Network Services: Managing Name Resolution
Contents
Moving from Workgroups to Domain Environments
TCP/IP for AD Transport, Access, and Support
Using Group Policy to Manage Network Protocols
Introduction to NetBIOS Name Resolution
A NetBIOS name is 16 characters long: the first 15 characters identify a unique host, and the 16th character identifies a service or application running on that host, such as the Workstation or Server service.
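To make the 15+1 layout concrete, here is an added example (not from the slides) that builds the 16-byte name a WINS client registers, splits it back into host and service suffix, and goes one step beyond the slide by applying the RFC 1001 first-level encoding that the name carries on the wire. The suffix constants are the well-known Microsoft service suffixes; the host names are made up.

```python
# Added example (not from the slides): build the 16-byte NetBIOS name that a
# WINS client registers and encode/decode it with RFC 1001 first-level encoding.
WORKSTATION = 0x00          # Workstation service (unique name)
SERVER = 0x20               # Server service (unique name)
DOMAIN_CONTROLLERS = 0x1C   # group name listing the domain controllers

SUFFIX_NAMES = {WORKSTATION: "Workstation", SERVER: "Server",
                DOMAIN_CONTROLLERS: "Domain Controllers"}


def netbios_name(host: str, suffix: int) -> bytes:
    """Pad the host name to 15 characters and append the 16th (service) byte."""
    host = host.upper()
    if not 1 <= len(host) <= 15:
        raise ValueError("NetBIOS host names are 1 to 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return host.encode("ascii").ljust(15, b" ") + bytes([suffix])


def split_name(name: bytes):
    """Return (host, suffix) from a 16-byte name, the way a WINS server reads it."""
    if len(name) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    return name[:15].rstrip(b" ").decode("ascii"), name[15]


def first_level_encode(name: bytes) -> str:
    """RFC 1001 section 14.1: each half-byte becomes one letter in 'A'..'P'."""
    out = []
    for b in name:
        out.append(chr(ord("A") + (b >> 4)))
        out.append(chr(ord("A") + (b & 0x0F)))
    return "".join(out)


def first_level_decode(encoded: str) -> bytes:
    """Reverse of first_level_encode; a 16-byte name is always 32 letters."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = ord(encoded[i]) - ord("A"), ord(encoded[i + 1]) - ord("A")
        if not (0 <= hi < 16 and 0 <= lo < 16):
            raise ValueError("invalid first-level encoding")
        raw.append((hi << 4) | lo)
    return bytes(raw)
```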
Introduction to WINS
Installing WINS
Configuring a WINS Server
WINS Replication
Configuring WINS Replication
Forcing Replication
Install WINS
Exploring WINS & DNS Integration
Examining WINS Replication
WINS replication partners
Upgrading a WINS Environment
Active Directory Global Catalog
Configuring WINS Clients
Configure the DHCP server to assign the IP address of the WINS server to DHCP clients: open the DHCP management console, highlight Server Options in the left pane, and select Action / Configure.
044 WINS/NBNS Servers: specifies the IP addresses of the WINS servers available to clients.
046 WINS/NBT Node Type: specifies the name resolution type. The available options are 1 = B-node (broadcast), 2 = P-node (peer), 4 = M-node (mixed), 8 = H-node (hybrid).
Configuring WINS Clients: Windows XP client for WINS
Open Local Area Connection / Properties, select Internet Protocol (TCP/IP), and click Properties. Select the Advanced tab, then the WINS tab. Click Add and type the IP address of the WINS server; repeat the process for additional WINS servers.
Other configurable options:
Enable LMHOSTS Lookup: enables the client to use the LMHOSTS file.
Enable NetBIOS over TCP/IP: the client uses NetBIOS over TCP/IP and WINS.
Disable NetBIOS over TCP/IP: disables NetBIOS over TCP/IP and WINS for this LAN connection.
Use NetBIOS Setting from DHCP Server: the client obtains its WINS information from a DHCP server.
Configuring Static Mappings
When clients are unable to dynamically register their NetBIOS name with a WINS server, use a static mapping: open the WINS management console, right-click Active Registrations, and select New Static Mapping. Type the computer name (NetBIOS name) of the host; if required, type the NetBIOS scope; select the type of entry to create; then type the IP address of the host.
DNS on Windows Server 2008 R2
Configuring the DNS role: expand DNS Server, select the DNS server, then select Action / Configure a DNS Server. Select Create Forward and Reverse Lookup Zones.
Select Create a Forward Lookup Zone, select the type of zone (Primary Zone), and type the FQDN in Zone Name.
Select Create a Reverse Lookup Zone, select Primary Zone, and type the network ID of the reverse lookup zone.
Creating Resource Records: list of common resource records
Host Address (A): maps a DNS name to an IP address.
Start of Authority (SOA): identifies the primary DNS server for the zone; it is the first resource record in a zone file.
Mail Exchanger (MX): routes messages to a specified mail exchanger.
Pointer (PTR): maps an IP address to a DNS name (reverse lookups).
Alias (CNAME): provides another name for a name referenced in another record.
Service Locator (SRV): used to locate domain controllers in an Active Directory domain.
sample SOA record
Host (A) Records
Service (SRV) Records
Other DNS Record Types
DNS Zones
A zone is a portion of the DNS namespace that is controlled by a particular DNS server or group of servers. Zones establish the boundaries over which a particular server can resolve requests.
Top level domain
Zone Types: Forward Lookup Zones and Reverse Lookup Zones
A forward lookup zone resolves names to IP addresses and resource information. A reverse lookup zone performs the exact opposite operation of a forward lookup zone.
Zone Types: primary zone, secondary zone, Active Directory-integrated zone
A primary zone maintains the master writable copy of the zone in a text file. A secondary zone stores a copy of an existing zone in a read-only text file; to create a secondary zone, the primary zone must already exist and a master name server must be specified. An Active Directory-integrated zone stores the zone information within Active Directory and is configured on Windows Server 2008 domain controllers that run DNS. A stub zone contains only a list of the authoritative name servers for a particular zone; it ensures that DNS servers hosting a parent zone are aware of the authoritative DNS servers for its child zones.
Stub zone
Create stub zone
Entering stub master servers
Performing Zone Transfers
A zone transfer copies the DNS database from one server to another; it is pulled by secondary servers from primary servers. Primary DNS servers can be configured to notify secondary DNS servers of changes to a zone.
Configuring a secondary server to pull zone transfers from a forward lookup zone
Creating a secondary zone and beginning zone transfers
Initiating Incremental Zone Transfers (asynchronous zone transfer)
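The SOA record introduced earlier is what drives the transfer decision described here: a secondary compares the primary's serial with its own and pulls a transfer only when the primary's is newer. The following added example (not from the slides) parses a zone-file SOA line and models that decision, including the 32-bit serial wraparound from RFC 1982 and the EXPIRE timeout; the zone names and values are constructed.

```python
# Added example (not from the slides): parse an SOA record as it appears in a
# zone file and decide, as a secondary server does, whether a zone transfer is
# needed and whether the secondary's copy of the zone has expired.
import re
from dataclasses import dataclass

SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+"
    r"(?P<expire>\d+)\s+(?P<minimum>\d+)$")


@dataclass
class SOA:
    owner: str
    mname: str     # primary master name server
    rname: str     # responsible mailbox, with "." in place of "@"
    serial: int    # version number the secondary compares
    refresh: int   # how often the secondary polls the primary for a new serial
    retry: int     # retry interval after a failed refresh
    expire: int    # secondary stops answering if no refresh succeeds for this long
    minimum: int   # negative-caching TTL (also the zone's default TTL)


def parse_soa(line: str) -> SOA:
    """Parse a single-line SOA record (parentheses and comments already removed)."""
    m = SOA_RE.match(" ".join(line.split()))
    if not m:
        raise ValueError("not an SOA record: " + line)
    f = m.groupdict()
    return SOA(f["owner"], f["mname"], f["rname"],
               *(int(f[k]) for k in ("serial", "refresh", "retry", "expire", "minimum")))


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is serial a newer than b, allowing 32-bit wraparound?"""
    return a != b and ((b - a) & 0xFFFFFFFF) > 0x7FFFFFFF


def transfer_needed(primary: SOA, secondary: SOA) -> bool:
    """A secondary pulls a zone transfer only when the primary's serial is newer."""
    return serial_gt(primary.serial, secondary.serial)


def zone_expired(soa: SOA, last_good_refresh: int, now: int) -> bool:
    """After EXPIRE seconds without a successful refresh the secondary discards the zone."""
    return now - last_good_refresh > soa.expire
```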
Recursive and iterative queries
Other DNS Components
Time to Live (TTL): the time (in seconds) that a resolver or name server keeps a cached DNS response before requesting it again from the original name server. It is modified via the SOA record.
Changing TTL
Aging and Scavenging for DNS
Scavenging removes stale records from the database after their original owners stop updating them. It is not turned on by default.
Scavenging
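What "stop updating" means in practice is governed by the zone's no-refresh and refresh intervals. The added example below (not from the slides) models how a Windows DNS server stamps a dynamically registered record, suppresses refreshes inside the no-refresh interval, and deletes the record only once both intervals have elapsed and scavenging is enabled on both the zone and the server. The 7-day intervals are the server defaults; the record names and times are constructed.

```python
# Added example (not from the slides): model the aging of a dynamic DNS record
# and the conditions under which scavenging may delete it.
from dataclasses import dataclass

DAY = 86400
NO_REFRESH_INTERVAL = 7 * DAY   # refreshes arriving in this window are ignored
REFRESH_INTERVAL = 7 * DAY      # after it, a refresh updates the timestamp


@dataclass
class DynamicRecord:
    name: str
    timestamp: int          # last registration/refresh time (epoch seconds)
    static: bool = False    # static records have no timestamp and are never scavenged


def refresh(record: DynamicRecord, now: int) -> bool:
    """Client re-registration: the timestamp moves only after the no-refresh interval,
    which limits AD replication traffic caused by daily re-registrations."""
    if record.static:
        return False
    if now - record.timestamp < NO_REFRESH_INTERVAL:
        return False
    record.timestamp = now
    return True


def is_stale(record: DynamicRecord, now: int) -> bool:
    """Stale once no-refresh + refresh intervals have passed since the timestamp."""
    return (not record.static
            and now > record.timestamp + NO_REFRESH_INTERVAL + REFRESH_INTERVAL)


def scavenge(records, now, zone_aging_enabled=False, server_scavenging_enabled=False):
    """Return the records that survive a scavenging pass. Scavenging only runs when
    aging is enabled on the zone AND scavenging is enabled on the server; both are
    off by default, so by default nothing is removed."""
    if not (zone_aging_enabled and server_scavenging_enabled):
        return list(records)
    return [r for r in records if not is_stale(r, now)]
```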
forwarder
Active Directory-Integrated Zones
Zones are stored in Active Directory, as opposed to a text file as in standard DNS. Windows Server 2008 utilizes AD-integrated zones,
DNS in Windows Server 2008 R2
Application Partition: Active Directory-integrated zones are stored in an application partition of AD.
Automatic Creation of Zones: Forest Root Zone for _msdcs. In AD, all client logons and lookups are directed to the local DC and global catalog servers through references to SRV records in DNS.
Forest Root Zone for _msdcs
Troubleshooting DNS
DNS Event Viewer to Diagnose
Client-Side Cache and HOST Resolution Problems
NSLOOKUP Command
IPCONFIG Command
TRACERT Command
DNSCMD Command
DNS Event Viewer to Diagnose: enable Debug logging.
The log file is dns.log in c:\windows\system32\dns\
Client-Side Cache and HOST Resolution Problems
When requesting lookups, the client resolver first parses its cache and only then contacts a name server. Items remain in the cache until the TTL expires, the machine is rebooted, or the cache is flushed. Flush the cache with ipconfig /flushdns.
NSLOOKUP: view the MX and SOA records associated with a specific domain.
IPCONFIG
ipconfig /flushdns flushes the client-side cache.
ipconfig /registerdns forces the client to dynamically reregister itself in DNS.
ipconfig /displaydns displays the contents of the client-side cache.
TRACERT gives you an idea of the path that a DNS query takes when it is sent over the network.
DNSCMD
Secure DNS with DNSSEC
DNSSEC Components
DNSSEC relies on signed zones; records are signed as defined by RFC 4035. A signed zone contains new DNSSEC record types: DNSKEY, NSEC, RRSIG, and DS records. Records are signed with the Zone Signing Key (ZSK); the Key Signing Key (KSK) is the key used to sign the ZSK.
DNSSEC records: DNSKEY and NSEC
DNSKEY is used to store a public key. NSEC proves the non-existence of a DNS name, so DNS clients can be sure that if a record is not retrieved in a DNS lookup, the record does not exist in the DNSSEC zone.
DNSSEC records: RRSIG and Delegation Signer (DS)
RRSIG holds the signature for a DNS record (for example, an A record maps to an RRSIG record). Delegation Signer (DS) records secure delegations to other DNS servers and confirm their validity.
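The link between the DNSKEY and DS records above is a hash: the parent publishes a DS that is a digest of the child's KSK DNSKEY, and a validating resolver recomputes that digest to confirm the delegation. The added example below (not from the slides) derives the key tag and DS record from a DNSKEY following RFC 4034, using the scenario zone secure.companyabc.com; the DNSKEY bytes are a constructed stand-in, not a real key.

```python
# Added example (not from the slides): derive the key tag and the DS record a
# parent zone publishes for a child's KSK, following RFC 4034, and check a
# DNSKEY against a DS the way a validating resolver does.
import base64
import hashlib
import struct

RSASHA256 = 8        # DNSKEY algorithm number
DIGEST_SHA256 = 2    # DS digest type


def wire_name(owner: str) -> bytes:
    """Canonical wire format: length-prefixed lowercase labels, root label last."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum of the RDATA used to pick the key."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes):
    """DS RDATA as (key tag, algorithm, digest type, hex digest); the digest
    covers the owner name in wire format followed by the DNSKEY RDATA."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], DIGEST_SHA256, digest


def ds_matches(owner: str, rdata: bytes, ds) -> bool:
    """Resolver check: recompute the DS from the child's DNSKEY and compare it
    with the DS obtained (signed) from the parent zone."""
    return ds_record(owner, rdata) == tuple(ds)


# Constructed KSK for the scenario zone: flags 257 = zone key with the SEP bit set.
KSK_RDATA = dnskey_rdata(257, RSASHA256, base64.b64decode("AQIDBA=="))
```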
Configuring a DNSSEC Zone using dnscmd
Scenario: the zone secure.companyabc.com will be signed. Generate the signing certificates (the ZSK and KSK certificates), sign the zone file and its records, and reload the zone file into the DNS server.
generate signing certificates
KSK and ZSK certificates
sign zone file and records
reload zone file into DNS server
Signed zone records
Configuring clients to request secure DNS entries
Allow clients to use DNSSEC in the properties of the DNS zone, and configure a Name Resolution Policy Table (NRPT) policy for the clients. The NRPT policy can be configured through Group Policy.
Creating an NRPT Group Policy for the secure.companyabc.com zone