
MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory
Chapter 9: Configuring DNS for Active Directory

Objectives
Describe the structure of Domain Name System
Install and use the DNS Server role in Windows
Server 2008
Configure DNS zones
Configure advanced DNS server settings
Monitor and troubleshoot DNS

MCTS Windows Server 2008 Active Directory

Introduction to Domain Name System


Domain Name System (DNS) is a distributed
hierarchical database composed mainly of
computer name and IP address pairs
In order to resolve a name to an address, a DNS
lookup will often require multiple queries to a
hierarchy of DNS servers


The Structure of DNS


DNS can be described as an inverted tree structure
Entire DNS tree is called the DNS namespace
Each domain has one or more servers that are
authoritative for the domain
Root servers keep a database of addresses of
other DNS servers managing top-level domain
names, called top-level domain (TLD) servers


The Structure of DNS (cont.) [figure not reproduced]

The DNS Database


A zone is a grouping of DNS information that
represents one or more domains and possibly subdomains
Zones contain a variety of record types called
resource records, which contain information about
network resources
DNS records can be added and changed by:
Static updates
Dynamic updates


The DNS Database (cont.)

DNS resource record types [table not reproduced]

The DNS Lookup Process


Two different types of DNS lookup can be
performed:
Iterative query
A DNS server will respond with the best information it has to satisfy
the query, or it may give a referral response

Recursive query
The DNS server processes the query until it responds with an address
that satisfies the query or with an "I don't know" message

A typical DNS lookup made by a DNS client can involve both recursive and iterative queries
DNS clients maintain a hosts file that can contain static DNS entries. Hosts is stored in %systemroot%\System32\drivers\etc
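A toy model of the lookup process described above, added here as an example (not from the textbook): the client checks its hosts file, then sends one recursive query to its DNS server, which walks a small constructed hierarchy with iterative queries that each return an answer, a referral, or the "I don't know" response. The server names, addresses and hosts-file entry are constructed sample data.

```python
# Constructed sample hierarchy (not real servers): each authoritative server holds
# the answers it knows and the child zones it delegates to other servers.
SERVERS = {
    "root-server":    {"answers": {}, "delegations": {"com.": "tld-com-server"}},
    "tld-com-server": {"answers": {}, "delegations": {"example.com.": "ns1-example"}},
    "ns1-example":    {"answers": {"www.example.com.": "192.0.2.10"}, "delegations": {}},
}
# Constructed stand-in for the client's %systemroot%\System32\drivers\etc\hosts file.
HOSTS_FILE = {"intranet.local.": "10.0.0.5"}

def iterative_query(server_id: str, name: str):
    """One iterative query: the server replies with the best data it has, either an
    answer or a referral to a server closer to the name. It never recurses itself."""
    server = SERVERS[server_id]
    if name in server["answers"]:
        return "answer", server["answers"][name]
    # Referral: the delegated zone that is the longest suffix of the queried name.
    best_zone, best_target = None, None
    for zone, target in server["delegations"].items():
        if name == zone or name.endswith("." + zone):
            if best_zone is None or len(zone) > len(best_zone):
                best_zone, best_target = zone, target
    if best_target is not None:
        return "referral", best_target
    return "nxdomain", None          # the "I don't know" response

def recursive_query(name: str, max_hops: int = 8):
    """The DNS server's side of a client's recursive query: it follows referrals,
    starting at a root server, until it has an answer or gives up."""
    server_id, trace = "root-server", []
    for _ in range(max_hops):
        kind, value = iterative_query(server_id, name)
        trace.append((server_id, kind))
        if kind == "answer":
            return value, trace
        if kind != "referral":
            break
        server_id = value
    return None, trace

def client_lookup(name: str):
    """A DNS client resolves a name: static hosts-file entries first, then a single
    recursive query to its configured DNS server. Returns (address, trace)."""
    if not name.endswith("."):
        name += "."
    if name in HOSTS_FILE:
        return HOSTS_FILE[name], [("hosts-file", "answer")]
    return recursive_query(name)
```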

The DNS Lookup Process (cont.) [figure not reproduced]

DNS Server Roles


DNS Servers can perform one or more of the
following roles for a zone:
Authoritative server
Holds a complete copy of a zone's resource records

Forwarder
A DNS server to which other DNS servers send requests they
can't resolve themselves

Conditional forwarder
DNS Server to which other DNS servers send requests targeted
for a specific domain

Caching-only server
Does not have zones. It fields DNS queries, does recursive
lookups to root servers or sends requests to forwarders, then
caches the results

DNS Zones
Three different types of zones:
Primary zone
Contains a read/write master copy of all resource records for the
zone; it is considered authoritative for the zone

Secondary zone
Contains a read-only copy of all resource records for the zone; it is
considered authoritative for the zone

Stub zone
Contains a read-only copy of only the SOA and NS records for a
zone and the necessary A records to resolve NS records; not
authoritative


Installing DNS
DNS installation begins by installing the DNS
Server role in Server Manager
If the DNS server is intended to manage domain
name services for Active Directory, DNS Server
role should be installed on a domain controller
Windows automatically detects whether or not the
server is configured as a domain controller, then
integrates DNS zones with Active Directory


Creating DNS Zones


An Active Directory integrated zone is a primary or
stub zone with the DNS database stored in an
Active Directory partition
Installing DNS on a domain controller that is part of
an existing domain will have zone information
copied to it automatically during AD replication
Some situations may require that a zone be
created manually
Zones that are not Active Directory integrated are
referred to as standard zones

Creating DNS Zones (cont.) [figure not reproduced]

Active Directory-Integrated Zones


Store the zone in Active Directory check box
means you want the zone stored in an Active
Directory partition
Standard zones are stored in a text file called zonename.dns, which is located in the %systemroot%\system32\dns folder
Active Directory-integrated zones have the
following advantages over a standard zone:
Automatic zone replication
Multimaster replication and update
Secure updates
Efficient replication


Zone Replication Scope


After selecting the zone type and specifying the
zone is to be stored in Active directory, you are
asked to select the zone replication scope with one
of these options:
To all DNS servers in this forest
To all DNS servers in this domain
To all domain controllers in this domain (for Windows 2000
compatibility)
To all domain controllers specified in the scope of this directory
partition


Forward and Reverse Lookup Zones


Next, you are asked whether a zone should be a
forward lookup zone or a reverse lookup zone:
FLZ: a forward lookup zone contains records that translate
names to IP addresses, such as A, AAAA, and MX records
RLZ: reverse lookup zones contain PTR records that map IP
addresses to names and are named after the IP network address
(IPv4 or IPv6) of the computers whose records they contain


Dynamic Updates
Final step allows you to choose whether and how
to use dynamic updates, which can be configured
in one of three ways:
Allow only secure dynamic updates
Allow both nonsecure and secure dynamic updates
Do not allow dynamic updates

Dynamic updates enable DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur

Creating Zones from the Command Line


Dnscmd.exe can create and configure various DNS
settings
Basic syntax: dnscmd server /command
Examples:
Create a new primary Active Directory-integrated zone named
zone1 that allows only secure dynamic updates:
dnscmd server99 /ZoneAdd zone1 /DsPrimary
Add an A record for the host named host1 in zone1 with the IP
address 192.168.200.99:
dnscmd server99 /RecordAdd zone1 host1 A 192.168.200.99


Configuring DNS Zones


Zones can be viewed and changed in DNS
Manager
DNS Manager provides the following options:

Status
Type
Replication
Dynamic updates
Aging


Configuring DNS Zones (cont.) [figure not reproduced]

Aging and Scavenging Resource Records


Stale resource records can degrade server
performance, provide incorrect information, and
generally make DNS less reliable and efficient
Enabling scavenging causes the server to check
for stale records periodically and deletes those
meeting the criteria for a stale record
Options in the Zone Aging/Scavenging Properties
dialog box:
Scavenge stale resource records
No-refresh interval
Refresh interval
The zone can be scavenged after
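An added example (not from the textbook) that models how these settings interact for one dynamically registered record: refreshes inside the no-refresh interval are suppressed, a record becomes stale once both intervals have elapsed since its timestamp, and nothing is scavenged before the zone's "can be scavenged after" time. The 7-day intervals, record names and addresses are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ResourceRecord:
    name: str
    rdata: str
    timestamp: "datetime | None"   # None marks a static record, which is never scavenged

class Zone:
    """Aging settings from the Zone Aging/Scavenging Properties dialog (sample values)."""
    def __init__(self, no_refresh: timedelta, refresh: timedelta, scavenge_after: datetime):
        self.no_refresh, self.refresh, self.scavenge_after = no_refresh, refresh, scavenge_after
        self.records = []

    def dynamic_update(self, rec: ResourceRecord, now: datetime) -> bool:
        """A client re-registering an unchanged record: inside the no-refresh interval the
        timestamp is left alone (no needless replication); after it, the refresh is accepted."""
        if rec.timestamp is not None and now < rec.timestamp + self.no_refresh:
            return False
        rec.timestamp = now
        return True

    def is_stale(self, rec: ResourceRecord, now: datetime) -> bool:
        """Stale = unrefreshed through both the no-refresh and refresh intervals."""
        if rec.timestamp is None:
            return False
        return now >= rec.timestamp + self.no_refresh + self.refresh

    def scavenge(self, now: datetime) -> list:
        """Delete stale records and report their names; nothing happens before scavenge_after."""
        if now < self.scavenge_after:
            return []
        stale = [r for r in self.records if self.is_stale(r, now)]
        self.records = [r for r in self.records if not self.is_stale(r, now)]
        return [r.name for r in stale]

def run_scenario() -> dict:
    """Constructed walk-through with 7-day no-refresh and refresh intervals."""
    t0 = datetime(2024, 1, 1)
    zone = Zone(timedelta(days=7), timedelta(days=7), scavenge_after=t0 + timedelta(days=14))
    host1 = ResourceRecord("host1", "192.168.200.99", timestamp=t0)     # dynamically registered
    host2 = ResourceRecord("host2", "192.168.200.100", timestamp=None)  # static entry
    zone.records = [host1, host2]
    return {
        "refresh_day3": zone.dynamic_update(host1, t0 + timedelta(days=3)),   # suppressed
        "refresh_day8": zone.dynamic_update(host1, t0 + timedelta(days=8)),   # accepted
        "scavenged_day15": zone.scavenge(t0 + timedelta(days=15)),           # host1 fresh until day 22
        "scavenged_day22": zone.scavenge(t0 + timedelta(days=22)),           # host1 removed, host2 kept
        "remaining": [r.name for r in zone.records],
    }
```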


Start of Authority Records


SOA records are found in every zone and contain
information that identifies the server primarily
responsible for the zone as well as some operational
properties of the zone
The SOA record contains the following information:

Serial number
Primary server
Responsible person
Refresh interval
Retry interval
Expires after
Minimum (default) TTL


Name Server Records


NS records specify FQDNs and IP addresses of
authoritative servers for a zone
NS records are also used to refer DNS queries to a
name server that has been delegated authority for
a subdomain
Glue A records are A records containing a name
server's IP address, and are used to resolve NS
record information


Zone Delegation
Zone delegation is transferring authority for a
subdomain to a new zone, which can be on the
same server or another server
The server hosting the parent zone maintains only
an NS record pointing to the DNS server hosting
the delegated zone
The _msdcs subdomain exists inside every Windows
domain zone, and holds SRV records for Microsoft
hosted services, such as global catalog, LDAP, and
Kerberos

Zone Delegation (cont.) [figure not reproduced]

Using Stub Zones


Stub zones are a special type of zone that contain
only an SOA record, one or more NS records, and
the necessary glue A records to resolve NS records
Reasons for using stub zones:
Maintenance of zone delegation information
In lieu of conditional forwarders
Faster recursive queries
Distribution of zone information


Zone Transfers
A zone transfer copies all or part of a zone from one DNS
server to another and occurs as a result of a second server
requesting the transfer from another server
Zone transfers can be initiated in two ways:
Refresh interval
DNS notify

Zone transfers are configured in the Zone Transfers tab of a zone's Properties dialog box, which has the following options:
Allow zone transfers
To any server
Only to servers listed on the Name Servers tab
Only to the following servers

Notify

Incremental Zone Transfers


Two types of zone transfer:
Full zone transfers
Incremental zone transfers

Both master and slave DNS servers must support incremental zone transfers to use them
When an incremental zone transfer is initiated, the serial number is used to determine the differences between the slave's current zone data and the zone data on the master
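An added example (not from the textbook) covering both the SOA serial number and the incremental transfer described above: the secondary compares serials with RFC 1982 wrap-around arithmetic before transferring anything, the master sends only the differences when its change history still reaches the secondary's serial, and otherwise falls back to a full zone transfer. The serial values and records are constructed sample data.

```python
SERIAL_MODULUS = 2 ** 32

def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is SOA serial a newer than b, allowing the
    32-bit counter to wrap around?"""
    if a == b:
        return False
    half = SERIAL_MODULUS // 2
    return (a < b and b - a > half) or (a > b and a - b < half)

class MasterZone:
    """Primary (master) copy of a zone that keeps a change history per serial."""
    def __init__(self, serial: int, records):
        self.serial, self.records, self.history = serial, set(records), {}

    def update(self, new_serial: int, deleted=(), added=()):
        # Each change is logged as (next serial, deleted records, added records).
        self.history[self.serial] = (new_serial, frozenset(deleted), frozenset(added))
        self.records = (self.records - set(deleted)) | set(added)
        self.serial = new_serial

    def transfer(self, client_serial: int):
        """Answer a secondary's IXFR request: send only the differences if the history
        still reaches the client's serial, otherwise fall back to a full transfer (AXFR)."""
        if client_serial == self.serial:
            return "current", self.serial, []
        deltas, s = [], client_serial
        while s in self.history:
            s, deleted, added = self.history[s]
            deltas.append((deleted, added))
        if s != self.serial:
            return "axfr", self.serial, set(self.records)
        return "ixfr", self.serial, deltas

class SecondaryZone:
    """Secondary (slave) copy; refresh() runs at the refresh interval or on DNS NOTIFY."""
    def __init__(self):
        self.serial, self.records = None, set()

    def refresh(self, master: MasterZone) -> str:
        if self.serial is None:                       # first load is always a full copy
            kind, serial, payload = "axfr", master.serial, set(master.records)
        elif not serial_newer(master.serial, self.serial):
            return "no transfer"                      # SOA serial check: nothing changed
        else:
            kind, serial, payload = master.transfer(self.serial)
        if kind == "axfr":
            self.records = set(payload)
        elif kind == "ixfr":
            for deleted, added in payload:
                self.records = (self.records - deleted) | added
        self.serial = serial
        return kind
```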

Using WINS with DNS


Windows Internet Name Service (WINS) is a legacy name
service used to resolve NetBIOS names, sometimes referred
to as single-label names
Similar to DNS in that it keeps a database of name-to-address mappings
Generally used in environments that require NetBIOS
resolution, or where applications depend on it
The WINS tab has the following options:
Use WINS forward lookup
Do not replicate this record
IP address
Time to live (TTL)


Using the GlobalNames Zone


GlobalNames zone (GNZ) allows administrators to
add single-label names to DNS, giving client
computers the ability to resolve these names
without including a DNS suffix in the query
Entries must be made manually
Can assist mobile users by dropping the need for
remembering a resource's FQDN
Enabled via dnscmd.exe:
Dnscmd server /config /EnableGlobalNamesSupport 1


DNS Forwarders
Referring a DNS query to a forwarder can be more
efficient under some situations:
When the DNS server address for the target domain is known
When only one DNS server in a network should make external
queries
When a forest trust is created
When the target domain is external to the network and an
external DNS server's address is known

Conditional forwarding allows queries for particular domains to be sent to particular name servers, and all other unresolved queries to a different server

Configuring Traditional Forwarders


To configure a traditional forwarder, right click the
server node in DNS Manager, click Properties, and
click the Forwarders tab
If more than one server is specified, they are
queried in the order in which they're listed
Additional servers are only queried if the first server
provides no response
No response from any forwarders triggers a normal
recursive lookup process, starting with a root
server

Configuring Conditional Forwarders


Previously, traditional and conditional forwarders
were configured under the Forwarders tab, but
Server 2008 has conditional forwarders as a node
in DNS Manager
With forwarders and/or conditional forwarders
configured, the DNS server attempts to resolve
DNS queries in this order:
1. From locally stored zone resource records
2. From the DNS cache
3. From conditional forwarders
4. From traditional forwarders
5. Recursively by using root hints
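An added example (not from the textbook) that walks a query through the five steps above, including the detail that an authoritative local zone answers a missing name with NXDOMAIN itself and that the most specific conditional-forwarder domain wins. The zones, cache entries, forwarder and root-hint addresses are constructed sample values.

```python
# Constructed sample configuration for one Windows DNS server (not real hosts).
LOCAL_ZONES = {"corp.example.": {"dc1.corp.example.": "10.0.0.10"}}
CACHE = {"www.example.net.": "203.0.113.5"}
CONDITIONAL_FORWARDERS = {            # domain -> forwarder IPs used for that domain's names
    "partner.example.": ["192.0.2.53"],
    "lab.partner.example.": ["192.0.2.54"],
}
FORWARDERS = ["198.51.100.1", "198.51.100.2"]   # traditional forwarders, in listed order
ROOT_HINTS = ["a.root-servers.net."]

def in_domain(name: str, domain: str) -> bool:
    return name == domain or name.endswith("." + domain)

def resolve(name: str, reachable_forwarders=None):
    """Return (source, detail) for the step that answers the query, in the order on
    this slide. reachable_forwarders (constructed) models which traditional forwarders
    respond at all; None means all of them do."""
    if not name.endswith("."):
        name += "."
    # 1. Locally stored zone data. An authoritative zone answers a missing name with
    #    NXDOMAIN itself; the query is not passed on.
    for zone, records in LOCAL_ZONES.items():
        if in_domain(name, zone):
            return "local-zone", records.get(name, "NXDOMAIN")
    # 2. The server's cache.
    if name in CACHE:
        return "cache", CACHE[name]
    # 3. Conditional forwarders: the most specific configured domain wins.
    matches = [d for d in CONDITIONAL_FORWARDERS if in_domain(name, d)]
    if matches:
        return "conditional-forwarder", CONDITIONAL_FORWARDERS[max(matches, key=len)][0]
    # 4. Traditional forwarders in order; the next is tried only if one gives no response.
    for fwd in FORWARDERS:
        if reachable_forwarders is None or fwd in reachable_forwarders:
            return "forwarder", fwd
    # 5. No forwarder answered: normal recursion starting from the root hints.
    return "root-hints", ROOT_HINTS[0]
```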


Root Hints
Root hints consist of a list of name servers
preconfigured on Windows DNS servers that point
to Internet root servers
These servers contain lists of name servers that
are responsible for top-level domains
Root hints data comes from the Cache.dns file
located in the %SystemRoot%\System32\DNS
folder
Internal DNS servers can be configured as root
servers if the network is isolated from the public
Internet

Round Robin
Load sharing can be configured among servers
running mirrored services
Accomplished by creating multiple A records with
the server's name in each record, but with each
entry configured with a different IP address
DNS will then respond to queries by sending all
addresses associated with the server's name, but
will also vary their order
This process is called round robin because each IP
address is placed first in the list an equal number of
times

Recursive Queries
Recursion is enabled on Windows DNS servers by default,
but there are two ways to change this setting
First involves configuring forwarders
Second is the Disable recursion (also disables forwarders)
option in the Advanced tab of the DNS server's Properties
dialog box
Recursion might be disabled when you have a public DNS
server containing resource records for your publicly available
servers, but you don't want unauthorized users using your
DNS server for recursive client requests


Event and Debug Logging


When DNS is installed, a new event log is created
to record informational, error, and warning events
generated by the DNS server
Common events include zone serial number
changes, zone transfer requests, and DNS server
startup and shutdown events
Debug logging can be enabled in the server's
Properties dialog box
Debug logging records selected packets coming
from and going to the DNS server in a text file

Event and Debug Logging (cont.) [figure not reproduced]

DNS Troubleshooting
Windows has several tools to administer, monitor,
and troubleshoot DNS server operation, including
the following tools:

DNS Manager
Dnscmd.exe
Event Viewer
Dnslint
Nslookup
Ipconfig
Performance Monitor
Protocol analyzer


Monitoring DNS Performance


DNS Performance can degrade over time because
of increased database size and increased client
activity
Dnscmd.exe can display a snapshot of server
statistics with the dnscmd.exe /statistics command
Performance monitor can continuously monitor and
gather statistics
Creating a performance baseline is good practice
for troubleshooting issues that may arise later on


Monitoring DNS Performance (cont.) [figure not reproduced]

Chapter Summary
DNS is based on a hierarchical naming structure
and a distributed database
DNS can be described as an inverted tree with the
root domain at the top, TLDs branching off the
root, and domains and subdomains branching off
TLDs
The DNS database is composed of zones
containing resource records, such as Start of
Authority (SOA), Host (A), and Service (SRV)
records

Chapter Summary (cont.)


DNS lookups involve iterative and recursive
queries. Most lookups start from the DNS resolver
with a recursive query to a DNS server. The DNS
server satisfies the query or performs a series of
iterative queries, starting with a root server
DNS servers can perform one or more of the
following roles: authoritative server, forwarder,
conditional forwarder, and caching-only server
Active Directory-integrated zones have the
advantages of automatic replication, multimaster
replication and update, secure updates, and
efficient replication

Chapter Summary (cont.)


A zone can be a forward lookup zone or a reverse
lookup zone.
SOA records contain information about a zone,
including its serial number and a number of timers
used for zone transfers
Subdomains can be delegated to a zone on
another server to improve performance and control
replication scope
Advanced DNS settings include configuring
forwarders, root hints, round robin, recursive
queries, and logging

Chapter Summary (cont.)


Tools for monitoring and troubleshooting DNS
include Dnscmd, Dnslint, Nslookup, Ipconfig, and
Performance Monitor. You need to understand the
DNS query process to troubleshoot DNS problems
efficiently

