>>> If you "look" at netlogon.dll with  ....
 
hahaha! You make me laugh :) FYI, when *I* can't sleep, I turn to a warm
body.
 
OK....OK...TMI. I was just trying to say I don't go looking inside any f-ing
dll just cause I'm bored or can't sleep :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 1/15/2006 2:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS SRV Records?



DnsModifyRecordsInSet and DnsReplaceRecordSet API calls.

These are out of dnsapi.dll. If you look at netlogon.dll with Dependency
Walker you will see 10 imports from dnsapi.dll including the two above.
Looking at their defs they have the ability to add/delete/clear/replace
records between them. So that is what I tested and got working.




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, January 15, 2006 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS SRV Records?

So, which API are you relying on?


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 1/15/2006 12:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS SRV Records?


I couldn't sleep this evening so I decided to test the API calls below. They
work fine. :o)

I have a new utility that will clear, replace, delete, and add SRV records
called DNSSrvRec. I need to test it a little more when I am more awake. <eg>


F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>nslookup -type=srv
_ldaps._tcp.dc._msdcs.joe.com
Server:  2k3dc01.joe.com
Address:  192.168.0.10

*** 2k3dc01.joe.com can't find _ldaps._tcp.dc._msdcs.joe.com: Non-existent
domain

F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>DNSSrvRec.exe /addrec
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com;_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com

AddSrvRec V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2006

Adding
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com...Success.
Adding
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com...Success.

Results
-------
Total Records To Update: 2
Total Records Updated  : 2
Total Updates Failed   : 0

The command completed successfully.


F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>nslookup -type=srv
_ldaps._tcp.dc._msdcs.joe.com
Server:  2k3dc01.joe.com
Address:  192.168.0.10

_ldaps._tcp.dc._msdcs.joe.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 636
          svr hostname   = 2k3dc02.joe.com
_ldaps._tcp.dc._msdcs.joe.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 636
          svr hostname   = 2k3dc01.joe.com
2k3dc01.joe.com internet address = 192.168.0.10

F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>DNSSrvRec.exe /delrec
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com;_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com

AddSrvRec V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2006

Deleting
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com...Success.
Deleting
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com...Success.

Results
-------
Total Records To Update: 2
Total Records Updated  : 2
Total Updates Failed   : 0

The command completed successfully.


F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>nslookup -type=srv
_ldaps._tcp.dc._msdcs.joe.com
Server:  2k3dc01.joe.com
Address:  192.168.0.10

*** 2k3dc01.joe.com can't find _ldaps._tcp.dc._msdcs.joe.com: Non-existent
domain

F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>



Here is the current usage screen. I will relook at the API calls again
tomorrow or Monday and decide if I want to add any more features.


F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>DNSSrvRec.exe /?

AddSrvRec V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2006

Usage:
 DNSSrvRec [switches]

  Switches: (designated by - or /)

   -clear xx    Clear DNS SRV records with name xx
         Format xx
         ---------
         The format for xx is a semicolon delimited list of DNS
         names such as _ldaps._tcp.dom.com or
         _ldaps._tcp.dom.com;_ldaps._tcp.child.dom.com


   -replace yy  Replace DNS SRV records with name yy
   -delrec yy   Delete DNS SRV records with name yy
   -addrec yy   Add DNS SRV records with name yy
         Format yy
         ---------
         The format for yy is a semicolon delimited list of DNS
         Records. Each DNS record has the format:
            aaa:bb:cc:dd:ee:fff
               aaa - DNS Name (_ldaps._tcp.dom.com)
               bb  - TTL Value (300)
               cc  - Priority (0)
               dd  - Weight (100)
               ee  - Port (636)
               fff - Host Name (somedc.dom.com)


   -delim       Delimiter to separate values in DNS Record.
   -mrdelim     Delimiter to separate multiple DNS Records.



  Notes:
    You can have multiple actions (add/delete/clear/replace) in
    a single command, they will be processed in the order clear, replace
    delete, and add.

  Ex1:
    DNSSrvRec -addrec
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com
      Add DNS SRV Record _ldaps._tcp.dc._msdcs.joe.com with TTL=600,
      priority=0, weight=100, port=636, and hostname of 2k3dc01.joe.com
  Ex2: (command is all one line)
    DNSSrvRec -addrec
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com;_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com
      Add 2 DNS SRV Records for _ldaps._tcp.dc._msdcs.joe.com
  Ex3:
    DNSSrvRec -delrec
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com
      Delete specified specific DNS SRV Record.
  Ex4:
    DNSSrvRec -clear _ldaps._tcp.dc._msdcs.joe.com
      Clear all SRV Records for _ldaps._tcp.dc._msdcs.joe.com
  Ex5:
    DNSSrvRec -replace
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com
      Replace all SRV Records for _ldaps._tcp.dc._msdcs.joe.com with
specified record.



 I do not warrant this software to be fit for any purpose or use and  I do
not guarantee that it will not damage and/or destroy your system.
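As an added illustration of the record format and the action ordering that the usage screen above describes, here is a small C++ parser and in-memory record set. It is not Joe's DNSSrvRec source (the thread does not include it) and it never touches dnsapi.dll; it only shows what a tool like this has to validate before it hands records to an API: a spec of the form aaa:bb:cc:dd:ee:fff split on the -delim and -mrdelim characters, numeric fields checked against their 16-bit or 32-bit ranges, and clear, replace, delete and add applied in exactly that order. The hostnames in the sample input are the ones from the session above; any other values are constructed for the example.

```cpp
#include <cstdint>
#include <iostream>
#include <iterator>
#include <set>
#include <sstream>
#include <stdexcept>
#include <string>
#include <tuple>
#include <vector>

// One SRV record as the DNSSrvRec usage screen lays it out: aaa:bb:cc:dd:ee:fff.
struct SrvRecord {
    std::string name;    // aaa - DNS name, e.g. _ldaps._tcp.dc._msdcs.joe.com
    uint32_t ttl;        // bb  - TTL in seconds
    uint16_t priority;   // cc
    uint16_t weight;     // dd
    uint16_t port;       // ee  - 636 for LDAPS
    std::string host;    // fff - target host name
    bool operator<(const SrvRecord& o) const {
        return std::tie(name, priority, weight, port, host, ttl) <
               std::tie(o.name, o.priority, o.weight, o.port, o.host, o.ttl);
    }
};

using SrvSet = std::set<SrvRecord>;   // stand-in for the zone's SRV records

static std::vector<std::string> split(const std::string& s, char delim) {
    std::vector<std::string> out;
    std::string field;
    std::istringstream in(s);
    while (std::getline(in, field, delim)) out.push_back(field);
    return out;
}

// Accepts plain decimal digits in [0, max] only; rejects signs, blanks and empty fields.
static unsigned long parseNumber(const std::string& f, unsigned long max, const char* what) {
    if (f.empty() || f.find_first_not_of("0123456789") != std::string::npos)
        throw std::invalid_argument(std::string(what) + " must be a non-negative integer: '" + f + "'");
    unsigned long v = std::stoul(f);   // std::stoul itself throws out_of_range on absurd lengths
    if (v > max) throw std::out_of_range(std::string(what) + " out of range: " + f);
    return v;
}

// Parses one "name:ttl:priority:weight:port:host" spec; delim corresponds to -delim.
SrvRecord parseRecord(const std::string& spec, char delim = ':') {
    std::vector<std::string> f = split(spec, delim);
    if (f.size() != 6)
        throw std::invalid_argument("expected 6 fields in record spec: '" + spec + "'");
    if (f[0].empty() || f[5].empty())
        throw std::invalid_argument("DNS name and host name must not be empty");
    SrvRecord r;
    r.name     = f[0];
    r.ttl      = static_cast<uint32_t>(parseNumber(f[1], 0xFFFFFFFFul, "TTL"));
    r.priority = static_cast<uint16_t>(parseNumber(f[2], 65535, "priority"));
    r.weight   = static_cast<uint16_t>(parseNumber(f[3], 65535, "weight"));
    r.port     = static_cast<uint16_t>(parseNumber(f[4], 65535, "port"));
    r.host     = f[5];
    return r;
}

// Parses an -addrec/-delrec/-replace argument: specs separated by mrdelim (-mrdelim).
std::vector<SrvRecord> parseRecordList(const std::string& arg, char delim = ':', char mrdelim = ';') {
    std::vector<SrvRecord> out;
    for (const std::string& spec : split(arg, mrdelim))
        if (!spec.empty()) out.push_back(parseRecord(spec, delim));
    return out;
}

static void eraseName(SrvSet& zone, const std::string& name) {
    for (auto it = zone.begin(); it != zone.end();)
        it = (it->name == name) ? zone.erase(it) : std::next(it);
}

struct Actions {
    std::vector<std::string> clear;    // -clear   names
    std::vector<SrvRecord>   replace;  // -replace records
    std::vector<SrvRecord>   del;      // -delrec  records
    std::vector<SrvRecord>   add;      // -addrec  records
};

// Applies all switch groups in the order the usage screen states: clear, replace, delete, add.
void applyActions(SrvSet& zone, const Actions& a) {
    for (const std::string& n : a.clear) eraseName(zone, n);
    for (const SrvRecord& r : a.replace) eraseName(zone, r.name);  // drop the whole old set first...
    for (const SrvRecord& r : a.replace) zone.insert(r);           // ...then install the new records
    for (const SrvRecord& r : a.del) zone.erase(r);                // delete matches the full record
    for (const SrvRecord& r : a.add) zone.insert(r);
}

int main() {
    // Constructed input: the two records added and then deleted in the session above.
    const std::string specs =
        "_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com;"
        "_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com";
    SrvSet zone;
    Actions add; add.add = parseRecordList(specs);
    applyActions(zone, add);
    for (const SrvRecord& r : zone)
        std::cout << r.name << " -> " << r.host << ':' << r.port << '\n';
    Actions del; del.del = parseRecordList(specs);
    applyActions(zone, del);
    std::cout << "records left: " << zone.size() << '\n';
    return 0;
}
```

The parser is deliberately strict about the numeric fields: a port or priority above 65535 is rejected before any record is built, which is the check you want in front of an API that will otherwise truncate the value silently. Replace erases every record with the name first and only then inserts, so a replace list carrying two records for one name ends with both present rather than the second overwriting the first.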







________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 14, 2006 12:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS SRV Records?


Hey Brandon.

The call that something like IPCONFIG /REGISTERDNS uses is *probably*
I_NetLogonControl2 with NETLOGON_CONTROL_FORCE_DNS_REG. That just tells a DC
to reregister its records. Nothing to do with what records are actually
registered for a DC.

You definitely don't want to look into hooking into NETLOGON. First off it
would have to be on the DCs which would be very difficult to get approval
for even if the code could be written in a secure and stable way (doubtful
since you would have to do code injection). I personally wouldn't allow it,
there is no reason why this can't be done from another machine.

Of course you could try to script around dnscmd or nsupdate. The dnscmd may
be MS-DNScentric, I do not know. If it is, it may not work in your
environment. Unless there has been some serious changes in DNS there
nsupdate works great. I used to do a lot with DNS via perl scripts and
nsupdate. Vern et alii should have some perl scripts that I left behind that
show how to use nsupdate. You could set something up with the scheduler
service. Some job that runs every hour and checks to see if a certain DC (or
the local DC if you can get it cleared to get it to run there) has LDAPS
available and then registers the appropriate LDAPS record.


At a lower level, looking about, you may be able to use the API in
DNSAPI.DLL, unfortunately most of that API seems to be undocumented (when
comparing the exports with MSDN) but DnsModifyRecordsInSet and
DnsReplaceRecordSet look extremely promising... I would be willing to bet
big that those are the calls MS is using under the covers in NetLogon. It is
Windows 2000 and better so you should be safe for any machine you want to
run from.


Note I was pinged on this offline from someone else there and put in a DCR
for registering LDAPS records back in December.


   joe 




________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon
(.)
Sent: Friday, January 13, 2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS SRV Records?





Does anyone have an idea which Windows API does the DNS registration of SRV
records for DCs? I'm very curious as to if that is a public method. The
purpose is I'm looking into how feasible it is to write a Windows Service
that hooks into netlogon and registers secure LDAP SRV records as needed
provided the DC's can speak LDAPS. Think it's a horrible idea? Could be done
better? Let me know what you think. I know the ultimate solution is a DCR,
but like I said..I'm just brainstorming ideas.

-Brandon

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
