LOL. Most of my utilities have been written because I couldn't sleep or the television shows that were on weren't enough to keep me fully engaged/entertained. I was ripping CDs to MP3s (>4100 songs ripped now for my Creative Zen Sleek), watching Modern Marvels (History Channel), looking through newsgroup issues, and working on the code for this.
;o)
I really should have been working on something else that I have been working on for a while, which I originally thought of back in about 2000 and finally started doing something about, but this looked like a good one-nighter to get out of the way. No real commitment to get it done, sense of accomplishment afterward, makes people happy. :o)
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, January 15, 2006 6:04 AM
To: [email protected]
Subject: RE: [ActiveDir] LDAPS SRV Records?
nice job joe! I couldn't sleep either, so I did some
reading and watched a movie :-)
Let's see what else you could do when you can't sleep:
anyone have some more ideas for joe? :-))
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 15 January 2006 09:35
To: [email protected]
Subject: RE: [ActiveDir] LDAPS SRV Records?
I couldn't sleep this evening so I decided to test the API
calls below. They work fine. :o)
I have a new utility that will clear, replace, delete, and
add SRV records called DNSSrvRec. I need to test it a little more when I am more
awake. <eg>
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>nslookup -type=srv _ldaps._tcp.dc._msdcs.joe.com
Server: 2k3dc01.joe.com
Address: 192.168.0.10
*** 2k3dc01.joe.com can't find _ldaps._tcp.dc._msdcs.joe.com: Non-existent domain
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>DNSSrvRec.exe /addrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com;_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com
AddSrvRec V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2006
Adding _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com...Success.
Adding _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com...Success.
Results
-------
Total Records To Update: 2
Total Records Updated : 2
Total Updates Failed : 0
The command completed successfully.
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>nslookup -type=srv _ldaps._tcp.dc._msdcs.joe.com
Server: 2k3dc01.joe.com
Address: 192.168.0.10
_ldaps._tcp.dc._msdcs.joe.com SRV service location:
priority = 0
weight = 100
port = 636
svr hostname = 2k3dc02.joe.com
_ldaps._tcp.dc._msdcs.joe.com SRV service location:
priority = 0
weight = 100
port = 636
svr hostname = 2k3dc01.joe.com
2k3dc01.joe.com internet address = 192.168.0.10
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>DNSSrvRec.exe /delrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com;_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com
AddSrvRec V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2006
Deleting _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com...Success.
Deleting _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com...Success.
Results
-------
Total Records To Update: 2
Total Records Updated : 2
Total Updates Failed : 0
The command completed successfully.
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>nslookup -type=srv _ldaps._tcp.dc._msdcs.joe.com
Server: 2k3dc01.joe.com
Address: 192.168.0.10
*** 2k3dc01.joe.com can't find _ldaps._tcp.dc._msdcs.joe.com: Non-existent domain
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>
Here is the current usage screen. I will relook at the API
calls again tomorrow or Monday and decide if I want to add any more
features.
F:\Dev\BDSCPP\DNSSrvRec\Debug_Build>DNSSrvRec.exe /?
AddSrvRec V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2006
Usage:
DNSSrvRec [switches]
Switches: (designated by - or /)
-clear xx Clear DNS SRV records with name xx
Format xx
---------
The format for xx is a semicolon delimited list of DNS
names such as _ldaps._tcp.dom.com or
_ldaps._tcp.dom.com;_ldaps._tcp.child.dom.com
-replace yy Replace DNS SRV records with name yy
-delrec yy Delete DNS SRV records with name yy
-addrec yy Add DNS SRV records with name yy
Format yy
---------
The format for yy is a semicolon delimited list of DNS
Records. Each DNS record has the format:
aaa:bb:cc:dd:ee:fff
aaa - DNS Name (_ldaps._tcp.dom.com)
bb - TTL Value (300)
cc - Priority (0)
dd - Weight (100)
ee - Port (636)
fff - Host Name (somedc.dom.com)
-delim Delimiter to separate values in DNS Record.
-mrdelim Delimiter to separate multiple DNS Records.
Notes:
You can have multiple actions (add/delete/clear/replace) in
a single command, they will be processed in the order clear, replace
delete, and add.
Ex1:
DNSSrvRec -addrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com
Add DNS SRV Record _ldaps._tcp.dc._msdcs.joe.com with TTL=600,
priority=0, weight=100, port=636, and hostname of 2k3dc01.joe.com
Ex2: (command is all one line)
DNSSrvRec -addrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com;
_ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc02.joe.com
Add 2 DNS SRV Records for _ldaps._tcp.dc._msdcs.joe.com
Ex3:
DNSSrvRec -delrec _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com
Delete specified specific DNS SRV Record.
Ex4:
DNSSrvRec -clear _ldaps._tcp.dc._msdcs.joe.com
Clear all SRV Records for _ldaps._tcp.dc._msdcs.joe.com
Ex5:
DNSSrvRec -replace _ldaps._tcp.dc._msdcs.joe.com:600:0:100:636:2k3dc01.joe.com
Replace all SRV Records for _ldaps._tcp.dc._msdcs.joe.com with specified record.
I do not
warrant this software to be fit for any purpose or use and
I do not guarantee that it will not damage and/or destroy your system.
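The record format (aaa:bb:cc:dd:ee:fff) and the clear/replace/delete/add ordering from the usage screen above, modeled in Python as an added example; this is not joe's DNSSrvRec code (which is C++ against the Windows DNS API) and it works on an in-memory set of records rather than real DNS. It validates each field the way a registration tool should before anything is written to a zone.

```python
from dataclasses import dataclass

# Constructed model of the DNSSrvRec record format aaa:bb:cc:dd:ee:fff
# (name:ttl:priority:weight:port:host); in-memory only, not the tool's code.
@dataclass(frozen=True)
class SrvRec:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    host: str

def parse_record(text, delim=":"):
    """Parse one record and validate it before it could reach a zone."""
    parts = text.strip().split(delim)
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {text!r}")
    name, ttl, prio, weight, port, host = parts
    ttl, prio, weight, port = (int(v) for v in (ttl, prio, weight, port))
    # priority/weight/port are 16-bit SRV fields (RFC 2782); TTL is 31-bit.
    limits = (("ttl", ttl, 2**31 - 1), ("priority", prio, 65535),
              ("weight", weight, 65535), ("port", port, 65535))
    for label, val, hi in limits:
        if not 0 <= val <= hi:
            raise ValueError(f"{label} out of range: {val}")
    if not name.startswith("_") or not host:
        raise ValueError(f"bad SRV name or host in {text!r}")
    return SrvRec(name.lower(), ttl, prio, weight, port, host.lower())

def parse_list(text, delim=":", mrdelim=";"):
    """Split a -mrdelim separated list (default ';') into records."""
    return [parse_record(r, delim) for r in text.split(mrdelim) if r]

def is_valid(text, delim=":"):
    try:
        parse_record(text, delim)
        return True
    except ValueError:
        return False

def apply_actions(zone, clear=(), replace=(), delrec=(), addrec=()):
    """Apply actions in the documented order: clear, replace, delete, add."""
    zone = set(zone)
    drop = {n.lower() for n in clear} | {r.name for r in replace}
    zone = {r for r in zone if r.name not in drop}   # clear + replace
    zone |= set(replace)
    zone -= set(delrec)
    zone |= set(addrec)
    return zone
```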
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 14, 2006 12:50 AM
To: [email protected]
Subject: RE: [ActiveDir] LDAPS SRV Records?
Hey Brandon.
The call that something like IPCONFIG
/REGISTERDNS uses is *probably* I_NetLogonControl2 with
NETLOGON_CONTROL_FORCE_DNS_REG. That just tells a DC to reregister its records.
Nothing to do with what records are actually registered for a DC.
You definitely don't want to look into hooking into NETLOGON. First off, it would have to be on the DCs, which would be very difficult to get approval for even if the code could be written in a secure and stable way (doubtful, since you would have to do code injection). I personally wouldn't allow it; there is no reason why this can't be done from another machine.
Of course you could try to script around dnscmd or nsupdate. The dnscmd may be MS-DNS-centric, I do not know. If it is, it may not work in your environment. Unless there have been some serious changes in DNS there, nsupdate works great. I used to do a lot with DNS via perl scripts and nsupdate. Vern et alii should have some perl scripts that I left behind that show how to use nsupdate. You could set something up with the scheduler service: some job that runs every hour and checks to see if a certain DC (or the local DC if you can get it cleared to get it to run there) has LDAPS available and then registers the appropriate LDAPS record.
At a lower level, looking about, you may be able to use the API in DNSAPI.DLL; unfortunately most of that API seems to be undocumented (when comparing the exports with MSDN), but DnsModifyRecordsInSet and DnsReplaceRecordSet look extremely promising... I would be willing to bet big that those are the calls MS is using under the covers in NetLogon. It is Windows 2000 and better, so you should be safe for any machine you want to run from.
Note I was pinged on this offline from someone else
there and put in a DCR for registering LDAPS records back in
December.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday, January 13, 2006 3:03 PM
To: [email protected]
Subject: [ActiveDir] LDAPS SRV Records?
Does anyone have an idea which Windows API does the DNS registration of SRV records for DCs? I'm very curious as to whether that is a public method. The purpose is I'm looking into how feasible it is to write a Windows Service that hooks into netlogon and registers secure LDAP SRV records as needed, provided the DCs can speak LDAPS. Think it's a horrible idea? Could be done better? Let me know what you think. I know the ultimate solution is a DCR, but like I said... I'm just brainstorming ideas.
-Brandon
