083006 windows server 2003 dns
TRANSCRIPT
-
8/14/2019 083006 Windows Server 2003 DNS
Windows Server 2003 DNS
-
What Is a Domain Namespace?
[Figure: the DNS tree from the root domain through the top-level domains (com, org, net), the second-level domain nwtraders, the subdomains south, west, east and sales, down to the host server1; FQDN: server1.sales.south.nwtraders.com]
-
Overview of the DNS Query Process
Query Types
Iterative Query: The DNS server returns the best answer that it can provide without help from other servers
Recursive Query: The DNS server returns a complete answer to the query, not a pointer to another DNS server
Lookup Types
Forward Lookup: Requires name-to-address resolution
Reverse Lookup: Requires address-to-name resolution
-
How Recursive Queries Work
A recursive query is a query made to a DNS server, in which the DNS client asks the DNS server to provide a complete answer to the query
[Figure: Computer1 sends a recursive query for mail1.nwtraders.com to the local DNS server; the DNS server checks the forward lookup zone and cache (its database) for an answer to the query and returns 172.16.64.11]
-
How Iterative Queries Work
An iterative query is a query made to a DNS server in which the DNS client requests the best answer that the DNS server can provide without seeking further help from other DNS servers. The result of an iterative query is often a referral to another DNS server lower in the DNS tree
[Figure: Computer1 sends a recursive query for mail1.nwtraders.com to the local DNS server; the local DNS server sends iterative queries to a root hint (.) server ("Ask .com"), to a .com server ("Ask nwtraders.com") and to the nwtraders.com server, which returns the authoritative response 172.16.64.11]
-
How Root Hint Works
Root hints are DNS resource records stored on a DNS server that list the IP addresses for the DNS root servers
[Figure: Computer1 queries the local DNS server, which uses its root hints to reach the InterNIC root (.) servers, then the com servers and the microsoft servers; the corporate or ISP DNS servers hold the root hints]
-
How Forwarders Work
A forwarder is a DNS server designated by other internal DNS servers to forward queries for resolving external or offsite DNS domain names
[Figure: Computer1 sends a recursive query for mail1.nwtraders.com to the local DNS server, which sends a recursive query to the forwarder; the forwarder sends iterative queries to a root hint (.) server ("Ask .com"), to .com ("Ask nwtraders.com") and to nwtraders.com, receives the authoritative response 172.16.64.11 and returns it]
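The resolution path on the recursive query, iterative query, root hint and forwarder slides, as an added example that is not code from the course: a toy Python model in which the local DNS server first checks its cache, then either walks the tree from the root hint with iterative queries and follows the referrals, or hands the whole recursive query to a forwarder. The zone data, the function names and the 3600-second TTL are constructed; only the zone names, mail1.nwtraders.com and the address 172.16.64.11 come from the slides.

```python
import time

# Constructed authoritative data for the slides' example: each zone's server
# returns either an answer or a referral (the child zone to ask next).
AUTHORITATIVE = {
    ".": {"referral": ["com."]},
    "com.": {"referral": ["nwtraders.com."]},
    "nwtraders.com.": {"answer": {"mail1.nwtraders.com.": ("172.16.64.11", 3600)}},
}

def iterative_query(zone, qname):
    """Best answer the zone's server can give without asking anyone else:
    ('answer', address, ttl), ('referral', child_zone) or ('nxdomain', None)."""
    data = AUTHORITATIVE[zone]
    if qname in data.get("answer", {}):
        return ("answer",) + data["answer"][qname]
    for child in data.get("referral", []):
        if qname == child or qname.endswith("." + child):
            return ("referral", child)
    return ("nxdomain", None)

class LocalDnsServer:
    """Answers recursive queries: checks a TTL-bounded cache, then either
    walks the tree from the root hint or forwards the whole query."""
    def __init__(self, forwarder=None):
        self.cache = {}          # qname -> (address, expiry time)
        self.forwarder = forwarder
        self.trace = []          # zones this server queried iteratively

    def recursive_query(self, qname, now=None):
        now = time.time() if now is None else now
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0]                       # answered from cache
        if self.forwarder is not None:          # forwarder does the walking
            return self.forwarder.recursive_query(qname, now)
        zone = "."                              # start at the root hint
        while True:
            self.trace.append(zone)
            kind, *rest = iterative_query(zone, qname)
            if kind == "referral":
                zone = rest[0]                  # "Ask .com", "Ask nwtraders.com"
            elif kind == "answer":
                address, ttl = rest
                self.cache[qname] = (address, now + ttl)
                return address                  # authoritative response
            else:
                return None                     # name does not exist
```

The `trace` list shows which servers were actually asked, so a second query inside the TTL leaves it unchanged, and an internal server with a forwarder never contacts the root at all.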
-
What Is a DNS Zone?
[Figure: the Nwtraders domain tree with the subdomains West, South, North, Support, Sales and Training, grouped into zones]
-
What Are DNS Zone Types?
Zone        Description
Primary     Read/write copy of a DNS database
Secondary   Read-only copy of a DNS database
Stub        Copy of a zone containing limited records
-
Selecting Zone Data Location
[Figure: Standard zones: a change is made on the primary zone and reaches the secondary zone by zone transfer. Active Directory integrated zones: changes can be made on any of the servers hosting the zone, with zone transfer also shown]
-
Configuring Standard Zones
You can configure a DNS server to host standard primary zones, standard secondary zones, or any combination of zones
You can designate a primary server or a secondary server as a master server for a standard secondary zone
[Figure: DNS Server A hosts the primary zone; DNS Server B and DNS Server C each host a secondary zone (Master DNS Server = DNS Server A) and receive the zone information from it]
-
Zone Transfer Process
A Zone Transfer is Initiated When
A master DNS server sends notification of zone changes to the secondary server or servers
The secondary server queries a master DNS server for changes to the zone file
[Figure: the master DNS server holding the primary zone database file (nwtraders, with training and support) transfers Zone 1 to the DNS server holding the secondary zone database file]
-
Configuring Zone Transfers
Zone Transfer Types
Full zone transfer (AXFR)
Incremental zone transfer (IXFR)
Configuring Zone Transfer Properties
Configuring DNS Notify
[Figure: Start of Authority (SOA) tab: Serial number: 2 (Increment); Refresh interval: 15 minutes; Retry interval: 10 minutes; Expires after: 1 days; Minimum (default) TTL: 0:1:0:0]
-
Configuring Zone Transfers
[Figure: nwtraders.msft Properties, Start of Authority (SOA) tab (other tabs: General, Name Servers, WINS, Zone Transfers, Security): Serial number: 28 (Increment); Primary server: london.contoso.com (Browse); Responsible person: admin.contoso.com (Browse); Refresh interval: 15 minutes; Retry interval: 10 minutes; Expires after: 1 days; Minimum (default) TTL: 0:1:0:0; TTL for this record: 0:1:0:0; OK, Cancel, Apply]
[Figure: nwtraders.msft Properties, Zone Transfers tab: "A zone transfer sends a copy of the zone to requesting servers." Allow zone transfers: To any server / Only to servers listed on the Name Servers tab / Only to the following servers (IP address list with Add and Remove). "To specify secondary servers to be notified of zone updates, click Notify."]
-
How DNS Notify Works
A DNS notify is an update to the original DNS protocol specification that permits notification to secondary servers when zone changes occur
[Figure: source server (primary and master server) and destination server (secondary server), steps 1 to 4: resource record is updated; SOA serial number is updated; DNS notify; zone transfer]
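The zone transfer and notify behaviour of the last four slides as an added example, not code from the course or from the Windows DNS service: a Python sketch of what a secondary does when it receives a DNS notify or its refresh interval elapses, how serials are compared, and how the three "Allow zone transfers" settings on the Zone Transfers tab gate a request. The SOA values are the ones in the dialog (serial 28, refresh 15 minutes, retry 10 minutes, expire 1 day); the function names, the return strings and the 192.0.2.x / 198.51.100.x addresses are constructed.

```python
from ipaddress import ip_address

# SOA values from the nwtraders.msft dialog, timers converted to seconds.
SOA = {"serial": 28, "refresh": 15 * 60, "retry": 10 * 60, "expire": 24 * 3600}

def serial_is_newer(master, local):
    """RFC 1982 serial arithmetic: serials wrap at 2**32, so 'newer' is a
    half-circle comparison rather than a plain '>'."""
    return 0 < (master - local) % 2**32 < 2**31

def transfer_allowed(requester, mode, name_servers=(), listed=()):
    """The 'Allow zone transfers' choices: 'none' (box unchecked), 'any',
    'name_servers' (only the NS tab entries) or 'listed' (explicit IPs).
    Returns True if the requesting IP may receive an AXFR/IXFR copy."""
    if mode == "none":
        return False
    if mode == "any":
        return True
    if mode == "name_servers":
        return ip_address(requester) in {ip_address(ip) for ip in name_servers}
    if mode == "listed":
        return ip_address(requester) in {ip_address(ip) for ip in listed}
    raise ValueError("unknown mode: " + mode)

def secondary_action(local_serial, master_serial, since_last_refresh, notified=False):
    """Decide what a secondary does, given the master's current serial (None
    if the master could not be reached). A DNS notify or an elapsed refresh
    interval triggers an SOA check; a newer master serial means a zone
    transfer; a master that stays unreachable past the expire interval
    means the secondary stops answering for the zone."""
    due = notified or since_last_refresh >= SOA["refresh"]
    if master_serial is None:
        if since_last_refresh >= SOA["expire"]:
            return "expired"
        return "retry" if due else "wait"
    if not due:
        return "wait"
    return "transfer" if serial_is_newer(master_serial, local_serial) else "up_to_date"
```

Note that "any" lets every host that can reach port 53 pull the whole zone, which is why the listed-servers setting is the one to use on an Internet-facing server.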
-
Configuring AD Integrated Zones
Active Directory Integrated Zone Data Is Stored as an Active Directory object
Replicated as part of domain replication
[Figure: the Active Directory domain contoso.com with DNS servers that each host the Active Directory integrated zone]
-
What Are Directory Partitions?
The Active Directory database contains the following partitions:
Schema: Definitions and rules for creating and manipulating objects and attributes (replicated forest-wide)
Configuration: Information about the Active Directory structure (replicated forest-wide)
Domain: Information about domain-specific objects (replicated domain-wide)
Application: Information about applications (configurable replication)
-
Selecting a Partition
[Figure: partition choices for storing zone data: a forest-wide application partition, a domain-wide application partition, or the domain partition]
-
Configuring Dynamic Updates
DNS Dynamic Update Protocol
Allows clients to automatically update DNS servers
Can be used in conjunction with DHCP
[Figure: 1 Computer1 requests an IP address from the DHCP server; 2 the DHCP server assigns the IP address 192.168.120.133; the Windows client updates its forward resource record on the DNS server (zone database: Computer1 192.168.120.133); DHCP updates the reverse resource record for Windows 2000, XP and 2003 clients and both resource records for other clients]
-
Securing Dynamic Updates
[Figure: nwtraders.msft. Properties, General tab (other tabs: Start of Authority (SOA), Name Servers, WINS, Zone Transfers, Security): Status: Running (Pause); Type: Active Directory-integrated (Change); Data is stored in Active Directory.; Allow dynamic updates?: Only secure updates; To set aging/scavenging properties, click Aging; OK, Cancel, Apply]
[Figure: secure dynamic updates flowing into the Active Directory integrated zone]
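The three "Allow dynamic updates?" settings as an added example, not code from the course or from the Windows DNS service: a toy Python zone in which "Only secure updates" refuses unauthenticated updates and, once a name has been registered, lets only the account that registered it change the record, so another client cannot re-register an existing host's name. The class, the mode names, the return strings and the account names are constructed; the host Computer1 and the address 192.168.120.133 come from the previous slide.

```python
class DynamicZone:
    """Toy model of a zone's dynamic update setting: 'none' (no updates),
    'nonsecure_and_secure' (anyone may update) or 'secure_only'."""
    MODES = ("none", "nonsecure_and_secure", "secure_only")

    def __init__(self, mode):
        if mode not in self.MODES:
            raise ValueError("unknown mode: " + mode)
        self.mode = mode
        self.records = {}   # name -> {"address": ip, "owner": principal or None}

    def update(self, name, address, principal=None):
        """Apply an A-record update. `principal` is the authenticated account
        (for a Windows client, its computer account) or None when the update
        is not authenticated. Returns 'updated' or 'refused'."""
        if self.mode == "none":
            return "refused"
        if self.mode == "secure_only":
            if principal is None:
                return "refused"      # unauthenticated update is not accepted
            existing = self.records.get(name)
            if existing is not None and existing["owner"] != principal:
                return "refused"      # record ACL: only its registrant may change it
        self.records[name] = {"address": address, "owner": principal}
        return "updated"

    def lookup(self, name):
        rec = self.records.get(name)
        return rec["address"] if rec is not None else None
```

In the non-secure mode the same second update succeeds, which is the behaviour the "Only secure updates" setting on an Active Directory-integrated zone exists to prevent.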
-
Creating a Subdomain
Create a Subdomain to Better Organize Your Namespace
Delegate Authority of a Subdomain To
Delegate management of portions of the namespace
Delegate administrative tasks of maintaining one large DNS database
[Figure: root (.); top-level domains org., com., edu., tw.; second-level domain microsoft.com.; subdomain training.microsoft.com.]
-
DNS Server Roles
Role                     Situation
Caching-only servers     A remote office has a limited amount of available bandwidth
Non-recursive servers    You have Internet-facing DNS servers that are authoritative for one or more zones
Forward-only servers     You want to manage the DNS traffic between your network and the Internet
Conditional forwarders   You want DNS clients in separate networks to resolve each other's names without having to query the DNS server on the Internet
-
How the Time-to-Live Value Works
The Time-to-Live (TTL) value is a time-out value expressed in seconds that is included with DNS records that are returned in a DNS query
1 The records in the zone are sent to other DNS servers and clients in response to queries
2 DNS servers and DNS clients that store the record in their cache hold the record for the TTL period supplied in the record
3 When the TTL expires, the record is removed from the cache
[Figure: the TTL is set on the zone at Authoritative DNS Server2; the resource record passes through the cache of DNS Server1 to the DNS client's cache]
-
Reducing Network Traffic by Using Caching-Only Servers
Caching-Only Servers
Perform name resolution on behalf of client computers and cache the results
Can be used to reduce DNS-related traffic across a WAN
[Figure: clients in the remote office query a caching-only DNS server, which reaches the DNS server at corporate headquarters over a slow WAN link]
-
How Aging and Scavenging Works
[Figure: timeline from Jan 1 (record timestamped) through Jan 8 to Jan 15: a 7-day No-Refresh interval followed by a 7-day Refresh interval, after which the record can be scavenged]
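The aging timeline above as an added example, not code from the course or from the Windows DNS service: Python functions showing when a dynamic re-registration is allowed to move a record's timestamp (only after the No-Refresh interval), when a record becomes stale (No-Refresh plus Refresh interval after its timestamp), and a scavenging pass that skips static records. The 7-day intervals and the Jan 1 / Jan 8 / Jan 15 dates come from the slide; the year, the function names and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Intervals from the slide's timeline.
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)

def refresh_timestamp(record_timestamp, now):
    """A dynamic update that re-registers an existing record with the same
    data may move the timestamp only once the No-Refresh interval has
    elapsed; inside that interval the timestamp is left alone."""
    if now - record_timestamp >= NO_REFRESH:
        return now
    return record_timestamp

def is_stale(record_timestamp, now):
    """A record is eligible for scavenging once both intervals have passed
    since its timestamp without a refresh."""
    return now - record_timestamp >= NO_REFRESH + REFRESH

def scavenge(zone, now):
    """Remove stale timestamped records from `zone`, a dict of
    name -> (address, timestamp). Static records (timestamp None) are
    never scavenged. Returns the names that were removed."""
    removed = [name for name, (_, ts) in zone.items()
               if ts is not None and is_stale(ts, now)]
    for name in removed:
        del zone[name]
    return removed
```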
-
What Is DNS Debug Logging?
DNS debug logging is an optional logging tool for DNS that stores the DNS information that you select
[Figure: Primary DNS Server1 and Secondary DNS Server2]
-
Planning a DNS Implementation
Small Companies: Can use ISP DNS servers for queries and to store company domain names
Larger Companies: Maintain their own DNS servers
Two DNS Servers Recommended: Primary name server and Secondary name server
-
DNS Namespace Options
[Figure: three options for the internal namespace relative to the existing DNS namespace nwtraders.com: Same Namespace (internal namespace nwtraders.com), Delegated Namespace (internal namespace ad.nwtraders.com) and Unique Namespace (internal namespace nwtraders.local)]
-
Integrating DNS into Screened Subnets
Zones Contain Records for Public Resources
Configure Firewalls to Permit Appropriate DNS Traffic
Place Only Secondary Zones
Encrypt Replication Traffic with IPSec
[Figure: the private network holds the primary DNS zone for public.contoso.msft; behind a firewall, the screened subnet holds a secondary DNS zone for public.contoso.msft; a second firewall separates the screened subnet from the Internet]