Thursday, August 25, 2011

Which Service Is Responsible To Register A and PTR Records In DNS?


Every computer on the network registers its DNS records with the DNS server so that it can be reached by name as well as by IP address. Name-to-IP and IP-to-name lookups both go to the DNS server.

The following services register the host (A) record and the pointer (PTR) record when a client computer starts, and again at each periodic refresh:

DHCP Client Service
On Windows 2000, Windows XP and Windows Server 2003 the DHCP Client service performs the dynamic DNS registration of the host and PTR records, and it does so even when the address is configured statically. If this service is stopped, the computer does not register at all.

DNS Client Service
On Windows Vista, Windows 7 and Windows Server 2008 (and later) registration moved to the DNS Client service (Dnscache). The DHCP Client service on these versions still obtains leases but no longer performs DNS registration.

Two caveats worth knowing when a record is missing: a client that leased its address from a Windows DHCP server registers only its A record by default and asks the DHCP server to register the PTR record on its behalf, so the reverse zone depends on the server's DNS update settings; and in an Active Directory-integrated zone dynamic updates should stay set to "Secure only", because with nonsecure updates any host on the network can overwrite another host's records.
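An added example (not code from the original post) that forces a dynamic registration from the client and then checks that both the A and PTR records match this host. It assumes Windows 8 / Server 2012 or later for the NetTCPIP and DnsClient cmdlets; the adapter name is an assumption.

```powershell
# Added example: trigger a dynamic DNS registration and verify the resulting A and PTR records.
# Assumes Windows 8 / Server 2012 or later; the adapter alias 'Ethernet' is an assumption.
function Test-DnsRegistration {
    param([string]$InterfaceAlias = 'Ethernet')
    $ip = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
          Where-Object PrefixOrigin -ne 'WellKnown' |          # skip APIPA and loopback
          Select-Object -First 1 -ExpandProperty IPAddress
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # Which service owns registration: Dnscache on Vista and later, Dhcp on 2000/XP/2003.
    # Whichever one applies must be running or the record is never refreshed.
    $services = Get-Service -Name Dnscache, Dhcp | Select-Object Name, Status

    Register-DnsClient                       # same as 'ipconfig /registerdns'
    Start-Sleep -Seconds 5                   # let the server commit the update before querying

    $a   = Resolve-DnsName -Name $fqdn -Type A   -DnsOnly -ErrorAction SilentlyContinue
    $ptr = Resolve-DnsName -Name $ip   -Type PTR -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Fqdn        = $fqdn
        LocalIP     = $ip
        Services    = $services
        ARecordOK   = [bool]($a   | Where-Object IPAddress -eq $ip)
        PtrRecordOK = [bool]($ptr | Where-Object { $_.NameHost -eq $fqdn })
    }
}
```

If the A record is correct but PtrRecordOK is false, look at the DHCP server's DNS update settings rather than the client. On the DNS server itself, Get-DnsServerZone -Name <zone> should report DynamicUpdate as Secure for an AD-integrated zone.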

Why DNS Works On Both TCP and UDP

DNS, like several other services, uses both TCP and UDP. The two transports differ: TCP is connection-oriented and guarantees reliable, in-order delivery through acknowledgements and retransmission, while UDP is connectionless, sends each datagram on its own and offers no delivery guarantee, which makes it cheaper for a single small request and reply.


DNS uses TCP for Zone Transfer over Port: 53
Secondary DNS servers must hold an exact copy of the primary's zone database, and the transfer (AXFR for a full copy, IXFR for incremental changes) is usually far larger than a single datagram. Zone transfers therefore always run over TCP port 53, and only between DNS servers: the secondary opens a TCP connection to the primary, and TCP's acknowledgement and retransmission of segments ensure the zone arrives complete and in order. Because a zone transfer hands out the entire zone, restrict it on the server to the listed secondaries (or disable it) rather than letting any host request one.


DNS uses UDP for DNS Queries over Port: 53
A client sends an ordinary DNS query over UDP port 53. If no response arrives, the resolver retransmits the query over UDP and tries its other configured servers; a lost packet does not cause a switch to TCP. TCP is used for a query when the reply does not fit in one UDP message (512 bytes without EDNS) and comes back with the TC (truncated) bit set, at which point the client repeats the same query over TCP port 53. Firewalls between clients and DNS servers must therefore permit both UDP and TCP on port 53; blocking TCP 53 breaks large responses such as DNSSEC-signed answers as well as zone transfers.
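The behaviour described above, as an added example written for this page (not code from the original post): a minimal A-record lookup that sends over UDP, retries over UDP on silence, and repeats the query over TCP only when the response is truncated. The resolver address 192.0.2.53 is an assumption; replace it with a real server. The client sends no EDNS OPT record, so any answer larger than 512 bytes comes back truncated and exercises the TCP path.

```powershell
# Added example: UDP-first DNS query with TC-bit fallback to TCP. Resolver address is assumed.
function New-DnsQuery {
    param([Parameter(Mandatory)][string]$Name, [ValidateRange(0, 65535)][int]$Id = 0x1234)
    # Header: ID, flags 0x0100 (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    $msg = [System.Collections.Generic.List[byte]]::new()
    $msg.AddRange([byte[]](($Id -shr 8), ($Id -band 0xFF), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $msg.Add([byte]$lb.Length)
        $msg.AddRange($lb)
    }
    $msg.AddRange([byte[]](0, 0, 1, 0, 1))   # root label, QTYPE=A, QCLASS=IN
    return ,$msg.ToArray()
}

function Read-DnsHeader {
    param([byte[]]$Msg, [string]$Transport)
    $flags = ($Msg[2] -shl 8) -bor $Msg[3]
    [pscustomobject]@{
        Id        = ($Msg[0] -shl 8) -bor $Msg[1]
        Response  = [bool]($flags -band 0x8000)
        Truncated = [bool]($flags -band 0x0200)   # TC bit: the UDP answer did not fit
        RCode     = $flags -band 0x000F
        AnswerRRs = ($Msg[6] -shl 8) -bor $Msg[7]
        Transport = $Transport
    }
}

function Send-DnsUdp {
    param([string]$Server, [byte[]]$Query, [int]$TimeoutMs = 2000)
    $udp = [System.Net.Sockets.UdpClient]::new()
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs   # Receive throws on timeout
        $udp.Connect($Server, 53)
        [void]$udp.Send($Query, $Query.Length)
        $ep = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        return ,$udp.Receive([ref]$ep)
    } finally { $udp.Close() }
}

function Read-Exactly {
    param([System.IO.Stream]$Stream, [int]$Count)
    $buf = [byte[]]::new($Count); $got = 0
    while ($got -lt $Count) {
        $n = $Stream.Read($buf, $got, $Count - $got)
        if ($n -le 0) { throw 'connection closed before the full DNS message arrived' }
        $got += $n
    }
    return ,$buf
}

function Send-DnsTcp {
    param([string]$Server, [byte[]]$Query)
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, 53)
    try {
        $s = $tcp.GetStream()
        # DNS over TCP prefixes every message with a 2-byte big-endian length
        $len = [byte[]](($Query.Length -shr 8), ($Query.Length -band 0xFF))
        $s.Write($len, 0, 2); $s.Write($Query, 0, $Query.Length)
        $hdr = Read-Exactly -Stream $s -Count 2
        return Read-Exactly -Stream $s -Count ((($hdr[0] -shl 8) -bor $hdr[1]))
    } finally { $tcp.Close() }
}

function Resolve-WithTcpFallback {
    param([Parameter(Mandatory)][string]$Name, [string]$Server = '192.0.2.53')   # assumed resolver
    $q = New-DnsQuery -Name $Name
    $resp = $null
    foreach ($attempt in 1..3) {                  # lost datagram: retry over UDP, not TCP
        try { $resp = Send-DnsUdp -Server $Server -Query $q; break }
        catch { Start-Sleep -Seconds $attempt }
    }
    if (-not $resp) { throw "no UDP response from $Server after 3 attempts" }
    $h = Read-DnsHeader -Msg $resp -Transport 'UDP'
    if ($h.Truncated) {                           # answer did not fit in a datagram: repeat over TCP
        $h = Read-DnsHeader -Msg (Send-DnsTcp -Server $Server -Query $q) -Transport 'TCP'
    }
    return $h
}
```

Resolve-WithTcpFallback -Name 'www.example.com' -Server '192.0.2.53' returns the parsed header with the transport that finally delivered the answer. Read-DnsHeader can also be run offline on constructed bytes: a header whose third byte is 0x83 has QR and TC set, which is exactly the condition that triggers the TCP retry.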

A Quick Tip To Reconfigure Windows Time Service

The Windows Time service (W32Time) keeps client and server computers in sync with their domain controllers (or another configured time source). This matters beyond convenience: Kerberos rejects authentication when the clock skew exceeds five minutes by default. If the service's registration or configuration becomes damaged, you can re-register it with its default settings:
Steps:
Open an elevated Command Prompt and type the following commands:
  • Net Stop W32time
  • W32tm.exe /unregister
  • W32tm.exe /register
  • Net Start W32time
These commands re-register the Windows Time service module, w32time.dll, and restore its default configuration. Note that /unregister removes all W32Time settings from the registry, so any manually configured NTP peer list is lost; a domain member goes back to syncing from the domain hierarchy. Afterwards run W32tm /resync and check W32tm /query /status (or /query /source) to confirm the computer is syncing again.
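The same reset as an added PowerShell example (not from the original post), with the verification step a practitioner wants afterwards. Run it from an elevated prompt; the -UseDomainHierarchy switch re-applies the domain-hierarchy source explicitly, which is the default for a domain member in any case.

```powershell
# Added example: reset W32Time to defaults, restart it, force a resync and report the result.
function Reset-W32Time {
    param([switch]$UseDomainHierarchy)
    Stop-Service -Name W32Time -Force -ErrorAction SilentlyContinue
    & w32tm.exe /unregister | Out-Null       # removes the service registration and all W32Time registry settings
    & w32tm.exe /register   | Out-Null       # re-registers w32time.dll with default settings
    Start-Service -Name W32Time
    if ($UseDomainHierarchy) {
        # domain member: take the source from the DC hierarchy and pick it up without a restart
        & w32tm.exe /config /syncfromflags:domhier /update | Out-Null
    }
    & w32tm.exe /resync /nowait | Out-Null
    # What to look at afterwards: service state, the chosen source and the sync status
    [pscustomobject]@{
        Service = (Get-Service -Name W32Time).Status
        Source  = (& w32tm.exe /query /source) -join ' '
        Status  = (& w32tm.exe /query /status) -join "`n"
    }
}
```

If Source still reads "Local CMOS Clock" after the reset on a domain member, the computer cannot reach a domain controller for time, which is the same failure that shows up as Kerberos logon errors.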

A Quick Tip To Modify The Interval For DHCP Database Cleanup


The DHCP Server service periodically removes expired lease records from its database (dhcp.mdb) so that those addresses can be handed out again. The post gives the default interval as 4 hours. You can change it by editing the following registry entry (the value does not exist until you create it, so read the current setting before changing it, and restart the DHCP Server service afterwards for the new value to take effect):
  • KEY Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
  • Entry Name: DatabaseCleanupInterval
  • Type: REG_DWORD
  • Value: cleanup interval in minutes (4 hours = 240).
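An added example (not from the original post) that reads the current value before touching it, writes the new interval in minutes, and restarts the service so the change is actually picked up. The upper bound of one week on the parameter is a sanity check of my own, not a documented limit.

```powershell
# Added example: inspect and change DatabaseCleanupInterval on a Windows DHCP server.
$DhcpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

function Get-DhcpCleanupInterval {
    $v = (Get-ItemProperty -Path $DhcpParams -ErrorAction Stop).DatabaseCleanupInterval
    if ($null -eq $v) { return 'DatabaseCleanupInterval not set; the service default is in use' }
    [pscustomobject]@{ Minutes = $v; Hours = [math]::Round($v / 60, 2) }
}

function Set-DhcpCleanupInterval {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 10080)][int]$Minutes,   # 1 minute .. 1 week (assumed sanity bound)
        [switch]$RestartService
    )
    Set-ItemProperty -Path $DhcpParams -Name DatabaseCleanupInterval -Value $Minutes -Type DWord
    if ($RestartService) { Restart-Service -Name DHCPServer }   # the value is read when the service starts
    Get-DhcpCleanupInterval
}
```

Set-DhcpCleanupInterval -Minutes 240 -RestartService sets the 4-hour interval from the post and returns the stored value for confirmation.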

Wednesday, August 24, 2011

A Quick Tip To Prevent Users From Accessing The Computer Tab

You may need to prevent users from opening the Computer Name tab of System Properties (My Computer > Properties), for security or other reasons. There is no Group Policy setting for this, but the tab is implemented by NetID.DLL, so removing the Users group's read access to that file stops the tab from loading for non-administrators. Use the steps below:
Steps:
  • Locate NetID.DLL on the local computer (normally %SystemRoot%\System32\netid.dll).
  • Remove the Users entry from the file's NTFS permissions, leaving only:
Administrators - Full Control
Power Users - Read & Execute, Read
System - Full Control


For comparison, the default NTFS permissions are:
Administrators - Full Control
Power Users - Read & Execute, Read
System - Full Control
Users - Read & Execute, Read
Note: You can also deploy the permission change with a script assigned through Group Policy.
Two caveats: this hides the tab, it is not a security boundary. A standard user cannot rename the computer or change its domain membership anyway, and the same settings remain reachable through other tools. On Windows Vista and later the file is owned by TrustedInstaller, so you must take ownership before changing the ACL, and an update that replaces the file may reset its permissions.
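An added example (not from the original post) of the permission change as a script, with a saved copy of the original ACL so it can be undone. It assumes the file lives in %SystemRoot%\System32 and that icacls.exe is available (Windows Server 2003 SP2, Vista and later; on older XP you would use cacls instead).

```powershell
# Added example: save the ACL on netid.dll, remove the Users entry, and provide a way back.
$NetIdDll  = Join-Path $env:SystemRoot 'System32\netid.dll'   # assumed location
$AclBackup = Join-Path $env:TEMP 'netid.dll.acl'

function Hide-ComputerNameTab {
    param([switch]$TakeOwnership)   # needed on Vista and later, where TrustedInstaller owns the file
    if (-not (Test-Path $NetIdDll)) { throw "netid.dll not found at $NetIdDll" }
    & icacls.exe $NetIdDll /save $AclBackup | Out-Null        # restorable copy of the current ACL
    if ($TakeOwnership) {
        & takeown.exe /f $NetIdDll | Out-Null
        & icacls.exe $NetIdDll /grant 'Administrators:F' | Out-Null
    }
    & icacls.exe $NetIdDll /remove 'Users' | Out-Null         # drop the Users ACE (Read & Execute, Read)
    & icacls.exe $NetIdDll                                    # print the resulting ACL for review
}

function Restore-ComputerNameTab {
    # /restore takes the directory that contains the file plus the saved ACL file
    & icacls.exe (Split-Path $NetIdDll -Parent) /restore $AclBackup
}
```

Keep the saved ACL file somewhere more durable than %TEMP% if the change is rolled out through Group Policy, since the backup is the only record of the original permissions.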

What To Check If A Single User Can't Log On To Domain?

Sometimes a single user cannot log on to the domain while everyone else can. Work through the checklist below.
Make sure:
  • You can ping a domain controller from the user's computer.
  • The user account itself is not disabled, locked out or expired > check the Account tab in DSA.MSC (Active Directory Users and Computers).
  • There is no leading or trailing whitespace in the user's profile path or home folder > check the Profile tab in DSA.MSC.
  • The user's computer points at a DNS server that holds the domain's SRV records, otherwise it cannot find a domain controller > check the TCP/IP properties of the network connection.
  • The computer account for the user's computer exists in the domain > check with DSA.MSC.
  • The computer account is not disabled > check with DSA.MSC.
  • The clocks on the domain controller and the client are within the Kerberos tolerance (five minutes by default) > check with the Net Time command or W32tm /stripchart /computer:<DC name>.
  • A domain controller can be located > check the LOGONSERVER environment variable, or run Nltest /DsGetDc:domain to locate a domain controller again.
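The checklist as one diagnostic function, added here as an example (not from the original post). It assumes Windows 8 / Server 2012 or later for the DnsClient cmdlets and the RSAT ActiveDirectory module for the account checks; the domain name you pass in is of course your own.

```powershell
# Added example: run the single-user logon checklist from the affected workstation.
# Assumes the ActiveDirectory module (RSAT) and Windows 8 / Server 2012 or later.
function Test-DomainLogonChecklist {
    param(
        [Parameter(Mandatory)][string]$Domain,          # e.g. corp.example.com (assumed)
        [Parameter(Mandatory)][string]$UserName,        # sAMAccountName of the affected user
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $r = [ordered]@{}

    # Locate a DC the way the logon process does, then confirm it answers ping
    $out = (& nltest.exe /dsgetdc:$Domain) -join "`n"
    $dc  = [regex]::Match($out, 'DC:\s*\\\\(\S+)').Groups[1].Value
    $r.DomainController = $dc
    $r.DcReachable      = ($dc -ne '') -and (Test-Connection -ComputerName $dc -Count 1 -Quiet)
    $r.LogonServerVar   = $env:LOGONSERVER

    # The configured DNS server must hold the domain's SRV records
    $r.DnsServers  = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                      Where-Object { $_.ServerAddresses }).ServerAddresses
    $r.DcSrvRecord = [bool](Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue)

    # Account-side checks (the DSA.MSC items). Filters are used so a missing object returns nothing.
    $u = Get-ADUser -Filter "SamAccountName -eq '$UserName'" -Properties ProfilePath, HomeDirectory, LockedOut, AccountExpirationDate
    $r.UserExists       = [bool]$u
    $r.UserEnabled      = $u.Enabled -eq $true
    $r.UserLockedOut    = $u.LockedOut -eq $true
    $r.UserExpired      = ($null -ne $u.AccountExpirationDate) -and ($u.AccountExpirationDate -lt (Get-Date))
    $r.ProfilePathClean = -not ($u.ProfilePath -and $u.ProfilePath -ne $u.ProfilePath.Trim())
    $r.HomeDirClean     = -not ($u.HomeDirectory -and $u.HomeDirectory -ne $u.HomeDirectory.Trim())
    $c = Get-ADComputer -Filter "Name -eq '$ComputerName'"
    $r.ComputerAccountExists  = [bool]$c
    $r.ComputerAccountEnabled = $c.Enabled -eq $true

    # Kerberos tolerates 5 minutes of skew by default; measure the offset against the DC
    $r.ClockOffsetSeconds = $null
    if ($dc) {
        $chart = & w32tm.exe /stripchart /computer:$dc /samples:1 /dataonly
        $line  = $chart | Where-Object { $_ -match ',\s*([+-]?\d+\.\d+)s' } | Select-Object -Last 1
        if ($line -match ',\s*([+-]?\d+\.\d+)s') { $r.ClockOffsetSeconds = [double]$Matches[1] }
    }
    $r.ClockWithinSkew = ($null -ne $r.ClockOffsetSeconds) -and ([math]::Abs($r.ClockOffsetSeconds) -lt 300)

    [pscustomobject]$r
}
```

Test-DomainLogonChecklist -Domain 'corp.example.com' -UserName 'jdoe' prints one object; any property that reads False (or a null offset) is the checklist item to chase.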

Using the Remote Desktop Client from the Command Prompt


The Microsoft Remote Desktop client is %systemroot%\system32\mstsc.exe. Running it with no switches opens the Remote Desktop Connection dialog, but mstsc.exe also accepts a set of command-line switches that let you script connections.

mstsc.exe {ConnectionFile | /v:ServerName[:Port]} [/console] [/f] [/w:Width] [/h:Height]

/v - the remote computer and, optionally, the port to connect to
/console – connects to the physical console session of a Windows Server 2003 system (Remote Desktop Connection 6.1 and later ignore this switch; use /admin there to reach the administrative session)
/f – starts the connection in full-screen mode
/w and /h – the width and height of the remote desktop window, in pixels

This is useful for batch files that act as shortcuts to particular machines with a fixed set of settings. For instance, mstsc.exe can be called from a startup script assigned through Group Policy on machines that should connect straight to a terminal server.

Disabling the RunAs Command


For standalone Windows XP machines in a workgroup, you can hide the Run as... shell verb by editing the registry. Use Regedit.exe to locate the following key on each machine:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

Then create a new DWORD value named HideRunAsVerb and assign it a value of 1. Note that this only removes the context-menu entry; runas.exe can still be started from a command prompt, so treat it as a convenience restriction rather than a security control.

In a domain environment, you can block the program itself with the Software Restriction Policies feature of Group Policy. Open the appropriate GPO in the Group Policy Object Editor and locate the following node in the console tree:
Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies
Right-click the node and select New Software Restriction Policies, then right-click Additional Rules and select New Path Rule. Enter the path to runas.exe (%SystemRoot%\System32\runas.exe) and set the security level to Disallowed. A path rule only covers that file in that location, so a user who copies runas.exe elsewhere can still run it; a hash rule on runas.exe blocks the file wherever it is placed and is the stronger choice. Remember also that Run As only lets a user start a program with credentials they already hold; it grants no privileges by itself.
If you prefer to apply the policy to specific users instead of computers, link the GPO to the OU that holds the user accounts and configure Software Restriction Policies under User Configuration instead of Computer Configuration:
User Configuration/Windows Settings/Security Settings/Software Restriction Policies
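An added example (not from the original post) that applies the workgroup registry change and then demonstrates the caveat above: with only HideRunAsVerb set, runas.exe still launches, whereas once a Software Restriction Policy rule disallows it, process creation fails. The check starts runas.exe with /? so it exits immediately.

```powershell
# Added example: hide the "Run as..." verb on a standalone machine and show that runas.exe is still callable.
$PoliciesExplorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'

function Set-HideRunAsVerb {
    param([bool]$Hidden = $true)
    if (-not (Test-Path $PoliciesExplorer)) { New-Item -Path $PoliciesExplorer -Force | Out-Null }
    New-ItemProperty -Path $PoliciesExplorer -Name HideRunAsVerb -PropertyType DWord `
                     -Value ([int]$Hidden) -Force | Out-Null
    (Get-ItemProperty -Path $PoliciesExplorer).HideRunAsVerb     # 1 = verb hidden, 0 = shown
}

function Test-RunAsStillCallable {
    try {
        $p = Start-Process -FilePath "$env:SystemRoot\System32\runas.exe" -ArgumentList '/?' `
                           -WindowStyle Hidden -PassThru -Wait -ErrorAction Stop
        return $null -ne $p     # the process started: the verb is hidden, the tool is not blocked
    } catch {
        return $false           # process creation refused, e.g. by a Software Restriction Policy rule
    }
}
```

Run Set-HideRunAsVerb followed by Test-RunAsStillCallable on a workgroup machine: the verb disappears from Explorer, yet the function returns True, which is the reason the domain case above uses Software Restriction Policies instead of the registry value.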