Active Directory Cookbook for Windows Server 2003 - Part 43 (pages 431-440)

Recipe 13.14 Preventing a Domain Controller from Dynamically Registering All Resource Records

13.14.1 Problem

You want to prevent a domain controller from dynamically registering its resource records using DDNS. If you manually register domain controllers' resource records, you'll want to prevent those domain controllers from attempting to dynamically register them. If you do not stop them from sending dynamic update requests, you may see annoying error messages on your DNS servers reporting that certain DDNS updates are failing.

13.14.2 Solution

13.14.2.1 Using a command-line interface

```
> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v UseDynamicDNS /t REG_DWORD /d 0
The operation completed successfully.
> net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.
> del %SystemRoot%\system32\config\netlogon.dnb
> net start netlogon
The Net Logon service is starting
The Net Logon service was started successfully.
```

13.14.2.2 Using VBScript

```vbscript
' This code prevents a DC from registering resource records dynamically.
' It must be run directly on the server.

' Create Registry Value
const HKLM = &H80000002
set oReg = GetObject("winmgmts:root\default:StdRegProv")
strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"
' UseDynamicDNS must be 0 to disable registration (1 leaves it enabled)
if oReg.SetDWORDValue(HKLM, strKeyPath, "UseDynamicDNS", 0) <> 0 then
   WScript.Echo "Error creating registry value"
else
   WScript.Echo "Created registry value successfully"
end if

' Stop Netlogon service
strService = "Netlogon"
set objService = GetObject("WinMgmts:root/cimv2:Win32_Service.Name='" & _
                           strService & "'")
if objService.StopService <> 0 then
   WScript.Echo "Error stopping " & strService & " service"
else
   WScript.Echo "Stopped " & strService & " service successfully"
end if

' Delete netlogon.dnb file (the cache of dynamically registered records)
On Error Resume Next
set WshShell = CreateObject("WScript.Shell")
set objFSO = CreateObject("Scripting.FileSystemObject")
set objFile = objFSO.GetFile( _
       WshShell.ExpandEnvironmentStrings("%SystemRoot%") _
       & "\system32\config\netlogon.dnb" )
objFile.Delete
if Err.Number <> 0 then
   WScript.Echo "Error deleting netlogon.dnb: " & Err.Description
else
   WScript.Echo "Deleted netlogon.dnb successfully"
end if
On Error GoTo 0

' Start Netlogon service
if objService.StartService <> 0 then
   WScript.Echo "Error starting " & strService & " service"
else
   WScript.Echo "Started " & strService & " service successfully"
end if
WScript.Echo
WScript.Echo "Done"
```

13.14.3 Discussion

By default, domain controllers attempt to dynamically register their Active Directory-related resource records every hour via the NetLogon service. You can prevent a domain controller from doing this by setting the UseDynamicDNS value to 0 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters. After you set that value, you should stop the NetLogon service, remove the %SystemRoot%\system32\config\netlogon.dnb file, and then start NetLogon back up. It is necessary to remove the netlogon.dnb file because it maintains a cache of the resource records that are dynamically updated. This file will be recreated when the NetLogon service restarts.
13.14.4 See Also

Recipe 13.15 for preventing certain records from being dynamically registered, MS KB 198767 (How to Prevent Domain Controllers from Dynamically Registering DNS Names), and MS KB 246804 (How to Enable/Disable Windows 2000 Dynamic DNS Registrations)

Recipe 13.15 Preventing a Domain Controller from Dynamically Registering Certain Resource Records

13.15.1 Problem

You want to prevent a domain controller from dynamically registering certain resource records. It is sometimes advantageous to prevent certain resource records from being dynamically registered. For example, if you want to reduce the load on the PDC Emulator for a domain, you could prevent some of its SRV records from being published, which would reduce the amount of client traffic the server receives.

13.15.2 Solution

13.15.2.1 Using a command-line interface

This command will disable the Ldap, Gc, and GcIpAddress resource records from being dynamically registered:

```
> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /d Ldap\0Gc\0GcIpAddress
The operation completed successfully.
> net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.
> del %SystemRoot%\system32\config\netlogon.dnb
> net start netlogon
The Net Logon service is starting
The Net Logon service was started successfully.
```

13.15.2.2 Using VBScript

```vbscript
' This code prevents a DC from registering the resource records
' associated with the Ldap, Gc, and GcIpAddress mnemonics and must be run
' directly on the server.

' Create Registry Value
const HKLM = &H80000002
set objReg = GetObject("winmgmts:root\default:StdRegProv")
strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"
' prevent Ldap, Gc, and GcIpAddress records from being registered
arrValues = Array("Ldap", "Gc", "GcIpAddress")
if objReg.SetMultiStringValue(HKLM, strKeyPath, "DnsAvoidRegisterRecords", _
                              arrValues) <> 0 then
   WScript.Echo "Error creating registry value"
else
   WScript.Echo "Created registry value successfully"
end if

' Stop Netlogon service
strService = "Netlogon"
set objService = GetObject("WinMgmts:root/cimv2:Win32_Service.Name='" & _
                           strService & "'")
if objService.StopService <> 0 then
   WScript.Echo "Error stopping " & strService & " service"
else
   WScript.Echo "Stopped " & strService & " service successfully"
end if

' Delete netlogon.dnb file
On Error Resume Next
set WshShell = CreateObject("WScript.Shell")
set objFSO = CreateObject("Scripting.FileSystemObject")
set objFile = objFSO.GetFile( _
       WshShell.ExpandEnvironmentStrings("%systemroot%") _
       & "\system32\config\netlogon.dnb")
objFile.Delete
if (Err.Number <> 0) then
   WScript.Echo "Error deleting netlogon.dnb: " & Err.Description
else
   WScript.Echo "Deleted netlogon.dnb successfully"
end if

' Start Netlogon service
if objService.StartService <> 0 then
   WScript.Echo "Error starting " & strService & " service"
else
   WScript.Echo "Started " & strService & " service successfully"
end if
WScript.Echo
WScript.Echo "Done"
```

13.15.3 Discussion

The procedure to disable registration of certain resource records is very similar to that described in Recipe 13.14 for preventing all records from being dynamically registered, except in this case, you need to create a value called DnsAvoidRegisterRecords under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters key. The type for DnsAvoidRegisterRecords should be REG_MULTI_SZ and the data should be a whitespace separated list of mnemonics.
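An added example, not the book's code, that treats Table 13-3 below as data: it decodes a raw REG_MULTI_SZ DnsAvoidRegisterRecords value the way it is stored in the registry and expands each mnemonic into the concrete record the DC will stop registering, flagging any entry that matches no mnemonic. The domain, forest and site names are constructed sample values.

```python
# Added example (not from the book): treat Table 13-3 as data and expand the
# DnsAvoidRegisterRecords mnemonics into the DNS records the DC stops registering.
# Domain, forest and site names used below are constructed sample values.

# Table 13-3: mnemonic -> (record type, record name template)
TABLE_13_3 = {
    "LdapIpAddress": ("A", "<DnsDomainName>"),
    "Ldap": ("SRV", "_ldap._tcp.<DnsDomainName>"),
    "LdapAtSite": ("SRV", "_ldap._tcp.<SiteName>._sites.<DnsDomainName>"),
    "Pdc": ("SRV", "_ldap._tcp.pdc._msdcs.<DnsDomainName>"),
    "Gc": ("SRV", "_ldap._tcp.gc._msdcs.<DnsForestName>"),
    "GcAtSite": ("SRV", "_ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>"),
    "DcByGuid": ("SRV", "_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>"),
    "GcIpAddress": ("A", "_gc._msdcs.<DnsForestName>"),
    "DsaCname": ("CNAME", "<DsaGuid>._msdcs.<DnsForestName>"),
    "Kdc": ("SRV", "_kerberos._tcp.dc._msdcs.<DnsDomainName>"),
    "KdcAtSite": ("SRV", "_kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>"),
    "Dc": ("SRV", "_ldap._tcp.dc._msdcs.<DnsDomainName>"),
    "DcAtSite": ("SRV", "_ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>"),
    "Rfc1510Kdc": ("SRV", "_kerberos._tcp.<DnsDomainName>"),
    "Rfc1510KdcAtSite": ("SRV", "_kerberos._tcp.<SiteName>._sites.<DnsDomainName>"),
    "GenericGc": ("SRV", "_gc._tcp.<DnsForestName>"),
    "GenericGcAtSite": ("SRV", "_gc._tcp.<SiteName>._sites.<DnsForestName>"),
    "Rfc1510UdpKdc": ("SRV", "_kerberos._udp.<DnsDomainName>"),
    "Rfc1510Kpwd": ("SRV", "_kpasswd._tcp.<DnsDomainName>"),
    "Rfc1510UdpKpwd": ("SRV", "_kpasswd._udp.<DnsDomainName>"),
}

def parse_multi_sz(raw: bytes) -> list[str]:
    """Decode a raw REG_MULTI_SZ value: UTF-16LE strings, each NUL-terminated,
    plus a closing NUL. A single space-separated string is ONE element."""
    return [s for s in raw.decode("utf-16-le").split("\0") if s]

def suppressed_records(mnemonics, names):
    """Map each mnemonic (compared exactly as written in the table) to the
    (type, fqdn) it suppresses; 'names' supplies the placeholder values.
    Entries found nowhere in Table 13-3 are returned in a separate list:
    they match no record, so nothing is suppressed for them."""
    known, unknown = {}, []
    for m in mnemonics:
        if m not in TABLE_13_3:
            unknown.append(m)
            continue
        rtype, fqdn = TABLE_13_3[m]
        for key, value in names.items():
            fqdn = fqdn.replace("<" + key + ">", value)
        known[m] = (rtype, fqdn)
    return known, unknown

# Constructed sample: exactly what the recipe's reg add command writes.
SAMPLE_VALUE = "Ldap\0Gc\0GcIpAddress\0\0".encode("utf-16-le")
SAMPLE_NAMES = {"DnsDomainName": "amer.rallencorp.com",
                "DnsForestName": "rallencorp.com",
                "SiteName": "Default-First-Site-Name"}
```

Running suppressed_records(parse_multi_sz(SAMPLE_VALUE), SAMPLE_NAMES) gives the three records the recipe's reg add command suppresses, and an empty list of unknown mnemonics.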
Mnemonics are used to represent the various resource records that domain controllers register. The complete list of mnemonics is included in Table 13-3.

Table 13-3. Registry mnemonics for resource records

| Registry mnemonic | Resource record type | Resource record name |
|---|---|---|
| LdapIpAddress | A | <DnsDomainName> |
| Ldap | SRV | _ldap._tcp.<DnsDomainName> |
| LdapAtSite | SRV | _ldap._tcp.<SiteName>._sites.<DnsDomainName> |
| Pdc | SRV | _ldap._tcp.pdc._msdcs.<DnsDomainName> |
| Gc | SRV | _ldap._tcp.gc._msdcs.<DnsForestName> |
| GcAtSite | SRV | _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName> |
| DcByGuid | SRV | _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName> |
| GcIpAddress | A | _gc._msdcs.<DnsForestName> |
| DsaCname | CNAME | <DsaGuid>._msdcs.<DnsForestName> |
| Kdc | SRV | _kerberos._tcp.dc._msdcs.<DnsDomainName> |
| KdcAtSite | SRV | _kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName> |
| Dc | SRV | _ldap._tcp.dc._msdcs.<DnsDomainName> |
| DcAtSite | SRV | _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName> |
| Rfc1510Kdc | SRV | _kerberos._tcp.<DnsDomainName> |
| Rfc1510KdcAtSite | SRV | _kerberos._tcp.<SiteName>._sites.<DnsDomainName> |
| GenericGc | SRV | _gc._tcp.<DnsForestName> |
| GenericGcAtSite | SRV | _gc._tcp.<SiteName>._sites.<DnsForestName> |
| Rfc1510UdpKdc | SRV | _kerberos._udp.<DnsDomainName> |
| Rfc1510Kpwd | SRV | _kpasswd._tcp.<DnsDomainName> |
| Rfc1510UdpKpwd | SRV | _kpasswd._udp.<DnsDomainName> |

13.15.4 See Also

Recipe 13.14 for preventing all records from being dynamically registered, MS KB 246804 (How to Enable/Disable Windows 2000 Dynamic DNS Registrations), and MS KB 267855 (Problems with Many Domain Controllers with Active Directory Integrated DNS Zones)

Recipe 13.16 Deregistering a Domain Controller's Resource Records

13.16.1 Problem

You want to manually deregister a domain controller's resource records.
13.16.2 Solution

13.16.2.1 Using a command-line interface

With the following nltest command, replace <DomainControllerName> with the FQDN of the domain controller you want to deregister and <DomainDNSName> with the FQDN of the domain of which the domain controller is a member:

```
> nltest /dsderegdns:<DomainControllerName> /Dom:<DomainDNSName>
```

13.16.3 Discussion

When a domain controller is demoted from a domain, it dynamically deregisters its resource records. This is a nice feature of the demotion process because it means you do not have to manually remove all of the resource records or wait for scavenging to remove them. If, however, you have a domain controller that crashes and you do not plan on bringing it back online, you'll need to remove the records manually or wait for scavenging. You can use the DNS Mgmt MMC snap-in and even the dnscmd.exe utility to remove them one by one, or you can use the nltest command, as shown in the solution.

The /dsderegdns switch also has /DomGUID and /DsaGUID options if you want to delete the records that are based on the domain GUID and DSA GUID, respectively. You need to know the actual GUIDs of the domain and domain controller to use those switches, so if you don't have them handy, it would be easier to delete them using the DNS Mgmt MMC snap-in.

Recipe 13.17 Allowing Computers to Use a Different Domain Suffix from Their AD Domain

13.17.1 Problem

You want to allow computers to use a different domain suffix than their AD domain.

13.17.2 Solution

The following solutions work only for Windows Server 2003 domains. Read the Discussion for a workaround for Windows 2000.

13.17.2.1 Using a graphical user interface

1. Open ADSI Edit.
2. Connect to the domain you want to edit.
3. Right-click on the domainDNS object and select Properties.
4. Edit the msDS-AllowedDNSSuffixes attribute and enter the DNS suffix you want to add.
5. Click OK.
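Before the command-line and VBScript versions of this recipe, an added example that is not the book's code: a small model of the suffix rule the recipe describes (a host name is accepted only when its DNS suffix equals the AD domain name or one of the msDS-AllowedDNSSuffixes values), applied to dNSHostName and to the host part of each SPN, plus a generator for the add_dns_suffix.ldf file used in the command-line solution. The treatment of short-name SPNs is an assumption of the model, and all names and suffixes are constructed sample values.

```python
# Added example (not the book's code): a model of the suffix rule behind events
# 5788/5789 as the recipe describes it, plus a generator for add_dns_suffix.ldf.
# Names and suffixes below are constructed sample values.

def suffix_allowed(dns_host_name, ad_domain, allowed_suffixes=()):
    """True when the DNS suffix of dns_host_name (everything after the first
    label) equals the AD domain name or one of the msDS-AllowedDNSSuffixes
    values. Comparison is case-insensitive and ignores a trailing dot. The
    whole suffix must match: a subdomain such as lab.amer.rallencorp.com and a
    look-alike such as evilamer.rallencorp.com are both rejected."""
    host = dns_host_name.rstrip(".").lower()
    if "." not in host:
        return False          # bare host name: no suffix to validate
    suffix = host.split(".", 1)[1]
    allowed = {ad_domain.rstrip(".").lower()}
    allowed.update(s.rstrip(".").lower() for s in allowed_suffixes)
    return suffix in allowed

def check_update(dns_host_name, spns, ad_domain, allowed_suffixes=()):
    """Apply the rule to dNSHostName and to the host part of every SPN in the
    update. Short-name SPNs such as HOST/pc1 carry no suffix and are left out
    of the check (an assumption of this model)."""
    results = {"dNSHostName": suffix_allowed(dns_host_name, ad_domain, allowed_suffixes)}
    for spn in spns:
        host = spn.split("/", 1)[1].split(":")[0]   # HOST/pc1.dom.com[:port]
        if "." in host:
            results[spn] = suffix_allowed(host, ad_domain, allowed_suffixes)
    return results

def add_suffix_ldif(domain_dn, suffix):
    """LDIF for 'ldifde -i': the 'add:' change type appends to the multivalued
    msDS-AllowedDNSSuffixes attribute instead of replacing existing values."""
    return (f"dn: {domain_dn}\nchangetype: modify\n"
            f"add: msDS-AllowedDNSSuffixes\nmsDS-AllowedDNSSuffixes: {suffix}\n-\n")
```

With no allowed suffix configured, check_update("pc1.othercorp.com", ["HOST/pc1.othercorp.com"], "amer.rallencorp.com") rejects both attributes; adding "othercorp.com" to the allowed list makes the same update pass.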
13.17.2.2 Using a command-line interface

Create an LDIF file called add_dns_suffix.ldf with the following contents:

```ldif
dn: <DomainDN>
changetype: modify
add: msDS-AllowedDNSSuffixes
msDS-AllowedDNSSuffixes: <DNSSuffix>
-
```

then run the following command:

```
> ldifde -v -i -f add_dns_suffix.ldf
```

13.17.2.3 Using VBScript

```vbscript
' This code adds a domain suffix that can be used by clients in the domain.
' SCRIPT CONFIGURATION
strDNSSuffix = "<DNSSuffix>"      ' e.g. othercorp.com
strDomain    = "<DomainDNSName>"  ' e.g. amer.rallencorp.com
' END CONFIGURATION
const ADS_PROPERTY_APPEND = 3
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
' msDS-AllowedDNSSuffixes is multivalued; append the new suffix rather than
' overwriting any suffixes already present (Put would replace them all).
objDomain.PutEx ADS_PROPERTY_APPEND, "msDS-AllowedDNSSuffixes", Array(strDNSSuffix)
objDomain.SetInfo
WScript.Echo "Added " & strDNSSuffix & " to suffix list."
```

13.17.3 Discussion

Windows 2000, Windows XP, and Windows Server 2003 member computers dynamically maintain the dNSHostName and servicePrincipalName attributes of their corresponding computer object in Active Directory with their current host name. By default, those attributes can only contain host names that have a DNS suffix equal to the Active Directory domain the computer is a member of. If the computer's DNS suffix is not equal to the Active Directory domain, events 5788 and 5789 will be logged in the System event log on the domain controllers the clients attempt to update. These events report that the dNSHostName and servicePrincipalName attributes could not be updated due to an incorrect domain suffix.

For Windows Server 2003 domains, you can avoid this by adding the computer's DNS suffix to the msDS-AllowedDNSSuffixes attribute on the domain object (e.g., dc=rallencorp,dc=com).

With Windows 2000, the only workaround for this issue is to grant the Self principal the ability to write the dNSHostName and servicePrincipalName attributes for computer objects. Here are the steps:

1. Open ADSI Edit.
2. Right-click on the domain object and select Properties.
3. Click the Security tab.
4. Click the Add button.
5. Enter Self in the object picker and click OK.
6. Click the Advanced button.
7. Under the Name column, double-click on SELF.
8. Click the Properties tab.
9. Beside Apply onto, select Computer objects.
10. Under Permissions, check the Allow box for Write dNSHostName and Write servicePrincipalName.
11. Click OK until you close all the windows.

It is worth noting that if you implement this method, it is possible for someone to cause a computer to write any name into those attributes, and, therefore, advertise itself as another computer.

13.17.4 See Also

MS KB 258503 (DNS Registration Errors 5788 and 5789 When DNS Domain and Active Directory Domain Name Differ)

Chapter 14. Security and Authentication

Introduction
Recipe 14.1. Enabling SSL/TLS
Recipe 14.2. Encrypting LDAP Traffic with SSL, TLS, or Signing
Recipe 14.3. Enabling Anonymous LDAP Access
Recipe 14.4. Restricting Hosts from Performing LDAP Queries
Recipe 14.5. Using the Delegation of Control Wizard
Recipe 14.6. Customizing the Delegation of Control Wizard
Recipe 14.7. Viewing the ACL for an Object
Recipe 14.8. Customizing the ACL Editor
Recipe 14.9. Viewing the Effective Permissions on an Object
Recipe 14.10. Changing the ACL of an Object
Recipe 14.11. Changing the Default ACL for an Object Class in the Schema
Recipe 14.12. Comparing the ACL of an Object to the Default Defined in the Schema
Recipe 14.13. Resetting an Object's ACL to the Default Defined in the Schema
Recipe 14.14. Preventing the LM Hash of a Password from Being Stored
Recipe 14.15. Enabling List Object Access Mode
Recipe 14.16. Modifying the ACL on Administrator Accounts
Recipe 14.17. Viewing and Purging Your Kerberos Tickets
Recipe 14.18. Forcing Kerberos to Use TCP
Recipe 14.19. Modifying Kerberos Settings

Introduction

The default Windows 2000 Active Directory installation was not as secure as it could have been.
It allowed anonymous queries to be executed, which could take up valuable processing resources, and it did not place any requirements on encrypting or signing traffic between clients and domain controllers. As a result, usernames, passwords, and search results could be sent over the network in clear text. Fortunately, with Windows Server 2003, things have been tightened up significantly. LDAP traffic is signed by default and anonymous queries are disabled by default. Additionally, Transport Layer Security (TLS), the more flexible cousin of Secure Sockets Layer (SSL), is supported in Windows Server 2003, which allows for end-to-end encryption of traffic between domain controllers and clients.

Active Directory's Access Control List (ACL) model provides ultimate flexibility for securing objects throughout a forest. You can restrict access down to the attribute level if you need to. With this flexibility also comes increased complexity. An object's ACL is initially generated from the default ACL for the object's class, inherited permissions, and permissions directly applied on the object. An ACL is a collection of access control entries (ACEs); each ACE defines the permissions and properties that a security principal can use on the object the ACL is applied to. Defining these entries and populating the ACL is the foundation of Active Directory security and delegation. In this chapter, I will explore some of the common tasks around managing permissions in Active Directory. If you are looking for a detailed guide to Active Directory permissions, I suggest reading Chapter 11 in Active Directory, Second Edition (O'Reilly).

In order for ACLs to be of use, a user has to authenticate to Active Directory. Kerberos is the primary network authentication system used by Active Directory. Kerberos is a standards-based system that was originally developed at MIT, and has been widely implemented at universities.
I will also be covering, in this chapter, some Kerberos-related tasks that you are likely to encounter. For a complete review of Kerberos, I recommend Kerberos: The Definitive Guide (O'Reilly).

Recipe 14.1 Enabling SSL/TLS

14.1.1 Problem

You want to enable SSL/TLS access to your domain controllers so clients can encrypt LDAP traffic to the servers.

14.1.2 Solution

14.1.2.1 Using a graphical user interface

1. Open the Control Panel on a domain controller.

Posted: 05/07/2014, 08:20
