Section 5.3. Implementing, Managing, and Maintaining Name Resolution


When you install a computer, you assign it a name, which is used both as the computer's NetBIOS name and as its DNS hostname. On Windows NT 4.0 networks, WINS is used to resolve NetBIOS names. On networks running Windows 2000 and later, DNS is used to resolve DNS hostnames. With DNS, computers are grouped by name into domains. Domains establish a hierarchical naming structure, so a computer's place within that structure can be determined from its name.

In a standard configuration, a computer's fully qualified domain name (FQDN) is its hostname combined with the related domain name. For example, the FQDN for the computer FileServer81 in the WilliamStanek.com domain is FileServer81.WilliamStanek.com.

Since domain structure is hierarchical, domains can have subdomains. For example, the WilliamStanek.com domain might have Tech and Eng subdomains. The computer Workstation82 in the Tech domain would have a FQDN of Workstation82.Tech.WilliamStanek.com. The computer TestServer21 in the Eng domain would have a FQDN of TestServer21.Eng.WilliamStanek.com.

DNS uses client/server architecture. Any computer that uses DNS for name resolution is a DNS client. A computer that provides DNS name resolution services to a client is referred to as a DNS server. For name resolution to work properly, both DNS clients and DNS servers must be configured appropriately.

When the network is not fully configured for DNS name resolution, you might need NetBIOS name resolution. NetBIOS is also required for some applications such as the Computer Browser service. NetBIOS is enabled by default in Windows Server 2003.

5.3.1. Managing DNS Clients

For clients to use DNS, the client must have an appropriate computer name and a properly configured primary DNS suffix. The computer name serves as the computer's hostname. The computer's primary DNS suffix determines the domain to which it is assigned for name resolution purposes. DNS clients can dynamically update their own records and also cache query responses. The DNS Client service, also known as Resolver, is enabled by default on Windows Server 2003 and Windows XP computers.

5.3.1.1. Configuring primary and alternate DNS suffixes

By default, the primary DNS suffix is the domain in which the computer is a member. To view or modify the primary DNS suffix of a computer, follow these steps:

  1. Open the System utility in Control Panel. On the Computer Name tab, click Change.

  2. Click More. As shown in Figure 5-14, the computer gets its primary DNS suffix from the domain in which it is a member by default.

    Figure 5-14. Viewing the primary DNS suffix.

  3. If you don't want the computer to get its primary DNS suffix from the domain in which it is a member, clear the Change Primary DNS Suffix When Domain Membership Changes checkbox, type the desired primary DNS suffix, and then click OK.

Unqualified names used on a computer are resolved using the primary DNS suffix. For example, if you are logged on to a computer with a primary DNS suffix of Tech.WilliamStanek.com and you ping FileServer21 at a command prompt, the computer directs the query to FileServer21.Tech.WilliamStanek.com.

When computers have multiple IP addresses, the additional IP addresses can have different (alternate) DNS suffixes, allowing the computer to have connection-specific settings and to communicate as a local host on multiple subnets.

The way DNS suffixes are used is determined by the computer's Advanced TCP/IP Settings. You can view and modify these settings by following these steps:

  1. Click Start → Control Panel → Network Connections → Local Area Connection.

  2. Click Internet Protocol (TCP/IP) and then select Properties. Be careful not to clear the checkbox. Scroll down through the list of protocols used by the connection if necessary.

  3. Click the Advanced Button.

  4. Click the DNS tab. Figure 5-15 shows two typical configurations for DNS suffixes.

    Figure 5-15. Configuring DNS suffixes.

  5. If the network connection you are working with uses the primary DNS suffix as configured on the computer, use the default options shown in the lefthand dialog box.

  6. If the network connection you are working with uses an alternate DNS suffix that is specific to the connection, enter the alternate DNS suffix for the connection, as shown in the righthand dialog box, and select the Use This Connection's DNS Suffix In DNS Registration checkbox.

  7. Click OK.

Typically, you will use a primary or connection-specific alternate DNS suffix as discussed previously. Still, there is one other possible configuration, and that is to append a fixed list of DNS suffixes. If you select the Append These DNS Suffixes (In Order) radio button, you list the suffixes to append and the order in which the computer tries them when resolving unqualified names; the primary and connection-specific suffixes are then not appended at all.
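The following is an added example, not code from the chapter, that models which fully qualified names a Windows XP/2003 client actually sends to its DNS server for an unqualified name under the two radio-button modes just described (primary plus connection-specific suffixes, or a fixed search list). The hostnames are the chapter's own; the devolution floor of two labels (stop at williamstanek.com, never try plain com) is an assumption, as is the order in which multi-label names are tried.

```python
# Added example (not from the original text): the names a Windows XP/2003
# client tries for an unqualified name, under the two suffix modes on the
# DNS tab of Advanced TCP/IP Settings. Hostnames are the chapter's own.
# Assumption: devolution stops at a two-label suffix (DEVOLUTION_FLOOR).
from dataclasses import dataclass, field
from typing import List

DEVOLUTION_FLOOR = 2   # assumed floor: tech.williamstanek.com devolves to williamstanek.com, not to com


@dataclass
class SuffixConfig:
    primary_suffix: str                        # System > Computer Name > Change > More
    connection_suffixes: List[str] = field(default_factory=list)   # "DNS suffix for this connection"
    search_list: List[str] = field(default_factory=list)           # "Append these DNS suffixes (in order)"
    use_search_list: bool = False              # True selects the search-list radio button
    devolve_primary: bool = True               # "Append parent suffixes of the primary DNS suffix"


def devolved(suffix: str) -> List[str]:
    """tech.williamstanek.com -> [tech.williamstanek.com, williamstanek.com]"""
    labels = [l for l in suffix.strip(".").split(".") if l]
    out = []
    while len(labels) >= DEVOLUTION_FLOOR:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def candidates(name: str, cfg: SuffixConfig) -> List[str]:
    """FQDNs the resolver queries, in order, for NAME."""
    name = name.lower()
    if name.endswith("."):
        return [name.rstrip(".")]          # explicit FQDN: nothing is appended
    out = []
    if "." in name:
        out.append(name)                   # assumption: multi-label names are tried as typed first
    if cfg.use_search_list:
        suffixes = list(cfg.search_list)   # the search list replaces primary and connection suffixes
    else:
        suffixes = (devolved(cfg.primary_suffix) if cfg.devolve_primary
                    else [cfg.primary_suffix]) + cfg.connection_suffixes
    for s in suffixes:
        s = s.strip(".").lower()
        if not s:
            continue                       # workgroup computer with no suffix: nothing to append
        fqdn = f"{name}.{s}"
        if fqdn not in out:
            out.append(fqdn)
    return out


if __name__ == "__main__":
    cfg = SuffixConfig("Tech.WilliamStanek.com", connection_suffixes=["Eng.WilliamStanek.com"])
    for n in ("FileServer21", "intranet", "fileserver81.williamstanek.com."):
        print(n, "->", candidates(n, cfg))
```

The second candidate produced for FileServer21 under the default settings, fileserver21.williamstanek.com, is the point to notice: devolution sends a query for a name you typed in one department's domain up to the parent domain, so whoever controls the parent zone (or a registrable suffix further up, if the floor is set higher than shown here) can answer it.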

5.3.1.2. Configuring dynamic DNS updates

In the Advanced TCP/IP Settings dialog box, the Register This Connection's Addresses In DNS checkbox is selected by default, which allows Windows 2000 and later computers to dynamically update their A and PTR records in DNS. As discussed previously, the default configuration for DHCP clients is to dynamically update their A records and allow DHCP servers to dynamically update their PTR records. This behavior is configurable.

Dynamic updates can occur only when the client is configured with a DNS suffix that matches the name of a zone the client can locate through its preferred DNS server: the client queries for the zone's SOA record and sends the update to the primary server named in it. Thus, for a computer named Workstation18 to be dynamically updated in the eng.williamstanek.com zone, the FQDN of the computer must be Workstation18.eng.williamstanek.com.

Normally, the FQDN is the computer's hostname combined with the name of the domain of which the computer is a member. However, if you've modified the primary DNS suffix, the FQDN is the computer's hostname combined with the primary DNS suffix. For example, the FQDN for the computer Workstation27 with a primary DNS suffix of Tech.WilliamStanek.com is Workstation27.Tech.WilliamStanek.com.

If you create a connection-specific alternate DNS suffix, the FQDN is the computer's hostname combined with the DNS suffix for the connection. For example, the FQDN for the computer Workstation31 with a connection-specific DNS suffix of Eng.WilliamStanek.com is Workstation31.Eng.WilliamStanek.com.

5.3.1.3. Working with the resolver cache on DNS clients

You can force a client to register its DNS records by typing ipconfig /registerdns at a command prompt. DNS clients send name resolution queries to DNS servers using two key types of lookups: forward lookups , to determine the IP address of a computer from its FQDN, and reverse lookups , to determine a computer's FQDN from its IP address. When DNS clients receive a query response from a DNS server, the response is stored in the local DNS resolver cache. If you type ipconfig /displaydns at a command prompt, you can view the contents of the resolver cache.

Each stored response has a specific expiration date and time, as set for the related record on a DNS server. DNS clients display a countdown to this expiration date and time as a Time To Live (TTL) value. This value is the number of seconds until the resolver cache entry expires.

You can clear a client's resolver cache by typing ipconfig /flushdns at a command prompt.

5.3.2. Understanding DNS Queries and DNS Server Configuration Options

DNS resolution uses two kinds of queries, recursive and iterative. With a recursive query, the client asks the DNS server to either respond with an answer that resolves the query or return an error stating that the name cannot be resolved. The server may not refer the client elsewhere; instead it queries other DNS servers itself, following their referrals, until it obtains an answer or the query fails.

With an iterative query, the queried DNS server answers from its zones or its cache if it can; otherwise, it refers the requester to another DNS server, normally one closer to the authority for the name. Servers performing recursion on behalf of clients use iterative queries among themselves.

When you configure a DNS client, you specify the primary and alternate DNS servers for the client to use. Each DNS server is responsible for name resolution within specific administrative areas known as zones. Simply put, a zone is a portion of the DNS database that is being managed. A single zone can contain a single domain or it can span multiple domains.

DNS servers are said to be either authoritative or non-authoritative for a zone:

  • A DNS server that is authoritative for a zone is responsible for the related portion of the DNS database and is the definitive source from which other DNS servers resolve queries for that zone.

  • A DNS server that is non-authoritative for a zone may cache information related to the zone, but ultimately, must rely on an authoritative DNS server to keep its cache up to date.

DNS servers store zone information in zone files. Zone files contain resource records that are used to resolve queries and primarily map hostnames to IP addresses. Several types of zone files are used including:


Primary

A primary zone file is the master copy of a zone and the only writable copy; it is the one you update when you want to modify or maintain records.


Secondary

A secondary zone is a read-only copy of a primary zone. It is updated by zone transfer from its master server (the primary server for the zone, or another secondary), which the secondary requests when it learns that the master's copy has changed.


Stub

A stub zone holds only the records that identify a zone's authoritative name servers (the SOA record, the NS records, and the glue A records for those servers), so that DNS servers hosting a parent zone stay aware of the authoritative DNS servers for the related child zones.


Tip: There is a special type of DNS server known as an Active Directory-integrated primary. An Active Directory-integrated primary is a domain controller configured as a DNS server that is fully integrated with Active Directory and for which the related DNS zone information is stored in Active Directory. Both primary and stub zones can be stored in Active Directory. An Active Directory-integrated zone is multimaster: every domain controller that hosts the zone holds a writable copy and can accept updates, and changes replicate with Active Directory rather than by zone transfer.

DNS servers can be configured in the following roles:


Primary

Maintain one or more primary zone files.


Secondary

Maintain one or more secondary copies of zone files.


Caching-only (forwarding-only)

Host no zones of their own. They answer from cache, and resolve what they cannot answer either by recursion from the root hints or by forwarding to designated servers.

A single DNS server can have multiple roles. For example, a server can be the primary for one or more zones and the secondary for other zones.

5.3.3. Installing, Configuring, and Managing the DNS Server Service

With Windows Server 2003, any server can run the DNS Server service and act as a DNS server. The server does not need a static IP address, but one is strongly recommended: clients and other name servers are configured with the server's address, and a DHCP-assigned address can change. It is also recommended that domain controllers not be configured as DHCP servers. In a standard configuration, DHCP is integrated with DNS, and DHCP clients are permitted to create, alter, and remove their own records. When the DHCP service runs on a DC, it registers records using the DC's own computer account; if that account is placed in the DnsUpdateProxy group (the usual way of keeping DHCP-registered records updatable), records the DC itself registers, including its critical service locator (SRV) records, are created without a protective ACL, so any client on the network might be able to alter them. This is an unnecessary security risk.


Tip: You must be an administrator to install Windows components, including the DNS Server service. The account you use to install DNS should be a member of the Domain Admins global group. Membership in the DnsAdmins group is enough to manage the DNS Server service once it is installed, but not to install Windows components.

You can install the DNS Server service by completing the following steps:

  1. Open Add Or Remove Programs in Control Panel.

  2. In the Add Or Remove Programs window, click Add/Remove Windows Components.

  3. Click Networking Services and then click Details. Be careful not to clear the checkbox.

  4. Select Domain Name System (DNS), and then click OK.

  5. Click Next. Setup configures the server's components.

  6. Click Finish.

You can also install the DNS Server service using the Configure Your Server Wizard. To start the wizard, click Start → Programs → Administrative Tools → Configure Your Server Wizard. Click Next twice, and then under Server Roles, select DNS Server and then click Next. Review the installation tasks that will be performed and click Next again.

Installation of the DNS Server service is only the first step in the configuration of a name server. You also need to configure the name server's:

  • DNS server options

  • DNS zone options

  • DNS resource records

  • DNS forwarding

Once you've completed these steps, clients in the domain will be able to query DNS and obtain responses. If you've installed the DNS Server service on a server but have not configured DNS zones, the server acts as a caching-only server.

5.3.3.1. Configuring and managing DNS Server options

As with other Windows services, the DNS Server service can be managed using the Services utility in Control Panel. However, the best way to manage the DNS Server service and DNS itself is to use the DNS Management console, which can be accessed by clicking Start → Programs → Administrative Tools → DNS.

When you start the DNS Management console on a DNS server, the console connects automatically to DNS on this server. If you start the DNS Management console on your workstation or want to connect to a different DNS server, you can do this by right-clicking the DNS node and selecting Connect To DNS Server. You can then use the Connect To DNS Server dialog box to select the remote server you want to work with by its fully qualified domain name or IP address.

Each server to which you are connected is listed in the DNS Management console. When you select a server entry in the left pane, the DNS Management console connects to the server so that you can view and manage the server's properties and configuration. If there is a problem connecting to or communicating with a server, this is displayed as depicted in Figure 5-16. Troubleshooting can be performed by right-clicking the server entry and selecting Launch Nslookup. NSLOOKUP.EXE is a command-line tool for querying name servers.

Figure 5-16. The DNS Management console.


For a standard (file-backed) primary zone, there is a single primary DNS server, referred to as the domain's primary name server, which holds the only writable copy of the zone file. An Active Directory-integrated zone has no single primary: it is multimaster, and every domain controller that hosts the zone can accept updates and write to it.

DNS servers have many options that can be configured using the server's Properties dialog box, which can be accessed in the DNS Management console by right-clicking the server entry and clicking Properties. As shown in Figure 5-17, the server's Properties dialog box has multiple tabs. These tabs are used as follows:

Figure 5-17. The Advanced tab.



Advanced

Using the Advanced tab shown in Figure 5-17, you can configure advanced options that determine the method of name checking, the location from which zone information is loaded, and automatic scavenging configuration.


Debug Logging

Using the Debug Logging tab shown in Figure 5-18, you can configure Debug Logging options for troubleshooting. Debugging is disabled by default. To enable Debug Logging, select the Log Packets For Debugging checkbox, configure the types of packets and packet contents to log during debugging, and then enter a log file path and name.

Figure 5-18. The Debug Logging tab.


Event Logging

Using the Event Logging tab shown in Figure 5-19, you can configure the type of events that should be written to the DNS event logs. By default, all types of events are logged. Other logging options include No Events, to turn off event logging; Errors Only, to log only critical errors; and Errors And Warnings, to log both critical errors and warnings.

Figure 5-19. The Event Logging tab.


Forwarders

Using the Forwarders tab shown in Figure 5-20, you can specify the DNS servers to which this server forwards queries it cannot resolve from its own zones or cache. By default, no forwarders are configured, and such queries are resolved by recursion starting from the root hints. You can set forwarders for All Other DNS Domains and, in Windows Server 2003, conditional forwarders for particular domains. See "Configuring and managing DNS forwarding," later in this chapter.

Figure 5-20. The Forwarders tab.


Interfaces

Using the Interfaces tab shown in Figure 5-21, you can configure the IP addresses on which the DNS server listens for queries. By default, a name server listens on all IP addresses assigned to the computer. On a multihomed server, listing only the internal addresses keeps the service off interfaces where it should not be reachable.

Figure 5-21. The Interfaces tab.


Monitoring

Using the Monitoring tab shown in Figure 5-22, you can test and verify the DNS configuration by sending queries against the server. A Simple Query test uses the DNS client on the server to query the DNS service on the local machine. A Recursive Query test uses the local DNS server to query other DNS servers to resolve a query. You can perform manual monitoring for selected tests by clicking the Test Now button. To perform automatic monitoring, select the Perform Automatic Testing checkbox and then set the test interval.

Figure 5-22. The Monitoring tab.


Root Hints

Using the Root Hints tab shown in Figure 5-23, you can configure the root name servers the DNS server refers to when it must recurse a query it cannot answer itself. Root hints are stored in the %SystemRoot%\System32\Dns\Cache.dns file. For most internal DNS servers, the root hints do not need to be modified. If the server hosts an internal root zone (named ".") for a private network, however, it is itself the root and must not carry hints pointing to the Internet root servers; in that case, delete the Cache.dns file.

Figure 5-23. The Root Hints tab.


Security

Using the Security tab shown in Figure 5-24, you can assign permissions to users and groups for the DNS server. (Active Directory-integrated zones only.)

Figure 5-24. The Security tab.

5.3.3.2. Configuring DNS zone options

As discussed previously, a single name server can be configured to have multiple roles in DNS. Those roles are determined by the server's configuration and by the types of zones it hosts: primary zones, secondary zones, and stub zones. A zone of any of these types is either a forward lookup zone or a reverse lookup zone:


Forward Lookup Zones

Used to resolve forward lookups, which determine the IP address of a computer from its FQDN.


Reverse Lookup Zones

Used to resolve reverse lookups, which determine a computer's FQDN from its IP address.

On domain controllers that also act as DNS servers, primary zones and stub zones can be stored in Active Directory. Secondary zones cannot; a secondary zone is always a file-backed, read-only copy obtained by zone transfer.

You can create a new zone by completing these steps:

  1. Open the DNS Management console.

  2. Right-click the DNS Server entry and click New Zone.

  3. When the New Zone Wizards starts, click Next.

  4. On the Zone Type page, shown in Figure 5-25, select the type of zone you want to create. If a primary or stub zone should be stored in Active Directory (the DNS server must also be a DC), select the Store The Zone In Active Directory checkbox. Click Next.

    Figure 5-25. Specify the type of zone to create.

  5. If you are creating an Active Directory-integrated zone, you must next specify how the zone data should be replicated. The default option is to replicate the data to all DCs in the current domain. Click Next.

  6. Select the type of zone to create either a forward lookup zone or a reverse lookup zone. Click Next.

  7. If you are creating a forward lookup zone, enter the portion of the DNS namespace for which the server is authoritative in the Zone Name text box, such as Tech.WilliamStanek.com. Click Next.

  8. If you are creating a reverse lookup zone, identify the zone by entering its network ID (see Figure 5-26). Click Next.

    Figure 5-26. For reverse lookup zones, type the network ID.

  9. The final wizard pages you see depend on the zone type and on whether it is a forward or reverse lookup zone:

    • The Zone File page lets you set the filename for the zone file (when Active Directory integration is not used).

    • The Master DNS Servers page lets you specify the servers from which to copy the primary zone or stub data (when you are creating a secondary or stub zone).

    • The Dynamic Update page lets you specify how dynamic DNS updates work. For a standard zone, dynamic updates are not allowed by default; for an Active Directory-integrated zone, the default is to allow only secure dynamic updates. You can choose to allow only secure dynamic updates (Active Directory-integrated zones only), to allow both nonsecure and secure dynamic updates (any zone type), or to disallow them. Allowing nonsecure updates lets any host on the network create or overwrite records in the zone, so prefer secure-only wherever the zone can be stored in Active Directory.

  10. On the final wizard page, click Finish to create the zone.

5.3.3.3. Using delegation and stub zones

In a large enterprise, you may find that you need to delegate administration of subdomains. To do this, you can create a delegated zone. When you delegate a zone, you assign authority over a portion of your DNS namespace and thereby pass control from the owner of the parent domain to the owner of a subdomain. For example, if you have tech.domain.local and eng.domain.local subdomains, you may want to delegate control over these subdomains so they can be managed separately from the organization's parent domain.

Delegation helps to ensure that branches or departments within the organization can manage their own DNS namespace. It also helps to distribute the workload so that rather than having one large DNS database, you have multiple DNS databases.

Before you can delegate a zone, you must first create the domain to be delegated on the server that will be hosting the delegated zone. Once you do this, run the New Delegation Wizard on the server hosting the parent zone to specify the zone to delegate.

To create a delegated zone, follow these steps:

  1. Open the DNS Management console.

  2. Right-click the parent domain and select New Delegation.

  3. Follow the prompts.

Stub zones list the authoritative name servers for a zone. Servers hosting stub zones do not answer queries for the zone directly, but direct related queries to the name servers specified in the stub zone's NS resource records. Stub zones are most often used to track the authoritative name servers of delegated zones, and the DNS servers hosting the parent zone are the ones that host the related stub zones.
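The following is an added example, not code from the chapter, showing what the parent zone must hold to delegate a child zone (the NS records and, for name servers whose names fall inside the child, the glue A records), checking for the missing-glue mistake that makes a delegation unresolvable, and listing what a stub zone for the same child contains. The server names and addresses are constructed.

```python
# Added example (not from the original text): the records a parent zone
# needs to delegate a child, the glue rule, and what a stub zone for that
# child contains. Hostnames and addresses below are constructed.
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]   # (owner name, type, rdata)


def in_zone(name: str, zone: str) -> bool:
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def delegation_records(parent: str, child: str,
                       nameservers: Dict[str, List[str]]) -> Tuple[List[Record], List[str]]:
    """Return (records to add to PARENT, problems).
    NAMESERVERS maps each child name server FQDN to its IPv4 addresses.
    The parent gets one NS record per server. An A record (glue) goes in the
    parent only for servers whose names lie inside the child zone: without
    glue, a resolver would have to ask the child's servers for their own
    addresses, which it cannot do until it has those addresses."""
    if not in_zone(child, parent) or in_zone(parent, child):
        raise ValueError(f"{child} is not a subdomain of {parent}")
    records: List[Record] = []
    problems: List[str] = []
    for ns, ips in nameservers.items():
        records.append((child, "NS", ns))
        if in_zone(ns, child):
            if not ips:
                problems.append(f"{ns} lies inside {child} but has no glue address")
            for ip in ips:
                records.append((ns, "A", ip))
        # servers named outside the child (e.g. ns2.williamstanek.com) need no
        # glue; their addresses come from whatever zone is authoritative for them
    return records, problems


def stub_zone_records(child: str, soa_primary: str,
                      nameservers: Dict[str, List[str]]) -> List[Record]:
    """A stub zone holds only the child's SOA, its NS set and glue A records;
    the hosting server copies these from the child's master and refreshes them."""
    recs: List[Record] = [(child, "SOA", soa_primary)]
    for ns, ips in nameservers.items():
        recs.append((child, "NS", ns))
        recs += [(ns, "A", ip) for ip in ips if in_zone(ns, child)]
    return recs


def zone_file_lines(records: List[Record]) -> List[str]:
    """Render records in the text form a zone file uses (owner, class, type, data)."""
    return [f"{owner}. IN {rtype} {rdata}" for owner, rtype, rdata in records]


if __name__ == "__main__":
    servers = {"ns1.tech.williamstanek.com": ["192.0.2.10"],   # inside the child: needs glue
               "ns2.williamstanek.com": ["192.0.2.2"]}          # in the parent: no glue needed
    recs, probs = delegation_records("williamstanek.com", "tech.williamstanek.com", servers)
    print("\n".join(zone_file_lines(recs)))
    print("problems:", probs or "none")
    print("\n".join(zone_file_lines(stub_zone_records("tech.williamstanek.com",
                                                       "ns1.tech.williamstanek.com", servers))))
```

Run the missing-glue case (an in-child name server with an empty address list) and the problems list reports it; that is the delegation the New Delegation Wizard will happily create if you type a name server name without an address, and it fails silently in the field because queries for the child never get an address to go to.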

You can create a stub zone by completing these steps:

  1. Open the DNS Management console.

  2. Right-click the DNS Server entry and click New Zone.

  3. When the New Zone Wizards starts, click Next.

  4. On the Zone Type page, select Stub Zone as the zone type. Store the stub zone in Active Directory if appropriate. Click Next.

  5. Follow the prompts.

5.3.3.4. Managing DNS zone options

After you create a zone, you can manage its settings by right-clicking it and selecting Properties. The available options differ slightly based on zone type. Zone Properties dialog boxes have the following tabs:


General

Used to configure zone type, dynamic updating, replication, and scavenging options. You can also Pause/Start the zone.


Start Of Authority (SOA)

Used to configure the SOA record for a zone.


Name Servers

Used to configure the name servers for a zone, as specified using NS records.


WINS/WINS-R

The WINS tab is used with forward lookup zones and forward WINS lookups. The WINS-R tab is used with reverse lookup zones and reverse WINS lookups.


Security

Used to configure security for the zone. (Active Directory-integrated zones only.)


Zone Transfers

Used to configure the way a name server transfers a copy of the zone to requesting servers.

The sections that follow examine commonly configured zone options.

5.3.3.4.1. Configuring zone type, dynamic updating, and scavenging options

Using the General tab of the zone Properties dialog box, you can view the type and status of the zone, as shown in Figure 5-27. To pause a running zone, click the Pause button. To change the zone type, click the Change button to the right of the Type entry, select the new zone type, and then click OK. For a standard zone, only one server can hold the primary copy; every other server hosting the zone is a secondary. If the DNS server is also a DC, you can store the zone in Active Directory rather than in a text file, in which case every DC hosting the zone holds a writable copy. You are then able to determine how zone data is replicated by clicking the Change button to the right of the Replication entry.

Figure 5-27. The General tab.


Using the Dynamic Updates list, you can specify whether and how dynamic updates are used. By clicking the Aging button, you can enable aging and scavenging (see Figure 5-28). Aging refers to placing a timestamp on each dynamically registered resource record and updating it when the record is refreshed; the age of a record is the time elapsed since its timestamp (the record's TTL plays no part in this). Scavenging refers to deleting outdated (stale) resource records. Scavenging can occur only when aging is enabled, because it is the timestamp that tells the server how stale a record is.

Figure 5-28. Configuring zone aging/scavenging.


To enable aging and scavenging in a zone, select the Scavenge Stale Resource Records checkbox, then set the no-refresh and refresh intervals as appropriate. The no-refresh interval is the period after the timestamp is set that must elapse before a resource record can be refreshed. The refresh interval is the period after the no-refresh interval during which the timestamp can be refreshed. If a timestamp on a resource record is not refreshed in this time, the record can be scavenged.


Tip: Manually configured resource records have no timestamp. Only dynamically created resource records do.

The default no-refresh interval is seven days. The default refresh interval is also seven days. This means dynamically registered record can be scavenged after 14 days by default.
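The following is an added example, not code from the chapter, that models the timestamp rules just described and uses them to answer the question a practitioner actually has: will a given no-refresh/refresh pair scavenge the records of hosts that are still alive? The timestamps, names and addresses are constructed, and the assumption is that a live client re-registers on a fixed schedule (24 hours for a static Windows client, the lease renewal period for a DHCP client).

```python
# Added example (not from the original text): a model of Windows DNS aging
# and scavenging as described above, used to check whether a chosen
# no-refresh/refresh pair will scavenge records of hosts that are still alive.
# Timestamps, names and addresses are constructed. Assumption: a live client
# re-registers on a fixed schedule (24 hours for a static Windows client,
# the lease renewal for a DHCP client).
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DAY = timedelta(days=1)
HOUR = timedelta(hours=1)
T0 = datetime(2004, 1, 1)     # constructed start of the simulation


@dataclass
class Aging:
    enabled: bool = False                 # "Scavenge stale resource records" on the zone
    no_refresh: timedelta = 7 * DAY
    refresh: timedelta = 7 * DAY


@dataclass
class Record:
    name: str
    data: str
    timestamp: Optional[datetime]         # None = manually created (static): never aged


def dynamic_update(rec: Optional[Record], name: str, data: str,
                   now: datetime, aging: Aging) -> Record:
    """Apply a client's dynamic update. A refresh (same data) inside the
    no-refresh interval is discarded, so the timestamp does not move; a
    changed address is always written and restamps the record."""
    if rec is None or rec.data != data:
        return Record(name, data, now)
    if rec.timestamp is not None and now < rec.timestamp + aging.no_refresh:
        return rec
    return Record(name, data, now)


def scavengeable(rec: Record, now: datetime, aging: Aging, server_scavenging: bool) -> bool:
    """Eligible for deletion only if scavenging is on at both zone and server,
    the record is dynamic, and no-refresh + refresh has elapsed since its stamp."""
    if not (aging.enabled and server_scavenging) or rec.timestamp is None:
        return False
    return now >= rec.timestamp + aging.no_refresh + aging.refresh


def survives(aging: Aging, reregister_every: timedelta, horizon: timedelta = 60 * DAY) -> bool:
    """Simulate a live host re-registering every REREGISTER_EVERY and report
    whether its record ever becomes scavengeable (False = it would be lost).
    Scavenging is checked just before each refresh, the worst case, since an
    automatic scavenging pass may run at any moment."""
    rec = dynamic_update(None, "ws18", "10.0.0.18", T0, aging)
    t = T0
    while t - T0 < horizon:
        t += reregister_every
        if scavengeable(rec, t, aging, server_scavenging=True):
            return False
        rec = dynamic_update(rec, "ws18", "10.0.0.18", t, aging)
    return True


if __name__ == "__main__":
    for nr, rf, every in ((7, 7, 1), (7, 2, 5), (1, 1, 3)):
        ok = survives(Aging(True, nr * DAY, rf * DAY), every * DAY)
        print(f"no-refresh {nr}d, refresh {rf}d, client every {every}d: {'ok' if ok else 'SCAVENGED'}")
```

The second and third cases show the failure mode: refresh attempts that land inside the no-refresh interval are thrown away, so a client whose re-registration period is longer than the refresh interval can miss the whole refresh window and be scavenged while still running. Once its record is gone, the name is free for any other client to register.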

Once aging/scavenging is enabled, scavenging can be performed manually or automatically. To manually scavenge a zone, right-click the zone entry in the DNS Management console and select Scavenge Stale Resource Records. To automatically scavenge a zone, follow these steps:

  1. Right-click the server entry in the DNS Management console and select Properties.

  2. Click the Advanced tab.

  3. Select the Enable Automatic Scavenging Of Stale Records checkbox.

  4. Set the scavenging period (which is the interval between automatic scavenges).

  5. Click OK.


Tip: Both aging and scavenging are disabled by default. Scavenging occurs only when aging is enabled, and it must be turned on both in the server's properties and in the zone's properties. Set the refresh interval no shorter than the longest interval at which your dynamic clients re-register (24 hours for a static Windows client, the DHCP lease renewal period for a DHCP client); if it is shorter, records of hosts that are still running will be scavenged, and a name whose record has been removed is free for any other client to register.

5.3.3.4.2. Configuring the SOA

Using the Start Of Authority (SOA) tab of the zone Properties dialog box, you can configure the SOA record for a zone (see Figure 5-29). The Serial Number field lists the revision number of the zone file. This value is incremented each time a resource record changes in the zone. Zone transfers occur only when the zone serial number on the primary (master) server is greater than the zone serial number on a secondary server, where "greater" is decided by serial-number arithmetic, so the 32-bit value may wrap around without breaking transfers. If you are troubleshooting zone transfers, you can manually increment the serial number by clicking the Increment button.

Figure 5-29. The Start Of Authority (SOA) tab.



Tip: The serial number is automatically incremented whenever resources records are changed in the zone. To force DNS to think there are changes, you can manually increment the serial number.

The Primary Server text box lists the primary server for the zone. The entry is an FQDN and must end with a period.

The Responsible Person text box lists the mailbox of the person responsible for administering the zone, written with the @ replaced by a dot. Typically, this is hostmaster. (hostmaster followed by a period). The entry must end with a period.
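The following is an added example, not code from the chapter, that carries the serial-number rule through: how a secondary decides that the master's serial is greater (RFC 1982 arithmetic on the 32-bit value), what the Increment button and the common date-based convention produce, and the sequence of serials to publish when someone has set the serial far too high and secondaries have stopped transferring. The serial values are constructed.

```python
# Added example (not from the original text): RFC 1982 serial-number
# arithmetic, which is how a secondary decides whether the master's serial
# is "greater" and a transfer is due, plus the safe way to lower a serial
# that was set too high. The serial values below are constructed.
from datetime import date
from typing import List

MOD = 1 << 32
HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """Is serial A greater than B on the 32-bit circle (RFC 1982)?
    A is greater if it lies fewer than 2^31 steps ahead of B; a difference
    of exactly 2^31 is undefined and treated here as not greater."""
    a, b = a % MOD, b % MOD
    if a == b:
        return False
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)


def transfer_due(master_serial: int, secondary_serial: int) -> bool:
    """A secondary pulls the zone only when the master's serial is greater."""
    return serial_gt(master_serial, secondary_serial)


def next_serial(current: int) -> int:
    """What the console's Increment button does (wrapping at 2^32)."""
    return (current + 1) % MOD


def date_serial(today: date, current: int) -> int:
    """The YYYYMMDDnn convention: today's date followed by a two-digit
    revision; if the current serial is already at or beyond today's range,
    keep counting from it so the value never goes backwards."""
    base = int(today.strftime("%Y%m%d")) * 100
    return next_serial(current) if current >= base else base + 1


def lower_serial_steps(current: int, target: int) -> List[int]:
    """Serials to publish, in order, to move from CURRENT down to TARGET
    without leaving secondaries stuck on a 'greater' serial. Each step is
    2^31-1 ahead of the previous one, the largest jump RFC 1982 still counts
    as an increase; let every secondary transfer before publishing the next."""
    if target % MOD == current % MOD:
        return []
    steps: List[int] = []
    cur = current % MOD
    while not serial_gt(target, cur):
        cur = (cur + HALF - 1) % MOD
        steps.append(cur)
    steps.append(target % MOD)
    return steps


if __name__ == "__main__":
    print("transfer due 2004010102 vs 2004010101:", transfer_due(2004010102, 2004010101))
    print("transfer due 2004010101 vs 4000000000:", transfer_due(2004010101, 4000000000))
    print("steps from 4000000000 down to 2004010101:", lower_serial_steps(4000000000, 2004010101))
```

The second line of output is the situation behind many "secondaries never update" tickets: the master's serial was typed with an extra digit, every later edit is still "less than" what the secondaries already hold, and simply typing the intended value back in does not help. Publishing the intermediate serial first, waiting for each secondary to transfer, and then setting the intended value is what lower_serial_steps computes.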

5.3.3.4.3. Configuring name servers for the zone

Using the Name Servers tab of the zone Properties dialog box, you can configure NS records for the zone as shown in Figure 5-30. You use NS records to specify the authoritative servers for the zone. The NS record of the primary name server for the zone is configured automatically. Records for alternate name servers must be configured as necessary. To create an NS record, click Add. In the New Resource Record dialog box, type the FQDN and at least one IP address for the name server, then click OK.

Figure 5-30. The Name Servers tab.


5.3.3.4.4. Configuring zone transfers

Using the Zone Transfers tab of the zone Properties dialog box, you can configure zone transfers, which send a copy of the zone to requesting servers. A zone transfer hands out the entire zone, so allowing it to arbitrary hosts gives anyone who asks a complete map of the names and addresses in the zone. By default, zone transfers are restricted to the servers listed on the Name Servers tab, or are not allowed at all. If you've configured secondary (alternate) name servers for a zone, enable transfers by selecting the Allow Zone Transfers checkbox and then specify which servers may request them. To maintain the integrity and security of the network, limit the list to the servers on the Name Servers tab or to a specific list of designated name servers (see Figure 5-31), and do not choose To Any Server for a zone that describes internal hosts.

Figure 5-31. For security, limit zone transfers to authoritative Name Servers (or to a specific list of name servers).


When the zone file changes, secondary servers can be automatically notified. To configure notification, click the Notify button on the Zone Transfers tab. In the default configuration, automatic notification is enabled, but only to a designated list of name servers. You must specify the designated name servers. As shown in Figure 5-32, you can also allow automatic notification to the name servers listed on the Name Servers tab.

Figure 5-32. Configuring notification for servers on the Name Servers tab.
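The following is an added example, not code from the chapter, serving two passages at once: it builds and parses DNS messages in wire format (RFC 1035) so that the recursive/iterative distinction of section 5.3.2 (the RD header bit) and the authoritative/non-authoritative distinction (the AA bit) can be seen on the wire, and it reuses the same builder to check, from a host that is not on the Name Servers tab or the allowed list, that a server refuses an AXFR zone transfer request. The names, addresses and response bytes are constructed; try_axfr() is the only function that touches the network and is not exercised by the offline demonstration.

```python
# Added example (not from the original text): a minimal DNS wire-format
# builder/parser showing the RD (recursion desired) and AA (authoritative
# answer) bits from 5.3.2, and an AXFR probe for the zone-transfer check
# in 5.3.3.4.4. All names, addresses and response bytes are constructed.
import socket
import struct

QTYPE_A, QTYPE_AXFR = 1, 252
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """'a.b.c' -> length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int, recursion_desired: bool = True, txid: int = 0x1234) -> bytes:
    """RD=1 is a recursive query (answer or error, no referral); RD=0 is iterative."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def skip_name(msg: bytes, off: int) -> int:
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + l


def parse_response(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": []}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # qtype + qclass
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        info["answers"].append((rtype, ttl, rdata))
    return info


def classify(resp: dict) -> str:
    """What the header bits say about who answered."""
    if resp["rcode"] == "REFUSED":
        return "refused"
    return "authoritative" if resp["aa"] else "cached/non-authoritative"


def try_axfr(server_ip: str, zone: str, timeout: float = 5.0) -> dict:
    """Network probe (not run offline): request a full zone transfer over TCP.
    A correctly restricted server answers REFUSED to hosts not on its list."""
    q = build_query(zone, QTYPE_AXFR, recursion_desired=False)
    with socket.create_connection((server_ip, 53), timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)         # TCP framing: 2-byte length prefix
        (n,) = struct.unpack("!H", s.recv(2))
        data = b""
        while len(data) < n:
            chunk = s.recv(n - len(data))
            if not chunk:
                break
            data += chunk
    return parse_response(data)


# Constructed responses (hand-built, not captured) for offline use.
def constructed_authoritative_answer(name="fileserver81.williamstanek.com", ip="192.0.2.81") -> bytes:
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)   # QR, AA, RD, RA set; NOERROR
    q = encode_name(name) + struct.pack("!HH", QTYPE_A, 1)
    ans = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 3600, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + q + ans


def constructed_refused(zone="williamstanek.com") -> bytes:
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)   # QR set, RCODE 5 (REFUSED)
    return hdr + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)


if __name__ == "__main__":
    print(build_query("fileserver81.williamstanek.com", QTYPE_A, True).hex())
    print(classify(parse_response(constructed_authoritative_answer())))
    print(classify(parse_response(constructed_refused())))
```

Run try_axfr() against each of your name servers from a workstation that is not on the allowed list; anything other than "refused" means the zone is being handed to hosts that should not have it. The AA bit in a normal lookup tells you whether you are hearing from a server that hosts the zone or from someone's cache, which is the difference between the authoritative and non-authoritative servers described in 5.3.2.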


5.3.3.5. Configuring and managing DNS resource records

After you create a zone, you can add any necessary resource records to it. When dynamic DNS updates are allowed, DNS clients can register their own A and PTR records. With DHCP and DNS integration, DHCP servers can register records on behalf of clients as well, as discussed previously in this chapter in "Using Dynamic DNS Updates with DHCP."

The most common types of records you'll work with are:


A (address)

An A record maps a hostname to an IP address. A computer with multiple IP addresses should have multiple address records.


CNAME (canonical name)

A CNAME record sets an alias or alternate name for a host.


MX (mail exchange)

An MX record specifies a mail exchange server for the domain. A properly configured MX record is required for mail delivery in a domain.


NS (name server)

An NS record specifies a name server for a domain. Each primary and secondary name server should be declared through this record.


PTR (pointer)

A PTR record creates a pointer that maps an IP address to a hostname for reverse lookups.


SOA (start of authority)

An SOA record declares the host that's the most authoritative for the zone (meaning it's the best source of DNS information for the zone).


Tip: When you first create the zone, the SOA resource record and the NS resource record for the primary DNS server are automatically created. NS resource records for secondary name servers are not created automatically.

To view the records in a zone, follow these steps:

  1. Open the DNS Management console.

  2. Expand the DNS Server entry and then expand the Forward Lookup Zones or Reverse Lookup Zones node as appropriate.

  3. Select the zone in the left pane to display the related records in the right pane.

To create resource records in a zone, follow these steps:

  1. Open the DNS Management console.

  2. Expand the DNS Server entry and then expand the Forward Lookup Zones or Reverse Lookup Zones node as appropriate.

  3. Right-click the zone and choose the appropriate option for the type of record you want to create:

    • Choose New Host (A) to create an A record. Enter the required information and then click Add Host.

    • Choose New Alias (CNAME) to create a CNAME record. Enter the required information and then click OK.

    • Choose New Mail Exchanger (MX) to create an MX record. Enter the required information and then click OK.

    • Choose Other New Records to create other types of records. In the Resource Record Type dialog box, select a resource record type and then click Create Record. Next, enter the required information and then click OK.

To view the settings of, or edit, an existing record, follow these steps:

  1. Open the DNS Management console.

  2. Expand the DNS Server entry and then expand the Forward Lookup Zones or Reverse Lookup Zones node as appropriate.

  3. Select the zone in the left pane to display the related records in the right pane.

  4. Double-click the record you want to view or modify.

  5. Make the necessary changes and then click OK.

5.3.3.6. Configuring and managing DNS forwarding

Forwarding allows DNS servers to forward queries that they cannot resolve to other DNS servers; in this way, the servers get a response that resolves a client's query. In the default configuration, a DNS server can forward queries to servers in all other DNS domains. Unfortunately, this allows any name server to forward queries outside the local network, which may not be the desired configuration. Instead of allowing your organization's DNS servers to forward to any DNS server, you'll typically want them to forward to specific name servers, which in turn can forward queries inside or outside the organization's network as necessary. In this way, you control the flow of DNS queries and funnel queries through specific name servers. Since these name servers also cache lookups, many lookups can be resolved without having to look outside the network, which reduces the flow of network traffic.

A name server designated as the recipient of forwarded queries is known as a forwarder. When forwarders are used, the DNS query resolution process changes as depicted here:

  1. When a DNS server receives a query, it first attempts to resolve the query using its local zone information or its local cache.

  2. If the query cannot be resolved, the DNS server forwards the request to the designated forwarder.

  3. The forwarder attempts to resolve the query using its local zone information or its local cache. If the forwarder is unable to resolve the query, the DNS server attempts to contact the appropriate name server (as specified in its root hints data).

  4. When an answer is returned to the forwarder, the forwarder returns the response to the originating DNS server, which in turn passes the response on to the client.

In a large enterprise with multiple domains, you might want to have multiple forwarding configurations. For example, you might have designated forwarders for the enterprise domains other than those serviced by the zone files on a name server, and designated forwarders for all other domains.
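The resolution order in the four steps above, modeled as an added example that is not code from the book: each server tries its own zone data, then its cache, then a conditional forwarder for the domain before the "All other DNS domains" forwarder, and falls back to root hints only while recursion is allowed. The servers, zones and addresses are constructed for illustration; a server built with recursion=False stands in for one marked Do Not Use Recursion For This Domain.

```python
# Added model (not from the book) of the forwarding steps above; all names and addresses are constructed.
ALL_OTHER = "*"  # stands for the "All other DNS domains" entry on the Forwarders tab

class DnsServer:
    def __init__(self, name, zones=None, forwarders=None, root_hints=None, recursion=True):
        self.name = name
        self.zones = zones or {}            # zone -> {fqdn: ip}: data the server is authoritative for
        self.forwarders = forwarders or {}  # domain or ALL_OTHER -> the DnsServer designated as forwarder
        self.root_hints = root_hints or {}  # zone -> authoritative DnsServer (stand-in for root hints)
        self.recursion = recursion          # False models "Do Not Use Recursion For This Domain"
        self.cache = {}

    def _match(self, table, fqdn):
        # entry whose domain is a suffix of fqdn (longest wins); ALL_OTHER is never matched here
        hits = [d for d in table if d != ALL_OTHER and fqdn.endswith("." + d.lower())]
        return table[max(hits, key=len)] if hits else None

    def resolve(self, fqdn, trace=None):
        trace = [] if trace is None else trace
        fqdn = fqdn.lower().rstrip(".")
        zone = self._match(self.zones, fqdn)
        if zone is not None:                 # step 1: local zone data ...
            trace.append(f"{self.name}: authoritative")
            answer = zone.get(fqdn)
        elif fqdn in self.cache:             # ... then the local cache
            trace.append(f"{self.name}: cache hit")
            answer = self.cache[fqdn]
        else:                                # step 2: conditional forwarder beats "All other DNS domains"
            fwd = self._match(self.forwarders, fqdn) or self.forwarders.get(ALL_OTHER)
            answer = None
            if fwd is not None:
                trace.append(f"{self.name}: forwards to {fwd.name}")
                answer, _ = fwd.resolve(fqdn, trace)
            auth = self._match(self.root_hints, fqdn) if answer is None and self.recursion else None
            if auth is not None:             # step 3: root hints, only while recursion is still allowed
                trace.append(f"{self.name}: root hints -> {auth.name}")
                answer, _ = auth.resolve(fqdn, trace)
            if answer is not None:
                self.cache[fqdn] = answer    # step 4: cache the reply before handing it to the client
        if answer is None:
            trace.append(f"{self.name}: unresolved")
        return answer, trace

def build_lab():
    """Constructed lab: the internal server funnels every outside query through one designated forwarder."""
    public = DnsServer("public", zones={"williamstanek.com": {"fileserver81.williamstanek.com": "192.0.2.81"}})
    forwarder = DnsServer("forwarder", root_hints={"williamstanek.com": public})  # no forwarders of its own
    internal = DnsServer("internal", forwarders={ALL_OTHER: forwarder}, recursion=False,
                         zones={"tech.williamstanek.com": {"workstation82.tech.williamstanek.com": "10.0.0.82"}})
    return internal, forwarder, public
```

Because the internal server has recursion disabled, a query its forwarder cannot answer ends unresolved rather than leaving the network through root hints, which is the funnelling the text describes.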

To configure a DNS server to use a forwarder, follow these steps:

  1. Open the DNS Management console.

  2. Right-click the DNS Server entry and then click Properties.

  3. Click the Forwarders tab. Under DNS Domain, the entry "All other DNS domains" is used to configure forwarding for all domains other than domains serviced by zone files on the name server.

  4. To limit forwarding to all other domains and specify a designated forwarder, click All Other DNS Domains, enter the IP address of the forwarder, and then click Add.

  5. To configure a forwarder for a specific domain, click New, type a domain name, and then click OK. Under DNS Domain, click the related domain entry. Afterward, enter the IP address of the forwarder, and then click Add.

  6. Click OK.

To configure your designated forwarders, simply allow the forwarder to query all other DNS domains and do not designate the IP address of any specific name servers to use. With this in mind, the typical configuration is achieved by completing these steps:

  1. Open the DNS Management console.

  2. Right-click the DNS Server entry and then click Properties.

  3. Click the Forwarders tab.

  4. Under DNS Domain, click the All Other DNS Domains entry and remove any associated IP addresses.

  5. Under DNS Domain, click any other entries, each in turn, and then click Remove.

  6. Click OK.

The Forwarders tab also has the option Do Not Use Recursion For This Domain. By default, a DNS server uses recursion to query other DNS servers on behalf of clients. If recursion is disabled, the client performs iterative queries using the root hints from the DNS server. Iterative queries mean that the client will make repeated queries of different DNS servers.


Tip: Recursion allows a DNS server to contact other DNS servers when it cannot resolve a query for a client. Recursion is allowed by default.

5.3.4. Monitoring DNS

As discussed previously in this chapter in "Configuring and managing DNS Server options," DNS Server Options can be used to monitor many aspects of DNS. A name server's Properties dialog box can be accessed in the DNS Management console by right-clicking the server entry and clicking Properties.

When you configure a new name server, you can use Monitoring tab options to perform basic tests of name resolution. The results of these tests will tell you if DNS is configured properly. You can also use recursive query tests for basic troubleshooting.

To configure event logging, you can use the Event Logging options. When logging is enabled, tracked events are written to the DNS event log. As with most other services, the key types of events you will want to examine are warnings and errors. Event logging is enabled for All Events by default. In the DNS Management console, you can access DNS event log options by expanding the server node and then clicking the Event Viewer node.

For more detailed troubleshooting, you can use Debug Logging. Debug Logging is disabled by default, and can be enabled and configured on the Debug Logging tab. The resulting logfile tracks the types of packets and packet contents that you specify, and can help you resolve many types of name resolution issues.

Using System Monitor and Performance Logging, you can monitor the overall health of DNS and the underlying server. The DNS performance object has an extensive set of performance counters that you can use to track everything from zone transfers to dynamic updates. The Secure Update Failure and Zone Transfer Failure counters can be used to track key types of failure.

One of the best tools for troubleshooting is Nslookup. In the DNS Management console, you can start Nslookup by right-clicking a server entry and selecting Launch Nslookup.




MCSE Core Required Exams in a Nutshell: The required 70: 290, 291, 293 and 294 Exams (In a Nutshell (O'Reilly))
ISBN: 0596102283
Year: 2006
