DNS Ad

This document provides an overview of Windows DNS in an Active Directory environment. It discusses key DNS concepts like DNS zones, records, and roles. It also describes how to install and configure a DNS server, including creating forward and reverse lookup zones that are either Active Directory-integrated or standard. Specific DNS record types and options for dynamic updates, round robin load balancing, and recursion are also covered.


ITM 315 – NETWORK ADMINISTRATION

MODULE 12 – December 3, 2016

Windows DNS in an AD environment


In this module we will explore some of the important aspects of Windows 2012/R2 Domain
Name System (DNS) and its integration with Active Directory.

DNS
DNS is a distributed hierarchical database composed mainly of computer name and IP address
pairs. Distributed means that no single database contains all of the data, and hierarchical
means there is a defined structure to how information is stored and accessed in the database.
In order to resolve a name to an address, a DNS lookup will often require multiple queries to a
hierarchy of DNS servers.
DNS can also be described as an inverted tree structure, the so-called DNS namespace (see
Figure 12-1). In this context, each domain has one or more servers that are authoritative for the
domain. The root servers keep a database of the addresses of the DNS servers that manage
top-level domain names, called top-level domain (TLD) servers.

Figure 12.1: A partial view of the DNS naming hierarchy


Source: Tomsho, G. (2014). MCSA Guide to Installing and Configuring Microsoft Windows
Server 2012/R2 (Exam #70-410). Boston: Course Technology/Cengage, Figure 12-1
DNS defines a zone as a grouping of DNS information that represents one or more domains and
possibly sub-domains. Zones contain a variety of record types called resource records, which
contain information about network resources. DNS records can be added and changed by:
• Static updates - an administrator enters DNS record information manually
• Dynamic updates - referred to as Dynamic DNS (DDNS)

The DNS Lookup Process

Two types of DNS lookup can be performed:
• Iterative query - a DNS server responds with the best information it has to satisfy the
query, or it may give a referral response
• Recursive query - a DNS server processes the query until it responds with an address
that satisfies the query or with an "I don't know" message
• A typical DNS lookup (see Figure 12-2) made by a DNS client can involve both recursive
and iterative queries
• DNS clients maintain a text file (the Hosts file) that can contain static DNS entries; the
file is stored in %systemroot%\System32\drivers\etc

DNS Server Roles


DNS servers can perform one or more of the following roles for a zone:

• Authoritative server - holds a complete copy of a zone's resource records
• Forwarder - a DNS server to which other DNS servers send requests they can't resolve
themselves
• Conditional forwarder - a DNS server to which other DNS servers send requests
targeted at a specific domain
• Caching-only server - does not host any zones; its job is to field DNS queries, perform
recursive lookups to root servers or send requests to forwarders, and then cache the
results

Installing and Configuring DNS


• A correctly configured and efficiently functioning DNS service is essential for a well-
functioning network
• When domain controllers replicate with one another and when trusts are created between
domains in different forests, DNS is required to resolve names and services to IP
addresses
• DNS installation begins by installing the DNS Server role with Server Manager or
PowerShell
• If the DNS server is intended to manage domain name services for Active Directory, the
DNS Server role should be installed on a domain controller
• Windows automatically detects whether or not the server is configured as a domain
controller, then integrates DNS zones with Active Directory
• You may need to create a zone manually in DNS Manager if you:
  o Don't install DNS at the time you install Active Directory
  o Install DNS on a server that's not a domain controller
  o Create a stub zone
  o Create a secondary zone for a primary zone
  o Create a primary or secondary zone for an Internet domain

Forward and Reverse Lookup Zones


Before creating a zone, you must decide whether it's a forward lookup zone or a reverse lookup
zone:

• Forward lookup zone (FLZ) - contains records that translate names to IP addresses, such
as A, AAAA, and MX records
• Reverse lookup zone (RLZ) - contains PTR records that map IP addresses to names and is
named after the IP network address (IPv4 or IPv6) of the computers whose records it
contains

Zone Type

There are three different types of zones:

• Primary zone - contains a read/write master copy of all resource records for the zone; it is
considered authoritative for the zone
• Secondary zone - contains a read-only copy of all resource records for the zone; it is
considered authoritative for the zone
• Stub zone - contains a read-only copy of only the SOA and NS records for a zone and the
A records necessary to resolve the NS records; it is not authoritative

Active Directory-Integrated Zones


• Active Directory-integrated zone - not a new zone type, but a primary or stub zone
with the DNS database stored in an Active Directory partition
• The only valid zone type options are primary and stub zones
• If you select a secondary zone, the option to store the zone in Active Directory is disabled

Standard Zones

• Standard zone - a primary, secondary, or stub zone that isn't Active Directory-integrated
• Standard zones are stored in a text file called zone-name.dns, which is located in the
%systemroot%\system32\dns folder
• Mostly installed on stand-alone servers that need to provide name resolution services for
network resources outside the domain
• Also used in networks that don't use Active Directory, such as Linux or UNIX-based networks
Active Directory Zone Replication Scope
After selecting the zone type and specifying that the zone is to be stored in Active Directory, you
are asked to select the zone replication scope with one of these options:

• To all DNS servers in this forest
• To all DNS servers running on domain controllers in this domain
• To all domain controllers in this domain (for Windows 2000 compatibility)
• To all domain controllers specified in the scope of this directory partition

Dynamic Updates

The final step allows you to choose whether and how to use dynamic updates, which can be
configured in one of three ways:

• Allow only secure dynamic updates
• Allow both nonsecure and secure dynamic updates
• Do not allow dynamic updates

Dynamic updates enable DNS client computers to register and dynamically update their resource
records with a DNS server whenever changes occur
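The following script is an added example and is not part of the handout or the textbook: it performs the installation and zone-creation steps described in the sections above with the DnsServer PowerShell module, creating one zone of each kind (AD-integrated forward and reverse, standard primary, secondary and stub) and then reviews the result. The zone names, network ID and server addresses are assumed values. The final check flags zones that accept nonsecure dynamic updates, since such a zone lets any host on the network overwrite another host's records without authenticating.

```powershell
# Added example (not from the handout). Run in an elevated PowerShell session on
# the server. Zone names, network IDs and addresses below are assumed values.

# 1. Install the DNS Server role (on a domain controller if DNS will serve AD)
Install-WindowsFeature -Name DNS -IncludeManagementTools

# 2. AD-integrated primary forward lookup zone, replicated to every DNS server
#    in the forest ("To all DNS servers in this forest"), accepting only secure
#    (Kerberos-authenticated) dynamic updates
Add-DnsServerPrimaryZone -Name 'corp.example.test' `
    -ReplicationScope 'Forest' -DynamicUpdate 'Secure'

# 3. AD-integrated reverse lookup zone for 10.1.0.0/16; the zone name
#    (1.10.in-addr.arpa) is derived from the network ID. 'Domain' corresponds to
#    "To all DNS servers running on domain controllers in this domain"
Add-DnsServerPrimaryZone -NetworkId '10.1.0.0/16' `
    -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# 4. Standard (file-backed) primary zone for an Internet domain that is not part
#    of AD; stored in %systemroot%\system32\dns\example.test.dns. Secure updates
#    are only available for AD-integrated zones, so dynamic updates are off here
Add-DnsServerPrimaryZone -Name 'example.test' `
    -ZoneFile 'example.test.dns' -DynamicUpdate 'None'

# 5. Standard secondary zone holding a read-only copy pulled from a master
#    server; a secondary zone can never be AD-integrated
Add-DnsServerSecondaryZone -Name 'partner.test' `
    -ZoneFile 'partner.test.dns' -MasterServers '192.0.2.53'

# 6. AD-integrated stub zone: only SOA, NS and glue A records; not authoritative
Add-DnsServerStubZone -Name 'branch.example.test' `
    -MasterServers '192.0.2.54' -ReplicationScope 'Forest'

# 7. Review the same properties DNS Manager shows under Type, Replication and
#    Dynamic updates (auto-created zones such as TrustAnchors are skipped)
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope,
                  DynamicUpdate, IsReverseLookupZone |
    Format-Table -AutoSize

# 8. Flag any zone that still accepts nonsecure updates
Get-DnsServerZone |
    Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
    ForEach-Object { Write-Warning "Zone $($_.ZoneName) allows nonsecure dynamic updates" }
```

Steps 2 to 6 each require the matching prerequisite (a domain controller for the AD-integrated zones, a reachable master for the secondary and stub zones); step 8 is the check worth scheduling on its own, since the nonsecure setting is easy to leave behind on a zone created by hand.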

Configuring DNS Zones


Zones can be viewed and changed in DNS Manager, which provides the following options:

• Status
• Type
• Replication
• Dynamic updates
• Aging

DNS Records
According to Microsoft, after you create the necessary zone files, you can add records to the
zones. Computers that need to be accessed from Active Directory and DNS domains must have
DNS records. The following main records exist in an AD-integrated DNS server.

• A (address): maps a host name to an IP address. When a computer has multiple adapter
cards or IP addresses, or both, it should have multiple address records.
• AAAA (also quad-A record): specifies the IPv6 address for a given host.
• CNAME (canonical name): sets an alias for a host name. For example, using this
record, zeta.microsoft.com can have www.microsoft.com as an alias.
• MX (mail exchange): specifies a mail exchange server for the domain, which allows
mail to be delivered to the correct mail servers in the domain.
• NS (name server): specifies a name server for the domain, which allows DNS lookups
within various zones. Each primary and secondary name server should be declared
through this record.
• PTR (pointer): creates a pointer that maps an IP address to a host name for reverse
lookups.
• SOA (start of authority): declares the host that's the most authoritative for the zone and,
as such, is the best source of DNS information for the zone. Each zone file must have an
SOA record (which is created automatically when you add a zone).
• SRV (service): the service location (SRV) resource record maps a DNS domain name to
a specified list of DNS host computers that offer a specific type of service, such as Active
Directory domain controllers.

Using WINS with DNS


• Windows Internet Name Service (WINS) is a legacy name service used to resolve
NetBIOS names, sometimes referred to as single-label names
• Similar to DDNS in that it keeps a database of name-to-address mappings
• Generally used in environments that require NetBIOS resolution, or where applications
depend on it
• The WINS tab has the following options:
  o Use WINS forward lookup
  o Do not replicate this record
  o IP address
  o Time to live (TTL)

Round Robin
• Load sharing can be configured among servers running mirrored services
• Accomplished by creating multiple A records with the same server name, but with each
entry configured with a different IP address
• DNS will then respond to queries by sending all addresses associated with the server's
name, but will also vary their order
• This process is called round robin because each IP address is placed first in the list an
equal number of times

Recursive Queries

• Recursion is enabled on Windows DNS servers by default, but there are two ways to
change this setting:
  o The first involves configuring forwarders
  o The second is the "Disable recursion (also disables forwarders)" option in the
Advanced tab of the DNS server's Properties dialog box
• You might want to disable recursion when you have a public DNS server containing
resource records for your publicly available servers
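The script below is an added example, not part of the handout, covering both the DNS Records section and the Round Robin section above: it creates each of the main record types in an AD-integrated zone, adds several A records under one name for round robin, lists the SOA, NS and domain-controller SRV records, and then queries the round-robin name twice so the changing address order can be seen. The zone name, host names and addresses are assumed values, and the reverse zone 1.10.in-addr.arpa is assumed to exist already.

```powershell
# Added example (not from the handout). Zone and host names and all addresses
# are assumed values; the reverse zone 1.10.in-addr.arpa must already exist.
$zone = 'corp.example.test'

# A record: host name -> IPv4 address. -CreatePtr also writes the matching PTR
# record into the reverse lookup zone
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'web01' `
    -IPv4Address '10.1.2.10' -CreatePtr

# AAAA record: host name -> IPv6 address
Add-DnsServerResourceRecordAAAA -ZoneName $zone -Name 'web01' `
    -IPv6Address '2001:db8:1::10'

# CNAME record: 'www' becomes an alias for the canonical host name
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'www' `
    -HostNameAlias 'web01.corp.example.test'

# MX record at the zone apex ('.' stands for the zone name itself);
# the lowest preference value is tried first
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' `
    -MailExchange 'mail01.corp.example.test' -Preference 10

# PTR record added by hand (what -CreatePtr did automatically above):
# 11.2 in 1.10.in-addr.arpa is the reverse name for 10.1.2.11
Add-DnsServerResourceRecordPtr -ZoneName '1.10.in-addr.arpa' -Name '11.2' `
    -PtrDomainName 'mail01.corp.example.test'

# Round robin: several A records with the same name and different addresses;
# the server returns all of them and rotates their order between answers
'10.1.2.21', '10.1.2.22', '10.1.2.23' | ForEach-Object {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'app' -IPv4Address $_
}

# Records the zone maintains itself: one SOA per zone, one NS per name server
Get-DnsServerResourceRecord -ZoneName $zone -RRType SOA
Get-DnsServerResourceRecord -ZoneName $zone -RRType NS

# SRV records registered by domain controllers; clients use these to find a DC
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV |
    Select-Object Name, NameTarget, Port, Priority, Weight

# Query the round-robin name twice and compare the order of the addresses
1..2 | ForEach-Object {
    (Resolve-DnsName -Name "app.$zone" -Type A -DnsOnly).IPAddress -join ', '
}
```

The two Resolve-DnsName calls at the end should return the same three addresses in a different order; if the order never changes, round robin has been turned off in the server's advanced settings.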
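As an added example that is not part of the handout, the script below configures the forwarder, conditional-forwarder and recursion settings discussed in the DNS Server Roles and Recursive Queries sections, then reads the settings back. The addresses, domain names and server name are assumed values. The recursion step is the one for a server that holds public records only: with recursion enabled, anyone on the Internet can use such a server to resolve arbitrary names, which both exposes the server to abuse as an open resolver and lets outside queries consume its capacity.

```powershell
# Added example (not from the handout). Addresses, domain names and the server
# name are assumed values.

# Internal resolver: send queries it cannot answer from its own zones to two
# forwarders, and fall back to root hints only if the forwarders do not answer
Add-DnsServerForwarder -IPAddress '192.0.2.1', '192.0.2.2'
Set-DnsServerForwarder -UseRootHint $true -Timeout 3

# Conditional forwarder: queries for partner.test go straight to that domain's
# servers; stored in AD so every DNS server in the forest gets the same entry
Add-DnsServerConditionalForwarderZone -Name 'partner.test' `
    -MasterServers '198.51.100.53' -ReplicationScope 'Forest'

# Internet-facing authoritative server: answer only for the zones it hosts.
# This is the "Disable recursion (also disables forwarders)" option from the
# Advanced tab; note that it switches off the forwarders configured above too
Set-DnsServerRecursion -Enable $false

# Read the resulting state back
Get-DnsServerRecursion | Select-Object Enable, Timeout, RetryInterval
Get-DnsServerForwarder  | Select-Object IPAddress, UseRootHint, Timeout
Get-DnsServerConditionalForwarderZone | Select-Object ZoneName, MasterServers

# Functional check from another host against the public server: a hosted name
# still resolves, while a name outside the hosted zones is refused or fails
Resolve-DnsName -Name 'www.example.test' -Type A -Server 'dns01.example.test' -DnsOnly
Resolve-DnsName -Name 'host.unrelated.test' -Type A -Server 'dns01.example.test' -DnsOnly
```

Apply the forwarder steps on internal resolvers and the recursion step on public authoritative servers; the two roles should not share one server, because disabling recursion on a server that internal clients also rely on breaks their resolution of Internet names.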
DNS Troubleshooting commands
Windows has several tools to administer, monitor, and troubleshoot DNS server operation,
including:

• DNS Manager
• dcdiag /test:dns
• dnscmd.exe
• PowerShell
• Event Viewer
• dnslint
• nslookup
• ipconfig
• Performance Monitor
• Protocol analyzer

In order to troubleshoot DNS queries you need a clear picture in your mind of the DNS lookup
process, which involves the following steps:

1. Check the local DNS cache
2. Query the DNS server with a recursive lookup
3. Check the local zone data
4. Check locally cached data
5. Query root servers or configured forwarders

After these steps, double-check the Hosts file to make sure you didn't miss something when you
displayed the local cache.

To verify DNS configuration, use these ipconfig options:

• /all - displays the IP addresses of the configured DNS servers as well as the DNS suffix
search list
• /displaydns - displays the local DNS cache
• /flushdns - deletes the local DNS cache
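The following is an added example, not part of the handout, that walks the five lookup steps listed above from a client and then inspects the server side with several of the tools in the list (PowerShell, dcdiag, dnscmd and the DNS Server event log). The host name, zone name and server address are assumed values. Steps 1 and 2 run on the client; steps 3 to 5 happen inside the server, so the script inspects the server's zone data, cache settings and forwarders remotely instead of trying to reproduce them.

```powershell
# Added example (not from the handout). Host name, zone and server address are
# assumed values; the server-side commands need the DnsServer module and
# administrative rights on the server.
$name   = 'web01.corp.example.test'
$zone   = 'corp.example.test'
$server = '10.1.0.10'   # the DNS server under test

# Step 1: local resolver cache (what ipconfig /displaydns shows) plus the Hosts
# file, which the cache display does not include
Get-DnsClientCache | Where-Object { $_.Entry -like "*$zone" } |
    Select-Object Entry, Data, TimeToLive
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() }   # active entries only

# Step 2: recursive query sent to the server, bypassing cache and Hosts file so
# the answer comes from the server alone
Resolve-DnsName -Name $name -Type A -Server $server -DnsOnly -NoHostsFile

# Reverse lookup of the address just returned (PTR record in the reverse zone)
Resolve-DnsName -Name '10.1.2.10' -Type PTR -Server $server -DnsOnly

# Steps 3 to 5 on the server: local zone data, the server's own cache settings,
# then the forwarders or root hints it would use for anything it does not hold
Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -Name 'web01'
Get-DnsServerCache -ComputerName $server | Select-Object MaxTtl, MaxNegativeTtl
Get-DnsServerForwarder -ComputerName $server | Select-Object IPAddress, UseRootHint

# AD-specific health checks (registration, forwarders, delegation) and the
# legacy CLI view of the zone
dcdiag /test:dns /s:$server
dnscmd $server /ZoneInfo $zone

# Event Viewer equivalent: the 20 newest error-level DNS Server events
Get-WinEvent -ComputerName $server `
    -FilterHashtable @{ LogName = 'DNS Server'; Level = 2 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# Finally clear the client cache (same effect as ipconfig /flushdns) so the
# next test reflects the server's current answer rather than a stale entry
Clear-DnsClientCache
```

Reading the output in order mirrors the lookup process: if step 2 returns the right address but normal applications still reach the wrong host, the Hosts file or a stale cache entry from step 1 is the usual cause; if step 2 itself fails, the server-side output shows whether the record is missing from the zone or the server cannot reach its forwarders.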
