Saturday, June 15, 2013

6. Create and Manage Group Policy 6.1 Create Group Policy objects (GPOs)

6.1.1 Configure a Central Store
http://technet.microsoft.com/en-us/library/cc748955%28v=ws.10%29.aspx

Without a Central Store, Group Policy Management reads the ADMX template files from the local administrative workstation when configuring GPOs. A Central Store allows all administrator workstations that update GPOs to use the same templates.

Create a PolicyDefinitions folder in %logonserver%\sysvol\%userdnsdomain%\policies
for each domain in which you want to create a central store.
(You can also go directly to \\%userdnsdomain%\sysvol, e.g. \\contoso.com\sysvol.)

Copy all the files and subfolders from %systemroot%\PolicyDefinitions to the new PolicyDefinitions folder in sysvol.

Note that any new custom ADMX files should now be added to the central store, and that the Group Policy editor will prefer the central store ADMX files over any local ones. The GP tools ignore any ADM files that have updated ADMX equivalents, but you can still use custom ADM templates.

6.1.2 manage starter GPOs
http://technet.microsoft.com/en-us/library/cc772538.aspx

Starter GPOs are default template policies.
These are stored in \\%userdnsdomain%\sysvol\%userdnsdomain%\StarterGPOs
 
If the StarterGPOs folder doesn't exist in this domain, Group Policy Management will offer to create it when you click the Starter GPOs node under the domain. It then creates the folder and populates it with the default templates, called System Starter GPOs. These templates are read-only by default.

You can now create and edit your own Starter GPOs.

6.1.3 configure GPO links
GPOs can be linked to sites, domains, and OUs, and can use security filtering to apply only to specific users or groups.

Under Domains, choose either the domain or an OU, right click, and select Link an Existing GPO. Or go under Sites, select a site, right click, and select Link an Existing GPO. By selecting or expanding a domain, OU, or site, you can see the GPOs linked to that object. You can also see which locations are linked to a specific GPO by clicking the GPO itself under "Group Policy Objects" and selecting the Scope tab.

6.1.4 configure multiple local group policies
http://technet.microsoft.com/en-us/library/cc731758.aspx

There are four types of local Group Policy objects (LGPOs) available on supported systems:
Local policy: This is the legacy policy that supports both user and computer settings
Administrators policy: User settings only that applies to administrators
Non-administrators policy: user settings only that applies to all non-administrators
Specific user policies: user settings only for a specific user.

Local policies are applied in this order: Local, Administrators/non-administrators, specific user.

To edit each policy, open mmc.exe and go to File > Add/Remove Snap-in. Select Group Policy Object and click Add. Click Finish to accept the default (Local Computer), or click Browse to choose another. If this version of Windows supports multiple LGPOs, you will see a Users tab here; click Users and select Administrators, Non-Administrators, or a specific user. Repeat this if you want to see all the policies in one custom snap-in.

6.1.5 configure security filtering
Security filtering is configured per GPO, on the Scope tab under Security Filtering. Because it is a property of the GPO itself, this filtering affects every container that links to the GPO.

GPO security filtering defaults to Authenticated Users.
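The steps in 6.1.3 and 6.1.5 done from PowerShell, as an added example that is not part of the original post; the GPO name, OU and group name are assumed, and the GroupPolicy module (GPMC/RSAT) is required.

```powershell
# Added example (not from the original post): link an existing GPO to an OU and
# replace the default "Authenticated Users" security filter with a specific group.
# Assumed names: GPO "Sales Desktop Lockdown", OU "OU=Sales,DC=contoso,DC=com",
# group "Sales Users".
Import-Module GroupPolicy

$gpoName = 'Sales Desktop Lockdown'
$ouDn    = 'OU=Sales,DC=contoso,DC=com'
$group   = 'Sales Users'

# 6.1.3: link the GPO to the OU. Enforced is left off; an enforced link wins over
# blocked inheritance further down the tree, so only set it deliberately.
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -Enforced No

# 6.1.5: security filtering belongs to the GPO, not the link, so this change
# affects every site/domain/OU that links this GPO. Grant Apply to the group...
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply

# ...and remove the default Authenticated Users entry.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None

# Computer accounts must still be able to READ the GPO for it to be processed
# (required since the June 2016 Group Policy update, MS16-072); without this the
# user settings silently stop applying once Authenticated Users is removed.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead

# Verify: who can read/apply the GPO, and what is linked at the OU.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -in 'GpoApply', 'GpoRead' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced
```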

Friday, June 14, 2013

5. Install and administer Active Directory 5.3 Create and manage active directory groups and organizational units(OUs)

Group types:

Security: used for granting resource permissions
Distribution: non-security for distribution of information

Group scopes:
Domain local: Can contain accounts from any domain, global and universal groups from any domain, but domain local groups from the same domain only
Global: Can contain accounts from the same domain and global groups from the same domain
Universal: Can contain accounts from any domain in the forest, global groups from any domain in the forest, and universal groups from any domain in the forest

Group permission assignment:
Universal: resources in any domain or forest
Global: resources in any domain
Domain local: only to resources in same domain

5.3.1 Configure group nesting
MS's "best practice" AGUDLP method suggests putting users and other groups into Global groups, then adding those to Universal groups if needed, then adding those to Domain Local groups, which are assigned permissions to a resource. So Global for users and groups, and Domain Local for the resource assignments.


5.3.2 convert groups including security, distribution, universal, domain local, and domain global
Universal can convert to Domain Local.
Universal can convert to Global if no other universal groups exist as members.
Global can convert to Universal as long as it's not a member of other Global groups.
Domain Local can convert to Universal as long as no other domain local groups exist as members.
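The AGDLP chain from 5.3.1 and the Global-to-Universal conversion rule from 5.3.2 in PowerShell, as an added example that is not part of the original post; the OU, user names and the share path \\fs1\HR are assumed.

```powershell
# Added example (not from the original post): build an AGDLP chain for an HR file
# share, then convert the Global group's scope only if the rule above allows it.
# Assumed: OU "OU=HR,DC=contoso,DC=com", users jdoe and asmith, share \\fs1\HR.
Import-Module ActiveDirectory
$ou = 'OU=HR,DC=contoso,DC=com'

# A -> G: accounts go into a Global group (accounts/globals from this domain only).
New-ADGroup -Name 'HR Staff' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'HR Staff' -Members 'jdoe', 'asmith'

# G -> DL: the Domain Local group is the one that receives the resource permission.
New-ADGroup -Name 'HR Share Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'HR Share Modify' -Members 'HR Staff'

# DL -> P: grant Modify on the folder to the Domain Local group, never to users directly.
$acl  = Get-Acl -Path '\\fs1\HR'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'CONTOSO\HR Share Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path '\\fs1\HR' -AclObject $acl

# Conversion check: Global -> Universal is refused while the group is a member of
# another Global group, so inspect memberOf before calling Set-ADGroup.
$g        = Get-ADGroup -Identity 'HR Staff' -Properties memberOf
$blockers = $g.memberOf | Get-ADGroup | Where-Object GroupScope -eq 'Global'
if ($blockers) {
    "Cannot convert 'HR Staff': it is a member of Global group(s) $($blockers.Name -join ', ')"
} else {
    Set-ADGroup -Identity 'HR Staff' -GroupScope Universal
}

# Effective membership of the resource group, nested groups expanded.
Get-ADGroupMember -Identity 'HR Share Modify' -Recursive | Select-Object SamAccountName, objectClass
```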


5.3.3 manage group membership using Group Policy
In GPO drill down to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups. Here you can configure what members can be in this group for the computers this GPO affects, and/or what groups this group can belong to in relation to the computers this GPO affects.

This is used most effectively to limit local group memberships.

5.3.4 enumerate group membership
ADUC and ADAC: right click properties, members tab

get-adgroupmember "cn=sales,ou=sales,dc=contoso,dc=com"
dsget group "cn=sales,ou=sales,dc=contoso,dc=com" -members

5.3.5 delegate the creation and management of Active Directory objects

see 1.2.2 Delegate Administration

Tools used to delegate administration:

Delegation of Control Wizard in ADUC
ACL Editor
ldp.exe
dsacls.exe
acldiag.exe
dsrevoke.exe

5.3.6 manage default Active Directory containers; create, copy, configure, and delete groups and OUs
Default containers (CN objects) cannot have GPOs assigned or use admin delegation.
Domain container - root domain container
Builtin - default service admin accounts
Users - default location for new users and groups
Computers - default location for new computers
Other default containers: Foreign Security Principals, Managed Service Accounts
4 others are hidden in ADUC unless Advanced Features is enabled: LostAndFound, NTDS Quotas, System, Program Data

There's also a default OU Domain Controllers.

Create new:
ADUC and ADAC: right click and New > Organizational Unit; right click and New > Group
command line:
dsadd ou "ou=Sales,dc=contoso,dc=com"
dsadd group "cn=salesgroup,ou=sales,dc=contoso,dc=com"

powershell:
new-adorganizationalunit -name HR -path "dc=contoso,dc=com"
new-adgroup -name "Human Resources" -path "ou=HR,dc=contoso,dc=com" -groupscope Global

Configure: ADUC and ADAC: Right click, properties
command line
dsmod group "cn=sales,ou=sales,dc=contoso,dc=com" -addmbr "cn=administrator,cn=users,dc=contoso,dc=com"
dsmod ou

powershell
set-adgroup -identity "cn=human resources,ou=HR,dc=contoso,dc=com"
add-adgroupmember -identity "cn=human resources,ou=HR,dc=contoso,dc=com" -members "cn=John Doe,ou=HR,dc=contoso,dc=com"
set-adorganizationalunit

Remove:
ADUC and ADAC: right click, delete
remove-adgroup
remove-adorganizationalunit

5. Install and administer Active Directory 5.2 Create and manage Active Directory users and computers

5.2.1 Automate the creation of Active Directory accounts
Ways to manage users:

Active Directory Administrative Center
Active Directory Users and Computers
dsadd.exe command line
new-aduser powershell
csvde.exe command line
LDIFDE.exe command line
 
5.2.2 create, copy, configure, and delete users and computers 
PowerShell module = ActiveDirectory
 
 Create User:
ADAC: Drill down to the OU you want to create in. In the right pane, under Users, select New User.
(You can also select the OU location for the user on the new user page.)
ADUC: right click the OU and select New > User
PowerShell (the password must meet the domain's password policy):
new-aduser -name "John Doe" -givenname "John" -surname "Doe" -displayname "John Doe" `
    -samaccountname "jdoe" -userprincipalname "jdoe@contoso.com" -enabled $true `
    -accountpassword (convertto-securestring -string "password" -asplaintext -force)

Copy User
ADAC: Not supported in ADAC
ADUC: right click user and Copy user.
Powershell: no specific cmdlets provided for this.

Configure User
ADAC: right click user, properties
ADUC right click user, properties
Powershell: set-aduser

Delete User
ADAC: right click, delete
ADUC: right click delete
Powershell: remove-aduser -identity "cn=John Doe,ou=Accounting,dc=contoso,dc=com"

Creating Computers:
ADUC and ADAC: right click the OU and select New > Computer

dsadd computer "cn=testpc,cn=computers,dc=contoso,dc=com"

new-adcomputer -name testpc -path "cn=computers,dc=contoso,dc=com"
 
Join a new computer to the domain with
GUI: right click Computer, Properties, Change settings

netdom join testpc /domain:contoso.com

add-computer -computername testpc -domainname contoso.com

5.2.3 configure templates 
Templates can be created in the ADUC because of the copy function. You create a user object and call it Default Template, for example. Clear the "user must change password at next logon" and check the "Disable account". Change the properties you want to use as template. Now you can just right click copy this user.

5.2.4 perform bulk Active Directory operations
Create a CSV with a header line that contains "columns" of AD attributes to be imported into the new records.
Use the objectclass attribute to specify the type of object, e.g. user.
csvde.exe -i -f filenametoimport.csv

You can only add or read records with CSVDE

LDIFDE.exe has 3 types of functions: add, modify, delete. The format of the data file is LDAP Data Interchange Format (LDIF), which is different from the CSV used by CSVDE. Example:

dn: cn=John Doe,ou=accounting,dc=contoso,dc=com
changetype: add
objectClass: user
sAMAccountName: jdoe
userPrincipalName: jdoe@contoso.com

Here the changetype attribute determines what should be done with this record. (The dn value is not quoted in LDIF.)

you would use ldifde -i filenametoimport.ldf

Use the "replace" operation with the modify changetype; each change ends with a line containing only "-". The LDAP attribute for the e-mail address is mail:
dn: cn=John Doe,ou=accounting,dc=contoso,dc=com
changetype: modify
replace: mail
mail: jdoe@contoso.com
-

You can also use new-aduser by piping the output of the import-csv cmdlet into it.
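The Import-Csv to New-ADUser pipeline, as an added example that is not part of the original post; the CSV rows are constructed for illustration, the domain contoso.com and OUs are assumed, and column names are chosen to match New-ADUser parameter names.

```powershell
# Added example (not from the original post): bulk-create users by piping Import-Csv
# into New-ADUser. The CSV content below is constructed; the header names match
# New-ADUser parameter names so $_ properties map straight onto them.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # for Membership.GeneratePassword

$csv = @'
SamAccountName,GivenName,Surname,Department,Path
jdoe,John,Doe,Accounting,"OU=Accounting,DC=contoso,DC=com"
asmith,Alice,Smith,HR,"OU=HR,DC=contoso,DC=com"
'@
$csvFile = Join-Path $env:TEMP 'newusers.csv'
Set-Content -Path $csvFile -Value $csv

Import-Csv -Path $csvFile | ForEach-Object {
    # Skip accounts that already exist instead of failing the whole run.
    if (Get-ADUser -Filter "SamAccountName -eq '$($_.SamAccountName)'") {
        Write-Warning "$($_.SamAccountName) already exists, skipping"
        return
    }
    # Per-user random initial password (16 chars, at least 3 non-alphanumeric) that
    # must be changed at first logon; no shared password is stored in the CSV.
    $initial = [System.Web.Security.Membership]::GeneratePassword(16, 3)
    New-ADUser -Name "$($_.GivenName) $($_.Surname)" `
        -GivenName $_.GivenName -Surname $_.Surname `
        -SamAccountName $_.SamAccountName `
        -UserPrincipalName "$($_.SamAccountName)@contoso.com" `
        -Department $_.Department -Path $_.Path `
        -AccountPassword (ConvertTo-SecureString -String $initial -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true
    # Hand the initial password to the user out of band; it is returned to the
    # caller only, not written to a log file.
    [pscustomobject]@{ User = $_.SamAccountName; InitialPassword = $initial }
}
```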

5.2.5 configure user rights
User rights for a computer can be configured locally using the Group Policy Editor MMC (gpedit.msc),
or you can define the user rights in a Group Policy object.

The order of assigning rights is Local, Site, Domain, OU with each overwriting the previous. The exception is when domain policies use the Enforced option, they are not overwritten, unless another GPO with enforced is higher in the AD hierarchy.

Extra note: You can use Local User Policy (secpol.msc), but I believe gpedit is preferred in a domain and secpol is just a subset of it.

5.2.6 offline domain join 
Offline domain joins are done using the djoin.exe command-line tool.

On a computer with access to a DC, run:
djoin /provision /domain contoso.com /machine OFFPC /savefile offlinefile.txt

then run on offline computer:
djoin /requestodj /loadfile offlinefile.txt /windowspath %systemroot% /localos

5.2.7 manage inactive and disabled accounts
Disable/Enable a user or computer in ADAC or ADUC: right click and disable/enable
Powershell:
enable-adaccount -identity
disable-adaccount -identity

For inactive accounts, you can use
search-adaccount -accountinactive

you can also use dsquery with -inactive parameter specifying number of weeks inactive
dsquery user dc=contoso,dc=com -inactive 4
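A report-then-disable routine built on Search-ADAccount, as an added example that is not part of the original post; the 90-day threshold and the excluded service-account OU are assumptions.

```powershell
# Added example (not from the original post): list enabled user accounts inactive
# for 90 days, write a review report, and disable them with -WhatIf first.
# Assumed: service accounts live under OU=Service Accounts and are excluded.
Import-Module ActiveDirectory

$days      = 90
$excludeOu = 'OU=Service Accounts,DC=contoso,DC=com'

# -AccountInactive compares the replicated lastLogonTimestamp (shown as
# lastLogonDate) against the TimeSpan; it can lag real logons by up to 14 days.
$inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($days)) -UsersOnly |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$excludeOu" }

# Accounts that have never logged on but were created recently are new, not stale.
$report = $inactive |
    Get-ADUser -Properties lastLogonDate, whenCreated |
    Where-Object { $_.lastLogonDate -or $_.whenCreated -lt (Get-Date).AddDays(-$days) } |
    Select-Object SamAccountName, lastLogonDate, whenCreated, DistinguishedName

$reportFile = Join-Path $env:TEMP "inactive-$(Get-Date -Format yyyyMMdd).csv"
$report | Export-Csv -Path $reportFile -NoTypeInformation

# Dry run; drop -WhatIf once the report has been reviewed. The description notes
# why and when the account was disabled so the change is auditable later.
$stamp = Get-Date -Format yyyy-MM-dd
$report | ForEach-Object {
    Disable-ADAccount -Identity $_.DistinguishedName -WhatIf
    Set-ADUser -Identity $_.DistinguishedName `
        -Description "Disabled $stamp - inactive more than $days days" -WhatIf
}
```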

5. Install and administer Active Directory 5.1 Install domain controllers


5.1.1 Add or remove a domain controller from a domain
After installing the Active Directory Domain Services (AD-Domain-Services) role, you can promote this server to a domain controller.
Options: add a domain controller to an existing domain, add a new domain to an existing forest, or add a new forest.

When adding a new domain or new forest:
Forest/Domain functional levels should coincide with the oldest version of domain controller that will be used as a DC in this forest or domain.
The first domain controller in a forest must be a Global Catalog and cannot be an RODC.

Extra note: the dcpromo command no longer works unless you are using an unattended answer file.

5.1.2 upgrade a domain controller
You cannot upgrade 2003 or 32-bit 2008 DCs.

Pre-requisites:
pre-2003 DC's cannot exist when adding 2012 DC's
Forest functional level should be 2003+

Adding a 2012 DC will now perform an automatic run of the Adprep utility to extend the existing forest/domain schema. However, upgrading a DC to 2012 will require adprep to still be run.

You must be an Enterprise Admin to run adprep /forestprep. It can only be run on 64-bit 2008/2008 R2 or later. The server you run it on must have connectivity to the forest schema master and the domain infrastructure master.

Extra note: you can use dsquery to verify the objectVersion of the forest schema. For 2012, objectVersion should be 56:
dsquery * "cn=schema,cn=configuration,dc=contoso,dc=com" -scope base -attr objectversion
  
5.1.3 install Active Directory Domain Services (AD DS) on a Server Core installation
First, install the role:
install-windowsfeature -name ad-domain-services -includemanagementtools

install-addsforest - used for first dc in new forest
install-addsdomain - used for first dc in a new domain
install-addsdomaincontroller - used to add a dc to a domain


5.1.4 install a domain controller from Install from Media (IFM)
IFM is typically used to install a DC in a location where initial replication is impossible or too slow.

On a DC with the same windows version(In this case, 2012 obviously), run the ntdsutil:
c:\windows\system32\ntdsutil.exe: activate instance ntds
c:\windows\system32\ntdsutil.exe: ifm
c:\windows\system32\ntdsutil.exe: create full "c:\ntdsifm"
you can also include the sysvol:
c:\windows\system32\ntdsutil.exe: create sysvol full "c:\ntdsifm"

Now copy the ntdsifm folder to media that you transport to the location of the new DC.
While promoting the DC, you check "Install from media" on the Additional Options page, and point it at the media that has the DC info.

Powershell:
Use the -installationmediapath parameter with the install-addsdomaincontroller cmdlet.

5.1.5 resolve DNS SRV record registration issues
run the dcdiag command
dcdiag /test:registerindns /dnsdomain:contoso.com

5.1.6 configure a global catalog server
Global Catalogs store information about the overall forest. Replication to a GC can generate a lot of traffic.

If you did not configure a DC as a GC you can always do so at a later time using the AD Sites and Services MMC, under the properties for the NTDS Settings for the server, General tab. Check/uncheck GC.

Monday, June 3, 2013

4. Deploy and configure core network services 4.3 Deploy and configure DNS service

DNS Basics
DNS namespace, Name Servers, Resolver(client that sends dns queries)

Recursive query: Resolver clients send recursive queries to their DNS servers. This tells the DNS server to query the hierarchy of DNS servers until it gets resolution from the authoritative server(s).
Iterative query: a single request/response between DNS servers. The only time DNS servers send a recursive query to other DNS servers is when they are querying a forwarder.

DNS forwarders are set up to do the full recursive queries on behalf of other dns servers

reverse name resolution: resolves a name from an ip address

Zones:
Primary: master copy of the zone. If not integrated with AD, a local database file holds the zone.
Secondary: duplicate of the primary. Replicates the zone file using zone transfer.
Stub: copy of the primary zone's NS/SOA/glue records that forwards or refers requests.
AD-integrated: primary zone stored in AD and replicated by AD replication instead of zone transfer.

Extra note:  With Server 2012 and Powershell 3 you can configure dns server using cmdlets in module DnsServer. You can also use the command line tool dnscmd. 

4.3.1 Configure Active Directory integration of primary zones
AD-integrated DNS is automatically replicated to other DCs with DNS installed.
You can integrate a primary zone in AD while creating it, or afterwards by going to the properties of the zone and clicking Change next to Type on the General tab.

Options for replication scope:
To all dns servers running on DC's in this forest
To all dns servers running on DC's in this domain
to all DC's in this domain
to all DCs specified in the scope of this directory partition

This creates the DomainDnsZones and ForestDnsZones application partitions, which appear as subdomains.

Extra note: _msdcs subdomain created for the first dns server in the forest. This zone contains SRV records for AD. 
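The replication-scope options above driven from the DnsServer module, as an added example that is not part of the original post; zone names and the custom partition name are assumed.

```powershell
# Added example (not from the original post): create an AD-integrated primary zone,
# convert an existing file-backed primary zone, and move a zone to a custom
# replication scope. Zone and partition names are assumed. Server 2012+ DnsServer module.
Import-Module DnsServer

# New zone stored in AD and replicated to all DNS servers on DCs in the forest
# (ForestDnsZones). Secure-only dynamic updates are possible only for
# AD-integrated zones; a file-backed zone can only allow none or nonsecure+secure.
Add-DnsServerPrimaryZone -Name 'corp.contoso.com' -ReplicationScope Forest `
    -DynamicUpdate Secure

# Existing standard primary zone (zone file on disk) converted to AD-integrated,
# replicated to DNS servers on DCs in this domain only (DomainDnsZones).
ConvertTo-DnsServerPrimaryZone -Name 'lab.contoso.com' -ReplicationScope Domain -Force

# Custom scope: replicate only to DCs enlisted in a specific application
# partition (created beforehand with Add-DnsServerDirectoryPartition).
Add-DnsServerDirectoryPartition -Name 'EMEADnsZones'
Set-DnsServerPrimaryZone -Name 'emea.contoso.com' -ReplicationScope Custom `
    -DirectoryPartitionName 'EMEADnsZones'

# Verify storage, scope, partition and update policy for every AD-integrated zone.
Get-DnsServerZone | Where-Object IsDsIntegrated |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName, DynamicUpdate
```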


4.3.2 configure forwarders
Forwarders are DNS servers that will conduct the queries on behalf of other DNS servers.
Forwarders are configured in the DNS server properties under Forwarders.

Conditional Forwarders are DNS servers that conduct queries for specific zones. You can configure Conditional Forwarders under the node of that name below the server.

 add-dnsserverforwarder, add-dnsserverconditionalforwarderzone, get-dnsserverforwarder, remove-dnsserverforwarder, set-dnsserverforwarder, set-dnsserverconditionalforwarderzone

Extra Note: Root Hints will be contacted if there is no forwarder unless unchecked in the dns server properties/forwarders tab.
 
4.3.3 configure Root Hints
root hints are the list of the root name servers.  These are configured in the properties for the server on the root hints tab.

get-dnsserverroothint, add-dnsserverroothint, remove-dnsserverroothint, set-dnsserverroothint

 Extra Note: There are 13 default root names A through M dot root-servers.net(ex. A.root-servers.net) made up of many more physical servers all over the world
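Forwarders (4.3.2) and root-hint behaviour (4.3.3) configured together, as an added example that is not part of the original post; the forwarder addresses and partner zone name are constructed placeholders.

```powershell
# Added example (not from the original post): configure server-wide forwarders, a
# conditional forwarder stored in AD, and root-hint fallback on the local DNS
# server. IP addresses and the partner zone name are constructed.
Import-Module DnsServer

# Full recursive resolution is handed to these forwarders. -UseRootHint $false
# is the "Use root hints if no forwarders are available" checkbox unticked, so an
# internal-only DC never tries the root servers if the forwarders fail.
Set-DnsServerForwarder -IPAddress 192.0.2.53, 192.0.2.54 -UseRootHint $false -Timeout 3

# Conditional forwarder for a partner namespace. -ReplicationScope Forest stores
# it in AD so every DNS server on a DC in the forest gets it automatically.
Add-DnsServerConditionalForwarderZone -Name 'partner.example' `
    -MasterServers 198.51.100.10 -ReplicationScope Forest

# Root hints: review the current list; on a server that must only ever use
# forwarders you can remove entries (example kept commented out).
Get-DnsServerRootHint
# Remove-DnsServerRootHint -NameServer 'a.root-servers.net' -Force

# Verify: forwarders in use, and that recursion is enabled at all, since with
# recursion disabled the forwarders are never consulted.
Get-DnsServerForwarder
Get-DnsServerRecursion | Select-Object Enable, Timeout
```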

4.3.4 manage DNS cache
right click server, clear cache.

clear-dnsservercache, get-dnsservercache

dnscmd Servername /clearcache
dnscmd Servername /zoneprint
 
Extra note: Client DNS caches can be cleared with ipconfig /flushdns

4.3.5 create A and PTR resource records

 Types of records:
SOA: Start of Authority: indicates the server is the authoritative source for the zone. Each zone must have one SOA record.
NS: Identifies name servers that are authoritative for the zone. Each primary/secondary DNS server must have an NS record.
A: name-to-address mapping for IPv4
AAAA: name-to-address mapping for IPv6
PTR: address-to-name (reverse lookup)
CNAME: Creates an alias to an A record
MX: mail server record
SRV: records for services. Heavily used in AD to indicate different services.

Creating a new A/AAAA record:
Expand server node and Forward Lookup zones. Right click zone to create record in, and select New Host
Give it an IP Address, name, and you can create an associated PTR record here as well. There must be a Reverse Lookup zone created already for that network or the PTR record will not be created.

If you have a reverse lookup zone for the associated network of the host, you can either create a PTR record during A record creation, as above, or expand reverse lookup zones, and right click a specific zone and New Pointer(PTR).

get-dnsserverresourcerecord, add-dnsserverresourcerecordA, add-dnsserverresourcerecordPTR, add-dnsserverresourcerecordAAAA, remove-dnsserverresourcerecord, set-dnsserverresourcerecord, set-dnsserverresourcerecordaging

dnscmd /recordadd
dnscmd /recorddelete
dnscmd /enumrecords contoso.com .
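A record plus its PTR created from PowerShell, with the reverse-zone precondition from above checked first, as an added example that is not part of the original post; host name, zone and subnet are constructed.

```powershell
# Added example (not from the original post): create an A record with its PTR,
# first ensuring the reverse lookup zone for the subnet exists, because
# -CreatePtr (like the GUI checkbox) quietly skips the PTR when no matching
# reverse zone is present. Names and addresses are constructed.
Import-Module DnsServer

$zone     = 'contoso.com'
$hostName = 'web01'
$ip       = '10.1.20.15'
$network  = '10.1.20.0/24'
$revZone  = '20.1.10.in-addr.arpa'

# Reverse zone check/create: AD-integrated, replicated to DCs in this domain.
if (-not (Get-DnsServerZone -Name $revZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $network -ReplicationScope Domain -DynamicUpdate Secure
}

# A record and PTR in one call (equivalent to "Create associated pointer (PTR) record").
Add-DnsServerResourceRecordA -ZoneName $zone -Name $hostName -IPv4Address $ip -CreatePtr

# Verify both directions. An empty Reverse value here means the reverse zone was
# missing or did not cover the subnet when the A record was created.
$a   = Get-DnsServerResourceRecord -ZoneName $zone -Name $hostName -RRType A
$ptr = Get-DnsServerResourceRecord -ZoneName $revZone -Name '15' -RRType Ptr -ErrorAction SilentlyContinue
[pscustomobject]@{
    Forward = $a.RecordData.IPv4Address.ToString()
    Reverse = $ptr.RecordData.PtrDomainName
}

# Removal (the dnscmd /recorddelete equivalent), kept commented out:
# Remove-DnsServerResourceRecord -ZoneName $zone -Name $hostName -RRType A -Force
# Remove-DnsServerResourceRecord -ZoneName $revZone -Name '15' -RRType Ptr -Force
```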