Module 10 Configure Domain Name System (DNS)
Module Overview
• Review of DNS Concepts, Components, and Processes
• Install and Configure DNS in an AD DS Domain
• AD DS, DNS, and Windows
• Advanced DNS Configuration and Administration
Lesson 1: Review of DNS Concepts, Components, and Processes
• Why DNS?
• The DNS Hierarchy
• Zones
• Resource Records (RRs)
• Resource Record Management
• Zone Replication
• Subdomains
• Placing DNS Servers and Zones
• DNS Client (Resolver)
• Query to DNS Server
• DNS Server Resolution
• Recursion
Why DNS?
• Computers connect using IP addresses
• Humans prefer names
• DNS resolves names to IP addresses
• Figure: the client asks the DNS server "technet.microsoft.com?" and receives 207.46.16.252
The DNS Hierarchy
Zones
• A database stored on a DNS server
• Supports resolution for a portion of the DNS namespace starting with a domain: contoso.com
• A server hosting a zone for a domain is authoritative for that domain
Resource Records (RRs)
• Host or Address (A or AAAA): name-to-IPv4/IPv6 address
  • Name: hqdc01; Data: 10.0.0.11
• Alias or Canonical Name (CNAME): alias-to-name
  • Name: ftp; Data: internetserver.contoso.com
• Mail Exchange (MX): points to the e-mail server
  • Data: exchange.contoso.com
• Name service (NS): points to a name server
  • Name: contoso.com; Data: nameserver01.contoso.com
Resource Record Management
• Manual
• Dynamic: client registers its own records
  • Secure dynamic updates: prevents spoofing
Zone Replication
• File-based zone
  • Primary zone: writable copy of the zone hosted by one (and only one) DNS server
  • Secondary zone: read-only copy of the zone hosted by zero or more DNS servers
  • Zone transfer copies zone data from primary zone to secondary zones
    • Requires permission on source server for zone
    • Traditionally the entire zone (can be quite large) is copied
• Active Directory-integrated zone
  • Zone is hosted on domain controllers
  • Multimaster replication: important in dynamic update environments
  • Data replicated using efficient Active Directory replication topology and processes
  • Incremental updates
Subdomains
• A zone supports resolution for a portion of the DNS namespace, starting with a domain: contoso.com
• Figure: query for "europe.contoso.com?"
• Subdomain: records to support resolution for the subdomain
• Delegation: NS records that point to name server(s) for subdomain
  • List of name server(s) is static and updated manually
• Stub zone: NS records that point to name server(s) for subdomain
  • List of name servers is updated automatically
  • Requires TCP port 53 to be open between the host (parent) DNS server and all name servers in the stub domain
Placing DNS Servers and Zones
• Accessibility of DNS servers to clients
• Administration, replication, and efficiency of resolution
DNS Client (Resolver)
• Client application makes request
• DNS Client service examines DNS resolver cache
  • Pre-loaded with HOSTS file at service start or HOSTS file change
  • Caches query responses (including negative answers!)
  • ipconfig /flushdns
• nslookup.exe queries the DNS server without checking the DNS resolver cache
• Figure: DNS Client Service, DNS Resolver Cache, HOSTS file; query "technet.microsoft.com?"
Query to DNS Server
• DNS Client queries primary DNS server
• Requests recursive or iterative query
  • Recursive: DNS server continues performing query for client and returns a definitive answer
  • Iterative: DNS server returns only what it knows (best guess) and client continues query
• Queries secondary DNS server only if primary server doesn't respond
  • If primary server returns negative answer, secondary server is not queried as a second opinion
  • Ensure that each DNS server is able to resolve all client queries
DNS Server Resolution
• DNS server checks its local zones
  • Resolution returned as an authoritative response
• DNS server checks its cache
  • Resolution returned as a positive response
• If no resolution found
  • Iterative query: DNS server returns best guess
  • Recursive query: DNS server performs query
• Figure: clients, DNS Client Service, DNS Server, DNS Server Cache; query "technet.microsoft.com?"
Recursion
• Iterative query to root DNS servers
  • Root DNS servers configured in the DNS server's root hints
• Root DNS server returns referral to .com name servers
• Iterative query to .com server
• .com returns referral to microsoft.com name servers
• Iterative query to microsoft.com server
• Cache response
• Return to client as positive answer
• Figure: query "technet.microsoft.com?"
Lesson 2: Install and Configure DNS in an AD DS Domain
• Install and Manage the DNS Server Role
• Create a Zone
• Create a Zone: Dynamic Update
• Create Resource Records
• Configure Redundant DNS Servers
• Configure Forwarders
• Client Configuration
Install and Manage the DNS Server Role
• Methods
  • Server Manager → Roles → Add Role
  • Active Directory Domain Services Installation Wizard
• DNS Manager snap-in
  • Server Manager
  • DNS Manager console (dnsmgmt.msc)
• dnscmd.exe
Create a Zone
• Right-click Forward Lookup Zones
• Select zone type
• Specify replication (Active Directory-integrated zones only)
  • All DNS servers in forest
  • All DNS servers in domain
  • All domain controllers in domain (for compatibility with Windows® 2000 DCs)
• Enter zone name (DNS domain name)
• Manage updates
Create a Zone: Dynamic Update
Create Resource Records
• Right-click the zone
• Dialog box appears specific to the record type you choose
Configure Redundant DNS Servers
• Active Directory-integrated zone: add DNS server to another DC
• Standard primary zone
  • Add NS records for secondary servers
  • Master server: the server from which the zone will be copied (need not be the primary server)
  • Allow zone transfers
  • Secondary server: create a new forward lookup zone, choose a secondary zone, configure the master server
Configure Forwarders
• Right-click DNS server → Properties → Forwarders
• For all names not in your domain, resolve using your Internet service provider's (ISP's) DNS servers
• If forwarders are not available, use root servers based on root hints
Client Configuration
• IP configuration of client
  netsh interface ipv4 set dns "Local Area Connection" static 10.0.0.11 primary
  netsh interface ipv4 add dns "Local Area Connection" 10.0.0.12
• Dynamic Host Configuration Protocol (DHCP) scope option 6
Lab A: Install the DNS Service
• Exercise 1: Add the DNS Server Role
• Exercise 2: Configure Forward Lookup Zones and Resource Records
• Logon information
• Estimated time: 30 minutes
Lab Scenario
You are an administrator of Contoso, Ltd. You recently added a second domain controller to your enterprise, and you want to add redundancy to the DNS server hosting the domain's zone. Currently, the only DNS server for the contoso.com zone is HQDC01. You need to ensure that clients that resolve against the new DNS server, HQDC02, are able to access Internet Web sites. Additionally, you have been asked to configure a subdomain to support name resolution required for the testing of an application by the development team.
Lab Review
• If you did not configure forwarders on HQDC02, what would be the result for clients who use HQDC02 as their primary DNS server?
• What would happen to clients' ability to resolve names in the development.contoso.com domain if you had chosen a stand-alone DNS zone, rather than an Active Directory-integrated zone? Why would this happen? What would you have to do to solve this problem?
Lesson 3: AD DS, DNS, and Windows
• AD DS, DNS, and Windows
• Integrate AD DS and the DNS Namespace
• Split-Brain DNS
• Create a Delegation for an Active Directory Domain
• Active Directory-Integrated Zones
• Application Partitions for DNS Zones
• DNS Application Partitions
• Dynamic Updates
• Background Zone Loading
• Service Locator (SRV) Records
• Demonstration: SRV Resource Records Registered by AD DS Domain Controllers
• Domain Controller Location
• Read-Only DNS Zones
AD DS, DNS, and Windows
• An AD DS domain has a DNS domain name
• DNS zones can be stored in the Active Directory database
• Active Directory can replicate DNS zones to specific domain controllers
• Windows clients can update their own DNS records
• Active Directory can load large Active Directory-integrated zones in the background
• DCs register service locator records in DNS
  • Clients use these records to locate DCs
• Read-Only Domain Controllers (RODCs) can support DNS even in a dynamic update zone
Integrate AD DS and the DNS Namespace
• An Active Directory domain must have a DNS name
• Active Directory domain name vs. external DNS namespace (external namespace contoso.com in each case):
  • Active Directory uses same domain name: contoso.com
  • Active Directory uses subdomain of public domain: ad.contoso.com
  • Active Directory uses separate domain name: contoso.net
Split-Brain DNS
• The zone that supports AD DS
  • Secured from Internet exposure
  • Dynamic
  • Fully populated with AD DS client, server, and service records
• The zone that supports the external namespace
  • Secure
  • Static
  • Populated with the records related to external resources
• Some (manually maintained) duplication of records, such as www.contoso.com
Create a Delegation for an Active Directory Domain
• Necessary if child domain zone hosted on different DNS servers
• Create the delegation in the parent DNS domain (zone)
  • Right-click zone → New Delegation
  • Refer to the server that is/will be the child domain DNS server
• Configure DNS client on child domain server
  • Primary DNS server should be the parent DNS server
• Install the DNS role and zone
  • Server Manager: add role, then create primary zone
  • or DCPromo can install DNS while promoting to a DC
• Optional but typical configuration
  • Reconfigure child DNS client to refer to itself as primary DNS server
  • Add parent DNS server as a forwarder on the child server
  • Configure new zone to be Active Directory-integrated and secure dynamic update
Active Directory-Integrated Zones
• DNS zone data is stored in AD DS
• Allows multimaster writes to zone
• Replicates DNS zone information using AD DS replication
  • Leverages efficient replication topology
  • Uses efficient Active Directory replication processes: incremental updates
• Enables secure dynamic updates
• Security: can delegate zones, domains, RRs
Application Partitions for DNS Zones
• Store DNS zones in one of the default application partitions
  • Replication scope is the difference
  • Or create a custom partition and define its scope
• Figure: partitions (Domain, Config, Schema, DomainDNSZones, ForestDNSZones, Custom Partition) and the replication scope of each
  • Domain partition: to all domain controllers in the AD DS domain (as in Windows 2000)
  • DomainDNSZones: to all domain controllers that are DNS servers in the AD DS domain
  • ForestDNSZones: to all domain controllers that are DNS servers in the AD DS forest
  • Custom partition: to all domain controllers in the replication scope for the application partition
DNS Application Partitions
• Create an application partition: dnscmd ServerName /CreateDirectoryPartition FQDN
• Change zone replication scope: Properties of zone → General → Change replication
Dynamic Updates
• Figure: client, DNS server and its resource records, with steps 1-7
  1. Client sends Start of Authority (SOA) query
  2. DNS server returns SOA RR
  3. Client sends dynamic update request(s) to identify the primary DNS server
  4. DNS server responds that it can perform update
  5. Client sends unsecured update to DNS server
  6. If zone permits only secure updates, update is refused
  7. Client sends secured update to DNS server
• DHCP Client service registers records for client
  • During client startup
  • If new/changed IP address (fixed/DHCP) on any network connection
  • If ipconfig /registerdns is run
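The update flow above as a small Python model, added here rather than taken from the course, which also shows what "secure dynamic updates: prevents spoofing" means in practice: a record can only be changed by the principal that created it. The policy names, the REFUSED/NOERROR strings and the ownership rule are a simplified stand-in for the Windows behaviour, and the names and addresses are constructed.

```python
"""Model of a zone's dynamic-update policy and the client flow on the Dynamic Updates slide:
SOA query to find the primary, unsecured update first, secured update if that is refused.
Added example; the policy names, the 'REFUSED'/'NOERROR' strings and the ownership rule are
a simplified stand-in for the Windows behaviour, and all names and addresses are constructed."""

from dataclasses import dataclass, field

NONE, NONSECURE_AND_SECURE, SECURE_ONLY = "none", "nonsecure and secure", "secure only"


@dataclass
class Zone:
    name: str
    primary: str                   # SOA MNAME: the server that accepts updates
    policy: str = SECURE_ONLY
    # fqdn -> (address, owning principal); owner is None for unsecured/manual records
    records: dict = field(default_factory=dict)

    def soa_query(self):
        """Steps 1-2: the client learns which server is primary from the SOA."""
        return self.primary

    def update(self, fqdn, address, principal=None):
        """Apply one update; principal is None for an unsecured update.

        Secure dynamic update prevents spoofing because a record created by one
        authenticated principal cannot be overwritten by a different principal."""
        if self.policy == NONE:
            return "REFUSED"
        if principal is None:
            if self.policy == SECURE_ONLY:
                return "REFUSED"                      # step 6 on the slide
            self.records[fqdn] = (address, None)      # mixed zone: anyone can write (the risk)
            return "NOERROR"
        current = self.records.get(fqdn)
        if current is not None and current[1] not in (None, principal):
            return "REFUSED"                          # record is owned by another principal
        self.records[fqdn] = (address, principal)
        return "NOERROR"


def register(zone, fqdn, address, principal):
    """Client flow: SOA query, unsecured update, then secured update if refused.

    principal is the client's authenticated identity (e.g. its computer account);
    pass None for a client that cannot authenticate."""
    trace = [f"SOA -> {zone.soa_query()}"]
    rc = zone.update(fqdn, address, principal=None)
    trace.append(f"unsecured update -> {rc}")
    if rc == "REFUSED" and principal is not None:
        rc = zone.update(fqdn, address, principal=principal)
        trace.append(f"secured update as {principal} -> {rc}")
    return rc, trace


if __name__ == "__main__":
    zone = Zone("contoso.com.", "hqdc01.contoso.com.")       # secure only
    print(register(zone, "client1.contoso.com.", "10.0.0.50", "CONTOSO\\CLIENT1$"))
    print(register(zone, "client1.contoso.com.", "10.0.0.66", "CONTOSO\\OTHERHOST$"))
```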
Background Zone Loading
When a domain controller with Active Directory-integrated DNS zones starts, it:
• Enumerates all zones to be loaded
• Loads root hints from files or AD DS servers
• Loads all zones that are stored in files rather than in AD DS
• Begins responding to queries and remote procedure calls (RPCs)
• Starts one or more threads to load the zones that are stored in AD DS
Service Locator (SRV) Records
• SRV resource records allow DNS clients to locate TCP/IP-based services.
• SRV resource records are used when:
  • A domain controller needs to locate replication partners
  • A client computer authenticates to AD DS
  • A user changes his or her password
  • A Microsoft Exchange server performs a directory lookup
  • An admin opens Active Directory Users and Computers
• SRV record syntax: _service._protocol.name TTL class type priority weight port target
• Example of an SRV record: _ldap._tcp.contoso.com 600 IN SRV 0 100 389 hqdc01.contoso.com
Demonstration: SRV Resource Records Registered by AD DS Domain Controllers
In this demonstration, we will:
• Look at the service locator (SRV) records registered in
  • _tcp.contoso.com: all DCs in the domain
  • _tcp.siteName._sites.contoso.com: all DCs in site siteName
• Simulate a client's query to DNS for domain controllers
• Learn how to register SRV records dynamically or statically
• View %systemroot%\system32\config\netlogon.dns
Domain Controller Location
• Figure: a client in the NYC site, its local DNS server, MIA-DC1 in the Miami site and NYC-DC1 in the NYC site
  1. Client queries DNS for DC
  2. DNS responds with multiple records
  3. Client contacts MIA-DC1 by using LDAP
  4. MIA-DC1 returns site info: NYC
  5. Client queries DNS for DC in NYC site
  6. DNS responds with DC in NYC site
Domain Controller Location
• New client queries for all DCs in the domain
  • Retrieves SRVs from _tcp.domain
  • Attempts LDAP bind to all
• First DC to respond
  • Examines client IP and subnet definitions
  • Refers client to a site
• Client stores site in registry
• Client queries for all DCs in the site
  • Retrieves SRVs from _tcp.site._sites.domain
  • Attempts LDAP bind to all
• First DC to respond authenticates client
• Client forms affinity
• Subsequently
  • Client binds to affinity DC
  • DC offline? Client queries for DCs in registry-stored site
  • Client moved to another site? DC refers client to another site
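The SRV syntax from the Service Locator slide and the location flow above, as an added Python example (not course code): it parses SRV lines, picks a target by priority and weight, and walks _tcp.<domain> first and then _tcp.<site>._sites.<domain> once the first DC has mapped the client's IP to a site. The zone lines, the Miami/NYC site names and the subnet-to-site table are constructed.

```python
"""SRV record parsing in the syntax from the SRV slide, RFC 2782-style target selection
(lowest priority, weighted random among equals), and the domain-controller location flow
from the Domain Controller Location slides. Added example; the zone lines, site names and
subnet-to-site table are constructed."""

import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line):
    """Parse '_service._proto.name TTL IN SRV priority weight port target'."""
    fields = line.split()
    if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    name, ttl, _cls, _type, prio, weight, port, target = fields
    return Srv(name.lower().rstrip("."), int(ttl), int(prio), int(weight),
               int(port), target.lower().rstrip("."))


def select_target(records, rng=random):
    """Lowest priority wins; among equal priorities, choose in proportion to weight."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randint(0, total - 1)
    running = 0
    for r in candidates:
        running += r.weight
        if pick < running:
            return r


# Constructed zone: two DCs in two sites, as in the Miami/NYC figure.
ZONE = [parse_srv(line) for line in [
    "_ldap._tcp.contoso.com              600 IN SRV 0 100 389 mia-dc1.contoso.com.",
    "_ldap._tcp.contoso.com              600 IN SRV 0 100 389 nyc-dc1.contoso.com.",
    "_ldap._tcp.miami._sites.contoso.com 600 IN SRV 0 100 389 mia-dc1.contoso.com.",
    "_ldap._tcp.nyc._sites.contoso.com   600 IN SRV 0 100 389 nyc-dc1.contoso.com.",
]]

# Constructed AD subnet definitions: what the first responding DC consults.
SUBNETS = {ipaddress.ip_network("10.1.0.0/16"): "miami",
           ipaddress.ip_network("10.2.0.0/16"): "nyc"}


def lookup(zone, owner):
    owner = owner.lower().rstrip(".")
    return [r for r in zone if r.name == owner]


def site_for(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return next((site for net, site in SUBNETS.items() if ip in net), None)


def locate_dc(zone, domain, client_ip, rng=random):
    """Return (chosen DC, trace). Falls back to any DC when the site has none."""
    trace = []
    any_dc = select_target(lookup(zone, f"_ldap._tcp.{domain}"), rng)
    if any_dc is None:
        return None, ["no SRV records: no DC can be located"]
    trace.append(f"_tcp.{domain} -> {any_dc.target}")
    site = site_for(client_ip)          # the DC does this from the LDAP bind's source IP
    trace.append(f"{any_dc.target} refers client to site {site}")
    site_dc = None
    if site is not None:
        site_dc = select_target(lookup(zone, f"_ldap._tcp.{site}._sites.{domain}"), rng)
    if site_dc is None:
        trace.append("no site-specific DC; staying with the first responder")
        return any_dc.target, trace
    trace.append(f"_tcp.{site}._sites.{domain} -> {site_dc.target}")
    return site_dc.target, trace


if __name__ == "__main__":
    print(locate_dc(ZONE, "contoso.com", "10.2.5.7"))
```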
Read-Only DNS Zones
• DNS server on an RODC with Active Directory-integrated zones
• RODC can resolve client queries
• Changes not allowed on the read-only DNS zone
  • Records cannot be added manually
  • Dynamic updates cannot be made
• Dynamic updates are referred to writeable DC
  • Client attempts update
  • RODC returns an SOA of a writeable Windows Server 2008 domain controller
  • RODC performs replicate single object (RSO): replicates the updated DNS record for the client it referred, from the DC it referred the client to
Lesson 4: Advanced DNS Configuration and Administration
• Resolving Single-Label Names
• Resolve Names Outside Your Domain
• Reverse Lookup Zone
• DNS Server and Zone Maintenance
• Test and Troubleshoot DNS Server
• Test and Troubleshoot DNS Client
Resolving Single-Label Names
• Client-side resolution process
  • Query DNS with fully qualified domain name (FQDN) created by adding DNS suffix of client: ad.contoso.com
  • Domain name devolution: ad.contoso.com, then contoso.com
  • or DNS suffix search order
  • Manage with Group Policy
  • WINS (12 seconds = timeout!)
• Server-side resolution
  • GlobalNames Zone: specialized zone with single-label CNAME RRs
  • WINS forward lookup: if zone lookup fails, DNS queries WINS
• Figure: http://legalapp
Resolve Names Outside Your Domain
• Secondary zone
  • Create a copy of a zone from another DNS server
  • Requires permissions from the master DNS server
• Forwarders: send unresolved query as recursive query to other DNS server(s)
• Root hints
  • Begin iterative queries against root (.) name servers
  • DNS server has list of root servers updated with Windows Update
• Conditional forwarders: send unresolved query for specific domain to other server(s)
• Stub zone
  • Can be for any domain; dynamically updates NS records
  • Requires TCP port 53 to be open to all name servers in the domain
Reverse Lookup Zone
• Query for IP address, response with host name
• IP address is reversed (specific-to-generic) and appended with in-addr.arpa domain
  • IP address: 10.0.1.34
  • Query: 34.1.0.10.in-addr.arpa
• Special domain to support this: in-addr.arpa
• Pointer (PTR) record with name (IP octet) and data (hostname)
  • Fixed IP client registers its PTR
  • DHCP server registers PTR for client
• Not required, but recommended
  • Services/applications use reverse lookup as a security check: who is this request coming from?
• Figure: the client asks the DNS server "34.1.0.10.in-addr.arpa" and receives file34.contoso.com
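The reverse-name construction and the "who is this request coming from?" check as an added Python example (not from the course). It goes beyond the slide in two ways: it also handles IPv6 under ip6.arpa, and it treats the PTR as trustworthy only when the returned name resolves back to the address (forward-confirmed reverse DNS); both zones are constructed in memory.

```python
"""Reverse-lookup names and the 'who is this request coming from?' check from the Reverse
Lookup Zone slide, written as forward-confirmed reverse DNS: look up the PTR, then require
that the A record of the returned name points back to the address. Added example; both
zones below are constructed in memory."""

import ipaddress


def reverse_name(address):
    """10.0.1.34 -> 34.1.0.10.in-addr.arpa; IPv6 uses one nibble per label under ip6.arpa."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_zone_and_name(address, prefix_len=24):
    """Which reverse zone holds the PTR for an IPv4 address, and the record's name in it.

    prefix_len must be 8, 16 or 24 (octet-aligned reverse zones, as DNS Manager creates)."""
    if prefix_len % 8 or not 0 < prefix_len <= 24:
        raise ValueError("prefix length must be 8, 16 or 24")
    octets = str(ipaddress.IPv4Address(address)).split(".")
    n = prefix_len // 8
    zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa"
    return zone, ".".join(reversed(octets[n:]))


# Constructed zone data: one PTR that is consistent, one whose A record has moved on.
REVERSE_ZONE = {
    "34.1.0.10.in-addr.arpa": "file34.contoso.com",
    "35.1.0.10.in-addr.arpa": "stale.contoso.com",
}
FORWARD_ZONE = {
    "file34.contoso.com": {"10.0.1.34"},
    "stale.contoso.com": {"10.0.1.99"},
}


def ptr_lookup(address):
    return REVERSE_ZONE.get(reverse_name(address))


def forward_confirmed(address):
    """Return (hostname, confirmed).

    A PTR alone is controlled by whoever runs the reverse zone for that address block, so
    a service that uses reverse lookup as a check should only trust a name that resolves
    back to the address it is checking."""
    host = ptr_lookup(address)
    if host is None:
        return None, False
    return host, address in FORWARD_ZONE.get(host, set())


if __name__ == "__main__":
    print(reverse_name("10.0.1.34"), ptr_zone_and_name("10.0.1.34"))
    print(forward_confirmed("10.0.1.34"), forward_confirmed("10.0.1.35"))
```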
DNS Server and Zone Maintenance
• Scavenge stale resource records
  • Important in dynamic environments, particularly for SRV RRs
  • Server aging and scavenging properties: defaults for Active Directory-integrated zones
  • Zone aging and scavenging properties
    • Active Directory-integrated zone inherits server property or per-zone
    • Primary zone ignores server property; must set per-zone
  • Scavenging
    • Configure automatic scavenging: Server properties → Advanced
    • Manually launch scavenging: right-click server
• Manage the cache
  • View the cache: View menu → Advanced Features
  • Clear server cache: right-click server or Cached Lookups node
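An added Python model of aging and scavenging (not course code) that shows why a stale record survives longer than the refresh setting alone suggests: a refresh inside the no-refresh interval is ignored, a later refresh resets the timestamp, and the record is removed only once no-refresh plus refresh has elapsed since that timestamp. The interval model and the 7-day values are this example's assumptions (the 7-day values match the Windows defaults); the record data and reference time are constructed.

```python
"""Aging and scavenging model for the DNS Server and Zone Maintenance slide. A dynamically
registered record carries a timestamp; a refresh (same data) inside the no-refresh interval
does not touch it, a refresh after that resets it, and the record is scavenged only once
timestamp + no-refresh + refresh has passed. Statically created records have no timestamp and
are never scavenged. Added example; the 7-day values are this model's assumptions (they match
the Windows defaults) and the record data is constructed."""

from datetime import datetime, timedelta

DAY = timedelta(days=1)
T0 = datetime(2024, 1, 1)          # constructed reference time for the sample below


def days(n):
    """Constructed helper: a point in time n days after T0."""
    return T0 + n * DAY


class AgingZone:
    def __init__(self, no_refresh=7 * DAY, refresh=7 * DAY):
        self.no_refresh = no_refresh
        self.refresh = refresh
        self.records = {}          # fqdn -> (data, timestamp); timestamp None = static record

    def add_static(self, fqdn, data):
        """Manually created record: no timestamp, so scavenging never removes it."""
        self.records[fqdn] = (data, None)

    def update(self, fqdn, data, now):
        """Dynamic registration from a client. Returns True if the timestamp was written.

        A new or changed address is always written with the current time. An unchanged
        address (a refresh) is written only once the no-refresh interval has elapsed,
        which is what keeps routine refreshes out of AD replication."""
        current = self.records.get(fqdn)
        if current is None:
            self.records[fqdn] = (data, now)
            return True
        old_data, stamp = current
        if stamp is None:                       # static record stays static (model choice)
            self.records[fqdn] = (data, None)
            return False
        if old_data != data or now >= stamp + self.no_refresh:
            self.records[fqdn] = (data, now)
            return True
        return False

    def is_stale(self, fqdn, now):
        """Eligible for scavenging once no-refresh + refresh has passed since the timestamp."""
        stamp = self.records[fqdn][1]
        return stamp is not None and now >= stamp + self.no_refresh + self.refresh

    def scavenge(self, now):
        """What a scheduled or manual scavenging run does; returns the names removed."""
        removed = sorted(n for n in self.records if self.is_stale(n, now))
        for n in removed:
            del self.records[n]
        return removed


if __name__ == "__main__":
    zone = AgingZone()
    zone.update("laptop1.contoso.com", "10.0.0.50", days(0))
    print(zone.update("laptop1.contoso.com", "10.0.0.50", days(3)))   # False: suppressed
    print(zone.scavenge(days(14)))                                    # removed after 7 + 7 days
```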
Test and Troubleshoot DNS Server
• Event logs: visible in DNS Manager, Server Manager, and Event Viewer
• Debug logging: Server Properties dialog box
• Recursive and iterative query tests: Server Properties dialog box
• dcdiag.exe /test:DNS: performs a wide variety of tests to ensure that AD DS and DNS are working well together
• Network Monitor (packet capture)
Test and Troubleshoot DNS Client
• ipconfig /all
• NSLookup
  • set server=IP address [default: primary DNS server]
  • set type=record type [default: A]
  • record
• ipconfig /displaydns: display client DNS resolver cache
• ipconfig /flushdns: purge client DNS resolver cache
• ipconfig /registerdns: register client DNS records
Lab B: Advanced Configuration of DNS
• Exercise 1: Enable Scavenging of DNS Zones
• Exercise 2: Create Reverse Lookup Zones
• Exercise 3: Explore Domain Controller Location
• Exercise 4: Configure Name Resolution for External Domains
• Logon information
• Estimated time: 60 minutes
Lab Scenario You are the DNS administrator at Contoso, Ltd. You want to improve the health and efficiency of your DNS infrastructure by enabling scavenging and by creating a reverse lookup zone for the domain. You also want to examine the records that enable clients to locate domain controllers. Finally, you are asked to configure name resolution between contoso.com and the domain of a partner company, tailspintoys.com.
Lab Review In this lab, you used a stub zone and a conditional forwarder to provide name resolution between two distinct domains. What other options might you have chosen to use?
Ad

Recommended

Wintel
Wintel
Anandharaj007
02 configuring and-troubleshooting-dns
02 configuring and-troubleshooting-dns
apshirame
Pmw2 k3ni 1-2b
Pmw2 k3ni 1-2b
hariclant1
Dns
Dns
deshvikas
70 640
70 640
alokfit
Windows server os chapter 12 13
Windows server os chapter 12 13
Nikolai Barachev
Chapter 4 configuring and managing the dns server role
Chapter 4 configuring and managing the dns server role
Luis Garay
DNS - Domain Name System
DNS - Domain Name System
Peter R. Egli
Domain name system
Domain name system
mahakant sharma
Network and System Administration chapter 2
Network and System Administration chapter 2
IgguuMuude
Domain Name System ppt
Domain Name System ppt
OECLIB Odisha Electronics Control Library
Introduction to DNS
Introduction to DNS
Jonathan Oxer
Pmw2 k3ni 1-3a
Pmw2 k3ni 1-3a
hariclant1
Chapter4 configuringandmanagingthednsserverrole-140520003253-phpapp01
Chapter4 configuringandmanagingthednsserverrole-140520003253-phpapp01
velimamedov
How to configure dns server(2)
How to configure dns server(2)
Amandeep Kaur
Chapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.ppt
webhostingguy
Domain name system
Domain name system
Diwaker Pant
Domain name system
Domain name system
Siddharth Chandel
25 DNS
25 DNS
Ahmar Hashmi
Windows server 2008 step by-step guide for dns in small networks
Windows server 2008 step by-step guide for dns in small networks
Ochiroo Dorj
13 dns
13 dns
Issam Jamal
Linux basics andng hosti
Linux basics andng hosti
Patruni Chidananda Sastry
DDNS
DDNS
praneetha523
Domain name system
Domain name system
Vivek Gautam
Dns ppt
Dns ppt
Bizuworkk Jemaneh
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC caching
APNIC
Domain Name Server
Domain Name Server
vipulvaid
Linux and DNS Server
Linux and DNS Server
Prabhakar Thota
07 Implementing DNS Cyber security Baze University .pptx
07 Implementing DNS Cyber security Baze University .pptx
HassanAhmadAbubakar1
Microsoft Offical Course 20410C_07
Microsoft Offical Course 20410C_07
gameaxt

More Related Content

What's hot (20)

Domain name system
Domain name system
mahakant sharma
Network and System Administration chapter 2
Network and System Administration chapter 2
IgguuMuude
Domain Name System ppt
Domain Name System ppt
OECLIB Odisha Electronics Control Library
Introduction to DNS
Introduction to DNS
Jonathan Oxer
Pmw2 k3ni 1-3a
Pmw2 k3ni 1-3a
hariclant1
Chapter4 configuringandmanagingthednsserverrole-140520003253-phpapp01
Chapter4 configuringandmanagingthednsserverrole-140520003253-phpapp01
velimamedov
How to configure dns server(2)
How to configure dns server(2)
Amandeep Kaur
Chapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.ppt
webhostingguy
Domain name system
Domain name system
Diwaker Pant
Domain name system
Domain name system
Siddharth Chandel
25 DNS
25 DNS
Ahmar Hashmi
Windows server 2008 step by-step guide for dns in small networks
Windows server 2008 step by-step guide for dns in small networks
Ochiroo Dorj
13 dns
13 dns
Issam Jamal
Linux basics andng hosti
Linux basics andng hosti
Patruni Chidananda Sastry
DDNS
DDNS
praneetha523
Domain name system
Domain name system
Vivek Gautam
Dns ppt
Dns ppt
Bizuworkk Jemaneh
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC caching
APNIC
Domain Name Server
Domain Name Server
vipulvaid
Linux and DNS Server
Linux and DNS Server
Prabhakar Thota
Network and System Administration chapter 2
Network and System Administration chapter 2
IgguuMuude
Introduction to DNS
Introduction to DNS
Jonathan Oxer
Pmw2 k3ni 1-3a
Pmw2 k3ni 1-3a
hariclant1
Chapter4 configuringandmanagingthednsserverrole-140520003253-phpapp01
Chapter4 configuringandmanagingthednsserverrole-140520003253-phpapp01
velimamedov
How to configure dns server(2)
How to configure dns server(2)
Amandeep Kaur
Chapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.ppt
webhostingguy
Domain name system
Domain name system
Diwaker Pant
Windows server 2008 step by-step guide for dns in small networks
Windows server 2008 step by-step guide for dns in small networks
Ochiroo Dorj
Domain name system
Domain name system
Vivek Gautam
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC caching
APNIC
Domain Name Server
Domain Name Server
vipulvaid

Similar to 6425 b 10 (20)

07 Implementing DNS Cyber security Baze University .pptx
07 Implementing DNS Cyber security Baze University .pptx
HassanAhmadAbubakar1
Microsoft Offical Course 20410C_07
Microsoft Offical Course 20410C_07
gameaxt
Implementing Domain Name
Implementing Domain Name
Napoleon NV
6421 b Module-03
6421 b Module-03
Bibekananada Jena
DNS & SITES-SERVICES OF Active Directory.pptx
DNS & SITES-SERVICES OF Active Directory.pptx
Dorcask3
Zone in windows server 2012
Zone in windows server 2012
devil00dante
Dns Configuration
Dns Configuration
Lohit Ahuja
7 understanding DNS
7 understanding DNS
Hameda Hurmat
Configuring Dns
Configuring Dns
Lohit Ahuja
vpn-radius-5.ppt
vpn-radius-5.ppt
ssuser472c4f
Dns server
Dns server
Muuluu
Session 4 Tp 4
Session 4 Tp 4
githe26200
Dns
Dns
julien pauli
Dns On Windows 2000 Second Matt Larson Cricket Liu
Dns On Windows 2000 Second Matt Larson Cricket Liu
noukuikakoro
Domain Name Service
Domain Name Service
webhostingguy
Dns interview
Dns interview
siddu balaganur
DNS Configuration
DNS Configuration
Vinod Gour
Dns
Dns
tmavroidis
DNS.docx
DNS.docx
gatetesam
Alternative Dns Servers Choice And Deployment And Optional Sql Ldap Backends ...
Alternative Dns Servers Choice And Deployment And Optional Sql Ldap Backends ...
zemedaryely
07 Implementing DNS Cyber security Baze University .pptx
07 Implementing DNS Cyber security Baze University .pptx
HassanAhmadAbubakar1
Microsoft Offical Course 20410C_07
Microsoft Offical Course 20410C_07
gameaxt
Implementing Domain Name
Implementing Domain Name
Napoleon NV
DNS & SITES-SERVICES OF Active Directory.pptx
DNS & SITES-SERVICES OF Active Directory.pptx
Dorcask3
Zone in windows server 2012
Zone in windows server 2012
devil00dante
Dns Configuration
Dns Configuration
Lohit Ahuja
7 understanding DNS
7 understanding DNS
Hameda Hurmat
Configuring Dns
Configuring Dns
Lohit Ahuja
vpn-radius-5.ppt
vpn-radius-5.ppt
ssuser472c4f
Dns server
Dns server
Muuluu
Session 4 Tp 4
Session 4 Tp 4
githe26200
Dns On Windows 2000 Second Matt Larson Cricket Liu
Dns On Windows 2000 Second Matt Larson Cricket Liu
noukuikakoro
Domain Name Service
Domain Name Service
webhostingguy
DNS Configuration
DNS Configuration
Vinod Gour
Alternative Dns Servers Choice And Deployment And Optional Sql Ldap Backends ...
Alternative Dns Servers Choice And Deployment And Optional Sql Ldap Backends ...
zemedaryely
Ad

6425 b 10

  • 1. Module 10 Configure Domain Name System (DNS)
  • 2. Notes Page Over-flow 際際滷. Do Not Print 際際滷. See Notes pane.
  • 3. Module Overview Review of DNS Concepts, Components, and Processes Install and Configure DNS in an AD DS Domain AD DS, DNS, and Windows Advanced DNS Configuration and Administration
  • 4. Lesson 1: Review of DNS Concepts, Components, and Processes Why DNS? The DNS Hierarchy Zones Resource Records (RRs) Resource Record Management Zone Replication Subdomains Placing DNS Servers and Zones DNS Client (Resolver) Query to DNS Server DNS Server Resolution Recursion
  • 5. Why DNS? Computers connect using IP addresses Humans prefer names DNS resolves names to IP addresses DNS Server Client 207.46.16.252 technet.microsoft.com technet.microsoft.com? 207.46.16.252
  • 7. Zones A database stored on a DNS server Supports resolution for a portion of the DNS namespace starting with a domain: contoso.com A server hosting a zone for a domain is authoritative for that domain DNS Server
  • 8. Resource Records (RRs) Host or Address (A or AAAA) : name-to-IPv4/IPv6 address Name: hqdc01 Data: 10.0.0.11 Alias or Canonical Name (CNAME) : alias-to-name Name: ftp Data: internetserver.contoso.com Mail Exchange (MX): points to the e-mail server Data: exchange.contoso.com Name service (NS): points to a name server Name: contoso.com Data: nameserver01.contoso.com
  • 9. Resource Record Management Manual Dynamic Client registers its own records Secure dynamic updates: prevents spoofing
  • 10. Zone Replication File-based zone Primary zone: writable copy of the zone hosted by one (and only one) DNS server Secondary zone: read-only copy of the zone hosted by zero or more DNS servers Zone transfer copies zone data from primary zone to secondary zones Requires permission on source server for zone Traditionally the entire zone (can be quite large) is copied Active Directory integrated zone Zone is hosted on domain controllers Multimaster replication: important in dynamic update environments Data replicated using efficient Active Directory replication topology and processes Incremental updates
  • 11. Subdomains A zone supports resolution for a portion of the DNS namespace, starting with a domain: contoso.com europe.contoso.com? Subdomain Records to support resolution for the subdomain Delegation NS records that point to name server(s) for subdomain List of name server(s) is static and updated manually Stub zone NS records that point to name server(s) for subdomain List of name servers is updated automatically Requires TCP port 53 to be open between the host (parent) DNS server and all name servers in the stub domain
  • 12. Placing DNS Servers and Zones Accessibility of DNS servers to clients Administration, replication, and efficiency of resolution
  • 13. DNS Client (Resolver) Client application makes request DNS Client service examines DNS resolver cache Pre-loaded with HOSTS file at service start or HOSTS file change Caches query responses (including negative answers!) ipconfig /flushdns nslookup.exe Queries the DNS server without checking the DNS resolver cache technet.microsoft.com? DNS Resolver Cache HOSTS File DNS Client Service
  • 14. Query to DNS Server DNS Client queries primary DNS server Requests recursive or iterative query Recursive: DNS server continues performing query for client and returns a definitive answer Iterative: DNS server returns only what it knows (best guess) and client continues query Queries secondary DNS server only if primary server doesnt respond If primary server returns negative answer, secondary server not queried as second opinion Ensure that each DNS server is able to resolve all client queries DNS Client Service DNS Server
  • 15. DNS Server Resolution DNS server checks its local zones Resolution returned as an authoritative response DNS server checks its cache Resolution returned as a positive response If no resolution found Iterative query: DNS server returns best guess Recursive query: DNS server performs query DNS Server Cache DNS Client Service Clients DNS Server technet.microsoft.com?
  • 16. Recursion Iterative query to root DNS servers Root DNS servers configured in DNS servers root hints Root DNS server returns referral to .com name servers Iterative query to .com server .com returns referral to microsoft.com name servers Iterative query to microsoft.com server Cache response Return to client as positive answer technet.microsoft.com?
  • 17. Lesson 2: Install and Configure DNS in an AD DS Domain Install and Manage the DNS Server Role Create a Zone Create a Zone: Dynamic Update Create Resource Records Configure Redundant DNS Servers Configure Forwarders Client Configuration
  • 18. Install and Manage the DNS Server Role Methods Server Manager Roles Add Role Active Directory Domain Services Installation Wizard DNS Manager snap-in Server Manager DNS Manager console (dnsmgmt.msc) dnscmd.exe
  • 19. Create a Zone Right-click Forward Lookup Zones Select zone type Specify replication (Active Directory integrated zones only) All DNS servers in forest All DNS servers in domain All domain controllers in domain (for compatibility with Windows速 2000 DCs) Enter zone name (DNS domain name) Manage updates
  • 20. Create a Zone: Dynamic Update
  • 21. Create Resource Records Right-click the zone Dialog box appears specific to the record type you choose
  • 22. Configure Redundant DNS Servers Active Directoryintegrated zone Add DNS server to another DC Standard Primary Zone Add NS records for secondary servers Master server The server from which the zone will be copied Need not be the primary server Allow Zone Transfers Secondary server Create a new forward lookup zone Choose a secondary zone Configure the master server
  • 23. Configure Forwarders Right-click DNS server Properties Forwarders For all names not in your domain, resolve using your Internet service providers (ISPs) DNS servers If forwarders are not available, use root servers based on root hints
  • 24. Client Configuration IP configuration of client netsh interface ipv4 set dns "Local Area Connection" static 10.0.0.11 primary netsh interface ipv4 add dns "Local Area Connection" 10.0.0.12 Dynamic Host Configuration Protocol (DHCP) scope option 6
  • 25. Lab A: Install the DNS Service Exercise 1: Add the DNS Server Role Exercise 2: Configure Forward Lookup Zones and Resource Records Logon information Estimated time: 30 minutes
  • 26. Lab Scenario You are an administrator of Contoso, Ltd. You recently added a second domain controller to your enterprise, and you want to add redundancy to the DNS server hosting the domain's zone. Currently, the only DNS server for the contoso.com zone is HQDC01. You need to ensure that clients that resolve against the new DNS server, HQDC02, are able to access Internet Web sites. Additionally, you have been asked to configure a subdomain to support name resolution required for the testing of an application by the development team.
  • 27. Lab Review If you did not configure forwarders on HQDC02, what would be the result for clients who use HQDC02 as their primary DNS server? What would happen to clients' ability to resolve names in the development.contoso.com domain if you had chosen a stand-alone DNS zone, rather than an Active Directory integrated zone? Why would this happen? What would you have to do to solve this problem?
  • 28. Lesson 3: AD DS, DNS, and Windows AD DS, DNS, and Windows Integrate AD DS and the DNS Namespace Split-Brain DNS Create a Delegation for an Active Directory Domain Active Directory-Integrated Zones Application Partitions for DNS Zones DNS Application Partitions Dynamic Updates Background Zone Loading Service Locator (SRV) Records Demonstration: SRV Resource Records Registered by AD DS Domain Controllers Domain Controller Location Read-Only DNS Zones
• 29. AD DS, DNS, and Windows An AD DS domain has a DNS domain name DNS zones can be stored in the Active Directory database Active Directory can replicate DNS zones to specific domain controllers Windows clients can update their own DNS records Active Directory can load large Active Directory-integrated zones in the background DCs register service locator records in DNS Clients use these records to locate DCs Read-Only Domain Controllers (RODCs) can support DNS even in a dynamic update zone
• 30. Integrate AD DS and the DNS Namespace
  - An Active Directory domain must have a DNS name
  - Active Directory domain name vs. external DNS namespace (external namespace: contoso.com):
    - Active Directory uses the same domain name: contoso.com
    - Active Directory uses a subdomain of the public domain: ad.contoso.com
    - Active Directory uses a separate domain name: contoso.net
• 31. Split-Brain DNS (example: contoso.com)
  - The zone that supports AD DS: secured from Internet exposure; dynamic; fully populated with AD DS client, server, and service records
  - The zone that supports the external namespace: secure; static; populated with the records related to external resources
  - Some (manually maintained) duplication of records, such as www
• 32. Create a Delegation for an Active Directory Domain
  - Necessary if the child domain zone is hosted on different DNS servers
  - Create the delegation in the parent DNS domain (zone): right-click zone > New Delegation; refer to the server that is/will be the child domain DNS server
  - Configure the DNS client on the child domain server: primary DNS server should be the parent DNS server
  - Install the DNS role and zone: Server Manager: add role, then create primary zone; or DCPromo can install DNS while promoting to a DC
  - Optional but typical configuration: reconfigure the child DNS client to refer to itself as primary DNS server; add the parent DNS server as a forwarder on the child server; configure the new zone to be Active Directory integrated with secure dynamic update
• 33. Active Directory-Integrated Zones DNS zone data is stored in AD DS Allows multimaster writes to zone Replicates DNS zone information using AD DS replication Leverages efficient replication topology Uses efficient Active Directory replication processes: incremental updates Enables secure dynamic updates Security: Can delegate zones, domains, RRs
• 34. Application Partitions for DNS Zones
  - Store DNS zones in one of the default application partitions, or create a custom partition and define its scope; the replication scope is the difference:
    - Domain partition: to all domain controllers in the AD DS domain (as in Windows 2000)
    - DomainDnsZones: to all domain controllers that are DNS servers in the AD DS domain
    - ForestDnsZones: to all domain controllers that are DNS servers in the AD DS forest
    - Custom partition: to all domain controllers in the replication scope for the application partition
  • 35. DNS Application Partitions Create an application partition dnscmd ServerName /CreateDirectoryPartition FQDN Change zone replication scope Properties of zone General Change replication
• 36. Dynamic Updates
  1. Client sends Start of Authority (SOA) query to identify the primary DNS server
  2. DNS server returns SOA RR
  3. Client sends dynamic update request(s)
  4. DNS server responds that it can perform update
  5. Client sends unsecured update to DNS server
  6. If zone permits only secure updates, update is refused
  7. Client sends secured update to DNS server
  - DHCP Client service registers records for client: during client startup; if new/changed IP address (fixed/DHCP) on any network connection; if ipconfig /registerdns is run
  • 37. Background Zone Loading When a domain controller with Active Directory-integrated DNS zones starts, it: Enumerates all zones to be loaded Loads root hints from files or AD DS servers Loads all zones that are stored in files rather than in AD DS Begins responding to queries and remote procedure calls (RPCs) Starts one or more threads to load the zones that are stored in AD DS
• 38. Service Locator (SRV) Records
  - SRV resource records allow DNS clients to locate TCP/IP-based services.
  - SRV resource records are used when: a domain controller needs to locate replication partners; a client computer authenticates to AD DS; a user changes his or her password; a Microsoft Exchange server performs a directory lookup; an admin opens Active Directory Users and Computers
  - SRV record syntax: _service._protocol.name TTL class type priority weight port target
  - Example of an SRV record: _ldap._tcp.contoso.com 600 IN SRV 0 100 389 hqdc01.contoso.com
• 39. Demonstration: SRV Resource Records Registered by AD DS Domain Controllers In this demonstration, we will: Look at the service locator (SRV) records registered in _tcp.contoso.com: all DCs in the domain _tcp.siteName._sites.contoso.com: all DCs in site siteName Simulate a client's query to DNS for domain controllers Learn how to register SRV records dynamically or statically View %systemroot%\system32\config\netlogon.dns
• 41. Domain Controller Location (diagram: client in the NYC site, Local DNS Server, MIA-DC1 in the Miami site, NYC-DC1 in the NYC site)
  1. Client queries DNS for a DC
  2. DNS responds with multiple records
  3. Client contacts MIA-DC1 by using LDAP
  4. MIA-DC1 returns site info: NYC
  5. Client queries DNS for a DC in the NYC site
  6. DNS responds with a DC in the NYC site
• 42. Domain Controller Location
  - New client queries for all DCs in the domain: retrieves SRVs from _tcp.domain; attempts LDAP bind to all
  - First DC to respond examines the client IP and subnet definitions and refers the client to a site; client stores the site in the registry
  - Client queries for all DCs in the site: retrieves SRVs from _tcp.site._sites.domain; attempts LDAP bind to all
  - First DC to respond authenticates the client; client forms affinity
  - Subsequently: client binds to the affinity DC
    - DC offline? Client queries for DCs in the registry-stored site
    - Client moved to another site? DC refers the client to another site
• 43. Read-Only DNS Zones
  - DNS server on an RODC with Active Directory-integrated zones
  - RODC can resolve client queries
  - Changes not allowed on the read-only DNS zone: records cannot be added manually; dynamic updates cannot be made
  - Dynamic updates are referred to a writeable DC: client attempts update; RODC returns an SOA of a writeable Windows Server 2008 domain controller
  - RODC performs replicate single object (RSO): replicates the updated DNS record for the client it referred, from the DC it referred the client to
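As an added illustration of the SRV record layout on slide 38 and the locator process on slide 42 (example code written for this page, not part of the course): it parses constructed SRV lines in the netlogon.dns layout, builds the _tcp.domain and _tcp.site._sites.domain owner names, and orders the targets by priority and weight as RFC 2782 specifies. The server names are hypothetical.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")
# Constructed sample in the form of the lines a DC writes to netlogon.dns;
# the server names are hypothetical, not records from the course lab.
SAMPLE_ZONE = """
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 hqdc01.contoso.com.
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 hqdc02.contoso.com.
_ldap._tcp.contoso.com. 600 IN SRV 10 0 389 branchdc01.contoso.com.
_ldap._tcp.NYC._sites.contoso.com. 600 IN SRV 0 100 389 hqdc02.contoso.com.
"""

def srv_name(service, protocol, domain, site=""):
    """Owner name to query: _service._protocol.domain, or the per-site form."""
    middle = f"{site}._sites." if site else ""
    return f"_{service}._{protocol}.{middle}{domain}".lower()

def parse_srv(zone_text):
    """Group SRV records by owner name (lower-cased, trailing dot removed)."""
    records = {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) != 8 or f[3] != "SRV":
            continue  # skip blank lines and anything that is not an SRV record
        rec = SrvRecord(int(f[4]), int(f[5]), int(f[6]), f[7].rstrip(".").lower())
        records.setdefault(f[0].rstrip(".").lower(), []).append(rec)
    return records

def order_targets(recs, rng):
    """RFC 2782 order: lowest priority first; within a priority, weighted random, weight-0 last."""
    ordered = []
    for prio in sorted({r.priority for r in recs}):
        pool = [r for r in recs if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:              # only weight-0 records remain
                ordered.extend(pool)
                break
            pick = rng.randint(0, total - 1)
            for r in pool:
                pick -= r.weight
                if pick < 0:            # this record's weight band was hit
                    ordered.append(pool.pop(pool.index(r)))
                    break
    return ordered

def locate_dcs(zone_text, domain, site="", seed=0):
    """'target:port' strings in the order a client should attempt LDAP binds."""
    recs = parse_srv(zone_text).get(srv_name("ldap", "tcp", domain, site), [])
    return [f"{r.target}:{r.port}" for r in order_targets(recs, random.Random(seed))]
```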
  • 44. Lesson 4: Advanced DNS Configuration and Administration Resolving Single-Label Names Resolve Names Outside Your Domain Reverse Lookup Zone DNS Server and Zone Maintenance Test and Troubleshoot DNS Server Test and Troubleshoot DNS Client
• 45. Resolving Single-Label Names (example: http://legalapp)
  - Client-side resolution process: query DNS with the fully qualified domain name (FQDN) created by adding the DNS suffix of the client: ad.contoso.com
    - Domain name devolution: ad.contoso.com, then contoso.com
    - or DNS suffix search order; manage with Group Policy
    - WINS: 12 seconds = timeout!
  - Server-side resolution:
    - GlobalNames Zone: specialized zone with single-label CNAME RRs
    - WINS forward lookup: if zone lookup fails, DNS queries WINS
• 46. Resolve Names Outside Your Domain
  - Secondary zone: create a copy of a zone from another DNS server; requires permissions from the master DNS server
  - Forwarders: send unresolved query as a recursive query to other DNS server(s)
  - Root hints: begin iterative queries against the root (.) name servers; DNS server has a list of root servers updated with Windows Update
  - Conditional forwarders: send unresolved query for a specific domain to other server(s)
  - Stub zone: can be for any domain; dynamically updates NS records; requires TCP port 53 to be open to all name servers in the domain
• 47. Reverse Lookup Zone (example: client queries 34.1.0.10.in-addr.arpa, DNS server answers file34.contoso.com)
  - Query for IP address, response with host name
  - IP address is reversed (specific-to-general) and appended with the in-addr.arpa domain. IP address: 10.0.1.34; query: 34.1.0.10.in-addr.arpa
  - Special domain to support this: in-addr.arpa
  - Pointer (PTR) record with name (IP octet) and data (hostname)
  - Fixed IP client registers its PTR; DHCP server registers PTR for client
  - Not required, but recommended
  - Services/applications use reverse lookup as a security check: Who is this request coming from?
• 48. DNS Server and Zone Maintenance
  - Scavenge stale resource records: important in dynamic environments, particularly for SRV RRs
  - Server aging and scavenging properties: defaults for Active Directory-integrated zones
  - Zone aging and scavenging properties: Active Directory-integrated zone inherits the server property or is set per-zone; primary zone ignores the server property and must be set per-zone
  - Scavenging: configure automatic scavenging: Server properties > Advanced; manually launch scavenging: right-click server
  - Manage the cache: view the cache: View menu > Advanced Features; clear server cache: right-click server or Cached Lookups node
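The following is added example code for this page, not from the course, covering two of the slides above: the client-side suffix and devolution logic of slide 45 together with a GlobalNames-style server lookup, and the reverse lookup of slide 47 carried through to a forward-confirmed check. The zone data, the GlobalNames alias and the stale PTR are all constructed.

```python
import ipaddress

# Constructed sample data (hypothetical, not the course lab): authoritative
# forward zones, a GlobalNames zone of single-label CNAMEs, and a reverse zone.
ZONES = {
    "ad.contoso.com": {"hqdc01.ad.contoso.com": "A 10.0.0.11"},
    "contoso.com": {"www.contoso.com": "A 203.0.113.10", "file34.contoso.com": "A 10.0.1.34"},
}
GLOBALNAMES = {"legalapp": "legalapp.legal.contoso.net"}
REVERSE = {
    "34.1.0.10.in-addr.arpa": "file34.contoso.com",
    # Stale PTR left after a re-address: its target no longer has an A record
    # for this address, so a forward-confirmed check must reject it.
    "50.1.0.10.in-addr.arpa": "file34.contoso.com",
}

def candidate_fqdns(name, primary_suffix, search_list=None, devolve=True):
    """Client side: FQDNs tried for a single-label name. A search list replaces
    devolution; otherwise the primary suffix, then parents down to two labels."""
    if "." in name:
        return [name]                        # already qualified: no suffix logic
    if search_list:
        return [f"{name}.{s}" for s in search_list]
    labels, tried = primary_suffix.split("."), []
    for i in range(len(labels) - 1):         # never devolve to a bare TLD
        tried.append(f"{name}.{'.'.join(labels[i:])}")
        if not devolve:
            break
    return tried

def server_resolve(fqdn):
    """Server side: authoritative zone data first; if the zone exists but the name
    does not, try the GlobalNames zone with the leftmost label."""
    fqdn = fqdn.lower()
    for zone, rrs in ZONES.items():
        if fqdn == zone or fqdn.endswith("." + zone):
            if fqdn in rrs:
                return rrs[fqdn]
            break                            # authoritative, but no such record
    label = fqdn.split(".")[0]
    return f"CNAME {GLOBALNAMES[label]}" if label in GLOBALNAMES else None

def client_resolve(name, primary_suffix, search_list=None, devolve=True):
    """Walk the candidates; return (fqdn, answer) or None (client would try WINS next)."""
    for fqdn in candidate_fqdns(name, primary_suffix, search_list, devolve):
        answer = server_resolve(fqdn)
        if answer is not None:
            return fqdn, answer
    return None

def forward_confirmed(ip):
    """Reverse lookup as a security check: octets reversed under in-addr.arpa
    (nibbles under ip6.arpa for IPv6), then the PTR target must resolve back to
    the same address. Whoever runs the reverse zone can publish any PTR, so a
    PTR alone identifies nothing."""
    host = REVERSE.get(ipaddress.ip_address(ip).reverse_pointer)
    answer = server_resolve(host) if host else None
    return bool(answer) and answer.startswith("A ") and \
        ipaddress.ip_address(answer[2:]) == ipaddress.ip_address(ip)
```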
  • 49. Test and Troubleshoot DNS Server Event logs Visible in DNS Manager, Server Manager, and Event Viewer Debug logging Server Properties dialog box Recursive and iterative query tests Server Properties dialog box dcdiag.exe /test:DNS Performs a wide variety of tests to ensure that AD DS and DNS are working well together Network Monitor (packet capture)
• 50. Test and Troubleshoot DNS Client
  - ipconfig /all
  - NSLookup: set server=IP address [Default: primary DNS server]; set type=record type [Default: A]; then enter the record name to query
  - ipconfig /displaydns: display client DNS resolver cache
  - ipconfig /flushdns: purge client DNS resolver cache
  - ipconfig /registerdns: register client DNS records
  • 51. Lab B: Advanced Configuration of DNS Exercise 1: Enable Scavenging of DNS Zones Exercise 2: Create Reverse Lookup Zones Exercise 3: Explore Domain Controller Location Exercise 4: Configure Name Resolution for External Domains Logon information Estimated time: 60 minutes
  • 52. Lab Scenario You are the DNS administrator at Contoso, Ltd. You want to improve the health and efficiency of your DNS infrastructure by enabling scavenging and by creating a reverse lookup zone for the domain. You also want to examine the records that enable clients to locate domain controllers. Finally, you are asked to configure name resolution between contoso.com and the domain of a partner company, tailspintoys.com.
  • 53. Lab Review In this lab, you used a stub zone and a conditional forwarder to provide name resolution between two distinct domains. What other options might you have chosen to use?