Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam 70-291)

■ Chapter 6 Administering DNS in a Windows Server 2003 Network
■ Chapter 7 Implementing, Managing, and Maintaining IP Addressing
■ Chapter 8 Implementing, Managing, and Maintaining Name Resolution
■ Chapter 9 Implementing, Managing, and Maintaining Routing and Remote Access
■ Chapter 10 Managing Network Security
■ Chapter 11 Maintaining a Network Infrastructure

All-In-One / MCSE Windows Server 2003 All-in-One Exam Guide / Culp, Harwood, Berg / 222406-1/Chapter 6

CHAPTER 6
Administering DNS in a Windows Server 2003 Network

In this chapter, you will learn about

• The NetBIOS namespace
• The DNS namespace
• Fully qualified domain names
• Zones
• Host names

Welcome to the 291 section of this All-in-One certification guide. This section will prepare you for the test entitled Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure. Just what exactly does that mean? Mostly, it's about getting Windows computers to talk to one another.

For computers in a Windows 2003 network infrastructure to talk to one another, one of the key ingredients is the DNS service. DNS is the name resolution mechanism used by Windows Server 2003 clients to find other computers and the services running on those computers. A client consults its configured DNS servers for the records that list Active Directory domain controllers, and it is to one of those domain controllers that it then submits its logon credentials.

Before we get too far along, however, you need to understand a few background concepts about the network infrastructure, any network infrastructure. This chapter explains the concepts at work in DNS. If you are already familiar with the DNS service and terms such as zones, FQDNs, iterative queries, and PTR records, you can probably move right ahead to Chapter 7, where the exam objectives are met with a discussion of TCP/IP. How to install, configure, and manage DNS in a Windows Server 2003 implementation is explored in Chapter 8.

The NetBIOS Namespace

We start our discussion of DNS with the NetBIOS (Network Basic Input/Output System) namespace. Namespaces make it easier for humans to work with computers because both the best thing and the worst thing about computers is that they work with numbers. Humans, however, like to work with names.

Computers and network services are therefore given names in these namespaces, and services like the DNS service exist to resolve the names that humans prefer into the numbers computers rely on, so that the computers can communicate. This is the essence of a namespace.

But no two namespaces are exactly alike. There are important differences between the DNS namespace and the NetBIOS namespace, and identifying some of the advantages and disadvantages of each can help you understand them. It also helps explain why almost all computer networks today use DNS as the namespace of choice.

Prior to Windows 2000, the Windows networking model was built upon the NetBIOS namespace, not the DNS namespace. The NetBIOS namespace uses NetBIOS names. NetBIOS is actually an application programming interface that sits above the transport layer (more on that in the next chapter); in a routed network it uses the transport services of TCP/IP, an arrangement known as NetBIOS over TCP/IP (NetBT).

A NetBIOS name is a 16-byte address that identifies a NetBIOS resource on a network. The important thing to keep in mind about the NetBIOS namespace, especially when contrasting it to the DNS namespace, is that it is a flat namespace. DNS, conversely, is a hierarchical namespace. Every NetBIOS name must be unique, period. There is no structure of parent and child namespaces that allows a computer or service name to be reused. For example, if the Internet used the NetBIOS namespace, there could be only one computer with the name www. Of course, we know that www is used millions of times, because each instance of the www host only needs to be unique within its parent domain. In the NetBIOS world, there is no such thing as a parent domain.

In the NetBIOS environment, computers and services register unique NetBIOS names by using a 15-character computer name with a 16th byte appended; that 16th byte, usually written in hexadecimal, identifies the service on the network. If the computer name does not contain 15 characters, NetBIOS dictates that the name is padded with as many spaces as necessary to produce a 15-character name.

What's more, some services running on a default Windows Server 2003 installation still register NetBIOS names. An example is File and Printer Sharing for Microsoft Networks (also known as the Server service). At startup, your Windows Server 2003 system registers this unique name, which is generated from the computer name given to the system during operating system installation.

You can look up the NetBIOS name your computer uses by opening the System Properties dialog box and choosing the Computer Name tab. Click Change, then click More; the NetBIOS computer name is displayed at the bottom of the dialog box.

Also by default, your system registers this name by broadcasting it to the network and listening to see whether any computer has already registered the name. If there is no response, the system adds the name to its local NetBIOS name table. You can list that table with the nbtstat utility from the command prompt using the -n switch, as shown in Figure 6-1 (the -c switch instead shows the cache of remote names the computer has resolved). Note that nothing in this exchange is authenticated: any host on the same broadcast segment can answer a registration or a name query, which is one reason NetBIOS over TCP/IP is best disabled on networks that no longer need it.

If it appears that your Windows Server 2003 computer has registered its name more than once, as it should, it hasn't; you are really looking at different NetBIOS names, because the 16th byte makes each name unique. However, if another computer on the same network tried to use the same computer name, that computer would not be able to register its name at startup, because the NetBIOS names would conflict. For example, the Server service always identifies itself with the 16th byte 0x20, so two computers running the Server service with the same computer name would both try to register the same NetBIOS name, and a conflict would result.
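The 15-plus-1 byte layout and the conflict rule described above can be checked in a few lines of Python. The following is an added example, not code from the book: the suffix descriptions and the single-segment name table are constructed for illustration, and the 32-character first-level encoding from RFC 1001, included so you can recognize these names in a packet capture, goes beyond what the chapter describes.

```python
# Added example (not from the book): NetBIOS name layout and conflict detection.
# The suffix descriptions and the host table below are constructed for illustration.

SUFFIXES = {
    0x00: "Workstation service",
    0x20: "Server (File and Printer Sharing) service",
    0x1B: "Domain master browser",
    0x1C: "Domain controllers (group name)",
}
GROUP_SUFFIXES = {0x1C}   # group names may be registered by many hosts at once


def netbios_name(computer_name, suffix):
    """Return the 16-byte NetBIOS name: up to 15 characters, space padded, then the suffix byte."""
    raw = computer_name.upper().encode("ascii")
    if not 1 <= len(raw) <= 15:
        raise ValueError("NetBIOS computer names are 1 to 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must fit in one byte")
    return raw.ljust(15, b" ") + bytes([suffix])


def describe(name16):
    """Render a 16-byte name the way nbtstat -n shows it: NAME <suffix> description."""
    suffix = name16[15]
    return f"{name16[:15].decode('ascii').rstrip()} <{suffix:02X}> {SUFFIXES.get(suffix, 'unknown')}"


def first_level_encode(name16):
    """RFC 1001 first-level encoding: each byte becomes two letters A-P (one per nibble),
    so the 16-byte name travels on the wire as a 32-character label."""
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in name16)


def first_level_decode(label):
    if len(label) != 32 or any(not "A" <= c <= "P" for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    nibbles = [ord(c) - 0x41 for c in label]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))


class NameTable:
    """What the hosts on one broadcast segment collectively hold: a unique name
    can belong to one host only, so a second host's registration is refused."""

    def __init__(self):
        self._owners = {}   # 16-byte name -> IP of the host that registered it

    def register(self, name16, ip):
        if name16[15] in GROUP_SUFFIXES:
            return True                       # group names never conflict
        owner = self._owners.get(name16)
        if owner is not None and owner != ip:
            return False                      # conflict: another host already owns it
        self._owners[name16] = ip
        return True


if __name__ == "__main__":
    table = NameTable()
    for host, ip in (("FS1", "10.0.0.5"), ("FS1", "10.0.0.9")):
        for suffix in (0x00, 0x20):
            name = netbios_name(host, suffix)
            print(f"{ip:10} {describe(name):45} registered={table.register(name, ip)}")
    print(first_level_encode(netbios_name("FS1", 0x20)))
```

Run as a script, the second host's registrations of FS1 <00> and FS1 <20> are both refused, while the same host registering several suffixes is fine, which is exactly the "one name, many suffixes" pattern nbtstat -n displays. The wildcard query name (an asterisk padded with NUL bytes) encodes to CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, a string anyone who has looked at NBT-NS traffic will recognise.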

There is also a service that can be installed on a Windows Server 2003 computer to provide registration, renewal, and resolution of NetBIOS names to IP addresses. In Windows, this NetBIOS name server is called the Windows Internet Name Service, or WINS (the word Internet here is a misnomer; WINS is not used on the Internet). WINS eliminates the need for broadcast resolution of NetBIOS names to IP addresses by keeping a centralized database of name-to-IP-address mappings. In other words, WINS does for the NetBIOS namespace what DNS servers do for the DNS namespace.

In Windows 2003, WINS can still be deployed, and it may even be a good idea, depending on whether the applications or operating systems in your network still rely heavily on NetBIOS name resolution. However, it should not be needed when the computing environment is entirely Windows 2000 or newer. Furthermore, you should not expect to be tested on your knowledge of WINS.

So why did we start here? Because DNS is also a namespace: a much more flexible and scalable one, albeit one that is considerably more complex.

The DNS Namespace

The Domain Name System (DNS) is a vital component in a Windows 2003 network, as will be made clear throughout this chapter and throughout your pursuit of the MCSE certification. Without DNS, you would have to know the IP address of every computer you communicate with. DNS exists to resolve the names of computers to IP addresses. It also aids in locating services on a network. In the DNS namespace, the computer names are known as hosts, although the word host can refer to just about any network interface card (NIC) with an IP address bound to it.

Figure 6-1 A list of registered NetBIOS names


Furthermore, DNS organizes these resources into a hierarchy of domains. The DNS you implement on a Windows Server 2003 system is built on the same standards as the DNS in use on other TCP/IP networks, such as the Internet. It provides a mechanism through which user-friendly names (such as ftp.beanlake.com) are resolved to IP addresses (such as 10.100.9.23) so that computers can establish a communications channel using protocols such as HTTP, FTP, or SMB. The TCP/IP protocols are the transport mechanism that carries data from one system to the other.

And more important, at least for the study of Windows 2003 networks, DNS provides the naming infrastructure for Active Directory. When you build your Active Directory domains, you name them in accordance with the DNS naming conventions in use on the Internet. That way, Active Directory can easily integrate with existing networks that follow the same naming conventions, using the same name resolution technology, namely DNS.

In fact, DNS is not merely a possible namespace, an alternative to the NetBIOS namespace, say; it is the required namespace for Active Directory. You can choose to integrate with the Internet or create a completely private Active Directory network, but you have no choice about the naming standard. As implemented in Active Directory, DNS provides a parent/child architecture for naming objects, and using this architecture the DNS namespace allows for a virtually unlimited number of Active Directory objects.

DNS Components

There are three main components you'll find in the Domain Name System, not just in Microsoft's implementation but in any DNS solution. These three items are

• Domain name servers

• DNS resolvers

• The logical namespace

The domain name servers are servers running the DNS server software, which store zone files (we'll get to zones in just a bit). These name servers provide address resolution and other information about the computers you access, both in your Active Directory domain and in the named domains across the entire Internet.

DNS resolvers are pieces of code built into the operating system. These pieces of code, also known as DNS clients, request resolution of FQDNs to IP addresses by querying their configured name servers. FQDNs are defined in the next section.

Finally, the namespace is the logical division of names in which DNS objects are stored. The emphasis here is on the word logical. There is nothing you can point to and say, "That's the domain." To illustrate, ask yourself, "Where is the Microsoft domain?" You can't really say. That's because a DNS domain, much like an Active Directory domain, is an organizational entity. The only physical things you can point to are the name servers, the computers that store information about, and service requests for, the resources in the domain.


Keep in mind, too, that in an Active Directory forest the namespace can often reflect the organizational chart of a particular company, where the company name starts at the root of the namespace and then breaks into domains that provide a hierarchy for your enterprise.

Fully Qualified Domain Names

As just mentioned, the job of a resolver is to request resolution of a fully qualified domain name (FQDN) to an IP address. A fully qualified domain name is a host name appended to its parent namespaces in the hierarchy. In other words, within the fully qualified domain name you can see the different levels of the namespace hierarchy. Figure 6-2 helps you visualize this hierarchy, from the root-level namespace through the top-level domains and down, as used throughout the Internet today.

Note that the leftmost portion of the FQDN is the host portion of the name. A host name is an alias we give to an IP address. Typically, any computer in a network is considered a host, but other devices, such as routers and network print devices, can have names assigned to them, too.

All other naming information, every label to the right of the first one, identifies the logical parent namespace in which the host lives.

There are organizations outside of your control that manage the topmost levels of the domain namespace. The InterNIC was historically the organization that managed the top-level namespaces; today that coordination is done by ICANN through its IANA function, with a registry operating each top-level domain.

NOTE For full information on the InterNIC and what it governs, visit http://www.internic.net/.

The first two levels of the DNS namespace, the root-level and top-level domains, are therefore outside your control. There is only one root domain, which acts as the starting point of all fully qualified domain names. This root domain is designated with a dot (.), and in days of yore people had to type this dot when using FQDNs. Now, however, applications like Internet Explorer assume the trailing dot is implied, and you no longer have to enter the root domain when browsing to an Internet address.

Figure 6-2 The logical DNS hierarchy

The top-level domains include familiar generic domains like .com, .net, .edu, .gov, and .mil (the last three of which are reserved for United States institutions). Other top-level domains are country codes like .ca, .uk, and .au (for Canada, the United Kingdom, and Australia, respectively). New top-level domains like .tv, .law, .info, .biz, and many more have been proposed or implemented to accommodate new entities entering the Internet fray.

To register a second-level domain, you (or a registrar such as register.com acting on your behalf) need to find out whether the domain will be unique in its parent namespace. For example, if you want to register beanlake.com and someone already holds it, you're out of luck. However, you may still be able to register beanlake.org. The name beanlake can be used many times; the only requirement is that it be unique within its parent-level namespace.

Likewise with host names. There are most likely several thousand computers with the host name COMPUTER1. That's okay, as long as COMPUTER1 is not reused within a single domain: there can be only one COMPUTER1 in the beanlake.com domain, just as there can be only one COMPUTER1 in the microsoft.com domain. (DNS names are not case sensitive, so computer1 and COMPUTER1 are the same name.)
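As an added example (not part of the book), here is the hierarchy and the "unique within the parent" rule from the last few paragraphs expressed in Python. The fictional names are the chapter's; the label and name length limits come from RFC 1035 and the host-name character rule from RFC 1123, neither of which the chapter spells out.

```python
# Added example (not from the book): FQDN structure and the sibling-uniqueness rule.
import re

MAX_LABEL = 63
MAX_NAME = 253                      # printable form, trailing dot excluded
HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def labels(fqdn):
    """'ftp.atchison.beanlake.com.' -> ['ftp', 'atchison', 'beanlake', 'com'].
    The trailing dot (the root) is optional on input, as in modern applications."""
    name = fqdn.rstrip(".")
    if len(name) > MAX_NAME:
        raise ValueError("name longer than 253 characters")
    parts = name.split(".") if name else []
    for part in parts:
        if not part or len(part) > MAX_LABEL:
            raise ValueError(f"bad label {part!r} in {fqdn!r}")
    return parts


def is_valid_fqdn(fqdn):
    try:
        labels(fqdn)
        return True
    except ValueError:
        return False


def is_valid_hostname(label):
    """Host labels: letters, digits and interior hyphens only (RFC 1123)."""
    return bool(HOST_LABEL.match(label))


def host_and_parent(fqdn):
    """Leftmost label is the host; everything to its right is the parent domain."""
    parts = labels(fqdn)
    if not parts:
        raise ValueError("the root has no host part")
    return parts[0], ".".join(parts[1:]) + "."


def hierarchy(fqdn):
    """Every level from the root down, in the order a resolver walks them."""
    parts = labels(fqdn)
    return ["."] + [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]


class Namespace:
    """Names are case-insensitive and need only be unique among their siblings."""

    def __init__(self):
        self._taken = set()

    def register(self, fqdn):
        key = tuple(p.lower() for p in labels(fqdn))
        if key in self._taken:
            return False                  # already used under this parent
        self._taken.add(key)
        return True

    def children(self, parent):
        """The sibling set under a parent: the scope within which a name must be unique."""
        pkey = tuple(p.lower() for p in labels(parent))
        n = len(pkey)
        return sorted(k[-n - 1] for k in self._taken
                      if len(k) == n + 1 and k[len(k) - n:] == pkey)
```

hierarchy() yields the same sequence of names that the iterative walk later in this chapter visits, from the root down to the host itself, and Namespace shows why a second COMPUTER1 is refused in beanlake.com yet accepted in microsoft.com.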

Also, when you register a name for use on the Internet, you're responsible for providing the names and addresses of at least two name servers (NS records, discussed later in this chapter) that will resolve the names of hosts, subdomains, and other resources in that second-level domain. The second-level domain is controlled by you if you're the one who registers it. From there you're free to add records on your DNS servers representing individual computers in that domain, subdomains of it, or even the locations of Active Directory domain controllers.

Furthermore, in order to communicate with other computers, both in your own domain and across the Internet, you need to be able to resolve fully qualified domain names to IP addresses. How is this done? You ask your configured DNS server for resolution.

But before we examine the process for resolving a name to an IP address, we must understand what information is kept on the name servers. To store the name-to-IP-address mappings so crucial to network communication, name servers use zone files.

Understanding Zones

If domains represent the logical divisions of the DNS namespace, zones represent the physical divisions. In other words, the resource records for the resources within your DNS domains are stored in a zone file, and this zone file exists on the hard drive of one of your name servers (or, for Active Directory-integrated zones, in the directory database). So there are logical parts of the DNS namespace, the domains themselves, and there are physical parts, both the name servers and the zone files. Domain name servers are simply servers that store these zone database files and provide resolution for the records in them. The DNS servers also manage how those zone files are updated and transferred.


Zone files are divided into two basic types:

• Forward lookup zone: provides host-name-to-IP-address resolution

• Reverse lookup zone: provides IP-address-to-host-name resolution

Generally speaking, humans are more concerned with the proper configuration of a forward lookup zone, as this is indeed more vital for successful computer communication. For example, a forward lookup zone is consulted when a domain user in a Windows Server 2003 Active Directory domain is looking for a domain controller to which logon credentials can be submitted. And let's not forget the web browser, which also relies on forward lookup zones to resolve FQDNs such as ftp.beanlake.com or www.beanlake.com into IP addresses, whether typed in the address bar or coded within a hyperlink. As administrators everywhere know, users without working Internet access are unhappy users.

Reverse lookup zones, on the other hand, are generally used by utilities like nslookup. In fact, nslookup, which we will discuss in Chapter 8, begins every session with a reverse lookup of the DNS server's own IP address so that it can display the server's name; without a properly configured reverse lookup zone it prints a "can't find server name" warning, even though the queries that follow still work.

When a zone file is first created on a DNS server, that server is said to be authoritative for the zone. Then, for each child DNS domain name included in the zone, the zone becomes the authoritative source for the resource records stored in that child domain as well. This means the DNS server can provide resolution for multiple domains from one zone file, and all changes to the resource records in those domains are made to the authoritative zone it stores.

Additionally, keep in mind that a zone can be authoritative for a single domain or for multiple domains. This can be a little confusing, because one zone file can be authoritative for several domains. If you have a DNS hierarchy that, for administrative reasons, you have broken into multiple domains, yet those domains don't have a vast number of resources, it may be good planning to store the records for both namespaces, or all three or all five namespaces, in a single zone. In this example, that single zone would be authoritative for multiple portions of the DNS namespace.

It usually helps if you can remember the distinction between the logical part of DNS (the domains) and the physical part (the zones). In Figure 6-3, name server A stores a zone file that is authoritative for two domains, while name server B is authoritative for only a single domain.


Figure 6-3 A zone can be authoritative for one domain or multiple domains.


Zone Categories

The DNS zones kept on Windows Server 2003 computers can be further broken down into one of three categories. Each forward or reverse lookup zone will be one of these types:

• Primary zone

• Secondary zone

• Stub zone

What's more, all of the zones you can create in Windows 2003 can be integrated with Active Directory. Each of these zone categories is discussed in Chapter 8.

Resource Records Stored in a Zone File

Each record stored in a zone file has a specific purpose. Some records set the behavior of the name server; others have the job of resolving a host name or service into an IP address. Table 6-1 explains the most common resource records you will administer, in no particular order.


Table 6-1 Resource Records Stored in a Zone File

Record  Name                Purpose

A       Host                A host record populates a forward lookup zone and is the workhorse record of a DNS zone. It provides host-name-to-IP-address resolution.

PTR     Pointer             This record populates the reverse lookup zone files, if configured, and does just the opposite of an A record: it provides IP-address-to-host-name resolution.

SRV     Service             A service record identifies the hosts that offer a given service in a domain namespace, together with the port, priority, and weight. When a user submits a domain logon, the client must find a domain controller for the domain; it does this by querying for SRV records such as _ldap._tcp.dc._msdcs.<domain>, which name the domain controllers.

MX      Mail Exchange       This record identifies the mail server for a given domain by host name, together with a preference value; the host name is then resolved to an IP address through its own A record. All mail destined for a domain such as yahoo.com is delivered to the host named by the lowest-preference MX record in the zone authoritative for yahoo.com.

NS      Name Server         These specify the name servers that are authoritative for a given portion of the DNS namespace. These records are essential when DNS servers are performing iterative queries to perform name resolution.

SOA     Start Of Authority  This resource record indicates the name of origin for the zone and contains the name of the server that is the primary source of information about the zone. The information in an SOA record affects how often transfers of the zone are done between the servers authoritative for it. It also stores other properties such as the zone serial number and the timings that govern zone refresh, retry, and expiration.

CNAME   Canonical Name      Also referred to as an alias record, a CNAME lets one host be reached under several names. For example, the server hosting www.microsoft.com is probably not named www, but a CNAME record exists so that www resolves all the same. The CNAME record points not to an IP address but to another name, the canonical name, whose own A record supplies the address.

Updates to Windows Server 2003's DNS

DNS is open standards based. Modifications and improvements are constantly being developed by the open standards community through a series of Requests for Comments (RFCs). These RFCs help shape DNS into a better name resolution service with each iteration, and help it integrate with improvements in other areas of network communication.

As such, there have been several enhancements to the DNS features available in the Windows 2003 implementation of DNS, especially when compared to Microsoft's earlier releases of the DNS service. Some of the improvements include the following:

• Conditional forwarders  DNS queries can be sent to specific DNS servers when they match a defined condition. For example, the 2003 DNS server can be set so that all queries for FQDNs that end in whatisthematrix.com are forwarded to a specific DNS server.

• Stub zones  A stub zone keeps a DNS server that hosts a parent zone aware of the authoritative DNS servers for a child zone, holding only the child's SOA, NS, and glue A records. This improves the efficiency of DNS name resolution.

• Enhanced DNS zone replication in Active Directory  You now have four replication scope choices for Active Directory-integrated DNS zone data.

• Enhanced DNS security features  Windows Server 2003's DNS now provides greater flexibility when administering security for the DNS server, the DNS client, and the DNS zone data.

• Enhanced debug logging  The DNS server has been written with enhanced debug logging options to aid in troubleshooting DNS name resolution.
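The zone file described in Understanding Zones and the record types of Table 6-1 can be seen working together in a small parser. This is an added example, not code from the book or from the Windows DNS server: the zone text is written in the standard RFC 1035 master-file format (the format the Windows DNS server uses for file-backed zones), and every name, address, and value in it is constructed for the chapter's fictional beanlake.com, including a child domain (atchison) kept in the same zone.

```python
# Added example (not from the book or the Windows DNS server): parse a zone in
# RFC 1035 master-file format and answer lookups for the record types in Table 6-1.
# ZONE_TEXT and every name and address in it are constructed for the chapter's
# fictional beanlake.com.

from collections import defaultdict

ZONE_TEXT = """\
$ORIGIN beanlake.com.
$TTL 3600
@      IN SOA   ns1.beanlake.com. hostmaster.beanlake.com. (
                2003102401 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; minimum
@      IN NS    ns1.beanlake.com.
@      IN NS    ns2.beanlake.com.
@      IN MX    10 mail.beanlake.com.
@      IN MX    20 mail2.beanlake.com.
ns1    IN A     10.100.9.1
ns2    IN A     10.100.9.2
mail   IN A     10.100.9.10
mail2  IN A     10.100.9.11
ftp    IN A     10.100.9.23
www    IN CNAME ftp
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.beanlake.com.
dc1    IN A     10.100.9.5
; a child domain kept in the same zone file: this zone is authoritative for it too
ftp.atchison IN A 10.100.20.23
"""

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def _canon(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _absolute(name, origin):
    """Complete a relative name with the current $ORIGIN; '@' is the origin itself."""
    if name == "@":
        return origin
    return _canon(name if name.endswith(".") else f"{name}.{origin}")


def _logical_lines(text):
    """Strip ';' comments and join lines grouped by parentheses (as in the SOA above)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined = " ".join(buf).strip()
            buf = []
            if joined:
                yield joined


class Zone:
    def __init__(self):
        self.origin = None                 # owner name of the SOA record
        self.rrs = defaultdict(list)       # (owner, type) -> [(ttl, rdata), ...]

    def is_authoritative(self, name):
        name = _canon(name)
        return name == self.origin or name.endswith("." + self.origin)

    def lookup(self, name, rtype, _hops=0):
        """rdata for (name, type); follows a CNAME to its canonical name, as a name
        server does, for any type other than CNAME itself."""
        name = _canon(name)
        if (name, rtype) in self.rrs:
            return [rdata for _, rdata in self.rrs[(name, rtype)]]
        if rtype != "CNAME" and (name, "CNAME") in self.rrs and _hops < 8:
            return self.lookup(self.rrs[(name, "CNAME")][0][1], rtype, _hops + 1)
        return []


def parse_zone(text):
    zone, origin, default_ttl = Zone(), ".", None
    for line in _logical_lines(text):
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = _canon(fields[1])
            continue
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        owner = _absolute(fields.pop(0), origin)
        ttl = int(fields.pop(0)) if fields[0].isdigit() else default_ttl
        if fields[0].upper() == "IN":
            fields.pop(0)
        rtype = fields.pop(0).upper()
        if rtype == "A":
            rdata = fields[0]
        elif rtype in ("NS", "CNAME", "PTR"):
            rdata = _absolute(fields[0], origin)
        elif rtype == "MX":                        # preference target
            rdata = (int(fields[0]), _absolute(fields[1], origin))
        elif rtype == "SRV":                       # priority weight port target
            rdata = (int(fields[0]), int(fields[1]), int(fields[2]), _absolute(fields[3], origin))
        elif rtype == "SOA":
            values = (_absolute(fields[0], origin), _absolute(fields[1], origin), *map(int, fields[2:7]))
            rdata = dict(zip(SOA_FIELDS, values))
            zone.origin = owner
        else:
            raise ValueError(f"unsupported record type {rtype}")
        zone.rrs[(owner, rtype)].append((ttl, rdata))
    return zone


def mail_exchangers(zone, domain):
    """MX hosts in preference order, each resolved to addresses through its A record."""
    return [(pref, host, zone.lookup(host, "A")) for pref, host in sorted(zone.lookup(domain, "MX"))]
```

Two details worth noticing: lookup("www.beanlake.com", "A") returns ftp's address because the CNAME is followed to its canonical name rather than holding an address of its own, and the MX record carries a host name, so mail_exchangers() has to make a second lookup to turn it into something a mail client can connect to.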


Resolving a Host Name

Now that you understand the components of the DNS infrastructure, you need to understand how a DNS client resolves an FQDN to an IP address. There are actually several ways. A client can sometimes answer a query using information cached from a previously successful resolution. In fact, this cache is the first place the DNS resolver checks.

If the cache check does not yield an IP address, the resolver gets help from its configured DNS server, as outlined in the next section. The client's request to that server is known as a recursive query.

The DNS server in turn can use its own cache of resource record information to answer the query. Barring a quick resolution from the DNS server's cache, the server begins a "walk" of the DNS tree through a series of iterative queries. The next section describes this navigation through the DNS namespace.

Forward Lookup Resolution of FQDNs

Any time you enter a fully qualified domain name into an application, your operating system uses the resolver code to query its configured DNS server (or servers) for an IP address for the name you have just entered. If your locally configured DNS server has a zone file that contains a record for the resource you're trying to reach (or if the record is in the server's cache), that resource's IP address is returned to your resolver. In most cases, though, the zone file is not going to hold the record you're trying to look up. In that case, the DNS server resolves the name on your behalf. It does so by walking the DNS hierarchy.

For example, if you type ftp.atchison.beanlake.com into a browser, the browser needs to look up this fully qualified domain name using its resolver. The computer doesn't care what the name of the remote computer is; in order to communicate, it needs the IP address. The first place it looks for resolution is its configured DNS server. This query to the locally configured DNS server is called a recursive query.

If the local DNS server does not have an A record that maps ftp.atchison.beanlake.com to an IP address, the client's local DNS server, if it is configured to do so, begins looking through the DNS hierarchy on behalf of the DNS client. The DNS server performs the name resolution; the DNS client simply waits for a response to its recursive query. The client's local DNS server then talks to other DNS servers throughout the DNS hierarchy using a series of iterative queries.

It begins by checking with one of its configured root-level name servers. Every Windows Server 2003 installation of DNS comes with a list of root-level name servers already known (the root hints), and the server will query one of the servers in that list unless it has been configured to be a root-level server for a private network not directly connected to the Internet. You can see this list by opening the DNS console, right-clicking your server, and choosing Properties. The Root Hints tab, shown in Figure 6-4, contains the entries for the root-level name servers. In Chapter 8, we investigate the DNS console in greater detail.


The root-level name servers won't know how to resolve ftp.atchison.beanlake.com to an IP address either, but they will steer the client's local DNS server to the top-level name servers for .com. One of those .com name servers is then asked the same question by the local DNS server: "What's the IP address for ftp.atchison.beanlake.com?" It won't have records for that resource in its zone files either, so it returns its best answer, which in this case is the NS records (and addresses) of the DNS servers authoritative for beanlake.com.

And so it goes. When the client's local DNS server has the IP addresses of the DNS servers authoritative for beanlake.com, it asks those servers the same question, and if atchison.beanlake.com has been delegated to its own servers, it receives one more referral and asks there for the record for ftp.

At long last, the DNS server that has just been queried, the one responsible for the zone file that stores host (A) records for the atchison.beanlake.com zone, will indeed have the IP address for the name ftp, and will return that IP address to the local DNS server. The local DNS server hands the IP address back to the resolver, and communication can be established from one IP address to another (the FTP client and the FTP server in this case). This procedure is diagrammed in Figure 6-5.

After the resolution is complete, the client's resolver caches the successful result. If the same name is requested again, it can be resolved without a query to DNS. Likewise, the entry is cached on the DNS server for the same purpose. If another client of that DNS server requests resolution of the name before the entry's time-to-live (TTL) expires, the name is resolved from the cache without walking the DNS tree.

Figure 6-4 The preconfigured list of root-level name servers

Recursive Queries and Iterative Queries

As mentioned, the process involves two types of queries. The client asks its local DNS server using a recursive query. A recursive query says, basically, "give me the answer or tell me that you can't find it." It's a pass/fail type of proposition. The other type of query, the one the local DNS server sends to other DNS servers as it walks the domain tree, is called an iterative query. When your DNS server sends an iterative query, it's asking for a "best guess." The root-level name servers don't have the IP address for ftp.atchison.beanlake.com, but they give their best response, which is, "I don't have it, but here are the .com name servers; go ask them." If you're asking for something in the .com namespace, the root-level name servers aren't going to send you the IP address of .net name servers or .gov name servers. They will give you the NS records for the name servers that govern the .com namespace.

Because recursion means your server does work on behalf of whoever asks, a DNS server that accepts recursive queries from the whole Internet (an "open resolver") can be abused for reflection attacks against third parties and is a larger target for cache poisoning. Accept recursive queries only from your own clients, and on servers that should do nothing but answer for their own zones, turn recursion off (the Disable Recursion check box on the Advanced tab of the server's properties in the DNS console).
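The walk just described, as an added example that is not from the book: a small in-memory model of the tree for ftp.atchison.beanlake.com. The four server names, the delegation of atchison.beanlake.com to its own server, the 10.169.254.x addresses and the 3600-second TTL are assumptions made for the example. iterative_query is what one authoritative server does when asked (it answers, refers, or says no, and never asks anyone else); LocalDnsServer.recursive_query is what the client's local server does with a recursive query (follows the referrals, caches the answer for its TTL, and hands back either the answer or nothing).

```python
"""Walking the DNS tree for ftp.atchison.beanlake.com with iterative queries.

Editor's example, not code from the book. Server names, the 10.169.254.x
addresses and the delegation layout are assumptions for the example.
"""
import time

# Constructed zone data: one authoritative server per zone, keyed by server
# name. Each server knows only its own zone: a host's A record, or NS records
# delegating a child zone. Real referrals also carry glue A records for the
# name servers; here the server name doubles as its address.
ZONES = {
    "a.root-servers.test.": {"apex": ".", "records": {
        "com.": {"NS": ["a.gtld-servers.test."]}}},
    "a.gtld-servers.test.": {"apex": "com.", "records": {
        "beanlake.com.": {"NS": ["ns1.beanlake.com."]}}},
    "ns1.beanlake.com.": {"apex": "beanlake.com.", "records": {
        "ns1.beanlake.com.": {"A": ["10.169.254.2"]},
        "atchison.beanlake.com.": {"NS": ["ns1.atchison.beanlake.com."]}}},
    "ns1.atchison.beanlake.com.": {"apex": "atchison.beanlake.com.", "records": {
        "ns1.atchison.beanlake.com.": {"A": ["10.169.254.3"]},
        "ftp.atchison.beanlake.com.": {"A": ["10.169.254.23"]}}},
}
ROOT_HINTS = ["a.root-servers.test."]   # the preconfigured root-level list
TTL = 3600                               # seconds, set by the authoritative zone


def ancestors(name):
    """'ftp.atchison.beanlake.com.' -> itself, 'atchison.beanlake.com.', ..., '.'"""
    labels = [label for label in name.rstrip(".").split(".") if label]
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def in_zone(name, apex):
    return apex == "." or name == apex or name.endswith("." + apex)


def iterative_query(server_name, qname):
    """One iterative query, answered only from the server's own zone data:
    ('ANSWER', ips), ('REFERRAL', ns_names), ('NXDOMAIN', None) for a name
    missing from the zone, or ('REFUSED', None) outside the server's zone."""
    server = ZONES[server_name]
    if not in_zone(qname, server["apex"]):
        return ("REFUSED", None)
    rr = server["records"].get(qname, {})
    if "A" in rr:
        return ("ANSWER", rr["A"])
    # Best guess: the closest delegation point between the name and our apex.
    for ancestor in ancestors(qname):
        if ancestor == server["apex"]:
            break
        ns = server["records"].get(ancestor, {}).get("NS")
        if ns:
            return ("REFERRAL", ns)
    return ("NXDOMAIN", None)


class LocalDnsServer:
    """The client's local DNS server: accepts recursive queries, performs the
    iterative walk on the client's behalf, and caches answers for their TTL."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}    # qname -> (ips, expiry time)
        self.trace = []    # (server queried, qname, result) per iterative query

    def recursive_query(self, qname, max_hops=16):
        """Pass/fail for the client: the answer, or None if it cannot be found."""
        if not qname.endswith("."):
            qname += "."
        now = self.clock()
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            return cached[0]                      # served from cache, no walk
        servers = list(ROOT_HINTS)
        for _ in range(max_hops):
            kind, data = iterative_query(servers[0], qname)
            self.trace.append((servers[0], qname, kind))
            if kind == "ANSWER":
                self.cache[qname] = (data, now + TTL)
                return data
            if kind == "REFERRAL":
                servers = data                    # follow the NS records down
                continue
            return None                           # NXDOMAIN or REFUSED
        raise RuntimeError("gave up after %d referrals" % max_hops)


if __name__ == "__main__":
    local = LocalDnsServer()
    print(local.recursive_query("ftp.atchison.beanlake.com"))
    for step in local.trace:
        print("  %-28s %-28s %s" % step)
```

Run stand-alone it prints the answer and the four-step trace (root, .com, beanlake.com, atchison.beanlake.com). Asking again within the TTL adds no trace entries; asking after the TTL has expired walks the tree again, and a name that does not exist comes back as None after the atchison.beanlake.com server says NXDOMAIN.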

Reverse Queries

What was just described was the forward lookup process, in which a client is looking for a name-to-IP-address mapping. This is the most common type of lookup: an IP address is the expected resource data in the response.

But DNS also provides a mechanism to extract names from IP addresses. This enables clients to use a known IP address in a query and look up a computer name. Instead of asking, "What's the IP address for ftp.atchison.beanlake.com?" a reverse query asks, "What's the name of the computer with the IP address 10.169.254.23?"

This is more common with IP diagnostic and troubleshooting utilities like nslookup, which sends the query to the client's configured DNS server (nslookup given an IP address sends a PTR query for the reversed address). It is also used by reporting utilities that collect information about who is accessing a particular web site. When HTTP requests (a GET request, for example) arrive at a web server, the packet carries the IP address of the requester, but not the requester's computer name. So how do you find out who is hitting your site? With reverse lookup zones. Log-analysis utilities use reverse lookups to identify the hosts or domains that are the most frequent visitors to the web site. One caveat: the PTR record for an address is published by whoever controls that address block's reverse zone, not by you, so a PTR can say whatever its owner wants. Treat a reverse-lookup name as informational, never as proof of identity, and confirm it with a forward lookup of the returned name that yields the original address (forward-confirmed reverse DNS).

Figure 6-5 Iterative queries "walk" the DNS hierarchy

When DNS was first designed, it wasn't built to support this type of IP-address-to-name query. If you look at Figure 6-6, you see an FQDN, with an arrow representing the flow of the FQDN from general to specific. Below it, you see an IP address with the same arrow. As you can see, the FQDN narrows from the broadest part of the namespace to the host from right to left, while the IP address identifies the network and then the host from left to right.

So a modification was made to the DNS namespace to make IP addresses look like FQDNs. To support reverse lookup queries, there's a special domain called the in-addr.arpa domain. The in-addr part stands for "inverse address"; arpa originally referred to the Advanced Research Projects Agency, the Department of Defense agency that was instrumental in the development of the Internet, and the .arpa top-level domain is now formally the Address and Routing Parameter Area (RFC 3172).

The in-addr.arpa domain is defined in the DNS RFCs (RFC 1035) and is reserved in the Internet DNS namespace to provide a practical way to perform reverse queries. To create the reverse namespace, subdomains within the in-addr.arpa domain are formed using the reverse ordering of the octets in the dotted-decimal notation of IP addresses. In other words, the IP address is flipped around so that a query for the host name of 200.23.102.9 becomes a query for a name that resembles an FQDN, like so:

L 6-1 9.102.23.200.in-addr.arpa

Notice that the order of the octets in the host's IP address is reversed when you build your reverse lookup zone files. Because the reversed name puts the most significant octet closest to in-addr.arpa, portions of the in-addr.arpa tree can be delegated to organizations as they are assigned address blocks: a /8, /16, or /24 (the old Class A, B, and C networks) maps to a whole subdomain such as 102.23.200.in-addr.arpa. A block smaller than a /24 doesn't fall on an octet boundary, so it is delegated with the classless technique of RFC 2317, in which the owner of the /24 creates CNAME records that point each address's PTR name into a zone (for example, 64/26.102.23.200.in-addr.arpa) that the customer controls.


Figure 6-6 The "flow" of an FQDN and an IP address


NOTE Forward lookup zones are built with A records, but reverse lookup zones are built with PTR records, each of which should mirror an A record in an existing forward lookup zone (the PTR maps the address back to the name that the A record maps to the address). It doesn't necessarily matter in what order you create your zones, but you definitely want a forward lookup zone ready when you're populating the reverse lookup zone. In fact, you can populate the reverse lookup zone with PTR records at the same time you add host (A) records, with a single check box (Create associated pointer (PTR) record) in the New Host dialog box. Nothing keeps the two in step afterward, though: if the reverse zone isn't updated when a host is renamed or readdressed, the stale PTR will still resolve.
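The reverse-name construction above and the PTR/A pairing from the note, as an added example that is not from the book, using Python's standard ipaddress module. The A and PTR records and the 10.169.254.x addresses are constructed for the example. It also goes one step beyond the text to produce the RFC 2317 CNAME records the owner of a /24 publishes when delegating a smaller block, and to show forward-confirmed reverse DNS, the check that a PTR's name really maps back to the address.

```python
"""Reverse-lookup names, classless delegation, and forward-confirmed reverse DNS.

Editor's example, not code from the book. The A and PTR record sets below
are constructed for the example.
"""
import ipaddress


def reverse_name(ip):
    """in-addr.arpa name for an IPv4 address: the octets in reverse order,
    so 200.23.102.9 becomes 9.102.23.200.in-addr.arpa."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone(prefix):
    """Name of the reverse zone holding the PTR records for an address block.
    Blocks on an octet boundary (/8, /16, /24) get an ordinary subdomain; a
    block between /25 and /31 gets the RFC 2317 classless form, for example
    64/26.102.23.200.in-addr.arpa. Anything else must be delegated as its
    constituent octet-boundary zones instead."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    octets = net.network_address.exploded.split(".")
    if net.prefixlen % 8 == 0:
        kept = octets[: net.prefixlen // 8]
        return ".".join(list(reversed(kept)) + ["in-addr.arpa"])
    if net.prefixlen < 24:
        raise ValueError("delegate the constituent /24 (or /16) zones instead")
    return "%s/%d.%s.in-addr.arpa" % (
        octets[3], net.prefixlen, ".".join(reversed(octets[:3])))


def rfc2317_cnames(prefix):
    """CNAME records the owner of the enclosing /24 publishes so that each
    address's PTR name resolves into the customer's classless zone.
    Returns (owner name, CNAME target) pairs, one per address in the block."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 delegation applies to blocks from /25 to /31")
    zone = reverse_zone(prefix)
    return [(reverse_name(str(addr)), "%s.%s" % (str(addr).split(".")[3], zone))
            for addr in net]


# Constructed records (not from the book). In real life the reverse zone is
# run by whoever owns the address block, so a PTR by itself proves nothing.
A_RECORDS = {
    "ftp.atchison.beanlake.com.": {"10.169.254.23"},
    "www.beanlake.com.": {"10.169.254.80"},
}
PTR_RECORDS = {
    "23.254.169.10.in-addr.arpa": "ftp.atchison.beanlake.com.",  # consistent
    "99.254.169.10.in-addr.arpa": "www.beanlake.com.",           # forward says .80
}


def forward_confirmed(ip):
    """Forward-confirmed reverse DNS: the name in the PTR must own an A record
    that maps back to the same address. Returns the name, or None."""
    name = PTR_RECORDS.get(reverse_name(ip))
    if name and ip in A_RECORDS.get(name, set()):
        return name
    return None


if __name__ == "__main__":
    print(reverse_name("200.23.102.9"))
    print(reverse_zone("200.23.102.0/24"), reverse_zone("200.23.102.64/26"))
    for owner, target in rfc2317_cnames("200.23.102.64/26")[:2]:
        print("%s CNAME %s" % (owner, target))
    for ip in ("10.169.254.23", "10.169.254.99", "10.169.254.1"):
        print(ip, forward_confirmed(ip))
```

The two PTR records show why the confirmation matters: 10.169.254.23 is confirmed because ftp.atchison.beanlake.com. has an A record for that address, while the PTR for 10.169.254.99 claims to be www.beanlake.com. even though that name's A record says 10.169.254.80, so the check rejects it.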

Chapter Review

The Domain Name System is the central name resolution component of a Windows Server 2003 network, and is required before you can implement Active Directory. In this chapter, you were either introduced to or reviewed some of DNS's underlying concepts.

We started with a look at the NetBIOS namespace, which is an alternate, flat namespace that can be used in Windows networking, and in fact was the primary one in versions prior to Windows 2000. It is not, however, used to resolve names on the Internet.

We then looked at how the DNS hierarchy is put together. We looked at the purpose of domains, which are the logical divisions of the DNS namespace, and then at the job of the zone files, which hold the resource records that resolve (among other things) host names to IP addresses. We also looked at some of the improvements that have been made recently to DNS, which have been integrated into Windows Server 2003's implementation.

In Chapter 8, we'll build upon this foundation and look at the many management tools and tasks needed to maintain your organization's Windows Server 2003 DNS deployment. Because there aren't that many things you will be directly tested on in this chapter, the review questions are fewer than usual. Don't worry, we'll make it up in chapters to come.

Questions

1. You are installing the root domain controller for your forest. You have decided that the fully qualified domain name for the computer will be birmingham1.taylortoys.com. The system prompts you with a suggested NetBIOS name for the computer. Which NetBIOS name is prompted?

A. birmingham1.taylor

B. birmingham1

C. taylortoys

D. birmingham1.taylortoys.com


2. You are installing the root domain controller for your forest. You've decided that the fully qualified domain name for the computer will be birmingham1.taylortoys.com. The system prompts you with a suggested NetBIOS name for the computer. You decide to use a different name. Which names could you use? (Choose all that apply.)

A. birmingham.1

B. birminghamserver1

C. bham

D. birmingham1

3. You are the Domain Admin of a Windows Server 2003 network for a company named Taylortoys. You currently use the same DNS name, taylortoys.com, on both sides of your firewall. Management is concerned that a breach in the firewall could expose the Active Directory. Which other names could you use on the inside of your firewall? (Choose all that apply.)

A. taylortoys.com.ad

B. ttoys.ad

C. taylortoys.toys.ad

D. whateveryouwant.com

4. You are the Enterprise Admin of a Windows Server 2003 network. You are currently using only standard primary and standard secondary zones. Another administrator asks you what would be required to upgrade all zones to Active Directory integrated zones. Which statement is true?

A. All servers in the forest would have to be Windows Server 2003.

B. All servers in the forest would have to be Windows 2000 or Windows Server 2003.

C. All DNS servers would have to be domain controllers.

D. The domain will need to be in at least Windows 2000 native mode.

5. You are the Domain Admin of a Windows Server 2003 network named eaglesinc.com.ad. You have a computer in the domain named computer1. What is the fully qualified domain name of this computer?

A. eaglesinc.com.ad.computer1

B. eaglesinc.computer1

C. computer1.ad.eaglesinc.com

D. computer1.eaglesinc.com.ad


Answers

1. B. The NetBIOS name is used by Windows Server 2003 computers for backward compatibility with legacy clients and legacy applications. It can be up to 15 characters in length and cannot contain hierarchical symbols such as "/" or ".". The system appends a 16th byte that indicates which service the name represents (for example, 0x00 for the Workstation service and 0x20 for the Server service). Computers that supply multiple services to the network will have multiple NetBIOS names. The system suggests a NetBIOS name for the computer based on the leftmost label (the host name portion) of the fully qualified domain name.

2. C and D. You can choose any NetBIOS name that meets the rules (15 characters or fewer, no periods or other hierarchical symbols) and that is unique on the network. Answer A contains a period, and answer B is 17 characters long. In this case, since the computer establishes a forest root, uniqueness is not an issue.

3. A, B, C, and D. Management's concerns in this scenario are valid. Since you are using the same name on both sides of the firewall, a breach in the firewall could expose the Active Directory. You have two other options. You could append a label to the current name (such as taylortoys.com.ad) or you could use a completely different name. Each strategy has its own advantages and disadvantages. One caveat when choosing: .ad is a real top-level domain (the country code for Andorra), so a name such as ttoys.ad or taylortoys.com.ad could one day collide with a registered Internet name; a subdomain of a domain you already own (such as ad.taylortoys.com) avoids that risk.

4. C. Active Directory integrated zones replicate their data along with Active Directory replication. Therefore, all servers that host Active Directory integrated zones must be domain controllers. There is no functional level requirement and no requirement that every server in the forest be Windows 2000 or Windows Server 2003. However, every DNS server that hosts an Active Directory integrated zone would need to be a Windows 2000 or Windows Server 2003 domain controller. (Storing a zone in an application directory partition such as DomainDnsZones or ForestDnsZones additionally requires Windows Server 2003 domain controllers; Windows 2000 domain controllers can store zones only in the domain partition.)

5. D. A fully qualified domain name consists of a prefix and a suffix. The prefix is the name of the computer or other object (user). The suffix is the full name of the domain in which the object is contained. In this case, the prefix is computer1 and the suffix is eaglesinc.com.ad.
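The NetBIOS naming rules from answers 1 and 2, as an added example that is not from the book. It checks candidate names against those rules, builds the 16-byte form (15 characters padded with spaces plus the service suffix byte), and goes one step beyond the text to show the first-level encoding from RFC 1001 in which NetBIOS names appear on the wire, so that a name such as WORKGROUP<1D> can be recognised in captured NBNS traffic. The illegal-character set is an assumption based on the characters Windows rejects in a computer name, plus the period the answer mentions.

```python
"""NetBIOS names: validation, the 16-byte form, and RFC 1001 first-level encoding.

Editor's example, not code from the book. Suffix values are the common ones
(0x00 Workstation service, 0x20 Server service, 0x1D master browser).
"""

MAX_LEN = 15
# Characters Windows refuses in a computer name, plus the period (allowed by
# the NetBIOS spec but refused by Windows because it looks like a DNS label
# separator). Assumed set for the example.
ILLEGAL = set('\\/:*?"<>|.')

SUFFIX_WORKSTATION = 0x00
SUFFIX_SERVER = 0x20
SUFFIX_MASTER_BROWSER = 0x1D


def validate_netbios_name(name):
    """None if the name is usable as a NetBIOS computer name, else the reason."""
    if not name or name != name.strip():
        return "empty, or has leading/trailing whitespace"
    if len(name) > MAX_LEN:
        return "%d characters, maximum is %d" % (len(name), MAX_LEN)
    bad = "".join(sorted(set(name) & ILLEGAL))
    if bad:
        return "illegal character(s): %s" % bad
    try:
        name.encode("ascii")
    except UnicodeEncodeError:
        return "non-ASCII characters"
    return None


def netbios_16(name, suffix):
    """The 16-byte name: upper-cased, space-padded to 15 bytes, then the suffix."""
    reason = validate_netbios_name(name)
    if reason:
        raise ValueError(reason)
    return name.upper().encode("ascii").ljust(MAX_LEN, b" ") + bytes([suffix])


def first_level_encode(name16):
    """RFC 1001 section 14.1: each byte becomes two letters A..P, one per nibble."""
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in name16)


def first_level_decode(encoded):
    """Inverse of first_level_encode: (15-character name, suffix byte)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:MAX_LEN].rstrip(b" ").decode("ascii"), raw[MAX_LEN]


if __name__ == "__main__":
    for candidate in ("birmingham.1", "birminghamserver1", "bham", "birmingham1"):
        print("%-18s %s" % (candidate, validate_netbios_name(candidate) or "ok"))
    print(first_level_encode(netbios_16("WORKGROUP", SUFFIX_MASTER_BROWSER)))
```

Run stand-alone, it rejects birmingham.1 (period) and birminghamserver1 (17 characters), accepts bham and birmingham1, and prints the 32-letter string that WORKGROUP<1D> becomes in an NBNS packet.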
