Problem

You want to permit (i.e., authorize) a DHCP server to process DHCP requests from clients. This is necessary only if the DHCP server is a member of an Active Directory domain.

Solution

Using a graphical user interface

Windows 2000 DHCP servers cannot be authorized with the Windows Server 2003 version of the DHCP snap-in unless the DHCP server has Service Pack 2 or higher installed.
  1. Open the DHCP snap-in.
  2. In the left pane, right-click on DHCP and select Add Server.
  3. Type in the name of the DHCP server you want to target and click OK.
  4. Click on the server entry in the left pane.
  5. Right-click on the server and select Authorize.
If the DHCP server is not a member of an Active Directory domain, you will not see the Authorize option.

Using a command-line interface

The following command authorizes a DHCP server in Active Directory:

> netsh dhcp add server <DHCPServerName> <DHCPServerIP>

This example shows how to authorize the DHCP server named dhcp01.rallencorp.com with IP 192.168.191.15:

> netsh dhcp add server dhcp01.rallencorp.com 192.168.191.15

Using VBScript

	' The following script prints out the list of
	' authorized DHCP Servers in Active Directory.
	' ------ SCRIPT CONFIGURATION ------
	strForestRootDN = "<ForestRootDN>" ' e.g. dc=rallencorp,dc=com
	' ------ END CONFIGURATION --------

	' CN=DhcpRoot is created when the first DHCP server is authorized; its
	' multivalued dhcpServers attribute lists every authorized server.
	set objCont = GetObject("LDAP://CN=DhcpRoot,CN=NetServices,CN=Services," & _
	                        "CN=Configuration," & strForestRootDN)
	colDHCPServers = objCont.GetEx("dhcpServers")
	for each strDHCPServer in colDHCPServers
	   Wscript.Echo strDHCPServer
	next

Discussion

Windows 2000 and Windows Server 2003-based DHCP servers that belong to an Active Directory domain must be authorized before they will give leases to clients. This reduces the danger of a rogue Windows 2000 or Windows Server 2003 DHCP server that an end user sets up, perhaps even unintentionally.

However, this still doesn’t prevent someone from plugging in a non-Windows DHCP server (e.g., a Linksys router with the DHCP server enabled) and causing clients to receive bad leases. A rogue DHCP server can provide incorrect lease information or deny lease requests altogether, ultimately causing a denial of service for clients on your network.

If the DHCP server service is enabled on a domain controller, it is automatically authorized. A DHCP server that is a member server of an Active Directory domain performs a query in Active Directory to determine whether it is authorized. If it is, it will respond to DHCP requests; if not, it will not respond to requests.

A standalone Windows DHCP server that is not a member of an Active Directory domain sends out a DHCPINFORM message when it first initializes. If an authorized DHCP server responds to the message, the standalone server will not respond to any further DHCP requests. If it does not receive a response from a DHCP server, it will respond to client requests and distribute leases.

DHCP servers are represented in Active Directory as objects of the dhcpClass class, in the cn=NetServices,cn=Services,cn=Configuration,<ForestRootDN> container. The relative distinguished name of these objects is the IP address of the DHCP server. There is also an object in the same container named cn=DhcpRoot, which is created when the first DHCP server is authorized. It has an attribute named dhcpServers that contains all authorized servers. We enumerated this attribute in the VBScript solution to display all authorized servers.

By default, only members of the Enterprise Admins group can authorize DHCP servers. However, you can delegate the rights to authorize a DHCP server. Do the following to delegate the necessary permissions to a group called DHCP Admins:

  1. Open ADSI Edit from the Support Tools while logged on as a member of the Enterprise Admins group.
  2. In the left pane, expand Configuration Container, then CN=Configuration, CN=Services, and CN=NetServices.
  3. Right-click on CN=NetServices and select Properties.
  4. Select the Security tab.
  5. Click the Advanced button.
  6. Click the Add button.
  7. Use the object picker to select the DHCP Admins group.
  8. Check the boxes under “Allow for Create dHCPClass objects” and “Delete dHCPClass objects.”
  9. Click OK until all dialog boxes are closed.
  10. Back in ADSI Edit, right-click on CN=dhcpRoot (if you’ve previously authorized DHCP Servers) and select Properties.
  11. Select the Security tab.
  12. Click the Advanced button.
  13. Click the Add button.
  14. Use the object picker to select the DHCP Admins group.
  15. Check the boxes under Allow for “Write for all properties.”
  16. Click OK until all dialog boxes are closed.

Using a graphical user interface

You can quickly determine whether a DHCP server has been authorized by looking at its server node in the left pane of the DHCP snap-in. If the icon has a little red flag, it isn’t authorized; if the flag is green, it is authorized.

Using a command-line interface

To see the list of authorized servers using the command line, run the following command:

> netsh dhcp show server
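The following PowerShell script is an added example rather than code from the book. It reads the authorized list from CN=DhcpRoot (the same dhcpServers attribute the VBScript solution prints), cross-checks it against the per-server dhcpClass objects, and then compares both with the server that actually issued the local host's leases, as reported by WMI. It assumes a domain-joined host whose account can read the Configuration partition (any authenticated user can, by default). The parser treats each dhcpServers value as a $-delimited string with i<IP>, r<DN> and s<name> fields, which is what the attribute contains in practice, and ignores any field it does not recognize.

```powershell
# Added example (not the book's code). Assumes a domain-joined host whose
# account can read the Configuration partition; all hostnames and addresses
# are read from the directory and from WMI at run time.
$configDn    = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$netServices = "CN=NetServices,CN=Services,$configDn"

# 1. Authorized servers as recorded on CN=DhcpRoot. The object only exists once
#    a server has been authorized. Each dhcpServers value is a '$'-delimited
#    string whose fields are prefixed i (IP address), r (DN of the dhcpClass
#    object) and s (DNS name); unknown fields are ignored.
$authorized   = @{}
$dhcpRootPath = "LDAP://CN=DhcpRoot,$netServices"
if ([System.DirectoryServices.DirectoryEntry]::Exists($dhcpRootPath)) {
    foreach ($value in ([ADSI]$dhcpRootPath).dhcpServers) {
        $ip = $null; $name = $null
        foreach ($field in ([string]$value -split '\$')) {
            if     ($field -match '^i(\S+)$') { $ip   = $Matches[1] }
            elseif ($field -match '^s(\S+)$') { $name = $Matches[1] }
        }
        if ($ip) { $authorized[$ip] = $name }
    }
} else {
    Write-Warning 'CN=DhcpRoot does not exist: no DHCP server has ever been authorized in this forest'
}

# 2. Cross-check against the per-server dhcpClass objects, whose RDN is the IP.
#    CN=DhcpRoot is itself a dhcpClass object, so skip it.
$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList @(
    [ADSI]"LDAP://$netServices", '(objectClass=dhcpClass)', [string[]]@('cn'))
foreach ($result in $searcher.FindAll()) {
    $cn = [string]$result.Properties['cn'][0]
    if ($cn -ne 'DhcpRoot' -and -not $authorized.ContainsKey($cn)) {
        Write-Warning "dhcpClass object for $cn exists but $cn is missing from DhcpRoot.dhcpServers"
        $authorized[$cn] = '(dhcpClass object only)'
    }
}

'Authorized DHCP servers in Active Directory:'
$authorized.GetEnumerator() | Sort-Object Name |
    ForEach-Object { '  {0,-16} {1}' -f $_.Name, $_.Value }

# 3. Which server actually leased this host's addresses? Authorization only
#    silences Windows DHCP servers, so an unlisted address here is a rogue or
#    non-Windows DHCP server worth tracking down.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'DHCPEnabled = TRUE' |
    Where-Object { $_.DHCPServer } |
    ForEach-Object {
        if ($authorized.ContainsKey($_.DHCPServer)) {
            "OK  $($_.Description): lease from authorized server $($_.DHCPServer)"
        } else {
            Write-Warning "$($_.Description): lease from $($_.DHCPServer), which is NOT authorized in AD"
        }
    }
```

Run it from an ordinary domain-joined workstation on each subnet you care about; step 3 is the part that catches the Linksys-style rogue mentioned above, which authorization cannot stop. A server that appears in step 2 but not in step 1 indicates the dhcpServers list on CN=DhcpRoot is out of step with the dhcpClass objects and should be re-authorized from the DHCP snap-in.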

Problem

You want to prevent a domain controller from dynamically registering its resource records using DDNS. If you register a domain controller's resource records manually, you'll also want to stop that domain controller from trying to register them dynamically; otherwise, your DNS servers will log errors reporting that certain DDNS updates are failing.

Solution

Using a command-line interface
	> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v UseDynamicDNS /t REG_DWORD /d 0
	The operation completed successfully.

	> net stop netlogon
	The Net Logon service is stopping.
	The Net Logon service was stopped successfully.

	> del %SystemRoot%\system32\config\netlogon.dnb

	> net start netlogon
	The Net Logon service is starting.......
	The Net Logon service was started successfully.

Using VBScript
	' This code prevents a DC from registering resource records dynamically.
	' It must be run directly on the server.

	' Create Registry Value (0 = do not register; 1 is the default behavior)
	const HKLM = &H80000002
	set oReg=GetObject("winmgmts:root\default:StdRegProv")
	strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"
	if oReg.SetDWORDValue(HKLM,strKeyPath,"UseDynamicDNS",0) <> 0 then
	   WScript.Echo "Error creating registry value"
	else
	   WScript.Echo "Created registry value successfully"
	end if

	' Stop Netlogon service
	strService = "Netlogon"
	strServicePath = "WinMgmts:root/cimv2:Win32_Service.Name='" & strService & "'"
	set objService = GetObject(strServicePath)
	if objService.StopService <> 0 then
	   WScript.Echo "Error stopping " & strService & " service"
	else
	   ' StopService only requests the stop; wait until it has completed
	   do
	      WScript.Sleep 1000
	      set objService = GetObject(strServicePath)
	   loop until objService.State = "Stopped"
	   WScript.Echo "Stopped " & strService & " service successfully"
	end if

	' Delete netlogon.dnb file (NetLogon's cache of registered records)
	set WshShell = CreateObject("WScript.Shell")
	set objFSO = CreateObject("Scripting.FileSystemObject")
	strDnbPath = WshShell.ExpandEnvironmentStrings("%SystemRoot%") _
	             & "\system32\config\netlogon.dnb"
	if objFSO.FileExists(strDnbPath) then
	   objFSO.DeleteFile strDnbPath
	   WScript.Echo "Deleted netlogon.dnb successfully"
	else
	   WScript.Echo "netlogon.dnb not present; nothing to delete"
	end if

	' Start Netlogon service
	if objService.StartService <> 0 then
	   WScript.Echo "Error starting " & strService & " service"
	else
	   WScript.Echo "Started " & strService & " service successfully"
	end if

	WScript.Echo
	WScript.Echo "Done"

Discussion

By default, domain controllers attempt to dynamically register their Active Directory-related resource records every hour via the NetLogon service. You can prevent a domain controller from doing this by setting the UseDynamicDNS value to 0 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters. After you set that value, you should stop the NetLogon service, remove the %SystemRoot%\system32\config\netlogon.dnb file, and then restart NetLogon. It is necessary to remove the netlogon.dnb file because it maintains a cache of the resource records that are dynamically updated. This file will get re-created when the NetLogon service restarts.

Problem

You want to manually deregister a domain controller’s resource records.

Solution

Using a command-line interface

With the following nltest command, replace <DomainControllerName> with the FQDN of the domain controller you want to deregister and <DomainDNSName> with the FQDN of the domain of which the domain controller is a member:

	> nltest /dsderegdns:<DomainControllerName> /dom:<DomainDNSName>

Discussion

When a domain controller is demoted from a domain, it dynamically deregisters its resource records. This is a nice feature of the demotion process because it means you do not have to manually remove all of the resource records or wait for scavenging to remove them. If, however, you have a domain controller that crashes and you do not plan on bringing it back online, you’ll need to remove the records manually or wait for the scavenging process to take place.

You can use the DNS Mgmt MMC snap-in and even the dnscmd.exe utility to manually remove them one by one, or you can use nltest, as shown in the solution.

The /dsderegdns switch also has /DomGUID and /DsaGUID options if you want to delete the records that are based on the domain GUID and DSA GUID, respectively. You need to know the actual GUIDs of the domain and domain controller to use those switches, so if you don’t have them handy, it would be easier to delete them using the DNS Management MMC snap-in.

Problem

You want to manually force registration of a domain controller’s resource records. This may be necessary if you’ve made some configuration changes on your DNS servers to allow your domain controllers to start dynamically registering resource records.

Solution

Using a command-line interface
	> nltest /dsregdns /server:<DomainControllerName>

Discussion

The Windows Server 2003 version of nltest provides a /dsregdns switch that allows you to force registration of the domain-controller-specific resource records. You can also force reregistration of its resource records by restarting the NetLogon service on the domain controller. The NetLogon service automatically attempts to reregister a domain controller’s resource records every hour, so if you can wait that long, you do not need to use nltest.
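As an added example (not from the book), the following PowerShell script checks whether a forced registration actually took. It reads the records NetLogon wants registered from %SystemRoot%\system32\config\netlogon.dns (the plain-text companion of the netlogon.dnb cache, one record per line in zone-file syntax), queries DNS for each of them while bypassing the resolver cache, and runs nltest /dsregdns only if something is missing. It assumes it runs on the domain controller itself and that Resolve-DnsName is available (Windows Server 2012 or later); the record types it understands, A, AAAA, CNAME and SRV, are the ones NetLogon writes.

```powershell
# Added example, not from the book. Assumes it runs on the DC and that
# Resolve-DnsName is available (Windows Server 2012 / Windows 8 and later).
param([string]$DomainController = $env:COMPUTERNAME)

# netlogon.dns lists, in zone-file syntax, every record NetLogon registers, e.g.
#   _ldap._tcp.dc._msdcs.rallencorp.com. 600 IN SRV 0 100 389 dc1.rallencorp.com.
$dnsFile = Join-Path $env:SystemRoot 'system32\config\netlogon.dns'

function Get-NetlogonRecord {
    # Parses netlogon.dns lines into Name / Type / Target objects.
    param([string[]]$Line)
    foreach ($l in $Line) {
        if ($l -match '^\s*(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME|SRV)\s+(.+?)\s*$') {
            [pscustomobject]@{
                Name   = $Matches[1].TrimEnd('.')
                Type   = $Matches[2]
                # for SRV the last token of the data is the target host;
                # for A/AAAA/CNAME the data is a single token anyway
                Target = ($Matches[3] -split '\s+')[-1].TrimEnd('.')
            }
        }
    }
}

function Test-RecordPresent {
    # True if DNS returns a record of the expected type whose target matches.
    param($Record)
    # -DnsOnly skips the resolver cache so a stale positive answer cannot mask a gap
    $answers = Resolve-DnsName -Name $Record.Name -Type $Record.Type -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq $Record.Type }
    foreach ($a in $answers) {
        $got = switch ($Record.Type) {
            'SRV'   { $a.NameTarget }
            'CNAME' { $a.NameHost }
            default { $a.IPAddress }
        }
        if ($got -and $got.TrimEnd('.') -eq $Record.Target) { return $true }
    }
    $false
}

$records = @(Get-NetlogonRecord -Line (Get-Content $dnsFile))
$missing = @($records | Where-Object { -not (Test-RecordPresent $_) })

if ($missing.Count -eq 0) {
    "All $($records.Count) NetLogon records for $DomainController are present in DNS."
} else {
    $missing | ForEach-Object { 'MISSING {0,-6} {1} -> {2}' -f $_.Type, $_.Name, $_.Target }
    'Forcing re-registration with nltest...'
    & nltest /dsregdns "/server:$DomainController"
}
```

If records are still missing after the forced registration, the cause is on the DNS side (the zone does not accept dynamic updates from the DC, or the DC is pointed at a server that is not authoritative for the zone), and DNS debug logging with the Update Transactions category on the server that should be accepting the updates will show whether the requests arrive at all.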

Problem

You want to enable DNS debug logging to troubleshoot issues related to DNS queries or updates.

Solution

Using a graphical user interface
  1. From the Administrative Tools, open the DNS Management snap-in.

  2. Connect to the DNS Server you want to modify. In the left pane, right-click on DNS and select “Connect to DNS Server.” Select “The following computer” and enter the target server name. Click OK.

  3. Right-click on the server and select Properties.

  4. Click on the Debug Logging tab (or the Logging tab in Windows 2000).

  5. Select what you want to log and the location of the logfile (in Windows 2000, the logfile location is hardcoded to %systemroot%\system32\dns\dns.log).

  6. Click OK.

Using a command-line interface

Use the following command to enable debug logging. For the log level, add together the event codes you want logged and specify the sum in hex. The available event codes are listed in Table 14-3.

	> dnscmd <ServerName> /Config /LogLevel <EventFlagSumInHex>

Use the following command to specify the location of the logfile:

	> dnscmd <ServerName> /Config /LogFilePath <DirectoryAndFilePath>

Use the following command to log only entries that pertain to certain IP addresses:

	> dnscmd <ServerName> /Config /LogIPFilterList <IPAddress1>[,<IPAddress2>…]

Use the following command to specify the maximum logfile size:

	> dnscmd <ServerName> /Config /LogFileMaxSize <NumberOfBytesInHex>

Use the following command to disable debug logging:

	> dnscmd <ServerName> /Config /LogLevel 0

Using VBScript
	' This code enables DNS debug logging.
	' ------ SCRIPT CONFIGURATION -------
	strServer = "<ServerName>" ' e.g. dc1
	' The log level must be in decimal, not hex like dnscmd
	intLogLevel = <EventFlagSumInDecimal> ' e.g. 65535
	arrFilterList = Array("<IPAddress1>") ' e.g. 192.168.1.12
	strFilePath = "<DirectoryAndFilePath>" ' e.g. c:\dnslog.txt
	intFileSize = <NumberOfBytesInDecimal> ' e.g. 50000000
	' ------ END CONFIGURATION ---------

	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	objDNSServer.LogLevel = intLogLevel
	objDNSServer.LogIPFilterList = arrFilterList
	objDNSServer.LogFilePath = strFilePath
	objDNSServer.LogFileMaxSize = intFileSize
	' Put_ commits all of the property changes to the server
	objDNSServer.Put_
	WScript.Echo "Enabled DNS Debug Logging on " & strServer

	' To disable debug logging, set the intLogLevel variable to 0

Discussion

With the DNS Server debug log, you can record all DNS operations received and initiated by the server, including queries, updates, zone transfers, etc. If you need to troubleshoot a particular host, you can use the LogIPFilterList setting in dnscmd or the WMI DNS Provider to restrict the log to operations performed only for or by that host.

The most important debug log setting is the log level. With the DNS snap-in, you can select from a list of available options. With Windows Server 2003, the DNS snap-in provides an intuitive interface for selecting the required options. On Windows 2000, you are presented with a list of checkboxes and you have to figure out which ones need to be used in conjunction with one another. You have a similar issue with CLI and VBScript solutions, where you need to determine what log level you want to set.

Table 14-3 contains all of the event codes with their hexadecimal and decimal values.

Table 14-3. DNS debug logging event codes

Hexadecimal value   Decimal value   Description
0x0                 0               No logging. This is the default.
0x1                 1               Query transactions.
0x10                16              Notification transactions.
0x20                32              Update transactions.
0xFE                254             Nonquery transactions.
0x100               256             Question packets.
0x200               512             Answer packets.
0x1000              4096            Send packets.
0x2000              8192            Receive packets.
0x4000              16384           UDP packets.
0x8000              32768           TCP packets.
0xFFFF              65535           All packets.
0x10000             65536           AD write transactions.
0x20000             131072          AD update transactions.
0x1000000           16777216        Full packets.
0x80000000          2147483648      Write-through transactions.

DNS debug logging can come in handy if you want to look at the dynamic update requests a particular DNS Server is processing. For example, if a client or DHCP server is attempting to dynamically register records, you can enable the Update Transactions log category on the DNS Server you think should be processing the updates. If you don’t see any update transactions, this can indicate that another server is processing the dynamic update requests.
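To pull the pieces together, here is an added PowerShell example (not the book's code). It builds a /LogLevel value from the category names in Table 14-3, applies it with the dnscmd switches shown in the solution, and then answers the question raised in the previous paragraph, who is sending dynamic updates, by counting inbound UPDATE opcodes per source address in a packet log. The log lines are constructed for the example, not captured from a real server; the parser relies only on the UDP|TCP, Rcv|Snd, remote IP, transaction ID, optional R (response), opcode, bracketed flags, type, and name fields of the packet log, and ignores the version-specific columns in front of them. The function and variable names are the example's own.

```powershell
# Added example, not the book's code. Category values are the Table 14-3 codes.
$LogCategory = @{
    Query = 0x1;       Notify = 0x10;      Update = 0x20;     NonQuery = 0xFE
    Question = 0x100;  Answer = 0x200;     Send = 0x1000;     Receive = 0x2000
    Udp = 0x4000;      Tcp = 0x8000;       AllPackets = 0xFFFF
    AdWrite = 0x10000; AdUpdate = 0x20000; FullPackets = 0x1000000
    WriteThrough = 0x80000000L   # L suffix keeps the value positive (Int64)
}

function Get-DnsLogLevel {
    # Returns the dnscmd-style hex string for the bitwise OR of the named categories.
    param([string[]]$Category)
    $level = [long]0
    foreach ($c in $Category) {
        if (-not $LogCategory.ContainsKey($c)) { throw "unknown log category '$c'" }
        $level = $level -bor $LogCategory[$c]
    }
    '0x{0:X}' -f $level
}

function Enable-DnsUpdateLogging {
    # Update transactions only, both directions, both transports, questions and answers.
    param([string]$Server, [string]$LogPath = 'C:\dnslog.txt', [string[]]$OnlyFrom)
    $level = Get-DnsLogLevel -Category Update, Question, Answer, Send, Receive, Udp, Tcp
    & dnscmd $Server /Config /LogLevel $level
    & dnscmd $Server /Config /LogFilePath $LogPath
    if ($OnlyFrom) { & dnscmd $Server /Config /LogIPFilterList ($OnlyFrom -join ',') }
}

function Get-DnsUpdateSources {
    # Counts inbound UPDATE requests (opcode U, direction Rcv, not a response)
    # per "source -> zone" pair in a packet log.
    param([string[]]$LogLine)
    $rx = '(?<proto>UDP|TCP)\s+(?<dir>Rcv|Snd)\s+(?<ip>[0-9a-fA-F.:]+)\s+(?<xid>[0-9a-fA-F]{4})\s+(?<resp>R)?\s*(?<op>[QNU?])\s+\[(?<flags>[^\]]*)\]\s+(?<type>\S+)\s+(?<name>\S+)'
    $counts = @{}
    foreach ($line in $LogLine) {
        if (-not ($line -match $rx)) { continue }
        if ($Matches.dir -ne 'Rcv' -or $Matches.op -ne 'U' -or $Matches.resp) { continue }
        # the log writes names as (10)rallencorp(3)com(0); turn that back into dotted form
        $zone = ($Matches.name -replace '\(\d+\)', '.').Trim('.')
        $key = "$($Matches.ip) -> $zone"
        $counts[$key] = 1 + $counts[$key]
    }
    $counts
}

# Constructed sample lines in the packet-log layout (not a real capture):
$sample = @(
  '2/20/2006 10:15:03 PM 0E4C PACKET  UDP Rcv 192.168.1.12   0007   Q [0001   D   NOERROR] A      (6)wins01(10)rallencorp(3)com(0)',
  '2/20/2006 10:15:03 PM 0E4C PACKET  UDP Snd 192.168.1.12   0007 R Q [8085 A DR  NOERROR] A      (6)wins01(10)rallencorp(3)com(0)',
  '2/20/2006 10:15:09 PM 0E4C PACKET  UDP Rcv 192.168.1.12   0008   U [0028   D   NOERROR] SOA    (10)rallencorp(3)com(0)',
  '2/20/2006 10:15:09 PM 0E4C PACKET  UDP Snd 192.168.1.12   0008 R U [A828   D   NOERROR] SOA    (10)rallencorp(3)com(0)',
  '2/20/2006 10:15:11 PM 0E4C PACKET  TCP Rcv 192.168.191.15 0009   U [0028   D   NOERROR] SOA    (10)rallencorp(3)com(0)'
)
Get-DnsLogLevel -Category Update, Question, Answer, Send, Receive, Udp, Tcp
Get-DnsUpdateSources -LogLine $sample
```

Against a real log, feed Get-DnsUpdateSources the output of Get-Content on the file set with /LogFilePath. An update source you do not recognize is either a client registering against the wrong server or something that should not be allowed to update the zone at all; either way it is the address to put in /LogIPFilterList for a closer look.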

Problem

You want to clear the DNS cache. The DNS cache contains resource records that are cached by the server or workstation for a period of time in memory so that repeated requests for the same record can be returned immediately. There are two types of DNS cache. One pertains to the cache on the Windows DNS client resolver (this can refer to both server and workstation operating systems when they are requesting DNS information from a server), and the other refers to the cache used by the Microsoft DNS server software.

Solution

To flush the client resolver cache, use the following command:

	 
	> ipconfig /flushdns

To flush the DNS server cache, use any of the following solutions.

Using a graphical user interface
  1. Open the DNS Management snap-in.

  2. Right-click on DNS in the left pane and select “Connect to DNS Server.”

  3. Enter the server you want to connect to and click OK.

  4. Right-click on the server and select Clear Cache.

Using a command-line interface

The following command will clear the cache on <DNSServerName>. You can leave out the <DNSServerName> parameter to simply run the command against the local server:

	> dnscmd <DNSServerName> /clearcache

Using VBScript
	' This code clears the DNS server cache on the specified server.
	' ------ SCRIPT CONFIGURATION ------
	strServer = "<DNSServerName>" ' e.g. dc1.rallencorp.com
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winmgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	set objDNSCache = objDNS.Get("MicrosoftDNS_Cache.ContainerName=""..Cache""" & _
	                             ",DnsServerName=""" & objDNSServer.Name & _
	                             """,Name=""..Cache""")
	objDNSCache.ClearCache
	WScript.Echo "Cleared server cache"

Discussion

The client resolver cache is populated whenever a name is resolved through the normal DNS client on a workstation or server (e.g., by ping or a web browser; nslookup sends its queries straight to the DNS server and neither consults nor populates this cache). It's important to remember that this cache stores negative responses as well as positive ones. For example, if a loss of network connectivity causes DNS queries for an external resource such as a mail server to fail, those queries will keep failing until the negative entries expire from the cache: the names have been negatively cached.

The second type of cache is in place only on Microsoft DNS servers. It is a cache of all DNS requests that the server has made while processing queries from various clients. You can view this cache by browsing the Cached Lookups folder for a server in the DNS Management snap-in. This folder is not shown by default, so you’ll need to select Advanced from the View menu.

With both the client and server cache, records are removed from the cache after the record’s TTL value expires. The TTL is used to age records so that clients and servers will request an updated copy of the record at a later point in order to receive any changes that may have occurred.

Problem

You want to modify the DNS Server settings.

Solution

Using a graphical user interface
  1. Open the DNS Management snap-in.

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable) and click OK.

  3. Right-click on the server and select Properties.

  4. There will be several tabs you can choose from to edit the server settings.

  5. Click OK to commit the changes after you’ve completed your modifications.

Using a command-line interface

With the following command, replace <Setting> with the name of the setting to modify and <Value> with the value to set:

	> dnscmd <DNSServerName> /config /<Setting> <Value>

The following command enables the EnableDnsSec setting on dns01:

	> dnscmd dns01 /config /EnableDnsSec 1

The following command disables the NoTcp setting on the local host:

	> dnscmd /config /NoTcp 0

The following command sets the DsPollingInterval setting to 60 on dns02:

	> dnscmd dns02 /config /DsPollingInterval 60

For the complete list of settings, run dnscmd /config from the command-line.

Using VBScript
	set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	objDNSServer.<Setting> = <Value> ' e.g. objDNSServer.AllowUpdate = TRUE
	objDNSServer.Put_

Discussion

The Microsoft DNS server supports a variety of settings to configure everything from scavenging and forwarders to logging. With the DNS Management snap-in, the settings are spread over several tabs in the Properties dialog box. You can get a list of these settings by simply running dnscmd /config from a command line. For the CLI and VBScript solutions, the setting names are nearly identical. In the VBScript solution, be sure to call the Put_ method after you are done configuring settings in order for the changes to take effect.

Problem

You want to query resource records.

Solution

Using a graphical user interface

The DNS Management snap-in does not provide an interface for searching resource records.

Using a command-line interface

In the following command, replace <RecordType> with the type of resource record you want to find (e.g., A, CNAME, SRV) and <RecordName> with the name or IP address of the record to match:

	> nslookup -type=<RecordType> <RecordName>

Using VBScript
	' This code prints the resource records that match
	' the specified name.
	' ------ SCRIPT CONFIGURATION ------
	strQuery = "<RecordName>" ' e.g. wins01.rallencorp.com
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	' Match the name as a record owner, as a domain, or as record data
	' (the target of a PTR or CNAME record, for example)
	set objRRs = objDNS.ExecQuery(" select * " & _
	                              " from MicrosoftDNS_ResourceRecord" & _
	                              " where OwnerName = """ & strQuery & """" & _
	                              " Or DomainName = """ & strQuery & """" & _
	                              " Or RecordData = """ & strQuery & """")
	if objRRs.Count < 1 then
	   WScript.Echo "No matches found for " & strQuery
	else
	   for each objRR in objRRs
	      WScript.Echo objRR.TextRepresentation
	   next
	end if

Discussion

Using a command-line interface

You can leave off the -type switch, and the command will find any A, PTR, and CNAME records that match <RecordName>.

You can also run nslookup in interactive mode, which you enter by typing nslookup at a command prompt with no additional parameters; there you can change the query type between lookups with set q=<RecordType> (set q=ANY returns records of every type for a name).

Using VBScript

In the VBScript solution, a WQL query was used to find all matching resource records. This is a good example of how powerful the DNS WMI Provider can be. The query attempts to find any object of the MicrosoftDNS_ResourceRecord class that has an OwnerName, DomainName, or RecordData field equal to the <RecordName>. This is not the most efficient query if the server hosts multiple large zones, because it walks every record of every type. To restrict the search to one record type, query the type-specific subclass (MicrosoftDNS_AType, MicrosoftDNS_CNAMEType, MicrosoftDNS_PTRType, MicrosoftDNS_SRVType, and so on) instead of the base class.


Problem

You want to create and delete resource records in a zone.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable) and click OK.
  3. If you want to add or delete a record in a forward zone, expand the Forward Lookup Zone folder. If you want to add or delete a record for a reverse zone, expand the Reverse Lookup Zone folder.

To create a resource record, do the following:

  1. In the left pane, right-click the zone and select the option that corresponds to the record type you want to create, e.g., New Host (A).
  2. Fill in all required fields.
  3. Click OK.

To delete a resource record, do the following:

  1. In the left pane, click on the zone the record is in.
  2. In the right pane, right-click on the record you want to delete and select Delete.
  3. Click Yes to confirm.

Using a command-line interface

To add a resource record, use the following command:

> dnscmd <DNSServerName> /recordadd <ZoneName> <NodeName> <RecordType> <RRData>

The following command adds an A record in the rallencorp.com zone:

> dnscmd dc1 /recordadd rallencorp.com wins01 A 19.25.52.25

To delete a resource record, use the following command:

> dnscmd <DNSServerName> /recorddelete <ZoneName> <NodeName> <RecordType> <RRData>

The following command deletes an A record in the rallencorp.com zone:

> dnscmd dc1 /recorddelete rallencorp.com wins01 A 19.25.52.25

Using VBScript

	' This code shows how to add an A record and PTR record using
	' the DNS WMI Provider.
	' ------ SCRIPT CONFIGURATION ------
	strForwardRRAdd = "test-xp.rallencorp.com. IN A 192.32.64.13"
	strReverseRRAdd = "13.64.32.192.in-addr.arpa IN PTR test-xp.rallencorp.com"
	strForwardDomain = "rallencorp.com"
	strReverseDomain = "192.in-addr.arpa."
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
	set objRR = objDNS.Get("MicrosoftDNS_ResourceRecord")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")

	' Create the A record; objOutParam receives the path of the new record
	strNull = objRR.CreateInstanceFromTextRepresentation( _
	                    objDNSServer.Name, _
	                    strForwardDomain, _
	                    strForwardRRAdd, _
	                    objOutParam)
	set objRR2 = objDNS.Get(objOutParam)
	WScript.Echo "Created Record: " & objRR2.TextRepresentation

	' Create the PTR record
	strNull = objRR.CreateInstanceFromTextRepresentation( _
	                    objDNSServer.Name, _
	                    strReverseDomain, _
	                    strReverseRRAdd, _
	                    objOutParam)
	set objRR2 = objDNS.Get(objOutParam)
	WScript.Echo "Created Record: " & objRR2.TextRepresentation

	' This code shows how to delete an A and PTR record for the record
	' we created in the previous example.
	' ------ SCRIPT CONFIGURATION ------
	strHostName = "test-xp.rallencorp.com."
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	' OwnerName matches the A record; RecordData matches the PTR record
	set objRRs = objDNS.ExecQuery(" select * " & _
	                              " from MicrosoftDNS_ResourceRecord " & _
	                              " where OwnerName = """ & strHostName & """" & _
	                              " Or RecordData = """ & strHostName & """")
	if objRRs.Count < 1 then
	   WScript.Echo "No matches found for " & strHostName
	else
	   for each objRR in objRRs
	      objRR.Delete_
	      WScript.Echo "Deleted " & objRR.TextRepresentation
	   next
	end if

Discussion

Using a graphical user interface

The DNS Management snap-in is good for creating a small number of records, but if you need to add or delete more than a couple of dozen, then we’d recommend writing a batch file around dnscmd or using the DNS WMI Provider to automate the process.

Using a command-line interface

Adding A, CNAME, and PTR resource records is straightforward as far as the data you must enter, but other record types, such as SRV, require quite a bit more data. The help for /recordadd and /recorddelete (dnscmd /recordadd /?) shows the required fields for each record type. For example, to add an SRV record with dnscmd you specify the zone, the node name, and then the priority, weight, port, and target hostname, as in the following example, which registers dc1.rallencorp.com as a Kerberos KDC (port 88) for the rallencorp.com zone:

> dnscmd /recordadd rallencorp.com _kerberos._tcp SRV 50 100 88 dc1.rallencorp.com

Using VBScript

The first example creates A and PTR records using the CreateInstanceFromTextRepresentation method, which is a MicrosoftDNS_ResourceRecord method that allows you to create resource records by passing in the textual version of the record. This is the textual representation of the A record used in the example:

test-xp.rallencorp.com IN A 192.32.64.13

The first parameter to this method is the DNS server name, the second is the name of the domain to add the record to, the third is the resource record, and the last is an out parameter that returns a reference to the new resource record.

The second example finds all resource records that match a certain hostname and deletes them. This is done by first using a WQL query to find all resource records where the OwnerName equals the target hostname (this will match any A records) and where RecordData equals the target hostname (this will match any PTR records). The Delete_ method is called on each matching record, removing them from the DNS server.
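The following PowerShell, an added example rather than the book's code, does the same create, find, and delete work through the DNS WMI Provider with two changes a practitioner would want. Each query names the type-specific subclass (MicrosoftDNS_AType, MicrosoftDNS_PTRType) instead of scanning MicrosoftDNS_ResourceRecord across every zone, and the cleanup removes only the host's A records and the PTR records that point at it, rather than every record whose data happens to equal the name (a CNAME or NS record that refers to the host would otherwise be deleted as well). The server value '.' means the local DNS server; the zone, host, and address values are placeholders, and the function names are the example's own.

```powershell
# Added example, not the book's code. '.' targets the local DNS server;
# zone, host and address values below are placeholders.
param([string]$DnsServer = '.')
$ns = 'root\MicrosoftDNS'

function Get-DnsRecordWmi {
    # $Class is a type-specific subclass (MicrosoftDNS_AType, MicrosoftDNS_PTRType,
    # MicrosoftDNS_CNAMEType, MicrosoftDNS_SRVType, ...), so the provider only
    # touches records of that type instead of every record on the server.
    param([string]$Class, [string]$OwnerName)
    Get-WmiObject -ComputerName $DnsServer -Namespace $ns -Class $Class `
                  -Filter "OwnerName = '$OwnerName'"
}

function Add-DnsRecordWmi {
    # $Text is the record in zone-file syntax, the same form the VBScript solution uses.
    param([string]$Zone, [string]$Text)
    $serverName = (Get-WmiObject -ComputerName $DnsServer -Namespace $ns -Class MicrosoftDNS_Server).Name
    $rrClass    = [wmiclass]"\\$DnsServer\${ns}:MicrosoftDNS_ResourceRecord"
    $result     = $rrClass.CreateInstanceFromTextRepresentation($serverName, $Zone, $Text)
    [wmi]$result.RR     # the out parameter RR holds the path of the new record
}

function Remove-DnsHostRecordsWmi {
    # Deletes the A records owned by $HostName and the PTR records that point
    # at it; CNAME, NS or MX records that merely reference the name are left alone.
    param([string]$HostName)
    $name    = $HostName.TrimEnd('.')
    $removed = @()
    foreach ($a in Get-DnsRecordWmi -Class MicrosoftDNS_AType -OwnerName $name) {
        $removed += $a.TextRepresentation
        $a.Delete()
    }
    # PTR records live in the reverse zones, so they are matched by target, not owner.
    $ptrs = Get-WmiObject -ComputerName $DnsServer -Namespace $ns -Class MicrosoftDNS_PTRType |
        Where-Object { $_.PTRDomainName.TrimEnd('.') -eq $name }
    foreach ($p in $ptrs) {
        $removed += $p.TextRepresentation
        $p.Delete()
    }
    $removed
}

# Usage with the placeholder values from the text:
$new = Add-DnsRecordWmi -Zone 'rallencorp.com' -Text 'test-xp.rallencorp.com. IN A 192.32.64.13'
"Created: $($new.TextRepresentation)"
Add-DnsRecordWmi -Zone '192.in-addr.arpa' -Text '13.64.32.192.in-addr.arpa. IN PTR test-xp.rallencorp.com.' | Out-Null
Get-DnsRecordWmi -Class MicrosoftDNS_AType -OwnerName 'test-xp.rallencorp.com' |
    Select-Object OwnerName, IPAddress, TTL
Remove-DnsHostRecordsWmi -HostName 'test-xp.rallencorp.com' | ForEach-Object { "Deleted: $_" }
```

The PTR lookup still enumerates every PTR record on the server because the reverse zone is not known in advance; if it is, add -Filter "ContainerName = '<ReverseZone>'" to that Get-WmiObject call to narrow it further.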

Problem

You want to delegate control of managing the resource records in a zone.

Solution

Using a graphical user interface
  1. Open the DNS Management snap-in.

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable) and click OK.

  3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone.

  4. Right-click on the name of the zone and select Properties.

  5. Click on the Security tab.

  6. Click the Add button.

  7. Use the Object Picker to locate the user or group to which you want to delegate control.

  8. Under Permissions, check the Full Control box.

  9. Click OK.

Using a command-line interface

The following command grants full control over managing the resource records in an AD-Integrated zone. The /I:T flag makes the grant apply to the zone object and inherit to the dnsNode objects beneath it, which are where the records themselves are stored:

	> dsacls dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN> /I:T /G <UserOrGroup>:GA;;

Using VBScript
	' This code grants full control for the specified user or group over
	' an AD-Integrated zone.
	' ------ SCRIPT CONFIGURATION -------
	strZoneDN = "dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN>"
	strUserOrGroup = "<UserOrGroup>" ' e.g. joe@rallencorp.com or RALLENCORP\joe
	' ------ END CONFIGURATION ---------

	set objZone = GetObject("LDAP://" & strZoneDN)
	'############################
	' Constants
	'############################
	' ADS_ACETYPE_ENUM: a plain allow ACE. The object-specific ACE type (&h5)
	' is only for ACEs limited to one property or child class, and requires
	' an ObjectType GUID; a Full Control grant has neither.
	Const ADS_ACETYPE_ACCESS_ALLOWED = &h0

	' ADS_ACEFLAG_ENUM: inherit to child objects, so the grant also covers
	' the dnsNode objects that hold the zone's resource records
	Const ADS_ACEFLAG_INHERIT_ACE = &h2

	' ADS_RIGHTS_ENUM
	Const ADS_RIGHT_GENERIC_ALL = &h10000000

	'############################
	' Create ACL
	'############################

	set objSD = objZone.Get("nTSecurityDescriptor")
	set objDACL = objSD.DiscretionaryAcl

	' Full Control
	set objACE1 = CreateObject("AccessControlEntry")
	objACE1.Trustee    = strUserOrGroup
	objACE1.AccessMask = ADS_RIGHT_GENERIC_ALL
	objACE1.AceFlags   = ADS_ACEFLAG_INHERIT_ACE
	objACE1.Flags      = 0   ' no ObjectType, so no object-type flag
	objACE1.AceType    = ADS_ACETYPE_ACCESS_ALLOWED

	objDACL.AddAce objACE1

	'############################
	' Set ACL
	'############################
	objSD.DiscretionaryAcl = objDACL
	objZone.Put "nTSecurityDescriptor", objSD
	objZone.SetInfo
	WScript.Echo "Delegated control of " & strZoneDN & " to " & strUserOrGroup

Discussion

By default, members of the DNSAdmins group have control over DNS server and zone configuration. You can delegate control of individual AD-integrated zones by modifying permissions on the zone object in AD. The solutions show examples for how to grant Full Control to an additional user or group over a particular zone.
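To confirm what a delegation actually granted, and to catch over-broad grants made earlier, here is an added PowerShell example (not the book's code) that reads the zone object's DACL through ADSI and lists every Allow ACE carrying rights that amount to control of the records. The zone DN is a placeholder and must point at the dnsZone object itself. Expect to see the inherited defaults as well: Enterprise Admins, Domain Admins, DnsAdmins, and SYSTEM with full control, and Authenticated Users with CreateChild, which is what secure dynamic update relies on; anything else is a delegation somebody made.

```powershell
# Added example, not the book's code. $ZoneDn is a placeholder; it must be the
# dnsZone object itself, not the cn=MicrosoftDNS container above it.
param([string]$ZoneDn = 'dc=rallencorp.com,cn=MicrosoftDNS,dc=DomainDnsZones,dc=rallencorp,dc=com')

$zone  = [ADSI]"LDAP://$ZoneDn"
$acl   = $zone.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# Rights that let a trustee add, change or delete records, or grant itself the ability to.
$control = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, CreateChild, DeleteChild, WriteDacl, WriteOwner'

foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
    if (([int]$rule.ActiveDirectoryRights -band [int]$control) -eq 0) { continue }

    # Translate the SID where possible; orphaned SIDs (deleted accounts) stay as S-1-5-...
    try   { $who = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $rule.IdentityReference.Value }

    # An ACE whose InheritanceType is None covers the zone object only; the records
    # are child dnsNode objects and need All or Descendents to be included.
    if ($rule.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None) {
        $scope = 'zone object only (records NOT covered)'
    } else {
        $scope = [string]$rule.InheritanceType
    }

    [pscustomobject]@{
        Trustee   = $who
        Rights    = $rule.ActiveDirectoryRights
        AppliesTo = $scope
        Inherited = $rule.IsInherited
    }
}
```

A delegated group that shows "zone object only" in AppliesTo has been given control of the zone's properties but not of its records, which is the result of granting Full Control without inheritance; a trustee with only WriteDacl or WriteOwner can give itself the rest at any time and should be treated as having full control.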