环境搭建:
准备至少3台机器,一台主DC & DNS,一台从DC & DNS,一台作为测试的客户端。
首先搭建主DC(主DC和从DC我们都用Server 2012来搭建,2008也OK,只要Forest和Domain的功能级别选对应的就行):
先在Server Manager中选择Add Roles and Features,安装ActiveDirectory Domain Services和DNS Server(弹出的选项都保持默认即可):
后面的选项保持默认即可。
安装完成后,在上面通知的地方找到安装成功的通知,在上面会有一个“Promote this server to a domain controller”:
对于主DC我们选择下面的选项创建一个新的Forest:
接着我们选择Forest和Domain的功能级别,如果希望2008的系统也可以加入域的话,就可以把级别调低一些:
![ive Directory Domain Services Configuration Wiza Domain Controller Options Deployment Configuration Domain Contrcller Opticrs DNS Options Additional Options Paths Review Options Prerequisites Check Select functional level of the new forest and root domain Forest functional level: Domain functional level: Windows Server 2008 Windows Server 2008 Specify domain controller capabilities Q] Domain Name System (DNS) server Q] Global Catalog (GC) Read only domain controller (RCDC) Type the Directory Services Restore Mode (DSRM) password Confi rm pass'vord: More about domain controller options TARGET SERVER Dan2012Test Cancel](https://img-blog.csdn.net/20180129175544716?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvcXdlcnR5dXBvaXV5dHI=/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
后面的选项都保持默认就可以了,最后点击Install:
搭建好主DC后,我们再搭建一台从DC,从DC也是要安装ADDS和DNS服务(与主DC的过程完全相同),完成后,在“Promotethis server to a domain controller”的过程中有一点不一样,我们选择“Add a domain controller to an existing domain”:
在Domain这填上“daniel.com”,也就是我们前面创建的Forest下的domain。点击Select后需要我们使用域管理员认证。完成后点击下一步,后面的步骤保持默认选项完成即可。
做完之后,我们在DNS的域名上面选择右键菜单中的属性:
确认一下Dynamic updates选项选择的是“Secure only”:
然后我们找第三台机器,将第三台机器加入域中,然后查看主DNS和从DNS上面的记录,可以看到DNS记录自动加到DNS记录中:
![Dan2012R2DC.danieI.com Global Logs Forward Lookup Zones msdcs.daniel.com daniel.com msdcs sites udp DomainDnsZone: ForestDnsZones test.com Reverse Lookup Zones Trust Points Conditional Forwarders sites udp DomainDnsZones ForestDnsZones (same as parent folder) (same as parent folder) (same as parent folder) (same as parent folder) (same as parent folder) a (same as parent folder) DAN08R2 dan2012r2dc DanADClient2012 google Start of Authority (SOA) Name Server (NS) Name Server (NS) Host (A) Host (A) Host (A) Hcst (A) Host (A) Host (A) Host (A) Host (A) [64], dan2012r2dc.danieI.c... dan2012r2dc.danieI.com. danadcIient2012.danieI.co... 172.16.0.10 172.16.o.g 172.16.0.11 172.16.0.15 172.16.0.1 172.16.o.g 8.8.8.8 111.111.111.111 Timestamp static static 1/26/2018 AM 1/26/2018 AM 1/23/201 8 AM static](https://img-blog.csdn.net/20180129175707230?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvcXdlcnR5dXBvaXV5dHI=/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
接着修改第三台机器的内网IP,然后使用ipconfig /registerdns手动注册一下DNS记录:
![Administrator: Command Prompt Microsoft Windows [Uersion 6 ] Copyright (c) 2009 Microsoft Corporation . / registerdns indows IP Conf iguration All rights reserved. egistration OF the DNS resource records For all adapters OF this en initiated. Any errors will be reported in the Event Uiewer in : iel>_ computer has 15 minutes.](https://img-blog.csdn.net/20180129175720382?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvcXdlcnR5dXBvaXV5dHI=/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
查看DNS上面的记录已经更新:
![i Dan2012R2DC.danieI.com Global Logs Forward Lookup Zones msdcs.daniel.com daniel.com msdcs sites udp DomainDnsZone: ForestDnsZones test.com Reverse Lookup Zones Trust Points Conditional Forwarders msdcs sites udp DomainDnsZones ForestDnsZones (same as parent folder) (same as parent folder) (same as parent folder) (same as parent folder) (same as parent folder) a (same as parent folder) DAN08R2 dan2012r2dc DanADClient2012 google Type Start of Authority (SOA) Name Server (NS) Name Server (NS) Host (A) Host (A) Host (A) Hcst (A) Host (A) Host (A) Host (A) Host (A) [74], dan2012r2dc.danieI.c... danadcIient2012.danieI.co... dan2012r2dc.danieI.com. 172.16.0.10 172.16.o.g 172.16.0.11 172.16.0.17 172.16.0.11 172.16.o.g 8.8.8.8 111.111.111.111 Timestamp static static static 1/26/2018 Y•DDDOAM 1/26/2018 100000 AM 1/22/2018 AM static](https://img-blog.csdn.net/20180129175745396?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvcXdlcnR5dXBvaXV5dHI=/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
在实际操作过程中,客户环境中遇到一个问题,加入域的一台机器,在修改了机器的内网IP后,机器的DNS并没有在DNS服务器上更新成功。通过在两个DC上抓包可以看到,DNS记录的同步顺序是,客户端首先会与自己的首选DNS服务器同步,通过UDP的53端口进行通信,如果UDP的53不通,会使用TCP的53端口通信,然后首选DNS服务器所在的DC会利用LDAP协议与其他DC同步记录。
根据上面的判断,检查了虚拟机防火墙规则以及网络中的安全规则,发现53端口并没有被屏蔽,所以排除网络原因。
进一步对比抓包看到正常更新主机DNS记录的交互过程如下:
更新请求会经过2次申请,第一次DNS服务器会Refuse掉,然后客户端会发送一个Query请求,进行认证:
![2041 2042 2043 2066 2072 2093 Time Date Local Adjus.. 2018/1/25 2018/1/25 2018/1/25 25 2018/1/25 2018/1/25 Sour ce dan2012r2dc. daniel com DAN08R2. daniel.com dan2012r2dc.daniel.com DANOSR2. daniel com dan20 12r2dc.daniel.com DANOSR2. daniel com dan2012r2dc. daniel com DAN08R2. daniel com dan2012r2dc.daniel.com Destnaton DAN08R2. daniel com dan2012r2dc.daniel.com DAN08R2. daniel.com dan2012r2dc.daniel.com DANOSR 2.daniel.com dan2012r2dc.daniel.com DAN08R2. daniel.com dan2012r2dc.daniel.com DAN08R2. daniel.com Protu... DNS DNS DNS DNS Description DNS:Query1d = OxA401, QUERY (Standard query), Resguynse - Success DNS:Query1d DNS:Query1d = ox81DD, DNS: uer Id = oxac38 DNS:Querv1d = oxac38 DNS:Query1d = ox5823, DNS:Query1d = ox5823, DNS:Query1d = oxc31g, DNS:Query1d = oxc31g, = ox81DD , Update, Query for daniel.com of type SOA on classlnternet Update, Response - Reüed, 172.16.0.15 LIERY Standard uer uer for 12-ms-7.1-14+1.5633aoc5-01a4-11e8-sga5-0017fa0104.. , QUERY (Standard Query), Resoonse -Success, Update, Query for daniel.com of type SOA on class Internet Update, Response - Success, 172.16.0.15 QUERY (Standard query), Query for isatap.reddo@.microsoft.com of type Host Addr on class In... QUERY (Standard query), Response - Name Error Frame Details Frame : Number NetEvent : 2070, Captured Frame Length 619, MediaType = Ne "Event + Packet Fragment (SIS (Ox206) bytes) g„Ethernet: Ety-pe = Internet IP (IPv4) , DestinationAddress: , SourceAddress: [00-17-FA-oo-AB-1B] Ipv4: Src 172.16. 0.11, Dest T cp : [Bad Checksum] Flags= Dnsc-.erTcp: ICPLength = 462 172.16. O. 15, Next Protocol = TCP, Packet ID = 2103, Total IP Length sog srcPort=DNS (53), DstPort=S4163, PayloadLen=464, sea-=781129036 781129500, Ack=2304276033, Win=S13 (scal Queryld = OxBC3S, QUERY (Standard query), Response Queryldentifier: 48184 (OxBC38) Success, Flags : Response, Opcode — QUERY (Standard query), Rcode : I (Oxl) „AnswerCount : I (Oxl) Success „NameServerCount : Addi t ionalCount : •Record : 12—ms—7 AR e cord: 12—ms—7 Addi t i onaIRecord : o (OXO) 1 (Oxl) 1-14a91.S633aocs-01a4-11e8-S9as-0017fa0104e3 of type TREY on class 1-14a91.S633aocs-01a4-11e8-S9as-0017fa0104e3 of type IKE Y on class 12-ms-7 . 1-14a91.S633aocs-01a4-11e8-S9as-0017fa0104e3 of type ISIG Inte rne t on class Any](https://img-blog.csdn.net/20180129175841534?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvcXdlcnR5dXBvaXV5dHI=/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
认证完成后,会带着认证得到的Record再次进行更新。
而客户环境中的过程是:
可以看到两次都失败了。
在客户端上面查看Windows System Events中,找到下面的报错信息:
| 系统无法为具有以下设置的网络适配器 注册主机(A 或 AAAA)资源记录(RR):
适配器名称 : {FD2F5820-3CFB-4043-8E0C-71D01CE1988E} 主机名 : CNCSAPVDI445 主域后缀 : shiseido.cn DNS 服务器列表 : 10.26.66.14, 10.26.72.4 向服务器发送更新 : <?> IP 地址 : 10.26.72.237
系统不能注册这些 RR 的原因是因为联系的 DNS 服务器拒绝了更新请求。导致此问题的可能原因有 (a) 你没有被允许更新指定的 DNS 域名,或 (b) 对此名称有权限的 DNS 服务器不支持 DNS 动态更新协议。
若要使用此适配器的特定 DNS 域名和 IP 地址注册 DNS 主机(A 或 AAAA)资源记录,请与你的 DNS 服务器或网络系统管理员联系。 |
进一步查看客户的DNS服务器的记录的Security中有一个未知用户(Account Uknown):
查看客户端这台机器,发现这台机器的本地管理员被Disable了。对比正常的环境发现,这条记录其实是需要客户端本地管理员的Full control权限的,而这里之所以显示未知账户,是因为本地管理员Disable之后,加入域的时候识别不到这个用户了。因为缺少了这个权限,导致更新的时候被DNS服务器refuse掉。
手动添加客户端机器的本地管理员用户的权限后,再次手动同步后问题解决。