70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced
Chapter 8: Managing and Troubleshooting DNS

Objectives
• Optimize DNS performance
• Secure DNS replication and Dynamic DNS
• Manage DNS servers
• Manage DNS zones
• Troubleshoot DNS issues using various tools

Optimizing DNS Performance
• DNS servers can be configured to perform different roles depending on the network design that is required
• Each role affects WAN traffic and performance in larger networks:
• Caching-only
• Non-recursive
• Forwarding-only
• Conditional forwarder

Delegating Authority
• To divide the DNS namespace, you delegate authority for a subdomain
• When authority for a subdomain is delegated, a name server (NS) record for the subdomain is created in the parent zone
• The NS record points to the server that holds the DNS information for the subdomain; when that server's own name lies inside the subdomain, a glue A record in the parent zone supplies its address

Activity 8-1: Delegating Authority for a Subdomain
• The purpose of this activity is to delegate authority for a subdomain to another DNS server

Caching-only DNS Servers
• A caching-only DNS server is not authoritative for any zone and does not permanently store any DNS namespace information
• Caching-only DNS servers reduce DNS lookup traffic across an Internet connection or a WAN
• The major disadvantage of caching-only DNS servers is the potential for serving out-of-date information from the cache until the cached record's TTL expires

Nonrecursive DNS Servers
• When you do not want client computers to resolve Internet DNS names through your server, configuring it as a nonrecursive DNS server stops it from resolving those names on their behalf
• Disabling recursion also prevents an Internet-facing DNS server from being overwhelmed by unauthorized recursive lookup requests from anonymous users on the Internet
• On Windows Server 2003, disabling recursion also disables forwarders, so a nonrecursive server answers only from its own zones and its cache

Forwarding-only DNS Servers
• A forwarding-only DNS server is configured to consult only its local DNS zones and its forwarders
• It never queries the root servers on the Internet
• Useful when the WAN is configured with only a single Internet connection

Activity 8-2: Configuring a Forwarding-only DNS Server
• The purpose of this activity is to configure your DNS server to use forwarders without falling back to recursive lookups through the root servers

Conditional Forwarders
• A DNS server configured as a conditional forwarder uses a forwarder only for requests for records in specified domains
• Useful for reducing WAN traffic when authority for subdomains is delegated and each location has its own Internet connection

DNS Security
• DNS security is very important in a network using Active Directory because Active Directory depends on DNS to function

Zone Replication Security
• Using Active Directory-integrated zones is the easiest way to secure zone synchronization, because the zone data replicates through Active Directory replication rather than through zone transfers
• Zone transfers between standard primary and secondary zones are unencrypted
• If you want to encrypt zone transfers, you must use an additional mechanism, such as IPSec or a VPN
• To prevent attackers from learning about internal resources, ensure that DNS records for internal resources are never made available on the Internet

Activity 8-3: Securing Zone Transfers
• The purpose of this activity is to configure traditional primary zones to limit zone transfers to approved secondary servers
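Activities 8-1 to 8-3 are presented in the slides as snap-in procedures. The script below is an added example, not part of the original chapter, that does the same work with dnscmd so it can be repeated on many servers: it delegates a branch subdomain from the HQ server, makes the branch server authoritative for it and forwarding-only, adds a conditional forwarder back to HQ, and restricts zone transfers of the new zone. Every server name, zone name and address (example.com, branch.example.com, hq-dns1, branch-dns1, 10.0.0.10, 10.1.0.10, 10.1.0.11, 203.0.113.53) is an assumption for illustration.

```powershell
# Added example, not from the textbook: one script for Activities 8-1 to 8-3.
# Needs dnscmd.exe (Windows Server 2003 Support Tools) and DNS admin rights on
# both servers. All names and addresses below are assumptions.

$ParentZone     = 'example.com'         # assumed parent zone, held at HQ
$ParentServer   = 'hq-dns1'             # assumed HQ DNS server
$ParentServerIP = '10.0.0.10'           # assumed
$SubZone        = 'branch.example.com'  # assumed delegated subdomain
$BranchServer   = 'branch-dns1'         # assumed branch DNS server
$BranchServerIP = '10.1.0.10'           # assumed
$BranchSlaveIP  = '10.1.0.11'           # assumed approved secondary at the branch
$IspForwarder   = '203.0.113.53'        # assumed ISP resolver (documentation range)

function Invoke-Dnscmd {
    # Run dnscmd against one server; dnscmd prints "Command failed" on error.
    param([string]$Server, [string[]]$Arguments)
    $output = & dnscmd.exe $Server $Arguments 2>&1 | Out-String
    if ($output -match 'Command failed') { throw "dnscmd $Server $Arguments`n$output" }
    return $output
}

# 1. Delegation on the parent (Activity 8-1). The NS record hands the subdomain
#    to branch-dns1; the glue A record is needed because that server's name is
#    inside the zone being delegated, so resolvers could not otherwise find it.
Invoke-Dnscmd $ParentServer @('/RecordAdd', $ParentZone, 'branch', 'NS', "$BranchServer.$SubZone")
Invoke-Dnscmd $ParentServer @('/RecordAdd', $ParentZone, "$BranchServer.branch", 'A', $BranchServerIP)

# 2. The branch server becomes authoritative for the subdomain (standard
#    primary, stored in a zone file).
Invoke-Dnscmd $BranchServer @('/ZoneAdd', $SubZone, '/Primary', '/file', "$SubZone.dns")
Invoke-Dnscmd $BranchServer @('/RecordAdd', $SubZone, $BranchServer, 'A', $BranchServerIP)

# 3. Forwarding-only (Activity 8-2). /Slave tells the server never to fall back
#    to recursion through the root hints when the forwarder does not answer.
Invoke-Dnscmd $BranchServer @('/ResetForwarders', $IspForwarder, '/Slave')

# 4. Conditional forwarder: queries for the parent domain go over the WAN to HQ
#    instead of out to the ISP. On Windows Server 2003 this is a zone of type
#    Forwarder created with /ZoneAdd.
Invoke-Dnscmd $BranchServer @('/ZoneAdd', $ParentZone, '/Forwarder', $ParentServerIP)

# 5. Restrict zone transfers of the new zone (Activity 8-3) to the one approved
#    secondary, and send NOTIFY only there. A host allowed to AXFR the zone
#    gets a complete inventory of branch machines.
Invoke-Dnscmd $BranchServer @('/ZoneResetSecondaries', $SubZone, '/SecureList', $BranchSlaveIP, '/NotifyList', $BranchSlaveIP)

# 6. Sanity check: "Disable recursion" on this platform also disables
#    forwarders, so a forwarding-only server must keep recursion enabled.
$info = Invoke-Dnscmd $BranchServer @('/Info')
if ($info -match 'NoRecursion\s*=\s*1') {
    Write-Warning "Recursion is disabled on $BranchServer; its forwarders will be ignored."
}

# 7. Verify from the branch side: the delegation is visible at HQ, and a name
#    in the parent domain resolves through the conditional forwarder.
& nslookup.exe -type=NS $SubZone $ParentServerIP
& nslookup.exe "www.$ParentZone" $BranchServerIP
```

Step 6 is the check that most often bites in practice: the Advanced tab's "Disable recursion" looks like a hardening option, but on a server that is supposed to forward it silently turns the forwarders off and every external lookup then fails.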
Dynamic DNS Security
• Active Directory-integrated zones can be secured for Dynamic DNS
• Allow only secure dynamic updates in the zone properties
• When secure dynamic updates are enabled, the permissions in Active Directory control who is able to update DNS records
• The Authenticated Users group has Create All Child Objects, which allows computers to create their own DNS records
• This does not give computers the ability to modify each other's DNS records, because the computer that creates a record becomes its owner

Dynamic DNS and DHCP Servers
• When a DHCP server performs secure dynamic updates on behalf of clients, the DHCP server, rather than the client computer, is the owner of the DNS record
• When a roaming client later receives an IP address from a different DHCP server, that DHCP server cannot update the record with the new IP address, because it does not own the record

Managing DNS Servers
• Many DNS options can be configured at the server level:
• Configure aging and scavenging
• Update server data files
• Clear cache
• Configure bindings
• Edit the root hints
• Set advanced options
• Configure security
• Modify EDNS0

Configuring Aging and Scavenging
• With aging and scavenging, DNS records created by Dynamic DNS can be removed after a certain period of time if they have not been updated
• This prevents out-of-date information from accumulating in a zone

Updating Server Data Files
• The Update Server Data Files option is available when you right-click the server
• It has no effect on zones that are Active Directory-integrated
• For a primary zone that is not Active Directory-integrated, it forces all DNS changes held in memory to be written to the zone file on disk
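The Dynamic DNS security, DHCP and aging/scavenging slides above describe settings that are made on several tabs. The script below is an added example, not part of the original chapter, that applies them with dnscmd and reads them back: secure-only updates on an Active Directory-integrated zone, no updates on a file-backed zone, and aging at the zone level plus scavenging at the server level. The server name dc1, its address 10.0.0.5 and the zone names corp.example.com and partners.example.com are assumptions for illustration.

```powershell
# Added example, not from the textbook: secure dynamic updates and
# aging/scavenging with dnscmd. Run with DNS admin rights; names and
# addresses are assumptions.

$Server   = 'dc1'                  # assumed domain controller running DNS
$ServerIP = '10.0.0.5'             # assumed
$AdZone   = 'corp.example.com'     # assumed Active Directory-integrated zone
$FileZone = 'partners.example.com' # assumed standard (file-backed) primary zone

function Invoke-Dnscmd {
    param([string]$Server, [string[]]$Arguments)
    $output = & dnscmd.exe $Server $Arguments 2>&1 | Out-String
    if ($output -match 'Command failed') { throw "dnscmd $Server $Arguments`n$output" }
    return $output
}

# 1. Dynamic updates. /AllowUpdate: 0 = none, 1 = nonsecure and secure,
#    2 = secure only. Secure-only works only for AD-integrated zones: each
#    record is an AD object whose ACL makes the creating computer its owner,
#    so a host can register itself but cannot overwrite another host's record.
Invoke-Dnscmd $Server @('/Config', $AdZone, '/AllowUpdate', '2')
# A standard primary cannot authenticate updaters, so accept no updates at all.
Invoke-Dnscmd $Server @('/Config', $FileZone, '/AllowUpdate', '0')

# 2. Aging at the zone level. A dynamic record's timestamp T is left alone
#    during the no-refresh window and may be refreshed during the refresh
#    window; it becomes eligible for scavenging only once both have passed
#    with no refresh:
#      T ........ T+NoRefresh ........ T+NoRefresh+Refresh  -> stale
#    Values are in hours; 168 = 7 days, the default for each interval.
Invoke-Dnscmd $Server @('/Config', $AdZone, '/Aging', '1')
Invoke-Dnscmd $Server @('/Config', $AdZone, '/NoRefreshInterval', '168')
Invoke-Dnscmd $Server @('/Config', $AdZone, '/RefreshInterval', '168')

# 3. Scavenging at the server level: how often (hours) this server scans for
#    stale records. Nothing is deleted until both step 2 and step 3 are set.
Invoke-Dnscmd $Server @('/Config', '/ScavengingInterval', '168')
# Let only this server scavenge the zone so several DCs do not race each other.
Invoke-Dnscmd $Server @('/ZoneResetScavengeServers', $AdZone, $ServerIP)

# 4. Read the zone settings back so the change is on record. The key names are
#    those dnscmd /ZoneInfo prints on Windows Server 2003.
$zoneInfo = Invoke-Dnscmd $Server @('/ZoneInfo', $AdZone)
$zoneInfo -split "`r?`n" | Where-Object { $_ -match 'update|aging|refresh|scaveng|secure' }
```

The DHCP ownership problem on the slide above is usually handled by making the DHCP servers members of the DnsUpdateProxy group, so that records they register are created without a protecting owner and can later be taken over by the client or by another DHCP server; do not do this for a DHCP server that runs on a domain controller, because the DC's own records would then lose their protection.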
Clearing Cache
• The DNS server automatically caches the results of all lookups it performs
• The cache may therefore contain outdated information
• Clear the cache to force the DNS server to perform a new lookup before the cached record's TTL expires

Configuring Bindings
• By default, the DNS Service listens on all IP addresses bound to the server on which it is running
• You can configure the DNS Service to respond only on selected IP addresses bound to the server
• The Interfaces tab of the server properties is where you configure the IP addresses on which the DNS Service listens

Editing the Root Hints
• Root hints are the servers at which a recursive lookup starts when no forwarder or cached referral applies
• The Root Hints tab of the server properties is automatically populated with the names and IP addresses of the DNS root servers on the Internet

Activity 8-4: Creating a Root Server
• The purpose of this activity is to configure your server as a root DNS server

Setting Advanced Options
• You can configure several options on the Advanced tab of the server properties, including:
• Disable recursion (also disables forwarders)
• BIND secondaries
• Fail on load if bad zone data
• Enable round robin
• Enable netmask ordering
• Secure cache against pollution

Configuring Security
• The Security tab of the server properties allows you to view and modify which users and groups can modify the configuration of the DNS server
• The Domain Admins, Enterprise Admins, and DnsAdmins groups can manage DNS

Modifying EDNS0
• The Windows Server 2003 DNS Service supports Extension Mechanisms for DNS (EDNS0, RFC 2671)
• EDNS0 allows DNS servers to send UDP packets carrying more than 512 bytes of DNS message
• Servers that support EDNS0 include an OPT pseudo-record in the additional section of their DNS lookup requests
• The OPT record advertises the maximum DNS message size that the sender can accept over UDP

Managing DNS Zones
• The following options can be configured for a zone:
• Reload zone information
• Change the type of zone and replication
• Configure aging and scavenging
• Modify the SOA (start of authority) record
• Modify the list of name servers
• Enable WINS resolution
• Enable zone transfers
• Configure security

Reloading Zone Information
• To perform mass editing of DNS information stored in a non-Active Directory-integrated zone, you can edit the zone file stored in C:\WINDOWS\system32\dns rather than using the DNS snap-in
• To get the DNS server to use the newly edited zone file, restart the DNS Service or tell it to reload the zone file
• To reload the zone file, right-click the zone and click Reload

Changing the Type of Zone and Replication
• When a zone is created, you must select whether it is a primary zone, secondary zone, or stub zone
• If it is a primary zone, you must also choose whether it is stored in Active Directory
• If the zone is stored in Active Directory, you must also choose how it is replicated
• All of these options can be changed after the zone is created

Configuring Aging and Scavenging
• After scavenging has been enabled at the server level, the aging/scavenging properties must also be configured at the zone level
• To enable the deletion of old DNS records, select the Scavenge stale resource records check box
• Manually created (static) DNS records are never scavenged
• Dynamic DNS records are scavenged only if they have not been updated or refreshed and both the no-refresh interval and the refresh interval have expired

Activity 8-5: Configuring Aging and Scavenging
• The purpose of this activity is to configure a zone to remove old records automatically

Modifying the Start of Authority Record
• The start of authority (SOA) record for a zone defines a number of characteristics of the zone, including its serial number, the refresh, retry and expire timers used by secondary servers, and the minimum (default) TTL that controls caching
• It is configured on the Start of Authority (SOA) tab of the zone properties

Modifying the List of Name Servers
• The name servers configured for a zone are the authoritative DNS servers for the zone
• They are returned in referrals during the recursive lookup process to resolve requests for the domain
• In addition, they are the servers that Dynamic DNS clients send their dynamic updates to

Enabling WINS Resolution
• A DNS zone can be configured with a WINS server that is used to help resolve names
• If the DNS server receives a query for a host name in the zone for which it has no A record, it forwards the request to the WINS server
• You can specify that the WINS record is not included in zone transfers to other DNS servers by selecting the Do not replicate this record check box

Enabling Zone Transfers
• Zone transfers are used to copy zone information from a primary zone to a secondary zone
• You can configure which IP addresses are allowed to request zone transfers
• Check the setting on each zone rather than assuming the default: depending on how the zone was created, transfers may be allowed to any server or only to the servers listed on the Name Servers tab
• To disable zone transfers, clear the Allow zone transfers check box
• If zone transfers are enabled, you can choose whether they are allowed to any server, only to the servers listed on the Name Servers tab for the zone, or only to specific IP addresses

Configuring Security
• The Security tab in the zone properties allows you to control the permissions to modify the records in this zone
• The Security tab is available only for Active Directory-integrated zones

Troubleshooting DNS
• When DNS problems are experienced, first determine whether the problem is limited to one client or applies to many clients
• If the problem applies to just a single client, it is likely a configuration problem on that client
• If a DNS resolution problem exists for multiple clients, it is likely a server problem
• Server-level problems may include incorrect records, the DNS Service being unavailable, or improper firewall configuration

Server Functionality
• To test whether a DNS server is functioning correctly, use the Monitoring tab of the DNS server properties
• If the recursive query test is selected, the server submits an NS query for the root domain "."
• If that test fails, the cause may be incorrectly configured Internet connectivity or root hints

Server Functionality (continued)
• If the simple query test is selected, the server is tested for iterative query functionality
• For an iterative query, the DNS server looks only in the zones for which it is responsible and in its cache; it does not query other servers

Nslookup
• The Nslookup utility queries DNS records
• Nslookup can be used from a command prompt to resolve host names, but it is most powerful in interactive mode
• With Nslookup, you can query any DNS record type from any DNS server
• This allows you to confirm that each DNS server is configured with the correct information
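The Monitoring tab tests and the zone-transfer setting above can be checked from a command prompt as well. The script below is an added example, not part of the original chapter, that runs the simple (iterative) and recursive tests with the Windows nslookup.exe, checks that every server on the zone's Name Servers tab really answers for the zone, and attempts a zone transfer that should be refused. The server address 10.0.0.5 and the zone corp.example.com are assumptions; the strings matched in the output are the wording the Windows nslookup uses for those messages.

```powershell
# Added example, not from the textbook: scripted versions of the Monitoring
# tab tests plus an AXFR attempt, using nslookup.exe. Address and zone name
# are assumptions.

$Server = '10.0.0.5'          # assumed DNS server under test
$Zone   = 'corp.example.com'  # assumed zone it is authoritative for

function Test-DnsQuery {
    # One nslookup query against $Server; $true when the output matches $Expect.
    # -norecurse makes it an iterative query, which is what the Monitoring tab's
    # "simple query" does: the server may answer only from its own zones and
    # cache and must not ask other servers.
    param([string]$Name, [string]$Type, [bool]$Recurse, [string]$Expect)
    $opts = @("-type=$Type")
    if (-not $Recurse) { $opts += '-norecurse' }
    $out = & nslookup.exe $opts $Name $Server 2>&1 | Out-String
    return [bool]($out -match $Expect)
}

$results = @{}

# Simple query: the SOA of our own zone must come back without recursion.
$results['simple query: SOA of own zone, no recursion'] = Test-DnsQuery $Zone 'SOA' $false 'primary name server'

# Recursive query: NS for the root "." exercises the root hints (or the
# forwarders) and Internet connectivity; failure points at those.
$results['recursive query: NS for "."'] = Test-DnsQuery '.' 'NS' $true 'root-servers\.net'

# Every server on the zone's Name Servers tab should answer for the zone itself.
$nsOut = & nslookup.exe -type=NS $Zone $Server 2>&1 | Out-String
$nsHosts = [regex]::Matches($nsOut, 'nameserver = (\S+)') | ForEach-Object { $_.Groups[1].Value }
foreach ($ns in $nsHosts) {
    $soa = & nslookup.exe -type=SOA -norecurse $Zone $ns 2>&1 | Out-String
    $results["NS $ns answers for $Zone"] = [bool]($soa -match 'primary name server')
}

# Zone transfer: "ls -d" in interactive mode requests an AXFR. From a host that
# is not an approved secondary the server must refuse it; a full listing here
# means anyone can enumerate the zone.
$axfr = "ls -d $Zone" | & nslookup.exe - $Server 2>&1 | Out-String
$results['AXFR from this host refused'] = [bool]($axfr -match "refused|Can't list")

$results.GetEnumerator() | Sort-Object Key | ForEach-Object {
    $status = 'FAIL'
    if ($_.Value) { $status = 'PASS' }
    '{0,-4} {1}' -f $status, $_.Key
}
```

Two caveats: the recursive test expects the Internet root servers, so on a network with its own root (Activity 8-4) change the expected string to that root's name; and a PASS on the AXFR line only proves the transfer was refused from the host you ran the script on, so run it from somewhere that is not an approved secondary.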
Activity 8-6: Verifying DNS Records with Nslookup
• The purpose of this activity is to verify proper DNS lookups using the Nslookup utility

DNSLint
• DNSLint is a command-line utility that allows you to verify correct DNS configuration
• It has switches that help you confirm that a zone is correctly configured (/d) or verify the records required by Active Directory (/ad)
• Its functionality is controlled entirely through command-line switches

Activity 8-7: Using DNSLint to Verify Active Directory DNS Records
• The purpose of this activity is to use the DNSLint utility to confirm that the proper DNS records exist for Active Directory

DNSCmd
• DNSCmd is a command-line utility that can be used to view DNS server status and to configure DNS servers, DNS zones, and DNS records
• It can be used in a script, which is useful when you want to make the same changes on many servers

Resetting Default Settings
• When attempting to optimize DNS, you may render DNS inoperable or impair its functionality
• When making system changes, always fully document the existing configuration first
• Windows Server 2003 allows you to reset the configuration of a DNS server back to the defaults
• The default settings should restore functionality

Activity 8-8: Resetting a DNS Server to the Defaults
• The purpose of this activity is to reset the settings on a DNS server back to the installation defaults
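"Always fully document the existing configuration first" is easier to follow when the documentation is a script. The one below is an added example, not part of the original chapter, that snapshots a server's configuration with dnscmd and DNSLint before anything is changed or reset: server-level settings, the zone list, each zone's settings and records, and the DNSLint Active Directory and domain reports (Activity 8-7). The server name dc1, its address 10.0.0.5, the domain corp.example.com and the output folder are assumptions; dnscmd.exe and dnslint.exe come from the Windows Server 2003 Support Tools.

```powershell
# Added example, not from the textbook: baseline snapshot of a DNS server's
# configuration with dnscmd and DNSLint. Names, address and paths are assumptions.

$Server   = 'dc1'                 # assumed DNS server
$ServerIP = '10.0.0.5'            # assumed; DNSLint takes an address
$AdDomain = 'corp.example.com'    # assumed Active Directory domain
$OutDir   = 'C:\DnsBaseline\{0}-{1}' -f $Server, (Get-Date -Format 'yyyyMMdd-HHmm')

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Server-level settings: forwarders, NoRecursion, listen addresses, EDNS
#    probes, scavenging interval, log level, and so on.
& dnscmd.exe $Server /Info | Out-File "$OutDir\server-info.txt"

# 2. Zone list. /EnumZones prints one zone per line as
#    "<name> <Cache|Primary|Secondary|Stub|Forwarder> <storage> <properties>".
$zoneList = & dnscmd.exe $Server /EnumZones | Out-String
$zoneList | Out-File "$OutDir\zones.txt"
$zones = @()
foreach ($line in ($zoneList -split "`r?`n")) {
    $m = [regex]::Match($line.Trim(), '^(\S+)\s+(Primary|Secondary|Stub|Forwarder)\b')
    if ($m.Success) { $zones += New-Object PSObject -Property @{ Name = $m.Groups[1].Value; Type = $m.Groups[2].Value } }
}

# 3. Per-zone settings (transfer restrictions, update mode, aging, masters)
#    and, for zones that hold records, a full export. /ZoneExport writes into
#    %SystemRoot%\System32\dns on the server, so the file is copied back over
#    the admin share (assumed reachable from where this runs).
foreach ($zone in $zones) {
    & dnscmd.exe $Server /ZoneInfo $zone.Name | Out-File "$OutDir\zoneinfo-$($zone.Name).txt"
    if ($zone.Type -eq 'Forwarder') { continue }   # a conditional forwarder has no records to export
    $exportName = "baseline-$($zone.Name).dns"
    & dnscmd.exe $Server /ZoneExport $zone.Name $exportName | Out-Null
    Copy-Item "\\$Server\admin$\System32\dns\$exportName" $OutDir
}

# 4. DNSLint: /ad checks the SRV and CNAME records Active Directory needs
#    (Activity 8-7); /d checks the domain's delegation and NS consistency.
#    /s points it at our server, /no_open stops the HTML report opening in a
#    browser, /t also writes a text report, /y overwrites, /r names the report.
& dnslint.exe /ad $ServerIP /s $ServerIP /no_open /t /y /r "$OutDir\dnslint-ad"
& dnslint.exe /d $AdDomain /s $ServerIP /no_open /t /y /r "$OutDir\dnslint-domain"

Get-ChildItem $OutDir | Select-Object Name, Length
```

One gap to be aware of: for Active Directory-integrated zones the Security tab permissions live in Active Directory, not in the exported zone file, so this snapshot does not capture them; that is exactly the case the "Resetting Default Security" slide covers.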
Resetting Default Security
• When attempting to tighten security settings for DNS, you may render your server inoperable or impair its operation
• If you did not properly document the default security permissions, you can reset them with the Default button in the Advanced Security Settings of the zone properties

DNS Server Logging
• DNS servers are capable of event logging and debug logging
• Event logging records errors, warnings, and informational messages to the DNS Server event log
• Debug logging records much more detailed information
• The Event Logging tab of the DNS server properties gives you the option to record:
• No events
• Errors only
• Errors and warnings
• All events

DNS Server Logging (continued)
• Debug logging records packet-by-packet information about the queries the DNS server receives and the responses it sends
• Enable it only for troubleshooting, because it records a large volume of information
• To reduce the amount of information recorded, you can filter by:
• Packet direction
• Transport protocol
• Packet contents
• Packet type

Summary
• To optimize DNS, you can delegate authority for subdomains to different servers
• A caching-only server is used to speed up DNS name resolution
• Forwarding-only DNS servers use forwarders to resolve recursive queries rather than the root servers on the Internet
• A nonrecursive DNS server does not communicate with other DNS servers when resolving queries

Summary (continued)
• Conditional forwarders use forwarders only for certain specified DNS domains
• Dynamic updates for Active Directory-integrated zones can be secured
• EDNS0 allows Windows Server 2003 to send UDP packets larger than 512 bytes
• A wide variety of DNS server and zone management tasks can be performed from the DNS snap-in

Summary (continued)
• Nslookup queries DNS records
• DNSLint is a command-line utility that allows you to verify correct DNS configuration
• DNSCmd can be used to view DNS server status and to configure DNS servers, zones, and records
• The Advanced Security Settings for an Active Directory-integrated zone can be used to reset zone security back to the defaults
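The debug-logging filters on the DNS Server Logging slides (packet direction, transport, contents, type) map onto bits of a single LogLevel value, and the log is only useful once something reads it. The script below is an added example, not part of the original chapter: it enables debug logging for received queries and updates only, then summarises the log per client to spot a noisy host or a zone-transfer request from somewhere that is not an approved secondary. The LogLevel bits are the documented dnscmd values; the line layout is that of the Windows Server 2003 DNS debug log; the sample lines at the end are constructed, not captured. The server name dc1, the log path and the approved-secondary list are assumptions.

```powershell
# Added example, not from the textbook: enable filtered debug logging with
# dnscmd and summarise the resulting log. Server, path and approved list are
# assumptions; the sample log lines are constructed.

$Server              = 'dc1'                          # assumed
$LogPath             = 'C:\DnsLogs\dns-debug.log'     # assumed; a local path on the server
$ApprovedSecondaries = @('10.0.0.11')                 # assumed: hosts allowed to transfer zones

# LogLevel bitmask (dnscmd /Config /LogLevel): 0x1 Query, 0x20 Update,
# 0x100 Questions (log the question section), 0x2000 Receive, 0x4000 UDP,
# 0x8000 TCP. Leaving out 0x1000 Send and 0x200 Answers roughly halves the volume.
$logLevel = 0x1 -bor 0x20 -bor 0x100 -bor 0x2000 -bor 0x4000 -bor 0x8000
& dnscmd.exe $Server /Config /LogLevel ('0x{0:X}' -f $logLevel)
& dnscmd.exe $Server /Config /LogFilePath $LogPath
& dnscmd.exe $Server /Config /LogFileMaxSize 0x1400000   # 20 MB, then the log wraps

function Get-DnsDebugSummary {
    # Parses lines such as
    #   20060727 10:48:26 3B0 PACKET 00BEA2D0 UDP Rcv 10.0.0.21 0002 Q [0001 D NOERROR] A (3)www(7)example(3)com(0)
    # and returns one object per client that sent the server something.
    param([string[]]$Lines)
    $pattern = '\s(UDP|TCP)\s+(Rcv|Snd)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+[0-9A-Fa-f]+\s+(?:R\s+)?Q\s+\[[^\]]*\]\s+(\S+)\s+(\S+)'
    $byClient = @{}
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success -or $m.Groups[2].Value -ne 'Rcv') { continue }   # only what clients sent us
        $ip   = $m.Groups[3].Value
        $type = $m.Groups[4].Value
        $name = ($m.Groups[5].Value -replace '\(\d+\)', '.').Trim('.')   # (3)www(7)example(3)com(0) -> www.example.com
        if (-not $byClient.ContainsKey($ip)) { $byClient[$ip] = @{ Queries = 0; Axfr = 0; Names = @() } }
        $byClient[$ip].Queries++
        $byClient[$ip].Names += $name
        if ($type -eq 'AXFR' -or $type -eq 'IXFR') { $byClient[$ip].Axfr++ }
    }
    $byClient.Keys | ForEach-Object {
        New-Object PSObject -Property @{
            Client       = $_
            Queries      = $byClient[$_].Queries
            TransferReqs = $byClient[$_].Axfr
            Suspicious   = ($byClient[$_].Axfr -gt 0 -and $ApprovedSecondaries -notcontains $_)
            Names        = ($byClient[$_].Names | Select-Object -Unique) -join ' '
        } | Select-Object Client, Queries, TransferReqs, Suspicious, Names
    } | Sort-Object Queries -Descending
}

# Constructed sample lines in the debug-log layout (not a real capture).
$sample = @(
    '20060727 10:48:26 3B0 PACKET  00BEA2D0 UDP Rcv 10.0.0.21     0002   Q [0001   D   NOERROR] A      (3)www(4)corp(7)example(3)com(0)',
    '20060727 10:48:26 3B0 PACKET  00BEA2D0 UDP Snd 10.0.0.21     0002 R Q [8081   DR  NOERROR] A      (3)www(4)corp(7)example(3)com(0)',
    '20060727 10:48:27 3B0 PACKET  00BEA4F0 TCP Rcv 198.51.100.9  0003   Q [0001   D   NOERROR] AXFR   (4)corp(7)example(3)com(0)',
    '20060727 10:48:28 3B0 PACKET  00BEA4F0 TCP Rcv 10.0.0.11     0004   Q [0001   D   NOERROR] AXFR   (4)corp(7)example(3)com(0)',
    '20060727 10:48:29 3B0 PACKET  00BEA2D0 UDP Rcv 10.0.0.21     0005   Q [0001   D   NOERROR] SOA    (4)corp(7)example(3)com(0)'
)
Get-DnsDebugSummary $sample | Format-Table -AutoSize
# Against the real log once it has filled up:
#   Get-DnsDebugSummary (Get-Content $LogPath) | Where-Object { $_.Suspicious }
# and switch debug logging off again when finished:
#   dnscmd $Server /Config /LogLevel 0
```

On the constructed sample the summary shows 10.0.0.21 with two queries, 10.0.0.11 with one transfer request that is not flagged because it is on the approved list, and 198.51.100.9 flagged as suspicious for requesting an AXFR. The sent packet is skipped on purpose: the point is what clients asked for, and logging responses as well doubles the log size for no extra evidence here.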