Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
6. Select a scavenging period, as shown in Figure 10.13, and click OK to save your
changes.
FIGURE 10.13
Turning on scavenging.
Scavenging keeps the DNS database clean, but overly aggressive scavenging also removes
valid records. A record is deleted only when its timestamp is older than the zone's
no-refresh interval plus its refresh interval, and Windows clients re-register their own
records only once every 24 hours by default, so if that sum is shorter than the clients'
re-registration interval, records for live hosts disappear. Static records (those without
a timestamp) are never scavenged. If you use scavenging, strike a balance between a clean
database and a valid one.
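To see where that balance lies, here is an added example (not code from the book) that models the Windows aging rules described above in Python: one live host that re-registers daily, one host that registered once and left, and one static record are run through 30 days of scavenging passes, first under the default 7-day/7-day intervals and then under an aggressive 8-hour/8-hour setting. The host names and intervals are constructed for the demonstration.

```python
"""Model Windows DNS aging and scavenging to see when a setting is too aggressive.

Added example for this section, not code from the book. It assumes the documented
Windows rules: a record's timestamp only moves on a refresh once the no-refresh
interval has passed, a scavenging pass deletes aged records whose timestamp is older
than no-refresh + refresh, and records with no timestamp (static) are never scavenged.
The host names and intervals below are constructed for the demonstration.
"""
from datetime import datetime, timedelta

# Windows DNS defaults: 7-day no-refresh interval, 7-day refresh interval.
DEFAULT_NO_REFRESH = timedelta(days=7)
DEFAULT_REFRESH = timedelta(days=7)
# Windows clients re-register their own A/PTR records once a day by default.
CLIENT_REREGISTER = timedelta(hours=24)


def apply_refresh(timestamp, no_refresh, now):
    """Timestamp after a dynamic update that re-registers unchanged data at 'now'.

    Inside the no-refresh window the update is accepted but the timestamp is left
    alone (this is what keeps AD-integrated zone replication quiet); afterwards the
    timestamp moves to 'now'. Static records (timestamp None) never age."""
    if timestamp is None:
        return None
    if now - timestamp < no_refresh:
        return timestamp
    return now


def scavenge(records, no_refresh, refresh, now):
    """Names a scavenging pass at 'now' deletes: aged records older than the cutoff."""
    cutoff = now - (no_refresh + refresh)
    return sorted(name for name, ts in records.items() if ts is not None and ts < cutoff)


def simulate(no_refresh, refresh, scavenging_period, days=30):
    """Run 'days' days of hourly ticks with one host that re-registers daily, one that
    registered once and left the network, and one static record; return what got
    scavenged. A deleted live host is not re-created, so it shows up in the result."""
    t0 = datetime(2009, 1, 1)
    records = {"alive-pc": t0, "gone-pc": t0, "router": None}  # constructed sample zone
    deleted = set()
    next_scavenge = t0 + scavenging_period
    next_refresh = t0 + CLIENT_REREGISTER
    now, end = t0, t0 + timedelta(days=days)
    while now < end:
        now += timedelta(hours=1)  # Windows stores aging timestamps in whole hours
        if now >= next_scavenge:   # on a tie the scavenging pass runs first (conservative)
            for name in scavenge(records, no_refresh, refresh, now):
                deleted.add(name)
                del records[name]
            next_scavenge += scavenging_period
        if now >= next_refresh:
            if "alive-pc" in records:
                records["alive-pc"] = apply_refresh(records["alive-pc"], no_refresh, now)
            next_refresh += CLIENT_REREGISTER
    return deleted


def default_settings():
    """Defaults (7d/7d, weekly scavenging): only the departed host is removed."""
    return simulate(DEFAULT_NO_REFRESH, DEFAULT_REFRESH, timedelta(days=7))


def aggressive_settings():
    """8h/8h with daily scavenging: no-refresh + refresh (16h) is shorter than the
    clients' 24h re-registration interval, so a live host is scavenged as well."""
    return simulate(timedelta(hours=8), timedelta(hours=8), timedelta(days=1))


if __name__ == "__main__":
    print("default settings scavenged:   ", sorted(default_settings()))
    print("aggressive settings scavenged:", sorted(aggressive_settings()))
```

The rule the simulation makes visible is the one to check before enabling scavenging on a zone: the no-refresh interval plus the refresh interval must be longer than the interval at which your clients (and DHCP, if it registers on their behalf) re-register, with the scavenging period adding further slack.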
Examining Root Hints
By default, a DNS installation includes a list of the Internet root name servers, which
are the starting point for resolving .com, .net, .uk, and all other Internet domain names.
When a DNS server cannot resolve a query locally in its cache or in local zones, it consults
the Root Hints list, which indicates which servers to begin iterative queries with.
The root hints file should be updated regularly to ensure that the servers listed are still
current. On a Windows DNS server it is located at %systemroot%\system32\dns\cache.dns, and
the authoritative copy can be downloaded from the Internet at the following address:
ftp://ftp.rs.internic.net/domain/named.cache.
CHAPTER 10
Domain Name System and IPv6
At the time of writing, the latest root hints file was dated December 12, 2008. Its
contents are shown in Listing 10.1. You can see the root server names (such as
A.ROOT-SERVERS.NET) and their A records (such as 198.41.0.4), plus AAAA records for the
root servers that had IPv6 addresses at the time.
LISTING 10.1
Root Hints File Contents
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Dec 12, 2008
; related version of root zone: 2008121200
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
; End of File
You can see the root hints for a Windows Server 2008 R2 DNS server by doing the following:
1. Launch Server Manager.
2. Expand the Roles, DNS Server, and DNS nodes, and then select the DNS server name.
3. Right-click the server name and choose Properties.
4. Select the Root Hints tab.
The name servers and their addresses should match those in the root hints file retrieved
from the InterNIC FTP site. Because whoever controls the root hints controls where every
iterative query begins, treat cache.dns as a sensitive configuration file: restrict write
access to it, and recheck it against the published list after any change.
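A practical way to perform that comparison, as an added example that is not part of the book: the script below parses root hints text in the format of Listing 10.1 and reports every difference between the published file and the server's copy. Both inputs are constructed (an excerpt of the published file, and a server copy with one stale glue address and one foreign name server); on a real server you would feed it the contents of %SystemRoot%\System32\dns\cache.dns and a freshly downloaded named.cache.

```python
"""Compare a server's root hints against the published named.cache file.

Added example, not code from the book: it parses the record lines of a root hints
file in the format of Listing 10.1 and reports every root server name or glue
address that the server holds but the published file does not (and vice versa).
Both inputs below are constructed: an excerpt of the published file and a
server-side copy with one outdated glue address and one foreign name server.
"""
import re
from collections import defaultdict

PUBLISHED_NAMED_CACHE = """\
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       last update:    Dec 12, 2008
;       related version of root zone:   2008121200
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
; End of File
"""

# Constructed server copy: B still carries its pre-2004 address and an extra
# "Z" server has been slipped in, the pattern a tampered cache.dns would show.
SERVER_CACHE_DNS = """\
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
.                        3600000      NS    Z.ROOT-SERVERS.NET.
Z.ROOT-SERVERS.NET.      3600000      A     203.0.113.9
"""

# owner  ttl  [IN]  type  rdata   (the class field is optional in named.cache)
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+(?:IN\s+)?(?P<type>AAAA|NS|A)\s+(?P<rdata>\S+)$",
    re.IGNORECASE,
)


def parse_root_hints(text):
    """Return (root_ns, glue): names listed as NS for '.', and each name's A/AAAA set."""
    root_ns, glue = set(), defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised root hints line: {raw!r}")
        owner, rtype, rdata = m["owner"].upper(), m["type"].upper(), m["rdata"].upper()
        if rtype == "NS":
            if owner != ".":
                raise ValueError(f"NS record that is not for the root: {raw!r}")
            root_ns.add(rdata)
        else:
            glue[owner].add(rdata)
    return root_ns, dict(glue)


def diff_root_hints(published_text, server_text):
    """List every discrepancy between the published file and the server's hints."""
    pub_ns, pub_glue = parse_root_hints(published_text)
    srv_ns, srv_glue = parse_root_hints(server_text)
    findings = [f"unexpected root server on server: {n}" for n in sorted(srv_ns - pub_ns)]
    findings += [f"missing root server on server: {n}" for n in sorted(pub_ns - srv_ns)]
    for name in sorted(pub_ns & srv_ns):
        expected, actual = pub_glue.get(name, set()), srv_glue.get(name, set())
        findings += [f"{name} has address {a} not in published file" for a in sorted(actual - expected)]
        findings += [f"{name} lacks published address {a}" for a in sorted(expected - actual)]
    return findings


if __name__ == "__main__":
    # On a real server read %SystemRoot%\System32\dns\cache.dns instead of the sample.
    for finding in diff_root_hints(PUBLISHED_NAMED_CACHE, SERVER_CACHE_DNS):
        print(finding)
```

Any finding from this comparison is worth investigating: a stale address is harmless but means the file has not been maintained, whereas an address or name that is not in the published list means someone or something has altered where the server starts its iterative queries.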
Understanding the Role of Forwarders
Forwarders are name servers that perform iterative queries on behalf of another name
server. In other words, if a server cannot answer a query from a client resolver, a server
that has forwarders configured simply passes the request to an upstream forwarder, which
performs the iterative queries to the Internet root name servers. Forwarders are often
used when an organization relies on the DNS servers of an Internet service provider (ISP)
to handle all Internet name resolution. Another common situation occurs when Active
Directory's DNS servers handle all internal AD DNS resolution but forward outbound DNS
requests to another DNS environment within the organization, such as a legacy UNIX
BIND server.
In conditional forwarding, queries that are made to a specific domain or set of domains
are sent to a specifically defined forwarder DNS server. This type of scenario is normally
used to define routes that internal domain resolution traffic will follow. For example, if an
organization controls the companyabc.com domain namespace and the companyxyz.com
namespace, it might want queries between domains to be resolved on local DNS servers, as
opposed to being sent out to the Internet just to be sent back again so that they are
resolved internally.
Forward-only servers never perform iterative queries themselves; they forward every
request that cannot be answered locally to a forwarder or set of forwarders. If those
forwarders do not respond, the query fails rather than falling back to the root hints.
Because a forward-only server never needs to reach the Internet root servers, outbound
DNS traffic from it can be restricted at the firewall to the forwarders alone (dnscmd
configures the same behavior with the /Slave switch of /ResetForwarders).
If you plan to use forwarders in a Windows Server 2008 R2 DNS environment, you can
establish them by following these steps:
1. Launch Server Manager.
2. Expand the Roles, DNS Server, and DNS nodes, and then select the DNS server name.
3. Right-click the server name and choose Properties.
4. Select the Forwarders tab.
5. Click Edit to create forwarders.
Understanding the Evolution of Microsoft DNS
6. Type in the IP address of the server or servers that will be forwarders. Press Enter for
each server entered, and they will be validated. Click OK when you are finished.
7. If this server will be configured only to forward, and to otherwise fail if forwarding
does not work, uncheck the Use Root Hints If No Forwarders Are Available check box.
8. Click OK to save the changes.
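The decision order the preceding sections describe, as an added example that is not part of the book or of Microsoft's code: a small Python model that picks the most specific conditional forwarder, falls through to the server-wide forwarder list in order, and then either uses root hints or fails depending on the check box in step 7. The domain names and addresses are constructed, and the behavior when a conditional forwarder itself is unreachable (treated here as a failed query) is an assumption of the example.

```python
"""Which path a query takes on a Windows DNS server configured with forwarders.

Added example, not code from the book or from Microsoft. It models the order the text
describes: a matching conditional forwarder wins (most specific domain first), then
the server-wide forwarder list in order, then root hints unless 'Use Root Hints If No
Forwarders Are Available' is cleared (forward-only), in which case the query fails.
How a server behaves when a conditional forwarder itself is down is an assumption
here (treated as failure). Addresses and domain names are constructed.
"""

EXAMPLE_CONFIG = {
    "conditional": {                       # domain -> forwarders for that domain
        "companyabc.com": ["10.1.0.53"],
        "corp.companyabc.com": ["10.1.5.53"],
        "companyxyz.com": ["10.2.0.53", "10.2.0.54"],
    },
    "forwarders": ["192.0.2.53", "192.0.2.54"],  # e.g. the ISP's resolvers
    "use_root_hints_if_no_forwarders": False,    # step 7: forward-only server
}


def domain_matches(qname, domain):
    """True if qname is domain or lies beneath it (label boundary respected, so
    www.notcompanyabc.com does not match companyabc.com)."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def select_conditional(qname, conditional):
    """Most specific (longest) conditional-forwarder domain covering qname, or None."""
    best = None
    for domain, servers in conditional.items():
        if domain_matches(qname, domain) and (best is None or len(domain) > len(best[0])):
            best = (domain, servers)
    return best


def resolution_path(qname, config, responsive):
    """(mechanism, domain, target) for a query not answerable from zones or cache.
    'responsive' is the set of forwarder addresses that currently answer."""
    cond = select_conditional(qname, config["conditional"])
    if cond is not None:
        domain, servers = cond
        for ip in servers:                      # tried in configured order
            if ip in responsive:
                return ("conditional-forwarder", domain, ip)
        return ("servfail", domain, None)       # assumption: no fallback for conditionals
    for ip in config["forwarders"]:
        if ip in responsive:
            return ("forwarder", None, ip)
    if config["use_root_hints_if_no_forwarders"]:
        return ("root-hints", None, None)       # server recurses from the root itself
    return ("servfail", None, None)             # forward-only: fail rather than recurse


if __name__ == "__main__":
    up = {"10.2.0.54", "192.0.2.54"}            # constructed: first forwarders are down
    for name in ("dc1.corp.companyabc.com", "fs1.companyxyz.com",
                 "www.notcompanyabc.com", "www.example.org"):
        print(name, "->", resolution_path(name, EXAMPLE_CONFIG, up))
```

Clearing the check box in step 7 is what turns the last branch into a hard failure; that is the right setting for internal servers that must never contact the Internet root servers directly, and it is what makes a forwarders-only firewall rule safe to enforce.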
Using WINS for Lookups
In environments with a significant investment in WINS, the WINS database can be used in
conjunction with DNS to provide name resolution. If a DNS query has exhausted all DNS
methods of resolving a name, a WINS server can be queried for the host portion of the
name. Enabling this creates a WINS resource record in the zone. Keep in mind that WINS
registrations are unauthenticated, so an answer obtained this way is only as trustworthy
as the WINS database itself, and that non-Microsoft secondary servers such as BIND do not
understand the WINS record type; the Do Not Replicate This Record option on the same tab
keeps the record out of zone transfers to them.
To enable WINS to assist with DNS lookups, follow these steps:
1. Launch Server Manager.
2. Expand the Roles, DNS Server, DNS, server name, and Forward Lookup Zones nodes.
3. Select the zone node.
4. Right-click the zone in question and choose Properties.
5. Choose the WINS tab.
6. Check the Use WINS Forward Lookup check box.
7. Enter the IP address of the WINS server(s), click the Add button, and then click OK
to save the changes.
Understanding the Evolution of Microsoft DNS
Windows Server 2008 R2's DNS implementation expands upon the advanced feature set that
Windows 2000 DNS introduced and Windows Server 2003 extended. Several key functional
improvements were added, but the overall design and functionality changes have not been
significant enough to invalidate DNS design decisions previously made for Windows 2003.
The following sections describe the functionality introduced in Windows 2000/2003/2008
DNS that has been carried over to Windows Server 2008 R2 DNS and helps to distinguish it
from other DNS implementations.
Active Directory-Integrated Zones
The most dramatic change in Windows 2000’s DNS implementation was the concept of
directory-integrated DNS zones, known as AD-integrated zones. These zones were stored in
Active Directory, as opposed to a text file as in standard DNS. When the Active Directory
was replicated, the DNS zone was replicated as well. This also allowed for secure updates,
using Kerberos authentication, as well as the concept of multimaster DNS, in which no
one server is the master server and all DNS servers contain a writable copy of the zone.
Windows Server 2008 R2, like Windows Server 2008, uses AD-integrated zones, but with one
major change to the original design. Instead of storing the zone data in the domain naming
context of Active Directory, where it replicated to every domain controller in the domain,
it is stored in an application partition to reduce replication overhead. You can find more
information on this concept in the following sections.
Dynamic Updates
As previously mentioned, dynamic updates, using Dynamic DNS (DDNS), allow clients to
automatically register, update, and unregister their own host records as they are connected
to the network. This concept was a new feature introduced with Windows 2000 DNS and
is carried over to Windows Server 2008 R2.
Unicode Character Support
Introduced in Windows 2000 and supported in Windows Server 2008 R2, Unicode support enables
DNS to store records written in extended character sets from many different languages.
This allows the DNS server to store and look up records that contain characters outside
the standard hostname character set, such as underscores and non-English letters. How
strictly names are checked is controlled by the Name Checking setting on the Advanced tab
of the server properties, which defaults to Multibyte (UTF8).
NOTE
Although Microsoft DNS supports Unicode characters, it is a best practice that you
make any DNS implementation compliant with the standard DNS character set so that
you can support zone transfers to and from non-Unicode-compliant DNS implementa-
tions, such as UNIX BIND servers. This character set includes a–z, A–Z, 0–9, and the
hyphen (-) character.
The Windows Server 2008 R2 improvements on the basic BIND version of DNS help to
further establish DNS as a reliable, robust name-resolution strategy for Microsoft and non-
Microsoft environments. An overall knowledge of the increased functionality and the
structural changes will help you to further understand the capabilities of DNS in Windows
Server 2008 R2.
Application Partition
Perhaps the most significant feature of the Windows Server 2008 R2 DNS implementation is
that Active Directory-integrated zones are stored in application partitions of AD. For
every domain in a forest, a separate application partition (DomainDnsZones) is created to
store the records of AD-integrated zones replicated to that domain's DNS servers, and a
forest-wide partition (ForestDnsZones) holds zones replicated to every DNS server in the
forest. Because application partitions are not part of the global catalog, DNS entries are
no longer included in global catalog replication.
With the application partition concept, replication load is reduced while zone information
is delegated only to the areas of the network where it is needed.
Automatic Creation of DNS Zones
The Configure a DNS Server Wizard, as demonstrated in the “Installing DNS Using the Add
Roles Wizard” section, allows for the automatic creation of a DNS zone through a step-by-
step wizard. This feature greatly eases the process of creating a zone, especially for Active
Directory. The wizard can be invoked by right-clicking the server name in the DNS MMC and
choosing Configure a DNS Server.
Fix to the “Island” Problem
Earlier versions of the Microsoft DNS had a well-documented issue that was known as the
“island” problem, which was manifested by a DNS server that pointed to itself as a DNS