DNS Tasks

DNS administration tasks are performed using the DNS console, which can be opened by either:

Start → Programs → Administrative Tools → DNS

Command line: dnsmgmt.msc

In addition, many DNS administration tasks can also be performed from the command line using the following utilities found in DEPLOY.CAB in the \SUPPORT\TOOLS folder on your product CD:

Dnscmd

Particularly useful for scripted administration of DNS servers

DNSLint

Can be used to diagnose and repair problems caused by missing or incorrect DNS records in a domain environment

Install DNS Manually

On a standalone server, first open the TCP/IP Properties sheet for your Local Area Connection, assign your server a static IP address, and specify the server's own IP address as its preferred DNS server. Then install the DNS service using Add or Remove Programs in Control Panel. Finally, configure your new name server by creating forward- and reverse-lookup zones; adding A, PTR, or other records to your zones; configuring zone transfers with other DNS servers; and so on. These tasks are described later in this section.

Install DNS Using Wizard

Start → Manage Your Server → Add or Remove Role

If your server is going to be the first server in your forest, select Typical Setup for a First Server as the role and follow the prompts. The wizard suggests a DNS name of the form organization.local for your root domain, where organization is the company name you specified when you installed WS2003 on your machine. The wizard also creates the necessary forward- and reverse-lookup zones automatically and allows you to specify the IP address of your ISP's name server as a forwarder for resolving hosts on the Internet.

If your server will be a standalone name server, select DNS Server as the role, and the Configure a DNS Server Wizard leads you through the process of creating forward- and reverse-lookup zones for your domain. If you abort the wizard, DNS is installed, but you have to create your zones manually using the DNS console.

Create a Forward-Lookup Zone

Right-click on Forward Lookup Zones → New Zone

This starts the New Zone Wizard. The path through the wizard depends on the type of zone you create and whether Active Directory is installed. On standalone servers the process is simple. For example, to create a primary zone:

Primary zone → specify DNS name → disable dynamic updates for optimal security

To create a secondary or stub zone:

Secondary or stub zone → specify DNS name → specify IP address of master name server from which zone information will be obtained

If Active Directory-integrated zones are being used, extra steps are involved. For example, to create a primary zone:

Primary zone → specify DNS replication scope → specify DNS name → enable dynamic updates for easiest administration

The replication scope defines the other name servers your machine will perform zone transfers with and can be forestwide, domainwide, domain controllers only, or an Active Directory partition. The default is all domain controllers in the local domain.

Secondary zones aren't stored in Active Directory, so the procedure is the same as for standalone servers. Stub zones may or may not be stored in Active Directory as desired.

Create a Reverse-Lookup Zone

Right-click on Reverse Lookup Zones → New Zone

The rest is the same as creating a forward-lookup zone, except instead of specifying a zone name, you specify a network ID, and the wizard automatically creates the name for the zone in the standard in-addr.arpa format. For example, if you specify 172.16.13 as the network ID, the reverse-lookup zone is automatically named 13.16.172.in-addr.arpa.
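The naming rule above as an added Python example (not code from the book), generalized to network IDs of one to three octets and to the owner name of a host's PTR record inside that zone:

```python
def reverse_zone_name(network_id: str) -> str:
    """in-addr.arpa zone name the New Zone Wizard derives from a network ID of
    one to three octets, e.g. "172.16.13" -> "13.16.172.in-addr.arpa"."""
    octets = network_id.strip(".").split(".")
    if not 1 <= len(octets) <= 3 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"network ID must be one to three octets: {network_id!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def ptr_owner_name(ip: str, network_id: str) -> str:
    """Fully qualified owner name of the PTR record for 'ip' inside that zone:
    the remaining host octets, reversed, prepended to the zone name."""
    zone = reverse_zone_name(network_id)
    prefix = network_id.strip(".").split(".")
    host = ip.split(".")
    if len(host) != 4 or host[:len(prefix)] != prefix:
        raise ValueError(f"{ip} is not inside network {network_id}")
    return ".".join(reversed(host[len(prefix):])) + "." + zone
```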

Convert a Zone

You can convert a zone from one type to another (for example, from primary to secondary) by:

Right-click on zone → Properties → General → Change (Type) → specify new zone type

You can convert a primary zone to an Active Directory-integrated zone only if the name server is a domain controller.

Configure Zone Transfer/Replication

To manually configure zone transfer:

Right-click on zone → Properties → Zone Transfers → enable zone transfer → specify who can request zone transfers

By default, zone transfers are enabled on standalone name servers but are allowed only for name servers listed on the Name Servers tab. If desired, you can instead specify IP addresses of servers allowed to request zone transfers or allow any server to request a zone transfer, which is a security risk. By default, your name server also notifies all servers on the Name Servers tab when updates are available. Additional configuration of zone transfer can be performed using the Start of Authority (SOA) tab, where you can specify:

Refresh interval

This specifies how often a secondary name server contacts its master name server for zone updates, which by default is every 15 minutes.

Retry interval

This specifies how long a secondary server waits before attempting to contact a master name server after a failed attempt at contacting it, which by default is every 10 minutes.

Expire interval

This specifies how long the secondary server keeps retrying before it stops responding to client requests for name resolution, since by then the secondary server's DNS information is probably out-of-date. The default is one day.

Minimum TTL

This specifies the amount of time during which the DNS server caches information it receives from other name servers in response to a recursive query it issues. Making the TTL smaller makes the DNS database information more consistent across the various DNS servers for the zone, but it also increases DNS network traffic and the load on the DNS servers. WS2003 DNS servers can also cache negative responses to name-query requests.

On stable networks whose configuration doesn't frequently change, you can try increasing the zone-transfer settings to reduce zone-transfer traffic. If name resolution starts to become erratic on the network, lower the settings again.

Zone transfer is configured differently for Active Directory-integrated zones:

Right-click on zone → Properties → General → Change (Replication) → specify replication scope

In addition, you can manually specify zone transfers with name servers that don't use Active Directory-integrated zones.

Force Zone Transfer/Replication

To force a name server to update a secondary zone from a master name server:

Right-click on secondary zone → Transfer from master

The option to reload from a master forces a full zone transfer instead of an incremental one. To force a master name server to notify its secondary name servers that they should contact it to initiate a zone transfer:

Right-click on a zone → Properties → Start of Authority (SOA) → Increment

This increments the version number of the zone on the master name server, indicating to secondary servers that the zone has been updated and that they should initiate a zone transfer with the primary.
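An added Python model (not code from the book) of how a secondary applies the SOA refresh, retry and expire values described above and the serial number that Increment bumps; the timeline in demo() is constructed:

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Defaults quoted on the SOA tab above, in seconds.
REFRESH, RETRY, EXPIRE = 15 * 60, 10 * 60, 24 * 3600

def serial_newer(candidate: int, current: int) -> bool:
    """32-bit serial-number arithmetic: True when the master's serial is ahead of
    ours, even across the wrap at 2**32, so a fresh Increment always looks newer."""
    return 0 < ((candidate - current) & 0xFFFFFFFF) < 0x80000000

@dataclass
class SecondaryZone:
    serial: int
    last_success: int = 0      # time of the last successful SOA check on the master
    next_check: int = 0        # when the secondary next contacts the master
    expired: bool = False      # an expired zone stops answering client queries
    log: list = field(default_factory=list)

def run_secondary(zone: SecondaryZone, master: Callable[[int], Optional[int]],
                  until: int) -> SecondaryZone:
    """Advance the secondary to time 'until'. master(t) returns the master's
    serial at time t, or None when the master cannot be contacted."""
    while zone.next_check <= until:
        t = zone.next_check
        serial = master(t)
        if serial is None:                        # contact failed: back off by Retry
            zone.next_check = t + RETRY
            if t - zone.last_success >= EXPIRE and not zone.expired:
                zone.expired = True               # Expire interval used up
                zone.log.append((t, "expired"))
        else:                                     # contact succeeded: next try after Refresh
            zone.last_success, zone.next_check = t, t + REFRESH
            if serial_newer(serial, zone.serial):
                zone.log.append((t, f"axfr {zone.serial}->{serial}"))
                zone.serial = serial
            elif zone.expired:
                zone.log.append((t, "refreshed"))
            zone.expired = False
    return zone

def demo() -> SecondaryZone:
    """Constructed timeline: Increment is clicked on the master at t=1000
    (serial 100 -> 101); the master is unreachable from t=3000 until t=90000."""
    def master(t):
        if 3000 <= t < 90000:
            return None
        return 101 if t >= 1000 else 100
    return run_secondary(SecondaryZone(serial=100), master, until=90000)

if __name__ == "__main__":
    for when, event in demo().log:
        print(f"t={when:>6}s  {event}")
```

The run shows the secondary picking up the incremented serial at its next refresh, then retrying every 10 minutes through the outage until the one-day expire interval is exhausted.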

If you are using Active Directory-integrated zones exclusively (that is, all your DNS servers are domain controllers), you can force a zone transfer with another DNS server by forcing Active Directory replication to occur. To do this, open Active Directory Sites and Services from Administrative Tools and expand the following nodes in the console tree:

Root node → Sites → select a site → Servers → select target DNS server (domain controller) → NTDS Settings

Right-click on the object in the details pane that represents the link to the DNS server that you want to immediately replicate, and select Replicate Now.

Add a Resource Record

You can manually create resource records in a zone by right-clicking on a zone and specifying one of the following:

New Host

Creates an A record for a host. This option is available only for forward-lookup zones, and you can optionally create an associated PTR record simultaneously.

New Pointer

Creates a PTR record for a host. This option is available only for reverse-lookup zones.

New Alias

Creates a CNAME record to map an alias to a host.

New Mail Exchanger

Creates an MX record for an SMTP mail-forwarding host.

Other New Records

Lets you create any type of resource record (use this mainly to create NS records).

Once you create a resource record, you can modify it by:

Select zone → double-click on resource record

Create a Subdomain

Right-click on zone → New Domain → specify name of subdomain

For example, if your existing zone is authoritative for the mtit.com domain, you can create a subdomain called sales within the same zone. You need to specify only the name sales for the new subdomain, not the full name sales.mtit.com. Creating subdomains is a way of adding structure to the DNS namespace of your company.

Configure a Forwarder

To configure a name server to forward queries that can't be resolved locally to a different name server (that is, to a forwarder):

Right-click on DNS server → Properties → Forwarders → specify IP addresses of forwarders

If you specify more than one forwarder, they are tried in order until one is contacted within the specified forward time-out period. When a DNS server configured to use a forwarder receives a name query that it can't resolve itself, it sends the query to the forwarder to handle. If the forwarder can't resolve the name, it returns a failure message to the original DNS server. The original DNS server can then either:

  • Simply pass the failure message to the client that issued the query (i.e., iterative behavior)

  • Attempt to resolve the query itself from its own zone information (i.e., recursive behavior)

To choose the first option, on the Forwarders tab of the DNS server's properties sheet, select the checkbox "Do not use recursion." This makes your DNS server simply send all queries to the forwarder.

Note that you can now specify that the forwarder be used only for specific DNS domains (the default is any domain). This feature, known as conditional forwarding, is new to WS2003. Conditional forwarders can be used to set up more efficient forwarding paths in your company if you support several zones.
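An added Python model (not the book's code) of the forwarder behaviour described above: forwarders tried in order with time-out fall-through, conditional forwarders chosen by longest matching domain, and the "Do not use recursion" setting; the addresses and the fake network are constructed:

```python
from typing import Callable, Dict, List, Optional, Tuple

Reply = Tuple[str, Optional[str]]   # (rcode, address) as answered by a forwarder

class ForwardingServer:
    def __init__(self, forwarders: List[str], conditional=None,
                 do_not_use_recursion: bool = False):
        self.forwarders = list(forwarders)                # Forwarders tab, tried in order
        self.conditional = dict(conditional or {})        # per-domain (conditional) forwarders
        self.do_not_use_recursion = do_not_use_recursion  # the "Do not use recursion" checkbox
        self.zones: Dict[str, str] = {}                   # names this server is authoritative for

    def pick_forwarders(self, qname: str) -> List[str]:
        """Conditional forwarders for the longest domain that is a suffix of qname,
        otherwise the server-wide list (the 'any domain' default)."""
        q = qname.lower().rstrip(".")
        hits = [d for d in self.conditional if q == d or q.endswith("." + d)]
        return self.conditional[max(hits, key=len)] if hits else self.forwarders

    def resolve(self, qname: str, send: Callable[[str, str], Optional[Reply]],
                recurse: Callable[[str], Reply]) -> tuple:
        """send(ip, qname) models a query to a forwarder and returns None when it
        times out; recurse(qname) models this server resolving on its own.
        Returns (rcode, address, how the answer was obtained)."""
        if qname in self.zones:
            return ("NOERROR", self.zones[qname], "local zone")
        for ip in self.pick_forwarders(qname):
            reply = send(ip, qname)
            if reply is None:
                continue                                  # timed out: try the next forwarder
            if reply[0] == "NOERROR" or self.do_not_use_recursion:
                return reply + (ip,)                      # answer, or failure passed to client
            break                                         # forwarder failed: resolve it ourselves
        if self.do_not_use_recursion:
            return ("SERVFAIL", None, "no forwarder answered")
        return recurse(qname) + ("own recursion",)

# Constructed network: 10.0.0.1 never answers; 10.0.0.2 and the partner's server do.
def fake_send(ip: str, qname: str) -> Optional[Reply]:
    if ip == "10.0.0.1":
        return None
    known = {"10.0.0.2": {"www.example.com": "203.0.113.10"},
             "192.0.2.53": {"app.partner.example": "198.51.100.7"}}
    addr = known.get(ip, {}).get(qname)
    return ("NOERROR", addr) if addr else ("NXDOMAIN", None)

def fake_recurse(qname: str) -> Reply:
    return ("NOERROR", "203.0.113.99") if qname == "slow.example.net" else ("NXDOMAIN", None)

def build_server(do_not_use_recursion: bool = False) -> ForwardingServer:
    srv = ForwardingServer(["10.0.0.1", "10.0.0.2"], {"partner.example": ["192.0.2.53"]},
                           do_not_use_recursion)
    srv.zones["srv1.mtit.com"] = "10.1.2.3"               # a zone this server hosts itself
    return srv
```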

Configure a Caching-Only Name Server

Simply install the DNS Server service on a WS2003 machine and don't configure any forward- or reverse-lookup zones on it!

Configure Scavenging

Right-click on DNS server → Set Aging/Scavenging for all zones → Scavenge stale resource records

Scavenging removes stale resource records from the DNS database. This is important if you are using dynamic updates to maintain your DNS database. For example, if a DNS client configured to use dynamic updates shuts down improperly (for example, by turning the power off or removing the cable from its network card), the DNS server is not aware that the client is gone and still resolves names directed toward the client. If the client shuts down smoothly, its resource records are deleted from the DNS database when dynamic updates are used.

You can manually initiate scavenging by:

Right-click on DNS server → Scavenge stale resource records

Be careful with enabling scavenging. If it is not configured properly, you may end up deleting resource records that should have been retained. Scavenging can be enabled on a per-server, per-zone, or per-record basis. See the Windows Server 2003 Resource Kit for more information on configuring DNS scavenging.

Monitor a DNS Server

WS2003 DNS servers can perform self-monitoring actions on a scheduled basis to ensure they are functioning properly. To configure monitoring:

Right-click on DNS server → Properties → Monitoring → select type of test → specify test interval

A simple query means the DNS server must return a response without querying any other name servers. Selecting recursive query means that your DNS server can recursively query other name servers if necessary, which is a more complex test to perform and interpret. You can also click Test Now to perform a test manually. Test results are PASS or FAIL.

Specify Boot Method

Right-click on DNS server → Properties → Advanced → Load zone data on startup → select from where

Here are the possibilities:

From registry

The default on WS2003 when Active Directory-integrated zones aren't used.

From file

The option to store your name server configuration information in a boot file, an ASCII text file that uses BIND 4 format. You don't need this file for DNS on WS2003, but if you are importing your DNS information from an existing BIND 4.x.x name server, you can port the boot file from the BIND server to the WS2003 name server and then specify the setting described earlier.

From Active Directory and registry

The default on WS2003 domain controllers.

Update Server Datafiles

At predefined update intervals, DNS servers automatically write changes in standard primary zones to their associated zone files on the server's disk. This information is also written to disk when a DNS server is shut down. To immediately write changes in standard primary zones to their associated zone files on the server's disk:

Right-click DNS server → Update Server Data Files

When you make a change to an Active Directory-integrated zone, the information is written immediately to Active Directory; the Update Server Data Files option has no effect for these zones.

Clear the DNS Server Cache

Right-click on DNS server → Clear cache

This removes all resolved names from the server cache. The server cache contains information received from other name servers in response to recursive queries it has issued. You might clear the server cache after you manually modify existing resource records within a zone (for example, if servers had their IP addresses changed). This will ensure that DNS clients querying the server will have names resolved from zone data and not from a stale server cache.

The server cache on a DNS server and the resolver cache on a DNS client are two different things, although both are present on a DNS server (since every DNS server must also be a DNS client).

Configure DNS Clients

The procedure you will use to configure client computers to contact DNS servers for name resolution depends on the type of operating system on the client and whether DHCP or static IP addressing is used. The actual steps will vary, depending on which version of Microsoft Windows your clients are running, but some general guidelines are as follows.

Clients Using Static Addresses

Configure the following information on the client computer:

  • Specify the IP address of the primary (and possibly a secondary) DNS server.

  • Specify a list of DNS suffixes that should be appended to unqualified DNS names to try to resolve them (optional).

  • Enable the client to register its IP address with the DNS server using DNS dynamic updates (W2K/2003/XP clients only).

On W2K/2003/XP clients, dynamic updates are configured by default.

Clients Using DHCP

Configure the following information on the client computer:

  • Enable DHCP on the client.

  • Enable dynamic updates on the client by selecting the checkbox to register the connection's addresses in DNS (W2K/2003/XP clients only).

Configure the following information on the DHCP server:

  • Specify the IP addresses of primary and alternate DNS servers with DHCP option 6.

  • If desired, specify a list of DNS suffixes that should be appended to unqualified DNS names to try to resolve them. Only one suffix can be assigned using DHCP option 15; others have to be manually assigned at the client.

New to WS2003 is the fact that Group Policy now lets you configure DNS on W2K/2003/XP clients by enabling/disabling dynamic updates, specifying a DNS suffix, and so on. These new policy settings are found under Computer Configuration → Administrative Templates → Network → DNS Client.

Enable Dynamic Updates

To allow a zone to be automatically updated by dynamic updates:

Right-click on a zone → Properties → General → Dynamic updates → select option

On standalone name servers your options are None (the default) or Nonsecure and Secure (not recommended). For Active Directory-integrated zones you have a third option, Secure Only, which is the default and is recommended. Once you enable dynamic updates on the name server, you also need to enable it on the client. W2K/2003/XP clients belonging to a Windows 2003/2000 domain and using DHCP are configured to use dynamic updates by default. This can be toggled on or off by:

Right-click on My Network Places → Properties → right-click on Local Area Connection → Properties → select Internet Protocol (TCP/IP) → Properties → Advanced → DNS → select/deselect Register this connection's addresses in DNS

W2K/2003/XP machines dynamically reregister their A resource records with the DNS server every 24 hours or when a DHCP lease is renewed, a new lease is obtained, the TCP/IP configuration on the client changes, an IP address is added or removed for a static adapter, or a Plug and Play event occurs. If a DHCP lease expires, the client also deregisters its A record with DNS servers. You can force a client to reregister its A record with DNS servers with ipconfig /registerdns at the command line on the client. With NT clients that use DHCP to perform dynamic updates, use ipconfig /release and ipconfig /renew instead.

Preload Resolver Cache

You can speed up name queries to frequently accessed hosts by preloading the client resolver cache. On WS2003 clients, for example, open the Hosts file located in %SystemRoot%\System32\drivers\etc and add hostname-to-IP-address mappings using the format outlined in the file. When the client tries to resolve a name, it tries its local resolver cache first; if this fails, it then contacts a name server. You can verify that these entries have been preloaded into the client cache by using the ipconfig /displaydns command from a command prompt on the client. The downside of this procedure is that name-resolution data on your clients could become stale if you make changes to your server infrastructure often.

Flush the Resolver Cache

On a DNS client you can flush the contents of the resolver cache (the cached responses from a name query the client issued) using ipconfig /flushdns at the command line. You can do this if its contents become stale (for example, after you modify existing records on DNS servers).

View the Resolver Cache

In order to see what information is stored in the resolver cache on a DNS client, type ipconfig /displaydns at the command line. This displays both:

  • Information received from name servers in response to recently issued name queries by the client

  • Preloaded hostname-to-IP-address mappings from the client's local Hosts file

The entries in the cache age and expire when the TTLs associated with their records on the name server expire (entries in Hosts don't expire).
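An added Python example (not from the book) of the client resolver cache behaviour described in the last three sections: Hosts entries preloaded and never expiring, server answers aging out by TTL, and flushing; the Hosts text is a constructed sample:

```python
import time

HOSTS_SAMPLE = """\
# Constructed sample in the layout of %SystemRoot%\\System32\\drivers\\etc\\hosts
127.0.0.1       localhost
10.1.2.3        fileserver.mtit.com   fileserver     # two names, one address
10.1.2.4        mail.mtit.com
"""

def parse_hosts(text: str) -> dict:
    """Map every hostname on each non-comment line to its address (first wins)."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

class ResolverCache:
    """Client-side resolver cache: Hosts entries are preloaded and never expire;
    answers from name servers live only for the TTL their records carried."""
    def __init__(self, hosts_text: str, clock=time.time):
        self.clock = clock                      # returns the current time in seconds
        self.hosts_text = hosts_text
        self.flush()

    def flush(self) -> None:                    # what ipconfig /flushdns does
        self.entries = {}                       # name -> (address, expires_at)
        self.preloaded = parse_hosts(self.hosts_text)

    def add_answer(self, name: str, address: str, ttl: int) -> None:
        """Cache a response from a name server for its TTL."""
        self.entries[name.lower()] = (address, self.clock() + ttl)

    def lookup(self, name: str) -> tuple:
        """Return (address, source); source 'miss' means a name server must be asked."""
        key = name.lower()
        if key in self.preloaded:
            return self.preloaded[key], "hosts"
        hit = self.entries.get(key)
        if hit and hit[1] > self.clock():
            return hit[0], "cache"
        self.entries.pop(key, None)             # expired: drop it as the real cache does
        return None, "miss"

    def display(self) -> list:                  # what ipconfig /displaydns lists
        """(name, address, seconds left) rows; None marks a Hosts entry that never ages."""
        now = self.clock()
        rows = [(n, a, None) for n, a in self.preloaded.items()]
        rows += [(n, a, int(exp - now)) for n, (a, exp) in self.entries.items() if exp > now]
        return rows
```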



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch