copyright line. configuring dns exam objectives an introduction to domain name system (dns) ...

Copyright line.

Configuring DNSConfiguring DNS

EXAM OBJECTIVESEXAM OBJECTIVES

An Introduction to Domain Name System (DNS)An Introduction to Domain Name System (DNS)Configuring a DNS ServerConfiguring a DNS ServerCreating DNS ZonesCreating DNS ZonesConfiguring and Managing DNS ReplicationConfiguring and Managing DNS ReplicationCreating and Managing DNS RecordsCreating and Managing DNS RecordsConfiguring Name Resolution for Client Computers Configuring Name Resolution for Client Computers

Copyright line. Slide 2

An Introduction to DNSAn Introduction to DNS

DNS allows hosts and services to be located DNS allows hosts and services to be located on IP networks using friendly names instead on IP networks using friendly names instead of IP addresses.of IP addresses.

DNS can be used to resolve public FQDNs, DNS can be used to resolve public FQDNs, or used privately by organizations that wish to or used privately by organizations that wish to use its features while remaining isolated from use its features while remaining isolated from the Internet.the Internet.

DNS uses an incremental query process DNS uses an incremental query process involving client-to-server and server-to-server involving client-to-server and server-to-server queries to resolve names and IP addresses. queries to resolve names and IP addresses.


Configuring a DNS ServerConfiguring a DNS Server

When the DNS Server role is installed, a caching only When the DNS Server role is installed, a caching only DNS server is created.DNS server is created.

Root hints tell a DNS server where to look next when Root hints tell a DNS server where to look next when resolving queries for records not contained in locally resolving queries for records not contained in locally stored zones.stored zones.

Forwarding can be used instead of root hints. Server Forwarding can be used instead of root hints. Server forwarding typically involves an organization’s internal forwarding typically involves an organization’s internal DNS servers’ forwarding requests for public name DNS servers’ forwarding requests for public name resolution to a DNS server that has direct access to resolution to a DNS server that has direct access to the Internet. Conditional forwarding allows the Internet. Conditional forwarding allows administrators to configure DNS servers to forward administrators to configure DNS servers to forward resolution requests to other DNS servers based on resolution requests to other DNS servers based on specific domain names.specific domain names.


Creating DNS ZonesCreating DNS Zones

Forward lookup zones resolve host names to IP Forward lookup zones resolve host names to IP addresses. Reverse look up zones resolve IP addresses. Reverse look up zones resolve IP addresses to host names.addresses to host names.

DNS records can be changed on primary and AD DNS records can be changed on primary and AD integrated zones, but not on secondary or stub integrated zones, but not on secondary or stub zones.zones.

Zone delegation allows a domain name space to be Zone delegation allows a domain name space to be divided among different zones on separate servers.divided among different zones on separate servers.

The new GlobalNames feature supports single name The new GlobalNames feature supports single name resolutions (such as NetBIOS computer names) on resolutions (such as NetBIOS computer names) on IPv6 networks using DNS. IPv6 networks using DNS.


Configuring and Managing DNS Configuring and Managing DNS ReplicationReplication

By default, primary, AD integrated and By default, primary, AD integrated and secondary zones limit the servers from which secondary zones limit the servers from which they can accept zone transfer requests.they can accept zone transfer requests.

Administrators can manually request Administrators can manually request incremental zone updates or a complete incremental zone updates or a complete refresh of all zone records for secondary refresh of all zone records for secondary zones using DNS Manager.zones using DNS Manager.

The SOA zone record is used to configure the The SOA zone record is used to configure the replication parameters for secondary zones.replication parameters for secondary zones.


Creating and Managing DNS Creating and Managing DNS RecordsRecords

DNS records can be administered manually, DNS records can be administered manually, updated automatically by hosts, or both.updated automatically by hosts, or both.

DNS record types include A, AAAA, PTR, DNS record types include A, AAAA, PTR, MX, SRV, CNAME, and NS.MX, SRV, CNAME, and NS.

Aging and scavenging is used to clean up Aging and scavenging is used to clean up DDNS records that have not been updated or DDNS records that have not been updated or refreshed within a given period and may be refreshed within a given period and may be invalid. invalid.


Configuring Name Resolution for Configuring Name Resolution for Client ComputersClient Computers

Two primary forms of name resolution exist on Windows Two primary forms of name resolution exist on Windows networks: NetBIOS and host names. Microsoft increasingly has networks: NetBIOS and host names. Microsoft increasingly has moved away from NetBIOS toward DNS. If a network runs a moved away from NetBIOS toward DNS. If a network runs a variety of Windows client and server versions, it’s important that variety of Windows client and server versions, it’s important that both forms of name resolution are configured properly. If the both forms of name resolution are configured properly. If the network is comprised primarily of Windows XP and later clients, network is comprised primarily of Windows XP and later clients, and Windows Server 2003 and later servers, DNS is most likely and Windows Server 2003 and later servers, DNS is most likely supporting many of the network’s name resolution needs. supporting many of the network’s name resolution needs.

By default, the following name resolution steps are taken when By default, the following name resolution steps are taken when resolving host names: the local host name => the local DNS resolving host names: the local host name => the local DNS resolver cache => the local HOSTS file => DNS => the local resolver cache => the local HOSTS file => DNS => the local NetBIOS name cache => WINS => a local network broadcast NetBIOS name cache => WINS => a local network broadcast => the local LMHOSTS file.=> the local LMHOSTS file.

By default, the following name resolution steps are taken when By default, the following name resolution steps are taken when resolving NetBIOS names: the local NetBIOS name cache => resolving NetBIOS names: the local NetBIOS name cache => WINS => a local network broadcast => the LMHOSTS file => WINS => a local network broadcast => the LMHOSTS file => the local host name => the local DNS resolver cache => DNS. the local host name => the local DNS resolver cache => DNS.


FAQFAQ

Q:Q: What exactly is DNS and why do I need it? What exactly is DNS and why do I need it? A:A: DNS is the primary name resolution DNS is the primary name resolution

method for Windows Server 2008, making it method for Windows Server 2008, making it essential to a properly functioning domain essential to a properly functioning domain and network. It provides hosts with the actual and network. It provides hosts with the actual network location of network services and network location of network services and other hosts. It also can be used to determine other hosts. It also can be used to determine host and service information when an IP host and service information when an IP address is provided. Computers cannot find address is provided. Computers cannot find themselves using most key components of themselves using most key components of Windows Server 2008 without DNS.Windows Server 2008 without DNS.


FAQFAQ

Q:Q: My organization does not wish to connect to the My organization does not wish to connect to the Internet. We are using Windows Server 2008 and Internet. We are using Windows Server 2008 and Windows Vista DNS is essential for name resolution. Windows Vista DNS is essential for name resolution. I know that DNS was designed to work with the I know that DNS was designed to work with the Internet; what can I do?Internet; what can I do?

A:A: Although DNS originally was designed for use with Although DNS originally was designed for use with the Internet and its predecessors, it is no problem to the Internet and its predecessors, it is no problem to use it privately. In fact, if you have an Active Directory use it privately. In fact, if you have an Active Directory domain, it will be required. In this scenario you will domain, it will be required. In this scenario you will create and configure a separate DNS environment create and configure a separate DNS environment that is very similar to the Internet, except you will that is very similar to the Internet, except you will control all levels of it instead of just a tiny portion. control all levels of it instead of just a tiny portion.


FAQFAQ

Q:Q: I need to specify a totally private DNS I need to specify a totally private DNS server network for my organization. How server network for my organization. How should I configure root hints?should I configure root hints?

A:A: When root hints don’t need to point to the When root hints don’t need to point to the Internet’s root name servers, typically they Internet’s root name servers, typically they should point to the highest level DNS servers should point to the highest level DNS servers within an organization. A good way to think within an organization. A good way to think about root hints is that they are designed to about root hints is that they are designed to point to the top of whatever DNS hierarchy is point to the top of whatever DNS hierarchy is being used.being used.


FAQFAQ

Q:Q: I want to use forwarding, but don’t want all I want to use forwarding, but don’t want all queries to go to the same place. I need to queries to go to the same place. I need to distribute them based on the domain being distribute them based on the domain being asked for; how can I do this in Windows asked for; how can I do this in Windows Server 2008?Server 2008?

A:A: Conditional forwarding can be used to Conditional forwarding can be used to distribute queries to forwarders based on the distribute queries to forwarders based on the domain being requested.domain being requested.


FAQFAQ

Q:Q: Domains and zones are very confusing to me. Domains and zones are very confusing to me. What is the difference between a domain and a What is the difference between a domain and a zone?zone?

A:A: Because zones use domain names, it’s easy to Because zones use domain names, it’s easy to get confused. Zones hold the actual records for part get confused. Zones hold the actual records for part of the domain namespace. A domain like of the domain namespace. A domain like syngress.com. has records distributed across several syngress.com. has records distributed across several zones. The root name servers hold the “.” portion, zones. The root name servers hold the “.” portion, which is typically hidden from users at the end of the which is typically hidden from users at the end of the domain name. The “.com” name servers hold the domain name. The “.com” name servers hold the zone for this portion of the namespace. Finally a zone for this portion of the namespace. Finally a server managed by the organization contains a zone server managed by the organization contains a zone for the “syngress” portion of the DNS namespace.for the “syngress” portion of the DNS namespace.


FAQFAQ

Q:Q: Does Microsoft recommend standard or Does Microsoft recommend standard or AD integrated zones?AD integrated zones?

A:A: Microsoft recommends AD integrated Microsoft recommends AD integrated zones. The records are stored in the AD zones. The records are stored in the AD database, which increases their security and database, which increases their security and allows for more efficient replication of the allows for more efficient replication of the records when compared to traditional zone records when compared to traditional zone transfers. Using AD integrated zones also transfers. Using AD integrated zones also enables secure DDNS, which eases the enables secure DDNS, which eases the burden of DNS administration without burden of DNS administration without compromising security. compromising security.


FAQFAQ

Q:Q: My organization is implementing IPv6. My organization is implementing IPv6. Right now we use both DNS and WINS for Right now we use both DNS and WINS for name resolution. WINS supports only IPv4. name resolution. WINS supports only IPv4. What can I do to support NetBIOS type What can I do to support NetBIOS type names for IPv6?names for IPv6?

A:A: Microsoft’s new GlobalNames feature can Microsoft’s new GlobalNames feature can be used. When activated, DNS servers can be used. When activated, DNS servers can serve manually created single name records. serve manually created single name records. You can create these records to match You can create these records to match important NetBIOS resource names, such as important NetBIOS resource names, such as key servers.key servers.


FAQFAQ

Q:Q: What is the difference between an A and What is the difference between an A and AAAA host record?AAAA host record?

A:A: The Windows Server 2008 DNS Server The Windows Server 2008 DNS Server role fully supports IPv4 and IPv6. The A host role fully supports IPv4 and IPv6. The A host record is one of the oldest in DNS and is used record is one of the oldest in DNS and is used to resolve a host name to an IPv4 address. to resolve a host name to an IPv4 address. The newer AAAA record is used to resolve a The newer AAAA record is used to resolve a host name to an IPv6 address.host name to an IPv6 address.


FAQFAQ

Q:Q: What is a PTR record used for? What is a PTR record used for? A:A: PTR, or pointer, records are the primary PTR, or pointer, records are the primary

records used in reverse lookup zones. These records used in reverse lookup zones. These records facilitate the resolution of IP records facilitate the resolution of IP addresses into host names.addresses into host names.


FAQFAQ

Q:Q: My office has a lot of sales people that My office has a lot of sales people that work on laptops in and out of the office. I’ve work on laptops in and out of the office. I’ve noticed that there are quite a few inaccurate noticed that there are quite a few inaccurate DDNS records being left behind by these DDNS records being left behind by these computers. What can be done about it?computers. What can be done about it?

A:A: Microsoft’s aging and scavenging feature Microsoft’s aging and scavenging feature can be used to clean up records such as can be used to clean up records such as these. You can set your organization’s these. You can set your organization’s Windows 2000 and later DNS servers to Windows 2000 and later DNS servers to delete records automatically if they have not delete records automatically if they have not been kept up to date.been kept up to date.


FAQFAQ

Q:Q: Most of the name resolution on my network uses Most of the name resolution on my network uses DNS, however all clients are still configured for DNS, however all clients are still configured for WINS. When a client attempts to access a resource WINS. When a client attempts to access a resource by using the resource’s host name, what steps may by using the resource’s host name, what steps may occur?occur?

A:A: By default, the following name resolution steps are By default, the following name resolution steps are taken when resolving host names: the local host taken when resolving host names: the local host name => the local DNS resolver cache => the local name => the local DNS resolver cache => the local HOSTS file => DNS => the local NetBIOS name HOSTS file => DNS => the local NetBIOS name cache => WINS => a local network broadcast => the cache => WINS => a local network broadcast => the local LMHOSTS file. All these steps are at least local LMHOSTS file. All these steps are at least partially configurable by an administrator.partially configurable by an administrator.


FAQFAQ

Q:Q: My environment uses IPv6 addresses, but My environment uses IPv6 addresses, but NetBIOS broadcasts are supported only for IPv4. NetBIOS broadcasts are supported only for IPv4. What can I do?What can I do?

A:A: Microsoft has included a new protocol in Windows Microsoft has included a new protocol in Windows Vista and Server 2008 to solve this problem: Link-Vista and Server 2008 to solve this problem: Link-Local Multicast Name Resolution. If these are the Local Multicast Name Resolution. If these are the primary operating systems in use and hosts on a primary operating systems in use and hosts on a segment of the network are unable to contact a DNS segment of the network are unable to contact a DNS server, some name resolution can still take place on server, some name resolution can still take place on a peer-to-peer basis using either IPv4 or IPv6. a peer-to-peer basis using either IPv4 or IPv6.


FAQFAQ

Q:Q: I’m responsible for several hundred Windows XP I’m responsible for several hundred Windows XP and Vista clients. Is there an easy way to automate and Vista clients. Is there an easy way to automate their DNS configuration?their DNS configuration?

A:A: Many DNS settings can be managed centrally Many DNS settings can be managed centrally using group policy. In most cases, settings applied using group policy. In most cases, settings applied with group policy will override settings that are with group policy will override settings that are configured manually on the client. Not all settings configured manually on the client. Not all settings work with all client types, however. It’s important to work with all client types, however. It’s important to carefully read the description of each to determine carefully read the description of each to determine how and where it can be applied.how and where it can be applied.


Test Day TipTest Day Tip

In addition to caching responses from DNS servers In addition to caching responses from DNS servers containing the requested resources (called positive containing the requested resources (called positive caching), the local resolver also caches negative caching), the local resolver also caches negative responses. These result from a failure to locate DNS responses. These result from a failure to locate DNS resources. When a server returns a request to a resources. When a server returns a request to a client’s query that contains a negative response, the client’s query that contains a negative response, the local resolver caches it and will not request it again local resolver caches it and will not request it again for a period of time. Temporary DNS problems can for a period of time. Temporary DNS problems can thus become longer term issues until this cached thus become longer term issues until this cached record expires. You can manually purge the client’s record expires. You can manually purge the client’s resolver cache using the following command: resolver cache using the following command: ipconfig /flushdnsipconfig /flushdns. .


Exam WarningExam Warning

A server cannot be configured to conditionally A server cannot be configured to conditionally forward for a domain if it has a zone forward for a domain if it has a zone configured on it that includes the same configured on it that includes the same portion of the domain name space. For portion of the domain name space. For example, if a DNS server hosts the example, if a DNS server hosts the authors.syngress.com zone, it cannot also authors.syngress.com zone, it cannot also have conditional forwarding setup for the have conditional forwarding setup for the authors.syngress.com domain. authors.syngress.com domain.



Beware of Microsoft’s default options. Beware of Microsoft’s default options. Sometimes they represent Microsoft’s Sometimes they represent Microsoft’s recommended settings. Other times a recommended settings. Other times a nonrecommended setting is selected by nonrecommended setting is selected by default. On the test, never assume that a default. On the test, never assume that a default option or setting is a recommended default option or setting is a recommended one. one.



Be sure to remember that Microsoft Be sure to remember that Microsoft recommends and really expects you to use recommends and really expects you to use AD integrated zones with secure dynamic AD integrated zones with secure dynamic updates whenever possible. updates whenever possible.



Only Windows Server 2008 servers support Only Windows Server 2008 servers support GlobalNames zones. GlobalNames zones.



Pay careful attention to Microsoft’s Pay careful attention to Microsoft’s recommendations regarding GlobalNames recommendations regarding GlobalNames zones. Although these zones do not have to zones. Although these zones do not have to be AD integrated, or replicated to all domain be AD integrated, or replicated to all domain controllers in the forest, or configured not to controllers in the forest, or configured not to allow dynamic updates—this is how Microsoft allow dynamic updates—this is how Microsoft expects them to be configured. Often their expects them to be configured. Often their documentation does not even acknowledge documentation does not even acknowledge that other configuration options can be used. that other configuration options can be used. Play it safe on the exam and give them the Play it safe on the exam and give them the answers they want. answers they want.



The server’s right-click menu contains a The server’s right-click menu contains a ReloadReload option in addition to option in addition to Reload from Reload from MasterMaster. It’s important not to confuse these on . It’s important not to confuse these on the exam. On a secondary zone, the the exam. On a secondary zone, the ReloadReload option reloads the information in the local option reloads the information in the local zone file. The zone file. The Reload from MasterReload from Master initiates a initiates a full zone transfer from a master DNS server full zone transfer from a master DNS server and overwrites the records in the zone file. and overwrites the records in the zone file.



Unlike standard primary zones, by default AD Unlike standard primary zones, by default AD integrated and secondary zones are not integrated and secondary zones are not configured to allow zone transfers. You must configured to allow zone transfers. You must check the check the Allow zone transfers:Allow zone transfers: box in the box in the Zone TransfersZone Transfers tab in the server’s tab in the server’s PropertiesProperties. .



The refresh, retry, and expiration settings on The refresh, retry, and expiration settings on the SOA record apply only to standard the SOA record apply only to standard secondary zones. AD integrated zones use secondary zones. AD integrated zones use Active Directory replication and ignore these Active Directory replication and ignore these settings. settings.



In addition to creating application directory In addition to creating application directory partitions, you can also add servers to and partitions, you can also add servers to and remove servers from partitions using remove servers from partitions using DNSCMD. DNSCMD.



If you use a mix of Windows and non-If you use a mix of Windows and non-Windows DNS servers, consider selecting the Windows DNS servers, consider selecting the Do not replicate this recordDo not replicate this record option. WINS option. WINS records are not standard DNS record types records are not standard DNS record types and are not supported by all DNS servers. and are not supported by all DNS servers. Attempting to replicate them to DNS servers Attempting to replicate them to DNS servers that do not support them may cause errors. that do not support them may cause errors.



DDNS can conflict with data in the DDNS can conflict with data in the GlobalNames zone. If a GNZ is configured on GlobalNames zone. If a GNZ is configured on the DNS server, it is checked first when the DNS server, it is checked first when DDNS requests are received. If a client DDNS requests are received. If a client attempts to register or update a DDNS record attempts to register or update a DDNS record using a name that is already specified in the using a name that is already specified in the GNZ, the request will fail. GNZ, the request will fail.



Client DNS server settings can be assigned Client DNS server settings can be assigned by group policy. When a client has locally by group policy. When a client has locally configured DNS servers, and a group policy configured DNS servers, and a group policy setting that specifies them, the local server setting that specifies them, the local server list is ignored. list is ignored.

copyright line. configuring dns exam objectives an introduction to domain name system (dns) ...

Documents

dns dns

dns zones

dns records dns records

dns replication

system dns

dns manager

dns server role

dns record types