Nutanix is very flaky! On a new single-host cluster, post setup, whilst attempting to log in to Prism for the first time, it wanted to link to my Nutanix account.
Unknown host, could not reach NEXT server. Please configure name server
Solution : Could Not Reach Next Server
Why do I say it’s flaky? Well, I defined a DNS server when I created the cluster.
However, if I fired up SSH, connected to the CVM and queried the DNS servers for the cluster with ncli cluster get-name-servers, the list was blank. I created a new entry with ncli cluster add-to-name-servers servers=192.168.100.10 (then retested to make sure).
Problem solved.
Related Articles, References, Credits, or External Links
I’ve been setting up a VPN solution on the test bench as I’m looking at Always On VPN, when I noticed that I had a problem with my remote VPN connections on Windows. They would connect fine, but I could not resolve any FQDNs for my domain.
VPN no DNS Solution
By default, all (Windows) VPN connections are ‘Force Tunnel’ (this means they have the option ‘Use default gateway on remote network’ selected). This also means that (unless your RAS server is the default gateway for your network) you usually don’t have internet access when connected to the VPN.
Now I connected fine, and I could ping IP addresses on my corporate network, but I could not ping my servers by their domain name; in fact Windows was trying to resolve my domain name to a public IP.
Google this problem and you’re simply told to ‘Disable IPv6 on your network card’, and this works (if you want to keep your remote users Force-Tunnelled). But disabling IPv6 is hardly a fix, is it?
Also, if you want internet access for your remote clients (commonly referred to as ‘Split Tunnel’), then even with IPv6 disabled the problem comes back!
Why is this happening? Well, even with Force Tunnel enabled you can still use your local LAN (connect to your VPN and ping your home gateway, printer or wireless access point if you don’t believe me!). This connection takes precedence over your remote VPN connection; to prove it, run a netstat -rn command.
From the above you can see my Ethernet adapter has a metric of 6, and my VPN connector (in this case called Connection Template) has a metric of 23. AND THE LOWEST ONE WINS, so your DNS queries are going out of your local internet connection, NOT down the VPN tunnel!
How Do I Fix this VPN no DNS?
Well, until Microsoft fixes this in Windows 10 (it’s fine on Windows 8 and earlier), you have to manipulate the metrics yourself, like so;
VPN no DNS On Your Physical Adapter;
Start > ncpa.cpl {enter} > Right click your NIC > Properties > Internet Protocol Version 4 > Properties.
Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 20 > OK > OK > OK.
On Your VPN Connector;
Start > ncpa.cpl {enter} > Right click your VPN Connector > Properties > Internet Protocol Version 4 > Properties.
Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 10 > OK > OK > OK.
Now your DNS look-ups should behave!
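The same inspection and metric change from PowerShell, added here as an example that is not part of the original post. The adapter alias ‘Ethernet’, the internal test name and the fact that the VPN is connected while you run it are assumptions; use the aliases Get-NetIPInterface shows on your own machine.

```powershell
# Added example: show why the LAN wins, then pin the metrics so the VPN wins.
# Interface aliases are assumptions; 'Connection Template' is the connector name
# used in the article. Run from an elevated PowerShell with the VPN connected.
$Lan = 'Ethernet'
$Vpn = 'Connection Template'

# 1. Inspect: the lowest InterfaceMetric wins, so a LAN adapter at 6 beats a VPN at 23.
Get-NetIPInterface -AddressFamily IPv4 |
    Sort-Object InterfaceMetric |
    Format-Table InterfaceAlias, InterfaceMetric, AutomaticMetric, ConnectionState -AutoSize

# 2. Fix: the same change as unticking 'Automatic Metric' in ncpa.cpl.
#    Physical NIC to 20, VPN connector to 10, so the VPN now sorts first.
Set-NetIPInterface -InterfaceAlias $Lan -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 20
Set-NetIPInterface -InterfaceAlias $Vpn -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 10

# 3. Verify: the VPN interface should be listed first, and a name in the internal
#    domain should now be answered by the corporate DNS server rather than a
#    public resolver (assumed internal name below).
Get-NetIPInterface -AddressFamily IPv4 -InterfaceAlias $Lan, $Vpn |
    Sort-Object InterfaceMetric |
    Select-Object InterfaceAlias, InterfaceMetric, AutomaticMetric
Resolve-DnsName -Name 'server1.corp.example' -Type A
```

The metric set on a live VPN interface this way applies to the current connection; if it does not survive a reconnect, the ncpa.cpl steps above are the persistent setting for the connector.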
Related Articles, References, Credits, or External Links
Affected Server OS: Windows 2003, Windows 2008, Windows 2008 R2, Windows 2012, Windows 2012 R2, Windows 2016, Windows 2019
Yesterday Microsoft released a critical notice (KB4569509) to address the vulnerability identified in CVE-2020-1350. Basically it allows a remote attacker to perform remote code execution on your DNS servers (unless you patch them!). The reason it’s so important is that it’s considered ‘wormable’ (it can jump from machine to machine without user interaction).
To see how easy that is to do, watch the video below;
To be attacked from an external source the DNS server has to be publicly addressable; however, if you have a compromised machine in your network, it won’t be long before a malicious payload can be delivered from that vector as well.
Solution
The correct fix is to update your servers from Windows Update as soon as possible! However, if you want to protect yourself in the interim, you need to make a slight change in the Windows DNS Server registry. I’ve written the PowerShell out to save you poking around in the registry; it will change the key for you and then restart the DNS service.
[box]
# Set DNS Registry Key (Vulnerability CVE-2020-1350)
$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
# Cap the size of DNS messages the server will accept over TCP (DWORD 0xFF00)
Set-ItemProperty -Path $RegKey -Name TcpReceivePacketSize -Value 0xFF00 -Type DWord
# Read the value back to confirm the change took
Get-ItemProperty -Path $RegKey -Name TcpReceivePacketSize
# Restart the DNS Server service so the new limit takes effect
Restart-Service DNS
[/box]
If you have a Cisco firewall you can use the default DNS inspection to mitigate this: RFC 1035 defines that DNS packets should be no larger than 512 bytes. But Windows uses EDNS, so you may have “message-length maximum client auto” in your config. If you remove that and change the maximum allowed size to 65280 you will mitigate THIS problem, though I don’t like that as a solution (unless you have a lot of DNS servers to update and want to throw in a quick fix while you patch them all).
Note: This vulnerability has existed for 17 years! But now it’s public knowledge, so the clock is ticking before it gets exploited. ACT NOW!
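If you have more than a couple of DNS servers, the following is an added example (not from the original post) that audits the same registry workaround across all of them over PowerShell remoting and, if you set $Apply to $true, applies it where it is missing. The server names are assumptions.

```powershell
# Added example: audit (and optionally apply) the CVE-2020-1350 interim workaround
# on a list of Windows DNS servers. Server names below are placeholders.
$DnsServers = 'DC1', 'DC2', 'DNS-EDGE1'   # assumption: replace with your DNS servers
$Apply      = $false                       # $true = set the key and restart DNS where needed

$Check = {
    param([bool]$Apply)
    $RegKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $Value  = (Get-ItemProperty -Path $RegKey -Name TcpReceivePacketSize -ErrorAction SilentlyContinue).TcpReceivePacketSize

    # Key absent means the default (0xFFFF) is in force, i.e. not mitigated.
    $Mitigated = ($null -ne $Value) -and ($Value -le 0xFF00)

    if (-not $Mitigated -and $Apply) {
        Set-ItemProperty -Path $RegKey -Name TcpReceivePacketSize -Value 0xFF00 -Type DWord
        Restart-Service DNS
        $Mitigated = $true
    }

    [pscustomobject]@{
        Server     = $env:COMPUTERNAME
        Value      = if ($null -ne $Value) { '0x{0:X}' -f $Value } else { '(not set, default 0xFFFF)' }
        Mitigated  = $Mitigated
        DnsRunning = (Get-Service DNS).Status -eq 'Running'
    }
}

# Unmitigated servers sort to the top of the report.
Invoke-Command -ComputerName $DnsServers -ScriptBlock $Check -ArgumentList $Apply |
    Sort-Object Mitigated |
    Format-Table Server, Value, Mitigated, DnsRunning -AutoSize
```

Once the servers are patched from Windows Update the key can be removed again; the report above makes it easy to see which ones still carry the workaround.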
Related Articles, References, Credits, or External Links
An IP address is the address used on a network to find your PC, Server, Laptop, or Printer etc. It’s the networking equivalent of your house number and post code (or Zip Code for visitors from over the pond).
Do you want your PUBLIC or PRIVATE IP address? As we started to run out of addresses, there were a number of solutions that we came up with: one you will see below (DHCP), the other is NAT (Network Address Translation), which lets many IPs on a network share one (or more) public IP addresses on the internet. If you want to know your PUBLIC address (your address on the internet) then simply see below;
Your Public IP Address Is: [user_ip]
Where does my IP address come from?
You get an IP address by one of two methods;
1. Statically Assigned: Your address never changes and is allocated to you manually.
2. Dynamically Assigned: Your machine gets its IP address automatically via a system called DHCP.
What does an IP address look like?
Most IP addresses in use today are IP version 4 and consist of 4 numbers separated by three full stops (or once again, periods, for overseas visitors).
An IP address looks like this: 192.168.1.100
Is that all my computer needs?
NO! You need FOUR pieces of information to access the internet and work properly;
1. The IP address itself (i.e. 192.168.1.100); this is unique to every machine on the network.
2. The Subnet Mask (i.e. 255.255.255.0); this tells the machine how big the network it is on is.
3. The Default Gateway; this is another IP address on the network that you need to go through to get off the local network, i.e. to access the internet.
4. The DNS IP address; this is the IP address of a machine that can translate names into IP addresses (e.g. translate www.bbc.co.uk to 212.58.246.159).
What’s my IP address?
1. Windows Key + R > type ‘cmd’ {Enter}
2. A Command Window will open; click within the box and you can type in commands. The command to show your IP address is ipconfig, but this WON’T show us the DNS settings as well; to do that the command is “ipconfig /all”.
Note: If you have many network connections you will get results for them all; you may need to scroll up and down to find the right one.
IP Problems
Problem 1: My machine has got an IP address that is 169.254.x.y (where x and y can be any number from 1 to 254).
Answer: This machine is set to get its IP address automatically via DHCP, but it can’t speak to the DHCP server, because either the DHCP server is down or there is no connection between the DHCP server and you.
Problem 2: My IP address shows as 0.0.0.0
Answer: You have been given a static IP address and someone on the same network is using the same address; this causes an IP conflict. Change one of the IP addresses.
Find out if your IP address is statically assigned or dynamically assigned
The more eagle-eyed of you will see on the ipconfig /all results above that this machine has DHCP disabled, so it is statically assigned. To check on your own Windows machine, do the following.
1. Windows Key + R > Type ‘ncpa.cpl’ {Enter}
2. Your network connections window should open; locate the connection you are connecting with (you might have many, so be sure to select the right one, i.e. you might have one for dial-up, one for wireless, one for a VPN to the office etc.). Right click the connection and select Properties.
3. On the window that appears you may have to scroll down the list; we are looking for TCP/IP (on newer machines it will be called “Internet Protocol Version 4 (TCP/IPv4)”). Select it and click Properties.
4. Now you can see if your addresses are set statically or dynamically.
How to change your IP address
To change your IP address you first need to know if you have a static IP address or a Dynamically assigned one. (That’s why this section is below the one above).
1. If you have a static IP address, simply change it on the screen shown (diagram above).
2. If you have a Dynamic IP address, you can either reboot the machine in question or click Start > Run > cmd {enter}
3. A Command Window will open; click within the box and you can type in commands. The command to release your IP address is ipconfig /release
Then to get a new address type in ipconfig /renew
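The same checks done in PowerShell, as an added example that is not part of the original article: it reads the four pieces of information above for every adapter, reports whether the address is static or DHCP, and flags the two problems described (a 169.254.x.y address and 0.0.0.0). No names or addresses are assumed; everything comes from the machine it runs on.

```powershell
# Added example: an "ipconfig /all" style health check for every IPv4 adapter,
# flagging the two problem cases from the article (APIPA and no address).
function Get-IpHealth {
    foreach ($Cfg in Get-NetIPConfiguration) {
        $Ip   = $Cfg.IPv4Address | Select-Object -First 1
        $If   = Get-NetIPInterface -InterfaceIndex $Cfg.InterfaceIndex -AddressFamily IPv4
        $Addr = if ($Ip) { $Ip.IPAddress } else { '0.0.0.0' }

        # Problem 1: 169.254.x.y = DHCP client got no answer from a DHCP server.
        # Problem 2: 0.0.0.0     = no usable address, e.g. a static IP conflict.
        $Problem = switch -Regex ($Addr) {
            '^169\.254\.'  { 'APIPA: DHCP enabled but no DHCP server reachable' }
            '^0\.0\.0\.0$' { 'No address: static IP conflict or adapter not configured' }
            default        { '' }
        }

        [pscustomobject]@{
            Adapter    = $Cfg.InterfaceAlias
            IPAddress  = $Addr
            PrefixLen  = if ($Ip) { $Ip.PrefixLength } else { $null }   # 24 = 255.255.255.0
            Gateway    = $Cfg.IPv4DefaultGateway.NextHop
            DnsServers = ($Cfg.DNSServer | Where-Object AddressFamily -eq 2).ServerAddresses -join ', '
            Assigned   = if ($If.Dhcp -eq 'Enabled') { 'Dynamic (DHCP)' } else { 'Static' }
            Problem    = $Problem
        }
    }
}

Get-IpHealth | Format-Table -AutoSize
```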
Related Articles, References, Credits, or External Links
Seen when attempting to ‘Activate’ a Windows machine;
Error: 0x8007232B DNS name does not exist
Solution
The reason for this error is that the Windows machine has looked for a KMS (Key Management Server) in its local DNS and not found one. This is because (out of the box) it has a Windows KMS licence code installed. Now, if you have a KMS server you need to work out why you can’t see it; I’ve covered troubleshooting KMS in the link below;
So if you don’t have a KMS server and don’t wish to deploy one, you need to change the Windows activation code on this machine to a MAK (Multiple Activation Key) instead. Note: you will get these keys from the Microsoft Volume Licensing Service Center. Then from an administrative command window;
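Before swapping to a MAK it is worth confirming what activation actually found in DNS. The following is an added example (not from the original post) that reproduces the lookup Windows does, the _vlmcs._tcp SRV record for the machine’s own domain, and checks that each advertised KMS host answers on its published port (1688 by default). Nothing is hard-coded; the domain comes from the machine.

```powershell
# Added example: the DNS discovery that precedes error 0x8007232B, done by hand.
# If no SRV record exists, activation cannot find a KMS and this error is expected.
function Test-KmsDiscovery {
    $Domain = (Get-CimInstance Win32_ComputerSystem).Domain
    $Srv = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'SRV'

    if (-not $Srv) {
        return [pscustomobject]@{
            Domain    = $Domain
            KmsHost   = $null
            Port      = $null
            Reachable = $false
            Note      = 'No _vlmcs._tcp SRV record: no KMS published in DNS (use a MAK, or fix KMS DNS registration)'
        }
    }

    foreach ($R in $Srv) {
        # A record can exist while the host is down or port 1688 is firewalled.
        $Tcp = Test-NetConnection -ComputerName $R.NameTarget -Port $R.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Domain    = $Domain
            KmsHost   = $R.NameTarget
            Port      = $R.Port
            Reachable = $Tcp.TcpTestSucceeded
            Note      = if ($Tcp.TcpTestSucceeded) { 'KMS reachable' } else { 'SRV record exists but host/port unreachable' }
        }
    }
}

Test-KmsDiscovery | Format-Table -AutoSize
```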
I got an email from a colleague who was setting up an RDS farm, (2012 R2). He was having some problems and asked me; “If the Connection Broker brokers the connections to the Session Hosts, how do I RDP to the Session Broker?”
This threw me completely. I usually jump on the console in VMware or use a third party remote management tool; I don’t tend to RDP onto servers. I had fallen into the same trap he had. I assumed: You connect to a SESSION BROKER and it BROKERS YOUR SESSION to the least busy session host (or reconnects your broken sessions).
THIS IS WRONG!
How Session Brokers Work
You don’t connect to a session broker (unless you are an admin who is about to do some work on the Session Broker). You connect to a DNS RECORD, and that record points to a SESSION HOST (I know that makes no sense, but bear with me). And you create a DNS record with the SAME NAME for every Session Host, like so,
This works because (by default) Windows DNS uses ‘round robin’, so if it has multiple values for one DNS name it responds with the first one to the first request, the second one to the second, etc.
But Pete? Round Robin is Bobbins for Load Balancing? Yes it is, that’s what the Session Broker is for! In reality this is what happens;
Here are two scenarios that should clear things up. User1 queries DNS for TSFarm.my-domain.com and gets an IP of 192.168.1.1. They go to that SESSION HOST, then the session host CHECKS WITH THE CONNECTION BROKER, firstly to see if User1 already has a session on another session host; if so they are reconnected to that session (above, that’s on SESSION HOST 2).
Then User2 attempts to connect to TSFarm.my-domain.com and gets an IP of 192.168.1.2 (because of DNS ‘round-robin’). They go to that SESSION HOST, then the session host CHECKS WITH THE CONNECTION BROKER, firstly to see if User2 already has a session on another session host; in this case they don’t. But this host already has User1 connected to it, so it redirects User2 onto SESSION HOST 1.
Of course a user can connect to a SESSION HOST and, after checking with the CONNECTION BROKER, get connected to the host they originally queried if (for example) the other session hosts are busier (and the user has no existing sessions).
But With Server 2012 You Can Do Connection Broker Load Balancing? Yes, you can, but that’s load balancing for the connection brokers, NOT the user sessions!
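The DNS half of the above, as an added example that is not part of the original post: one A record per Session Host under the farm name, then a few queries to show round robin rotating the first answer. The zone, farm name and host IPs are the sample values used in the article; the Session Hosts and the Connection Broker that does the real redirecting are assumed to exist already, and the script runs on the Windows DNS server itself.

```powershell
# Added example: publish the farm name once per Session Host and watch round robin.
# Values match the article's sample farm; run on a Windows DNS server (DnsServer module).
$Zone  = 'my-domain.com'
$Farm  = 'TSFarm'
$Hosts = '192.168.1.1', '192.168.1.2'          # Session Host 1 and Session Host 2

# Same name, different address, once per host: the "SAME NAME for every Session Host"
# step. A short TTL keeps stale answers out of client caches when a host is removed.
foreach ($Ip in $Hosts) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Farm -IPv4Address $Ip -TimeToLive 00:05:00
}

# Round robin is on by default; without it every client gets the same first address
# and lands on the same Session Host before the broker ever sees them.
$Settings = Get-DnsServerSetting -All
if (-not $Settings.RoundRobin) {
    $Settings.RoundRobin = $true
    Set-DnsServerSetting -InputObject $Settings
}

# Ask the server directly a few times: the first A record should alternate.
function Get-FirstAnswer {
    param([string]$Name, [string]$Server)
    Clear-DnsClientCache   # so each query really goes to the server
    (Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly |
        Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
}
1..4 | ForEach-Object { "Query $_ -> $(Get-FirstAnswer -Name "$Farm.$Zone" -Server 127.0.0.1)" }
```

Which host the user finally ends up on is decided by the Session Host and the Connection Broker after this point; DNS only spreads the first hop.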
Related Articles, References, Credits, or External Links
When attempting to connect to a remote machines registry;
Error
The program cannot open the required dialog box because no locations can be found. Close this message and try again.
Solution
The ultimate cause of this problem is that the machine you are on cannot see Active Directory, either because no domain controllers are online or because its DNS settings are incorrect.
Related Articles, References, Credits, or External Links
If you have a Meraki Security device and have enabled ‘Content Filtering’, instead of a nice ‘block-page’ informing you why you are being blocked you may see this;
http://wired.meraki.com:8090
This is happening because your corporate DNS is resolving ‘wired.meraki.com’ to 54.241.7.184, which you can also see if you look at the URL; you are trying to connect to it on port 8090. A quick nmap of that IP will tell you port 8090 is not open (only port 80 and port 443 are).
The reason is that if you were to use your Meraki device for DNS forward lookups, it would ‘DNS Doctor’ the returned DNS packet and insert its own IP address in there instead. That’s fine, but most corporate networks don’t want to use their Meraki devices for DNS forward lookups.
The easiest way to resolve the problem is with your own corporate DNS servers.
Solution
First you need the inside IP of your Meraki device(s). You can get these from the Meraki Dashboard (Security Devices > Addressing and VLANs). If you browse to that IP, you should see something similar to below;
Armed with that information, go to one of your DNS Servers, and create a new forward lookup zone.
Next > Primary zone > Next > To all DNS Servers… > Next.
Zone Name = wired.meraki.com > Next > Allow only Secure… > Next > Finish.
In the newly created zone, create a ‘New Host (A or AAAA)’ record.
Enter the inside IP of your MX device (only, leaving the name blank) > Add Host > Repeat for each Meraki device if you have more than one.
Now you will receive a slightly more friendly blocked page.
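The same override zone built with the DnsServer PowerShell module instead of the wizard, as an added example that is not part of the original post. The MX inside addresses are placeholders, and ‘To all DNS servers…’ is assumed to mean the domain-wide replication scope; change it to Forest if that is what you picked.

```powershell
# Added example: wired.meraki.com override zone, one apex A record per MX.
# Run on a domain controller / DNS server in the corporate domain.
$Zone        = 'wired.meraki.com'
$MxInsideIps = '10.0.0.1', '10.0.1.1'   # assumption: from Dashboard > Addressing and VLANs

# AD-integrated primary zone, replicated to all DCs in the domain, secure dynamic
# updates only: the same choices as the wizard steps above.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain -DynamicUpdate Secure
}

# The block page URL is http://wired.meraki.com:8090, so the bare zone name (the apex,
# '@'), not a host inside it, must resolve to the MX inside address.
foreach ($Ip in $MxInsideIps) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name '@' -IPv4Address $Ip
}

# Verify against this server: the answer should now be an inside IP, not 54.241.7.184.
Resolve-DnsName -Name $Zone -Type A -Server 127.0.0.1 |
    Where-Object Type -eq 'A' |
    Select-Object Name, IPAddress
```

Clients that still show the public address simply have the old answer cached; ipconfig /flushdns on the client clears it.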
Related Articles, References, Credits, or External Links
I’ve not used ADMT for ages, I’ve got a domain migration to do soon, so I thought I’d get on the bench and have a reminder. Although ADMT 3.2 was ‘re-jigged’ to support Server 2012 R2, I’m still going to install it on Server 2008 R2. I’ve got a test domain built to migrate from, and a new domain setup ready to migrate into.
The old domain needs to be able to resolve names in the new domain, and the new domain needs to be able to resolve names in the old domain. To achieve this you need to setup ‘Conditional Forwarding’ in each domain for the other one.
Don’t worry if it looks like there’s a problem, as long as the DNS servers can see each other (and there’s no firewall in between blocking TCP and UDP port 53). Just add in the DNS server, give it a while, then re-open the forwarder settings and it should have ‘gone green’.
You can test it’s working by pinging BOTH the old and new domain names, in BOTH domains.
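The conditional forwarders and the resolution test as an added example, not part of the original article. The domain names and DNS server addresses are placeholders; each Add-DnsServerConditionalForwarderZone line runs on a DNS server in the domain named in its comment, and the test function can be run from either side.

```powershell
# Added example: conditional forwarding in both directions, then verification.
$OldDomain = 'old.example'  ; $OldDns = '192.168.1.10'   # assumed OLD domain and its DNS server
$NewDomain = 'new.example'  ; $NewDns = '192.168.2.10'   # assumed NEW domain and its DNS server

# On a DNS server in the OLD domain: send queries for the new domain to its DNS server.
Add-DnsServerConditionalForwarderZone -Name $NewDomain -MasterServers $NewDns -ReplicationScope Forest

# On a DNS server in the NEW domain: the mirror image.
Add-DnsServerConditionalForwarderZone -Name $OldDomain -MasterServers $OldDns -ReplicationScope Forest

# Test from either side. Beyond the ping test above this also checks the DC locator
# SRV record, which the trust wizard relies on, and that port 53 is not firewalled.
function Test-CrossDomainDns {
    param([string[]]$Domains)
    foreach ($D in $Domains) {
        $A = Resolve-DnsName -Name $D -Type A -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'A'
        $Ldap = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$D" -Type SRV -ErrorAction SilentlyContinue |
                Where-Object Type -eq 'SRV'
        [pscustomobject]@{
            Domain     = $D
            Resolves   = [bool]$A
            DcSrvFound = [bool]$Ldap
            Port53Tcp  = (Test-NetConnection -ComputerName $D -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded
        }
    }
}

Test-CrossDomainDns -Domains $OldDomain, $NewDomain | Format-Table -AutoSize
```

Both rows should show Resolves and DcSrvFound as True before you move on to the trust.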
In addition, we want all machines (in both domains) to set their primary DNS Suffix, to their own domain, and their DNS suffix search list to look for their own domain first, then the other domain. The easiest way to do that is via group policy. On a domain controller > Administrative Tools > Group Policy Management Console.
It’s better practice to ‘link’ your policy to the actual OU that your computers are in, to keep things simple, (and because I’m lazy) I’m going to link my policy to the root of the domain.
Above: you can see both the policies have taken effect.
Repeat the procedure in the new domain, (but the domain names will be the opposite way round) like so;
ADMT – Creating Domain Trust
Both domains need to trust each other for the migration to take place. If you have two simple domains like I do, a ‘two-way domain trust’ is fine. You would only need a ‘forest trust’ if you were migrating from/to root and sub domains, for example.
As the name implies, trusts are set up from Administrative Tools > Active Directory Domains and Trusts. You can set up the whole thing from one domain; below I’m creating it in the old domain.
Welcome Screen = Next > Provide the name to the ‘other’ domain > Next > External Trust > Next.
Two Way > Next > Both this domain and the specified domain > Next > Provide administrative credentials for the ‘other’ domain > Next.
Domain wide authentication > Next > Domain wide authentication > Next > Next.
Next > Yes. Confirm outgoing trust > Next > Yes. Confirm incoming trust > Next.
Finish > READ the warning about SID history; we will have to mess about with SID history filtering a bit further on > OK.
This step is not really necessary (it’s just for peace of mind). I do this in BOTH domains and validate each trust (so you will do this four times).
Select the trust > Properties > Validate > Type in credentials > OK > Type in Credentials > OK > OK.
ADMT – Users / Admins and Rights Assignment
Create the user that will do all the hard work in the NEW domain. Then add that user to the domain admins group (again in the NEW domain).
Username: ADMTAdmin (Can be anything you want, but I’ll refer to this username throughout).
Over in the OLD domain, you won’t be able to add your ADMT user into the domain admins group, you need to add the ADMTAdmin account from the NEW domain into the Builtin\Administrators group on the OLD domain.
Additionally: the ADMTAdmin user needs to have local administrative rights to all the machines in the OLD domain. The easiest way to do that is again with a group policy.
In the OLD domain create a group, (Type: Domain Local)
Group Name: GP-ADMT-Admins, (again you can call it something else if you want).
Add your ADMTAdmin account to this group, (Note: I like to add the domain admin account for the NEW domain as well, though that’s not necessary).
On a domain controller > Administrative Tools > Group Policy Management Console.
Once Again: It’s better practice to ‘link’ your policy to the actual OU that your computers are in, to keep things simple, (and because I’m lazy) I’m going to link my policy to the root of the domain.
Or the best test is, make sure that the GP-ADMT-Admins group is actually in the local admins group.
ADMT – Database Requirements
OK, a lot of posts say don’t install ADMT/SQL on a domain controller. That’s not strictly true; you can install ADMT and SQL on a domain controller, in fact that’s what I’m going to do (there are a few commands and extra steps that I will point out below).
You can use full-blown SQL if you like, but it’s just as easy to use SQL Express 2008 SP1 > Download and run > Installation > New SQL Server stand-alone installation or add features to an existing installation.
Accept the defaults > In feature Installation select ‘Database Engine Services’.
Accept the named instance ‘SQLExpress’.
Keep accepting defaults until you get to the ‘Server configuration’ page, and add in the ADMTAdmin account.
Then add in your ADMTAdmin account again. (Once again, there’s nothing wrong with adding the domain admin account as well.)
ADMT – Additional SQL Steps For Domain Controllers
[box]
REM Create the group SQL Express expects for its service account (Target-DC is this server's name)
NET LOCALGROUP SQLServerMSSQLUser$Target-DC$SQLEXPRESS /ADD
REM Show the service SID of the SQL Express instance
SC SHOWSID MSSQL$SQLEXPRESS
{Copy the SID to the clipboard, you will need it in a minute}
REM Create the ADMT data folder and give the SQL service SID full control of it
MD %SystemRoot%\ADMT\Data
ICACLS %SystemRoot%\ADMT\Data /grant *{Paste the SID from above}:F
i.e.
ICACLS %SystemRoot%\ADMT\Data /grant *S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133:F
[/box]
ADMT – Downloading and Installing ADMT
Download the ADMT software; if that link ever dies use this one: Download ADMT 3.2. Launch the installer and accept all the defaults until you get to database selection, and use .\SQLEXPRESS
No, we don’t want to import any data from an existing database > Next > Finish.
We can now open the ‘Active Directory Migration Tool’ management console.
In Part Two we will look at SID filtering, setup a password export server, and do some group policy work.
Related Articles, References, Credits, or External Links
When promoting a server to be a domain controller, you might see the following error,
“A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain “{zone-name}“. Otherwise, no action is required”.
Or if you are on older domain controllers;
I’ve clicked past this error many thousands of times, because I know it’s safe to do so, but what does it mean? And why (in most cases) can you simply ignore it?
Solution
Quick Answer:
If you’re here because you have just Googled the error and don’t really care, because you have work to do, then in 99% of cases this error can be ignored. The exception is if you need assets within your internal domain DNS to be addressable, or look-up-able (if those are words!), from the public internet.
But I’m creating a child domain? If you are creating a child domain, then the machine you are promoting to be a domain controller in the new child domain should be a member of the root domain first! Also you need to be logged on as a member of the Enterprise Admins group. When creating a child domain you should NEVER see this error, because a DNS delegation is created for you automatically in the root domain. The only error you may see is;
Could not log into the domain with the specified credentials. Supply a valid credential and try again.
Make sure you are a member of the root domain’s Enterprise Admins group and that the root domain is contactable.
The Long Answer:
It’s complaining because it can’t make a ‘delegation’ in the domain that’s directly above you. What does that mean? Well, a delegation is (as the name implies) a method of delegating authority for a DNS zone somewhere else, to another DNS server to be precise. So for the following;
AD domain domain.com: looks to the servers responsible for com for a delegation to itself; if one does not exist it tries to create one and will fail.
AD domain subdomain.domain.com: looks to the servers responsible for domain.com for a delegation to itself; if one does not exist it tries to create one and will fail. NOTE: this domain might look like a subdomain/child domain, but if you selected ‘new domain in a new forest’ it isn’t (this can be confusing, which is why I’m mentioning it).
AD child domain subdomain.domain.com: this will look to the DNS servers responsible for domain.com (the root domain in your forest) and it will create a delegation for you. For this to work you will have selected “Add a new domain to an existing forest”.
Providing you are an enterprise administrator, the delegation will be created for you in the domain ‘above’ you.
If you open the delegation, you will see that the name server entry for your child domain has been created;
The domain ‘Above’ me isn’t a Windows domain, or it’s a public domain?
Then, if you need to have your domain assets addressed by their DNS name from the internet, you need to do the following;
1. Allow DNS access to your internal DNS server(s) from the internet (via UDP and TCP port 53).
2. Create an A (or AAAA) record for each of your DNS servers, with a public name, i.e. ns1.yourdomain.com etc.
3. Create an NS (name server) record that points to each of your DNS servers’ A (or AAAA) records.
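For the case where the zone ‘above’ you is Windows DNS that you control, the delegation the wizard asks you to create manually can be scripted, and the same check afterwards tells you whether any parent (Windows or public) now delegates to you. This is an added example, not part of the original post; the zone names, child DC name and addresses are placeholders.

```powershell
# Added example: create the missing delegation in a Windows parent zone, then verify
# it from the parent's point of view. Run the Add-* line on a DNS server hosting
# the PARENT zone. All names and addresses below are assumptions.
$ParentZone = 'domain.com'                    # zone directly above the new domain
$Child      = 'subdomain'                     # new AD domain = subdomain.domain.com
$ChildDc    = "dc1.$Child.$ParentZone"        # DC / DNS server in the new domain
$ChildDcIp  = '192.168.50.10'

# Writes the NS record for subdomain.domain.com plus the glue A record for the
# child DC into the parent zone, which is exactly what the promotion wizard
# could not do when it raised the warning.
Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $Child -NameServer $ChildDc -IPAddress $ChildDcIp

# Ask a server for the parent zone who is authoritative for the child. For a public
# parent, point -ParentServer at a public resolver after the registrar NS records
# from steps 1 to 3 above have been created.
function Test-ZoneDelegation {
    param([string]$ParentServer, [string]$ChildZone)
    $Ns = Resolve-DnsName -Name $ChildZone -Type NS -Server $ParentServer -ErrorAction SilentlyContinue |
          Where-Object Type -eq 'NS'
    [pscustomobject]@{
        ChildZone   = $ChildZone
        Delegated   = [bool]$Ns
        NameServers = ($Ns.NameHost -join ', ')
    }
}

Test-ZoneDelegation -ParentServer 'dns1.domain.com' -ChildZone "$Child.$ParentZone"   # assumed parent DNS server
```

Delegated = True with your own DC listed under NameServers means the warning no longer applies; anything else means outside resolvers still cannot find your domain’s DNS.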
Related Articles, References, Credits, or External Links