Test Scenario - DNS Resolution - Resolving user sAMAccountName to their computer

Overview

The feature enables administrators to dynamically manage the DNS CNAME records that resolve a user's sAMAccountName to the last computer they logged into.

  

Purpose

This article provides instructions on testing the SYNERGIX AD Client Extensions software Network \ DNS Client \ Manage DNS CNAME Type record for sAMAccountName feature.

The software will maintain a dynamic CNAME record for the user sAMAccountName in the Active Directory primary DNS domain or in a specified DNS domain, e.g. users.<activeDirectoryDomainFQDN>. For this feature to work, the DNS zone must be Active Directory integrated and must allow Dynamic Updates by the Windows Client computer.

Note: Dynamic DNS updates performed by the DHCP Servers, on behalf of the Windows Client Computer, are not supported.

If you create a new DNS zone, e.g. users.<activeDirectoryDomainFQDN>, and set up proper DNS delegation, you have the added advantage of hosting it in an application partition and limiting the scope of replication to a specific number of domain controllers. In such a situation, name resolution becomes more reliable because the propagation delay (due to Active Directory replication) of a CNAME record change is reduced drastically.

The CNAME record will have the target hostname set to the FQDN of the computer that the user is currently logged into. If the user logs into another computer, the software will update the CNAME entry and resolve to the new target computer.

A low TTL value ( default is 5 minutes ) for the CNAME record will ensure that the name resolution is fairly reliable. The Run Interval is used to specify how often the CNAME record should be validated.

If the user account becomes obsolete, the dynamic CNAME record will age and get removed as part of the DNS Server and DNS Zone Scavenging settings.

 

Prerequisites

  • Supported Microsoft Windows Operating System
    • Microsoft Windows 7.0 
    • Microsoft Windows 8.x
    • Microsoft Windows 10
  • .NET Framework 4.0 or higher
  • Active Domain Membership in Microsoft Active Directory domain
  • Microsoft Outlook or other EMail client 
    • EMail client is required to submit log files to support@synergix.com or x@mail.asana.com
  • SYNERGIX AD Client Extensions 2016

 

Active Directory Domain Environment

  • Single Active Directory Domain environment, i.e. a single forest with the forest root domain only, for example F10.LOCAL
    • You can set up a more complex Active Directory Domain environment, if needed. For example, one forest F10.LOCAL with child domains D10.F10.LOCAL, D11.F10.LOCAL and D12.F10.LOCAL and a trusted forest F20.LOCAL with child domains D20.F20.LOCAL, D21.F20.LOCAL and D22.F20.LOCAL
  • Security Group(s)
    • Create a security group called "SYNERGIX ADCE Managed Computers".  The group type may be Domain Global Group or Domain Local Group.
    • Add the test domain computer(s) into the security group "SYNERGIX ADCE Managed Computers"
  • Delegate Control
    • On the Active Directory domain DNS zone, grant the security principal "Domain Computers" READ PROPERTIES, WRITE PROPERTIES, DELETE, READ PERMISSIONS and ALL VALIDATED WRITES permissions, or
    • On the Active Directory domain DNS zone, grant the security group "SYNERGIX ADCE Managed Computers" READ PROPERTIES, WRITE PROPERTIES, DELETE, READ PERMISSIONS and ALL VALIDATED WRITES permissions
      • The test domain computer must be a member of the "SYNERGIX ADCE Managed Computers" security group.
  • Configure domain Group Policy Object
    • Copy SYNERGIX AD Client Extensions Administrative Template file SYNERGIX-ADCE.ADMX to %SystemRoot%\PolicyDefinitions on admin workstation ( must be Windows 7.0 ) 
    • Copy SYNERGIX AD Client Extensions Administrative Template Language file SYNERGIX-ADCE.ADML to %SystemRoot%\PolicyDefinitions\en-US on same admin workstation ( must be Windows 7.0 or higher version ) 
    • Using GPMC.MSC, edit existing or new Group Policy Object.  
      • In Group Policy Editor, expand COMPUTER CONFIGURATION
      • Expand Administrative Templates
      • Expand SYNERGIX AD Client Extensions
      • Expand Network
      • Expand DNS Client
      • Select Manage DNS CNAME record  Type for user sAMAccountName 
      • Enable policy setting
      • Configure Zone Name and DNS Server Name 
        • The TTL value is the interval before the next update occurs. By default, it is 5 minutes.
        • Run time Interval is 1440 Seconds
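
A check for the Delegate Control step above, added here as an example and not part of the SYNERGIX software or documentation: it reads the DNS zone's ACL and reports whether the delegated principal holds the five listed permissions, then lists every principal that can change records in the zone. The zone name is a placeholder, and the script assumes the ActiveDirectory (RSAT) module and a zone stored in one of the standard DNS containers.

```powershell
# Added example: check the delegated rights on an AD-integrated DNS zone.
# Needs the ActiveDirectory module (RSAT); run as a user who can read the zone ACL.
param(
    [string]$ZoneName  = 'f10.local',                        # placeholder zone name
    [string]$Principal = 'SYNERGIX ADCE Managed Computers'   # or 'Domain Computers'
)
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# The article's permission names expressed as ActiveDirectoryRights flags:
# READ PROPERTIES, WRITE PROPERTIES, DELETE, READ PERMISSIONS, ALL VALIDATED WRITES
$required = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty, Delete, ReadControl, Self'

# Assumption: the zone is stored in one of the standard locations. A zone in a
# custom application partition needs its own distinguished name here.
$domainDn = (Get-ADDomain).DistinguishedName
$forestDn = (Get-ADRootDSE).rootDomainNamingContext
$zoneDn = @("DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn",
            "DC=$ZoneName,CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn",
            "DC=$ZoneName,CN=MicrosoftDNS,CN=System,$domainDn") |
    Where-Object { try { [bool](Get-ADObject -Identity $_) } catch { $false } } |
    Select-Object -First 1
if (-not $zoneDn) { throw "Zone $ZoneName not found in the standard DNS containers." }

$aces = (Get-Acl -Path "AD:\$zoneDn").Access

# Union of rights from Allow ACEs for the principal that are not limited to one attribute or class.
$granted = 0
foreach ($ace in $aces) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $ace.IdentityReference.Value -like "*\$Principal" -and
        $ace.ObjectType -eq [guid]::Empty) {
        $granted = $granted -bor [int]$ace.ActiveDirectoryRights
    }
}
$missing = [int]$required -band (-bnot $granted)

[pscustomobject]@{
    Zone      = $zoneDn
    Principal = $Principal
    Granted   = [System.DirectoryServices.ActiveDirectoryRights]$granted
    Missing   = if ($missing) { [System.DirectoryServices.ActiveDirectoryRights]$missing } else { 'None' }
}

# Everyone who can change records in the zone, for review of the delegation's reach.
$aces | Where-Object { $_.AccessControlType -eq 'Allow' -and
                       "$($_.ActiveDirectoryRights)" -match 'Write|Delete|CreateChild|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```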
 

More Information

 

Procedure

  • Log into a domain computer with local administrative privileges
  • Install SYNERGIX AD Client Extensions software
  • Logout
  • Log into the same domain computer with a domain user account.  This domain account represents a business user who does not have elevated privileges on his / her computer.
  • Launch DNS Management console ( DNSMGMT.MSC ) 
    • If DNSMGMT.MSC is not installed, log into another workstation with Administrative Tools installed and then, launch DNSMGMT.MSC on it
  • Select Active Directory domain DNS zone
  • Select the Forward Lookup Zone and, in it, select the domain name
  • You should see a CNAME record with the username you are logged in as, with the FQDN (Fully Qualified Domain Name), and with the generated Type, which by default is Alias (CNAME)
  • Log off and log on as a different user. You should see the CNAME record for that particular user; if so, SYNERGIX AD Client Extensions is working correctly with this feature
  • If yes, the test is successful
  • If no, re-run the test
  • Most often the issue is with the permissions, so please delegate the permissions correctly
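
The check in the last steps of the procedure can also be done from the logged-on user's session without the DNS console. This is an added example, not part of the SYNERGIX software or documentation: it looks up the CNAME for the current user, compares its target with this computer's FQDN, and compares the TTL with the 5-minute default. It assumes Resolve-DnsName is available (Windows 8 / Server 2012 or later) and that the record lives in the user's primary DNS domain unless another zone name is passed; the function and parameter names are hypothetical.

```powershell
# Added example: verify the per-user CNAME from the logged-on session.
# Needs Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later).
param(
    [string]$ZoneName      = $env:USERDNSDOMAIN,  # assumption: records live in the AD primary DNS zone
    [string]$DnsServer     = '',                  # optional: ask one DNS server directly
    [int]   $MaxTtlSeconds = 300                  # the article's default TTL of 5 minutes
)

function Test-UserCnameRecord {
    param([string]$UserName, [string]$ExpectedTarget, [string]$ZoneName,
          [string]$DnsServer, [int]$MaxTtlSeconds)

    $name   = "$UserName.$ZoneName"
    $result = [ordered]@{ Name = $name; Target = $null; TTL = $null; Result = 'Fail'; Reason = '' }
    $query  = @{ Name = $name; Type = 'CNAME'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($DnsServer) { $query.Server = $DnsServer }

    try   { $answers = @(Resolve-DnsName @query) }
    catch { $result.Reason = "Lookup failed: $($_.Exception.Message)"; return [pscustomobject]$result }

    # Keep only the CNAME in the answer section; an SOA in the authority section means "no record".
    $cname = $answers | Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'CNAME' } |
             Select-Object -First 1
    if (-not $cname) { $result.Reason = 'No CNAME record returned'; return [pscustomobject]$result }

    $result.Target = $cname.NameHost.TrimEnd('.')
    $result.TTL    = $cname.TTL
    if ($result.Target -ne $ExpectedTarget) {
        # -ne on strings is case-insensitive, which matches DNS name comparison.
        $result.Reason = "Points to $($result.Target), expected $ExpectedTarget"
    } elseif ($cname.TTL -gt $MaxTtlSeconds) {
        $result.Reason = "TTL $($cname.TTL)s exceeds $MaxTtlSeconds s"
    } else {
        $result.Result = 'Pass'
    }
    [pscustomobject]$result
}

# FQDN of this computer, which the CNAME for the logged-on user should target.
$ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = "$($ip.HostName).$($ip.DomainName)"

Test-UserCnameRecord -UserName $env:USERNAME -ExpectedTarget $fqdn -ZoneName $ZoneName `
    -DnsServer $DnsServer -MaxTtlSeconds $MaxTtlSeconds
```

A Fail whose reason names a different target right after a logon usually means the old record is still being served; repeat the check after the TTL has expired or pass a DNS server that hosts the zone.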

 

Test Results

  • Pass or
  • Fail

 

Test Result Submission

  1. Complete the Test Environment worksheet
  2. Upload test results document file to software test repository
  3. Upload log files
    1. ServiceLogfile.txt
    2. ClientLogfile.txt
    3. Output of GPRESULT.EXE /V command

Note: You must use the ADCE \ Help \ Submit Log Files button to zip up the above 3 files and submit them.
 

References

N/A
