DNS in Windows Server 2003



  1. Module 2: DNS in Microsoft Windows Server 2003 (Copyright Microsoft 2003)
  2. Overview
     - What is DNS?
     - External and Internal Namespaces
     - DNS Zone Types
     - Stub Zones and Conditional Forwarding
     - Zone Transfers
     - Dynamic Updates
     - Configuring Name Resolution for Client Computers
     - DHCP Interaction
     - DNS and Microsoft® Active Directory® Application Partitions
  3. What is DNS?
     - Domain Name Service/Domain Name System
     - Defines a hierarchical namespace where each level of the namespace is separated by a “.”
       - Similar to file system paths, but read from right to left
       - Rightmost portion of a name is most generic, for example the trailing “.” in hostname.subdomain.secondleveldomain.topleveldomain.
         - “.” indicates the namespace root
       - Leftmost portion of a name is most specific, for example “hostname” in hostname.subdomain.secondleveldomain.topleveldomain.
     - Provides resolution of names to IP addresses and resolution of IP addresses to names
  4. What is a DNS Server?
     - Computer running the DNS service
       - The DNS Server service is separate from the DNS client, even when running on the same computer
     - Can be:
       - Microsoft® Windows® .NET Server 2003
       - Windows 2000
       - Microsoft Windows® NT 4
       - UNIX
       - Linux
       - NetWare
       - Etc.
     - Capabilities vary by operating system and/or DNS server software version
  5. DNS Namespace (diagram): the root “.” delegates top-level domains such as .com, .edu, .org and .au; second-level domains shown include msn.com, microsoft.com, mtu.edu, msu.edu, unicef.org, com.au and gov.au; subdomains such as corp.microsoft.com. sit beneath them. Reading corp.microsoft.com. from right to left: “.” = root, com = top-level domain, microsoft = second-level domain, corp = subdomain.
  6. Fully Qualified Domain Name (FQDN)
     - Identifies a host’s name within the DNS namespace hierarchy
     - Host name plus DNS domain name = FQDN
       - If referencing only a domain, there is no host component
  7. Resolver
     - Computer that requests DNS resolution
     - Issues queries that ask for specific types of mappings of computers and IP addresses (records)
     - Query types determine the behavior of the DNS server receiving the query
     - Lookup types determine whether a name-to-IP mapping or an IP-to-name mapping is sought
  8. Query and Lookup Types
     - Query types
       - Recursive query: the DNS server returns a complete answer to the query, not a pointer to another DNS server
       - Iterative query: the DNS server returns an answer to the query or a pointer to other DNS servers
     - Lookup types
       - Forward lookup: requests name-to-address resolution
       - Reverse lookup: requests address-to-name resolution
  9. Recursive Queries
     - A query made from a client to a DNS server in which the server assumes the full workload
     - The DNS server returns either a complete answer or a negative response
     - Issued by:
       - Client computers
       - DNS servers configured to use forwarder(s)
  10. Iterative Queries
     - The receiving server may return an answer, a negative response, or a referral to other DNS server(s)
     - Typically issued by DNS servers not configured to use forwarders for resolution of queries
     - “Walk” the DNS tree
     - “Give me an answer or refer me to somebody else who can help me obtain resolution.”
  11. How DNS Works (diagram): the client asks its preferred DNS server to resolve http://server1.microsoft.com with a recursive query for server1.microsoft.com. The preferred server checks its cache (no) and whether it is authoritative (no), then walks the tree with iterative queries:
     - To the root servers (from root hints: a.root-servers.net through m.root-servers.net): not authoritative; returns a delegation for .com. (“I don’t know. Ask a.gtld-servers.net through m.gtld-servers.net”)
     - To the .com TLD servers: not authoritative; returns a delegation for microsoft.com. (dns1.cp.msft.net, dns2.cp.msft.net, dns1.tk.msft.net, dns2.tk.msft.net, dns3.uk.msft.net, dns4.uk.msft.net, dns3.jp.msft.net, dns4.jp.msft.net, dns1.dc.msft.net, dns2.dc.msft.net, dns1.sj.msft.net)
     - To the microsoft.com DNS servers: authoritative; returns the address of server1.microsoft.com
     The preferred DNS server caches each response, answers the client’s recursive query, and the client opens the HTTP/TCP session to server1.microsoft.com.
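The two query types and the replies seen in the walk above, as an added Python example that is not part of the original slides: it builds RFC 1035 wire-format messages, marks a query as recursive or iterative with the RD flag, and tells a referral apart from an authoritative or negative answer. All names and IP addresses in it are constructed.

```python
import struct
# Added example (not from the slides): a minimal RFC 1035 wire-format encoder/decoder.
# It shows the header bit that separates a recursive query from an iterative one (RD)
# and how a reply is classified as a referral, an authoritative answer or a negative
# answer. All names and IP addresses below are constructed.
QR, AA, RD = 0x8000, 0x0400, 0x0100
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1

def encode_name(name):
    """'server1.microsoft.com.' -> length-prefixed labels plus a terminating zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode an uncompressed name (no RFC 1035 4.1.4 pointers; none are built here)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1

def build_query(qname, recursive, txid=0x1234):
    """Recursive query: RD set (resolver to its preferred server). Iterative: RD clear."""
    header = struct.pack("!HHHHHH", txid, RD if recursive else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)

def build_rr(name, rtype, rdata, ttl=3600):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def build_response(query, answers=(), authority=(), additional=(), authoritative=False):
    """Echo the question. A referral carries no answers, only NS records plus glue."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = QR | (qflags & RD) | (AA if authoritative else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), len(additional))
    return header + query[12:] + b"".join(answers) + b"".join(authority) + b"".join(additional)

def parse_response(msg):
    """Return the AA flag and the decoded A/NS records of each section."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        off = decode_name(msg, off)[1] + 4
    out = {"aa": bool(flags & AA), "answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            value = msg[off:off + rdlen].hex()       # raw for types not decoded here
            if rtype == TYPE_A:
                value = ".".join(str(b) for b in msg[off:off + rdlen])
            elif rtype == TYPE_NS:
                value = decode_name(msg, off)[0]
            out[section].append((name, rtype, value))
            off += rdlen
    return out

def classify(msg):
    """'answer' (answer section filled), 'referral' (non-authoritative, NS only) or 'negative'."""
    r = parse_response(msg)
    if r["answer"]:
        return "answer"
    if not r["aa"] and any(t == TYPE_NS for _, t, _ in r["authority"]):
        return "referral"
    return "negative"

# Constructed exchange: the iterative query a DNS server sends to a .com TLD server,
# the referral it gets back, and the authoritative answer from a microsoft.com server.
ITERATIVE = build_query("server1.microsoft.com.", recursive=False)
REFERRAL = build_response(ITERATIVE,
    authority=[build_rr("microsoft.com.", TYPE_NS, encode_name("dns1.cp.msft.net."))],
    additional=[build_rr("dns1.cp.msft.net.", TYPE_A, bytes([192, 0, 2, 53]))])  # glue
ANSWER = build_response(ITERATIVE, authoritative=True,
    answers=[build_rr("server1.microsoft.com.", TYPE_A, bytes([192, 0, 2, 10]))])
```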
  12. Root Hints
     - IP addresses of DNS servers that are considered authoritative for the root of the DNS namespace
     - Used by DNS servers to determine which DNS servers are considered the root (“.”) servers (for iterative queries)
       - 13 default root servers are part of any DNS installation
       - Can replace the Internet root servers with internal DNS servers to shape DNS traffic within an organization
  13. Forwarders
     - DNS servers configured to use forwarders send recursive queries to the listed addresses when they cannot resolve queries themselves
     - By default, they fall back to iterative queries if the forwarder fails to return an answer
       - This fallback can be disabled
       - The “Do not use recursion” setting disables further attempts to resolve names when forwarders fail
  14. Conditional Forwarding
     - Windows Server 2003 DNS servers can be configured to forward to different DNS servers based on the suffix queried
     - Allows for granular configuration of forwarders instead of requiring all forwarding to go to the same server(s)
  15. Zone
     - Portion of the DNS namespace for which an entity (company, organization) is responsible
     - May be divided up into multiple zone files hosted on multiple DNS servers
     - Subdomains
       - Divisions within a DNS domain, used to divide the namespace further
       - Stored on the same DNS server(s) as the parent domain unless delegated
     - Delegated subdomains
       - Stored on separate DNS servers from the parent domain
       - Parent DNS servers maintain records that point to the servers hosting the subdomains
  16. Delegation (Delegated Subdomain)
     - Used by a DNS server that receives an iterative query for a subdomain
     - A DNS server that has knowledge of the delegation returns the IP address(es) of the authoritative server(s) for the subdomain in response to iterative queries
     - The Internet DNS namespace is comprised of a series of delegations; for example, root servers have delegations for top-level domains, top-level domains have delegations for second-level domains, etc.
  17. Subdomains and Delegated Subdomains
     - Subdomains
       - All records for the zone are stored locally
     - Delegated subdomains
       - The DNS server storing the delegation information only has records of the DNS servers that are authoritative for the zone
  18. Zone File
     - Text file
     - Contains resource records
     - Portion of the DNS namespace for which a particular server is responsible
       - A server that hosts a copy of a zone file is said to be authoritative for that zone, meaning that it has direct, verifiable knowledge of the records stored in the zone
     - May not include the entire portion of the DNS namespace for which an entity (company, organization) is responsible
       - For example, a server may host only a subdomain of a larger DNS domain
         - The larger DNS domain is the organization’s zone of authority, but the server is authoritative only for the subdomain
  19. DNS Zone Types: Forward/Reverse Lookup (diagram): in a forward lookup the client asks the DNS server for the IP address of nwtraders.msft and receives the address; in a reverse lookup the client asks for the name belonging to an IP address and receives Name = nwtraders.msft.
  20. DNS Zone Types: Standard/Active Directory Integrated (diagram)
     - Standard zones: changes are made on the primary zone and reach secondary zones by zone transfer; a stub zone* holds only the SOA, NS and glue records, obtained by standard queries
     - Active Directory integrated zones: changes can be made on any server hosting the zone and propagate by replication
     * Stub zone data may be stored in text files or in Active Directory, but updates to the zone are always made on DNS server(s) that host a writable copy of the zone
  21. Active Directory Integrated DNS Zones
     - Only available on DNS servers that are also domain controllers
       - Not stored in text files
       - Records stored as objects in Active Directory
         - Have ACLs (Access Control Lists) and owners
     - Replicate as part of Active Directory replication
       - Eliminates the single point of failure (unless only one DC/DNS server hosts the zone)
       - Can have standard secondary servers in addition to replicating partners
       - Any server hosting the zone as an Active Directory integrated zone can write to the zone (multi-master writes)
  22. Stub Zones
     - New in Windows Server 2003
     - A server hosting a stub zone is not authoritative for the zone
       - Only has SOA, NS and, if necessary, glue records (host records for the DNS servers that are authoritative for the zone)
         - Glue records are host records identifying the DNS servers for a zone
       - Populates its records via iterative queries to the authoritative DNS server(s)
  23. Stub Zones
     - Can only be created on Windows Server 2003 DNS servers (whether or not the DNS server is a domain controller)
     - A DNS server hosting a copy of a stub zone is not authoritative for the zone
     - Stub zones give a DNS server enough information for it to be able to use iterative queries to resolve names in the zone, but not all of the information in the zone itself
  24. Configuring Zones
     - A DNS server can host primary zones, secondary zones, stub zones, or any combination of zones
     - A primary server or a secondary server can be designated as the master server for a secondary zone
     - A stub zone is populated via standard iterative queries to the authoritative server(s) for the zone
     (Diagram: DNS servers A, B, C and D host a primary zone, a secondary zone whose master DNS server is DNS Server A, a secondary zone whose master DNS server is DNS Server B (chained by zone transfers), and a stub zone whose authoritative DNS servers are DNS Servers A & C, populated by standard queries.)
  25. Demonstration
     - Creating a Standard Primary Zone
     - Creating an Active Directory Integrated Zone
     - Configuring Conditional Forwarding
  26. Start of Authority Records
     - Record that contains configuration information about the zone
       - Version (serial) number of the zone
       - Primary server for the zone
       - E-mail address of the person responsible for the zone
         - “@” is substituted for the first “.”
         - for example, hostmaster.dot.dotnet = hostmaster@dot.dotnet
       - Secondary refresh parameters
       - TTL information
  27. Resource Record
     - Stored in a DNS zone file
     - May map
       - Name to IP (A for IPv4, AAAA for IPv6)
       - Name to another name (CNAME)
       - IP to name (PTR)
       - DNS servers (NS)
       - Mail servers (MX)
       - Start of Authority servers (SOA)
       - Services to names, IPs, etc. (SRV)
       - Various others
  28. Service Resource Records
     - Identify services running on computers (typically domain controllers)
       - LDAP servers
       - Global Catalog servers
       - Kerberos servers
       - Domain controllers
       - PDC Emulators
       - Registered both with a site association and without
     - Used by client computers to locate the closest server offering the service
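How a client uses the site-associated and site-less SRV registrations to find the closest server, as an added Python example that is not part of the original slides. The SRV records are constructed in zone-file syntax; the priority/weight ordering is the RFC 2782 rule (an assumption beyond the slide), reduced to a deterministic sort so the result is repeatable.

```python
import re

# Added example (not from the slides): parse domain controller SRV registrations in
# zone-file syntax and locate a service the way the slide describes clients doing it:
# try the site-associated name (_ldap._tcp.<site>._sites.<domain>) first, then fall
# back to the site-less name. Ordering by priority (lowest first) then weight (highest
# first) follows RFC 2782, simplified to a deterministic sort. Records are constructed.

SRV_RE = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(?P<prio>\d+)\s+"
                    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")

# Constructed zone fragment: two DCs, one of them (dc2) in the Paris site.
ZONE = """\
_ldap._tcp.corp.example.                 IN SRV 0 100 389  dc1.corp.example.
_ldap._tcp.corp.example.                 IN SRV 0  50 389  dc2.corp.example.
_ldap._tcp.Paris._sites.corp.example.    IN SRV 0 100 389  dc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example.       IN SRV 0 100 389  dc1.corp.example.
_gc._tcp.corp.example.                   IN SRV 0 100 3268 dc1.corp.example.
_kerberos._tcp.corp.example.             IN SRV 0 100 88   dc1.corp.example.
_ldap._tcp.pdc._msdcs.corp.example.      IN SRV 0 100 389  dc1.corp.example.
"""

def parse_srv(text):
    """One dict per SRV line; DNS names are case-insensitive, so they are lower-cased."""
    recs = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            recs.append({"name": m["name"].lower(), "priority": int(m["prio"]),
                         "weight": int(m["weight"]), "port": int(m["port"]),
                         "target": m["target"].lower()})
    return recs

def srv_name(service, domain, site=None, role=None):
    """Owner name a DC registers, e.g. srv_name('ldap', 'corp.example.', 'Paris', 'dc')
    -> '_ldap._tcp.paris._sites.dc._msdcs.corp.example.'."""
    parts = [f"_{service}._tcp"]
    if site:
        parts.append(f"{site}._sites")
    if role:
        parts.append(f"{role}._msdcs")
    parts.append(domain)
    return ".".join(parts).lower()

def locate(recs, service, domain, client_site=None, role=None):
    """Closest server first: the site-associated records when the client has a site and
    any exist for it, otherwise the site-less records; then by priority, then weight."""
    candidates = []
    if client_site:
        want = srv_name(service, domain, client_site, role)
        candidates = [r for r in recs if r["name"] == want]
    if not candidates:
        want = srv_name(service, domain, None, role)
        candidates = [r for r in recs if r["name"] == want]
    ordered = sorted(candidates, key=lambda r: (r["priority"], -r["weight"]))
    return [(r["target"], r["port"]) for r in ordered]
```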
  29. Name Server: Standard DNS Zone
     - Primary Name Server
       - Server that has the only writable copy of the text file storing records for a given zone
       - Single point of failure in a standard DNS implementation
     - Secondary Name Server
       - Read-only copy of the primary zone
     - Master Name Server
       - Server that transfers zone file information to a secondary DNS server
  30. Zone Transfer
     - Process by which DNS servers hosting standard copies of DNS zones pass zone updates to one another
     - Master-secondary relationship
       - Receiving DNS servers are always secondary
       - Master may be primary or secondary (secondaries can transfer to other secondaries)
     - AXFR: full zone transfer
     - IXFR: incremental zone transfer
  31. Zone Transfer Process
     - A zone transfer is initiated when
       - A master DNS server sends notification of zone changes to the secondary server or servers, or
       - The secondary server queries a master DNS server for changes to the zone file
     (Diagram: Zone 1, nwtraders.msft with the subdomains support.nwtraders.msft and training.nwtraders.msft, is held in a primary zone database file on the master DNS server and in a secondary zone database file on the secondary DNS server.)
  32. Zone Transfers
     - IXFR: incremental zone transfers
       - Only records that have changed since the last zone transfer are sent
     - AXFR: full zone transfers
       - The entire zone is transferred from the master DNS server to the secondary
     - If either the master or the slave (secondary) is not capable of IXFR, then AXFR occurs
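The SOA fields from slide 26 and the secondary's transfer decision from slides 30 to 32, as an added Python example that is not part of the original slides: the zone, its serial values and the serial-comparison rule (RFC 1982 serial arithmetic, an assumption beyond the slides) are constructed.

```python
# Added example (not from the slides): parse the SOA record that drives zone transfers,
# turn its RNAME into the responsible person's e-mail address, and apply the secondary's
# decision rule: transfer only when the master's serial is newer, by IXFR when both
# sides support it, otherwise by AXFR. The zone and its values are constructed.

SOA_LINE = ("nwtraders.msft.  IN  SOA  dns1.nwtraders.msft. hostmaster.nwtraders.msft. "
            "2003061501 900 600 86400 3600")

def parse_soa(line):
    """Fields after SOA: MNAME (primary server), RNAME (responsible person), serial,
    refresh, retry, expire and minimum TTL."""
    fields = line.split()
    i = fields.index("SOA")
    serial, refresh, retry, expire, minimum = (int(x) for x in fields[i + 3:i + 8])
    return {"mname": fields[i + 1], "rname": fields[i + 2], "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}

def rname_to_email(rname):
    """hostmaster.dot.dotnet -> hostmaster@dot.dotnet: the first unescaped '.' becomes '@'.
    A backslash-escaped dot in the local part (john\\.doe.example.com) is a literal dot."""
    local, i = [], 0
    while i < len(rname):
        if rname[i] == "\\" and i + 1 < len(rname):   # escaped character, keep it
            local.append(rname[i + 1])
            i += 2
        elif rname[i] == ".":
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        else:
            local.append(rname[i])
            i += 1
    return "".join(local)

def serial_is_newer(candidate, current):
    """RFC 1982 serial number arithmetic: 32-bit serials wrap, so compare modulo 2**32."""
    diff = (candidate - current) % (1 << 32)
    return 0 < diff < (1 << 31)

def plan_transfer(local_serial, master_soa, local_ixfr=True, master_ixfr=True):
    """What a secondary does after its refresh timer fires or a change notification
    arrives: compare serials, then pick IXFR or AXFR (AXFR if either side lacks IXFR)."""
    if not serial_is_newer(master_soa["serial"], local_serial):
        return "none"                       # zone unchanged: just reset the refresh timer
    return "IXFR" if local_ixfr and master_ixfr else "AXFR"
```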
  33. Demonstration
     - Creating Resource Records
     - Configuring Zone Transfers
  34. Configuring Name Resolution for Client Computers
     - The client’s IP address can be provided by a DHCP server or manually configured
     - DNS server addresses can be provided by a DHCP server or manually configured
  35. Overview of Dynamic Updates (diagram)
     - Client → local name server: find the authoritative server for the name
     - Local name server → client: result (zone name and the authoritative server’s name and IP address)
     - Client → server that is authoritative for the name: attempt dynamic update
     - Authoritative server → client: result (success or failure)
  36. Configuring a DNS Server to Allow Dynamic Updates to a Zone
     - None
       - Does not accept dynamic updates
     - Nonsecure and secure
       - Accepts dynamic updates from unauthenticated and authenticated entities
     - Secure only
       - Only available for Active Directory-integrated zones
       - Only allows dynamic updates from authenticated entities
       - Does not allow modification of a record by an entity that does not own it or does not have permission to modify it
  37. DHCP Registration of DNS Records
     - For clients capable of dynamic update (Windows 2000, Windows XP, Windows .NET Server 2003):
       - By default, the DHCP server registers the PTR record and the client registers the A record
       - Alternatively, the DHCP server registers both the PTR and A records regardless of the client request
       - DHCP removes the A record when it removes the PTR record from DNS
     - For legacy clients that cannot perform dynamic update, the DHCP server registers the records on the client’s behalf
  38. DNSUpdateProxy Group
     - When a DHCP server registers records on behalf of clients (for example, downlevel clients), by default the DHCP server is the owner of the record
       - If the client subsequently attempts to modify its record(s) (for example, if a legacy client is upgraded to an operating system capable of dynamic update), it cannot, because it is not the owner of the record
     - Making DHCP servers members of the DNSUpdateProxy group configures them to register the records with no owner
       - The first security principal to “touch” the record becomes its owner
       - Facilitates downlevel clients “taking over” maintenance of their own DNS records when they’re upgraded
       - Potential security risk
  39. DHCP Interaction: Configurability of the Registering Account
     - New in Windows .NET Server 2003
     - Allows the DHCP server to be configured to register records as a specific security principal instead of as itself
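The update modes of slide 36 and the record-ownership behaviour of slides 38 and 39, as an added Python model that is not part of the original slides; the zone names, principals and the simplified ownership rules are constructed for illustration.

```python
# Added example (not from the slides): a model of the three dynamic-update settings
# and of record ownership on an Active Directory-integrated zone. It reproduces the
# DNSUpdateProxy tradeoff from the slide: a record registered with no owner belongs to
# the first principal that touches it. All names and principals are constructed.

NONE, NONSECURE_AND_SECURE, SECURE_ONLY = "none", "nonsecure and secure", "secure only"

class Zone:
    def __init__(self, update_mode, ad_integrated=True):
        if update_mode == SECURE_ONLY and not ad_integrated:
            raise ValueError("secure-only updates require an Active Directory-integrated zone")
        self.mode, self.records = update_mode, {}   # name -> {"data": ..., "owner": ...}

    def dynamic_update(self, name, data, principal=None):
        """Return (accepted, reason). principal=None models an unauthenticated client."""
        if self.mode == NONE:
            return False, "zone does not accept dynamic updates"
        if self.mode == SECURE_ONLY:
            if principal is None:
                return False, "unauthenticated update refused"
            existing = self.records.get(name)
            if existing and existing["owner"] not in (None, principal):
                return False, "record owned by " + existing["owner"]
            # New or unowned record: the caller becomes the owner; an owner keeps ownership.
            self.records[name] = {"data": data, "owner": principal}
            return True, "accepted, owner " + principal
        self.records[name] = {"data": data, "owner": principal}  # no ownership check here
        return True, "accepted"

    def dhcp_register(self, name, data, dhcp_server, in_update_proxy_group, register_as=None):
        """DHCP server registering on a client's behalf (assumed authenticated and permitted).
        Default owner: the DHCP server itself. DNSUpdateProxy member: no owner.
        Windows Server 2003 option: register as a configured account instead."""
        owner = register_as or (None if in_update_proxy_group else dhcp_server)
        self.records[name] = {"data": data, "owner": owner}
        return owner

def proxy_group_scenario():
    """Constructed sequence behind the slide's 'potential security risk' bullet."""
    z = Zone(SECURE_ONLY)
    z.dhcp_register("legacy1.corp.example.", "10.0.0.5", "DHCP1$", in_update_proxy_group=True)
    # Some other authenticated principal touches the unowned record first and owns it...
    other, _ = z.dynamic_update("legacy1.corp.example.", "10.0.0.99", principal="CORP\\someuser")
    # ...so the client, once upgraded to an OS capable of dynamic update, is locked out.
    client, _ = z.dynamic_update("legacy1.corp.example.", "10.0.0.5", principal="LEGACY1$")
    return other, client, z.records["legacy1.corp.example."]["owner"]
```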
  40. Group Policy Settings for Client DNS Configuration
     - Group Policy, which is a function of an Active Directory environment, can be used to configure DNS parameters on computers that are members of an Active Directory domain and are running Windows 2000 or later
  41. Active Directory Replication Partitions
     - Logical divisions in an Active Directory database
     - Domain controllers that host a replica of a partition participate in Active Directory replication of the information stored in that partition
     - Domain controllers that are also DNS servers may participate in replication of DNS data stored in partitions in Active Directory
  42. DNS Application Partitions
     - Replication scopes for Active Directory integrated DNS zones
       - Can replicate to every domain controller in a single Active Directory domain, regardless of whether or not all DCs are running the DNS service
       - Can replicate to every domain controller in a single Active Directory domain that is running the DNS service
       - Can replicate to every domain controller in the Active Directory forest that is running the DNS service
       - Can create administratively defined replication scopes
  43. Domain Partition
     - Contains domain-specific objects in Active Directory
       - Users
       - Computers
       - Groups
       - Etc.
     - In Windows 2000, all DNS zones that were Active Directory integrated were stored in the domain partition for the domain where the zone was made Active Directory integrated
       - Still an option in Windows .NET Server 2003, but other replication partitions are now available (as soon as the first .NET Server 2003 domain controller is created)
  44. Domain Partition Storage of DNS Zone(s)
     - Every domain controller for a domain has a replica of the DNS information for an Active Directory-integrated zone stored in the domain partition, regardless of whether the domain controller is also a DNS server
       - Advantage: a domain controller can very easily be made an authoritative DNS server simply by installing the DNS Server service; the domain controller already has all of the zone information stored in its replica of the Active Directory database
       - Disadvantage: domain controllers that are not running the DNS service are replicating DNS information
  45. Domain Partition Storage of DNS Zone(s)
     - Storage of DNS data in a domain partition does not allow Active Directory integration of zones across domain boundaries
     - A zone can only be Active Directory integrated in one domain*
       - Domain controllers only store their own domain’s domain partition
       - Eliminates the ability to use Active Directory replication mechanisms to propagate zone information to other domains
       - DNS servers in other domains can be configured as secondary servers for the zone
       - Zone transfers are the only mechanism to pass the DNS zone information to DNS servers in other domains
     * You can configure a zone as Active Directory integrated in multiple domains, but the domain controllers for the individual domains will not replicate DNS information with each other; the zones will become unsynchronized
  46. DomainDNSZones
     - Application partition that is replicated to every domain controller that is also running the DNS Server service in an Active Directory domain
     - Does not allow replication of DNS zone data across domain boundaries
     - Only domain controllers in the domain that are also running the DNS service replicate data stored in the DomainDNSZones partition
       - Domain controllers not configured as DNS servers will not replicate the partition
       - If the DNS Server service is installed on a domain controller, it will then replicate the information in the DomainDNSZones partition
       - If the DNS Server service is removed from a domain controller, it will no longer host a replica of (nor replicate) the DomainDNSZones partition
  47. ForestDNSZones
     - Application partition that is replicated to every domain controller that is also running the DNS Server service in an Active Directory forest
     - Allows Active Directory integration that spans multiple domains
     - Does not provide granular control over which domain controller/DNS servers host replicas of the partition
       - All domain controller/DNS servers in the forest will contain a replica of the partition
  48. Demonstration
     - Configuring a DNS Zone for an Application Partition
  49. Summary
     - DNS is an important service for Active Directory
     - Active Directory zone files
       - Fault tolerance and easier management
     - Service records
       - Locate the Windows Server 2003 Active Directory directory service
     - Dynamic DNS
       - Secure update for higher security
     - DNS Active Directory application partitions
       - Control of replicated DNS data
  50. Resources
     - Course 2270: Updating Support Skills from Microsoft Windows NT 4.0 to Windows Server 2003
     - Windows Server 2003 Documentation and Resources: http://www.microsoft.com/windows.netserver/preview/documentation.mspx