Category Archives: DNS

Migrating a computer with ADMT gives the error "Logon Failure: The target account name is incorrect"

If you’re doing cross-forest migration projects you have most likely gained a lot of experience, but the more of these projects you do, the more different types of errors and issues you will see come up.

One of the issues I had in one of the cross-forest projects I did earlier was the following error:

To start troubleshooting, we’ll first rule out the following main causes:

  1. Checked DNS.
  2. Checked related services (NetBIOS, RPC, Computer Browser, etc.).
  3. Checked the firewalls (Kaspersky and Windows) and disabled them both.
  4. Checked the connected DC and changed it to a different one.
  5. Checked DC and FRS (File Replication Service) replication and health.

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server smart0188$. The target name used was RPCSS/Smart0248.smartmoss.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SMARTMOSS.LOCAL) is different from the client domain (SMARTMOSS.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Suppose you have a domain member named DOMAINMEMBER. You can reset the member secure channel by using the following command:

NETDOM MEMBER \\DOMAINMEMBER /JOINDOMAIN

From <https://support.microsoft.com/en-us/kb/175024/>

You can run the command above on the member DOMAINMEMBER or on any other member or domain controller of the domain, provided that you are logged on with an account that has administrator access to DOMAINMEMBER.

The output received from the command should be similar to the following:

Searching PDC for domain DOMAIN …
Found PDC \\DOMAINPDC
Querying domain information on PDC \\DOMAINPDC
Querying domain information on computer \\DOMAINMEMBER
Computer \\DOMAINMEMBER is already a member of domain DOMAIN.
Verifying secure channel on \\DOMAINMEMBER
Verifying the computer account on the PDC \\DOMAINPDC
Resetting secure channel …
Changing computer account on PDC \\DOMAINPDC
Stopping service NETLOGON on \\DOMAINMEMBER …. stopped.
Starting service NETLOGON on \\DOMAINMEMBER …. started.
Querying user groups of \\DOMAINMEMBER
Adding DOMAIN domain groups on \\DOMAINMEMBER

The computer \\DOMAINMEMBER joined the domain DOMAIN successfully.

Logoff/Logon \\DOMAINMEMBER to take modifications into effect.

From <https://support.microsoft.com/en-us/kb/175024/>

Solution 1-

nltest.exe can be used to check the channel and attempt to reset it.

nltest.exe /sc_verify:smartmoss.local

If that does not do it, you can restart the netlogon service (I mainly use PowerShell, so I’ll give an example of that).

Get-Service netlogon | restart-service
nltest.exe /sc_verify:<fully.qualified.domain.name.here>

I ran the nltest command after restarting the service to validate that the secure channel was back in operation.

If you’ve made network changes (IP addresses, hardware changes, virtualizing, etc.) you might want to flush your DNS cache and clear your ARP table before running the commands above.

ipconfig /flushdns
arp -d *
Get-Service netlogon | restart-service
nltest.exe /sc_verify:<fully.qualified.domain.name.here>

Let’s find out which DC the client is connected to:

nltest /dsgetdc:Dc.local

Point the client to a different DC:

nltest /Server:client0 /SC_RESET:DC.Local\DC02
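Putting the checks above together, here is an added PowerShell script (not from the original post) that verifies and, only if broken, repairs the client’s secure channel, shows which DC it is using, and then looks for the SPN problem the Kerberos event describes: HOST/ or RPCSS/ SPNs for the target server registered on an account other than its own. The domain and host names default to the ones from the event above, and the built-in [adsisearcher] accelerator is used so no RSAT module is required.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell on a
# domain-joined machine; the defaults are the names from the Kerberos event above.
param(
    [string]$Domain     = 'smartmoss.local',
    [string]$TargetHost = 'Smart0248'   # server named in the KRB_AP_ERR_MODIFIED event
)

# 1. Which DC is this client using? Same query the post runs with nltest.
nltest "/dsgetdc:$Domain"

# 2. Secure channel of THIS machine: verify first, repair only if it is broken.
if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel to $Domain is healthy."
} else {
    Write-Warning "Secure channel is broken; resetting the machine account password."
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential "$Domain\Administrator")
}

# 3. SPN check. The event blames RPCSS/<host>; the KDC maps RPCSS (like many other
#    service classes) onto the HOST/ SPN, so each must belong to exactly one object:
#    the target's own computer account (TargetHost$).
$ownAccount = "$TargetHost`$"
foreach ($class in 'HOST', 'RPCSS') {
    $spn      = "$class/$TargetHost"
    # Searches the domain this machine is joined to; for the other forest of a
    # cross-forest migration set $searcher.SearchRoot to that domain first.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn*)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $holders  = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })

    switch ($holders.Count) {
        0 { Write-Host "$spn : not registered explicitly (fine for RPCSS when HOST/ exists)" }
        1 {
            if ($holders[0] -ieq $ownAccount) {
                Write-Host "$spn : OK, registered on $($holders[0])"
            } else {
                Write-Warning "$spn is registered on $($holders[0]) instead of $ownAccount; fix with setspn"
            }
        }
        default { Write-Warning "$spn is registered on several accounts: $($holders -join ', ')" }
    }
}
```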

Testing tool

Checked the following tool:

http://www.lansweeper.com/kb/2/The-RPC-server-is-unavailable.html

Checked the services RPC and Computer Browser.

Solution 2-

There is a bug in MS after 400 days of uptime where they don’t tear down their TIME_WAIT connections, so the server runs out of sockets and can’t make connections to the DC – a reboot should fix this issue temporarily.

From <http://community.spiceworks.com/topic/218426-there-are-currently-no-logon-servers-available-to-service-the-logon-request>

net stats srv


DoT/DoH: Google launches secure DNS, but Chrome doesn’t support it yet

You might have heard that Google very recently launched DNS over TLS for Google Public DNS, the most commonly used DNS recursive resolver worldwide.

Google announced it in the following article:

https://security.googleblog.com/2019/01/google-public-dns-now-supports-dns-over.html

Google Public DNS is the world’s largest public Domain Name Service (DNS) recursive resolver, allowing anyone to convert Internet domain names like www.example.com into Internet addresses needed by an email application or web browser. Just as your search queries can expose sensitive information, the domains you lookup via DNS can also be sensitive. Starting today, users can secure queries between their devices and Google Public DNS with DNS-over-TLS, preserving their privacy and integrity.

(DoH) Support for Google Chrome

Although the service is now available, you still can’t use it on Windows 10, since Microsoft hasn’t added support yet. Linux distributions such as Ubuntu already support DoT.

Alternative browsers with DoH support

Firefox Nightly, which is aimed at power users and developers, already supports DNS over HTTPS (DoH). When I tested it I could see no plain-text DNS queries in my Wireshark capture for the websites I visited.

I used Godaddy.com as an example to see whether Wireshark would show the requested website in the DNS-filtered traffic. With Firefox Nightly, no DNS result showed up in Wireshark.

Checking the result with Chrome

Visiting Godaddy.com in Chrome gave a different result: here everything is clear text. Even though I am using the Simple DNSCrypt app, the DNS traffic is still exposed.

Even when I changed the DNS settings on my NIC to 1.1.1.1 (Cloudflare’s DoT resolver), the queries would still show up in Wireshark.

On November 3rd 2018, the Chromium project published the following change description:

Add DoH UI setting.

This CL adds a UI setting allowing users to enable DNS over HTTPS (DoH). Users may select a DoH server from a dropdown menu of preapproved options or enter a DoH server of their choosing.

Bug: 878582
Test: out/Default/chrome --enable-features="SecureDnsSetting"
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: I1138c3b8e77aea10a0d4e8a542b889a285a1a492

How to secure your Windows 10?

There are lots of tools out there that support DNS over TLS; one of them is Simple DNSCrypt, which uses the DNSCrypt protocol. The application can be run temporarily or installed as a service.

Windows 10

I installed the tool on my Windows 10 machine as a service and ran a test to see whether resolving Google or any other domain would show up in clear text; the result was negative.

The app can use a range of DNS recursive resolver services such as Google, Cloudflare, Freesta… etc.

To encrypt your DNS traffic, use Simple DNSCrypt.
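As an added check (not part of the original post) that complements the Wireshark test above, this PowerShell snippet lists the resolvers configured on your NICs and whether each accepts DNS over TLS on tcp/853, then performs a DNS-over-HTTPS lookup of godaddy.com by hand through Google Public DNS’s JSON API; the DoH request travels over tcp/443, so it never appears under a “dns” filter. It assumes PowerShell 5.1 or later on Windows with internet access.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1+ and
# internet access; dns.google/resolve is Google Public DNS's public JSON DoH API.

function Test-DotResolver {
    # Every resolver configured on an IPv4 interface, probed for DNS over TLS (tcp/853).
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            foreach ($ip in $_.ServerAddresses) {
                $dot = Test-NetConnection -ComputerName $ip -Port 853 `
                                          -InformationLevel Quiet -WarningAction SilentlyContinue
                [pscustomobject]@{ Interface = $_.InterfaceAlias; Resolver = $ip; DoT853 = $dot }
            }
        }
}

function Resolve-DohName {
    param([string]$Name, [string]$Type = 'A')
    # The lookup goes out as HTTPS; a capture filtered on port 53 will show nothing.
    $r = Invoke-RestMethod -Uri "https://dns.google/resolve?name=$Name&type=$Type"
    if ($r.Status -ne 0) { throw "DoH query for $Name failed with RCODE $($r.Status)" }
    $r.Answer | ForEach-Object {
        [pscustomobject]@{ Name = $_.name; Type = $_.type; TTL = $_.TTL; Data = $_.data }
    }
}

# 1. Do the resolvers my NIC points at (e.g. 1.1.1.1 or 8.8.8.8) even offer DoT?
Test-DotResolver | Format-Table -AutoSize

# 2. Resolve the post's test site over DoH, the way a DoH-enabled browser would.
Resolve-DohName -Name 'godaddy.com' | Format-Table -AutoSize
```

A resolver answering on tcp/853 only means DoT is offered; Windows 10 still sends plain udp/53 queries unless a client such as Simple DNSCrypt is put in front of it.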

How I configured my own name server (public DNS) on pfSense

To configure your own name server, you must first own a public domain (domain.com).
In this example I will register a free domain from the registrar www.freenom.com.
The registration process is pretty simple: follow the wizard, validate your email, then sign in to your portal to edit or configure your free domain.
I have already added a new domain for myself called moh10ly.cf.
To configure name servers, you must fulfil the following prerequisites:

  1. A public static IP.
  2. A DNS package on pfSense.
  3. A firewall that supports static NAT.

Next step: click on Manage domain to change the DNS configuration and point it to your own name server.
When you get the following window, click on Management tools and choose “Register glue records”.
Very important note:
Next, add your name servers (they don’t need to exist yet, as we will create them later). You must create at least two, and you can point both to the same public IP address.
Scroll down and you will find an option to add the second DNS server; you can call it dns2 and point it to the same IP address.
Next, save the changes, then click on Management tools –> Name Servers; if you can’t find the name servers you have just configured there, enter them here.
Save the changes again.
Now let’s go to pfSense and set up our public DNS (name server). Go to “System > Packages > Available Packages” and install “dns-server” or “TinyDns”.
When you have finished installing TinyDns you will find it under the “Services” menu. Click on it.
Once there, click on the “Settings” tab and, as the binding IP address, enter the public IP you will use for the name servers. Make sure you listen on the WAN NIC.
Save and click on the “New domain wizard” to set up your domain.
Click Next
In the next window configure your domain as follows, making sure that it matches the configuration of your domain at the registrar.
Click Next and Finish
Once finished, go to the Add/Edit record tab, where you will find four created records.
Next, create the root record of the domain, whose name is simply “.”, and point it to the same public IP; then add any other records for roles you have installed, such as Exchange or IIS.
Now it’s time to configure the firewall to allow inbound queries on port 53. Here’s the rule I created under Firewall Rules; because I have only one public IP address on WAN, I won’t use a static NAT rule.
I then went back to TinyDns on pfSense to see the incoming name resolution requests from public clients.
Under the Logs tab I could see the requests I was making from my PC using Google as my DNS, so everything works fine.
That’s it, the configuration of your own name server is done.
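To confirm the delegation works end to end, here is an added PowerShell script (not from the original post) that asks an outside resolver for the domain’s NS records, checks that each name server’s glue resolves to your public IP, queries each name server directly for the root record created above, and probes tcp/53 as well. It uses the post’s domain moh10ly.cf with a placeholder public IP and assumes Windows 8 / Server 2012 or later for Resolve-DnsName.

```powershell
# Added example, not from the original post. The domain is the one from the post; the
# public IP is a placeholder from the documentation range. Replace both with your own.
param(
    [string]$Domain   = 'moh10ly.cf',
    [string]$PublicIp = '203.0.113.10',   # placeholder: the WAN IP TinyDns binds to
    [string]$Resolver = '8.8.8.8'         # an outside resolver, so we see what the world sees
)

function Test-Delegation {
    param([string]$Domain, [string]$PublicIp, [string]$Resolver)
    $results = @()
    # 1. Does the parent zone hand the domain to the name servers registered at freenom?
    $ns = Resolve-DnsName -Name $Domain -Type NS -Server $Resolver -ErrorAction Stop |
          Where-Object Type -eq 'NS' | Select-Object -ExpandProperty NameHost
    if ($ns.Count -lt 2) { Write-Warning "Only $($ns.Count) NS record(s); registrars expect at least two." }

    foreach ($server in $ns) {
        # 2. Glue: the NS host name must resolve to the public IP you registered.
        $glue = (Resolve-DnsName -Name $server -Type A -Server $Resolver -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'A').IPAddress
        # 3. Ask that server directly (udp/53 through the pfSense rule) for the root record.
        $apex = (Resolve-DnsName -Name $Domain -Type A -Server $server -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'A').IPAddress
        # 4. TCP 53 too: large answers fall back to TCP, and the firewall rule must allow it.
        $tcp53 = Test-NetConnection -ComputerName $server -Port 53 `
                                    -InformationLevel Quiet -WarningAction SilentlyContinue
        $results += [pscustomobject]@{
            NameServer = $server
            GlueOK     = ($glue -contains $PublicIp)
            ApexOK     = ($apex -contains $PublicIp)
            Tcp53      = $tcp53
        }
    }
    $results
}

Test-Delegation -Domain $Domain -PublicIp $PublicIp -Resolver $Resolver | Format-Table -AutoSize
```

A row with GlueOK false means the registrar’s glue records do not match the WAN IP; ApexOK false with Tcp53 true usually means the “.” record in TinyDns is missing or points elsewhere.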
