Managing and Monitoring DNS


Objective:

Install and configure the DNS Server service.

  • Configure DNS server options.

  • Configure DNS zone options.

Manage DNS.

  • Manage DNS record settings.

Monitor DNS. Tools might include System Monitor, Event Viewer, Replication Monitor, and DNS debug logs.

Now that you know how to install, configure, and create entries for zones, you need to understand how to manage and monitor the DNS server. If your job is typical of most, you will spend a great deal more time managing DNS servers than installing them.

Although the DNS server doesn't include any specific monitoring capabilities, you should be aware of a number of additional options as you manage your DNS server over the long term. One utility that is very useful for managing the DNS server is the DNS snap-in to the MMC, which is listed as DNS in the Administrative Tools menu.

Capabilities of the DNS Console

To take a closer look at the capabilities of the DNS console, open the DNS console. Then, select the DNS server and select the Action menu to see these available actions:

  • Set Aging/Scavenging for All Zones: Opens the Server Aging/Scavenging Properties dialog box.

  • Scavenge Stale Resource Records Manually: Allows the manual removal of outdated or incorrect DNS entries.

  • All Tasks: Includes tasks such as starting, stopping, pausing, resuming, and restarting the DNS server service.

  • Delete: Deletes the DNS server.

  • Refresh: Causes all the displayed information to be refreshed for the current status.

  • Export List: Exports the information from the DNS server to a tab- or comma-delimited text or Unicode text file.

  • Properties: Opens the Properties dialog box for the selected DNS server, as discussed earlier in this chapter.

The following sections take a closer look at several of these actions.

Configuring Aging/Scavenging

Aging and scavenging of resource records will be important to you if you have clients that come and go from your network or have clients that have IP address changes. In reality, that statement describes almost 100 percent of all networks that use DNS today, so aging and scavenging are useful for almost every DNS implementation to help keep records clean and up to date. By default, aging and scavenging are not enabled or configured on a newly installed Windows Server 2003 DNS server, so you'll need to perform those tasks yourself or run the risk of slowly poisoning your DNS information with outdated and conflicting resource records.

In terms of DNS, aging is the process of placing a timestamp on a dynamically created resource record and then tracking the age of that record. Scavenging, in DNS, is the process of deleting any resource records that have timestamps on them that are found to be outdated. As a result, scavenging can occur only when aging has also been enabled and properly configured. In order for aging and scavenging to work correctly, they must be configured on the DNS server and also on any zones residing on that DNS server for which you want aging and scavenging to occur.

Note: Not Backwards Compatible

Once you enable and configure aging and scavenging on a zone, only Windows Server 2003 and Windows 2000 Server DNS servers will be able to read the zone.


To enable aging and scavenging for a server, complete the steps outlined in Step by Step 3.11.

Step By Step
3.11. Configuring a Server for Aging and Scavenging

1.

Log on to Windows Server 2003 using the Administrator account or another account that has administrator privileges.

2.

Open the DNS console by selecting Start, Control Panel, Administrative Tools, DNS.

3.

Right-click the DNS server for which you want to configure aging and scavenging and select Set Aging/Scavenging for All Zones to open the Server Aging/Scavenging Properties dialog box, as seen in Figure 3.54.

Figure 3.54. By default, aging and scavenging are disabled in Windows Server 2003 DNS.


4.

Enable aging and scavenging by selecting the Scavenge stale resource records option. If desired, you can change the No-refresh and Refresh intervals (explained in the list below), although the defaults will work fine in most cases. After making your selection, click OK to confirm it.

  • No-refresh Interval: This option controls the time between the most recent refresh of a record's time stamp and when the time stamp can be refreshed again. In a very busy network where computers join and leave frequently, you might want to lower this from the default, which is 7 days.

  • Refresh Interval: This option sets the time between the earliest moment that a record time stamp can be refreshed and the earliest moment a record can be scavenged.

5.

The Server Aging/Scavenging Confirmation dialog box appears as seen in Figure 3.55. If you want to enable the same configuration on all of your Active Directory-integrated zones, which is usually the best choice, then select the Apply These Settings option and click OK to apply your settings at the server and zone level.

Figure 3.55. You can quickly and easily apply your aging and scavenging settings to all Active Directory-integrated zones.


If the server on which you configured aging and scavenging contains any standard zones, you will now need to configure aging and scavenging on them manually. Likewise, if you did not allow the configuration to be applied to your existing Active Directory-integrated zones, as seen in Figure 3.55, then you'll need to configure aging and scavenging manually on them as well. Step by Step 3.12 presents this process.

Step By Step
3.12. Configuring a Zone for Aging and Scavenging

1.

Log on to Windows Server 2003 using the Administrator account or another account that has administrator privileges.

2.

Open the DNS console by selecting Start, Control Panel, Administrative Tools, DNS.

3.

Right-click the DNS zone for which you want to configure aging and scavenging and select Set Properties from the context menu to open the zone Properties dialog box, which was seen in Figure 3.50.

4.

Click the Aging… button to open the Zone Aging/Scavenging Properties dialog box, as seen in Figure 3.56.

Figure 3.56. Aging and scavenging are configured manually for standard DNS zones.


5.

Enable aging and scavenging by selecting the Scavenge Stale Resource Records option. If desired, you can change the No-refresh and Refresh intervals, although the defaults will work fine in most cases. After making your selection, click OK to confirm it.

6.

You will now be warned about the fact that making these changes to your zone will render it incompatible with older DNS servers, as previously mentioned. Click Yes to apply the aging and scavenging configuration to the zone.

Scavenging Stale Resource Records Manually

You can force scavenging of stale resource records by right-clicking a server and selecting the Scavenge Stale Resource Records Manually option from the context menu. Selecting this option immediately removes any out-of-date resource records. The related Update Server Data Files option writes to the server's hard drive any changes to the zone data that are currently held only in RAM. To clear the server cache manually, you will need to right-click the DNS server and select Clear Cache from the context menu.
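To make the interaction between a record's time stamp, the no-refresh interval and the refresh interval concrete, here is an added Python model (not from the book) of how a dynamically registered record ages, when a client refresh actually moves its time stamp, and when a scavenging pass would remove it. The 7-day defaults come from the dialog described above; the record names and addresses are constructed, and the model ignores the hour granularity the real server uses for time stamps.

```python
from datetime import datetime, timedelta

# Defaults shown in the Server Aging/Scavenging Properties dialog: 7 days each.
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)


class DynamicRecord:
    """A resource record that carries an aging time stamp.

    Manually created (static) records have no time stamp and are never
    scavenged; that case is represented by timestamp=None.
    """

    def __init__(self, name, rdata, timestamp):
        self.name = name
        self.rdata = rdata
        self.timestamp = timestamp  # None means a static record

    def try_refresh(self, now, no_refresh=NO_REFRESH):
        """A client re-registration only moves the time stamp once the
        no-refresh interval has elapsed; earlier refreshes are suppressed,
        which is what keeps the zone from being rewritten (and, for
        AD-integrated zones, replicated) on every client restart.
        Returns True when the time stamp was actually updated."""
        if self.timestamp is None:
            return False
        if now - self.timestamp < no_refresh:
            return False
        self.timestamp = now
        return True

    def is_stale(self, now, no_refresh=NO_REFRESH, refresh=REFRESH):
        """Eligible for scavenging once both intervals have passed since the
        time stamp was last set: no-refresh (stamp frozen) + refresh
        (stamp may move again, but nobody did it)."""
        if self.timestamp is None:
            return False
        return now >= self.timestamp + no_refresh + refresh


def scavenge(records, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Split a zone's records the way one scavenging pass would: (kept, removed)."""
    kept, removed = [], []
    for record in records:
        (removed if record.is_stale(now, no_refresh, refresh) else kept).append(record)
    return kept, removed


if __name__ == "__main__":
    # Constructed timeline: a laptop registers on day 0, re-registers on day 3
    # (ignored) and day 7 (accepted), then disappears from the network.
    t0 = datetime(2006, 1, 1)
    laptop = DynamicRecord("nycwks042", "10.0.5.42", t0)
    www = DynamicRecord("www", "10.0.0.5", None)  # static, never scavenged
    for day in (3, 7):
        print("day %2d refresh accepted: %s" % (day, laptop.try_refresh(t0 + timedelta(days=day))))
    for day in (14, 20, 21):
        kept, removed = scavenge([laptop, www], t0 + timedelta(days=day))
        print("day %2d removed: %s" % (day, [r.name for r in removed]))
```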

Implementing Delegated Zones for DNS

You can create a delegated zone for DNS, whereby you assign responsibility for a specific subdomain within the DNS namespace to another entity. Typically, this translates into your delegating responsibility for one or more child subdomains in your DNS namespace (which are usually mapped directly to your Active Directory organization) to another group or branch within your organization.

When you delegate a domain, DNS queries on the existing domain will be referred to the name server in the delegated domain for resolution. You can delegate only down the hierarchy, so the delegated domain must be a subdomain of the domain doing the delegation. For example, the domain marketing.quepublishing.com can delegate resolution for the domain it.marketing.quepublishing.com to another server, but it.marketing.quepublishing.com cannot delegate up the DNS hierarchy by delegating for the marketing.quepublishing.com domain. This might be a little confusing, but the configuration procedure, described in Step by Step 3.13, should make it a little clearer.

Step By Step
3.13. Creating a Delegated Zone

1.

Log on to Windows Server 2003 using the Administrator account or another account that has administrator privileges.

2.

Open the DNS console by selecting Start, Control Panel, Administrative Tools, DNS.

3.

Right-click the DNS zone in which you would like to create a delegated domain, and from the context menu, select New Delegation. The New Delegation Wizard appears; click Next to dismiss the opening page and continue. The Delegated Domain Name dialog box appears, as seen in Figure 3.57.

Figure 3.57. The Delegated Domain Name screen lets you name and create the subdomain for which you are creating the delegation.


4.

In the Delegated Domain Name screen, enter the unqualified name for the domain to which you want to delegate (that is, the name of the subdomain you want to create) in the Delegated Domain field. For example, you can use IT for the domain name. Notice that it is carried into the Fully Qualified Domain Name (FQDN) field. Click Next to continue. The Name Servers dialog box appears, as seen in Figure 3.58.

Figure 3.58. The name server or servers to which you are delegating the domain can exist in any domain but are typically located in the domain in which the subdomain is being created.


5.

In the Name Servers dialog box, click Add, and the New Resource Record dialog box appears, as seen in Figure 3.59. When you delegate a zone, you must first configure the Name Server (NS) record for the new domain. You can do this either by browsing to the name server in Active Directory or by specifying it by name or IP address. After you have filled in the IP address field, click Add to add the server to your NS record list. Click OK to return to the Name Servers dialog box, as seen in Figure 3.60. Note that your new DNS server appears on the list.

Figure 3.59. You need to test to be sure that the new name server's name can be resolved if you enter it manually.




Figure 3.60. This screen should contain all the name servers that have NS records for the new subdomain you are creating.


6.

Click Next, and the Completing the New Delegation Wizard screen appears. Verify that the information shown on this screen is correct. To complete the wizard and create the new domain, click Finish. You should see the newly created subdomain listed under the existing domain in the DNS console, as seen in Figure 3.61.

Figure 3.61. You need to visually ensure that the domain you create and the associated delegation entries are installed correctly.


Note: Names for a Record

When you create a record, you can use the FQDN or just the hostname. If you use just the hostname, the rest of the FQDN for the domain in which you are creating the entry will automatically be appended.


Manually Creating DNS Resource Records

We've spent most of this chapter looking at the dynamic methods for creating entries in the DNS zone. Now let's look at how to manually create an entry. You might use this method for non-Windows Server 2003 hosts, table entry types that are not supported by DDNS, or hosts that you just want to configure with a static entry. For example, if your company's server naming convention is based on server location and purpose, a Web server for Que Publishing located in New York City might be named nycweb001, which would make its dynamic entry nycweb001.publishing.quepublishing.com. If you wanted people to be able to go to www.quepublishing.com, you would create a manual entry in DNS to allow users to access the server using the more common naming convention. When you manually create a DNS entry, you have these four options:

  • New Host: This creates an A record.

  • New Alias: This creates a CNAME record.

  • New Mail Exchanger: This creates an MX record.

  • Other New Records: This allows you to select the other record types.

Next you will create a new host record. To manually create a DNS entry, follow the procedure outlined in Step by Step 3.14.

Step By Step
3.14. Manually Creating a DNS Entry

1.

Log on to Windows Server 2003 using the Administrator account or another account that has administrator privileges.

2.

Open the DNS console by selecting Start, Control Panel, Administrative Tools, DNS.

3.

Right-click the zone in which you want to add an entry and select New Host (A). The New Host dialog box, as seen in Figure 3.62, opens.

Figure 3.62. You need to know the correct DNS name and IP address of the host you are adding.


4.

In the Name field, enter the hostname. Enter the IP address in the IP Address box. If you want to create an entry in the reverse lookup zone for that network, you can select the Create Associated Pointer (PTR) Record option. Click Add Host to create the entry. Click Done when you have finished adding A records to the zone.

Note: Record Types

Refer back to Table 3.1 for a complete listing of record types.


Monitoring the DNS Service

There are a number of ways to monitor different components of the DNS service, including using the Monitoring tab of the server Properties dialog box, the System Monitor, the Event Viewer, the DNS debug logs, and the Replication Monitor. Let's look at using the Monitoring tab options of the server Properties dialog box first.

The Server Properties Monitoring Tab

The simplest method for monitoring the DNS server service is to use the monitoring capabilities that are built in to the DNS console application. As discussed earlier in this chapter, the Monitoring tab of the DNS server Properties dialog box can be used to configure monitoring of the Windows Server 2003 DNS service.

To set up testing and monitoring, follow the procedure outlined in Step by Step 3.15.

Step By Step
3.15. Testing the DNS Service

1.

Open the DNS console by selecting Start, Control Panel, Administrative Tools, DNS.

2.

Right-click the DNS server and select Properties. The DNS server Properties dialog box appears. Select the Monitoring tab as seen in Figure 3.63. You can configure a simple query or a recursive query or even automatic testing of the DNS service from this tab.



Figure 3.63. The Monitoring tab of the DNS server Properties dialog box allows you to perform simple DNS resolution testing to ensure that the DNS service is working properly.


3.

Click Test Now to perform the selected tests.

4.

Click OK to return to the DNS console.

This test allows you to perform two types of queries:

  • Simple (iterative) query: A simple query, also called an iterative query, is one in which the name server provides the best response based on what that server knows from local zone files or from caching. If a name server doesn't have any information to answer the query, it simply sends a negative response.

  • Recursive query: A recursive query forces a DNS server to respond to a request with either a failure response or a success response. With a recursive query, the DNS server must contact any other DNS servers it needs to contact to resolve the request. This is a much more resource-intensive query mechanism than the simple query.

If the test fails, you see an error message in the DNS console, and an alert icon appears on the DNS server.

System Monitor

The following groups of counters are available for the DNS object:

  • AXFR: These counters are associated with the full zone transfer requests received by the master DNS server. This group includes the Requests Received, Requests Sent, Response Received, Success Received, and Success Sent counters.

  • Caching Memory: This counter tracks the amount of memory used by the DNS server.

  • Database Node Memory: This counter tracks the amount of database node memory used by the DNS server.

  • Dynamic Update: These counters are associated with the dynamic updating of DNS. This group includes the NoOperation, NoOperation/sec, Queued, Received, Received/sec, Rejected, Timeouts, Written to Database, and Written to Database/sec counters.

  • IXFR: These counters are associated with the incremental zone transfer requests received by the master DNS server. This group includes the Requests Received, Requests Sent, Response Received, Success Received, Success Sent, TCP Success Received, and UDP Success Received counters.

  • Nbtstat Memory: This counter tracks the amount of nbtstat memory in use by the server.

  • Notify Received/Sent: These counters track the notifications sent and received by the secondary DNS server.

  • Record Flow Memory: This counter tracks the amount of record flow memory used by the DNS server.

  • Recursive: These counters are associated with the recursive queries the DNS server must make. This group includes the Queries, Queries/sec, Query Failure, Query Failure/sec, Send TimeOuts, and TimeOut/sec counters.

  • Secure Update: These counters are associated with the number of secure updates sent and received. This group includes the Failure, Received, and Received/sec counters.

  • TCP/UDP: These counters track the respective TCP and UDP queries and responses. This group includes the Message Memory, Query Received, Query Received/sec, Response Sent, and Response Sent/sec counters.

  • Total: These counters total the respective categories of requests and responses. This group includes the Query Received, Query Received/sec, Response Sent, and Response Sent/sec counters.

  • WINS: Because DNS under Windows Server 2003 can be used for WINS lookups, the DNS counters include the following WINS-specific counters: Lookup Received, Lookup Received/sec, Response Sent, Response Sent/sec, Reverse Lookup Received, Reverse Lookup Received/sec, Reverse Response Sent, and Reverse Response Sent/sec.

  • Zone Transfer: These counters are associated with the process of transferring copies of the DNS table between DNS servers. This group includes the Failure, Request Received, SOA Request Sent, and Success counters.

To configure DNS performance monitoring, follow the procedure outlined in Step by Step 3.16.

Note: Identifying a Counter

If you need to know what a counter means and you have left your copy of this book at home under your pillow, fear not. Microsoft provides an option that does an excellent job of defining the counters: You select the counter you want to know more about and then click the Explain button.


Step By Step
3.16. Configuring DNS Performance Monitoring

1.

Open the Performance console by selecting Programs, Administrative Tools, Performance.

2.

In the left pane of the Performance console, select System Monitor.

3.

To create an entry in System Monitor, click the + icon. The Add Counters window appears, as shown in Figure 3.64. By default it opens to the Processor performance object.

Figure 3.64. The DNS performance object offers a number of parameters to monitor.


4.

Select the DNS performance object. The list of counters that are available for DNS is displayed. If you aren't sure what a counter does, select it and click the Explain button.

5.

After you have decided what counter you want to monitor, click Add. (Total Query Received is usually a good monitor for seeing what the Performance console can do for you.) You can add multiple counters either by selecting each counter and clicking Add or by using the standard Windows multiple-item-select method of holding down the Ctrl key while you select all the counters you want to monitor and clicking Add. Click Close when you are done. You should see your counters being graphed, similar to those shown in Figure 3.65.

Figure 3.65. The graphing capabilities of the Performance console are great for giving you orders-of-magnitude reporting on activities.


Exam Alert: Don't Memorize All the Counters

Microsoft does not expect you to memorize all these counters. You should, however, be familiar with the different types and know how to use the Performance console.


Exam Alert: The AXFR and IXFR Counters

Two types of counters that are especially important are the AXFR and IXFR counters. Remember that AXFR counters are used in conjunction with full zone transfers, and IXFR counters are used in conjunction with incremental zone transfers.


Event Viewer

The Event Viewer is where the DNS event logs can be viewed and any informational, warning, or error messages can be reviewed to ensure that DNS is working as it should. To check the DNS event log, follow the procedure outlined in Step by Step 3.17.

Step By Step
3.17. Reviewing an Error in the DNS Event Log

1.

Open the Event Viewer by selecting Start, Administrative Tools, Event Viewer. The Event Viewer console opens.

2.

Select the DNS Server log. The list of events for that log appears in the right pane of the Event Viewer, as seen in Figure 3.66.

Figure 3.66. If you configured the DNS service to log all events, you should see a list of events in the DNS Server log.


3.

Double-click an entry from the right pane. The Event Properties window opens, as seen in Figure 3.67.

Figure 3.67. The Event Properties window gives you very detailed information about the event that was logged.


4.

After you have reviewed the event, click OK to return to the Event Viewer. You should try to look at several other types of events before you close the Event Viewer.

The DNS Debug Log

The DNS debug log captures detailed information about each packet that is sent or received by the DNS server. This log can be read with any text editor (Notepad for example) and is geared toward users with very in-depth knowledge of DNS and DNS packet data. Figure 3.60 shows sample DNS debug log output. By default, the DNS debug log can be found in the %systemroot%\system32\dns directory. You can also specify a location for this file on the Debug Logging tab of the DNS server Properties dialog box.

Exam Alert: Reading DNS Debug Logs

You might be wondering if you're going to have to read a DNS debug log for the exam. Definitely not. For the exam, you should know how to enable the DNS debug log and how to view it. Interpreting the data is beyond the scope of Exam 70-291.


Replication Monitor

The Replication Monitor (replmon.exe) is a utility that is available in the Windows Server 2003 Resource Kit, and it is used to monitor Active Directory replication. If you are using Active Directory to store and replicate DNS information, you might want to use the Replication Monitor to verify that Active Directory is replicating DNS information accurately.

Exam Alert: replmon.exe

It's not likely that you'll see the replmon.exe utility on your 70-291 exam, but you should be aware of its existence and its basic purpose.


Securing DNS

Although Active Directory-integrated zones with Secure dynamic updates are fairly secure, there are some more advanced configuration changes that can be made in the interest of further securing the server. While not a complete listing of items by any means, the following list presents some of the more common items that you can work with to increase security:

  • Network interfaces: If your DNS server has multiple network interfaces, the DNS service will by default listen for and respond to name resolution queries on all of them. You can add some security to your DNS server installation by configuring it so that it listens only on the IP address that DNS clients use to contact it.

  • Disabling recursion: Recursion is enabled by default in Windows Server 2003 DNS, which allows the DNS server to perform recursive queries to other DNS servers on behalf of its DNS clients and other DNS servers that have forwarded queries to it for resolution. If a DNS server is not intended to perform recursive queries, you should disable them to prevent recursion from being used as an attack vector on the DNS server.

  • Securing the cache against pollution: This advanced server option is enabled by default to help ensure that the server's DNS cache is secured against pollution. Cache pollution can result when a DNS query response returns incorrect nonauthoritative or malicious data. By keeping this option enabled, the DNS server will not accept resource records in a query response that were not requested in the original query. You should not disable this protection.

  • Removing root hints: If you have configured an internal DNS root in your DNS infrastructure, configure the root hints on all of your other internal DNS servers to point only to your internal DNS root server. By removing the ability for the other DNS servers to contact root servers on the Internet, you remove the capability to accidentally disclose your private internal information on the Internet.

  • Use a private DNS namespace: If your network clients will never need to communicate with the Internet, you can use a private DNS namespace, such as quepublishing.corp, along with an internal root DNS server and applicable firewall configuration to prevent DNS-related traffic from ever leaving your organization. You should note that simply by using a private DNS namespace, you have not eliminated the ability to communicate with the Internet.

  • Use a split DNS namespace: If your network clients will need to communicate with the Internet, consider using a split DNS namespace. In this model, the Internet namespace may be something such as quepublishing.com, while the internal namespace may be corp.quepublishing.com. Each section of the DNS namespace should be hosted on separate DNS servers located on the applicable side of your corporate firewall. Requests made by clients internally should be forwarded to your external DNS servers if the internal DNS servers cannot provide the requested query answer. This would be accomplished by configuring your internal DNS servers to forward requests only to your external DNS servers. Additionally, you should configure your external DNS servers to forward requests only to your ISP's trusted DNS servers.

  • Use firewall rules: You can configure and implement a firewall rule on your packet-filtering firewall to separate your internal network from the Internet. This would allow TCP and UDP traffic on port 53 between your internal and external DNS servers.

  • Harden servers: You can get detailed information and assistance on hardening Windows Server 2003 servers from the "Windows Server 2003 Security Guide."
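As an added example (not from the book), this Python audit checks a DNS server's parameter values against the listen-address, recursion/forwarding and cache-pollution items above, for both an internal forwarding server in a split namespace and an authoritative-only server. The value names NoRecursion, SecureResponses, ListenAddresses and Forwarders under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters are the DNS Server service's own settings and are assumed here rather than taken from the page; the sample parameter sets and addresses are constructed.

```python
"""Audit Windows DNS Server service parameters against a hardening policy.

Assumption (not from the book): the service stores its settings under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters, including NoRecursion and
SecureResponses (REG_DWORD) and ListenAddresses and Forwarders (address lists).
A value absent from the registry means the service default applies.
"""

DEFAULTS = {"NoRecursion": 0, "SecureResponses": 1}


def audit_dns_parameters(params, expected_listen, allowed_forwarders, recursion_needed):
    """Return a list of findings; an empty list means the server matches policy.

    params             parameter name -> value, as read from the registry
    expected_listen    the address(es) DNS clients use to reach this server
    allowed_forwarders forwarders this server may use (internal servers: the
                       external DNS servers; external servers: the ISP's servers)
    recursion_needed   False for a server that should only answer for its own zones
    """
    findings = []
    p = dict(DEFAULTS, **params)

    # Network interfaces: listen only on the address clients actually use.
    listen = p.get("ListenAddresses") or []
    if not listen:
        findings.append("ListenAddresses unset: the service answers on every interface; "
                        "restrict it to %s" % ", ".join(expected_listen))
    elif set(listen) != set(expected_listen):
        findings.append("ListenAddresses %s differs from expected %s"
                        % (sorted(listen), sorted(expected_listen)))

    # Recursion: only where the role requires it, and then only through the
    # approved forwarders so queries never leave for the Internet roots directly.
    forwarders = p.get("Forwarders") or []
    if recursion_needed:
        if p["NoRecursion"] == 1:
            findings.append("NoRecursion=1 but this server must resolve for clients via forwarders")
        if not forwarders:
            findings.append("no Forwarders configured: unanswered queries would use root hints")
        else:
            unexpected = set(forwarders) - set(allowed_forwarders)
            if unexpected:
                findings.append("forwarders outside policy: %s" % sorted(unexpected))
    elif p["NoRecursion"] != 1:
        findings.append("NoRecursion=0 on a server that should not recurse: set NoRecursion=1")

    # Cache pollution protection must stay on.
    if p["SecureResponses"] != 1:
        findings.append("SecureResponses=0: cache pollution protection disabled; set it back to 1")
    return findings


def read_live_parameters():
    """Read the raw values from the local registry (run on the DNS server itself).
    On some versions the address lists are stored as binary IP-address arrays rather
    than strings and must be decoded before being passed to audit_dns_parameters()."""
    import winreg  # Windows only
    path = r"SYSTEM\CurrentControlSet\Services\DNS\Parameters"
    params = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, value, _kind = winreg.EnumValue(key, index)
            except OSError:
                break
            params[name] = value
            index += 1
    return params


# Constructed sample: an internal corp.quepublishing.com server still at install-time
# defaults, except that someone pointed its forwarder straight at an ISP resolver
# instead of the organisation's external DNS server.
SAMPLE_INTERNAL = {"Forwarders": ["203.0.113.53"]}
POLICY_INTERNAL = dict(expected_listen=["10.10.0.53"], allowed_forwarders=["192.0.2.10"],
                       recursion_needed=True)

if __name__ == "__main__":
    for finding in audit_dns_parameters(SAMPLE_INTERNAL, **POLICY_INTERNAL):
        print("-", finding)
```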




MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
Year: 2006
Pages: 196
Authors: Will Schmied

flylib.com © 2008-2017.