Chapter 1
Introduction to DNS in Windows Server 2003

1.1 Introduction
There are three scenarios in which your network needs DNS. Firstly, to find Active Directory resources such as Global Catalog Servers and also the Domain Controllers that authenticate Logon or Kerberos requests. Secondly, to locate pages on the internet, and thirdly, for mundane tasks, for example connecting to a printer share. DNS makes it possible for clients to access network resources using alphanumeric names rather than pure IP addresses. Unlike WINS, DNS is hierarchical, and with the advent of Windows 2000 DNS became dynamic. In practical terms, it means that clients can update their own records on the DNS Server automatically, thus reducing the administrative load. The killer reason for implementing DNS is that Active Directory relies on DNS for finding Global Catalog, Kerberos and Logon Servers. Before you install DNS on a production network you need to answer a whole series of questions. For example: will your DNS name match your email domain? Who will be in charge of DNS, you, or must you rely on a Unix department? One 'litmus test' for a difficult topic is the number of specialist terms a component uses. My rule is the more unusual words and acronyms, the more difficult the subject is to master. DNS passes this 'difficulty' test with flying colours. For instance you need to understand Namespace, Authoritative, Recursive and Incremental, to name just a few of the DNS keywords. As you learn about DNS Server, watch out for ways to increase your computing vocabulary.
1.2 What's new in Windows Server 2003 DNS
The big improvements in Microsoft's DNS came in Windows 2000; however, Windows Server 2003 has a surprising number of neat new dynamic DNS features.
1.3 New DNS Topics for Windows Server 2003
• DNS Stub Zones
• _MSDCS Zones
• Conditional Forwarding
• Debug Logging
• DNSLint Utility
• Universal Group Caching
1.3.1 DNS Stub Zones
Stub Zones are rather like DNS Secondary zones. The similarity is that both zones hold a read-only copy of records from the server that is authoritative for a child DNS domain. The difference is that Stub Zones have only 3 records, SOA, NS and A, whereas Secondary zones have a full set of A records. Finally, the logic is that you create the Stub Zone only in the Root domain, and the Stub Zone then has three records for each child domain. Incidentally, the A (Host) records in the Stub zone are referred to as 'glue' records. The point of Stub Zones is to streamline administration, improve name resolution and possibly reduce network traffic. Needless to say, Stub Zones are only needed in large complicated Forests, and are unnecessary if you only have one domain. When you need to create a Stub Zone, just call for the DNS snap-in. Right click on the Forward Lookup Zones folder, and follow the wizard.
1.3.2 _MSDCS DNS Zones
These DNS records, which begin with an underscore, let servers locate resources; for example _GC means Global Catalog and _DC means Domain Controller. While these resource records exist in Windows 2000, in Windows Server 2003 the _MSDCS records have been moved to their own zone. The benefit of this new arrangement is that you can control the resource record replication. For example, you may want to replicate the records to all Domain Controllers in the Forest, or perhaps you want to restrict replication to Domain Controllers in the local domain.
1.3.3 Conditional Forwarding
Conditional DNS forwarding is rather like taking a short cut. If I am in guybay.com and I am running DNS and I want to contact quickgear.org, then I could go via the root '.' domain, then the org server, then quickgear.org. Or, provided I knew the IP address of the server in quickgear.org, I could set up conditional forwarding and so take a shortcut. Configure Conditional Forwarding from the Forwarders tab of the DNS server itself (not the forward lookup zone tab).
1.3.4 Debug Logging for DNS
If you are troubleshooting a DNS connectivity problem, for example mail delivery or 404 web page errors, then master Debug Logging. To start Debug Logging navigate to the DNS snap-in, then the server icon's properties. A bonus of learning about Debug Logging in DNS is that you can apply the technique to other services, for instance Exchange 2003.
1.3.5 DNSLint Utility
In the Windows Server 2003 support folder there is a marvellous utility called DNSLint. What this does is display information about DNS in HTML format. The important features are its switches for checking Active Directory records and MX records.
1.3.6 Related Feature - Universal Group Caching
Universal Groups sound great, and they are great if you only use them when Global groups would NOT get the job done. Also stick to the best practice of only adding Global Groups to Universal Groups. My point is: avoid adding individual accounts to a security Universal Group. This is the logon problem that Universal Group Caching solves. A domain controller will not let you log on until it has checked all the Universal groups that you could possibly be a member of. The operating system's paranoia is that you may be a member of a Universal group in a distant part of the forest that has been used to deny permissions. So, unless the domain controller is sure it has enumerated all the Universal groups, it will not let you log on, just in case there is a security violation. The answer to the security versus speed dilemma is Universal Group Caching. If the domain controller can check the cache for Universal Groups, then it can log on the user with the correct security tokens without troubling domain controllers in other parts of the forest. Once you have decided to implement Universal Group Caching, visit Active Directory Sites and Services. Drill down to Site-name, and find NTDS Site Settings, server, NTDS Settings, properties, Site Settings. (If you only see a General tab, then you have drilled down too far. Back-track from the server NTDS to the Site NTDS.) Check the box which says Enable Universal Group Caching. If you are really stuck then just ask for Help: Enable Universal Group Caching.
Chapter 2
DNS Names in Windows 2003 Server

2.1 DNS Names in Windows 2003 Server
This chapter explains how DNS uses, resolves and maps names. Study the DNS namespace and make wise decisions when you create names for domains, sub-domains, servers and hosts.
2.2 Introduction to DNS Names
The purpose of DNS is to provide a connection when we type a name. Now that name could refer to a server, a host, a web site, or a UNC path. Always remember that computers prefer to use an IP address and that the role of DNS is to be a database of host records. It's an exaggeration to say that DNS provides the connection, but it does supply the answer to the name to IP address mapping. Let us start with a simple network where DNS maps the HostName to an IP address. DNS Servers are designed to answer queries, for example, where is BigServer? Back comes the reply BigServer - 10.10.1.1.
2.3 Hosts, Hosts Files and HostNames
Whenever you have trouble understanding DNS, return to the basics. New features are supposed to make DNS easier and faster. What they don't tell you is that each extra setting makes it more scalable and less error prone for the DNS server, but harder for you and me to understand. The answer is, if you do get into a tangle, review the basics and test with ping. In modern DNS, Host means a simple (A) record that maps a machine name (HostName) to an IP address. If you like to match theory to practice, then type hostname at the command prompt. In addition, you can check the FQDN found at System Icon, Computer Name, Change, More... You will need this information to configure this setting when installing Active Directory. Hosts is also the name of a file found in the %systemroot%\System32\drivers\etc folder. Can you believe that once upon a time (1983) this was how everyone mapped hostnames and IP addresses? Then in 1984 Paul Mockapetris invented a hierarchical, distributed system and called it DNS. The link between this history lesson and the basics is that when all else fails, edit that hosts file in the \drivers\etc folder and add the hostname and IP address to make your connection work.
2.4 DNS Namespace
I think that Namespace is a pretentious word; however, it is shorter than 'hierarchical structure of names that join up to form an FQDN'. Having been rude about the moniker, I love the concept and design behind the word Namespace.
Approach the DNS namespace as if admiring a pyramid. At the top is the '.', dot or 'null'. So, if you see such a dot or period in your DNS Server Forward Lookup Zone then it's not a mistake, you have found the top level of your DNS system.
2.4.1 Levels of Namespace
• 1 Root
• 7 Top Level Domains (TLD): com, org, net, mil, edu, gov, co.uk
• Lots of Second level domains. This is the part of the namespace that we recognise, e.g. microsoft as in microsoft.com. Incidentally, one of my hobby-horses and frustrations is that those 7 Top Level Domains were invented, almost overnight, by just one person. (As were DNS and IP 4.) Whereas committees have taken about ten years to thrash out IP 6 and more TLDs, for example .commerce, .info and .biz.
• Subdomains are optional. They are not needed by small companies or beginners. However, one day you may consider an extra level of domains, for example research.yourdomain.com. The other use of subdomains is where you want different domain names for your Active Directory, web and email address. For example, leave your email and internet domain as yourdomain.com and have ad.yourdomain.com for your Active Directory domain.
• Hostname, for example web.microsoft.com or bigserver.yourdomain.com. This level is sometimes called the leaf, or referred to as holding DNS leaf objects.

Figure 2.1 : Levels of namespace
Take as an example a query for the FQDN web.microsoft.com. On the internet all attempts to answer queries start at the '.' and soon percolate down to the next level, where we find the familiar .com, .net, .org and .co.uk extensions. What happens next is that the .com server knows where to find microsoft.com, and of course Microsoft's own DNS knows the whereabouts of web.microsoft.com.
2.5 DNS Name Server (NS)
In DNS, Name Server has several shades of meaning. NS is a particular type of DNS record, alongside Host (A), MX and CNAME. The most important nuance of Name Server is that here is a server that holds copies of these DNS resource records. Moreover, Name Servers know about other Name Servers. In fact name servers have a whole world of their own where they replicate records and forward queries. Another important DNS and Name Server concept is that of Authority. Perhaps ownership best describes this usage of the word Authority. Servers that are authoritative are responsible for answering queries about their Host, MX and other records. Name Servers also register the records and are responsible for DNS housekeeping. Always investigate the Start of Authority (SOA) record. Once you find the SOA, you can see which server is the Primary, or ultimate source, of all records for that domain.
2.6 Rules of DNS naming
If you are planning a new domain, what characters can you use in DNS? The answer is letters A-Z, lower case a-z, numbers and also the hyphen (-). To digress, my wife had a stroke of genius in having a hyphen in her domain name fashion-era.com. I wish that I had chosen computerperformance.co.uk. So if you are registering a domain, a hyphen gives you more naming possibilities. The underscore (_) is a reserved character used by Microsoft DNS for its Active Directory services. Examples of _SRV records include _gc (Global Catalog) and _dc (Domain Controller).
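As an added example (not the page's own code), here is a Python check of a planned name against these naming rules: letters, digits and the hyphen are accepted in a host label, and a label starting with an underscore is treated as a reserved _SRV label rather than a host name. Beyond what the page states, it also applies the RFC 952 / RFC 1123 host rules that a label may not start or end with a hyphen and is at most 63 characters long.

```python
"""Planning check for DNS names under the rules in section 2.6.

Added example, not code from the page. Host labels allow letters, digits
and the hyphen; an underscore-prefixed label is a reserved service (_SRV)
label such as _gc or _dc and is rejected inside a host name. The hyphen
placement and 63-character limits come from RFC 952 / RFC 1123, which the
page itself does not mention.
"""
import re

HOST_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
SERVICE_LABEL = re.compile(r"_[A-Za-z0-9-]+")


def check_label(label):
    """Classify one label. Returns (kind, reason) with kind one of
    'host', 'service' or 'invalid'."""
    if not label:
        return "invalid", "empty label (leading dot or two dots in a row)"
    if label.startswith("_"):
        if SERVICE_LABEL.fullmatch(label):
            return "service", f"'{label}' is a reserved _SRV label, not a host name"
        return "invalid", f"'{label}' is not a valid service label"
    if len(label) > 63:
        return "invalid", f"'{label}' is longer than 63 characters"
    if HOST_LABEL.fullmatch(label):
        return "host", "ok"
    # Either a disallowed character or a hyphen in first/last position.
    bad = sorted({ch for ch in label if not re.fullmatch(r"[A-Za-z0-9-]", ch)})
    if bad:
        return "invalid", f"'{label}' contains disallowed characters: {' '.join(bad)}"
    return "invalid", f"'{label}' may not start or end with a hyphen"


def check_host_name(name):
    """Check a planned host or domain name such as bigserver.guybay.com.
    Returns (ok, problems); underscore labels count as problems here
    because they belong to service records, not hosts."""
    problems = []
    for label in name.rstrip(".").split("."):
        kind, reason = check_label(label)
        if kind != "host":
            problems.append(reason)
    return not problems, problems


def is_service_record_name(name):
    """True for names such as _gc._tcp.guybay.com: every label is valid and
    at least one reserved underscore label is present."""
    kinds = [check_label(label)[0] for label in name.rstrip(".").split(".")]
    return "invalid" not in kinds and "service" in kinds


if __name__ == "__main__":
    # Constructed candidates: two good host names, three that break a rule,
    # and one service record name.
    for candidate in ["bigserver.guybay.com", "fashion-era.com",
                      "big_server.guybay.com", "-web.guybay.com",
                      "_gc._tcp.guybay.com"]:
        ok, problems = check_host_name(candidate)
        print(f"{candidate:25} host ok={ok!s:5} "
              f"service={is_service_record_name(candidate)!s:5} {problems}")
```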
Chapter 3
Types of DNS Zones in Windows Server 2003

3.1 Introduction
When you plan a DNS installation, be sure that you choose the most suitable type of zone. For instance, if your goal is to install a Windows Server 2003 domain, then investigate Active Directory Integrated Zones. Also decide how many zones to configure; it is easy to focus on the forward lookup zone but overlook the reverse lookup zone.
Figure 3.1 : Change zone type
3.2 Topics for DNS Zones in Windows 2003
One of the coincidences with DNS is how many of the components come in pairs. I find this provides a natural fork for decision making (and troubleshooting).
• Active Directory-Integrated v Primary Zone. This pairing could be called Windows 200x v NT 4.0.
• Scopes of DNS Zones
• Secure and Non Secure Dynamic Updates
• Forward and Reverse Lookup Zones
• DNS Level - Main Zone or Subzone
• Summary of DNS Types
3.2.1 Active Directory-Integrated DNS
If the situation is that you are about to install Active Directory and have complete charge of DNS (no Unix DNS in the background), then aim for Active Directory-Integrated Zones. The big advantage is efficient DNS record replication. Efficient in the sense of less network traffic, fewer errors and easier configuration with low maintenance. In a sense, Active Directory Integrated Zones are a special case of Primary Zones, where all the servers are required to be Domain Controllers.
3.3.1 Primary Zones
This is the NT 4.0 DNS model, with Windows 200x improved incremental replication (IXFR). Naturally there are also Secondary Zones, which hold read-only copies of the Primary Zones. There are two uses for this Primary / Secondary model:
1) The domain's main records are held on a Unix server.
2) Your DNS servers are not Domain Controllers.
(There are many ways of analyzing DNS zones; however, the advantage of looking at DNS from different angles is that you get a sense of perspective. Only by viewing the multiple sides of DNS will you be able to judge how to configure your servers. Be sure to research thoroughly, plan carefully and test to destruction before you implement a production DNS network.)
3.3.2 Scopes of DNS Zones
Primary Zone - Holds read and write copies of all resource records (A, NS, _SRV).
Secondary Zone - Read-only copies of records; gets updates from the primary server by zone transfer.
Stub Zone - New in Windows 2003, a tiny zone with just pointers to another domain: for example the NS, SOA and A records of the main server in that Stub domain. Think of Stub Zones like secondary zones, but with only 3 records.
(The option 'Store the zone in Active Directory' is available for Primary Zones.)
3.4 Secure and Non Secure Dynamic Updates
Starting with Windows 2000, DNS became dynamic. This is a huge advantage over the old model where you had to update records manually. Secure Updates means that only machines with computer records in Active Directory can add or update their Host (A) records on DNS servers. With secure updates you avoid lots of rogue records cluttering your DNS zones. Rogue records can appear when a visiting laptop picks up an IP address from DHCP but does not release it, because it does not disconnect gracefully from the network. The default and recommended setting for Active Directory-Integrated zones is Secure only.
3.5 DNS Zone Directions - Forward and Reverse
When you configure DNS, remember that there are 2 directions of DNS Zone. In particular, remember the reverse lookup, otherwise utilities such as NSLookup or DNSLint fail.
Forward Lookup - You know the hostname, DNS tells you the IP address. Forward Lookup zones supply the main DNS mechanism for finding Hosts (A), Name Servers (NS) or Services (_gc).
Reverse Lookup - You know the IP, DNS gives you the hostname. I think of Reverse Lookup as a hacker's tool: they can PING a server's IP address and then use a Reverse Lookup query to discover the hostname. In truth, Reverse Lookup is required by NSLookup, DNSLint and other utilities.
3.6 DNS Level - Main Zone or Subzone
Let us end this section with a reminder that DNS is hierarchical; moreover, you should check at which level or levels you need to create zones. Take as an example a company that has bought the domain name guybay.com from InterNIC. The first point to note is that they bought a .com rather than a .net or .org. When it comes to configuring DNS servers, their DNS zone will be guybay.com. Later they could have subzones such as customers.guybay.com. The company server where guybay.com is installed will be a name server, and it will have authority to answer queries for host records in the guybay.com zone. Remember that DNS is hierarchical. Here is an example of the levels.
1. ' . ' ................ Root Zone
2. com ............... Top Level Domain (TLD)
3. guybay.com .... Guy's main zone
4. customers.guybay.com, auctions.guybay.com (2 subzones)
3.7 Summary of DNS Zone Types
There are many ways of implementing DNS zones, but by looking at DNS from different angles you get a sense of perspective. Only by investigating forward, reverse and Active Directory zones will you be able to judge how to configure your servers. Be sure to research thoroughly, plan carefully and test to destruction before you implement a production DNS network.
Chapter 4
Conditional Forwarding in Windows 2003 DNS

4.1 Introduction
If you think carefully about the two words, Conditional and Forwarding, then this feature becomes self explanatory. Deeper thought raises more problems than it solves. What condition? Where does it forward? Above all, where do you find this feature?
4.2 Configuring Conditional Forwarding
Let us begin by discovering where you configure Conditional Forwarding. Start at the server icon in the DNS snap-in (not the Forward Lookup Zone). Right click, Properties, Forwarders (tab). Take the scenario where shootemup.com is an associate of your organization. Moreover, your users are forever querying their server. If shootemup.com kindly provides the IP address of the server which is authoritative for shootemup.com, then you can configure that server as a conditional forwarder.
Figure 4.1 : Alan Properties
To summarise, the Condition is that one of your clients queries for shootemup.com. The Forwarding is to the IP address specified at the Forwarders tab of your DNS server.
So what would happen without Conditional Forwarding? The answer is that your server would 'walk the root hints'. The server (Alan in the diagram) contacts the root server '.' on the internet. The root server forwards your request to the .com server, which in turn forwards the request to shootemup.com's server. In a nutshell, Conditional Forwarding is like taking a short cut. One last question: what happens if your clients query someonelse.org? The answer is that your server goes the long way around and 'walks the root hints', unless of course you are friendly with someonelse.org and configure another Conditional Forwarder.
4.3 Summary
DNS in Windows 2000 was a huge improvement over NT 4.0. Windows Server 2003's new DNS features iron out a few problems and add a few new features which speed up performance in large forests.
Chapter 5 Installing DNS Zones in Windows Server 2003
5.1 Introduction
Installing DNS is deceptive. A plan is essential, and the time it takes to prepare a checklist will be repaid tenfold in saved frustration. What makes installing DNS difficult is that usually the goal is to install Active Directory, and DNS is merely a stepping stone. The biggest challenge is managing all the places and all the settings which require names. There are times when it is best to trust the DNS wizard to configure the settings; this is particularly true for Active Directory's _MSDCS records.
5.2 Tutorial for Installing DNS Zones in Windows Server 2003

5.2.1 Preparing the DNS Server
It is crucial to 'get all your ducks in a row'. By that I mean match the names in System Icon, Computer Name (tab) with the namespace of your main DNS domain, for example guybay.com. Decide if this DNS name (guybay.com) should match your Active Directory domain name, or whether you want a sub-domain, for example ad.guybay.com. This decision is especially important where you are installing DNS / Active Directory on a domain controller in a 'green field' site. I have assumed that you plan to install a forward lookup zone, but what about the reverse lookup zone? It only takes a minute to install the reverse lookup zone, and without it utilities like DNSLint and NSLookup will not function. A setting that is easy to overlook is the TCP/IP properties of the network icon. If you add your own DNS server to the 'Preferred DNS server' box, then DNS will automatically add an A (Host) record for your own machine. One variation of this trap is to forget to add the Preferred DNS server to the second or third network card. Another variation is to forget to add other DNS servers to the list of DNS servers underneath the TCP/IP properties tab.
5.2.2 Installing the DNS Server Service
Remember that DNS is a service, ranking alongside Alerter, SMTP and Print Spooler. First job, get your Windows 2003 Server CD ready. To install the DNS service navigate to Control Panel, Add or Remove Programs, Windows Components, Networking Services, and tick Domain Name System (DNS). As soon as the installation completes I would create an MMC and add the DNS snap-in. More traditional administrators use the Administrative Tools folder or the Computer Management console. Once you launch the DNS snap-in, just right click and add the server by name. Take the time to familiarize yourself with which settings are on which tabs of the Server Icon, and also which settings are found on the property sheets of the Forward and Reverse Lookup zones.

Figure 5.1 : Change zone type
5.2.3 Creating the DNS Zones
Installing the DNS service is the easy part. Mechanically adding zones is straightforward, but your DNS server will only function correctly if you understand, then plan, the fully qualified domain name. For example, what extension, if any, will you use for your Active Directory domain? guybay.org or yourcompany.com? ad.guybay.org? Or plain guybay (no extension)? These are hard questions with far reaching answers; moreover, only you can decide.
5.2.3.1 Forward Lookup Zones
Normally, you would start by creating a forward lookup zone on your DNS server. Right click the Forward Lookup Zones yellow folder and select New Zone. Here is where your planning pays off, as you have to decide on a Primary, Secondary or possibly a Stub zone. Note the check box for 'Store the zone in Active Directory'. In Windows Server 2003 you can decide to replicate the DNS information to all DCs in the Forest, or just those in your domain. I would not worry too much about this as you can change your mind and move the radio button later. Next comes the zone name; this is important to get right, otherwise you have to delete your zone and start all over again. In my example I would type guybay.com. (Note I have decided to use the .com extension.) I would allow secure and non secure dynamic updates. My thinking is, let us give DNS the best chance of working. Once it works then I can start tightening up security. Now comes the magic moment when you press Finish and see at least 3 records: SOA, NS and a Host (A) record.
5.2.3.2 Reverse Lookup Zones
Do take a minute to create a Reverse Lookup Zone. My reasoning is that if you have the Reverse Lookup zone in place from day one, then all the PTR (Pointer) records are created automatically. The alternative is that if you create the Reverse Lookup zone 6 months down the line, then you have to add those PTR records manually. Why are you creating a Reverse Lookup Zone? So that NSLookup and DNSLint work properly. The only planning here is to calculate your network ID. For example 10.1.0.1 with subnet mask 255.255.0.0 would mean a network ID of 10.1. Follow the simple action of typing in 10 then 1. (Do not go into 'over-think' and type in 1 then 10. These days Windows works out the reverse numbers from your simple input.) Make sure that you have a PTR record for each NIC and IP address.

5.2.3.3 Stub Zones
Conceptually, stub zones are like secondary zones in that they have a read-only copy of a primary zone. The two differences are:
• Stub Zones have fewer records.
• Stub zones are more efficient and create less replication traffic.
Stub Zones only have 3 records: the SOA for the primary zone, the NS record and a Host (A) record. The idea is that if a client queries a record in the Stub Zone, your DNS server can refer that query to the correct Name Server because it knows its Host (A) record. My advice would be to use Stub Zones in situations where most of these are true:
• You have a large Active Directory Forest.
• You use Active Directory Integrated DNS.
• DNS is delegated and distributed throughout the Child Domains.
• Users in one domain often issue DNS queries to other domains.
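The reverse zone arithmetic from 5.2.3.2 (network ID and mask to in-addr.arpa zone name, IP address to PTR owner name) and the 'PTR record for each NIC and IP address' check, as an added Python example; this is not code from the page or from Microsoft, and the hosts, addresses and zone it uses are constructed sample data.

```python
"""Reverse lookup zone planning for section 5.2.3.2 (added example).

Works out the in-addr.arpa zone name from a network ID and subnet mask,
the PTR owner name for an address, and which PTR records are missing for
a set of A records. All host names and addresses below are constructed.
"""
import ipaddress

REVERSE_SUFFIX = "in-addr.arpa"


def reverse_zone_name(address, subnet_mask):
    """10.1.0.1 / 255.255.0.0 -> '1.10.in-addr.arpa'.
    The octets of the network ID are written in reverse order, which is
    what the wizard does for you when you type 10 then 1 in natural order."""
    net = ipaddress.IPv4Network((address, subnet_mask), strict=False)
    if net.prefixlen % 8:
        raise ValueError(f"mask /{net.prefixlen} is not on an octet boundary; "
                         "a simple in-addr.arpa zone needs /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + "." + REVERSE_SUFFIX


def ptr_owner_name(ip):
    """Full PTR owner name: 10.1.0.1 -> '1.0.1.10.in-addr.arpa'."""
    ipaddress.IPv4Address(ip)                     # reject a garbled address
    return ".".join(reversed(ip.split("."))) + "." + REVERSE_SUFFIX


def zone_for_ptr(ptr_name, zones):
    """The configured reverse zone that would hold this PTR record (the
    longest matching suffix), or None when no zone covers the address."""
    best = None
    for zone in zones:
        if ptr_name.endswith("." + zone) and (best is None or len(zone) > len(best)):
            best = zone
    return best


def missing_ptr_records(a_records, ptr_records, zones):
    """a_records: {hostname: [ip, ...]} with one IP per NIC.
    ptr_records: {ptr_owner_name: hostname} already present in DNS.
    Returns [(ip, ptr_owner_name, problem)] for every address that has no
    correct PTR record or that falls outside every reverse zone."""
    problems = []
    for host, ips in a_records.items():
        for ip in ips:
            owner = ptr_owner_name(ip)
            found = ptr_records.get(owner)
            if zone_for_ptr(owner, zones) is None:
                problems.append((ip, owner, "no reverse zone covers this address"))
            elif found != host:
                problems.append((ip, owner, f"expected PTR to {host}, found {found}"))
    return problems


if __name__ == "__main__":
    # Constructed sample: one reverse zone, a server with two NICs (one PTR
    # missing) and a host on a network that has no reverse zone at all.
    zones = [reverse_zone_name("10.1.0.1", "255.255.0.0")]
    a_records = {"bigserver.guybay.com": ["10.1.0.1", "10.1.0.2"],
                 "web.guybay.com": ["192.168.5.7"]}
    ptr_records = {"1.0.1.10.in-addr.arpa": "bigserver.guybay.com"}
    print("reverse zone:", zones[0])
    for ip, owner, why in missing_ptr_records(a_records, ptr_records, zones):
        print(f"{ip:15} {owner:30} {why}")
```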
5.3 Installing Active Directory
Step one: you have the bare bones of DNS installed, for example just the records for the first domain controller. Step two: run DCPROMO. The secret is to let the DCPROMO wizard automatically add the (_SRV) records to DNS. My advice is never add these records manually. Occasionally, especially with Windows 2000, the (_SRV) records are not installed; the trick is to stop then start the Netlogon service and miraculously the records will be created. If that does not work, give up and start again: run DCPROMO to demote, reconfigure the System Icon, Computer (tab) and try again. Windows Server 2003 automatically creates a top level DNS Forward Lookup Zone called _MSDCS.your.dom. Previously, this was hidden away as a subzone under your.dom.
Summary of Installing DNS Zones
When you install DNS take the time to plan carefully. In particular, decide which name to use and then configure this name at the System Icon, Computer (tab). Let the DCPROMO wizard install the (_SRV) resource records. My tutorial will take you through installing the DNS Service, and then configuring the forward, reverse and stub zones.
Chapter 6
DNS Queries in Windows Server 2003

6.1 Introduction
Always remember that there are two sides to DNS. Firstly, registration, which adds resource records such as Host (A) into the DNS database. Secondly, there are queries, where clients seek those resource records, for example: where is BigServer? Back comes the reply from DNS: BigServer IP = 10.10.55.21.
6.2.1 Authoritative DNS Servers
The goal of a DNS query is to find an authoritative DNS server, which can then return the IP address for the queried host. Authoritative DNS Servers have ownership and knowledge about resource records for a particular domain. From the point of view of a query, contacting an authoritative server is good news because you get an instant response of an IP address, or a host not found error message. However, if that server is not authoritative then, as we will see, DNS turns to forwarders, iterative queries and root hints. To check which DNS servers are authoritative, select the Forward Lookup Zone, domain name, Properties and then the Start of Authority (tab), finally Primary Server.
6.2.2 Iterative and Recursive Queries
Technically, DNS queries divide into two sub-types, recursive or iterative. Whereas I normally like to savour and remember terms, this pair don't help that much in understanding DNS. In practical terms a good DNS server uses both methods to resolve the query, and again from a practical point of view the best thing you can do is make sure the 'Root Hints' are set correctly on the server and the firewall.
Recursive Query
Recursive is the simpler query of the pair to understand, in that it's all or nothing. The DNS server either returns the full answer or a 'server not found' error. A recursive query is the type of name resolution that an XP client may send to its DNS server. If the server knows the answer to the query, then no problem; however, if the DNS server does not know the answer then it takes up the search on behalf of the client. Consider an example where an XP client in yourdomain.com says to its DNS server: 'Give me the IP address of webserver.microsoft.com.'
Your server could respond to the effect, 'I am not authoritative for microsoft.com - go away'. This would come back as an official reply: 'server not found'. More likely, your server would take up the search on behalf of the client. What would happen is that the server queries the root hints in an attempt to find the whereabouts of the microsoft.com domain servers. The key difference between a recursive and an iterative request is that with a recursive request the server does all the work on behalf of the client.
Iterative Query
An iterative query is usually a conversation between DNS servers, whereas a recursive query is usually a client asking a DNS server for name resolution.
Figure 6.1 : Iterative query
What happens with an iterative query is that the requesting server 'steps' through the DNS root hints. It says to the root servers, 'Where is microsoft.com?' If this were a recursive query, then the root server would say 'I don't know, server not found'. But with an iterative query the root server gives its best shot and says, 'Try the .com servers at IP address w.x.y.z'. Then the .com server would iteratively point your DNS to microsoft.com, and as Microsoft would be authoritative for web.microsoft.com, at last, back comes the IP address. This 'stepping' through the root hints is known as an iterative query. The key difference is that a server can respond to an iterative query with a partial reply. With luck, this partial reply will be a stepping stone to finding the Fully Qualified Domain Name.
6.2.3 Root Hints
If your Windows DNS server is connected to the internet and your clients want to find websites, then you need to check your root hints. The good news is that Root Hints are installed by default. What Root Hints do is act as pointers to servers that know the IP addresses of the top level domain servers. Launch your DNS snap-in, select the Server Icon, right click, select Properties and then select the Root Hints tab.
On the other hand, if your DNS server is not connected to the internet, then. Root hints are stored in a physical file called cache.dns. You can inspect this file in the %systemroot%\system32\dns\samples folder. Here is what cache.dns looks like:

; formerly NS.INTERNIC.NET
;
.                        3600000 IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000     A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000     NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000     A     128.9.0.107

These NS records of the '.' root servers are loaded into the Root Hints tab of your DNS server. Test your forward and reverse lookups by clicking on the Monitoring tab visible from your server properties. You may also be able to see the Monitoring tab on the above diagram.
6.2.4 DNS Caching
DNS Servers build up a cache of previously resolved queries. As requests are looked up on other servers, so records are added to the cache. A good cache has the twin benefits of faster response time and less network traffic. A bad cache can be a liability in that it gives the requestor incorrect information. One reason that I like to set the DNS snap-in to View, Advanced is that I can then see which records are in the Cached Lookups folder. Another reason that I like to view the Cached Lookups folder is so that, when I am troubleshooting, I can right click the folder and Clear Cache. Small sites sometimes manage DNS through caching-only servers; the point is that they learn and cache the records the few users need, but as they have no zones themselves, there is no associated replication traffic. This technique is useful where you have Active Directory Integrated zones and want a DNS server which is not a domain controller.
6.2.5 DNS Forwarders
Forwarder by name, forwarder by nature. The situation is that when your DNS server receives a query for which it is not authoritative, it contacts a server that does know the answer to that query. Moreover, instead of 'walking' the root hints, it refers directly to a server that has the appropriate resource records. Secondary zones contacting their primary zone would be an example of forwarders.
One major use of Forwarders is for networks which use firewalls, perimeter networks or a DMZ (demilitarised zone). For security reasons, the internal DNS servers know nothing of the internet root hints, so they forward all such queries to servers on the internet-facing side of the firewall or perimeter network.
Conditional Forwarding
Another classic use of forwarders is where companies have subsidiaries, partners or people they know and query regularly. Instead of going the long way around using the root hints, the network administrators configure Conditional Forwarders. The clever idea with conditional forwarders is that only certain namespaces are forwarded to particular servers. If you have a subsidiary called Acme.com, then you could configure all queries for Acme.com to go to their DNS servers, while other queries could go out to the internet via the root hints.
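A simulation of the iterative walk through the root hints described in 6.2.2 and of the conditional forwarder short cut from 6.2.5 and chapter 4, added here as an example rather than taken from the page; the zones, the server addresses and the names a.gtld.test and ns1.microsoft.com are constructed data, and no real DNS traffic is sent.

```python
"""Iterative resolution and conditional forwarding, simulated (added example).

Each constructed zone holds NS records for the names it delegates plus glue
A records for those name servers (the SOA/NS/A trio a Windows 2003 stub zone
keeps) and A records for its own hosts. Nothing here talks to real DNS.
"""

ZONES = {
    ".": {"ns": {"com.": ["a.gtld.test."]},
          "a": {"a.gtld.test.": "192.0.2.1"}},
    "com.": {"ns": {"microsoft.com.": ["ns1.microsoft.com."]},
             "a": {"ns1.microsoft.com.": "192.0.2.10"}},
    "microsoft.com.": {"ns": {},
                       "a": {"ns1.microsoft.com.": "192.0.2.10",
                             "web.microsoft.com.": "192.0.2.80"}},
}
# Which zone each server is authoritative for, keyed by server IP.
SERVER_ZONE = {"198.51.100.1": ".", "192.0.2.1": "com.", "192.0.2.10": "microsoft.com."}
ROOT_HINTS = ["198.51.100.1"]


def iterative_query(server_ip, qname):
    """One question to one server. Answering iteratively, the server gives its
    best shot: the record itself, a referral (with glue) to the child zone that
    covers the name, or 'nxdomain' when it holds neither."""
    zone = ZONES[SERVER_ZONE[server_ip]]
    if qname in zone["a"]:
        return "answer", zone["a"][qname]
    # Closest enclosing delegation: the longest delegated suffix of qname.
    children = [c for c in zone["ns"] if qname == c or qname.endswith("." + c)]
    if not children:
        return "nxdomain", None
    child = max(children, key=len)
    glue = [zone["a"][ns] for ns in zone["ns"][child] if ns in zone["a"]]
    return "referral", glue


def conditional_forwarder(qname, forwarders):
    """Servers of the conditional forwarder whose namespace is the longest
    suffix of qname, or None when no forwarder matches."""
    matches = [ns for ns in forwarders if qname == ns or qname.endswith("." + ns)]
    return forwarders[max(matches, key=len)] if matches else None


def resolve(qname, forwarders=None, hints=ROOT_HINTS, max_steps=10):
    """Resolve on the client's behalf. Returns (ip_or_None, trail), trail being
    the server IPs contacted in order. A matching conditional forwarder short
    cuts the walk; otherwise the walk starts at a root hint."""
    if not qname.endswith("."):
        qname += "."
    servers = conditional_forwarder(qname, forwarders or {}) or list(hints)
    trail = []
    for _ in range(max_steps):            # bounded in case of a referral loop
        if not servers:
            break
        server = servers[0]
        trail.append(server)
        kind, data = iterative_query(server, qname)
        if kind == "answer":
            return data, trail
        if kind == "nxdomain":
            return None, trail
        servers = data                    # follow the referral
    return None, trail


def recursive_query(qname, forwarders=None):
    """What the XP client sees: all or nothing, the address or 'server not found'."""
    ip, _ = resolve(qname, forwarders)
    return ip if ip is not None else "server not found"


if __name__ == "__main__":
    print("walk the root hints:", resolve("web.microsoft.com"))
    print("conditional forwarder:",
          resolve("web.microsoft.com", {"microsoft.com.": ["192.0.2.10"]}))
    print("client view:", recursive_query("nosuch.microsoft.com"))
```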
6.3 DNS Root Hints in Windows 2003
Figure 6.2 : DNS root hints in Windows 2003
Root Hints are a vital cog in configuring your DNS server. If your server receives a query for an unknown domain, then the root hints tell it where to start searching for the answer. Maybe you were lucky and the root hints configured themselves correctly. Perhaps it was a triumph of planning that you examined the root hints as soon as you ran DCPROMO. Either way, in my opinion you cannot be a successful DNS troubleshooter without understanding root hints.
6.3.1 Finding Root Hints
Root hints are pointers to the top-level DNS servers on the internet. Every Windows server comes pre-configured with a physical file called cache.dns. Inside cache.dns are the names and IP addresses of the thirteen 'well known' root servers (a.root-servers.net through m.root-servers.net), which hold the delegations for .com, .net, .org and the other top-level domains (TLDs). You can inspect a pristine copy of this file in the %systemroot%\system32\dns\samples folder; the server's live copy is %systemroot%\system32\dns\cache.dns.
Here is what the cache.dns file looks like in Notepad:

    ;       formerly NS.INTERNIC.NET
    ;
    .                        3600000  IN  NS    A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
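As an added example (not from the original text), here is a small Python check that parses a cache.dns file in the layout shown above and flags root hints that cannot be right: an NS entry with no glue A record, a glue address in private or loopback space (a root server is never on 10.x), or a name server that is not one of the root-servers.net hosts. Apart from the A.ROOT-SERVERS.NET line copied from the listing, the addresses and the faulty entries in the embedded sample are constructed for the example and are not real root server data; the file path in the usage line is the standard location and is an assumption about your installation.

```python
# Added example (not from the book): parse a Windows cache.dns root hints file
# and sanity-check it. Only the A.ROOT-SERVERS.NET lines mirror the listing in
# the text; every other address below is constructed for the example.
import ipaddress
import os
import sys

SAMPLE_CACHE_DNS = """\
;       formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
.                        3600000  IN  NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.10
; constructed: a hint that has been pointed at an internal host
.                        3600000  IN  NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     10.1.0.50
; constructed: an NS entry whose glue A record is missing
.                        3600000  IN  NS    D.ROOT-SERVERS.NET.
"""

# Ranges that should never appear as a root server address; a hint pointing
# into one of these is either a lab mistake or something planted on purpose.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def parse_cache_dns(text):
    """Return (set of NS names for '.', {host: [glue IPs]}) from cache.dns text."""
    ns_names = set()
    glue = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 4:
            continue
        name, rest = tokens[0], tokens[2:]       # tokens[1] is the TTL
        if rest[0].upper() == "IN":              # the class column is optional
            rest = rest[1:]
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), rest[1]
        if name == "." and rtype == "NS":
            ns_names.add(rdata.upper())
        elif rtype == "A":
            glue.setdefault(name.upper(), []).append(rdata)
    return ns_names, glue


def check_root_hints(text):
    """Return a list of (finding, name) tuples; an empty list means no issues."""
    ns_names, glue = parse_cache_dns(text)
    findings = []
    for ns in sorted(ns_names):
        if not ns.endswith(".ROOT-SERVERS.NET."):
            findings.append(("NOT_ROOT_SERVER", ns))
        addrs = glue.get(ns, [])
        if not addrs:
            findings.append(("NO_GLUE", ns))
        for addr in addrs:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append(("BAD_ADDRESS", ns))
                continue
            if any(ip in net for net in NON_PUBLIC_NETS):
                findings.append(("NON_PUBLIC_ADDRESS", ns))
    for host in sorted(glue):
        if host not in ns_names:                 # glue for a server nobody delegates to
            findings.append(("ORPHAN_GLUE", host))
    return findings


if __name__ == "__main__":
    # Default path is an assumption about a standard install; pass another path
    # (for example the samples copy) as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars(
        r"%SystemRoot%\system32\dns\cache.dns")
    with open(path, encoding="ascii", errors="replace") as fh:
        for finding in check_root_hints(fh.read()):
            print("%-20s %s" % finding)
```

Run it against the live cache.dns and against the pristine copy in the samples folder; any difference in the findings is worth explaining before you trust the server's answers for internet names.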
6.3.2 Root Hint Choices
I know it's obvious, but you have to be connected to the internet to take advantage of root hints. If your DNS server is not connected to the internet then the root hints are a liability: they cannot work and only introduce delays while queries try to contact unreachable IP addresses. Another problem arises when you are connected to the internet but there is a conflict between the DNS name you use internally and the same domain name registered on the internet. Confusion may be caused by your web server or your Exchange server being registered under the same domain name but with a different IP address; for instance your ISP or registrar may have legitimately assigned a different IP address to your domain name.
Figure 6.3 : Guido Properties
6.3.3 Configuration if legitimately connected to the Internet I use legitimate to mean a valid, conflict free IP address and domain name. In this instance go with the default. Check the DNS Server, Properties, Root Hints tab. (Note, start at the Server Icon, not the Zone Folder.)
Test your forward and reverse lookups by clicking on the Monitoring Tab visible from your server properties. You may also be able to see the Monitoring Tab on the above diagram.
Figure 6.4 : William Properties
6.3.4 Alternative '.' Root Configuration
Where your server is not connected to the internet you need to take action and create a '.' zone on your DNS server. You also need this configuration if there is a conflict between your local domain name and a domain name on the internet. The solution is simple and elegant: create a local '.' root zone. All that you need to do is expand your DNS server, right click Forward Lookup Zones, choose New Zone, and name it '.' (some call this character a dot, others a period). Be clear about the consequence: the server now believes it is a root server, so it will never consult root hints or forwarders for a name it cannot answer itself. That is exactly what you want on an isolated network, and exactly what you do not want on a domain controller that must still resolve internet names.
The result of your configuration is that when you return to examine the root hints, there are no servers listed, the Fully Qualified Domain Name box should be 'greyed out'. When managing your DNS Server there are many instances when restarting the DNS Server produces the desired effect of a refresh. The easiest way to restart DNS, is right click the Server Icon and select All Tasks.
6.3.5 Reversing your Root Hint Actions Sometimes when troubleshooting, in desperation you start ripping out configurations that the server needs. If you made a mistake, or circumstances dictate that you need to recreate those original root hint pointers, then simply delete the '.' domain.
If deleting the root zone on your server did not work, then on the Root Hints tab try Copy from Server and type the IP address of another of your DNS servers (another domain controller?), or copy the cache.dns file from the %systemroot%\system32\dns\samples folder.
6.3.6 Summary of DNS Root Hints
Root hints provide the link between your DNS server and the top-level DNS servers on the internet. As these IP addresses change only rarely, Microsoft loads them into your DNS server's root hints automatically. All is well unless your server is not allowed to connect to the internet, in which case you need to configure your own local '.' root zone.
Chapter 7 DNS Resource Records in Windows 2003
7.1 Introduction
It all started with Host records. In the beginning there were just flat text files with a list of servers and corresponding IP addresses. When that got cumbersome and a pain to update, a proper distributed database called DNS (Domain Name System) was invented by Paul Mockapetris in 1983. Since then the DNS record types have grown; here is a list:

Type of Record - What it does
A (Host) - The classic resource record. Maps a hostname to an IP address.
PTR - Maps an IP address to a hostname (the reverse of A). Found in the Reverse Lookup Zone.
CNAME - Canonical name; in plain English, an alias.
NS - Identifies the DNS name servers for a zone. Important for delegation and zone transfers.
MX - Mail servers, particularly for other domains. MX records are required to deliver internet email.
SRV (and the _msdcs subdomain) - Required for Active Directory. A whole family of underscore service records, for example _ldap._tcp.gc._msdcs (global catalog) and _ldap._tcp.dc._msdcs (domain controller).
SOA - Start of Authority. Make a point of finding the SOA tab in the zone's properties.
Custom / Special - It is possible to create other record types in the DNS manager. However I would only do this in extreme circumstances, e.g. when following a TechNet article.
Table 7.1 : Resource Records
7.1 Purpose of Resource Records
Without resource records DNS could not resolve queries. The mission of a DNS Query is to locate a server that is Authoritative for a particular domain. The easy part is for the Authoritative server to check the name in the query against its resource records.
7.2 Summary
Take the time to investigate DNS resource records. Understand which are created automatically, for example the SRV records registered by Netlogon, and which you need to create yourself, for example MX records for Exchange.
Chapter 8 DNS Dynamic Registration in Windows 2003 Server
8.1 Introduction Although I never liked WINS, I had to admire its dynamic registration. With dynamic DNS (DDNS) host records are automatically registered and updated, thankfully, there is no more manual editing by an administrator. This tutorial will guide you to all the settings needed to manage dynamic DNS, we will visit the DNS client, DNS server and DHCP menus. Incidentally, I see a disturbing tendency to refer to it as 'dinamic DNS', has a new word called dinamic been born, or is it a spelling mistake?
8.2 Client Configuration
Dynamic registration is another triumph for upgrading to XP. Windows 2000 and later clients have the built-in intelligence to dynamically register and update their own DNS records. Fortunately, DHCP can act on behalf of down-level clients such as Windows 98 or NT 4.0: DHCP works hand in glove with DNS and will pass on requests from its clients to have their host records updated in the DNS database. Later in this tutorial we will consider DHCP, but if you have servers with manually assigned IP addresses then there is a little-known checkbox to configure dynamic DNS. On the client, open the network connection, select TCP/IP settings, Advanced, DNS. Down at the bottom is a check box, 'Register this connection's addresses in DNS'. Which resource records are dynamically updated? As expected the Host (A) records, but also the PTR (pointer) records. Of course PTR records only get updated if you have configured the corresponding reverse lookup zone.
8.3 DHCP Configuration
Figure 8.1 : DHCP configuration
The idea is that if DHCP gave out the IP address, then DHCP can tell DNS. Confession time: I rarely find the DHCP / DNS integration tab first time. Fortunately I am not alone, and even more fortunately, here are detailed instructions to enable dynamic DNS updates for down-level clients. Start at the DHCP server icon (not the DNS icon, and not the DHCP scope). Right click, Properties, and select the DNS tab. The default (see diagram) assumes you have Windows 2000 or later clients; these settings maximize efficiency and minimize network traffic. However, if you have primitive clients such as NT 4.0 or earlier, then you must tick the box 'Dynamically update DNS A and PTR records for DHCP clients that do not request updates'. Examine which items on the DNS tab are check boxes and which two are radio buttons. Incidentally, I await a killer use for removing the tick from 'Discard A and PTR records when lease is deleted'; I would always leave the default and keep this box checked. One caveat when the zone allows only secure updates: records that the DHCP server registers on behalf of clients are owned by the DHCP server's own account, so put your DHCP servers in the DnsUpdateProxy security group, otherwise a second DHCP server, or the client itself once it is upgraded, cannot update those records.
8.4 DNS Server Settings
There is just one dynamic DNS setting to check at the DNS server, and that is whether to allow only secure updates. The menu we want is found underneath the Forward Lookup Zone: choose your domain name (ourdom.com), Properties, General tab. Right in the centre of the box is the Dynamic updates drop-down. In the unlikely event that you do not want any part of dynamic DNS, this is where you disable it by choosing 'None'. More likely, your choice lies between 'Secure only' and 'Nonsecure and secure'; 'Secure only' is offered only when the zone is stored in Active Directory. Secure in this case means that the client has been vouched for, in the sense that it has a computer account in Active Directory: the update is authenticated with that account (Kerberos, via GSS-TSIG), and the record then carries an ACL so that only the account which created it can change it. For a moment let us return to DHCP. It is possible that DHCP gives out IP addresses to all manner of devices, especially with the influx of wireless machines. If these machines have no computer account, then with 'Secure only' they cannot register in DNS, and that is the point: they may disappear suddenly rather than gracefully, so their A and PTR records could pollute your database for weeks, and with 'Nonsecure and secure' any device on the network can register, or overwrite, any name in the zone. To prevent this clutter, be ruthless and set Dynamic updates to 'Secure only'.
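The quickest way to prove what 'Nonsecure and secure' means in practice is to send a dynamic update with no authentication at all and see whether the zone takes it. The Python below is an added example, not code from the book: it builds a minimal RFC 2136 UPDATE (add one A record, no prerequisites, no TSIG signature), decodes the server's RCODE and turns it into a verdict. The zone ourdom.com, the host name ddns-probe, the server 10.1.0.50 and the address 10.1.0.99 are placeholders. A NOERROR reply means the record was actually written, so run it only against a zone you administer and use the delete form afterwards to remove the test record.

```python
# Added example (not from the book): probe whether a zone accepts
# unauthenticated dynamic updates by sending an RFC 2136 UPDATE with no TSIG.
# Zone, host, server and address values are placeholders for the example.
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET",
          8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}


def encode_name(name):
    """Dotted name -> wire format: length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_update(zone, host, ip, ttl=1200, xid=0x1234, delete=False):
    """UPDATE that adds (or, with delete=True, removes) 'host.zone IN A ip'."""
    # Header: ID, flags (QR=0, opcode 5 = UPDATE), ZOCOUNT=1, PRCOUNT=0,
    # UPCOUNT=1, ADCOUNT=0.
    header = struct.pack("!HHHHHH", xid, 5 << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)      # SOA, IN
    fqdn = host + "." + zone
    if delete:
        # RFC 2136 section 2.5.2: CLASS ANY, TTL 0, empty RDATA deletes the RRset.
        update_rr = encode_name(fqdn) + struct.pack("!HHIH", 1, 255, 0, 0)
    else:
        rdata = socket.inet_aton(ip)
        update_rr = (encode_name(fqdn)
                     + struct.pack("!HHIH", 1, 1, ttl, len(rdata))   # A, IN
                     + rdata)
    return header + zone_section + update_rr


def parse_rcode(response, expected_xid):
    """Return the RCODE name from a response header after checking the ID."""
    if len(response) < 12:
        raise ValueError("short response")
    xid, flags = struct.unpack("!HH", response[:4])
    if xid != expected_xid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:                       # QR bit must be set
        raise ValueError("not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)


def classify(rcode):
    """Turn the RCODE into a verdict about the zone's dynamic update policy."""
    if rcode == "NOERROR":
        return "NONSECURE_UPDATES_ACCEPTED"      # anyone on the LAN can write records
    if rcode == "REFUSED":
        return "UPDATE_REFUSED"                  # Secure only, or updates disabled
    if rcode == "NOTAUTH":
        return "SERVER_NOT_AUTHORITATIVE"
    return "INCONCLUSIVE_" + rcode


def probe(server, zone, host, ip, delete=False, timeout=3.0):
    """Send the probe over UDP/53 and return (rcode, verdict). Needs the network."""
    xid = 0x4242
    packet = build_update(zone, host, ip, xid=xid, delete=delete)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(512)
    rcode = parse_rcode(data, xid)
    return rcode, classify(rcode)


if __name__ == "__main__":
    # Placeholder values; only run against a server and zone you administer.
    print(probe("10.1.0.50", "ourdom.com", "ddns-probe", "10.1.0.99"))
    print(probe("10.1.0.50", "ourdom.com", "ddns-probe", "10.1.0.99", delete=True))
```

Two things to bear in mind when reading the result. A Windows client tries exactly this kind of unsigned update first and only falls back to a Kerberos-signed one when it is refused, so REFUSED entries from domain members in the debug log are normal and the signed retry is what succeeds; and a zone that answers NOERROR to this probe lets any host with network access create or overwrite names, whether or not it has a computer account.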
Chapter 9 Troubleshooting Tips for DNS in Windows Server 2003
9.1 Introduction
During my career as a biologist, when we went on field trips I had a student who always claimed that he had found a rare bird. Inevitably it turned out to be the common or garden variety. My point is this: when it comes to troubleshooting DNS, begin with the basics, investigate the most obvious solution, check the common trouble spots. Beware of making the problem worse by altering settings that are correct. Change one factor at a time, and write down what you configured.
9.2 Start Troubleshooting with Ping
Can you ping the target machine?
a) By IP address: ping 10.1.0.100
b) By hostname: ping BigServer
c) By fully qualified domain name: ping BigServer.guybay.com
Examine the replies for clues, for example whether the reply names BigServer or BigServer.guybay.com. Depending on the results from Ping, check the default gateway and subnet mask.
9.3 Do not neglect IPCONFIG
Collect information about default gateways and DNS servers with IPCONFIG's switches, particularly /all. What you are particularly interested in is the DNS server's IP address. Should that field be empty or incorrect, then adjust the IP address at the Network icon, TCP/IP properties. Remember that Ipconfig has three DNS-specific switches. On more than one occasion /flushdns has saved me tearing my hair out: you may have solved the problem, but a dirty cache prevents confirmation. Ipconfig /registerdns can save a reboot, while /displaydns may give you extra information on what name resolution the client has achieved.
Figure 9.1 : William Properties
9.4 Time to look at the DNS server snap-in
Figure 9.2 : DNS Snap-in
At the DNS console, click on View (menu) and make sure that Advanced is ticked. This is rather like 'Show All Files'. Precisely what to look for in the snap-in depends on the problem. If you are checking basic connectivity, then check that you have a Host (A) record for the machine you are trying to contact. I would follow up Ping with a check of the Monitoring tab on the DNS server icon. For basic Active Directory / DNS configuration, check that the _msdcs records were created by DCPROMO. If not, try restarting the Netlogon service. If you have a more difficult problem, for example zone replication, then click on the Server Icon, Properties. (In the diagram Alan is the name of the server.) One trap is to investigate the DNS server icon when you should be looking at the Forward Lookup Zone, domain name (and vice versa: you look at the domain properties instead of the DNS server icon). About half of all DNS fixes require a restart of the DNS service; fortunately Microsoft supply a Restart option on the 'All Tasks' menu. If the problem involves internet connectivity, then
9.5 NSLookup
My conclusion for troubleshooting with NSLookup is: avoid it. Instead, wherever possible, use the DNS snap-in described above. At first I was in awe of NSLookup, then I mastered it, then I realized that it did not give me any more information than the DNS snap-in. So the killer use of NSLookup is when you do not have the DNS snap-in, for example when you are troubleshooting from an XP machine.
A trap with NSLookup is the reverse lookup: when it starts it tries to find the PTR record for the DNS server's own address, and if you have not configured the corresponding Reverse Lookup Zone it complains that it cannot find the server name. That warning is harmless and the queries still work, but it sends many people chasing the wrong problem. Instead of NSLookup I would use DNSLint.
9.6 Hosts files
Reverting to hosts files may seem like taking a step backwards into the dark ages, but many is the time that this trusty old technology has solved a problem. The beauty of the hosts file is its simplicity and the fact that the client operating system reads the hosts file BEFORE it queries DNS. That same fact makes it a favourite place for malware to redirect names, so when a name resolves to an address you do not expect, check the hosts file before you blame DNS. Be sure that you are editing the hosts file in %systemroot%\system32\drivers\etc (not the copy in the \i386 or dllcache folder). Once you have opened the hosts file with Notepad, add an entry for the server that you wish to connect to, then try once more to contact it with Ping. Examples of hosts file entries:
10.10.0.1 BigServer
10.10.0.1 BigServer.guybay.com
9.7 Event Viewer In truth the Event Viewer should be the first place to look for clues, not the last! Mastering the Event Viewer is an art in itself. The point to remember is that DNS has its own Log. By all means check the system log or even the application log, but do investigate the DNS log. What you are looking for depends on the problem area. But here are a few categories to check: Domain Name Problems, Resource Record, Database Load and there really is a DNS Sanity Check!
9.8 Summary of Troubleshooting DNS When Troubleshooting DNS server, always begin with the basics. Start with Ping, Ipconfig and the DNS snap-in. Also, remember the Event Viewer. One of my favourite troubleshooting utilities is Monitor Server on the DNS Server snap-in.
Chapter 10 Advanced DNS Troubleshooting for Windows Server 2003
10.1 Introduction
So you need to solve a DNS problem. The situation is that you have checked the basics and you still suspect that DNS is not working properly. Where next? That depends on your situation. Here are my favourite DNS tips.
10.2 Gather evidence by asking questions
1. Will ipconfig /flushdns magically cure the problem? Alternatively, restart the DNS service.
2. Is there one DNS client affected, or many?
3. Can the DNS server itself resolve addresses and queries?
4. Beware that the cause may be nothing to do with DNS. I once ripped out a perfectly good DNS configuration because I overlooked testing the physical network.
5. A variation of this external-cause theme is that a firewall could be blocking DNS port 53 (UDP and TCP).
6. Do you have the correct IP address in the resource records for the server itself?
7. Is the server authoritative for the domain that you are querying?
8. Remember to add PTR records in the reverse lookup zone.
9. For email delivery problems, are the MX records correct?
10. Is the problem related to the internet? How are the Root Hints configured?
11. If it is a web browsing problem, which sites are available?
12. Delegation. If you have sub-zones, do the delegation NS records point to the right servers?
10.3 Tests that you can make on DNS
The scenario: when you attempt to cure a DNS problem by changing a setting, nothing seems to happen. At least nothing happens until you either restart the DNS service or close and then re-open the DNS snap-in. So remember to make liberal use of Refresh, and also to right click the server icon, All Tasks, Restart. Note there is also a Clear Cache option there, which is the server-side equivalent of IPCONFIG /flushdns.
Figure 10.1 : cp.com properties
10.4 DNS Check list
DNS Server, Properties, Monitoring (tab). Test Simple and Recursive queries. If the recursive query fails, check the Root Hints and Forwarders.
Match each Host (A) record with a PTR in the Reverse Lookup Zone; a mismatch causes problems with services that check reverse lookups, mail servers in particular.
Are there any non-standard characters in any of your names? Be wary of underscores, and of hostnames made up only of numbers.
Could unneeded CNAME records be masking or confusing Host (A) records? FTP and WWW CNAME aliases are fine, but for all other cases use CNAME sparingly.
MX records. It is good practice to create MX records that point to your own server.
Lame delegations: check that all NS records point to servers that exist and are authoritative for that domain.
Replication problems. Increment the serial number to force replication: navigate to the Forward Lookup Zone (not the server icon), domain name, Properties, SOA (tab), Serial number, Increment (button). If you are using Active Directory integrated zones, then you can force an instant replication from Active Directory Sites and Services: drill down through Default-First-Site-Name, Servers, NTDS Settings, right click a connection and choose Replicate Now.
At the domain properties, check the Zone Transfers (tab). Make sure transfers are allowed, but only to the servers listed on the Name Servers tab or to specific IP addresses; 'To any server' hands a complete copy of your zone, every host name and address, to anyone who can reach port 53.
Registering records in DNS. Check DHCP. First, a basic check that scope option 006 DNS Servers is set to the correct DNS server. Next find the DNS (tab) in DHCP and investigate the dynamic DNS settings. Check the client's TCP/IP properties, Advanced, DNS, Register this connection's addresses in DNS. This is the equivalent of IPCONFIG /registerdns.
Problems with Active Directory. Check that the _msdcs folder exists and is populated with lots of records. If not, try restarting the Netlogon service. While I am not a great fan of rebooting in Windows 2003, on this occasion I would try a reboot to see if that causes _msdcs to be populated.
10.5 Troubleshooting Methods
Ask: 'what has changed recently?' What were the last settings to change? Has any hardware changed? If so, reverse course: revert to how it was and see if that cures the problem. Pattern recognition is a vital troubleshooting skill. Look for patterns, spot what is out of the ordinary, such as a resource record that is different, or a spelling mistake in a forwarder name. The Event Log. Microsoft have provided a clue by situating a copy of the DNS event log right underneath the server icon. So take advantage of this invitation to search for error messages and look up the Event ID in TechNet. It may be worth a quick look in the system event log; perhaps your DNS problem is a symptom of a bigger problem and not the underlying cause. Can you reproduce the problem? Can you make the fault reoccur? If so, write down any error messages, go to TechNet and experiment with different combinations of key words from the event viewer or message box. Phone a friend! Ask for help. Which expert do you know, what is their email address, or better still their mobile number? When you are stuck, it is time to call in a favour. I have noticed that people approach problem solving in two distinct ways. I'll call the first method the 'techie' approach and the second the Henry Ford method. At this point I assume that you have been using the 'techie' approach and sadly it has not worked for your problem; if so, then give the Henry Ford method a chance.
Legend has it Henry Ford knew little about car manufacturing but had a row of buttons, blue for an engine expert, red for electrical etc. So, now is the time to press your buttons. Contact the most likely people, explain the problem and appeal to their problem solving skills.
10.6 Assemble the Toolkit
Command Prompt
1. IPCONFIG /flushdns /registerdns /displaydns
2. PING
3. TraceRt (Trace route)
4. Route Print
5. NSLookup
6. DNSLint
7. DNSCmd
8. NetDiag and DCDiag
DNS Server Icon
1. Monitoring (Tab)
2. Root Hints (Tab) - Do you need them?
3. Event Viewer - DNS log
4. Debug Logging (Tab)
10.7 Summary of Troubleshooting DNS The secret of troubleshooting DNS is to follow a structured plan. Play the detective and ask questions. Write down changes that you have made. Make it a habit to collect a wide variety of utilities from Ping to DNSLint.
Chapter 11 Debug Logging for DNS in Windows Server 2003
11.1 Introduction
Why would you use DNS's debug logging? The answer is to track down problems with DNS queries, updates or notification errors. Perhaps the most common puzzle is why a DNS query results in an unknown server error when you know the domain name is valid.
11.2 Scenarios for creating a DNS Debug Log
• Web page not found (404 error).
• Email delivery error.
• Cannot find a server by its UNC path.
• Secondary DNS servers do not receive notifications or updates.
11.3 Where do you find the debug log settings?
Open the DNS snap-in, click on the server icon itself, Properties, Debug Logging tab (no use looking on Forward Lookup Zones). Make sure that you enter a valid path and filename in the box at the bottom called 'File path and name'; see diagram. Good news: the debug information is appended to the log, with the latest information at the bottom. Keep the log on a local disk with room to spare, and protect the file, since it records every name your clients ask for.
Figure 11.1 : Alan Properties
11.4 Interpreting the Debug log
The trick to deciphering the log is to parse, or divide up, each line. It helps to look for patterns, for example Rcv ... Q (an incoming query) or Snd ... R Q (an outgoing response to a query). Watch out for the result codes: NXDOMAIN indicates that the name does not exist, while NOERROR is good news. The name at the end of the line is written the way it travels on the wire: each label is preceded by its length in brackets and the (0) marks the root, so (8)LLANELLI(2)cp(3)com(0) is LLANELLI.cp.com. Here are two examples from my Windows Server 2003 debug log e:\log\wed.log:

Example 1 - Query failure
PACKET UDP Snd 10.1.0.1 R Q [8385 A DR NXDOMAIN] (7)EZINE(2)cp(3)com(0)
In this example the response carries NXDOMAIN, meaning the server has no record of a machine called EZINE in cp.com.

Example 2 - Query success
PACKET UDP Snd 10.1.0.1 R Q [8085 A DR NOERROR] (8)LLANELLI(2)cp(3)com(0)
Here the response sent to 10.1.0.1 successfully resolved a machine called LLANELLI at cp.com.

Note: always turn off the log when you finish; debug logging costs CPU time and disk space, and on a busy server the file grows quickly.
Error Code - Explanation
NOERROR - Success. What you want; no problem.
NXDOMAIN - The query name does not exist: the server has no record for this host.
NOTAUTH - This server is not authoritative for the zone in the query. One cause is a secondary server requesting a zone transfer from a server that does not hold the zone and is not named in its SOA.
SERVFAIL - Most likely a temporary problem, for example a timeout while recursing; with luck a retry will work. Often seen with email transfer.
REFUSED - The server declined to answer; a security or policy problem, so check permissions. Typical causes are a zone transfer requested by a host that is not permitted to receive one, or a dynamic update that does not satisfy a 'Secure only' zone. Mail servers produce a similar pattern when they refuse incoming mail from a domain they cannot resolve to reply to.
Table 11.1 : Error codes
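To make the parsing mechanical, here is an added Python example (not from the book) that reads debug log lines of the kind shown in 11.4, decodes the bracketed wire-format name, and then answers two questions a security operator asks of this log: which clients are generating NXDOMAIN responses in volume (a sign of misconfiguration, or of a host probing for names), and which requests the server REFUSED (zone transfers or dynamic updates it would not allow). The embedded sample consists of the two lines from 11.4 plus constructed lines; the constructed ones use a fuller layout, with date, time, thread and query-type columns as the server writes them, which the regular expression treats as optional. Note that the book's first line carries a label length of 7 for the five-letter name EZINE, so the parser reports that mismatch rather than trusting either value.

```python
# Added example (not from the book): parse Windows Server 2003 DNS debug log
# lines and summarise them for a security operator. The first two sample lines
# are quoted from section 11.4; the rest are constructed for the example.
import re
from collections import Counter

SAMPLE_LOG = """\
PACKET UDP Snd 10.1.0.1 R Q [8385 A DR NXDOMAIN] (7)EZINE(2)cp(3)com(0)
PACKET UDP Snd 10.1.0.1 R Q [8085 A DR NOERROR] (8)LLANELLI(2)cp(3)com(0)
20050126 09:52:10 5A8 PACKET  UDP Rcv 10.1.0.77 0002   Q [0001   D   NOERROR] A      (7)xk3q9ze(2)cp(3)com(0)
20050126 09:52:10 5A8 PACKET  UDP Snd 10.1.0.77 0002 R Q [8385 A DR NXDOMAIN] A      (7)xk3q9ze(2)cp(3)com(0)
20050126 09:52:11 5A8 PACKET  UDP Snd 10.1.0.77 0003 R Q [8385 A DR NXDOMAIN] A      (6)p0w1rv(2)cp(3)com(0)
20050126 09:52:11 5A8 PACKET  UDP Snd 10.1.0.77 0004 R Q [8385 A DR NXDOMAIN] A      (8)zz8qd1mk(2)cp(3)com(0)
20050126 09:52:30 5A8 PACKET  TCP Snd 10.1.0.77 0005 R Q [8005 A D  REFUSED] AXFR   (6)ourdom(3)com(0)
"""

# Columns that only the fuller log layout carries are optional groups.
LINE_RE = re.compile(
    r"PACKET\s+"
    r"(?:[0-9A-Fa-f]{6,}\s+)?"                    # packet address column
    r"(?P<proto>UDP|TCP)\s+"
    r"(?P<direction>Snd|Rcv)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?:[0-9A-Fa-f]{4}\s+)?"                     # transaction ID column
    r"(?P<resp>R?)\s*(?P<opcode>[A-Z])\s+"        # R = response, Q = query opcode
    r"\[(?P<xid>[0-9A-Fa-f]+)\s+(?P<flags>(?:[A-Z]+\s+)*?)(?P<rcode>[A-Z]+)\s*\]\s+"
    r"(?:(?P<qtype>[A-Z0-9]+)\s+)?"               # query type column
    r"(?P<name>(?:\(\d+\)[^()\s]*)+)"
)


def decode_name(wire):
    """'(2)cp(3)com(0)' -> ('cp.com', True); the flag is False on a length mismatch."""
    labels = re.findall(r"\((\d+)\)([^()\s]*)", wire)
    length_ok = all(int(n) == len(label) for n, label in labels)
    name = ".".join(label for _, label in labels if label) or "."
    return name, length_ok


def parse_line(line):
    """Return a dict for a PACKET line, or None for lines that are not packets."""
    m = LINE_RE.search(line)
    if not m:
        return None
    name, length_ok = decode_name(m.group("name"))
    return {
        "proto": m.group("proto"),
        "direction": m.group("direction"),
        "ip": m.group("ip"),
        "response": m.group("resp") == "R",
        "xid": int(m.group("xid"), 16),
        "flags": m.group("flags").split(),
        "rcode": m.group("rcode"),
        "qtype": m.group("qtype"),
        "name": name,
        "length_ok": length_ok,
    }


def parse_log(text):
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def nxdomain_by_client(records):
    """Count NXDOMAIN responses the server sent, keyed by the client address."""
    counts = Counter()
    for r in records:
        if r["direction"] == "Snd" and r["response"] and r["rcode"] == "NXDOMAIN":
            counts[r["ip"]] += 1
    return counts


def noisy_clients(records, threshold=50):
    """Clients at or above the NXDOMAIN threshold; tune it to your own baseline."""
    return sorted(ip for ip, n in nxdomain_by_client(records).items() if n >= threshold)


def refused_responses(records):
    """(client, name) for every request the server answered with REFUSED."""
    return [(r["ip"], r["name"]) for r in records
            if r["direction"] == "Snd" and r["response"] and r["rcode"] == "REFUSED"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("NXDOMAIN by client:", dict(nxdomain_by_client(recs)))
    print("noisy clients:", noisy_clients(recs, threshold=3))
    print("refused:", refused_responses(recs))
```

Feed it the real log with `parse_log(open(path).read())`; the threshold of 3 in the sample is only for illustration, and on a production server you would set it from a day of normal traffic before treating a client as suspicious.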
11.5 Filtering the log Either you can filter the log so that it only captures particular data, or else you can use Find in the resultant log to track down the server name you are interested in. Possible filters include the following pairs: UDP or TCP, Incoming or Outgoing, Request or Response.
11.6 Summary If you experience DNS connectivity problems, create a Debug log. Navigate to the DNS server icon, find the Debug Logging tab and set a path to the filename which stores the data.
Chapter 12 DNSLint troubleshooting Utility for DNS
12.1 Introduction
I am always on the lookout for a good new Microsoft utility, and DNSLint is my current favourite. For basic connectivity errors you cannot beat Ping and Ipconfig. But what if they don't solve the problem? The answer is to try DNSLint.
12.2 Displays port numbers - HTML output
Firewall problems plague me, so my killer feature of DNSLint is that it displays port numbers, e.g. TCP 53. As a bonus it writes the report as HTML. Perhaps this is the start of a new trend by Microsoft to replace the DOS output of command line utilities with permanent files. (Who remembers to pipe the output of Ipconfig to a text file?)
12.3 Where does DNSLint come from?
The first question that I ask about any utility is where do you find it? In the case of DNSLint the answer is the support tools cabinet (support.cab in the Support\Tools folder) on the Windows Server 2003 CD. By accident I discovered that to get the most out of DNSLint I needed a reverse lookup zone. I say by accident as I normally set up a reverse lookup zone as best practice. But I went to a customer's site and got egg on my face when DNSLint would not display correctly. I blamed the customer, but only under my breath! Does DNSLint work with Windows 2000? Yes, provided you have access to the Windows Server 2003 CD.
12.4 Getting started with DNSLint - /d /s
As with many of Windows 2003's command line utilities there is a whole bank of switches. To get started try: DNSLint /d yourdom.com. However there is a trap with /d if you are NOT connected to the internet: you must add another switch, /s followed by the IP address of a DNS server. Technically /s avoids the timeout when DNSLint tries to contact the InterNIC whois service to find the domain's name servers. Example: go to the command line and type DNSLint /d yourdom.net /s 10.1.0.50. The second and subsequent times you run DNSLint, append the /y switch, meaning overwrite the existing dnslint.htm file. Even better, use /r and specify your own filename, for example /r serverx.htm, or add /t if you also want a text report.
12.5 Troubleshooting Email with DNSLint - /c
Another feature of DNSLint is that it displays MX records, which will assist in tracking down email delivery problems. For further email testing, for example SMTP or POP3, try the /c switch. It tests the default ports only: 25 for SMTP, 110 for POP3 and 143 for IMAP. To be clear, if you just want to test SMTP the command would be: DNSLint /d guybay.com /c smtp
12.6 Checking Active Directory - /ad To tell the truth I was disappointed with this /ad switch. To be fair it is only designed to troubleshoot forest replication. However I was hoping for a list of _gc or _dc records. I even tried the /v (Verbose) mode - but no dice, just the bare bones of the Glue record for Active Directory Forest replication
12.7 DNS Sample report
DNSLint Report

System Date: Wed Jan 26 09:47:25 2005
Command run: dnslint /d computerperformance.co.uk /s 10.1.0.20
Domain name tested: computerperformance.co.uk

The following 4 DNS servers were identified as authoritative for the domain:

DNS server: dns1.cp.computerperformance.co.uk
IP Address: 10.1.0.20
Responding to queries: YES
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: dns.cp.computerperformance.co.uk
Hostmaster: msnhst.computerperformance.co.uk
Zone serial number: 54234
Zone expires in: 83.33 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 7200 seconds

Additional authoritative (NS) records from server:
dns1.cp.computerperformance.co.uk 10.1.0.20
dns1.dc.computerperformance.co.uk 10.68.128.151
dns1.sj.computerperformance.co.uk 10.1.97.11
dns1.uk.computerperformance.co.uk 10.1.232.37

Host (A) records for domain from server:
10.1.197.100
10.1.197.102
10.1.230.218
10.1.230.219
10.1.230.220

Mail Exchange (MX) records from server (preference/name/IP address):
10 maila.computerperformance.co.uk 10.107.3.124
10 mailb.computerperformance.co.uk 10.107.3.122
10 mailc.computerperformance.co.uk 10.107.3.126
----------------------------------------------------------------------
DNS server: dns1.uk.computerperformance.co.uk
IP Address: 10.1.232.37
Responding to queries: YES
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: dns.cp.computerperformance.co.uk
Hostmaster: msnhst.computerperformance.co.uk
Zone serial number: 54234
Zone expires in: 83.33 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 7200 seconds

Additional authoritative (NS) records from server:
dns1.cp.computerperformance.co.uk 10.1.0.20
dns1.dc.computerperformance.co.uk 10.68.128.151
dns1.sj.computerperformance.co.uk 10.1.97.11
dns1.uk.computerperformance.co.uk 10.1.232.37

Host (A) records for domain from server:
10.1.230.219
10.1.230.220
10.1.197.100
10.1.197.102
10.1.230.218

Mail Exchange (MX) records from server (preference/name/IP address):
10 maila.computerperformance.co.uk 10.107.3.124
10 mailb.computerperformance.co.uk 10.107.3.122
10 mailc.computerperformance.co.uk 10.107.3.126
----------------------------------------------------------------------
DNS server: dns1.dc.computerperformance.co.uk
IP Address: 10.68.128.151
Responding to queries: YES
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: dns.cp.computerperformance.co.uk
Hostmaster: msnhst.computerperformance.co.uk
Zone serial number: 54234
Zone expires in: 83.33 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 7200 seconds

Additional authoritative (NS) records from server:
dns1.cp.computerperformance.co.uk 10.1.0.20
dns1.dc.computerperformance.co.uk 10.68.128.151
dns1.sj.computerperformance.co.uk 10.1.97.11
dns1.uk.computerperformance.co.uk 10.1.232.37

Host (A) records for domain from server:
10.1.230.218
10.1.230.219
10.1.230.220
10.1.197.100
10.1.197.102

Mail Exchange (MX) records from server (preference/name/IP address):
10 maila.computerperformance.co.uk 10.107.3.124
10 mailb.computerperformance.co.uk 10.107.3.122
10 mailc.computerperformance.co.uk 10.107.3.126
----------------------------------------------------------------------
DNS server: dns1.sj.computerperformance.co.uk
IP Address: 10.1.97.11
Responding to queries: YES
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: dns.cp.computerperformance.co.uk
Hostmaster: msnhst.computerperformance.co.uk
Zone serial number: 54234
Zone expires in: 83.33 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 7200 seconds

Additional authoritative (NS) records from server:
dns1.cp.computerperformance.co.uk 10.1.0.20
dns1.dc.computerperformance.co.uk 10.68.128.151
dns1.sj.computerperformance.co.uk 10.1.97.11
dns1.uk.computerperformance.co.uk 10.1.232.37

Host (A) records for domain from server:
10.1.197.100
10.1.197.102
10.1.230.218

Mail Exchange (MX) records from server (preference/name/IP address):
10 maila.computerperformance.co.uk 10.107.3.124
10 mailb.computerperformance.co.uk 10.107.3.122
10 mailc.computerperformance.co.uk 10.107.3.126
----------------------------------------------------------------------
Legend: warning, error
12.8 Summary Do you have a problem with DNS? Investigate solutions with DNSLint. Not only will you get a friendly HTML output, but it will display port numbers and Glue records for Active Directory replication.
Chapter 13 Problem Feature in Windows 2000 DNS and Windows Server 2003 DNS

Question: What are the common mistakes that are made when administrators set up DNS on a network that contains a single Windows 2000 or Windows Server 2003 domain controller?
Answer: The most common mistakes are:
• The domain controller is not pointing to itself for DNS resolution on all network interfaces.
• The "." zone exists under forward lookup zones in DNS.
• Other computers on the local area network (LAN) do not point to the Windows 2000 or Windows Server 2003 DNS server for DNS.

Question: Why do I have to point my domain controller to itself for DNS?
Answer: The Netlogon service on the domain controller registers a number of records in DNS that enable other domain controllers and computers to find Active Directory-related information. If the domain controller is pointing to the Internet service provider's (ISP) DNS server, Netlogon does not register the correct records for Active Directory, and errors are generated in Event Viewer. In Windows Server 2003, the recommended DNS configuration is to configure the DNS client settings on all DNS servers to use themselves as their own primary DNS server, and to use a different domain controller in the same domain as their alternative DNS server, preferably another domain controller in the same site. This process also works around the DNS "Island" problem in Windows 2000. You must always configure the DNS client settings on each domain controller's network interface to use the alternative DNS server addresses in addition to the primary DNS server address. For more information about the Windows 2000 DNS "Island" problem, see "Chapter 2 Structural Planning for Branch Office Environments" in the "Planning" section of the Windows 2000 Server Active Directory Branch Office Planning Guide at the following Microsoft Web site:

Question: What does a domain controller register in DNS?
Answer: The Netlogon service registers all the SRV records for that domain controller. These records are displayed as the _msdcs, _sites, _tcp, and _udp folders in the forward lookup zone that matches your domain name. Other computers look for these records to find Active Directory-related information.
Question: Why can't I use WINS for name resolution like it is used in Microsoft Windows NT 4.0?
Answer: A Windows 2000 or Windows Server 2003 domain controller does not register Active Directory-related information with a WINS server; it only registers this information with a DNS server that supports dynamic updates such as a Windows 2000 or Windows Server 2003 DNS server. Other Windows 2000-based and Windows Server 2003-based computers do not query WINS to find Active Directory-related information.

Question: If I remove the ISP's DNS server settings from the domain controller, how does it resolve names such as Microsoft.com on the Internet?
Answer: As long as the "." zone does not exist under forward lookup zones in DNS, the DNS service uses the root hint servers. The root hint servers are well-known servers on the Internet that help all DNS servers resolve name queries.

Question: What is the "." zone in my forward lookup zone?
Answer: This setting designates the Windows 2000 or Windows Server 2003 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 229840 DNS server's root hints and forwarder pages are unavailable

Question: Do I need to configure forwarders in DNS?
Answer: No. By default, Windows 2000 DNS uses the root hint servers on the Internet; however, you can configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. Most of the time, when you configure forwarders, DNS performance and efficiency increases, but this configuration can also introduce a point of failure if the forwarding DNS server is experiencing problems. The root hint servers can provide a level of redundancy in exchange for slightly increased DNS traffic on your Internet connection. Windows Server 2003 DNS will query the root hint servers if it cannot query the forwarders.

Question: Should I point the other Windows 2000-based and Windows Server 2003-based computers on my LAN to my ISP's DNS servers?
Answer: No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the domain controller in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 domain controller running DNS. If you are using DHCP, make sure that you view scope option #15 for the correct DNS server settings for your LAN.

Question: Do I need to point computers that are running Windows NT 4.0 or Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows 98 Second Edition to the Windows 2000 or Windows Server 2003 DNS server?
Answer: Legacy operating systems continue to use NetBIOS for name resolution to find a domain controller; however, it is recommended that you point all computers to the Windows 2000 or Windows Server 2003 DNS server for name resolution.

Question: What if my Windows 2000 or Windows Server 2003 DNS server is behind a proxy server or firewall?
Answer: If you are able to query the ISP's DNS servers from behind the proxy server or firewall, the Windows 2000 or Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP port 53 should be open on the proxy server or firewall.

Question: What should I do if the domain controller points to itself for DNS, but the SRV records still do not appear in the zone?
Answer: Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install Support Tools from the Windows 2000 Server or Windows Server 2003 CD-ROM to run Netdiag.exe. For more information about how to check for a disjointed namespace, click the following article number to view the article in the Microsoft Knowledge Base: 257623 The DNS suffix of the computer name of a new domain controller may not match the name of the domain after you install upgrade a Windows NT 4.0 Primary domain controller to Windows 2000

Question: How do I set up DNS for a child domain?
Answer: To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server.
Chapter 14 Active Directory

14.1 Objects of Active Directory
Active Directory is a directory service used to store information about the network resources across a domain. An Active Directory (AD) structure is a hierarchical framework of objects. The objects fall into three broad categories — resources (e.g. printers), services (e.g. e-mail), and users (accounts, or users and groups). The AD provides information on the objects, organizes the objects, controls access, and sets security.

Each object represents a single entity — whether a user, a computer, a printer, an application, or a shared data source — and its attributes. Objects can also be containers of other objects. An object is uniquely identified by its name and has a set of attributes — the characteristics and information that the object can contain — defined by a schema, which also determines the kind of objects that can be stored in the AD.

Each attribute object can be used in several different schema class objects. These schema objects exist to allow the schema to be extended or modified when necessary. However, because each schema object is integral to the definition of AD objects, deactivating or changing these objects can have serious consequences because it will fundamentally change the structure of AD itself. A schema object, when altered, will automatically propagate through Active Directory, and once it is created it can only be deactivated — not deleted. Changing the schema usually requires a fair amount of planning.
14.2 How do I install Active Directory on my Windows 2003 Server?
First make sure you read and understand Active Directory Installation Requirements. If you don't comply with all the requirements of that article you will not be able to set up your AD (for example: you don't have a NIC or you're using a computer that's not connected to a LAN). Here is a quick list of what you must have:
• An NTFS partition with enough free space
• An Administrator's username and password
• The correct operating system version
• A NIC
• Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
• A network connection (to a hub or to another computer via a crossover cable)
• An operational DNS server (which can be installed on the DC itself)
• A Domain name that you want to use
• The Windows 2000 CD media (or at least the i386 folder)
• Brains (recommended, not required...)
This article assumes that all of the above requirements are fulfilled.
14.3 Step 1: Configure the computer's suffix (Not mandatory, can be done via the Dcpromo process)
1. Right click My Computer and choose Properties.
2. Click the Network Identification tab, then Properties.
Figure 14.1: System Properties
3. Set the computer's NetBIOS name. On a W2K server this cannot be changed after the computer has been promoted to Domain Controller.
4. Click More.
5. In the Primary DNS suffix of this computer box enter the would-be domain name. We will use dpetri.net for this example; you should use your own domain name. Make sure you got it right. No spelling mistakes, no "oh, I thought I did it right..." because on W2K this cannot be changed after the computer has been promoted to Domain Controller, and if you got it wrong the Dcpromo process might fail.
Figure 14.2: DNS Suffix and NetBIOS Computer Name
6. Click Ok.
7. You'll get a warning window.
8. Click Ok.
9. Check your settings. See if they're correct.
10. Click Ok.
11. You'll get a warning window.
12. Click Ok to restart.
14.4 Step 2: Configuring the computer's TCP/IP settings
You must configure the would-be Domain Controller to use its own IP address as the address of the DNS server, so it will point to itself when registering SRV records and when querying the DNS database.
Configure TCP/IP
1. Click Start, point to Settings and then click Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection, and then click Properties.
Figure 14.3: Network and Dial-up Connections
4. Click Internet Protocol (TCP/IP), and then click Properties.
Figure 14.4: Local Area Connection Properties
5. Assign this server a static IP address, subnet mask, and gateway address. Enter the server's IP address in the Preferred DNS server box.
Figure 14.5: Internet Protocol (TCP/IP) Properties
6. Click Advanced.
7. Click the DNS tab.
8. Select "Append primary and connection specific DNS suffixes".
9. Check "Append parent suffixes of the primary DNS suffix".
10. Check "Register this connection's addresses in DNS". If this Windows 2000-based DNS server is on an intranet, it should only point to its own IP address for DNS; do not enter IP addresses for other DNS servers here. If this server needs to resolve names on the Internet, it should have a forwarder configured.
Figure 14.6: Advanced TCP/IP Settings
11. Click OK to close the Advanced TCP/IP Settings properties.
12. Click OK to accept the changes to your TCP/IP configuration.
13. Click OK to close the Local Area Connection properties.
14.5 Step 3: Install and configure the DNS Service
Now you need to install the Microsoft DNS Service:
• Install and Configure Windows 2000 DNS Server
• Install and Configure Windows 2000 DNS Server to Prepare for AD
14.6 Step 4: Running DCPROMO
After completing all the previous steps (remember you didn't have to do them) and after double checking your requirements you should now run Dcpromo.exe from the Run command.
1. Click Start, point to Run and type "dcpromo".
2. The wizard window will appear. Click Next.
Figure 14.7: Active Directory Installation Wizard
3. Choose Domain Controller for a new domain and click Next.
4. Choose Create a new domain tree and click Next.
5. Choose Create a new forest of domain trees and click Next.
6. Enter the full DNS name of the new domain, for example dpetri.net. This must be the same as the DNS zone you've created in step 3, and the same as the computer name suffix you've created in step 1. Click Next.
This step might take some time because the computer is searching for the DNS server and checking to see if any naming conflicts exist.
7. Accept the down-level NetBIOS domain name, in this case DPETRI. Click Next.
8. Accept the Database and Log file location dialog box (unless you want to change them, of course). The location of the files is by default %systemroot%\NTDS, and you should not change it unless you have performance issues in mind. Click Next.
9. Accept the Sysvol folder location dialog box (unless you want to change it, of course). The location of the files is by default %systemroot%\SYSVOL, and you should not change it unless you have performance issues in mind. This folder must be on an NTFS v5.0 partition. This folder will hold all the GPOs and scripts you'll create, and will be replicated to all other Domain Controllers. Click Next.
10. If your DNS server, zone and/or computer name suffix were not configured correctly you will get the following warning:
This means the Dcpromo wizard could not contact the DNS server, or it did contact it but could not find a zone with the name of the future domain. You should check your settings. Go back to steps 1, 2 and 3. Click Ok.
11. You do have an option to let Dcpromo do the configuration for you. If you want, Dcpromo can install the DNS service, create the appropriate zone, configure it to accept dynamic updates, and configure the TCP/IP settings for the DNS server IP address. Click Next.
Accept the default choice or, if you want, quit Dcpromo and check steps 1-3.
12. Accept the Pre-Windows 2000 compatible permissions.
13. Enter the Restore Mode administrator's password. You can leave it blank (in Windows Server 2003 you must enter a password) but whatever you do - remember it! Without it you'll have a hard time restoring the AD if you ever need to do so. Click Next.
14. Review your settings and if you like what you see - Click Next.
15. See the wizard going through the various stages of installing AD. Whatever you do NEVER click Cancel!!! You'll wreck your computer if you do. If you see you made a mistake and want to undo it, you'd better let the wizard finish and then run it again to undo the AD.
16. If all went well you'll see the final confirmation window. Click Finish.
17. You must reboot in order for the AD to function properly. Click Restart now.
14.7 Step 5: Checking the AD installation
You should now check to see if the AD installation went well.
1. First, see that the Administrative Tools folder has all the AD management tools installed.
2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command). See that all OUs and Containers are there.
3. Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name, and that in it your server is listed.
4. Open the DNS console. See that you have a zone with the same name as your AD domain (the one you've just created, remember? Duh...). See that within it you have the 4 SRV record folders. They must exist.
(Screenshot: Good)
If they don't (like in the following screenshot), your AD functions will be broken (a good sign of that is the long time it took you to log on. The "Preparing Network Connections" window will sit on the screen for many moments, and even when you do log on many AD operations will give you errors when trying to perform them).
(Screenshot: Bad)
This might happen if you did not manually configure your DNS server and let the DCPROMO process do it for you.
Another reason for the lack of SRV records (and of all other records for that matter) is the fact that you DID configure the DNS server manually, but you made a mistake, either with the computer suffix name or with the IP address of the DNS server (see steps 1 through 3).
To try and fix the problems, first see if the zone is configured to accept dynamic updates.
1. In DNS Manager, expand the DNS Server object.
2. Expand the Forward Lookup Zones folder.
3. Right-click the zone you created, and then click Properties.
4. On the General tab, click to select the Allow Dynamic Update check box, and then click OK to accept the change.
5. Do the same for the Reverse Lookup Zone.
You should now restart the NETLOGON service to force the SRV registration. From the command prompt type "net stop netlogon", and after it finishes, type "net start netlogon".
Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you'll now see the 4 SRV record folders. If the 4 SRV record folders are still not present, double check the spelling of the zone in the DNS server. It should be exactly the same as the AD Domain name. Also check the computer's suffix (see step 1). You won't be able to change the computer's suffix after the AD is installed, but if you have a spelling mistake you'd be better off removing the AD now, before you have any users, groups and other objects in place, and then, after repairing the mistake, re-running DCPROMO.
5. Check the NTDS folder for the presence of the required files.
6. Check the SYSVOL folder for the presence of the required subfolders.
7. Check to see if you have the SYSVOL and NETLOGON shares, and their location.
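The SRV check above is done in the DNS console; the following is an added example (not from the original text or the article it quotes) that performs the same check from the DNS side with a small wire-format client, and also illustrates the Chapter 13 answer on what Netlogon registers. It assumes the four record names listed, UDP port 53 reachable on the DC (as the text requires), and uses dpetri.net only as the text's sample domain.

```python
import os
import socket
import struct

QTYPE_SRV, QCLASS_IN = 33, 1
# Assumption: the subset of Netlogon's SRV registrations a logon client needs first.
AD_SRV_TEMPLATES = ("_ldap._tcp.dc._msdcs.{d}", "_kerberos._tcp.dc._msdcs.{d}",
                    "_ldap._tcp.{d}", "_kerberos._udp.{d}")

def encode_name(name):
    """Dotted name -> uncompressed DNS label sequence."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_srv_query(name, txid):
    """One SRV/IN question; flags 0x0100 = standard query, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_SRV, QCLASS_IN)

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_srv_answers(msg):
    """Return (rcode, [(priority, weight, port, target)]) from a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return flags & 0x000F, records

def query_srv(name, server, timeout=3.0):
    """Ask `server` on UDP port 53; reject replies whose transaction id differs."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(name, txid), (server, 53))
        reply = sock.recv(4096)
    if reply[:2] != txid.to_bytes(2, "big"):
        raise ValueError("reply transaction id does not match the query")
    return parse_srv_answers(reply)

def check_ad_srv(domain, lookup):
    """lookup(name) -> (rcode, records); returns ({name: [(target, port)]}, missing).

    Usage against the DC itself (placeholder address):
        check_ad_srv("dpetri.net", lambda n: query_srv(n, "192.0.2.10"))
    """
    found, missing = {}, []
    for template in AD_SRV_TEMPLATES:
        name = template.format(d=domain)
        rcode, records = lookup(name)
        if rcode == 0 and records:
            found[name] = [(target, port) for _, _, port, target in records]
        else:
            missing.append(name)
    return found, missing
```

An empty `missing` list corresponds to the four SRV folders being present; any name listed there is one Netlogon has not registered, which is the situation the dynamic-update and "net stop/start netlogon" steps above are meant to fix.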
14.8 Benefits
Improvements in Active Directory deliver key strategic benefits for medium and large enterprises, enabling greater administrator and user productivity. Expanding on the foundation established in Windows 2000, Windows Server 2003 improves the versatility, manageability, and dependability of Active Directory. Organizations can benefit from further reductions in cost while increasing the efficiency with which they share and manage the various elements of the enterprise.

Benefit: Greater Flexibility
Description: Active Directory introduces important new features ensuring that it is one of the most flexible directory structures in the marketplace today. As directory-enabled applications become more prevalent, organizations can utilize the capabilities of Active Directory to manage the most complicated enterprise network environments. Internet data centers, extranet application deployments, large distributed branch office enterprises – the improvements provided by Windows Server 2003 simplify administration and increase performance and efficiency, making it a very versatile solution.

Benefit: Reduced Total Cost of Ownership
Description: Active Directory has been enhanced to reduce total cost of ownership (TCO) and operation within the enterprise. New features and enhancements have been provided at all levels of the product to extend versatility, simplify management, and increase dependability.
14.9 Conclusion
With so many options for tracking events in a Windows environment, it is important to understand what each option provides through the security log of the Event Viewer. It is also important to know and recognize the default settings, which are not always set to properly track events for your important member servers. Finally, you were provided with some best practice recommendations for these settings; you should decide whether your environment should adopt the same settings.
Chapter 15 Conclusion
Internet domain names are truly bizarre. There is nothing especially remarkable about them from a technical perspective, but from a social and political perspective they are all sorts of fun. We can have arguments over control of the DNS root, arguments over whether names are property, arguments over innate rights to specific names, arguments over a registrar's right (or lack thereof) to exploit unregistered names for private gain, and many more arguments besides. In this article, I'd like to explore the argument-space rather than defend any particular position in it. In so doing, I hope to illuminate some novel (or under-emphasized) perspectives on the matter.

The Domain Name System or Domain Name Server (DNS) is a system that stores information associated with domain names in a distributed database on networks, such as the Internet. The domain name system (Domain Name Server) associates many types of information with domain names, but most importantly, it provides the IP address associated with the domain name. It also lists mail exchange servers accepting e-mail for each domain. In providing a worldwide keyword-based redirection service, DNS is an essential component of contemporary Internet use.

DNS is useful for several reasons. Most well known, the DNS makes it possible to attach easy-to-remember domain names (such as "wikipedia.org") to hard-to-remember IP addresses (such as 207.142.131.206). Humans take advantage of this when they recite URLs and e-mail addresses. Less recognized, the domain name system makes it possible for people to assign authoritative names, without needing to communicate with a central registrar each time.