Monday, December 30, 2013

EDNS0 and Windows Based DNS Server

Good afternoon everyone! I am going to dig into a quick, short write-up on DNS and one of its specifications. I'm going to try to put this into the simplest terms, to avoid any confusion. A while back I was troubleshooting a client's network and was seeing some DNS issues within the infrastructure. Some of the bigger DNS queries generated from this network were unsuccessful, thus causing some network issues for clients. So what is EDNS0? It is an extension mechanism for DNS (RFC 2671, now RFC 6891) that Windows DNS Server supports. A resolver that supports it attaches an OPT pseudo-record to its query advertising how large a UDP reply it can accept, and the server may then answer with a UDP message larger than the classic 512-byte limit. Where the issue comes in is with firewalls that inspect DNS and drop any UDP DNS packet over 512 bytes: the larger answers never arrive, and the queries that need them fail. Your firewall needs to allow UDP DNS traffic larger than 512 bytes through; that is the real resolution. A quick workaround on the Windows side is to disable EDNS0 on the DNS server. The server then stops advertising EDNS0 in the queries it sends, answers that do not fit in 512 bytes come back truncated (TC bit set), and the DNS server automatically retries the query over TCP, which the firewall passes. You might see some performance drop by disabling it, because every oversized answer now costs a TCP connection instead of a single larger UDP exchange. Check with your firewall manufacturer about support for this mechanism and how to configure it properly. The quick workaround on a Microsoft DNS server is to take the action below:

To work around this issue, turn off the EDNS0 feature on Windows-based DNS servers. To do this, take the following action:
At a command prompt, type the following command, and then press Enter: 
dnscmd /config /enableednsprobes 0
Note: Type a 0 (zero) and not the letter "O" after "enableednsprobes" in this command.

The following information appears:

Registry property enableednsprobes successfully reset.
Command completed successfully.



So you might ask, why don't we just let the packet grow bigger? Well, DNS prefers UDP because a query and its answer each fit in one small packet with no connection setup, and that is what keeps name resolution fast; picture all the Internet traffic and all the DNS queries happening behind every website visit. With EDNS0 you keep compatibility with legacy systems, since a larger UDP size is only used when the client has advertised it and the server understands the OPT record, while current DNS systems get the larger answers they need (DNSSEC-signed responses, for instance, routinely exceed 512 bytes) without falling back to TCP. Most newer systems use EDNS0, so it is not good practice to disable this feature; let the technology function properly with the peers that support it. As mentioned earlier, disabling it is more of a workaround; the fix is to make your firewall accept EDNS0 traffic, that is, UDP DNS packets larger than 512 bytes.
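As an added illustration (example code written for this page, not part of the original post or of Microsoft's KB article), here is the exchange described above in Python using only the standard library: a query carrying an EDNS0 OPT record that advertises a 4096-byte UDP buffer, the check for the truncation bit in the reply, and the retry over TCP that a classic 512-byte client has to make. The server address 192.0.2.53 and the name example.com are placeholders; point them at a resolver on the far side of the firewall you are testing.

```python
"""Added example: an EDNS0-aware DNS probe with the standard TCP fallback.

Builds a query that advertises a large UDP buffer in an OPT pseudo-record
(RFC 6891), sends it over UDP, and if the answer comes back truncated (TC bit)
repeats it over TCP with the 2-byte length prefix from RFC 1035 section 4.2.2.
Standard library only; the server address and name below are placeholders."""
import socket
import struct

CLASSIC_UDP_LIMIT = 512   # largest UDP DNS message a pre-EDNS0 client accepts
OPT_TYPE = 41             # RR type of the EDNS0 OPT pseudo-record
TC_FLAG = 0x0200          # "truncated" bit in the DNS header flags


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (uncompressed wire format)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns_payload=4096):
    """Recursive query; edns_payload > 0 appends an OPT RR advertising that many
    bytes as the UDP size we can receive, edns_payload=0 sends a classic query."""
    arcount = 1 if edns_payload else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # 0x0100 = RD
    msg = header + encode_name(name) + struct.pack(">HH", qtype, 1)
    if edns_payload:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack(">HHIH", OPT_TYPE, edns_payload, 0, 0)
    return msg


def parse_header(resp):
    """Decode the 12-byte header: id, truncation bit, rcode, answer count, size."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "truncated": bool(flags & TC_FLAG), "rcode": flags & 0xF,
            "answers": an, "size": len(resp)}


def skip_name(msg, off):
    """Advance past a (possibly compressed) name; a pointer ends the name in 2 bytes."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def responder_udp_size(resp):
    """UDP payload size the responder advertised in its own OPT RR, or None when
    the reply carried no OPT RR (peer does not speak EDNS0, or it was stripped)."""
    qd, an, ns, ar = struct.unpack(">HHHH", resp[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4                # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None


def resolve(name, server, qtype=1, edns_payload=4096, timeout=3.0):
    """Query over UDP, then over TCP if the UDP reply was truncated. Returns the
    parsed header plus which transport delivered the final answer."""
    query = build_query(name, qtype, edns_payload=edns_payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        resp, _ = udp.recvfrom(edns_payload or CLASSIC_UDP_LIMIT)
    result = parse_header(resp)
    result["transport"] = "udp"
    result["peer_udp_size"] = responder_udp_size(resp)
    if result["truncated"]:
        with socket.create_connection((server, 53), timeout=timeout) as tcp:
            tcp.sendall(struct.pack(">H", len(query)) + query)
            stream = tcp.makefile("rb")
            (length,) = struct.unpack(">H", stream.read(2))
            resp = stream.read(length)
        result = parse_header(resp)
        result["transport"] = "tcp"
        result["peer_udp_size"] = None
    return result


if __name__ == "__main__":
    # Placeholder server and name: use a resolver behind the firewall you are testing.
    for size in (4096, 0):
        try:
            print(size, resolve("example.com", "192.0.2.53", edns_payload=size))
        except socket.timeout:
            print(size, "no reply; a timeout with EDNS0 on but not off points at the firewall")
```

Run it against a name whose answer is larger than 512 bytes. If the EDNS0 run (4096) times out while the classic run (0) comes back truncated and then succeeds over TCP, the firewall is dropping UDP DNS above 512 bytes, which is exactly the symptom the KB workaround masks; `peer_udp_size` tells you whether the far side answered with its own OPT record at all.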


http://support.microsoft.com/kb/832223

Monday, December 23, 2013

Active Directory integrated DNS

Good morning. Today's topic digs into DNS and how it can benefit you in a Microsoft Active Directory environment. So how does an Active Directory integrated setup separate itself from a typical DNS setup? Typically zones are stored as text files on the DNS servers, and those files are then synchronized to other DNS servers using zone transfers. With AD integration the zone data lives in Active Directory itself: you install the DNS role on a domain controller, the zone is stored as AD objects, and it is replicated to the other domain controllers by ordinary AD replication. Implementing this integration is fairly easy; when setting up the zone you set the zone type to Active Directory integrated. The zone object is created in the MicrosoftDNS container under the System container of the domain partition (the original storage location; Windows Server 2003 and later can also store zones in the DomainDnsZones and ForestDnsZones application partitions). Each zone is its own Active Directory container object (class dnsZone, e.g. domain.com or reskit.com), which contains one dnsNode object (class dnsNode) per name in the zone. Those names include the special entries that locate particular systems, such as the SRV records for the PDC emulator and the domain controllers, as well as ordinary domain computers. Below is a great visual representation, courtesy of the Microsoft TechNet website, of the connection of the dnsNode object (the client1 object) to the zone. When a computer registers itself in DNS, its records are stored as dnsRecord attribute values on that dnsNode object.

That is as far as I will dig into the technical side of DNS; now to add more on the advantages of AD integrated zones. Consider you have 4 sites, 1 of them being corporate with about 1,000 computers, and 3 remote sites with about 300 computers each. You are hosting an Active Directory environment at corporate and your remote sites also support it, but your current setup has a single standalone name server that serves corporate and all the remote sites. You have identified that you want to add redundancy to the DNS environment and keep DNS query traffic local to each site. The perfect solution would be to implement AD integrated DNS. You would simply install the DNS role on a corporate domain controller, import or create your new AD integrated zone, and install the DNS role on a second corporate domain controller as well. Then install the DNS role on the remote sites' domain controllers too: as long as the zone's replication scope includes them (for example, all DNS servers in the domain), they automatically receive a copy of the zone you created at corporate, and any change made to DNS replicates to every site at the next replication interval. You can then re-point your clients to the DNS servers at their own site, so query traffic stays local, and each site still has a fallback if its local DNS server is unavailable. You also have global redundancy: if a site's DNS server goes down along with the primary corporate server, the second corporate server still holds the zone. What makes this great is that you do not have to configure zone transfers or verify that they are happening, and the replication is secure: AD replication over RPC over IP authenticates both partners with the Kerberos V5 protocol and encrypts the data in transit. A standard zone transfer (AXFR), by contrast, is sent in plain text, and unless you restrict it to specific servers anyone who can reach TCP port 53 on the server can request a full copy of your zone; you can imagine the security risk involved with that. AD integrated zones also let you require secure dynamic updates, so only authenticated domain machines can register or change their own records.
This is still reliant on domain replication, so you have to make sure Active Directory Sites and Services is properly configured and that replication is actually happening (repadmin /replsummary is the quick check). Any new applications installed or systems brought online can be managed at the site level and are automatically synchronized across the whole infrastructure without manually pushing those changes to each site. A tornado rolls through your data center and your system is gone; are all my DNS entries gone, do I have to recreate them all? No! In the event of a disaster where your domain controller and DNS server are gone, you can easily build a new system at the site, and once it is promoted into the domain and given the DNS role it automatically pulls all the zones back down. If you ever have the choice of implementing this type of infrastructure, I would recommend it, as you can clearly see some of its main advantages.
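As an added example (written for this page, not part of the original post or of the TechNet article), here is the check an administrator would run after reading the point above about plain-text zone transfers: a Python script, standard library only, that asks a DNS server for an AXFR of a zone over TCP and reports whether the server refused or started handing out records. The server 192.0.2.53 and the zone corp.example are placeholders.

```python
"""Added example: check whether a DNS server hands out full zone transfers (AXFR).

Sends an AXFR query for the zone over TCP/53 and classifies the first reply
message: REFUSED or NOTAUTH means transfers are restricted for our address,
NOERROR with answer records means the zone can be copied in plain text by
anyone who can reach the port. Standard library only; server/zone are placeholders."""
import socket
import struct

QTYPE_AXFR = 252
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def axfr_request(zone, txid=0x4242):
    """AXFR is a plain QUERY with QTYPE=252 for the zone apex; RD is not set."""
    labels = [l for l in zone.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + name + struct.pack(">HH", QTYPE_AXFR, 1)


def classify_reply(resp):
    """Decide from the 12-byte header of the first AXFR response message."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    rcode = flags & 0xF
    rcode_name = RCODE_NAMES.get(rcode, str(rcode))
    if rcode in (5, 9):
        return {"status": "restricted", "rcode": rcode_name, "records": 0}
    if rcode != 0:
        return {"status": "error", "rcode": rcode_name, "records": 0}
    if ancount == 0:
        # NOERROR with no records is the other way servers decline a transfer
        return {"status": "restricted", "rcode": rcode_name, "records": 0}
    return {"status": "open", "rcode": rcode_name, "records": ancount}


def zone_transfer_check(server, zone, timeout=5.0):
    """Connect, send the length-prefixed AXFR request, classify the first message.
    For an open zone the server keeps sending messages until the closing SOA;
    one message is enough to know the zone is exposed."""
    request = axfr_request(zone)
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack(">H", len(request)) + request)
        stream = tcp.makefile("rb")
        prefix = stream.read(2)
        if len(prefix) < 2:
            # server closed the connection without answering: treated as not transferable
            return {"status": "closed", "rcode": None, "records": 0}
        (length,) = struct.unpack(">H", prefix)
        return classify_reply(stream.read(length))


if __name__ == "__main__":
    # Placeholders: a DNS server you administer and a zone it hosts.
    print(zone_transfer_check("192.0.2.53", "corp.example"))
```

AD replication makes zone transfers unnecessary between domain controllers, but the DNS role still answers AXFR when zone transfers are enabled on the zone, so run this from an address that should not be allowed and expect `restricted`; if you do keep a non-Windows secondary that is allowed, run it from there as well to confirm the restriction is by address rather than a global off switch.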

http://technet.microsoft.com/en-us/library/cc978010.aspx

Tuesday, December 17, 2013

The Power of Microsoft Windows Group Policies

If you ask any IT professional, they will agree that security is a critical component of how their infrastructure is configured. Every layer of your infrastructure can be secured, but it is understanding how to properly secure each layer that ultimately determines how hard it is for someone to infiltrate your infrastructure; no single control guarantees it. Along with security, every IT professional looks for ways to be more efficient: how do you automate tasks or take away the everyday cumbersome tasks no one wants to touch? Today we look at Microsoft Windows and securing the operating system layer by using Active Directory and Group Policy to secure your network. I think the biggest thing I take away from working with clients is that they don't understand the power of using group policies and how much more efficient they can be by implementing them. So why join a domain? What will be my benefit? Well, there may be different motivators that drive your decision to implement or join a Microsoft Windows Active Directory domain. It could be driven by your management or business and the need to protect critical, highly sensitive data. For smaller businesses it could be that your IT admin is the only one who understands how critical it is to protect your data. Whatever the reason, it is important to know that an Active Directory domain gives you the tools to make your systems more secure, consistently and from one place. Think about this scenario: you work for a small business with 2 different locations that employs about 65 people, so that would mean 75+ systems including all the servers running your critical applications. As an IT administrator it would not be efficient to manage all the systems individually every day; that means I would have to literally drive to the remote office, log on to each computer individually and lock the operating system down.
Something as simple as a new employee starting would include creating a local user account on the PC, setting his password expiration policy, locking down software installation rights and access to the Control Panel, turning on the firewall with all the needed exceptions, and installing all the software he needs to do his job. Whatever your security standards state, you would spend the time doing this over and over. As a small business, the last thing management wants to do is spend more money on another technical resource, and as an IT professional you have better things to focus on. That's where the power of Group Policy comes into play: Active Directory allows all your systems to be managed centrally, and with Group Policy you can make your systems that much more secure and your staff more efficient. With Group Policy you create and define policies once: set the password expiration policy, enable the firewall with the proper exceptions, or even have the software installed automatically. When the new employee starts in the remote office, I can have management double-click a file that joins the system to the domain and he is ready to get to work, or if you have imaging software there are more efficient methods that take care of it automatically. (Such a join script must not carry a domain administrator's password; use a dedicated account that is only allowed to create computer objects in the intended OU, or an offline domain join.) I can be hands off and efficient while creating a secure layer. There are literally hundreds of computer and user settings that you can configure through Group Policy, and probably its most valuable property is that it is a flexible tool. Group Policy design becomes clearer once you understand your clients' or company's needs, SLAs, security, network and IT requirements. When you look at your infrastructure and your users' needs, you can meet them by using Group Policy.
By no means is something so complex and flexible easy to work with; it can take years of practice and trial and error to fully understand the capabilities of this technology, the design can take hours of planning, and the environment must support it. Some of the concepts can be confusing and frustrating, so it is important to get good training or understanding before implementing any rules. After multiple years of experience working with this technology I can still go into Group Policy and find out that it can do something for me automatically and make my life a lot easier. The best way to learn is to not be afraid to test the capabilities of the software and push the limits, in a test OU or a lab domain rather than on production systems. Remember that Group Policy can make your life a lot easier, but good design and understanding will ultimately determine your success or failure. I haven't even scratched the surface of the technology and its further complex structure and capabilities. When something is so powerful it is hard to explain in one article. Microsoft offers good documentation and training on Group Policy; I would recommend visiting their website and following their best practices. That is all for this article, see you next time.

http://www.microsoft.com/en-us/download/confirmation.aspx?id=22478