Hey Brandon.
The call that something like IPCONFIG /REGISTERDNS uses is *probably* I_NetLogonControl2 with NETLOGON_CONTROL_FORCE_DNS_REG. That just tells a DC to reregister its records. Nothing to do with what records are actually registered for a DC.
You definitely don't want to look into hooking into NETLOGON. First off, it would have to be on the DCs, which would be very difficult to get approval for even if the code could be written in a secure and stable way (doubtful, since you would have to do code injection). I personally wouldn't allow it; there is no reason why this can't be done from another machine.
Of course you could try to script around dnscmd or nsupdate. The dnscmd may be MS-DNS-centric, I do not know. If it is, it may not work in your environment. Unless there have been some serious changes in DNS there, nsupdate works great. I used to do a lot with DNS via perl scripts and nsupdate. Vern et alii should have some perl scripts that I left behind that show how to use nsupdate. You could set something up with the scheduler service. Some job that runs every hour and checks to see if a certain DC (or the local DC, if you can get it cleared to run there) has LDAPS available and then registers the appropriate LDAPS record.
At a lower level, looking about, you may be able to use the API in DNSAPI.DLL. Unfortunately most of that API seems to be undocumented (when comparing the exports with MSDN), but DnsModifyRecordsInSet and DnsReplaceRecordSet look extremely promising... I would be willing to bet big that those are the calls MS is using under the covers in NetLogon. It is Windows 2000 and better, so you should be safe for any machine you want to run from.
Note I was pinged on this offline from someone else there and put in a DCR for registering LDAPS records back in December.
joe
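One way to build the hourly scheduler job described above (probe a DC for LDAPS, then generate the nsupdate input that registers its SRV record). This is an added example, not code from this thread or from anyone's leftover perl scripts; the `_ldaps._tcp` owner name, the TTL, and the host and zone names are assumptions, since AD defines no LDAPS SRV record of its own.

```python
import socket
import ssl

LDAPS_PORT = 636  # standard LDAP-over-TLS port


def ldaps_available(host, port=LDAPS_PORT, timeout=3.0):
    """True if `host` completes a TLS handshake on `port`.

    Certificate verification is off on purpose: the job only needs to know
    the DC *speaks* LDAPS, not that its cert chains to a trusted CA.
    Refused connections, timeouts and TLS failures all mean "not available".
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


def srv_owner(zone, site=None):
    """Owner name for the (assumed) LDAPS SRV record, optionally site-scoped."""
    if site:
        return f"_ldaps._tcp.{site}._sites.{zone}."
    return f"_ldaps._tcp.{zone}."


def build_nsupdate_script(zone, dc_fqdn, server, site=None,
                          ttl=600, priority=0, weight=100, port=LDAPS_PORT):
    """Stdin text for nsupdate that (re)registers one DC's SRV record.

    Only this DC's exact RR is deleted before the add, so other DCs' records
    in the same RRset are left alone. Feed the result to `nsupdate -g` when
    the zone only accepts secure (GSS-TSIG) dynamic updates.
    """
    owner = srv_owner(zone, site)
    rdata = f"{priority} {weight} {port} {dc_fqdn}."
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update delete {owner} IN SRV {rdata}",
        f"update add {owner} {ttl} IN SRV {rdata}",
        "send",
        "",
    ])


def register_if_ldaps(zone, dc_fqdn, server, site=None, port=LDAPS_PORT):
    """One scheduler run: probe the DC; return the update script, or None."""
    if not ldaps_available(dc_fqdn, port=port):
        return None
    return build_nsupdate_script(zone, dc_fqdn, server, site=site, port=port)
```

A scheduled task would pipe the returned text into nsupdate; a `None` result means the DC was not offering LDAPS, so nothing is registered.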
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday, January 13, 2006 3:03 PM
To: [email protected]
Subject: [ActiveDir] LDAPS SRV Records?
Does anyone have an idea which Windows API does the DNS registration of SRV records for DCs? I'm very curious as to whether that is a public method. The purpose is I'm looking into how feasible it is to write a Windows Service that hooks into netlogon and registers secure LDAP SRV records as needed, provided the DCs can speak LDAPS. Think it's a horrible idea? Could be done better? Let me know what you think. I know the ultimate solution is a DCR, but like I said... I'm just brainstorming ideas.
-Brandon
