Monthly Archives: February 2025

Changing Public IP Addresses

Posted on by
Reply

Changing Public IP KB ID 0001908

Problem

We simply cannot accept a change of IP addresses.
To be honest we just don’t know what’s talking to those IP addresses, so it’s too much of a risk to change them.

Is this you? I’ve heard this A LOT over the past 25 years, or variations on the same theme as.

Our applications were coded a long time ago, and we don’t know if IP addresses are embedded into the code?
We have thousands of IoT devices (or dumb devices) that point directly to an IP address.

It may be somewhat harsh but this is YOUR RESPONSIBILITY. If there was any other risk to your business continuity. You would address and (if possible) mitigate that risk. But with IP addresses, you just hope and pray that an expensive commodity (a /24 network is about 10k GBP at the moment,) that’s owned by someone else, either your hosting/MSP/ or ISP company, won’t end your contract, or sell that range onto another entity (that may be a lot less sympathetic to the fact your main line of business application was coded in 1994 by a student in Virtual Basic, and has been cobbled and mended, by successive developers to keep it working).

It does not even have to be application specific, any services you offer or consume that requires a public IP is a potential business risk.

Remember IP addresses are like post codes, (or Zip codes for our US visitors). You don;t own or maintain them, and just because you want to move house, does not mean you can take them with you.

Solution: Changing Public IP

Changing Public IP: DNS (Domain Name System)

If you’re responsible for the availability of your information systems and you DON’T know what DNS is then, you need to think about getting some IT consultancy to aid you with your business continuity plan, (or you are going to have a steep learning curve).

Essentially DNS replaces IP addresses with names, e.g. www.petenetlive.com is actually 213.219.36.142 (at time of writing), it’s also 2a01:7e00::f03c:91ff:fe7b:ba59 (in IPv6).

What does that mean? Well If I needed to change my public IP address. All I would need to do is change the DNS record (Called an ‘A Record’ or an ‘AAAA Record’ for IPv6) so that it reflects the NEW IP Address. Then wait until that propagates though the DNS system worldwide, which can be quite quick, particularly if you send a lot of DNS lookups through something like WhatsMyDNS.

Now, I appreciate there’s a lot of background work to do, your systems need to have the new IP addresses pointing to them when the DNS records are changed, that might need firewall or load balancer works and will certainly need new IP addresses routing to you. But if planned and built into a maintenance window the impact can be minimised.

Cloud Based Application Delivery Controller or Content Delivery Networks

Both these solutions are designed to offer resilience to your public facing services. They both behave a little differently.

A Content Delivery Network (CDN) is a distributed network of servers strategically placed around the world to cache and serve content closer to end users. CDNs are primarily used to improve website performance, reduce latency, and offload traffic from the origin server. They work by caching static and dynamic content (such as images, videos, scripts, and HTML) at edge locations, ensuring users receive data from the nearest server rather than making long-haul requests to a central data centre. CDNs are commonly used by websites, streaming services, and online platforms to enhance speed and reliability while mitigating DDoS attacks through traffic distribution.

A Cloud-based Application Delivery Controller (ADC), on the other hand, is a virtual or hosted service that optimises application performance, security, and availability. Unlike a CDN, which focuses on caching and content distribution, a cloud ADC provides advanced load balancing, SSL offloading, web application firewall (WAF) protection, and traffic shaping. It operates at Layer 4-7 of the OSI model, ensuring that application requests are intelligently routed based on factors such as health checks, user location, and server load. Cloud ADCs are typically deployed in public or hybrid cloud environments to provide high availability and security for enterprise applications, whereas CDNs are designed primarily for content acceleration.

By using one of the above solutions you can start to build resiliency into your public facing services, so they ARE NOT DEPENDANT ON SINGLE IP ADDRESSES. A good example of how to do this is with the Azure Traffic Manager solution (which is a cloud based ADC). You can place your public facing services behind it and have it running with your OLD AND NEW IP RANGES, then simply scale down and renew the old IP ranges with ZERO DOWNTIME.

Well all that is Great, But I need to keep My IP Addresses.

To move a block of IP addresses from one provider to another provider, there a number of things you need to take into account.

1. Who owns them, If the owner says NO, you can offer to buy the range from them, and they still may say no.

2. The range needs to be (AT LEAST) a /24 network. We are talking about public routing of addresses now, outside your network, (in the world of BGP) carriers enforce a prefix length filter, which will reject routes that are smaller than /24. This makes sure that routing tables are not getting clogged up with smaller (more specific) routes.

3. The company that owns the network block needs to update their RIR Record (Regional Internet Registry) to replace the ASN (Autonomous System Number) of the MSP/ISP the address block will be getting sent to.

4. Additionally the OLD MSP/ISP may need to provide the NEW MSP/ISP with a Letter Of Authority (LOA) that allows them to announce the new block.

5. Additionally If you use RPKI (Resource Public Key Infrastructure), update or issue a new Route Origin Authorisation (ROA) to authorise the new MSP’s ASN to advertise the block.

6. The old provider then needs to CEASE advertising this IP block via BGP, and the new provider need to start advertising the new prefix.

7. Finally, if you have reverse DNS lookup zones, they will need updating, and check BGP propagation is working correctly.

REMEMBER: All this needs manging to make sure the backend network ‘works’ are carried out at the correct time, that records are changed at the right time, and downtime is minimised as much as possible (a BGP change can be made VERY QUICKY, if planned correctly we could be talking mere seconds of downtime).

Changing Public IP: What’s the Best Way To Mitigate ALL RISK?

Buy your own IPv4 space, (then you can decide what to do with it), or simply migrate to IPv6.

I’ve Approached a New Provider about Changing Public IP, and they Don’t Seem Very Helpful.

When asked about Changing Public IPs, I provide technical advice and guidance to prospective clients, and I know when I’m being asked this, that in most cases the people that own those IP addresses, are at risk of losing revenue. But more importantly so do they: So if they can say no, and force you to stay with them what do you think they will do? If that does happen, then start planning an exit, if you can buy the addresses great, if not then START PLANNING.

Related Articles, References, Credits, or External Links

Setting up the Correct DNS Records for your Web or Mail Server

Manually Remove Exchange

Posted on by
Reply

Manually Remove Exchange KB ID 0001907

Problem

There are several reasons why you might want to manually remove Exchange from Active Directory, for example.

Failed or Offline Exchange Server: If the Exchange Server is not starting, (or is completely offline), it might be necessary to remove it manually to clean up the environment.

Incomplete Uninstallation: Sometimes, the uninstallation doesn’t complete properly, leaving behind remnants that can cause issues.

Migration to a Newer Version: After migrating to a newer version of Exchange, or migrating to Office 365, you may need to remove old configurations to avoid problems.

Corruption: If the Exchange Server is corrupted or cannot be recovered, manual removal might be the only option.

Removing Old References: To ensure that no legacy references to the previous Exchange Server remain, which could interfere with new installations.

Solution Manually Remove Exchange

Before you start, ensure there are no remaining Exchange servers in your organization that rely on the one you are removing. If migrating to another Exchange server, verify mailboxes, connectors, and databases have been transferred properly.

Also consider trying to recover the Exchange server, and then removing it gracefully, or performing a migration.

Safely Remove Exchange

If you do not have access to the Exchange Management shell, and the server still exists, you can either mount the installation media for Exchange and use the following commands. Note: You do not actually need the media, if you locate the ‘bin‘ folder on your Exchange server you will find setup.exe* in there, and can run the uninstall command from that location.

*Note: Older versions of Exchange may need to use setup.com not setup.exe.

[box]

setup.exe /mode:uninstall

[/box]

Manually Remove Exchange Server

On a Domain controller Open ADSI Edit (adsiedit.msc) > Right-click ADSI Edit > Connect to… In “Select a well-known Naming Context,” choose Configuration> Click OK.

Navigate to CN=Configuration,DC=YourDomain,DC=com > CN=Services > CN=Microsoft Exchange > CN=First Organization > CN=Administrative Groups > CN=Exchange Administrative Group (FYDIBOHF23SPDLT) > CN=Servers.

Note: This assumes you have not manually named your, Exchange organisation or  administrative group something else.

Locate the offending Exchange server, and delete it

Repeat the above procedure but this time remove any databases that were hosted on the failed server.

Manually Remove Exchange Envrionment Completely

Now if you completely want to COMPLETELY remove Exchange* from your organisation, Delete the following,

Note: Dont do this if you still have live Exchange servers!

Delete: CN=Configuration,DC=YourDomain,DC=com > CN=Services > CN=Microsoft Exchange

Delete: CN=Configuration,DC=YourDomain,DC=com > CN=Services > CN=Microsoft Exchange AutoDiscover

Now connect ADSIEdit to the Default Naming Context.

Navigate to DC=YOUR-DOMAIN and locate

OU=Microsoft Exchange Security Groups
CN=Microsoft Exchange System Objects

Then delete them BOTH

 

On a domain controller, or a system that has the RSAT tools installed, launch Active Directory Users and Computers (dsa.msc). Navigate to your domain > Users. Then locate and delete the following objects.

  • DiscoverySearch Mailbox {GUID}
  • Exchange Online-ApplicationAccount
  • FederatedEmail.GUID
  • Migration.GUID
  • SystemMailbox {GUID}

Now whilst still in AD users and Computers. locate the Computer Object that represents the failed Exchange server and delete it. (Obviously if you are retaining the server for other purposes do not do this).

Note: If searching AD you will need to add in computers to the default search

Then remove the DNS entry in your DNS forward lookups zone (Check your reverse lookup zones and see if there’s a PTR record in there also that might need deleting).

IN SOME CASES, if you have deployed split DNS you may have entire zones that handle DNS addressing for you broken Exchange deployment, below is an example of what that may look like, these will also need to be removed.

Note: You may discover an autodiscover.your-domain forward lookup zone that also may need to be deleted.

Manually Delete Exchange From Registry

If you still have access to the server that’s failed, you can remove references to Exchange from its registry in the following locations.

HKEY_LOCAL_MACHINE > Software > Microsoft  > ExchangeServer.

HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > MSExchange* (there will be a LOT!)

If you have retained Exchange, and were simply removing a single failed Exchange Server, you other Exchange servers may have cached references to that failed Exchange server, you can restart the Microsoft Exchange Information Store (MSExchangeIS)  – Warning: This will dismount and remount the information stores, and may cause a popup on your Outlook clients. Or you can simply wait until the cache is refreshed.

 

Related Articles, References, Credits, or External Links

NA

PowerShell DNS Records (Creating)

Posted on by
Reply

 PowerShell DNS KB ID 0001906

Problem

You can use PowerShell to create DNS records in a Windows environment, this is typically on a Windows Server OS, that is running DNS services. Below are some  methods (depending on whether you’re managing an Active Directory-integrated DNS zone or a standalone DNS server) to do this.

Solution

PowerShell DNS: Creating an A Record (Host Record)

To add an A record (IPv4 address) to a DNS zone, use the following syntax.

[box]

Add-DnsServerResourceRecordA -Name "my-server" -ZoneName "pnl.com" -IPv4Address "192.168.100.101"

[/box]

PowerShell DNS: Creating an AAAA Record (IPv6 Host Record)

To add an A record (IPv4 address) to a DNS zone, use the following syntax.

[box]

Add-DnsServerResourceRecordAAAA -Name "my-server" -ZoneName "pnl.com" -IPv6Address "2001:db8::2"

[/box]

PowerShell DNS: Creating an CNAME Record (Cananonical Name Record)

To add an CNAME record (IPv4 address) to a DNS zone, use the following syntax.

[box]

Add-DnsServerResourceRecordCName -Name "www" -ZoneName "pnl.com" -HostNameAlias "my-server.pnl.com"

[/box]

PowerShell DNS: Creating an MX Record (Mail Exchange)

To add an MX record for mail delivery to a DNS zone, use the following syntax, Note: This will create an MX record with a priority of 10.

[box]

Add-DnsServerResourceRecordMX -ZoneName "pnl.com" -Name "@" -MailExchange "mail-01.pnl.com" -Preference 10

[/box]

PowerShell DNS: Creating an PTR Record (Reverse DNS)

To add an PTR record (or a reverse DNS lookup record) the following syntax, Note: Assumes you already have a reverse lookup zones created.

[box]

Add-DnsServerResourceRecordPTR -Name "101" -ZoneName "100.168.192.in-addr.arpa" -PtrDomainName "my-server.pnl.com"

[/box]

Note: This creates a PTR Record for 192.168.100.101 that points back to my-server.pnl.com.

PowerShell DNS: Creating an TXT Record (For SPF, DKIM, etc)

To add an TXT record use the following syntax.

[box]

Add-DnsServerResourceRecord -DescriptiveText "v=spf1 mx -all" -Name text -Txt -ZoneName pnl.com

[/box]

Using PowerShell for DNS record creation helps streamline the administrative workload, improves consistency, and reduces the potential for errors, especially in larger environments. It’s an efficient, flexible, and scalable solution that can significantly enhance the management and automation of DNS infrastructure. Whether for one-off record creation or bulk updates, PowerShell is a powerful tool for IT administrators.

Related Articles, References, Credits, or External Links

Setting up the Correct DNS Records for your Web or Mail Server

Add-DnsServerResourceRecord