DNS Architecture

This article describes and depicts the recommended architecture for Active Directory Integrated DNS. Active Directory Integrated DNS should be deployed in any enterprise network that uses Active Directory as the authoritative authentication and authorisation mechanism. The architecture in the diagram below builds on the standard Active Directory Integrated DNS design to provide higher levels of DNS resiliency and security.

The design below does not cover the deployment of DNSSEC. DNSSEC is a large topic, something that I hope to document in a future article.

Walking through the diagram from bottom to top:

  1. Domain client devices are configured (via Group Policy) with Primary and Secondary DNS server settings pointing at the Active Directory Integrated DNS servers. In this diagram Domain Controller 1 is the Primary and Domain Controller 2 is the Secondary DNS server. Clients never resolve names against the internet directly; every query passes through the Domain Controllers.
  2. The root hints (the list of the internet root name servers, which the Windows DNS Service uses for iterative resolution) have been removed from the DNS Service on the Domain Controllers, and the option to fall back to root hints when no forwarder is available is disabled. The Domain Controller DNS Service forwards every query it is not authoritative for, and cannot answer from cache, to DNS Server 1 and/or DNS Server 2. With the root hints gone, a Domain Controller can never resolve iteratively against the internet on its own: if both forwarders are unreachable, external resolution fails closed rather than silently bypassing the perimeter.
  3. DNS Servers 1 and 2 likewise have their root hints removed from the DNS Service configuration, and both are configured with Forwarders pointing at the ISP DNS services. These two servers are the only hosts that need to send DNS traffic to the internet, so the perimeter firewall should permit UDP and TCP port 53 outbound to the ISP resolvers from these two hosts only. They must not be reachable for recursive queries from the internet, otherwise they become open resolvers.
  4. There are three network security boundaries in the depicted solution, with the internet beyond them. Campus is the boundary for client devices and campus infrastructure. Intranet is the internal server boundary. Perimeter is the boundary for internet-facing services. Finally, the internet is the far edge of the network for the depicted enterprise infrastructure.
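The forwarding configuration in steps 2 and 3 can be applied and checked with the DnsServer PowerShell module on Windows Server. The following is an added example, not part of the original article; the forwarder addresses and the test name are assumptions and should be replaced with DNS Server 1 and 2 (when run on a Domain Controller) or the ISP resolvers (when run on DNS Server 1 or 2).

```powershell
# Added example (not from the original article). Run locally on the DNS server
# being configured, from an elevated PowerShell session with the DnsServer module.
Import-Module DnsServer

# Assumption: the next-hop forwarders for this server. On a Domain Controller
# these are DNS Server 1 and 2; on DNS Server 1 or 2 they are the ISP resolvers.
$Forwarders = @('10.1.2.10', '10.1.2.11')

# Remove every root hint so the server can never walk the internet root on its
# own (the "TLD root hints removed" step in the diagram).
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

# Replace the forwarder list (Set- replaces, Add- appends) and disable the
# "use root hints if no forwarders are available" fallback. Without
# -UseRootHint $false a forwarder outage would fall back to the root hint
# list; with it, external resolution fails closed instead.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false -Timeout 3

# Verify the resulting state before trusting it.
$Fwd = Get-DnsServerForwarder
if ($Fwd.UseRootHint) { throw 'Root hint fallback is still enabled' }
if (@(Get-DnsServerRootHint).Count -ne 0) { throw 'Root hints are still present' }
"Forwarders: $($Fwd.IPAddress -join ', ')  UseRootHint: $($Fwd.UseRootHint)"

# Functional check: an external name must now resolve only via the forwarders.
# -DnsOnly bypasses the local hosts file and client cache so the answer really
# comes from this server's DNS Service. The name is an assumption.
Resolve-DnsName -Name 'www.microsoft.com' -Server 127.0.0.1 -DnsOnly -ErrorAction Stop |
    Select-Object Name, Type, IPAddress
```

Run the same block on each Domain Controller and on DNS Servers 1 and 2 with the appropriate `$Forwarders` value. If the final `Resolve-DnsName` fails on a Domain Controller while it succeeds on DNS Server 1 and 2, the problem is the path between the Intranet and Perimeter boundaries (firewall rule or forwarder address), not the ISP.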

Closing

In this article we briefly examined the recommended architecture for DNS within an Active Directory Integrated DNS Environment.

Script to Batch Create Test User Accounts in Active Directory

Recently I have been working in my test labs and needed to create a large number of Test User Accounts in Active Directory. Rather than manually create the users using the GUI (which would take forever), I wrote a script to automate the process. You’ll find the script below and should be able to easily modify the script to work in your own environment.

 
<#
# --------------------------------------------------------------------------------- #
.SYNOPSIS

Creates a batch of Test Users in Active Directory

.DESCRIPTION

Use this script to create a number of test user accounts within Active
Directory. Modify the variables in the DEFINE VARIABLES section to customise
this script for your environment. The accounts are intended for an isolated
lab only: they all share one known password and are set to never expire, so do
not run this against a production domain.

.NOTES

Version: 1.0
Author: Craig Bull
Creation Date: 10th September 2018

# --------------------------------------------------------------------------------- #
#>

Import-Module ActiveDirectory

# DEFINE VARIABLES

# Prompt for an account that is permitted to create users in the target OU.
$AdminCredentials = Get-Credential "YOURDOMAIN\Administrator"

# Use the following password for the User Accounts being created. It is a
# shared, well-known password and is only acceptable in an isolated lab.
$Password = "@Passw0rd" | ConvertTo-SecureString -AsPlainText -Force

# Change this variable to the hostname of one of the domain controllers.
$ServerName = "YOURDC.YOURDOMAIN.COM"

# Customise this variable for a custom description on user accounts. The same
# value can later be used to find (and remove) the test accounts.
$Description = "Test User"

# Change this variable to match the DN of the OU where you want to create
# the new user accounts.
$Path = "OU=Users,DC=YOURDOMAIN,DC=COM"

# Change this variable to match the UPN suffix of your domain.
$UPNSuffix = "@YOURDOMAIN.COM"

# Change this variable to the number of user accounts you wish to create
# (an integer, not a string, so the loop comparison is numeric).
$NumberUsers = 100

Write-Host " "
Write-Host "Script: Create AD User Test Accounts" -ForegroundColor White
Write-Host " "

# START LOOP

for ($i = 1; $i -le $NumberUsers; $i++)
{
    # DEFINE PER-USER VARIABLES
    # SamAccountName must be unique in the domain and should not contain spaces;
    # it is kept consistent with the UPN prefix so the two can be correlated.

    $Name              = "Test User $i"
    $SamAccountName    = "TestUser$i"
    $UserPrincipalName = "TestUser$i$UPNSuffix"

    Try
    {
        # TRY TO CREATE NEW TEST USER IN ACTIVE DIRECTORY
        # -ErrorAction Stop turns a non-terminating error into an exception so
        # that the Catch block below actually sees it.

        New-ADUser -Credential $AdminCredentials `
            -Name $Name `
            -GivenName "Test" `
            -Surname "User" `
            -SamAccountName $SamAccountName `
            -Server $ServerName `
            -AccountPassword $Password `
            -Enabled $True `
            -ChangePasswordAtLogon $False `
            -PasswordNeverExpires $True `
            -UserPrincipalName $UserPrincipalName `
            -DisplayName $Name `
            -Description $Description `
            -Path $Path `
            -ErrorAction Stop
    }
    Catch
    {
        # AN EXCEPTION WAS DETECTED: DISPLAY ERROR INFORMATION AND STOP THE SCRIPT

        $ErrorMessage = $_.Exception.Message
        Write-Host "An Error Occurred creating ${SamAccountName}: $ErrorMessage" -ForegroundColor Red
        Write-Host " "
        Write-Host "Check Active Directory to confirm whether Test User accounts already exist." -ForegroundColor Yellow
        Exit 1
    }

    # DISPLAY USER CREATED MESSAGE

    Write-Host "Created User Account: $Name ($SamAccountName)" -ForegroundColor Green
}

Write-Host " "
Write-Host "Script execution completed successfully. Tidying up." -ForegroundColor White
Write-Host " "

# CLEAR VARIABLES

$AdminCredentials = $Null
$ServerName = $Null
$Password = $Null
$Description = $Null
$Path = $Null
$UPNSuffix = $Null
$NumberUsers = $Null
$i = $Null
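Accounts created by the script above are enabled, share one known password and never expire, which is exactly what an attacker hunts for once inside a domain, so they should not outlive the lab exercise. The following is an added example, not part of the original script, that finds the test accounts by the description and naming pattern the script stamps on them and removes them. It assumes the same OU DN, description and domain controller placeholders as the script; `$Remove` is a hypothetical switch that defaults to a dry run.

```powershell
# Added example (not part of the original post): audit and remove the lab
# accounts created by the batch script. Placeholder values are assumptions and
# must match the ones used when the accounts were created.
Import-Module ActiveDirectory

$ServerName  = "YOURDC.YOURDOMAIN.COM"
$Path        = "OU=Users,DC=YOURDOMAIN,DC=COM"
$Description = "Test User"
$Remove      = $false   # $false = dry run (WhatIf); set to $true to delete

# Find the accounts by the description and SamAccountName pattern the creation
# script used, restricted to the OU they were created in (OneLevel, no subtree)
# so a real user elsewhere in the domain with the same description is never
# touched.
$TestUsers = @(Get-ADUser -Server $ServerName -SearchBase $Path -SearchScope OneLevel `
    -Filter "Description -eq '$Description' -and SamAccountName -like 'TestUser*'" `
    -Properties Description, PasswordNeverExpires, LastLogonDate)

"Found $($TestUsers.Count) test account(s) under $Path"

# Report what the creation script left behind before deciding anything:
# enabled accounts with a shared, never-expiring password.
$TestUsers |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, LastLogonDate |
    Format-Table -AutoSize

# Remove them. With $Remove = $false, -WhatIf makes each call a dry run that
# only reports what would be deleted.
foreach ($User in $TestUsers) {
    Remove-ADUser -Identity $User -Server $ServerName -Confirm:$false -WhatIf:(-not $Remove)
}

if ($Remove) { "Removed $($TestUsers.Count) test account(s)" }
```

Run it once with `$Remove = $false`, confirm that the listed accounts are only the ones the batch script created (the `LastLogonDate` column shows whether anything else has been using them), then run it again with `$Remove = $true`.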