Install and Configure Windows 2003 DNS
Domain Name System (DNS) is one of the most important technologies that a Windows domain network is built on. A properly configured DNS infrastructure allows users to perform all their daily tasks regardless of the size and nature of the network, and allows an admin to concentrate on more important matters than the numerous help desk calls that appear as soon as www.hotmail.com becomes an unknown host.

The subject of DNS is vast; there are so many different configurations, techniques and possible domain structures that no one definitive method fits all. In my opinion, the two things to remember when configuring DNS are redundancy and hierarchy. It is a good idea to draw your network and plan for where there will be heavy network use, especially if you have many remote sites. A separate DNS server at each site is preferable but not always cost efficient; to keep things simple, an "Active Directory Integrated" DNS zone on every Domain Controller is the easiest way to implement DNS.

This article covers three DNS infrastructures:
1 - The efficient and secure "Active Directory Integrated" DNS
2 - The standalone Primary DNS Infrastructure and
3 - The network efficient Caching-Only DNS Infrastructure
I will also give an explanation of other useful DNS information.
The Active Directory Integrated Zone
Open the Windows Components part of Add/Remove Programs
Press Details
Press OK
Right-click "Forward Lookup Zones" and select New Zone
Press Next
For a new zone, the first zone must be a Primary zone; in this case it will be Active Directory Integrated.
Here you decide how far this zone will replicate; if in doubt, select the above option.
Here you decide the namespace that the server will control.
A secure update comes from a computer that has an account in Active Directory. This is the default setting and the one that should be chosen.
All done, press Finish.
The zone is now ready to use.
The Standalone DNS Infrastructure
The standalone Primary zone is created exactly as above, except that when selecting the zone type you uncheck the box called "Store the zone in Active Directory". You will also be asked whether you want to create a new DNS cache file; you should. Once the zone is created, right-click on it and select Properties:
For a standalone Primary zone the secure-only update option is not available; in this case select "Nonsecure and secure", because not allowing PCs to update their own DNS entries creates an administrative overhead. Replication is also not available for a standalone zone. Press Aging:
Aging is not enabled by default. It is a good idea to enable it, but increase both the no-refresh and refresh intervals to 28 days. Press OK.
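To make the effect of the two intervals on the Aging dialog concrete, here is a small Python model of Windows DNS aging and scavenging. It is an added example, not code from the original article or from Windows itself. It encodes the documented semantics (a refresh arriving inside the no-refresh interval is ignored, one arriving in the following refresh interval moves the record's timestamp, and a record whose timestamp is older than both intervals combined is eligible for scavenging) and uses the article's 28-day values; the host names, addresses and dates are constructed.

```python
"""Model of Windows DNS aging and scavenging for dynamically registered
records. Added example, not code from the original article or from Windows.
It encodes the documented semantics: a refresh that arrives inside the
no-refresh interval is ignored, one that arrives in the following refresh
interval updates the record's timestamp, and a record whose timestamp is
older than both intervals combined is eligible for scavenging. The 28-day
intervals are the article's recommendation; hosts and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

NO_REFRESH_INTERVAL = timedelta(days=28)   # article recommends 28 days
REFRESH_INTERVAL = timedelta(days=28)      # article recommends 28 days


@dataclass
class DynamicRecord:
    name: str
    rdata: str
    timestamp: datetime   # last accepted registration or refresh


def refresh(record, now, rdata=None):
    """Apply a dynamic update from the client. Returns True when the
    timestamp was updated, False when the refresh was suppressed."""
    if rdata is not None and rdata != record.rdata:
        # Changed data is an update, not a refresh: always accepted.
        record.rdata, record.timestamp = rdata, now
        return True
    if now < record.timestamp + NO_REFRESH_INTERVAL:
        return False          # inside the no-refresh window: ignored
    record.timestamp = now
    return True


def is_scavengeable(record, now):
    """Eligible once no-refresh + refresh have elapsed since the timestamp."""
    return now >= record.timestamp + NO_REFRESH_INTERVAL + REFRESH_INTERVAL


def scavenge(zone, now):
    """One scavenging pass over the zone: returns (kept, removed)."""
    removed = [r for r in zone if is_scavengeable(r, now)]
    kept = [r for r in zone if not is_scavengeable(r, now)]
    return kept, removed


def simulate():
    """Walk two constructed hosts through a few months and report what a
    scavenging pass would do at each point."""
    t0 = datetime(2005, 1, 1)
    ws1 = DynamicRecord("ws1", "192.168.0.10", t0)   # keeps re-registering
    ws2 = DynamicRecord("ws2", "192.168.0.11", t0)   # decommissioned after t0
    zone, events = [ws1, ws2], {}
    # Day 10: ws1 re-registers inside the no-refresh window -> suppressed.
    events["refresh_day10"] = refresh(ws1, t0 + timedelta(days=10))
    # Day 30: past the no-refresh window -> timestamp moves to day 30.
    events["refresh_day30"] = refresh(ws1, t0 + timedelta(days=30))
    # Day 50: ws2 is stale but only becomes eligible at day 56.
    zone, removed = scavenge(zone, t0 + timedelta(days=50))
    events["removed_day50"] = [r.name for r in removed]
    # Day 60: ws2 goes; ws1 (refreshed day 30) is safe until day 86.
    zone, removed = scavenge(zone, t0 + timedelta(days=60))
    events["removed_day60"] = [r.name for r in removed]
    events["kept_day60"] = [r.name for r in zone]
    return events


if __name__ == "__main__":
    for step, result in simulate().items():
        print(step, result)
```

The simulation shows the trade-off behind the longer intervals: the no-refresh window suppresses timestamp-only churn from clients that re-register daily, but with both intervals at 28 days a decommissioned host's record stays in the zone for at least 56 days before a scavenging pass can remove it (and on a real server only once scavenging is also enabled on the server and its scavenging period has come round).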
The serial number increments every time a change is made to the zone, including when an entry is added or removed. The rest of the entries can be left as they are.
Here is a list of DNS servers that operate for the namespace. As other DNS servers are added their names will be added to this list.
Disabled by default; only use it if you have pre-Windows 2000 computers and WINS servers.
Zone transfers are enabled by default for a primary standalone zone; select "Only to servers listed on the Name Servers tab". This ensures that no rogue DNS servers can be sent zone transfers.
Here you can decide who can administer DNS and who can use it.
Congratulations, your first Primary zone has been configured. Now you need redundancy:
In a standalone DNS infrastructure only one primary DNS zone is allowed; all other zones must be secondary, so if the primary zone fails no additions can be made to the DNS database. Create a secondary DNS zone at locations where there are a lot of clients. The DNS database is located in C:\Windows\System32\DNS and is named after the DNS namespace, for example dnsdomain.net.dns.
A standalone DNS infrastructure is not as secure as an Active Directory Integrated DNS infrastructure and, to be honest, I would use it.
Caching-Only DNS Infrastructure
A caching-only DNS server does not hold a copy of the DNS database; it simply answers queries and then holds each answer for future queries. If a caching-only DNS server is restarted or the DNS service itself is stopped, the cache of answered queries is lost. However, a caching-only DNS server performs no zone transfers and hence saves network bandwidth, which can be useful if a remote site is connected by a slow link. A caching-only server cannot be used to create or modify DNS entries.
By creating an Active Directory Integrated zone on two or more Domain Controllers and then having caching-only servers at all other locations you can minimize network traffic. However, be sure to point clients at the local caching-only DNS server first by configuring the appropriate DNS server options in the DHCP scope, and add the main DNS server as a second DNS server in case there is a fault with the first one.
A caching-only DNS server is created by installing the DNS service and then making no further changes. Be sure to add the main DNS server in the Network Connection TCP/IP options if the server does not use DHCP, or change the root hints file, C:\Windows\System32\DNS\cache.dns, to include only the main DNS server; no other entries should be added to the root hints file. In other words, the caching-only server should only forward a query to the main DNS server if it can't answer the query itself.
Other Useful DNS Information
DNS Recursion
Recursion refers to the process of a DNS server querying other DNS servers on behalf of the original querying client. This process in effect turns the DNS server into a DNS client. If recursion is disabled on the DNS server, the client uses iteration to resolve the query. Iteration refers to the process of a DNS client making repeated queries to different DNS servers.
Stub Servers
A Stub Server is a DNS server that holds a stub zone. A stub zone is a copy of the primary zone that contains Start Of Authority (SOA) and Name Server (NS) resource records, plus the Host (A) resource records that identify the authoritative servers for the zone. A stub zone is most commonly used to let a DNS server in one domain know which DNS servers control the DNS zone in another neighbouring domain.
Host (A) Resource Records
A host (A) record associates a DNS name with an IP address. Computers running Windows 2000, Windows XP or Windows 2003 use the DHCP Client service to dynamically register and update their own resource records. DHCP clients can also have their resource records updated by the DHCP server (only the DHCP service on Windows 2003 supports this feature).
The resource record is stored in the zone file using the following text:
server1 A 192.168.0.4
Alias (CNAME) Resource Records
Alias (CNAME) resource records are also sometimes called canonical names. CNAMEs are used when a number of DNS names point to the same IP Address.
A CNAME entry has the following syntax:
ftp CNAME ftp1.microsoft.com
MX Resource Records
The mail exchanger (MX) resource record is used by email applications to locate a mail server within a zone. It allows a domain name such as microsoft.com, specified in an email address such as alan@microsoft.com, to be mapped to the A resource record of a computer hosting the mail server for the domain. This type of record allows a DNS server to handle email addresses in which no particular mail server is specified.
Often multiple MX records are created to provide fault tolerance and failover to another mail server when the preferred listed server is not available. Multiple servers are given a server preference value, with the lower values representing higher preference. The MX record is shown below:
@ MX 1 mailserver1.hirogen.net
@ MX 10 mailserver2.hirogen.net
@ MX 20 mailserver3.hirogen.net
The @ symbol represents the local domain name contained in the email address.
PTR Resource Records
The Pointer Resource Record is used only in reverse lookup zones. Reverse lookups are performed in zones rooted in the in-addr.arpa domain. PTR records are added to zones by the same methods with which A records are created.
1 PTR server1.microsoft.com
The 1 represents the name assigned to the host within the 48.16.172.in-addr.arpa domain (the octets of the subnet are written in reverse order). This domain, which is also the name of the hosting zone, corresponds to the 172.16.48.0 subnet.
SRV Resource Records
Service Location (SRV) resource records are used to specify the location of specific services in a domain. Client applications that are SRV-aware can use DNS to retrieve the SRV resource records for a given application server. Windows 2003 Active Directory is an example of an SRV-aware application: the Netlogon service uses SRV records to locate domain controllers in a domain by searching the domain for the Lightweight Directory Access Protocol (LDAP) service. All of the SRV records for an AD DC can be found in a file named Netlogon.dns, located in the Windows\System32\Config folder. If SRV records are missing from your DNS zone, you can reload them automatically by running the Netdiag /fix command.
If a computer needs to locate a domain controller in the microsoft.com domain, the DNS client can send an SRV query for the name:
_ldap._tcp.microsoft.com.
The DNS server responds to the client with all records matching the query.
The SRV record has the following syntax:
_ldap._tcp SRV 0 0 389 dc1.hirogen.net
SRV 10 0 389 dc2.hirogen.net
In this example, an LDAP server (domain controller) with a priority of 0 (highest) is mapped to the port 389 at the host dc1.hirogen.net. A second domain controller with a lower priority of 10 is mapped to port 389 at the host dc2.hirogen.net. Both entries have a value of 0 in the weight field, which means no load balancing has been configured among the servers.
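The following Python example pulls together the record types quoted in the sections above. It is added here and is not part of the original article. It parses zone-file lines in the format shown (A, CNAME, MX, PTR and SRV, with a blank owner field repeating the previous owner as in the two-line SRV example), orders MX hosts by preference, picks an SRV target by priority and weight, and builds the in-addr.arpa zone and owner name a PTR record lives under. The zone text is constructed from the article's own sample records (hirogen.net is the article's example domain); the function names are this example's own, and the SRV selection follows RFC 2782 except that it simplifies weight 0 to "pick uniformly at random when every candidate has weight 0".

```python
"""Parser and client-side selection logic for the record types the article
quotes (A, CNAME, MX, PTR, SRV). Added example; not from the original page.
The zone text below is constructed from the article's sample records and
the function names are this example's own."""
import random

# Constructed forward-zone text in the article's format. A line whose owner
# field is blank (leading whitespace) repeats the previous owner, exactly as
# the article's two-line SRV example does.
ZONE_TEXT = """\
server1 A 192.168.0.4
ftp CNAME ftp1.microsoft.com
@ MX 1 mailserver1.hirogen.net
@ MX 10 mailserver2.hirogen.net
@ MX 20 mailserver3.hirogen.net
_ldap._tcp SRV 0 0 389 dc1.hirogen.net
           SRV 10 0 389 dc2.hirogen.net
           SRV 10 0 389 dc3.hirogen.net
"""
# Constructed reverse-zone text; its origin is 48.16.172.in-addr.arpa.
REVERSE_TEXT = "1 PTR server1.microsoft.com\n"


def parse_zone(text, origin="hirogen.net"):
    """Return one dict per record: owner, type and type-specific fields."""
    records, prev_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if not raw[0].isspace():                    # owner field present
            prev_owner = fields.pop(0)
        if prev_owner is None:
            raise ValueError("record without owner: %r" % raw)
        owner = origin if prev_owner == "@" else prev_owner   # @ = zone origin
        rtype, rdata = fields[0].upper(), fields[1:]
        rec = {"owner": owner, "type": rtype}
        if rtype in ("A", "CNAME", "PTR"):
            (rec["target"],) = rdata
        elif rtype == "MX":
            rec["preference"], rec["target"] = int(rdata[0]), rdata[1]
        elif rtype == "SRV":
            rec["priority"], rec["weight"], rec["port"] = map(int, rdata[:3])
            rec["target"] = rdata[3]
        else:
            raise ValueError("unsupported record type %s" % rtype)
        records.append(rec)
    return records


def mail_servers_in_order(records, domain):
    """MX delivery order: the lowest preference value is tried first."""
    mx = [r for r in records if r["type"] == "MX" and r["owner"] == domain]
    return [r["target"] for r in sorted(mx, key=lambda r: r["preference"])]


def select_srv(records, name, rng=None):
    """Pick one (target, port) for an SRV name, RFC 2782 style: only the
    lowest-priority group is considered; inside it the choice is random in
    proportion to weight. Simplification: when every weight is 0 (the
    article's 'no load balancing' case) the pick is uniform."""
    rng = rng or random
    group = [r for r in records if r["type"] == "SRV" and r["owner"] == name]
    if not group:
        return None
    best = min(r["priority"] for r in group)
    candidates = [r for r in group if r["priority"] == best]
    total = sum(r["weight"] for r in candidates)
    if total == 0:
        chosen = rng.choice(candidates)
    else:
        pick, running = rng.randint(1, total), 0
        for chosen in candidates:
            running += chosen["weight"]
            if running >= pick:
                break
    return chosen["target"], chosen["port"]


def reverse_zone_and_owner(ip):
    """Split an IPv4 address into the /24 in-addr.arpa zone that holds its
    PTR record and the owner name inside that zone: 172.16.48.1 lives in
    48.16.172.in-addr.arpa as owner '1' (the octets are reversed)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    zone = ".".join(reversed(octets[:3])) + ".in-addr.arpa"
    return zone, octets[3]


def reverse_name(ip):
    """Full PTR owner name, e.g. 1.48.16.172.in-addr.arpa."""
    zone, owner = reverse_zone_and_owner(ip)
    return owner + "." + zone
```

With the sample zone, the SRV lookup always returns dc1 because it alone sits in the priority-0 group; only when dc1's record is absent does the client fall through to the priority-10 group, where the zero weights give dc2 and dc3 an equal chance. That matches the article's reading of the weight field: a weight of 0 on every record means no load balancing has been configured.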
DNS Forwarders
If your network is connected to the internet over a slow WAN link, it is a good idea to have only one DNS forwarder that forwards queries out to the internet. Iteration is not usually allowed through firewalls, as that would mean leaving ports open.