> dnscmd dc1 /recordadd rallencorp.com wins01 A 19.25.52.2.25
To delete a resource record, use the following command:
> dnscmd <DNSServerName> /recorddelete <ZoneName> <NodeName> <RecordType> <RRData>
The following command deletes an A record in the rallencorp.com zone:
> dnscmd dc1 /recorddelete rallencorp.com wins01 A 19.25.52.2.25
13.7.2.3 Using VBScript
' This code shows how to add an A record and PTR record using
' the DNS WMI Provider
' - SCRIPT CONFIGURATION -
strForwardRRAdd = "test-xp.rallencorp.com IN A 192.32.64.13"
strReverseRRAdd = "13.64.32.192.in-addr.arpa IN PTR test-xp.rallencorp.com"
strForwardDomain = "rallencorp.com"
strReverseDomain = "192.in-addr.arpa."
' - END CONFIGURATION -
set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
set objRR = objDNS.Get("MicrosoftDNS_ResourceRecord")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
' Create the A record
strNull = objRR.CreateInstanceFromTextRepresentation( _
objDNSServer.Name, _
strForwardDomain, _
strForwardRRAdd, _
objOutParam)
set objRR2 = objDNS.Get(objOutParam)
WScript.Echo "Created Record: " & objRR2.TextRepresentation
' Create the PTR record
strNull = objRR.CreateInstanceFromTextRepresentation( _
objDNSServer.Name, _
strReverseDomain, _
strReverseRRAdd, _
objOutParam)
set objRR2 = objDNS.Get(objOutParam)
WScript.Echo "Created Record: " & objRR2.TextRepresentation
' This code shows how to delete an A and PTR record for the record
' I created in the previous example
strHostName = "test-xp.rallencorp.com."
set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
' Find every record whose owner name (A records) or data (PTR records)
' is the target host name
set objRRs = objDNS.ExecQuery(" select * " & _
" from MicrosoftDNS_ResourceRecord" & _
" where OwnerName = """ & strHostName & """" & _
" Or RecordData = """ & strHostName & """")
if objRRs.Count < 1 then
WScript.Echo "No matches found for " & strHostName
else
for each objRR in objRRs
objRR.Delete_
WScript.Echo "Deleted " & objRR.TextRepresentation
next
end if
13.7.3 Discussion
13.7.3.1 Using a graphical user interface
The DNS Management snap-in is good for creating a small number of records, but if you need to add or delete more than a couple of dozen, then I'd recommend writing a batch file around dnscmd or, preferably, using the DNS WMI Provider.
13.7.3.2 Using a command-line interface
Adding A, CNAME, and PTR resource records is pretty straightforward as far as the data you must enter, but other record types, such as SRV, require quite a bit more data. The help pages for /recordadd and /recorddelete display the required information for each record type.
13.7.3.3 Using VBScript
In the first example, I created A and PTR records using the CreateInstanceFromTextRepresentation method, which is a MicrosoftDNS_ResourceRecord method that allows you to create resource records by passing in the textual version of the record. This is the textual representation of the A record used in the example:
test-xp.rallencorp.com IN A 192.32.64.13
The first parameter to this method is the DNS server name, the second is the name of the domain to add the record to, the third is the resource record, and the last is an out parameter that returns a reference to the new resource record.
In the second example, I find all resource records that match a certain hostname and delete them. This is done by first using a WQL query to find all resource records where the OwnerName equals the target host name (this will match any A records) and where RecordData equals the target host name (this will match any PTR records). The Delete_ method is called on each matching record, removing them on the DNS server.
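The first script hardcodes the A record text, the PTR record text and the two zone names. The following Python helper, added here and not part of the book's code, derives all four from a host name and an IPv4 address, showing how the reversed-octet in-addr.arpa owner name and the reverse zone name are built; the zone_octets parameter (how many leading octets the reverse zone covers) is an assumption of this helper, not a DNS WMI Provider concept.

```python
import ipaddress


def is_valid_ipv4(ip):
    """True only for four dotted octets in 0-255 (what the A record data must be)."""
    try:
        ipaddress.IPv4Address(ip)
        return True
    except ValueError:
        return False


def a_record_text(host, ip):
    """Textual A record in the form passed to CreateInstanceFromTextRepresentation."""
    if not is_valid_ipv4(ip):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return f"{host} IN A {ip}"


def ptr_owner_name(ip):
    """Reverse-lookup owner name: the octets in reverse order under in-addr.arpa."""
    if not is_valid_ipv4(ip):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def ptr_record_text(host, ip):
    return f"{ptr_owner_name(ip)} IN PTR {host}"


def reverse_zone(ip, zone_octets):
    """Name of the in-addr.arpa zone that holds the PTR, given how many leading
    octets the zone covers: 1 for a /8 zone such as 192.in-addr.arpa., 3 for a
    /24 zone such as 64.32.192.in-addr.arpa. (constructed parameter, see lead-in)."""
    if zone_octets not in (1, 2, 3):
        raise ValueError("zone_octets must be 1, 2 or 3")
    if not is_valid_ipv4(ip):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    leading = ip.split(".")[:zone_octets]
    return ".".join(reversed(leading)) + ".in-addr.arpa."


def forward_zone(host):
    """Zone of the A record, assuming the host is one label directly under the
    zone (as test-xp.rallencorp.com is under rallencorp.com)."""
    labels = host.rstrip(".").split(".")
    if len(labels) < 3:
        raise ValueError("expected <host>.<zone> with at least two zone labels")
    return ".".join(labels[1:])


def record_pair(host, ip, zone_octets=3):
    """The four SCRIPT CONFIGURATION values of the first script, derived."""
    return {
        "forward_domain": forward_zone(host),
        "forward_rr": a_record_text(host, ip),
        "reverse_domain": reverse_zone(ip, zone_octets),
        "reverse_rr": ptr_record_text(host, ip),
    }
```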
13.7.4 See Also
MSDN: MicrosoftDNS_ResourceRecord
Recipe 13.8 Querying Resource Records
13.8.1 Problem
You want to query resource records.
13.8.2 Solution
13.8.2.1 Using a graphical user interface
The DNS Management snap-in does not provide an interface for searching resource records.
13.8.2.2 Using a command-line interface
In the following command, replace <RecordType> with the type of resource record you want to find (e.g., A, CNAME, SRV) and <RecordName> with the name or IP address of the record to match:
> nslookup -type=<RecordType> <RecordName>
13.8.2.3 Using VBScript
' This code prints the resource records that match
' the specified name
' - SCRIPT CONFIGURATION -
strQuery = "<RecordName>"
' - END CONFIGURATION -
set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
set objRRs = objDNS.ExecQuery(" select * " & _
" from MicrosoftDNS_ResourceRecord" & _
" where OwnerName = """ & strQuery & """" & _
" Or DomainName = """ & strQuery & """" & _
" Or RecordData = """ & strQuery & """")
if objRRs.Count < 1 then
' strQuery is the only configured variable; report it rather than undefined names
WScript.Echo "No matches found for " & strQuery
else
for each objRR in objRRs
WScript.Echo objRR.TextRepresentation
next
end if
13.8.3 Discussion
13.8.3.1 Using a command-line interface
13.8.3.2 Using VBScript
In the VBScript solution a WQL query was used to find all matching resource records. This is a good example of how powerful the DNS WMI Provider can be. The query attempts to find any object of the MicrosoftDNS_ResourceRecord class that has an OwnerName, DomainName, or RecordData field equal to the <RecordName>. This is not the most efficient query if the server supports multiple large zones, so you may want to restrict it to search for specific types of records by adding criteria to match RecordType = <Type>.
13.8.4 See Also
MSDN: MicrosoftDNS_ResourceRecord
Recipe 13.9 Modifying the DNS Server Configuration
13.9.1 Problem
You want to modify the DNS Server settings.
13.9.2 Solution
13.9.2.1 Using a graphical user interface
1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.
3. Click on the server, right-click on it, and select Properties.
4. There will be several tabs you can choose from to edit the server settings.
5. Click OK to commit the changes after you've completed your modifications.
13.9.2.2 Using a command-line interface
With the following command, replace <Setting> with the name of the setting to modify and <Value> with the value to set:
> dnscmd <DNSServerName> /config /<Setting> <Value>
13.9.2.3 Using VBScript
set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
objDNSServer.<Setting> = <Value> ' e.g objDNSServer.AllowUpdate = TRUE
objDNSServer.Put_
13.9.3 Discussion
The Microsoft DNS server supports a variety of settings to configure everything from scavenging and forwarders to logging. With the DNS Management snap-in, the settings are spread over several tabs in the Properties property page. You can get a list of these settings by simply running dnscmd /config from a command line. For the CLI and VBScript solutions, the setting names are nearly identical. In the VBScript solution, be sure to call the Put_ method after you are done configuring settings in order for the changes to take effect.
13.9.4 See Also
MSDN: MicrosoftDNS_Server
Recipe 13.10 Scavenging Old Resource Records
13.10.1 Problem
You want to scavenge old resource records. DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically, this applies only to resource records that were added via DDNS, but you can also scavenge manually added, also referred to as static, records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.
13.10.2 Solution
The following solutions will show how to enable automatic scavenging on all AD-integrated zones.
13.10.2.1 Using a graphical user interface
1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.
3. Click on the server, right-click on it, and select Set Aging/Scavenging for all zones.
4. Check the box beside Scavenge stale resource records.
5. Configure the No-Refresh and Refresh intervals as necessary and click OK.
6. Check the box beside Apply these settings to the existing Active Directory-integrated zones and click OK.
7. Right-click on the server again and select Properties.
8. Select the Advanced tab.
9. Check the box beside Enable automatic scavenging of stale resource records.
13.10.2.2 Using a command-line interface
> dnscmd <DNSServerName> /config /ScavengingInterval <ScavengingMinutes>
> dnscmd <DNSServerName> /config /DefaultAgingState 1
> dnscmd <DNSServerName> /config /DefaultNoRefreshInterval <NoRefreshMinutes>
> dnscmd <DNSServerName> /config /DefaultRefreshInterval <RefreshMinutes>
> dnscmd <DNSServerName> /config ..AllZones /aging 1
13.10.2.3 Using VBScript
' This code enables scavenging for all AD-integrated zones
' - SCRIPT CONFIGURATION -
strServer = "<DNSServerName>"
intScavengingInterval = <ScavengingMinutes>
intNoRefreshInterval = <NoRefreshMinutes>
intRefreshInterval = <RefreshMinutes>
' - END CONFIGURATION -
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
objDNSServer.ScavengingInterval = intScavengingInterval
objDNSServer.DefaultNoRefreshInterval = intNoRefreshInterval
objDNSServer.DefaultRefreshInterval = intRefreshInterval
objDNSServer.DefaultAgingState = TRUE
objDNSServer.Put_
WScript.Echo "Configured server scavenging settings"
set objZones = objDNS.ExecQuery("Select * from MicrosoftDNS_Zone " & _
"Where DnsServerName = '" & _
objDNSServer.Name & "'" & _
" And DsIntegrated = TRUE")
WScript.Echo "Configuring AD-integrated zones: "
for each objZone in objZones
WScript.Echo " " & objZone.Name & " (Aging was: " & objZone.Aging & ")"
objZone.Aging = 1
objZone.Put_
next
13.10.3 Discussion
There are four settings you need to be aware of before enabling scavenging. You must use caution when enabling scavenging because an incorrect configuration could lead to resource records getting deleted by mistake.
The first setting you have to configure is the scavenging interval. This is the interval in which the DNS server will kick off the scavenging process. It is disabled by default so that scavenging does not take place unless you enable this setting. The default value is 168 hours, which is equivalent to 7 days.
The second setting is the default aging state for new zones. If you want all new zones to be configured for scavenging, set this to 1.
The next two settings control how records get scavenged. The no refresh interval determines how long before a dynamically updated record can be updated again. This setting is necessary to reduce how often a DNS server has to update its timestamp of the resource record. The default value is 168 hours (7 days). That means that after a resource record has been dynamically updated, the server will not accept another dynamic update for the same record for another 7 days. If the IP address or some other data for the record changes, the server will accept that. The refresh interval setting is the amount of time after the no refresh interval that a client has to update its record before it is considered old or stale. The default value for this setting is also 168 hours (7 days). If you use the default values, the combination of the no refresh interval and refresh interval would mean that a dynamically updated record would not be considered stale for up to 14 days after its last update. In actuality, it could be up to 21 days before the record is deleted if the record became stale right after the last scavenge process completed: 7 days (no refresh) + 7 days (refresh) + up to 7 days (scavenge process).
Recipe 13.11 Clearing the DNS Cache
13.11.1 Problem
You want to clear the DNS cache. The DNS cache contains resource records that are cached for a period of time in memory so that repeated requests for the same record can be returned immediately. There are two types of DNS cache. One pertains to the resolver on any Windows client (servers and workstations), and the other to the cache used by the Microsoft DNS server.
13.11.2 Solution
To flush the client resolver cache, use the following command:
> ipconfig /flushdns
To flush the DNS server cache, use any of the following solutions.
13.11.2.1 Using a graphical user interface
1. Open the DNS Management snap-in.
2. Right-click on DNS in the left pane and select Connect to DNS Server.
3. Enter the server you want to connect to and click Enter.
4. Right-click on the server and select Clear Cache.
13.11.2.2 Using a command-line interface
The following command will clear the cache on <DNSServerName>. You can leave out <DNSServerName> to run against the local server:
13.11.2.3 Using VBScript
' This code clears the DNS server cache on the specified server
' - SCRIPT CONFIGURATION -
strServer = "<DNSServerName>" ' e.g dc1.rallencorp.com
' - END CONFIGURATION -
set objDNS = GetObject("winmgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
' The server cache is the MicrosoftDNS_Cache instance keyed by "..Cache"
set objDNSCache = objDNS.Get("MicrosoftDNS_Cache.ContainerName=""..Cache""" & _
",DnsServerName=""" & objDNSServer.Name & _
""",Name=""..Cache""")
objDNSCache.ClearCache
WScript.Echo "Cleared server cache"
13.11.3 Discussion
The client resolver cache is populated whenever a DNS lookup is performed on a workstation or server; for example, with the nslookup command.
The second type of cache is only for Microsoft DNS servers. It is a cache of all DNS requests the server has made to resolve queries from clients. You can view this cache by browsing the Cached Lookups folder for a server in the DNS Management snap-in. This folder is not shown by default, so you'll need to select Advanced from the View menu.
With both the client and server cache, the records are removed from the cache after the record's TTL or Time To Live value expires. The TTL is used to age records so that clients and servers have to rerequest them at a later point and receive any changes that may have occurred.
Recipe 13.12 Verifying That a Domain Controller Can Register Its Resource Records
13.12.1 Problem
You want to verify DNS is configured correctly so that a domain controller can register its resource records, which are needed for clients to be able to locate various AD services.
13.12.2 Solution
13.12.2.1 Using a command-line interface
This test is available only with the Windows Server 2003 version of dcdiag.
With the following dcdiag command, replace dc1 with the DNS name of the domain the domain controller is in. This command has to be run directly on the domain controller you want to test.
> dcdiag /test:RegisterInDNS /DnsDomain:dc1
Starting test: RegisterInDNS
DNS configuration is sufficient to allow this domain controller to dynamically register the domain controller Locator records in DNS.
The DNS configuration is sufficient to allow this computer to dynamically register the A record corresponding to its DNS name.
dc1 passed test RegisterInDNS
13.12.3 Discussion
With the default setup, domain controllers attempt to dynamically register the resource records necessary for them to be located by Active Directory clients and other domain controllers. The domain controllers must have their resource records populated in DNS in order to function. It can be very tedious and error-prone to register all of the records manually, which is why allowing the domain controllers to use dynamic DNS (DDNS) to automatically register and update their records can be much easier from a support standpoint.
The Windows Server 2003 version of the dcdiag command provides a new RegisterInDNS switch that allows you to test whether or not the DC can register its records. In the solution above, I showed the output if the domain controller passes the test.
Here is the output if an error occurs:
Starting test: RegisterInDNS
This domain controller cannot register domain controller Locator DNS records. This is because either the DNS server with IP address 6.10.45.14 does not support dynamic updates or the zone rallencorp.com is configured to prevent dynamic updates.
In order for this domain controller to be located by other domain members and domain controllers, the domain controller Locator DNS records must be added to DNS You have the following options:
1. Configure the rallencorp.com zone and the DNS server with IP address 6.10.45.14 to allow dynamic updates. If the DNS server does not support dynamic updates, you might need to upgrade it.
2. Migrate the rallencorp.com zone to a DNS server that supports dynamic updates (for example, a Windows 2000 DNS server).
3. Delegate the zones _msdcs.rallencorp.com, _sites.rallencorp.com,
systemroot\system32\config\netlogon.dns file
DcDiag cannot reach a conclusive result because it cannot interpret the following message that was returned: 9501
dc1 failed test RegisterInDNS
As you can see, it offers several options for resolving the problem. The information provided will also vary depending on the error encountered.
13.12.4 See Also
Recipe 13.13 for registering a domain controller's resource records
Recipe 13.13 Registering a Domain Controller's Resource Records
13.13.1 Problem
You want to manually force registration of a domain controller's resource records. This may be necessary if you've made some configuration changes on your DNS servers to allow your domain controllers to start dynamically registering resource records.
13.13.2 Solution
13.13.2.1 Using a command-line interface
> nltest /dsregdns /server:<DomainControllerName>
13.13.3 Discussion
The Windows Server 2003 version of nltest provides a /dsregdns switch that allows you to force registration of the domain controller-specific resource records. You can also force reregistration of its resource records by restarting the NetLogon service on the domain controller. The NetLogon service automatically attempts to reregister a domain controller's resource records every hour, so if you can wait that long, you do not need to use the nltest command.
13.13.4 See Also
Recipe 13.12 for verifying if a domain controller is registering its resource records