2- Create a New Delegation in your current zone (my new delegation name is Users). Right click on your Zone (my zone name is Contoso.com) and select New Delegation.
3- On the Welcome to the New Delegation Wizard page, click Next.
4- On the Delegated Domain Name page, type your Delegated domain name (in my case Users).
5- On the Name Servers page, select Add.
6- Add your DNS server (in my case DC.Contoso.com with IP address 192.168.0.1), then click Next.
7- On the Completing the New Delegation Wizard page, click Finish.
8- Now you can see the new delegation name.
9- Now we create a new zone (in my case the new zone name is Users.Contoso.com).
10- Right click on Forward Lookup Zones and select New Zone.
11- On the Welcome to the New Zone Wizard page, click Next.
12- On the Zone Type page, select Primary zone, then select Store the zone in Active Directory (available only if DNS server is a writeable domain controller), then click Next.
13- On the Active Directory Zone Replication Scope page, select To all DNS servers running on domain controllers in this domain: (in my case the domain name is Contoso.com), then click Next.
14- On the Zone Name page, type your Zone name: (in my case Users.Contoso.com), then click Next.
15- On the Dynamic Update page, select Allow only secure dynamic updates, then click Next.
16- On the Completing the New Zone Wizard page, check your settings, then click Finish.
17- You can see your new zone name in the DNS console (in my case Users.Contoso.com).
18- Now I create a batch file that uses Dnscmd.exe: a logon script creates a CNAME record for every user, and a logoff script deletes that record again.
19- Here is the batch file for logon (for example DNSLogon.cmd). I use pushd and popd because I run Dnscmd.exe from a UNC path:
pushd "%~dp0"
Dnscmd.exe DC.Contoso.com /recordadd Users.Contoso.com %USERNAME% CNAME %COMPUTERNAME%.Contoso.com
popd
20- Here is the batch file for logoff (for example DNSLogoff.cmd):
pushd "%~dp0"
Dnscmd.exe DC.Contoso.com /recorddelete Users.Contoso.com %USERNAME% CNAME %COMPUTERNAME%.Contoso.com /f
popd
21- But wait!!! The clients do not have the Dnscmd.exe command, and I will not copy Dnscmd.exe to every client; instead I copy Dnscmd.exe into the Logon and Logoff script folders.
22- Open the Group Policy Management console.
23- I edit the Default Domain Policy (but remember, in a real environment you must create a new GPO).
24- Right click on Default Domain Policy and select Edit.
25- Go to User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff).
26- Right click on Logon and select Properties.
27- Select Add, select Browse and add your batch file (dnslogon.cmd), and copy Dnscmd.exe into this folder too.
28- Click OK and close the Logon Properties window.
29- Do the same for the Logoff properties.
30- Now run GPUPDATE /FORCE on the Domain Controller.
31- Now open your DNS console again. Right click on the DNS server name and select Properties.
32- Select the Security tab, select Add, add the Users group and set just Read permission (again, just Read permission).
33- Open Regedit.exe on the Domain Controller, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters and set these DWORD values under that key:
Value: RpcAuthLevel
Data: 0x00000002
Value: MaxCacheTtl
Data: 0x00000001
Now I test whether the configuration works.
I use a Windows XP client logged on with the Ed Price (ed.price) account and a Windows 7 client logged on with the Richard Mueller (r.mueller) account (both are normal domain user accounts).
Now, in the DNS console, every user logged on to the domain has a CNAME record:
I ping the user names and can find which client each user is logged on to!!
Ed Price uses WinXP with IP 192.168.0.25
Or I can find which client Richard Mueller is logged on to with the NSLOOKUP command:
When a user logs off, the CNAME record is deleted automatically by the logoff batch file, and you can see that the user is no longer logged on to the domain.
Now Ed Price has logged off and the CNAME record was deleted automatically.
Note: If a user does not log off correctly, the CNAME record is not deleted automatically. You must delete it manually.
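The note above means the Users.Contoso.com zone slowly fills with records for users who are no longer logged on (crashed clients, pulled network cables, hard power-offs). The following PowerShell script is an added example, not part of the original article: it reads every CNAME in the zone, asks the target computer who is actually at the console, and removes the records whose user is gone. It assumes the DnsServer PowerShell module (RSAT DNS tools, Windows Server 2012 or later) on the machine running it, admin rights on the clients for the WMI query, and the server and zone names from this article.

```powershell
param(
    [string]$DnsServer  = 'DC.Contoso.com',     # DNS server from the article
    [string]$ZoneName   = 'Users.Contoso.com',  # zone that holds the user CNAMEs
    [switch]$ReportOnly                          # list stale records without deleting
)

# Every CNAME in the zone is one "user -> computer" mapping created by DNSLogon.cmd.
$records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType CName

foreach ($rec in $records) {
    $user   = $rec.HostName                                # e.g. ed.price
    $target = $rec.RecordData.HostNameAlias.TrimEnd('.')   # e.g. WinXP.Contoso.com

    try {
        # Ask the client who is at the console. DCOM is used so Windows XP / 7 clients
        # without WinRM still answer; this needs admin rights on the client.
        $opt     = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $target -SessionOption $opt -ErrorAction Stop
        $console = (Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem).UserName
        Remove-CimSession $session
    } catch {
        # Unreachable (powered off, firewalled): do not guess, leave the record for a human.
        Write-Warning "$user -> $target : client unreachable, record kept ($($_.Exception.Message))"
        continue
    }

    # UserName is 'CONTOSO\ed.price' while logged on and empty when nobody is at the console.
    $consoleUser = if ($console) { $console.Split('\')[-1] } else { '' }
    if ($consoleUser -ieq $user) {
        Write-Host "OK    $user -> $target"
        continue
    }

    Write-Host "STALE $user -> $target (console user: '$console')"
    if (-not $ReportOnly) {
        # Same record the logoff script would have removed with 'dnscmd /recorddelete ... /f'.
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
            -RRType CName -Name $user -RecordData $rec.RecordData.HostNameAlias -Force
    }
}
```

Run it first with -ReportOnly to see what it would remove, then schedule it on the DNS server as an administrative task rather than giving ordinary users any more rights on the zone.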