Monday, October 10, 2016

No Sysvol and netlogon folders on new domain controller

Fix for missing Sysvol and Netlogon folders on a new domain controller:

Open regedit and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Change the SysvolReady value from 0 to 1.

After a reboot you will see an empty sysvol folder. Recover the policies from backup or fix DFSR replication.

Then change the SysvolReady value from 1 back to 0.

Reboot, and after the reboot change the SysvolReady value from 0 to 1 again.

After the next reboot the Sysvol and Netlogon folders are present and shared.
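As an added example (not part of the original post), the following PowerShell reads the same SysvolReady flag, confirms whether the SYSVOL and NETLOGON shares are actually published, and wraps the flag change in a function with -WhatIf support so each step of the sequence above can be previewed before the reboot. It assumes an elevated session on the DC; the event IDs in the last function are the standard DFSR SYSVOL initialization events.

```powershell
# Added example, not from the original post. Run elevated on the domain controller.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-SysvolReadyState {
    # Reports the SysvolReady flag, the configured SYSVOL path and whether the
    # two shares the Netlogon service should publish currently exist.
    $params = Get-ItemProperty -Path $NetlogonParams -ErrorAction SilentlyContinue
    $shares = Get-SmbShare -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' }
    [pscustomobject]@{
        SysvolReady    = $params.SysvolReady
        SysvolPath     = $params.SysVol
        SysvolShared   = [bool]($shares | Where-Object Name -eq 'SYSVOL')
        NetlogonShared = [bool]($shares | Where-Object Name -eq 'NETLOGON')
    }
}

function Set-SysvolReady {
    # Sets SysvolReady to 0 or 1. Supports -WhatIf / -Confirm, so the change
    # can be previewed; the reboot between steps is still done by the operator.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value
    )
    if ($PSCmdlet.ShouldProcess("$NetlogonParams\SysvolReady", "Set to $Value")) {
        Set-ItemProperty -Path $NetlogonParams -Name SysvolReady -Value $Value -Type DWord
    }
}

function Get-SysvolReplicationEvents {
    # Recent DFSR events that show whether SYSVOL replication initialized:
    # 4602/4604 = SYSVOL initialized, 4614 = waiting for initial sync from a partner.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4602, 4604, 4614 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Typical use, following the sequence in the post (reboot after each change):
Get-SysvolReadyState
# Set-SysvolReady -Value 1   # reboot; restore policies from backup or repair DFSR
# Set-SysvolReady -Value 0   # reboot
# Set-SysvolReady -Value 1   # reboot; Get-SysvolReadyState should now show both shares
# Get-SysvolReplicationEvents
```

Check Get-SysvolReadyState after the final reboot: the flag alone says nothing about whether Netlogon actually created the shares, which is what the DFSR events and the share listing confirm.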

Thursday, October 6, 2016

RODC AD in DMZ ports

Ports to be open on the firewall between the RODC in the perimeter network and the writable Domain Controller in the LAN:
Port                 Type of traffic
TCP 57344            DRSUAPI, LsaRpc, NetLogonR
TCP Static 53248     FrsRpc
TCP 135              EPM
TCP 389              LDAP
TCP 3268             GC, LDAP
TCP 445              DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
TCP 53               DNS
TCP 88               Kerberos
UDP 123              NTP
UDP 389              C-LDAP
UDP 53               DNS
TCP and UDP 464      Kerberos Change/Set Password

Ports to be open on any host or network firewall between a member server in the perimeter network and the RODC in the perimeter network:
Port                 Type of traffic
TCP 135              EPM
TCP 389              LDAP
TCP 445              DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
TCP 88               Kerberos
TCP Dynamic          DNS, DRSUAPI, NetLogonR, SamR
UDP 389              C-LDAP
UDP 53               DNS

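As an added example (not part of the original post), this PowerShell turns the two tables above into a table-driven connectivity check with Test-NetConnection, run once from the RODC towards the writable DC and once from a perimeter member server towards the RODC. Hostnames are placeholders. Test-NetConnection only probes TCP, so the UDP rows (53, 123, 389, 464) need a DNS, NTP or Kerberos query against the host or a packet capture on the firewall; the "TCP Dynamic" row is the RPC ephemeral range and cannot be checked with a fixed port list.

```powershell
# Added example, not from the original post. Hostnames are placeholders.
$WritableDc = 'dc01.corp.example'    # placeholder: writable DC in the LAN
$Rodc       = 'rodc01.dmz.example'   # placeholder: RODC in the perimeter network

# First table: RODC -> writable DC. 53248 and 57344 are the static RPC ports
# the table assumes for FrsRpc and for DRSUAPI/LsaRpc/NetLogonR.
$RodcToDcTcp = @(
    @{ Port = 53;    Service = 'DNS' },
    @{ Port = 88;    Service = 'Kerberos' },
    @{ Port = 135;   Service = 'EPM' },
    @{ Port = 389;   Service = 'LDAP' },
    @{ Port = 445;   Service = 'DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc' },
    @{ Port = 464;   Service = 'Kerberos Change/Set Password' },
    @{ Port = 3268;  Service = 'GC, LDAP' },
    @{ Port = 53248; Service = 'FrsRpc (static)' },
    @{ Port = 57344; Service = 'DRSUAPI, LsaRpc, NetLogonR (static)' }
)

# Second table: member server -> RODC (fixed TCP ports only).
$MemberToRodcTcp = @(
    @{ Port = 88;  Service = 'Kerberos' },
    @{ Port = 135; Service = 'EPM' },
    @{ Port = 389; Service = 'LDAP' },
    @{ Port = 445; Service = 'DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc' }
)

function Test-DcPorts {
    # Probes each TCP port and returns one row per port, so closed ports
    # can be compared directly against the firewall rule set.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][hashtable[]]$Ports
    )
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target  = $ComputerName
            Port    = $p.Port
            Service = $p.Service
            Open    = $r.TcpTestSucceeded
        }
    }
}

# Run on the RODC:
Test-DcPorts -ComputerName $WritableDc -Ports $RodcToDcTcp | Format-Table -AutoSize
# Run on a member server in the perimeter network:
# Test-DcPorts -ComputerName $Rodc -Ports $MemberToRodcTcp | Format-Table -AutoSize
```

Any row with Open = False that the firewall should permit points at a missing rule; any row with Open = True that is not in the tables is worth reviewing, since the tables are the intended minimum between the DMZ and the LAN.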

Source


Windows DNS Command Line

Query DNS forest-wide partition replica 
dsquery * "DC=ForestDNSZones,DC=forestRootDomain"

Add a CNAME record to DNS 
dnscmd %server% /recordadd %zone% %AliasName% CNAME %HostnameAliasing%

Query zone resource records on a Microsoft DNS server
wmic /namespace:\\root\microsoftdns /node:%server% path MicrosoftDNS_ResourceRecord WHERE ContainerName='%zone_name%'

nslookup with debug information 
nslookup -debug %IP%

DSQuery authorised DHCP Servers
dsquery * "cn=NetServices,cn=Services,cn=Configuration,DC=forestRootDomain" -attr dhcpServers

Enumerate all records from a DNS zone
dnscmd %server% /enumrecords %zone% @ /additional /continue > DNS_all.txt

Lookup SRV records from DNS
nslookup -type=srv _ldap._tcp.dc._msdcs.{domainRoot}

DNS Information
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dnscmd %i /info

DNS Zone Detailed information
dnscmd /zoneinfo %userdnsdomain%

DNS Zones in AD
for /f %i in ('dsquery server -o rdn') do dsquery * domainroot -s %i -filter "(objectCategory=dnsZone)"

Enumerate DNS Server Zones
for /f %i in ('dsquery server -o rdn') do dnscmd %i /enumzones

Print DNS Zones 
dnscmd DNSServer /zoneprint DNSZone

Add a host record in DNS
dnscmd %dnsserver% /recordadd %zone% %relative_name% A %ip%

Find aging records from an enumerated zone
find /i "aging:" DNS_all.txt > DNS_aging.txt

DNS Scavenging check, based on the output of aging records from dnscmd.exe
cscript DNSScavengeTest.wsf /f:DNS_aging.txt

Query DNS objects from the directory
dsquery * "DC=%zone%,CN=MicrosoftDNS,CN=System,DC=%domain%"

Start DNS scavenging 
dnscmd /startscavenging

Delete a host record from DNS
dnscmd %server% /recorddelete %zone% @ A %IP%

Determine the DNS suffix search list set through policy for a computer
reg query "\\%Computer%\HKEY_LOCAL_MACHINE\software\policies\microsoft\Windows NT\DNSClient" /v SearchList

Query for the zones hosted on a Microsoft DNS server 
wmic /namespace:\\root\microsoftdns /node:%server% path MicrosoftDNS_Zone

Find DNS Forwarder information from dnscmd output
for %b in (DNS*.txt) do @for /f "skip=2 delims=[]" %i in ('"find /i /N "Forwarders:" %b"') do @for /f "skip=2 delims=[]" %m in ('"find /i /N "Command completed successfully." %b"') do @for /f %p in ('set /a %m-%i') do echo tail -%p %b

List primary reverse lookup zones from a DNS server
dnscmd %server% /EnumZones /Primary /Reverse

List allowed secondary servers for the specified zone
dnscmd %server% /zoneinfo %ip%.in-addr.arpa SecondaryServers
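The aging check above depends on a DNSScavengeTest.wsf script that is not on this page. As an added example (not part of the original post), the following PowerShell does the same job directly on the output of dnscmd /enumrecords: it parses the [Aging:N] stamps, converts them to timestamps (dnscmd prints the aging value as hours since 1601-01-01 UTC) and flags records older than a threshold. The sample output embedded below is constructed, not real server output.

```powershell
# Added example, not from the original post. Sample lines are constructed.
$SampleEnumOutput = @'
Returned records:
@ [Aging:3644400] 600 A 10.0.0.10
                  3600 NS  dc01.corp.example.
host1 [Aging:3644200] 1200 A 10.0.0.11
host2 [Aging:3640000] 1200 A 10.0.0.12
static1 3600 A 10.0.0.13
Command completed successfully.
'@

function ConvertFrom-DnsAging {
    # dnscmd aging values are hours elapsed since 1601-01-01 00:00 UTC.
    param([Parameter(Mandatory)][int64]$Hours)
    $epoch = [datetime]::SpecifyKind([datetime]'1601-01-01', 'Utc')
    $epoch.AddHours($Hours)
}

function Get-AgingRecords {
    # Parses "name [Aging:N] ttl type data" lines; static records (no aging
    # stamp) and continuation lines without a name are skipped.
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$StaleAfterDays = 14,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $pattern = '^(?<name>\S+)\s+\[Aging:(?<hours>\d+)\]\s+(?<ttl>\d+)\s+(?<type>\S+)\s+(?<data>.*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $stamp = ConvertFrom-DnsAging -Hours ([int64]$Matches.hours)
            $age   = ($Now - $stamp).TotalDays
            [pscustomobject]@{
                Name      = $Matches.name
                Type      = $Matches.type
                Data      = $Matches.data.Trim()
                Timestamp = $stamp
                AgeDays   = [math]::Round($age, 1)
                Stale     = $age -gt $StaleAfterDays
            }
        }
    }
}

# Against the constructed sample, evaluated as of 2016-10-10 UTC:
$asOf = [datetime]::SpecifyKind([datetime]'2016-10-10', 'Utc')
Get-AgingRecords -Lines ($SampleEnumOutput -split "`r?`n") -Now $asOf | Format-Table -AutoSize

# Against a real export produced by
#   dnscmd %server% /enumrecords %zone% @ /continue > DNS_all.txt
# Get-AgingRecords -Lines (Get-Content .\DNS_all.txt) | Where-Object Stale | Format-Table -AutoSize
```

Compare the stale list against the zone's no-refresh plus refresh interval (dnscmd /zoneinfo) before starting scavenging: a record that looks stale here but belongs to a host that is still alive usually means the host is not registering dynamically, and scavenging will delete it.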

Source