Domain Controllers and DNS

28 Apr

Earlier I blogged about the Domain Admin account. That's a user account that has access to Domain Controllers, which are simply Windows Servers with special features installed. The Enterprise Admin account is one step up and can make changes that cannot be undone but have to be re-applied from scratch.

Usually when people hear DNS they think of the public version that everyone has access to. nslookup is a network utility that will tell you what IPs are behind a name:

C:\>nslookup www.google.com
Server:  your.isps.dns.server.comcast.net
Address:  68.87.77.134

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  74.125.225.16
          74.125.225.19
          74.125.225.17
          74.125.225.20
          74.125.225.18
Aliases:  www.google.com

That would be the public response; however, if you have an internal network you can have an internal naming system. A computer on your network with a hostname of “SERVER1” could also have host aliases in your local DNS server. If you set up a domain called Myhouse.local you can add a bunch of alias records such as SRV1.myhouse.local, SQLBOX.myhouse.local and DEVENVIRONMENT.myhouse.local that all point to SERVER1's IP address. In DNS you can also set reverse lookup records to allow… well, a reverse lookup. You can perform a reverse lookup with the -a option of the ping utility:

C:\>ping -a www.google.com

Pinging www.l.google.com [74.125.225.17] with 32 bytes of data:
Reply from 74.125.225.17: bytes=32 time=31ms TTL=55
Reply from 74.125.225.17: bytes=32 time=63ms TTL=55
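Here is an added example (mine, not from the original post) of building the Myhouse.local naming scheme described above on a Windows DNS server and then checking it from PowerShell. It assumes the DnsServer module is available (Windows Server 2012 or later), that it runs on the DNS server itself, and that SERVER1 lives at 192.168.1.10; the zone name, subnet and address are made-up values.

```powershell
# Added example, not the post's own code. Assumes it runs on the DNS server with
# the DnsServer module, and that 192.168.1.10 is SERVER1 (constructed values).
Import-Module DnsServer

$zone      = 'myhouse.local'
$server1Ip = '192.168.1.10'   # constructed address for SERVER1

# Forward zone plus a reverse zone for the 192.168.1.0/24 subnet. With the
# Domain replication scope the zones are stored in AD, so every DC that runs
# DNS gets a copy instead of a zone file that lives on one box.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain
}
if (-not (Get-DnsServerZone -Name '1.168.192.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '192.168.1.0/24' -ReplicationScope Domain
}

# One A record for the real host. -CreatePtr writes the matching reverse record,
# which is what lets 'ping -a 192.168.1.10' answer with server1.myhouse.local.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'server1' -IPv4Address $server1Ip -CreatePtr

# The aliases from the post. CNAMEs point at the host name, not the IP, so if
# SERVER1 ever changes address only the A record needs to be edited.
foreach ($alias in 'srv1', 'sqlbox', 'devenvironment') {
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias "server1.$zone"
}

# Forward lookup of an alias, then reverse lookup of the address.
Resolve-DnsName -Name "sqlbox.$zone" -Server localhost | Format-Table Name, Type, IPAddress, NameHost
Resolve-DnsName -Name $server1Ip -Type PTR -Server localhost | Format-Table Name, NameHost

# Housekeeping check: every alias should still point at a host that resolves.
# A dangling CNAME left behind after a server is retired is an easy way to end
# up with names in your zone pointing at addresses you no longer control.
Get-DnsServerResourceRecord -ZoneName $zone -RRType CName | ForEach-Object {
    $target = $_.RecordData.HostNameAlias.TrimEnd('.')
    $ok = Resolve-DnsName -Name $target -Type A -Server localhost -ErrorAction SilentlyContinue
    [pscustomobject]@{ Alias = $_.HostName; Target = $target; Resolves = [bool]$ok }
}
```

The last loop is worth running on a schedule: once a zone has more than a handful of aliases nobody remembers which ones are still needed, and the ones whose target no longer exists are the ones to clean up first.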

You can install both the Domain Controller and DNS roles on a Windows Server. A domain controller's main feature is authentication. In a domain I can have one account, nujakuser@myhome.local, that has the ability to log into one or more (or no) computers. Without a domain you log in with local Windows users, COMPUTERNAME\Administrator or COMPUTERNAME\nugz. With a domain you can log in with your local account (COMPUTERNAME\nugz) or with your domain account (MYHOME\nujakuser). Unless it is turned off, a local computer caches your domain account, so in the case of a network outage the user can still log in to the computer with their domain user.

Active Directory is Microsoft's name for what stores all this authentication information. AD can store all kinds of user information such as manager, phone number, email address, security group memberships and mailing list memberships, etc. AD also stores information on any computer that joins the domain. If you are on a domain and browse to \\MYHOME.local\Sysvol you will see the information that AD stores. You can also get this information at \\domaincontrollerhostname\Sysvol. I highly recommend having redundancy in your domain controllers. The Sysvol information is replicated using DFS replication if you have more than one DC. Sometimes this replication can take a while and cause a delay between the time a change is made and when it takes effect for a computer connected to another domain controller.
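The two paragraphs above (domain vs. local logon with cached credentials, and what AD stores and replicates) can all be checked from one domain-joined machine with the RSAT tools installed. The script below is an added example of mine, not from the original post; it assumes the domain myhome.local, a DC named dc1, a user nujakuser and a computer SERVER1, all of which are made-up names.

```powershell
# Added example, not the post's own code. Assumes a domain-joined machine with RSAT
# (ActiveDirectory module); myhome.local, dc1, nujakuser and SERVER1 are made up.
Import-Module ActiveDirectory

# 1. Is this box a domain member, and how many domain logons does it cache for
#    use during an outage? CachedLogonsCount lives under Winlogon; the Windows
#    default is 10 and 0 turns caching off (the "unless turned off" in the post).
$cs = Get-CimInstance Win32_ComputerSystem
"{0} domain member: {1} (domain {2})" -f $cs.Name, $cs.PartOfDomain, $cs.Domain
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10 (default, value not set)' }
"Cached domain logons kept on this machine: $cached"

# 2. The kind of data AD holds for a user and for a computer object.
Get-ADUser -Identity nujakuser -Properties Manager, EmailAddress, OfficePhone, MemberOf |
    Select-Object SamAccountName, Enabled, Manager, EmailAddress, OfficePhone,
                  @{ n = 'GroupCount'; e = { $_.MemberOf.Count } }
Get-ADComputer -Identity SERVER1 -Properties OperatingSystem, LastLogonDate |
    Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate, DistinguishedName

# 3. Sysvol is reachable under the domain name and under each DC's own name.
#    The domain-name path goes to whichever DC you happen to be talking to.
foreach ($path in '\\myhome.local\Sysvol', '\\dc1.myhome.local\Sysvol') {
    "{0} reachable: {1}" -f $path, (Test-Path $path)
}

# 4. With more than one DC, when did each replication partner last succeed?
#    This covers the AD database itself; the post's Sysvol replication goes
#    over DFS-R and is checked separately with 'dfsrdiag replicationstate' on a DC.
Get-ADReplicationPartnerMetadata -Target 'dc1.myhome.local' -Scope Server |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures
```

Step 4 is the one that explains the "change made on DC1 not showing up on a machine talking to DC2" delay the post mentions: a non-zero ConsecutiveReplicationFailures or a stale LastReplicationSuccess means the partners have drifted, and a change will not take effect everywhere until that is fixed.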

Group policy is another feature of domains. If you had 100 servers and all of a sudden needed to make a firewall change, this is where group policy would come in handy. You can set up policies that apply to your domain users and policies that apply to your computers. You can group servers together to receive different policies, such as SQL servers, which open port 1433, and IIS servers, which open ports 80 and 443. If you use Active Directory Users and Computers (ADUC) you can move a computer into a different OU and apply different group policy changes. ADUC gives you a GUI from which you can reset passwords, create new computers, disable computers and search for anything in your directory fairly easily.

Group policy can be a cuss word in some organizations. It can, and should, enforce strict security limits. If your network has a group policy, you can be a local administrator on a PC and still not have access to restricted items, since GP takes precedence over local security policies. If you need to update group policy, simply run gpupdate /force from the command prompt or reboot your computer. It's good to have an organizational unit (OU) that does not apply GP so you can easily test security problems.
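To tie the last two paragraphs together, here is an added example of mine (not the post's own code) that builds the OU layout they describe: a SQL OU and an IIS OU that each get their own firewall GPO, and a test OU with inheritance blocked so nothing from above applies to it. It assumes the domain myhouse.local (DN DC=myhouse,DC=local) and two existing computer accounts, SQL01 and WEB01; those names are made up, and the ActiveDirectory, GroupPolicy and NetSecurity modules are assumed to be installed.

```powershell
# Added example, not the post's own code. Assumes domain myhouse.local and
# existing computer accounts SQL01 and WEB01 (made-up names), plus the
# ActiveDirectory, GroupPolicy and NetSecurity modules.
Import-Module ActiveDirectory, GroupPolicy, NetSecurity

$domainDn  = 'DC=myhouse,DC=local'
$serversOu = "OU=Servers,$domainDn"

# One OU per server role, so each role can carry its own policy, plus a test OU
# that blocks inherited GPOs. Blocking inheritance is what gives you the
# "OU that does not apply GP" the post recommends for reproducing problems.
New-ADOrganizationalUnit -Name 'Servers' -Path $domainDn
foreach ($ou in 'SQL', 'IIS', 'NoGPO-Test') {
    New-ADOrganizationalUnit -Name $ou -Path $serversOu
}
Set-GPInheritance -Target "OU=NoGPO-Test,$serversOu" -IsBlocked Yes

# One GPO per role with only the inbound rule that role needs: 1433 for SQL,
# 80 and 443 for IIS, exactly as the post describes.
$roles = @{
    'SQL' = @{ Name = 'Firewall - SQL'; Ports = 1433 }
    'IIS' = @{ Name = 'Firewall - IIS'; Ports = 80, 443 }
}
foreach ($role in $roles.Keys) {
    $gpo = New-GPO -Name $roles[$role].Name
    # -PolicyStore "domain\GPO name" writes the rule into the GPO rather than
    # into the local firewall of the machine running this script.
    New-NetFirewallRule -PolicyStore "myhouse.local\$($gpo.DisplayName)" `
        -DisplayName "Allow inbound $role" -Direction Inbound -Protocol TCP `
        -LocalPort $roles[$role].Ports -Action Allow -Profile Domain
    New-GPLink -Name $gpo.DisplayName -Target "OU=$role,$serversOu" -LinkEnabled Yes
}

# Moving a computer between OUs is the ADUC drag-and-drop the post mentions;
# it is the move, not the GPO edit, that changes what a given server receives.
Move-ADObject -Identity (Get-ADComputer SQL01).DistinguishedName -TargetPath "OU=SQL,$serversOu"
Move-ADObject -Identity (Get-ADComputer WEB01).DistinguishedName -TargetPath "OU=IIS,$serversOu"

# Then, on the server itself, pull policy now instead of waiting for the refresh
# interval and confirm which GPOs actually applied:
#   gpupdate /force
#   gpresult /r /scope:computer
```

A practical note: gpresult /r lists applied GPOs and the ones filtered out, so when a "local admin can't do X" complaint comes in, running it on the affected machine tells you which policy is winning before anyone starts editing local security settings that GP will overwrite on the next refresh anyway.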

Domains are a bit of overkill for a home network of 5 or fewer computers. If you need to share files and whatnot you can set up a workgroup that will accomplish most of what you need.

Posted by on April 28, 2011 in Uncategorized
