Phantom DHCP servers

I recently came across this issue when working with the DHCP servers on the domain at work. Instead of 41 DHCP servers, one for each remote location, the DHCP administration snap-in was showing we had 93! That’s just a few too many.

In order to clean up the DHCP server list, I first opened Active Directory Sites & Services. You have to click View and then Show services node in order to see the available AD services. Then, I expanded Services and clicked on NetServices to see what DHCP servers (dHCPClass records) were listed. I removed all of the invalid records (but not the DhcpRoot record) and then checked the DHCP admin utility. All of the invalid servers were still listed.

The next step was to use ADSI Edit to edit the DhcpRoot record found in the NetServices container. Using ADSI Edit, I browsed to the CN=NetServices,CN=Services,CN=Configuration,DC=Domain,DC=Domain container (substitute your own domain name for the DC= components), right-clicked on DhcpRoot and chose Properties. I found another list of invalid DHCP servers when I opened the dhcpServers property of the DhcpRoot record. Once I deleted the invalid servers there, the DHCP admin utility only listed the valid DHCP servers.
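Before deleting anything in Sites & Services or ADSI Edit it helps to have a written reconciliation of what AD holds against the servers you actually operate. The script below is an added example, not part of the original post: it takes an LDIF export of the NetServices container (as `ldapsearch` from a Linux admin host would produce; the command is shown in a comment with placeholder credentials and DN) and prints every server name that appears either as a per-server dHCPClass object or inside DhcpRoot's dhcpServers attribute but is missing from your authorized list. The DN, host names, addresses and the layout of the dhcpServers values are constructed sample data that resemble what ADSI Edit shows; adjust the `sed` pattern to match your own DhcpRoot values.

```shell
#!/bin/sh
# Added example (not from the original post): list DHCP server entries that
# AD holds under CN=NetServices but that are not in our own inventory.
# All DNs, host names and addresses below are constructed sample data.
#
# A real export, from a Linux host with OpenLDAP's ldapsearch (credentials
# and base DN are placeholders):
#   ldapsearch -LLL -x -H ldap://dc01.example.com -D 'EXAMPLE\admin' -W \
#     -b 'CN=NetServices,CN=Services,CN=Configuration,DC=example,DC=com' \
#     '(objectClass=dHCPClass)' cn dhcpServers > netservices.ldif
# The sample is unfolded LDIF (no continuation lines).

SAMPLE_LDIF="$(cat <<'EOF'
dn: CN=DhcpRoot,CN=NetServices,CN=Services,CN=Configuration,DC=example,DC=com
cn: DhcpRoot
dhcpServers: i10.0.1.5$rcn=dhcp01.example.com$f0x00000000$sdhcp01.example.com$
dhcpServers: i10.0.2.5$rcn=dhcp02.example.com$f0x00000000$sdhcp02.example.com$
dhcpServers: i10.0.9.5$rcn=olddhcp.example.com$f0x00000000$solddhcp.example.com$

dn: CN=dhcp01.example.com,CN=NetServices,CN=Services,CN=Configuration,DC=example,DC=com
cn: dhcp01.example.com

dn: CN=dhcp02.example.com,CN=NetServices,CN=Services,CN=Configuration,DC=example,DC=com
cn: dhcp02.example.com

dn: CN=olddhcp.example.com,CN=NetServices,CN=Services,CN=Configuration,DC=example,DC=com
cn: olddhcp.example.com
EOF
)"

# The servers we actually run (in practice: your inventory, one name per line).
AUTHORIZED="dhcp01.example.com
dhcp02.example.com"

# cn of every per-server dHCPClass object (everything except DhcpRoot itself).
server_objects() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "cn" && $2 != "DhcpRoot" { print $2 }'
}

# Server names embedded in DhcpRoot's dhcpServers values; the sample uses the
# "...$rcn=<name>$..." layout, so we pull out the text between "$rcn=" and "$".
root_list_entries() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "dhcpServers" { print $2 }' \
        | sed -n 's/.*\$rcn=\([^$]*\)\$.*/\1/p'
}

# Names present anywhere in AD but absent from AUTHORIZED: the phantoms.
phantoms() {
    { server_objects "$1"; root_list_entries "$1"; } | sort -u | while read -r name; do
        printf '%s\n' "$AUTHORIZED" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Usage: review this output, then remove only these entries in Sites &
# Services (dHCPClass objects) and in DhcpRoot's dhcpServers (ADSI Edit).
phantoms "$SAMPLE_LDIF"
```

Running it against the constructed sample prints `olddhcp.example.com`, which appears both as its own object and inside DhcpRoot, so it would have to be removed in both places, exactly as the post describes.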

It was odd that the list was wrong to begin with. Any time a DHCP server is taken offline it is unauthorized first. Only one or two of the invalid servers were servers that had been replaced due to a server crash that resulted in reloading Windows Server 2003. I may need to set up a DHCP server, authorize it on the domain and then decommission it to see if AD is removing them properly. I hope it was just a minor glitch carried over from when the domain controllers were Windows 2000 based.

Patience is something you admire in the driver behind you and scorn in the one ahead. – Mac McCleary

23.Nov.09 Active Directory, DHCP, Networking, Server 2003, Windows Comments (0)

Ubuntu home LAN server: Samba DC

Since I posted my configs for the DHCP and DNS servers, here is my Samba domain controller config:

smb.conf

I used an article from HowToForge as the main information resource to set it up. The section about mapping Windows domain groups to Unix groups was easy to understand.

One thing that really differs in my set up and the article is that I don’t have to manually add computer accounts to the server hosts file. Computer accounts are automatically set up when I join a PC to the domain. Also, the Domain Admins group is mapped to the ntadmins Unix group instead of the root group.

The set up is working well so far. When I log on to the domain from my XP laptop, I get the U: drive mapping to the user home directory on the server. The domain groups had to be added to the laptop groups (e.g. Domain Admins in the Local Admins group) manually in order to have the right permissions. I did test it a few times to verify that the Domain Admins group has full control of the system and the Domain Users group has limited control of the system. So far, so good.

Roaming profiles are not being used because they are the bane of networks. I’ve hated them on medium and large networks. I always vowed to never use them, no matter how small the network.

As with the previous configs, if you notice anything that could be improved, let me know in the comments. I’m constantly tweaking the file (improvements mostly) and will upload the latest when necessary.

Before it’s asked: No, I did not compile Samba from source. I used apt-get and installed from the Ubuntu repository. Don’t give me any crap about it either Hawk! :-p

There are no facts, only interpretations. – Friedrich Nietzsche

26.Jan.08 Linux Comments (3)

Ubuntu home LAN server: Dynamic DNS & DHCP

Ok, I know I said in the last post that I was going to post these configs “later”. Well, it’s now 12 days later so I think it’s time to post them. Without further ado:

If you’re wondering “Why the hell didn’t he just put everything into a single named.conf file?”, I have a good reason. It’s Ubuntu’s fault! The BIND installation split the configs and I just stuck with that! Sure, I could just combine it all but I just went with the flow. :)

To help understand what some of the IP settings in the configs mean, here is my network setup:

I know it’s not “perfect” but it’s still being tweaked. See something I’m missing? Let me know in the comments! :)

I wish I would have gotten this posted sooner. Unfortunately, work has really picked up since the Chri….Winter Break. Things won’t be getting any better in February. That’s when my big project starts up. That project involves implementing the Cisco NAC in several schools. I can’t wait to get started on it because it will be a lot of fun learning how to operate it.

The urge to save humanity is almost always only a false-face for the urge to rule it. – H.L. Mencken

19.Jan.08 Linux, Networking Comments (3)

The Ubuntu domain controller lives!

This is just a quick update, more will be written later. I was able to get the Ubuntu 7.10 server set up as my home domain controller. Here is the current set up:

It took a couple of days to make Samba work right. I used pieces of several How-To’s in order to get the configuration correct. Some of the guides said to enable the root login but I didn’t do that. I either would just use sudo to run the commands or I’d run sudo -s to switch to the root login. I’ll post all of the server service configs later in case they could help anyone else.

I know, I shouldn’t run all those services on a single box. I wouldn’t except for the fact that this is for a home LAN and not a corporate environment.

It behooves a father to be blameless if he expects his child to be. – Homer

07.Jan.08 Linux, Networking Comments (3)

The Ubuntu home server

So far, the installation of the Linux (Ubuntu) server is progressing very slowly. The first thing I did, after the initial install, was set up the DHCP and DNS servers. The DHCP server was to be set up to add DNS records whenever a client received an IP address. The clients would not be allowed to update DNS records.

I’ve installed both services before but this time I wanted to set it up as if it were in an enterprise environment. It took many Google searches and about three hours of time to make it work properly. Why did it take me that long? I wanted to implement some security on BIND. No reason to get sloppy just because it’s a home system. :)

The instructions found here are what I used to install and run BIND chrooted. Running BIND in a chroot jail prevents the BIND process from accessing files outside of its own directory. That limits the damage from a compromise of the DNS server to the BIND installation itself, which is all that would need to be fixed.

Next, I set up the dynamic DNS updates to use TSIG. This will help to prevent unauthenticated DNS updates. Bind9.net has a BIND 9 manual that is full of useful information. I followed the instructions for creating and implementing TSIG keys here to create a 256 bit TSIG key. The key was used in both the named.conf.local (BIND9 config) and the dhcpd.conf (DHCP3 config) files. The name of the key is used in the allow-update directives for the forward and reverse zones.
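The post describes the setup but not the config fragments themselves, so here is an added example (mine, not the author's configs) that generates a 256-bit TSIG secret and writes the two fragments that share it: the `key` block plus `allow-update` on the forward and reverse zones for named.conf.local, and the matching `key` and `zone` statements for dhcpd.conf. Assumptions: the key name `dhcp-update-key`, the zone names `home.lan` and `1.168.192.in-addr.arpa`, the zone file paths, HMAC-SHA256 as the algorithm (BIND 9 and ISC DHCP 4.x; the DHCP3 of the post's era only spoke HMAC-MD5), and an output directory passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): create a 256-bit TSIG secret and
# write matching BIND 9 (named.conf.local) and ISC DHCP (dhcpd.conf) fragments.
# Key name, zone names, file paths and the algorithm are assumptions.

KEY_NAME="dhcp-update-key"
OUT_DIR="${1:-./tsig-example}"

# 32 random bytes = 256 bits, base64-encoded as both daemons expect.
make_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# A 256-bit secret base64-encodes to exactly 44 characters and must decode.
secret_is_256_bit() {
    [ "${#1}" -eq 44 ] && printf '%s' "$1" | base64 -d > /dev/null 2>&1
}

# named.conf.local fragment: the key, and zones that accept updates only when
# they are signed with that key (the "allow-update" directive from the post).
write_named_fragment() {
    secret="$1"; out="$2"
    cat > "$out" <<EOF
key "$KEY_NAME" {
    algorithm hmac-sha256;
    secret "$secret";
};

zone "home.lan" {
    type master;
    file "/etc/bind/db.home.lan";
    allow-update { key "$KEY_NAME"; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.1";
    allow-update { key "$KEY_NAME"; };
};
EOF
}

# dhcpd.conf fragment: the same key, dhcpd updating DNS itself and ignoring
# client-supplied updates (clients are not allowed to touch the zones).
write_dhcpd_fragment() {
    secret="$1"; out="$2"
    cat > "$out" <<EOF
ddns-update-style interim;
ddns-updates on;
ignore client-updates;

key "$KEY_NAME" {
    algorithm hmac-sha256;
    secret "$secret";
}

zone home.lan. {
    primary 127.0.0.1;
    key "$KEY_NAME";
}

zone 1.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key "$KEY_NAME";
}
EOF
}

# Generate one secret, write both fragments with it, and keep them unreadable
# by other users: whoever can read the secret can rewrite the zones.
generate_tsig_configs() {
    mkdir -p "$OUT_DIR"
    secret="$(make_tsig_secret)"
    secret_is_256_bit "$secret" || { echo "unexpected key length" >&2; return 1; }
    write_named_fragment "$secret" "$OUT_DIR/named.conf.local.fragment"
    write_dhcpd_fragment "$secret" "$OUT_DIR/dhcpd.conf.fragment"
    chmod 640 "$OUT_DIR"/*.fragment
    printf '%s\n' "$OUT_DIR"
}

generate_tsig_configs
```

The fragments are meant to be included into the real config files rather than used as-is; on Debian-derived systems the usual places are `/etc/bind/named.conf.local` and `/etc/dhcp3/dhcpd.conf` (or `/etc/dhcp/dhcpd.conf` on newer releases). The only thing the two sides must agree on is the key name, algorithm and secret, which is why both are written from the same variables.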

Dynamic DNS updates are now working properly. The forward and reverse zones are being populated with the host information every time a new client connects. The next service I’m going to set up is Samba. Hopefully it won’t take as long as the DHCP/DNS set up did.

Happy new year! :)

Be always at war with your vices, at peace with your neighbors, and let each new year find you a better man. – Benjamin Franklin

01.Jan.08 Linux Comment (1)