Posts Tagged ‘DNS’

Per the information here : , in a pentest you might fail this check unless you do the following:

  • Disabling LLMNR:
    • Open the Group Policy Editor in your version of Windows
    • Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client
    • Under DNS Client, make sure that “Turn OFF Multicast Name Resolution” is set to Enabled
  • NetBIOS over TCP/IP disabled:
    • DHCP option “001 Microsoft Disable Netbios Option” configured for all scopes with a value of 0x2
    • NetbiosOptions value changed to 2 in the registry for all interfaces with a PS script
    • LLMNR disabled using GPO
    • Secure only dynamic updates configured for all DNS zones
  • WPAD
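The registry side of the LLMNR and NetBIOS items above, as an added example (not a script from the original post): it writes the same values the GPO and the "PS script" bullet refer to and then reports the state of each interface so a drift can be spotted before the next assessment. The registry paths are the standard Windows locations for these settings; the WPAD item is left to GPO/DHCP and is not touched here.

```powershell
# Added example (not from the original post): apply the LLMNR and NetBIOS-over-TCP/IP
# hardening from the list above via the registry, then report the resulting state.
# Run in an elevated PowerShell session; a reboot is still needed for the NetBT change.

# 1. LLMNR: the "Turn OFF Multicast Name Resolution" policy writes EnableMulticast = 0 here.
#    The policy key does not exist until a policy has been applied, so create it if absent.
$dnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $dnsClientPolicy)) { New-Item -Path $dnsClientPolicy -Force | Out-Null }
Set-ItemProperty -Path $dnsClientPolicy -Name 'EnableMulticast' -Value 0 -Type DWord

# 2. NetBIOS over TCP/IP: NetbiosOptions = 2 ("Disable NetBIOS over TCP/IP") on every
#    Tcpip_* interface subkey, which is what the DHCP option 0x2 would otherwise set.
$netbtInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $netbtInterfaces |
    Where-Object { $_.PSChildName -like 'Tcpip_*' } |
    ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
    }

# 3. Verify: any row whose Value differs from Expected is a finding to chase.
$llmnr = (Get-ItemProperty -Path $dnsClientPolicy -Name 'EnableMulticast').EnableMulticast
[pscustomobject]@{ Setting = 'LLMNR EnableMulticast'; Value = $llmnr; Expected = 0 }

Get-ChildItem -Path $netbtInterfaces |
    Where-Object { $_.PSChildName -like 'Tcpip_*' } |
    ForEach-Object {
        [pscustomobject]@{
            Setting  = "NetbiosOptions on $($_.PSChildName)"
            Value    = (Get-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions').NetbiosOptions
            Expected = 2
        }
    }
```

The verification step is the part worth keeping in a scheduled job: a new NIC or VPN adapter gets its own Tcpip_* subkey with the default NetbiosOptions, so a one-off run does not stay true.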

Upon restoring a domain controller to a new or isolated network, for example a DR environment, the domain controller loses access to its other domain controllers for replication. You may find that you cannot start the DNS Server and/or Active Directory services.

To force the server to start without checking for the other domain controllers, add the registry value below and reboot the server.

Add the following registry value:

Value name: Repl Perform Initial Synchronizations
Value type: REG_DWORD
Value data: 0

You should then go into Active Directory Sites and Services and remove the old domain controllers, and also go into the DNS server and remove any references to them in the Name Servers tab for the zones.
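The same change and the follow-up cleanup in PowerShell, as an added example (not from the original post). The post does not spell out the key path; the value lives under the standard NTDS Parameters key given below. The cleanup part only lists the NS records of the AD-integrated zones for review, it does not delete anything, and it assumes the DnsServer module is present on the DC.

```powershell
# Added example (not from the original post): set "Repl Perform Initial Synchronizations" = 0
# on a restored/isolated DC so NTDS and DNS start without waiting for absent partners.
# Run elevated on the DC itself. Intended for a DR/isolated copy, not a production DC.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'   # standard NTDS key
$valueName  = 'Repl Perform Initial Synchronizations'

# Record the current state so the change can be reverted once the environment is rebuilt.
$current = (Get-ItemProperty -Path $ntdsParams -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { 'Value not present (default: wait for initial synchronization)' }
else                    { "Current value: $current" }

# Value data 0 (REG_DWORD) skips the initial synchronization check at service start.
Set-ItemProperty -Path $ntdsParams -Name $valueName -Value 0 -Type DWord
"New value: $((Get-ItemProperty -Path $ntdsParams -Name $valueName).$valueName)"

# Restart-Computer   # uncomment when ready; the change takes effect on the next boot

# After the reboot: list the NS records of every AD-integrated zone so stale name servers
# (the DCs that no longer exist in this network) can be removed alongside the Sites and
# Services cleanup. -Node restricts output to the zone apex records.
Import-Module DnsServer -ErrorAction Stop
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated } |
    ForEach-Object {
        $zone = $_.ZoneName
        Get-DnsServerResourceRecord -ZoneName $zone -RRType NS -Node |
            ForEach-Object {
                [pscustomobject]@{ Zone = $zone; NameServer = $_.RecordData.NameServer }
            }
    }
```

Keep the recorded current value: once the DR network has its full set of DCs again the value should be removed (or set back) so a DC does not advertise stale data after a future outage.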




A new 2012 domain controller was rebooted after being promoted; however, on restart the DNS Server would not start, with the following error:

 The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

Multiple sites online recommend a registry change to skip the initial replication; however, this was production.

Check the Directory Service event log:

This directory server has not completed a full synchronization of the following directory partition. This directory server will not available to clients until this task is completed.

Note: how big is your Sysvol + Netlogon + ntds.dit? This will affect replication time!

The following command shows the replication status:

repadmin /showrepl


In the end, waiting for replication won; it took 6 hours!
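A way to wait it out on a production DC without guessing, as an added example (not from the original post): poll the DNS Server service and the replication partner metadata every two minutes, matching the cadence of the event quoted above, and print the failing links if any. It assumes the ActiveDirectory module (RSAT) is available on the DC; repadmin ships with AD DS. The eight-hour ceiling is a constructed default based on the six hours the post reports.

```powershell
# Added example (not from the original post): poll initial synchronization on a freshly
# promoted DC instead of applying the skip-initial-sync registry change on a production box.
Import-Module ActiveDirectory -ErrorAction Stop

$intervalSeconds = 120      # the DNS event above is logged every two minutes
$maxWaitHours    = 8        # constructed ceiling; the post's sync took 6 hours
$deadline        = (Get-Date).AddHours($maxWaitHours)

while ((Get-Date) -lt $deadline) {
    # DNS Server only starts once AD DS signals that initial sync is complete, so the
    # service state is the simplest "done" signal.
    $dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
    if ($dns -and $dns.Status -eq 'Running') {
        "$(Get-Date -Format s): DNS Server service is running; initial synchronization completed."
        break
    }

    # Per-partner, per-partition metadata; a non-zero LastReplicationResult is a failure code.
    $partners = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -PartnerType Both -ErrorAction SilentlyContinue
    $failing  = @($partners | Where-Object { $_.LastReplicationResult -ne 0 })

    "$(Get-Date -Format s): DNS not running yet; $(@($partners).Count) partner links, $($failing.Count) failing."
    if ($failing.Count -gt 0) {
        $failing |
            Select-Object Partner, Partition, LastReplicationResult, LastReplicationAttempt, ConsecutiveReplicationFailures |
            Format-Table -AutoSize
    }

    # Same view the post used, trimmed to the lines that matter, for cross-checking.
    repadmin /showrepl $env:COMPUTERNAME | Select-String -Pattern 'consecutive failure|Last attempt'

    Start-Sleep -Seconds $intervalSeconds
}

if ((Get-Date) -ge $deadline) {
    "Gave up after $maxWaitHours hours; check Sysvol/ntds.dit size and the Directory Service log before forcing anything."
}
```

A link that keeps showing the same non-zero result across several polls is worth investigating (name resolution to the partner, as the DNS event itself suggests) rather than waiting further; a link that merely has not been attempted yet is normal early in the sync.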


Recently I had a colleague call me: after a mainboard swap, the DNS server was not working.

  1. Could ping the server from a remote device
  2. nslookup from the device would come back with (Request Timed Out)
  3. I could nslookup localhost on the SBS server
  • Restarted the DNS Server service and enabled logging; could see items
  • DNS Server was listening on the correct IP interfaces


Found out that during the mainboard swap-out, the subnet mask of had been set instead.

What does this do? It allows a single device on the subnet, which means the server can't route to the default gateway.

If you did want to do this, it should be set to ( two items on the subnet ) for and .2


To get Autodiscover working on a certificate that does not have any extra SANs available apart from its main Common Name (CN), you will need to either use an autodiscover.xml file hosted on the company's main website or create an SRV record with the registrar.

The registrar was Melbourne IT, who for some reason don't have valid DNS validation, so records get stuck “Publishing”. After trial and error I finally got the records needed and beat their own helpdesk to the fix by 2 weeks.

  • Name : ( remember the dot on the end )
  • TTL : can be left at their default of 86400 but should be 3600
  • Priority : 0
  • Port : 443
  • Weight : 0
  • Service : _autodiscover
  • Protocol : _tcp
  • Target : ( domain name on the CN of the certificate ) ( remember the dot on the end )
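Because this registrar leaves records stuck “Publishing”, it pays to confirm from the outside that the SRV record above is actually live and carries the expected fields. The check below is an added example (not from the original post) using Resolve-DnsName; `example.com` and `mail.example.com` are constructed placeholders for the e-mail domain and the certificate's CN host, not the post's domain.

```powershell
# Added example (not from the original post): verify the Autodiscover SRV record has been
# published with the values listed above, then confirm the target answers on 443.

$domain       = 'example.com'        # placeholder: the e-mail domain users type
$expectedHost = 'mail.example.com'   # placeholder: the host name on the certificate's CN
$expectedTtl  = 3600                 # the post's recommended TTL (registrar default is 86400)

$srvName = "_autodiscover._tcp.$domain"

# -DnsOnly bypasses the local cache/hosts file so we see what the resolver really returns.
$records = Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }

if (-not $records) {
    throw "No SRV record found for $srvName; it may still be 'Publishing' at the registrar."
}

foreach ($r in $records) {
    # Outlook only follows the record if the target hosts the Autodiscover endpoint over HTTPS,
    # so port 443 and a target matching the certificate CN are the fields that matter.
    $matches = ($r.NameTarget -eq $expectedHost) -and ($r.Port -eq 443) -and
               ($r.Priority -eq 0) -and ($r.Weight -eq 0)
    [pscustomobject]@{
        Name        = $r.Name
        Target      = $r.NameTarget
        Port        = $r.Port
        Priority    = $r.Priority
        Weight      = $r.Weight
        TTL         = $r.TTL
        MatchesPost = $matches
        TtlAsAdvised = ($r.TTL -le $expectedTtl)
    }
}

# A wrong target (or a host that does not listen on 443) shows up here rather than as a
# vague Outlook profile error later.
Test-NetConnection -ComputerName $expectedHost -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Run it from a machine outside the corporate network as well: an internal resolver with a split-horizon zone can make the record look published when the public zone still has not caught up.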
