DNS Server for Windows Server 2008


Uploaded by itfreetraining on 04.08.2011

Transcript:
In this section I will look at the Domain Name System, or DNS. DNS is a system used to help users locate resources on the internet. In this video I will start with a bit of the background and history of DNS, followed by the new features that the Windows Server 2008 DNS server has to offer. Next I will cover the components that make up a complete DNS solution. To better understand DNS and how it can work inside your network, I will cover the DNS name space. This will help you understand how you can start creating your own DNS name spaces and what rules you will need to follow. Next there is the topic of DNS forwarding, which allows your DNS server to pass requests on to another DNS server to be resolved. Finally I will cover installing DNS and configuring the server properties for DNS. Once you complete this section you will learn that installing the DNS server is the easy part; the hard part comes from understanding DNS and configuring it.

DNS, or Domain Name System, is the most widely used name resolution system today. DNS was originally developed to be used on the internet. When the internet was first developed, computer names and IP addresses were stored in a file. This file contained all the computer names on the network and their IP addresses. When a change was made, the file had to be updated on all the computers on the network. When there were only a few computers on the network this was not a problem; however, as more and more computers were added to the network this became harder and harder. As more computers were added the file also became larger and larger. The file became so large that it became impractical to keep copying it around the network, and thus DNS was born.

DNS allows a hierarchical model to be used rather than flat host files. DNS is easy to update compared to having to update a host file on hundreds or even thousands of computers. Microsoft DNS server meets internet standards, so you can be assured that it will work with other DNS servers on the internet. You will find that Microsoft's DNS server is both powerful and easy to use. Over the years, the function of DNS has remained the same: DNS resolves names to IP addresses and allows computers to find services on the network. With Windows Server 2008, Microsoft has added some features to the DNS server.

One of the most noticeable features of DNS server for Windows Server 2008 is support for IP version 6. If you have used DNS server before you will be familiar with the A record. An A record maps a name to an IP version 4 address. Later on in the course I will cover DNS records in more detail, including A records. The DNS server for Windows Server 2008 has the ability to let you add quad A (AAAA) records. Quad A records are the same as A records except that they hold IP version 6 addresses. If you are planning on deploying a DNS server in an IP version 6 network, Windows Server 2008 is fully IPv6 compatible and ready to go. Later on in the course I will cover zones in more detail. Zones simply hold DNS records and can be stored either in a file or inside Active Directory.

Previously, with the Windows Server 2003 DNS server, if you stored your zone files in Active Directory and then rebooted the server, the data files, or zone files, would need to be loaded before the DNS server would start answering requests. If you had very large zone files the server might not start answering requests for quite a long time. If a client attempted to resolve a name that had not been loaded, the DNS server would not be able to resolve the request. In a large network it is not unheard of for a DNS server to take up to an hour to load the zone files from Active Directory. As you can imagine, this is a long time to wait. To fix this problem Windows Server 2008 added the feature background zone loading. This works for zones that are stored inside Active Directory, or Active Directory integrated zones. The DNS server now launches a background process to load the zone data, which means the DNS server is ready to answer requests straight away. If a client asks for a record that has not been loaded yet, the DNS server simply queries Active Directory to get the data. Active Directory returns the data to the DNS server, and the data can then be passed on to the client. This means you no longer have to wait after a reboot for your DNS server to start answering requests.

With Windows Server 2008 you can now deploy read-only domain controllers. As the name suggests, the Active Directory database on these domain controllers is read only. DNS server in Windows Server 2008 supports read-only domain controllers. If you store your zone data in Active Directory, when the DNS server tries to make a change on a read-only domain controller it will not be able to. The request will then be passed to a writable domain controller, so don't worry if you install DNS server on a read-only domain controller. As long as the read-only domain controller can contact a writable domain controller you can still update your DNS data. Remember, this only applies to data stored in Active Directory. DNS server gives you the option to store your DNS data in a file instead of Active Directory. If you store your data in a file, the DNS data can be updated on that server even if DNS server is installed on a read-only domain controller. Don't worry if you are a little confused about zones; zones will be covered in a lot more detail later in the course.

Windows Server 2008 DNS server also adds a new feature called Global Single Names. This allows you to use a single unique name over an enterprise network. With global single names you can create one record in your forest which is used in all domains in that forest. This saves you having to create one record in each domain for a global resource.

To better understand the hierarchical nature of DNS, you need to understand how the name space is spread out. First of all you have the root name servers. These resolve the first part of the domain name. The first part of any domain name, working from right to left, is dot, just dot. Any fully qualified domain name ends with a dot. If you take the example www dot example dot com, the fully qualified domain name will end with a dot. This may seem a little strange to you, as you have probably never had to add the dot to the end of a domain name. This is because the DNS software will automatically append the dot to the end of the domain name for you.

To start resolving any domain name, your DNS server will first contact a dot server; these are called root hint servers. There are 13 root hint servers on the internet. These are independently managed. When you pay to register a domain name you are paying to be part of this service. 13 may not seem a lot when you consider the size of the internet, but this is in fact a limitation of the TCP protocol. Even so, the root hint servers are on high availability clusters, so you can be assured your DNS server will be able to contact one. The root hint server will return the IP address of a top level domain DNS server. This DNS server contains details about the second part of the domain, for example .com, .org, .net and even country codes like uk and au. Your DNS server will then contact this server to get the IP address of a second level domain server. This server contains details of the next part of the domain name.

The second level domain can be registered to yourself and is the first part of the domain name which you can host on your own DNS server. For example, the DNS records for microsoft.com are stored on Microsoft's own DNS server and can be changed at any time by Microsoft, unlike the root name and top level domain, which you have no control over. On the next level you have sub domains, which you have complete control over. You can even create sub domains of sub domains. On your DNS server you are free to create any sub domains you wish without having to get permission and without having to register the domain name. All you need to do is make sure that the top level domain points to your DNS server. As you can see, the DNS name system gives you a hierarchically based system of domain names and also allows the name space to be spread out over many servers, providing expandability and redundancy.

To better understand the name resolution process, consider this example. A client computer wants to resolve sales.example.com. It first contacts its local DNS server. The local DNS server sends a query to the root hint server. The root hint server responds back to the local DNS server with the IP address of a top level domain server. The DNS server contacts the top level domain server. The top level domain server responds back with the IP address of the second level domain server. The local DNS server now contacts the second level server. The second level domain server also holds the sub domains. It is not uncommon for one DNS server to hold many different DNS name spaces. The server returns the IP address for that domain name back to the DNS server. The DNS server then returns the IP address back to the client. As you can see, a lot goes on to resolve a single IP address, but this system is necessary to allow the internet to have the large domain space it has and to provide redundancy and high availability to its users.

In a lot of cases it is not efficient to have each of your DNS servers contacting the internet root servers. In a large network this will result in more traffic than required. Consider this example: imagine there were 3 different networks. A client in each of the 3 networks attempts to resolve the same domain name. The DNS server in each network contacts the root hint server. The root hint server returns the address of a .com server to each of the DNS servers. The DNS servers then contact the dot com server. The dot com server returns the IP address of a server that is an authority for that domain. The 3 DNS servers then contact this server. This server is able to provide a response for the request. The response is returned to the DNS server and passed on to the client. In total this took 9 different queries to resolve the 3 requests. This scenario is the default behaviour for the Windows Server 2008 DNS server. In a large network this is not very efficient. If you configure forwarding you can have one server on your network performing the DNS lookups for you. A lot of companies will deploy this configuration: one DNS server behind a firewall contacts the internet to resolve DNS requests for the others. If the same DNS name is resolved more than once, the DNS server will have the result in its cache. This makes DNS resolving a lot faster and reduces the number of times root hint servers need to be contacted.

A lot of companies take it to the next step and configure their internet DNS server to forward requests to their internet service provider's DNS server. In this scenario all the company's DNS resolving requests go to the ISP's internet DNS server. The ISP's DNS server contacts any required DNS servers to complete the request. As you can imagine, your ISP has many customers and there is a good chance that they have already resolved the DNS name you are asking for and it will be in the ISP's DNS cache. This will speed up your DNS resolving. All ISPs should have at least two DNS servers, so I would add both DNS servers to your list of forwarders. It is unlikely both your ISP DNS servers will go down, but if this were to occur, your DNS server would then default back to contacting the root hint servers. As you can see, using this scenario gives you fast name resolution and redundancy.

In this scenario all DNS resolve requests will go to your ISP DNS server to be resolved. In most cases this is what you want. This can present a problem if you have DNS names that cannot be resolved by the internet DNS server. When this occurs you may want to use conditional forwarding. Consider this example. Client 1 wants to resolve example.local. The request gets sent to the ISP DNS server. Dot local domain names are for private use only, so your ISP DNS server does not know how to resolve this DNS address. The DNS server at the bottom of the screen hosts the DNS records for example.local. You want all the requests for example.local to go to this DNS server. Conditional forwarding allows you to create a rule to forward requests for this DNS name to the DNS server that has the DNS records. These rules can be replicated to all DNS servers in your forest or your domain. This means you create the rule once and all your DNS servers will forward the requests correctly without any more configuration. All you have to do is set the option to replicate the rules to all domain controllers. Once set, the rule will replicate to all domain controllers in your domain or your forest.

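The three scenarios just described (each DNS server walking the root hints itself, several servers sharing one forwarder with a cache, and a conditional forwarder for a private .local zone) as a small model you can run. This is an added example, not code from the video; the "internet" referral table, server roles and all addresses are constructed, and forwarders are tried in order before falling back to the root hints, as the video describes.

```python
# Added example, not code from the video; the name space, server roles and addresses are constructed.
INTERNET = {  # constructed public tree: each server answers a name or refers to a child zone's server
    "root":           {"refer": {"com.": "tld-com"}},
    "tld-com":        {"refer": {"example.com.": "ns.example.com"}},
    "ns.example.com": {"answer": {"sales.example.com.": "203.0.113.10"}},
}

def fqdn(name):                               # DNS appends the trailing dot for you
    return name if name.endswith(".") else name + "."

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

class DnsServer:
    def __init__(self, forwarders=(), conditional=None, records=None):
        self.forwarders = list(forwarders)    # DnsServer objects, tried in order
        self.conditional = conditional or {}  # zone -> DnsServer that holds that zone
        self.records = records or {}          # names this server is an authority for
        self.cache = {}
        self.queries_sent = 0                 # queries this server sent on to other servers

    def resolve(self, name):
        name = fqdn(name)
        if name in self.records:
            return self.records[name]
        if name in self.cache:                # resolved before: no traffic at all
            return self.cache[name]
        target = self._conditional_forwarder(name)
        if target is not None:                # rule matched: only that server is asked
            ip = self._ask(target, name)
        else:                                 # otherwise try forwarders in order, stop at first answer
            ip = next((a for a in (self._ask(f, name) for f in self.forwarders) if a), None)
            if ip is None:                    # no forwarder answered: fall back to the root hints
                ip = self._iterate(name)
        if ip is not None:
            self.cache[name] = ip
        return ip

    def _ask(self, server, name):
        self.queries_sent += 1
        return server.resolve(name)

    def _conditional_forwarder(self, name):
        zones = [z for z in self.conditional if in_zone(name, z)]
        return self.conditional[max(zones, key=len)] if zones else None   # most specific zone wins

    def _iterate(self, name):
        server = "root"                       # start at a root hint server
        while True:
            self.queries_sent += 1
            node = INTERNET[server]
            if name in node.get("answer", {}):
                return node["answer"][name]
            nxt = [ns for z, ns in node.get("refer", {}).items() if in_zone(name, z)]
            if not nxt:                       # no server on the internet holds this zone
                return None
            server = nxt[0]

def three_servers_walking_root_hints():
    servers = [DnsServer() for _ in range(3)]
    for s in servers:
        s.resolve("sales.example.com")
    return sum(s.queries_sent for s in servers)   # 9: root, .com and example.com for each server

def three_servers_sharing_a_forwarder():
    isp = DnsServer()
    servers = [DnsServer(forwarders=[isp]) for _ in range(3)]
    for s in servers:
        s.resolve("sales.example.com")
    return sum(s.queries_sent for s in servers), isp.queries_sent   # (3, 3): the cache served two

def private_zone_with_conditional_forwarder():
    internal = DnsServer(records={"host.example.local.": "10.0.0.5"})
    isp = DnsServer()
    dc1 = DnsServer(forwarders=[isp], conditional={"example.local.": internal})
    dc2 = DnsServer(forwarders=[isp])         # no rule: the ISP is asked and cannot answer .local
    return dc1.resolve("host.example.local"), dc2.resolve("host.example.local"), isp.queries_sent
```

Note that the server without the rule still falls back to the root hints after the ISP fails, exactly the behaviour that makes .local names unresolvable without conditional forwarding.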
Before you can add the DNS server role to your server, you first need to meet a couple of install requirements. First of all, your server must have a static IP address. The static IP address can be a version 4 or a version 6 IP address. If you wish you can assign a static IP address for both, but as long as you have one static address on one of the network cards your DNS server will work. To add the role, the user account needs to be a member of the local administrators group. When you install DNS server on a domain controller you can store the DNS data, or zone data, in the Active Directory database. Having the data in Active Directory allows you to take advantage of the Active Directory replication system. Using Active Directory means you can have redundancy and also use the replication system in Active Directory, which is more efficient at replicating small changes.

If you integrate your zone data in Active Directory you can also enable secure updates. Secure updates is a feature that requires a computer to prove who it is before it will be allowed to change or add records on the DNS server. Without the secure updates feature, you either have to switch off all dynamic updates or allow unsecure updates. If you allow unsecure updates it is possible for a hacker to compromise your DNS records.

DNS is a very important service in Active Directory; without it Active Directory cannot function. Because of this it is recommended that you have at least 2 DNS servers on your network for redundancy. If you have only one DNS server and it goes down, all your Active Directory based resources will stop running. Let's have a look at how to install DNS server on Windows Server 2008. (use demo file Install Domain Name Server.swf)

To install DNS server, open Server Manager from the Start menu. Select the option Roles from the left hand side and then select the option Add Roles from the right hand side. From the list of roles, select the role DNS Server. Press Install and DNS server will be installed on your Windows Server 2008 computer. As you can see, the install of the DNS role is very simple. Once DNS server has been installed, you can expand down to DNS Server under Roles in Server Manager. This screen will give you a quick indication of how your DNS server is running. As you can see there are no events for the DNS server as yet, and if I scroll down a bit more you can see that the DNS Server service is running. Down the bottom of the screen Microsoft gives you some links to access additional DNS resources. These links will help you further configure your DNS server and give you access to DNS best practices documentation. As you can see, installing DNS server is easy; the difficult part is configuring it.

In the exam, you may see the term cache only DNS server. In reality all DNS servers cache resolved requests. This saves the DNS server having to resolve the same name again if it is requested multiple times. The difference between a cache only DNS server and a regular DNS server is that a cache only DNS server does not hold any DNS data or zones. The DNS server that I just installed is a cache only DNS server and will continue to be one until DNS records are added to it. To understand why Microsoft makes the distinction between a cache only DNS server and a regular DNS server, consider this example. Imagine this network contains 500 users and is connected to the internet. The DNS server contains DNS records for all the computers in the domain plus any other resources and servers in the domain. This amounts to over 500 DNS records. Now consider that another office has just opened with just two users, connected to the main office via a slow network connection. The DNS server in the second office has a copy of the DNS records from the main office. Over 500 DNS records that change as computers come and go from the network are in the DNS server. In a very large network you can see that the slow network link can easily become congested simply trying to keep its local copy of the DNS records up to date.

With only two users at the other office, there is little benefit to having a complete copy of the DNS data at the remote site. This is a perfect scenario to deploy a cache only DNS server. In this case you would not hold any DNS records on the remote DNS server and would forward all DNS requests to the DNS server in the larger network. Cache only DNS servers can still be configured to use forwarders; they only stop being called cache only DNS servers once you start storing DNS records on them. Once a request is resolved it will stay in the local DNS server cache. The only DNS data that then comes across the slow link is data that one of the two clients asks for. This makes better use of the bandwidth than copying over hundreds of DNS records that the clients on the network are most likely never going to ask for. The advantages of cache only DNS servers are that they are very easy to set up and require no administration. When I added the DNS role to the server in the previous example, the DNS server was automatically a cache only DNS server and started resolving DNS requests by contacting the root hint servers. Notice how easy it was to set up and that no administration was required. In the exam, look out for questions where the best solution is to deploy a cache only DNS server. Look for key words like ease of administration, slow network links or remote locations. Let's have a look at how to configure your DNS server once it is installed.

Once you have DNS up and running, you may want to tweak your DNS server. To configure the properties of your DNS server, first open the DNS admin tool from Administrative Tools under the Start menu. From here right click your DNS server and select the option Properties. On the Interfaces tab, you can select the IP addresses your DNS server will listen on. Notice that you can select IP version 4 or IP version 6 addresses here, or a combination of both. If your DNS server is only to be used on your local network you should consider selecting the option "Only the following IP addresses" and then selecting the IP address for your local network.

Some hackers will attempt to read data from your DNS server to get an understanding of your local network. They can then use this information to hack into your network. It is not uncommon for companies to have an external and an internal DNS server. If you do this, make sure that you set the "Only the following IP addresses" option so that the DNS server cannot accidentally be used by the wrong people to gather information. In this case, I will leave it on the default. On the Forwarders tab, you can enter the DNS servers this DNS server will forward requests on to. Any request that this DNS server cannot resolve will be passed on to the DNS forwarder.

A lot of companies will set up a DNS server in their DMZ to resolve all DNS requests. All the DNS servers in the company will direct their requests to this server. You can also put your ISP DNS server in here. (Note: “Disable recursion (also disables forwarders)” shown below is said as “Disable recursion also disables forwarders”. This is exactly what is on the demo screen.) On the Advanced tab, you have 6 tick boxes you can tick to change how the DNS server handles certain requests. The first is “Disable recursion (also disables forwarders)”. This means your DNS server will not attempt to contact other DNS servers to try and resolve names. If your DNS server is on a secure network or is only intended to service local clients, you may want to switch this option on. Hackers can send a lot of DNS requests that require recursion to a DNS server and thus cause a denial of service attack. If your DNS server does not require recursion, switch this option on to make your server safer from a recursive denial of service attack.

By default Windows Server 2008 will use a fast transfer method to replicate data from one server to another. The option “BIND secondaries” switches this off and uses a slow transfer method. If you are communicating with a DNS server that is not compatible with BIND 4.9.4 or greater, then you need to switch this option on. BIND 4.9.4 came out in 1996, so it is unlikely that any DNS server released in the last 10 years will not be compatible. If you do have an older system, you will need to switch this option on.

The next option, “Enable round robin”, will return IP addresses in circular sequential order when more than one exists. For example, if you have 3 web servers you could create 3 separate host records with the same name but with different IP addresses. When round robin is enabled, the DNS server will rotate through the multiple records. If the next option, “Enable netmask ordering”, is ticked, the DNS server will attempt to return an IP address in the same subnet as the client if one exists. If round robin is also enabled this may cause some unwanted results. For example, if I were to add a fourth server of the same name in a different subnet, round robin would work in the following way. Any clients in the same subnet as the servers would only get rotated between the servers in that subnet. This means clients in the first subnet will receive only the first 3 servers when querying the DNS server. Clients in the second subnet will only receive the one server. If you want round robin to rotate through all records on the DNS server regardless of which subnet the client is located in, you will need to switch “Enable netmask ordering” off.

The last option, “Secure cache against pollution”, helps protect your DNS server from having modified records placed in its cache. What happens is that when the DNS server attempts to resolve a name, the DNS server will find a DNS server that is an authority for that domain. You can be assured that when this occurs the IP address is correct. If you were to switch off secure cache against pollution the following can occur. When your DNS server is trying to resolve a query, a DNS server could tell your DNS server the IP address of, say, Microsoft.com. This DNS server is not an authority for Microsoft dot com, and thus the DNS server could be used by a hacker to insert an incorrect IP address for Microsoft.com. When this occurs the user can be redirected without their knowledge to another web site instead of Microsoft.com. Having this option on does mean that you end up having to perform more queries to locate the authority server; however, the extra security is well worth it.

The Root Hints tab is populated by default with the 13 root hint servers on the internet. The defaults work fine and you should not need to change this. In a very, very large company with a very complex DNS network you may add your own root hint servers; however, this is very rare.

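The interaction between “Enable round robin” and “Enable netmask ordering” described above, as an added example that is not code from the video. It reproduces the four-web-server scenario: three servers in one subnet, a fourth in another. The host records, the /24 subnet size and the client addresses are constructed, and the ordering rule is a simplified model of what the video describes, not Microsoft's implementation.

```python
# Added example, not code from the video; the records, subnet size and client addresses are constructed.
import ipaddress

RECORDS = {  # constructed: four host records with the same name, three in one subnet, one in another
    "www.example.com": ["192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.2.10"],
}

def _rotate(addrs, n):
    if not addrs:
        return []
    k = n % len(addrs)
    return addrs[k:] + addrs[:k]

class Responder:
    """Orders the addresses of a multi-record name the way the two Advanced tab options describe."""

    def __init__(self, records, round_robin=True, netmask_ordering=True, prefix=24):
        self.records = records
        self.round_robin = round_robin
        self.netmask_ordering = netmask_ordering
        self.prefix = prefix                  # subnet size assumed for 'same subnet as the client'
        self.served = {}                      # name -> answers given so far (round robin state)

    def answer(self, name, client_ip):
        addrs = list(self.records[name])
        n = self.served.get(name, 0) if self.round_robin else 0
        self.served[name] = n + 1
        if not self.netmask_ordering:
            return _rotate(addrs, n)          # plain round robin over every record
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
        local = [a for a in addrs if ipaddress.ip_address(a) in net]
        other = [a for a in addrs if a not in local]
        # same-subnet records always come first and round robin only rotates within each group,
        # so a client only ever ends up on the servers in its own subnet
        return _rotate(local, n) + _rotate(other, n)

def addresses_used(name, client_ip, queries, **options):
    """First address returned on each of `queries` lookups, i.e. the server the client will use."""
    r = Responder(RECORDS, **options)
    return [r.answer(name, client_ip)[0] for _ in range(queries)]
```

A client outside both subnets gets every record rotated, because no same-subnet group exists to pin it to.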
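The check behind “Secure cache against pollution” discussed above, as an added example that is not code from the video: a record from a response is only cached when its name lies inside the zone the responding server is an authority for, so an example.com server cannot plant an address for Microsoft.com. The zone, the records and the out-of-zone extra record are constructed.

```python
# Added example, not code from the video; the zone, records and the bogus extra record are constructed.
from dataclasses import dataclass, field

def in_zone(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

@dataclass
class Record:
    name: str
    rtype: str
    data: str

@dataclass
class ResolverCache:
    secure: bool = True                       # the 'Secure cache against pollution' tick box
    entries: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)

    def accept_response(self, authority_zone, records):
        """Store records from a reply sent by the server reached as the authority for authority_zone."""
        for r in records:
            if self.secure and not in_zone(r.name, authority_zone):
                # a server that is an authority for example.com has no say over microsoft.com:
                # keep the record out of the cache rather than trusting it
                self.rejected.append(r)
                continue
            self.entries[(r.name.lower().rstrip("."), r.rtype)] = r.data

    def lookup(self, name, rtype):
        return self.entries.get((name.lower().rstrip("."), rtype))

def response_from_example_com():
    """Constructed reply from the example.com authority: the real answer plus an unrelated record."""
    return [Record("www.example.com.", "A", "203.0.113.10"),
            Record("microsoft.com.", "A", "198.51.100.66")]   # not inside this server's zone

def cache_after_response(secure):
    cache = ResolverCache(secure=secure)
    cache.accept_response("example.com.", response_from_example_com())
    return cache.lookup("www.example.com", "A"), cache.lookup("microsoft.com", "A"), len(cache.rejected)
```

With the option off the unrelated record lands in the cache and every later lookup of that name is answered from it, which is the redirection the video warns about.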
On the Debug Logging tab you can set a lot of logging options. As you can see there is a lot of information you can log, down to the packet level. If you are having problems with your DNS server you may want to switch this option on; however, I would suggest using the Event Logging tab first. The debug tab does record a lot of data and may have an effect on performance. On the Event Logging tab you can log a lot of details in the event log. If you need to troubleshoot your DNS server, I would suggest trying this tab first over the debugging tab. In most cases, the event viewer will log enough information to help troubleshoot your problems.

The Trust Anchors tab is a new feature of Windows Server 2008 R2. When you set up trust anchors, the DNS server can contact a trust anchor to obtain a certificate. Using the certificate the DNS server will return a digital signature with the DNS record. The digital signature allows the client to validate the DNS record as being correct. If security is a big concern on your network you may want to consider using trust anchors to ensure your DNS records have not been tampered with or sent from a 3rd party pretending to be your DNS server.

The Monitoring tab allows you to perform two tests to make sure your DNS server is working. The first test is a simple query against the local server, while the second test will perform a recursive query using other DNS servers. If I tick both and press Test Now, you can see the test results down the bottom. This shows that both the simple and recursive queries are working. If you make changes to your DNS server configuration, for example adding forwarders, I would suggest performing this quick test to make sure that everything is working correctly.

This concludes this section on configuring a DNS server. When installing DNS on your network, make sure that you have at least two DNS servers on your network. If one of the servers goes down the other server can still answer requests from clients. Remember, Active Directory relies on DNS. Without DNS your clients will not be able to find your domain controller and will not be able to log on to the network. In some cases you may want to deploy a cache only DNS server. A cache only server does not hold any records; any requests that it receives are queried from another server. Look for questions in the exam that require a cache only server. When deploying DNS on your network, remember, careful planning can save you a lot of headaches later on.