Tuesday, December 27, 2016

Fixing dns record permissions for dynamic dns

If you have DNS records that need to change from static to dynamic, or the machine or cluster that updates them has changed, you can modify the DNS record permissions to allow the updates. Doing this through the GUI is fine for a few records, but if you need something simpler and automated, you can try this script. It takes both the computer name (it doesn't have to match the DNS record, it just needs to be a computer object) and the DNS record (FQDN) that you are updating. This script works for AD-integrated DNS only, and is limited to the current domain and likely any forest-wide partitions. If you check my article on managing other domains in PowerShell, you can probably get edits to other domains working with a few modifications and extra parameters.



param (
  [Parameter(Mandatory = $true)] [string] $computername,
  [Parameter(Mandatory = $true)] [string] $dnsrecord
)

# sAMAccountName of the computer object (machine accounts end in "$")
$script:computernameSam = $computername + "$"

# Import-Module only raises a terminating error (and so reaches the catch) with
# -ErrorAction Stop. DnsServer is needed for Get-DnsServerZone, which queries the
# local DNS server, so run this on a DC/DNS server (or add -ComputerName there).
try {
  Import-Module ActiveDirectory -ErrorAction Stop
  Import-Module DnsServer -ErrorAction Stop
} catch {
  Write-Error "This script requires the ActiveDirectory and DnsServer PowerShell modules"
  exit 1
}

# The AD: drive is created asynchronously when the module loads; wait for it,
# but not forever.
$waited = 0
while (-not (Test-Path -Path AD:) -and $waited -lt 60) {
  Start-Sleep -Seconds 2
  $waited += 2
}
if (-not (Test-Path -Path AD:)) {
  Write-Error "The AD: drive did not become available"
  exit 1
}

# Standard ACL for a dynamic dns entry (as Get-Acl shows it on the dnsNode object)
#   ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete,
#                           GenericWrite, WriteDacl, WriteOwner
#   InheritanceType       : None
#   ObjectType            : 00000000-0000-0000-0000-000000000000
#   InheritedObjectType   : 00000000-0000-0000-0000-000000000000
#   ObjectFlags           : None
#   AccessControlType     : Allow
#   IdentityReference     : Domain\machine$
#   IsInherited           : False
#   InheritanceFlags      : None
#   PropagationFlags      : None

function get-partition {
  param ( [string] $record )
  # Strip labels from the left one at a time and ask the DNS server about each
  # candidate; the first hit is the longest (most specific) zone match.
  $dnsrecordparts = $record.Split(".")

  for ($i = 1; $i -lt $dnsrecordparts.Length; $i++) {
    $zonenameTest = $dnsrecordparts[$i..($dnsrecordparts.Length - 1)] -join "."
    $zoneObj = Get-DnsServerZone -Name $zonenameTest -ErrorAction SilentlyContinue
    if ($null -ne $zoneObj) {
      Write-Output -InputObject $zoneObj
      break   # stop at the first (longest) match
    }
  }
}

function get-dnsobject {
  param ( [string] $record )
  $zoneObject = get-partition -record $record
  if ($null -ne $zoneObject) {
    $zonename = $zoneObject.ZoneName
    # -match returns a boolean, so it is wrapped in "if": left bare it would be
    # emitted as output and pollute the function's return value. The zone name
    # is escaped because its dots are otherwise regex wildcards.
    if ($record -match "^(.*)\.$([regex]::Escape($zonename))$") {
      # dnsNode objects sit directly under the zone object as DC=<relative name>
      $dnsRecordDN = "DC=" + $matches[1] + "," + $zoneObject.DistinguishedName
      try {
        Get-ADObject -Identity $dnsRecordDN -ErrorAction Stop
      } catch { throw "Unable to find dns record for this machine" }
    } else { throw "Record $record is not inside zone $zonename" }
  } else { throw "DNS zone not found" }
}

try {
  try {
    # empty GUID = no object type, which yields ObjectFlags None as in the ACL above
    $guid = [guid]'00000000-0000-0000-0000-000000000000'
    $adcomputer = Get-ADComputer -Identity $computername -Properties objectSid -ErrorAction Stop
    $sid = $adcomputer.objectSid
    $ctrl = [System.Security.AccessControl.AccessControlType]::Allow
    # 983423 = 0xF017F: every ActiveDirectoryRights bit except ListObject; .NET
    # displays that combination as the rights listed in the comment block above
    $rights = [System.DirectoryServices.ActiveDirectoryRights]983423
    # this constructor overload defaults to InheritanceType None
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $ctrl, $guid)
  } catch { throw "Unable to get computer account SID" }

  try {
    # find the record
    $dnsDN = get-dnsobject -record $dnsrecord
  } catch { throw $_ }

  try {
    $aclPath = "AD:\$($dnsDN.DistinguishedName)"
    $acl = Get-Acl -Path $aclPath
    # the machine account must also own the record for secure dynamic updates;
    # the SID is used here so no name lookup of the unqualified account is needed
    $acl.SetOwner($sid)
    $acl.AddAccessRule($rule)
    Set-Acl -AclObject $acl -Path $aclPath
  } catch { throw $_ }

} catch { Write-Error $_ }
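Before and after running the script it is useful to see who can actually write a record, rather than trusting that the ACE landed. The following check is an added example and is not part of the original post: it reads the dnsNode's ACL, reports whether the given computer account owns the record and holds the dynamic-update rights the script grants, and lists any other explicit Allow ACEs with write rights (for instance a stale ACE left by a previous host). It assumes the ActiveDirectory module, and takes the record's DN as a parameter (the DN format and the "host01" computer name are constructed examples).

```powershell
# Added example, not from the original post: audit the ACL of a DNS record object.
# Assumes the ActiveDirectory module (AD: drive) is available and $RecordDN is a
# dnsNode DN such as
# "DC=host01,DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com" (constructed).
function Get-AceSid {
  param ($Ace)
  # ACEs come back with NTAccount identities where the name resolves and raw
  # SIDs where it does not (orphaned entries); normalise both to a SID.
  try {
    return $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
  } catch {
    return $null
  }
}

function Test-DnsRecordDynamicAce {
  param (
    [Parameter(Mandatory = $true)] [string] $RecordDN,
    [Parameter(Mandatory = $true)] [string] $ComputerName
  )
  Import-Module ActiveDirectory -ErrorAction Stop

  # the rights the post's script grants: 983423 = 0xF017F
  $expectedRights = [System.DirectoryServices.ActiveDirectoryRights]983423
  # rights that let a principal change or remove the record; anything else
  # holding these explicitly deserves a look
  $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, Delete, DeleteChild'

  $sid = (Get-ADComputer -Identity $ComputerName -ErrorAction Stop).objectSid
  $acl = Get-Acl -Path "AD:\$RecordDN"
  $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])

  $machineHasAce = $false
  $otherWriters = @()
  foreach ($ace in $acl.Access) {
    if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
    $aceSid = Get-AceSid $ace
    if ($aceSid -eq $sid) {
      # all expected bits present (the ACE may carry more, e.g. GenericAll)
      if (($ace.ActiveDirectoryRights -band $expectedRights) -eq $expectedRights) {
        $machineHasAce = $true
      }
    } elseif (($ace.ActiveDirectoryRights -band $writeMask) -ne 0) {
      $otherWriters += [pscustomobject]@{
        Identity = $ace.IdentityReference.Value
        Rights   = $ace.ActiveDirectoryRights
      }
    }
  }

  [pscustomobject]@{
    RecordDN       = $RecordDN
    Owner          = $acl.Owner
    OwnerIsMachine = ($ownerSid -eq $sid)
    MachineHasAce  = $machineHasAce
    OtherWriters   = $otherWriters
  }
}

# usage (constructed names):
# Test-DnsRecordDynamicAce -ComputerName 'host01' `
#   -RecordDN 'DC=host01,DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com'
```

OwnerIsMachine and MachineHasAce should both be True after the script has run; an OtherWriters list that is not empty usually means an earlier host's ACE was never cleaned up when the record changed hands.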

Wednesday, December 21, 2016

DNS - limited forwarding delegated subdomain (in AD integrated zone)

If you need to create subdomains off an existing AD integrated zone that forward externally, you may run into the problem that not all AD DNS servers can reach the external servers. To limit which domain controllers do the forwarding, while still letting every DC know how to resolve the records, you can combine a delegated subdomain with (non-AD integrated) conditional forwarders.

Example:

-Organization has the AD integrated zone contoso.com on all AD domain controllers.
-Organization is outsourcing DNS for the subdomain hosting.contoso.com to external domain name servers.
-Only 2 out of 50 domain controllers can reach external DNS for name resolution. All others do general forwarding to these 2 domain controllers.

Problem:
1) If we create a delegation in contoso.com directly to the external DNS servers, recursion is not available on the DCs that cannot reach them, and name resolution fails.
2) If we create an AD integrated conditional forwarder for the subdomain, all servers will try to forward to external DNS, most will be unable to reach it, and those queries fail.

Solution:
-Create a subdomain delegation in contoso.com using only the name servers of the 2 internal domain controllers that can forward DNS queries to the external servers.
-Create non-AD integrated conditional forwarders for hosting.contoso.com on these same 2 servers, pointing at the DNS server IPs of the external provider.
-On the external provider, set up a DNS zone for hosting.contoso.com.
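The first two steps, scripted with the DnsServer cmdlets, plus the checks that confirm the forwarder stayed local and that a non-forwarding DC resolves through the delegation. This is an added example, not part of the original post; every name and address in it is constructed (dc01/dc02 as the two DCs with outbound access, dc03 as one of the others, 203.0.113.10/.11 standing in for the external provider's servers). The third step happens at the external provider and is not scripted here.

```powershell
# Added example, not from the original post. Names and addresses are constructed.
$ParentZone      = 'contoso.com'                 # AD integrated zone on all DCs
$ChildLabel      = 'hosting'
$ChildZone       = "$ChildLabel.$ParentZone"      # hosting.contoso.com
$ForwardingDCs   = [ordered]@{                    # the 2 DCs that can reach external DNS
  'dc01.contoso.com' = '10.0.0.11'
  'dc02.contoso.com' = '10.0.0.12'
}
$ExternalServers = @('203.0.113.10', '203.0.113.11')   # external provider (constructed)
$AnyDC           = 'dc01.contoso.com'             # where the AD integrated zone is edited

# 1) Delegation in the AD integrated parent zone, naming only the two forwarding
#    DCs. The zone replicates, so every DC learns to send hosting.contoso.com
#    queries to dc01/dc02 instead of to servers it cannot reach.
$first = $true
foreach ($ns in $ForwardingDCs.Keys) {
  if ($first) {
    Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel `
      -NameServer $ns -IPAddress $ForwardingDCs[$ns] -ComputerName $AnyDC
    $first = $false
  } else {
    # additional NS records for the same delegation
    Add-DnsServerResourceRecord -ZoneName $ParentZone -Name $ChildLabel -NS `
      -NameServer $ns -ComputerName $AnyDC
  }
}

# 2) Non-AD integrated conditional forwarder on those two DCs only. Omitting
#    -ReplicationScope keeps the forwarder local to each server, so it never
#    replicates to the DCs that cannot talk to the outside.
foreach ($dc in $ForwardingDCs.Keys) {
  Add-DnsServerConditionalForwarderZone -Name $ChildZone `
    -MasterServers $ExternalServers -ComputerName $dc
}

# Checks: the forwarder must exist only as a local, non-DS-integrated zone on
# the two DCs, and a query against a non-forwarding DC must still resolve.
foreach ($dc in $ForwardingDCs.Keys) {
  $z = Get-DnsServerZone -Name $ChildZone -ComputerName $dc
  if ($z.ZoneType -ne 'Forwarder' -or $z.IsDsIntegrated) {
    Write-Warning "${dc}: $ChildZone is not a local conditional forwarder"
  }
}
Get-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel -ComputerName $AnyDC
Resolve-DnsName -Name "www.$ChildZone" -Type A -Server 'dc03.contoso.com'
```

If Resolve-DnsName against dc03 fails while the same query against dc01 succeeds, the delegation has not replicated yet or dc03 is not using the delegation (for example because a stale AD integrated conditional forwarder for the same name still exists and takes precedence).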

Wednesday, December 14, 2016

Learn typing on arabic keyboards

When trying to find a decent place to learn how to type Arabic, I found a lot of sad-looking websites that either didn't have what the search results suggested, or only offered a few phrases to practice on. Most are oriented more as online keyboards for you to type on and paste from. Since most operating systems provide alternate keyboards and easy switching between them, anyone who seriously needs to type Arabic would benefit from an alternative. So I thought I would put together something simple, with lessons that follow a touch-typing style of learning. You can try it here: Arabic typing - free online course.

Tuesday, December 6, 2016

SCCM windows update deployment failure 0x80240438

This Windows Update problem was caused by a web troubleshooting tool that left a system-wide proxy behind. The netsh winhttp settings pointed at a local proxy that caused no issues in the user context, but in the system context it broke outbound web connections. The SCCM logs only showed the error code and little useful information beyond that; WindowsUpdate.log contained a clear message about the attempted use (and failure) of a proxy.

wuauhandler.log

<![LOG[OnSearchComplete - Failed to end search job. Error = 0x80240438.]LOG]!><time=".." date=".." component="WUAHandler" context="" type="3" thread="2744" file="cwuahandler.cpp:3223">
<![LOG[Scan failed with error = 0x80240438.]LOG]!><time=".." date=".." component="WUAHandler" context="" type="3" thread="2744" file="cwuahandler.cpp:3679">

updateshandler.log

<![LOG[Updates scan completion received, result = 0x80240438.]LOG]!><time=".." date=".." component="UpdatesHandler" context="" type="1" thread="9884" file="capplicabilityhandler.cpp:100">


updatesdeployment.log

<![LOG[Job error (0x80240438) received for assignment ({guid}) action]LOG]!><time=".." date=".." component="UpdatesDeploymentAgent" context="" type="3" thread="7056" file="updatesassignment.cpp:2235">


scanagent.log

<![LOG[ScanJob({guid}): CScanJobManager::OnScanComplete- failed at CScanJob::OnScanComplete with error=0x80240438]LOG]!><time=".." date=".." component="ScanAgent" context="" type="3" thread="11024" file="utils.cpp:537">


ciagent.log

<![LOG[Failed result received from applicability handler, error = 0x80240438]LOG]!><time=".." date=".." component="CIAgent" context="" type="3" thread="7056" file="capplicabilitybroker.cpp:79">


WindowsUpdate.log

yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: Web service call failed with hr = 80240438.
yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: Current service auth scheme='None'.
yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: Proxy List used: '127.0.0.1:8888', Bypass List used: '(null)', Last Proxy used: '127.0.0.1:8888', Last auth Schemes used: 'None'.
yyyy-mm-dd hh:mm:ss 1068 30a4 WS FATAL: OnCallFailure failed with hr=0X80240438
yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: NWS retry 1 for transient error 0x80240438
yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: Nws Failure: errorCode=0x803d0010
yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: There was an error communicating with the endpoint at 'http://deploymentserver:8530/ClientWebService/client.asmx'.
yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: The given proxy cannot be reached.

------------------------------------------
netsh winhttp>show proxy

Current WinHTTP proxy settings:
Proxy Server(s) : 127.0.0.1:8888
Bypass List : (none)
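The log lines above give a reliable signature for this failure: the "Proxy List used" / "Last Proxy used" warning names a loopback address, followed by "The given proxy cannot be reached". The following is an added example, not from the original post: it extracts the proxy Windows Update tried from WindowsUpdate.log text (the sample lines are constructed from the output above), flags loopback proxies, and compares that with the live system-context WinHTTP setting so the stale entry can be cleared with netsh winhttp reset proxy. On Windows 10 / Server 2016 the text log is produced by Get-WindowsUpdateLog; on older systems the file is read directly.

```powershell
# Added example, not from the original post.
function Get-WuProxyFindings {
  param ([string[]] $LogLines)
  # the WS WARNING line written when a web service call goes through a proxy
  $pattern = "Proxy List used: '(?<list>[^']*)'.*Last Proxy used: '(?<last>[^']*)'"
  foreach ($line in $LogLines) {
    if ($line -match $pattern) {
      $proxy = $matches['last']
      [pscustomobject]@{
        Proxy      = $proxy
        ProxyList  = $matches['list']
        IsLoopback = [bool]($proxy -match '^(127\.\d+\.\d+\.\d+|localhost|\[::1\]|::1)(:\d+)?$')
        Line       = $line
      }
    }
  }
}

function Get-WinHttpProxy {
  # the system-context proxy, i.e. what "netsh winhttp show proxy" prints;
  # returns $null for direct access
  $out = netsh winhttp show proxy
  if (($out -join "`n") -match 'Direct access') { return $null }
  foreach ($l in $out) {
    if ($l -match 'Proxy Server\(s\)\s*:\s*(.+)$') { return $matches[1].Trim() }
  }
  return $null
}

# constructed sample, taken from the WindowsUpdate.log excerpt in the post
$sample = @(
  "yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: Web service call failed with hr = 80240438.",
  "yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: Proxy List used: '127.0.0.1:8888', Bypass List used: '(null)', Last Proxy used: '127.0.0.1:8888', Last auth Schemes used: 'None'.",
  "yyyy-mm-dd hh:mm:ss 1068 30a4 WS WARNING: The given proxy cannot be reached."
)

# to check a real machine instead of the sample:
#   Get-WindowsUpdateLog -LogPath "$env:TEMP\WindowsUpdate.log"   # Windows 10 / Server 2016
#   $lines = Get-Content "$env:TEMP\WindowsUpdate.log"            # or C:\Windows\WindowsUpdate.log on older OS
$findings = Get-WuProxyFindings -LogLines $sample
foreach ($f in $findings | Where-Object IsLoopback) {
  Write-Warning "Windows Update tried a loopback proxy: $($f.Proxy)"
}

$live = Get-WinHttpProxy
if ($live) {
  Write-Warning "WinHTTP (system context) proxy is '$live'. If no proxy is intended for this host, clear it with: netsh winhttp reset proxy"
}
```

The user-context proxy (Internet Options) and the WinHTTP proxy are separate settings, which is why browsing worked while the Windows Update agent, running as SYSTEM, did not; a clean result from Get-WinHttpProxy on a machine that still logs the loopback proxy means the tool that set it is being re-run between checks.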