Client Interactions
Transcript of the slide deck "Client Interactions" (Active Directory Troubleshooting)

Slide 1: Client Interactions
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com

Slide 2: Client Interactions (Active Directory Troubleshooting)

Slide 3: Client Applications
- Kerberos and NTLM authentication
- Secure Channel: password changes, NTLM pass-through, Kerberos PAC validation
- Group Policy client
- DFS client
- Certificate Autoenrollment client

Slide 4: Client Applications
- NPS (IAS), RRAS, TMG (ISA), RD Gateway (TS Gateway): group membership, Dial-In tab
- RD Host (Terminal Server): Remote Control tab etc., Licensing servers
- DHCP Server: authorization
- IIS: account and group membership for SSL certificate authentication
- WDS: computer MAC addresses or GUIDs

Slide 5: Site Design Scenarios (diagram: one Central site with many Branch sites, hub and spoke)

Slide 6: Site Design Scenarios (diagram: several Office sites, no central site)

Slide 7: Site Design Scenarios (diagram: one Central site with Branch sites)

Slide 8: Network Interactions Recap (DC Location)
Diagram (client 2000+, DCs 2000+):
1. Client → DNS: SRV query for the "any DC" list
2. Client → any DC: LDAP UDP "get my site"
3. Client → DNS: SRV query for "my site DC"
4. Client → my site DC

Slide 9: Network Interactions Recap (2008/Vista+ DC Location)
Diagram (client Vista+, "any DC" 2008+, site DCs 2000+):
1. Client → DNS: SRV query for the "any DC" list
2. Client → any DC (2008+): LDAP UDP "get my site", which also returns the next closest site
3. Client → DNS: SRV query for "my site DC", then Client → my site DC
4. If no DC of my site answers: Client → DNS: SRV query for "close site DC", then Client → close site DC

Slide 10: Network Interactions (Network Logon)
Diagram (client 2000+, server 2000+, DCs 2000+):
- Client ↔ DC (Kerberos): TGT: User, TGS: Server
- Client ↔ Server: app traffic over SMB and D/COM (dynamic TCP ports); the Kerberos service ticket (TGS: Server) and NTLM are carried in-band with it
- Server ↔ DC: NTLM pass-through, occasional PAC validation

Slide 11: Connection Properties
- Bandwidth (Mbps): forget about this
- Latency (ms): round-trip time (RTT); matters for SMB, D/COM, SQL
- Packet loss (per sec., per Mb): packet loss rate (PLR); matters for VPN such as PPTP, SSTP, IP-HTTPS

Slide 12: Timeouts
- DNS: primary DNS = 1 sec., secondary DNSs = 2 sec. ... (1, 2, 2, 4, 8 ...)
- ARP: 600 ms ... 1000 ms
- LDAP UDP site location: 600 ms
- TCP: SYN = 21 sec. (3x retransmission), PSH/ACK = 93 sec. (5x retransmission) ... (3, 6, 12, 24, 48 ...)
- Kerberos (TCP, 3 attempts, KdcSendRetries): 63 sec.

Slide 13: Basic DC Location
- Know the DNS name of the domain
- Query the general DNS DC SRV records: _ldap._tcp.dc._msdcs.idtt.local
- Ping the DC (Windows 2003-)
- LDAP UDP (ping) the DC to get the client's site / close site

Slide 14: Site DC Location
- Site-unaware lookup: NSLOOKUP, SET Q=SRV, _ldap._tcp.dc._msdcs.idtt.local
- Site-specific lookup: NSLOOKUP, SET Q=SRV, _ldap._tcp.Paris._sites.dc._msdcs.idtt.local

Slide 15: Lab: Finding DCs Manually
- Use NSLOOKUP to query for the generic DC list: NSLOOKUP, SET q=SRV, _ldap._tcp.dc._msdcs.idtt.local

Slide 16: Site Example – Single Site (diagram: site London 10.10.x.x with DC1–DC5 and a Client)

Slide 17: Site Example – Multihomed DC (DNS Bitmask Ordering OK) (diagram: sites Paris 10.20.x.x and London 10.10.x.x, DC1–DC5, a Client)

Slide 18: Site Example – Multihomed DC (DNS Bitmask Ordering Error) (diagram: sites Roma 10.30.x.x, Paris 10.20.x.x and London 10.10.x.x, DC1–DC5, a Client)

Slide 19: DNS Record Priority and Weight (screenshot only)

Slide 20: Site Awareness (diagram: sites Berlin 10.50.x.x, Paris 10.20.x.x, Roma 10.30.x.x and London 10.10.x.x with DC1–DC6; the Client asks a DC "where am I?" over anonymous LDAP UDP)

Slide 21: General Operation
- Use DNS to find the generic DC list
- Ping the selected DC (Windows 2003-)
- Anonymous LDAP (UDP) to determine the site: the DC derives the site from the request's source IP address (NAT?)
- Use DNS to find a close DC in the site
- Ping or LDAP UDP to determine availability

Slide 22: DC Locator
- NetLogon Service
- nltest /sc_query:idtt (no network access)
- nltest /sc_verify:idtt (tries to authenticate with the DC)
- nltest /sc_reset:idtt (always performs a new DNS lookup)
- nltest /dsgetsite (anonymous query against the selected DC)

Slide 23: Lab: Check NLTEST Usage
- Try NLTEST to query, verify and reset the secure channel from Seven2 to its London DCs

Slide 24: Limit UDP Site Location to a Central Site? (diagram: sites Berlin 10.50.x.x, Paris 10.20.x.x, Roma 10.30.x.x and London 10.10.x.x with DC1–DC6; the Client's anonymous LDAP UDP "where am I?" query goes to a DC in the central site)

Slide 25: Limiting Generic DC List
- Limit creation of the generic DC DNS records
- GPO: Computer Configuration – Administrative Templates – System – Netlogon – DC Locator DNS Records, setting "DC Locator DNS Records not Registered": Dc Kdc

Slide 26: Limiting Generic DC List (Wise?) (diagram: one Central site with many Branch sites)

Slide 27: Limiting Generic DC List (Wise?) (diagram: several Office sites, no central site)

Slide 28: DFS Client (MUP)
- Multiple UNC Provider (MUP) driver
- Determines its own DFS server referrals: obtains the list of DFS root servers from AD using the default DC from Netlogon
- SYSVOL may therefore be accessed from a different DC
- DFSUTIL /PKTINFO (Windows Server 2003/Windows XP)
- DFSUTIL CACHE REFERRAL (Windows Server 2008/Windows Vista)

Slide 29: DFS Context Menu (screenshot only)

Slide 30: Site Example – Empty Site (diagram: sites Paris 10.20.x.x, Cyprus 10.40.x.x, Roma 10.30.x.x, London 10.10.x.x and Berlin 10.50.x.x with DC1–DC7; the Client in Cyprus, a site without its own DC, uses DC4/DC5)

Slide 31: Site Example – Empty Site (diagram: same sites and DC1–DC7; both DC4/DC5 and DC1–DC3 are candidates to cover the empty Cyprus site for the Client)

Slide 32: Site Example – Empty Site (diagram: same sites; site links with cost 50 and cost 100 decide whether DC4/DC5 or DC1–DC3 cover the empty Cyprus site)

Slide 33: Automatic Site Coverage
- Each DC registers itself for its neighboring empty sites
- HKLM\System\CurrentControlSet\Services\Netlogon: AutoSiteCoverage = DWORD = 1/0
- GPO: Sites Covered by the DC Locator DNS SRV Records

Slide 34: Misplaced or Confused Clients (Active Directory Troubleshooting)

Slide 35: Site Example – Out of Site (diagram: sites Paris 10.20.x.x, Cyprus 10.40.x.x, Roma 10.30.x.x, London 10.10.x.x and Berlin 10.50.x.x with DC1–DC7; the Client at 10.100.0.7 is not in any site's subnet)

Slide 36: Super-netting or Sub-netting (screenshot only)

Slide 37: Out-of-site Clients (screenshot only)

Slide 38: Out-of-site Clients (screenshot only)

Slide 39: Limiting Generic DC List (diagram: sites Paris, Cyprus, Roma, London and Berlin; only DC1–DC3 are in the generic list; the Client at 10.100.0.7 is out of any site)

Slide 40: DC Stickiness
- Once a close DC is selected, the client sticks to it even when moved into a different site; the secure channel must be reset
- Force rediscovery interval: GPO on Vista+, hotfix for Windows XP, also the registry value ForceRediscoveryInterval

Slide 41: Site Example – Until Restart/24 Hours (diagram: site London 10.10.x.x with DC1–DC3 and many Clients)

Slide 42: Site Example – Moving Client (diagram: sites Paris, Cyprus, Roma, London and Berlin with DC1–DC7; the Client, previously in Paris, still uses DC4/DC5)

Slide 43: Lab: Moving the Client
- On Seven2 verify the current DC in use: NLTEST /sc_query:idtt
- Move the client into Paris and update group policy: GPUPDATE
- Verify the current DC in use again: the client should still use the same DC although in a remote site (stickiness)
- Reset the secure channel several times and determine the result: NLTEST /sc_reset:idtt

Slide 44: Client Failover (Active Directory Troubleshooting)

Slide 45: Site Example – Failed DC (diagram: sites Berlin, Paris, Cyprus, Roma and London with DC1–DC7 and a Client)

Slide 46: Lab: Client Failover
- Move the client into Cyprus
- Reset the secure channel and verify it has been connected to DC5
- Unplug DC5 from the network
- Update group policy: GPUPDATE
- Verify the resulting DC in use: NLTEST /sc_query:idtt

Slide 47: Non-close Site DC
- Close site: the client's site, or the next closest site if enabled
- If there is no DC available in the close site: rediscovery every 15 minutes
- HKLM\System\CurrentControlSet\Services\Netlogon\Parameters: CloseSiteTimeout = REG_DWORD = x seconds

Slide 48: Site Example – Next Close Site (diagram: sites Paris, Cyprus, Roma, London and Berlin with DC1–DC7 and a Client)

Slide 49: Site Example – Close Site (diagram: same sites and DC1–DC7; site links with cost 50 and cost 100)

Slide 50: Site Example – Close Site (diagram: same sites and DC1–DC7; the site link costs swapped, cost 100 and cost 50)

Slide 51: Try Next Closest Site
- First, get any DC name from DNS
- Second, query that DC for the client's site name; it returns the client's site plus the closest site (determined by the DC)
- Then query DNS for DCs in the current site and try to use them
- If none responds, the client queries DNS for its next closest site and tries to use the DCs found

Slide 52: Try Next Closest Site
- Does not consider RODC sites by default; can be changed in the registry: NextClosestSiteFilter
- Windows 2003- cannot return the next closest site information: a problem if the "any DC" hit is Windows 2003-, because that DC is then going to be used regardless of its site

Slide 53: Lab: Next Closest Site
- Enable Try Next Closest Site in a GPO
- Have DC5 unplugged from the network
- Update group policy
- Check the resulting DC in use: NLTEST /sc_query:idtt

Slide 54: Client Rules Recap
- Windows 2003-: in current site, then in any site
- Windows Vista+ with Try Next Closest Site: in current site, then in the closest site, then in any site
- If the client is out of any site, find any DC; consider creating subnets for VPNs etc.

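The locator rules recapped above (slides 51, 52 and 54) as an added Python simulation; this is example code written for this transcript, not the deck's or Microsoft's own. The domain idtt.local and the site names come from the slides, while the SRV data, subnets, "next closest site" table and DC versions are constructed assumptions.

```python
import ipaddress
import random

# Constructed DNS data: SRV owner name -> [(priority, weight, target)].
# The generic "any DC" list carries every DC; Cyprus has no DC of its own and is
# covered by the Paris DCs (Automatic Site Coverage); dc7 has a worse priority.
DOMAIN = "idtt.local"
ZONE = {
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        (0, 100, "dc1"), (0, 100, "dc2"), (0, 100, "dc3"), (0, 100, "dc4"),
        (0, 100, "dc5"), (0, 100, "dc6"), (10, 100, "dc7")],
    f"_ldap._tcp.London._sites.dc._msdcs.{DOMAIN}": [
        (0, 100, "dc1"), (0, 100, "dc2"), (0, 100, "dc3")],
    f"_ldap._tcp.Paris._sites.dc._msdcs.{DOMAIN}": [(0, 100, "dc4"), (0, 100, "dc5")],
    f"_ldap._tcp.Roma._sites.dc._msdcs.{DOMAIN}": [(0, 100, "dc6"), (0, 50, "dc7")],
    f"_ldap._tcp.Cyprus._sites.dc._msdcs.{DOMAIN}": [(0, 100, "dc4"), (0, 100, "dc5")],
}
# Constructed AD subnet table (the slides' site names and 10.x0.x.x ranges).
SUBNETS = {"10.10.0.0/16": "London", "10.20.0.0/16": "Paris", "10.30.0.0/16": "Roma",
           "10.40.0.0/16": "Cyprus", "10.50.0.0/16": "Berlin"}
# Constructed "next closest site" per site, i.e. the cheapest site link.
NEXT_CLOSEST = {"Cyprus": "Roma", "Berlin": "London", "Paris": "London",
                "Roma": "Paris", "London": "Paris"}
# Constructed DC versions: a Windows 2003 "any DC" cannot report the next closest site.
DC_OS = {"dc1": 2003, "dc2": 2003, "dc3": 2008, "dc4": 2008,
         "dc5": 2008, "dc6": 2008, "dc7": 2008}


def srv_order(records, rng=random):
    """RFC 2782 order: lowest priority value first, weighted-random inside a priority."""
    ordered = []
    for prio in sorted({p for p, _, _ in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            point, acc = rng.randint(0, sum(w for _, w, _ in group)), 0
            for rec in group:
                acc += rec[1]
                if acc >= point:
                    break
            group.remove(rec)
            ordered.append(rec[2])
    return ordered


def site_of(ip):
    """What the DC does with the source address of the anonymous LDAP UDP ping:
    longest-prefix match against the AD subnet table (None = out of any site)."""
    addr, best = ipaddress.ip_address(ip), None
    for net, site in SUBNETS.items():
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, site)
    return best[1] if best else None


def first_alive(srv_name, alive, rng=random):
    """Walk the SRV answer in RFC 2782 order and return the first DC that answers."""
    return next((dc for dc in srv_order(ZONE.get(srv_name, []), rng) if dc in alive), None)


def locate_dc(client_ip, alive, try_next_closest, rng=random, dc_os=DC_OS):
    """Returns {"dc", "site", "via"}: the DC chosen and which rule produced it."""
    any_dc = first_alive(f"_ldap._tcp.dc._msdcs.{DOMAIN}", alive, rng)   # step 1
    if any_dc is None:
        return {"dc": None, "site": None, "via": None}
    site = site_of(client_ip)                                             # step 2
    if site is not None:
        dc = first_alive(f"_ldap._tcp.{site}._sites.dc._msdcs.{DOMAIN}", alive, rng)
        if dc:                                                            # step 3
            return {"dc": dc, "site": site, "via": "current site"}
        # step 4: only Vista+ with the policy on, and only if the "any DC" hit
        # is 2008+ (a 2003 DC cannot return the next closest site at all)
        if try_next_closest and dc_os[any_dc] >= 2008 and site in NEXT_CLOSEST:
            close = NEXT_CLOSEST[site]
            dc = first_alive(f"_ldap._tcp.{close}._sites.dc._msdcs.{DOMAIN}", alive, rng)
            if dc:
                return {"dc": dc, "site": site, "via": f"next closest site ({close})"}
    # step 5: out of any site, or nothing closer answered: any DC at all
    return {"dc": any_dc, "site": site, "via": "any site"}
```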
Slide 55: General Best Practice
- Use only AD DNS servers on clients
- Do not use multi-homed DCs
- Define all IP ranges in AD; may use super-netting if necessary
- Limit the generic DC list: site UDP location, out-of-site clients, DC failure; may use static GPO site assignment
- Force rediscovery
- Try next closest site

Slide 56: RODC (Active Directory Troubleshooting)

Slide 57: Read-only DC
- Physically insecure locations
- Only specified password hashes
- Read-only database: other DCs are not willing to replicate back from the RODC
- Local Administrator: Managed By tab in the DC properties

Slide 58: RODC Scenario (diagram: London 10.10.x.x with DC1 (2003), DC2 (2003) and DC3 (2008, GC); Cyprus 10.40.x.x with DC5 (2008), a server SRV and a client CL1)

Slide 59: Requirements
- Forest functional level 2003
- Domain functional level 2003
- Global catalogue 2003+: understands confidential attributes
- At least one writable 2008+ DC

Slide 60: RODC and Windows 2003
- Windows 2003 does not consider RODC
- Does not construct replication connections

Slide 61: RODC and Windows 2003
- Disable Auto Site Coverage: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters: AutoSiteCoverage = REG_DWORD = 0
- Or install the RODC compatibility pack for Windows 2003, XP (11 issues): KB 944043

Slide 62: DNS Locator Records (screenshot only)

Slide 63: Password Caching
- Passwords are only cached once the user logs on (using a writable DC the first time); can be prepopulated
- If the logon fails on the RODC, the request is forwarded to another, writable DC; if that is offline, password expiration is ignored

Slide 64: Password Caching/Forwarding (diagram: same RODC scenario as slide 58; the RODC forwards the logon to a writable DC when the password is not cached yet, not cached yet after a recent password change, wrong password, expired password, or the account is locked)

Slide 65: Write Referrals (diagram: same RODC scenario; an update tried on the RODC gets a referral returned, and the client then tries the update directly on the referred writable DC)

Slide 66: Write Referral Problems
- BitLocker: SP1 for Windows 2008/Vista
- Managed Service Accounts: SP1 for Windows 2008 R2/Windows 7

Slide 67: Account Lockout
- Accounts are locked locally; the lockout is not replicated
- But the failed attempt is also reattempted on a writable DC, so the lockout then replicates from there

Slide 68: Expired Passwords
- pwdLastSet older than allowed by policy
- Logon attempt fails completely; the password must be changed out-of-band and the logon then attempted again

Slide 69: Expired Password (diagram: CL1 → DC: logon; error: expired (pwdLastSet from before 3 months); password change; logon: ok (pwdLastSet actual))

Slide 70: Discarding RODC (screenshot only)

Slide 71: RODC DMZ Scenario
- Only the RODC has internal domain access
- Cannot join the domain normally: use a join script (+ RODC compatibility pack)
- Cannot change machine passwords
- Cannot determine their site from the "any DC list": HKLM\SYSTEM\CCS\Services\Netlogon\Parameters: SiteName = REG_SZ
- Cannot update the AD account: operating system, service principal names

Slide 72: DNS Integration (Active Directory Troubleshooting)

Slide 73: DNS Integration
- Clients find DCs by domain/site name
- DCs find replication partners according to their GUID
- Netlogon de/registers the locator records
- DNS stores its data in: the domain partition, the DomainDnsZones application partition, the ForestDnsZones application partition

Slide 74: Netlogon De/registration
- Netlogon registers its own records at startup and deregisters them at shutdown
- Requires DNS registration enabled on at least one network adapter
- Does not require the DNS/DHCP Client service
- %windir%\System32\Config\netlogon.dns
- It does not touch others' records
- Autosite coverage turned on by default

Slide 75: Netlogon De/registration
- Restarting Netlogon
- NLTEST /DSREGDNS: force reregistration
- NLTEST /DSQUERYDNS: query last status
- Does not require the DNS/DHCP Client service and does not react to /REGISTERDNS

Slide 76: AD Integrated Zones
- Offer Secure Dynamic Update
- Timestamping: trimmed to whole hour
- Aging and scavenging: records deleted by default between 14–21 days of their age

Slide 77: DNS Application Partitions
- Domain partition: CN=MicrosoftDNS,CN=System,DC=...
- DomainDnsZones: replicated to all DNS Servers which are also DCs for the domain
- ForestDnsZones: replicated to all DNS Servers which are also DCs for the forest

Slide 78: Secure Dynamic Update
- Client-side feature: DHCP Client on Windows 2003-, DNS Client on Windows Vista+; IPCONFIG /REGISTERDNS
- DNS Server must be on a DC to authenticate clients with Kerberos
- All Authenticated Users can create new records
- When a record is created, only the creator/owner can modify/update it

Slide 79: Secure Dynamic Update
- Updates done regularly by clients: once a day by default by the DNS/DHCP Client, once a day by Netlogon, once a day by the Cluster Service
- Default TTL is 20 minutes
- Disable DHCP dynamic updates: insecure!

Slide 80: Dynamic Update (diagram: the Client asks its configured DNS1, a secondary DNS, for the SOA (1); the SOA names the primary DNS (2); the Client sends the Update to the primary DNS (3))

Slide 81: Adjust A/PTR Record TTL (screenshot only)

Slide 82: Dynamic Update and Replication (diagram: DNS → AD: 0 sec.; AD → AD: 15–21 sec. within a site, by schedule between sites; AD → DNS: 0–3 min.)

Slide 83: Dynamic Update and Replication (screenshot only)

Slide 84: Speed Up the Refresh (screenshot only)

Slide 85: DHCP and Dynamic Update
- DHCP acts only on behalf of its clients; the client must provide its name (anonymously)
- Domain member computers since Windows 2000 register themselves
- DHCP registers only workgroup computers, mobile phones, printers, scanners, network devices, crap...
- Insecure, chaotic, unnecessary, corrupting

Slide 86: Disabling DHCP Dynamic Update (screenshot only)

Slide 87: Dynamic DNS Update on RODC
- Each writable DC returns itself as the primary DNS
- An RODC returns either (random) writable DC as the primary DNS

Slide 88: Dynamic DNS Update on RODC (diagram: the Client queries the RODC's read-only DNS for the SOA (1) and sends the Update to the writable DC's DNS (2), which writes it into AD with 0 sec. delay)

Slide 89: Dynamic DNS Update on RODC (diagram: after the update reaches AD on the writable DC (0 sec.), the RODC's DNS requests replicateSingleObject once DsRemoteReplicationDelay (default 30 sec.) has passed, instead of waiting the 0–3 min. of normal polling)

Slide 90: DsRemoteReplicationDelay
- Determines how long the RODC's DNS server waits until it requests replication of the single object
- Default = 30 sec.; minimum = 5 sec.
- Do not forget the DsPollingInterval

Slide 91: Time Stamping/Aging
- Record created: timestamp trimmed to the whole hour
- No-refresh period starts: by default 7 days; the timestamp does not change if the record does not change
- Refresh period follows: by default the next 7 days; the timestamp gets updated at the first update

Slide 92: Scavenging
- Server-wide configuration
- Should be done by only one DNS Server as best practice
- By default occurs only once per 7 days

Slide 93: DNS Aging and Scavenging
- Per-zone setting, implemented by all DNS servers
- Timestamp updates only during the refresh interval: limits replication traffic

Slide 94: DNS Aging and Scavenging
- Per-server setting: should be done only by one of the DNS servers

Slide 95: DNS Aging and Scavenging (screenshot only)

Slide 96: DnsTombstoned = TRUE
- Scavenged records remain in AD for another DsTombstoneInterval before they are deleted from AD; default 7 days
- Checked and potentially deleted every day at 2:00
- Aimed to decrease replication traffic and limit DNT/USN exhaustion

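The timestamp arithmetic behind slides 91, 92 and 96 (hour-trimmed timestamps, the no-refresh and refresh periods, a weekly scavenging run that tombstones rather than deletes, and the daily DsTombstoneInterval purge), as an added Python example written for this transcript rather than code from the deck. Record names, addresses and times are constructed; the intervals are the slide defaults.

```python
from datetime import datetime, timedelta

# Slide defaults: 7-day no-refresh period, 7-day refresh period, 7-day DsTombstoneInterval,
# scavenging run once per 7 days.
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)
DS_TOMBSTONE_INTERVAL = timedelta(days=7)
SCAVENGING_PERIOD = timedelta(days=7)


def trim_to_hour(t):
    """Windows DNS keeps record timestamps at whole-hour granularity."""
    return t.replace(minute=0, second=0, microsecond=0)


class DnsRecord:
    def __init__(self, name, data, created):
        self.name, self.data = name, data
        self.timestamp = trim_to_hour(created)
        self.tombstoned_at = None            # set when DnsTombstoned becomes TRUE

    def dynamic_update(self, now, data=None):
        """Apply a client (re)registration. Returns True when the timestamp is
        rewritten, i.e. when AD actually has something to replicate."""
        changed = data is not None and data != self.data
        if changed:
            self.data = data
        if not changed and now < self.timestamp + NO_REFRESH:
            return False                     # pure refresh inside the no-refresh period: ignored
        self.timestamp = trim_to_hour(now)   # first update in the refresh period, or a real change
        return True

    def stale_at(self):
        """Earliest moment a scavenging run may pick the record up."""
        return self.timestamp + NO_REFRESH + REFRESH


def scavenge(records, now):
    """One scavenging run on the single server configured for it: stale records
    are not deleted from AD but marked DnsTombstoned = TRUE. Returns those records."""
    hit = [r for r in records if r.tombstoned_at is None and now >= r.stale_at()]
    for r in hit:
        r.tombstoned_at = now
    return hit


def purge_tombstones(records, now):
    """The daily 02:00 check: tombstones older than DsTombstoneInterval leave AD."""
    return [r for r in records
            if r.tombstoned_at is None or now < r.tombstoned_at + DS_TOMBSTONE_INTERVAL]


def dns_removal_age(record, next_run):
    """Age of the record when it disappears from DNS, given the next scavenging run
    at next_run and runs repeating every SCAVENGING_PERIOD: this is why the deck
    quotes 14 to 21 days rather than a fixed 14."""
    run = next_run
    while run < record.stale_at():
        run += SCAVENGING_PERIOD
    return run - record.timestamp
```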
Slide 97: DNS Best Practice (diagram: DC1 and DC2, each running a DNS Server backed by its own AD copy)

Slide 98: DNS Waiting for AD (screenshot only)

Slide 99: DNS Best-Practice Reasons
- Faster boot time without errors and timeouts
- Deregistration at shutdown is recorded in a live DNS Server; it would have problems replicating if sent into the shutting-down DC

Slide 100: Client DNS Balancing
- Clients do not balance DNS servers: queries/updates always use the first one if possible
- DHCP server does not use round robin
- Configuration must be done "manually": manually on servers, more DHCP scopes for clients

Slide 101: Client DNS Non-balancing (screenshot: always alternate the DNS server IP addresses)

Slide 102: Client DNS Non-balancing (diagram: Client1, Client2 and Client3 all list DNS1 first and DNS2 second, so DNS1 takes all the load)

Slide 103: DNS Client Settings
- HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
- Timeouts: DNSQueryTimeouts
- Disjoint namespace on multihomed machines: DisjointNameSpace, PrioritizeRecordData
- GPO: DNS suffix appending on Vista+

Slide 104: DNS Server UDP Pool
- After applying KB 953230, DNS Server reserves 2500 UDP ports
- HKLM\System\CurrentControlSet\Services\DNS\Parameters: SocketPoolSize = DWORD = 2500
- DNSCMD /Config /SocketPoolSize 2500

Slide 105: DNS Cache Pollution
- A rogue attacker's DNS server for idtt.com at 1.2.3.4 answers the question www.idtt.com, type A, with no answer records but an authority section of: idtt.com SOA; idtt.com NS a.gtld-servers.net; a.gtld-servers.net A 1.2.3.4
- Or the same answer carries the authority section: microsoft.com NS ns.idtt.com; ns.idtt.com A 1.2.3.4
- SecureResponses: enabled by default since 2000 SP3

Slide 106: DNS Cache Locking
- Further limits cache poisoning, as already improved by the UDP pool
- Records present in the cache cannot be updated before their TTL expires; prevents cache poisoning in some scenarios (frequently visited sites are already in the cache)
- Windows 2008 R2: enabled by default at 100%; CacheLockingPercent = DWORD = 0–100

Slide 107: Performance Considerations
- MaxCacheTtl: maximum TTL limit on cached RRs; by default 1 day maximum
- MaxNegativeCacheTtl: by default 15 minutes

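How the three settings of slides 106 and 107 interact inside a resolver cache, as an added Python example written for this transcript (not the deck's code and not the DNS Server's implementation): CacheLockingPercent refuses to overwrite an entry until that fraction of its TTL has elapsed, and MaxCacheTtl / MaxNegativeCacheTtl clamp what is stored. Defaults are the slide values; the record names, addresses and clock values are constructed.

```python
class ResolverCache:
    """Positive and negative cache of a recursive DNS server with the knobs from the
    slides; times are integer seconds so the example runs without a real clock."""

    def __init__(self, cache_locking_percent=100, max_cache_ttl=86400,
                 max_negative_cache_ttl=900):
        if not 0 <= cache_locking_percent <= 100:
            raise ValueError("CacheLockingPercent must be 0-100")
        self.lock_pct = cache_locking_percent      # CacheLockingPercent (default 100)
        self.max_ttl = max_cache_ttl               # MaxCacheTtl (default 1 day)
        self.max_neg_ttl = max_negative_cache_ttl  # MaxNegativeCacheTtl (default 15 min)
        self._entries = {}                         # (name, type) -> entry dict

    def _key(self, name, rtype):
        return (name.rstrip(".").lower(), rtype.upper())

    def store(self, name, rtype, data, ttl, now):
        """Cache an answer (data=None is a negative answer). Returns False when an
        entry is still inside the locked fraction of its TTL and is therefore kept."""
        key = self._key(name, rtype)
        cur = self._entries.get(key)
        if cur is not None:
            locked_until = cur["inserted"] + cur["ttl"] * self.lock_pct / 100
            if now < locked_until:
                return False      # cache locking: a later answer cannot replace this one yet
        ttl = min(ttl, self.max_neg_ttl if data is None else self.max_ttl)
        self._entries[key] = {"data": data, "inserted": now, "ttl": ttl}
        return True

    def lookup(self, name, rtype, now):
        """Returns (hit, data): hit is False on a miss, data is None for a cached negative."""
        key = self._key(name, rtype)
        cur = self._entries.get(key)
        if cur is None or now >= cur["inserted"] + cur["ttl"]:
            self._entries.pop(key, None)      # expired entries are dropped lazily
            return (False, None)
        return (True, cur["data"])

    def ttl_remaining(self, name, rtype, now):
        cur = self._entries.get(self._key(name, rtype))
        if cur is None:
            return 0
        return max(0, cur["inserted"] + cur["ttl"] - now)
```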
Slide 108: General Best Practice
- More than 2 DNS servers are usually unnecessary for a site
- Enable DNS Aging and Scavenging
- May decrease DsPollingInterval
- May shorten the client update refresh interval
- Alter clients' DNS settings to rotate the DNS server addresses
- Disable DHCP dynamic update