|1|     Chapter 5, DNS and Active Directory Integration

|2|     Chapter 5, Lesson 1

       Understanding DNS Name Resolution

       1.    Name Resolution

|3|               A.      IP addressing

                           1.       Overview

                                     a.      Name resolution is the process of resolving DNS names to IP addresses.

                                     b.      An IP address identifies each host that communicates by using TCP/IP.

                                     c.       An IP address is a 32-bit binary number that is separated internally into two parts: a network ID and a host ID.

                                     d.      IP addresses are expressed in dotted decimal notation.

                                     e.      The 32-bit address is segmented into four 8-bit octets.

                                     f.       Octets are converted to decimals (base-10 numbering system) and separated by periods.

|4|                        2.       Network ID

                                     a.      Also known as a network address

                                     b.      Identifies a single network segment within a larger TCP/IP internetwork

                                     c.       Used to uniquely identify each network within the larger internetwork

|5|                        3.       Host ID

                                     a.      Also known as the host address

                                     b.      Identifies a TCP/IP node within each network

                                     c.       Identifies a single system uniquely within its own network

|6|               B.      Lookup queries

                           1.       DNS name servers resolve forward and reverse lookup queries.

                           2.       A forward lookup query resolves a name to an IP address.

                           3.       A reverse lookup query resolves an IP address to a name.

                           4.       A name server can resolve a query only for a zone for which it has authority.

                           5.       If a name server cannot resolve the query, it passes the query to other name servers that can resolve it.

                           6.       The name server caches the query results to reduce the DNS traffic on the network.

                           7.       The DNS service uses a client/server model for name resolution.

|7|     2.    Forward Lookup Query

                  A.      The client passes a forward lookup query for www.microsoft.com to its local name server.

                  B.      The local name server checks its zone database file for the name-to-IP address mapping for the query.

                  C.      If the local name server does not have authority, it passes the query to one of the DNS root servers, requesting resolution of the host name; in this case, the root name server sends back a referral to the com name servers.

                  D.      The local name server sends a request to a com name server, which responds with a referral to the Microsoft name servers.

                  E.      The local name server sends a request to the Microsoft name server. If the Microsoft name server has authority for that portion of the domain namespace, it returns the IP address to the local name server.

                  F.      The name server sends the IP address for www.microsoft.com to the client.

                  G.      Name resolution is complete and the client can access www.microsoft.com.

|8|     3.    Name Server Caching

                  A.      With each query, the name server discovers other name servers that have authority for a portion of the domain namespace.

                  B.      The name server caches these query results to reduce network traffic.

                  C.      Caching enables the name server to resolve other queries to the same portion of the domain namespace quickly.

                  D.      When a name server receives a query

                           1.       The name server caches the query result for a specified amount of time, referred to as Time To Live (TTL)

                           2.       Once the name server caches the query result, TTL starts counting down from its original value.

                           3.       When TTL expires, the name server deletes the query result from its cache.

 

         Note   The zone that provided the query results specifies the TTL, which is configured using the DNS console. Default TTL is 60 minutes.

 

|9|               E.      TTL values

                           1.       Use shorter TTL values to help ensure that data about the domain namespace is more current across the network

                           2.       Shorter TTL values increase the load on name servers.

                           3.       Longer TTL values decrease the time required to resolve information.

                           4.       If a change occurs, the client will not receive the updated information until the TTL expires and a new query to that portion of the domain namespace is resolved.
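
The forward lookup walk-through and the caching rules above can be traced with a small model. This is an added example, not part of the original outline: the server labels (root, com-ns, ms-ns), the class and function names, and the 192.0.2.x addresses are constructed for illustration, and the TTL of 3600 seconds mirrors the 60-minute default in the note above.

```python
# Added illustration: a toy local name server that follows referrals and
# caches both answers and referrals for their TTL. All data is constructed.

def build_sample_namespace():
    """Root -> com -> microsoft.com, as in the forward lookup walk-through."""
    return {
        "root": {"referrals": {"com": "com-ns"}},
        "com-ns": {"referrals": {"microsoft.com": "ms-ns"}},
        "ms-ns": {"records": {
            # name -> (address, TTL in seconds); 3600 s = 60 minutes
            "www.microsoft.com": ("192.0.2.10", 3600),
            "ftp.microsoft.com": ("192.0.2.20", 3600),
        }},
    }


def in_zone(name, zone):
    """True if `name` is the zone apex or sits below it on a label boundary."""
    return name == zone or name.endswith("." + zone)


class LocalNameServer:
    def __init__(self, servers, clock, referral_ttl=3600):
        self.servers = servers          # the simulated remote name servers
        self.clock = clock              # callable returning the time in seconds
        self.referral_ttl = referral_ttl
        self.answers = {}               # name -> (address, expires_at)
        self.referrals = {}             # zone -> (server, expires_at)
        self.upstream_queries = 0       # queries sent to other name servers

    def _closest_known_server(self, name):
        """Start at the deepest unexpired cached referral, else at the root."""
        now = self.clock()
        best_zone, best_server = "", "root"
        for zone, (server, expires_at) in self.referrals.items():
            if expires_at > now and in_zone(name, zone) and len(zone) > len(best_zone):
                best_zone, best_server = zone, server
        return best_server

    def resolve(self, name):
        now = self.clock()
        cached = self.answers.get(name)
        if cached and cached[1] > now:
            return cached[0]            # served from cache, possibly stale
        self.answers.pop(name, None)    # TTL expired: delete the cached result
        server = self._closest_known_server(name)
        for _ in range(8):              # bound the referral chain
            self.upstream_queries += 1
            data = self.servers[server]
            record = data.get("records", {}).get(name)
            if record:
                address, ttl = record
                self.answers[name] = (address, now + ttl)
                return address
            matches = [(zone, nxt) for zone, nxt in data.get("referrals", {}).items()
                       if in_zone(name, zone)]
            if not matches:
                raise LookupError(f"{server} cannot resolve or refer {name}")
            zone, server = max(matches, key=lambda pair: len(pair[0]))
            self.referrals[zone] = (server, now + self.referral_ttl)
        raise LookupError("referral chain too long")


if __name__ == "__main__":
    now = [0]
    namespace = build_sample_namespace()
    ns = LocalNameServer(namespace, clock=lambda: now[0])
    print(ns.resolve("www.microsoft.com"), ns.upstream_queries)  # root, com, microsoft
    print(ns.resolve("ftp.microsoft.com"), ns.upstream_queries)  # referral cache hit
    namespace["ms-ns"]["records"]["www.microsoft.com"] = ("192.0.2.99", 3600)
    now[0] = 3599
    print(ns.resolve("www.microsoft.com"))  # still the old address until TTL expires
    now[0] = 3600
    print(ns.resolve("www.microsoft.com"))  # new address after expiry
```

The same property that delays a legitimate change also keeps an incorrect cached record in use until its TTL runs out, which is one reason to weigh TTL length against server load.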

|10|    4.    Reverse Lookup Query

                  A.      Overview

                           1.       Maps an IP address to a name

                           2.       NSLOOKUP command-line DNS utility uses reverse lookup queries to report back host names.

                           3.       Certain applications implement security based on the ability to connect to names, not IP addresses.

                           4.       DNS is indexed by name, not by IP address.

                           5.       A reverse lookup query would require an exhaustive search of every domain name because the DNS distributed database is indexed by name and not IP address.

                           6.       A special second-level domain called in-addr.arpa was created to solve the problem of finding a name that matches an IP address.

|11|              B.      In-addr.arpa domain

                           1.       Follows the same hierarchical naming scheme as the rest of the domain namespace

                           2.       Based on IP addresses, not domain names

                           3.       Subdomains are named after the numbers in the dotted-decimal representation of IP addresses.

                           4.       Order of the IP address octets is reversed.

|12||13|                  5.       Companies administer subdomains of the in-addr.arpa domain based on their assigned IP addresses and subnet mask.

|14|    Chapter 5, Lesson 2

       Understanding and Configuring Zones

       1.    Zones

|15|              A.      Overview

                           1.       DNS service provides the option of dividing up the namespace into one or more zones.

                           2.       Zones can be stored, distributed, and replicated to other DNS servers.

                           3.       The DNS namespace represents the logical structure of the network resources.

                           4.       DNS zones provide physical storage of these resources.

                  B.      Zone planning

|16|                       1.       Consider the following reasons to use additional zones:

                                     a.      A need exists to delegate management of part of the DNS namespace to another location or department within the organization

                                     b.      A need exists to divide one large zone into smaller zones to distribute traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment

                                     c.       A need exists to extend the namespace by adding numerous subdomains at once, such as to accommodate the opening of a new branch or site

                           2.       Two zone lookup types:

                                     a.      Forward lookup zones

                                     b.      Reverse lookup zones

|17|              C.      Forward lookup zones

                           1.       Overview

                                     a.      Enable forward lookup queries.

                                     b.      At least one forward lookup zone must be configured for the DNS service to work.

                                     c.       Active Directory Installation Wizard can automatically create a forward lookup zone based on the DNS name you specified for the server.

                                     d.      To create a new forward lookup zone:

                                              (1)     Click Start, point to Programs, point to Administrative Tools, and then click DNS
                                              (2)     Expand the DNS server
                                              (3)     Right-click the Forward Lookup Zone folder and click New Zone. The New Zone Wizard steps through the process of setting up a forward lookup zone

|18|                       2.       Zone types

                                     a.      Active Directory–integrated

                                              (1)     Master copy of a new zone
                                              (2)     Uses Active Directory to store and replicate zone files

|19|                                b.      Standard primary

                                              (1)     Master copy of a new zone stored in a standard text file
                                              (2)     Administered and maintained on the computer on which the zone is created

|20|                                c.       Standard secondary

                                              (1)     Replica of an existing zone
                                              (2)     Read-only; stored in standard text files
                                              (3)     The primary zone must be configured to create a secondary zone.
                                              (4)     Must specify DNS server, called the master server, that will transfer zone information to the name server containing the standard secondary zone
                                              (5)     Create a secondary zone to provide redundancy and to reduce the load on the name server containing the primary zone database file

|21|                                d.      Benefits of Active Directory–integrated zones

                                              (1)     Multimaster update and enhanced security based on the capabilities of Active Directory
                                              (2)     Zones are replicated and synchronized to new domain controllers automatically whenever a new zone is added to an Active Directory domain.
                                              (3)     Integrating storage of your DNS namespace in Active Directory simplifies planning and administration for both DNS and Active Directory.
                                              (4)     Directory replication is faster and more efficient than standard DNS replication.

|22|                       3.       Zone name

                                     a.      A zone is typically named after the highest domain in the hierarchy that the zone encompasses, that is, the root domain for the zone.

|23|                       4.       Zone file

                                     a.      A zone file must be specified for the standard primary forward lookup zone type.

                                     b.      The zone file is the zone database file name, which defaults to the zone name with a .dns extension.

                                     c.       An existing zone file can be imported when migrating a zone from another server.

                                     d.      Place the existing file in the systemroot\System32\DNS directory on the target computer before creating the new zone.

                           5.       Master DNS servers

                                     a.      For the standard secondary forward lookup zone type, specify the DNS server(s) from which to copy the zone.

                                     b.      The IP address of one or more DNS servers must be entered.

|24|              D.      Reverse lookup zones

                           1.       Overview

                                     a.      Enable reverse lookup queries

                                     b.      Are not required, except to run troubleshooting tools, such as NSLOOKUP, and to record a name instead of an IP address in IIS log files

                           2.       To create a new reverse lookup zone

                                     a.      Click Start, point to Programs, point to Administrative Tools, and then click DNS

                                     b.      Expand the DNS server

                                     c.       Right-click the Reverse Lookup Zone folder and click New Zone. The New Zone Wizard guides you through the process of setting up a reverse lookup zone

 

         Note  The wizard presents the following configuration options: Zone Type, Reverse Lookup Zone, Zone File, and Master DNS Servers.

 

                           3.       Zone type

                                     a.      Active Directory–integrated

                                     b.      Standard primary

                                     c.       Standard secondary

                           4.       Reverse lookup zone

                                     a.      To identify the reverse lookup zone, type the network ID or the name of the zone.

                                     b.      For a network ID of 169.254, all reverse lookup queries within the 169.254 network are resolved in the new zone.

|25|                       5.       Zone file

                                     a.      Must be specified for the standard primary reverse lookup zone type

                                     b.      The network ID and subnet mask determine the default zone file name.

                                     c.       DNS reverses the IP octets and adds the in-addr.arpa suffix.

                                     d.      For a network ID of 169.254, the reverse lookup zone for the 169.254 network becomes 254.169.in-addr.arpa.dns.

                                     e.      The existing zone file may be imported when migrating a zone from another server.

                                     f.       The existing zone file must be placed in the systemroot\System32\DNS directory.

                           6.       Master DNS servers

                                     a.      The DNS server(s) from which to copy the zone must be specified.

                                     b.      The IP address must be entered for one or more DNS servers.
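
The in-addr.arpa naming rules (reverse the octets, append the suffix, add .dns for the default zone file) and the network ID / host ID split from Lesson 1 can be checked with a short script. This is an added example, not part of the original outline: the function names are hypothetical, the host address 169.254.10.7 is constructed, and only octet-aligned subnet masks are handled.

```python
# Added illustration: derive reverse lookup zone names from a network ID and
# subnet mask, using only the Python standard library.
import ipaddress


def split_address(ip, mask):
    """Return (network ID, host ID) in dotted decimal for an address and mask."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    host_bits = int(ipaddress.IPv4Address(ip)) & int(net.hostmask)
    return str(net.network_address), str(ipaddress.IPv4Address(host_bits))


def reverse_zone(network_id, mask):
    """Reverse the network octets and append the in-addr.arpa suffix."""
    net = ipaddress.IPv4Network(f"{network_id}/{mask}", strict=False)
    if net.prefixlen == 0 or net.prefixlen % 8:
        # A mask that splits an octet does not map to a single octet-named
        # subdomain; that case is outside what this sketch covers.
        raise ValueError("mask must end on an octet boundary")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def zone_file_name(network_id, mask):
    """Default zone file name: the reverse zone name with a .dns extension."""
    return reverse_zone(network_id, mask) + ".dns"


def ptr_name(ip):
    """Owner name of the PTR record that a reverse lookup for `ip` queries."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def served_by(ip, network_id, mask):
    """True if the reverse lookup for `ip` is resolved in the given zone."""
    return ptr_name(ip).endswith("." + reverse_zone(network_id, mask))


if __name__ == "__main__":
    print(split_address("169.254.10.7", "255.255.0.0"))
    print(zone_file_name("169.254.0.0", "255.255.0.0"))
    print(ptr_name("169.254.10.7"))
    print(served_by("169.254.10.7", "169.254.0.0", "255.255.0.0"))
```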

|26|              E.      Resource records

                           1.       Overview

                                     a.      Entries in the zone database file that associate DNS domain names to related data for a given network resource

                                     b.      Many different types of resource records

                                     c.       When a zone is created, DNS automatically creates the Start of Authority (SOA) and the Name Server (NS) resource records.

|27|                       2.       Frequently used resource record types

                                     a.      Host (A): Lists the host name-to-IP address mappings for a forward lookup zone

                                     b.      Alias (CNAME): Creates an alias, or canonical name, for the specified host name

                                     c.       Host Information (HINFO): Identifies the CPU and operating system used by the host

                                     d.      Mail Exchange (MX): Identifies which mail exchanger to contact for a specified domain and in what order to use each mail host

                                     e.      Name Server (NS): Lists the name servers that are assigned to a particular domain

                                     f.       Pointer (PTR): Points to another part of the domain namespace

                                     g.      Service (SRV): Identifies which servers are hosting a particular service

                                     h.      Start of Authority (SOA): Identifies which name server is the authoritative source of information for data within this domain

                           3.       To view a resource record

                                     a.      In the DNS console tree, click the zone for which you want to view a resource record

                                     b.      In the details pane, click the record to be viewed

                                     c.       On the Action menu, click Properties

                                     d.      On the Properties dialog box, view the properties specific to the record selected

                                     e.      When finished viewing the record, click OK

                           4.       To add a resource record

                                     a.      Right-click the zone to which the new record is to be added

                                     b.      Select the type of record that is needed

|28|              F.      Delegating zones

|29|                       1.       Overview

                                     a.      A zone starts as a storage database for a single DNS domain name.

                                     b.      If other domains are added below the domain used to create the zone, these domains can be part of either the same zone or another zone.

                                     c.       Once a subdomain is added, it can then be

                                              (1)     Managed and included as part of the original zone records
                                              (2)     Delegated away to another zone created to support the subdomain

                                     d.      When zones are delegated within a namespace, SOA resource records must be created and must point to the authoritative DNS server for the new zone.

                                     e.      These records are necessary to transfer authority and provide correct referral to other DNS servers and clients of the new servers being made authoritative for the new zone.

                                     f.       New Delegation Wizard is available to assist in the delegation of zones.

                           2.       To create a zone delegation

                                     a.      In the DNS console tree, click the subdomain for which the zone delegation is to be created

                                     b.      On the Action menu, click New Delegation

                                     c.       On the New Delegation Wizard welcome page, click Next

                                     d.      On the Delegated Domain Name page, specify the name of the domain you want to create, and then click Next

                                     e.      On the Name Servers page, specify the servers to host the delegated zone, and then click Next

                                     f.       Review the settings on the Completing The New Delegation Wizard page, and then click Finish

 

         Note  All domains (or subdomains) that appear as part of the applicable zone delegation must be created in the current zone prior to performing delegation.

 

|30|    2.    Configuring Dynamic DNS (DDNS)

|31|              A.      Overview

                           1.       DDNS is the DNS service that includes dynamic update capability.

                           2.       Name servers and clients within a network automatically update the zone database files.

|32|              B.      Dynamic updates

                           1.       A list of authorized servers can be configured to initiate dynamic updates.

                           2.       This list can include secondary name servers, domain controllers, and other servers that perform network registration for clients, such as servers running DHCP service or Microsoft WINS.

|33|              C.      DDNS and DHCP

                           1.       These services interact to maintain synchronized name-to-IP mappings for network hosts.

                           2.       By default, DHCP service allows clients to add their own Host (A) records to the zone; the DHCP service adds the PTR resource record to the zone.

                           3.       DHCP service cleans up both the A and PTR resource records in the zone when the lease expires.

                           4.       The Only Secure Updates option

                                     a.      Appears only if the zone type is Active Directory–integrated

                                     b.      If the option is chosen, the requester’s permission to update the records in the zone database is tested using mechanisms specified in a subsequent secure DNS update protocol.

 

         Note  To send dynamic updates, you must configure the DHCP server to point to the appropriate DNS servers.

 

                  D.      To configure a zone for DDNS

                           1.       From the DNS console, right-click the forward or reverse lookup zone that needs to be configured, and then click Properties

                           2.       On the General tab, in the Allow Dynamic Updates? list, choose one of the following options:

                                     a.      No: Does not allow dynamic updates for this zone

                                     b.      Yes: Allows all dynamic DNS update requests for this zone

                                     c.       Only Secure Updates: Allows only dynamic DNS updates that use secure DNS for this zone; this is the preferred option.

|34|    Chapter 5, Lesson 3

       Zone Replication and Transfer

|35|    1.    Zone Replication and Zone Transfers

                  A.      Overview

                           1.       Because zones play an important role in DNS, their availability from more than one DNS server on the network is intended to provide availability and fault tolerance when resolving name queries.

                           2.       If a single server is used and that server is not responding, queries for names in the zone can fail.

                           3.       For additional servers to host a zone, zone transfers are required to replicate and synchronize all copies of the zone used at each server configured to host the zone.

|36|                       4.       Several good reasons exist to use additional DNS servers for zone replication

                                     a.      They provide zone redundancy, enabling DNS names in the zone to be resolved for clients if a primary server for the zone stops responding.

                                     b.      They can reduce DNS network traffic.

                                     c.       They can reduce loads on a primary server for a zone

                           5.       A full zone transfer (AXFR) is performed when a new DNS server is added to the network and configured as a new secondary server for an existing zone.

                           6.       Earlier DNS server implementations used a full transfer for incremental changes to the zone.

                           7.       For Windows 2000 Server, the DNS service supports incremental zone transfer (IXFR), a revised DNS zone transfer process for intermediate changes.

 

         Note  IXFR is described in RFC 1995 as an additional DNS standard for replicating DNS zones.

 

|37|              B.      Incremental zone transfers (IXFR)

                           1.       Provide a more efficient method of propagating zone changes and updates

                           2.       Allow the secondary server to pull only those zone changes it needs to synchronize its copy of the zone with its source

                           3.       The source can be either a primary or secondary copy of the zone maintained by another DNS server.

                           4.       For an IXFR query to succeed and changes to be sent, the source DNS server for the zone must keep a history of incremental zone changes to use when answering these queries.

                           5.       IXFR requires substantially less traffic on a network, and zone transfers are completed much faster.

|38|                       6.       When differences between the source and replicated versions of the zone are determined

                                     a.      If the zones are identified to be the same version, as indicated by the serial number field in the SOA resource record of each zone, no transfer is made.

                                     b.      If the source serial number is greater than that of the requesting secondary server, a transfer is made of only those changes to resource records for each incremental version of the zone.

|39|              C.      Example: Zone transfer

                           1.       Overview

                                     a.      A zone transfer occurs during any of the following scenarios:

                                              (1)     Manual initiation
                                              (2)     When starting the DNS service on the secondary server for a zone
                                              (3)     When the refresh interval time expires for the zone
                                              (4)     When changes are made to the primary zone and a notify list is configured

                                     b.      Zone transfers are always initiated by the secondary server for a zone and sent to the DNS server configured as its source for the zone.

                                     c.       When the source server receives the request for the zone, it can reply with either a partial or full transfer of the zone.

                                     d.      Zone transfers between servers follow an ordered process.

                                     e.      The process varies depending on whether a zone has been previously replicated or initial replication of a new zone is being performed.

                           2.       The following sequence is performed for a requesting secondary server (the destination server) for a zone and its source server, another DNS server that hosts the zone:

                                     a.      During new configuration, the destination server sends an initial (AXFR) transfer request for the zone to the DNS server configured as its source for the zone.

                                     b.      The source server responds and fully transfers the zone to the destination server.

                                     c.       When the refresh interval expires, the destination server requests renewal of the zone from the source server with an SOA query.

                                     d.      The source server answers the query for its SOA record.

                                     e.      The destination server checks the serial number of the SOA record in the response and determines how to renew the zone.

                                              (1)     If the value of the serial number in the SOA response is equal to its current local serial number, the destination server concludes that the zone is the same at both servers and a zone transfer is not needed; the destination server renews the zone by resetting its refresh interval.
                                              (2)     If the value of the serial number in the SOA response is higher than its current local serial number, the destination server concludes that the zone has been updated and a transfer is needed.

                                     f.       If the destination server concludes that the zone has changed, it sends an IXFR query to the source server containing its current local value for the serial number in the SOA record for the zone.

                                     g.      The source server responds with either an incremental or full transfer of the zone.

                                              (1)     If the source server supports incremental transfer, it can answer with an incremental (IXFR) transfer of the zone.
                                              (2)     If the source server does not support incremental transfer, it can answer with a full (AXFR) transfer of the zone instead.

 

         Note  For Windows 2000 Server, incremental zone transfer through IXFR query is supported. For earlier versions of the DNS service running in Windows NT Server 4.0, incremental transfer is not available and only full zone (AXFR) queries and transfers are used to replicate zones.

 

|40|              D.      Zone transfer security

                           1.       Overview

                                     a.      DNS console permits you to specify the servers allowed to participate in zone transfers.

                                     b.      This helps to prevent an undesired attempt by an unknown or unapproved DNS server to pull or request zone updates.

                           2.       To specify servers allowed to participate in zone transfers

                                     a.      Click Start, point to Programs, point to Administrative Tools, and then click DNS

                                     b.      In the DNS console tree, right-click the zone for which you want to set up zone transfers, and then click Properties

|41|                                c.       Select the Zone Transfers tab

                                     d.      Specify the servers that are allowed zone transfers, and then click OK
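
The refresh sequence in the zone transfer example and the allow-list described under zone transfer security can be modelled together. This is an added example, not part of the original outline: the class names, the record format, the history limit and the 192.0.2.x / 198.51.100.x addresses are constructed, and serial numbers are compared as plain integers.

```python
# Added illustration: a secondary server refreshing a zone from its source,
# with the source enforcing a list of servers allowed to transfer the zone.

class SourceServer:
    """DNS server configured as the source for a zone (toy model)."""

    def __init__(self, records, allowed, supports_ixfr=True, history_limit=10):
        self.records = dict(records)
        self.serial = 1                   # serial number field of the SOA record
        self.allowed = set(allowed)       # servers allowed zone transfers
        self.supports_ixfr = supports_ixfr
        self.history_limit = history_limit
        self.history = {}                 # serial -> changes that produced it
        self.denied = []                  # refused requesters, for later review

    def update(self, changes):
        """Apply ('add'|'del', name, value) changes and raise the serial."""
        self.serial += 1
        for op, name, value in changes:
            if op == "add":
                self.records[name] = value
            else:
                self.records.pop(name, None)
        self.history[self.serial] = list(changes)
        while len(self.history) > self.history_limit:
            del self.history[min(self.history)]   # forget the oldest version

    def soa(self):
        """Answer an SOA query with the current serial number."""
        return self.serial

    def transfer(self, requester, local_serial=None):
        """Answer a transfer request with an incremental or full copy."""
        if requester not in self.allowed:
            self.denied.append(requester)
            raise PermissionError(f"zone transfer refused for {requester}")
        if local_serial is not None and self.supports_ixfr:
            wanted = range(local_serial + 1, self.serial + 1)
            if all(serial in self.history for serial in wanted):
                changes = [c for serial in wanted for c in self.history[serial]]
                return "IXFR", self.serial, changes
        # No usable change history (or no IXFR support): send the whole zone.
        return "AXFR", self.serial, dict(self.records)


class SecondaryServer:
    """Destination server that pulls the zone from its source."""

    def __init__(self, address, source):
        self.address = address
        self.source = source
        self.serial = None                # no copy of the zone yet
        self.records = {}

    def refresh(self):
        """Run one refresh cycle; return 'AXFR', 'IXFR' or 'none'."""
        if self.serial is None:
            return self._pull(None)       # new configuration: initial AXFR
        if self.source.soa() > self.serial:
            return self._pull(self.serial)
        return "none"                     # same version: reset refresh interval

    def _pull(self, local_serial):
        kind, serial, payload = self.source.transfer(self.address, local_serial)
        if kind == "AXFR":
            self.records = dict(payload)
        else:
            for op, name, value in payload:
                if op == "add":
                    self.records[name] = value
                else:
                    self.records.pop(name, None)
        self.serial = serial
        return kind


if __name__ == "__main__":
    src = SourceServer({"www": "192.0.2.10"}, allowed={"192.0.2.53"})
    sec = SecondaryServer("192.0.2.53", src)
    print(sec.refresh(), sec.refresh())   # initial full transfer, then no change
    src.update([("add", "ftp", "192.0.2.20")])
    print(sec.refresh(), sec.records)     # incremental transfer of one change
```

The `denied` list stands in for whatever record the real server keeps of refused requests; a requester that is not on the allowed list never receives zone contents.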

|42|    2.    DNS Notification

                  A.      Overview

                           1.       Updated revision to the DNS standard specification (RFC 1996)

                           2.       Implements a push mechanism for notifying a select set of secondary servers for a zone when a zone is updated

                           3.       Notified servers can then initiate the zone transfer process and pull changes from the notifying server to update the zone.

                           4.       Use DNS notification only to notify DNS servers that are operating as secondary servers for a zone.

                           5.       Not needed for replication of directory-integrated zones

|43|              B.      To specify servers to be notified

                           1.       Click Start, point to Programs, point to Administrative Tools, and then click DNS

                           2.       In the DNS console tree, right-click the zone for which you want to set up zone transfers, and then click Properties

                           3.       Select the Zone Transfers tab, and then click Notify

                           4.       In the Notify dialog box, specify the secondary servers to be notified when the zone changes, and then click OK

|44|    3.    The DNS Notify Process

                  A.      The local zone is updated; the serial number field in the SOA record also updates, indicating a new local version of the zone.

                  B.      The source server sends a notify message to other servers specified on the Notify screen.

                  C.      All secondary servers that receive the notification message can then respond by initiating a zone transfer request back to the notifying server.

|45|    Chapter 5, Lesson 4

       Monitoring and Troubleshooting DNS for Active Directory

       1.    Monitoring DNS Servers

|46|              A.      Two options for monitoring DNS servers

                           1.       Default logging of DNS server event messages to the DNS server log

                           2.       Optional debug options for trace logging to a text file on the DNS server computer

|47|              B.      DNS server event logging

                           1.       DNS server event messages are kept separate from events raised by other applications and services in the DNS server log.

                           2.       The DNS server log contains basic predetermined events logged by the DNS server service, such as when the DNS server starts and stops.

                           3.       Use Event Viewer to view and monitor client-related DNS events

                           4.       These events appear in the system log and are written by the DNS client service on any computer running Microsoft Windows 2000 (all versions).

|48|              C.      Debug options

                           1.       Overview

                                     a.      The DNS console allows you to set additional logging options to create a temporary trace log as a text-based file for DNS server activity.

                                     b.      DNS.LOG is stored in the systemroot\System32\Dns folder.

                                     c.       By default, all debug logging options are disabled.

                                     d.      The DNS server service can perform additional trace-level logging of selected types of events or messages for general troubleshooting and debugging of the server.

                                     e.      Debug logging can be resource-intensive, affecting overall server performance and consuming disk space.

                                     f.       Debug logging should be used only temporarily, when more detailed information about server performance is needed.

                           2.       DNS server debug logging options

                                     a.      Query: Logs queries received by the DNS server service from clients

                                     b.      Notify: Logs notification messages received by the DNS server service from other servers

                                     c.       Update: Logs dynamic updates received by the DNS server service from other computers

                                     d.      Questions: Logs the contents of the question section for each DNS query message processed by the DNS server service

                                     e.      Answers: Logs the contents of the answer section for each DNS query message processed by the DNS server service

                                     f.       Send: Logs the number of DNS query messages sent by the DNS server service

                                     g.      Receive: Logs the number of DNS query messages received by the DNS server service

                                     h.      UDP: Logs the number of DNS requests received by the DNS server service over a UDP port

                                     i.        TCP: Logs the number of DNS requests received by the DNS server service over a TCP port

                                     j.        Full Packets: Logs the number of full packets written and sent by the DNS server service

                                     k.       Write Through: Logs the number of packets written through by the DNS server service and back to the zone

                           3.       To set DNS server debug options

                                     a.      In the DNS console tree, right-click the name server, and then click Properties

                                     b.      On the Logging tab, select the debug options you want to log, and then click OK

       2.    DNS Troubleshooting Scenarios

                  A.      Symptom: A problem related to zone transfers

                           1.       DNS server service is stopped or the zone is paused.

                                     a.      Verify that the master and secondary DNS servers involved in completing transfer of the zone are both started and that the zone is not paused at either server.

                           2.       DNS servers used during a transfer do not have network connectivity with each other.

                                     a.      Using the DNS console, perform the following tasks: On the Start Of Authority (SOA) tab, increase the value of the serial number for the zone at the master server to a number greater than the value at the applicable secondary server.

                                     b.      Initiate zone transfer at the secondary server.

                           3.       The serial number is the same at both the source and destination servers.

                                     a.      Using the DNS console, perform the following tasks: On the Start Of Authority (SOA) tab, increase the value of the serial number for the zone at the master server (source) to a number greater than the value at the applicable secondary server (destination).

                                     b.      Initiate zone transfer at the secondary server.

                           4.       The master server and its targeted secondary server (destination) are having interoperability-related problems.

                                     a.      Investigate problems related to interoperability between Windows 2000 DNS servers and other DNS servers running different implementations.

                           5.       The zone has resource records or other data that cannot be interpreted by the DNS server.

                                     a.      Verify that the zone does not contain incompatible data, such as unsupported resource record types or data errors.

                                     b.      Verify that the server has not been configured in advance to prevent loading a zone when bad data is found.

                                     c.       Investigate the server’s method for checking names.

                           6.       Authoritative zone data is incorrect.

                                     a.      If a zone transfer continues to fail, ensure that the zone does not contain nonstandard data.

                                     b.      Look in the DNS server event log for messages, to determine whether erroneous zone data is a likely source for a failed zone transfer.

                  B.      Symptom: Zone delegation appears to be broken

                           1.       Zone delegations are not configured correctly.

                                     a.      Review how zone delegations are used.

                                     b.      Revise the zone configuration as needed.

                  C.      Symptom: The client is not performing dynamic updates

                           1.       The client does not support use of the DNS dynamic update protocol.

                                     a.      Verify that your clients or servers support the DNS dynamic update protocol using the options for dynamic update support provided in Windows 2000.

                                     b.      Either install or upgrade client computers to Windows 2000 or install and use a Windows 2000 DHCP server on your network to lease addresses to client computers.

                           2.       The client was not able to register and update with the DNS server because of missing or incomplete DNS configuration.

                                     a.      Verify that the client is fully and correctly configured for DNS, and update its configuration as needed.

                                     b.      Either configure a primary DNS suffix at the client computer for static TCP/IP clients or configure a connection-specific DNS suffix for use at one of the installed network connections at the client.

                           3.       The DNS client attempted to update its information with the DNS server, but failed because of a problem related to the server.

                                     a.      If a client can reach its preferred and alternate DNS servers as configured, the cause of its failed updates can likely be found elsewhere.

                                     b.      Use Event Viewer to check the System log for any event messages that explain why attempts by the client to dynamically update its host (A) or pointer (PTR) resource records failed.

                           4.       The DNS server does not support dynamic updates.

                                     a.      Verify that the DNS server used by the client can support the DNS dynamic update protocol.

                                     b.      Only Windows 2000 DNS servers support dynamic updates.

 

         Note  The DNS dynamic update protocol is described in RFC 2136.

 

                           5.       The DNS server supports dynamic updates, but is not configured to accept them.

                                     a.      Verify that the primary zone where clients require updates is configured to allow dynamic updates.

                                     b.      For Windows 2000 DNS servers, the default for a new primary zone is to not accept dynamic updates.

                                     c.       Modify zone properties to allow updates at the DNS server that loads the applicable primary zone.

                           6.       The zone database is not available; verify that

                                     a.      The zone exists

                                     b.      The zone is available for updates

                                     c.       The zone file exists at the server and that the zone is not paused

                                     d.      The DNS server is running as a domain controller and has access to the Active Directory database where zone data is stored