Windows Server 2008 R2 Unleashed


6. Select a scavenging period, as shown in Figure 10.13, and click OK to save your changes.


FIGURE 10.13 Turning on scavenging.

Scavenging makes a DNS database cleaner, but overly aggressive scavenging can also remove valid entries. Therefore, if you’re using scavenging, it is wise to strike a balance between a clean database and a valid one.

Examining Root Hints

By default, a DNS installation includes a listing of Internet-level name servers that can be used for name resolution of the .com, .net, .uk, and similar domain names on the Internet. When a DNS server cannot resolve a query locally in its cache or in local zones, it consults the Root Hints list, which indicates which servers to begin iterative queries with.

The Hints file should be updated on a regular basis to ensure that the servers listed are still relevant. This file is located at %systemroot%\system32\DNS\cache.dns and can be updated from the Internet at the following address: ftp://ftp.rs.internic.net/domain/named.cache.


CHAPTER 10

Domain Name System and IPv6

At the time of writing, the latest root hints file, or root name servers, was dated December 12, 2008. The contents are shown in Listing 10.1. You can see the root server names (such as “A.ROOT-SERVERS.NET”) and their A records (such as “198.41.0.4”).

LISTING 10.1 Root Hints File Contents

; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache  .  <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
;     file        /domain/named.cache
;     on server   FTP.INTERNIC.NET
; -OR-            RS.INTERNIC.NET
;
; last update: Dec 12, 2008
; related version of root zone: 2008121200
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
; End of File


You can see the root hints for a Windows Server 2008 R2 DNS server by doing the following:

1. Launch Server Manager.

2. Expand the Roles, DNS Server, and DNS nodes, and then select the DNS server name.

3. Right-click the server name and choose Properties.

4. Select the Root Hints tab.

The name servers should match those in the root hints file retrieved from the InterNIC FTP site.
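The comparison described above can be scripted. The following Python example is added here and is not from the book or from Microsoft: it parses a named.cache-style file in the layout of Listing 10.1 and reports where a server's current hints differ from the downloaded reference. The root-hints excerpt and the on-server snapshot are constructed for the example.

```python
import ipaddress

# Constructed excerpt in the layout of Listing 10.1 (InterNIC's named.cache file).
ROOT_HINTS_TEXT = """\
; last update: Dec 12, 2008
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
; End of File
"""

def parse_root_hints(text):
    """Return {root server name: set of its addresses} from a named.cache-style file."""
    ns_names, glue = set(), {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if "IN" in fields:                       # the class is written only on the first record
            fields.remove("IN")
        if len(fields) != 4:
            raise ValueError(f"unexpected record layout: {raw!r}")
        owner, _ttl, rtype, rdata = fields
        if owner == "." and rtype == "NS":
            ns_names.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            # ip_address() rejects garbled glue and normalizes IPv6 text to one form
            glue.setdefault(owner.upper(), set()).add(str(ipaddress.ip_address(rdata)))
    missing = ns_names - set(glue)
    if missing:
        raise ValueError(f"root NS entries without glue addresses: {sorted(missing)}")
    return {name: glue[name] for name in ns_names}

def root_hint_drift(server_hints, reference_hints):
    """Compare the hints a server currently holds (same dict shape) with a freshly
    downloaded file: 'stale' names exist only on the server, 'missing' only in the
    file, 'changed' names have different addresses. Every iterative lookup starts
    at these servers, so any unexplained difference deserves a look."""
    stale = sorted(set(server_hints) - set(reference_hints))
    missing = sorted(set(reference_hints) - set(server_hints))
    changed = sorted(n for n in set(server_hints) & set(reference_hints)
                     if server_hints[n] != reference_hints[n])
    return {"stale": stale, "missing": missing, "changed": changed}

if __name__ == "__main__":
    on_server = {"A.ROOT-SERVERS.NET.": {"192.41.0.4"}, "C.ROOT-SERVERS.NET.": {"192.33.4.12"}}  # constructed snapshot of the Root Hints tab
    print(root_hint_drift(on_server, parse_root_hints(ROOT_HINTS_TEXT)))
```

The on-server dictionary stands in for whatever the Root Hints tab shows; feeding it the real list and the real named.cache gives the drift report for a production server.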

Understanding the Role of Forwarders

Forwarders are name servers that handle all iterative queries for a name server. In other words, if a server cannot answer a query from a client resolver, a server that has forwarders simply forwards the request to an upstream forwarder that will process the iterative queries to the Internet root name servers. Forwarders are often used in situations in which an organization utilizes the DNS servers of an Internet service provider (ISP) to handle all name-resolution traffic. Another common situation occurs when Active Directory’s DNS servers handle all internal AD DNS resolution but forward outbound DNS requests to another DNS environment within an organization, such as a legacy UNIX BIND server.

In conditional forwarding, queries for a specific domain or set of domains are sent to a specifically defined forwarder DNS server. This type of scenario is normally used to define the routes that internal domain resolution traffic will follow. For example, if an organization controls both the companyabc.com and the companyxyz.com namespaces, it might want queries between the domains to be resolved on local DNS servers, rather than being sent out to the Internet just to be sent back again so that they are resolved internally.

Forward-only servers are never meant to do iterative queries, but rather to forward all requests that cannot be answered locally to a forwarder or set of forwarders. If those forwarders do not respond, a failure message is generated.

If you plan to use forwarders in a Windows Server 2008 R2 DNS environment, you can establish them by following these steps:

1. Launch Server Manager.

2. Expand the Roles, DNS Server, and DNS nodes, and then select the DNS server name.

3. Right-click the server name and choose Properties.

4. Select the Forwarders tab.

5. Click Edit to create forwarders.


6. Type in the IP address of the server or servers that will be forwarders. Press Enter for each server entered, and they will be validated. Click OK when you are finished.

7. If this server will be configured only to forward, and to otherwise fail if forwarding does not work, uncheck the Use Root Hints If No Forwarders Are Available check box.

8. Click OK to save the changes.
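The decision the server makes after cache and local zones fail, as the preceding sections describe it (conditional forwarders, the server-wide forwarder list, and the Use Root Hints If No Forwarders Are Available check box), is laid out in the following Python example. It is added here and is not from the book or from Microsoft; the domains, forwarder addresses, and the assumption that the most specific conditional-forwarder domain wins are constructed for the example.

```python
# Constructed configuration: conditional forwarders keyed by domain (the most
# specific matching domain is assumed to win) and the server-wide Forwarders list.
CONDITIONAL_FORWARDERS = {
    "companyxyz.com": ["10.20.0.10"],
    "corp.companyxyz.com": ["10.20.5.10"],
}
DEFAULT_FORWARDERS = ["192.0.2.53"]   # e.g. the ISP's resolver (documentation prefix)

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def select_resolution_path(qname, conditional, default,
                           use_root_hints_if_no_forwarders, forwarders_reachable=True):
    """Decide where a query goes once cache and local zones could not answer it.
    Returns (path, servers): 'conditional' or 'forwarder' with the servers to
    ask, 'root-hints' for iterative resolution from the root servers, or 'fail'
    for a forward-only server whose forwarders do not respond."""
    q = _labels(qname)
    best = None
    for suffix in conditional:
        s = _labels(suffix)
        if len(s) <= len(q) and q[-len(s):] == s:
            if best is None or len(s) > len(_labels(best)):
                best = suffix                   # longest matching domain wins
    if best is not None:
        return "conditional", list(conditional[best])
    if not default:                             # no forwarders configured at all
        return "root-hints", []
    if forwarders_reachable:
        return "forwarder", list(default)
    # Forwarders configured but unresponsive: the check box decides the outcome
    return ("root-hints", []) if use_root_hints_if_no_forwarders else ("fail", [])
```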

Using WINS for Lookups

In environments with a significant investment in WINS, the WINS database can be used in conjunction with DNS to provide DNS name resolution. If a DNS query has exhausted all DNS methods of resolving a name, a WINS server can be queried to provide resolution. This method creates WINS resource records (RRs) in DNS that are established to support this approach.

To enable WINS to assist with DNS lookups, follow these steps:

1. Launch Server Manager.

2. Expand the Roles, DNS Server, DNS, server name, and Forward Lookup Zones nodes.

3. Select the zone node.

4. Right-click the zone in question and choose Properties.

5. Choose the WINS tab.


6. Check the Use WINS Forward Lookup check box.

7. Enter the IP address of the WINS server(s), click the Add button, and then click OK to save the changes.

Understanding the Evolution of Microsoft DNS

Windows Server 2008 R2’s implementation of Active Directory Domain Services expands upon the advanced feature set that Windows 2000 DNS introduced and that was expanded again in Windows Server 2003. Several key functional improvements were added, but the overall design and functionality changes have not been significant enough to change any Windows 2003 design decisions that were previously made regarding DNS. The following sections describe the functionality introduced in Windows 2000/2003/2008 DNS that has been carried over to Windows Server 2008 R2 DNS and helps to distinguish it from other DNS implementations.

Active Directory-Integrated Zones


The most dramatic change in Windows 2000’s DNS implementation was the concept of directory-integrated DNS zones, known as AD-integrated zones. These zones were stored in Active Directory, as opposed to a text file as in standard DNS. When Active Directory was replicated, the DNS zone was replicated as well. This also allowed for secure updates, using Kerberos authentication, as well as the concept of multimaster DNS, in which no one server is the master server and all DNS servers contain a writable copy of the zone.

Windows Server 2008 R2, like Windows Server 2008, utilizes AD-integrated zones, but with one major change to the design. Instead of storing the zone information directly in the naming contexts of Active Directory, it is stored in the application partition to reduce replication overhead. You can find more information on this concept in the following sections.

Dynamic Updates

As previously mentioned, dynamic updates, using Dynamic DNS (DDNS), allow clients to automatically register, update, and unregister their own host records as they are connected to the network. This concept was a new feature introduced with Windows 2000 DNS and is carried over to Windows Server 2008 R2.

Unicode Character Support

Introduced in Windows 2000 and supported in Windows Server 2008 R2, Unicode support of extended character sets enables DNS to store records written in Unicode, or essentially multiple character sets from many different languages. This functionality allows the DNS server to utilize and perform lookups on records that are written with nonstandard characters, such as underscores, foreign letters, and so on.

NOTE

Although Microsoft DNS supports Unicode characters, it is a best practice that you make any DNS implementation compliant with the standard DNS character set so that you can support zone transfers to and from non-Unicode-compliant DNS implementations, such as UNIX BIND servers. This character set includes a–z, A–Z, 0–9, and the hyphen (-) character.
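As an added check that is not from the book or from Microsoft, the following Python snippet flags record owner names that fall outside the a–z, A–Z, 0–9 and hyphen set the note recommends, together with the 63-character label and 253-character name limits of RFC 1035, so a zone can be reviewed before it is transferred to a BIND server. The sample names are constructed.

```python
import re

# A label may use only a-z, A-Z, 0-9 and hyphen, and may not start or end with a hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9-]")

def check_dns_name(name):
    """Return a list of problems for a host name; an empty list means the name uses
    only the standard character set and respects the 63-character label and
    253-character name limits (text form) from RFC 1035."""
    problems = []
    fqdn = name.rstrip(".")
    if len(fqdn) > 253:
        problems.append("name longer than 253 characters")
    for label in fqdn.split("."):
        if not label:
            problems.append("empty label (consecutive or leading dot)")
        elif len(label) > 63:
            problems.append(f"label {label!r} longer than 63 characters")
        elif not LABEL_RE.match(label):
            bad = sorted({c for c in label if not ALLOWED_CHAR.fullmatch(c)})
            if bad:
                problems.append(f"label {label!r} contains {bad}")
            else:
                problems.append(f"label {label!r} starts or ends with a hyphen")
    return problems

def find_nonportable(hostnames):
    """Map each offending name to its problems, for review before a zone transfer."""
    report = {}
    for host in hostnames:
        problems = check_dns_name(host)
        if problems:
            report[host] = problems
    return report

# Constructed sample of owner names as they might appear in an AD-integrated zone
SAMPLE_NAMES = ["web01.companyabc.com", "file_srv.companyabc.com",
                "-edge.companyabc.com", "caf\u00e9.companyabc.com"]
```

Active Directory's own underscore-prefixed service records (the _ldap and _tcp owner names) will be flagged by this check as well; they are expected in an AD zone and should be reviewed separately rather than renamed.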

DNS in Windows Server 2008 R2

The Windows Server 2008 R2 improvements on the basic BIND version of DNS help to further establish DNS as a reliable, robust name-resolution strategy for Microsoft and non-Microsoft environments. An overall knowledge of the increased functionality and the structural changes will help you to further understand the capabilities of DNS in Windows Server 2008 R2.

Application Partition

Perhaps the most significant feature in the Windows Server 2008 R2 DNS implementation, Active Directory-integrated zones are stored in the application partition of the AD. For every domain in a forest, a separate application partition is created and is used to store all records that exist in each AD-integrated zone. Because the application partition is not included as part of the global catalog, DNS entries are no longer included as part of global catalog replication.

With the application partition concept, replication load is reduced while important zone information is delegated to the areas of the network where it is needed.

Automatic Creation of DNS Zones

The Configure a DNS Server Wizard, as demonstrated in the “Installing DNS Using the Add Roles Wizard” section, allows for the automatic creation of a DNS zone through a step-by-step wizard. This feature greatly eases the process of creating a zone, especially for Active Directory. The wizard can be invoked by right-clicking the server name in the DNS MMC and choosing Configure a DNS Server.

Fix to the “Island” Problem

Earlier versions of the Microsoft DNS had a well-documented issue that was known as the “island” problem, which was manifested by a DNS server that pointed to itself as a DNS
