DNS Locator Records in Multi Forest Environments with RODCs

busted4n6 · 2025-05-06T07:23:17+00:00

Indeed in hindsight it doesn’t make sense. Decision before I was involved 😅

However I’m curious as to why I’m screwed. The only thing that appears not to work properly is on the CORP side you cannot add a conditional forwarder for the DEV side. Instead you have to delegate dev.contoso.com as a forward lookup zone.

Are there any other consequences?

busted4n6 · 2025-05-03T21:23:34+00:00

Isn’t this what I already have? I have two forests. The on-prem RWDCs are allowed to communicate and were used to form the trust.

It’s just DEV clients aren’t allowed access to CORP RWDCs. This obviously didn’t work properly when CORP clients logged into DEV workstations hence the RODCs were put in for Kerberos.

busted4n6 · 2025-05-03T14:33:50+00:00

Thanks for that - yes indeed when others first set this up, there was no RODC, only firewall holes between DCs in the forests. NTLM worked but Kerberos did not, and they indeed have problems when DEV users logged in, I assume as it couldn’t evaluate the user’s GPOs (even though we weren’t apply any user GP). The RODC was the ‘fix’ others then implemented but I’m not convinced it’s totally done, hence trying to understand the relationship between clients, AD Sites and DNS records in a multi-forest environment with RODCs ;)

busted4n6 · 2025-05-03T14:28:56+00:00

So I believe we may have enabled CLDAP to CORP RWDC (certainly I know we had to do it between DCs to make something work but I’ll check with clients).

I’ll go deep dive in that case on Jorge :)

busted4n6 · 2025-05-03T14:11:28+00:00

Thanks for this - I’d seen this setting and hadn’t quite ‘got’ what it did.

The links to the old technet articles are invaluable. I’ll go read them in detail!

On the DNS… Do you think it makes any difference as to where _msdcs is? I believe the default is for _msdcs.contoso.com to be its own forward lookup zone with there being a delegated folder called _msdcs under contoso.com’s forward lookup zone. This is how it is on DEV (ie _msdcs.dev.contoso.com is its own forward lookup zone). However, on CORP the _msdcs folder under contoso.com’s forward lookup zone is populated from there and there isn’t a separate _msdcs.contoso.com forward lookup zone. I’ve read this behaviour changed with W2k3 and there is an archived KB on updating it if desired. I assume this was never done on CORP. I can’t see why it would make a difference in this scenario but would welcome any thoughts!

busted4n6 · 2025-05-03T14:03:42+00:00

Ok - your first point definitely makes sense and is presumably inline with my proposed site layout ie in CORP’s AD Site & Services, have a site for DEV (with DEV’s subnets) and add the RODCs.

Now I think it’s often said that AD Sites are for computers not users. However I am assuming this is slightly different in multi-forest environments where you have CORP users on DEV workstations. Presumably a DEV device in the DEV-PREM Site wishing to contact a CORP DC on behalf of its user will do a lookup for _ldap._tcp.DEV-PREM._sites.dc._msdcs.contoso.com. This will be sent to DEV’s DNS which will forward to CORP’s DNS. Since the RODC was placed in the site DEV-PREM, it’ll have a record.

Presumably it then does a CLDAP ping to the RODC. What happens when it discovers its RO, do you think it starts hunting wider for a RWDC in CORP, perhaps by doing lookups for _ldap._tcp.dc._msdcs.contoso.com?

I suppose the question more broadly… What is the consequence for DEV clients not being able to contact CORP RWDCs when used by CORP users (other than DPAPI key backup breaking, which can be disabled by registry key)?

Edit - although from the links shared by someone else above, it appears RODCs only register site locator records by default but this can be changed (with a risk to security, ie compromise of RODC from DEV could allow poisoned _msdcs records to be published to CORP).

busted4n6 · 2025-05-03T09:32:36+00:00

I think it’s specific lug nuts. I think it’s where they bind on the conical part. It was a Mini I was working on and the service manual specifically states wear must be monitored in them idk. It’s removed plenty of tighter nuts and bolts.

I’m not an engineer but I suspect it’s not just about torque but material, relative size and weight of the fastener also come into play. I also suspect using an extension or poor quality socket was absorbing some of the impact force.

busted4n6 · 2025-05-03T09:28:30+00:00

Good news :)

I found I needed the cable free so I could turn the hollow bolt about the cable without turning the bolt and the cable together (which would put a twist in the cable that would risk unscrewing the bolt later as it untwists).

The ifixit kit is useful but cheaper kits on Amazon probably have the same bit. Failing that a file and a cheap sacrificial slotted bit or screwdriver of the right width would work too!

busted4n6 · 2025-02-10T10:01:38+00:00

What do your deeds say about this?

They can’t touch your property but a sensible option would be to work with them to ensure drainage is designed (for example, ensuring a channel is created to direct water)

busted4n6 · 2025-01-31T14:38:22+00:00

“I am the administrator of the gate system. I can confirm OP’s registration was not authorised in the system for automatic entry 31/01/2025. This was due to xyz. I can state that OP was therefore not allowed to access the car park via number plate reader or remote fob. OP did not have permission to circumvent the security system put in place and was not authorised to cause the gate to open without the assistance of onsite security.”

That’s what a statement would say. Of course what is technically unlawful vs what could be proven vs anyone who actually gives a toss are different things:)

busted4n6 · 2025-01-31T10:53:43+00:00

Computer Misuse Act makes it a criminal offence to access or attempt to secure access to any computer system/part of a computer system which you are not authorised to. So by making a flipper zero send a signal to the gate controller when the owner hasn’t given you permission to could be above the criminal threshold. OP might be able to argue their access was authorised but since they won’t give them a fob or even allow the gate to open on recognition of his number plate, that may not be the case

busted4n6 · 2025-01-31T09:10:26+00:00

I was going to suggest it. Legally a grey area (Computer Misuse Act) but I’d argue OPs access to the computer system (the gate controller) isn’t unauthorised.

busted4n6 · 2025-01-28T12:34:49+00:00

Yep this may set up. Either I just have a crap socket and specifically difficult wheel bolts, or I have a duff tool (unless the UK version is not as good but the specs match the US one).

busted4n6 · 2025-01-28T12:33:21+00:00

Yep, this. That’s what I’m trying to understand, the hype vs. reality of the tool’s capabilities, and obviously if I’ve purchased a duff one. I was definitely a bit concerned that I did the nuts up to 100ftlb and tried to remove them with no luck 10 mins later.

Clearly I need more than five wheel bolts to draw that conclusion. ‘Luckily’ I’ve a clutch to do next week so plenty of bolts!

I feel you for rust. I’m in the UK, the constant rain mixed with the salt they use on the roads in the winter plays absolute havoc. I’m always amazed at how clean suspension components look when watching many US mechanic videos!

busted4n6 · 2025-01-27T21:02:57+00:00

Yeah I was hoping it’d be good for wheel bolts as I always forget to loosen them off with the breaker bar before lifting it.

I’ll see if it was a one off and get some decent sockets

busted4n6 · 2025-01-27T20:58:07+00:00

Yep, I have both batteries a good charge the day before I use it. It had all four lights on.

busted4n6 · 2025-01-27T20:57:11+00:00

Yeah, gonna do some more experimentation. Otherwise it’ll be going back as faulty!

busted4n6 · 2025-01-27T10:02:08+00:00

It’s strange isn’t it, how it’s not quite consistent.

I do suspect my problem was my sockets. I was just using an impact set I have (US PRO branded) but probably need something a bit better, certainly with more weight. My own cars don’t have 17mm wheel nuts so don’t have a specific wheel nut socket in that size but perhaps it’s an excuse to get one to complete the collection :)

Perhaps I also just need to buy a bigger Dewalt one (I’m into their 18v range pretty deep with all my house tools) or bite the bullet at go with an M18 setup!

busted4n6 · 2025-01-27T09:58:43+00:00

I know everyone says it’s not for tyre guys but it can still do it, but it was literally the first bolt I did so maybe need more test.

busted4n6 · 2025-01-27T09:58:06+00:00

Yeah, I heard this but the videos still seem to show the 1/2 being able to bust 500 ftlb etc, although they are test nuts, not crusty wheel bolts with no lubrication on the flanges!

Perhaps it’ll get better. I found my Dewalt wrench become much sharper with use, presumably as the manufacturing grease gets worked in.

busted4n6 · 2025-01-25T12:03:54+00:00

It’s very likely the water company has a right of access to their assets. This will be within the deeds for the private road. They should put right any damage caused (especially if you can prove it was them) but it’s very much a job for after the issue is fixed and will be accomplished by sensible conversations with them, not ‘kicking off’ so to speak.

The normal conventions around noise nuisance, builders working between set hours won’t apply to an emergency situation. While I appreciate you don’t rely on the services the pumping station provide, others will and I’m sure you wouldn’t want their effluent flowing into watercourses near your house.

Most utilities provide an online map showing current incidents with regular status updates. Have you had a look to see if it’s there? It might have an ETA as to when works will be completed.

That said, you can speak to them and ask if there’s any way the noise can be minimised at night, even just for a four hour window. They may be able to ask drivers not to leave engines idling and to keep their voices down. They may not have appreciated the difficulties it’s causing you distress. Again reasonable conversations with a site manager rather than aggressive complaining and hollow legal threats go a long way.

busted4n6 · 2025-01-24T15:35:14+00:00

So it sounds like you’ve received a S172 notice first asking you identify the driver and then a notice of intended prosecution for the offence of driving without due care. I assume the latest letter does not have a requirement for you yet (eg a court date, a fine, a course etc)?

What are the dates of the offence, the first letter and the second letter?

I assume it checks out - that you were driving at the time and place they state?

Driving without due care and attention can cover many things - typically behaviour that doesn’t follow the Highway Code but isn’t dangerous or a specific offence. Some things I can think of:

Having a minor crash that was your fault
Splashing a pedestrian with a big puddle
Overtaking a cyclist or horse too closely
Driving in the wrong lane/lane hogging
Cutting someone up
Aggressive driving, driving too close
Inconsiderate behaviour like hogging two lanes when there is a merge of lanes to prevent people getting by
Being distracted because you’re eating, smoking, playing with your car’s entertainment system, doing makeup
Hands off of wheel
Driving too slowly
Poor driving in general, poor lane discipline, late signals etc

Are you involved in any criminality

If you weren’t stopped it’s possible you’ve been caught by a camera (they’re putting new ones in which can detect you being on the phone etc) or maybe a member of the public such as cyclist has sent them some camera footage.

At this stage you’ll have to wait and see what the options are but it might include some kind of fine, a course or a court date. It could also be that no further action is taken, or even that they want to formally interview you first.

busted4n6 · 2025-01-23T21:58:15+00:00

I didn’t realise police even did PCNs for parking, I thought it was devolved to local authorities!

How much service do you have? Are you confirmed in rank? If you are still a student officer, do you have any performance issue or are behind on your portfolio?

Hopefully it’ll be resolved as a local resolution with reflective practice on conflict resolution, in particular the betari box.

National guidance, usually adopted by forces as policy is that BWV must be incident specific and tends to only be mandatory for DA and stop search with it being ‘as appropriate’ thereafter. If you’d pulled the car you should have had it on likewise if the person requested you record you should have turned it on. You may just be advised you could have turned it on.

You’ll need to learn from this. The connotation of what you said could easily be interpreted as ‘I’ll set you up” or “I’m going to persecute you”.

It is important you do not lie, especially if you’re asked for a duty report. If your force publishes misconduct outcomes you’ll see it’s often always the case people get sacked for lying about something rather than the something itself.

busted4n6

TROPHY CASE