List DNS zones in an NTDS.DIT file: is it possible?

Hi guys,
Is it possible, after mounting an Active Directory database (NTDS.DIT file), to list the DNS zones that existed on that domain controller as Active Directory-integrated zones?
I have successfully mounted the AD database using
dsamain.exe -dbpath "C:\path\to\ntds.dit" -ldapport 5532 -allownonadminaccess -allowupgrade
and now I can see it in the dsa.msc console. But since the DNS folder on that drive didn't have the DNS zone files, I assume these are embedded in the database, as they were AD-integrated.
Thanks in advance for any information.

Simply use ldp.exe and then you can go under:
CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=COM
CN=MicrosoftDNS,DC=ForestDnsZones,DC=Domain,DC=COM
This is an example of an article about how you can use ldp.exe: https://ramazancan.wordpress.com/2009/12/11/dsamain-%E2%80%93-active-directory-database-mounting-tool/
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
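The ldp.exe browsing described in the answer can be scripted. The following is an added example, not code from the original thread: it binds to the ntds.dit that the question mounted with dsamain on port 5532 and enumerates the dnsZone objects under the three CN=MicrosoftDNS containers, counting the dnsNode objects (records) in each. The server name, port and the DC=Domain,DC=COM naming context are assumptions to replace with your own.

```powershell
# Added example (not from the original post): list AD-integrated DNS zones from an
# ntds.dit mounted with dsamain on localhost:5532 (as in the question above).
# Assumptions: dsamain was started with -allowNonAdminAccess and the domain's
# naming context is DC=Domain,DC=COM (constructed placeholder; adjust for your domain).
param(
    [string]$LdapServer = 'localhost',
    [int]$LdapPort      = 5532,
    [string]$DomainDn   = 'DC=Domain,DC=COM'
)
Add-Type -AssemblyName System.DirectoryServices

# AD-integrated zones are stored under CN=MicrosoftDNS in one of three partitions,
# depending on the zone's replication scope. A mounted ntds.dit only contains the
# partitions that DC actually hosted, so some containers may be absent.
$containers = @(
    "CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn",   # domain-wide replication scope
    "CN=MicrosoftDNS,DC=ForestDnsZones,$DomainDn",   # forest-wide replication scope
    "CN=MicrosoftDNS,CN=System,$DomainDn"            # legacy (domain partition) scope
)

foreach ($container in $containers) {
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$LdapServer`:$LdapPort/$container")
    # Touching NativeObject forces the bind; it throws if the container is not present.
    try { $null = $root.NativeObject } catch { Write-Verbose "Not present: $container"; continue }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = '(objectClass=dnsZone)'
    $searcher.SearchScope = 'OneLevel'
    $searcher.PageSize    = 1000
    $null = $searcher.PropertiesToLoad.Add('name')
    $null = $searcher.PropertiesToLoad.Add('whenChanged')

    foreach ($zone in $searcher.FindAll()) {
        # Each record set in the zone is a dnsNode child object; count them per zone.
        $nodeSearch = New-Object System.DirectoryServices.DirectorySearcher($zone.GetDirectoryEntry())
        $nodeSearch.Filter      = '(objectClass=dnsNode)'
        $nodeSearch.SearchScope = 'OneLevel'
        $nodeSearch.PageSize    = 1000

        [pscustomobject]@{
            Zone        = $zone.Properties['name'][0]
            Partition   = ($container -split ',', 2)[1]
            RecordNodes = $nodeSearch.FindAll().Count
            WhenChanged = $zone.Properties['whenChanged'][0]
        }
    }
}
```

Run it in the same session in which dsamain is still listening; the zone list it returns is the set of AD-integrated zones that DC held at the time of the backup.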

Similar Messages

  • Restore Active Directory on Server 2008 using NTDS.DIT file

    hello
I have an NTDS.DIT file with me and want to restore it on the same hardware with the same host name and IP.
    Please help

    Hi Rochak,
You have only the NTDS.DIT file?
No, it's not possible to restore AD using only NTDS.DIT. You need to have the System State backup.
System State backup and restore operations include all System State data: you cannot choose to back up or restore individual components due to dependencies among the System State components. However, you can restore System State data to an alternate location, in which only the registry files, Sysvol directory files, and system boot files are restored. The Active Directory database, Certificate Services database, and Component Services Class Registration database are not restored to the alternate location.
    http://technet.microsoft.com/en-us/library/cc938537.aspx
    Regards,
    Rafic
    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

  • Mounting and Unmounting NTDS.dit file

    Hi,
I am creating a PowerShell script that will make it possible to mount the NTDS.dit file from the backup and compare the backup AD with the current AD. If you are interested I can share the unfinished script. The problem is that I want to mount the NTDS.dit file in a scripted manner. When you mount the file manually using:
dsamain -dbpath "<path_to_the_NTDS.dit_file>" -ldapPort 10389
the process starts normally, but to end it the user needs to press "Ctrl+C", and once the process is running the script will not continue. I want to stop it after a certain amount of time. I tried different ways of starting the command as a different process
(e.g.
cls
$w1 = @()
$w2 = @()
# record the PowerShell process IDs that exist before the mount
Get-Process -Name powershell -ErrorAction SilentlyContinue | ForEach-Object { $w1 += $_.Id }
Start-Process powershell.exe -ArgumentList '-nologo -noprofile -executionpolicy bypass -command "dsamain -dbpath \"<path_to_the_NTDS.dit_file>\" -ldapport 33389"'
Start-Sleep -Seconds 10
# the ID that appears only in the second list belongs to the new dsamain host process
Get-Process -Name powershell | ForEach-Object { $w2 += $_.Id }
$e = Compare-Object -ReferenceObject $w1 -DifferenceObject $w2
$y = @()
foreach ($r in $e) { if ($r.SideIndicator -eq '=>') { $y += $r.InputObject } }
Start-Sleep -Seconds 600
Stop-Process -Id $y
and
Start-Process "Powershell.exe" -WindowStyle Hidden -ArgumentList "
  Start-Job -Name 'Mounting the NTDS.dit' -ScriptBlock {
    Do {
        # --- This will mount the ntds.dit file from the backup ---
        dsamain -dbpath $NTDS_File -ldapPort $LDAP_PortNumber
    } Until (`$False)
  }; Start-Sleep -s $time_ntds"
But both commands don't always work. I was browsing other solutions and came across the main article on dsamain:
Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide
and a little bit from the top of the "Steps for using the Active Directory database mounting tool" there is a line that says:
"..You can stop Dsamain by pressing CTRL+C in the Command Prompt window or, if you are running the command remotely, by setting the
stopservice attribute on the rootDSE object. "
Can anyone tell me how to use stopservice, e.g. give example scripts or an equivalent?
Or if anyone has any other ideas how to accomplish the task I would be more than happy to hear them out and try.

Solved it by using this command:
$time_ntds = 10
$time_ntds = $time_ntds*60
Start-Process "Powershell.exe" -WindowStyle Hidden -ArgumentList "
  Start-Job -Name 'Mounting the NTDS.dit' -ScriptBlock {
    Do {
        # --- This will mount the ntds.dit file from the backup ---
        dsamain -dbpath $NTDS_File -ldapPort $LDAP_PortNumber
    } Until (`$False)
  }; Start-Sleep -s $time_ntds"
start-sleep -Seconds 35
    Atis Smits
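An alternative to the nested powershell.exe/Start-Job approach in this thread, added here as an example and not the poster's script: start dsamain directly with Start-Process -PassThru so the script holds the process handle, wait until the LDAP port actually answers before doing any work, and stop that exact process when the time window expires. The ntds.dit path, port and timeout are constructed placeholders.

```powershell
# Added example (not the poster's script): mount an ntds.dit with dsamain in the
# background, wait for the LDAP listener, keep it up for a fixed window, then stop
# it cleanly without Ctrl+C. Path, port and timeout are constructed placeholders.
param(
    [string]$NtdsPath = 'C:\Backup\NTDS\ntds.dit',
    [int]$LdapPort    = 10389,
    [int]$TimeoutMin  = 10
)

# Launch dsamain as its own process and keep the handle, so Stop-Process later
# targets exactly this instance rather than guessing from a process list diff.
$dsamain = Start-Process -FilePath 'dsamain.exe' `
    -ArgumentList @('-dbpath', "`"$NtdsPath`"", '-ldapPort', $LdapPort, '-allowNonAdminAccess') `
    -WindowStyle Hidden -PassThru

try {
    # dsamain needs a few seconds to replay the database logs before it listens;
    # poll the port instead of sleeping a fixed 10 seconds.
    $deadline = (Get-Date).AddSeconds(60)
    $ready = $false
    while (-not $ready -and (Get-Date) -lt $deadline) {
        if ($dsamain.HasExited) {
            throw "dsamain exited early with code $($dsamain.ExitCode) (bad path, port in use, or -allowUpgrade needed?)"
        }
        $tcp = New-Object System.Net.Sockets.TcpClient
        try   { $tcp.Connect('localhost', $LdapPort); $ready = $true }
        catch { Start-Sleep -Seconds 2 }
        finally { $tcp.Close() }
    }
    if (-not $ready) { throw "dsamain did not open port $LdapPort within 60 s" }

    # Work against the mounted copy goes here; as a check, read the naming context from rootDSE.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$LdapPort/RootDSE")
    Write-Host "Mounted snapshot default naming context: $($rootDse.Properties['defaultNamingContext'][0])"

    # Keep the snapshot available for the requested window, then fall through to cleanup.
    Start-Sleep -Seconds ($TimeoutMin * 60)
}
finally {
    # The step-by-step guide quoted above mentions the rootDSE stopservice attribute for
    # remote stops; for a locally started instance, stopping the process we own is the
    # simplest reliable equivalent and runs even if the work above throws.
    if (-not $dsamain.HasExited) {
        Stop-Process -Id $dsamain.Id -Force
        $dsamain.WaitForExit()
    }
}
```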

  • Windows Server 2008 R2 - ntds.dit grows abnormal

    Hi all!
We have a domain with 20 domain controllers in 18 different sites; the servers are in different countries around the world. All servers are Windows Server 2008 R2 SP1, and the domain functional level is Windows 2008 R2. We have about 6000 users and clients in the domain.
Our ntds.dit file is 5,2GB in size! I think it's too big for our environment, isn't it? At the moment we don't have any problems with replication or anything else, but I wanted to know why it became that big, and it's still growing!
I found a tool, dsastat, in the Windows 2003 support tools... I tried dsastat.exe -loglevel:debug -output:both and got an output. The DSA Diagnostics shows me a total size of 98MB! Maybe the tool doesn't work for 2008? I also tried the registry key from this website http://rickardnobel.se/when-to-offline-defrag-ntds-dit/ to show me the garbage collection... This was the output:
    Internal event: The Active Directory Domain Services database has the following amount of free hard disk space remaining. 
    Free hard disk space (megabytes):
    15 
    Total allocated hard disk space (megabytes):
    5170
So I don't think offline defragmentation would help.
Just some more information... we have Exchange 2010 and Lync 2010, and our users can upload pictures to AD (size limit 10KB!). The AD recycle bin is enabled in our domain.
Does anybody know a tool to get more information about what's writing so much stuff to the ntds.dit file?
Thanks for your help! Best regards
    Steffi

    Free hard disk space (megabytes):
    15 
    Total allocated hard disk space (megabytes):
    5170
That is NOT very nice.. You do not need to do a defragmentation to recover those 15 MB of space. :)
Run this process on some of your other domain controllers and compare the results with this one. See if they have ~5170 space allocated to the database. I believe that much information is related to the Lync and Exchange you mentioned. Repetitive data is a case in point. You mentioned that users are able to upload their own photo, so make sure the old photos no longer reside somewhere in the database.
Try to dcpromo an additional domain controller. After that, what is the size of the newly promoted DC's database? In that case we can drill down into the problem.
BTW: Since you got 98MB from dsastat I recommend you run the command against deleted objects. By default dsastat does not query for deleted objects. Drop an isDeleted=TRUE in and check the results.
Mahdi Tehrani | www.mahditehrani.ir
This posting is provided AS-IS with no warranties, and confers no rights.

  • DNS ZONE FILES

Hi, I need to make changes to the DNS zone file. How do I do this?

    Hi,
    Updating External DNS files.
    Updating DNS Records with a Domain Registrar
    Both these links discuss making changes to DNS Zone files.
    Hopefully, you'll find an answer there.
    Tricia

  • Can't create DNS zones in Server Admin

    Hi All,
So, I've run into this strange problem where, when configuring the zone files for the DNS server in Server Admin, clicking on the + button doesn't do anything. I've re-installed Tiger Server, including reformatting the disk, and still nothing.
Can anyone tell me where the zone file is kept? It might be better just to make my own, unless anyone can tell me why the + button isn't working.
    Thanks much!

    Definitely better to make your own, if you know how (lots of good google-able docs on this). Using Server Admin for DNS zone files is dicey at best.
    BIND config file is located at '/etc/named.conf'
Zone files live in '/var/named/'. Primary zone files are named 'myDomain.com.zone' and secondary files are named 'myDomain.com.bak'.
    Feel free to email me if you need some default files.
    Can anyone tell me where the zone file is kept. It
    might be better just to make my own unless anyone can
    tell me why the + button isn't working.
    iBook G4   Mac OS X (10.4.3)  

  • Publishing DITA files in Frontmatter and Backmatter

    Hello,
    I am using FM11 and DITA 1.2.
    I have a bookmap that consists of <frontmatter>, 3 <chapter>, 3 <appendix>, and <backmatter>.
In <frontmatter>, I have two <topicref> elements that contain DITA files.
In the <backmatter> I have my glossary DITA file.
When I save the ditamap as Book 11 with FM components, none of the files in <frontmatter> and <backmatter> publish.
    I have the ditafm-output.ini set up to GenerateFlatBook=1
    Regards,
    Stan

    Hi Stan...
I could be wrong .. but I believe that FM ignores everything within a <frontmatter> or <backmatter> element. No, that's not the "right" thing to do, but as far as I know that's the way it is.
In order to have FM properly recognize these elements (including building generated lists from the related elements .. <toc>, <indexlist>, etc.), you'll need to use DITA-FMx ..
         http://leximation.com/dita-fmx/
    Cheers,
    ...scott
    Scott Prentice
Leximation, Inc.
    www.leximation.com

  • Another DNS Zone Question! :)

I have several geographic sites, all with their own Leopard servers (ten or so). Each is an Open Directory master managing public IP subnets. We do have an external DNS server, and all of our servers have registered names that are part of the same domain....
My question is this... when setting up DNS on each server, do I need to create zones, or can I just make the DNS forward to our external name server? I am worried that having more than one NS authoritative for the same domain will cause problems with our ISP's DNS server. I have one server running just fine without zones... just forwarders... and all is running smoothly: iCal, wikis, MCX, mobile accounts, etc...
Looking forward to finding out whether having zones at other locations and authoritative DNS servers is a bad thing or not.
    Thanks.

    As long as the external DNS server has all of the info you need, there's no need to set up duplicate zones on your servers; as you note, it could even cause problems if the info got out of sync. In fact, you don't even need to act as a forwarder, you could just turn off DNS service and configure all your computers (servers & clients) to use your ISP's DNS servers.
In your situation, I see two reasons you might want to run DNS service: in case your internet link goes down (losing access to DNS tends to make it hard to find servers, even if they're on the same LAN), or if the public DNS servers don't have the reverse DNS (IP number -> domain name) entries you need. If you're worried about the first, you could set your servers as secondaries (aka slaves) for the relevant zones, in which case they'll download the zone files from the master and automatically keep in sync. If the second is an issue, you're probably best off bugging your ISP -- since the reverse records are tied to your IP numbers, and those are "owned by" the ISP, they're generally in charge of the reverse DNS no matter who's hosting your forward DNS zones.

  • Child DNS Zone changing PTR record of OD Master

Greetings,
I am setting up a new OD master server for our school that will also host our DNS. Home folders will be on another server. I am using the DNS GUI for now. I set up a master DNS zone of ourschool.lan. The OD master has an FQDN of admin.ourschool.lan with an IP address of 172.16.2.254. Forward and reverse lookups of the OD master are great.
    #host admin.ourschool.lan returns 172.16.2.254
    #host 172.16.2.254 returns admin.ourschool.lan
When I set up a child zone, highschool.ourschool.lan, on this server and set the nameserver to ns1.highschool.ourschool.lan with an IP address of 172.16.2.254, I have had the following happen:
    #host admin.ourschool.lan returns 172.16.2.254
    #host 172.16.2.254 returns ns1.highschool.ourschool.lan (not what I want!)
I understand forward and reverse lookups to the OD master need to be rock solid. The changing of the PTR record is going to ruin this. Has anyone else seen this behavior? Should I just do the DNS through the terminal and forget the GUI?
    Thank you for any feedback. I searched this discussion list and didn't find anything similar to this in the postings.
    Best Regards,
    Steve
    OS X Server and Client   Mac OS X (10.4.6)  

Your problem stems from the fact you're trying to create two separate A records for the same IP address.
The GUI will automatically create a reverse DNS entry for each A record. Since you have two A records that point to 172.16.2.254, that's where your problem lies.
Your solution is either to use a CNAME (or alias) for the second hostname (e.g. ns1.highschool.ourschool.lan CNAME admin.ourschool.lan), or to manage the DNS by hand and not use the GUI tools.

  • Different SBA DNS SRV entry for the same dns zone?

    Hello,
I have a test lab here with one enterprise pool and one SBA deployed. The branch site also has a DNS server installed. Both are using the same DNS zone "test.com".
Of course now I have different servers for the same SRV record _sipinternaltls._tcp.test.com: one for autodiscovery in the enterprise pool and one for the SBA. Also I want to add the second one as a failover SRV, and the DNS server in the enterprise pool should be used as a forwarder.
Now I have some issues with how to deploy several entries on two different DNS servers for the same zone.
1.) If I manually add the same zone + DNS SRV entries on the SBA, the DNS is somehow not resolving/forwarding the entries on the other DNS server in EE to other servers which are not in my SBA DNS.
2.) If I only pinpoint the SRV entries for _sipinternaltls._tcp.test.com (one for the SBA and a failover for the EE site), the DNS won't resolve the second A record to the enterprise pool.
What is the best practice for DNS with an SBA? Always point to the enterprise pool and, therefore, no other configuration is needed?
    Regards DrWho

I played around a little bit. The problem was that I cannot add the pinpoint DNS SRV entries via the GUI. Additionally the tutorials did not work, as my DNS server for the SBA is not on a domain controller. In the end I did this:
    sbafe -> fqdn of my sba
    eefe -> fqdn of my frontend of enterprise pool
    dnscmd . /zoneadd _sipinternaltls._tcp.test.com. /primary /file _sipinternaltls._tcp.test.com.dns
    dnscmd . /recordadd _sipinternaltls._tcp.test.com. @ SRV 0 0 5061 sbafe.test.com.
    dnscmd . /recordadd _sipinternaltls._tcp.test.com. @ SRV 10 0 5061 eefe.test.com.
    dnscmd . /zoneadd sbafe.test.com. /primary /file sbafe.test.com.dns
    dnscmd . /recordadd sip.sbafe.test.com. @ A 192.168.10.220
    dnscmd . /zoneadd eefe.test.com. /primary /file eefe.test.com.dns
    dnscmd . /recordadd sip.eefe.test.com. @ A 192.168.0.40
The question is whether that is a good best practice, or whether the DNS servers within a zone should contain the same records (primary/backup). The client will then always hit the FE of the EE pool first.
Also it's quite a lot of work to set up.

  • No DNS zones in server admin

    Here's my log: 
    Oct 21 12:49:25 server servermgrd[2019]: -[DNSManagerRRMgr bindZoneDB]: Unable to load zone database (RRs) for "***.com" from file "/var/named/db.***.com": CNAME and other data


  • Question about DNS zones

    Here's my problem..
I have an internal webserver that has an external address. Clients on my internal network (the same as the webserver) can't access the internal server using its external address. I got around this in a Windows environment (there are multiple buildings with different environments) by creating a primary DNS zone with the external address of the server, and an A host record pointing to the internal address.
I'm having some trouble getting this set up on Lion Server, and rather than breaking DNS again, I figured I'd ask around first. Like I said, I tried adding a new zone, and did something that broke DNS. I had to manually edit the configuration file to remove the new zone. The FQDN is different from the name of the Mac server.
    Basically the Mac server is school.com, and I need school.google.com to point internally. These obviously aren't the real addresses, but it illustrates what I need to accomplish.
    Does this make sense? Is it possible with Lion Server?
    Thanks

If you want to access the webserver internally as school.google.com you cannot and should not try to create a google.com zone. If your website has your own private domain, e.g. www.myschool.edu, then as you (presumably) own and control that domain you can run what is typically called a 'split-horizon' DNS setup.
You could have a second domain name just for the website, which still needs to be owned by you; this would let you use, say, domain.local as the main internal Active Directory domain and a second domain like myschool.edu for the website.
With a split-horizon setup you need two DNS servers: one would be used just internally, the other just externally. So anyone outside your network, i.e. on the Internet, would use the external DNS server (often your ISP's), and anyone on your LAN uses the internal one. The internal one would map www.myschool.com to the internal LAN IP address of your webserver; the external DNS server would map the same www.myschool.edu to your internet router's address. Your router would then have to have a NAT port mapping rule set up to forward the HTTP traffic to your internal webserver's IP address. You can still have multiple websites hosted internally and accessible externally, but all of them must run on a single internal webserver, as the NAT port mapping can only map to a single IP address per protocol (port number).

  • 10.4.4 update and now my DNS zones aren't visible!

After the 10.4.4 update, I can't see my DNS zones, and the log says there are now errors, for example: servermgr_dns: Bad zone file for zone macs4ever.com MX/CNAME line: "@" before A line. Ignoring.
This wasn't an issue before. Has something changed in the zone formatting?
What file can I edit to correct the syntax if needed?
I appreciate your time and assistance,
    matt caswell

    Note that I write my own zone files and prefix them with "db." just so that I do not overwrite the default ones. The name of the zone file is in itself not critical, as long as the correct file is referenced in named.conf.
    My zone definitions in /etc/named.conf...
// a caching only nameserver config
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "db.localhost";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "db.127.0.0";
    allow-update { none; };
};
zone "foo.com" IN {
    file "db.foo.com";
    type master;
};
zone "0.0.10.in-addr.arpa" IN {
    file "db.10.0.0";
    type master;
};
    ============================
    The Zone Files in /var/named...
    ============================
    Zone File "db.localhost"
    $TTL 86400
    localhost. IN SOA server.foo.com. postmaster.foo.com. (
    42 ; serial (d. adams)
    3H ; refresh
    15M ; retry
    1W ; expiry
    1D ) ; minimum
    IN NS server.foo.com.
    IN A 127.0.0.1
    ====================
    Zone file "127.0.0" (reverse zone for localhost)
    $TTL 86400
    0.0.127.in-addr.arpa. IN SOA server.foo.com. postmaster.foo.com. (
    2006011511 ; Serial
    3h ; Refresh
    1h ; Retry
    1w ; Expire
    1h ) ; Minimum
    0.0.127.in-addr.arpa. IN NS server.foo.com.
    1.0.0.127.in-addr.arpa. IN PTR localhost.foo.com.
    ==========================
    Zone file "db.foo.com"
    $TTL 86400
    foo.com. IN SOA server.foo.com. postmaster.foo.com. (
    2005101301 ; serial
    3h ; refresh
    1h ; retry
    1w ; expiry
    1h ) ; minimum
    ; NAME SERVERS
    foo.com. IN NS server.foo.com.
    ; ADDRESSES FOR CANONICAL NAMES
    localhost IN A 127.0.0.1
    server IN A 10.0.0.1
    ; ALIASES
    ical.foo.com. IN CNAME server
    mail.foo.com. IN CNAME server
    ftp.foo.com. IN CNAME server
    ; MAIL RECORDS
    foo.com. IN MX 0 server
    ======================
    Zone File db.10.0.0 (reverse zone for foo.com)
    $TTL 86400
    0.0.10.in-addr.arpa. IN SOA server.foo.com. postmaster.foo.com. (
    2006011500 ; serial
    3h ; refresh
    1h ; retry
    1w ; expiry
    1h ) ; minimum
    0.0.10.in-addr.arpa. IN NS server.foo.com.
    ; REVERSE LOOKUPS
    1 IN PTR server.foo.com.
    ========================
    Note that you may have different records but hopefully you get the drift of it.
    "Bad zone file for zone domain.com MX/CNAME..."
    The particular cause, for me, of the above error was that, in db.foo.com, I used to have the following for the MX record...
    foo.com. IN MX 0 mail
    This created the error message as there was not a direct A record for 'mail'. The amended zone file now works... but...
    I still have an issue with this... In my case my DNS is purely for the private LAN but if it was a public DNS then I would have needed to set up the server with a hostname "mail.foo.com" instead of "server..." and then alias 'server' to 'mail'. Something you really should know before setting up the server
    (Actually, I don't even know why I have the MX record in the internal DNS as the mail server can function quite happily without it.)
    Anyway, I find this on-line reference really handy although you can get a bit 'lost' in all the links within it...
    http://www.zytrax.com/books/dns/
    Have fun.
    -david

  • DNS - Zone NS / delegation in 10.6?

Is it possible to create a new name server (NS) record (New Delegation in the Microsoft Windows DNS Management utility) in an already created DNS zone under Snow Leopard?
    thanks

I'm assuming you mean an NS record for a subdomain (creating them for the zone itself is easy in Server Admin -> DNS service -> Zones -> select the zone -> General -> Nameservers). The GUI admin tools don't have a way to delegate subdomains, but you should be able to do it by editing the zone files directly. There are actually two files for each zone, /var/named/db.zonename. (note the period at the end) and /var/named/zones/db.zonename.zone.apple; the second is maintained by the GUI tools and is not safe to edit, but you can add whatever you want to the first one. Just add an NS record to the end of it; it should look something like this:
    ;THE FOLLOWING INCLUDE WAS ADDED BY SERVER ADMIN. PLEASE DO NOT REMOVE.
    $INCLUDE /var/named/zones/db.zonename.zone.apple
    subdomain.zonename. IN NS delegatedserver.example.net.
    Be sure to include the trailing periods on both the subzone and delegated server portion. Then stop & restart the DNS service to get it to reload the zone, and test to make sure it's actually serving the info properly (it's very picky about its file syntax, and if anything's wrong it tends to skip the zone, or even not start at all).

  • Can't remove dns zone

I messed up my DNS zone while adding a zone. I am trying to remove everything and start over, but SA will not let me. I have a primary and a reverse zone that keep coming back after I remove them. I have looked in /var/named/zone, but there is nothing there.
If I add another zone, it appears in /var/named/zone, and I can remove it with SA. What should I try next?

    Hi
    This afp548 article explains the Leopard DNS Service including where relevant files are located. You might find it useful. You could restart the Server in safe mode (shift key depressed) and try deleting the zones that way. A normal restart thereafter should get you going again. You may actually be looking at a rebuild/reinstall but only you would know or decide that.
    This recent post describes how to set up the DNS Service in Leopard simply:
    http://discussions.apple.com/thread.jspa?threadID=1251475&tstart=0
Stick with it, because it's not that obvious to begin with. It's about the 7th post down. One thing that could be added, at the setup assistant stage when you are prompted to configure the Network Settings, is to switch off IPv6.
    Hope this helps, Tony
