Installing and Configuring the DNS Server Service


Objective:

Install and configure the DNS Server service.

  • Configure DNS server options.

  • Configure DNS zone options.

  • Configure DNS forwarding.

Manage DNS.

  • Manage DNS zone settings.

  • Manage DNS server options.

Now that you have a solid background on DNS, you can install, configure, and test the Windows Server 2003 DNS server service. The following sections show how.

Installing the DNS Server Service

To install the Windows Server 2003 DNS server service, follow the procedure outlined in Step by Step 3.2.

Note: Using a Dynamic IP Address

If you are using a dynamically assigned IP address on the system on which you are installing DNS, you will get a warning message stating that you should use static IP addresses only for a DNS server. You are then given the option to set a static IP address from there. If this occurs in a lab environment or you have a reservation for the server on your DHCP server so that it will always have the same dynamic IP address, you can ignore this warning. If you are using dynamic addressing for production servers, you might want to rethink that IP address strategy. For the purpose of this exercise, you can ignore the warning.


Step By Step 3.2. Installing the DNS Server Service

1. Log on to Windows Server 2003 using the Administrator account or another account that has administrator privileges.

2. Open the Control Panel and then open the Add/Remove Programs applet. The Add or Remove Programs dialog box appears (see Figure 3.2).

Figure 3.2. The Add or Remove Programs dialog box provides useful information about installed applications, including application size and in some cases the frequency of use of an installed application.

3. Click Add/Remove Windows Components on the left side of the Add or Remove Programs dialog box. The Windows Components Wizard dialog box appears (see Figure 3.3).

Figure 3.3. The Windows Components Wizard allows you to install, remove, or configure the various components of Windows Server 2003.

4. Select Networking Services and click Details. The Networking Services dialog box, shown in Figure 3.4, appears. Select Domain Name System (DNS) and then click OK.

Figure 3.4. On the Networking Services screen, you need to select Domain Name System and click OK.

5. On the next screen that appears, click Next to complete the installation. The Windows Component Wizard prompts you for the Windows Server 2003 CD-ROM if it needs to copy files.

6. When the wizard is finished, it displays a summary window of the changes to be made. Click Finish to complete the installation.

You can also use the Manage Your Server utility (see Figure 3.5) to install DNS. We won't go through all the steps in doing so, but you should know that it is another option. This application opens following the installation of Windows Server 2003, and you can reopen it by selecting Start, Manage Your Server.

Figure 3.5. The Manage Your Server utility provides a very simple, easy-to-use interface for configuring a server for a variety of roles, including DNS server.


Examining DNS Server Options

Windows Server 2003 DNS is complex and has many configuration options. The best way to understand these many options is to examine them one group at a time, as we will do in the following sections. To get to these options, you will need to first open the DNS management console by clicking Start, Control Panel, Administrative Tools, DNS. The DNS console seen in Figure 3.6 will open.

Figure 3.6. The DNS console is used to manage the DNS service, including setting options and creating and managing zones.


You open the server Properties dialog box, seen in Figure 3.7, by right-clicking the DNS server in the left pane of the DNS console and selecting Properties from the context menu.

Figure 3.7. The DNS server Properties dialog box is used to configure and manage all DNS server parameters.


The Interfaces Tab

Figure 3.7 shows the Interfaces tab of the DNS server Properties dialog box. From this screen, you can set the server options that determine which of the network interfaces of the server will respond to DNS queries. You can either specify all interfaces or choose specific interfaces to respond to queries. When would you need to choose specific interfaces to respond to queries? There are two circumstances in which you might not want your server to respond to DNS queries on all interfaces.

The first circumstance involves the use of a dedicated, non-routable network used for system-to-system data transfers and data backup. This type of network is commonly found in large data centers, where traffic such as database synchronization and network-based backups is kept off the production network to reduce the network overhead and to avoid saturating network interfaces used by end users to access applications. If your DNS server is connected to the production network for DNS queries and to the backup network for data backups, you might not want the connection to the backup network to respond to queries. This configuration keeps additional overhead off the interface to the backup network.

Another circumstance in which you might not want DNS resolution to respond to multiple interfaces on a Windows Server 2003 DNS server is when the server is connected to multiple discrete networks that utilize different DNS server records. One possible example of this might be a Windows Server 2003 that is connected to an extranet network and an internal network. You might not want that server to respond to DNS queries on the extranet network because you might want to avoid exposing internal name resolutions to customers or business partners who connect to the extranet.

The Forwarders Tab

Figure 3.8 shows the Forwarders tab of the DNS server Properties dialog box. As discussed earlier in this chapter, a DNS forwarder is a DNS server that passes recursive DNS requests to another DNS server; in other words, it forwards them to another DNS server. On the Forwarders tab, you can set the server(s) to which DNS queries should be forwarded.

Figure 3.8. The Forwarders tab is used to configure where the server will send DNS requests if another DNS server will be supplying some or all of the DNS resolution for that server.


Let's say you have a single internal domain called intranet.quepublishing.com. You need to forward any queries to that domain directly to the primary DNS server for the intranet.quepublishing.com domain. The Windows Server 2003 DNS service allows you to configure forwarding for a single domain, a group of domains, or all domains. Earlier versions of the Windows DNS service supported forwarding only for all domains; it was an all-or-nothing proposition. Being able to split forwarding between multiple servers while still resolving some domains locally is known as intelligent forwarding.

Exam Alert: Conditional Forwarding

Because the ability to do intelligent forwarding is a new capability with Windows Server 2003 DNS, you need to be familiar with how it works and when you might need to use it.


To configure a single-domain DNS forwarder, you follow the procedure outlined in Step by Step 3.3.

Step By Step 3.3. Setting Up a DNS Forwarder

1. Select Start, Control Panel, Administrative Tools, DNS. The DNS console appears.

2. Right-click the DNS server in the left pane of the DNS console and select Properties from the context menu. The DNS server Properties dialog box appears.

3. Select the Forwarders tab (refer to Figure 3.8).

4. Click New. The New Forwarder dialog box appears (see Figure 3.9). Enter intranet.quepublishing.com and click OK to add the domain.

Figure 3.9. The New Forwarder dialog box allows you to set the name of the domain for which requests will be forwarded.

5. Back at the Forwarders tab, in the Selected Domain's Forwarder IP Address List field, enter 192.168.1.165 and click Add. The IP address you entered should then appear in the list box below, as shown in Figure 3.10.

Figure 3.10. You can enter multiple servers to forward requests to each forwarded DNS domain.

6. Click OK to close the DNS server Properties dialog box.

Note: Deleting Your Forwarder

To avoid conflicts with later Step by Steps, you should go back and delete the forwarder you just configured.


Caution: Recursion and Forwarding

If you disable recursion by selecting Do Not Use Recursion for This Domain in the DNS server Properties dialog box, you will not be able to use a forwarder. Forwarding DNS requests requires that the DNS server be able to make recursive queries.
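The following is an added example, not code from the book or from the Windows DNS service. It models the decision the Forwarders tab configuration drives: for each query name, the most specific matching domain entry wins (so a forwarder for intranet.quepublishing.com takes precedence over one for quepublishing.com), the "All other DNS domains" entry is the fallback, an empty fallback means the server resolves iteratively from its root hints, and with recursion disabled no forwarding happens at all, exactly as the caution above describes. The 192.168.1.165 forwarder is the one from Step by Step 3.3; the other addresses and names are constructed for illustration.

```python
"""Model of Windows Server 2003 conditional ("intelligent") forwarding.

Added example; the forwarder table and addresses below are constructed.
It decides WHERE a query would be sent; it does not send anything.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ForwarderConfig:
    """What the Forwarders tab holds, plus the Advanced tab's recursion switch."""
    per_domain: dict[str, list[str]] = field(default_factory=dict)  # domain -> forwarder IPs
    all_other: list[str] = field(default_factory=list)  # "All other DNS domains" entry
    recursion_disabled: bool = False  # Advanced tab, "Disable Recursion"


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def _is_within(qname: str, domain: str) -> bool:
    # Label-aligned suffix test: mail.quepublishing.com is within quepublishing.com,
    # but notquepublishing.com is not.
    return qname == domain or qname.endswith("." + domain)


def choose_forwarders(qname: str, cfg: ForwarderConfig) -> Optional[list[str]]:
    """Forwarder IPs a query for `qname` goes to.

    Returns [] when no entry matches and no catch-all exists (root hints are used),
    and None when recursion is disabled, because a server that cannot recurse
    cannot forward either.
    """
    if cfg.recursion_disabled:
        return None
    q = _normalize(qname)
    best_depth = -1
    best_ips: Optional[list[str]] = None
    for domain, ips in cfg.per_domain.items():
        d = _normalize(domain)
        if _is_within(q, d):
            depth = d.count(".") + 1  # more labels = more specific entry
            if depth > best_depth:
                best_depth, best_ips = depth, list(ips)
    if best_ips is not None:
        return best_ips
    return list(cfg.all_other)


def describe(qname: str, cfg: ForwarderConfig) -> str:
    """Human-readable summary of the decision, handy when checking a configuration."""
    ips = choose_forwarders(qname, cfg)
    if ips is None:
        return f"{qname}: recursion disabled, answered only from local zones and cache"
    if not ips:
        return f"{qname}: no forwarder matches, resolved iteratively from the root hints"
    return f"{qname}: forwarded to {', '.join(ips)}"


if __name__ == "__main__":
    cfg = ForwarderConfig(
        per_domain={"intranet.quepublishing.com": ["192.168.1.165"],
                    "quepublishing.com": ["192.168.1.53"]},  # constructed addresses
    )
    for name in ("www.intranet.quepublishing.com", "mail.quepublishing.com", "www.example.com"):
        print(describe(name, cfg))
```

When verifying a forwarder setup, compare the decision this model gives for a handful of names against what the server actually does (the debug log discussed later in the chapter shows the outgoing queries), and remember that a forwarder entry for a parent domain silently captures every subdomain that has no entry of its own.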


The Advanced Tab

Figure 3.11 shows the Advanced tab of the DNS server Properties dialog box.

Figure 3.11. You typically access the obscure settings on the Advanced tab of the DNS server Properties dialog box only if you are running a nonstandard DNS implementation.


The Advanced tab's settings include the following:

  • Disable Recursion: This setting (which you might remember from the Forwarders tab) disables recursive DNS queries on the server as well as any forwarders that may be configured.

  • BIND Secondaries: This setting is used when communicating with Berkeley Internet Name Domain (BIND) servers. In the event that you have old BIND servers that cannot handle fast-transfer DNS updates, you might need to disable this setting.

  • Fail on Load If Bad Zone Data: This setting, if enabled, prevents the DNS service from loading data from a zone if it is incorrect or corrupt. By default, the Windows Server 2003 DNS service logs the error(s) and continues to load the good zone data.

  • Enable Round Robin: Round robin (also known as "poor man's load balancing") allows the DNS service to rotate the resource records associated with a query result. Round robin allows you to use DNS to help spread the load on a group of servers by allowing you to tie multiple IP hosts to a single resource record. Each time a resolution is requested, DNS returns the "next" record in the list of addresses.

  • Enable Netmask Ordering: Netmask ordering allows the DNS server to determine which resource record to respond with based on the IP address of the requesting host.

  • Secure Cache Against Pollution: As the name implies, this setting allows the DNS service to monitor the cached entries for possible bad or insecure responses, and it deletes them. This setting is enabled by default, and it probably should be left enabled in almost all cases.

  • Name Checking: Name checking determines what character set is supported by the DNS server for requested DNS names.

  • Load Zone Data on Startup: This setting determines from where the server loads its DNS data on startup. By default, the server looks to Active Directory and the registry, but you can configure it to look just to the registry or even to a file for its domain information.

  • Enable Automatic Scavenging of Stale Records: This setting allows the DNS service to prune records from the DNS cache when they become stale, that is, when they have not re-registered with DDNS within the set period of time. In an office with a very transient user population, you might want to shorten this interval. For very static environments, lengthening this period reduces the overhead on the server slightly because the process doesn't run as often.

A good general rule for the Advanced tab is to leave the settings alone until you have a very good understanding of the intricacies of DNS. These settings can have unanticipated results on DNS resolution if you are not absolutely sure of what each setting does. The most common reason you will configure a setting on the Advanced tab is to enable and configure scavenging of stale records.
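As an added example (not Microsoft's code), the class below models what a client sees when Enable Round Robin and Enable Netmask Ordering are switched on or off: round robin rotates the record set one step per answer, and netmask ordering moves addresses on the client's own subnet to the front. The /24 comparison mask is an assumption of this model and is exposed as a parameter; the record set and client addresses are constructed. It is useful for predicting what repeated nslookup queries should return while you test a multi-homed name.

```python
"""Model of the Advanced tab's answer-ordering options.

Added example with constructed data; the comparison mask for netmask
ordering (/24) is an assumption of this model, not a documented value.
"""
import ipaddress
from typing import Dict, List


class AnswerOrdering:
    def __init__(self, round_robin: bool = True, netmask_ordering: bool = True,
                 mask_bits: int = 24) -> None:
        self.round_robin = round_robin
        self.netmask_ordering = netmask_ordering
        self.mask_bits = mask_bits  # assumed comparison mask for "same subnet"
        self._served: Dict[str, int] = {}  # owner name -> answers given so far

    def _same_subnet(self, client_ip: str, address: str) -> bool:
        net = ipaddress.ip_network(f"{client_ip}/{self.mask_bits}", strict=False)
        return ipaddress.ip_address(address) in net

    def order(self, owner: str, addresses: List[str], client_ip: str) -> List[str]:
        """Return the A records for `owner` in the order this server would answer."""
        addrs = list(addresses)
        if self.round_robin and len(addrs) > 1:
            n = self._served.get(owner, 0)
            shift = n % len(addrs)
            addrs = addrs[shift:] + addrs[:shift]  # rotate one step per answer
            self._served[owner] = n + 1
        if self.netmask_ordering:
            near = [a for a in addrs if self._same_subnet(client_ip, a)]
            far = [a for a in addrs if not self._same_subnet(client_ip, a)]
            addrs = near + far  # stable: rotation order is kept within each group
        return addrs


if __name__ == "__main__":
    # Constructed: one name with three A records, queried twice from one client.
    server = AnswerOrdering()
    rrset = ["192.168.0.10", "10.1.2.3", "192.168.1.7"]
    for _ in range(3):
        print(server.order("www.publishing.quepublishing.com", rrset, "192.168.1.50"))
```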

The Root Hints Tab

Figure 3.12 shows the Root Hints tab of the DNS server Properties dialog box. The root hints identify the DNS servers that hold the root of the DNS tree. Because the Windows Server 2003 DNS server cannot use the DNS name of a root server to find a root server, it must have a static list of root servers so that it can find the root of the tree to find a DNS server to resolve its request. For example, if you were trying to connect to www.quepublishing.com, you would need to start at the root of the name, com, to find the DNS server that is authoritative for the quepublishing.com domain. The root hints contain the addresses of the DNS servers that are authoritative for the TLDs, including com. The authoritative root server for com would direct the request to the DNS server that was authoritative for the quepublishing.com domain, and that DNS server would resolve the query.

Figure 3.12. The Root Hints tab of the DNS server Properties dialog box contains the list of DNS servers that are authoritative for the TLDs.


The Debug Logging Tab

Figure 3.13 shows the Debug Logging tab of the DNS server Properties dialog box. Debug logging is discussed in more detail later in this chapter in the "Monitoring the DNS Service" section, but at this point, you should know that it is used to do detailed logging of DNS traffic and is typically used only when troubleshooting DNS issues with the server. Its limited use is due to the amount of data logged.

Figure 3.13. The Debug Logging tab of the DNS server Properties dialog box provides detailed logging information about DNS traffic.


The Event Logging Tab

The Event Logging tab of the DNS server Properties dialog box (see Figure 3.14) offers more traditional logging than the Debug Logging tab. The log file for these events can be found at %SystemRoot%\system32\dns\dns.log. %SystemRoot% is usually the Windows system file directory. Event logging is discussed in more detail later in this chapter in the "Monitoring the DNS Service" section.

Figure 3.14. Event logging records information on errors, warnings, and other DNS-related events.


The Monitoring Tab

Figure 3.15 shows the Monitoring tab of the DNS server Properties dialog box. The Monitoring tab allows you to automate the testing of the DNS service, which is discussed in detail later in this chapter, in the "Testing the DNS Service" section.

Figure 3.15. The Monitoring tab of the DNS server Properties dialog box allows you to automate the testing of the Windows Server 2003 DNS service.


The Security Tab

The Security tab of the DNS server Properties dialog box allows you to configure the rights to the DNS service (see Figure 3.16). This tab should look familiar to you because it is the standard rights assignment screen for any rights, from those for the file system to those for DNS privileges. If you want certain users or groups to have permissions on the DNS service, you can assign their rights from the Security tab.

Figure 3.16. If you want to configure granular privileges for DNS, you can do so on the Security tab of the DNS server Properties dialog box.


Note: The Security Tab

The Security tab will not be available for configuration on DNS servers that are not installed on a Domain Controller.


With the DNS service installed at a basic level, let's take a look at setting up a caching-only server.

Configuring Caching-Only Servers

Caching-only servers are used to speed up client computer DNS queries by gathering a large number of cached records based on client computer DNS queries. A caching-only server does not have a copy of the zone table and therefore cannot respond to queries against the zone unless they are already cached. A caching server is not authoritative on any zone.

Note: Room for Cached Information

All the cache entries on a caching-only server are stored in RAM. You need to be sure that your caching server has plenty of RAM; otherwise, it will not be effective.


Let's assume that you have an existing Windows Server 2003 DNS server and you want to convert it to a caching-only server that can resolve internal DNS entries. The procedure outlined in Step by Step 3.4 guides you through this process.

Exam Alert: Doing It the Easy Way

By default, when you install the Windows Server 2003 DNS service, it automatically acts as a caching-only server (albeit one that is able to resolve only Internet-accessible DNS entries) until you start creating zones and setting parameters.


Caution: This Step by Step Is Optional

You do not need to complete this Step by Step if you have only one DNS server available. If you opt to complete this Step by Step, you should not delete the Root Hints as instructed in Step 6. Additionally, you should delete the record you created during this Step by Step after you are done. This will ensure that your DNS server will be ready to perform the rest of the exercises in this and following chapters.


Step By Step 3.4. Creating a Caching-Only DNS Server

1. Log on to Windows Server 2003 using the Administrator account or another account that has administrator privileges.

2. Open the DNS console by selecting Start, Control Panel, Administrative Tools, DNS. Expand the tree view of the DNS server and delete any zones listed under either Forward Lookup Zones or Reverse Lookup Zones. A caching-only server cannot be authoritative on any zones.

3. Double-click the Root Hints entry in the right pane, and the DNS server Properties dialog box appears with the Root Hints tab selected, as seen in Figure 3.17.

Figure 3.17. The root hints entries contain the IP addresses of the root Internet DNS servers and tell the DNS server where to forward requests that cannot be resolved locally.

4. Click the Add button; the New Resource Record dialog box appears, as seen in Figure 3.18. Add a resource record for every DNS server for which you want this server to cache lookups. These name servers must already exist in your DNS hierarchy. In this case, you can enter the FQDN and IP address of the server you just installed.

Figure 3.18. To create a caching-only server, you need to add to the Root Hints list the server that you want to perform resolution for the entries that have not yet been cached.

5. Click OK when you are done entering the FQDN and IP address. The name server you added appears on the Root Hints tab of the DNS server Properties dialog box, as seen in Figure 3.19.

Figure 3.19. You need to make sure that the server that will be performing resolution of systems not in the cache is on this list before you delete all the other entries.

6. Now that you have the forwarding DNS server in the list, delete all the other entries on the Root Hints tab, unless this is your only DNS server. This restricts all local name resolution to the DNS cache and causes requests for noncached entries to be forwarded to the specific server you have configured. When a response is received from that server, it is added to the cache of this server.

7. Click OK to return to the DNS console. The creation of the caching-only server is complete.

To verify that the caching function is working, you can ping several hosts by DNS name from a workstation configured to use your caching-only DNS server for DNS resolution. This builds the cache. Then you should go to another workstation that is also using the caching-only server for DNS and ping the same hosts. This time, the response should be much quicker because the DNS server will be able to get the DNS name of the host from the cache instead of forwarding the request to another DNS server.
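The cache that a caching-only server builds, and the check behind the Advanced tab's Secure Cache Against Pollution option, can be modelled in a few dozen lines. The following is an added example, not the Windows DNS implementation: entries expire when their TTL elapses (a constructed clock replaces the real one so expiry can be shown without waiting), and with pollution protection enabled a record is cached only if its owner name lies inside the zone the responding server was consulted for. That "bailiwick" rule is this example's interpretation of the option; the record sets and addresses are constructed.

```python
"""Model of a caching-only server's cache with TTL expiry and pollution protection.

Added example; record sets, TTLs and the clock are constructed.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RRSet:
    owner: str
    rtype: str
    rdata: List[str]
    ttl: int


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when `owner` is `zone` itself or a name below it (label-aligned)."""
    o, z = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    return o == z or o.endswith("." + z)


class FakeClock:
    """Constructed stand-in for the system clock; advance `t` by hand."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class Cache:
    def __init__(self, secure_against_pollution: bool = True,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.secure = secure_against_pollution
        self.clock = clock
        self._store: Dict[Tuple[str, str], Tuple[float, RRSet]] = {}

    @staticmethod
    def _key(owner: str, rtype: str) -> Tuple[str, str]:
        return (owner.rstrip(".").lower(), rtype)

    def lookup(self, owner: str, rtype: str) -> Optional[RRSet]:
        """Return the cached RRset, or None if absent or expired."""
        key = self._key(owner, rtype)
        entry = self._store.get(key)
        if entry is None:
            return None
        expires_at, rrset = entry
        if self.clock() >= expires_at:
            del self._store[key]  # TTL elapsed: dropped, never served stale
            return None
        return rrset

    def add_response(self, responder_zone: str, rrsets: List[RRSet]) -> List[RRSet]:
        """Cache records from a response given by a server consulted for `responder_zone`.

        With protection on, a record whose owner lies outside that zone (for example
        an unsolicited A record for an unrelated name) is discarded. The discarded
        RRsets are returned so the caller can log them.
        """
        rejected: List[RRSet] = []
        now = self.clock()
        for rr in rrsets:
            if self.secure and not in_bailiwick(rr.owner, responder_zone):
                rejected.append(rr)
                continue
            self._store[self._key(rr.owner, rr.rtype)] = (now + rr.ttl, rr)
        return rejected


if __name__ == "__main__":
    clock = FakeClock()
    cache = Cache(clock=clock)
    # Constructed response from the quepublishing.com server: one expected record
    # and one record for a name that server is not responsible for.
    response = [RRSet("www.quepublishing.com", "A", ["192.0.2.10"], 300),
                RRSet("login.partner.example", "A", ["203.0.113.9"], 86400)]
    print("discarded:", [rr.owner for rr in cache.add_response("quepublishing.com", response)])
    print("cached:", cache.lookup("www.quepublishing.com", "A"))
    clock.t = 300.0
    print("after TTL:", cache.lookup("www.quepublishing.com", "A"))
```

The second-workstation test described above works because the first workstation's queries populated exactly this kind of store; the TTL is what bounds how long a stale or planted record would survive on a caching-only server, which is one reason the pollution check is worth leaving enabled.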

We have discussed how to set the server options. Now let's talk about configuring DNS zones so that the new server can perform name resolution.

Configuring Zones

Although it is possible to manually configure the text files that DNS creates, the DNS console makes it much easier to manage the DNS namespace configuration. When you first install your DNS server, you will need to configure your DNS server with its first zones before it works properly. We will look at how to do this by using the wizard and then take a look at how to do this if you need to add additional zones later.

Exam Alert: The DNS Console Equals the MMC

The DNS console is really nothing more than the MMC with the DNS Management snap-in installed. Microsoft provides this version of the MMC to make managing systems easier for new users of Windows Server 2003, so don't be confused if you see references to the MMC in the exam. That's all the DNS console is.


Using the MMC and Manually Adding Snap-ins

If you are an advanced user and would like to skip using differently configured versions of the MMC for each of the services installed on Windows Server 2003, there is an easy way to manage everything from a single configuration. You simply open the MMC by selecting Start, Run, MMC. This opens the MMC shell, which is empty the first time you load it. Next you select Console, Add/Remove Snap-in. When the Add/Remove Snap-in dialog box appears, you click the Add button. In the Add Standalone Snap-in dialog box that appears next, you can select any or all of the snap-ins for Windows Server 2003 services.

As discussed earlier in this chapter, the most common types of DNS zones are forward lookup zones, which are used to translate hostnames to IP addresses, and reverse lookup zones, which provide IP-address-to-hostname translations. Now let's look at how you would set up a new forward lookup zone and a new reverse lookup zone on a DNS server.

To configure the zones on your DNS server for the first time, you follow the procedure outlined in Step by Step 3.5.

Step By Step 3.5. Configuring a Forward Lookup Zone and a Reverse Lookup Zone

1. Log on to Windows Server 2003 using the Administrator account or another account that has administrator privileges.

2. Open the DNS console by selecting Start, Control Panel, Administrative Tools, DNS. Right-click the new server and select the Configure a DNS Server option from the context menu. The Configure a DNS Server Wizard, seen in Figure 3.20, opens.

Figure 3.20. The Configure a DNS Server Wizard guides you in configuring your new DNS server.

3. Click Next, and the Select Configuration Action screen appears, as seen in Figure 3.21.

Figure 3.21. The Select Configuration Action screen allows you to select which activities you need to perform based on the size of the network or other requirements.

4. Select the Create Forward and Reverse Lookup Zones option and click Next. The Forward Lookup Zone screen appears, as seen in Figure 3.22.

Figure 3.22. The Forward Lookup Zone screen verifies that you really want to create a forward lookup zone.

5. On the Forward Lookup Zone screen, you are asked to confirm that you do in fact wish to create the zone. Select Yes and click Next. The Zone Type screen appears, as seen in Figure 3.23.

Figure 3.23. The Zone Type screen allows you to create a primary, secondary, or stub zone.

6. Select Primary zone to make this DNS server authoritative for the zone you are creating and click Next. The Zone Name screen appears, as seen in Figure 3.24.

Figure 3.24. As we discussed, it is generally a good idea to use a registered domain name whenever you are creating a zone.

Note: Active Directory-Integrated

If your DNS server were also a DC, you would have the option Store the Zone in Active Directory available to you (see Figure 3.23). For the purposes of this exercise, we're going to create a standard DNS zone as we'll examine Active Directory integration with DNS in more detail later in this chapter.

7. Enter the name of the domain for which you will be resolving names into the Zone Name field. The example in Figure 3.24 uses publishing.quepublishing.com, but you can use something else if you like. If you are on a network that is not connected to the Internet and will not be resolving names for users outside your internal network, this name can be anything. Click Next, and the Zone File screen appears, as seen in Figure 3.25.

Figure 3.25. You should usually select the suggested default zone file name.

8. On the Zone File screen, you will most likely leave the default selection intact. After making your selection, click Next. The Dynamic Updates screen appears, as seen in Figure 3.26.

Figure 3.26. Dynamic updates can be configured to make record management easier for an administrator.

9. On the Dynamic Updates screen, you can opt to allow nonsecure and secure dynamic updates if you want, but for the purposes of this exercise, select the Do Not Allow Dynamic Updates option as we'll configure them later. Click Next, and the Reverse Lookup Zone screen appears, as seen in Figure 3.27.

Figure 3.27. The Reverse Lookup Zone screen verifies that you really want to create a reverse lookup zone.

10. Select Yes, Create a Reverse Lookup Zone Now, and click Next to continue. The Zone Type screen appears. This should look familiar because it is the same screen that you used to create a forward lookup zone (refer back to Figure 3.23).

11. Select Primary Zone, but do not opt to store the data in Active Directory. Click Next, and the Reverse Lookup Zone Name screen appears, as seen in Figure 3.28.

Figure 3.28. Unlike a forward lookup zone, whose name is based on the DNS domain of the Active Directory domain, a reverse lookup zone has its name created based on the network portion of the IP address range to which it will be providing reverse lookup services.

12. Identify the reverse lookup ID by the network ID or by specifying a name. The name shown in Figure 3.28 uses the standard naming convention, which is the network ID (in this case, 192.168.0.x) in reverse order, with in-addr.arpa appended. This results in the name 192.168.0.in-addr.arpa. Notice the arpa in the name. If you were guessing that this naming convention has been around since the Internet was called the ARPAnet, you would be correct. As discussed earlier in this chapter, in the section "Reverse Lookups," this is the Internet-standard naming convention, and you should try to stick with it. Click Next. The Zone File screen appears as seen in Figure 3.29.

Figure 3.29. You should select the default zone file name suggested, unless you have a specific reason otherwise.

13. On the Zone File screen, you will most likely leave the default selection intact unless you have a specific reason to change it. After making your selection, click Next. The Dynamic Updates screen appears, as seen previously in Figure 3.26.

14. On the Dynamic Updates screen, select the Do Not Allow Dynamic Updates option. Click Next and the Forwarders screen appears, as seen in Figure 3.30.

Figure 3.30. Microsoft has added the capability to set a DNS server as a forwarder by using the Configure a DNS Server Wizard.

15. For the purposes of this exercise, select No, It Should Not Forward Queries and click Next. The Completing the Configure a DNS Server Wizard dialog box appears, as seen in Figure 3.31. This screen allows you to review the configurations you selected and either go back to correct mistakes or cancel the wizard before the changes are committed.

Figure 3.31. You need to double-check your information before committing the changes you just made.

16. Click Finish to complete the configuration. Notice in Figure 3.32 that the zones that were configured by the wizard now appear in the DNS console.



Figure 3.32. The DNS console gives you access to any information you need about the zones configured on that DNS server.
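The wizard writes each standard primary zone to a text file, and the reverse zone's name is derived from the network ID, so both can be reproduced in code. The following is an added example, not the book's or Microsoft's code: it builds the in-addr.arpa name for a network ID and renders minimal zone files, in the RFC 1035 master-file syntax that standard primary zones use, for the publishing.quepublishing.com zone from Step 7 and its matching reverse zone. One caveat worth checking against the wizard's screen: reversing the octets of 192.168.0.x gives 0.168.192.in-addr.arpa (the network's most significant octet ends up closest to in-addr.arpa), and the example computes it that way. The SOA timer values are the Windows Server 2003 defaults; the host names and addresses are constructed.

```python
"""Reverse zone naming and minimal zone files for a standard primary zone pair.

Added example with constructed hosts; not the DNS service's own file writer.
"""
import ipaddress
from typing import Dict, List


def reverse_zone_name(network_id: str) -> str:
    """in-addr.arpa zone for a network ID as the wizard takes it ("192.168.0",
    "10") or as a classful prefix ("192.168.0.0/24")."""
    if "/" in network_id:
        net = ipaddress.ip_network(network_id, strict=False)
        if net.version != 4 or net.prefixlen not in (8, 16, 24):
            raise ValueError("only /8, /16 and /24 IPv4 networks are handled here")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    else:
        octets = network_id.rstrip(".").split(".")
        if not 1 <= len(octets) <= 3 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            raise ValueError(f"not a usable network ID: {network_id!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(ip: str) -> str:
    """Owner name of the PTR record for one host address (all four octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def _header(zone: str, primary_ns: str, serial: int, ttl: int) -> List[str]:
    # SOA timers: Windows Server 2003 defaults of refresh 15 min, retry 10 min,
    # expire 1 day, minimum TTL 1 hour.
    return [
        f"$ORIGIN {zone}.",
        f"$TTL {ttl}",
        f"@      IN SOA {primary_ns}. hostmaster.{zone}. ( {serial} 900 600 86400 3600 )",
        f"@      IN NS  {primary_ns}.",
    ]


def forward_zone_file(zone: str, primary_ns: str, hosts: Dict[str, str],
                      serial: int, ttl: int = 3600) -> str:
    """Forward zone: one A record per host (host -> IPv4 address)."""
    zone = zone.rstrip(".")
    lines = _header(zone, primary_ns, serial, ttl)
    for host, ip in sorted(hosts.items()):
        ipaddress.IPv4Address(ip)  # raises on a malformed address
        lines.append(f"{host:<6} IN A   {ip}")
    return "\n".join(lines) + "\n"


def reverse_zone_file(network_id: str, zone: str, primary_ns: str,
                      hosts: Dict[str, str], serial: int, ttl: int = 3600) -> str:
    """Reverse zone for `network_id`: one PTR per host, relative to the zone origin.
    Refuses an address that does not fall inside the network."""
    rzone = reverse_zone_name(network_id)
    zone = zone.rstrip(".")
    lines = _header(rzone, primary_ns, serial, ttl)
    for host, ip in sorted(hosts.items(), key=lambda kv: ipaddress.IPv4Address(kv[1])):
        owner = ptr_owner(ip)
        if not owner.endswith("." + rzone):
            raise ValueError(f"{ip} is not inside the {rzone} zone")
        relative = owner[: -(len(rzone) + 1)]  # strip ".<zone>" to get the host part
        lines.append(f"{relative:<6} IN PTR {host}.{zone}.")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hosts = {"dns1": "192.168.0.2", "www": "192.168.0.10"}  # constructed
    print(forward_zone_file("publishing.quepublishing.com",
                            "dns1.publishing.quepublishing.com", hosts, serial=1))
    print(reverse_zone_file("192.168.0", "publishing.quepublishing.com",
                            "dns1.publishing.quepublishing.com", hosts, serial=1))
```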


Exam Alert: Changing DNS Names Used with Active Directory

When choosing a domain name to use when installing DNS, it is always a good idea to register a domain name with the appropriate domain name registration agency and use that name even if your internal network is isolated (that is, not connected to the Internet). Doing so ensures that your domain name is not in use somewhere else. A famous example of this is the xyz.com domain, used in some old Windows documentation as a sample domain. Someone actually has that domain registered and is using it. If you set up Active Directory by using this domain name and are connected to the Internet, you can cause conflicts. The good news is that with Windows Server 2003, you can rename the domain without breaking Active Directory; this is a new feature with this release of Windows. The fact that the DNS name used with Active Directory can now be changed would make an excellent exam question.


Now that you have created new forward and reverse lookup zones by using the Configure a DNS Server Wizard, we'll look at configuring zone options in more detail. We will also come back to these zones later in the chapter and look at how they can be converted into Active Directory-integrated zones (provided that your DNS server is also a Domain Controller) in the "Integrating Active Directory and DNS" section of this chapter.

Examining Zone Options

For the most part, once they have been created and configured, DNS zones pretty much work without any problems. In this section, we examine the basic zone options available to you and how they are configured.

To access a zone's options, you simply need to select the zone, right-click it, and select Properties from the context menu. The Properties dialog box opens to the General tab, as seen in Figure 3.33.

Figure 3.33. The zone Properties dialog box allows you to fully manage the configuration and status for a domain.


The General Tab

From the General tab, as seen in Figure 3.33, you can configure basic options about how the zone itself operates and behaves. If for some reason you needed to stop name resolution from occurring against that zone, you could click the Pause button to pause the zone. This could be useful when configuring changes or troubleshooting the zone.

The Change button in the Type section of the tab allows you to change the zone type, such as from a primary zone to a secondary zone or from a primary zone to a stub zone. Be aware that changing a standard primary zone to a secondary zone leaves no primary zone for that domain afterwards, so you will need to change a secondary zone to a primary zone for DNS to work correctly.

On DNS servers that reside on a Domain Controller, the Change button in the Replication section of the tab will be available to you. You can change how the zone is replicated, such as from a standard primary zone to an Active Directory-integrated zone, and also configure the scope of replication within Active Directory. We will examine these options later in the "Integrating Active Directory and DNS" section of the chapter.

You can also configure and change the zone file name, the type of dynamic updates that the zone will process, and the aging and scavenging properties for the zone. Under normal circumstances, there should never be a reason to change the zone file name; however, the ability to do so exists. We examine the configuration of dynamic updates in the next section and the configuration of aging and scavenging later in the "Configuring Aging/Scavenging" section of this chapter.

Configuring Zones for Dynamic Updates

One of the major advantages of running a Windows Server 2003 network is the capability to use DDNS. To configure a DNS zone for dynamic updates, you follow the procedure outlined in Step by Step 3.6.

Step By Step 3.6. Configuring a Zone for Dynamic Updates

1. Log on to Windows Server 2003 using the Administrator account or another account that has administrator privileges.

2. Open the DNS console by selecting Start, Control Panel, Administrative Tools, DNS.

3. Right-click the zone you want to configure to receive dynamic updates (for example, publishing.quepublishing.com). From the context menu, select Properties. The Properties dialog box shown previously in Figure 3.33 appears. (Note that the title bar of the dialog box reflects the name of the zone.)

4. On the General tab, for a DNS server that is not running on a Domain Controller, the only option to select is Nonsecure and Secure. If the zone were running on a Domain Controller and were Active Directory integrated, you would also have the option to enable secure updates, as we'll see later in the "Integrating Active Directory and DNS" section of the chapter. For now, select the Nonsecure and Secure option, click OK to confirm the selection, and close the Properties dialog box.

5. You will need to repeat this process for each of your forward and reverse lookup zones that are to utilize dynamic updates.

DDNS is specified in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)." It is the foundation of a successful Active Directory implementation. As discussed in this chapter, DNS is used to resolve a name to an IP address, or vice versa, using a defined hierarchical naming structure to ensure uniformity. DDNS takes that architecture to the next level. This section describes the Windows Server 2003 implementation of the dynamic update process.

In Windows Server 2003, client computers can send dynamic updates for three types of network adapters: DHCP adapters, statically configured adapters, and remote access adapters. We will examine these configurations in more detail in the next section, "Configuring DNS Client Computers."

DDNS integrates DHCP and DNS, as described in RFC 2136. Every time a computer requests a new address or renews its address, the computer sends an option 81 and its fully qualified domain name to the DHCP server and requests that the DHCP server register an entry in the reverse lookup DNS zone on its behalf. The DHCP client computer also requests an entry in the forward lookup zone on its own behalf. The end result is that every DHCP client computer has an entry in the DNS zones, both forward and reverse. This information can be used by other Windows Server 2003 computers in place of WINS for identifying the names and IP addresses of other hosts.

Note: Option 81

Option 81 (also known as the FQDN option) allows the client computer to send its FQDN to the DHCP server when it requests an IP address.


By default, the dynamic update client computer dynamically registers its resource records whenever any of the following events occur:

  • The TCP/IP configuration is changed.

  • The DHCP address is renewed or a new lease is obtained.

  • A Plug and Play event occurs.

  • An IP address is added to or removed from the computer when the user changes or adds an IP address for a static adapter.

By default, the dynamic update client computer automatically deregisters name-to-IP address mappings whenever the DHCP lease expires.

You can force a re-registration by using the command-line tool ipconfig. For Windows Server 2003-based client computers, you type the following at the command prompt:

ipconfig /registerdns


This command also works for Windows XP and Windows 2000 computers.

Now let's take a quick look at the dynamic update process and see how a Windows Server 2003 host gets dynamically registered with DNS. A dynamic update occurs in the following manner:

1.

The DNS client computer queries its local name server to find the primary name server and the zone that is authoritative for the name it is updating. The local name server performs the standard name resolution process to discover the primary name server, and it returns the name of the authoritative server and zone.

2.

The client computer sends a dynamic update request to the primary server. The authoritative server performs the update and replies to the client computer regarding the result of the dynamic update.
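The two steps above end with an RFC 2136 UPDATE message arriving at the primary server. The following Python example, added here and not taken from the book or from the Windows DNS code, builds the message a client would send in step 2 to replace its A record, then decodes it again so you can see the zone, prerequisite, update, and additional sections laid out in the wire format. The zone, host name, and address are the ones the chapter uses elsewhere (corp.quepublishing.com, ptgdc01, 192.168.0.155); the message ID and TTL are made up. Note what is missing: the message is unsigned. The "Nonsecure and Secure" setting accepts exactly this kind of unauthenticated update, whereas a secure update (Active Directory-integrated zones, using GSS-TSIG as specified in RFC 3645) carries a signature record in the additional section, which is what the `signed` flag in the decoder reports on.

```python
import struct

OPCODE_UPDATE = 5          # RFC 2136 opcode for DNS UPDATE
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode uncompressed labels at msg[off:]; return (name, new offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_update(msg_id, zone, host_fqdn, ip, ttl=1200):
    """Build the UPDATE a client sends to the primary server (step 2 in the
    text): delete any existing A RRset for host_fqdn, then add the new A record.
    No prerequisite section and no signature (an unsigned, 'nonsecure' update)."""
    flags = OPCODE_UPDATE << 11                                   # QR=0, opcode=5
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 2, 0)    # ZO, PR, UP, AD counts
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # "Delete an RRset" is encoded as class ANY, TTL 0, empty RDATA (RFC 2136 2.5.2)
    delete_rr = encode_name(host_fqdn) + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    add_rr = encode_name(host_fqdn) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + zone_sec + delete_rr + add_rr


def parse_update(msg):
    """Decode an UPDATE message into a dict. 'signed' is True only when the
    additional section carries a record, which is where a TSIG/GSS-TSIG
    signature would be placed."""
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    zone, off = decode_name(msg, off)
    ztype, zclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4

    def read_rr():
        nonlocal off
        name, off = decode_name(msg, off)
        rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        return {"name": name, "type": rtype, "class": rclass, "ttl": rttl, "rdata": rdata}

    prereqs = [read_rr() for _ in range(prcount)]
    updates = [read_rr() for _ in range(upcount)]
    return {
        "id": msg_id,
        "opcode": (flags >> 11) & 0xF,
        "zone": zone,
        "zone_type": ztype,
        "prerequisites": prereqs,
        "updates": updates,
        "signed": adcount > 0,
    }


if __name__ == "__main__":
    # Zone, host, and address are the ones used in the chapter; the ID is made up.
    packet = build_update(0x1234, "corp.quepublishing.com",
                          "ptgdc01.corp.quepublishing.com", "192.168.0.155")
    print(len(packet), "bytes:", parse_update(packet))
```

The decoder deliberately refuses compression pointers; the encoder never emits them, and keeping the example to uncompressed names keeps the parsing logic short enough to read in one sitting.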

The Start of Authority (SOA) Tab

From the Start of Authority (SOA) tab, as seen in Figure 3.34, you can configure the fields that appear on the SOA record. Each DNS zone has one and only one server that is considered to be the primary name server for that zone (even in Active Directory-integrated zones where all DNS servers are otherwise considered equal). The root name server of a domain is the name server that is acting as the SOA for that DNS zone and is the one referenced by the Windows Server 2003 DNS services as the primary server. The SOA record is the first record in the database, and it has the following format:

IN SOA <primary server> <contact email> <serial number> <refresh time> <retry time> <expiration time> <time to live>


Figure 3.34. The Start of Authority (SOA) tab allows you to configure the SOA record.


These are the fields of the SOA record (in the order in which they appear on the tab in Figure 3.34):

  • serial number This is important. It acts as the version number for the database file, and it should increase each time the database file is changed. The file with the highest serial number takes precedence during zone transfers.

  • primary server This is the DNS server that maintains this file.

  • responsible person This is the Internet email address for the person responsible for this domain's database file. See the note "Don't Use a Standard Email Address for the SOA" for important formatting information.

  • refresh interval This is the elapsed time (in seconds) that a secondary server will wait between checks to its master server to see whether the database file has changed and a zone transfer should be requested. This is set to 15 minutes by default, but it can be increased in an environment where DNS doesn't change often.

  • retry interval This is the elapsed time (in seconds) that a secondary server will wait before retrying a failed zone transfer. The default for Windows Server 2003 is 10 minutes, and this setting can be increased or decreased as needed for the environment.

  • expires after This is the elapsed time (in seconds) that a secondary server will keep trying to download a zone. After this time limit expires, the old zone information is discarded. This is set to one day by default, and it can be modified as needed. You might want to increase this number for areas with intermittent connectivity where outages are common, such as with DNS across a VPN.

  • time to live The time to live (TTL) is the elapsed time (in seconds) that a DNS server is allowed to cache any resource records from the database file.

Note: Don't Use a Standard Email Address for the SOA

One very important fact about the contact email in the SOA is that it does not use the standard Internet email format. Instead, you replace the @ symbol in the email address with a period. For example, billg@microsoft.com would be billg.microsoft.com in the zone file.


The Start of Authority (SOA) tab also has a configuration field that allows you to configure a different TTL for the SOA record itself, if desired.
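To make the SOA fields and the note about the contact address concrete, here is an added Python example (not from the book) that parses an SOA record in the format shown above, converts the responsible-person field back into an email address, decides whether a secondary needs a zone transfer by comparing serial numbers, and sanity-checks the timers. The sample record is constructed for the example; its refresh, retry, and expire values (900, 600, and 86400 seconds) match the 15-minute, 10-minute, and one-day defaults the text describes, and the 3600-second TTL and the hostmaster contact are assumptions.

```python
SOA_FIELDS = ("primary_server", "contact", "serial", "refresh", "retry", "expire", "ttl")

# Constructed sample in the chapter's format: [owner] IN SOA <primary> <contact>
# <serial> <refresh> <retry> <expire> <ttl>
SAMPLE_SOA = ("corp.quepublishing.com. IN SOA ptgdc01.corp.quepublishing.com. "
              "hostmaster.corp.quepublishing.com. 2006030101 900 600 86400 3600")


def parse_soa(record):
    """Split an SOA line into its named fields; the five numeric fields are
    unsigned 32-bit integers in the zone file."""
    tokens = record.split()
    if "SOA" not in tokens:
        raise ValueError("not an SOA record")
    values = tokens[tokens.index("SOA") + 1:]
    if len(values) != 7:
        raise ValueError("expected 7 SOA fields, found %d" % len(values))
    soa = {"primary_server": values[0], "contact": values[1]}
    for field, value in zip(SOA_FIELDS[2:], values[2:]):
        soa[field] = int(value)
    return soa


def contact_to_email(rname):
    """Undo the zone-file encoding of the responsible person: the first dot
    stands for '@', so billg.microsoft.com becomes billg@microsoft.com."""
    local, _, domain = rname.rstrip(".").partition(".")
    return local + "@" + domain


def transfer_needed(master_serial, secondary_serial):
    """Does the secondary need a zone transfer? The comparison uses 32-bit
    serial number arithmetic (RFC 1982), so a serial that has wrapped past
    0xFFFFFFFF still compares as newer."""
    diff = (master_serial - secondary_serial) % (1 << 32)
    return 0 < diff < (1 << 31)


def timer_warnings(soa):
    """Flag timer combinations that make secondaries misbehave: a retry that
    is not shorter than refresh, or an expire that does not exceed refresh."""
    warnings = []
    if soa["retry"] >= soa["refresh"]:
        warnings.append("retry interval is not shorter than the refresh interval")
    if soa["expire"] <= soa["refresh"]:
        warnings.append("expire does not exceed refresh; secondaries may discard "
                        "the zone before a single refresh check can succeed")
    return warnings


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa)
    print("contact:", contact_to_email(soa["contact"]))
    print("secondary at serial 2006030100 needs transfer:",
          transfer_needed(soa["serial"], 2006030100))
    print("timer warnings:", timer_warnings(soa))
```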

The Name Servers Tab

From the Name Servers tab, as seen in Figure 3.35, you can configure which name servers are to be considered authoritative for the zone. For standard zones, this will include the server that holds the primary zone and all servers that hold secondary copies of the zone. For Active Directory-integrated zones, this will include all DNS servers that hold the zone.

Figure 3.35. The Name Servers tab allows you to add and remove authoritative name servers for the zone.


You can manage the list of authoritative name servers using the Add, Edit, and Remove buttons on this tab.

The WINS Tab

From the WINS tab, as seen in Figure 3.36, you can configure the zone for WINS lookup integration. If your network still relies on WINS, then you will likely need to configure the options on this tab to provide the best name resolution services available to your clients. We discuss this integration in Chapter 4, "Implementing and Managing WINS."

Figure 3.36. The WINS tab allows you to configure the zone for WINS integration if you need to support legacy WINS clients.


The Zone Transfers Tab

From the Zone Transfers tab, as seen in Figure 3.37, you can configure how the zone will perform zone transfers.

Figure 3.37. The Zone Transfers tab allows you to configure the zone transfer properties.


In most cases, the default selection of Only to Servers Listed on the Name Servers Tab will be the best selection. However, there are times when you may need to change the selection. The available options are as follows:

  • Allow zone transfers If this option is unchecked, the options below it become unavailable and no zone transfers will be allowed for the server. Turning off zone transfers (for standard zones) is useful only in cases in which no other DNS servers that would need a zone transfer exist; this is typically an unlikely scenario. By default, Active Directory-integrated zones do not allow zone transfer as the zone data is replicated by Active Directory itself and is not stored in a flat text file.

  • To any server This least-secure option allows any server that requests a zone transfer of your zone file to have it.

  • Only to servers listed on the Name Servers tab The default option allows zone transfers with those authoritative name servers that you configured on the Name Servers tab.

  • Only to the following servers This option allows you to explicitly specify which servers (by IP address) will be allowed to perform zone transfers with this zone.
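The four options above form a small decision procedure, and it is worth seeing it written out. The following Python example is added here and is not the book's or the DNS console's code: it models a zone's Zone Transfers tab settings, decides whether a given requester may pull the zone, and audits the settings for the weak choices the text warns about (transfers to any server, or an empty explicit list). The addresses are constructed for the example; 192.168.0.155 is the chapter's server, and the secondary and outside addresses are made up.

```python
from ipaddress import ip_address

ALLOW_ANY = "any"                      # "To any server"
ALLOW_NAME_SERVERS = "name_servers"    # "Only to servers listed on the Name Servers tab" (default)
ALLOW_LISTED = "listed"                # "Only to the following servers"


def make_zone(name, ad_integrated=False, allow_transfers=None,
              policy=ALLOW_NAME_SERVERS, ns_addresses=(), listed_addresses=()):
    """Model of one zone's Zone Transfers tab (a constructed structure, not the
    console's). Left unspecified, 'Allow zone transfers' follows the defaults in
    the text: on for standard zones, off for AD-integrated ones."""
    if allow_transfers is None:
        allow_transfers = not ad_integrated
    return {"name": name, "ad_integrated": ad_integrated,
            "allow_transfers": allow_transfers, "policy": policy,
            "ns_addresses": tuple(ns_addresses),
            "listed_addresses": tuple(listed_addresses)}


def zone_transfer_allowed(zone, requester_ip):
    """Apply the tab's options, top to bottom, to a transfer request."""
    if not zone["allow_transfers"]:
        return False
    if zone["policy"] == ALLOW_ANY:
        return True
    if zone["policy"] == ALLOW_NAME_SERVERS:
        allowed = zone["ns_addresses"]
    elif zone["policy"] == ALLOW_LISTED:
        allowed = zone["listed_addresses"]
    else:
        raise ValueError("unknown zone transfer policy %r" % zone["policy"])
    return ip_address(requester_ip) in {ip_address(a) for a in allowed}


def audit_zone(zone):
    """Return findings for settings that are weaker or less useful than the default."""
    findings = []
    name = zone["name"]
    if zone["allow_transfers"] and zone["policy"] == ALLOW_ANY:
        findings.append("%s: transfers allowed to any server; the whole zone "
                        "can be read by any host that asks" % name)
    if zone["allow_transfers"] and zone["policy"] == ALLOW_LISTED and not zone["listed_addresses"]:
        findings.append("%s: explicit server list is empty; no secondary can transfer" % name)
    if zone["ad_integrated"] and zone["allow_transfers"]:
        findings.append("%s: AD-integrated zone has transfers enabled, which is not the default" % name)
    return findings


if __name__ == "__main__":
    # 192.168.0.155 is the chapter's DNS server; the other addresses are constructed.
    zone = make_zone("corp.quepublishing.com",
                     ns_addresses=["192.168.0.155", "192.168.0.156"])
    print("secondary:", zone_transfer_allowed(zone, "192.168.0.156"))
    print("outside host:", zone_transfer_allowed(zone, "10.0.0.9"))
    print(audit_zone(make_zone("nr-widgets.example", policy=ALLOW_ANY)))
```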

The Security Tab

From the Security tab, as seen in Figure 3.38, you can configure additional zone security. Recall that the Security tab in the server Properties dialog box does not appear unless the DNS server is running on a Domain Controller. Likewise, the Security tab in the zone Properties dialog box will not appear unless the zone is an Active Directory-integrated one, which is discussed in the "Integrating Active Directory and DNS" section later in this chapter.

Figure 3.38. The Security tab will be available only for Active Directory-integrated zones.


Now that you have finished the basic configuration of a Windows Server 2003 DNS server and its zones, let's move on and examine additional DNS-related management and configuration tasks you'll need to understand.

Configuring DNS Client Computers

Now that you have installed and configured the DNS server portion of Windows Server 2003 DNS, you should take a look at how to properly configure DNS on a Windows XP Professional client computer. The key to configuring DNS on a Windows XP client computer (and on a Windows 2000 client computer as well) is to keep in mind that DNS is configured in two places. First, DNS is configured as part of the TCP/IP interface. If you have ever installed DNS on a Windows NT 4.0 or Windows 2000 computer, this process should be familiar.

Exam Alert: You Need Windows XP or Windows 2000 for DDNS

Remember that the Windows 9x and Me operating systems were designed for use by home users, who do not typically need to register with a DNS server to interact with Active Directory appropriately. These operating systems do not participate in DDNS. For that reason, this chapter looks only at the business operating systems, such as Windows XP Professional and Windows 2000.


The second place you may need to configure DNS on a client computer is in the System Properties dialog box. The DNS information configured here is used as the DNS suffix for building FQDNs and is similar to the suffix information configured under the Internet Protocol (TCP/IP) Properties dialog box on other Windows operating systems. It is also used as part of the process for registering a computer in DDNS. Step by Step 3.7 describes how to configure the Internet Protocol (TCP/IP) Properties.

Step By Step
3.7. Configuring a Windows XP Professional DNS Client Computer

1.

Log on to a Windows XP Professional DNS client computer using the Administrator account or another account that has administrator privileges.

2.

Open the Control Panel and double-click the Network Connections applet. The Network Connections window appears, as seen in Figure 3.39.

Figure 3.39. The Network Connections window allows you to see all the configured connections on the client workstation, including both LAN and dial-up connections.


3.

Right-click the Local Area Connection icon and select Properties from the context menu. The Local Area Connection Properties dialog box appears, as seen in Figure 3.40.



Figure 3.40. The local area connection properties include all the protocols and services configured to run on this connection.


4.

Select Internet Protocol (TCP/IP) and click the Properties button. You can accomplish the same effect by double-clicking the Internet Protocol (TCP/IP) entry. The Internet Protocol (TCP/IP) Properties dialog box appears, as seen in Figure 3.41.

Figure 3.41. The Internet Protocol (TCP/IP) Properties dialog box can be used to make changes to a TCP/IP configuration, including not only DNS, but also DHCP, WINS, and even TCP/IP filters.


5.

In the bottom section of the Internet Protocol (TCP/IP) Properties dialog box, you can choose to have DNS configured automatically via DHCP or specify the preferred and alternate DNS servers. Click Advanced for additional DNS options. The Advanced TCP/IP Settings dialog box appears. Select the DNS tab to see the DNS options shown in Figure 3.42.



Figure 3.42. The DNS tab of the Advanced TCP/IP Settings dialog box is where you can control how the client will interact with the Windows Server 2003 DNS server(s).


6.

In the Advanced TCP/IP Settings dialog box, you can configure several DNS client computer settings. In this case, leave the default settings. By default, Windows XP Professional is configured to register with DNS. You control this setting by selecting or deselecting the Register This Connection's Addresses in DNS option. You can also select Use This Connection's DNS Suffix in DNS Registration, but this option is useful only if your system is part of a different domain than the one in which you are registering. You might use this option if you travel frequently and want to ensure that your system's DNS registration name is consistent.

7.

Click OK to return to the Internet Protocol (TCP/IP) Properties dialog box, and then click OK to return to the Local Area Connection Properties dialog box. Last, click OK to close the Local Area Connection Properties dialog box and put unapplied changes into effect.

A number of advanced TCP/IP options can be configured in the Advanced TCP/IP Settings dialog box in conjunction with the DNS client computer. They include the following:

  • DNS server addresses, in order of use.

  • Parameters for resolving unqualified domain names. An unqualified domain name is one that is simply supplied as a host name, such as fileserver042, and not fully qualified, such as fileserver042.corp.quepublishing.com. The options include the following:

    • Append Primary and Connection-Specific DNS Suffixes This option appends the domain suffixes configured in the System Properties dialog box to any unqualified domain names sent for resolution.

    • Append Parent Suffixes of the Primary DNS Suffix This option adds not only the specified domain suffixes, but also the suffixes of any parent domains to any unqualified domain names sent for resolution.

    • Append These DNS Suffixes (In Order) This option allows you to specify specific DNS suffixes to be appended to any unqualified domain names sent for resolution.

    • DNS Suffix for This Connection This option allows you to configure a specific DNS suffix for this connection in the Network and Dial-up Connections list. You can specify different suffixes in case you have multiple LAN adapters loaded or you want to use different suffixes between the LAN and dial-up connections.

    • Register This Connection's Addresses in DNS You can use this setting to configure the computer to take advantage of DDNS.

    • Use This Connection's DNS Suffix in DNS Registration This option allows you to use the DNS suffix specified with this connection as part of the information used when the host is registered with DDNS.
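The suffix options above decide which fully qualified names the client actually tries when a user types fileserver042. The following Python example, added here and not part of the book, is a simplified model of that search: it produces the candidate FQDNs in order for each combination of the primary suffix, a connection-specific suffix, parent-suffix devolution, and an explicit "append these suffixes" list, then resolves a name against a small constructed name table standing in for the DNS server. Two details are assumptions of the model rather than statements from the text: candidates are tried in the order primary suffix, connection-specific suffix, then the parents of the primary suffix, and devolution stops when two labels remain (quepublishing.com). The suffixes and addresses other than corp.quepublishing.com and 192.168.0.155 are constructed.

```python
# Constructed name table standing in for the DNS server's forward lookup zones.
# ptgdc01 / 192.168.0.155 come from the chapter; the other entries are made up.
ZONE_DATA = {
    "ptgdc01.corp.quepublishing.com": "192.168.0.155",
    "fileserver042.corp.quepublishing.com": "192.168.0.42",
    "www.quepublishing.com": "203.0.113.10",
    "printsrv.lab.quepublishing.com": "192.168.5.7",
}


def candidate_fqdns(name, primary_suffix, connection_suffix=None,
                    append_parents=False, explicit_suffixes=None):
    """Return the FQDNs the client tries, in order, for a name the user typed.
    Model of the DNS tab of Advanced TCP/IP Settings (simplified; ordering and
    the two-label devolution floor are assumptions of this example)."""
    if name.endswith("."):
        return [name.rstrip(".")]          # trailing dot: already fully qualified
    if explicit_suffixes:
        # "Append these DNS suffixes (in order)" replaces the primary and
        # connection-specific suffixes entirely.
        return ["%s.%s" % (name, s) for s in explicit_suffixes]
    suffixes = []
    if primary_suffix:
        suffixes.append(primary_suffix)
    if connection_suffix and connection_suffix not in suffixes:
        suffixes.append(connection_suffix)
    if append_parents and primary_suffix:
        labels = primary_suffix.split(".")
        while len(labels) > 2:             # devolve to the parent, stopping at two labels
            labels = labels[1:]
            suffixes.append(".".join(labels))
    return ["%s.%s" % (name, s) for s in suffixes]


def resolve(name, zone_data, **settings):
    """Try each candidate in order; return (fqdn, ip) for the first hit, else None."""
    for fqdn in candidate_fqdns(name, **settings):
        if fqdn in zone_data:
            return fqdn, zone_data[fqdn]
    return None


if __name__ == "__main__":
    base = dict(primary_suffix="corp.quepublishing.com",
                connection_suffix="lab.quepublishing.com", append_parents=True)
    for host in ("fileserver042", "printsrv", "www", "nosuchhost"):
        print(host, "->", candidate_fqdns(host, **base), "=>", resolve(host, ZONE_DATA, **base))
```

The example also shows why the note on Group Policy matters: a long or permissive suffix list means a short name can quietly resolve in a domain the user did not intend, so the list is something to set centrally rather than per workstation.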

Note: What If I'm Using Windows 2000 Professional?

The steps for configuring DNS registration on a client system have not changed in Windows XP; they are the same steps used in Windows 2000. If you know these steps in one operating system, you know them for both.


Note: Append These DNS Suffixes

Although you can enter in additional DNS suffixes manually on the Advanced TCP/IP Settings DNS tab, it's worth noting that this configuration is usually best made by using Group Policy.


To modify the DNS settings in the System Properties dialog box, follow the procedure outlined in Step by Step 3.8.

Step By Step
3.8. Modifying the DNS Settings for Active Directory Integration

1.

Right-click the My Computer icon on the desktop. From the context menu, select Properties.

2.

Select the Computer Name tab, as seen in Figure 3.43.



Figure 3.43. The Computer Name tab of the System Properties dialog box can be used to configure not only the computer name, but also a description and domain or workgroup membership.


3.

From the Computer Name tab, click the Change button. The Computer Name Changes dialog box appears, as seen in Figure 3.44.

Figure 3.44. From this screen, you can change the name and domain membership of the computer.


4.

Click More, and the DNS Suffix and NetBIOS Computer Name dialog box appears as seen in Figure 3.45. Change the DNS domain name if needed (for example, corp.quepublishing.com). Checking the Change Primary DNS Suffix When Domain Membership Changes option ensures that the host's DNS domain matches its Active Directory domain.



Figure 3.45. This dialog box allows you to set a DNS domain to append to the computer name as well as to configure how the DNS settings should behave when the computer logs in to Active Directory.


5.

Click OK to save the changes. Click OK to return to the System Properties dialog box. Click OK twice to close the System Properties dialog box. When you are prompted to reboot the computer, do so.

Note: Default DNS Suffix

By default, you should never need to change the primary DNS suffix of a Windows XP or 2000 Professional computer in an Active Directory domain. You will not need to change it because the default primary DNS suffix is the local primary DNS suffix, which is the DNS name of the Active Directory domain to which the computer is joined. Configuring the DNS suffix as seen in Step by Step 3.8 is an advanced configuration action. It's worth noting that the primary DNS suffix can also be controlled through Group Policy.


Testing the DNS Service

How can you test to make sure DNS is working? Several methods (ping, nslookup, or a Web browser) allow you to quickly check whether DNS is working. The following sections discuss them in order of complexity.

Using ping to Test the DNS Service

The first application for testing DNS is the ping utility. ping, as discussed in detail in Chapter 1, "Configuring and Troubleshooting TCP/IP Addressing," allows you to send an Internet Control Message Protocol (ICMP) message to a TCP/IP host. If you use the correct flag with it, ping can also perform name resolution as part of its testing procedure. The correct syntax for the ping command is the following:

ping <destination address>


A sample ping session might look like this:

ping ptgdc01.corp.quepublishing.com

Pinging ptgdc01.corp.quepublishing.com [192.168.0.155] with 32 bytes of data:

Reply from 192.168.0.155: bytes=32 time<1ms TTL=128
Reply from 192.168.0.155: bytes=32 time<1ms TTL=128
Reply from 192.168.0.155: bytes=32 time<1ms TTL=128
Reply from 192.168.0.155: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.0.155:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms


A number of other switches can be used with the ping utility, as described in Chapter 1.

From the earlier example, you can see several things. First, because your ping returns the IP address 192.168.0.155, you know that DNS is functional. The rest of the information has to do with network latency and has little application for this chapter.

Using nslookup to Test the DNS Service

The next utility we need to look at is nslookup. nslookup is a standard command-line tool that is provided in most DNS server implementations, including Windows Server 2003. nslookup offers the capability to perform query testing of DNS servers and obtain detailed responses at the command prompt. This information can be useful for diagnosing and solving name resolution problems, for verifying that resource records are added or updated correctly in a zone, and for debugging other server-related problems.

You can use nslookup by typing nslookup at a command prompt and pressing Enter. You can run nslookup with the options listed in Table 3.3. In the table, identifiers are shown in uppercase and each [ ] indicates an optional parameter.

Table 3.3. Interactive nslookup Options

Option                        Description
NAME                          Prints information about the host/domain name using the default server.
NAME1 NAME2                   Like NAME, but uses NAME2 as the server.
help or ?                     Prints information on common commands.
set OPTION                    Sets an option. OPTION is one of the following:
  all                         Prints options for the current server and host.
  [no]debug                   Prints debugging information.
  [no]d2                      Prints exhaustive debugging information.
  [no]defname                 Appends the domain name to each query.
  [no]recurse                 Asks for a recursive answer to a query.
  [no]search                  Uses a domain search list.
  [no]vc                      Specifies to always use a virtual circuit.
  domain=NAME                 Sets the default domain name to NAME.
  srchlist=N1[/N2/.../N6]     Sets the domain to N1 and search list to N1, N2, and so on.
  root=NAME                   Sets the root server to NAME.
  retry=X                     Sets the number of retries to X.
  timeout=X                   Sets the initial timeout interval to X seconds.
  type=X                      Sets the query type (for example, A, ANY, CNAME, MX, NS, PTR, SOA, or SRV).
  querytype=X                 Sets the query type (for example, A, ANY, CNAME, MX, NS, PTR, SOA, or SRV).
  class=X                     Sets the query class (for example, IN [Internet], ANY).
  [no]msxfr                   Uses Microsoft fast zone transfer.
  ixfrver=X                   Specifies the current version to use in IXFR transfer request.
server NAME                   Sets the default server to NAME, using the current default server.
lserver NAME                  Sets the default server to NAME, using the initial server.
finger [USER]                 Fingers the optional NAME at the current default host.
root                          Sets the current default server to the root.
ls [opt] DOMAIN [> FILE]      Lists addresses in DOMAIN (optional: output to FILE). opt is one of the following:
  -a                          Lists canonical names and aliases.
  -d                          Lists all records.
  -t TYPE                     Lists records of the given type (for example, A, CNAME, MX, NS, or PTR).
view FILE                     Sorts an ls output file and views it with pg.
exit                          Exits the program.


Note: Displaying nslookup Options

You can display these options by typing nslookup at a command prompt, typing ? at the interactive prompt, and then pressing Enter.


Exam Alert: Knowing nslookup

Because nslookup is the standard tool for troubleshooting DNS, you should be familiar with its capabilities and options for the exam. Also, be sure to remember that nslookup will not function correctly without properly configured and operating reverse lookup zones.


Note: Knowing the nslookup Modes

You should be familiar with the fact that nslookup functions in both interactive and noninteractive modes. You use noninteractive mode when you need only a single piece of information.


If you are not familiar with nslookup, the options just described are probably clear as mud. The best way to get a thorough understanding of the nslookup options and flags is to try them out. However, for a simple test of DNS using nslookup, select a hostname you know is in DNS and type the following:

nslookup ptgdc01.corp.quepublishing.com


This command returns the following:

Server:   ptgdc01.corp.quepublishing.com
Address:  192.168.0.155

Name:     ptgdc01.corp.quepublishing.com
Address:  192.168.0.155


In this example, you used the name of the DNS server for the test. You can use any host in the DNS table. The first name and address returned are the name and address for the DNS server you are querying. If this server does not have a PTR record in a reverse lookup zone, the server name is returned, along with the following message:

***Can't find server name for address (address of configured DNS server): Timed out


This does not mean anything is broken; it just means there is no reverse lookup zone configured or no reverse lookup zone entry for this server. If you still get name resolution in the Name/Address section of the response, the DNS server is working.
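When these checks are scripted rather than read by eye, the distinction the text draws matters: a missing PTR record for the server is a warning, not a failed resolution. The following Python example, added here and not taken from the book, parses the ping output shown in the previous section and the nslookup output shown above, and reports separately whether the name resolved and whether the reverse lookup of the DNS server itself failed. The successful samples are the chapter's own output; the no-PTR sample and the failed-ping line are constructed in the shape Windows nslookup and ping print.

```python
import re

# The chapter's successful outputs (reflowed one field per line).
PING_OK = """\
Pinging ptgdc01.corp.quepublishing.com [192.168.0.155] with 32 bytes of data:
Reply from 192.168.0.155: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.155:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

NSLOOKUP_OK = """\
Server:   ptgdc01.corp.quepublishing.com
Address:  192.168.0.155

Name:     ptgdc01.corp.quepublishing.com
Address:  192.168.0.155
"""

# Constructed: the same query when the server has no PTR record.
NSLOOKUP_NO_PTR = """\
*** Can't find server name for address 192.168.0.155: Timed out
Server:  UnKnown
Address:  192.168.0.155

Name:     ptgdc01.corp.quepublishing.com
Address:  192.168.0.155
"""

# Constructed: ping when the name does not resolve at all.
PING_FAIL = "Ping request could not find host nosuchhost.corp.quepublishing.com. Please check the name and try again."

PING_RESOLVED = re.compile(r"Pinging\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]")
NS_NO_PTR = re.compile(r"Can't find server name for address\s+([\d.]+)")
NS_LINE = re.compile(r"^\s*(Server|Address|Name):\s+(\S+)", re.M)


def check_ping_output(text):
    """Return {'name', 'ip'} when ping shows the name was resolved, else None.
    The reply lines and timing statistics are ignored; only resolution matters here."""
    m = PING_RESOLVED.search(text)
    return {"name": m.group(1), "ip": m.group(2)} if m else None


def check_nslookup_output(text):
    """Separate the server part of nslookup's output from the answer part."""
    result = {"server": None, "server_address": None, "name": None, "address": None,
              "reverse_lookup_missing": False, "resolved": False}
    m = NS_NO_PTR.search(text)
    if m:
        result["reverse_lookup_missing"] = True
        result["server_address"] = m.group(1)
    for key, value in NS_LINE.findall(text):
        if key == "Server":
            result["server"] = value
        elif key == "Name":
            result["name"] = value
        elif key == "Address":
            if result["name"] is None:     # an Address before any Name belongs to the server
                result["server_address"] = value
            else:
                result["address"] = value
    result["resolved"] = result["name"] is not None and result["address"] is not None
    return result


if __name__ == "__main__":
    print(check_ping_output(PING_OK))
    print(check_ping_output(PING_FAIL))
    print(check_nslookup_output(NSLOOKUP_OK))
    print(check_nslookup_output(NSLOOKUP_NO_PTR))
```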

Note: nslookup Is Now on the Menu

If you right-click the server in the DNS console, you'll see that Launch nslookup is now one of the options. This helps you identify and use available management/testing tools.


Using a Web Browser to Test the DNS Service

A final method for testing a DNS server is to use a Web browser such as Internet Explorer. You type the FQDN you want to reach into the Address box and press Enter. If DNS is working correctly, the IP address is displayed in the lower-left corner of the application. This occurs even if the host in question is not a Web server. The browser may not connect successfully, but you should see that resolution if DNS is configured correctly.

Challenge

You are the network administrator for NR Widgets, Inc., a multinational conglomerate, and you are based in the conglomerate's corporate headquarters. NR Widgets, Inc., is made up of three companies: NR Manufacturing, NR Consulting, and NR Telecommunications. Each company has its own IT department and maintains its own network infrastructure. Each company also has its own DNS domain.

You have been asked to prepare the network for a complete Windows Server 2003 rollout, which includes both client computers and servers, with the goal of having a purely Windows Server 2003 and Windows XP Professional network. The first thing on your list is to implement a Windows Server 2003-capable DNS infrastructure.

Through your discussions with the key stakeholders in this project, you've determined the following requirements for the deployment:

  • Each IT department controls its own domain.

  • Each company's users must have the fastest possible resolution for other companies' hosts.

  • The users in the headquarters facility need fast DNS resolution for each of the company's hosts.

  • Headquarters is a not a computing center, so it will not maintain any primary DNS servers.

Your task is to implement the required DNS solution for NR Widgets, Inc.

Try to complete this exercise on your own, listing your conclusions on a sheet of paper. After you have completed the exercise, compare your results to those given here.

Answers

Obviously, you need to install the required DNS servers in the required locations. As well, you would have been best off to implement this solution concurrently with the Active Directory implementation for the network, since you should strive to use Active Directory-integrated zones as much as possible. However, because that was not part of the problem definition you received, you should plan to proceed using standard DNS zones, which can be converted to Active Directory-integrated zones later.

You should roll out the new Windows Server 2003 DNS servers in the following manner:

  • First, each company gets the primary DNS server for its own domain. This gives it control of its DNS domain. For redundancy, each company should also have a secondary master server.

  • To allow each company to quickly resolve addresses for the other companies, each company's DNS servers should also be configured with stub zones pointing to the other company's DNS servers. This will allow users in either company to quickly get name resolution without the burden of managing additional secondary zones.

  • Corporate headquarters needs a caching-only server that is configured to receive cache updates from the other DNS servers on the network. Another possibility is to set up a DNS server that acts as a secondary master to the three company domains.

  • Finally, all DNS servers should be set to accept dynamic updates. This is a requirement in the environment that was detailed to you.





MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
Year: 2006
Pages: 196
Authors: Will Schmied