70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
Chapter 2: Name Resolution and DNS
(Guide to MCSE 70-294, Enhanced)

Objectives
• Describe and identify valid NetBIOS and DNS names
• Understand and describe how DNS resolves names
• Install and configure the Microsoft DNS Server service to work with Active Directory

Name Resolution
• Internet Protocol (IP) address
  • Used on the Internet, e.g. 207.46.249.222
  • Contains the information needed to contact a remote system on an IP network
  • Used to determine:
    • On which network a particular computer is located
    • For which computer on that network the data is destined

Name Resolution (continued)
• Process of converting a human-friendly name into a number that computers can use
  • For example: www.microsoft.com to 207.46.249.222
• Allows names to stay constant
  • Numbers such as IP addresses can change from time to time

Name Resolution (continued)
• Windows networks use two naming systems:
  • NetBIOS (Network Basic Input Output System)
  • Domain Name System (DNS)
• NetBIOS
  • Dates from Windows 3.x and Windows NT 3.x
  • Provided only for backward compatibility today
  • Replaced by the Domain Name System (DNS)

Name Resolution (continued)
• DNS
  • Primary naming system used on a Windows Server 2003 network
  • Networks using Active Directory require a DNS infrastructure

NetBIOS
• 16-character names
  • First 15 characters are available for the name; shorter names are padded with spaces to 15 characters
  • 16th character is reserved to describe a particular service or functionality
  • http://www.windowsitpro.com/Article/ArticleID/15257/15257.html
• Can consist of:
  • Letters
  • Numbers
  • !@#$%^&()-_'{}.~

NetBIOS (continued)
• May not contain:
  • Spaces
  • \*+=|:;"?<>,
• Not case sensitive
• 16th character is typically expressed as:
  • A hexadecimal number
  • Surrounded by angle brackets
  • At the end of the name
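The name and suffix rules on the NetBIOS slides, worked through in code. This is an added example and not material from the book: it validates a name against the character lists above, pads it to 15 bytes and appends the suffix byte, applies the RFC 1001 "first-level" encoding that carries the 16-byte name on the wire as 32 letters in the range A-P, and builds the NetBIOS Name Service query that a client broadcasts to UDP port 137 (the broadcast the following slides describe). The SUPERCORP name and the transaction ID are made up for the example.

```python
import struct

# Allowed punctuation and forbidden characters exactly as the slides list them.
ALLOWED_PUNCT = set("!@#$%^&()-_'{}.~")
FORBIDDEN = set(' \\*+=|:;"?<>,')


def netbios_name(name, suffix):
    """Build the 16-byte NetBIOS name: the name in upper case (names are not case sensitive),
    space-padded to 15 bytes, followed by the one-byte suffix that identifies the service."""
    if not 1 <= len(name) <= 15:
        raise ValueError("a NetBIOS name is at most 15 characters; the 16th byte is the suffix")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("the suffix is a single byte")
    for ch in name:
        allowed = (ch.isascii() and ch.isalnum()) or ch in ALLOWED_PUNCT
        if ch in FORBIDDEN or not allowed:
            raise ValueError(f"character {ch!r} is not permitted in a NetBIOS name")
    return name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])


def is_valid_netbios_name(name):
    """True if the slides' rules (length and character set) accept the name."""
    try:
        netbios_name(name, 0x00)
        return True
    except ValueError:
        return False


def display_name(name16):
    """Render a 16-byte name the way the slides do, e.g. SUPERCORP<1C>."""
    return f"{name16[:15].decode('ascii').rstrip()}<{name16[15]:02X}>"


def first_level_encode(name16):
    """RFC 1001 first-level encoding used on the wire: each byte becomes two characters
    in the range A-P, one per nibble, so the 16-byte name becomes 32 bytes."""
    return bytes(c for b in name16 for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def first_level_decode(encoded):
    """Inverse of first_level_encode (what a sniffer or a WINS server does with the packet)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    pairs = zip(encoded[0::2], encoded[1::2])
    return bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in pairs)


def nbns_name_query(name, suffix, txid=0x1234, broadcast=True):
    """NetBIOS Name Service NAME QUERY REQUEST (UDP port 137) as a client broadcasts it.
    The sender's own IP address is simply the UDP source address of the datagram."""
    # Header: NAME_TRN_ID, then OPCODE=query with RD set (0x0100) and, for a broadcast, the
    # B flag (0x0010); QDCOUNT=1 and the other three counts are zero.
    flags = 0x0100 | (0x0010 if broadcast else 0x0000)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    encoded = first_level_encode(netbios_name(name, suffix))
    question = bytes([len(encoded)]) + encoded + b"\x00"  # one 32-byte label, then the root
    question += struct.pack("!HH", 0x0020, 0x0001)         # QTYPE=NB, QCLASS=IN
    return header + question


def parse_nbns_question(packet):
    """Pull the queried name back out of a NAME QUERY REQUEST: (display name, suffix byte)."""
    _txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1 or packet[12] != 32:
        raise ValueError("not a single-question NBNS packet")
    name16 = first_level_decode(packet[13:45])
    return display_name(name16), name16[15]


if __name__ == "__main__":
    pkt = nbns_name_query("supercorp", 0x1C)
    print(parse_nbns_question(pkt), pkt.hex())
```

The decoder is the half a defender uses most: the 32-letter names seen in a capture of port 137 traffic decode back to NAME<suffix> this way. Because the query is an unauthenticated broadcast, any host on the segment can answer it, which is one more reason the slides treat NetBIOS as a backward-compatibility mechanism rather than the primary naming system.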
NetBIOS (continued)
• SUPERCORP<1C>
  • Indicates the SUPERCORP domain controllers (the <1C> suffix is the group name registered by domain controllers)
• All names are at the same level
  • Known as a "flat" namespace
  • Difficult to manage in a large network environment

NetBIOS (continued)
• Simplest method to resolve a NetBIOS name: network broadcast
  • Message includes:
    • NetBIOS name the computer is looking for
    • Type of service (represented by the 16th character)
    • IP address of the computer sending the broadcast
  • Not efficient
  • Two computers on different physical networks separated by a router are unable to resolve each other's NetBIOS names (routers do not forward broadcasts)

NetBIOS Name Resolution (figure slide)

NetBIOS (continued)
• IP addresses associated with resolved NetBIOS names are cached for 10 minutes
• WINS (Windows Internet Name Service):
  • Database in which all computers on the network register their NetBIOS names
  • A computer sends its name query directly to the WINS server, so resolution works across routers

WINS Configuration (figure slide)

WINS Database (figure slide)

NetBIOS (continued)
• Problems:
  • Flat namespace
  • Impossible to assign authority for part of the namespace to different administrators
  • Impossible to split the WINS database into multiple smaller pieces

Domain Name System
• Hierarchical naming system
• Most commonly known because of its use on the Internet
• Resolves Fully Qualified Domain Names (FQDNs) to IP addresses
• Control over different parts of the namespace can be given to different organizations or administrators

Domain Name System (continued)
• Allows different parts of the namespace to be located on different servers
• Provides reverse lookup services
  • Ability to identify a host's name by knowing its IP address
  • Useful for:
    • Logging and reporting
    • Analysis
    • Configuring certain types of security (note that the reverse record is controlled by whoever administers the address block, so it should not be the only basis for an access decision)

Domain Name System (continued)
• FQDN made up of two parts:
  • Hostname such as www or hostABC
  • DNS domain
    suffix such as microsoft.com or supercorp.net
• DNS namespace
• Names can contain:
  • Letters
  • Numbers
  • Hyphen (-)

Domain Name System (continued)
• Names can also contain periods (.)
  • Only as the separator between different levels in an FQDN
• Each label (a host name or one domain level) is restricted to 63 bytes; the entire FQDN to 255 bytes
• Each label must begin and end with either a letter or a number
• Not case sensitive

DNS Namespace (figure slide)

DNS Namespace (continued)
• Root domain
  • Top of the entire DNS namespace, represented by a single period (.)
  • Located at the end of an FQDN
  • Often not entered at all

DNS Namespace (continued)
• Top-level domain (TLD)
  • Rightmost part of an FQDN
  • Categories:
    • Country code TLDs (ccTLD)
    • Generic TLDs (gTLD)
  • Example: com in www.microsoft.com

DNS Namespace (continued)
• Second-level domain (SLD)
  • Subdomain of a TLD
  • Example: microsoft in www.microsoft.com
• Host
  • Leftmost name in an FQDN
  • The IP address is assigned to this particular FQDN
  • Example: www in www.microsoft.com
• Any additional domain levels are referred to as subdomains

TLD By Country (ccTLD)
• Each country has been assigned a two-letter TLD
  • Examples:
    • .ca for Canada
    • .uk for the United Kingdom
• Each national government defines the rules for its ccTLD

TLD By Country (continued)
• Assigned by the Internet Assigned Numbers Authority (IANA)
• Based on the ISO 3166 list of country codes maintained by the International Organization for Standardization (ISO)
• www.iana.org/cctld/cctld.htm

Generic TLD (gTLD)
• Not tied to any particular country
• Include very common TLDs, such as:
  • .com
  • .net
  • .org
• Each of these TLDs has specific criteria governing who can register names within it

Generic TLD (continued)
• Currently in use:
  • .aero
  • .biz
  • .com
  • .coop
  • .edu
  • .gov
  • .info
  • .int
  • .mil
  • .museum
  • .name
  • .net
  • .org
  • .pro
• .arpa domain
  • Infrastructure domain used to provide reverse lookup services (in-addr.arpa)

TLD Registrars
• Each TLD
  • Is operated by a registry; names within it are sold and managed through registrars
  • The registrar collects and manages the registrant's information
  • The registrar usually charges a fee
• All subdomains within a public TLD should be registered through a registrar

Understanding the Domain Name System
• DNS server
  • Answers queries presented by clients about FQDNs
• Each piece of DNS information is called a Resource Record (RR)

Understanding the Domain Name System (continued)
• RR types:
  • Address (A) record
  • Mail exchanger (MX) record
  • Name server (NS) record
  • Start of authority (SOA) record
    • Stores the zone's primary name server, the zone administrator's e-mail address, the data file version (serial number), and the intervals at which secondaries check for updates, among other fields
• RRs are kept in:
  • A text file
  • A database (for example, Active Directory-integrated zones)

Understanding the Domain Name System (continued)
• Zone
  • Normally includes all RRs for a subdomain
  • Could include a subdomain and other subdomains within a contiguous naming hierarchy
  • Sometimes referred to as "zone files"
• BIND
  • Acronym for Berkeley Internet Name Domain, the DNS server implementation widely used on UNIX systems

Authoritative Servers
• Authoritative server
  • DNS server that holds the zone containing a subdomain
  • Never asks another server about a subdomain for which it is authoritative
  • Names and IP addresses of at least two authoritative DNS servers are provided to the registrar

Authoritative Servers (continued)
• Delegation
  • NS records in the parent zone point to the authoritative servers for the child zone; a query is passed down from the root through each delegation until it reaches the authoritative server
• Primary name server
  • DNS server with the read-write copy of the zone
• Secondary name servers
  • Other DNS servers with read-only copies of the zone

Primary and Secondary Name Servers (figure slide)

Transferring Information
• Zone transfer
  • Zone information is transferred from the primary to each secondary DNS server
  • Restrict which hosts may request a transfer: an unrestricted transfer hands a complete inventory of the zone's hosts to anyone who asks
• Incremental zone transfers
  • Transfer only the records that changed since the secondary's copy (tracked by the SOA serial number) instead of the whole zone
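The delegation chain on the Authoritative Servers slides, and the recursive versus iterative query types that the slides after this one describe, simulated in an added Python example that is not from the book. It models four servers in memory: a root server that holds only the delegation for net, a .net server that delegates supercorp.net, and the primary and secondary for supercorp.net holding the same zone. `serve` answers one iterative query the way a single server would (an answer from its own data, a referral with glue, or a name error), and `resolve` is the client's DNS server doing recursion: root hint, referral, referral, authoritative answer, with a cache in front. `normalize` applies the FQDN rules from the DNS Namespace slides (63-byte labels, 255 bytes on the wire, letters, digits and hyphens only, alphanumeric at both ends, case-insensitive). Every server name and address here is invented (RFC 5737 documentation ranges).

```python
import re

# One label: 1-63 bytes of letters, digits and hyphens, starting and ending with a letter or digit.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize(fqdn):
    """Lower-case an FQDN, add the trailing root '.', and enforce the slides' rules:
    63 bytes per label, 255 bytes for the whole name in wire form, alphanumeric at both ends."""
    name = fqdn.strip().lower()
    if not name.endswith("."):
        name += "."
    if name == ".":                       # the root itself
        return name
    labels = name[:-1].split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"invalid label in {fqdn!r}")
    # Wire form: a length byte before each label plus the zero byte for the root at the end.
    if sum(1 + len(label) for label in labels) + 1 > 255:
        raise ValueError(f"{fqdn!r} is longer than 255 bytes on the wire")
    return name


def is_valid_fqdn(fqdn):
    try:
        normalize(fqdn)
        return True
    except ValueError:
        return False


# Constructed model of a slice of the namespace. Addresses are documentation ranges and the
# server names are invented; supercorp.net mirrors the domain used throughout the chapter.
SUPERCORP_ZONE = {
    "supercorp.net.": {"NS": ["ns1.supercorp.net.", "ns2.supercorp.net."], "A": ["198.51.100.5"]},
    "ns1.supercorp.net.": {"A": ["198.51.100.1"]},
    "ns2.supercorp.net.": {"A": ["198.51.100.2"]},
    "www.supercorp.net.": {"A": ["198.51.100.80"]},
}
SERVERS = {  # server address -> (apex of the zone it is authoritative for, the records it holds)
    "192.0.2.1": (".", {"net.": {"NS": ["a.net-tld.example."]},
                        "a.net-tld.example.": {"A": ["192.0.2.2"]}}),       # delegation plus glue
    "192.0.2.2": ("net.", {"supercorp.net.": {"NS": ["ns1.supercorp.net.", "ns2.supercorp.net."]},
                           "ns1.supercorp.net.": {"A": ["198.51.100.1"]},
                           "ns2.supercorp.net.": {"A": ["198.51.100.2"]}}),
    "198.51.100.1": ("supercorp.net.", SUPERCORP_ZONE),   # primary: the read-write copy
    "198.51.100.2": ("supercorp.net.", SUPERCORP_ZONE),   # secondary: read-only copy, same answers
}
ROOT_HINTS = ["192.0.2.1"]
MAX_HOPS = 8


def serve(server_ip, qname, qtype):
    """One server's reply to an iterative query: ('answer', rdata) from its own data,
    ('referral', {ns_name: glue_ip}) for a delegation below its zone, or ('nxdomain', None).
    An authoritative server never asks anyone else about names inside its own zone."""
    apex, records = SERVERS[server_ip]
    if qtype in records.get(qname, {}):
        return "answer", records[qname][qtype]
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):              # most specific suffix first
        zone = ".".join(labels[i:]) + "."
        if zone != apex and "NS" in records.get(zone, {}):
            glue = {ns: records[ns]["A"][0] for ns in records[zone]["NS"] if ns in records}
            return "referral", glue
    return "nxdomain", None


def resolve(fqdn, qtype="A", cache=None):
    """Recursive resolution as the client's DNS server performs it: start at a root hint, follow
    referrals down the delegation chain, cache the result. Returns (rdata or None, trace)."""
    qname = normalize(fqdn)
    cache = {} if cache is None else cache
    if (qname, qtype) in cache:
        return cache[(qname, qtype)], [("cache", "answer")]
    trace, server_ip = [], ROOT_HINTS[0]
    for _ in range(MAX_HOPS):
        kind, data = serve(server_ip, qname, qtype)
        trace.append((server_ip, kind))
        if kind == "answer":
            cache[(qname, qtype)] = data
            return data, trace
        if kind == "nxdomain" or not data:
            return None, trace
        server_ip = sorted(data.values())[0]  # try the first of the delegated name servers
    return None, trace                         # delegation loop: give up


if __name__ == "__main__":
    for name in ("www.supercorp.net", "nope.supercorp.net", "www.example.org"):
        print(name, *resolve(name))
```

In nslookup the same walk is done by hand with `server <ip>` followed by `set norecurse`, which is what Activity 2-2 asks for: the root server returns a referral rather than an answer, and only the supercorp.net servers answer authoritatively. Note that `serve` never refers a query upward or sideways: an authoritative server that has no record for a name inside its zone says so, which is why a missing or wrong record in the zone cannot be papered over by any other server.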
• Note: Primary does not mean Authoritative
  • Both the primary and the secondary servers are authoritative for the zone; "primary" only says which copy is writable

DNS Scenario (figure slide)

The DNS Name Resolution Process
• Workstation uses the IP address configured for its DNS server to send a query to that server
• Query types:
  • Recursive
    • Default for client resolvers
    • Client wants the address resolved if at all possible, or an error if it cannot be resolved; the DNS server performs whatever further queries are needed
  • Iterative
    • Client wants the DNS server to respond only with the best information that particular server already has: the answer, or a referral to servers closer to the answer

Resolving a DNS Query (figure slide)

Activity 2-2: Tracing DNS Name Resolution
• Objective: trace DNS name resolution and referrals from the root servers to the destination
• Use the Nslookup tool to query DNS servers
• Manually perform the name resolution process from both the client computer's and the local DNS server's perspective

Setting Recursion Option (figure slide)

Common Errors and Misconceptions About DNS
• Most errors occur in one of three areas:
  • Resource record errors
  • Delegation errors
  • Weak authorities

Install and Configure DNS for Active Directory
• Requires a good understanding of DNS
• Three essential functions of DNS that affect Active Directory:
  • Defining the namespace
  • Locating services
  • Resolving names to IP addresses

Defining the Namespace
• Active Directory domains use the same namespace as DNS
• An Active Directory domain is not the same thing as a DNS domain
  • But it uses the same hierarchical system
• One-to-one relationship between Active Directory domains and DNS domains

Locating Services
• Netlogon service
  • Runs on each domain controller
  • Responsible for registering the domain controller's service records in DNS
  • The domain controller also registers an A record for the name of the domain itself
    • Allows clients to resolve the name of the domain to an IP address

Locating Services (continued)
• Service locator (SRV) record
  • Type of RR used by Active Directory to advertise services such as LDAP and Kerberos
  • Allows clients to send a DNS query specifying the type of service (for example, _ldap._tcp.dc._msdcs.<domain>)
  • DNS server returns the name and port of the computer(s) providing that service, with a priority and weight for choosing among them

Resolving Names to IP Addresses
• Active Directory client machines
  • Use DNS to resolve host names to IP addresses
  • Used for:
    • Hosts on the internal LAN
    • Hosts on extranets
    • Hosts on intranets

Installing Microsoft DNS Server in Windows Server 2003
• Any DNS server software that supports the functions required by Active Directory can be used
  • Must support SRV records
  • Incremental zone transfer support recommended
  • Dynamic update support recommended (otherwise the records Netlogon would register must be added by hand); prefer secure dynamic updates so that only the computer that registered a record can change it
• Microsoft DNS server:
  • Ships with all versions of Windows Server 2003
  • Specifically designed to support the needs of Active Directory

Activity 2-5: Creating Zones on the DNS Server
• Objective: create a zone to hold the DNS records for your child domain
• Manually create a DNS zone

Summary
• Domain Name System (DNS) is a distributed, scalable, hierarchical system that provides name resolution services for the Internet and private networks
• The DNS namespace is organized into divisions called domains and subdomains
• DNS data is organized into resource records
• RRs are grouped into zones

Summary (continued)
• Active Directory uses DNS:
  • To define the namespace
  • To locate various services by using SRV records
  • To look up IP addresses for FQDNs
• The Microsoft DNS server can be installed:
  • From Windows Server 2003 setup
  • From the Control Panel (Add/Remove Windows Components)
  • Automatically during Active Directory installation
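The SRV-based service location that the Locating Services slides and the Summary describe, as an added Python example that is not from the book. It parses a constructed zone-file excerpt of what Netlogon registers for a domain with three domain controllers (the _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.dc._msdcs.<domain> names, plus the A records for the domain name itself), orders the SRV targets by priority and weight as RFC 2782 specifies, and then resolves each target's A record, which is the sequence a domain member follows to find a domain controller. Host names, addresses and TTLs are invented for the example.

```python
import random
from collections import namedtuple

SRV = namedtuple("SRV", "owner priority weight port target")

# Constructed zone excerpt (';' starts a comment, as in a zone file). The owner names follow the
# _service._proto.dc._msdcs.<domain> layout Active Directory uses; hosts and addresses are invented.
ZONE_TEXT = """
; SRV records registered by Netlogon on each DC: priority, weight, port, target
_ldap._tcp.dc._msdcs.supercorp.net.     600  IN SRV 0  100 389 dc1.supercorp.net.
_ldap._tcp.dc._msdcs.supercorp.net.     600  IN SRV 0  50  389 dc2.supercorp.net.
_ldap._tcp.dc._msdcs.supercorp.net.     600  IN SRV 10 0   389 dc3.supercorp.net.  ; backup only
_kerberos._tcp.dc._msdcs.supercorp.net. 600  IN SRV 0  100 88  dc1.supercorp.net.
_kerberos._tcp.dc._msdcs.supercorp.net. 600  IN SRV 0  100 88  dc2.supercorp.net.
; the A records for the domain name itself, one per DC
supercorp.net.                          600  IN A   198.51.100.11
supercorp.net.                          600  IN A   198.51.100.12
supercorp.net.                          600  IN A   198.51.100.13
; host records for the DCs
dc1.supercorp.net.                      3600 IN A   198.51.100.11
dc2.supercorp.net.                      3600 IN A   198.51.100.12
dc3.supercorp.net.                      3600 IN A   198.51.100.13
"""


def parse_zone(text):
    """Parse zone-file style lines into {(owner, type): [rdata, ...]}; only A and SRV here."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, rclass, rtype, *rdata = line.split()
        owner = owner.lower()
        if rclass != "IN":
            raise ValueError(f"unsupported class {rclass!r}")
        if rtype == "SRV":
            priority, weight, port, target = rdata
            value = SRV(owner, int(priority), int(weight), int(port), target.lower())
        elif rtype == "A":
            value = rdata[0]
        else:
            raise ValueError(f"record type {rtype!r} is not handled in this example")
        records.setdefault((owner, rtype), []).append(value)
    return records


def order_srv(srvs, rng):
    """Order SRV targets as RFC 2782 prescribes: lowest priority first; within one priority a
    weighted random order, with weight 0 meaning 'only when nothing else is available'."""
    ordered = []
    for priority in sorted({s.priority for s in srvs}):
        # Zero-weight records go to the front of the candidate list, as the RFC says.
        pending = sorted((s for s in srvs if s.priority == priority), key=lambda s: s.weight != 0)
        while pending:
            total = sum(s.weight for s in pending)
            r = rng.randint(0, total)          # uniform and inclusive at both ends
            running = 0
            for chosen in pending:
                running += chosen.weight
                if running >= r:               # first record whose running sum reaches r
                    break
            ordered.append(chosen)
            pending.remove(chosen)
    return ordered


def find_dc(records, domain, service="ldap", proto="tcp", seed=None):
    """What a domain member does to find a DC: query the SRV owner name for the service, order
    the targets, then resolve each target's A record. Returns [(host, ip, port), ...] in try order."""
    owner = f"_{service}._{proto}.dc._msdcs.{domain.lower().rstrip('.')}."
    rng = random.Random(seed)
    result = []
    for srv in order_srv(records.get((owner, "SRV"), []), rng):
        for ip in records.get((srv.target, "A"), []):   # a target without an A record is skipped
            result.append((srv.target, ip, srv.port))
    return result


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print(find_dc(zone, "supercorp.net"))
    print(find_dc(zone, "supercorp.net", service="kerberos"))
```

Run repeatedly, `find_dc` returns dc1 first about twice as often as dc2 (weights 100 and 50) and dc3 always last (priority 10), which is the load-spreading and fallback behaviour these two fields exist for. The client contacts whatever target DNS hands back, so the integrity of these records matters: they are written by dynamic update from the domain controllers, and the zone should accept only secure dynamic updates so that an ordinary host cannot register itself under these names.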