Re: 70-294 next week
From: *FESWANY (alkholy2000_at_hotmail.com)
Date: 01/28/05
- Next message: *FESWANY: "Re: 70-294 next week"
- Previous message: *FESWANY: "Re: 70-294 next week"
- Maybe in reply to: *FESWANY: "Re: 70-294 next week"
- Next in thread: *FESWANY: "Re: 70-294 next week"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 28 Jan 2005 17:06:48 +0200
EXERCISE 2.3 (continued)
server priority first. If this server is unavailable or busy, they can then contact the other mail servers.
5. When you are ready to create the record, click OK. This will add the MX record to the forward lookup zone specified in Step 3.
Managing DNS Servers 85
Although you can manually specify DNS server records, this process can become quite tedious. In Chapter 3, "Installing and Configuring the Active Directory," we'll look at how DNS services can be configured for the Active Directory.
Managing DNS Servers
Once your DNS server is installed and configured properly, you will need to manage various settings. In the previous section, we looked at the various options and features available within the DNS service. In this section, we'll focus on some specific operations that are required for working with the Active Directory. The exercises should be helpful in learning your way around the various operations.
Configuring Zones for Automatic Updates
By allowing automatic updates to DNS zones, you will be able to dramatically reduce the administrative burden of managing resource records. Exercise 2.4 shows how to enable this option.
See "Managing DNS Interoperability," a section that appears later in this chapter, for coverage of the "Integrate Active Directory DNS zones with non-Active Directory DNS zones" subobjective.
Microsoft Exam Objective
Install, configure, and troubleshoot DNS for Active Directory.
Integrate Active Directory DNS zones with non-Active Directory DNS zones.
Configure zones for dynamic updates.
86 Chapter 2 Integrating DNS with the Active Directory
Creating Zone Delegations
When you configure a DNS server as a primary server for a zone, that server is responsible for performing name resolution for all of the resources within that zone. In some cases, you might want to delegate authority for a portion of the zone to another DNS server. Exercise 2.5 shows how this can be done.
EXERCISE 2.4
Allowing Automatic Updates
This exercise assumes that you have properly installed and configured the DNS service and have configured at least one forward lookup zone.
1. Open the DNS snap-in in the Administrative Tools program group.
2. Expand the forward lookup zones folder under the name of the current server.
3. Right-click the name of a zone, and select Properties.
4. Change the Allow Dynamic Updates option to Yes.
5. Click OK to accept and commit the setting.
EXERCISE 2.5
Creating a Zone Delegation
This exercise will delegate authority for a DNS zone to another DNS server. This exercise assumes that you have already created at least one DNS zone. Additionally, this server must be the primary DNS server for at least one zone.
1. Open the DNS administrative tool and expand the branch for the local server.
2. Right-click the name of a zone for which the machine is the primary server, and select New Delegation.
3. This will open the New Delegation Wizard. Click Next.
EXERCISE 2.5 (continued)
4. Enter the name of the delegated domain. The delegated domain must be a subdomain of the domain you selected in step 2. For example, if the domain name is activedirectory.test, the subdomain might be domain2. This will make the fully-qualified domain name domain2.activedirectory.test. Click Next.
5. Specify the name server(s) to which you want to delegate authority for the domain. To add servers to the list, click Add. You will be able to browse a list of available name servers or specify one by name or IP address. You can also click Edit to change the properties for servers you have already added to the delegation list.
6. Click Next to accept the setting, and then click Finish to create the new delegation.
Managing DNS Replication
Managing DNS replication is an important concern. If optimal settings are not chosen, you might encounter too much replication traffic. Alternatively, you might have the opposite problem: updates are not occurring frequently enough. Earlier in this chapter, we looked at ways to configure the DNS Notify properties within a zone. In this section, we'll see what is required to enable DNS replication.
Exercise 2.6 walks through the steps required to configure DNS replication.
Microsoft Exam Objective
Manage, monitor, and troubleshoot DNS.
Manage replication of DNS data.
EXERCISE 2.6
Configuring DNS Replication
In this exercise, you will configure various DNS replication options. This exercise assumes that you have already created at least one DNS zone and that the local server is the primary DNS server for at least one zone.
1. Open the DNS administrative tool, and expand the branch for the local server.
2. Right-click the name of a zone for which this machine is the primary server, and select Properties.
3. Select the Zone Transfers tab.
4. Place a check mark in the Allow Zone Transfers box.
5. Choose whether you want to allow zone transfers from any server (the default setting), only servers specified on the Name Servers tab, or specific DNS servers based on their IP addresses. It is recommended that you choose one of the latter two options as these provide greater security.
EXERCISE 2.6 (continued)
6. Click the Notify button. Place a check mark in the Automatically Notify box. You can choose to automatically notify the servers listed on the Name Servers tab, or you can specify DNS servers by IP addresses. Each of these servers will be notified automatically whenever a change to the DNS database is made.
7. Click OK twice to save the settings.
Managing DNS Interoperability
In a pure Windows 2000 environment, you would probably choose to use only Microsoft's DNS service. However, in the real world (and especially in larger environments), you might require the DNS service to interact with other implementations of DNS. A common Unix implementation of DNS is known as the Berkeley Internet Name Domain (BIND) service. Active Directory mandates the use of SRV records and optionally supports DNS dynamic updates. The minimum version of BIND that supports both is version 8.2.1. When using a BIND server as the DNS server for Active Directory, it must be running version 8.2.1 or greater. Before you can configure various DNS server settings for interoperability, you must know which features are supported by the non-Microsoft DNS system you are using.
See "Configuring Zones for Automatic Updates," a section that appears earlier in this chapter, for coverage of the "Configure zones for dynamic updates" subobjective.
Exercise 2.7 shows you how to set up a Windows 2000 DNS server to interoperate with non-Windows 2000 DNS servers.
Microsoft Exam Objective
Install, configure, and troubleshoot DNS for Active Directory.
Integrate Active Directory DNS zones with non-Active Directory DNS zones.
Configure zones for dynamic updates.
EXERCISE 2.7
Enabling DNS Interoperability
This exercise assumes that you have properly installed and configured the DNS service and have configured at least one forward lookup zone. It also assumes that you know the various features supported by the types of DNS servers in your environment.
1. Open the DNS snap-in in the Administrative Tools program group.
2. Right-click the name of the local server, and click Properties.
3. Click the Advanced tab. You will see a list of the various settings that can be enabled and disabled. Place a check mark next to a feature to enable it, or remove the check mark to disable it. For more information about the various options, click the Question Mark icon, then click the option.
4. Click OK to save the changes.
Interoperation with WINS and DHCP
Earlier in this chapter, we saw some of the benefits of Microsoft's implementation of DNS. We mentioned integration with other services such as WINS and Dynamic Host Configuration Protocol (DHCP). In this section, we'll drill down into the details of how these two services work and how they can further reduce administration headaches by integrating with Microsoft's DNS.
Overview of DHCP
As we mentioned in the beginning of this chapter, TCP/IP requires a considerable amount of manual configuration. Some of the information that might be required by a TCP/IP client in a Windows environment may include the following pieces of information:
TCP/IP address
Subnet mask
Default gateway
DNS servers
DNS domain name
WINS servers
Additionally, other TCP/IP services must be set. For example, if the network is using the Network Time Protocol (NTP), information on the timeserver address should also be transmitted. It's easy to see how maintaining this information even on small networks can be quite troublesome. For much larger ones, the technical and management issues associated with assigning appropriate information can be overwhelming. DHCP was designed to ease some of these problems. DHCP works by automatically assigning TCP/IP address information to client computers when they are first connected to the network. The general process works as follows:
A client computer is initialized on the network. During the boot up process, a broadcast is sent requesting information from a DHCP server.
If a DHCP server is present, it receives the request and generates an IP address from its database of valid assignments. It sends an offer of TCP/IP information to the client that requested it.
The client receives the packet and sends an acknowledgement to the DHCP server that it will accept the offer.
The DHCP server sends an acknowledgement to the client, which then configures its IP stack. The DHCP server prevents the address from being used again from its database as long as it is assigned to the client.
Figure 2.18 provides an example of the DHCP process.
FIGURE 2.18 Obtaining a DHCP lease
If more than one DHCP server is present on the network, the client would simply take the IP address from the first one to respond. Since IP addresses are a limited resource on most networks, DHCP servers generally assign a lease duration to each IP address they assign to clients. The typical lease duration is approximately three to five days for networks with mobile workstations like laptops and longer for a more static environment. Clients are required to renew their IP address lease within this time frame, or the IP address will be retired and made available for other clients.
The pool of TCP/IP addresses that are available for assignment to clients is called the DHCP scope. A scope consists of a range of IP addresses and a subnet mask. Additionally, scope options can be used to specify other TCP/IP parameters, such as the default gateway, DNS servers, and WINS servers. Figure 2.19 shows the Server Options dialog box within the DHCP administrative tool.
[Figure 2.18 labels: DHCP client, DHCP server and IP address database; Client requests IP address; Server offers IP address to client; Client sends confirmation to server; Client uses IP address; DHCP server registers IP address in DHCP and DNS databases]
FIGURE 2.19 Setting DHCP server options
To provide for fault tolerance of DHCP services, a common practice is to place more than one DHCP server on the same network. However, in order to prevent any problems with duplicate IP address assignments, the DHCP servers are configured with non-overlapping scopes.
Integrating DHCP and DNS
It doesn't take much imagination to see how DHCP information can be used to populate a DNS database. The DHCP service already records all of the IP address assignments within its own database. In order to reduce manual administration of DNS entries for client computers, Windows 2000's DNS implementation can automatically create Address (A) records for hosts based on DHCP information. When Windows 2000 dynamic updates are enabled, the client updates the A record and the DHCP server updates the client's PTR record. However, the method in which DHCP information is transmitted to the DNS server varies based on the client. There are two different modes of DHCP/DNS integration based on the client type:
For Windows 2000 Clients: Windows 2000 DHCP clients have the ability to automatically send updates to a dynamic DNS server as soon as they receive an IP address. This method places the task of registering the new address on the client. It also allows the client to specify whether or not the update of the DNS database should occur at all.
For Earlier Clients: The DHCP client code for Windows 95/98 and Windows NT 4 computers does not support dynamic DNS updates. Therefore, the DHCP server itself must update the DNS A and PTR records.
Figure 2.20 illustrates the two different methods of dynamic DHCP/DNS updates based on the different client types.
FIGURE 2.20 Dynamic DHCP/DNS updates
[Figure 2.20 labels: A, Windows 2000 client: 1 DHCP server assigns IP address, 2 client sends dynamic DNS update; B, non-Windows 2000 client: DHCP server assigns IP address, DHCP server updates DNS server]
Implementing dynamic updates of DNS using information from DHCP can be done by opening the DHCP administrative tool. By right-clicking the name of the server and choosing Properties, you will have the option to select the DNS tab (see Figure 2.21).
FIGURE 2.21 Setting DNS options using the DHCP administrative tool
The options on this tab include the following:
Automatically Update DHCP Client Information in DNS: This option allows you to enable dynamic DNS updates from the client. This selection applies only to Windows 2000 clients. Systems administrators can choose between two options:
The client can decide whether or not the update is made.
DNS is always updated.
Discard Forward (Name-to-Address) Lookups when Lease Expires: When this option is checked, DNS entries for clients are automatically removed if a lease is not renewed in time. This is a useful option as it will ensure that outdated entries no longer exist in the DNS database.
Enable Updates for DNS Clients That Do Not Support Dynamic Update: If you are using Windows NT 4, Windows 95, or Windows 98 DHCP clients and want dynamic updates of DNS, you should choose this option. When it is set, the DHCP server will be responsible for updating the DNS database whenever a new IP address is assigned.
By using the DHCP/DNS integration features of Windows 2000, you can automate what can be a very tedious process: managing client host name-to-address mappings.
Overview of WINS
Although TCP/IP has been the default base protocol since Windows NT 4, the NetBIOS protocol is heavily relied upon by versions of Windows before Windows 2000. The Windows Internet Naming Service (WINS) was designed to allow clients using the NetBIOS over TCP/IP protocols to resolve host names to network addresses. One of the major benefits of using WINS is that it is largely self-configuring and manages itself. That is, names are added automatically to the WINS database as the server learns the addresses of clients. This facilitates browsing on the network. However, WINS has several limitations in larger environments. First, the performance of WINS can begin to degrade when many clients are registered in its database. Second, the replication functionality of the WINS database is not as robust as that of other methods (such as DNS).
With Windows 2000 and the Active Directory, Microsoft has eliminated the need for WINS altogether. However, most networks will still require the use of WINS for down-level clients (including Windows NT 4, Windows 95, and Windows 98 computers). Therefore, Windows 2000 includes an improved version of WINS. To make it easier to manage two different name resolution methods (WINS and DNS), Windows 2000 supports automatic querying of WINS records if a host name is not found within a DNS server's database. This process, called a WINS referral, occurs on the server side and requires no special configuration on the client.
Integrating WINS and DNS
To enable the automatic update process, right-click the name of a forward lookup zone using the DNS administrative tool and select Properties. Click the WINS tab to set the dynamic update options (see Figure 2.22).
FIGURE 2.22 Setting WINS updates
The available options include the following:
Use WINS Forward Lookup: Checking this box instructs the DNS server to query one or more WINS servers if it is unable to fulfill a host name request. The DNS server adds a new record type, the WINS record, to its own database.
Do Not Replicate This Record: This option prevents the WINS record from being sent as part of a zone transfer request. Therefore, the WINS records are not sent to other secondary DNS servers in the domain. You should enable this option if you are using non-Windows 2000 DNS servers on your network as those servers will not support the WINS record type and might cause errors.
IP Address: Here, you can specify the IP address(es) of the server(s) to be contacted for name resolution. If a lookup in the DNS database fails, these servers will be queried for the host name information. Note that the order of the IP addresses matters. That is, WINS server addresses higher in the list will be contacted before those lower on the list. You can re-sort the numbers using the Up and Down buttons.
Once the preceding options are configured, the DNS server will automatically query the specified WINS servers for host names if it is unable to resolve the request within its own database. This allows both WINS and DNS clients to perform name resolution accurately while reducing administrative burdens.
In addition to WINS forward lookups, Windows 2000 DNS servers are able to perform WINS reverse lookups. The configuration options are similar and can be set by right-clicking the name of a reverse lookup zone in the DNS administrative tool and then clicking Properties. The WINS-R tab allows you to set the WINS-R lookup information.
Troubleshooting DNS
Name resolution problems are extremely common when working with distributed networks. If, for example, we are unable to connect to a specific host name, it could be due to various reasons. First, the host itself may be unavailable. This could occur if a server has gone down or if a client computer is not online. In other cases, we may be receiving an incorrect IP address from a DNS server. Usually, the most common symptom of a DNS configuration problem is the ability to connect to a host using its IP address, but not its host name. In this section, we'll look at some ways in which you can troubleshoot client and server DNS problems.
See "Managing DNS Replication," an earlier section of this chapter, for coverage of the "Manage replication of DNS data" subobjective.
Microsoft Exam Objective
Manage, monitor, and troubleshoot DNS.
Manage replication of DNS data.
Troubleshooting Clients
The most common client-side problem related to DNS is incorrect TCP/IP configuration. For example, if the DNS server values are incorrect or the default gateway is set incorrectly, clients may not be able to contact their DNS server. Consequently, they will be unable to connect to other computers using DNS names.
One of the fundamental troubleshooting steps in diagnosing network problems is to determine whether the problem is occurring on the client side or is the fault of the server side. The most common way to determine this is by testing if other clients are having the same problem. If, on the one hand, a whole subnet is having problems resolving DNS names, it is much more likely that a server or network device is unavailable or improperly configured. On the other hand, if only one or a few clients are having problems, then it is likely that the clients are misconfigured.
In this section, we'll look at ways to diagnose and troubleshoot client-side DNS configuration problems.
Using IPCONFIG
Many times, an error in client configuration can cause computers to be unable to resolve DNS names. The common symptom is that the client computer can connect to a machine if it is using the machine's IP address, but cannot connect if it is using the DNS name. The first step in troubleshooting such problems is to verify the proper TCP/IP configuration on the client. This can easily be done using the following command in Windows NT 4, Windows 98, or Windows 2000 (note that in Windows 95, you must use the WINIPCFG command):
IPCONFIG /ALL | MORE
This command will list the TCP/IP configuration information for each of the client's network adapters (as shown in Figure 2.23).
FIGURE 2.23 Viewing TCP/IP configuration information using IPCONFIG
The command-line parameters and output of the IPCONFIG utility are slightly different in various Microsoft operating systems. To get a listing of the exact syntax, just type IPCONFIG /?.
If the client computer is using DHCP, you can use the IPCONFIG /RELEASE command to release the current TCP/IP information. Then, you can issue the IPCONFIG /RENEW command to obtain a new IP address lease from a DHCP server.
Windows 95/98 clients include a graphical utility for viewing the same information provided by IPCONFIG. The easiest way to access the utility is to click Start > Run, and then type winipcfg.
The Windows 2000 version of IPCONFIG also supports several new command-line switches in addition to those already described. These options are shown in Table 2.4.
TABLE 2.4 Windows 2000 IPCONFIG Command-Line Switches
Switch        Function
/flushdns     Clears all of the entries in the local DNS cache; useful if names are being resolved to incorrect IP addresses
/registerdns  Renews all current DHCP leases and updates DNS server information
/displaydns   Shows the contents of the current local DNS resolver cache
/showclassid  Shows the current DHCP class ID; used when different types of machines require specific DHCP information (for example, a different class might be used for servers and workstations)
/setclassid   Allows the current DHCP class ID to be changed
Using PING
After verifying the client configuration, a good second step when troubleshooting a DNS client problem is to ensure that the server is accessible on the network. The PING command provides a simple way to do this. You can use PING by simply typing PING and then an IP address or host name at the command line.
When troubleshooting DNS problems, you should first start by PINGing a machine's TCP/IP address. For example, the command PING 172.16.25.33 should return a response from a server. If no response is received, either the server is down, or there is a problem with the network connectivity (such as a failed router). If, however, a response is received, you should attempt to PING a computer using its machine name. An example is PING server1.mycompany.com. If this test fails (but using PING with an IP address works), then you have a problem with your name resolution services.
Using NSLOOKUP
Sometimes, it is useful to find information about the name servers on the network. The NSLOOKUP command is designed to do just that. A basic test is to run the command with no arguments. This will display the IP address of the current DNS server for this client. For NSLOOKUP to work properly, a PTR record must exist in the server's database.
The NSLOOKUP command is only available on Windows NT 4 and Windows 2000 machines. Windows 95/98 computers do not include the command.
The NSLOOKUP command supports many other functions for determining name resolution paths and testing recursion. For further information, type HELP at the NSLOOKUP command prompt. A sample of this display is shown in Figure 2.24.
FIGURE 2.24 Viewing NSLOOKUP commands
Exercise 2.8 provides an example of how NSLOOKUP can be used to verify the DNS server settings on the local machine.
Unfortunately, the NSLOOKUP command is not as user-friendly as it could be. It requires you to learn several different commands and use them in a specific syntax. Nevertheless, NSLOOKUP is an invaluable tool for troubleshooting DNS configuration issues.
EXERCISE 2.8
Using NSLOOKUP to Verify DNS Configuration
In this exercise, the NSLOOKUP command will be used to verify the proper operation of the DNS server on the local machine. This exercise assumes that you have already installed and configured DNS.
1. Open a command prompt by clicking Start > Programs > Accessories > Command Prompt. Alternatively, you can click Start > Run and type cmd.
2. At the command prompt, type NSLOOKUP and press Enter. This will run the NSLOOKUP command and present you with a > prompt. This prompt indicates that NSLOOKUP is awaiting a command.
3. To activate the local DNS server, type server 127.0.0.1.
4. Type set type=SRV to filter resource records to only SRV types, and press Enter. If the command is successful, you will receive another > prompt.
5. To verify a resource record, simply type its FQDN. For example, if our domain name is activedirectory.test, we would type _ldap._tcp.activedirectory.test. You should receive information about the host name that is mapped as a domain controller for this domain.
6. If you want to test other resources, simply type the names of the resources. You should receive valid responses. Table 2.3 provided a list of the default resource records that should be present.
7. When you are finished using NSLOOKUP, type exit and then press Enter. This will return you to the command prompt. To close the command prompt, type exit again and hit Enter.
Troubleshooting DNS Servers
The symptoms related to DNS server problems generally include the inability to perform accurate name resolution. Provided that the DNS server has been
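The exercises quoted above turn on dynamic updates and zone transfers through the Windows 2000 DNS snap-in and recommend restricting transfers. Two things a practitioner should add to that: "Allow dynamic updates: Yes" on a standard (file-backed) primary zone accepts unauthenticated updates from any host, because the "only secure updates" choice is offered only for Active Directory-integrated zones; and leaving transfers open to any server hands the whole zone to anyone who can send an AXFR request. What follows is an added example, not code from the study guide or from anyone in this thread. It audits primary zones for those two settings, applies the restricted settings, and checks the SRV records Exercise 2.8 looks up by hand (extended here to the Kerberos and _msdcs names a domain controller also registers). It assumes the DnsServer and DhcpServer PowerShell modules of Windows Server 2012 or later rather than the Windows 2000 tools; the server names, addresses and sample zone objects are made up.

```powershell
# Added example for this thread, not code from the study guide. It assumes the
# DnsServer and DhcpServer PowerShell modules (Windows Server 2012 or later),
# which postdate the Windows 2000 snap-ins the exercises use. Zone names,
# addresses and the sample zone objects below are constructed for illustration.

# Audit a zone for the two defaults Exercises 2.4 and 2.6 leave permissive:
# "Allow dynamic updates: Yes" on a standard primary zone accepts unauthenticated
# updates from any host (the "only secure updates" choice exists only for
# AD-integrated zones), and "allow zone transfers to any server" lets anyone
# pull the whole zone with an AXFR request.
function Test-DnsZoneHardening {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Zone)
    process {
        if ($Zone.ZoneType -ne 'Primary') { return }   # secondaries and stubs accept no updates
        $findings = [System.Collections.Generic.List[string]]::new()
        if ($Zone.DynamicUpdate -eq 'NonsecureAndSecure') {
            $findings.Add('nonsecure dynamic updates: any host can add or overwrite records')
        }
        switch ($Zone.SecureSecondaries) {
            'TransferAnyServer' { $findings.Add('zone transfers allowed to any server: AXFR exposes the full zone') }
            'TransferToSecureServers' {
                if (-not $Zone.SecondaryServers) { $findings.Add('transfers restricted by IP, but the secondary list is empty') }
            }
        }
        [pscustomobject]@{
            ZoneName = $Zone.ZoneName
            Hardened = ($findings.Count -eq 0)
            Findings = $findings.ToArray()
        }
    }
}

# Remediate: secure updates where the zone is AD-integrated (a file-backed zone
# cannot be set to Secure, so it is reported instead of changed), and limit both
# zone transfers and change notifications to the named secondaries.
function Set-DnsZoneHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [ipaddress[]] $SecondaryServers = @(),
        [string] $ComputerName = 'localhost'
    )
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName
    $settings = @{ Name = $ZoneName; ComputerName = $ComputerName }
    if ($zone.IsDsIntegrated) {
        $settings.DynamicUpdate = 'Secure'
    } else {
        Write-Warning "$ZoneName is not AD-integrated; secure updates are unavailable. Store it in AD (ConvertTo-DnsServerPrimaryZone -ReplicationScope Domain) before allowing updates."
    }
    if ($SecondaryServers.Count -gt 0) {
        $settings.SecureSecondaries = 'TransferToSecureServers'
        $settings.SecondaryServers  = $SecondaryServers
        $settings.Notify            = 'NotifyServers'
        $settings.NotifyServers     = $SecondaryServers
    } else {
        $settings.SecureSecondaries = 'NoTransfer'
        $settings.Notify            = 'NoNotify'
    }
    if ($PSCmdlet.ShouldProcess($ZoneName, 'restrict dynamic updates and zone transfers')) {
        Set-DnsServerPrimaryZone @settings
    }
}

# Verify the SRV records a domain controller must publish. Exercise 2.8 checks
# _ldap._tcp by hand in nslookup; the Kerberos and _msdcs names are added here.
function Test-AdSrvRecords {
    param([Parameter(Mandatory)] [string] $Domain, [string] $Server = '127.0.0.1')
    foreach ($service in '_ldap._tcp', '_kerberos._tcp', '_ldap._tcp.dc._msdcs') {
        $name = "$service.$Domain"
        $records = Resolve-DnsName -Name $name -Type SRV -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object Type -eq 'SRV'
        [pscustomobject]@{
            Name    = $name
            Targets = @($records | ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port })
        }
    }
}

# Constructed sample zones shaped like Get-DnsServerZone output, so the audit can
# be exercised without a DNS server. The second is the delegated subdomain from
# Exercise 2.5, already restricted to one secondary.
$sampleZones = @(
    [pscustomobject]@{ ZoneName = 'activedirectory.test'; ZoneType = 'Primary'; IsDsIntegrated = $true
                       DynamicUpdate = 'NonsecureAndSecure'; SecureSecondaries = 'TransferAnyServer'; SecondaryServers = @() }
    [pscustomobject]@{ ZoneName = 'domain2.activedirectory.test'; ZoneType = 'Primary'; IsDsIntegrated = $false
                       DynamicUpdate = 'None'; SecureSecondaries = 'TransferToSecureServers'; SecondaryServers = @('172.16.25.34') }
)
$sampleZones | Test-DnsZoneHardening | Format-List

# Against a live server (names and addresses are placeholders):
#   Get-DnsServerZone -ComputerName dns1 | Test-DnsZoneHardening | Where-Object { -not $_.Hardened }
#   Set-DnsZoneHardening -ZoneName 'activedirectory.test' -SecondaryServers 172.16.25.34 -ComputerName dns1 -WhatIf
#   Test-AdSrvRecords -Domain 'activedirectory.test' -Server 172.16.25.33
# The DHCP-side counterparts of the three options on the DNS tab in Figure 2.21:
#   Set-DhcpServerv4DnsSetting -ComputerName dhcp1 -DynamicUpdates Always `
#       -DeleteDnsRROnLeaseExpiry $true -UpdateDnsRRForOlderClients $true
```

The audit runs offline against the constructed objects and reports two findings for activedirectory.test and none for the delegated subdomain; pipe Get-DnsServerZone into it for a real server, and run the remediation with -WhatIf first. The remediation deliberately does not flip a file-backed zone to "None": doing so would also stop the DHCP server's updates described on the DNS tab, so the honest fix for such a zone is to move it into Active Directory, where secure updates become available.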