環境搭建:
準備至少3臺機器,一臺主DC & DNS,一臺從DC & DNS,一臺作爲測試的客戶端。
首先搭建主DC(主DC和從DC我們都用Server 2012來搭建,2008也OK,只要Forest和Domain的功能級別選對應的就行):
先在Server Manager中選擇Add Roles and Features,安裝ActiveDirectory Domain Services和DNS Server(彈出的選項都保持默認即可):
後面的選項保持默認即可。
安裝完成後,在上面通知的地方找到安裝成功的通知,在上面會有一個“Promote this server to a domain controller”:
對於主DC我們選擇下面的選項創建一個新的Forest:
接着我們選擇Forest和Domain的功能級別,如果希望2008的系統也可以加入域的話,就可以把級別調低一些:
![ive Directory Domain Services Configuration Wiza Domain Controller Options Deployment Configuration Domain Contrcller Opticrs DNS Options Additional Options Paths Review Options Prerequisites Check Select functional level of the new forest and root domain Forest functional level: Domain functional level: Windows Server 2008 Windows Server 2008 Specify domain controller capabilities Q] Domain Name System (DNS) server Q] Global Catalog (GC) Read only domain controller (RCDC) Type the Directory Services Restore Mode (DSRM) password Confi rm pass'vord: More about domain controller options TARGET SERVER Dan2012Test Cancel](https://pic1.xuehuaimg.com/proxy/csdn/https://img-blog.csdn.net/20180129175544716?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvcXdlcnR5dXBvaXV5dHI=/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
後面的選項都保持默認就可以了,最後點擊Install:
搭建好主DC後,我們再搭建一臺從DC,從DC也是要安裝ADDS和DNS服務(與主DC的過程完全相同),完成後,在“Promotethis server to a domain controller”的過程中有一點不一樣,我們選擇“Add a domain controller to an existing domain”:
在Domain這填上“daniel.com”,也就是我們前面創建的Forest下的domain。點擊Select後需要我們使用域管理員認證。完成後點擊下一步,後面的步驟保持默認選項完成即可。
做完之後,我們在DNS的域名上面選擇右鍵菜單中的屬性:
確認一下Dynamic updates選項選擇的是“Secure only”:
然後我們找第三臺機器,將第三臺機器加入域中,然後查看主DNS和從DNS上面的記錄,可以看到DNS記錄自動加到DNS記錄中:
![Dan2012R2DC.danieI.com Global Logs Forward Lookup Zones msdcs.daniel.com daniel.com msdcs sites udp DomainDnsZone: ForestDnsZones test.com Reverse Lookup Zones Trust Points Conditional Forwarders sites udp DomainDnsZones ForestDnsZones (same as parent folder) (same as parent folder) (same as parent folder) (same as parent folder) (same as parent folder) a (same as parent folder) DAN08R2 dan2012r2dc DanADClient2012 google Start of Authority (SOA) Name Server (NS) Name Server (NS) Host (A) Host (A) Host (A) Hcst (A) Host (A) Host (A) Host (A) Host (A) [64], dan2012r2dc.danieI.c... dan2012r2dc.danieI.com. danadcIient2012.danieI.co... 172.16.0.10 172.16.o.g 172.16.0.11 172.16.0.15 172.16.0.1 172.16.o.g 8.8.8.8 111.111.111.111 Timestamp static static 1/26/2018 AM 1/26/2018 AM 1/23/201 8 AM static](https://pic1.xuehuaimg.com/proxy/csdn/https://img-blog.csdn.net/20180129175707230?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvcXdlcnR5dXBvaXV5dHI=/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
接着修改第三臺機器的內網IP,然後使用ipconfig /registerdns手動註冊一下DNS記錄:
![Administrator: Command Prompt Microsoft Windows [Uersion 6 ] Copyright (c) 2009 Microsoft Corporation . / registerdns indows IP Conf iguration All rights reserved. egistration OF the DNS resource records For all adapters OF this en initiated. Any errors will be reported in the Event Uiewer in : iel>_ computer has 15 minutes.](https://pic1.xuehuaimg.com/proxy/csdn/https://img-blog.csdn.net/20180129175720382?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvcXdlcnR5dXBvaXV5dHI=/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
查看DNS上面的記錄已經更新:
![i Dan2012R2DC.danieI.com Global Logs Forward Lookup Zones msdcs.daniel.com daniel.com msdcs sites udp DomainDnsZone: ForestDnsZones test.com Reverse Lookup Zones Trust Points Conditional Forwarders msdcs sites udp DomainDnsZones ForestDnsZones (same as parent folder) (same as parent folder) (same as parent folder) (same as parent folder) (same as parent folder) a (same as parent folder) DAN08R2 dan2012r2dc DanADClient2012 google Type Start of Authority (SOA) Name Server (NS) Name Server (NS) Host (A) Host (A) Host (A) Hcst (A) Host (A) Host (A) Host (A) Host (A) [74], dan2012r2dc.danieI.c... danadcIient2012.danieI.co... dan2012r2dc.danieI.com. 172.16.0.10 172.16.o.g 172.16.0.11 172.16.0.17 172.16.0.11 172.16.o.g 8.8.8.8 111.111.111.111 Timestamp static static static 1/26/2018 Y•DDDOAM 1/26/2018 100000 AM 1/22/2018 AM static](https://pic1.xuehuaimg.com/proxy/csdn/https://img-blog.csdn.net/20180129175745396?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvcXdlcnR5dXBvaXV5dHI=/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
在實際操作過程中,客戶環境中遇到一個問題,加入域的一臺機器,在修改了機器的內網IP後,機器的DNS並沒有在DNS服務器上更新成功。通過在兩個DC上抓包可以看到,DNS記錄的同步順序是,客戶端首先會與自己的首選DNS服務器同步,通過UDP的53端口進行通信,如果UDP的53不通,會使用TCP的53端口通信,然後首選DNS服務器所在的DC會利用LDAP協議與其他DC同步記錄。
根據上面的判斷,檢查了虛擬機防火牆規則以及網絡中的安全規則,發現53端口並沒有被屏蔽,所以排除網絡原因。
進一步對比抓包看到正常更新主機DNS記錄的交互過程如下:
更新請求會經過2次申請,第一次DNS服務器會Refuse掉,然後客戶端會發送一個Query請求,進行認證:
![2041 2042 2043 2066 2072 2093 Time Date Local Adjus.. 2018/1/25 2018/1/25 2018/1/25 25 2018/1/25 2018/1/25 Sour ce dan2012r2dc. daniel com DAN08R2. daniel.com dan2012r2dc.daniel.com DANOSR2. daniel com dan20 12r2dc.daniel.com DANOSR2. daniel com dan2012r2dc. daniel com DAN08R2. daniel com dan2012r2dc.daniel.com Destnaton DAN08R2. daniel com dan2012r2dc.daniel.com DAN08R2. daniel.com dan2012r2dc.daniel.com DANOSR 2.daniel.com dan2012r2dc.daniel.com DAN08R2. daniel.com dan2012r2dc.daniel.com DAN08R2. daniel.com Protu... DNS DNS DNS DNS Description DNS:Query1d = OxA401, QUERY (Standard query), Resguynse - Success DNS:Query1d DNS:Query1d = ox81DD, DNS: uer Id = oxac38 DNS:Querv1d = oxac38 DNS:Query1d = ox5823, DNS:Query1d = ox5823, DNS:Query1d = oxc31g, DNS:Query1d = oxc31g, = ox81DD , Update, Query for daniel.com of type SOA on classlnternet Update, Response - Reüed, 172.16.0.15 LIERY Standard uer uer for 12-ms-7.1-14+1.5633aoc5-01a4-11e8-sga5-0017fa0104.. , QUERY (Standard Query), Resoonse -Success, Update, Query for daniel.com of type SOA on class Internet Update, Response - Success, 172.16.0.15 QUERY (Standard query), Query for isatap.reddo@.microsoft.com of type Host Addr on class In... QUERY (Standard query), Response - Name Error Frame Details Frame : Number NetEvent : 2070, Captured Frame Length 619, MediaType = Ne "Event + Packet Fragment (SIS (Ox206) bytes) g„Ethernet: Ety-pe = Internet IP (IPv4) , DestinationAddress: , SourceAddress: [00-17-FA-oo-AB-1B] Ipv4: Src 172.16. 0.11, Dest T cp : [Bad Checksum] Flags= Dnsc-.erTcp: ICPLength = 462 172.16. O. 15, Next Protocol = TCP, Packet ID = 2103, Total IP Length sog srcPort=DNS (53), DstPort=S4163, PayloadLen=464, sea-=781129036 781129500, Ack=2304276033, Win=S13 (scal Queryld = OxBC3S, QUERY (Standard query), Response Queryldentifier: 48184 (OxBC38) Success, Flags : Response, Opcode — QUERY (Standard query), Rcode : I (Oxl) „AnswerCount : I (Oxl) Success „NameServerCount : Addi t ionalCount : •Record : 12—ms—7 AR e cord: 12—ms—7 Addi t i onaIRecord : o (OXO) 1 (Oxl) 1-14a91.S633aocs-01a4-11e8-S9as-0017fa0104e3 of type TREY on class 1-14a91.S633aocs-01a4-11e8-S9as-0017fa0104e3 of type IKE Y on class 12-ms-7 . 1-14a91.S633aocs-01a4-11e8-S9as-0017fa0104e3 of type ISIG Inte rne t on class Any](https://pic1.xuehuaimg.com/proxy/csdn/https://img-blog.csdn.net/20180129175841534?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvcXdlcnR5dXBvaXV5dHI=/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
認證完成後,會帶着認證得到的Record再次進行更新。
而客戶環境中的過程是:
可以看到兩次都失敗了。
在客戶端上面查看Windows System Events中,找到下面的報錯信息:
|
系統無法爲具有以下設置的網絡適配器 註冊主機(A 或 AAAA)資源記錄(RR):
適配器名稱 : {FD2F5820-3CFB-4043-8E0C-71D01CE1988E} 主機名 : CNCSAPVDI445 主域後綴 : shiseido.cn DNS 服務器列表 : 10.26.66.14, 10.26.72.4 向服務器發送更新 : <?> IP 地址 : 10.26.72.237
系統不能註冊這些 RR 的原因是因爲聯繫的 DNS 服務器拒絕了更新請求。導致此問題的可能原因有 (a) 你沒有被允許更新指定的 DNS 域名,或 (b) 對此名稱有權限的 DNS 服務器不支持 DNS 動態更新協議。
若要使用此適配器的特定 DNS 域名和 IP 地址註冊 DNS 主機(A 或 AAAA)資源記錄,請與你的 DNS 服務器或網絡系統管理員聯繫。 |
進一步查看客戶的DNS服務器的記錄的Security中有一個未知用戶(Account Uknown):
查看客戶端這臺機器,發現這臺機器的本地管理員被Disable了。對比正常的環境發現,這條記錄其實是需要客戶端本地管理員的Full control權限的,而這裏之所以顯示未知賬戶,是因爲本地管理員Disable之後,加入域的時候識別不到這個用戶了。因爲缺少了這個權限,導致更新的時候被DNS服務器refuse掉。
手動添加客戶端機器的本地管理員用戶的權限後,再次手動同步後問題解決。