Module Overview
• Installing the DNS Server Role
• Configuring the DNS Server Role
• Configuring DNS Zones
• Configuring DNS Zone Transfers
• Managing and Troubleshooting DNS
• Overview of the Windows Internet Name Service
• Configuring WINS Replication
• Migrating from WINS to DNS
Overview of the Domain Name System Role
The Domain Name System is a hierarchical, distributed database
• DNS supports accessing resources by using alphanumeric names instead of IP addresses
• The root of the namespace is administered centrally (the slide credits InterNIC; today that role belongs to ICANN/IANA), and each domain delegates authority for its subdomains downward
Diagram: root domain ("."), top-level domains (com, net, org), second-level domain (nwtraders), subdomains (south, with sales, east and west beneath it). The host SERVER1 in sales.south.nwtraders.com has the FQDN SERVER1.sales.south.nwtraders.com.
DNS Improvements for Windows Server 2008
New or enhanced features in the Windows Server 2008 version of DNS include:
• Background zone loading (the server answers queries while large AD-integrated zones are still loading)
• IP version 6 support (AAAA records and DNS over IPv6 transport)
• Support for read-only domain controllers
• GlobalNames zone for single-label names
• DNSSEC, which signs zone data so that resolvers can detect spoofed or tampered responses (cache poisoning, man-in-the-middle); it authenticates and integrity-protects the data but does not encrypt it
DNSSEC does not require IPv6. Windows Server 2008 itself supports only the older RFC 2535 record types (SIG, KEY, NXT) and only as a secondary for an already signed zone; it cannot sign zones or validate responses. Current DNSSEC with RRSIG, DNSKEY, NSEC and DS records (RFC 4033-4035) and offline zone signing with dnscmd arrive in Windows Server 2008 R2.
Considerations for deploying the DNS Server role:
• Manually configure the server to use a static IP address (a DNS server that changes address orphans every client and every delegation that points at it)
• Use the DNS console or the dnscmd command-line tool
• The user account must be a member of the local Administrators group or equivalent
Common dnscmd operations, in the form dnscmd <dns_server_name> <command>:
• /Info, /Config, /Statistics: view or change server-wide settings and counters
• /ZoneInfo <zone>, /ZoneExport <zone> <file>: inspect a zone or dump it to a file
• /ZoneResetType <zone> /Primary | /Secondary: change a zone's type
• /ZoneResetSecondaries <zone>: control which servers may pull zone transfers and which are notified
• /ZoneResetMasters <zone>: set the master servers of a secondary or stub zone
• /AgeAllRecords <zone>, /StartScavenging: time-stamp records and run a scavenging pass
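The deployment considerations above, carried out from an elevated PowerShell prompt on Windows Server 2008. This is an added example, not code from the slide deck; the interface name, addresses and server names are assumptions for illustration.

```powershell
# Added example (not from the slide deck): prepare a Windows Server 2008 host
# for the DNS Server role and verify the service with dnscmd. Interface name,
# addresses and server names are assumptions. Run elevated (the account must
# be in the local Administrators group, as the slide says).

$nic     = 'Local Area Connection'
$ip      = '192.168.2.10'
$mask    = '255.255.255.0'
$gateway = '192.168.2.1'
$peerDns = '192.168.2.11'          # a second DNS server for fault tolerance

# 1. Static IPv4 address. A DNS server must not change address: every client
#    and every NS/delegation record that points at it would break.
netsh interface ipv4 set address name="$nic" source=static address=$ip mask=$mask gateway=$gateway
# Point the server's own resolver at itself first, then at a peer.
netsh interface ipv4 set dnsservers name="$nic" source=static address=$ip register=primary
netsh interface ipv4 add dnsservers name="$nic" address=$peerDns index=2

# 2. Install the role: ServerManagerCmd on Windows Server 2008, the
#    ServerManager module on 2008 R2.
if (Get-Module -ListAvailable -Name ServerManager) {
    Import-Module ServerManager
    Add-WindowsFeature DNS
} else {
    ServerManagerCmd.exe -install DNS
}

# 3. Verify: the service is running, and dnscmd can talk to it.
Get-Service -Name DNS
dnscmd $ip /Info            # server settings (recursion, forwarders, boot method ...)
dnscmd $ip /EnumZones       # zones hosted so far (none yet on a fresh install)
dnscmd $ip /Statistics      # query, transfer and error counters for later comparison
```

dnscmd accepts either the server's name or its IP address; the IP form is used here so the same lines work before the server has a resolvable name of its own.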
What Are the Components of a DNS Solution?
Diagram: DNS clients query DNS servers, which in turn rely on the DNS servers on the Internet (root ".", .com, .edu); every server holds resource records for the zones it is authoritative for
DNS resource records include:
• SOA: Start of Authority (zone serial number, primary server, refresh/retry/expire timers)
• A: Host record (name to IPv4 address)
• CNAME: Alias record (name to canonical name)
• MX: Mail Exchange record
• SRV: Service Locator record (Active Directory clients use SRV records to find domain controllers)
• NS: Name Server record (which servers are authoritative for a zone or delegated subdomain)
• AAAA: IPv6 host record
What Are Root Hints?
Root hints contain the names and IP addresses of the DNS root servers; a server uses them to begin an iterative lookup when it has no forwarder and nothing cached for the name
Diagram: client → DNS server (root hints) → root (.) servers → com → microsoft DNS servers
What Is a DNS Query?
A query is a request for name resolution and is directed to a DNS server
• Queries are recursive or iterative
• DNS clients and DNS servers both initiate queries
• DNS servers are authoritative or nonauthoritative for a namespace
• An authoritative DNS server for the namespace will either:
  • Return the requested record
  • Return an authoritative "No" (NXDOMAIN, or an empty answer for a name with no record of that type)
• A nonauthoritative DNS server for the namespace will either:
  • Check its cache
  • Use forwarders
  • Use root hints
What Are Recursive Queries?
A recursive query is sent to a DNS server and requires a complete answer (the record or an error); the server does the remaining work on the client's behalf
Diagram: the DNS client asks the local DNS server for mail1.contoso.msft and receives 172.16.64.11 from the server's database
What Are Iterative Queries?
An iterative query directed to a DNS server may be answered with a referral to another DNS server
Diagram: the client sends a recursive query for mail1.nwtraders.com to its local DNS server. The local server then sends iterative queries in turn to a root hint (.) server (answer: "ask .com"), to a .com server (answer: "ask nwtraders.com"), and to the nwtraders.com server, which returns the authoritative response 172.16.64.11. The local server caches the answer and returns it to the client.
What Is a Forwarder?
A forwarder is a DNS server designated to resolve external or offsite DNS domain names; the local server sends it a recursive query instead of walking the root hints itself
Diagram: the client sends a recursive query for mail1.nwtraders.com to the local DNS server; the local server sends a recursive query to the forwarder (the ISP DNS); the forwarder performs the iterative queries to the root (.), .com and nwtraders.com servers ("ask .com", "ask nwtraders.com", authoritative response) and returns 172.16.64.11 to the local server, which answers the client
What Is Conditional Forwarding?
Conditional forwarding forwards requests using a domain name condition
Diagram: the local DNS server forwards queries for contoso.msft (for example www.contoso.msft) from the client computer to the Contoso.msft DNS server, and queries for all other DNS domains to the ISP DNS
How DNS Server Caching Works
Diagram: Client1 asks the DNS server "Where's ServerA?"; the server resolves it, answers "ServerA is at 192.168.8.44" and caches the record. Client2 asks the same question and is answered from the DNS server cache without a new lookup.
DNS server cache:
Host name  IP address  TTL
ServerA.contoso.msft  192.168.8.44  28 seconds
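The forwarder, conditional forwarding and caching behaviour described above, configured with dnscmd and exercised with nslookup. This is an added example, not code from the slide deck; the server address, the ISP forwarder, the partner domain and its server are assumptions.

```powershell
# Added example (not from the slide deck): configure forwarding and caching on
# a Windows Server 2008 DNS server, then observe recursive versus iterative
# behaviour with nslookup. All addresses and the partner domain are assumptions.

$server  = '192.168.2.10'        # this DNS server
$ispDns  = '198.51.100.53'       # forwarder for "all other DNS domains"
$contoso = '10.0.0.53'           # authoritative server for contoso.msft

# Standard forwarder: anything this server is not authoritative for (and has
# not cached) goes here as a recursive query. /Slave stops the server from
# falling back to root hints when the forwarder does not answer, so an
# internal server never talks to the Internet directly.
dnscmd $server /ResetForwarders $ispDns /Slave

# Conditional forwarder: queries for contoso.msft (and only that domain) go to
# the partner's DNS server. This is the "domain name condition" on the slide.
dnscmd $server /ZoneAdd contoso.msft /Forwarder $contoso

# Cache pollution protection: discard records in a reply that lie outside the
# queried name's zone, so a remote server cannot plant unrelated cached
# records. On by default on Windows Server 2008; set explicitly here.
dnscmd $server /Config /SecureResponses 1

# Recursion should be off on an Internet-facing authoritative server so it
# cannot be abused as an open resolver. Do NOT set it on the server your
# internal clients use; they need recursion (and forwarding) to work at all.
# dnscmd $server /Config /NoRecursion 1

# Observe the behaviour. A normal nslookup sends a recursive query; the
# server forwards it and returns the complete answer.
nslookup www.nwtraders.com $server
# -norecurse clears the RD flag: the server may only answer from cache or
# from its own zones. The first time it has nothing; after the recursive
# query above it answers "Non-authoritative" from cache until the TTL expires.
nslookup -norecurse www.nwtraders.com $server

# Empty the cache when testing a change upstream.
dnscmd $server /ClearCache
```

The pair of nslookup calls is the quickest way to see the cache on the slide in action: repeat the `-norecurse` query and watch the TTL in a verbose (`-debug`) answer count down toward zero.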
What Is a DNS Zone?
A zone is the portion of the namespace for which a DNS server holds authoritative data in a zone database; a domain can be split across several zones by delegation
Diagram: DNS root domain "." → .com → the microsoft.com domain on the Internet. The microsoft.com zone database holds microsoft.com, www.microsoft.com (WWW) and ftp.microsoft.com (FTP) and delegates example.microsoft.com to a separate zone. The example.microsoft.com zone database holds example.microsoft.com, www.example.microsoft.com (WWW.example) and ftp.example.microsoft.com (FTP.example).
What Are the DNS Zone Types?
Zone type  Description
Primary  Read/write copy of a DNS database
Secondary  Read-only copy of a DNS database, kept current by zone transfer from a master server
Stub  Copy of a zone that contains only the records used to locate its name servers (SOA, NS and glue A records)
Active Directory integrated  Zone data is stored in Active Directory rather than in zone files and replicates with the directory; every domain controller that hosts it holds a writable copy (multi-master), and secure dynamic update becomes available
What Are Forward and Reverse Lookup Zones?
Namespace: training.nwtraders.msft
A forward lookup zone resolves names to IP addresses; a reverse lookup zone (under in-addr.arpa) resolves IP addresses to names with PTR records
Forward zone "training" on the DNS server authoritative for training.nwtraders.msft:
DNS Client1  192.168.2.45
DNS Client2  192.168.2.46
DNS Client3  192.168.2.47
Reverse zone 2.168.192.in-addr.arpa:
192.168.2.45  DNS Client1
192.168.2.46  DNS Client2
192.168.2.47  DNS Client3
The query "DNS Client2 = ?" is answered from the forward zone; the query "192.168.2.46 = ?" is answered from the reverse zone
What Are Stub Zones?
Without stub zones, the ny.na.contoso.com server must query several servers (up through contoso.com, then fabrikam.com) to find the server that hosts the na.fabrikam.com zone
With a stub zone defined, the location of the na.fabrikam.com zone is known without querying multiple DNS servers
Diagram: Contoso.com (root domain) with child zones na.contoso.com and sa.contoso.com and grandchild zones ny.na.contoso.com and rio.sa.contoso.com, each on its own DNS server; fabrikam.com with its child zone na.fabrikam.com, each on its own DNS server. The ny.na.contoso.com server hosts the stub zones na.fabrikam.com and rio.sa.contoso.com, so it already holds the NS and glue records of those zones' authoritative servers and queries them directly; the stub zone refreshes itself from those servers.
DNS Zone Delegation
Diagram: Contoso.msft delegates the Training.contoso.msft and Sales.contoso.msft zones to other servers. The parent zone keeps NS records (and glue A records) for each delegated child so that queries can be referred to it.
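Each zone type from the table, plus the forward/reverse pair, a stub zone and a delegation from the diagrams, created with dnscmd. This is an added example, not code from the slide deck; the zone names, server addresses and record data are assumptions.

```powershell
# Added example (not from the slide deck): create every zone type on the
# slides with dnscmd on a Windows Server 2008 DNS server. Zone names, server
# addresses and record data are assumptions for illustration.

$server  = '192.168.2.10'      # this DNS server (a domain controller for the AD parts)
$master  = '192.168.2.10'      # primary for training.nwtraders.msft
$fabNs   = '172.16.1.53'       # a name server of na.fabrikam.com
$childNs = '192.168.5.10'      # server that will host sales.contoso.msft

# Primary forward lookup zone stored in a file (not AD-integrated).
dnscmd $server /ZoneAdd training.nwtraders.msft /Primary /file training.nwtraders.msft.dns
# Matching reverse lookup zone for 192.168.2.0/24; PTR records live here.
dnscmd $server /ZoneAdd 2.168.192.in-addr.arpa /Primary /file 2.168.192.in-addr.arpa.dns
# One host with both its A record and its PTR, so both lookups on the slide work.
dnscmd $server /RecordAdd training.nwtraders.msft DNSClient2 A 192.168.2.46
dnscmd $server /RecordAdd 2.168.192.in-addr.arpa 46 PTR DNSClient2.training.nwtraders.msft.

# Secondary zone: a read-only copy pulled from the master. Run on the other
# server; the master must allow zone transfers to it (next section).
# dnscmd 192.168.2.11 /ZoneAdd training.nwtraders.msft /Secondary $master

# Stub zone: only SOA, NS and glue of na.fabrikam.com, refreshed from its
# servers, so this server goes straight to them instead of walking the tree.
dnscmd $server /ZoneAdd na.fabrikam.com /Stub $fabNs

# Active Directory-integrated zone (server must be a DC). /DP /domain stores
# it in the domain-wide DNS partition, /DP /forest in the forest-wide one.
# /AllowUpdate 2 = secure dynamic updates only: a record can be changed only
# by the computer account that registered it, so a rogue host cannot take
# over another machine's name.
dnscmd $server /ZoneAdd contoso.msft /DsPrimary /DP /domain
dnscmd $server /Config contoso.msft /AllowUpdate 2

# Delegation: the parent zone contoso.msft hands sales.contoso.msft to another
# server by holding an NS record for the child plus a glue A record for that
# server's name (which lies inside the child and would otherwise be unresolvable).
dnscmd $server /RecordAdd contoso.msft sales NS ns1.sales.contoso.msft.
dnscmd $server /RecordAdd contoso.msft ns1.sales A $childNs

# Check the results.
dnscmd $server /EnumZones
dnscmd $server /ZoneInfo na.fabrikam.com
nslookup DNSClient2.training.nwtraders.msft $server   # forward lookup
nslookup 192.168.2.46 $server                        # reverse lookup
```

Trailing dots on the PTR and NS data matter: without them dnscmd appends the zone name and you end up with records such as DNSClient2.training.nwtraders.msft.2.168.192.in-addr.arpa.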
What Is a DNS Zone Transfer?
A DNS zone transfer is the synchronization of authoritative DNS zone data between DNS servers
Diagram: secondary server ↔ primary (master) server
1. The secondary server sends an SOA query for the zone to the master
2. The SOA query is answered; the secondary compares the master's serial number with its own copy
3. If the master's serial number is higher, the secondary sends an IXFR (incremental) or AXFR (full) query for the zone
4. The IXFR or AXFR query is answered (zone transferred)
How DNS Notify Works
A DNS notify is an update to the original DNS protocol specification (RFC 1996) that permits notification to secondary servers when zone changes occur, so they do not have to wait for the SOA refresh interval
Diagram: source (primary and master) server → destination (secondary) server
1. A resource record is updated on the source server
2. The SOA serial number is updated
3. The master sends a DNS notify message to the destination server
4. The secondary queries the SOA, sees the higher serial number and requests a zone transfer
Securing Zone Transfers
Diagram: primary zone → zone transfer → secondary zone
A zone transfer hands whoever requests it a complete map of the namespace (every host, mail server and domain controller), so:
• Restrict zone transfers to specified servers (the servers in the zone's NS records, or an explicit IP list); never leave a zone open to transfer by anyone
• Consider using Active Directory-integrated zones, whose data moves inside authenticated, encrypted Active Directory replication instead of over DNS
• Encrypt zone transfer traffic that must cross untrusted networks (for example with IPsec between the servers); AXFR/IXFR itself is sent in clear text
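The transfer restriction and notify configuration from the last three slides, applied with dnscmd and then checked from an unauthorised host. This is an added example, not code from the slide deck; the zone name and addresses are assumptions.

```powershell
# Added example (not from the slide deck): restrict zone transfers on a
# Windows Server 2008 primary, enable notify to the secondary, and verify
# the restriction from the outside. Zone name and addresses are assumptions.

$server    = '192.168.2.10'                # primary (master) server
$zone      = 'training.nwtraders.msft'
$secondary = '192.168.2.11'                # the only server allowed to pull the zone

# Before: inspect the current policy. A primary created with default
# settings on Windows Server 2008 transfers only to the servers in its NS
# records (SecureNs); hand-edited or migrated zones may be NonSecure, which
# means anyone who can reach TCP/53 can AXFR the whole zone.
dnscmd $server /ZoneInfo $zone          # look at "secure secondaries" and "notify level"

# After: only the listed secondary may pull the zone, and it is notified on
# every serial change so convergence does not wait for the refresh timer.
dnscmd $server /ZoneResetSecondaries $zone /SecureList $secondary /NotifyList $secondary

# For a zone that has no secondaries at all (AD-integrated on every DC, or a
# single server), refuse every transfer and send no notifies:
# dnscmd $server /ZoneResetSecondaries $zone /NoXfr /NoNotify

# Verification from a host that is NOT in the secure list. nslookup's
# "ls -d" issues an AXFR; after the change it must fail with "Query refused".
# Interactive session, typed on the test client:
#   nslookup
#   > server 192.168.2.10
#   > ls -d training.nwtraders.msft
# The same commands run from 192.168.2.11 must still succeed.

# Force the secondary to check the SOA serial and transfer now (run on it):
# dnscmd 192.168.2.11 /ZoneRefresh training.nwtraders.msft

# Confirm the change took: the "secure secondaries" line should now list
# 192.168.2.11 only.
dnscmd $server /ZoneInfo $zone
```

Treat the `ls -d` test as part of routine review: it is exactly what an attacker runs during reconnaissance, and a passing result on the secondary next to a refusal from everywhere else is the evidence that the restriction is in place.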
What Is Time to Live, Aging, and Scavenging?
Feature  Description
Time to Live (TTL)  Indicates how long a resolver or caching server may keep a record before it must query again; it bounds cache lifetime, not the record's existence in the zone
Aging  Time-stamps dynamically registered records and tracks when they become stale (no refresh from the client within the no-refresh interval plus the refresh interval)
Scavenging  Periodically removes stale dynamic records from the zone; records without a timestamp (static records) are never scavenged
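Aging and scavenging switched on with dnscmd, with intervals chosen against a DHCP lease so that live hosts never lose their records. This is an added example, not code from the slide deck; the zone name, the 7-day lease and the addresses are assumptions.

```powershell
# Added example (not from the slide deck): enable aging on one zone and
# scavenging on the server with intervals that fit a 7-day DHCP lease.
# Zone name, intervals and addresses are assumptions.

$server = '192.168.2.10'
$zone   = 'contoso.msft'

# Aging model per zone (intervals are in hours):
# - No-refresh interval: after a dynamic registration the timestamp is not
#   rewritten for this long, which saves AD replication traffic.
# - Refresh interval: the window after that in which the client's periodic
#   re-registration refreshes the timestamp.
# A record is stale only when no refresh arrives within
# no-refresh + refresh (168 h + 168 h = 14 days here). Keep that sum longer
# than the DHCP lease, or hosts that still hold a lease lose their names.
dnscmd $server /Config $zone /Aging 1
dnscmd $server /Config $zone /NoRefreshInterval 168
dnscmd $server /Config $zone /RefreshInterval 168

# Scavenging is a server-side sweep; enable it on ONE server per zone to
# keep the deletions predictable. Interval in hours.
dnscmd $server /Config /ScavengingInterval 168

# Static records carry no timestamp and are never scavenged. /AgeAllRecords
# stamps every record in a zone (or subtree) with the current time so it
# becomes eligible; that is destructive for genuinely static hosts, so scope
# it to the nodes you mean. /f suppresses the confirmation prompt.
# dnscmd $server /AgeAllRecords $zone /f

# Run a sweep now rather than waiting for the interval.
dnscmd $server /StartScavenging

# TTL is a separate control: this record is cached for at most one hour, but
# it stays in the zone until an administrator or scavenging removes it.
dnscmd $server /RecordAdd $zone web01 3600 A 192.168.2.80
```

Watch the DNS Server event log after the first sweep: scavenging deletions are logged, and a burst of them right after enabling aging usually means the intervals were shorter than the clients' re-registration period.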
Troubleshooting DNS
Tool  Used to:
Nslookup  Query a DNS server directly and troubleshoot resolution problems
Dnscmd  View and edit the DNS server configuration from the command line
Dnslint  Diagnose common DNS issues (lame delegations, inconsistent name servers, missing Active Directory SRV records) and write an HTML report
You can test the DNS server configuration by using:
• A simple query to ensure that the DNS service is answering
• A recursive query to ensure that the DNS server can communicate with the upstream DNS service
Monitor DNS events in the event log (the DNS Server log) to:
• Monitor zone transfer information
• Monitor computer events (zone load, dynamic update and scavenging activity)
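The simple-query, recursive-query and event-log checks from the slide, plus dnslint, written so they can be re-run after each configuration change. This is an added example, not code from the slide deck; the server address, the zone and the external test name are assumptions.

```powershell
# Added example (not from the slide deck): the troubleshooting checks from
# the slide as a repeatable script. Server address, zone name and the
# external test name are assumptions.

$server = '192.168.2.10'
$zone   = 'training.nwtraders.msft'

# 1. Simple query: ask for something the server is authoritative for.
#    An answer proves the service is up and the zone is loaded.
nslookup -type=SOA $zone $server

# 2. Recursive query: ask for a name the server can only get from upstream.
#    If (1) passes and this fails, suspect forwarders, root hints or a
#    firewall blocking outbound 53/udp and 53/tcp.
nslookup www.microsoft.com $server

# 3. dnslint: delegation and consistency checks for the zone, report to a file.
#    /ad instead of /d checks the SRV records Active Directory clients need.
dnslint /d $zone /s $server /r "$env:TEMP\dnslint-$zone"
# dnslint /ad /s $server

# 4. Event log: the DNS Server log carries zone transfer, zone load, dynamic
#    update and scavenging events. Show the last day's warnings and errors.
Get-EventLog -LogName 'DNS Server' -After (Get-Date).AddDays(-1) |
    Where-Object { $_.EntryType -eq 'Error' -or $_.EntryType -eq 'Warning' } |
    Select-Object TimeGenerated, EventID, Message |
    Format-Table -AutoSize -Wrap

# 5. Counters: take a snapshot before and after reproducing a problem and
#    compare query, transfer and failure counts.
dnscmd $server /Statistics
```

Keep the order: a failing recursive query means nothing until the simple query has shown the server itself is answering, and dnslint output is only meaningful against a zone that loaded.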
What is WINS and When Is WINS Required?
WINS resolves NetBIOS names (single-label names, up to 15 characters plus a service suffix) to IP addresses
WINS is required for the following reasons:
• Older versions of Microsoft operating systems rely on WINS for name resolution
• Some applications, typically older applications, rely on NetBIOS names
• When you need dynamic registration of single-label names
• If users rely on the Network Neighborhood or My Network Places network browser features
• If you are not using Windows Server 2008 as your DNS infrastructure (the GlobalNames zone alternative requires it)
Overview of WINS Components
Diagram: two subnets (Subnet 1 and Subnet 2). Each holds WINS clients, a WINS server with its WINS database, and a WINS proxy. A WINS proxy is a WINS-enabled computer that listens for the NetBIOS broadcasts of non-WINS clients on its subnet and forwards them to the WINS server, since broadcasts do not cross routers.
WINS Client Registration and Release Process
Diagram: WINS client ↔ WINS server
1. Name registered
• The WINS client sends a request to register its name
• The WINS server returns a registration message with a TTL value, indicating when the registration expires (the client must renew it before then)
2. Name released
• The WINS client sends a request to release the name (for example at shutdown)
• The WINS server sends a positive name release response
WINS Server Name Resolution Process
Diagram: a client on Subnet 1, WINS Server A on Subnet 1, WINS Server B on Subnet 2
1. The client makes up to three attempts to contact its primary WINS server (Server A), but does not receive a response
2. The client attempts to contact the other WINS servers in its list (Server B) until contact is made
3. If the name is resolved, the IP address is returned to the client
What Are NetBIOS Node Types?
A NetBIOS node type determines the method that a computer uses to resolve a NetBIOS name
Node type  Description  Registry value
B-node  Uses broadcasts for name registration and resolution (broadcasts do not cross routers)  1
P-node  Uses a NetBIOS name server, such as WINS, to resolve NetBIOS names  2
M-node  Combines B-node and P-node, but functions as a B-node first: broadcasts, then queries WINS  4
H-node  Combines P-node and B-node, but functions as a P-node first: queries WINS, then broadcasts  8
The registry value is NodeType under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters (DhcpNodeType when supplied by DHCP option 46); ipconfig /all reports the node type in effect
Compacting the WINS Database
Compacting recovers unused space in a WINS database
Maintain WINS database integrity by using:
• Dynamic compacting. Automatically occurs while the database is in use
• Offline compacting. The administrator stops the WINS service and uses the Jetpack.exe command-line tool
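Checking and setting the node type from the table, re-registering names, and the offline compaction described above. This is an added example, not code from the slide deck; the database path is the default WINS location and is an assumption, as is the choice of H-node.

```powershell
# Added example (not from the slide deck): inspect and set a client's NetBIOS
# node type, re-register its names, and compact the WINS database offline.
# The WINS directory is the default location and is an assumption.

# What the client is doing now: node type in effect, names it registered,
# and its remote name cache.
ipconfig /all | Select-String 'Node Type'
nbtstat -n
nbtstat -c

# The node type lives in the registry with the values from the slide's table
# (1 B-node, 2 P-node, 4 M-node, 8 H-node). DHCP option 46 sets DhcpNodeType,
# which NodeType overrides. H-node is the right choice on a routed network
# with WINS: query WINS first, broadcast only as a fallback. Takes effect
# after a reboot.
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
Get-ItemProperty -Path $netbt -Name NodeType, DhcpNodeType -ErrorAction SilentlyContinue
Set-ItemProperty -Path $netbt -Name NodeType -Value 8 -Type DWord

# Release and re-register this host's names with WINS without a reboot
# (useful after changing the WINS server address on the interface).
nbtstat -RR

# Offline compaction on the WINS server: stop the service, run Jetpack on the
# database (it writes to the temporary file, then replaces wins.mdb), start
# the service again. Dynamic compaction runs online but does not shrink the
# file; only the offline pass reclaims space.
$winsDir = "$env:SystemRoot\System32\wins"
Stop-Service -Name wins
Push-Location $winsDir
jetpack wins.mdb tmp.mdb
Pop-Location
Start-Service -Name wins
```

Back up the WINS database (WINS console or a copy of the wins directory with the service stopped) before the first Jetpack run on a production server.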
What Is Push Replication?
• A push partner notifies replication partners based on the number of changes in its database
• Push replication maintains a high level of synchronization
Diagram: ServerA on Subnet 1, ServerB on Subnet 2; 50 changes occur in ServerA's database
1. ServerA reaches the set threshold of 50 changes in its database
2. ServerA notifies ServerB that the threshold is reached (notification sent)
3. ServerB responds to ServerA with a replication request
4. ServerA sends replicas of its new database entries (replicas sent)
What Is Pull Replication?
• A pull partner requests replication based on a time interval
• Pull replication limits the frequency of replication traffic across slow links
Diagram: ServerA on Subnet 1, ServerB on Subnet 2
1. ServerA requests database changes from ServerB every 8 hours
2. ServerB sends replicas of its new database entries
What Is Push/Pull Replication?
Push/pull replication ensures that the databases on multiple WINS servers are nearly identical at any given time by:
• Notifying replication partners whenever the database reaches a set threshold of changes
• Requesting replication based on a set time
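Configuring the push/pull partnership from the three replication slides with netsh. This is an added example, not code from the slide deck; the server addresses are assumptions, and the netsh wins parameter spellings are written from memory of the netsh wins server context, so confirm them with `netsh wins server add partner /?` before relying on them.

```powershell
# Added example (not from the slide deck): make ServerA and ServerB push/pull
# partners of each other and trigger an immediate replication. Addresses are
# assumptions; check each netsh parameter spelling with "/?" on the target
# server before use.

$serverA = '192.168.1.20'     # WINS server on Subnet 1
$serverB = '192.168.2.20'     # WINS server on Subnet 2

# Type=2 makes the partner both push and pull (0 = pull only, 1 = push only).
# Each side lists the other; WINS replication is not symmetric by itself.
netsh wins server \\$serverA add partner Server=$serverB Type=2
netsh wins server \\$serverB add partner Server=$serverA Type=2

# The push threshold (50 changes on the slide) and the pull interval
# (8 hours on the slide) are set per partner in the WINS console under
# Replication Partners > partner properties; the defaults apply until then.

# Start replication with all partners now instead of waiting for the
# threshold or the interval, then confirm the partnership and the counters.
netsh wins server \\$serverA init replicate
netsh wins server \\$serverA show partner
netsh wins server \\$serverA show statistics
```

Only configure partners you administer: a WINS server accepts the records its partners send, so an unexpected partner can inject names that redirect NetBIOS clients.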
Name Resolution for a Single-Label Name
IPv6 does not support WINS (NetBIOS over TCP/IP runs only over IPv4)
Windows Server 2008 introduces a new zone type for DNS called the GlobalNames zone
What Is the GlobalNames Zone?
The GlobalNames zone:
• Resolves single-label names in the enterprise without using WINS
• Reduces the management and maintenance of DNS suffix search lists
• Relies on static record creation (dynamic updates are disabled on it)
• Requires the zone to be available on DNS servers throughout the forest
• Enables single-label name resolution for IPv6-enabled networks
• Uses CNAME records to point to the FQDN of the computer that hosts the resource
• Is recommended to be integrated in Active Directory with forest-wide replication
• Can be used as a method to decommission WINS servers
• Requires no additional client configuration because the client resolves the name in standard DNS query form
Setup GlobalNames Zone
• Requires authoritative name servers running Windows Server 2008
• Configure forest-wide, Active Directory-integrated replication of the GlobalNames zone
• Create static CNAME records that point to FQDN records
• Disable dynamic updates on the GlobalNames zone
• Enable single-label GlobalNames zone support on all DNS servers that host the zone
Use the following command to enable support for the GlobalNames zone on all DNS servers hosting the zone:
dnscmd /config /EnableGlobalNamesSupport 1
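The GlobalNames setup procedure from the last two slides carried out end to end with dnscmd. This is an added example, not code from the slide deck; the domain controller names, the single-label names and the hosts they point to are assumptions.

```powershell
# Added example (not from the slide deck): create and populate a GlobalNames
# zone on a Windows Server 2008 domain controller that runs DNS, then enable
# support on every DNS server that hosts it. Server and host names are
# assumptions. All DNS servers in the forest must run Windows Server 2008.

$dc      = '192.168.2.10'                    # DC/DNS server to create the zone on
$zone    = 'GlobalNames'                     # the name is fixed; the server looks for exactly this zone
$servers = @($dc, 'dc02.contoso.msft', 'dc03.contoso.msft')   # every DNS server hosting the zone

# 1. Create the zone AD-integrated with forest-wide replication so every DNS
#    server in the forest receives it.
dnscmd $dc /ZoneAdd $zone /DsPrimary /DP /forest

# 2. Disable dynamic updates. The zone is static by design; if updates were
#    allowed, any domain member could register a single-label name that
#    shadows a real server for the whole forest.
dnscmd $dc /Config $zone /AllowUpdate 0

# 3. One static CNAME per single-label name, pointing at the host's FQDN
#    (trailing dot so dnscmd does not append the zone name).
dnscmd $dc /RecordAdd $zone intranet  CNAME web01.contoso.msft.
dnscmd $dc /RecordAdd $zone fileshare CNAME fs01.sales.contoso.msft.

# 4. Enable GlobalNames lookups on every DNS server hosting the zone. The
#    setting is per server, not per zone, so repeat it everywhere.
foreach ($s in $servers) {
    dnscmd $s /Config /EnableGlobalNamesSupport 1
}

# 5. Test from any domain member. The client sends its usual query
#    (single label plus primary suffix); when that name is not found the
#    server checks the GlobalNames zone and answers with the CNAME target.
nslookup intranet
dnscmd $dc /ZonePrint $zone
```

Because the zone is forest-wide and static, treat additions to it like changes to a shared naming authority: a wrong CNAME here redirects every client in the forest, which is also why leaving dynamic updates disabled matters.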