Google Safe-Search can't be forced on Windows Server 2008R2
About 3 or 4 weeks ago (that I know of) Google started using HTTPS to send Google searches if the machine user is or has been logged in to a Gmail/Google Apps account. For example, if I sit down at a client machine and bring up Google, the search goes through HTTP, but if I log in to a Gmail account and then go to Google, a web or image search goes through HTTPS. The problem is at a high school that uses Google Apps for Education. If one of the students logs in to his/her own private Gmail account or school account and does a Google search, the Google search is not filtered by our web content filter in any way, shape or form. I've tried 2 different, well-known web filtering hardware devices (Fortinet's FortiGuard and Cipafilter) and neither of them can turn on safe-search for HTTPS Google search so that it doesn't produce offensive results or images. I helped a support tech at Cipafilter in what we've found so far.
Google has a fix for this, but the fix doesn't work with Windows Server 2008R2. I contacted Google support and had them step me through the steps to create the fix, but every time I got an error at the end and it wouldn't create the CNAME record needed in Google's fix. (My conversation with Google and the errors associated are posted below.) Google told me I performed the procedure correctly, so it must be a problem on my server. I went to a school last night. The school has a Windows Server 2008R2 DC. I tried to perform the fix for them and got the same error on the Win Server 2008R2 machine, but they also have a Windows Server 2003 DC, and I got the fix to work on the 2003 machine and it did replicate to the 2008R2 machine. A guy I know has a 2008R2 server and tried it on his and got the same exact error. Also, he has a 2008 server DC in his domain, and it did allow him to add Google's fix to the 2008 server, and it replicated to the Windows Server 2008R2 DC fine. I don't have another server OS in my domain!!!!
I have a flimsy workaround up and running. I created a host name record pointing to the IP address of nosslsearch.google.com, but the IP can change at any moment, and it did change overnight last night.
My recap of the conversation with Google support, emailed to the support tech I talked to:
Samir,
To recap, Google is automatically forcing signed-in Google accounts to use SSL search, while providing a workaround for school network administrators. The reference material resides within the following Google write-up:
http://www.google.com/support/websearch/bin/answer.py?hl=en&answer=173733
As Google has stated in the article, "To utilize the NoSSLSearch option for your network, please configure the DNS entry for www.google.com to be a CNAME for nosslsearch.google.com. We will not serve SSL search results for requests that we receive on this hostname."
Following these instructions, we have written an article within our knowledge base that conforms to the specifications that Google has deemed necessary in order to disable SSL-based searches. Please refer to the write-up, attached to this email in PDF format. As we have supplied this information to school administrators, a trend has become visible: this solution is not possible in Windows Server 2008 R2. The attached screen capture demonstrates what happens when attempting to follow Google's recommendation, creating a forward lookup zone "www.google.com" and creating the corresponding CNAME "nosslsearch.google.com". The error states:
=================
DNS
=================
A new record cannot be created.
An alias (CNAME) record cannot be added to this DNS name. The DNS name contains records that are incompatible with the CNAME record.
I've spent a great deal of time researching this issue. After troubleshooting, research, and review of forum postings, there is one major issue with Google's offered solution. Google is requiring administrators to perform an action that is prohibited under RFC 1034, section 3.6.2, "Aliases and canonical names", which can be referenced here:
http://tools.ietf.org/html/rfc1034
The specification states:
"If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for other RR types."
Microsoft has published a TechNet article discussing the addition of a resource record to a forward lookup zone:
http://technet.microsoft.com/en-us/library/cc816819(ws.10).aspx
Contained within this article, you will find an important note that explains the occurrence of this error in DNS Manager. The note states:
"You cannot create an alias (CNAME) resource record for a name if there is already a DNS record for that name. This includes the root of the zone; that is, you cannot create an alias (CNAME) record for the root of the zone."
To sum up the issue, it is not possible for a Windows Server 2008 R2 administrator to create a CNAME record at the root of the zone "www.google.com". The only way to accomplish this is to create a forward lookup zone of "google.com", create a CNAME alias "www", and redirect traffic to "nosslsearch.google.com". However, doing so turns the local DNS server into the authoritative DNS server for google.com, breaking every single other service that Google offers (Docs, Gmail, Calendar, etc.).
At this time, the only functional workaround we have devised is to create a forward lookup zone "www.google.com" and create a record at the root that points at the IP "74.125.45.114". While performing this action appears effective in testing, it is not an acceptable solution, as Google can change IPs, or distribute the work among several IP addresses at any point in the future.
I am under the belief that Google cannot offer this as a solution, nor as a proposed workaround, and must come up with an appropriate solution to this issue that is RFC compliant. Please resolve.
Google's response was:
Hello Jim,
Thank you for your message.
I contacted our support team on this matter. The setup looks to be done correctly through the screenshot. Support have the articles you shared. At Google Apps, we cannot assist further in troubleshooting why the issue is still happening. I was told you must check the settings on your servers. Settings entered correctly same different domains, different servers wanting same are. If this fails, escalate to DNS or our admin. Have no one can error getting.
Feel free to answer this email with other comments or questions, it will be my pleasure. This case will close in 3 business days.
Sincerely,
Samir
Enterprise Support
So at this point I'm screwed. I can't get Google searches with safe-search turned on automatically without a host record pointing to an IP address that can change any second, and will. Google says it's my settings, but I don't know, they didn't look at my settings. Every other Windows Server 2008R2 machine that either I try it on, or that people I know try it on, using these exact directions to make the safe-search fix (which Google has seen and approved - I sent them a copy of the article we made to use and they said it was perfect), has the exact same error.
So... hopefully someone here can give me a clue, or someone at Microsoft is looking at this forum and can somehow make Google believe it's a prohibited fix and cajole Google to fix the issue. I can't be the only school that is going to encounter this problem and has Windows Server 2008R2 DCs.
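An added example, not part of the original post or of Google's or Microsoft's documentation: a small Python check of the RFC 1034 section 3.6.2 rule against the three zone layouts described above (CNAME at the root of a "www.google.com" zone, a "www" CNAME inside a "google.com" zone, and a host record at the root of "www.google.com"). The record sets are constructed and `dc1.school.example` is a placeholder server name.

```python
from collections import defaultdict

def owner_fqdn(owner, zone):
    """Expand '@' (zone root) or a relative label to a full lowercase name."""
    return zone.lower() if owner == "@" else f"{owner}.{zone}".lower()

def cname_conflicts(zone, records):
    """RFC 1034 3.6.2: report nodes where a CNAME coexists with other data."""
    types = defaultdict(set)
    for owner, rtype, _data in records:
        types[owner_fqdn(owner, zone)].add(rtype.upper())
    return {node: sorted(t - {"CNAME"})
            for node, t in types.items() if "CNAME" in t and len(t) > 1}

def shadowed(zone, records, queries):
    """Queried names that fall inside the zone but have no local record.
    An authoritative server answers these itself instead of forwarding.
    Simplification: delegations and wildcards are ignored."""
    zone = zone.lower()
    owners = {owner_fqdn(o, zone) for o, _t, _d in records}
    return [q for q in queries
            if (q.lower() == zone or q.lower().endswith("." + zone))
            and q.lower() not in owners]

# Constructed record sets. Every zone root carries SOA and NS records,
# which is why a CNAME can never be added there.
APEX = [("@", "SOA", "dc1.school.example."), ("@", "NS", "dc1.school.example.")]
ZONE_WWW_CNAME = APEX + [("@", "CNAME", "nosslsearch.google.com.")]
ZONE_PARENT = APEX + [("www", "CNAME", "nosslsearch.google.com.")]
ZONE_WWW_HOST = APEX + [("@", "A", "74.125.45.114")]  # address quoted in the post
QUERIES = ["www.google.com", "mail.google.com", "docs.google.com"]

if __name__ == "__main__":
    # Layout 1: rejected, CNAME collides with SOA/NS at the zone root.
    print(cname_conflicts("www.google.com", ZONE_WWW_CNAME))
    # Layout 2: legal, but every other google.com name is now answered locally.
    print(cname_conflicts("google.com", ZONE_PARENT),
          shadowed("google.com", ZONE_PARENT, QUERIES))
    # Layout 3: legal and scoped to one name, but pinned to a fixed address.
    print(cname_conflicts("www.google.com", ZONE_WWW_HOST),
          shadowed("www.google.com", ZONE_WWW_HOST, QUERIES))
```
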