
DNS in Networking

Uploaded by

zekarias
Copyright
© © All Rights Reserved

DNS in Networking-

• DNS is short for Domain Name Service or Domain Name System.
• It is an application layer protocol.

Purpose-

• DNS is a host name to IP Address translation service.
• It converts the names we type in our web browser address bar to the IP Address of web
  servers hosting those sites.

Need-

The need for Domain Name Service arises due to the following reasons-

Point-01:

• IP Addresses are not static and may change dynamically.
• So, a mapping is required which maps the domain names to the IP Addresses of their web
  servers.

Point-02:

• IP Addresses are a complex series of numbers.
• So, it is difficult to remember IP Addresses directly while it is easy to remember names.

DNS Resolution-

DNS Resolution is the process of resolving a domain name to an IP Address.

The following diagram illustrates the process of DNS resolution-

The steps involved in DNS Resolution are-

Step-01:

• A user program sends a name query to a library procedure called the resolver.

Step-02:

The resolver looks up the local domain name cache for a match.

• If a match is found, it sends the corresponding IP Address back.
• If no match is found, it sends a query to the local DNS server.

Step-03:

The DNS server looks up the name.

• If a match is found, it returns the corresponding IP Address to the resolver.
• If no match is found, the local DNS server sends a query to a higher level DNS server.
• This process is continued until a result is returned.

Step-04:

• After receiving a response, the DNS client returns the resolution result to the application.

Important Notes-

Note-01:

DNS uses UDP (port 53) at the transport layer.

DNS uses UDP at the transport layer due to the following reasons-

Point-01:

• UDP is much faster than TCP.
• TCP is slow as it uses a three-way handshake to start the data transfer.

Point-02:

• DNS requests are very small.
• So, they fit well within UDP segments.

Point-03:

• Although UDP is not reliable, reliability can be added at the application layer.
• Reliability can be added by using timeouts and resends at the application layer.

Thus, in the end both speed and protection are achieved.
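
Added example (not part of the original notes): a stub resolver in Python that follows Step-02 and Point-03 above. It checks a local cache, sends a type A query, resends when no reply arrives, and discards any reply whose transaction ID or question does not match the query. LossyServer and the 192.0.2.10 answer are constructed so the code runs offline; udp_transport is the assumed real-network path, and all function names are illustrative.

```python
import secrets
import socket
import struct

def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(txid, name):
    """12-byte header (RD set, one question) followed by a type A, class IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_a_records(msg, txid, name):
    """Validate a reply against the query we sent and return its IPv4 addresses."""
    rid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        if qname.lower() != name.rstrip(".").lower():
            raise ValueError("question section does not match")
        off += 4                                # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve(name, transport, cache, retries=3):
    """Step-02 cache lookup, then query with timeout and resend (Note-01, Point-03)."""
    if name in cache:
        return cache[name]
    for _ in range(retries):
        txid = secrets.randbelow(1 << 16)       # unpredictable ID, checked on the reply
        try:
            reply = transport(build_query(txid, name))
            addrs = parse_a_records(reply, txid, name)
        except (OSError, ValueError, IndexError, struct.error):
            continue                            # lost or unacceptable reply: resend
        cache[name] = addrs
        return addrs
    raise TimeoutError("no valid answer for %s after %d tries" % (name, retries))

def udp_transport(server, timeout=2.0):
    """Real transport: one datagram to UDP port 53; a timeout raises an OSError subclass."""
    def send_recv(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, 53))
            return sock.recvfrom(512)[0]
    return send_recv

class LossyServer:
    """Constructed stand-in for a DNS server: drops the first `drop` datagrams."""
    def __init__(self, drop=1, txid_xor=0, address="192.0.2.10"):
        self.drop, self.txid_xor, self.address, self.calls = drop, txid_xor, address, 0
    def __call__(self, query):
        self.calls += 1
        if self.calls <= self.drop:
            raise TimeoutError("datagram lost")
        txid = struct.unpack("!H", query[:2])[0] ^ self.txid_xor
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(self.address)
        return header + query[12:] + rr

if __name__ == "__main__":
    print(resolve("www.example.com", LossyServer(drop=1), {}))
```

Passing udp_transport("<resolver address>") instead of LossyServer sends the same query to a real server.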


Understanding DNS – Beginners Guide to DNS

DNS (Domain Name System) is one of the most important technologies/services on the internet,
as without it the Internet would be very difficult to use.

DNS provides a name to number (IP address) mapping or translation, allowing internet users to
use easy to remember names, and not numbers, to access resources on a network and the
Internet.

In this tutorial we will cover the basics of DNS, starting with why it was developed and what
problems it was designed to solve.

DNS Basics – Understanding Why we Need it

All devices (computers etc) that are connected to the Internet, your own network, or company
network are identified by an IP address; which is a number.

IP addresses are easy for computers to process but they are not so easy for people to remember.

To make it easy for people to remember, names (host names) are used to identify individual
computers on a network.

On early computer networks a simple text file called a hosts file was created that mapped host
names to IP addresses.

This enabled people to refer to other computers by the name, and their computer translated that
name to an IP address when it needed to communicate with it.

Here is the hosts file taken from my PC. It comes with all Windows machines.
The location for the hosts file is normally C:\windows\system32\drivers\etc

As network sizes increased the hosts file approach became impractical due to the fact that:

• It needed to be stored on each computer.
• The text file could take a long time to process due to the fact that it was unstructured.
• Updates were difficult to manage as all of the computers would need to be given an
  updated file.

To overcome these (and other) limitations the DNS system was developed.

The DNS system essentially provides for:

• A way to organize the names: Domain name structure
• Protocols, services and methods for storing, updating, and retrieving IP addresses for
  host computers: DNS System

From the perspective of an end user you can consider the DNS system as a structured hosts
file.

Domain Name Structure

The hosts file is simply a list of names and IP addresses with no structure making it difficult to
scale to a large number of machines.

The solution is to place the machines into administrative areas known as domains, and arrange
the domains in a hierarchy.
This takes the form of a tree like structure that resembles the file system structure found on
computers. See Understanding The Domain Name Structure

DNS System

The DNS system consists of many Domain Name servers that together provide the name to IP
address mapping for registered devices (usually servers) on the Internet.

The main DNS servers (root servers) are owned and managed by a variety of different
organizations, and are located mainly in the USA.

Here is a list http://www.iana.org/domains/root/servers.

Other companies including ISPs have their own DNS servers which are linked to the root servers
in a hierarchical fashion providing a distributed system.

The following video explains both the hosts file and its problems, and the basics of how DNS
works.

What is Active Directory?


 

Active Directory (AD) is a directory service for use in a Windows Server environment. It is a
distributed, hierarchical database structure that shares infrastructure information for locating,
securing, managing, and organizing computer and network resources including files, users,
groups, peripherals and network devices.

Active Directory is Microsoft’s own directory service for use in Windows domain networks. It
provides authentication and authorization functions, as well as providing a framework for other
such services. The directory itself is an LDAP database that contains networked objects. Active
Directory uses the Windows Server operating system.

When people talk about Active Directory, they typically mean Active Directory Domain
Services, which provides full-scale, integrated authentication and authorization services.

Before Windows 2000, Microsoft’s authentication and authorization model required breaking
down a network into domains, and then linking those domains with a complicated, and
sometimes, unpredictable system of one- and two-way trusts. Active Directory was introduced in
Windows 2000 as a way to provide directory services to larger more complex environments.

Other Active Directory services

Over time, Microsoft has added additional services under the Active Directory banner.

Active Directory lightweight directory services

This light version of Domain Services removes some complexity and advanced functionality to
offer just the basic directory service functionality, without the use of domain controllers, forests
or domains. Typically used in small, single office network environments.

Active Directory certificate services

Certificate Services offers digital certification services and supports public key infrastructure, or
PKI. This service can store, validate, create and revoke public key credentials used for
encryption rather than generating keys externally or locally.

Active Directory federation services

Provides a web-based, single sign-on authentication and authorization service primarily for use
across organizations. Thus, a contractor might log on to his own network and be authorized for
his/her access on the client’s network as well.

Active Directory rights management services

This is a rights management service that breaks down authorization beyond an access granted or
access denied model and limits what a user can do with particular files or documents. The rights
and restrictions are attached to the document rather than the user. These rights are commonly
used to prevent the printing, copying or taking a screenshot of a document.

Active Directory structure

One key feature of Active Directory structure is delegated authorization and efficient replication.
Each part of the AD organizational structure limits either authorization or replication to within
that particular sub-part.

Forest

The forest is the highest level of the organization hierarchy. A forest is a security boundary
within an organization. A forest allows for delegation of authority to be segregated within a
single environment. This provides for an administrator with full-access rights and permissions,
but only to a specific subset of resources. It is possible to just use a single forest on a network.
Forest information is stored on all domain controllers, in all domains, within the forest.

Tree

A tree is a group of domains. The domains within a tree share the same root name space. While a
tree shares a name space, trees are not limits on security or replication.

Domains

Each forest contains a root domain. Additional domains can be used to create further partitions
within a forest. The purpose of a domain is to break the directory into smaller pieces to control
replication. A domain limits Active Directory replication to only the other domain controllers
within the same domain. For example, an office in Oakland wouldn’t need to be replicating AD
data from the office in Pittsburg. This saves bandwidth and limits damage from a security
breach.

Each domain controller in a domain has an identical copy of that domain’s Active Directory
database. This is kept up to date via constant replication.

While domains were used in the previous Windows-NT based model, and still do provide a
security barrier, the recommendation is to not only use domains to control replication, but use
organizational units (OUs) to group and limit security permissions instead.

Organizational units (OUs)

An organizational unit provides for the grouping of authority over a subset of resources from a
domain. An OU provides a security boundary on elevated privileges and authorization, but does
not limit the replication of AD objects.

OUs are used to delegate control within functional groupings. OUs should be used to implement
and limit security and roles among groups, while domains should be used to control Active
Directory replication.

Domain controllers

Domain controllers are Windows Servers, which contain the Active Directory database and
perform Active Directory related functions, including authentication and authorization. A
domain controller is any Windows Server installed with the Domain Controller role.

Each domain controller stores a copy of the Active Directory database containing information
about all objects within the same domain. In addition, each domain controller stores the schema
for the entire forest, as well as all information about the forest. A domain controller will not store
a copy of any schema or forest information from a different forest even if they are on the same
network.

Specialized domain controller roles

Specialized domain controller roles are used to perform specific functions that are not available
on standard domain controllers. These master roles are assigned to the first domain controller
created in each forest or domain. However, an administrator may manually reassign the roles.

Schema master

Only one schema master exists per forest. It contains the master copy of the schema used by all
other domain controllers. Having a master copy ensures that all objects are defined the same
way.

Domain name master

Only one domain name master exists per forest. The domain master ensures that all object
names are unique and, when necessary, cross-references objects stored in other directories.

Infrastructure master

There is one infrastructure master per domain. The infrastructure master keeps the list of deleted
objects and tracks references for objects on other domains.

Relative identifier master

There is one relative identifier master per domain. It tracks the assignment and creation of unique
Security Identifiers (SIDs) across the domain.

Primary Domain Controller Emulator

There is only one Primary Domain Controller (PDC) Emulator per domain. It exists to provide
backward compatibility from the older Windows NT-based domain systems. It responds to
requests made to a PDC as an old PDC would have.

Data store

Storage and retrieval of data on any domain controller is handled by the data store. The data store
is composed of three layers. The bottom layer is the database itself. The middle layer is service
components, the Directory System Agent (DSA), the database layer, and the Extensible Storage
Engine (ESE). The top layer is the directory store services, LDAP (Lightweight Directory
Access Protocol), the replication interface, the Messaging API (MAPI), and the Security
Accounts Manager (SAM).

 
Domain Name System

Active Directory contains location information on objects stored in the database; however, Active
Directory uses Domain Name System (DNS) to locate domain controllers.

Within the active directory, every domain has a DNS domain name and every joined computer
has a DNS name within that same domain.

Objects

Everything within Active Directory is stored as an object. The class could also be defined as the
“type” of an object in the schema. The attributes are the components of the object – the attributes
of an object are defined by its class.

Objects must be defined within the schema before data can be stored in the directory. Once
defined, data is stored within the active directory as individual objects. Every object must be
unique and represent a single thing, such as a user, computer, or a unique group of things (e.g.
user group).

The two primary types of objects are resources and security principals. Security principals are
assigned Security Identifiers (SIDs), but resources are not.

Replication

Active Directory uses multiple domain controllers for many reasons including load balancing
and fault tolerance. For this to work, each domain controller must have a complete copy of its
domain’s own Active Directory database. Ensuring that each controller has a current copy of the
database occurs through replication.

Replication is limited by the domain. Domain controllers on different domains do not replicate
between one another, even within the same forest. Every domain controller is equal. Although
previous versions of Windows had Primary and Secondary domain controllers, there is no such
thing in Active Directory. There is occasionally some confusion due to the continuation of the
name ‘domain controller’ from the old trust-based system to Active Directory.

Replication works on a pull system, meaning that a domain controller requests or “pulls” the
information from other domain controllers rather than each domain controller sending or
“pushing” data to others. By default, domain controllers request replication data every 15
seconds. Certain high-security events trigger an immediate replication event, such as an account
lockout.

Only changes are replicated. To ensure fidelity across a multi-master system, each domain
controller keeps track of changes and requests only the updates since the last replication.
Changes are replicated throughout the domain using a store-and-forward mechanism such that
any change is replicated when requested, even if the change did not originate on the domain
controller answering the replication request.

This both prevents excess traffic and can be configured to ensure that each domain controller
requests its replication data from the most desirable server. For example, a remote location with
one fast connection and one slow connection to other sites with domain controllers can set a
“cost” on each connection. In doing so, the replication request will be made across the faster
connection.


Introduction of Active Directory Domain Services
Last Updated: 06-11-2019

A directory is a hierarchical structure that stores information about objects on the network. A
directory, in the most generic sense, is a comprehensive listing of objects. A phone book is a type
of directory that stores information about people, businesses, and government organizations.
Phone books typically record names, addresses, and phone numbers.

Active Directory (AD) is a Microsoft technology used to manage computers and other devices on
a network. It is a primary feature of Windows Server, an operating system that runs both local
and Internet-based servers.

Benefits of Active Directory –

• Hierarchical organizational structure.
• Multimaster Authentication & Multimaster replication (the ability to access and modify
  AD DS from multiple points of administration)
• A single point of access to network resources.
• Ability to create trust relationships with external networks running previous versions of
  Active Directory and even Unix.

Directory Service –
A directory service is a hierarchical arrangement of objects which are structured in a way that
makes access easy. However, functioning as a locator service is not AD’s exclusive purpose. It
also helps organizations have a central administration over all the activities carried out in their
networks. Essentially a Network Directory Service:

• Provides information about the user objects, computers and services in the network.
• Stores this information in a secure database and provides tools to manage and search the
  directory.
• Allows managing user accounts and resources and applying policies consistently as needed
  by an organization.

Active Directory provides several different services, which fall under the umbrella of “Active
Directory Domain Services,” or AD DS. These services include:

1. Domain Services –
Stores centralized data and manages communication between users and domains;
includes login authentication and search functionality
2. Certificate Services –
It generates, manages and shares certificates. A certificate uses encryption to enable a
user to exchange information over the internet securely with a public key.
3. Lightweight Directory Services –
Supports directory-enabled applications using the open (LDAP) protocol.
4. Directory Federation Services –
Provides single-sign-on (SSO) to authenticate a user in multiple web applications in a
single session.
5. Rights Management –
It controls information rights and management. AD RMS encrypts content, such as email
or Word documents, on a server to limit access.

Domain Controllers –
A server that is running AD DS is called a domain controller. Domain controllers host and
replicate the directory service database inside the forest. The directory service also provides
services for managing and authenticating resources in the forest. These servers host essential
services in AD DS, including the following:
– Kerberos Key Distribution Center (kdc)
– NetLogon (Netlogon)
– Windows Time (W32time)
– Intersite Messaging (IsmServ)

Active Directory Objects:

1. Container Objects –
These objects can contain other objects inside them, and we can make collections from
them. For example: Forest, Tree, Domains, Organisational Units.
2. Leaf Objects –
These objects cannot contain other objects inside them. For example: users, computers,
printers, etc.

Common Terminologies and Active Directory Concepts:

o Schema –
A set of rules, the schema, that defines the classes of objects and attributes
contained in the directory, the constraints and limits on instances of these objects,
and the format of their names.
o Global catalog –
A global catalog that contains information about every object in the directory.
This allows users and administrators to find directory information regardless of
which domain in the directory actually contains the data. For more information
about the global catalog, see The role of the global catalog.
o Forest Root Domain –
The first domain that is installed in an Active Directory Forest is referred to as the
root domain.
o Sites –
Sites in AD DS represent the physical structure, or topology, of your network.
AD DS uses network topology information, which is stored in the directory as
site, subnet, and site link objects, to build the most efficient replication topology.
o Lightweight Directory Access Protocol –
AD is based on the Lightweight Directory Access Protocol (LDAP). This protocol
provides a common language for clients and servers to speak to one another.


DHCP defined and how it works


Dynamic host configuration protocol simplifies and improves the accuracy of IP
addressing but can raise security concerns

The ability to network devices quickly and easily is critical in a hyper-connected world, and
although it has been around for decades, DHCP remains an essential method to ensure that
devices are able to join networks and are configured correctly.

 DHCP greatly reduces the errors that are made when IP addresses are assigned manually, and
can stretch IP addresses by limiting how long a device can keep an individual IP address.

DHCP definition
DHCP stands for dynamic host configuration protocol and is a network protocol used on IP
networks where a DHCP server automatically assigns an IP address and other information to
each host on the network so they can communicate efficiently with other endpoints.

In addition to the IP address, DHCP also assigns the subnet mask, default gateway address,
domain name server (DNS) address and other pertinent configuration parameters. Request for
comments (RFC) 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF)-
defined standard based on the BOOTP protocol.

DHCP simplifies IP address management


The primary reason DHCP is needed is to simplify the management of IP addresses on
networks.  No two hosts can have the same IP address, and configuring them manually will
likely lead to errors. Even on small networks manually assigning IP addresses can be confusing,
particularly with mobile devices that require IP addresses on a non-permanent basis. Also, most
users aren’t technically proficient enough to locate the IP address information on a computer and
assign it. Automating this process makes life easier for users and the network administrator.

Components of DHCP
When working with DHCP, it’s important to understand all of the components. Below is a list of
them and what they do:

• DHCP server: A networked device running the DHCP service that holds IP addresses and
  related configuration information. This is most typically a server or a router but could be
  anything that acts as a host, such as an SD-WAN appliance.
• DHCP client: The endpoint that receives configuration information from a DHCP server.
  This can be a computer, mobile device, IoT endpoint or anything else that requires
  connectivity to the network. Most are configured to receive DHCP information by
  default.
• IP address pool: The range of addresses that are available to DHCP clients. Addresses are
  typically handed out sequentially from lowest to highest.
• Subnet: IP networks can be partitioned into segments known as subnets. Subnets help
  keep networks manageable.
• Lease: The length of time for which a DHCP client holds the IP address information.
  When a lease expires, the client must renew it.
• DHCP relay: A router or host that listens for client messages being broadcast on that
  network and then forwards them to a configured server. The server then sends responses
  back to the relay agent that passes them along to the client. This can be used to centralize
  DHCP servers instead of having a server on each subnet.

Benefits of DHCP servers


In addition to simplified management, the use of a DHCP server provides other benefits. These
include:

• Accurate IP configuration: The IP address configuration parameters must be exact and
  when dealing with inputs such as “192.168.159.3”, it’s easy to make a mistake.
  Typographical errors are typically very difficult to troubleshoot and the use of a DHCP
  server minimizes that risk.
• Reduced IP address conflicts: Each connected device must have an IP address. However,
  each address can only be used once and a duplicate address will result in a conflict where
  one or both of the devices cannot be connected. This can happen when addresses are
  assigned manually, particularly when there are a large number of endpoints that only
  connect periodically, such as mobile devices. The use of DHCP ensures that each
  address is only used once.
• Automation of IP address administration: Without DHCP, network administrators would
  need to assign and revoke addresses manually. Keeping track of which device has what
  address can be an exercise in futility as it’s nearly impossible to understand when devices
  require access to the network and when they leave. DHCP allows this to be automated
  and centralized so network professionals can manage all locations from a single location.
• Efficient change management: The use of DHCP makes it very simple to change
  addresses, scopes or endpoints. For example, an organization may want to change its IP
  addressing scheme from one range to another. The DHCP server is configured with the
  new information and the information will be propagated to the new endpoints. Similarly,
  if a network device is upgraded and replaced, no network configuration is required.

DHCP poses security risks  


The DHCP protocol requires no authentication so any client can join a network quickly. Because
of this, it opens up a number of security risks, including unauthorized servers handing out bad
information to clients, unauthorized clients being given IP addresses and IP address depletion
from unauthorized or malicious clients.

Since the client has no way of validating the authenticity of a DHCP server, rogue ones can be
used to provide incorrect network information. This can cause denial-of-service attacks or
man-in-the-middle attacks where a fake server intercepts data that can be used for malicious purposes.
Conversely, because the DHCP server has no way of authenticating a client, it will hand out IP
address information to any device that makes a request.  A threat actor could configure a client to
continually change its credentials and quickly exhaust all available IP addresses in the scope,
preventing company endpoints from accessing the network.

The DHCP specification does address some of these issues. There is a Relay Agent
Information Option that enables engineers to tag DHCP messages as they arrive on the network.
This tag can be used to control access to the network. There is also a provision to authenticate
DHCP messages, but key management can be complicated and has held back adoption. 802.1x
authentication, otherwise known as network access control (NAC), can be used to
secure DHCP. Most of the leading network vendors support NAC, and it has become
significantly simpler to deploy.
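
Added example (not from the original article): detection logic for the two risks described above, run over DHCP packets captured on a segment. It reports OFFER/ACK messages whose server identifier (option 54) is not on an allowlist, together with the router and DNS values they were handing out, and flags an unusually high number of distinct client hardware addresses sending DISCOVERs. The packets, addresses, function names and the threshold are constructed assumptions.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte BOOTP header
DISCOVER, OFFER, ACK = 1, 2, 5       # values of option 53 (message type)

def build_dhcp(op, xid, mac, options):
    """Build a DHCP packet; used only to construct the sample capture below."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        bytes(4), bytes(4), bytes(4), bytes(4), mac, b"", b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC + body + b"\xff"

def parse_dhcp(pkt):
    """Return (client MAC, {option code: raw value}) for one DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = min(pkt[2], 16)
    mac = ":".join("%02x" % b for b in pkt[28:28 + hlen])
    options, off = {}, 240
    while off < len(pkt) and pkt[off] != 255:      # 255 = end option
        if pkt[off] == 0:                          # 0 = pad, a single byte
            off += 1
            continue
        if off + 2 > len(pkt) or off + 2 + pkt[off + 1] > len(pkt):
            raise ValueError("truncated option")
        options[pkt[off]] = pkt[off + 2:off + 2 + pkt[off + 1]]
        off += 2 + pkt[off + 1]
    return mac, options

def ip_list(raw):
    """Split an option value into dotted-quad addresses (4 bytes each)."""
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw) - 3, 4)]

def audit(capture, allowed_servers, max_new_clients):
    """Flag offers from servers outside the allowlist and bursts of new client MACs."""
    findings, clients = [], set()
    for pkt in capture:
        try:
            mac, opts = parse_dhcp(pkt)
        except ValueError:
            continue                               # not DHCP or malformed: ignore
        mtype = (opts.get(53) or b"\x00")[0]
        if mtype == DISCOVER:
            clients.add(mac)
        elif mtype in (OFFER, ACK):
            server = (ip_list(opts.get(54, b"")) or ["missing"])[0]
            if server not in allowed_servers:
                findings.append(("unauthorized-server", server,
                                 ip_list(opts.get(3, b"")), ip_list(opts.get(6, b""))))
    if len(clients) > max_new_clients:             # threshold is site-specific (assumption)
        findings.append(("possible-starvation", len(clients)))
    return findings

def sample_capture():
    """Constructed capture: one normal exchange, one unexpected offer, a DISCOVER burst."""
    ip, mac = socket.inet_aton, bytes.fromhex("020000000001")
    cap = [
        build_dhcp(1, 1, mac, [(53, bytes([DISCOVER]))]),
        build_dhcp(2, 1, mac, [(53, bytes([OFFER])), (54, ip("192.0.2.1")),
                               (3, ip("192.0.2.1")), (6, ip("192.0.2.53"))]),
        build_dhcp(2, 1, mac, [(53, bytes([OFFER])), (54, ip("192.0.2.66")),
                               (3, ip("192.0.2.66")), (6, ip("192.0.2.66"))]),
    ]
    # Five DISCOVERs, each from a different client hardware address.
    cap += [build_dhcp(1, 100 + i, bytes([2, 0, 0, 0, 1, i]), [(53, bytes([DISCOVER]))])
            for i in range(5)]
    return cap

if __name__ == "__main__":
    for finding in audit(sample_capture(), {"192.0.2.1"}, 4):
        print(finding)
```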


Zeus Kerravala is the founder and principal analyst with ZK Research.





Copyright © 2018 IDG Communications, Inc.


Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1
Matei Cezar, September 17, 2019

Samba is free open source software that provides standard interoperability between
Windows OS and Linux/Unix Operating Systems.

Samba can operate as a standalone file and print server for Windows and Linux clients through
the SMB/CIFS protocol suite or can act as an Active Directory Domain Controller or joined
into a Realm as a Domain Member. The highest AD DC domain and forest level that currently
Samba4 can emulate is Windows 2008 R2.

The series will be titled Setting Up Samba4 Active Directory Domain Controller, which
covers the following topics for Ubuntu, CentOS, and Windows:

Part 1: Install Active Directory Infrastructure with SAMBA4 on Ubuntu
Part 2: Manage Samba4 AD Infrastructure from Linux Command Line
Part 3: Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT
Part 4: Manage Samba4 AD Domain Controller DNS and Group Policy from Windows
Part 5: Join an Additional Ubuntu DC to Samba4 AD DC
Part 6: Setup SysVol Replication Across Two Samba4 AD DC with Rsync
Part 7: Create a Shared Directory on Samba AD DC and Map to Windows/Linux Clients
Part 8: Integrate Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind
Part 9: Integrate CentOS 7 Desktop to Samba4 AD as a Domain Member
Part 10: How to Install iRedMail on CentOS 7 for Samba4 AD Integration
Part 11: Integrate iRedMail Services to Samba4 AD DC
Part 12: How to Integrate iRedMail Roundcube with Samba4 AD DC
Part 13: How to Configure Thunderbird with iRedMail for Samba4 AD
Part 14: Integrate Ubuntu 16.04 to Samba4 AD DC with SSSD and Realm
Part 15: Integrate CentOS 7 from Command Line to Samba AD DC as a Domain Member
Part 16: Integrate VMware ESXI Host to Samba4 AD Domain Controller

This tutorial will start by explaining all the steps you need to take care of in order to install and
configure Samba4 as a Domain Controller on Ubuntu 16.04 and Ubuntu 14.04.

This configuration will provide a central management point for users, machines, volume shares,
permissions and other resources in a mixed-up Windows – Linux infrastructure.

Requirements:

1. Ubuntu 16.04 Server Installation.
2. Ubuntu 14.04 Server Installation.
3. A static IP Address configured for your AD DC server.

Step 1: Initial Configuration for Samba4

1. Before proceeding your Samba4 AD DC installation first let’s run a few pre-required steps.
First make sure the system is up to date with the last security features, kernels and packages by
issuing the below command:

$ sudo apt-get update


$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade

2. Next, open the machine's /etc/fstab file and make sure that your partitions' file systems have
ACLs enabled, as illustrated in the screenshot below.

Usually, common modern Linux file systems such as ext3, ext4, xfs or btrfs support ACLs and have
them enabled by default. If that's not the case with your file system, open the /etc/fstab file
for editing, add the acl string at the end of third column and reboot the machine in order to
apply the changes.

Enable ACL's on Linux Filesystem

3. Finally, set your machine hostname to a descriptive name, such as adc1 used in this
example, by editing the /etc/hostname file or by issuing the command below:

$ sudo hostnamectl set-hostname adc1

A reboot is necessary after you’ve changed your machine name in order to apply changes.

Step 2: Install Required Packages for Samba4 AD DC


4. In order to transform your server into an Active Directory Domain Controller, install Samba
and all the required packages on your machine by issuing the below command with root
privileges in a console.

$ sudo apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind

Install Samba on Ubuntu

5. While the installation is running a series of questions will be asked by the installer in order to
configure the domain controller.

On the first screen you will need to add a name for the Kerberos default REALM in uppercase. Enter
the name you will be using for your domain in uppercase and hit Enter to continue.

Configuring Kerberos Authentication

6. Next, enter the hostname of the Kerberos server for your domain. Use the same name as for your
domain, in lowercase this time, and hit Enter to continue.

Set Hostname Kerberos Server

7. Finally, specify the hostname for the administrative server of your Kerberos realm. Use the
same as your domain and hit Enter to finish the installation.

Set Hostname Administrative Server

Step 3: Provision Samba AD DC for Your Domain

8. Before starting to configure Samba for your domain, first run the below commands in order to
stop and disable all samba daemons.

$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

9. Next, rename or remove Samba's original configuration. This step is absolutely required before
provisioning Samba AD because at provision time Samba will create a new configuration
file from scratch and will throw errors if it finds an old smb.conf file.

$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial

10. Now, start the domain provisioning interactively by issuing the below command with root
privileges and accept the default options that Samba provides you.

Also, make sure you supply the IP address for a DNS forwarder at your premises (or external)
and choose a strong password for the Administrator account. If you choose a weak password for
the Administrator account, the domain provision will fail.

$ sudo samba-tool domain provision --use-rfc2307 --interactive


Samba Domain Provisioning

11. Finally, rename or remove the main Kerberos configuration file from the /etc directory and
replace it with a symlink to the Kerberos file newly generated by Samba, located in the
/var/lib/samba/private path, by issuing the commands below:

$ sudo mv /etc/krb5.conf /etc/krb5.conf.initial
$ sudo ln -s /var/lib/samba/private/krb5.conf /etc/

Create Kerberos Configuration

12. Start and enable Samba Active Directory Domain Controller daemons.

$ sudo systemctl start samba-ad-dc.service
$ sudo systemctl status samba-ad-dc.service
$ sudo systemctl enable samba-ad-dc.service

Enable Samba Active Directory Domain Controller

13. Next, use netstat command in order to verify the list of all services required by an Active
Directory to run properly.

$ sudo netstat -tulpn | egrep 'smbd|samba'

Verify Samba Active Directory

Step 4: Final Samba Configurations


14. At this moment Samba should be fully operational at your premises. The highest domain
level Samba is emulating should be Windows AD DC 2008 R2.

It can be verified with the help of samba-tool utility.

$ sudo samba-tool domain level show

Verify Samba Domain Level

15. In order for DNS resolution to work locally, you need to open and edit the network interface
settings and point the DNS resolution to your Domain Controller by setting the dns-nameservers
statement to its IP Address (use 127.0.0.1 for local DNS resolution) and the dns-search
statement to your realm.

$ sudo cat /etc/network/interfaces
$ sudo cat /etc/resolv.conf

Configure DNS for Samba AD

When finished, reboot your server and take a look at your resolver file to make sure it points
back to the right DNS name servers.

16. Finally, test the DNS resolver by issuing queries and pings against some AD DC crucial
records, as in the below excerpt. Replace the domain name accordingly.

$ ping -c3 tecmint.lan #Domain Name
$ ping -c3 adc1.tecmint.lan #FQDN
$ ping -c3 adc1 #Host

Check Samba AD DNS Records

Run the following queries against the Samba Active Directory Domain Controller.

$ host -t A tecmint.lan
$ host -t A adc1.tecmint.lan
$ host -t SRV _kerberos._udp.tecmint.lan # UDP Kerberos SRV record
$ host -t SRV _ldap._tcp.tecmint.lan # TCP LDAP SRV record

17. Also, verify Kerberos authentication by requesting a ticket for the domain administrator
account and list the cached ticket. Write the domain name portion with uppercase.

$ kinit administrator@TECMINT.LAN
$ klist

Check Kerberos Authentication on Domain

That's all! Now you have a fully operational AD Domain Controller installed in your network
and you can start integrating Windows or Linux machines into Samba AD.

In the next parts of the series we'll cover other Samba AD topics, such as how to manage your
domain controller from the Samba command line, how to integrate Windows 10 into the domain
and manage Samba AD remotely using RSAT, and other important topics.


Domain Name Service (DNS)


Domain Name Service (DNS) is an Internet service that maps IP addresses and fully qualified
domain names (FQDN) to one another. In this way, DNS alleviates the need to remember IP
addresses. Computers that run DNS are called name servers. Ubuntu ships with BIND (Berkeley
Internet Naming Daemon), the most common program used for maintaining a name server on
Linux.

Installation
At a terminal prompt, enter the following command to install dns:

sudo apt install bind9

A very useful package for testing and troubleshooting DNS issues is the dnsutils package.
Very often these tools will be installed already, but to check and/or install dnsutils enter the
following:

sudo apt install dnsutils


Configuration
There are many ways to configure BIND9. Some of the most common configurations are a
caching nameserver, primary server, and secondary server.

 When configured as a caching nameserver BIND9 will find the answer to name queries
and remember the answer when the domain is queried again.
 As a primary server, BIND9 reads the data for a zone from a file on its host and is
authoritative for that zone.
 As a secondary server, BIND9 gets the zone data from another nameserver that is
authoritative for the zone.

Overview
The DNS configuration files are stored in the /etc/bind directory. The primary configuration
file is /etc/bind/named.conf, which in the layout provided by the package just includes these
files.

 /etc/bind/named.conf.options: global DNS options
 /etc/bind/named.conf.local: for your zones
 /etc/bind/named.conf.default-zones: default zones such as localhost, its reverse,
and the root hints

The root nameservers used to be described in the file /etc/bind/db.root. This is now provided
instead by the /usr/share/dns/root.hints file shipped with the dns-root-data package, and
is referenced in the named.conf.default-zones configuration file above.

It is possible to configure the same server to be a caching name server, primary, and secondary:
it all depends on the zones it is serving. A server can be the Start of Authority (SOA) for one
zone, while providing secondary service for another zone, all the while providing caching
services for hosts on the local LAN.

Caching Nameserver
The default configuration acts as a caching server. Simply uncomment and edit
/etc/bind/named.conf.options to set the IP addresses of your ISP’s DNS servers:

forwarders {
1.2.3.4;
5.6.7.8;
};

Note
Replace 1.2.3.4 and 5.6.7.8 with the IP Addresses of actual nameservers.

To enable the new configuration, restart the DNS server. From a terminal prompt:

sudo systemctl restart bind9.service

See dig for information on testing a caching DNS server.

Primary Server
In this section BIND9 will be configured as the Primary server for the domain example.com.
Simply replace example.com with your FQDN (Fully Qualified Domain Name).

Forward Zone File

To add a DNS zone to BIND9, turning BIND9 into a Primary server, first edit
/etc/bind/named.conf.local:

zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};

Note

If bind will be receiving automatic updates to the file as with DDNS, then use
/var/lib/bind/db.example.com rather than /etc/bind/db.example.com both here and in the
copy command below.

Now use an existing zone file as a template to create the /etc/bind/db.example.com file:

sudo cp /etc/bind/db.local /etc/bind/db.example.com

Edit the new zone file /etc/bind/db.example.com and change localhost. to the FQDN of
your server, leaving the additional . at the end. Change 127.0.0.1 to the nameserver’s IP
Address and root.localhost to a valid email address, but with a . instead of the usual @
symbol, again leaving the . at the end. Change the comment to indicate the domain that this file
is for.

Create an A record for the base domain, example.com. Also, create an A record for
ns.example.com, the name server in this example:

;
; BIND data file for example.com
;
$TTL 604800
@ IN SOA example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL

@ IN NS ns.example.com.
@ IN A 192.168.1.10
@ IN AAAA ::1
ns IN A 192.168.1.10

You must increment the Serial Number every time you make changes to the zone file. If you
make multiple changes before restarting BIND9, simply increment the Serial once.

Now, you can add DNS records to the bottom of the zone file. See Common Record Types for
details.

Note

Many admins like to use the last date edited as the serial of a zone, such as 2020012100 which is
yyyymmddss (where ss is the Serial Number)

Once you have made changes to the zone file BIND9 needs to be restarted for the changes to
take effect:

sudo systemctl restart bind9.service

Reverse Zone File

Now that the zone is set up and resolving names to IP Addresses, a Reverse zone needs to be
added to allow DNS to resolve an address to a name.

Edit /etc/bind/named.conf.local and add the following:

zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
};

Note

Replace 1.168.192 with the first three octets of whatever network you are using. Also, name the
zone file /etc/bind/db.192 appropriately. It should match the first octet of your network.

Now create the /etc/bind/db.192 file:

sudo cp /etc/bind/db.127 /etc/bind/db.192

Next edit /etc/bind/db.192 changing the same options as /etc/bind/db.example.com:


;
; BIND reverse data file for local 192.168.1.XXX net
;
$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.example.com.
10 IN PTR ns.example.com.

The Serial Number in the Reverse zone needs to be incremented on each change as well. For
each A record you configure in /etc/bind/db.example.com, that is for a different address, you
need to create a PTR record in /etc/bind/db.192.

After creating the reverse zone file restart BIND9:

sudo systemctl restart bind9.service
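The rule above (one PTR record for every distinct address that has an A record) is easy to drift from as a zone grows. The following check is an added example, not part of the original guide: it compares a forward zone with a reverse zone and prints the PTR lines that are missing. The zone texts are constructed from this guide's examples, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample data: the zone files from this section, plus the "www"
# and "mail" A records from the Common Record Types list.
FORWARD_ZONE = """\
$TTL 604800
@    IN SOA example.com. root.example.com. (
             3 ; Serial
        604800 ; Refresh
         86400 ; Retry
       2419200 ; Expire
        604800 ) ; Negative Cache TTL
@    IN NS   ns.example.com.
@    IN A    192.168.1.10
@    IN AAAA ::1
ns   IN A    192.168.1.10
www  IN A    192.168.1.12
mail IN A    192.168.1.13
"""

REVERSE_ZONE = """\
$TTL 604800
@    IN SOA ns.example.com. root.example.com. (
             2 ; Serial
        604800 ; Refresh
         86400 ; Retry
       2419200 ; Expire
        604800 ) ; Negative Cache TTL
@    IN NS   ns.example.com.
10   IN PTR  ns.example.com.
"""


def fqdn(name, origin):
    """Expand a zone-file owner name ('@', relative or absolute) to an FQDN."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def records(zone_text, origin, rtype):
    """Return (owner_fqdn, rdata) pairs for one record type.

    Handles the one-record-per-line layout used above; records that inherit
    their owner from the previous line (leading whitespace) are not parsed.
    """
    pattern = re.compile(rf"^(\S+)\s+(?:\d+\s+)?IN\s+{rtype}\s+(\S+)", re.I)
    found = []
    for line in zone_text.splitlines():
        match = pattern.match(line.split(";", 1)[0])  # drop ';' comments
        if match:
            found.append((fqdn(match.group(1), origin), match.group(2)))
    return found


def missing_ptrs(fwd_text, fwd_origin, rev_text, rev_origin):
    """Map each in-zone address that has an A record but no PTR to its names."""
    zone = rev_origin.rstrip(".").lower()
    have = {owner.rstrip(".") for owner, _ in records(rev_text, rev_origin, "PTR")}
    missing = {}
    for owner, addr in records(fwd_text, fwd_origin, "A"):
        rname = ipaddress.ip_address(addr).reverse_pointer
        if not rname.endswith("." + zone):
            continue  # address belongs to some other reverse zone
        if rname not in have:
            missing.setdefault(addr, []).append(owner)
    return missing


def ptr_lines(missing, rev_origin):
    """Render the PTR records to add to the reverse zone file."""
    zone = rev_origin.rstrip(".")
    lines = []
    for addr in sorted(missing, key=ipaddress.ip_address):
        rname = ipaddress.ip_address(addr).reverse_pointer
        label = rname[: -(len(zone) + 1)]  # keep only the host part, e.g. "12"
        lines.append(f"{label}\tIN\tPTR\t{missing[addr][0]}")
    return lines


if __name__ == "__main__":
    gaps = missing_ptrs(FORWARD_ZONE, "example.com.", REVERSE_ZONE,
                        "1.168.192.in-addr.arpa.")
    for line in ptr_lines(gaps, "1.168.192.in-addr.arpa."):
        print(line)
```

After adding the suggested lines to /etc/bind/db.192, increment the reverse zone's Serial Number as described above.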

Secondary Server
Once a Primary Server has been configured a Secondary Server is highly recommended in order
to maintain the availability of the domain should the Primary become unavailable.

First, on the Primary server, the zone transfer needs to be allowed. Add the allow-transfer
option to the example Forward and Reverse zone definitions in /etc/bind/named.conf.local:

zone "example.com" {
type master;
file "/etc/bind/db.example.com";
allow-transfer { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
allow-transfer { 192.168.1.11; };
};

Note

Replace 192.168.1.11 with the IP Address of your Secondary nameserver.

Restart BIND9 on the Primary server:

sudo systemctl restart bind9.service


Next, on the Secondary server, install the bind9 package the same way as on the Primary. Then
edit the /etc/bind/named.conf.local and add the following declarations for the Forward and
Reverse zones:

zone "example.com" {
type slave;
file "db.example.com";
masters { 192.168.1.10; };
};

zone "1.168.192.in-addr.arpa" {
type slave;
file "db.192";
masters { 192.168.1.10; };
};

Note

Replace 192.168.1.10 with the IP Address of your Primary nameserver.

Restart BIND9 on the Secondary server:

sudo systemctl restart bind9.service

In /var/log/syslog you should see something similar to the following (some lines have been
split to fit the format of this document):

client 192.168.1.10#39448: received notify for zone '1.168.192.in-addr.arpa'
zone 1.168.192.in-addr.arpa/IN: Transfer started.
transfer of '100.18.172.in-addr.arpa/IN' from 192.168.1.10#53:
connected using 192.168.1.11#37531
zone 1.168.192.in-addr.arpa/IN: transferred serial 5
transfer of '100.18.172.in-addr.arpa/IN' from 192.168.1.10#53:
Transfer completed: 1 messages,
6 records, 212 bytes, 0.002 secs (106000 bytes/sec)
zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 5)

client 192.168.1.10#20329: received notify for zone 'example.com'
zone example.com/IN: Transfer started.
transfer of 'example.com/IN' from 192.168.1.10#53: connected using
192.168.1.11#38577
zone example.com/IN: transferred serial 5
transfer of 'example.com/IN' from 192.168.1.10#53: Transfer completed: 1
messages,
8 records, 225 bytes, 0.002 secs (112500 bytes/sec)

Note

A zone is only transferred if the Serial Number on the Primary is larger than the one on the
Secondary. If you want to have your Primary DNS notifying other Secondary DNS Servers of
zone changes, you can add also-notify { ipaddress; }; to /etc/bind/named.conf.local
as shown in the example below:

zone "example.com" {
type master;
file "/etc/bind/db.example.com";
allow-transfer { 192.168.1.11; };
also-notify { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
allow-transfer { 192.168.1.11; };
also-notify { 192.168.1.11; };
};

Note

The default directory for non-authoritative zone files is /var/cache/bind/. This directory is
also configured in AppArmor to allow the named daemon to write to it. For more information on
AppArmor see Security - AppArmor.
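The serial rules from the Primary Server notes (increment on every change, optionally in yyyymmddss form) and the transfer rule stated above (the Secondary only pulls a larger serial) can be applied mechanically. The following is an added example, not part of the original guide: it raises the SOA serial in a zone file and shows why going back to a small counter after using a date-based serial stops replication. The sample zone is constructed and the function names are hypothetical.

```python
import datetime
import re

# Constructed sample: the SOA record from the forward zone file above.
SAMPLE_ZONE = """\
$TTL 604800
@ IN SOA example.com. root.example.com. (
        2 ; Serial
   604800 ; Refresh
    86400 ; Retry
  2419200 ; Expire
   604800 ) ; Negative Cache TTL
@ IN NS ns.example.com.
"""

# The first number after the SOA record's opening parenthesis is the serial.
SOA_SERIAL = re.compile(r"\bSOA\b[^()\n]*\(\s*(\d+)", re.I)
MAX_SERIAL = 2**32 - 1  # the SOA serial is an unsigned 32-bit field


def next_serial(current, today):
    """Return a serial larger than `current`, in yyyymmddss form if possible.

    - current is older than today's date (or a plain counter such as 2):
      jump to today's date with ss = 00.
    - current already carries today's date (or a later number): add one, so
      the result is always strictly larger, even past ss = 99.
    """
    base = int(today.strftime("%Y%m%d")) * 100  # e.g. 2020012100
    new = base if current < base else current + 1
    if new > MAX_SERIAL:
        raise ValueError(f"serial {new} does not fit in 32 bits")
    return new


def bump_zone_serial(zone_text, today):
    """Return (new_zone_text, old_serial, new_serial) with the serial raised."""
    match = SOA_SERIAL.search(zone_text)
    if match is None:
        raise ValueError("no SOA serial found")
    old = int(match.group(1))
    new = next_serial(old, today)
    start, end = match.span(1)
    return zone_text[:start] + str(new) + zone_text[end:], old, new


def secondary_will_transfer(primary_serial, secondary_serial):
    """The rule as stated above: transfer only if the Primary's is larger."""
    return primary_serial > secondary_serial


if __name__ == "__main__":
    day = datetime.date(2020, 1, 21)
    text, old, new = bump_zone_serial(SAMPLE_ZONE, day)
    print(f"serial {old} -> {new}")
    # A Secondary holding 2020012100 ignores a Primary that was reset to 6.
    print(secondary_will_transfer(6, 2020012100))
```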

Troubleshooting
This section covers diagnosing problems with DNS and BIND9 configurations.

Testing
resolv.conf

The first step in testing BIND9 is to add the nameserver's IP Address to a host's resolver. The
Primary nameserver should be configured as well as another host to double check things. Refer
to DNS client configuration for details on adding nameserver addresses to your network clients.
In the end your nameserver line in /etc/resolv.conf should be pointing at 127.0.0.53 and
you should have a search parameter for your domain. Something like this:

nameserver 127.0.0.53
search example.com

To check which DNS server your local resolver is using, run:

systemd-resolve --status

Note
You should also add the IP Address of the Secondary nameserver to your client configuration in
case the Primary becomes unavailable.

dig

If you installed the dnsutils package you can test your setup using the DNS lookup utility dig:

 After installing BIND9 use dig against the loopback interface to make sure it is listening
on port 53. From a terminal prompt:

dig -x 127.0.0.1

You should see lines similar to the following in the command output:

;; Query time: 1 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)

 If you have configured BIND9 as a Caching nameserver “dig” an outside domain to
check the query time:

dig ubuntu.com

Note the query time toward the end of the command output:

;; Query time: 49 msec

After a second dig there should be improvement:

;; Query time: 1 msec

ping

Now to demonstrate how applications make use of DNS to resolve a host name use the ping
utility to send an ICMP echo request:

ping example.com

This tests if the nameserver can resolve the name ns.example.com to an IP Address. The
command output should resemble:

PING ns.example.com (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.800 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.813 ms

named-checkzone

A great way to test your zone files is by using the named-checkzone utility installed with the
bind9 package. This utility allows you to make sure the configuration is correct before restarting
BIND9 and making the changes live.

 To test our example Forward zone file enter the following from a command prompt:

named-checkzone example.com /etc/bind/db.example.com

If everything is configured correctly you should see output similar to:

zone example.com/IN: loaded serial 6
OK

 Similarly, to test the Reverse zone file enter the following:

named-checkzone 1.168.192.in-addr.arpa /etc/bind/db.192

The output should be similar to:

zone 1.168.192.in-addr.arpa/IN: loaded serial 3
OK

Note

The Serial Number of your zone file will probably be different.

Quick temporary query logging

With the rndc tool, you can quickly turn query logging on and off, without restarting the service
or changing the configuration file.

To turn query logging on, run:

sudo rndc querylog on

Likewise, to turn it off, run:

sudo rndc querylog off

The logs will be sent to syslog and will show up in /var/log/syslog by default:

Jan 20 19:40:50 new-n1 named[816]: received control channel command 'querylog on'
Jan 20 19:40:50 new-n1 named[816]: query logging is now on
Jan 20 19:40:57 new-n1 named[816]: client @0x7f48ec101480 192.168.1.10#36139
(ubuntu.com): query: ubuntu.com IN A +E(0)K (192.168.1.10)

Note

The amount of logs generated by enabling querylog could be huge!
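Because the query log grows quickly, it is more useful summarized than read line by line. The following parser is an added example, not part of the original guide: it counts queries per client and record type and lists zone transfer requests from hosts that are not in the allow-transfer list configured earlier. Only the first two sample lines come from this page; the others are constructed, and it is an assumption that transfer requests appear in the query log with type AXFR or IXFR.

```python
import re
from collections import Counter

# Sample syslog lines in the querylog format shown above. The first two are
# from this page; the remaining lines are constructed for illustration.
SAMPLE_LOG = """\
Jan 20 19:40:50 new-n1 named[816]: query logging is now on
Jan 20 19:40:57 new-n1 named[816]: client @0x7f48ec101480 192.168.1.10#36139 (ubuntu.com): query: ubuntu.com IN A +E(0)K (192.168.1.10)
Jan 20 19:41:02 new-n1 named[816]: client @0x7f48ec101480 192.168.1.20#40211 (www.example.com): query: www.example.com IN A +E(0)K (192.168.1.10)
Jan 20 19:41:09 new-n1 named[816]: client @0x7f48ec101480 192.168.1.20#40377 (www.example.com): query: www.example.com IN A +E(0)K (192.168.1.10)
Jan 20 19:42:15 new-n1 named[816]: client @0x7f48ec101480 192.168.1.11#37531 (example.com): query: example.com IN AXFR -T (192.168.1.10)
Jan 20 19:43:30 new-n1 named[816]: client @0x7f48ec101480 192.168.1.50#51822 (example.com): query: example.com IN AXFR -T (192.168.1.10)
Jan 20 19:43:31 new-n1 named[816]: client @0x7f48ec101480 192.168.1.50#51824 (1.168.192.in-addr.arpa): query: 1.168.192.in-addr.arpa IN AXFR -T (192.168.1.10)
"""

# client <optional object id> <ip>#<port> (<name>): query: <name> <class> <type> <flags> (<server ip>)
QUERY = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<client>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
    r" \((?P<orig>[^)]*)\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
    r" (?P<flags>\S+) \((?P<server>[^)]+)\)"
)

# Hosts listed in allow-transfer on the Primary (the Secondary in this guide).
ALLOW_TRANSFER = {"192.168.1.11"}
TRANSFER_TYPES = {"AXFR", "IXFR"}  # assumption: logged as the query type


def parse_queries(log_text):
    """Yield one dict per 'query:' line; other named messages are skipped."""
    for line in log_text.splitlines():
        match = QUERY.search(line)
        if match:
            entry = match.groupdict()
            # A leading '+' in the flags field means recursion was requested.
            entry["recursion_desired"] = entry["flags"].startswith("+")
            yield entry


def summarize(log_text, allow_transfer=ALLOW_TRANSFER):
    """Count queries per (client, qtype) and collect transfer requests made
    by clients that are not in the allow-transfer list."""
    counts = Counter()
    unexpected = []
    for query in parse_queries(log_text):
        counts[(query["client"], query["qtype"])] += 1
        if query["qtype"] in TRANSFER_TYPES and query["client"] not in allow_transfer:
            unexpected.append((query["client"], query["qname"], query["qtype"]))
    return counts, unexpected


if __name__ == "__main__":
    counts, unexpected = summarize(SAMPLE_LOG)
    for (client, qtype), n in counts.most_common():
        print(f"{client:15} {qtype:5} {n}")
    for client, zone, qtype in unexpected:
        print(f"transfer request outside allow-transfer: {client} {qtype} {zone}")
```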

Logging
BIND9 has a wide variety of logging configuration options available, but the two main ones are
channel and category, which configure where logs go, and what information gets logged,
respectively.

If no logging options are configured the default configuration is:

logging {
category default { default_syslog; default_debug; };
category unmatched { null; };
};

Let’s instead configure BIND9 to send debug messages related to DNS queries to a separate file.

We need to configure a channel to specify which file to send the messages to, and a category. In
this example, the category will log all queries. Edit /etc/bind/named.conf.local and add the
following:

logging {
channel query.log {
file "/var/log/named/query.log";
severity debug 3;
};
category queries { query.log; };
};

Note

The debug option can be set from 1 to 3. If a level isn’t specified, level 1 is the default.

 Since the named daemon runs as the bind user the /var/log/named directory must be
created and the ownership changed:

sudo mkdir /var/log/named
sudo chown bind:bind /var/log/named

 Now restart BIND9 for the changes to take effect:

sudo systemctl restart bind9.service

You should see the file /var/log/named/query.log fill with query information. This is a
simple example of the BIND9 logging options. For coverage of advanced options see More
Information.

References
Common Record Types
This section covers some of the most common DNS record types.

 A record: This record maps an IP Address to a hostname.

www IN A 192.168.1.12

 CNAME record: Used to create an alias to an existing A record. You cannot create a CNAME
record pointing to another CNAME record.

web IN CNAME www

 MX record: Used to define where email should be sent to. Must point to an A record, not a
CNAME.

@ IN MX 1 mail.example.com.
mail IN A 192.168.1.13

 NS record: Used to define which servers serve copies of a zone. It must point to an A
record, not a CNAME. This is where Primary and Secondary servers are defined.

@ IN NS ns.example.com.
@ IN NS ns2.example.com.
ns IN A 192.168.1.10

Definition of 'Web Server'

Definition: A web server is a computer that runs websites. It's a computer program that
distributes web pages as they are requisitioned. The basic objective of the web server is to store,
process and deliver web pages to the users. This intercommunication is done using Hypertext
Transfer Protocol (HTTP). These web pages are mostly static content that includes HTML
documents, images, style sheets, text etc. Apart from HTTP, a web server also supports the SMTP
(Simple Mail Transfer Protocol) and FTP (File Transfer Protocol) protocols for emailing and for
file transfer and storage.

Description: The main job of a web server is to display the website content. If a web server is
not exposed to the public and is used internally, then it is called Intranet Server. When anyone
requests for a website by adding the URL or web address on a web browser’s (like Chrome or
Firefox) address bar (like www.economictimes.com), the browser sends a request to the Internet
for viewing the corresponding web page for that address. A Domain Name Server (DNS)
converts this URL to an IP Address (For example 192.168.216.345), which in turn points to a
Web Server.

The Web Server is requested to present the website content to the user’s browser. All websites
on the Internet have a unique identifier in terms of an IP address. This Internet Protocol address
is used to communicate between different servers across the Internet. These days, Apache server
is the most common web server available in the market. Apache is an open source software that
handles almost 70 percent of all websites available today. Most of the web-based applications
use Apache as their default Web Server environment. Another web server that is generally
available is Internet Information Service (IIS). IIS is owned by Microsoft.

web server
Posted by: Margaret Rouse
WhatIs.com
Contributor(s): Alexander Gillis; James B. Lingan






A web server is software and hardware that uses HTTP (Hypertext Transfer Protocol) and other
protocols to respond to client requests made over the World Wide Web. The main job of a web
server is to display website content through storing, processing and delivering webpages to users.
Besides HTTP, web servers also support SMTP (Simple Mail Transfer Protocol) and FTP (File
Transfer Protocol), used for email, file transfer and storage.

Web server hardware is connected to the internet and allows data to be exchanged with other
connected devices, while web server software controls how a user accesses hosted files. The web
server process is an example of the client/server model. All computers that host websites must
have web server software.

Web servers are used in web hosting, or the hosting of data for websites and web-based
applications -- or web applications.

How do web servers work?

Web server software is accessed through the domain names of websites and ensures the delivery
of the site's content to the requesting user. The software side is also comprised of several
components, with at least an HTTP server. The HTTP server is able to understand HTTP and
URLs. As hardware, a web server is a computer that stores web server software and other files
related to a website, such as HTML documents, images and JavaScript files.

When a web browser, like Google Chrome or Firefox, needs a file that's hosted on a web server,
the browser will request the file by HTTP. When the request is received by the web server, the
HTTP server will accept the request, find the content and send it back to the browser through
HTTP.

More specifically, when a browser requests a page from a web server, the process will follow a
series of steps. First, a person will specify a URL in a web browser's address bar. The web
browser will then obtain the IP address of the domain name -- either translating the URL through
DNS (Domain Name System) or by searching in its cache. This will bring the browser to a web
server. The browser will then request the specific file from the web server by an HTTP request.
The web server will respond, sending the browser the requested page, again, through HTTP. If
the requested page does not exist or if something goes wrong, the web server will respond with
an error message. The browser will then be able to display the webpage.
Multiple domains also can be hosted on one web server.

Examples of web server uses

Web servers often come as part of a larger package of internet- and intranet-related programs
that are used for:

 sending and receiving emails;


 downloading requests for File Transfer Protocol (FTP) files; and
 building and publishing webpages.

Many basic web servers will also support server-side scripting, which is used to employ scripts
on a web server that can customize the response to the client. Server-side scripting runs on the
server machine and typically has a broad feature set, which includes database access. The server-
side scripting process will also use Active Server Pages (ASP), Hypertext Preprocessor (PHP)
and other scripting languages. This process also allows HTML documents to be created
dynamically.

Dynamic vs. static web servers

A web server can be used to serve either static or dynamic content. Static refers to the content
being shown as is, while dynamic content can be updated and changed. A static web server will
consist of a computer and HTTP software. It is considered static because the server will send
hosted files as is to a browser.

Dynamic web servers will consist of a web server and other software such as an application
server and database. It is considered dynamic because the application server can be used to
update any hosted files before they are sent to a browser. The web server can generate content
when it is requested from the database. Though this process is more flexible, it is also more
complicated.

Common and top web server software on the market

There are a number of common web servers available, including:

 Apache HTTP Server. Developed by Apache Software Foundation, it is a free and open
source web server for Windows, Mac OS X, Unix, Linux, Solaris and other operating
systems; it needs the Apache license.
 Microsoft Internet Information Services (IIS). Developed by Microsoft for Microsoft
platforms; it is not open sourced, but widely used.
 Nginx. A popular open source web server for administrators because of its light resource
utilization and scalability. It can handle many concurrent sessions due to its event-driven
architecture. Nginx also can be used as a proxy server and load balancer.
 Lighttpd. A free web server that comes with the FreeBSD operating system. It is seen as
fast and secure, while consuming less CPU power.
 Sun Java System Web Server. A free web server from Sun Microsystems that can run
on Windows, Linux and Unix. It is well-equipped to handle medium to large websites.

Leading web servers include Apache, Microsoft's Internet Information Services (IIS)
and Nginx -- pronounced engine X. Other web servers include Novell's NetWare server, Google
Web Server (GWS) and IBM's family of Domino servers.

Considerations in choosing a web server include how well it works with the operating system
and other servers; its ability to handle server-side programming; security characteristics; and the
publishing, search engine and site-building tools that come with it. Web servers may also have
different configurations and set default values. For a high-performance web server, high
throughput and low latency will help.

Web server security practices

There are plenty of security practices individuals can set around web server use that can make for
a safer experience. A few example security practices can include processes like:

 a reverse proxy, which is designed to hide an internal server and act as an intermediary
for traffic originating on an internal server;
 access restriction through processes such as limiting the web host's access to
infrastructure machines or using Secure Socket Shell (SSH);
 keeping web servers patched and up to date to help ensure the web server isn't susceptible
to vulnerabilities;
 network monitoring to make sure there isn't any unauthorized activity; and
 using a firewall and SSL as firewalls can monitor HTTP traffic while having a Secure
Sockets Layer (SSL) can help keep data secure.
