DNS and Active Directory Integration - PowerPoint PPT Presentation

Provided by: MikeS6
Slides: 49

Transcript and Presenter's Notes

1
DNS and Active Directory Integration
  • Understanding DNS Name Resolution
  • Understanding and Configuring Zones
  • Zone Replication and Transfer
  • Monitoring and Troubleshooting DNS for Active
    Directory

2
Understanding DNS Name Resolution
  • Name Resolution
  • Forward Lookup Query
  • Name Server Caching
  • Reverse Lookup Query

3
IP Addressing
  • Name resolution is the process of resolving DNS
    names to IP addresses.
  • An IP address identifies each host that
    communicates by using TCP/IP.
  • An IP address is a 32-bit binary number that is
    separated internally into two parts: a network ID
    and a host ID.
  • IP addresses are expressed in dotted decimal
    notation.
  • The 32-bit address is segmented into four 8-bit
    octets.
  • Octets are converted to decimal (base-10
    numbering system) and separated by periods.

4
IP Addressing Network ID
  • Also known as a network address
  • Identifies a single network segment within a
    larger TCP/IP internetwork
  • Used to uniquely identify each network within the
    larger internetwork

5
IP Addressing Host ID
  • Also known as the host address
  • Identifies a TCP/IP node within each network
  • Identifies a single system uniquely within its
    own network

6
Lookup Queries
  • DNS name servers resolve forward and reverse
    lookup queries.
  • Forward lookup query: resolves a name to an IP
    address.
  • Reverse lookup query: resolves an IP address to a
    name.
  • A name server can resolve a query itself only for
    a zone for which it is authoritative.
  • If a name server can't resolve the query, it
    passes it to other name servers that can resolve
    it.
  • The name server caches the query results to
    reduce the DNS traffic on the network.
  • The DNS service uses a client/server model for
    name resolution.

7
Resolving a Forward Lookup Query
8
Name Server Caching
9
Time to Live (TTL)
  • Use shorter TTL values to help ensure that data
    about the domain namespace is more current across
    the network.
  • Shorter TTL values increase the load on name
    servers.
  • Longer TTL values decrease the time required to
    resolve information.
  • If a change occurs, the client will not receive
    the updated information until the TTL expires and
    a new query to that portion of the domain
    namespace is resolved.
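The TTL trade-off on this slide (shorter TTL: fresher data but more load on the name servers; longer TTL: fewer upstream queries but stale answers until expiry) is easy to see in a toy caching resolver. The following Python is an added example, not part of the slide deck; the zone data, the 10-second query interval and the address change at t=100 s are constructed for the simulation, and `CachingResolver`/`simulate` are my own names.

```python
import time


class CachingResolver:
    """Toy caching name server. Each cached answer carries an expiry computed from the
    record's TTL; until that moment the cache answers without asking the authoritative
    server, even if the authoritative data has changed in the meantime."""

    def __init__(self, authoritative, clock=time.time):
        self.authoritative = authoritative   # name -> (address, ttl_seconds): the zone's data
        self.clock = clock                   # injectable so the simulation is deterministic
        self.cache = {}                      # name -> (address, expires_at)
        self.upstream_queries = 0            # load placed on the authoritative server

    def resolve(self, name):
        now = self.clock()
        cached = self.cache.get(name)
        if cached is not None and cached[1] > now:
            return cached[0]                 # cache hit: served without a new query
        address, ttl = self.authoritative[name]   # cache miss or expired: ask the source
        self.upstream_queries += 1
        self.cache[name] = (address, now + ttl)
        return address


def simulate(ttl, change_at=100, horizon=600, interval=10):
    """Query once every `interval` seconds up to `horizon`; the authoritative address
    changes at `change_at`. Returns (stale answers served, queries sent upstream)."""
    now = [0]
    zone = {"www.example.com": ("192.0.2.10", ttl)}      # constructed zone data
    resolver = CachingResolver(zone, clock=lambda: now[0])
    stale = 0
    while now[0] <= horizon:
        if now[0] == change_at:
            zone["www.example.com"] = ("192.0.2.20", ttl)   # administrator updates the record
        answer = resolver.resolve("www.example.com")
        if now[0] >= change_at and answer == "192.0.2.10":
            stale += 1                                       # old data still within its TTL
        now[0] += interval
    return stale, resolver.upstream_queries


if __name__ == "__main__":
    for ttl in (60, 300):
        served_stale, upstream = simulate(ttl)
        print(f"TTL {ttl:>3}s: {served_stale} stale answers, {upstream} upstream queries")
```

Running the simulation with a 300-second TTL serves 20 stale answers after the change but sends only 3 queries upstream; with a 60-second TTL the stale count drops to 2 while upstream load rises to 11 queries, which is exactly the trade-off the slide describes.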

10
Reverse Lookup Query
  • Maps an IP address to a name.
  • The NSLOOKUP command-line DNS utility uses
    reverse lookup queries to report back host names.
  • Certain applications implement security based on
    the ability to connect to names, not IP
    addresses.
  • DNS is indexed by name, not by IP address.
  • A reverse lookup query would require an
    exhaustive search of every domain name because
    the DNS distributed database is indexed by name
    and not IP address.
  • A special second-level domain, in-addr.arpa, was
    created to solve the problem of finding a name
    that matches an IP address.

11
In-addr.arpa Domain
  • Follows the same hierarchical naming scheme as
    the rest of the domain namespace.
  • Based on IP addresses, not domain names.
  • Subdomains are named after the numbers in the
    dotted-decimal representation of IP addresses.
  • Order of the IP address octets is reversed.
  • Companies administer subdomains of the
    in-addr.arpa domain based on their assigned IP
    addresses and subnet mask.

12
An in-addr.arpa Domain Example
  • IP address: 169.254.16.200
13
An in-addr.arpa Domain Example (cont.)
  • Assigned IP address range of 169.254.16.0 to
    169.254.16.255
  • Subnet mask 255.255.255.0
  • Authority over the 16.254.169.in-addr.arpa domain
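The network ID/host ID split from slides 3 to 5 and the in-addr.arpa naming from slides 10 to 13 can be worked through with the standard `ipaddress` module. The Python below is an added example and is not part of the slide deck: it takes the slide's address 169.254.16.200 and mask 255.255.255.0, shows the 32-bit binary form, splits it into network and host IDs, derives the reverse lookup zone the company would administer, and builds the fully reversed PTR owner name. It generalises to any octet-aligned mask (/8, /16, /24) and refuses masks that are not, since the slide's octet-reversal scheme only applies to those; the function names are my own.

```python
import ipaddress


def to_binary(ip: str) -> str:
    """Show the 32-bit address as four 8-bit octets written in base 2."""
    return ".".join(format(int(octet), "08b") for octet in ip.split("."))


def split_address(ip: str, mask: str) -> dict:
    """Split a dotted-decimal IPv4 address into its network ID and host ID using the subnet mask."""
    addr = ipaddress.IPv4Address(ip)
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    host_part = int(addr) & int(net.hostmask)          # bits not covered by the mask
    return {
        "network_id": str(net.network_address),
        "host_id": str(ipaddress.IPv4Address(host_part)),
        "prefix_length": net.prefixlen,
    }


def reverse_zone_for(network: str, mask: str) -> str:
    """Name of the in-addr.arpa subdomain administered for an octet-aligned network:
    only the octets covered by the mask are kept, and their order is reversed."""
    net = ipaddress.IPv4Network(f"{network}/{mask}", strict=False)
    if net.prefixlen % 8 != 0:
        # The slide's scheme assumes /8, /16 or /24; smaller blocks need a different
        # delegation style that this example does not cover.
        raise ValueError(f"mask {mask} is not octet-aligned")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def ptr_owner_name(ip: str) -> str:
    """Owner name of the host's PTR record: all four octets reversed under in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


if __name__ == "__main__":
    print(to_binary("169.254.16.200"))                         # 10101001.11111110.00010000.11001000
    print(split_address("169.254.16.200", "255.255.255.0"))    # network 169.254.16.0, host 0.0.0.200
    print(reverse_zone_for("169.254.16.0", "255.255.255.0"))   # 16.254.169.in-addr.arpa
    print(ptr_owner_name("169.254.16.200"))                    # 200.16.254.169.in-addr.arpa
```

The zone name from `reverse_zone_for` is also what the DNS console uses, with a `.dns` extension, as the default zone file name for a standard primary reverse lookup zone (slide 25).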

14
Understanding and Configuring Zones
  • Zones
  • Zone Planning
  • Forward Lookup Zones
  • Reverse Lookup Zones
  • Resource Records
  • Delegating Zones
  • Configuring Dynamic DNS
  • Practice Configuring Zones

15
Zone Overview
  • The DNS service provides the option of dividing
    the namespace into one or more zones.
  • Zones can be stored, distributed, and replicated
    to other DNS servers.
  • The DNS namespace represents the logical
    structure of the network resources.
  • DNS zones provide physical storage of these
    resources.

16
Reasons to Use Additional Zones
  • Management of part of the DNS namespace needs to
    be delegated to another location or department
    within the organization.
  • One large zone needs to be divided into smaller
    zones to distribute traffic load among multiple
    servers, improve DNS name resolution performance,
    or create a more fault-tolerant DNS environment.
  • The namespace needs to be extended by adding
    numerous subdomains at once, such as to
    accommodate the opening of a new branch or site.

17
Forward Lookup Zones
  • Enable forward lookup queries.
  • At least one forward lookup zone must be
    configured for the DNS service to work.
  • Active Directory Installation Wizard can
    automatically create a forward lookup zone based
    on the DNS name you specified for the server.

18
Zone Type: Active Directory-Integrated
  • Master copy of a new zone
  • Uses Active Directory to store and replicate zone
    files

19
Zone Type: Standard Primary
  • Master copy of a new zone stored in a standard
    text file
  • Administered and maintained on the computer on
    which the zone is created

20
Zone Type: Standard Secondary
  • Replica of an existing zone.
  • Read-only; stored in standard text files.
  • Primary zone must be configured to create a
    secondary zone.
  • Must specify DNS server, called the master
    server, that will transfer zone information to
    the name server containing the standard secondary
    zone.
  • Create a secondary zone to provide redundancy and
    to reduce the load on the name server containing
    the primary zone database file.

21
Benefits of Active Directory-Integrated Zones
  • Multimaster update and enhanced security based on
    the capabilities of Active Directory.
  • Zones are replicated and synchronized to new
    domain controllers automatically whenever a new
    zone is added to an Active Directory domain.
  • By integrating storage of your DNS namespace in
    Active Directory, you simplify planning and
    administration for both DNS and Active Directory.
  • Directory replication is faster and more
    efficient than standard DNS replication.

22
Zone Name
  • A zone is typically named after the highest
    domain in the hierarchy that the zone
    encompasses, that is, the root domain of the zone.
  • For a zone that encompasses both microsoft.com
    and sales.microsoft.com, the zone name would be
    microsoft.com.

23
Zone File
  • A zone file must be specified for the standard
    primary forward lookup zone type.
  • The zone file is the zone database file name,
    which defaults to the zone name with a .dns
    extension.
  • An existing zone file can be imported when
    migrating a zone from another server.
  • Place the existing file in the systemroot\System32
    \DNS directory on the target computer before
    creating the new zone.

24
Reverse Lookup Zones
  • Enable reverse lookup queries
  • Are not required, except to run troubleshooting
    tools, such as NSLOOKUP, and to record a name
    instead of an IP address in IIS log files

25
Zone File
  • Must be specified for the standard primary
    reverse lookup zone type.
  • Network ID and subnet mask determine the default
    zone file name.
  • DNS reverses the IP octets and adds the
    in-addr.arpa suffix.
  • For a network ID of 169.254, the reverse lookup
    zone file for the 169.254 network becomes
    254.169.in-addr.arpa.dns.
  • The existing zone file may be imported when
    migrating a zone from another server.
  • The existing zone file must be placed in the
    systemroot\System32\DNS directory.

26
Resource Records
  • Entries in the zone database file that associate
    DNS domain names to related data for a given
    network resource.
  • Many different types of resource records.
  • When a zone is created, DNS automatically creates
    the Start of Authority (SOA) and the Name Server
    (NS) resource records.

27
Frequently Used Resource Record Types
  • Host (A): Maps a host name to an IP address
  • Alias (CNAME): Creates an alias for a canonical name
  • Host Information (HINFO): Identifies OS and CPU
  • Mail Exchanger (MX): Identifies the mail exchanger
    for a domain
  • Name Server (NS): Lists the name servers for a
    domain
  • Pointer (PTR): Maps a reverse-lookup
    (in-addr.arpa) name back to a host name
  • Service (SRV): Identifies servers hosting
    services
  • Start of Authority (SOA): Identifies the
    authoritative source for the zone

28
Delegating Zones
29
Delegating Zones
  • A zone starts as a storage database for a single
    DNS domain name.
  • If other domains are added below the domain used
    to create the zone, these domains can be part of
    either the same zone or another zone.
  • Once a subdomain is added, it can then be either:
      - managed and included as part of the original
        zone's records, or
      - delegated away to another zone created to
        support the subdomain.
  • SOA resource records must be created and must
    point to the authoritative DNS server for the new
    zone.
  • The New Delegation Wizard is available to assist
    in delegation of zones.

30
Dynamic DNS (DDNS) Updates
31
DDNS Overview
  • DDNS is the DNS service that includes dynamic
    update capability.
  • Name servers and clients within a network
    automatically update the zone database files.

32
Dynamic Updates
  • A list of authorized servers can be configured to
    initiate dynamic updates.
  • This list can include secondary name servers,
    domain controllers, and other servers that
    perform network registration for clients, such as
    servers running DHCP service or Microsoft WINS.

33
DDNS and DHCP
  • These services interact to maintain synchronized
    name-to-IP mappings for network hosts.
  • By default, the DHCP service allows clients to
    add their own Host (A) records to the zone; the
    DHCP service adds the PTR resource record to the
    zone.
  • DHCP service cleans up both the A and PTR
    resource records in the zone when the lease
    expires.
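The coupling between the forward zone, the reverse zone and the DHCP lease described on slides 31 to 33 (with the A and PTR record types from slide 27) can be modelled in a few dozen lines. The Python below is an added example and not code from the slide deck or from Microsoft's DNS service: `Zone` is a minimal in-memory zone database whose SOA serial moves on every dynamic update, and `DhcpDnsRegistrar` adds the A record at lease time, registers the matching PTR in the reverse zone, and removes both when the lease expires. The zone names, host name and addresses are constructed, and the class and function names are my own. The one check worth noting is `Zone.owns`: a PTR update is refused if the reversed address falls outside the reverse zone the server is authoritative for.

```python
import ipaddress


class Zone:
    """Minimal zone database: (owner name, record type) -> data, plus an SOA serial that
    is incremented on every dynamic update so that replicas can detect the change."""

    def __init__(self, name):
        self.name = name.lower()
        self.records = {}
        self.serial = 1

    def owns(self, owner):
        """True when the owner name lies inside this zone's part of the namespace."""
        owner = owner.lower()
        return owner == self.name or owner.endswith("." + self.name)

    def update(self, owner, rtype, rdata):
        if not self.owns(owner):
            raise ValueError(f"{owner} is outside zone {self.name}")
        self.records[(owner.lower(), rtype)] = rdata
        self.serial += 1

    def delete(self, owner, rtype):
        if self.records.pop((owner.lower(), rtype), None) is not None:
            self.serial += 1


def lookup(zone, owner, rtype):
    return zone.records.get((owner.lower(), rtype))


class DhcpDnsRegistrar:
    """Keeps the forward and reverse zones in step with DHCP leases: the A record is
    registered at lease time, the DHCP service adds the PTR record, and both are
    cleaned up when the lease expires."""

    def __init__(self, forward, reverse):
        self.forward = forward
        self.reverse = reverse
        self.leases = {}   # ip -> fully qualified host name

    def lease_granted(self, hostname, ip):
        fqdn = f"{hostname}.{self.forward.name}"
        ptr_owner = ipaddress.IPv4Address(ip).reverse_pointer   # e.g. 200.16.254.169.in-addr.arpa
        self.forward.update(fqdn, "A", ip)            # client's own dynamic update (default)
        self.reverse.update(ptr_owner, "PTR", fqdn)   # DHCP service registers the PTR
        self.leases[ip] = fqdn
        return fqdn, ptr_owner

    def lease_expired(self, ip):
        fqdn = self.leases.pop(ip)
        self.forward.delete(fqdn, "A")
        self.reverse.delete(ipaddress.IPv4Address(ip).reverse_pointer, "PTR")


def run_scenario():
    """Constructed walk-through: one lease granted, looked up, then expired."""
    forward = Zone("corp.example.com")
    reverse = Zone("16.254.169.in-addr.arpa")
    registrar = DhcpDnsRegistrar(forward, reverse)
    fqdn, ptr_owner = registrar.lease_granted("ws01", "169.254.16.200")
    after_grant = (lookup(forward, fqdn, "A"), lookup(reverse, ptr_owner, "PTR"))
    registrar.lease_expired("169.254.16.200")
    after_expiry = (lookup(forward, fqdn, "A"), lookup(reverse, ptr_owner, "PTR"))
    return after_grant, after_expiry, forward.serial, reverse.serial


if __name__ == "__main__":
    print(run_scenario())
```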

34
Zone Replication and Transfer
  • Zone Replication and Zone Transfers
  • DNS Notification
  • The DNS Notify Process

35
Zone Replication and Zone Transfers
  • Zones play an important role in DNS; their
    availability from more than one DNS server on the
    network is needed to provide fault tolerance when
    resolving name queries.
  • If a single server is used and that server is not
    responding, queries for names in the zone can
    fail.
  • Zone transfers are required to replicate and
    synchronize all copies of the zone used at each
    server configured to host the zone.
  • A full zone transfer (AXFR) is performed when a
    new DNS server is added to the network and
    configured as a new secondary server for an
    existing zone.
  • Earlier DNS server implementations used a full
    transfer (AXFR) for incremental changes to the
    zone.
  • For Microsoft Windows Server 2003, the DNS
    service supports incremental zone transfer (IXFR).

36
Reasons to Use Additional DNS Servers
  • Provide zone redundancy
  • Reduce DNS network traffic
  • Reduce load on primary server

37
Incremental Zone Transfers (IXFR)
  • Provide a more efficient method of propagating
    zone changes and updates.
  • Allow the secondary server to pull only those
    zone changes it needs to synchronize its copy of
    the zone with its source.
  • Source can be either a primary or secondary copy
    of the zone maintained by another DNS server.
  • For an IXFR query to succeed and changes to be
    sent, the source DNS server for the zone must
    keep a history of incremental zone changes to use
    when answering these queries.
  • IXFR requires substantially less traffic on a
    network, and zone transfers are completed much
    faster.

38
Incremental Zone Transfers (IXFR) (cont.)
  • Differences between the source and replicated
    versions of the zone are determined as follows:
  • If the zones are identified to be the same
    version, as indicated by the serial number field
    in the SOA resource record of each zone, no
    transfer is made.
  • If the source serial number is greater than the
    serial number held by the requesting secondary
    server, a transfer is made of only those changes
    to resource records for each incremental version
    of the zone.

39
Zone Transfer Process
40
Zone Transfer Security
  • The DNS console permits you to specify the
    servers allowed to participate in zone transfers.
  • This helps to prevent an undesired attempt by an
    unknown or unapproved DNS server to pull or
    request zone updates.

41
Zone Transfers Tab
42
DNS Notification
  • An extension to the DNS standard specification
    (RFC 1996).
  • Implements a push mechanism for notifying a
    select set of secondary servers for a zone when a
    zone is updated.
  • Notified servers can then initiate the zone
    transfer process and pull changes from the
    notifying server to update the zone.
  • Use DNS notification only to notify DNS servers
    that are operating as secondary servers for a
    zone.
  • Not needed for replication of directory-integrated
    zones.

43
Notify Dialog Box
44
Typical DNS Notify Process
  • Local zone is updated.
  • Source server sends notify message to other
    servers.
  • Secondary servers initiate a zone transfer.
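Slides 35 to 38 (AXFR for a new secondary, IXFR driven by the SOA serial and a change history), slide 40 (only listed servers may pull a transfer) and slides 42 to 44 (the notify process) describe one protocol exchange, and one simulation shows all of it. The Python below is an added example, not code from the slide deck or from the Windows DNS service: `PrimaryServer` holds the master copy, its serial, an incremental change history and the allowed-secondary list; `SecondaryServer` reacts to a NOTIFY by comparing serials and pulling a transfer. Serial comparison follows RFC 1982 serial-number arithmetic so it still works when the 32-bit serial wraps, which goes slightly beyond the slide's plain "greater than". Zone data, addresses and serial values are constructed; class and function names are my own.

```python
SERIAL_SPACE = 2 ** 32


def serial_newer(a, b):
    """RFC 1982 comparison: True when serial a is 'greater than' b on the 32-bit circle."""
    if a == b:
        return False
    return 0 < (a - b) % SERIAL_SPACE < 2 ** 31


class PrimaryServer:
    """Master copy of a zone, its SOA serial, and a history of incremental changes."""

    def __init__(self, zone_name, records, serial, allowed_secondaries):
        self.zone_name = zone_name
        self.records = dict(records)             # owner name -> IPv4 address (A records only)
        self.serial = serial
        self.history = []                        # (serial_before, serial_after, deleted, added)
        self.allowed = set(allowed_secondaries)  # the Zone Transfers tab allow-list
        self.refused = []                        # requesters turned away, for the event log

    def apply_change(self, deleted, added):
        """Edit the zone, bump the serial and return the NOTIFY sent to secondaries."""
        before = self.serial
        for owner in deleted:
            self.records.pop(owner, None)
        self.records.update(added)
        self.serial = (self.serial + 1) % SERIAL_SPACE
        self.history.append((before, self.serial, list(deleted), dict(added)))
        return ("NOTIFY", self.zone_name, self.serial)

    def transfer_request(self, requester_ip, secondary_serial):
        """Refuse unlisted servers; send nothing when copies match; IXFR when the
        history covers the gap; otherwise fall back to a full AXFR."""
        if requester_ip not in self.allowed:
            self.refused.append(requester_ip)
            return {"rcode": "REFUSED"}
        if not serial_newer(self.serial, secondary_serial):
            return {"rcode": "NOERROR", "kind": "none", "serial": self.serial}
        for i, (before, _, _, _) in enumerate(self.history):
            if before == secondary_serial:
                return {"rcode": "NOERROR", "kind": "IXFR", "serial": self.serial,
                        "changes": self.history[i:]}
        return {"rcode": "NOERROR", "kind": "AXFR", "serial": self.serial,
                "records": dict(self.records)}


class SecondaryServer:
    """Read-only replica; starts empty at serial 0, so its first pull is a full transfer."""

    def __init__(self, ip, zone_name):
        self.ip = ip
        self.zone_name = zone_name
        self.records = {}
        self.serial = 0

    def on_notify(self, primary, notify):
        """Typical notify process: check the advertised serial, then pull from the source."""
        _, zone_name, advertised = notify
        if zone_name != self.zone_name or not serial_newer(advertised, self.serial):
            return "ignored"
        reply = primary.transfer_request(self.ip, self.serial)
        if reply["rcode"] != "NOERROR":
            return reply["rcode"]
        if reply["kind"] == "AXFR":
            self.records = dict(reply["records"])
        elif reply["kind"] == "IXFR":
            for _, _, deleted, added in reply["changes"]:
                for owner in deleted:
                    self.records.pop(owner, None)
                self.records.update(added)
        self.serial = reply["serial"]
        return reply["kind"]


def run_scenario():
    """Constructed walk-through: new secondary joins, one change is notified and pulled
    incrementally, a repeat notify is ignored, an unlisted server is refused."""
    primary = PrimaryServer("example.com",
                            {"www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.25"},
                            serial=2024051201, allowed_secondaries={"10.0.0.50"})
    secondary = SecondaryServer("10.0.0.50", "example.com")
    stranger = SecondaryServer("198.51.100.7", "example.com")
    outcomes = [secondary.on_notify(primary, ("NOTIFY", "example.com", primary.serial))]
    notify = primary.apply_change(deleted=["mail.example.com"],
                                  added={"mx1.example.com": "192.0.2.30"})
    outcomes.append(secondary.on_notify(primary, notify))
    outcomes.append(secondary.on_notify(primary, notify))
    outcomes.append(stranger.on_notify(primary, notify))
    return outcomes, secondary.records, secondary.serial, primary.refused


if __name__ == "__main__":
    print(run_scenario())
```

The scenario yields `["AXFR", "IXFR", "ignored", "REFUSED"]`: the brand-new replica needs a full transfer, the edit travels as a single incremental change, a notify that advertises a serial the replica already holds causes no transfer, and the server that is not on the allow-list gets a REFUSED response and an entry in `primary.refused`, which is the place a real server would raise an event.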

45
Monitor and Troubleshoot DNS for Active Directory
  • Monitoring DNS Servers
  • DNS Troubleshooting Scenarios

46
Two Options for Monitoring DNS Servers
  • Default logging of DNS server event messages to
    the DNS server log
  • Optional debug options for trace logging to a
    text file on the DNS server computer

47
DNS Server Event Logging
  • DNS server event messages are kept separate from
    events raised by other applications and services
    in the DNS server log.
  • DNS server log contains basic predetermined
    events logged by the DNS server service, such as
    when the DNS server starts and stops.
  • Use Event Viewer to view and monitor
    client-related DNS events.
  • These events appear in the system log and are
    written by the DNS client service on any
    computer running Windows 2003 (all versions).

48
Debug Options
  • The DNS console allows you to set additional
    logging options to create a temporary trace log
    as a text-based file for DNS server activity.
  • DNS.LOG is stored in the systemroot\System32\Dns
    folder.
  • By default, all debug logging options are
    disabled.
  • DNS server service can perform additional
    trace-level logging of selected types of events
    or messages for general troubleshooting and
    debugging of the server.
  • Debug logging can be resource-intensive,
    affecting overall server performance and
    consuming disk space.
  • Debug logging should be used only temporarily,
    when more detailed information about server
    performance is needed.
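Since debug logging is meant to be switched on only briefly (slide 48), it helps to have something ready that reads the resulting DNS.LOG and answers the two questions a troubleshooter usually has: who is querying, and did anyone request a zone transfer who should not have (slide 40). The Python below is an added example and is not part of the slide deck. The sample lines are constructed in the style of the packet entries in a DNS.LOG file (date, time, thread id, `PACKET`, packet pointer, protocol, `Snd`/`Rcv`, remote IP, transaction id, response flag, opcode, bracketed flags ending in the rcode, query type, and the name in length-prefixed label form); that column layout is an assumption for this example, and the regular expression would need adjusting for a real file from a different server version.

```python
import re
from collections import Counter

# Constructed sample, laid out like DNS.LOG packet entries (column layout assumed).
SAMPLE_LOG = """\
5/12/2024 9:43:21 AM 0F30 PACKET  00000249A8C8F0B0 UDP Rcv 10.0.0.25        0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
5/12/2024 9:43:21 AM 0F30 PACKET  00000249A8C8F0B0 UDP Snd 10.0.0.25        0003 R Q [8085 A DR  NOERROR] A      (3)www(7)example(3)com(0)
5/12/2024 9:43:25 AM 0F30 PACKET  00000249A8C91120 UDP Rcv 10.0.0.30        0004   Q [0001   D   NOERROR] PTR    (3)200(2)16(3)254(3)169(7)in-addr(4)arpa(0)
5/12/2024 9:44:02 AM 0F30 PACKET  00000249A8C93A40 TCP Rcv 10.0.0.50        0005   Q [0000       NOERROR] AXFR   (7)example(3)com(0)
5/12/2024 9:44:09 AM 0F30 PACKET  00000249A8C95C10 TCP Rcv 198.51.100.7     0006   Q [0000       NOERROR] AXFR   (7)example(3)com(0)
5/12/2024 9:44:09 AM 0F30 PACKET  00000249A8C95C10 TCP Snd 198.51.100.7     0006 R Q [8080        REFUSED] AXFR   (7)example(3)com(0)
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<thread>[0-9A-F]+)\s+PACKET\s+"
    r"(?P<packet>[0-9A-F]+)\s+(?P<proto>UDP|TCP)\s+(?P<direction>Rcv|Snd)\s+"
    r"(?P<ip>[0-9.]+)\s+(?P<xid>[0-9A-Fa-f]+)\s+(?P<response>R)?\s*(?P<opcode>[A-Z])\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)$"
)


def decode_name(label_form):
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    return re.sub(r"\(\d+\)", ".", label_form).strip(".")


def parse_log(text):
    """Parse packet lines into dicts; lines that do not match (headers, blanks) are skipped."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        entry = match.groupdict()
        entry["name"] = decode_name(entry["name"])
        entry["is_response"] = entry.pop("response") == "R"
        entry["rcode"] = entry["flags"].split()[-1]   # last token inside the brackets
        entries.append(entry)
    return entries


def summarize(entries, allowed_secondaries):
    """Per-client query counts plus any zone transfer request from a server that is not
    on the zone's allowed list, which is what the Zone Transfers tab is meant to block."""
    received = [e for e in entries if e["direction"] == "Rcv" and not e["is_response"]]
    per_client = Counter(e["ip"] for e in received)
    unexpected = [(e["ip"], e["qtype"], e["name"]) for e in received
                  if e["qtype"] in ("AXFR", "IXFR") and e["ip"] not in allowed_secondaries]
    return {"queries_per_client": dict(per_client),
            "unexpected_transfer_requests": unexpected}


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG), allowed_secondaries={"10.0.0.50"}))
```

On the sample, the summary counts one received query from each of the four clients and flags the AXFR request from 198.51.100.7, while the transfer pulled by 10.0.0.50 (the listed secondary) is treated as normal. Because debug logging is resource-intensive, a parser like this is best run over a short capture window rather than left watching a growing file.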