Exploring DNS in an Active Directory Environment

20 Aug

In this practice, you create an Active Directory domain named Nwtraders.msft. During the process
of creating this Active Directory domain, a DNS server is created for hosting the zone
lookup information for Nwtraders.msft. You then explore this zone information along with
the DNS server settings, create a domain administrator account for personal use, add the Boston
computer to the domain, and observe the new DNS records created for Boston.
 Practice 1 Creating a Domain Controller
In this exercise, you use the Dcpromo program to create a domain controller for a new Active
Directory domain named Nwtraders.msft.
1. Log on to Dcsrv1 with the account named Administrator.
2. In the Run box, type dcpromo, and then press Enter.
A message appears indicating the Active Directory Domain Services binaries are being
installed. After the binaries have been installed, the Active Directory Domain Services
Installation Wizard appears.
3. On the Welcome page of the Active Directory Domain Services Installation Wizard, read
all the text on the page, and then click Next.
4. On the Operating System Compatibility page, click Next.
5. On the Choose A Deployment Configuration page, select Create A New Domain In A
New Forest, and then click Next.
6. On the Name The Forest Root Domain page, type nwtraders.msft, and then click Next.
The forest name is verified to ensure that it is unique on the network, and then the NetBIOS name is verified.
7. On the Set Forest Functional Level page, select the Windows Server 2008 functional
level, read the text in the Details section, and click Next.
8. On the Additional Domain Controller Options page, verify that DNS Server is selected,
read the text in the Additional Information section, and click Next.
A dialog box appears and informs you that a delegation for this server cannot be created.
You receive this message because you are creating a new DNS root domain and not a subdomain
(for example, in the Internet namespace).
9. Click Yes to continue.
10. On the Location For Database, Log Files, And SYSVOL page, review the default settings,
and then click Next.
11. On the Directory Services Restore Mode Administrator Password page, read all the text
on the page, and then type a password of your choice in the Password and Confirm Password
fields.
Lesson 2: Deploying a DNS Server 137
12. Click Next.
13. On the Summary page, review the summary information (especially the DNS server
information), and then click Export Settings.
You should always choose this option because it generates an answer file that you can
later modify to use with Dcpromo on a Server Core installation. If you want to promote
a Server Core installation to a domain controller, you must specify such an answer file.
14. In the Save Unattend File dialog box, specify a name, such as DCunattend, and then save
the text file in the default location (the Documents folder).
A message box appears, informing you that the settings were successfully exported.
15. Click OK.
16. On the Summary page of the Active Directory Domain Services Installation Wizard, click
Next.
The Active Directory Domain Services Installation Wizard dialog box appears while the
DNS Server and Active Directory Domain Services are installed and configured.
When the installation completes, the Completing page of the Active Directory Domain
Services Installation Wizard appears.
17. Click Finish.
A dialog box appears informing you that you need to restart your computer for the
changes to take effect.
18. Click Restart Now.
 Practice 2 Reviewing DNS Server Information
In this exercise, you review the DNS server configuration on Dcsrv1.
1. After Dcsrv1 finishes restarting, log on to Nwtraders from Dcsrv1 as Administrator.
After a few moments the Initial Configuration Tasks window appears.
2. If the Select Features page of the Add Features Wizard appears, click Cancel and then Yes
to confirm the cancel.
3. In the Initial Configuration Tasks window, verify that the computer name is now
dcsrv1.nwtraders.msft and that the domain is nwtraders.msft.
4. Open the DNS Manager console by clicking Start, pointing to Administrative Tools, and
then choosing DNS.
5. In the DNS Manager console tree, navigate to DCSRV1\Forward Lookup Zones\nwtraders.msft.
In the details pane, two records have been created for dcsrv1—a Host (A) record and an
IPv6 Host (AAAA) record. These records point to the IPv4 and IPv6 addresses, respectively,
of Dcsrv1.
138 Chapter 2 Configuring Name Resolution
6. Spend a few minutes browsing the contents of the other folders in the nwtraders.msft
zone.
Notice that many of the records in the zone are SRV records. These records point clients
to the domain controller (Dcsrv1) when they query DNS for the location of a specific service,
such as Kerberos (which provides network authentication) or Lightweight Directory
Access Protocol (LDAP), which is used to locate objects in Active Directory.
7. In the DNS Manager console tree, right-click the DCSRV1 node, and then choose Properties.
8. In the DCSRV1 Properties dialog box, review the information in the Interfaces tab.
If your DNS server has multiple network interfaces or multiple addresses, you can use
this tab to limit the sources of requests to which the server will respond.
9. Click the Forwarders tab.
10. Read the text in the tab, and then click the Edit button.
11. In the Edit Forwarders dialog box, read the text on the page.
You would use this tab to specify a DNS server (a forwarder) to which unanswered queries
should be forwarded. In a large organization, for example, the DNS servers for subdomains
such as east.contoso.local could forward queries to the DNS server authoritative for
the root zone (contoso.local) in the private DNS namespace.
12. Click Cancel to close the Edit Forwarders dialog box.
13. In the DCSRV1 Properties dialog box, click the Root Hints tab.
14. Read the text on the tab.
Note that these name servers are the root DNS servers for the Internet. In a large organization,
you might choose to replace this list with the root servers in your private
namespace. (In such a case, the DNS servers in the corporate network could no longer
resolve Internet names, but users could still connect to the Internet through the use of
proxy servers.)
15. Click the Monitoring tab.
16. In the Monitoring tab, select the check box to test a simple query, and then click Test
Now.
In the Test Results area, an entry appears indicating that the simple query has passed.
Do not perform the recursive test now. The recursive test would fail because this server
is not yet configured with Internet access and cannot connect to the root servers.
17. In the DCSRV1 Properties dialog box, click Cancel.
18. In the DNS Manager console tree, select and then right-click the Conditional Forwarders
container, and then choose New Conditional Forwarder. (If the option appears dimmed,
select the Conditional Forwarders container, and then right-click it again.)
19. In the New Conditional Forwarder dialog box, read all the text.
Note that you use this dialog box to specify the addresses of remote DNS servers to
which queries for specific domain names should be forwarded.
20. In the New Conditional Forwarder dialog box, click Cancel.
21. Minimize all open windows.
 Practice 3 Creating a Personal Administrator Account
In this exercise, you create a domain administrator account to use in future exercises.
1. Open Active Directory Users And Computers by clicking Start, pointing to Administrative
Tools, and then choosing Active Directory Users And Computers.
2. In the Active Directory Users And Computers console tree, navigate to nwtraders.msft
\Users.
3. Right-click the Users container, point to New, and then choose User.
4. In the New Object – User wizard, complete the fields by using a domain name of your
choosing for a personal administrator account.
5. Click Next.
6. On the second page of the New Object – User wizard, type a password of your choosing
in the Password and Confirm Password fields, select or clear any options, and then click
Next.
7. On the third page of the New Object – User wizard, click Finish.
8. In the Active Directory Users And Computers console, locate the user account you have
just created in the details pane.
9. Right-click your new user account, and then choose Add To A Group.
10. In the Select Groups dialog box, type domain admins, and then press Enter.
A message box appears indicating that the operation was successfully completed.
11. Click OK.
12. Close Active Directory Users And Computers.
 Practice 3 Adding Boston to the Nwtraders Domain
In this exercise, you join Boston to the Nwtraders domain.
1. Log on to Boston as an administrator, and then open an elevated command prompt. (To
open an elevated command prompt, right-click Command Prompt in the Start Menu,
and then choose Run As Administrator. If you are logged on with the account named
Administrator, you can merely open a Command Prompt because this prompt is already
elevated by default.)
2. At the command prompt, type netsh interface ip set dnsserver "local area connection" static 192.168.0.1.
3. When the prompt reappears, type netsh interface ipv6 set dnsserver "local area connection" static fd00::1.
These two commands configure Boston to look for the Nwtraders.msft domain by querying
Dcsrv1.
4. When the prompt reappears, minimize or close the command prompt.
5. In the Initial Configuration Tasks window, click Provide Computer Name And Domain.
If the Initial Configuration Tasks window is not open, you can open it by typing oobe in the Run
box.
6. In the System Properties dialog box, click Change.
7. In the Member Of area of the Computer Name/Domain Changes dialog box, select
Domain, and then type nwtraders.msft in the associated text box.
8. Click OK.
A Windows Security prompt opens.
9. In the Windows Security prompt, specify the user name and password of your domain
administrator account, and then click OK.
After several moments (up to a minute), a message box appears welcoming you to the
nwtraders.msft domain.
10. Click OK.
A message appears indicating that you must restart your computer to apply these
changes.
11. Click OK.
12. In the System Properties dialog box, click Close.
A message appears again indicating that you must restart your computer.
13. Click Restart Now.
 Practice 4 Verifying New Zone Data
In this exercise you verify that new resource records have been created in the Nwtraders.msft
zone.
1. After Boston has finished restarting, switch to Dcsrv1.
2. While you are logged on to Dcsrv1 as a domain administrator, open DNS Manager.
3. In the console tree, navigate to the nwtraders.msft forward lookup zone.
4. Right-click the nwtraders.msft container, and then choose Refresh.
Two records have been created for Boston—a Host (A) record mapped to 192.168.0.2 and
an IPv6 Host (AAAA) record mapped to fd00::2.
5. Log off Dcsrv1.
Lesson Summary
■ In most Windows networks, DNS servers are hosted on Active Directory domain controllers.
You can install a DNS server together with a domain controller by running
Dcpromo.exe. To install a DNS server without a domain controller, use the Add Roles
Wizard to add the DNS Server role.
■ You can install a DNS server on a Server Core installation of Windows Server 2008. To
do so on a domain controller, use Dcpromo and specify an answer file by using the command
dcpromo /unattend:<unattendfile>. To install a stand-alone DNS server on a
Server Core installation, type start /w ocsetup DNS-Server-Core-Role.
■ The DNS server properties dialog box allows you to configure settings that apply to the
DNS server and all its hosted zones.
■ The Interfaces tab allows you to specify which of the local computer’s IP addresses the
DNS server should listen to for DNS requests. The Root Hints tab allows you to modify
default root servers for the DNS namespace. The Forwarders tab allows you to specify
the IP addresses of upstream DNS servers to which queries should be directed if the
local DNS server cannot provide a response through its cache or zone data.
■ You can use the DNS Manager console to configure conditional forwarding. In conditional
forwarding, queries for specific domains are forwarded to specific DNS servers.
Lesson Review
The following questions are intended to reinforce key information presented in this lesson.
The questions are also available on the companion CD if you prefer to review them in electronic
form.
NOTE Answers
Answers to these questions and explanations of why each answer choice is correct or incorrect are
located in the “Answers” section at the end of the book.
1. You are configuring a new DNS server in your organization. You want to configure the
new DNS server to specify the root servers in your organization as its root servers. What
should you do?
A. Replace the Cache.dns file with a new version specifying the company root servers.
B. Configure a HOSTS file with the names and addresses of the root servers in your
organization.
C. Configure an Lmhosts file with the names and addresses of the root servers in your
organization.
D. Configure the new DNS server to forward queries to the root servers in your organization.
2. Your company includes a headquarters office in New York and a branch office in Sacramento.
These offices host the Active Directory domains ny.lucernepublishing.com and
sac.lucernepublishing.com, respectively. You want users in each office to be able to
resolve names and browse the internal network of the other office. You also want users
in each network to resolve Internet names. How should you configure the DNS servers
in each office?
A. Configure root servers in the New York office, and then configure the Sacramento
servers to forward queries to the root servers in New York.
B. Configure the DNS server in each office to forward queries to an external forwarder.
C. Use conditional forwarding to configure the parent DNS servers in the New York
office to forward queries destined for the sac.lucernepublishing.com to the Sacramento
DNS servers. Configure the parent DNS servers in the Sacramento office to
forward queries destined for the ny.lucernepublishing.com to the New York DNS
servers.
D. Configure the parent DNS servers in the New York office to forward queries to the
parent DNS server in the Sacramento office. Configure the parent DNS servers in
the Sacramento office to forward queries to the parent DNS server in the New York
office.
Lesson 3: Configuring DNS Client Settings
A DNS infrastructure requires configuration for clients as well as for servers. In a typical
business network, DNS clients are configured through settings inherited through DHCP or
from Active Directory domain membership. However, for computers with static IP configurations,
as well as for some outside of an Active Directory environment, you need to define
DNS client settings manually. This lesson describes the DNS settings that affect a computer’s
ability to resolve DNS names successfully and to have its own name resolved by
other querying computers.
After this lesson, you will be able to:
■ Configure a DNS client with a DNS server list
■ Configure a suffix search list
■ Configure a DNS client with a primary DNS suffix
■ Configure a DNS client with a connection-specific DNS suffix
■ Configure a DNS client to register its name and address with a DNS server
Estimated lesson time: 45 minutes
Specifying DNS Servers
The most important configuration parameter for a DNS client is the DNS server address.
When a client performs a DNS query, the client first directs that query toward the address
specified as the client’s preferred DNS server. If the preferred DNS server is unavailable, a DNS
client then contacts an alternate DNS server, if one is specified. Note that the client does not
contact an alternate DNS server when the preferred server is available yet merely unable to
resolve a query.
You can configure a DNS client with a prioritized list of as many DNS server addresses as you
choose, either by using DHCP to assign the list or by manually specifying the addresses. With
DHCP, you can configure clients with a DNS server list by using the 006 DNS Server option
and then configuring the clients to obtain a DNS server address automatically in the TCP/IPv4
Properties dialog box, as shown in Figure 2-26. (This is the default setting.)
MORE INFO DHCP options
DHCP options are discussed in Chapter 4, “Creating a DHCP Infrastructure.”
To configure a DNS server list manually, you can use the TCP/IPv4 Properties dialog box if you
want to configure the local client with one or two DNS servers (a preferred and an alternate).
However, if you want to configure a longer list, click the Advanced button, and then select the
DNS tab. Use the Add button to add servers to the prioritized list of DNS servers, as shown in
Figure 2-27.
Figure 2-26 By default, IPv4 hosts are configured to obtain a DNS server address through DHCP
Figure 2-27 Configuring a prioritized list of DNS servers for a client to contact
Specifying a Computer Name and DNS Suffixes
When you install Windows Server 2008 on a computer or server, a computer name is generated
automatically if you do not specify one in an answer file. You can later change this computer
name after installation by using the System Properties dialog box (which you can open
through the System control panel or by typing the sysdm.cpl command). In DNS, this same
computer name is called a host name and is analogous to a person’s first name or given name.
An example of such a computer name or host name is ClientA. You can determine the computer’s
host name by typing the command hostname at a command prompt.
However, a client can take the fullest advantage of DNS name resolution services when it is configured
with not just a host name, but also with a primary DNS suffix, which is analogous to a
person’s last name or surname (family name). The host name together with the primary DNS
suffix creates the full computer name. For example, a computer named ClientA with a primary
DNS suffix of contoso.com is configured with a full computer name of ClientA.contoso.com.
Normally, the primary DNS suffix corresponds to the name of a primary (read-write) zone
hosted on the locally specified preferred DNS server. For example, the client named
ClientA.contoso.com would normally be configured with the address of a DNS server hosting the
contoso.com zone.
The primary DNS suffix serves two specific functions. First, it enables a client to automatically
register its own host record in the DNS zone whose name corresponds to the primary
DNS suffix name. This host record enables other computers to resolve the name of the local
DNS client. Second, the DNS client automatically adds the primary DNS suffix to DNS queries
that do not already include a suffix. For example, on a computer configured with the
DNS suffix fabrikam.com, the command ping dcsrv1 would effectively be translated to ping
dcsrv1.fabrikam.com. This appended query, demonstrated in Figure 2-28, would then be
sent to the DNS server.
Figure 2-28 A computer configured with a DNS suffix appends that suffix to host names in its DNS
queries
Joining a computer to an Active Directory domain automatically configures the domain name
as the computer’s primary DNS suffix. To configure a primary DNS suffix outside of an Active
Directory domain, click Change in the Computer Name tab in the System Properties dialog box, and
then click More in the Computer Name / Domain Changes dialog box. This procedure opens
the DNS Suffix And NetBIOS Computer Name dialog box, shown in Figure 2-29.
Figure 2-29 Manually configuring a DNS suffix
Configuring a Connection-specific DNS Suffix
Besides being assigned a primary DNS suffix, a computer can also be assigned a connection-specific
suffix from a DHCP server or from a manual configuration. This type of suffix is associated
with a particular network connection only. From a DHCP server, the connection-specific
suffix is assigned through the 015 DNS Domain Name option. You can assign a
connection-specific suffix manually for any particular network connection in the DNS tab of
the Advanced TCP/IP Settings dialog box, as shown in Figure 2-30.
A connection-specific suffix is useful if a computer has two network adapters and you want to
distinguish the two routes to that computer by name. For example, in Figure 2-31 a computer
named Host-A is connected to two subnets through two separate adapters. The first adapter,
assigned the address 10.1.1.11, is connected to Subnet 1 by a slow (10-MB) Ethernet connection.
This slow connection is assigned a connection-specific DNS suffix of
public.example.microsoft.com. The second adapter, assigned the address 10.2.2.22, is connected to
Subnet 2 by a Fast Ethernet (100-MB) connection. This fast connection is assigned a
connection-specific DNS suffix of backup.example.microsoft.com.
Computers on both subnets can connect to Host-A through either adapter. However, when
computers specify the address host-a.public.example.microsoft.com, their connections are
resolved and then routed to Host-A through the slow link. When they specify
host-a.backup.example.microsoft.com, their connections are resolved and then routed to Host-A through the
fast link.
Figure 2-30 Assigning a connection-specific DNS suffix
Figure 2-31 Using a connection-specific suffix to name different routes to a computer
[Figure 2-31 labels: DNS server A and DNS server B; full DNS computer name host-a.example.microsoft.com; Subnet 1 (10 Megabit Ethernet), IP address 10.1.1.11, DNS domain name host-a.public.example.microsoft.com; Subnet 2 (100 Megabit Ethernet), IP address 10.2.2.22, DNS domain name host-a.backup.example.microsoft.com]
Configuring a Suffix Search List
For DNS clients, you can configure a DNS domain suffix search list that extends or revises
their DNS search capabilities. By adding suffixes to the list, you can search for short, unqualified
computer names in more than one specified DNS domain. Then, if a DNS query fails, the
DNS Client service can use this list to append other name suffix endings to your original name
and repeat DNS queries to the DNS server for these alternate FQDNs.
Default DNS Suffix Searches
By default, the DNS Client service first attaches the primary DNS suffix of the local computer
to the unqualified name. If the query fails to resolve this name, the DNS Client service then
adds any connection-specific suffix that you have assigned to a network adapter. Finally, if
these queries are also unsuccessful, the DNS Client service adds the parent suffix of the primary
DNS suffix.
For example, suppose the full computer name of a multihomed computer is
computer1.domain1.microsoft.com. The network adapters on Computer1 have been assigned the
connection-specific suffixes subnet1.domain1.microsoft.com and subnet2.domain1.microsoft.com,
respectively. If on this same computer you type computer2 into the Address text box in Internet
Explorer and then press Enter, the local DNS Client service first tries to resolve the name
Computer2 by performing a query for the name computer2.domain1.microsoft.com. If this
query is unsuccessful, the DNS Client service queries for the names
computer2.subnet1.domain1.microsoft.com and computer2.subnet2.domain1.microsoft.com. If this query does
not succeed in resolving the name, the DNS Client service queries for the name
computer2.microsoft.com.
Custom DNS Suffix Search Lists
You can customize suffix searches by creating a DNS suffix search list in the Advanced TCP/IP
Settings dialog box, as shown in Figure 2-32.
The Append These DNS Suffixes option lets you specify a list of DNS suffixes to add to unqualified
names. If you enter a DNS suffix search list, the DNS Client service adds those DNS suffixes
in order and does not try any other domain names. For example, if the suffixes appearing
in the search list in Figure 2-32 are configured and you submit the unqualified, single-label
query “coffee,” the DNS Client service first queries for coffee.lucernepublishing.com and then
for coffee.eu.lucernepublishing.com.
You can also configure a DNS suffix search list through Group Policy. You can find this setting
in a GPO by navigating to Computer Configuration\Policies\Administrative Templates\Network\DNS Client
and then configuring the policy setting named DNS Suffix Search List.
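The query order described above for the default suffix search (primary suffix, connection-specific suffixes, then the parent of the primary suffix) and for a custom "Append These DNS Suffixes" list, modelled in Python as an added example (not code from the training kit). The configurations in the block are constructed from the computer2 and "coffee" examples in the text; devolving past one level, until two labels remain, is the Windows default and goes beyond the single step the text shows.

```python
"""Model of the Windows DNS Client's suffix handling for unqualified names.

Added example, not code from the training kit. Query order: primary
suffix, each connection-specific suffix, then parent(s) of the primary
suffix; or, when a custom suffix search list is set, exactly that list.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DnsClientConfig:
    primary_suffix: str
    connection_suffixes: List[str] = field(default_factory=list)
    search_list: Optional[List[str]] = None  # "Append These DNS Suffixes"


def devolve(suffix: str, min_labels: int = 2) -> List[str]:
    """Parent suffixes of `suffix`, stopping when `min_labels` labels remain.

    domain1.microsoft.com -> ['microsoft.com']
    corp.eu.contoso.com   -> ['eu.contoso.com', 'contoso.com']
    """
    labels = suffix.strip(".").split(".")
    parents = []
    while len(labels) > min_labels:
        labels = labels[1:]
        parents.append(".".join(labels))
    return parents


def candidate_names(name: str, cfg: DnsClientConfig) -> List[str]:
    """Return the FQDNs the client would query, in order, for `name`.

    A trailing dot marks a fully qualified name and suppresses suffixing.
    Assumption: the text only covers single-label names, so a name that
    already contains a dot is tried as given.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    if "." in name:
        return [name]
    if cfg.search_list is not None:
        suffixes = list(cfg.search_list)          # custom list: only these
    else:
        suffixes = [cfg.primary_suffix] + list(cfg.connection_suffixes)
        suffixes += devolve(cfg.primary_suffix)
    out: List[str] = []
    for suffix in suffixes:
        fqdn = f"{name}.{suffix.strip('.')}"
        if fqdn not in out:   # assumption: a duplicate suffix is not re-queried
            out.append(fqdn)
    return out


def outside_namespace(candidates: List[str], owned_zones: List[str]) -> List[str]:
    """Candidates that fall under none of `owned_zones`.

    A quick check for names that devolution or a careless search list would
    send to a parent domain the organization does not control.
    """
    def covered(fqdn: str) -> bool:
        return any(fqdn == z or fqdn.endswith("." + z) for z in owned_zones)
    return [c for c in candidates if not covered(c)]


if __name__ == "__main__":
    # Sample configurations constructed from the examples in the text.
    computer1 = DnsClientConfig(
        "domain1.microsoft.com",
        ["subnet1.domain1.microsoft.com", "subnet2.domain1.microsoft.com"])
    print(candidate_names("computer2", computer1))
    custom = DnsClientConfig(
        "lucernepublishing.com",
        search_list=["lucernepublishing.com", "eu.lucernepublishing.com"])
    print(candidate_names("coffee", custom))
```

Run `outside_namespace(candidate_names("computer2", computer1), ["domain1.microsoft.com"])` to see that the devolved query computer2.microsoft.com leaves the zone the client's preferred server hosts.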
Figure 2-32 Adding suffixes to DNS queries
Configuring Dynamic Update Settings
When configured to do so, DNS servers running on Windows Server 2008 can accept
dynamic registration and updates of the A (host), AAAA (IPv6 host), and PTR (pointer)
resource records. The registration and updates themselves must be performed either by a DNS
client or by a DHCP server (on behalf of a DNS client).
NOTE What are host and pointer records?
A host record in a forward lookup zone is a record that returns the address of a computer when
you query using its name. It is the most important resource record type. A pointer record provides
the opposite service: it is found only in a reverse lookup zone and returns the name of a computer
when you query using its IP address. For more information about zone types and resource records,
see Chapter 3, “Configuring a DNS Zone Infrastructure.”
Dynamic updates for particular clients can occur only when those clients are configured with
a primary or connection-specific DNS suffix that matches the zone name hosted by the preferred
