft Certified Trainer
   Microsoft MVP: Directory Services
   Active Directory, Exchange and Windows Infrastructure Engineer and Janitor

Revisions

Original publication 4/30/2013

Prelude

Ace here again. I thought to touch base on DNS zones, and more so, focus on what AD integrated zones are and how they work. This blog almost mimics my class lecture on this topic. Check back for updates periodically, which I will notate with a timestamp above with whatever I’ve added or modified.

This topic was also briefly discussed in the following Microsoft Technet forum thread:
Technet thread: “Secondary Zones?”
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/c1b0f3ac-c8af-4f4e-a5bc-23d034c85400

 

AD Integrated Zones AD Database Storage Locations

First up is a background on the various parts of the Active Directory database and what gets stored in them. This will help understand where DNS data is stored as I discuss it later in this blog.

The Active Directory Data Store (the AD database):

There are three possible storage locations for DNS zone storage in the Active Directory database:

  • DomainNC – This was the only available location with Windows 2000. This replicates to all DCs only in a specific domain.
  • DomainDnsZones partition – Introduced in Windows 2003 and used in all newer operating systems. This replicates to all DCs only in a specific domain in the forest.
  • ForestDnsZones partition. This replicates to all DCs in the forest.

You can see how not all partitions are replicated forest wide. It depends on the partition:

 

Ok, Now the DNS Basics:

  • A Secondary is a read-only copy
  • A Secondary zone stores it’s data in a text file (by default in the system32\dns folder)
  • A Secondary gets a copy of the zone data from the Primary
  • A Primary is the writeable copy
  • A Primary stores it’s zone data in a text file (by default in the system32\dns folder)
  • There can only be one Primary, but as many Secondary zones as you want.
  • You must allow zone transfer capabilities from the Primary zone if you want to create a Secondary.
  • AD integrated zones do NOT need zone transfers to be allowed (see below for specifics)

Active directory Integrated Zones changes this a bit:

AD Integrated zones are similar to Primary zones, however their data is stored as binary data in the actual AD database and not as a text file. The specific place in the AD database depends on the DC’s operating system version and replication scope, which means what “logical” part of the physical AD database it’s stored in, which will affect which DCs in the forest it will replicate to.

  • The “only one Primary Zone” rule is changed by introducing the Multi-Master Primary feature. This is because the data is not stored as a text file, rather it is stored in the actual, physical AD database (in one of 3 difference logical locations or what we call the Replication Scope), and any DC that has DNS installed (based on the replication scope) will be a writeable copy.
  • The zone data is replicated to other DCs in the replication scope where the data is stored (based on one of the 3 logical locations)
  • Each DC in the replication scope that has DNS installed, will automatically make available the zone data in DNS
  • Each DC that hosts the zone can “write” to the zone, and the changes get replicated to other DCs in the replication scope of the zone/
  • The DC that makes a change becomes the SOA at that point in time, until another DC makes a change to the zone, then it becomes the SOA
  • An AD Integrated zone can be configured to allow zone transfers to a Secondary, but the Secondary CANNOT be a DC in the same replication scope as the zone you are trying to create as a Secondary, otherwise the DC you are attempting to create the Secondary on will automatically change it to AD integrated, since it “sees” it in the AD database. In some cases, if this is forced or done incorrectly, it can lead to duplicate or conflicting zones in the AD database, which is problematic until fixed.

And if you install DNS on another DC, the zone data will *automatically* appear because DNS will recognize the data in the AD database. AD integrated zones can also act as a Primary zone for secondary zones, whether they are on Windows machines, BIND (on Unix) or any other name brand.

Remember, AD integrated zones still follow the RFCs, but have more features.

 

Duplicate or Conflicting zones?

Since I touched based on duplicate and conflicting zones, you may want to check if they exist in your AD database. You have to check each partition, and if you have more than one domain, you have to check the DomainDnsZones and DomainNC of each domain. You may even have to check it on multiple DCs in various AD Sites to see if they all “see” the same copy or different copies. You would be surprised what I’ve seen with AD replication problems and seeing different DCs “seeing” something different in its own database. This issue also manifests as a symptom in more than just a DNS problem, where you create a user on one DC and it never replicates to another DC.

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

 

Primary Standard Zone, Secondary Standard Zones & Zone Transfers

Zone transfers allow you to create a read only copy (a Secondary zone) on another DNS server, that will pull a copy (transfers) from the read/writable zone (the Primary zone).

Primary and Secondary zones store their data as text files.

On a Windows machine, the zone files can be found in the \system32\dns folder with a file name such as “domain.com.dns”. You can have numerous read only copies, but there can only be one read/write of that zone.

Please keep in mind, the authoritative DNS server listed in the registrar for a public domain name (zone) does not have to be a Primary, it’s just the host nameserver listed as authoritative. It can get it’s data from a Primary that is not listed, hence the writable copy is actually hidden and protected from public access.

Do I need Zone transfers Allowed for AD Integrated Zones if I do not have Secondaries Zones?

The short answer: NOPE.

The reason is that the term “AD Integrated” means the zone is stored in the AD database, and the zone will replicate to other domain controllers within the same replication scope (domain-wide or forest-wide) automatically as part of the AD replication process.

By default, AD integrated zones are configured to not allow zone transfers.

Allowing zone transfers is an option provided to support non-DC DNS servers, BIND or any other name brand DNS server that you want to allow zone transfers to a secondary on those servers.

Rotating SOA

Additional security options of AD integrated zones, is one of the feature of AD integrated zones, as well as the fact that there can be more than one Primary zone copy of it. This is because all DNS servers that host the zone in a domain or forest has the ability to be a writable copies and becomes the actual “start of authority” (SOA) of that zone when a specific DC/DNS accepts a write operation, such as a client machine registering, or the DC itself updating its SRV records.

For example, if a DC updates it’s SRV and other records at the default 60 minute interval (all other machines register every 24 hours), it will update its data into the DNS server listed as the first DNS address in the network card. This server now writes it into DNS and NOW becomes the SOA of the zone. That data is replicated to other DC/DNS servers with default AD replication. Now all other DC/DNS servers will see the change.

To further explain, since the zone is AD integrated, each and every DC in the replication scope of the zone, can accept changes, due to an AD integrated zone’s Multi-Master Primary Zone features. Based on the definition of what an SOA is, that is being the DNS server that’s authoritative to accept writes, therefore, whichever DC/DNS accepted a change to the zone, that specific DC/DNS will become the SOA for that moment in time. Then when the next DC/DNS that accepts a change, it will now become the new SOA. The SOA constantly changing in an AD environment is accepted, and default behavior.

That is why you can watch the SOA name on AD integrated zones change. The data is replicated automatically as part of the AD replication process because it is stored in the AD database.

Active Directory-integrated DNS zone serial number behavior (SOA default behavior) 
http://support.microsoft.com/kb/282826 

 

References

Configure AD Integrated Zones
(When converting to AD integrated zones)
Quoted: “Only primary zones can be stored in the directory. If a zone is configured on other domain controllers as a secondary zone, these zones will be converted to primary zones when you convert the zone to AD integrated. This is because the multimaster replication model of Active Directory removes the need for secondary zones when a zone is stored in Active Directory. Conversion of the zone from secondary to primary will occur when AD DS is restarted.”
 http://technet.microsoft.com/en-us/library/ee649181(v=ws.10)

Understanding DNS Zones
http://www.tech-faq.com/understanding-dns-zones.html

Understanding stub zones: Domain Name System(DNS)
Jan 21, 2005 – The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary …
http://technet.microsoft.com/en-us/library/cc779197(v=ws.10).aspx

Posted on

Reanimate an Exchange Server Deleted From the Exchange Organization in the Configuration Container in Active Directory

By Ace Fekay
MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer & Janitor

Background:

Hey everyone, Ace here again. Here’s an interesting issue I came across when an administrator, while using ADSI Edit, deleted one of their Exchange 2010 servers from the Exchange Organization in AD’s Configuration Container. Of course, it was not intentional, so I didn’t even ask why or how, but I was told that they were working on something else in ADSI Edit, and the administrator unintentionally deleted the Exchange server object. And as we all know, there is no “Undelete” button in ADSI Edit.

Before I went about trying to perform an Authoritative Restore with AD, I figured I would try to use the AD Recycle Bin to recover the object. However, I knew it wouldn’t be there, because it was never deleted from ADUC Computer Container, rather it was deleted from the Exchange Organization. But I did it just to show how to do it, and to illustrate the differences in the object’s locations and significance.

What I did was is re-animated the deleted server using ADSI Edit. I used a lab machine to test it before attempted to try it on their production system.

 

Before I performed a test delete in my lab

Here are the three Exchange Servers, Van-EX1, Van-EX2, and Van-EX3, showing in the ADUC’s Computers Container:

 

Here’s VAN-EX3 in ADSI Edit and its attributes. This is what it’s supposed to look like.

 

Looking further into the server object attributes in ADUC Advanced View, Attribute Editor, it shows the server’s ObjectSID:

 

Delete VAN-EX3

Here’s where I deleted VAN-EX3 in ADSI Edit:

 

The delete warning message:

 

And the second delete warning message. Apparently ADSI Edit, the tool that doesn’t have an Undelete” button, wants to make sure that you want to delete it. I think it’s good that it asks twice:

 

VAN-EX3 has now been deleted from the Exchange Organization section in the Configuration Container:

 

However, as you an see in ADUC, it still shows VAN-EX3. That’s because we didn’t delete it from AD, rather it was deleted from the Configuration Container.

 

As you can see here, Exchange’s services still show that they’re still running.

 

Trying to find the deleted object in the Recycle Bin using LDP

Here’s where I looked for the Exchange object in the Recycle Bin using LDP. However, since the Exchange computer object still exists in AD, rather it was deleted from the Organization. I knew it won’t be in the Recycle Bin, because it wasn’t really deleted from AD.

These steps were more to show everyone the differences between a deleted computer object, that would show up here, and an Exchange server deleted from the Organization.

 

Click Connection, then Bind:

 

We’re binding using default values, meaning it will use the currently logged on domain administrator account.

 

In LDP, click Options, then Controls:

 

In the Load Predefined drop-down box, I chose to “Return Deleted Objects:”

 

As you can see, Return Deleted Objects chosen in the drop-down box:

Under Tree View, for the base DN, I typed in cn=deleted objects,dc=adatum,dc-com. As you can see, nothing showed up. So VAN-EX3 is not in the Recycle Bin.

 

Recreating VAN-EX3 in the Exchange Organization in the Configuration Container

I drilled down into the Exchange Organization in the Configuration Container, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Servers. Then I right-clicked CN=Servers, New, Object.

By the way, not to get off topic, but if you’re wondering how the Exchange team came up with that Administrative Group name, “(FYDIBOHF23SPDLT),” click here.

 

Once the server object has been created, now we need to create the necessary Exchange server object containers under the server object we created. What helps is that the attributes are still in AD:

 

For “Select a Class” dialog box, scroll down and select msExchServersContainer

 

For the Value field, type in VAN-EX3:

 

Click Finish:

 

Now we must create the Exchange Information Store container. Right-click, New, choose Object:

 

In the Select a Class dialog box, choose msExchInformationStore:

 

Type “Information Store” in the Value field:

 

Click Finish:

 

The values appear correct so far. If you double-click on the CN=Information Store object, scroll down, you can see the DN value is correct (sorry, I didn’t screenshot that part):

 

Now let’s create the MTA. Same deal as above, in the Select a Class dialog box, right-click, New, scroll down and choose mTA:

 

Type in Microsoft MTA:

 

To get the time out and other values it’s asking, I opened another instance of ADSI Edit, and looked at the values for one of the other existing Exchange Servers:

 

The transRetryMins value of 5 that I populated, which I found from the other Exchange server:

 

The last attribute, which of course is the server’s name:

 

Now we must create the Microsoft System Attendant object for VAN-EX3 by right-clicking Van-Ex3, new, choose Object, and in the Select a Class dialog box, scroll down and select exchangeAdminService:

 

For the CN value, type in Microsoft System Attendant:

 

Scroll down in the Attribute Editor to deliveryMechanism, set it to 0 (zero):

 

Click Finish:

 

Now test logging on with a mailbox that exists in VAN-EX3, and try to send and receive an email. You should find that it works perfectly.

 

Point of the story: Be careful what you do in ADSI Edit.

Suggestions, Comments, Corrections are welcomed.

Ace Fekay

Posted on

Redirect OWA Exchange 2010 & Exchange 2013 – The Cool and Easy Method

By Ace Fekay
MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer & Janitor

Preface

Hey everyone, Ace here again. An issue was presented to me regarding the EMC and EMS would not open on a new Exchange 2010 SP3 installation. The underlying operating system is Windows 2008 R2 SP1. I could not figure out how to resolve this issue, and not to pat myself on the back, I usually and eventually resolve something or get really close, but I was no where near close on this one, other than knowing it was an IIS issue. I eventually called Microsoft Support to assist in this scenario, instead of wasting any more of my time or the customer’s valuable productivity on the issue. That said, this will be the first time in two years that I’ve needed to contact Microsoft Support.

During the course of the support call, we discussed various ways to redirect the Default Site access by simply typing in, mail.domain.com, and have it redirect to https://mail.domain.com/owa, thus making it easier for users to remember the short URL instead of having to remember the whole URL.

I was originally following Brian Desmond’s blog on how to configure the redirect, and it works great. I’ve used it for a half dozen customers without incident for the past two years. But after I saw this method, I was astonished at the ease of configuration, and it does not affect any subfolders.

The idea behind it is configuring the IIS 7 and 7.5 HTTP Redirect feature on the actual iisstart.htm file, and not for the actual Default Website. If you set it for the website, you must uncheck it for each and every sub web folder which is a pain in the butt to go through each one, and you may make a mistake that can render Exchange useless. Support call anyone? Smile

 

This requires the IIS HTTP Redirect feature installed under Web Role Services

If you don’t already have it installed, you will need to install the HTTP Redirect feature under the IIS Web Server Role Services. If you don’t have it installed, it’s a quick installation that does not require a restart.

Steps to install the HTTP Redirect Feature:

  1. Open Server Manager, and then expand Roles.
  2. Right-click Web Server (IIS), and then choose “Add Role Services.”
  3. Under Web Server section, scroll down to find and click to select the “HTTP Redirect” check box.
  4. Click Next to complete the installation.
  5. Click Close when done.

Steps to configure OWA Redirect in Exchange 2010 and 2013:

  1. Click on the Default Website
  1. Right Click Default Website
  2. Choose “Switch to Content View
    For the full image, click here
  • In the middle pane, you will now see a list of all the sub webs. You will also notice the iisstart.htm file.
  • Right-click the iisstart.htm file
    1. Choose “Switch to Features View
      For the full image, click here
  • In the left pane, you will now see “iisstart.htm” in the navigation tree
    1. Click on iisstart.htm in the left navigation tree
      For the full image, click here
    3. In the middle pane, either (either one gets you to the same place)
    1. Right-click HTTP Redirect, choose Open Feature
    1. Or
  • Double-Click on HTTP Redirect
  • Check the box that states, “Redirect requests to this destination
  • Type in OWA URL, such as https://mail.domain.com/owa
  • Click Apply
    For full image, click here
  • Open a command window, or if you already have a PowerShell window open, that will work, too.
    1. Type in IISRESET
    2. Hit <enter>
      You’re done!

    It’s that easy. And it will not affect any of the Exchange’s necessary subfolders, or any other part of IIS.

    Easy, wasn’t it?

    Exchange 2003 & 2007 OWA Redirect

    1. Navigate to c:\inetpub\webroot
    2. Right click anywhere in the middle pane
    3. Choose New -> Text Document
    1. Notepad will open
    2. Type in (you only need this one line):
    1. <% response.redirect(“https://mail.domain.com/owa”)%>
  • Then save the file
    1. Click Save As
    2. Type in “default.asp
    3. And yes, you MUST use the quotes so the system will not append “.txt” on the end of it and rendering it useless.
  • Click Save
  • Open IIS Management Console
  • If this is Exchange 2000 or 2003 on Windows 2000/2003, IIS6:
    1. Navigate to the Default Website
    2. Right click, properties
    3. Under Default Document, make sure default.asp is at the top of the list. If it’s not, use the arrows to move it to the top.
    1. Click Ok
  • Open the Command prompt
    1. Type in IISRESET, then hit <enter>
  • If this is Exchange 2007 on Windows 2008, IIS7:
    1. Navigate to Default Website
    2. In the middle pane, Double-click on Default Document
    3. Make sure default.asp is at the top of the list
    4. Open the Command prompt
    1. Type in IISRESET, then hit <enter>

           

    References:

    If you want to use Brian Desmond’s which works perfectly, too, and I’ve been using it for over two years without a hitch, here it is:

    Redirecting OWA URLs in Exchange 2010, by Brian Desmond
    http://briandesmond.com/blog/redirecting-owa-urls-in-exchange-2010/

    Microsoft’s KB on OWA Redirect:

    How to redirect requests from HTTP to HTTPS or to the OWA virtual directory in IIS 7
    Applies to Microsoft Internet Information Services 7.0
    http://support.microsoft.com/kb/975341

    Simplify the Outlook Web App URL
    Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
    http://technet.microsoft.com/en-us/library/aa998359(v=exchg.141).aspx

    How to redirect an HTTP connection to HTTPS for Outlook Web Access clients and how to redirect the Default Web Site to point to the Exchange virtual directory
    Applies to Exchange 5.5,  Exchange 2000, Exchange 2003 (Just thought to throw this in here for anyone still on the legacy Exchange versions)
    http://support.microsoft.com/kb/839357

    Other related links, just to get an idea what others have suggested, but I have not tried, so I can’t comment on them. You can try them at your own risk:

    HTTP to HTTPS OWA redirection.
    http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/73e2e794-c2ec-4bd2-9f55-bb47c605e200

    Set-Exchange2010RedirectSSL.ps1 – Redirecting the root web site to /owa and forcing SSL in Exchange 2010 4/28/2010
    http://www.ehloworld.com/186
    http://www.ehloworld.com/wp-content/uploads/2010/04/Set-Exchange2010RedirectSSL.v1.31.zip

     

    Comments, corrections, concerns, and suggestions are all welcomed!

    Ace