Module Overview

• Installing the DNS Server Role

• Configuring the DNS Server Role

• Configuring DNS Zones

• Configuring DNS Zone Transfers

• Managing and Troubleshooting DNS

• Overview of the Windows Internet Name Service

• Configuring WINS Replication

• Migrating from WINS to DNS

Overview of the Domain Name System Role

Domain Name System is a hierarchical distributed databaseDomain Name System is a hierarchical distributed database

• DNS supports accessing resources by using alphanumeric names

• InterNIC is responsible for managing the domain namespace

Root DomainRoot Domain

SubdomainSubdomain

Second-Level Second-Level DomainDomain

Top-Level Top-Level DomainDomain

FQDN:SERVER1.sales.south.nwtraders.com

southsouth

nwtradersnwtraders

comcom

salessales

westwest easteast

orgorgnetnet

Host: SERVER1

DNS Improvements for Windows Server 2008

New or enhanced features in the Windows Server 2008 version of DNS include:

• Background zone loading

• IP version 6 support

• Support for read-only domain controllers

• Global single names

• DNSSEC against Spoofing and Man-in-the-middle attack

Only available in R2 & IPv6 environment

Three new types of records: Signature (SIG), Public Key (KEY), Next Domain (NXT)

Consideration for deploying DNS Server Role:

Manually configuring the server to use a static IP address

Use the DNS console or dnscmd

The user account must be a member of the local administrators group or equivalent

dnscmd dns_server_name /ageAllRecords/startScavenging/zoneinfo/zoneexport /info/config/statistics/zoneresettype zonename /primary [ | /secondary]/zoneresetsecondaries /zoneresetmaster zonename

What Are the Components of a DNS Solution?

DNS Servers on the InternetDNS ServersDNS Clients

Root “.”

.com

.eduResourceRecord

ResourceRecord

DNS resource records include:

• SOA: Start of Authority

• A: Host Record

• CNAME: Alias Record

• MX: Mail Exchange Record

• SRV: Service Resources

• NS: Name Servers

• AAAA: IPv6 DNS Record

DNS Resource RecordsDNS Resource Records

What Are Root Hints?

Root hints contain the IP addresses for DNS root servers Root hints contain the IP addresses for DNS root servers

microsoft

DNS Servers

DNS Server

Root (.) Servers

com

Client

Root Hints

What Is a DNS Query?

• Queries are recursive or iterative

• DNS clients and DNS servers both initiate queries

• DNS servers are authoritative or nonauthoritative for a namespace

• An authoritative DNS server for the namespace will either:• Return the requested IP address

• Return an authoritative “No”

• A nonauthoritative DNS server for the namespace will either:• Check its cache

• Use forwarders

• Use root hints

A query is a request for name resolution and is directed to a DNS serverA query is a request for name resolution and is directed to a DNS server

What Are Recursive Queries?

DNS Client

mail1.contoso.msft

172.16.64.11

A recursive query is sent to a DNS server and requires a complete answerA recursive query is sent to a DNS server and requires a complete answer

Database

Local DNS Server

What Are Iterative Queries?

An iterative query directed to a DNS server may be answered with a referral to another DNS serverAn iterative query directed to a DNS server may be answered with a referral to another DNS server

Client Server

Local DNS Server Root Hint (.)

.com

Rec

urs

ive

Quer

y

mai

l1.n

wtr

ader

s.co

m17

2.1

6.64

.11

Iterative Query

Iterative Query

Iterative Query

Ask .com

Ask nwtraders.comAuthoritative Response

Nwtraders.com

What Is a Forwarder?

A forwarder is a DNS server designated to resolve external or offsite DNS domain namesA forwarder is a DNS server designated to resolve external or offsite DNS domain names

Nwtraders.com

Root Hint (.)

.com

Iterative Query

Iterative Query

Iterative Query

Ask .com

Ask nwtraders.com

Authoritative Response

Forwarder

Recursive Query for mail1.nwtraders.com

172.16.64.11

172.

16.6

4.11

Recu

rsiv

e Q

uery

Local DNS Server Client Server

ISP DNS

All other DNS domains

Local DNS

Contoso.msft DNS

contoso.msft

Que

ry fo

r

ww

w.c

onto

so.m

sft

Conditional forwarding forwards requests using a domain name conditionConditional forwarding forwards requests using a domain name condition

Client Computer

What Is Conditional Forwarding?

Where’s ServerA?

ServerA is at 192.168.8.44

Where’s ServerA?

ServerA is at 192.168.8.44

How DNS Server Caching Works

Client1

Client2

ServerA

DNS server cache

Host name IP address TTL

ServerA.contoso.msft

192.168.8.44 28 seconds

What Is a DNS Zone?

““.”.”““.”.”

.com.com.com.com

microsoft.com zone

microsoft.com domain

Internet

example.microsoft.comzone

DNS root domain

Zone database

Zone database

example.microsoft.com

www.example.microsoft.com

ftp.example.microsoft.com

Del

egat

ed

microsoft.com

www.microsoft.com

ftp.microsoft.com

example.microsoft.com

WWW

FTP

WWW.exampleFTP.example

What Are the DNS Zone Types?

Zones Description

Primary Read/write copy of a DNS database

Secondary Read-only copy of a DNS database

Stub Copy of a zone that contains only records used to locate name servers

Active Directory integrated

Zone data is stored in Active Directory rather than in zone files

DNS Client2

DNS Client3

What Are Forward and Reverse Lookup Zones?

Namespace: training.nwtraders.msft

DNS Client1

DNS Server Authorizedfor training Forward

zoneTraining

DNS Client1 192.168.2.45

DNS Client2 192.168.2.46

DNS Client3 192.168.2.47

Reverse zone

2.168.192.in-addr.arpa

192.168.2.45 DNS Client1

192.168.2.46 DNS Client2

192.168.2.47 DNS Client3

DNS Client2 = ?

192.168.2.46 = ?

With a stub zone defined, the location of the na.fabrikam.com zone is known without querying multiple DNS servers

With a stub zone defined, the location of the na.fabrikam.com zone is known without querying multiple DNS servers

Contoso.com(Root domain)

na.contoso.com sa.contoso.com

ny.na.contoso.com rio.sa.contoso.com

DNS server

DNS server

DNS server

DNS server

DNS server

fabrikam.com

DNS server

DNS server

na.fabrikam.com

Stub zone: na.fabrikam.com

Stub zone: rio.sa.contoso.com

Without stub zones, the ny.na.contoso.com server must query several servers to find the server that hosts the na.fabrikam.com zone

Without stub zones, the ny.na.contoso.com server must query several servers to find the server that hosts the na.fabrikam.com zone

Contoso.com(Root domain)

na.contoso.com sa.contoso.com

ny.na.contoso.com rio.sa.contoso.com

DNS server

DNS server

DNS server

DNS server

DNS server

fabrikam.com

DNS server

DNS server

na.fabrikam.com

What Are Stub Zones?

DNS Zone Delegation

Training.contoso.msft Sales.contoso.msft

Contoso.msft

What Is a DNS Zone Transfer?

A DNS zone transfer is the synchronization of authoritative DNS zone data between DNS serversA DNS zone transfer is the synchronization of authoritative DNS zone data between DNS servers

SOA query for a zone

SOA query answered

IXFR or AXFR query for a zone

IXFR or AXFR query answered

(zone transferred)

11

22

33

44

Secondary server Primary andMaster server

How DNS Notify Works

Secondary Server Primary andMaster Server

DNS notify

Zone transfer

A DNS notify is an update to the original DNS protocol specification that permits notification to secondary servers when zone changes occur

A DNS notify is an update to the original DNS protocol specification that permits notification to secondary servers when zone changes occur

Source ServerDestination Server11

22

33

44

Resource record is updated

SOA serial number is updated

Securing Zone Transfers

Primary Zone Secondary Zone

• Encrypt zone transfer traffic

• Consider using Active Directory-integrated zones

• Restrict zone transfer to specified servers

What Is Time to Live, Aging, and Scavenging?

Feature Description

Time to Live (TTL)

Indicates how long a DNS record will remain valid

AgingOccurs when records that have been inserted into the DNS server reach their expiration and are removed

Scavenging Performs DNS server resource record grooming for old records in DNS

Troubleshooting DNS

Tool Used to:

Nslookup Troubleshoot DNS problems

Dnscmd Edit the DNS configuration

Dnslint Diagnose common DNS issues

You can test the DNS server configuration by using:

• A simple query to ensure that the DNS service is answering

• A recursive query to ensure that the DNS server can communicate with the upstream DNS service

• Monitor DNS events in the event log to:

• Monitor zone transfer information

• Monitor computer events

What is WINS and When Is WINS Required?

WINS resolves NetBIOS name (single label name) to ip address

WINS is required for the following reasons:

•Older versions of Microsoft operating systems rely on WINS for name resolution

•Some applications, typically older applications, rely on NetBIOS names

•When you need dynamic registration of single-label names

•If users rely on the Network Neighborhood or My Network Places network browser features

•If you are not using Windows Server 2008 as your DNS infrastructure

Overview of WINS Components

Subnet 1

Subnet 2

WINS ServerWINS Server

WINS Database

WINS Database

WINS ProxyWINS Proxy

WINS ClientWINS Client

WINS Client Registration and Release Process

WINS ClientWINS Client WINS ServerWINS Server

Name RegisteredName Registered

Name Released Name Released

• WINS client sends request to register

• WINS server returns registration message with TTL value, indicating when the registration expires

11

• WINS client sends request to release name

• WINS server sends a positive name release response22

WINS Server Name Resolution Process

Subnet 2

Subnet 1

Subnet 2

WINS Server AWINS Server A

WINS Server BWINS Server B

ClientClient

Client makes three attempts to contact WINS server, but does not receive a response11

Client attempts to contact all WINS servers until contact is made22

If name is resolved, IP address is returned to the client33

Up to three attemptsUp to three attempts

33

11

22

What Are NetBIOS Node Types?

Node type Description Registry

value

B-node Uses broadcasts for name registration and resolution 1

P-node Uses a NetBIOS name server, such as WINS, to resolve NetBIOS names 2

M-node Combines B-node and P-node, but functions as a B-node by default 4

H-node Combines P-node and B-node, but functions as a P-node by default 8

A NetBIOS node type determines the method that a computer uses to resolve a NetBIOS name A NetBIOS node type determines the method that a computer uses to resolve a NetBIOS name

Compacting the WINS Database

Maintain WINS database integrity by using:

• Dynamic compacting. Automatically occurs while the database is in use

• Offline compacting. Administrator stops the WINS server and uses the Jetpack.exe command-line tool

Compacting recovers unused space in a WINS databaseCompacting recovers unused space in a WINS database

Notification sentNotification sent22 Replication requestReplication request33 Replicas sentReplicas sent44 ServerB

What Is Push Replication?

• A push partner notifies replication partners based on the number of changes in its database

• Push replication maintains a high level of synchronization

ServerA reaches set threshold of 50 changes in its database11

ServerA notifies ServerB that the threshold is reached22

ServerB responds to ServerA with a replication request33

ServerA sends replicas of its new database entries44

ServerA

Subnet 1 Subnet 250 changes occur in database

50 changes occur in database

11

Replicas sent2 Requests changes every eight hours11

ServerB

What Is Pull Replication?

• A pull partner requests replication based on a time interval

• Pull replication limits frequency of replication traffic acrossslow links

ServerA requests database changes every 8 hours11

ServerB sends replicas of its new database entries22

ServerA

Subnet 1Subnet 2

What Is Push/Pull Replication?

Push/pull replication ensures that the databases on multiple WINS servers are nearly identical at any given time by:

• Notifying replication partners whenever the database reaches a set threshold of changes

• Requesting replication based on a set time

Name Resolution for a Single-Label Name

IPv6 does not support WINS

Windows Server 2008 introduces a new zone type for DNS called GlobalNames Zone

IPv6 does not support WINS

Windows Server 2008 introduces a new zone type for DNS called GlobalNames Zone

• Resolves single-label names in the enterprise without using WINS

• Mitigates the management and maintenance of DNS suffix search lists

• Relies on static record creation

• Requires the zone be available on DNS servers throughout the forest

The GlobalNames zone:

What Is the GlobalNames Zone?

• Enables Single-Label name resolution for IPV6 enabled networks

• Uses CNAME records to point to the FQDN of the computerthat hosts the resource

• Is recommended to be integrated in Active Directorywith forest-wide replication

• Can be a used as a method to decommission WINS servers

• Requires no additional client configuration because the client resolves the name in standard DNS query form

Setup GlobalNames Zone

Functions of Content Advisor include:

Requires authoritative name servers running Windows Server 2008 Configure forest-wide, Active Directory-integrated replication of the GlobalNames zone

Create static CNAME records that point to FQDN records

Disable dynamic updates on the GlobalNames zone

Enable single-label GlobalNames zone support on all DNS servers that host the zone

Use the following command to enable support for the GlobalNames zone on all DNS servers hosting the zone:dnscmd /config /EnableGlobalNamessupport 1

Use the following command to enable support for the GlobalNames zone on all DNS servers hosting the zone:dnscmd /config /EnableGlobalNamessupport 1