MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory
Chapter 9: Configuring DNS for Active Directory
Objectives
• Describe the structure of Domain Name System
• Install and use the DNS Server role in Windows Server 2008
• Configure DNS zones
• Configure advanced DNS server settings
• Monitor and troubleshoot DNS
MCTS Windows Server 2008 Active Directory
2
Introduction to Domain Name System
• Domain Name System (DNS) is a distributed hierarchical database composed mainly of computer name and IP address pairs
• In order to resolve a name to an address, a DNS lookup will often require multiple queries to a hierarchy of DNS servers
The Structure of DNS
• DNS can be described as an inverted tree structure
• Entire DNS tree is called the DNS namespace
• Each domain has one or more servers that are authoritative for the domain
• Root servers keep a database of addresses of other DNS servers managing top-level domain names, called top-level domain (TLD) servers
The Structure of DNS (cont.)
The DNS Database
• A zone is a grouping of DNS information that represents one or more domains and possibly subdomains
• Zones contain a variety of record types called resource records, which contain information about network resources
• DNS records can be added and changed by:
– Static updates
– Dynamic updates
The DNS Database (cont.)
DNS resource record types
The DNS Lookup Process
• Two different types of DNS lookup can be performed
– Iterative query
• A DNS server will respond with the best information it has to satisfy the query, or it may give a referral response
– Recursive query
• DNS server processes the query until it responds with an address that satisfies the query or with an “I don’t know” message
• A typical DNS lookup made by a DNS client can involve both recursive and iterative queries
• DNS clients maintain a Hosts file that can contain static DNS entries; Hosts is stored in %systemroot%\System32\drivers\etc
The DNS Lookup Process (cont.)
DNS Server Roles
• DNS servers can perform one or more of the following roles for a zone:
– Authoritative server
• Holds a complete copy of a zone’s resource records
– Forwarder
• A DNS server to which other DNS servers send requests they can’t resolve themselves
– Conditional forwarder
• DNS server to which other DNS servers send requests targeted for a specific domain
– Caching-only server
• Does not have zones; it fields DNS queries, does recursive lookups to root servers, or sends requests to forwarders and then caches the results
DNS Zones
• Three different types of zones
– Primary zone
• Contains a read/write master copy of all resource records for the zone; it is considered authoritative for the zone
– Secondary zone
• Contains a read-only copy of all resource records for the zone; it is considered authoritative for the zone
– Stub zone
• Contains a read-only copy of only the SOA and NS records for a zone and the necessary A records to resolve NS records; not authoritative
Installing DNS
• DNS installation begins by installing the DNS Server role in Server Manager
• If the DNS server is intended to manage domain name services for Active Directory, the DNS Server role should be installed on a domain controller
• Windows automatically detects whether or not the server is configured as a domain controller and then integrates DNS zones with Active Directory
Creating DNS Zones
• An Active Directory integrated zone is a primary or stub zone with the DNS database stored in an Active Directory partition
• Installing DNS on a domain controller that is part of an existing domain will have zone information copied to it automatically during AD replication
• Some situations may require that a zone be created manually
• Zones that are not Active Directory integrated are referred to as standard zones
Creating DNS Zones (cont.)
Active Directory-Integrated Zones
• “Store the zone in Active Directory” check box means you want the zone stored in an Active Directory partition
• Standard zones are stored in a text file called zonename.dns, which is located in the %systemroot%\system32\dns folder
• Active Directory-integrated zones have the following advantages over a standard zone:
– Automatic zone replication
– Multimaster replication and update
– Secure updates
– Efficient replication
Zone Replication Scope
• After selecting the zone type and specifying that the zone be stored in Active Directory, you are asked to select the zone replication scope with one of these options:
– To all DNS servers in this forest
– To all DNS servers in this domain
– To all domain controllers in this domain (for Windows 2000 compatibility)
– To all domain controllers specified in the scope of this directory partition
Forward and Reverse Lookup Zones
• Next, you are asked whether a zone should be a forward lookup zone or a reverse lookup zone
– FLZ – A forward lookup zone contains records that translate names to IP addresses, such as A, AAAA, and MX records
– RLZ – A reverse lookup zone contains PTR records that map IP addresses to names and is named after the IP network address (IPv4 or IPv6) of the computers whose records it contains
Dynamic Updates
• Final step allows you to choose whether and how to use dynamic updates, which can be configured in one of three ways
– Allow only secure dynamic updates
– Allow both nonsecure and secure dynamic updates
– Do not allow dynamic updates
• Dynamic updates enable DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur
Creating Zones from the Command Line
• Dnscmd.exe can create and configure various DNS settings
• Basic syntax: dnscmd server /command
• Examples:
– Create a new primary Active Directory-integrated zone named zone1 that allows only secure dynamic updates:
dnscmd server99 /ZoneAdd zone1 /DsPrimary
– Add an A record for the host named host1 in zone1 with the IP address 192.168.200.99:
dnscmd server99 /RecordAdd zone1 host1 A 192.168.200.99
Configuring DNS Zones
• Zones can be viewed and changed in DNS Manager
• DNS Manager provides the following options:
– Status
– Type
– Replication
– Dynamic updates
– Aging
Configuring DNS Zones (cont.)
Aging and Scavenging Resource Records
• Stale resource records can degrade server performance, provide incorrect information, and generally make DNS less reliable and efficient
• Enabling scavenging causes the server to check for stale records periodically and delete those meeting the criteria for a stale record
• Options in the Zone Aging/Scavenging Properties dialog box
– Scavenge stale resource records
– No-refresh interval
– Refresh interval
– The zone can be scavenged after
Start of Authority Records
• SOA records are found in every zone and contain information that identifies the server primarily responsible for the zone as well as some operational properties for the zone
• The SOA record contains the following information:
– Serial number
– Primary server
– Responsible person
– Refresh interval
– Retry interval
– Expires after
– Minimum (default) TTL
Name Server Records
• NS records specify FQDNs and IP addresses of authoritative servers for a zone
• NS records are also used to refer DNS queries to a name server that has been delegated authority for a subdomain
• Glue A records are A records containing a name server’s IP address and are used to resolve NS record information
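The SOA fields and the NS/glue relationship in working form, as an added Python example that is not code from the book: it parses a standard zone's text file (the zonename.dns format Windows writes under %systemroot%\system32\dns) into resource records, including a multi-line SOA and an SRV record of the kind kept under _msdcs, and then reports NS records whose target lies inside the zone but has no glue A record. The sample zone, its names and addresses are constructed for this example; parse_zone, missing_glue and the helper names are chosen here, and the parser covers only the record types listed in RECORD_TYPES.

```python
# Constructed sample in the RFC 1035 master-file format used by zonename.dns.
SAMPLE_ZONE = """\
$ORIGIN corp.example.local.
$TTL 3600
@   IN  SOA dc1.corp.example.local. hostmaster.corp.example.local. (
        2024010105 ; serial number
        900        ; refresh interval
        600        ; retry interval
        86400      ; expires after
        3600 )     ; minimum (default) TTL
@                     IN  NS   dc1.corp.example.local.
@                     IN  NS   dc2.corp.example.local.
dc1                   IN  A    10.0.0.1
www                   IN  A    10.0.0.10
_ldap._tcp.dc._msdcs  IN  SRV  0 100 389 dc1.corp.example.local.
"""

RECORD_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "PTR", "SRV", "CNAME", "TXT"}
# rdata fields that hold domain names and so must be qualified with $ORIGIN
NAME_FIELDS = {"NS": {0}, "CNAME": {0}, "PTR": {0}, "SOA": {0, 1}, "MX": {1}, "SRV": {3}}


def _logical_lines(text):
    """Drop ';' comments and join parenthesised multi-line entries (the SOA)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def _qualify(name, origin):
    """'@' is the zone apex; names without a trailing dot are relative to $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return a list of {name, ttl, type, rdata} dicts, one per resource record."""
    origin, default_ttl, last_name, records = ".", None, None, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        # A line that starts with whitespace reuses the previous owner name
        name = last_name if line[0].isspace() else _qualify(tokens.pop(0), origin)
        last_name = name
        ttl = default_ttl
        if tokens[0].isdigit():                # optional per-record TTL
            ttl = int(tokens.pop(0))
        if tokens[0].upper() == "IN":          # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype not in RECORD_TYPES:
            raise ValueError(f"unsupported record type {rtype} for {name}")
        rdata = [_qualify(t, origin) if i in NAME_FIELDS.get(rtype, set()) else t
                 for i, t in enumerate(tokens)]
        records.append({"name": name, "ttl": ttl, "type": rtype, "rdata": rdata})
    return records


def missing_glue(records):
    """NS targets that lie inside the zone but have no A/AAAA record: without
    glue, a resolver following the NS record has no address to send to."""
    apexes = {r["name"] for r in records if r["type"] == "SOA"}
    have_address = {r["name"] for r in records if r["type"] in ("A", "AAAA")}
    missing = set()
    for r in records:
        if r["type"] != "NS":
            continue
        target = r["rdata"][0]
        inside = any(target == z or target.endswith("." + z) for z in apexes)
        if inside and target not in have_address:
            missing.add(target)
    return sorted(missing)
```

Run against the sample, missing_glue reports dc2.corp.example.local., the second name server that was listed without its A record; NS targets outside the zone are skipped because their addresses are resolved through the normal hierarchy rather than from glue.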
Zone Delegation
• Zone delegation is transferring authority for a subdomain to a new zone, which can be on the same server or another server
• The server hosting the parent zone maintains only an NS record pointing to the DNS server hosting the delegated zone
• _msdcs subdomain exists inside every Windows domain zone and holds SRV records for Microsoft-hosted services, such as global catalog, LDAP, and Kerberos
Zone Delegation (cont.)
Using Stub Zones
• Stub zones are a special type of zone that contain only an SOA record, one or more NS records, and the necessary glue A records to resolve NS records
• Reasons for using stub zones
– Maintenance of zone delegation information
– In lieu of conditional forwarders
– Faster recursive queries
– Distribution of zone information
Zone Transfers
• A zone transfer copies all or part of a zone from one DNS server to another and occurs as a result of a second server requesting the transfer from another server
• Zone transfers can be initiated in two ways
– Refresh interval
– DNS notify
• Zone transfers are configured in the Zone Transfers tab of a zone’s Properties dialog box, which has the following options:
– Allow zone transfers
• To any server
• Only to servers listed on the Name Servers tab
• Only to the following servers
– Notify
Incremental Zone Transfers
• Two types of zone transfer
– Full zone transfers
– Incremental zone transfers
• Both master and slave DNS servers must support incremental zone transfers to use them
• When an incremental zone transfer is initiated, the zone’s serial number is used to determine the differences between the slave’s current zone data and the zone data on the master
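The SOA timers, the serial-number comparison and the Zone Transfers tab settings together, as an added Python model that is not from the book: a secondary decides when to check the master (refresh interval, retry interval after a failed attempt, at once after DNS notify), whether its copy has expired, and whether the answer is nothing, an incremental transfer or a full transfer; the master side checks the "Allow zone transfers" setting against the requester. SOA, SecondaryZone, transfer_allowed and choose_transfer are names chosen here; serial comparison follows RFC 1982 serial arithmetic; the serials, addresses and zone name used with it are constructed, and "master_history" (the set of serials the master can still diff from) is this example's simplification of an IXFR change log.

```python
from dataclasses import dataclass

SERIAL_MODULUS = 2 ** 32


def serial_is_newer(master_serial, secondary_serial):
    """Serial-number arithmetic (RFC 1982): True when the master's serial is
    ahead of the secondary's, correct even across the 32-bit wraparound."""
    if master_serial == secondary_serial:
        return False
    return (master_serial - secondary_serial) % SERIAL_MODULUS < SERIAL_MODULUS // 2


@dataclass
class SOA:
    primary_server: str
    responsible_person: str
    serial: int
    refresh: int        # how long the secondary waits between checks of the master
    retry: int          # how long it waits after a check that got no reply
    expire: int         # how long it keeps answering without reaching the master
    minimum_ttl: int


def transfer_allowed(setting, requester_ip, name_server_ips, listed_ips):
    """The 'Allow zone transfers' options on the Zone Transfers tab."""
    if setting == "any":                       # To any server
        return True
    if setting == "name servers":              # Only to servers listed on the Name Servers tab
        return requester_ip in name_server_ips
    if setting == "listed":                    # Only to the following servers
        return requester_ip in listed_ips
    return False                               # check box cleared: no transfers at all


def choose_transfer(master_serial, secondary_serial, master_history, both_support_ixfr):
    """What the master sends: 'none' (secondary is current), 'IXFR' (only the
    changes since the secondary's serial, when both sides support it and the
    master still holds history back to that serial) or 'AXFR' (the full zone)."""
    if not serial_is_newer(master_serial, secondary_serial):
        return "none"
    if both_support_ixfr and secondary_serial in master_history:
        return "IXFR"
    return "AXFR"


@dataclass
class SecondaryZone:
    name: str
    soa: SOA
    last_success: int       # time of the last successful SOA check or transfer
    last_attempt: int = 0
    failed: bool = False
    notified: bool = False  # set when the master sends DNS notify

    def due(self, now):
        """Check again after the refresh interval, sooner (retry interval)
        after a failure, and at once after a notify."""
        if self.notified:
            return True
        if self.failed:
            return now >= self.last_attempt + self.soa.retry
        return now >= self.last_success + self.soa.refresh

    def expired(self, now):
        """Past 'Expires after' without contact, the copy can no longer be trusted."""
        return now - self.last_success >= self.soa.expire

    def check_master(self, now, master_serial, master_history, both_support_ixfr):
        """One refresh attempt. master_serial None means the master did not
        answer. Returns 'unreachable', 'none', 'IXFR' or 'AXFR'."""
        self.last_attempt, self.notified = now, False
        if master_serial is None:
            self.failed = True
            return "unreachable"
        self.failed, self.last_success = False, now
        action = choose_transfer(master_serial, self.soa.serial, master_history, both_support_ixfr)
        if action != "none":
            self.soa.serial = master_serial
        return action
```

Two things the model makes visible: a successful SOA check resets the expire clock even when no data changes, and the "To any server" setting hands a complete copy of the zone to whoever asks, which is why the two restrictive options exist.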
Using WINS with DNS
• Windows Internet Name Service (WINS) is a legacy name service used to resolve NetBIOS names, sometimes referred to as single-label names
• Similar to DNS in that it keeps a database of name-to-address mappings
• Generally used in environments that require NetBIOS resolution or where applications depend on it
• The WINS tab has the following options:
– Use WINS forward lookup
– Do not replicate this record
– IP address
– Time to live (TTL)
Using the GlobalNames Zone
• GlobalNames zone (GNZ) allows administrators to add single-label names to DNS, giving client computers the ability to resolve these names without including a DNS suffix in the query
• Entries must be made manually
• Can assist mobile users by dropping the need for remembering a resource’s FQDN
• Enabled via dnscmd.exe
– Dnscmd server /config /EnableGlobalNamesSupport 1
DNS Forwarders
• Referring a DNS query to a forwarder can be more efficient under some situations
– When the DNS server address for the target domain is known
– When only one DNS server in a network should make external queries
– When a forest trust is created
– When the target domain is external to the network and an external DNS server’s address is known
• Conditional forwarding allows queries for particular domains to be sent to particular name servers and all other unresolved queries to a different server
Configuring Traditional Forwarders
• To configure a traditional forwarder, right-click the server node in DNS Manager, click Properties, and click the Forwarders tab
• If more than one server is specified, they are queried in the order in which they’re listed
• Additional servers are only queried if the first server provides no response
• No response from any forwarders triggers a normal recursive lookup process, starting with a root server
Configuring Conditional Forwarders
• Previously, traditional and conditional forwarders were configured under the Forwarders tab, but Server 2008 has conditional forwarders as a node in DNS Manager
• With forwarders and/or conditional forwarders configured, the DNS server attempts to resolve DNS queries in this order:
1. From locally stored zone resource records
2. From the DNS cache
3. From conditional forwarders
4. From traditional forwarders
5. Recursively by using root hints
Root Hints
• Root hints consist of a list of name servers preconfigured on Windows DNS servers that point to Internet root servers
• These servers contain lists of name servers that are responsible for top-level domains
• Root hints data comes from the Cache.dns file located in the %SystemRoot%\System32\DNS folder
• Internal DNS servers can be configured as root servers if the network is isolated from the public Internet
Round Robin
• Load sharing can be configured among servers running mirrored services
• Accomplished by creating multiple A records with the server’s name in both records but with each entry configured with a different IP address
• DNS will then respond to queries by sending all addresses associated with the server’s name but will also vary their order
• This process is called round robin because each IP address is placed first in the list an equal number of times
Recursive Queries
• Recursion is enabled on Windows DNS servers by default, but there are two ways to change this setting
• First involves configuring forwarders
• Second is the “Disable recursion (also disables forwarders)” option in the Advanced tab of the DNS server’s Properties dialog box
• Recursion might be disabled when you have a public DNS server containing resource records for your publicly available servers, but you don’t want unauthorized users using your DNS server for recursive client requests
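The five-step resolution order, the iterative walk from the root hints, round robin and the effect of disabling recursion, combined in one added Python model that is not code from the book. A Resolver answers from local zones (rotating multiple A records), then its TTL-bounded cache, then a matching conditional forwarder, then the traditional forwarders in listed order (the next one only when the previous gave no response), and finally by iterating from a toy root server through referrals. AUTH_SERVERS, Resolver and iterative_lookup are names chosen here; the three toy servers stand in for an Internet root server, a TLD server and an authoritative server, every name and address is constructed, and representing a forwarder's "no response" as a missing entry is a simplification of a timeout.

```python
from collections import defaultdict

# Constructed toy hierarchy: stand-ins for an Internet root server, the .com
# TLD server and the authoritative server for example.com. Each server lists
# the subzones it delegates by referral and the A records it holds.
AUTH_SERVERS = {
    "root": {"delegations": {"com.": "tld-com"}, "records": {}},
    "tld-com": {"delegations": {"example.com.": "ns1.example.com"}, "records": {}},
    "ns1.example.com": {"delegations": {},
                        "records": {"www.example.com.": ["198.51.100.10"]}},
}


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def iterative_lookup(name, start="root"):
    """What a server does when it recurses via root hints: ask the root, follow
    each referral to a more specific server, stop at an answer or a negative
    answer. Returns (addresses or None, list of servers consulted)."""
    trail, server = [], start
    while True:
        trail.append(server)
        data = AUTH_SERVERS[server]
        if name in data["records"]:
            return data["records"][name], trail          # authoritative answer
        referrals = [z for z in data["delegations"] if in_zone(name, z)]
        if not referrals:
            return None, trail                            # authoritative "no such name"
        server = data["delegations"][max(referrals, key=len)]  # most specific delegation


class Resolver:
    """Order in which a Windows DNS server with forwarders tries to answer:
    local zones -> cache -> conditional forwarders -> forwarders -> root hints."""

    def __init__(self, local_zones, conditional_forwarders, forwarders, recursion=True):
        self.local_zones = local_zones                   # name -> list of A addresses
        self.conditional_forwarders = conditional_forwarders  # domain -> {name: addrs}
        self.forwarders = forwarders                     # ordered list of {name: addrs}
        self.recursion = recursion                       # False = "Disable recursion" checked
        self.cache = {}                                  # name -> (addrs, expires_at)
        self._rr = defaultdict(int)                      # round-robin position per name

    def _round_robin(self, name, addrs):
        """Rotate the answer so each address is listed first an equal number of times."""
        k = self._rr[name] % len(addrs)
        self._rr[name] += 1
        return addrs[k:] + addrs[:k]

    def _remember(self, name, addrs, now, ttl):
        if addrs is not None:
            self.cache[name] = (addrs, now + ttl)
        return addrs

    def resolve(self, name, now=0, ttl=300):
        """Returns (addresses or None, which step produced the answer)."""
        # 1. Locally stored zone records (authoritative; round robin applies)
        if name in self.local_zones:
            return self._round_robin(name, self.local_zones[name]), "local zone"
        # 2. Cached answers that have not passed their TTL
        if name in self.cache:
            addrs, expires = self.cache[name]
            if now < expires:
                return addrs, "cache"
            del self.cache[name]
        # With recursion disabled the server answers only from its own data;
        # forwarders are disabled too, so outsiders cannot use it as an open resolver.
        if not self.recursion:
            return None, "refused: recursion disabled"
        # 3. Conditional forwarders, only for names under their configured domain
        for domain, server in self.conditional_forwarders.items():
            if in_zone(name, domain):
                return self._remember(name, server.get(name), now, ttl), "conditional forwarder"
        # 4. Traditional forwarders in listed order; the next is tried only on no response
        for idx, server in enumerate(self.forwarders, 1):
            addrs = server.get(name)        # None stands for "no response" here
            if addrs is not None:
                return self._remember(name, addrs, now, ttl), f"forwarder {idx}"
        # 5. Recurse from the root hints
        addrs, trail = iterative_lookup(name)
        return self._remember(name, addrs, now, ttl), "root hints via " + " -> ".join(trail)
```

Querying the same name three times against a local zone with three A records returns the three rotations in turn; a name under the conditional forwarder's domain never reaches the traditional forwarders; and with recursion disabled the resolver still answers for its own zones but refuses everything else, which is the public-facing configuration the slide describes.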
Event and Debug Logging
• When DNS is installed, a new event log is created to record informational, error, and warning events generated by the DNS server
• Common events include zone serial number changes, zone transfer requests, and DNS server startup and shutdown events
• Debug logging can be enabled in the server’s Properties dialog box
• Debug logging records selected packets coming from and going to the DNS server in a text file
Event and Debug Logging (cont.)
DNS Troubleshooting
• Windows has several tools to administer, monitor, and troubleshoot DNS server operation, including the following tools:
– DNS Manager
– Dnscmd.exe
– Event Viewer
– Dnslint
– Nslookup
– Ipconfig
– Performance Monitor
– Protocol analyzer
Monitoring DNS Performance
• DNS performance can degrade over time because of increased database size and increased client activity
• Dnscmd.exe can display a snapshot of server statistics with the dnscmd.exe /statistics command
• Performance Monitor can continuously monitor and gather statistics
• Creating a performance baseline is good practice for troubleshooting issues that may arise later on
Monitoring DNS Performance (cont.)
Chapter Summary
• DNS is based on a hierarchical naming structure and a distributed database
• DNS can be described as an inverted tree with the root domain at the top, TLDs branching off the root, and domains and subdomains branching off TLDs
• The DNS database is composed of zones containing resource records, such as Start of Authority (SOA), Host (A), and Service (SRV) records
Chapter Summary (cont.)
• DNS lookups involve iterative and recursive queries
– Most lookups start from the DNS resolver with a recursive query to a DNS server; the DNS server satisfies the query or performs a series of iterative queries, starting with a root server
• DNS servers can perform one or more of the following roles: authoritative server, forwarder, conditional forwarder, and caching-only server
• Active Directory-integrated zones have the advantages of automatic replication, multimaster replication and update, secure updates, and efficient replication
Chapter Summary (cont.)
• A zone can be a forward lookup zone or a reverse lookup zone
• SOA records contain information about a zone, including its serial number and a number of timers used for zone transfers
• Subdomains can be delegated to a zone on another server to improve performance and control replication scope
• Advanced DNS settings include configuring forwarders, root hints, round robin, recursive queries, and logging
Chapter Summary (cont.)
• Tools for monitoring and troubleshooting DNS include Dnscmd, Dnslint, Nslookup, Ipconfig, and Performance Monitor
– You need to understand the DNS query process to troubleshoot DNS problems efficiently