Active Directory and DNS: Why you should not add 8.8.8.8 as a DNS forwarder

Hi everyone and hope you are doing great today. A new day is a new start.

If you are the type of engineer who treats every DNS problem as something to fix by adding 8.8.8.8, or by filling the DNS forwarder list with values, then you are probably having trouble understanding Active Directory and its DNS functionality.

Why do mistakes happen?

When you are in a rush to restore internet connectivity, the only idea that comes to mind is to point to 8.8.8.8 as the DNS server. Making this your standard practice, however, hurts connectivity: it adds delay to DNS resolution and potentially adds a point of failure.

How does DNS resolution actually work?

This is the basic order in which resolution is attempted. The first source to reply wins, whether its answer is right or wrong.

  1. Local Windows hosts file
  2. The computer's DNS server list (the DNS client settings)
  3. Internal DNS server
  4. Designated conditional forwarders
  5. DNS forwarders
  6. Root hints

What are the impacts?

The hosts file is static. It should only be used for troubleshooting, and then immediately set back to its default once the issue has been resolved via the internal DNS servers.

If your DNS client is pointing only to 8.8.8.8, it will go externally for DNS resolution. This gives you internet access, but it will not resolve internal names. That prevents your devices from communicating with Active Directory: devices won't be able to pull Group Policy, logins will be really slow, and the domain connection will be intermittent.

Doing this also sends your internal DNS queries (and the internal host names they contain) out to a resolver on the internet. This is not recommended, as it most likely violates your security policies.

DNS forwarders that point only to 8.8.8.8 use your ISP connection to hop out to 8.8.8.8 for every resolution. Your ISP's DNS resolvers are much closer and will speed up requests if used instead.

Moreover, if your DNS is set to 8.8.8.8, a DNS failure may look like an ISP outage when your ISP connection is actually fine. If you have failover rules in place that are NOT based on your ISP's DNS, your system may fail over when there is no outage at all.

If you have disabled root hints, a single outage at the external DNS provider can stop all external DNS resolution at your business.

Windows Firewall on the client may decide that you are on a public network and start blocking network traffic. A domain controller whose primary or secondary DNS points to an external address like 8.8.8.8 can cause the same behaviour. Unchecking and re-checking IPv6 on the adapter temporarily fixes the public-network error, but it will keep happening until you remove 8.8.8.8.

It is recommended that the local network interface of any domain controller/DNS server always points to another domain controller/DNS server first and then to itself, never to an external IP.

DNS forwarders should be configured in the DNS Manager console to point to your ISP's external DNS servers. Doing this takes care of external name resolution.
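The following audit script is an added example, not part of the original post; it checks a domain controller against the guidance above (no public resolver in the DNS client list, another DC listed before itself, forwarders not limited to public resolvers, root hints still enabled). It assumes an elevated session on a DC running the DNS Server role, and the 8.8.4.4 address in the public resolver list is an assumption added for completeness.

```powershell
# Added audit script, not from the original post. Run in an elevated PowerShell session
# on a domain controller that also holds the DNS Server role (DnsClient + DnsServer modules).
$publicResolvers = @('8.8.8.8', '8.8.4.4')    # public resolvers this post warns against (8.8.4.4 assumed)
$findings = New-Object System.Collections.Generic.List[string]

# 1. DNS client settings: a DC should list another DC first, then itself, never an external IP.
$ownAddresses = @(Get-NetIPAddress -AddressFamily IPv4 | ForEach-Object IPAddress)   # includes 127.0.0.1
foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }) {
    $servers = @($iface.ServerAddresses)
    foreach ($s in $servers) {
        if ($publicResolvers -contains $s) {
            $findings.Add("Interface '$($iface.InterfaceAlias)' lists public resolver $s as a DNS client server")
        }
    }
    if ($servers.Count -gt 1 -and $ownAddresses -contains $servers[0]) {
        $findings.Add("Interface '$($iface.InterfaceAlias)' lists itself first; put another DC first, then itself")
    }
}

# 2. Server-side forwarders: these should be the ISP's resolvers, with root hints kept as a fallback.
$fwd = Get-DnsServerForwarder
$fwdList = @($fwd.IPAddress | Where-Object { $_ } | ForEach-Object { "$_" })   # normalise to dotted strings
if ($fwdList.Count -gt 0 -and @($fwdList | Where-Object { $publicResolvers -notcontains $_ }).Count -eq 0) {
    $findings.Add("Forwarders point only to public resolvers ($($fwdList -join ', ')); use the ISP's resolvers")
}
if (-not $fwd.UseRootHint) {
    $findings.Add('Root hints are disabled; one forwarder outage will stop all external resolution')
}

# 3. Report. Remediation commands, with placeholders to fill in (no real addresses assumed):
#    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '<other DC IP>','<this DC IP>'
#    Set-DnsServerForwarder -IPAddress '<ISP DNS 1>','<ISP DNS 2>' -UseRootHint $true
if ($findings.Count -eq 0) { Write-Output 'DNS client and forwarder settings follow the guidance above' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```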

Exchange Migration: Windows 10's Outlook kept prompting after turning off modern authentication

If you have read my previous post about the Exchange migration on Windows 7, today's post covers Windows 10. https://sabrinaksy.com/2021/10/14/exchange-migration-outlook-kept-prompting-for-password-after-migration/

It seems that after we turned off modern authentication there were no further prompt issues on Windows 7, but the next day Windows 10 started receiving prompts, with the user name shown under the “contoso.onmicrosoft.com” domain instead of the registered/default “contoso.com” domain.

After some research, we noticed that Microsoft had just started enforcing its basic authentication deprecation on 1st October 2021. Hence, we had no choice but to look for a workaround so that Windows 7 and 10 support Modern Authentication. The only workaround is to create a registry value and apply it to the Windows machines.

Workaround

  1. Create a Group Policy Object in your Active Directory environment
  2. Go to Computer Configuration > Preferences > Windows Settings > Registry
  3. Create a new registry item
  4. This is the registry item to create:
    • Path: HKEY_CURRENT_USER\Software\Microsoft\Exchange
    • Value Name: AlwaysUseMSOAuthForAutoDiscover
    • Value: 1
    • Type: REG_DWORD
  5. Once you have created this policy, link it to the organizational unit that contains the Windows machines
  6. Run a forced group policy update from the Active Directory server
  7. Go back to the Office 365 admin center portal with Global administrator rights
  8. Settings > Org Settings > Modern Authentication > Turn on modern authentication
  9. Make sure you select all of the items under modern authentication
  10. Monitor for the next 24 to 48 hours for further prompt issues
  11. If there are issues, troubleshoot the machine and check whether the registry value was applied; if not, apply it manually

You can always export the registry settings in .reg file format so that it is easier to apply on the affected machine(s), just by double-clicking the .reg file.

How to export the registry file?

You can use PowerShell's Invoke-Command:

Invoke-Command {reg export 'HKEY_CURRENT_USER\Software\Microsoft\Exchange' C:\Temp\ModernAuth.reg}
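For step 11, where a machine still prompts and you need to check whether the GPO value actually arrived, the following script is an added example (not from the original post) that reads the same key and value the GPO registry item writes and applies it manually if it is missing. It assumes you run it in the affected user's session, since the key lives under HKEY_CURRENT_USER.

```powershell
# Added helper, not from the original post: verifies the AlwaysUseMSOAuthForAutoDiscover
# value from the GPO has landed on this machine and applies it manually if not.
# Run as the affected user: HKCU is that user's hive.
$regPath   = 'HKCU:\Software\Microsoft\Exchange'     # same key as the GPO registry item above
$valueName = 'AlwaysUseMSOAuthForAutoDiscover'

function Test-ModernAuthAutodiscover {
    # Returns $true only when the value exists and is exactly 1 (REG_DWORD)
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$valueName -eq 1)
}

function Set-ModernAuthAutodiscover {
    # Create the key if Outlook has never written it, then set/overwrite the DWORD
    if (-not (Test-Path -Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
}

if (Test-ModernAuthAutodiscover) {
    Write-Output "$valueName is already 1 under $regPath; the GPO was applied, look elsewhere for the prompt"
} else {
    Write-Output "$valueName is missing or not 1; applying the workaround value manually"
    Set-ModernAuthAutodiscover
    if (Test-ModernAuthAutodiscover) {
        Write-Output 'Value applied; restart Outlook so Autodiscover uses Modern Authentication'
    } else {
        Write-Warning "Could not write $valueName; check that this session runs as the affected user"
    }
}
```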

Format not working: how to reformat a USB drive to its original size

The Format option in File Explorer does not help to reformat the USB drive to its original size.

What I mean is this format here: File Explorer > Right click on the USB > Format

You will see that the size Format allows is only 32GB, even though your USB drive is larger than that.

The resolution is to use Disk Management to reformat your USB drive.

  1. Open Disk Management
  2. You will notice that your USB drive's volume is partly “Unallocated” and partly “Used”
  3. Right click on the USB volume > Delete Volume
  4. The volume status will then become “Unallocated”
  5. Right click on the USB drive > Select New Volume > Set up the new volume for your USB drive
  6. The End
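The same Disk Management steps as a PowerShell script, added here as an example and not part of the original post. It assumes the Storage module (Windows 8 / Server 2012 or later), an elevated prompt, exactly one USB disk plugged in, and NTFS as the new file system; everything on that disk is erased, so it prompts before wiping.

```powershell
# Added example, not from the original post: the Disk Management steps above as PowerShell.
# Assumes the Storage module, an elevated prompt, and only one USB disk attached.
$usb = @(Get-Disk | Where-Object { $_.BusType -eq 'USB' })
if ($usb.Count -ne 1) { throw "Expected exactly one USB disk, found $($usb.Count); unplug the others first" }
$disk = $usb[0]

# Step 2: show the used vs unallocated split that Disk Management displays for the stick
$allocated = (Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
    Measure-Object -Property Size -Sum).Sum
Write-Output ("Disk {0} '{1}': {2:N1} GB total, {3:N1} GB in partitions, {4:N1} GB unallocated" -f
    $disk.Number, $disk.FriendlyName, $disk.Size / 1GB, $allocated / 1GB, ($disk.Size - $allocated) / 1GB)

# Steps 3 and 4: delete the volume(s). -Confirm prompts before the whole disk becomes unallocated.
Clear-Disk -Number $disk.Number -RemoveData -Confirm:$true
if ((Get-Disk -Number $disk.Number).PartitionStyle -ne 'RAW') { throw 'Disk was not cleared; aborting' }
Initialize-Disk -Number $disk.Number -PartitionStyle MBR     # Clear-Disk leaves the disk RAW

# Step 5: one new volume spanning the full size of the drive, formatted and given a drive letter
$vol = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'USB' -Confirm:$false
Write-Output ("New volume {0}: {1:N1} GB available" -f $vol.DriveLetter, $vol.Size / 1GB)
```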

Troubleshooting the virtual machine status “Off-Critical” problem in Hyper-V

In this case it was my lab environment: I have an external SSD which is purely for my lab. I faced this problem because my laptop read the external SSD and assigned that drive a different disk letter.

So at first all my virtual hard disks were located on drive letter E; this is their original location.

I have multiple USB and external drives, so the laptop tends to keep a cache of previously used drives. I recently created a bootable USB for another product, and when I plugged in my lab's external drive, my laptop assigned it the drive letter G. I didn't notice until I launched my Hyper-V console: the status of my virtual machines kept showing “Off-Critical” for quite a long period, and refreshing didn't work either. Thus, I was unable to boot up my virtual machines.

After some thought, I connected to one of the virtual machines and looked at the location/directory of its virtual hard disk; it was pointing to drive letter E. Next I launched File Explorer, and there my external drive was no longer listed as letter E but as letter G.

To resolve this, I launched the “Disk Management” console and changed the letter of my external drive from G to E. Heading back to my Hyper-V console, my virtual machines were able to boot up and the status “Off-Critical” was no longer showing.

Note:

  • Do take note that it requires a reboot of your laptop if you are trying to mimic/simulate this issue.

There are other reasons you could face this issue: it could be a corrupted drive, or the drive may be disconnected.
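The check I would run on the host before opening Disk Management, as an added example that is not part of the original post: it lists every VM whose virtual hard disk path cannot be reached, works out which drive letter those paths expect, and tells the corrupted/disconnected case apart from the changed-letter case described above. It assumes the Hyper-V and Storage modules and an elevated prompt; the E and G letters in the comments are the ones from the post.

```powershell
# Added diagnostic, not from the original post. Assumes the Hyper-V and Storage modules
# on the host and an elevated prompt. E/G below are the drive letters from the post.

# 1. Find every VM whose virtual hard disk path cannot be reached right now
$missing = foreach ($vm in Get-VM) {
    foreach ($vhd in Get-VMHardDiskDrive -VMName $vm.Name) {
        if (-not (Test-Path -LiteralPath $vhd.Path)) {
            [pscustomobject]@{ VM = $vm.Name; State = $vm.State; Path = $vhd.Path }
        }
    }
}

if (-not $missing) {
    Write-Output 'All virtual hard disk paths are reachable; look for a corrupted or disconnected drive instead'
} else {
    $missing | Format-Table -AutoSize | Out-String | Write-Output

    # 2. For each drive letter the missing paths expect, check whether that letter is mounted at all
    $expected = $missing.Path |
        ForEach-Object { if ($_ -match '^([A-Za-z]):') { $Matches[1].ToUpper() } } | Sort-Object -Unique
    foreach ($letter in $expected) {
        if (Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue) {
            Write-Warning "Drive ${letter}: is mounted but the VHD files are gone; suspect a corrupted drive"
        } else {
            Write-Warning "Drive ${letter}: is not mounted. Volumes that currently hold a letter:"
            Get-Volume | Where-Object { $_.DriveLetter -match '^[A-Z]$' } | Sort-Object DriveLetter |
                ForEach-Object {
                    Write-Output ("  {0}: '{1}' {2:N0} GB" -f $_.DriveLetter, $_.FileSystemLabel, $_.Size / 1GB)
                }
            # 3. Once you spot the external drive (it received G: in the post), give it back its letter:
            #    Set-Partition -DriveLetter G -NewDriveLetter E
            #    then re-run this script; the VMs should leave the Off-Critical state.
        }
    }
}
```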

RAM upgrade: HP EliteBook 840 G4 Laptop “Error: Beep Sound, Black Screen”

For your information, I’m not a computer hardware nerd!

  1. I bought HyperX DDR4 2400MHz RAM and a Crucial 1TB SSD online. The way I hit the error: I wanted to test the new RAM, so I first removed my HP's RAM and inserted the HyperX RAM.
  2. On the first restart, the laptop was able to load up the screen. However, on the 2nd restart the beeping sounds started and the screen went black; the screen would not load up.
  3. So I had to remove it and put the HP's RAM back into my laptop, and research what the cause was.
  4. I came across the term “Overclocking”. I installed the CPUID (CPU-Z) tool to monitor the CPU speed, to make sure it was not exceeding.
  5. I also came across a forum post saying that they placed the original RAM and the new RAM together to resolve this error.
  6. So I gave it a try and it worked! The CPU speed was running normally and the laptop was able to detect the RAM. I rebooted the laptop 2 or 3 times and it runs fine. It has already been 1 week and I have encountered no issues.

Hopefully this post helps you guys!

Azure Information Protection: Install Azure Information Protection Application for Windows Client

If your Windows client is joined to the domain, it may have limited privileges to download or install software and applications. In that case a local administrator or an administrator account is required to proceed with these changes.

Requirements

  1. Supported Windows
  2. Supported Office Application
  3. The Internet
  4. Browsers

Step-by-Step

  1. Browse to Microsoft Download
  2. Once the download has finished, double-click the installer
  3. Select “I agree”
  4. Select “Close” once completed
  5. You will find the Azure Information Protection Viewer application installed, and your Office applications now show the Azure Information Protection labels too
  6. Select Start or the Windows button

There is another way to have this installed on client devices that are joined to the domain, which is through a GPO (Group Policy Management).