
Designing and Implementing DNS

MCITP Guide to Microsoft Windows Server 2008 Enterprise Administration (Exam #70-647)



Learning Objectives
• Understand Domain Name System (DNS) improvements in Windows Server 2008
• Understand the basics of DNS
• Plan and implement DNS zones
• Create DNS records to support different clients
• Design replication scope using different Active Directory partitions


Improvements in Windows Server 2008 DNS
• GlobalNames zones
• IPv6 support
• Read-only domain controller (RODC) support
• Background zone loading


Name Resolution in a Domain
• Provided by the Domain Name System (DNS) server
– Resolves names to IP addresses using A (host) records
– Resolves IP addresses to names using pointer (PTR) records
– Locates domain controllers using service location (SRV) records
– Locates mail servers using mail exchange (MX) records
– Resolves single-label names using a GlobalNames zone


Computer Names
• Two types of computer network names
– NetBIOS names
– Host names
• A host name may be up to 255 characters long (as a fully qualified domain name)
– Windows derives the NetBIOS name from the host name by truncating it to 15 characters
• NetBIOS enforces a 15-character limit (the 16th byte of a NetBIOS name is reserved for the service suffix)


Name Resolution Methods
• Seven different name resolution types
– Three primarily used with host names
• DNS server, hosts file, host (DNS resolver) cache
– Three primarily used with NetBIOS names
• WINS server, LMHosts file, NetBIOS name cache
– Broadcast
• Any host on the local subnet can answer a broadcast query (NetBIOS, or LLMNR on Windows Vista and later), so it is the least trustworthy method; keep DNS authoritative for every name clients need so that resolution never falls through to it


Table 3-1 Name resolution methods used with host names

Table 3-2 Name resolution methods used with NetBIOS names


DNS Zones, Zone Files, and Zone Resource Records
• A DNS zone defines a namespace (a contiguous portion of the DNS tree)
• If a DNS server hosts a zone:
– It can authoritatively answer queries for hosts in that zone (that common namespace)
• If a host exists with a given host name:
– The authoritative DNS server knows it and can respond with its IP address
• A DNS server holds forward and/or reverse lookup zone files containing the individual records


Figure 3-1 Viewing the DNS console Courtesy Course Technology/Cengage Learning



DNS Zones
• Primary DNS zone
– Master (writable) copy of a zone
• Secondary DNS zone
– Read-only copy of a zone, obtained from the primary by zone transfer
– Used for fault tolerance and load balancing
• Active Directory-integrated (ADI) primary zone
– Hosted on a domain controller
– Zone transfers replaced by Active Directory replication


DNS Zones (cont’d.)
• Stub zone
– Partial copy of a zone
– Hosts only the resource records needed to identify the authoritative DNS servers for that zone (SOA, NS, and glue A records)
• GlobalNames zones (GNZs)
– New to Windows Server 2008
– Allow DNS to resolve single-label names


DNS Files
• A DNS server holds one or two zone files for a namespace
– Forward lookup zone file
• For name-to-IP address resolution
• Required; defined when the zone is created
– Reverse lookup zone file
• For IP address-to-name resolution
• Optional, but without it PTR queries (used when correlating IP addresses in logs) fail


DNS Resource Records
• A record
– Resolves a name to an IPv4 address
• AAAA record
– Resolves a name to an IPv6 address
• Service location (SRV) record
– Locates servers running a specific service (target name, port, priority, and weight)
• Start of authority (SOA) record
– Identifies the primary server for the zone and carries the serial number and timers that govern zone transfers
• Name server (NS) records
– Identify the DNS servers that are authoritative for the zone


DNS Resource Records (cont’d.)
• Mail exchange (MX) record
– Locates the mail servers for a domain
• Alias record
– Known as a canonical name (or CNAME) record
– Maps an additional name to an existing host name, so one server can be reached under several names that all resolve to its IP address
• Pointer (PTR) records
– Used for reverse lookups (IP address to name)
• Activity 3-1: Creating an A record and an MX record in DNS


Figure 3-2 Creating an A record Courtesy Course Technology/Cengage Learning



Figure 3-3 Creating an MX record Courtesy Course Technology/Cengage Learning


Figure 3-4 A and MX records created in DNS Courtesy Course Technology/Cengage Learning



Understanding Dynamic Update and Secure Dynamic Update
• Dynamic update process
– Allows A, AAAA, and PTR records to be created and updated automatically in DNS without administrator intervention
– Without the secure option, any host that can reach the server can add or overwrite records in the zone
• Secure dynamic updates require:
– DNS server hosted on a domain controller
– A primary ADI zone
• Items needed for the DHCP-driven registration shown in Figure 3-5:
– Client configured to use DHCP
– DHCP options must include the DNS server address
– DNS zone configured to allow dynamic updates


Figure 3-5 DNS dynamic updates Courtesy Course Technology/Cengage Learning



Understanding Dynamic Update and Secure Dynamic Update (cont’d.)
• Dynamic updates are not unique to Microsoft DNS (the protocol is RFC 2136)
• Secure dynamic updates
– Microsoft’s implementation: each update is authenticated with the client’s Kerberos credentials (GSS-TSIG)
– Only work on a Microsoft DNS server:
• Hosting an ADI zone on a domain controller
• Secure dynamic update benefits
– Only authenticated domain computers can update records, and by default only the account that created a record can change it
– Can set permissions (ACLs) on zones and on individual records
• Activity 3-2: Configuring Secure Dynamic Updates on DNS
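What the zone’s update setting actually decides, as an added example that is not part of the original slides: the code below builds an RFC 2136 UPDATE message the way a client registration looks on the wire, then emulates a server under each of the three settings (no updates, nonsecure, secure). Windows authenticates secure updates with Kerberos through GSS-TSIG; because that needs a KDC, this example substitutes a shared-key TSIG (RFC 2845 with HMAC-SHA256), which has the same message layout. The zone, host, address, key name and key are constructed for the example.

```python
import hashlib
import hmac
import struct

# All names, addresses and the shared key in this example are constructed.
ALG = "hmac-sha256."   # TSIG algorithm name; stands in for GSS-TSIG (Kerberos)
FUDGE = 300            # seconds of clock skew the verifier tolerates


def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_update(zone, host, ip, txid=0x4242):
    """RFC 2136 UPDATE (opcode 5): the zone section names the zone's SOA; the
    update section deletes every RRset for host, then adds host -> ip as an A
    record. This is what a Windows client's registration amounts to on the wire."""
    header = struct.pack("!HHHHHH", txid, 0x2800, 1, 0, 2, 0)            # ZO=1 PR=0 UP=2 AD=0
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)                # SOA, IN
    delete = encode_name(host) + struct.pack("!HHIH", 255, 255, 0, 0)      # ANY ANY ttl=0 len=0
    add = encode_name(host) + struct.pack("!HHIH", 1, 1, 1200, 4) + bytes(int(o) for o in ip.split("."))
    return header + zone_sec + delete + add


def _tsig_vars(keyname_wire, alg_wire, time_signed, fudge):
    """TSIG variables appended to the message before it is MACed (RFC 2845 3.4.2)."""
    hi, lo = divmod(time_signed, 1 << 32)                                  # 48-bit time
    return (keyname_wire + struct.pack("!HI", 255, 0) + alg_wire
            + struct.pack("!HIH", hi, lo, fudge) + struct.pack("!HH", 0, 0))


def sign_tsig(msg, keyname, key, time_signed):
    """Append a TSIG RR (type 250) to an unsigned message and bump ARCOUNT."""
    keyname_wire, alg_wire = encode_name(keyname), encode_name(ALG)
    mac = hmac.new(key, msg + _tsig_vars(keyname_wire, alg_wire, time_signed, FUDGE),
                   hashlib.sha256).digest()
    hi, lo = divmod(time_signed, 1 << 32)
    rdata = (alg_wire + struct.pack("!HIH", hi, lo, FUDGE) + struct.pack("!H", len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))                   # orig id, error, other len
    rr = keyname_wire + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def _name_end(buf, off):
    """Offset just past an uncompressed wire-format name that starts at off."""
    while buf[off]:
        off += buf[off] + 1
    return off + 1


def split_tsig(msg):
    """Walk all sections; if the last RR is a TSIG, return (message as it was
    before signing, parsed TSIG fields); otherwise return (msg, None)."""
    _, _, zc, pc, uc, ac = struct.unpack("!HHHHHH", msg[:12])
    off, last = 12, None
    for _ in range(zc):
        off = _name_end(msg, off) + 4                                      # name, type, class
    for _ in range(pc + uc + ac):
        start = off
        name_end = _name_end(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[name_end:name_end + 10])
        off = name_end + 10 + rdlen
        last = (start, name_end, rtype, rdlen)
    if last is None or last[2] != 250:
        return msg, None
    start, name_end, _, rdlen = last
    rd = msg[name_end + 10:name_end + 10 + rdlen]
    alg_end = _name_end(rd, 0)
    hi, lo, fudge, macsize = struct.unpack("!HIHH", rd[alg_end:alg_end + 10])
    tsig = {"keyname": msg[start:name_end], "alg": rd[:alg_end], "time": (hi << 32) | lo,
            "fudge": fudge, "mac": rd[alg_end + 10:alg_end + 10 + macsize]}
    return msg[:10] + struct.pack("!H", ac - 1) + msg[12:start], tsig


def server_accepts(msg, policy, keys, now):
    """Emulate the zone's Dynamic updates setting: 'none', 'nonsecure' (anything
    is accepted) or 'secure' (TSIG from a known key, valid MAC, fresh timestamp).
    Returns (accepted, reason)."""
    if policy == "none":
        return False, "REFUSED: updates disabled"
    stripped, tsig = split_tsig(msg)
    if tsig is None:
        if policy == "nonsecure":
            return True, "unsigned update accepted"        # any host on the network can do this
        return False, "REFUSED: unsigned update"
    key = keys.get(tsig["keyname"])
    if key is None:
        return False, "BADKEY"
    expected = hmac.new(key, stripped + _tsig_vars(tsig["keyname"], tsig["alg"],
                                                   tsig["time"], tsig["fudge"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return False, "BADSIG"                               # payload or key mismatch
    if abs(now - tsig["time"]) > tsig["fudge"]:
        return False, "BADTIME"                              # stale or replayed update
    return True, "signed update accepted"
```

The nonsecure path is the one to notice: the same bytes that a legitimate client sends can be sent by anyone on the network, so a zone left on "Nonsecure and secure" lets any host redirect a server name by overwriting its A record. With "Secure only", an update without a valid signature is refused, and a signed update that has been tampered with or replayed outside the fudge window fails the MAC or time check.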


Figure 3-6 Verifying that secure updates are enabled on DNS Courtesy Course Technology/Cengage Learning


DNS and Active Directory
• Tightly intertwined
– A large share of Active Directory problems (the text cites 75 percent) can be traced directly to DNS
• Primary records used with Active Directory
– Service location (SRV) records
– Used to locate:
• Domain controllers
• Global catalog servers (DCs designated as GC servers)
• PDC emulators (the domain DC holding the PDC operations master role)
– Include site-specific information


Figure 3-7 SRV records in the Windows Server 2008 DNS console Courtesy Course Technology/Cengage Learning


DNS and Active Directory (cont’d.)
• Service property
– Identifies the service running on the domain controller
• _ldap
• _kerberos
• _gc
• _kpasswd


Using Non-Site-Specific SRV Records
• Larger organizations
– Sometimes require controlling the creation of some SRV records

Figure 3-8 A multiple-site organization in a hub and spoke replication topology Courtesy Course Technology/Cengage Learning


Using Non-Site-Specific SRV Records (cont’d.)
• Default steps taken when a user tries to log on in Office 5 and the DC in Office 5 is not available
– The Netlogon service queries DNS for a DC
– The site-specific record is used to identify a DC in the Office 5 site
– The DC in Office 5 is found to be unreachable
– A generic (non-site-specific) DNS record is used to identify any DC in the domain, which may be a DC across a slow link in another branch office


Using Non-Site-Specific SRV Records (cont’d.)
• You can control the creation of generic records
– Controls which DCs are used when a DC in the site goes down
– Can prevent all DCs in outlying offices from registering non-site-specific SRV records
• Only DCs in the main office or a regional HQ office are then used if a DC in any site fails


Using Non-Site-Specific SRV Records (cont’d.)
• Group Policy
– Primary method used to prevent generic records from being created
• Node: Computer Configuration, Policies, Administrative Templates, System, Net Logon, DC Locator DNS Records
• Setting: DC Locator DNS Records Not Registered by the DCs
• Entry: a space-separated list of the mnemonics (Table 3-3) for the records the DC should not register; link the GPO only to the OU that holds the branch-office DCs, or the hub DCs stop registering too


Table 3-3 Mnemonics and records associated with generic (non-site-specific) records



Table 3-4 Site-specific SRV mnemonics and SRV records



Using Non-Site-Specific SRV Records (cont’d.)
• Activity 3-3: Preventing Generic SRV Records From Being Registered

Figure 3-9 Configuring Group Policy to prevent the creation of non-site-specific records Courtesy Course Technology/Cengage Learning
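The locator behaviour described across the last few slides, as an added example that is not part of the original slides: a simulation of the DC locator choosing a DC from the site-specific SRV set and falling back to the generic set, using RFC 2782 priority/weight ordering, and of what the Group Policy setting changes when branch DCs stop registering the generic `_ldap._tcp.dc._msdcs` record (the `Dc` mnemonic). The domain, site names, DC names and SRV data are constructed; the simulation ignores the LDAP ping Netlogon uses to confirm a candidate is alive beyond a simple reachability set.

```python
import random
from collections import defaultdict

DOMAIN = "cengage.com"   # constructed forest root domain


def site_srv(site, domain):
    """Site-specific DC record (mnemonic DcAtSite)."""
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"


def generic_srv(domain):
    """Generic, non-site-specific DC record (mnemonic Dc)."""
    return f"_ldap._tcp.dc._msdcs.{domain}"


# Constructed SRV data: hub site "Main" (dc1, dc2), branches "Office5" (dc5)
# and "Office6" (dc6). Each value is (priority, weight, port, target).
DEFAULT_SRV = {
    site_srv("Main", DOMAIN): [(0, 100, 389, "dc1.cengage.com"), (0, 100, 389, "dc2.cengage.com")],
    site_srv("Office5", DOMAIN): [(0, 100, 389, "dc5.cengage.com")],
    site_srv("Office6", DOMAIN): [(0, 100, 389, "dc6.cengage.com")],
    # by default every DC also registers itself in the generic record
    generic_srv(DOMAIN): [(0, 100, 389, "dc1.cengage.com"), (0, 100, 389, "dc2.cengage.com"),
                          (0, 100, 389, "dc5.cengage.com"), (0, 100, 389, "dc6.cengage.com")],
}


def order_srv(records, seed=0):
    """RFC 2782 selection order: ascending priority, weighted random within a priority."""
    rng = random.Random(seed)
    ordered, by_prio = [], defaultdict(list)
    for rec in records:
        by_prio[rec[0]].append(rec)
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            acc = 0
            for rec in pool:
                acc += rec[1]
                if acc >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def locate_dc(srv, domain, client_site, reachable, seed=0):
    """Netlogon's DC locator, simplified: try the client's site-specific SRV set,
    then fall back to the generic set. Returns (dc, 'site' | 'generic') or None."""
    for how, key in (("site", site_srv(client_site, domain)), ("generic", generic_srv(domain))):
        for _, _, _, target in order_srv(srv.get(key, []), seed):
            if target in reachable:
                return target, how
    return None


def apply_policy(srv, domain, branch_dcs, mnemonics=("Dc",)):
    """Effect of 'DC Locator DNS Records Not Registered by the DCs' applied to the
    branch DCs: with the Dc mnemonic they drop out of the generic record but keep
    registering their own site's records, so local logons are unaffected."""
    out = dict(srv)
    if "Dc" in mnemonics:
        out[generic_srv(domain)] = [r for r in srv[generic_srv(domain)] if r[3] not in branch_dcs]
    return out


def failover_targets(srv, domain, client_site, reachable, trials=40):
    """Run the locator under many random seeds and collect the DCs clients land on."""
    return {locate_dc(srv, domain, client_site, reachable, seed) for seed in range(trials)}
```

With the default records, a client in Office 5 whose local DC is down can be sent to dc6 in another branch, which is exactly the slow-link case the slides describe; after the policy is applied to the branch DCs, every fallback lands on a hub DC, while a client in Office 6 still finds dc6 through the site-specific record.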


Designing DNS Zones
• Know when each DNS zone type is used
– ADI primary zones
– Primary zones
– Secondary zones
– Stub zones
– GlobalNames zones


Primary Zones
• Referred to as a standard primary zone
• Server hosting the primary zone
– Called the master server
– Hosts the only writable copy of the DNS zone data (a single point of failure for updates)
• Used with traditional (non-Active Directory) DNS
• Use on a Microsoft server (instead of an Active Directory-integrated zone)
– When the DNS server is hosted on a member server rather than a domain controller
• Activity 3-4: Creating a Primary Zone


Figure 3-10 Creating a primary zone from the DNS console Courtesy Course Technology/Cengage Learning



Configuring Zone Transfers
• Protecting DNS data from inadvertent disclosure
– Accomplished by restricting zone transfers: an unrestricted zone transfer hands anyone who asks the complete list of hosts and addresses in the zone
• Zone transfers
– Managed with the start of authority (SOA) record and the Zone Transfers settings
• Both accessible from the properties of the zone


Configuring Zone Transfers (cont’d.)
• Start of Authority (SOA) tab
– Includes information from the SOA record
– Fields
• Serial number (incremented on each change; a secondary transfers the zone only when the primary’s serial is higher than its own)
• Primary server
• Responsible person
• Refresh interval
• Retry interval
• Expires after
• Minimum (default) TTL
• TTL for this record


Figure 3-11 Viewing the SOA record Courtesy Course Technology/Cengage Learning


Configuring Zone Transfers (cont’d.)
• Zone Transfers tab
– Specifies which DNS servers can participate in zone transfers
– Three choices available when Allow zone transfers is checked
• To any server (never appropriate for a production zone)
• Only to servers listed on the Name Servers tab
• Only to the following servers (an explicit IP address list; note that all three restrict by source address only)
• nslookup command
– Used to check whether zone transfers are allowed to a given server: the ls -d subcommand requests a transfer of the zone, and a correctly restricted server reports that the query was refused
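The same check done at the protocol level, as an added example that is not part of the original slides: the code builds the AXFR query that nslookup’s `ls -d` sends, classifies the server’s first reply (REFUSED means the restriction works; answer records mean the zone walked out), and includes a TCP probe you can point at one of your own servers. The zone name and the reply bytes are constructed; `probe_axfr` performs a real network connection and is not exercised by the offline checks.

```python
import socket
import struct

ZONE = "cengage.com"   # constructed zone name for the example


def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """DNS query with one question: <zone> QTYPE AXFR (252), QCLASS IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0: RD not set
    return header + encode_name(zone) + struct.pack("!HH", 252, 1)


def classify_axfr_reply(data):
    """Look at the header of the first reply message:
    ('refused', 0)        -> RCODE 5, the server will not transfer the zone to us
    ('transferred', n)    -> RCODE 0 with n answer records, the zone was handed over
    ('error', rcode)      -> anything else (truncated reply is reported as -1)."""
    if len(data) < 12:
        return ("error", -1)
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    if rcode == 5:
        return ("refused", 0)
    if rcode == 0 and ancount > 0:
        return ("transferred", ancount)
    return ("error", rcode)


def probe_axfr(server_ip, zone, timeout=5.0):
    """Send one AXFR over TCP (2-byte length prefix, RFC 1035 4.2.2) and classify
    the first message that comes back. Use only against servers you administer."""
    query = build_axfr_query(zone)
    with socket.create_connection((server_ip, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", sock.recv(2))
        data = b""
        while len(data) < length:
            chunk = sock.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return classify_axfr_reply(data)


# Constructed reply bytes (not captured from a real server).
# 0x8185: QR=1, RD=1, RA=1, RCODE=5 (REFUSED); the question is echoed back.
REFUSED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)
                 + encode_name(ZONE) + struct.pack("!HH", 252, 1))
# 0x8180: QR=1, RD=1, RA=1, RCODE=0 with three answers; only the header matters
# to the classifier, so the answer records themselves are omitted here.
TRANSFERRED_HEADER = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
                      + encode_name(ZONE) + struct.pack("!HH", 252, 1))
```

Run `probe_axfr("<dns-server-ip>", "<zone>")` from a host that is not on the zone’s allowed list; anything other than `("refused", 0)` means the zone is readable from that address and the Zone Transfers tab needs tightening. A real AXFR reply starts and ends with the zone’s SOA record and may span several TCP messages, which is why a practitioner’s full tool reads until the second SOA.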


Figure 3-12 Configuring zone transfers Courtesy Course Technology/Cengage Learning


Secondary Zones
• Referred to as a standard secondary zone
• Benefits for clients in the network
– Fault tolerance
– Load balancing


Figure 3-13 Local area connection configured with preferred and alternate DNS servers Courtesy Course Technology/Cengage Learning


Secondary Zones (cont’d.)
• Activity 3-5: Creating a Secondary Zone

Figure 3-14 Configuring a secondary DNS zone with the IP address of the master server Courtesy Course Technology/Cengage Learning


Figure 3-15 Adding an NS record to DNS Courtesy Course Technology/Cengage Learning


ADI Primary Zones
• Used when DNS is hosted on a domain controller
• Use whenever possible
• Cannot host an ADI zone when:
– The DNS server is a member server (the zone can only be a standard primary)
– A standard primary zone was created on a domain controller without choosing Active Directory integration (it stays a file-based zone until converted)
• Solution: move DNS to a domain controller
– Create the zone as an ADI zone instead of a standard primary zone, or convert the existing zone


ADI Primary Zones (cont’d.)
• Benefits
– Secure dynamic updates supported
– Zone data replicated to the other DNS servers hosting the ADI zone
• Through Active Directory replication
– Replication traffic is authenticated and encrypted (a standard zone transfer is plaintext unless protected separately)
– Multiple writable DNS servers can host the same primary zone when all of them are ADI (multi-master)
– Individual security permissions
• Can be applied to zones and to records
• Activity 3-6: Converting a Primary Zone to an ADI Zone


GlobalNames Zones
• New in Windows Server 2008
• Used to resolve single-label names
– Mimics a NetBIOS name (a flat name valid across the forest)
• Primary reason to include a GNZ in DNS
– Support legacy applications that use single-label (NetBIOS-style) names after migrating to IPv6 (WINS does not support IPv6) in a multi-domain forest
• Older Windows operating systems
– Used Windows Internet Name Service (WINS) and NetBIOS


GlobalNames Zones (cont’d.)
• Significant difference between a GNZ and WINS
– A GNZ does not support automatic registration of clients; every entry is created by an administrator
• GNZ records
– CNAME (alias) records pointing to an A (or AAAA) record
• The target record lives in the host’s own primary zone
• A GNZ is not needed in a single-domain forest
– Because of how the DNS suffix search order is used
– The same functionality can be achieved in a multiple-domain environment by adding the other domains’ suffixes to each client’s TCP/IP configuration, which scales poorly as the number of domains grows


Figure 3-16 Additional DNS suffixes added to a client Courtesy Course Technology/Cengage Learning



GlobalNames Zones (cont’d.)
• GlobalNames zone functionality
– Not enabled on the DNS server by default
– Enable it using dnscmd: dnscmd <ServerName> /config /enableglobalnamessupport 1
• Once enabled on the server:
– Create a primary zone named GlobalNames
• A GlobalNames zone can be designated as ADI; do so, with forest-wide replication scope, so every DNS server in the forest can answer from it
• Activity 3-7: Enabling and Creating a GlobalNames Zone
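How a single-label name is resolved with and without a GlobalNames zone, as an added example that is not part of the original slides: the code models the client’s suffix search list (primary suffix, simplified devolution to the second-level name, and suffixes added in TCP/IP settings as in Figure 3-16) and a server that checks the GlobalNames zone before its own zones, which is the query order assumed here (it is configurable on the server). The two-domain forest, host names, addresses and GlobalNames entries are constructed. The point to watch is the `None` result: when DNS cannot answer, a Windows client falls back to LLMNR or NetBIOS broadcast, which any host on the subnet can answer.

```python
# Constructed zone data: forest root cengage.com, child south.cengage.com,
# and a GlobalNames zone. Keys are lowercase because DNS names are case-insensitive.
RECORDS = {
    "fs1.cengage.com": ("A", "10.1.1.5"),
    "sqldb.south.cengage.com": ("A", "10.2.1.20"),
    # GlobalNames entries are CNAMEs an administrator creates; clients cannot register them
    "sqldb.globalnames": ("CNAME", "sqldb.south.cengage.com"),
}


def search_list(primary_suffix, extra_suffixes=(), devolve=True):
    """Suffixes a client appends to a single-label name, in order: its primary
    suffix, parent suffixes down to the second-level name (devolution, in the
    simplified form assumed here), then suffixes added in TCP/IP settings."""
    suffixes = [primary_suffix]
    labels = primary_suffix.split(".")
    while devolve and len(labels) > 2:
        labels = labels[1:]
        suffixes.append(".".join(labels))
    return suffixes + [s for s in extra_suffixes if s not in suffixes]


def lookup(fqdn, records, depth=0):
    """Resolve a fully qualified name through the zone data, following CNAMEs."""
    rec = records.get(fqdn.lower())
    if rec is None or depth > 8:          # unknown name, or a CNAME loop
        return None
    rtype, value = rec
    return value if rtype == "A" else lookup(value, records, depth + 1)


def resolve_single_label(name, suffixes, records, gnz_enabled):
    """Resolve a single-label name as the client/server pair would:
    1. with a GlobalNames zone enabled, the server checks <name>.GlobalNames first;
    2. otherwise each suffix in the client's search list is tried in turn;
    3. None means DNS failed and the client would fall back to broadcast."""
    if "." in name:
        return lookup(name, records)
    if gnz_enabled:
        hit = lookup(f"{name}.GlobalNames", records)
        if hit:
            return hit
    for suffix in suffixes:
        hit = lookup(f"{name}.{suffix}", records)
        if hit:
            return hit
    return None
```

In the single-domain case `fs1` resolves through the suffix list alone, which is why the slides say a GNZ is unnecessary there. Across domains, `sqldb` from a cengage.com client fails unless either south.cengage.com is added to every client’s suffix list or a single GlobalNames CNAME is created once on the server.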


Figure 3-17 Adding a GlobalNames zone Courtesy Course Technology/Cengage Learning



Stub Zones
• Store information about zones hosted by other authoritative DNS servers
– Information about a child zone associated with a child domain
• Reduces administrative effort
– Information about DNS in two trusting domains that are not in a parent/child relationship
• Once the stub zone is created:
– Changes to the set of DNS servers in the related zone are transferred automatically to the DNS server hosting the parent domain


Figure 3-18 DNS zones in a multiple-domain environment Courtesy Course Technology/Cengage Learning



Stub Zones (cont’d.)
• Three records in a stub zone when created
– Start of Authority (SOA) record
– Name Server (NS) record
– A (host) record for that name server (the glue record)
• If additional DNS servers are added to the delegated subdomain
– The stub zone holds two more records for each DNS server
• An NS record and the matching A record


Stub Zones (cont’d.)
• Benefits
– Simplified DNS administration
– Improved host name resolution (queries for the child zone go straight to its authoritative servers instead of through recursion)
• Activity 3-8: Creating a Stub Zone for a Delegated Subdomain


Figure 3-19 The South delegated subdomain is automatically created by DCpromo Courtesy Course Technology/Cengage Learning



Figure 3-20 The south.cengage.com stub zone with the three records identifying the authoritative DNS server Courtesy Course Technology/Cengage Learning



Delegated Subdomain
• It is possible to create a delegated subdomain manually
– Without running DCpromo
• Useful to prestage delegated subdomains
• Useful if an organization was already created with multiple domains:
– But has grown large enough that you want to delegate name resolution for some of the domains to different DNS servers
• Activity 3-9: Manually Creating a Delegated Subdomain


Figure 3-21 Naming the delegated domain Courtesy Course Technology/Cengage Learning



Designing Zone Replication Scope
• Using Active Directory-integrated (ADI) zones
– Allows a choice of replication scope
• Zone transfers for ADI zones
– Handled as part of Active Directory replication
• Replication scope refers only to the DNS zone data, not to the rest of the directory
• Windows Server 2003 introduced application directory partitions
– Allow LDAP applications to store data in a separate partition
• Use the Active Directory infrastructure to replicate the partition to a chosen set of domain controllers


Designing Zone Replication Scope (cont’d.)
• ADI DNS zones on Windows Server 2003 and later domain controllers
– Use the same mechanism
– DNS zone data
• Stored in an application directory partition
• Replicated as part of Active Directory replication
• Consider where zone data will be replicated
– To all DNS servers in the forest (the ForestDnsZones partition)
– To all DNS servers in the domain (the DomainDnsZones partition)
– To all domain controllers in the domain (the domain partition; needed only for Windows 2000 DCs, and it copies the zone to DCs that do not run DNS)


Figure 3-22 Configuring zone replication scope Courtesy Course Technology/Cengage Learning



Summary
• Windows Server 2008 provides DNS improvements
– Background zone loading, GlobalNames zones, RODC support, IPv6 support
• Computer names
– NetBIOS names resolved by WINS
– Host names resolved by DNS servers
• Windows Server 2008 DNS servers
– Host the typical DNS records
• DNS servers host several zone types
– Standard primary, standard secondary, Active Directory-integrated (ADI), stub, GlobalNames


Summary (cont’d.)
• Stub zones
– Configured in the parent domain zone for delegated subdomains
• Reduce administrative overhead
• GlobalNames zones
– Used to resolve single-label (NetBIOS-style) names
• Generic or non-site-specific records
– Used to locate domain controllers in another site
• If the domain controller in the current site fails
• Zone replication scope can be controlled

