Lecture

Networking II Lesson Plan Week 15 Addendum

Domain Name System


Features of the DNS Service


  1. This section provides an introduction to the DNS service and begins with describing the service’s popularity. Students should know that DNS is THE method to resolve host names to IP addresses.

  2. Because nearly every network administrator will eventually install Active Directory in a new domain, it is important that students understand the role DNS plays within the Active Directory service.


Installing DNS


  1. The first important idea presented here is that Windows Server 2003 may act as a DNS server.

  2. There are a couple ways in which DNS may be installed on the server. One way is through the Active Directory installation wizard. The other is through a manual installation using the Add/Remove Programs utility.

  3. An important thing to remember is that the DNS service is not added automatically simply because a server is promoted to a domain controller. The Active Directory Installation Wizard offers to install and configure DNS only when it cannot locate a suitable DNS server, and the administrator must accept that offer.

  4. Also, any machine running a DNS server should be configured with a static IP address.


Activity 7-1: Installing DNS


  1. This is another simple activity involving the adding of a Windows component.

  2. This activity differs from others in that it also requires the student to check to make sure the service is set to automatically start and that it is currently started.


DNS Zones


  1. This will probably be a new concept to most students. Therefore, make sure they fully understand this concept before moving on to other DNS topics.

  2. A DNS zone is the part of the namespace for which a DNS server holds authoritative data.

  3. A DNS zone for a domain consists of the DNS records for computers within that domain, plus delegation (NS) records pointing at any subdomains that have been handed off to other servers.

  4. The concept of a DNS zone is probably best illustrated through example. Suppose that there exists a domain called engineering.someUniversity.edu. The Internet root servers hold the root zone, which contains NS records delegating edu to the edu top-level servers. The edu servers hold an NS record identifying the server that contains the someUniversity.edu zone. That server holds host records for its own client machines and an NS record pointing to the machine containing the engineering.someUniversity.edu zone, which in turn holds host records for the engineering computers. Each step in that chain is a delegation: every zone stores only its own records plus pointers to the zones below it.

  5. When a zone is created, it must be specified whether this zone should act as a forward or reverse lookup zone.
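The following is an added example for instructors; it is not from the textbook or the original lesson plan. It walks a name down a constructed zone tree the way the example above describes (root, edu, someUniversity.edu, engineering.someUniversity.edu), one delegation per step, and also shows how a reverse lookup zone is named. All server names and addresses are invented (RFC 5737 documentation ranges); someUniversity.edu is the text's hypothetical domain.

```python
"""Iterative DNS resolution walked over a constructed zone tree.

Added teaching example. The zone contents are constructed: someUniversity.edu
is the lesson's hypothetical domain, and every server name and address
(192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 documentation ranges) is invented.
"""

# zone name -> the records it holds, keyed by record type.
# NS entries mark zone cuts: the child zone named is delegated to another
# server, and this zone keeps only the pointer plus a glue A record for it.
ZONES = {
    ".": {
        "NS": {"edu.": "a.edu-servers.net.", "in-addr.arpa.": "a.in-addr-servers.arpa."},
        "A": {"a.edu-servers.net.": "192.0.2.1", "a.in-addr-servers.arpa.": "192.0.2.2"},
    },
    "edu.": {
        "NS": {"someuniversity.edu.": "ns1.someuniversity.edu."},
        "A": {"ns1.someuniversity.edu.": "198.51.100.53"},
    },
    "someuniversity.edu.": {
        "NS": {"engineering.someuniversity.edu.": "ns1.engineering.someuniversity.edu."},
        "A": {
            "www.someuniversity.edu.": "198.51.100.80",
            "ns1.engineering.someuniversity.edu.": "203.0.113.53",  # glue for the child's server
        },
    },
    "engineering.someuniversity.edu.": {
        "A": {"lab1.engineering.someuniversity.edu.": "203.0.113.10"},
    },
    # reverse lookup zones map addresses back to names with PTR records
    "in-addr.arpa.": {
        "NS": {"113.0.203.in-addr.arpa.": "ns1.engineering.someuniversity.edu."},
    },
    "113.0.203.in-addr.arpa.": {
        "PTR": {"10.113.0.203.in-addr.arpa.": "lab1.engineering.someuniversity.edu."},
    },
}


def normalize(name):
    """Lower-case and fully qualify (trailing dot), matching how zone data is keyed."""
    return name.lower().rstrip(".") + "."


def reverse_name(ipv4):
    """Owner name of the PTR record for an IPv4 address:
    203.0.113.10 -> 10.113.0.203.in-addr.arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def resolve(name, rtype="A", zones=ZONES):
    """Start at the root zone and follow one delegation per step until the zone
    authoritative for the name answers. Returns (value, zones_consulted); value
    is None when the authoritative zone has no such record."""
    name = normalize(name)
    zone, consulted = ".", ["."]
    while zone in zones:
        records = zones[zone]
        if name in records.get(rtype, {}):
            return records[rtype][name], consulted
        # No answer here: is the name below a zone cut this zone knows about?
        for child in records.get("NS", {}):
            if name == child or name.endswith("." + child):
                zone = child
                consulted.append(zone)
                break
        else:
            return None, consulted  # authoritative zone reached, record absent
    return None, consulted  # delegated to a zone we hold no data for


if __name__ == "__main__":
    for query, rtype in [("lab1.engineering.someUniversity.edu", "A"),
                         (reverse_name("203.0.113.10"), "PTR"),
                         ("nosuch.someUniversity.edu", "A")]:
        value, path = resolve(query, rtype)
        print(f"{query} {rtype} -> {value}  via {' > '.join(path)}")
```

Note that the glue record for ns1.engineering.someuniversity.edu lives in the parent zone: without it, a resolver that had just been told "ask ns1.engineering..." would have to resolve that very name through the zone it is trying to reach.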


Primary and Secondary Zones


  1. The main idea of this section is that primary and secondary zones are used to replicate DNS information between different machines automatically.

  2. Secondary zones store copies of primary zone information. Therefore, primary zones should be created first.

  3. For standard (file-based) zones there can be only one primary zone in charge of a domain, because the primary holds the only writable copy. There can be as many secondary zones configured as deemed necessary.

  4. Students should understand that replicating DNS information is useful for reducing network traffic and increasing fault tolerance.

  5. It is very important to stress to students that whenever there is DNS information stored on multiple machines within a domain, it is absolutely essential that these servers replicate the information between them.


Activity 7-2: Creating a Primary Zone


  1. Remind students that the overall purpose of this activity is to create a primary zone that can communicate with non-Windows secondary zones.

  2. The instruction list for this activity is longer than that of the average activity. Make sure that students follow instructions carefully.

  3. Make sure that students fully understand the concepts of primary and secondary zones. Otherwise, this activity will not make much sense to them.


Activity 7-3: Creating a Secondary Zone and Performing a Zone Transfer


  1. This is an easy activity that involves creating a secondary zone of a primary zone, configuring the primary zone to allow transfers, and then manually performing a zone transfer.

  2. The point of this activity is to demonstrate how to perform a common technique aimed at reducing WAN traffic.


Activity 7-4: Testing DNS Name Resolution


  1. This is a simple activity which allows students to learn how to better use the NSLOOKUP utility.


Active Directory-integrated Zones


  1. This is a long section containing a lot of potentially new information for students. When teaching, break up this section into its multiple concepts and teach each individually ensuring that students understand each concept before moving to the next. The concepts introduced in this section include:

    1. differences between Active Directory-integrated zones and traditional zones

    2. where zone information can be stored within Active Directory

    3. options of storing zone information within the application directory partition

    4. how an Active Directory-integrated zone interfaces with traditional zones

  2. This section provides an alternative to the traditional zone already introduced in this chapter. An Active Directory-integrated zone stores information within Active Directory as opposed to a file on the hard drive.

  3. Students need to realize that in order to utilize an Active Directory-integrated zone, the DNS server must also be a domain controller for the network.

  4. Stress to students the advantages of this type of zone so that they may best choose what is required for their networking situation.

  5. The advantages to an Active Directory-integrated zone include:

    1. the zone data is replicated and backed up together with Active Directory itself, so no separate zone-file backup is needed

    2. multimaster replication, so any domain controller hosting the zone can accept changes instead of a single primary

    3. increased security, because secure dynamic updates become available and access to individual records is governed by Active Directory permissions

  6. Ensure that students understand the two areas in which DNS zone information can be stored within Active Directory.

  7. If the zone information is stored within the domain directory partition, every domain controller in the domain receives a copy, whether or not it runs the DNS service. This may result in unwanted replication traffic.

  8. If the information is stored within the application directory partition, then the information can only be replicated among a defined set of domain controllers.

  9. Briefly introduce the three options for storing zone information within the application directory partition:  all DNS servers in a forest, all DNS servers in a domain, and all DNS servers in the scope of the application directory partition. These should not be difficult concepts.

  10. There are a number of situations under which a DNS server will not be able to participate in an Active Directory-integrated zone. As these situations may result in network problems that may prove to be especially frustrating to the network administrator who is unaware of them, it may be important to ensure that each student is familiar with these scenarios.


Activity 7-5: Promoting a Member Server to a Domain Controller


  1. The important concept in the activity is that in order to utilize an Active Directory-integrated zone, the server has to be updated to a domain controller.

  2. The update can be achieved through the DCPROMO utility.

  3. Again, make sure students read the instructions before attempting to complete this exercise as it will lessen the amount of time required for this activity.


Activity 7-6: Converting a Primary Zone to an Active Directory-Integrated Zone


  1. This is a simple activity that can be quickly completed using the DNS snap-in found under Administrative Tools.

Activity 7-7: Creating an Active Directory-Integrated Zone


  1. This activity takes students through the process of configuring an Active Directory-integrated zone on the DNS server for this domain.

  2. The zone information will be stored within the directory partition of each domain controller.


Activity 7-8: Performing a Zone Transfer from an Active Directory-Integrated Zone


  1. This is a simple activity that involves students manually initiating a zone transfer.


Stub Zones


  1. A stub zone holds only the records needed to locate the authoritative servers for another zone: the SOA record, the NS records, and the glue A records for those name servers. It keeps them current by transferring from that zone's master servers.

  2. A stub zone is typically created on a parent zone's server for a delegated child zone, or for a partner organization's namespace, so that the server always knows the current authoritative servers without hosting a full secondary copy. It is not a substitute for the Internet root servers.


Activity 7-9: Creating a Stub Zone


  1. This activity involves students creating a stub zone for their domain. This activity will provide a concrete example to the concepts introduced in the previous section.


Caching-Only DNS Servers


  1. This will be a simple concept for students. A caching-only server acts merely as a DNS cache.

  2. The main reason for creating such a server is to reduce network traffic over very slow WAN networks.

  3. In order to set up a caching-only server, configure the DNS service without any zones. Windows Server 2003 automatically does most everything else required.


Active Directory and DNS


  1. Active Directory requires DNS. The most important service that DNS performs for Active Directory is the locating of services.

  2. The basic idea behind this section, and the most important concept for students to remember, is that DNS is required for the proper operation of Active Directory.

  3. Although it is possible that students can manually add all SRV and A records required for an Active Directory domain, it should be stressed that doing so is not advisable and that dynamic DNS, to be discussed next, should almost always be used.


Dynamic DNS


  1. The basic idea behind dynamic DNS is that DNS records can be updated dynamically without administrator intervention.

  2. Windows 2000/XP clients register their own records through dynamic DNS. However, remind students that registration can also be forced manually with the ipconfig utility (ipconfig /registerdns).


Activity 7-10: Testing Dynamic DNS


  1. In this activity, the student will first delete the A record for a client machine on the DNS server. Then, the student will initiate a manual registration using the ipconfig utility.


Dynamic DNS and DHCP


  1. This section briefly describes the interaction between DHCP services and dynamic DNS services.

  2. There are a number of options that can be configured on a DHCP server running on Windows Server 2003. By default, the DHCP server updates DNS records only when the client asks it to: a Windows 2000/XP client registers its own A record and asks the DHCP server to register the PTR record. Other options include:

    1. always dynamically update the A and PTR records

    2. discard the A and PTR records when the lease is deleted

    3. dynamically update A and PTR records for DHCP clients that do not request updates (older clients such as Windows NT 4.0 and Windows 9x)

  3. Ensure that students know exactly what each of these options does and why and when you might choose them.


Configuring a Zone for Dynamic DNS


  1. A zone can be configured for dynamic DNS during creation or through configuring an existing zone.

  2. There are three options that are important for students to become familiar with. These are:

    1. allow only secure dynamic updates

    2. allow both nonsecure and secure dynamic updates

    3. do not allow dynamic updates

  3. Option (a) is only available in an Active Directory-integrated zone. It allows updates only subject to the permissions specified in Active Directory.

  4. Option (b) allows any host that can reach the server to add, change, or delete records without proving who it is. A rogue machine can register an existing server's name with its own address and intercept traffic meant for that server. Students should understand that this option trades away the integrity of the zone and should be avoided wherever secure updates are available.

  5. The last option (c) is obvious in its results. This option is typically never chosen for a network that utilizes zones stored within Active Directory.


Managing DNS Servers


  1. This section merely lists the DNS options configurable at the server level. Each option will be described in more detail in subsequent sections.


Aging and Scavenging


  1. This is a simple feature of the DNS service in Windows Server 2003. Dynamically registered records carry a timestamp; if a record is not refreshed within the configured no-refresh and refresh intervals, it is removed automatically. Static records have no timestamp and are never scavenged.

  2. This is a useful tool for keeping zone data accurate as machines come and go, for example laptops that receive a new address from DHCP and never remove their old record.


Update Server Data Files


  1. If the zone is Active Directory-integrated, this option has no effect. Otherwise, all DNS changes in memory are forced to be written to the zone file on disk.


Clear Cache


  1. Clear the cache in order to clear outdated information.


Configure Bindings


  1. These options allow the DNS server to only listen to requests on a specified IP address in the case that the server is bound to multiple addresses.



Forwarding


  1. The main idea in this section is that a DNS server that cannot access the Internet in order to respond to client requests can forward those requests to a DNS server that is allowed to access the Internet.


Root Hints


  1. Root hints may sound strange to students. They are simply the list of Internet root server names and addresses that the DNS server uses as the starting point of an iterative lookup when it is not authoritative for a name and has no forwarder to hand the query to.

  2. By default, the root hints configuration is automatically populated with the Internet root servers.

  3. There is no need to alter this configuration unless your network is completely self contained and has absolutely no need to access the Internet. Students should not often have to worry about this configuration and it is usually better to just leave this alone.


Activity 7-11: Creating a Root Server


  1. In this activity, the students will be configuring a Windows Server 2003 DNS server to act as a root server.  This will prevent the server from accessing the Internet to request DNS information.


Logging


  1. There are two types of logging that can be enabled for DNS servers: Event and Debug logging.

  2. Event logging records errors, warnings, and information.

  3. Debug logging records more detailed information than event logging.




Teaching Tip

There are many options that can be configured for debug logging. You may wish to have students figure out for themselves what each of the options mean or you may wish to go through it together as a class. The book does not directly discuss these options so it may be important to go through them so that they will be ensured to fully understand them. Often, these logs are crucial to properly identify network problems.


Advanced Options


  1. This section introduces a list of advanced options associated with the DNS service. These options include:

    1. disable recursion

    2. BIND secondaries

    3. fail on load if bad zone data

    4. enable round robin

    5. enable netmask ordering

    6. secure cache against pollution

  2. Each of the above options is briefly discussed in the text. Ensure that students know what each option means for the DNS service.

  3. The text places some emphasis on the concept of round robin DNS. As this is likely to be a new term for students, it would be beneficial to carefully introduce this topic.

  4. Round robin DNS occurs whenever more than one record of the same type exists for the same name. The server rotates the order of the records in each successive response, so clients that use the first address spread themselves across the hosts. It can be used to provide simple load balancing for Web and other related services, though the DNS server has no idea whether any of the hosts is actually up.

  5. Be sure to explain carefully how round robin DNS can be used to provide load balancing as this concept may prove to be confusing to many students.
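The following is an added example for instructors, not code from the textbook or from Windows DNS. It imitates the server-side behaviour just described: rotating the record order on every query, and (for the "enable netmask ordering" option above) putting records on the client's own subnet first. Names and addresses are constructed; the /24 boundary used for netmask ordering is the Windows default and is made a parameter so the assumption is visible.

```python
"""Round robin and netmask ordering simulated for a name with several A records.

Added teaching example; it models what the server does, it is not Windows DNS code.
Names and addresses are constructed (documentation ranges).
"""
import ipaddress
from collections import Counter, deque


class RoundRobinZone:
    def __init__(self, rrsets, round_robin=True, netmask_ordering=True, local_prefix=24):
        # name -> rotating list of A record addresses for that name
        self._rrsets = {name.lower(): deque(addrs) for name, addrs in rrsets.items()}
        self.round_robin = round_robin
        self.netmask_ordering = netmask_ordering
        self.local_prefix = local_prefix  # Windows default compares on a /24 boundary

    def answer(self, name, client_ip=None):
        """Return the A records for name in the order the server would send them,
        or None if the name does not exist."""
        rrset = self._rrsets.get(name.lower())
        if rrset is None:
            return None
        order = list(rrset)
        if self.round_robin:
            rrset.rotate(-1)  # the next query starts one record further along
        if self.netmask_ordering and client_ip is not None:
            client_net = ipaddress.ip_network(f"{client_ip}/{self.local_prefix}", strict=False)
            local = [a for a in order if ipaddress.ip_address(a) in client_net]
            remote = [a for a in order if ipaddress.ip_address(a) not in client_net]
            order = local + remote  # same-subnet records first; rotation kept within each group
        return order


def first_address_counts(zone, name, queries):
    """How often each address is listed first over a run of queries. A simple
    client connects to the first address, so this is the load distribution
    round robin actually delivers (assuming no caching in between)."""
    return Counter(zone.answer(name)[0] for _ in range(queries))


if __name__ == "__main__":
    web = RoundRobinZone({"www.someuniversity.edu.": ["198.51.100.10", "198.51.100.11", "198.51.100.12"]})
    for _ in range(3):
        print(web.answer("www.someuniversity.edu."))
    print(first_address_counts(web, "www.someuniversity.edu.", 300))
```

Two points worth making to students from this model: the distribution is only even while every client actually asks the server (clients and intermediate resolvers cache the answer for the record's TTL), and a host that has crashed keeps receiving its share of first-place answers because nothing in DNS checks that it is alive.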


Security


  1. These options allow you to specify which users are allowed to modify DNS settings.

  2. By default, Windows Server 2003 grants members of the DnsAdmins, Domain Admins, and Enterprise Admins groups (and the server's local Administrators group) the right to modify DNS settings.

  3. Students need to know that they should be extra careful whenever modifying the access settings for DNS. Whoever can change server settings or records can redirect the whole network's name resolution, so loosening these permissions hands an attacker who discovers it a very powerful position.


Managing Zones


  1. This section lists the options that can be configured for a zone. Each of the listed options will be discussed in more detail in subsequent sections of this chapter.


Reload Zone Information


  1. This option tells DNS to completely reload the information stored within its zone file.


Create a New Delegation


  1. Creating a new delegation merely allows you to delegate the authority for a subdomain to another server.

  2. Windows Server 2003 provides a wizard to ease this process.


Changing the Type of Zone and Replication


  1. The idea of this section is to explain that much of the properties of a zone can be modified after creation. Some properties include the type of zone and how the zone is replicated.

  2. Not all options that exist for an Active Directory-integrated zone exist for traditional zones.


Configure Aging and Scavenging


  1. If students understand the concept of aging and scavenging introduced in a previous section, then its configuration should pose little problem.

  2. Practice configuring the aging and scavenging properties of a zone will be obtained in the next section.


Activity 7-12: Configuring Aging and Scavenging


  1. In this activity, students will be configuring a zone to remove old records.

  2. Records will be scavenged after 28 days if the record is not updated or refreshed.
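The following is an added example for instructors, not textbook or Windows code. It models the two intervals a Windows DNS zone applies to every timestamped record (the no-refresh interval, during which identical refreshes are ignored, then the refresh interval, during which a refresh must arrive) and applies them to a constructed set of records. The 14-day plus 14-day split used in the test reproduces the 28-day total of Activity 7-12; the actual split the activity uses should be taken from the textbook. Static records carry no timestamp and are never removed.

```python
"""Aging and scavenging decisions for dynamically registered DNS records.

Added teaching example modelling the no-refresh and refresh intervals of a
Windows DNS zone; it is not the server's code. Timestamps are constructed.
"""
from datetime import datetime, timedelta


def days(n):
    return timedelta(days=n)


T0 = datetime(2005, 1, 1)  # constructed registration time used in the demonstration


class ScavengingPolicy:
    def __init__(self, no_refresh=days(7), refresh=days(7)):
        self.no_refresh = no_refresh  # refreshes are ignored this long after the timestamp
        self.refresh = refresh        # window in which a refresh must then arrive

    def refreshed(self, timestamp, now):
        """Timestamp after a client re-registers the same record at 'now'.
        Inside the no-refresh interval the timestamp is left alone, which is
        what keeps identical refreshes from generating replication traffic."""
        if timestamp is None:
            return None  # static record: never timestamped
        return now if now >= timestamp + self.no_refresh else timestamp

    def is_stale(self, timestamp, now):
        """Eligible for scavenging once both intervals have passed without a refresh."""
        return timestamp is not None and now >= timestamp + self.no_refresh + self.refresh

    def scavenge(self, records, now):
        """records: {owner name: timestamp or None for static}. Returns (kept, removed)."""
        kept, removed = {}, []
        for name, ts in records.items():
            if self.is_stale(ts, now):
                removed.append(name)
            else:
                kept[name] = ts
        return kept, removed


if __name__ == "__main__":
    policy = ScavengingPolicy(days(14), days(14))  # 28 days total, as in Activity 7-12
    zone = {"pc1": T0, "pc2": T0 + days(10), "server.static": None}
    kept, removed = policy.scavenge(zone, T0 + days(30))
    print("kept:", sorted(kept), "removed:", removed)
```

Worth stressing when walking through it: a scavenging run removes only records whose timestamp is older than both intervals combined, so a record registered at T0 with 14-day intervals survives a scavenging pass on day 27 and disappears on day 28; a machine that refreshes on day 15 moves its timestamp and starts the clock again.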


Modify the Start of Authority Record


  1. The start of authority record defines characteristics of the zone.

  2. The concept stressed in the text is how the serial number is used to indicate that a zone transfer to the secondary zones is necessary. Whenever a record in the zone is changed, the serial number is incremented. A secondary compares its serial number with that of the primary, either when its refresh interval expires or when the primary sends it a NOTIFY. If the secondary's serial number is older than the primary's, a zone transfer is initiated. The comparison uses serial-number arithmetic, so a serial that has wrapped past its 32-bit maximum still counts as newer.

  3. Students may find it interesting that a zone transfer can be manually initiated by incrementing the serial number of the primary zone by one.

  4. The other options described in this section are easily understandable.
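The following is an added example for instructors, not from the textbook. It implements the comparison a secondary performs on the SOA serial (RFC 1982 serial-number arithmetic) and the increment described in point 3, and it shows the one pitfall students are most likely to meet later: a primary restored from backup with an older serial than its secondaries will never be transferred until its serial is pushed past theirs. All serial values are constructed.

```python
"""SOA serial comparison as secondaries perform it (RFC 1982 serial number
arithmetic) and the increment that triggers a transfer.

Added teaching example; serial values are constructed.
"""
SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_lt(a, b):
    """True when serial a is older than serial b. Serials live on a 32-bit
    circle, so a plain a < b would think a primary whose serial wrapped past
    2**32 had gone backwards; anything less than half a turn ahead is newer."""
    a, b = a % MODULUS, b % MODULUS
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def secondary_needs_transfer(secondary_serial, primary_serial):
    """The decision a secondary makes after reading the primary's SOA record
    (at refresh time or on receiving a NOTIFY)."""
    return serial_lt(secondary_serial, primary_serial)


def bump_serial(current, today_yyyymmdd=None):
    """Next serial after an edit. Plain increment by default (what the DNS
    console does); when a date is supplied, follow the YYYYMMDDnn convention
    but never move backwards, since secondaries would then ignore the change."""
    nxt = (current + 1) % MODULUS
    if today_yyyymmdd is not None:
        nxt = max(nxt, today_yyyymmdd * 100)
    return nxt


if __name__ == "__main__":
    primary, secondary = 2005010101, 2005010101
    print("in sync, transfer needed:", secondary_needs_transfer(secondary, primary))
    primary = bump_serial(primary)
    print("after an edit, transfer needed:", secondary_needs_transfer(secondary, primary))
    # primary restored from an old backup: its serial is now behind the secondary
    restored = 2005010050
    print("restored primary behind secondary, transfer needed:",
          secondary_needs_transfer(primary, restored))
```

The last case is the one to point out: after restoring a primary from backup, raise its serial above every secondary's (editing the SOA record does this) or the secondaries keep serving the data they already have.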


Name Servers


  1. What is important here is that the name servers configured for a zone are the authoritative DNS servers for the zone.


WINS Resolution


  1. This is actually an interesting option that allows you to specify a WINS server to fall back on when host name resolution fails. If the DNS server cannot resolve a name from its zone data, it queries the WINS server for the NetBIOS name and, if WINS knows it, returns the address as a DNS answer.

  2. This is an important concept in that students should know that a DNS and WINS server can interact with each other to assist and increase networking capability.


Zone Transfers


  1. These options can be used to determine which IP addresses are allowed to request zone transfers.




Teaching Tip

Although it may seem quicker and easier to allow zone transfers to any server, it is better to allow only known secondary servers to perform transfers. An unrestricted transfer hands anyone who asks a complete list of the zone's host names and addresses, which is exactly the inventory an attacker wants before probing a network. Taking the extra time to configure these options is the mark of a good network administrator.
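The following is an added example for instructors, not code from the textbook, from Windows DNS, or from nslookup. It serves both Activity 7-3 (a zone transfer is just an AXFR query sent over TCP) and the zone transfer restriction discussed here: it builds an AXFR request for a zone and classifies the server's reply as REFUSED (transfers are restricted) or OPEN (the server began sending its records to an arbitrary client). Only the 12-byte DNS header is inspected, which is enough to tell the two apart. The two sample replies are constructed in the file; probe_axfr() is the live check and needs network access, so the tests do not exercise it. The zone name someuniversity.edu is the text's hypothetical domain.

```python
"""Build an AXFR (full zone transfer) request and classify the reply.

Added teaching example for checking, from the outside, whether a name server
hands its whole zone to any client that asks. Sample replies are constructed.
"""
import socket
import struct

QTYPE_AXFR, QCLASS_IN = 252, 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """DNS wire format: each label as <length><bytes>, terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"


def build_axfr_query(zone, qid):
    # header: id, flags (plain query, recursion not requested), qdcount=1, an/ns/ar=0
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def classify_axfr_response(message, qid):
    """'REFUSED' means the transfer is restricted; 'OPEN (...)' means the server
    started sending its zone; other rcodes are returned by name."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", message[:12])
    if rid != qid:
        return "ID MISMATCH"
    if not flags & 0x8000:  # QR bit clear: this is a query, not a response
        return "NOT A RESPONSE"
    rcode = flags & 0x000F
    if rcode != 0:
        return RCODE_NAMES.get(rcode, f"RCODE {rcode}")
    return f"OPEN ({ancount} records in first message)" if ancount else "NOERROR (empty)"


def _recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return bytes(buf)


def probe_axfr(server, zone, qid=0x2A2A, timeout=5.0):
    """Live check. Zone transfers run over TCP, where every DNS message is
    preceded by a 2-byte length; only the first reply message is examined."""
    query = build_axfr_query(zone, qid)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return classify_axfr_response(_recv_exact(s, length), qid)


# Constructed replies to an AXFR query for someuniversity.edu with id 0x2A2A.
# Flags 0x8405 = QR | AA | rcode 5 (REFUSED); 0x8400 = QR | AA, rcode 0.
QUESTION = encode_name("someuniversity.edu") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x2A2A, 0x8405, 1, 0, 0, 0) + QUESTION
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x2A2A, 0x8400, 1, 3, 0, 0) + QUESTION  # 3 RRs would follow

if __name__ == "__main__":
    print("restricted server:", classify_axfr_response(SAMPLE_REFUSED, 0x2A2A))
    print("open server:", classify_axfr_response(SAMPLE_OPEN, 0x2A2A))
```

Run probe_axfr() against the lab primary from a machine that is not in its allowed list both before and after the "allow zone transfers" options are set; the answer should change from OPEN to REFUSED. Only probe servers you administer.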


Security


  1. The security options allow you to modify the list of users who have control over modifying zone properties.


Troubleshooting DNS


  1. It is important to stress that most problems with DNS occur client-side.

  2. If a server problem is suspected, an iterative or recursive query can be initiated from the Monitoring tab of the DNS server properties dialog box to troubleshoot the problem.

  3. Tests can be performed manually or configured to run automatically.


Activity 7-13: Removing Active Directory and the DNS Service


  1. This activity will take longer than most other activities performed in this text.

  2. Active Directory and DNS services will be removed from the server machine.

  3. This activity is important if future activities are to be performed using the same machine as these services may interfere with the activities provided later on in this text.


Additional Projects


  1. Suppose you are the administrator of a slow wide area network. As your network is very slow, it is absolutely essential that WAN traffic be reduced to the minimum amount necessary. Because of this, you have already decided not to store Active Directory-integrated zones and secondary zones. You need some kind of local DNS but you also need reduced network traffic.  What is probably your best remaining option? Describe this option and how it is set up on the network.


  2. A fellow network administrator wants you to implement “poor man’s load balancing” for her web server. How can this be done?


Solutions to Additional Projects


  1. The only reasonable option available to you is to use a caching-only DNS server. Having this server around will allow local machines to receive cached DNS information, so repeated lookups never cross the WAN; only the first lookup of a name (and lookups after the cached record expires) generate WAN traffic. A caching-only server is configured by installing the DNS service and making sure no zones are configured on it. Windows Server 2003 will then automatically act as a caching-only server.


  2. This form of load balancing is achieved through round robin DNS. Round robin DNS occurs whenever there is more than one record of the same type for a name: the server rotates the order of the records in each response. Therefore, if there are multiple machines hosting the same Web service, successive accesses to the same host name are distributed across the different machines. This spreads client requests so that a single machine is not required to handle all of them, although DNS does not detect a failed machine and client caching makes the distribution approximate.