NW_Week04 - carrieclasses


Module Overview
• Installing the DNS Server Role
• Configuring the DNS Server Role
• Configuring DNS Zones
• Configuring DNS Zone Transfers
• Managing and Troubleshooting DNS
• Overview of the Windows Internet Name Service
• Configuring WINS Replication
• Migrating from WINS to DNS
Overview of the Domain Name System Role
• DNS supports accessing resources by using alphanumeric names
• InterNIC is responsible for managing the domain namespace
[Diagram: DNS namespace hierarchy. Root domain "." at the top; top-level domains com, net and org; second-level domain nwtraders; subdomains west, south and east; sales below south. FQDN: SERVER1.sales.south.nwtraders.com; host: SERVER1]
Domain Name System is a hierarchical distributed database
DNS Improvements for Windows Server 2008
New or enhanced features in the Windows Server 2008
version of DNS include:
• Background zone loading
• IP version 6 support
• Support for read-only domain controllers
• Global single names
• DNSSEC, to protect against spoofing and man-in-the-middle attacks
  • Only available in R2 and an IPv6 environment
  • Three new types of records: Signature (SIG), Public Key (KEY), Next Domain (NXT)
Considerations for deploying the DNS Server Role:
• Manually configure the server to use a static IP address
• Use the DNS console or dnscmd
• The user account must be a member of the local Administrators group or equivalent
Common dnscmd subcommands (dnscmd dns_server_name <subcommand>):
/ageAllRecords
/startScavenging
/zoneinfo
/zoneexport
/info
/config
/statistics
/zoneresettype zonename {/primary | /secondary}
/zoneresetsecondaries
/zoneresetmaster zonename
What Are the Components of a DNS Solution?
[Diagram: DNS clients query DNS servers, which hold resource records; the local servers refer to DNS servers on the Internet, which are organized under the root "." with top-level domains such as .com and .edu]
DNS Resource Records
DNS resource records include:
• SOA: Start of Authority
• A: Host Record
• CNAME: Alias Record
• MX: Mail Exchange Record
• SRV: Service Record
• NS: Name Servers
• AAAA: IPv6 DNS Record
What Are Root Hints?
Root hints contain the IP addresses for DNS root servers
[Diagram: a client queries its DNS server; the DNS server uses its root hints to reach the root (.) servers, then the com servers, then the microsoft servers]
What Is a DNS Query?
A query is a request for name resolution and is directed to a DNS server
• Queries are recursive or iterative
• DNS clients and DNS servers both initiate queries
• DNS servers are authoritative or nonauthoritative for a namespace
• An authoritative DNS server for the namespace will either:
  • Return the requested IP address
  • Return an authoritative "No"
• A nonauthoritative DNS server for the namespace will either:
  • Check its cache
  • Use forwarders
  • Use root hints
What Are Recursive Queries?
A recursive query is sent to a DNS server and requires a complete answer
[Diagram: DNS client asks the local DNS server for mail1.contoso.msft; the server looks up its database and returns 172.16.64.11]
What Are Iterative Queries?
An iterative query directed to a DNS server may be answered with a referral to another DNS server
[Diagram: client sends a query to the local DNS server; the local server sends an iterative query to a root hint (.) server, is told "Ask .com", queries the .com server, and is referred to the Nwtraders.com server]
What Is a Forwarder?
A forwarder is a DNS server designated to resolve external or offsite DNS domain names
[Diagram: client sends a query to the local DNS server, which passes it to the forwarder; the forwarder sends iterative queries to the root hint (.) server ("Ask .com"), the .com server and the Nwtraders.com server]
What Is Conditional Forwarding?
Conditional forwarding forwards requests using a domain name condition
[Diagram: the client computer queries the local DNS server; queries for Contoso.msft are forwarded to the Contoso.msft DNS server, and all other DNS domains are forwarded to the ISP DNS server]
How DNS Server Caching Works
[Diagram: DNS server cache entry with host name ServerA.contoso.msft, IP address 192.168.8.44 and TTL 28 seconds. Client1 asks "Where's ServerA?" and is answered "ServerA is at 192.168.8.44"; Client2 asks the same question and is answered from the cache until the TTL expires]
What Is a DNS Zone?
[Diagram: below the DNS root domain "." and .com sits the microsoft.com domain. The microsoft.com zone database holds microsoft.com, www.microsoft.com and ftp.microsoft.com; example.microsoft.com is a separate zone whose database holds example.microsoft.com, www.example.microsoft.com and ftp.example.microsoft.com]
What Are the DNS Zone Types?
Zone types and descriptions:
• Primary: read/write copy of a DNS database
• Secondary: read-only copy of a DNS database
• Stub: copy of a zone that contains only the records used to locate name servers
• Active Directory integrated: zone data is stored in Active Directory rather than in zone files
What Are Forward and Reverse Lookup Zones?
Namespace: training.nwtraders.msft
[Diagram: the DNS server authorized for training holds a forward zone (training) and a reverse zone (2.168.192.in-addr.arpa). The forward zone maps DNS Client1, DNS Client2 and DNS Client3 to 192.168.2.45, 192.168.2.46 and 192.168.2.47; the reverse zone maps those addresses back to the names. Forward lookup: "DNS Client2 = ?"; reverse lookup: "192.168.2.46 = ?"]
What Are Stub Zones?
With a stub zone defined, the location of the na.fabrikam.com zone is known without querying multiple DNS servers.
Without stub zones, the ny.na.contoso.com server must query several servers to find the server that hosts the na.fabrikam.com zone.
[Diagram: DNS servers for Contoso.com (root domain), na.contoso.com, ny.na.contoso.com, sa.contoso.com, rio.sa.contoso.com, fabrikam.com and na.fabrikam.com]
DNS Zone Delegation
[Diagram: Contoso.msft delegates the Training.contoso.msft and Sales.contoso.msft subdomains]
What Is a DNS Zone Transfer?
A DNS zone transfer is the synchronization of authoritative DNS zone data between DNS servers
[Diagram: exchange between the secondary server and the primary and master server]
1. Secondary server sends an SOA query for a zone
2. SOA query answered
3. Secondary server sends an IXFR or AXFR query for the zone
4. IXFR or AXFR query answered (zone transferred)
How DNS Notify Works
A DNS notify is an update to the original DNS protocol specification that permits notification to secondary servers when zone changes occur
[Diagram: source server (primary and master server) and destination server (secondary server)]
1. Resource record is updated on the source server
2. SOA serial number is updated
3. DNS notify is sent to the destination server
4. Zone transfer
Securing Zone Transfers
• Restrict zone transfer to specified servers
• Encrypt zone transfer traffic
• Consider using Active Directory-integrated zones
What Is Time to Live, Aging, and Scavenging?
Features and descriptions:
• Time to Live (TTL): indicates how long a DNS record will remain valid
• Aging: occurs when records that have been inserted into the DNS server reach their expiration and are removed
• Scavenging: performs DNS server resource record grooming for old records in DNS
Troubleshooting DNS
Tools and what they are used for:
• Nslookup: troubleshoot DNS problems
• Dnscmd: edit the DNS configuration
• Dnslint: diagnose common DNS issues
You can test the DNS server configuration by using:
• A recursive query to ensure that the DNS server can communicate with the upstream DNS service
• A simple query to ensure that the DNS service is answering
• Monitoring DNS events in the event log to:
  • Monitor zone transfer information
  • Monitor computer events
What is WINS and When Is WINS Required?
WINS resolves a NetBIOS name (single-label name) to an IP address
WINS is required for the following reasons:
• Older versions of Microsoft operating systems rely on WINS for name resolution
• Some applications, typically older applications, rely on NetBIOS names
• When you need dynamic registration of single-label names
• If users rely on the Network Neighborhood or My Network Places network browser features
• If you are not using Windows Server 2008 as your DNS infrastructure
Overview of WINS Components
[Diagram: a WINS server with its WINS database on Subnet 2; a WINS client and a WINS proxy on Subnet 1]
WINS Client Registration and Release Process
[Diagram: WINS client and WINS server exchange for name registration and name release]
1. Name registered
  • WINS client sends a request to register
  • WINS server returns a registration message with a TTL value, indicating when the registration expires
2. Name released
  • WINS client sends a request to release the name
  • WINS server sends a positive name release response
WINS Server Name Resolution Process
[Diagram: client on Subnet 1; WINS Server A and WINS Server B on Subnet 2; up to three attempts per server]
1. Client makes three attempts to contact the WINS server, but does not receive a response
2. Client attempts to contact all WINS servers until contact is made
3. If the name is resolved, the IP address is returned to the client
What Are NetBIOS Node Types?
A NetBIOS node type determines the method that a
computer uses to resolve a NetBIOS name
Node types, descriptions and registry values:
• B-node (registry value 1): uses broadcasts for name registration and resolution
• P-node (registry value 2): uses a NetBIOS name server, such as WINS, to resolve NetBIOS names
• M-node (registry value 4): combines B-node and P-node, but functions as a B-node by default
• H-node (registry value 8): combines P-node and B-node, but functions as a P-node by default
Compacting the WINS Database
Compacting recovers unused space in a WINS database
Maintain WINS database integrity by using:
• Dynamic compacting. Automatically occurs while the database is in use
• Offline compacting. The administrator stops the WINS server and uses the Jetpack.exe command-line tool
What Is Push Replication?
• A push partner notifies replication partners based on the number of changes in its database
• Push replication maintains a high level of synchronization
[Diagram: ServerA on Subnet 1 and ServerB on Subnet 2; 50 changes occur in ServerA's database, a notification is sent, a replication request is sent, replicas are sent]
1. ServerA reaches the set threshold of 50 changes in its database
2. ServerA notifies ServerB that the threshold is reached
3. ServerB responds to ServerA with a replication request
4. ServerA sends replicas of its new database entries
What Is Pull Replication?
• A pull partner requests replication based on a time interval
• Pull replication limits the frequency of replication traffic across slow links
[Diagram: ServerA on Subnet 1 and ServerB on Subnet 2; changes are requested every eight hours and replicas are sent]
1. ServerA requests database changes every 8 hours
2. ServerB sends replicas of its new database entries
What Is Push/Pull Replication?
Push/pull replication ensures that the databases on multiple WINS servers are nearly identical at any given time by:
• Notifying replication partners whenever the database reaches a set threshold of changes
• Requesting replication based on a set time
Name Resolution for a Single-Label Name
IPv6 does not support WINS
Windows Server 2008 introduces a new zone type for DNS called the GlobalNames Zone
• Resolves single-label names in the enterprise without using WINS
• Mitigates the management and maintenance of DNS suffix search lists
• Relies on static record creation
• Requires the zone to be available on DNS servers throughout the forest
What Is the GlobalNames Zone?
The GlobalNames zone:
• Enables single-label name resolution for IPv6-enabled networks
• Uses CNAME records to point to the FQDN of the computer that hosts the resource
• Is recommended to be integrated in Active Directory with forest-wide replication
• Can be used as a method to decommission WINS servers
• Requires no additional client configuration because the client resolves the name in standard DNS query form
Setup GlobalNames Zone
• Requires authoritative name servers running Windows Server 2008
• Configure forest-wide, Active Directory-integrated replication of the GlobalNames zone
• Create static CNAME records that point to FQDN records
• Disable dynamic updates on the GlobalNames zone
• Enable single-label GlobalNames zone support on all DNS servers that host the zone
Use the following command to enable support for the GlobalNames zone on all DNS servers hosting the zone:
dnscmd /config /EnableGlobalNamessupport 1
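The following script is an added example, not code from the course material. It covers two of the procedures above with the dnscmd subcommands the slides name: restricting zone transfers and notifications to listed secondaries (Securing Zone Transfers), and building the GlobalNames zone in the order just given. The server name DNS01, the zone names, the secondary addresses and the single-label aliases are assumed sample values.

```powershell
# Added example (not from the course slides). Assumed values: DNS server DNS01
# (a domain controller running Windows Server 2008), zones, secondaries and aliases below.
$DnsServer = 'DNS01'

# Run one dnscmd subcommand against $DnsServer; stop if it reports failure so a
# skipped step (for example a zone that was never restricted) does not go unnoticed.
function Invoke-DnsCmd {
    param([string[]]$Arguments)
    & dnscmd.exe $DnsServer @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

# --- Securing zone transfers -------------------------------------------------
# Only the listed secondaries may request AXFR/IXFR for each zone, and only they
# receive DNS notify when the SOA serial changes; any other requester is refused.
function Set-ZoneTransferList {
    param([string[]]$Zones, [string[]]$Secondaries)
    foreach ($zone in $Zones) {
        Invoke-DnsCmd (@('/zoneresetsecondaries', $zone, '/securelist') + $Secondaries +
                       @('/notifylist') + $Secondaries)
        Invoke-DnsCmd @('/zoneinfo', $zone)   # show the zone settings so the change can be confirmed
    }
}

# --- GlobalNames zone setup ---------------------------------------------------
# Same order as the slide: enable support, create the AD-integrated zone with
# forest-wide replication, disable dynamic updates, add static CNAME records.
function New-GlobalNamesZone {
    param([hashtable]$Aliases)   # single-label name -> FQDN it points to
    Invoke-DnsCmd @('/config', '/enableglobalnamessupport', '1')   # repeat on every server hosting the zone
    Invoke-DnsCmd @('/zoneadd', 'GlobalNames', '/dsprimary', '/dp', '/forest')
    Invoke-DnsCmd @('/config', 'GlobalNames', '/allowupdate', '0')  # static records only
    foreach ($name in $Aliases.Keys) {
        Invoke-DnsCmd @('/recordadd', 'GlobalNames', $name, 'CNAME', $Aliases[$name])
    }
    Invoke-DnsCmd @('/zoneinfo', 'GlobalNames')
}

# Constructed sample input: a forward zone and its reverse zone, two secondaries,
# and two single-label names aliased to FQDNs.
Set-ZoneTransferList -Zones @('nwtraders.com', '2.168.192.in-addr.arpa') `
                     -Secondaries @('192.168.2.11', '192.168.2.12')
New-GlobalNamesZone -Aliases @{ 'intranet' = 'web01.nwtraders.com.'; 'mail' = 'mail1.nwtraders.com.' }
```

Run it from an account that is a member of the local Administrators group on the DNS server, as the deployment considerations above require.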