
Configuring DNS
EXAM OBJECTIVES
An Introduction to Domain Name System (DNS)
Configuring a DNS Server
Creating DNS Zones
Configuring and Managing DNS Replication
Creating and Managing DNS Records
Configuring Name Resolution for Client Computers

Copyright line.
An Introduction to DNS



DNS allows hosts and services to be located
on IP networks using friendly names instead
of IP addresses.
DNS can be used to resolve public FQDNs,
or used privately by organizations that wish to
use its features while remaining isolated from
the Internet.
DNS uses an incremental query process
involving client-to-server and server-to-server
queries to resolve names and IP addresses.
Slide 2
Configuring a DNS Server



When the DNS Server role is installed, a caching-only
DNS server is created.
Root hints tell a DNS server where to look next when
resolving queries for records not contained in locally
stored zones.
Forwarding can be used instead of root hints. Server
forwarding typically involves an organization's
internal DNS servers forwarding requests for public
name resolution to a DNS server that has direct
access to the Internet. Conditional forwarding allows
administrators to configure DNS servers to forward
resolution requests to other DNS servers based on
specific domain names.
Slide 3
Creating DNS Zones




Forward lookup zones resolve host names to IP
addresses. Reverse lookup zones resolve IP
addresses to host names.
DNS records can be changed on primary and AD
integrated zones, but not on secondary or stub
zones.
Zone delegation allows a domain name space to be
divided among different zones on separate servers.
The new GlobalNames feature supports single-label
name resolution (such as NetBIOS computer names) on
IPv6 networks using DNS.
Slide 4
Configuring and Managing DNS
Replication



By default, primary, AD integrated and
secondary zones limit the servers from which
they can accept zone transfer requests.
Administrators can manually request
incremental zone updates or a complete
refresh of all zone records for secondary
zones using DNS Manager.
The SOA zone record is used to configure the
replication parameters for secondary zones.
Slide 5
Creating and Managing DNS
Records



DNS records can be administered manually,
updated automatically by hosts, or both.
DNS record types include A, AAAA, PTR, MX,
SRV, CNAME, and NS.
Aging and scavenging are used to clean up
DDNS records that have not been updated or
refreshed within a given period and may
therefore be invalid.
Slide 6
Configuring Name Resolution for
Client Computers



Two primary forms of name resolution exist on Windows
networks: NetBIOS names and host names. Microsoft has
increasingly moved away from NetBIOS toward DNS. If a network runs a
variety of Windows client and server versions, it's important that
both forms of name resolution are configured properly. If the
network consists primarily of Windows XP and later clients
and Windows Server 2003 and later servers, DNS is most likely
supporting many of the network's name resolution needs.
By default, the following name resolution steps are taken when
resolving host names: the local host name => the local DNS
resolver cache => the local HOSTS file => DNS => the local
NetBIOS name cache => WINS => a local network broadcast =>
the local LMHOSTS file.
By default, the following name resolution steps are taken when
resolving NetBIOS names: the local NetBIOS name cache =>
WINS => a local network broadcast => the LMHOSTS file => the
local host name => the local DNS resolver cache => DNS.
Slide 7
FAQ


Q: What exactly is DNS and why do I need it?
A: DNS is the primary name resolution
method for Windows Server 2008, making it
essential to a properly functioning domain
and network. It provides hosts with the actual
network location of network services and
other hosts. It also can be used to determine
host and service information when an IP
address is provided. Computers cannot find
themselves using most key components of
Windows Server 2008 without DNS.
Slide 8
FAQ


Q: My organization does not wish to connect to the
Internet. We are using Windows Server 2008 and
Windows Vista, and DNS is essential for name resolution.
I know that DNS was designed to work with the
Internet; what can I do?
A: Although DNS originally was designed for use with
the Internet and its predecessors, it is no problem to
use it privately. In fact, if you have an Active Directory
domain, it will be required. In this scenario you will
create and configure a separate DNS environment
that is very similar to the Internet, except you will
control all levels of it instead of just a tiny portion.
Slide 9
FAQ


Q: I need to specify a totally private DNS
server network for my organization. How
should I configure root hints?
A: When root hints don’t need to point to the
Internet’s root name servers, typically they
should point to the highest level DNS servers
within an organization. A good way to think
about root hints is that they are designed to
point to the top of whatever DNS hierarchy is
being used.
Slide 10
FAQ


Q: I want to use forwarding, but don’t want all
queries to go to the same place. I need to
distribute them based on the domain being
asked for; how can I do this in Windows
Server 2008?
A: Conditional forwarding can be used to
distribute queries to forwarders based on the
domain being requested.
Slide 11
FAQ


Q: Domains and zones are very confusing to me.
What is the difference between a domain and a
zone?
A: Because zones use domain names, it’s easy to
get confused. Zones hold the actual records for part
of the domain namespace. A domain like
syngress.com. has records distributed across several
zones. The root name servers hold the “.” portion,
which is typically hidden from users at the end of the
domain name. The “.com” name servers hold the
zone for this portion of the namespace. Finally a
server managed by the organization contains a zone
for the “syngress” portion of the DNS namespace.
Slide 12
FAQ


Q: Does Microsoft recommend standard or
AD integrated zones?
A: Microsoft recommends AD integrated
zones. The records are stored in the AD
database, which increases their security and
allows for more efficient replication of the
records when compared to traditional zone
transfers. Using AD integrated zones also
enables secure DDNS, which eases the
burden of DNS administration without
compromising security.
Slide 13
FAQ


Q: My organization is implementing IPv6.
Right now we use both DNS and WINS for
name resolution. WINS supports only IPv4.
What can I do to support NetBIOS type
names for IPv6?
A: Microsoft’s new GlobalNames feature can
be used. When activated, DNS servers can
serve manually created single name records.
You can create these records to match
important NetBIOS resource names, such as
key servers.
Slide 14
FAQ


Q: What is the difference between an A and
AAAA host record?
A: The Windows Server 2008 DNS Server
role fully supports IPv4 and IPv6. The A host
record is one of the oldest in DNS and is used
to resolve a host name to an IPv4 address.
The newer AAAA record is used to resolve a
host name to an IPv6 address.
Slide 15
FAQ


Q: What is a PTR record used for?
A: PTR, or pointer, records are the primary
records used in reverse lookup zones. These
records facilitate the resolution of IP
addresses into host names.
Slide 16
FAQ


Q: My office has a lot of sales people that
work on laptops in and out of the office. I’ve
noticed that there are quite a few inaccurate
DDNS records being left behind by these
computers. What can be done about it?
A: Microsoft’s aging and scavenging feature
can be used to clean up records such as
these. You can set your organization’s
Windows 2000 and later DNS servers to
delete records automatically if they have not
been kept up to date.
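As an added example (not code from the study guide), the dnscmd commands that put the aging and scavenging feature from the Creating and Managing DNS Records slide and this FAQ into effect. It assumes it runs elevated on the Windows Server 2008 DNS server hosting syngress.com, that intervals are passed to dnscmd in hours as hex values, and that the 192.0.2.x addresses and printer01 are constructed placeholders.

```powershell
# Added example, not the study guide's code: enable aging on a zone and
# scavenging on the server so stale DDNS records left by roaming laptops are
# deleted automatically. Assumptions: run elevated on the DNS server;
# syngress.com is a zone it hosts; intervals are given to dnscmd in hours as hex
# (0xA8 = 168 h = 7 days); the 192.0.2.x addresses are constructed.

$zone = 'syngress.com'

# Zone-level aging: each dynamically registered record carries a timestamp.
# No-refresh interval: a refresh that changes nothing is ignored for 7 days
# (limits replication traffic). Refresh interval: after that, the host has
# 7 more days to refresh before the record is considered stale.
dnscmd /Config $zone /Aging 1
dnscmd /Config $zone /NoRefreshInterval 0xA8
dnscmd /Config $zone /RefreshInterval 0xA8

# Server-level scavenging: every 24 hours this server deletes records whose
# timestamp is older than NoRefresh + Refresh (14 days). When the zone is AD
# integrated and loaded on several servers, the scavenge list restricts which
# of them may scavenge it; pin it to this server.
dnscmd /Config /ScavengingInterval 0x18
dnscmd /ZoneResetScavengeServers $zone 192.0.2.53

# Records created by hand carry no timestamp and are never scavenged, so a
# statically added printer record survives every cleanup pass.
dnscmd /RecordAdd $zone printer01 A 192.0.2.77

# Run one pass now rather than waiting for the interval, then review the result.
dnscmd /StartScavenging
dnscmd /ZoneInfo $zone
```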
Slide 17
FAQ


Q: Most of the name resolution on my network uses
DNS, however all clients are still configured for
WINS. When a client attempts to access a resource
by using the resource’s host name, what steps may
occur?
A: By default, the following name resolution steps are
taken when resolving host names: the local host
name => the local DNS resolver cache => the local
HOSTS file => DNS => the local NetBIOS name
cache => WINS => a local network broadcast => the
local LMHOSTS file. All these steps are at least
partially configurable by an administrator.
Slide 18
FAQ


Q: My environment uses IPv6 addresses, but
NetBIOS broadcasts are supported only for IPv4.
What can I do?
A: Microsoft has included a new protocol in Windows
Vista and Server 2008 to solve this problem: Link-Local
Multicast Name Resolution (LLMNR). If these are the
primary operating systems in use and hosts on a
segment of the network are unable to contact a DNS
server, some name resolution can still take place on
a peer-to-peer basis using either IPv4 or IPv6.
Slide 19
FAQ


Q: I’m responsible for several hundred Windows XP
and Vista clients. Is there an easy way to automate
their DNS configuration?
A: Many DNS settings can be managed centrally
using group policy. In most cases, settings applied
with group policy will override settings that are
configured manually on the client. Not all settings
work with all client types, however. It’s important to
carefully read the description of each to determine
how and where it can be applied.
Slide 20
Test Day Tip

In addition to caching responses from DNS servers
containing the requested resources (called positive
caching), the local resolver also caches negative
responses. These result from a failure to locate DNS
resources. When a server returns a request to a
client’s query that contains a negative response, the
local resolver caches it and will not request it again
for a period of time. Temporary DNS problems can
thus become longer term issues until this cached
record expires. You can manually purge the client’s
resolver cache using the following command:
ipconfig /flushdns.
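As an added example (not code from the study guide), a PowerShell check that inspects the local resolver cache for one name and flushes the cache only when a negative entry is present, so a failure that has already been fixed upstream is not served locally for the rest of its TTL. It assumes the ipconfig /displaydns output layout (the name on its own line, a dashed rule, then record lines or "Name does not exist."), and mail01.syngress.com is a constructed name.

```powershell
# Added example, not the study guide's code: look for a negative entry for one
# name in the local resolver cache and flush the cache only if one is present.
# Assumptions: "ipconfig /displaydns" prints each entry as the name on its own
# line, a dashed rule, then record lines or "Name does not exist." for a negative
# answer, ending at a blank line; mail01.syngress.com is a constructed name.

function Get-ResolverCacheEntry {
    param([Parameter(Mandatory)] [string] $Name)
    $found = $false
    $entry = @()
    foreach ($line in (ipconfig /displaydns)) {
        if (-not $found) {
            if ($line.Trim() -ieq $Name) { $found = $true }
            continue
        }
        if ($line -notmatch '\S') { break }      # blank line closes the entry
        $entry += $line.Trim()
    }
    if (-not $found) { return $null }
    [pscustomobject]@{
        Name     = $Name
        Negative = [bool]($entry -match '^Name does not exist')
        Lines    = $entry
    }
}

$name  = 'mail01.syngress.com'
$entry = Get-ResolverCacheEntry -Name $name
if ($null -eq $entry) {
    "$name is not cached; the next lookup walks the HOSTS file and then DNS."
} elseif ($entry.Negative) {
    # A cached failure is answered locally until it expires, so a DNS outage
    # that is already fixed can still look broken; clear it and retry.
    "$name is negatively cached; flushing the resolver cache."
    ipconfig /flushdns | Out-Null
} else {
    "$name is positively cached:"
    $entry.Lines
}
```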
Slide 21
Exam Warning

A server cannot be configured to conditionally
forward for a domain if it has a zone
configured on it that includes the same
portion of the domain name space. For
example, if a DNS server hosts the
authors.syngress.com zone, it cannot also
have conditional forwarding set up for the
authors.syngress.com domain.
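As an added example (not code from the study guide), a PowerShell wrapper around dnscmd that applies the server and conditional forwarding described on the Configuring a DNS Server slide and in the forwarding FAQ, and enforces this warning by refusing to add a conditional forwarder for a name the server already hosts as a zone. It assumes it runs elevated on the Windows Server 2008 DNS server, that the 192.0.2.x addresses are constructed placeholders, and that dnscmd /EnumZones prints one zone per line with the zone name as the first token.

```powershell
# Added example, not the study guide's code: refuse a conditional forwarder for a
# name this server already hosts as a zone, then configure forwarding with dnscmd.
# Assumptions: run elevated on the DNS server; 192.0.2.x addresses are constructed;
# "dnscmd /EnumZones" lists one zone per line with the zone name as the first token.

function Get-HostedZoneName {
    # Parse the zone table printed by dnscmd; everything before the "Zone name"
    # header and from the closing "Command completed" line onward is ignored.
    $inTable = $false
    foreach ($line in (dnscmd /EnumZones)) {
        if ($line -match '^\s*Zone name\s') { $inTable = $true; continue }
        if (-not $inTable -or $line -notmatch '\S') { continue }
        if ($line -match 'Command completed') { break }
        ($line.Trim() -split '\s+')[0]
    }
}

function Add-ConditionalForwarder {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [string[]] $ForwarderIP,
        [int] $TimeoutSeconds = 5
    )
    $hosted = @(Get-HostedZoneName)
    if ($hosted -contains $Domain) {
        # The DNS server rejects this combination; fail early with a clear reason.
        throw "Zone '$Domain' is hosted here, so it cannot also be conditionally forwarded."
    }
    # /Forwarder creates a conditional forwarder for $Domain only. /Slave stops
    # the server from falling back to root hints when the forwarder fails.
    dnscmd /ZoneAdd $Domain /Forwarder $ForwarderIP /Timeout $TimeoutSeconds /Slave
}

# Server forwarding: send every query this server cannot answer from its own
# zones to the internal server that has direct Internet access.
dnscmd /ResetForwarders 192.0.2.53 /Timeout 5 /Slave

# Conditional forwarding: queries for the partner namespace go to its DNS server
# instead. Throws if authors.syngress.com is already a zone on this server.
Add-ConditionalForwarder -Domain 'authors.syngress.com' -ForwarderIP '192.0.2.10'
```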
Slide 22
Test Day Tip

Beware of Microsoft’s default options.
Sometimes they represent Microsoft’s
recommended settings. Other times a
nonrecommended setting is selected by
default. On the test, never assume that a
default option or setting is a recommended
one.
Slide 23
Test Day Tip

Be sure to remember that Microsoft
recommends and really expects you to use
AD integrated zones with secure dynamic
updates whenever possible.
Slide 24
Exam Warning

Only Windows Server 2008 servers support
GlobalNames zones.
Slide 25
Exam Warning

Pay careful attention to Microsoft's
recommendations regarding GlobalNames
zones. These zones do not have to be AD
integrated, replicated to all domain controllers
in the forest, or configured to disallow dynamic
updates, but this is how Microsoft expects them
to be configured. Often their documentation does
not even acknowledge that other configuration
options can be used. Play it safe on the exam and
give them the answers they want.
Slide 26
Exam Warning

The server’s right-click menu contains a
Reload option in addition to Reload from
Master. It’s important not to confuse these on
the exam. On a secondary zone, the Reload
option reloads the information in the local
zone file. The Reload from Master initiates a
full zone transfer from a master DNS server
and overwrites the records in the zone file.
Slide 27
Exam Warning

Unlike standard primary zones, by default AD
integrated and secondary zones are not
configured to allow zone transfers. You must
check the Allow zone transfers: box in the
Zone Transfers tab in the server’s
Properties.
Slide 28
Test Day Tip

The refresh, retry, and expiration settings on
the SOA record apply only to standard
secondary zones. AD integrated zones use
Active Directory replication and ignore these
settings.
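As an added example (not code from the study guide), the dnscmd steps that combine the replication points from the Configuring and Managing DNS Replication slide, the FAQ on AD integrated zones with secure DDNS, and the two tips above: move a standard primary zone into Active Directory, allow only secure dynamic updates, and then open zone transfers to exactly the named secondaries. It assumes it runs elevated on a Windows Server 2008 domain controller hosting syngress.com as a standard primary zone; the 192.0.2.x secondary addresses are constructed.

```powershell
# Added example, not the study guide's code: move a standard primary zone into
# Active Directory with secure-only dynamic updates, then open zone transfers
# only to two named secondaries. Assumptions: run elevated on a Windows Server
# 2008 domain controller that hosts syngress.com as a standard primary zone;
# the 192.0.2.x secondary addresses are constructed.

$zone        = 'syngress.com'
$secondaries = '192.0.2.20', '192.0.2.21'

# Step 1: AD integrated storage. Records now replicate through AD to the other
# domain controllers, so the SOA refresh/retry/expire timers no longer apply
# to them.
dnscmd /ZoneResetType $zone /DsPrimary /DP /domain

# Step 2: secure dynamic updates. 0 = none, 1 = nonsecure and secure,
# 2 = secure only (requires AD integration); 1 lets any host overwrite records.
dnscmd /Config $zone /AllowUpdate 2

# Step 3: zone transfers. An AD integrated zone allows none by default, which
# is the safe state; standard secondaries that are not domain controllers still
# need AXFR/IXFR, so permit exactly those addresses and NOTIFY only them.
# (/NonSecure would let any requester copy the whole zone; /NoXfr disables
# transfers again.)
dnscmd /ZoneResetSecondaries $zone /SecureList $secondaries /NotifyList $secondaries

# Those secondaries still poll on the SOA schedule; read it back to check the
# refresh, retry and expire values they will use.
dnscmd /EnumRecords $zone '@' /Type SOA
dnscmd /ZoneInfo $zone
```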
Slide 29
Test Day Tip

In addition to creating application directory
partitions, you can also add servers to and
remove servers from partitions using
DNSCMD.
Slide 30
Test Day Tip

If you use a mix of Windows and non-Windows DNS
servers, consider selecting the Do not replicate
this record option. WINS records are not standard
DNS record types and are not supported by all DNS
servers. Attempting to replicate them to DNS servers
that do not support them may cause errors.
Slide 31
Test Day Tip

DDNS can conflict with data in the
GlobalNames zone. If a GNZ is configured on
the DNS server, it is checked first when
DDNS requests are received. If a client
attempts to register or update a DDNS record
using a name that is already specified in the
GNZ, the request will fail.
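As an added example (not code from the study guide), the dnscmd commands that create a GlobalNames zone the way the GlobalNames bullet, the IPv6 FAQ and the two GNZ warnings above describe: AD integrated, replicated forest-wide, dynamic updates disabled, and populated by hand with the names of key servers. It assumes it runs elevated on a Windows Server 2008 domain controller running the DNS Server role; the host names are constructed.

```powershell
# Added example, not the study guide's code: create a GlobalNames zone the way
# Microsoft expects it (AD integrated, forest-wide replication, no dynamic
# updates) and fill it with manually created CNAME records. Assumptions: run
# elevated on a Windows Server 2008 domain controller running the DNS Server
# role; the host names below are constructed.

$gnz = 'GlobalNames'

# Per-server switch: without it the server never consults the GNZ for
# single-label queries, even if the zone exists.
dnscmd /Config /EnableGlobalNamesSupport 1

# Store the zone in the forest-wide DNS application directory partition so
# every DNS server in the forest loads the same copy.
dnscmd /ZoneAdd $gnz /DsPrimary /DP /forest

# AllowUpdate 0 = no dynamic updates; GNZ entries are created by administrators.
dnscmd /Config $gnz /AllowUpdate 0

# Each single-label name is a CNAME to the host's FQDN, whose A/AAAA record
# lives in the normal zone, so it works for IPv6 hosts without WINS.
# The GNZ is checked before DDNS registrations: once FILESRV01 is listed here,
# a client trying to register that name dynamically is refused, so reserve only
# the names of key servers.
$keyServers = @{
    'FILESRV01' = 'filesrv01.syngress.com'
    'MAIL01'    = 'mail01.syngress.com'
}
foreach ($entry in $keyServers.GetEnumerator()) {
    dnscmd /RecordAdd $gnz $entry.Key CNAME $entry.Value
}

# Verify storage, replication scope and that updates are off.
dnscmd /ZoneInfo $gnz
```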
Slide 32
Exam Warning

Client DNS server settings can be assigned
by group policy. When a client has locally
configured DNS servers, and a group policy
setting that specifies them, the local server
list is ignored.
Slide 33