20411B-ENU-TrainerHandbook.pdf
Administering Windows Server® 2012
Demonstration: Configuring the DNS Server Role
This demonstration shows how to configure the DNS server properties.

1. Switch to LON-DC1 and, if necessary, log on as Adatum\Administrator with the password Pa$$w0rd.
2. Open the DNS console.
3. Review the properties of the LON-DC1 server:
   a. On the Forwarders tab, you can configure forwarding.
   b. On the Advanced tab, you can configure options including securing the cache against pollution, and DNSSEC.
   c. On the Root Hints tab, you can see the configuration for the root hints servers.
   d. On the Debug Logging tab, you can configure debug logging options.
   e. On the Event Logging tab, you can configure the level of event recording.
   f. On the Monitoring tab, you can perform simple and recursive tests against the server.
   g. On the Security tab, you can define permissions on the DNS infrastructure.
• From the Conditional Forwarders node, you can configure conditional forwarding:
   a. In the New Conditional Forwarder dialog box, in the DNS Domain box, type contoso.com.
   b. Click the <Click here to add an IP Address or DNS Name> box. Type 131.107.1.2, and then press Enter. Validation will fail because this is just an example configuration.

Clear the DNS cache
• In the navigation pane, right-click LON-DC1, and then click Clear Cache.
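The same server properties the demonstration reviews tab by tab, set from Windows PowerShell. This is an added example and not part of the handbook; it uses the DnsServer module that is installed with the DNS Server role on Windows Server 2012. The LON-DC1 address 172.16.0.10, the internal forwarder 172.16.0.20 and the log directory C:\DnsLogs are assumptions for the lab; contoso.com and 131.107.1.2 are the values the demonstration types.

```powershell
# Added example: configure LON-DC1 server properties with the DnsServer module.
# Run in an elevated PowerShell session on LON-DC1. Addresses other than the
# demonstration's 131.107.1.2, and the log directory, are assumptions.
Import-Module DnsServer

# Forwarders tab: send queries the server cannot answer to an internal resolver,
# and do not fall back to root hints when the forwarder does not answer.
Set-DnsServerForwarder -IPAddress 172.16.0.20 -UseRootHint $false

# Advanced tab: "Secure cache against pollution" and cache locking.
# PollutionProtection discards records in a response that lie outside the
# queried name's domain; LockingPercent 100 means a cached record cannot be
# overwritten by a later response until its TTL has fully elapsed.
Set-DnsServerCache -PollutionProtection $true -LockingPercent 100

# Conditional Forwarders node: queries for contoso.com go to 131.107.1.2.
# Unlike the dialog box, the cmdlet shows no reachability validation result.
Add-DnsServerConditionalForwarderZone -Name 'contoso.com' -MasterServers 131.107.1.2

# Debug Logging tab: log queries and answers to a file with a size cap, so a
# burst of traffic cannot fill the system drive.
New-Item -ItemType Directory -Path 'C:\DnsLogs' -Force | Out-Null
Set-DnsServerDiagnostics -Queries $true -Answers $true `
    -ReceivePackets $true -SendPackets $true -UdpPackets $true -TcpPackets $true `
    -EnableLoggingToFile $true -LogFilePath 'C:\DnsLogs\dns.log' -MaxMBFileSize 500

# Monitoring tab: a simple test against the server itself and a test of the
# forwarder it depends on.
Test-DnsServer -IPAddress 172.16.0.10 -Context DnsServer
Test-DnsServer -IPAddress 172.16.0.20 -Context Forwarder

# Clear the DNS cache (right-click LON-DC1 > Clear Cache in DNS Manager).
Clear-DnsServerCache -Force

# Read the settings back, as the Properties tabs would show them.
Get-DnsServerForwarder
Get-DnsServerCache | Select-Object PollutionProtection, LockingPercent
Get-DnsServerZone -Name 'contoso.com' | Select-Object ZoneName, ZoneType, MasterServers
```

Pollution protection and cache locking are the two Advanced-tab settings that matter for cache poisoning: the first stops an attacker's response for one name from planting records for another, the second stops a forged response from replacing a record that is still fresh in the cache.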
2-14 Configuring and Troubleshooting Domain Name System
Lesson 3
Configuring DNS Zones
DNS zones are an important concept in DNS infrastructure, because they enable you to logically separate and manage DNS domains. This lesson provides the foundation for understanding how zones relate to DNS domains, and provides information about the different types of DNS zones that are available in the Windows Server 2012 DNS role.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain what a DNS zone is.
• Explain the various DNS zone types available in Windows Server 2012.
• Explain the purpose of forward and reverse lookup zones.
• Explain the purpose of stub zones.
• Explain how to create zones.
• Explain how you can use DNS zone delegation.
What Is a DNS Zone?
A DNS zone hosts all or a portion of a domain and its subdomains. The slide illustrates how subdomains can belong to the same zone as their parents or can be delegated to another zone. The microsoft.com domain is separated into two zones. The first zone hosts the www.microsoft.com and ftp.microsoft.com records. Example.microsoft.com is delegated to a new zone, which hosts the example.microsoft.com subdomain, and its records ftp.example.microsoft.com and www.example.microsoft.com.
Note: The zone that hosts a root of the domain (microsoft.com) must delegate the subdomain (example.microsoft.com) to the second zone. If this does not occur, example.microsoft.com will be treated as if it were part of the first zone.
Zone data can be replicated to more than one server. This adds redundancy to a zone because the information needed to find resources in the zone now exists on two or more servers. The level of redundancy that is needed is one reason to create zones. If you have a zone that hosts critical server resource records, it is likely that this zone will have a higher level of redundancy than a zone in which noncritical devices are defined.
Characteristics of a DNS Zone
Zone data is maintained on a DNS server and is stored in one of two ways:
• In a flat zone file that contains mapping lists
• Integrated into Active Directory
A DNS server is authoritative for a zone if it hosts the resource records for the names and addresses that the clients request in the zone file.

What Are the DNS Zone Types?
The four DNS zone types are:
• Primary
• Secondary
• Stub
• Active Directory-integrated

Primary Zone
When a zone that a DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the DNS server stores the zone in a file, the primary zone file is, by default, named zone_name.dns, and is located in the %windir%\System32\Dns folder on the server. When the zone is not stored in Active Directory, the DNS server hosting the primary zone is the only DNS server that has a writable copy of the zone file.

Secondary Zone
When a zone that a DNS server hosts is a secondary zone, the DNS server is a secondary source for the zone information. The zone at this server must be obtained from another remote DNS server that also hosts the zone. This DNS server must have network access to the remote DNS server to receive updated zone information. Because a secondary zone is a copy of a primary zone that another server hosts, it cannot be stored in AD DS. Secondary zones can be useful if you are replicating data from DNS zones that are not on Windows or you are running DNS on servers that are not AD DS domain controllers.

Stub Zone
Windows Server 2003 introduced stub zones, which solve several problems with large DNS namespaces and multiple-tree forests. A multiple-tree forest is an Active Directory forest that contains two or more different top-level domain names.
What Are Forward and Reverse Lookup Zones?
Zones can be either forward or reverse; reverse zones are sometimes known as inverse zones.

Forward Lookup Zone
The forward lookup zone resolves host names to IP addresses and hosts the common resource records: A, CNAME, SRV, MX, SOA, TXT, and NS.

Reverse Lookup Zone
The reverse lookup zone resolves an IP address to a domain name, and hosts SOA, NS, and PTR records.

A reverse zone functions in the same manner as a forward zone, but the IP address is the part of the query and the host name is the returned information. Reverse zones are not always configured, but you should configure them to reduce warning and error messages. Many standard Internet protocols rely on reverse zone lookup data to validate forward zone information. For example, if the forward lookup indicates that training.contoso.com is resolved to 192.168.2.45, you can use a reverse lookup to confirm that 192.168.2.45 is associated with training.contoso.com.

Having a reverse zone is important if you have applications that rely on looking up hosts by their IP addresses. Many applications will log this information in security or event logs. If you see suspicious activity from a particular IP address, you can resolve the host by using the reverse zone information. Many email security gateways use reverse lookups to validate that the IP address that is sending messages is associated with a domain. Keep in mind that the PTR record is controlled by whoever administers the reverse zone for that address block, so a reverse lookup result should be confirmed by a matching forward lookup before you rely on it for attribution.
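The check described above, a forward-confirmed reverse lookup, as an added PowerShell example that is not part of the handbook. Given an address from a log, it queries the PTR record, then verifies that the returned name's A records actually include that address; the two functions are assumptions written for this example, and 192.168.2.45 and training.contoso.com are the handbook's illustration, not live hosts.

```powershell
# Added example: forward-confirmed reverse DNS (FCrDNS) check with Resolve-DnsName.
# Both functions are written for this example; they are not part of the DNS role.

function Get-ReverseName {
    param([Parameter(Mandatory)][ipaddress]$IPAddress)
    # Reverse zones are named by the address octets in reverse order under
    # in-addr.arpa, so 192.168.2.45 is looked up as 45.2.168.192.in-addr.arpa.
    $octets = $IPAddress.GetAddressBytes()
    [array]::Reverse($octets)
    return (($octets -join '.') + '.in-addr.arpa')
}

function Test-ForwardConfirmedReverse {
    param(
        [Parameter(Mandatory)][ipaddress]$IPAddress,
        [string]$Server            # DNS server to query, e.g. LON-DC1; default resolver if omitted
    )
    $common = @{ ErrorAction = 'SilentlyContinue' }
    if ($Server) { $common.Server = $Server }

    # Step 1: reverse lookup. Filter on Type because Resolve-DnsName also returns
    # SOA records from negative answers.
    $ptr = Resolve-DnsName -Name (Get-ReverseName $IPAddress) -Type PTR @common |
           Where-Object { $_.Type -eq 'PTR' }
    if (-not $ptr) {
        return [pscustomobject]@{ IPAddress = $IPAddress; PtrName = $null
                                  Confirmed = $false; Reason = 'No PTR record' }
    }

    # Step 2: for each name the PTR claims, forward-resolve it and require that
    # the original address is among its A records. The reverse zone owner can
    # put any name in a PTR; only the forward zone owner controls the A record.
    foreach ($p in $ptr) {
        $name = $p.NameHost.TrimEnd('.')
        $a = Resolve-DnsName -Name $name -Type A @common | Where-Object { $_.Type -eq 'A' }
        $confirmed = [bool]($a | Where-Object { $_.IPAddress -eq $IPAddress.IPAddressToString })
        [pscustomobject]@{
            IPAddress = $IPAddress
            PtrName   = $name
            Confirmed = $confirmed
            Reason    = if ($confirmed) { 'A record matches PTR' } else { 'Forward lookup does not return this address' }
        }
    }
}

# Usage with the handbook's example address, querying the lab DNS server.
Get-ReverseName 192.168.2.45
Test-ForwardConfirmedReverse -IPAddress 192.168.2.45 -Server LON-DC1
```

Get-ReverseName turns 192.168.2.45 into 45.2.168.192.in-addr.arpa; Test-ForwardConfirmedReverse returns Confirmed = $true only when the PTR name's own A records include the address, which is the test that mail gateways and log-review tools apply before treating a reverse name as trustworthy.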
Overview of Stub Zones
A stub zone is a replicated copy of a zone that contains only those resource records necessary to identify that zone's authoritative DNS servers. A stub zone resolves names between separate DNS namespaces, which might be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

A stub zone consists of the following:
• The delegated zone's SOA resource record, NS resource records, and the A resource records (glue) for those name servers.
• The IP address of one or more master servers that you can use to update the stub zone.

The master servers for a stub zone are one or more DNS servers that are authoritative for the child zone, usually the DNS server that is hosting the primary zone for the delegated domain name.
Stub Zone Resolution
When a DNS resolver performs a recursive query operation on a DNS server that is hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers that the stub zone's NS resource records specify, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server that is hosting the stub zone attempts standard recursion by using root hints.

The DNS server will store in its cache the resource records it receives from the authoritative DNS servers that the stub zone lists, but it will not store these resource records in the stub zone itself. Only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records that the cache stores are cached according to the TTL value in each resource record. The SOA, NS, and glue A resource records, which are not written to cache, expire according to the expire interval that the stub zone's SOA record specifies. The SOA record is created when the stub zone is created, and it is updated during transfers to the stub zone from the original, primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers that the stub zone specifies.
Communication between DNS Servers That Host Parent and Child Zones
A DNS server that delegates a domain to a child zone on a different DNS server is made aware of new authoritative DNS servers for the child zone only when resource records for them are added to the parent zone that the DNS server hosts. This is a manual process that requires administrators for the different DNS servers to communicate often. Stub zones enable a DNS server that is hosting a stub zone for one of its delegated domains to obtain updates of the authoritative DNS servers for the child zone when the stub zone is updated. The update is performed from the DNS server that is hosting the stub zone, and the administrator for the DNS server that is hosting the child zone does not need to be contacted.

Contrasting Stub Zones and Conditional Forwarders
There might be some confusion about when to use conditional forwarders rather than stub zones. This is because both DNS features allow a DNS server to respond to a query with a referral for, or by forwarding to, a different DNS server. However, these settings have different purposes:
• A conditional forwarder setting configures the DNS server to forward a query that it receives to a DNS server, depending on the DNS name that the query contains.
• A stub zone keeps the DNS server that is hosting a parent zone aware of all the DNS servers that are authoritative for a child zone.

If you want DNS clients on separate networks to resolve the names of each other without having to query Internet DNS servers, such as when a company merger occurs, you should configure each network's DNS servers to forward queries for names in the other network. DNS servers in one network will forward names for clients in the other network to a specific DNS server, which builds a large information cache about the other network. This allows you to create a direct point of contact between two networks' DNS servers, which reduces the need for recursion.

Stub zones do not provide the same server-to-server benefit, however. This is because a DNS server that is hosting a stub zone in one network replies to queries for names in the other network with a list of all authoritative DNS servers for the zone with that name, rather than the specific DNS servers that you designated to handle this traffic. This configuration complicates any security settings that you want to establish between specific DNS servers that are running in each of the networks.
When to Use Stub Zones
Use stub zones when you want a DNS server to remain aware of the authoritative DNS servers for a foreign zone.
A conditional forwarder is not an efficient way to keep a DNS server that is hosting a parent zone aware of the authoritative DNS servers for a child zone. This is because whenever the authoritative DNS servers for the child zone change, you have to configure the conditional forwarder setting manually on the DNS server that hosts the parent zone. Specifically, you must update the IP address for each new authoritative DNS server for the child zone.
Demonstration: Creating Zones
This demonstration shows how to:
• Create a reverse lookup zone.
• Create a forward lookup zone.
Demonstration Steps
Create a reverse lookup zone
1. Switch to LON-DC1, and then create a new reverse lookup zone for the 172.16.0.0 IPv4 subnet.
2. Enable dynamic updates on the zone. Select Allow only secure dynamic updates; allowing nonsecure updates lets any host on the network register or overwrite records in the zone.
Create a forward lookup zone
1. Switch to LON-SVR1, and then open the DNS console.
2. Create a new forward lookup zone.
3. Configure the type as secondary, and then define LON-DC1 as the Master server for this zone.
DNS Zone Delegation
DNS is a hierarchical system, and zone delegation connects the DNS layers together. A zone delegation points to the next hierarchical level down, and identifies the name servers that are responsible for the lower-level domain.
When deciding whether to divide the DNS namespace to make additional zones, consider the following reasons to use additional zones:
• You need to delegate management of a part of the DNS namespace to another organizational location or department.
• You need to divide one large zone into smaller zones so you can distribute traffic loads among multiple servers. This improves DNS name-resolution performance, and it creates a more fault-tolerant DNS environment.
• You need to extend the namespace by adding numerous subdomains immediately to accommodate the opening of a new branch or site.
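The zones from the Creating Zones demonstration, plus the delegation and stub zone this lesson describes, created with the DnsServer module. This is an added example, not handbook content. It assumes adatum.com is the AD-integrated zone on LON-DC1 (172.16.0.10), that LON-SVR1 (172.16.0.21) is a domain member running the DNS role, and it invents a child domain example.adatum.com served by 172.16.0.30 to stand in for the lesson's example.microsoft.com.

```powershell
# Added example: reverse zone, secondary zone, delegation and stub zone via PowerShell.
# Server addresses and the example.adatum.com child domain are assumptions.
Import-Module DnsServer

# On LON-DC1: reverse lookup zone for 172.16.0.0/16, stored in AD DS so it
# replicates with the domain. DynamicUpdate Secure accepts only Kerberos-
# authenticated updates; NonsecureAndSecure would let any host register or
# overwrite PTR records in the zone.
Add-DnsServerPrimaryZone -NetworkId '172.16.0.0/16' -ReplicationScope Domain -DynamicUpdate Secure
Get-DnsServerZone -Name '16.172.in-addr.arpa' |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate

# On LON-SVR1: secondary copy of adatum.com with LON-DC1 as master. A secondary
# zone is a read-only, file-backed copy and cannot be AD-integrated. The transfer
# succeeds only if LON-DC1 allows zone transfers to this server (Lesson 4).
Add-DnsServerSecondaryZone -Name 'adatum.com' -ZoneFile 'adatum.com.dns' `
    -MasterServers 172.16.0.10 -ComputerName LON-SVR1

# Delegation in the parent: the NS (and glue A) record that hands
# example.adatum.com to another server. Without it, names under
# example.adatum.com are treated as ordinary records of adatum.com.
Add-DnsServerZoneDelegation -Name 'adatum.com' -ChildZoneName 'example' `
    -NameServer 'ns1.example.adatum.com' -IPAddress 172.16.0.30

# Stub zone on LON-SVR1: holds only the child's SOA, NS and glue A records and
# refreshes them from the master, so LON-SVR1 learns about new authoritative
# servers for the child without anyone editing its configuration.
Add-DnsServerStubZone -Name 'example.adatum.com' -MasterServers 172.16.0.30 `
    -ZoneFile 'example.adatum.com.dns' -ComputerName LON-SVR1

# Verify what LON-SVR1 now hosts and where each zone gets its data.
Get-DnsServerZone -ComputerName LON-SVR1 |
    Select-Object ZoneName, ZoneType, MasterServers, IsDsIntegrated
```

The delegation and the stub zone are two halves of the same relationship: the parent's NS record tells the world who is authoritative for the child, and the stub zone lets a server that needs to reach the child keep that list current from the child's own SOA and NS records rather than from a manually maintained forwarder address.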
Lesson 4
Configuring DNS Zone Transfers
DNS zone transfers determine how the DNS infrastructure moves DNS zone information from one server to another. Without zone transfers, the various name servers in your organization maintain disparate copies of the zone data. You also should consider that the zone contains sensitive data, and securing zone transfers is important. This lesson covers the different methods that the DNS server role uses when transferring zones.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how DNS zone transfers work.
• Explain how to configure zone transfer security.
• Explain how to configure DNS zone transfers.

What Is a DNS Zone Transfer?
A zone transfer occurs when you replicate the DNS zone that is on one server to another DNS server.

Zone transfers synchronize primary and secondary DNS server zones. This is how DNS builds its resilience on the Internet. It is important that DNS zones remain updated on primary and secondary servers. Discrepancies in primary and secondary zones can cause service outages and host names that are resolved incorrectly.

There are three kinds of zone transfer:
• Full zone transfer. A full zone transfer occurs when you copy the entire zone from one DNS server to another. A full zone transfer is known as an All Zone Transfer (AXFR).
• Incremental zone transfer. An incremental zone transfer occurs when there is an update to the DNS server and only the resource records that were changed are replicated to the other server. This is an Incremental Zone Transfer (IXFR).
• Fast transfer. Windows DNS servers also perform fast transfers, which is a type of zone transfer that uses compression and sends multiple resource records in each transmission.
The following table lists the features that various DNS servers support.

DNS server                          Full zone (AXFR)   Incremental zone (IXFR)   Fast transfer
BIND older than 4.9.4               Supported          Not supported             Not supported
BIND 4.9.4 – 8.1                    Supported          Not supported             Supported
BIND 8.2                            Supported          Supported                 Supported
Windows 2000 Service Pack 3 (SP3)   Supported          Supported                 Supported
Windows 2003 (R2)                   Supported          Supported                 Supported
Windows 2008 and R2                 Supported          Supported                 Supported
Windows 2012                        Supported          Supported                 Supported

Active Directory-integrated zones replicate by using multimaster AD DS replication instead of the zone transfer process. This means that any domain controller that also holds the DNS role can update the DNS zone information, which then replicates to all DNS servers that host the DNS zone.
DNS Notify
DNS notify is used by a master server to alert its configured secondary servers that zone updates are available. The secondary servers then request the updates from their master. DNS notify is an update to the original DNS protocol specification that permits notification to secondary servers when zone changes occur. This is useful in a time-sensitive environment, where data accuracy is important.
Configuring Zone Transfer Security
Zone information describes your organization's hosts and services, so you should take precautions to ensure that it is protected from access by malicious users, and that it cannot be overwritten with bad data (DNS poisoning). One way to protect the DNS infrastructure is to secure the zone transfers.
On the Zone Transfers tab in the Zone Properties dialog box, you can specify the list of allowed DNS servers. You also can use these options to disallow zone transfer. By default, zone transfers are turned off.
Although the option that specifies the servers that might request zone data provides security by limiting the data recipients, it does not secure that data during transmission. The list is matched on the source IP address of the request, so it filters who can ask for the zone but does not authenticate them. If the zone information is highly confidential, we recommend that you use an Internet Protocol Security (IPsec) policy to secure the transmission or replicate the zone data over a virtual private network (VPN) tunnel. This prevents packet sniffing to determine information in the data transmission.
Using Active Directory–integrated zones replicates the zone data as part of normal AD DS replication. The zone transfer is then secured as a part of AD DS replication.
Demonstration: Configuring DNS Zone Transfers
This demonstration shows you how to:
• Enable DNS zone transfers.
• Update the secondary zone from the master server.
• Update the primary zone, and then verify the change on the secondary zone.
Demonstration Steps
Enable DNS zone transfers
1. On LON-DC1, enable zone transfers by configuring the Allow zone transfers option.
2. Configure zone transfers to Only to servers listed on the Name Servers tab.
3. Enable Notify to Only to servers listed on the Name Servers tab.
4. Add LON-SVR1.adatum.com as a listed name server to receive transfers.
Update the secondary zone from the master server
• Switch to LON-SVR1 and, in DNS Manager, select Transfer from Master. It is sometimes necessary to perform this step a number of times before the zone transfers. Also, note that the transfer might occur automatically at any time.
Update the primary zone, and then verify the change on the secondary zone
1. Switch back to LON-DC1, and then create a new alias record.
2. Switch back to LON-SVR1, and then verify that the new record is present in the secondary zone. This may require a manual Transfer from Master and a screen refresh before the record is visible.
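The demonstration steps scripted with the DnsServer module, followed by the check that the Configuring Zone Transfer Security topic calls for: a function that lists primary zones whose transfer setting still lets any server request the zone, which is exactly the condition an attacker needs to dump it with AXFR. This is an added example, not handbook content. It assumes adatum.com is primary on LON-DC1 and secondary on LON-SVR1 (172.16.0.21); the alias name intranet and the audit function are invented for the example.

```powershell
# Added example: configure and verify zone transfers, then audit transfer settings.
# LON-SVR1's address and the alias name are assumptions.
Import-Module DnsServer

# Steps 1-4 on LON-DC1: transfers and notifications only to servers on the zone's
# Name Servers tab, then put LON-SVR1 on that tab by adding an NS record for it.
Set-DnsServerPrimaryZone -Name 'adatum.com' -SecureSecondaries TransferToZoneNameServer -Notify Notify
Add-DnsServerResourceRecord -ZoneName 'adatum.com' -Name '.' -NS -NameServer 'LON-SVR1.adatum.com.'
# The NS target needs an A record in the zone, or the name on the tab cannot be
# resolved to the address the transfer ACL is matched against.
if (-not (Get-DnsServerResourceRecord -ZoneName 'adatum.com' -Name 'LON-SVR1' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName 'adatum.com' -Name 'LON-SVR1' -IPv4Address 172.16.0.21
}

# Update the secondary from the master (Transfer from Master in DNS Manager).
Start-DnsServerZoneTransfer -Name 'adatum.com' -FullTransfer -ComputerName LON-SVR1

# Update the primary with a new alias record, pull the change to LON-SVR1 (an
# incremental IXFR when -FullTransfer is omitted), and confirm it arrived.
Add-DnsServerResourceRecordCName -ZoneName 'adatum.com' -Name 'intranet' -HostNameAlias 'lon-dc1.adatum.com'
Start-DnsServerZoneTransfer -Name 'adatum.com' -ComputerName LON-SVR1
Get-DnsServerResourceRecord -ZoneName 'adatum.com' -Name 'intranet' -RRType CName -ComputerName LON-SVR1

# Audit: which primary zones on a server will hand their contents to any client?
# SecureSecondaries is the Zone Transfers tab: NoTransfer, TransferAnyServer,
# TransferToZoneNameServer or TransferToSecureServers (the explicit list).
function Get-OpenZoneTransfer {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                Server            = $ComputerName
                Zone              = $_.ZoneName
                SecureSecondaries = $_.SecureSecondaries
                SecondaryServers  = ($_.SecondaryServers -join ',')
                Exposed           = ($_.SecureSecondaries -eq 'TransferAnyServer')
            }
        }
}

# Report only the zones that need attention.
Get-OpenZoneTransfer -ComputerName LON-DC1 | Where-Object Exposed | Format-Table -AutoSize
```

Run the audit against every DNS server you own, not just the domain controllers: a single member server hosting a file-backed copy of the zone with TransferAnyServer undoes the restriction you set on the master.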
Lesson 5
Managing and Troubleshooting DNS
DNS is a crucial service in the Active Directory infrastructure. When the DNS service experiences problems, it is important to know how to troubleshoot them and identify the common issues that can occur in a DNS infrastructure. This lesson covers the common problems that occur in DNS, the common areas from which you can gather DNS information, and the tools that you can use to troubleshoot problems.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain how TTL, aging, and scavenging help to manage DNS records.
• Explain how to manage TTL, aging, and scavenging for DNS records.
• Explain how to identify problems with DNS by using DNS tools.
• Describe how to troubleshoot DNS by using DNS tools.
• Explain how to monitor DNS by using the DNS Event Log and debug logging.

What Is TTL, Aging, and Scavenging?
TTL, aging, and scavenging help manage DNS resource records in the zone files. Zone files can change over time, so there needs to be a way to manage DNS records that are updated or that are not valid because the hosts they represent are no longer on the network. The following table describes the DNS tools that help to maintain a DNS database.

Tool         Description
TTL          Indicates how long a resolver or another DNS server may keep a record in its cache before it must query for it again. TTL does not decide whether a record is scavenged; that depends on the record's timestamp and the zone's aging intervals.
Aging        Tracks how long it has been since a dynamically registered record was last refreshed. Each such record carries a timestamp; once the zone's no-refresh and refresh intervals have both passed without a refresh, the record is stale. During normal operations, hosts refresh their own records, so aging alone keeps the records of active hosts current and marks only the records of hosts that have left the network.
Scavenging   Removes stale records from the zone database. When scavenging is enabled on both the server and the zone, the server deletes stale records automatically at its scavenging interval; an administrator can also start scavenging manually to force a database cleanup. Static records created by an administrator have no timestamp and are never scavenged.

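Aging and scavenging configured end to end with the DnsServer module, with a function that lists the dynamic records that are already stale (the set the next scavenging pass would delete) and a TTL change on a single record. This is an added example, not handbook content; seven-day intervals, the adatum.com zone on LON-DC1 and the host name lon-svr1 are assumptions.

```powershell
# Added example: TTL, aging and scavenging from PowerShell. Intervals, zone and
# record names are assumptions for the lab.
Import-Module DnsServer

# Server-wide: turn scavenging on and set how often the server scans for stale
# records. Nothing is deleted until aging is also enabled on a zone.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# Per zone: enable aging so dynamic registrations are timestamped. The no-refresh
# interval suppresses timestamp-only updates (and the AD DS replication they
# cause); the refresh interval is how long after that a host may still refresh.
Set-DnsServerZoneAging -Name 'adatum.com' -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# Which records are stale right now? A dynamic record is eligible for scavenging
# when NoRefresh + Refresh has elapsed since its Timestamp. Static records have
# no Timestamp and are skipped, exactly as the server skips them.
function Get-StaleDnsRecord {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $aging  = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $ComputerName
    $cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $ComputerName |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, RecordType, Timestamp, TimeToLive,
            @{ n = 'StaleFor'; e = { (Get-Date) - $_.Timestamp } }
}

# Review before deleting: a stale record for a host that is merely powered off
# for a long time is removed just like one for a decommissioned host.
Get-StaleDnsRecord -ZoneName 'adatum.com' -ComputerName LON-DC1 | Format-Table -AutoSize

# Force a cleanup now instead of waiting for the scavenging interval.
Start-DnsServerScavenging -Force

# TTL: shorten the cache lifetime of one host record ahead of a planned address
# change, so resolvers pick up the new address within 5 minutes instead of the
# default 1 hour. Set-DnsServerResourceRecord takes the old and new objects.
$old = Get-DnsServerResourceRecord -ZoneName 'adatum.com' -Name 'lon-svr1' -RRType A
$new = $old.Clone()
$new.TimeToLive = [TimeSpan]::FromMinutes(5)
Set-DnsServerResourceRecord -ZoneName 'adatum.com' -OldInputObject $old -NewInputObject $new
Get-DnsServerResourceRecord -ZoneName 'adatum.com' -Name 'lon-svr1' -RRType A |
    Select-Object HostName, TimeToLive, Timestamp
```

Run Get-StaleDnsRecord before enabling scavenging on a zone that has been aging for a long time: the first pass can remove every record whose owner has not refreshed within the combined intervals, including servers that register their own records only at startup.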
If left unmanaged, the presence of stale resource records in zone data might cause problems. For example:
• If a large number of stale resource records remain in server zones, they eventually can use up server disk space and cause unnecessarily long zone transfers.