
CIS 2154 W2K Active Directory
Chapter 5 - Domain Name Service for Active Directory

 I.                    Installing, configuring, and troubleshooting DNS for Active Directory

A.     Understanding DNS

1.      Introducing DNS – Chances are, everyone in the class uses DNS every day and may not realize it. Every time you surf the Web, telnet to a UNIX server, or send SMTP-based e-mail, a DNS server out there somewhere is making the process work.

a.      IP itself moves packets by 32-bit binary addresses; nothing in the protocol understands names.

b.      Binary is not a form most people can read or remember.

c.      For human use the 32 bits are written as four decimal octets (dotted decimal, e.g. 192.168.5.23), which is easier to read but still not something people can remember at scale.

d.      DNS was created so that resources can be reached by name (www.microsoft.com) while the name-to-address translation happens behind the scenes.

2.      ARPANET (1970s)

a.      Origin of the Internet

b.      Used a single HOSTS.TXT file, maintained centrally and copied to every host, to map names to IP addresses

c.      Grew to be unmanageable (every change meant redistributing the file, and name collisions were common); a distributed, hierarchical system was needed, which became DNS (RFC 1034/1035)

B.     Overview of Active Directory and domain namespace interoperability

1.      Tree structure (upside down): the root (written ".") is at the top, and the top-level domains sit directly beneath it

a.      Common top-level domains

i.                    .com

ii.                  .edu

iii.                .org

iv.                 .net

v.                   .gov

vi.                 .num (listed in some texts of the period; never delegated as an actual top-level domain)

vii.               .arpa (infrastructure; in-addr.arpa beneath it holds the reverse lookup tree)

viii.             .us (United States)

ix.                 Other country codes exist as well, including .tv (Tuvalu), which was being marketed to television sites at the time

b.      Second-level domains

i.                    Consist of hosts and subdomains

ii.                  For example, microsoft.com is a second-level domain beneath .com

iii.                www.microsoft.com is a host within the microsoft.com domain.

iv.                 The namespace is divided into zones: contiguous portions (a domain with some or all of its subdomains) for which one set of servers is authoritative

C.    Installing DNS

1.      DNS is required for every Active Directory deployment: domain controllers publish SRV records so that clients and other DCs can locate LDAP, Kerberos and Global Catalog services

2.      Can be hosted by non-Microsoft servers provided they support SRV records (the text's stated minimum is BIND 8.1.2); without dynamic update support the DC locator records (the contents of netlogon.dns on each DC) must be entered and maintained by hand

3.      Using the integrated DNS service within Windows 2000 decreases administrative overhead

a.      Automatic registration of the DC locator records

b.      Support of dynamic updates, including secure updates for Active Directory-integrated zones

c.      Integration with WINS (WINS and WINS-R lookup records) for older NetBIOS-only clients that still need it

D.    Installing DNS during server installation

1.      Networking services components

2.      Select Details and choose Domain Name System

3.      On first logon after installation, the Configure Your Server wizard presents three options

a.      This is the only server in my network

i.                    Configures the system as the first domain controller

ii.                  Automatically installs DNS and DHCP

iii.                The wizard then prompts for the settings of each component during the automated installation

b.      One or more servers are already running on my network

i.                    Assumes preexisting servers are already running AD

ii.                  Assumes preexisting servers are already running DHCP and DNS

iii.                Any additional services can be manually added at a later time

c.      I will configure this server later

i.                    Bypasses configuration screens

ii.                  Allows for selecting these options at a later time

E.     Adding DNS after server install

1.      Use Control Panel | Add/Remove Programs | Add/Remove Windows Components | Networking Services | Details | Domain Name System (DNS)

2.      Detailed in Exercise 5-1 on page 226 of the text

F.     Creating zones

1.      Introduction

a.      Zones subdivide the DNS namespace into units of authority.

b.      The DNS namespace exists independently of AD, but AD domain names are DNS names and the AD domain tree must map onto the DNS namespace: each AD domain needs a DNS zone that holds (or accepts) its locator records.

c.      Zones allow the records for local resources to be held on local servers without any one server having to host the entire tree.

2.      Lookup zones

a.      A zone holds the resource records for the portion of the namespace a server is authoritative for (in a zone file, or in Active Directory for AD-integrated zones)

b.      Queried by clients when they need a name resolved

c.      Two kinds: forward and reverse

3.      Forward lookup zones

a.      Translate names to IP addresses (and hold the other records attached to a name)

b.      Most common DNS function

c.      Required function for AD domains

i.                    Store the SRV records domain controllers register so that clients can find LDAP, Kerberos and Global Catalog services within the domain

ii.                  With dynamic update, DCs register these records when the Net Logon service starts and can remove them when the server is shut down

d.      Provides special records such as MX (Mail Exchanger), which allows for SMTP mail routing

e.      Answers authoritatively only for the zones it holds; for any other name it resolves the query recursively starting from its root hints (or hands it to a configured forwarder) and caches the result
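The following is an added example, not code from the course text or from Windows 2000: it shows how a client turns a domain name into the SRV locator name it queries and how it orders the returned domain controllers by priority and weight (RFC 2782). The zone contents, host names and addresses are constructed for the example, and the site name used in the test is an assumption.

```python
# Added example (not from the course text or from Windows 2000): how a client
# locates a domain controller through the SRV records a DC registers, and how
# it orders the candidates by priority and weight (RFC 2782).
# The zone contents and host names below are constructed for illustration.
import random

ZONE = {
    # (priority, weight, port, target) tuples for the LDAP locator record
    "_ldap._tcp.dc._msdcs.corp.example.com.": [
        (0, 100, 389, "dc1.corp.example.com."),
        (0, 50, 389, "dc2.corp.example.com."),
        (10, 0, 389, "dc3.corp.example.com."),   # used only if every priority-0 DC fails
    ],
    "dc1.corp.example.com.": ["192.0.2.10"],
    "dc2.corp.example.com.": ["192.0.2.11"],
    "dc3.corp.example.com.": ["192.0.2.12"],
}


def srv_name(service, proto, domain, site=None):
    """Owner name a client queries, e.g. _ldap._tcp.dc._msdcs.corp.example.com.
    With a site, the site-specific name under _sites is used first."""
    if site:
        return f"_{service}._{proto}.{site}._sites.dc._msdcs.{domain}."
    return f"_{service}._{proto}.dc._msdcs.{domain}."


def order_targets(records, rng=random.random):
    """Order SRV records per RFC 2782: lowest priority first; within one priority,
    weighted random selection, so weight-0 records are picked only when nothing
    else in that priority remains."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            pick = group[0]
            if total > 0:
                point = rng() * total        # rng() returns a float in [0, 1)
                running = 0
                for r in group:
                    running += r[1]
                    if point < running:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def locate_dc(domain, zone=ZONE, rng=random.random):
    """Resolve the SRV name and return (target, ip, port) in the order a client should try them."""
    records = zone.get(srv_name("ldap", "tcp", domain), [])
    return [(target, ip, port)
            for _prio, _weight, port, target in order_targets(records, rng)
            for ip in zone.get(target, [])]
```

The point for the security reader: the client trusts whatever target name these records carry, which is why the update policy on the zone that holds them (covered under dynamic updates below) matters.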

4.      Reverse lookup zones

a.      Translate an IP address into a host name (PTR records)

i.                    Named under in-addr.arpa with the address octets reversed: 192.168.5.23 is looked up as 23.5.168.192.in-addr.arpa

ii.                  Also divided into zones of authority, normally one per network (5.168.192.in-addr.arpa for 192.168.5.0/24)

b.      Not required in all networks

c.      Normally used in troubleshooting scenarios

i.                    Can be tied into WINS (WINS-R records) and dynamic DNS so that client addresses resolve to names

ii.                  Useful for logging and for services that check the name of a connecting address, especially when DHCP and DNS are integrated; but the PTR record is controlled by whoever runs the reverse zone for that address block, so a PTR alone proves nothing unless a forward lookup of the returned name points back to the same address
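An added example (not from the course text) of the in-addr.arpa naming above, generalized into a forward-confirmed reverse lookup: the PTR answer is only trusted when the name it returns resolves back to the same address. The forward and reverse data are constructed in-memory tables, not a real network, and the names and addresses are assumptions.

```python
# Added example (not from the course text): building in-addr.arpa names and
# doing a forward-confirmed reverse lookup against constructed in-memory zones.
import ipaddress

# Constructed sample data (not from any real network). The second PTR lies:
# whoever controls 5.168.192.in-addr.arpa can put any name there.
FORWARD = {"ws17.corp.example.com.": "192.168.5.23",
           "mail.corp.example.com.": "192.168.5.25"}
REVERSE = {"23.5.168.192.in-addr.arpa.": "ws17.corp.example.com.",
           "25.5.168.192.in-addr.arpa.": "trusted-host.example.org."}


def ptr_name(ip):
    """Reverse the octets: 192.168.5.23 -> 23.5.168.192.in-addr.arpa."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."


def reverse_zone_name(network):
    """Zone name for a network cut on an octet boundary:
    192.168.5.0/24 -> 5.168.192.in-addr.arpa. Classless (RFC 2317) delegation
    is out of scope here, so other prefix lengths are rejected."""
    net = ipaddress.IPv4Network(network)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("reverse zones here are cut on octet boundaries")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def forward_confirmed(ip, forward=FORWARD, reverse=REVERSE):
    """Return (name, ok). ok is True only if PTR -> name -> A maps back to ip.
    Treat the bare PTR as a logging hint, never as authentication."""
    name = reverse.get(ptr_name(ip))
    if name is None:
        return None, False
    return name, forward.get(name) == ip
```

The second address in the sample data shows the failure mode: its PTR claims an unrelated name, and the forward check exposes it.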

5.      Creating new zones

a.      All DNS administration is done through the DNS Manager MMC snap-in.

i.                    Automatically located in administrative tools after successful DNS installation

ii.                  Requires membership in the Administrators or DnsAdmins group to make changes

iii.                Can be added to custom MMC as a standard MMC snap-in

b.      Configure DNS Server Wizard

i.                    Available by right-clicking the server object in the DNS Manager

ii.                  Not available after DNS has been configured for the first time

6.      Three zone types (the choice applies to reverse lookup zones as well): the selection determines where the zone data is stored and how the server obtains updates, not how the zone answers queries

a.      Active Directory-integrated

i.                    Zone data is stored in Active Directory and replicated by ordinary AD replication (multimaster).

ii.                  Every domain controller running DNS loads the zone from its own AD replica; non-DC servers can still hold a standard secondary copy via zone transfer.

iii.                Any DC hosting the zone can accept updates.

iv.                 Integrates well with dynamic DNS and DHCP, and is the only zone type that supports secure dynamic updates

b.      Standard primary

i.                    Traditional DNS server role

ii.                  Server’s data is considered to be authoritative.

iii.                All updates will come from direct manipulation of the data by the administrator or through dynamic DNS functions taken by the clients.

iv.                 Only one DNS server can receive updates.

v.                   Can accept dynamic DNS updates

vi.                 Maintains only its own zone file; secondaries pull copies by zone transfer, and the primary takes no responsibility for when they do so

vii.               Between transfers there is no assurance that all DNS servers hold the same information

c.      Standard secondary

i.                    Read-only copy of the zone that receives all of its data from its master (the primary or another secondary for the same zone)

ii.                  Authoritative for the zone (it answers with the authoritative-answer flag set) but accepts changes only through zone transfer from its master

iii.                Same as standard primary in most other respects

iv.                 Cannot accept dynamic or manual updates; clients must send updates to the primary named in the zone's SOA record

7.      Changing zone types

a.      Any Windows 2000 DNS zone can be reconfigured to a different type; converting to Active Directory-integrated requires that the server be a domain controller.

b.      Changes are made using the properties of the zone itself.

c.      Care needs to be taken when switching types: keep exactly one writable, authoritative source for the zone during the change and make sure every secondary still points at it.

G.    Integrating Active Directory DNS with non-AD DNS

1.      BIND (Berkeley Internet Name Domain)

a.      The reference DNS implementation, written for UNIX

b.      Uses the standard zone transfer protocol, so BIND and Windows 2000 servers can act as primary and secondary for each other's zones

2.      Zone transfers

a.      Transfer of zone data from one server (primary) to another (secondary)

b.      Normally accomplished through the fast zone transfer format

i.                    Packs multiple resource records into one message and compresses names

ii.                  Understood by BIND 4.9.4 and later

iii.                Enabled by default on Windows 2000; the BIND Secondaries checkbox in the server's Advanced Properties tab turns the fast format off, and should be set only when a secondary runs BIND older than 4.9.4

c.      Which servers may request a zone transfer is configured per zone in the DNS console (Zone Transfers tab); restrict transfers to the zone's listed name servers or to specific addresses, because an unrestricted AXFR hands the complete list of hosts and services to anyone who asks

H.     Configuring zones for dynamic updates

1.      Dynamic updates

a.      DNS has traditionally been static; records placed in the zone file by the administrator stayed there until changed by hand.

b.      Dynamic DNS provides for the automatic registration of resources within the domain at boot.

i.                    Similar in purpose to NetBIOS name registration with WINS under NT 4.0 domains

ii.                  Can be directly integrated with the Windows 2000 DHCP server service as well

iii.                DHCP can register records on behalf of clients (the PTR by default, the A record as well if configured), which supports clients that do not perform dynamic DNS themselves.

iv.                 DNS and DHCP need not run on the same server. The caveat is ownership: in a secure-update zone, records the DHCP server registers are owned by the DHCP server's account, so only that server can later change them; Windows 2000 provides the DnsUpdateProxy group to relax that ownership when DHCP registers on behalf of clients.

2.      Configuring the zone

a.      Configured through the DNS console

b.      Support for three different options

i.                    Yes: Enables support for dynamic updates for the zone

ii.                  No: Disables support for dynamic updates for the zone

iii.                Only Secure Updates: Allows dynamic updates only from clients that authenticate the update (GSS-TSIG using the client's Kerberos identity). Each record registered this way carries an ACL in Active Directory, so only the account that created it (or an administrator) can change it afterwards. Supported only with Active Directory-integrated zones. With plain "Yes", any host on the network can overwrite any record, including the SRV records that point clients at domain controllers, so "Only Secure Updates" is the setting to use wherever the zone is AD-integrated.
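An added model (not the Windows 2000 implementation and not from the course text) of the three update settings above and of the per-record ownership that "Only Secure Updates" provides. Real secure updates are authenticated with GSS-TSIG and enforced by ACLs on the zone's objects in Active Directory; here a string principal stands in for an authenticated identity, None for an unauthenticated request, and group membership is simplified to a principal name. All names, principals and record data are constructed.

```python
# Added example (illustrative model, not the Windows 2000 implementation): the
# No / Yes / Only secure updates settings, and the per-record ownership that the
# secure setting gives an AD-integrated zone. Names and principals are constructed.

class UpdateRefused(Exception):
    pass


class Zone:
    MODES = ("no", "yes", "secure")   # the console's No / Yes / Only secure updates

    def __init__(self, name, mode, admins=("DnsAdmins",)):
        if mode not in self.MODES:
            raise ValueError(mode)
        self.name, self.mode, self.admins = name, mode, set(admins)
        self.records = {}   # owner name -> {"rdata": ..., "owner": principal or None}

    def update(self, owner_name, rdata, principal=None):
        """principal=None models an unauthenticated update; a string models an
        identity the server has authenticated (Kerberos via GSS-TSIG in reality)."""
        if self.mode == "no":
            raise UpdateRefused("zone does not accept dynamic updates")
        if self.mode == "yes":
            # anyone can create or overwrite anything; ownership is not tracked
            self.records[owner_name] = {"rdata": rdata, "owner": None}
            return
        if principal is None:
            raise UpdateRefused("secure-only zone: unauthenticated update refused")
        existing = self.records.get(owner_name)
        if existing and existing["owner"] != principal and principal not in self.admins:
            raise UpdateRefused(f"{principal} does not own {owner_name}")
        self.records[owner_name] = {"rdata": rdata, "owner": principal}


SRV = "_ldap._tcp.dc._msdcs.corp.example.com."
DC_RDATA = (0, 100, 389, "dc1.corp.example.com.")
ROGUE_RDATA = (0, 100, 389, "rogue.corp.example.com.")


def spoof_attempt(mode, attacker=None):
    """DC1 registers its LDAP locator record; then `attacker` (None = an
    unauthenticated host, or another principal) tries to repoint the same name.
    Returns the target the record ends up with, or None if nothing registered."""
    z = Zone("corp.example.com", mode)
    try:
        z.update(SRV, DC_RDATA, principal="DC1$")
    except UpdateRefused:
        return None
    try:
        z.update(SRV, ROGUE_RDATA, principal=attacker)
    except UpdateRefused:
        pass
    return z.records[SRV]["rdata"][3]
```

With "yes" the unauthenticated overwrite succeeds and every client that looks up the locator record is sent to the rogue host; with "secure" it is refused, as is an overwrite by a different authenticated machine account, while an administrator can still correct the record.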

II.                  Managing, monitoring, and troubleshooting Domain Name System

A.     Other management tools

1.      DNS console

a.      The core tool for managing the DNS server

b.      Provided with all Windows 2000 servers

c.      Can be configured to manage multiple DNS servers at the same time

d.      Can be installed on Windows 2000 Professional desktops for domain management as well

2.      Aging and scavenging

a.      Used to remove old resource records

b.      Needed with dynamic updates, because records for systems that have left the network would otherwise remain forever

i.                    A Windows 2000 client removes its own A and PTR records at a clean shutdown.

ii.                  Improperly configured clients, pre-Windows 2000 clients and crashes leave the system's records in the zone.

c.      Two time intervals must be set, both measured from the record's timestamp (the time it was created or last refreshed)

i.                    No-refresh interval: period during which a re-registration that changes nothing is ignored and the timestamp is left alone (keeps AD replication traffic down)

ii.                  Refresh interval: period after the no-refresh interval during which a refresh is accepted and updates the timestamp; a record whose timestamp is older than the sum of the two intervals is eligible for scavenging. Both default to 7 days.

d.      The server-level Set Aging/Scavenging dialog applies one setting to all Active Directory-integrated zones on the server; automatic scavenging must also be enabled on the server's Advanced tab before anything is removed.

e.      Each standard primary zone has to be individually configured.
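The interval arithmetic above, as an added example (not Windows code and not from the course text): a refresh that arrives inside the no-refresh interval leaves the timestamp alone, a refresh after it moves the timestamp, and a record that goes unrefreshed for both intervals is scavenged. The 7-day defaults are the Windows 2000 ones; the zone contents, dates and the crash scenario are constructed.

```python
# Added example (illustrative, not Windows code): the no-refresh / refresh
# interval arithmetic that decides whether a re-registration updates a record's
# timestamp and when an unrefreshed record becomes eligible for scavenging.
# Defaults mirror the 7-day values Windows 2000 uses; timestamps are constructed.
from datetime import datetime, timedelta

NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)


def handle_refresh(timestamp, now, no_refresh=NO_REFRESH):
    """A client re-registering an unchanged record only moves the timestamp once
    the no-refresh interval has elapsed; earlier refreshes are suppressed so that
    AD-integrated zones do not replicate a timestamp change every day."""
    return now if now >= timestamp + no_refresh else timestamp


def is_scavengeable(timestamp, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Stale once both intervals have passed since the last accepted refresh."""
    return now >= timestamp + no_refresh + refresh


def scavenge(zone, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """zone: {name: (rdata, timestamp)}; timestamp None marks a static record,
    which is never scavenged. Removes stale dynamic records, returns their names."""
    removed = [name for name, (_rdata, ts) in zone.items()
               if ts is not None and is_scavengeable(ts, now, no_refresh, refresh)]
    for name in removed:
        del zone[name]
    return removed


def simulate():
    """Constructed scenario: two workstations register on day 0; ws2 re-registers
    daily, ws1 crashes on day 1 and never refreshes again. Scavenging runs daily.
    Returns the zone after day 15."""
    day0 = datetime(2001, 3, 1)
    zone = {"dc1": ("192.0.2.10", None),             # static record, never aged
            "ws1": ("192.0.2.51", day0),
            "ws2": ("192.0.2.52", day0)}
    for d in range(1, 16):
        now = day0 + timedelta(days=d)
        rdata, ts = zone["ws2"]
        zone["ws2"] = (rdata, handle_refresh(ts, now))   # ws2's daily re-registration
        scavenge(zone, now)
    return zone
```

In the scenario ws2's timestamp moves only on days 7 and 14, and ws1 is removed on day 14, which is the behaviour to expect when reading the timestamps in a zone after enabling aging.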

3.      Cache

a.      Stores answers the server obtained from other servers while resolving names it is not authoritative for

b.      Used to speed performance of queries for the same information at a later time

c.      Can be cleared of all information with the Clear Cache command in the DNS console; the Advanced tab's "Secure cache against pollution" option makes the server discard any record an answering server includes for a name it is not authoritative for, which is the classic cache-poisoning vector

4.      Time-to-live (TTL)

a.      Specifies how long a record may be held in a cache (the server's or a client resolver's) before it is considered stale and must be resolved again

b.      Set low for resources that change often

c.      Set high for resources that are fairly static.
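An added example (not Windows 2000 code and not from the course text) covering the cache and TTL points above: a minimal cache that expires entries by TTL, a Clear Cache equivalent, and the "secure cache against pollution" rule applied to a constructed response that tries to slip in a record for a name outside the answering server's zone. The clock is injectable so the TTL expiry can be checked without waiting.

```python
# Added example (illustrative, not the Windows 2000 DNS code): a resolver cache
# honouring TTLs and applying the "secure cache against pollution" rule, which
# ignores records for names outside the zone the answering server is
# authoritative for. Sample responses are constructed.
import time


class Cache:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.entries = {}        # (name, type) -> (rdata, expires_at)

    def put(self, name, rtype, rdata, ttl):
        self.entries[(name, rtype)] = (rdata, self.clock() + ttl)

    def get(self, name, rtype):
        """Return rdata if cached and unexpired; a stale entry is dropped (TTL elapsed)."""
        hit = self.entries.get((name, rtype))
        if hit is None:
            return None
        rdata, expires = hit
        if self.clock() >= expires:
            del self.entries[(name, rtype)]
            return None
        return rdata

    def clear(self):
        """Equivalent of the DNS console's Clear Cache command."""
        self.entries.clear()


def in_bailiwick(record_name, zone):
    """True if record_name is at or below zone (both absolute names)."""
    record_name, zone = record_name.lower(), zone.lower()
    return record_name == zone or record_name.endswith("." + zone)


def absorb_response(cache, answering_zone, records):
    """Cache only the records the answering server is authoritative for.
    records: list of (name, type, rdata, ttl). Returns the names that were rejected."""
    rejected = []
    for name, rtype, rdata, ttl in records:
        if in_bailiwick(name, answering_zone):
            cache.put(name, rtype, rdata, ttl)
        else:
            rejected.append(name)
    return rejected
```

Without the bailiwick check, the out-of-zone record in the constructed response would be cached for its full TTL and every client using this server would be sent to the poisoned address until it expired or the cache was cleared.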

5.      Managing the Domain Name System

a.      DNS console, or the Services snap-in (Administrative Tools | Services), can be used to:

i.                    Start

ii.                  Stop

iii.                Pause

iv.                 Resume

v.                   Restart

b.      Command-line utility can be used to:

i.                    Start: NET START DNS

ii.                  Stop: NET STOP DNS

iii.                Pause: NET PAUSE DNS

iv.                 Resume: NET CONTINUE DNS

6.      Creating records

a.      All records exist within zones

b.      Records can be associated to the root of the zone or to a specific host

c.      Common records that can be added include:

i.                    New host: A record

ii.                  New alias: CNAME

iii.                New Mail Exchange: MX

iv.                 New domain: creates a subdomain node within the zone rather than a single record

v.                   Other new records: SRV (service location) records, which AD depends on and which the Net Logon service registers automatically, plus the other types described on page 246 of the text and within most BIND reference manuals

B.     Performance Console

1.      System Monitor

a.      Also known as Performance Monitor

b.      NT 4.0 tool, now integrated into the Performance Console

c.      Allows for customized monitoring of all server performance characteristics

i.                    Monitor local or remote services

ii.                  Special monitors for most services and applications

iii.                Logging ability to create benchmark information

2.      MMC snap-in

a.      Found in administrative tools of all Windows 2000 systems

b.      Can be run from Windows 2000 Professional machines to monitor server performance

C.    DNS event logs

1.      Found within the Event Viewer

2.      Can be viewed on local and remote systems

3.      Must have administrative authority to read most logs

D.    Additional troubleshooting tools

1.      NSLOOKUP

a.      Command-line utility used to query a DNS server manually for specific records (set type=SRV, set type=MX, and so on)

b.      Can query any server reachable via IP (server <address>); querying a domain's _ldap._tcp.dc._msdcs SRV records this way is the quick check that AD's locator records are present

c.      Basic use and configuration are required knowledge for all Windows 2000 administrators.

2.      IPCONFIG

a.      Command-line utility used to provide IP and DNS information about the local machine

b.      ipconfig /flushdns clears the local resolver cache, ipconfig /registerdns forces re-registration of the client's dynamic DNS records, and ipconfig /displaydns shows what the resolver currently has cached

c.      ipconfig /all displays the full configuration, including DHCP-assigned settings and the DNS servers in use

E.     Managing replication of DNS data

1.      DNS is crucial part of AD, and for this reason every effort has to be made to ensure a DNS server is always available to service the requests of AD users.

2.      Have multiple name servers in each zone

a.      Reduces load on primary servers

b.      Provides redundancy and protection against DNS failures

3.      With multiple servers, DNS data needs to be replicated

4.      Replication process

a.      DNS data needs to be replicated to other servers in the zone when:

i.                    DNS is started on a secondary server

ii.                  A zone’s refresh interval time expires

iii.                The primary zone has changed and the secondary is on the primary's notify list (DNS NOTIFY)

iv.                 Replication is initiated manually

5.      Zone transfers: Initiated by secondary servers

a.      Full zone transfer - AXFR

i.                    Copies all resource records

ii.                  Can cause excessive network traffic

iii.                Places undue load on the name servers

b.      Incremental zone transfer - IXFR

i.                    More efficient

ii.                  Sends changes made since last update

iii.                Uses serial numbers to determine changes made

c.      Zone transfer security

i.                    Configured per zone in the DNS console (Zone Transfers tab)

ii.                  Lets the administrator restrict which servers may pull the zone, and choose which secondaries the primary notifies of changes (Notify button)
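An added model (not Windows 2000 or BIND code, and not from the course text) of the zone transfer mechanics above: the secondary compares serials the RFC 1982 way, the primary answers an IXFR from its change journal when the journal reaches back to the secondary's serial and otherwise falls back to a full AXFR, and a transfer list refuses servers that are not on it. Zone name, serials, records and addresses are constructed.

```python
# Added example (illustrative model, not Windows 2000 or BIND code): a secondary
# deciding whether it needs a transfer, a master answering IXFR from its change
# journal or falling back to AXFR, and a transfer list refusing servers that are
# not on it. Zone names, serials and addresses are constructed.

SERIAL_MOD = 2 ** 32


def serial_gt(a, b):
    """RFC 1982 comparison: True if serial a is newer than b, allowing for wraparound."""
    return a != b and (b - a) % SERIAL_MOD > SERIAL_MOD // 2


class Primary:
    def __init__(self, zone, serial, records, allow_transfer):
        self.zone, self.serial = zone, serial
        self.records = dict(records)                # owner name -> rdata
        self.allow_transfer = set(allow_transfer)   # the Zone Transfers tab list
        self.journal = []                           # [(serial_after_change, {name: rdata|None})]
        self.journal_base = serial                  # serial the journal starts from

    def change(self, updates):
        """Apply {name: rdata or None (delete)}, bump the SOA serial, log for IXFR."""
        self.serial = (self.serial + 1) % SERIAL_MOD
        for name, rdata in updates.items():
            if rdata is None:
                self.records.pop(name, None)
            else:
                self.records[name] = rdata
        self.journal.append((self.serial, dict(updates)))

    def trim_journal(self, keep):
        """Forget all but the last `keep` journal entries (housekeeping)."""
        n_drop = max(len(self.journal) - keep, 0)
        dropped = self.journal[:n_drop]
        if dropped:
            self.journal_base = dropped[-1][0]
            self.journal = self.journal[n_drop:]

    def transfer(self, requester_ip, have_serial):
        """Answer a transfer request: ('refused'|'uptodate'|'ixfr'|'axfr', payload)."""
        if requester_ip not in self.allow_transfer:
            return "refused", None      # an open AXFR hands out the whole host list
        if not serial_gt(self.serial, have_serial):
            return "uptodate", None
        known = [self.journal_base] + [s for s, _ in self.journal]
        if have_serial in known:        # journal reaches back far enough: send only deltas
            return "ixfr", [(s, u) for s, u in self.journal if serial_gt(s, have_serial)]
        return "axfr", dict(self.records)


class Secondary:
    def __init__(self, ip):
        self.ip, self.serial, self.records = ip, 0, {}

    def refresh(self, primary):
        """Run at service start, when the SOA refresh timer expires, or on NOTIFY."""
        kind, payload = primary.transfer(self.ip, self.serial)
        if kind == "axfr":
            self.records, self.serial = payload, primary.serial
        elif kind == "ixfr":
            for serial, updates in payload:
                for name, rdata in updates.items():
                    if rdata is None:
                        self.records.pop(name, None)
                    else:
                        self.records[name] = rdata
                self.serial = serial
        return kind
```

The transfer list is the security control: a server not on it gets nothing, whatever serial it claims. The serial check is what makes IXFR work, so a primary whose serial is ever moved backwards (restoring an old zone file, for instance) will leave secondaries reporting "up to date" until the serial passes their copy again.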

6.      Active Directory-integrated zone considerations

a.      No need to configure DNS notification between domain controllers hosting an AD-integrated zone, as each loads the zone straight from its own Active Directory replica; notification is still useful for any standard secondary that pulls a copy of the zone from one of those DCs
