A colleague rang to ask if I had any thoughts about a problem they were having. We do a lot of VMware VCSA upgrades for customers, and the process fails if the FQDN cannot be resolved in DNS during the upgrade. We had tried to fix the problem by creating local hosts records (typically we don’t have access to the client’s DNS servers that run in the virtual environment). I had thought (wrongly) that it simply needed to look up the FQDN, but I’m told it also needs to do a reverse lookup (locate a PTR record).
We could of course just spin up either a Windows server with DNS on it, or a Linux BIND server, but what if we could use the firewall? With Cisco this is a non-starter, but what about the clients that have a FortiGate?
FortiGate DNS
By default the feature isn’t enabled; you need to go to System > Feature Visibility > DNS Database > Enable it > Apply.
Network > DNS Servers > Create New.
Select the interface that will serve DNS queries > OK.
Back at the main page, under DNS Database > Create New > Give the zone a sensible name > Set the domain name > Under DNS Entries > Create New.
First create a host (A Record) that will point the FQDN to the correct IP address.
Then create a pointer (PTR Record) that will point the IP address back to the FQDN.
It should look something like this > OK.
Then test from a client that’s connected to the interface serving DNS requests (check both the forward lookup of the FQDN and the reverse lookup of its IP address, since the upgrade needs both).
Related Articles, References, Credits, or External Links
I got an email from a colleague who was setting up an RDS farm (2012 R2). He was having some problems and asked me: “If the Connection Broker brokers the connections to the Session Hosts, how do I RDP to the Session Broker?”
This threw me completely. I usually jump on the console in VMware or use a third-party remote management tool; I don’t tend to RDP onto servers. I had fallen into the same trap he had. I assumed: you connect to a SESSION BROKER and it BROKERS YOUR SESSION to the least busy session host (or reconnects your broken sessions).
THIS IS WRONG!
How Session Brokers Work
You don’t connect to a session broker (unless you are an admin who is about to do some work on the Session Broker). You connect to a DNS RECORD, and that record points to a SESSION HOST (I know that makes no sense, but bear with me). And you create a DNS record with the SAME NAME for every Session Host, like so:
This works because, by default, Windows DNS uses ’round robin’, so if it has multiple values for one DNS name it responds with the first one to the first request, the second one to the second, etc.
But Pete, round robin is bobbins for load balancing? Yes it is; that’s what the Session Broker is for! In reality this is what happens:
Here are two scenarios that should clear things up. User1 queries DNS for TSFarm.my-domain.com and gets an IP of 192.168.1.1. They go to that SESSION HOST, then the session host CHECKS WITH THE CONNECTION BROKER, firstly to see if User1 already has a session on another session host; if so they are reconnected to that session (above, that’s on SESSION HOST 2).
Then User2 attempts to connect to TSFarm.my-domain.com and gets an IP of 192.168.1.2 (because of DNS ’round-robin’). They go to that SESSION HOST, then the session host CHECKS WITH THE CONNECTION BROKER, firstly to see if User2 already has a session on another session host; in this case they don’t. But this host already has User1 connected to it, so it redirects User2 onto SESSION HOST 1.
Of course a user can connect to a SESSION HOST and, after checking with the CONNECTION BROKER, get connected to the host they originally queried if, for example, the other session hosts are busier (and the user has no existing sessions).
But with Server 2012 you can do Connection Broker load balancing? Yes, you can, but that’s load balancing for the connection brokers, NOT the user sessions!
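To make the two-stage decision above concrete, here is a small model I have added (it is not code from the original post and does not use any Microsoft API). DNS round robin only decides which SESSION HOST a client lands on first; the CONNECTION BROKER then decides where the session runs. The farm name, the IP addresses and the “fewest sessions wins, ties stay where the client landed” placement rule are assumptions of the model.

```python
"""Round-robin DNS versus Connection Broker placement (added illustration)."""
from collections import Counter

# Constructed farm: one DNS name with one A record per session host.
FARM_RECORDS = {"TSFarm.my-domain.com": ["192.168.1.1", "192.168.1.2"]}
HOST_BY_IP = {"192.168.1.1": "SESSION HOST 1", "192.168.1.2": "SESSION HOST 2"}


class RoundRobinDns:
    """Rotates the answer order on every query, as Windows DNS does by default."""

    def __init__(self, records):
        self.records = {name: list(addrs) for name, addrs in records.items()}

    def resolve(self, name):
        answers = self.records[name]
        first = answers[0]
        answers.append(answers.pop(0))  # rotate so the next querier gets the next address
        return first


class ConnectionBroker:
    """Tracks which host holds each user's session and places new sessions."""

    def __init__(self, hosts):
        self.sessions = {}  # user -> host currently holding that user's session
        self.hosts = list(hosts)

    def place(self, user, landed_on):
        # 1. An existing (possibly disconnected) session wins: reconnect there.
        if user in self.sessions:
            return self.sessions[user]
        # 2. Otherwise pick the host with the fewest sessions (assumed rule);
        #    on a tie keep the host the user landed on to avoid a needless redirect.
        load = Counter(self.sessions.values())
        best = min(self.hosts, key=lambda h: (load[h], h != landed_on))
        self.sessions[user] = best
        return best


def walk_through():
    """Replay the two scenarios from the text; returns {user: (landed_on, final_host)}."""
    dns = RoundRobinDns(FARM_RECORDS)
    broker = ConnectionBroker(HOST_BY_IP.values())
    broker.sessions["User1"] = "SESSION HOST 2"  # User1 has a session on host 2 already
    result = {}
    for user in ("User1", "User2"):
        landed = HOST_BY_IP[dns.resolve("TSFarm.my-domain.com")]
        result[user] = (landed, broker.place(user, landed))
    return result


if __name__ == "__main__":
    for user, (landed, final) in walk_through().items():
        print(f"{user}: DNS sent them to {landed}, broker placed them on {final}")
```

Running it shows User1 landing on SESSION HOST 1 but being reconnected to SESSION HOST 2, and User2 landing on SESSION HOST 2 but being redirected to the emptier SESSION HOST 1, which is exactly why the DNS name must point at session hosts rather than at the broker.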
Related Articles, References, Credits, or External Links
After my recent DNS troubles, I was checking my mail server’s (MX) records, and got a warning about not having any reverse lookup records (PTR) configured properly. I telnetted to the mail server on port 25, and saw it was responding with the servers host-name.
I know my records are correct for the FQDN of the server; I just needed to change its welcome banner so that it announces the same name the PTR record resolves to.
Solution
Change the Postfix Welcome Banner by Editing The Postfix main.cf File
1. Connect to the server via SSH, (or open a terminal session). Logon as, (or su to) root.
2. Execute the following command;
[box]
nano /etc/postfix/main.cf
[/box]
3. Locate and edit the myhostname value to match your server’s public FQDN.
4. Once you have saved and exited nano, restart the Postfix service with the following command;
[box]
postfix stop && postfix start
[/box]
Change the Postfix Welcome Banner Using Webmin
1. Connect to the Webmin console > Postfix Mail server > General Options.
2. Scroll down to Internet host-name of this mail system > Edit to match your server’s public FQDN > Save and Apply.
3. Stop then Start Postfix.
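The two procedures above both come down to setting myhostname in main.cf and then confirming the 220 greeting on port 25 advertises the right name. The following is an example I have added (it is not the post’s code or part of Postfix) that makes the edit in memory so it can be reviewed before being written back, and parses the greeting so the check can be scripted. The sample main.cf and the banner strings are constructed, and mail.xyz-company.com is an assumed FQDN.

```python
"""Set Postfix myhostname in main.cf text and check an SMTP banner against it."""
import re
import socket

# Constructed sample main.cf (not a real server's file).
SAMPLE_MAIN_CF = """# constructed sample main.cf
myhostname = localhost.localdomain
mydomain = xyz-company.com
smtpd_banner = $myhostname ESMTP $mail_name
"""


def set_main_cf_value(text, key, value):
    """Return main.cf text with `key = value` set exactly once.

    Postfix reads 'key = value' lines starting at column 0; an existing line is
    replaced (comments and other keys untouched), otherwise the setting is appended.
    """
    pattern = re.compile(rf"^{re.escape(key)}\s*=.*$", re.MULTILINE)
    new_line = f"{key} = {value}"
    if pattern.search(text):
        return pattern.sub(new_line, text, count=1)
    if not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"


def get_main_cf_value(text, key):
    """Read a single value back out of main.cf text (None if the key is absent)."""
    m = re.search(rf"^{re.escape(key)}\s*=\s*(.*?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def banner_hostname(banner_line):
    """Extract the host-name from a 220 greeting such as
    '220 mail.xyz-company.com ESMTP Postfix'; None if the line is not a 220."""
    m = re.match(r"^220[ -](\S+)", banner_line.strip())
    return m.group(1) if m else None


def banner_matches(banner_line, expected_fqdn):
    """True when the advertised name equals the FQDN your PTR record gives."""
    name = banner_hostname(banner_line)
    return name is not None and name.lower() == expected_fqdn.lower()


def check_live_banner(host, expected_fqdn, port=25, timeout=5):
    """Optional network check: read the greeting from a real server and compare."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = s.recv(512).decode("ascii", "replace")
        s.sendall(b"QUIT\r\n")
    return banner_matches(greeting, expected_fqdn)


if __name__ == "__main__":
    updated = set_main_cf_value(SAMPLE_MAIN_CF, "myhostname", "mail.xyz-company.com")
    print(updated)
    print(banner_matches("220 mail.xyz-company.com ESMTP Postfix", "mail.xyz-company.com"))
```

On a real box you would read /etc/postfix/main.cf, pass it through set_main_cf_value, write it back and restart Postfix as above (postconf -e 'myhostname=...' does the same edit from the shell); check_live_banner then gives you the same answer the telnet test gave by hand.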
Related Articles, References, Credits, or External Links
Simply purchasing a domain name is not enough to get email flowing in your direction and people onto your website; you also need your DNS records to point to your IP address(es).
For those who need to send either an email or a fax (on company headed notepaper) to request that these records be set up correctly, you will need to send this request to your ISP (or whoever is hosting your public DNS records).
This runs through what information you should request, and why.
Remember if you have a security device on the outside of your network (like a firewall or a router providing firewall services) the correct ports will need to be open to your web server (usually TCP Port 80 and/or 443), or your mail server (TCP Port 25, though Exchange may require 443 for OWA and ActiveSync).
Note: This assumes your ISP has given you either a static public IP address or a range of public IP addresses, though it is possible to use services like no-ip if you don’t have a static IP address.
To get to http://www.yourwebsite.com, people need to be able to translate that address to the IP address of your web server. They do this by sending a “query” to a DNS server, which either checks with other DNS servers or sends back the IP address directly.
1. You need to purchase your domain name. This may sound obvious but I’ve seen people who own companya.com, simply add company.co.uk to their Exchange server and expect it to work!
2. This website is on my petenetlive.com domain; the people who host my DNS records have a record called an “A Record” (it may be called a “host” record depending on your ISP) that points www to the public address of my website, like so;
Note: Above I’ve shown you how the record would look in a Windows DNS server, just so you can get an idea of what these records are that you are requesting. (also they take seconds to create, don’t let your ISP take ages to do this!).
Testing your DNS Host Records
On a Windows client you have a command that can test and show you what your machine sees when it looks for DNS records; this is called nslookup. Below you can see I’m issuing a query to see what IP address www.petenetlive.com should be on.
Note: I’m not on this IP address, I’ve just set it up this way for the purpose of demonstration. Drop to command line and issue the above command and you will see my real current IP address.
What do I need to Request from my ISP / Domain Host?
Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234. The following should suffice;
[box]
Ref: Domain name xyz-company.com
Please can you arrange for my www record to point to 234.234.234.234
Signed
{Someone your ISP has on record}
[/box]
Setting up DNS Records for a Email Server (A, MX, PTR and SPF Records)
1. Just as above, your mail server(s) will need an “A Record”. I’m going to create two (just to demonstrate mail preferences later on): one for mail.petenetlive.com and the other for mail2.petenetlive.com.
2. Now you need an MX (Mail Exchange) Record that points to the A Record(s) you created earlier; you can set them with preferences.
What are MX Record Preferences
If you have multiple mail servers, or a backup mail system, you can create as many MX Records as you like. By default mail will be sent to the LOWEST preference first; if that IP address is offline or unreachable the sender will try the NEXT HIGHEST preference.
Testing your MX Records
As above, I’m going to use the nslookup command, though this time I’ll simply issue the nslookup command on its own, then change the type of record it searches for to MX before I issue my query.
Note: Helpfully it also shows you the correct A Records as well.
3. Though not essential to get your mail, you should also have PTR (Pointer) record(s) set up as well. These work the opposite way round to an A Record: an A Record converts a name into an IP address, a PTR Record converts an IP address back to the name again.
Why Do I Need PTR Records?
With the explosion in the amount of spam being sent, people have sought a system that will cut it down. So some email systems (famously Hotmail) started doing reverse lookups on incoming mail: they look up the address that is sending them mail (THAT WOULD BE YOU) and if it does not resolve back to the domain name of the email being sent, they drop the mail (this is called a Reverse Lookup Failure). So without PTR records you may find you cannot email some domains. If your ISP cannot provide PTR records you may need to ask if you can route your mail through your ISP’s “Smart Host”.
Testing your PTR Records
As above, I’m going to use the nslookup command, though this time I’ll simply issue the nslookup command on its own, then change the type of record it searches for to PTR before I issue my query.
4. The last type of record you MAY need is an SPF (Sender Policy Framework) Record. They are designed so you can list your mail servers and domains in a special record (either a TXT record or a DNS record of type 99). They are designed to cut down spam, but to be honest YOU ONLY NEED ONE IF you have some external entity that sends mail that comes from your email addresses (i.e. your web hosted CRM system).
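The PTR test here and the FortiGate A/PTR fix for the VCSA upgrade at the top of this page are the same check: the name must resolve to the address, and the address must resolve back to the same name. Below is an example I have added (not code from the post, and not a VMware or FortiGate tool) that performs that check. The resolver is pluggable, so the logic runs offline against a constructed zone for demonstration, while SystemResolver uses the operating system’s resolver for a real test; the host names and addresses in SAMPLE_ZONE are constructed.

```python
"""Forward/reverse (A <-> PTR) consistency check with a pluggable resolver."""
import ipaddress
import socket


def ptr_name(ip):
    """'192.168.1.10' -> '10.1.168.192.in-addr.arpa' (IPv6 handled by ipaddress too)."""
    return ipaddress.ip_address(ip).reverse_pointer


class ZoneResolver:
    """Offline resolver over a dict zone: {'A': {name: [ips]}, 'PTR': {arpa: [names]}}."""

    def __init__(self, zone):
        self.zone = zone

    def forward(self, name):
        return list(self.zone.get("A", {}).get(name.lower().rstrip("."), []))

    def reverse(self, ip):
        return list(self.zone.get("PTR", {}).get(ptr_name(ip), []))


class SystemResolver:
    """Same interface using the OS resolver (needs network and working DNS)."""

    def forward(self, name):
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
        except socket.gaierror:
            return []

    def reverse(self, ip):
        try:
            host, aliases, _ = socket.gethostbyaddr(ip)
            return [host] + aliases
        except (socket.herror, socket.gaierror):
            return []


def check_fcrdns(fqdn, resolver):
    """Return (ok, findings): ok only when every A address has a PTR naming fqdn."""
    findings = []
    fqdn = fqdn.lower().rstrip(".")
    addrs = resolver.forward(fqdn)
    if not addrs:
        return False, [f"no A record for {fqdn}"]
    for ip in addrs:
        names = [n.lower().rstrip(".") for n in resolver.reverse(ip)]
        if not names:
            findings.append(f"no PTR for {ip} ({ptr_name(ip)})")
        elif fqdn not in names:
            findings.append(f"PTR for {ip} is {names}, expected {fqdn}")
        else:
            findings.append(f"ok: {fqdn} -> {ip} -> {fqdn}")
    return all(f.startswith("ok:") for f in findings), findings


# Constructed zone: an A + PTR pair as built on the FortiGate, a mail host with
# both records, and a second mail host that has an A record but no PTR.
SAMPLE_ZONE = {
    "A": {
        "vcsa.xyz-company.com": ["192.168.1.10"],
        "mail.xyz-company.com": ["203.0.113.25"],
        "mail2.xyz-company.com": ["203.0.113.26"],
    },
    "PTR": {
        "10.1.168.192.in-addr.arpa": ["vcsa.xyz-company.com"],
        "25.113.0.203.in-addr.arpa": ["mail.xyz-company.com"],
    },
}

if __name__ == "__main__":
    r = ZoneResolver(SAMPLE_ZONE)
    for host in ("vcsa.xyz-company.com", "mail2.xyz-company.com"):
        ok, findings = check_fcrdns(host, r)
        print(host, "OK" if ok else "FAIL", findings)
```

For a real pre-upgrade check, call check_fcrdns("your-vcsa-fqdn", SystemResolver()) from a machine that uses the same DNS server the appliance will use; a “no PTR” finding is exactly the condition that makes the VCSA upgrade, and the reverse-lookup test on a mail server, fail.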
How do I create an SPF Record?
An SPF Record is just some text (see above); the simplest way to work out what you need in yours is to use this wizard.
Testing your SPF Records
As above, I’m going to use the nslookup command, though this time I’ll simply issue the nslookup command on its own, then change the type of record it searches for to TXT before I issue my query.
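To show what a receiving mail server actually does with the MX and SPF records above, here is a minimal evaluator I have added (it is not the post’s code, the wizard’s output, or any SPF library). It walks a v=spf1 record left to right and returns the qualifier of the first matching mechanism, which is also where the MX preference order from earlier on the page is used. It supports ip4, a, mx, include and all with the +/-/~/? qualifiers; ip6, ptr, exists, redirect= and CIDR suffixes on a/mx are deliberately left out. The zone is constructed, using the article’s xyz-company.com names with RFC 5737 documentation addresses, and hosted-example.net is an assumed third-party sender.

```python
"""Minimal SPF evaluation over a constructed zone (TXT, A and MX records)."""
import ipaddress

# Constructed DNS data: TXT for SPF, A for hosts, MX as (preference, host).
ZONE = {
    "TXT": {
        "xyz-company.com": "v=spf1 mx a:crm.hosted-example.net include:_spf.hosted-example.net -all",
        "_spf.hosted-example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    },
    "A": {
        "mail.xyz-company.com": ["203.0.113.25"],
        "mail2.xyz-company.com": ["203.0.113.26"],
        "crm.hosted-example.net": ["192.0.2.40"],
    },
    "MX": {
        "xyz-company.com": [(20, "mail2.xyz-company.com"), (10, "mail.xyz-company.com")],
    },
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mx_hosts_by_preference(domain, zone=ZONE):
    """MX targets lowest preference first: the order a sending server tries them."""
    return [host for _, host in sorted(zone["MX"].get(domain, []))]


def _ip_in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_spf(ip, domain, zone=ZONE, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = zone["TXT"].get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = _ip_in(ip, arg)
        elif mech == "a":
            matched = ip in zone["A"].get(arg or domain, [])
        elif mech == "mx":
            matched = any(ip in zone["A"].get(h, []) for h in mx_hosts_by_preference(arg or domain, zone))
        elif mech == "include":
            # include matches only if the included domain's policy passes.
            matched = check_spf(ip, arg, zone, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


if __name__ == "__main__":
    for sender in ("203.0.113.25", "192.0.2.40", "198.51.100.7", "203.0.113.99"):
        print(sender, check_spf(sender, "xyz-company.com"))
```

The last sender in the demo is the interesting one: it is not one of the MX hosts, not the CRM host and not in the hosted provider’s range, so the -all at the end turns it into a hard fail, which is what you want for a domain that has listed every legitimate source.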
What do I need to Request from my ISP / Domain Host?
Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234. The following should suffice;
[box]
Ref: Domain name xyz-company.com
Please can you arrange for the following records to be created:
A/Host Record for mail.xyz-company.com to point to 234.234.234.234
MX Record (Preference 10) that points to mail.xyz-company.com
PTR Record that points 234.234.234.234 to mail.xyz-company.com
Signed
{Someone your ISP has on record}
[/box]
Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234, and a backup mail server at your secondary site that has an IP address of 333.333.333.333. The following should suffice;
[box]
Ref: Domain name xyz-company.com
Please can you arrange for the following records to be created:
A/Host Record for mail.xyz-company.com to point to 234.234.234.234
A/Host Record for mail2.xyz-company.com to point to 333.333.333.333
MX Record (Preference 10) that points to mail.xyz-company.com
MX Record (Preference 20) that points to mail2.xyz-company.com
PTR Record that points 234.234.234.234 to mail.xyz-company.com
PTR Record that points 333.333.333.333 to mail2.xyz-company.com
Signed
{Someone your ISP has on record}
[/box]
Related Articles, References, Credits, or External Links