On the DNS server option, a couple of interesting things came up when I relooked at the API (on a lunch break this time, Deji ;oP ). It doesn't let you specify the server to make the change on, only the server to send the FAZ (Find Auth Zone) request to. I would have to play with that to see how that might cause an issue. Also, Microsoft did something they don't normally do and changed the da** format of the parameter between 2K/K3/XP and Vista/Longhorn. So I would have to add additional code to determine the OS version.
 
RE: the forreal. Well yes, someone could delete all records, but not with a single command from DNSSRVRec without specifying each SRV record individually. You can't do a zone *.*. Again, it doesn't look anything up, it simply sends the command you send, so if you want all _ldap._tcp.dc._msdcs.dom.com you can send that in a clear and, bang, they are gone, but you just asked for that to happen so I expect you would be disappointed if they didn't go away. Not sure why you would say /clear _ldap._tcp.dc._msdcs.dom.com unless that is what you intended. Am I missing something here?
 
On the config file, that is exactly how nsupdate works now. It doesn't have the defaults that you mention in the 'also', but you can write to a file exactly what you want done for records and it does it. I am definitely working through my head possible variations that would be cool/fun to have for it, though.
 
I was pinged offline by a list member about the possibility of doing other types of records, not just SRV records. Can anyone see that being valuable to them, and could you explain why? I am waiting for the response from that list member as well. The intent wasn't really to write a DNS management tool, but I guess if nothing else is really fitting the bill, maybe it's needed?
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Monday, January 16, 2006 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAPS SRV Records?

joe,

Thanks for the link.

As you mentioned, adding the DNS server option turned out to be quite tricky; why not one server at a time? I know it makes sense to add/delete the same records on multiple servers, but who says they can't be serialized. After all, it is not that time-critical an operation.

For the CLEAR switch, I was trying to say that someone can accidentally delete ALL the records related to a domain or site and make clients who are primarily pointing at that DNS server suffer for the time until those records are re-registered/replicated back again.

For the config file, my idea was that, if you provide a way to specify the server and read SRV operations from a file (something like ldifde.exe), I could create a config file in which I could list all the operations/records I want to manage. Of course, this can be scripted and given to DNSSrvRec as command line options, but putting it all together in a file where each operation is on a single line would give nice readability (something like an LDF file).
Also, like adfind.exe, if we can define some defaults for port, weight and ttl etc. in the config file which are used for the same RUN of the command.

Currently what I am doing is preparing an Excel sheet containing all the sites in my forest and manually defining the priority order in which clients in each site will get authenticated by DCs (like first same-site DCs, then nearest-site DCs, basically making sure clients never have to look for generic SRV records). Afterwards, based on this sheet, I will prepare a list of SRV records to create/delete on each DNS server and push those SRV records to the respective servers.


--
Kamlesh


On 1/16/06, joe <[EMAIL PROTECTED]> wrote:
Hi Kamlesh, you can get the initial version at http://www.joeware.net/win/free/tools/DNSSrvRec.htm. I posted it to the site last night and announced it on my blog; there are over 50 downloads already, which surprises me a bit.
 
The initial version does not let you specify the DNS Server to make the change in. I had started to add it and backed out as I wanted to think over the whole SOA portion of it, plus whether I want to handle sending to multiple servers at the same time and how to handle the errors coming back. This is all I have for specifying specific servers at the moment, a commented-out insertion to validate the command.
 
//  ValidOptions.push_back(L"dnssrv");             // Which DNS Server(s)
Not sure what you are hoping for out of the clear option in terms of forreal. The tool doesn't look records up first and then clear them one by one. It simply sends a single clear command for the DNS Name; that is an option for one of the functions. Having a forreal option would basically only echo what you sent in via the parameters. I might consider having it try to pull the record first and then display what would get wiped out. But that brings up even more questions on the specifying-multiple-DNS-servers thoughts.
 
Like what kind of ops are you talking about taking from a config file? Like a script of records to add? This could be an interesting idea. A script of generic records for which you specify the actual host name to resolve to on the command line. Of course this could easily be wrapped in a script or batch file as well initially.
 
Download it and send any other thoughts about it my way.
 
 
   joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Monday, January 16, 2006 1:59 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAPS SRV Records?

joe, nice work!!

In fact, I was playing with dnscmd.exe for the same purpose, not for LDAPS but for other authentication records... (if you remember the thread about custom SRV priority on a per-DC, per-site basis).

I was planning on creating an HTA wrapper around dnscmd.exe for the CLI-challenged. But I am not happy with the error reporting of dnscmd.exe, so I was thinking of testing the WMI class for DNS RR management, and now you have created the utility. :-)

I would like to register as a pre-beta tester. :-)

Looking at the current usage screen you provided, I have some queries off the top of my head.

* Can we specify the DNS server to make the change on? (stupid of me to even suggest this. Just trying to make a redundant entry in your to-do list :-))
* Can we have a switch -FORREAL specially for the clear option? (I know, DCs will recreate records in the next refresh cycle, still there will be a resolution issue for a small period)
* Can we have SRV operations taken from a config file, like we have it for the latest adfind.exe?

Just trying to participate :-)

--
Kamlesh

On 1/15/06, joe <[EMAIL PROTECTED]> wrote:
I couldn't sleep this evening so I decided to test the API calls below. They work fine. :o)
 
I have a new utility that will clear, replace, delete, and add SRV records called DNSSrvRec. I need to test it a little more when I am more awake. <eg>
 
 
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>nslookup -type=srv _ldaps._tcp.dc._msdcs.joe.com
Server:  2k3dc01.joe.com
Address:  192.168.0.10
 
*** 2k3dc01.joe.com can't find _ldaps._tcp.dc._msdcs.joe.com: Non-existent domain
 
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>DNSSrvRec.exe /addrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com;_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com
 
AddSrvRec V01.00.00cpp Joe Richards ( [EMAIL PROTECTED]) January 2006
 
Adding _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com...Success.
Adding _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com...Success.
 
Results
-------
Total Records To Update: 2
Total Records Updated  : 2
Total Updates Failed   : 0
 
The command completed successfully.
 

F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>nslookup -type=srv _ldaps._tcp.dc._msdcs.joe.com
Server:  2k3dc01.joe.com
Address:  192.168.0.10
 
_ldaps._tcp.dc._msdcs.joe.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 636
          svr hostname   = 2k3dc02.joe.com
_ldaps._tcp.dc._msdcs.joe.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 636
          svr hostname   = 2k3dc01.joe.com
2k3dc01.joe.com internet address = 192.168.0.10
 
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>DNSSrvRec.exe /delrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com;_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com
 
AddSrvRec V01.00.00cpp Joe Richards ( [EMAIL PROTECTED] ) January 2006
 
Deleting _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com...Success.
Deleting _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com...Success.
 
Results
-------
Total Records To Update: 2
Total Records Updated  : 2
Total Updates Failed   : 0
 
The command completed successfully.
 

F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>nslookup -type=srv _ldaps._tcp.dc._msdcs.joe.com
Server:  2k3dc01.joe.com
Address:  192.168.0.10
 
*** 2k3dc01.joe.com can't find _ldaps._tcp.dc._msdcs.joe.com: Non-existent domain
 
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>
 
 
Here is the current usage screen. I will relook at the API calls again tomorrow or Monday and decide if I want to add any more features.
 
 
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>DNSSrvRec.exe /?
 
AddSrvRec V01.00.00cpp Joe Richards ( [EMAIL PROTECTED]) January 2006
 
Usage:
 DNSSrvRec [switches]
 
  Switches: (designated by - or /)
 
   -clear xx    Clear DNS SRV records with name xx
         Format xx
         ---------
         The format for xx is a semicolon delimited list of DNS
         names such as _ldaps._tcp.dom.com or
         _ldaps._tcp.dom.com;_ldaps._tcp.child.dom.com
 

   -replace yy  Replace DNS SRV records with name yy
   -delrec yy   Delete DNS SRV records with name yy
   -addrec yy   Add DNS SRV records with name yy
         Format yy
         ---------
         The format for yy is a semicolon delimited list of DNS
         Records. Each DNS record has the format:
            aaa:bb:cc:dd:ee:fff
               aaa - DNS Name (_ldaps._tcp.dom.com)
               bb  - TTL Value (300)
               cc  - Priority (0)
               dd  - Weight (100)
               ee  - Port (636)
               fff - Host Name (somedc.dom.com)
 

   -delim       Delimiter to separate values in DNS Record.
   -mrdelim     Delimiter to separate multiple DNS Records.
 
 
 
  Notes:
    You can have multiple actions (add/delete/clear/replace) in
    a single command, they will be processed in the order clear, replace
    delete, and add.
 
  Ex1:
    DNSSrvRec -addrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com
      Add DNS SRV Record _ldaps._tcp.dc._msdcs.joe.com with TTL=600,
      priority=0, weight=100, port=636, and hostname of 2k3dc01.joe.com
  Ex2: (command is all one line)
    DNSSrvRec -addrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com;
                      _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com
      Add 2 DNS SRV Records for _ldaps._tcp.dc._msdcs.joe.com
  Ex3:
    DNSSrvRec -delrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com
      Delete specified specific DNS SRV Record.
  Ex4:
    DNSSrvRec -clear _ldaps._tcp.dc._msdcs.joe.com
      Clear all SRV Records for _ldaps._tcp.dc._msdcs.joe.com
  Ex5:
    DNSSrvRec -replace _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com
      Replace all SRV Records for _ldaps._tcp.dc._msdcs.joe.com with specified record.
 
 
 
 I do not warrant this software to be fit for any purpose or use and
 I do not guarantee that it will not damage and/or destroy your system.
 
 
 
 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of joe
Sent: Saturday, January 14, 2006 12:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS SRV Records?

Hey Brandon.
 
The call that something like IPCONFIG /REGISTERDNS uses is *probably* I_NetLogonControl2 with NETLOGON_CONTROL_FORCE_DNS_REG. That just tells a DC to reregister its records. Nothing to do with what records are actually registered for a DC.
 
You definitely don't want to look into hooking into NETLOGON. First off, it would have to be on the DCs, which would be very difficult to get approval for even if the code could be written in a secure and stable way (doubtful, since you would have to do code injection). I personally wouldn't allow it; there is no reason why this can't be done from another machine.
 
Of course you could try to script around dnscmd or nsupdate. The dnscmd may be MS-DNS-centric, I do not know. If it is, it may not work in your environment. Unless there have been some serious changes in DNS there, nsupdate works great. I used to do a lot with DNS via perl scripts and nsupdate. Vern et alii should have some perl scripts that I left behind that show how to use nsupdate. You could set something up with the scheduler service. Some job that runs every hour and checks to see if a certain DC (or the local DC, if you can get it cleared to run there) has LDAPS available and then registers the appropriate LDAPS record.
 
 
At a lower level, looking about, you may be able to use the API in DNSAPI.DLL. Unfortunately most of that API seems to be undocumented (when comparing the exports with MSDN), but DnsModifyRecordsInSet and DnsReplaceRecordSet look extremely promising... I would be willing to bet big that those are the calls MS is using under the covers in NetLogon. It is Windows 2000 and better, so you should be safe for any machine you want to run from.
 
 
Note I was pinged on this offline from someone else there and put in a DCR for registering LDAPS records back in December.
 
 
   joe  
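Added example, not code from the thread or from DNSSrvRec itself: a parser for the aaa:bb:cc:dd:ee:fff record syntax shown in the usage screen earlier in the thread, a preview of which SRV RRsets a clear or replace would wipe (the point behind the -FORREAL question), a renderer that emits the same clear/replace/delete/add actions as an nsupdate batch in the order the usage screen documents, and a small helper for the hourly "does this DC answer on 636" check described in the message above. Server, zone and DC names are constructed sample values; the nsupdate zone must be the one that actually holds the _ldaps name (often a delegated _msdcs zone), and the TCP probe is an assumption standing in for a real LDAPS bind.

```python
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Sequence

# One DNS label: letters, digits, hyphen, plus the leading underscore SRV names use.
LABEL_RE = re.compile(r"^_?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


@dataclass(frozen=True)
class SrvRecord:
    name: str       # aaa  e.g. _ldaps._tcp.dc._msdcs.joe.com
    ttl: int        # bb
    priority: int   # cc
    weight: int     # dd
    port: int       # ee
    host: str       # fff  the DC the record points at


def _check_name(value: str) -> str:
    name = value.strip().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        raise ValueError(f"bad DNS name {value!r}")
    return name


def _check_int(field: str, value: str, hi: int, lo: int = 0) -> int:
    try:
        n = int(value.strip())
    except ValueError:
        raise ValueError(f"{field} must be an integer, got {value!r}") from None
    if not lo <= n <= hi:
        raise ValueError(f"{field} {n} is outside {lo}..{hi}")
    return n


def parse_record(text: str, delim: str = ":") -> SrvRecord:
    """Parse one aaa:bb:cc:dd:ee:fff record; delim mirrors the -delim switch."""
    parts = text.split(delim)
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)} in {text!r}")
    name, ttl, prio, weight, port, host = parts
    return SrvRecord(name=_check_name(name),
                     ttl=_check_int("TTL", ttl, 2**31 - 1),       # RFC 2181: TTL is 31 bits
                     priority=_check_int("priority", prio, 65535),
                     weight=_check_int("weight", weight, 65535),
                     port=_check_int("port", port, 65535, lo=1),
                     host=_check_name(host))


def parse_record_list(text: str, delim: str = ":", mrdelim: str = ";") -> List[SrvRecord]:
    """The yy argument of -addrec/-delrec/-replace; mrdelim mirrors -mrdelim."""
    return [parse_record(r, delim) for r in text.split(mrdelim) if r.strip()]


def parse_name_list(text: str, mrdelim: str = ";") -> List[str]:
    """The xx argument of -clear: bare names, no record fields."""
    return [_check_name(n) for n in text.split(mrdelim) if n.strip()]


def rrsets_wiped(clear: Iterable[str] = (), replace: Iterable[SrvRecord] = ()) -> List[str]:
    """Names whose entire SRV RRset is removed before anything is added back.
    Show this to the operator before sending: it is the blast radius of the run."""
    return sorted(set(clear) | {r.name for r in replace})


def render_nsupdate(server: str, zone: str, clear=(), replace=(), delete=(), add=()) -> str:
    """Emit an nsupdate batch in the documented order clear, replace, delete, add.
    replace = drop the RRset at the name, then add the given records."""
    lines = [f"server {server}", f"zone {zone}"]
    for name in rrsets_wiped(clear, replace):
        lines.append(f"update delete {name}. SRV")                 # whole RRset
    for r in replace:
        lines.append(f"update add {r.name}. {r.ttl} IN SRV {r.priority} {r.weight} {r.port} {r.host}.")
    for r in delete:                                                # one specific RR
        lines.append(f"update delete {r.name}. IN SRV {r.priority} {r.weight} {r.port} {r.host}.")
    for r in add:
        lines.append(f"update add {r.name}. {r.ttl} IN SRV {r.priority} {r.weight} {r.port} {r.host}.")
    lines.append("send")
    return "\n".join(lines) + "\n"


def ldaps_reachable(host: str, port: int = 636, timeout: float = 3.0) -> bool:
    """Assumed probe: a TCP connect proves the port answers, not that the TLS
    handshake or an LDAP bind would succeed; swap in a real LDAPS bind for that."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ldaps_records_for(dcs: Sequence[str], srv_name: str, ttl: int = 600,
                      probe: Callable[[str], bool] = ldaps_reachable) -> List[SrvRecord]:
    """Records a scheduled job would register this run: only DCs that pass the probe."""
    return [SrvRecord(srv_name, ttl, 0, 100, 636, dc) for dc in dcs if probe(dc)]
```

Feed the string from `render_nsupdate` to `nsupdate` on stdin (or write it to a file and pass the file name) only after reviewing `rrsets_wiped`; the `delete NAME SRV` line with no rdata is what removes every SRV record at that name, which is exactly the case the thread worries about with -clear.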
 
 
 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Bernier, Brandon (.)
Sent: Friday, January 13, 2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS SRV Records?



Does anyone have an idea which Windows API does the DNS registration of SRV records for DCs? I'm very curious as to whether that is a public method. The purpose is I'm looking into how feasible it is to write a Windows Service that hooks into netlogon and registers secure LDAP SRV records as needed, provided the DCs can speak LDAPS. Think it's a horrible idea? Could be done better? Let me know what you think. I know the ultimate solution is a DCR, but like I said... I'm just brainstorming ideas.

-Brandon




--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
