MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory Chapter 9: Configuring DNS for Active Directory

Feb 03, 2016


MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory. Chapter 9: Configuring DNS for Active Directory. Describe the structure of Domain Name System; install and use the DNS Server role in Windows Server 2008; configure DNS zones; configure advanced DNS server settings. (PowerPoint PPT presentation)
Transcript
Page 1: MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory

MCTS Guide to Configuring Microsoft Windows Server 2008

Active Directory

Chapter 9: Configuring DNS for Active Directory

Page 2

MCTS Windows Server 2008 Active Directory 2

Objectives

• Describe the structure of Domain Name System

• Install and use the DNS Server role in Windows Server 2008

• Configure DNS zones

• Configure advanced DNS server settings

• Monitor and troubleshoot DNS

Page 3

Introduction to Domain Name System

• Domain Name System (DNS) is a distributed hierarchical database composed mainly of computer name and IP address pairs

• In order to resolve a name to an address, a DNS lookup will often require multiple queries to a hierarchy of DNS servers

Page 4

The Structure of DNS

• DNS can be described as an inverted tree structure

• Entire DNS tree is called the DNS namespace

• Each domain has one or more servers that are authoritative for the domain

• Root servers keep a database of addresses of other DNS servers managing top-level domain names, called top-level domain (TLD) servers

Page 5

The Structure of DNS (cont.)

Page 6

The DNS Database

• A zone is a grouping of DNS information that represents one or more domains and possibly subdomains

• Zones contain a variety of record types called resource records, which contain information about network resources

• DNS records can be added and changed by:

– Static updates

– Dynamic updates

Page 7

The DNS Database (cont.)

DNS resource record types

Page 8

The DNS Lookup Process

• Two different types of DNS lookup can be performed

– Iterative query

• A DNS server will respond with the best information it has to satisfy the query, or it may give a referral response

– Recursive query

• DNS server processes the query until it responds with an address that satisfies the query or with an “I don’t know” message

• A typical DNS lookup made by a DNS client can involve both recursive and iterative queries

• DNS clients maintain a Hosts file that can contain static DNS entries; Hosts is stored in %systemroot%\System32\drivers\etc

Page 9

The DNS Lookup Process (cont.)

Page 10

DNS Server Roles

• DNS servers can perform one or more of the following roles for a zone:

– Authoritative server

• Holds a complete copy of a zone’s resource records

– Forwarder

• A DNS server to which other DNS servers send requests they can’t resolve themselves

– Conditional forwarder

• DNS server to which other DNS servers send requests targeted for a specific domain

– Caching-only server

• Does not have zones; it fields DNS queries, does recursive lookups to root servers, or sends requests to forwarders and then caches the results

Page 11

DNS Zones

• Three different types of zones

– Primary zone

• Contains a read/write master copy of all resource records for the zone; it is considered authoritative for the zone

– Secondary zone

• Contains a read-only copy of all resource records for the zone; it is considered authoritative for the zone

– Stub zone

• Contains a read-only copy of only the SOA and NS records for a zone and the necessary A records to resolve NS records; not authoritative

Page 12

Installing DNS

• DNS installation begins by installing the DNS Server role in Server Manager

• If the DNS server is intended to manage domain name services for Active Directory, DNS Server role should be installed on a domain controller

• Windows automatically detects whether or not the server is configured as a domain controller and then integrates DNS zones with Active Directory

Page 13

Creating DNS Zones

• An Active Directory integrated zone is a primary or stub zone with the DNS database stored in an Active Directory partition

• Installing DNS on a domain controller that is part of an existing domain will have zone information copied to it automatically during AD replication

• Some situations may require that a zone be created manually

• Zones that are not Active Directory integrated are referred to as standard zones

Page 14

Creating DNS Zones (cont.)

Page 15

Active Directory-Integrated Zones

• “Store the zone in Active Directory” check box means you want the zone stored in an Active Directory partition

• Standard zones are stored in a text file called zone-name.dns, which is located in the %systemroot%\system32\dns folder

• Active Directory-integrated zones have the following advantages over a standard zone:

– Automatic zone replication

– Multimaster replication and update

– Secure updates

– Efficient replication

Page 16

Zone Replication Scope

• After selecting the zone type and specifying that the zone is to be stored in Active Directory, you are asked to select the zone replication scope with one of these options:

– To all DNS servers in this forest

– To all DNS servers in this domain

– To all domain controllers in this domain (for Windows 2000 compatibility)

– To all domain controllers specified in the scope of this directory partition

Page 17

Forward and Reverse Lookup Zones

• Next, you are asked whether a zone should be a forward lookup zone or a reverse lookup zone

– FLZ – A forward lookup zone contains records that translate names to IP addresses, such as A, AAAA, and MX records

– RLZ – A reverse lookup zone contains PTR records that map IP addresses to names and is named after the IP network address (IPv4 or IPv6) of the computers whose records it contains

Page 18

Dynamic Updates

• Final step allows you to choose whether and how to use dynamic updates, which can be configured in one of three ways

– Allow only secure dynamic updates

– Allow both nonsecure and secure dynamic updates

– Do not allow dynamic updates

• Dynamic updates enable DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur

Page 19

Creating Zones from the Command Line

• Dnscmd.exe can create and configure various DNS settings

• Basic syntax: dnscmd server /command

• Examples:

– Create a new primary Active Directory-integrated zone named zone1 that allows only secure dynamic updates:

dnscmd server99 /ZoneAdd zone1 /DsPrimary

– Add an A record for the host named host1 in zone1 with the IP address 192.168.200.99:

dnscmd server99 /RecordAdd zone1 host1 A 192.168.200.99

Page 20

Configuring DNS Zones

• Zones can be viewed and changed in DNS Manager

• DNS Manager provides the following options:

– Status

– Type

– Replication

– Dynamic updates

– Aging

Page 21

Configuring DNS Zones (cont.)

Page 22

Aging and Scavenging Resource Records

• Stale resource records can degrade server performance, provide incorrect information, and generally make DNS less reliable and efficient

• Enabling scavenging causes the server to check for stale records periodically and deletes those meeting the criteria for a stale record

• Options in the Zone Aging/Scavenging Properties dialog box

– Scavenge stale resource records

– No-refresh interval

– Refresh interval

– The zone can be scavenged after
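The aging rules behind these options, as an added worked example (not from the textbook): a refresh of unchanged data is ignored during the no-refresh interval, a record becomes stale once both intervals have passed, and no scavenging happens before the zone's "can be scavenged after" time. The 7-day intervals, record names and timestamps are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed zone settings, mirroring the Zone Aging/Scavenging Properties dialog
DAY = timedelta(days=1)
NO_REFRESH_INTERVAL = 7 * DAY
REFRESH_INTERVAL = 7 * DAY


def refresh_allowed(record_ts, now, no_refresh=NO_REFRESH_INTERVAL):
    """A dynamic update that re-registers a timestamped record with unchanged
    data is accepted (timestamp advanced) only after the no-refresh interval;
    earlier refreshes are dropped so they do not trigger replication."""
    return now >= record_ts + no_refresh


def apply_dynamic_update(record, new_ip, now, no_refresh=NO_REFRESH_INTERVAL):
    """Model a client re-registering its dynamic A record. A changed address is
    always stored and timestamped; an unchanged address only refreshes the
    timestamp when refresh_allowed() says so. Returns True if anything changed."""
    if record["ip"] != new_ip:
        record["ip"], record["ts"] = new_ip, now
        return True
    if refresh_allowed(record["ts"], now, no_refresh):
        record["ts"] = now
        return True
    return False


def is_stale(record_ts, now, no_refresh=NO_REFRESH_INTERVAL, refresh=REFRESH_INTERVAL):
    """A record is stale once no-refresh + refresh has elapsed since its last
    timestamp. Static records carry no timestamp and are never scavenged."""
    if record_ts is None:
        return False
    return now >= record_ts + no_refresh + refresh


def scavenge(records, now, zone_scavenge_after,
             no_refresh=NO_REFRESH_INTERVAL, refresh=REFRESH_INTERVAL):
    """Return the names a scavenging pass would delete (records are left
    untouched). The zone-level 'can be scavenged after' time gates the pass."""
    if now < zone_scavenge_after:
        return []
    return [r["name"] for r in records if is_stale(r["ts"], now, no_refresh, refresh)]


# Constructed sample: registrations 20, 10 and 3 days old plus one static record
NOW = datetime(2016, 2, 3, 12, 0)
SAMPLE_RECORDS = [
    {"name": "host1.zone1", "ip": "192.168.200.99", "ts": NOW - 20 * DAY},
    {"name": "host2.zone1", "ip": "192.168.200.100", "ts": NOW - 10 * DAY},
    {"name": "host3.zone1", "ip": "192.168.200.101", "ts": NOW - 3 * DAY},
    {"name": "dc1.zone1", "ip": "192.168.200.1", "ts": None},
]

if __name__ == "__main__":
    # Only host1 has passed both intervals (14 days); dc1 is static
    print(scavenge(SAMPLE_RECORDS, NOW, NOW - DAY))  # ['host1.zone1']
```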

Page 23

Start of Authority Records

• SOA records are found in every zone and contain information that identifies the server primarily responsible for the zone as well as some operation properties for the zone

• The SOA record contains the following information:

– Serial number

– Primary server

– Responsible person

– Refresh interval

– Retry interval

– Expires after

– Minimum (default) TTL

Page 24

Name Server Records

• NS records specify FQDNs and IP addresses of authoritative servers for a zone

• NS records are also used to refer DNS queries to a name server that has been delegated authority for a subdomain

• Glue A records are A records containing a name server’s IP address and are used to resolve NS record information

Page 25

Zone Delegation

• Zone delegation is transferring authority for a subdomain to a new zone, which can be on the same server or another server

• The server hosting the parent zone maintains only an NS record pointing to the DNS server hosting the delegated zone

• _msdcs subdomain exists inside every Windows domain zone and holds SRV records for Microsoft-hosted services, such as global catalog, LDAP, and Kerberos

Page 26

Zone Delegation (cont.)

Page 27

Using Stub Zones

• Stub zones are a special type of zone that contain only an SOA record, one or more NS records, and the necessary glue A records to resolve NS records

• Reasons for using stub zones

– Maintenance of zone delegation information

– In lieu of conditional forwarders

– Faster recursive queries

– Distribution of zone information

Page 28

Zone Transfers

• A zone transfer copies all or part of a zone from one DNS server to another and occurs as a result of a second server requesting the transfer from another server

• Zone transfers can be initiated in two ways

– Refresh interval

– DNS notify

• Zone transfers are configured in the Zone Transfers tab of a zone’s Properties dialog box, which has the following options:

– Allow zone transfers

• To any server

• Only to servers listed on the Name Servers tab

• Only to the following servers

– Notify

Page 29

Incremental Zone Transfers

• Two types of zone transfer

– Full zone transfers

– Incremental zone transfers

• Both master and slave DNS servers must support incremental zone transfers to use them

• During the initiation of an incremental zone transfer, the serial number decides whether the slave or the master determines the differences between its current zone data and the zone data on the other server
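An added example (not from the textbook) tying together the SOA fields from page 23, the refresh-interval trigger from page 28 and the serial-number check on this slide: it parses an SOA record in the text form a standard zone file uses, compares serials with the wrap-around arithmetic serials require, and reports what a secondary should do. The zone name, server names and timer values are constructed.

```python
import re

# Constructed SOA record in zone-file text form (as in a zone-name.dns file)
SAMPLE_SOA = """
@  IN  SOA  server99.zone1.  hostmaster.zone1. (
        2016020301   ; serial number
        900          ; refresh interval
        600          ; retry interval
        86400        ; expires after
        3600 )       ; minimum (default) TTL
"""


def parse_soa(text):
    """Return the SOA fields as a dict. Comments (; ...) and the parentheses
    that let the record span several lines are stripped before tokenising."""
    body = " ".join(re.sub(r";.*", "", line) for line in text.splitlines())
    tokens = body.replace("(", " ").replace(")", " ").split()
    i = tokens.index("SOA")
    serial, refresh, retry, expire, minimum = (int(t) for t in tokens[i + 3:i + 8])
    return {"primary": tokens[i + 1], "responsible": tokens[i + 2], "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire, "minimum_ttl": minimum}


def serial_newer(candidate, current):
    """Serial-number arithmetic (RFC 1982) on 32-bit unsigned serials, so a
    serial that has wrapped past 2**32 still compares as newer."""
    if candidate == current:
        return False
    diff = (candidate - current) % 2**32
    return 0 < diff < 2**31


def decide_transfer(master_serial, slave_serial, master_ixfr=True, slave_ixfr=True):
    """What the secondary does after reading the master's SOA: nothing unless
    the master's serial is newer; then IXFR only if both ends support it,
    otherwise a full AXFR."""
    if not serial_newer(master_serial, slave_serial):
        return "none"
    return "IXFR" if (master_ixfr and slave_ixfr) else "AXFR"


def secondary_state(soa, seconds_since_last_transfer):
    """Timer view from the secondary's side: 'current' until the refresh
    interval elapses, 'refresh due' after it, and 'expired' once the expire
    interval passes without a successful transfer (it stops answering)."""
    if seconds_since_last_transfer >= soa["expire"]:
        return "expired"
    if seconds_since_last_transfer >= soa["refresh"]:
        return "refresh due"
    return "current"


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa["serial"], decide_transfer(soa["serial"] + 1, soa["serial"]))
```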

Page 30

Using WINS with DNS

• Windows Internet Name Service (WINS) is a legacy name service used to resolve NetBIOS names, sometimes referred to as single-label names

• Similar to DNS in that it keeps a database of name-to-address mappings

• Generally used in environments that require NetBIOS resolution or where applications depend on it

• The WINS tab has the following options:

– Use WINS forward lookup

– Do not replicate this record

– IP address

– Time to live (TTL)

Page 31

Using the GlobalNames Zone

• GlobalNames zone (GNZ) allows administrators to add single-label names to DNS, giving client computers the ability to resolve these names without including a DNS suffix in the query

• Entries must be made manually

• Can assist mobile users by dropping the need for remembering a resource’s FQDN

• Enabled via dnscmd.exe

– Dnscmd server /config /EnableGlobalNamesSupport 1

Page 32

DNS Forwarders

• Referring a DNS query to a forwarder can be more efficient under some situations

– When the DNS server address for the target domain is known

– When only one DNS server in a network should make external queries

– When a forest trust is created

– When the target domain is external to the network and an external DNS server’s address is known

• Conditional forwarding allows queries for particular domains to particular name servers and all other unresolved queries to a different server

Page 33

Configuring Traditional Forwarders

• To configure a traditional forwarder, right-click the server node in DNS Manager, click Properties, and click the Forwarders tab

• If more than one server is specified, they are queried in the order in which they’re listed

• Additional servers are only queried if the first server provides no response

• No response from any forwarders triggers a normal recursive lookup process, starting with a root server

Page 34

Configuring Conditional Forwarders

• Previously, traditional and conditional forwarders were configured under the Forwarders tab, but Server 2008 has conditional forwarders as a node in DNS Manager

• With forwarders and/or conditional forwarders configured, the DNS server attempts to resolve DNS queries in this order:

– 1. From locally stored zone resource records

– 2. From the DNS cache

– 3. From conditional forwarders

– 4. From traditional forwarders

– 5. Recursively by using root hints
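The five-step order above as an added model (not the textbook's or Microsoft's code), including two details the slides state: a conditional forwarder is chosen by its domain, and the next traditional forwarder is tried only when the previous one gave no response at all. The `ask` callback, zone names, forwarder addresses and answers are constructed stand-ins for real network queries.

```python
NXDOMAIN = "NXDOMAIN"   # an authoritative negative answer (a response, not silence)


class DnsServerModel:
    def __init__(self, zones, cache, conditional, forwarders, root_hints, ask):
        self.zones = {z: dict(r) for z, r in zones.items()}   # zone -> {fqdn: ip}
        self.cache = dict(cache)                                # fqdn -> ip
        self.conditional = dict(conditional)                    # domain -> forwarder ip
        self.forwarders = list(forwarders)                      # queried in listed order
        self.root_hints = list(root_hints)
        self.ask = ask            # ask(server_ip, name) -> ip, NXDOMAIN, or None (no response)

    @staticmethod
    def _in_domain(name, domain):
        return name == domain or name.endswith("." + domain)

    def _remember(self, name, answer):
        if answer != NXDOMAIN:
            self.cache[name] = answer
        return answer

    def resolve(self, fqdn):
        """Return (answer, source) following the slide's order."""
        name = fqdn.lower().rstrip(".")
        # 1. Locally stored zones: the server is authoritative here, so a name
        #    missing from the zone is answered NXDOMAIN and never forwarded.
        for zone, records in self.zones.items():
            if self._in_domain(name, zone):
                return records.get(name, NXDOMAIN), "zone"
        # 2. Answers cached from earlier lookups.
        if name in self.cache:
            return self.cache[name], "cache"
        # 3. Conditional forwarders: the most specific matching domain wins.
        matches = [d for d in self.conditional if self._in_domain(name, d)]
        if matches:
            domain = max(matches, key=len)
            answer = self.ask(self.conditional[domain], name)
            if answer is not None:
                return self._remember(name, answer), "conditional:" + domain
        # 4. Traditional forwarders in order; move on only when the previous one
        #    did not respond (a negative answer counts as a response).
        for fwd in self.forwarders:
            answer = self.ask(fwd, name)
            if answer is not None:
                return self._remember(name, answer), "forwarder:" + fwd
        # 5. Recursion via root hints when nothing above responded.
        for root in self.root_hints:
            answer = self.ask(root, name)
            if answer is not None:
                return self._remember(name, answer), "root-hints"
        return None, "no response"


# Constructed answers the stand-in servers give: (server, name) -> answer.
# Any pair not listed means that server does not respond.
SAMPLE_ANSWERS = {
    ("10.1.1.53", "fileserver.partner.example"): "10.1.5.20",
    ("192.0.2.53", "www.example.org"): "198.51.100.8",
    ("203.0.113.1", "ftp.example.net"): "198.51.100.9",
}


def sample_ask(server, name):
    return SAMPLE_ANSWERS.get((server, name))


def build_sample_server():
    return DnsServerModel(
        zones={"zone1": {"host1.zone1": "192.168.200.99"}},
        cache={},
        conditional={"partner.example": "10.1.1.53"},
        forwarders=["192.0.2.254", "192.0.2.53"],   # the first never responds in the sample
        root_hints=["203.0.113.1"],                  # constructed, not a real root server
        ask=sample_ask)
```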

Page 35

Root Hints

• Root hints consist of a list of name servers preconfigured on Windows DNS servers that point to Internet root servers

• These servers contain lists of name servers that are responsible for top-level domains

• Root hints data comes from the Cache.dns file located in the %SystemRoot%\System32\DNS folder

• Internal DNS servers can be configured as root servers if the network is isolated from the public Internet

Page 36

Round Robin

• Load sharing can be configured among servers running mirrored services

• Accomplished by creating multiple A records with the server’s name in both records but with each entry configured with a different IP address

• DNS will then respond to queries by sending all addresses associated with the server’s name but will also vary their order

• This process is called round robin because each IP address is placed first in the list an equal number of times

Page 37

Recursive Queries

• Recursion is enabled on Windows DNS servers by default, but there are two ways to change this setting

• First involves configuring forwarders

• Second is the “Disable recursion (also disables forwarders)” option in the Advanced tab of the DNS server’s Properties dialog box

• Recursion might be disabled when you have a public DNS server containing resource records for your publicly available servers, but you don’t want unauthorized users using your DNS server for recursive client requests

Page 38

Event and Debug Logging

• When DNS is installed, a new event log is created to record informational, error, and warning events generated by the DNS server

• Common events include zone serial number changes, zone transfer requests, and DNS server startup and shutdown events

• Debug logging can be enabled in the server’s Properties dialog box

• Debug logging records selected packets coming from and going to the DNS server in a text file
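As an added example (not from the textbook), a small parser for the packet lines that DNS debug logging writes, used from the defender's side to surface two of the chapter's concerns: zone transfer requests from hosts that are not listed secondaries (page 28) and recursive queries from outside the network, the open-resolver case page 37 describes. The log lines, internal address ranges and the allowed-secondary list are constructed sample data.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed lines in the layout of a Windows DNS debug log: timestamp, thread id,
# PACKET, buffer address, protocol, Snd/Rcv, remote IP, XID, Q or "R Q" (response),
# [flags], query type, and the name written as length-prefixed labels.
SAMPLE_LOG = """\
2/3/2016 10:15:02 AM 0A18 PACKET  0000000002A4B5C0 UDP Rcv 192.168.200.50  0003   Q [0001   D   NOERROR] A      (5)host1(5)zone1(0)
2/3/2016 10:15:02 AM 0A18 PACKET  0000000002A4B5C0 UDP Snd 192.168.200.50  0003 R Q [8085   A DR  NOERROR] A      (5)host1(5)zone1(0)
2/3/2016 10:15:09 AM 0A18 PACKET  0000000002A4C120 UDP Rcv 203.0.113.7     9c1e   Q [0001   D   NOERROR] A      (3)www(7)example(3)org(0)
2/3/2016 10:15:31 AM 0B2C PACKET  0000000002A4D880 TCP Rcv 198.51.100.9    0007   Q [0000       NOERROR] AXFR   (5)zone1(0)
2/3/2016 10:16:05 AM 0B2C PACKET  0000000002A4D880 TCP Rcv 192.168.200.100 0008   Q [0000       NOERROR] IXFR   (5)zone1(0)
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<tid>[0-9A-F]+) PACKET\s+"
    r"(?P<buf>[0-9A-F]+) (?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+"
    r"(?P<qr>R Q|Q) \[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$")

INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]   # assumed
ALLOWED_SECONDARIES = {ip_address("192.168.200.100")}                     # assumed


def decode_name(labels):
    """'(5)host1(5)zone1(0)' -> 'host1.zone1'"""
    return ".".join(l for _, l in re.findall(r"\((\d+)\)([^(]*)", labels) if l)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = decode_name(rec["qname"])
    # flags field: hex word, then character flags (D = recursion desired), then rcode
    char_flags = rec["flags"].split()[1:-1]
    rec["recursion_desired"] = any("D" in f for f in char_flags)
    return rec


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def analyse(log_text):
    """Count received queries per client and flag zone transfer requests from
    unlisted hosts and recursive queries arriving from outside the network."""
    per_client, findings = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["dir"] != "Rcv" or rec["qr"] != "Q":
            continue            # keep only queries the server received
        ip = ip_address(rec["ip"])
        per_client[rec["ip"]] += 1
        if rec["qtype"] in ("AXFR", "IXFR") and ip not in ALLOWED_SECONDARIES:
            findings.append(("zone-transfer-from-unlisted-host", rec["ip"], rec["qname"]))
        elif rec["recursion_desired"] and not is_internal(ip):
            findings.append(("external-recursive-query", rec["ip"], rec["qname"]))
    return per_client, findings
```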

Page 39

Event and Debug Logging (cont.)

Page 40

DNS Troubleshooting

• Windows has several tools to administer, monitor, and troubleshoot DNS server operation, including the following tools:

– DNS Manager

– Dnscmd.exe

– Event Viewer

– Dnslint

– Nslookup

– Ipconfig

– Performance Monitor

– Protocol analyzer

Page 41

Monitoring DNS Performance

• DNS performance can degrade over time because of increased database size and increased client activity

• Dnscmd.exe can display a snapshot of server statistics with the dnscmd.exe /statistics command

• Performance monitor can continuously monitor and gather statistics

• Creating a performance baseline is good practice for troubleshooting issues that may arise later on

Page 42

Monitoring DNS Performance (cont.)

Page 43

Chapter Summary

• DNS is based on a hierarchical naming structure and a distributed database

• DNS can be described as an inverted tree with the root domain at the top, TLDs branching off the root, and domains and subdomains branching off TLDs

• The DNS database is composed of zones containing resource records, such as Start of Authority (SOA), Host (A), and Service (SRV) records

Page 44

Chapter Summary (cont.)

• DNS lookups involve iterative and recursive queries

– Most lookups start from the DNS resolver with a recursive query to a DNS server; the DNS server satisfies the query or performs a series of iterative queries, starting with a root server

• DNS servers can perform one or more of the following roles: authoritative server, forwarder, conditional forwarder, and caching-only server

• Active Directory-integrated zones have the advantages of automatic replication, multimaster replication and update, secure updates, and efficient replication

Page 45

Chapter Summary (cont.)

• A zone can be a forward lookup zone or a reverse lookup zone

• SOA records contain information about a zone, including its serial number and a number of timers used for zone transfers

• Subdomains can be delegated to a zone on another server to improve performance and control replication scope

• Advanced DNS settings include configuring forwarders, root hints, round robin, recursive queries, and logging

Page 46

Chapter Summary (cont.)

• Tools for monitoring and troubleshooting DNS include Dnscmd, Dnslint, Nslookup, Ipconfig, and Performance Monitor

– You need to understand the DNS query process to troubleshoot DNS problems efficiently