Copyright line.
Configuring DNS

EXAM OBJECTIVES
- An Introduction to Domain Name System (DNS)
- Configuring a DNS Server
- Creating DNS Zones
- Configuring and Managing DNS Replication
- Creating and Managing DNS Records
- Configuring Name Resolution for Client Computers

Slide 2: An Introduction to DNS
- DNS allows hosts and services to be located on IP networks using friendly names instead of IP addresses.
- DNS can be used to resolve public FQDNs, or used privately by organizations that wish to use its features while remaining isolated from the Internet.
- DNS uses an incremental query process involving client-to-server and server-to-server queries to resolve names and IP addresses.

Slide 3: Configuring a DNS Server
- When the DNS Server role is installed, a caching-only DNS server is created.
- Root hints tell a DNS server where to look next when resolving queries for records not contained in locally stored zones.
- Forwarding can be used instead of root hints. Server forwarding typically involves an organization’s internal DNS servers forwarding requests for public name resolution to a DNS server that has direct access to the Internet. Conditional forwarding allows administrators to configure DNS servers to forward resolution requests to other DNS servers based on specific domain names.

Slide 4: Creating DNS Zones
- Forward lookup zones resolve host names to IP addresses. Reverse lookup zones resolve IP addresses to host names.
- DNS records can be changed on primary and AD integrated zones, but not on secondary or stub zones.
- Zone delegation allows a domain name space to be divided among different zones on separate servers.
- The new GlobalNames feature supports single name resolutions (such as NetBIOS computer names) on IPv6 networks using DNS.

Slide 5: Configuring and Managing DNS Replication
- By default, primary, AD integrated and secondary zones limit the servers from which they can accept zone transfer requests.
- Administrators can manually request incremental zone updates or a complete refresh of all zone records for secondary zones using DNS Manager.
- The SOA zone record is used to configure the replication parameters for secondary zones.

Slide 6: Creating and Managing DNS Records
- DNS records can be administered manually, updated automatically by hosts, or both.
- DNS record types include A, AAAA, PTR, MX, SRV, CNAME, and NS.
- Aging and scavenging are used to clean up DDNS records that have not been updated or refreshed within a given period and may be invalid.

Slide 7: Configuring Name Resolution for Client Computers
- Two primary forms of name resolution exist on Windows networks: NetBIOS and host names. Microsoft increasingly has moved away from NetBIOS toward DNS. If a network runs a variety of Windows client and server versions, it’s important that both forms of name resolution are configured properly. If the network is comprised primarily of Windows XP and later clients, and Windows Server 2003 and later servers, DNS is most likely supporting many of the network’s name resolution needs.
- By default, the following name resolution steps are taken when resolving host names: the local host name => the local DNS resolver cache => the local HOSTS file => DNS => the local NetBIOS name cache => WINS => a local network broadcast => the local LMHOSTS file.
- By default, the following name resolution steps are taken when resolving NetBIOS names: the local NetBIOS name cache => WINS => a local network broadcast => the LMHOSTS file => the local host name => the local DNS resolver cache => DNS.

Slide 8: FAQ
Q: What exactly is DNS and why do I need it?
A: DNS is the primary name resolution method for Windows Server 2008, making it essential to a properly functioning domain and network. It provides hosts with the actual network location of network services and other hosts. It also can be used to determine host and service information when an IP address is provided. Computers cannot find themselves using most key components of Windows Server 2008 without DNS.

Slide 9: FAQ
Q: My organization does not wish to connect to the Internet. We are using Windows Server 2008 and Windows Vista, and DNS is essential for name resolution. I know that DNS was designed to work with the Internet; what can I do?
A: Although DNS originally was designed for use with the Internet and its predecessors, it is no problem to use it privately. In fact, if you have an Active Directory domain, it will be required. In this scenario you will create and configure a separate DNS environment that is very similar to the Internet, except you will control all levels of it instead of just a tiny portion.

Slide 10: FAQ
Q: I need to specify a totally private DNS server network for my organization. How should I configure root hints?
A: When root hints don’t need to point to the Internet’s root name servers, typically they should point to the highest level DNS servers within an organization. A good way to think about root hints is that they are designed to point to the top of whatever DNS hierarchy is being used.

Slide 11: FAQ
Q: I want to use forwarding, but don’t want all queries to go to the same place. I need to distribute them based on the domain being asked for; how can I do this in Windows Server 2008?
A: Conditional forwarding can be used to distribute queries to forwarders based on the domain being requested.

Slide 12: FAQ
Q: Domains and zones are very confusing to me. What is the difference between a domain and a zone?
A: Because zones use domain names, it’s easy to get confused. Zones hold the actual records for part of the domain namespace. A domain like syngress.com. has records distributed across several zones. The root name servers hold the “.” portion, which is typically hidden from users at the end of the domain name. The “.com” name servers hold the zone for this portion of the namespace. Finally, a server managed by the organization contains a zone for the “syngress” portion of the DNS namespace.

Slide 13: FAQ
Q: Does Microsoft recommend standard or AD integrated zones?
A: Microsoft recommends AD integrated zones. The records are stored in the AD database, which increases their security and allows for more efficient replication of the records when compared to traditional zone transfers. Using AD integrated zones also enables secure DDNS, which eases the burden of DNS administration without compromising security.

Slide 14: FAQ
Q: My organization is implementing IPv6. Right now we use both DNS and WINS for name resolution. WINS supports only IPv4. What can I do to support NetBIOS type names for IPv6?
A: Microsoft’s new GlobalNames feature can be used. When activated, DNS servers can serve manually created single name records. You can create these records to match important NetBIOS resource names, such as key servers.

Slide 15: FAQ
Q: What is the difference between an A and AAAA host record?
A: The Windows Server 2008 DNS Server role fully supports IPv4 and IPv6. The A host record is one of the oldest in DNS and is used to resolve a host name to an IPv4 address. The newer AAAA record is used to resolve a host name to an IPv6 address.

Slide 16: FAQ
Q: What is a PTR record used for?
A: PTR, or pointer, records are the primary records used in reverse lookup zones. These records facilitate the resolution of IP addresses into host names.

Slide 17: FAQ
Q: My office has a lot of sales people that work on laptops in and out of the office. I’ve noticed that there are quite a few inaccurate DDNS records being left behind by these computers. What can be done about it?
A: Microsoft’s aging and scavenging feature can be used to clean up records such as these. You can set your organization’s Windows 2000 and later DNS servers to delete records automatically if they have not been kept up to date.

Slide 18: FAQ
Q: Most of the name resolution on my network uses DNS; however, all clients are still configured for WINS. When a client attempts to access a resource by using the resource’s host name, what steps may occur?
A: By default, the following name resolution steps are taken when resolving host names: the local host name => the local DNS resolver cache => the local HOSTS file => DNS => the local NetBIOS name cache => WINS => a local network broadcast => the local LMHOSTS file. All these steps are at least partially configurable by an administrator.

Slide 19: FAQ
Q: My environment uses IPv6 addresses, but NetBIOS broadcasts are supported only for IPv4. What can I do?
A: Microsoft has included a new protocol in Windows Vista and Server 2008 to solve this problem: Link-Local Multicast Name Resolution. If these are the primary operating systems in use and hosts on a segment of the network are unable to contact a DNS server, some name resolution can still take place on a peer-to-peer basis using either IPv4 or IPv6.

Slide 20: FAQ
Q: I’m responsible for several hundred Windows XP and Vista clients. Is there an easy way to automate their DNS configuration?
A: Many DNS settings can be managed centrally using group policy. In most cases, settings applied with group policy will override settings that are configured manually on the client. Not all settings work with all client types, however. It’s important to carefully read the description of each to determine how and where it can be applied.

Slide 21: Test Day Tip
In addition to caching responses from DNS servers containing the requested resources (called positive caching), the local resolver also caches negative responses. These result from a failure to locate DNS resources. When a server answers a client’s query with a negative response, the local resolver caches it and will not request it again for a period of time. Temporary DNS problems can thus become longer term issues until this cached record expires. You can manually purge the client’s resolver cache using the following command: ipconfig /flushdns.

Slide 22: Exam Warning
A server cannot be configured to conditionally forward for a domain if it has a zone configured on it that includes the same portion of the domain name space. For example, if a DNS server hosts the authors.syngress.com zone, it cannot also have conditional forwarding set up for the authors.syngress.com domain.
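
The forwarding rules from slides 3, 11 and 22, as an added Python example that is not part of the original presentation: a simplified model of where a server sends a query it cannot answer from a hosted zone, plus the check that flags a conditional forwarder named the same as a hosted zone. Every zone name other than authors.syngress.com, all IP addresses, the function names, and the most-specific-match rule for choosing among conditional forwarders are assumptions; caching and delegations are not modelled.

```python
# Simplified model (added example): where a DNS server sends a query.
# Zone names, forwarder IPs and the most-specific-match rule are assumptions
# made for illustration; they are not taken from the slides.

def labels(name):
    """Split a domain name into lowercase labels, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def within(name, domain):
    """True if name equals domain or is a subdomain of it (label-wise match)."""
    n, d = labels(name), labels(domain)
    return len(d) <= len(n) and n[len(n) - len(d):] == d

def most_specific(name, domains):
    """Return the domain with the most labels that contains name, or None."""
    hits = [d for d in domains if within(name, d)]
    return max(hits, key=lambda d: len(labels(d)), default=None)

def forwarder_conflicts(hosted_zones, conditional_forwarders):
    """Conditional-forwarder domains that duplicate a zone hosted on the server."""
    hosted = {tuple(labels(z)) for z in hosted_zones}
    return sorted(d for d in conditional_forwarders if tuple(labels(d)) in hosted)

def route(name, hosted_zones, conditional_forwarders, forwarders, root_hints):
    """Decide which mechanism handles a query for name."""
    zone = most_specific(name, hosted_zones)
    if zone is not None:
        return ("local zone", zone)
    domain = most_specific(name, conditional_forwarders)
    if domain is not None:
        return ("conditional forwarder", conditional_forwarders[domain])
    if forwarders:
        return ("forwarder", forwarders[0])
    return ("root hints", root_hints[0])

# Constructed sample configuration (not from the slides).
HOSTED = ["authors.syngress.com"]
CONDITIONAL = {
    "partner.example": "10.0.1.53",
    "lab.partner.example": "10.0.2.53",
    "authors.syngress.com": "10.0.3.53",   # invalid: same name as a hosted zone
}
FORWARDERS = ["192.0.2.53"]
ROOT_HINTS = ["198.51.100.1"]
```

Matching is done label by label, so a name such as notpartner.example is not treated as part of partner.example, which a plain string-suffix comparison would get wrong.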

Slide 23: Test Day Tip
Beware of Microsoft’s default options. Sometimes they represent Microsoft’s recommended settings. Other times a nonrecommended setting is selected by default. On the test, never assume that a default option or setting is a recommended one.

Slide 24: Test Day Tip
Be sure to remember that Microsoft recommends and really expects you to use AD integrated zones with secure dynamic updates whenever possible.

Slide 25: Exam Warning
Only Windows Server 2008 servers support GlobalNames zones.

Slide 26: Exam Warning
Pay careful attention to Microsoft’s recommendations regarding GlobalNames zones. Although these zones do not have to be AD integrated, or replicated to all domain controllers in the forest, or configured not to allow dynamic updates—this is how Microsoft expects them to be configured. Often their documentation does not even acknowledge that other configuration options can be used. Play it safe on the exam and give them the answers they want.

Slide 27: Exam Warning
The server’s right-click menu contains a Reload option in addition to Reload from Master. It’s important not to confuse these on the exam. On a secondary zone, the Reload option reloads the information in the local zone file. The Reload from Master initiates a full zone transfer from a master DNS server and overwrites the records in the zone file.

Slide 28: Exam Warning
Unlike standard primary zones, by default AD integrated and secondary zones are not configured to allow zone transfers. You must check the Allow zone transfers: box in the Zone Transfers tab in the server’s Properties.

Slide 29: Test Day Tip
The refresh, retry, and expiration settings on the SOA record apply only to standard secondary zones. AD integrated zones use Active Directory replication and ignore these settings.

Slide 30: Test Day Tip
In addition to creating application directory partitions, you can also add servers to and remove servers from partitions using DNSCMD.

Slide 31: Test Day Tip
If you use a mix of Windows and non-Windows DNS servers, consider selecting the Do not replicate this record option. WINS records are not standard DNS record types and are not supported by all DNS servers. Attempting to replicate them to DNS servers that do not support them may cause errors.

Slide 32: Test Day Tip
DDNS can conflict with data in the GlobalNames zone. If a GNZ is configured on the DNS server, it is checked first when DDNS requests are received. If a client attempts to register or update a DDNS record using a name that is already specified in the GNZ, the request will fail.

Slide 33: Exam Warning
Client DNS server settings can be assigned by group policy. When a client has locally configured DNS servers, and a group policy setting that specifies them, the local server list is ignored.

