70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 8: Managing and Troubleshooting DNS.

Presentation transcript:

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 8: Managing and Troubleshooting DNS

Slide 2: Objectives
- Optimize DNS performance
- Secure DNS replication and Dynamic DNS
- Manage DNS servers
- Manage DNS zones
- Troubleshoot DNS issues using various tools

Slide 3: Optimizing DNS Performance
- DNS servers can be configured to perform different roles depending on the network design required
- Each role affects WAN traffic and performance levels in larger networks:
  - Caching-only
  - Non-recursive
  - Forwarding-only
  - Conditional forwarder

Slide 4: Delegating Authority
- To divide the DNS namespace, you must delegate authority for a subdomain
- When authority for a subdomain is delegated, a name server (NS) record is created for the subdomain
- The name server record points to the server that holds the DNS information for the subdomain

Slide 5: Activity 8-1: Delegating Authority for a Subdomain
- The purpose of this activity is to delegate authority for a subdomain to another DNS server

Slide 6: Caching-only DNS Servers
- A caching-only DNS server does not permanently store any DNS namespace information
- Caching-only DNS servers reduce DNS lookup traffic across an Internet connection or a WAN
- The major disadvantage of caching-only DNS servers is the potential for caching out-of-date information

Slide 7: Nonrecursive DNS Servers
- When you do not want client computers to resolve Internet DNS names directly, configuring your DNS server as a nonrecursive DNS server stops them
- Disabling recursion prevents an Internet-facing DNS server from being overwhelmed by unauthorized DNS lookup requests from anonymous users on the Internet

Slide 8: Forwarding-only DNS Servers
- A forwarding-only DNS server:
  - Is configured to look only at local DNS zones and forwarders
  - Never queries the root servers on the Internet
  - Can be useful if the WAN is configured with only a single Internet connection

Slide 9: Activity 8-2: Configuring a Forwarding-only DNS Server
- The purpose of this activity is to configure your DNS server to use forwarders, without performing additional recursive lookups using root servers

Slide 10: Conditional Forwarders
- A DNS server configured as a conditional forwarder uses a forwarder for requests only if they are for records in certain domains
- Useful for reducing WAN traffic when authority for subdomains is delegated and each location has its own Internet connection
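The four server roles on slides 3 to 10 differ only in where a query is allowed to go once the local zones cannot answer it. The following Python model is an added example, not part of the course material and not the Windows DNS Service's own logic; the role names, the decision order and the IP addresses (RFC 5737 documentation ranges plus one root-server address) are assumptions chosen to illustrate the slides.

```python
"""Decision model for the DNS server roles: standard, caching-only,
nonrecursive and forwarding-only, plus conditional forwarders.
Constructed example; it imitates the decision order, not Windows code."""
from dataclasses import dataclass, field
from typing import Dict, List


def _in_domain(name: str, domain: str) -> bool:
    """True if `name` is `domain` or lies beneath it."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


@dataclass
class DnsServer:
    role: str                                   # "standard", "caching-only", "nonrecursive", "forwarding-only"
    zones: List[str] = field(default_factory=list)        # zones this server is authoritative for
    forwarders: List[str] = field(default_factory=list)   # general forwarder IPs (hypothetical)
    conditional: Dict[str, List[str]] = field(default_factory=dict)  # domain -> forwarder IPs
    root_hints: List[str] = field(default_factory=list)   # root server IPs used for iteration

    def plan(self, qname: str, recursion_desired: bool = True) -> str:
        # 1. A name inside a hosted zone is answered locally whatever the role.
        for zone in self.zones:
            if _in_domain(qname, zone):
                return f"answer from zone {zone}"
        # 2. An iterative query (RD=0) only ever gets what the local zones hold.
        if not recursion_desired:
            return "referral/NXDOMAIN from local zones only"
        # 3. A nonrecursive server refuses to chase names it does not host;
        #    disabling recursion also disables forwarders (slide 24).
        if self.role == "nonrecursive":
            return "refuse: recursion disabled"
        # 4. Conditional forwarders: the longest matching domain wins.
        matches = [d for d in self.conditional if _in_domain(qname, d)]
        if matches:
            best = max(matches, key=len)
            return f"conditional-forward to {self.conditional[best][0]}"
        # 5. General forwarders come next.
        if self.forwarders:
            return f"forward to {self.forwarders[0]}"
        # 6. A forwarding-only server never falls back to the root servers.
        if self.role == "forwarding-only":
            return "fail: no forwarder available and root hints not used"
        # 7. Standard and caching-only servers iterate from the root hints.
        if self.root_hints:
            return f"iterate from root hint {self.root_hints[0]}"
        return "fail: no root hints"


if __name__ == "__main__":
    corp = DnsServer(role="standard", zones=["corp.example"],
                     conditional={"partner.example": ["192.0.2.53"]},
                     root_hints=["198.41.0.4"])
    for q in ("www.corp.example", "mail.partner.example", "www.microsoft.com"):
        print(q, "->", corp.plan(q))
```

The order in `plan` is the point of the example: the zones are consulted first, a nonrecursive server stops before any forwarder is considered, and a forwarding-only server stops before root hints are considered. Changing the role therefore changes which WAN link, if any, carries the query.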

Slide 11: DNS Security
- DNS security is very important in a network using Active Directory because DNS is critical to the proper functioning of Active Directory

Slide 12: Zone Replication Security
- Using Active Directory-integrated zones is the easiest way to secure zone synchronization
- Zone transfers between primary and secondary zones are unencrypted
- If you want to encrypt zone transfers, you must use an additional mechanism, such as IPSec or a VPN
- To prevent attackers from learning about internal resources, ensure that DNS records for internal resources are never made available on the Internet

Slide 13: Activity 8-3: Securing Zone Transfers
- The purpose of this activity is to configure traditional primary zones to limit zone transfers to approved secondary zones

Slide 14: Dynamic DNS Security
- Active Directory-integrated zones can be secured for Dynamic DNS
- Allow only secure dynamic updates in the zone properties
- When secure dynamic updates are enabled, the permissions in Active Directory control who is able to update DNS records
- The Authenticated Users group can Create All Child Objects, which allows computers to create their own DNS records
- This does not give computers the ability to modify each other's DNS records

Slide 15: Dynamic DNS Security (continued)

Slide 16: Dynamic DNS and DHCP Servers
- When a DHCP server performs secure dynamic updates on behalf of clients, the DHCP server, rather than the client computer, is the owner of the DNS record
- When a roaming client receives an IP address from a different DHCP server, that DHCP server cannot update the record with the new IP address
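Slides 14 and 16 describe one permission rule seen from two sides: Authenticated Users may create a record object, and afterwards only the principal that created it (its owner) may change it. The Python below is an added model of that rule, not the course's material and not Active Directory's actual ACL evaluation; the account names (WS01$, DHCP1$ and so on) and addresses are constructed.

```python
"""Model of secure dynamic update permissions on an AD-integrated zone.
Constructed example: the real check is an Active Directory ACL on the
dnsNode object; this keeps only owner and create-child semantics."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class DnsRecord:
    name: str
    data: str
    owner: str          # security principal that created the object


@dataclass
class SecureZone:
    records: Dict[str, DnsRecord] = field(default_factory=dict)
    # Principals holding Create All Child Objects on the zone container.
    # On the page this is Authenticated Users, so every domain-joined
    # computer account qualifies.
    create_child: Set[str] = field(default_factory=lambda: {"Authenticated Users"})

    def update(self, principal: str, groups: Set[str],
               name: str, data: str) -> Tuple[bool, str]:
        """Attempt a secure dynamic update of `name` as `principal`.
        Returns (allowed, explanation)."""
        name = name.lower()
        existing = self.records.get(name)
        if existing is None:
            # Creating a new record requires create-child on the zone.
            if not ((groups | {principal}) & self.create_child):
                return False, f"{principal} may not create {name}"
            self.records[name] = DnsRecord(name, data, owner=principal)
            return True, f"{name} created, owner {principal}"
        # Modifying an existing record requires being its owner;
        # create-child on the zone does not grant write on the object.
        if existing.owner != principal:
            return False, f"{principal} may not modify {name} (owner {existing.owner})"
        existing.data = data
        return True, f"{name} updated by owner {principal}"


if __name__ == "__main__":
    zone = SecureZone()
    auth = {"Authenticated Users"}
    print(zone.update("WS01$", auth, "ws01.corp.example", "10.0.0.11"))
    print(zone.update("WS02$", auth, "ws01.corp.example", "10.0.0.99"))   # denied
    # DHCP server registers on behalf of a roaming laptop, so it owns the record
    print(zone.update("DHCP1$", auth, "laptop.corp.example", "10.0.1.50"))
    print(zone.update("DHCP2$", auth, "laptop.corp.example", "10.0.2.50"))  # denied
```

The DHCP case on slide 16 falls out of the same rule: DHCP1$ created the laptop's record, so DHCP2$ is just another principal that is not the owner, and its update is refused exactly as WS02$'s was.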

Slide 17: Managing DNS Servers
- Many DNS options can be configured at the server level:
  - Configure aging and scavenging
  - Update server data files
  - Clear the cache
  - Configure bindings
  - Edit the root hints
  - Set advanced options
  - Configure security
  - Modify EDNS0

Slide 18: Configuring Aging and Scavenging
- With aging and scavenging, DNS records created by Dynamic DNS can be removed after a certain period of time if they have not been updated
- This prevents out-of-date information from being stored in a zone

Slide 19: Updating Server Data Files
- The Update Server Data Files option is available when you right-click the server
- It has no effect on a zone that is Active Directory-integrated
- For a primary zone that is not Active Directory-integrated, it forces all of the DNS changes held in memory to be written to the zone file on disk

Slide 20: Clearing Cache
- A DNS server automatically caches all lookups it performs
- The cache may contain outdated information
- Clear the cache to force the DNS server to perform a new lookup before the cached record times out

Slide 21: Configuring Bindings
- By default, the DNS Service listens on all IP addresses that are bound to the server on which it is running
- You can configure DNS to respond only on specific IP addresses that are bound to the server
- The Interfaces tab of the server properties lets you configure the IP addresses on which the DNS Service listens

Slide 22: Editing the Root Hints
- Root hints are the servers that are used to perform recursive lookups
- The Root Hints tab of the server properties is automatically populated with the names and IP addresses of the DNS root servers on the Internet

Slide 23: Activity 8-4: Creating a Root Server
- The purpose of this activity is to configure your server as a root DNS server

Slide 24: Setting Advanced Options
- You can configure several options on the Advanced tab of the server properties, including:
  - Disable recursion (also disables forwarders)
  - BIND secondaries
  - Fail on load if bad zone data
  - Enable round robin
  - Enable netmask ordering
  - Secure cache against pollution

Slide 25: Configuring Security
- The Security tab of the server properties allows you to view and modify which users and groups can modify the configuration of the DNS server
- The Domain Admins, Enterprise Admins, and DnsAdmins groups can manage DNS

Slide 26: Modifying EDNS0
- The Windows Server 2003 DNS Service supports a relatively new protocol called Extension Mechanisms for DNS (EDNS0)
- EDNS0 allows DNS servers to send UDP packets with more than 512 bytes of information
- Servers that support EDNS0 send an OPT record as part of their DNS lookup requests
- The OPT record gives the maximum size of DNS message that the sender supports over UDP
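To make slide 26 concrete, the following Python builds a DNS query carrying an EDNS0 OPT pseudo-record and then reads the advertised UDP payload size back out of the wire format. It is an added example, not code from the course or from Windows; the query name and the transaction id are constructed values. The wire layout used (OPT is record type 41, its CLASS field carries the UDP payload size, and it sits in the additional section) is the standard EDNS0 format from RFC 2671.

```python
"""Build and parse the EDNS0 OPT record that advertises a UDP payload size.
Added example using only the standard DNS wire format."""
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41           # EDNS0 pseudo-record type
DNS_DEFAULT_UDP_LIMIT = 512  # what a sender without OPT is assumed to accept


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = DNS_TYPE_A,
                udp_payload_size=None, txid: int = 0x1234) -> bytes:
    """Standard query with RD set; appends an OPT record when a size is given."""
    arcount = 1 if udp_payload_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # IN class
    msg = header + question
    if udp_payload_size is not None:
        # OPT: NAME = root (0x00), TYPE = 41, CLASS = UDP payload size,
        # TTL = extended RCODE/version/flags (all zero), RDLENGTH = 0
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload_size, 0, 0)
    return msg


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_opt(msg: bytes):
    """Return the UDP payload size advertised by an OPT record, or None if absent."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            return rclass                      # CLASS doubles as payload size
    return None


def negotiated_udp_limit(msg: bytes) -> int:
    """Largest UDP reply the sender of `msg` claims to accept."""
    size = parse_opt(msg)
    return DNS_DEFAULT_UDP_LIMIT if size is None else size


if __name__ == "__main__":
    q = build_query("www.example.com", udp_payload_size=4096)
    print(len(q), "bytes; advertised UDP limit:", negotiated_udp_limit(q))
    print("without OPT:", negotiated_udp_limit(build_query("www.example.com")))
```

The practical consequence for troubleshooting: a server that ignores OPT, or a firewall that drops UDP DNS packets above 512 bytes, makes large replies fail or fall back to TCP, which is why the Advanced tab lets you turn EDNS0 behaviour off when a peer misbehaves.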

Slide 27: Managing DNS Zones
- The following options can be configured for a zone:
  - Reload zone information
  - Change the type of zone and replication
  - Configure aging and scavenging
  - Modify the SOA (start of authority) record
  - Modify the list of name servers
  - Enable WINS resolution
  - Enable zone transfers
  - Configure security

Slide 28: Reloading Zone Information
- To perform mass editing of DNS information stored in a zone that is not Active Directory-integrated, you can edit the zone file stored in C:\WINDOWS\system32\dns rather than using the DNS snap-in
- To make the DNS server use the newly edited zone file, restart the DNS Service or tell it to reload the zone file
- To reload the zone file, right-click the zone, and click Reload

Slide 29: Changing the Type of Zone and Replication
- When a zone is created, you must select whether it is a primary zone, secondary zone, or stub zone
- If it is a primary zone, you must also choose whether it is stored in Active Directory
- If the zone is stored in Active Directory, you must also choose how it is replicated
- All of these options can be changed after the zone is created

Slide 30: Configuring Aging and Scavenging
- After scavenging has been enabled at the server level, the aging/scavenging properties must be configured at the zone level
- To enable the deletion of old DNS records, select the Scavenge stale resource records check box
- Manually created DNS records are never scavenged
- Dynamic DNS records are scavenged only if they have not been updated or refreshed and both the no-refresh interval and the refresh interval have expired
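Slides 18 and 30 state the scavenging rule in words; the timing is easier to reason about in code. The Python below is an added model of that rule, not the course's or Windows' own implementation. It assumes the Windows default of seven days for both the no-refresh and refresh intervals, represents a manually created record by a timestamp of None, and uses exact datetimes where Windows actually stores timestamps with hourly granularity.

```python
"""Aging/scavenging eligibility model for Dynamic DNS records.
Added example; simplifies Windows' hourly timestamps to datetimes."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class ZoneRecord:
    name: str
    data: str
    timestamp: Optional[datetime]   # None = static (manually created), never aged


@dataclass
class AgingPolicy:
    no_refresh: timedelta = timedelta(days=7)   # Windows default
    refresh: timedelta = timedelta(days=7)      # Windows default
    scavenge_stale: bool = False                # the zone's "Scavenge stale resource records" box

    def refresh_accepted(self, rec: ZoneRecord, now: datetime) -> bool:
        """A refresh (same data re-registered) only moves the timestamp once the
        no-refresh interval has passed; earlier refreshes are suppressed to
        save replication traffic."""
        if rec.timestamp is None:
            return False
        return now >= rec.timestamp + self.no_refresh

    def is_stale(self, rec: ZoneRecord, now: datetime) -> bool:
        """Eligible for scavenging only if the zone allows it, the record is
        dynamic, and both intervals have elapsed since its last refresh."""
        if not self.scavenge_stale or rec.timestamp is None:
            return False
        return now >= rec.timestamp + self.no_refresh + self.refresh

    def scavenge(self, records: List[ZoneRecord], now: datetime) -> List[ZoneRecord]:
        """Return the records a scavenging pass at `now` would delete."""
        return [r for r in records if self.is_stale(r, now)]


def apply_refresh(policy: AgingPolicy, rec: ZoneRecord, now: datetime) -> bool:
    """Simulate a client re-registering an unchanged record at `now`."""
    if policy.refresh_accepted(rec, now):
        rec.timestamp = now
        return True
    return False


if __name__ == "__main__":
    t0 = datetime(2004, 1, 1)
    policy = AgingPolicy(scavenge_stale=True)
    ws = ZoneRecord("ws01.corp.example", "10.0.0.11", t0)      # constructed dynamic record
    srv = ZoneRecord("srv.corp.example", "10.0.0.5", None)      # constructed static record
    print("refresh on day 3 accepted:", apply_refresh(policy, ws, t0 + timedelta(days=3)))
    print("refresh on day 8 accepted:", apply_refresh(policy, ws, t0 + timedelta(days=8)))
    for day in (21, 22):
        print(f"day {day} deletes:", [r.name for r in policy.scavenge([ws, srv], t0 + timedelta(days=day))])
```

The two intervals are why a record survives at least fourteen days with default settings: the clock restarts only at an accepted refresh, a refresh is accepted only after the no-refresh window, and deletion needs the refresh window on top of that.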

Slide 31: Activity 8-5: Configuring Aging and Scavenging
- The purpose of this activity is to configure a zone to remove old records automatically

Slide 32: Modifying the Start of Authority Record
- The start of authority (SOA) record for a domain defines a number of characteristics of a zone, including its serial number and caching instructions
- Configured on the SOA tab of the zone properties

Slide 33: Modifying the List of Name Servers
- The name servers configured for a zone are the authoritative DNS servers for the zone
- They are used in the recursive lookup process to resolve requests for the domain
- In addition, they are used by Dynamic DNS clients for dynamic updates

Slide 34: Enabling WINS Resolution
- A DNS zone can be configured with a WINS server that is used to help resolve names
- If a DNS zone receives a query for a host name for which it has no A record, it forwards the request to a WINS server
- You can specify that records resolved via WINS are not replicated to other domain controllers by selecting the Do not replicate this record check box

Slide 35: Enabling Zone Transfers
- Zone transfers are used to copy zone information from a primary zone to a secondary zone
- You can configure which IP addresses can request zone transfers
- By default, zone transfers are allowed
- To disable zone transfers, deselect the Allow zone transfers check box
- If zone transfers are enabled, you can choose whether they are allowed to any server, only to servers listed on the Name Servers tab for the zone, or only to specific IP addresses

Slide 36: Configuring Security
- The Security tab in the zone properties allows you to control the permissions to modify the records in this zone
- The Security tab is only available for Active Directory-integrated zones

Slide 37: Troubleshooting DNS
- When DNS problems are experienced, first discover whether the problems are limited to one client or apply to many clients
- If the problem applies to just a single client, it is likely a configuration problem with only that client
- If a DNS resolution problem exists for multiple clients, it is likely a server problem
- Server-level problems may include incorrect records, the DNS Service being unavailable, or improper firewall configuration

Slide 38: Server Functionality
- To test whether a DNS server is functioning correctly, use the Monitoring tab of the DNS server properties
- If a recursive query is requested, the server submits an NS query for the root domain "."
- If unsuccessful, the cause may be incorrectly configured Internet connectivity or root hints

Slide 39: Server Functionality (continued)
- If a simple query is requested, the server is tested for iterative query functionality
- In an iterative query, the DNS server looks only in the zones for which it is responsible

Slide 40: Nslookup
- The Nslookup utility queries DNS records
- Nslookup can be used from a command prompt to resolve host names, but is most powerful in interactive mode
- With Nslookup, you can query any DNS record from a DNS server
- This allows you to confirm that each DNS server is configured with the correct information

Slide 41: Activity 8-6: Verifying DNS Records with Nslookup
- The purpose of this activity is to verify proper DNS lookups using the Nslookup utility

Slide 42: DNSLint
- DNSLint is a command-line utility that allows you to verify correct DNS configuration
- It has commands that help you confirm that a zone is correctly configured or verify the records for Active Directory
- This utility uses command-line switches to control its functionality

Slide 43: DNSLint (continued)

Slide 44: Activity 8-7: Using DNSLint to Verify Active Directory DNS Records
- The purpose of this activity is to use the DNSLint utility to confirm that the proper DNS records exist for Active Directory

Slide 45: DNSCmd
- DNSCmd is a command-line utility that can be used to view DNS server status and to configure DNS servers, DNS zones, and DNS records
- This utility can be used in a script, which is useful when you want to make changes on many servers

Slide 46: Resetting Default Settings
- When attempting to optimize DNS, you may render DNS inoperable or impair its functionality
- When making system changes, always fully document the existing configuration first
- Windows Server 2003 allows you to reset the configuration of a DNS server back to the defaults
- The default settings should restore functionality

Slide 47: Resetting Default Settings (continued)

Slide 48: Activity 8-8: Resetting a DNS Server to the Defaults
- The purpose of this activity is to reset the settings on a DNS server back to the installation defaults

Slide 49: Resetting Default Security
- When attempting to optimize security settings for DNS, you may render your server inoperable or impair its operation
- If you did not properly document the default security permissions, you can reset them in the Advanced Security Settings of the zone properties

Slide 50: DNS Server Logging
- DNS servers are capable of event logging and debug logging
- Event logging records errors, warnings, and information to the event log
- Debug logging records much more detailed information
- The Event Logging tab of the DNS server properties gives you the option to record:
  - No events
  - Errors only
  - Errors and warnings
  - All events

Slide 51: DNS Server Logging (continued)
- Debug logging records packet-by-packet information about the queries that the DNS server is receiving
- Enable it only for troubleshooting, because it records a large volume of information
- To reduce the amount of information recorded, you can specify the type of information to log:
  - Packet direction
  - Transport protocol
  - Packet contents
  - Packet type
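Slide 35's three zone-transfer settings and slide 51's debug log come together when you want to verify that the setting is actually doing its job: the log shows who asked for a transfer, and the policy says who was allowed to. The Python below is an added example, not the course's or Windows' own tooling. The log lines are constructed to follow the column layout of a Windows DNS debug log (timestamp, thread id, PACKET, buffer address, protocol, direction, remote IP, XID, R flag, Q, bracketed flags and RCODE, query type, name as length-prefixed labels) but are not copied from a real server, and the zone name and IP addresses are made up.

```python
"""Parse constructed DNS debug-log lines and check zone transfer (AXFR)
requests against the zone's Allow zone transfers setting. Added example."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample in the layout of a Windows DNS debug log; not a real capture.
SAMPLE_LOG = """\
1/15/2007 9:03:12 AM 0AE4 PACKET  00A2C3D0 UDP Rcv 10.0.0.25      0002   Q [0001   D   NOERROR] A      (3)www(4)corp(7)example(0)
1/15/2007 9:03:12 AM 0AE4 PACKET  00A2C3D0 UDP Snd 10.0.0.25      0002 R Q [8085 A DR  NOERROR] A      (3)www(4)corp(7)example(0)
1/15/2007 9:03:40 AM 0AE4 PACKET  00A2C4F8 TCP Rcv 10.0.0.53      0003   Q [0001   D   NOERROR] AXFR   (4)corp(7)example(0)
1/15/2007 9:04:02 AM 0AE4 PACKET  00A2C610 TCP Rcv 203.0.113.7    0004   Q [0001   D   NOERROR] AXFR   (4)corp(7)example(0)
1/15/2007 9:04:10 AM 0AE4 PACKET  00A2C700 UDP Rcv 203.0.113.7    0005   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<tid>[0-9A-F]+) PACKET\s+(?P<buf>[0-9A-F]+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) (?P<ip>[0-9.]+)\s+(?P<xid>[0-9A-Fa-f]{4}) "
    r"(?P<resp>R| ) Q \[(?P<flags>[^\]]*)\] (?P<qtype>\S+)\s+(?P<name>\S+)$"
)


def decode_name(wire: str) -> str:
    """Turn '(3)www(4)corp(7)example(0)' into 'www.corp.example'."""
    labels = [lbl for _, lbl in re.findall(r"\((\d+)\)([^(]*)", wire) if lbl]
    return ".".join(labels) or "."


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """One log line -> dict of fields, or None if it is not a packet line."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    d = m.groupdict()
    d["name"] = decode_name(d["name"])
    d["is_response"] = d.pop("resp") == "R"
    return d


@dataclass
class ZoneTransferPolicy:
    """Mirrors the Zone Transfers tab: disabled, any server, servers on the
    Name Servers tab, or an explicit IP list."""
    mode: str                                    # "disabled", "any", "name_servers", "list"
    name_server_ips: Set[str] = field(default_factory=set)
    secure_list: Set[str] = field(default_factory=set)

    def allows(self, ip: str) -> bool:
        if self.mode == "any":
            return True
        if self.mode == "name_servers":
            return ip in self.name_server_ips
        if self.mode == "list":
            return ip in self.secure_list
        return False                             # disabled


def audit(log_text: str, zone: str, policy: ZoneTransferPolicy) -> dict:
    """Summarise packets by direction/protocol and list AXFR/IXFR requesters
    for `zone` that the policy would not permit."""
    packets = [p for p in (parse_line(l) for l in log_text.splitlines()) if p]
    by_dir_proto = Counter((p["dir"], p["proto"]) for p in packets)
    axfr_sources = sorted({p["ip"] for p in packets
                           if p["dir"] == "Rcv" and not p["is_response"]
                           and p["qtype"] in ("AXFR", "IXFR")
                           and p["name"].lower() == zone.lower()})
    return {
        "packets": len(packets),
        "by_dir_proto": dict(by_dir_proto),
        "axfr_sources": axfr_sources,
        "unexpected_axfr": [ip for ip in axfr_sources if not policy.allows(ip)],
    }


if __name__ == "__main__":
    policy = ZoneTransferPolicy("list", secure_list={"10.0.0.53"})
    print(audit(SAMPLE_LOG, "corp.example", policy))
```

In the sample, 10.0.0.53 is the approved secondary and 203.0.113.7 is not; with the policy set to "only to the following servers" the audit flags only the latter, and with the check box cleared it flags both, which is the behaviour you would expect the server itself to enforce. Comparing the list against the log is a cheap way to confirm that a zone transfer restriction survived a change or a reset to defaults.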

Slide 52: Summary
- To optimize DNS, you can delegate authority for subdomains to different servers
- A caching-only server is used to speed up DNS name resolution
- Forwarding-only DNS servers use forwarders to resolve recursive queries rather than the root servers on the Internet
- A nonrecursive DNS server does not communicate with other DNS servers when resolving queries

Slide 53: Summary (continued)
- Conditional forwarders use forwarders only for certain specified DNS domains
- Dynamic updates for Active Directory-integrated zones can be secured
- EDNS0 allows Windows Server 2003 to send UDP packets larger than 512 bytes
- A wide variety of DNS server and zone management tasks is available

Slide 54: Summary (continued)
- Nslookup queries DNS records
- DNSLint is a command-line utility that allows you to verify correct DNS configuration
- DNSCmd can be used to view DNS server status and to configure DNS servers, zones, and records
- The Advanced Security Settings for a zone can be used to reset zone security back to the defaults for an Active Directory-integrated zone