In this section I will look at DNS records. DNS records contain the data that is returned to a client when the client requests information from the server about hosts or resources on the network. In this video I will look at the different DNS records. There are a lot of different DNS record types, but I will look at only the most common. Next I will look at dynamic DNS. Dynamic DNS allows clients to update their own DNS records as they change. This can be a real time saver.
Lastly I will perform a demonstration of how to create DNS records and how to use dynamic DNS. DNS is a key part of Active Directory, so it is beneficial to understand how DNS records work. Once you understand how DNS records work you will have a better understanding of how Active Directory finds resources on the network, which helps you troubleshoot Active Directory problems on your network.

With DNS there are a number of different record types. This is by no means a complete list, but it does cover the more common types. The first record is the start of authority, or SOA. The SOA record indicates the DNS server that is the best source of information for that zone. This should be the primary name server. Simply put, it is the DNS server that has the most authority to make changes in the domain or to answer questions about it. Contained in the SOA is the e-mail address of the administrator of the domain. The SOA also contains configuration information for replication.
This includes the zone's serial number. The serial number tells other DNS servers which version of the zone this server holds. When changes are made to the zone, the serial number increases.

The next most common record is the A or quad A (AAAA) record. This record maps a name to an IP address. The A record is used for IP version 4 addresses, while the quad A record is used for IP version 6 addresses. For each computer or device on your network you can create an A record or quad A record. If you have dynamic updates on, the record will be created automatically for you.

In some cases you will want to map a service to a host name. For example, you may want to map the name mail to your general application server called App1. You could create a new A record for the host; however, if the IP address of that host were to change you would need to update two records.
To help with administration, DNS allows you to create an alias record called a CNAME, which stands for canonical name. The CNAME record points to an A record or quad A record. When you attempt to resolve a CNAME record, the corresponding A record or quad A record is returned. With CNAMEs you can also change the destination the CNAME is pointing to. For example, if you moved your mail server from App1 to App2, all you would need to do is change the CNAME to point to App2 rather than App1. Without the CNAME, you would need to change every client on your network to point to the new server. You can see that by using CNAMEs you can save yourself a lot of reconfiguration headaches on your network when things change.

Originally DNS was designed only to resolve host names to IP addresses; since then it has expanded to allow users to find resources and services on the network. To do this, DNS has service records, or SRV records. A service record allows a client to locate services on the network using DNS.
Service records are used by Active Directory to allow a client to locate a domain controller, which is why DNS is so important in a Windows environment.

Lastly you have the mail exchange, or MX, records. When you attempt to send an e-mail, the sending e-mail server will read the MX records for that domain. Each MX record has a priority. MX records with a lower priority value are tried first. If the e-mail server cannot contact the server with the lowest MX priority value, it will try the next one. To better understand how MX records work, consider this example. In this example there is an e-mail server in the USA and one in the UK for the same company. Both the UK and US e-mail servers are connected together by a high speed link. A client attempts to send an e-mail to the example.com domain.
The first MX record for example.com is read. This has a priority of 5. If the mail server in the US can be contacted, the e-mail will be sent straight to this server. If the server cannot be contacted or the server is down, the next MX record, with the higher priority value, will be read, in this case mail.example.com.UK with a priority of 10. If the first server cannot be contacted, all e-mails for example.com will be sent via the UK server. In other words, each server acts as a backup for the other server. I have seen this set up in many different companies.

Having backup e-mail servers stops e-mails from being bounced back to the sender when there are long outages. The backup e-mail servers do not have to be on opposite sides of the world. In some cases the same company may have multiple e-mail servers at the same site. Regardless of the case, remember: MX records with a lower priority value are tried first. Don't confuse priority with load balancing. If the server with the lowest priority value is online, then all e-mail for that domain will be sent to this server.
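The priority-then-fallback behaviour described above, as an added Python example that is not from the video: a small model of how a sending mail server orders and tries MX targets. The host names and the set of reachable servers are constructed; the preference values 5 and 10 are the ones used in the example above.

```python
import random
from collections import defaultdict

# Constructed MX set modelled on the example above: a US server at
# preference 5 and a UK server at preference 10 for example.com.
# The host names themselves are constructed for this illustration.
MX_RECORDS = [
    ("mail-us.example.com", 5),
    ("mail-uk.example.com", 10),
]


def mx_attempt_order(records, rng=None):
    """Order MX targets the way a sending server tries them.

    Lower preference values come first. Targets that share a value are
    interchangeable, so they are shuffled within their group rather than
    given a fixed order.
    """
    rng = rng or random.Random()
    groups = defaultdict(list)
    for host, preference in records:
        groups[preference].append(host)
    order = []
    for preference in sorted(groups):
        hosts = list(groups[preference])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def deliver(records, reachable, rng=None):
    """Return the MX host a message is handed to, or None if all are down.

    `reachable` is the constructed set of hosts that answer right now.
    This is failover, not load balancing: while the host with the lowest
    preference value answers, every message goes to it.
    """
    for host in mx_attempt_order(records, rng):
        if host in reachable:
            return host
    return None
```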
The last record I will look at is the PTR record. There are other DNS record types; however, the ones I have looked at so far and the PTR record are the main types. PTR stands for pointer record, and it simply maps an IP address to a name. Windows can create PTR records automatically, but in order for this to happen you must have a reverse lookup zone created to store the PTR record. In a moment I will show you how to create a reverse lookup zone. In the real world, I have worked on large networks that don't have a single reverse lookup zone created. For Active Directory to run you don't require any reverse lookup zones. Reverse lookup zones are mainly used by troubleshooting tools like traceroute and nslookup. Even though you can get away with not having any reverse lookup zones, when you are troubleshooting network problems you may find an IP address in a log file. It is useful to be able to perform a reverse lookup and find out the host name for that IP address.

In the old days, you had to update your DNS records manually. With Windows Server 2000 came the ability for clients to update their DNS records dynamically. This is controlled by the DHCP Client service. If your client is not automatically updating its records in DNS, make sure this service is running correctly. If you want to force the client to update its records, run the command ipconfig /registerdns. This will force the client to update its DNS records on the DNS server immediately. If you are trying to connect to a user's computer remotely and DNS cannot resolve its IP address, you can often fix the problem by getting the user to run this command.
With dynamic updates, you can also configure the zone to use secure updates. This stops a hacker from inserting their own records in your DNS server and redirecting your users to the hacker's server. In order to use secure updates the client must be a Windows computer and be a member of the Windows domain. DHCP can also register DNS records in your DNS server. If you have any non-Windows clients, this is a workaround for those clients not being able to update their own DNS records.

Let's have a closer look at DNS records on Windows Server 2008. To add records to your DNS server, run the DNS Admin tool from Administrative Tools under the Start menu. I want to add some records to the test.local forward lookup zone. As you can see, there are a number of records that have already been created in the test.local forward lookup zone. These records have been added automatically using dynamic DNS or were created when Active Directory was installed.
In some cases you may want to create an alias, or CNAME, for an existing record. To do this, right click and select New Alias. In this case I want to add an alias for Windows Update; this will point to the server WSUS. At present WSUS is on its own server; later on I may consolidate this server so that WSUS is on another server with other services. When this occurs I don't want to have to reconfigure all my clients to point to the new server. By using an alias, when I move the WSUS server I simply have to update the alias to point to the new server. Updating an alias is a lot easier than going around and reconfiguring all the clients. You can see now that an alias has been created for Windows Update. This alias will point to the record WSUS.

In a lot of cases Windows clients will automatically create a dynamic DNS record for you. In some cases you will need to create a manual entry. For example, you may have a computer that does not automatically register itself in the DNS server. When this occurs you will need to create a manual entry in your DNS server. In this case I will create an entry called App2. App2 is a UNIX server that does not have support for dynamic DNS, so I must create a manual entry. To do this, right click where you want to create the new record and select New Host. All I need to do is put in the computer name and the IP address. You will notice that the tick box "Create associated pointer (PTR) record" is ticked by default.
This will automatically create a reverse lookup entry in the reverse lookup zone, if a reverse lookup zone is available. You will notice that you now get a message letting you know that the DNS record was created. If I now open the reverse lookup zone, you will notice the PTR record.

Another of the more common DNS records you may want to create is a mail exchange record, or MX record. To do this, right click and select New Mail Exchange. All I need to do is enter the fully qualified domain name for the mail exchange record. The mail server priority indicates the priority this mail server will receive. The server with the lower priority value will be tried first. Servers with the same priority value will be used interchangeably.
In this case I will accept the default of 10 and create the record. In some cases you may need to create another type of DNS record not listed in the menu. To do this, select the option "Other New Records". As you can see, there are a lot of DNS records you can create. One of the more common records you may need to create is an SRV record, found at the bottom. Service records allow programs to find services on the network, for example domain controllers.

If I go back, you will notice that so far most of the records are Host (A) records. A refers to a name record that uses IP version 4. If you were to create a host record for IP version 6, this would appear as quadruple A. I will go through manually creating an IP version 6 host; however, before I do that I am going to create a reverse lookup zone for IP version 6 addresses. To do this, right click Reverse Lookup Zones and select New Zone. From the wizard, I am going to select primary zone and store the zone in Active Directory. In this case I will leave it on the default and allow the data to be replicated to all domain controllers. To create the IP version 6 zone, all I need to do is select the option IPv6 Reverse Lookup Zone.
Next I need to enter the network address that I want this zone to store IP addresses for. I will leave it on the default, allow only secure dynamic updates, and move on. That's it; press Finish and the IP version 6 reverse lookup zone is created. Now if I right click the test.local forward lookup zone and select New Host, I can create a new host. All I need to do now is enter the host name and copy and paste the IP version 6 address into the IP address text box. Notice I can leave the tick box "Create associated pointer (PTR) record" ticked, as I have a reverse lookup zone created. The IP version 6 host record is now created. If I go back to the forward lookup zone you will notice that the new quadruple A record has been created with the IP version 6 address.
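As an added Python example that is not part of the video, the following derives the reverse lookup zone name from the network address entered in the wizard, for both IPv4 and IPv6, and works out the PTR record that the "Create associated pointer (PTR) record" tick box would write, which is only possible when a reverse lookup zone covers the address. The IP addresses and prefixes are constructed; only the names App2 and test.local come from the video.

```python
import ipaddress


def reverse_zone_name(prefix: str) -> str:
    """Name of the reverse lookup zone that holds PTR records for `prefix`.

    IPv4 zones are cut on octet boundaries (in-addr.arpa), IPv6 zones on
    nibble boundaries (ip6.arpa); the labels are written in reverse order.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need an octet-aligned prefix")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_for(ip: str, hostname: str, reverse_zones):
    """Work out the PTR record that goes with a host (A or AAAA) record.

    Returns (zone, owner label inside that zone, target name) when one of
    `reverse_zones` covers `ip`, or None when no zone does. None is the
    case where the DNS console cannot create the associated PTR record
    because no reverse lookup zone is available for that address.
    """
    owner = ipaddress.ip_address(ip).reverse_pointer  # full PTR owner name
    for zone in reverse_zones:
        if owner.endswith("." + zone):
            relative = owner[: -(len(zone) + 1)]
            return zone, relative, hostname.rstrip(".") + "."
    return None


# Constructed lab data: test.local is the video's zone, the prefixes are made up.
ZONES = [reverse_zone_name("192.168.1.0/24"), reverse_zone_name("fd00:1234::/32")]
```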
You will notice at the top of the screen there are a number of folders that start with an underscore. These contain some of the service records that Active Directory uses to tell clients where resources on the network are located. For example, in the _udp folder there are the service records for the domain controllers for this domain. Windows will create these automatically for you, so you should not have to create them yourself. If you delete these records, your clients will not be able to locate any domain controllers and thus will not be able to log on to Active Directory. If for some reason you did delete these records or they were damaged, go to the properties for the zone and make sure that dynamic updates are switched on. If it is set to None, the Net Logon service will not be able to create the DNS records.
Try switching the setting to either "Nonsecure and secure" or "Secure only" and restarting the Net Logon service. This should recreate the missing or damaged Active Directory service records.

If I select the Aging button, I can switch on the option at the top, "Scavenge stale resource records". When you have this option on, DNS will automatically remove records from its database that it thinks are no longer required. The next option, the no-refresh interval, sets how long it is until the time stamp on a record can be updated. If you attempt to refresh the record before this time has expired, in this case 7 days, the DNS server will not update the time stamp. Once the time period has expired, the time stamp can be updated. The next option, the refresh interval, sets how long it is until a record can be scavenged, or removed, from the DNS database. What this means is that after the no-refresh interval has expired, the DNS record can be refreshed for a period of another 7 days. If the record is not refreshed in this time, the record may be removed from the DNS database. In this example, it would take 14 days for a DNS record to be considered no longer required and be removed from the database. A lot of the time these settings correspond to the settings in your DHCP server, since DHCP can also update your DNS records.
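The no-refresh and refresh intervals described above, as an added Python example that is not from the video: a record's time stamp, the refresh attempts the server ignores, and the day on which the record becomes a candidate for scavenging. The record name and the days on which refreshes arrive are constructed; the 7-day intervals and the 14-day total are the zone settings from above.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class AgedRecord:
    """A dynamically registered record with the zone's aging settings, in days."""
    name: str
    timestamp: int            # day on which the record was last (re)registered
    no_refresh: int = 7       # no-refresh interval from the zone's Aging dialog
    refresh: int = 7          # refresh interval from the zone's Aging dialog
    ignored: List[int] = field(default_factory=list)  # refreshes the server dropped

    def refresh_at(self, day: int) -> bool:
        """A dynamic update that changes no data, i.e. a refresh.

        Inside the no-refresh interval the server leaves the time stamp alone;
        after it, the time stamp moves to today.
        """
        if day < self.timestamp + self.no_refresh:
            self.ignored.append(day)
            return False
        self.timestamp = day
        return True

    def stale_on(self, day: int) -> bool:
        """True once no-refresh + refresh days have passed without a refresh."""
        return day >= self.timestamp + self.no_refresh + self.refresh


def simulate(record: AgedRecord, refresh_days, last_day: int):
    """Replay daily scavenging runs against the refreshes a client sends.

    Returns the day the record is scavenged, or None if it survives to last_day.
    Constructed assumption: the scavenger runs once every day.
    """
    refresh_days = set(refresh_days)
    for day in range(record.timestamp, last_day + 1):
        if day in refresh_days:
            record.refresh_at(day)
        if record.stale_on(day):
            return day
    return None
```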
If I now run the DHCP snap-in, I can expand down to IPv4 and select Properties. In Properties, if I select the DNS tab I can see how DHCP will work with DNS. You can see the first option, "Enable dynamic updates according to the settings below". The next two settings only apply to clients that support dynamic updates. The first setting will only update the DNS records when the client asks the DHCP server to do so on its behalf. The next setting is "Always dynamically update DNS A and PTR records". When you select this setting, if the client supports dynamic updates, the DHCP server will always update the DNS records for them. The important thing to understand is that the client needs to support dynamic updates.
When a lease expires, DHCP will tell the DNS server to remove the entry from its database. Without this option on, the DHCP server may allocate the IP address to a new client. When you attempt to resolve the name of the old client that no longer exists on the network, you will instead get connected to the new client. If you are using remote control software, this can be quite embarrassing when you connect to the wrong client. With careful planning, you should be able to keep your DNS database up to date.

On a large network with a lot of computers coming and going, dynamic updates save you a lot of time and headaches. If you decide to use dynamic updates, make sure you give some thought to keeping them secure from hackers.
If your DNS server is behind a firewall then you should not have any problems as long as the hackers cannot break into your network. If your DNS server is accessible from the internet, it is possible for a hacker to insert or even update DNS records and redirect your users to their servers.

Lastly, have a good understanding of the common DNS record types. Without DNS, Active Directory cannot run. It is important to understand DNS, as a lot of services rely on it to operate.