EXAM 70-640 WINDOWS SERVER 2008 ACTIVE DIRECTORY, CONFIGURING.

Chapter 1: Configuring DNS for Active Directory

Configuring DNS for Active Directory

The Domain Name System (DNS) is a highly scalable system for mapping hostnames to numerical Internet Protocol (IP) addresses. On Transmission Control Protocol / Internet Protocol (TCP/IP) networks such as the Internet, computers are assigned unique IP addresses. These numerical addresses are not particularly user friendly, so computers are also given a host name. The domain name system is a hierarchical naming system for organizing computers into domains and mapping IP addresses to host names. When a user enters a DNS name such as www.kurtdillard.com into an application, the DNS service is used to find the IP address assigned to that host name.

DNS is a critical piece of any network that includes AD DS: member computers use DNS to find domain controllers and other servers for activities such as authentication, accessing file shares, and browsing web servers. Understanding how to deploy and manage the DNS Server role in Windows Server 2008 will help you to leverage Active Directory Domain Services (AD DS) more effectively in your organization. In this chapter I will cover managing DNS zones, replication, and other DNS settings. More specifically, you will learn about the following:

Configure zones.
Configure DNS server settings.
Configure zone transfers and replication.

Configuring DNS Zones

DNS records are partitioned into zones. A zone contains the resource records for the hosts that belong to the corresponding portion of the DNS namespace, and the namespace for a zone can include one or more DNS domains. Zones are maintained by DNS servers; a zone can be stored as a file or within Active Directory. In the latter case, the size of the zone affects how long it takes the DNS Server service to initialize, because the zone data must be retrieved from Active Directory; we’ll explore this further later in this section.

You may want to delegate a portion of the DNS namespace for a couple of reasons: to assign management to a department within the organization, or to improve performance by spreading the load of a large DNS database across separate DNS servers. Consider an extended example. You might store all of the records for your publicly accessible hosts in one zone, e.g. kurtdillard.com, which could include hosts named www.kurtdillard.com, ftp.kurtdillard.com, and mail.kurtdillard.com. Internal hosts could be organized by geographic location within subdomains, each stored as a separate zone, e.g. americas.kurtdillard.com and europe.kurtdillard.com. This example is represented in Figure 1 below. In the rest of this section we will explore the various kinds of zones available in Windows Server 2008 and how to manage them.

Figure 1: DNS Zone Delegation

Start of Authority (SOA)

The first record in any DNS zone is the Start of Authority (SOA) resource record (RR). The SOA RR specifies the authoritative DNS server for the zone, i.e., the best source of data for the zone. Depending upon the installation options, the SOA RR may or may not be added automatically for a new zone. Figure 2 shows DNS Manager with various elements highlighted. In this case the server is the first domain controller in a new domain within a new forest, and the SOA record was created automatically during the installation of AD DS.

Figure 2: DNS Manager

To manage the SOA record for a zone, navigate to the desired zone within DNS Manager, right-click on the SOA record, and select Properties. Figure 3 shows the SOA RR from my test domain. In most cases the default values for refresh, expiration, and time to live (TTL) are sufficient; however, you may wish to increase these values in order to reduce the amount of DNS traffic on your network. The downside of increasing the values is that DNS clients will take longer to learn about configuration changes and are therefore more likely to have problems finding other hosts on your network.

Figure 3: Start of Authority Resource Record

Managing Other Resource Records

There are other types of resource records in addition to the SOA RR. Each type has a specific purpose related to helping clients locate remote hosts and services. The most common kinds are:

Host (A) resource records: this type of record maps a hostname to a 32-bit IPv4 address.

AAAA resource records: these map a hostname to a 128-bit IPv6 address.

Name Service (NS) records: this kind of record maps a domain name to a list of DNS servers authoritative for the domain.

Service location (SRV) resource records: this type maps a DNS domain name to a list of computers that provide a service; for example, an SRV RR is required for computers to locate Active Directory domain controllers.

Mail exchange (MX) resource records: this kind of record maps a DNS domain name to the name of a mail exchange computer for the domain.

Alias (CNAME) resource records: also called canonical name records, these allow you to configure multiple DNS names to resolve to a single host.

Pointer (PTR) resource records: this type of record is used for the reverse lookup process, which is discussed in more detail later in this chapter.

Managing Other Resource Records

Resource records can be added to and updated in the database manually or automatically. The manual process, also referred to as Non-Dynamic DNS (NDDNS), is useful when adding records that are unlikely to change for a long time, such as public-facing web and mail servers. To manually add a static record using DNS Manager:

Right-click on the desired zone and select Other New Records.
Select the type of record to create from the Select a resource record type drop-down list.
Click Create Record.
Enter the information for the new record in the New Resource Record dialog box, then click OK to add the record to the database. The type of information required for the new record will vary depending upon its type.

Managing Other Resource Records

To manually add a record using a command prompt, open a command prompt with administrative privileges, type the following command, and press ENTER:

Dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName> [/Aging] [/OpenAcl] [TTL] <RRType> <RRData>

As you can see, the command has many options; Table 1 briefly explains each. You can view more detailed information about all of these options by entering the following command:

Dnscmd /RecordAdd /help

Parameter Description

<ServerName> This is a required parameter. You specify either the host name or IP address of the DNS server where the record is to be created.

/RecordAdd This is a required parameter. It specifies what action is to be taken, in this case to add a new record.

<ZoneName> This is a required parameter. The fully qualified domain name (FQDN) of the zone.

<NodeName> This is a required parameter. The FQDN of the node.

[/Aging] This optional parameter specifies that the record may be aged and scavenged.

[/OpenAcl] This optional parameter specifies that the record may be modified by any user; without this parameter only administrators are able to do so.

[TTL] This optional parameter specifies the time to live (TTL) for the record.

<RRType> This is a required parameter. It specifies what kind of record to add, e.g.: A, AAAA, MX, NS, CNAME, SRV, or PTR.

<RRData> These are required parameters that vary depending upon the type of record being added. Each of these parameters must be separated by a space.

Table 1: Dnscmd options when adding records

Managing Other Resource Records

Enterprise networks can be large, with hundreds of thousands of hosts, and managing static records for so many hosts isn’t feasible. To address this challenge Windows Server 2008 also supports dynamically updated records. There are two ways in which records can be dynamically updated. First, the DHCP Client service on the client computer can register the computer with the DNS server at boot-up. Second, you can configure DHCP servers, if they support the feature, to register clients when they assign an address to a host. There are two methods available for dynamic updates: Dynamic DNS (DDNS) and Secure Dynamic DNS (SDDNS).

DDNS is the least secure choice because in this configuration updates can be accepted from untrusted hosts; however, it is supported by a wider range of operating systems. SDDNS is only available for Active Directory-integrated zones, and it is the preferred configuration whenever possible. The default setting for new zones is NDDNS, that is, dynamic updates are disabled, unless the new zone is integrated with Active Directory, in which case SDDNS is the default setting.

Managing Other Resource Records

To enable or disable dynamic updates in DNS Manager, right-click on the desired zone and select Properties, then make the appropriate selection in the Dynamic Updates drop-down list and press OK. To configure dynamic updates from a command prompt, type the following command and press ENTER:

Dnscmd <ServerName> /Config {<ZoneName or ..AllZones>} AllowUpdate 2

Table 2 briefly explains what each of the command line options means.

Parameter Description

<ServerName> This is a required parameter. You specify either the host name or IP address of the DNS server where the zone is stored.

/Config This is a required parameter. The second parameter specifies what action is to be taken, in this case to modify the specified zone.

<ZoneName or ..AllZones> This is a required parameter. The fully qualified domain name (FQDN) of the zone. To configure all zones stored on the server, type ..AllZones.

AllowUpdate This is a required parameter. It enables dynamic updates.

2 This optional parameter specifies secure updates only; if it is omitted, the zone will only allow standard dynamic updates.

Table 2: Dnscmd parameters when configuring a zone.

Managing Other Resource Records

Tip: The graphical tool for DNS administration in Windows Server 2008 is the DNS Manager Microsoft Management Console (MMC) snap-in, henceforth referred to as “DNS Manager.” There is also a command prompt tool, dnscmd, which is useful for managing Server Core installations and for scripting administrative tasks. While many administrators will be most comfortable using DNS Manager, you may also want to familiarize yourself with the command prompt tool.

Understanding DNS Zones

The DNS Server role supports three different types of zones: primary, secondary, and stub. Only primary and stub zones can be configured as Active Directory-integrated zones if the server is a domain controller in an Active Directory domain. The difference between integrated and non-integrated zones is where zone information is stored. Active Directory-integrated zones are stored within the AD DS. Zones that are not integrated are stored as text files, by default in %windir%\System32\dns.

Caution: Although it may be tempting to edit these DNS text files in Notepad or some other text editor, Microsoft strongly recommends that you do not. Instead, you should always use the built-in tools such as DNS Manager to configure zones and resource records, to ensure proper formatting and versioning.

Primary: A primary zone is the writable master copy of a zone. A DNS server hosting the primary zone is the authoritative source for information about that zone.

Secondary: A secondary zone is a read-only copy of a zone. A server hosting a secondary zone must download the zone data and ongoing updates to the data from another server hosting the same zone. A secondary copy cannot be stored in AD DS because it is merely a copy of a primary zone stored on another server.

Stub: A stub zone is a copy of the primary zone that only contains resource records for the authoritative DNS servers for that zone. A server hosting a stub zone must download the zone data and ongoing updates to the data from another server hosting the same zone. When properly implemented, stub zones can improve name resolution efficiency by allowing DNS servers to complete recursive queries without having to query the Internet or internal root servers. Stub zones also tend to be less processor intensive than conditional forwarding.

Expert Discussion: Why Background Zone Loading is Important

Background zone loading is a new feature in Windows Server 2008 that large organizations may find very useful. In previous versions of the DNS Server service all of the DNS data stored in AD DS had to be loaded before the server would start responding to DNS queries. Some enterprises had to endure waits of an hour or more when restarting their DNS servers.

In Windows Server 2008 the DNS Server service can start responding to client requests much more quickly because it is able to do so while continuing to retrieve zone data from AD DS. When clients request data for a zone that has already been loaded, the DNS server responds normally; when they request data for a zone that hasn’t been loaded yet, it retrieves the information from AD DS and then responds to the client.

Creating New Zones

To create a new zone in DNS Manager right-click on either the DNS Server, Forward Lookup Zones, or Reverse Lookup Zones. If the first option is used then the wizard will display an additional page asking whether to create a forward or reverse lookup zone. The wizard will prompt you to specify information that’s described earlier in this chapter such as zone type, zone name, and dynamic updates; however, the wizard will also ask you to specify the replication scope as shown in figure 4. Replication scope is discussed in more detail later in this chapter.

Figure 4: Selecting the Active Directory replication scope in the New Zone Wizard

To create a new zone from a command prompt type the following command and press ENTER:

dnscmd <ServerName> /ZoneAdd <ZoneName> {/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} [/file <FileName>] [/load] [/a <AdminEmail>] [/DP <FQDN>]

Once again, there are many options available; Table 3 briefly explains each.

Parameter Description

<ServerName> This is a required parameter. You specify either the host name or IP address of the DNS server where the zone is stored.

/ZoneAdd This is a required parameter. It specifies what action is to be taken, in this case to add a new zone.

<ZoneName> This is a required parameter. The fully qualified domain name (FQDN) of the zone.

{/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} This is a required parameter for defining the zone type; /DsPrimary and /DsStub indicate AD DS-integrated zones.

[/file <FileName>] This is required only when creating a primary zone that is not integrated with AD DS.

[/load] This optional parameter loads an existing file; otherwise the default zone records are generated automatically.

[/a <AdminEmail>] Use this optional parameter to specify an email address for the zone’s administrator.

[/DP <FQDN>] Use this optional parameter to specify the FQDN of the application directory partition where the zone is to be added.

Table 3: Dnscmd parameters when creating a zone

Zone Aging and Scavenging

Out-of-date resource records can accrete in a zone database much like barnacles on a freighter. If the number of stale records becomes substantial it can impact performance by consuming disk space, slowing down responses to queries, and sending outdated information to clients. In some cases a stale record may prevent its name from being reused by other hosts in the domain. By observing the time stamps on resource records, the DNS Server service can automatically remove records once they have aged beyond the time limit you have specified. To use these features they must be enabled at both the DNS server and zone levels.

Caution: There is a reason why the aging and scavenging features are disabled by default: when implemented incorrectly, records that are still needed may be deleted. For this reason, only implement these features once you fully understand all of the options available.

Normally only dynamically updated records are configured to be scavenged because in most cases when you configure a static record it’s for a server that is going to be sharing resources for a relatively long time. By default static records are given a time stamp of zero which exempts them from aging and scavenging. You can change this by modifying the records individually to permit them to use a current time stamp instead. The aging and scavenging concepts introduce some terms that you may not be familiar with:

No-refresh interval: The period of time between the last refresh and the moment when the time stamp can be refreshed again.

Refresh interval: The period of time from when a record is refreshed to when it can be scavenged. This must be greater than the maximum refresh period.

Scavenging period: The period of time between scavenging operations.

Record refresh: This occurs when a dynamic update is processed and the only change made to the record is to update its time stamp. This happens when a computer restarts, every 24 hours when the computer attempts to update its record, and when other network services attempt a refresh.

Record update: This occurs when a dynamic update is processed and other characteristics are modified in addition to its time stamp.

Scavenging servers: It’s possible to restrict scavenging to a specific list of DNS servers, identified by their IP address.
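The interplay between the no-refresh interval, the refresh interval, record refreshes, record updates and static records is easier to see when the rules are written down and run. The following Python script is an added example for this chapter, not code from the exam guide or from the Windows DNS Server service; the interval unit (hours), the absolute time-stamp values, and the host names and addresses are all constructed for the example. It shows why a refresh inside the no-refresh window is ignored, why an update moves the time stamp regardless, and why a static record (time stamp zero) survives a scavenging pass.

```python
"""Aging and scavenging decisions for DNS resource records.

Added example for this chapter; it is not code from the exam guide or from
the Windows DNS Server service. It models the rules described above: a
record refresh inside the no-refresh interval does not move the time
stamp, a record update always does, a record is eligible for scavenging
once the no-refresh plus refresh intervals have elapsed since its time
stamp, and static records (time stamp zero) are never scavenged.
Interval units (hours) and all sample records are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ZoneAging:
    no_refresh: int          # hours in which a refresh does not advance the time stamp
    refresh: int             # further hours before the record may be scavenged
    enabled: bool = True     # the zone-level "Scavenge stale resource records" box


@dataclass
class Record:
    owner: str
    rdata: str
    timestamp: int           # hours; 0 marks a static record exempt from aging


def try_refresh(rec: Record, aging: ZoneAging, now: int) -> bool:
    """A 'record refresh': a dynamic update that changes nothing but the
    time stamp. Returns True only if the time stamp actually advanced."""
    if rec.timestamp == 0:                       # static: keep the zero stamp
        return False
    if now - rec.timestamp < aging.no_refresh:   # inside the no-refresh window
        return False
    rec.timestamp = now
    return True


def update(rec: Record, now: int, rdata: str) -> None:
    """A 'record update': the data changes, so the time stamp moves
    even inside the no-refresh window (static records stay static)."""
    rec.rdata = rdata
    if rec.timestamp != 0:
        rec.timestamp = now


def is_stale(rec: Record, aging: ZoneAging, now: int) -> bool:
    """Eligible for scavenging once both intervals have elapsed."""
    if not aging.enabled or rec.timestamp == 0:
        return False
    return now - rec.timestamp >= aging.no_refresh + aging.refresh


def scavenge(records: List[Record], aging: ZoneAging, now: int) -> List[str]:
    """Remove stale records in place; return the owner names removed."""
    removed = [r.owner for r in records if is_stale(r, aging, now)]
    records[:] = [r for r in records if not is_stale(r, aging, now)]
    return removed


def demo() -> Dict[str, object]:
    """Walk through one scavenging cycle on constructed records."""
    aging = ZoneAging(no_refresh=168, refresh=168)   # 7 days each, in hours
    ws01 = Record("ws01.americas.kurtdillard.com", "192.168.2.10", timestamp=1000)
    ws02 = Record("ws02.americas.kurtdillard.com", "192.168.2.11", timestamp=1000)
    www = Record("www.kurtdillard.com", "203.0.113.5", timestamp=0)  # static
    records = [ws01, ws02, www]

    # Hour 1050: ws02 gets a new address. An update moves the stamp at once.
    update(ws02, now=1050, rdata="192.168.2.12")
    # Hour 1100: ws01 reboots and re-registers. 100 h < 168 h -> ignored.
    early = try_refresh(ws01, aging, now=1100)
    # Hour 1200: ws01 registers again, now outside the no-refresh window.
    late = try_refresh(ws01, aging, now=1200)
    # Hour 1400: scavenging runs. ws02 (stamp 1050) is 350 h old >= 336 -> removed;
    # ws01 (stamp 1200) is 200 h old -> kept; www is static -> kept.
    removed = scavenge(records, aging, now=1400)
    return {"early": early, "late": late, "removed": removed,
            "remaining": [r.owner for r in records], "ws02_stamp": ws02.timestamp}


if __name__ == "__main__":
    print(demo())
```

The point the caution above makes shows up directly in the numbers: a host that is switched off for longer than the two intervals combined loses its record at the next scavenging pass, so the intervals have to be chosen with the longest expected absence in mind.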

To configure aging and scavenging for a zone in DNS Manager:

Right-click on the zone and select Properties.
Click Aging on the General tab of the dialog box.
Select the Scavenge stale resource records check box.
Modify the other properties as appropriate.

To configure aging and scavenging for a zone from a command prompt enter the following command:

dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}

Table 4 briefly explains each option.

Parameter Description

<ServerName> This is a required parameter. You specify either the host name or IP address of the DNS server where the zone is stored.

/Config This is a required parameter. The second parameter specifies what action is to be taken, in this case to modify the specified zone.

<ZoneName> This is a required parameter. The fully qualified domain name (FQDN) of the zone.

/Aging <Value> This is required. Set the value to 1 to enable aging, or 0 to disable it.

/RefreshInterval <Value> This is required. It specifies the refresh interval in hours, 168 by default.

/NoRefreshInterval <Value> This is required. It specifies the no-refresh interval in seconds, 3600 by default.

Table 4: Dnscmd parameters for scavenging at the zone level

To configure aging and scavenging for a DNS server in DNS Manager right-click on the server and click Set Aging/Scavenging for all zones, then select the Scavenge stale resource records check box and modify the other properties as appropriate.

To configure aging and scavenging for a DNS server from a command prompt enter the following command:

dnscmd <ServerName> /Config {/ScavengingInterval <Value>|/DefaultAgingState <Value>|/DefaultNoRefreshInterval <Value>|/DefaultRefreshInterval <Value>}

Table 5 briefly explains each option.

Parameter Description

<ServerName> This is a required parameter. You specify either the host name or IP address of the DNS server where the zone is stored.

/Config This is a required parameter. The second parameter specifies what action is to be taken, in this case to modify the specified zone.

/ScavengingInterval <Value> This required parameter specifies the scavenging frequency for all zones enabled for scavenging.

/DefaultAgingState <Value> This required parameter sets the default aging configuration for all zones; 1 enables aging and 0 disables it.

/DefaultRefreshInterval <Value> This is required. It specifies the default refresh interval in hours.

/DefaultNoRefreshInterval <Value> This is required. It specifies the default no-refresh interval in seconds.

Table 5: Dnscmd parameters for scavenging at the server level

Understanding Forward Lookups and Reverse Lookups

A forward lookup occurs when a client looks for the IP address assigned to a particular hostname. The hostname can be resolved to an IP address in several different ways. First, if the hostname is less than 16 bytes long the client will attempt to resolve it using NetBIOS. If that fails, or if the hostname is longer, the client checks its own local cache of recent DNS queries; this includes the local hosts file, since it is pre-cached during boot-up. If the name is not found locally the client queries its DNS server. The DNS server will answer the query directly if the information is in its database; otherwise it checks its own cache of previous queries.

Understanding Forward Lookups and Reverse Lookups

If the answer is not cached either, the DNS server starts the recursion process: it uses the list of root hints to find the DNS servers authoritative for the domain where the host is located. By default, the list of root hints points to the publicly available list of root servers that host the top-level domains such as “com,” “info,” “org,” and “us.” So if the host name is www.kurtdillard.com the DNS server will query one of the root servers to find the IP address of an authoritative DNS server for the kurtdillard.com domain. Next, it will query the kurtdillard.com DNS server to find the IP address for the host named www. It then returns the answer to the original client machine. Figure 5 illustrates the lookup process from the point where the client queries its primary DNS server.
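The lookup chain just described can be simulated end to end. The script below is an added example for this chapter, not code from the exam guide or from any Microsoft tool; every server name, address, root hint and hosts-file line in it is constructed. It goes one step beyond the text by showing the referral from the root servers to the “com” servers before the zone’s own server is reached, and it seeds the resolver cache from a hosts file the way the chapter says the client does at boot, so the second query for the same name is answered from the cache without touching any server.

```python
"""Recursive forward lookup, as a simulation. Added example for this
chapter; not code from the exam guide or from the Windows DNS Server
service. It goes one step beyond the text by showing the referral from the
root servers to the "com" servers before the zone's own server is reached.
All server names, addresses, the root-hints list and the hosts-file sample
are constructed for the example."""
from typing import Dict, List, Optional, Tuple

# Constructed authoritative data: for each server, the names it can answer
# for. "NS" entries are referrals to the next server down; "A" entries are
# final answers.
AUTH: Dict[str, Dict[str, Tuple[str, str]]] = {
    "a.root-servers.example.": {"com.": ("NS", "a.gtld-servers.example.")},
    "a.gtld-servers.example.": {"kurtdillard.com.": ("NS", "ns1.kurtdillard.com.")},
    "ns1.kurtdillard.com.":    {"www.kurtdillard.com.": ("A", "203.0.113.10")},
}
ROOT_HINTS: List[str] = ["a.root-servers.example."]

# Constructed hosts file; the chapter notes it is pre-cached at boot.
HOSTS_SAMPLE = """
127.0.0.1       localhost
192.168.2.20    intranet.americas.kurtdillard.com   # constructed entry
"""


def fqdn(name: str) -> str:
    """Normalise to an absolute name with a trailing dot."""
    return name if name.endswith(".") else name + "."


def suffixes(name: str) -> List[str]:
    """'www.kurtdillard.com.' -> ['www.kurtdillard.com.', 'kurtdillard.com.', 'com.']"""
    labels = fqdn(name).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def load_hosts(text: str) -> Dict[str, str]:
    """Seed a resolver cache from hosts-file lines ('ip name [name...] # comment')."""
    cache: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for n in names:
            cache[fqdn(n)] = ip
    return cache


def ask(server: str, qname: str) -> Optional[Tuple[str, str]]:
    """One query to one server: its most specific matching entry, or None."""
    data = AUTH.get(server, {})
    for suffix in suffixes(qname):
        if suffix in data:
            return data[suffix]
    return None


def resolve(qname: str, cache: Dict[str, str],
            max_hops: int = 8) -> Tuple[Optional[str], List[str]]:
    """Return (address or None, the places consulted in order)."""
    qname = fqdn(qname)
    if qname in cache:
        return cache[qname], ["cache"]
    trace: List[str] = []
    server = ROOT_HINTS[0]
    for _ in range(max_hops):
        trace.append(server)
        reply = ask(server, qname)
        if reply is None:                 # nobody on the path knows the name
            return None, trace
        rtype, rdata = reply
        if rtype == "A":                  # authoritative answer: cache and return
            cache[qname] = rdata
            return rdata, trace
        server = rdata                    # NS referral: follow it downward
    return None, trace


if __name__ == "__main__":
    c = load_hosts(HOSTS_SAMPLE)
    print(resolve("www.kurtdillard.com", c))
    print(resolve("www.kurtdillard.com", c))   # second time: from cache
```

The `max_hops` guard is the kind of safety limit a real resolver also needs: a misconfigured delegation that refers back to itself would otherwise loop forever.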

Figure 5: Recursive forward lookup

DNS also supports reverse lookups, in which the client knows the IP address but wants to learn the primary hostname assigned to it. Why would anyone want to do that? There are many situations where it could be useful; for example, when parsing a web site’s log files, knowing the domains your visitors are coming from helps you better understand their usage patterns. An organization hosting a publicly available Internet Relay Chat (IRC) service might want to track both hostnames and IP addresses in real time so that any complaints of harassment or other unauthorized behavior can be followed up.

Reverse lookups were not part of the original specification for DNS; the way domain names are organized and indexed is very different from how IP addresses are assigned. Additionally, while domain names are interpreted from right to left, IP addresses are read in the opposite direction. That’s why the IP address octets are reversed when building the reverse lookup domain tree. A special domain, in-addr.arpa, is reserved to facilitate reverse lookups. A new reverse lookup zone is named with the reversed address of a subnet prepended to in-addr.arpa. That is, the subnet 192.168.2/24 corresponds to a zone named 2.168.192.in-addr.arpa. The DNS Server service can create a pointer (PTR) RR for each host record added to the original zone.
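Getting the reversed-octet naming right by hand is error-prone, so here is the rule in code, tied back to the dnscmd /RecordAdd syntax from earlier in this chapter. This is an added example, not code from the exam guide or from any Microsoft tool: it derives the in-addr.arpa zone name for a subnet and the PTR owner name for an address, then builds the two dnscmd argument lists needed to register a host (its A or AAAA record and the matching PTR record in the reverse zone). It goes beyond the text in two places: IPv6 addresses map onto ip6.arpa with one hexadecimal nibble per label, and IPv4 prefixes that are not octet-aligned are rejected because they need a delegation scheme the chapter does not cover. The server name dc01, the zone, the host names and all addresses are constructed.

```python
"""Reverse-lookup naming, with the matching dnscmd /RecordAdd commands.
Added example for this chapter; not code from the exam guide or a Microsoft
tool. Server, zone and host names and all addresses are constructed."""
import ipaddress
from typing import List


def reverse_zone_name(subnet: str) -> str:
    """'192.168.2.0/24' -> '2.168.192.in-addr.arpa'.
    Beyond the chapter: IPv6 prefixes map onto ip6.arpa, one nibble per label.
    Prefixes that do not fall on an octet (IPv4) or nibble (IPv6) boundary do
    not correspond to a single classic reverse zone and are rejected."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.version == 4:
        if net.prefixlen == 0 or net.prefixlen % 8 != 0:
            raise ValueError("IPv4 reverse zones must be /8, /16 or /24")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen == 0 or net.prefixlen % 4 != 0:
        raise ValueError("IPv6 reverse zones must be nibble-aligned")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record: '192.168.2.10' -> '10.2.168.192.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer


def record_add_commands(server: str, zone: str, host: str, ip: str,
                        reverse_subnet: str) -> List[List[str]]:
    """Argument lists for the forward record and its PTR companion, in the form
    dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName> <RRType> <RRData>.
    Node names are given as FQDNs with a trailing period so that dnscmd reads
    them as fully qualified rather than relative to the zone."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(reverse_subnet, strict=True):
        raise ValueError(f"{ip} is not inside {reverse_subnet}")
    host_fqdn = f"{host}.{zone}."
    rr_type = "A" if addr.version == 4 else "AAAA"
    forward = ["dnscmd", server, "/RecordAdd", zone, host_fqdn, rr_type, str(addr)]
    reverse = ["dnscmd", server, "/RecordAdd", reverse_zone_name(reverse_subnet),
               ptr_name(ip) + ".", "PTR", host_fqdn]
    return [forward, reverse]


if __name__ == "__main__":
    # Constructed example: dc01 hosts both americas.kurtdillard.com and the
    # reverse zone for 192.168.2.0/24. Nothing is executed; the lists are
    # only printed so they can be reviewed before being run on a server.
    for argv in record_add_commands("dc01", "americas.kurtdillard.com", "ws01",
                                    "192.168.2.10", "192.168.2.0/24"):
        print(" ".join(argv))
```

The membership check before anything is built catches the common mistake of adding a PTR record to the wrong reverse zone, which silently produces a name that no query will ever reach.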

The reverse lookup process is similar to forward lookups. The client queries the DNS server for a PTR RR that maps to the IP address. The DNS server reverses the address and appends the in-addr.arpa domain to it. It then performs the lookup process normally, first looking locally and then performing a recursive query if necessary. Figure 6 illustrates a simple reverse lookup where the server named www.kurtdillard.com wants to know the hostname of the client that has initiated communications.

Exercise 1: Prepare Your Practice Lab

To ensure that you understand how to perform the tasks related to managing Windows Server 2008, it’s helpful to get hands-on with the software. The availability of free virtualization software and evaluation copies of Microsoft’s operating systems means that even students with very tight budgets can build themselves a flexible environment for becoming familiar with Windows Server 2008. There are numerous software-based virtualization products available; since it’s free, easy to use, and reliable, I recommend that you download and install Microsoft’s Virtual PC. As with many of their products, if you simply append the product name to their public web address you’ll be forwarded to the homepage for Virtual PC, where you can access the free download: http://www.microsoft.com/virtualpc. Install Virtual PC on your test machine; in most cases the default settings are sufficient. If you have multiple machines available, use the one with the most physical memory installed. A speedy hard drive and CPU also help, but RAM is the most important component for performance when using software virtualization.

You can download ISO images for both 32- and 64-bit versions of Windows Server 2008 from the Try It webpage. Click on the download link for trial software; I suggest that you do these exercises with the 64-bit build if your computer will support it. If this URL has changed you should be able to find links to the evaluation software on the Windows Server 2008 webpage. These files are very large; however, I am able to download them overnight and I live in Buenos Aires, so surely you can find a way too! You could also try the virtual labs and the virtual hard drives; however, I prefer to download and build my servers because the virtual labs aren’t as flexible and the virtual hard drive images currently available were built with pre-release versions of the operating system.

Once you have downloaded the ISO image you can burn it to a DVD, but it’s not necessary to do so because Virtual PC is able to mount ISO images as if they were an actual DVD or CD. If you are unfamiliar with Virtual PC, it includes extensive documentation in its help file. To create a new virtual machine with Windows Server 2008 installed, start Virtual PC and do the following:

Click New… The New Virtual Machine Wizard starts; click Next.
On the Options page make sure that Create a new virtual machine is selected and click Next.
Type a name for your new virtual machine, and click Browse… if you want to specify a location other than the default for storing the configuration file for the virtual machine. Click Next, then click Next again on the Operating System page.
Select Adjusting the RAM and type 512 in the text box, then click Next.
Select A new virtual hard disk and click Next.
Specify a path and file name for the virtual hard disk and click Next. Click Finish.
Ensure that the new virtual machine is selected and click Start to launch it.
Click the CD menu and select Capture ISO Image… Navigate to where you saved the ISO image and select it, then click Open. If the virtual machine boot process is already too far along you can reboot it from the Action menu by selecting Reset.

You should be able to install Windows Server 2008 the same way you would if you were installing it on a physical machine. Use the default options throughout the installation, but be sure to select a sensible hostname when given the opportunity.

To make it easier to tear down and restart your practice lab, I suggest that you make a copy of the virtual hard disk file once the operating system installation is complete. Some of the other exercises require two servers, so you ought to make yet another copy.

Configuring Zone Transfers and Replication

Zone transfers were once the most common way to replicate DNS database updates between servers; in recent years other replication mechanisms have become increasingly popular. There are two types of zone transfers: full and incremental. The DNS Server service in Windows Server 2008 supports zone transfers as well as AD DS replication. This section explores each of these features.

Page 50:

Configuring Zone Transfers

A full zone transfer is fairly simple. The client, also called the “secondary” or “slave” server, requests the SOA resource record of the zone from the server, also called the “primary” or “master.” Because the serial number in the SOA RR is incremented each time the zone changes, the client compares the serial number of the primary's SOA with that of its own copy; if they are identical the client concludes that the zone has not changed and the transfer ends there.

If the serial numbers differ the client requests all of the remaining records for the zone (an AXFR request). An incremental zone transfer (IXFR) differs in that the client sends the serial number of its own copy of the SOA RR to the server; the server compares it with its current serial and sends only the changes that have occurred since that version of the zone. If the server no longer holds a change history that reaches back to the client's version, it answers with a full transfer instead.
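The serial check and the two transfer types, as an added Python example that is not part of the original course material: it models a primary with a change journal and a secondary that refreshes from it, using RFC 1982 serial arithmetic so that a serial which has wrapped past 0xFFFFFFFF is still recognised as newer, and shows the fall-back to a full transfer when the journal does not reach the secondary's version. The zone name, records and serial values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

SERIAL_MAX = 1 << 32  # SOA serials are unsigned 32-bit integers


def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial number arithmetic: True if serial a is newer than b.
    A plain a > b fails once the serial wraps from 0xFFFFFFFF to 0."""
    a, b = a % SERIAL_MAX, b % SERIAL_MAX
    half = SERIAL_MAX // 2
    return (a > b and a - b < half) or (a < b and b - a > half)


# A resource record is (owner name, type, rdata); constructed sample data below.
Record = Tuple[str, str, str]


@dataclass
class Primary:
    """Master copy of a zone plus a journal of changes; the journal is what
    lets the server answer IXFR with deltas instead of the whole zone."""
    serial: int
    records: Set[Record]
    # journal entries: (serial before, serial after, records added, records removed)
    journal: List[Tuple[int, int, Set[Record], Set[Record]]] = field(default_factory=list)

    def change(self, new_serial: int, added: Set[Record] = frozenset(),
               removed: Set[Record] = frozenset()) -> None:
        if not serial_newer(new_serial, self.serial):
            raise ValueError("serial must advance with every change")
        self.journal.append((self.serial, new_serial, set(added), set(removed)))
        self.records = (self.records - set(removed)) | set(added)
        self.serial = new_serial

    def axfr(self) -> Tuple[int, Set[Record]]:
        """Full transfer: the current serial and every record in the zone."""
        return self.serial, set(self.records)

    def ixfr(self, client_serial: int):
        """Incremental transfer. Returns ('current', None) when the client is
        up to date, ('ixfr', deltas) when the journal reaches back to the
        client's version, or ('axfr', full zone) when it does not (RFC 1995)."""
        if client_serial == self.serial:
            return "current", None
        start = next((i for i, e in enumerate(self.journal) if e[0] == client_serial), None)
        if start is None:
            return "axfr", self.axfr()
        return "ixfr", self.journal[start:]


@dataclass
class Secondary:
    """A secondary's copy of the zone and its refresh procedure."""
    serial: int
    records: Set[Record]

    def refresh(self, primary: Primary, incremental: bool = True) -> str:
        # Step 1: fetch the primary's SOA serial and compare it with ours.
        if not serial_newer(primary.serial, self.serial):
            return "up-to-date"            # identical (or older) serial: stop here
        # Step 2: the serials differ, so request the records.
        if not incremental:
            self.serial, self.records = primary.axfr()
            return "axfr"
        kind, payload = primary.ixfr(self.serial)
        if kind == "axfr":                 # journal too short: server sent everything
            self.serial, self.records = payload
            return "axfr-fallback"
        for _before, after, added, removed in payload:
            self.records = (self.records - removed) | added
            self.serial = after
        return "ixfr"


# Constructed sample zone, not real infrastructure.
NS1 = ("ns1.example.test.", "A", "192.0.2.1")
WWW_OLD = ("www.example.test.", "A", "192.0.2.10")
WWW_NEW = ("www.example.test.", "A", "192.0.2.11")
MAIL = ("mail.example.test.", "A", "192.0.2.20")


def demo() -> dict:
    primary = Primary(2008010101, {NS1, WWW_OLD})
    secondary = Secondary(2008010101, {NS1, WWW_OLD})
    first = secondary.refresh(primary)                  # nothing has changed yet
    primary.change(2008010102, added={MAIL})
    primary.change(2008010103, added={WWW_NEW}, removed={WWW_OLD})
    second = secondary.refresh(primary)                 # served from two journal entries
    stale = Secondary(2007123101, set())                # version predates the journal
    third = stale.refresh(primary)
    return {"first": first, "second": second, "third": third,
            "in_sync": secondary.records == primary.records == stale.records,
            "serial": secondary.serial}


if __name__ == "__main__":
    print(demo())
```

Run it and the first refresh stops at the SOA comparison, the second applies two deltas, and the stale secondary is handed the whole zone because its serial is older than anything in the journal; all three copies end up identical.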

Page 51:

Configuring Zone Transfers

Active Directory-integrated zones rely on AD DS replication between domain controllers; whenever feasible it's the preferred method. When file-based zone transfers are used, incremental zone transfers consume less network bandwidth than full transfers and are therefore the next best choice. For this reason the DNS Server service in Windows Server 2008 requests incremental zone transfers when retrieving a zone from a primary server. To configure zone transfers using DNS Manager do the following:

1. Right-click on the desired zone, and then select Properties.

2. Click the Zone Transfers tab.

3. Enable or disable the Allow zone transfers check box.

4. If you have enabled transfers, select the appropriate radio button: To any server, Only to the servers listed on the Name Servers tab, or Only to the following servers, as shown in figure 7.

5. If the last button is selected, click Edit and enter the IP addresses of each desired DNS server, as shown in figure 8.

Page 52:

Figure 7: Specifying what servers are allowed to request zone transfers

Page 53:

Figure 8: Defining the list of IP addresses for servers allowed to request zone transfers.

Page 54:

Configuring Zone Transfers

To configure zone transfers from a command prompt enter the following command:

dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoXfr | /NonSecure | /SecureNs | /SecureList [<SecondaryIPAddress...>]}

Table 6 briefly explains each of the command line options.

Page 55:

Parameter Description

<ServerName> This is a required parameter. You specify either the host name or IP address of the DNS server where the zone is stored.

/ZoneResetSecondaries This is a required parameter. The second parameter specifies what action is to be taken, in this case to configure zone transfers for the specified zone.

<ZoneName> This is a required parameter. The fully qualified domain name (FQDN) of the zone.

/NoXfr This option disables transfers.

/NonSecure This option permits transfers to any DNS server.

/SecureNs This option permits transfers to servers listed in the zone using name server resource records.

/SecureList This option permits transfers only to the servers listed in <SecondaryIPAddress>.

<SecondaryIPAddress> Required if /SecureList is used: a list of one or more IP addresses of DNS servers allowed to obtain transfers.

Table 6: Dnscmd parameters for zone transfers.

Page 56:

Configuring DNS Notify

When DNS Notify is enabled for a zone the primary server sends a notification message to the secondary servers whenever the zone changes, so they do not have to wait for their refresh interval to expire before checking the SOA serial. You enable DNS Notify from the Zone Transfers tab of the zone's properties dialog box by clicking the Notify… button; you can specify a list of servers or notify all servers listed on the Name Servers tab. When a secondary server receives the notification it initiates the normal zone transfer process. Configuring DNS Notify from the command prompt is a simple variation on configuring zone transfers; to do so enter the following:

dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoNotify|/Notify|/NotifyList <IPaddress>}

Page 57:

Parameter Description

<ServerName> This is a required parameter. You specify either the host name or IP address of the DNS server where the zone is stored.

/ZoneResetSecondaries This is a required parameter. The second parameter specifies what action is to be taken, in this case to configure notification for the specified zone.

<ZoneName> This is a required parameter. The fully qualified domain name (FQDN) of the zone.

/NoNotify This option disables notification for the zone.

/Notify This option enables notification for all servers on the name server tab.

/NotifyList <IPaddress list> This option enables notification for all servers provided in the subsequent list of IP addresses.

Table 7: Dnscmd parameters for DNS Notify.

Note: DNS Notify is not necessary for AD-integrated zones because the DNS servers automatically poll the directory for changes on a regular basis.

Page 58:

Using Secure Zone Transfers

Attackers can learn a great deal about your network from your DNS servers. If they can initiate a full zone transfer (AXFR) of your internal or external zones they obtain the host names and IP addresses of every computer listed in them, which is why attempting a zone transfer is a standard reconnaissance step. For this reason it's a good idea to limit zone transfers to a list of authorized DNS servers when using file-based replication, and to disable them entirely on zones that have no secondaries. You accomplish this within DNS Manager by selecting either Only to the servers listed on the Name Servers tab or Only to the following servers when configuring zone transfers, or by specifying /SecureNs or /SecureList when using dnscmd from a command prompt. Restricting transfers limits who can pull the whole zone at once; it does not stop an attacker from guessing individual names with ordinary queries, so sensitive internal names should not be published in externally reachable zones at all.
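An added Python example, not taken from the course, that models the transfer policy a primary applies in each of the modes from Table 6 (/NoXfr, /NonSecure, /SecureNs and /SecureList) and then shows what an unrestricted AXFR hands to an attacker. The zone contents, server names and addresses are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

Record = Tuple[str, str, str]  # (owner name, type, rdata)

# Constructed zone for corp.example.test. The NS records name the legitimate
# secondaries; everything else is what an unrestricted AXFR would hand out.
ZONE: List[Record] = [
    ("corp.example.test.", "SOA",
     "ns1.corp.example.test. hostmaster.corp.example.test. 2008010103 900 600 86400 3600"),
    ("corp.example.test.", "NS", "ns1.corp.example.test."),
    ("corp.example.test.", "NS", "ns2.corp.example.test."),
    ("ns1.corp.example.test.", "A", "10.0.0.2"),
    ("ns2.corp.example.test.", "A", "10.0.0.3"),
    ("dc01.corp.example.test.", "A", "10.0.0.10"),
    ("sql-backup.corp.example.test.", "A", "10.0.5.20"),
    ("vpn-old.corp.example.test.", "A", "203.0.113.7"),
]


def name_server_addresses(zone: List[Record]) -> Set[str]:
    """Addresses of the hosts named in the zone's NS records: the set that
    'Only to the servers listed on the Name Servers tab' (/SecureNs) allows."""
    ns_hosts = {rdata for _, rtype, rdata in zone if rtype == "NS"}
    return {rdata for owner, rtype, rdata in zone if rtype == "A" and owner in ns_hosts}


def transfer_allowed(mode: str, requester: str, zone: List[Record],
                     secure_list: Iterable[str] = ()) -> bool:
    """Decide a transfer request. `mode` mirrors the dnscmd switches."""
    ip = ipaddress.ip_address(requester)          # rejects malformed addresses
    if mode == "NoXfr":
        return False
    if mode == "NonSecure":                       # 'To any server'
        return True
    if mode == "SecureNs":
        return str(ip) in name_server_addresses(zone)
    if mode == "SecureList":                      # 'Only to the following servers'
        return ip in {ipaddress.ip_address(a) for a in secure_list}
    raise ValueError(f"unknown transfer mode: {mode}")


def axfr(mode: str, requester: str, zone: List[Record],
         secure_list: Iterable[str] = ()) -> Optional[List[Record]]:
    """The primary's side: the whole zone, or None for a REFUSED response."""
    return list(zone) if transfer_allowed(mode, requester, zone, secure_list) else None


def recon_summary(transferred: List[Record]) -> dict:
    """The attacker's side: turn a leaked zone into a target list."""
    hosts = sorted({(owner, rdata) for owner, rtype, rdata in transferred if rtype == "A"})
    hints = ("dc", "sql", "backup", "vpn", "old", "dev")   # names worth a second look
    interesting = [owner for owner, _ in hosts if any(h in owner for h in hints)]
    return {"host_count": len(hosts), "hosts": hosts, "interesting": interesting}


if __name__ == "__main__":
    for mode in ("NonSecure", "SecureNs", "SecureList", "NoXfr"):
        got = axfr(mode, "198.51.100.9", ZONE, secure_list=["10.0.0.3"])
        print(mode, "REFUSED" if got is None else recon_summary(got))
```

Only /NonSecure lets the outside address 198.51.100.9 pull the zone; with /SecureNs or /SecureList the same request is refused while the listed secondary 10.0.0.3 still succeeds. The recon summary is what the attacker reads out of a leaked zone: every host with its address, and the names that hint at a domain controller, a database backup host and a forgotten VPN endpoint.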

Page 59:

Exercise 2: Build Your Active Directory Domain

The next step in preparing your practice lab is to build an Active Directory domain. This is quite easy to do in a test environment because you do not have to spend much time planning details such as your domain namespace, your zone configuration, and your replication configuration, whereas these and other considerations are critical to a successful deployment in a production environment. To get started you first have to install the Active Directory Domain Services role and then launch the installation wizard by executing dcpromo. You can add the role from Server Manager by doing the following:

Page 60:

Exercise 2: Build Your Active Directory Domain

1. Navigate to Roles in the navigation pane and then select Add Roles in the Roles Summary pane.

2. Click Next.

3. Select Active Directory Domain Services on the Select Server Roles page, click Add Required Features when prompted.

4. Click Next.

5. Complete the Add Roles wizard using the default settings.

6. On the Installation Results page click Close this wizard and launch the Active Directory Domain Services Installation Wizard.

7. Use the default settings throughout the installation, including installing the DNS Server role. You will need to specify values for some options, such as the Directory Services Restore Mode (DSRM) password and an FQDN for your domain; I suggest you pick something that is completely unresolvable from the Internet like domain.test or testing.domain (the .test top-level domain is reserved for testing and is never delegated on the Internet).

8. You will also need to specify that this is the first domain controller in a new domain, and the first domain in a new forest.

9. Once the wizard has gathered all of the necessary information from you the installation will proceed automatically, how long it takes will depend upon the hardware capacity of your test system.

Page 61:

Defining Replication Scope for Active Directory-Integrated Zones

When a DNS zone is integrated with Active Directory you need to specify where it will be stored and its replication scope. You can specify the replication scope when creating a new zone and you can change it at any time after creation. The following storage options are available for Active Directory-integrated zones:

Forest-wide DNS application directory partition (ForestDnsZones) – This corresponds to To all DNS servers in this forest in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored in the forest-wide partition are replicated to all DNS servers running on domain controllers in the forest. This partition is automatically created when DNS is installed on the first domain controller in a new forest. This provides the broadest scope of replication but generates the most replication traffic.

Domain-wide DNS application directory partition (DomainDnsZones) – This corresponds to To all DNS servers in this domain in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored in this partition are replicated to all DNS servers running on domain controllers in the domain. This partition is automatically created when DNS is installed on the first domain controller in a new domain.

Page 62:

Defining Replication Scope for Active Directory-Integrated Zones

Domain partition – This corresponds to To all domain controllers in this domain in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored in this partition are replicated to all domain controllers in the domain, even those that are not running the DNS Server service. This is the only option for zones that must replicate to domain controllers running Windows 2000 Server, which do not support application directory partitions.

Custom DNS application directory partition – This corresponds to To all domain controllers in the scope of this directory partition in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored in this partition are replicated to all DNS servers running on domain controllers that enlist in the partition. To utilize this type of partition you must first create the application directory partition from a command prompt using dnscmd.

To create a DNS application directory partition enter the following at a command prompt:

dnscmd <ServerName> /CreateDirectoryPartition <FQDN>

You specify the name of the new DNS application directory partition by entering a FQDN. After creating the partition you are able to select it from the drop-down list as shown in figure 9.

Page 63:

Figure 9: Selecting a custom directory partition for replication scope.

Page 64:

Defining Replication Scope for Active Directory-Integrated Zones

To enlist a DNS server in an application directory partition enter the following at a command prompt:

dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>

To remove a DNS server from an application directory partition enter the following at a command prompt:

dnscmd <ServerName> /UnenlistDirectoryPartition <FQDN>

In each case, you specify the name of the DNS application directory partition by entering its FQDN.

Page 65:

Expert Discussion: What is the GlobalNames Zone?

Windows Internet Name System (WINS) is a name resolution system that can be deployed independently of, or integrated with, the DNS Server service. WINS is becoming obsolete, though: it relies on NetBIOS over TCP/IP, an older protocol that Microsoft (and many Windows sysadmins!) hope to avoid in the future. One of the things that people like about WINS is that it facilitates using single-label names for hosts. For example, on a WINS-enabled network you could connect to a shared folder by specifying \\servername\sharename, but on a network that only uses DNS for name resolution you would have to specify the entire hostname like this: \\servername.domainname.suffix\sharename.

Page 66:

Expert Discussion: What is the GlobalNames Zone?

To help organizations migrate to all-DNS networks, Windows Server 2008 introduces support for a new type of DNS zone called the GlobalNames zone. It provides single-label name resolution for a limited number of hosts. The number should be kept relatively small because the records in this zone must be managed manually; it is not feasible to maintain records for every end-user PC in this type of zone.

When the GlobalNames zone is properly implemented, a client attempting to resolve a single-label name first appends its primary DNS suffix to the name and queries for the result. If resolution fails it tries the suffixes in its DNS suffix search list in turn. If those also fail, the DNS server looks the single-label name up in the GlobalNames zone, which holds alias (CNAME) records pointing at the hosts' real FQDNs, and returns the answer to the client. If the name is not in the GlobalNames zone either, the query fails over to WINS.
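The resolution order just described, as an added Python example that is not part of the course material. It walks a single-label name through the primary suffix, the suffix search list, the GlobalNames zone (a CNAME that must itself resolve) and finally WINS, and shows that turning EnableGlobalNamesSupport off silently drops the GlobalNames step. The zone data, suffixes and WINS entries are constructed.

```python
from typing import Dict, List, Optional


class DnsServer:
    """A DNS server holding ordinary zone data plus an optional GlobalNames
    zone of CNAME aliases. All data is constructed for this example."""

    def __init__(self, zones: Dict[str, str], globalnames: Dict[str, str],
                 globalnames_enabled: bool = True):
        self.zones = {k.lower(): v for k, v in zones.items()}              # FQDN -> IPv4
        self.globalnames = {k.lower(): v for k, v in globalnames.items()}  # label -> CNAME target
        self.globalnames_enabled = globalnames_enabled

    def query_a(self, fqdn: str) -> Optional[str]:
        return self.zones.get(fqdn.lower())

    def query_globalnames(self, label: str) -> Optional[str]:
        """With EnableGlobalNamesSupport off the zone is never consulted even
        if it exists. An alias only helps if its CNAME target resolves."""
        if not self.globalnames_enabled:
            return None
        target = self.globalnames.get(label.lower())
        return self.query_a(target) if target else None


def resolve_single_label(name: str, primary_suffix: str, search_list: List[str],
                         server: DnsServer, wins: Dict[str, str]) -> dict:
    """Resolve a single-label name in the order the text describes: primary
    DNS suffix, suffix search list, GlobalNames zone, then WINS."""
    if "." in name:
        raise ValueError("single-label names only")
    tried: List[str] = []
    steps = [("primary-suffix", primary_suffix)] + [("search-list", s) for s in search_list]
    for step, suffix in steps:
        fqdn = f"{name}.{suffix}."
        tried.append(fqdn)
        addr = server.query_a(fqdn)
        if addr:
            return {"method": step, "name": fqdn, "address": addr, "tried": tried}
    addr = server.query_globalnames(name)
    tried.append(f"{name} (GlobalNames)")
    if addr:
        return {"method": "globalnames", "name": name, "address": addr, "tried": tried}
    addr = wins.get(name.upper())     # NetBIOS names are case-insensitive
    tried.append(f"{name.upper()} (WINS)")
    if addr:
        return {"method": "wins", "name": name.upper(), "address": addr, "tried": tried}
    return {"method": None, "name": name, "address": None, "tried": tried}


# Constructed data. The GlobalNames entry is a CNAME, as the zone requires;
# its target has an ordinary A record in the authoritative zone data.
SERVER = DnsServer(
    zones={"fs01.corp.example.test.": "10.0.1.5",
           "intranet.hq.example.test.": "10.0.2.8",
           "payroll-app.hq.example.test.": "10.0.2.40"},
    globalnames={"payroll": "payroll-app.hq.example.test."},
)
WINS = {"LEGACYPRN": "10.0.9.9"}
PRIMARY_SUFFIX = "corp.example.test"
SEARCH_LIST = ["hq.example.test"]


def lookup(name: str, server: DnsServer = SERVER) -> dict:
    return resolve_single_label(name, PRIMARY_SUFFIX, SEARCH_LIST, server, WINS)


if __name__ == "__main__":
    for n in ("fs01", "intranet", "payroll", "legacyprn", "nosuch"):
        print(n, lookup(n))
```

The `tried` list in each result is the sequence of names the client actually asked about, which is also what you would see in a packet capture when troubleshooting why a single-label name resolves slowly or not at all.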

Page 67:

Expert Discussion: What is the GlobalNames Zone?

This feature has to be enabled and configured manually as follows:

1. Create an AD DS-integrated forward lookup zone named GlobalNames.

2. Enable support for the GlobalNames zone by running the following command on every authoritative DNS server in the forest, replacing <ServerName> with the name of that DNS server:

dnscmd <ServerName> /config /enableglobalnamessupport 1

3. Replicate the new zone to all domain controllers in the forest.

4. Add the desired alias (CNAME) resource records to the new zone.

5. Publish the location of the new GlobalNames zone in other forests as appropriate by adding service location (SRV) resource records to the forest-wide DNS application partition, using the service name _globalnames._msdcs and specifying the FQDN of the DNS server that hosts the GlobalNames zone.

Page 68:

Configuring Additional DNS Server Options

There are additional significant settings in the DNS Server service that you should understand. This section briefly discusses each.

Page 69:

Updating Root Hints

As discussed previously, DNS servers use the list of root hint servers to locate authoritative name servers for domains at a higher level or in other subtrees of the DNS namespace. When you add the DNS Server role a file called cache.dns is written to %systemroot%\System32\dns; this file includes the NS and A resource records for the Internet's root servers. If you are using DNS in a network that is not connected to the Internet you may wish to replace this list of root hints with your own. You can modify the list in DNS Manager by doing the following:

Page 70:

Updating Root Hints

1. Right-click on the server and select Properties.

2. Click the Root Hints tab.

3. Modify the list as appropriate, as shown in figure 10: click Add… to create a new record; select a record and click Edit… to modify an existing record; select a record and click Remove to delete an existing record; or click Copy from Server and then specify the IP address of another DNS server to retrieve its list of root hints. This last action will not overwrite any existing root hints.

Page 71:

Figure 10: Updating the Root Hints in Server Manager

Page 72:

Configuring Server Forwarding

A forwarder is a DNS server to which the other DNS servers on a network send their queries for external DNS names; the forwarder then resolves those names against DNS servers outside the network. You use forwarders to manage DNS traffic sent from your internal network to the Internet. Conditional forwarders forward queries for specific domain names to specific servers; for example, you may want to configure conditional forwarding to resolve hostnames in your most important business partners' domains more quickly.

Page 73:

Configuring Server Forwarding

To configure forwarding, configure the network's firewalls to block outbound DNS traffic from all DNS servers except the forwarders. Then specify the IP addresses of the forwarders on the other DNS servers in your network. You define the list of forwarders in DNS Manager from the Forwarders tab in the Properties dialog box for the DNS server by clicking Edit and entering the list of IP addresses in the Edit Forwarders dialog box. In Windows Server 2008 conditional forwarders are defined separately: right-click the Conditional Forwarders node in DNS Manager, select New Conditional Forwarder, and enter the DNS domain name together with the IP addresses of the servers that should receive queries for it.

Page 74:

Configuring Round Robin DNS

Round robin DNS is a rudimentary form of load balancing in which multiple IP addresses are assigned to the same hostname. The DNS server responds to queries for that hostname with the entire list, rotating the order of the addresses each time it responds. Clients typically use the first entry and ignore the rest, which should result in connections being distributed evenly across all of the hosts assigned that hostname. This form of load balancing is much less robust than others because the DNS server will continue to respond with the address of a server even if it is no longer available. Additionally, round robin DNS makes no provision for the differing capacities of the servers; all of them receive the same share of traffic. This feature is turned on and off in DNS Manager from the Advanced tab in the Properties dialog box for the DNS server: in the list of server options enable or disable the checkbox for Enable round robin.
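An added Python example, not from the course, that simulates the rotation and quantifies the failure mode the text warns about: once a host in the list has died, every third client (for a three-host list) is still sent to it until someone removes the record. The farm addresses and the dead host are constructed.

```python
from collections import Counter
from typing import Dict, List, Set


def round_robin_answers(addresses: List[str], queries: int) -> List[List[str]]:
    """Responses a round-robin DNS server gives to successive queries: the
    whole address list, rotated by one position each time."""
    n = len(addresses)
    return [addresses[i % n:] + addresses[:i % n] for i in range(queries)]


def simulate(addresses: List[str], alive: Set[str], queries: int) -> Dict[str, object]:
    """Clients take the first address of each response. Returns how many
    connection attempts each host received and how many failed outright
    because the chosen host was down; DNS never notices the failure."""
    attempts: Counter = Counter()
    failed = 0
    for answer in round_robin_answers(addresses, queries):
        chosen = answer[0]
        attempts[chosen] += 1
        if chosen not in alive:
            failed += 1
    return {"attempts": dict(attempts), "failed": failed}


# Constructed web farm; 10.0.3.12 has crashed but its A record is still in the zone.
FARM = ["10.0.3.10", "10.0.3.11", "10.0.3.12"]
ALIVE = {"10.0.3.10", "10.0.3.11"}

if __name__ == "__main__":
    print(simulate(FARM, ALIVE, 300))
```

The distribution is perfectly even and a third of the connections fail; the only fixes are to remove the dead record (and wait out the TTL on every cache that holds it) or to put a load balancer with health checks behind a single address.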

Page 75:

Disabling Recursion

As described previously, the DNS Server service automatically performs recursive queries on behalf of its clients, querying other DNS servers when it cannot resolve a name locally. Recursion should be disabled on externally facing DNS servers that only need to answer for their own zones: an open recursive server can be flooded with unresolvable queries, leading to a denial-of-service condition, can be abused as a reflector in amplification attacks against third parties, and exposes its cache as a target for poisoning. This feature is controlled in DNS Manager from the Advanced tab in the Properties dialog box for the DNS server: in the list of server options enable or disable the checkbox for Disable recursion (also disables forwarders). As the label says, this also disables forwarding, so do not apply it to the internal servers that resolve Internet names for your clients.

Page 76:

Securing the Cache from Name Pollution

By default the DNS Server service protects itself from cache pollution by rejecting resource records that it did not request. A remote DNS server can include in its response information about records for which it is not authoritative. While this may speed up a recursive query, it also lets an attacker who controls a DNS server include bogus records in a response that, if cached, would redirect clients to servers under the attacker's control.

With cache pollution protection enabled the DNS Server service ignores records for names outside the domain subtree of the name it queried for, and instead performs those lookups itself by contacting each authoritative server as needed. This feature is controlled in DNS Manager from the Advanced tab in the Properties dialog box for the DNS server: in the list of server options enable or disable the checkbox for Secure cache against pollution.
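An added Python example, not from the course, that shows the protection as a filter over a response: a resolver that followed the delegation for one zone receives an answer whose additional section smuggles in an A record for an unrelated bank name. With the filter on, the out-of-subtree record is discarded; with it off, the bogus address lands in the cache and every client asking for the bank name afterwards is sent to the attacker. The names, addresses and response are constructed.

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str, str, int]  # (owner name, type, rdata, TTL)


def _canon(name: str) -> str:
    return name.lower().rstrip(".") + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or lies beneath it in the DNS tree."""
    owner, zone = _canon(owner), _canon(zone)
    return owner == zone or owner.endswith("." + zone)


def cacheable_records(delegated_zone: str, answer: List[Record],
                      additional: List[Record], secure: bool = True) -> List[Record]:
    """Select what a resolver may cache from a response. `delegated_zone` is
    the zone the resolver was referred to by the parent's NS records, never
    anything the answering server claims. With `secure` (the 'Secure cache
    against pollution' behaviour) records outside that subtree are dropped
    and will be looked up from their own authoritative servers instead."""
    records = answer + additional
    if not secure:
        return records
    return [r for r in records if in_bailiwick(r[0], delegated_zone)]


class ResolverCache:
    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], str] = {}

    def store(self, records: List[Record]) -> None:
        for owner, rtype, rdata, _ttl in records:
            self.entries[(_canon(owner), rtype)] = rdata

    def lookup(self, owner: str, rtype: str) -> Optional[str]:
        return self.entries.get((_canon(owner), rtype))


# Constructed response from a server reached by following the delegation for
# attacker.example.test. The second additional record is the attack: an A
# record for a bank name this server is not authoritative for.
ANSWER: List[Record] = [("www.attacker.example.test.", "A", "203.0.113.5", 300)]
ADDITIONAL: List[Record] = [
    ("ns1.attacker.example.test.", "A", "203.0.113.53", 300),
    ("www.bank.example.test.", "A", "203.0.113.66", 86400),
]


def cache_after_response(secure: bool) -> ResolverCache:
    cache = ResolverCache()
    cache.store(cacheable_records("attacker.example.test.", ANSWER, ADDITIONAL, secure))
    return cache


if __name__ == "__main__":
    for flag in (True, False):
        c = cache_after_response(flag)
        print("secure" if flag else "insecure", c.lookup("www.bank.example.test.", "A"))
```

The long TTL on the injected record is deliberate: a poisoned entry that the resolver accepts stays in the cache until it expires, which is why the filter has to run before anything is stored rather than after.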

Page 77:

Implementing Zone Delegation

You can delegate management of portions of your DNS namespace by delegating the corresponding subdomain to another set of name servers. Zone delegation can also be used to distribute workload across several servers by dividing one large zone into several smaller ones. To create a zone delegation using DNS Manager, right-click on the parent zone (or the node within it under which the subdomain lives), click New Delegation, and use the New Delegation Wizard to complete the process. To create a zone delegation from a command prompt, add an NS record for the subdomain to the parent zone:

dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName> [/Aging] [/OpenAcl] [TTL] NS {<Hostname>|<FQDN>}

If the delegated name server's own name lies inside the subdomain being delegated, the parent zone must also hold a glue A record for it; otherwise resolvers have no way to find the server and the delegation cannot be followed. The New Delegation Wizard creates this glue record for you when you supply the server's IP address.

Table 8 briefly explains each option.

Page 78:

Parameter Description

<ServerName> This is a required parameter. You specify either the host name or IP address of the DNS server where the record is to be created.

/RecordAdd This is a required parameter, it specifies what action is to be taken, in this case to add a new record.

<ZoneName> This is a required parameter. The fully qualified domain name (FQDN) of the zone.

<NodeName> This is a required parameter. The name of the node relative to the zone (for a delegation, the subdomain's label); you may instead give its FQDN terminated with a period.

[/Aging] This optional parameter specifies that the record may be aged and scavenged.

[/OpenAcl] This optional parameter specifies that the record may be modified by any user; without it, only administrators are able to modify the record.

[TTL] This optional parameter specifies the time to live (TTL) for the record.

NS This required parameter specifies that you are adding a new NS record to the zone.

<Hostname>|<FQDN> This required parameter specifies the hostname or FQDN of the new authoritative server.

Table 8: Dnscmd parameters for zone delegation.