DNS and Active Directory Integration

Page 1: 1 DNS and Active Directory Integration Understanding DNS Name Resolution Understanding and Configuring Zones Zone Replication and Transfer Monitoring and

1

DNS and Active Directory Integration

• Understanding DNS Name Resolution

• Understanding and Configuring Zones

• Zone Replication and Transfer

• Monitoring and Troubleshooting DNS for Active Directory

Understanding DNS Name Resolution

• Name Resolution

• Forward Lookup Query

• Name Server Caching

• Reverse Lookup Query

IP Addressing

• Name resolution is the process of resolving DNS names to IP addresses.

• An IP address identifies each host that communicates by using TCP/IP.

• An IP address is a 32-bit binary number that is separated internally into two parts: a network ID and a host ID.

• IP addresses are expressed in dotted decimal notation.

• The 32-bit address is segmented into four 8-bit octets.

• Octets are converted to decimal (base-10 numbering system) and separated by periods.

IP Addressing: Network ID

• Also known as a network address

• Identifies a single network segment within a larger TCP/IP internetwork

• Used to uniquely identify each network within the larger internetwork

IP Addressing: Host ID

• Also known as the host address

• Identifies a TCP/IP node within each network

• Identifies a single system uniquely within its own network

Lookup Queries

• DNS name servers resolve forward and reverse lookup queries.

• Forward lookup query: Resolves a name to an IP address.

• Reverse lookup query: Resolves an IP address to a name.

• A name server can resolve a query only for an authorized zone.

• If a name server can’t resolve the query, it passes it to other name servers that can resolve it.

• The name server caches the query results to reduce the DNS traffic on the network.

• The DNS service uses a client/server model for name resolution.

Resolving a Forward Lookup Query

Name Server Caching

Time to Live (TTL)

• Use shorter TTL values to help ensure that data about the domain namespace is more current across the network.

• Shorter TTL values increase the load on name servers.

• Longer TTL values decrease the time required to resolve information.

• If a change occurs, the client will not receive the updated information until the TTL expires and a new query to that portion of the domain namespace is resolved.
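As an added illustration of the TTL trade-off on this slide (example code written for this page, not part of the original deck), the following Python models a caching name server with a plain dict standing in for the authoritative server. `demo_ttl_staleness` shows that once a record is cached, a change made on the authoritative side is not seen by clients until the cached copy expires, and `upstream_load` counts how many queries reach the authoritative server over a window for a short versus a long TTL. All names, addresses and timings are constructed.

```python
from dataclasses import dataclass

# Constructed model of name server caching. The "authoritative" dict stands in
# for the authoritative DNS server; times are plain seconds passed in by the
# caller so the behaviour is deterministic.


@dataclass
class CachedAnswer:
    address: str
    expires_at: float      # absolute time at which the cached record expires


class CachingResolver:
    def __init__(self, authoritative, ttl_seconds):
        self.authoritative = authoritative   # name -> address (stand-in zone)
        self.ttl = ttl_seconds
        self.cache = {}
        self.upstream_queries = 0            # load pushed to the authoritative server

    def resolve(self, name, now):
        """Answer from cache while the TTL has not expired, otherwise re-query."""
        entry = self.cache.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.address, "cache"
        self.upstream_queries += 1
        address = self.authoritative[name]
        self.cache[name] = CachedAnswer(address, now + self.ttl)
        return address, "authoritative"


def demo_ttl_staleness(ttl_seconds):
    """Change a record after it was cached; clients see the old data until expiry."""
    zone = {"dc1.corp.example": "10.0.0.10"}          # constructed record
    resolver = CachingResolver(zone, ttl_seconds)
    first, _ = resolver.resolve("dc1.corp.example", now=0)
    zone["dc1.corp.example"] = "10.0.0.20"             # administrator changes the record
    stale, _ = resolver.resolve("dc1.corp.example", now=ttl_seconds - 1)
    fresh, _ = resolver.resolve("dc1.corp.example", now=ttl_seconds)
    return {
        "first": first,
        "stale": stale,                                 # still the old address
        "fresh": fresh,                                 # new address after TTL expiry
        "upstream_queries": resolver.upstream_queries,  # only two reached the server
    }


def upstream_load(ttl_seconds, window_seconds, query_interval):
    """Number of queries that reach the authoritative server when one client
    asks for the same name every query_interval seconds for window_seconds."""
    zone = {"www.corp.example": "10.0.0.80"}           # constructed record
    resolver = CachingResolver(zone, ttl_seconds)
    for now in range(0, window_seconds, query_interval):
        resolver.resolve("www.corp.example", now)
    return resolver.upstream_queries


if __name__ == "__main__":
    print(demo_ttl_staleness(300))
    print("TTL 60s:", upstream_load(60, 600, 10), "upstream queries in 10 minutes")
    print("TTL 600s:", upstream_load(600, 600, 10), "upstream query in 10 minutes")
```

The two counts from `upstream_load` are the slide's point in numbers: a ten-fold shorter TTL means ten times as many queries hit the name server for the same client behaviour, while `demo_ttl_staleness` is the reason one might accept that cost before a planned address change.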

Reverse Lookup Query

• Maps an IP address to a name.

• The NSLOOKUP command-line DNS utility uses reverse lookup queries to report back host names.

• Certain applications implement security based on the ability to connect to names, not IP addresses.

• DNS is indexed by name, not by IP address.

• A reverse lookup query would require an exhaustive search of every domain name because the DNS distributed database is indexed by name and not IP address.

• A special second-level domain called in-addr.arpa was created to solve the problem of finding a name that matches an IP address.

In-addr.arpa Domain

• Follows the same hierarchical naming scheme as the rest of the domain namespace.

• Based on IP addresses, not domain names.

• Subdomains are named after the numbers in the dotted-decimal representation of IP addresses.

• Order of the IP address octets is reversed.

• Companies administer subdomains of the in-addr.arpa domain based on their assigned IP addresses and subnet mask.

An in-addr.arpa Domain Example: IP Address 169.254.16.200

An in-addr.arpa Domain Example (cont.)

• Assigned IP address range of 169.254.16.0 to 169.254.16.255

• Subnet mask 255.255.255.0

• Authority over 16.254.169.in-addr.arpa domain

Understanding and Configuring Zones

• Zones

• Zone Planning

• Forward Lookup Zones

• Reverse Lookup Zones

• Resource Records

• Delegating Zones

• Configuring Dynamic DNS

• Practice: Configuring Zones

Zone Overview

• DNS service provides the option of dividing up the namespace into one or more zones.

• Zones can be stored, distributed, and replicated to other DNS servers.

• The DNS namespace represents the logical structure of the network resources.

• DNS zones provide physical storage of these resources.

Reasons to Use Additional Zones

• A need exists to delegate management of part of the DNS namespace to another location or department within the organization.

• A need exists to divide one large zone into smaller zones for distributing traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment.

• A need exists to extend the namespace by adding numerous subdomains at once, such as to accommodate the opening of a new branch or site.

Forward Lookup Zones

• Enable forward lookup queries.

• At least one forward lookup zone must be configured for the DNS service to work.

• Active Directory Installation Wizard can automatically create a forward lookup zone based on the DNS name you specified for the server.

Zone Type: Active Directory Integrated

• Master copy of a new zone

• Uses Active Directory to store and replicate zone files

Zone Type: Standard Primary

• Master copy of a new zone stored in a standard text file

• Administered and maintained on the computer on which the zone is created

Zone Type: Standard Secondary

• Replica of an existing zone.

• Read-only; stored in standard text files.

• Primary zone must be configured to create a secondary zone.

• The DNS server that will transfer zone information to the name server holding the standard secondary zone, called the master server, must be specified.

• Create a secondary zone to provide redundancy and to reduce the load on the name server containing the primary zone database file.

Benefits of Active Directory–Integrated Zones

• Multimaster update and enhanced security based on the capabilities of Active Directory.

• Zones are replicated and synchronized to new domain controllers automatically whenever a new zone is added to an Active Directory domain.

• By integrating storage of your DNS namespace in Active Directory, you simplify planning and administration for both DNS and Active Directory.

• Directory replication is faster and more efficient than standard DNS replication.

Zone Name

• A zone is typically named after the highest domain in the hierarchy that the zone encompasses; the root domain for the zone.

• For a zone that encompasses both microsoft.com and sales.microsoft.com, the zone name would be microsoft.com.

Zone File

• A zone file must be specified for the standard primary forward lookup zone type.

• The zone file is the zone database file name, which defaults to the zone name with a .dns extension.

• An existing zone file can be imported when migrating a zone from another server.

• Place the existing file in the systemroot\System32\DNS directory on the target computer before creating the new zone.

Reverse Lookup Zones

• Enable reverse lookup queries

• Are not required, except to run troubleshooting tools, such as NSLOOKUP, and to record a name instead of an IP address in IIS log files

Zone File

• Must be specified for the standard primary reverse lookup zone type.

• Network ID and subnet mask determine the default zone file name.

• DNS reverses the IP octets and adds the in-addr.arpa suffix.

• For a network ID of 169.254, the reverse lookup zone file for the 169.254 network becomes 254.169.in-addr.arpa.dns.

• The existing zone file may be imported when migrating a zone from another server.

• The existing zone file must be placed in the systemroot\System32\DNS directory.
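The octet reversal described in the in-addr.arpa slides (the 169.254.16.200 example and the 16.254.169.in-addr.arpa authority for a 255.255.255.0 mask) and the default reverse zone file name on this slide follow from one small rule, worked here in Python as an added example that is not part of the original deck. `reverse_zone_name` derives the in-addr.arpa zone a site is authoritative for from its network ID and subnet mask, `reverse_zone_file_name` appends the `.dns` extension used by the Windows DNS service, and `ptr_record_name` gives the full owner name of a host's PTR record. Only octet-aligned masks (/8, /16, /24) are handled, matching the classful examples in the slides; anything else raises rather than guessing a classless delegation scheme. The addresses used are the ones on the slides plus a constructed mask for the error case.

```python
import ipaddress

# Added example: reverse-lookup naming for IPv4 as presented in the slides.
# Network IDs are given in full dotted form (169.254.0.0 rather than 169.254).


def reverse_zone_name(network_id, subnet_mask):
    """in-addr.arpa zone for a network: reversed network octets + suffix.

    Only masks that end on an octet boundary are supported here; for other
    masks a ValueError is raised instead of inventing a classless scheme.
    """
    net = ipaddress.IPv4Network(f"{network_id}/{subnet_mask}", strict=False)
    if net.prefixlen == 0 or net.prefixlen % 8 != 0:
        raise ValueError(f"mask {subnet_mask} is not octet-aligned")
    network_octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(network_octets)) + ".in-addr.arpa"


def reverse_zone_file_name(network_id, subnet_mask):
    """Default zone database file name: the zone name plus a .dns extension."""
    return reverse_zone_name(network_id, subnet_mask) + ".dns"


def ptr_record_name(ip_address):
    """Full owner name of the PTR record for one host: all four octets reversed."""
    octets = str(ipaddress.IPv4Address(ip_address)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_within_zone(ip_address, network_id, subnet_mask):
    """Owner name of the PTR record relative to the reverse zone it lives in,
    raising if the address is outside that zone."""
    zone = reverse_zone_name(network_id, subnet_mask)
    full_name = ptr_record_name(ip_address)
    if not full_name.endswith("." + zone):
        raise ValueError(f"{ip_address} is not inside {zone}")
    return full_name[: -len(zone) - 1]


if __name__ == "__main__":
    print(reverse_zone_name("169.254.16.0", "255.255.255.0"))        # 16.254.169.in-addr.arpa
    print(reverse_zone_file_name("169.254.0.0", "255.255.0.0"))       # 254.169.in-addr.arpa.dns
    print(ptr_record_name("169.254.16.200"))                          # 200.16.254.169.in-addr.arpa
    print(ptr_owner_within_zone("169.254.16.200", "169.254.16.0", "255.255.255.0"))  # 200
```

The relative owner name returned by `ptr_owner_within_zone` is what appears in the zone file itself: in the /24 zone the record for 169.254.16.200 is simply `200`, while in a /16 zone it is `200.16`.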

Resource Records

• Entries in the zone database file that associate DNS domain names to related data for a given network resource.

• Many different types of resource records.

• When a zone is created, DNS automatically creates the Start of Authority (SOA) and the Name Server (NS) resource records.

Frequently Used Resource Record Types

• Host (A): Lists host name-to-IP address mappings

• Alias (CNAME): Creates alias or canonical name

• Host Information (HINFO): Identifies OS and CPU

• Mail Exchanger (MX): Identifies mail exchanger

• Name Server (NS): Lists name servers for domain

• Pointer (PTR): Points to another part of the domain

• Service (SRV): Identifies servers hosting services

• Start of Authority (SOA): Identifies authoritative source
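To make the resource record slides concrete, here is an added Python example (not code from the deck) that parses a small constructed zone database file of the kind a standard primary zone stores, using the common one-record-per-line layout (`owner [ttl] [class] type rdata`), and then applies the check the previous slide implies: a zone needs exactly one SOA record and at least one NS record, and the SOA carries the serial number that zone transfers later compare. All names and addresses in `SAMPLE_ZONE_FILE` are made up.

```python
from collections import defaultdict

# Constructed zone file for a standard primary zone (corp.example is invented).
# The SOA is written on one line; parenthesised multi-line SOA records, which
# real zone files often use, are deliberately not handled by this small parser.
SAMPLE_ZONE_FILE = """\
; corp.example.dns (constructed sample)
$ORIGIN corp.example.
@           3600 IN SOA   dc1.corp.example. hostmaster.corp.example. 2024010105 900 600 86400 3600
@           3600 IN NS    dc1.corp.example.
@           3600 IN MX    10 mail.corp.example.
dc1         3600 IN A     10.0.0.10
mail        3600 IN A     10.0.0.25
www         3600 IN CNAME mail.corp.example.
_ldap._tcp   600 IN SRV   0 100 389 dc1.corp.example.
"""


def parse_zone_file(text):
    """Parse 'owner [ttl] [class] type rdata...' lines into record dicts.

    Relative owner names are expanded against $ORIGIN and '@' means the origin
    itself. Comments start with ';'.
    """
    origin = ""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        owner, rest = tokens[0], tokens[1:]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        ttl = None
        if rest and rest[0].isdigit():          # optional TTL field
            ttl = int(rest.pop(0))
        if rest and rest[0].upper() == "IN":    # optional class field
            rest.pop(0)
        rtype, rdata = rest[0].upper(), rest[1:]
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata})
    return records


def check_zone(records):
    """Return (problems, soa_serial): one SOA and at least one NS are required."""
    by_type = defaultdict(list)
    for record in records:
        by_type[record["type"]].append(record)
    problems = []
    if len(by_type["SOA"]) != 1:
        problems.append(f"expected exactly one SOA record, found {len(by_type['SOA'])}")
    if not by_type["NS"]:
        problems.append("no NS record: nothing names an authoritative server for the zone")
    serial = int(by_type["SOA"][0]["rdata"][2]) if by_type["SOA"] else None
    return problems, serial


def count_by_type(records):
    counts = defaultdict(int)
    for record in records:
        counts[record["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    zone = parse_zone_file(SAMPLE_ZONE_FILE)
    print(count_by_type(zone))
    print(check_zone(zone))
```

Running it on the sample prints the per-type counts (one SOA, one NS, one MX, two A, one CNAME, one SRV), no problems, and serial 2024010105. Feeding `check_zone` a file with the NS line removed reports the missing name server, which is the state a hand-edited zone file can end up in and that the DNS service otherwise creates automatically when it makes the zone.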

Delegating Zones

Delegating Zones

• A zone starts as a storage database for a single DNS domain name.

• If other domains are added below the domain used to create the zone, these domains can be part of either the same zone or another zone.

• Once a subdomain is added, it can then be:

• Managed and included as part of the original zone records.

• Delegated away to another zone created to support the subdomain.

• SOA resource records must be created and must point to the authoritative DNS server for the new zone.

• The New Delegation Wizard is available to assist in delegation of zones.

Dynamic DNS (DDNS) Updates

DDNS Overview

• DDNS is the DNS service that includes dynamic update capability.

• Name servers and clients within a network automatically update the zone database files.

Dynamic Updates

• A list of authorized servers can be configured to initiate dynamic updates.

• This list can include secondary name servers, domain controllers, and other servers that perform network registration for clients, such as servers running DHCP service or Microsoft WINS.

DDNS and DHCP

• These services interact to maintain synchronized name-to-IP mappings for network hosts.

• By default, DHCP service allows clients to add their own Host (A) records to the zone; the DHCP service adds the PTR resource record to the zone.

• DHCP service cleans up both the A and PTR resource records in the zone when the lease expires.

Zone Replication and Transfer

• Zone Replication and Zone Transfers

• DNS Notification

• The DNS Notify Process

Zone Replication and Zone Transfers

• Zones play an important role in DNS; their availability from more than one DNS server on the network is needed to provide fault tolerance when resolving name queries.

• If a single server is used and that server is not responding, queries for names in the zone can fail.

• Zone transfers are required to replicate and synchronize all copies of the zone used at each server configured to host the zone.

• A full zone transfer (AXFR) is performed when a new DNS server is added to the network and configured as a new secondary server for an existing zone.

• Earlier DNS server implementations used a full transfer (AXFR) for incremental changes to the zone.

• For Microsoft Windows 2000 Server, the DNS service supports incremental zone transfer (IXFR).

Reasons to Use Additional DNS Servers

• Provide zone redundancy

• Reduce DNS network traffic

• Reduce load on primary server

Incremental Zone Transfers (IXFR)

• Provide a more efficient method of propagating zone changes and updates.

• Allow the secondary server to pull only those zone changes it needs to synchronize its copy of the zone with its source.

• Source can be either a primary or secondary copy of the zone maintained by another DNS server.

• For an IXFR query to succeed and changes to be sent, the source DNS server for the zone must keep a history of incremental zone changes to use when answering these queries.

• IXFR requires substantially less traffic on a network, and zone transfers are completed much faster.

Incremental Zone Transfers (IXFR) (cont.)

• Differences between the source and replicated versions of the zone are determined as follows:

• If the zones are identified to be the same version, as indicated by the serial number field in the SOA resource record of each zone, no transfer is made.

• If the source serial number is greater than the serial number held by the requesting secondary server, only the resource record changes for each incremental version of the zone are transferred.

Zone Transfer Process

Zone Transfer Security

• The DNS console permits you to specify the servers allowed to participate in zone transfers.

• This helps to prevent an undesired attempt by an unknown or unapproved DNS server to pull or request zone updates.

Zone Transfers Tab

DNS Notification

• Updated revision to the DNS standard specification (RFC 1996).

• Implements a push mechanism for notifying a select set of secondary servers for a zone when a zone is updated.

• Notified servers can then initiate the zone transfer process and pull changes from the notifying server to update the zone.

• Use DNS notification only to notify DNS servers that are operating as secondary servers for a zone.

• Not needed for replication of directory-integrated zones.

Notify Dialog Box

Typical DNS Notify Process

• Local zone is updated.

• Source server sends notify message to other servers.

• Secondary servers initiate a zone transfer.
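The IXFR slides, the Zone Transfer Security slide and the notify process above describe one mechanism from three sides, so here is a single added Python model of it (example code written for this page, not the deck's or Microsoft's implementation). A `PrimaryServer` keeps a change history keyed by SOA serial, answers a transfer request with nothing, an incremental delta or a full zone depending on the serial comparison and on whether its history still covers the gap, refuses requesters that are not on its allow-list, and sends NOTIFY so that secondaries pull whatever they lack. `demo` walks the sequence on the previous slide with a new secondary, an incremental change, a no-op notify, a server that has lost its incremental history, and a requester that is not on the list. Zone name, record contents, addresses and serials are constructed.

```python
# Added example: a minimal model of zone transfer (AXFR/IXFR), the transfer
# allow-list, and DNS NOTIFY. Records are plain tuples (owner, type, rdata).


class TransferRefused(Exception):
    """Raised when a server not on the allow-list asks for a zone transfer."""


class PrimaryServer:
    def __init__(self, zone_name, records, serial, allowed_secondaries):
        self.zone_name = zone_name
        self.records = set(records)           # current full zone content
        self.serial = serial                  # SOA serial of that content
        self.history = {}                     # serial -> (added, removed) that produced it
        self.allowed = set(allowed_secondaries)
        self.secondaries = []                 # servers to NOTIFY on change

    def update(self, add=(), remove=()):
        """Apply a change, bump the serial, and remember the delta for IXFR."""
        self.records -= set(remove)
        self.records |= set(add)
        self.serial += 1
        self.history[self.serial] = (frozenset(add), frozenset(remove))

    def forget_history(self):
        """Model a source server that no longer holds incremental change history."""
        self.history.clear()

    def transfer(self, requester_ip, have_serial):
        """Answer an IXFR request: ('none' | 'ixfr' | 'axfr', payload, serial)."""
        if requester_ip not in self.allowed:
            raise TransferRefused(f"{requester_ip} is not permitted to transfer {self.zone_name}")
        if have_serial >= self.serial:         # same version: nothing to send
            return "none", [], self.serial
        needed = range(have_serial + 1, self.serial + 1)
        if all(s in self.history for s in needed):
            return "ixfr", [self.history[s] for s in needed], self.serial
        return "axfr", sorted(self.records), self.serial   # history gap: full transfer

    def notify(self):
        """DNS NOTIFY: each secondary compares serials and pulls if it is behind."""
        return {s.ip: s.on_notify(self) for s in self.secondaries}


class SecondaryServer:
    def __init__(self, ip):
        self.ip = ip
        self.records = set()
        self.serial = 0                       # nothing held yet

    def on_notify(self, primary):
        if primary.serial <= self.serial:
            return "none"
        kind, payload, serial = primary.transfer(self.ip, self.serial)
        if kind == "ixfr":
            for added, removed in payload:    # replay each incremental version in order
                self.records -= removed
                self.records |= added
        elif kind == "axfr":
            self.records = set(payload)
        self.serial = serial
        return kind


def demo():
    primary = PrimaryServer("corp.example", {("dc1", "A", "10.0.0.10")},
                            serial=2024010101, allowed_secondaries={"10.0.0.2"})
    approved = SecondaryServer("10.0.0.2")
    unlisted = SecondaryServer("192.0.2.99")   # constructed address, not on the allow-list
    primary.secondaries.append(approved)
    steps = {}
    steps["initial"] = primary.notify()["10.0.0.2"]          # new secondary: full transfer
    primary.update(add={("mail", "A", "10.0.0.25")})
    steps["incremental"] = primary.notify()["10.0.0.2"]      # one delta: IXFR
    steps["unchanged"] = primary.notify()["10.0.0.2"]        # serials equal: nothing
    primary.update(remove={("dc1", "A", "10.0.0.10")}, add={("dc1", "A", "10.0.0.11")})
    primary.forget_history()
    steps["no_history"] = primary.notify()["10.0.0.2"]       # gap not covered: AXFR fallback
    try:
        unlisted.on_notify(primary)
        steps["unlisted"] = "allowed"
    except TransferRefused:
        steps["unlisted"] = "refused"
    steps["in_sync"] = approved.records == primary.records and approved.serial == primary.serial
    return steps


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The `no_history` step is the caveat from the IXFR slide: an IXFR request only saves traffic when the source still holds every incremental version between the two serials, otherwise the secondary gets a full transfer. The `unlisted` step is the Zone Transfer Security slide: the allow-list is checked before the serial comparison, so a server that is not on the list learns nothing about the zone, not even whether it has changed.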

Monitor and Troubleshoot DNS for Active Directory

• Monitoring DNS Servers

• DNS Troubleshooting Scenarios

Two Options for Monitoring DNS Servers

• Default logging of DNS server event messages to the DNS server log

• Optional debug options for trace logging to a text file on the DNS server computer

DNS Server Event Logging

• DNS server event messages are kept separate from events raised by other applications and services in the DNS server log.

• DNS server log contains basic predetermined events logged by the DNS server service, such as when the DNS server starts and stops.

• Use Event Viewer to view and monitor client-related DNS events.

• These events appear in the system log and are written by the DNS client service on any computer running Windows 2000 (all versions).

Debug Options

• The DNS console allows you to set additional logging options to create a temporary trace log as a text-based file for DNS server activity.

• DNS.LOG is stored in the systemroot\System32\Dns folder.

• By default, all debug logging options are disabled.

• DNS server service can perform additional trace-level logging of selected types of events or messages for general troubleshooting and debugging of the server.

• Debug logging can be resource-intensive, affecting overall server performance and consuming disk space.

• Debug logging should be used only temporarily, when more detailed information about server performance is needed.