MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory - PowerPoint PPT Presentation

Slides: 47
Provided by: cmsu2Ucmo

MCTS Guide to Configuring Microsoft Windows
Server 2008 Active Directory
  • Chapter 9: Configuring DNS for Active Directory

Objectives
  • Describe the structure of Domain Name System
  • Install and use the DNS Server role in Windows
    Server 2008
  • Configure DNS zones
  • Configure advanced DNS server settings
  • Monitor and troubleshoot DNS

Introduction to Domain Name System
  • Domain Name System (DNS) is a distributed
    hierarchical database composed mainly of computer
    name and IP address pairs
  • In order to resolve a name to an address, a DNS
    lookup will often require multiple queries to a
    hierarchy of DNS servers

The Structure of DNS
  • DNS can be described as an inverted tree
  • Entire DNS tree is called the DNS namespace
  • Each domain has one or more servers that are
    authoritative for the domain
  • Root servers keep a database of addresses of
    other DNS servers managing top-level domain
    names, called top-level domain (TLD) servers

The Structure of DNS (cont.)
The DNS Database
  • A zone is a grouping of DNS information that
    represents one or more domains and possibly
  • Zones contain a variety of record types called
    resource records, which contain information about
    network resources
  • DNS records can be added and changed by
  • Static updates
  • Dynamic updates

The DNS Database (cont.)
DNS resource record types
The DNS Lookup Process
  • Two different types of DNS lookup can be
  • Iterative query
  • The DNS server responds with the best
    information it has to satisfy the query, which
    may be a referral to another name server
  • Recursive query
  • The DNS server processes the query on the
    client's behalf until it responds with an address
    that satisfies the query or with an "I don't know"
    (negative) answer
  • A typical DNS lookup made by a DNS client
    involves both: a recursive query from the client
    to its DNS server, then iterative queries from
    that server down the hierarchy
  • DNS clients maintain a hosts file that can
    contain static DNS entries. Hosts is stored in

The DNS Lookup Process (cont.)
DNS Server Roles
  • DNS Servers can perform one or more of the
    following roles for a zone
  • Authoritative server
  • Holds a complete copy of a zone's resource
  • Forwarder
  • A DNS server to which other DNS servers send
    requests they can't resolve themselves
  • Conditional forwarder
  • DNS server to which other DNS servers send
    requests targeted for a specific domain
  • Caching-only server
  • Does not host zones. It fields DNS queries, does
    recursive lookups starting at the root servers or
    sends requests to forwarders, then caches the
    results

DNS Zones
  • Three different types of zones
  • Primary zone
  • Contains the read/write master copy of all
    resource records for the zone; it is
    authoritative for the zone
  • Secondary zone
  • Contains a read-only copy of all resource records
    for the zone, obtained by zone transfer from a
    master; it is also authoritative for the zone
  • Stub zone
  • Contains a read-only copy of only the SOA and NS
    records for a zone and the glue A records needed
    to resolve the NS records; it is not
    authoritative for the zone

Installing DNS
  • DNS installation begins by installing the DNS
    Server role in Server Manager
  • If the DNS server is intended to manage domain
    name services for Active Directory, DNS Server
    role should be installed on a domain controller
  • Windows automatically detects whether or not the
    server is configured as a domain controller, then
    integrates DNS zones with Active Directory

Creating DNS Zones
  • An Active Directory integrated zone is a primary
    or stub zone with the DNS database stored in an
    Active Directory partition
  • Installing DNS on a domain controller that is
    part of an existing domain will have zone
    information copied to it automatically during AD
  • Some situations may require that a zone be
    created manually
  • Zones that are not Active Directory integrated
    are referred to as standard zones

Creating DNS Zones (cont.)
Active Directory-Integrated Zones
  • The "Store the zone in Active Directory" check
    box means you want the zone stored in an Active
    Directory partition
  • Standard zones are stored in a text file called
    zone-name.dns, which is located in the
    %SystemRoot%\System32\dns folder
  • Active Directory-integrated zones have the
    following advantages over a standard zone
  • Automatic zone replication
  • Multimaster replication and update
  • Secure updates (only an Active Directory-
    integrated zone can require a client to
    authenticate with Kerberos before it may add or
    change a record)
  • Efficient replication

Zone Replication Scope
  • After selecting the zone type and specifying the
    zone is to be stored in Active directory, you are
    asked to select the zone replication scope with
    one of these options
  • To all DNS servers in this forest (the
    ForestDnsZones application partition)
  • To all DNS servers in this domain (the
    DomainDnsZones application partition)
  • To all domain controllers in this domain (the
    domain partition; for Windows 2000 compatibility)
  • To all domain controllers specified in the scope
    of this directory partition (a custom application
    partition)

Forward and Reverse Lookup Zones
  • Next, you are asked whether a zone should be a
    forward lookup zone or a reverse lookup zone
  • FLZ: a forward lookup zone contains records keyed
    by name, such as A and AAAA records (name to IPv4
    or IPv6 address) and MX records (name to mail
    server)
  • RLZ: a reverse lookup zone contains PTR records
    that map IP addresses to names and is named after
    the IP network address (IPv4 or IPv6) of the
    computers whose records it contains, for example
    1.168.192.in-addr.arpa for 192.168.1.0/24

Dynamic Updates
  • Final step allows you to choose whether and how
    to use dynamic updates, which can be configured
    in one of three ways
  • Allow only secure dynamic updates (available only
    for Active Directory-integrated zones; the client
    must authenticate with Kerberos and becomes the
    owner of the records it registers)
  • Allow both nonsecure and secure dynamic updates
    (any host that can reach the server can add or
    overwrite records, including another host's name)
  • Do not allow dynamic updates
  • Dynamic updates enable DNS client computers to
    register and dynamically update their resource
    records with a DNS server whenever changes occur

Creating Zones from the Command Line
  • Dnscmd.exe can create and configure various DNS
  • Basic syntax: dnscmd <server> /<command> [options]
  • Examples
  • Create a new primary Active Directory-integrated
    zone named zone1 that allows only secure dynamic
    updates: dnscmd server99 /ZoneAdd zone1 /DsPrimary
    (dnscmd server99 /Config zone1 /AllowUpdate 2 sets
    the secure-only update policy explicitly)
  • Add an A record for the host named host1 in zone1
    with the IP address: dnscmd server99 /RecordAdd
    zone1 host1 A <IP address>
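The zone-creation steps above (zone type, replication scope, dynamic update policy, records) carried out end to end with dnscmd.exe from PowerShell. This is an added example, not code from the textbook; the server name, zone names and addresses are placeholders, and it assumes it runs on a domain controller that holds the DNS Server role, as a member of DnsAdmins.

```powershell
# Added example (not from the textbook): create an AD-integrated primary zone and its
# reverse zone with dnscmd.exe, enforce secure-only dynamic updates, add records, verify.
# Assumptions: runs on a DC with the DNS Server role as a DnsAdmins member; the server
# name, zone names and addresses are placeholders. PowerShell 2.0 syntax.
$Server = 'server99'                       # DNS server to manage (placeholder)
$Zone   = 'zone1'                          # forward lookup zone (placeholder)
$RZone  = '1.168.192.in-addr.arpa'         # reverse zone for 192.168.1.0/24 (placeholder)

function Invoke-Dnscmd {
    # Run dnscmd against $Server and stop on a non-zero exit code so a failed
    # step (for example a zone that already exists) is never silently skipped.
    param([string[]]$Arguments)
    $output = & dnscmd.exe $Server $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $output" }
    $output
}

# 1. Zone type and replication scope in one step: /DsPrimary stores the zone in AD,
#    /dp /forest replicates it to every DNS server in the forest (ForestDnsZones).
#    Use /dp /domain for "all DNS servers in this domain" and /dp /legacy for the
#    Windows 2000 style "all domain controllers in this domain".
Invoke-Dnscmd @('/ZoneAdd', $Zone,  '/DsPrimary', '/dp', '/forest')
Invoke-Dnscmd @('/ZoneAdd', $RZone, '/DsPrimary', '/dp', '/forest')

# 2. Dynamic update policy: 0 = none, 1 = nonsecure and secure, 2 = secure only.
#    Do not leave 1 in place on a production zone: with it, any host that can reach
#    port 53 can add or overwrite records without proving who it is.
Invoke-Dnscmd @('/Config', $Zone,  '/AllowUpdate', '2')
Invoke-Dnscmd @('/Config', $RZone, '/AllowUpdate', '2')

# 3. Static A record and the matching PTR record (the address is a placeholder).
Invoke-Dnscmd @('/RecordAdd', $Zone,  'host1', 'A',   '192.168.1.10')
Invoke-Dnscmd @('/RecordAdd', $RZone, '10',    'PTR', "host1.$Zone.")

# 4. Verify the update policy actually applied. "/ZoneInfo <zone> AllowUpdate"
#    prints the stored DWORD, e.g. "Dword:  2 (00000002)".
foreach ($z in @($Zone, $RZone)) {
    $value = Invoke-Dnscmd @('/ZoneInfo', $z, 'AllowUpdate') | Out-String
    if ($value -notmatch 'Dword:\s*2\b') { throw "$z does not enforce secure updates: $value" }
    "$z : secure dynamic updates only"
}
```

The verification step matters because /ZoneAdd succeeds whether or not the update policy is what you intended; reading the value back is the only way to know the zone will refuse unauthenticated registrations.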

Configuring DNS Zones
  • Zones can be viewed and changed in DNS Manager
  • DNS Manager provides the following options
  • Status
  • Type
  • Replication
  • Dynamic updates
  • Aging

Configuring DNS Zones (cont.)
Aging and Scavenging Resource Records
  • Stale resource records can degrade server
    performance, provide incorrect information, and
    generally make DNS less reliable and efficient
  • Enabling scavenging causes the server to check
    for stale records periodically and deletes those
    meeting the criteria for a stale record
  • Options in the Zone Aging/Scavenging Properties
    dialog box
  • Scavenge stale resource records
  • No-refresh interval
  • Refresh interval
  • The zone can be scavenged after
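The aging and scavenging settings above, applied with dnscmd.exe together with the two sanity checks DNS Manager does not perform for you. This is an added example, not the textbook's code; server name, zone name, interval values and the 24-hour client re-registration period are placeholders or assumptions.

```powershell
# Added example (not from the textbook): enable aging on one zone and scavenging on the
# server, check the intervals against how often clients refresh, and report which
# records are actually eligible for deletion. Values are placeholders. PowerShell 2.0.
$Server = 'server99'
$Zone   = 'zone1'
$NoRefreshHours     = 168   # 7 days: client refreshes are ignored during this window
$RefreshHours       = 168   # 7 days: client may refresh its timestamp during this window
$ScavengeHours      = 168   # how often this server runs a scavenging pass (0 disables)
$ClientRefreshHours = 24    # assumption: Windows clients re-register every 24 h by default

function Invoke-Dnscmd {
    param([string[]]$Arguments)
    $output = & dnscmd.exe $Server $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $output" }
    $output
}

# A record is deleted only when it is older than NoRefresh + Refresh AND the next
# scavenging pass runs, so a dead host's record can survive NoRefresh + Refresh + Scavenge.
# If Refresh is shorter than the client re-registration period, live hosts get scavenged too.
if ($RefreshHours -lt $ClientRefreshHours) {
    throw "Refresh interval ($RefreshHours h) is shorter than the client refresh period ($ClientRefreshHours h)"
}
$worstCaseHours = $NoRefreshHours + $RefreshHours + $ScavengeHours
"Stale records can persist up to $worstCaseHours hours ($([math]::Round($worstCaseHours / 24, 1)) days)"

# Zone level: enable aging and set the two windows (values are in hours).
Invoke-Dnscmd @('/Config', $Zone, '/Aging', '1')
Invoke-Dnscmd @('/Config', $Zone, '/NoRefreshInterval', "$NoRefreshHours")
Invoke-Dnscmd @('/Config', $Zone, '/RefreshInterval',   "$RefreshHours")

# Server level: the scavenging period. Only a server with this set ever deletes records.
Invoke-Dnscmd @('/Config', '/ScavengingInterval', "$ScavengeHours")

# Caveat: records created in DNS Manager or with /RecordAdd without /Aging carry no
# timestamp and are never scavenged; dynamically registered records are. /EnumRecords
# prints aged records with an [Aging:<hours>] tag, static ones without it.
$records = Invoke-Dnscmd @('/EnumRecords', $Zone, '@', '/Type', 'A', '/Child')
$aged    = @($records | Where-Object { $_ -match '\[Aging:' })
$static  = @($records | Where-Object { $_ -match '^\S+\s+\d+\s+A\s' -and $_ -notmatch '\[Aging:' })
"$($aged.Length) A records subject to scavenging, $($static.Length) static A records exempt"
```

Run the enumeration before enabling scavenging on a zone that has been around for a while: a server or printer someone registered dynamically years ago and then made static in the application, but not in DNS, shows up in the aged list and will be the first thing scavenging removes.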

Start of Authority Records
  • An SOA record is found in every zone and contains
    information that identifies the server primarily
    responsible for the zone as well as some
    operational properties of the zone
  • The SOA record contains the following
  • Serial number
  • Primary server
  • Responsible person
  • Refresh interval
  • Retry interval
  • Expires after
  • Minimum (default) TTL

Name Server Records
  • NS records specify FQDNs and IP addresses of
    authoritative servers for a zone
  • NS records are also used to refer DNS queries to
    a name server that has been delegated authority
    for a subdomain
  • Glue A records are A records containing a name
    server's IP address, and are used to resolve NS
    record information

Zone Delegation
  • Zone delegation is transferring authority for a
    subdomain to a new zone, which can be on the same
    server or another server
  • The server hosting the parent zone maintains only
    an NS record pointing to the DNS server hosting
    the delegated zone
  • _msdcs subdomain exists inside every Windows
    domain zone, and holds SRV records for Microsoft
    hosted services, such as global catalog, LDAP,
    and Kerberos

Zone Delegation (cont.)
Using Stub Zones
  • Stub zones are a special type of zone that
    contain only an SOA record, one or more NS
    records, and the necessary glue A records to
    resolve NS records
  • Reasons for using stub zones
  • Maintenance of zone delegation information
  • In lieu of conditional forwarders
  • Faster recursive queries
  • Distribution of zone information

Zone Transfers
  • A zone transfer copies all or part of a zone from
    one DNS server to another and occurs as a result
    of a second server requesting the transfer from
    another server
  • Zone transfers can be initiated in two ways
  • Refresh interval: the secondary polls the master
    for the SOA serial number when the zone's refresh
    timer expires
  • DNS notify: the master tells the listed
    secondaries that the serial number has changed so
    they request the transfer immediately
  • Zone transfers are configured in the Zone
    Transfers tab of a zone's Properties dialog box,
    which has the following options
  • Allow zone transfers
  • To any server (hands the complete zone, every
    host and service record, to anyone who can reach
    TCP port 53; never use it on a server reachable
    from untrusted networks)
  • Only to servers listed on the Name Servers tab
  • Only to the following servers
  • Notify
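The Zone Transfers tab settings above as dnscmd.exe commands, with the weak "To any server" setting shown beside the restricted one and a client-side probe that requests the zone the way an attacker would. Added example, not the textbook's code; the server, zone and secondary addresses are placeholders and it assumes it is run from a host that is not on the allowed list.

```powershell
# Added example (not from the textbook): restrict zone transfers and DNS Notify to the
# named secondaries, then probe the server with an AXFR request via nslookup.
# Server, zone and addresses are placeholders. PowerShell 2.0 syntax.
$Server      = 'server99'
$Zone        = 'zone1'
$Secondaries = @('192.168.1.21', '192.168.1.22')   # the only servers allowed to pull the zone

function Invoke-Dnscmd {
    param([string[]]$Arguments)
    $output = & dnscmd.exe $Server $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $output" }
    $output
}

# Weak setting, "To any server" in DNS Manager, shown only for contrast. Anyone who can
# open TCP 53 receives every A, SRV, MX and TXT record in the zone in one request:
#   Invoke-Dnscmd @('/ZoneResetSecondaries', $Zone, '/NonSecure', '/Notify')

# Hardened: transfers only to the listed addresses, and Notify only those addresses when
# the SOA serial changes. /SecureList and /NotifyList each take the addresses that follow.
Invoke-Dnscmd (@('/ZoneResetSecondaries', $Zone, '/SecureList') + $Secondaries + @('/NotifyList') + $Secondaries)

# Verify the stored value: 0 = any server, 1 = Name Servers tab, 2 = explicit list,
# 3 = no transfers. "/ZoneInfo <zone> SecureSecondaries" prints "Dword:  2 (00000002)".
$value = Invoke-Dnscmd @('/ZoneInfo', $Zone, 'SecureSecondaries') | Out-String
if ($value -notmatch 'Dword:\s*2\b') { throw "SecureSecondaries is not 2 (list): $value" }

# Probe from the client side: "ls -d <zone>" in nslookup's interactive mode asks for a
# full zone transfer. From a host that is not on the list the server must refuse it.
$probe = "ls -d $Zone" | nslookup.exe - $Server 2>&1 | Out-String
if ($probe -notmatch 'refused') { throw "Zone transfer of $Zone was NOT refused:`n$probe" }
"$Zone : transfers limited to $($Secondaries -join ', ')"
```

The nslookup probe is the check worth keeping in a scheduled job: it tests what the server actually does rather than what the configuration says, and it is the same request an attacker sends during reconnaissance.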

Incremental Zone Transfers
  • Two types of zone transfer
  • Full zone transfers (AXFR)
  • Incremental zone transfers (IXFR)
  • Both master and slave DNS servers must support
    incremental zone transfers to use them
  • When an incremental zone transfer is requested,
    the slave sends the serial number of its current
    copy of the zone; the master compares it with its
    own serial number and sends only the changes made
    since that serial, or a full transfer if it cannot
    reconstruct the differences

Using WINS with DNS
  • Windows Internet Name Service (WINS) is a legacy
    name service used to resolve NetBIOS names,
    sometimes referred to as single-label names
  • Similar to DNS in that it keeps a database of
    name-to-address mappings
  • Generally used in environments that require
    NetBIOS resolution, or where applications depend
    on it
  • The WINS tab has the following options
  • Use WINS forward lookup
  • Do not replicate this record
  • IP address
  • Time to live (TTL)

Using the GlobalNames Zone
  • GlobalNames zone (GNZ) allows administrators to
    add single-label names to DNS, giving client
    computers the ability to resolve these names
    without including a DNS suffix in the query
  • Entries must be made manually, as CNAME records in
    a forward lookup zone named GlobalNames; the zone
    does not accept dynamic updates
  • Can assist mobile users by dropping the need for
    remembering a resource's FQDN
  • Enabled via dnscmd.exe on each DNS server
  • dnscmd <server> /config /EnableGlobalNamesSupport 1

DNS Forwarders
  • Referring a DNS query to a forwarder can be more
    efficient under some situations
  • When the DNS server address for the target domain
    is known
  • When only one DNS server in a network should make
    external queries
  • When a forest trust is created
  • When the target domain is external to the network
    and an external DNS servers address is known
  • Conditional forwarding allows queries for
    particular domains to be sent to particular name
    servers while all other unresolved queries go to a
    different server

Configuring Traditional Forwarders
  • To configure a traditional forwarder, right-click
    the server node in DNS Manager, click Properties,
    and click the Forwarders tab
  • If more than one server is specified, they are
    queried in the order in which they're listed
  • Additional servers are only queried if the first
    server provides no response
  • No response from any forwarders triggers a normal
    recursive lookup process, starting with a root
  • Clearing "Use root hints if no forwarders are
    available" (dnscmd /ResetForwarders ... /Slave)
    removes that fallback, so the query fails instead
    of bypassing the forwarders

Configuring Conditional Forwarders
  • Previously, traditional and conditional
    forwarders were configured under the Forwarders
    tab, but Server 2008 has conditional forwarders
    as a node in DNS Manager
  • With forwarders and/or conditional forwarders
    configured, the DNS server attempts to resolve
    DNS queries in this order
  • 1. From locally stored zone resource records
  • 2. From the DNS cache
  • 3. From conditional forwarders
  • 4. From traditional forwarders
  • 5. Recursively by using root hints

Root Hints
  • Root hints consist of a list of name servers
    preconfigured on Windows DNS servers that point
    to Internet root servers
  • These servers contain lists of name servers that
    are responsible for top-level domains
  • Root hints data comes from the Cache.dns file
    located in the SystemRoot\System32\DNS folder
  • Internal DNS servers can be configured as root
    servers if the network is isolated from the
    public Internet

Round Robin
  • Load sharing can be configured among servers
    running mirrored services
  • Accomplished by creating multiple A records with
    the same server name in each record, but with each
    entry configured with a different IP address
  • DNS will then respond to queries by sending all
    addresses associated with the server's name, but
    will also vary their order
  • This process is called round robin because each
    IP address is placed first in the list an equal
    number of times

Recursive Queries
  • Recursion is enabled on Windows DNS servers by
    default, but there are two ways to change this
  • First involves configuring forwarders (the server
    then forwards queries instead of recursing itself)
  • Second is the "Disable recursion (also disables
    forwarders)" option in the Advanced tab of the
    DNS server's Properties dialog box (dnscmd
    <server> /Config /NoRecursion 1)
  • Recursion should be disabled when you have a
    public DNS server containing resource records for
    your publicly available servers, but you don't
    want unauthorized users using your DNS server for
    recursive client requests: an open resolver can be
    abused for reflection/amplification attacks and
    exposes a cache that can be poisoned
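The forwarder and recursion settings from the last few slides applied with dnscmd.exe to two servers with different jobs: an internal resolver that forwards everything external through one path, and a public authoritative server that must not recurse at all. Added example, not the textbook's code; the server names, addresses and the partner zone are placeholders.

```powershell
# Added example (not from the textbook). Two roles, two settings:
#   internal resolver: forwarders plus a conditional forwarder, recursion stays on
#   public authoritative server: serves only its own zones, recursion off
# Server names, addresses and the partner zone are placeholders. PowerShell 2.0 syntax.
$Internal    = 'dns-int01'
$Public      = 'dns-pub01'
$Upstream    = @('192.168.100.5', '192.168.100.6')   # resolvers the firewall allows out
$PartnerZone = 'partner.example'                     # resolved via a conditional forwarder
$PartnerDns  = '172.16.5.53'

function Invoke-Dnscmd {
    param([string]$Target, [string[]]$Arguments)
    $output = & dnscmd.exe $Target $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $Target $($Arguments -join ' ') failed: $output" }
    $output
}

# Internal resolver: traditional forwarders tried in the order listed, 3 s per forwarder.
# /Slave clears "Use root hints if no forwarders are available": if both upstreams are
# down the query fails rather than the server silently trying the Internet roots itself,
# which keeps every external lookup on the one egress path the firewall allows.
Invoke-Dnscmd $Internal (@('/ResetForwarders') + $Upstream + @('/TimeOut', '3', '/Slave'))

# Conditional forwarder for the partner domain, consulted before the traditional
# forwarders. /DsForwarder stores it in AD so every DNS server in the forest gets it.
Invoke-Dnscmd $Internal @('/ZoneAdd', $PartnerZone, '/DsForwarder', $PartnerDns, '/dp', '/forest')

# Public authoritative server: NoRecursion 1 is the "Disable recursion (also disables
# forwarders)" check box. Left at 0, the server is an open resolver: anyone on the
# Internet can use it to reflect and amplify traffic and can feed answers into its cache.
Invoke-Dnscmd $Public @('/Config', '/NoRecursion', '1')

# Verify. "/Info NoRecursion" prints the DWORD, e.g. "Dword:  1 (00000001)".
function Assert-NoRecursion {
    param([string]$Target, [string]$Expected)
    $value = Invoke-Dnscmd $Target @('/Info', 'NoRecursion') | Out-String
    if ($value -notmatch "Dword:\s*$Expected\b") { throw "$Target NoRecursion is not $Expected : $value" }
    "$Target : NoRecursion = $Expected"
}
Assert-NoRecursion $Internal '0'   # internal resolver must keep recursing for its clients
Assert-NoRecursion $Public   '1'   # public server answers only for zones it hosts
```

Apply NoRecursion only to the public server: the internal resolver's forwarders stop working the moment recursion is disabled on it, which is exactly what the option's label warns about.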

Event and Debug Logging
  • When DNS is installed, a new event log is created
    to record informational, error, and warning
    events generated by the DNS server
  • Common events include zone serial number changes,
    zone transfer requests, and DNS server startup
    and shutdown events
  • Debug logging can be enabled in the server's
    Properties dialog box
  • Debug logging records selected packets coming
    from and going to the DNS server in a text file
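A reader for the packet lines that debug logging writes, with two detections run over them: zone-transfer requests, and recursive queries arriving from outside the internal address ranges (the open-resolver symptom from the Recursive Queries slide). This is an added example, not code from the textbook. The five log lines are constructed for it, following the field layout that the "Message logging key" header at the top of dns.log describes; the internal address prefixes are an assumption.

```powershell
# Added example (not from the textbook): parse the packet lines of a Windows DNS
# debug log and flag zone-transfer attempts and recursive queries from outside the
# LAN. The five log lines are constructed for this example; their field layout
# follows the "Message logging key" header that dns.log itself starts with
# (date, time, thread, context, packet id, UDP/TCP, Snd/Rcv, remote IP, xid,
# R for response, opcode, [flags hex, flag chars, rcode], question type, name).
# The internal address prefixes are an assumption. PowerShell 2.0 syntax.
$SampleLog = @'
10/3/2012 4:15:03 PM 0B68 PACKET  00000000018B2D50 UDP Rcv 192.168.1.50    0003   Q [0001   D   NOERROR] A      (5)host1(5)zone1(0)
10/3/2012 4:15:03 PM 0B68 PACKET  00000000018B2D50 UDP Snd 192.168.1.50    0003 R Q [8085 A DR  NOERROR] A      (5)host1(5)zone1(0)
10/3/2012 4:15:09 PM 0B68 PACKET  00000000018B3110 TCP Rcv 203.0.113.7     0004   Q [0001   D   NOERROR] AXFR   (5)zone1(0)
10/3/2012 4:15:09 PM 0B68 PACKET  00000000018B3110 TCP Snd 203.0.113.7     0004 R Q [8085   DR  REFUSED] AXFR   (5)zone1(0)
10/3/2012 4:15:12 PM 0B68 PACKET  00000000018B3890 UDP Rcv 203.0.113.7     0005   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)
'@
$InternalPrefixes = @('192.168.', '10.')    # assumption: RFC 1918 space used on this LAN

# One regex for a packet line; header, key and blank lines simply do not match.
$LineRegex = '^(?<date>\S+)\s+(?<time>\S+\s+[AP]M)\s+(?<tid>[0-9A-F]+)\s+(?<ctx>\S+)\s+' +
             '(?<pkt>[0-9A-F]+)\s+(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>\S+)\s+' +
             '(?<xid>[0-9A-Fa-f]+)\s+(?<qr>R?)\s*(?<op>[QNU?])\s+\[(?<flags>[^\]]+)\]\s+' +
             '(?<qtype>\S+)\s+(?<qname>\S+)\s*$'

function ConvertFrom-DnsDebugLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch $LineRegex) { continue }
        # Flag block is "<hex> <chars...> <rcode>": the chars (A T D R) are the middle
        # tokens and the response code is always the last token.
        $parts = $Matches.flags.Trim() -split '\s+'
        $chars = ''
        if ($parts.Length -gt 2) { $chars = -join $parts[1..($parts.Length - 2)] }
        New-Object PSObject -Property @{
            Time             = "$($Matches.date) $($Matches.time)"
            Proto            = $Matches.proto
            Direction        = $Matches.dir
            RemoteIP         = $Matches.ip
            IsResponse       = ($Matches.qr -eq 'R')
            Opcode           = $Matches.op
            RecursionDesired = $chars.Contains('D')
            RCode            = $parts[-1]
            QType            = $Matches.qtype
            # "(5)host1(5)zone1(0)" is the wire-format name; turn the length bytes into dots.
            QName            = ([regex]::Replace($Matches.qname, '\(\d+\)', '.')).Trim('.')
        }
    }
}

function Find-DnsLogAnomalies {
    param([object[]]$Packets)
    $findings = @()
    foreach ($p in $Packets) {
        if ($p.Direction -ne 'Rcv' -or $p.IsResponse) { continue }   # inbound queries only
        $internal = $false
        foreach ($prefix in $InternalPrefixes) { if ($p.RemoteIP.StartsWith($prefix)) { $internal = $true } }
        if (@('AXFR', 'IXFR') -contains $p.QType) {
            $findings += "Zone transfer request for $($p.QName) from $($p.RemoteIP) over $($p.Proto) at $($p.Time)"
        } elseif (-not $internal -and $p.RecursionDesired) {
            $findings += "Recursive $($p.QType) query for $($p.QName) from external client $($p.RemoteIP) at $($p.Time)"
        }
    }
    $findings
}

$packets = ConvertFrom-DnsDebugLog -Lines ($SampleLog -split "`r?`n")
Find-DnsLogAnomalies -Packets $packets
# Against a live log: Find-DnsLogAnomalies -Packets (ConvertFrom-DnsDebugLog -Lines (Get-Content C:\dns.log))
```

On the constructed input the first finding is the AXFR for zone1 from 203.0.113.7 (the server refused it, as the Snd line shows, but the attempt is what you want to see) and the second is the ANY query for isc.org from the same outside address, the classic amplification probe. Debug logging records every packet, so keep the log on its own volume and turn it off when you are done looking.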

DNS Troubleshooting
  • Windows has several tools to administer, monitor,
    and troubleshoot DNS server operation, including
    the following tools
  • DNS Manager
  • Dnscmd.exe
  • Event Viewer
  • Dnslint
  • Nslookup
  • Ipconfig
  • Performance Monitor
  • Protocol analyzer

Monitoring DNS Performance
  • DNS Performance can degrade over time because of
    increased database size and increased client
  • Dnscmd.exe can display a snapshot of server
    statistics with dnscmd <server> /Statistics
  • Performance monitor can continuously monitor and
    gather statistics
  • Creating a performance baseline is good practice
    for troubleshooting issues that may arise later on

Monitoring DNS Performance (cont.)
Chapter Summary
  • DNS is based on a hierarchical naming structure
    and a distributed database
  • DNS can be described as an inverted tree with the
    root domain at the top, TLDs branching off the
    root, and domains and subdomains branching off
  • The DNS database is composed of zones containing
    resource records, such as Start of Authority
    (SOA), Host (A), and Service (SRV) records

Chapter Summary (cont.)
  • DNS lookups involve iterative and recursive
    queries. Most lookups start from the DNS resolver
    with a recursive query to a DNS server. The DNS
    server satisfies the query or performs a series
    of iterative queries, starting with a root server
  • DNS servers can perform one or more of the
    following roles: authoritative server, forwarder,
    conditional forwarder, and caching-only
  • Active Directory-integrated zones have the
    advantages of automatic replication, multimaster
    replication and update, secure updates, and
    efficient replication

Chapter Summary (cont.)
  • A zone can be a forward lookup zone or a reverse
    lookup zone.
  • SOA records contain information about a zone,
    including its serial number and a number of
    timers used for zone transfers
  • Subdomains can be delegated to a zone on another
    server to improve performance and control
    replication scope
  • Advanced DNS settings include configuring
    forwarders, root hints, round robin, recursive
    queries, and logging

Chapter Summary (cont.)
  • Tools for monitoring and troubleshooting DNS
    include Dnscmd, Dnslint, Nslookup, Ipconfig, and
    Performance Monitor. You need to understand the
    DNS query process to troubleshoot DNS problems