MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory Chapter 9: Configuring DNS for Active Directory
Posted on 04-Oct-2015

TRANSCRIPT


  • MCTS Windows Server 2008 Active Directory: Objectives
    - Describe the structure of Domain Name System
    - Install and use the DNS Server role in Windows Server 2008
    - Configure DNS zones
    - Configure advanced DNS server settings
    - Monitor and troubleshoot DNS

  • Introduction to Domain Name System
    - Domain Name System (DNS) is a distributed, hierarchical database composed mainly of computer name and IP address pairs
    - In order to resolve a name to an address, a DNS lookup often requires multiple queries to a hierarchy of DNS servers

  • The Structure of DNS
    - DNS can be described as an inverted tree structure
    - The entire DNS tree is called the DNS namespace
    - Each domain has one or more servers that are authoritative for the domain
    - Root servers keep a database of the addresses of the DNS servers that manage top-level domain names, called top-level domain (TLD) servers

  • The Structure of DNS (cont.)

  • The DNS Database
    - A zone is a grouping of DNS information that represents one or more domains and possibly subdomains
    - Zones contain a variety of record types called resource records, which hold information about network resources
    - DNS records can be added and changed by:
      - Static updates (an administrator creates or edits the record)
      - Dynamic updates (the client or DHCP server registers the record itself)

  • The DNS Database (cont.): DNS resource record types

  • The DNS Lookup Process
    - Two different types of DNS lookup can be performed:
      - Iterative query: the DNS server responds with the best information it has (an answer from its own zones or cache, or a referral to name servers closer to the answer); it does not follow the referral on the client's behalf
      - Recursive query: the DNS server takes responsibility for the query and keeps working until it returns an address that satisfies the query or an "I don't know" (negative or failure) response
    - A typical lookup made by a DNS client involves both: a recursive query from the client to its configured DNS server, followed by iterative queries from that server to the root, TLD and authoritative servers
    - DNS clients also maintain a hosts file that can contain static entries; it is consulted before any DNS query is sent, so its entries take precedence over DNS. Hosts is stored in %systemroot%\System32\drivers\etc

  • The DNS Lookup Process (cont.)

  • DNS Server Roles
    - DNS servers can perform one or more of the following roles for a zone:
      - Authoritative server: holds a complete copy of a zone's resource records
      - Forwarder: a DNS server to which other DNS servers send requests they can't resolve themselves
      - Conditional forwarder: a DNS server to which other DNS servers send requests targeted at a specific domain
      - Caching-only server: hosts no zones. It fields DNS queries, resolves them recursively starting from the root servers or by sending them to forwarders, and caches the results

  • DNS Zones
    - Three different types of zones:
      - Primary zone: contains the read/write master copy of all resource records for the zone; it is authoritative for the zone
      - Secondary zone: contains a read-only copy of all resource records for the zone, obtained by zone transfer; it is also authoritative for the zone
      - Stub zone: contains a read-only copy of only the SOA and NS records for a zone, plus the A records needed to resolve the NS records; it is not authoritative

  • Installing DNS
    - DNS installation begins by installing the DNS Server role in Server Manager
    - If the DNS server is intended to provide name services for Active Directory, the DNS Server role should be installed on a domain controller
    - Windows automatically detects whether the server is configured as a domain controller and, if so, integrates the DNS zones with Active Directory

  • Creating DNS Zones
    - An Active Directory-integrated zone is a primary or stub zone whose DNS database is stored in an Active Directory partition (secondary zones cannot be AD-integrated)
    - Installing DNS on a domain controller that is part of an existing domain causes the zone information to be copied to it automatically during AD replication
    - Some situations may require that a zone be created manually
    - Zones that are not Active Directory-integrated are referred to as standard zones

  • Creating DNS Zones (cont.)

  • Active Directory-Integrated Zones
    - The "Store the zone in Active Directory" check box means you want the zone stored in an Active Directory partition
    - Standard zones are stored in a text file called zone-name.dns, located in the %systemroot%\system32\dns folder
    - Active Directory-integrated zones have the following advantages over a standard zone:
      - Automatic zone replication (the zone rides along with AD replication; no zone transfers to configure)
      - Multimaster replication and update (any DC hosting the zone can accept changes)
      - Secure updates (only AD-integrated zones can require secure dynamic updates, in which the client authenticates with Kerberos before a record is created or changed)
      - Efficient replication (only changed attributes are replicated)

  • Zone Replication Scope
    - After selecting the zone type and specifying that the zone is to be stored in Active Directory, you are asked to select the zone replication scope with one of these options:
      - To all DNS servers in this forest (ForestDnsZones application partition)
      - To all DNS servers in this domain (DomainDnsZones application partition)
      - To all domain controllers in this domain (for Windows 2000 compatibility; the zone is stored in the domain partition and replicated to every DC, whether or not it runs DNS)
      - To all domain controllers specified in the scope of this directory partition (a custom application partition)

  • Forward and Reverse Lookup Zones
    - Next, you are asked whether the zone should be a forward lookup zone or a reverse lookup zone:
      - FLZ: a forward lookup zone is keyed by name and holds records such as A and AAAA (which translate names to IPv4 and IPv6 addresses), MX (which names the mail servers for a domain) and SRV
      - RLZ: a reverse lookup zone contains PTR records that map IP addresses to names. It is named after the IP network address (IPv4 or IPv6) of the computers whose records it contains, written in reverse under in-addr.arpa or ip6.arpa

  • Dynamic Updates
    - The final step lets you choose whether and how to accept dynamic updates, which can be configured in one of three ways:
      - Allow only secure dynamic updates (available only for Active Directory-integrated zones; the updating client must authenticate, and the record's ACL then restricts who may change it later)
      - Allow both nonsecure and secure dynamic updates (any host that can reach the server may create or overwrite records, so a rogue machine can register a name that belongs to another host)
      - Do not allow dynamic updates (all records are maintained by hand)
    - Dynamic updates enable DNS client computers to register and update their own resource records with a DNS server whenever their names or addresses change

  • Creating Zones from the Command Line
    - Dnscmd.exe can create and configure various DNS settings
    - Basic syntax: dnscmd server /command
    - Examples:
      - Create a new primary Active Directory-integrated zone named zone1 that, per the slide, allows only secure dynamic updates:

            dnscmd server99 /ZoneAdd zone1 /DsPrimary

      - Add an A record for the host named host1 in zone1 with the IP address 192.168.200.99:

            dnscmd server99 /RecordAdd zone1 host1 A 192.168.200.99

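The zone-creation steps on the preceding slides (zone type, AD storage, replication scope, forward and reverse zones, dynamic update mode) as one end-to-end dnscmd.exe run. This is an added example, not code from the slide deck; the server name DC1, the zone corp.example.local and the 192.168.200.0/24 network are assumptions. It sets the dynamic update mode explicitly instead of trusting the default, and checks the result with /ZoneInfo.

```powershell
# Added example (not from the slide deck): create an AD-integrated forward and
# reverse zone with dnscmd.exe on Windows Server 2008 and enforce secure-only
# dynamic updates. Server "DC1", zone "corp.example.local" and the
# 192.168.200.0/24 network are assumptions for illustration.
$server = "DC1"
$zone   = "corp.example.local"
$rzone  = "200.168.192.in-addr.arpa"   # reverse zone for 192.168.200.0/24

# AD-integrated primary zones, replicated to all DNS servers in the domain
# (/DP /domain selects the DomainDnsZones application partition; use
# /DP /forest for ForestDnsZones or /DP /legacy for the Windows 2000 scope).
dnscmd $server /ZoneAdd $zone  /DsPrimary /DP /domain
dnscmd $server /ZoneAdd $rzone /DsPrimary /DP /domain

# Do not rely on the default update setting: set it explicitly.
# /AllowUpdate 0 = none, 1 = nonsecure and secure, 2 = secure only.
# 2 is only valid for AD-integrated zones; with 1 any host that can reach
# port 53 on the server can create or overwrite records in the zone.
dnscmd $server /Config $zone  /AllowUpdate 2
dnscmd $server /Config $rzone /AllowUpdate 2

# Static records: created without /Aging, so scavenging never removes them.
dnscmd $server /RecordAdd $zone  host1 A   192.168.200.99
dnscmd $server /RecordAdd $rzone 99    PTR host1.corp.example.local.

# Verify: /ZoneInfo prints the zone type, directory partition and the
# "allow update" value; /EnumZones lists every zone the server hosts.
dnscmd $server /ZoneInfo $zone
dnscmd $server /EnumZones

# Check resolution in both directions against this server.
nslookup host1.corp.example.local $server
nslookup 192.168.200.99 $server
```

Changing the replication scope later is done with dnscmd server /ZoneChangeDirectoryPartition zone /forest (or /domain, /legacy, or a partition FQDN), and the same /Config zone /AllowUpdate setting can be audited across all zones by looping over the output of /EnumZones.
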
  • Configuring DNS Zones
    - Zones can be viewed and changed in DNS Manager
    - DNS Manager provides the following options on a zone's General tab:
      - Status
      - Type
      - Replication
      - Dynamic updates
      - Aging

  • Configuring DNS Zones (cont.)

  • Aging and Scavenging Resource Records
    - Stale resource records can degrade server performance, provide incorrect information, and generally make DNS less reliable and efficient
    - Enabling scavenging causes the server to check periodically for stale records and delete those that meet the criteria for a stale record (a dynamically registered record whose timestamp is older than the no-refresh interval plus the refresh interval)
    - Records created statically have no timestamp and are never scavenged unless explicitly marked for aging
    - Options in the Zone Aging/Scavenging Properties dialog box:
      - Scavenge stale resource records
      - No-refresh interval (the period after a registration during which refreshes are ignored, to limit replication traffic)
      - Refresh interval (the period after the no-refresh interval during which the record must be refreshed to avoid becoming stale)
      - The zone can be scavenged after (read-only; the earliest time the next scavenge may run)

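The aging/scavenging settings from the slide above, configured with dnscmd.exe rather than the dialog box. This is an added example, not code from the slide deck; the server DC1, the zone corp.example.local and the interval values are assumptions. It also shows the one thing the dialog box does not make obvious: which servers are allowed to scavenge an AD-integrated zone, and how to opt a static record into aging.

```powershell
# Added example (not from the slide deck): enable aging and scavenging with
# dnscmd.exe. Server "DC1", zone "corp.example.local" and the interval values
# are assumptions. All intervals are given in hours.
$server = "DC1"
$zone   = "corp.example.local"

# Server-wide: run the scavenging cycle every 7 days (168 h). 0 disables it.
dnscmd $server /Config /ScavengingInterval 168

# Per zone: enable aging and set the two intervals (7 days each = 168 h).
# A record becomes stale, and eligible for deletion, only when its timestamp
# is older than NoRefreshInterval + RefreshInterval (14 days here).
dnscmd $server /Config $zone /Aging 1
dnscmd $server /Config $zone /NoRefreshInterval 168
dnscmd $server /Config $zone /RefreshInterval 168

# Only the listed server(s) may scavenge this zone. For an AD-integrated
# zone this stops several DCs from scavenging the same data independently.
dnscmd $server /ZoneResetScavengeServers $zone 192.168.200.10

# Records added by hand are static (no timestamp) and are never scavenged.
# /Aging opts a record in; leave it off for records that must not disappear.
dnscmd $server /RecordAdd $zone host2 /Aging A 192.168.200.100

# Show the zone's aging settings, then start a scavenging pass now instead
# of waiting for the interval, and watch the DNS Server event log for the
# records it removes before enabling this in production.
dnscmd $server /ZoneInfo $zone
dnscmd $server /StartScavenging
```
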
  • Start of Authority Records
    - An SOA record is found in every zone and contains information that identifies the server primarily responsible for the zone, as well as some operational properties of the zone
    - The SOA record contains the following information:
      - Serial number (incremented on every change; secondaries compare it with their own to decide whether a transfer is needed)
      - Primary server
      - Responsible person
      - Refresh interval
      - Retry interval
      - Expires after
      - Minimum (default) TTL

  • Name Server Records
    - NS records name, by FQDN, the servers that are authoritative for a zone; DNS Manager also displays each server's IP address, which it obtains by resolving that name
    - NS records are also used to refer DNS queries to a name server that has been delegated authority for a subdomain
    - Glue A records are A records containing a name server's IP address; they are needed when the name server's name lies inside the zone being delegated, since the resolver could not otherwise look it up

  • Zone Delegation
    - Zone delegation is the transfer of authority for a subdomain to a new zone, which can be on the same server or another server
    - The server hosting the parent zone keeps only the NS record(s) pointing to the DNS server hosting the delegated zone (plus any glue A records)
    - An _msdcs subdomain exists inside every Windows domain zone and holds the SRV records for Microsoft-hosted services such as the global catalog, LDAP and Kerberos

  • Zone Delegation (cont.)

  • Using Stub Zones
    - Stub zones are a special type of zone that contain only an SOA record, one or more NS records, and the glue A records needed to resolve the NS records
    - Reasons for using stub zones:
      - Maintenance of zone delegation information (the parent learns automatically when the child's name servers change)
      - In lieu of conditional forwarders
      - Faster recursive queries
      - Distribution of zone information

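The delegation and stub-zone procedure from the slides above (Name Server Records, Zone Delegation, Using Stub Zones), carried out with dnscmd.exe on two servers. This is an added example, not code from the slide deck; the server names DC1 and NS1, the zone names and the address 192.168.201.5 are assumptions.

```powershell
# Added example (not from the slide deck): delegate the subdomain
# "lab.corp.example.local" from DC1 to a second server NS1, and keep the
# delegation current with a stub zone. Names and addresses are assumptions.
$parentSrv = "DC1"
$childSrv  = "NS1"
$parent    = "corp.example.local"
$child     = "lab.corp.example.local"
$childNs   = "ns1.lab.corp.example.local."   # trailing dot = absolute name
$childIp   = "192.168.201.5"

# 1. On the child's server: a standard primary zone for the subdomain and
#    the A record for its own name server (the zone's NS record is created
#    automatically when the zone is added).
dnscmd $childSrv /ZoneAdd $child /Primary /file lab.corp.example.local.dns
dnscmd $childSrv /RecordAdd $child ns1 A $childIp

# 2. On the parent's server: the delegation is an NS record at node "lab"
#    plus the glue A record, because ns1.lab.... lies inside the delegated
#    subdomain and could not otherwise be resolved.
dnscmd $parentSrv /RecordAdd $parent lab     NS $childNs
dnscmd $parentSrv /RecordAdd $parent ns1.lab A  $childIp

# 3. Optional: a stub zone on the parent server re-reads the child's SOA,
#    NS and glue records from NS1 on the child's refresh interval, so a
#    change of name servers in the child does not silently break step 2.
dnscmd $parentSrv /ZoneAdd $child /Stub $childIp

# Verify: the parent refers queries for the subdomain to NS1, and the stub
# zone loaded successfully.
nslookup -type=NS  $child $parentSrv
nslookup -type=SOA $child $parentSrv
dnscmd $parentSrv /ZoneInfo $child
```
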
  • Zone Transfers
    - A zone transfer copies all or part of a zone from one DNS server to another; it happens because a secondary server requests the transfer from its master
    - Zone transfers can be initiated in two ways:
      - Refresh interval (the secondary polls the master's SOA serial number on the schedule set in the SOA record)
      - DNS notify (the master tells its secondaries that the zone changed, so they request a transfer immediately)
    - Zone transfers are configured on the Zone Transfers tab of a zone's Properties dialog box, which has the following options:
      - Allow zone transfers
        - To any server (any host that can reach TCP port 53 can download the entire zone, which is a complete inventory of your hosts)
        - Only to servers listed on the Name Servers tab
        - Only to the following servers
      - Notify

  • Incremental Zone Transfers
    - Two types of zone transfer:
      - Full zone transfers (AXFR): the whole zone is copied
      - Incremental zone transfers (IXFR): only the changes since the secondary's last copy are sent
    - Both the master and the secondary (slave) DNS server must support incremental zone transfers to use them
    - The secondary includes its current SOA serial number in the IXFR request; the master compares it with its own serial number and sends only the changes made since that serial. If the master cannot produce the differences (for example, it no longer has the change history), it falls back to a full zone transfer

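Locking down zone transfers as described on the two slides above, and checking the lock from the outside. This is an added example, not code from the slide deck; the server DC1 (192.168.200.10), the zone corp.example.local and the secondary 192.168.200.20 are assumptions. The point of the final check is that an unrestricted zone transfer hands out the whole zone to anyone who asks.

```powershell
# Added example (not from the slide deck): restrict zone transfers for a zone
# to an explicit list of secondaries, enable DNS NOTIFY for them, and then
# confirm that a full transfer is refused to other hosts. Server "DC1"
# (192.168.200.10), zone "corp.example.local" and the secondary
# 192.168.200.20 are assumptions.
$server    = "DC1"
$masterIp  = "192.168.200.10"
$zone      = "corp.example.local"
$secondary = "192.168.200.20"

# Allow AXFR/IXFR only to the listed address(es) and notify only them.
# The other /ZoneResetSecondaries modes:
#   /NonSecure   = to any server (leaks the full zone to anyone on TCP 53)
#   /SecureNs    = only to servers listed in the zone's NS records
#   /NoXfr       = no transfers at all (appropriate for AD-integrated zones
#                  that are replicated only through Active Directory)
dnscmd $server /ZoneResetSecondaries $zone /SecureList $secondary /NotifyList $secondary

# On the secondary: create the secondary zone and pull a copy immediately
# instead of waiting for the SOA refresh interval.
dnscmd $secondary /ZoneAdd $zone /Secondary $masterIp
dnscmd $secondary /ZoneRefresh $zone

# Check from any machine that is NOT in the list: nslookup's "ls -d" asks
# the server for a full zone transfer. A locked-down server refuses instead
# of listing every record. (The command is fed to nslookup's interactive
# mode through its standard input.)
"ls -d $zone" | nslookup - $server

# Confirm the setting on the master.
dnscmd $server /ZoneInfo $zone
```
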
  • Using WINS with DNS
    - Windows Internet Name Service (WINS) is a legacy name service used to resolve NetBIOS names, sometimes referred to as single-label names
    - It is similar to DNS in that it keeps a database of name-to-address mappings
    - It is generally used in environments that still require NetBIOS resolution, or where applications depend on it
    - The WINS tab of a zone's Properties dialog box has the following options:
      - Use WINS forward lookup
      - Do not replicate this record
      - IP address
      - Time to live (TTL)

  • Using the GlobalNames Zone
    - The GlobalNames zone (GNZ) allows administrators to add single-label names to DNS, giving client computers the ability to resolve these names without including a DNS suffix in the query
    - Entries must be made manually (the zone does not accept dynamic updates)
    - It can assist mobile users by removing the need to remember a resource's FQDN
    - Support is enabled per server via dnscmd.exe:

            dnscmd server /config /EnableGlobalNamesSupport 1

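The complete GlobalNames setup that the slide above only starts: enabling support, creating the zone in the right partition, and adding an entry. This is an added example, not code from the slide deck; the server DC1, the single-label name intranet and its target web1.corp.example.local are assumptions.

```powershell
# Added example (not from the slide deck): set up a GlobalNames zone so that
# the bare name "intranet" resolves forest-wide without a DNS suffix.
# Server "DC1" and the names used are assumptions.
$server = "DC1"

# 1. Enable GNZ support. The setting is per server: repeat it on every DNS
#    server that should answer single-label names.
dnscmd $server /Config /EnableGlobalNamesSupport 1

# 2. The zone must be named exactly "GlobalNames". Storing it in the forest
#    partition replicates it to every DNS server in the forest.
dnscmd $server /ZoneAdd GlobalNames /DsPrimary /DP /forest

# 3. Entries are maintained by hand as CNAME records pointing at the real
#    FQDN. Refuse dynamic updates on this zone so clients cannot register
#    single-label names of their own choosing into it.
dnscmd $server /Config GlobalNames /AllowUpdate 0
dnscmd $server /RecordAdd GlobalNames intranet CNAME web1.corp.example.local.

# 4. Verify: the bare name now resolves from a client in any domain of the
#    forest, via the CNAME to the host's real name.
nslookup intranet $server
dnscmd $server /ZoneInfo GlobalNames
```
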
  • DNS Forwarders
    - Referring a DNS query to a forwarder can be more efficient in some situations:
      - When the DNS server address for the target domain is known
      - When only one DNS server in a network should make external queries
      - When a forest trust is created
      - When the target domain is external to the network and an external DNS server's address is known
    - Conditional forwarding sends queries for particular domains to particular name servers, and all other unresolved queries to a different server

  • Configuring Traditional Forwarders
    - To configure a traditional forwarder, right-click the server node in DNS Manager, click Properties, and click the Forwarders tab
    - If more than one server is specified, they are queried in the order in which they are listed
    - Additional servers are queried only if the previous server gives no response within the timeout
    - No response from any forwarder triggers a normal recursive lookup starting from a root server, unless "Use root hints if no forwarders are available" is cleared, in which case the query fails

  • Configuring Conditional Forwarders
    - Previously, traditional and conditional forwarders were both configured on the Forwarders tab, but Server 2008 presents conditional forwarders as their own node in DNS Manager
    - With forwarders and/or conditional forwarders configured, the DNS server attempts to resolve a query in this order:
      1. From locally stored zone resource records
      2. From the DNS cache
      3. From conditional forwarders
      4. From traditional forwarders
      5. Recursively, by using root hints

  • Root Hints
    - Root hints are a list of name servers, preconfigured on Windows DNS servers, that point to the Internet root servers
    - These servers hold the lists of name servers responsible for the top-level domains
    - Root hints data comes from the Cache.dns file in the %SystemRoot%\System32\DNS folder
    - Internal DNS servers can be configured as root servers if the network is isolated from the public Internet

  • Round Robin
    - Load sharing can be configured among servers running mirrored services
    - This is accomplished by creating multiple A records with the same name, each configured with a different IP address
    - DNS then responds to queries by returning all addresses associated with the name, but rotates their order from one response to the next
    - The process is called round robin because each IP address is placed first in the list an equal share of the time; note that netmask ordering, which is on by default, moves an address on the client's own subnet to the front before the rotation applies

  • Recursive Queries
    - Recursion is enabled on Windows DNS servers by default, but there are two ways to change this setting:
      - The first is configuring forwarders (the server then forwards rather than recursing itself)
      - The second is the "Disable recursion (also disables forwarders)" option on the Advanced tab of the DNS server's Properties dialog box
    - Recursion should be disabled on a public DNS server that holds resource records for your publicly available servers: you want it to answer only for its own zones, not to resolve arbitrary names for anyone on the Internet. An open recursive resolver can be used by third parties as an amplifier and exposes its cache to poisoning attempts

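The advanced server settings covered by the slides above (traditional and conditional forwarders, round robin and recursion), applied with dnscmd.exe and checked with nslookup. This is an added example, not code from the slide deck; the server names DC1 and PUBLICDNS1, the domain partner.example and every IP address are assumptions.

```powershell
# Added example (not from the slide deck): forwarders, a conditional
# forwarder, round robin, and recursion control. Server names, the domain
# "partner.example" and all addresses are assumptions.
$server = "DC1"
$zone   = "corp.example.local"

# Traditional forwarders: queried in order, 3 s each, before the server
# falls back to root hints. Add /Slave to never fall back to root hints
# (same effect as clearing "Use root hints if no forwarders are available").
dnscmd $server /ResetForwarders 192.168.1.53 192.168.1.54 /Timeout 3

# Conditional forwarder: queries for partner.example go to that domain's
# own servers; everything else still goes to the traditional forwarders.
# In Server 2008 this appears under the Conditional Forwarders node.
dnscmd $server /ZoneAdd partner.example /Forwarder 10.10.0.53

# Round robin: two A records for one name. The server rotates the order of
# the answers on successive responses. Netmask ordering (/LocalNetPriority,
# on by default) puts an address on the client's subnet first regardless.
dnscmd $server /Config /RoundRobin 1
dnscmd $server /RecordAdd $zone www A 192.168.200.31
dnscmd $server /RecordAdd $zone www A 192.168.200.32
nslookup www.corp.example.local $server
nslookup www.corp.example.local $server   # the two addresses swap places

# Internet-facing authoritative server: disable recursion so it answers
# only for its own zones. This also disables any forwarders on that server.
dnscmd PUBLICDNS1 /Config /NoRecursion 1

# Check: a name the server is not authoritative for must not be resolved on
# the querier's behalf (nslookup reports a refusal or no answer).
nslookup www.example.com PUBLICDNS1

# Current values of both settings are visible in the server info dump.
dnscmd PUBLICDNS1 /Info
```
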
  • Event and Debug Logging
    - When DNS is installed, a new event log ("DNS Server") is created to record informational, error and warning events generated by the DNS server
    - Common events include zone serial number changes, zone transfer requests, and DNS server startup and shutdown events
    - Debug logging can be enabled on the Debug Logging tab of the server's Properties dialog box
    - Debug logging records selected packets coming from and going to the DNS server in a text file; it is a troubleshooting aid and costs disk space and CPU, so turn it off when finished

  • Event and Debug Logging (cont.)

  • DNS Troubleshooting
    - Windows has several tools to administer, monitor and troubleshoot DNS server operation, including:
      - DNS Manager
      - Dnscmd.exe
      - Event Viewer
      - Dnslint
      - Nslookup
      - Ipconfig
      - Performance Monitor
      - A protocol analyzer

  • Monitoring DNS Performance
    - DNS performance can degrade over time because of increased database size and increased client activity
    - Dnscmd.exe can display a snapshot of server statistics with the dnscmd server /Statistics command
    - Performance Monitor can continuously monitor and gather statistics from the DNS counter object
    - Creating a performance baseline is good practice, so that later deviations can be recognised when troubleshooting

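A troubleshooting and monitoring pass that uses the tools listed on the three slides above (nslookup, Dnslint, ipconfig, the DNS Server event log, debug logging, /Statistics and Performance Monitor counters). This is an added example, not code from the slide deck; the server DC1 (192.168.200.10), the domain corp.example.local and the log path are assumptions. The debug-log mask bits are taken from the dnscmd /LogLevel reference and should be checked against it before use.

```powershell
# Added example (not from the slide deck): verify the DNS records Active
# Directory depends on and collect DNS server evidence. Server "DC1"
# (192.168.200.10), domain "corp.example.local" and C:\DnsLogs are
# assumptions.
$server   = "DC1"
$serverIp = "192.168.200.10"
$domain   = "corp.example.local"

# 1. The SRV records under _msdcs that clients use to locate domain
#    controllers, Kerberos and the global catalog. If they are missing,
#    restarting the Netlogon service on the DC re-registers them.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" $server
nslookup -type=SRV "_kerberos._tcp.$domain"       $server
nslookup -type=SRV "_gc._tcp.$domain"             $server

# 2. Dnslint (a separate download, not part of the role): /ad checks the
#    records a DC needs, /d checks delegation and consistency for a domain.
dnslint /ad $serverIp /s $serverIp
dnslint /d $domain /s $serverIp

# 3. Client side: inspect and clear the resolver cache, then re-register the
#    client's own A and PTR records through dynamic update.
ipconfig /displaydns
ipconfig /flushdns
ipconfig /registerdns

# 4. Server log: recent warnings and errors (zone load failures, refused
#    zone transfers, scavenging results, startup/shutdown).
Get-EventLog -LogName "DNS Server" -ComputerName $server -Newest 200 |
    Where-Object { $_.EntryType -ne "Information" } |
    Format-Table TimeGenerated, EventID, Message -AutoSize

# 5. Debug packet logging. Mask bits per the dnscmd /LogLevel reference:
#    0x1 queries, 0x1000 send, 0x2000 receive, 0x4000 UDP, 0x8000 TCP.
#    The directory must exist; reset the level to 0 when finished.
New-Item -ItemType Directory -Force -Path "\\$server\C$\DnsLogs" | Out-Null
dnscmd $server /Config /LogFilePath C:\DnsLogs\dns.log
dnscmd $server /Config /LogLevel 0xF001
# ... reproduce the problem, then:
dnscmd $server /Config /LogLevel 0

# 6. Statistics snapshot plus a few live counters for a baseline.
dnscmd $server /Statistics
Get-Counter -ComputerName $server -Counter `
    "\DNS\Total Query Received/sec",
    "\DNS\Recursive Queries/sec",
    "\DNS\Dynamic Update Received/sec" -SampleInterval 5 -MaxSamples 12
```
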
  • Monitoring DNS Performance (cont.)

  • Chapter Summary
    - DNS is based on a hierarchical naming structure and a distributed database
    - DNS can be described as an inverted tree with the root domain at the top, TLDs branching off the root, and domains and subdomains branching off the TLDs
    - The DNS database is composed of zones containing resource records, such as Start of Authority (SOA), Host (A), and Service (SRV) records

  • Chapter Summary (cont.)
    - DNS lookups involve iterative and recursive queries. Most lookups start from the DNS resolver with a recursive query to a DNS server. The DNS server satisfies the query or performs a series of iterative queries, starting with a root server
    - DNS servers can perform one or more of the following roles: authoritative server, forwarder, conditional forwarder, and caching-only server
    - Active Directory-integrated zones have the advantages of automatic replication, multimaster replication and update, secure updates, and efficient replication

  • Chapter Summary (cont.)
    - A zone can be a forward lookup zone or a reverse lookup zone
    - SOA records contain information about a zone, including its serial number and the timers used for zone transfers
    - Subdomains can be delegated to a zone on another server to improve performance and control replication scope
    - Advanced DNS settings include configuring forwarders, root hints, round robin, recursive queries, and logging

  • Chapter Summary (cont.)
    - Tools for monitoring and troubleshooting DNS include Dnscmd, Dnslint, Nslookup, Ipconfig, and Performance Monitor
    - You need to understand the DNS query process to troubleshoot DNS problems efficiently