![Page 1: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/1.jpg)
CLIENT INTERACTIONS
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |
![Page 2: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/2.jpg)
INTRO: Active Directory Client Interactions
![Page 3: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/3.jpg)
Central Database
- LDAP – Lightweight Directory Access Protocol: database query language, similar to SQL; TCP/UDP 389, SSL TCP 636
- Global Catalog (GC) – TCP/UDP 3268, SSL TCP 3269
- D/COM Dynamic TCP – Replication
- Kerberos – UDP/TCP 88
- Windows NT 4.0 SAM – SMB/CIFS TCP 445 (or NetBIOS): password resets, SAM queries
- SMB/DCOM Dynamic TCP: NTLM pass-through, Kerberos PAC validation
![Page 4: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/4.jpg)
Design Considerations
- Distributed system: DCs disconnected for very long times (several months)
- Multimaster replication, with some FSMO roles
![Page 5: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/5.jpg)
Design Considerations
Example: Caribbean cruises, DC/IS/Exchange on board with tens of workstations and users, some staff hired during the journey. No or bad satellite connectivity only. DCs synced after the ship is berthed at the main office.
Challenge: Must work independently for long time periods. Different independent cruise liners/DCs can accommodate changes to user accounts, email addresses, Exchange settings. Cannot afford the loss of any one.
![Page 6: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/6.jpg)
Database
- Microsoft JET engine (JET Blue), common with Microsoft Exchange; used by DHCP, WINS, COM+, WMI, CA, CS, RDS Broker
- %WINDIR%\NTDS\NTDS.DIT
- ESENTUTL
- Opened by LSASS.EXE
![Page 7: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/7.jpg)
Installed services
Diagram: LSASS hosts the following services and listeners, all backed by NTDS.DIT:
- Security Accounts Manager – SMB + Named Pipes, TCP 445
- Kerberos Key Distribution Center – Kerberos, UDP/TCP 88
- Active Directory Domain Services – LDAP, UDP/TCP 389, ...
- D/COM Dynamic TCP
![Page 8: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/8.jpg)
Network Interactions (DC Location)
Diagram: Client (2000+) → DNS: SRV query for any DC list → Any DC (2000+): LDAP UDP "Get My Site" → DNS: SRV query for My Site DC → My Site DC (2000+)
![Page 9: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/9.jpg)
Network Interactions (2008/Vista+ DC Location)
Diagram: Client (Vista+) → DNS: SRV query for any DC list → Any DC (2008+): LDAP UDP "Get My Site" returns My Site and Next Closest Site → DNS: SRV query for My Site DC, and if none answers, SRV query for Close Site DC → My Site DC (2000+) or Close Site DC (2000+)
![Page 10: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/10.jpg)
Network Interactions (Join Domain)
Diagram: Client (2000+) ↔ DC (2000+): Kerberos – TGT: User, TGT: CIFS; SMB – SAM Interface
![Page 11: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/11.jpg)
Network Interactions (Local Logon)
Diagram: Client (2000+) ↔ DC (2000+): Kerberos – TGT: User, TGS: LDAP, CIFS; LDAP – GPO List; SMB – GPO Download
![Page 12: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/12.jpg)
Network Interactions (Kerberos Network Logon)
Diagram: Client (2000+) → DC (2000+): Kerberos – TGT: User, TGS: Server; Client → Server (2000+): App Traffic with in-band TGS: Server; Server → DC (2000+): Occasional PAC Validation over SMB / D/COM Dynamic TCP
![Page 13: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/13.jpg)
Network Interactions (NTLM Network Logon)
Diagram: Client (2000+) → Server (2000+): App Traffic with in-band NTLM; Server → DC (2000+): Pass-through NTLM over SMB / D/COM Dynamic TCP
![Page 14: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/14.jpg)
Network Interactions (Basic/RDP Logon)
Diagram: Client (2000+) → Server (2000+): App Traffic with in-band clear text; Server → DC (2000+): Kerberos – TGT: User
![Page 15: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/15.jpg)
ATTRIBUTE NOTES: Active Directory Replication
![Page 16: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/16.jpg)
Attribute Types
- string, integer, datetime, boolean, binary
- DN reference
- multivalue: up to 5000 items
- linked multivalue: unlimited, requires 2003 Forest Level
- backlink: memberOf
- computed: primaryGroupToken, tokenGroups, lastLogonTimestamp
- write-only attributes: unicodePwd
![Page 17: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/17.jpg)
Group membership
Diagram: CN=Sales,OU=Groups,DC=... carries member (link) values CN=Kamil,OU=London,DC=..., CN=Judith,OU=Paris,DC=..., CN=Victor,OU=London,DC=... and CN=Stan,OU=London,DC=...; Judith's memberOf (backlink) lists CN=Sales,OU=Groups,DC=... and CN=IS Access,OU=Groups,DC=...
![Page 18: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/18.jpg)
(Not) replicated attributes
- Not replicated: logonCount, badPasswordCount, badPasswordTime, lastLogon, lastLogoff
- Replicated: pwdLastSet, lockoutTime, lastLogonTimestamp (since 2003)
![Page 19: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/19.jpg)
Logon timestamps (2003 DFL)
Diagram: one Client and three DCs; each DC holds its own non-replicated lastLogon (11:38, 9:00, -) while the replicated lastLogonTimestamp reads 11:00 on all three
![Page 20: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/20.jpg)
lastLogonTimestamp
- Requires 2003 domain level
- Updated only once per 14-random(5) days
- DC=idtt,DC=local msDS-LogonTimeSyncInterval: 1+ – minimum without randomization; 5+ – randomization starts; 14 – the default ...
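As an added example (not from the slides), the update rule above in Python: FILETIME conversion for the raw attribute value, the 14-random(5) threshold, and a stale-account filter that widens its cutoff by the sync interval. The exact randomization (a random 0..4 days subtracted once the interval is 5 or more) is an assumption drawn from the slide's wording.

```python
# Added example, not from the slides: models the lastLogonTimestamp update rule
# so that "inactive account" reports are read with the right margin of error.
# Assumption: intervals below 5 are used as-is; from 5 upward a random 0..4 days
# is subtracted (the slide's "14 - random(5)").
import random
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# AD stores lastLogonTimestamp as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME integer (as read from LDAP) to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, done in integers to avoid float rounding on 1e17 ticks."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def update_threshold_days(sync_interval_days: int, random_days: int) -> int:
    """Age the stored value must exceed before a logon rewrites it.

    msDS-LogonTimeSyncInterval below 5 is used without randomization;
    from 5 upward the DC subtracts random_days (0..4) from it.
    """
    if sync_interval_days < 5:
        return max(1, sync_interval_days)
    return sync_interval_days - random_days


def should_update_last_logon_timestamp(stored_filetime: int, logon_time: datetime,
                                       sync_interval_days: int = 14,
                                       random_days: Optional[int] = None) -> bool:
    """Decide whether this logon causes a replicated lastLogonTimestamp write."""
    if random_days is None:
        random_days = random.randrange(5)      # what the DC rolls for this logon
    if stored_filetime == 0:                   # never set: the first logon writes it
        return True
    age = logon_time - filetime_to_datetime(stored_filetime)
    return age > timedelta(days=update_threshold_days(sync_interval_days, random_days))


def stale_accounts(entries: Dict[str, int], now: datetime, cutoff_days: int,
                   sync_interval_days: int = 14) -> List[str]:
    """Accounts whose replicated lastLogonTimestamp is older than the cutoff.

    The value lags real logons by up to sync_interval_days, so the cutoff is
    widened by that interval: an account is reported only when it could not
    have logged on within cutoff_days even in the worst case.
    """
    limit = now - timedelta(days=cutoff_days + sync_interval_days)
    return sorted(name for name, ft in entries.items()
                  if ft != 0 and filetime_to_datetime(ft) < limit)


if __name__ == "__main__":
    # Constructed sample: one account last seen 2024-01-01, checked on 2024-06-01.
    t0 = datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(stale_accounts({"alice": t0, "svc": 0}, now, cutoff_days=90))
```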
![Page 21: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/21.jpg)
Password changes
Diagram: Client → DC: Password Change; DC → PDC: immediate replication of the password hash; the hash reaches the remaining DCs by normal replication
![Page 22: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/22.jpg)
Password changes
Diagram: Client, three DCs and the PDC; pwdLastSet is shown on every DC and on the PDC
![Page 23: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/23.jpg)
Authentication failures
Diagram: Client, two DCs and the PDC; the client uses pwd1 and every DC and the PDC hold pwd1
![Page 24: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/24.jpg)
Authentication failures
Diagram: the client now uses pwd2; the PDC and one DC already hold pwd2 while another DC still holds pwd1
![Page 25: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/25.jpg)
Authentication failures
Diagram: the client presents pwd2 to the DC that still holds pwd1; the PDC and the other DC hold pwd2
![Page 26: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/26.jpg)
Authentication failures
Diagram: each DC keeps its own badPasswordCount for the client's failed attempts (3, 2, 2); the PDC accumulates them as badPasswordCount 7 and sets lockoutTime
![Page 27: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/27.jpg)
DC LOCATION: Active Directory Client Interactions
![Page 28: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/28.jpg)
Client Applications
- Kerberos and NTLM authentication
- Secure Channel: password changes, NTLM pass-through, Kerberos PAC validation
- Group Policy client
- DFS client
- Certificate Autoenrollment client
![Page 29: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/29.jpg)
Client Applications
- NPS (IAS), RRAS, TMG (ISA), RD Gateway (TS Gateway): group membership, Dial-In tab
- RD Host (Terminal Server): Remote Control tab etc., Licensing servers
- DHCP Server: authorization
- IIS: account and group membership for SSL certificate authentication
- WDS: computer MAC addresses or GUIDs
![Page 30: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/30.jpg)
Connection Properties
- Bandwidth (Mbps): forget about this
- Latency (ms): round-trip time (RTT) – SMB, D/COM, SQL
- Packet Loss (per sec., per Mb): packet loss rate (PLR) – VPN such as PPTP, SSTP, IP-HTTPS
![Page 31: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/31.jpg)
Timeouts
- DNS: primary DNS = 1 sec., secondary DNSs = 2 sec., ... 1 2 2 4 8 ...
- ARP: ... 600 ms 1000 ms
- LDAP UDP Site Location: 600 ms
- TCP: SYN = 21 sec. (3x retransmission), PSH/ACK = 93 sec. (5x retransmission), ... 3 6 12 24 48 ...
![Page 32: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/32.jpg)
Basic DC location
- Know the DNS name of the domain
- Query general DNS DC SRV records: _ldap._tcp.dc._msdcs.idtt.local
- Ping DC (Windows 2003-)
- LDAP UDP (ping) DC to get the client's site/close site
![Page 33: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/33.jpg)
DNS Domain Location
- Makes use of DNS round robin
- Site unaware lookup: NSLOOKUP, SET Q=SRV, _ldap._tcp.dc._msdcs.idtt.local
- Site specific lookup: NSLOOKUP, SET Q=SRV, _ldap._tcp.Paris._sites.dc._msdcs.idtt.local
![Page 34: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/34.jpg)
Site Example – Single Site
Diagram: site London 10.10.x.x with DC1–DC5 and the Client
![Page 35: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/35.jpg)
Site Example – Multihomed DC (DNS Bitmask Ordering)
Diagram: sites Paris 10.20.x.x and London 10.10.x.x with DC1–DC5 and the Client
![Page 36: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/36.jpg)
Site Awareness
Diagram: sites London 10.10.x.x, Paris 10.20.x.x, Roma 10.30.x.x and Berlin 10.50.x.x with DC1–DC6; the Client asks a DC "where am I?" over anonymous LDAP UDP
![Page 37: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/37.jpg)
General Operation
- Use DNS to find generic DC list
- Ping selected DC (Windows 2003-)
- Anonymous LDAP (UDP) to determine site: the DC defines the site from the request source IP address (NAT?)
- Use DNS to find close DC in site
- Ping or LDAP UDP to determine availability
![Page 38: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/38.jpg)
DC Locator
- NetLogon Service
- nltest /sc_query:idtt – no network access
- nltest /sc_verify:idtt – tries to authenticate with the DC
- nltest /sc_reset:idtt – always performs new DNS lookup
- nltest /dsgetsite – anonymous query against selected DC
![Page 39: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/39.jpg)
DFS Client (MUP)
- Multiple UNC provider (MUP) driver
- Determines its own DFS server referrals: obtains the list of DFS root servers from AD using the default DC from Netlogon
- SYSVOL may be accessed from a different DC
- DFSUTIL /PKTINFO – Windows Server 2003/Windows XP
- DFSUTIL CACHE REFERRAL – Windows Server 2008/Windows Vista
![Page 40: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/40.jpg)
Site Example – Empty Site
Diagram: sites London 10.10.x.x, Paris 10.20.x.x, Roma 10.30.x.x, Cyprus 10.40.x.x and Berlin 10.50.x.x with DC1–DC7; the Client sits in a site with no DC of its own and is served by DC4 and DC5
![Page 41: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/41.jpg)
Automatic Site Coverage
- Each DC registers itself for its neighboring empty sites
- HKLM\System\CurrentControlSet\Services\Netlogon: AutoSiteCoverage = DWORD = 1/0
- GPO: Sites Covered by the DC Locator DNS SRV Records
![Page 42: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/42.jpg)
MISPLACED OR CONFUSED CLIENTS: Active Directory Troubleshooting
![Page 43: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/43.jpg)
Site Example – Out of Site
Diagram: sites London 10.10.x.x, Paris 10.20.x.x, Roma 10.30.x.x, Cyprus 10.40.x.x and Berlin 10.50.x.x with DC1–DC7; the Client at 10.100.0.7 belongs to none of the defined subnets
![Page 44: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/44.jpg)
Out-of-site clients
![Page 45: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/45.jpg)
Out-of-site clients
![Page 46: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/46.jpg)
Limiting generic DC list
- Limit creation of generic DC DNS records
- GPO: Computer Configuration – Administrative Templates – System – Netlogon – DC Locator DNS Records – DC Locator DNS Records not Registered: Ldap, Kdc
![Page 47: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/47.jpg)
DC Stickiness
- When one close DC is selected, the client sticks to it even when moved into a different site; the secure channel must be reset
- Force rediscovery interval: GPO on Vista+, hotfix for Windows XP, also the registry value ForceRediscoveryInterval
![Page 48: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/48.jpg)
Site Example – Moving Client
Diagram: sites London 10.10.x.x, Paris 10.20.x.x, Roma 10.30.x.x, Cyprus 10.40.x.x and Berlin 10.50.x.x with DC1–DC7; the Client, previously in Paris, keeps using DC4 and DC5 after moving
![Page 49: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/49.jpg)
CLIENT FAILOVER: Active Directory Troubleshooting
![Page 50: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/50.jpg)
Site Example – Failed DC
Diagram: sites London 10.10.x.x, Paris 10.20.x.x, Roma 10.30.x.x, Cyprus 10.40.x.x and Berlin 10.50.x.x with DC1–DC7 and the Client; the DC in the client's site has failed
![Page 51: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/51.jpg)
Non-close Site DC
- Close site: client's site, next closest site if enabled
- If there is no DC available in the close site, rediscovery every 15 minutes
- HKLM\System\CurrentControlSet\Services\Netlogon\Parameters: CloseSiteTimeout = REG_DWORD = x seconds
![Page 52: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/52.jpg)
Site Example – Close Site
Diagram: sites London 10.10.x.x, Paris 10.20.x.x, Roma 10.30.x.x, Cyprus 10.40.x.x and Berlin 10.50.x.x with DC1–DC7; the Client fails over to a DC in the close site
![Page 53: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/53.jpg)
Try Next Closest Site
- First get any DC name from DNS
- Second query the DC for the client's site name; it returns the client's site plus the closest site (determined by the DC)
- Then query DNS for DCs in its current site and try to use those DCs
- If none responds, the client queries DNS for its next closest site and tries to use the found DCs
![Page 54: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/54.jpg)
Try Next Closest Site
- Does not consider RODC sites by default; can be changed in the registry: NextClosestSiteFilter
- Windows 2003- cannot return the next closest site information: problem if the hit "any DC" is Windows 2003-, it is then going to be used regardless of its site
![Page 55: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/55.jpg)
Client Rules Recap
- Windows 2003-: in current site, then in any site
- Windows Vista+ with Next closest site: in current site, then in the closest site, then in any site
- If the client is out of any site, find any DC: consider creating subnets for VPNs etc.
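An added Python example (not from the slides) modelling the locator order recapped above, with constructed SRV answers for the slides' idtt.local sites; the reachability callback stands in for the LDAP UDP ping, and the RFC 2782 priority/weight draw is the client's choice within one list.

```python
# Added example, not from the slides: DC Locator lookup order (current site,
# next closest site on Vista+ with the option on, then the site-unaware list)
# plus SRV priority/weight selection within each list. DNS data is constructed.
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is tried first
    weight: int     # relative share among records of equal priority
    port: int
    target: str


def dc_srv_names(domain: str, site: Optional[str], next_closest_site: Optional[str],
                 try_next_closest: bool, vista_or_later: bool = True) -> List[str]:
    """SRV names in the order the locator queries them."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    if vista_or_later and try_next_closest and next_closest_site:
        names.append(f"_ldap._tcp.{next_closest_site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")   # generic, site-unaware list
    return names


def order_srv(records: List[SrvRecord], rnd: Optional[random.Random] = None) -> List[SrvRecord]:
    """RFC 2782 ordering: ascending priority, weighted random draw within a priority."""
    rnd = rnd or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            x = rnd.randrange(total) if total > 0 else 0
            chosen = group[0]
            for r in group:
                if total == 0 or x < r.weight:
                    chosen = r
                    break
                x -= r.weight
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def locate_dc(domain: str, site: Optional[str], next_closest_site: Optional[str],
              try_next_closest: bool, dns: Dict[str, List[SrvRecord]],
              is_up: Callable[[str], bool], vista_or_later: bool = True,
              rnd: Optional[random.Random] = None) -> Optional[str]:
    """First responding DC in locator order, or None when every list is exhausted."""
    for name in dc_srv_names(domain, site, next_closest_site, try_next_closest, vista_or_later):
        for rec in order_srv(dns.get(name, []), rnd):
            if is_up(rec.target):          # stands in for the LDAP UDP / ping check
                return rec.target
    return None


def _srv(*targets: str) -> List[SrvRecord]:
    return [SrvRecord(0, 100, 389, t) for t in targets]


# Constructed DNS data using the slides' idtt.local with Paris (DC4, DC5) and
# London (DC1-DC3) sites; every DC also appears in the generic list.
SAMPLE_DNS = {
    "_ldap._tcp.Paris._sites.dc._msdcs.idtt.local": _srv("dc4.idtt.local", "dc5.idtt.local"),
    "_ldap._tcp.London._sites.dc._msdcs.idtt.local": _srv("dc1.idtt.local", "dc2.idtt.local", "dc3.idtt.local"),
    "_ldap._tcp.dc._msdcs.idtt.local": _srv(*[f"dc{i}.idtt.local" for i in range(1, 8)]),
}

if __name__ == "__main__":
    reachable = {"dc2.idtt.local", "dc6.idtt.local"}   # both Paris DCs are down
    print(locate_dc("idtt.local", "Paris", "London", True, SAMPLE_DNS, reachable.__contains__))
```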
![Page 56: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/56.jpg)
SITE DESIGN: Active Directory Client Interactions
![Page 57: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/57.jpg)
Site Link Design
![Page 58: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/58.jpg)
Site Link Design (Better?)
Diagram: site links between London, Olomouc, Roma, Cyprus, Paris and Berlin
![Page 59: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/59.jpg)
Site Link Design (Worse?)
Diagram: an alternative set of site links between Olomouc, Roma, Cyprus, Paris, Berlin and London
![Page 60: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/60.jpg)
DNS INTEGRATION: Active Directory Client Interactions
![Page 61: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/61.jpg)
DNS Integration
- Clients find DCs by domain/site name
- DCs find replication partners according to their GUID
- Netlogon de/registers locator records
- DNS stores its data in: domain partition, DomainDnsZones application partition, ForestDnsZones application partition
![Page 62: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/62.jpg)
Netlogon de/registration
- Netlogon registers its own records at startup and deregisters them at shutdown
- Requires DNS registration enabled on at least one network adapter
- %windir%\System32\Config\netlogon.dns
- It does not touch others' records
- Autosite coverage turned on by default
![Page 63: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/63.jpg)
AD Integrated Zones
- Offer Secure Dynamic Update
- Timestamping: trimmed to whole hour
- Aging and scavenging: records deleted by default between 14-21 days of their age
![Page 64: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/64.jpg)
DNS Application Partitions
- Domain partition: CN=MicrosoftDNS,CN=System,DC=...
- DomainDnsZones: replicated to all DNS Servers which are also DCs for the domain
- ForestDnsZones: replicated to all DNS Servers which are also DCs for the forest
![Page 65: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/65.jpg)
Secure Dynamic Update
- Client side feature: DHCP Client on Windows 2003-, DNS Client on Windows Vista+
- DNS Server must be on a DC to authenticate clients with Kerberos
- All Authenticated Users can create new records
- When a record is created, only the creator/owner can modify/update it
![Page 66: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/66.jpg)
Secure Dynamic Update
- Updates done regularly by clients: every hour by default
- Default TTL is 20 minutes
- Disable DHCP dynamic updates: insecure!
![Page 67: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/67.jpg)
Dynamic Update
Diagram: the Client asks its configured server DNS1 (a Secondary DNS) for the SOA (1), learns the Primary DNS from the answer (2) and sends the Update to the Primary DNS (3)
![Page 68: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/68.jpg)
Adjust A/PTR Record TTL
![Page 69: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/69.jpg)
Dynamic Update and Replication
Diagram: DNS → AD: 0 sec.; AD → AD: 15-21 sec. within the site, per schedule between sites; AD → DNS on the other DC: 0-3 min.
![Page 70: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/70.jpg)
Dynamic Update and Replication
![Page 71: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/71.jpg)
Dynamic DNS Update on RODC
- Each writable DC returns itself as the primary DNS
- RODC returns either (random) writable DC as the primary DNS
![Page 72: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/72.jpg)
Dynamic DNS Update on RODC
Diagram: the Client asks the RODC's read-only DNS for the SOA (1) and sends the Update (2) to the writable DC's DNS, which writes it into AD with 0 sec. delay
![Page 73: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/73.jpg)
Dynamic DNS Update on RODC
Diagram: the writable DC's DNS writes the update into AD (0 sec.) and pushes it to the RODC through replicateSingleObject (0 sec.); the RODC's read-only DNS picks it up within 0-3 min.
![Page 74: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/74.jpg)
Time stamping/Aging
- Record Created: timestamp trimmed to whole hour
- No-refresh period starts: by default 7 days; the timestamp does not change if the record does not change
- Refresh period follows: by default the next 7 days; the timestamp gets updated at the first update
![Page 75: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/75.jpg)
Scavenging
- Server wide configuration
- Should be done by only one DNS Server as best practice
- By default occurs only once per 7 days
![Page 76: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/76.jpg)
DNS Aging and Scavenging: per-zone setting
- Implemented by all DNS servers
- Timestamp updates only during the refresh interval: limits replication traffic
![Page 77: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/77.jpg)
DNS Aging and Scavenging: per-server setting
- Should be done only by one of the DNS servers
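An added Python example (not from the slides) that walks a dynamically registered record through the timestamp, no-refresh, refresh and scavenging-run timeline described on the slides above; the record data and the scavenging schedule are constructed.

```python
# Added example, not from the slides: models aging and scavenging (timestamp
# trimmed to the hour, 7-day no-refresh, 7-day refresh, scavenging once per
# 7 days) to show why a record disappears 14-21 days after its last refresh.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)
SCAVENGE_PERIOD = timedelta(days=7)


def trim_to_hour(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


@dataclass
class DnsRecord:
    name: str
    timestamp: Optional[datetime]   # None = static record, never scavenged


def register(name: str, now: datetime) -> DnsRecord:
    """Dynamic registration: the aging timestamp is trimmed to the whole hour."""
    return DnsRecord(name, trim_to_hour(now))


def refresh(record: DnsRecord, now: datetime, no_refresh: timedelta = NO_REFRESH) -> bool:
    """Client re-registers unchanged data. The timestamp (and with it AD
    replication traffic) moves only once the no-refresh period has elapsed."""
    if record.timestamp is None or now - record.timestamp < no_refresh:
        return False
    record.timestamp = trim_to_hour(now)
    return True


def scavenge_eligible_at(record: DnsRecord, no_refresh: timedelta = NO_REFRESH,
                         refresh_period: timedelta = REFRESH) -> Optional[datetime]:
    """Moment the record becomes stale: timestamp + no-refresh + refresh period."""
    if record.timestamp is None:
        return None
    return record.timestamp + no_refresh + refresh_period


def scavenge(records: List[DnsRecord], now: datetime, **periods) -> List[str]:
    """One scavenging pass: delete stale dynamic records and return their names."""
    gone = []
    for r in list(records):
        stale_at = scavenge_eligible_at(r, **periods)
        if stale_at is not None and stale_at <= now:
            records.remove(r)
            gone.append(r.name)
    return gone


def deletion_time(record: DnsRecord, first_run: datetime,
                  period: timedelta = SCAVENGE_PERIOD, **periods) -> Optional[datetime]:
    """Which periodic scavenging run removes the record, given the run schedule."""
    stale_at = scavenge_eligible_at(record, **periods)
    if stale_at is None:
        return None
    run = first_run
    while run < stale_at:
        run += period
    return run


if __name__ == "__main__":
    # Constructed timeline: registered 2024-01-01 10:37, refreshed once on 01-09.
    rec = register("pc1.idtt.local", datetime(2024, 1, 1, 10, 37))
    refresh(rec, datetime(2024, 1, 9, 13, 20))
    print(rec.timestamp, deletion_time(rec, datetime(2024, 1, 3)))
```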
![Page 78: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/78.jpg)
DNS Aging and Scavenging
![Page 79: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/79.jpg)
DNS Best Practice
Diagram: DC1 and DC2, each running DNS on top of AD, with each DC's DNS client pointed at the other DC's DNS server
![Page 80: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/80.jpg)
DNS Waiting for AD
![Page 81: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/81.jpg)
DNS Best-Practice Reasons
- Faster boot time without errors and timeouts
- Deregistration at shutdown is recorded in a live DNS Server
- Would have problems replicating if sent into a shutting-down DC
![Page 82: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/82.jpg)
Client DNS balancing
- Clients do not balance DNS servers: queries/updates use the first one always if possible
- DHCP server does not use round robin
- Configuration must be done "manually": manual on servers, more DHCP scopes for clients
![Page 83: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/83.jpg)
Client DNS non-balancing
Screenshot: always alternate the DNS server IP addresses
![Page 84: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/84.jpg)
Client DNS non-balancing
Diagram: Client1, Client2 and Client3 all list DNS1 first and DNS2 second, so every query goes to DNS1
![Page 85: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/85.jpg)
DNS Client Settings
- HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
- Timeouts: DNSQueryTimeouts
- Disjoint namespace on multihomed machines: DisjointNameSpace, PrioritizeRecordData
- GPO – DNS Suffix appending on Vista+
![Page 86: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/86.jpg)
DNS Server UDP Pool
- After applying KB 953230, DNS Server reserves 2500 UDP ports
- HKLM\System\CurrentControlSet\Services\DNS\Parameters: SocketPoolSize = DWORD = 2500
- DNSCMD /Config /SocketPoolSize 2500
![Page 87: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/87.jpg)
DNS Cache Pollution
- server: idtt.com authoritative DNS server
- question: test.idtt.com, type A
- answer: no records
- authority answer: idtt.com SOA; idtt.com NS ns37.domaincontrol.com; ns37.domaincontrol.com A 216.69.185.19
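An added Python example (not from the slides) of the bailiwick check that cache-pollution protection applies to a response like the one above: only records inside the zone the answering server is authoritative for are kept, so the out-of-zone ns37.domaincontrol.com address is discarded. The SOA record data is a placeholder, not taken from the slide.

```python
# Added example, not from the slides: bailiwick filtering of a DNS response,
# run over records constructed from the slide (SOA rdata is a placeholder).
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or below it (label-wise, not a plain string suffix)."""
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)


def response_zone(authority: List[RR]) -> Optional[str]:
    """Zone the server spoke for: owner name of the SOA in the authority section."""
    for rr in authority:
        if rr.rtype == "SOA":
            return _norm(rr.name)
    return None


def cacheable_records(answer: List[RR], authority: List[RR], additional: List[RR],
                      zone: Optional[str] = None) -> Tuple[List[RR], List[RR]]:
    """Split a response into records safe to cache and records to discard.

    Without a known zone nothing is trusted; otherwise every record whose owner
    lies outside the zone (typically out-of-zone glue) is dropped.
    """
    zone = zone or response_zone(authority)
    everything = list(answer) + list(authority) + list(additional)
    if zone is None:
        return [], everything
    keep, dropped = [], []
    for rr in everything:
        (keep if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return keep, dropped


# Constructed from the slide: idtt.com's authoritative server answers "test.idtt.com A".
SAMPLE_ANSWER: List[RR] = []
SAMPLE_AUTHORITY = [
    RR("idtt.com", "SOA", "(SOA fields omitted)"),
    RR("idtt.com", "NS", "ns37.domaincontrol.com"),
]
SAMPLE_ADDITIONAL = [RR("ns37.domaincontrol.com", "A", "216.69.185.19")]

if __name__ == "__main__":
    kept, dropped = cacheable_records(SAMPLE_ANSWER, SAMPLE_AUTHORITY, SAMPLE_ADDITIONAL)
    print("cache:", kept)
    print("discard:", dropped)
```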
![Page 88: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/88.jpg)
GENERAL BEST PRACTICE: Active Directory Troubleshooting
![Page 89: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/89.jpg)
General Best Practice
- Create and assign subnets for any possible client IP
- Limit the general (site unaware) DNS registration of DCs
- Enable Try next closest site and Force rediscovery options
- Enable DNS Aging and Scavenging
- Alter clients' DNS settings to rotate the DNS server addresses
![Page 90: Client Interactions](https://reader036.vdocument.in/reader036/viewer/2022062501/56816934550346895de08c67/html5/thumbnails/90.jpg)
THANK YOU!
Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |