Lecture

Networking II Lesson Plan Week 9 Addendum


Windows Server 2000/2003


DNS


Name Types


There are two standard network access methods that students should be able to distinguish. These are WinSock and NetBIOS.

WinSock names are referred to as host names.

Students will be interested to learn how Internet servers are accessed through fully qualified domain names such as www.google.com. The FQDN consists of both a host name and a DNS domain name. Here, the host name is www and the domain name is google.com.

In order for the world to access your computer through a FQDN, you must register it with a registrar. The registrar will merge your domain name with the worldwide DNS lookup system. This registration is very important if you wish others throughout the world to be able to use this simple name in place of an IP address to access resources.

Although NetBIOS is slowly disappearing, it is still prevalent enough to warrant that students become familiar with it.

NetBIOS was used for all networking functions in pre-Windows 2000 machines.

NetBIOS can be complicated or simple depending upon the level at which you explain the concepts to students. At the very least, students should know what NetBIOS is and when it should be used.




Teaching Tip

It might be interesting for students to research how they can get their domain name registered with a worldwide DNS lookup system. Have them research the costs associated with the registrations and who provides the services.



Activity 6-1: Viewing Computer Names


In this activity, students will be viewing various names associated with a computer.

The ipconfig utility can be used to view your host name and DNS suffix.

Use nbtstat to view NetBIOS information.


Activity 6-2: Removing Active Directory and the DNS Service


In this activity, students will be removing both the Active Directory and DNS services.

After the services are uninstalled, the computer names viewed in Activity 6-1 will be reviewed to note any changes.

This activity will take longer than most activities. Also, you may wish to skip this activity if you desire to use the Active Directory and DNS services at a later date.


Host Name Resolution


WinSock applications go through several methods in order to resolve host names to IP addresses. Students should be familiar with each method and the order in which they are attempted.

The resolution steps are:

  1. check to see if the host name is the same as the requesting machine’s host name

  2. check for the entry in the DNS cache

  3. query a DNS server

  4. attempt NetBIOS resolution

In the last attempt, the machine attempts NetBIOS resolution. NetBIOS names are more restrictive than host names. Therefore, if a host name is too long to be a NetBIOS name, then the host name is truncated to a valid NetBIOS name.


Configuring a HOSTS File for Name Resolution


Try not to complicate things. A HOSTS file is just a simple text file that is used to assist in name resolution.

The file is very easy to modify and use. Viewing a sample HOSTS file should be sufficient for students to learn how to use it.

Make sure students understand that the HOSTS file is not allowed to have an extension in its filename. Extensions are sometimes automatically appended when using some text editing software.


Activity 6-3: Configuring a HOSTS File


This is an easy activity. Students will enter an IP address and its corresponding host name within a HOSTS file.

Upon modification of the file, students should check to make sure their alterations take effect.


Managing the DNS Cache


The DNS cache is a combination of the HOSTS file and previous DNS server query results.

Each DNS query entry has a certain amount of time to live. This ensures that outdated information does not stay within the cache and also keeps the cache from growing too large.

Instruct students on how to clear the cache using the ipconfig utility. This concept will also be demonstrated in the following activity.
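The HOSTS file format and the resolver cache described above (HOSTS entries plus cached DNS answers with a time to live, cleared with ipconfig) as a small Python model. This is an added example, not code from the text; the HOSTS contents, names and addresses are constructed.

```python
"""Model of the Windows host-name resolver cache: entries from the HOSTS
file never expire, answers from a DNS server expire after their TTL, and a
flush (the effect of ipconfig /flushdns) discards only the DNS answers.
Example code added to these notes; the HOSTS text below is constructed."""
import time

# Constructed sample HOSTS file: IP address, whitespace, host name, optional
# aliases, '#' starts a comment. The real file has no extension in its name.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed)
127.0.0.1       localhost
192.168.1.10    fileserver.example.local  fileserver   # lab file server
10.0.0.5\tintranet.example.local
"""


def parse_hosts(text):
    """Return {lower-case name: ip} for every name and alias in a HOSTS file."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line: ignore it
        ip, names = parts[0], parts[1:]
        for name in names:
            table[name.lower()] = ip
    return table


class ResolverCache:
    """HOSTS entries are checked first and never expire; DNS answers expire."""

    def __init__(self, hosts_text, now=time.time):
        self.now = now                  # clock function, replaceable for tests
        self.hosts = parse_hosts(hosts_text)
        self.dns = {}                   # name -> (ip, expiry timestamp)

    def add_dns_answer(self, name, ip, ttl):
        """Store an answer returned by a DNS server with its TTL in seconds."""
        self.dns[name.lower()] = (ip, self.now() + ttl)

    def lookup(self, name):
        """Return (ip, source) or (None, None); expired answers are purged."""
        key = name.lower()
        if key in self.hosts:
            return self.hosts[key], "hosts"
        entry = self.dns.get(key)
        if entry is None:
            return None, None
        ip, expiry = entry
        if self.now() >= expiry:
            del self.dns[key]           # TTL elapsed: outdated data leaves the cache
            return None, None
        return ip, "dns-cache"

    def flush(self):
        """Equivalent of ipconfig /flushdns: DNS answers go, HOSTS entries stay."""
        self.dns.clear()
```

Because HOSTS entries win over every DNS answer and never age out, a tampered HOSTS file silently redirects names; checking that file is a standard step when a host resolves a name to an unexpected address.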


Activity 6-4: Viewing and Purging the DNS Cache


This is an easy activity. Students are only required to view and clear the DNS cache.


Using DNS for Name Resolution


The idea of this short section is that you can manually specify the address for a DNS server for name resolution.


Forward Lookup


This is the most common task performed by a DNS server. The forward lookup involves resolving a host name into an IP address.

Students should realize that a forward lookup within an organization and a forward lookup across the Internet are very different processes that vary considerably in complexity.

In a forward lookup within an organization, the local DNS server merely responds with the IP address of the host. This entire process requires only two packets.

In a lookup over the Internet, the client machine first contacts the local DNS server for the required information. If the local server does not have this information, then a recursive lookup is performed in order to obtain the information required.

There are only thirteen root servers over the Internet. Their job is to provide the addresses of DNS servers responsible for top-level domain names.


Reverse Lookup


If students understand the concept of a forward lookup, then the concept of a reverse lookup will be easily understood.

A reverse lookup is the exact opposite of a forward lookup. A reverse lookup attempts to resolve an IP address to a host name.

Reverse lookups are commonly used for network log files so as to make them easier to read or understand.


DNS Record Types


Students should know that DNS records are created on a DNS server in order to resolve queries.

Ensure that students are familiar with the most common types of DNS records. These records are provided in Table 6-3.


Using NSLOOKUP


The purpose of the NSLOOKUP utility is to query DNS records.

NSLOOKUP is a command-line utility.

This utility is extremely useful in troubleshooting DNS problems. Students should know that this is the utility of choice for assessing any kind of problem with their DNS server.

NSLOOKUP can be run in two different modes: command-line mode and interactive mode. Students should know that this utility is most powerful when run in interactive mode.


Activity 6-5: Performing DNS Lookups with NSLOOKUP


This activity will demonstrate the effectiveness of the nslookup utility for determining DNS functionality.

Students should be encouraged to complete this activity as this command-line utility is easy to forget about. The NSLOOKUP utility has the potential for greatly reducing the troubleshooting time associated with repairing a network with DNS problems.


NetBIOS Name Resolution


The important concept of this section is that there are a number of techniques employed by client machines when attempting to resolve NetBIOS names. These techniques are always attempted in a specified order.

Client machines attempt the following resolution methods until one succeeds:

  1. check the NetBIOS cache

  2. contact a WINS service

  3. attempt a network broadcast

  4. check the LMHOSTS file

  5. attempt host name resolution

The above steps may be altered in Windows Server 2003 by configuring the node type. Students need to know that one can change the node type of the system only through editing the appropriate key in the Windows registry.


Using a LMHOSTS File for Name Resolution


The concept of a LMHOSTS file is very similar to the concept of the HOSTS file. Therefore, you should not have to dwell on this topic for long.

This file is a simple text file that stores IP addresses and NetBIOS names.

More advanced knowledge of this file will be obtained through the next activity.


Activity 6-6: Creating an LMHOSTS File


In this activity, students will create an LMHOSTS file and add an entry in order to test NetBIOS name resolution.

This activity is very important in ensuring that students understand how to properly create and manipulate an LMHOSTS file.
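The NetBIOS resolution order given above, the way the node type reorders it, and the LMHOSTS file from the last two sections, as one Python model. This is an added example, not the text's own material; the #PRE tag (which preloads an entry into the NetBIOS cache) and the per-node-type orders are taken from the LMHOSTS and NetBIOS conventions rather than from these notes, and all names and addresses are constructed.

```python
"""Model of NetBIOS name resolution: the ordered methods from the notes
(cache, WINS, broadcast, LMHOSTS, host-name resolution) and how the node
type changes that order. Example code added to these notes; the LMHOSTS
contents and every address are constructed."""

NETBIOS_NAME_LEN = 15   # a NetBIOS name is 15 characters plus one suffix byte


def netbios_name(host_name):
    """Derive the NetBIOS name the resolver would try for a host name:
    first DNS label, upper-cased, truncated to 15 characters (an assumption
    that matches the truncation rule described in the notes)."""
    return host_name.split(".")[0].upper()[:NETBIOS_NAME_LEN]


# Constructed sample LMHOSTS file: IP address, NetBIOS name, optional #PRE
# (preload into the cache) and #DOM:domain tags; other '#' text is a comment.
SAMPLE_LMHOSTS = """\
# constructed sample LMHOSTS file
192.168.1.10   FILESERVER     #PRE            # preloaded into the cache
192.168.1.20   PDC01          #PRE #DOM:LAB   # domain controller
192.168.5.30   REMOTEPRINT                    # not preloaded
"""


def parse_lmhosts(text):
    """Return (entries, preloaded): name -> ip for all lines, and for #PRE lines."""
    entries, preloaded = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, name = parts[0], netbios_name(parts[1])
        entries[name] = ip
        if "#PRE" in parts[2:]:
            preloaded[name] = ip
    return entries, preloaded


# Order of methods per node type; h-node is the order listed in the notes and
# the Windows default when a WINS server is configured. The node type is set
# through the registry, as the notes say.
NODE_ORDER = {
    "b-node": ["cache", "broadcast", "lmhosts", "dns"],
    "p-node": ["cache", "wins", "lmhosts", "dns"],
    "m-node": ["cache", "broadcast", "wins", "lmhosts", "dns"],
    "h-node": ["cache", "wins", "broadcast", "lmhosts", "dns"],
}


class NetbiosResolver:
    def __init__(self, node_type, lmhosts_text, wins=None, segment=None, dns=None):
        self.order = NODE_ORDER[node_type]
        self.lmhosts, self.cache = parse_lmhosts(lmhosts_text)
        self.wins = wins or {}        # names registered with the WINS server
        self.segment = segment or {}  # hosts that would answer a broadcast
        self.dns = dns or {}          # fallback host-name resolution, by NetBIOS name
        self.trace = []               # methods tried during the last resolve()

    def resolve(self, host_name):
        """Try each method in node-type order; return (ip, method) or (None, None)."""
        name = netbios_name(host_name)
        sources = {"cache": self.cache, "wins": self.wins, "broadcast": self.segment,
                   "lmhosts": self.lmhosts, "dns": self.dns}
        self.trace = []
        for method in self.order:
            self.trace.append(method)
            ip = sources[method].get(name)
            if ip is not None:
                self.cache[name] = ip   # a successful answer is cached for next time
                return ip, method
        return None, None
```

A b-node never consults WINS, which is why a WINS server only helps clients whose node type actually includes it, and why the WINS machine itself must be configured as a WINS client.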


Using WINS for Name Resolution


In order for a WINS server to be useful, all client machines within the network should be configured to utilize WINS. Especially important is to remember to configure the machine running the WINS server itself to use the WINS service.

WINS offers advantages over traditional NetBIOS resolution techniques. These enhancements are:

  1. functions across routers

  2. dynamic update capability

  3. automatic update capability

  4. client configuration through DHCP

  5. integration with DNS

The final important topic introduced in this section is the four major tasks performed by a WINS server. These tasks will be described in more detail in subsequent sections. For now, ensure students know what these tasks are: name registration, name renewal, name query, and name release.


Name Registration


Name registration merely involves the registration of a client computer’s NetBIOS name with a WINS server at boot up.

There are two situations that may occur during name registration. In the first scenario, the name is not already registered and so the registration is successful. In the other scenario, the name is already registered. In this case, the WINS server attempts to contact the machine that already registered the NetBIOS name. If successful, registration fails. If unsuccessful, registration succeeds and the new machine is registered with the NetBIOS name.


Name Renewal


After the TTL of a name registration is half complete, the client computer attempts a name renewal. This is a two-packet process.



Name Release


This is a two-packet process that is invoked whenever a client machine is shut down. It frees up the NetBIOS name on the WINS server.


Name Query


This is the process in which a NetBIOS name is actually resolved to an IP address.

This process is a two-packet process.

The WINS server is contacted only after the name is not found in the NetBIOS cache.






Domain Name System



Teaching Tips


Features of the DNS Service


  1. This section provides an introduction to the DNS service and begins with describing the service’s popularity. Students should know that DNS is THE method to resolve host names to IP addresses.

  2. As any network administrator setting up a new domain will probably install Active Directory at some point, it is important that students understand the role DNS plays within the Active Directory service.


Installing DNS


  1. The first important idea presented here is that Windows Server 2003 may act as a DNS server.

  2. There are a couple of ways in which DNS may be installed on the server. One way is through the Active Directory installation wizard. The other is through a manual installation using the Add/Remove Programs utility.

  3. An important thing to remember is that the DNS service is not automatically added whenever a server is promoted to a domain controller.

  4. Also, any machine running a DNS server should be configured with a static IP address.


Activity 7-1: Installing DNS


  1. This is another simple activity involving the adding of a Windows component.

  2. This activity differs from others in that it also requires the student to check to make sure the service is set to automatically start and that it is currently started.


DNS Zones


  1. This will probably be a new concept to most students. Therefore, make sure they fully understand this concept before moving on to other DNS topics.

  2. A DNS zone is nothing more than the part of the namespace for which a DNS server is responsible.

  3. A DNS zone for a domain consists of DNS records for computers within that domain.

  4. The concept of a DNS zone is probably best illustrated through example. Suppose that there exists a domain called engineering.someUniversity.edu. An Internet root server would contain the edu zone and hold a DNS record for identifying the computer containing the someUniversity.edu zone. This DNS server will hold host name information for client machines and a DNS record pointing to a machine containing the engineering.someUniversity.edu zone. This zone will have host name DNS records as well.

  5. When a zone is created, it must be specified whether this zone should act as a forward or reverse lookup zone.



Primary and Secondary Zones


  1. The main idea of this section is that primary and secondary zones are used to replicate DNS information between different machines automatically.

  2. Secondary zones store copies of primary zone information. Therefore, primary zones should be created first.

  3. There can only be one primary zone in charge of a domain. There can be as many secondary zones configured as deemed necessary.

  4. Students should understand that replicating DNS information is useful for reducing network traffic and increasing fault tolerance.

  5. It is very important to stress to students that whenever there is DNS information stored on multiple machines within a domain, it is absolutely essential that these servers replicate the information between them.


Activity 7-2: Creating a Primary Zone


  1. Remind students that the overall purpose of this activity is to create a primary zone that can communicate with non-Windows secondary zones.

  2. The instruction list for this activity is longer than that of the average activity. Make sure that students follow instructions carefully.

  3. Make sure that students fully understand the concepts of primary and secondary zones. Otherwise, this activity will not make much sense to them.


Activity 7-3: Creating a Secondary Zone and Performing a Zone Transfer


  1. This is an easy activity that involves creating a secondary zone of a primary zone, configuring the primary zone to allow transfers, and then manually performing a zone transfer.

  2. The point of this activity is to demonstrate how to perform a common technique aimed at reducing WAN traffic.


Activity 7-4: Testing DNS Name Resolution


  1. This is a simple activity which allows students to learn how to better use the NSLOOKUP utility.


Active Directory-integrated Zones


  1. This is a long section containing a lot of potentially new information for students. When teaching, break up this section into its multiple concepts and teach each individually ensuring that students understand each concept before moving to the next. The concepts introduced in this section include:

    1. differences between Active Directory-integrated zones and traditional zones

    2. where zone information can be stored within Active Directory

    3. options of storing zone information within the application directory partition

    4. how an Active Directory-integrated zone interfaces with traditional zones

  2. This section provides an alternative to the traditional zone already introduced in this chapter. An Active Directory-integrated zone stores information within Active Directory as opposed to a file on the hard drive.

  3. Students need to realize that in order to utilize an Active Directory-integrated zone, the DNS server must also be a domain controller for the network.

  4. Stress to students the advantages of this type of zone so that they may best choose what is required for their networking situation.

  5. The advantages to an Active Directory-integrated zone include:

    1. automatic zone backups

    2. multimaster replication

    3. increased security

  6. Ensure that students understand the two areas in which DNS zone information can be stored within Active Directory.

  7. If the zone information is stored within the domain directory, all domain controllers within the domain receive copies of the zone information. This may result in unwanted network traffic.

  8. If the information is stored within the application directory partition, then the information can only be replicated among a defined set of domain controllers.

  9. Briefly introduce the three options for storing zone information within the application directory partition:  all DNS servers in a forest, all DNS servers in a domain, and all DNS servers in the scope of the application directory partition. These should not be difficult concepts.

  10. There are a number of situations under which a DNS server will not be able to participate in an Active Directory-integrated zone. As these situations may result in network problems that may prove to be especially frustrating to the network administrator who is unaware of them, it may be important to ensure that each student is familiar with these scenarios.


Activity 7-5: Promoting a Member Server to a Domain Controller


  1. The important concept in the activity is that in order to utilize an Active Directory-integrated zone, the server has to be updated to a domain controller.

  2. The update can be achieved through the DCPROMO utility.

  3. Again, make sure students read the instructions before attempting to complete this exercise as it will lessen the amount of time required for this activity.


Activity 7-6: Converting a Primary Zone to an Active Directory-Integrated Zone


  1. This is a simple activity that can be quickly completed using the DNS snap-in found under Administrative Tools.


Activity 7-7: Creating an Active Directory-Integrated Zone


  1. This activity takes students through the process of configuring an Active Directory-integrated zone on the DNS server for this domain.

  2. The zone information will be stored within the directory partition of each domain controller.


Activity 7-8: Performing a Zone Transfer from an Active Directory-Integrated Zone


  1. This is a simple activity that involves students manually initiating a zone transfer.


Stub Zones


  1. Stub zones are useful in the situation in which your network’s domain name is not registered on the Internet.

  2. A stub zone is used as an alternative to the Internet root servers.


Activity 7-9: Creating a Stub Zone


  1. This activity involves students creating a stub zone for their domain. This activity will provide a concrete example to the concepts introduced in the previous section.


Caching-Only DNS Servers


  1. This will be a simple concept for students. A caching-only server acts merely as a DNS cache.

  2. The main reason for creating such a server is to reduce network traffic over very slow WAN networks.

  3. In order to set up a caching-only server, configure the DNS service without any zones. Windows Server 2003 handles almost everything else automatically.


Active Directory and DNS


  1. Active Directory requires DNS. The most important service that DNS performs for Active Directory is the locating of services.

  2. The basic idea behind this section, and the most important concept for students to remember, is that DNS is required for the proper operation of Active Directory.

  3. Although it is possible that students can manually add all SRV and A records required for an Active Directory domain, it should be stressed that doing so is not advisable and that dynamic DNS, to be discussed next, should almost always be used.


Dynamic DNS


  1. The basic idea behind dynamic DNS is that DNS records can be updated dynamically without administrator intervention.

  2. Windows 2000/XP perform their own dynamic DNS updates. However, remind students that the process can be started manually through the ipconfig utility.


Activity 7-10: Testing Dynamic DNS


  1. In this activity, the student will first delete the A record for a client machine on the DNS server. Then, the student will initiate a manual registration using the ipconfig utility.


Dynamic DNS and DHCP


  1. This section briefly describes the interaction between DHCP services and dynamic DNS services.

  2. There are a number of options that can be configured on a DHCP server running on Windows Server 2003. By default, the DHCP server updates DNS records for Windows 2000/XP machines only if they request it to do so. Other options include:

    1. always dynamically update

    2. discard A and PTR records when lease is deleted

    3. dynamically update DNS A and PTR records for DHCP clients that do not request updates

  3. Ensure that students know exactly what each of these options does and why and when you might choose them.


Configuring a Zone for Dynamic DNS


  1. A zone can be configured for dynamic DNS during creation or through configuring an existing zone.

  2. There are three options that are important for students to become familiar with. These are:

    1. allow only secure dynamic updates

    2. allow both nonsecure and secure dynamic updates

    3. do not allow dynamic updates

  3. The first option (secure only) is only available in an Active Directory-integrated zone. It allows updates only subject to the permissions specified in Active Directory.

  4. The second option (nonsecure and secure) allows any client to update records. This is a risky option that may render your network vulnerable to hackers. Therefore, students should know to use this option at their own risk.

  5. The last option (no dynamic updates) is obvious in its results. This option is typically never chosen for a network that utilizes zones stored within Active Directory.
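The three dynamic-update settings listed above, contrasted by pushing the same update requests through each policy. This is an added example, not from the text; the record-ownership rule used for the secure-only policy is a simplification of Active Directory permissions (an assumption), and the zone, host names, addresses and account names are constructed.

```python
"""Contrast the three dynamic-update settings of a zone. Under 'nonsecure
and secure' an unauthenticated request can overwrite any host's record;
under 'secure only' a request must be authenticated and may only touch
records its own account registered. Example code added to these notes; the
ownership rule is a simplified stand-in for Active Directory permissions."""

SECURE_ONLY = "secure only"                    # first option, AD-integrated zones only
NONSECURE_AND_SECURE = "nonsecure and secure"  # second option
NO_UPDATES = "none"                            # third option


class DynamicZone:
    def __init__(self, policy, ad_integrated):
        if policy == SECURE_ONLY and not ad_integrated:
            raise ValueError("secure-only updates require an AD-integrated zone")
        self.policy = policy
        self.records = {}   # host -> (ip, owning account or None)

    def update(self, host, ip, principal=None):
        """Apply a dynamic update. principal is the authenticated account
        behind the request, or None for an unauthenticated (nonsecure)
        request. Returns True if the record was written."""
        if self.policy == NO_UPDATES:
            return False
        if self.policy == NONSECURE_AND_SECURE:
            self.records[host] = (ip, principal)   # anyone may overwrite anything
            return True
        # SECURE_ONLY: caller must be authenticated, and may only change a
        # record that is unowned or that its own account created.
        if principal is None:
            return False
        current = self.records.get(host)
        if current is not None and current[1] not in (None, principal):
            return False
        self.records[host] = (ip, principal)
        return True
```

The second policy is what lets a rogue machine on the network re-point an existing server name at itself; the secure-only setting is the reason the notes steer students toward Active Directory-integrated zones for dynamic DNS.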


Managing DNS Servers


  1. This section merely lists the DNS options configurable at the server level. Each option will be described in more detail in subsequent sections.


Aging and Scavenging


  1. This is a new but simple addition to the DNS service of Windows Server 2003. If a DNS record sits in the server for too long without being updated, the record is automatically removed.

  2. This is a useful tool for ensuring that DNS information remains updated.


Update Server Data Files


  1. If the zone is Active Directory-integrated, this option has no effect. Otherwise, all DNS changes in memory are forced to be written to the zone file on disk.


Clear Cache


  1. Clear the cache in order to clear outdated information.


Configure Bindings


  1. These options allow the DNS server to only listen to requests on a specified IP address in the case that the server is bound to multiple addresses.



Quick Quiz


  1. What is the most common system used to resolve host names to IP addresses?

Answer: DNS


  2. A secondary zone always contains a backup of what type of zone's DNS information?

Answer: Primary zone


  3. Does an Active Directory-integrated zone store DNS information in the same way that a traditional zone does?

Answer: No


Forwarding


  1. The main idea in this section is that a DNS server that cannot access the Internet in order to respond to client requests can forward those requests to a DNS server that is allowed to access the Internet.


Root Hints


  1. Root hints may sound strange to students. However, they are simply servers used to perform recursive lookups.

  2. By default, the root hints configuration is automatically populated with the Internet root servers.

  3. There is no need to alter this configuration unless your network is completely self contained and has absolutely no need to access the Internet. Students should not often have to worry about this configuration and it is usually better to just leave this alone.


Activity 7-11: Creating a Root Server


  1. In this activity, the students will be configuring a Windows Server 2003 DNS server to act as a root server.  This will prevent the server from accessing the Internet to request DNS information.


Logging


  1. There are two types of logging that can be enabled for DNS servers: Event and Debug logging.

  2. Event logging records errors, warnings, and information.

  3. Debug logging records more detailed information than event logging.




Teaching Tip

There are many options that can be configured for debug logging. You may wish to have students figure out for themselves what each of the options means, or you may wish to go through them together as a class. The book does not directly discuss these options, so it may be important to go through them to ensure that students fully understand them. Often, these logs are crucial to properly identifying network problems.


Advanced Options


  1. This section introduces a list of advanced options associated with the DNS service. These options include:

    1. disable recursion

    2. BIND secondaries

    3. fail on load if bad zone data

    4. enable round robin

    5. enable netmask ordering

    6. secure cache against pollution

  2. Each of the above options is briefly discussed in the text. Ensure that students know what each option means for the DNS service.

  3. The text places some emphasis on the concept of round robin DNS. As this is likely to be a new term for students, it would be beneficial to carefully introduce this topic.

  4. Round robin DNS occurs simply whenever more than one record exists for a DNS query. It can be used to provide load balancing for Web and other related services.

  5. Be sure to explain carefully how round robin DNS can be used to provide load balancing as this concept may prove to be confusing to many students.
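What the "enable round robin" and "enable netmask ordering" options do to a query for a name with several A records, as an added Python example rather than anything from the text. The subnet size used for netmask ordering (/24) and all records and client addresses are constructed assumptions.

```python
"""Round robin and netmask ordering on a multi-address A record set.
Round robin rotates the answer list one position per query, so the first
address (the one most clients connect to) is spread across the servers;
netmask ordering then moves addresses on the client's own subnet to the
front. Example code added to these notes; records and addresses are
constructed and the /24 subnet size is an assumption."""
import ipaddress


class RecordSet:
    """All A records for one name, answered in rotating order per query."""

    def __init__(self, name, addresses):
        self.name = name
        self.addresses = list(addresses)
        self.rotation = 0           # how many round-robin answers were given

    def answer(self, client_ip, round_robin=True, netmask_ordering=True, prefix=24):
        """Return the address list in the order the server would send it."""
        order = list(self.addresses)
        if round_robin:
            # Each query starts one position further along the list.
            k = self.rotation % len(order)
            order = order[k:] + order[:k]
            self.rotation += 1
        if netmask_ordering:
            # Prefer servers on the client's subnet; keep relative order.
            client_net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
            local = [a for a in order if ipaddress.ip_address(a) in client_net]
            remote = [a for a in order if ipaddress.ip_address(a) not in client_net]
            order = local + remote
        return order


def first_answer_counts(rrset, client_ip, queries, **opts):
    """Count how often each address comes first over a run of queries;
    with round robin alone the counts come out even, which is the load
    balancing the notes describe."""
    counts = {a: 0 for a in rrset.addresses}
    for _ in range(queries):
        counts[rrset.answer(client_ip, **opts)[0]] += 1
    return counts
```

Round robin balances only which address comes first; it does not notice a server that is down, so a dead address still receives its share of first answers until the record is removed.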


Security


  1. These options allow you to specify which users are allowed to modify DNS settings.

  2. By default, Windows Server 2003 gives users belonging to the Domain Admins and Enterprise Admins groups the privilege to modify DNS settings.

  3. Students need to know that they should be extra careful whenever modifying the access settings for DNS. Setting restrictions too loosely can have disastrous results if a hacker becomes aware of the vulnerability.


Managing Zones


  1. This section lists the options that can be configured for a zone. Each of the listed options will be discussed in more detail in subsequent sections of this chapter.


Reload Zone Information


  1. This option tells DNS to completely reload the information stored within its zone file.


Create a New Delegation


  1. Creating a new delegation merely allows you to delegate the authority for a subdomain to another server.

  2. Windows Server 2003 provides a wizard to ease this process.


Changing the Type of Zone and Replication


  1. The idea of this section is to explain that many of the properties of a zone can be modified after creation. These properties include the type of zone and how the zone is replicated.

  2. Not all options that exist for an Active Directory-integrated zone exist for traditional zones.


Configure Aging and Scavenging


  1. If students understand the concept of aging and scavenging introduced in a previous section, then its configuration should pose little problem.

  2. Students will practice configuring the aging and scavenging properties of a zone in the next activity.


Activity 7-12: Configuring Aging and Scavenging


  1. In this activity, students will be configuring a zone to remove old records.

  2. Records will be scavenged after 28 days if the record is not updated or refreshed.


Modify the Start of Authority Record


  1. The start of authority record defines characteristics of the zone.

  2. The concept stressed in the text is how the serial number is used to indicate the necessity for a zone transfer to secondary zones. Whenever a modification is made to the zone, the serial number is incremented. The secondary zones compare their serial number with that of the primary zone. If the serial number of the secondary zone is smaller than that of the primary zone, a zone transfer is initiated.

  3. Students may find it interesting that a zone transfer can be manually initiated by incrementing the serial number of the primary zone by one.

  4. The other options described in this section are easily understandable.


Name Servers


  1. What is important here is that the name servers configured for a zone are the authoritative DNS servers for the zone.


WINS Resolution


  1. This is actually an interesting option that allows you to specify a WINS server to use in the case that host name resolution fails. If the DNS server cannot resolve the request for a particular host name, it forwards the query to the WINS server to see if it can help.

  2. This is an important concept in that students should know that a DNS and WINS server can interact with each other to assist and increase networking capability.


Zone Transfers


  1. These options can be used to determine which IP addresses are allowed to request zone transfers.




Teaching Tip

Although it may seem quicker and easier to allow zone transfers to any server, it is better to allow only known computers to perform transfers. Taking the extra time to configure these options to avoid later complications is the indicator of a good network administrator.
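The two zone-transfer controls discussed above, the SOA serial comparison from the Start of Authority section and the list of addresses allowed to request transfers, as one Python model added to these notes rather than taken from the text. It goes slightly beyond the notes by comparing serials with the wrap-around arithmetic of RFC 1982 instead of a plain "smaller than"; the zone data, addresses and names are constructed.

```python
"""A primary zone that bumps its SOA serial on every change and serves full
zone transfers only to listed addresses, and a secondary that transfers
only when the primary's serial is ahead of its own. Example code added to
these notes; zone contents and addresses are constructed."""
import ipaddress

SERIAL_MODULUS = 2 ** 32     # SOA serials are 32-bit and wrap around (RFC 1982)


def serial_is_newer(candidate, current):
    """RFC 1982 serial arithmetic: True if candidate is ahead of current.
    A plain '<' would stop working the moment a serial wraps past 2^32 - 1."""
    diff = (candidate - current) % SERIAL_MODULUS
    return 0 < diff < 2 ** 31


class PrimaryZone:
    def __init__(self, name, serial, records, transfer_allowed_from):
        self.name = name
        self.serial = serial % SERIAL_MODULUS
        self.records = dict(records)
        # Addresses or networks permitted to request a zone transfer.
        self.acl = [ipaddress.ip_network(a) for a in transfer_allowed_from]

    def update_record(self, host, ip):
        """Every change to the zone increments the serial so secondaries notice.
        Incrementing the serial by hand has the same effect (a manual transfer)."""
        self.records[host] = ip
        self.serial = (self.serial + 1) % SERIAL_MODULUS

    def transfer_permitted(self, requester_ip):
        addr = ipaddress.ip_address(requester_ip)
        return any(addr in net for net in self.acl)

    def axfr(self, requester_ip):
        """Full zone transfer, refused unless the requester is on the ACL.
        An unrestricted ACL would hand the whole host list to anyone who asks."""
        if not self.transfer_permitted(requester_ip):
            raise PermissionError(f"zone transfer refused for {requester_ip}")
        return self.serial, dict(self.records)


class SecondaryZone:
    def __init__(self, own_ip, serial=0, records=None):
        self.own_ip = own_ip
        self.serial = serial
        self.records = dict(records or {})

    def refresh(self, primary):
        """Compare SOA serials; pull the zone only when the primary is newer.
        Returns True if a transfer took place."""
        if not serial_is_newer(primary.serial, self.serial):
            return False
        self.serial, self.records = primary.axfr(self.own_ip)
        return True
```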


Security


  1. The security options allow you to modify the list of users who have control over modifying zone properties.


Troubleshooting DNS


  1. It is important to stress that most problems with DNS occur on the client side.

  2. If a server problem is suspected, an iterative or recursive query can be initiated from the Monitoring tab of the DNS server properties dialog box to troubleshoot the problem.

  3. Tests can be performed manually or configured to run automatically.


Activity 7-13: Removing Active Directory and the DNS Service


  1. This activity will take longer than most other activities performed in this text.

  2. Active Directory and DNS services will be removed from the server machine.

  3. This activity is important if future activities are to be performed using the same machine as these services may interfere with the activities provided later on in this text.



Class Discussion Topics


  1. How many secondary zones should an administrator install on a network? What factors will influence this decision?

  2. How do you choose between implementing an Active Directory-integrated zone and a traditional zone on your network?

  3. How do you choose where to store DNS zones within Active Directory?

  4. When should a stub zone be set up on a network?